Date post: 04-Jun-2018
Upload: truongthien
Page 1: INDUSTRIAL NETWORK OPERATING SYSTEM - Beldenmedia.beldensolutions.com/garrettcom/techsupport/software/user... · Industrial Network Operating System Administrator’s Guide ii Rights

INDUSTRIAL NETWORK OPERATING SYSTEM

SECURE MANAGEMENT FOR BELDEN INDUSTRIAL ROUTERS

INOS VERSION 2.1.0

Administrator’s Guide


Notices

This guide describes how to set up and use the INOS software.

If you need further information or data sheets on GarrettCom-branded Belden Industrial routers, refer to the GarrettCom web links at:

http://www.garrettcom.com/routers.htm

Any feedback or comments can be sent to the GarrettCom Address shown below.

GarrettCom Inc.
47823 Westinghouse Drive
Fremont, CA 94539-7437

Phone (510) 438-9071 • Fax (510) 438-9072

Email – Tech support – [email protected]

Email – Sales – [email protected]

WWW – http://www.garrettcom.com/

Trademarks

Belden Inc. reserves the right to change specifications, performance characteristics and/or model offerings without notice. Belden, GarrettCom, Magnum, 10RX, Industrial Network Operating System and INOS are trademarks of Belden, Inc.

All other trademarks mentioned in this document are the property of their respective owners.


Rights

Except as set forth in the Software License Agreement, GarrettCom makes no representation that software programs and practices described herein will not infringe on existing or future patent rights, copyrights, trademarks, trade secrets or other proprietary rights of third parties and GarrettCom makes no warranties of any kind, either express or implied, and expressly disclaims any such warranties, including but not limited to any implied warranties of merchantability or fitness for a particular purpose and any warranties of non-infringement.

The descriptions contained herein do not imply the granting of licenses to make, use, sell, license or otherwise transfer GarrettCom products described herein. GarrettCom disclaims responsibility for errors which may appear in this document, and it reserves the right, in its sole discretion and without notice, to make substitutions and modifications in the products and practices described in this document.

INOS software is implemented using source code covered under the GNU General Public License, the GNU Lesser General Public License, and various BSD-style licenses. For complete information regarding these software licenses, please refer to the GarrettCom website.

Copyright

Copyright 2013 by GarrettCom. Printed in the US. All rights reserved.

This manual may not be reproduced or disclosed in whole or in part by any means without the written consent of Belden, Inc.

This document has been prepared to assist users of equipment manufactured by GarrettCom, and changes are made periodically to the information in this manual. Such changes are reflected in updates or are published in Software Release Notes. If you have recently upgraded your software, carefully note those areas where new commands or procedures have been added. The material contained in this manual is supplied without any warranty of any kind. GarrettCom therefore assumes no responsibility and shall incur no liability arising from the supplying or use of this document or the material contained in it.

Copyright 2013 GarrettCom, Inc. All rights reserved.

Printed in the United States of America.

Part Number: 84-03001Z

Revision History

Release Date      Document Revision   Software Release   Change Note
January 2013      A                   2.0                New product release
March 2013        B                   2.0.2              General expansion of CLI documentation
September 2013    C                   2.1.0              New software features


TABLE OF CONTENTS

Preface
  About This Manual
  Conventions
  Web Access
  Your Comments

CHAPTER 1: OVERVIEW

1.1 Features and Benefits
  1.1.1 GarrettCom Hardened
  1.1.2 Hardware Configuration
  1.1.3 Multiprotocol Support
  1.1.4 Security
  1.1.5 Management Tools
1.2 Applications/Topologies
  1.2.1 Standalone Local Communications Platform
  1.2.2 Remote Network Concentration
  1.2.3 Distributed Local Network using Ethernet

CHAPTER 2: GETTING STARTED

2.1 Defaults
2.2 10RX access
  2.2.1 Connecting by Console
  2.2.2 Connecting by SSH
  2.2.3 Connecting by Browser
2.3 CLI Navigation
  2.3.1 Modes - Entering and Exiting
  2.3.2 Generating Help on the Command Line
  2.3.3 Command Line Shorthand

CHAPTER 3: ROUTER MANAGEMENT

3.1 Management Interfaces
  3.1.1 Defaults
  3.1.2 Secure Web Server
    3.1.2.1 Generating a New RSA Key and Certificate
  3.1.3 Secure Shell Server
    3.1.3.1 Configuring Compatibility Mode
  3.1.4 Telnet Server
  3.1.5 Non-SSL Web Server
3.2 Time and Date
  3.2.1 Setting Time and Date Manually
  3.2.2 Configuring SNTP in the CLI
    3.2.2.1 Enabling and Disabling the SNTP Client
    3.2.2.2 Setting the SNTP Client Version
    3.2.2.3 Setting the SNTP Client Addressing Mode


    3.2.2.4 Setting the SNTP Client Port
    3.2.2.5 Setting the SNTP Clock Format
    3.2.2.6 Setting the SNTP Client Time Zone
    3.2.2.7 Setting the SNTP Clock Summer Time
    3.2.2.8 Setting the SNTP Client Authentication Key
    3.2.2.9 Setting the SNTP Unicast Server
    3.2.2.10 Setting the SNTP Unicast Server Auto-discovery
    3.2.2.11 Setting the SNTP Unicast-poll-interval
    3.2.2.12 Setting the SNTP Unicast-max-poll-timeout
    3.2.2.13 Setting the SNTP Unicast-max-poll-retry
    3.2.2.14 Enabling and Disabling Broadcast Mode Send Request
    3.2.2.15 Setting SNTP Broadcast Poll Timeout
    3.2.2.16 Setting SNTP Broadcast Delay Time
    3.2.2.17 Enabling and Disabling Multicast Mode Send Request
    3.2.2.18 Setting SNTP Multicast Poll Timeout
    3.2.2.19 Setting SNTP Multicast Delay Time
    3.2.2.20 Setting SNTP Multicast Group Address
    3.2.2.21 Displaying Settings and Status
  3.2.3 Configuring SNTP in the GUI
3.3 SNMP
  3.3.1 Configuring SNMPv3 Access
    3.3.1.1 Example SNMPv3 Configuration
  3.3.2 Managing SNMPv3 Views
  3.3.3 Configuring SNMPv3 Notifications
    3.3.3.1 Example SNMPv3 Notification Configuration
  3.3.4 Filtering SNMPv3 Notifications
    3.3.4.1 Example SNMPv3 Notification Filtering
  3.3.5 Configuring SNMPv2c Access
    3.3.5.1 Example SNMPv2c Configuration
    3.3.5.2 Limiting SNMPv2c Access By Management IP
    3.3.5.3 Configuring SNMPv2c Traps
  3.3.6 SNMP Configuration in the CLI
    3.3.6.1 Enabling and Disabling the SNMP Agent
    3.3.6.2 Configuring SNMP Communities
    3.3.6.3 Configuring an SNMP Group
    3.3.6.4 Configuring SNMP Group Access
    3.3.6.5 Configuring SNMP Engine ID
    3.3.6.6 Configuring SNMP View
    3.3.6.7 Configuring SNMP Target Address
    3.3.6.8 Configuring SNMP Target Parameters
    3.3.6.9 Configuring SNMP Users
    3.3.6.10 Configuring SNMP Notifications
    3.3.6.11 Configuring SNMP Filters
    3.3.6.12 Configuring SNMP Traps
  3.3.7 SNMP Configuration in the GUI
    3.3.7.1 Enabling and Disabling the SNMP Agent
    3.3.7.2 Configuring SNMP Community Settings
    3.3.7.3 Configuring SNMP Group Settings
    3.3.7.4 Configuring SNMP Group Access Settings
    3.3.7.5 Configuring SNMP Views
    3.3.7.6 Configuring SNMP Target Addresses
    3.3.7.7 Configuring SNMP Target Parameters
    3.3.7.8 Configuring SNMP User Information


    3.3.7.9 Managing SNMP Traps
    3.3.7.10 Configuring SNMP Filters
3.4 User Management
  3.4.1 Displaying User Information
  3.4.2 Configuring System Login Information
    3.4.2.1 Setting Maximum Login Attempts and Lock-out Time
    3.4.2.2 Setting Required Password Strength
  3.4.3 Executing the user Command
    3.4.3.1 Adding a New User
    3.4.3.2 Deleting a User
    3.4.3.3 Blocking and Releasing a User
    3.4.3.4 Setting a User’s Inactivity Time
    3.4.3.5 Setting a User’s Password Expiration Interval
    3.4.3.6 Setting a User’s Privilege Level
  3.4.4 Changing a Password
3.5 Authentication
  3.5.1 RADIUS Authentication
    3.5.1.1 Configuring RADIUS Authentication in the CLI
    3.5.1.2 Configuring RADIUS Authentication in the GUI
  3.5.2 TACACS Authentication
    3.5.2.1 Configuring TACACS Authentication in the CLI
    3.5.2.2 Configuring TACACS Authentication in the GUI
3.6 File System Management
  3.6.1 Listing System Files
  3.6.2 Deleting a System File
  3.6.3 Copying a System File
  3.6.4 Displaying System File Contents
  3.6.5 Creating System Configuration Files
3.7 Event Management
  3.7.1 Event Notification Contents
  3.7.2 Event Attributes
  3.7.3 Event IDs and Defaults
    3.7.3.1 Event Severity
    3.7.3.2 Logging Targets
  3.7.4 Displaying Event Information
  3.7.5 Clearing Events
  3.7.6 Configuring Events
    3.7.6.1 Creating and Configuring a logging Class
    3.7.6.2 Configuring a logging Event
    3.7.6.3 Configuring All logging Events
    3.7.6.4 Configuring Syslog Server
    3.7.6.5 Configuring the Logging Facility
3.8 Software Upgrade
  3.8.1 Using the Copy Command to Upgrade
  3.8.2 Upgrade Procedure
    3.8.2.1 Viewing System Information in the GUI
3.9 Restarting the Switch

CHAPTER 4: ETHERNET

  4.0.1 Ethernet Auto Media Interfaces
  4.0.2 Enabling Ethernet Interfaces


    4.0.2.1 Enabling Ethernet Ports
    4.0.2.2 Configuring Port Type
    4.0.2.3 Configuring Switchport Mode
    4.0.2.4 Configuring MTU Size
    4.0.2.5 Configuring Storm Control
    4.0.2.6 GUI - Port Basic Settings Screen

CHAPTER 5: VLAN

  5.0.1 Dynamic VLANs and Trunking
    5.0.1.1 Enabling GVRP Globally in the CLI
    5.0.1.2 Enabling GVRP Globally in the GUI
    5.0.1.3 Enabling GVRP On A Port in the CLI
    5.0.1.4 Enabling GVRP On A Port in the GUI
    5.0.1.5 Setting GARP Timers For A Port in the CLI
    5.0.1.6 Setting GARP Timers For A Port in the GUI
  5.0.2 CLI - VLAN Configuration Mode
    5.0.2.1 Defining an Access Port in the CLI
    5.0.2.2 Defining an Access Port in the GUI
  5.0.3 Advanced Access Port Configuration in the CLI
  5.0.4 Advanced Access Port Configuration in the GUI
  5.0.5 Examining the VLAN Database
  5.0.6 VLANs and IP Routing
  5.0.7 The VLAN Command
  5.0.8 Configuring VLAN Learning Mode
  5.0.9 Configuring a Static VLAN Entry in the CLI
  5.0.10 Configuring a Static VLAN Entry in the GUI
    5.0.10.1 Activating a VLAN
    5.0.10.2 Disabling Unicast-MAC Learning

CHAPTER 6: SPANNING TREE

6.1 RSTP
6.2 RSTP Setup
  6.2.1 BPDUs
  6.2.2 Bridge Roles
  6.2.3 Port Roles
  6.2.4 Edge Ports and Point-to-Point Links
  6.2.5 Port States
6.3 RSTP Normal Operation
6.4 Design Considerations
  6.4.1 Basic RSTP Configuration Parameters
6.5 MSTP
6.6 Global Spanning Tree Configuration
  6.6.1 Enabling Spanning Tree
  6.6.2 Configuring Spanning Tree Mode
  6.6.3 Configuring Spanning Tree Compatibility
  6.6.4 Configuring Dynamic Pathcost Calculation
  6.6.5 Configuring Spanning Tree Timers
  6.6.6 Configuring Spanning Tree Transmit Hold Count
  6.6.7 Configuring Spanning Tree Priority


6.7 Configuring the Spanning Tree Properties of an Interface
  6.7.1 General Spanning Tree Port Configuration
  6.7.2 Configuring Auto Edge
  6.7.3 Configuring Loop Guard
  6.7.4 Configuring Restricted Role
  6.7.5 Configuring Restricted TCN
  6.7.6 Configuring BPDU Receive
  6.7.7 Configuring BPDU Transmit
6.8 MSTP-Specific Configuration
  6.8.1 Configuring MST Max Hops
  6.8.2 Enter MSTP Configuration Mode
  6.8.3 Configuring MST Region Name
  6.8.4 Configuring MST Region Revision
  6.8.5 Configuring MST Max Instance
6.9 Configuring MSTP In the GUI
  6.9.1 MSTP Global Configuration
  6.9.2 MSTP Timer Configuration
  6.9.3 CIST Configuration
  6.9.4 MSTP VLAN Mapping
  6.9.5 MSTP Port Settings
  6.9.6 MSTP CIST Port Status
6.10 Configuring RSTP in the GUI
  6.10.1 RSTP Global Configuration
  6.10.2 RSTP Timer Configuration
  6.10.3 RSTP Port Configuration
  6.10.4 RSTP Port Status

CHAPTER 7: LLDP

7.1 Configuring LLDP in the CLI
  7.1.1 Global Configuration of LLDP
    7.1.1.1 Enabling and Disabling LLDP
    7.1.1.2 Configuring the LLDP Transmission Interval
    7.1.1.3 Configuring the LLDP Holdtime Multiplier
    7.1.1.4 Configuring the LLDP Reinitialization Delay
    7.1.1.5 Configuring the LLDP Transmission Delay
    7.1.1.6 Configuring the LLDP Notification Interval
    7.1.1.7 Configuring the LLDP Chassis ID Subtype
    7.1.1.8 Clearing LLDP Counters
    7.1.1.9 Clearing the LLDP Table
  7.1.2 Interface-specific Configuration of LLDP
    7.1.2.1 Enabling LLDP Transmit/Receive on an Interface
    7.1.2.2 Configuring LLDP Notifications on an Interface
    7.1.2.3 Specifying Basic TLV Settings on a Port
    7.1.2.4 Configuring an ID for LLDP Port Subtype
    7.1.2.5 Configuring Transmission of dot1 TLVs on an Interface
    7.1.2.6 Configuring Transmission of dot3 TLVs Subtypes on an Interface

7.1.3 Displaying LLDP Information ......................................................................................... 1357.1.3.1 show lldp ............................................................................................................. 1367.1.3.2 show lldp interface .............................................................................................. 1367.1.3.3 show lldp neighbors ............................................................................................ 1367.1.3.4 show lldp traffic ................................................................................................... 1367.1.3.5 show lldp local .................................................................................................... 137

7.1.3.6 show lldp errors
7.1.3.7 show lldp statistics

7.2 Configuring LLDP in the GUI
7.2.1 LLDP Global Configuration
7.2.2 LLDP Basic Settings
7.2.3 LLDP Interface Settings
7.2.4 LLDP Neighbor Information
7.2.5 LLDP Basic TLV Settings
7.2.6 LLDP DOT1 TLV Settings
7.2.7 LLDP DOT3 TLV Settings

CHAPTER 8: IP ADDRESSING AND STATIC ROUTING

8.1 Configuring IP Addresses
8.1.1 Specifying an Interface for Configuration
8.1.2 Configuring an IP Address in the CLI
8.1.3 Configuring an IP Address in the GUI
8.1.4 Configuring a VLAN Interface in the GUI
8.1.5 Configuring a Loopback Interface in the CLI
8.1.6 Configuring a Loopback Interface in the GUI

8.2 Configuring Static Routing in the CLI
8.2.1 Configuring Static IPv4 Routes

8.3 Configuring Static Routing in the GUI

8.4 Configuring ARP
8.4.1 Configuring the ARP Cache Timeout
8.4.2 Configuring the ARP Request Maximum Retries

CHAPTER 9: RIP

9.1 Configuring RIP in the CLI
9.1.1 Enabling and Disabling RIP
9.1.2 Configuring RIP on an Interface
9.1.3 Configuring Redistribution
9.1.4 Configuring the Default Metric
9.1.5 Specifying Administrative Distance
9.1.6 Disabling and Enabling Auto-summarization
9.1.7 Configuring Update Source Validation
9.1.8 Accessing Interface-specific RIP Commands
9.1.9 Configuring to Install Default Route
9.1.10 Configuring RIP Default Route Propagation
9.1.11 Configuring IP RIP Send Version on an Interface
9.1.12 Configuring IP RIP Receive Version on an Interface
9.1.13 Configuring RIP Version Globally
9.1.14 Configuring IP RIP Summary Address
9.1.15 Configuring Split Horizon

9.2 Configuring RIP in the GUI
9.2.1 Enabling and Disabling RIP
9.2.2 RIP Interface Configuration

CHAPTER 10: OSPF

10.1 Overview
10.1.1 OSPF Neighbor Relationships
10.1.2 OSPF Area Types
10.1.2.1 OSPF Backbone Area
10.1.2.2 OSPF Stub Area
10.1.2.3 OSPF Not-So-Stubby Area

10.2 OSPF Configuration in the CLI
10.2.1 Enabling and Disabling OSPF
10.2.2 Enabling OSPF on an Interface
10.2.3 Configuring a Stub Area
10.2.4 Configuring a Not-So-Stubby Area
10.2.5 Configuring the Cost of the Default Route in a Stub Area
10.2.6 Summarizing Routes Between Areas
10.2.7 Summarizing External Routes
10.2.8 Controlling External Metrics

10.3 OSPF Configuring in the GUI
10.3.1 Enabling and Disabling OSPF
10.3.2 OSPF Basic Settings
10.3.3 OSPF Area Configuration
10.3.4 OSPF Interface Configuration
10.3.5 OSPF Virtual Interface Configuration
10.3.6 OSPF Neighbor Configuration
10.3.7 OSPF RRD Route Configuration
10.3.8 OSPF Area Aggregation
10.3.9 OSPF AS External Aggregation

10.4 OSPF Configuration Example Overview

10.5 OSPF Example Configuration Procedure
10.5.1 Creating Area 0.0.0.0
10.5.2 Creating Area 0.0.0.3
10.5.3 Creating Area 0.0.0.4

CHAPTER 11: BGP

11.1 BGP Configuration in the CLI
11.1.1 Enabling and Disabling BGP
11.1.2 Specifying BGP Router ID
11.1.3 Specifying a BGP Neighbor
11.1.4 Displaying Neighbor Status
11.1.5 Resetting a BGP Session
11.1.6 Redistributing Routes
11.1.7 Minimizing Route Table Size Using Aggregates
11.1.8 Specifying Administrative Distance
11.1.9 Filtering Routes
11.1.10 Defining Policies Using Communities
11.1.10.1 Assigning Routes to a Community
11.1.10.2 Defining Policies for a Community
11.1.10.3 Defining Filters for a Community
11.1.11 Specifying a Router's Default Local Preference
11.1.12 Specifying a Local Preference

11.1.13 Specifying a Metric or Multi-exit Discriminator
11.1.13.1 Specifying a Default Metric
11.1.13.2 Assigning Metrics to Specific Routes
11.1.13.3 Forcing a MED Comparison
11.1.14 Using a Loopback as a BGP Endpoint
11.1.15 Using eBGP Without a Direct Connection
11.1.16 Setting Up a BGP Route Reflector
11.1.17 Setting Up a BGP Confederation
11.1.17.1 Configuring the BGP Confederation Identifier
11.1.17.2 Specifying Confederation Members
11.1.18 Synchronizing iBGP With an IGP

11.2 BGP Configuration in the GUI
11.2.1 BGP Basic Settings
11.2.2 BGP Neighbor Configuration
11.2.3 BGP MED Configuration
11.2.4 BGP Local Preference Configuration
11.2.5 BGP Filter Configuration
11.2.6 BGP Route Aggregation Configuration

CHAPTER 12: ROUTE MAPS

12.1 Configuring Route Maps
12.1.1 Specifying a Route Map
12.1.1.1 Note on Sequence Numbers
12.1.2 Defining a Match
12.1.3 Setting Route Values

12.2 Applying Route Maps
12.2.1 Route Redistribution
12.2.2 Outgoing Route Filtering
12.2.3 Incoming Route Filtering
12.2.4 Specifying Route Administrative Distance

12.3 Route Maps and Routing Protocols
12.3.1 Route Map Functionality for RIP
12.3.2 Route Map Functionality for OSPF
12.3.3 Route Map Functionality for BGP
12.3.4 Note on Route Redistribution

12.4 Displaying Route Map Information

CHAPTER 13: GRE

13.1 GRE Operation

13.2 GRE Implementation

13.3 GRE Configuration in the CLI
13.3.1 Specifying a GRE Tunnel
13.3.2 Configuring GRE Tunnel Attributes
13.3.3 Enabling Tunnel Checksum
13.3.4 Enabling Tunnel Path MTU Discovery
13.3.5 Configuring Tunnel Hop Limit

13.4 GRE Configuration in the GUI
13.4.1 Specifying a GRE Tunnel

CHAPTER 14: VRRP

14.1 VRRP Configuration in the CLI
14.1.1 Enabling VRRP
14.1.2 Configuring VRRP on an Interface
14.1.3 Configuring a VRRP IP Address
14.1.4 Configuring the Virtual Router Priority
14.1.5 Enabling Preemption Mode
14.1.6 Configuring Text Authentication
14.1.7 Configuring Advertisement Interval
14.1.8 Configuring VRRP Object Tracking

14.2 VRRP Configuration in the GUI
14.2.1 Enabling VRRP
14.2.2 VRRP Settings

CHAPTER 15: OBJECT TRACKING

15.1 Trackable States and Conditions
15.1.1 Line-Protocol State of an Interface
15.1.2 IP-Routing State of an Interface
15.1.3 IP-Route Reachability

15.2 Configuring Object Tracking in the CLI
15.2.0.1 Configuring Interface Tracking Interval
15.2.0.2 Configuring IP Route Tracking Interval
15.2.0.3 Configuring Tracking of an Interface Line Protocol
15.2.0.4 Configuring Tracking of Interface IP Routing
15.2.0.5 Configuring Tracking of Route Reachability
15.2.0.6 Configuring Tracking Delay

15.3 Configuring Object Tracking in the GUI
15.3.1 Configuring Tracking Timers
15.3.2 Configuring Object Tracking

CHAPTER 16: DHCP SERVER

16.1 Configuring the DHCP Server in the CLI
16.1.1 Enabling and Disabling the DHCP Server
16.1.2 Configuring a DHCP Address Pool
16.1.3 Specifying a Boot Server
16.1.4 Specifying a Boot File
16.1.5 Enabling the ICMP Echo
16.1.6 Configure Offer-reuse Interval
16.1.7 Configuring Global DHCP Options
16.1.8 Configuring a Subnet Pool of Addresses
16.1.9 Excluding Addresses from a Pool
16.1.10 Specifying a Domain Name
16.1.11 Specifying a DNS Server
16.1.12 Specifying a NetBIOS and WINS Name Server
16.1.13 Specifying a NetBIOS Node Type
16.1.14 Specifying a Default Router
16.1.15 Configuring Pool-specific DHCP Options
16.1.16 Configuring a Lease Period
16.1.17 Configuring a Pool Utilization Threshold
16.1.18 Configuring Host Hardware Type

16.2 Displaying DHCP Information
16.2.1 show ip dhcp server information
16.2.2 show ip dhcp server pools
16.2.3 show ip dhcp server binding
16.2.4 show ip dhcp server statistics

16.3 Configuring the DHCP Server in the GUI
16.3.1 Configuring DHCP Basic Settings
16.3.2 Configuring DHCP Global Options
16.3.3 Configuring DHCP Pool Settings
16.3.4 Configuring DHCP Pool Option Settings
16.3.5 Configuring DHCP Host Option Settings
16.3.6 Configuring an Exclude List
16.3.7 Displaying Binding Information

CHAPTER 17: FIREWALL/NAT

17.1 Defining Inside and Outside
17.1.1 Configuring a Default Security Policy
17.1.2 Enabling the Firewall
17.1.3 Configuring Basic Access Control Lists
17.1.4 Configuring Object Groups
17.1.4.1 Network Object Groups
17.1.4.2 Service Object Groups
17.1.4.3 ICMP Object Groups
17.1.4.4 Protocol Object Groups
17.1.5 Using Object Groups
17.1.6 Applying Access Control Lists

17.2 NAT
17.2.1 Setting up Dynamic NAT
17.2.2 Setting up Static NAT

CHAPTER 18: IPSEC VPN

18.1 IPsec VPN Operation

18.2 Configuring IPsec VPN in the CLI
18.2.1 IKE Profile Table
18.2.1.1 Configure an IKE Profile
18.2.1.2 Specify IKE (Phase 1) Encryption Type
18.2.1.3 Specify IKE (Phase 1) Hash Algorithm
18.2.1.4 Specify a DH Group
18.2.1.5 Specify PFS
18.2.1.6 Specify SA (Phase 1) Lifetime
18.2.1.7 Configure DPD
18.2.2 IPsec Proposal Table
18.2.2.1 Configure an IPsec Proposal
18.2.2.2 Specify IPSec (Phase 2) Encryption Type
18.2.2.3 Specify IPsec (Phase 2) Hash Algorithm
18.2.2.4 Specify SA (Phase 2) Lifetime
18.2.3 Crypto Maps
18.2.3.1 Configure a Crypto Map
18.2.3.2 Specify the Traffic to Protect
18.2.3.3 Specify a Peer IP Address

18.2.3.4 Specify the Local IP Address
18.2.3.5 Bind an IKE Profile
18.2.3.6 Bind an IPsec Proposal
18.2.3.7 Specify Authentication Type
18.2.3.8 Specify a Pre-shared Key
18.2.4 IPsec VPN-related Show Commands
18.2.4.1 show ike sa
18.2.4.2 show ipsec sa
18.2.4.3 show ike profile
18.2.4.4 show ipsec proposal
18.2.4.5 show crypto map
18.2.5 IPsec VPN-related Clear Commands
18.2.5.1 clear ike sa all
18.2.5.2 clear ike sa peer
18.2.5.3 clear ike sa id
18.2.5.4 clear ipsec sa all
18.2.5.5 clear ipsec sa peer
18.2.5.6 clear ipsec sa id
18.3 Configuring IPsec VPN in the GUI
18.3.1 Configuring an IKE Profile
18.3.2 Configuring an IPsec Proposal
18.3.3 Configuring a Crypto Map
18.3.4 Displaying IKE Security Associations
18.3.5 Displaying IPsec Security Associations
18.3.6 Configuring IPsec ACLs

CHAPTER 19: T1/E1
19.1 Configuring T1/E1 in the CLI
19.1.1 Specifying a T1/E1 Interface
19.1.2 Configure Mode on a T1/E1 Interface
19.1.3 Configure Clock Source on a T1/E1 Interface
19.1.4 Configure Timeslot Bandwidth on a T1/E1 Interface
19.1.5 Configure Timeslots on a T1/E1 Interface
19.1.6 Configure Frame Types on a T1/E1 Interface
19.1.7 Configure Line Codes on a T1/E1 Interface
19.1.8 Configure Line Build-out on a T1/E1 Interface
19.1.9 Enabling and Disabling a T1/E1 Interface
19.1.10 Configuring a Channelized T1/E1 Interface
19.1.11 Configuring Timeslots on a T1/E1 Channel
19.1.12 Enabling and Disabling a T1/E1 Channel
19.2 Configuring T1/E1 in the GUI
19.2.1 Configuring T1/E1 Ports
19.2.2 Configuring T1/E1 Channel Settings
19.3 Displaying T1/E1 Interface Configuration Information

CHAPTER 20: PPP
20.1 Configuring PPP in the CLI
20.1.1 Specifying a PPP Interface
20.1.2 Configuring Link Control Protocol Interval
20.1.3 Configuring PPP Authentication

20.1.4 Specifying PPP Compression
20.1.5 Specifying a Peer Username and Password
20.1.6 Specifying a Device Username and Password
20.1.7 Configuring Maximum Slot IDs
20.1.8 Enable Compression of Slot ID Field
20.1.9 Specify IP Address of the PPP Interface
20.1.10 Specify an MRU Value
20.1.11 Specify an MTU Value
20.1.12 Enable Compression of Address and Control Fields
20.1.13 Enable Compression of Protocol Field
20.1.14 Enable Use of Magic Numbers
20.1.15 Disable a PPP Interface
20.1.16 Specify a Physical Port for PPP Interface
20.2 Configuring PPP in the GUI
20.2.1 Configuring PPP Interfaces
20.2.2 Configuring PPP Options
20.3 Configuring MLPPP in the CLI
20.3.1 Specifying an MLPPP Interface
20.3.2 Specify an MRRU Value
20.3.3 Assembling MLPPP Bundles
20.4 Configuring MLPPP in the GUI
20.4.1 Configuring MLPPP Interfaces
20.4.2 Configuring MLPPP Interface Stacking
20.4.3 Configuring MLPPP Options

CHAPTER 21: FRAME RELAY
21.1 Configuring Frame Relay in the CLI
21.1.0.1 Specifying a Frame Relay Interface
21.1.0.2 Configuring the Lower Layer for a Frame Relay Interface
21.1.0.3 Enabling a Frame Relay Interface with the No Shutdown Command
21.1.1 Configuring LMI
21.1.1.1 Configuring LMI Type
21.1.1.2 Configuring LMI Mode
21.1.2 Configuring PVCs
21.1.2.1 Specifying a Frame Relay PVC Interface
21.1.2.2 Configuring the Lower Layer for a PVC
21.1.2.3 Specifying the DLCI for a PVC
21.1.2.4 Enabling a PVC with the No Shutdown Command
21.1.3 Configuring IP Encapsulation
21.1.3.1 Specifying the Local IP Address for IP Encapsulation
21.1.3.2 Specifying the Peer IP Address for IP Encapsulation
21.1.4 Configuring Serial Encapsulation
21.1.5 Configuring Terminal Server Extension
21.1.6 Configuring End-to-End Keepalive on a PVC
21.1.6.1 Configuring the EEK Poll Timer on a Frame Relay Interface
21.1.6.2 Configuring the EEK Response Timer on a Frame Relay Interface
21.1.6.3 Configuring the EEK Event Window on a Frame Relay Interface
21.1.6.4 Configuring the EEK Error Threshold on a Frame Relay Interface
21.1.6.5 Configuring the EEK Success Events on a Frame Relay Interface
21.1.7 Configuring Frame Relay Queuing
21.1.8 Assigning Priorities to Frame Relay Packets
21.1.8.1 Configuring Default Priority for a PVC

21.1.8.2 Mapping DSCP Values to Queue Priorities
21.1.8.3 Configuring Fragmentation on a Frame Relay Interface
21.1.8.4 Configuring Committed Information Rate on a PVC
21.1.9 Displaying Frame Relay Information
21.1.9.1 show interface frame-relay
21.1.9.2 show interface fr-pvc
21.1.9.3 show frame-relay priority
21.1.9.4 show qos frame-relay output dscp-map
21.1.10 Clearing Frame Relay Counters
21.1.11 Clearing FR-PVC Counters
21.2 Configuring Frame Relay in the GUI
21.2.1 Configuring the Frame Relay Interface
21.2.2 Configuring Frame Relay End-to-End Keepalive
21.2.3 Configuring Frame Relay PVCs
21.2.4 Configuring Frame Relay Encapsulation

CHAPTER 22: SERIAL INTERFACE
22.1 Configuring Serial Profiles in the CLI
22.1.1 Specifying a Serial Profile
22.1.2 Configure a Profile’s Interface Standard
22.1.3 Configure a Profile’s Speed
22.1.4 Configure a Profile’s Databits
22.1.5 Configure a Profile’s Stopbits
22.1.6 Configure a Profile’s Parity
22.1.7 Configure a Profile to Ignore DSS
22.1.8 Configure a Profile’s Flow Control
22.1.9 Configure a Profile’s Packetization Character
22.1.10 Configure a Profile’s Packet Timeout Value
22.1.11 Configure a Profile’s Maximum Packet Size
22.2 Configuring Serial Interfaces in the CLI
22.2.1 Specify a Serial Interface
22.2.2 Associate a Profile and a Serial Interface
22.3 Serial Interface Show Commands
22.3.1 Display Serial Profile Information
22.3.2 Display Serial Interface Information
22.4 Configuring Serial Profiles in the GUI
22.4.1 Configuring a Serial Profile
22.4.2 Associating Profiles and Ports

CHAPTER 23: TERMINAL SERVER
23.1 Terminal Server Operation
23.1.1 Passive Mode Channels
23.1.2 Active Mode Channels
23.1.3 Mixed Mode
23.1.4 Session Type
23.2 Terminal Server Configuration in the CLI
23.2.1 Specify a Terminal Server Channel
23.2.2 Configure a Port for a Channel
23.2.3 Mapping a Serial Channel to a PVC
23.2.4 Configure Channel Direction

23.2.5 Configure Channel Session Type
23.2.6 Configure Channel Priority
23.2.7 Configure Channel Local IP Address
23.2.8 Configure Channel Local TCP Port
23.2.9 Configure Channel Remote IP Address
23.2.10 Configure Channel Remote TCP Port
23.2.11 Configure Channel Maximum Connections
23.2.12 Configure Channel Retry Time
23.2.13 Clear a Serial Connection
23.3 Terminal Server Show Commands
23.3.1 Display Serial Channel Information
23.3.2 Display Serial Connection Information
23.4 Terminal Server Configuration in the GUI
23.4.1 Configuring a Terminal Server
23.4.2 Monitoring Terminal Server Connections
23.4.3 Monitoring Terminal Server Channels

CHAPTER 24: QOS
24.1 Ethernet QoS Handling
24.2 IP Interface DSCP Marking
24.3 PPP Output Queues
24.4 Configuring QoS in the CLI
24.4.1 Global Configuration Commands
24.4.1.1 Enabling and Disabling QoS
24.4.1.2 Mapping a DSCP Output Queue
24.4.1.3 Mapping a CoS Output Queue
24.4.2 Ethernet Interface Configuration Commands
24.4.2.1 Configuring QoS Trust
24.4.2.2 Configuring CoS Default
24.4.3 Queuing Policy Configuration Commands
24.4.3.1 Specify a Queueing Policy
24.4.3.2 Specify Weighted Fair Queueing
24.4.3.3 Specify a DSCP-WFQ Match
24.4.4 Specify Strict Queueing
24.4.4.1 Specify a DSCP-SPQ Match
24.4.4.2 Control the Available Bandwidth on the Strict Queue
24.4.5 IP Configuration Commands
24.4.5.1 Map a Queueing Policy to a PPP Interface
24.4.6 Global IP Configuration Commands
24.4.6.1 Map an ACL to a DSCP
24.4.7 Show Commands
24.4.7.1 Displaying Configured QoS Interfaces
24.5 Configuring QoS in the GUI
24.5.1 Enabling and Disabling QoS
24.5.2 Configuring QoS Port Settings
24.5.3 Configuring a CoS Queue Map
24.5.4 Configuring a DSCP Queue Map
24.5.5 Configuring Frame Relay QoS for a PVC
24.5.6 Configuring Frame Relay QoS for a DSCP
24.5.7 Configuring Frame Relay Priority Weights

CHAPTER 25: PROTOCOL ANALYZER
25.1 Starting and Stopping the Protocol Analyzer
25.2 Configuring Protocol Analyzer Output

Glossary

Index

Preface

ABOUT THIS MANUAL

This manual provides the Administrator with instructions on how to use the Industrial Network Operating System™ (INOS™) to configure, manage, and monitor the 10RX™ Industrial Router family of products. This manual contains a basic description of the INOS, the basics of using the INOS, and instructions for configuring INOS for specific applications. The chapters and appendices are presented as follows:

Chapter 1, “Overview” - This chapter describes the features and benefits of the Magnum 10RX.

Chapter 2, “Getting Started” - This chapter describes how to quickly get started with INOS.

Chapter 3, “Router Management” - This chapter explains how to carry out router management tasks.

Chapter 4, “Ethernet” - Explains the configuration of Ethernet connections.

Chapter 5, “VLAN” - Explains VLAN configuration.

Chapter 6, “Spanning Tree” - Explains the INOS Spanning Tree implementation.

Chapter 7, “LLDP” - Explains the Link Layer Discovery Protocol implementation.

Chapter 8, “IP Addressing and Static Routing” - Explains configuration of static routing.

Chapter 9, “RIP” - Explains configuration of the Routing Information Protocol in INOS.

Chapter 10, “OSPF” - Explains the configuration of the Open Shortest Path First Protocol.

Chapter 11, “BGP” - Explains the configuration of the Border Gateway Protocol.

Chapter 12, “Route Maps” - Explains Route filtering and manipulation with route maps.

Chapter 13, “GRE” - Explains Generic Routing Encapsulation.

Chapter 14, “VRRP” - Explains the Virtual Router Redundancy Protocol.

Chapter 15, “Object Tracking” - Explains configuration of object tracking.

Chapter 16, “DHCP Server” - Explains Dynamic Host Configuration Protocol functionality.

Chapter 17, “Firewall/NAT” - Explains basic firewall and network address translation functionality.

Chapter 18, “IPsec VPN” - Explains IPsec VPN configuration.

Chapter 19, “T1/E1” - Explains configuration of T1/E1 interfaces.

Chapter 20, “PPP” - Explains configuration of the Point-to-Point Protocol.

Chapter 21, “Frame Relay” - Explains the INOS Frame Relay implementation.

Chapter 22, “Serial Interface” - Explains the configuration of serial interfaces.

Chapter 23, “Terminal Server” - Explains the Terminal Server application.

Chapter 24, “QoS” - Explains implementation of Quality of Service functionality.

Chapter 25, “Protocol Analyzer” - Explains the use of the INOS Protocol Analyzer to monitor system performance.

Glossary - A list of acronyms and technical terms used in this manual.

CONVENTIONS

Graphically distinctive alerts labeled either “Note” or “Caution” (illustrated below) are interspersed throughout this manual. These alerts call your attention to useful information related to the text immediately following the alert. Notes provide supplemental information or provide a point of emphasis. Cautions warn you of the risk of poor system performance or of system failure.

WEB ACCESS

All of the INOS manuals are also available in .pdf format on the GarrettCom website, www.garrettcom.com.

Syntax Conventions

Convention        Meaning

Typewriter font   Depicts stable command-line information supplied either by the system or the user: command names, keywords, etc.

Italic            Depicts user-supplied information: names, arguments, variables, etc.

[X]               Square brackets enclose optional keywords or arguments.

|                 A pipe, or vertical line, separating elements in a series indicates that these elements are choices available at this location.

[X | Y]           A pipe separating items within square brackets indicates that these are optional choices.

{X | Y}           A pipe separating items within braces, or curly brackets, indicates that these items are choices but that one MUST be selected.

[X {Y | Z}]       The outer square brackets indicate an optional element and the inner curly brackets indicate that if the second element is used you MUST select from among the enclosed options.

NOTE: Notes provide you with helpful information about an upcoming step or action. If you do not use the information contained in a Note there is no risk of harm to the system, but using the information will improve performance and/or increase your understanding.

CAUTION: A caution warns you that you should take some action to avoid poor system performance or system failure.

YOUR COMMENTS

If you find an error or have a helpful tip on the layout or informational content of this or any other GarrettCom manual, please feel free to contact us via email with any problems or helpful information. All enquiries will be responded to with a correction or whatever resolution is required. Please make all comments to [email protected] or phone a support engineer at (510) 438-9071.


Chapter 1 Overview

1.1 Features and Benefits

The Magnum 10RX Industrial Router provides secure multiprotocol networking in a compact, rugged package designed for power substations and other harsh environments. The 10RX combines the capabilities of an Ethernet Switch, an Async-to-TCP/IP Terminal Server, and an IP Router in a single integrated device.

1.1.1 GarrettCom Hardened

The Magnum 10RX Industrial Router is a multi-function, multi-protocol networking platform that is purpose-built for distributed industrial automation applications such as Supervisory Control and Data Acquisition (SCADA) systems. The 10RX supports a wide range of communications interfaces used by industrial devices, enabling multiple generations of remote devices and support systems to be consolidated onto a single integrated network infrastructure. The 10RX also operates effectively in extremely harsh environmental conditions such as those within power utility substations, pumping stations, treatment plants, transportation systems and wind farms. This robustness is primarily due to extended-range specifications in areas such as electromagnetic interference, temperature and electrical surges. Most other networking products will fail when facing these conditions.

1.1.2 Hardware Configuration

The 10RX can be configured with:

• Up to 10 automedia Gigabit Ethernet ports

• Up to 32 RJ45 serial ports or 16 DB9 serial ports programmable for RS232/485 operation

• Up to 16 T1/E1 ports

• Dual hot-swappable or fixed high (90-250 VAC or VDC) or low (18-60 VDC) power supplies

1.1.3 Multiprotocol Support

Supports the following protocols:

• Async, SCADA

• Ethernet, TCP/IP

• Ethernet Switching

    • VLANs

    • GVRP

    • RSTP/MSTP

• Frame Relay

• IP Routing

    • RIP

    • OSPFv2

    • BGP4

    • VRRP

    • GRE

    • PPP

• TCP Terminal Server

1.1.4 Security

Supports:

• Multi-level passwords with enforcement and aging

• Stateful firewall with ACLs and filtering

• IP VPN using IPsec with AES encryption

• Management activity logging and alarms

• Radius/TACACS+ support

• SSL

• SSH

1.1.5 Management Tools

Supports:

• Embedded web server GUI

• CLI access via SSH or Telnet

• SNMPv2c and SNMPv3 MIB

1.2 Applications/Topologies

The Magnum 10RX combines the capabilities of an Ethernet Switch, an Async-to-TCP/IP Terminal Server and an IP Router in a single integrated device. This feature set enables several important applications, each building on the ability to combine Serial- and Ethernet-based industrial devices on a common communications network.

1.2.1 Standalone Local Communications Platform

The Magnum 10RX provides a complete, local communications network within an industrial location. Magnum 10RX consolidates connections from a variety of industrial devices having differing communications interfaces, including Async serial connections at connection rates of 300 bps to 230.4 Kbps and IP-oriented Ethernet connections at 10 or 1000 Mbps. This interface capability covers most RTUs, PLCs, Intelligent Electrical Devices (IEDs), industrial servers and other devices with digital data connectivity. An operator may use a Human Machine Interface (HMI) application to locally connect to all the devices within the site from a common connection point. The Magnum 10RX provides Ethernet switching of IP sessions directly among Ethernet-connected devices. TCP/IP based applications such as the HMI may also connect directly to serial devices, with the Magnum 10RX providing Async-to-TCP/IP terminal services.

1.2.2 Remote Network Concentration

The Magnum 10RX includes integrated T1/E1 DSU/CSU capability for supporting up to 16 separate wide area network (WAN) links. These links can be bundled using Multi-Link PPP (MLPPP) to provide high-speed WAN connections or used with individual PPP connections to create redundant WAN paths. The Magnum 10RX can be used in large substations or as a network concentrator in an operations center where high WAN bandwidth is required.

1.2.3 Distributed Local Network using Ethernet

In addition to stand-alone deployments, multiple Magnum 10RXs can form a distributed high-speed network within an industrial site using an Ethernet backbone. Typically the Ethernet backbone network is a resilient ring configuration. Rapid Spanning Tree Protocol (RSTP), tag-based Virtual Local Area Networks (VLANs), and traffic prioritization features combine to provide high-reliability, application-specific security and performance management capabilities that enable multiple diverse applications to effectively share a common network infrastructure.


Chapter 2 Getting Started

This chapter explains how to quickly begin using your INOS industrial router through the embedded web server Graphical User Interface (GUI) or the Command Line Interface (CLI).

2.1 Defaults

As delivered, INOS can be accessed with the following default username and password:

• Username — manager

• Password — manager

2.2 10RX access

The following sections describe how to connect on the console, on the web, or by SSH.

The default IP address is 192.168.1.2. You can access this IP address by connecting to GbE 1/1.

2.2.1 Connecting by Console

The serial console settings are 38400-8-N-1.

2.2.2 Connecting by SSH

The default IP address is 192.168.1.2. SSH to port 22. For example,

ssh [email protected]

from a command prompt on your PC.

2.2.3 Connecting by Browser

Use the URL https://192.168.1.2

WARNING: GarrettCom recommends that you immediately create a new administrative user account with username and password different from the factory defaults and that you delete the default “manager” account. See Section 3.4 for information on managing user accounts.


2.3 CLI Navigation

The following section supplies guidelines for navigating the Command Line Interface.

2.3.1 Modes - Entering and Exiting

The command line interface supports the complete INOS command set. Commands are accessible in several “modes.” The current mode setting is indicated by the text displayed at the prompt.

• Magnum 10RX# — EXEC Commands

This is the default mode available at login. It gives you access to commands to display settings and status information, and to clear some settings. Administrators may also manage user accounts in this mode.

• Magnum 10RX(config)# — Global Configuration commands

• This mode is entered by typing configure terminal at the Magnum 10RX# prompt.

• It gives you access to the most commonly used configuration commands, those controlling routing, security and the like.

• Return to the EXEC Commands mode by typing end or exit at the Magnum 10RX(config)# prompt.

In addition to the two modes described above there are many configuration modes accessed by entering certain keywords at the Magnum 10RX(config)# prompt. These modes are identified by a label in the command prompt and give access to a subset of commands specific to the protocol under configuration. Examples of these modes are:

• Magnum 10RX(config-vlan)# — giving access to the subset of VLAN configuration commands.

• Magnum 10RX(config-if)# — giving access to several subsets of interface configuration commands.

• Magnum 10RX(config-router)# — giving access to subsets of router configuration commands.

In each of these protocol-specific modes you can return to Global Configuration command mode by entering exit or to EXEC Commands mode by entering end. For a list of these modes and pointers to the commands used to access them see the index under “configuration mode.”

2.3.2 Generating Help on the Command Line

Pressing ? will produce a list of valid options for the next position in the command line with brief descriptions of their significance.

Pressing TAB attempts to complete the command you have begun. If there is only one valid option for the next position in the command line that option will be displayed in the correct position. If there are multiple valid options pressing TAB will display all valid arguments to the current command with syntax defined in a conventional fashion.


2.3.3 Command Line Shorthand

Abbreviations: The CLI will accept as valid any text string on the command line that is sufficiently long to be valid and unambiguous at that position; thus, the full command,

Magnum 10RX# show system information

can be executed in the following shorthand:

Magnum 10RX# s sy i

Make use of the ? and TAB keys to discover the shortest unique version of any command element.


Chapter 3 Router Management

This chapter explains how to carry out router management tasks. These tasks involve configuration, monitoring, and reporting on the following router features and capabilities:

• Management Interfaces

• Time and Date

• SNMP

• User Management

• Authentication

• File System Management

• Event Management

• Software Upgrade

• Restarting the Switch

3.1 Management Interfaces

INOS provides several optional management interfaces. Secure options are enabled by default but you can enable other less secure interfaces if you judge them to be necessary or useful.

3.1.1 Defaults

INOS is shipped with the following defaults. These defaults are available on initial startup and remain valid across all interfaces until they are replaced or supplemented by the user.

• Access — HTTPS and SSH access to the system are enabled by default. Any necessary keys and certificates required by these interfaces are generated automatically by the system when it boots up for the first time.

• Username — manager is the default username.

• Password — manager is the default password.

3.1.2 Secure Web Server

The Secure Web Server implementation supports the following features:

• TLS 1.0 protocol

• High grade 3DES, 168-bit encryption

• Certificates with RSA keys of 512 and 1024 bits

• Access on the standard TCP port 443


To enable the HTTP Secure Server functionality in the GUI go to the System: Management: SSL: SSL Global Settings tab, as illustrated in Figure 3-1.

Figure 3-1. Enabling SSL

Secure Server is enabled by default. Disable it by selecting Disable in the dropdown menu, clicking Apply, and refreshing the page.

3.1.2.1 Generating a New RSA Key and Certificate

A new RSA key and matching certificate can be generated using the following procedure. You may want to periodically generate a new RSA key for your web server to improve security or you may wish to use a certificate that has been signed by a Certificate Authority that your organization trusts.

In the GUI go to the System: Management: SSL: SSL Digital Certificate tab to enter a digital certificate, as illustrated in Figure 3-2.

Figure 3-2. SSL Digital Certificate Tab

Use the following procedures to request and enter a new certificate.

1. Navigate to the System / SSL web page.

2. Select the SSL Digital Certificate tab.

3. Specify an RSA key size (512 or 1024).


4. Select the Generate Certificate Signing Request radio button.

5. Enter the desired Common Name.

6. Press the Apply button.

You will see a PEM encoded certificate request appear in the text box.

7. Send the certificate request to your Certificate Authority (CA) for signing.

When you have received your PEM encoded signed certificate from the CA, navigate back to the SSL Digital Certificate tab:

1. Select the Enter Certificate Signed By Certification Authority radio button.

2. Cut and paste the PEM encoded signed certificate into the text box.

3. Press the Apply button.

4. Reload your system for the new RSA key and certificate to take effect. (For information on the reload command see Section 3.9.)

A sample PEM encoded certificate request is shown below:

-----BEGIN CERTIFICATE REQUEST-----

MIIBVjCBwAIBADAXMRUwEwYDVQQDEwxQT1dFUlVUSUxJVFkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOFQrwgHgHimZYz8NZ8KLlO9kKYIA7sdGjpoHRKdSRrS5n+GSHpPiVzr1MA1O1EiZoKDNOYEmdDT5ra0ZeWtaF/B/EobFtuYFARorXtn3ah6W7p7j72N+/lEbNnFINbhD/uJ3M5V96xKBtNnyDlmnmODxdBKIV7IhSsbnfLRSLiNAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQB5kSTjCOb2dFOlPbs3RFY+wi02y0rj1h/zLY+ydUjVooWvGKIPFiSSzJ/AjmoWgpLD4Os5PLE2kcdHLGV91vptxjT6Gk2MOAfwByDM3XJCg4mZySQOoyovH/dKS2zDzKQx/XgZXOpTLBDuDk56uyCbgniP9fCqwbXAp0y/w/uomQ==-----END CERTIFICATE REQUEST-----

A sample PEM encoded signed certificate is shown below:

-----BEGIN CERTIFICATE-----

MIICATCCAWoCCQC++Tk4zXkzOTANBgkqhkiG9w0BAQUFADBzMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUExFjAUBgNVBAcTDU5vcnRoIEFuZG92ZXIxGTAXBgNVBAoTEEdhcnJldHRDb20sIEluYy4xFDASBgNVBAsTC0VuZ2luZWVyaW5nMQ4wDAYDVQQDEwVDQUdDSTAeFw0xMjA2MjAxODAyMzdaFw0xMjA3MjAxODAyMzdaMBcxFTATBgNVBAMTDFBPV0VSVVRJTElUWTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4VCvCAeAeKZljPw1nwouU72QpggDux0aOmgdEp1JGtLmf4ZIek+JXOvUwDU7USJmgoM05gSZ0NPmtrRl5a1oX8H8ShsW25gUBGite2fdqHpbunuPvY37+URs2cUg1uEP+4nczlX3rEoG02fIOWaeY4PF0EohXsiFKxud8tFIuI0CAwEAATANBgkqhkiG9w0BAQUFAAOBgQC3o0D94pSPEI4D/+EJ6ZsWNcnr2CvkiSQmlW3tLyn8uhqeam0wDHG7414NQ/IW209qSCJOGg9Bo23nSoRaeiT/A3wbYtValk27WYw+tCPeLT9GHa+rb9wLZ5FuOULy/h53/ZmQbjr1C1DK49AFxO8avVofHfC8eO7FVhOMOBxffA==-----END CERTIFICATE-----

3.1.3 Secure Shell Server

The Secure Shell (SSH) Server implementation supports the following features:

• The SSHv2 protocol

• High grade 3DES, 168 bit encryption

• Access on the standard TCP port 22

Although it is not recommended, the SSH server may also be configured in compatibility mode in order to interoperate with older SSHv1 clients.

3.1.3.1 Configuring Compatibility Mode

Compatibility with SSHv1 clients can be configured using the CLI or by using the graphical interface.

1. Configuring with the CLI:

To allow SSHv1 clients to connect to the SSH server enter the following on the CLI command line:

Magnum 10RX(config)# ip ssh version compatibility

2. Configuring with a web browser

a. Navigate to the System / SSH web page.

b. Select Both-V1,V2 from the SSH Version Compatibility drop down list.

c. Press the Apply button.

Figure 3-3. Configuring SSH V1 Compatibility

3.1.4 Telnet Server

The Telnet Server is disabled by default since it is not a secure protocol.

Telnet access can be enabled on standard TCP port 23 using the following CLI command:

Magnum 10RX(config)# set telnet enable

3.1.5 Non-SSL Web Server

Non-SSL HTTP access is disabled by default since it is not a secure protocol.

WARNING: If the CLI is accessed via Telnet, the username and password will be sent in the clear and could be snooped on by an attacker.

WARNING: If the GUI is accessed via HTTP, the username and password will be sent in the clear and could be snooped on by an attacker.


Non-SSL HTTP access can be enabled on standard TCP port 80 using the following CLI command:

Magnum 10RX(config)# set http enable
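A defender's check for the management settings described in Sections 3.1.3 to 3.1.5, as an added example that is not part of the INOS guide or GarrettCom software: it scans saved CLI text for the commands that enable Telnet, non-SSL HTTP and SSHv1 compatibility, and for an SNTP client enabled without an authentication key. It assumes the configuration or session log contains the same command lines shown in this guide; the sample text and the names audit_inos_config and SAMPLE_CONFIG are constructed for illustration.

```python
import re

# Prompt formats shown in the guide, e.g. "Magnum 10RX(config)# ".
PROMPT_RE = re.compile(r"^\s*Magnum 10RX(?:\([\w-]+\))?#\s*")

# Commands from Sections 3.1.3.1, 3.1.4 and 3.1.5 that weaken management access.
RISKY_COMMANDS = {
    "set telnet enable":
        "Telnet enabled: CLI credentials are sent in the clear",
    "set http enable":
        "Non-SSL HTTP enabled: GUI credentials are sent in the clear",
    "ip ssh version compatibility":
        "SSHv1 compatibility enabled: older SSHv1 clients are accepted",
}
SNTP_ENABLE = "set sntp enable"
SNTP_AUTH_PREFIX = "sntp client authentication-key"


def _matches(tokens, command, allow_extra=False):
    """True if every typed token is a prefix of the matching command keyword.

    Section 2.3.3 says the CLI accepts unambiguous abbreviations, so a logged
    "set tel en" has to be treated like "set telnet enable". Prefix matching
    can over-report on very short abbreviations, which is acceptable for an audit.
    """
    want = command.split()
    if len(tokens) < len(want):
        return False
    if not allow_extra and len(tokens) != len(want):
        return False
    return all(full.startswith(typed) for typed, full in zip(tokens, want))


def audit_inos_config(text):
    """Return sorted (line_number, command, message) findings for CLI text."""
    findings = []
    sntp_enabled_line = None
    sntp_auth_seen = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = PROMPT_RE.sub("", raw).strip().lower()
        if not line:
            continue
        tokens = line.split()
        for command, message in RISKY_COMMANDS.items():
            if _matches(tokens, command):
                findings.append((lineno, command, message))
        if _matches(tokens, SNTP_ENABLE):
            sntp_enabled_line = lineno
        # Full form is: sntp client authentication-key <key-id> md5 <key>
        if len(tokens) >= 6 and _matches(tokens, SNTP_AUTH_PREFIX, allow_extra=True):
            sntp_auth_seen = True
    if sntp_enabled_line is not None and not sntp_auth_seen:
        findings.append((sntp_enabled_line, SNTP_ENABLE,
                         "SNTP client enabled without an authentication key"))
    return sorted(findings)


# Constructed sample session, built only from commands that appear in this guide.
SAMPLE_CONFIG = """\
Magnum 10RX(config)# set sntp enable
Magnum 10RX(config)# sntp client version v4
Magnum 10RX(config)# sntp unicast-server ipv4 192.5.41.209 primary 4 1234
Magnum 10RX(config)# set tel en
Magnum 10RX(config)# ip ssh version compatibility
"""

if __name__ == "__main__":
    for lineno, command, message in audit_inos_config(SAMPLE_CONFIG):
        print(f"line {lineno}: [{command}] {message}")
```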

3.2 Time and Date

The system time and date can be obtained by implementing SNTP (See “Configuring SNTP in the CLI” on page 3-13 and “Configuring SNTP in the GUI” on page 3-22) or it can be set manually with the clock command.

For time and date functionality accessed in the GUI see Section 3.8.2.1.

3.2.1 Setting Time and Date Manually

You can set the time and date by using the clock set command at the Magnum 10RX# prompt.

Command syntax:

clock set hh:mm:ss day month year

Where:

hh:mm:ss is the specified time. Valid values for the hour are in a range of 00-23, for minutes, 00-60, and for seconds 00-60.

day is a numerical value specifying the day of the month in a range of 1-31,

month is an alphabetic string specifying the month.

year is a four-digit string in the range 2000-2035.

Example:

Magnum 10RX# clock set 12:51:30 26 september 2012

You can view the current system time with the show clock command.

Example:

Magnum 10RX# show clock

Tue Nov 06 16:23:18 2012

Magnum 10RX#

Figure 3-4. show clock Command Output

3.2.2 Configuring SNTP in the CLI

SNTP (Simple Network Time Protocol) is used to obtain the system time and date from an SNTP server and to synchronize network devices to that time.


The following commands enable you to configure Simple Network Time Protocol (SNTP) functionality to obtain the correct time from an SNTP server.

3.2.2.1 Enabling and Disabling the SNTP Client

Use the set sntp command in Global Configuration mode to enable and disable the SNTP client.

Command syntax:

set sntp {enable | disable}

Example:

Magnum 10RX(config)# set sntp enable

This example enables the SNTP client on the current INOS device.

Default value: Disabled

3.2.2.2 Setting the SNTP Client Version

Use the sntp client version command in Global Configuration mode to specify the SNTP version on your network. Version 4, specified in RFC 5905, became the current reference version in 2010.

Command syntax:

sntp client version {v1 | v2 | v3 | v4}

Example:

Magnum 10RX(config)# sntp client version v4

This example specifies that the SNTP client on the current INOS device will use SNTP version 4. The SNTP client should use the same version as that running on the SNTP server.

Default value: v4

3.2.2.3 Setting the SNTP Client Addressing Mode

Use the sntp client addressing mode command in Global Configuration mode to specify the SNTP addressing mode on this client.

Command syntax:

set sntp client addressing mode {unicast | broadcast | multicast}

TIP: You can force the system clock to update by disabling and re-enabling the clock with the set sntp command.

Where:

unicast: Unicast operates in a point-to-point fashion. A unicast client sends a request to a designated server at its unicast address and expects a reply from which it can determine the time and, optionally, the round-trip delay and local clock offset relative to the server.

broadcast: Broadcast operates in a point-to-multipoint fashion. The SNTP server uses an IP local broadcast address instead of a multicast address. The broadcast address is scoped to a single subnet, while a multicast address has Internet-wide scope.

multicast: Multicast operates in point-to-multipoint fashion. The SNTP server uses a multicast group address to send unsolicited SNTP messages to clients. The client listens on this address and sends no requests for updates.

Example:

Magnum 10RX(config)# sntp client addressing mode unicast

Default value: unicast

3.2.2.4 Setting the SNTP Client Port

Use the sntp client port command in Global Configuration mode to specify the SNTP port on a server that is waiting for a client connection.

Notes:

• The default value of 123 for this port is assigned by the Internet Assigned Numbers Authority (IANA).

• This command is executed only if SNTP is enabled.

• The command no sntp client port deletes any non-default value that had been specified and restores the default.

Command syntax:

sntp client port portnum

Where,

portnum is a numerical value in the range 1025-65535

Example:

Magnum 10RX(config)# sntp client port 777

Default value: 123

Valid range: 1025-65535

3.2.2.5 Setting the SNTP Clock Format

Use the sntp client clock-format command in Global Configuration mode to specify the time reporting format to be displayed.

Command syntax:

sntp client clock-format {ampm | hours}

Where:

ampm — Display the time in two 12-hour cycles (00:00:00-11:59:50) with suffixes AM and PM.

hours — Display the time in a single 24-hour cycle (00:00:00-23:59:59).

Example:

Magnum 10RX(config)# sntp client clock-format hours

This example specifies that the time obtained with the SNTP protocol will be displayed in 24-hour format.

Default value: hours

3.2.2.6 Setting the SNTP Client Time Zone

Use the sntp client time-zone command in Global Configuration mode to specify the difference between Universal Coordinated Time (UTC) and the local time.

Command syntax:

sntp client time-zone [+ | -] diffhrs:diffmin

Where:

+ and - preceding time values indicate a time in advance of or behind UTC.

diffhrs:diffmin specifies the difference from UTC in hours and minutes.

Example:

Magnum 10RX(config)# sntp client time-zone -5:00

This example specifies that the local time is 5 hours behind UTC. (This is the correct setting for U. S. Eastern Standard Time.)

Default value: +0:0

Valid range: -12:59 to +12:59

3.2.2.7 Setting the SNTP Clock Summer Time

Use the sntp client clock-summer-time command in Global Configuration mode to specify the beginning of Daylight Saving Time (DST) (when clocks are turned back one hour) and the end of DST (when clocks are turned ahead one hour) at your location.

Command syntax:

sntp client clock-summer-time startweek-startday-startmonth,hh:mm endweek-endday-endmonth,hh:mm

Where:

startweek is first, second, third, fourth, or fifth - designating the position in the month of the week in which DST will begin.


startday is sun, mon, tue, wed, thu, fri, or sat - designating the day in the starting week on which DST will begin.

startmonth is jan, feb, mar, apr, may, jun, jul, aug, sep, oct, nov, or dec - designating the month in which DST will begin.

hh:mm is a numerical string designating the hour and minute at which DST will begin or end.

endweek is first, second, third, fourth, or fifth - designating the position in the month of the week in which DST will end.

endday is sun, mon, tue, wed, thu, fri, or sat - designating the day in the starting week on which DST will end.

endmonth is jan, feb, mar, apr, may, jun, jul, aug, sep, oct, nov, or dec - designating the month in which DST will end.

Example:

Magnum 10RX(config)# sntp client clock-summer-time second-sun-mar,02:00 first-sun-nov,02:00

This example specifies that DST will begin at 2:00 am on the second Sunday of March and will end at 2:00 am on the first Sunday of November.

Note that the two large elements of this specification are separated by a space and that within each of those elements the hour and minute specification is separated from the week-day-month specification by a comma only (no spaces).

3.2.2.8 Setting the SNTP Client Authentication Key

Use the sntp client authentication key command in Global Configuration mode to enforce secure communications between SNTP client and server in the Unicast addressing mode. SNTP authentication is an optional feature. The key and key-id values required to implement it on the client should be available from the administrator of SNTP security.

Command syntax:

sntp client authentication-key key-id md5 key

Where,

key-id is an integer to be included in server packets to provide authentication.

key is a string to identify the client.

Example:

Magnum 10RX(config)# sntp client authentication-key 123 md5 whiterabbit

This example specifies that the SNTP client obtain time and date information from the server whose packets include the key-id 123 after supplying the key whiterabbit as authentication.


Valid ranges:

key-id:- 0 to 65535

key:- alphanumeric string of up to 16 characters.
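How a key-id and an MD5 key are used on the wire in standard NTP symmetric-key authentication, as an added example that is not INOS code: the sender appends the 4-byte key-id and MD5(key || header) to the 48-byte packet, and the receiver recomputes the digest with its own copy of the key before trusting the time. That INOS follows this standard scheme is an assumption; the packet contents and the function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48      # fixed NTP/SNTP header
MAC_LEN = 4 + 16         # 32-bit key identifier followed by a 128-bit MD5 digest
MAX_KEY_ID = 65535       # key-id range given in this guide
MAX_KEY_CHARS = 16       # key length limit given in this guide


def build_client_request(transmit_seconds):
    """Build a 48-byte SNTP v4 client request (LI=0, VN=4, Mode=3)."""
    header = bytearray(NTP_HEADER_LEN)
    header[0] = (0 << 6) | (4 << 3) | 3
    # Transmit timestamp occupies the last 8 bytes: seconds since 1900, fraction.
    struct.pack_into("!II", header, 40, transmit_seconds, 0)
    return bytes(header)


def append_mac(header, key_id, key):
    """Append key-id and MD5(key || header) to an NTP header."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("NTP header must be 48 bytes")
    if not 0 <= key_id <= MAX_KEY_ID:
        raise ValueError("key-id outside 0 to 65535")
    if not 0 < len(key) <= MAX_KEY_CHARS:
        raise ValueError("key must be 1 to 16 characters")
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_packet(packet, keys):
    """Check the MAC on a received packet; keys maps key-id to key bytes.

    Returns (ok, reason). A packet with no MAC is reported, not accepted,
    so a client that requires authentication can drop it.
    """
    if len(packet) == NTP_HEADER_LEN:
        return False, "no MAC present"
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "unexpected length"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key-id"
    expected = hashlib.md5(key + header).digest()
    # Constant-time comparison avoids leaking how many digest bytes matched.
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "digest mismatch"
    return True, "authenticated"


# Key table using the key-id and key from the guide's own example command.
EXAMPLE_KEYS = {123: b"whiterabbit"}

if __name__ == "__main__":
    pkt = append_mac(build_client_request(3_600_000_000), 123, b"whiterabbit")
    print(len(pkt), verify_packet(pkt, EXAMPLE_KEYS))
    forged = bytearray(pkt)
    forged[43] ^= 0x01   # alter the transmit timestamp after signing
    print(verify_packet(bytes(forged), EXAMPLE_KEYS))
```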

3.2.2.9 Setting the SNTP Unicast Server

Use the sntp unicast server command in Global Configuration mode to specify the SNTP server to be used for Unicast time and date synchronization.

Command syntax:

sntp unicast-server ipv4 4addr [primary | secondary] [3 | 4] [port portnum]

Where,

4addr is the IP address of the server in IPv4 format.

primary or secondary are the two valid specifications for Unicast server type.

3 or 4 are the two valid specifications for SNTP version.

portnum is a numerical value in the range 1025-36564 specifying the port identifier in the server.

Example:

Magnum 10RX(config)# sntp unicast-server ipv4 192.5.41.209 primary 4 1234

3.2.2.10 Setting the SNTP Unicast Server Auto-discovery

Use the sntp unicast-server auto-discovery command in Global Configuration mode to enable the client to automatically discover the SNTP unicast server.

Command syntax:

sntp unicast-server auto-discovery {enabled | disabled}

Example:

Magnum 10RX(config)# sntp unicast-server auto-discovery enabled

Default value: disabled

3.2.2.11 Setting the SNTP Unicast-poll-interval

Use the sntp unicast-poll-interval command in Global Configuration mode to set the interval between SNTP request messages to the server.

Command syntax:

sntp unicast-poll-interval poll-secs

Where:

poll-secs is a numerical value specifying the interval in seconds between SNTP messages.


Example:

Magnum 10RX(config)# sntp unicast-poll-interval 120

Valid range: 16-16284 seconds

Default value: 64

3.2.2.12 Setting the SNTP Unicast-max-poll-timeout

Use the sntp unicast-max-poll-timeout command in Global Configuration mode to configure the maximum interval to wait for a request message to complete.

Command syntax:

sntp unicast-max-poll-timeout to-secs

Where:

to-secs is a numerical value specifying the maximum number of seconds to wait for a poll to complete.

Example:

Magnum 10RX(config)# sntp unicast-max-poll-timeout 20

Valid range: 1-30 seconds

Default value: 5

3.2.2.13 Setting the SNTP Unicast-max-poll-retry

Use the sntp unicast-max-poll-retry command in Global Configuration mode to configure the maximum number of failed request messages to a non-responsive server.

Command syntax:

sntp unicast-max-poll-retry retries

Where:

retries is a numerical value specifying the maximum number of times to retry sending request messages to a non-responsive server.

Example:

Magnum 10RX(config)# sntp unicast-max-poll-retry 5

Valid range: 1-10

Default value: 3

3.2.2.14 Enabling and Disabling Broadcast Mode Send Request

Use the sntp broadcast-mode send-request command in Global Configuration mode to send request packets to the broadcast server to calculate transmission delay.

Command syntax:

sntp broadcast-mode send-request [enabled | disabled]


Example:

Magnum 10RX(config)# sntp broadcast-mode send-request enabled

This example enables the sending of packets to the SNTP server to calculate the transmission delay. If this is not enabled the configured SNTP broadcast delay time is used.

Default value: Disabled

3.2.2.15 Setting SNTP Broadcast Poll Timeout

Use the sntp broadcast-poll-timeout command in Global Configuration mode to specify the maximum length of time to wait for a poll to complete.

Command syntax:

sntp broadcast-poll-timeout secs

Where:

secs is a numerical value specifying the maximum number of seconds to wait for a poll to complete.

Example:

Magnum 10RX(config)# sntp broadcast-poll-timeout 15

This example sets the maximum wait time to 15 seconds.

Default value: 5

Valid range: 1-30

3.2.2.16 Setting SNTP Broadcast Delay Time

Use the sntp broadcast-delay-time command in Global Configuration mode to specify the delay time in the case where the client does not receive a response from the server.

Command syntax:

sntp broadcast-delay-time microsecs

Where:

microsecs is a numerical value specifying the number of microseconds the client will wait for a response from the server.

Example:

Magnum 10RX(config)# sntp broadcast-delay-time 12000

Default value: 8000

Valid range: 1000-15000

3.2.2.17 Enabling and Disabling Multicast Mode Send Request

Use the sntp multicast-mode send-request command in Global Configuration mode to send request packets to the broadcast server to calculate transmission delay.

Command syntax:

sntp multicast-mode send-request {enabled | disabled}

Example:

Magnum 10RX(config)# sntp multicast-mode send-request enabled

This example enables the sending of packets to the SNTP server to calculate the transmission delay. If this is not enabled the configured SNTP multicast delay time is used.

Default value: Disabled

3.2.2.18 Setting SNTP Multicast Poll Timeout

Use the sntp multicast-poll-timeout command in Global Configuration mode to specify the maximum length of time to wait for a poll to complete.

Command syntax:

sntp multicast-poll-timeout secs

Where:

secs is a numerical value specifying the maximum number of seconds to wait for a poll to complete.

Example:

Magnum 10RX(config)# sntp multicast-poll-timeout 15

Default value: 5

Valid range: 1-30

3.2.2.19 Setting SNTP Multicast Delay Time

Use the sntp multicast-delay-time command in Global Configuration mode to specify the length of time the client will wait for a response from the server.

Command syntax:

sntp multicast-delay-time microsecs

Where:

microsecs is a numerical value specifying the number of microseconds the client will wait for a response from the server.

Example:

Magnum 10RX(config)# sntp multicast-delay-time 12000

Default value: 8000

Valid range: 1000-15000

3.2.2.20 Setting SNTP Multicast Group Address

Use the sntp multicast-group-address command in Global Configuration mode to specify an IP address where the client will listen for updates from an SNTP server.

Command syntax:

sntp multicast-group-address ipv4 mcast_addr | default

Where:

mcast_addr is an IPv4 address.

default sets the multicast default address to 224.0.1.1.

Example:

Magnum 10RX(config)# sntp multicast-group-address ipv4 224.0.1.2

3.2.2.21 Displaying Settings and Status

Use the following commands at the Magnum 10RX# prompt to display current settings and status:

• show sntp status

• show sntp unicast-mode status

• show sntp broadcast-mode status

• show sntp multicast-mode status

3.2.3 Configuring SNTP in the GUI

The Graphical User Interface provides four screens for SNTP configuration.

This screen enables you to configure Simple Network Time Protocol (SNTP) functionality to obtain the correct time from an SNTP server.

The Client Configuration Screen

Figure 3-5. SNTP Client Configuration Screen

The SNTP parameters configurable on the CLI and described above are also configurable in the GUI on the screen depicted in Figure 3-5. Some parameters may be selected from drop-down lists; others are user-supplied according to the criteria described above for command line entry.

The SNTP Unicast Table Screen

Figure 3-6. SNTP Unicast Table Screen

The parameters configurable in this screen correspond to those described in the sntp unicast-server command above.

The SNTP Broadcast Configuration Screen

Figure 3-7. SNTP Broadcast Configuration Screen

The parameters configurable in this screen correspond to those described in the several sntp broadcast- commands above.

The SNTP Multicast Configuration Screen

Figure 3-8. SNTP Multicast Configuration Screen

The parameters configurable in this screen correspond to those described in the several sntp multicast- commands above.

3.3 SNMP

SNMP is a widely deployed protocol that is commonly used to monitor and manage network devices. SNMP works by sending messages, called protocol data units (PDUs), to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters.

3.3.1 Configuring SNMPv3 Access

SNMPv3 configuration is based on the tables defined in RFC 3414 (SNMP USM) and RFC 3415 (SNMP VACM). To really understand how to configure SNMPv3 you should become familiar with these documents and the MIBs they define. In summary, to configure SNMPv3 access to the 10RX, you must perform the following actions:

1. Define at least one SNMPv3 user.

An SNMPv3 user entry consists of:

• a security name

• an authentication protocol

• an authentication key

• a privacy protocol

• a privacy key

2. Define at least one SNMPv3 group.

An SNMPv3 group entry consists of:

• a group name

• a user security name

• a security model

• a security level

Multiple users may be added to a group by creating multiple group entries with the same group name.

3. Define an SNMPv3 access policy for each group.

An SNMPv3 access policy entry consists of:

• the group name

• a read view name

• a write view name

• a notify view name

4. Define at least one SNMPv3 view.

An SNMPv3 view entry consists of:

• a tree OID

• an OID mask

• a type

Views define a set of tree branches within a MIB that may or may not be accessed by a group. Separate views for reading, writing, and notifications are assigned to a group via the SNMP access policy described in the previous step.

3.3.1.1 Example SNMPv3 Configuration

Figure 3-9 illustrates the configuration of a single user with read/write access to the entire 10RX MIB. SNMP packets will be authenticated using MD5 (with the key auth1234) and encrypted using DES (with the key priv1234).

Figure 3-9. SNMPv3 Configuration

Magnum 10RX(config)# snmp user bob auth md5 auth1234 priv des priv1234

Magnum 10RX(config)# snmp group group1 user bob security-model v3

Magnum 10RX(config)# snmp access group1 v3 priv read defaultview write defaultview notify defaultview

Magnum 10RX(config)# snmp view defaultview 1 included

3.3.2 Managing SNMPv3 Views

You can limit a user's access to specific MIB trees through advanced configuration of the SNMP views assigned to that user's group. In the previous example the snmp view defaultview 1 included command tells the system that user bob should be able to access the entire MIB. That is, all OIDs starting with the octet 1 are included in the view. You can create exceptions to this policy using the excluded keyword. For example, if you wish to prevent bob from accessing any private MIB objects, you can add the following configuration to the previous example:

Figure 3-10. SNMPv3 View Configuration Example 1

Magnum 10RX(config)# snmp view defaultview 1.3.6.1.4 excluded

You can assign different views to a group for reading, writing, and notifications. So, for example, you can easily create a configuration in which bob is allowed to read the entire MIB but is not allowed to write to any objects in the private MIB. The commands required to implement such a configuration would be:

Figure 3-11. SNMPv3 View Configuration Example 2

Magnum 10RX(config)# snmp user bob auth md5 auth1234 priv des priv1234

Magnum 10RX(config)# snmp group group1 user bob security-model v3

Magnum 10RX(config)# snmp access group1 v3 priv read defaultread write defaultwrite notify defaultnotify

Magnum 10RX(config)# snmp view defaultread 1 included

Magnum 10RX(config)# snmp view defaultwrite 1 included

Magnum 10RX(config)# snmp view defaultwrite 1.3.6.1.4 excluded

Magnum 10RX(config)# snmp view defaultnotify 1 included

3.3.3 Configuring SNMPv3 Notifications

SNMPv3 notification configuration is based on the tables defined in RFC 3413 (SNMP Applications). To obtain the best understanding of SNMPv3 notification configuration you should become familiar with that document and the MIBs it defines.

In summary, to configure SNMPv3 notifications on the 10RX you must perform the following actions:

1. Define at least one SNMPv3 target address.

An SNMPv3 target address entry consists of:

• the name of the target address entry

• the name of a target parameters entry

• a target IP address

• a tag

The tag is used to associate a target address with a notification type (see below).

2. Define at least one set of SNMPv3 target parameters.

An SNMPv3 target parameters entry consists of:

• the name of the target parameters entry

• a security name

• a security model

• a security level

• a message processing model

Each set of target parameters defines the security policy to be used when sending the notification. A target parameter entry is mapped to a target address entry.

3. Define at least one SNMPv3 notification entry.

An SNMPv3 notification entry consists of:

• the notification entry name

• a tag name

• a notification type

3.3.3.1 Example SNMPv3 Notification Configuration

Figure 3-12 illustrates the configuration of SNMPv3 traps to be sent to the user bob defined in the previous example. The trap will be sent using the security policy defined for bob and only traps that fall within bob's allowed notify view will be sent. The trap will be delivered to the address 192.168.2.42.

Figure 3-12. SNMPv3 Notification Configuration

Magnum 10RX(config)# snmp targetaddr target1 param param1 ipv4 192.168.2.42 taglist tag1

Magnum 10RX(config)# snmp targetparams param1 user bob security-model v3 priv message-processing v3

Magnum 10RX(config)# snmp notify notify1 tag tag1 type trap

3.3.4 Filtering SNMPv3 Notifications

You can filter SNMPv3 notifications so that only certain notifications are sent to particular Management Stations. To configure SNMPv3 notification filtering, you must perform the following actions:

1. Specify a filter profile name when configuring the target parameters (step 2 from the previous section).

2. Define a filter profile.

An SNMPv3 filter profile entry consists of:

• a filter profile name

• an OID

• a type

Configuring a filter profile entry is very similar to configuring an SNMPv3 view entry. All of the filter profile entries with the same filter profile name form a single filtering policy.

3.3.4.1 Example SNMPv3 Notification Filtering

Figure 3-13 illustrates the configuration of SNMPv3 notification filtering so that no enterprise specific traps (OID prefix 1.3.6.1.4) are sent to the Management Station at 192.168.2.42.

Figure 3-13. SNMPv3 Notification Filtering

Magnum 10RX(config)# snmp targetaddr target1 param param1 ipv4 192.168.2.42 taglist tag1

Magnum 10RX(config)# snmp targetparams param1 user bob security-model v3 priv message-processing v3 filter filter1

Magnum 10RX(config)# snmp notify notify1 tag tag1 type trap

Magnum 10RX(config)# snmp filter filter1 1 included

Magnum 10RX(config)# snmp filter filter1 1.3.6.1.4 excluded

3.3.5 Configuring SNMPv2c Access

Although it is not recommended, it is possible to configure the 10RX agent to respond to SNMPv2c (or SNMPv1) requests. SNMPv1 and SNMPv2c use a non-secure clear text password called a community string for the purposes of authentication and authorization. This community string must be configured within the context of the overall SNMP security architecture defined by RFC 3412 and the co-existence strategy and MIBs defined by RFC 3584.

3.3.5.1 Example SNMPv2c Configuration

Figure 3-14 illustrates the configuration of two SNMPv2 communities. The first community (public) can only read the MIB. The second community (private) has read and write privileges.

Figure 3-14. SNMPv2 View Configuration

Magnum 10RX(config)# snmp view defaultv2c 1 included

Magnum 10RX(config)# snmp user public

Magnum 10RX(config)# snmp group public user public security-model v2c

Magnum 10RX(config)# snmp access public v2c read defaultv2c

Magnum 10RX(config)# snmp community index public name public security public

Magnum 10RX(config)# snmp user private

Magnum 10RX(config)# snmp group private user private security-model v2c

Magnum 10RX(config)# snmp access private v2c read defaultv2c write defaultv2c

Magnum 10RX(config)# snmp community index private name private security private

3.3.5.2 Limiting SNMPv2c Access By Management IP

You can configure the 10RX agent to only allow SNMPv2c access from certain Management IPs. This is accomplished by creating a v2c target address and associated parameters and then specifying that target address using a transport tag during community string configuration.

The following example assumes the SNMPv2 access configuration in Section 3.3.5.1 and adds configuration that limits access only to requests from the Management Station at 192.168.2.42.

Figure 3-15. SNMPv2c Limit Access By Management IP Example

Magnum 10RX(config)# snmp targetaddr target1 param param1 ipv4 192.168.2.42 taglist tag1

Magnum 10RX(config)# snmp targetparams param1 user public security-model v2c message-processing v2c

Magnum 10RX(config)# snmp community index public name public security public transporttag tag1

3.3.5.3 Configuring SNMPv2c Traps

You can configure the 10RX agent to generate SNMPv1/v2c traps. For each Management Station defined using the procedure in the previous section, you can enable traps by associating a notification type with the transport tag.

The following example assumes the SNMPv2 access configurations in Section 3.3.5.2 and adds trap generation to the Management Station at 192.168.2.42 using the public community string.

Figure 3-16. SNMPv2c Trap Configuration Example

Magnum 10RX(config)# snmp notify notify1 tag tag1 type trap

3.3.6 SNMP Configuration in the CLI

The following sections detail the CLI commands to use to configure SNMP functionality.

3.3.6.1 Enabling and Disabling the SNMP Agent

Use the set snmp command in Global Configuration mode to enable or disable the SNMP agent. You must enable the SNMP agent to use SNMP on the device.

Command syntax:

set snmp {disable | enable}

Example:

Magnum 10RX(config)# set snmp enable

Default value: disabled

3.3.6.2 Configuring SNMP Communities

Use the snmp community index command in Global Configuration mode to specify and manage SNMP communities. For more on SNMP communities see Section 3.3.5.

Command syntax:

snmp community index commixid name commname security secname transporttag ttagid

Where:

commixid is a string of up to 32 characters identifying the community index. The community index value is unique to each community name entry.

commname preceded by the keyword name is a user-supplied string of up to 255 characters naming this community.

secname preceded by the keyword security is a user-supplied string of up to 32 characters supplying a security name for this community.

ttagid preceded by the keyword transporttag is a user-supplied string of up to 255 characters as a tag identifier. The keyword none may also be specified.

Example:

Magnum 10RX(config)# snmp community index public name public security public transporttag tag1

The no snmp community index spec command deletes the community specified by spec.

3.3.6.3 Configuring an SNMP Group

Use the snmp group command in Global Configuration mode to configure SNMP group details.

Command syntax:

snmp group groupname user username security-model {v1 | v2c | v3}

Where:

groupname is a string of up to 32 characters identifying an SNMP group.

username is a string of up to 32 characters identifying a user for the group.

v1, v2c or v3, following the keyword security-model specifies an SNMP version.

Example:

Magnum 10RX(config)# snmp group testgroup user testuser security-model v2c

Default (security-model): v3

The no snmp group spec command deletes the specified details.

3.3.6.4 Configuring SNMP Group Access

Use the snmp access command in Global Configuration mode to configure group access details.

Command syntax:

snmp access groupname {v1|v2c|v3{auth|noauth|priv}} [read readview|none] [write writeview|none] [notify noteview|none]

Where:

groupname is a string of up to 32 characters identifying an SNMP group.

v1, v2c or v3 specify the SNMP version.

authentication level is controlled by specifying:

• auth — enables MD5 or SHA packet authentication.

• noauth — specifies no authentication.

• priv — enables both authentication and privacy.

read specifies read-only access. A read view identifier may be specified with readview, a string of up to 32 characters, or none may be specified.

write specifies both read and write access. A write view identifier may be specified with writeview, a string of up to 32 characters, or none may be specified.

notify specifies notification of changes will be sent. A notify view identifier may be specified with noteview, a string of up to 32 characters, or none may be specified.

Example:

Magnum 10RX(config)# snmp access test1group v2c read v2readview write v2writeview notify v2notifyview

The no snmp access spec command deletes the specified details.

3.3.6.5 Configuring SNMP Engine ID

Use the snmp engineid command in Global Configuration mode to configure a unique identifier for the SNMPv3 engine. The engine ID is used to identify a source SNMPv3 entity and a destination SNMPv3 entity to coordinate the exchange of messages.

Command syntax:

snmp engineid engidval

Where:

engidval is a hexadecimal value given as octets separated by dots. The valid length is 5 to 32 octets.

Example:

Magnum 10RX(config)# snmp engineid 80.0.08.1c.04.5f.a9

Default value: 80.00.08.1c.04.46.53

The no snmp engineid command resets the engine ID value to the default.

3.3.6.6 Configuring SNMP View

Use the snmp view command in Global Configuration mode to configure an SNMP view. An SNMP group must have already been created using the snmp group command (see Section 3.3.6.3) and SNMP group access must be configured using the snmp access command (see Section 3.3.6.4).

For more on SNMP views see Section 3.3.1.

Command syntax:

snmp view viewname OIDtree [mask OIDmask] {included | excluded}

Where:

viewname is a string of up to 32 characters identifying this view.

OIDtree specifies the sub tree value for this view.

OIDmask specifies a mask value for this view.

The keyword included allows access to the sub tree. The keyword excluded denies access.

Example:

Magnum 10RX(config)# snmp view v2readview 1.3.6.1 mask 1.1.1.1 included

The no snmp view spec command deletes the view specified by spec.

3.3.6.7 Configuring SNMP Target Address

Use the snmp targetaddr command in Global Configuration mode to configure an SNMP target address. For more on target addresses see Section 3.3.3.

Command syntax:

snmp targetaddr targname param paramname ipv4 ipaddr [timeout tosecs] [retries retcount] [taglist tagid | none] [port portval]

Where:

targname is a string of up to 32 characters identifying this target.

paramname following the keyword param is a string of up to 32 characters identifying a parameter.

ipaddr following the keyword ipv4 is a valid IP address.

tosecs following the keyword timeout is a numerical value in the range 1-1500 specifying the number of seconds the SNMP agent waits for a response from the SNMP Manager before retransmitting the Inform Request Message.

retcount following the keyword retries is a numerical value in the range 1-3 specifying the maximum number of times the agent can retransmit the Inform Request Message.

tagid following the keyword taglist is a string of up to 255 characters specifying the tag identifier that selects the target address. The keyword none may also be specified.

portval following the keyword port is a numerical value in the range 1-65535 specifying a port number through which the generated SNMP notifications are sent to the target address.

Example:

Magnum 10RX(config)# snmp targetaddr target1 param param1 ipv4 192.168.2.42 taglist tag1

The no snmp targetaddr spec command removes the target address specified by spec.

3.3.6.8 Configuring SNMP Target Parameters

Use the snmp targetparams command in Global Configuration mode to configure SNMP target parameters. For more on target parameters see Section 3.3.3.

Command syntax:

snmp targetparams paramname user username security-model {v1|v2c|v3 {auth|noauth|priv}} message-processing {v1|v2c|v3} [filter profname]

Where:

paramname is a string of up to 32 characters identifying a parameter.

username following the keyword user is a string of up to 32 characters identifying a user for this parameter.

v1, v2c or v3, following the keyword security-model specifies an SNMP version.

authentication level is controlled by specifying:

• auth — enables MD5 or SHA packet authentication.

• noauth — specifies no authentication.

• priv — enables both authentication and privacy.

v1, v2c or v3, following the keyword message-processing specifies an SNMP version.

Example:

Magnum 10RX(config)# snmp targetparams param1 user public security-model v2c message-processing v2c

The no snmp targetparams spec command removes the target parameters entry specified by spec.

3.3.6.9 Configuring SNMP Users

Use the snmp user command in Global Configuration mode to configure an SNMP user. For more on SNMP users see Section 3.3.1.

Command syntax:

snmp user username [auth {md5 | sha} pwda [priv {des | aes} pwdp]]

Where:

username following the keyword user is a string of up to 32 characters identifying this user.

auth specifies that an authentication algorithm is to be used. Options are:

• md5 — Message Digest 5 authentication

• sha — Secure Hash Algorithm authentication

pwda (if auth has been specified) is an arbitrary string to serve as an authentication password.

priv specifies that private encryption is to be used. Options are:

• AES — Advanced Encryption Standard encryption

• DES — Data Encryption Standard encryption

pwdp (if priv has been specified) is an arbitrary string to serve as an encryption password.

Example:

Magnum 10RX(config)# snmp user bob auth md5 auth1234 priv des priv1234

The no snmp user username command deletes the details of the user specified by username.
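The settings this chapter describes as risky (clear-text v1/v2c community strings in Section 3.3.5, communities not tied to a Management IP in Section 3.3.5.2) and the md5/des choices of snmp user can be checked mechanically. The following added example is not INOS code and not part of the original guide; it audits command lines in the syntax shown in this chapter, the finding names are its own, and flagging md5 and des where sha and aes are available is the example's policy assumption.

```python
"""Audit INOS-style `snmp` configuration lines (added example, not INOS code)."""
import re

PROMPT_RE = re.compile(r"^[^#]*#\s*")  # strips a leading "Magnum 10RX(config)# "

# Constructed sample: the command lines of Figures 3-9, 3-14 and 3-15 of this guide.
SAMPLE_CONFIG = """\
Magnum 10RX(config)# snmp user bob auth md5 auth1234 priv des priv1234
Magnum 10RX(config)# snmp group group1 user bob security-model v3
Magnum 10RX(config)# snmp access group1 v3 priv read defaultview write defaultview notify defaultview
Magnum 10RX(config)# snmp view defaultview 1 included
Magnum 10RX(config)# snmp view defaultv2c 1 included
Magnum 10RX(config)# snmp user public
Magnum 10RX(config)# snmp group public user public security-model v2c
Magnum 10RX(config)# snmp access public v2c read defaultv2c
Magnum 10RX(config)# snmp community index public name public security public
Magnum 10RX(config)# snmp user private
Magnum 10RX(config)# snmp group private user private security-model v2c
Magnum 10RX(config)# snmp access private v2c read defaultv2c write defaultv2c
Magnum 10RX(config)# snmp community index private name private security private
Magnum 10RX(config)# snmp targetaddr target1 param param1 ipv4 192.168.2.42 taglist tag1
Magnum 10RX(config)# snmp targetparams param1 user public security-model v2c message-processing v2c
Magnum 10RX(config)# snmp community index public name public security public transporttag tag1
"""


def after(words, keyword):
    """Return the word that follows `keyword`, or None if it is absent."""
    return words[words.index(keyword) + 1] if keyword in words[:-1] else None


def parse(config_text):
    """Collect users, groups, access entries and communities; later lines win."""
    users, groups, access, communities = {}, {}, {}, {}
    for raw in config_text.splitlines():
        words = PROMPT_RE.sub("", raw, count=1).split()
        if len(words) < 3 or words[0] != "snmp":
            continue
        kind, rest = words[1], words[2:]
        if kind == "user":
            users[rest[0]] = (after(rest, "auth"), after(rest, "priv"))
        elif kind == "group":
            # v3 is the documented default security model (Section 3.3.6.3).
            model = after(rest, "security-model") or "v3"
            groups[(rest[0], after(rest, "user"))] = model
        elif kind == "access" and len(rest) >= 2:
            level = rest[2] if rest[1] == "v3" and len(rest) > 2 else None
            access[(rest[0], rest[1])] = (level, after(rest[1:], "write"))
        elif kind == "community" and rest[0] == "index":
            communities[after(rest, "index")] = (
                after(rest, "name"), after(rest, "security"), after(rest, "transporttag"))
    return users, groups, access, communities


def audit(config_text):
    """Return (object, finding) tuples for the final state of the configuration."""
    users, groups, access, communities = parse(config_text)
    findings = []
    for name, (auth, priv) in users.items():
        if auth == "md5":
            findings.append((f"user {name}", "md5-authentication"))
        if priv == "des":
            findings.append((f"user {name}", "des-privacy"))
    for (group, model), (level, _write) in access.items():
        if model == "v3" and level != "priv":
            findings.append((f"access {group}", "v3-without-privacy"))
    for index, (_name, secname, tag) in communities.items():
        findings.append((f"community {index}", "cleartext-community-string"))
        if tag in (None, "none"):
            findings.append((f"community {index}", "no-management-ip-restriction"))
        # Follow security name -> v1/v2c group -> access entry to find write views.
        for (group, user), model in groups.items():
            write = access.get((group, model), (None, None))[1]
            if user == secname and model in ("v1", "v2c") and write not in (None, "none"):
                findings.append((f"community {index}", "write-access"))
    return findings


if __name__ == "__main__":
    for obj, finding in audit(SAMPLE_CONFIG):
        print(f"{obj}: {finding}")
```

Because a later snmp community index line replaces an earlier one with the same index, the public community is reported as unrestricted only until the transporttag line of Figure 3-15 is applied; the private community stays writable and unrestricted.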

3.3.6.10 Configuring SNMP Notifications

Use the snmp notify command in Global Configuration mode to configure an SNMP notification entry. For more on SNMP notifications see Section 3.3.3.

Command syntax:

snmp notify notename tag tagname type {trap | inform}

Where:

notename is a string of up to 32 characters identifying this notification entry.

tagname is a string of up to 32 characters identifying a notification tag which selects the entries in the Target Address Table.

trap or inform following the keyword type specify the type of notification:

• trap — A trap is a one-way message from a network element to the network management system.

• inform — Inform enables inform requests to be sent from a router or switch to SNMP management.

Example:

Magnum 10RX(config)# snmp notify notify1 tag tag1 type trap

The no snmp notify spec command deletes the details of the notification entry specified by spec.

3.3.6.11 Configuring SNMP Filters

Use the snmp filter command in Global Configuration mode to filter SNMP notifications. For more on SNMP notifications see Section 3.3.4.

Command syntax:

snmp filter profname oidtree [mask oidmask] {included | excluded}

Where:

profname is a string of up to 32 characters identifying this filter profile.

oidtree is an object identifier.

oidmask is a mask that, with oidtree, defines a family of sub trees.

included or excluded define whether the filter will have the effect of including specified messages or excluding them.

Example:

Magnum 10RX(config)# snmp filter filter1 1 included

The no snmp filter spec command deletes the filter specified by spec.
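How included and excluded entries combine applies both to the views of Sections 3.3.2 and 3.3.6.6 and to the filter profiles of Sections 3.3.4 and 3.3.6.11, which use the same subtree/mask/type entries. The following added example (not INOS code and not from the original guide) evaluates such entries with the RFC 3415 view-family rule, in which the matching entry with the longest subtree decides. It assumes the dotted INOS mask (as in mask 1.1.1.1) carries one bit per sub-identifier with 1 meaning exact match; the ifrow2 view and the enterprise number 99999 are constructed for illustration.

```python
"""Evaluate `snmp view` / `snmp filter` entries (added example, not INOS code)."""
import re

ENTRY_RE = re.compile(
    r"snmp\s+(?P<kind>view|filter)\s+(?P<name>\S+)\s+(?P<oid>\d+(?:\.\d+)*)"
    r"(?:\s+mask\s+(?P<mask>[01](?:\.[01])*))?\s+(?P<type>included|excluded)\s*$"
)

# Figure 3-11 views and Figure 3-13 filter from this guide, plus one constructed
# masked view (ifrow2) that selects every ifTable column for ifIndex 2.
SAMPLE_CONFIG = """\
Magnum 10RX(config)# snmp view defaultread 1 included
Magnum 10RX(config)# snmp view defaultwrite 1 included
Magnum 10RX(config)# snmp view defaultwrite 1.3.6.1.4 excluded
Magnum 10RX(config)# snmp view defaultnotify 1 included
Magnum 10RX(config)# snmp filter filter1 1 included
Magnum 10RX(config)# snmp filter filter1 1.3.6.1.4 excluded
Magnum 10RX(config)# snmp view ifrow2 1.3.6.1.2.1.2.2.1.0.2 mask 1.1.1.1.1.1.1.1.1.0.1 included
"""


def parse_oid(text):
    """'1.3.6.1' -> (1, 3, 6, 1)"""
    return tuple(int(part) for part in text.split("."))


def parse_entries(config_text):
    """Return {(kind, name): [(subtree, mask, included), ...]} from CLI lines."""
    table = {}
    for line in config_text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        mask = parse_oid(m["mask"]) if m["mask"] else ()
        entry = (parse_oid(m["oid"]), mask, m["type"] == "included")
        table.setdefault((m["kind"], m["name"]), []).append(entry)
    return table


def family_matches(oid, subtree, mask):
    """True if `oid` belongs to the family defined by subtree and mask."""
    if len(oid) < len(subtree):
        return False
    for i, sub_id in enumerate(subtree):
        must_match = mask[i] if i < len(mask) else 1  # a short mask is padded with 1s
        if must_match and oid[i] != sub_id:
            return False
    return True


def in_view(entries, oid):
    """Decide whether `oid` is in the view (or passes the filter profile).

    Of all matching families, the one with the most sub-identifiers wins;
    ties go to the lexicographically greatest subtree. No match means excluded.
    """
    oid = parse_oid(oid) if isinstance(oid, str) else tuple(oid)
    matches = [e for e in entries if family_matches(oid, e[0], e[1])]
    if not matches:
        return False
    _subtree, _mask, included = max(matches, key=lambda e: (len(e[0]), e[0]))
    return included


if __name__ == "__main__":
    table = parse_entries(SAMPLE_CONFIG)
    probes = {
        "sysName.0": "1.3.6.1.2.1.1.5.0",
        "enterprise object (constructed)": "1.3.6.1.4.1.99999.1.0",
        "ifDescr.2": "1.3.6.1.2.1.2.2.1.2.2",
        "ifDescr.3": "1.3.6.1.2.1.2.2.1.2.3",
    }
    for (kind, name), entries in table.items():
        for label, oid in probes.items():
            print(f"{kind} {name}: {label} -> {in_view(entries, oid)}")
```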

3.3.6.12 Configuring SNMP Traps

Use the snmp trap command in Global Configuration mode to specify the UDP port over which the SNMP agent sends the trap.

Command syntax:

snmp trap udp-port portnum

Where:

portnum is a numerical value in the range 1-65535 specifying a UDP port.

Example:

Magnum 10RX(config)# snmp trap udp-port 55

3.3.7 SNMP Configuration in the GUI

The following sections describe the GUI screens to use to configure SNMP.

3.3.7.1 Enabling and Disabling the SNMP Agent

In the GUI go to System: SNMP to access the SNMP Agent Control Settings screen and enable or disable SNMP in the system, as illustrated in Figure 3-17.

Figure 3-17. SNMP Agent Control Settings Screen

In the SNMP Agent Control Settings screen enable or disable the SNMP agent and specify an agent port.

3.3.7.2 Configuring SNMP Community Settings

In the GUI go to the System: SNMP: Security: Community tab to configure community information for SNMP versions 1 and 2, as illustrated in Figure 3-25.

Figure 3-18. SNMP Community Settings Screen

In the SNMP Community Settings screen use the upper dialog box to configure a community. Click Add to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured communities.

For more on SNMP communities see Section 3.3.5 and Section 3.3.6.2.

Table 3-1. SNMP Community Settings Fields

| Parameter | Description |
|---|---|
| Select | You must click a selection button before modifying a configuration. |
| Community Index | A string of up to 32 characters identifying the community index. The community index value is unique to each community name entry. |
| Community Name | A user-supplied string of up to 255 characters naming this community. |
| Security Name | A user-supplied string of up to 32 characters supplying a security name for this community. |
| Transport Tag | A user-supplied string of up to 255 characters as a tag identifier. |

3.3.7.3 Configuring SNMP Group Settings

In the GUI go to the System: SNMP: Security: Group tab to configure SNMP groups, as illustrated in Figure 3-19.

Figure 3-19. SNMP Group Settings Screen

In the SNMP Group Settings screen use the upper dialog box to specify a group. Click Add to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured groups.

For more on SNMP groups see Section 3.3.1 and Section 3.3.6.3.

Table 3-2. SNMP Group Settings Fields

| Parameter | Description |
|---|---|
| Select | You must click a selection button before modifying a configuration. |
| Security Model | The SNMP security model, that is, the SNMP version, that applies to this group. Options are v1, v2c, and v3. |
| Security Name | A user security name of up to 32 characters. |
| Group Name | A string of up to 32 characters identifying an SNMP group. |

3.3.7.4 Configuring SNMP Group Access Settings

In the GUI go to the System: SNMP: Security: Group Access tab to configure access to SNMP groups, as illustrated in Figure 3-20.

Figure 3-20. SNMP Group Access Settings Screen

In the SNMP Group Access Settings screen use the upper dialog box to configure group access details. Click Add to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured group access details.

For more on SNMP access see Section 3.3.2 and Section 3.3.6.4.

Table 3-3. SNMP Group Access Settings Fields

| Parameter | Description |
| --- | --- |
| Select | You must click a selection button before modifying a configuration. |
| Group Name | A string of up to 32 characters identifying an SNMP group. |
| Security Model | The SNMP security model, that is, the SNMP version, that applies to this group. Options are: v1, v2c, v3. |
| Security Level | The security or authentication level may be one of the following: No Authentication (specifies no authentication); Authentication (enables MD5 or SHA packet authentication); Private (enables both authentication and privacy). |
| Read View | The view provides read-only access. The view identifier is a string of up to 32 characters. |
| Write View | The view provides read and write access. The view identifier is a string of up to 32 characters. |
| Notify View | The view specifies that notification of changes will be sent. The view identifier is a string of up to 32 characters. |


3.3.7.5 Configuring SNMP Views

In the GUI go to the System: SNMP: Security: View tab to configure SNMP Views, as illustrated in Figure 3-21.

Figure 3-21. SNMP ViewTree Settings Screen

In the SNMP ViewTree Settings screen use the upper dialog box to configure views. Click Add to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured views.

For more on SNMP views see Section 3.3.2 and Section 3.3.6.6.

Table 3-4. SNMP ViewTree Settings Fields

| Parameter | Description |
| --- | --- |
| Select | You must click a selection button before modifying a configuration. |
| View Name | A string of up to 32 characters identifying this view. |
| Sub Tree | The sub tree value for this view. |
| Mask | A mask value for this view. |
| View Type | Select Included to allow access to the sub tree. Select Excluded to deny access. |


3.3.7.6 Configuring SNMP Target Addresses

In the GUI go to the System: SNMP: Security: Target Address tab to configure SNMP target addresses, as illustrated in Figure 3-22.

Figure 3-22. SNMP Target Address Settings Screen

In the SNMP Target Address Settings screen use the upper dialog box to configure target addresses. Click Add to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured addresses.

For more on SNMP target addresses see Section 3.3.3 and Section 3.3.6.7.

Table 3-5. SNMP Target Address Settings Fields

| Parameter | Description |
| --- | --- |
| Select | You must click a selection button before modifying a configuration. |
| Target Name | A string of up to 32 characters identifying this target address entry. |
| Target IP Address | A valid IP address for the target. |
| Port | A numerical value in the range 1-65535 specifying a port number through which the generated SNMP notifications are sent to the target address. |
| Transport Tag | A string of up to 255 characters specifying the tag identifier that selects the target address. |
| Param | A string of up to 32 characters identifying a parameter entry. |


3.3.7.7 Configuring SNMP Target Parameters

In the GUI go to the System: SNMP: Security: Target Parameter tab to configure SNMP target parameters, as illustrated in Figure 3-23.

Figure 3-23. SNMP Target Parameter Settings Screen

In the SNMP Target Parameter Settings screen use the upper dialog box to configure target parameters. Click Add to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured parameters.

For more on SNMP target parameters see Section 3.3.3 and Section 3.3.6.8.

Table 3-6. SNMP Target Parameter Settings Fields

| Parameter | Description |
| --- | --- |
| Select | You must click a selection button before modifying a configuration. |
| Parameter Name | A string of up to 32 characters identifying a parameter. |
| MP Model | The message processing model, defined by SNMP version. Options are: v1, v2c, v3. |
| Security Model | The security model, defined by SNMP version. Options are: v1, v2c, v3. |
| Security Name | A user security name of up to 32 characters. |
| Security Level | The security or authentication level may be one of the following: No Authentication (specifies no authentication); Authentication (enables MD5 or SHA packet authentication); Private (enables both authentication and privacy). |


3.3.7.8 Configuring SNMP User Information

In the GUI go to the System: SNMP: Security: User tab to access the Security Settings screen and configure SNMP user information, as illustrated in Figure 3-24.

Figure 3-24. SNMP Security Settings Screen

In the SNMP Security Settings screen use the upper dialog box to configure users. Click Add to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured users.

For more on SNMP users see Section 3.3.1 and Section 3.3.6.9.

Table 3-7. SNMP Security Settings Fields

| Parameter | Description |
| --- | --- |
| Select | You must click a selection button before modifying a configuration. |
| User Name | A string of up to 32 characters identifying this user. |
| Authentication Protocol | The authentication algorithm to be used. Options are: No Authentication, HMAC-MD5, HMAC-SHA. |
| Authentication Key | An arbitrary string to serve as an authentication password. |
| Privacy Protocol | Specifies that private encryption is to be used. Options are: No Privacy, DES, AES. |
| Privacy Key | An arbitrary string to serve as an encryption password. |


3.3.7.9 Managing SNMP Traps

In the GUI go to the System: SNMP: Security: Trap Manager tab to configure traps, as illustrated in Figure 3-25.

Figure 3-25. SNMP Trap Settings Screen

In the SNMP Trap Settings screen use the upper dialog box to manage traps to send messages and alerts. Click Add to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured traps.

For more on SNMP traps see Section 3.3.3 and Section 3.3.6.10.

Table 3-8. SNMP Trap Settings Fields

| Parameter | Description |
| --- | --- |
| Select | You must click a selection button before modifying a configuration. |
| Notify Name | A string of up to 32 characters identifying this notification entry. |
| Notify Tag | A string of up to 32 characters identifying a notification tag which selects the entries in the Target Address Table. |
| Notify Type | The type of notification generated by this trap. Options are: Trap (a one-way message from a network element to the network management system); Inform (enables inform requests to be sent from a router or switch to SNMP management). |


3.3.7.10 Configuring SNMP Filters

In the GUI go to the System: SNMP: Security: Filter Conf tab to configure SNMP filter settings, as illustrated in Figure 3-26.

Figure 3-26. SNMP Filter Settings Screen

In the SNMP Filter Settings screen use the upper dialog box to configure filters for SNMP notifications. Click Add to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured filters.

For more on SNMP filters see Section 3.3.4 and Section 3.3.6.11.

Table 3-9. SNMP Filter Settings Fields

| Parameter | Description |
| --- | --- |
| Select | You must click a selection button before modifying a configuration. |
| Profile Name | A string of up to 32 characters identifying this filter profile. |
| Sub Tree | An object identifier. |
| Mask | A mask that, with Sub Tree, defines a family of sub trees. |
| Filter Type | Included or Excluded define whether the filter will have the effect of including specified messages or excluding them. |

3.4 User Management

INOS user management commands enable an administrator to add, delete, block and unblock users, to change passwords, and to control access policies. Most of these commands are available only to an administrator but a non-administrator user can use the change password command to change his or her own password.


3.4.1 Displaying User Information

An administrator can obtain a display of information for all users by entering the following command:

Magnum 10RX # show users

This will display output like that below. Administrators can modify all of the parameters in this display, including the deletion of users, except for the last administrative user.

Login Information:
Maximum Login Attempts: 3
Login Lock Out Time: 30 seconds
Required Password Strength: 75%
Users:
User Name: root
User Mode: /
Privilege Level: 15
Password Expires: Never
Last Login: 10/06/11 08:17:34
Inactivity Timer: Disabled
Status: Enabled
***************************************
User Name: guest
User Mode: /
Privilege Level: 1
Password Expires: Never
Last Login: Never
Inactivity Timer: Disabled
Status: Enabled

Figure 3-27. Output of the show users command

3.4.2 Configuring System Login Information

Administrative users can execute the login command set to specify the login information displayed at the top of the image in Figure 3-27. These values have system-wide effect and are set when the CLI is in configuration mode.

3.4.2.1 Setting Maximum Login Attempts and Lock-out Time

The Maximum Login Attempts value specifies the number of times a user may try and fail to log in before the system locks that user out. The Login Lock Out Time value specifies the length of time that the lock-out lasts before the user can try again to log in.


The login block-for command is used to set both of these values on the same command line. Both values must be specified in order for the command to be accepted as complete.

Command syntax:

login block-for <seconds(30-600)> attempts <tries(1-10)>

Example:

Magnum 10RX(config)# login block-for 30 attempts 5

This example specifies that if a user tries and fails to log in five times within 30 minutes, that user will be locked out for 30 seconds before another attempt can be made.

3.4.2.2 Setting Required Password Strength

A password can be a string of up to 32 printable characters. Password strength is a measure of the presence of up to four characteristics in a password:

1. Upper case alphabetic character(s)

2. Lower case alphabetic character(s)

3. Numeric character(s)

4. Special character(s) - ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

A password possessing only one of these characteristics has a strength of 25%, two of the characteristics scores 50%, three scores 75% and four scores 100%. An administrative user can specify a password strength value anywhere from 1% to 100%. The system will not accept a password whose strength does not equal or exceed the quartile value immediately below the specified strength; thus, a specified strength of 65 would enforce a minimum of 50% strength.

A password that partially matches the username will be rejected with the message: Weak User Password, at least partially matches with Username

Command syntax:

login password-strength

Magnum 10RX(config)# login password-strength(1-100)

Example:

Magnum 10RX(config)# login password-strength 80

This example specifies a password strength that will enforce a minimum of 75% strength.
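The scoring and quartile rule described in this section can be modelled as follows. This is an added example, not INOS code: the function names are hypothetical, a configured value that is itself a quartile is assumed to enforce that quartile, and because the guide does not define "partially matches", a shared run of four characters (case-insensitive) is assumed.

```python
import string

# The four character classes from Section 3.4.2.2; each one present adds 25%.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = string.punctuation   # the same 32 special characters the guide lists
MAX_LEN = 32                   # "a string of up to 32 printable characters"
MIN_OVERLAP = 4                # ASSUMPTION: the guide does not define "partially matches"
USERNAME_MSG = "Weak User Password, at least partially matches with Username"


def password_strength(password):
    """Return 0, 25, 50, 75 or 100 according to the classes present."""
    classes = (UPPER, LOWER, DIGITS, SPECIAL)
    return 25 * sum(any(ch in cls for ch in password) for cls in classes)


def enforced_minimum(configured):
    """Map a configured strength (1-100) to the quartile actually enforced.

    65 -> 50 and 80 -> 75, as in the guide's examples. Values below 25
    enforce 0, meaning any password passes the strength check.
    """
    if not 1 <= configured <= 100:
        raise ValueError("password strength must be in the range 1-100")
    return (configured // 25) * 25


def shares_substring(username, password, min_len=MIN_OVERLAP):
    """True if any min_len-character run of the username occurs in the password."""
    user, pw = username.lower(), password.lower()
    run = min(min_len, len(user))
    if run == 0:
        return False
    return any(user[i:i + run] in pw for i in range(len(user) - run + 1))


def check_password(username, password, configured):
    """Return (accepted, reason) for a candidate password."""
    if not password or len(password) > MAX_LEN:
        return False, "password must be 1-32 characters"
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in password):
        return False, "password must contain only printable characters"
    if shares_substring(username, password):
        return False, USERNAME_MSG
    required = enforced_minimum(configured)
    actual = password_strength(password)
    if actual < required:
        return False, f"strength {actual}% is below the enforced minimum {required}%"
    return True, f"strength {actual}% meets the enforced minimum {required}%"


if __name__ == "__main__":
    # Constructed sample candidates.
    for user, pw, setting in [
        ("sample", "lowercase", 65),
        ("sample", "lower123", 65),
        ("newcomer", "Summer2024", 80),
        ("newcomer", "Newcomer#1", 80),
    ]:
        print(user, pw, setting, check_password(user, pw, setting))
```

Because the enforced value is rounded down to a quartile, a setting of 99 still accepts a three-class password; only 100 requires all four classes.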

3.4.3 Executing the user Command

An administrative user can execute the user command set to add and delete individual users and to control their access and privileges. The user command is issued in the EXEC command mode and it affects only the user specified by name.

The first argument to the user command is always the user ID, followed by the name of the management task to be carried out, followed by any parameters.


user generic command syntax:

Magnum 10RX# user userID action [parameter]

3.4.3.1 Adding a New User

An administrative user can add a new user to the system with the new argument.

Example:

Magnum 10RX# user newcomer new

The system responds with a request for a password for newcomer and for a confirmation of that password. This adds newcomer to the user database.

Notes:

• Newly added users have read-only privileges.

• For an explanation of password strength see Section 3.4.2.2.

3.4.3.2 Deleting a User

An administrative user can delete a user from the system with the delete argument.

Example:

Magnum 10RX# user newcomer delete

3.4.3.3 Blocking and Releasing a User

A user is denied access to an account (“blocked”) in two ways:

1. By exceeding the number of failed login attempts specified by the administrator and displayed in Login Information. In this case the user is blocked for the number of seconds specified in the login block-for setting. A show users command will display the information that the user is blocked and will provide the number of seconds remaining before the user is eligible to attempt to log in again; for example - Status Blocked 585 sec left. The user remains blocked until the specified time has expired or until an administrator executes the user username release command for the blocked account.

2. By the explicit instruction of an administrator executing the user username block command. A show users command will display the information that the user is blocked by administrative action; for example - Status Blocked by Admin. In this case the blockage remains in effect until countermanded by the user username release command.

Example:

Magnum 10RX# user newcomer block

Partial show users output: Status Blocked by Admin.

Magnum 10RX# user newcomer release

Partial show users output: Status Enabled.

3.4.3.4 Setting a User’s Inactivity Time

An administrative user can specify that an account will be blocked if that user has not logged in for a configured length of time.

Command syntax:

user username inactivity time [days (0-365)| hours (0-23) | minutes (0-59)| seconds (0-59)]

Example:

Magnum 10RX# user sample inactivity time days 7 hours 12

This command specifies that if the account of user sample is inactive for 7 days and 12 hours the account will be blocked. A successful login on the account will reset the countdown timer to 7 days and 12 hours.

The command user username inactivity time with no parameters disables the inactivity timer.

Default value: disabled

3.4.3.5 Setting a User’s Password Expiration Interval

An administrative user can specify that a user’s password will expire after a configured length of time.

Command syntax:

user username password expiration [days (0-365)| hours (0-23) | minutes (0-59)| seconds (0-59)]

Example:

Magnum 10RX# user sample password expiration days 90

This command specifies that the password for user sample will expire 90 days after its creation. The creation of a replacement password will reset the countdown timer to 90 days.

Set the expiration to Never by specifying any unit of time with a value of 0.

3.4.3.6 Setting a User’s Privilege Level

An administrative user can specify a user’s privilege level with the user privilege command. In this release there are four privilege levels available for users.

Command syntax:

user <username> privilege {admin | privileged | troubleshooting | read-only}

Where:

admin is access at the administrative (unrestricted) level.


privileged is read-write access to system configurations.

troubleshooting is read-only access to system configurations and statistics.

read-only is access restricted to debug, clear and show configurations.

Example:

Magnum 10RX# user sample privileged

This command assigns to user sample a privilege level that supports read-write configuration access.
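The per-user settings covered in Sections 3.4.3.3 to 3.4.3.6 all appear in the show users output, so a saved copy of that output can be reviewed offline. The following is an added example, not part of INOS or of this guide: it parses the layout shown in Figure 3-27 and lists accounts whose password never expires, whose inactivity timer is disabled, that have never logged in, or that are blocked. The newcomer record and the `Status: Blocked by Admin` line format are constructed, and treating level 15 as administrative is an assumption based on the root entry.

```python
# Sample input: the first two users are copied from Figure 3-27; the third
# ("newcomer") is constructed to exercise the blocked-account case.
SHOW_USERS = """\
Login Information:
Maximum Login Attempts: 3
Login Lock Out Time: 30 seconds
Required Password Strength: 75%
Users:
User Name: root
User Mode: /
Privilege Level: 15
Password Expires: Never
Last Login: 10/06/11 08:17:34
Inactivity Timer: Disabled
Status: Enabled
***************************************
User Name: guest
User Mode: /
Privilege Level: 1
Password Expires: Never
Last Login: Never
Inactivity Timer: Disabled
Status: Enabled
***************************************
User Name: newcomer
User Mode: /
Privilege Level: 1
Password Expires: Never
Last Login: Never
Inactivity Timer: Disabled
Status: Blocked by Admin
"""

ADMIN_LEVEL = 15  # ASSUMPTION: the level shown for root in Figure 3-27


def parse_show_users(text):
    """Split show users output into (login_info dict, list of user dicts)."""
    login_info, users, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"*"} or line in ("Login Information:", "Users:"):
            continue                      # blank lines, separators, section titles
        key, sep, value = line.partition(":")   # split on the first colon only
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "User Name":            # each user record starts here
            current = {key: value}
            users.append(current)
        elif current is None:             # fields before the first user are global
            login_info[key] = value
        else:
            current[key] = value
    return login_info, users


def audit_users(users, admin_level=ADMIN_LEVEL):
    """Return (user, finding) tuples for settings an administrator should review."""
    findings = []
    for user in users:
        name = user.get("User Name", "?")
        status = user.get("Status", "")
        blocked = status.lower().startswith("blocked")
        if blocked:
            findings.append((name, f"account is blocked ({status})"))
        if user.get("Password Expires") == "Never":
            findings.append((name, "password never expires"))
        if user.get("Inactivity Timer") == "Disabled":
            findings.append((name, "inactivity timer disabled"))
        if user.get("Last Login") == "Never" and not blocked:
            findings.append((name, "enabled account has never logged in"))
        level = user.get("Privilege Level", "")
        if level.isdigit() and int(level) >= admin_level:
            findings.append((name, f"administrative privilege (level {level})"))
    return findings


if __name__ == "__main__":
    login_info, users = parse_show_users(SHOW_USERS)
    print(login_info)
    for name, finding in audit_users(users):
        print(f"{name}: {finding}")
```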

3.4.4 Changing a Password

A user’s password can be changed by the user or by an administrator. A user changing his or her own password must be able to provide the old password before creating the new password. This step is not required of an administrator changing a user’s password. In either case the process is one of query and response illustrated in the examples below.

Command syntax (non-admin user):

change password

Example:

User Name: manager
User Mode: /
Magnum 10RX# change password
Old Password:
[Correctly entered but not displayed.]
Enter New Password:
[Entered but not displayed.]

Figure 3-28. System/user dialog in successful password change

Command syntax (admin user):

change password user username


Example:

User Name: manager
User Mode: /
Magnum 10RX# change password user newbie
Enter New Password:
[Entered but not displayed.]
Re-enter the Password:

Figure 3-29. System/admin dialog in successful password change

3.5 Authentication

INOS supports authentication with both Remote Authentication Dial In User Service (RADIUS) and Terminal Access Controller Access Control System (TACACS). These are authentication, authorization, and accounting (AAA) protocols.

• Authentication – The server receives requests for connections and checks that the username and password provided are authentic using a shared secret and one of two authentication schemes.

• Authorization – After successful authentication the server authorizes the requesting user to begin a session on the system.

• Accounting – The server can keep an account of services used.

RADIUS is available on both Windows and Unix systems. It is defined in RFC 2865 and RFC 2866.

TACACS is commonly used to provide authentication on Unix networks and is defined in RFC 1492.

3.5.1 RADIUS Authentication

The implementation of RADIUS authentication requires the installation of RADIUS server software on a network server and configuration of the 10RX to correctly exchange information with that server.

Install and Configure RADIUS Server Software

Obtain and install a RADIUS server application. FreeRADIUS is the best known of these and is widely available on the internet. Install the RADIUS application according to its manufacturer’s instructions. Among the files typically installed with RADIUS are two that you must edit: users.conf and clients.conf.

• In a FreeRADIUS installation for Windows these are included in the directory \\...\FreeRADIUS.net\etc.\raddb\


• In a FreeRADIUS installation for Unix these are often located in the directory /usr/local/etc/raddb, but this may vary with the software provider.

RADIUS Server Configuration in a Windows System

1. Edit users.conf by adding the following text to the end of the file:

"username" Auth-Type := PAP, User-Password == "password"

Where,

username is a user-supplied name for this user enclosed in quotation marks.

password is a user-supplied password for this user enclosed in quotation marks.

2. Edit clients.conf by adding the following text to the end of the file:

client xxx.xxx.xxx.xxx {
    secret = radius_secret
    shortname = rad
}

Where,

xxx.xxx.xxx.xxx is the IP address of a client device.

radius_secret is a user-supplied string uniquely identifying the client. (This string must match the radius_secret string specified in the 10RX RADIUS configuration described below.)

rad is a convenient alias that can be used to replace the IP address.

RADIUS Server Configuration in a Unix System

Note: the location of the *.conf files will vary with your Unix implementation.

1. Edit users.conf by adding the following text to the end of the file:

"username" Cleartext-Password := "password"
    Service-Type = Administrative-User

Where,

username is a user-supplied name for this user enclosed in quotation marks.

password is a user-supplied password for this user enclosed in quotation marks.

2. Edit clients.conf by adding the following text to the end of the file:

client xxx.xxx.xxx.xxx {
    secret = radius_secret
    shortname = Rad
}


Where,

xxx.xxx.xxx.xxx is the IP address of a client device

radius_secret is a user-supplied string uniquely identifying the client. (This string must match the radius_secret string specified in the 10RX RADIUS configuration described below.)

3. Start or restart the freeradius service by entering the following command on the Unix command line:

sudo service freeradius restart

Note: The starting user privilege can be set via Linux FreeRadius with this value:

Service-Type = Administrative-User
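The radius_secret entered in clients.conf and on the 10RX is the RADIUS shared secret, which RFC 2865 (section 5.2) uses to hide a PAP User-Password in transit. The following added example, which is not code from this guide, FreeRADIUS or INOS, implements that hiding scheme and shows that a server holding a different secret cannot recover the password the client sent; the password, secrets and Request Authenticator are constructed values.

```python
import hashlib


def _xor(a, b):
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """Client side: encode the User-Password attribute per RFC 2865 section 5.2.

    The password is padded with NULs to a multiple of 16 octets. Each 16-octet
    block is XORed with MD5(secret + previous ciphertext block), where the
    Request Authenticator stands in for the "previous block" of the first one.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1-128 octets")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, previous = b"", authenticator
    for offset in range(0, len(padded), 16):
        mask = hashlib.md5(secret + previous).digest()
        block = _xor(padded[offset:offset + 16], mask)
        hidden += block
        previous = block
    return hidden


def recover_password(hidden, secret, authenticator):
    """Server side: reverse hide_password using the server's copy of the secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    clear, previous = b"", authenticator
    for offset in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + previous).digest()
        block = hidden[offset:offset + 16]
        clear += _xor(block, mask)
        previous = block
    return clear.rstrip(b"\x00")   # drop the NUL padding


# Constructed sample values; a real client generates a random authenticator
# for every Access-Request.
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_PASSWORD = b"constructed-password-20"
ROUTER_SECRET = b"radius_secret"        # key configured on the 10RX
MATCHING_SERVER_SECRET = b"radius_secret"
MISTYPED_SERVER_SECRET = b"radius_secert"

if __name__ == "__main__":
    sent = hide_password(SAMPLE_PASSWORD, ROUTER_SECRET, SAMPLE_AUTHENTICATOR)
    print("on the wire :", sent.hex())
    print("same secret :", recover_password(sent, MATCHING_SERVER_SECRET, SAMPLE_AUTHENTICATOR))
    print("wrong secret:", recover_password(sent, MISTYPED_SERVER_SECRET, SAMPLE_AUTHENTICATOR))
```

With mismatched secrets the server recovers unrelated bytes, so the comparison against users.conf fails even though the user typed the correct password.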

3.5.1.1 Configuring RADIUS Authentication in the CLI

The following steps explain how to configure RADIUS authentication in the 10RX command line interface.

10RX Command Line Configuration

Configure 10RX with a RADIUS host and key.

1. Log in to the 10RX via the console or telnet.

2. On the 10RX command line enter the following commands:

Magnum 10RX (config) # radius-server host xxx.xxx.xxx.xxx key radius_secret primary

Where,

xxx.xxx.xxx.xxx is the IP address of the RADIUS server

radius_secret is the key string that identifies this 10RX to the RADIUS server. (This string must match the radius_secret string specified in the clients.conf file configuration described above.)

3. Check your configuration by entering the following command:

Magnum 10RX # show radius server


A successful configuration returns a report like the one below:

Radius Server Host Information
------------------------------
Index : 1
Server address : 192.168.1.90
Shared secret : yoursecret
Radius Server Status : Enabled
Response Time : 10
--Maximum Retransmission : 3
Authentication Port : 1812
Accounting Port : 1813
-----------------------------------------

Figure 3-30. RADIUS server configuration report

3.5.1.2 Configuring RADIUS Authentication in the GUI

In the GUI go to System: Management: RADIUS to configure RADIUS settings, as illustrated in Figure 3-31.

Figure 3-31. RADIUS Server Configuration Screen

In the RADIUS Server Configuration screen use the upper dialog box to profile a RADIUS server. Click the Add button to save your specifications and display them in the lower dialog box. To modify previously configured values enter the revised values in the upper dialog and click the Modify button. The revised values will be displayed in the lower dialog box.

Table 3-10. Radius Server Configuration Fields

| Parameter | Description | See Also |
| --- | --- | --- |
| Select | You must click the radio button of the port to be configured. | |
| IP Address | An IP address for the server being configured. | |
| Primary Server | If this is the primary RADIUS server select Yes, otherwise No. | |
| Shared Secret | A user-supplied string shared by client and server. | Section 3.5.1, above |
| Server Type | The authenticating server type is the only type currently supported. | |
| Response Time | The maximum time permitted for the RADIUS Server to respond to a request from the RADIUS Client. Valid range: 1-120 seconds | |
| Retry Count | The maximum number of times to retransmit a request without receiving a reply. Valid range: 1-254 | |

3.5.2 TACACS Authentication

TACACS is an AAA authentication solution. The generic configuration requirements are the same as for RADIUS authentication:

• The TACACS server software must be installed.

• The 10RX must be configured with the address of the TACACS server and a secret key that is shared with the TACACS server.

• The TACACS server software must be configured with certain information including user IDs, their passwords and privilege levels, and a secret key to match the 10RX configuration.

TACACS server software is available from multiple sources. The Cisco® ACS TACACS authentication solution is widely installed and is generously documented on the Cisco support site. The Ubuntu® operating system supplies TACACS server software at no cost. A generalized example of installation of TACACS on Ubuntu Linux is provided below. Bear in mind that the details of the installation will vary with your environment and the versions of software that you are using.

TACACS Server Configuration

These generalized instructions for installation of TACACS on the Ubuntu Linux operating system are based on software available from the following site:

http://www.ubuntuupdates.org/package/core/lucid/universe/backports/tacacs+


Whether you use the software available at this site or obtain the same or similar software elsewhere, install the TACACS server software on your Ubuntu OS according to manufacturer’s instructions. You can check for the availability of TACACS on your system with the following command:

$ sudo service tacacs_plus status

In the following example changes are made to the configuration file /etc/tacacs+/tac_plus.conf.

1. Add the following lines to the tac_plus.conf file to set a key, establish a user account and to identify two users, John and Jane.

# key
key = "tacacs_secret"

# users accounts
group = admin {
    pap = cleartext "normal"
    expires = "Jan 1 2013"
}

user = John {
    default service = permit
    member = admin
    pap = cleartext "normal"
    # chap = cleartext "normal"
    # enable = cleartext "enable"
    name = "John Smith"
}

user = Jane {
    # Jane has no password of her own, but she's a group member so will
    # use the group password and expiry date.
    member = admin
}

Figure 3-32. Example of tac_plus.conf file

2. Restart the tacacs_plus server with the following command:

$ sudo service tacacs_plus restart

3.5.2.1 Configuring TACACS Authentication in the CLI

The following steps explain how to configure TACACS authentication in the command line interface.

10RX Command Line Configuration

Configure 10RX with a TACACS host and key.

1. Log in to the 10RX via the console or telnet.


2. On the 10RX command line in configuration mode enter the following commands:

Magnum 10RX (config)# tacacs-server host xxx.xxx.xxx.xxx key tacacs_secret primary

Where,

xxx.xxx.xxx.xxx is the IP address of the TACACS server

tacacs_secret is the key string that identifies this 10RX to the TACACS server. (This string must match the tacacs_secret string specified in the tac_plus.conf file configuration described above.)

3. Check your configuration by entering the following command:

Magnum 10RX # show tacacs

A successful configuration returns a report like the one below:

Server : 1
Server address : 192.168.1.91
Address Type : IPV4
Single Connection : no
TCP port : 49
Timeout : 6
Secret Key : AricentTacacs
Authen. Starts sent : 0
Authen. Continues sent : 0
Authen. Enables sent : 0
Authen. Aborts sent : 0
Authen. Pass rvcd. : 0
Authen. Fails rcvd. : 0
Authen. Get User rcvd. : 0
Authen. Get Pass rcvd. : 0
Authen. Get Data rcvd. : 0
Authen. Errors rcvd. : 0
Authen. Follows rcvd. : 0
Authen. Restart rcvd. : 0
Authen. Sess. timeouts : 0
Author. Requests sent : 0
Author. Pass Add rcvd. : 0
Author. Pass Repl rcvd : 0
Author. Fails rcvd. : 0
Author. Errors rcvd. : 0
Author Follows rcvd. : 0
Author. Sess. timeouts : 0
Acct. start reqs. sent : 0
Acct. WD reqs. sent : 0
Acct. Stop reqs. sent : 0
Acct. Success rcvd. : 0
Acct. Errors rcvd. : 0
Acct. Follows rcvd. : 0
Acct. Sess. timeouts : 0
Malformed Pkts. rcvd. : 0
Socket failures : 0
Connection failures : 0

Figure 3-33. TACACS server configuration report

4. In this example you would test for success by logging in John and Jane with the password normal.

3.5.2.2 Configuring TACACS Authentication in the GUI

In the GUI, go to System: Management: TACACS to configure TACACS, as illustrated in Figure 3-31.

Figure 3-34. TACACS Server Configuration Screen

In the TACACS Server Configuration screen use the upper dialog box to profile a TACACS server. Click the Add button and this interface information will be displayed along with any other configured interfaces in the lower dialog box. To modify previously configured values enter the revised values in the upper dialog and click the Modify button. The revised values will be displayed in the lower dialog box.

Table 3-11. TACACS Server Configuration Screens

Parameter | Description | See Also
Select | You must click the radio button of the port to be configured. |
IP Address | An IP address for the server being configured. You may configure a maximum of five addresses. |
Shared Secret | A user-supplied string of alphabetic characters and/or numerals shared by client and server. | Section 3.5.2, above
Single Connection | Specify Yes to enable a single TCP connection to carry out both authentication and accounting. Specify No to require a separate TCP connection for each function. |
Server Port | The server port number for the TACACS protocol. Default value: 49 |
Server Timeout | The maximum time to wait for a response before timing out and connecting to a secondary server. Default value: 5 seconds |

3.6 File System Management

INOS features a large non-volatile memory for storing user configuration files and event logs. This storage is presented as a file system but does not support directories. Event log files are created automatically by the system software. Configuration files are created by the user executing the copy command.

3.6.1 Listing System Files

Use the dir command in the Exec Commands mode to display a full listing of the files in the file system. The listing includes the file size in bytes and the file name.

Command syntax:

dir

Example:

The dir command and simple output are illustrated in Figure 3-35.

Figure 3-35. dir command and output

This command displays the information that the file system contains a single log file of 964 bytes.

3.6.2 Deleting a System File

Use the erase command in the Exec Commands mode to delete a file. To delete a local file follow the keyword flash: with the file URL. Use the keywords sftp: or tftp: to erase remote files reachable by those protocols.

Command syntax:

erase {flash: | sftp: | tftp:} url

Where:

url is a URL specifying a file to be deleted either locally (flash:) or remotely (sftp:, tftp:)

Example:

Magnum 10RX# erase flash:Jan03Log
Magnum 10RX# dir
Size      Name
--------- ------------------------------
964       DefaultEventLog

3.6.3 Copying a System File

Use the copy command in the Exec Commands mode to copy a file. To specify a local source or destination file follow the keyword flash: with the file URL. Use the keywords sftp: or tftp: to copy remote files reachable by those protocols. Copies of local files can be created and stored locally or remotely. Copies of remote files can be made and stored locally. It is not possible to copy remote files to other remote files.

Command syntax:

copy {flash: | sftp: | tftp:} src_url {flash: | sftp: | tftp:} dest_url

Where:

src_url is a URL specifying a source file to be copied either locally (flash:) or remotely (sftp:, tftp:)

dest_url is a URL specifying a destination file to be copied either locally (flash:) or remotely (sftp:, tftp:)

Examples:

Examples of the copy command used locally and to address remote files, and of the routine confirmations, are illustrated in Figure 3-36.

Example 1. Source and destination local

Magnum 10RX# copy flash:DefaultEventLog flash:MyLog
Copied flash:DefaultEventLog ==> flash:MyLog

Example 2. Source local and destination remote

Magnum 10RX# copy flash:DefaultEventLog sftp://user:[email protected]/log.txt
Copied flash:DefaultEventLog ==> sftp://192.168.1.42/log.txt

Example 3. Source remote and destination local

Magnum 10RX# copy sftp://user:[email protected]/log.txt flash:mylog.txt
Copied sftp://192.168.2.42/log.txt ==> flash:mylog.txt

Figure 3-36. copy command and confirmation

3.6.4 Displaying System File Contents

Use the more command in the Exec Commands mode to display the contents of a locally stored system file. Precede the URL of the local file with the keyword flash:. The contents of system files stored remotely cannot be displayed.

Command syntax:

more flash:url

Where:

url is a URL specifying a file to be displayed

Example:

The more command and simple output are illustrated in Figure 3-37.

Magnum 10RX# more flash:DefaultEventLog
<6>Jan 9 16:20:10 2013 %CLI-79-2: User manager logged out
<6>Jan 9 16:20:12 2013 %CLI-79-1: User manager logged in

Figure 3-37. more command and output

3.6.5 Creating System Configuration Files

In addition to copying local and remote files in the file system, the copy command is used to manage configuration files with the special running-config and startup-config targets. running-config specifies the system configuration running at the time of the execution of the command. startup-config specifies a saved configuration that will be used by the system on its next startup.

Command syntax:

copy src_config dest_config_file

Where:

src_config is either an existing configuration file or the currently running configuration

dest_config_file is a file to store the configuration information from src_config

Example:

Magnum 10RX# copy running-config startup-config

This command copies the currently running configuration to the special target startup-config. This means that the configuration currently in use will be applied on the next system start.

Example:

Magnum 10RX# copy startup-config flash:newconfig1

This command copies the special target startup-config to the local file newconfig1.

You cannot replace the running configuration while the system is running. You must reboot and force the system to use the configuration information in the startup-config target. To use a configuration saved under a different name, for example, newconfig1, copy newconfig1 to startup-config.

3.7 Event Management

The event management features of INOS software enable the user to determine which of the pre-defined events are logged, to specify the severity attached to events, and to control where the logged events are stored and viewed.

3.7.1 Event Notification Contents

An event is logged to a configured target in a manner that reports a number of its attributes. A typical log message has the following format:

<6>Aug 8 10:49:49 2012 %CLI-79-1: An administrative user logged in

Figure 3-38. Logged event format (callouts, left to right: Severity, Date & Time, Tag, Event ID, Message)

3.7.2 Event Attributes

The pre-defined events possess a number of attributes, some of which are user-configurable. Event attributes are listed in Table 3-12.

Table 3-12. Event Attributes

Element | Description | User Configurable?
Event ID | A unique numerical identifier that combines an event category number and an event number separated by a hyphen. For example: 7-3 or 80-2. | No
Event Severity | A numerical ranking of the urgency of the event from 0 to 7, where 0 is the most urgent and 7 is the least urgent. | Yes
Event Tag | A brief text label identifying the category of the event. For example: CLI or SYS. | No
Event Class | A grouping of events. Initially all events are assigned to the Default class. Users can define up to six additional classes. This enables management of several events by modifications to a single specification set. | Yes
Logging Target | The destination of the event notification. This may be one or more of: the console (C), a buffer (B), a file (F), a remote Syslog (S). By default B, F, and S are enabled for all events, with one exception (a). | Yes
Message | A text string describing the event. | No

a. Event 79-9 is delivered with all default targets disabled. This event creates a log entry for every CLI command issued so it will presumably be enabled by the user only in very special circumstances.

3.7.3 Event IDs and Defaults

Table 3-13 lists the events that are enabled in this software version and their associated default values. The table does not list “Class” because all events are set to the value “Default” by default and it does not list “Targets” because all events (with the sole exception noted above) are enabled on targets Buffer, File, and Syslog and disabled on the Console target. Class, Severity, and Target are all user-configurable.

The system detects all of the events in this list and can potentially report them to a logging destination. If no logging targets are enabled, however, the event will not be visible.

You can display extensive information about events and their specifications in the console with the use of the show logging events command and its arguments (all, detail, etc.).

Symbol strings such as “%s” in the message texts represent variable information generated in each event instance.

Table 3-13. Events

Event ID | Default Severity | Tag | Message
7-1 | 6 | INTF | "Interface %s Link Status %s"
7-2 | 6 | INTF | "SFP inserted on interface %s: Vendor OUI: %s, Part Number: %s"
7-3 | 6 | INTF | "SFP removed from interface %s"
7-4 | 6 | INTF | "Automedia interface %s configured for %s"
7-5 | 1 | INTF | "Couldn't get SFP data for port %u"
49-1 | 6 | SNTP | "%s server is not responding"
78-1 | 6 | WEB | "WEBNM: Successfully logged as User - %s "
78-2 | 1 | WEB | "WEBNM: User %s successfully logged out"
78-3 | 1 | WEB | "WEBNM: Attempt to login with wrong User name or password"
79-1 | 6 | CLI | "User %s logged in"
79-2 | 6 | CLI | "User %s logged out"
79-3 | 1 | CLI | "Attempt to login as %s via %s failed"
79-8 | 1 | CLI | "User %s deleted successfully"
79-9 | 7 | CLI | "Command from %s %d:%s - %s"
79-11 | 1 | CLI | "User %s changed password successfully"
79-12 | 1 | CLI | "User %s added successfully"
80-1 | 2 | SYS | "System is rebooting...!!!"
80-2 | 1 | SYS | "Saving %s to %s failed"
80-3 | 6 | SYS | "%s saved to %s successfully!"
82-1 | 2 | POWER | "Power Supply #%u failed"
82-2 | 6 | POWER | "Power Supply #%u is good"

3.7.3.1 Event Severity

The severity value is intended to give an administrator an indication of how urgently the logged event requires attention. Each event is supplied with a severity value that conforms to the general guidance provided for such severity levels in the Syslog protocol defined in RFC 5424.

The severity values assigned to each event by the manufacturer are common-sense suggestions. They can be changed by an administrator.

Table 3-14. Event Severities

Numerical Code | Severity
0 | Emergency: system is unusable
1 | Alert: action must be taken immediately
2 | Critical: critical conditions
3 | Error: error conditions
4 | Warning: warning conditions
5 | Notice: normal but significant condition
6 | Informational: informational messages
7 | Debug: debug-level messages

3.7.3.2 Logging Targets

There are four possible destinations to log an event. The event notifications can be sent to:

• The console

• A memory buffer

• A file

• A remote Syslog server
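An added example (not from the INOS guide): a Python parser for the log line layout shown in Figure 3-38 that uses the login events of Table 3-13 (79-3, 78-3 and 79-1) to flag bursts of failed logins and whether a successful login followed. The sample lines, the "via" value ssh, the threshold and window defaults, and all function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Layout from Figure 3-38: <severity>date-time %TAG-category-event: message
LINE_RE = re.compile(
    r"^<(?P<severity>[0-7])>"
    r"(?P<ts>[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s+"
    r"%(?P<tag>[A-Z]+)-(?P<event_id>\d{1,2}-\d{1,2}):\s*"
    r"(?P<message>.*)$"
)
# Message templates from Table 3-13 with the %s fields turned into groups.
CLI_FAILED = re.compile(r"^Attempt to login as (?P<user>\S+) via (?P<via>.+) failed$")
CLI_LOGIN = re.compile(r"^User (?P<user>\S+) logged in$")
WEB_ACCOUNT = "(web login, no user name in event 78-3)"

# Constructed sample in the style of the DefaultEventLog output.
SAMPLE_LOG = [
    "<6>Jan 9 16:20:10 2013 %CLI-79-2: User manager logged out",
    "<1>Jan 9 16:21:01 2013 %CLI-79-3: Attempt to login as manager via ssh failed",
    "<1>Jan 9 16:21:09 2013 %CLI-79-3: Attempt to login as manager via ssh failed",
    "<1>Jan 9 16:21:20 2013 %CLI-79-3: Attempt to login as manager via ssh failed",
    "<1>Jan 9 16:25:00 2013 %WEB-78-3: WEBNM: Attempt to login with wrong User name or password",
    "<6>Jan 9 16:30:12 2013 %CLI-79-1: User manager logged in",
    "<1>Jan 9 16:31:40 2013 %CLI-79-12: User operator2 added successfully",
    "not a log line",
]


def parse_line(line):
    """Split one log line into its attributes; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    stamp = " ".join(m["ts"].split())  # collapse padding such as "Jan  9"
    return {
        "severity": int(m["severity"]),
        "time": datetime.strptime(stamp, "%b %d %H:%M:%S %Y"),
        "tag": m["tag"],
        "event_id": m["event_id"],
        "message": m["message"],
    }


def failed_login_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Find accounts with at least `threshold` failed logins inside `window`.

    Returns a list of (account, burst_start, failures_in_window, later_success);
    later_success is True when event 79-1 for that account follows the burst.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # skip anything that is not in the Figure 3-38 layout
        if event["event_id"] == "79-3":
            m = CLI_FAILED.match(event["message"])
            failures[m["user"] if m else "(unparsed)"].append(event["time"])
        elif event["event_id"] == "78-3":
            failures[WEB_ACCOUNT].append(event["time"])
        elif event["event_id"] == "79-1":
            m = CLI_LOGIN.match(event["message"])
            if m:
                successes[m["user"]].append(event["time"])

    bursts = []
    for account in sorted(failures):
        times = sorted(failures[account])
        start = 0
        for end, stamp in enumerate(times):
            # Slide the window start forward until it spans at most `window`.
            while stamp - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                later = any(t >= stamp for t in successes.get(account, []))
                bursts.append((account, times[start], count, later))
                break  # one report per account
    return bursts


if __name__ == "__main__":
    for account, began, count, later in failed_login_bursts(SAMPLE_LOG):
        print(account, began.isoformat(), count, "login followed" if later else "")
```

Events 79-3 and 78-3 default to the Buffer, File and Syslog targets, so the same parser applies to a copy of the log file retrieved from the router.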

3.7.4 Displaying Event Information

The CLI displays information about which targets are enabled in the following formats:

With the Magnum 10RX# show logging events command:

Event    Targets
Id       C B F S
-----    - - - -
7-1      N Y Y Y

With the Magnum 10RX# show logging events details command:

Event: 7-1
.
.
.
Event Targets:
Console: Disabled
Buffer: Enabled
File: Enabled
Syslog: Enabled

Figure 3-39. Logging Targets

The less detailed command abbreviates the targets to their initial letters and signifies “enabled” with “Y” and “disabled” with “N.”

Event Display Commands

The following commands are available at the EXEC commands Magnum 10RX# prompt to display logging events:

• show logging events Executed with no arguments the command displays in brief format a list of all logging events for which a target is enabled.

• show logging events nn Where nn is a one- or two-digit number specifying a category, displays all logging events of the specified category in brief format.

• show logging events all Displays in brief format a list of all logging events including any for which no target is enabled.

• show logging events detail Displays in verbose format a list of all logging events for which a target is enabled.

• show logging events detail-all Displays in brief format a list of all logging events including any for which no target is enabled.

3.7.5 Clearing Events

The following commands are available at the EXEC commands Magnum 10RX# prompt to clear logging events:

• clear logging buffer string

• clear logging events nnn [nnn]

3.7.6 Configuring Events

The following commands are available at the CONFIGURE commands Magnum 10RX(config)# prompt to configure logging events.

3.7.6.1 Creating and Configuring a logging Class

An administrative user can create a new class and set class parameters with the logging class command. A user-created class can be useful for grouping events that have similar requirements and managing them in unison by amendments to the class specifications.

The classes Default and Firewall are provided by default. These may not be deleted by users. Users can create up to six additional classes. Events are added to a class by specifying the event’s membership in the logging event command.

Command syntax:

logging class cname |severity s | max-rate rrr | buffer [size bbb] | circular | file [size fff] [number nnn] circular

Where:

cname is a string of up to 32 characters naming the class. The command executed with no parameters except a name will create a new class with default values.

s is a digit in the range 0-7 specifying the severity level. (Default =7)

rrr is a numerical value in the range 1-250 specifying the max logging rate per second. (Default = 100)

bbb is a numerical value in the range 1-1024 specifying the maximum size in Kbytes of the buffer. (Default=256)

fff is a numerical value in the range 1-4096 specifying the maximum size of the logging file in Kbytes.

nnn is a numerical value in the range 1-65535 specifying the maximum number of logging files. (Default=8)

Files and buffers are circular by default. A circular file or buffer wraps data; that is, when it reaches maximum size the oldest entries are replaced with the newest entries. A file that is not circular will stop collecting data when it reaches maximum size.

Any parameter not specified receives the default value.

Example:

Magnum 10RX(config)# logging class UserAccess severity 6 max-rate 200

This command creates a new class named UserAccess with a severity level of 6 and a maximum logging rate of 200 per second. All other parameters are default.

Negating Existing Configurations

Delete a user-created class with the no logging class command, for example:

Magnum 10RX(config)# no logging class UserAccess

A class may not be deleted while any events remain assigned to it. You must first reassign events to other classes, then delete the class when it is empty of events.

Parameters that take specific values are modified with the logging class command. Specify that a class’s logging buffer or logging file is not circular with the no logging class command, for example:

Magnum 10RX(config)# no logging class UserAccess buffer circular

Magnum 10RX(config)# no logging class UserAccess file circular

3.7.6.2 Configuring a logging Event

An administrative user can configure events with the logging event command.

Command syntax:

logging event catnum evnum | severity s | target [console | buffer | file | syslog] class cname

Where:

catnum is a one- or two-digit value specifying the category of the event.

evnum is a one- or two-digit value specifying the event number.

s is a digit in the range 0-7 specifying the severity level. (Default =7)

cname is a string of up to 32 characters naming the class.

Example:

Magnum 10RX(config)# logging event 78 3 target c b class UserAccess

This command specifies that instances of event 78-3 (the event ID combines the category number and the event number) are to be logged to the console and to the buffer and that event 78 3 is a member of the class UserAccess. All other parameters are default.

3.7.6.3 Configuring All logging Events

An administrative user can configure all events with the same value(s) with the logging event all command. This command is like the logging event command except that it does not take an event ID specification so that any changes it makes are applied to all events.

Command syntax:

logging event all severity s | target [console | buffer | file | syslog] class cname

Where:

s is a digit in the range 0-7 specifying the severity level. (Default =7)

cname is a string of up to 32 characters naming the class.

Example:

Magnum 10RX(config)# logging event all target b f class Default

This command specifies that all events are to be logged to the console and to the buffer and are members of the class Default. Severity levels are not changed by this command example.

3.7.6.4 Configuring Syslog Server

An administrative user can specify a remote Syslog server as the target for logging events. The configuration must point to a valid Syslog server that conforms to RFC 5424.

Command syntax:

logging server pri [ipv4 ucast_addr] | [ipv6 ip6_addr] | host-name [port portnum] udp | tcp

Where:

pri is a numerical value in the range 128-191 specifying the minimum priority value of messages delivered to this Syslog collector.

ucast_addr is an IP address in IPv4 format.

ip6_addr is an IP address in IPv6 format.

host-name is an optional name for the target device.

portnum is a numerical value in the range 0-65535 specifying the port to receive the messages. Default ports are 514 for UDP and 601 for TCP.

Example:

Magnum 10RX(config)# logging server 150 ipv4 192.168.1.5 port 514 udp

This command creates a pointer to a Syslog collector for messages of priority 150 or higher, using the UDP transmission protocol on port 514 of the specified server.

Syslog Priority Values

A Syslog message begins with a priority value, which is a numerical value enclosed in angle brackets. This value is calculated by multiplying the numerical code associated with the local facility value by 8 and adding a severity value in the range of 0-7 (see Table 3-15). The resulting range provides 8 series of 8 values, allowing each of 8 local facilities to provide a uniquely identifying priority value for each of the 8 severity values.

Facility values 0-15 are reserved for specific facilities (such as kernel or mail system) defined in RFC 5424. In addition there are 8 local facility values with numerical codes 16-23. These can be assigned by an authorized user. Local0 is the default value for the current device but the user can configure the current device to be one of local1 (numerical code 17) through local7 (numerical code 23).

Table 3-15. Facility Codes

Numerical Code | Facility
0 | Emergency: system is unusable
1 | Alert: action must be taken immediately
2 | Critical: critical conditions
3 | Error: error conditions
4 | Warning: warning conditions
5 | Notice: normal but significant condition
6 | Informational: informational messages
7 | Debug: debug-level messages
8 | UUCP subsystem
9 | clock daemon
10 | security/authorization messages
11 | FTP daemon
12 | NTP subsystem
13 | log audit
14 | log alert
15 | clock daemon
16 | local0 (PRI range 128-135)
17 | local1 (PRI range 136-143)
18 | local2 (PRI range 144-151)
19 | local3 (PRI range 152-159)
20 | local4 (PRI range 160-167)
21 | local5 (PRI range 168-175)
22 | local6 (PRI range 176-183)
23 | local7 (PRI range 184-191)

Delete a pointer to a Syslog collector with the no logging server command. For example:

Magnum 10RX(config)# no logging server 150 ipv4 192.168.1.5

The parameters supplied in this command are sufficient to identify the collector unambiguously and to delete it from the Syslog table.

Examine the current logging server configuration by executing the show logging server command from the Magnum 10RX# prompt to obtain output like the following:

Event Log Servers Table Information
--------------------------------
Priority Facility Severity Addr-Type IpAddress Port Type
--------- -------- -------------- --------- --------------- ----- ----
129(128-1) local0 1-Alerts ipv4 192.168.1.5 514 udp
170(168-2) local5 2-Critical ipv4 192.168.1.5 601 tcp
190(184-6) local7 6-Informational ipv6 ::ffff:c0a8:105 601 tcp
-----------------------------------------

Figure 3-40. Log Servers Table Information

3.7.6.5 Configuring the Logging Facility

Devices in a network can be assigned facility numbers so that a common Syslog server can determine the origin of logging notifications from multiple sources. The default value of each device is local0. An administrative user can assign a device a logging facility value from local1 to local7 with the logging facility command.

Command syntax:

logging facility localx

Where:

x is a digit in the range 1-7

Example:

Magnum 10RX(config)# logging facility local3

This command specifies that the current device is logging facility local3.

You can view the logging facility value for the current device at the EXEC commands prompt with the following command:

Magnum 10RX# show logging facility

Delete the device’s logging facility designation with the no logging facility command, for example:

Magnum 10RX(config)# no logging facility

This will delete any user-specified logging facility designation and return the device to the default value of local0.
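An added example (not from the INOS guide): the priority arithmetic described under "Syslog Priority Values" written out in Python and used to cross-check the Priority, Facility and Severity columns of the show logging server rows in Figure 3-40. The function names and the final, deliberately inconsistent row are constructed for illustration.

```python
import re

LOCAL0 = 16  # numerical facility code of local0; local7 is 23
# Severity names from Table 3-14, indexed by numerical code.
SEVERITY = ["Emergency", "Alert", "Critical", "Error",
            "Warning", "Notice", "Informational", "Debug"]


def encode_pri(local_n, severity):
    """Priority value for facility local<local_n> and a severity of 0-7."""
    if not (0 <= local_n <= 7 and 0 <= severity <= 7):
        raise ValueError("local facility index and severity must both be 0-7")
    return (LOCAL0 + local_n) * 8 + severity


def decode_pri(pri):
    """Split a priority in the 128-191 range into (facility, severity, name)."""
    if not 128 <= pri <= 191:
        raise ValueError("priority %d is outside the local0-local7 range 128-191" % pri)
    facility, severity = divmod(pri, 8)
    return "local%d" % (facility - LOCAL0), severity, SEVERITY[severity]


# One data row of the table in Figure 3-40, e.g.
# 129(128-1) local0 1-Alerts ipv4 192.168.1.5 514 udp
ROW_RE = re.compile(
    r"^(?P<pri>\d+)\((?P<base>\d+)-(?P<sev>\d)\)\s+(?P<facility>local[0-7])\s+"
    r"(?P<sevcol>\d)-(?P<sevname>\S+)\s+(?P<atype>ipv[46])\s+(?P<addr>\S+)\s+"
    r"(?P<port>\d+)\s+(?P<proto>udp|tcp)$"
)


def check_row(row):
    """Return a list of inconsistencies between the columns of one row."""
    m = ROW_RE.match(row.strip())
    if m is None:
        return ["unparseable row"]
    pri = int(m["pri"])
    try:
        facility, severity, _name = decode_pri(pri)
    except ValueError as err:
        return [str(err)]
    problems = []
    if int(m["base"]) + int(m["sev"]) != pri:
        problems.append("priority %d is not %s + %s" % (pri, m["base"], m["sev"]))
    if m["facility"] != facility:
        problems.append("facility column %s but priority %d decodes to %s"
                        % (m["facility"], pri, facility))
    if int(m["sevcol"]) != severity:
        problems.append("severity column %s but priority %d decodes to %d"
                        % (m["sevcol"], pri, severity))
    return problems


# Rows copied from Figure 3-40.
PAGE_ROWS = [
    "129(128-1) local0 1-Alerts ipv4 192.168.1.5 514 udp",
    "170(168-2) local5 2-Critical ipv4 192.168.1.5 601 tcp",
    "190(184-6) local7 6-Informational ipv6 ::ffff:c0a8:105 601 tcp",
]
# Constructed row: the facility column disagrees with the priority value.
BAD_ROW = "150(144-6) local3 6-Informational ipv4 192.0.2.10 514 udp"

if __name__ == "__main__":
    for row in PAGE_ROWS + [BAD_ROW]:
        print(row, "->", check_row(row) or "consistent")
```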

3.8 Software Upgrade

The 10RX flash memory holds a maximum of two versions of system software. The device is shipped with a current version of software. When that version is replaced with a subsequent version the replaced version remains stored in memory as a fallback version while the system runs on the new, or “upgraded,” version. On a second upgrade the oldest version is lost and the most recently replaced version becomes the fallback version.

The upgrade process normally requires the use of a TFTP or SFTP application working cooperatively with the INOS command set. The design of the INOS software update state machine is depicted in Figure 3-41, below.

Figure 3-41. Software Upgrade State Machine (states: INITIAL, READY TO UPGRADE, UPGRADING, UPGRADED, FALLBACK; transition labels: copy..., reload, finalize software upgrade, fallback software upgrade, retry software upgrade)

State machine status can be displayed in the output of the show upgrade information command, as illustrated in Figure 3-42.

Magnum 10RX# show software upgrade
Software Upgrade State: Upgraded
Slot 0: 10rxv100B4.itb Version: 1.0.0B4 (fallback)
Slot 1: phoenix.itb Version: 1.0.1X2 (upgraded, booted)

Figure 3-42. Upgrade Information Output

The meanings of these states and the actions appropriate to each are described in Table 3-16, below.

Table 3-16. Upgrade States and User Actions

Event | Description
Initial | The system is in the initial state when a single software image is present in flash memory as a result of factory install or flash re-initialization. Proceed to the next state by using the copy...upgrade-image command to copy another valid software image.
Ready to Upgrade | The system is in the ready to upgrade state when the user has uploaded an upgrade image with the copy...upgrade-image command. Proceed to the next state by executing the reload command. When the system restarts, log in with administrative privileges.
Upgrading | The system is in the upgrading state when the device becomes operational following a reload from the ready to upgrade state. Confirm with the show software upgrade command that the status is (upgrading,booted). Proceed to the next state by executing the finalize software upgrade command.
Upgraded | The system is in the upgraded state when the device is running on the newly installed software after finalization. This is the normal running configuration. Confirm with the show software upgrade command that the status is (upgraded,booted). From the upgraded state you can begin the process to install a new version with the copy... command or change to the fallback version with the fallback software version command.
Fallback | The system is in the fallback state when the device is reloaded for any reason before finalization. This could occur, for example, as a result of power failure, user command, or because the new image did not become operational. You can retry a failed upgrade with the retry software upgrade command or begin the upgrade process anew with the copy... command.

3.8.1 Using the Copy Command to Upgrade

The upgrade procedure requires the execution of the copy command with the upgrade-image keyword. The command syntax varies depending on whether the new image is in the 10RX flash memory or elsewhere on the network and on the file transfer tool used.

Command syntax:

with TFTP

copy tftp://ip-address/filename upgrade-image

with SFTP

(Note: SFTP enables specifying a relative pathname, as in example 1 below, or an absolute pathname, as in example 2.)

1. copy sftp://<user-name>:<pass-word>@ip-address/filename upgrade-image

2. copy sftp://<user-name>:<pass-word>@ip-address//dirname/filename upgrade-image

file in flash memory

copy flash:filename upgrade-image

Where:

ip-address is the address of the device where the file resides.

filename is the name of the new image file.

user-name is a valid user name created as a part of SFTP security.

dirname is the name of a directory where the image file resides.

pass-word is a valid password created as a part of SFTP security.

3.8.2 Upgrade Procedure

1. Make the new image file available to your TFTP or SFTP server according to that application’s instructions. If you are using SFTP be sure you know the required username and password.

2. Log in to the 10RX as an administrator.

3. Execute the copy command using the appropriate syntax as described above. An example using TFTP follows:

Magnum 10RX# copy tftp://192.168.1.43/newimage.itb upgrade-image

Wait for console message : Copied tftp://192.168.1.43/newimage.itb ==> boot image

4. On copy command completion in the 10RX window execute the reload command.

Magnum 10RX# reload (This may produce a lengthy wait – up to several minutes.)

5. On reload completion log in as an administrator and execute the following commands:

• Magnum 10RX# show system information (to view running SW version.)

• Magnum 10RX# show software upgrade (to view upgrade status)

Expect the new image status to be (upgrading, booted).

6. Finalize the upgrade with the following commands:

• Magnum 10RX# finalize software upgrade

• Magnum 10RX# show software upgrade (to view upgrade status)

Expect new image status to be (upgraded. booted).

3.8.2.1 Viewing System Information in the GUI

The information you can obtain with the CLI Magnum 10RX# show system information command, as explained above, can also be viewed in the GUI, as illustrated in Figure 3-43.

Figure 3-43. System Information Screen

3.9 Restarting the Switch

In the CLI to shut down the Magnum 10RX and restart it use the reload command in the Exec Commands mode.

Command syntax:

reload

Example:

Magnum 10RX# reload

When asked:

Are you sure you want to reload the system (type 'yes' to confirm)?

Respond: yes

NOTE: In the event of an initial upgrade failure execute the retry software upgrade command.

In the GUI go to System: Management: Reboot and shut down and restart by clicking the Reboot button, as illustrated in Figure 3-44.

Figure 3-44. rebooting

Chapter 4 Ethernet

The configuration of Ethernet connections is partially automated but can be controlled to some extent by the user.

4.0.1 Ethernet Auto Media Interfaces

The 10RX router comes with up to ten auto-media Gigabit Ethernet (GbE) interfaces. Each auto-media interface supports RJ45 copper or fiber SFP. By default the first media type to achieve link is selected as the active interface.

All copper interfaces support Auto-MDIX and speed and duplex auto-negotiation at 1000, 100, and 10 Mbps.

The SFP speeds supported depend on the installed media.

4.0.2 Enabling Ethernet Interfaces

Each Ethernet interface on the 10RX is uniquely identified by a slot/port designator. Slots 1 and 2 can each hold a single port auto-media card. Slots 3, 5, 7, and 9 can each hold a dual port auto-media card. The full list of possible Ethernet port designators is:

• Gigabitethernet 1/1

• Gigabitethernet 2/1

• Gigabitethernet 3/1

• Gigabitethernet 3/2

• Gigabitethernet 5/1

• Gigabitethernet 5/2

• Gigabitethernet 7/1

• Gigabitethernet 7/2

• Gigabitethernet 9/1

• Gigabitethernet 9/2

Gigabitethernet 1/1 is enabled by factory default.

A range of interface configuration commands becomes available when you specify a valid port to configure from the Magnum 10RX(config)# prompt. This produces a new prompt, Magnum 10RX(config-if)#. This prompt signals that you are in the interface configuration mode. View the commands available in this mode by entering Help at the prompt. All commands executed will apply to the specified interface. To configure another interface exit the interface configuration mode, specify the new interface at the Magnum 10RX(config)# prompt and re-enter interface configuration mode.

4.0.2.1 Enabling Ethernet Ports

Use the no shutdown command in interface configuration mode to enable a port. The following example illustrates the command sequence.

Magnum 10RX(config)# interface gigabitethernet 7/1

Magnum 10RX(config-if)# no shutdown

Magnum 10RX(config-if)# exit

Magnum 10RX(config)#

Figure 4-1. Enabling a GbE Interface on the CLI

Disable a port by using the shutdown command in interface configuration mode.

4.0.2.2 Configuring Port Type

10RX ports can be configured as either switch ports or router ports. The default configuration is switchport. To enable a port as a router port execute the no switchport command. The following example illustrates the command sequence.

Example:

Magnum 10RX(config)# interface gigabitethernet 7/1

Magnum 10RX(config-if)# no switchport

Magnum 10RX(config-if)# no shutdown

Magnum 10RX(config-if)# exit

Magnum 10RX(config)#

Figure 4-2. Configuring a Router Port

This command sequence specifies that port 7/1 is a router port and enables the port.

4.0.2.3 Configuring Switchport Mode

A port configured as a switchport may be put into one of three modes: Access, Trunk, or Hybrid. Specify the switchport mode with the switchport mode command.

Command syntax:

switchport mode {access | trunk | hybrid}

Example:

Magnum 10RX(config-if)# switchport mode trunk

Default value: hybrid

Table 4-1. Switchport Modes

| Mode | Description |
| --- | --- |
| access | Configures the port as an access port that accepts and sends only untagged frames. This kind of port is added as a member to a specific VLAN only and carries traffic only for the VLAN to which the port is assigned. The port can be set as an access port only if the following two conditions are met: acceptable-frame-type is set as untaggedAndPrioritytagged, and the port is not a tagged member of any VLAN. |
| trunk | Configures the port as a trunk port that accepts and sends only tagged frames. This kind of port is added as a member of all existing VLANs and to any new VLAN created. It carries traffic for all VLANs. The trunk port also accepts untagged frames if the acceptable frame type is set as all. The port can be set as a trunk port only if the port is not a member of untagged ports for any VLAN in the switch. |
| hybrid | Configures the port as a hybrid port that accepts and sends both tagged and untagged frames. |

4.0.2.4 Configuring MTU Size

Use the mtu command in Interface Configuration mode to configure the size of the Maximum Transmission Unit (MTU). Maximum Transmission Unit is the maximum size in bytes of the protocol data unit that will be transmitted on an interface. The protocol data unit on Ethernet networks is the frame and the default MTU size is 1500.

Command syntax:

mtu frame-size

Where:

frame-size is a numerical value in the range 68-1500.

Example:

Magnum 10RX(config-if)# mtu 1200

This command specifies a Maximum Transmission Unit size of 1200 bytes on the port currently under configuration.

Default value: 1500

Valid range: 68-1500

4.0.2.5 Configuring Storm Control

Storm control prevents the network from being overwhelmed by a flood of broadcast, multicast, or destination lookup failure (DLF) packets. Storms can result from errors in network configuration or from malicious activity. Storm control allows you to specify a per-interface limit on the rate of traffic of various types.

Storm control is implemented with two commands:

• the storm-control packet-type command enables you to specify the type of packet that will be subject to the limit specified with the level command.

• the storm-control level command enables you to specify a maximum rate of bits per second to be transmitted out of the interface.

Command syntax:

storm-control packet-type {broadcast | multicast | dlf}

storm-control level levelnum

Where:

levelnum is a numerical value specifying bits per second.

Example:

The following example illustrates the command sequence.

Magnum 10RX(config)# interface gigabitethernet 5/2

Magnum 10RX(config-if)# no shutdown

Magnum 10RX(config-if)# storm-control level 1000

Magnum 10RX(config-if)# storm-control packet-type multicast

Magnum 10RX(config-if)# storm-control packet-type broadcast

Magnum 10RX(config-if)#

Figure 4-3. Configuring Storm Control

This series of commands specifies that on interface GbE 5/2 multicast and broadcast traffic cannot exceed 1000 bits per second.

Default value: Storm control is disabled

Valid range: 1-262143

4.0.2.6 GUI - Port Basic Settings Screen

Enable and disable ports with the GUI using the Port Basic Settings screen on the Layer 2 Management menu (identified on the menu as “Port Manager”).

Enable a port on this screen by selecting Up in the pull down menu in the Admin State column and clicking Apply. Disable it by selecting Down.

Figure 4-4. Enabling a GbE Interface in the GUI

The fields that are configurable in the Port Basic Settings screen correspond to CLI commands documented in the CLI configuration sections above and in Chapter 5.

Table 4-2. Port Basic Settings Fields

| Column | Description | Options or Range | Comment |
| --- | --- | --- | --- |
| Select | You must click the radio button for the port to configure. | | |
| Port | Available Ethernet ports. | | See Section 4.0.2 |
| Link Status | Hardware status of this port | Enabled (green), Disabled (red) | |
| Admin State | Administrative status of this port. | Up, Down | See Section 4.0.2.1 |
| SwitchPort Mode | Determines what types of frames will be transmitted on this port | Access, Trunk, Hybrid | See Section 4.0.2.3 |
| MTU | Size of the maximum transmission unit on this port. | 68-1500 | See Section 4.0.2.4 |
| Link Up/Down Trap | Whether or not this port is transmitting and receiving | | equivalent of (config-if)# snmp trap link status |
| Port Type | Whether this port is to function as a switch or as a router. | Switch Port, Router port | See Section 4.0.2.2 |
| MAC Address | The hardware address of this port | | |
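The value limits documented in Sections 4.0.2.3 to 4.0.2.5 can be checked offline before a command sequence is entered on a router. The following Python script is an added example, not part of INOS or of the original guide; it assumes the input is a list of commands in the form shown in Figures 4-1 to 4-3, and its function names and sample session are constructed for illustration. Treating storm control as complete only when both a level and a packet-type are set is this example's reading of Section 4.0.2.5.

```python
import re

# Limits and keywords as documented in Sections 4.0.2.3 to 4.0.2.5.
MTU_RANGE = (68, 1500)
STORM_LEVEL_RANGE = (1, 262143)
SWITCHPORT_MODES = {"access", "trunk", "hybrid"}
STORM_PACKET_TYPES = {"broadcast", "multicast", "dlf"}
FACTORY_ENABLED = {"1/1"}  # Gigabitethernet 1/1 is enabled by factory default

PROMPT = re.compile(r"^Magnum 10RX(\([\w-]+\))?#\s*")
IFACE = re.compile(r"interface gigabitethernet (\d+/\d+)", re.IGNORECASE)

# Constructed sample session (not from the guide): the Figure 4-3 sequence
# followed by two deliberately faulty interfaces.
SAMPLE = """\
Magnum 10RX(config)# interface gigabitethernet 5/2
Magnum 10RX(config-if)# no shutdown
Magnum 10RX(config-if)# storm-control level 1000
Magnum 10RX(config-if)# storm-control packet-type multicast
Magnum 10RX(config-if)# storm-control packet-type broadcast
Magnum 10RX(config-if)# exit
Magnum 10RX(config)# interface gigabitethernet 7/1
Magnum 10RX(config-if)# no switchport
Magnum 10RX(config-if)# no shutdown
Magnum 10RX(config-if)# mtu 9000
Magnum 10RX(config-if)# exit
Magnum 10RX(config)# interface gigabitethernet 3/1
Magnum 10RX(config-if)# switchport mode trunk
Magnum 10RX(config-if)# storm-control level 500000
Magnum 10RX(config-if)# no shutdown
Magnum 10RX(config-if)# exit
"""


def parse_interfaces(text):
    """Group the commands of a session by the interface they were typed under."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line:
            continue
        match = IFACE.fullmatch(line)
        if match:
            current = match.group(1)
            interfaces.setdefault(current, [])
        elif line == "exit":
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def in_range(value, bounds):
    """True when value is a decimal integer inside the inclusive bounds."""
    return value.isdigit() and bounds[0] <= int(value) <= bounds[1]


def audit_interface(port, commands):
    """Return the list of findings for one interface."""
    findings = []
    enabled = port in FACTORY_ENABLED
    level_seen, packet_types = False, set()
    for cmd in commands:
        words = cmd.split()
        arg = words[-1]
        if cmd == "no shutdown":
            enabled = True
        elif cmd == "shutdown":
            enabled = False
        elif words[0] == "mtu" and not in_range(arg, MTU_RANGE):
            findings.append(f"mtu {arg} outside 68-1500")
        elif words[:2] == ["storm-control", "level"]:
            level_seen = True
            if not in_range(arg, STORM_LEVEL_RANGE):
                findings.append(f"storm-control level {arg} outside 1-262143")
        elif words[:2] == ["storm-control", "packet-type"]:
            if arg in STORM_PACKET_TYPES:
                packet_types.add(arg)
            else:
                findings.append(f"unknown storm-control packet-type {arg}")
        elif words[:2] == ["switchport", "mode"] and arg not in SWITCHPORT_MODES:
            findings.append(f"unknown switchport mode {arg}")
    # Storm control is disabled by default, so an enabled port needs both commands.
    if enabled and not level_seen and not packet_types:
        findings.append("storm control not configured (default is disabled)")
    elif enabled and not (level_seen and packet_types):
        findings.append("storm control incomplete: needs level and packet-type")
    return findings


def audit(text):
    """Audit every interface that appears in a command session."""
    return {port: audit_interface(port, cmds)
            for port, cmds in parse_interfaces(text).items()}


if __name__ == "__main__":
    for port, findings in audit(SAMPLE).items():
        for finding in findings or ["ok"]:
            print(f"gigabitethernet {port}: {finding}")
```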

Chapter 5 VLAN

This section describes the VLAN implementation on the Magnum 10RX and the minimal steps necessary to configure VLANs on the router.

5.0.1 Dynamic VLANs and Trunking

The Magnum 10RX uses GARP VLAN Registration Protocol (GVRP) to automatically configure VLAN trunks. When you define access ports (see “Defining an Access Port in the CLI”), tagged VLAN membership is automatically set up on the necessary ports so that the various access ports can communicate over the switched VLAN infrastructure.

5.0.1.1 Enabling GVRP Globally in the CLI

In the CLI use the set gvrp command in Global Configuration mode to enable or disable the GVRP feature in all ports of the switch.

Command syntax:

set gvrp {enable | disable}

Example:

Magnum 10RX(config)# set gvrp enable

Use the show vlan device info command to view global VLAN information.

5.0.1.2 Enabling GVRP Globally in the GUI

In the GUI go to the Layer 2: Manager: GVRP: DynamicVlan tab to globally enable GVRP, as illustrated in Figure 5-1.

Figure 5-1. GVRP Dynamic VLAN Tab

Table 5-1. GVRP Dynamic VLAN Fields

| Parameter | Description |
| --- | --- |
| Status | Select Enabled or Disabled for configuration of all ports on the switch, then click Apply. |

5.0.1.3 Enabling GVRP On A Port in the CLI

In the CLI use the set port gvrp command in Global Configuration mode to enable or disable the GVRP feature on a specific port.

Command syntax:

set port gvrp if-type if-id {enable | disable}

Where:

if-type is gigabitethernet.

if-id specifies a port on the switch with a port number and a slot number separated by a slash.

Example:

Magnum 10RX(config)# set port gvrp gigabitethernet 3/1 enable

This command enables the GVRP feature on port 3/1 only.

Use the show vlan port config command to view VLAN information for specific ports.

5.0.1.4 Enabling GVRP On A Port in the GUI

In the GUI go to the Layer 2: Manager: GVRP: Port Settings tab to enable GVRP on a specific port, as illustrated in Figure 5-2.

Figure 5-2. GVRP Port Settings Tab

Table 5-2. Dynamic VLAN Port Configuration Fields

| Parameter | Description |
| --- | --- |
| Select | You must click the radio button of the port to be configured. |
| Port | A list of configurable gigabitethernet ports. |
| Status | Select Enabled or Disabled for configuration of the selected port, then click Apply. |

5.0.1.5 Setting GARP Timers For A Port in the CLI

In the CLI use the set garp timer command in Interface Configuration mode to set GARP timer values for the port under configuration. These timer values control the transmission of GARP PDUs used in synchronizing attribute information between the switches and in registering and de-registering attribute values. These values control the timing of the following messages:

• Join

The join message is sent by a GARP participant to another GARP participant to register attributes.

A GARP participant waits for its join message to be acknowledged before re-sending the join message. The join message is re-transmitted only once if the initial message is not acknowledged.

The join timer value specifies the length of time a GARP participant waits for its join message to be acknowledged before re-sending the join message.

This timer is started with the sending of the initial join message.

The join message value must be expressed in multiples of ten (that is, 210, 220, 230, etc.), must be a value greater than zero and must be less than half the value of the leave timer value.

• leave

The leave message is sent from a GARP participant to another participant, when de-registering attributes.

The leave timer value specifies the length of time to wait for any join message before removing attribute details.

This timer is started when a leave message is sent to de-register the attribute details.

The leave message value must be expressed in multiples of ten (that is, 610, 620, 630, etc.) and must be more than twice the value of the join timer value.

• leaveall

The leaveall message is sent from a GARP participant to other participants after a length of time during which registered attributes are to be maintained. This message initiates the re-registering of attribute details.

The leaveall timer value specifies the length of time during which attributes are maintained before the next de-registering/re-registering.

The leaveall message value must be expressed in multiples of ten (that is, 1010, 1020, 1030, etc.) and must be greater than the leave timer value.

Command syntax:

set garp timer {join | leave | leaveall} millisecs

Where:

millisecs is the specified length of time. For limits see above.
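The limits above depend on each other, and each set garp timer command changes only one value, so the order of commands matters when several timers are changed. The following Python script is an added example, not part of INOS or of the original guide; it assumes the router checks each command against the current values of the other two timers, and its function names and target values are constructed for illustration.

```python
from itertools import permutations

# Default timer values from this section, in milliseconds.
DEFAULTS = {"join": 200, "leave": 600, "leaveall": 1000}
ORDER = ("join", "leave", "leaveall")


def violations(timers):
    """List every documented limit that the three timer values break."""
    problems = []
    for name in ORDER:
        value = timers[name]
        if value <= 0 or value % 10 != 0:
            problems.append(f"{name} {value} is not a positive multiple of ten")
    join, leave, leaveall = (timers[name] for name in ORDER)
    # "join less than half of leave" and "leave more than twice join"
    # are the same inequality.
    if not 2 * join < leave:
        problems.append(f"leave {leave} must be more than twice join {join}")
    if not leave < leaveall:
        problems.append(f"leaveall {leaveall} must be greater than leave {leave}")
    return problems


def plan_commands(current, target):
    """Order the set garp timer commands so no intermediate state is invalid."""
    problems = violations(target)
    if problems:
        raise ValueError("; ".join(problems))
    changed = [name for name in ORDER if current[name] != target[name]]
    for order in permutations(changed):
        state = dict(current)
        for name in order:
            state[name] = target[name]
            if violations(state):
                break  # this ordering passes through an invalid state
        else:
            return [f"set garp timer {name} {target[name]}" for name in order]
    raise ValueError("no ordering keeps every intermediate state within limits")


if __name__ == "__main__":
    slower = {"join": 400, "leave": 1200, "leaveall": 2000}  # constructed target
    for command in plan_commands(DEFAULTS, slower):
        print("Magnum 10RX(config-if)#", command)
```

Raising all three timers has to start with leaveall and end with join; entering join first would leave the join value above half of the old leave value.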

Example:

In Global Configuration mode, to enter Interface Configuration mode and configure the GARP leaveall timer on interface Gigabitethernet 3/1, do the following:

Magnum 10RX(config)# interface gigabitethernet 3/1

Magnum 10RX(config-if)# set garp timer leaveall 1100

Magnum 10RX(config-if)# exit

Magnum 10RX(config)#

Figure 5-3. Setting a GARP Timer

Default values:

join — 200

leave — 600

leaveall — 1000

Valid ranges: See above

Use the show vlan port config command to view VLAN information for specific ports.

5.0.1.6 Setting GARP Timers For A Port in the GUI

In the GUI go to the Layer 2: Manager: GVRP: GarpTimers tab to configure timers on a port, as illustrated in Figure 5-4.

Figure 5-4. GVRP GarpTimers Tab

Table 5-3. GARP Timers Fields

| Parameter | Description |
| --- | --- |
| Select | You must click the radio button of the port to be configured. |
| Port No | A list of configurable gigabitethernet ports. |
| GarpJoinTime | Length of time to wait before re-transmission of join message. |
| GarpLeaveTime | Length of time to wait for any join message before removing attribute details. |
| GarpLeaveallTime | Length of time during which attributes are maintained before the next de-registering/re-registering. |

5.0.2 CLI - VLAN Configuration Mode

A range of VLAN configuration commands becomes available when you specify a valid VLAN ID with the vlan command at the Magnum 10RX(config)# prompt (valid VLAN IDs are in the range of 1-4094). This produces a new prompt, Magnum 10RX(config-vlan)#. This prompt signals that you are in the VLAN configuration mode. View the commands available in this mode by entering Help at the prompt. All commands executed will apply to the specified VLAN. To configure another VLAN exit the VLAN configuration mode, specify the new VLAN at the Magnum 10RX(config)# prompt and re-enter VLAN configuration mode.

5.0.2.1 Defining an Access Port in the CLI

Devices that are not VLAN-aware can be connected to the Magnum 10RX via VLAN access ports. All packets received on the access port are automatically assigned to a particular VLAN, which is specified as the port VLAN ID (PVID).

Use the switchport access command in Interface Configuration mode to configure a VLAN access port.

For example, to configure interface Gigabitethernet 3/1 as an access port on VLAN 2, do the following:

Magnum 10RX(config)# interface gigabitethernet 3/1

Magnum 10RX(config-if)# switchport access vlan 2

Magnum 10RX(config-if)# exit

Magnum 10RX(config)#

Figure 5-5. Defining a VLAN Access Port on the CLI

5.0.2.2 Defining an Access Port in the GUI

To configure a VLAN access port in the GUI go to the VLAN Port Settings Screen on the Layer 2 Management menu, select the port, specify the value in the PVID column, and click Apply.

Figure 5-6. Defining a VLAN Access Port in the GUI

Note: For a detailed explanation of the fields in this screen see Figure 5-8.

5.0.3 Advanced Access Port Configuration in the CLI

Executing the switchport access vlan command is actually short-hand for configuring both the ingress and egress VLAN behaviors of a port. There are three major parameters that can be set on an Ethernet port that control that port's behavior relative to VLAN processing:

• The tagged/untagged-and-priority-tagged parameter configured in VLAN configuration mode

• The acceptable-frame-type parameter, configured in interface configuration mode

• The PVID parameter, configured in interface configuration mode

The following example is equivalent to the simple example found in Section 5.0.2.1, “Defining an Access Port in the CLI”:

Magnum 10RX(config)# vlan 2

Magnum 10RX(config-vlan)# ports gigabitethernet 3/1 untagged gigabitethernet 3/1

Magnum 10RX(config-vlan)# exit

Magnum 10RX(config)# interface gigabitethernet 3/1

Magnum 10RX(config-if)# switchport acceptable-frame-type untaggedAndPrioritytagged

Magnum 10RX(config-if)# switchport pvid 2

Magnum 10RX(config-if)# no shutdown

Magnum 10RX(config-if)# exit

Magnum 10RX(config)#

Figure 5-7. Configuring VLAN Parameters on the CLI

5.0.4 Advanced Access Port Configuration in the GUI

Configure VLAN parameters with the GUI using the VLAN Port Settings screen on the Layer 2 Management menu. Select a port, specify a frame type and a PVID, and click Apply.

Enable a port on this screen by selecting Up in the pull down menu in the Admin State column and clicking Apply. Disable it by selecting Down.

Figure 5-8. Configuring VLAN Parameters in the GUI

Table 5-4. VLAN Port Settings Fields

| Parameter | Description |
| --- | --- |
| Select | You must click the radio button of the port to be configured. |
| Port | A list of configurable gigabitethernet ports. |
| PVID | The VLAN ID for this port. |
| Acceptable Frame Types | Specifies whether the VLAN specified by the PVID will accept all frames, tagged frames only, or untagged and priority tagged frames (rejecting tagged frames) on this port. |
| Ingress Filtering | Specifies whether ingress filtering is enabled or disabled. If enabled only incoming frames that match the port’s VLAN configuration will be accepted. |

5.0.5 Examining the VLAN Database

View the VLAN database by executing the show vlan id pvid command at the Magnum 10RX# prompt.

Magnum 10RX# show vlan id 2

Vlan database

-------------

Vlan ID : 2

Member Ports : Gi3/1

Untagged Ports : Gi3/1

Name : Substation4

Status : Permanent

Figure 5-9. The VLAN Database

The VLAN database contains the following information for each VLAN:

• List of member ports (egress) — Member ports are those Ethernet interfaces for which packets with the given VLAN tag will egress.

• List of untagged member ports (egress) — The untagged member port list determines whether the packet will egress tagged or untagged.

• VLAN Name — A name defined by the user for reference.

• VLAN Status — Can be Permanent or Dynamic. If all of the port memberships have been discovered using GVRP the status of the VLAN will be Dynamic. If any of the port memberships have been statically configured by the user, then the status of the VLAN will be Permanent even if some of the port memberships have been discovered dynamically by GVRP.
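The database fields described above can be compared against the VLAN plan a site intends to run, which shows VLANs or member ports that were added statically by mistake or registered through GVRP. The following Python script is an added example, not part of INOS or of the original guide; it assumes that output for several VLANs repeats the layout of Figure 5-9 and that port lists are comma-separated, and the sample output, baseline and function names are constructed for illustration.

```python
import re

FIELD = re.compile(r"^(Vlan ID|Member Ports|Untagged Ports|Name|Status)\s*:\s*(.*)$")

# Constructed sample: VLAN 2 is copied from Figure 5-9; VLANs 15 and 40 are
# invented to trigger findings. Comma-separated port lists are an assumption.
SAMPLE = """\
Vlan database
-------------
Vlan ID : 2
Member Ports : Gi3/1
Untagged Ports : Gi3/1
Name : Substation4
Status : Permanent
-------------
Vlan ID : 15
Member Ports : Gi3/2, Gi5/1
Untagged Ports : Gi3/2, Gi7/1
Name : Relay-Room
Status : Permanent
-------------
Vlan ID : 40
Member Ports : Gi5/2
Untagged Ports :
Name :
Status : Dynamic
"""

# Constructed baseline: the VLANs and member ports the site intends to have.
BASELINE = {2: {"Gi3/1"}, 15: {"Gi3/2"}}


def ports(value):
    """Split a port list such as 'Gi3/2, Gi5/1' into a set of port names."""
    return {port for port in re.split(r"[,\s]+", value.strip()) if port}


def parse_vlan_database(text):
    """Return {vlan_id: {'members', 'untagged', 'name', 'status'}}."""
    database, entry = {}, None
    for line in text.splitlines():
        match = FIELD.match(line.strip())
        if not match:
            continue  # banner, rule or blank line
        key, value = match.group(1), match.group(2).strip()
        if key == "Vlan ID":
            entry = {"members": set(), "untagged": set(), "name": "", "status": ""}
            database[int(value)] = entry
        elif entry is None:
            continue  # field seen before any Vlan ID line
        elif key == "Member Ports":
            entry["members"] = ports(value)
        elif key == "Untagged Ports":
            entry["untagged"] = ports(value)
        elif key == "Name":
            entry["name"] = value
        else:
            entry["status"] = value
    return database


def review(database, baseline):
    """Return (vlan_id, finding) pairs, ordered by VLAN ID."""
    findings = []
    for vid in sorted(set(database) | set(baseline)):
        if vid not in database:
            findings.append((vid, "in baseline but missing from the device"))
            continue
        entry = database[vid]
        # Untagged ports are documented as a subset of the member ports.
        stray = entry["untagged"] - entry["members"]
        if stray:
            findings.append(
                (vid, "untagged ports not in member list: " + ", ".join(sorted(stray))))
        if vid not in baseline:
            findings.append((vid, f"not in baseline (status {entry['status']})"))
            continue
        extra = entry["members"] - baseline[vid]
        if extra:
            findings.append(
                (vid, "unexpected member ports: " + ", ".join(sorted(extra))))
    return findings


if __name__ == "__main__":
    for vid, finding in review(parse_vlan_database(SAMPLE), BASELINE):
        print(f"VLAN {vid}: {finding}")
```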

5.0.6 VLANs and IP Routing

Each VLAN configured on the Magnum 10RX is associated with its own IP interface. If you assign an IP address to this interface and enable it, you will be able to forward IP traffic between VLANs. You can also manage the system remotely using any of the reachable, configured VLAN IP interface addresses.

5.0.7 The VLAN Command

Use the vlan command in Global Configuration mode to access configuration options for an existing VLAN or to specify an ID for a new VLAN to create.

Command syntax:

vlan x

Where:

x is a numerical value creating a VLAN or specifying an existing VLAN with id x.

Example:

Magnum 10RX(config)# vlan 15

Valid range: 1-4094

The no vlan x command deletes the specified VLAN.

Use the show vlan command to view configured VLANs.

5.0.8 Configuring VLAN Learning Mode

Use the vlan learning mode command in Global Configuration mode to configure the VLAN learning mode to be applied for all ports of the switch. This mode defines the forwarding database modes of operation to be implemented by the switch.

Command syntax:

vlan learning mode {ivl | svl | hybrid}

Where:

ivl specifies that a separate forwarding database is created for each VLAN. The information learned from a VLAN is not shared among other relative VLANs during forwarding decisions.

This mode is suitable in situations where the database size is not a constraint and end stations operate over multiple VLANs with the same MAC address.

svl specifies that a single forwarding database is created for all VLANs. The information learned from a VLAN is shared among all other relative VLANs during forwarding decisions.

This mode is suitable in situations where the learning database size is a constraint.

hybrid specifies that the same forwarding database is created for some VLANs and a separate forwarding database is used for some VLANs. The selection of database for the VLAN is made based on the static unicast MAC address in the Forwarding Database (FDB) table entries.

Example:

Magnum 10RX(config)# vlan learning mode svl

Default value: ivl

Use the show vlan device info command to view configured values.

5.0.9 Configuring a Static VLAN Entry in the CLI

Use the ports command in VLAN Configuration mode to statically configure a VLAN entry with the required egress member ports, untagged ports and/or forbidden ports, and activate the VLAN. The VLAN can also be activated using the vlan active command.

The no form of the command deletes the specified port details for the VLAN.

The configuration defines the tagged and untagged member ports that are used for egress tagging of a VLAN at a port.

Command syntax:

ports [add] ([<interface-type> <0/a-b,0/c,...>] [<interface-type> <0/a-b,0/c,...>]) [untagged (<interface-type> <0/a-b,0/c,...> [<interface-type> <0/a-b,0/c,...>] [all])]

Where:

add Appends the new configured ports to the existing member port list of the VLAN.

interface-type configures the ports that should be set as a member of the VLAN. Ports are specified with:

gigabitethernet, a version of LAN standard architecture that supports data transfer up to 1 Gigabit per second, and

<0/a-b, 0/c,...>, a port channel specification that sets the list of interfaces or a specific interface identifier. This value is a combination of slot number and port number separated by a slash. Use a comma as a separator without spaces while configuring lists of interfaces. Example: 0/1,0/3 or 1,3.

untagged configures the ports that should be used for the VLAN to transmit egress packets as untagged packets.

Ports designated untagged are specified with the same interface type keywords and specifications used for all member ports (see above). Bear in mind the following limitations:

• The ports configured are a subset of the member ports.

• The ports that are attached to VLAN-aware devices should always be set as untagged ports only.

• A port can be set as an untagged port only if it is not configured as a trunk port.

name Configures a name for the VLAN. This is a user-supplied name of up to 32 characters in length.

Example:

Magnum 10RX(config-vlan)# ports gigabitethernet 0/1 untagged gigabitethernet 0/1 name welk83

Default value: All ports available in the switch are configured as member ports and untagged ports of the default VLAN (VLAN 1). For other active VLANs, the member, untagged and forbidden ports are not set (that is, set as none).

Use the no form of the command to negate specific configured values or to delete all configured member ports with the all argument.

Use the show vlan command to view configured values.

5.0.10 Configuring a Static VLAN Entry in the GUI

The values configurable in the CLI, as explained in Section 5.0.9, can also be configured in the GUI, as illustrated in Figure 5-10.

Figure 5-10. Static VLAN Configuration Screen

In this screen the upper dialog box is available to specify a static VLAN. The lower dialog box displays configured VLANs and is used to edit the specifications of those VLANs.

Table 5-5. Static VLAN Configuration Fields

| Parameter | Description |
| --- | --- |
| Select | You must click the radio button of the port to be configured. |
| VLAN ID | An identifying number for this VLAN. |
| VLAN Name | A user-supplied name of up to 32 characters in length. |
| Member Ports | All ports on this switch which are members of this VLAN. |
| Untagged Ports | The member ports that should be used for the VLAN to transmit egress packets as untagged packets. |

5.0.10.1 Activating a VLAN

Use the vlan active command in VLAN Configuration mode to activate a VLAN in the switch. The VLAN can also be activated by assigning ports with the ports command.

Command syntax:

vlan active

Example:

Magnum 10RX(config-vlan)# vlan active

5.0.10.2 Disabling Unicast-MAC Learning

Unicast-MAC learning is enabled by default. The set unicast-mac learning command enables or disables the unicast-MAC learning feature for a VLAN or sets this feature as the default.

When this feature is disabled for the VLAN, the switch does not perform source MAC learning.

Command syntax:

set unicast-mac learning {enable | disable | default}

Example:

Magnum 10RX(config-vlan)# set unicast-mac learning disable

Default value: enabled

Chapter 6 Spanning Tree

Spanning Tree Protocol (STP) is a network protocol designed to provide a loop-free topology for bridged Ethernet local area networks. The basic STP protocol has been expanded and refined into the much faster Rapid Spanning Tree Protocol (RSTP) and into the Multiple Spanning Tree Protocol (MSTP) technology to serve the needs of VLAN environments. All three versions of the STP protocol are supported by INOS.

The original Spanning Tree Protocol (STP) was defined by IEEE standard 802.1D. The faster RSTP was first defined in IEEE 802.1W and RSTP supersedes STP in IEEE 802.1D (2004). STP takes 45 to 60 seconds to recover from a failure because it needs to recalculate the entire tree after a failure. RSTP can recover in less than one second because it enables ports to actively communicate information about special conditions. MNS-DX supports both protocols, so that you can configure a port to use the older STP if it is necessary to accommodate a legacy bridge.

6.1 RSTP

The Rapid Spanning Tree Protocol (RSTP) constructs a system linking the elements of a bridged local area network so as to supply redundancy, provide for quick recovery from failure of a segment, and eliminate loops. The protocol can be said to be "spanning" in that it connects all elements in the system and to be a "tree" in that it connects these elements while remaining implicitly free of loops.

6.2 RSTP Setup

When first configured with RSTP the bridges in a system exchange messages with one another to elect a root bridge and to discover the shortest path from each bridge to the root bridge. The ports that enable the shortest paths are put into forwarding mode. All other ports are assigned backup or alternate roles. When a stable tree has been established and traffic is being transmitted the system is said to have achieved convergence.


Figure 6-1. Port Roles in a Rapid Spanning Tree Network

6.2.1 BPDUs

The messages exchanged by the bridges are special data frames called Bridge Protocol Data Units (BPDUs). The BPDUs contain identifying information and information about the root path cost. The best path from a bridge to the root has the lowest path cost. (The measurement takes into account the bandwidth on intervening segments.) When the spanning tree is being calculated the bridges exchange configuration BPDUs. Other types of BPDUs are exchanged during normal operation.

6.2.2 Bridge Roles

Each configured spanning tree has a single root bridge. All other bridges active in the system are designated bridges. For each segment the connected bridge that provides the shortest path to the root bridge is that segment’s designated bridge.

[Figure 6-1 shows a root bridge and designated bridges with their ports labeled. Legend: R = Root port, D = Designated port, A = Alternate port, B = Backup port, E = Edge port.]


6.2.3 Port Roles

After convergence each port in the tree is assigned one of four roles:

Table 6-1. RSTP Port Roles

Port Role

Root: Each bridge (except the root bridge) has a single root port. This is the port with the lowest root path cost (the best way to the root). All traffic to and from the root bridge passes through the root port of the designated bridge.

Designated: Each bridge (except the root bridge) has at least one designated port. If only one port is connected to the segment it is the designated port. If more than one port is connected to the segment then the port with the best priority value in its ID is the designated port for the segment. Any port on the root bridge that is connected to a segment is a designated port. All traffic to and from a specific segment passes through the designated port of the designated bridge.

Backup: A port on a designated bridge that is connected to the same segment as the designated port on that bridge. In the event of failure in the designated port the backup port would become the designated port. A backup port is blocked (inactive).

Alternate: A port that connects to a different segment than the root port on the same bridge. An alternate port provides an alternate path to the root that is inferior to the path provided by the root port. In the event of failure in the root port the alternate port would become the root port. An alternate port is blocked (inactive).

6.2.4 Edge Ports and Point-to-Point Links

There are two other ways of classifying ports that can enable a quick transfer to the forwarding state and thus faster convergence:

• Edge Port – This is a port that connects directly to an end station. Since it connects to a single host it is incapable of forming loops, so it may be safely placed in a forwarding state without going through the listening and learning stages.

• Point-to-Point Links – When a port connects directly to another switch it can safely be placed in forwarding mode.


6.2.5 Port States

The INOS implementation of RSTP supports four operational states for a port:

Blocking – The port does not transmit or receive data frames, but the port does continue to receive BPDUs.

Listening – The port can send and receive BPDUs, but it is not learning MAC addresses or forwarding data frames.

Learning – The port is receiving BPDUs and is learning MAC addresses but it is not forwarding data frames.

Forwarding – The port is sending and receiving all packets.

Once the RSTP network is functioning all traffic is by definition handled by the ports in the forwarding state.

6.3 RSTP Normal Operation

After initial configuration RSTP functions by circulating BPDUs through the system. When these BPDUs indicate a change in the topology, such as failure of a link or the addition of a new node, the system is reconfigured.

System maintenance is carried out by the traffic in BPDUs among the bridges. Maintenance is managed under certain configurable constraints:

Hello Time – The amount of time between the transmission of configuration BPDUs on any port. Valid range = 1-2 seconds. Default value = 2 seconds. A connection is considered to be lost if hellos are not received three consecutive times (by default this is six seconds).

Forward Delay – Controls how long the bridge waits after any state or topology change before forwarding the information to the network. Valid range = 4-30 seconds. Default value = 15 seconds.

Maximum Age – The length of time a configuration BPDU remains valid before it is discarded.

6.4 Design Considerations

The RSTP protocol can make network decisions automatically. However, you may want to specify the settings for some or all of your bridges and ports. For instance, you may want to ensure that a particular bridge is the root bridge or that a certain port on a bridge is the designated port.

Note that you should use the commands described in Configuring Auto Edge (Section 6.7.2) and Configuring the Spanning Tree Properties of an Interface (Section 6.7) to ensure that ports connecting to end stations are specified as edge ports, and that ports that connect to other bridges using RSTP are specified as Point ports (also known as Point-to-Point ports).


6.4.1 Basic RSTP Configuration Parameters

The following parameters must be configured. The commands to accomplish these tasks are described in the following sections.

• enabled – Any bridge active in the system must have the Disabled/Enabled value set to Enabled.

• priority – The default priority value is 32768 (in a valid range of 0-65535). If you know that you want a specific bridge to be the root bridge, then set this value on that bridge low - lower than any other bridge in the system. You can also effectively specify a bridge as an alternate root bridge, to take over in the event of failure of the original root bridge, by giving it a priority value only slightly higher than that of the root bridge. When you have more than one bridge connecting to the same LAN you can determine which bridge will become the designated bridge by setting its priority value low.

• hello Time – The default Hello Time value is 2 seconds (in a valid range of 1-2). The manually configurable Hello Time value applies to the root bridge. A smaller Hello Time value will result in quicker detection of topology changes but it will also result in increased traffic on the system. Designated bridges use a Hello Time learned from BPDUs sent from the root bridge.

• forward time – The default Forward Delay value is 15 seconds (in a valid range of 4-30). A shorter Forward Delay may result in quicker adaptation to topology changes. Designated bridges use a Forward Delay learned from BPDUs sent from the root bridge.

• max-age – The default Maximum Age value is 20 seconds (in a valid range of 6-40). In a network that includes some slow links it could be useful to set a higher value for Maximum Age.

6.5 MSTP

INOS supports the Multiple Spanning Tree Protocol (MSTP), which enables the creation of “regions” of switches that share certain configuration attributes. All switches that will participate together in MSTP must belong to the same MSTP region. To share an MSTP region a group of switches must have the exact same MSTP instance-to-VLAN mappings. To prevent configuration errors, a region is identified by 3 separate parameters:

• Region name

• Region revision

• The complete MSTP instance-to-VLAN mapping

Here is an example of how to configure the region information:

Figure 6-2. Configuring an MSTP Region

Magnum 10RX(config)# spanning-tree mst configuration

Magnum 10RX(config-mst)# name region1

Magnum 10RX(config-mst)# revision 1

Magnum 10RX(config-mst)# instance 1 vlan 2


6.6 Global Spanning Tree Configuration

You can configure Spanning Tree parameters system-wide in Global Configuration mode. Some of the values you specify globally may be overridden on interfaces that are configured in more local configuration modes.

6.6.1 Enabling Spanning Tree

Use the spanning-tree command to enable the spanning tree protocol.

Command syntax:

spanning-tree

Example:

Magnum 10RX(config)# spanning-tree

Default value: enabled.

The no spanning-tree command disables spanning tree functionality.

6.6.2 Configuring Spanning Tree Mode

Use the spanning-tree mode command to select Multiple Spanning Tree (mst) or Rapid Spanning Tree (rst) mode.

Command syntax:

spanning-tree mode {mst|rst}

Where:

mst selects Multiple Spanning Tree mode.

rst selects Rapid Spanning Tree mode.

Example:

Magnum 10RX(config)# spanning-tree mode rst

Default value: mst

Notes:

• When the Magnum 10RX boots up spanning tree is enabled by default with MST operating in the switch.

• The spanning-tree mode command starts and enables the spanning tree mode. Port-roles and states are computed only after enabling the spanning tree.

• If the user input for the spanning tree mode differs from the current configured mode of operation Magnum 10RX will shut down the operational spanning tree and restart to conform with user input.

Use the show spanning-tree detail command to view detailed spanning tree information.


Use the show spanning-tree active command to view spanning tree information for active ports.

6.6.3 Configuring Spanning Tree Compatibility

Use the spanning-tree compatibility command in Global Configuration mode to enable backward compatibility with legacy STP traffic for the protocol version (RSTP or MSTP) that has been enabled with the spanning-tree mode command.

Command syntax:

spanning-tree compatibility {mst|rst|stp}

Where:

mst specifies Multiple Spanning Tree compatibility only.

rst specifies Rapid Spanning Tree compatibility when mst has been selected with the spanning-tree mode command.

stp specifies compatibility with Spanning Tree Protocol in addition to the protocol (rst or mst) enabled with the spanning-tree mode command.

Example:

Magnum 10RX(config)# spanning-tree compatibility stp

Default value: mst

The no spanning-tree compatibility command disables STP compatibility.

Notes:

• When the Magnum 10RX boots up spanning tree is enabled by default with MST operating in the switch.

• An attempt to change compatibility in conflict with mode will produce an error message. For example, if rst has been selected with the spanning-tree mode command you cannot specify mst with the spanning-tree compatibility command.

Use the show spanning-tree command to view the protocol version being executed.

6.6.4 Configuring Dynamic Pathcost Calculation

Use the spanning-tree pathcost dynamic command to configure the pathcost for all ports dynamically.

Command syntax:

spanning-tree mode pathcost dynamic

Example:

Magnum 10RX(config)# spanning-tree mode pathcost dynamic lag-speed

This command specifies that pathcosts will be calculated dynamically and re-calculated when ports are added or deleted.


Default value: disabled

Notes:

• On execution of the pathcost dynamic command the pathcost of all the ports will be calculated dynamically based on the speed of the interface.

• Interfaces that have been configured with a specific pathcost are unaffected by this command.

6.6.5 Configuring Spanning Tree Timers

Use the spanning-tree command with timer arguments to specify forward-time, hello-time and max-age. See Section 6.3, “RSTP Normal Operation” for an explanation of these settings.

Command syntax:

spanning-tree {forward-time forsecs | hello-time helsecs | max-age agesecs}

Where:

forsecs is a numerical value specifying how quickly a port changes from blocking state to forwarding state.

helsecs is a numerical value specifying the frequency with which hello messages are sent to other switches.

agesecs is a numerical value specifying the maximum length of time to retain learned RSTP information.

Example:

Magnum 10RX(config)# spanning-tree max-age 6

Magnum 10RX(config)# spanning-tree hello-time 1

Magnum 10RX(config)# spanning-tree forward-time 4

Default values:

forward-time — 15 seconds

hello-time — 2 seconds

max-age — 20 seconds.

The no form of the command sets the value of the specified timer to the default.

Valid ranges:

forward-time — 4-30 seconds

hello-time — 1-2 seconds

max-age — 6-40 seconds.

Note: The following relations must be observed while configuring the timers:

• 2 * (Forward-time - 1) >= Max-age


• Max-age >= 2 * (Hello-time + 1)

Use the show spanning-tree detail command to view detailed spanning tree information.

Use the show spanning-tree active command to view spanning tree information for active ports.
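The ranges and the two relations above can be checked before any command is typed. The following is an added example, not part of the guide or of INOS: it validates a timer set and lists the command orders that stay valid after every single change, on the assumption that the switch evaluates the relations after each command.

```python
"""Check spanning-tree timers against the ranges and relations in section 6.6.5."""
from itertools import permutations

# Valid ranges and defaults as stated in this guide (seconds).
RANGES = {"forward-time": (4, 30), "hello-time": (1, 2), "max-age": (6, 40)}
DEFAULTS = {"forward-time": 15, "hello-time": 2, "max-age": 20}


def violations(timers):
    """Return a list of problems with one complete timer set (empty list = valid)."""
    problems = []
    for name, (low, high) in RANGES.items():
        if not low <= timers[name] <= high:
            problems.append(f"{name} {timers[name]} is outside {low}-{high}")
    if 2 * (timers["forward-time"] - 1) < timers["max-age"]:
        problems.append("2 * (forward-time - 1) >= max-age does not hold")
    if timers["max-age"] < 2 * (timers["hello-time"] + 1):
        problems.append("max-age >= 2 * (hello-time + 1) does not hold")
    return problems


def safe_orders(current, target):
    """List every command order that keeps the timers valid after each single change.

    Assumption: the switch evaluates the relations after every command, so an
    intermediate combination that breaks them would be refused.
    """
    if violations(target):
        return []
    changed = [name for name in RANGES if current[name] != target[name]]
    orders = []
    for order in permutations(changed):
        state = dict(current)
        for name in order:
            state[name] = target[name]
            if violations(state):
                break  # this order passes through an invalid combination
        else:
            orders.append([f"spanning-tree {name} {target[name]}" for name in order])
    return orders


if __name__ == "__main__":
    # Target values taken from the example in section 6.6.5.
    target = {"forward-time": 4, "hello-time": 1, "max-age": 6}
    for order in safe_orders(DEFAULTS, target):
        print(" ; ".join(order))
```

Starting from the defaults, lowering forward-time to 4 first fails the first relation because max-age is still 20, which is why the example in this section sets max-age before forward-time.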

6.6.6 Configuring Spanning Tree Transmit Hold Count

Use the spanning-tree transmit hold-count command to set the transmit hold-count value for the switch. This value specifies the maximum number of packets that can be sent in a given hello-time interval. This resource can be used to avoid flooding.

Command syntax:

spanning-tree transmit hold-count cnt

Where:

cnt is a numerical value specifying the maximum number of packets to be sent during one hello-time interval.

Example:

Magnum 10RX(config)# spanning-tree transmit hold-count 5

Default value: 3

The no form of the command sets the hold count to the default.

Valid range: 1-10

Use the show spanning-tree detail command to view detailed spanning tree information.

Use the show spanning-tree active command to view spanning tree information for active ports.

6.6.7 Configuring Spanning Tree Priority

Use the spanning-tree priority command to specify the priority value assigned to the switch.

In RSTP, this value is used during the election of root. In MSTP, this value is used during the election of CIST root, CIST regional root and IST root.

Command syntax:

spanning-tree [mst I_id] priority prio_val

Where:

I_id optionally specifies a configured MST instance.

prio_val is a numerical value that is either 0 or a number divisible by 4096 that specifies the priority of the switch.


Example:

Magnum 10RX(config)# spanning-tree priority 20480

Default value: 32768

The no form of the command sets the priority to the default.

Valid range: 0-61440

Use the show spanning-tree detail command to view detailed spanning tree information.

Use the show spanning-tree active command to view spanning tree information for active ports.

6.7 Configuring the Spanning Tree Properties of an Interface

In Global Configuration mode you can specify an interface to enter Interface Configuration mode and make configuration specifications that affect that interface only.

Figure 6-3 illustrates entering Interface Configuration mode and displaying Spanning Tree help:

Figure 6-3. Configuring Spanning Tree on an Interface

Magnum 10RX(config)# interface gigabitethernet 3/1

Magnum 10RX(config-if)# spanning-tree ?

auto-edge        Automatic detection of bridge attached on an interface
bpdu-receive     Configures the BPDU receive status of the port
bpdu-transmit    Configures BPDU transmit status of the port
cost             The pathcost value associated with the port
disable          Disables the spanning tree on the port
link-type        The link can be a point-to-point link or can be a shared LAN segment on which another bridge is present
loop-guard       Enables loop guard on all the VLANs associated with the selected interface
mst              Specifies the spanning tree instance
port-priority    Configure port priority value
portfast         Specifies that port has only hosts connected and hence can transition to forwarding rapidly
restricted-role  Enables the root-guard / restricted role feature on the port
restricted-tcn   Enables the topology change guard / restricted TCN feature

6.7.1 General Spanning Tree Port Configuration

In Interface Configuration mode use the spanning-tree command to disable spanning tree on the port and to specify pathcost, link-type, portfast status, and port priority.


Command syntax:

spanning-tree {cost cost_val | disable | link-type {point-to-point | shared} | portfast | port-priority port_prio}

Where:

cost_val is a numerical value that specifies the pathcost value for this port.

disable disables spanning tree on this port. (The no command restores the default value of enable.)

link-type can be a point-to-point link or can be a shared LAN segment on which another bridge is present. (The no form of the command will set the link type as auto.)

portfast specifies that this port has only hosts connected, so can transition to forwarding rapidly.

port_prio is a numerical value that specifies the port priority. The value may be 0 or a number divisible by 16.

Examples:

Magnum 10RX(config-if)# spanning-tree cost 2200

Magnum 10RX(config-if)# spanning-tree link-type point-to-point

Magnum 10RX(config-if)# spanning-tree portfast

Magnum 10RX(config-if)# spanning-tree port-priority 64

Default values:

cost — 200000

enabled

link-type — shared

portfast — not in portfast

port-priority — 128

The no form of the command sets values to the default.

Valid ranges:

cost — 0-200000000

port-priority — 0-240

Use the show spanning-tree detail command to view detailed spanning tree information.

Use the show spanning-tree active command to view spanning tree information for active ports.


6.7.2 Configuring Auto Edge

Use the spanning-tree auto-edge command in Interface Configuration mode to enable automatic detection of a bridge connected on the interface. With auto-edge enabled the port is set as an edge port so long as no BPDU is received on the port. The port is set as a non-edge port if any BPDU is received.

Command syntax:

spanning-tree auto-edge

Example:

Magnum 10RX(config-if)# spanning-tree auto-edge

Default value: disabled

The no form of the command sets the value to disabled.

Use the show spanning-tree detail command to view detailed spanning tree information.

Use the show spanning-tree active command to view spanning tree information for active ports.

6.7.3 Configuring Loop Guard

Use the spanning-tree loop-guard command in Interface Configuration mode to enable the loop guard feature on a port. A blocking port with loop guard enabled will be prevented from forming loops by going into a temporary loop-inconsistent state if its receipt of BPDUs is interrupted.

Command syntax:

spanning-tree loop-guard

Example:

Magnum 10RX(config-if)# spanning-tree loop-guard

Default value: disabled

The no form of the command sets the value to disabled.

Use the show spanning-tree detail command to view detailed spanning tree information.

Use the show spanning-tree active command to view spanning tree information for active ports.

6.7.4 Configuring Restricted Role

Use the spanning-tree restricted-role command in Interface Configuration mode to specify that this port cannot be selected as the root port even if it has the best priority vector. The restricted-role feature, also known as the root-guard feature, allows you to prevent switches external to a core region of the network from influencing the spanning tree active topology.


Note that blocking a port from selection as a root port can cause lack of spanning tree connectivity.

Command syntax:

spanning-tree restricted-role

Example:

Magnum 10RX(config-if)# spanning-tree restricted-role

Default value: disabled

The no form of the command sets the value to disabled.

Use the show spanning-tree detail command to view detailed spanning tree information.

Use the show spanning-tree active command to view spanning tree information for active ports.

6.7.5 Configuring Restricted TCN

Use the spanning-tree restricted-tcn command in Interface Configuration mode to specify that this port will not propagate topology changes or received topology change notifications (TCNs) to other ports. The restricted-tcn feature, also known as the topology change guard feature, allows you to prevent switches external to a core region of the network from causing address flushing in the region.

Note that enabling this feature can cause temporary loss of connectivity when changes in a spanning tree active topology are not communicated to the rest of the network.

Command syntax:

spanning-tree restricted-tcn

Example:

Magnum 10RX(config-if)# spanning-tree restricted-tcn

Default value: disabled

The no form of the command sets the value to disabled.

Use the show spanning-tree detail command to view detailed spanning tree information.

Use the show spanning-tree active command to view spanning tree information for active ports.

6.7.6 Configuring BPDU Receive

Use the spanning-tree bpdu-receive command in Interface Configuration mode to specify whether or not this port will process received BPDUs.

Command syntax:

spanning-tree bpdu-receive {enabled | disabled}


Where:

enabled specifies that this port will process received BPDUs normally.

disabled specifies that this port will discard received BPDUs.

Example:

Magnum 10RX(config-if)# spanning-tree bpdu-receive enabled

Default value: enabled

Use the show spanning-tree detail command to view detailed spanning tree information.

Use the show spanning-tree active command to view spanning tree information for active ports.

6.7.7 Configuring BPDU Transmit

Use the spanning-tree bpdu-transmit command in Interface Configuration mode to specify whether or not this port will transmit BPDUs.

Command syntax:

spanning-tree bpdu-transmit {enabled | disabled}

Where:

enabled specifies that this port will transmit BPDUs.

disabled specifies that this port will not transmit BPDUs.

Example:

Magnum 10RX(config-if)# spanning-tree bpdu-transmit enabled

Default value: enabled

Use the show spanning-tree detail command to view detailed spanning tree information.

Use the show spanning-tree active command to view spanning tree information for active ports.
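The per-port options in sections 6.7.1 through 6.7.7, together with the guidance in section 6.4, can be turned into a repeatable check. The following is an added example, not part of the guide or of INOS: it reads a constructed CLI transcript and reports ports whose settings do not match how the operator has classified them. The role names (end-station, external, core) and all interface numbers other than 3/1 are assumptions made for the example.

```python
"""Audit per-port spanning-tree settings against sections 6.4 and 6.7 of this guide."""
import re

IFACE = re.compile(r"\(config\)#\s*interface\s+(\S+)\s+(\S+)")
STP = re.compile(r"\(config-if\)#\s*(no\s+)?spanning-tree\s+(\S.*)$")

# Constructed sample: each block is a separate session excerpt.
SAMPLE_TRANSCRIPT = """\
Magnum 10RX(config)# interface gigabitethernet 3/1
Magnum 10RX(config-if)# spanning-tree portfast

Magnum 10RX(config)# interface gigabitethernet 3/2
Magnum 10RX(config-if)# spanning-tree restricted-role
Magnum 10RX(config-if)# spanning-tree restricted-tcn
Magnum 10RX(config-if)# no spanning-tree restricted-tcn

Magnum 10RX(config)# interface gigabitethernet 3/3
Magnum 10RX(config-if)# spanning-tree link-type point-to-point
Magnum 10RX(config-if)# spanning-tree bpdu-receive disabled

Magnum 10RX(config)# interface gigabitethernet 3/4
Magnum 10RX(config-if)# spanning-tree cost 2200
"""

# Hypothetical classification supplied by the operator; the switch does not report it.
SAMPLE_ROLES = {
    "gigabitethernet 3/1": "end-station",  # host attached
    "gigabitethernet 3/2": "external",     # switch outside the core region
    "gigabitethernet 3/3": "core",         # link to another bridge running RSTP
    "gigabitethernet 3/4": "end-station",
}


def parse_interfaces(transcript):
    """Return {interface: {keyword: argument}} for the spanning-tree options in effect."""
    ports, current = {}, None
    for raw in transcript.splitlines():
        line = raw.strip()
        match = IFACE.search(line)
        if match:
            current = f"{match.group(1)} {match.group(2)}"
            ports.setdefault(current, {})
            continue
        match = STP.search(line)
        if match and current:
            keyword, _, argument = match.group(2).partition(" ")
            if match.group(1):
                ports[current].pop(keyword, None)  # "no" form restores the default
            else:
                ports[current][keyword] = argument.strip()
    return ports


def audit(ports, roles):
    """Return [(interface, finding)] for ports that do not match their role."""
    findings = []
    for port, role in sorted(roles.items()):
        cfg = ports.get(port, {})
        if role == "end-station":
            if "portfast" not in cfg and "auto-edge" not in cfg:
                findings.append((port, "not configured as an edge port (portfast or auto-edge)"))
        elif role == "external":
            for guard in ("restricted-role", "restricted-tcn"):
                if guard not in cfg:
                    findings.append((port, f"missing {guard}"))
        elif role == "core":
            if cfg.get("link-type") != "point-to-point":
                findings.append((port, "link-type is not point-to-point"))
            if "portfast" in cfg:
                findings.append((port, "portfast set on an inter-switch link"))
            if ("disable" in cfg or cfg.get("bpdu-receive") == "disabled"
                    or cfg.get("bpdu-transmit") == "disabled"):
                findings.append((port, "spanning tree or BPDU handling is disabled"))
    return findings


if __name__ == "__main__":
    for port, finding in audit(parse_interfaces(SAMPLE_TRANSCRIPT), SAMPLE_ROLES):
        print(f"{port}: {finding}")
```

Port 3/2 is reported because the later no spanning-tree restricted-tcn line returned that guard to its disabled default.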

6.8 MSTP-Specific Configuration

Some commands executed in the Global Configuration mode or in the MST Configuration mode affect only the operation of MSTP functionality.

6.8.1 Configuring MST Max Hops

Use the spanning-tree mst max-hops command in Global Configuration mode to specify the maximum number of switches that a packet can cross before it is dropped.


The root switch always transmits a BPDU with the maximum hop count value. The receiving switch decrements the value by one and propagates the BPDU with modified hop count value. The BPDU is discarded and the information held is aged out when the hop count reaches 0.

Command syntax:

spanning-tree mst max-hops maxh

Where:

maxh is a numerical value specifying the maximum number of hops a packet can take in MSTP before it is dropped.

Example:

Magnum 10RX(config)# spanning-tree mst max-hops 30

Default value: 20

Valid range: 6-40

Use the show spanning-tree mst configuration command to view detailed mst information.

6.8.2 Enter MSTP Configuration Mode

Use the spanning-tree mst configuration command to enter the MST configuration mode, which is signaled by the prompt Magnum 10RX(config-mst)#. In this mode you can perform mst instance-specific and mst region configuration tasks. Enter help at the Magnum 10RX(config-mst)# prompt to see a list of these commands.

Command syntax:

spanning-tree mst configuration

Example:

Magnum 10RX(config)# spanning-tree mst configuration

6.8.3 Configuring MST Region Name

In MST Configuration Mode use the name command to specify a name for the MST region.

The name is unique and is used to identify the specific MST region. Each MST region contains multiple spanning tree instances and runs a special instance of spanning tree, known as the IST, to disseminate STP topology information for other STP instances.

Command syntax:

name regionname

Where:

regionname is a unique name of up to 32 characters for this MST region.


Example:

Magnum 10RX(config-mst)# name avalon

Default value: same as base MAC address of the switch

6.8.4 Configuring MST Region Revision

In MST Configuration Mode use the revision command to specify the revision for the MST region.

The revision number must be the same for all switches in the same region. It can be incremented after configuration changes to serve as a check on the synchronization of switch configurations.

Command syntax:

revision revnum

Where:

revnum is a numerical value in the range 0-65535.

Example:

Magnum 10RX(config-mst)# revision 101

Valid range: 0-65535
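Sections 6.5, 6.8.3 and 6.8.4 state that switches share an MST region only when the region name, the revision and the complete instance-to-VLAN mapping all match. The following is an added example, not part of the guide or of INOS: it extracts those three parameters from MST configuration-mode transcripts and reports why a switch would fall outside the reference switch's region. The switch names and all transcripts except the Figure 6-2 values are constructed, and only the instance N vlan M form shown in this guide is parsed.

```python
"""Compare the MST region identity (name, revision, instance-to-VLAN map) across switches."""
from typing import NamedTuple, Optional

PROMPT = "Magnum 10RX(config-mst)# "


class RegionIdentity(NamedTuple):
    name: Optional[str]       # None when the transcript never sets a name
    revision: Optional[int]   # None when the transcript never sets a revision
    mapping: frozenset        # (vlan, instance) pairs


def region_identity(transcript):
    """Collect the three region parameters from MST configuration-mode lines."""
    name, revision, mapping = None, None, {}
    for line in transcript.splitlines():
        _, found, command = line.partition("(config-mst)#")
        if not found:
            continue  # not an MST configuration-mode command
        words = command.split()
        if len(words) == 2 and words[0] == "name":
            name = words[1]
        elif len(words) == 2 and words[0] == "revision":
            revision = int(words[1])
        elif len(words) == 4 and words[0] == "instance" and words[2] == "vlan":
            mapping[int(words[3])] = int(words[1])  # a VLAN belongs to one instance
    return RegionIdentity(name, revision, frozenset(mapping.items()))


def region_mismatches(switches, reference):
    """Return {switch: [reasons it will not share the reference switch's region]}."""
    ref = region_identity(switches[reference])
    report = {}
    for host, transcript in switches.items():
        if host == reference:
            continue
        ident, reasons = region_identity(transcript), []
        if ident.name is None:
            # Section 6.8.3: the default name is the base MAC address, unique per switch.
            reasons.append("name not set (default is the switch's base MAC address)")
        elif ident.name != ref.name:
            reasons.append(f"name {ident.name} != {ref.name}")
        if ident.revision != ref.revision:
            reasons.append(f"revision {ident.revision} != {ref.revision}")
        if ident.mapping != ref.mapping:
            vlans = sorted({vlan for vlan, _ in ident.mapping ^ ref.mapping})
            reasons.append(f"instance-to-VLAN mapping differs for VLAN {vlans}")
        report[host] = reasons
    return report


def _session(*commands):
    """Build a constructed transcript from MST configuration-mode commands."""
    return "\n".join(PROMPT + command for command in commands)


# Constructed sample; sw-a uses the values from Figure 6-2.
SAMPLE_SWITCHES = {
    "sw-a": _session("name region1", "revision 1", "instance 1 vlan 2"),
    "sw-b": _session("name region1", "revision 1", "instance 1 vlan 2"),
    "sw-c": _session("name region1", "revision 1", "instance 1 vlan 2", "instance 2 vlan 3"),
    "sw-d": _session("revision 2", "instance 1 vlan 2"),
}

if __name__ == "__main__":
    for host, reasons in region_mismatches(SAMPLE_SWITCHES, "sw-a").items():
        print(host, "OK" if not reasons else "; ".join(reasons))
```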

6.8.5 Configuring MST Max Instance

Use the spanning-tree mst max-instance command to specify the maximum number of Multiple Spanning Tree Instances (MSTIs) permitted in the switch.

Command syntax:

spanning-tree mst max-instance mstimax

Where:

mstimax is a numerical value in the range 1-16.

Example:

Magnum 10RX(config-mst)# spanning-tree mst max-instance 10

Valid range: 1-16

6.9 Configuring MSTP In the GUI

The following sections describe MSTP configuration in the Graphical User Interface. The See Also cross references in the tables direct you to related information in the CLI documentation.


6.9.1 MSTP Global Configuration

In the GUI go to the Layer 2: Manager: MSTP: Basic Settings tab to view and modify the MSTP Global Configuration screen, as illustrated in Figure 6-4.

Figure 6-4. MSTP Global Configuration Tab

The MSTP Global Configuration screen enables you to configure MST parameters that apply to all ports in the switch. Specify the values and click the apply button for your specifications to take effect.

Table 6-2. MSTP Global Configuration Fields

Parameter Description See Also

Maximum MST Instances

Maximum number of Multiple Spanning Tree Instances (MSTIs) permitted in the switch.

Valid range: 1-16

Section 6.8.5

Bridge Priority The Spanning Tree priority value assigned to the switch.

Default value: 32768

Valid range: 0-61440

Section 6.6.7

Section 6.4.1

Protocol Version The Spanning Tree version used in the switch, MSTP, RSTP, or STP. MSTP is the default. If RSTP or STP are selected the fields Region Name and Region Version are grayed out and not configurable.

Section 6.6.2

Region Name User-supplied name for the MST region.

Default value: same as base MAC address of the switch

Section 6.8.3

Region Version Must be the same for all switches in the same region. It can be incremented after configuration changes to serve as a check on the synchronization of switch configurations.

Valid range: 0-65535

Section 6.8.4


6.9.2 MSTP Timer Configuration

In the GUI go to the Layer 2: Manager: MSTP: Timers tab to view and modify the MSTP timers, as illustrated in Figure 6-5.

Figure 6-5. MSTP Timers Configuration Tab

The MSTP Timers Configuration screen enables you to configure MST timer parameters that apply to all ports in the switch. Specify the values and click the apply button for your specifications to take effect.

Table 6-2. MSTP Global Configuration Fields (continued)

Dynamic Path Cost Calculation

If True pathcost for all ports is configured dynamically.

Default value: False

Section 6.6.4

Section 6.2.1

Speed Change Path Cost Calculation

Select whether the dynamic path cost is to be calculated for ports whose speed changes dynamically.

If a path cost value has been manually configured that value will override regardless of any true or false specification here.

Default value: False

Table 6-3. MSTP Timers Configuration Fields

Parameter Description See Also

Maximum Hop Count

The maximum number of switches that a packet can cross before it is dropped.

Default value: 20

Valid range: 6-40

Section 6.8.1

Max Age The length of time to retain learned information.

Default value: 20 seconds

Valid range: 6-40 seconds

Section 6.6.5

Section 6.4.1


6.9.3 CIST Configuration

In the GUI go to the Layer 2: Manager: MSTP: Port Configuration tab to view and modify the MSTP CIST Settings screen, as illustrated in Figure 6-6.

This screen enables you to configure the port information for CIST, which spans across the entire topology irrespective of MST and SST regions. CIST is a single common/active topology consisting of all switches in the topology.

Figure 6-6. MSTP Port Configuration Tab

Table 6-4 explains the meaning and valid values for the parameters configurable in the CIST Settings screen.

Table 6-3. MSTP Timers Configuration Fields (continued)

Forward Delay The length of time the bridge waits after any state or topology change before forwarding the information to the network.

Default value: 15 seconds

Valid range: 4-30 seconds

Section 6.6.5

Section 6.4.1

Transmit Hold Count

The maximum number of packets that can be sent in a given hello-time interval.

Default value: 3

Valid range: 1-10

Section 6.6.6

Hello Time Interval between the sending of hello messages to other switches.

Default value: 2 seconds

Valid range: 1-2 seconds

Section 6.6.5

Section 6.4.1

Table 6-4. MSTP Port Configuration Fields

Parameter Description See Also

Select You must click a selection button before configuring a port.

Port Lists ports available for configuration.


Table 6-4. MSTP Port Configuration Fields (continued)

Path Cost A value used in measuring how “close” bridges are to one another.

Default value: 200000

Valid range: 0-200000000

Section 6.7.1

Section 6.2.1

Priority The priority value of this port.

Default value: 128

Valid range: 0-240 (Must be a multiple of 16.)

Section 6.2.3

Section 6.7.1

Section 6.6.7

Point to Point Status

The link type for this port can be point to point or shared. This setting determines whether that status is determined automatically or is set to “True,” that is, that it is a point to point link, or “False,” a shared link.

Options: Auto | ForceTrue | ForceFalse

Section 6.2.4

Section 6.7.1

Edge Port Whether or not this port is configured as an edge port; that is, a port that connects directly to an end station.

Options: True | False

Section 6.2.4

Section 6.7.2

MSTP Status Whether or not MSTP is enabled on this port.

Options: Enable | Disable

Section 6.6.2

Section 6.5

Protocol Migration

Always False.

Hello Time The amount of time between the transmission of configuration BPDUs on any port.

Default value: 2 seconds

Valid range: 1-2 seconds

Section 6.3

Section 6.4.1

Section 6.6.5

AutoEdge Status If True enable automatic detection of a bridge connected on the interface.

Options: True | False

Section 6.7.2

Restricted Role If True this port cannot be selected as the root port even if it has the best priority vector.

Options: True | False

Section 6.7.4

Restricted TCN If True this port will not propagate topology changes or received topology change notifications (TCNs) to other ports.

Options: True | False

Section 6.7.5

BPDU Receive If True this port will process received BPDUs normally. If False this port will discard received BPDUs.

Options: True | False

Section 6.7.6


6.9.4 MSTP VLAN Mapping

In the GUI go to the Layer 2: Manager: MSTP: VLAN Mapping tab to map VLANs to MSTP instances, as illustrated in Figure 6-7.

Figure 6-7. MSTP VLAN Mapping Tab

In the VLAN Mapping screen the upper dialog box enables you to specify and to configure a virtual interface. Click the Add button for your specifications to take effect and to be displayed in the lower dialog box. The lower dialog box displays configured instances and enables you to delete a selected instance.

Table 6-4. MSTP Port Configuration Fields (continued)

BPDU Transmit If True this port will transmit BPDUs. If False this port will not transmit BPDUs.

Options: True | False

Section 6.7.7

Loop Guard If True this port will be prevented from forming loops by going into a temporary loop-inconsistent state if its receipt of BPDUs is interrupted.

Options: True | False

Section 6.7.3

Table 6-5. MSTP VLAN Mapping Fields

Parameter Description See Also

MSTP Instance ID Specify an MSTP instance. Section 6.5

Add VLAN Specify a configured VLAN.

Delete VLAN Specify a configured and previously mapped VLAN.


6.9.5 MSTP Port Settings

In the GUI go to the Layer 2: Manager: MSTP: Port Settings tab to view and modify basic MSTP information for specific ports previously configured to participate in an MSTP instance, as illustrated in Figure 6-8.

Figure 6-8. MSTP Port Settings Tab

The MSTP Port Settings screen enables you to configure MST on a per port basis. Specify the values and click the apply button for your specifications to take effect.

Table 6-5. MSTP VLAN Mapping Fields (continued)

Add / Reset Add to create a mapping. Reset to clear fields.

Delete Delete a configured mapping indicated by the Select button.

Table 6-6. MSTP Port Settings Fields

Parameter Description See Also

Select You must click a selection button before editing a port’s settings.

Port Lists configured ports available for alteration.

MSTP Instance ID Displays and enables editing of the MSTP instance in which each port participates.

Port State Whether this port is enabled or disabled.


6.9.6 MSTP CIST Port Status

In the GUI go to the Layer 2: Manager: MSTP: CIST Port Status tab to view CIST information for all ports in the switch, as illustrated in Figure 6-9.

Figure 6-9. MSTP Port Settings Tab

Table 6-7 explains the meaning of the parameters displayed in the CIST Port Status screen.

Table 6-6. MSTP Port Settings Fields (continued)

Priority Displays and enables editing of the priority value of this port.

Default value: 128

Valid range: 0-240 (Must be a multiple of 16.)

Section 6.2.3

Section 6.7.1

Section 6.6.7

Cost Displays and enables editing of path cost. A value used in measuring how “close” bridges are to one another.

Default value: 200000

Valid range: 0-200000000

Section 6.7.1

Section 6.2.1

Table 6-7. MSTP Port Status Display

Parameter Description See Also

Port The port ID.

Designated Root The unique identifier of the bridge that is identified as the CIST root in the transmitted configuration BPDUs.

Root Priority The priority of the bridge that is the designated root.

Default value: 32768

Valid range: 0-61440

Designated Bridge

The unique identifier of the designated bridge for this port’s segment. The designated bridge is the only bridge that can transmit frames to and from the segment.


Table 6-7. MSTP Port Status Display (continued)

Designated Port The identifier of the port on the designated bridge for this port's segment. This is the port the designated bridge uses to exchange frames with this segment.

Regional Root The unique identifier of the bridge that is identified as the CIST regional root in the transmitted configuration BPDUs.

Regional Root Priority

The priority of the bridge that is the regional root.

Default value: 32768

Valid range: 0-61440

Regional Path Cost

The port’s path cost that contributes to the cost of paths (including the port) towards the CIST Regional Root.

Valid range: 1-200000000

Type The operational Point-to-Point Status of the LAN segment attached to the port. The values can be:

• PointtoPoint — The port is treated as if it is connected to a point-to-point link.

• SharedLan — The port is treated as if it has a shared media connection.

You can specify the values or select Auto for the switch to determine the status.

Section 6.9.3


6.10 Configuring RSTP in the GUI

The following sections describe RSTP configuration in the Graphical User Interface. The See Also cross references in the tables direct you to related information in the CLI documentation.

6.10.1 RSTP Global Configuration

In the GUI go to the Layer 2: Manager: RSTP: Global Settings tab to view and modify the RSTP Global Configuration screen, as illustrated in Figure 6-4.

Table 6-7. MSTP Port Status Display (continued)

Role The current role of the port for the spanning tree instance. The values can be:

• Disabled — The port does not take part in the spanning tree process.

• Alternate — The port acts as an alternate for the root port, is blocked and not used for traffic. (It will be enabled and become the root port if the current root port is blocked.)

• Backup — The port acts as a backup for a specific designated port. It is blocked and not used for traffic. (It will be enabled and become the designated port if the active designated port is blocked.)

• Root — The port is used to forward data to the root bridge directly or through an upstream LAN segment.

• Designated — The port is used to send and receive packets to/from a specific downstream LAN segment/device. Only one designated port is assigned for each segment.

Port State The current state of the port as defined by the common STP. The values can be:

• Disabled — The port does not take part in the spanning tree process.

• Discarding — The port is included in the STP process and is ready to learn addresses and forward data.

• Learning — The port is learning source addresses from received frames and storing them in the switching database to use when sending and receiving data.

• Forwarding — The port is sending and receiving data based on the formed loop-free spanning tree topology.


as illustrated in Figure 6-10.

Figure 6-10. RSTP Global Configuration Tab

The RSTP Global Configuration screen enables you to configure RST parameters that apply to all ports in the switch. Specify the values and click the apply button for your specifications to take effect.

Table 6-8. RSTP Global Configuration Fields

Parameter Description See Also

Dynamic Path Cost Calculation

Options are:

• True — Dynamically calculate pathcost based on the speed of the ports whose Admin State is set to Up at that time. The path cost is not changed based on the operational status of the ports, once calculated.

• False — Dynamically calculate pathcost based on the link speed at the time of port creation.

If you have manually assigned pathcost that value is used regardless of the selection made here.

Default value: False

Section 6.6.4

Section 6.2.1

Speed Change Path Cost Calculation

Options are:

• True — Dynamically calculates path cost for ports based on their speed at that time. The path cost is re-calculated if the speed of the port changes.

• False — Does not dynamically calculate the path cost for ports based on their speed at that time.

If you have manually assigned pathcost that value is used regardless of the selection made here.

Default value: False


6.10.2 RSTP Timer Configuration

In the GUI go to the Layer 2: Manager: RSTP: Basic Settings tab to view and modify the RSTP Global Configuration screen, as illustrated in Figure 6-11.

Figure 6-11. RSTP Timers Configuration Tab

The RSTP Configuration screen enables you to configure RST timers for controlling the transmission of BPDUs during the computation of loop-free topology. This configuration is applied globally in the switch on all ports. Specify the values and click the apply button for your specifications to take effect.

Table 6-9. RSTP Timers Configuration Fields

Parameter Description See Also

Priority The priority value used for this switch during the election of root. This is a numerical value that can be either 0 or a number in the valid range that is divisible by 4096.

Default value: 32768

Valid range: 0-65535

Section 6.4.1

Section 6.6.7

Version Select STP Compatible to enable backward compatibility with legacy STP traffic.

Default value: RSTP Compatible

Options: STP Compatible | RSTP Compatible

Section 6.6.3

Tx Hold Count The maximum number of packets that can be sent in a given hello-time interval.

Default value: 3

Valid range: 1-10

Section 6.6.6

Max Age The length of time to retain learned information.

Default value: 20 seconds

Valid range: 6-40 seconds

Section 6.6.5

Section 6.4.1


6.10.3 RSTP Port Configuration

In the GUI go to the Layer 2: Manager: RSTP: Basic Settings tab to view and modify the RSTP Port Configuration screen, as illustrated in Figure 6-12.

Figure 6-12. RSTP Port Configuration Tab

The RSTP Port Settings screen enables you to configure RST on a per port basis. Specify the values and click the apply button for your specifications to take effect.

Table 6-9. RSTP Timers Configuration Fields (continued)

Hello Time Interval between the sending of hello messages to other switches.

Default value: 2 seconds

Valid range: 1-2 seconds

Section 6.6.5

Section 6.4.1

Forward Delay The length of time the bridge waits after any state or topology change before forwarding the information to the network.

Default value: 15 seconds

Valid range: 4-30 seconds

Section 6.6.5

Section 6.4.1
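Each field in Table 6-9 has its own valid range, but the three timers also constrain one another. The following check is an added example, not INOS code: the ranges and defaults are copied from Table 6-9, while the relation 2 × (Forward Delay − 1) ≥ Max Age ≥ 2 × (Hello Time + 1) comes from IEEE 802.1D and is an assumption here, since this table does not state it. The function name and keyword names are hypothetical.

```python
# name: (minimum, maximum, default), copied from Table 6-9.
RANGES = {
    "priority": (0, 65535, 32768),
    "tx_hold_count": (1, 10, 3),
    "max_age": (6, 40, 20),
    "hello_time": (1, 2, 2),
    "forward_delay": (4, 30, 15),
}


def check_rstp_timers(**overrides):
    """Return a list of problems for a proposed RSTP timer configuration.

    Fields that are not passed keep the Table 6-9 default.
    An empty list means the combination is acceptable.
    """
    unknown = sorted(set(overrides) - set(RANGES))
    if unknown:
        raise ValueError("unknown field(s): " + ", ".join(unknown))

    cfg = {name: default for name, (_, _, default) in RANGES.items()}
    cfg.update(overrides)
    problems = []

    # Per-field range checks, as listed in the table.
    for name, (low, high, _) in RANGES.items():
        if not low <= cfg[name] <= high:
            problems.append(f"{name}={cfg[name]} is outside {low}-{high}")

    # Table 6-9: priority is 0 or a number divisible by 4096.
    if cfg["priority"] % 4096:
        problems.append(f"priority={cfg['priority']} is not a multiple of 4096")

    # Cross-field relation from IEEE 802.1D (assumption, not in the table).
    if cfg["max_age"] < 2 * (cfg["hello_time"] + 1):
        problems.append("max_age must be >= 2 x (hello_time + 1)")
    if cfg["max_age"] > 2 * (cfg["forward_delay"] - 1):
        problems.append("max_age must be <= 2 x (forward_delay - 1)")

    return problems


if __name__ == "__main__":
    # Every value below is inside its own range, yet the pair is inconsistent.
    for problem in check_rstp_timers(max_age=40, forward_delay=15):
        print(problem)
```

Raising Max Age to 40 is only consistent once Forward Delay is at least 21 seconds, which a field-by-field range check does not reveal.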

Table 6-10. RSTP Port Configuration Fields

Parameter Description See Also

Select You must click a selection button before configuring a port.

Port Lists ports available for configuration.


Table 6-10. RSTP Port Configuration Fields (continued)

Port Role The current role of the port for the spanning tree instance. The values can be:

• Disabled — The port does not take part in the spanning tree process.

• Alternate — The port acts as an alternate for the root port, is blocked and not used for traffic. (It will be enabled and become the root port if the current root port is blocked.)

• Backup — The port acts as a backup for a specific designated port. It is blocked and not used for traffic. (It will be enabled and become the designated port if the active designated port is blocked.)

• Root — The port is used to forward data to the root bridge directly or through an upstream LAN segment.

• Designated — The port is used to send and receive packets to/from a specific downstream LAN segment/device. Only one designated port is assigned for each segment.

Section 6.2.3

Port Priority The priority value of this port.

Default value: 128

Valid range: 0-240 (Must be a multiple of 16.)

Section 6.2.3

Section 6.7.1

Section 6.6.7

RSTP Status Whether or not RSTP is enabled on this port.

Options: Enable | Disable

Section 6.6.2

Section 6.5

Path Cost A value used in measuring how “close” bridges are to one another. This value is the path cost that contributes to the path cost of paths containing this port.

The paths' path cost is used during calculation of shortest path to reach the root.

The path cost represents the distance between the root port and designated port. The value used will be, in order of preference:

1. The value you specifically configure. If this is not available then,

2. the value determined by a dynamic path cost calculation, if that option has been selected. If this is not available then,

3. the default value.

Default value: 200000

Valid range: 0-200000000

Section 6.7.1

Section 6.2.1

Section 6.10.1


Table 6-10. RSTP Port Configuration Fields (continued)

Protocol Migration

This value controls the protocol migration mechanism that enables the module to interoperate with legacy 802.1D switches.

Options are:

• True — Restarts the protocol migration process.

• False — The port always transmits the standard RSTP BPDUs.

Default value: False

Admin Edge Port The administrative Edge Port value.

Options are:

• True — Sets the port as an edge port; that is, a port that is directly connected to a single end station. The Port State is set to forwarding. This allows faster convergence by eliminating the wait to receive BPDUs.

• False — Sets the port as a non-edge port; that is, a port that is connected to a routing device. The spanning tree process is performed using RSTP.

If Auto Edge Detection is set to True (see below) the value of the Edge Port parameter will be automatically updated when a change is detected.

Default value: False

Section 6.7.2

Admin Point to Point

The link type for this port can be point to point or shared. This setting determines whether that status is determined automatically or is set to “True,” that is, that it is a point to point link, or “False,” a shared link.

Options: Auto | ForceTrue | ForceFalse

Section 6.2.4

Section 6.7.1

Auto Edge Detection

If True enable automatic detection of a bridge connected on the interface.

Options: True | False

Section 6.7.2

Restricted Role If True this port cannot be selected as the root port even if it has the best priority vector.

Options: True | False

Section 6.7.4

Restricted TCN If True this port will not propagate topology changes or received topology change notifications (TCNs) to other ports.

Options: True | False

Section 6.7.5

Bpdu Receive If True this port will process received BPDUs normally. If False this port will discard received BPDUs.

Options: True | False

Section 6.7.6


6.10.4 RSTP Port Status

In the GUI go to the Layer 2: Manager: RSTP: Port Status tab to view RSTP status information for all ports in the switch, as illustrated in Figure 6-13.

Figure 6-13. MSTP Port Settings Tab

Table 6-11 explains the meaning of the parameters displayed in the RSTP Port Status screen.

Table 6-10. RSTP Port Configuration Fields (continued)

Bpdu Transmit If True this port will transmit BPDUs. If False this port will not transmit BPDUs.

Options: True | False

Section 6.7.7

Loop Guard If True this port will be prevented from forming loops by going into a temporary loop-inconsistent state if its receipt of BPDUs is interrupted.

Options: True | False

Section 6.7.3

Table 6-11. RSTP Port Status Display

Parameter Description

Port The port ID.

Designated Root The unique identifier of the bridge that is identified as the segment root in the transmitted configuration BPDUs.

Designated Cost The Path Cost of the Designated Port of the segment connected to the port.

Designated Bridge

The unique identifier of the designated bridge for this port’s segment. The designated bridge is the only bridge that can transmit frames to and from the segment.

Designated Port The identifier of the port on the designated bridge for this port's segment. This is the port the designated bridge uses to exchange frames with this segment.


Table 6-11. RSTP Port Status Display (continued)

Type The operational Point-to-Point Status of the LAN segment attached to the port. The values can be:

• PointtoPoint — The port is treated as if it is connected to a point-to-point link.

• SharedLan — The port is treated as if it has a shared media connection.

You can specify the values or select Auto for the switch to determine the status.

Role The current role of the port for the spanning tree instance. The values can be:

• Disabled — The port does not take part in the spanning tree process.

• Alternate — The port acts as an alternate for the root port, is blocked and not used for traffic. (It will be enabled and become the root port if the current root port is blocked.)

• Backup — The port acts as a backup for a specific designated port. It is blocked and not used for traffic. (It will be enabled and become the designated port if the active designated port is blocked.)

• Root — The port is used to forward data to the root bridge directly or through an upstream LAN segment.

• Designated — The port is used to send and receive packets to/from a specific downstream LAN segment/device. Only one designated port is assigned for each segment.

Port State The current state of the port as defined by the common STP. The values can be:

• Disabled — The port does not take part in the spanning tree process.

• Discarding — The port is included in the STP process and is ready to learn addresses and forward data.

• Learning — The port is learning source addresses from received frames and storing them in the switching database to use when sending and receiving data.

• Forwarding — The port is sending and receiving data based on the formed loop-free spanning tree topology.


Chapter 7 LLDP

Link Layer Discovery Protocol (LLDP) is an internet protocol that enables network devices to advertise their identities and capabilities and to discover information about neighbor devices.

LLDP supports a formal set of attributes that, at a minimum, describe devices in terms of type, length, and value. These attributes are referred to as TLVs. TLV information is stored in specialized device Management Information Bases (MIBs) that are accessible via the Simple Network Management Protocol (SNMP). On detection of certain events or at the expiration of a prescribed interval TLV information is extracted from LLDP local system MIB storage, formatted, and sent to the LLDP transmission module to be advertised by an LLDP agent sending LLDP Data Units (LLDPDUs). These LLDPDUs are recognized by the LLDP agents of other sites on the network and stored in LLDP remote system MIBs at those sites.

The mandatory management TLVs are:

• Port description TLV

• System name TLV

• System description TLV

• System capabilities TLV

• Management address TLV

7.1 Configuring LLDP in the CLI

The following sections describe the commands used to configure LLDP functionality on the INOS command line interface.

7.1.1 Global Configuration of LLDP

The following CLI commands control LLDP configuration on all interfaces of the switch. These commands are available in Global Configuration mode, which is signified by the Magnum 10RX(config)# prompt and is entered by typing configure terminal in the opening Exec. Commands mode.

7.1.1.1 Enabling and Disabling LLDP

Use the set lldp command in Global Configuration mode to enable or disable LLDP functionality in the switch.

Command syntax:

set lldp {enable | disable}


Where:

enable — Transmits/receives the LLDP packets between LLDP module and the server.

disable — Does not transmit/receive the LLDP packets between LLDP module and the server.

Example:

Magnum 10RX(config)# set lldp enable

Default value: disable

Use the show lldp command to view LLDP globally configured values.

7.1.1.2 Configuring the LLDP Transmission Interval

Use the lldp transmit-interval command in Global Configuration mode to set the interval at which the server will send its identifying information from the local system MIB to the LLDP transmission module.

Command syntax:

lldp transmit-interval transval

Where:

transval is a numerical value specifying the number of seconds between transmission of TLVs describing this local system.

Example:

Magnum 10RX(config)# lldp transmit-interval 120

Default value: 30 seconds

Valid range: 5-32768

The no lldp transmit-interval command sets the interval to the default.

Use the show lldp command to view LLDP globally configured values.

7.1.1.3 Configuring the LLDP Holdtime Multiplier

Use the lldp holdtime-multiplier command in Global Configuration mode to control the length of time LLDP information is retained by a receiving device before it is discarded. This time is expressed as a multiple of the length of time configured with the lldp transmit-interval command.

Command syntax:

lldp holdtime-multiplier multval

Where:

multval is a numerical value specifying the length of time to cache LLDP information before discard, expressed as a multiple of the configured transmit-interval.


Example:

Magnum 10RX(config)# lldp holdtime-multiplier 5

Default value: 4

Note that the combination of the default transmit-interval value of 30 and the default holdtime-multiplier value of 4 results in a default hold time (or Time To Live, TTL) of 120 seconds.

Valid range: 2-10

The no lldp holdtime-multiplier command sets the interval to the default.

Use the show lldp command to view LLDP globally configured values.

7.1.1.4 Configuring the LLDP Reinitialization Delay

Use the lldp reinitialization-delay command in Global Configuration mode to specify the length of time to elapse after LLDP is disabled on a port before it can be reinitialized.

Command syntax:

lldp reinitialization-delay reinitval

Where:

reinitval is a numerical value specifying the number of seconds required to elapse between LLDP being disabled on a port and its reinitialization.

Example:

Magnum 10RX(config)# lldp reinitialization-delay 5

Default value: 2 seconds

Valid range: 1-10

The no lldp reinitialization-delay command sets the interval to the default.

Use the show lldp command to view LLDP globally configured values.

7.1.1.5 Configuring the LLDP Transmission Delay

Use the lldp tx-delay command in Global Configuration mode to specify the length of time to elapse between transmissions of advertisements that are initiated by changes in LLDP local information.

Command syntax:

lldp tx-delay delayval

Where:

delayval is a numerical value specifying the number of seconds that are to elapse between transmissions of advertisements initiated by changes to LLDP local information.

Note that the delayval value must be less than or equal to 0.25 × the value of transval configured with the transmit-interval command.


Example:

Magnum 10RX(config)# lldp tx-delay 7

Default value: 2 seconds

Valid range: 1-8192

The no lldp tx-delay command sets the interval to the default.

Use the show lldp command to view LLDP globally configured values.

7.1.1.6 Configuring the LLDP Notification Interval

Use the lldp notification-interval command in Global Configuration mode to set the time interval in which the local system generates a notification event. Notifications include SNMP traps, log messages and triggers. During the specified interval only a single notification can be sent.

Command syntax:

lldp notification-interval nival

Where:

nival is a numerical value specifying the time in seconds between the sending of notifications.

Example:

Magnum 10RX(config)# lldp notification-interval 30

Default value: 5 seconds

Valid range: 5-3600

The no lldp notification-interval command sets the interval to the default.

Use the show lldp command to view LLDP globally configured values.
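The timer commands in Sections 7.1.1.3 to 7.1.1.6 interact: the hold time is the product of two settings, and tx-delay is bounded by a quarter of the transmit interval. The following added example (not INOS or GarrettCom code) replays a planned set of global commands against the ranges and defaults given in this guide and reports violations before they reach a router. It assumes the transmit interval is set with `lldp transmit-interval`, takes the 65535-second TTL ceiling from IEEE 802.1AB rather than from this guide, and uses a constructed sample.

```python
import re

# Valid range and default for each global LLDP timer, as given in this guide:
# name -> (minimum, maximum, default). All are seconds except the multiplier.
LIMITS = {
    "transmit-interval": (5, 32768, 30),  # command name is an assumption
    "holdtime-multiplier": (2, 10, 4),
    "reinitialization-delay": (1, 10, 2),
    "tx-delay": (1, 8192, 2),
    "notification-interval": (5, 3600, 5),
}

# Largest value the 16-bit TTL field of an LLDPDU can carry (IEEE 802.1AB).
MAX_TTL = 65535

# Matches "[no] lldp <keyword> [<value>]" once any CLI prompt is stripped.
COMMAND_RE = re.compile(r"^(no\s+)?lldp\s+([a-z-]+)(?:\s+(\S+))?$")


def audit(config_text):
    """Apply global LLDP timer commands in order and report problems.

    Returns a dict with the effective "values", the resulting "hold_time"
    in seconds, and a list of human-readable "problems".
    """
    values = {name: default for name, (_, _, default) in LIMITS.items()}
    problems = []

    for lineno, raw in enumerate(config_text.splitlines(), 1):
        # Drop a leading prompt such as "Magnum 10RX(config)# ".
        line = raw.split("#", 1)[-1].strip()
        match = COMMAND_RE.match(line)
        if not match or match.group(2) not in LIMITS:
            continue  # not one of the global timer commands
        negated, name, arg = match.groups()
        low, high, default = LIMITS[name]
        if negated:
            values[name] = default  # the "no" form restores the default
        elif arg is None or not arg.isdigit():
            problems.append(f"line {lineno}: {name} needs a numeric value")
        elif not low <= int(arg) <= high:
            # An out-of-range value is reported and the previous value kept.
            problems.append(
                f"line {lineno}: {name} {arg} is outside the valid range {low}-{high}"
            )
        else:
            values[name] = int(arg)

    # Cross-field rule: tx-delay must not exceed 0.25 x transmit-interval.
    interval = values["transmit-interval"]
    if values["tx-delay"] > 0.25 * interval:
        problems.append(
            f"tx-delay {values['tx-delay']} exceeds 0.25 x transmit-interval "
            f"({0.25 * interval:g})"
        )

    # Hold time (TTL) = transmit-interval x holdtime-multiplier.
    hold_time = interval * values["holdtime-multiplier"]
    if hold_time > MAX_TTL:
        problems.append(
            f"hold time {hold_time} s does not fit the 16-bit TTL field (max {MAX_TTL})"
        )
    return {"values": values, "hold_time": hold_time, "problems": problems}


# Constructed sample input, not taken from a real device.
SAMPLE_CONFIG = """\
Magnum 10RX(config)# lldp transmit-interval 20
Magnum 10RX(config)# lldp holdtime-multiplier 5
Magnum 10RX(config)# lldp tx-delay 7
Magnum 10RX(config)# lldp reinitialization-delay 12
Magnum 10RX(config)# lldp notification-interval 30
Magnum 10RX(config)# no lldp notification-interval
"""

if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    print("hold time:", report["hold_time"], "seconds")
    for problem in report["problems"]:
        print("problem:", problem)
```

Lowering the transmit interval to 5 while leaving tx-delay at its default of 2 also trips the cross-field check, because 0.25 × 5 is 1.25.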

7.1.1.7 Configuring the LLDP Chassis ID Subtype

Use the lldp chassis-id-subtype command in Global Configuration to specify the type of ID used in the switch. Most of the available options require you only to specify the subtype; the system will derive the correct ID automatically. Three options, chassis-comp, port-comp, and local, require you to provide an identifying string. Specify only one of these options.

Command syntax:

lldp chassis-id-subtype {chassis-comp chasstring | if-alias | port-comp portstring | mac-addr | nw-addr | if-name | local localstring}

Where:

chassis-comp chasstring — The chassis-comp key word followed by a string of up to 255 characters specifies a chassis identifier based on the value of the entPhysicalAlias object for a chassis component in the entity MIB (part of the SNMP Network Management Framework).

if-alias — The if-alias key word specifies a chassis identifier based on the value of the ifAlias object in the interfaces group MIB (part of the SNMP Network Management Framework).

port-comp portstring — The port-comp key word followed by a string of up to 255 characters specifies a chassis identifier based on the value of the entPhysicalAlias object for a port or backplane within the chassis in the entity MIB.

mac-addr — A chassis identifier based on the MAC address as defined in IEEE Std. 802.

nw-addr — A chassis identifier based on a network address associated with a particular chassis.

if-name — A chassis identifier based on the value of the ifName object in the interfaces group MIB for an interface on the containing chassis.

local localstring — The local key word followed by a string of up to 255 alphanumeric characters specifies a user-supplied local ID.

Example:

Magnum 10RX(config)# lldp chassis-id-subtype chassis-comp garrettcomswitch

Default value: mac-addr

Use the show lldp command to view LLDP globally configured values.

Use the show lldp local command to view LLDP values configured for individual interfaces.

7.1.1.8 Clearing LLDP Counters

Use the clear lldp counters command in Global Configuration mode to clear the counters that keep a total count of LLDP frames transmitted and received.

Command syntax:

clear lldp counters

Example:

Magnum 10RX(config)# clear lldp counters

Use the show lldp traffic command to view LLDP counters on all interfaces or on a specified interface.

7.1.1.9 Clearing the LLDP Table

Use the clear lldp table command in Global Configuration to clear information stored about neighbors.

Command syntax:

clear lldp table


Example:

Magnum 10RX(config)# clear lldp table

Use the show lldp neighbors command to view LLDP neighbor information.

7.1.2 Interface-specific Configuration of LLDP

The following CLI commands control LLDP configuration on a specified interface. These commands are available in Interface Configuration mode, which is signified by the Magnum 10RX(config-if)# prompt and is entered by specifying an interface for configuration in Global Configuration mode. For example:

Magnum 10RX(config)# interface gi 3/1

Magnum 10RX(config-if)#

7.1.2.1 Enabling LLDP Transmit/Receive on an Interface

Use the lldp command in Interface Configuration mode to enable transmission or reception of LLDPDUs on the interface being configured.

Command syntax:

lldp {transmit | receive}

Where:

transmit enables transmission of LLDPDUs from a server interface to the LLDP module.

receive enables reception of LLDPDUs from a server interface to the LLDP module.

Example:

Magnum 10RX(config-if)# lldp transmit

Default value: transmission and reception are enabled.

The no lldp {transmit | receive} command disables transmission or reception on the interface.

Use the show lldp interface command to view LLDP configuration details.

7.1.2.2 Configuring LLDP Notifications on an Interface

Use the lldp notification command in Interface Configuration mode to configure notification of LLDP events. Notifications include SNMP traps, log messages and triggers. Notifications are sent to the Network Management System (NMS). You can specify that a notification is sent when a change occurs to a remote table, when a configuration error is detected, or in both cases.

Command syntax:

lldp notification [remote-table-chg] [mis-configuration]


Where:

remote-table-chg specifies that a trap notification is sent to NMS whenever a remote table change occurs.

mis-configuration specifies that a trap notification is sent to NMS whenever a mis-configuration is identified.

Example:

Magnum 10RX(config-if)# lldp notification remote-table-chg

Default value: mis-configuration

The no interface notification command disables LLDP event notification.

The frequency with which notifications are sent is configured with the lldp notification-interval command. See Section 7.1.1.6.

Use the show lldp interface command to view LLDP configuration details.

7.1.2.3 Specifying Basic TLV Settings on a Port

Use the lldp tlv-select basic-tlv command in Interface Configuration mode to specify the mandatory TLVs to include in the transmission of LLDPDUs from this interface.

Command syntax:

lldp tlv-select basic-tlv {[port-descr] [sys-name] [sys-descr] [sys-capab] [mgmt-addr {all | ipv4 addr}]}

Where:

port-descr specifies that the port description TLV (slot number/port number ID) for this port will be transmitted.

sys-name specifies that the system name TLV will be transmitted.

sys-descr specifies that the system description TLV will be transmitted.

sys-capab specifies that the system capabilities TLV will be transmitted.

mgmt-addr specifies that a management address TLV will be transmitted:

all specifies that all available management addresses will be transmitted.

ipv4 addr specifies that the management address specified by addr will be transmitted.

Example:

Magnum 10RX(config-if)# lldp tlv-select basic-tlv port-descr mgmt-addr all

The no lldp tlv-select basic-tlv tlvspec disables transmission of the TLV specified by tlvspec.

Use the show lldp local command to view LLDP values configured for individual interfaces.


7.1.2.4 Configuring an ID for LLDP Port Subtype

Use the lldp port-id-subtype command in Interface Configuration to specify a port subtype ID. Most of the available options require you only to specify the subtype; the system will derive the correct ID automatically. Two options, port-comp, and local, require you to provide an identifying string. Specify only one of these options.

Command syntax:

lldp port-id-subtype {if-alias | port-comp portstring | mac-addr | if-name | local localstring}

Where:

if-alias — The if-alias key word specifies a port identifier based on the value of the ifAlias object in the interfaces group MIB (part of the SNMP Network Management Framework).

port-comp portstring — The port-comp key word followed by a string of up to 255 characters specifies a port identifier based on the value of the entPhysicalAlias object for a port or backplane within the chassis in the entity MIB.

mac-addr — A port identifier based on the MAC address as defined in IEEE Std. 802.

if-name — A port identifier based on the value of the ifName object in the interfaces group MIB for an interface on the containing chassis.

local localstring — The local key word followed by a string of up to 255 alphanumeric characters specifies a user-supplied local ID.

Example:

Magnum 10RX(config-if)# lldp port-id-subtype mac-addr

Default value: if-alias

Use the show lldp local command to view LLDP values configured for individual interfaces.

7.1.2.5 Configuring Transmission of dot1 TLVs on an Interface

Use the lldp tlv-select dot1tlv command in Interface Configuration mode to configure the transmission of dot1 TLVs on the port. Dot1 TLVs contain VLAN-specific information.

Command syntax:

lldp tlv-select dot1tlv {[port-vlan-id] [protocol-vlan-id {all | vlanid}] [vlan-name {all | vlanname}]}

Where:

port-vlan-id — This key word specifies the VLAN ID associated with this port and its protocols.

protocol-vlan-id — This key word specifies the ID of a group of protocols associated with a VLAN and this port.


all specifies transmission of all available values of IDs.

vlanid transmits a single specified VLAN ID.

vlan-name — This key word specifies an administratively assigned string identifying the VLAN.

all specifies transmission of all available values of VLAN names.

vlanname transmits a single specified VLAN name.

Example:

Magnum 10RX(config-if)# lldp tlv-select dot1tlv port-vlan-id protocol-vlan-id 42

The no lldp tlv-select dot1tlv tlvspec disables transmission of the TLV specified by tlvspec.

Use the show lldp local command to view LLDP values configured for individual interfaces.

7.1.2.6 Configuring Transmission of dot3 TLVs Subtypes on an Interface

Use the lldp tlv-select dot3tlv command in Interface Configuration mode to configure the transmission of dot3 TLVs on the port.

Command syntax:

lldp tlv-select dot3tlv {[macphy-config] [link-aggregation] [max-framesize]}

Where:

macphy-config — Specifies that the physical MAC configuration be transmitted in the LLDPDU.

link-aggregation — Specifies that the link aggregation protocol statistics be transmitted in the LLDPDU.

max-framesize — Specifies that the maximum frame size be transmitted in the LLDPDU.

Example:

Magnum 10RX(config-if)# lldp tlv-select dot3tlv macphy-config

The no lldp tlv-select dot3tlv tlvspec disables transmission of the TLV specified by tlvspec.

Use the show lldp local command to view LLDP values configured for individual interfaces.
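To review what a set of interface commands from Sections 7.1.2.1 to 7.1.2.6 causes each port to advertise, the following added example (not INOS or GarrettCom code) replays a CLI transcript and lists the management-address and VLAN TLVs explicitly selected on ports that still transmit. It assumes that gi abbreviates gigabitethernet, and it tracks only explicitly entered selections because this guide does not state which TLVs are sent by default; the transcript is constructed.

```python
# Keywords from the command syntax in Sections 7.1.2.3, 7.1.2.5 and 7.1.2.6.
# True marks a keyword that is followed by an argument.
TLV_KEYWORDS = {
    "basic-tlv": {"port-descr": False, "sys-name": False, "sys-descr": False,
                  "sys-capab": False, "mgmt-addr": True},
    "dot1tlv": {"port-vlan-id": False, "protocol-vlan-id": True,
                "vlan-name": True},
    "dot3tlv": {"macphy-config": False, "link-aggregation": False,
                "max-framesize": False},
}


def parse_tlvs(family, tokens):
    """Turn the tokens after the family name into {keyword: argument or None}."""
    known = TLV_KEYWORDS[family]
    selected, i = {}, 0
    while i < len(tokens):
        word = tokens[i]
        if word not in known:
            raise ValueError(f"unknown {family} keyword: {word}")
        i += 1
        arg = None
        if known[word] and i < len(tokens) and tokens[i] not in known:
            arg = tokens[i]
            i += 1
            if arg == "ipv4" and i < len(tokens):  # "mgmt-addr ipv4 addr"
                arg = tokens[i]
                i += 1
        selected[word] = arg
    return selected


def advertised(transcript):
    """Replay a transcript; return {interface: {"transmit": bool, "tlvs": {...}}}."""
    interfaces, current = {}, None
    for raw in transcript.splitlines():
        # Drop a leading prompt such as "Magnum 10RX(config-if)# ".
        tokens = raw.split("#", 1)[-1].split()
        negated = tokens[:1] == ["no"]
        if negated:
            tokens = tokens[1:]
        if tokens[:1] == ["interface"] and len(tokens) >= 3 and not negated:
            # Assumption: "gi" is an accepted abbreviation of "gigabitethernet".
            kind = tokens[1]
            if "gigabitethernet".startswith(kind):
                kind = "gigabitethernet"
            # Transmission is enabled by default (Section 7.1.2.1).
            current = interfaces.setdefault(
                f"{kind} {tokens[2]}",
                {"transmit": True, "tlvs": {f: {} for f in TLV_KEYWORDS}},
            )
        elif current is None or tokens[:1] != ["lldp"]:
            continue
        elif tokens[1:] == ["transmit"]:
            current["transmit"] = not negated
        elif (len(tokens) > 3 and tokens[1] == "tlv-select"
              and tokens[2] in TLV_KEYWORDS):
            family = tokens[2]
            chosen = parse_tlvs(family, tokens[3:])
            if negated:  # "no lldp tlv-select <family> tlvspec"
                for keyword in chosen:
                    current["tlvs"][family].pop(keyword, None)
            else:
                current["tlvs"][family].update(chosen)
    return interfaces


def exposure_report(transcript):
    """List (interface, item) pairs for management and VLAN details sent."""
    rows = []
    for name, state in sorted(advertised(transcript).items()):
        if not state["transmit"]:
            continue  # no LLDPDUs leave this port
        for family, keys in (("basic-tlv", ["mgmt-addr"]),
                             ("dot1tlv", list(TLV_KEYWORDS["dot1tlv"]))):
            for key in keys:
                if key in state["tlvs"][family]:
                    arg = state["tlvs"][family][key]
                    rows.append((name, key if arg is None else f"{key} {arg}"))
    return rows


# Constructed sample transcript, not captured from a real device.
SAMPLE_TRANSCRIPT = """\
Magnum 10RX(config)# interface gi 3/1
Magnum 10RX(config-if)# lldp tlv-select basic-tlv port-descr mgmt-addr all
Magnum 10RX(config-if)# lldp tlv-select dot1tlv port-vlan-id protocol-vlan-id 42
Magnum 10RX(config-if)# no lldp tlv-select dot1tlv port-vlan-id
Magnum 10RX(config)# interface gi 3/2
Magnum 10RX(config-if)# lldp tlv-select basic-tlv sys-name mgmt-addr ipv4 192.168.1.1
Magnum 10RX(config-if)# no lldp transmit
"""

if __name__ == "__main__":
    for interface, item in exposure_report(SAMPLE_TRANSCRIPT):
        print(f"{interface}: advertises {item}")
```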

7.1.3 Displaying LLDP Information

The CLI commands described below enable you to display information about the LLDP configuration and performance. These commands are executed in Exec Commands mode at the Magnum 10RX# prompt.


7.1.3.1 show lldp

Use the show lldp command to display LLDP global configuration details.

Example:

Magnum 10RX# show lldp

7.1.3.2 show lldp interface

Use the show lldp interface command to display information about interfaces where LLDP is enabled.

Command syntax:

show lldp interface [gigabitethernet ifid]

Where:

The command entered without parameters displays information about all interfaces.

gigabitethernet ifid specifies a single interface for display.

Example:

Magnum 10RX# show lldp interface gigabitethernet 3/1

7.1.3.3 show lldp neighbors

Use the show lldp neighbors command to display information about neighbors on an interface or all interfaces.

Command syntax:

show lldp neighbors [chassis-id ch_string] [gigabitethernet ifid] [detail]

Where:

The command entered without parameters displays information about all interfaces.

ch_string specifies a chassis identifier.

ifid specifies a port.

detail specifies information obtained from all TLVs received.

Example:

Magnum 10RX# show lldp neighbors detail

7.1.3.4 show lldp traffic

Use the show lldp traffic command to display LLDP counters on all interfaces or on a specific interface.

Command syntax:

show lldp traffic [gigabitethernet ifid]

Where:


The command entered without parameters displays information about all interfaces.

ifid specifies a port.

Example:

Magnum 10RX# show lldp traffic gigabitethernet 3/1

7.1.3.5 show lldp local

Use the show lldp local command to display the current switch information that will be used to populate outbound LLDP advertisements for a specific interface or all interfaces.

Command syntax:

show lldp local {[gigabitethernet ifid] | [mgmt-addr]}

Where:

The command entered without parameters displays information about all interfaces.

ifid specifies a port.

mgmt-addr specifies all the management addresses configured in the system and Tx enabled ports.

Example:

Magnum 10RX# show lldp local

7.1.3.6 show lldp errors

Use the show lldp errors command to display information about errors such as memory allocation failures, queue overflows and table overflow.

Example:

Magnum 10RX# show lldp errors

7.1.3.7 show lldp statistics

Use the show lldp statistics command to display LLDP remote table statistics information.

Example:

Magnum 10RX# show lldp statistics

• Management address TLV


7.2 Configuring LLDP in the GUI

The following sections describe the configuration of LLDP in the INOS graphical User Interface.

7.2.1 LLDP Global Configuration

In the GUI go to the Layer 2: Manager: LLDP: Global Settings tab to enable LLDP functionality, as illustrated in Figure 7-1.

Figure 7-1. LLDP Global Configurations Screen

The LLDP Global Configurations screen enables you to enable or disable LLDP in the system. Click the Apply button to execute your selection.

Table 7-1. LLDP Global Configuration Fields

Parameter | Description | See Also
Global Status | The mode of LLDP in the system. Enabled — Specifies that all the resources required by the LLDP module are allocated and that LLDP is supported in the device on all ports. Disabled — Specifies that LLDP is shut down in the device on all ports and any allocated resources are released. | Section 7.1.1.1

7.2.2 LLDP Basic Settings

In the GUI go to the Layer 2: Manager: LLDP: Basic Settings tab to configure timing settings and identifiers, as illustrated in Figure 7-2.

Figure 7-2. LLDP Basic Settings Screen

In the LLDP Basic Settings screen specify the timing of various actions and provide an identifier for this device. Click the Apply button to execute your selections.

Table 7-2. LLDP Basic Settings Fields

Parameter | Description | See Also
Transmit Interval | Sets the interval at which the server will send its identifying information from the local system MIB to the LLDP transmission module. Default value: 30 seconds. Valid range: 5-32768 | Section 7.1.1.2
Holdtime Multiplier | The length of time LLDP information is retained by a receiving device before it is discarded. This time is expressed as a multiple of the length of time specified in the Transmit Interval field. Default value: 4. Valid range: 2-10 | Section 7.1.1.3
Reinitialization Delay | Specifies the length of time to elapse after LLDP is disabled on a port before it can be reinitialized. Default value: 2 seconds. Valid range: 1-10 | Section 7.1.1.4
Tx Delay | Specifies the length of time to elapse between transmissions of advertisements that are initiated by changes in LLDP local information. Default value: 2 seconds. Valid range: 1-8192 | Section 7.1.1.5
Notification Interval | Sets the time interval in which the local system generates a notification event. Default value: 5 seconds. Valid range: 5-3600 | Section 7.1.1.6
Chassis Id | The chassis identifier. With most subtypes the system will derive the correct ID automatically. Three subtypes, Chassis Component, Port Component, and Local, require you to provide an identifying string. | Section 7.1.1.7
Chassis ID Subtype | Specifies the type of ID used in the switch. Options are: • Chassis Component — The chassis-comp key word followed by a string of up to 255 characters specifies a chassis identifier based on the value of the entPhysicalAlias object for a chassis component in the entity MIB (part of the SNMP Network Management Framework). • Interface Alias — The if-alias key word specifies a chassis identifier based on the value of the ifAlias object in the interfaces group MIB (part of the SNMP Network Management Framework). • Port Component — The port-comp key word followed by a string of up to 255 characters specifies a chassis identifier based on the value of the entPhysicalAlias object for a port or backplane within the chassis in the entity MIB. • MAC Address — A chassis identifier based on the MAC address as defined in IEEE Std. 802. • Network Address — A chassis identifier based on a network address associated with a particular chassis. • Interface Name — A chassis identifier based on the value of the ifName object in the interfaces group MIB for an interface on the containing chassis. • Local — The local key word followed by a string of up to 255 alphanumeric characters specifies a user-supplied local ID. | Section 7.1.1.7

7.2.3 LLDP Interface Settings

In the GUI go to the Layer 2: Manager: LLDP: Interfaces tab to configure specific ports for LLDP functioning, as illustrated in Figure 7-3.

Figure 7-3. LLDP Interface Settings Screen

In the LLDP Interface Settings screen the upper dialog box enables you to specify an IP address for a previously configured interface. Click the Modify button and this interface information will be displayed along with any other configured interfaces in the lower dialog box, which also enables editing of some previously configured values.

Table 7-3. LLDP Interface Settings Fields

Parameter | Description | See Also
Select | You must click a selection button before modifying a configuration. |
Port | Specifies the port under configuration. | Section 7.1.2
Tx State | Enable/disable transmission of LLDPDUs from a server interface to the LLDP module. | Section 7.1.2.1
Rx State | Enable/disable reception of LLDPDUs from a server interface to the LLDP module. | Section 7.1.2.1
Tx SEM State | Displays current status of the TX state event machine. |
Rx SEM State | Displays current status of the RX state event machine. |
Notification Status | Enables/disables notification. | Section 7.1.2.2
Notification Type | Configure notification of LLDP events. Notifications include SNMP traps, log messages and triggers. Notifications are sent to the Network Management System (NMS). Options are: • Mis-config — specifies that a trap notification is sent to NMS whenever a mis-configuration is identified. • Remote-Table-Change — specifies that a trap notification is sent to NMS whenever a remote table change occurs. • Both — a notification is sent whenever either of the above conditions is met. | Section 7.1.2.2

7.2.4 LLDP Neighbor Information

In the GUI go to the Layer 2: Manager: LLDP: Neighbors tab to display information about LLDP neighbors, as illustrated in Figure 7-4.

Figure 7-4. LLDP Neighbor Information Screen

In the LLDP Neighbor Information screen you can view basic information about LLDP neighbors. Click Clear LLDP Neighbors to delete the display of information.

Table 7-4. LLDP Neighbor Information Display

Parameter | Description | See Also
Chassis ID | Displays a neighbor’s chassis ID. | Section 7.1.1.7
Local Interface | Identifies the local port on which the neighbor information is learned. |
Hold Time | Displays the Hold Time advertised by this neighbor. | Section 7.1.1.3
Capability | Displays the capabilities (such as bridge, router, telephone, etc.) advertised by this neighbor. |
Port ID | Displays the Port ID advertised by this neighbor. |

7.2.5 LLDP Basic TLV Settings

In the GUI go to the Layer 2: Manager: LLDP: Basic TLV Settings tab to specify the mandatory TLVs to include in the transmission of LLDPDUs from this interface, as illustrated in Figure 7-5.

Figure 7-5. LLDP Basic TLV Settings Screen

In the LLDP Basic TLV Settings screen you can specify the information to be transmitted by the selected interface. A specification of Enabled means that the information defined by that column heading will be included. Click Apply for your specifications to take effect.

See also Section 7.1.2.3.

Table 7-5. LLDP Basic TLV Settings

Parameter | Description
Select | You must click a selection button before modifying a configuration.
Interface ID | A list of available gigabitethernet interfaces.
Port Description | Enabled specifies that the port description TLV (slot number/port number ID) for this port will be transmitted.
System Name | Enabled specifies that the system name TLV will be transmitted.
System Description | Enabled specifies that the system description TLV will be transmitted.
System Capabilities | Enabled specifies that the system capabilities TLV will be transmitted.
Management Address | Enabled specifies that a management address TLV will be transmitted. The All keyword specifies that all management addresses will be included or you can specify an IPv4 address.

7.2.6 LLDP DOT1 TLV Settings

In the GUI go to the Layer 2: Manager: LLDP: DOT1 TLV Settings tab to configure the transmission of DOT1 TLVs on the port, as illustrated in Figure 7-6. DOT1 TLVs contain VLAN-specific information.

Figure 7-6. LLDP DOT1 TLV Settings Screen

In the LLDP DOT1TLV Settings screen you can specify VLAN information to be transmitted by the selected interface. A specification of Enabled means that the information defined by that column heading will be included. Click Apply for your specifications to take effect.

See also Section 7.1.2.5.

Table 7-6. LLDP DOT1 TLV Settings Fields

Parameter | Description
Select | You must click a selection button before modifying a configuration.
Interface ID | A list of available gigabitethernet interfaces.
Port VLAN | Enabled specifies the VLAN ID associated with this port and its protocols will be transmitted.
Protocol VLAN | Enabled specifies the ID of a group of protocols associated with a VLAN and this port will be transmitted. The keyword All specifies transmission of all available values of IDs or use a comma separated list of configured VLAN IDs.
VLAN Name | Enabled specifies an administratively assigned string identifying the VLAN will be transmitted. The keyword All specifies transmission of all available VLAN names or use a comma separated list of configured VLAN names.

7.2.7 LLDP DOT3 TLV Settings

In the GUI go to the Layer 2: Manager: LLDP: DOT3 TLV Settings tab to configure the transmission of DOT3 TLVs on the port, as illustrated in Figure 7-7. DOT1 TLVs contain VLAN-specific information.

Figure 7-7. LLDP DOT3 TLV Settings Screen

In the LLDP DOT3 TLV Settings screen you can specify the information to be transmitted by the selected interface. A specification of Enabled means that the information defined by that column heading will be included. Click Apply for your specifications to take effect.

See also Section 7.1.2.6.

Table 7-7. LLDP DOT3TLV Settings Fields

Parameter | Description
Select | You must click a selection button before modifying a configuration.
Interface ID | A list of available gigabitethernet interfaces.
MAC PHY Config | Enabled specifies that the physical MAC configuration be transmitted in the LLDPDU.
Link Aggregation | Enabled specifies that the link aggregation protocol statistics be transmitted in the LLDPDU.
Max Framesize | Enabled specifies that the maximum frame size be transmitted in the LLDPDU.

Chapter 8 IP Addressing and Static Routing

This chapter describes the INOS commands available to support configuration of interface IP addresses and static routes.

8.1 Configuring IP Addresses

Interfaces that can be configured as IP interfaces are:

• gigabitethernet

• vlan

• ppp

• mlppp

• loopback

• fr-pvc

• tunnel

8.1.1 Specifying an Interface for Configuration

Use the interface command in Global Configuration mode to specify an interface type and ID and to enter Interface Configuration mode, signaled by the Magnum 10RX(config-if)# prompt.

Command syntax:

interface {gigabitethernet | vlan | ppp | mlppp | loopback | fr-pvc | tunnel} ID

Where:

ID is an integer or integer combination uniquely identifying the interface.

Example:

Magnum 10RX(config)# interface vlan 1

Magnum 10RX(config-if)#

Valid ranges:

gigabitethernet port number/slot number combination — 1-10, 1-4

VLAN — 1-4094

ppp — 1-16

mlppp — 1-16

loopback — 0-9

fr-pvc — 1-2048

tunnel — 1-32

NOTE: an Ethernet interface cannot have a configured IP address unless it is a router port; that is, unless it is configured using the no switchport command as described in Section 4.0.2.2.

The no interface type ID command in Global Configuration mode deletes configuration of the specified interface.

The show interface type ID command in Exec Commands mode displays information about the specified interface.

8.1.2 Configuring an IP Address in the CLI

Use the ip address command in Interface Configuration mode to assign an IP address to the interface being configured.

Command syntax:

ip address addr mask [secondary]

Where:

addr is an IP address in IPv4 format.

mask is a subnet mask.

secondary is a keyword specifying that this address is in addition to a primary address.

Example:

The commands illustrated in Figure 8-1 configure the VLAN 1 interface with a primary and a secondary IP address.

Magnum 10RX(config)# interface vlan 1

Magnum 10RX(config-if)# no switchport

Magnum 10RX(config-if)# ip address 192.168.1.1 255.255.255.0

Magnum 10RX(config-if)# ip address 192.168.2.1 255.255.255.0 secondary

Figure 8-1. assigning IP addresses to an interface

The no ip address command in Interface Configuration mode deletes the IP address from the interface under configuration.

The show interface type ID command in Exec Commands mode displays information about the specified interface.

8.1.3 Configuring an IP Address in the GUI

In the GUI go to the Layer 3 Management: IP: IP Addr tab to assign an IP address to an interface, as illustrated in Figure 8-2.

Figure 8-2. assigning an IP address to an interface

In the IPv4 Interface Settings screen the upper dialog box enables you to specify an IP address for a previously configured interface. Click the Modify button and this interface information will be displayed along with any other configured interfaces in the lower dialog box, which also enables editing of some previously configured values.

Table 8-1. Loopback Basic Settings Configuration Fields

| Parameter | Description |
|---|---|
| Select | You must click the radio button of the interface to be configured. |
| Interface | The identifiers of configured interfaces. |
| IP Address | The IP address of this interface. |
| Subnet Mask | The subnet mask of this interface. |
| Broadcast Address | The broadcast address of this interface. |
| Address Type | Type may be Primary or Secondary. |

8.1.4 Configuring a VLAN Interface in the GUI

In the GUI go to the Layer 3 Management: IP: VLAN Interfaces tab to assign an IP address to an interface, as illustrated in Figure 8-3.


Figure 8-3. configuring a VLAN interface

In the VLAN Interface Basic Settings screen the upper dialog box enables you to specify and to configure a virtual interface. Click the Create button and this interface information will be displayed along with any other configured interfaces in the lower dialog box, which also enables editing of some previously configured values.

Table 8-2. Loopback Basic Settings Configuration Fields

| Parameter | Description |
|---|---|
| Select | In the lower dialog box you must click the radio button of the interface to be configured. |
| VLAN Interface | A numerical identifier for this VLAN. Valid range: 1-4094 |
| Admin State | The Administrative State may be either Up (enabled) or Down (disabled). The interface IP address must have been configured for this state to be Up. |
| IPv4 Enabled State | The IPv4 Enabled State may be either Up (IPv4 is enabled on this interface) or Down (IPv4 is disabled on this interface). |
| Oper State | The Operating State may be either Up or Down. An Up state indicates that the interface is operationally up and ready to transmit and receive. |
| MTU | The Maximum Transmission Unit. The MTU for the interface as shown to the higher interface sub-layer (this value should not include the encapsulation or header added by the interface). If IP is operating over the interface, then this value indicates the IP MTU over this interface. To change the MTU of the interface first set the interface to administratively Down, make the change and reset it to Up. Valid range: 68-1500 |

8.1.5 Configuring a Loopback Interface in the CLI

Use the interface loopback command in Global Configuration mode to enter Interface Configuration mode and assign an IP address to a loopback interface.

Command syntax:

interface loopback loopid

Where:

loopid is a numerical value identifying the loopback interface to be configured.

Example:

The commands illustrated in Figure 8-4 specify, in Global Configuration mode, a loopback interface 1 to be configured and, in Interface Configuration mode, an IP address and subnet mask for that interface.

Magnum 10RX(config)# interface loopback 1

Magnum 10RX(config-if)# ip address 192.168.2.1 255.255.255.255

Magnum 10RX(config-if)# no shutdown

Magnum 10RX(config-if)# exit

Figure 8-4. configuring a loopback interface in the CLI

The no interface loopback loopid command in Global Configuration mode deletes the configured loopback interface specified by loopid.

Valid range: 0-9

The show interface loopback ID command in Exec Commands mode displays information about the specified interface.

8.1.6 Configuring a Loopback Interface in the GUI

In the GUI go to the Layer 3 Management: IP: Loopbacks tab to configure a loopback interface, as illustrated in Figure 8-5.


Figure 8-5. configuring a loopback interface in the GUI

In the Loopback Basic Settings Configuration screen the upper dialog box enables you to specify a new loopback interface. Click the Create button and this interface will be displayed along with any other configured loopback interfaces in the lower dialog box, which also enables editing of some previously configured values.

Table 8-3. Loopback Basic Settings Configuration Fields

| Parameter | Description |
|---|---|
| Select | You must click the radio button of the interface to be configured. |
| Loopback Interface | The IDs of configured loopback interfaces. Valid range: 0-9 |
| Interface Status | Interface status can be Up (active) or Down (inactive). |
| IP Address | The IP address of this loopback interface. |
| Subnet Mask | The subnet mask of this loopback interface. |
| Broadcast Address | The broadcast address of this loopback interface. |

8.2 Configuring Static Routing in the CLI

In configuring static routing you manually add routes to the routing table by specifying a path from the current device to a “next hop” to a destination. Unlike dynamically created routes, these fixed routes are not updated by new information from other routers. In the event of a network change or connection failure, traffic can be lost or delayed. However, static routing is useful for specifying some paths, such as that to a default gateway.


8.2.1 Configuring Static IPv4 Routes

Specify a static route using the ip route command to specify a destination and a next hop toward that destination or an interface directly connected to a next hop.

Command syntax:

ip route ipaddress mask {nh_address | gigabitethernet ifid | vlan vid | ppp pppid | mlppp mlpppid | fr-pvc frpvcid | tunnel tunid | distance} | [private]

Where:

ipaddress is the IP address of the route destination.

mask is the subnet mask for the IP address. This is a 32-bit number which is used to divide the IP address into network address and host address.

nh_address is the IP address or IP alias of the next hop that can be used to reach the destination.

ifid following the keyword gigabitethernet, a specification of the next hop as a destination slot and port number separated by a slash, for example: 5/1.

vid following the keyword vlan, a value specifying the next hop as a specific VLAN created / to be created. This value ranges between 1 and 4094.

pppid following the keyword ppp, a value specifying the next hop as a specific PPP interface. This value ranges between 1 and 16.

mlpppid following the keyword mlppp, a value specifying the next hop as a specific MLPPP interface. This value ranges between 1 and 16.

frpvcid following the keyword fr-pvc, a value specifying the next hop as a specific fr-pvc interface. This value ranges between 1 and 2048.

tunid following the keyword tunnel, a value specifying the next hop as a specific tunnel interface. This value ranges between 1 and 32.

distance is a numerical value for the administrative distance, which is a measure of confidence in the route. This value ranges between 1 and 255.

private is a keyword specifying that this route cannot be redistributed to other routing protocols.

Example:

Magnum 10RX(config)# ip route 60.0.0.0 255.0.0.0 50.0.0.10

This command specifies that the destination specified with the IP address 60.0.0.0 and subnet mask 255.0.0.0 can be reached by a route for which the next hop is 50.0.0.10.
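A pre-deployment check for ip route lines, using the ID and distance ranges listed above. This is an added example, not INOS code; it assumes the distance value and the private keyword are optional trailing tokens, and the sample commands other than the guide's own are constructed.

```python
import ipaddress
import re

# Interface keyword -> valid ID range, as listed in Section 8.2.1.
ID_RANGES = {"vlan": (1, 4094), "ppp": (1, 16), "mlppp": (1, 16),
             "fr-pvc": (1, 2048), "tunnel": (1, 32)}


def mask_is_contiguous(mask_int):
    """True if the 32-bit mask is a run of 1 bits followed only by 0 bits."""
    inverted = mask_int ^ 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def check_ip_route(line):
    """Return the problems found in one 'ip route' command (empty list = clean)."""
    line = line.split("# ", 1)[-1]            # tolerate a leading CLI prompt
    tokens = line.split()
    if tokens[:2] != ["ip", "route"] or len(tokens) < 5:
        return ["not a complete 'ip route' command"]
    dest, mask, rest = tokens[2], tokens[3], tokens[4:]
    try:
        dest_int = int(ipaddress.IPv4Address(dest))
        mask_int = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError:
        return ["destination or mask is not a dotted IPv4 value"]

    problems = []
    if not mask_is_contiguous(mask_int):
        problems.append("mask %s is not contiguous" % mask)
    elif dest_int & ~mask_int & 0xFFFFFFFF:
        network = ipaddress.IPv4Address(dest_int & mask_int)
        problems.append("destination has host bits set; network is %s" % network)

    hop = rest.pop(0)
    if hop == "gigabitethernet":
        ifid = rest.pop(0) if rest else ""
        if not re.fullmatch(r"\d+/\d+", ifid):
            problems.append("gigabitethernet needs slot/port, for example 5/1")
    elif hop in ID_RANGES:
        low, high = ID_RANGES[hop]
        ident = rest.pop(0) if rest else ""
        if not ident.isdigit() or not low <= int(ident) <= high:
            problems.append("%s ID must be in %d-%d" % (hop, low, high))
    # Anything else is taken as nh_address: an IP address or an IP alias.

    for token in rest:                        # assumed optional trailing tokens
        if token == "private":
            continue
        if token.isdigit():
            if not 1 <= int(token) <= 255:
                problems.append("distance must be in 1-255")
        else:
            problems.append("unexpected token %r" % token)
    return problems


# First line is the guide's example; the rest are constructed for illustration.
SAMPLE = [
    "Magnum 10RX(config)# ip route 60.0.0.0 255.0.0.0 50.0.0.10",
    "ip route 60.1.0.0 255.0.0.0 50.0.0.10",
    "ip route 10.0.0.0 255.0.255.0 vlan 10",
    "ip route 10.2.0.0 255.255.0.0 tunnel 40",
    "ip route 10.3.0.0 255.255.0.0 vlan 20 300 private",
]

if __name__ == "__main__":
    for command in SAMPLE:
        print(command, "->", check_ip_route(command) or "ok")
```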


8.3 Configuring Static Routing in the GUI

In the GUI go to the Layer 3 Management: IP: IP route tab to configure a static route, as illustrated in Figure 8-6.

Figure 8-6. configuring a static route in the GUI

In the IP Route Configuration screen the upper dialog box enables you to specify a new static route. Click the Add button and this route will be displayed along with any other configured static routes in the lower dialog box, which also enables editing of some previously configured values.

Table 8-4. Loopback Basic Settings Configuration Fields

| Parameter | Description |
|---|---|
| Select | You must click the radio button of the interface to be configured. |
| Destination Network | The IP address of the route destination. |
| Subnet Mask | A subnet mask for the IP address. |
| Next Hop | The IP address or IP alias of the next hop that can be used to reach the destination. In the upper dialog box: if the Next Hop specification is Interface then the Interface field below is active and configured interfaces are available for selection from a drop-down menu; if the Next Hop specification is Gateway then the Gateway field below is active and available to receive an IP address for a gateway. |
| Gateway | The IP address of a gateway for the configured route. |
| Interface | The name of a configured interface to be used by this static route. |
| Distance | A numerical value for the administrative distance, which is a measure of confidence in the route. See Section 9.1.5. |
| Metric | The hop count metric for this destination. See Section 9.1.4. |
| Routing Protocol | The routing protocol implemented for this route. |

8.4 Configuring ARP

Address Resolution Protocol (ARP) associates an IP address with a Media Access Control (MAC) address. This creates connections between Layer 3 IP addressing and Layer 2 MAC addressing and enables you to address specific devices on your network. These mappings are kept in an ARP cache on each router, which is populated with information acquired through the ARP protocol. You can regulate some features of ARP access.

8.4.1 Configuring the ARP Cache Timeout

Set the ARP cache timeout value with the arp timeout command. The ARP timeout defines the time period a learned ARP entry remains in the cache. When a new timeout value is assigned only ARP entries subsequent to that assignment

The no form of this command sets the ARP cache timeout to its default value (1000).

Command syntax:

arp timeout secs

Where:

secs specifies the number of seconds new dynamic ARP entries will remain in the cache.

Example:

Magnum 10RX(config)# arp timeout 15000

This command specifies

Default value: 1000

Valid range: 30-86400

8.4.2 Configuring the ARP Request Maximum Retries

To configure the number of times to make an ARP request before deleting an unresolved ARP entry use the ip arp max-retries command.

Command syntax:

ip arp max-retries retnum

Where:

retnum is a number in the range 2-10 specifying the maximum number of ARP requests to make.

Example:

Magnum 10RX(config)# ip arp max-retries 5

Default value: 3

Valid range: 2-10


Chapter 9 RIP

Routing Information Protocol (RIP) is a widely-used protocol for managing router information within a self-contained network such as a corporate local area network or other interconnected group of LANs. RIP is an Interior Gateway Protocol (IGP) using the distance vector algorithm to define a best path. It determines a route based on the smallest hop count between source and destination. It has a limit of 15 hops.

While RIP is in wide use it does have significant limitations: it is vulnerable to looping, does not scale well, and is slow to converge. Many of these limitations are addressed by other routing protocols such as OSPF. You should analyze the needs of your network and adopt a routing scheme that serves those needs.

9.1 Configuring RIP in the CLI

The INOS RIP basic and advanced configuration tasks are described in the following sections.

9.1.1 Enabling and Disabling RIP

Use the router rip command in Global Configuration mode to enable RIP globally in the current device and to enter Router Configuration mode, signaled by the Magnum 10RX(config-router)# prompt. Executing the help command at this prompt will display a list of RIP-specific commands available in this mode.

Command syntax:

router rip

Example:

Magnum 10RX(config)# router rip

Magnum 10RX(config-router)#

The no router rip command disables RIP globally.

9.1.2 Configuring RIP on an Interface

To configure RIP on a specific interface (rather than globally on the device) use the network command from the Magnum 10RX(config-router)# prompt.

Command syntax:

network ipaddr


Where:

ipaddr specifies a network interface.

Example:

Magnum 10RX(config-router)# network 10.0.0.1

This command specifies interface 10.0.0.1 as the interface to be configured.

The no network ipaddr command disables RIP on the interface specified by ipaddr.

9.1.3 Configuring Redistribution

Use the redistribute command to redistribute routing information from routing domains other than RIP into the RIP routing domain. Networks commonly run more than one routing protocol, making it necessary to distribute routes obtained with one protocol into the domains of other protocols.

Command syntax:

redistribute {all | bgp | connected | ospf | static}

Where:

all specifies that all routes obtained by means other than the RIP protocol will be redistributed into the RIP domain.

bgp specifies that routes learned with the BGP protocol will be redistributed into the RIP domain.

connected specifies that any route that is a directly connected interface will be redistributed into the RIP domain.

ospf specifies that routes learned with the OSPF protocol will be redistributed into the RIP domain.

static specifies that static routes will be redistributed into the RIP domain.

Example:

Magnum 10RX(config-router)# redistribute static

This command specifies that routes that have been configured statically will be redistributed into the RIP domain.

The no redistribute spec command disables redistribution into RIP of information from the protocol specified by spec.

9.1.4 Configuring the Default Metric

Use the default-metric command in RIP Router configuration mode to set a default hop metric value to be used with all redistributed routes. This command is commonly used in conjunction with the redistribute command.

Command syntax:

default-metric n


Where:

n is a numerical value specifying a RIP metric.

Example:

Magnum 10RX(config-router)# default-metric 1

This command specifies that the default RIP metric is 1; that is, any redistributed routes will carry a metric of 1.

Valid range: 1-16

NOTE: Although 16 is a valid hop metric it is conventionally used to indicate that a destination is inaccessible. For accessible destinations the valid range is 1-15.

9.1.5 Specifying Administrative Distance

Use the distance command in RIP Router Configuration mode to specify the RIP administrative distance. When the same route prefix is learned from multiple sources the administrative distance value is used as a tie-breaker when selecting the active route. Setting the RIP administrative distance allows you to indicate the preference of routes learned via RIP relative to routes from other sources such as BGP, OSPF, or static configuration. The administrative distance value is in a range of 1-255. Lower values are preferred.

Command syntax:

distance dist-val

Where:

dist-val is a numerical value specifying the administrative distance for routes learned with the RIP protocol.

Example:

Magnum 10RX(config-router)# distance 10

This command sets the RIP administrative distance to 10, which makes the system prefer RIP routes (default distance of 120) over EBGP routes (default distance of 20).

Valid range: 1-255

Default value: 120

The standard default administrative distance values for routes learned in other protocols are listed in Table 9-1.

NOTE: An administrative distance value of 255 would indicate that no route supplied by this protocol should be trusted.
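Lowering the RIP distance changes which source owns every prefix that RIP also carries, so it is worth listing the affected prefixes before applying the command. The following added example (not INOS code) models the selection rule described above with the default distances of Table 9-1; the candidate routes and the lowercase source names are constructed.

```python
# Default administrative distances, copied from Table 9-1 of the guide.
DEFAULT_DISTANCE = {
    "connected": 0, "static": 1, "eigrp-summary": 5, "ebgp": 20,
    "eigrp-internal": 90, "igrp": 100, "ospf": 110, "is-is": 115,
    "rip": 120, "egp": 140, "odr": 160, "eigrp-external": 170,
    "ibgp": 200, "unknown": 255,
}


def active_routes(candidates, overrides=None):
    """Pick the active route per prefix: the lowest administrative distance wins.

    candidates: iterable of (prefix, source, next_hop) tuples.
    overrides:  {source: distance}; {"rip": 10} models 'distance 10'.
    A distance of 255 marks the source as untrusted, so it is never installed.
    Assumption: on a tie the candidate listed first is kept.
    """
    distance = {**DEFAULT_DISTANCE, **(overrides or {})}
    best = {}
    for prefix, source, next_hop in candidates:
        d = distance.get(source, DEFAULT_DISTANCE["unknown"])
        if d >= 255:
            continue
        if prefix not in best or d < best[prefix][0]:
            best[prefix] = (d, source, next_hop)
    return {prefix: (source, hop) for prefix, (_, source, hop) in best.items()}


def changed_by(candidates, overrides):
    """Prefixes whose active route changes once the overrides are applied."""
    before = active_routes(candidates)
    after = active_routes(candidates, overrides)
    return {prefix: (before.get(prefix), after.get(prefix))
            for prefix in sorted(set(before) | set(after))
            if before.get(prefix) != after.get(prefix)}


# Constructed candidate routes: each prefix is known from two sources.
CANDIDATES = [
    ("60.0.0.0/8", "ebgp", "50.0.0.10"),
    ("60.0.0.0/8", "rip", "192.168.1.2"),
    ("10.1.0.0/16", "ospf", "192.168.1.3"),
    ("10.1.0.0/16", "rip", "192.168.1.2"),
    ("172.16.0.0/16", "static", "192.168.1.4"),
    ("172.16.0.0/16", "rip", "192.168.1.2"),
]

if __name__ == "__main__":
    print("defaults:   ", active_routes(CANDIDATES))
    print("distance 10:", active_routes(CANDIDATES, {"rip": 10}))
    for prefix, (old, new) in changed_by(CANDIDATES, {"rip": 10}).items():
        print("%s moves from %s to %s" % (prefix, old, new))
```

With distance 10 the EBGP and OSPF prefixes move to the RIP next hop, while the static route (distance 1) keeps precedence.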

Table 9-1. Administrative Distance Values: Protocol Defaults

| Protocol | Value |
|---|---|
| Connected interface | 0 |
| Static route | 1 |
| EIGRP summary route | 5 |
| EBGP | 20 |
| Internal EIGRP | 90 |
| IGRP | 100 |
| OSPF | 110 |
| IS-IS | 115 |
| RIP | 120 |
| EGP | 140 |
| ODR | 160 |
| External EIGRP | 170 |
| Internal BGP | 200 |
| Unknown* | 255 |

9.1.6 Disabling and Enabling Auto-summarization

Auto-summarization of routes is a RIP feature by which routes to multiple subnets in the same network can be advertised with a single route specification. This feature is enabled by default.

RIPv1 always summarizes routes on classful network boundaries. RIPv2 uses variable subnet masks but by default will send summary routes based on classful subnet definitions if it advertises a classful network that has been subnetted. For example, 10.0.0.0 is a class A network with an 8 bit network address. If RIPv2 wishes to advertise the routes to 10.1.0.0/16 and 10.2.0.0/16, it will automatically summarize the two routes into a single advertisement for 10.0.0.0/8. Use the no auto-summary command to disable this summarization and have RIP send separate route advertisements for 10.1.0.0/16 and 10.2.0.0/16.

Command syntax:

auto-summary

Example:

Magnum 10RX(config-router)# auto-summary

This command enables auto-summarization.

The no auto-summary command disables auto-summarization.

Magnum 10RX(config-router)# no auto-summary

Default value: enabled

9.1.7 Configuring Update Source Validation

Use the validate-update-source command in RIP configuration mode to filter RIP packets from indirectly connected sources. If a RIP packet is received from a source that is not on the directly connected subnet of the receiving interface, the packet is dropped.

Command syntax:

validate-update-source

Example:

Magnum 10RX(config-router)# validate-update-source

9.1.8 Accessing Interface-specific RIP Commands

A number of RIP-related commands are accessed by specifying a previously configured interface in Global Configuration mode to produce the Magnum 10RX(config-if)# prompt. For example,

Magnum 10RX(config)# interface vlan1

Magnum 10RX(config-if)# ip rip xxx xxx

Figure 9-1. Accessing RIP Interface-specific Commands

The available RIP commands begin with ip or with ip rip. These commands are described in the subsections that follow.

9.1.9 Configuring to Install Default Route

Enable installation of the default route received in updates to the RIP database with the ip rip default route install command. This command is a RIP interface-specific command (See “Accessing Interface-specific RIP Commands”.)

Command syntax:

ip rip default route install

Example:

Magnum 10RX(config-if)# ip rip default route install

9.1.10 Configuring RIP Default Route Propagation

Set the metric to be used for a default route propagated over the interface with the ip rip default route originate command. This command is a RIP interface-specific command (See “Accessing Interface-specific RIP Commands”.)


Command syntax:

ip rip default route originate metnum

Where:

metnum is a numerical value in the range of 1-15 specifying a RIP metric.

Example:

Magnum 10RX(config-if)# ip rip default route originate 10

This command sets the RIP metric for a default route propagated over this interface to 10.

9.1.11 Configuring IP RIP Send Version on an Interface

Use the ip rip send version command in Interface Configuration mode to set the IP RIP version number for transmitting advertisements. This command is a RIP interface-specific command (See “Accessing Interface-specific RIP Commands”.)

Command syntax:

ip rip send version {1 | 2 | 1 2 | none}

Where:

1 - Sends RIP updates compliant with RFC 1058.

2 - Sends multicasting RIP updates.

1 2 - Sends both multicasting RIP updates and RIP updates compliant with RFC 1058.

none - No RIP updates are sent. (This is passive operation.)

Example:

Magnum 10RX(config-if)# ip rip send version 1

Default value: 1 2

The no ip rip send version command specifies the default.

9.1.12 Configuring IP RIP Receive Version on an Interface

Use the ip rip receive version command to set the IP RIP version number for receiving advertisements. This command is a RIP interface-specific command (See “Accessing Interface-specific RIP Commands”.)

Command syntax:

ip rip receive version {1 | 2 | 1 2 | none}

Where:

1 - Receives RIP updates compliant with RFC 1058.

2 - Receives multicasting RIP updates.


1 2 - Receives both multicasting RIP updates and RIP updates compliant with RFC 1058.

none - No RIP updates are received.

Magnum 10RX(config-if)# ip rip receive version 1

Default value: 1 2

The no ip rip receive version command specifies the default.
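The receive version setting above and the source validation of Section 9.1.7 together decide whether a received RIP update is processed at all. The following added example (a model, not INOS code) applies both checks to the standard RIP header, whose second byte is the version; the packets, addresses and function names are constructed, and the interface address is the one from Figure 8-1.

```python
import ipaddress
import struct

# 'ip rip receive version' keyword -> RIP version numbers accepted.
RECEIVE = {"1": {1}, "2": {2}, "1 2": {1, 2}, "none": set()}
ENTRY = "!HH4s4s4sI"   # AFI, route tag, address, mask, next hop, metric (20 bytes)


def build_response(version, routes):
    """Constructed input: a RIP response carrying (network, mask, metric) tuples."""
    packet = struct.pack("!BBH", 2, version, 0)       # command 2 = response
    for network, mask, metric in routes:
        packet += struct.pack(ENTRY, 2, 0,
                              ipaddress.IPv4Address(network).packed,
                              ipaddress.IPv4Address(mask).packed,
                              bytes(4), metric)
    return packet


def parse_entries(packet):
    """Return [(network, mask, metric)] from the 20-byte entries after the header."""
    entries = []
    for off in range(4, len(packet) - 19, 20):
        _afi, _tag, addr, mask, _hop, metric = struct.unpack(
            ENTRY, packet[off:off + 20])
        entries.append((str(ipaddress.IPv4Address(addr)),
                        str(ipaddress.IPv4Address(mask)), metric))
    return entries


def check_update(packet, src, iface, receive, validate_source):
    """Return (accepted, reason) for one RIP datagram received on iface.

    iface:           the interface address and mask, e.g. "192.168.1.1/255.255.255.0".
    receive:         the interface's receive version keyword ("1", "2", "1 2", "none").
    validate_source: True models 'validate-update-source' being configured.
    """
    if len(packet) < 4:
        return False, "truncated header"
    _command, version, _zero = struct.unpack("!BBH", packet[:4])
    if version not in RECEIVE[receive]:
        return False, "version %d rejected by receive version %s" % (version, receive)
    if validate_source:
        connected = ipaddress.ip_interface(iface).network
        if ipaddress.ip_address(src) not in connected:
            return False, "source %s is outside connected subnet %s" % (src, connected)
    return True, "accepted"


IFACE = "192.168.1.1/255.255.255.0"                  # vlan 1 in Figure 8-1
V2_UPDATE = build_response(2, [("60.0.0.0", "255.0.0.0", 2)])
V1_UPDATE = build_response(1, [("60.0.0.0", "0.0.0.0", 2)])

if __name__ == "__main__":
    print(parse_entries(V2_UPDATE))
    print(check_update(V2_UPDATE, "192.168.1.2", IFACE, "1 2", True))
    print(check_update(V2_UPDATE, "10.9.9.9", IFACE, "1 2", True))
    print(check_update(V2_UPDATE, "10.9.9.9", IFACE, "1 2", False))
    print(check_update(V1_UPDATE, "192.168.1.2", IFACE, "2", True))
```

In this model, with the default receive version of 1 2 and no source validation, the update from the off-subnet sender 10.9.9.9 is accepted; either setting alone narrows what the interface will process.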

9.1.13 Configuring RIP Version Globally

Use the version command in Router RIP Configuration mode to set the RIP version (both send and receive) on all RIP-enabled interfaces.

Command syntax:

version {1 | 2 | 1 2 | none}

Where:

1 - Specifies RIP updates compliant with RFC 1058.

2 - Specifies multicasting RIP updates.

1 2 - Specifies both multicasting RIP updates and RIP updates compliant with RFC 1058.

none - No RIP updates.

Magnum 10RX(config-router)# version 1

Default value: 1 2

The no version command specifies no global version for RIP.

NOTE: The version command executed in this configuration mode will NOT show up in the running-config display. Instead the appropriate per-interface configuration will be set.

9.1.14 Configuring IP RIP Summary Address

Use the ip rip summary-address command to set the route aggregation over an interface for all subnet routes that fall under the specified IP address and mask. This command is a RIP interface-specific command (See “Accessing Interface-specific RIP Commands”.)

Command syntax:

ip rip summary-address ip-address mask

Where:

ip-address is a valid IP address.

mask is a valid subnet mask.


Magnum 10RX(config-if)# ip rip summary-address 60.0.0.0 255.0.0.0

This command specifies that all subnets encompassed by the 60.0.0.0 IP address will be aggregated under that IP address.

This command cannot be used with IP RIP v1 send version.

Auto-summarization overrides interface specific aggregation. Disable auto-summarization if you are implementing interface-specific route aggregation (See Section 9.1.6.)
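The interaction between auto-summarization (Section 9.1.6) and an interface summary address can be checked offline before changing either setting. The following added example (a model of the behaviour described in this guide, not INOS code) computes what would be advertised in each case and how much address space a summary announces beyond the routes actually held; the 172.16 routes and the function names are constructed.

```python
import ipaddress


def classful_network(net):
    """Return the class A, B or C network that contains net."""
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError("%s is not a class A, B or C address" % net)
    return net.supernet(new_prefix=prefix) if net.prefixlen > prefix else net


def advertised(routes, auto_summary=True, summary=None):
    """Return the sorted prefixes RIP would advertise over one interface.

    routes:       subnet routes in the RIP table, as CIDR strings.
    auto_summary: True models 'auto-summary', False models 'no auto-summary'.
    summary:      (address, mask) from 'ip rip summary-address', or None.
    As the guide states, auto-summarization overrides the interface aggregate.
    """
    nets = [ipaddress.ip_network(route) for route in routes]
    if auto_summary:
        out = {classful_network(net) for net in nets}
    elif summary:
        aggregate = ipaddress.ip_network("%s/%s" % summary)
        out = {aggregate if net.subnet_of(aggregate) else net for net in nets}
    else:
        out = set(nets)
    return [str(net) for net in sorted(out)]


def overclaim(routes, prefixes):
    """Addresses announced by prefixes that no route in the table covers.

    Assumes the routes do not overlap and all fall inside the prefixes.
    """
    held = sum(ipaddress.ip_network(r).num_addresses for r in routes)
    announced = sum(ipaddress.ip_network(p).num_addresses for p in prefixes)
    return announced - held


# 10.1/16 and 10.2/16 are the guide's example; the 172.16 routes are constructed.
ROUTES = ["10.1.0.0/16", "10.2.0.0/16", "172.16.1.0/24", "172.16.2.0/24"]
SUMMARY = ("172.16.0.0", "255.255.252.0")

if __name__ == "__main__":
    print("auto-summary:             ", advertised(ROUTES, True))
    print("no auto-summary:          ", advertised(ROUTES, False))
    print("no auto-summary + summary:", advertised(ROUTES, False, SUMMARY))
    print("auto-summary + summary:   ", advertised(ROUTES, True, SUMMARY))
    print("addresses over-announced: ",
          overclaim(ROUTES[:2], advertised(ROUTES[:2], True)))
```

The last figure shows why summaries deserve review: the single 10.0.0.0/8 advertisement announces reachability for far more addresses than the two /16 routes the router actually holds.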

9.1.15 Configuring Split Horizon

Split horizon is a route advertising feature that reduces looping by preventing an advertisement that could send a packet back along the route by which it was delivered. With the poison reverse option enabled the unwanted route is given an infinite metric so that its unsuitability is advertised throughout the network. Enable split horizon with the ip split-horizon command. This command is a RIP interface-specific command (See “Accessing Interface-specific RIP Commands”.)

Command syntax:

ip split-horizon [poison]

Where:

poison enables the poison reverse option.

Magnum 10RX(config-if)# ip split-horizon

Default value: split horizon with poison reverse enabled
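The effect of the three split horizon settings can be seen by building the update a router would send and by replaying the classic two-router failure case. This is an added example, not INOS code; it uses the metric of 16 that the guide gives for poison reverse, and the routing tables, interface names and mode names are constructed.

```python
INFINITY = 16   # metric sent for a poisoned route; also "inaccessible" (Section 9.1.4)


def build_update(table, out_iface, mode="poison"):
    """Routes a router would advertise out of out_iface.

    table: {prefix: (metric, learned_on)}; learned_on is None for connected routes.
    mode:  "disabled", "split" (split horizon) or "poison" (poison reverse).
    """
    update = {}
    for prefix, (metric, learned_on) in sorted(table.items()):
        if learned_on == out_iface:
            if mode == "split":
                continue                      # never send a route back
            if mode == "poison":
                update[prefix] = INFINITY     # send it back as unreachable
                continue
        update[prefix] = metric               # metric as held in the RIP table
    return update


def receive(table, update, from_iface):
    """Apply a received update with the distance-vector rule (one hop = cost 1)."""
    for prefix, metric in update.items():
        new = min(metric + 1, INFINITY)
        current = table.get(prefix)
        # Accept news from the current next hop even if worse; otherwise only if better.
        if current is None or current[1] == from_iface or new < current[0]:
            table[prefix] = (new, from_iface)


def rounds_to_converge(mode, prefix="10.1.0.0/16"):
    """Routers A and B are neighbours; A's own link to prefix has just failed.

    B's periodic update reaches A before A's bad news reaches B. Returns the
    number of update exchanges until both routers hold the route as unreachable.
    """
    a = {prefix: (INFINITY, None)}            # A: route just marked unreachable
    b = {prefix: (2, "to_A")}                 # B: still holds the stale route via A
    rounds = 0
    while a[prefix][0] < INFINITY or b[prefix][0] < INFINITY:
        rounds += 1
        receive(a, build_update(b, "to_A", mode), "to_B")
        receive(b, build_update(a, "to_B", mode), "to_A")
    return rounds


# Constructed RIP table of one router.
TABLE = {
    "10.1.0.0/16": (2, "vlan 1"),             # learned from a neighbour on vlan 1
    "10.2.0.0/16": (1, None),                 # directly connected
    "60.0.0.0/8": (3, "vlan 2"),              # learned from a neighbour on vlan 2
}

if __name__ == "__main__":
    for mode in ("disabled", "split", "poison"):
        print(mode, build_update(TABLE, "vlan 1", mode),
              "rounds:", rounds_to_converge(mode))
```

With split horizon disabled the stale route bounces between the two routers until its metric counts up to 16; with either split horizon option the failure is learned in a single exchange.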

9.2 Configuring RIP in the GUI

The following sections describe RIP configuration in the Graphical User Interface. The See Also cross references in the tables direct you to related information in the CLI documentation.


9.2.1 Enabling and Disabling RIP

In the GUI go to the Layer 3 Management: RIP: Global Conf tab to view the RIP Global Configuration screen, as illustrated in Figure 9-2.

Figure 9-2. RIP Global Configuration Screen

The RIP Global Configuration screen enables you to enable or disable RIP on all interfaces in the switch. Make your selection and click the apply button for your specification to take effect. See also Section 9.1.1.

Default value: Disabled

9.2.2 RIP Interface Configuration

In the GUI go to the Layer 3 Management: RIP: Interface tab to modify specific RIP-enabled interfaces, as illustrated in Figure 9-3.

Figure 9-3. RIP Interface Configuration Screen

The RIP Interface Configuration screen enables you to configure RIP parameters for interfaces that you specify. Select an unconfigured interface from the dropdown menu in the upper dialog box and click Add to display its values in the lower dialog box. Use the lower dialog box to modify parameters. Specify the values and click the apply button for your specifications to take effect. Click Delete to eliminate the RIP configuration for a selected interface.


Table 9-2. RIP Interface Fields

| Parameter | Description | See Also |
|---|---|---|
| Select | You must click a selection button before configuring an interface. | |
| IP Address | The IP address of the RIP interface (a read-only field). | |
| Status | The administrative status of RIP in the router. The options are: Enabled: The RIP process operates on this interface. Disabled: The RIP process does not operate on this interface. Passive: The RIP process is passive. (The interface accepts but does not send RIP routing updates.) | |
| Split Horizon | Specifies the operational status of Split Horizon in the system. The options are: Split Horizon: Applies Split Horizon on the response packets that are sent out. Does not send route on an interface from which route is learned. Poison Reverse: Sends route with the metric value 16 on an interface from which route is learned. Disabled: Sends route on all the interfaces with the metric same as that in the RIP Routing Table. Default value: Poison Reverse. | Section 9.1.15 |
| Default Route Installation | Whether the default route received over the interface must be installed to RIP database. Yes installs the default route, No does not. | Section 9.1.9 |
| Send Version | The version of RIP packets that will be sent over this interface. The options are: RIP Version 1: Sends RIP updates compliant with RFC 1058. RIP Version 2: Sends multicasting RIP2 updates. RIP1 Compatible: Sends both multicasting RIP updates and RIP updates compliant with RFC 1058. Do not send: No RIP updates are sent. (This is passive operation.) Default value: RIP1 Compatible | Section 9.1.11 |
| Receive Version | The version of RIP packets that will be received over this interface. The options are: RIP1: Receives RIP updates compliant with RFC 1058. RIP2: Receives multicasting RIP2 updates. RIP1 or RIP2: Receives both multicasting RIP updates and RIP updates compliant with RFC 1058. Do not receive: No RIP updates are received. Default value: RIP1 or RIP2 | Section 9.1.12 |


Chapter 10 OSPF

Open Shortest Path First (OSPF) is a widely used link-state routing protocol. It is an Interior Gateway Protocol (IGP) that routes IP packets solely within a single routing domain, or Autonomous System (AS).

This chapter provides an overview of OSPF concepts, documentation of some basic OSPF configuration commands, and an extended example of the configuration of an OSPF network.

10.1 Overview

OSPF gathers link state information from available routers and constructs a topology map of the network. The topology determines the routing table presented to the Internet Layer which makes routing decisions based solely on the destination IP address found in IP datagrams. OSPF supports variable-length subnet masking (VLSM) or Classless Inter-Domain Routing (CIDR) addressing models. OSPF was designed to address and overcome many of the limitations of RIP. It reduces housekeeping overhead and promotes very fast convergence in the event of network changes or failures.

In link-state routing protocols each network node collects information about connectivity and shares that information with other nodes via Link State Advertisements (LSAs). This information is used to generate network maps and routing tables specifying the shortest path from each node to other destinations in the network.

The OSPF routing policies to construct a route table are governed by link cost factors associated with each routing interface. Cost factors may be the distance of a router (round-trip time), network throughput of a link, or link availability and reliability, expressed as simple unit-less numbers.

An OSPF network may be structured, or subdivided, into routing areas to simplify administration, and optimize traffic and resource utilization. Areas are identified by numerical designations that may be expressed in decimal but which are conventionally expressed in octet-based dot-decimal notation like IPv4 address notation.

By convention area 0 (zero) or 0.0.0.0 represents the core or backbone region of an OSPF network. The designation of other areas is up to the administrator but it is a common and practical policy to select the IP address of a main router in an area as the area's identification. Each additional area must have a direct or virtual connection to the backbone OSPF area. Such connections are maintained by an interconnecting router, known as area border router (ABR). An ABR maintains separate link state databases for each area it serves and maintains summarized routes for all areas in the network.


OSPF does not use a TCP or UDP transport protocol, but is encapsulated directly in an IP datagram with protocol number 89. This is in contrast to other routing protocols, such as the Routing Information Protocol (RIP), or the Border Gateway Protocol (BGP). OSPF handles its own error detection and correction functions.

The OSPF protocol, when running on IPv4, can operate securely between routers, optionally using a variety of authentication methods to allow only trusted routers to participate in routing.
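The common header carried by every OSPF packet shows on the wire which authentication method a neighbor uses. The following parser is an added example (not from this guide or from INOS): it reads the OSPFv2 header of a raw IPv4 packet, verifies the checksum and reports the authentication type. The field layout is taken from RFC 2328, not from this page, and the sample Hello packet is constructed.

```python
import ipaddress
import struct

OSPF_PROTO = 89  # IP protocol number that carries OSPF directly (no TCP/UDP)
PACKET_TYPES = {1: "Hello", 2: "Database Description", 3: "Link State Request",
                4: "Link State Update", 5: "Link State Acknowledgment"}
AUTH_TYPES = {0: "null", 1: "simple password", 2: "cryptographic"}


def inet_checksum(data):
    """16-bit ones' complement checksum used by IPv4 and OSPFv2."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ospf(ip_packet):
    """Return OSPFv2 header fields of a raw IPv4 packet, or None if not OSPF."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4
    if ihl < 20 or ip_packet[9] != OSPF_PROTO:
        return None
    ospf = bytes(ip_packet[ihl:])
    if len(ospf) < 24:
        raise ValueError("truncated OSPF header")
    version, ptype, length, rid, area, _cksum, autype = struct.unpack(
        "!BBH4s4sHH", ospf[:16])
    if version != 2 or not 24 <= length <= len(ospf):
        raise ValueError("not a well-formed OSPFv2 packet")
    # The checksum covers the packet except the 8-byte authentication field
    # (bytes 16-23); with cryptographic authentication it is not computed.
    checksum_ok = None
    if autype != 2:
        checksum_ok = inet_checksum(ospf[:16] + ospf[24:length]) == 0
    findings = []
    if autype == 0:
        findings.append("null authentication: routing exchanges are not authenticated")
    elif autype == 1:
        findings.append("simple password: the shared secret is carried in clear text")
    elif autype != 2:
        findings.append(f"unknown authentication type {autype}")
    return {
        "type": PACKET_TYPES.get(ptype, f"unknown ({ptype})"),
        "router_id": str(ipaddress.IPv4Address(rid)),
        "area_id": str(ipaddress.IPv4Address(area)),
        "auth": AUTH_TYPES.get(autype, "unknown"),
        "checksum_ok": checksum_ok,
        "findings": findings,
    }


def build_sample_hello(autype=0, auth=b"\x00" * 8):
    """Constructed Hello from router 2.2.2.2 in area 0.0.0.0 (sample data only)."""
    rid = ipaddress.IPv4Address("2.2.2.2").packed
    area = ipaddress.IPv4Address("0.0.0.0").packed
    mask = ipaddress.IPv4Address("255.255.255.0").packed
    # Hello body: mask, hello interval 10 s, options, priority 1, dead interval
    # 40 s, no DR or BDR elected yet, no neighbors listed.
    body = struct.pack("!4sHBBI4s4s", mask, 10, 0x02, 1, 40, bytes(4), bytes(4))
    head = struct.pack("!BBH4s4sHH", 2, 1, 24 + len(body), rid, area, 0, autype)
    cksum = inet_checksum(head + body)
    ospf = head[:12] + struct.pack("!H", cksum) + head[14:] + auth + body
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(ospf), 0, 0, 1,
                     OSPF_PROTO, 0, rid, ipaddress.IPv4Address("224.0.0.5").packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + ospf


if __name__ == "__main__":
    print(parse_ospf(build_sample_hello()))
```

Run against captured traffic on a routed segment, an empty findings list means the neighbor is using cryptographic authentication.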

10.1.1 OSPF Neighbor Relationships

Routers in the same broadcast domain or at each end of a point-to-point telecommunications link form adjacencies when they have detected each other. This detection occurs when a router identifies itself in an OSPF protocol “hello packet.” This is called a two-way state and is the most basic relationship. Routers select a designated router (DR) and a backup designated router (BDR) to act as a hub to reduce traffic between routers. OSPF uses both unicast and multicast to send "hello packets" and link state updates.

10.1.2 OSPF Area Types

An OSPF domain is divided into areas that are labeled with 32-bit area identifiers. The area identifiers are commonly written in the dot-decimal notation of an IPv4 address; however, they are not IP addresses and may duplicate, without conflict, any IPv4 address.

Areas are logical groupings of hosts and networks, including their routers having interfaces connected to any of the included networks. Each area maintains a separate link state database whose information may be summarized towards the rest of the network by the connecting router. Thus, the topology of an area is unknown outside of the area. This reduces the amount of routing traffic between parts of an autonomous system.

OSPF defines several area types. These are listed below. Some vendors also implement extensions to OSPF area types.

10.1.2.1 OSPF Backbone Area

The backbone area (area 0 or area 0.0.0.0) forms the core of an OSPF network. All other areas are connected to it and inter-area routing happens via routers connected to the backbone area and to their own associated areas. It is the logical and physical structure for the 'OSPF domain' and is attached to all nonzero areas in the OSPF domain.

The backbone area is responsible for distributing routing information between area routers. The backbone must be contiguous, but it does not need to be physically contiguous; backbone connectivity can be established and maintained through the configuration of virtual links. For example, assume area 0.0.0.1 has a physical connection to area 0.0.0.0. Further assume that area 0.0.0.2 has no direct connection to the backbone, but this area does have a connection to area 0.0.0.1. Area 0.0.0.2 can use a virtual link through the transit area 0.0.0.1 to reach the backbone. To be a transit area, an area has to have the transit attribute, so it cannot be stubby in any way.


10.1.2.2 OSPF Stub Area

A stub area is an area which does not receive route advertisements external to the autonomous system (AS). Routing to destinations that are external to the AS is based entirely on a default route. This reduces the size of the routing databases for the area's internal routers.

10.1.2.3 OSPF Not-So-Stubby Area

A not-so-stubby area (NSSA) is a type of stub area that can import autonomous system external routes and send them to other areas, but still cannot receive AS external routes from other areas. NSSA is an extension of the stub area feature that allows the injection of external routes in a limited fashion into the stub area.

10.2 OSPF Configuration in the CLI

The following subsections describe a basic set of commands to configure OSPF functionality.

10.2.1 Enabling and Disabling OSPF

Use the router ospf command in Global Configuration mode to enable OSPF globally in the current device and to enter the Router OSPF Configuration mode, signaled by the Magnum 10RX(config-router)# prompt. Executing the help command at this prompt will display a list of OSPF-specific commands.

Command syntax:

router ospf

Example:

Magnum 10RX(config)# router ospf

Magnum 10RX(config-router)#

The no router ospf command disables OSPF globally.

10.2.2 Enabling OSPF on an Interface

Use the network command in Router OSPF Configuration mode to enable OSPF on a specified interface. When you enable OSPF on an interface, you are required to assign that interface to an OSPF area.

Command syntax:

network ip_adr area area_id

Where:

ip_adr is the IP address of the interface.

area_id is the OSPF area ID in dotted decimal notation.


Example:

Magnum 10RX(config-router)# network 192.168.4.2 area 0.0.0.0

This command specifies the interface at IP address 192.168.4.2 for OSPF configuration and assigns it to OSPF area 0.0.0.0 (the backbone).

The no network ip_adr area area_id command disables the OSPF configuration on the interface and area specified.

10.2.3 Configuring a Stub Area

Use the area stub command in Router OSPF Configuration mode to configure a stub area. OSPF external routes are not passed into a stub area; instead, a single default route is passed into the area by the area border router. You can restrict the routes passed into a stub area even further by specifying the no-summary keyword. In that case, not even OSPF inter-area summary routes will be passed into the stub area. All routing will be done based on the default route.

Command syntax:

area area_id stub [no-summary]

Where:

area_id is the OSPF area ID in dotted decimal notation.

no-summary prevents inter-area summary routes from being passed into the stub area.

Example:

Magnum 10RX(config-router)# area 0.0.0.4 stub no-summary

This command specifies that area 0.0.0.4 will be configured as a stub area and that all routing will be based on the default route.

The no area area_id stub command removes a stub area configuration.

10.2.4 Configuring a Not-So-Stubby Area

Use the area nssa command in Router OSPF Configuration mode to configure a not-so-stubby area (NSSA). An NSSA works like a normal stub area except that external routes learned by routers in the NSSA can be passed to the backbone.

Command syntax:

area area_id nssa [no-summary]

Where:

area_id is the OSPF area ID in dotted decimal notation.

no-summary prevents inter-area summary routes from being passed into the NSSA.


Example:

Magnum 10RX(config-router)# area 0.0.0.4 nssa no-summary

This command specifies that area 0.0.0.4 will be configured as a not-so-stubby area.

The no area area_id nssa command removes an NSSA configuration.

10.2.5 Configuring the Cost of the Default Route in a Stub Area

Use the area default-cost command in Router OSPF Configuration mode to configure the cost associated with the default route passed into a stub area or into an NSSA.

Command syntax:

area area_id default-cost cost

Where:

area_id is the OSPF area ID in dotted decimal notation.

cost is the value of the metric to be associated with the default route in this area.

Example:

Magnum 10RX(config-router)# area 1.1.1.1 default-cost 50

This command specifies that the metric value for the default route will be 50 in area 1.1.1.1.

Default value: 1

Valid range: 1-65535

The no area area_id default-cost command specifies the default value.

10.2.6 Summarizing Routes Between Areas

Use the area range command in Router OSPF Configuration mode to configure routes to be consolidated and summarized at OSPF area boundaries. This feature is typically used to summarize routes toward the backbone but can also be used in the other direction.

Command syntax:

area area_id range network mask [{advertise | not-advertise}]

Where:

area_id is the OSPF area ID in dotted decimal notation.

network is the network address in dotted decimal notation.

mask is the subnet mask.

advertise specifies that the summary route should be advertised to other areas.


not-advertise specifies that the summary route should not be advertised to other areas, effectively hiding those routes.

Example:

Magnum 10RX(config-router)# area 1.1.1.1 range 192.168.0.0 255.255.0.0 advertise

This command specifies that all routes falling in the specified range will be summarized with this single route specification and will be advertised to other areas.

Default value: advertise

10.2.7 Summarizing External Routes

Use the summary-address command in Router OSPF Configuration mode to configure OSPF external routes (for example, routes redistributed from RIP or BGP) to be consolidated and summarized. You can summarize external routes to reduce the size of the routing table or to control which external routes are distributed into the OSPF domain.

Command syntax:

summary-address network mask area_id [{advertise | not-advertise}]

Where:

network is the network address in dotted decimal notation.

mask is the subnet mask.

area_id is the OSPF area ID in dotted decimal notation.

advertise specifies that the summary route should be advertised to other areas.

not-advertise specifies that the summary route should not be advertised to the specified area, effectively hiding those routes.

Example:

Magnum 10RX(config-router)# summary-address 192.168.0.0 255.255.0.0 0.0.0.0 advertise

This command is an instruction to summarize all external routes in 192.168.0.0 passed into area 0.0.0.0.

Default value: advertise
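The effect of the area range and summary-address commands in Sections 10.2.6 and 10.2.7 can be checked before a change is applied. The following is an added example, not INOS code: it parses both command forms as documented above and reports which prefixes would be advertised across the boundary and which would be hidden by not-advertise. The second range, the route list and the rule that the most specific covering range wins are assumptions of the example.

```python
import ipaddress


def parse_aggregate(command):
    """Parse an 'area ... range' or 'summary-address' line in the syntax shown above."""
    tok = command.split()
    if len(tok) >= 5 and tok[0] == "area" and tok[2] == "range":
        kind, area, network, mask, rest = "inter-area", tok[1], tok[3], tok[4], tok[5:]
    elif len(tok) >= 4 and tok[0] == "summary-address":
        kind, network, mask, area, rest = "external", tok[1], tok[2], tok[3], tok[4:]
    else:
        raise ValueError(f"not an aggregation command: {command!r}")
    if rest not in ([], ["advertise"], ["not-advertise"]):
        raise ValueError(f"unexpected keyword in: {command!r}")
    ipaddress.IPv4Address(area)  # area ID must be dotted decimal
    # strict=True rejects a network address that has host bits set under the mask
    prefix = ipaddress.IPv4Network(f"{network}/{mask}", strict=True)
    return {"kind": kind, "area": area, "prefix": prefix,
            "advertise": rest != ["not-advertise"]}  # default is advertise


def apply_aggregates(routes, aggregates):
    """Split routes into what crosses the boundary and what is suppressed."""
    advertised, hidden = set(), []
    for route in (ipaddress.IPv4Network(r) for r in routes):
        covering = [a for a in aggregates if route.subnet_of(a["prefix"])]
        if not covering:
            advertised.add(route)  # no aggregate applies: advertised as-is
            continue
        # Assumption of this example: the most specific covering range wins.
        best = max(covering, key=lambda a: a["prefix"].prefixlen)
        if best["advertise"]:
            advertised.add(best["prefix"])  # many routes collapse into one summary
        else:
            hidden.append(route)  # not-advertise: nothing is sent for this range
    return sorted(advertised), hidden


# The first command is the page's example; the second range and all routes
# are constructed sample data.
SAMPLE_COMMANDS = [
    "area 1.1.1.1 range 192.168.0.0 255.255.0.0 advertise",
    "area 1.1.1.1 range 172.16.0.0 255.255.0.0 not-advertise",
]
SAMPLE_ROUTES = ["192.168.1.0/24", "192.168.2.0/24", "172.16.9.0/24", "10.5.5.0/24"]


def demo():
    """Return (advertised, hidden) prefixes for the sample data as strings."""
    aggregates = [parse_aggregate(c) for c in SAMPLE_COMMANDS]
    advertised, hidden = apply_aggregates(SAMPLE_ROUTES, aggregates)
    return [str(p) for p in advertised], [str(p) for p in hidden]


if __name__ == "__main__":
    print(demo())
```

Reviewing the hidden list before applying a not-advertise range shows whether the range is broader than intended and would remove reachability that other areas depend on.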

10.2.8 Controlling External Metrics

Use the redist-config command in Router OSPF Configuration mode to control the type and value of the metrics associated with OSPF external routes.

Command syntax:

redist-config network mask metric-value cost metric-type {asExttype1 | asExttype2} tag tagval


Where:

network is the network address in dotted decimal notation.

mask is the subnet mask.

cost specifies the value of the metric.

asExttype1 specifies an external type 1 route.

asExttype2 specifies an external type 2 route.

tagval is a decimal value in the range 1-4294967295 for a tag to assign to this route.

Example:

Magnum 10RX(config-router)# redist-config 192.168.1.0 255.255.255.0 metric-value 50 metric-type asExttype2 tag 999

This command is an instruction to treat the external route 192.168.1.0/24 as a type 2 route with a metric of 50 and bearing a tag of 999.

Default Values:

• The cost of a type 1 external route is always the sum of the external metric and the internal OSPF cost.

• The cost of a type 2 external route is just the external metric. The internal OSPF metric is not considered as part of the cost.

• A type 1 external route is always preferred over a type 2 external route for the same destination.

10.3 OSPF Configuring in the GUI

The following sections describe OSPF configuration in the Graphical User Interface. The See Also cross references in the tables direct you to related information in the CLI documentation.


10.3.1 Enabling and Disabling OSPF

In the GUI go to the Layer 3 Management: OSPF: Global Conf tab to view the OSPF Global Configuration screen, as illustrated in Figure 10-1.

Figure 10-1. OSPF Global Configuration Screen

The OSPF Global Configuration screen lets you enable or disable OSPF on the router. Make your selection and click the Apply button for the setting to take effect. See also Section 10.2.1.

10.3.2 OSPF Basic Settings

In the GUI go to the Layer 3 Management: OSPF: Basic Settings tab to configure basic OSPF parameters, as illustrated in Figure 10-2.

Figure 10-2. OSPF Basic Settings Screen

The OSPF Basic Settings screen enables you to configure OSPF parameters for a specific router. Configure a router in the upper dialog box and click Apply to display its values in the lower dialog box. Use the lower dialog box to modify previously configured parameters.

Table 10-1. OSPF Basic Settings Fields

| Parameter | Description | See Also |
| --- | --- | --- |
| Router ID | The 32-bit integer identifying this router in the AS. Default value: 0.0.0.0 | Section 10.2.1 |
| Autonomous System Border Router | Whether or not to configure this router as an Autonomous System Border Router (ASBR). Options are Yes and No. Default value: No | Section 10.1 |
| RFC 1583 Compatibility | The method used to calculate summary route costs differs in the versions of OSPF defined in RFC 2178 and the older RFC 1583. The Yes option enables compatibility with the older version. Default value: Yes | |
| ABR-type | Specifies the type of Area Border Router (ABR). Options are Standard, CISCO, and IBM. Default value: Standard | |


10.3.3 OSPF Area Configuration

In the GUI go to the Layer 3 Management: OSPF: Area tab to configure basic OSPF areas, as illustrated in Figure 10-3.

Figure 10-3. OSPF Area Screen

The OSPF Area screen enables you to configure OSPF area parameters. Configure an area in the upper dialog box and click Add to display the area’s configured parameters in the list in the lower dialog box. Use the lower dialog box to modify previously configured parameters.

Table 10-2. OSPF Area Fields

| Parameter | Description | See Also |
| --- | --- | --- |
| Select | You must click a selection button before modifying an area. | |
| Area ID | The OSPF area ID in dotted decimal notation. | |
| Type | Specifies the required type for an area. The options are: Normal — OSPF external routes are passed into the area; Stub — OSPF external routes are not passed into a stub area; NSSA — works like a normal stub area except that external routes learned by routers in the NSSA can be passed to the backbone. Default value: Normal | Section 10.2.3, Section 10.2.4 |
| Send Summary Routes | Specifies whether or not routes are to be summarized and propagated in this area. Options are Yes and No. Default value: No | Section 10.2.6, Section 10.2.7 |

10.3.4 OSPF Interface Configuration

In the GUI go to the Layer 3 Management: OSPF: Interface tab to configure an OSPF interface, as illustrated in Figure 10-4.

Figure 10-4. OSPF Interface Screen

The OSPF Interface screen enables you to configure an interface for OSPF operation. Configure an interface in the upper dialog box and click Add to display the interface’s configured parameters in the list in the lower dialog box. Use the lower dialog box to modify previously configured parameters.

Table 10-3. OSPF Interface Fields

| Parameter | Description | See Also |
| --- | --- | --- |
| Select | You must click a selection button before modifying an interface. | |
| Interface | Select an available interface from the drop down menu. | |
| IP Address | The IP address of the selected interface. | |
| Area ID | The OSPF area ID to which the interface connects in dotted decimal notation. | |
| Priority | The priority of this interface to be used in the Designated Router election. Default value: 1. Valid range: 0-255 | |
| Metric | The cost associated with this interface. Default value: 1. Valid range: 1-65535 | |
| Passive | Whether or not this interface will passively listen for updates. Options are Yes and No. Default value: No | |
| If Type | The OSPF interface type. The options are broadcast, nbma (Non-Broadcast Multi-Access), point-to-point, and point-to-multipoint. Default value: broadcast | |


10.3.5 OSPF Virtual Interface Configuration

In the GUI go to the Layer 3 Management: OSPF: Virtual Interface tab to configure an OSPF virtual interface, as illustrated in Figure 10-5.

Figure 10-5. OSPF Virtual Interface Screen

The OSPF Virtual Interface screen enables you to configure a virtual interface for OSPF operation. Configure a virtual interface in the upper dialog box and click Add to display the interface’s configured parameters in the list in the lower dialog box. Use the lower dialog box to modify previously configured parameters.

Table 10-4. OSPF Interface Fields

| Parameter | Description | See Also |
| --- | --- | --- |
| Select | You must click a selection button before modifying an interface. | |
| Transit Area ID | The OSPF area ID of the transit area in dotted decimal notation. | |
| Neighbor Router ID | The OSPF area ID of the neighbor router in dotted decimal notation. | |


10.3.6 OSPF Neighbor Configuration

In the GUI go to the Layer 3 Management: OSPF: Neighbor tab to configure non-virtual neighbor parameters, as illustrated in Figure 10-6.

Figure 10-6. OSPF Neighbor Configuration Screen

The OSPF Neighbor configuration screen enables you to configure parameters for a non-virtual OSPF neighbor. Configure a neighbor in the upper dialog box and click Add to display the neighbor’s configured parameters in the list in the lower dialog box. Use the lower dialog box to modify previously configured parameters.

Table 10-5. OSPF Interface Fields

| Parameter | Description | See Also |
| --- | --- | --- |
| Select | You must click a selection button before modifying a neighbor configuration. | |
| Neighbor IP Address | The OSPF router ID of the neighbor router in dotted decimal notation. | |
| Neighbor Priority | The priority of this interface to be used in the Designated Router election. Default value: 1. Valid range: 0-255 | |


10.3.7 OSPF RRD Route Configuration

In the GUI go to the Layer 3 Management: OSPF: RRD Route tab to configure certain information for learned routes, as illustrated in Figure 10-7.

Figure 10-7. OSPF RRD Route Configuration Screen

The OSPF RRD Route configuration screen enables you to configure metric cost and route type information to be applied to the routes learnt from the Routing Table Manager (RTM). Configure a route in the upper dialog box and click Add to display the RRD route’s configured parameters in the list in the lower dialog box. Use the lower dialog box to modify previously configured parameters.

Table 10-6. RRD Route Fields

| Parameter | Description | See Also |
| --- | --- | --- |
| Select | You must click a selection button before modifying a neighbor configuration. | |
| Destination Network | The IP address of the destination network. | |
| Network Mask | A mask for the destination network. | |
| Route Metric | The metric value applied to the route before it is advertised into the OSPF domain. Default value: 10. Valid range: 0-16777215 | |
| Route Metric Type | The metric type applied to the route before it is advertised into the OSPF domain. The options are asexttype1 and asexttype2. Default value: asexttype2 | Section 10.2.8 |

10.3.8 OSPF Area Aggregation

In the GUI go to the Layer 3 Management: OSPF: Aggregation tab to aggregate area routes into a single routing table entry, as illustrated in Figure 10-8.

Figure 10-8. OSPF Area Aggregation Screen

The OSPF Area Aggregation screen enables you to configure OSPF route summarization. Configure a route in the upper dialog box and click Add to display the configured parameters in the list in the lower dialog box. Use the lower dialog box to modify previously configured parameters.

Note that the terms route summarization and route aggregation are used synonymously in this context. See Section 10.2.6.

Table 10-7. Area Aggregation Fields

| Parameter | Description | See Also |
| --- | --- | --- |
| Select | You must click a selection button before modifying a neighbor configuration. | Section 10.2.6 |
| Area ID | The OSPF area ID in dotted decimal notation. | |
| Network | The network address in dotted decimal notation. | |
| Mask | The subnet mask. | |
| Advertise | Whether or not to advertise the summarized route to other areas. Options are advertise and not-advertise. Default value: advertise | |

10.3.9 OSPF AS External Aggregation

In the GUI go to the Layer 3 Management: OSPF: AsExtAggregation tab to configure aggregation of external routes, as illustrated in Figure 10-9.

Figure 10-9. OSPF AS External Aggregation Screen

The OSPF AS External Aggregation screen enables you to aggregate external routes. Configure an aggregation in the upper dialog box and click Add to display the configured parameters in the list in the lower dialog box. Use the lower dialog box to modify previously configured parameters.

Table 10-8. AS External Aggregation Fields

| Parameter | Description | See Also |
| --- | --- | --- |
| Select | You must click a selection button before modifying a neighbor configuration. | Section 10.2.7 |
| Network | The network address in dotted decimal notation. | |
| Mask | The subnet mask. | |
| Area ID | The OSPF area ID in dotted decimal notation. | |
| Aggregation Effect | Whether or not to advertise the summarized route to other areas. Options are advertise and not-advertise. Default value: advertise | |

10.4 OSPF Configuration Example Overview

To configure OSPF, ensure the following:

1. Determine the physical and virtual interfaces which need to participate in routing. Include WAN interfaces, LAN interfaces, and VLAN interfaces. Set the IP addresses for these interfaces.

2. Determine which interfaces need to actively broadcast routes to other routers or to be passive listeners for broadcast updates. This will depend on the network architecture.

3. Add static routes; for example, default gateway – usually the router on the outside which can resolve routing issues.

4. Configure OSPF Options.

5. Validate that the routing setup is working properly by viewing routing tables.

10.5 OSPF Example Configuration Procedure

Each device interface to be included must be correctly configured as described below. The following OSPF configuration example will depict interface configuration for one device but will assume that interfaces have been properly configured on all other devices that are members of the network.

Basic Configuration Task List

1. From the 10RX(config)# prompt: Enable OSPF routing on each device.

2. From the 10RX(config-if)# prompt: Assign IP addresses to each participating interface.

3. From the 10RX(config-router)# prompt:

a. Specify a router ID for each router in the network. The router-id must be a valid IP address of a configured interface on the router.

b. Associate each participating interface with a specified OSPF area.

The following sections guide you through the steps required to configure a network consisting of three OSPF areas.

10.5.1 Creating Area 0.0.0.0

Area 0.0.0.0, the backbone area, will include participating interfaces on routers designated 10RX#1 and 10RX#2.

Configuring 10RX#1

1. Log in to 10RX#1.

You must have privileged access to configure OSPF routing.

2. Specify an interface to configure (in this example Gigabit Ethernet port 2/1).

Magnum 10RX# config

Magnum 10RX(config)# interface gigabitethernet 2/1

3. Disable the interface for the duration of the configuration.

Magnum 10RX(config-if)# shutdown

4. Specify OSI layer 3 routed interface status for this interface.

Magnum 10RX(config-if)# no switchport

5. Specify an IP address and a mask for this interface.

Magnum 10RX(config-if)# ip address 2.2.2.2 255.255.255.0

6. Re-enable the interface.

Magnum 10RX(config-if)# no shutdown

7. Return to the CONFIGURE Commands prompt to enable OSPF.

Magnum 10RX(config)# router ospf

8. Assign a router ID.

Magnum 10RX(config-router)# router-id 2.2.2.2

9. Assign the interface to an area.

Magnum 10RX(config-router)# network 2.2.2.2 area 0.0.0.0

Configuring 10RX#2 in Area 0.0.0.0

Log in to 10RX#2 and repeat the steps described for 10RX#1, making the following changes to specifications in steps 3, 6, 9, and 10:

3. Specify an interface to configure (in this example Gigabit Ethernet port 1/1).

Magnum 10RX(config)# interface gigabitethernet 1/1


6. Specify an IP address and a mask for this interface.

Magnum 10RX(config-if)# ip address 2.2.2.1 255.255.255.0

9. Assign a router ID.

Magnum 10RX(config-router)# router-id 2.2.2.1

10. Assign the interface to an area.

Magnum 10RX(config-router)# network 2.2.2.1 area 0.0.0.0

OSPF Area 0.0.0.0 is now created with two participating interfaces: 2.2.2.2 on 10RX#1 and 2.2.2.1 on 10RX#2.

The progress of the creation of the network to this point is depicted in Figure 10-10.

Figure 10-10. Area 0.0.0.0 Created

View the configuration details by executing the following command at the EXEC prompt.

Magnum 10RX# show ip ospf

View the OSPF interfaces by executing the following command at the EXEC prompt.

Magnum 10RX# show ip ospf interface
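The rules this chapter states for the procedure can be checked mechanically before a configuration is pasted into a device. The following lint is an added example, not part of the guide or of INOS: it reads one device's CLI transcript and reports where the router ID is not an interface address, a network statement names no configured interface, an area ID is not dotted decimal, an OSPF interface is left shut down or unrouted, or a virtual-link transit area is also stub or NSSA. The function name lint_ospf and the second, deliberately misconfigured transcript are constructed for illustration.

```python
import ipaddress


def _is_dotted(value):
    """True for a dotted-decimal 32-bit identifier such as 0.0.0.3."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def lint_ospf(transcript):
    """Check one device's CLI transcript against the rules stated in this chapter."""
    ifaces, current = {}, None
    router_id, networks, stubby, transit = None, [], set(), set()
    for line in transcript:
        cmd = line.split("# ", 1)[-1].split()  # drop the "Magnum 10RX(...)# " prompt
        if not cmd:
            continue
        if cmd[0] == "interface":
            current = " ".join(cmd[1:])
            ifaces.setdefault(current, {"ip": None, "shutdown": False, "routed": False})
        elif cmd == ["router", "ospf"]:
            current = None  # left interface configuration mode
        elif current and cmd in (["shutdown"], ["no", "shutdown"]):
            ifaces[current]["shutdown"] = cmd == ["shutdown"]
        elif current and cmd == ["no", "switchport"]:
            ifaces[current]["routed"] = True
        elif current and cmd[:2] == ["ip", "address"] and len(cmd) == 4:
            ifaces[current]["ip"] = cmd[2]
        elif cmd[0] == "router-id" and len(cmd) == 2:
            router_id = cmd[1]
        elif cmd[0] == "network" and len(cmd) == 4 and cmd[2] == "area":
            networks.append((cmd[1], cmd[3]))
        elif cmd[0] == "area" and len(cmd) >= 3 and cmd[2] in ("stub", "nssa"):
            stubby.add(cmd[1])
        elif cmd[0] == "area" and len(cmd) >= 4 and cmd[2] == "virtual-link":
            transit.add(cmd[1])

    by_ip = {i["ip"]: (name, i) for name, i in ifaces.items() if i["ip"]}
    findings = []
    if router_id is None:
        findings.append("no router-id command seen")
    elif router_id not in by_ip:
        findings.append(f"router-id {router_id} is not the address of a configured interface")
    for ip, area in networks:
        if not _is_dotted(area):
            findings.append(f"area ID {area!r} is not in dotted decimal notation")
        if ip not in by_ip:
            findings.append(f"network {ip}: no configured interface has this address")
            continue
        name, iface = by_ip[ip]
        if iface["shutdown"]:
            findings.append(f"{name} is assigned to area {area} but is still shut down")
        if not iface["routed"]:
            findings.append(f"{name} was never set to routed mode with 'no switchport'")
    for area in sorted(stubby & transit):
        findings.append(f"area {area} is a virtual-link transit area but is stub/NSSA")
    return findings


# The commands given for 10RX#1 in Section 10.5.1.
PAGE_10RX1 = [
    "Magnum 10RX# config",
    "Magnum 10RX(config)# interface gigabitethernet 2/1",
    "Magnum 10RX(config-if)# shutdown",
    "Magnum 10RX(config-if)# no switchport",
    "Magnum 10RX(config-if)# ip address 2.2.2.2 255.255.255.0",
    "Magnum 10RX(config-if)# no shutdown",
    "Magnum 10RX(config)# router ospf",
    "Magnum 10RX(config-router)# router-id 2.2.2.2",
    "Magnum 10RX(config-router)# network 2.2.2.2 area 0.0.0.0",
]

# Constructed, deliberately misconfigured transcript (prompts omitted).
BROKEN = [
    "interface gigabitethernet 3/2", "shutdown",
    "ip address 10.5.5.4 255.255.255.0",
    "router ospf", "router-id 10.5.5.5",
    "network 10.5.5.4 area 3", "network 10.5.5.9 area 0.0.0.3",
    "area 0.0.0.3 stub", "area 0.0.0.3 virtual-link 10.5.5.5",
]

if __name__ == "__main__":
    for finding in lint_ospf(BROKEN):
        print(finding)
```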

10.5.2 Creating Area 0.0.0.3

Area 0.0.0.3 will include participating interfaces on 10RX#2 and 10RX#3.

Configuring 10RX#2 in Area 0.0.0.3

Some device-wide configuration has already been done on 10RX#2 in configuring it for membership in Area 0.0.0.0. OSPF routing has been enabled on the device and it has a router ID. This means that only a subset of the steps defined for configuring interface 2.2.2.2 for Area 0.0.0.0 on 10RX#1, above, is needed to configure a second interface on 10RX#2.

While logged into 10RX#2 proceed to the CONFIGURE Commands prompt and execute the following seven commands. The first six of these commands replicate those described in steps 3-7 and 10 in “Creating Area 0.0.0.0” above.

1. Specify an interface to configure.

Magnum 10RX(config)# interface gigabitethernet 3/2

2. Disable the interface for the duration of the configuration.

Magnum 10RX(config-if)# shutdown

3. Specify OSI layer 3 routed interface status for this interface.

Magnum 10RX(config-if)# no switchport

4. Specify an IP address and a mask for this interface.

Magnum 10RX(config-if)# ip address 10.5.5.4 255.255.255.0

5. Re-enable the interface.

Magnum 10RX(config-if)# no shutdown

6. Assign the interface to an area.

Magnum 10RX(config-router)# network 10.5.5.4 area 0.0.0.3

7. Create a virtual link with 10RX#3.

Magnum 10RX(config-router)# area 0.0.0.3 virtual-link 10.5.5.5

Configuring 10RX#3 in Area 0.0.0.3

Log in to 10RX#3 and repeat the steps described for the initial configuration of 10RX#1, making the following changes to specifications in steps 3, 6, 9, and 10 and adding specification of a virtual link:

3. Specify an interface to configure (in this example Gigabit Ethernet port 3/2).

Magnum 10RX(config)# interface gigabitethernet 3/2

6. Specify an IP address and a mask for this interface.

Magnum 10RX(config-if)# ip address 10.5.5.5 255.255.255.0

9. Assign a router ID.

Magnum 10RX(config-router)# router-id 10.5.5.5

10. Assign the interface to an area.

Magnum 10RX(config-router)# network 10.5.5.5 area 0.0.0.3

11. Create a virtual link with 10RX#2.

Magnum 10RX(config-router)# area 0.0.0.3 virtual-link 2.2.2.1

OSPF Area 0.0.0.3 is now created with two participating interfaces: 10.5.5.4 on 10RX#2 and 10.5.5.5 on 10RX#3. A virtual link has been added between 10RX#2 and 10RX#3 to enable members of other areas to reach the backbone through Area 0.0.0.3. The progress of the creation of the network to this point is depicted in Figure 10-11.

Figure 10-11. Areas 0.0.0.0 and 0.0.0.3 Created

View the configuration details by executing the following command at the EXEC prompt.

Magnum 10RX# show ip ospf

View the OSPF interfaces by executing the following command at the EXEC prompt.

Magnum 10RX# show ip ospf interface

10.5.3 Creating Area 0.0.0.4

Area 0.0.0.4, a stub area, will include participating interfaces on 10RX#3 and 10RX#4.

Configuring 10RX#3 in Area 0.0.0.4

Some device-wide configuration has already been done on 10RX#3 in configuring it for membership in Area 0.0.0.3. OSPF routing has been enabled on the device and it has a router ID. This means that the same set of steps defined for configuring interface 10.5.5.4 for Area 0.0.0.3 on 10RX#2, above, can be used to configure a second interface on 10RX#3.

While logged into 10RX#3 proceed to the CONFIGURE Commands prompt and execute the following seven commands.

1. Specify an interface to configure.

Magnum 10RX(config)# interface gigabitethernet 7/1

2. Disable the interface for the duration of the configuration.

Magnum 10RX(config-if)# shutdown

3. Specify OSI layer 3 routed interface status for this interface.

Magnum 10RX(config-if)# no switchport

4. Specify an IP address and a mask for this interface.

Magnum 10RX(config-if)# ip address 10.8.0.5 255.255.255.0

5. Re-enable the interface.

Magnum 10RX(config-if)# no shutdown

6. Assign the interface to an area.

Magnum 10RX(config-router)# network 10.8.0.5 area 0.0.0.4

7. Configure the area as a stub.

Magnum 10RX(config-router)# area 0.0.0.4 stub

Configuring 10RX#4 in Area 0.0.0.4

Log in to 10RX#4 and repeat the steps described for the initial configuration of 10RX#1, making the following changes to specifications in steps 3, 6, 9, and 10 and adding an instruction to configure the area as a stub:

3. Specify an interface to configure.

Magnum 10RX(config)# interface gigabitethernet 7/1

6. Specify an IP address and a mask for this interface.

Magnum 10RX(config-if)# ip address 10.8.0.7 255.255.255.0

9. Assign a router ID.

Magnum 10RX(config-router)# router-id 10.8.0.7

10. Assign the interface to an area.

Magnum 10RX(config-router)# network 10.8.0.7 area 0.0.0.4

11. Configure the area as a stub.

Magnum 10RX(config-router)# area 0.0.0.4 stub

Figure 10-12 illustrates the network completed with the addition of area 0.0.0.4, which has two participating interfaces: 10.8.0.5 on 10RX#3 and 10.8.0.7 on 10RX#4.

Figure 10-12. Areas 0.0.0.0, 0.0.0.3, and 0.0.0.4 Created

View the configuration details by executing the following command at the EXEC prompt.

Magnum 10RX# show ip ospf

View the OSPF interfaces by executing the following command at the EXEC prompt.

Magnum 10RX# show ip ospf interface
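The design built in sections 10.5.1 to 10.5.3 can be checked for consistency before it is typed into four devices. The following is an added example, not part of the original guide or of INOS: the router IDs, areas, stub settings and virtual links are the ones configured above, while the data model and function names are hypothetical.

```python
from dataclasses import dataclass, field

BACKBONE = "0.0.0.0"


@dataclass
class Router:
    name: str
    router_id: str
    areas: set                                    # from `network <ip> area <id>`
    stub: set = field(default_factory=set)        # from `area <id> stub`
    vlinks: list = field(default_factory=list)    # (transit area, peer router ID)


def reaches_backbone(router, by_id, seen=None):
    """True if the router sits in area 0.0.0.0 or reaches it over virtual links."""
    seen = set() if seen is None else seen
    if BACKBONE in router.areas:
        return True
    seen.add(router.router_id)
    for _transit, peer_id in router.vlinks:
        peer = by_id.get(peer_id)
        if peer and peer.router_id not in seen and reaches_backbone(peer, by_id, seen):
            return True
    return False


def check_design(routers):
    """Return a list of findings; an empty list means the design is consistent."""
    by_id = {r.router_id: r for r in routers}
    findings = []
    for r in routers:
        for transit, peer_id in r.vlinks:
            peer = by_id.get(peer_id)
            if peer is None:
                findings.append(f"{r.name}: virtual-link peer {peer_id} is not a known router ID")
                continue
            if transit not in r.areas or transit not in peer.areas:
                findings.append(f"{r.name}: transit area {transit} is not shared with {peer.name}")
            if transit in r.stub or transit in peer.stub:
                findings.append(f"{r.name}: transit area {transit} is a stub area")
            if (transit, r.router_id) not in peer.vlinks:
                findings.append(f"{r.name}: {peer.name} has no virtual-link back to {r.router_id}")
        # A router with interfaces in several areas must reach the backbone.
        if len(r.areas) > 1 and not reaches_backbone(r, by_id):
            findings.append(f"{r.name}: border router with no path to area {BACKBONE}")
    # Every router in an area must agree on whether that area is a stub.
    for area in sorted({a for r in routers for a in r.areas}):
        members = [r for r in routers if area in r.areas]
        flagged = [r.name for r in members if area in r.stub]
        if flagged and len(flagged) != len(members):
            findings.append(f"area {area}: stub set only on {', '.join(flagged)}")
    return findings


def page_topology():
    """The four routers exactly as configured in sections 10.5.1 to 10.5.3."""
    return [
        Router("10RX#1", "2.2.2.2", {"0.0.0.0"}),
        Router("10RX#2", "2.2.2.1", {"0.0.0.0", "0.0.0.3"},
               vlinks=[("0.0.0.3", "10.5.5.5")]),
        Router("10RX#3", "10.5.5.5", {"0.0.0.3", "0.0.0.4"},
               stub={"0.0.0.4"}, vlinks=[("0.0.0.3", "2.2.2.1")]),
        Router("10RX#4", "10.8.0.7", {"0.0.0.4"}, stub={"0.0.0.4"}),
    ]


if __name__ == "__main__":
    print("as documented:", check_design(page_topology()) or "consistent")
    broken = page_topology()
    broken[2].vlinks.clear()   # virtual link forgotten on 10RX#3
    broken[3].stub.clear()     # stub statement forgotten on 10RX#4
    for finding in check_design(broken):
        print("finding:", finding)
```

The second run shows why both ends of the virtual link and both stub statements are part of the procedure: dropping either leaves 10RX#3 without a path to the backbone or leaves Area 0.0.0.4 with mismatched settings.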

Chapter 11 BGP

Border Gateway Protocol (BGP) is a protocol for routing traffic between autonomous systems (AS). An autonomous system is a set of routers under a single technical administration, such as a set of routers in a power utility substation or routers controlled by a particular organization or service provider. BGP is the core routing protocol of the Internet. BGP routers (or “speakers”) communicate through TCP connections. The latest version of BGP is BGP4. This is defined in RFC 4271 and is the version supported in the INOS implementation.

BGP is a type of External Gateway Protocol (EGP). Within an autonomous system other protocols, such as RIP, OSPF, or IS-IS, are used to communicate information. These are Internal Gateway Protocols (IGP). Standards have been defined for an external (inter-AS) version of BGP called eBGP, and for an internal (intra-AS) version called iBGP. The INOS implementation of BGP supports the eBGP standard and the iBGP standard.

A BGP speaker keeps its neighbor(s) informed of the subnets to which it can provide access by exchanging a stream of messages with them.

11.1 BGP Configuration in the CLI

The following sections describe the CLI commands to use for basic BGP configuration.

11.1.1 Enabling and Disabling BGP

Use the router bgp command in Global Configuration mode to specify the autonomous system number for the device. This enables BGP globally in the current device and causes the system to display the Magnum 10RX(config-router)# prompt and to enter into BGP Router Configuration mode. Executing the help command will display a list of BGP-specific commands available in this mode.

Command syntax:

router bgp as-number

Where:

as-number is a numerical value specifying an autonomous system.

Example:

Magnum 10RX(config)# router bgp 10

Magnum 10RX(config-router)#

This command specifies AS 10, creating it if it does not already exist. Subsequent commands in the BGP Router Configuration session will modify this AS.

Valid range: 1-65535

The no router bgp command disables BGP globally.

11.1.2 Specifying BGP Router ID

Use the bgp router-id command in BGP Router Configuration mode to assign a router ID. The BGP Router ID is a unique identifier in IPv4 dotted decimal notation used as a tie-breaker for BGP path selection. Network designers typically choose an IP address already assigned to the router as the BGP Router ID. If a BGP Router ID is not manually configured, the software will automatically choose a BGP Router ID from the configured IP addresses. To manually configure the BGP Router ID use the bgp router-id command from the Magnum 10RX(config-router)# prompt.

Command syntax:

bgp router-id xxx.xxx.xxx.xxx

Where:

xxx.xxx.xxx.xxx is a valid IP address in IPv4 format.

Example:

Magnum 10RX(config-router)# bgp router-id 192.168.10.2

Default value: configuration is automatically selected from configured IP addresses.

The no bgp router-id command resets the BGP Identifier of the BGP speaker to the default value.

11.1.3 Specifying a BGP Neighbor

Use the neighbor command in BGP Router Configuration mode to configure a BGP neighbor. Unlike RIP and OSPF, BGP does not automatically discover its neighbors. You must configure the IP address and AS number of each BGP neighbor.

Command syntax:

neighbor xxx.xxx.xxx.xxx remote-as as-number

Where:

xxx.xxx.xxx.xxx is a valid IP address in IPv4 format specifying a neighbor device.

as-number is a numerical value specifying the autonomous system to which the neighbor belongs.

Example:

Magnum 10RX(config-router)# neighbor 192.168.10.3 remote-as 11

The no neighbor xxx.xxx.xxx.xxx remote-as as-number command deletes configuration of the specified neighbor.

11.1.4 Displaying Neighbor Status

Use the show ip bgp neighbor command in Exec Commands mode to display information about a neighbor. Once a neighbor is correctly configured, the router will open a TCP connection to that neighbor for the purpose of exchanging BGP messages. To check the status of all neighbors use the command without arguments or supply the IP address of a specific neighbor to view the status of that neighbor only.

Command syntax:

show ip bgp neighbor

Example:

Magnum 10RX# show ip bgp neighbor

This command causes the display of information as in Figure 11-1:

BGP neighbor is 192.168.30.3, remote AS 11, external link
BGP version 4, remote router ID 192.168.30.3
BGP state = Established, up for 11 minutes 11 seconds
Configured BGP Maximum Prefix Limit 100
Configured Connect Retry Count 5
Current Connect Retry Count 0
Peer Passive : DISABLED
Peer Status : NOT DAMPED
Rcvd update before 0 secs, hold time is 40, keepalive interval is 13 secs
Neighbors Capability:
Route-Refresh: Advertised and received
Address family IPv4 Unicast: Advertised and received
Received 70 messages, 0 Updates
Sent 50 messages, 0 Updates
Route refresh: Received 0, sent 0.
Minimum time between advertisement runs is 30 seconds
Connections established 1 time(s)
Local host: 192.168.30.2, Local port: 179
Foreign host: 192.168.30.3, Foreign port: 1098
Last Error: Code 0, SubCode 0.

Figure 11-1. show ip bgp neighbor command output

11.1.5 Resetting a BGP Session

Use the clear ip bgp command in Exec Commands mode to reset a BGP session. After you make routing policy changes in BGP you must reset the relevant peer.

Command syntax:

clear ip bgp {xxx.xxx.xxx.xxx | peer-group | *}

Where:

xxx.xxx.xxx.xxx is the IP address of a configured BGP peer.

peer-group is the name of a configured BGP peer group.

* represents all BGP peers.

Example:

Magnum 10RX# clear ip bgp 192.168.10.3

This command restarts a BGP session with the peer specified by 192.168.10.3 and causes the exchange of updated configuration information.

11.1.6 Redistributing Routes

Use the redistribute command in BGP Router Configuration mode to specify the types of routing information that should be redistributed. BGP does not exchange routes automatically. Even route information for directly connected networks is not exchanged without explicit configuration. You must choose which types of routes to redistribute.

Command syntax:

redistribute {all | connected | ospf | rip | static}

Where:

all specifies the exchange of all routing information.

connected specifies the exchange of routing information on all directly connected networks.

ospf specifies the exchange of routing information learned with the OSPF protocol.

rip specifies the exchange of routing information learned with the RIP protocol.

static specifies the exchange of routing information that is statically configured.

Example:

Magnum 10RX(config-router)# redistribute all

The no redistribute protocol command prohibits redistribution of routing information from the specified protocol.

11.1.7 Minimizing Route Table Size Using Aggregates

Use the aggregate-address command in BGP Router Configuration mode to specify an aggregation of routes. You can use address aggregation to combine the advertisement of a number of specific routes into the advertisement of a single route that is a supernet of the more-specific routes.

If the summary-only option is used, the advertisement of any specific routes for the aggregate is suppressed and only the aggregate route is advertised. Otherwise, both the aggregate and the specific routes are advertised.

Command syntax:

aggregate-address index index-val ipv4-supernet pref-len [summary-only]

Where:

index-val is a numerical value that uniquely identifies the aggregation.

ipv4-supernet is the IPv4 supernet address.

pref-len is the CIDR address mask for the supernet.

summary-only specifies that only the address of the aggregate is advertised.

Example:

Magnum 10RX(config-router)# aggregate-address index 1 192.168.0.0 16 summary-only

This command advertises the supernet 192.168.0.0/16 and suppresses the aggregated subnets. An example of a suppressed subnet is 192.168.1.0/24.

Valid range for index-val: 1-100

The no aggregate-address index index-val command deletes the aggregate specified by index-val.

NOTE: For an aggregate route to be advertised to a peer, the router must have at least one specific route for that aggregate.

11.1.8 Specifying Administrative Distance

Use the distance bgp command in BGP Router Configuration mode to specify the BGP administrative distance. When the same route prefix is learned from multiple sources the administrative distance value is used as a tie-breaker when selecting the active route. Setting the BGP administrative distance allows you to indicate the preference of routes learned via BGP relative to routes from other sources such as RIP, OSPF, or static configuration. The administrative distance value is in a range of 1-255. Lower values are preferred.

NOTE: An administrative distance value of 255 would indicate that no route supplied by this protocol should be trusted.

Command syntax:

distance bgp dist-val

Where:

dist-val is a numerical value specifying the administrative distance for routes learned with the BGP protocol.

Example:

Magnum 10RX(config-router)# distance 50

This command specifies that in the AS being configured routes learned with the BGP protocol will have a distance value of 50.

Valid range for dist-val: 1-255

Default value (BGP): 20

The standard default administrative distance values for routes learned in other protocols are listed in Table 11-1.

Table 11-1. Administrative Distance Values: Protocol Defaults

Protocol               Value
Connected interface    0
Static route           1
EIGRP summary route    5
BGP                    20
Internal EIGRP         90
IGRP                   100
OSPF                   110
IS-IS                  115
RIP                    120
EGP                    140
ODR                    160
External EIGRP         170
Internal BGP           200
Unknown*               255

11.1.9 Filtering Routes

Use the bgp update-filter command in BGP Router Configuration mode to filter routes that are advertised to specific BGP peers. Filters are evaluated in order according to their configured index. Each filter entry can either permit or deny a route based on whether or not it matches the specified remote AS, route prefix, and prefix length.

Specifying a 0 for remote AS, route prefix, or prefix length indicates a wild card for the purposes of a match. A list of intermediate ASs can also optionally be specified as match criteria.

Command syntax:

bgp update-filter index {permit | deny} remote-as as-num route-pref pref-len [intermediate-as as-list] direction {in | out}

Where:

index is a numerical value that uniquely identifies the filter.

permit is a keyword signifying that this filter causes a matching route to be included in UPDATE messages.

deny is a keyword signifying that this filter causes a matching route to be excluded from UPDATE messages.

as-num is a numerical value specifying the remote AS to match.

route-pref is the IPv4 route prefix to match in the form A.B.C.D.

pref-len is the CIDR address mask specifying the length of the prefix to match.

as-list is a string containing a comma-delimited list of intermediate ASs to match.

in is a keyword signifying that this filter applies to incoming UPDATE messages.

out is a keyword signifying that this filter applies to outgoing UPDATE messages.

Examples:

The following figures provide examples of outbound and inbound filters.

The commands in Figure 11-2 specify that all routes except for routes with prefix 192.168.0.0 going to AS 200 should be excluded from outgoing UPDATE messages.

Magnum 10RX(config-router)# bgp update-filter 1 permit remote-as 200 192.168.0.0 16 direction out
Magnum 10RX(config-router)# bgp update-filter 1 deny remote-as 0 0.0.0.0 0 direction out

Figure 11-2. BGP update-filter outbound example
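The index-ordered evaluation described in this section can be traced offline before a filter set is applied to a live peer. The following is an added example, not INOS code; it runs the outbound rules of Figure 11-2 and the inbound rules of Figure 11-3, renumbered 1 and 2 because the guide defines the index as unique per filter. It assumes that the first matching filter decides, that a route matching no filter is permitted, and that a filter prefix also matches its more-specific routes; the optional intermediate-as list is left out.

```python
import ipaddress
import re
from dataclasses import dataclass

# The page's command syntax, without the optional intermediate-as list.
CMD = re.compile(
    r"bgp update-filter (\d+) (permit|deny) remote-as (\d+) "
    r"(\d+\.\d+\.\d+\.\d+) (\d+) direction (in|out)\s*$"
)


@dataclass(frozen=True)
class UpdateFilter:
    index: int
    action: str
    remote_as: int
    prefix: str
    length: int
    direction: str

    def matches(self, peer_as, route, direction):
        if direction != self.direction:
            return False
        if self.remote_as != 0 and self.remote_as != peer_as:   # 0 = any AS
            return False
        if self.prefix == "0.0.0.0" or self.length == 0:        # 0 = wild card
            return True
        covering = ipaddress.ip_network(f"{self.prefix}/{self.length}", strict=False)
        # Assumption: the filter matches the prefix and its more-specifics.
        return ipaddress.ip_network(route).subnet_of(covering)


def load_filters(lines):
    """Parse CLI lines into filters sorted by index; reject reused indexes."""
    filters = {}
    for line in lines:
        m = CMD.search(line)
        if not m:
            raise ValueError(f"not an update-filter command: {line!r}")
        index, action, remote_as, prefix, length, direction = m.groups()
        index = int(index)
        if not 1 <= index <= 100:                # valid range stated in the guide
            raise ValueError(f"index {index} outside 1-100")
        if index in filters:
            raise ValueError(f"index {index} is used twice")
        filters[index] = UpdateFilter(index, action, int(remote_as),
                                      prefix, int(length), direction)
    return [filters[i] for i in sorted(filters)]


def permitted(filters, peer_as, route, direction):
    """First matching filter decides; no match is treated as permit (assumption)."""
    for f in filters:
        if f.matches(peer_as, route, direction):
            return f.action == "permit"
    return True


# Figure 11-2 and Figure 11-3 commands, second index changed from 1 to 2.
OUTBOUND = [
    "Magnum 10RX(config-router)# bgp update-filter 1 permit remote-as 200 192.168.0.0 16 direction out",
    "Magnum 10RX(config-router)# bgp update-filter 2 deny remote-as 0 0.0.0.0 0 direction out",
]
INBOUND = [
    "Magnum 10RX(config-router)# bgp update-filter 1 permit remote-as 0 192.168.5.0 24 direction in",
    "Magnum 10RX(config-router)# bgp update-filter 2 deny remote-as 0 192.168.0.0 16 direction in",
]

if __name__ == "__main__":
    out, inn = load_filters(OUTBOUND), load_filters(INBOUND)
    # Constructed sample routes: (peer AS, prefix).
    for peer_as, route in [(200, "192.168.7.0/24"), (300, "192.168.7.0/24"), (200, "10.1.0.0/16")]:
        print("out", peer_as, route, "permit" if permitted(out, peer_as, route, "out") else "deny")
    for route in ["192.168.5.0/24", "192.168.9.0/24", "10.0.0.0/8"]:
        print("in ", route, "permit" if permitted(inn, 11, route, "in") else "deny")
```

Swapping the two inbound indexes makes the broader deny match first, so 192.168.5.0/24 is dropped as well; the narrow permit has to carry the lower index.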

The commands in Figure 11-3 specify that all routes with prefix 192.168.0.0 except for 192.168.5.0 should be excluded from incoming UPDATE messages.

Magnum 10RX(config-router)# bgp update-filter 1 permit remote-as 0 192.168.5.0 24 direction in
Magnum 10RX(config-router)# bgp update-filter 1 deny remote-as 0 192.168.0.0 16 direction in

Figure 11-3. BGP update-filter inbound example

Valid range for index: 1-100

The no bgp update-filter index command deletes the filter specified by index.

Use the show ip bgp filters command in Exec Commands mode to view configured filters.

11.1.10 Defining Policies Using Communities

BGP communities are a way of classifying destinations so that routing policy decisions can be applied consistently across the entire classification group. For example, specific learned routes can be pattern matched and classified by one BGP speaker by assigning a community value to those routes. When that speaker sends an UPDATE message to one of its peers, all of the classified routes are sent with the community attribute attached. The peer receiving the routes with the attached community attribute can then use that classification information to make decisions on how to filter the routes. This allows better scaling of BGP routing policy since the filtering BGP router does not need to have specific filter rules for each of the destinations. It only needs one filter rule based on the community.

11.1.10.1 Assigning Routes to a Community

Use the bgp comm-route command in BGP Router Configuration mode to assign a destination to a community.

Command syntax:

bgp comm-route {additive | delete} pref-val pref-len comm-value comm-val

Where:

additive is a keyword signifying that the specified route is added to the community.

delete is a keyword signifying that the specified route is deleted from the community.

pref-val is the IPv4 route prefix.

pref-len is the CIDR address mask specifying the length in bits of the route subnet.

comm-val is a numerical community attribute value.

Example:

Magnum 10RX(config-router)# bgp comm-route additive 192.168.1.0 24 comm-value 6553700

This command classifies the prefix 192.168.1.0/24 into the community 100:100 (decimal 6553700).

Valid range for comm-val: 1-4294967295

The no bgp comm-route route-spec command deletes the specified route from the additive or the delete community table.

Use the show ip bgp community route command in Exec Commands mode to view configured community routes.

11.1.10.2 Defining Policies for a Community

Use the bgp comm-policy command in BGP Router Configuration mode to define the policy for handling received routes that are already assigned to a community.

Command syntax:

bgp comm-policy pref-val pref-len {modify | set-add | set-none}

Where:

pref-val is the IPv4 route prefix.

pref-len is the CIDR address mask specifying the length in bits of the route subnet.

modify removes the route with received delete communities and adds the additive communities.

set-add sends only the configured additive communities.

set-none sends the route without any communities.

Example:

Magnum 10RX(config-router)# bgp comm-policy 192.168.1.0 24 set-add

This command instructs the router to ignore any received communities for 192.168.1.0/24 and only send the community that was assigned locally via the bgp comm-route command.

The no bgp comm-policy pref-val pref-len command removes the community attribute advertisement policy for the specified destination.

Use the show ip bgp community policy command in Exec Commands mode to view configured community policies.

11.1.10.3 Defining Filters for a Community

Use the bgp comm-filter command in BGP Router Configuration mode to define filter rules for the community.

Command syntax:

bgp comm-filter comm-val {permit | deny} {in | out}

Where:

comm-val is a numerical community attribute value.

permit specifies that routes that are part of the community are allowed.

deny specifies that routes that are part of the community are not allowed.

in specifies that the rule applies to routes received via an UPDATE message from a peer.

out specifies that the rule applies to routes sent in an UPDATE message to a peer.

Example:

Magnum 10RX(config-router)# bgp comm-filter 6553900 deny out

This command excludes routes in community 100:300 (decimal 6553900) from outgoing UPDATE messages.

Valid range for comm-val: 1-4294967295

The no bgp comm-filter comm-spec command removes the filter policy for the community attribute.

Use the show ip bgp community filter command in Exec Commands mode to view configured community filters.

11.1.11 Specifying a Router's Default Local Preference

Use the bgp default local-preference command in BGP Router Configuration mode to specify a default preferred exit path from the AS for the router.

When you are running BGP there may be more than one router in your AS connected to other external autonomous systems. Setting the default local preference of a router indicates the preferred path for exiting the AS. That is, if two local routers have a path to a remote network through an external AS, the router with the higher local preference will be used as the exit path from the AS.

Command syntax:

bgp default local-preference pref-val

Where:

pref-val is an integer expressing a preference value. A higher value is preferred to a lesser value.

Example:

Magnum 10RX(config-router)# bgp default local-preference 200

Valid range: 0-2147483647

Default value: 100

The no bgp default local-preference command specifies the default.

Use the show ip bgp local-pref command to view information about local preference configuration.

11.1.12 Specifying a Local Preference

Use the bgp local-preference command in BGP Router Configuration mode to specify a preferred exit path from the AS for the configured route.

Command syntax:

bgp local-preference pref-val remote-as as-num ipaddr pref-len [intermediate-as as-list] value met-val direction {in|out} [override]

Where:

pref-val is the route prefix to which the metric applies.

as-num is the AS number of the BGP peer associated with the route prefix.

ipaddr is the route prefix on which the local policy preference is to be applied.

pref-len is the length of the route prefix.

as-list is an optional comma-delimited list of intermediate ASs.

met-val is the value of the metric to assign to routes matching all of the specified criteria.

in applies the rule to routes received from peers via UPDATE messages.

out applies the rule to routes sent to peers via UPDATE messages.

override tells the router that the configured metric should override any received metric.

Example:

Magnum 10RX(config-router)# bgp local-preference 10 remote-as 100 12.0.0.0 16 intermediate-as 200,325 value 33 direction in override

Default values:

remote-as — 0

direction — in

value — 100

ipaddr — 0.0.0.0

pref-len — 0

Valid ranges:

remote-as — 0-65535

value — 0-2147483647

ipaddr — 0.0.0.0

pref-len — 0-32

The no bgp local-preference command specifies the default.

Use the show ip bgp local-pref command to view information about local preference configuration.

11.1.13 Specifying a Metric or Multi-exit Discriminator

BGP can be used to create redundant connections between autonomous systems. In this case there will be more than one path that an external AS may use to enter your AS. You can provide a hint to the external AS about the preferred path by setting the metric attribute, also known as the Multi-Exit Discriminator (MED).

Suppose you have two EBGP speakers in your AS (200), router A and router B, and that both of these routers are connected to an external AS (100) via a third EBGP speaker, router C. Router A and B are also participating in an IGP such as RIP or OSPF and redistributing the IGP routes into the external AS via router C. You can use the default-metric command to tell router C which path (through router A or through router B) is the preferred path into your AS.

11.1.13.1 Specifying a Default Metric

Use the default-metric command in BGP Router Configuration mode to tell a router which path is the preferred path into your AS.

Command syntax:

default-metric met-val

Where:

met-val is an integer specifying the default IGP metric value.

Example:

The following command line examples show how to set up router A and router B so that router A is the preferred path into AS 200. If router A were to fail, then the path through router B would be used. In this example, RIP is assumed to be the IGP, but OSPF could also be used.

The commands in Figure 11-4 configure router A.

Magnum 10RX(config)# router bgp 200

Magnum 10RX(config-router)# default-metric 10

Magnum 10RX(config-router)# redistribute rip

Figure 11-4. BGP default-metric configuration, router A

The commands in Figure 11-5 configure router B.

Magnum 10RX(config)# router bgp 200

Magnum 10RX(config-router)# default-metric 20

Magnum 10RX(config-router)# redistribute rip

Figure 11-5. BGP default-metric configuration, router B

Default value: 0

The no default-metric command specifies the default.

Use the show ip bgp info command to view information about BGP configuration.

11.1.13.2 Assigning Metrics to Specific Routes

Use the bgp med command in BGP Router Configuration mode to specify metrics for routes with specific criteria such as prefix, remote AS, and intermediate autonomous systems.

Command syntax:

bgp med med-index remote-as as-number pref-val pref-len [intermediate-as as-list] value met-val direction {in | out} [override]

Where:

med-index is an integer to identify this rule.

as-number is an integer to identify the remote AS to which the metric applies.

pref-val is the route prefix to which the metric applies.

pref-len is the length of the route prefix.

as-list is an optional comma-delimited list of intermediate ASs.

met-val is the value of the metric to assign to routes matching all of the specified criteria.

in applies the rule to routes received from peers via UPDATE messages.

out applies the rule to routes sent to peers via UPDATE messages.

override tells the router that the configured metric should override any received metric.

Example:

Magnum 10RX(config-router)# bgp med 1 remote-as 100 192.168.1.0 24 value 25 direction out

This command sets the metric to 25 for the 192.168.1.0/24 prefix sent to AS 100.

Valid range, MED: 1-100

Default, MED: 0

Use the show ip bgp med command to view information about BGP MED configuration.


11.1.13.3 Forcing a MED Comparison

Use the bgp always-compare-med command in BGP Router Configuration mode to compare metrics from two different ASs.

By default, an eBGP speaker will not compare metrics from two different autonomous systems. The bgp always-compare-med command forces the router to do this comparison. This is useful if there is a redundant path to a network through two different autonomous systems and you want to indicate which path is preferred by setting the metric.

Example:

Magnum 10RX(config-router)# bgp always-compare-med

The no bgp always-compare-med command disables MED comparison.

Use the show ip bgp info command to view information about BGP configuration.

11.1.14 Using a Loopback as a BGP Endpoint

Use the neighbor update-source command in BGP Router Configuration mode to specify a loopback interface.

It is common in iBGP to use a loopback interface as the TCP endpoint of a BGP session. This allows the router to maintain connectivity with its neighbors even in the face of network failures. As long as the IGP is able to find a path between the two iBGP neighbors, the BGP session will remain active. If an actual IP interface were used as the endpoint and that interface went down, the BGP session would be terminated. To tell BGP to use a specific IP address as its local endpoint, use the update-source keyword in the bgp neighbor command.

Command syntax:

neighbor xxx.xxx.xxx.xxx update-source yyy.yyy.yyy.yyy

Where:

xxx.xxx.xxx.xxx is a valid IP address in IPv4 format specifying a neighbor device.

yyy.yyy.yyy.yyy is a valid IP address in IPv4 format specifying a loopback interface.

Example:

Figure 11-6 illustrates implementation of a loopback interface as a BGP endpoint from the configuration of the loopback interface to the execution of the update-source command.

Magnum 10RX(config)# interface loopback 1

Magnum 10RX(config-if)# ip address 192.168.91.1 255.255.255.255

Magnum 10RX(config-if)# no shutdown

Magnum 10RX(config-if)# exit

Magnum 10RX(config)# router bgp 1

Magnum 10RX(config-router)# neighbor 192.168.90.2 update-source 192.168.91.1

Figure 11-6. show ip bgp neighbor command output

11.1.15 Using eBGP Without a Direct Connection

Use the neighbor ebgp-multihop command in BGP Router Configuration mode to notify eBGP that neighbors are not directly connected.

Sometimes it is necessary to connect two eBGP neighbors that are not directly connected. In this case, some other routing information (for example, a static route) will be necessary so that the two peers know the path on which to communicate. By default, eBGP expects to be directly connected to its neighbor. To tell eBGP that the neighbor is not directly connected, use the ebgp-multihop keyword in the neighbor command.

In contrast, iBGP speakers do not assume they are directly connected to their neighbor. Static routes or an IGP are typically needed to provide route information for finding a path between the two speakers.

Command syntax:

neighbor xxx.xxx.xxx.xxx ebgp-multihop

Where:

xxx.xxx.xxx.xxx is the IP address of the BGP-speaking neighbor.

Example:

Magnum 10RX(config-router)# bgp neighbor 192.168.99.9 ebgp-multihop

The no bgp neighbor xxx.xxx.xxx.xxx ebgp-multihop command negates a multihop specification.

11.1.16 Setting Up a BGP Route Reflector

To enable BGP route reflection, use the neighbor route-reflector-client command in BGP Router Configuration mode to specify each of the route reflector's clients. BGP normally requires full mesh connectivity between all iBGP speakers in an AS because iBGP speakers are not allowed to advertise routes learned from another iBGP speaker. BGP route reflection allows you to relax this restriction to some degree so that a full iBGP mesh is not necessarily required in order to run iBGP.

A BGP route reflector is an iBGP speaker that only advertises routes learned from other iBGP speakers to its configured clients. A BGP route reflector "cluster" is a route reflector plus all of its clients. The following rules are followed by a route reflector:

1. Routes from a BGP peer that is not a client are reflected to all of the clients within the cluster.

2. Routes from a BGP peer that is a client are advertised to all other peers (clients and non-clients).

3. Routes from an eBGP peer are advertised to all other peers (clients and non-clients).
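The three reflection rules can be exercised on a small topology to see which routers end up holding a route with and without route-reflector-client configured. The following Python sketch is an added example, not INOS code; the router names (RR, C1, C2, N1, E1), the session maps and the simplified propagation model (no best-path selection or loop-prevention attributes) are assumptions made for illustration.

```python
from collections import deque

# Session kinds as seen from the local speaker:
#   "ebgp"   - external peer
#   "ibgp"   - internal peer that is not a route-reflector client
#   "client" - internal peer configured with route-reflector-client


def advertise_targets(sessions, learned_from):
    """Return the set of peers a speaker advertises a route to.

    sessions maps peer name -> session kind. learned_from is the peer the
    route came from, or None when the speaker originates the route itself.
    """
    others = {p: kind for p, kind in sessions.items() if p != learned_from}
    source_kind = sessions.get(learned_from)
    if source_kind in (None, "ebgp", "client"):
        # Rules 2 and 3 (and locally originated routes): all other peers.
        return set(others)
    # Learned from a non-client iBGP peer. Rule 1: reflect to clients only.
    # A speaker with no clients therefore passes the route to no iBGP peer,
    # which is the ordinary iBGP restriction; eBGP peers still receive it.
    return {p for p, kind in others.items() if kind in ("client", "ebgp")}


def propagate(topology, origin):
    """Return every router that ends up holding a route originated at origin."""
    holders = {origin}
    sent = set()                       # (sender, receiver) pairs already used
    queue = deque([(origin, None)])
    while queue:
        router, learned_from = queue.popleft()
        for peer in advertise_targets(topology[router], learned_from):
            if (router, peer) not in sent:
                sent.add((router, peer))
                holders.add(peer)
                queue.append((peer, router))
    return holders


# Constructed topology: RR, C1, C2 and N1 share one AS without a full mesh;
# E1 is an external peer of C1. Only RR has sessions to C2 and N1.
WITH_REFLECTION = {
    "E1": {"C1": "ebgp"},
    "C1": {"E1": "ebgp", "RR": "ibgp"},
    "C2": {"RR": "ibgp"},
    "N1": {"RR": "ibgp"},
    "RR": {"C1": "client", "C2": "client", "N1": "ibgp"},
}

# Same sessions, but RR has no route-reflector-client statements.
WITHOUT_REFLECTION = dict(WITH_REFLECTION,
                          RR={"C1": "ibgp", "C2": "ibgp", "N1": "ibgp"})

if __name__ == "__main__":
    for name, topo in (("with reflection", WITH_REFLECTION),
                       ("without reflection", WITHOUT_REFLECTION)):
        for origin in ("E1", "N1"):
            print(name, origin, sorted(propagate(topo, origin)))
```

Without the client statements the route from E1 stops at RR, so C2 and N1 never learn it; that gap is what a full iBGP mesh or a route reflector has to close.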

Command syntax:

neighbor [xxx.xxx.xxx.xxx | group-name] route-reflector-client

Where:

xxx.xxx.xxx.xxx is the IP address of the remote peer.

group-name is the name of a configured peer group.

Example:

The commands illustrated in Figure 11-7 peer with the iBGP speaker at 1.1.1.1 in AS 100 and reflect routes for that speaker.

Magnum 10RX(config)# router bgp 100

Magnum 10RX(config-router)# neighbor 1.1.1.1 remote-as 100

Magnum 10RX(config-router)# neighbor 1.1.1.1 route-reflector-client

Figure 11-7. route reflector configuration

The no neighbor route-reflector-client command resets the peer as a conventional BGP peer.

Use the show ip bgp rfl info command to view information about reflector configuration.

11.1.17 Setting Up a BGP Confederation

iBGP normally requires full mesh connectivity between all iBGP speakers in an AS. A BGP confederation allows you to break a large AS into multiple smaller ASs that speak eBGP but exchange routing as if they used iBGP. In this way the full mesh requirement is relaxed, but information like next hop, metric, and local preference is preserved within the confederation. In addition, the confederation looks like a single AS to eBGP speakers outside the confederation.

The AS number of the confederation is the confederation identifier. This identifier must be configured on each eBGP speaker in the confederation.

11.1.17.1 Configuring the BGP Confederation Identifier

To configure the confederation identifier use the bgp confederation identifier command.

Command syntax:

bgp confederation identifier as-num

Where:

as-num is a numerical value uniquely identifying this confederation.

Example:

The commands illustrated in Figure 11-8 associate AS 50 with confederation 200.

Magnum 10RX(config)# router bgp 50

Magnum 10RX(config-router)# bgp confederation identifier 200

Figure 11-8. associating an AS with a confederation

Valid range: 1-65535

The no confederation identifier command deletes the confederation identifier.

Use the show ip bgp confed info command to view information about confederation configuration.

11.1.17.2 Specifying Confederation Members

Use the bgp confederation peers command in BGP Router Configuration mode to configure the ASs that are inside the confederation. Each eBGP speaker in the confederation needs to distinguish between ASs that are inside the confederation and ASs that are outside the confederation.

Command syntax:

bgp confederation peers as-num

Where:

as-num is a numerical value specifying an AS within the confederation.

Example:

The commands illustrated in Figure 11-9 configure a router in AS 50 to be aware that AS 40 and AS 60 are also members of the confederation.

Magnum 10RX(config)# router bgp 50

Magnum 10RX(config-router)# bgp confederation peer 40

Magnum 10RX(config-router)# bgp confederation peer 60

Figure 11-9. associating an AS with a confederation

Valid range: 1-65535

The no confederation peers as-num command removes the AS specified by as-num from the confederation.

Use the show ip bgp confed info command to view information about confederation configuration.

11.1.18 Synchronizing iBGP With an IGP

Use the synchronization command in BGP Router Configuration mode to enable synchronization.

If you are using iBGP to forward traffic between two other autonomous systems you should enable synchronization. When synchronization is enabled, iBGP will not advertise a route that it learns from another AS until that route has been completely propagated to all other routers in the AS via an IGP. If synchronization is not enabled in this scenario there may be cases where intermediate routers in the AS will not know how to forward traffic to one of the external ASs.

Command syntax:

synchronization

Example:

Magnum 10RX(config-router)# synchronization

Default value: disabled

The no synchronization command specifies the default.

11.2 BGP Configuration in the GUI

The following sections describe the screens available in the INOS GUI to configure BGP.

11.2.1 BGP Basic Settings

In the GUI go to the Layer 3 Management: BGP: BGP Basic Settings tab to specify basic BGP parameters, as illustrated in Figure 11-10.

Figure 11-10. BGP Basic Settings Screen

The BGP Basic Settings screen lets you enable or disable BGP in the switch, and specify an Autonomous System (AS) number and a local preference value. Make your selections and click the Apply button for your specification to take effect.

Table 11-2. BGP Basic Settings Fields

Parameter: Status

Description: Whether or not BGP is enabled in the system. Options are Enabled and Disabled.

Default value: Disabled

Note: The BGP system can be enabled only if the local AS number is configured.

See also: Section 11.1.1

Parameter: AS Number

Description: The local AS number.

Default value: 0

Valid range: 0-65535

Note: This value can be configured only if the state of the BGP system is set as Disabled.

See also: Section 11.1.1

Parameter: Default Local Preference

Description: A value indicating strength of preference as a path for exiting the AS. That is, if two local routers have a path to a remote network through an external AS, the router with the higher local preference will be used as the exit path from the AS.

Default value: 100

Valid range: 2147483647

See also: Section 11.1.11

11.2.2 BGP Neighbor Configuration

In the GUI go to the Layer 3 Management: BGP: Neighbors tab to configure a BGP peer, as illustrated in Figure 11-11.

Figure 11-11. BGP Neighbor Configuration Screen

In BGP a peer is a neighbor (that is, another reachable device) configured for BGP communication with the current device.

The BGP Neighbor Configuration screen enables you to configure the parameters of a BGP peer of this device. You can configure a new peer in the upper dialog box and click Add to display the configured peer in the lower dialog box. You can modify the parameters of a previously configured peer in the lower dialog box. Click Apply for your changes to take effect.

Table 11-3. BGP Neighbor Configuration Fields

Parameter: Select

Description: You must click a selection button before modifying a neighbor’s parameters.

Parameter: Peer Address

Description: The IP address of the device to be configured as a BGP peer.

Default value: 0.0.0.0

See also: Section 11.1.3

Parameter: Remote AS

Description: The identifying number for the AS of the peer.

Valid range: 1-65535

See also: Section 11.1.3

Parameter: EBGP Multihop

Description: Enable or disable the speaker’s ability to accept or attempt connections to external peers residing on networks that are not directly connected. The options are:

• Enable — Enables the speaker to accept or attempt connections.

• Disable — Disables the speaker from accepting or attempting connections.

Default value: Disable

This field value can be applied only to directly connected EBGP peers and not to internal peers.

Parameter: Next Hop

Description: Specifies the method to generate the next hop value. The options are:

• automatic — Generates the next hop based on the IP address of the destination and the next hop value in the route information.

• self — Sets the sender’s local address as the next hop attribute.

Default value: automatic

Parameter: Source Address

Description: A source address for the TCP connection to the peer.

The IP address configured on the physical interface directly connected to the BGP peer is used as the source address by default.

See also: Section 11.1.14

11.2.3 BGP MED Configuration

In the GUI go to the Layer 3 Management: BGP: Multi-Exit Discriminators tab to specify strength of preference among available routes, as illustrated in Figure 11-12.

Figure 11-12. BGP MED Configuration Screen

The Multi-Exit Discriminator (MED) is a metric attribute that gives BGP guidance on route preference when more than one route to a destination is available.

The BGP MED screen enables you to assign preference values to specified routes to supply guidance to BGP. Make your selection and click the Apply button for your specification to take effect.

Table 11-4. BGP MED Configuration Fields

Parameter: Select

Description: You must click a selection button before modifying a configuration.

See also: Section 11.1.13

Parameter: MED ID

Description: An integer to identify the rule that applies to routes matching the configured criteria.

Valid range: 1-100

See also: Section 11.1.13.2

Parameter: Remote AS

Description: An integer to identify the remote AS to which the metric applies.

Default value: 0

Valid range: 0-65535

See also: Section 11.1.13.2

Parameter: IP Address Prefix

Description: The IP address prefix in the Network Layer Reachability Information field in the update.

Default value: 0.0.0.0

See also: Section 11.1.13.2

Parameter: IP Address Prefix Length

Description: The length (in bits) of the IP address prefix in the Network Layer Reachability Information field. The value ranges between 0 and 32 bits.

Default value: 0

Valid range: 0-32

See also: Section 11.1.13.2

Parameter: Intermediate AS

Description: An optional comma-delimited list of intermediate ASs.

See also: Section 11.1.13.2

Parameter: Direction

Description: The direction of the route to which the configuration is to be applied.

• In applies the rule to routes received from peers via UPDATE messages.

• Out applies the rule to routes sent to peers via UPDATE messages.

Default value: In

See also: Section 11.1.13.2

Parameter: Value

Description: The value of the metric to assign to routes matching all of the specified criteria.

Default value: 0

Valid range: 0-2147483647

See also: Section 11.1.13.2

Parameter: Preference

Description: True means that the configured metric value overrides any received metric.

See also: Section 11.1.13.2

11.2.4 BGP Local Preference Configuration

In the GUI go to the Layer 3 Management: BGP: Local Preference tab to specify a preferred exit path from the AS for the configured route, as illustrated in Figure 11-13.

Figure 11-13. BGP Local Preference Configuration Screen

The BGP Local Preference Configuration screen enables you to configure a local preference value for a configured route. Specify a new configuration in the upper dialog box and click ADD to display the configuration in the lower dialog box. Edit previously configured routes in the lower dialog box and click Apply for your changes to take effect.

Table 11-5. BGP Local Preference Configuration Fields

Parameter: Select

Description: You must click a selection button before modifying a neighbor’s parameters.

Parameter: Local Preference ID

Description: An integer to identify the rule that applies to routes matching the configured criteria.

Default value: 0

Valid range: 1-100

See also: Section 11.1.12

Parameter: Remote AS

Description: An integer to identify the remote AS to which the metric applies.

Default value: 0

Valid range: 0-65535

See also: Section 11.1.12

Parameter: IP Address Prefix

Description: The IP address prefix in the Network Layer Reachability Information field in the update.

Default value: 0.0.0.0

See also: Section 11.1.12

Parameter: IP Address Prefix Length

Description: The length (in bits) of the IP address prefix in the Network Layer Reachability Information field.

Default value: 0

Valid range: 0-32

See also: Section 11.1.12

Parameter: Intermediate AS

Description: An optional comma-delimited list of intermediate ASs.

See also: Section 11.1.12

Parameter: Direction

Description: The direction of the route to which the configuration is to be applied.

• In applies the rule to routes received from peers via UPDATE messages.

• Out applies the rule to routes sent to peers via UPDATE messages.

Default value: In

See also: Section 11.1.12

Parameter: Value

Description: The value of the metric to assign to routes matching all of the specified criteria.

Default value: 100

Valid range: 0-2147483647

See also: Section 11.1.12

Parameter: Preference

Description: True means that the configured metric value overrides any received metric.

See also: Section 11.1.12

11.2.5 BGP Filter Configuration

In the GUI go to the Layer 3 Management: BGP: Filters tab to filter routes that are advertised to specific BGP peers, as illustrated in Figure 11-14.

Figure 11-14. BGP Filter Configuration Screen

The BGP Filter Configuration screen enables you to filter routes that are advertised to specific BGP peers. Filters are evaluated in order according to their configured index. Each filter entry can either permit or deny a route based on whether or not it matches the specified remote AS, route prefix, and prefix length.

Use the upper dialog box to configure a new filter. Click ADD to save the configuration and display it in the lower dialog box. Edit parameters of previously configured filters in the lower dialog box and click Apply for your changes to take effect.

Table 11-6. BGP Filter Configuration Fields

Parameter: Select

Description: You must click a selection button before modifying a neighbor’s parameters.

Parameter: Filter ID

Description: A numerical value that uniquely identifies the filter.

Valid range: 1-100

See also: Section 11.1.9

Parameter: Remote AS

Description: An integer to identify the remote AS to which the filter applies.

Default value: 0

Valid range: 0-65535

See also: Section 11.1.9

Parameter: IP Address

Description: The IP address prefix in the Network Layer Reachability Information field in the update.

Default value: 0.0.0.0

See also: Section 11.1.9

Parameter: IP Address Prefix Length

Description: The length (in bits) of the IP address prefix in the Network Layer Reachability Information field.

Default value: 0

Valid range: 0-32

See also: Section 11.1.9

Parameter: Intermediate AS

Description: An optional comma-delimited list of intermediate ASs.

See also: Section 11.1.9

Parameter: Direction

Description: The direction of the update. Options are:

• in is a keyword signifying that this filter applies to incoming UPDATE messages.

• out is a keyword signifying that this filter applies to outgoing UPDATE messages.

See also: Section 11.1.9

Parameter: Action

Description: The action enforced by the filter. Options are:

• allow — This filter causes a matching route to be included in UPDATE messages.

• deny — This filter causes a matching route to be excluded from UPDATE messages.

See also: Section 11.1.9

11.2.6 BGP Route Aggregation Configuration

In the GUI go to the Layer 3 Management: BGP: Route Aggregation tab to specify an aggregation of routes, as illustrated in Figure 11-15.

Figure 11-15. BGP Route Aggregation Configuration Screen

Use address aggregation to combine the advertisement of a number of specific routes into the advertisement of a single route that is a supernet of the more-specific routes. If the summary-only option is selected, the advertisement of any specific routes in the aggregate is suppressed and only the aggregate route is advertised. Otherwise, both the aggregate and the specific routes are advertised.

Configure a new aggregation in the upper dialog box and click ADD to save the configuration and display it in the lower dialog box. Edit the parameters of previously configured aggregations in the lower dialog box and click Apply for your changes to take effect.

Table 11-7. BGP Route Aggregation Configuration Fields

Parameter: Select

Description: You must click a selection button before modifying an aggregation’s parameters.

Parameter: ID

Description: A numerical value that uniquely identifies the aggregation.

Valid range: 1-100

See also: Section 11.1.7

Parameter: IP Address Prefix

Description: The IPv4 supernet address.

Default value: 0.0.0.0

See also: Section 11.1.7

Parameter: IP Address Prefix Length

Description: The CIDR address mask for the supernet.

Default value: 0

Valid range: 0-32

See also: Section 11.1.11

Parameter: Route Advertise

Description: The route(s) to advertise. Options are:

• Summary Only — Only the address of the aggregate (the supernet) is advertised.

• All — Both the aggregate and the specific routes are advertised.

See also: Section 11.1.7

Chapter 12 Route Maps

The 10RX supports route filtering and manipulation through the use of route maps. Route maps can be used to control:

• how routes are redistributed

• which routes are accepted when learned via a dynamic routing protocol

• which routes are advertised by a dynamic routing protocol

Route maps can also be used to modify certain types of route information.

In release 2.1 of the software, route maps can only be configured using the CLI.

12.1 Configuring Route Maps

A route map can be thought of as a type of access control list. You may have up to 10 entries in the list for each route map and each entry consists of three parts:

• a permit or deny action

• optional match values

• optional set values

The following rules apply to matches:

• A route map entry with no match values matches all routes.

• A route map entry with multiple match values matches a route if any of the match values correspond to the route.

• Every route map ends with an implicit deny that matches all routes.

• Set values are applied to all routes in a permit entry that meet the match criteria.

12.1.1 Specifying a Route Map

Use the route-map command in Global Configuration mode to create a route map or to modify a previously configured route map. Execution of the route-map command will begin the Route Map Configuration mode, signified by the Magnum 10RX(config-rmap-mapname)# prompt, where mapname is the name you have specified with the route-map command.

Command syntax:

route-map mapname [{permit | deny}] [sequence-number]

Where:

mapname is a user-supplied string of up to 20 characters that names the route map.

sequence-number is a numerical value in the range 1-10 specifying the order in which this map is evaluated relative to other route maps.


Example:

Magnum 10RX(config)# route-map mymap permit

Magnum 10RX(config-rmap-mymap)# 

Once you are in Route Map Configuration mode you can execute match and set commands with numerous arguments, as detailed below. In the example above the permit keyword has been specified so that any matching routes will be permitted. To configure routes to be denied you must exit Route Map Configuration mode with the exit command and re-enter it with the route-map command and the keyword deny.

The no route-map mapname command deletes the route map entry specified by mapname.

12.1.1.1 Note on Sequence Numbers

Specifying a sequence number allows you to control the order in which the route-map entries are evaluated.

For example, to place a specific deny entry in front of a more general permit entry execute the commands below:

Magnum 10RX(config)# route-map mymap deny 1

Magnum 10RX(config-rmap-mymap)# match destination ip 192.168.5.0 255.255.255.0

Magnum 10RX(config-rmap-mymap)# exit

Magnum 10RX(config)# route-map mymap permit 2

Magnum 10RX(config-rmap-mymap)# match destination ip 192.168.0.0 255.255.0.0

Magnum 10RX(config-rmap-mymap)# exit

Figure 12-1. Route Map Sequencing Example

If you do not specify a sequence number, sequence number 1 is assumed.

12.1.2 Defining a Match

Use the match command in Route Map Configuration mode to define criteria against which routes are to be matched. Routes matching the specified criteria will be permitted or denied depending on the option used with the preceding route-map command.

Several different types of matching criteria can be used. These are detailed in Table 12-1, below.

The no match matchspec command deletes the match entry specified by matchspec.

Table 12-1. Route Map Matching Criteria

Match Type Usage

destination IP Use this command to specify the IP address and mask of the route's destination.

Syntax:

match destination ip ipaddr mask

Example:

Magnum 10RX(config-rmap-mapname)# match ip destination 192.168.5.0 255.255.255.0

source IP Use this command to specify the IP address and mask of the source of a received route. In the case of RIP, this would be the IP address of the interface sending the RIP advertisement. In the case of OSPF, this would be the router ID of the LSA originator.

Syntax:

match source ip ipaddr mask

Example:

Magnum 10RX(config-rmap-mapname)# match source ip 192.168.5.0 255.255.255.0

interface Use this command to specify the IP interface of the route's next hop.

Syntax:

match interface ifspec

Where ifspec can be:

• gigabitethernet slotnum/portnum

• vlan vlanid (1-4094)

• loopback loopid (0-9)

• ppp pppifid (1-16)

• mlppp mlpppifid (1-16)

• tunnel tunnid (1-32)

Example:

Magnum 10RX(config-rmap-mapname)# match interface gigabitethernet 5/1

next-hop IP Use this command to specify the IP address of the route's next hop.

Syntax:

match next-hop ip ipaddr

Example:

Magnum 10RX(config-rmap-mapname)# match next-hop ip 192.168.5.0

metric Use this command to specify the route's metric.

Syntax:

match metric metricval(1-2147483647)

Example:

Magnum 10RX(config-rmap-mapname)# match metric 1000

Page 250: INDUSTRIAL NETWORK OPERATING SYSTEM - Beldenmedia.beldensolutions.com/garrettcom/techsupport/software/user... · Industrial Network Operating System Administrator’s Guide ii Rights

CHAPTER 12 - Route MapsConfiguring Route Maps

Industrial Network Operating System Administrator’s Guide

226

route-type Use this command to specify the route's type. This can be either local, which specifies a directly connected route, or remote, which includes static routes and routes learned from a dynamic routing protocol.

Syntax:

match route-type {local | remote}

Example:

Magnum 10RX(config-rmap-mapname)# match route-type remote

community Use this command to specify the community of a BGP route.

Syntax:

match community {local-as|no-advt|no-export|comm-num intval|none}

Where the community specification can be:

• local-as — a local autonomous system BGP community

• no-advt — a no-advertisement BGP community

• no-export — a no-export BGP community

• the BGP community specified by the community number comm-num intval(1-4294967295)

• none — that is, not a member of a BGP community

Example:

Magnum 10RX(config-rmap-mapname)# match community local-as

For more on the BGP community value see Section 11.1.10.

local-preference Use this command to specify the local preference of a BGP route.

Syntax:

match local-preference lpval(1-2147483647)

Example:

Magnum 10RX(config-rmap-mapname)# match local-preference 150

For more on the BGP local-preference value see Section 11.1.11.

origin Use this command to specify where the route originated.

Syntax:

match origin {igp | egp | incomplete}

Where:

• igp — specifies a route originating through an interior gateway protocol.

• egp — specifies a route originating through an exterior gateway protocol.

• incomplete — specifies a route originating through unknown heritage.

Example:

Magnum 10RX(config-rmap-mapname)# match origin egp


12.1.3 Setting Route Values

Use the set command in Route Map Configuration mode to manipulate routes that have been filtered with the match command.

A variety of values can be set. These are detailed in Table 12-2, below.

The no set setspec command deletes the match entry specified by setspec.

Table 12-2. Route Map Set Values

Match Type Usage

next-hop IP Use this command to specify the IP address of the new next hop value to be applied to the matching routes.

Syntax:

set next-hop ip ipaddr

Example:

Magnum 10RX(config-rmap-mapname)# set next-hop ip 192.168.5.0

metric Use this command to specify the metric to be applied to matching routes.

Syntax:

set metric metricval(1-2147483647)

Example:

Magnum 10RX(config-rmap-mapname)# set metric 1000

interface Use this command to specify the next hop IP interface to be applied to matching routes.

Syntax:

set interface ifspec

Where ifspec can be:

• gigabitethernet slotnum/portnum

• vlan vlanid (1-4094)

• loopback loopid (0-9)

• ppp pppifid (1-16)

• mlppp mlpppifid (1-16)

• tunnel tunnid (1-32)

Example:

Magnum 10RX(config-rmap-mapname)# set interface vlan 5

tag Use this command to specify the OSPF tag to be applied to matching routes.

Syntax:

set tag tagval (1-2147483647)

Example:

Magnum 10RX(config-rmap-mapname)# set tag 20

community Use this command to specify the BGP community to be applied to matching routes.

Syntax:

set community {local-as|no-advt|no-export|comm-num intval|none}

Where the community specification can be:

• local-as — a local autonomous system BGP community

• no-advt — a no-advertisement BGP community

• no-export — a no-export BGP community

• the BGP community specified by the community number comm-num intval(1-4294967295)

• none — that is, not a member of a BGP community

Example:

Magnum 10RX(config-rmap-mapname)# set community no-export

For more on the BGP community value see Section 11.1.10.

local-preference Use this command to specify the BGP local preference to be applied to matching routes.

Syntax:

set local-preference lpval(1-2147483647)

Example:

Magnum 10RX(config-rmap-mapname)# set local-preference 150

For more on the BGP local-preference value see Section 11.1.11.

origin Use this command to specify the origin of matching routes.

Syntax:

set origin {igp | egp | incomplete}

Where:

• igp — specifies a route originating through an interior gateway protocol.

• egp — specifies a route originating through an exterior gateway protocol.

• incomplete — specifies a route originating through unknown heritage.

Example:

Magnum 10RX(config-rmap-mapname)# set origin egp

12.2 Applying Route Maps

Configured route maps can be applied to filter and manipulate routes by managing them in concert with other INOS configuration commands.

12.2.1 Route Redistribution

Use the redistribute protocol route-map command in Router Configuration mode to apply a route map as a filter list for the routes to redistribute. Permitted routes are redistributed. Denied routes are not. Set commands are allowed in certain cases to manipulate some route information during redistribution.

Command Syntax:

redistribute protocol route-map mapname

Where protocol can be:

static — redistributes routes configured statically.

connected — redistributes directly connected network routes.

bgp — redistributes routes that are learned by the BGP process.

ospf — redistributes routes that are learned by the OSPF process.

rip — redistributes routes that are learned by the RIP process.

all — redistributes all routes

And mapname is the name of a configured route map to control redistribution.

(Note: the list of valid protocol names will vary depending on the protocol specified when Router Configuration mode was entered; that is, the protocol under configuration will not be available as an option.)

Example:

The commands shown in Figure 12-2 redistribute only static routes in the 192.168.0.0/16 subnet into RIP:

Magnum 10RX(config)# route-map rip_filter permit

Magnum 10RX(config-rmap-rip_filter)# match destination ip 192.168.0.0 255.255.0.0

Magnum 10RX(config-rmap-rip_filter)# exit

Magnum 10RX(config)# router rip

Magnum 10RX(config-router)# redistribute static route-map rip_filter

Figure 12-2. Route Map Redistribution

12.2.2 Outgoing Route Filtering

Use the distribute-list route-map mapname out command in Router Configuration mode to filter advertised routes. Permitted routes will be advertised, denied routes will not. Some set commands are allowed in certain cases to manipulate route information right before it is sent.

Command Syntax:

distribute-list route-map mapname out

Where:

mapname is the name of a configured route map to filter routes.

Example:

The commands shown in Figure 12-3 prevent RIP from advertising routes that have a metric of 10:

Magnum 10RX(config)# route-map rip_filter deny 1

Magnum 10RX(config-rmap-rip_filter)# match metric 10

Magnum 10RX(config-rmap-rip_filter)# exit

Magnum 10RX(config)# route-map rip_filter permit 2

Magnum 10RX(config-rmap-rip_filter)# exit

Magnum 10RX(config)# router rip

Magnum 10RX(config-router)# distribute-list route-map rip_filter out

Figure 12-3. Outgoing Route Filtering

12.2.3 Incoming Route Filtering

Use the distribute-list route-map mapname in command in Router Configuration mode to filter advertised routes. Permitted routes will be advertised, denied routes will not. Some set commands are allowed in certain cases to manipulate route information right before it is installed in the route table.

Command Syntax:

distribute-list route-map mapname in

Where:

mapname is the name of a configured route map to filter routes.

Example:

The commands shown in Figure 12-4 prevent RIP from installing routes advertised by the RIP router at 192.168.1.1:

Magnum 10RX(config)# route-map rip_filter deny 1

Magnum 10RX(config-rmap-rip_filter)# match source ip 192.168.1.1 255.255.255.255

Magnum 10RX(config-rmap-rip_filter)# exit

Magnum 10RX(config)# route-map rip_filter permit 2

Magnum 10RX(config-rmap-rip_filter)# exit

Magnum 10RX(config)# router rip

Magnum 10RX(config-router)# distribute-list route-map rip_filter in

Figure 12-4. Incoming Route Filtering


12.2.4 Specifying Route Administrative Distance

Use the distance distval route-map mapname command in Router Configuration mode to specify an administrative distance for routes that match the criteria in the route map specified by mapname.

For more on administrative distance see Section 9.1.5 and Section 11.1.8.

Command syntax:

distance distval [route-map mapname]

Where:

distval is a numerical value specifying the administrative distance to apply to routes matching the criteria in the route map specified by mapname.

mapname is the name of a configured route map.

Example:

Magnum 10RX(config-router)# distance 100 route-map mymap

Valid range: 1-255

12.3 Route Maps and Routing Protocols

Certain route map match and set commands are not applicable for certain routing protocols and commands. The following sections identify, for each INOS-supported routing protocol, which match and set commands are available and how they can be applied.

12.3.1 Route Map Functionality for RIP

Table 12-3 illustrates which commands can be used in conjunction with which distribution applications in RIP.

Table 12-3. Route Map Match and Set Commands Supported in RIP

Supported Route Map Commands | Distribute-List IN | Distribute-List OUT | Redistribute
match destination ip | Yes | Yes | Yes
match source ip | Yes | No | No
match interface | Yes | Yes | Yes
match next-hop ip | Yes | Yes | Yes
match metric | Yes | Yes | Yes
match route-type | Yes | Yes | Yes
set next-hop ip | Yes | No | No
set metric | Yes | Yes | No
set interface | Yes | No | No

12.3.2 Route Map Functionality for OSPF

Table 12-4 illustrates which commands can be used in conjunction with which distribution applications in OSPF.

Table 12-4. Route Map Match and Set Commands Supported in OSPF

Route Map Command | Distribute-List IN | Distribute-List OUT | Redistribute
match destination ip | Yes | No | Yes
match source ip | Yes | No | No
match interface | Yes | No | Yes
match next-hop ip | Yes | No | Yes
match metric | Yes | No | Yes
match tag | Yes | No | No
match metric-type | Yes | No | No
match route-type | Yes | No | Yes
set next-hop ip | Yes | No | No
set metric | Yes | No | No
set interface | Yes | No | No
set tag | Yes | No | Yes


12.3.3 Route Map Functionality for BGP

Table 12-5 illustrates which commands can be used in conjunction with which distribution applications in BGP.

Table 12-5. Route Map Match and Set Commands Supported in BGP

Route Map Command | Distribute-List IN | Distribute-List OUT | Redistribute
match destination ip | Yes | Yes | Yes
match source ip | Yes | No | No
match interface | Yes | Yes | Yes
match next-hop ip | Yes | Yes | Yes
match metric | Yes | Yes | Yes
match route-type | Yes | No | Yes
match community | Yes | Yes | No
match local-preference | Yes | Yes | No
match origin | Yes | Yes | No
set next-hop ip | Yes | No | No
set metric | Yes | Yes | Yes
set interface | Yes | No | No
set community | Yes | Yes | No
set local-preference | Yes | Yes | No
set origin | Yes | Yes | No

12.3.4 Note on Route Redistribution

In route redistribution it is important to remember that the match commands, as in the example below, apply to the protocol the routes are being redistributed from while the set commands in the example apply to the protocol the routes are being redistributed into.

For example, execute the commands in Figure 12-5 to redistribute OSPF routes with a destination IP of 192.168.1.0/24 into RIP while setting their RIP metric to 5:

Magnum 10RX(config)# route-map ospf_to_rip

Magnum 10RX(config-rmap-ospf_to_rip)# match destination ip 192.168.1.0 255.255.255.0

Magnum 10RX(config-rmap-ospf_to_rip)# set metric 5

Magnum 10RX(config-rmap-ospf_to_rip)# exit

Magnum 10RX(config)# router rip

Magnum 10RX(config-router)# redistribute ospf route-map ospf_to_rip

Figure 12-5. Route Map Redistribution Example

12.4 Displaying Route Map Information

Use the show route-map command in Exec Commands mode to display information about all configured route maps or a specified route map.

Command syntax:

show route-map [mapname]

Where:

mapname is the name of a configured route map.

Example:

Magnum 10RX# show route-map mymap
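The filtering behaviour described in Sections 12.2.2, 12.2.3 and 12.3.4, modelled in Python as an added example (not INOS code or output). It assumes entries are evaluated in ascending sequence order, that the first matching entry decides, and that a route matching no entry is not permitted; the Route and Entry classes, the sample routes, and the permit action and sequence number given to the Figure 12-5 map are hypothetical.

```python
"""Toy model of route-map filtering (added example, not INOS code)."""
import ipaddress
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Route:
    destination: str   # prefix, e.g. "192.168.1.0/24"
    source: str        # address of the router that advertised the route
    metric: int


@dataclass
class Entry:
    seq: int
    action: str                                      # "permit" or "deny"
    match: dict = field(default_factory=dict)        # match type -> value
    set_values: dict = field(default_factory=dict)   # Route field -> new value


def entry_matches(entry, route):
    """Every match clause must hold; an entry without clauses matches any route."""
    for kind, value in entry.match.items():
        if kind == "destination ip":
            wanted = ipaddress.ip_network(f"{value[0]}/{value[1]}")
            if not ipaddress.ip_network(route.destination).subnet_of(wanted):
                return False
        elif kind == "source ip":
            wanted = ipaddress.ip_network(f"{value[0]}/{value[1]}")
            if ipaddress.ip_address(route.source) not in wanted:
                return False
        elif kind == "metric":
            if route.metric != value:
                return False
        else:
            raise ValueError(f"match type not modelled: {kind}")
    return True


def apply_route_map(entries, route):
    """Return the route (with set values applied) if permitted, else None."""
    for entry in sorted(entries, key=lambda e: e.seq):   # assumption: lowest seq first
        if entry_matches(entry, route):
            if entry.action == "deny":
                return None
            return replace(route, **entry.set_values)
    return None   # assumption: a route matching no entry is not permitted


def filter_routes(entries, routes):
    """Apply a route map to each route and keep the permitted results."""
    results = (apply_route_map(entries, route) for route in routes)
    return [r for r in results if r is not None]


# Figure 12-3: keep RIP from advertising routes whose metric is 10.
FIG_12_3 = [Entry(1, "deny", {"metric": 10}), Entry(2, "permit")]
# Figure 12-4: ignore routes advertised by the RIP router at 192.168.1.1.
FIG_12_4 = [Entry(1, "deny", {"source ip": ("192.168.1.1", "255.255.255.255")}),
            Entry(2, "permit")]
# Figure 12-5: OSPF routes inside 192.168.1.0/24 enter RIP with metric 5.
# The figure gives no action or sequence number; permit and 1 are assumed.
FIG_12_5 = [Entry(1, "permit",
                  {"destination ip": ("192.168.1.0", "255.255.255.0")},
                  {"metric": 5})]

# Constructed sample routes.
ROUTES = [
    Route("192.168.1.0/24", "192.168.1.1", 10),
    Route("192.168.1.128/25", "192.168.1.2", 3),
    Route("10.20.0.0/16", "192.168.1.2", 10),
]

if __name__ == "__main__":
    for name, rmap in [("Figure 12-3", FIG_12_3), ("Figure 12-4", FIG_12_4),
                       ("Figure 12-5", FIG_12_5)]:
        print(name, filter_routes(rmap, ROUTES))
    # Without the empty "permit 2" entry the same map permits nothing.
    print("Figure 12-3 without permit 2:", filter_routes(FIG_12_3[:1], ROUTES))
```

Under the stated assumptions, the empty permit 2 entry in Figures 12-3 and 12-4 is what lets every other route through; leaving it out turns either map into a filter that drops all routes.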


Chapter 13 GRE

Generic Routing Encapsulation (GRE) is a technique that allows datagrams to be encapsulated into IP Packets and then redirected to an intermediate host. At the intermediate destination the datagrams are decapsulated and routed to the next leg. GRE allows a tunnel to be created using a certain protocol which then hides the contents of another protocol carried within the tunnel.

13.1 GRE Operation

In a simple GRE application two machines, Source and Receiver, are separated by a public IP network. The two routers are set up to be the terminal points of a tunnel through the network. These two routers communicate with the local source or destination machine in the protocol configured for the local environment and pass it through the tunnel encapsulated inside GRE packets.

13.2 GRE Implementation

GRE encapsulation takes place at Layer 3 of the OSI Model, taking the form of a delivery header followed by a GRE Header followed by a payload packet as shown in the figure below.

The encapsulated unit has the structure depicted in Figure 13-1.

Figure 13-1. GRE Implementation

13.3 GRE Configuration in the CLI

INOS enables you to create an instance of a GRE tunnel and to specify source and destination and to configure some features to manage the traffic in the tunnel.


13.3.1 Specifying a GRE Tunnel

Use the interface tunnel command in Global Configuration mode to specify a GRE tunnel and to enter Tunnel Interface Configuration mode, signaled by the prompt Magnum 10RX(config-if)#.

Command syntax:

interface tunnel tun_id

Where:

tun_id is a numerical value uniquely identifying this GRE tunnel.

Example:

Magnum 10RX(config)# interface tunnel 3

Magnum 10RX(config-if)#

This command specifies GRE tunnel 3, creating it if it does not already exist. Subsequent commands in the Tunnel Interface Configuration session will modify this tunnel.

Valid range: 1-32

The no interface tunnel tun_id command deletes the tunnel specified by tun_id.

13.3.2 Configuring GRE Tunnel Attributes

Use the tunnel mode command in Tunnel Interface Configuration mode to specify that the tunnel is a GRE tunnel and to specify source and destination addresses.

Command syntax:

tunnel mode gre source src_ip_addr dest dest_ip_address

Where:

src_ip_addr is a valid IP address specifying a source for the tunnel.

dest_ip_address is a valid IP address specifying a destination for the tunnel.

Example:

Magnum 10RX(config-if)# tunnel mode gre source 192.168.1.2 dest 10.0.0.2

13.3.3 Enabling Tunnel Checksum

Use the tunnel checksum command in Tunnel Interface Configuration mode to enable end-to-end checksumming of packets.

Command syntax:

tunnel checksum


Example:

Magnum 10RX(config-if)# tunnel checksum

Default value: disabled

The no tunnel checksum command specifies the default.
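What the delivery header, GRE header and payload of Section 13.2 look like on the wire, and what tunnel checksum changes, as an added Python example (not INOS code). The header layout follows RFC 2784; the inner packet is constructed, and using the configured hop limit as the delivery header's TTL is an assumption.

```python
"""GRE encapsulation with the optional checksum (added example, RFC 2784 layout)."""
import ipaddress
import struct

GRE_CHECKSUM_PRESENT = 0x8000   # C bit in the first 16 bits of the GRE header
PROTO_IPV4 = 0x0800             # GRE protocol type for an IPv4 payload
IPPROTO_GRE = 47                # IP protocol number carried in the delivery header


def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum used by both IPv4 and GRE."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl):
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def gre_encapsulate(payload, checksum=False):
    """4-byte GRE header by default; 8 bytes with the C bit and checksum field."""
    if not checksum:
        return struct.pack("!HH", 0, PROTO_IPV4) + payload
    zeroed = struct.pack("!HHHH", GRE_CHECKSUM_PRESENT, PROTO_IPV4, 0, 0)
    csum = internet_checksum(zeroed + payload)   # covers GRE header and payload
    return struct.pack("!HHHH", GRE_CHECKSUM_PRESENT, PROTO_IPV4, csum, 0) + payload


def gre_decapsulate(gre):
    """Return (protocol type, payload); raise ValueError on a bad packet."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", gre[:4])
    if flags & ~GRE_CHECKSUM_PRESENT:
        raise ValueError("GRE flags or version not handled by this example")
    if not flags & GRE_CHECKSUM_PRESENT:
        return proto, gre[4:]                    # nothing to verify
    if len(gre) < 8 or internet_checksum(gre) != 0:
        raise ValueError("GRE checksum mismatch")
    return proto, gre[8:]


def tunnel_packet(inner, src, dst, hop_limit, checksum):
    """Delivery header, then GRE header, then the payload packet."""
    gre = gre_encapsulate(inner, checksum)
    return ipv4_header(src, dst, IPPROTO_GRE, len(gre), hop_limit) + gre


# Constructed inner packet: ICMP echo request from 10.1.1.1 to 10.2.2.2.
ICMP_ECHO = bytes.fromhex("0800f7ff00000000")
INNER = ipv4_header("10.1.1.1", "10.2.2.2", 1, len(ICMP_ECHO), 64) + ICMP_ECHO


def survives_corruption(checksum):
    """True if a payload bit flipped in transit is still accepted by the receiver."""
    pkt = tunnel_packet(INNER, "192.168.1.2", "10.0.0.2", 100, checksum)
    damaged = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    try:
        gre_decapsulate(damaged[20:])
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # The checksum is unkeyed: it catches corruption, not deliberate modification.
    print("checksum disabled, damaged packet accepted:", survives_corruption(False))
    print("checksum enabled, damaged packet accepted:", survives_corruption(True))
```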

13.3.4 Enabling Tunnel Path MTU Discovery

Use the tunnel path-mtu-discovery command in Tunnel Interface Configuration mode to enable discovery of the Maximum Transmission Unit (MTU) size on the prescribed path.

Command syntax:

tunnel path-mtu-discovery

Example:

Magnum 10RX(config-if)# tunnel path-mtu-discovery

Default value: disabled

The no tunnel path-mtu-discovery command specifies the default.

13.3.5 Configuring Tunnel Hop Limit

Use the tunnel hop-limit command in Tunnel Interface Configuration mode to specify a limit to the number of hops a packet can take before being discarded.

Command syntax:

tunnel hop-limit h_limit

Where:

h_limit is a numerical value specifying the number of hops a packet can take before being discarded. 0 specifies the value in the payload header.

Example:

Magnum 10RX(config-if)# tunnel hop-limit 100

This command specifies that the hop-limit field will be decremented by 1 at each hop until 0 is reached and the packet is discarded.

Valid range: 0-255


13.4 GRE Configuration in the GUI

INOS enables you to create an instance of a GRE tunnel and to specify source and destination and to configure some features to manage the traffic in the tunnel.

13.4.1 Specifying a GRE Tunnel

In the GUI go to the Layer 3 Management: IP: TUNNEL Interfaces tab to configure a GRE tunnel, as illustrated in Figure 13-2.

Figure 13-2. Tunnel Configuration Screen

In the tunnel configuration screen use the upper dialog box to specify a tunnel. Click the Create button to save your specification and to display it in the lower dialog box. Use the lower dialog box to edit or delete configured tunnels.

Table 13-1. Tunnel Configuration Fields

Parameter | Description | See Also
Select | You must click a selection button before modifying a configuration. |
Tunnel ID | Specify a numerical value uniquely identifying this GRE tunnel. Valid range: 1-32 | Section 13.3.1
Mode | GRE is the sole available selection. | Section 13.3.2
Link Status | A green or red symbol to indicate the physical status of the connection. |
Admin State | Up or Down to indicate the administrative status of the connection. |
Source | Specify a valid IP address specifying a source for the tunnel. | Section 13.3.2
Destination | Specify a valid IP address specifying a destination for the tunnel. | Section 13.3.2
Hop Limit | Specify a limit to the number of hops a packet can take before being discarded. Valid range: 0-255 | Section 13.3.5
Checksum | Enable or disable end-to-end checksumming of packets. | Section 13.3.3
Path MTU | Enable or disable discovery of the Maximum Transmission Unit (MTU) size on the prescribed path. | Section 13.3.4


Chapter 14 VRRP

The Virtual Router Redundancy Protocol (VRRP), described in RFC 3768, is a method of providing a backup router if a primary (or “master”) router should fail. The virtual router is a group of two or more physical routers sharing certain identifying information on the same network. One of these routers is configured with the IP address that will be used as the VRIP. This router is the “owner” of the VRIP and will serve the master role so long as it is operational. The devices that are included in a virtual router communicate with one another with a frequency specified by the value of the advertising interval. When a device serving the master role has not been heard from for a length of time that exceeds three times the advertising interval, that device is presumed to be non-functioning, and priority values are used to elect a new master router from the remaining members of the virtual router.

14.1 VRRP Configuration in the CLI

The following sections describe the commands available in INOS to configure VRRP.

14.1.1 Enabling VRRP

Use the router vrrp command in Global Configuration mode to enable VRRP on the router and to enter VRRP Configuration mode displaying the Magnum 10RX(config-vrrp)# prompt.

Command syntax:

router vrrp

Example:

Magnum 10RX(config)# router vrrp

Use the no router vrrp command to disable VRRP.

14.1.2 Configuring VRRP on an Interface

Use the interface command in VRRP Configuration mode to configure VRRP parameters on a particular interface and to enter VRRP Interface Configuration mode displaying the Magnum 10RX(config-vrrp-if)# prompt.

Command syntax:

interface {vlan vid | gigabitethernet ifnum}

Where:


vid following the keyword vlan is a numerical value specifying a VLAN. This value ranges between 1 and 4094.

ifnum following the keyword gigabitethernet is a specification of an Ethernet slot and port separated by a slash, for example: 5/1.

Example:

Magnum 10RX(config-vrrp)# interface vlan 6

Magnum 10RX(config-vrrp-if)# 

Valid range:

vid : 1-4094

ifnum: a valid slot/port designation.

Use the show vrrp interface command to view configured values.

14.1.3 Configuring a VRRP IP Address

Use the vrrp vrid ipv4 command in VRRP Interface Configuration mode to configure the IP address for the virtual router. A VRRP instance can be associated with more than one IP address. When the router becomes master for an instance it replies to the ARP requests for all the associated IP addresses. You can specify that an IP address is not the primary address by following the address specification with the key word secondary.

Command syntax:

vrrp vrid ipv4 ipaddr [secondary]

Where:

vrid is a numerical value in the range 1-255 specifying a virtual router ID.

ipaddr is a valid primary or secondary IP address.

Example:

Magnum 10RX(config-vrrp-if)# vrrp 1 ipv4 10.0.0.1

Valid range (VRID): 1-255

The no vrrp vrid ipv4 command deletes the IP address of the virtual router.

Use the show vrrp interface ifid detail command on a switch that has an interface, specified by ifid, configured as a member of the VRRP instance to see configured values.

14.1.4 Configuring the Virtual Router Priority

Use the vrrp vrid priority command in VRRP Interface Configuration mode to configure the priority of the backup routers. The router with the highest priority will take over if the master fails.


The priority value for the VRRP router that owns the IP address(es) associated with the virtual router is always 255. VRRP routers backing up a virtual router must use priority values between 1 and 254.

Command syntax:

vrrp vrid priority pval

Where:

vrid is a numerical value specifying a virtual router ID.

pval is a numerical value specifying a priority.

Example:

Magnum 10RX(config-vrrp-if)# vrrp 1 priority 200

Default value: 100

Valid ranges:

VRID — 1-255

Priority — 1-254

The no form of this command will set the priority to the default value.

Use the show vrrp interface ifid command to view configured values.

14.1.5 Enabling Preemption Mode

Use the vrrp vrid preempt command in VRRP Interface Configuration mode to enable preemption mode on the virtual router. When preemption mode is enabled and a new VRRP router is added to the network with a priority higher than that of any existing routers the new router will become the master. This will be true even though the previous master remains up and running.

Command syntax:

vrrp vrid preempt [delay minimum minval]

Where:

vrid is a numerical value specifying a virtual router ID.

minval is a numerical value specifying a minimum delay in seconds before assuming master status.

Example:

Magnum 10RX(config-vrrp-if)# vrrp 1 preempt delay minimum 10

Default value: enabled

Note: Currently the delay minimum option is not supported.

Valid ranges:

VRID — 1-255


delay minimum — 1-30

The no form of the command will disable the preemption mode for the virtual router.

Use the show vrrp interface ifid detail command to view configured values.

14.1.6 Configuring Text Authentication

Use the vrrp vrid text-authentication command in VRRP Interface Configuration mode to enable simple text authentication for the virtual router and to specify a password. Incoming VRRP packets must contain a matching password or they will be discarded.

Command syntax:

vrrp vrid text-authentication pwd

Where:

vrid is a numerical value specifying a virtual router ID.

pwd is a text string of up to 16 characters.

Example:

Magnum 10RX(config-vrrp-if)# vrrp 1 text-authentication gronk87

Default value: no authentication

Valid Range (VRID): 1-255

The no form of this command sets the authentication type for the virtual router to none.

Use the show vrrp interface ifid detail command to view configured values.

14.1.7 Configuring Advertisement Interval

Use the vrrp vrid timer command in VRRP Interface Configuration mode to set the value of the advertisement interval for the virtual router. The VRRP master router sends an advertisement packet at the configured interval to inform other routers that the master is alive.

Command syntax:

vrrp vrid timer secs

Where:

vrid is a numerical value specifying a virtual router ID.

secs is a numerical value specifying the interval between advertising packets.

Example:

Magnum 10RX(config-vrrp-if)# vrrp 1 timer 20

Default value: 1 second

The no form of this command sets the advertisement interval to the default.


Use the show vrrp interface ifid detail command to view configured values.

14.1.8 Configuring VRRP Object Tracking

Use the vrrp vrid track command in VRRP Interface Configuration mode to assign an object tracker to a VRRP instance. This allows VRRP to use certain object states in the system, such as the status of a WAN link, to determine what router should be the master. When the tracked object is in the down state the VRRP priority is decremented. When the tracked object is in the up state the VRRP priority is equal to its original value.

Command syntax:

vrrp vrid track object-id decrement decrement-value

Where:

vrid is a numerical value specifying a virtual router ID.

object-id is a numerical value specifying a previously configured object tracker.

decrement-value is a numerical value between 1-254 that specifies how much to decrement the VRRP priority.

Example:

Magnum 10RX(config-vrrp-if)# vrrp 2 track 5 decrement 10
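How a tracked object's decrement interacts with priority and preemption, as an added Python model (not INOS code). Election details beyond what this chapter states follow RFC 3768; router names, addresses and priorities are constructed, and clamping the decremented priority at 1 is an assumption.

```python
"""VRRP master selection with object tracking (added example, not INOS code)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VrrpRouter:
    name: str
    primary_ip: str
    priority: int = 100                          # default from Section 14.1.4
    preempt: bool = True                         # default from Section 14.1.5
    tracks: dict = field(default_factory=dict)   # object-id -> decrement
    up: bool = True


def effective_priority(router, object_up):
    """Configured priority minus the decrement of every tracked object that is down."""
    prio = router.priority
    for object_id, decrement in router.tracks.items():
        if not object_up.get(object_id, True):
            prio -= decrement
    return max(prio, 1)   # assumption: never drops below the lowest backup priority


def master_down_interval(advert_interval, priority):
    """Three advertisement intervals plus the RFC 3768 skew time, in seconds."""
    return 3 * advert_interval + (256 - priority) / 256


def elect_master(routers, object_up, current=None):
    """Name of the router that holds the master role, or None if none is up."""
    alive = [r for r in routers if r.up]
    if not alive:
        return None

    def rank(r):   # RFC 3768 tie-break: the higher primary IP address wins
        return (effective_priority(r, object_up),
                int(ipaddress.ip_address(r.primary_ip)))

    master = next((r for r in alive if r.name == current), None)
    if master is None:   # no master heard within the master-down interval
        return max(alive, key=rank).name
    # A live master is displaced only by a strictly higher priority router
    # that has preemption enabled (the address owner, 255, always preempts).
    challengers = [r for r in alive
                   if (r.preempt or r.priority == 255)
                   and effective_priority(r, object_up) > effective_priority(master, object_up)]
    return max(challengers, key=rank).name if challengers else master.name


def min_failover_decrement(master_priority, best_backup_priority):
    """Smallest decrement that pushes the master below its best backup."""
    return master_priority - best_backup_priority + 1


def wan_failure_scenario(decrement):
    """R1 (priority 200) tracks object 5; R2 keeps the default priority of 100."""
    r1 = VrrpRouter("R1", "10.0.0.2", priority=200, tracks={5: decrement})
    r2 = VrrpRouter("R2", "10.0.0.3")
    routers = [r1, r2]
    start = elect_master(routers, {5: True})
    during = elect_master(routers, {5: False}, current=start)   # tracked link down
    after = elect_master(routers, {5: True}, current=during)    # tracked link back
    return start, during, after


if __name__ == "__main__":
    # A decrement of 10 leaves R1 at 190, still above R2: no failover happens.
    print("decrement 10: ", wan_failure_scenario(10))
    needed = min_failover_decrement(200, 100)
    print("decrement", needed, ":", wan_failure_scenario(needed))
    print("master-down interval at 1 s, priority 100:", master_down_interval(1, 100))
```

The decrement has to exceed the gap between the master's priority and the best backup's priority, otherwise the router that lost its tracked object stays master.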

14.2 VRRP Configuration in the GUI

The following sections describe the GUI screens available in INOS to configure VRRP.

14.2.1 Enabling VRRP

In the GUI go to the Layer 3 Management: VRRP: Basic Settings tab to enable or disable VRRP in the switch, as illustrated in Figure 14-1.

Figure 14-1. VRRP Basic Settings Screen

The VRRP Basic Settings screen enables you to enable or disable VRRP in the switch. Make your selection and click the apply button for your specification to take effect. See also Section 14.1.1.


14.2.2 VRRP Settings

In the GUI go to the Layer 3 Management: VRRP: VRRP Settings tab to configure the parameters for virtual routers, as illustrated in Figure 14-2.

Figure 14-2. VRRP Settings Screen

The VRRP Settings screen enables you to configure parameters for a virtual router. Configure a router in the upper dialog box and click Add to display its values in the lower dialog box. Use the lower dialog box to modify previously configured parameters.

Table 14-1. VRRP Settings Fields

Parameter | Description | See Also
Select | You must click a selection button before modifying a router’s parameters. |
Virtual Router ID | A numerical value identifying a virtual router. Valid range: 1-255 | Section 14.1.2
Interface | The name or other designation of the interface on which the VRRP is configured. | Section 14.1.2
Primary IP Address | The primary IP address for the virtual router. Default value: 0.0.0.0 | Section 14.1.3
Priority | The priority value to be used for the Virtual Router master election process. Default value: 100. Valid range: 1-254 | Section 14.1.4
Advertisement Interval | The interval in seconds for sending advertisement packets. Default value: 1 second. Valid range: 1-255 seconds | Section 14.1.7
Pre-emption | Whether a higher priority virtual router will preempt a lower priority master router. Options are Enable and Disable. Default value: Enable | Section 14.1.5


Chapter 15 Object Tracking

This chapter describes the management of the INOS Object Tracking application. Object tracking enables tracking of specific objects on the device, such as the interface line protocol state, IP routing, and route reachability, and it enables action when the tracked object's state changes. This feature increases the availability of the network and shortens recovery time if an object state goes down. Several clients can register with the tracking process, track the same object, and take action when the object state changes. For example, Virtual Router Redundancy Protocol (VRRP) tracks certain objects and changes the state when specified thresholds are reached, thereby allowing other routers to do forwarding on its behalf.

15.1 Trackable States and Conditions

The following sections describe some of the states and conditions that can be monitored and acted upon by the INOS Object Tracking functionality.

15.1.1 Line-Protocol State of an Interface

The line-protocol state determines whether the lower level protocol has been negotiated for the link. If the lower layer negotiations fail the link should be considered down and tracking clients should be informed.

15.1.2 IP-Routing State of an Interface

An IP-routing object is considered up when all of the following criteria are met:

• IP routing is globally enabled.
• The interface line-protocol state is up.
• The interface has a valid IP address.

Interface IP routing will go down when one of the following criteria is met:

• IP routing is disabled globally.
• The interface line-protocol state is down.
• The interface IP address is unknown.

15.1.3 IP-Route Reachability

The reachability of a route can be tracked so that if a specific route becomes inaccessible the client can take corresponding action. For example, a VRRP router can reduce its priority value, thereby causing a change in state from Master to Backup.


15.2 Configuring Object Tracking in the CLI

The following sections describe the CLI commands used to configure INOS object tracking.

15.2.0.1 Configuring Interface Tracking Interval

Use the track timer interface command in the Global Configuration mode to specify the frequency at which the tracking process will poll the tracked interface.

Command syntax:

track timer interface pollsec_if

Where:

pollsec_if is a numerical value specifying the polling interval in seconds.

Example:

Magnum 10RX(config)# track timer interface 60

This command specifies that the tracked interface will be polled every 60 seconds.

Default value: 1 second

Valid range: 1-3000

Use the show track command in Exec Commands mode to view configured values.

15.2.0.2 Configuring IP Route Tracking Interval

Use the track timer ip route command in the Global Configuration mode to specify the frequency at which the tracking process will poll the tracked IP route.

Command syntax:

track timer ip route pollsec_route

Where:

pollsec_route is a numerical value specifying the polling interval in seconds.

Example:

Magnum 10RX(config)# track timer ip route 120

This command specifies that the tracked IP route will be polled every 120 seconds.

Default value: 15 seconds

Valid range: 1-3000

Use the show track command in Exec Commands mode to view configured values.


15.2.0.3 Configuring Tracking of an Interface Line Protocol

Use the track interface line-protocol command in the Global Configuration mode to specify an interface on which line protocol status will be tracked and to enter the Tracking Configuration mode, signaled by the prompt Magnum 10RX(config-track)#.

Command syntax:

track objnum interface type number line-protocol

Where:

objnum specifies a numerical value for this tracked object.

type specifies the interface type.

number specifies the individual interface addressed.

Example:

Magnum 10RX(config)# track 5 interface gigabitethernet 1/1 line-protocol

Magnum 10RX(config-track)# 

This command specifies that tracked object number 5 is line protocol status on the GbE interface 1/1.

Valid range, object number: 1-500

Use the show track command in Exec Commands mode to view configured values.

15.2.0.4 Configuring Tracking of Interface IP Routing

Use the track interface ip-routing command in the Global Configuration mode to enable tracking of IP routing on an interface and to enter the Tracking Configuration mode, signaled by the prompt Magnum 10RX(config-track)#.

Command syntax:

track objnum interface type number ip-routing

Where:

objnum specifies a numerical value for this tracked object.

type specifies the interface type.

number specifies the individual interface addressed.

Example:

Magnum 10RX(config)# track 499 interface vlan 1 ip-routing

Magnum 10RX(config-track)# 

This command specifies that tracked object number 499 is IP routing on VLAN 1.

Valid range, object number: 1-500

Use the show track command in Exec Commands mode to view configured values.


15.2.0.5 Configuring Tracking of Route Reachability

Use the track ip route reachability command in the Global Configuration mode to enable tracking of the reachability of an IP route and to enter the Tracking Configuration mode, signaled by the prompt Magnum 10RX(config-track)#.

Command syntax:

track objnum ip route route_num mask reachability

Where:

objnum specifies a numerical value for this tracked object.

route_num is the IP address, in dotted decimal notation, of the route that is being tracked.

mask is a subnet mask in dotted decimal notation.

Example:

Magnum 10RX(config)# track 10 ip route 198.162.1.3 255.255.255.0 reachability

Magnum 10RX(config-track)# 

This command specifies that tracked object number 10 is the reachability of the specified route.

Valid range, object number: 1-500

Use the show track command in Exec Commands mode to view configured values.

15.2.0.6 Configuring Tracking Delay

Use the delay up down command in the Tracking Configuration mode to specify a period of time to delay communicating state changes of a tracked object. The delay in communication following a transition to the up state and the delay in communication following the transition to a down state are separately specified.

The tracked object starts the delay timer when a state change occurs but does not recognize a state change until the delay timer expires. After the timer expires the object state is checked again and the client is notified only if the object currently has a changed state. Object tracking ignores any intermediate state changes before the delay timer expires.

For example, for an interface line-protocol tracked object that is in the up state with a 20 second down delay, the delay timer starts when the line protocol goes down. The client is not notified that the object is in the down state unless the line protocol is down 20 seconds later.

Command syntax:

delay up u_delay down d_delay

Where:

u_delay is a numerical value specifying the number of seconds to delay notification of a changed state when an object state changes from down to up.


d_delay is a numerical value specifying the number of seconds to delay notification of a changed state when an object state changes from up to down.

Example:

Magnum 10RX(config-track)# delay up 30 down 60

This command specifies that when the tracked object being configured changes state from down to up notification of this change to the client will be delayed by 30 seconds. Notification of a change from up to down will be delayed 60 seconds.

Valid range: 0-180

Use the show track command in Exec Commands mode to view configured values.
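The delay-timer behaviour described in this section can be modelled in a few lines. The following Python sketch is an added illustration, not INOS code; it assumes the tracker samples the object only at poll instants and re-reads the state when the delay timer expires, and the timeline is constructed.

```python
from bisect import bisect_right


def simulate(transitions, initial, up_delay, down_delay, poll=1, end=200):
    """Return the [(second, state), ...] notifications a tracking client receives.

    transitions: sorted [(second, "up" | "down"), ...] raw state changes.
    poll: polling interval in seconds, as set by 'track timer interface'.
    """
    if not (0 <= up_delay <= 180 and 0 <= down_delay <= 180):
        raise ValueError("delay must be in the documented range 0-180")
    if not 1 <= poll <= 3000:
        raise ValueError("poll interval must be in the documented range 1-3000")
    times = [t for t, _ in transitions]

    def raw_state(t):
        # Actual object state at second t, before any delay is applied.
        i = bisect_right(times, t)
        return initial if i == 0 else transitions[i - 1][1]

    notified = initial   # last state the client was told about
    deadline = None      # second at which the running delay timer expires
    events = []
    for t in range(end + 1):
        raw = raw_state(t)
        # A poll that sees a change starts the delay timer for that direction.
        if deadline is None and t % poll == 0 and raw != notified:
            deadline = t + (up_delay if raw == "up" else down_delay)
        # On expiry the state is checked again; flaps in between are ignored.
        if deadline is not None and t >= deadline:
            deadline = None
            if raw != notified:
                notified = raw
                events.append((t, raw))
    return events


# Constructed timeline: a 15-second flap, then a 60-second outage.
TIMELINE = [(10, "down"), (25, "up"), (40, "down"), (100, "up")]

if __name__ == "__main__":
    print("no delay:          ", simulate(TIMELINE, "up", 0, 0))
    print("up 30 / down 20:   ", simulate(TIMELINE, "up", 30, 20))
    print("up 30 / down 60, poll 60:", simulate(TIMELINE, "up", 30, 60, poll=60))
```

With a 60-second poll interval and a 60-second down delay, the constructed 60-second outage is never reported to the client. Tracked objects that drive VRRP failover therefore need both values sized against the shortest outage that must be detected.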

15.3 Configuring Object Tracking in the GUI

The following sections describe the screens that enable you to configure INOS Object tracking in the GUI.

15.3.1 Configuring Tracking Timers

In the GUI go to the Layer 3 Management: Track: Track Timer tab to specify tracking timing intervals for interfaces and IP routes, as illustrated in Figure 15-1.

Figure 15-1. Object Track Timer Screen

Use the Object Track Timer screen to specify the frequency at which the tracking process will poll the tracked interface or IP route. Click Apply for your specifications to take effect.

Table 15-1. Object Track Timer Fields

| Parameter | Description | See Also |
|---|---|---|
| Interface Track Timer | Specify a polling interval in seconds. Default value: 1 second. Valid range: 1-3000 | Section 15.2.0.1 |
| IP Route Track Timer | Specify a polling interval in seconds. Default value: 15 seconds. Valid range: 1-3000 | Section 15.2.0.2 |


15.3.2 Configuring Object Tracking

In the GUI go to the Layer 3 Management: Track: Track Settings tab to configure tracking details, as illustrated in Figure 15-2.

Figure 15-2. Object Tracking Configuration Screen

In the object tracking configuration screen use the upper dialog box to specify the details of the tracking process. Click the Create button to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured object tracking.

Table 15-2. Object Tracking Fields

| Parameter | Description | See Also |
|---|---|---|
| Select | You must click a selection button before modifying a configuration. | |
| Track ID | Specify a number to identify this tracked object. Valid range: 1-500 | Section 15.2.0.3, Section 15.2.0.4 |
| Track Type | Specify whether the tracking is to focus on an interface or on an IP route. | Section 15.2.0.3, Section 15.2.0.4 |
| Track Protocol | Specify the protocol type to be tracked. Options are Line-protocol (the state of an interface’s lower level protocol) and IP-routing (the state of IP routing on an interface). | Section 15.2.0.3, Section 15.2.0.4 |
| Interface | If the target is an interface select an available interface. | Section 15.2.0.3 |
| Network | If reachability of a route is tracked enter an IP address here. | Section 15.2.0.5 |
| Subnet Mask | If reachability of a route is tracked enter a network mask here. | Section 15.2.0.5 |
| Delay Up | Specify the delay in communication following the transition to an up state. Valid range: 0-180 seconds | Section 15.2.0.6 |
| Delay Down | Specify the delay in communication following the transition to a down state. Valid range: 0-180 seconds | Section 15.2.0.6 |


Chapter 16 DHCP Server

The Dynamic Host Configuration Protocol (DHCP) enables you to reserve ranges of addresses that can be allocated temporarily to devices as needed. Dynamic allocation allows automatic reuse of addresses by granting temporary address leases to hosts as they are requested. When a lease expires, the host must renew the lease with the server. If a lease is not renewed, that address may be allocated to a new host. For dynamic allocation a set of address pools (or "ranges") are configured on the server and new addresses are selected from these pools.

16.1 Configuring the DHCP Server in the CLI

The following subsections detail the CLI commands that enable you to configure the DHCP server. These commands are executed from Global Configuration mode and from DHCP configuration mode.

16.1.1 Enabling and Disabling the DHCP Server

Use the set dhcp server command in Global Configuration mode to enable or disable DHCP server functionality.

Command syntax:

set dhcp server {enable|disable}

Example:

Magnum 10RX(config)# set dhcp server enable

16.1.2 Configuring a DHCP Address Pool

Use the ip dhcp pool command in Global Configuration mode to create the DHCP address pool and to enter DHCP Configuration mode, signified by the Magnum 10RX(dhcp-config)# prompt, for address pool-related configuration.

Command syntax:

ip dhcp pool poolnum

Where:

poolnum is a numerical value specifying an address pool.

Example:

Magnum 10RX(config)# ip dhcp pool 100

Magnum 10RX(dhcp-config)# 


Valid range: 1-2147483647

The no ip dhcp pool poolnum command deletes the address pool specified by poolnum.

16.1.3 Specifying a Boot Server

Use the ip dhcp next-server command in Global Configuration mode to configure in the DHCP server parameters the IP address of the boot server (that is, TFTP server) from which the initial boot file is to be loaded in a DHCP client. When a DHCP client starts it contacts the boot server in order to download the boot file.

Command syntax:

ip dhcp next-server ipaddr

Where:

ipaddr is the IP address of the boot server.

Example:

Magnum 10RX(config)# ip dhcp next-server 192.168.2.10

Default value: If no boot server is specified the DHCP server fulfills this function.

The no ip dhcp next-server command specifies the default.

16.1.4 Specifying a Boot File

Use the ip dhcp bootfile command in Global Configuration mode to configure in the DHCP server parameters the name of the boot file. This is the file that stores the boot image (operating system) and that the client loads and executes.

Command syntax:

ip dhcp bootfile filename

Where:

filename is a string of up to 63 characters in length naming the boot file.

Example:

Magnum 10RX(config)# ip dhcp bootfile booterup5

The no dhcp bootfile command deletes a configured boot file name.

16.1.5 Enabling the ICMP Echo

Use the ip dhcp ping packets command in Global Configuration mode to enable the Internet Control Message Protocol (ICMP) echo mechanism on the DHCP server. With this feature enabled the server is able to ping candidate IP addresses to make sure they are available before assigning them to clients.


Command syntax:

ip dhcp ping packets

Example:

Magnum 10RX(config)# ip dhcp ping packets

Default value: feature is disabled

The no ip dhcp ping packets command specifies the default.

16.1.6 Configure Offer-reuse Interval

Use the ip dhcp server offer-reuse command in Global Configuration mode to configure the length of time the server will wait to receive a DHCP REQUEST from a client before making an offered IP address available to another client.

Command syntax:

ip dhcp server offer-reuse offersecs

Where:

offersecs is a numerical value in the range 1-120 specifying the number of seconds between an offer made and a response from the targeted client.

Example:

Magnum 10RX(config)# ip dhcp server offer-reuse 10

Default value: 5

Valid range: 1-120

The no ip dhcp server offer-reuse command specifies the default.

16.1.7 Configuring Global DHCP Options

Use the ip dhcp option command in Global Configuration mode to configure DHCP options defined in RFC 2132. For the option command applied to specific address pools see Section 16.1.15.

Command syntax:

ip dhcp option code {ascii string | hex hexval | ip ipaddr}

Where:

code is a numerical value in the range 1-214748364 specifying an option defined in RFC 2132.

string following the keyword ascii specifies a text to be returned.

hexval following the keyword hex specifies a hex value to be returned.

ipaddr following the keyword ip specifies an IP address to be returned.


Example:

Magnum 10RX(config)# ip dhcp option 11 ascii testtext

Valid range (code): 1-214748364

The no ip dhcp option optionspec command deletes the option specified by optionspec.

16.1.8 Configuring a Subnet Pool of Addresses

Use the network command in DHCP Configuration mode to specify the network IP address range of the subnet pool.

Command syntax:

network ipaddr [{mask| / preflength}] [start_ip startaddr][end_ip endaddr]

Where:

ipaddr specifies the network IP subnet address for the DHCP pool of addresses available to be assigned to clients.

mask specifies a subnet mask for the network IP address. This value is used to calculate the range of available addresses.

preflength specifies the number of high-order bits in the IP address. This value, in the range 1-31, must be preceded by a three-element prefix made up of a space followed by a forward slash followed by another space. This specification has the effect of creating a mask and an end-of-range address. For example, 20.0.0.0 / 6

startaddr specifies the first IP address in the pool. If this address is manually specified it overrides any automatically calculated beginning-of-range address.

endaddr specifies the last IP address in the pool. If this address is manually specified it overrides any automatically calculated end-of-range address.

Example:

Magnum 10RX(dhcp-config)# network 20.0.0.0 255.0.0.0 start_ip 20.0.0.50 end_ip 20.0.0.100

Default value (mask): 255.0.0.0

Valid range (preflength): 1-31

The no network addressspec command deletes from the pool the addresses specified by addressspec.

16.1.9 Excluding Addresses from a Pool

Use the excluded-address command in DHCP Configuration mode to exclude specified addresses from a previously configured address pool. The addresses in this subset of addresses will not be assigned to DHCP clients.


Command syntax:

excluded-address startaddr endaddr

Where:

startaddr is the initial IP address in the excluded range.

endaddr is the last IP address in the excluded range.

Example:

Magnum 10RX(dhcp-config)# excluded-address 20.0.0.1 20.0.0.30

The no excluded-address startaddr endaddr command ends the exclusion of the range of addresses defined by startaddr endaddr.

16.1.10 Specifying a Domain Name

Use the domain-name command in DHCP Configuration mode to configure the domain name option in the DHCP configuration parameters. A DHCP client uses this domain name while resolving host names through a domain name system.

Command syntax:

domain-name dname

Where:

dname is a string of up to 63 characters specifying a domain name.

Example:

Magnum 10RX(dhcp-config)# domain-name garrettcom

The no domain-name dname command deletes the configured domain name dname.

16.1.11 Specifying a DNS Server

Use the dns-server command in DHCP Configuration mode to configure a DNS server’s IP address in the DHCP configuration parameters.

Command syntax:

dns-server ipaddr

Where:

ipaddr is the IP address of a DNS server.

Example:

Magnum 10RX(dhcp-config)# dns-server 192.168.2.10

The no dns-server command deletes a configured DNS server address.


16.1.12 Specifying a NetBIOS and WINS Name Server

Use the netbios-name-server command in DHCP Configuration mode to configure the IP address of a name server for Network Basic Input/Output System (NetBIOS) and Windows Internet Name Service (WINS) in the DHCP configuration parameters.

Command syntax:

netbios-name-server ipaddr

Where:

ipaddr is the IP address of a NetBIOS and WINS name server.

Example:

Magnum 10RX(dhcp-config)# netbios-name-server 10.10.10.4

The no netbios-name-server command deletes a configured NetBIOS server address.

16.1.13 Specifying a NetBIOS Node Type

Use the netbios-node-type command in DHCP Configuration mode to configure the method used to register and resolve NetBIOS names to IP addresses.

Command syntax:

netbios-node-type {nodeval|b-node|h-node|m-node|p-node}

Where:

nodeval is a numerical value in the range 0-255 that enables NetBIOS over TCP/IP clients.

b-node is a keyword specifying that name resolution will be done by broadcasts.

h-node is a keyword specifying that name resolution will be done by a hybrid of p-node and b-node, first attempting a query of a name server and then using a name broadcast.

m-node is a keyword specifying that name resolution will be done by a mixture of b-node and p-node, first attempting resolution by broadcast and then by querying a name server.

p-node is a keyword specifying that name resolution will be done peer-to-peer, by a query of a configured NetBIOS name server.

Example:

Magnum 10RX(dhcp-config)# netbios-node-type h-node

The no netbios-node-type command deletes a configured node type.


16.1.14 Specifying a Default Router

Use the default-router command in DHCP Configuration mode to specify the IP address of a default router with which clients can communicate to access an address pool.

Command syntax:

default-router ipaddr

Where:

ipaddr is the IP address of the default router.

Example:

Magnum 10RX(dhcp-config)# default-router 192.168.4.12

Valid range: 1-16

The no default-router command deletes the configured IP address.

16.1.15 Configuring Pool-specific DHCP Options

Use the option command in DHCP Configuration mode to configure DHCP options defined in RFC 2132. For the option command applied globally see Section 16.1.7.

Command syntax:

option code {ascii string | hex hexval | ip ipaddr}

Where:

code is a numerical value in the range 1-214748364 specifying a DHCP option used in a DHCP OFFER message in response to a DHCP DISCOVER message.

string following the keyword ascii specifies a text for the DHCP option specified by code.

hexval following the keyword hex specifies a hex value for the DHCP option specified by code.

ipaddr following the keyword ip specifies an IP address for the DHCP option specified by code.

Example:

Magnum 10RX(dhcp-config)# option 19 ascii hex f

Valid range (code): 1-214748364

The no option optionspec command deletes the option specified by optionspec.
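How the three value types of the option command (global in Section 16.1.7, per pool here) end up in a DHCP message: the added Python sketch below, which is not INOS code, encodes an option in the RFC 2132 code/length/data layout and parses it back. It assumes an odd number of hex digits is left-padded with a zero, and it rejects codes outside 1-254 because RFC 2132 carries the code in a single octet with 0 and 255 reserved for pad and end.

```python
import ipaddress

PAD, END = 0, 255   # reserved one-octet codes in RFC 2132


def encode_option(code, kind, value):
    """Encode one option as code, length, data (code and length are one octet each)."""
    if not 1 <= code <= 254:
        raise ValueError("RFC 2132 option codes are one octet: 1-254")
    if kind == "ascii":
        data = value.encode("ascii")
    elif kind == "hex":
        # Assumption: an odd number of hex digits is left-padded with a zero.
        data = bytes.fromhex(value if len(value) % 2 == 0 else "0" + value)
    elif kind == "ip":
        data = ipaddress.IPv4Address(value).packed
    else:
        raise ValueError("kind must be ascii, hex or ip")
    if len(data) > 255:
        raise ValueError("option data does not fit the one-octet length field")
    return bytes([code, len(data)]) + data


def decode_options(blob):
    """Walk an options field and return [(code, data), ...] up to the END marker."""
    out, i = [], 0
    while i < len(blob):
        code = blob[i]
        if code == PAD:          # pad octets carry no length field
            i += 1
            continue
        if code == END:          # anything after END is ignored
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        out.append((code, data))
        i += 2 + length
    return out


if __name__ == "__main__":
    # Values taken from the CLI examples in this chapter.
    for args in ((11, "ascii", "testtext"), (1, "ip", "10.0.0.1")):
        print(args, "->", encode_option(*args).hex())
```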


16.1.16 Configuring a Lease Period

Use the lease command in DHCP Configuration mode to specify a lease period; that is, the duration of a client’s possession of an IP address assigned by the DHCP server. The user specifies the lease period in terms of days, hours, and minutes. An internal calculation is done to translate these specifications into total seconds.

Command syntax:

lease {days [hours [minutes]]|infinite}

Where:

days is a numerical value in the range 0-365 specifying a number of days.

hours is a numerical value in the range 0-23 specifying a number of hours.

minutes is a numerical value in the range 1-59 specifying a number of minutes.

infinite is a keyword specifying that the lease period is 2147483647 seconds.

Example:

Magnum 10RX(dhcp-config)# lease 0 8

Default value: 3600 seconds (1 hr.)

Valid ranges:

days — 0-365

hours — 0-23

minutes — 1-59

The no lease command specifies the default.

16.1.17 Configuring a Pool Utilization Threshold

Use the utilization threshold command in DHCP Configuration mode to specify a percentage of the addresses in the pool. When the proportion of addresses in use exceeds this percentage warnings will be triggered: a syslog event and an SNMP trap message will be generated.

Command syntax:

utilization threshold percentage

Where:

percentage is a numerical value in the range 0-100 specifying the percentage of utilization of the address pool that, when exceeded, will trigger warnings.

Example:

Magnum 10RX(dhcp-config)# utilization threshold 80

Default value: 75

Valid range: 0-100


The no utilization threshold command specifies the default.
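The address arithmetic behind the network, excluded-address and utilization threshold commands (Sections 16.1.8, 16.1.9 and 16.1.17), as an added Python example that is not INOS code. It assumes that without start_ip and end_ip the range is the usable host span of the subnet; the second exclusion, the lease counts and the static addresses in the demonstration are constructed values.

```python
import ipaddress


def assignable_ranges(network, mask, start_ip=None, end_ip=None, excluded=()):
    """Return [(first, last), ...] address ranges left for dynamic leases.

    mask may be a dotted-decimal mask or a prefix length.
    """
    net = ipaddress.IPv4Network(f"{network}/{mask}", strict=True)
    # Assumption: the automatically calculated range is the usable host span.
    lo = int(net.network_address) + 1
    hi = int(net.broadcast_address) - 1
    # A manually specified start_ip or end_ip overrides the calculated bound.
    if start_ip is not None:
        lo = int(ipaddress.IPv4Address(start_ip))
    if end_ip is not None:
        hi = int(ipaddress.IPv4Address(end_ip))
    if lo > hi:
        raise ValueError("pool range is empty or reversed")
    for bound in (lo, hi):
        if ipaddress.IPv4Address(bound) not in net:
            raise ValueError(f"{ipaddress.IPv4Address(bound)} is outside {net}")
    ranges = [(lo, hi)]
    for ex_first, ex_last in excluded:
        a = int(ipaddress.IPv4Address(ex_first))
        b = int(ipaddress.IPv4Address(ex_last))
        if a > b:
            raise ValueError("excluded range is reversed")
        kept = []
        for s, e in ranges:
            if b < s or a > e:        # exclusion does not touch this range
                kept.append((s, e))
                continue
            if s < a:                 # part below the exclusion survives
                kept.append((s, a - 1))
            if b < e:                 # part above the exclusion survives
                kept.append((b + 1, e))
        ranges = kept
    return [(ipaddress.IPv4Address(s), ipaddress.IPv4Address(e)) for s, e in ranges]


def pool_size(ranges):
    """Number of addresses available for leases."""
    return sum(int(e) - int(s) + 1 for s, e in ranges)


def utilization_exceeded(in_use, size, threshold=75):
    """True when the share of leased addresses exceeds threshold percent (default 75)."""
    if not 0 <= threshold <= 100:
        raise ValueError("threshold must be in the documented range 0-100")
    if size == 0:
        return True                   # nothing left to lease
    return in_use * 100 > threshold * size


def static_in_pool(ranges, addresses):
    """Return the statically assigned addresses that the server could still lease."""
    hits = []
    for addr in addresses:
        ip = ipaddress.IPv4Address(addr)
        if any(s <= ip <= e for s, e in ranges):
            hits.append(addr)
    return hits


if __name__ == "__main__":
    # network and first exclusion from the CLI examples; second exclusion is constructed.
    pool = assignable_ranges("20.0.0.0", "255.0.0.0", "20.0.0.50", "20.0.0.100",
                             [("20.0.0.1", "20.0.0.30"), ("20.0.0.60", "20.0.0.69")])
    print([(str(s), str(e)) for s, e in pool], pool_size(pool))
    print("alarm at 33 leases, threshold 80:", utilization_exceeded(33, pool_size(pool), 80))
    print("static addresses inside pool:", static_in_pool(pool, ["20.0.0.65", "20.0.0.75"]))
```

Addresses that are configured statically on the subnet belong inside an excluded range; static_in_pool lists any that the server could still hand out.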

16.1.18 Configuring Host Hardware Type

Use the host hardware-type command in DHCP Configuration mode to specify the host hardware type and either a host IP address or an appropriate DHCP option.

Command syntax:

host client-identifier mac-address {ipaddress|option code {ascii string|hex hexval|ipaddress}}

Where:

mac-address following the keyword client-identifier is a conventional MAC address for the host.

ipaddress is an IP address for the DHCP host.

code is a numerical value in the range 1-214748364 specifying a DHCP option used in a DHCP OFFER message in response to a DHCP DISCOVER message.

string following the keyword ascii specifies a text for the DHCP option specified by code.

hexval following the keyword hex specifies a hex value for the DHCP option specified by code.

ipaddr following the keyword ip specifies an IP address for the DHCP option specified by code.

Example:

Magnum 10RX(dhcp-config)# host client-identifier d0:67:e5:4e:f8:1c option 1 ip 10.0.0.1

Default value: 75

Valid range (code): 1-214748364

The no host typespec command deletes the configured hardware type and option specified by typespec.

16.2 Displaying DHCP Information

The CLI commands described below enable you to display information about DHCP configuration and performance. These commands are executed in Exec Commands mode at the Magnum 10RX# prompt.

16.2.1 show ip dhcp server information

Use the show ip dhcp server information command to display status and identifying information about the DHCP server.


Example:

Magnum 10RX# show ip dhcp server information

16.2.2 show ip dhcp server pools

Use the show ip dhcp server pools command to display information about the definition and configuration of all DHCP pools.

Example:

Magnum 10RX# show ip dhcp server pools

16.2.3 show ip dhcp server binding

Use the show ip dhcp server binding command to display the address information exchanged between DHCP server and client.

Example:

Magnum 10RX# show ip dhcp server binding

16.2.4 show ip dhcp server statistics

Use the show ip dhcp server statistics command to display information about DHCP performance.

Example:

Magnum 10RX# show ip dhcp server statistics

16.3 Configuring the DHCP Server in the GUI

The following subsections detail the GUI screens that enable you to configure the DHCP server. These screens are accessed on the Layer 3 Management: DHCP Server branch of the GUI menu.


16.3.1 Configuring DHCP Basic Settings

In the GUI go to the Layer 3 Management: DHCP Server: Basic Settings tab to configure basic DHCP parameters, as illustrated in Figure 16-1.

Figure 16-1. DHCP Basic Settings Screen

Select or enter values in the fields of the DHCP Basic Settings screen and click the Apply button to implement and save your specifications.

Table 16-1. DHCP Basic Settings Fields

| Parameter | Description | See Also |
|---|---|---|
| DHCP Server | Enabled must be selected to have DHCP functionality in the server. | Section 16.1.1 |
| Server Offer-Reuse Time (secs) | Configure the length of time the server will wait to receive a DHCP REQUEST from a client before making an offered IP address available to another client. Default value: 5. Valid range: 1-120. | Section 16.1.6 |
| ICMP Echo Mechanism | Enable or disable the Internet Control Message Protocol (ICMP) echo mechanism on the DHCP server. With this feature enabled the server is able to ping candidate IP addresses to make sure they are available before assigning them to clients. | Section 16.1.5 |
| DHCP Next Server IP address | Specify the IP address of the boot server from which the initial boot file is to be loaded in a DHCP client. When a DHCP client starts it contacts the boot server in order to download the boot file. | Section 16.1.3 |


16.3.2 Configuring DHCP Global Options

In the GUI go to the Layer 3 Management: DHCP Server: Global Options tab to set options specified in RFC 2132 to have system-wide effect, as illustrated in Figure 16-2.

Figure 16-2. DHCP Global Option Settings Screen

In the DHCP Global Options Settings screen you can select from a list of conventional options available from a drop-down menu. The option code associated with your selection will appear in the Option Code field. Alternatively, you can select the “manual” option (the last item on the drop-down menu) and enter the Option Code value. Options selected here have system-wide effect.

Table 16-2. DHCP Global Option Fields

| Parameter | Description | See Also |
|---|---|---|
| Select | You must click a selection button before modifying a configuration. | |
| Option | Select one from among the options available in the drop-down menu. | Section 16.1.7 |
| Option Code | This field is editable only if you make the “Manual” selection from the Option drop-down menu. In that case you can specify the code specified in RFC 2132 for an option. Otherwise the code associated with a selection made in the Option field will be inserted automatically. | |
| Option Value | This may be a text string, an IP address, or a numerical value, depending on the type of Option selected. | |


16.3.3 Configuring DHCP Pool Settings

In the GUI go to the Layer 3 Management: DHCP Server: Pool Settings tab to set options specified in RFC 2132 to have effect in this pool, as illustrated in Figure 16-3.

Figure 16-3. DHCP Pool Settings Screen

Use the fields of the DHCP Settings Screen to define the range and availability of addresses in the pool.

Table 16-3. DHCP Pool Settings Fields

| Parameter | Description | See Also |
|---|---|---|
| Select | You must click a selection button before modifying a configuration. | |
| Pool ID | A numerical value in the range 1-2147483647 identifying this address pool. | Section 16.1.2 |
| Subnet Pool | Specifies the subnet network number of the pool. | Section 16.1.8 |
| Network Mask | Specifies the subnet mask for the address pool. | Section 16.1.8 |
| Start IP Address | Specifies the IP address that begins the range of addresses in the pool. | Section 16.1.8 |
| End IP Address | Specifies the IP address that ends the range of addresses in the pool. | Section 16.1.8 |
| Lease Time (secs) | Specifies the duration of a client’s possession of an IP address assigned by the DHCP server. | Section 16.1.16 |
| Utilization Threshold | Specifies a percentage of the total number of addresses in the pool. When the proportion of addresses in use exceeds this percentage warnings will be triggered. | Section 16.1.17 |


16.3.4 Configuring DHCP Pool Option Settings

In the GUI go to the Layer 3 Management: DHCP Server: Pool Option Settings tab to configure options to apply to a specific address pool, as illustrated in Figure 16-4.

Figure 16-4. DHCP Pool Option Settings Screen

In the DHCP Pool Options Settings screen you can select from a list of conventional options available from a drop-down menu. The option code associated with your selection will appear in the Option Code field. Alternatively, you can select the “manual” option (the last item on the drop-down menu) and enter the Option Code value. Options selected here have effect in this pool only.

Table 16-4. DHCP Pool Option Fields

| Parameter | Description | See Also |
|---|---|---|
| Select | You must click a selection button before modifying a configuration. | |
| Option | Select one from among the options available in the drop-down menu. | Section 16.1.15 |
| Option Code | This field is editable only if you make the “Manual” selection from the Option drop-down menu. In that case you can specify the code specified in RFC 2132 for an option. Otherwise the code associated with a selection made in the Option field will be inserted automatically. | |
| Option Value | This may be a text string, an IP address, or a numerical value, depending on the type of Option selected. | |


16.3.5 Configuring DHCP Host Option Settings

In the GUI go to the Layer 3 Management: DHCP Server: Host Options tab to specify the host hardware type and either a host IP address or an appropriate DHCP option, as illustrated in Figure 16-5.

Figure 16-5. DHCP Host Option Settings Screen

In the DHCP Host Options Settings screen you can specify client and host identifiers and select from a list of conventional options available from a drop-down menu.

Table 16-5. Host Option Settings Fields

| Parameter | Description | See Also |
|---|---|---|
| Pool ID | A numerical value identifying a configured address pool. | Section 16.1.18 |
| Client Identifier | The MAC address of the targeted client. | |
| Host Identifier Type | Specify whether the host is to be identified by IP address or by option type. | |
| Host IP Address | The IP address of the host. | |
| Host Option Code | Select an RFC 2132 option code from the drop-down list. | |
| Host Option Value | This may be a text string, an IP address, or a numerical value, depending on the type of Option selected. | |


16.3.6 Configuring an Exclude List

In the GUI go to the Layer 3 Management: DHCP Server: Exclude List tab to specify addresses in a configured pool that are not to be distributed to clients, as illustrated in Figure 16-6.

Figure 16-6. DHCP Server IP Exclude Settings Screen

In the upper dialog box specify a range of addresses to be excluded from distribution. Click add for your specification to take effect and to be displayed in the lower dialog box. Use the lower dialog box to view configurations, modify configured exclusions, or to delete a selected configuration.

Table 16-6. DHCP Server IP Exclude Fields

| Parameter | Description | See Also |
|---|---|---|
| Select | You must click a selection button before modifying a configuration. | |
| Pool ID | A numerical value identifying a configured address pool. | Section 16.1.9 |
| Start IP Address | Specify the initial IP address in the excluded range. | |
| End IP Address | Specify the final IP address in the excluded range. | |

16.3.7 Displaying Binding Information

In the GUI go to the Layer 3 Management: DHCP Server: Binding Information tab to display DHCP binding information, as illustrated in Figure 16-7.

Figure 16-7. DHCP Server Bindings Screen


The DHCP binding information screen displays mapping between the IP address and MAC address of a client.

Table 16-7. Server Bindings Fields

| Parameter | Description | See Also |
|---|---|---|
| Select | You must click a selection button before modifying a configuration. | |
| IP Address | The IP Address associated with the binding. | Section 16.2.3 |
| Hardware Address | The hardware address type associated with the binding. | |
| Binding State | The state of this binding. Valid states are: offered (the offer of the binding has been sent to the client but no response has been received); assigned (the address is assigned to the client); probed (the address is currently being probed by the DHCP server). | |
| Expire Time | Indicates the time remaining for this binding. | |


Chapter 17 Firewall/NAT

The 10RX features a stateful firewall with the ability to do dynamic and static address translation. The following sections describe basic firewall and Network Address Translation (NAT) configuration commands to use to provide protection for your network.

17.1 Defining Inside and Outside

By factory default, the 10RX firewall is disabled and no packet filtering occurs.

You can set up a simple default firewall policy by choosing an "outside" interface (that is, the "public" network where the threats are) and an "inside" interface (that is, the "private" network that you wish to protect) and then enabling the firewall. All connections initiated from the inside and directed to the outside are allowed and all connections initiated from the outside and directed to the inside are denied. This prevents attackers on the outside from accessing network resources behind your firewall.

17.1.1 Configuring a Default Security Policy

Use the nameif and security-level commands in Interface Configuration mode to configure the default security policy on your interfaces. With the nameif command you give the selected interface a meaningful name and with the security-level command you assign a security level to that interface. A security level of 0 means that the attached network is not trusted. A security level of 100 means that the attached network is fully trusted. A DMZ or other intermediate security arrangement can be created by using a security level between 0 and 100.

Command syntax:

nameif ifname

security-level seclev

Where:

ifname is a user-supplied string giving a name to the interface.

seclev is an integer specifying the security level to assign to the interface.

Figure 17-1 provides an example of the CLI commands to execute to select interface Gigabitethernet 3/1, connect it to the public network, and assign it a security level implying high risk.


Magnum 10RX(config)# interface gigabitethernet 3/1
Magnum 10RX(config-if)# no switchport
Magnum 10RX(config-if)# ip address 192.168.3.2 255.255.255.0
Magnum 10RX(config-if)# nameif outside
Magnum 10RX(config-if)# security-level 0
Magnum 10RX(config-if)# exit

Figure 17-1. Establishing the Firewall’s Public Interface

Figure 17-2 provides an example of the CLI commands to execute to select Gigabitethernet 5/1, connect it to the private network, and assign it a security level implying great trust.

Magnum 10RX(config)# interface gigabitethernet 5/1
Magnum 10RX(config-if)# no switchport
Magnum 10RX(config-if)# ip address 192.168.2.2 255.255.255.0
Magnum 10RX(config-if)# nameif inside
Magnum 10RX(config-if)# security-level 100
Magnum 10RX(config-if)# exit

Figure 17-2. Establishing the Firewall’s Private Interface

Figure 17-3 provides an example of the CLI commands to execute to select Gigabitethernet 7/1 and make it a DMZ by assigning it an intermediate security level.

Magnum 10RX(config)# interface gigabitethernet 7/1
Magnum 10RX(config-if)# no switchport
Magnum 10RX(config-if)# ip address 192.168.4.2 255.255.255.0
Magnum 10RX(config-if)# nameif dmz
Magnum 10RX(config-if)# security-level 50

Figure 17-3. Establishing a DMZ

17.1.2 Enabling the Firewall

Use the set firewall command in Global Configuration mode to enable or disable the firewall. The firewall cannot be enabled until you have configured a basic default security policy.

Command syntax:

set firewall {enable | disable}

Example:

Magnum 10RX(config)# set firewall enable

Default value: disabled

17.1.3 Configuring Basic Access Control Lists

In addition to the default security policy, you also have fine-grained control over what traffic is allowed to pass from lower to higher security zones.


Use the access-list command in Global Configuration mode to create specific security policies that create exceptions to the default policy.

Command syntax:

access-list acl-name [line lineno] extended {deny | permit} {ip | tcp | udp | protocol-number} {any | host source-host | source-network source-mask} [{{eq | neq | lt | gt} src-port | range src-port-low src-port-high}] {any | host destination-host | destination-network destination-mask} [{{eq | neq | lt | gt} dst-port | range dst-port-low dst-port-high}]

Where:

acl-name is a user-supplied name for this access list.

lineno specifies a line number within the ACL where this entry is to be located. (By default new entries are added to the end of the list.)

protocol-number is a numerical value specifying the number in the IP header that identifies the targeted protocol.

source-host is an IP address specifying a source.

source-network source-mask together specify a subnet as a source.

src-port is a numerical value specifying a TCP or UDP port as a source. The preceding key words eq (equal to), neq (not equal to), lt (less than), and gt (greater than) define the relation of the entry being configured to the port or ports specified.

src-port-low and src-port-high following the key word range together define a range of ports as a source.

destination-host is an IP address specifying a destination.

destination-network destination-mask together specify a subnet as a destination.

dst-port is a numerical value specifying a TCP or UDP port as a destination. The preceding key words eq (equal to), neq (not equal to), lt (less than), and gt (greater than) define the relation of the entry being configured to the port or ports specified.

dst-port-low and dst-port-high following the key word range together define a range of ports as a destination.


Examples

To make a particular server (192.168.2.42) in your private network accessible from the public network:

Magnum 10RX(config)# access-list allow_server1 extended permit ip any host 192.168.2.42

To make the entire subnet accessible:

Magnum 10RX(config)# access-list allow_server2 extended permit ip any 192.168.2.0 255.255.255.0

To make the server only accessible by a particular host on the outside network:

Magnum 10RX(config)# access-list allow_server3 extended permit ip host 192.168.3.43 host 192.168.2.42

To allow access to only UDP port 9999 on 192.168.2.42:

Magnum 10RX(config)# access-list allow_server4 extended permit udp any host 192.168.2.42 eq 9999

To allow access to only the range of TCP ports 10201-10204 on subnet 192.168.2.0/24:

Magnum 10RX(config)# access-list allow_server5 extended permit tcp any 192.168.2.0 255.255.255.0 range 10201 10204

The no acl-list extended permit target-spec command deletes the specified exception.
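
To compare how far each of the five example entries above opens the inside network, the following added example (not part of INOS or of the original guide) parses the access-list syntax given in this section and tests every entry against four constructed packets. It handles only the any / host / network-mask and port-operator forms shown above; the packet addresses other than 192.168.3.43 and 192.168.2.42 are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The five example entries from section 17.1.3, without the CLI prompt.
PAGE_ACLS = [
    "access-list allow_server1 extended permit ip any host 192.168.2.42",
    "access-list allow_server2 extended permit ip any 192.168.2.0 255.255.255.0",
    "access-list allow_server3 extended permit ip host 192.168.3.43 host 192.168.2.42",
    "access-list allow_server4 extended permit udp any host 192.168.2.42 eq 9999",
    "access-list allow_server5 extended permit tcp any 192.168.2.0 255.255.255.0 range 10201 10204",
]
# Constructed packets: label -> (IP protocol number, source, destination, dst port).
PACKETS = {
    "tcp23_from_other": (6, "192.168.3.99", "192.168.2.42", 23),
    "udp9999_from_other": (17, "192.168.3.99", "192.168.2.42", 9999),
    "tcp23_from_3.43": (6, "192.168.3.43", "192.168.2.42", 23),
    "tcp10203_to_2.77": (6, "192.168.3.99", "192.168.2.77", 10203),
}
PROTO = {"tcp": 6, "udp": 17}

@dataclass
class Entry:
    name: str
    action: str                     # permit | deny
    proto: str                      # ip | tcp | udp | protocol number as text
    src: ipaddress.IPv4Network
    sports: Optional[tuple]         # (operator, port, high port or None)
    dst: ipaddress.IPv4Network
    dports: Optional[tuple]

def take_addr(tok):
    """Consume 'any', 'host ADDR' or 'NETWORK MASK' from the front of tok."""
    head = tok.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(head + "/" + tok.pop(0))

def take_ports(tok):
    """Consume an optional 'eq|neq|lt|gt PORT' or 'range LOW HIGH' clause."""
    if tok and tok[0] in ("eq", "neq", "lt", "gt"):
        return (tok.pop(0), int(tok.pop(0)), None)
    if tok and tok[0] == "range":
        tok.pop(0)
        return ("range", int(tok.pop(0)), int(tok.pop(0)))
    return None

def parse_entry(line):
    """Parse one access-list command into an Entry; reject anything unparsed."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError("not an access-list command: " + line)
    name, tok = tok[1], tok[2:]
    if tok[0] == "line":            # optional 'line lineno' position
        tok = tok[2:]
    if tok.pop(0) != "extended":
        raise ValueError("expected 'extended': " + line)
    action, proto = tok.pop(0), tok.pop(0)
    src, sports = take_addr(tok), take_ports(tok)
    dst, dports = take_addr(tok), take_ports(tok)
    if tok:
        raise ValueError("unparsed tokens: " + " ".join(tok))
    return Entry(name, action, proto, src, sports, dst, dports)

def port_ok(clause, port):
    """Apply an eq/neq/lt/gt/range clause to one port number."""
    if clause is None:
        return True
    if port is None:                # packet carries no port but the entry needs one
        return False
    op, a, b = clause
    return {"eq": port == a, "neq": port != a, "lt": port < a,
            "gt": port > a, "range": b is not None and a <= port <= b}[op]

def matches(entry, proto, src, dst, dport=None, sport=None):
    """True when a packet satisfies every field of the entry."""
    if entry.proto != "ip" and PROTO.get(entry.proto) != proto \
            and entry.proto != str(proto):
        return False
    return (ipaddress.ip_address(src) in entry.src
            and ipaddress.ip_address(dst) in entry.dst
            and port_ok(entry.sports, sport) and port_ok(entry.dports, dport))

def admitted_by(entry):
    """Labels of the constructed packets that a permit entry lets through."""
    return [k for k, p in PACKETS.items() if entry.action == "permit" and matches(entry, *p)]

def broad_permits(entries):
    """Permit entries open to any source, every IP protocol and every port."""
    return [e.name for e in entries
            if e.action == "permit" and e.proto == "ip"
            and e.src.prefixlen == 0 and e.dports is None]

if __name__ == "__main__":
    for e in map(parse_entry, PAGE_ACLS):
        print(e.name, "->", e.dst, "admits", admitted_by(e))
```

Of the five entries, broad_permits() returns allow_server1 and allow_server2, the two that admit any protocol from any source.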

17.1.4 Configuring Object Groups

You can manage related network devices and services and their specialized firewall treatment by creating object groups.

17.1.4.1 Network Object Groups

Use the object-group network command in Global Configuration mode to enter into Network Object Group Configuration mode, signaled by the Magnum 10RX(config-network)# prompt.

Command syntax:

object-group network object-group-name

Where:

object-group-name is a string specifying a user-supplied name for the group.

Figure 17-4 provides an example of the commands to use to create a network object group containing two non-contiguous address ranges.


Magnum 10RX(config)# object-group network group1
Magnum 10RX(config-network)# network-object range 192.168.5.32 192.168.5.37
Magnum 10RX(config-network)# network-object range 192.168.5.55 192.168.5.64
Magnum 10RX(config-network)# exit
Magnum 10RX(config)#

Figure 17-4. Configuring Non-contiguous Address Ranges as an Object Group

17.1.4.2 Service Object Groups

Service object groups enable you to specify sets of either UDP or TCP ports that define a network service or set of network services.

Use the object-group service command in Global Configuration mode to enter into Service Object Group Configuration mode, signaled by the Magnum 10RX(config-service)# prompt.

Command syntax:

object-group service {tcp | tcpudp | udp} object-group-name

Where:

The keywords tcp, udp, and tcpudp specify TCP service, UDP service, or both, respectively.

object-group-name is a string specifying a user-supplied name for the group.

Figure 17-5 provides an example of the commands to use to create a service object containing a set of non-contiguous ports.

Magnum 10RX(config)# object-group service tcp service1
Magnum 10RX(config-service)# port-object eq 10201
Magnum 10RX(config-service)# port-object range 10204 10209
Magnum 10RX(config-service)# exit
Magnum 10RX(config)#

Figure 17-5. Configuring a Service Object Group of Non-contiguous Ports

17.1.4.3 ICMP Object Groups

ICMP object groups enable you to specify sets of ICMP types.

Use the object-group icmp command in Global Configuration mode to enter into ICMP Object Group Configuration mode, signaled by the Magnum 10RX(config-icmp-type)# prompt.

Command syntax:

object-group icmp object-group-name

Where:

object-group-name is a string specifying a user-supplied name for the group.


Figure 17-6 provides an example of the commands to use to create an ICMP group containing both the ICMP echo request and reply types.

Magnum 10RX(config)# object-group icmp pings
Magnum 10RX(config-icmp-type)# icmp-object 0
Magnum 10RX(config-icmp-type)# icmp-object 8
Magnum 10RX(config-icmp-type)# exit
Magnum 10RX(config)#

Figure 17-6. Configuring an ICMP Type Group

17.1.4.4 Protocol Object Groups

Protocol object groups enable you to specify sets of IP protocols.

Use the object-group protocol command in Global Configuration mode to enter into Protocol Object Group Configuration mode, signaled by the Magnum 10RX(config-protocol)# prompt.

Command syntax:

object-group protocol object-group-name

Where:

object-group-name is a string specifying a user-supplied name for the group.

Figure 17-7 provides an example of the commands to use to create a protocol group containing multiple IP protocol types.

Magnum 10RX(config)# object-group protocol proto1
Magnum 10RX(config-protocol)# protocol-object 50
Magnum 10RX(config-protocol)# protocol-object 51
Magnum 10RX(config-protocol)# exit
Magnum 10RX(config)#

Figure 17-7. Configuring a Protocol Group

17.1.5 Using Object Groups

After you have defined network or service object groups you may use them in Access Control Lists (ACLs) to define security policies for the Firewall. For example, to define an ACL that allows hosts in the modbusmasters IP range to access the modbustcp service, configure the ACL as illustrated in Figure 17-8:

Magnum 10RX(config)# access-list mbus extended permit tcp object-group modbusmasters any service-object-group modbustcp
Magnum 10RX(config)#

Figure 17-8. ACL Configuration


17.1.6 Applying Access Control Lists

An Access Control List (ACL) does not take effect until it is applied to an interface. To apply an ACL use the fw-nat-group command in Global Configuration mode to enter the Firewall Nat Group Configuration mode, signaled by the Magnum 10RX(config-fw-nat-fw#)# prompt. Use the access-group command from within the Firewall Nat Group Configuration mode and then activate the firewall group using the active command.

Note that the fw-nat-group command will only be effective if the firewall has been enabled with the set firewall command. See Section 17.1.2.

Example:

Figure 17-9 provides an example of the commands to use to apply an ACL.

Magnum 10RX(config)# fw-nat-group fw1
Magnum 10RX(config-fw-nat-fw1)# access-group allow_server3 in interface outside
Magnum 10RX(config-fw-nat-fw1)# active
Magnum 10RX(config-fw-nat-fw1)# exit
Magnum 10RX(config)#

Figure 17-9. Applying an ACL

17.2 NAT

The most common goal of network address translation is to hide a private address space from hosts on a public network. This is often required because the private IP address space is typically re-used by many different internal networks and is thus not routable on a public IP network.

When configuring NAT it is important to understand the meaning of real and mapped interfaces and addresses: In a traditional NAT application the real interface is an interface connected to the private or inside part of the network and a mapped interface is an interface connected to the public or outside part of the network.

17.2.1 Setting up Dynamic NAT

A dynamic NAT hides the addressing of a private network using a technique known as source NAT or IP masquerading. Packets passing from the private (real) network to the public (mapped) network have the source address replaced with a public IP address, usually the public address of the public interface itself. This translation is undone for response packets flowing in the reverse direction. In the case where a single public address is used for masquerading multiple network sessions, TCP and UDP port translation is also used to keep track of individual packet flows so that translations can be properly undone in the reverse direction.

To set up basic dynamic NAT, use the following procedure:

1. Create a new network object.


2. In the network object specify the real IP address range that should be translated.

3. In the network object use the nat command to specify dynamic NAT and the real and mapped interfaces.

4. Create a new fw-nat-group or modify an existing group.

5. Use the nat command to specify the network object you've created.

Figure 17-10 provides an example of the commands to set up a rule that will perform IP masquerading on packets forwarded to the outside network.

Magnum 10RX(config)# object-group network nat1
Magnum 10RX(config-network-object)# network-object range 0.0.0.0 255.255.255.255
Magnum 10RX(config-network-object)# nat (any , outside) dynamic
Magnum 10RX(config-network-object)# exit
Magnum 10RX(config)# fw-nat-group fw1
Magnum 10RX(config-fw-nat-fw1)# nat object nat1
Magnum 10RX(config-fw-nat-fw1)# exit
Magnum 10RX(config)#

Figure 17-10. Configuring IP Masquerading

17.2.2 Setting up Static NAT

Static NAT, also sometimes referred to as destination NAT or port forwarding, replaces the destination address and port in a packet so that clients using public network addresses can access servers on the private network.

To set up a static NAT use the following procedure:

1. Create a new network object.

2. In the network object specify the real IP address of the target host.

3. In the network object use the nat command to specify static NAT, the real and mapped interfaces, and the desired port translation.

4. Create a new fw-nat-group or modify an existing group.

5. Use the nat command to specify the network object you've created.

Figure 17-11 provides an example of the commands to set up a rule that allows clients to connect to an inside telnet server (TCP port 23) at 192.168.2.42 using the outside address and TCP port 10023.


Magnum 10RX(config)# object-group network nat2
Magnum 10RX(config-network-object)# network-object host 192.168.2.42
Magnum 10RX(config-network-object)# nat (any , outside) static interface service tcp 23 10023
Magnum 10RX(config-network-object)# exit
Magnum 10RX(config)# fw-nat-group fw1
Magnum 10RX(config-fw-nat-fw1)# nat object nat2
Magnum 10RX(config-fw-nat-fw1)# exit
Magnum 10RX(config)#

Figure 17-11. Configuring Static NAT
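
The translations described in sections 17.2.1 and 17.2.2, modelled as an added Python example (not INOS code): a masquerading table that rewrites source address and port on the way out and undoes it for replies, plus the static port forward of Figure 17-11. The port pool start (20000), the inside clients and the outside hosts are constructed values, and matching a reply against the remote endpoint of the original flow is an assumption of this model.

```python
from dataclasses import dataclass, field

OUTSIDE_IP = "192.168.3.2"    # address given to interface 'outside' in Figure 17-1

@dataclass
class NatTable:
    public_ip: str
    next_port: int = 20000                        # constructed start of the port pool
    static: dict = field(default_factory=dict)    # (proto, mapped port) -> (real ip, real port)
    by_flow: dict = field(default_factory=dict)   # inside flow -> mapped port
    by_port: dict = field(default_factory=dict)   # (proto, mapped port) -> inside flow

    def add_static(self, proto, real_ip, real_port, mapped_port):
        """Static NAT: a standing mapping from a public port to a real host and port."""
        self.static[(proto, mapped_port)] = (real_ip, real_port)

    def outbound(self, proto, src, sport, dst, dport):
        """Dynamic NAT, real -> mapped: replace the source with the public address."""
        flow = (proto, src, sport, dst, dport)
        if flow not in self.by_flow:
            # Skip ports already used by a static rule or by another flow.
            while ((proto, self.next_port) in self.static
                   or (proto, self.next_port) in self.by_port):
                self.next_port += 1
            if self.next_port > 65535:
                raise RuntimeError("port pool exhausted")
            self.by_flow[flow] = self.next_port
            self.by_port[(proto, self.next_port)] = flow
        return (proto, self.public_ip, self.by_flow[flow], dst, dport)

    def inbound(self, proto, src, sport, dst, dport):
        """Mapped -> real: undo a translation, or return None when nothing maps."""
        if dst != self.public_ip:
            return None
        if (proto, dport) in self.static:
            real_ip, real_port = self.static[(proto, dport)]
            return (proto, src, sport, real_ip, real_port)
        flow = self.by_port.get((proto, dport))
        if flow and (flow[3], flow[4]) == (src, sport):   # reply from the original peer
            return (proto, src, sport, flow[1], flow[2])
        return None

def demo():
    nat = NatTable(OUTSIDE_IP)
    nat.add_static("tcp", "192.168.2.42", 23, 10023)      # the rule of Figure 17-11
    web = ("192.168.3.50", 80)                            # constructed outside server
    # Two inside clients that happen to use the same source port.
    out_a = nat.outbound("tcp", "192.168.2.10", 40000, *web)
    out_b = nat.outbound("tcp", "192.168.2.11", 40000, *web)
    return {
        "out_a": out_a,
        "out_b": out_b,
        "reply_a": nat.inbound("tcp", *web, OUTSIDE_IP, out_a[2]),
        "reply_b": nat.inbound("tcp", *web, OUTSIDE_IP, out_b[2]),
        "stranger": nat.inbound("tcp", "192.168.3.77", 5555, OUTSIDE_IP, out_a[2]),
        "telnet": nat.inbound("tcp", "192.168.3.77", 5555, OUTSIDE_IP, 10023),
        "port23": nat.inbound("tcp", "192.168.3.77", 5555, OUTSIDE_IP, 23),
    }

if __name__ == "__main__":
    for label, packet in demo().items():
        print(f"{label:9} {packet}")
```

In this model the static entry answers any outside source on port 10023, while a dynamic entry answers only the peer that the inside host contacted.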


Chapter 18 IPsec VPN

INOS supports Virtual Private Networks (VPN) via IPsec.

18.1 IPsec VPN Operation

In an IPsec VPN each VPN tunnel is defined by a set of security associations (SAs). Each SA defines a secure, unidirectional communication channel between two entities. The SAs are established via a two-phase process defined by the Internet Key Exchange (IKE) protocol. During Phase 1 the entities establish an initial secure channel. This exchange includes an authentication step that proves that each side knows a user-configured pre-shared key. The encrypted, authenticated Phase 1 channel is then used for communication during Phase 2 where the entities establish the keys that are actually used to encrypt the traffic that flows through the tunnel.

10RX supports on-demand IKE negotiation. This means that the 10RX will only initiate the establishment of a security association if there is network traffic that requires protection (that is, if packets match the traffic descriptor in the policy database). If an SA is idle it will not be "rekeyed", that is, an inactive SA will be allowed to expire without negotiating a new SA to take over.

Note that the terms “traffic descriptor” and “access control list” (ACL) are synonymous.

The 10RX implements Dead Peer Detection (DPD) by periodically sending R-U-THERE messages. The periodicity of these messages is user-configurable. If the peer does not respond to three consecutive R-U-THERE messages the peer is assumed dead and any SAs associated with that peer are deleted.

The 10RX supports tunnel mode and the ESP protocol. ESP provides both confidentiality and integrity. Tunnel mode completely conceals the identity and nature of the protected traffic since each IP packet is fully encapsulated and encrypted.

Traffic that does not match an IPsec traffic descriptor is bypassed. IPsec does not filter or drop packets. Filter non-IPsec traffic by configuring the 10RX firewall.

IPsec VPN behavior is governed by a set of data structures that can be configured and displayed by the commands explained in the following sections.


18.2 Configuring IPsec VPN in the CLI

The following sections explain the CLI commands to use to configure IPsec VPN.

18.2.1 IKE Profile Table

Each IKE profile table entry describes the parameters used to negotiate an IKE SA (that is, "phase 1" security association) between the 10RX router and a remote security gateway. The IKE SA is used to securely establish future IPsec SAs.

The configurable parameters for a profile are:

• Name — each IKE profile has a user-configurable name. In the CLI, the name is used instead of the index to reference the profile.

• Encryption — the symmetric encryption algorithm used to protect the confidentiality of the IKE SA. Possible values are DES, 3DES, AES, or AES-256. Defaults to 3DES.

• Hash — the hashing function used to protect the integrity of the IKE SA. Possible values are MD5, SHA-1, SHA-256, or SHA-384. Defaults to SHA-1.

• Group — the Diffie-Hellman (DH) group used for key generation. Possible values are 1, 2, 5, 14, or 24. Defaults to 2.

• PFS — if Perfect Forward Secrecy (PFS) is supported, specifies the DH group to be used. Possible values are 1, 2, 5, 14, or 24. Defaults to 2. If PFS is enabled, all key generation is performed using a DH exchange, increasing the security of the protocol. If PFS is not enabled, a DH exchange is not used when generating phase 2 keys, saving time and computation.

• Lifetime — the number of seconds that the IKE SA will be valid once it is created. After this timer expires, the SA is immediately deleted. Valid range is 300 (5 minutes) to 86400 (1 day). Defaults to 28800 (8 hours). IKE SAs are created on-demand based on the need for negotiating phase 2 SAs.

• DPD — the number of seconds between R-U-THERE keepalive messages used by the Dead Peer Detection (DPD) algorithm. If the peer does not respond to R-U-THERE messages the SAs with that peer will be deleted. Valid range is 10 to 86400. Defaults to 30.

Security levels obtainable with various combinations of parameters are detailed in RFC 6379.

18.2.1.1 Configure an IKE Profile

Use the crypto ike profile command in Global Configuration mode to enter IKE Profile Configuration mode and generate the Magnum 10RX(config-ike-profile)# prompt.

Command syntax:

crypto ike profile profname

Where:

profname is a unique string of up to 64 printable characters identifying the profile.

Example:

Magnum 10RX(config)# crypto ike profile ikeprof3


Magnum 10RX(config-ike-profile)#

This command specifies an IKE profile named ikeprof3. Subsequent commands in this configuration mode will modify that profile.

Valid range: up to 64 printable characters

The no crypto ike profile profname command deletes the profile specified by profname.

Use the show ike profile command to view configured values.

18.2.1.2 Specify IKE (Phase 1) Encryption Type

Use the encryption command in IKE Profile Configuration mode to set the encryption algorithm to be used by IKE when establishing a phase 1 security association.

Command syntax:

encryption {des|3des|aes|aes256}

Where:

des, 3des, aes, and aes256 are NIST-standard cryptographic ciphers of various key lengths. 3des is a more secure version of the DES standard in which data is encrypted three times.

Example:

Magnum 10RX(config-ike-profile)# encryption aes

This command specifies that traffic governed by this IKE profile will use AES encryption.

Default value: 3DES

The no encryption command sets the encryption to the default value.

Use the show ike profile command to view configured values.

18.2.1.3 Specify IKE (Phase 1) Hash Algorithm

Use the hash command in IKE Profile Configuration mode to set the hash algorithm to be used by IKE when establishing a phase 1 security association.

Command syntax:

hash {md5|sha-1|sha-256|sha-384}

Where:

md5, sha-1, sha-256, and sha-384 are elements of a NIST-standard family of cryptographic algorithms.

Example:

Magnum 10RX(config-ike-profile)# hash sha-256

This command specifies that traffic governed by this IKE profile will use the SHA-256 hash algorithm.

Default value: SHA-1


The no hash command sets the hash algorithm to the default value.

Use the show ike profile command to view configured values.

18.2.1.4 Specify a DH Group

Use the group command in IKE Profile Configuration mode to set the DH group to be used by IKE when establishing a phase 1 security association.

Command syntax:

group {1|2|5|14|24}

Where:

1, 2, 5, 14, and 24 are the available Diffie-Hellman groups.

The 10RX software supports the following Diffie-Hellman (DH) Groups. The key strength, and whether the group is conventional Diffie-Hellman (DH) or Elliptic Curve Diffie-Hellman (ECDH), is indicated parenthetically:

• Group 1 (768 bit DH)

• Group 2 (1024 bit DH)

• Group 5 (1536 bit DH)

• Group 14 (2048 bit DH, 224-bit Prime Order Subgroup)

• Group 24 (2048 bit DH, 256-bit Prime Order Subgroup)

Example:

Magnum 10RX(config-ike-profile)# group 5

This command specifies that traffic governed by this IKE profile will use DH Group 5.

Default value: Group 2

The no group command sets the DH group to the default value.

Use the show ike profile command to view configured values.

18.2.1.5 Specify PFS

Use the pfs command in IKE Profile Configuration mode to enable Perfect Forward Secrecy (PFS) and to set the DH group to be used by IKE when creating a phase 2 security association.

Command syntax:

pfs {1|2|5|14|24}

Where:

1, 2, 5, 14, and 24 are the available Diffie-Hellman groups.

Example:

Magnum 10RX(config-ike-profile)# pfs 14

This command specifies that traffic governed by this IKE profile will use PFS and DH Group 14.


Default value: PFS disabled

The no pfs command disables PFS.

Use the show ike profile command to view configured values.

18.2.1.6 Specify SA (Phase 1) Lifetime

Use the lifetime seconds command in IKE Profile Configuration mode to set the expiration time for a phase 1 security association.

Command syntax:

lifetime seconds lifesecs

Where:

lifesecs specifies the number of seconds before the phase 1 SA is deleted.

Example:

Magnum 10RX(config-ike-profile)# lifetime seconds 600

This command specifies that an SA created with this IKE profile will be deleted 600 seconds after its creation.

Default value: 28800 seconds

Valid range: 300-86400 seconds

The no lifetime command sets the lifetime to the default value.

Use the show ike profile command to view configured values.

18.2.1.7 Configure DPD

Use the dpd command in IKE Profile Configuration mode to set the number of seconds between R-U-THERE messages. If the peer does not respond to three consecutive R-U-THERE messages the SAs with that peer will be deleted.

Command syntax:

dpd dpdsecs

Where:

dpdsecs specifies the number of seconds between R-U-THERE messages.

Example:

Magnum 10RX(config-ike-profile)# dpd 200

This command specifies that a device in an SA created with this IKE profile will send R-U-THERE messages every 200 seconds.

Default value: 30 seconds

Valid range: 10-3600 seconds

The no dpd command sets the DPD interval to the default value.


Use the show ike profile command to view configured values.

18.2.2 IPsec Proposal Table

Each IPsec proposal table entry describes the parameters used to negotiate an IPSEC SA (that is, "phase 2" security association). This is the SA that will be used to encrypt data traffic between the 10RX and the remote security gateway.

The configurable IPsec Proposal parameters are:

• Name — each IPsec proposal has a user-configurable name. In the CLI, the name is used instead of the index to reference the proposal.

• Encryption — the symmetric encryption algorithm used to protect the confidentiality of the IPSEC SA. Possible values are DES, 3DES, AES, or AES256. Defaults to 3DES.

• Hash — the hashing function used to protect the integrity of the IPSEC SA. Possible values are MD5, SHA-1, SHA-256, or SHA-384. Defaults to SHA-1.

• Lifetime — the number of seconds that the IPsec SA will be valid once it is created. After this timer expires, the SA is immediately deleted. Valid range is 300 (5 minutes) to 86400 (1 day). Defaults to 28800 (8 hours). As long as an IPsec SA is being actively used, new IPsec SAs will be automatically created to "refresh" the encryption keys. The new SAs are created well in advance of the previous SA lifetime expiration so that traffic is not interrupted.

18.2.2.1 Configure an IPsec Proposal

Use the crypto ipsec proposal command in Global Configuration mode to enter IPsec Proposal Configuration mode and generate the Magnum 10RX(config-ipsec-proposal)# prompt.

Command syntax:

crypto ipsec proposal propname

Where:

propname is a unique string of up to 64 printable characters identifying the proposal.

Example:

Magnum 10RX(config)# crypto ipsec proposal ipprop11

Magnum 10RX(config-ipsec-proposal)#

This command specifies an IPsec Proposal named ipprop11. Subsequent commands in this configuration mode will modify that proposal.

Valid range: up to 64 printable characters

The no ipsec proposal propname command deletes the proposal specified by propname. A proposal can only be deleted if it is not referenced by any crypto map. If the user tries to delete a referenced proposal, the message %error: proposal is referenced by a crypto map is returned.


Use the show ipsec proposal command to view configured values.

18.2.2.2 Specify IPSec (Phase 2) Encryption Type

Use the encryption command in IPSec Proposal Configuration mode to set the encryption algorithm to be used when establishing a phase 2 security association.

Command syntax:

encryption {des|3des|aes|aes256}

Where:

des, 3des, aes, and aes256 are NIST-standard cryptographic ciphers of various key lengths. 3des is a more secure version of the DES standard in which data is encrypted three times.

Example:

Magnum 10RX(config-ipsec-proposal)# encryption aes

This command specifies that traffic governed by this IPsec proposal will use AES encryption.

Default value: 3DES

The no encryption command sets the encryption to the default value.

Use the show ipsec proposal command to view configured values.

18.2.2.3 Specify IPsec (Phase 2) Hash Algorithm

Use the hash command in IPSec Proposal Configuration mode to set the hash algorithm to be used by IKE when establishing a phase 2 security association.

Command syntax:

hash {md5|sha-1|sha-256|sha-384}

Where:

md5, sha-1, sha-256, and sha-384 are elements of a NIST-standard family of cryptographic algorithms.

Example:

Magnum 10RX(config-ipsec-proposal)# hash sha-256

This command specifies that traffic governed by this IPsec proposal will use the SHA-256 hash algorithm.

Default value: SHA-1

The no hash command sets the hash algorithm to the default value.

Use the show ipsec proposal command to view configured values.


18.2.2.4 Specify SA (Phase 2) Lifetime

Use the lifetime seconds command in IPSec Proposal Configuration mode to set the expiration time for a phase 2 security association.

Command syntax:

lifetime seconds lifesecs

Where:

lifesecs specifies the number of seconds before the phase 2 SA is deleted.

Example:

Magnum 10RX(config-ipsec-proposal)# lifetime seconds 600

This command specifies that an SA created with this IPsec proposal will be deleted 600 seconds after its creation.

Default value: 28800 seconds

Valid range: 300-86400 seconds

The no lifetime command sets the lifetime to the default value.

Use the show ipsec proposal command to view configured values.

18.2.3 Crypto Maps

Each crypto map binds an IKE profile, an IPsec proposal, an IKE local IP address, an IKE peer IP address, and a traffic descriptor (specified by an ACL).

The configurable parameters are:

• Name — each crypto map has a user-configurable name. In the CLI, the name is used instead of the index to reference the crypto map.

• IKE Profile — the index of the IKE profile. If no profile is specified, default values are used.

• IPsec Proposal — the index of the IPsec proposal. If no proposal is specified, default values are used.

• Local IP address — the local IP address from which our local IKE process communicates.

• Peer IP address — the remote IP address of our IKE peer.

• Traffic Descriptor — the name of the ACL that describes the traffic that will be protected per the IPsec Proposal crypto parameters.

• Authentication Type — this specifies the method of authentication. For release 2.0, the only valid authentication type is pre-shared key.

• Authentication Name — when the authentication method is pre-shared key, this is the value of the key.

18.2.3.1 Configure a Crypto Map

Use the crypto map command in Global Configuration mode to enter Crypto Map Configuration mode and generate the Magnum 10RX(config-crypto-map)# prompt.


Command syntax:

crypto map mapname

Where:

mapname is a unique string of up to 64 printable characters identifying the map.

Example:

Magnum 10RX(config)# crypto map crypmap18

Magnum 10RX(config-crypto-map)#

This command specifies a crypto map named crypmap18. Subsequent commands in this configuration mode will modify that map.

Valid range: up to 64 printable characters

The no crypto map mapname command deletes the map specified by mapname.

Use the show crypto map command to view configured values.

18.2.3.2 Specify the Traffic to Protect

Use the match command in Crypto Map Configuration mode to specify an Access Control List (ACL) that defines the traffic to be protected. A valid ACL simply lists addresses of source and destination networks or hosts.

Command syntax:

match aclname

Where:

aclname specifies a valid ACL.

Example:

Magnum 10RX(config-crypto-map)# match aclmfg

This command specifies an access control list named aclmfg that lists source and destination addresses that define the traffic to be protected.

Default value: None. This parameter MUST be specified. If it is not specified the message %warning: incomplete crypto map will be generated on exiting crypto map configuration.

The no match command deletes an existing association with an ACL.

Use the show crypto map command to view configured values.

18.2.3.3 Specify a Peer IP Address

Use the peer address command in Crypto Map Configuration mode to specify the peer IP address.

NOTE: ACLs that use objects and/or object-groups are not valid for specifying the traffic to protect.


Command syntax:

peer address xxx.xxx.xxx.xxx

Where:

xxx.xxx.xxx.xxx is the address of the peer in IPv4 format.

Example:

Magnum 10RX(config-crypto-map)# peer address 192.168.1.2

Default value: None. This parameter MUST be specified. If it is not specified the message %warning: incomplete crypto map will be generated on exiting crypto map configuration.

The no peer address command deletes an existing peer address.

Use the show crypto map command to view configured values.

18.2.3.4 Specify the Local IP Address

Use the local address command in Crypto Map Configuration mode to specify the local IP address.

Command syntax:

local address xxx.xxx.xxx.xxx

Where:

xxx.xxx.xxx.xxx is the local address in IPv4 format.

Example:

Magnum 10RX(config-crypto-map)# local address 192.168.1.3

Default value: None. This parameter MUST be specified. If it is not specified the message %warning: incomplete crypto map will be generated on exiting crypto map configuration.

The no local address command deletes an existing local address.

Use the show crypto map command to view configured values.

18.2.3.5 Bind an IKE Profile

Use the profile command in Crypto Map Configuration mode to specify the IKE profile to bind to the addresses configured with the peer address and local address commands.

Command syntax:

profile profname

Where:

profname is the name of a configured IKE profile.


Example:

Magnum 10RX(config-crypto-map)# profile ikeprof33

Default value: If no profile is specified a default profile is used containing the default values for each element of an IKE profile. See the command set for configuring an IKE profile to view these default values.

The no profile command deletes a bound IKE profile from the crypto map.

Use the show crypto map command to view configured values.

18.2.3.6 Bind an IPsec Proposal

Use the proposal command in Crypto Map Configuration mode to specify the IPsec proposal to bind to the addresses configured with the peer address and local address commands.

Command syntax:

proposal propname

Where:

propname is the name of a configured IPsec proposal.

Example:

Magnum 10RX(config-crypto-map)# proposal ipprop11

Default value: If no proposal is specified a default proposal is used containing the default values for each element of an IPsec proposal. See the command set for configuring an IPsec proposal to view these default values.

The no proposal command deletes a bound IPsec proposal from the crypto map.

Use the show crypto map command to view configured values.

18.2.3.7 Specify Authentication Type

Use the auth-type command in Crypto Map Configuration mode to specify the authentication method.

Command syntax:

auth-type {psk}

Where:

psk stands for pre-shared key. In this release this is the only available authentication method.

Example:

Magnum 10RX(config-crypto-map)# auth-type psk

NOTE: Crypto maps specifying the same remote peer address must use the exact same IKE profile parameters.


Default value: psk.

Use the show crypto map command to view configured values.

18.2.3.8 Specify a Pre-shared Key

Use the auth-info command in Crypto Map Configuration mode to specify the pre-shared key to be used when authenticating to the peer.

Command syntax:

auth-info aistring

Where:

aistring is a string of up to 256 printable characters.

Example:

Magnum 10RX(config-crypto-map)# auth-info 747hhf73h!38pnvh

Default value: None. This parameter MUST be specified. If it is not specified the message %warning: incomplete crypto map will be generated on exiting crypto map configuration.

The no auth-info command deletes the configured auth-info value.

Use the show crypto map command to view configured values.
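The crypto map rules in section 18.2.3 (the four values that MUST be specified, and identical IKE profile parameters for maps that share a peer) and the value ranges in sections 18.2.1 and 18.2.2 can be checked offline before a configuration is entered on a router. The linter below is an added example, not Belden or GarrettCom code; the command listing, the pre-shared key placeholder and the wording of the findings are constructed, and reporting a reference to an undefined profile or proposal is an assumption about desired policy, not documented device behavior.

```python
import re

# Ranges, required fields and defaults as stated in sections 18.2.1 to 18.2.3.
LIFETIME_RANGE = (300, 86400)
DPD_RANGE = (10, 3600)  # range given in section 18.2.1.7
REQUIRED_MAP_FIELDS = ("match", "peer address", "local address", "auth-info")
IKE_DEFAULTS = {"encryption": "3des", "hash": "sha-1", "group": "2",
                "pfs": "disabled", "lifetime": "28800", "dpd": "30"}

BLOCK = re.compile(r"crypto (ike profile|ipsec proposal|map) (\S+)$")
SETTING = re.compile(r"(peer address|local address|lifetime seconds|[\w-]+) (.+)$")

# Constructed listing of commands in the order they would be typed (not device output).
SAMPLE = """\
crypto ike profile ikeprof3
 encryption aes256
 hash sha-256
 group 14
 pfs 14
 lifetime seconds 600
 dpd 200
crypto ike profile ikeprof33
 encryption aes
 hash sha-256
 group 14
 dpd 5
crypto ipsec proposal ipprop11
 encryption aes256
 hash sha-256
 lifetime seconds 120
crypto map crypmap18
 match aclmfg
 peer address 192.168.1.2
 local address 192.168.1.3
 profile ikeprof3
 proposal ipprop11
 auth-type psk
 auth-info EXAMPLE-PSK-PLACEHOLDER
crypto map crypmap19
 match aclmfg2
 peer address 192.168.1.2
 local address 192.168.1.3
 profile ikeprof33
 proposal ipprop11
"""


def parse(listing):
    """Group the commands of a listing by the crypto block they were typed in."""
    tables = {"ike profile": {}, "ipsec proposal": {}, "map": {}}
    current = None
    for line in (raw.strip() for raw in listing.splitlines()):
        block = BLOCK.match(line)
        if block:
            current = tables[block.group(1)].setdefault(block.group(2), {})
            continue
        setting = SETTING.match(line)
        if setting and current is not None:
            key = setting.group(1).replace("lifetime seconds", "lifetime")
            current[key] = setting.group(2)
    return tables


def check_range(findings, name, settings, key, bounds):
    """Record a finding when a numeric setting is present but out of range."""
    value = settings.get(key)
    if value is not None and not (value.isdigit() and bounds[0] <= int(value) <= bounds[1]):
        findings.append(f"{name}: {key} {value} outside {bounds[0]}-{bounds[1]}")


def lint(listing):
    """Return a list of findings; an empty list means nothing was flagged."""
    tables = parse(listing)
    profiles, proposals, maps = tables["ike profile"], tables["ipsec proposal"], tables["map"]
    findings = []
    for name, settings in list(profiles.items()) + list(proposals.items()):
        check_range(findings, name, settings, "lifetime", LIFETIME_RANGE)
    for name, settings in profiles.items():
        check_range(findings, name, settings, "dpd", DPD_RANGE)

    by_peer = {}
    for name, settings in maps.items():
        missing = [field for field in REQUIRED_MAP_FIELDS if field not in settings]
        if missing:
            findings.append(f"{name}: incomplete crypto map, missing {', '.join(missing)}")
        for key, table in (("profile", profiles), ("proposal", proposals)):
            if key in settings and settings[key] not in table:
                findings.append(f"{name}: {key} {settings[key]} is not defined")
        # Effective IKE parameters: the bound profile laid over the documented defaults.
        effective = {**IKE_DEFAULTS, **profiles.get(settings.get("profile"), {})}
        if "peer address" in settings:
            by_peer.setdefault(settings["peer address"], []).append((name, effective))

    # Maps that share a peer must carry identical IKE profile parameters (NOTE in 18.2.3.7).
    for peer, bound in by_peer.items():
        first_name, first = bound[0]
        for name, params in bound[1:]:
            if params != first:
                findings.append(
                    f"peer {peer}: {first_name} and {name} use different IKE profile parameters")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "no findings")
```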

18.2.4 IPsec VPN-related Show Commands

The following commands, executed in Exec Commands mode, display information about IPsec data.

18.2.4.1 show ike sa

Use the show ike sa command to show information from the IKE SA table.

Example:

Magnum 10RX# show ike sa

18.2.4.2 show ipsec sa

Use the show ipsec sa command to show information from the IPSEC SA table.

Example:

Magnum 10RX# show ipsec sa

18.2.4.3 show ike profile

Use the show ike profile command to display all of the configured IKE profiles.

Example:

Magnum 10RX# show ike profile

Example output:


Magnum 10RX# show ike profile
Profile ikeprof3
Encryption is 3DES, Hash is SHA-1
DH group is 2, PFS is disabled
Maximum lifetime is 28800 seconds, DPD keepalive is 30 seconds

18.2.4.4 show ipsec proposal

Use the show ipsec proposal command to display all of the configured IPsec proposals.

Example:

Magnum 10RX# show ipsec proposal

Example output:

Magnum 10RX# show ipsec proposal
Proposal ipprop11
Encryption is 3DES, Hash is SHA-1
Maximum lifetime is 28800 seconds

18.2.4.5 show crypto map

Use the show crypto map command to display all of the configured crypto maps.

Example:

Magnum 10RX# show crypto map

Example output:

Magnum 10RX# show crypto map
Map crypmap18
Profile is ikeprof3, Proposal is ipprop11
Local address is 0.0.0.0, Peer address is 0.0.0.0
Match based on ACL aclmfg
Auth type is PSKs
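Captured show ike profile and show ipsec proposal output can be audited against a minimum-strength policy, and the commands from sections 18.2.1 and 18.2.2 that would raise each weak entry can be listed. This is an added example, not part of the guide or of INOS. The policy floor (AES-256, SHA-256, DH group 14, PFS on), the second profile in the sample, and the way the device prints AES256 and an enabled PFS group are assumptions.

```python
import re

# Policy floor assumed for this example; the guide itself sets no minimum.
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_HASH = {"MD5", "SHA-1"}
WEAK_DH_GROUPS = {"1", "2", "5"}  # the 768-, 1024- and 1536-bit groups of section 18.2.1.4

# Commands from sections 18.2.1 and 18.2.2 that move a field to the assumed floor.
FIX = {"Encryption": "encryption aes256", "Hash": "hash sha-256",
       "DH group": "group 14", "PFS": "pfs 14"}

HEAD = re.compile(r"(Profile|Proposal) (\S+)$")
FIELD = re.compile(r"(Encryption|Hash|DH group|PFS|Maximum lifetime|DPD keepalive) is (\S+)")

# First profile and the proposal are the guide's own example output; the second
# profile is constructed, and "AES256" / "PFS is 14" are assumed renderings.
SAMPLE = """\
Magnum 10RX# show ike profile
Profile ikeprof3
Encryption is 3DES, Hash is SHA-1
DH group is 2, PFS is disabled
Maximum lifetime is 28800 seconds, DPD keepalive is 30 seconds
Profile ikeprof-strong
Encryption is AES256, Hash is SHA-256
DH group is 14, PFS is 14
Maximum lifetime is 28800 seconds, DPD keepalive is 30 seconds
Magnum 10RX# show ipsec proposal
Proposal ipprop11
Encryption is 3DES, Hash is SHA-1
Maximum lifetime is 28800 seconds
"""


def parse_show(output):
    """Turn show output into one dict per IKE profile or IPsec proposal."""
    records, current = [], None
    for line in (raw.strip() for raw in output.splitlines()):
        head = HEAD.match(line)
        if head:
            current = {"kind": head.group(1), "name": head.group(2)}
            records.append(current)
        elif current is not None:
            # Prompt lines and unknown lines simply yield no fields.
            for key, value in FIELD.findall(line):
                current[key] = value.rstrip(",")
    return records


def weak_fields(record):
    """Names of the fields in one record that fall below the assumed floor."""
    weak = []
    if record.get("Encryption") in WEAK_ENCRYPTION:
        weak.append("Encryption")
    if record.get("Hash") in WEAK_HASH:
        weak.append("Hash")
    if record.get("DH group") in WEAK_DH_GROUPS:
        weak.append("DH group")
    if record.get("PFS") in (WEAK_DH_GROUPS | {"disabled"}):
        weak.append("PFS")
    return weak


def remediation(output):
    """Configuration commands that raise every weak entry to the assumed floor."""
    commands = []
    for record in parse_show(output):
        weak = weak_fields(record)
        if weak:
            mode = "crypto ike profile" if record["kind"] == "Profile" else "crypto ipsec proposal"
            commands.append(f"{mode} {record['name']}")
            commands.extend(FIX[field] for field in weak)
    return commands


if __name__ == "__main__":
    print("\n".join(remediation(SAMPLE)))
```

Both ends of a tunnel have to be changed together, since the peers must agree on these parameters during negotiation.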

18.2.5 IPsec VPN-related Clear Commands

The following commands, executed in Exec Commands mode, clear specified configured IPsec information.

18.2.5.1 clear ike sa all

Use the clear ike sa all command to delete all active phase 1 SAs and force re-negotiation.

Example:

Magnum 10RX # clear ike sa all


18.2.5.2 clear ike sa peer

Use the clear ike sa peer command to delete all phase 1 SAs associated with the specified peer and force re-negotiation with that particular IKE peer. This command will also delete any phase 2 SAs that were created using the deleted phase 1 SAs.

Command syntax:

clear ike sa peer xxx.xxx.xxx.xxx

Where:

xxx.xxx.xxx.xxx is the address of the IKE peer in IPv4 format.

Example:

Magnum 10RX # clear ike sa peer 192.168.1.1

18.2.5.3 clear ike sa id

Use the clear ike sa id command to delete a specific phase 1 SA by the identifier shown in the show ike sa command and force re-negotiation. This command will also delete any phase 2 SAs that were created using the deleted phase 1 SA.

Command syntax:

clear ike sa id ike-sa-id

Where:

ike-sa-id is the SA ID shown in the show ike sa command.

Example:

Magnum 10RX # clear ike sa id 1

18.2.5.4 clear ipsec sa all

Use the clear ipsec sa all command to delete all IPSEC SAs.

Example:

Magnum 10RX # clear ipsec sa all

18.2.5.5 clear ipsec sa peer

Use the clear ipsec sa peer command to delete all IPSEC SAs that have been established with the specified peer and force re-negotiation for those SAs.

Command syntax:

clear ipsec sa peer xxx.xxx.xxx.xxx

Where:

xxx.xxx.xxx.xxx is the configured peer address in IPv4 format.

Example:

Magnum 10RX # clear ipsec sa peer 192.168.1.1


18.2.5.6 clear ipsec sa id

Use the clear ipsec sa id command to delete an IPSEC SA by ID and to force re-negotiation.

Command syntax:

clear ipsec sa id ipsec-sa-id

Where:

ipsec-sa-id is the IPsec SA ID as reported by the show ipsec sa command.

Example:

Magnum 10RX # clear ipsec sa id 2

18.3 Configuring IPsec VPN in the GUI

The following sections explain how to configure IPsec VPN in the GUI.

18.3.1 Configuring an IKE Profile

In the GUI go to the Security Management: IPSEC: IKE Profile tab to define an IKE profile, as illustrated in Figure 18-1.

Figure 18-1. IKE Profile Basic Settings Screen

In the IKE Profile Basic Settings screen use the upper dialog box to name an IKE profile and specify its properties. Click the Create button to save your definition and display it in the lower dialog box. Use the lower dialog box to edit or delete configured profiles.

For a comprehensive treatment of IKE profiles see Section 18.2.1.


Table 18-1. IKE Profile Basic Settings Fields

| Parameter | Description | See Also |
|---|---|---|
| Select | You must click a selection button before modifying a configuration. | |
| Name | Specify a name for the profile in a string of up to 64 printable characters. | Section 18.2.1.1 |
| Encryption | Set the encryption algorithm to be used by IKE when establishing a phase 1 security association. Options are DES, 3DES, AES, and AES256. These are NIST-standard cryptographic ciphers of various key lengths. 3des is a more secure version of the DES standard in which data is encrypted three times. | Section 18.2.1.2 |
| Hash | Set the hash algorithm to be used by IKE when establishing a phase 1 security association. Options are MD5, SHA-1, SHA-256, and SHA-384. These are elements of a NIST-standard family of cryptographic algorithms. | Section 18.2.1.3 |
| Group | Set the Diffie-Hellman (DH) group to be used by IKE when establishing a phase 1 security association. The 10RX software supports the following DH Groups. The key strength, and whether the group is conventional Diffie-Hellman (DH) or Elliptic Curve Diffie-Hellman (ECDH), is indicated parenthetically: Group 1 (768 bit DH); Group 2 (1024 bit DH); Group 5 (1536 bit DH); Group 14 (2048 bit DH, 224-bit Prime Order Subgroup); Group 24 (2048 bit DH, 256-bit Prime Order Subgroup). | Section 18.2.1.4 |
| PFS | Enable or disable Perfect Forward Secrecy (PFS) and set the DH group to be used by IKE when creating a phase 2 security association. | Section 18.2.1.5 |
| Lifetime | Set the expiration time for a phase 1 security association. Default value: 28800 seconds. Valid range: 300-86400 seconds. | Section 18.2.1.6 |
| DPD | Set the number of seconds between R-U-THERE messages. If the peer does not respond to three consecutive R-U-THERE messages the SAs with that peer will be deleted. Default value: 30 seconds. Valid range: 10-3600 seconds. | Section 18.2.1.7 |


18.3.2 Configuring an IPsec Proposal

In the GUI go to the Security Management: IPSEC: IPSec Proposal tab to define an IPsec proposal, as illustrated in Figure 18-2.

Figure 18-2. IPSec Proposal Basic Settings Screen

In the IPSec Proposal Basic Settings screen use the upper dialog box to name an IPsec proposal and specify its properties. Click the Create button to save your definition and display it in the lower dialog box. Use the lower dialog box to edit or delete configured proposals.

For a comprehensive treatment of IPsec proposals see Section 18.2.2.

Table 18-2. IPSec Basic Settings Fields

| Parameter | Description | See Also |
|---|---|---|
| Select | You must click a selection button before modifying a configuration. | |
| Name | Specify a name for the proposal in a string of up to 64 printable characters. | Section 18.2.2.1 |
| Encryption | Set the encryption algorithm to be used when establishing a phase 2 security association. Options are DES, 3DES, AES, and AES256. These are NIST-standard cryptographic ciphers of various key lengths. 3des is a more secure version of the DES standard in which data is encrypted three times. | Section 18.2.2.2 |
| Hash | Set the hash algorithm to be used when establishing a phase 2 security association. Options are MD5, SHA-1, SHA-256, and SHA-384. These are elements of a NIST-standard family of cryptographic algorithms. | Section 18.2.2.3 |
| Lifetime | Set the expiration time for a phase 2 security association. Default value: 28800 seconds. Valid range: 300-86400 seconds. | Section 18.2.2.4 |


18.3.3 Configuring a Crypto Map

In the GUI go to the Security Management: IPSEC: Crypto Map tab to configure a crypto map, as illustrated in Figure 18-3.

Figure 18-3. Crypto Map Basic Settings Screen

In the IPSec Crypto Map Basic Settings screen use the upper dialog box to define a crypto map. Click the Create button to save your definition and display it in the lower dialog box. Use the lower dialog box to edit or delete configured maps.

For a comprehensive treatment of crypto maps see Section 18.2.3.

Table 18-3. Crypto Map Basic Settings Fields

Parameter Description See Also

Select You must click a selection button before modifying a configuration.

Name Specify a name for the map in a string of up to 64 printable characters.

Section 18.2.3.1

IKE Profile Specify the configured IKE profile to bind to the addresses configured with the Peer IP and Local IP specifications.

Default value: If no profile is specified a default profile is used containing the default values for each element of an IKE profile.

Section 18.2.3.5

IPsec Proposal Specify the configured IPsec proposal to bind to the addresses configured with the Peer IP and Local IP specifications.

Default value: If no profile is specified a default profile is used containing the default values for each element of an IPsec proposal.

Section 18.2.3.6

Page 327: INDUSTRIAL NETWORK OPERATING SYSTEM - Beldenmedia.beldensolutions.com/garrettcom/techsupport/software/user... · Industrial Network Operating System Administrator’s Guide ii Rights

CHAPTER 18 - IPsec VPNConfiguring IPsec VPN in the GUI

Industrial Network Operating System Administrator’s Guide

303

Local IP Specify the local IP address.

Default value: None. This parameter MUST be specified.

Section 18.2.3.4

Peer IP Specify the peer IP address.

Default value: None. This parameter MUST be specified.

Section 18.2.3.3

ACL Specify an Access Control List (ACL) that defines the traffic to be protected.

Default value: None. This parameter MUST be specified.

Section 18.2.3.2

PSK Specify the pre-shared key to be used when authenticating to the peer.

Default value: None. This parameter MUST be specified.

Section 18.2.3.8

Confirm PSK Re-enter the PSK. Section 18.2.3.8

18.3.4 Displaying IKE Security Associations

In the GUI go to the Security Management: IPSEC: IKE SA tab to view the details of IKE security associations, as illustrated in Figure 18-2.

Figure 18-4. IKE Security Association Screen

The IKE Security Association screen reports details of configured and active sessions.

Table 18-4. IKE Security Association Fields

Parameter Description

Select You must click a selection button before deleting a configuration.

IKE SA ID An internal unique identifier for the IKE session.

Initiator Address The IP address of the IKE peer that initiated the IKE session.

Responder Address The IP address of the other IKE peer.

Initiator Cookie A random number selected by the initiator to uniquely identify the session.

Responder Cookie A random number selected by the responder to uniquely identify the session.

Maximum Lifetime The configured maximum number of seconds this session can last before it is automatically deleted.


Remaining Lifetime The actual number of seconds left until this session is deleted.

Encryption Algorithm The encryption algorithm selected to secure the IKE session communication channel.

Hash Algorithm The hash algorithm selected to secure the IKE session communication channel.

18.3.5 Displaying IPsec Security Associations

In the GUI go to the Security Management: IPSEC: IPSec SA tab to view the details of IPsec security associations, as illustrated in Figure 18-2.

Figure 18-5. IPSEC Security Association Screen

The IPSEC Security Association screen reports details of configured and active sessions.

Table 18-5. IPsec Security Association Fields

Parameter Description

Select You must click a selection button before deleting a configuration.

Outbound ID An internal unique identifier for the outbound security association (SA).

Inbound ID An internal unique identifier for the inbound SA.

Outbound SPI The security parameters index for the outbound SA.

Inbound SPI The security parameters index for the inbound SA.

Source Address Start The start of the source IP address range for secured traffic.

Source Address End The end of the source IP address range for secured traffic.

Destination Address Start The start of the destination IP address range for secured traffic.

Destination Address End The end of the destination IP address range for secured traffic.

Maximum Lifetime The configured maximum number of seconds these SAs can last before they are automatically deleted.

Remaining Lifetime The actual number of seconds left until the SAs are deleted.


Encryption Algorithm The encryption algorithm selected to secure the SA communication channel.

Hash Algorithm The hash algorithm selected to secure the SA communication channel.

18.3.6 Configuring IPsec ACLs

In the GUI go to the Security Management: IPSEC: IPSec ACLs tab to define access control lists, as illustrated in Figure 18-2.

Figure 18-6. IPSEC ACL Settings Screen

In the IPSEC ACL screen, define access control lists (also called traffic descriptors) to alert IPsec to the presence of traffic needing protection and to initiate a security association.

Table 18-6. IPsec ACL Fields

Parameter Description See Also

Select You must click a selection button before modifying a configuration.

ACL Name A user-supplied name for this ACL.

Protocol The protocol (IP or GRE) to which this ACL is applied.

Source Address A source IP address for traffic needing protection.

Source Mask A source network mask for traffic needing protection.

Destination Address A destination IP address for traffic needing protection.


Destination Mask A destination network mask for traffic needing protection.

Remark Descriptive information about the ACL.


Chapter 19 T1/E1

INOS supports Wide Area Networking (WAN) through dual-port T1/E1 cards in slots 3 through 10, for a maximum of 8 cards and 16 T1/E1 (or WAN) interfaces per system. Each interface can be run in either T1 or E1 mode. The physical layer parameters for each of these interfaces can be individually configured by the user. T1/E1 port status and statistics may also be retrieved by the user.

For the purposes of this document, any instance of the term WAN refers to the North American T1 and the European E1 standard.

A T1/E1 interface may operate in fractional mode, where a subset of the available time slots is used. Furthermore, a T1/E1 interface may be operated in a channelized configuration where the available timeslots may be assigned to up to 24 (T1) or 31 (E1) individual channels. Each channel is equivalent to a single logical interface. Up to 8 T1/E1 interfaces may be channelized.

19.1 Configuring T1/E1 in the CLI

10RX supports ports to transmit and receive T1/E1 traffic. Each of these ports is separately configurable and may be divided up into multiple channels. The sections below describe the CLI commands used to configure T1/E1 ports and channels.

19.1.1 Specifying a T1/E1 Interface

Use the interface t1e1 command in Global Configuration mode to specify a new or existing T1/E1 interface and to enter T1/E1 Interface Configuration mode, signaled by the Magnum 10RX(config-t1e1)# prompt.

Command syntax:

interface t1e1 slot/port

Where:

slot/port are valid slot and port designations for a T1/E1 port on this device. (Use the show interface command in the Exec Commands mode to discover valid slot/port combinations.)

NOTE: T1 designates a North American hardware specification for telecommunications trunking. The analogous European specification is E1. A more general term, DS1, is commonly used to include both of these standards. Wide Area Networking (WAN) is the networking concept supported by these technologies.


Example:

Magnum 10RX(config)# interface t1e1 8/1

Magnum 10RX(config-t1e1)#

This command specifies the T1/E1 interface 8/1. Subsequent commands in the T1/E1 Configuration session will modify this interface.

Use the show interface t1e1 slot/port command to view configured values.

19.1.2 Configure Mode on a T1/E1 Interface

Use the mode command in T1/E1 Interface Configuration mode to specify the transmission mode of this port.

Command syntax:

mode {T1 | E1}

Where:

T1 specifies the North American T1 standard.

E1 specifies the European E1 standard.

Example:

Magnum 10RX(config-t1e1)# mode t1

Default value: T1

Use the show interface t1e1 slot/port command to view configured values.

19.1.3 Configure Clock Source on a T1/E1 Interface

Use the clock command in T1/E1 Interface Configuration mode to specify the clock source for this port. Ordinarily this setting matches what the carrier provides. For private lines one side must be local and the other received.

Command syntax:

clock {local | received}

Where:

local specifies internal clocking.

received specifies external clocking.

Example:

Magnum 10RX(config-t1e1)# clock local

Default value: external

Use the show interface t1e1 slot/port command to view configured values.


19.1.4 Configure Timeslot Bandwidth on a T1/E1 Interface

Use the timeslot-bandwidth command in T1/E1 Interface Configuration mode to specify the data rate for this port. (E1 circuits normally use a value of 64kbps.)

Command syntax:

timeslot-bandwidth {56K | 64K}

Where:

56K specifies a usable data rate of 56kbps.

64K specifies a usable data rate of 64kbps.

Example:

Magnum 10RX(config-t1e1)# timeslot-bandwidth 56K

Default value: 56K

Use the show interface t1e1 slot/port command to view configured values.

19.1.5 Configure Timeslots on a T1/E1 Interface

Use the timeslots command in T1/E1 Interface Configuration mode to specify the time slots to use with the T1 or E1 circuit. For specific channels use single slot numbers separated by commas or a range separated by a hyphen. Spaces are not allowed. Example: 1,3,5-8.

Command syntax:

timeslots tslot-spec

Where:

tslot-spec specifies the timeslots to use for this circuit.

Example:

Magnum 10RX(config-t1e1)# timeslots 1-5

Valid ranges:

For T1 interfaces — 1-24

For E1 interfaces — 1-31 (Except that for the CAS frame type timeslot 16 is not available.)

The no timeslots command specifies the default.

Use the show interface t1e1 slot/port command to view configured values.

19.1.6 Configure Frame Types on a T1/E1 Interface

Use the frame-type command in T1/E1 Interface Configuration mode to specify the frame type for the T1 or E1 circuit. The frame type is normally specified by the carrier.


Command syntax:

frame-type {ESF | D4 | FAS | CAS}

Where:

For T1 mode the following values may be selected:

• ESF specifies Extended Super Framing format, consisting of 24 consecutive 193 bit frames.

• D4 specifies a framing format also known as SF (Super Frame), consisting of 12 consecutive 193 bit frames.

For E1 mode the following values may be selected:

• FAS specifies Frame Alignment Signaling.

• CAS specifies Channel Associated Signaling, a method that "robs" some bits of each frame to transmit synchronization information.

Example:

Magnum 10RX(config-t1e1)# frame-type D4

Default value: ESF

Use the show interface t1e1 slot/port command to view configured values.

19.1.7 Configure Line Codes on a T1/E1 Interface

Use the line-code command in T1/E1 Interface Configuration mode to specify the line code for the T1 or E1 circuit. Line codes are normally specified by the carrier.

Command syntax:

line-code {AMI | B8ZS | HDB3}

Where:

For T1 mode the following values may be selected:

• AMI specifies Alternate Mark Inversion line coding.

• B8ZS specifies Bipolar With 8 Zero Substitution line coding.

For E1 mode the following values may be selected:

• AMI specifies Alternate Mark Inversion line coding.

• HDB3 specifies High Density Bipolar 3 line coding.

Example:

Magnum 10RX(config-t1e1)# line-code AMI

Default value: B8ZS

Use the show interface t1e1 slot/port command to view configured values.


19.1.8 Configure Line Build-out on a T1/E1 Interface

Use the line-build-out command in T1/E1 Interface Configuration mode to specify the line build out compensation for the T1 or E1 circuit. Line build out compensates for the loss based on distance from the device to the first repeater in the circuit. A longer distance from the device to the repeater requires that the signal strength on the circuit be boosted to compensate for loss over that distance. The specified compensation is expressed either in decibels or in feet. Contact your service provider for details on this information.

Command syntax:

line-build-out {0to133 | 133to266 | 266to399 | 399to533 | 533to655 | -7.5dB | -15dB | -22.5dB}

Where:

Arguments specify required signal compensation. The options are:

0to133 - distance from 0 feet to 133 ft

133to266 - distance from 133 ft to 266 ft

266to399 - distance from 266 ft to 399 ft

399to533 - distance from 399 ft to 533 ft

533to655 - distance from 533 ft to 655 ft

-7.5dB - a signal loss of 7.5dB

-15dB - a signal loss of 15dB

-22.5dB - a signal loss of 22.5dB

Example:

Magnum 10RX(config-t1e1)# line-build-out 133to266

Default value: 0 to 133

Use the show interface t1e1 slot/port command to view configured values.

19.1.9 Enabling and Disabling a T1/E1 Interface

Use the no shutdown command in T1/E1 Interface Configuration mode to enable a T1/E1 interface.

Command syntax:

no shutdown

Example:

Magnum 10RX(config-t1e1)# no shutdown

Default value: interface is disabled

The shutdown command disables the interface.

Use the show interface t1e1 slot/port command to view configured values.


19.1.10 Configuring a Channelized T1/E1 Interface

Use the channel command in T1/E1 Interface Configuration mode to configure a channel and to enter the T1/E1 Channel Configuration mode, signified by the Magnum 10RX(config-channel)# prompt. Up to 8 DS1 interfaces may be channelized. The number of channels is limited by the number of available timeslots.

Command syntax:

channel chanid

Where:

chanid is a numerical value specifying a valid channel ID.

Example:

Magnum 10RX(config-t1e1)# channel 4

Magnum 10RX(config-channel)#

Valid ranges:

For T1 interfaces — 1-24

For E1 interfaces — 1-31

Default value: no channels configured

The no channel chanid command deletes the channel specified by chanid.

19.1.11 Configuring Timeslots on a T1/E1 Channel

Use the timeslots command in Channel Configuration mode to specify the time slots to use with the channel. Use single slot numbers separated by commas or a range separated by a hyphen. Spaces are not allowed. Example: 1,3,5-8.

A timeslot may be assigned to only one channel.

Command syntax:

timeslots tslot-spec

Where:

tslot-spec specifies the timeslots to use for this channel.

Example:

Magnum 10RX(config-channel)# timeslots 2-6,9

Valid ranges:

For T1 interfaces — 1-24

For E1 interfaces — 1-31

Default value: no time slots assigned

The no timeslots command specifies the default.


Use the show interface t1e1 slot/port command to view configured values.
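The timeslot and per-mode rules from Sections 19.1.2 through 19.1.11 can be checked offline before a change is pushed to a router. The following Python sketch is an added example, not INOS code: the function names are illustrative, and it assumes that a descending range is an error and that the CAS restriction on timeslot 16 applies to channel timeslots as well as interface timeslots.

```python
import re

# Limits and per-mode options as listed in Sections 19.1.2 to 19.1.11.
MAX_SLOT = {"T1": 24, "E1": 31}
FRAME_TYPES = {"T1": {"ESF", "D4"}, "E1": {"FAS", "CAS"}}
LINE_CODES = {"T1": {"AMI", "B8ZS"}, "E1": {"AMI", "HDB3"}}
_ITEM = re.compile(r"([0-9]+)(?:-([0-9]+))?")


def parse_timeslots(spec, mode, frame_type=""):
    """Expand a tslot-spec such as '1,3,5-8' into a set of timeslot numbers."""
    mode = mode.upper()
    if mode not in MAX_SLOT:
        raise ValueError(f"unknown mode {mode!r}")
    if not spec or any(ch.isspace() for ch in spec):
        raise ValueError("tslot-spec must be non-empty and contain no spaces")
    slots = set()
    for item in spec.split(","):
        match = _ITEM.fullmatch(item)
        if match is None:
            raise ValueError(f"malformed item {item!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if low > high:  # assumption: a descending range is treated as an error
            raise ValueError(f"descending range {item!r}")
        if low < 1 or high > MAX_SLOT[mode]:
            raise ValueError(f"{item!r} is outside 1-{MAX_SLOT[mode]} for {mode}")
        slots.update(range(low, high + 1))
    # Section 19.1.5: timeslot 16 is not available with the CAS frame type.
    if mode == "E1" and frame_type.upper() == "CAS" and 16 in slots:
        raise ValueError("timeslot 16 is not available with the CAS frame type")
    return slots


def check_interface(mode, frame_type, line_code, channels):
    """Return a list of problems for one port; channels maps channel ID to tslot-spec."""
    mode = mode.upper()
    if mode not in MAX_SLOT:
        return [f"unknown mode {mode!r}"]
    problems = []
    if frame_type.upper() not in FRAME_TYPES[mode]:
        problems.append(f"frame-type {frame_type} is not valid in {mode} mode")
    if line_code.upper() not in LINE_CODES[mode]:
        problems.append(f"line-code {line_code} is not valid in {mode} mode")
    owner = {}  # timeslot -> first channel that claimed it
    for chan_id in sorted(channels):
        if not 1 <= chan_id <= MAX_SLOT[mode]:
            problems.append(f"channel {chan_id} is outside 1-{MAX_SLOT[mode]}")
            continue
        try:
            # Assumption: the CAS restriction on timeslot 16 also applies to channels.
            slots = parse_timeslots(channels[chan_id], mode, frame_type)
        except ValueError as exc:
            problems.append(f"channel {chan_id}: {exc}")
            continue
        for slot in sorted(slots):
            if slot in owner:
                problems.append(
                    f"timeslot {slot} is assigned to channels {owner[slot]} and {chan_id}")
            else:
                owner[slot] = chan_id
    return problems


if __name__ == "__main__":
    # Constructed input: channel 5 reuses timeslot 9, already held by channel 4.
    for problem in check_interface("T1", "ESF", "B8ZS", {4: "2-6,9", 5: "9-12"}):
        print(problem)
```
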

19.1.12 Enabling and Disabling a T1/E1 Channel

Use the no shutdown command in Channel Configuration mode to enable a T1/E1 channel.

Command syntax:

no shutdown

Example:

Magnum 10RX(config-channel)# no shutdown

Default value: channel is disabled

The shutdown command disables the channel.

Use the show interface t1e1 slot/port command to view configured values.

19.2 Configuring T1/E1 in the GUI

10RX supports ports to transmit and receive T1/E1 traffic. Each of these ports is separately configurable and may be divided up into multiple channels. The following sections describe the GUI screens used to configure T1/E1 ports and channels.

19.2.1 Configuring T1/E1 Ports

In the GUI go to the WAN Management: T1/E1 Port Manager: T1/E1 Port Configuration tab to configure T1/E1 ports, as illustrated in Figure 19-1.

Figure 19-1. T1/E1 Port Configuration Screen


In the T1/E1 Port Configuration screen define a profile for a specified T1/E1 port. Click Apply to save your specifications and make them effective.

Table 19-1. T1/E1 Port Configuration Fields

Parameter Description See Also

Select You must click a selection button before modifying a configuration.

Port The port and slot number combination identifying a T1/E1 port.

Section 19.1.1

Link Status An indicator (Up or Down) of the status of this link.

Admin State Display or set the administrative status (Up or Down) of this T1/E1 port.

Mode Display or set the mode of this port. Options are:

• T1 — specifies the North American T1 standard.

• E1 — specifies the European E1 standard.

Section 19.1.2

Clock Specify the clock source for this port. Options are:

• received — specifies external clocking.

• local — specifies internal clocking.

Section 19.1.3

Timeslot Specify the time slots to use with the T1 or E1 circuit. For specific channels use single slot numbers separated by commas or a range separated by a hyphen. Spaces are not allowed.

Section 19.1.5

Timeslot Bandwidth Specify the data rate for this port. (E1 circuits normally use a value of 64kbps.)

• 56k — specifies a usable data rate of 56kbps.

• 64k — specifies a usable data rate of 64kbps.

Section 19.1.4

Frame Types Specify the frame types for the T1 or E1 circuit. The frame type is normally specified by the carrier.

For T1 mode the following values may be selected:

• ESF — specifies Extended Super Framing format, consisting of 24 consecutive 193 bit frames.

• D4 — specifies a framing format also known as SF (Super Frame), consisting of 12 consecutive 193 bit frames.

For E1 mode the following values may be selected:

• FAS — specifies Frame Alignment Signaling.

• CAS — specifies Channel Associated Signaling, a method that "robs" some bits of each frame to transmit synchronization information.

Section 19.1.6


Line Code Specify the line codes for the T1 or E1 circuit. Line codes are normally specified by the carrier.

For T1 mode the following values may be selected:

• AMI — specifies Alternate Mark Inversion line coding.

• B8ZS — specifies Bipolar With 8 Zero Substitution line coding.

For E1 mode the following values may be selected:

• AMI — specifies Alternate Mark Inversion line coding.

• HDB3 — specifies High Density Bipolar 3 line coding.

Section 19.1.7

Line Build Out Specify the line build out compensation for the T1 or E1 circuit. Line build out compensates for the loss based on distance from the device to the first repeater in the circuit. Options are:

• 0to133 - distance from 0 feet to 133 ft

• 133to266 - distance from 133 ft to 266 ft

• 266to399 - distance from 266 ft to 399 ft

• 399to533 - distance from 399 ft to 533 ft

• 533to655 - distance from 533 ft to 655 ft

• -7.5dB - a signal loss of 7.5dB

• -15dB - a signal loss of 15dB

• -22.5dB - a signal loss of 22.5dB

Section 19.1.8

Line Status Displays the status of this T1 or E1 line:

• ok – The line has link and is functioning properly.

• carrierLoss – No carrier signal detected.

• blueAlarm – Also known as Alarm Indication Signal (AIS) or an “all ones” alarm. This indicates a total absence of an incoming signal due to a disruption in the communications path.

• rxLos – The line is not synchronized to the received data stream.

• yellowAlarm – Also known as a Remote Alarm indication (RAI). This indicates that a remote interface is encountering a problem with a signal from this interface. This could result from an equipment problem or from incompatible configurations.

• redAlarm – The incoming signal is corrupted (wrong frame type or errors in framing).

• loopUp – The line is looping back received data.


19.2.2 Configuring T1/E1 Channel Settings

In the GUI go to the WAN Management: T1/E1 Port Manager: T1/E1 Channel Settings tab to configure T1/E1 ports, as illustrated in Figure 19-2.

Figure 19-2. T1/E1 Channel Settings Screen

In the T1/E1 Channel Settings screen use the upper dialog box to configure T1/E1 channels. Click Create to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured channels.

Table 19-2. T1/E1 Channel Settings Fields

Parameter Description See Also

Select You must click a selection button before modifying a configuration.

Port ID Select an available T1/E1 port. Section 19.1.10

Channel Number Specify a channel number to associate with the port identified in the Port ID field. Valid port numbers are:

• For T1 interfaces — 1-24

• For E1 interfaces — 1-31

Section 19.1.10

Link Status An indicator (Up or Down) of the status of this link.

Admin State Display or set the administrative status (enabled or disabled) of this channel.

Timeslot Specify the time slots to use with this channel. Use single slot numbers separated by commas or a range separated by a hyphen. Spaces are not allowed.

Section 19.1.11


19.3 Displaying T1/E1 Interface Configuration Information

Use the show interface t1e1 command in the Exec Commands mode to view configured T1/E1 interface values.

Command syntax:

show interface t1e1 slot/port

Where:

slot/port are valid slot and port designations for a configured T1/E1 port on this device.

Example:

Magnum 10RX# show interface t1e1 8/1

Figure 19-3 provides an example show command output.

Figure 19-3. show interface t1e1 Command Output

Mat1e1-8/1 is down, line protocol is down (not connected)
Mode: T1
TimeSlot B/W: 56k
TimeSlots: 1-24
Clock: received
Framing: ESF
Line Code: B8ZS
Line build out: 0to133
Line Status: carrier loss
Link up/down trap is enabled
0 input packets, 0 input octets
0 output packets, 0 output octets
0 rx overruns, 0 rx aborts
0 rx bad crc, 0 rx long frames
4230 rx short frames


Chapter 20 PPP

Point-to-Point Protocol (PPP) is a data link protocol commonly used to establish a direct connection between two networking nodes. It can provide authentication, encryption, and compression. It is used over many types of physical networks including serial cable, phone line, trunk line, cellular telephone, specialized radio links, or fiber optic links such as SONET. Most Internet service providers (ISPs) use PPP for customer access to the Internet or to private wide-area network services.

Multilink PPP (MLPPP) is a protocol that permits multiple PPP ports to be bundled to achieve a greater effective bandwidth than is available on a single port. MLPPP is configured by defining one or more multilink bundles and associating ports with each bundle. The bundle serves to encapsulate configuration data that is common to all PPP links that belong to that bundle. A bundle may contain physical links operating at different speeds, for example one T1/E1 line and two asynchronous lines.

Some commands documented in this chapter can be applied to both PPP and MLPPP. These commands are:

• ip address, see Section 20.1.9.

• authentication, see Section 20.1.3.

• sent-username, see Section 20.1.6.

• shutdown, see Section 20.1.15.

20.1 Configuring PPP in the CLI

The following sections describe the CLI commands used to configure PPP interfaces.

20.1.1 Specifying a PPP Interface

Use the interface ppp command in Global Configuration mode to specify configuration options for a PPP interface. This command brings up the PPP Interface Configuration mode, signaled by the Magnum 10RX(config-ppp)# prompt, and enables you to enter configuration commands for the specified PPP interface.

Command syntax:

interface ppp ifid

Where:

ifid is a numerical value in the range 1-16 specifying a PPP interface ID

Example:

Magnum 10RX(config)# interface ppp 5

Magnum 10RX(config-ppp)# 


Valid range: 1-16

The no interface ppp ifid command deletes the PPP interface specified by ifid.

20.1.2 Configuring Link Control Protocol Interval

Use the lcp-echo-interval command in PPP Configuration mode to set the value for the interval between Link Control Protocol (LCP) keepalive exchanges. More frequent exchanges reduce the time to detect a down link but use more bandwidth.

Command syntax:

lcp-echo-interval lcp-int

Where:

lcp-int is a numerical value in the range 3-3600 specifying the interval in seconds between LCP exchanges.

Example:

Magnum 10RX(config-ppp)# lcp-echo-interval 600

This command specifies that LCP keepalive exchanges will occur every ten minutes.

Default: 30 seconds

Valid range: 3-3600 seconds

The no lcp-echo-interval command specifies the default.

20.1.3 Configuring PPP Authentication

Use the authentication command in PPP Configuration mode to specify the authentication protocol to use for this PPP interface.

Command syntax:

authentication {chap | pap}

Where:

chap specifies the Challenge Handshake Authentication Protocol (CHAP).

pap specifies the Password Authentication Protocol (PAP).

Example:

Magnum 10RX(config-ppp)# authentication chap

Default: no authentication

The no authentication command specifies the default.

20.1.4 Specifying PPP Compression

Use the compression command in PPP Configuration mode to specify the use of Van Jacobson TCP/IP header compression.


Command syntax:

compression vjc

Where:

vjc specifies Van Jacobson TCP/IP header compression (as described in RFC 1144).

Example:

Magnum 10RX(config-ppp)# compression vjc

Default: no TCP/IP header compression.

The no compression command specifies the default.

20.1.5 Specifying a Peer Username and Password

Use the username command in PPP Configuration mode to configure authentication (PAP or CHAP) credentials for a remote peer. The username and password specified must match those used by the peer.

Command syntax:

username user password pass

Where:

user specifies the username for the remote user or host.

pass specifies the cleartext password for the remote user, host, or Magnum 10KR.

Example:

Magnum 10RX(config-ppp)# username obelix password idefix

Valid Ranges:

user — 1-32 characters

pass — 1-32 characters

The no username command deletes configured peer CHAP or PAP credentials.

20.1.6 Specifying a Device Username and Password

Use the sent-username command in PPP Configuration mode to specify the name and password used by this device in PAP or CHAP authentication protocols.

Command syntax:

sent-username user password pass

Where:

user specifies the name used to authenticate this device to a remote peer.

pass specifies the password used to authenticate this device to a remote peer.


Example:

Magnum 10RX(config-ppp)# sent-username obelix password idefix

Valid Ranges:

user — 1-32 characters

pass — 1-32 characters

The no sent-username command deletes any configured device PAP or CHAP credentials.
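Because the default is no authentication, and PAP sends its password across the link in the clear while CHAP does not, a review of PPP settings should flag every interface that is unauthenticated or uses PAP. The following Python sketch is an added example, not INOS code: it reads the commands of Sections 20.1.1 through 20.1.6 as typed at the CLI (a constructed sample, not the device's saved-configuration format), and its third check assumes the device verifies the peer against the username entry.

```python
import re

# Strips a CLI prompt such as "Magnum 10RX(config-ppp)# " if a session was pasted in.
PROMPT = re.compile(r"^Magnum 10RX(?:\([^)]*\))?#\s*")

# Constructed sample: the commands of Sections 20.1.1 to 20.1.6 as an operator
# would type them. The user names and passwords are made up for this example.
SAMPLE = """\
interface ppp 1
authentication chap
username obelix password idefix
sent-username asterix password getafix
interface ppp 2
authentication pap
username obelix password idefix
Magnum 10RX(config)# interface ppp 3
Magnum 10RX(config-ppp)# lcp-echo-interval 600
interface ppp 4
authentication chap
interface ppp 5
authentication chap
username obelix password idefix
no authentication
""".splitlines()


def parse_ppp(lines):
    """Return {ifid: {"auth": "chap"|"pap"|None, "peer": bool, "sent": bool}}."""
    ifaces, current = {}, None
    for raw in lines:
        words = PROMPT.sub("", raw.strip()).split()
        negate = bool(words) and words[0] == "no"
        if negate:
            words = words[1:]
        if not words:
            continue
        if words[0] == "interface":
            current = None  # any interface command leaves the previous PPP context
            if len(words) == 3 and words[1] == "ppp" and words[2].isdigit():
                ifid = int(words[2])
                if not 1 <= ifid <= 16:
                    raise ValueError(f"PPP interface ID {ifid} is outside 1-16")
                if negate:
                    ifaces.pop(ifid, None)  # "no interface ppp ifid" deletes it
                else:
                    current = ifaces.setdefault(
                        ifid, {"auth": None, "peer": False, "sent": False})
        elif current is None:
            continue  # command belongs to some other configuration mode
        elif words[0] == "authentication":
            if negate:
                current["auth"] = None  # "no authentication" restores the default
            elif len(words) == 2 and words[1] in ("chap", "pap"):
                current["auth"] = words[1]
        elif words[0] == "username":
            current["peer"] = not negate
        elif words[0] == "sent-username":
            current["sent"] = not negate
    return ifaces


def audit(ifaces):
    """Return sorted (ifid, finding) pairs for interfaces that need attention."""
    findings = []
    for ifid, cfg in sorted(ifaces.items()):
        if cfg["auth"] is None:
            findings.append((ifid, "NO_AUTH"))  # default: peer is never authenticated
        elif cfg["auth"] == "pap":
            findings.append((ifid, "PAP"))  # PAP sends the password in the clear
        if cfg["auth"] and not cfg["peer"]:
            findings.append((ifid, "NO_PEER_CREDENTIALS"))  # nothing to verify against
    return findings


if __name__ == "__main__":
    for ifid, finding in audit(parse_ppp(SAMPLE)):
        print(f"ppp {ifid}: {finding}")
```
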

20.1.7 Configuring Maximum Slot IDs

Use the max-slot-id command in PPP Configuration mode to configure the maximum number of slot IDs to be used when Van Jacobson TCP/IP compression is used.

Command syntax:

max-slot-id idval

Where:

idval specifies the maximum slot IDs to be used when Van Jacobson TCP/IP compression has been enabled.

Example:

Magnum 10RX(config-ppp)# max-slot-id 12

Default Value: 16

Valid Range: 2-16

The no max-slot-id command restores the default.

20.1.8 Enable Compression of Slot ID Field

Use the comp-slot-id command in PPP Configuration mode to enable or disable compression of the slot id field when Van Jacobson TCP/IP compression is used.

Command syntax:

comp-slot-id {enable|disable}

Example:

Magnum 10RX(config-ppp)# comp-slot-id enable

Default Value: compression of slot ID enabled

20.1.9 Specify IP Address of the PPP Interface

Use the ip address command in PPP Configuration mode to specify the IP address of the PPP interface. The netmask, which is not specified on the command line, is 255.255.255.255 by default.


Command syntax:

ip address ipadr

Where:

ipadr is a valid IPv4 address.

Example:

Magnum 10RX(config-ppp)# ip address 192.168.10.12

The no ip address command deletes a configured IP address.

20.1.10 Specify an MRU Value

Use the mru command in PPP Configuration mode to specify a Maximum Received Unit (MRU) value. The MRU defines the maximum size (in bytes) of the protocol data unit that will be received on an interface.

Command syntax:

mru mruval

Where:

mruval is a numerical value specifying the maximum size in bytes of a protocol data unit that can be received on the interface.

Example:

Magnum 10RX(config-ppp)# mru 1000

Default Value: 1500

Valid Range: 128-1500

The no mru command restores the default value.

20.1.11 Specify an MTU Value

Use the mtu command in PPP Configuration mode to specify a Maximum Transmission Unit (MTU) value. The MTU defines the maximum size (in bytes) of the protocol data unit that will be transmitted over the interface.

Command syntax:

mtu mtuval

Where:

mtuval is a numerical value specifying the maximum size in bytes of a protocol data unit that can be transmitted over the interface.

Example:

Magnum 10RX(config-ppp)# mtu 300

Default Value: 1500

Valid Range: 68-1500

20.1.12 Enable Compression of Address and Control Fields

Use the acfc command in PPP Configuration mode to enable Address and Control Field Compression (ACFC) of the PPP interface.

Command syntax:

acfc

Example:

Magnum 10RX(config-ppp)# acfc

Default Value: compression of address and control fields not enabled

The no acfc command disables acfc.

20.1.13 Enable Compression of Protocol Field

Use the pfc command in PPP Configuration mode to enable Protocol Field Compression (PFC) of the PPP interface.

Command syntax:

pfc

Example:

Magnum 10RX(config-ppp)# pfc

Default Value: compression of protocol field not enabled

The no pfc command disables pfc.

20.1.14 Enable Use of Magic Numbers

Use the magic-number command in PPP Configuration mode to enable use of magic numbers for transmitting PPP configuration/maintenance packets on the PPP interface. A magic number inserted in a packet can be used to detect loops if it reappears at its point of origin.

Command syntax:

magic-number

Example:

Magnum 10RX(config-ppp)# magic-number

Default Value: use of magic numbers is disabled

The no magic-number command disables the magic number feature.

20.1.15 Disable a PPP Interface

Use the shutdown command in PPP Configuration mode to disable a PPP interface. Use the no form of the command to enable the port.

Command syntax:

shutdown

Example:

Magnum 10RX(config-ppp)# shutdown

Default Value: PPP interface is disabled

The no shutdown command enables the PPP interface.

20.1.16 Specify a Physical Port for PPP Interface

Use the layer command in PPP Configuration mode to assign the physical port for this PPP interface.

Command syntax:

layer t1e1 slot/port

Where:

slot/port specifies a valid slot and port on the device configured as a T1E1 port. (Use the show interface command in the EXEC mode to discover properly configured interfaces.)

Example:

Magnum 10RX(config-ppp)# layer t1e1 8/1

The no layer command deletes the assignment of the physical port to this PPP interface. This then allows a different physical port to be layered/assigned.

20.2 Configuring PPP in the GUI

The following sections describe the GUI screens used to configure PPP interfaces.

20.2.1 Configuring PPP Interfaces

In the GUI go to the WAN Management: PPP: PPP Interfaces tab to configure PPP interfaces on the device, as illustrated in Figure 20-1.

Figure 20-1. Point-to-Point Protocol Interfaces Screen

In the Point-to-Point Protocol Interfaces screen, use the upper dialog box to define the properties of a PPP interface. Click the Create button to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured PPP interfaces.

Table 20-1. Point-to-Point Protocol Interface Fields

| Parameter | Description | See Also |
|---|---|---|
| Select | You must click a selection button before modifying a configuration. | |
| PPP Interface | A numerical value identifying this PPP interface. Valid range: 1-16 | Section 20.1.1 |
| Link Status | An indicator (Up or Down) for the physical status of this link. | |
| Lower Level Interface | Identifies the physical interface under configuration. | Section 20.1.16 |
| Higher Level Interface | Identifies the higher-level interface (if any) stacked over a PPP interface. | |
| Admin State | An indicator (Up or Down) for the administrative status of this interface. | |
| Local IP Address | IP address of the interface being configured. | |
| LCP Echo Interval | Specify the value for the interval between Link Control Protocol (LCP) keepalive exchanges. Default value: 30 seconds. Valid range: 3-3600 seconds | Section 20.1.2 |
| Authentication | Specify the authentication protocol to use for this PPP interface. Options are: none; CHAP — the Challenge Handshake Authentication Protocol; PAP — the Password Authentication Protocol. Note: the next four fields are displayed and editable if PAP or CHAP is selected. | Section 20.1.3 |
| Local User Name | For authentication purposes specify a string of up to 32 characters as a local user name. | Section 20.1.6 |
| Local User Password | For authentication purposes specify a string of up to 32 characters as a local user password. | Section 20.1.6 |
| Remote User Name | For authentication purposes specify a string of up to 32 characters as a remote user name. | Section 20.1.5 |
| Remote User Password | For authentication purposes specify a string of up to 32 characters as a remote user password. | Section 20.1.5 |

20.2.2 Configuring PPP Options

In the GUI go to the WAN Management: PPP: PPP Options tab to specify PPP options, as illustrated in Figure 20-2.

Figure 20-2. PPP Options Screen

In the PPP options screen specify options for a selected PPP interface. Click Apply for your specifications to take effect.

Table 20-2. PPP Options Fields

| Parameter | Description | See Also |
|---|---|---|
| Select | You must click a selection button before modifying a configuration. | |
| PPP Interface | The identifier for the PPP interface selected. | |
| Compression | Optionally specify Van Jacobson TCP/IP header compression. | Section 20.1.4 |
| Maximum Slot ID | Specify the maximum number of slot IDs to be used when Van Jacobson TCP/IP compression has been specified. Default Value: 16. Valid Range: 2-16 | Section 20.1.7 |
| Compression Slot ID | Enable or disable compression of the slot id field when Van Jacobson TCP/IP compression is used. | Section 20.1.8 |
| Maximum Receive Unit | Specify a Maximum Received Unit (MRU) value. The MRU defines the maximum size (in bytes) of the protocol data unit that will be received on an interface. Default Value: 1500. Valid Range: 128-1500 | Section 20.1.10 |
| Maximum Transmission Unit | Specify a Maximum Transmission Unit (MTU) value. The MTU defines the maximum size (in bytes) of the protocol data unit that will be transmitted over the interface. Default Value: 1500. Valid Range: 68-1500 | Section 20.1.11 |
| Address and Control Field Compression | Enable or disable Address and Control Field Compression (ACFC) of the PPP interface. | Section 20.1.12 |
| Protocol Field Compression | Enable or disable Protocol Field Compression (PFC) of the PPP interface. | Section 20.1.13 |
| Magic Number | Enable or disable use of magic numbers for transmitting PPP configuration/maintenance packets on the PPP interface. A magic number inserted in a packet can be used to detect loops if it reappears at its point of origin. | Section 20.1.14 |
| Policy Name | Specify a name for the policy that comprises these specifications. | |

20.3 Configuring MLPPP in the CLI

The following sections describe the CLI commands used to configure MLPPP interfaces.

The following commands documented in the PPP configuration section of this chapter can also be executed at the Magnum 10RX(config-mlppp) prompt:

• ip address, see Section 20.1.9.

• authentication, see Section 20.1.3.

• sent-username, see Section 20.1.6.

• shutdown, see Section 20.1.15.

20.3.1 Specifying an MLPPP Interface

Use the interface mlppp command in Global Configuration mode to specify configuration options for an MLPPP interface. This command brings up the MLPPP Interface Configuration mode, signaled by the Magnum 10RX(config-mlppp) prompt, and enables you to enter configuration commands for the specified MLPPP interface.

Command syntax:

interface mlppp ifid

Where:

ifid is a numerical value in the range 1-16 specifying an MLPPP interface ID.

Example:

Magnum 10RX(config)# interface mlppp 5

Magnum 10RX(config-mlppp)# 

Valid range: 1-16

The no interface mlppp ifid command deletes the MLPPP interface specified by ifid.

20.3.2 Specify an MRRU Value

Use the mrru command in MLPPP Configuration mode to specify a Maximum Reconstructed Received Unit (MRRU) value. The MRRU defines the maximum size (in bytes) of the reassembled packets that will be received on an interface.

Command syntax:

mrru mrruval

Where:

mrruval is a numerical value specifying the maximum size in bytes of a protocol data unit that can be received on the interface.

Example:

Magnum 10RX(config-mlppp)# mrru 1000

Default Value: 1500

Valid Range: 128-1500

The no mrru command restores the default value.

20.3.3 Assembling MLPPP Bundles

Use the layer ppp command in MLPPP Configuration mode to add a PPP interface to an MLPPP bundle; that is, to layer it below the MLPPP interface under configuration.

Command syntax:

layer ppp pppid

Where:

pppid is the identifier of a configured PPP interface.

Example:

Magnum 10RX(config-mlppp)# layer ppp 9

The no layer ppp spec command removes the interface specified by spec from the bundle.

20.4 Configuring MLPPP in the GUI

The following sections describe the GUI screens used to configure MLPPP interfaces.

20.4.1 Configuring MLPPP Interfaces

In the GUI go to the WAN Management: MLPPP: MLPPP Interfaces tab to configure MLPPP interfaces on the device, as illustrated in Figure 20-1.

Figure 20-3. Multilink Point-to-Point Protocol Interfaces Screen

In the Multilink Point-to-Point Protocol Interfaces screen, use the upper dialog box to define the properties of an MLPPP interface. Click the Create button to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured MLPPP interfaces.

Table 20-3. Point-to-Point Protocol Interface Fields

| Parameter | Description | See Also |
|---|---|---|
| Select | You must click a selection button before modifying a configuration. | |
| PPP Interface | A numerical value identifying this MLPPP interface. Valid range: 1-16 | Section 20.1.1 |
| Link Status | An indicator (Up or Down) for the physical status of this link. | |
| Admin State | An indicator (Up or Down) for the administrative status of this interface. | |
| Local IP Address | IP address of the interface being configured. | |
| Authentication | Specify the authentication protocol to use for this PPP interface. Options are: none; CHAP — the Challenge Handshake Authentication Protocol; PAP — the Password Authentication Protocol. Note: the next four fields are displayed and editable if PAP or CHAP is selected. | Section 20.1.3 |
| Local User Name | For authentication purposes specify a string of up to 32 characters as a local user name. | Section 20.1.6 |
| Local User Password | For authentication purposes specify a string of up to 32 characters as a local user password. | Section 20.1.6 |
| Remote User Name | For authentication purposes specify a string of up to 32 characters as a remote user name. | Section 20.1.5 |
| Remote User Password | For authentication purposes specify a string of up to 32 characters as a remote user password. | Section 20.1.5 |

20.4.2 Configuring MLPPP Interface Stacking

In the GUI go to the WAN Management: MLPPP: MLPPP Interfaces tab to configure PPP interfaces on the device, as illustrated in Figure 20-4.

Figure 20-4. Multilink Point-to-Point Protocol Interface Stacking Screen

In the Multilink Point-to-Point interface stacking screen use the upper dialog box to specify a configured PPP interface to be included in an MLPPP grouped interface. Click the Add button to save your specification and display it in the lower dialog box. Use the lower dialog box to delete configured MLPPP associations.

Table 20-4. Point-to-Point Protocol Interface Stacking Fields

| Parameter | Description | See Also |
|---|---|---|
| Select | You must click a selection button before modifying a configuration. | |
| MLPPP Interface | A numerical value identifying this MLPPP interface. Valid range: 1-16 | Section 20.3.3 |
| PPP Interface | A numerical value specifying a configured PPP interface. | Section 20.3.3 |

20.4.3 Configuring MLPPP Options

In the GUI go to the WAN Management: MLPPP: MLPPP Options tab to specify MLPPP options, as illustrated in Figure 20-2.

Figure 20-5. MLPPP Options Screen

In the MLPPP options screen specify options for a selected MLPPP interface. Click Apply for your specifications to take effect.

Table 20-5. MLPPP Options Fields

| Parameter | Description | See Also |
|---|---|---|
| Select | You must click a selection button before modifying a configuration. | |
| MLPPP Interface | The identifier for the MLPPP interface selected. | |
| Compression | Optionally specify Van Jacobson TCP/IP header compression. | Section 20.1.4 |
| Maximum Slot ID | Specify the maximum number of slot IDs to be used when Van Jacobson TCP/IP compression has been specified. Default Value: 16. Valid Range: 2-16 | Section 20.1.7 |
| Compression Slot ID | Enable or disable compression of the slot id field when Van Jacobson TCP/IP compression is used. | Section 20.1.8 |
| MRRU | Specify a Maximum Received Reconstructed Unit (MRRU) value. The MRRU defines the maximum size (in bytes) of the protocol data unit that will be received on an interface. Default Value: 1500. Valid Range: 128-1500 | Section 20.1.10 |
| Maximum Transmission Unit | Specify a Maximum Transmission Unit (MTU) value. The MTU defines the maximum size (in bytes) of the protocol data unit that will be transmitted over the interface. Default Value: 1500. Valid Range: 68-1500 | Section 20.1.11 |
| Short-seq-header-format | Enable or disable abbreviated headers. | |
| Policy Name | Specify a name for the policy that comprises these specifications. | |

Chapter 21 Frame Relay

The 10RX supports the creation and management of Frame Relay Permanent Virtual Circuits (PVCs) as well as the encapsulation of IP and serial data packets over these circuits.

21.1 Configuring Frame Relay in the CLI

The Frame Relay service is layered on top of a physical WAN interface. The physical WAN interfaces can be either a fractional T1/E1 interface or an individual channel on a channelized T1/E1 interface.

For example, to create a Frame Relay interface with instance number 1 that runs directly over T1/E1 interface 4/1 and enable it, execute the following commands:

Magnum 10RX(config)# interface frame-relay 1

Magnum 10RX(config-fr)# layer t1e1 4/1

Figure 21-1. Configuring an FR interface to run directly over a T1/E1 interface

To create a Frame Relay interface with instance number 2 that runs over T1/E1 channel 5 on interface 6/2 and enable it:

Magnum 10RX(config)# interface frame-relay 2

Magnum 10RX(config-fr)# layer t1e1 6/2 chan 5

Magnum 10RX(config-fr)# no shutdown

Figure 21-2. Configuring FR to run over a channelized interface

The following subsections detail the commands used to accomplish these tasks.

21.1.0.1 Specifying a Frame Relay Interface

Use the interface frame-relay command in Global Configuration mode to configure a Frame Relay interface and to enter the Frame Relay Interface Configuration mode, signified by the Magnum 10RX(config-fr)# prompt. If the specified Frame Relay interface does not exist it will be created.

Command syntax:

interface frame-relay frid

Where:

frid is a numerical value in the range 1-192 specifying a Frame Relay interface ID.

Example:

Magnum 10RX(config)# interface frame-relay 1

Magnum 10RX(config-fr)# 

Valid range: 1-192

The no interface frame-relay frid command deletes the Frame Relay interface specified by frid.

21.1.0.2 Configuring the Lower Layer for a Frame Relay Interface

Use the layer t1/e1 command in Frame Relay interface Configuration mode to configure the lower layer (physical) interface for this Frame Relay interface. (For the use of the layer command with a specific PVC see Section 21.1.2.2.)

Command syntax:

layer t1/e1 ifid [chan channum]

Where:

ifid specifies the slot and port number of the T1/E1 port.

channum, an optional parameter, specifies the channel number designator corresponding to the channelized T1/E1 interface.

Example:

Magnum 10RX(config-fr)# layer t1e1 6/2 chan 5

The no layer command unstacks the interfaces.

21.1.0.3 Enabling a Frame Relay Interface with the No Shutdown Command

Use the no shutdown command in Frame Relay Configuration mode to enable a configured Frame Relay interface.

Command syntax:

no shutdown

Example:

Magnum 10RX(config-fr)# no shutdown

Note: This command has significance in the context of configuration of a specific interface as illustrated in Figure 21-2.

Default value: port is disabled

The shutdown command disables the port.

21.1.1 Configuring LMI

The Local Management Interface protocol is a signaling standard used between routers and Frame Relay switches. Each Frame Relay interface has the ability to run the Local Management Interface (LMI) protocol to determine the status of its Permanent Virtual Circuits (PVCs). To run LMI you must choose the appropriate LMI type and mode based on your specific network requirements. Your service provider will generally specify which LMI type and mode you should use.

21.1.1.1 Configuring LMI Type

Use the lmi type command in Frame Relay Interface Configuration mode to specify the LMI standard to which the interface should conform.

Command syntax:

lmi type {lmi | ccitt | ansi}

Where:

lmi specifies Cisco (aka, Gang of Four) LMI type.

ccitt specifies ITU-T Q.933 Annex A LMI type.

ansi specifies Annex D LMI type defined by ANSI standard T1.617.

Example:

Magnum 10RX(config-fr)# lmi type ccitt

Default value: LMI disabled

The no lmi type command specifies the default.

21.1.1.2 Configuring LMI Mode

Use the lmi mode command in Frame Relay Interface Configuration mode to specify whether the interface should implement the user part or the network part of the LMI protocol.

When connecting to a service provider network you should choose user mode. When connecting two 10RX routers together directly choose user mode on one side and network mode on the other side.

Command syntax:

lmi mode {user | network}

Where:

user specifies that this interface will implement the user part of the LMI protocol.

network specifies that this interface will implement the network part of the LMI protocol.

NOTE: On other products user mode is often referred to as "DTE" and network mode is referred to as "DCE".

Example:

Magnum 10RX(config-fr)# lmi mode user

Default value: user

The no lmi mode command specifies the default.

21.1.2 Configuring PVCs

Each Frame Relay interface supports the configuration of multiple permanent virtual circuits (PVCs). Each PVC creates a bidirectional communication path through the Frame Relay network from one end point to another. A Data Link Connection Identifier (DLCI) is assigned to each PVC. The DLCI only has local significance on a Frame Relay interface and can be re-used on each separate Frame Relay interface. Your service provider will generally specify which DLCI to use for a particular PVC.

Create a PVC in the following steps:

1. Specify a new Frame Relay PVC interface with the interface fr-pvc command in Global Configuration mode.

2. Configure the physical interface with the layer command in Frame Relay PVC Configuration mode.

3. Configure DLCI with the dlci command in Frame Relay PVC Configuration mode.

4. Enable the PVC with the no shutdown command in Frame Relay PVC Configuration mode.

For example, to create PVC instance 1, layer it on top of Frame Relay interface 1, and assign DLCI 105, execute the following commands:

Magnum 10RX(config)# interface fr-pvc 1

Magnum 10RX(config-fr-pvc)# layer frame-relay 1

Magnum 10RX(config-fr-pvc)# dlci 105

Magnum 10RX(config-fr-pvc)# no shutdown

Figure 21-3. Configuring a PVC

The following subsections detail the commands used to accomplish this task.

21.1.2.1 Specifying a Frame Relay PVC Interface

Use the interface fr-pvc command in Global Configuration mode to specify a Frame Relay PVC interface and to enter the Frame Relay PVC Interface Configuration mode, signified by the Magnum 10RX(config-fr-pvc)# prompt. If the specified Frame Relay PVC interface does not exist it will be created.

Command syntax:

interface fr-pvc pvcid

Where:

pvcid is a numerical value in the range 1-2048 specifying a Frame Relay interface ID.

Example:

Magnum 10RX(config)# interface fr-pvc 25

Magnum 10RX(config-fr-pvc)# 

Valid range: 1-2048

The no interface fr-pvc pvcid command deletes the Frame Relay PVC interface specified by pvcid.

21.1.2.2 Configuring the Lower Layer for a PVC

Use the layer frame-relay command in Frame Relay PVC interface Configuration mode to configure the lower layer (physical) interface for this PVC. (For the use of the layer command with a Frame Relay interface see Section 21.1.0.2.)

Command syntax:

layer frame-relay ifid

Where:

ifid specifies the interface identifier of the underlying Frame Relay interface.

Example:

Magnum 10RX(config-fr-pvc)# layer frame-relay 1

Note: This command has significance in the context of configuration of a specific PVC as illustrated in Figure 21-3.

The no layer command unstacks the interfaces.

21.1.2.3 Specifying the DLCI for a PVC

Use the dlci command in Frame Relay PVC interface Configuration mode to specify a DLCI for this PVC.

Command syntax:

dlci dlcival

Where:

dlcival is a numerical value in the range of 1-1022 specifying a DLCI for this PVC.

Example:

Magnum 10RX(config-fr-pvc)# dlci 105

Note: This command has significance in the context of configuration of a specific PVC as illustrated in Figure 21-3.

21.1.2.4 Enabling a PVC with the No Shutdown Command

Use the no shutdown command in Frame Relay PVC Configuration mode to enable a configured Frame Relay interface.

Command syntax:

no shutdown

Example:

Magnum 10RX(config-fr-pvc)# no shutdown

Note: This command has significance in the context of configuration of a specific interface as illustrated in Figure 21-3.

Default value: PVC is disabled

The shutdown command disables the port.

21.1.3 Configuring IP Encapsulation

A Frame Relay PVC can be used like a point-to-point IP link. IP packets are encapsulated by Frame Relay using the techniques outlined in RFC 1490. Configure IP encapsulation by specifying the IP addresses of the current device and a peer device.

For example, to configure a frame relay PVC instance 3, layer it on top of the physical WAN interface T1/E1 6/1, assign DLCI 105, and configure and enable it for RFC 1490 IP encapsulation, execute the following commands:

Magnum 10RX(config)# interface fr-pvc 3

Magnum 10RX(config-fr-pvc)# layer t1e1 6/1

Magnum 10RX(config-fr-pvc)# dlci 105

Magnum 10RX(config-fr-pvc)# ip address 192.168.90.1

Magnum 10RX(config-fr-pvc)# peer ip address 192.168.90.2

Magnum 10RX(config-fr-pvc)# no shutdown

Figure 21-4. Configuring IP encapsulation

After a frame relay PVC is configured for RFC 1490 IP encapsulation the PVC becomes a full IP interface. You may specify it as the next hop in a static route or run dynamic routing protocols across the PVC interface. You can also use the show ip interface command to see the IP interface status of the PVC.

21.1.3.1 Specifying the Local IP Address for IP Encapsulation

Use the ip address command in Frame Relay PVC configuration mode to specify the IP address of the current device.

NOTE: The no shutdown command will return an error if either the local or remote IP addresses or the serial-over-FR parameters are not configured.

Command syntax:

ip address ipaddr

Where:

ipaddr is a valid IP address for the current device.

Example:

Magnum 10RX(config-fr-pvc)# ip address 192.168.90.1

The no ip address command deletes an address configured for the current device.

21.1.3.2 Specifying the Peer IP Address for IP Encapsulation

Use the peer ip address command in Frame Relay PVC configuration mode to specify the IP address of the peer device.

Command syntax:

peer ip address ipaddr

Where:

ipaddr is a valid IP address for the peer device.

Example:

Magnum 10RX(config-fr-pvc)# peer ip address 192.168.90.2

The no peer ip address command deletes an address configured for a peer device.

21.1.4 Configuring Serial Encapsulation

A Frame Relay PVC can be used to carry asynchronous serial data. This feature is typically used to extend the reach of SCADA protocols using a WAN infrastructure.

Use the serial-fr serial command in Frame Relay PVC configuration mode to specify the slot number and port number of an interface.

Command syntax:

serial-fr serial ifid [padding]

Where:

ifid specifies the slot and port number of the interface.

padding, an optional parameter, specifies that a 3 byte offset is created within each packet between the frame relay header and the payload. This is for compatibility with Dynastar router products.

NOTE: If the ip address and/or peer ip address command has previously been executed for this PVC this command will fail. In such a case issue the no ip address and/or no peer ip address command before executing the serial-fr serial command.

Example:

Magnum 10RX(config-fr-pvc)# serial-fr serial 10/1

Default value: No serial to Frame Relay channel is enabled.

The no serial-fr command specifies the default.
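
The ranges and ordering rules stated in Sections 21.1.2 through 21.1.4 can be checked against a planned PVC configuration before it is entered on a router. The following Python linter is an added example, not part of INOS or of the original guide; the name lint_pvc_config, the sample configuration, and the reading of the no shutdown NOTE (both IP addresses, or serial-fr, must be configured) are assumptions.

```python
import ipaddress
import re

PVC_IDS = range(1, 2049)   # pvcid: "Valid range: 1-2048"
DLCIS = range(1, 1023)     # dlcival: "in the range of 1-1022"

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
interface fr-pvc 3
layer frame-relay 1
dlci 105
ip address 192.168.90.1
peer ip address 192.168.90.2
no shutdown
interface fr-pvc 4
layer frame-relay 1
dlci 1023
ip address 192.168.91.1
serial-fr serial 10/1
no shutdown
interface fr-pvc 5
layer frame-relay 1
dlci 107
ip address 192.168.92.1
no ip address
serial-fr serial 10/2 padding
no shutdown
"""


def _valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def lint_pvc_config(text):
    """Return (line_number, message) findings for the fr-pvc stanzas in text."""
    findings = []
    pvc = None  # flags for the fr-pvc stanza currently being read
    for n, raw in enumerate(text.splitlines(), start=1):
        # Accept lines with or without a "Magnum 10RX(...)#" prompt.
        line = raw.split("#", 1)[-1].strip()
        if not line:
            continue
        m = re.fullmatch(r"interface fr-pvc (\d+)", line)
        if m:
            pvc = dict(layer=False, dlci=False, ip=False, peer=False, serial=False)
            if int(m.group(1)) not in PVC_IDS:
                findings.append((n, "pvcid is outside the valid range 1-2048"))
        elif line.startswith("interface "):
            pvc = None  # another interface type; not checked here
        elif pvc is None:
            continue
        elif line.startswith("layer "):
            pvc["layer"] = True
        elif (m := re.fullmatch(r"dlci (\d+)", line)):
            pvc["dlci"] = True  # a range error is reported once, on this line
            if int(m.group(1)) not in DLCIS:
                findings.append((n, "dlci is outside the valid range 1-1022"))
        elif (m := re.fullmatch(r"(peer )?ip address (\S+)", line)):
            if _valid_ip(m.group(2)):
                pvc["peer" if m.group(1) else "ip"] = True
            else:
                findings.append((n, "not a valid IP address"))
        elif (m := re.fullmatch(r"no (peer )?ip address", line)):
            pvc["peer" if m.group(1) else "ip"] = False
        elif re.fullmatch(r"serial-fr serial \S+( padding)?", line):
            if pvc["ip"] or pvc["peer"]:
                findings.append((n, "serial-fr serial will fail: issue no ip address "
                                    "and/or no peer ip address first"))
            else:
                pvc["serial"] = True
        elif line == "no serial-fr":
            pvc["serial"] = False
        elif line == "no shutdown":
            if not (pvc["layer"] and pvc["dlci"]):
                findings.append((n, "PVC enabled before layer and dlci were configured"))
            if not ((pvc["ip"] and pvc["peer"]) or pvc["serial"]):
                findings.append((n, "no shutdown will return an error: configure both "
                                    "IP addresses or serial-fr first"))
    return findings


if __name__ == "__main__":
    for number, message in lint_pvc_config(SAMPLE):
        print(f"line {number}: {message}")
```
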

21.1.5 Configuring Terminal Server Extension

A Frame Relay PVC can also be used to extend a typical serial terminal server connection to a remote serial port over a WAN. On one side of the network, a terminal server TCP connection is made and that connection is mapped to a Frame Relay PVC. On the other side of the network, that PVC is mapped directly to an async serial port. Data received on the local TCP connection is transmitted on the remote serial port and data received on the remote serial port is sent on the local TCP connection.

Note: This feature is called IP-FR/FR-IP on Dynastar products.

To enable this application, create a new serial-channel but instead of mapping the channel to a local serial port, use the fr-pvc command in Terminal Server Configuration mode to map the channel to a configured Frame Relay PVC.

The following example illustrates the creation of a new terminal server channel that listens on TCP port 10201 with its connections mapped to Frame Relay PVC 3:

Magnum 10RX(config)# serial-channel 1

Magnum 10RX(config-ts)# local-tcp 10201

Magnum 10RX(config-ts)# fr-pvc 3

Figure 21-5. Configuring Terminal Server Extension

For more on Terminal Server configuration see Chapter 23.

• For details on the use of the local-tcp command see Section 23.2.8.

• For details on the use of the fr-pvc command see Section 23.2.3.

21.1.6 Configuring End-to-End Keepalive on a PVC

Frame relay End-to-End Keepalive (EEK) is a mechanism for determining the health of a PVC on an end-to-end basis. In contrast to LMI, EEK does not require any special processing or knowledge from the Frame Relay network since in-band keep-alive messages (KAs) are exchanged between the two PVC end points.

An EEK end point sends periodic KA requests to the remote end of a PVC and the remote end point sends back KAs in reply. If a KA reply is received within a certain amount of time, it is considered a "success event." If a KA reply is not received within a certain period of time, it is considered an "error event." If the number of error events within a sliding event window exceeds the error threshold the PVC transitions to the down state. If the number of consecutive success events exceeds the success threshold the PVC transitions to the up state.

Alternatively, an EEK end point may operate in reply-only mode. In this mode the end point sends KA replies in response to KA requests but does not send KA requests of its own. Instead, the end point expects to receive periodic KA requests from the other side. Each KA request received is considered a "success event." If a KA request is not received within the expected time frame, an "error event" is recorded. If the number of error events within a sliding event window exceeds the error threshold, the PVC transitions to the down state. If the number of consecutive success events exceeds the success threshold, the PVC transitions to the up state.

To enable EEK and configure its parameters, use the eek mode command in Frame Relay PVC Configuration mode. The parameters described in this section are configurable per PVC. Other parameters are configurable per Frame Relay interface; these are described in subsequent sections.

Command syntax:

eek mode {bidirectional | request | reply | passive-reply}

Where:

bidirectional specifies that the device sends periodic KA requests and that it replies to KA requests that it receives. EEK events are based on received KA replies.

request specifies that the device sends periodic KA requests but does not reply to KA requests. EEK events are based on received KA replies.

reply specifies that the device does not send periodic KA requests but does reply to KA requests. EEK events are based on received KA requests.

passive-reply specifies that the device does not send periodic KA requests but does reply to KA requests. In this mode, the local state of the PVC is not determined by EEK.

Example:

Magnum 10RX(config-fr-pvc)# eek mode request

Default value: By default EEK is not enabled.

The no eek mode command disables EEK.

21.1.6.1 Configuring the EEK Poll Timer on a Frame Relay Interface

Use the eek poll-timer command in Frame Relay Interface Configuration mode to configure the number of seconds between KA request transmissions. If a KA reply is not received before the expiration of the polling interval an error event is declared.

Command syntax:

eek poll-timer interval

Where:

interval is a numerical value in the range 1-255 specifying the number of seconds to elapse between keepalive requests.

Example:

Magnum 10RX(config-fr)# eek poll-timer 30

Default value: 10

Valid range: 1-255

The no eek poll-timer command restores the default.

21.1.6.2 Configuring the EEK Response Timer on a Frame Relay Interface

Use the eek response-timer command in Frame Relay Interface Configuration mode to configure the number of seconds to wait for a new KA request before declaring a new error event. This timer is only relevant when EEK is in bidirectional or reply mode.

Command syntax:

eek response-timer interval

Where:

interval is a numerical value in the range 1-255 specifying the number of seconds to elapse after a received keepalive request before declaring an error event.

Example:

Magnum 10RX(config-fr)# eek response-timer 45

Default value: 15

Valid range: 1-255

The no eek response-timer command restores the default.

21.1.6.3 Configuring the EEK Event Window on a Frame Relay Interface

Use the eek event-window command in Frame Relay Interface Configuration mode to configure the number of recent events to track.

Command syntax:

eek event-window windowval

Where:

windowval is a numerical value in the range 1-32 specifying the number of recent events to check for errors.

Example:

Magnum 10RX(config-fr)# eek event-window 5

Default value: 3

Valid range: 1-32

The no eek event-window command restores the default.

21.1.6.4 Configuring the EEK Error Threshold on a Frame Relay Interface

Use the eek error-threshold command in Frame Relay Interface Configuration mode to configure the number of error events that must be in the event window before declaring the PVC to be down.

Command syntax:

eek error-threshold interval

Where:

interval is a numerical value in the range 1-32 specifying the number of errors needed to change the keepalive state from up to down.

Example:

Magnum 10RX(config-fr)# eek error-threshold 5

Default value: 2

Valid range: 1-32

The no eek error-threshold command restores the default.

21.1.6.5 Configuring the EEK Success Events on a Frame Relay Interface

Use the eek success-events command in Frame Relay Interface Configuration mode to configure the number of consecutive success events that must be generated before declaring the PVC to be up.

Command syntax:

eek success-events successes

Where:

successes is a numerical value in the range 1-32 specifying the number of consecutive success events required to change the keepalive state from down to up.

Example:

Magnum 10RX(config-fr)# eek success-events 10

Default value: 2

Valid range: 1-32

The no eek success-events command restores the default.
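
The following Python model is an added illustration of how the EEK parameters in Sections 21.1.6.1 to 21.1.6.5 interact; it is not INOS code. It assumes that a threshold is met when the count reaches it (the wording of Sections 21.1.6.4 and 21.1.6.5) and that event history is cleared on a state change. The names EekConfig, EekMonitor, run and seconds_to_detect_failure are hypothetical.

```python
from collections import deque
from dataclasses import dataclass

# Valid ranges from Sections 21.1.6.1 to 21.1.6.5.
RANGES = {
    "poll_timer": (1, 255),
    "response_timer": (1, 255),
    "event_window": (1, 32),
    "error_threshold": (1, 32),
    "success_events": (1, 32),
}


@dataclass
class EekConfig:
    # Field defaults are the documented default values.
    poll_timer: int = 10
    response_timer: int = 15
    event_window: int = 3
    error_threshold: int = 2
    success_events: int = 2

    def problems(self):
        """Return findings that would make this parameter set misbehave."""
        found = []
        for name, (low, high) in RANGES.items():
            value = getattr(self, name)
            if not low <= value <= high:
                found.append(f"{name}={value} is outside the valid range {low}-{high}")
        # The window never holds more than event_window events, so a larger
        # threshold cannot be reached and a dead PVC would stay up in this model.
        if self.error_threshold > self.event_window:
            found.append("error_threshold is larger than event_window: "
                         "the PVC can never be declared down")
        return found


class EekMonitor:
    """Tracks success/error events for one PVC and derives its EEK state."""

    def __init__(self, config, initial_state="down"):
        self.config = config
        self.state = initial_state  # ASSUMPTION: the caller picks the starting state
        self.window = deque(maxlen=config.event_window)  # sliding event window
        self.consecutive_successes = 0

    def record(self, success):
        """Record one event (True = success, False = error); return the state."""
        self.window.append(success)
        self.consecutive_successes = self.consecutive_successes + 1 if success else 0
        errors = sum(1 for ok in self.window if not ok)
        previous = self.state
        # ASSUMPTION: a threshold is met when the count reaches it.
        if self.state == "up" and errors >= self.config.error_threshold:
            self.state = "down"
        elif (self.state == "down"
              and self.consecutive_successes >= self.config.success_events):
            self.state = "up"
        if self.state != previous:
            # ASSUMPTION: history is discarded on a transition so that old
            # errors cannot immediately take a recovered PVC down again.
            self.window.clear()
        return self.state


def run(config, events, initial_state="down"):
    """Feed a sequence of events to a fresh monitor; return the state after each."""
    monitor = EekMonitor(config, initial_state)
    return [monitor.record(ok) for ok in events]


def seconds_to_detect_failure(config):
    """Approximate time for an up PVC to go down once every KA reply is lost.

    Applies to request and bidirectional modes, where one error event is
    declared per expired poll interval. Returns None if the PVC never goes down.
    """
    monitor = EekMonitor(config, initial_state="up")
    for polls in range(1, config.event_window + 1):
        if monitor.record(False) == "down":
            return polls * config.poll_timer
    return None


if __name__ == "__main__":
    defaults = EekConfig()
    print("default detection time (s):", seconds_to_detect_failure(defaults))
    # Constructed event pattern: every second keepalive is lost.
    lossy = [True, False, True, False, True, False, True]
    print("50% loss, starting up:", run(defaults, lossy, initial_state="up"))
    print("threshold 5 with default window:", EekConfig(error_threshold=5).problems())
```

With the default values, a PVC that loses every second keepalive goes down and stays down in this model, because two consecutive successes never occur.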

21.1.7 Configuring Frame Relay Queuing

Each Frame Relay interface supports 4 configurable queues that can implement different combinations of strict priority and weighted fair queuing. The actual number of queues is 6 but the lowest priority of these, queue 0, has a fixed value of 1 and the highest priority of these, queue 5, has a fixed value of 10. Queues 0 and 5 are not user-configurable. The configurable queues are numbered 1 to 4 with level 4 being the highest priority queue and level 1 being the lowest priority queue.

A weight of 10 sets the priority queue to strict, meaning that all frames at that priority are transmitted before moving on to a lower priority queue. The weight can only be set to 10 if all higher priority queues are also set to 10. Otherwise, the configured value is a "weighting factor" relative to the next lower level queue. The default weight is 2.

Packets waiting in a strict priority queue are always transmitted before any packets in a lower level queue. You will typically assign your SCADA or other real time traffic (for example, VoIP, console access) to a strict priority queue.

Packets waiting in a weighted fair queue are transmitted in a weighted round robin fashion based on the relative ‘weighting factors’ of the weighted fair queues. For example, if you assume uniform traffic streams for each priority using the default weights (2), 2 priority-4 packets will be sent for every 1 priority-3 packet, 2 priority-3 packets will be sent for every 1 priority-2 packet, and so on. You will typically assign your non-real time traffic (for example, web traffic or bulk data transfer like FTP) a low priority.

Use the frame-relay priority command in Global Configuration mode to configure the relative weighting of the priority queues for all Frame Relay interfaces.

Command syntax:

frame-relay priority qnum weight weightval

Where:

qnum is a numerical value in the range 1-4 specifying the priority queue for which a map is being set up or (with the no command) removed.

weightval is a numerical value in the range 1-10 specifying the weighting for the priority queue specified with qnum.

Example:

Magnum 10RX(config)# frame-relay priority 3 weight 4

Default value (weight): 2

Valid range:

priority — 1-4

weight — 1-10

The no frame-relay priority {qnum} command with qnum specified restores the default value for the specified queue. If no qnum is specified the command restores the default value for all 4 queues.
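
The following Python sketch is an added illustration of the weighting rules in this section, not INOS code. It checks the rule that a queue may be strict only if every higher-priority queue is strict, and computes each weighted queue's share of transmitted packets when all weighted queues are saturated with uniform traffic and the strict queues are idle. It assumes that queue 0's fixed value of 1 is the base unit and that each weight multiplies the rate of the next lower queue; the function names are hypothetical.

```python
from fractions import Fraction

STRICT = 10             # a weight of 10 makes a queue strict priority
DEFAULT_WEIGHT = 2      # documented default for queues 1-4
FIXED = {0: 1, 5: 10}   # queues 0 and 5 are not user-configurable
CONFIGURABLE = (1, 2, 3, 4)


def effective_weights(configured):
    """Merge configured weights for queues 1-4 with defaults and fixed queues.

    configured maps qnum -> weightval, as in "frame-relay priority qnum weight
    weightval". Raises ValueError for values outside the documented ranges or
    for a strict queue that sits below a non-strict higher-priority queue.
    """
    for qnum, weight in configured.items():
        if qnum not in CONFIGURABLE:
            raise ValueError(f"queue {qnum} is not configurable (valid range 1-4)")
        if not 1 <= weight <= 10:
            raise ValueError(f"weight {weight} is outside the valid range 1-10")
    weights = dict(FIXED)
    for qnum in CONFIGURABLE:
        weights[qnum] = configured.get(qnum, DEFAULT_WEIGHT)
    for qnum in CONFIGURABLE:
        higher = range(qnum + 1, 6)
        if weights[qnum] == STRICT and any(weights[h] != STRICT for h in higher):
            raise ValueError(
                f"queue {qnum} cannot be strict while a higher-priority queue is weighted")
    return weights


def saturated_shares(configured):
    """Return {qnum: share of packets} for the weighted (non-strict) queues.

    ASSUMPTION: every weighted queue always has a packet waiting, packets are
    of uniform size, and no strict queue has traffic.
    """
    weights = effective_weights(configured)
    ratio = {}
    running = Fraction(1)  # queue 0 is the base unit
    for qnum in range(0, 6):
        if weights[qnum] == STRICT:
            break  # this queue and every queue above it are strict
        if qnum > 0:
            running *= weights[qnum]  # weight is relative to the next lower queue
        ratio[qnum] = running
    total = sum(ratio.values())
    return {qnum: share / total for qnum, share in ratio.items()}


if __name__ == "__main__":
    for label, cfg in (("defaults", {}),
                       ("priority 3 weight 4", {3: 4}),
                       ("priority 4 strict", {4: 10})):
        shares = saturated_shares(cfg)
        print(label, {q: f"{float(s):.1%}" for q, s in shares.items()})
```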

21.1.8 Assigning Priorities to Frame Relay Packets

Packets can be prioritized based on their PVC or, if they are RFC-1490 encapsulated IP packets, based on their DiffServ Code Point (DSCP).

21.1.8.1 Configuring Default Priority for a PVC

Use the priority command in Frame Relay PVC Configuration mode to configure the default priority for this PVC.

Command syntax:

priority priorval

Where:

priorval is a numerical value in the range 0-5 specifying the default priority of this PVC.

Example:

Magnum 10RX(config-fr-pvc)# priority 3

Default value: 0

Valid range: 0-5

21.1.8.2 Mapping DSCP Values to Queue Priorities

For RFC-1490 encapsulated IP packets use the qos frame-relay output dscp-map command in Global Configuration mode to map DSCP values to queue priority levels for all Frame Relay interfaces. (For more on QoS see Chapter 24.)

Command syntax:

qos frame-relay output dscp-map dscp priorval

Where:

dscp specifies the DSCP to which the value specified by priorval is being mapped.

priorval is a numerical value in the range 0-5 specifying the priority for this map.

Example:

Magnum 10RX(config)# qos frame-relay output dscp-map 4 46

This command maps the expedited forwarding (EF) DSCP of 46 to priority level 4.

Default value:

The default priority value is the value specified with the priority command in Frame Relay PVC mode for an individual PVC.

Valid ranges:

priority — 0-5

dscp — 0-63 or 0x00-0x3F

The no qos frame-relay output [dscp] form with dscp specified restores the default value for the specified DSCP. If dscp is not specified the command restores the default value for all DSCPs.

21.1.8.3 Configuring Fragmentation on a Frame Relay Interface

Fragmenting large packets helps improve the latency of real time packets over slow WAN links.

Suppose that you are running two Frame Relay PVCs over a single 64 Kbps T1 channel. The first PVC is transmitting low-priority IP packets and the second PVC is transmitting high-priority SCADA packets. A typical large IP packet coming from an Ethernet LAN will be about 1500 bytes. If the interface begins to transmit that large IP packet just slightly after receiving a high-priority SCADA packet, the entire transmission must complete before the SCADA packet can be transmitted. At 64 Kbps it will take roughly 190 msecs to transmit the large IP packet. If a worst-case latency of 190 msecs is not acceptable for the SCADA packet, fragmentation can be used to break the large IP packets up into smaller chunks so that the high-priority SCADA packet can be interleaved, effectively capping the worst-case latency for the SCADA packet. For example, if the low-priority traffic is fragmented into 64 byte chunks, the worst-case latency will drop to about 8 msecs.

Use the frag-size command in Frame Relay Interface Configuration mode to enable fragmentation for any RFC 1490 PVCs on that interface and to set the maximum fragment size.

Command syntax:

frag-size fragval

Where:

fragval is a numerical value in the range 1-1500 specifying the maximum number of bytes in a fragment.

Example:

Magnum 10RX(config-fr)# frag-size 64

Default value: fragmentation disabled

Valid range: 1-1500 bytes

The no frag-size command restores the default.

21.1.8.4 Configuring Committed Information Rate on a PVC

The Committed Information Rate (CIR) is the minimum data throughput that your service provider guarantees to support over a particular PVC. At the edge of the Frame Relay network it is the responsibility of the customer's router to shape PVC traffic such that it does not exceed this rate. Thus, configuring the CIR enforces a throughput rate limit on packets transmitted over a PVC. The CIR can also be used to limit the throughput of traffic in a high priority queue so that the high priority traffic will never completely starve lower priority traffic on the Frame Relay interface. Typically you will design your network and network applications so that you leave some bandwidth available to lower priority traffic. However, setting the CIR is a safeguard against a misbehaving high priority source monopolizing your WAN link bandwidth.

Use the cir command in Frame Relay PVC Interface Configuration mode to set the CIR for a PVC.

Command syntax:

cir cirval

Where:

cirval is a numerical value in the range 1-2048 specifying the maximum Kbps for this PVC.

Example:

Magnum 10RX(config-fr-pvc)# cir 100

Default value: the bit rate of the Frame Relay interface

Valid range: 1-2048 bytes

The no cir command restores the default.

21.1.9 Displaying Frame Relay Information

The CLI commands described below enable you to display information about Frame Relay configuration and performance. These commands are executed in Exec Commands mode at the Magnum 10RX# prompt.

21.1.9.1 show interface frame-relay

Use the show interface frame-relay command to display Frame Relay global configuration details.

Example:

Magnum 10RX# show interface frame-relay 33

21.1.9.2 show interface fr-pvc

Use the show interface fr-pvc command to display Frame Relay global configuration details.

Example:

Magnum 10RX# show interface fr-pvc 10

21.1.9.3 show frame-relay priority

Use the show frame-relay priority command to display the configured priority weighting of the Frame Relay interface queues.

Example:

Magnum 10RX# show frame-relay priority

21.1.9.4 show qos frame-relay output dscp-map

Use the show qos frame-relay output dscp-map command to display the configured DSCP-to-priority queue mappings.

Example:

Magnum 10RX# show qos frame-relay output dscp-map

21.1.10 Clearing Frame Relay Counters

Use the clear counters frame-relay command in Exec Commands mode with Frame Relay-specific arguments to clear Frame Relay counters.

Command syntax:

clear counters frame-relay frid [lmi]

Where:

frid is a numerical value in the range 1-192 specifying a configured Frame Relay interface.

lmi is an optional key word specifying that LMI counters are to be cleared.

Example:

Magnum 10RX# clear counters frame-relay 25 lmi

Valid range: 1-192

21.1.11 Clearing FR-PVC Counters

Use the clear counters fr-pvc command in Exec Commands mode with FR-PVC-specific arguments to clear FR-PVC counters.

Command syntax:

clear counters fr-pvc pvcid [eek]

Where:

pvcid is a numerical value in the range 1-2048 specifying a configured PVC.

eek is an optional key word specifying that EEK counters are to be cleared.

Example:

Magnum 10RX# clear counters fr-pvc 888 eek

Valid range: 1-2048

21.2 Configuring Frame Relay in the GUI

The following sections describe the screens to use to configure Frame Relay functionality in the GUI.

21.2.1 Configuring the Frame Relay Interface

In the GUI go to the WAN Management: Frame Relay: Frame Relay Interface Configuration tab to configure Frame Relay interfaces, as illustrated in Figure 21-6.

Figure 21-6. Frame Relay Interface Configuration Screen

In the Frame Relay Interface Configuration screen use the upper dialog box to specify an interface. Click Create to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured interfaces.

Table 21-1. Frame Relay Interface Configuration Fields

| Parameter | Description | See Also |
|---|---|---|
| Select | You must click a selection button before modifying a configuration. | |
| FR Interface Name | A numerical value in the range 1-192 specifying a Frame Relay interface ID. This value will be appended to “frame-relay” to form an identifying label. | Section 21.1.0.1 |
| Oper Status | A green or red symbol to indicate the physical status of the connection. | |
| Admin State | Up or Down to indicate the administrative status of the connection. | |
| Lower Layer Interface | Specifies the T1/E1 port that lies under this FR interface. | Section 21.1.0.2 |
| Channel Number | Optionally specify a channel number designator corresponding to the channelized T1/E1 interface. | Section 21.1.0.2 |
| Link Up/Down Trap | Enable or disable notification of link status. | |
| LMI Type | Specifies the Local Management Interface (LMI) type. If specified, options are: lmi — Cisco (aka, Gang of Four) LMI type; ccitt — ITU-T Q.933 Annex A LMI type; ansi — Annex D LMI type defined by ANSI standard T1.617. | Section 21.1.1.1 |
| LMI Mode | Specify whether the interface should implement the user part or the network part of the LMI protocol. When connecting to a service provider network you should choose User mode. When connecting two 10RX routers together directly choose User mode on one side and Network mode on the other side. | Section 21.1.1.2 |
| Fragmentation Status | Enable or disable fragmentation on the interface. | Section 21.1.8.3 |
| Fragmentation Size | Specify fragment size in a range of 1-1500 bytes. | Section 21.1.8.3 |

21.2.2 Configuring Frame Relay End-to-End Keepalive

In the GUI go to the WAN Management: Frame Relay: FR End-to-End Keepalive tab to configure an End-to-End Keepalive (EEK) end point, as illustrated in Figure 21-7.

Figure 21-7. Frame Relay End-to-End Keepalive Screen

In the Frame Relay End-to-End Keepalive screen configure the EEK values for a previously configured Frame Relay interface.

For more on End-to-End Keepalive functionality see Section 21.1.6.

Table 21-2. Frame Relay End-to-End Keepalive Fields

| Parameter | Description | See Also |
|---|---|---|
| Select | You must click a selection button before modifying a configuration. | |
| FR Interface Name | The identifier for the selected Frame Relay interface. | |
| Poll Timer | Specify the number of seconds between keep alive poll transmissions. Default value: 10 seconds. Valid range: 1-255. | Section 21.1.6.1 |
| Response Timer | Specify the number of seconds to wait for a new KA request before declaring a new error event. Default value: 15. Valid range: 1-255. | Section 21.1.6.2 |
| Event Window | Specify the number of recent events to track. Default value: 3. Valid range: 1-32. | Section 21.1.6.3 |
| Error Threshold | Specify the number of error events that must be in the event window before declaring the PVC to be down. Default value: 2. Valid range: 1-32. | Section 21.1.6.4 |
| Success Events | Specify the number of consecutive success events that must be generated before declaring the PVC to be up. Default value: 2. Valid range: 1-32. | Section 21.1.6.5 |

21.2.3 Configuring Frame Relay PVCs

In the GUI go to the WAN Management: Frame Relay: FR PVCs tab to configure Permanent Virtual Circuits (PVCs), as illustrated in Figure 21-8.

Figure 21-8. Frame Relay PVCs Screen

In the Frame Relay PVCs screen use the upper dialog box to configure the PVC. Click Create to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured PVCs.

For more on Frame Relay PVCs see Section 21.1.2.

Table 21-3. Frame Relay PVCs Fields

| Parameter | Description | See Also |
|---|---|---|
| Select | You must click a selection button before modifying a configuration. | |
| FR PVC Name | A numerical value in the range 1-2048 specifying a Frame Relay PVC name. This value will be appended to “FR PVC Name” to form an identifying label. | Section 21.1.2.1 |
| DLCI | Specify a Data Link Connection Identifier (DLCI) for this PVC. Valid range: 1-1022. | Section 21.1.2.3 |
| Oper Status | A green or red symbol to indicate the physical status of the connection. | |
| Admin State | Up or Down to indicate the administrative status of the connection. | |
| FR Interface Name | The identifier for the selected Frame Relay interface. | |
| EEK Mode | Specify the End-to-End Keepalive mode. Options are: bidirectional — specifies that the device sends periodic KA requests and that it replies to KA requests that it receives. EEK events are based on received KA replies; request — specifies that the device sends periodic KA requests but does not reply to KA requests. EEK events are based on received KA replies; reply — specifies that the device does not send periodic KA requests but does reply to KA requests. EEK events are based on received KA requests; passive-reply — specifies that the device does not send periodic KA requests but does reply to KA requests. In this mode, the local state of the PVC is not determined by EEK. | Section 21.1.6 |
| EEK State | The state of the EEK exchange on this FR-PVC. Possible states are: dn-snd — The Send side of EEK is down; dn-rcv — The receive side of EEK is down; dn-s/r — The send and receive sides of EEK are down; up — EEK is up; disabled — EEK is disabled. | |

21.2.4 Configuring Frame Relay Encapsulation

In the GUI go to the WAN Management: Frame Relay: FR Encapsulation tab to configure Frame Relay encapsulation, as illustrated in Figure 21-9.

Figure 21-9. Frame Relay Encapsulation Screen

In the Frame Relay Encapsulation screen, enable Frame Relay encapsulation of IP packets between two points on a previously configured PVC. Click Apply to make your configuration effective.

For more on Frame Relay encapsulation see Section 21.1.3.

Table 21-4. Frame Relay Encapsulation Fields

| Parameter | Description | See Also |
|---|---|---|
| Select | You must click a selection button before modifying a configuration. | |
| FR PVC Name | The identifier for the selected PVC. | XREF |
| Serial-Over-FR Port | If asynchronous serial data is being encapsulated, the identifier of the serial port. | Section 21.1.4 |
| Serial-Over-FR Padding | If encapsulation of asynchronous serial data is being configured you can optionally specify that a 3-byte offset (“padding”) is created within each packet between the frame relay header and the payload. This is for compatibility with Dynastar router products. | Section 21.1.4 |
| Local IP Address | If IP encapsulation is being configured, a valid IP address for the current device. | Section 21.1.3.1 |
| Remote IP Address | If IP encapsulation is being configured, a valid IP address for the peer device. | Section 21.1.3.2 |
| IP MTU | Specify a Maximum Transmission Unit size for this connection. Default Value: 1500. Valid Range: 68-1500. | |

Chapter 22 - Serial Interface

INOS supports dual-port and quad-port async serial cards in slots 3 through 10, for a maximum of 8 cards and 32 async serial interfaces per system. You can configure the physical layer parameters for each async serial interface individually or in groups via serial profiles. You can retrieve status and statistics for each configured serial port.

The administrative status (adminStatus) of a serial interface is independent of any layers above it, for example, PPP or terminal server; thus, when the adminStatus of a serial interface is set to UP, the physical port parameters must be programmed into the hardware and the port must be enabled to begin communications, including turning on appropriate data set signals. Conversely, when the adminStatus of a serial interface is set to DOWN, the port must be disabled from communications, including turning off appropriate data set signals.

The association of a serial port and its profile may not be changed unless the adminStatus is first set to DOWN. However, an associated serial profile may be modified independent of the adminStatus value. If the serial profile is changed and the adminStatus is UP, then the serial profile set function sets the adminStatus to DOWN and then back to UP, effectively resetting the port parameters. Note that this reset may cause higher layer protocols to go down or to cause other interruptions.

22.1 Configuring Serial Profiles in the CLI

A serial profile is a named set of configuration specifications that can be associated with a serial interface. When a profile is associated with 1 or more serial interfaces it may NOT be deleted. If an attempt is made to delete an associated serial profile an error message is displayed.

The following sections explain the CLI commands used to configure a serial profile.

22.1.1 Specifying a Serial Profile

Use the serial-profile command in Global Configuration mode to specify a new or existing serial profile and to enter Serial Profile Configuration mode, signaled by the Magnum 10RX(config-sp)# prompt.

Command syntax:

serial-profile profname

Where:

profname is a string of up to 32 printable characters

Example:

Magnum 10RX(config)# serial-profile nannerl

This command specifies the serial profile nannerl, creating it if it does not already exist. Subsequent commands in the Serial Profile Configuration session will modify this profile.

Valid range: up to 32 printable characters

The no serial-profile profname command deletes the serial profile specified by profname.

Use the show serial-profile profname command to view configured values.

22.1.2 Configure a Profile’s Interface Standard

Use the if-standard command in Serial Profile Configuration mode to specify the physical interface standard for a serial profile.

Command syntax:

if-standard {rs232 | rs485-2wire | rs485-4wire}

Where:

rs232 RTS always asserted

rs485-2wire half-duplex operation

rs485-4wire full-duplex operation

Example:

Magnum 10RX(config-sp)# if-standard rs485-2wire

This command specifies that the physical interface standard used by this serial profile will be half-duplex (RTS asserted only when transmitting).

Default value: rs232

The no if-standard command specifies the default value.

Use the show serial-profile profname command to view configured values.

22.1.3 Configure a Profile’s Speed

Use the speed command in Serial Profile Configuration mode to specify the speed for a serial profile.

Command syntax:

speed bps

Where:

bps specifies a baud rate. Legal values are 300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200, 230400

Example:

Magnum 10RX(config-sp)# speed 38400

Default value: 9600

The no speed command specifies the default value.

Use the show serial-profile profname command to view configured values.

22.1.4 Configure a Profile’s Databits

Use the databits command in Serial Profile Configuration mode to specify the total number of bits in a character to be used by this profile.

Command syntax:

databits {7 | 8}

Example:

Magnum 10RX(config-sp)# databits 7

Default value: 8

The no databits command specifies the default value.

Use the show serial-profile profname command to view configured values.

22.1.5 Configure a Profile’s Stopbits

Use the stopbits command in Serial Profile Configuration mode to specify the duration of the MARK condition on the line after character transmission is complete.

Command syntax:

stopbits {1 | 1.5 | 2}

Example:

Magnum 10RX(config-sp)# stopbits 2

Default value: 1

The no stopbits command specifies the default value.

Use the show serial-profile profname command to view configured values.

22.1.6 Configure a Profile’s Parity

Use the parity command in Serial Profile Configuration mode to specify the parity value for this profile. Setting the parity bit enables error detection.

Command syntax:

parity {odd | even}

Example:

Magnum 10RX(config-sp)# parity even

Default value: none

The no parity command specifies the default value.

Use the show serial-profile profname command to view configured values.

22.1.7 Configure a Profile to Ignore DSS

Use the ignore-dss command in Serial Profile Configuration mode to enable ignoring data set signals for a serial profile. When enabled, the operStatus of the port is UP if the adminStatus is UP. When disabled, the operStatus of the port is UP if the DSR or DCD handshake signal is on and the adminStatus is UP.

Command syntax:

ignore-dss

Example:

Magnum 10RX(config-sp)# ignore-dss

Default value: disabled

The no ignore-dss command specifies the default value.

Use the show serial-profile profname command to view configured values.

22.1.8 Configure a Profile’s Flow Control

Use the flow-ctl command in Serial Profile Configuration mode to specify the type of flow control for this profile.

Command syntax:

flow-ctl {xonxoff | rtscts}

Where:

xonxoff specifies software flow control. Unit will stop transmitting if an XOFF (19) character (CTL-S) is detected in the received stream and will start when an XON (17) character (CTL-Q) is detected.

rtscts specifies hardware flow control. Unit will stop transmitting if CTS is de-asserted.

Example:

Magnum 10RX(config-sp)# flow-ctl xonxoff

Default value: disabled

The no flow-ctl command specifies the default value.

Use the show serial-profile profname command to view configured values.

22.1.9 Configure a Profile’s Packetization Character

Use the pkt-char command in Serial Profile Configuration mode to specify the end-of-packet character for a serial profile. This parameter defines a special character in the data stream that forces an end-of-packet event.

Command syntax:

pkt-char pkchval

Where:

pkchval is a numerical value specifying the end-of-packet character. This value may be expressed in decimal or in hex.

Example:

Magnum 10RX(config-sp)# pkt-char 88

Default value: disabled

Valid range: 0-255

The no pkt-char command disables end-of-packet character matching.

Use the show serial-profile profname command to view configured values.

22.1.10 Configure a Profile’s Packet Timeout Value

Use the pkt-time command in Serial Profile Configuration mode to specify the packet timeout for a serial profile. This parameter defines a timeout value in milliseconds. If an additional character is not received before the timer expires an end-of-packet event occurs.

Command syntax:

pkt-time pktoval

Where:

pktoval is a numerical value specifying in milliseconds the interval of inactivity after which the end-of-packet timer will trigger an event

Example:

Magnum 10RX(config-sp)# pkt-time 500

Default value: 200

Valid range: 1-1000 msec

The no pkt-char command disables end-of-packet event timer.

Use the show serial-profile profname command to view configured values.

22.1.11 Configure a Profile’s Maximum Packet Size

Use the max-pkt-size command in Serial Profile Configuration mode to specify the maximum packet size for a serial profile. When the number of received characters reaches this maximum an end-of-packet event occurs.

Command syntax:

max-pkt-size pktsize

Where:

pktsize is a numerical value specifying the maximum number of serial characters in a packet for this profile

Example:

Magnum 10RX(config-sp)# max-pkt-size 800

Default value: 1024

Valid range: 32-1024 msec

The no max-pkt-size command specifies the default value.

Use the show serial-profile profname command to view configured values.
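
The three end-of-packet triggers from Sections 22.1.9 to 22.1.11, modelled on a constructed byte stream to show which one closes each packet. This is an added example, not INOS code: SerialProfile, packetize and demo are hypothetical names, and it assumes that the end-of-packet character is the last byte of the packet it closes and that a gap equal to the timeout counts as expiry.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class SerialProfile:
    """Packetization settings of a serial profile (hypothetical model)."""
    pkt_char: Optional[int] = None  # pkt-char: disabled by default, valid 0-255
    pkt_time_ms: int = 200          # pkt-time: default 200, valid 1-1000
    max_pkt_size: int = 1024        # max-pkt-size: default 1024, valid 32-1024

    def __post_init__(self) -> None:
        if self.pkt_char is not None and not 0 <= self.pkt_char <= 255:
            raise ValueError("pkt-char must be in 0-255")
        if not 1 <= self.pkt_time_ms <= 1000:
            raise ValueError("pkt-time must be in 1-1000")
        if not 32 <= self.max_pkt_size <= 1024:
            raise ValueError("max-pkt-size must be in 32-1024")


def packetize(profile: SerialProfile,
              rx: Iterable[Tuple[int, int]]) -> List[Tuple[str, bytes]]:
    """Split (arrival_ms, byte) pairs into packets, recording which trigger fired."""
    packets: List[Tuple[str, bytes]] = []
    buf = bytearray()
    last_ms = 0
    for t_ms, byte in rx:
        # Inactivity timer: no further character arrived before it expired.
        # Assumption: a gap exactly equal to pkt-time counts as expiry.
        if buf and t_ms - last_ms >= profile.pkt_time_ms:
            packets.append(("pkt-time", bytes(buf)))
            buf.clear()
        buf.append(byte)
        last_ms = t_ms
        # Assumption: the end-of-packet character closes the packet it is in.
        if profile.pkt_char is not None and byte == profile.pkt_char:
            packets.append(("pkt-char", bytes(buf)))
            buf.clear()
        elif len(buf) >= profile.max_pkt_size:
            packets.append(("max-pkt-size", bytes(buf)))
            buf.clear()
    if buf:  # the line goes idle after the last character, so the timer fires
        packets.append(("pkt-time", bytes(buf)))
    return packets


def demo() -> List[Tuple[str, bytes]]:
    """Run a constructed stream through a profile that uses all three triggers."""
    profile = SerialProfile(pkt_char=88, pkt_time_ms=500, max_pkt_size=32)
    rx = [(0, 0x41), (1, 0x41), (2, 88)]         # "AA" then the pkt-char (88)
    rx += [(10, 0x42), (11, 0x42)]               # "BB", then 600 ms of silence
    rx += [(611 + i, 0x43) for i in range(40)]   # 40 x "C" with no pkt-char
    return packetize(profile, rx)


if __name__ == "__main__":
    for reason, payload in demo():
        print(f"{reason:12} {len(payload):3} bytes  {payload[:8]!r}")
```

A pkt-time shorter than the longest gap inside a device's frame splits that frame across two packets, so the value should be chosen against the attached protocol's timing.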

22.2 Configuring Serial Interfaces in the CLI

A serial profile is put into use by being associated with an asynchronous serial interface. For the related shutdown and no shutdown commands see Section 20.1.15.

22.2.1 Specify a Serial Interface

Use the interface serial command in Global Configuration mode to specify a serial interface to be configured and to enter the Serial Interface Configuration mode, signaled by the Magnum 10RX(config-serial)# prompt.

Command syntax:

interface serial slot/port

Where:

slot/port are valid slot and port designations on this device

Example:

Magnum 10RX(config)# interface serial 4/1

Magnum 10RX(config-serial)#

Subsequent commands in this configuration mode will modify the interface specified by slot/port in this command.

22.2.2 Associate a Profile and a Serial Interface

Use the use serial-profile command in Serial Interface Configuration mode to set the serial profile to use for an asynchronous serial interface. The same profile can be associated with multiple serial interfaces.

Command syntax:

use serial-profile profname

Where:

profname is the name of a configured serial profile

Example:

Magnum 10RX(config-serial)# use serial-profile nannerl

This command specifies that the serial interface being configured will use serial profile nannerl.

22.3 Serial Interface Show Commands

Use the following commands in the Exec Commands mode to display information about serial interfaces and profiles.

22.3.1 Display Serial Profile Information

Use the show serial-profile command to display the serial profile configuration. If no configured profile is specified all serial profiles are displayed.

Command syntax:

show serial-profile [profname]

Where:

profname is the name of a configured serial profile

Example:

Magnum 10RX# show serial-profile nannerl

22.3.2 Display Serial Interface Information

Use the show interface serial command to display the current interface configuration and status information. If the show interface command is executed by itself the system displays information for every interface in the system. Specify a serial interface to show information on that interface alone.

show interface serial [slot/port]

Where:

slot/port are valid slot and port designations on this device.

Example:

Magnum 10RX# show interface serial 8/1

22.4 Configuring Serial Profiles in the GUI

A serial profile is a named set of configuration specifications that can be associated with a serial interface. When a profile is associated with 1 or more serial interfaces it may NOT be deleted. If an attempt is made to delete an associated serial profile an error message is displayed.

The following sections explain the GUI screens used to configure a serial profile.

22.4.1 Configuring a Serial Profile

In the GUI go to the Serial Management: Port Manager: Serial Profile Settings tab to assign an IP address to an interface, as illustrated in Figure 22-1.

Figure 22-1. Serial Profile Settings Screen

In the Serial Profile Settings screen use the upper dialog box to define a serial port’s profile. Click the Create button to save the profile and display it in the lower dialog box. Use the lower dialog box to edit or delete configured profiles.

Table 22-1. Serial Profile Settings Fields

Parameter Description See Also

Select You must click a selection button before modifying a configuration.

Serial Profile Name

Specify a string of up to 32 printable characters as a name for this profile.

Section 22.1.1

Interface Standard

Specify the physical interface standard for a serial profile. Options are:

• rs232 — RTS always asserted

• rs485-2wire — half-duplex operation

• rs485-4wire — full-duplex operation

Section 22.1.2

Speed Specify the speed for this serial profile.

Legal values are baud rates of 300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200, 230400

Section 22.1.3

Databits Specify the total number of bits (7 or 8) in a character to be used by this profile.

Section 22.1.4

Stopbits Specify the duration of the MARK condition (1 or 2) on the line after character transmission is complete.

Section 22.1.5

Parity Specify the parity value (odd or even) for this profile. Setting the parity bit enables error detection.

Section 22.1.6

Ignore-dss Enable or disable ignoring data set signals for a serial profile.

When enabled, the operStatus of the port is UP if the adminStatus is UP. When disabled, the operStatus of the port is UP if the DSR or DCD handshake signal is on and the adminStatus is UP.

Section 22.1.7

Flow Control Specify the type of flow control for this profile. Options are:

• xonxoff — specifies software flow control. Unit will stop transmitting if an XOFF (19) character (CTL-S) is detected in the received stream and will start when an XON (17) character (CTL-Q) is detected.

• rtscts — specifies hardware flow control. Unit will stop transmitting if CTS is de-asserted.

Section 22.1.8

Packet Character Status

Enable or disable use of a character to mark the end of a packet event.

Section 22.1.9

Packet Character Specify a numerical value as the character to be used to mark the end of a packet event.

Valid range: 0-255

Section 22.1.9

Packet Timeout Specify in milliseconds the interval of inactivity after which the end-of-packet timer will trigger an event.

Default value: 200

Valid range: 1-1000 msec

Section 22.1.10

Maximum Packet Size

Specify the maximum packet size for a serial profile. When the number of received characters reaches this maximum an end-of-packet event occurs.

Default value: 1024

Valid range: 32-1024 msec

Section 22.1.11

22.4.2 Associating Profiles and Ports

In the GUI go to the Serial Management: Port Manager: Serial Port Configuration tab to associate a configured profile with a serial interface, as illustrated in Figure 22-2.

Figure 22-2. Serial Port Configuration Screen

Use the Serial Port Configuration screen to assign a configured profile to a serial interface and to make the interface active. Click Apply to save your specifications and make them effective.

Table 22-2. Serial Port Configuration Fields

Parameter Description See Also

Select You must click a selection button before modifying a configuration.

Port Select from a list of available serial ports. Section 22.2.1

Link Status An indicator of the physical state (Up or Down) of this port.

Admin Status Set the administrative status of this port to Up or Down.

Link Up/Down Trap

Enable or disable notification of changes in link status.

Serial Profile Name

Specify a configured serial profile to be associated with this serial port.

Section 22.2.2

Chapter 23 Terminal Server

The terminal services application encapsulates serial data in the payload of a TCP segment, allowing users to access any serial device over a TCP/IP network. Terminal services behavior is easily understood in terms of channels, which are full-duplex serial streams that are associated with one or more TCP connections. Each channel may be assigned a diffserv priority. Channels may be outgoing or incoming depending on whether the application initiates the TCP connection or waits for remote clients to connect. Each serial port may be assigned up to 16 channels, only one of which may be incoming. An incoming channel may accept TCP connections from as many as 32 remote peers. This level of flexibility is required to support multi-site SCADA applications, for example. Figure 23-1 below depicts such a scenario.

Figure 23-1. Terminal Server SCADA Application

In this example the terminal services application on the device connected to the SCADA master has been configured to initiate a TCP connection to the device attached to each remote SCADA slave. Serial data from the master is transmitted over each TCP connection. For incoming channels the application is responsible for serializing access to the physical port; each response from the RTU is delivered to the requester only.

The status of each channel may be displayed; this information includes call direction, TCP connection state, the number of TCP connections, and the local and remote IP address and TCP port number.

23.1 Terminal Server Operation

Magnum-RX offers a terminal server function that transports serial characters over a TCP/IP network. A flexible set of connection options allows the user to configure each serial port for a different mode of operation. The terminal server functionality is organized into serial communication channels that may be added or deleted from the system. Each channel is associated with a particular serial port and operates either in passive or active mode.

23.1.1 Passive Mode Channels

When a terminal server channel operates in passive (server) mode, it waits for incoming TCP connection requests. When a request is received it is accepted if the following criteria are met:

• serial port operational state is UP

• maximum number of incoming connections will not be exceeded

After a connection request is accepted, the TCP connection becomes active and serial data may be transmitted and received on the channel.

A terminal server channel operates in passive mode if the “Call Direction” parameter is set to “IN."

The following configuration parameters also affect the operation of the port in passive mode:

• Local IP – the IP address at which the server listens for connections. If the system has only a single assigned IP address, this parameter defaults to the system IP address and cannot be changed. If the system has multiple assigned IP addresses, this parameter can be set to any of those addresses. In this case, the software will only accept connections destined for the configured IP address. The port will not be reachable using other IP addresses, even if they are assigned to the system.

• Local TCP – the TCP port at which the server listens for connections. The TCP port may be in the range 1000 to 65535. It is invalid to assign the same TCP port to multiple terminal server serial ports.

• Maximum Connections – the maximum number of incoming connections that will be accepted for the terminal server serial port. Up to 5 simultaneous incoming connections are supported per serial port.

23.1.2 Active Mode Channels

When a terminal server port operates in active (client) mode, it actively attempts to connect to a specified remote host whenever the serial port operational state is UP.

After an outgoing connection request is accepted by the remote host, the TCP connection becomes active and serial data may be transmitted and received on the channel.

A terminal server port operates in active mode if the “Call Direction” parameter is set to “OUT".

The following configuration parameters also affect the operation of the port in active mode:

• Local IP – the IP address to which the channel binds before making an outgoing connection. This is the address used in a transmitted packet's source address IP header field.

• Local TCP – the TCP port to which the channel binds before making an outgoing connection. The TCP port may be in the range 1000 to 65535. This is the port number used in a transmitted packet's source port TCP header field. It is invalid to assign the same TCP port to multiple terminal server channels. When a channel is configured in active mode, it is also valid to have no Local TCP port assigned (by issuing the no local-tcp command). This tells the system that it can select any unused port number as the local TCP port for this connection.

• Remote IP – the IP address to which the terminal server attempts to connect

• Remote TCP – the TCP port to which the terminal server attempts to connect

• Retry Time – when a connection attempt fails (for any reason), this is the minimum amount of time the terminal server will wait before re-trying the attempt.

23.1.3 Mixed Mode

You can configure a terminal server port to operate in a mixed mode in which it simultaneously acts as both a passive server and an active client. This is accomplished by adding an "IN" channel as well as at least one "OUT" channel that uses the port. In general, this mode should be used with care. If you configure both sides of a connection with a mixed mode you can produce redundant TCP connections.

23.1.4 Session Type

Each terminal server port can be configured as a raw TCP connection or as a Telnet connection. Generally, the session type should be specified as raw (the default) unless you plan on connecting to the port using a telnet application. This may be appropriate in certain cases where you are accessing a device console port using the terminal server.

23.2 Terminal Server Configuration in the CLI

You manage the Terminal Server application by creating and configuring terminal server channels. The CLI commands to accomplish these tasks are described in the following sections.

23.2.1 Specify a Terminal Server Channel

Use the serial-channel command in Global Configuration mode to specify a new or existing serial channel and to enter Terminal Server Configuration mode, signaled by the Magnum 10RX(config-ts)# prompt.

Command syntax:

serial-channel channame

Where:

channame is a string of up to 16 printable characters

Example:

Magnum 10RX(config)# serial-channel amadeus

This command specifies the serial channel amadeus, creating it if it does not already exist. Subsequent commands in the Terminal Server Configuration session will modify this channel.

Valid range: up to 16 printable characters

The no serial-channel channame command deletes the channel specified by channame and tears down any associated TCP connections.

Use the show serial-channel channame command to view configured values.

23.2.2 Configure a Port for a Channel

Use the serial-port command in Terminal Server Configuration mode to set the serial port for this terminal server channel. The same serial port may be associated with multiple channels, but it cannot be associated with more than one channel that is set to the "IN" direction.

Command syntax:

serial-port serial slot/port

Where:

slot/port are valid slot and port designations for a serial port on this device.

Example:

Magnum 10RX(config-ts)# serial-port serial 8/1

This command specifies the serial channel under configuration will use slot 8, port 1 on this device.

Default value: no port specified

The no serial-port command specifies the default.

Use the show serial-channel channame command to view configured values.

Note that specifying a serial port with the serial-port command will override a previous configuration of an fr-pvc connection on the port. See Section 23.2.3.

23.2.3 Mapping a Serial Channel to a PVC

A Frame Relay PVC can be used to extend a typical serial terminal server connection to a remote serial port over a WAN. This feature is explained in Section 21.1.5.

Use the fr-pvc command in Terminal Server Configuration mode to map the channel to a configured Frame Relay PVC.

Command syntax:

fr-pvc pvcid

Where:

pvcid is a numerical value in the range 1-2048 specifying a configured PVC.

Example:

Magnum 10RX(config-ts)# fr-pvc 25

Valid range: 1-2048

The no fr-pvc command deletes the configured mapping.

Note that specifying an fr-pvc connection with the fr-pvc command will override a previous configuration of a serial port. See Section 23.2.2.

23.2.4 Configure Channel Direction

Use the direction command in Terminal Server Configuration mode to set the direction parameter for a terminal server channel.

Command syntax:

direction {in | out}

Where:

in — The port acts like a passive TCP server, listening at the configured Local TCP port.

out — The port acts like an active TCP client and attempts to connect out to the server specified by the Remote IP and Remote TCP parameters.

Example:

Magnum 10RX(config-ts)# direction out

This command specifies the serial channel under configuration will be in active mode.

Default value: in

The no direction command specifies the default.

Use the show serial-channel channame command to view configured values.

23.2.5 Configure Channel Session Type

Use the session-type command in Terminal Server Configuration mode to set the session type (raw or telnet) for a terminal server channel.

Command syntax:

session-type {raw | telnet}

Where:

raw — provides a transparent pipe for serial data.

telnet — enables basic Telnet negotiation and control character processing (ECHO and BINARY modes supported).

Example:

Magnum 10RX(config-ts)# session-type telnet

This command specifies the serial channel under configuration will be in active mode.

Default value: raw

The no session-type command specifies the default.

Use the show serial-channel channame command to view configured values.

23.2.6 Configure Channel Priority

Use the priority command in Terminal Server Configuration mode to set the priority for a terminal server channel. Each IP packet generated on this port will be assigned a DiffServ Code Point (DSCP) based on the priority set by this parameter.

Command syntax:

priority dscp

Where:

dscp is a numerical value specifying a DiffServ Code Point. This value may be expressed in decimal or in hex.

Example:

Magnum 10RX(config-ts)# priority 0x2E

This command specifies the serial channel under configuration has an expedited forwarding priority.

Default value: 0

The no priority command specifies the default.

Use the show serial-channel channame command to view configured values.

23.2.7 Configure Channel Local IP Address

Use the local-address command in Terminal Server Configuration mode to set the local IP address for a terminal server channel. When the channel direction is set to "IN" and no local-address is specified the channel will accept incoming connections on any of its configured IP addresses. When the channel direction is set to "OUT" and no local-address is specified, when making the outgoing connection the channel will choose the best configured IP address to use automatically.

Command syntax:

local-address xxx.xxx.xxx.xxx

Where:

xxx.xxx.xxx.xxx is a valid local IP address. This is the IP address upon which the server listens for connections when the direction is set to "IN." If the direction is set to "OUT" this is the source IP address of the connection.

Example:

Magnum 10RX(config-ts)# local-address 192.168.1.2

Default value: no local address

The no local-address command specifies the default.

Use the show serial-channel channame command to view configured values.

23.2.8 Configure Channel Local TCP Port

Use the local-tcp command in Terminal Server Configuration mode to set the local TCP port for a terminal server channel. Channels configured with direction "IN" must have a local TCP port specified. Channels configured with direction "OUT" do not require this specification. If it is left unspecified a random port will be chosen by the system.

Command syntax:

local-tcp portnum

Where:

portnum is a numerical value specifying the TCP port number associated with the serial port upon which the server listens for connection requests on a TCP/IP network.

Example:

Magnum 10RX(config-ts)# local-tcp 1492

Valid Range: 1000-65535

Default value: no local TCP port

The no local-tcp command specifies the default.

Use the show serial-channel channame command to view configured values.

NOTE: No two rows in the table may have the same Local IP and Local TCP combination. These combined values must comprise a unique identifier.

23.2.9 Configure Channel Remote IP Address

Use the remote-address command in Terminal Server Configuration mode to set the remote IP address for a terminal server channel.

Command syntax:

remote-address xxx.xxx.xxx.xxx

Where:

xxx.xxx.xxx.xxx is a valid remote IP address. This is the IP address that the client attempts to connect to when the direction is set to "OUT." This parameter is ignored when the channel direction is set to "IN."

Example:

Magnum 10RX(config-ts)# remote-address 192.168.34.34

Default value: no remote-address

The no remote-address command specifies the default.

Use the show serial-channel channame command to view configured values.

23.2.10 Configure Channel Remote TCP Port

Use the remote-tcp command in Terminal Server Configuration mode to set the remote TCP port for a terminal server channel. This is the remote TCP port that the client attempts to connect to when the direction is set to "OUT." This parameter is ignored when the channel direction is set to "IN."

Command syntax:

remote-tcp portnum

Where:

portnum is the remote TCP port that the client attempts to connect to when the direction is set to "OUT."

Example:

Magnum 10RX(config-ts)# remote-tcp 1819

Valid Range: 1-65535

Default value: no remote TCP port

The no remote-tcp command specifies the default.

Use the show serial-channel channame command to view configured values.

23.2.11 Configure Channel Maximum Connections

Use the max-conn command in Terminal Server Configuration mode to set the maximum number of connections for a terminal server channel. This is the maximum number of incoming TCP connections to accept for this serial port. This parameter is ignored when the channel direction is set to "OUT."

Command syntax:

max-conn cnctnum

Where:

cnctnum is a numerical value specifying maximum number of incoming TCP connections.

Example:

Magnum 10RX(config-ts)# max-conn 18

Valid Range: 1-32

Default value: 5

The no max-conn command specifies the default.

Use the show serial-channel channame command to view configured values.

23.2.12 Configure Channel Retry Time

Use the retry-time command in Terminal Server Configuration mode to set the retry time for a terminal server channel. This is the number of seconds the client waits for a connection to succeed before timing out and retrying. This parameter is ignored when the channel direction is set to "IN."

Command syntax:

retry-time retrysecs

Where:

retrysecs is a numerical value specifying the number of seconds until retrying the connection.

Example:

Magnum 10RX(config-ts)# retry-time 60

Valid Range: 1-90 seconds

Default value: 30

The no retry-time command specifies the default.

Use the show serial-channel channame command to view configured values.
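
The limits stated across Sections 23.1 and 23.2 can be checked offline before a set of channels is applied, including which incoming channels listen on every configured address. The following is an added example, not part of INOS: parse_channels, audit and the grouped input layout are assumptions, and the sample channels are constructed from this chapter's commands rather than captured from a device.

```python
from collections import defaultdict

# Valid ranges as stated in Sections 23.2.8 to 23.2.12.
RANGES = {"local-tcp": (1000, 65535), "remote-tcp": (1, 65535),
          "max-conn": (1, 32), "retry-time": (1, 90)}
MAX_CHANNELS_PER_PORT = 16  # chapter introduction: up to 16 channels per port

# Constructed input: this chapter's commands grouped per channel. It is not
# device output; the layout is an assumption made for the example.
SAMPLE = """\
serial-channel amadeus
 serial-port serial 8/1
 direction in
 local-tcp 1492
 max-conn 18
serial-channel nannerl
 serial-port serial 8/1
 direction in
 local-address 192.168.1.2
 local-tcp 502
serial-channel leopold
 serial-port serial 8/1
 direction out
 remote-address 192.168.34.34
 remote-tcp 1819
 retry-time 120
serial-channel wolfgang
 serial-port serial 8/2
 direction in
 local-tcp 1492
"""


def parse_channels(text):
    """Return {channel name: {command: last argument}}; direction defaults to in."""
    channels, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if len(words) < 2:
            continue
        if words[0] == "serial-channel":
            current = channels.setdefault(words[1], {"direction": "in"})
        elif current is not None:
            current[words[0]] = words[-1].lower()  # "serial 8/1" -> "8/1"
    return channels


def audit(channels):
    """Return (severity, channel or port, message) for every rule violated."""
    findings = []
    by_port, bindings = defaultdict(list), defaultdict(list)
    for name, ch in channels.items():
        for key, (low, high) in RANGES.items():
            value = ch.get(key)
            if value is not None and not (value.isdigit() and low <= int(value) <= high):
                findings.append(("error", name, f"{key} {value} outside {low}-{high}"))
        if "serial-port" in ch:
            by_port[ch["serial-port"]].append(name)
        if "local-tcp" in ch:
            # NOTE in 23.2.8: the Local IP and Local TCP combination is unique.
            bindings[(ch.get("local-address", "any"), ch["local-tcp"])].append(name)
        if ch["direction"] == "in":
            if "local-tcp" not in ch:
                findings.append(("error", name, "IN channel has no local-tcp"))
            if "local-address" not in ch:
                # 23.2.7: without local-address the channel accepts on any address.
                findings.append(("warn", name,
                                 "IN channel listens on all configured IP addresses"))
    for (addr, tcp), names in bindings.items():
        if len(names) > 1:
            findings.append(("error", ",".join(names),
                             f"Local IP/Local TCP {addr}:{tcp} is not unique"))
    for port, names in by_port.items():
        directions = [channels[n]["direction"] for n in names]
        if len(names) > MAX_CHANNELS_PER_PORT:
            findings.append(("error", port, "more than 16 channels on one serial port"))
        if directions.count("in") > 1:
            findings.append(("error", port, "more than one IN channel on one serial port"))
        if "in" in directions and "out" in directions:
            findings.append(("warn", port,
                             "mixed mode (23.1.3): check the peer is not mixed too"))
    return findings


if __name__ == "__main__":
    for severity, subject, message in audit(parse_channels(SAMPLE)):
        print(f"{severity:5} {subject:18} {message}")
```

The warnings are review prompts rather than faults: a listener on every address and a mixed-mode port are both valid configurations that the chapter says to use deliberately.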

23.2.13 Clear a Serial Connection

Use the clear serial connection command in Exec Commands mode to delete an existing terminal server connection. Retrieve the connection ID value with the show serial-connection command in Exec Commands mode.

Command syntax:

clear serial connection connect-id

Where:

connect-id is the system-assigned identification number of the connection to be deleted.

Example:

Magnum 10RX# clear serial connection 1

Use the show serial-connection command to view connection ID values.

23.3 Terminal Server Show Commands

The CLI commands described below enable you to display information about the Terminal Server channels and connections. These commands are executed in Exec Commands mode at the Magnum 10RX# prompt.

23.3.1 Display Serial Channel Information

Use the show serial-channel command in Exec Commands mode to display the configured terminal server channels. If no channel name is supplied all channels are displayed in summary form. For more detailed information specify a channel by name.

Command syntax:

show serial-channel [channel-name]

Where:

channel-name specifies a configured channel to be displayed in detail.

Example:

Magnum 10RX# show serial-channel nannerl

23.3.2 Display Serial Connection Information

Use the show serial-connection command in Exec Commands mode to display terminal server connections. If no connection ID is supplied all connections are displayed in summary form. For more detailed information specify a connection by ID.

Command syntax:

show serial-connection [connection-id]

Where:

connection-id specifies a terminal server connection to be displayed in detail.

Example:

Magnum 10RX# show serial-connection 1

23.4 Terminal Server Configuration in the GUI

You manage the Terminal Server application by creating and configuring terminal server channels. The GUI screens used to accomplish these tasks are described in the following sections.

23.4.1 Configuring a Terminal Server

In the GUI go to the Serial Management: Terminal Server: Terminal Server Configuration tab to define a terminal server profile, as illustrated in Figure 23-2.

Figure 23-2. Terminal Server Configuration Screen

In the IPv4 Interface Settings screen the upper dialog box enables you to specify an IP address for a previously configured interface. Click the Modify button and this interface information will be displayed along with any other configured interfaces in the lower dialog box, which also enables editing of some previously configured values.

Table 23-1. Terminal Server Configuration Fields

| Parameter | Description | See Also |
|---|---|---|
| Select | You must click a selection button before modifying a configuration. | |
| Serial Channel Name | Specify a name of up to 16 printable characters for this Terminal Server channel. | Section 23.2.1 |
| Port Type | The only valid port type is serial. | |
| Port ID | Specify the ID for this serial port. | Section 23.2.2 |
| Direction | Set a direction for this channel. Options are: • in — The port acts like a passive TCP server, listening at the configured Local TCP port. • out — The port acts like an active TCP client and attempts to connect out to the server specified by the Remote IP and Remote TCP parameters. | Section 23.2.4 |
| Session Type | Specify a session type for this channel. Options are: • raw — provides a transparent pipe for serial data. • telnet — enables basic Telnet negotiation and control character processing (ECHO and BINARY modes supported). | Section 23.2.5 |
| Priority (DSCP) | Specify a DiffServ Code Point. Valid range: 0-63 | Section 23.2.6 |
| Local IP Address | Specify a valid local IP address. This is the IP address upon which the server listens for connections when the direction is set to "IN." If the direction is set to "OUT" this is the source IP address of the connection. | Section 23.2.7 |
| Local TCP Port | Specify the TCP port number associated with the serial port upon which the server listens for connection requests on a TCP/IP network. Valid Range: 1000-65535 | Section 23.2.8 |
| Remote IP Address | Specify a valid remote IP address. This is the IP address that the client attempts to connect to when the direction is set to "OUT." This parameter is ignored when the channel direction is set to "IN." | Section 23.2.9 |
| Remote TCP Port | Specify the remote TCP port that the client attempts to connect to when the direction is set to "OUT." Valid Range: 1-65535 | Section 23.2.10 |
| Maximum Connections | Specify the maximum number of incoming TCP connections. Valid Range: 1-32. Default value: 5 | Section 23.2.11 |
| Retry Time | Specify the number of seconds the client waits for a connection to succeed before timing out and retrying. Valid Range: 1-90 seconds. Default value: 30 seconds | Section 23.2.12 |

23.4.2 Monitoring Terminal Server Connections

In the GUI go to the Serial Management: Terminal Server: Terminal Server Connections tab for a view into the operation of terminal server connections, as illustrated in Figure 23-3.

Figure 23-3. Terminal Server Connections Screen

In the terminal server connections screen you can view identifying and performance information for configured terminal server connections. Click Delete to remove a connection.

Table 23-2. Terminal Server Connections Fields

| Parameter | Description | See Also |
|---|---|---|
| Select | You must click a selection button before deleting a configuration. | |
| Connection ID | A unique system-assigned identifier for this connection. | |
| Channel Name | The user-supplied name for this Terminal Server channel. | Section 23.2.1 |
| Port Type | The only valid port type is serial. | |
| Port ID | The identifier for this serial port. | Section 23.2.6 |
| Direction | The direction for this channel. Options are: • in — The port acts like a passive TCP server, listening at the configured Local TCP port. • out — The port acts like an active TCP client and attempts to connect out to the server specified by the Remote IP and Remote TCP parameters. | Section 23.2.4 |
| Connection Type | The session type for this channel. Options are: • raw — provides a transparent pipe for serial data. • telnet — enables basic Telnet negotiation and control character processing (ECHO and BINARY modes supported). | Section 23.2.5 |
| Local IP Address | The IP address upon which the server listens for connections when the direction is set to "IN." If the direction is set to "OUT" this is the source IP address of the connection. | Section 23.2.7 |
| Local TCP Port | The TCP port number associated with the serial port upon which the server listens for connection requests on a TCP/IP network. | Section 23.2.8 |
| Remote IP Address | The IP address that the client attempts to connect to when the direction is set to "OUT." This parameter is ignored when the channel direction is set to "IN." | Section 23.2.9 |
| Remote TCP Port | The TCP port that the client attempts to connect to when the direction is set to "OUT." | Section 23.2.10 |
| Octets Transmitted | The total number of octets transmitted on this connection. | |
| Octets Received | The total number of octets received on this connection. | |

23.4.3 Monitoring Terminal Server Channels

In the GUI go to the Serial Management: Terminal Server: Terminal Server Channel Status tab for a view into the status of configured terminal server channels, as illustrated in Figure 23-4.

Figure 23-4. Terminal Server Channel Status Screen

In the terminal server channel status screen you can view configuration information for terminal server channels.

Table 23-3. Terminal Server Channel Status Fields

| Parameter | Description | See Also |
|---|---|---|
| Channel Name | The user-supplied name for this Terminal Server channel. | Section 23.2.1 |
| Port Type | The only valid port type is serial. | |
| Port ID | The identifier for this serial port. | Section 23.2.6 |
| Direction | The direction for this channel. Options are: • in — The port acts like a passive TCP server, listening at the configured Local TCP port. • out — The port acts like an active TCP client and attempts to connect out to the server specified by the Remote IP and Remote TCP parameters. | Section 23.2.4 |
| Session Type | The session type for this channel. Options are: • raw — provides a transparent pipe for serial data. • telnet — enables basic Telnet negotiation and control character processing (ECHO and BINARY modes supported). | Section 23.2.5 |
| Local IP Address | The IP address upon which the server listens for connections when the direction is set to "IN." If the direction is set to "OUT" this is the source IP address of the connection. | Section 23.2.7 |
| Local TCP Port | The TCP port number associated with the serial port upon which the server listens for connection requests on a TCP/IP network. | Section 23.2.8 |
| Remote IP Address | The IP address that the client attempts to connect to when the direction is set to "OUT." This parameter is ignored when the channel direction is set to "IN." | Section 23.2.9 |
| Remote TCP Port | The TCP port that the client attempts to connect to when the direction is set to "OUT." | Section 23.2.10 |
| Channel State | The state of the channel. This field may display one of the following values: • Stopped — The channel is disabled because the associated serial port is disabled or down. • Listening — The channel is acting as a passive server and is waiting for incoming connection requests. • Refusing — The channel is acting as a passive server and is actively refusing new connections because it has reached the maximum number of connections for the channel. • Waiting — The channel is acting as an active client and is waiting for the re-try timer to expire. After the timer expires the channel will attempt again to establish the configured connection. • Connecting — The channel is acting as an active client, has issued a connection request to the configured remote host, and is waiting for a response. • Connected — The channel is acting as an active client and a connection has been established. • Handshaking — The channel is associated with a secure serial port and is currently attempting an SSL handshake with the remote host. | |
| Connections | The total number of connections configured on this channel. | |

Chapter 24 QoS

Quality of Service (QoS) is a term applied to a variety of technologies for managing network traffic so as to enhance performance, to reduce congestion, and to share resources among devices, users, and applications. A central QoS technique is the assignment of priorities to specific segments of network traffic.

INOS leverages a number of industry-standard technologies to provide administrative control of network traffic. These technologies are summarized in Table 24-1.

Table 24-1. QoS Resources

| Technology | Interface or Port Type served | Description |
|---|---|---|
| Class of Service (CoS) | Ethernet | Class of Service (CoS) refers to the eight-level priority field optionally present in an Ethernet header as specified by the IEEE 802.1p standard. Through global user configuration each CoS value can be mapped to one of the eight WFQ levels on an Ethernet port. |
| Differentiated Services Code Point (DSCP) | IP | The Differentiated Services Code Point (DSCP) is a 6-bit field present in all IP packet headers as specified by RFC 2474. Through global user configuration each DSCP can be mapped to one of the eight WFQ levels on Ethernet ports. On PPP interfaces a DSCP can be mapped to a WFQ level or an SPQ through a QoS profile. |
| Weighted Fair Queue (WFQ) | Ethernet, PPP | An eight-level weighted fair queue (WFQ) is implemented on each Ethernet port and also optionally on PPP interfaces. When a packet is ready to egress one of these ports, it is placed in one of the eight queues depending on the packet's classification. For Ethernet, packets are classified based on CoS or DSCP. For PPP, packets are classified based on DSCP. The relative weights of the eight queues are fixed at 128-64-32-16-8-4-2-1. |
| Strict Priority Queue (SPQ) | PPP | An optional four-level strict priority queue (SPQ) is implemented on PPP interfaces. IP packets marked with certain configurable DSCPs are placed in the SPQ and will be transmitted before lower priority packets. The SPQ also implements a configurable minimum guaranteed rate parameter that can reserve bandwidth for the queue while also preventing the starvation of lower priority traffic. |

24.1 Ethernet QoS Handling

The flow charts contained in Figure 24-1 and Figure 24-2 illustrate the Ethernet QoS handling of received packets in layer 2.

Figure 24-1. QoS Trust Mode Flow: CoS or DSCP

[Flow chart. Boxes: Packet Received; Check configured qos trust for receive interface; CoS Tagged?; IP?; Use qos output cos-map queue for queue assignment; Use qos output dscp-map queue for queue assignment; Use switchport priority default for queue assignment. Branch labels: cos, dscp, Y, N.]

Figure 24-2. QoS Trust Mode Flow: None or Both

[Flow chart. Boxes: Packet Received; Check configured qos trust for receive interface; CoS Tagged?; IP?; Use qos output cos-map queue for queue assignment; Use qos output dscp-map queue for queue assignment; Use switchport priority default for queue assignment. Branch labels: no qos trust, both, Y, N.]

24.2 IP Interface DSCP Marking

When a packet is received on an IP interface its source address, destination address, protocol type, source port, and destination port are compared against Access Control Lists (ACLs) configured with the ip qos mark dscp command for that interface. If a match is found the packet is marked with the mapped DSCP value and then passed along to the IP stack for further processing. This marking always overrides any DSCP value in the matching packet.

For example, the commands displayed in Figure 24-3 would mark all TCP port 10023 traffic destined for 192.168.1.5 with the expedited forwarding DSCP:

Magnum 10RX(config)# access-list mark1 extended permit tcp any host 192.168.1.5 eq 10023

Magnum 10RX(config)# ip qos mark dscp 46 match access-list mark1

Figure 24-3. DSCP Marking

For more on access lists see Section 17.1.3.

Notes:

• DSCP marking only applies to IP traffic that is being forwarded by the IP stack in software. DSCP marking of Ethernet packets switched by the hardware at layer 2 is not yet supported.

• Only matches based on IP address, subnet mask, and TCP/UDP port are currently supported when configuring DSCP marking.

24.3 PPP Output Queues

When a packet is to be transmitted on a PPP interface, it may be priority queued depending on the output queue policy that is assigned to the interface. Queue policies are created using the ip qos policy command in Global Configuration mode. Execution of the ip qos policy command enables definition of multiple policies and enters the QoS Policy Configuration mode, signaled by the Magnum 10RX(config-qos-policy)# prompt. In this mode you can specify policies to be assigned to multiple PPP interfaces.

• If strict priority queuing is enabled using the strict-queue command any packet with a mapped DSCP will be placed in that queue and handled with strict priority over the other queues. DSCPs are mapped to the strict priority queue using the match dscp command in the Strict Queue Configuration mode. Strict priority queues are numbered 3-0 with queue 3 being the highest priority queue.

• If the strict priority guaranteed rate is set using the rate command, packets in the strict queue will be guaranteed at least the amount of bandwidth specified. If traffic in the queue exceeds the specified rate, a policing function is allowed to drop some of the excess packets in order to prevent lower priority traffic from being starved. However, the rate is not a hard maximum on the amount of bandwidth available to that queue. If the lower priority queues are empty, the higher priority queue can use all of the link's bandwidth. If a strict queue becomes full, new packets will tail drop.

• If weighted fair queuing is enabled using the weighted-fair-queue command, any packet with a mapped DSCP will be placed in the appropriate weighted output queue level. DSCPs are mapped to the weighted fair queue level using the match dscp command in the Weighted Fair Queue Configuration mode. Weighted fair queue levels are 7-0 with a fixed weighting of 128-64-32-16-8-4-2-1, respectively.

The weighted fair queue is always treated as a lower priority queue than the strict priority queues.

The following diagram illustrates the priority queuing model as it is implemented at the PPP interface:

Figure 24-4. General PPP Queuing Model

In the model illustrated in Figure 24-4 a queue mapping decision is made based on whether strict priority queuing or weighted fair queueing is enabled and also on what DSCP to queue mappings have been configured.
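The queuing rules in this section can be exercised with a small model. The following Python code is an added example, not INOS code: it computes the steady-state bandwidth each queue receives on a congested PPP link, with and without the strict-queue rate. All class and function names are hypothetical, and it assumes that strict-queue traffic above the configured rate is served only from capacity the lower priority queues leave unused, and that a DSCP mapped to both queue types is classified as strict.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Fixed WFQ weights from this section: levels 7-0 weigh 128-64-32-16-8-4-2-1.
WFQ_WEIGHTS = {level: 2 ** level for level in range(8)}
Queue = Tuple[str, int]          # ("spq", priority) or ("wfq", level)


@dataclass
class StrictQueue:
    dscps: Set[int] = field(default_factory=set)
    rate_kbps: Optional[int] = None      # None = policer disabled (the default)


@dataclass
class QueuePolicy:
    strict: Dict[int, StrictQueue] = field(default_factory=dict)  # priority 0-3
    wfq: Dict[int, int] = field(default_factory=dict)             # DSCP -> level

    def strict_queue(self, priority, dscps, rate_kbps=None):
        """Model of 'strict-queue', 'match dscp dvalue' and 'rate kbps'."""
        if priority not in range(4):
            raise ValueError("strict queue priority must be 0-3")
        if rate_kbps is not None and not 1 <= rate_kbps <= 24000:
            raise ValueError("rate must be 1-24000 kbps")
        if any(d not in range(64) for d in dscps):
            raise ValueError("DSCP must be 0-63")
        self.strict[priority] = StrictQueue(set(dscps), rate_kbps)

    def match_wfq(self, dscp, level):
        """Model of 'match dscp dvalue qlevel' in weighted fair queue mode."""
        if dscp not in range(64) or level not in WFQ_WEIGHTS:
            raise ValueError("DSCP must be 0-63 and queue level 0-7")
        self.wfq[dscp] = level

    def classify(self, dscp) -> Queue:
        for priority, queue in self.strict.items():   # assumption: strict first
            if dscp in queue.dscps:
                return ("spq", priority)
        if dscp in self.wfq:
            return ("wfq", self.wfq[dscp])
        raise ValueError(f"DSCP {dscp} is not mapped; unmapped traffic is not modeled")


def allocate(policy, link_kbps, offered_kbps) -> Dict[Queue, float]:
    """Bandwidth per queue for a sustained offered load given as {DSCP: kbps}."""
    demand: Dict[Queue, float] = {}
    for dscp, kbps in offered_kbps.items():
        queue = policy.classify(dscp)
        demand[queue] = demand.get(queue, 0) + kbps
    grant = {queue: 0.0 for queue in demand}
    remaining = float(link_kbps)
    strict = sorted((q for q in demand if q[0] == "spq"), key=lambda q: -q[1])

    # Pass 1: strict queues, highest priority first. A policed queue is only
    # guaranteed its rate here; an unpoliced queue takes all it asks for.
    for queue in strict:
        rate = policy.strict[queue[1]].rate_kbps
        cap = demand[queue] if rate is None else min(demand[queue], rate)
        grant[queue] = min(cap, remaining)
        remaining -= grant[queue]

    # Pass 2: backlogged WFQ levels share what is left in proportion to weight.
    active = {q for q in demand if q[0] == "wfq" and demand[q] > 0}
    while active and remaining > 0:
        total = sum(WFQ_WEIGHTS[q[1]] for q in active)
        share = {q: remaining * WFQ_WEIGHTS[q[1]] / total for q in active}
        satisfied = {q for q in active if demand[q] <= share[q]}
        if not satisfied:                 # every level congested: split by weight
            for q in active:
                grant[q] = share[q]
            remaining = 0.0
            break
        for q in satisfied:               # lightly loaded levels get their demand
            grant[q] = demand[q]
            remaining -= demand[q]
        active -= satisfied

    # Pass 3: the rate is not a hard maximum, so spare capacity returns to the
    # strict queues, highest priority first.
    for queue in strict:
        extra = min(demand[queue] - grant[queue], remaining)
        grant[queue] += extra
        remaining -= extra
    return grant


if __name__ == "__main__":
    offered = {46: 2000, 25: 600, 10: 600}          # constructed load in kbps
    for rate in (None, 400):
        policy = QueuePolicy()
        policy.strict_queue(2, [46], rate_kbps=rate)
        policy.match_wfq(25, 5)
        policy.match_wfq(10, 3)
        print("rate", rate, allocate(policy, 1000, offered))
```

With the policer disabled the strict queue takes the whole 1000 kbps link and both weighted fair queue levels receive nothing; with a rate of 400 the remaining 600 kbps is split 480/120 between levels 5 and 3.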

24.4 Configuring QoS in the CLI

INOS QoS features can be configured from several different configuration modes, as detailed below.

24.4.1 Global Configuration Commands

The following commands are executed in Global Configuration mode.

24.4.1.1 Enabling and Disabling QoS

Use the set qos command in Global Configuration mode to enable or disable QoS in the system.

Command syntax:

set qos {enable | disable}

Example:

Magnum 10RX(config)# set qos enable

Default value: disabled

24.4.1.2 Mapping a DSCP Output Queue

Use the qos output dscp-map command in Global Configuration mode to create a global mapping between a trusted DSCP and an output queue level.

Command syntax:

qos output dscp-map {dvalue qlevel}

Where:

dvalue specifies the DSCP to map to the queue level specified by qlevel.

qlevel specifies the level of the output queue.

Example:

Magnum 10RX(config)# qos output dscp-map 50 5

This command specifies that a DSCP of 50 will map to an output queue level 5.

Valid ranges:

DSCP — 0-63

Queue level — 0-7

Default value: every DSCP value maps to level 1.

24.4.1.3 Mapping a CoS Output Queue

Use the qos output cos-map command in the Global Configuration mode to create a global mapping between a trusted CoS and an output queue level for Ethernet ports only.

Command syntax:

qos output cos-map cos qlevel

Where:

cos specifies the CoS value to map to the queue level specified by qlevel.

qlevel specifies the level of the output queue.

Example:

Magnum 10RX(config)# qos output cos-map 0 2

This command specifies that a CoS value of 0 will map to an output queue level 2.

Valid ranges:

Queue level — 0-7

CoS — 0-7

Default value:

The default mapping is:

0 — 0

1 — 1

2 — 2

3 — 3

4 — 4

5 — 5

6 — 6

7 — 7

24.4.2 Ethernet Interface Configuration Commands

The following commands can be executed after you have accessed Interface Configuration mode for Ethernet interfaces as described in Section 4.0.2.1.

24.4.2.1 Configuring QoS Trust

Use the qos trust command in Interface Configuration mode to set the trust mode of a specified Ethernet port. See Figure 24-1 and Figure 24-2 for the effect the trust mode has on tag processing.

Command syntax:

qos trust {cos | dscp | both}

Where:

cos specifies the use of the CoS field (if it exists) to determine packet priority.

dscp specifies the use of the DSCP field to determine packet priority.

both specifies the use of the CoS field (if it exists). Otherwise use the DSCP field.

Example:

Magnum 10RX(config-if)# qos trust cos

This command specifies that the Class of Service (CoS) field will be used to determine packet priority.

Default value: untrusted

The no qos trust command specifies the “untrusted” value.

24.4.2.2 Configuring CoS Default

Use the qos cos default command in Interface Configuration mode to specify the default CoS for a port. The default CoS is used if no CoS is specified in the packet itself.

Command syntax:

qos cos default defnum

Where:

defnum is a numerical value specifying the default priority value of this port.

Example:

Magnum 10RX(config-if)# qos cos default 5

Valid range: 0-7

Default value: 0

The no qos cos default command specifies the default value (0).
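The trust-mode decision of Figure 24-1 and Figure 24-2, combined with the global maps of Sections 24.4.1.2 and 24.4.1.3, can be written as one function. The following Python code is an added example, not INOS code; its names are hypothetical. It assumes that the "switchport priority default" box in the figures refers to the port default CoS set with qos cos default, and that this value is looked up in the CoS map to obtain the queue level.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

TRUST_MODES = (None, "cos", "dscp", "both")   # None = untrusted (the default)


@dataclass
class Packet:
    cos: Optional[int] = None    # 802.1p CoS, None when the frame has no CoS tag
    dscp: Optional[int] = None   # DSCP, None when the frame does not carry IP


@dataclass
class Port:
    trust: Optional[str] = None  # value set with "qos trust"
    default_cos: int = 0         # value set with "qos cos default"


@dataclass
class QosConfig:
    # Defaults from the guide: CoS n maps to level n, every DSCP maps to level 1.
    cos_map: Dict[int, int] = field(default_factory=lambda: {c: c for c in range(8)})
    dscp_map: Dict[int, int] = field(default_factory=lambda: {d: 1 for d in range(64)})

    def map_cos(self, cos: int, level: int) -> None:
        """Model of 'qos output cos-map cos qlevel'."""
        if cos not in range(8) or level not in range(8):
            raise ValueError("CoS and queue level must both be 0-7")
        self.cos_map[cos] = level

    def map_dscp(self, dscp: int, level: int) -> None:
        """Model of 'qos output dscp-map dvalue qlevel'."""
        if dscp not in range(64) or level not in range(8):
            raise ValueError("DSCP must be 0-63 and queue level 0-7")
        self.dscp_map[dscp] = level


def select_queue(cfg: QosConfig, port: Port, pkt: Packet) -> int:
    """Return the output queue level for a packet received on an Ethernet port."""
    if port.trust not in TRUST_MODES:
        raise ValueError(f"unknown trust mode: {port.trust!r}")
    # "cos" and "both": use the CoS field if the frame carries one.
    if port.trust in ("cos", "both") and pkt.cos is not None:
        return cfg.cos_map[pkt.cos]
    # "dscp", or "both" without a CoS tag: use the DSCP if the packet is IP.
    if port.trust in ("dscp", "both") and pkt.dscp is not None:
        return cfg.dscp_map[pkt.dscp]
    # Untrusted port, or the trusted field is absent: the markings the sender
    # put in the packet are ignored and the port default priority is used.
    return cfg.cos_map[port.default_cos]


if __name__ == "__main__":
    cfg = QosConfig()
    cfg.map_dscp(50, 5)          # the guide's example: qos output dscp-map 50 5
    cfg.map_cos(0, 2)            # the guide's example: qos output cos-map 0 2
    marked = Packet(cos=7, dscp=50)   # constructed packet carrying both markings
    for trust in TRUST_MODES:
        print(trust, "->", select_queue(cfg, Port(trust=trust), marked))
```

On a port left at the default untrusted setting, the packet marked CoS 7 and DSCP 50 is queued according to the port default priority, not according to its own markings.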

24.4.3 Queuing Policy Configuration Commands

The following commands are used to configure queue policies that can be assigned to IP interfaces. In Release 2.0, IP queuing policies can only be assigned to PPP interfaces.

24.4.3.1 Specify a Queueing Policy

Use the ip qos policy command in Global Configuration mode to name and configure a queuing policy and to enter the QoS Policy Configuration mode, signaled by the Magnum 10RX(config-qos-policy)# prompt.

Command syntax:

ip qos policy pol_name

Where:

pol_name is a user-supplied string of printable characters naming the policy.

Example:

Magnum 10RX(config)# ip qos policy p1

Magnum 10RX(config-qos-policy)# 

This command specifies a queuing policy named p1 and enters QoS Policy Configuration mode for the purpose of configuring that policy.

The no qos policy pol_name command deletes the policy specified by pol_name.

24.4.3.2 Specify Weighted Fair Queueing

Use the weighted-fair-queue command in QoS Policy Configuration mode to enable weighted fair queuing on a PPP interface and to enter the QoS Policy Weighted-Fair-Queueing Configuration mode, signaled by the Magnum 10RX(config-qos-policy-wfq)# prompt. See Section 24.3 for information on the implementation of weighted fair queuing.

Command syntax:

weighted-fair-queue

Example:

Magnum 10RX(config-qos-policy)# weighted-fair-queue

Magnum 10RX(config-qos-policy-wfq)# 

Default: weighted fair queueing is disabled.

The no ip qos output weighted-fair-queue command disables weighted fair queueing.

24.4.3.3 Specify a DSCP-WFQ Match

Use the match dscp command in QoS Policy Weighted-Fair-Queueing Configuration mode to map a DSCP to a particular weighted fair queue level.

Command syntax:

match dscp {dvalue qlevel}

Where:

dvalue specifies the DSCP to map to the queue level specified by qlevel.

qlevel specifies the level of the output queue.

Example:

Magnum 10RX(config-qos-policy-wfq)# match dscp 25 5

This command specifies that a DSCP of 25 will map to an output queue level 5.

Default value: no DSCPs are mapped to the weighted fair queue.

Valid ranges:

DSCP — 0-63

queue level — 0-7, where 7 is the highest level and therefore the most heavily weighted. Weights increase by a factor of 2 for each level with a relative weight of 1 for level 0 and a relative weight of 128 for level 7.

The no match dscp {dvalue qlevel} command removes the specified mapping.

24.4.4 Specify Strict Queueing

Use the strict-queue command in QoS Policy Configuration mode to enable a strict high priority queue on a PPP interface and to enter the QoS Policy Strict-Queueing Configuration mode, signaled by the Magnum 10RX(config-qos-policy-spq)# prompt. See Section 24.3 for information on the implementation of strict priority queuing.

Command syntax:

strict-queue priority

Where:

priority is a numerical value specifying the priority associated with this interface.

Example:

Magnum 10RX(config-qos-policy)# strict-queue 2

Magnum 10RX(config-qos-policy-spq)#

The no ip qos output strict-queue command disables strict queuing.

Default: the strict high priority queue is disabled.

Valid range: 0-3, where 0 is the lowest priority and 3 is the highest priority.

24.4.4.1 Specify a DSCP-SPQ Match

Use the match dscp command in QoS Policy Strict-Queueing Configuration mode to map a DSCP to the strict priority queue previously associated with this interface with the strict-queue command.

Command syntax:

match dscp dvalue

Where:

dvalue specifies the DSCP to map to the strict queue configured for this interface.

Example:

Magnum 10RX(config-qos-policy-spq)# match dscp 21

This command specifies that a DSCP of 21 will map to the strict queue configured for this interface.

Default value: no DSCPs are mapped to the strict priority queue.

Valid ranges:

DSCP — 0-63

24.4.4.2 Control the Available Bandwidth on the Strict Queue

Use the rate command in QoS Policy Strict-Queueing Configuration mode to guarantee a minimum amount of bandwidth to packets in a strict queue. This specification, also called a policer, is expressed in kilobits per second and can adjust according to context. For details see Section 24.3.

Command syntax:

rate kbps

Where:

kbps specifies that at least kbps of bandwidth will be available to this strict queue.

Example:

Magnum 10RX(config-qos-policy-spq)# rate 1000

The no rate command disables a configured policer.

Default value: policer is disabled.

Valid ranges: 1-24000

Default value: The queue is assigned all available bandwidth on the link. This is typically not desirable since lower priority traffic can be starved if the link is overloaded.

24.4.5 IP Configuration Commands

For Release 2.0, the following command applies only to PPP interfaces.

24.4.5.1 Map a Queueing Policy to a PPP Interface

Use the ip qos output queue policy command in PPP Interface Configuration mode to map an IP queuing policy to a PPP interface.

Command syntax:

ip qos output queue policy pol_name

Where:

pol_name is the name of the queueing policy to be mapped to the PPP interface under configuration.

Example:

Magnum 10RX(config-ppp)# ip qos output queue policy p1

Default value: no assigned policy.

Use the no ip qos output queue policy command to remove the policy mapping.

24.4.6 Global IP Configuration Commands

For Release 2.0, the following command applies only to packets forwarded by the IP stack in software.

24.4.6.1 Map an ACL to a DSCP

Use the ip qos mark dscp command in Global Configuration mode to map an access control list (ACL) to a DSCP. If a packet is received on an interface and it matches the ACL the packet will be marked with the mapped DSCP.

NOTE: Only the protocol type, source address, source port, destination address, and destination port are supported when using the ip qos mark dscp command to assign an ACL.

Command syntax:

ip qos mark dscp dval match address acl

Where:

dval is a numerical value specifying the DSCP to be mapped.

acl is the name of the access control list to be mapped to dval.

Example:

Magnum 10RX(config)# ip qos mark dscp 21 match address mfglist

This command specifies that if a received packet matches the ACL mfglist, that packet will be mapped to DSCP 21.

Valid range (DSCP): 0-63

Default value: no DSCP marking is enabled.

The no ip qos mark dscp dval command disables marking for that DSCP.

24.4.7 Show Commands

The following command is executed in the Exec Commands mode.

24.4.7.1 Displaying Configured QoS Interfaces

Use the show ip qos interface command to display packet counters for the different queues that have been configured on the interface. This command only applies to PPP interfaces for Release 2.0.

Command syntax:

show ip qos interface ppp ppp-id

Where:

ppp-id is the configured identifier of a PPP interface.

Example:

Magnum 10RX# show ip qos interface ppp 5


Example output:

Strict Queue Priority 1

Sent 164 packets, 1296 bytes

Best Effort Queue

Sent 47643 packets, 937627 bytes

Weighted Fair Queue Level 1

Sent 10 packets, 924 bytes

Weighted Fair Queue Level 3

Sent 6524 packets, 1746776 bytes

24.5 Configuring QoS in the GUI

INOS QoS features can be configured from several different configuration modes, as detailed below.

24.5.1 Enabling and Disabling QoS

In the GUI go to the Layer 2: Manager: QOS: Global Settings tab to enable or disable QoS functionality in the system, as illustrated in Figure 24-5.

Figure 24-5. QoS Global Configuration Screen

In the QoS Global Configuration screen choose Enabled or Disabled status to set QoS status for the system and click the Apply button to apply your choice.

Table 24-2. QoS Global Configuration Fields

Parameter | Description | See Also
Enable | Enables QoS in the system. | Section 24.4.1.1
Disable | Disables QoS in the system. |


24.5.2 Configuring QoS Port Settings

In the GUI go to the Layer 2: Manager: QOS: Port Settings tab to configure default CoS, trust mode, and DSCP mutation for specific ports, as illustrated in Figure 24-6.

Figure 24-6. QoS Port Settings Screen

In the QoS Port Settings screen set QoS values specific to individual ports and click the Apply button to apply your choices.

Table 24-3. Port Settings Fields

Parameter | Description | See Also
Select | You must click a selection button before modifying a configuration. |
Port | A list of ports available for configuration. |
Default CoS | The default CoS is used if no CoS is specified in the packet itself. Default value: 0 | Section 24.4.2.2
Trust Mode | Specify the QoS trust mode for this port. Options are: • Untrusted — switchport priority default will be used. • Trust L2 CoS — specifies the use of the CoS field (if it exists) to determine packet priority. • Trust L3 DSCP — specifies the use of the DSCP field to determine packet priority. • Trust Both — specifies the use of the CoS field (if it exists). Otherwise use the DSCP field. Default value: Untrusted | Section 24.4.2.1, Figure 24-1, Figure 24-2

24.5.3 Configuring a CoS Queue Map

In the GUI go to the Layer 2: Manager: QOS: CoS Queue Map tab to create a global mapping between a trusted CoS and an output queue level, as illustrated in Figure 24-7.

Figure 24-7. CoS Queue Map Configuration Screen

In the QoS Queue Map Configuration screen create a global mapping between a trusted CoS and an output queue level for Ethernet ports only. Click the Apply button for your choices to take effect.

Table 24-4. CoS Queue Map Configuration Fields

Parameter | Description | See Also
Select | You must click a selection button before modifying a configuration. |
CoS | A CoS value. (The values in this column are not configurable.) |
Queue | An output queue level that maps to the CoS value in this row. Valid range: 0-7. Default mapping: 0 — 0, 1 — 1, 2 — 2, 3 — 3, 4 — 4, 5 — 5, 6 — 6, 7 — 7 | Section 24.4.1.3, Figure 24-1, Figure 24-2


24.5.4 Configuring a DSCP Queue Map

In the GUI go to the Layer 2: Manager: QOS: DSCP Queue Map tab to create a global mapping between a trusted DSCP and an output queue level, as illustrated in Figure 24-8.

Figure 24-8. DSCP Queue Map Configuration Screen

In the DSCP Queue Map screen create a global mapping between a trusted DSCP and an output queue level. Click the Apply button for your choices to take effect.

Table 24-5. DSCP Queue Map Configuration Fields

Parameter | Description | See Also
Select | You must click a selection button before modifying a configuration. |
DSCP | A DSCP value. (The values in this column are not configurable.) |
Queue | An output queue level that maps to the DSCP value in this row. Valid range: DSCP — 0-63; Queue level — 0-7. Default value: All DSCP values map to queue level 1 | Section 24.4.1.2, Figure 24-1, Figure 24-2

24.5.5 Configuring Frame Relay QoS for a PVC

In the GUI go to the WAN Management: Frame Relay QOS: FR QoS tab to assign QoS priorities based on a Frame Relay PVC, as illustrated in Figure 24-9.

Figure 24-9. Frame Relay QoS Screen

In the Frame Relay QoS Configuration screen configure a default priority for the selected Frame Relay PVC. Click the Apply button for your choices to take effect.

For more on Frame Relay queueing see Section 21.1.7.

Table 24-6. Frame Relay QoS Fields

Parameter | Description | See Also
Select | You must click a selection button before modifying a configuration. |
FR PVC Name | The identifier for the selected PVC. |
Default Priority | Specify the default priority for this PVC. Default value: 0. Valid range: 0-5 | Section 21.1.8.1
CIR Status | The Committed Information Rate (CIR) is the minimum data throughput that your service provider guarantees to support over a particular PVC. Use this selection field to enable or disable CIR on this PVC. | Section 21.1.8.4
CIR | Specify the CIR value in bytes. Default value: the bit rate of the Frame Relay interface. Valid range: 1-2048 bytes | Section 21.1.8.4

24.5.6 Configuring Frame Relay QoS for a DSCP

In the GUI go to the WAN Management: Frame Relay QOS: FR DSCP Priority Mapping tab to enable QoS priorities based on the DSCP value of encapsulated IP packets, as illustrated in Figure 24-10.

Figure 24-10. Frame Relay DSCP Priority Mapping Screen

In the Frame Relay DSCP Priority Mapping screen use the upper dialog box to configure a priority for a specified DSCP. Click the Add button for your choices to take effect and to be displayed in the lower dialog box. Use the lower dialog box to edit or delete configured mappings.

For more on Frame Relay queueing see Section 21.1.7.

Table 24-7. Frame Relay DSCP Priority Mapping Fields

Parameter | Description | See Also
Select | You must click a selection button before modifying a configuration. |
DSCP | Specify a DSCP value. Valid range: 0-63 or 0x00-0x3F | Section 21.1.8.2
Priority | Specify the default priority for this DSCP. Valid range: 0-5 | Section 21.1.8.2


24.5.7 Configuring Frame Relay Priority Weights

In the GUI go to the WAN Management: Frame Relay QOS: FR Priority Weights tab to map priority values to queue weights, as illustrated in Figure 24-10.

Figure 24-11. Frame Relay Priority Weights Screen

In the Frame Relay Priority Weights screen assign one of the four configurable queue weights to each priority. Click the Apply button for your choices to take effect.

For more on Frame Relay queueing see Section 21.1.7.


Table 24-8. Frame Relay Priority Weights Fields

Parameter | Description | See Also
Select | You must click a selection button before modifying a configuration. |
Priority | Specify a DSCP value. Valid range: 0-63 or 0x00-0x3F | Section 21.1.8.2
Weight | Specify the default priority for this DSCP. Valid range: 0-5 | Section 21.1.8.2


Chapter 25 Protocol Analyzer

Use the INOS protocol analyzer feature to capture and display the packets received and transmitted through a particular interface. Specify the interface on which monitoring is to be done along with any filtering options to obtain useful output. The output of the analyzer is displayed in the CLI management window.

25.1 Starting and Stopping the Protocol Analyzer

The following analyzer controls are available as keyboard commands:

• start — Start the protocol analyzer by executing the protocol-analyzer command with valid arguments (see Section 25.2).

• pause — Press any key other than the q key to pause a running analysis.

• resume — Press any key other than the q key to resume a paused analysis.

• stop — Press the q key to stop the analyzer.

25.2 Configuring Protocol Analyzer Output

Use the protocol-analyzer command in Exec commands mode to specify an interface to be monitored and the types of data to be displayed for that interface. The protocol-analyzer command supports a great number of arguments.

Use the protocol-analyzer command followed by the ip keyword to specify an IP interface.

Command syntax:

protocol-analyzer ip ipif_type output_specs

Where:

ipif_type is any of,

gigabitethernet — an active Ethernet port identified by a port number/slot number combination.

mlppp — a numerical value in the range 1-16 specifying a configured MLPPP interface ID.

ppp — a numerical value in the range 1-16 specifying a configured PPP interface ID.

tunnel — a numerical value in the range 1-32 specifying a configured tunnel interface ID.

vlan — a numerical value in the range 1-4094 specifying a configured VLAN interface ID.


output_specs may be any of the specifications in Table 25-1.

Use the protocol-analyzer command followed by the interface keyword to specify a physical interface.

protocol-analyzer interface physif_type output_specs

Where:

physif_type is any of,

gigabitethernet — an active Ethernet port identified by a port number/slot number combination.

serial — an active serial port identified by a port number/slot number combination.

t1e1 — an active T1/E1 port identified by a port number/slot number combination.

output_specs may be any of the specifications in Table 25-1.

Table 25-1 describes the arguments that can be used with both protocol-analyzer ip and protocol-analyzer interface to filter and shape protocol analyzer output.

NOTE: The syntax used in the INOS Protocol Analyzer commands is the same as that used in the well-known Wireshark Network Protocol Analyzer.

Table 25-1. Protocol Analyzer Output Arguments

Keyword | Variables

filter | The keyword filter precedes a filter string to be used to filter the captured packets. The filter string uses tcpdump syntax, including boolean expressions. Enclose the filter string in double quotes, for example: "filter_string".

format | The format keyword enables you to specify the degree of detail in the output. Options are:

• brief — displays packet data with minimal information. (The default format for tcpdump.)

• extended — displays packet data in hexadecimal format. (Equivalent to the tcpdump -XX option.)

• verbose — displays packet data in human readable format. (Equivalent to the tcpdump -vv option.)

• full — a combination of the extended and verbose options. (Equivalent to the tcpdump -vv and -XX options combined.)

Default value: brief

level | The level keyword enables you to specify the packet display level. Options are:

• layer2 — packet display level option is set as L2. Display layer 2 headers (for instance, Ethernet headers) as well as layer 3 headers.

• layer3 — packet display level option is set as L3. Display Layer 3 headers only.

Default value: layer2

timestamp | The timestamp keyword enables you to specify the timestamp format. Options are:

• absolute — the timestamp will specify the actual time when the packet was captured.

• delta — the timestamp will specify the time elapsed between this packet and the preceding packet.

• none — no timestamp specified.

• relative — timestamp will specify the time elapsed since the protocol analyzer was started.

Default value: absolute

Examples:

1. Example 1 illustrates specifying an IP interface and starting the display of captured packets in the CLI management window in raw mode.

Magnum 10RX# protocol-analyzer ip gigabitethernet 5/2

10:55:47.040202 ARP, Request who-has 172.16.210.1 tell 172.16.210.41, length 46
10:55:47.124811 STP 802.1s, Rapid STP, CIST Flags [Forward, Agreement]
10:55:47.343223 IP 172.16.210.41.57369 > 239.255.255.250.1900: UDP, length 133

Figure 25-1. Protocol Analyzer Output, Example 1

2. Example 2 illustrates the monitoring of an IP interface in brief mode with two filters applied:

• The source or destination IP network is 172.16.0.0/16.

• The protocol is ICMP.

Magnum 10RX# protocol-analyzer ip vlan 1 format brief filter "net 172.16 and icmp"

11:01:46.619643 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.210.32 > 172.16.210.30: ICMP echo request, id 21002, seq 765, length 64
11:01:46.619920 IP (tos 0x0, ttl 64, id 47562, offset 0, flags [none], proto ICMP (1), length 84)
    172.16.210.30 > 172.16.210.32: ICMP echo reply, id 21002, seq 765, length 64

Figure 25-2. Protocol Analyzer Output, Example 2

3. Example 3 illustrates the monitoring of an interface in full display mode with two filters applied:

• The source or destination IP network is 172.16.0.0/16.

• The source or destination tcp port is 80.

Magnum 10RX# protocol-analyzer interface t1e1 10/1 format full filter "net 172.16 and tcp port 80"

11:10:48.835381 IP (tos 0x0, ttl 51, id 23433, offset 0, flags [none], proto TCP (6), length 52)
    74.125.236.84.80 > 172.16.210.32.40273: Flags [.], cksum 0x1faa (correct), ack 1089, win 1002, options [nop,nop,TS val 3127539032 ecr 1102765], length 0
        0x0000:  4500 0034 5b89 0000 3306 7738 4a7d ec54  E..4[...3.w8J}.T
        0x0010:  ac10 d220 0050 9d51 0156 a7d1 1212 41ca  .....P.Q.V....A.
        0x0020:  8010 03ea 1faa 0000 0101 080a ba6a 7558  .............juX
        0x0030:  0010 d3ad                                ....
11:10:48.836058 IP (tos 0x0, ttl 51, id 23434, offset 0, flags [none], proto TCP (6), length 188)
    74.125.236.84.80 > 172.16.210.32.40273: Flags [P.], seq 1:137, ack 1089, win 1002, options [nop,nop,TS val 3127539032 ecr 1102765], length 136
        0x0000:  4500 00bc 5b8a 0000 3306 76af 4a7d ec54  E...[...3.v.J}.T
        0x0010:  ac10 d220 0050 9d51 0156 a7d1 1212 41ca  .....P.Q.V....A.
        0x0020:  8018 03ea 0597 0000 0101 080a ba6a 7558  .............juX
        0x0030:  0010 d3ad 4854 5450 2f31 2e31 2033 3034  ....HTTP/1.1.304
        0x0040:  204e 6f74 204d 6f64 6966 6965            .Not.Modified

Figure 25-3. Protocol Analyzer Output, Example 3

4. Example 4 illustrates the monitoring of a gigabitethernet interface in brief display mode.

Magnum 10RX# protocol-analyzer interface gigabitethernet 5/2

08:49:44.278781 00:20:61:05:25:08 (oui Unknown) > 00:20:61:05:23:08 (oui Unknown), ethertype IPv4 (0x0800), length 74: 24.0.0.1 > 24.0.0.2: ICMP echo request, id 0, seq 1, length 40
08:49:44.286601 00:20:61:05:23:08 (oui Unknown) > 00:20:61:05:25:08 (oui Unknown), ethertype IPv4 (0x0800), length 74: 24.0.0.2 > 24.0.0.1: ICMP echo reply, id 0, seq 1, length 40

Figure 25-4. Protocol Analyzer Output, Example 4
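The hex rows printed by the extended and full formats can be decoded offline to cross-check the header summary and to see exactly which bytes a capture recorded. The following Python is an added example, not part of INOS: it rebuilds the first packet of Figure 25-3 from its hex rows, decodes the IPv4 and TCP headers, and verifies the IP header checksum. The function names are assumptions, and every row is expected to end with the ASCII column.

```python
import ipaddress
import re
import struct

# Hex rows of the first packet in Figure 25-3, as shown on this page.
FIGURE_25_3_PACKET = """\
0x0000:  4500 0034 5b89 0000 3306 7738 4a7d ec54  E..4[...3.w8J}.T
0x0010:  ac10 d220 0050 9d51 0156 a7d1 1212 41ca  .....P.Q.V....A.
0x0020:  8010 03ea 1faa 0000 0101 080a ba6a 7558  .............juX
0x0030:  0010 d3ad                                ....
"""

ROW_RE = re.compile(r"^\s*0x([0-9a-fA-F]{4}):\s+(\S.*)$")
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


def hexdump_to_bytes(text):
    """Rebuild packet bytes from 'offset: hex groups  ascii' rows."""
    data = bytearray()
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if not row:
            continue  # header summary lines and blanks are not hex rows
        offset, tokens = int(row.group(1), 16), row.group(2).split()
        # The last token is the ASCII column: one character per dumped byte.
        chunk = bytes.fromhex("".join(tokens[:-1]))
        if len(chunk) != len(tokens[-1]):
            raise ValueError(f"hex and ASCII columns disagree at {offset:#06x}")
        if offset != len(data):
            raise ValueError(f"gap or overlap at offset {offset:#06x}")
        data += chunk
    return bytes(data)


def internet_checksum_ok(header):
    """A header is intact when the folded one's-complement sum is 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_ipv4_tcp(pkt):
    """Decode the IPv4 header and, for TCP, ports, flags and payload."""
    if len(pkt) < 20:
        raise ValueError("shorter than an IPv4 header")
    ver_ihl, tos, total_len, ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a complete IPv4 header")
    out = {
        "dscp": tos >> 2, "ecn": tos & 0x3,
        "total_len": total_len, "id": ident, "ttl": ttl, "proto": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ip_checksum_ok": internet_checksum_ok(pkt[:ihl]),
        # True when the dump holds fewer bytes than the header announces.
        "truncated": len(pkt) < total_len,
    }
    if proto == 6 and len(pkt) >= ihl + 20:
        sport, dport, _seq, _ack, off_flags, window = struct.unpack(
            "!HHIIHH", pkt[ihl:ihl + 16])
        data_off = (off_flags >> 12) * 4
        out.update(
            sport=sport, dport=dport, window=window,
            flags=[n for i, n in enumerate(TCP_FLAGS) if off_flags & (1 << i)],
            payload=pkt[ihl + data_off:total_len])
    return out


if __name__ == "__main__":
    packet = hexdump_to_bytes(FIGURE_25_3_PACKET)
    for key, value in decode_ipv4_tcp(packet).items():
        print(f"{key}: {value}")
```

The decoded fields agree with the summary line printed above the hex rows in Figure 25-3 (ttl 51, id 23433, port 80 to port 40273, win 1002).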


Glossary

This glossary contains brief explanations of acronyms and other terms used in this manual.

Term Definition

3DES Triple Data Encryption Standard (DES). A more secure version of the DES standard in which data is encrypted three times.

802.1p An IEEE standard that provides Quality of Service (QoS) at the layer 2 level.

ACL Access Control List. In IPSec ACLs can be configured to filter router traffic by source, destination, protocol or other criteria.

AES Advanced Encryption Standard. A NIST-standard cryptographic cipher that uses a block length of 128 bits and key lengths of 128, 192 or 256 bits.

ANSI American National Standards Institute.

ARP Address Resolution Protocol. Enables discovery of a device’s MAC address when only its IP address is known.

AS Autonomous System. A set of routers under a single technical administration with an apparently coherent interior routing plan.

ASCII American Standard Code for Information Interchange.

BGP Border Gateway Protocol. A protocol for routing traffic between autonomous systems (AS).

BPV Bipolar violation.

BPDU Bridge Protocol Data Units. Message units that carry the Spanning Tree Protocol information.

CBT Core Based Trees. One of the communications protocols of the Internet Protocol Suite. Builds and maintains a shared delivery tree for a multicast group.

CCITT Comité consultatif international téléphonique et télégraphique. An institution to coordinate telecommunication standards. Although the CCITT acronym is still widely used, the institution has been known since 1992 as ITU Telecommunication Standardization Sector (ITU-T).

CHAP Challenge-Handshake Authentication Protocol. A method of authentication of remote clients used by Point to Point Protocol (PPP) servers and based on a shared secret.

CIDR Classless Inter-Domain Routing. A CIDR address is written with a forward slash preceding a suffix indicating the number of bits in the prefix length, such as 192.168.0.0/16.

CIR Committed Information Rate. A guaranteed data rate negotiated with a carrier.


CIST Common and Internal Spanning Tree. CIST is a concept of Multiple Spanning Tree (MST) technology. The CIST is a unique default spanning tree that runs among all MST regions in a network.

CFX Configuration XML File.

CoS Class of Service. Refers to the eight level priority field optionally present in an Ethernet header as specified by the IEEE 802.1p standard.

CRC Cyclic Redundancy Check. A method of detecting errors in transmitted data.

CTS Clear-to-Send. On an RS-232 interface, a DCE’s signal granting a DTE permission to transmit.

DCD Data Carrier Detect. On an RS-232 interface, a DCE’s signal that a connection has been established.

DCE Data Communications Equipment. Typically a communication device such as a modem. In an RS-232 link a DCE communicates with a DTE.

DDS Digital Data Service. A private line digital service from carriers other than AT&T.

DES Data Encryption Standard (DES). A NIST-standard cryptographic cipher that uses a 56-bit key.

DH Diffie-Hellman key exchange. A key exchange method that allows two parties to jointly establish a shared secret key over an insecure communications channel to support encryption of subsequent communications.

DHCP Dynamic Host Configuration Protocol.

Diffie-Hellman See DH.

DiffServ DIFFerentiated SERVices. A type of Quality of Service (QoS) functionality.

DLCI Data Link Connection Identifier. An identifying number for a private or switched virtual circuit in a frame relay network.

DPD Dead Peer Detection. A method of determining that an IKE peer (that is, a networked server) is inoperative.

DSA Digital Signature Algorithm. A United States Federal Government standard for verifying digital signatures.

DSCP Differentiated Services Code Point. A value in the DiffServ portion of an IP packet header used for classification purposes.

DSR/DTR Data Set Ready/Data Terminal Ready. RS-232 handshake signals sent from the modem to the terminal (DSR) or from the terminal to the modem (DTR) indicating readiness to accept data.

DTE Data Terminal Equipment. Typically a computer system. In an RS-232 link a DTE communicates with a DCE.

DTR See DSR/DTR.


E1 See T1/E1.

ECDH Elliptic Curve Diffie-Hellman. A version of the Diffie-Hellman key exchange (see DH, above) that allows two parties, each having an elliptic curve public-private key pair, to establish a shared secret over an insecure channel.

EGP Exterior Gateway Protocol. An internet routing protocol.

ESP Encapsulation Security Payload. An IPSec header extension for supporting security services.

FCS Frame Check Sequence. Extra characters added to a Frame for error detection and correction.

FEFI Far End Fault Indication. A feature of optical ports that detects an unresponsive link and shuts down transmission from the port.

GARP Generic Attribute Registration Protocol to enable similar devices to register and de-register attribute values, such as VLAN identifiers and multicast group membership.

GGP Gateway to Gateway Protocol. One of the communications protocols of the Internet Protocol Suite. Used mainly for routing datagrams.

GMRP GARP Multicast Registration Protocol allows bridges and end stations to dynamically register group membership information.

GVRP GARP VLAN Registration Protocol for registering VLAN trunking between multilayer switches.

HMI Human Machine Interface. The device that enables a person to monitor and control a machine. Typically the HMI is a computer.

HTTP HyperText Transfer Protocol.

I2C A multi-master serial single-ended computer bus.

ICMP The Internet Control Message Protocol. One of the communications protocols of the Internet Protocol Suite. Chiefly used to convey error messages.

IDRP Inter-Domain Routing Protocol.

IED A microprocessor-based device that controls power system equipment such as circuit breakers and voltage regulators.

IEEE Institute of Electrical and Electronics Engineers

IGP Interior Gateway Protocols. A set of routing protocols used within a system.

IGMP Internet Group Management Protocol. One of the communications protocols of the Internet Protocol Suite. Used to manage membership in multicast groups.

IKE Internet Key Exchange. The protocol used to set up a Security Association in the IPsec protocol suite.

IP Internet Protocol.


IPCP Internet Protocol Control Protocol. Responsible for configuring, enabling, and disabling the IP protocol modules on both ends of a Point-to-Point link.

IPIP IP in IP encapsulation. One of the communications protocols of the Internet Protocol Suite. Encloses an inner IP header with an outer header for tunneling.

ISO-IP ISO Internetworking Protocol. A network layer protocol in an OSI network.

ITU-T See CCITT.

LAN A computer network covering a small geographic area, like a home, office, or group of buildings. Compare to WAN.

LCP Link Control Protocol. A part of the Point-to-Point Protocol by which communicating devices exchange LCP packets to determine standards of transmission.

LMI Local Management Interface. A signaling standard used between routers and frame relay switches.

LRC Longitudinal Redundancy Check. A method of detecting errors in transmitted data.

LSA Link State Advertisement. An OSPF data structure that describes a portion of an OSPF network.

LSC Last Schema Change.

MAC Media Access Control. A MAC address is a unique identifier attached to most forms of networking equipment.

MD5 Message-Digest algorithm 5. A common cryptographic hash function.

MED Multiple Exit Discriminator. In BGP this value provides guidance as to a preferred entrance point.

MIB Management Information Base. A database used by SNMP to manage devices such as switches and routers in a network.

MLPPP Multi-Link Point-to-Point Protocol. MLPPP enables the bundling of PPP connections to increase effective bandwidth.

Modbus A communications protocol using master/slave architecture. A commonly available means of connecting industrial electronic devices.

MRU Maximum Receive Unit. The maximum size in bytes of the protocol data unit that will be received on an interface.

MSTP Multiple Spanning Tree Protocol. A system for creating regions of switches that share certain configuration attributes.

MTU Maximum Transmission Unit. The maximum size in bytes of the protocol data unit that will be transmitted on an interface.

NAPT See NAT.


NAT Network Address Port Translation. A method of using a single public IP address to provide internet access to multiple private IP addresses.

NetBIOS Network Basic Input/Output System. A service enabling applications on multiple computers to communicate via a LAN.

NNI Network to Network Interface.

NSSA Not So Stubby Area is an OSPF area with a limited ability to import external routes and transmit them to the OSPF backbone.

OID Object IDentifier. In SNMP an OID is a string identifying an object in a MIB.

OSPF Open Shortest Path First. A routing protocol to determine the best path for traffic over a TCP/IP network.

PAP Password Authentication Protocol. An authentication protocol using unencrypted ASCII passwords over a network.

Path Cost A Spanning Tree parameter that measures how close bridges are to one another. It takes into account the bandwidth of the links between bridges.

PEM Privacy Enhanced Mail File format. A standard for secure e-mail on the Internet.

PFS Perfect Forward Secrecy. A property of public key cryptography whereby the compromise of one key does not lead to the compromise of any other keys.

PHY An abbreviation for the physical layer of the OSI model. An instantiation of PHY connects a link layer device (often called a MAC) to a physical medium such as an optical fiber or copper cable.

PoE Power over Ethernet. A technology for delivering power (along with data) to remote devices over the twisted pair cabling of an Ethernet network.

PPP Point-to-Point Protocol. A data link protocol to establish a direct connection between two networking nodes, commonly used for modem dial-up connections.

PVC A point-to-point connection that is established before its first use and maintained regardless of the level of activity.

PVID Port VID. A user configurable parameter that associates a native VLAN with a port. Each port is assigned exactly one PVID. By default, each port is assigned PVID 1.

QoS Quality of Service. Technology and techniques, such as prioritization, to ensure the predictable handling of specified kinds of traffic.

RADIUS Remote Authentication Dial-In User Service. An AAA (authentication, authorization and accounting) protocol using a challenge/response method for authentication.

RC4 A stream cipher commonly used with SSL and in wireless networks.


RED Random Early Detection. An active queue management algorithm for congestion avoidance.

RIB Routing Information Base. A database on a BGP router that accumulates information about routes to reachable destinations.

RIP Routing Information Protocol. An Interior Gateway Protocol (IGP) routing protocol used on internal networks. It determines a route based on the smallest hop count between source and destination. It has a limit of 15 hops.

RS-232 A popular standard for passing serial binary data point-to-point between digital systems. Also known as EIA-232. Compare to RS-485.

RS-485 A standard for passing serial data in point-to-point or multipoint configurations among digital data systems. Also known as EIA-485. Less common but more versatile than RS-232.

RSA Rivest-Shamir-Adleman key. A two-part key. The private key is kept by the owner; the public key is published.

RSTP Rapid Spanning Tree Protocol. RSTP is a protocol that prevents loops in bridged LAN environments. It also provides for fast recovery from link failures. This product supports RSTP as specified in IEEE 802.1D (2004).

RSVP Resource reSerVation Protocol. One of the communications protocols of the Internet Protocol Suite. Used to support Quality of Service (QoS) flows.

RTS/CTS Request to Send/Clear to Send. RS-232 flow control signals sent by transmitting stations (RTS) and receiving stations (CTS).

RTU Remote Terminal Unit. A device that collects data from data acquisition equipment and sends it to the main system over a network.

SA Security Association. In IPSec an SA defines a secure, unidirectional communication channel between two entities.

SADB Security Association Database. An IPSec database containing security information specific to particular connections. Compare to SPD.

SCADA Supervisory Control And Data Acquisition. A process control application that collects data from networked devices.

SFP Small Form-factor Pluggable Transceiver. A full-duplex serial interface converter that converts electrical signals to optical signals to run over fiber.

SHA Secure Hash Algorithm. Cryptographic hash algorithms developed by the National Security Agency. These include SHA-1 and its successor, SHA-2, which encompasses SHA-256 and SHA-384.

SNMP Simple Network Management Protocol. A network monitoring and control protocol.

SNTP Simple Network Time Protocol.

SONET Synchronous Optical Networking. A multiplexing protocol for use over optical fiber.

SPD Security Policies Database. An IPSec database containing security policies general to the device. Compare to SADB.

SPI Security Parameters Index. A value added to the header in IPSec tunneling that identifies a session and its encryption properties.

SPQ Strict Priority Queue. An optional single level strict priority queue implemented on PPP interfaces.

SSH Secure SHell. A network protocol using public key cryptography to provide secure remote login.

SSL Secure Socket Layer. A cryptographic protocol that creates a secure data transfer session over a standard TCP connection.

Station Cache A database maintained by the Ethernet bridge that tracks MAC addresses of stations on the network and the ports associated with them.

Suite B A set of cryptographic algorithms promulgated by the National Security Agency.

Syslog A protocol for sending event messages over an IP network to remote servers called "event message collectors."

T1/E1 T1 is a widely-used T-carrier telecommunications standard capable of transmitting 1.544 Mbits/second. The T1 designation is used in North America. The analogous system outside of North America is called E1.

TACACS Terminal Access Controller Access-Control System. A remote authentication protocol.

TCN Topology Change Notification. In the RSTP protocol, a BPDU sent by a bridge to its root port to signal a topology change.

TCP Transmission Control Protocol.

TLS Transport Layer Security.

TLV Time, Length, and Value descriptions of devices. TLVs are formed, stored, and exchanged by networked devices using LLDP.

TOS Type of Service. An eight-bit field in the IPv4 header available for specifying priority.

UDP User Datagram Protocol. One of the communications protocols of the Internet Protocol Suite. Replaces TCP when a reliable delivery is not required.

URL Uniform Resource Locator.

VID VLAN Identifier.

VLAN Virtual Local Area Network. A logical subgroup within a local area network that is created with software rather than by physically manipulating cables.

VRRP Virtual Router Redundancy Protocol. A protocol for specifying a backup router to be used in case of failure of a master router.

WAN Wide Area Network. A computer network that crosses metropolitan, regional, or national boundaries. Compare to LAN.

WFQ Weighted Fair Queueing. A packet scheduling technique that enables several data flows to use the same link.

WINS Windows Internet Naming Service. A Microsoft service for mapping host names to network addresses.

X.509 An X.509 certificate is a message that contains an entity's credentials. Information such as the entity's name, organization, and contact information is included.

XML eXtensible Markup Language.

XON/XOFF A software flow control protocol in which a receiver sends an XOFF character to a transmitter to signal that it is unable to receive data and an XON character to signal that it is able to receive data.

INDEX

Symbols

10RX
    access 5
    features and benefits 1
    hardware configurations 1
    security provisions 2
    supported protocols 1
3DES 286 to 287, 290 to 291

A

AAA protocols 50
access control list, See ACL
access port, VLAN 86
access switchport mode 77
access-list command 277
ACFC 324
ACL
    applying 281
    configuring 276
    in crypto maps 293
    in IPsec 285
    in QoS 387, 394
    route map as 223
Address 148
Address and Control Field Compression 324
Address Resolution Protocol, See ARP
administrative distance 159, 197, 231
advertisement interval, VRRP 244
AES 286 to 287, 290 to 291
AES-256 286 to 287, 290 to 291
aggregate-address command 196
aggregation of routes
    BGP 196, 220
    OSPF 173 to 174, 184 to 185
    RIP 163
area default-cost command 173
area nssa command 172
area range command 173
area stub command 172
area types 170
ARP 155
arp max-retries command 155
ARP timeout 155
arp timeout command 155
asynchronous, see serial interfaces
authentication
    IPsec 292, 295 to 296
    PPP 320
    RADIUS 50
    TACACS 54
    VRRP 244
authentication command 320
authentication, authorization, and accounting 50
auth-info command 296
auto-summarization of routes 160
auto-summary command 160

B

backbone area 170
BGP
    overview 193
    basic settings in the GUI 210
    communities 200 to 202
    confederations 208
    configuration in the CLI 193 to 210

    configuration in the GUI 210 to 221
    enabling/disabling 193, 210
    filter configuration in the GUI 218
    local preference configuration in the GUI 216
    loopback 206
    MED configuration in the GUI 214
    neighbor configuration in the GUI 212
    resetting a session 195
    route aggregation configuration in the GUI 220
    route map functionality 233
    route reflector 207
bgp always-compare-med command 206
bgp comm-filter command 201
bgp comm-policy command 201
bgp comm-route command 200
bgp confederation identifier command 208
bgp confederation peers command 209
bgp default local-preference command 202
bgp filter-update command 198
bgp local-preference command 203
bgp med command 205
bgp router-id command 194
blocking a user 46
boot server 258
Border Gateway Protocol, see BGP
BPDU 96
bridge roles 96
broadcast-delay-time command 20

C

certificate, RSA 10
change password command 49
channel command 312
channels 312
CHAP authentication 320
chassis ID 130, 140
CIR 348
cir command 348
Class of Service 385
clear counters frame-relay command 350
clear counters fr-pvc command 350
clear ike sa all command 297
clear ike sa id command 298
clear ike sa peer command 298
clear ip bgp command 195
clear ipsec sa all command 298
clear ipsec sa id command 299
clear ipsec sa peer command 298
clear lldp counters command 131
clear lldp table command 131
clear logging buffer command 65
clear logging events command 65
clear serial connection command 378
CLI
    navigation 6
    obtaining help 6
    shorthand 7
clock command 308
clock set command 13
clock source for T1/E1 interface 308
command
    object-group network 278
command line interface, see CLI
commands
    access-list 277
    aggregate-address 196
    area default-cost 173
    area nssa 172
    area range 173
    area stub 172
    arp max-retries 155
    arp timeout 155
    authentication 320
    auth-info 296
    auto-summary 160
    bgp always-compare-med 206
    bgp comm-filter 201
    bgp comm-policy 201
    bgp comm-route 200
    bgp confederation identifier 208
    bgp confederation peers 209

    bgp default local-preference 202
    bgp filter-update 198
    bgp local-preference 203
    bgp med 205
    bgp router-id 194
    change password 49
    channel 312
    cir 348
    clear counters frame-relay 350
    clear counters fr-pvc 350
    clear ike sa all 297
    clear ike sa id 298
    clear ike sa peer 298
    clear ip bgp 195
    clear ipsec sa all 298
    clear ipsec sa id 299
    clear ipsec sa peer 298
    clear lldp counters 131
    clear lldp table 131
    clear logging buffer 65
    clear logging events 65
    clear serial connection 378
    clock 308
    clock set 13
    compression vjc 320
    copy 59, 71
    crypto ike profile 286
    crypto ipsec proposal 290
    crypto map 292
    databits 359
    default-metric 158, 204
    default-router 263
    delay up down 252
    dir 58
    direction 373
    distance
        RIP 159
        route map 231
    distance bgp 197
    distribute-list 229 to 230
    dlci 339
    dns-server 261
    domain-name 261
    dpd 289
    eek error-threshold 345
    eek event-window 344
    eek mode 343
    eek poll-timer 343
    eek response-timer 344
    eek success-events 345
    encryption (IKE phase 1) 287
    erase 58
    excluded-address 260
    finalize software upgrade 73
    flow-ctl 360
    frag-size 348
    frame-relay priority 346
    frame-types 309
    fr-pvc 373
    fw-nat-group 281
    group 288
    hash (IKE phase 1) 287
    hash (IKE phase 2) 291
    host hardware-type 265
    if-standard 358
    ignore-dss 360
    interface 147
    interface (VRRP) 241
    interface frame-relay 335
    interface fr-pvc 338
    interface mlp 329
    interface mlppp 329
    interface ppp 319
    interface serial 362
    interface t1e1 307
    interface tunnel 236
    IP address (PPP) 322
    ip address (PVC) 340
    ip dhcp bootfile 258
    ip dhcp next-server 258
    ip dhcp option 259
    ip dhcp ping packets 258
    ip dhcp pool 257
    ip dhcp server offer-reuse 259

    ip qos mark dscp 394
    ip qos output queue 394
    ip qos output strict-queue 392
    ip qos policy 391
    ip rip default route install 161
    ip rip default route originate 161
    ip rip receive version 162
    ip rip send version 162
    ip rip summary-address 163
    ip route 153
    ip split-horizon 164
    ip ssh version compatibility 12
    layer 325
    layer (frame relay PVC) 339
    layer (frame relay interface) 336
    layer ppp 330
    lcp-echo-interval 320
    lease 264
    lifetime seconds (IKE phase 1) 289
    lifetime seconds (IKE phase 2) 292
    line-build-out 311
    line-codes 310
    lldp 132
    lldp chassis-id-subtype 130
    lldp holdtime-multiplier 128
    lldp notification 132
    lldp notification-interval command 130
    lldp port-id-subtype 134
    lldp reinitialization-delay 129
    lldp tlv-select basic-tlv 133
    lldp tlv-select dot1tlv 134
    lldp tlv-select dot3tlv 135
    lldp transmit-interval 128
    lldp tx-delay 129
    lmi mode 337
    lmi type 337
    local address (TS) 374
    local address (VPN) 294
    local-tcp 375
    logging class 65
    logging event 66
    logging facility 69
    logging server 67
    login block-for 46
    login password-strength 46
    magic-number 324
    match 224, 293
    match dscp 392 to 393
    match dscp, WFQ 392
    max-conn 377
    max-pkt-size 362
    mlppp, interface 329
    mlppp, sent-username 321
    mlppp, username 321
    mlppp, ip address 322
    mode 308
    more 59
    mrru 329
    mtu 77, 323
    nameif 275
    nat 282
    neighbor 194
        with ebgp-multihop argument 207
        with route-reflector-client argument 207
        with update-source argument 206
    netbios-name-server 262
    netbios-node-type 262
    network (DHCP) 260
    network (OSPF) 171
    network (RIP) 157
    no aggregate-address 197
    no bgp always-compare-med 206
    no bgp comm-filter 202
    no bgp comm-policy 201
    no bgp comm-route 201
    no bgp local-preference 204
    no bgp neighbor ebgp-multihop command 207
    no bgp router-id 194
    no bgp update-filter 200
    no bgp default local-preference 203
    no channel 312
    no cir 349

    no confederation identifier 209
    no confederation peers 209
    no default-metric 205
    no dhcp bootfile 258
    no dhcp option 260
    no dhcp server offer-reuse 259
    no direction 373
    no dns-server 261
    no domain-name 261
    no eek error-threshold 345
    no eek event-window 344
    no eek mode 343
    no eek poll-timer 344
    no eek response-timer 344
    no eek success-events 345
    no excluded-address 261
    no frag-size 348
    no frame-relay priority 346
    no fr-pvc 373
    no host hardware-type 265
    no interface frame-relay 336
    no interface fr-pvc 339
    no ip address (PVC) 341
    no ip dhcp 258
    no ip dhcp next-server 258
    no ip dhcp ping packets 259
    no ip qos mark dscp 395
    no ip qos output queue 394
    no ip qos policy 391
    no layer 336, 339
    no lease 264
    no lmi mode 338
    no lmi type 337
    no local address (TS) 375
    no local address (VPN) 294
    no local-tcp 375
    no match 224
    no match dscp 392
    no max-conn 377
    no neighbor 194
    no neighbor route-reflector-client 208
    no netbios-name-server 262
    no netbios-node-type 262
    no network (DHCP) 260
    no network (OSPF) 172
    no network (RIP) 158
    no option (DHCP) 263
    no peer ip address (PVC) 341
    no priority (TS) 374
    no qos cos default 391
    no qos trust 390
    no rate 394
    no redistribute 196
    no remote-address 376
    no remote-tcp 376
    no retry-time 377
    no route-map 224
    no router bgp 194
    no serial-channel 372
    no serial-fr 342
    no serial-port 372
    no session-type 374
    no set (route map values) 227
    no shutdown
        Ethernet port 76
        Frame Relay interface 336
        Frame Relay PVC 340
        PPP 325
        t1e1 channel 313
        t1e1 circuit 311
    no snmp access 31
    no snmp community index 30
    no snmp engineid 32
    no snmp filter 35
    no snmp group 31
    no snmp notify 35
    no snmp targetaddr 33
    no snmp targetparams 34
    no snmp view 32
    no strict-queue 393
    no switchport 76
    no synchronization 210
    no timeslots 309, 312
    no utilization threshold 265

    no weighted-fair-queue 392
    object-group icmp 279
    object-group protocol 280
    object-group service 279
    option (DHCP) 263
    parity 359
    peer address 293
    peer IP address (PVC) 341
    pfs 288
    pkt-char 361
    pkt-time 361
    ports (VLAN) 90
    ppp acfc 324
    ppp comp-slot-id 322
    ppp max-slot-id 322
    ppp mru 323
    ppp pfc 324
    ppp, authentication 320
    ppp, compression 320
    ppp, interface 319
    ppp, ip address 322
    ppp, layer 325
    ppp, sent-username 321
    ppp, shutdown 325
    ppp, username 321
    ppp, lcp-echo-interval 320
    priority (PVC) 346
    priority (TS) 374
    profile (crypto map) 295
    proposal (crypto map) 294
    protocol-analyzer 405
    qos frame-relay output dscp-map 347
    qos output cos-map 389
    qos output dscp-map 389
    qos trust 390
    qos, set (enable and disable) 388
    qos, switchport priority default 391
    radius-server 52
    rate 393
    redist-config 174
    redistribute
        BGP 196
        RIP 158
        route map 229
    reload 73
    remote-address 376
    remote-tcp 376
    retry software upgrade 73
    retry-time 377
    route-map 223
    router bgp 193
    router ospf 171
    router rip 157
    router vrrp 241
    security-level 275
    sent-username 321
    serial-channel 371
    serial-fr serial 341
    serial-port 372
    serial-profile 357, 363
    session-type 373
    set (route map values) 227
    set dhcp server 257
    set firewall 276
    set garp timer 83
    set gvrp 81
    set lldp 127
    set port gvrp 82
    set qos 388
    set snmp 30
    set sntp 14
    set telnet enable 12
    set unicast-mac learning 93
    show clock 13
    show crypto 297
    show frame-relay priority 349
    show ike profile 296
    show ike sa 296
    show interface frame-relay 349
    show interface fr-pvc 349
    show interface serial 363
    show interface t1e1 317

    show ip bgp community filter 202
    show ip bgp community policy 201
    show ip bgp community route 201
    show ip bgp confed info 209
    show ip bgp filters 200
    show ip bgp frl info 208
    show ip bgp info 205
    show ip bgp local-pref 203 to 204
    show ip bgp med 205
    show ip bgp neighbor 195
    show ip dhcp server binding 266
    show ip dhcp server information 265
    show ip dhcp server pools 266
    show ip dhcp server statistics 266
    show ip qos interface 395
    show ipsec proposal 297
    show ipsec sa 296
    show lldp 136
    show lldp errors 137
    show lldp interface 136
    show lldp local 137
    show lldp neighbors 136
    show lldp statistics 137
    show lldp traffic 136
    show logging events 64
    show logging facility 69
    show logging server 69
    show qos frame-relay output dscp-map 349
    show radius server 52
    show serial-channel 378
    show serial-connection 378
    show serial-profile 363
    show sntp broadcast-mode status 22
    show sntp multicast-mode status 22
    show sntp status 22
    show sntp unicast-mode status 22
    show software upgrade 72 to 73
    show system information 72
    show tacacs 56
    show upgrade information 70
    show users 45
    show vlan id 88
    shutdown
        Ethernet port 76
        Frame Relay interface 336
        Frame Relay PVC 340
        PPP 325
        t1e1 channel 313
        t1e1 circuit 311
    snmp access 31
    snmp community index 30
    snmp engineid 31
    snmp filter 35
    snmp group 30
    snmp notify 34
    snmp targetparams 33
    snmp targetaddr 32
    snmp trap 35
    snmp user 34
    snmp view 32
    sntp broadcast-delay-time 20
    sntp broadcast-mode send-request 19
    sntp broadcast-poll-timeout 20
    sntp client addressing mode 14
    sntp client authentication key 17
    sntp client clock-format 15
    sntp client clock-summer-time 16
    sntp client port 15
    sntp client time-zone 16
    sntp client version 14
    sntp multicast-delay-time 21
    sntp multicast-group-address 22
    sntp multicast-mode send-request 21
    sntp multicast-poll-timeout 21
    sntp unicast server 18
    sntp unicast-max-poll-retry 19
    sntp unicast-max-poll-timeout 19
    sntp unicast-poll-interval 18
    sntp unicast-server auto-discovery 18
    spanning tree 100
    spanning tree auto-edge 106
    spanning tree bpdu-receive 107
    spanning tree bpdu-transmit 108
    spanning tree compatibility 101

    spanning tree interface properties 104
    spanning tree loop-guard 106
    spanning tree mode 100
    spanning tree mst configuration 109
    spanning tree mst max-hops 108
    spanning tree mst max-instance 110
    spanning tree name 109
    spanning tree pathcost dynamic 101
    spanning tree priority 103
    spanning tree restricted-role 106
    spanning tree restricted-tcn 107
    spanning tree revision 110
    spanning tree root-guard 106
    spanning tree timers 102
    spanning tree topology change guard 107
    spanning tree transmit hold count 103
    speed 358
    stopbits 359
    storm control 78
    strict-queue 392
    summary-address 174
    switchport acceptable-frame type 87
    switchport access vlan 86
    switchport mode 76
    switchport priority default 391
    synchronization 209
    tacacs-server 56
    timeslot-bandwidth 309
    timeslots 312
        T1/E1 channel 312
        T1/E1 circuit 309
    track interface ip-routing 251
    track interface line-protocol 251
    track ip route reachability 252
    track timer interface 250
    track timer ip route 250
    tunnel checksum 236
    tunnel hop-limit 237
    tunnel mode 236
    tunnel path-mtu-discovery 237
    user 46
    username 321
    utilization threshold 264
    validate-update-source 161
    version 163
    vlan 89
    vlan active 92
    vlan learning mode 89
    vrrp vrid ipv4 242
    vrrp vrid preempt 243
    vrrp vrid priority 242
    vrrp vrid text-authentication 244
    vrrp vrid timer 244
    vrrp vrid track 245
    weighted-fair-queue 391
Committed Information Rate, see CIR
communities, BGP 200
community filters 201
community policies 201
compression 324
    acfc 324
    ppp comp-slot-id 322
    ppp max-slot-id with 322
compression vjc command 320
confederations, BGP 208
configuration
    defaults 9
    files 60
configuration mode
    config-channel 312
    config-crypto-map 292
    config-fr 335
    config-fr-pvc 338
    config-fw-nat-fw# 281
    config-icmp-type 279
    config-if 75, 132, 161, 236, 390
    config-mlppp 329
    config-mst 109
    config-network 278
    config-ppp 319, 394
    config-protocol 280
    config-qos-policy 391

    config-qos-policy-spq 392
    config-qos-policy-wfq 391
    config-rmap 223
    config-router 157, 171, 193
    config-service 279
    config-sp 357
    config-t1e1 307
    config-track 251
    config-ts 371
    config-vlan 86
    config-vrrp 241
    config-vrrp-if 241
    dhcp-config 257
connecting to the 10RX 5
contacting GarrettCom xxii
conventions used in this manual xxi
copy command 59, 71
CoS 385
CoS queue map configuration 398
crypto ike profile command 286
crypto map command 292
crypto map configuration mode 292
crypto maps 292

D

data link connection identifier, see DLCI
database
    VLAN 88, 90
databits command 359
date, system 13
DCE lmi mode 337
DCSP 385
dead peer detection, See DPD
default
    administrative distance values 160
    configuration 9
    DHCP router 263
    event severity 62
    local preference (BGP) 202
    metric (BGP) 204
    metric (RIP redistribution) 158
    password 5
    RIP route 161
    username 5
default cost 173
default-metric command 158, 204
default-router command 263
delay up down command 252
DES 286 to 287, 290 to 291
DH groups 286, 288
DHCP
    overview 257
    configuring in the CLI 257 to 265
    configuring in the GUI 266 to 273
    displaying information 265, 272
    enabling and disabling 257, 267
    options 259, 263, 268, 270 to 271
Differentiated Services Code Point, see DSCP
Diffie-Hellman, See DH
dir command 58
direction command 373
distance bgp command 197
distance command
    RIP 159
    route map 231
distance, administrative 159, 197, 231
distribute-list command 229 to 230
DLCI 338 to 339
dlci command 339
DLF 78
DNS 261
dns-server command 261
domain-name command 261
dot1 TLV 134
dot3 TLV 135
DPD 285 to 286, 289
dpd command 289
DS1, see T1/E1
DSCP 347, 374, 387 to 388, 392, 394
DSCP queue map configuration 400
DTE lmi mode 337
Dynamic Host Configuration Protocol, see DHCP

E

E1, see T1/E1
eBGP 193, 207
edge ports 97
EEK configuration 342, 352
eek error-threshold command 345
eek event-window command 344
eek mode command 343
eek poll-timer command 343
eek response-timer command 344
eek success-events command 345
enabling SSL in the GUI 10
encapsulation 341
encryption command, IKE phase 1 287
encryption standards 286 to 287, 290 to 291
End-to-End Keepalive, see EEK
erase command 58
Ethernet
    enabling ports 76
    interfaces 75
    port type 76
    settings in the GUI 78
events
    attributes 61
    clearing 65
    configuring 66
    defaults 62
    logging targets 63
    management 61 to 69
    notifications 61
    severity 63
excluded-address command 260
expedited forwarding 385, 387

F

facility codes 68
features and benefits of 10RX 1
file system management 58
filtering
    BGP community 201
    routes, BGP 198, 218
    SNMPv3 notifications 28
    VLAN 88
    with route maps 228 to 231
    see also, ACL
finalize software upgrade command 73
firewall
    overview 275
    configuration in the CLI 275 to 281
    enabling and disabling 276
flow-ctl command 360
forward delay 98 to 99, 102
fragmentation 347
frag-size command 348
Frame Relay
    overview 335
    clearing counters 350
    configuration in the CLI 335 to 349
    configuration in the GUI 351 to 355
    displaying information 349
    EEK configuration 342, 352
    enabling and disabling a PVC 340, 353
    enabling and disabling an interface 336, 351
    LMI configuration 337, 352
    PVC configuration 338, 353
    queueing configuration 345
frame types for T1/E1 309
frame-relay priority command 346
frames, VLAN types 87
frame-types command 309
fr-pvc command 373
fw-nat-group command 281

G

GARP 81
GARP timer configuration in the GUI 85
GARP VLAN Registration Protocol, see GVRP
GarrettCom website xxi
GbE, auto media 75
Generic Routing Encapsulation, see GRE

Gigabit Ethernet 75
GRE
    overview 235
    configuration in the CLI 235 to 237
    configuration in the GUI 238
group command 288
GUI
    BGP Basic Settings 210
    BGP Filter Configuration 218
    BGP Local Preference Configuration 216
    BGP MED Configuration 214
    BGP Neighbor Configuration 212
    BGP Route Aggregation Configuration 220
    CoS Queue Map Configuration 398
    Crypto Map Basic Settings 302
    DHCP Basic Settings 267
    DHCP Global Options 268
    DHCP Host Option Settings 271
    DHCP Pool Option Settings 270
    DHCP Pool Settings 269
    DHCP Server Binding 272
    DHCP Server IP Exclude Settings 272
    DSCP Queue Map 400
    dynamic VLAN global configuration 81
    dynamic VLAN port configuration 82
    Frame Relay DSCP Priority Mapping 402
    Frame Relay Encapsulation 355
    Frame Relay End-to-End Keepalive 352
    Frame Relay Interface Configuration 351
    Frame Relay Priority Weights 403
    Frame Relay PVCs 353
    Frame Relay QoS 401
    GARP timer configuration 85
    IKE Profile Basic Settings 299
    IKE Security Association 303
    IP address configuration 148
    IPsec ACL Settings 305
    IPsec Proposal Basic Settings 301
    IPsec Security Association 304
    LLDP Basic Settings 139
    LLDP Basic TLV Settings 143
    LLDP DOT1 TLV Settings 144
    LLDP DOT3 TLV Settings 146
    LLDP Global Configurations 138
    LLDP Interface Settings 141
    LLDP Neighbor Information 142
    loopback interface configuration 151
    MSTP configuration 110 to 119
    Multilink Point-to-Point Protocol Interface Stacking 332
    Multilink Point-to-Point Protocol Interfaces 331
    Multilink Point-to-Point Protocol Options 333
    Object Track Timer 253
    Object Tracking Configuration 254
    OSPF Area Aggregation 184
    OSPF Area Configuration 178
    OSPF AS External Aggregation 185
    OSPF Basic Settings 176
    OSPF configuration 175
    OSPF global configuration 176
    OSPF Interface Configuration 179
    OSPF Neighbor Configuration 182
    OSPF RRD Route Configuration 183
    OSPF Virtual Interface Configuration 181
    Point-to-Point Protocol Interfaces 326
    Port Basic Settings 78
    PPP Options 327
    QoS Global Configuration 396
    QoS Port Settings 397
    RADIUS server configuration 53
    reboot 74
    RIP configuration 164
    RSTP configuration 119 to 126
    Serial Port Configuration 366
    Serial Profile Configuration 364
    SNMP Agent Control Settings 36
    SNMP Community Settings 36
    SNMP Filter Settings 44
    SNMP Group Settings 37
    SNMP Security Settings 42
    SNMP Target Address Settings 40
    SNMP Target Parameter Settings 41
    SNMP Trap Settings 43
    SNMP View Tree Settings 39

    SNTP Broadcast Configuration 24
    SNTP Client Configuration 22
    SNTP Unicast Table 23
    SSH Global Settings 12
    SSL Digital Certificate 10
    SSL Global Settings 10
    static routing configuration 154
    static VLAN configuration 92
    System Information 73
    T1/E1 Channel Settings 316
    T1/E1 Port Configuration 313
    TACACS server configuration 57
    Terminal Server Channel Status 382
    Terminal Server Configuration 379
    Terminal Server Connections 381
    VLAN interface configuration 149
    VLAN port settings 86 to 87
    VRRP Basic Settings 245
    VRRP Settings 246
GUI SNMP Group Access Settings 38
GVRP 81
GVRP configuration in the GUI 81 to 82, 85

H

hardware configurations 1
hash algorithms 286 to 287, 290 to 291
hash command
    IKE phase 1 287
    IKE phase 2 291
hello time 98 to 99, 102
help output in the CLI 6
holdtime multiplier, LLDP 128
hop metric 155, 158
host hardware-type command 265
HTTP, Non-SSL 12
hybrid switchport mode 77

I

iBGP 193, 209
ICMP, enabling echo 258
if-standard command 358
ignore-dss command 360
IGP 209
IKE
    encryption type, phase 1 287
    encryption type, phase 2 291
    lifetime 286
    profile 286
    profile table 286
ike proposal configuration mode 286
inactivity time 48
ingress filtering 88
INOS
    system files 58
    upgrade 70
interface command 147
interface command (vrrp) 241
interface frame-relay command 335
interface fr-pvc command 338
interface ip-routing 251
interface line-protocol 251
interface mlp command 329
interface mlppp command 329
interface ppp command 319
interface serial command 362
interface t1e1 command 307
interface tracking interval 250
interface tunnel command 236
interfaces
    configuring IP addresses 147
    gigabitethernet 75
    internet 75
    loopback 151
    management 9
    OSPF 179
    specifying 147
    T1/E1 307

Internet Control Message Protocol, see ICMP
IP address
    and VLANs 89
    configuring on an interface 147
    IPsec local 294
    IPsec peer 293
    lease 264
    PPP 322
    PVC 340
    terminal server local 374
    VRRP 242
ip address command
    PPP 322
    PVC 340
IP address configuration in the GUI 148
ip dhcp bootfile command 258
ip dhcp next-server command 258
ip dhcp option command 259
ip dhcp ping packets command 258
ip dhcp pool command 257
ip dhcp server offer-reuse command 259
IP encapsulation 340
ip qos mark dscp command 394
ip qos output queue command 394
ip qos output strict-queue command 392
ip qos policy command 391
ip rip default route install command 161
ip rip default route originate command 161
ip rip receive version command 162
ip rip send version command 162
ip rip summary-address command 163
ip route command 153
ip route reachability command 252
IP route tracking interval 250
ip split-horizon command 164
ip ssh version compatibility command 12
IP-FR/FR-IP 342
IP-route reachability 249, 252
IP-routing state 249
IPsec authentication 292, 295 to 296
IPsec proposal 290
ipsec proposal command 290
IPsec proposal configuration mode 290
IPsec VPN
    overview 285
    configuring in the CLI 286 to 299
    configuring in the GUI 299 to 306

K

keepalive 320
key
    IKE 285
    RADIUS 52
    RSA 10
    SNTP 17
    TACACS 56

L

layer command 325
layer command (frame relay interface) 336
layer command (frame relay PVC) 339
layer ppp command 330
lcp-echo-interval command 320
learned routes 183
lease command 264
lease, IP address 264
lifetime 286, 289 to 290, 292
lifetime seconds command, IKE phase 1 289
lifetime seconds command, IKE phase 2 292
limiting traffic with storm control 78
line codes for T1/E1 310
line-build-out command 311
line-codes command 310
line-protocol state 249
link control protocol interval 320
Link Layer Discovery Protocol, see LLDP
LLDP
    overview 127
    configuration in the CLI 127 to 135
    configuration in the GUI 138 to 146
    displaying information 135, 142
    enabling and disabling globally 127, 138

    enabling and disabling on an interface 132, 141
lldp chassis-id-subtype command 130
lldp command 132
LLDP configuration in the CLI 127 to 135
lldp holdtime-multiplier command 128
lldp notification command 132
lldp notification-interval command 130
lldp port-id-subtype 134
lldp reinitialization-delay command 129
lldp tlv-select basic-tlv command 133
lldp tlv-select dot1tlv 134
lldp tlv-select dot3tlv 135
lldp transmit-interval command 128
lldp tx-delay command 129
LMI configuration 337, 352
lmi mode command 337
lmi type command 337
local address command (TS) 374
local address command (VPN) 294
Local Management Interface, see LMI
local preference
    BGP 203, 216
    BGP default 202
local-tcp command 375
logging class 65
logging class command 65
logging event 66
logging event command 66
logging facility command 69
logging server command 67
logging targets 63
login block-for command 46
login configuration 45
login password-strength command 46
loop detection 324
loop guard 106, 115, 125
loopback
    BGP endpoint 206
    interface configuration in the CLI 151
    interface configuration in the GUI 151

M

magic numbers 324
magic-number command 324
management interfaces 9
match command 224, 293
match dscp (wfq) command 392
match dscp command 392 to 393
max-conn command 377
maximum age 98 to 99, 102
Maximum Received Unit 323
Maximum Reconstructed Received Unit 329
Maximum Transmission Unit 323
max-pkt-size command 362
MED 204 to 206, 214
metric 155, 173, 183, 204
metrics 174
MLPPP
    overview 319
    configuring in the CLI 329 to 330
    configuring in the GUI 330 to 334
mode
    eek 343
    T1/E1 transmission 308
    terminal server 370
mode command 308
monitoring with the Protocol Analyzer 405
more command 59
MRRU 329
mrru command 329
MRU 323
mst configuration mode 109
MSTP 99
    region 99
    revision 99
MSTP configuration in the GUI 110 to 119
MTU 77, 323
mtu command 77
Multi-Exit Discriminator, see MED
Multilink Point-to-Point Protocol, see MLPPP

N
nameif command 275
nat command 282
NAT configuration in the CLI 281 to 283
navigating the CLI 6
neighbor
    BGP 194, 212
    BGP status, showing 195
    LLDP 127, 142
    OSPF 170, 181 to 182
neighbor command 194
    with ebgp-multihop argument 207
    with route-reflector-client argument 207
    with update-source argument 206
NetBIOS 262
netbios-name-server command 262
netbios-node-type command 262
Network Address Translation, see NAT
Network Basic Input/Output System, see NetBIOS
network command
    DHCP 260
    OSPF 171
    RIP 157
network object groups 278 to 279
no aggregate-address command 197
no bgp always-compare-med command 206
no bgp comm-filter command 202
no bgp comm-policy command 201
no bgp comm-route command 201
no bgp default local-preference command 203
no bgp local-preference command 204
no bgp router-id command 194
no bgp update-filter command 200
no channel command 312
no cir command 349
no confederation identifier command 209
no confederation peers command 209
no default-metric command 205
no dhcp bootfile command 258
no dhcp offer-reuse command 259
no dhcp option command 260
no direction command 373
no dns-server command 261
no domain-name command 261
no eek error-threshold command 345
no eek event-window command 344
no eek mode command 343
no eek poll-timer command 344
no eek response-timer command 344
no eek success-events command 345
no excluded-address command 261
no frag-size command 348
no frame-relay priority command 346
no fr-pvc command 373
no host hardware-type command 265
no interface frame-relay command 336
no interface fr-pvc command 339
no ip address command (PVC) 341
no ip dhcp command 258
no ip dhcp next-server command 258
no ip dhcp ping pac 259
no ip qos mark dscp command 395
no ip qos output queue command 394
no ip qos policy command 391
no layer command 336, 339
no lease command 264
no lmi mode command 338
no lmi type command 337
no local address command (TS) 375
no local address command (VPN) 294
no local-tcp command 375
no match command 224
no match dscp command 392
no max-conn command 377
no neighbor command 194
no neighbor ebgp-multihop command 207
no neighbor route-reflector-client command 208
no netbios-name-server command 262
no netbios-node-type command 262
no network command
    DHCP 260
    OSPF 172
    RIP 158

no option command (DHCP) 263
no peer ip address command (PVC) 341
no priority command (TS) 374
no qos cos default command 391
no qos trust command 390
no rate command 394
no redistribute command 196
no remote-address command 376
no remote-tcp command 376
no retry-time command 377
no route-map command 224
no router bgp command 194
no serial-channel command 372
no serial-fr command 342
no serial-port command 372
no session-type command 374
no set (route map values) commands 227
no shutdown command
    Ethernet port 76
    Frame Relay interface 336
    Frame Relay PVC 340
    PPP 325
    t1e1 channel 313
    t1e1 circuit 311
no snmp access command 31
no snmp community index command 30
no snmp engineid command 32
no snmp filter command 35
no snmp group command 31
no snmp notify command 35
no snmp targetaddr command 33
no snmp targetparams command 34
no snmp view command 32
no strict-queue command 393
no switchport command 76
no synchronization command 210
no timeslots command 309, 312
no utilization threshold command 265
no weighted-fair-queue command 392
notifications, SNMP 27
not-so-stubby-area 171 to 172
nssa 171 to 172

O
object tracking
    overview 249
    configuring in the CLI 250 to 253
    configuring in the GUI 253 to 255
    trackable states and conditions 249
object tracking in VRRP 245
object-group icmp command 279
object-group network command 278
object-group protocol command 280
object-group service command 279
objects and object groups 278 to 280
Open Shortest Path First, see OSPF
option command (DHCP) 263
OSPF
    overview 169
    configuration in the CLI 171 to 175
    configuration in the GUI 175 to 186
    enabling and disabling 176
    enabling globally 171
    example 186 to 192
    route map functionality 232
output queues 387

P
PAP authentication 320
parity command 359
password
    changing 49
    strength 46
password expiration interval 48
peer address command 293
peer ip address command (PVC) 341
perfect forward secrecy, See PFS
permanent virtual circuits, see PVC
PFC 324
PFS 286, 288

pfs command 288
pkt-char command 361
pkt-time command 361
pmtu command 323
point ports 97
Point-to-Point Protocol, see PPP
point-to-point-links 97
policer 385
policies, BGP community 201
port roles 97
port subtype 134
portfast 104
ports 104
    Ethernet 76
    link type 104
    pathcost 104
    RSTP 98
    T1/E1 307, 313
    type router 76
    type switchport 76
    VLAN config command 90
ports (VLAN) command 90
PPP
    overview 319
    configuring in the CLI 319 to 325
    configuring in the GUI 325 to 328
    enable/disable interface 325
    output queues 387
    physical port 325
    strict queueing 392
ppp acfc command 324
ppp comp-slot-id command 322
ppp max-slot-id command 322
ppp mru command 323
ppp pfc command 324
preemption, VRRP 243
pre-shared key 296
priority
    Frame Relay 345
    PVC default 346
    RSTP 99, 103
    spanning tree port 104
    terminal server channel 374
    VRRP 242
priority command
    PVC 346
    TS 374
priority tagged frames 87
privilege level 48
profile command, crypto map 295
proposal command, crypto map 294
proposal, IPsec 290
Protocol Analyzer
    overview 405
    configuring 405 to 407
    starting and stopping 405
protocol field compression, See PFC
protocol object groups 280
protocol-analyzer command 405
protocols supported 1
psk 296
PVC 338, 353
PVID 87

Q
QoS
    overview 385 to 388
    configuring in the CLI 388 to 396
    configuring in the GUI 396 to 404
    displaying information 395
    enabling and disabling 388, 396
    global configuration in the GUI 396
    port settings in the GUI 397
qos frame-relay output dscp-map command 347
qos output cos-map command 389
qos output dscp-map command 389
qos trust command 390
qos trust mode 390
qos, switchport priority default command 391
Quality of Service, see QoS
queueing configuration, Frame Relay 345
queueing policy configuration 391 to 395

R
RADIUS 50
RADIUS server configuration in the GUI 53
radius-server command 52
Rapid Spanning Tree Protocol, see RSTP
rate command 393
reachability 252
reboot 74
rebooting in the GUI 74
redist-config command 174
redistribute command
    BGP 196
    RIP 158
    route map 229
redistribution 158, 196
region name 109
region revision 110
region, MSTP 99
reload 73
reload command 73
remote-address command 376
remote-tcp command 376
resetting a BGP session 195
restart 73
retry software upgrade command 73
retry-time command 377
revision, MSTP 99
RFC1583 compatibility 176
RIP
    overview 157
    configuration in the CLI 157 to 164
    configuration in the GUI 164 to 167
    enabling and disabling 157
    route map functionality 231
RJ45 75
Roles 97
roles
    bridge 96
    port 97
route configuration in OSPF 183
route maps
    overview 223
    and routing protocols 231 to 233
    applying 228 to 231
    configuring 223 to 228
    displaying information 234
route redistribution
    BGP 196
    RIP 158
route reflector 207
route summarization, OSPF 173 to 174, 184 to 185
route-map command 223
router bgp command 193
router ospf command 171
router rip command 157
router vrrp command 241
Routing Information Protocol, see RIP
rs232 358
rs485-2wire 358
rs485-4wire 358
RSA key and certificate 10
RSTP 95
    overview 95 to 99
    bridge roles 96
    forward delay 98 to 99, 102
    hello time 98 to 99, 102
    maximum age 98 to 99, 102
    port roles 97
    port states 98
    priority 99
RSTP configuration in the CLI 100 to 110
RSTP configuration in the GUI 119 to 126
running-config 60

S
SCADA 341, 346, 348
Secure Shell Server, see SSH
Secure Sockets Layer, see SSL
secure web server 9
security provisions 2

security-level command 275
sent-username command 321
serial encapsulation 341
serial interfaces
    overview 357
    configuring in the CLI 362
    configuring in the GUI 366
    configuring profiles in the GUI 364
    configuring serial profiles in the CLI 357 to 362
    displaying information 363
    speed 358
serial-channel command 371
serial-fr serial command 341
serial-port command 372
serial-profile command 357, 363
service object groups 279
session-type command 373
set (route map values) commands 227
set dhcp server command 257
set firewall command 276
set garp timer command 83
set gvrp command 81
set lldp command 127
set port gvrp command 82
set qos command 388
set snmp command 30
set sntp command 14
set telnet enable command 12
set unicast-mac learning command 93
SFP 75
shortcuts in the CLI 7
show clock command 13
show crypto command 297
show frame-relay priority command 349
show ike profile command 296
show ike sa command 296
show interface frame-relay command 349
show interface fr-pvc command 349
show interface serial command 363
show interface t1e1 command 317
show ip bgp community filter command 202
show ip bgp community policy command 201
show ip bgp community route command 201
show ip bgp confed info command 209
show ip bgp filters command 200
show ip bgp info command 205
show ip bgp local-pref command 203 to 204
show ip bgp med command 205
show ip bgp neighbor command 195
show ip bgp rfl info command 208
show ip dhcp server binding command 266
show ip dhcp server information command 265
show ip dhcp server pools command 266
show ip dhcp server statistics command 266
show ip qos interface command 395
show ipsec proposal command 297
show ipsec sa command 296
show lldp command 136
show lldp errors command 137
show lldp interface command 136
show lldp local command 137
show lldp neighbors command 136
show lldp statistics command 137
show lldp traffic command 136
show logging events command 64
show logging facility command 69
show logging server command 69
show qos frame-relay output dscp-map command 349
show radius server command 52
show serial-channel command 378
show serial-connection command 378
show serial-profile command 363
show sntp broadcast-mode status command 22
show sntp multicast-mode status command 22
show sntp status command 22
show sntp unicast-mode status command 22
show software upgrade command 72 to 73
show system information command 72
show tacacs command 56
show upgrade information command 70
show users command 45
show vlan id command 88
shutdown command
    Ethernet port 76

    Frame Relay interface 336
    Frame relay PVC 340
    PPP 325
    t1e1 channel 313
    t1e1 circuit 311
signal compensation for T1/E1 311
Simple Network Management Protocol, see SNMP
SNMP
    overview 24
    access 25, 29, 31, 38
    communities 30, 36
    configuration in the CLI 30 to 35
    configuration in the GUI 36 to 44
    enabling and disabling 30, 36
    filters 28, 35, 44
    groups 30, 37
    notifications 27, 34
    traps 29, 35, 43
    v2 configuration examples 28 to 29
    v3 configuration examples 25 to 28
    views 26, 32, 39
snmp access command 31
snmp community index command 30
snmp engineid command 31
snmp filter command 35
snmp group command 30
snmp notify command 34
snmp targetaddr command 32
snmp targetparams command 33
snmp trap command 35
snmp user command 34
snmp view command 32
SNTP
    configuration in the CLI 13 to 22
    configuration in the GUI 22 to 24
sntp broadcast-mode send-request command 19
sntp broadcast-poll-timeout command 20
sntp client addressing mode command 14
sntp client authentication key command 17
sntp client clock-format command 15
sntp client clock-summer-time command 16
sntp client port command 15
sntp client time-zone command 16
sntp client version command 14
sntp multicast-delay-time command 21
sntp multicast-group-address command 22
sntp multicast-mode send-request command 21
sntp multicast-poll-timeout command 21
sntp unicast server command 18
sntp unicast-max-poll-retry command 19
sntp unicast-max-poll-timeout command 19
sntp unicast-poll-interval command 18
sntp unicast-server auto-discovery command 18
software upgrade 70
spanning tree auto-edge command 106
spanning tree bpdu-receive command 107
spanning tree bpdu-transmit command 108
spanning tree command 100
spanning tree compatibility command 101
spanning tree interface properties command 104
spanning tree loop-guard 106
spanning tree mode command 100
spanning tree mst configuration command 109
spanning tree mst max-hops command 108
spanning tree mst max-instance command 110
spanning tree name command 109
spanning tree pathcost dynamic command 101
spanning tree priority command 103
Spanning Tree Protocol, see RSTP
spanning tree restricted-role command 106
spanning tree restricted-tcn command 107
spanning tree revision command 110
spanning tree root-guard command 106
spanning tree timers commands 102
spanning tree topology change guard command 107
spanning tree transmit hold count command 103
speed command 358
split horizon 164
SPQ 385, 387
    policer 385
SSH 11
    SSHv1 compatibility 12

    SSHv2 12
SSH configuration in the GUI 12
ssh version compatibility command 12
SSL 10
SSL certificate generation in the GUI 10
startup-config 60
static routes 153
static routing configuration in the GUI 154
static VLAN 90
static VLAN configuration in the GUI 92
stopbits command 359
storm control 78
storm control command 78
STP, see RSTP
Strict Priority Queue 385
strict-queue command 392
stub area 171 to 172
summarization 173 to 174
summary-address command 174
switchport acceptable-frame type command 87
switchport access vlan command 86
switchport mode command 76
switchport priority default command 391
synchronization command 209
synchronization, iBGP with IGP 209
syntax conventions xxi
Syslog
    configuring server 67
    facility codes 68
    priority values 67
system date 13
system information in the GUI 73
system time 13

T
T1/E1
    overview 307
    configuration in the CLI 307 to 313
    configuration in the GUI 313 to 316
    displaying information 317
    enabling and disabling a channel 313
    enabling and disabling an interface 311
TACACS 54
TACACS server configuration in the GUI 57
tacacs-server command 56
tagged frames 87
tcn 107
Telnet server 12
Telnet terminal server connection 371
Terminal Server
    overview 369
    configuration in the CLI 371 to 378
    configuration in the GUI 379 to 384
    display information 378
    modes 370
terminal server frame relay extension 342
Time to Live, see TTL
time, system 13
timeout 155
timer
    GARP 83
    PPP 320
    spanning tree 102, 112, 121
    VRRP 244
timeslot bandwidth command 309
timeslots 309, 312
timeslots command 312
    T1/E1 channel 312
    T1/E1 circuit 309
TLV 127, 133 to 135
Tools 2
topologies 2
topology change notification 107
track interface ip-routing command 251
track interface line-protocol 251
track timer interface command 250
track timer ip route command 250
trackable states and conditions 249
traffic descriptor, see ACL
transit area 181
transmission interval, LLDP 128
traps, SNMPV2c 29
trunk switchport mode 77

trunking 81
trust mode, QoS 390
tunnel
    GRE configuration 235
    interface configuration 147
    IPsec VPN configuration 285
tunnel checksum command 236
tunnel hop-limit command 237
tunnel mode command 236
tunnel path-mtu-discovery command 237

U
unicast time and date synchronization 18
untagged frames 87
upgrading software 70
user
    adding 47
    blocking and releasing 47
    deleting 47
    inactivity time 48
    password expiration interval 48
    privilege level 48
user command 46
user management 44 to 50
username command 321
utilization threshold command 264

V
validate-update-source command 161
Van Jacobson compression 320
version command 163
views, SNMP 26
Virtual Router Redundancy Protocol, see VRRP
vjc 320
VLAN
    database 88, 90
    learning mode 89
vlan active command 92
vlan command 89
VLAN interface configuration in the GUI 149
vlan learning mode command 89
VLAN port configuration in the GUI 86 to 87
VLANs 81 to 93
VoIP 346
VPN, see IPsec VPN
VRRP
    overview 241
    configuration in the CLI 241 to 245
    configuration in the GUI 245 to 247
    enable/disable 241, 245
vrrp vrid ipv4 command 242
vrrp vrid preempt command 243
vrrp vrid priority command 242
vrrp vrid text-authentication command 244
vrrp vrid timer command 244
vrrp vrid track command 245

W
WAN, see T1/E1
web access to INOS manuals xxi
weighted fair queue, See WFQ
weighted-fair-queue command 391
WFQ 385, 388, 391
Windows Internet Name Service, see WINS
WINS 262

