INDUSTRIAL NETWORK OPERATING SYSTEM
SECURE MANAGEMENT FOR BELDEN INDUSTRIAL ROUTERS
INOS VERSION 2.1.0
Administrator’s Guide
Notices
This guide describes how to set up and use the INOS software.
If you need further information or data sheets on GarrettCom-branded Belden Industrial routers, refer to the GarrettCom web links at:
http://www.garrettcom.com/routers.htm
Any feedback or comments can be sent to the GarrettCom address shown below.
GarrettCom Inc.
47823 Westinghouse Drive
Fremont, CA 94539-7437
Phone (510) 438-9071 • Fax (510) 438-9072
Email – Tech support – [email protected]
Email – Sales – [email protected]
WWW – http://www.garrettcom.com/
Trademarks
Belden Inc. reserves the right to change specifications, performance characteristics and/or model offerings without notice. Belden, GarrettCom, Magnum, 10RX, Industrial Network Operating System and INOS are trademarks of Belden, Inc.
All other trademarks mentioned in this document are the property of their respective owners.
Industrial Network Operating System Administrator’s Guide
Rights
Except as set forth in the Software License Agreement, GarrettCom makes no representation that software programs and practices described herein will not infringe on existing or future patent rights, copyrights, trademarks, trade secrets or other proprietary rights of third parties and GarrettCom makes no warranties of any kind, either express or implied, and expressly disclaims any such warranties, including but not limited to any implied warranties of merchantability or fitness for a particular purpose and any warranties of non-infringement.
The descriptions contained herein do not imply the granting of licenses to make, use, sell, license or otherwise transfer GarrettCom products described herein. GarrettCom disclaims responsibility for errors which may appear in this document, and it reserves the right, in its sole discretion and without notice, to make substitutions and modifications in the products and practices described in this document.
INOS software is implemented using source code covered under the GNU General Public License, the GNU Lesser General Public License, and various BSD-style licenses. For complete information regarding these software licenses, please refer to the GarrettCom website.
Copyright
Copyright 2013 by GarrettCom. Printed in the US. All rights reserved.
This manual may not be reproduced or disclosed in whole or in part by any means without the written consent of Belden, Inc.
This document has been prepared to assist users of equipment manufactured by GarrettCom, and changes are made periodically to the information in this manual. Such changes are reflected in updates or are published in Software Release Notes. If you have recently upgraded your software, carefully note those areas where new commands or procedures have been added. The material contained in this manual is supplied without any warranty of any kind. GarrettCom therefore assumes no responsibility and shall incur no liability arising from the supplying or use of this document or the material contained in it.
Copyright 2013 GarrettCom, Inc. All rights reserved.
Printed in the United States of America.
Part Number: 84-03001Z
Revision History
Release Date     Document Revision   Software Release   Change Note
January 2013     A                   2.0                New product release
March 2013       B                   2.0.2              General expansion of CLI documentation
September 2013   C                   2.1.0              New software features
TABLE OF CONTENTS
Preface
  About This Manual ..... xix
  Conventions ..... xxi
  Web Access ..... xxi
  Your Comments ..... xxii
CHAPTER 1: OVERVIEW
1.1 Features and Benefits ..... 1
  1.1.1 GarrettCom Hardened ..... 1
  1.1.2 Hardware Configuration ..... 1
  1.1.3 Multiprotocol Support ..... 1
  1.1.4 Security ..... 2
  1.1.5 Management Tools ..... 2
1.2 Applications/Topologies ..... 2
  1.2.1 Standalone Local Communications Platform ..... 2
  1.2.2 Remote Network Concentration ..... 3
  1.2.3 Distributed Local Network using Ethernet ..... 3
CHAPTER 2: GETTING STARTED
2.1 Defaults ..... 5
2.2 10RX access ..... 5
  2.2.1 Connecting by Console ..... 5
  2.2.2 Connecting by SSH ..... 5
  2.2.3 Connecting by Browser ..... 5
2.3 CLI Navigation ..... 6
  2.3.1 Modes - Entering and Exiting ..... 6
  2.3.2 Generating Help on the Command Line ..... 6
  2.3.3 Command Line Shorthand ..... 7
CHAPTER 3: ROUTER MANAGEMENT
3.1 Management Interfaces ..... 9
  3.1.1 Defaults ..... 9
  3.1.2 Secure Web Server ..... 9
    3.1.2.1 Generating a New RSA Key and Certificate ..... 10
  3.1.3 Secure Shell Server ..... 11
    3.1.3.1 Configuring Compatibility Mode ..... 12
  3.1.4 Telnet Server ..... 12
  3.1.5 Non-SSL Web Server ..... 12
3.2 Time and Date ..... 13
  3.2.1 Setting Time and Date Manually ..... 13
  3.2.2 Configuring SNTP in the CLI ..... 13
    3.2.2.1 Enabling and Disabling the SNTP Client ..... 14
    3.2.2.2 Setting the SNTP Client Version ..... 14
    3.2.2.3 Setting the SNTP Client Addressing Mode ..... 14
    3.2.2.4 Setting the SNTP Client Port ..... 15
    3.2.2.5 Setting the SNTP Clock Format ..... 15
    3.2.2.6 Setting the SNTP Client Time Zone ..... 16
    3.2.2.7 Setting the SNTP Clock Summer Time ..... 16
    3.2.2.8 Setting the SNTP Client Authentication Key ..... 17
    3.2.2.9 Setting the SNTP Unicast Server ..... 18
    3.2.2.10 Setting the SNTP Unicast Server Auto-discovery ..... 18
    3.2.2.11 Setting the SNTP Unicast-poll-interval ..... 18
    3.2.2.12 Setting the SNTP Unicast-max-poll-timeout ..... 19
    3.2.2.13 Setting the SNTP Unicast-max-poll-retry ..... 19
    3.2.2.14 Enabling and Disabling Broadcast Mode Send Request ..... 19
    3.2.2.15 Setting SNTP Broadcast Poll Timeout ..... 20
    3.2.2.16 Setting SNTP Broadcast Delay Time ..... 20
    3.2.2.17 Enabling and Disabling Multicast Mode Send Request ..... 21
    3.2.2.18 Setting SNTP Multicast Poll Timeout ..... 21
    3.2.2.19 Setting SNTP Multicast Delay Time ..... 21
    3.2.2.20 Setting SNTP Multicast Group Address ..... 22
    3.2.2.21 Displaying Settings and Status ..... 22
  3.2.3 Configuring SNTP in the GUI ..... 22
3.3 SNMP ..... 24
  3.3.1 Configuring SNMPv3 Access ..... 25
    3.3.1.1 Example SNMPv3 Configuration ..... 26
  3.3.2 Managing SNMPv3 Views ..... 26
  3.3.3 Configuring SNMPv3 Notifications ..... 27
    3.3.3.1 Example SNMPv3 Notification Configuration ..... 27
  3.3.4 Filtering SNMPv3 Notifications ..... 28
    3.3.4.1 Example SNMPv3 Notification Filtering ..... 28
  3.3.5 Configuring SNMPv2c Access ..... 28
    3.3.5.1 Example SNMPv2c Configuration ..... 29
    3.3.5.2 Limiting SNMPv2c Access By Management IP ..... 29
    3.3.5.3 Configuring SNMPv2c Traps ..... 29
  3.3.6 SNMP Configuration in the CLI ..... 30
    3.3.6.1 Enabling and Disabling the SNMP Agent ..... 30
    3.3.6.2 Configuring SNMP Communities ..... 30
    3.3.6.3 Configuring an SNMP Group ..... 30
    3.3.6.4 Configuring SNMP Group Access ..... 31
    3.3.6.5 Configuring SNMP Engine ID ..... 31
    3.3.6.6 Configuring SNMP View ..... 32
    3.3.6.7 Configuring SNMP Target Address ..... 32
    3.3.6.8 Configuring SNMP Target Parameters ..... 33
    3.3.6.9 Configuring SNMP Users ..... 34
    3.3.6.10 Configuring SNMP Notifications ..... 34
    3.3.6.11 Configuring SNMP Filters ..... 35
    3.3.6.12 Configuring SNMP Traps ..... 35
  3.3.7 SNMP Configuration in the GUI ..... 36
    3.3.7.1 Enabling and Disabling the SNMP Agent ..... 36
    3.3.7.2 Configuring SNMP Community Settings ..... 36
    3.3.7.3 Configuring SNMP Group Settings ..... 37
    3.3.7.4 Configuring SNMP Group Access Settings ..... 38
    3.3.7.5 Configuring SNMP Views ..... 39
    3.3.7.6 Configuring SNMP Target Addresses ..... 40
    3.3.7.7 Configuring SNMP Target Parameters ..... 41
    3.3.7.8 Configuring SNMP User Information ..... 42
    3.3.7.9 Managing SNMP Traps ..... 43
    3.3.7.10 Configuring SNMP Filters ..... 44
3.4 User Management ..... 44
  3.4.1 Displaying User Information ..... 45
  3.4.2 Configuring System Login Information ..... 45
    3.4.2.1 Setting Maximum Login Attempts and Lock-out Time ..... 45
    3.4.2.2 Setting Required Password Strength ..... 46
  3.4.3 Executing the user Command ..... 46
    3.4.3.1 Adding a New User ..... 47
    3.4.3.2 Deleting a User ..... 47
    3.4.3.3 Blocking and Releasing a User ..... 47
    3.4.3.4 Setting a User’s Inactivity Time ..... 48
    3.4.3.5 Setting a User’s Password Expiration Interval ..... 48
    3.4.3.6 Setting a User’s Privilege Level ..... 48
  3.4.4 Changing a Password ..... 49
3.5 Authentication ..... 50
  3.5.1 RADIUS Authentication ..... 50
    3.5.1.1 Configuring RADIUS Authentication in the CLI ..... 52
    3.5.1.2 Configuring RADIUS Authentication in the GUI ..... 53
  3.5.2 TACACS Authentication ..... 54
    3.5.2.1 Configuring TACACS Authentication in the CLI ..... 55
    3.5.2.2 Configuring TACACS Authentication in the GUI ..... 57
3.6 File System Management ..... 58
  3.6.1 Listing System Files ..... 58
  3.6.2 Deleting a System File ..... 58
  3.6.3 Copying a System File ..... 59
  3.6.4 Displaying System File Contents ..... 59
  3.6.5 Creating System Configuration Files ..... 60
3.7 Event Management ..... 61
  3.7.1 Event Notification Contents ..... 61
  3.7.2 Event Attributes ..... 61
  3.7.3 Event IDs and Defaults ..... 62
    3.7.3.1 Event Severity ..... 63
    3.7.3.2 Logging Targets ..... 63
  3.7.4 Displaying Event Information ..... 64
  3.7.5 Clearing Events ..... 65
  3.7.6 Configuring Events ..... 65
    3.7.6.1 Creating and Configuring a logging Class ..... 65
    3.7.6.2 Configuring a logging Event ..... 66
    3.7.6.3 Configuring All logging Events ..... 66
    3.7.6.4 Configuring Syslog Server ..... 67
    3.7.6.5 Configuring the Logging Facility ..... 69
3.8 Software Upgrade ..... 70
  3.8.1 Using the Copy Command to Upgrade ..... 71
  3.8.2 Upgrade Procedure ..... 72
    3.8.2.1 Viewing System Information in the GUI ..... 73
3.9 Restarting the Switch ..... 73
CHAPTER 4: ETHERNET
  4.0.1 Ethernet Auto Media Interfaces ..... 75
  4.0.2 Enabling Ethernet Interfaces ..... 75
    4.0.2.1 Enabling Ethernet Ports ..... 76
    4.0.2.2 Configuring Port Type ..... 76
    4.0.2.3 Configuring Switchport Mode ..... 76
    4.0.2.4 Configuring MTU Size ..... 77
    4.0.2.5 Configuring Storm Control ..... 78
    4.0.2.6 GUI - Port Basic Settings Screen ..... 78
CHAPTER 5: VLAN
  5.0.1 Dynamic VLANs and Trunking ..... 81
    5.0.1.1 Enabling GVRP Globally in the CLI ..... 81
    5.0.1.2 Enabling GVRP Globally in the GUI ..... 81
    5.0.1.3 Enabling GVRP On A Port in the CLI ..... 82
    5.0.1.4 Enabling GVRP On A Port in the GUI ..... 82
    5.0.1.5 Setting GARP Timers For A Port in the CLI ..... 83
    5.0.1.6 Setting GARP Timers For A Port in the GUI ..... 85
  5.0.2 CLI - VLAN Configuration Mode ..... 86
    5.0.2.1 Defining an Access Port in the CLI ..... 86
    5.0.2.2 Defining an Access Port in the GUI ..... 86
  5.0.3 Advanced Access Port Configuration in the CLI ..... 87
  5.0.4 Advanced Access Port Configuration in the GUI ..... 87
  5.0.5 Examining the VLAN Database ..... 88
  5.0.6 VLANs and IP Routing ..... 89
  5.0.7 The VLAN Command ..... 89
  5.0.8 Configuring VLAN Learning Mode ..... 89
  5.0.9 Configuring a Static VLAN Entry in the CLI ..... 90
  5.0.10 Configuring a Static VLAN Entry in the GUI ..... 92
    5.0.10.1 Activating a VLAN ..... 92
    5.0.10.2 Disabling Unicast-MAC Learning ..... 93
CHAPTER 6: SPANNING TREE
6.1 RSTP ..... 95
6.2 RSTP Setup ..... 95
  6.2.1 BPDUs ..... 96
  6.2.2 Bridge Roles ..... 96
  6.2.3 Port Roles ..... 97
  6.2.4 Edge Ports and Point-to-Point Links ..... 97
  6.2.5 Port States ..... 98
6.3 RSTP Normal Operation ..... 98
6.4 Design Considerations ..... 98
  6.4.1 Basic RSTP Configuration Parameters ..... 99
6.5 MSTP ..... 99
6.6 Global Spanning Tree Configuration ..... 100
  6.6.1 Enabling Spanning Tree ..... 100
  6.6.2 Configuring Spanning Tree Mode ..... 100
  6.6.3 Configuring Spanning Tree Compatibility ..... 101
  6.6.4 Configuring Dynamic Pathcost Calculation ..... 101
  6.6.5 Configuring Spanning Tree Timers ..... 102
  6.6.6 Configuring Spanning Tree Transmit Hold Count ..... 103
  6.6.7 Configuring Spanning Tree Priority ..... 103
6.7 Configuring the Spanning Tree Properties of an Interface ..... 104
  6.7.1 General Spanning Tree Port Configuration ..... 104
  6.7.2 Configuring Auto Edge ..... 106
  6.7.3 Configuring Loop Guard ..... 106
  6.7.4 Configuring Restricted Role ..... 106
  6.7.5 Configuring Restricted TCN ..... 107
  6.7.6 Configuring BPDU Receive ..... 107
  6.7.7 Configuring BPDU Transmit ..... 108
6.8 MSTP-Specific Configuration ..... 108
  6.8.1 Configuring MST Max Hops ..... 108
  6.8.2 Enter MSTP Configuration Mode ..... 109
  6.8.3 Configuring MST Region Name ..... 109
  6.8.4 Configuring MST Region Revision ..... 110
  6.8.5 Configuring MST Max Instance ..... 110
6.9 Configuring MSTP In the GUI ..... 110
  6.9.1 MSTP Global Configuration ..... 111
  6.9.2 MSTP Timer Configuration ..... 112
  6.9.3 CIST Configuration ..... 113
  6.9.4 MSTP VLAN Mapping ..... 115
  6.9.5 MSTP Port Settings ..... 116
  6.9.6 MSTP CIST Port Status ..... 117
6.10 Configuring RSTP in the GUI ..... 119
  6.10.1 RSTP Global Configuration ..... 119
  6.10.2 RSTP Timer Configuration ..... 121
  6.10.3 RSTP Port Configuration ..... 122
  6.10.4 RSTP Port Status ..... 125
CHAPTER 7: LLDP
7.1 Configuring LLDP in the CLI ..... 127
  7.1.1 Global Configuration of LLDP ..... 127
    7.1.1.1 Enabling and Disabling LLDP ..... 127
    7.1.1.2 Configuring the LLDP Transmission Interval ..... 128
    7.1.1.3 Configuring the LLDP Holdtime Multiplier ..... 128
    7.1.1.4 Configuring the LLDP Reinitialization Delay ..... 129
    7.1.1.5 Configuring the LLDP Transmission Delay ..... 129
    7.1.1.6 Configuring the LLDP Notification Interval ..... 130
    7.1.1.7 Configuring the LLDP Chassis ID Subtype ..... 130
    7.1.1.8 Clearing LLDP Counters ..... 131
    7.1.1.9 Clearing the LLDP Table ..... 131
  7.1.2 Interface-specific Configuration of LLDP ..... 132
    7.1.2.1 Enabling LLDP Transmit/Receive on an Interface ..... 132
    7.1.2.2 Configuring LLDP Notifications on an Interface ..... 132
    7.1.2.3 Specifying Basic TLV Settings on a Port ..... 133
    7.1.2.4 Configuring an ID for LLDP Port Subtype ..... 134
    7.1.2.5 Configuring Transmission of dot1 TLVs on an Interface ..... 134
    7.1.2.6 Configuring Transmission of dot3 TLVs Subtypes on an Interface ..... 135
  7.1.3 Displaying LLDP Information ..... 135
    7.1.3.1 show lldp ..... 136
    7.1.3.2 show lldp interface ..... 136
    7.1.3.3 show lldp neighbors ..... 136
    7.1.3.4 show lldp traffic ..... 136
    7.1.3.5 show lldp local ..... 137
CONTENTS
Industrial Network Operating System Administrator’s Guide
viii
7.1.3.6 show lldp errors .......... 137
7.1.3.7 show lldp statistics .......... 137
7.2 Configuring LLDP in the GUI .......... 138
7.2.1 LLDP Global Configuration .......... 138
7.2.2 LLDP Basic Settings .......... 139
7.2.3 LLDP Interface Settings .......... 141
7.2.4 LLDP Neighbor Information .......... 142
7.2.5 LLDP Basic TLV Settings .......... 143
7.2.6 LLDP DOT1 TLV Settings .......... 144
7.2.7 LLDP DOT3 TLV Settings .......... 146
CHAPTER 8: IP ADDRESSING AND STATIC ROUTING
8.1 Configuring IP Addresses .......... 147
8.1.1 Specifying an Interface for Configuration .......... 147
8.1.2 Configuring an IP Address in the CLI .......... 148
8.1.3 Configuring an IP Address in the GUI .......... 148
8.1.4 Configuring a VLAN Interface in the GUI .......... 149
8.1.5 Configuring a Loopback Interface in the CLI .......... 151
8.1.6 Configuring a Loopback Interface in the GUI .......... 151
8.2 Configuring Static Routing in the CLI .......... 152
8.2.1 Configuring Static IPv4 Routes .......... 153
8.3 Configuring Static Routing in the GUI .......... 154
8.4 Configuring ARP .......... 155
8.4.1 Configuring the ARP Cache Timeout .......... 155
8.4.2 Configuring the ARP Request Maximum Retries .......... 155
CHAPTER 9: RIP
9.1 Configuring RIP in the CLI .......... 157
9.1.1 Enabling and Disabling RIP .......... 157
9.1.2 Configuring RIP on an Interface .......... 157
9.1.3 Configuring Redistribution .......... 158
9.1.4 Configuring the Default Metric .......... 158
9.1.5 Specifying Administrative Distance .......... 159
9.1.6 Disabling and Enabling Auto-summarization .......... 160
9.1.7 Configuring Update Source Validation .......... 161
9.1.8 Accessing Interface-specific RIP Commands .......... 161
9.1.9 Configuring to Install Default Route .......... 161
9.1.10 Configuring RIP Default Route Propagation .......... 161
9.1.11 Configuring IP RIP Send Version on an Interface .......... 162
9.1.12 Configuring IP RIP Receive Version on an Interface .......... 162
9.1.13 Configuring RIP Version Globally .......... 163
9.1.14 Configuring IP RIP Summary Address .......... 163
9.1.15 Configuring Split Horizon .......... 164
9.2 Configuring RIP in the GUI .......... 164
9.2.1 Enabling and Disabling RIP .......... 165
9.2.2 RIP Interface Configuration .......... 165
CHAPTER 10: OSPF
10.1 Overview .......... 169
10.1.1 OSPF Neighbor Relationships .......... 170
10.1.2 OSPF Area Types .......... 170
10.1.2.1 OSPF Backbone Area .......... 170
10.1.2.2 OSPF Stub Area .......... 171
10.1.2.3 OSPF Not-So-Stubby Area .......... 171
10.2 OSPF Configuration in the CLI .......... 171
10.2.1 Enabling and Disabling OSPF .......... 171
10.2.2 Enabling OSPF on an Interface .......... 171
10.2.3 Configuring a Stub Area .......... 172
10.2.4 Configuring a Not-So-Stubby Area .......... 172
10.2.5 Configuring the Cost of the Default Route in a Stub Area .......... 173
10.2.6 Summarizing Routes Between Areas .......... 173
10.2.7 Summarizing External Routes .......... 174
10.2.8 Controlling External Metrics .......... 174
10.3 OSPF Configuring in the GUI .......... 175
10.3.1 Enabling and Disabling OSPF .......... 176
10.3.2 OSPF Basic Settings .......... 176
10.3.3 OSPF Area Configuration .......... 178
10.3.4 OSPF Interface Configuration .......... 179
10.3.5 OSPF Virtual Interface Configuration .......... 181
10.3.6 OSPF Neighbor Configuration .......... 182
10.3.7 OSPF RRD Route Configuration .......... 183
10.3.8 OSPF Area Aggregation .......... 184
10.3.9 OSPF AS External Aggregation .......... 185
10.4 OSPF Configuration Example Overview .......... 186
10.5 OSPF Example Configuration Procedure .......... 186
10.5.1 Creating Area 0.0.0.0 .......... 187
10.5.2 Creating Area 0.0.0.3 .......... 188
10.5.3 Creating Area 0.0.0.4 .......... 190
CHAPTER 11: BGP
11.1 BGP Configuration in the CLI .......... 193
11.1.1 Enabling and Disabling BGP .......... 193
11.1.2 Specifying BGP Router ID .......... 194
11.1.3 Specifying a BGP Neighbor .......... 194
11.1.4 Displaying Neighbor Status .......... 195
11.1.5 Resetting a BGP Session .......... 195
11.1.6 Redistributing Routes .......... 196
11.1.7 Minimizing Route Table Size Using Aggregates .......... 196
11.1.8 Specifying Administrative Distance .......... 197
11.1.9 Filtering Routes .......... 198
11.1.10 Defining Policies Using Communities .......... 200
11.1.10.1 Assigning Routes to a Community .......... 200
11.1.10.2 Defining Policies for a Community .......... 201
11.1.10.3 Defining Filters for a Community .......... 201
11.1.11 Specifying a Router's Default Local Preference .......... 202
11.1.12 Specifying a Local Preference .......... 203
11.1.13 Specifying a Metric or Multi-exit Discriminator .......... 204
11.1.13.1 Specifying a Default Metric .......... 204
11.1.13.2 Assigning Metrics to Specific Routes .......... 205
11.1.13.3 Forcing a MED Comparison .......... 206
11.1.14 Using a Loopback as a BGP Endpoint .......... 206
11.1.15 Using eBGP Without a Direct Connection .......... 207
11.1.16 Setting Up a BGP Route Reflector .......... 207
11.1.17 Setting Up a BGP Confederation .......... 208
11.1.17.1 Configuring the BGP Confederation Identifier .......... 208
11.1.17.2 Specifying Confederation Members .......... 209
11.1.18 Synchronizing iBGP With an IGP .......... 209
11.2 BGP Configuration in the GUI .......... 210
11.2.1 BGP Basic Settings .......... 210
11.2.2 BGP Neighbor Configuration .......... 212
11.2.3 BGP MED Configuration .......... 214
11.2.4 BGP Local Preference Configuration .......... 216
11.2.5 BGP Filter Configuration .......... 218
11.2.6 BGP Route Aggregation Configuration .......... 220
CHAPTER 12: ROUTE MAPS
12.1 Configuring Route Maps .......... 223
12.1.1 Specifying a Route Map .......... 223
12.1.1.1 Note on Sequence Numbers .......... 224
12.1.2 Defining a Match .......... 224
12.1.3 Setting Route Values .......... 227
12.2 Applying Route Maps .......... 228
12.2.1 Route Redistribution .......... 229
12.2.2 Outgoing Route Filtering .......... 229
12.2.3 Incoming Route Filtering .......... 230
12.2.4 Specifying Route Administrative Distance .......... 231
12.3 Route Maps and Routing Protocols .......... 231
12.3.1 Route Map Functionality for RIP .......... 231
12.3.2 Route Map Functionality for OSPF .......... 232
12.3.3 Route Map Functionality for BGP .......... 233
12.3.4 Note on Route Redistribution .......... 233
12.4 Displaying Route Map Information .......... 234
CHAPTER 13: GRE
13.1 GRE Operation .......... 235
13.2 GRE Implementation .......... 235
13.3 GRE Configuration in the CLI .......... 235
13.3.1 Specifying a GRE Tunnel .......... 236
13.3.2 Configuring GRE Tunnel Attributes .......... 236
13.3.3 Enabling Tunnel Checksum .......... 236
13.3.4 Enabling Tunnel Path MTU Discovery .......... 237
13.3.5 Configuring Tunnel Hop Limit .......... 237
13.4 GRE Configuration in the GUI .......... 238
13.4.1 Specifying a GRE Tunnel .......... 238
CHAPTER 14: VRRP
14.1 VRRP Configuration in the CLI .......... 241
14.1.1 Enabling VRRP .......... 241
14.1.2 Configuring VRRP on an Interface .......... 241
14.1.3 Configuring a VRRP IP Address .......... 242
14.1.4 Configuring the Virtual Router Priority .......... 242
14.1.5 Enabling Preemption Mode .......... 243
14.1.6 Configuring Text Authentication .......... 244
14.1.7 Configuring Advertisement Interval .......... 244
14.1.8 Configuring VRRP Object Tracking .......... 245
14.2 VRRP Configuration in the GUI .......... 245
14.2.1 Enabling VRRP .......... 245
14.2.2 VRRP Settings .......... 246
CHAPTER 15: OBJECT TRACKING
15.1 Trackable States and Conditions .......... 249
15.1.1 Line-Protocol State of an Interface .......... 249
15.1.2 IP-Routing State of an Interface .......... 249
15.1.3 IP-Route Reachability .......... 249
15.2 Configuring Object Tracking in the CLI .......... 250
15.2.0.1 Configuring Interface Tracking Interval .......... 250
15.2.0.2 Configuring IP Route Tracking Interval .......... 250
15.2.0.3 Configuring Tracking of an Interface Line Protocol .......... 251
15.2.0.4 Configuring Tracking of Interface IP Routing .......... 251
15.2.0.5 Configuring Tracking of Route Reachability .......... 252
15.2.0.6 Configuring Tracking Delay .......... 252
15.3 Configuring Object Tracking in the GUI .......... 253
15.3.1 Configuring Tracking Timers .......... 253
15.3.2 Configuring Object Tracking .......... 254
CHAPTER 16: DHCP SERVER
16.1 Configuring the DHCP Server in the CLI .......... 257
16.1.1 Enabling and Disabling the DHCP Server .......... 257
16.1.2 Configuring a DHCP Address Pool .......... 257
16.1.3 Specifying a Boot Server .......... 258
16.1.4 Specifying a Boot File .......... 258
16.1.5 Enabling the ICMP Echo .......... 258
16.1.6 Configure Offer-reuse Interval .......... 259
16.1.7 Configuring Global DHCP Options .......... 259
16.1.8 Configuring a Subnet Pool of Addresses .......... 260
16.1.9 Excluding Addresses from a Pool .......... 260
16.1.10 Specifying a Domain Name .......... 261
16.1.11 Specifying a DNS Server .......... 261
16.1.12 Specifying a NetBIOS and WINS Name Server .......... 262
16.1.13 Specifying a NetBIOS Node Type .......... 262
16.1.14 Specifying a Default Router .......... 263
16.1.15 Configuring Pool-specific DHCP Options .......... 263
16.1.16 Configuring a Lease Period .......... 264
16.1.17 Configuring a Pool Utilization Threshold .......... 264
16.1.18 Configuring Host Hardware Type .......... 265
16.2 Displaying DHCP Information .......... 265
16.2.1 show ip dhcp server information .......... 265
16.2.2 show ip dhcp server pools .......... 266
16.2.3 show ip dhcp server binding .......... 266
16.2.4 show ip dhcp server statistics .......... 266
16.3 Configuring the DHCP Server in the GUI .......... 266
16.3.1 Configuring DHCP Basic Settings .......... 267
16.3.2 Configuring DHCP Global Options .......... 268
16.3.3 Configuring DHCP Pool Settings .......... 269
16.3.4 Configuring DHCP Pool Option Settings .......... 270
16.3.5 Configuring DHCP Host Option Settings .......... 271
16.3.6 Configuring an Exclude List .......... 272
16.3.7 Displaying Binding Information .......... 272
CHAPTER 17: FIREWALL/NAT
17.1 Defining Inside and Outside .......... 275
17.1.1 Configuring a Default Security Policy .......... 275
17.1.2 Enabling the Firewall .......... 276
17.1.3 Configuring Basic Access Control Lists .......... 276
17.1.4 Configuring Object Groups .......... 278
17.1.4.1 Network Object Groups .......... 278
17.1.4.2 Service Object Groups .......... 279
17.1.4.3 ICMP Object Groups .......... 279
17.1.4.4 Protocol Object Groups .......... 280
17.1.5 Using Object Groups .......... 280
17.1.6 Applying Access Control Lists .......... 281
17.2 NAT .......... 281
17.2.1 Setting up Dynamic NAT .......... 281
17.2.2 Setting up Static NAT .......... 282
CHAPTER 18: IPSEC VPN
18.1 IPsec VPN Operation .......... 285
18.2 Configuring IPsec VPN in the CLI .......... 286
18.2.1 IKE Profile Table .......... 286
18.2.1.1 Configure an IKE Profile .......... 286
18.2.1.2 Specify IKE (Phase 1) Encryption Type .......... 287
18.2.1.3 Specify IKE (Phase 1) Hash Algorithm .......... 287
18.2.1.4 Specify a DH Group .......... 288
18.2.1.5 Specify PFS .......... 288
18.2.1.6 Specify SA (Phase 1) Lifetime .......... 289
18.2.1.7 Configure DPD .......... 289
18.2.2 IPsec Proposal Table .......... 290
18.2.2.1 Configure an IPsec Proposal .......... 290
18.2.2.2 Specify IPSec (Phase 2) Encryption Type .......... 291
18.2.2.3 Specify IPsec (Phase 2) Hash Algorithm .......... 291
18.2.2.4 Specify SA (Phase 2) Lifetime .......... 292
18.2.3 Crypto Maps .......... 292
18.2.3.1 Configure a Crypto Map .......... 292
18.2.3.2 Specify the Traffic to Protect .......... 293
18.2.3.3 Specify a Peer IP Address .......... 293
18.2.3.4 Specify the Local IP Address .......... 294
18.2.3.5 Bind an IKE Profile .......... 294
18.2.3.6 Bind an IPsec Proposal .......... 295
18.2.3.7 Specify Authentication Type .......... 295
18.2.3.8 Specify a Pre-shared Key .......... 296
18.2.4 IPsec VPN-related Show Commands .......... 296
18.2.4.1 show ike sa .......... 296
18.2.4.2 show ipsec sa .......... 296
18.2.4.3 show ike profile .......... 296
18.2.4.4 show ipsec proposal .......... 297
18.2.4.5 show crypto map .......... 297
18.2.5 IPsec VPN-related Clear Commands .......... 297
18.2.5.1 clear ike sa all .......... 297
18.2.5.2 clear ike sa peer .......... 298
18.2.5.3 clear ike sa id .......... 298
18.2.5.4 clear ipsec sa all .......... 298
18.2.5.5 clear ipsec sa peer .......... 298
18.2.5.6 clear ipsec sa id .......... 299
18.3 Configuring IPsec VPN in the GUI .......... 299
18.3.1 Configuring an IKE Profile .......... 299
18.3.2 Configuring an IPsec Proposal .......... 301
18.3.3 Configuring a Crypto Map .......... 302
18.3.4 Displaying IKE Security Associations .......... 303
18.3.5 Displaying IPsec Security Associations .......... 304
18.3.6 Configuring IPsec ACLs .......... 305
CHAPTER 19: T1/E119.1 Configuring T1/E1 in the CLI ......................................................................................................... 307
19.1.1 Specifying a T1/E1 Interface ......................................................................................... 30719.1.2 Configure Mode on a T1/E1 Interface ........................................................................... 30819.1.3 Configure Clock Source on a T1/E1 Interface ............................................................... 30819.1.4 Configure Timeslot Bandwidth on a T1/E1 Interface ..................................................... 30919.1.5 Configure Timeslots on a T1/E1 Interface ..................................................................... 30919.1.6 Configure Frame Types on a T1/E1 Interface ............................................................... 30919.1.7 Configure Line Codes on a T1/E1 Interface .................................................................. 31019.1.8 Configure Line Build-out on a T1/E1 Interface .............................................................. 31119.1.9 Enabling and Disabling a T1/E1 Interface ..................................................................... 31119.1.10 Configuring a Channelized T1/E1 Interface .................................................................. 31219.1.11 Configuring Timeslots on a T1/E1 Channel .................................................................. 31219.1.12 Enabling and Disabling a T1/E1 Channel ..................................................................... 313
19.2 Configuring T1/E1 in the GUI ........................................................................................................ 31319.2.1 Configuring T1/E1 Ports ................................................................................................ 31319.2.2 Configuring T1/E1 Channel Settings ............................................................................. 316
19.3 Displaying T1/E1 Interface Configuration Information ................................................................... 317
CHAPTER 20: PPP20.1 Configuring PPP in the CLI ........................................................................................................... 319
20.1.1 Specifying a PPP Interface ........................................................................................... 31920.1.2 Configuring Link Control Protocol Interval ..................................................................... 32020.1.3 Configuring PPP Authentication .................................................................................... 320
CONTENTS
Industrial Network Operating System Administrator’s Guide
xiv
20.1.4 Specifying PPP Compression ..... 320
20.1.5 Specifying a Peer Username and Password ..... 321
20.1.6 Specifying a Device Username and Password ..... 321
20.1.7 Configuring Maximum Slot IDs ..... 322
20.1.8 Enable Compression of Slot ID Field ..... 322
20.1.9 Specify IP Address of the PPP Interface ..... 322
20.1.10 Specify an MRU Value ..... 323
20.1.11 Specify an MTU Value ..... 323
20.1.12 Enable Compression of Address and Control Fields ..... 324
20.1.13 Enable Compression of Protocol Field ..... 324
20.1.14 Enable Use of Magic Numbers ..... 324
20.1.15 Disable a PPP Interface ..... 325
20.1.16 Specify a Physical Port for PPP Interface ..... 325
20.2 Configuring PPP in the GUI ..... 325
20.2.1 Configuring PPP Interfaces ..... 326
20.2.2 Configuring PPP Options ..... 327
20.3 Configuring MLPPP in the CLI ..... 329
20.3.1 Specifying an MLPPP Interface ..... 329
20.3.2 Specify an MRRU Value ..... 329
20.3.3 Assembling MLPPP Bundles ..... 330
20.4 Configuring MLPPP in the GUI ..... 330
20.4.1 Configuring MLPPP Interfaces ..... 331
20.4.2 Configuring MLPPP Interface Stacking ..... 332
20.4.3 Configuring MLPPP Options ..... 333
CHAPTER 21: FRAME RELAY
21.1 Configuring Frame Relay in the CLI ..... 335
21.1.0.1 Specifying a Frame Relay Interface ..... 335
21.1.0.2 Configuring the Lower Layer for a Frame Relay Interface ..... 336
21.1.0.3 Enabling a Frame Relay Interface with the No Shutdown Command ..... 336
21.1.1 Configuring LMI ..... 337
21.1.1.1 Configuring LMI Type ..... 337
21.1.1.2 Configuring LMI Mode ..... 337
21.1.2 Configuring PVCs ..... 338
21.1.2.1 Specifying a Frame Relay PVC Interface ..... 338
21.1.2.2 Configuring the Lower Layer for a PVC ..... 339
21.1.2.3 Specifying the DLCI for a PVC ..... 339
21.1.2.4 Enabling a PVC with the No Shutdown Command ..... 340
21.1.3 Configuring IP Encapsulation ..... 340
21.1.3.1 Specifying the Local IP Address for IP Encapsulation ..... 340
21.1.3.2 Specifying the Peer IP Address for IP Encapsulation ..... 341
21.1.4 Configuring Serial Encapsulation ..... 341
21.1.5 Configuring Terminal Server Extension ..... 342
21.1.6 Configuring End-to-End Keepalive on a PVC ..... 342
21.1.6.1 Configuring the EEK Poll Timer on a Frame Relay Interface ..... 343
21.1.6.2 Configuring the EEK Response Timer on a Frame Relay Interface ..... 344
21.1.6.3 Configuring the EEK Event Window on a Frame Relay Interface ..... 344
21.1.6.4 Configuring the EEK Error Threshold on a Frame Relay Interface ..... 345
21.1.6.5 Configuring the EEK Success Events on a Frame Relay Interface ..... 345
21.1.7 Configuring Frame Relay Queuing ..... 345
21.1.8 Assigning Priorities to Frame Relay Packets ..... 346
21.1.8.1 Configuring Default Priority for a PVC ..... 346
21.1.8.2 Mapping DSCP Values to Queue Priorities ..... 347
21.1.8.3 Configuring Fragmentation on a Frame Relay Interface ..... 347
21.1.8.4 Configuring Committed Information Rate on a PVC ..... 348
21.1.9 Displaying Frame Relay Information ..... 349
21.1.9.1 show interface frame-relay ..... 349
21.1.9.2 show interface fr-pvc ..... 349
21.1.9.3 show frame-relay priority ..... 349
21.1.9.4 show qos frame-relay output dscp-map ..... 349
21.1.10 Clearing Frame Relay Counters ..... 350
21.1.11 Clearing FR-PVC Counters ..... 350
21.2 Configuring Frame Relay in the GUI ..... 351
21.2.1 Configuring the Frame Relay Interface ..... 351
21.2.2 Configuring Frame Relay End-to-End Keepalive ..... 352
21.2.3 Configuring Frame Relay PVCs ..... 353
21.2.4 Configuring Frame Relay Encapsulation ..... 355
CHAPTER 22: SERIAL INTERFACE
22.1 Configuring Serial Profiles in the CLI ..... 357
22.1.1 Specifying a Serial Profile ..... 357
22.1.2 Configure a Profile’s Interface Standard ..... 358
22.1.3 Configure a Profile’s Speed ..... 358
22.1.4 Configure a Profile’s Databits ..... 359
22.1.5 Configure a Profile’s Stopbits ..... 359
22.1.6 Configure a Profile’s Parity ..... 359
22.1.7 Configure a Profile to Ignore DSS ..... 360
22.1.8 Configure a Profile’s Flow Control ..... 360
22.1.9 Configure a Profile’s Packetization Character ..... 361
22.1.10 Configure a Profile’s Packet Timeout Value ..... 361
22.1.11 Configure a Profile’s Maximum Packet Size ..... 362
22.2 Configuring Serial Interfaces in the CLI ..... 362
22.2.1 Specify a Serial Interface ..... 362
22.2.2 Associate a Profile and a Serial Interface ..... 363
22.3 Serial Interface Show Commands ..... 363
22.3.1 Display Serial Profile Information ..... 363
22.3.2 Display Serial Interface Information ..... 363
22.4 Configuring Serial Profiles in the GUI ..... 364
22.4.1 Configuring a Serial Profile ..... 364
22.4.2 Associating Profiles and Ports ..... 366
CHAPTER 23: TERMINAL SERVER
23.1 Terminal Server Operation ..... 370
23.1.1 Passive Mode Channels ..... 370
23.1.2 Active Mode Channels ..... 370
23.1.3 Mixed Mode ..... 371
23.1.4 Session Type ..... 371
23.2 Terminal Server Configuration in the CLI ..... 371
23.2.1 Specify a Terminal Server Channel ..... 371
23.2.2 Configure a Port for a Channel ..... 372
23.2.3 Mapping a Serial Channel to a PVC ..... 372
23.2.4 Configure Channel Direction ..... 373
23.2.5 Configure Channel Session Type ..... 373
23.2.6 Configure Channel Priority ..... 374
23.2.7 Configure Channel Local IP Address ..... 374
23.2.8 Configure Channel Local TCP Port ..... 375
23.2.9 Configure Channel Remote IP Address ..... 376
23.2.10 Configure Channel Remote TCP Port ..... 376
23.2.11 Configure Channel Maximum Connections ..... 377
23.2.12 Configure Channel Retry Time ..... 377
23.2.13 Clear a Serial Connection ..... 378
23.3 Terminal Server Show Commands ..... 378
23.3.1 Display Serial Channel Information ..... 378
23.3.2 Display Serial Connection Information ..... 378
23.4 Terminal Server Configuration in the GUI ..... 379
23.4.1 Configuring a Terminal Server ..... 379
23.4.2 Monitoring Terminal Server Connections ..... 381
23.4.3 Monitoring Terminal Server Channels ..... 382
CHAPTER 24: QOS
24.1 Ethernet QoS Handling ..... 385
24.2 IP Interface DSCP Marking ..... 387
24.3 PPP Output Queues ..... 387
24.4 Configuring QoS in the CLI ..... 388
24.4.1 Global Configuration Commands ..... 388
24.4.1.1 Enabling and Disabling QoS ..... 388
24.4.1.2 Mapping a DSCP Output Queue ..... 389
24.4.1.3 Mapping a CoS Output Queue ..... 389
24.4.2 Ethernet Interface Configuration Commands ..... 390
24.4.2.1 Configuring QoS Trust ..... 390
24.4.2.2 Configuring CoS Default ..... 391
24.4.3 Queuing Policy Configuration Commands ..... 391
24.4.3.1 Specify a Queueing Policy ..... 391
24.4.3.2 Specify Weighted Fair Queueing ..... 391
24.4.3.3 Specify a DSCP-WFQ Match ..... 392
24.4.4 Specify Strict Queueing ..... 392
24.4.4.1 Specify a DSCP-SPQ Match ..... 393
24.4.4.2 Control the Available Bandwidth on the Strict Queue ..... 393
24.4.5 IP Configuration Commands ..... 394
24.4.5.1 Map a Queueing Policy to a PPP Interface ..... 394
24.4.6 Global IP Configuration Commands ..... 394
24.4.6.1 Map an ACL to a DSCP ..... 394
24.4.7 Show Commands ..... 395
24.4.7.1 Displaying Configured QoS Interfaces ..... 395
24.5 Configuring QoS in the GUI ..... 396
24.5.1 Enabling and Disabling QoS ..... 396
24.5.2 Configuring QoS Port Settings ..... 397
24.5.3 Configuring a CoS Queue Map ..... 398
24.5.4 Configuring a DSCP Queue Map ..... 400
24.5.5 Configuring Frame Relay QoS for a PVC ..... 401
24.5.6 Configuring Frame Relay QoS for a DSCP ..... 402
24.5.7 Configuring Frame Relay Priority Weights ..... 403
CHAPTER 25: PROTOCOL ANALYZER
25.1 Starting and Stopping the Protocol Analyzer ................................................................................. 405
25.2 Configuring Protocol Analyzer Output ........................................................................................... 405
Glossary ................................................................................................................................................. 409
Index ......................................................................................................................................................... 417
Preface
ABOUT THIS MANUAL
This manual provides the Administrator with instructions on how to use the Industrial Network Operating System™ (INOS™) to configure, manage, and monitor the 10RX™ Industrial Router family of products. This manual contains a basic description of the INOS, the basics of using the INOS, and instructions for configuring INOS for specific applications. The chapters and appendices are presented as follows:
Chapter 1, “Overview” - This chapter describes the features and benefits of the Magnum 10RX.
Chapter 2, “Getting Started” - This chapter describes how to quickly get started with INOS.
Chapter 3, “Router Management” - This chapter explains how to carry out router management tasks.
Chapter 4, “Ethernet” - Explains the configuration of Ethernet connections.
Chapter 5, “VLAN” - Explains VLAN configuration.
Chapter 6, “Spanning Tree” - Explains the INOS Spanning Tree implementation.
Chapter 7, “LLDP” - Explains the Link Layer Discovery Protocol implementation.
Chapter 8, “IP Addressing and Static Routing” - Explains configuration of static routing.
Chapter 9, “RIP” - Explains configuration of the Routing Information Protocol in INOS.
Chapter 10, “OSPF” - Explains the configuration of the Open Shortest Path First Protocol.
Chapter 11, “BGP” - Explains the configuration of the Border Gateway Protocol.
Chapter 12, “Route Maps” - Explains Route filtering and manipulation with route maps.
Chapter 13, “GRE” - Explains Generic Routing Encapsulation.
Chapter 14, “VRRP” - Explains the Virtual Router Redundancy Protocol.
Chapter 15, “Object Tracking” - Explains configuration of object tracking.
Chapter 16, “DHCP Server” - Explains Dynamic Host Configuration Protocol functionality.
Chapter 17, “Firewall/NAT” - Explains basic firewall and network address translation functionality.
Chapter 18, “IPsec VPN” - Explains IPsec VPN configuration.
Chapter 19, “T1/E1” - Explains configuration of T1/E1 interfaces.
Chapter 20, “PPP” - Explains configuration of the Point-to-Point Protocol.
Chapter 21, “Frame Relay” - Explains the INOS Frame Relay implementation.
Chapter 22, “Serial Interface” - Explains the configuration of serial interfaces.
Chapter 23, “Terminal Server” - Explains the Terminal Server application.
Chapter 24, “QoS” - Explains implementation of Quality of Service functionality.
Chapter 25, “Protocol Analyzer” - Explains the use of the INOS Protocol Analyzer to monitor system performance.
Glossary - A list of acronyms and technical terms used in this manual.
CONVENTIONS
Graphically distinctive alerts labeled either “Note” or “Caution” (illustrated below) are interspersed throughout this manual. These alerts call your attention to useful information related to the text immediately following the alert. Notes provide supplemental information or provide a point of emphasis. Cautions warn you of the risk of poor system performance or of system failure.
WEB ACCESS
All of the INOS manuals are also available in .pdf format on the GarrettCom website, www.garrettcom.com.
Syntax Conventions
Convention - Meaning
Typewriter font - Depicts stable command-line information supplied either by the system or the user: command names, keywords, etc.
Italic - Depicts user-supplied information: names, arguments, variables, etc.
[X] - Square brackets enclose optional keywords or arguments.
| - A pipe, or vertical line, separating elements in a series indicates that these elements are choices available at this location.
[X | Y] - A pipe separating items within square brackets indicates that these are optional choices.
{X | Y} - A pipe separating items within braces, or curly brackets, indicates that these items are choices but that one MUST be selected.
[X {Y | Z}] - The outer square brackets indicate an optional element and the inner curly brackets indicate that if the second element is used you MUST select from among the enclosed options.
NOTE: Notes provide you with helpful information about an upcoming step or action. If you do not use the information contained in a Note there is no risk of harm to the system, but using the information will improve performance and/or increase your understanding.
CAUTION: A caution warns you that you should take some action to avoid poor system performance or system failure.
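The bracket, brace and pipe notation in the syntax conventions table above defines a small grammar, and the rules can be checked mechanically. The following matcher is an added example, not INOS code: it assumes keywords are literal words, that a user-supplied (italic) argument is written as <name> and matches any single token, and that whitespace is the only separator; the clear ike sa line it is tried on is modelled on the table of contents, with constructed argument names.

```python
"""Matcher for the [X], [X | Y], {X | Y} and [X {Y | Z}] syntax notation.

Added example, not INOS code. Assumptions: keywords are literal words, a
user-supplied argument is written as <name> and matches exactly one token,
[ ] marks an optional part, { } a mandatory choice, | separates choices.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import List, Set, Union

# One regex splits a syntax line into brackets, braces, pipes and words.
_TOKEN = re.compile(r"\[|\]|\{|\}|\||[^\s\[\]{}|]+")


@dataclass
class Word:          # literal keyword, must match exactly
    text: str


@dataclass
class Var:           # user-supplied argument, matches any one token
    name: str


@dataclass
class Seq:           # elements that must appear in this order
    items: List["Node"] = field(default_factory=list)


@dataclass
class Group:         # [a | b] when optional, {a | b} when a choice is required
    alts: List[Seq]
    optional: bool


Node = Union[Word, Var, Seq, Group]


def parse_syntax(syntax: str) -> Seq:
    """Parse a syntax line such as '[X {Y | Z}]' into a tree of nodes."""
    tokens = _TOKEN.findall(syntax)
    pos = 0

    def parse_seq(stop: Set[str]) -> Seq:
        nonlocal pos
        seq = Seq()
        while pos < len(tokens) and tokens[pos] not in stop:
            tok = tokens[pos]
            pos += 1
            if tok == "[":
                seq.items.append(Group(parse_alts("]"), optional=True))
            elif tok == "{":
                seq.items.append(Group(parse_alts("}"), optional=False))
            elif tok in ("]", "}", "|"):       # closer without matching opener
                raise ValueError(f"unexpected {tok!r} in {syntax!r}")
            elif len(tok) > 2 and tok[0] == "<" and tok[-1] == ">":
                seq.items.append(Var(tok[1:-1]))
            else:
                seq.items.append(Word(tok))
        return seq

    def parse_alts(closer: str) -> List[Seq]:
        nonlocal pos
        alts = [parse_seq({closer, "|"})]
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            alts.append(parse_seq({closer, "|"}))
        if pos >= len(tokens) or tokens[pos] != closer:
            raise ValueError(f"missing {closer!r} in {syntax!r}")
        pos += 1
        return alts

    return parse_seq(set())


def _ends(node: Node, args: List[str], start: int) -> Set[int]:
    """Return every position in args at which node could finish matching."""
    if isinstance(node, Word):
        ok = start < len(args) and args[start] == node.text
        return {start + 1} if ok else set()
    if isinstance(node, Var):
        return {start + 1} if start < len(args) else set()
    if isinstance(node, Seq):
        positions = {start}
        for item in node.items:      # thread every reachable position forward
            positions = {e for p in positions for e in _ends(item, args, p)}
            if not positions:
                break
        return positions
    ends = {start} if node.optional else set()   # [ ] may match nothing at all
    for alt in node.alts:                        # every alternative is tried
        ends |= _ends(alt, args, start)
    return ends


def matches(syntax: str, command: str) -> bool:
    """True if the whole command line is an instance of the syntax line."""
    args = command.split()
    return len(args) in _ends(parse_syntax(syntax), args, 0)


if __name__ == "__main__":
    # Constructed illustration modelled on the clear ike sa entries; the
    # argument names <address> and <sa-id> are assumptions, not INOS syntax.
    syntax = "clear ike sa {all | peer <address> | id <sa-id>}"
    for line in ("clear ike sa all", "clear ike sa peer 10.0.0.1", "clear ike sa"):
        print(f"{line!r:30} -> {matches(syntax, line)}")
```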
YOUR COMMENTS
If you find an error or have a helpful tip on the layout or informational content of this or any other GarrettCom manual, please contact us by email with any problems or helpful information. All enquiries will be responded to with a correction or whatever resolution is required. Please send all comments to [email protected] or phone a support engineer at (510) 438-9071.
Chapter 1 Overview
1.1 Features and Benefits
The Magnum 10RX Industrial Router provides secure multiprotocol networking in a compact, rugged package designed for power substations and other harsh environments. The 10RX combines the capabilities of an Ethernet Switch, an Async-to-TCP/IP Terminal Server, and an IP Router in a single integrated device.
1.1.1 GarrettCom Hardened
The Magnum 10RX Industrial Router is a multi-function, multi-protocol networking platform that is purpose-built for distributed industrial automation applications such as Supervisory Control and Data Acquisition (SCADA) systems. The 10RX supports a wide range of communications interfaces used by industrial devices, enabling multiple generations of remote devices and support systems to be consolidated onto a single integrated network infrastructure. The 10RX also operates effectively in extremely harsh environmental conditions such as those within power utility substations, pumping stations, treatment plants, transportation systems and wind farms. This robustness is primarily due to extended-range specifications in areas such as electromagnetic interference, temperature and electrical surges. Most other networking products will fail when facing these conditions.
1.1.2 Hardware Configuration
The 10RX can be configured with:
• Up to 10 automedia Gigabit Ethernet ports
• Up to 32 RJ45 serial ports or 16 DB9 serial ports programmable for RS232/485 operation
• Up to 16 T1/E1 ports
• Dual hot-swappable or fixed high (90-250 VAC or VDC) or low (18-60 VDC) power supplies
1.1.3 Multiprotocol Support
Supports the following protocols:
• Async, SCADA
• Ethernet, TCP/IP
• Ethernet Switching
• VLANs
• GVRP
• RSTP/MSTP
• Frame Relay
• IP Routing
• RIP
• OSPFv2
• BGP4
• VRRP
• GRE
• PPP
• TCP Terminal Server
1.1.4 Security
Supports:
• Multi-level passwords with enforcement and aging
• Stateful firewall with ACLs and filtering
• IP VPN using IPsec with AES encryption
• Management activity logging and alarms
• Radius/TACACS+ support
• SSL
• SSH
1.1.5 Management Tools
Supports:
• Embedded web server GUI
• CLI access via SSH or Telnet
• SNMPv2c and SNMPv3 MIB
1.2 Applications/Topologies
The Magnum 10RX combines the capabilities of an Ethernet Switch, an Async-to-TCP/IP Terminal Server and an IP Router in a single integrated device. This feature set enables several important applications, each building on the ability to combine Serial- and Ethernet-based industrial devices on a common communications network.
1.2.1 Standalone Local Communications Platform
The Magnum 10RX provides a complete, local communications network within an industrial location. Magnum 10RX consolidates connections from a variety of industrial devices having differing communications interfaces, including Async serial connections at connection rates of 300 bps to 230.4 Kbps and IP-oriented Ethernet connections at 10 or 1000 Mbps. This interface capability covers most RTUs, PLCs, Intelligent Electrical Devices (IEDs), industrial servers and other devices with digital data connectivity. An
operator may use a Human Machine Interface (HMI) application to locally connect to all the devices within the site from a common connection point. The Magnum 10RX provides Ethernet switching of IP sessions directly among Ethernet-connected devices. TCP/IP based applications such as the HMI may also connect directly to serial devices, with the Magnum 10RX providing Async-to-TCP/IP terminal services.
1.2.2 Remote Network Concentration
The Magnum 10RX includes integrated T1/E1 DSU/CSU capability for supporting up to 16 separate wide area network (WAN) links. These links can be bundled using Multi-Link PPP (MLPPP) to provide high-speed WAN connections or used with individual PPP connections to create redundant WAN paths. The Magnum 10RX can be used in large substations or as a network concentrator in an operations center where high WAN bandwidth is required.
1.2.3 Distributed Local Network using Ethernet
In addition to stand-alone deployments, multiple Magnum 10RXs can form a distributed high-speed network within an industrial site using an Ethernet backbone. Typically the Ethernet backbone network is a resilient ring configuration. Rapid Spanning Tree Protocol (RSTP), tag-based Virtual Local Area Networks (VLANs), and traffic prioritization features combine to provide high-reliability, application-specific security and performance management capabilities that enable multiple diverse applications to effectively share a common network infrastructure.
Chapter 2 Getting Started
This chapter explains how to quickly begin using your INOS industrial router through the embedded web server Graphical User Interface (GUI) or the Command Line Interface (CLI).
2.1 Defaults
As delivered INOS can be accessed with the following default username and password:
• Username — manager
• Password — manager
2.2 10RX access
The following sections describe how to connect on the console, on the web, or by SSH.
The default IP address is 192.168.1.2. You can access this IP address by connecting to GbE 1/1.
2.2.1 Connecting by Console
The serial console settings are 38400-8-N-1.
2.2.2 Connecting by SSH
The default IP address is 192.168.1.2. SSH to port 22. For example,
from a command prompt on your PC.
2.2.3 Connecting by Browser
Use the URL https://192.168.1.2
WARNING: GarrettCom recommends that you immediately create a new administrative user account with username and password different from the factory defaults and that you delete the default “manager” account. See Section 3.4 for information on managing user accounts.
2.3 CLI Navigation
The following section supplies guidelines for navigating the Command Line Interface.
2.3.1 Modes - Entering and Exiting
The command line interface supports the complete INOS command set. Commands are accessible in several “modes.” The current mode setting is indicated by the text displayed at the prompt.
• Magnum 10RX# — EXEC Commands
This is the default mode available at login. It gives you access to commands to display settings and status information, and to clear some settings. Administrators may also manage user accounts in this mode.
• Magnum 10RX(config)# — Global Configuration commands
• This mode is entered by typing configure terminal at the Magnum 10RX# prompt.
• It gives you access to the most commonly used configuration commands, those controlling routing, security and the like.
• Return to the EXEC Commands mode by typing end or exit at the Magnum 10RX(config)# prompt.
In addition to the two modes described above there are many configuration modes accessed by entering certain keywords at the Magnum 10RX(config)# prompt. These modes are identified by a label in the command prompt and give access to a subset of commands specific to the protocol under configuration. Examples of these modes are:
• Magnum 10RX(config-vlan)# — giving access to the subset of VLAN configuration commands.
• Magnum 10RX(config-if)# — giving access to several subsets of interface configuration commands.
• Magnum 10RX(config-router)# — giving access to subsets of router configuration commands.
In each of these protocol-specific modes you can return to Global Configuration command mode by entering exit or to EXEC Commands mode by entering end. For a list of these modes and pointers to the commands used to access them see the index under “configuration mode.”
2.3.2 Generating Help on the Command Line
Pressing ? will produce a list of valid options for the next position in the command line with brief descriptions of their significance.
Pressing TAB attempts to complete the command you have begun. If there is only one valid option for the next position in the command line that option will be displayed in the correct position. If there are multiple valid options pressing TAB will display all valid arguments to the current command with syntax defined in a conventional fashion.
2.3.3 Command Line Shorthand
Abbreviations: The CLI will accept as valid any text string on the command line that is sufficiently long to be valid and unambiguous at that position; thus, the full command,
Magnum 10RX# show system information
can be executed in the following shorthand:
Magnum 10RX# s sy i
Make use of the ? and TAB keys to discover the shortest unique version of any command element.
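As an added illustration of the prefix matching just described (this code is not from the guide or from INOS; the command table is a small constructed subset of the command set), the following Python resolves abbreviated words against a command tree and reports the shortest unambiguous prefix for each word, which is what ? and TAB let you discover interactively:

```python
# Added example: prefix-based command abbreviation as described in Section 2.3.3.
# COMMANDS is a constructed subset of the INOS command tree, not the real one.
COMMANDS = {
    "show": {
        "system": {"information": {}, "status": {}},
        "sntp": {"status": {}},
        "clock": {},
    },
    "configure": {"terminal": {}},
}


class AmbiguousWord(ValueError):
    """Raised when an abbreviation matches more than one command word."""


def expand_word(word, candidates):
    """Return the unique candidate that starts with `word`, or raise."""
    matches = sorted(c for c in candidates if c.startswith(word))
    if word in matches:            # an exact spelling always wins
        return word
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise ValueError(f"unknown word {word!r}; expected one of {sorted(candidates)}")
    raise AmbiguousWord(f"{word!r} is ambiguous: {matches}")


def expand_command(line, table=COMMANDS):
    """Expand every abbreviated word in `line` against the command tree."""
    node, expanded = table, []
    for word in line.split():
        full = expand_word(word, node)
        expanded.append(full)
        node = node[full]          # descend to the words valid at the next position
    return " ".join(expanded)


def shortest_unique_prefixes(candidates):
    """For each word, the shortest prefix the CLI would accept as unambiguous."""
    result = {}
    for word in candidates:
        for n in range(1, len(word) + 1):
            prefix = word[:n]
            if sum(1 for c in candidates if c.startswith(prefix)) == 1:
                result[word] = prefix
                break
        else:
            result[word] = word    # a word that prefixes another needs its full spelling
    return result


if __name__ == "__main__":
    print(expand_command("s sy i"))                      # show system information
    print(shortest_unique_prefixes(COMMANDS["show"]))    # {'system': 'sy', 'sntp': 'sn', 'clock': 'c'}
```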
Chapter 3 Router Management
This chapter explains how to carry out router management tasks. These tasks involve configuration, monitoring, and reporting on the following router features and capabilities:
• Management Interfaces
• Time and Date
• SNMP
• User Management
• Authentication
• File System Management
• Event Management
• Software Upgrade
• Restarting the Switch
3.1 Management Interfaces
INOS provides several optional management interfaces. Secure options are enabled by default but you can enable other less secure interfaces if you judge them to be necessary or useful.
3.1.1 Defaults
INOS is shipped with the following defaults. These defaults are available on initial startup and remain valid across all interfaces until they are replaced or supplemented by the user.
• Access — HTTPS and SSH access to the system are enabled by default. Any necessary keys and certificates required by these interfaces are generated automatically by the system when it boots up for the first time.
• Username — manager is the default username.
• Password — manager is the default password.
3.1.2 Secure Web Server
The Secure Web Server implementation supports the following features:
• TLS 1.0 protocol
• High grade 3DES, 168-bit encryption
• Certificates with RSA keys of 512 and 1024 bits
• Access on the standard TCP port 443
To enable the HTTP Secure Server functionality in the GUI go to the System: Management: SSL: SSL Global Settings tab, as illustrated in Figure 3-1.
Figure 3-1. Enabling SSL
Secure Server is enabled by default. Disable it by selecting Disable in the dropdown menu, clicking Apply, and refreshing the page.
3.1.2.1 Generating a New RSA Key and Certificate
A new RSA key and matching certificate can be generated using the following procedure. You may want to periodically generate a new RSA key for your web server to improve security or you may wish to use a certificate that has been signed by a Certificate Authority that your organization trusts.
In the GUI go to the System: Management: SSL: SSL Digital Certificate tab to enter a digital certificate, as illustrated in Figure 3-2.
Figure 3-2. SSL Digital Certificate Tab
Use the following procedures to request and enter a new certificate.
1. Navigate to the System / SSL web page.
2. Select the SSL Digital Certificate tab.
3. Specify an RSA key size (512 or 1024).
4. Select the Generate Certificate Signing Request radio button.
5. Enter the desired Common Name.
6. Press the Apply button.
You will see a PEM encoded certificate request appear in the text box.
7. Send the certificate request to your Certificate Authority (CA) for signing.
When you have received your PEM encoded signed certificate from the CA, navigate back to the SSL Digital Certificate tab:
1. Select the Enter Certificate Signed By Certification Authority radio button.
2. Cut and paste the PEM encoded signed certificate into the text box.
3. Press the Apply button.
4. Reload your system for the new RSA key and certificate to take effect. (For information on the reload command see Section 3.9.)
A sample PEM encoded certificate request is shown below:
-----BEGIN CERTIFICATE REQUEST-----
MIIBVjCBwAIBADAXMRUwEwYDVQQDEwxQT1dFUlVUSUxJVFkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOFQrwgHgHimZYz8NZ8KLlO9kKYIA7sdGjpoHRKdSRrS5n+GSHpPiVzr1MA1O1EiZoKDNOYEmdDT5ra0ZeWtaF/B/EobFtuYFARorXtn3ah6W7p7j72N+/lEbNnFINbhD/uJ3M5V96xKBtNnyDlmnmODxdBKIV7IhSsbnfLRSLiNAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQB5kSTjCOb2dFOlPbs3RFY+wi02y0rj1h/zLY+ydUjVooWvGKIPFiSSzJ/AjmoWgpLD4Os5PLE2kcdHLGV91vptxjT6Gk2MOAfwByDM3XJCg4mZySQOoyovH/dKS2zDzKQx/XgZXOpTLBDuDk56uyCbgniP9fCqwbXAp0y/w/uomQ==
-----END CERTIFICATE REQUEST-----
A sample PEM encoded signed certificate is shown below:
-----BEGIN CERTIFICATE-----
[certificate body not reproduced in this copy of the guide]
-----END CERTIFICATE-----
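Before sending a request like the one above to a CA, it is worth confirming offline what the router actually produced: the key length (512 or 1024 bits here) and the hash algorithm the request is signed with. The following Python is an added example, not part of the guide or of INOS; it uses only the standard library, walks the DER structure of the sample request shown above, and applies a policy threshold (2048-bit minimum, with MD5 and SHA-1 signatures flagged) that is the example's own assumption, not a setting of the device:

```python
import base64
import re

# Sample CSR reproduced from Section 3.1.2.1 of the guide; it is the input here.
SAMPLE_CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIBVjCBwAIBADAXMRUwEwYDVQQDEwxQT1dFUlVUSUxJVFkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOFQrwgHgHimZYz8NZ8KLlO9kKYIA7sdGjpoHRKdSRrS5n+GSHpPiVzr1MA1O1EiZoKDNOYEmdDT5ra0ZeWtaF/B/EobFtuYFARorXtn3ah6W7p7j72N+/lEbNnFINbhD/uJ3M5V96xKBtNnyDlmnmODxdBKIV7IhSsbnfLRSLiNAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQB5kSTjCOb2dFOlPbs3RFY+wi02y0rj1h/zLY+ydUjVooWvGKIPFiSSzJ/AjmoWgpLD4Os5PLE2kcdHLGV91vptxjT6Gk2MOAfwByDM3XJCg4mZySQOoyovH/dKS2zDzKQx/XgZXOpTLBDuDk56uyCbgniP9fCqwbXAp0y/w/uomQ==
-----END CERTIFICATE REQUEST-----"""

# Well-known PKCS#1 signature algorithm OIDs (the example's own lookup table).
SIGNATURE_ALGORITHMS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
OID_COMMON_NAME = "2.5.4.3"


def pem_to_der(pem):
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at `pos`; return (tag, value, end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def elements(value):
    """Split the value of a SEQUENCE/SET into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Dotted-string form of a DER OBJECT IDENTIFIER value."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def inspect_csr(pem):
    """Subject CN, RSA modulus size, public exponent and signature algorithm of a PKCS#10 CSR."""
    tag, csr, _ = read_tlv(pem_to_der(pem))
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    info, sig_alg, _signature = elements(csr)
    _version, subject, spki, _attrs = elements(info[1])
    cn = None
    for _, rdn_set in elements(subject[1]):              # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in elements(rdn_set):
            oid, value = elements(atv)
            if decode_oid(oid[1]) == OID_COMMON_NAME:
                cn = value[1].decode("ascii")
    _algorithm, (_, bit_string) = elements(spki[1])      # SubjectPublicKeyInfo
    _, rsa_public_key, _ = read_tlv(bit_string[1:])      # skip the unused-bits octet
    modulus, exponent = (v for _, v in elements(rsa_public_key))
    oid_raw = elements(sig_alg[1])[0][1]
    return {
        "subject_cn": cn,
        "key_bits": int.from_bytes(modulus, "big").bit_length(),
        "public_exponent": int.from_bytes(exponent, "big"),
        "signature_algorithm": decode_oid(oid_raw),
    }


def findings(report, min_key_bits=2048):
    """Policy checks a reviewer would apply before forwarding the request to a CA (assumed policy)."""
    out = []
    if report["key_bits"] < min_key_bits:
        out.append(f"RSA key is {report['key_bits']} bits; policy requires >= {min_key_bits}")
    name = SIGNATURE_ALGORITHMS.get(report["signature_algorithm"], "unknown")
    if name in ("md5WithRSAEncryption", "sha1WithRSAEncryption", "unknown"):
        out.append(f"CSR self-signature uses {name} ({report['signature_algorithm']})")
    return out


if __name__ == "__main__":
    report = inspect_csr(SAMPLE_CSR_PEM)
    print(report)
    for line in findings(report):
        print("FINDING:", line)
```

Run against the sample request, the parser reports a 1024-bit key for CN POWERUTILITY signed with md5WithRSAEncryption, so both policy checks fire; a CA that refuses sub-2048-bit keys would reject this request as generated.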
3.1.3 Secure Shell Server
The Secure Shell (SSH) Server implementation supports the following features:
• The SSHv2 protocol
• High grade 3DES, 168 bit encryption
• Access on the standard TCP port 22
Although it is not recommended, the SSH server may also be configured in compatibility mode in order to interoperate with older SSHv1 clients.
3.1.3.1 Configuring Compatibility Mode
Compatibility with SSHv1 clients can be configured using the CLI or by using the graphical interface.
1. Configuring with the CLI:
To allow SSHv1 clients to connect to the SSH server enter the following on the CLI command line:
Magnum 10RX(config)# ip ssh version compatibility
2. Configuring with a web browser
a. Navigate to the System / SSH web page.
b. Select Both-V1,V2 from the SSH Version Compatibility drop down list.
c. Press the Apply button.
Figure 3-3. Configuring SSH V1 Compatibility
3.1.4 Telnet Server
The Telnet Server is disabled by default since it is not a secure protocol.
Telnet access can be enabled on standard TCP port 23 using the following CLI command:
Magnum 10RX(config)# set telnet enable
3.1.5 Non-SSL Web Server
Non-SSL HTTP access is disabled by default since it is not a secure protocol.
WARNING: If the CLI is accessed via Telnet, the username and password will be sent in the clear and could be snooped on by an attacker.
WARNING: If the GUI is accessed via HTTP, the username and password will be sent in the clear and could be snooped on by an attacker.
Non-SSL HTTP access can be enabled on standard TCP port 80 using the following CLI command:
Magnum 10RX(config)# set http enable
3.2 Time and Date
The system time and date can be obtained by implementing SNTP (see Section 3.2.2, “Configuring SNTP in the CLI,” and Section 3.2.3, “Configuring SNTP in the GUI”) or it can be set manually with the clock command.
For time and date functionality accessed in the GUI see Section 3.8.2.1.
3.2.1 Setting Time and Date Manually
You can set the time and date by using the clock set command at the Magnum 10RX# prompt.
Command syntax:
clock set hh:mm:ss day month year
Where:
hh:mm:ss is the specified time. Valid values for the hour are in a range of 00-23, for minutes, 00-60, and for seconds 00-60.
day is a numerical value specifying the day of the month in a range of 1-31,
month is an alphabetic string specifying the month.
year is a four-digit string in the range 2000-2035.
Example:
Magnum 10RX# clock set 12:51:30 26 september 2012
You can view the current system time with the show clock command.
Example:
Figure 3-4. show clock Command Output
Magnum 10RX# show clock
Tue Nov 06 16:23:18 2012
Magnum 10RX#
3.2.2 Configuring SNTP in the CLI
SNTP (Simple Network Time Protocol) is used to obtain the system time and date from an SNTP server and to synchronize network devices to that time.
The following commands enable you to configure Simple Network Time Protocol (SNTP) functionality to obtain the correct time from an SNTP server.
3.2.2.1 Enabling and Disabling the SNTP Client
Use the set sntp command in Global Configuration mode to enable and disable the SNTP client.
Command syntax:
set sntp {enable | disable}
Example:
Magnum 10RX(config)# set sntp enable
This example enables the SNTP client on the current INOS device.
Default value: Disabled
3.2.2.2 Setting the SNTP Client Version
Use the sntp client version command in Global Configuration mode to specify the SNTP version on your network. Version 4, specified in RFC 5905, became the current reference version in 2010.
Command syntax:
sntp client version {v1 | v2 | v3 | v4}
Example:
Magnum 10RX(config)# sntp client version v4
This example specifies that the SNTP client on the current INOS device will use SNTP version 4. The SNTP client should use the same version as that running on the SNTP server.
Default value: v4
3.2.2.3 Setting the SNTP Client Addressing Mode
Use the sntp client addressing mode command in Global Configuration mode to specify the SNTP addressing mode on this client.
Command syntax:
set sntp client addressing mode {unicast | broadcast | multicast}
TIP: You can force the system clock to update by disabling and re-enabling the SNTP client with the set sntp command.
Where:
unicast — Unicast operates in a point-to-point fashion. A unicast client sends a request to a designated server at its unicast address and expects a reply from which it can determine the time and, optionally, the round-trip delay and local clock offset relative to the server.
broadcast — Broadcast operates in a point-to-multipoint fashion. The SNTP server uses an IP local broadcast address instead of a multicast address. The broadcast address is scoped to a single subnet, while a multicast address has Internet-wide scope.
multicast — Multicast operates in point-to-multipoint fashion. The SNTP server uses a multicast group address to send unsolicited SNTP messages to clients. The client listens on this address and sends no requests for updates.
Example:
Magnum 10RX(config)# sntp client addressing mode unicast
Default value: unicast
3.2.2.4 Setting the SNTP Client Port
Use the sntp client port command in Global Configuration mode to specify the SNTP port on a server that is waiting for a client connection.
Notes:
• The default value of 123 for this port is assigned by the Internet Assigned Numbers Authority (IANA).
• This command is executed only if SNTP is enabled.
• The command no sntp client port deletes any non-default value that had been specified and restores the default.
Command syntax:
sntp client port portnum
Where,
portnum is a numerical value in the range 1025-65535
Example:
Magnum 10RX(config)# sntp client port 777
Default value: 123
Valid range: 1025-65535
3.2.2.5 Setting the SNTP Clock Format
Use the sntp client clock-format command in Global Configuration mode to specify the time reporting format to be displayed.
Command syntax:
sntp client clock-format {ampm | hours}
Where:
ampm — Display the time in two 12-hour cycles (00:00:00-11:59:50) with suffixes AM and PM.
hours — Display the time in a single 24-hour cycle (00:00:00-23:59:59).
Example:
Magnum 10RX(config)# sntp client clock-format hours
This example specifies that the time obtained with the SNTP protocol will be displayed in 24-hour format.
Default value: hours
3.2.2.6 Setting the SNTP Client Time Zone
Use the sntp client time-zone command in Global Configuration mode to specify the difference between Universal Coordinated Time (UTC) and the local time.
Command syntax:
sntp client time-zone [+ | -] diffhrs:diffmin
Where:
+ and - preceding time values indicate a time in advance of or behind UTC.
diffhrs:diffmin specifies the difference from UTC in hours and minutes.
Example:
Magnum 10RX(config)# sntp client time-zone -5:00
This example specifies that the local time is 5 hours behind UTC. (This is the correct setting for U. S. Eastern Standard Time.)
Default value: +0:0
Valid range: -12:59 to +12:59
3.2.2.7 Setting the SNTP Clock Summer Time
Use the sntp client clock-summer-time command in Global Configuration mode to specify the beginning of Daylight Saving Time (DST) (when clocks are turned back one hour) and the end of DST (when clocks are turned ahead one hour) at your location.
Command syntax:
sntp client clock-summer-time startweek-startday-startmonth,hh:mm endweek-endday-endmonth,hh:mm
Where:
startweek is first, second, third, fourth, or fifth - designating the position in the month of the week in which DST will begin.
startday is sun, mon, tue, wed, thu, fri, or sat - designating the day in the starting week on which DST will begin.
startmonth is jan, feb, mar, apr, may, jun, jul, aug, sep, oct, nov, or dec - designating the month in which DST will begin.
hh:mm is a numerical string designating the hour and minute at which DST will begin or end.
endweek is first, second, third, fourth, or fifth - designating the position in the month of the week in which DST will end.
endday is sun, mon, tue, wed, thu, fri, or sat - designating the day in the ending week on which DST will end.
endmonth is jan, feb, mar, apr, may, jun, jul, aug, sep, oct, nov, or dec - designating the month in which DST will end.
Example:
Magnum 10RX(config)# sntp client clock-summer-time second-sun-mar,02:00 first-sun-nov,02:00
This example specifies that DST will begin at 2:00 am on the second Sunday of March and will end at 2:00 am on the first Sunday of November.
Note that the two large elements of this specification are separated by a space and that within each of those elements the hour and minute specification is separated from the week-day-month specification by a comma only (no spaces).
3.2.2.8 Setting the SNTP Client Authentication Key
Use the sntp client authentication-key command in Global Configuration mode to enforce secure communications between SNTP client and server in the Unicast addressing mode. SNTP authentication is an optional feature. The key and key-id values required to implement it on the client should be available from the administrator of SNTP security.
Command syntax:
sntp client authentication-key key-id md5 key
Where,
key-id is an integer to be included in server packets to provide authentication.
key is a string to identify the client.
Example:
Magnum 10RX(config)# sntp client authentication-key 123 md5 whiterabbit
This example specifies that the SNTP client obtain time and date information from the server whose packets include the key-id 123 after supplying the key whiterabbit as authentication.
Valid ranges:
key-id: 0 to 65535
key: alphanumeric string of up to 16 characters.
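The following Python is an added example (not from the guide or from INOS) that shows what the client does in unicast mode as described in Section 3.2.2.3 (the request and reply timestamps, and the clock offset and round-trip delay computed from them) and how the key-id/MD5 authenticator of Section 3.2.2.8 is attached and checked. The exchange is simulated with constructed timestamps: the key id 123 and key whiterabbit come from the example above, and the server side is a constructed reply, not a real SNTP server.

```python
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2_208_988_800          # seconds from 1900-01-01 to 1970-01-01
HEADER_FMT = "!BBBbIIIIIIIIIII"           # 48-byte SNTP header (RFC 4330 / RFC 5905)
MODE_CLIENT, MODE_SERVER = 3, 4


def to_ntp(unix_time):
    """Unix float seconds -> (NTP seconds, 32-bit fraction)."""
    secs = int(unix_time)
    return secs + NTP_EPOCH_OFFSET, int(round((unix_time - secs) * (1 << 32)))


def from_ntp(secs, frac):
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_request(t1, version=4):
    """Unicast client request: LI=0, VN=version, mode 3, transmit timestamp = T1."""
    s, f = to_ntp(t1)
    return struct.pack(HEADER_FMT, (version << 3) | MODE_CLIENT, 0, 0, 0,
                       0, 0, 0, 0, 0, 0, 0, 0, 0, s, f)


def build_server_reply(request, t2, t3, stratum=2, version=4):
    """Constructed server reply (mode 4): echoes the client's T1 as the originate
    timestamp, stamps T2 (receive) and T3 (transmit) from the server clock."""
    req = struct.unpack(HEADER_FMT, request[:48])
    orig_s, orig_f = req[13], req[14]
    return struct.pack(HEADER_FMT, (version << 3) | MODE_SERVER, stratum, 6, -20,
                       0, 0, 0, 0, 0, orig_s, orig_f, *to_ntp(t2), *to_ntp(t3))


def compute_offset_delay(reply, t1, t4):
    """Clock offset and round-trip delay (RFC 4330 section 5) from one exchange."""
    f = struct.unpack(HEADER_FMT, reply[:48])
    if f[0] & 0x07 != MODE_SERVER:
        raise ValueError("not a server reply")
    if abs(from_ntp(f[9], f[10]) - t1) > 1e-6:
        # A reply whose originate timestamp is not our T1 is stale or not ours.
        raise ValueError("originate timestamp does not match our request")
    t2, t3 = from_ntp(f[11], f[12]), from_ntp(f[13], f[14])
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def append_mac(packet, key_id, key):
    """Symmetric-key authenticator: 4-byte key id + MD5(key || packet) (RFC 5905 section 7.3)."""
    return packet + struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()


def verify_mac(packet, key_id, key):
    """Check the trailer of an authenticated 48+20 byte packet against a known key."""
    if len(packet) != 48 + 4 + 16:
        return False
    body, trailer = packet[:48], packet[48:]
    if struct.unpack("!I", trailer[:4])[0] != key_id:
        return False
    return hmac.compare_digest(hashlib.md5(key + body).digest(), trailer[4:])


if __name__ == "__main__":
    # Constructed scenario: server clock is 1.0 s ahead, 0.1 s one-way delay, 50 ms server turnaround.
    t1 = 1_000_000_000.0
    request = build_request(t1)
    reply = build_server_reply(request, t2=1_000_000_001.1, t3=1_000_000_001.15)
    t4 = 1_000_000_000.25
    print("offset %.3f s, delay %.3f s" % compute_offset_delay(reply, t1, t4))
    signed = append_mac(reply, 123, b"whiterabbit")
    print("authenticator valid:", verify_mac(signed, 123, b"whiterabbit"))
```

The originate-timestamp check is the one defensive step a plain SNTP client has without authentication; with a key configured, verify_mac rejects replies from anyone who does not hold the shared key, which is why the guide recommends the authentication-key option for unicast mode.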
3.2.2.9 Setting the SNTP Unicast Server
Use the sntp unicast server command in Global Configuration mode to specify the SNTP server to be used for Unicast time and date synchronization.
Command syntax:
sntp unicast-server ipv4 4addr [primary | secondary] [3 | 4] [port portnum]
Where,
4addr is the IP address of the server in IPv4 format.
primary or secondary are the two valid specifications for Unicast server type.
3 or 4 are the two valid specifications for SNTP version.
portnum is a numerical value in the range 1025-36564 specifying the port identifier in the server.
Example:
Magnum 10RX(config)# sntp unicast-server ipv4 192.5.41.209 primary 4 1234
3.2.2.10 Setting the SNTP Unicast Server Auto-discovery
Use the sntp unicast-server auto-discovery command in Global Configuration mode to enable the client to automatically discover the SNTP unicast server.
Command syntax:
sntp unicast-server auto-discovery {enabled | disabled}
Example:
Magnum 10RX(config)# sntp unicast-server auto-discovery enabled
Default value: disabled
3.2.2.11 Setting the SNTP Unicast-poll-interval
Use the sntp unicast-poll-interval command in Global Configuration mode to set the interval between SNTP request messages to the server.
Command syntax:
sntp unicast-poll-interval poll-secs
Where:
poll-secs is a numerical value specifying the interval in seconds between SNTP messages.
Example:
Magnum 10RX(config)# sntp unicast-poll-interval 120
Valid range: 16-16284 seconds
Default value: 64
3.2.2.12 Setting the SNTP Unicast-max-poll-timeout
Use the sntp unicast-max-poll-timeout command in Global Configuration mode to configure maximum interval to wait for a request message to complete.
Command syntax:
sntp unicast-max-poll-timeout to-secs
Where:
to-secs is a numerical value specifying the maximum number of seconds to wait for a poll to complete.
Example:
Magnum 10RX(config)# sntp unicast-max-poll-timeout 20
Valid range: 1-30 seconds
Default value: 5
3.2.2.13 Setting the SNTP Unicast-max-poll-retry
Use the sntp unicast-max-poll-retry command in Global Configuration mode to configure the maximum number of failed request messages to a non-responsive server.
Command syntax:
sntp unicast-max-poll-retry retries
Where:
retries is a numerical value specifying the maximum number of times to retry sending request messages to a non-responsive server.
Example:
Magnum 10RX(config)# sntp unicast-max-poll-retry 5
Valid range: 1-10
Default value: 3
3.2.2.14 Enabling and Disabling Broadcast Mode Send Request
Use the sntp broadcast-mode send-request command in Global Configuration mode to send request packets to the broadcast server to calculate transmission delay.
Command syntax:
sntp broadcast-mode send-request [enabled | disabled]
Example:
Magnum 10RX(config)# sntp broadcast-mode send-request enabled
This example enables the sending of packets to the SNTP server to calculate the transmission delay. If this is not enabled the configured SNTP broadcast delay time is used.
Default value: Disabled
3.2.2.15 Setting SNTP Broadcast Poll Timeout
Use the sntp broadcast-poll-timeout command in Global Configuration mode to specify the maximum length of time to wait for a poll to complete.
Command syntax:
sntp broadcast-poll-timeout secs
Where:
secs is a numerical value specifying the maximum number of seconds to wait for a poll to complete.
Example:
Magnum 10RX(config)# sntp broadcast-poll-timeout 15
This example sets the maximum wait time to 15 seconds.
Default value: 5
Valid range: 1-30
3.2.2.16 Setting SNTP Broadcast Delay Time
Use the sntp broadcast-delay-time command in Global Configuration mode to specify the delay time in the case where the client does not receive a response from the server.
Command syntax:
sntp broadcast-delay-time microsecs
Where:
microsecs is a numerical value specifying the number of microseconds the client will wait for a response from the server.
Example:
Magnum 10RX(config)# sntp broadcast-delay-time 12000
Default value: 8000
Valid range: 1000-15000
3.2.2.17 Enabling and Disabling Multicast Mode Send Request
Use the sntp multicast-mode send-request command in Global Configuration mode to send request packets to the broadcast server to calculate transmission delay.
Command syntax:
sntp multicast-mode send-request {enabled | disabled}
Example:
Magnum 10RX(config)# sntp multicast-mode send-request enabled
This example enables the sending of packets to the SNTP server to calculate the transmission delay. If this is not enabled the configured SNTP multicast delay time is used.
Default value: Disabled
3.2.2.18 Setting SNTP Multicast Poll Timeout
Use the sntp multicast-poll-timeout command in Global Configuration mode to specify the maximum length of time to wait for a poll to complete.
Command syntax:
sntp multicast-poll-timeout secs
Where:
secs is a numerical value specifying the maximum number of seconds to wait for a poll to complete.
Example:
Magnum 10RX(config)# sntp multicast-poll-timeout 15
Default value: 5
Valid range: 1-30
3.2.2.19 Setting SNTP Multicast Delay Time
Use the sntp multicast-delay-time command in Global Configuration mode to specify the length of time the client will wait for a response from the server.
Command syntax:
sntp multicast-delay-time microsecs
Where:
microsecs is a numerical value specifying the number of microseconds the client will wait for a response from the server.
Example:
Magnum 10RX(config)# sntp multicast-delay-time 12000
Default value: 8000
Valid range: 1000-15000
3.2.2.20 Setting SNTP Multicast Group Address
Use the sntp multicast-group-address command in Global Configuration mode to specify an IP address where the client will listen for updates from an SNTP server.
Command syntax:
sntp multicast-group-address {ipv4 mcast_addr | default}
Where:
mcast_addr is an IPv4 multicast address.
default sets the multicast default address to 224.0.1.1.
Example:
Magnum 10RX(config)# sntp multicast-group-address ipv4 224.0.1.2
3.2.2.21 Displaying Settings and Status
Use the following commands at the Magnum 10RX# prompt to display current settings and status:
• show sntp status
• show sntp unicast-mode status
• show sntp broadcast-mode status
• show sntp multicast-mode status
3.2.3 Configuring SNTP in the GUI
The Graphical User Interface provides four screens for SNTP configuration.
The Client Configuration Screen
This screen enables you to configure Simple Network Time Protocol (SNTP) functionality to obtain the correct time from an SNTP server.
Figure 3-5. SNTP Client Configuration Screen
The SNTP parameters configurable on the CLI and described above are also configurable in the GUI on the screen depicted in Figure 3-5. Some parameters may be selected from drop-down lists; others are user-supplied according to the criteria described above for command line entry.
The SNTP Unicast Table Screen
Figure 3-6. SNTP Unicast Table Screen
The parameters configurable in this screen correspond to those described in the sntp unicast-server command above.
The SNTP Broadcast Configuration Screen
Figure 3-7. SNTP Broadcast Configuration Screen
The parameters configurable in this screen correspond to those described in the several sntp broadcast- commands above.
The SNTP Multicast Configuration Screen
Figure 3-8. SNTP Multicast Configuration Screen
The parameters configurable in this screen correspond to those described in the several sntp multicast- commands above.
3.3 SNMP
The SNMP is a widely deployed protocol that is commonly used to monitor and manage network devices. SNMP works by sending messages, called protocol data units (PDUs), to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters.
3.3.1 Configuring SNMPv3 Access
SNMPv3 configuration is based on the tables defined in RFC 3414 (SNMP USM) and RFC 3415 (SNMP VACM). To really understand how to configure SNMPv3 you should become familiar with these documents and the MIBs they define. In summary, to configure SNMPv3 access to the 10RX, you must perform the following actions:
1. Define at least one SNMPv3 user.
An SNMPv3 user entry consists of:
• a security name
• an authentication protocol
• an authentication key
• a privacy protocol
• a privacy key
2. Define at least one SNMPv3 group.
An SNMPv3 group entry consists of:
• a group name
• a user security name
• a security model
• a security level
Multiple users may be added to a group by creating multiple group entries with the same group name.
3. Define an SNMPv3 access policy for each group.
An SNMPv3 access policy entry consists of:
• the group name
• a read view name
• a write view name
• a notify view name
4. Define at least one SNMPv3 view.
An SNMPv3 view entry consists of:
• a tree OID
• an OID mask
• a type
Views define a set of tree branches within a MIB that may or may not be accessed by a group. Separate views for reading, writing, and notifications are assigned to a group via the SNMP access policy described in the previous step.
3.3.1.1 Example SNMPv3 Configuration
Figure 3-9 illustrates the configuration of a single user with read/write access to the entire 10RX MIB. SNMP packets will be authenticated using MD5 (with the key auth1234) and encrypted using DES (with the key priv1234).
Figure 3-9. SNMPv3 Configuration
Magnum 10RX(config)# snmp user bob auth md5 auth1234 priv des priv1234
Magnum 10RX(config)# snmp group group1 user bob security-model v3
Magnum 10RX(config)# snmp access group1 v3 priv read defaultview write defaultview notify defaultview
Magnum 10RX(config)# snmp view defaultview 1 included
3.3.2 Managing SNMPv3 Views
You can limit a user's access to specific MIB trees through advanced configuration of the SNMP views assigned to that user's group. In the previous example the snmp view defaultview 1 included command tells the system that user bob should be able to access the entire MIB. That is, all OIDs starting with the sub-identifier 1 are included in the view. You can create exceptions to this policy using the excluded keyword. For example, if you wish to prevent bob from accessing any private MIB objects, you can add the following configuration to the previous example:
Figure 3-10. SNMPv3 View Configuration Example 1
Magnum 10RX(config)# snmp view defaultview 1.3.6.1.4 excluded
You can assign different views to a group for reading, writing, and notifications. So, for example, you can easily create a configuration in which bob is allowed to read the entire MIB but is not allowed to write to any objects in the private MIB. The commands required to implement such a configuration would be:
Figure 3-11. SNMPv3 View Configuration Example 2
Magnum 10RX(config)# snmp user bob auth md5 auth1234 priv des priv1234
Magnum 10RX(config)# snmp group group1 user bob security-model v3
Magnum 10RX(config)# snmp access group1 v3 priv read defaultread write defaultwrite notify defaultnotify
Magnum 10RX(config)# snmp view defaultread 1 included
Magnum 10RX(config)# snmp view defaultwrite 1 included
Magnum 10RX(config)# snmp view defaultwrite 1.3.6.1.4 excluded
Magnum 10RX(config)# snmp view defaultnotify 1 included
3.3.3 Configuring SNMPv3 Notifications
SNMPv3 notification configuration is based on the tables defined in RFC 3413 (SNMP Applications). To obtain the best understanding of SNMPv3 notification configuration you should become familiar with that document and the MIBs it defines.
In summary, to configure SNMPv3 notifications on the 10RX you must perform the following actions:
1. Define at least one SNMPv3 target address.
An SNMPv3 target address entry consists of:
• the name of the target address entry
• the name of a target parameters entry
• a target IP address
• a tag
The tag is used to associate a target address with a notification type (see below).
2. Define at least one set of SNMPv3 target parameters.
An SNMPv3 target parameters entry consists of:
• the name of the target parameters entry
• a security name
• a security model
• a security level
• a message processing model
Each set of target parameters defines the security policy to be used when sending the notification. A target parameter entry is mapped to a target address entry.
3. Define at least one SNMPv3 notification entry.
An SNMPv3 notification entry consists of:
• the notification entry name
• a tag name
• a notification type
3.3.3.1 Example SNMPv3 Notification Configuration
Figure 3-12 illustrates the configuration of SNMPv3 traps to be sent to the user bob defined in the previous example. The trap will be sent using the security policy defined for bob and only traps that fall within bob's allowed notify view will be sent. The trap will be delivered to the address 192.168.2.42.
Figure 3-12. SNMPv3 Notification Configuration
Magnum 10RX(config)# snmp targetaddr target1 param param1 ipv4 192.168.2.42 taglist tag1
Magnum 10RX(config)# snmp targetparams param1 user bob security-model v3 priv message-processing v3
Magnum 10RX(config)# snmp notify notify1 tag tag1 type trap
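The three commands in Figure 3-12 populate the three RFC 3413 tables described in the procedure above, and the agent joins them at send time: the notify entry's tag selects target address entries whose tag list contains it, and each target address names the target parameters that supply the security policy. The following Python is an added example (not INOS code) that performs that join over a constructed copy of the Figure 3-12 tables so the resulting delivery list can be reviewed. Assumptions: UDP/162 is used when no port is configured on the target address, the security level is recorded as noauth for v1/v2c parameters (the CLI only accepts a level for v3), and the warnings are this example's own configuration-review findings, not messages the device prints.

```python
"""Resolve which destinations an SNMP notify entry reaches (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class TargetAddr:
    """snmp targetaddr <name> param <params> ipv4 <ip> taglist <tags> [port <n>]"""
    params: str
    ipv4: str
    taglist: List[str]
    port: int = 162          # assumption: UDP/162 when no port is configured


@dataclass
class TargetParams:
    """snmp targetparams <name> user <u> security-model <m> [level] message-processing <mp> [filter <f>]"""
    user: str
    security_model: str      # "v1" | "v2c" | "v3"
    security_level: str      # "noauth" | "auth" | "priv"; v1/v2c recorded as "noauth"
    mp_model: str
    filter_profile: Optional[str] = None


@dataclass
class Notify:
    """snmp notify <name> tag <tag> type {trap | inform}"""
    tag: str
    kind: str


@dataclass
class Delivery:
    target: str
    ipv4: str
    port: int
    kind: str
    security_model: str
    security_level: str
    user: str
    filter_profile: Optional[str]
    warnings: List[str] = field(default_factory=list)


def resolve(notifies: Dict[str, Notify], addrs: Dict[str, TargetAddr],
            params: Dict[str, TargetParams], notify_name: str) -> List[Delivery]:
    """Join notify -> targetaddr (by tag) -> targetparams (by name).
    A target address that names a missing params entry is a configuration
    error, so it is reported instead of being silently skipped."""
    n = notifies[notify_name]
    deliveries = []
    for tname, addr in addrs.items():
        if n.tag not in addr.taglist:
            continue                                  # tag does not select this target
        if addr.params not in params:
            raise KeyError(f"target {tname} references unknown params {addr.params}")
        p = params[addr.params]
        d = Delivery(tname, addr.ipv4, addr.port, n.kind, p.security_model,
                     p.security_level, p.user, p.filter_profile)
        # Review findings: anything below v3/priv leaves the notification
        # payload (and, for v1/v2c, the community string) readable on the wire.
        if p.security_model != "v3":
            d.warnings.append(f"{p.security_model} community-based security: cleartext")
        elif p.security_level != "priv":
            d.warnings.append(f"v3 {p.security_level}: payload not encrypted")
        deliveries.append(d)
    return deliveries


# Constructed tables mirroring Figure 3-12 (user bob, v3 priv, target 192.168.2.42).
NOTIFIES = {"notify1": Notify(tag="tag1", kind="trap")}
ADDRS = {"target1": TargetAddr(params="param1", ipv4="192.168.2.42", taglist=["tag1"])}
PARAMS = {"param1": TargetParams(user="bob", security_model="v3",
                                 security_level="priv", mp_model="v3")}

if __name__ == "__main__":
    for d in resolve(NOTIFIES, ADDRS, PARAMS, "notify1"):
        print(d)
```

Running the block against the Figure 3-12 tables yields a single delivery to 192.168.2.42 with no warnings; swapping in a v2c parameters entry (as the SNMPv2c examples later in this chapter do) produces the cleartext finding.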
3.3.4 Filtering SNMPv3 Notifications
You can filter SNMPv3 notifications so that only certain notifications are sent to particular Management Stations. To configure SNMPv3 notification filtering, you must perform the following actions:
1. Specify a filter profile name when configuring the target parameters (step 2 from the previous section)
2. Define a filter profile.
An SNMPv3 filter profile entry consists of:
• a filter profile name
• an OID
• a type
Configuring a filter profile entry is very similar to configuring an SNMPv3 view entry. All of the filter profile entries with the same filter profile name form a single filtering policy.
3.3.4.1 Example SNMPv3 Notification Filtering
Figure 3-13 illustrates the configuration of SNMPv3 notification filtering so that no enterprise specific traps (OID prefix 1.3.6.1.4) are sent to the Management Station at 192.168.2.42.
Figure 3-13. SNMPv3 Notification Filtering
Magnum 10RX(config)# snmp targetaddr target1 param param1 ipv4 192.168.2.42 taglist tag1
Magnum 10RX(config)# snmp targetparams param1 user bob security-model v3 priv message-processing v3 filter filter1
Magnum 10RX(config)# snmp notify notify1 tag tag1 type trap
Magnum 10RX(config)# snmp filter filter1 1 included
Magnum 10RX(config)# snmp filter filter1 1.3.6.1.4 excluded
3.3.5 Configuring SNMPv2c Access
Although it is not recommended, it is possible to configure the 10RX agent to respond to SNMPv2c (or SNMPv1) requests. SNMPv1 and SNMPv2c use a non-secure clear text password called a community string for the purposes of authentication and authorization. This community string must be configured within the context of the overall SNMP security architecture defined by RFC 3412 and the co-existence strategy and MIBs defined by RFC 3584.
3.3.5.1 Example SNMPv2c Configuration
Figure 3-14 illustrates the configuration of two SNMPv2c communities. The first community (public) can only read the MIB. The second community (private) has read and write privileges.
Figure 3-14. SNMPv2 View Configuration
Magnum 10RX(config)# snmp view defaultv2c 1 included
Magnum 10RX(config)# snmp user public
Magnum 10RX(config)# snmp group public user public security-model v2c
Magnum 10RX(config)# snmp access public v2c read defaultv2c
Magnum 10RX(config)# snmp community index public name public security public
Magnum 10RX(config)# snmp user private
Magnum 10RX(config)# snmp group private user private security-model v2c
Magnum 10RX(config)# snmp access private v2c read defaultv2c write defaultv2c
Magnum 10RX(config)# snmp community index private name private security private
3.3.5.2 Limiting SNMPv2c Access By Management IP
You can configure the 10RX agent to only allow SNMPv2c access from certain Management IPs. This is accomplished by creating a v2c target address and associated parameters and then specifying that target address using a transport tag during community string configuration.
The following example assumes the SNMPv2c access configuration in Section 3.3.5.1 and adds configuration that limits access only to requests from the Management Station at 192.168.2.42.
Figure 3-15. SNMPv2c Limit Access By Management IP Example
Magnum 10RX(config)# snmp targetaddr target1 param param1 ipv4 192.168.2.42 taglist tag1
Magnum 10RX(config)# snmp targetparams param1 user public security-model v2c message-processing v2c
Magnum 10RX(config)# snmp community index public name public security public transporttag tag1
3.3.5.3 Configuring SNMPv2c Traps
You can configure the 10RX agent to generate SNMPv1/v2c traps. For each Management Station defined using the procedure in the previous section, you can enable traps by associating a notification type with the transport tag.
The following example assumes the SNMPv2c access configuration in Section 3.3.5.2 and adds trap generation to the Management Station at 192.168.2.42 using the public community string.
Figure 3-16. SNMPv2c Trap Configuration Example
Magnum 10RX(config)# snmp notify notify1 tag tag1 type trap
3.3.6 SNMP Configuration in the CLI
The following sections detail the CLI commands to use to configure SNMP functionality.
3.3.6.1 Enabling and Disabling the SNMP Agent
Use the set snmp command in Global Configuration mode to enable or disable the SNMP agent. You must enable the SNMP agent to use SNMP on the device.
Command syntax:
set snmp {disable | enable}
Example:
Magnum 10RX(config)# set snmp enable
Default value: disabled
3.3.6.2 Configuring SNMP Communities
Use the snmp community index command in Global Configuration mode to specify and manage SNMP communities. For more on SNMP communities see Section 3.3.5.
Command syntax:
snmp community index commixid name commname security secname transporttag ttagid
Where:
commixid is a string of up to 32 characters identifying the community index. The community index value is unique to each community name entry.
commname preceded by the keyword name is a user-supplied string of up to 255 characters naming this community.
secname preceded by the keyword security is a user-supplied string of up to 32 characters supplying a security name for this community.
ttagid preceded by the keyword transporttag is a user-supplied string of up to 255 characters as a tag identifier. The keyword none may also be specified.
Example:
Magnum 10RX(config)# snmp community index public name public security public transporttag tag1
The no snmp community index spec command deletes the community specified by spec.
3.3.6.3 Configuring an SNMP Group
Use the snmp group command in Global Configuration mode to configure SNMP group details.
Command syntax:
snmp group groupname user username security-model {v1 | v2c | v3}
Where:
groupname is a string of up to 32 characters identifying an SNMP group.
username is a string of up to 32 characters identifying a user for the group.
v1, v2c or v3, following the keyword security-model, specifies the SNMP version (security model) for the group.
Example:
Magnum 10RX(config)# snmp group testgroup user testuser security-model v2c
Default (security-model): v3
The no snmp group spec command deletes the specified details.
3.3.6.4 Configuring SNMP Group Access
Use the snmp access command in Global Configuration mode to configure group access details.
Command syntax:
snmp access groupname {v1|v2c|v3{auth|noauth|priv}} [read readview|none] [write writeview|none] [notify noteview|none]
Where:
groupname is a string of up to 32 characters identifying an SNMP group.
v1, v2c or v3 specify the SNMP version.
For the v3 security model, the authentication level is controlled by specifying one of:
• auth — enables MD5 or SHA packet authentication.
• noauth — specifies no authentication.
• priv — enables both authentication and privacy (encryption).
read specifies read-only access. A read view identifier may be specified with readview, a string of up to 32 characters, or none may be specified.
write specifies both read and write access. A write view identifier may be specified with writeview, a string of up to 32 characters, or none may be specified.
notify specifies notification of changes will be sent. A notify view identifier may be specified with noteview, a string of up to 32 characters, or none may be specified.
Example:
Magnum 10RX(config)# snmp access test1group v2c read v2readview write v2writeview notify v2notifyview
The no snmp access spec command deletes the specified details.
3.3.6.5 Configuring SNMP Engine ID
Use the snmp engineid command in Global Configuration mode to configure a unique identifier for the SNMPv3 engine. The engine ID is used to identify a source SNMPv3 entity and a destination SNMPv3 entity to coordinate the exchange of messages.
Command syntax:
snmp engineid engidval
Where:
engidval is a hexadecimal value given as octets separated by dots. The valid length is 5 to 32 octets.
Example:
Magnum 10RX(config)# snmp engineid 80.0.08.1c.04.5f.a9
Default value: 80.00.08.1c.04.46.53
The no snmp engineid command resets the engine ID value to the default.
3.3.6.6 Configuring SNMP View
Use the snmp view command in Global Configuration mode to configure an SNMP view. An SNMP group must have already been created using the snmp group command (see Section 3.3.6.3) and SNMP group access must be configured using the snmp access command (see Section 3.3.6.4).
For more on SNMP views see Section 3.3.1.
Command syntax:
snmp view viewname OIDtree [mask OIDmask] {included | excluded}
Where:
viewname is a string of up to 32 characters identifying this view.
OIDtree specifies the sub tree value for this view.
OIDmask specifies a mask value for this view.
The keyword included allows access to the sub tree. The keyword excluded denies access.
Example:
Magnum 10RX(config)# snmp view v2readview 1.3.6.1 mask 1.1.1.1 included
The no snmp view spec command deletes the view specified by spec.
3.3.6.7 Configuring SNMP Target Address
Use the snmp targetaddr command in Global Configuration mode to configure an SNMP target address. For more on target addresses see Section 3.3.3.
Command syntax:
snmp targetaddr targname param paramname ipv4 ipaddr [timeout tosecs] [retries retcount] [taglist tagid | none] [port portval]
Where:
targname is a string of up to 32 characters identifying this target.
paramname following the keyword param is a string of up to 32 characters identifying a parameter.
ipaddr following the keyword ipv4 is a valid IP address.
tosecs following the keyword timeout is a numerical value in the range 1-1500 specifying the number of seconds the SNMP agent waits for a response from the SNMP Manager before retransmitting the Inform Request Message.
retcount following the keyword retries is a numerical value in the range 1-3 specifying the maximum number of times the agent can retransmit the Inform Request Message.
tagid following the keyword taglist is a string of up to 255 characters specifying the tag identifier that selects the target address. The keyword none may also be specified.
portval following the keyword port is a numerical value in the range 1-65535 specifying a port number through which the generated SNMP notifications are sent to the target address.
Example:
Magnum 10RX(config)# snmp targetaddr target1 param param1 ipv4 192.168.2.42 taglist tag1
The no snmp targetaddr spec command removes the target address specified by spec.
3.3.6.8 Configuring SNMP Target Parameters
Use the snmp targetparams command in Global Configuration mode to configure SNMP target parameters. For more on target parameters see Section 3.3.3.
Command syntax:
snmp targetparams paramname user username security-model {v1|v2c|v3 {auth|noauth|priv}} message-processing {v1|v2c|v3} [filter profname]
Where:
paramname is a string of up to 32 characters identifying a parameter.
username following the keyword user is a string of up to 32 characters identifying a user for this parameter.
v1, v2c or v3, following the keyword security-model specifies an SNMP version.
For the v3 security model, the authentication level is controlled by specifying one of:
• auth — enables MD5 or SHA packet authentication.
• noauth — specifies no authentication.
• priv — enables both authentication and privacy (encryption).
v1, v2c or v3, following the keyword message-processing specifies an SNMP version.
Example:
Magnum 10RX(config)# snmp targetparams param1 user public security-model v2c message-processing v2c
The no snmp targetparams spec command removes the target parameters entry specified by spec.
3.3.6.9 Configuring SNMP Users
Use the snmp user command in Global Configuration mode to configure an SNMP user. For more on SNMP users see Section 3.3.1.
Command syntax:
snmp user username [auth {md5 | sha} pwda] [priv {des | aes} pwdp]
Where:
username following the keyword user is a string of up to 32 characters identifying this user.
auth specifies that an authentication algorithm is to be used. Options are:
• md5 — Message Digest 5 (HMAC-MD5) authentication
• sha — Secure Hash Algorithm (HMAC-SHA) authentication
pwda (if auth has been specified) is an arbitrary string to serve as an authentication password.
priv specifies that privacy (encryption) is to be used. Options are:
• des — Data Encryption Standard encryption
• aes — Advanced Encryption Standard encryption
pwdp (if priv has been specified) is an arbitrary string to serve as an encryption password.
Example:
Magnum 10RX(config)# snmp user bob auth md5 auth1234 priv des priv1234
The no snmp user username command deletes the details of the user specified by username.
3.3.6.10 Configuring SNMP Notifications
Use the snmp notify command in Global Configuration mode to configure an SNMP notification entry. For more on SNMP notifications see Section 3.3.3.
Command syntax:
snmp notify notename tag tagname type {trap | inform}
Where:
notename is a string of up to 32 characters identifying this notification entry.
tagname is a string of up to 32 characters identifying a notification tag which selects the entries in the Target Address Table.
trap or inform following the keyword type specify the type of notification:
• trap — A trap is a one-way message from a network element to the network management system.
• inform — Inform enables inform requests to be sent from a router or switch to SNMP management.
Example:
Magnum 10RX(config)# snmp notify notify1 tag tag1 type trap
The no snmp notify spec command deletes the details of the notification entry specified by spec.
3.3.6.11 Configuring SNMP Filters
Use the snmp filter command in Global Configuration mode to filter SNMP notifications. For more on SNMP notifications see Section 3.3.4.
Command syntax:
snmp filter profname oidtree [mask oidmask] {included | excluded}
Where:
profname is a string of up to 32 characters identifying this filter profile.
oidtree is an object identifier.
oidmask is a mask that, with oidtree, defines a family of sub trees.
included or excluded define whether the filter will have the effect of including specified messages or excluding them.
Example:
Magnum 10RX(config)# snmp filter filter1 1 included
The no snmp filter spec command deletes the filter specified by spec.
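The snmp view command (Section 3.3.6.6) and the snmp filter command above both build a table of subtree families, each row being an OID subtree, an optional mask, and included or excluded. Whether a given OID is in the view (or passes the filter) is decided by the same rule: collect the rows whose subtree matches the OID under their mask, and let the row with the longest subtree decide, ties going to the lexicographically greatest subtree, as RFC 3415 specifies for vacmViewTreeFamilyTable. The Python below is an added example (not INOS code) that implements that rule and checks it against the page's defaultwrite view (1 included, 1.3.6.1.4 excluded) and its masked view example. Assumption: the 10RX's dotted mask (for example 1.1.1.1) carries one bit per sub-identifier of the subtree, with a short or absent mask padded with 1 bits (exact match) as in RFC 3415.

```python
"""Evaluate SNMP view-tree families and notification filter profiles (added example)."""
from typing import List, Optional, Tuple

OID = Tuple[int, ...]


def parse_oid(text: str) -> OID:
    return tuple(int(x) for x in text.strip(".").split("."))


class FamilyTable:
    """One named view or filter profile: rows of (subtree, mask bits, included)."""

    def __init__(self, name: str):
        self.name = name
        self.rows: List[Tuple[OID, Tuple[int, ...], bool]] = []

    def add(self, subtree: str, included: bool, mask: Optional[str] = None) -> None:
        """CLI form: snmp view|filter <name> <subtree> [mask <mask>] {included|excluded}.
        Assumption: each dotted mask element is the bit for one sub-identifier."""
        sub = parse_oid(subtree)
        bits = parse_oid(mask) if mask else ()
        bits = bits[:len(sub)] + (1,) * (len(sub) - len(bits))   # pad with 1 bits
        if any(b not in (0, 1) for b in bits):
            raise ValueError(f"mask bits must be 0 or 1: {mask}")
        self.rows.append((sub, bits, included))

    @staticmethod
    def _matches(sub: OID, bits: Tuple[int, ...], oid: OID) -> bool:
        # An OID belongs to a family if it is at least as long as the subtree and
        # every sub-identifier under a 1 bit is equal (0 bits are wildcards).
        if len(oid) < len(sub):
            return False
        return all(b == 0 or s == o for s, b, o in zip(sub, bits, oid))

    def contains(self, oid_text: str) -> bool:
        """True if the OID is in the view: longest matching subtree decides,
        ties resolved by the lexicographically greatest subtree (RFC 3415)."""
        oid = parse_oid(oid_text)
        best = None
        for sub, bits, included in self.rows:
            if self._matches(sub, bits, oid):
                if best is None or (len(sub), sub) > (len(best[0]), best[0]):
                    best = (sub, included)
        return best is not None and best[1]


def build_defaultwrite() -> FamilyTable:
    # Constructed from the page: snmp view defaultwrite 1 included / 1.3.6.1.4 excluded
    view = FamilyTable("defaultwrite")
    view.add("1", included=True)
    view.add("1.3.6.1.4", included=False)
    return view


def build_masked_view() -> FamilyTable:
    # Constructed: the page's "snmp view v2readview 1.3.6.1 mask 1.1.1.1 included",
    # plus a row with a 0 mask bit on the enterprise number to show a wildcard:
    # it excludes 1.3.6.1.4.<any>.7 regardless of the enterprise value.
    view = FamilyTable("v2readview")
    view.add("1.3.6.1", included=True, mask="1.1.1.1")
    view.add("1.3.6.1.4.1.7", included=False, mask="1.1.1.1.1.0.1")
    return view


if __name__ == "__main__":
    w = build_defaultwrite()
    print("sysDescr.0 in defaultwrite:", w.contains("1.3.6.1.2.1.1.1.0"))
    print("enterprise OID in defaultwrite:", w.contains("1.3.6.1.4.1.1.1"))
```

Because filter profiles use the same evaluation, the Figure 3-13 profile (filter1: 1 included, 1.3.6.1.4 excluded) behaves identically to defaultwrite here: standard MIB-2 traps pass, enterprise-specific traps are dropped.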
3.3.6.12 Configuring SNMP Traps
Use the snmp trap command in Global Configuration mode to specify the UDP port over which the SNMP agent sends traps.
Command syntax:
snmp trap udp-port portnum
Where:
portnum is a numerical value in the range 1-65535 specifying a UDP port.
Example:
Magnum 10RX(config)# snmp trap udp-port 55
3.3.7 SNMP Configuration in the GUI
The following sections describe the GUI screens to use to configure SNMP.
3.3.7.1 Enabling and Disabling the SNMP Agent
In the GUI go to System: SNMP to access the SNMP Agent Control Settings screen and enable or disable SNMP in the system, as illustrated in Figure 3-17.
Figure 3-17. SNMP Agent Control Settings Screen
In the SNMP Agent Control Settings screen enable or disable the SNMP agent and specify an agent port.
3.3.7.2 Configuring SNMP Community Settings
In the GUI go to the System: SNMP: Security: Community tab to configure community information for SNMP versions 1 and 2c, as illustrated in Figure 3-18.
Figure 3-18. SNMP Community Settings Screen
In the SNMP Community Settings screen use the upper dialog box to configure a community. Click Add to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured communities.
For more on SNMP communities see Section 3.3.5 and Section 3.3.6.2.
Table 3-1. SNMP Community Settings Fields
Parameter        Description
Select           You must click a selection button before modifying a configuration.
Community Index  A string of up to 32 characters identifying the community index. The community index value is unique to each community name entry.
Community Name   A user-supplied string of up to 255 characters naming this community.
Security Name    A user-supplied string of up to 32 characters supplying a security name for this community.
Transport Tag    A user-supplied string of up to 255 characters as a tag identifier.
3.3.7.3 Configuring SNMP Group Settings
In the GUI go to the System: SNMP: Security: Group tab to configure SNMP groups, as illustrated in Figure 3-19.
Figure 3-19. SNMP Group Settings Screen
In the SNMP Group Settings screen use the upper dialog box to specify a group. Click Add to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured groups.
For more on SNMP groups see Section 3.3.1 and Section 3.3.6.3.
Table 3-2. SNMP Group Settings Fields
Parameter        Description
Select           You must click a selection button before modifying a configuration.
Security Model   The SNMP security model, that is, the SNMP version, that applies to this group. Options are:
                 • v1
                 • v2c
                 • v3
Security Name    A user security name of up to 32 characters.
Group Name       A string of up to 32 characters identifying an SNMP group.
3.3.7.4 Configuring SNMP Group Access Settings
In the GUI go to the System: SNMP: Security: Group Access tab to configure access to SNMP groups, as illustrated in Figure 3-20.
Figure 3-20. SNMP Group Access Settings Screen
In the SNMP Group Access Settings screen use the upper dialog box to configure group access details. Click Add to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured group access details.
For more on SNMP access see Section 3.3.2 and Section 3.3.6.4.
Table 3-3. SNMP Group Access Settings Fields
Parameter        Description
Select           You must click a selection button before modifying a configuration.
Group Name       A string of up to 32 characters identifying an SNMP group.
Security Model   The SNMP security model, that is, the SNMP version, that applies to this group. Options are:
                 • v1
                 • v2c
                 • v3
Security Level   The security or authentication level may be one of the following:
                 • No Authentication — specifies no authentication.
                 • Authentication — enables MD5 or SHA packet authentication.
                 • Private — enables both authentication and privacy.
Read View        The view provides read-only access. The view identifier is a string of up to 32 characters.
Write View       The view provides read and write access. The view identifier is a string of up to 32 characters.
Notify View      The view specifies that notification of changes will be sent. The view identifier is a string of up to 32 characters.
3.3.7.5 Configuring SNMP Views
In the GUI go to the System: SNMP: Security: View tab to configure SNMP Views, as illustrated in Figure 3-21.
Figure 3-21. SNMP ViewTree Settings Screen
In the SNMP ViewTree Settings screen use the upper dialog box to configure views. Click Add to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured views.
For more on SNMP views see Section 3.3.2 and Section 3.3.6.6.
Table 3-4. SNMP ViewTree Settings Fields
Parameter        Description
Select           You must click a selection button before modifying a configuration.
View Name        A string of up to 32 characters identifying this view.
Sub Tree         The sub tree value for this view.
Mask             A mask value for this view.
View Type        Select Included to allow access to the sub tree. Select Excluded to deny access.
3.3.7.6 Configuring SNMP Target Addresses
In the GUI go to the System: SNMP: Security: Target Address tab to configure SNMP target addresses, as illustrated in Figure 3-22.
Figure 3-22. SNMP Target Address Settings Screen
In the SNMP Target Address Settings screen use the upper dialog box to configure target addresses. Click Add to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured addresses.
For more on SNMP target addresses see Section 3.3.3 and Section 3.3.6.7.
Table 3-5. SNMP Target Address Settings Fields
Parameter          Description
Select             You must click a selection button before modifying a configuration.
Target Name        A string of up to 32 characters identifying this target address entry.
Target IP Address  A valid IP address for the target.
Port               A numerical value in the range 1-65535 specifying a port number through which the generated SNMP notifications are sent to the target address.
Transport Tag      A string of up to 255 characters specifying the tag identifier that selects the target address.
Param              A string of up to 32 characters identifying a parameter entry.
3.3.7.7 Configuring SNMP Target Parameters
In the GUI go to the System: SNMP: Security: Target Parameter tab to configure SNMP target parameters, as illustrated in Figure 3-23.
Figure 3-23. SNMP Target Parameter Settings Screen
In the SNMP Target Parameter Settings screen use the upper dialog box to configure target parameters. Click Add to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured parameters.
For more on SNMP target parameters see Section 3.3.3 and Section 3.3.6.8.
Table 3-6. SNMP Target Parameter Settings Fields
Parameter        Description
Select           You must click a selection button before modifying a configuration.
Parameter Name   A string of up to 32 characters identifying a parameter.
MP Model         The message processing model, defined by SNMP version. Options are:
                 • v1
                 • v2c
                 • v3
Security Model   The security model, defined by SNMP version. Options are:
                 • v1
                 • v2c
                 • v3
Security Name    A user security name of up to 32 characters.
Security Level   The security or authentication level may be one of the following:
                 • No Authentication — specifies no authentication.
                 • Authentication — enables MD5 or SHA packet authentication.
                 • Private — enables both authentication and privacy.
3.3.7.8 Configuring SNMP User Information
In the GUI go to the System: SNMP: Security: User tab to access the Security Settings screen and configure SNMP user information, as illustrated in Figure 3-24.
Figure 3-24. SNMP Security Settings Screen
In the SNMP Security Settings screen use the upper dialog box to configure users. Click Add to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured users.
For more on SNMP users see Section 3.3.1 and Section 3.3.6.9.
Table 3-7. SNMP Security Settings Fields
Parameter                Description
Select                   You must click a selection button before modifying a configuration.
User Name                A string of up to 32 characters identifying this user.
Authentication Protocol  The authentication algorithm to be used. Options are:
                         • No Authentication
                         • HMAC-MD5
                         • HMAC-SHA
Authentication Key       An arbitrary string to serve as an authentication password.
Privacy Protocol         Specifies that private encryption is to be used. Options are:
                         • No Privacy
                         • DES
                         • AES
Privacy Key              An arbitrary string to serve as an encryption password.
3.3.7.9 Managing SNMP Traps
In the GUI go to the System: SNMP: Security: Trap Manager tab to configure traps, as illustrated in Figure 3-25.
Figure 3-25. SNMP Trap Settings Screen
In the SNMP Trap Settings screen use the upper dialog box to manage traps to send messages and alerts. Click Add to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured traps.
For more on SNMP traps see Section 3.3.3 and Section 3.3.6.10.
Table 3-8. SNMP Trap Settings Fields
Parameter        Description
Select           You must click a selection button before modifying a configuration.
Notify Name      A string of up to 32 characters identifying this notification entry.
Notify Tag       A string of up to 32 characters identifying a notification tag which selects the entries in the Target Address Table.
Notify Type      The type of notification generated by this trap. Options are:
                 • Trap — A trap is a one-way message from a network element to the network management system.
                 • Inform — Inform enables inform requests to be sent from a router or switch to SNMP management.
3.3.7.10 Configuring SNMP Filters
In the GUI go to the System: SNMP: Security: Filter Conf tab to configure SNMP filter settings, as illustrated in Figure 3-26.
Figure 3-26. SNMP Filter Settings Screen
In the SNMP Filter Settings screen use the upper dialog box to configure filters for SNMP notifications. Click Add to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured filters.
For more on SNMP filters see Section 3.3.4 and Section 3.3.6.11.
Table 3-9. SNMP Filter Settings Fields
Parameter        Description
Select           You must click a selection button before modifying a configuration.
Profile Name     A string of up to 32 characters identifying this filter profile.
Sub Tree         An object identifier.
Mask             A mask that, with Sub Tree, defines a family of sub trees.
Filter Type      Included or Excluded define whether the filter will have the effect of including specified messages or excluding them.
3.4 User Management
INOS user management commands enable an administrator to add, delete, block and unblock users, to change passwords, and to control access policies. Most of these commands are available only to an administrator but a non-administrator user can use the change password command to change his or her own password.
3.4.1 Displaying User Information
An administrator can obtain a display of information for all users by entering the following command:
Magnum 10RX # show users
This will display output like that below. Administrators can modify all of the parameters in this display, including the deletion of users, except for the last administrative user.
Figure 3-27. Output of the show users command
Login Information:
Maximum Login Attempts: 3
Login Lock Out Time: 30 seconds
Required Password Strength: 75%
Users:
User Name: root
User Mode: /
Privilege Level: 15
Password Expires: Never
Last Login: 10/06/11 08:17:34
Inactivity Timer: Disabled
Status: Enabled
***************************************
User Name: guest
User Mode: /
Privilege Level: 1
Password Expires: Never
Last Login: Never
Inactivity Timer: Disabled
Status: Enabled
3.4.2 Configuring System Login Information
Administrative users can execute the login command set to specify the login information displayed at the top of the output in Figure 3-27. These values have system-wide effect and are set when the CLI is in configuration mode.
3.4.2.1 Setting Maximum Login Attempts and Lock-out Time
The Maximum Login Attempts value specifies the number of times a user may try and fail to log in before the system locks that user out. The Login Lock Out Time value specifies the length of time that lock-out will endure before the user can try again to log in.
The login block-for command is used to set both of these values on the same command line. Both values must be specified in order for the command to be accepted as complete.
Command syntax:
login block-for <seconds(30-600)> attempts <tries(1-10)>
Example:
Magnum 10RX(config)# login block-for 30 attempts 5
This example specifies that if a user tries and fails to log in five times within 30 minutes, that user will be locked out for 30 seconds before another attempt can be made.
3.4.2.2 Setting Required Password Strength
A password can be a string of up to 32 printable characters. Password strength is a measure of the presence of up to four characteristics in a password:
1. Upper case alphabetic character(s)
2. Lower case alphabetic character(s)
3. Numeric character(s)
4. Special character(s) - ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
A password possessing only one of these characteristics has a strength of 25%, two of the characteristics scores 50%, three scores 75% and four scores 100%. An administrative user can specify a password strength value anywhere from 1% to 100%. The system will not accept a password whose strength does not equal or exceed the quartile value immediately below the specified strength; thus, a specified strength of 65 would enforce a minimum of 50% strength.
A password that partially matches the username will be rejected with the message:
Weak User Password, at least partially matches with Username
Command syntax:
login password-strength <strength(1-100)>
Example:
Magnum 10RX(config)# login password-strength 80
This example specifies a password strength that will enforce a minimum of 75% strength.
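The rules above are simple enough to reproduce, which is useful when auditing whether a chosen login password-strength value actually enforces what was intended. The following Python is an added example (not INOS code) that scores a password by the four character classes at 25% each, rounds the configured strength down to the enforced quartile (65 enforces 50%, 80 enforces 75%), applies the 32-character limit, and rejects a password that partially matches the username. Assumptions: a configured value that is itself a quartile (for example 75) enforces that quartile, the "special" set is taken to be exactly the characters listed in item 4 (which coincide with Python's string.punctuation), and "partially matches" is interpreted as a case-insensitive substring match in either direction, since the page does not define it.

```python
"""Check passwords against the INOS password-strength rule (added example)."""
import string

SPECIAL = set(string.punctuation)   # identical to the page's special-character list
MAX_LEN = 32                        # "a string of up to 32 printable characters"


def strength_percent(password: str) -> int:
    """25% for each character class present: upper, lower, digit, special."""
    classes = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in SPECIAL for c in password),
    ]
    return 25 * sum(classes)


def enforced_minimum(configured: int) -> int:
    """login password-strength <1-100> enforces the quartile at or below the
    configured value: 65 -> 50, 80 -> 75, 100 -> 100. Assumption: an exact
    quartile enforces itself. Note that 1-24 enforces 0%, i.e. no class at all."""
    if not 1 <= configured <= 100:
        raise ValueError("password-strength must be in the range 1-100")
    return (configured // 25) * 25


def check_password(password: str, username: str, configured: int) -> tuple:
    """Return (accepted, reason), applying the page's rules in order."""
    if not password or len(password) > MAX_LEN:
        return False, f"password must be 1-{MAX_LEN} printable characters"
    if not (password.isascii() and password.isprintable()):
        return False, "password must contain printable ASCII characters only"
    p, u = password.lower(), username.lower()
    if u and (u in p or p in u):     # assumption: substring match either way
        return False, "Weak User Password, at least partially matches with Username"
    need = enforced_minimum(configured)
    got = strength_percent(password)
    if got < need:
        return False, f"password strength {got}% is below the required {need}%"
    return True, f"accepted ({got}% strength)"


if __name__ == "__main__":
    # Constructed inputs: the page's strength 80 example enforces 75%.
    for pw, user in [("Str0ng-Pw", "alice"), ("str0ngpw", "alice"), ("newcomer1!", "newcomer")]:
        print(pw, "->", check_password(pw, user, 80))
```

The quartile rounding is the point a reviewer should watch: a policy of 99 enforces only three of the four classes, and any value below 25 enforces nothing beyond the length and username checks.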
3.4.3 Executing the user Command
An administrative user can execute the user command set to add and delete individual users and to control their access and privileges. The user command is issued in the EXEC command mode and it affects only the user specified by name.
The first argument to the user command is always the user ID, followed by the name of the management task to be carried out, followed by any parameters.
user generic command syntax:
Magnum 10RX# user userID action [parameter]
3.4.3.1 Adding a New User
An administrative user can add a new user to the system with the new argument.
Example:
Magnum 10RX# user newcomer new
The system responds with a request for a password for newcomer and for a confirmation of that password. This adds newcomer to the user database.
3.4.3.2 Deleting a User
An administrative user can delete a user from the system with the delete argument.
Example:
Magnum 10RX# user newcomer delete
3.4.3.3 Blocking and Releasing a User
A user is denied access to an account (“blocked”) in two ways:
1. By exceeding the number of failed login attempts specified by the administrator and displayed in Login Information. In this case the user is blocked for the number of seconds specified in the login block-for setting. A show users command will display the information that the user is blocked and will provide the number of seconds remaining before the user is eligible to attempt to log in again; for example - Status Blocked 585 sec left. The user remains blocked until the specified time has expired or until an administrator executes the user username release command for the blocked account.
2. By the explicit instruction of an administrator executing the user username block command. A show users command will display the information that the user is blocked by administrative action; for example - Status Blocked by Admin. In this case the blockage remains in effect until countermanded by the user username release command.
Example:
Magnum 10RX# user newcomer block
Partial show users output: Status Blocked by Admin.
Magnum 10RX# user newcomer release
Partial show users output: Status Enabled.
Notes:
• Newly-added users have read-only privileges.
• For an explanation of password strength see Section 3.4.2.2.
3.4.3.4 Setting a User’s Inactivity Time
An administrative user can specify that an account will be blocked if that user has not logged in for a configured length of time.
Command syntax:
user username inactivity time [days (0-365)| hours (0-23) | minutes (0-59)| seconds (0-59)]
Example:
Magnum 10RX# user sample inactivity time days 7 hours 12
This command specifies that if the account of user sample is inactive for 7 days and 12 hours the account will be blocked. A successful login on the account will reset the countdown timer to 7 days and 12 hours.
The command user username inactivity time with no parameters disables the inactivity timer.
Default value: disabled
3.4.3.5 Setting a User’s Password Expiration Interval
An administrative user can specify that a user’s password will expire after a configured length of time.
Command syntax:
user username password expiration [days (0-365)| hours (0-23) | minutes (0-59)| seconds (0-59)]
Example:
Magnum 10RX# user sample password expiration days 90
This command specifies that the password for user sample will expire 90 days after its creation. The creation of a replacement password will reset the countdown timer to 90 days.
Set the expiration to Never by specifying any unit of time with a value of 0.
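The rules in 3.4.3.3 through 3.4.3.5 interact: a release clears a lockout but not an expired password, and a successful login restarts only the inactivity countdown. The following model of those rules is an added example written for this edition of the guide; it is an illustration, not INOS code. The class and field names (UserDatabase, Account), the seconds-based clock passed into every call, the "Blocked (inactive)" status wording, the handling of an expired password at login and the restart of the inactivity timer on release are all assumptions of the model.

```python
"""Model of the account rules in 3.4.3.3 to 3.4.3.5 (illustration, not INOS code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    name: str
    password: str
    privilege: str = "read-only"               # newly added users are read-only
    failed_logins: int = 0                     # consecutive failures since last success
    blocked_until: float = 0.0                 # end of a failed-login block (seconds); 0 = none
    blocked_by_admin: bool = False             # 'user <name> block'
    last_login: float = 0.0                    # start of the inactivity countdown
    password_set_at: float = 0.0               # start of the expiration countdown
    inactivity_limit: Optional[float] = None   # seconds; None = timer disabled (the default)
    password_lifetime: Optional[float] = None  # seconds; None = never expires


class UserDatabase:
    """Applies lockout, inactivity and expiry rules. The clock is passed in
    explicitly (seconds) so a run is deterministic."""

    def __init__(self, max_failures: int, block_for: int) -> None:
        self.max_failures = max_failures       # failed-attempt limit from Login Information
        self.block_for = block_for             # 'login block-for' seconds
        self.accounts: Dict[str, Account] = {}

    def add(self, name: str, password: str, now: float) -> Account:
        acct = Account(name, password, last_login=now, password_set_at=now)
        self.accounts[name] = acct
        return acct

    def status(self, name: str, now: float) -> str:
        """The Status column as 'show users' would print it."""
        a = self.accounts[name]
        if a.blocked_by_admin:
            return "Blocked by Admin"
        if now < a.blocked_until:
            return f"Blocked {int(a.blocked_until - now)} sec left"
        if a.inactivity_limit is not None and now - a.last_login >= a.inactivity_limit:
            return "Blocked (inactive)"        # wording assumed; the guide only says "blocked"
        return "Enabled"

    def login(self, name: str, password: str, now: float) -> str:
        a = self.accounts.get(name)
        if a is None:
            return "denied: no such user"
        state = self.status(name, now)
        if state != "Enabled":
            return f"denied: {state}"
        if password != a.password:             # a real system compares a stored hash
            a.failed_logins += 1
            if a.failed_logins >= self.max_failures:
                a.failed_logins = 0
                a.blocked_until = now + self.block_for
                return f"denied: blocked for {self.block_for} sec"
            return "denied: bad password"
        if a.password_lifetime is not None and now - a.password_set_at >= a.password_lifetime:
            return "denied: password expired"  # assumed handling of an expired password
        a.failed_logins = 0
        a.last_login = now                     # a successful login restarts the inactivity timer
        return "ok"

    def block(self, name: str) -> None:
        self.accounts[name].blocked_by_admin = True

    def release(self, name: str, now: float) -> None:
        """'user <name> release': clears both kinds of block. Restarting the
        inactivity countdown on release is an assumption of this model."""
        a = self.accounts[name]
        a.blocked_by_admin = False
        a.blocked_until = 0.0
        a.last_login = now

    def change_password(self, name: str, new_password: str, now: float) -> None:
        a = self.accounts[name]
        a.password = new_password
        a.password_set_at = now                # a replacement password restarts the expiry countdown


def demo() -> List[str]:
    """Constructed walk-through: lockout, 'show users' countdown, release,
    inactivity block, password expiry and an administrative block."""
    db = UserDatabase(max_failures=3, block_for=600)
    db.add("newcomer", "Correct-Horse-9", now=0)
    db.accounts["newcomer"].inactivity_limit = 7 * 86400 + 12 * 3600   # inactivity time days 7 hours 12
    db.add("sample", "Another-Pass-7", now=0)
    db.accounts["sample"].password_lifetime = 90 * 86400              # password expiration days 90
    out: List[str] = []
    for t in (10, 11, 12):                                   # three wrong passwords
        out.append(db.login("newcomer", "wrong", now=t))
    out.append(db.status("newcomer", now=27))                # 600 s block began at t=12
    db.release("newcomer", now=27)                           # user newcomer release
    out.append(db.login("newcomer", "Correct-Horse-9", now=30))
    out.append(db.status("newcomer", now=30 + 8 * 86400))    # idle for longer than 7d 12h
    out.append(db.login("sample", "Another-Pass-7", now=89 * 86400))
    out.append(db.login("sample", "Another-Pass-7", now=90 * 86400))
    db.block("sample")                                       # user sample block
    return out + [db.status("sample", now=90 * 86400)]
```

Running demo() reproduces the guide's own "Blocked 585 sec left" reading 15 seconds into a 600-second block, then shows the release, the inactivity block after eight idle days, the expiry exactly at the 90-day mark and the administrative block. The ordering in login() matters: the block checks run before the password is examined, so a locked account does not leak whether a guess was right.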
3.4.3.6 Setting a User’s Privilege Level
An administrative user can specify a user’s privilege level with the user privilege command. In this release there are four privilege levels available for users.
Command syntax:
user <username> privilege {admin | privileged | troubleshooting | read-only}
Where:
admin is access at the administrative (unrestricted) level.
privileged is read-write access to system configurations.
troubleshooting is read-only access to system configurations and statistics.
read-only is access restricted to debug, clear and show configurations.
Example:
Magnum 10RX# user sample privilege privileged
This command assigns to user sample a privilege level that supports read-write configuration access.
3.4.4 Changing a Password
A user’s password can be changed by the user or by an administrator. A user changing his or her own password must be able to provide the old password before creating the new password. This step is not required of an administrator changing a user’s password. In either case the process is one of query and response illustrated in the examples below.
Command syntax (non-admin user):
change password
Example:
Figure 3-28. System/user dialog in successful password change
User Name: manager
User Mode: /
Magnum 10RX# change password
Old Password:
[Correctly entered but not displayed.]
Enter New Password:
[Entered but not displayed.]
Command syntax (admin user):
change password user username
Example:
Figure 3-29. System/admin dialog in successful password change
User Name: manager
User Mode: /
Magnum 10RX# change password user newbie
Enter New Password:
[Entered but not displayed.]
Re-enter the Password:
3.5 Authentication
INOS supports authentication with both Remote Authentication Dial In User Service (RADIUS) and Terminal Access Controller Access Control System (TACACS). These are authentication, authorization, and accounting (AAA) protocols.
• Authentication – The server receives requests for connections and checks that the username and password provided are authentic using a shared secret and one of two authentication schemes.
• Authorization – After successful authentication the server authorizes the requesting user to begin a session on the system.
• Accounting – The server can keep an account of services used.
RADIUS is available on both Windows and Unix systems. It is defined in RFC 2865 (authentication and authorization) and RFC 2866 (accounting).
TACACS is commonly used to provide authentication on Unix networks and is defined in RFC 1492. Note that the server software, the tac_plus.conf file and TCP port 49 used in Section 3.5.2 belong to TACACS+, Cisco’s successor protocol (later published as RFC 8907), which is not wire-compatible with the RFC 1492 protocol; make sure the server you install speaks TACACS+.
3.5.1 RADIUS Authentication
The implementation of RADIUS authentication requires the installation of RADIUS server software on a network server and configuration of the 10RX to correctly exchange information with that server.
Install and Configure RADIUS Server Software
Obtain and install a RADIUS server application. FreeRADIUS is the best known of these and is widely available on the internet. Install the RADIUS application according to its supplier’s instructions. Among the files typically installed with RADIUS are two that you must edit: the users file (users.conf in FreeRADIUS.net) and clients.conf.
• In a FreeRADIUS installation for Windows these are included in the directory \\...\FreeRADIUS.net\etc\raddb\
• In a FreeRADIUS installation for Unix these are often located in the directory /usr/local/etc/raddb (or /etc/raddb or /etc/freeradius on packaged builds), but this may vary with the software provider. In stock FreeRADIUS on Unix the user file is named users, without a .conf suffix, and FreeRADIUS 3 keeps it at mods-config/files/authorize under the raddb directory.
RADIUS Server Configuration in a Windows System
1. Edit users.conf by adding the following text to the end of the file:
"username" Auth-Type := PAP, User-Password == "password"
Where,
username is a user-supplied name for this user enclosed in quotation marks.
password is a user-supplied password for this user enclosed in quotation marks.
2. Edit clients.conf by adding the following text to the end of the file:
client xxx.xxx.xxx.xxx {
secret = radius_secret
shortname = rad
}
Where,
xxx.xxx.xxx.xxx is the IP address of the client device (the 10RX). The server answers requests only from addresses listed in clients.conf.
radius_secret is the shared secret for this client. RADIUS uses it to hide the User-Password attribute and to authenticate the server’s replies, so it should be a long random string rather than a recognizable word. (This string must match the radius_secret string specified in the 10RX RADIUS configuration described below.)
rad is a convenient alias that can be used to replace the IP address.
RADIUS Server Configuration in a Unix System
Note: the location of the *.conf files will vary with your Unix implementation.
1. Edit the users file by adding the following text to the end of the file (the reply item on the second line must be indented):
"username" Cleartext-Password := "password"
	Service-Type = Administrative-User
Where,
username is a user-supplied name for this user enclosed in quotation marks.
password is a user-supplied password for this user enclosed in quotation marks.
2. Edit clients.conf by adding the following text to the end of the file:
client xxx.xxx.xxx.xxx {
secret = radius_secret
shortname = rad
}
Where,
xxx.xxx.xxx.xxx is the IP address of the client device (the 10RX)
radius_secret is the shared secret for this client. (This string must match the radius_secret string specified in the 10RX RADIUS configuration described below.)
3. Start or restart the freeradius service by entering the following command on the Unix command line:
sudo service freeradius restart
Note: The starting user privilege can be set via FreeRADIUS on Linux with this reply item:
Service-Type = Administrative-User
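To show what the shared secret in clients.conf and in the radius-server host command actually protects, the following added example builds a PAP Access-Request as the 10RX would, lets a server decode and answer it with its own copy of the secret, and verifies the reply, all offline. It is written for this edition of the guide and is not INOS or FreeRADIUS code; the user name, password, secret and NAS address are constructed, and a fixed Request Authenticator is used so that the run is repeatable (a real client draws 16 random bytes for every request).

```python
"""RFC 2865 PAP Access-Request / Access-Accept exchange, worked offline."""
import hashlib
import hmac
import struct
from typing import Dict, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes, then XOR
    each block with MD5(secret + previous ciphertext block); the first block is
    keyed with the 16-byte Request Authenticator instead of a previous block."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password. Only a holder of the same secret gets the
    real password back; any other secret yields random-looking bytes."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(ident: int, request_auth: bytes, username: bytes,
                         password: bytes, secret: bytes, nas_ip: str) -> bytes:
    """What the 10RX (the RADIUS client, or NAS) sends for a PAP login."""
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(request: bytes, secret: bytes, users: Dict[str, bytes]) -> bytes:
    """Server side with its copy of the client's secret: reveal the password,
    compare it with the users file, and sign the reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = _parse_attrs(request[20:length])
    name = attrs[ATTR_USER_NAME].decode("utf-8", "replace")
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    accepted = hmac.compare_digest(users.get(name, b"\x00"), password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if accepted else ACCESS_REJECT, ident, 20)
    response_auth = hashlib.md5(header + request_auth + secret).digest()  # no reply attributes here
    return header + response_auth


def client_verify(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The client recomputes the Response Authenticator; a mismatch means the
    reply was not produced with the shared secret and must be discarded."""
    header, got, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(got, expected)


def demo() -> Tuple[int, int, bool, bool]:
    """Constructed run: a matching secret gives Accept and a verifiable reply;
    a server holding a different secret gives Reject and an unverifiable reply."""
    secret = b"radius_secret"
    users = {"operator": b"S3cret!Pass"}           # what the users file would hold
    request_auth = bytes(range(16))               # constructed; real clients use os.urandom(16)
    req = build_access_request(7, request_auth, b"operator", b"S3cret!Pass", secret, "192.168.1.10")
    good = server_handle(req, secret, users)
    bad = server_handle(req, b"wrong_secret", users)
    return (good[0], bad[0],
            client_verify(good, request_auth, secret),
            client_verify(bad, request_auth, secret))
```

Two things the run makes visible. The password is hidden with an MD5 stream keyed by the secret, not encrypted with a modern cipher, which is why RADIUS across an untrusted network wants a long random secret and, where possible, an IPsec or RadSec (RFC 6614) tunnel. And a server configured with the wrong secret rejects a correct password, while its reply then fails verification on the client, so a secret mismatch shows up as both an Access-Reject on the server and a discarded reply on the 10RX.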
3.5.1.1 Configuring RADIUS Authentication in the CLI
The following steps explain how to configure RADIUS authentication in the 10RX command line interface.
10RX Command Line Configuration
Configure 10RX with a RADIUS host and key.
1. Log in to the 10RX via the console or telnet. (Telnet carries the login password in clear text, so use the console or another protected path wherever the management network is not trusted.)
2. On the 10RX command line, in configuration mode, enter the following command:
Magnum 10RX(config)# radius-server host xxx.xxx.xxx.xxx key radius_secret primary
Where,
xxx.xxx.xxx.xxx is the IP address of the RADIUS server
radius_secret is the shared secret that the 10RX uses with this RADIUS server. (This string must match the radius_secret string specified in the clients.conf file configuration described above.)
3. Check your configuration by entering the following command:
Magnum 10RX# show radius server
A successful configuration returns a report like the one below:
Figure 3-30. RADIUS server configuration report
Radius Server Host Information
------------------------------
Index : 1
Server address : 192.168.1.90
Shared secret : yoursecret
Radius Server Status : Enabled
Response Time : 10
Maximum Retransmission : 3
Authentication Port : 1812
Accounting Port : 1813
-----------------------------------------
Note that the report prints the shared secret in clear text, so treat show radius server output, and any captured session log that contains it, as sensitive.
3.5.1.2 Configuring RADIUS Authentication in the GUI
In the GUI go to System: Management: RADIUS to configure the RADIUS settings, as illustrated in Figure 3-31.
Figure 3-31. RADIUS Server Configuration Screen
In the RADIUS Server Configuration screen use the upper dialog box to profile a RADIUS server. Click the Add button to save your specifications and display them in the lower dialog box. To modify previously configured values enter the revised values in the upper dialog and click the Modify button. The revised values will be displayed in the lower dialog box.
Table 3-10. RADIUS Server Configuration Fields
Parameter | Description | See Also
Select | You must click the radio button of the server entry to be configured. |
IP Address | An IP address for the server being configured. |
Primary Server | If this is the primary RADIUS server select Yes, otherwise No. |
Shared Secret | A user-supplied string shared by client and server. | Section 3.5.1, above
Server Type | The authenticating server type is the only type currently supported. |
Response Time | The maximum time permitted for the RADIUS server to respond to a request from the RADIUS client. Valid range: 1-120 seconds |
Retry Count | The maximum number of times to retransmit a request without receiving a reply. Valid range: 1-254 |
3.5.2 TACACS Authentication
TACACS is an AAA authentication solution. The generic configuration requirements are the same as for RADIUS authentication:
• The TACACS server software must be installed.
• The 10RX must be configured with the address of the TACACS server and a secret key that is shared with the TACACS server.
• The TACACS server software must be configured with certain information including user IDs, their passwords and privilege levels, and a secret key to match the 10RX configuration.
TACACS server software is available from multiple sources. The Cisco® ACS TACACS authentication solution is widely installed and is generously documented on the Cisco support site. The Ubuntu® operating system supplies TACACS server software (the tacacs+ package) at no cost. A generalized example of installation of TACACS on Ubuntu Linux is provided below. Bear in mind that the details of the installation will vary with your environment and the versions of software that you are using.
TACACS Server Configuration
These generalized instructions for installation of TACACS on the Ubuntu Linux operating system are based on software available from the following site:
http://www.ubuntuupdates.org/package/core/lucid/universe/backports/tacacs+
Whether you use the software available at this site or obtain the same or similar software elsewhere, install the TACACS server software on your Ubuntu OS according to the supplier’s instructions. You can check for the availability of TACACS on your system with the following command:
$ sudo service tacacs_plus status
In the following example changes are made to the configuration file /etc/tacacs+/tac_plus.conf.
1. Add the following lines to the tac_plus.conf file to set a key, establish a group and identify two users, John and Jane.
Figure 3-32. Example of tac_plus.conf file
# key
key = "tacacs_secret"
# users accounts
group = admin {
pap = cleartext "normal"
expires = "Jan 1 2013"
}
user = John {
default service = permit
member = admin
pap = cleartext "normal"
# chap = cleartext "normal"
# enable = cleartext "enable"
name = "John Smith"
}
user = Jane {
# Jane has no password of her own, but she's a group member so will
# use the group password and expiry date.
member = admin
}
Two points to check before copying this file: the expires date shown (Jan 1 2013) has passed, and tac_plus refuses logins for a user or group whose expiry date is past, so set it to a future date or remove the line; and the passwords are stored in clear text, so restrict read access to tac_plus.conf to root.
2. Restart the tacacs_plus server with the following command:
$ sudo service tacacs_plus restart
3.5.2.1 Configuring TACACS Authentication in the CLI
The following steps explain how to configure TACACS authentication in the command line interface.
10RX Command Line Configuration
Configure 10RX with a TACACS host and key.
1. Log in to the 10RX via the console or telnet.
2. On the 10RX command line in configuration mode enter the following command:
Magnum 10RX(config)# tacacs-server host xxx.xxx.xxx.xxx key tacacs_secret primary
Where,
xxx.xxx.xxx.xxx is the IP address of the TACACS server
tacacs_secret is the shared key that the 10RX uses with this TACACS server. (This string must match the key string specified in the tac_plus.conf file configuration described above.)
3. Check your configuration by entering the following command:
Magnum 10RX# show tacacs
A successful configuration returns a report like the one below:
Figure 3-33. TACACS server configuration report
Server : 1
Server address : 192.168.1.91
Address Type : IPV4
Single Connection : no
TCP port : 49
Timeout : 6
Secret Key : AricentTacacs
Authen. Starts sent : 0
Authen. Continues sent : 0
Authen. Enables sent : 0
Authen. Aborts sent : 0
Authen. Pass rvcd. : 0
Authen. Fails rcvd. : 0
Authen. Get User rcvd. : 0
Authen. Get Pass rcvd. : 0
Authen. Get Data rcvd. : 0
Authen. Errors rcvd. : 0
Authen. Follows rcvd. : 0
Authen. Restart rcvd. : 0
Authen. Sess. timeouts : 0
Author. Requests sent : 0
Author. Pass Add rcvd. : 0
Author. Pass Repl rcvd : 0
Author. Fails rcvd. : 0
Author. Errors rcvd. : 0
Author Follows rcvd. : 0
Author. Sess. timeouts : 0
Acct. start reqs. sent : 0
Acct. WD reqs. sent : 0
Acct. Stop reqs. sent : 0
Acct. Success rcvd. : 0
Acct. Errors rcvd. : 0
Acct. Follows rcvd. : 0
Acct. Sess. timeouts : 0
Malformed Pkts. rcvd. : 0
Socket failures : 0
Connection failures : 0
The counters are all zero on a freshly configured server. After a test login expect Authen. Starts sent and one of Authen. Pass rvcd. or Authen. Fails rcvd. to increase; a growing Connection failures count instead points at the server address, the TCP port or a firewall between the 10RX and the server. As with show radius server, the report prints the Secret Key in clear text.
4. In this example you would test for success by logging in John and Jane with the password normal.
3.5.2.2 Configuring TACACS Authentication in the GUI
In the GUI go to System: Management: TACACS to configure the TACACS settings, as illustrated in Figure 3-34.
Figure 3-34. TACACS Server Configuration Screen
In the TACACS Server Configuration screen use the upper dialog box to profile a TACACS server. Click the Add button and this server information will be displayed along with any other configured servers in the lower dialog box. To modify previously configured values enter the revised values in the upper dialog and click the Modify button. The revised values will be displayed in the lower dialog box.
Table 3-11. TACACS Server Configuration Fields
Parameter | Description | See Also
Select | You must click the radio button of the server entry to be configured. |
IP Address | An IP address for the server being configured. You may configure a maximum of five addresses. |
Shared Secret | A user-supplied string of alphabetic characters and/or numerals shared by client and server. | Section 3.5.2, above
Single Connection | Specify Yes to enable a single TCP connection to carry out both authentication and accounting. Specify No to require a separate TCP connection for each function. |
Server Port | The server port number for the TACACS protocol. Default value: 49 |
Server Timeout | The maximum time to wait for a response before timing out and connecting to a secondary server. Default value: 5 seconds |
3.6 File System Management
INOS features a large non-volatile memory for storing user configuration files and event logs. This storage is presented as a file system but does not support directories. Event log files are created automatically by the system software. Configuration files are created by the user executing the copy command.
3.6.1 Listing System Files
Use the dir command in the Exec Commands mode to display a full listing of the files in the file system. The listing includes the file size in bytes and the file name.
Command syntax:
dir
Example:
The dir command and simple output is illustrated in Figure 3-35.
Figure 3-35. dir command and output
Magnum 10RX# dir
Size Name
--------- ------------------------------
964 DefaultEventLog
This command displays the information that the file system contains a single log file of 964 bytes.
3.6.2 Deleting a System File
Use the erase command in the Exec Commands mode to delete a file. To delete a local file follow the keyword flash: with the file URL. Use the keywords sftp: or tftp: to erase remote files reachable by those protocols.
Command syntax:
erase {flash: | sftp: | tftp:} url
Where:
url is a URL specifying a file to be deleted either locally (flash:) or remotely (sftp:, tftp:)
Example:
Magnum 10RX# erase flash:Jan03Log
3.6.3 Copying a System File
Use the copy command in the Exec Commands mode to copy a file. To specify a local source or destination file follow the keyword flash: with the file URL. Use the keywords sftp: or tftp: to copy remote files reachable by those protocols. Copies of local files can be created and stored locally or remotely. Copies of remote files can be made and stored locally. It is not possible to copy remote files to other remote files.
Command syntax:
copy {flash: | sftp: | tftp:} src_url {flash: | sftp: | tftp:} dest_url
Where:
src_url is a URL specifying a source file to be copied either locally (flash:) or remotely (sftp:, tftp:)
dest_url is a URL specifying a destination file to be copied either locally (flash:) or remotely (sftp:, tftp:)
Examples:
Examples of the copy command used locally and to address remote files, and of the routine confirmations, are illustrated in Figure 3-36.
Figure 3-36. copy command and confirmation
Example 1. Source and destination local
Magnum 10RX# copy flash:DefaultEventLog flash:MyLog
Copied flash:DefaultEventLog ==> flash:MyLog
Example 2. Source local and destination remote
Magnum 10RX# copy flash:DefaultEventLog sftp://user:password@192.168.1.42/log.txt
Copied flash:DefaultEventLog ==> sftp://192.168.1.42/log.txt
Example 3. Source remote and destination local
Magnum 10RX# copy sftp://user:password@192.168.2.42/log.txt flash:mylog.txt
Copied sftp://192.168.2.42/log.txt ==> flash:mylog.txt
The sftp:// form carries the remote account’s password on the command line, where it is visible on the terminal and in any command logging (see event 79-9 in Section 3.7.3). Use a dedicated low-privilege SFTP account for transfers, and prefer sftp: over tftp:, which has no authentication or encryption at all.
3.6.4 Displaying System File Contents
Use the more command in the Exec Commands mode to display the contents of a locally stored system file. Precede the URL of the local file with the keyword flash:. The contents of system files stored remotely cannot be displayed.
Command syntax:
more flash:url
Where:
url is a URL specifying a file to be displayed
Example:
The more command and simple output is illustrated in Figure 3-37.
Figure 3-37. more command and output
Magnum 10RX# more flash:DefaultEventLog
<6>Jan 9 16:20:10 2013 %CLI-79-2: User manager logged out
<6>Jan 9 16:20:12 2013 %CLI-79-1: User manager logged in
3.6.5 Creating System Configuration Files
In addition to copying local and remote files in the file system, the copy command is used to manage configuration files with the special running-config and startup-config targets. running-config specifies the system configuration running at the time of the execution of the command. startup-config specifies a saved configuration that will be used by the system on its next startup.
Command syntax:
copy src_config dest_config_file
Where:
src_config is either an existing configuration file or the currently running configuration
dest_config_file is a file to store the configuration information from src_config
Example:
Magnum 10RX# copy running-config startup-config
This command copies the currently running configuration to the special target startup-config. This means that the configuration currently in use will be applied on the next system start.
Example:
Magnum 10RX# copy startup-config flash:newconfig1
This command copies the special target startup-config to the local file newconfig1.
You cannot replace the running configuration while the system is running. You must reboot and force the system to use the configuration information in the startup-config target. To use a configuration saved under a different name, for example newconfig1, copy it to startup-config (copy flash:newconfig1 startup-config) and then reboot. Saved configuration files contain whatever the running configuration held, including shared secrets for RADIUS and TACACS servers, so copies sent off the device should go over sftp: rather than tftp: and be stored with restricted access.
3.7 Event Management
The event management features of INOS software enable the user to determine which of the pre-defined events are logged, to specify the severity attached to events, and to control where the logged events are stored and viewed.
3.7.1 Event Notification Contents
An event is logged to a configured target in a manner that reports a number of its attributes. A typical log message has the following format:
Figure 3-38. Logged event format
<6>Aug 8 10:49:49 2012 %CLI-79-1: An administrative user logged in
Reading left to right: Severity (<6>), Date & Time (Aug 8 10:49:49 2012), Tag (CLI), Event ID (79-1), Message (An administrative user logged in).
3.7.2 Event Attributes
The pre-defined events possess a number of attributes, some of which are user-configurable. Event attributes are listed in Table 3-12.
Table 3-12. Event Attributes
Element | Description | User Configurable?
Event ID | A unique numerical identifier that combines an event category number and an event number separated by a hyphen. For example: 7-3 or 80-2. | No
Event Severity | A numerical ranking of the urgency of the event from 0 to 7, where 0 is the most urgent and 7 is the least urgent. | Yes
Event Tag | A brief text label identifying the category of the event. For example: CLI or SYS. | No
Event Class | A grouping of events. Initially all events are assigned to the Default class. Users can define up to six additional classes. This enables management of several events by modifications to a single specification set. | Yes
Logging Target | The destination of the event notification. This may be one or more of: the console (C), a buffer (B), a file (F), a remote Syslog (S). By default B, F, and S are enabled for all events, with one exception: event 79-9 is delivered with all default targets disabled. This event creates a log entry for every CLI command issued, so it will presumably be enabled by the user only in very special circumstances. | Yes
Message | A text string describing the event. | No
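As an added example, not part of the guide or of INOS, the following parser reads lines in the Figure 3-38 format into their five fields, decodes the bracketed priority into facility and severity (in the local buffer and file the facility is 0, so the number is the event severity itself; a syslog collector sees facility*8 + severity, as described in Section 3.7.6.4), and counts event 79-3 by user and access path so that a burst of failed logins can be matched against the lockout threshold. The sample lines are constructed in that format; the "via telnet" text is an assumed value for the second %s of the 79-3 message.

```python
"""Parse INOS event lines (Figure 3-38 format) and flag repeated login failures."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the Figure 3-38 format; not captured from a device.
SAMPLE_LOG = """\
<6>Aug 8 10:49:49 2012 %CLI-79-1: User manager logged in
<1>Aug 8 10:50:02 2012 %CLI-79-3: Attempt to login as admin via telnet failed
<1>Aug 8 10:50:05 2012 %CLI-79-3: Attempt to login as admin via telnet failed
<1>Aug 8 10:50:09 2012 %CLI-79-3: Attempt to login as admin via telnet failed
<1>Aug 8 10:51:30 2012 %WEB-78-3: WEBNM: Attempt to login with wrong User name or password
<6>Aug 8 10:52:00 2012 %CLI-79-2: User manager logged out
<2>Aug 8 11:00:00 2012 %SYS-80-1: System is rebooting...!!!
"""

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                        # <PRI>
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "   # Date & Time
    r"%(?P<tag>[A-Z]+)-(?P<cat>\d+)-(?P<num>\d+): "               # Tag and Event ID
    r"(?P<msg>.*)$"                                               # Message
)
# Table 3-13, event 79-3: "Attempt to login as %s via %s failed"
FAILED_CLI_RE = re.compile(r"^Attempt to login as (\S+) via (\S+) failed$")


@dataclass(frozen=True)
class Event:
    facility: int      # pri // 8; 0 in the local buffer/file, a local-use code on the wire
    severity: int      # pri % 8, the Table 3-14 code
    timestamp: str
    tag: str
    event_id: str      # "category-number", e.g. "79-3"
    message: str


def parse_line(line: str) -> Event:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an INOS event line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError("PRI out of range")
    return Event(pri // 8, pri % 8, m["ts"], m["tag"], f"{m['cat']}-{m['num']}", m["msg"])


def parse_log(text: str) -> List[Event]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def urgent(events: List[Event], max_severity: int) -> List[Event]:
    """Events at least as urgent as max_severity (a lower code is more urgent)."""
    return [e for e in events if e.severity <= max_severity]


def failed_cli_logins(events: List[Event]) -> Dict[Tuple[str, str], int]:
    """Count event 79-3 by (user, access path) using the %s slots of its message."""
    counts: Counter = Counter()
    for e in events:
        if e.event_id == "79-3":
            m = FAILED_CLI_RE.match(e.message)
            if m:
                counts[(m[1], m[2])] += 1
    return dict(counts)


def brute_force_alerts(events: List[Event], threshold: int) -> List[Tuple[str, str, int]]:
    """(user, path, count) for every user whose failures reached the lockout threshold."""
    return [(u, p, n) for (u, p), n in failed_cli_logins(events).items() if n >= threshold]
```

Because the web login failure (78-3) carries no user name in its message text, it can only be counted, not attributed, which is worth knowing before building alerting on it; the CLI event 79-3 does name the account and the path.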
3.7.3 Event IDs and Defaults
Table 3-13 lists the events that are enabled in this software version and their associated default values. The table does not list “Class” because all events are set to the value “Default” by default, and it does not list “Targets” because all events (with the sole exception noted above) are enabled on targets Buffer, File, and Syslog and disabled on the Console target. Class, Severity, and Target are all user-configurable.
The system detects all of the events in this list and can potentially report them to a logging destination. If no logging targets are enabled however, the event will not be visible.
You can display extensive information about events and their specifications in the console with the use of the show logging events command and its arguments (all, detail, etc.)
Symbol strings such as “%s” in the message texts represent variable information generated in each event instance.
Table 3-13. Events
Event ID | Default Severity | Tag | Message
7-1 | 6 | INTF | "Interface %s Link Status %s"
7-2 | 6 | INTF | "SFP inserted on interface %s: Vendor OUI: %s, Part Number: %s"
7-3 | 6 | INTF | "SFP removed from interface %s"
7-4 | 6 | INTF | "Automedia interface %s configured for %s"
7-5 | 1 | INTF | "Couldn't get SFP data for port %u"
49-1 | 6 | SNTP | "%s server is not responding"
78-1 | 6 | WEB | "WEBNM: Successfully logged as User - %s "
78-2 | 1 | WEB | "WEBNM: User %s successfully logged out"
78-3 | 1 | WEB | "WEBNM: Attempt to login with wrong User name or password"
79-1 | 6 | CLI | "User %s logged in"
79-2 | 6 | CLI | "User %s logged out"
79-3 | 1 | CLI | "Attempt to login as %s via %s failed"
79-8 | 1 | CLI | "User %s deleted successfully"
79-9 | 7 | CLI | "Command from %s %d:%s - %s"
79-11 | 1 | CLI | "User %s changed password successfully"
79-12 | 1 | CLI | "User %s added successfully"
80-1 | 2 | SYS | "System is rebooting...!!!"
80-2 | 1 | SYS | "Saving %s to %s failed"
80-3 | 6 | SYS | "%s saved to %s successfully!"
82-1 | 2 | POWER | "Power Supply #%u failed"
82-2 | 6 | POWER | "Power Supply #%u is good"
3.7.3.1 Event Severity
The severity value is intended to give an administrator an indication of how urgently the logged event requires attention. Each event is supplied with a severity value that conforms to the general guidance provided for such severity levels in the Syslog protocol defined in RFC 5424.
The severity values assigned to each event by the manufacturer are common-sense suggestions. They can be changed by an administrator. Note that several routine administrative events (78-2, 79-8, 79-11, 79-12) share the default severity 1 with the failed-login events 78-3 and 79-3, so review the defaults before driving alerting from severity alone.
Table 3-14. Event Severities
Numerical Code | Severity
0 | Emergency: system is unusable
1 | Alert: action must be taken immediately
2 | Critical: critical conditions
3 | Error: error conditions
4 | Warning: warning conditions
5 | Notice: normal but significant condition
6 | Informational: informational messages
7 | Debug: debug-level messages
3.7.3.2 Logging Targets
There are four possible destinations to log an event. The event notifications can be sent to:
• The console
• A memory buffer
• A file
• A remote Syslog server
3.7.4 Displaying Event Information
The CLI displays information about which targets are enabled in the following formats:
Figure 3-39. Logging Targets
With the Magnum 10RX# show logging events command:
Event                                                     Targets
Id                                                        C B F S
- - - - - - - - - - - - - -
7-1                                                       N Y Y Y
With the Magnum 10RX# show logging events detail command:
Event: 7-1
.
.
.
Event Targets:
Console: Disabled
Buffer: Enabled
File: Enabled
Syslog: Enabled
The less detailed command abbreviates the targets to their initial letters and signifies “enabled” with “Y” and “disabled” with “N.”
Event Display Commands
The following commands are available at the EXEC commands Magnum 10RX# prompt to display logging events:
• show logging events – Executed with no arguments the command displays in brief format a list of all logging events for which a target is enabled.
• show logging events nn – Where nn is a one- or two-digit number specifying a category, displays all logging events of the specified category in brief format.
• show logging events all – Displays in brief format a list of all logging events including any for which no target is enabled.
• show logging events detail – Displays in verbose format a list of all logging events for which a target is enabled.
• show logging events detail-all – Displays in verbose format a list of all logging events including any for which no target is enabled.
3.7.5 Clearing Events
The following commands are available at the EXEC commands Magnum 10RX# prompt to clear logging events:
• clear logging buffer string
• clear logging events nnn [nnn]
3.7.6 Configuring Events
The following commands are available at the CONFIGURE commands Magnum 10RX(config)# prompt to configure logging events.
3.7.6.1 Creating and Configuring a logging Class
An administrative user can create a new class and set class parameters with the logging class command. A user-created class can be useful for grouping events that have similar requirements and managing them in unison by amendments to the class specifications.
The classes Default and Firewall are provided by default. These may not be deleted by users. Users can create up to six additional classes. Events are added to a class by specifying the event’s membership in the logging event command.
Command syntax:
logging class cname [severity s] [max-rate rrr] [buffer [size bbb] [circular]] [file [size fff] [number nnn] [circular]]
Where:
cname is a string of up to 32 characters naming the class. The command executed with no parameters except a name will create a new class with default values.
s is a digit in the range 0-7 specifying the severity level. (Default = 7)
rrr is a numerical value in the range 1-250 specifying the maximum logging rate per second. (Default = 100)
bbb is a numerical value in the range 1-1024 specifying the maximum size in Kbytes of the buffer. (Default = 256)
fff is a numerical value in the range 1-4096 specifying the maximum size of the logging file in Kbytes.
nnn is a numerical value in the range 1-65535 specifying the maximum number of logging files. (Default = 8)
Files and buffers are circular by default. A circular file or buffer wraps data; that is, when it reaches maximum size the oldest entries are replaced with the newest entries. A file that is not circular will stop collecting data when it reaches maximum size, so events that occur after that point are missing from the file; for a class whose events matter for audit, keep the file circular and forward the class to a remote Syslog server as well, so that wrapping on the device does not lose the record.
Any parameter not specified receives the default value.
Example:
Magnum 10RX(config)# logging class UserAccess severity 6 max-rate 200
This command creates a new class named UserAccess with a severity level of 6 and a maximum logging rate of 200 per second. All other parameters are default.
Negating Existing Configurations
Delete a user-created class with the no logging class command, for example:
Magnum 10RX(config)# no logging class UserAccess
A class may not be deleted while any events remain assigned to it. You must first reassign events to other classes, then delete the class when it is empty of events.
Parameters that take specific values are modified with the logging class command. Specify that a class’s logging buffer or logging file is not circular with the no logging class command, for example:
Magnum 10RX(config)# no logging class UserAccess buffer circular
Magnum 10RX(config)# no logging class UserAccess file circular
3.7.6.2 Configuring a logging Event
An administrative user can configure events with the logging event command.
Command syntax:
logging event catnum evnum [severity s] [target {console | buffer | file | syslog} ...] [class cname]
Where:
catnum is a one- or two-digit value specifying the category of the event.
evnum is a one- or two-digit value specifying the event number.
s is a digit in the range 0-7 specifying the severity level. If omitted, the event keeps its current severity (the defaults are listed in Table 3-13).
cname is a string of up to 32 characters naming the class.
Example:
Magnum 10RX(config)# logging event 78 3 target c b class UserAccess
This command specifies that instances of event 78-3 (the event ID combines the category number and the event number) are to be logged to the console and to the buffer and that event 78-3 is a member of the class UserAccess. All other parameters are default. Targets may be abbreviated to their initial letters, as in the example.
3.7.6.3 Configuring All logging Events
An administrative user can configure all events with the same value(s) with the logging event all command. This command is like the logging event command except that it does not take an event ID specification so that any changes it makes are applied to all events.
Command syntax:
logging event all severity s | target [console | buffer | file | syslog] class cname
Where:
s is a digit in the range 0-7 specifying the severity level. (Default =7)
cname is a string of up to 32 characters naming the class.
Example:
Magnum 10RX(config)# logging event all target b f class Default
This command specifies that all events are to be logged to the buffer (target b) and to the file (target f) and are members of the class Default. Severity levels are not changed by this command example.
3.7.6.4 Configuring Syslog Server
An administrative user can specify a remote Syslog server as the target for logging events. The configuration must point to a valid Syslog server that conforms to RFC 5424.
Command syntax:
logging server pri [ipv4 ucast_addr] | [ipv6 ip6_addr] | host-name [port portnum] udp | tcp
Where:
pri is a numerical value in the range 128-191 specifying the minimum priority value of messages delivered to this Syslog collector.
ucast_addr is an IP address in IPv4 format.
ip6_addr is an IP address in IPv6 format.
host-name is an optional name for the target device.
portnum is a numerical value in the range 0-65535 specifying the port to receive the messages. Default ports are 514 for UDP and 601 for TCP.
Example:
Magnum 10RX(config)# logging server 150 ipv4 192.168.1.5 port 514 udp
This command creates a pointer to a Syslog collector for messages of priority 150 or higher, using the UDP transmission protocol on port 514 of the specified server.
Syslog Priority Values
A Syslog message begins with a priority value, which is a numerical value enclosed in angle brackets. This value is computed by multiplying the numerical code of the facility by 8 and adding a severity value in the range 0-7 (see Table 3-15). The resulting range provides 8 series of 8 values, allowing each of the 8 local facilities to provide a uniquely identifying priority value for each of the 8 severity values.
Facility values 0-15 are reserved for specific facilities (such as kernel or mail system) defined in RFC 5424. In addition there are 8 local facility values with numerical codes 16-23. These can be assigned by an authorized user. Local0 is the default value for the current device but the user can configure the current device to be one of local1 (numerical code 17) through local7 (numerical code 23).
Delete a pointer to a Syslog collector with the no logging server command. For example:
Magnum 10RX(config)# no logging server 150 ipv4 192.168.1.5
The parameters supplied in this command are sufficient to identify the collector unambiguously and to delete it from the Syslog table.
Table 3-15. Facility Codes
Numerical Code   Facility
0                Emergency: system is unusable
1                Alert: action must be taken immediately
2                Critical: critical conditions
3                Error: error conditions
4                Warning: warning conditions
5                Notice: normal but significant condition
6                Informational: informational messages
7                Debug: debug-level messages
8                UUCP subsystem
9                clock daemon
10               security/authorization messages
11               FTP daemon
12               NTP subsystem
13               log audit
14               log alert
15               clock daemon
16               local0 (PRI range 128-135)
17               local1 (PRI range 136-143)
18               local2 (PRI range 144-151)
19               local3 (PRI range 152-159)
20               local4 (PRI range 160-167)
21               local5 (PRI range 168-175)
22               local6 (PRI range 176-183)
23               local7 (PRI range 184-191)
Examine the current logging server configuration by executing the show logging server command from the Magnum 10RX# prompt to obtain output like the following:
Figure 3-40. Log Servers Table Information
Event Log Servers Table Information
--------------------------------
Priority   Facility Severity        Addr-Type IpAddress       Port  Type
---------  -------- --------------- --------- --------------- ----- ----
129(128-1) local0   1-Alerts        ipv4      192.168.1.5     514   udp
170(168-2) local5   2-Critical      ipv4      192.168.1.5     601   tcp
190(184-6) local7   6-Informational ipv6      ::ffff:c0a8:105 601   tcp
-----------------------------------------
3.7.6.5 Configuring the Logging Facility
Devices in a network can be assigned facility numbers so that a common Syslog server can determine the origin of logging notifications from multiple sources. The default value of each device is local0. An administrative user can assign a device a logging facility value from local1 to local7 with the logging facility command.
Command syntax:
logging facility localx
Where:
x is a digit in the range 1-7.
Example:
Magnum 10RX(config)# logging facility local3
This command specifies that the current device is logging facility local3.
You can view the logging facility value for the current device at the EXEC commands prompt with the following command:
Magnum 10RX# show logging facility
Delete the device’s logging facility designation with the no logging facility command, for example:
Magnum 10RX(config)# no logging facility
This will delete any user-specified logging facility designation and return the device to the default value of local0.
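The priority arithmetic above (PRI = facility × 8 + severity) and the collector filtering rule ("priority 150 or higher") are easy to get wrong when checking a Syslog collector's configuration. The following Python is an added example, not INOS code: it encodes and decodes PRI values, renders them in the layout of the show logging server table, and applies the manual's delivery rule to a few constructed RFC 5424 messages. The message contents and hostnames are made up for the example; only the local0-local7 facilities that the device can be configured to use are named (note that the first eight rows of Table 3-15 list RFC 5424 severity names; RFC 5424 itself assigns facility codes 0-7 to kernel, user-level, mail, system daemon, security/authorization, syslogd-internal, line printer and network news messages).

```python
"""Syslog PRI arithmetic for the INOS logging server configuration.

Added example, not INOS code. Implements PRI = facility * 8 + severity,
the inverse decoding, and the manual's rule that a collector configured with
"logging server <pri> ..." receives messages whose PRI is <pri> or higher.
"""
import re
from typing import List, Tuple

# Severity codes 0-7 (Table 3-15, first eight rows).
SEVERITY_NAMES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug",
}
LOCAL_FACILITY_BASE = 16  # local0 = 16 ... local7 = 23


def pri_encode(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity (RFC 5424)."""
    if not 0 <= facility <= 23:
        raise ValueError("facility must be 0-23")
    if not 0 <= severity <= 7:
        raise ValueError("severity must be 0-7")
    return facility * 8 + severity


def pri_decode(pri: int) -> Tuple[int, int]:
    """Inverse of pri_encode: returns (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be 0-191")
    return divmod(pri, 8)


def local_facility_code(name: str) -> int:
    """'local3' -> 19, i.e. the code selected by 'logging facility local3'."""
    m = re.fullmatch(r"local([0-7])", name)
    if not m:
        raise ValueError("expected local0..local7")
    return LOCAL_FACILITY_BASE + int(m.group(1))


def local_pri_range(name: str) -> Tuple[int, int]:
    """PRI range covered by a local facility, e.g. local0 -> (128, 135)."""
    base = local_facility_code(name) * 8
    return base, base + 7


def describe_pri(pri: int) -> str:
    """Render a PRI the way the show logging server table does, e.g. '170(168-2) local5 2-Critical'."""
    fac, sev = pri_decode(pri)
    fac_name = f"local{fac - LOCAL_FACILITY_BASE}" if fac >= LOCAL_FACILITY_BASE else f"facility{fac}"
    return f"{pri}({fac * 8}-{sev}) {fac_name} {sev}-{SEVERITY_NAMES[sev]}"


_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_message_pri(message: str) -> int:
    """Extract the PRI from the '<PRI>' header that begins a syslog message."""
    m = _PRI_RE.match(message)
    if not m:
        raise ValueError("message does not start with <PRI>")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    return pri


def collector_accepts(configured_pri: int, message: str) -> bool:
    """Manual's rule: a message is delivered if its PRI >= the configured minimum PRI."""
    if not 128 <= configured_pri <= 191:
        raise ValueError("logging server pri must be 128-191")
    return parse_message_pri(message) >= configured_pri


# Constructed sample messages in RFC 5424 layout (hostnames and text are made up).
SAMPLE_MESSAGES = [
    "<129>1 2018-06-04T10:00:00Z 10rx-a INOS - - - link down on gi3/1",   # local0, Alert
    "<170>1 2018-06-04T10:00:01Z 10rx-b INOS - - - config saved",          # local5, Critical
    "<190>1 2018-06-04T10:00:02Z 10rx-c INOS - - - user admin logged in",  # local7, Informational
]


def deliverable(configured_pri: int) -> List[str]:
    """Sample messages a collector configured with the given pri would receive."""
    return [m for m in SAMPLE_MESSAGES if collector_accepts(configured_pri, m)]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict = "delivered" if collector_accepts(150, msg) else "filtered"
        print(describe_pri(parse_message_pri(msg)), "->", verdict)
```

With the collector from the example above (logging server 150 ...), the local0 Alert message (PRI 129) is filtered while the local5 and local7 messages are delivered, which is the behaviour the "priority 150 or higher" rule implies; when assigning facilities to devices, check with local_pri_range that the facility you choose falls inside the range the collector accepts.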
3.8 Software Upgrade
The 10RX flash memory holds a maximum of two versions of system software. The device is shipped with a current version of software. When that version is replaced with a subsequent version the replaced version remains stored in memory as a fallback version while the system runs on the new, or “upgraded,” version. On a second upgrade the oldest version is lost and the most recently replaced version becomes the fallback version.
The upgrade process normally requires the use of a TFTP or SFTP application working cooperatively with the INOS command set. The design of the INOS software update state machine is depicted in Figure 3-41, below.
Figure 3-41. Software Upgrade State Machine
[Figure: the states INITIAL, READY TO UPGRADE, UPGRADING, UPGRADED and FALLBACK, linked by the transitions copy..., reload, finalize software upgrade, fallback software upgrade and retry software upgrade, as described in Table 3-16.]
State machine status can be displayed in the output of the show software upgrade command, as illustrated in Figure 3-42.
Figure 3-42. Upgrade Information Output
Magnum 10RX# show software upgrade
Software Upgrade State: Upgraded
Slot 0: 10rxv100B4.itb Version: 1.0.0B4 (fallback)
Slot 1: phoenix.itb Version: 1.0.1X2 (upgraded, booted)
The meanings of these states and the actions appropriate to each are described in Table 3-16, below.
Table 3-16. Upgrade States and User Actions
State   Description
Initial   The system is in the initial state when a single software image is present in flash memory as a result of factory install or flash re-initialization.
   Proceed to the next state by using the copy...upgrade-image command to copy another valid software image.
Ready to Upgrade   The system is in the ready to upgrade state when the user has uploaded an upgrade image with the copy...upgrade-image command.
   Proceed to the next state by executing the reload command. When the system restarts, log in with administrative privileges.
Upgrading   The system is in the upgrading state when the device becomes operational following a reload from the ready to upgrade state.
   Confirm with the show software upgrade command that the status is (upgrading, booted).
   Proceed to the next state by executing the finalize software upgrade command.
Upgraded   The system is in the upgraded state when the device is running on the newly installed software after finalization. This is the normal running configuration.
   Confirm with the show software upgrade command that the status is (upgraded, booted).
   From the upgraded state you can begin the process to install a new version with the copy... command or change to the fallback version with the fallback software upgrade command.
Fallback   The system is in the fallback state when the device is reloaded for any reason before finalization. This could occur, for example, as a result of power failure, user command, or because the new image did not become operational.
   You can retry a failed upgrade with the retry software upgrade command or begin the upgrade process anew with the copy... command.
3.8.1 Using the Copy Command to Upgrade
The upgrade procedure requires the execution of the copy command with the upgrade-image keyword. The command syntax varies depending on whether the new image is in the 10RX flash memory or elsewhere on the network and on the file transfer tool used.
Command syntax:
with TFTP
copy tftp://ip-address/filename upgrade-image
with SFTP
(Note: SFTP enables specifying a relative pathname, as in example 1 below, or an absolute pathname, as in example 2.)
1. copy sftp://<user-name>:<pass-word>@ip-address/filename upgrade-image
2. copy sftp://<user-name>:<pass-word>@ip-address//dirname/filename upgrade-image
file in flash memory
copy flash:filename upgrade-image
Where:
ip-address is the address of the device where the file resides.
filename is the name of the new image file.
user-name is a valid user name created as a part of SFTP security.
pass-word is a valid password created as a part of SFTP security.
dirname is the name of a directory where the image file resides.
3.8.2 Upgrade Procedure
1. Make the new image file available to your TFTP or SFTP server according to that application’s instructions. If you are using SFTP, be sure you know the required username and password.
2. Log in to the 10RX as an administrator.
3. Execute the copy command using the appropriate syntax as described above. An example using TFTP follows:
Magnum 10RX# copy tftp://192.168.1.43/newimage.itb upgrade-image
Wait for the console message: Copied tftp://192.168.1.43/newimage.itb ==> boot image
4. When the copy command completes in the 10RX window, execute the reload command. (This may produce a lengthy wait, up to several minutes.)
Magnum 10RX# reload
5. On reload completion, log in as an administrator and execute the following commands:
• Magnum 10RX# show system information (to view the running software version)
• Magnum 10RX# show software upgrade (to view upgrade status). Expect the new image status to be (upgrading, booted).
6. Finalize the upgrade with the following commands:
• Magnum 10RX# finalize software upgrade
• Magnum 10RX# show software upgrade (to view upgrade status). Expect the new image status to be (upgraded, booted).
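The state machine of Figure 3-41, Table 3-16 and the procedure above can be checked mechanically before and after a maintenance window. The following Python is an added example, not INOS code: it models the five states with the transitions the manual names after their CLI commands, and parses the show software upgrade output of Figure 3-42 to tell whether a device is still waiting for finalize software upgrade. Two details are this example's assumptions: an unexpected reload before finalization (power failure, user reload) is modelled as the event "reload" in the UPGRADING state, and retry software upgrade is modelled as returning the device to the UPGRADING state so that finalization can be attempted again.

```python
"""Model of the INOS software upgrade state machine and a parser for the
'show software upgrade' output. Added example, not INOS code."""
import re
from enum import Enum
from typing import Dict, Iterable, List, Tuple

class State(Enum):
    INITIAL = "Initial"
    READY_TO_UPGRADE = "Ready to Upgrade"
    UPGRADING = "Upgrading"
    UPGRADED = "Upgraded"
    FALLBACK = "Fallback"

# Events are named after the CLI commands that cause them.
TRANSITIONS: Dict[Tuple[State, str], State] = {
    (State.INITIAL, "copy"): State.READY_TO_UPGRADE,        # copy ... upgrade-image
    (State.READY_TO_UPGRADE, "reload"): State.UPGRADING,
    (State.UPGRADING, "finalize"): State.UPGRADED,          # finalize software upgrade
    (State.UPGRADING, "reload"): State.FALLBACK,            # assumption: any reload before finalization
    (State.UPGRADED, "copy"): State.READY_TO_UPGRADE,
    (State.UPGRADED, "fallback"): State.FALLBACK,           # fallback software upgrade
    (State.FALLBACK, "retry"): State.UPGRADING,             # retry software upgrade (assumed target state)
    (State.FALLBACK, "copy"): State.READY_TO_UPGRADE,
}

class UpgradeError(Exception):
    pass

def is_valid(state: State, event: str) -> bool:
    return (state, event) in TRANSITIONS

def step(state: State, event: str) -> State:
    if not is_valid(state, event):
        raise UpgradeError(f"'{event}' is not valid in state {state.value}")
    return TRANSITIONS[(state, event)]

def run(events: Iterable[str], start: State = State.INITIAL) -> State:
    """Apply a sequence of events and return the resulting state."""
    state = start
    for ev in events:
        state = step(state, ev)
    return state

def allowed_events(state: State) -> List[str]:
    return sorted(ev for (s, ev) in TRANSITIONS if s is state)

# Parser for output in the layout of Figure 3-42.
_STATE_RE = re.compile(r"^Software Upgrade State:\s*(.+?)\s*$")
_SLOT_RE = re.compile(r"^Slot (\d+):\s*(\S+)\s+Version:\s*(\S+)\s*\(([^)]*)\)")

def parse_show_software_upgrade(text: str):
    """Return (state, slots); slots maps slot number -> (file, version, flags)."""
    state = None
    slots = {}
    for line in text.splitlines():
        m = _STATE_RE.match(line)
        if m:
            state = State(m.group(1))
            continue
        m = _SLOT_RE.match(line)
        if m:
            flags = tuple(f.strip() for f in m.group(4).split(","))
            slots[int(m.group(1))] = (m.group(2), m.group(3), flags)
    if state is None:
        raise UpgradeError("state line not found in output")
    return state, slots

def finalization_pending(text: str) -> bool:
    """True when the new image is booted but finalize software upgrade has not been run."""
    state, slots = parse_show_software_upgrade(text)
    return state is State.UPGRADING and any("booted" in flags for _, _, flags in slots.values())

# Output taken from Figure 3-42 (the page's own sample).
SAMPLE_OUTPUT = """Software Upgrade State: Upgraded
Slot 0: 10rxv100B4.itb Version: 1.0.0B4 (fallback)
Slot 1: phoenix.itb Version: 1.0.1X2 (upgraded, booted)
"""

if __name__ == "__main__":
    print(run(["copy", "reload", "finalize"]))        # State.UPGRADED
    print(parse_show_software_upgrade(SAMPLE_OUTPUT))
```

Steps 3 to 6 of the procedure correspond to the event sequence copy, reload, finalize; a reload that happens before step 6 lands the device in Fallback, which is why the procedure checks for (upgrading, booted) before finalizing.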
3.8.2.1 Viewing System Information in the GUI
The information you can obtain with the CLI Magnum 10RX# show system information command, as explained above, can also be viewed in the GUI, as illustrated in Figure 3-43.
Figure 3-43. System Information Screen
3.9 Restarting the Switch
In the CLI, use the reload command in Exec Commands mode to shut down the Magnum 10RX and restart it.
Command syntax:
reload
Example:
Magnum 10RX# reload
When asked:
Are you sure you want to reload the system (type 'yes' to confirm)?
Respond: yes
NOTE: In the event of an initial upgrade failure, execute the retry software upgrade command.
In the GUI go to System: Management: Reboot and shut down and restart the device by clicking the Reboot button, as illustrated in Figure 3-44.
Figure 3-44. Rebooting
Chapter 4 Ethernet
The configuration of Ethernet connections is partially automated but can be controlled to some extent by the user.
4.0.1 Ethernet Auto Media Interfaces
The 10RX router comes with up to ten auto-media Gigabit Ethernet (GbE) interfaces. Each auto-media interface supports RJ45 copper or fiber SFP. By default, the first media type to achieve link is selected as the active interface.
All copper interfaces support Auto-MDIX and speed and duplex auto-negotiation at 1000, 100, and 10 Mbps.
The SFP speeds supported depend on the installed media.
4.0.2 Enabling Ethernet Interfaces
Each Ethernet interface on the 10RX is uniquely identified by a slot/port designator. Slots 1 and 2 can each hold a single port auto-media card. Slots 3, 5, 7, and 9 can each hold a dual port auto-media card. The full list of possible Ethernet port designators is:
• Gigabitethernet 1/1
• Gigabitethernet 2/1
• Gigabitethernet 3/1
• Gigabitethernet 3/2
• Gigabitethernet 5/1
• Gigabitethernet 5/2
• Gigabitethernet 7/1
• Gigabitethernet 7/2
• Gigabitethernet 9/1
• Gigabitethernet 9/2
Gigabitethernet 1/1 is enabled by factory default.
A range of interface configuration commands becomes available when you specify a valid port to configure from the Magnum 10RX(config)# prompt. This produces a new prompt, Magnum 10RX(config-if)#. This prompt signals that you are in the interface configuration mode. View the commands available in this mode by entering Help at the prompt. All commands executed will apply to the specified interface. To configure another interface exit the interface configuration mode, specify the new interface at the Magnum 10RX(config)# prompt and re-enter interface configuration mode.
4.0.2.1 Enabling Ethernet Ports
Use the no shutdown command in interface configuration mode to enable a port. The following example illustrates the command sequence.
Figure 4-1. Enabling a GbE Interface on the CLI
Magnum 10RX(config)# interface gigabitethernet 7/1
Magnum 10RX(config-if)# no shutdown
Magnum 10RX(config-if)# exit
Magnum 10RX(config)#
Disable a port by using the shutdown command in interface configuration mode.
4.0.2.2 Configuring Port Type
10RX ports can be configured as either switch ports or router ports. The default configuration is switchport. To configure a port as a router port, execute the no switchport command. The following example illustrates the command sequence.
Figure 4-2. Configuring a Router Port
Magnum 10RX(config)# interface gigabitethernet 7/1
Magnum 10RX(config-if)# no switchport
Magnum 10RX(config-if)# no shutdown
Magnum 10RX(config-if)# exit
Magnum 10RX(config)#
This command sequence specifies that port 7/1 is a router port and enables the port.
4.0.2.3 Configuring Switchport Mode
A port configured as a switchport may be put into one of three modes: Access, Trunk, or Hybrid (see Table 4-1). Specify the switchport mode with the switchport mode command.
Command syntax:
switchport mode {access | trunk | hybrid}
Example:
Magnum 10RX(config-if)# switchport mode trunk
Default value: hybrid
Table 4-1. Switchport Modes
Mode   Description
access   Configures the port as an access port that accepts and sends only untagged frames. This kind of port is added as a member of a specific VLAN only and carries traffic only for the VLAN to which the port is assigned.
   The port can be set as an access port only if the following two conditions are met:
   • acceptable-frame-type is set as untaggedAndPrioritytagged
   • the port is not a tagged member of any VLAN
trunk   Configures the port as a trunk port that accepts and sends only tagged frames. This kind of port is added as a member of all existing VLANs and of any new VLAN created. It carries traffic for all VLANs.
   The trunk port also accepts untagged frames if the acceptable frame type is set as all.
   The port can be set as a trunk port only if the port is not an untagged member of any VLAN in the switch.
hybrid   Configures the port as a hybrid port that accepts and sends both tagged and untagged frames.
4.0.2.4 Configuring MTU Size
Use the mtu command in Interface Configuration mode to configure the size of the Maximum Transmission Unit (MTU). The Maximum Transmission Unit is the maximum size in bytes of the protocol data unit that will be transmitted on an interface. The protocol data unit on Ethernet networks is the frame and the default MTU size is 1500.
Command syntax:
mtu frame-size
Where:
frame-size is a numerical value in the range 68-1500.
Example:
Magnum 10RX(config-if)# mtu 1200
This command specifies a Maximum Transmission Unit size of 1200 bytes on the port currently under configuration.
Default value: 1500
Valid range: 68-1500
4.0.2.5 Configuring Storm Control
Storm control prevents the network from being overwhelmed by broadcast, multicast, or destination lookup failure (DLF) packets. Storms can result from errors in network configuration or from malicious activity. Storm control allows you to specify a per-interface limit on the rate of traffic of various types.
Storm control is implemented with two commands:
• the storm-control packet-type command specifies the type of packet that will be subject to the limit specified with the level command.
• the storm-control level command specifies the maximum rate, in bits per second, to be transmitted out of the interface.
Command syntax:
storm-control packet-type {broadcast | multicast | dlf}
storm-control level levelnum
Where:
levelnum is a numerical value specifying bits per second.
Example:
The following example illustrates the command sequence.
Figure 4-3. Configuring Storm Control
Magnum 10RX(config)# interface gigabitethernet 5/2
Magnum 10RX(config-if)# no shutdown
Magnum 10RX(config-if)# storm-control level 1000
Magnum 10RX(config-if)# storm-control packet-type multicast
Magnum 10RX(config-if)# storm-control packet-type broadcast
Magnum 10RX(config-if)#
This series of commands specifies that on interface GbE 5/2 multicast and broadcast traffic cannot exceed 1000 bits per second.
Default value: Storm control is disabled
Valid range: 1-262143
4.0.2.6 GUI - Port Basic Settings Screen
Enable and disable ports with the GUI using the Port Basic Settings screen on the Layer 2 Management menu (identified on the menu as “Port Manager”).
Enable a port on this screen by selecting Up in the pull down menu in the Admin State column and clicking Apply. Disable it by selecting Down.
Figure 4-4. Enabling a GbE Interface in the GUI
The fields that are configurable in the Port Basic Settings screen correspond to the CLI commands documented in the CLI configuration sections above and in Chapter 5.
Table 4-2. Port Basic Settings Fields
Column | Description | Options or Range | Comment
Select | You must click the radio button for the port to configure. | |
Port | Available Ethernet ports. | | See Section 4.0.2
Link Status | Hardware status of this port. | Enabled (green), Disabled (red) |
Admin State | Administrative status of this port. | Up, Down | See Section 4.0.2.1
SwitchPort Mode | Determines what types of frames will be transmitted on this port. | Access, Trunk, Hybrid | See Section 4.0.2.3
MTU | Size of the maximum transmission unit on this port. | 68-1500 | See Section 4.0.2.4
Link Up/Down Trap | Whether or not this port is transmitting and receiving link up/down traps. | | Equivalent of (config-if)# snmp trap link status
Port Type | Whether this port is to function as a switch port or as a router port. | Switch Port, Router Port | See Section 4.0.2.2
MAC Address | The hardware address of this port. | |
Chapter 5 VLAN
This section describes the VLAN implementation on the Magnum 10RX and the minimal steps necessary to configure VLANs on the router.
5.0.1 Dynamic VLANs and Trunking
The Magnum 10RX uses GARP VLAN Registration Protocol (GVRP) to automatically configure VLAN trunks. When you define access ports (see “Defining an Access Port in the CLI”) tagged VLAN membership is automatically set up on the necessary ports so that the various access ports can communicate over the switched VLAN infrastructure.
5.0.1.1 Enabling GVRP Globally in the CLI
In the CLI use the set gvrp command in Global Configuration mode to enable or disable the GVRP feature on all ports of the switch.
Command syntax:
set gvrp {enable | disable}
Example:
Magnum 10RX(config)# set gvrp enable
Use the show vlan device info command to view global VLAN information.
5.0.1.2 Enabling GVRP Globally in the GUI
In the GUI go to the Layer 2: Manager: GVRP: DynamicVlan tab to globally enable GVRP, as illustrated in Figure 5-1.
Figure 5-1. GVRP Dynamic VLAN Tab
Table 5-1. GVRP Dynamic VLAN Fields
Parameter   Description
Status   Select Enabled or Disabled for configuration of all ports on the switch, then click Apply.
5.0.1.3 Enabling GVRP On A Port in the CLI
In the CLI use the set port gvrp command in Global Configuration mode to enable or disable the GVRP feature on a specific port.
Command syntax:
set port gvrp if-type if-id {enable | disable}
Where:
if-type is gigabitethernet.
if-id specifies a port on the switch with a slot number and a port number separated by a slash.
Example:
Magnum 10RX(config)# set port gvrp gigabitethernet 3/1 enable
This command enables the GVRP feature on port 3/1 only.
Use the show vlan port config command to view VLAN information for specific ports.
5.0.1.4 Enabling GVRP On A Port in the GUI
In the GUI go to the Layer 2: Manager: GVRP: Port Settings tab to enable GVRP on a specific port, as illustrated in Figure 5-2.
Figure 5-2. GVRP Port Settings Tab
Table 5-2. Dynamic VLAN Port Configuration Fields
Parameter   Description
Select   You must click the radio button of the port to be configured.
Port   A list of configurable gigabitethernet ports.
Status   Select Enabled or Disabled for configuration of the selected port, then click Apply.
5.0.1.5 Setting GARP Timers For A Port in the CLI
In the CLI use the set garp timer command in Interface Configuration mode to set GARP timer values for the port under configuration. These timer values control the transmission of the GARP PDUs used to synchronize attribute information between switches and to register and de-register attribute values. They control the timing of the following messages:
• join
The join message is sent by a GARP participant to another GARP participant to register attributes.
A GARP participant waits for its join message to be acknowledged before re-sending the join message. The join message is re-transmitted only once if the initial message is not acknowledged.
The join timer value specifies the length of time a GARP participant waits for its join message to be acknowledged before re-sending the join message.
This timer is started with the sending of the initial join message.
The join timer value must be expressed in multiples of ten (that is, 210, 220, 230, etc.), must be greater than zero and must be less than half the leave timer value.
• leave
The leave message is sent from a GARP participant to another participant when de-registering attributes.
The leave timer value specifies the length of time to wait for any join message before removing attribute details.
This timer is started when a leave message is sent to de-register the attribute details.
The leave timer value must be expressed in multiples of ten (that is, 610, 620, 630, etc.) and must be more than twice the join timer value.
• leaveall
The leaveall message is sent from a GARP participant to other participants after a length of time during which registered attributes are to be maintained. This message initiates the re-registering of attribute details.
The leaveall timer value specifies the length of time during which attributes are maintained before the next de-registering/re-registering.
The leaveall timer value must be expressed in multiples of ten (that is, 1010, 1020, 1030, etc.) and must be greater than the leave timer value.
Command syntax:
set garp timer {join | leave | leaveall} millisecs
Where:
millisecs is the specified length of time in milliseconds. For limits see above.
Example:
In Global Configuration mode, to enter Interface Configuration mode and configure the GARP leaveall timer on interface Gigabitethernet 3/1, do the following:
Figure 5-3. Setting a GARP Timer
Magnum 10RX(config)# interface gigabitethernet 3/1
Magnum 10RX(config-if)# set garp timer leaveall 1100
Magnum 10RX(config-if)# exit
Magnum 10RX(config)#
Default values:
join: 200
leave: 600
leaveall: 1000
Valid ranges: See above
Use the show vlan port config command to view VLAN information for specific ports.
5.0.1.6 Setting GARP Timers For A Port in the GUI
In the GUI go to the Layer 2: Manager: GVRP: GarpTimers tab to configure timers on a port, as illustrated in Figure 5-4.
Figure 5-4. GVRP GarpTimers Tab
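The three GARP timers are constrained relative to each other (join below half of leave, leaveall above leave, all multiples of ten and positive), so a change to one timer can invalidate another. The following Python is an added example, not INOS code: a pre-check that applies the rules stated in Section 5.0.1.5 to a proposed set garp timer change before it is typed on the device. The defaults 200/600/1000 and the leaveall 1100 value of Figure 5-3 come from this manual; whether the device itself rejects an invalid value is not stated here and is not assumed.

```python
"""Pre-check for the GARP timer rules of Section 5.0.1.5 (set garp timer).

Added example, not INOS code. Rules from the manual: each timer is a
multiple of ten milliseconds and greater than zero; join < leave / 2
(equivalently leave > 2 * join); leaveall > leave.
"""
import dataclasses
from dataclasses import dataclass
from typing import List

TIMER_NAMES = ("join", "leave", "leaveall")


@dataclass(frozen=True)
class GarpTimers:
    # Defaults from the manual (milliseconds).
    join: int = 200
    leave: int = 600
    leaveall: int = 1000


def validate_garp_timers(t: GarpTimers) -> List[str]:
    """Return the violated rules; an empty list means the set is consistent."""
    problems = []
    for name in TIMER_NAMES:
        value = getattr(t, name)
        if value <= 0:
            problems.append(f"{name} must be greater than zero")
        if value % 10 != 0:
            problems.append(f"{name} must be a multiple of ten")
    if t.join * 2 >= t.leave:
        problems.append("join must be less than half the leave timer")
    if t.leaveall <= t.leave:
        problems.append("leaveall must be greater than the leave timer")
    return problems


def propose_set_garp_timer(current: GarpTimers, which: str, millisecs: int) -> GarpTimers:
    """Check 'set garp timer <which> <millisecs>' against the current timers.

    Returns the new timer set if the rules still hold, otherwise raises
    ValueError listing every violated rule, so the command is not typed blindly.
    """
    if which not in TIMER_NAMES:
        raise ValueError(f"unknown timer {which!r}; expected one of {TIMER_NAMES}")
    candidate = dataclasses.replace(current, **{which: millisecs})
    problems = validate_garp_timers(candidate)
    if problems:
        raise ValueError("; ".join(problems))
    return candidate


def is_acceptable(current: GarpTimers, which: str, millisecs: int) -> bool:
    try:
        propose_set_garp_timer(current, which, millisecs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The change shown in Figure 5-3 keeps the set consistent.
    print(propose_set_garp_timer(GarpTimers(), "leaveall", 1100))
```

Order matters when several timers change: raising leave above twice a new join value before setting join, for example, keeps every intermediate state consistent.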
Table 5-3. GARP Timers Fields
Parameter   Description
Select   You must click the radio button of the port to be configured.
Port No   A list of configurable gigabitethernet ports.
GarpJoinTime   Length of time to wait before re-transmission of the join message.
GarpLeaveTime   Length of time to wait for any join message before removing attribute details.
GarpLeaveallTime   Length of time during which attributes are maintained before the next de-registering/re-registering.
5.0.2 CLI - VLAN Configuration Mode
A range of VLAN configuration commands becomes available when you specify a valid VLAN ID with the vlan command at the Magnum 10RX(config)# prompt (valid VLAN IDs are in the range 1-4094). This produces a new prompt, Magnum 10RX(config-vlan)#. This prompt signals that you are in the VLAN configuration mode. View the commands available in this mode by entering Help at the prompt. All commands executed will apply to the specified VLAN. To configure another VLAN, exit the VLAN configuration mode, specify the new VLAN at the Magnum 10RX(config)# prompt and re-enter VLAN configuration mode.
5.0.2.1 Defining an Access Port in the CLI
Devices that are not VLAN-aware can be connected to the Magnum 10RX via VLAN access ports. All packets received on the access port are automatically assigned to a particular VLAN, which is specified as the port VLAN ID (PVID).
Use the switchport access command in Interface Configuration mode to configure a VLAN access port.
For example, to configure interface Gigabitethernet 3/1 as an access port on VLAN 2, do the following:
Figure 5-5. Defining a VLAN Access Port on the CLI
Magnum 10RX(config)# interface gigabitethernet 3/1
Magnum 10RX(config-if)# switchport access vlan 2
Magnum 10RX(config-if)# exit
Magnum 10RX(config)#
5.0.2.2 Defining an Access Port in the GUI
To configure a VLAN access port in the GUI go to the VLAN Port Settings screen on the Layer 2 Management menu, select the port, specify the value in the PVID column, and click Apply.
Figure 5-6. Defining a VLAN Access Port in the GUI
Note: For a detailed explanation of the fields in this screen see Figure 5-8.
5.0.3 Advanced Access Port Configuration in the CLI
Executing the switchport access vlan command is actually short-hand for configuring both the ingress and egress VLAN behaviors of a port. There are three major parameters that can be set on an Ethernet port that control that port's behavior relative to VLAN processing:
• The tagged/untagged-and-priority-tagged parameter configured in VLAN configuration mode
• The acceptable-frame-type parameter, configured in interface configuration mode
• The PVID parameter, configured in interface configuration mode
The following example is equivalent to the simple example found in Section 5.0.2.1, “Defining an Access Port in the CLI”:
Figure 5-7. Configuring VLAN Parameters on the CLI
Magnum 10RX(config)# vlan 2
Magnum 10RX(config-vlan)# ports gigabitethernet 3/1 untagged gigabitethernet 3/1
Magnum 10RX(config-vlan)# exit
Magnum 10RX(config)# interface gigabitethernet 3/1
Magnum 10RX(config-if)# switchport acceptable-frame-type untaggedAndPrioritytagged
Magnum 10RX(config-if)# switchport pvid 2
Magnum 10RX(config-if)# no shutdown
Magnum 10RX(config-if)# exit
Magnum 10RX(config)#
5.0.4 Advanced Access Port Configuration in the GUI
Configure VLAN parameters with the GUI using the VLAN Port Settings screen on the Layer 2 Management menu. Select a port, specify a frame type and a PVID, and click Apply.
Enable a port on this screen by selecting Up in the pull down menu in the Admin State column and clicking Apply. Disable it by selecting Down.
Figure 5-8. Configuring VLAN Parameters in the GUI
Table 5-4. VLAN Port Settings Fields
Parameter   Description
Select   You must click the radio button of the port to be configured.
Port   A list of configurable gigabitethernet ports.
PVID   The VLAN ID for this port.
Acceptable Frame Types   Specifies whether the VLAN specified by the PVID will accept all frames, tagged frames only, or untagged and priority tagged frames (rejecting tagged frames) on this port.
Ingress Filtering   Specifies whether ingress filtering is enabled or disabled. If enabled, only incoming frames that match the port’s VLAN configuration will be accepted.
5.0.5 Examining the VLAN Database
View the VLAN database entry for a VLAN by executing the show vlan id x command at the Magnum 10RX# prompt, where x is the VLAN ID, as in the following example for VLAN 2.
Figure 5-9. The VLAN Database
Magnum 10RX# show vlan id 2
Vlan database
-------------
Vlan ID : 2
Member Ports : Gi3/1
Untagged Ports : Gi3/1
Name : Substation4
Status : Permanent
The VLAN database contains the following information for each VLAN:
• List of member ports (egress) — Member ports are those Ethernet interfaces from which packets with the given VLAN tag will egress.
• List of untagged member ports (egress) — The untagged member ports determine whether a packet egresses tagged or untagged.
• VLAN Name — A name defined by the user for reference.
• VLAN Status — Can be Permanent or Dynamic. If all of the port memberships have been discovered using GVRP the status of the VLAN will be Dynamic. If any of the port memberships have been statically configured by the user, then the status of the VLAN will be Permanent even if some of the port memberships have been discovered dynamically by GVRP.
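Sections 5.0.3 and 5.0.5 describe four settings that together decide what a port does with a frame: the PVID, the acceptable frame type and ingress filtering on ingress, and the tagged/untagged membership lists on egress. The following Python is an added example, not INOS code, that models those decisions for the Figure 5-7 configuration and goes one step further than the manual by also showing a tagged member with ingress filtering enabled. The Frame, PortVlanConfig and Vlan structures, the encoding of an untagged frame as vid None and a priority-tagged frame as vid 0, and the treatment of an ingress-filtering mismatch as a drop are this example's assumptions about the 802.1Q port model the manual describes.

```python
"""Port-level VLAN ingress and egress decisions (PVID, acceptable frame type,
ingress filtering, tagged/untagged membership). Added example, not INOS code."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Frame:
    # None = untagged, 0 = priority-tagged (VID 0), 1-4094 = VLAN-tagged
    vid: Optional[int] = None


@dataclass
class PortVlanConfig:
    pvid: int = 1
    acceptable_frame_type: str = "all"  # "all" | "tagged" | "untaggedAndPrioritytagged"
    ingress_filtering: bool = False


@dataclass
class Vlan:
    vid: int
    member_ports: Set[str] = field(default_factory=set)    # egress members (tagged unless also untagged)
    untagged_ports: Set[str] = field(default_factory=set)  # egress untagged


def classify_ingress(port: str, cfg: PortVlanConfig, frame: Frame,
                     vlans: Dict[int, Vlan]) -> Optional[int]:
    """Return the VLAN the frame is assigned to on ingress, or None if it is dropped."""
    tagged = frame.vid is not None and frame.vid != 0
    if cfg.acceptable_frame_type == "tagged" and not tagged:
        return None
    if cfg.acceptable_frame_type == "untaggedAndPrioritytagged" and tagged:
        return None
    vid = frame.vid if tagged else cfg.pvid  # untagged and priority-tagged frames take the PVID
    if cfg.ingress_filtering:
        vlan = vlans.get(vid)
        if vlan is None or port not in vlan.member_ports:
            return None  # assumption: a frame for a VLAN the port is not a member of is dropped
    return vid


def egress(vid: int, vlans: Dict[int, Vlan]) -> Dict[str, bool]:
    """Map each member port of the VLAN to True (leaves tagged) or False (leaves untagged)."""
    vlan = vlans.get(vid)
    if vlan is None:
        return {}
    return {p: (p not in vlan.untagged_ports) for p in sorted(vlan.member_ports)}


def access_port(port: str, vid: int, vlans: Dict[int, Vlan]) -> PortVlanConfig:
    """The effect of 'switchport access vlan <vid>' expanded as in Figure 5-7:
    untagged egress member of the VLAN, PVID = vid, acceptable frame type
    untaggedAndPrioritytagged."""
    vlan = vlans.setdefault(vid, Vlan(vid))
    vlan.member_ports.add(port)
    vlan.untagged_ports.add(port)
    return PortVlanConfig(pvid=vid, acceptable_frame_type="untaggedAndPrioritytagged")


def vlan_database_entry(vid: int, vlans: Dict[int, Vlan]) -> str:
    """Render the member/untagged lists in the layout of Figure 5-9."""
    vlan = vlans[vid]
    return (f"Vlan ID : {vid}\n"
            f"Member Ports : {','.join(sorted(vlan.member_ports))}\n"
            f"Untagged Ports : {','.join(sorted(vlan.untagged_ports))}")


if __name__ == "__main__":
    vlans: Dict[int, Vlan] = {}
    cfg = access_port("Gi3/1", 2, vlans)
    print(classify_ingress("Gi3/1", cfg, Frame(), vlans))       # 2
    print(classify_ingress("Gi3/1", cfg, Frame(vid=5), vlans))  # None: tagged frame rejected
    print(vlan_database_entry(2, vlans))
```

The tests of the access-port case reproduce the VLAN 2 entry of Figure 5-9; the tagged-member case shows why ingress filtering is the setting to enable on a port that carries several VLANs, since without it a frame tagged for a VLAN the port is not a member of is still admitted.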
5.0.6 VLANs and IP Routing
Each VLAN configured on the Magnum 10RX is associated with its own IP interface. If you assign an IP address to this interface and enable it, you will be able to forward IP traffic between VLANs. You can also manage the system remotely using any of the reachable, configured VLAN IP interface addresses.
5.0.7 The VLAN Command
Use the vlan command in Global Configuration mode to access configuration options for an existing VLAN or to specify an ID for a new VLAN to create.
Command syntax:
vlan x
Where:
x is a numerical value creating a VLAN or specifying an existing VLAN with id x.
Example:
Magnum 10RX(config)# vlan 15
Valid range: 1-4094
The no vlan x command deletes the specified VLAN.
Use the show vlan command to view configured VLANs.
5.0.8 Configuring VLAN Learning Mode
Use the vlan learning mode command in Global Configuration mode to configure the VLAN learning mode to be applied for all ports of the switch. This mode defines the forwarding database modes of operation to be implemented by the switch.
Command syntax:
vlan learning mode {ivl | svl | hybrid}
Where:
ivl specifies that a separate forwarding database is created for each VLAN. The information learned from a VLAN is not shared among other relative VLANs during forwarding decisions.
This mode is suitable in situations where the database size is not a constraint and end stations operate over multiple VLANs with the same MAC address.
svl specifies that a single forwarding database is created for all VLANs. The information learned from a VLAN is shared among all other relative VLANs during forwarding decision.
This mode is suitable in situations where the learning database size is a constraint.
hybrid specifies that the same forwarding database is used for some VLANs and a separate forwarding database for the others. The database used for a VLAN is selected based on the static unicast MAC address entries in the Forwarding Database (FDB) table.
Example:
Magnum 10RX(config)# vlan learning mode svl
Default value: ivl
Use the show vlan device info command to view configured values.
5.0.9 Configuring a Static VLAN Entry in the CLI
Use the ports command in VLAN Configuration mode to statically configure a VLAN entry with the required egress member ports, untagged ports and/or forbidden ports, and activate the VLAN. The VLAN can also be activated using the vlan active command.
The no form of the command deletes the specified port details for the VLAN.
The configuration defines the tagged and untagged member ports that are used for egress tagging of a VLAN at a port.
Command syntax:
ports [add] ([<interface-type> <0/a-b,0/c,...>] [<interface-type> <0/a-b,0/c,...>]) [untagged (<interface-type> <0/a-b,0/c,...> [<interface-type> <0/a-b,0/c,...>] [all])]
Where:
add Appends the new configured ports to the existing member port list of the VLAN.
interface-type configures the ports that should be set as a member of the VLAN. Ports are specified with:
gigabitethernet, a version of LAN standard architecture that supports data transfer up to 1 Gigabit per second, and
<0/a-b,0/c,...>, a port channel specification that sets the list of interfaces or a specific interface identifier. This value is a combination of slot number and port number separated by a slash. Use a comma as the separator, without spaces, when configuring lists of interfaces. Example: 0/1,0/3 or 1,3.
untagged configures the ports that should be used for the VLAN to transmit egress packets as untagged packets.
Ports designated untagged are specified with the same interface type keywords and specifications used for all member ports (see above). Bear in mind the following limitations:
• The ports configured are a subset of the member ports.
• The ports that are attached to VLAN-aware devices should always be set as untagged ports only.
• A port can be set as an untagged port only if it is not configured as a trunk port.
name Configures a name for the VLAN. This is a user-supplied name of up to 32 characters in length.
Example:
Magnum 10RX(config-vlan)# ports gigabitethernet 0/1 untagged gigabitethernet 0/1 name welk83
Default value: All ports available in the switch are configured as member ports and untagged ports of the default VLAN (VLAN 1). For other active VLANs, the member, untagged and forbidden ports are not set (that is, set as none).
Use the no form of the command to negate specific configured values or to delete all configured member ports with the all argument.
Use the show vlan command to view configured values.
5.0.10 Configuring a Static VLAN Entry in the GUI
The values configurable in the CLI, as explained in Section 5.0.9, can also be configured in the GUI, as illustrated in Figure 5-10.
Figure 5-10. Static VLAN Configuration Screen
In this screen the upper dialog box is used to specify a new static VLAN. The lower dialog box displays the configured VLANs and is used to edit their specifications.
5.0.10.1 Activating a VLAN
Use the vlan active command in VLAN Configuration mode to activate a VLAN in the switch. The VLAN can also be activated by assigning ports with the ports command.
Command syntax:
vlan active
Table 5-5. Static VLAN Configuration Fields
Parameter Description
Select You must click the radio button of the port to be configured.
VLAN ID An identifying number for this VLAN.
VLAN Name A user-supplied name of up to 32 characters in length.
Member Ports All ports on this switch which are members of this VLAN.
Untagged Ports The member ports that should be used for the VLAN to transmit egress packets as untagged packets.
Example:
Magnum 10RX(config-vlan)# vlan active
5.0.10.2 Disabling Unicast-MAC Learning
Unicast-MAC learning is enabled by default. The unicast-mac learning command enables or disables unicast-MAC learning feature for a VLAN or sets this feature as the default.
The source MAC learning is not done in the switch when this feature is disabled for the VLAN.
Command syntax:
set unicast-mac learning {enable | disable | default}
Example:
Magnum 10RX(config-vlan)# set unicast-mac learning disable
Default value: enabled
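To make the difference between the ivl, svl and hybrid learning modes (Section 5.0.8) and the effect of disabling unicast-MAC learning for a VLAN concrete, here is an added Python simulation of a forwarding database; it is not INOS code, the port names, MAC addresses and VLAN memberships are constructed, and the hybrid selection rule is simplified to an explicit set of VLANs that share the common database.

```python
"""Toy forwarding-database (FDB) model for the INOS VLAN learning modes
ivl, svl and hybrid, with per-VLAN unicast-MAC learning on or off."""
from dataclasses import dataclass, field


@dataclass
class Switch:
    mode: str                                        # "ivl", "svl" or "hybrid"
    members: dict                                    # vlan -> set of member ports
    shared_vlans: set = field(default_factory=set)   # hybrid: VLANs on the common DB
    learning: dict = field(default_factory=dict)     # vlan -> bool (default True)
    fdb: dict = field(default_factory=dict)          # database key -> {mac: port}

    def _db_key(self, vlan):
        """Choose the database a VLAN uses, as the learning mode dictates."""
        if self.mode == "svl":
            return "shared"                  # one database for every VLAN
        if self.mode == "hybrid" and vlan in self.shared_vlans:
            return "shared"                  # this VLAN is one of the sharing ones
        return ("vlan", vlan)                # ivl: a separate database per VLAN

    def receive(self, vlan, in_port, src_mac, dst_mac):
        """Learn the source MAC (unless learning is disabled for the VLAN) and
        return the sorted list of ports the frame is sent out of."""
        if in_port not in self.members[vlan]:
            raise ValueError(f"{in_port} is not a member of VLAN {vlan}")
        table = self.fdb.setdefault(self._db_key(vlan), {})
        if self.learning.get(vlan, True):    # 'set unicast-mac learning disable' stops this
            table[src_mac] = in_port
        out = table.get(dst_mac)
        if out is None or out not in self.members[vlan]:
            # unknown in this VLAN: flood to every other member port
            return sorted(self.members[vlan] - {in_port})
        if out == in_port:
            return []                        # destination is behind the ingress port
        return [out]


# Constructed topology, not from the guide: Gi3/3 is a trunk carrying both
# VLANs, Gi3/1 is an access port in VLAN 10 only, Gi3/2 is in both VLANs.
MEMBERS = {10: {"Gi3/1", "Gi3/2", "Gi3/3"}, 20: {"Gi3/2", "Gi3/3"}}
STATION = "00:00:5e:00:53:aa"   # one station seen with the same MAC in both VLANs
PEER = "00:00:5e:00:53:bb"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def same_mac_two_vlans(mode, learn_vlan10=True, shared_vlans=()):
    """The station announces itself in VLAN 10 via Gi3/1 and in VLAN 20 via
    Gi3/2; returns where a VLAN 10 frame from the trunk to the station goes."""
    sw = Switch(mode, MEMBERS, set(shared_vlans), {10: learn_vlan10})
    sw.receive(10, "Gi3/1", STATION, BROADCAST)
    sw.receive(20, "Gi3/2", STATION, BROADCAST)
    return sw.receive(10, "Gi3/3", PEER, STATION)


if __name__ == "__main__":
    for mode in ("ivl", "svl"):
        print(mode, same_mac_two_vlans(mode))          # ivl -> ['Gi3/1'], svl -> ['Gi3/2']
    print("ivl, learning off", same_mac_two_vlans("ivl", learn_vlan10=False))
```

With svl the VLAN 20 learning overwrites the shared entry, so the VLAN 10 frame is delivered to Gi3/2 instead of Gi3/1; with learning disabled on VLAN 10 every unicast in that VLAN is flooded to all other member ports.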
Chapter 6 Spanning Tree
Spanning Tree Protocol (STP) is a network protocol designed to provide a loop-free topology for bridged Ethernet local area networks. The basic STP protocol has been expanded and refined into the much faster Rapid Spanning Tree Protocol (RSTP) and into the Multiple Spanning Tree Protocol (MSTP) technology to serve the needs of VLAN environments. All three versions of the STP protocol are supported by INOS.
The original Spanning Tree Protocol (STP) was defined by IEEE standard 802.1D. The faster RSTP was first defined in IEEE 802.1W and RSTP supersedes STP in IEEE 802.1D (2004). STP takes 45 to 60 seconds to recover from a failure because it needs to recalculate the entire tree after a failure. RSTP can recover in less than one second because it enables ports to actively communicate information about special conditions. MNS-DX supports both protocols, so that you can configure a port to use the older STP if it is necessary to accommodate a legacy bridge.
6.1 RSTP
The Rapid Spanning Tree Protocol (RSTP) constructs a system linking the elements of a bridged local area network so as to supply redundancy, provide for quick recovery from failure of a segment, and eliminate loops. The protocol can be said to be "spanning" in that it connects all elements in the system and to be a "tree" in that it connects these elements while remaining implicitly free of loops.
6.2 RSTP Setup
When first configured with RSTP the bridges in a system exchange messages with one another to elect a root bridge and to discover the shortest path from each bridge to the root bridge. The ports that enable the shortest paths are put into forwarding mode. All other ports are assigned backup or alternate roles. When a stable tree has been established and traffic is being transmitted the system is said to have achieved convergence.
Figure 6-1. Port Roles in a Rapid Spanning Tree Network
6.2.1 BPDUs
The messages exchanged by the bridges are special data frames called Bridge Protocol Data Units (BPDUs). The BPDUs contain identifying information and information about the root path cost. The best path from a bridge to the root has the lowest path cost. (The measurement takes into account the bandwidth on intervening segments.) When the spanning tree is being calculated the bridges exchange configuration BPDUs. Other types of BPDUs are exchanged during normal operation.
6.2.2 Bridge Roles
Each configured spanning tree has a single root bridge. All other bridges active in the system are designated bridges. For each segment the connected bridge that provides the shortest path to the root bridge is that segment’s designated bridge.
Figure 6-1 legend (diagram not reproduced): bridges are labelled Root Bridge and Designated Bridge; port labels are R = Root port, D = Designated port, B = Backup port, A = Alternate port, E = Edge port.
6.2.3 Port Roles
After convergence each port in the tree is assigned one of the four roles described in Table 6-1.
6.2.4 Edge Ports and Point-to-Point Links
There are two other ways of classifying ports that can enable a quick transfer to the forwarding state and thus faster convergence:
• Edge Port – This is a port that connects directly to an end station. Since it connects to a single host it is incapable of forming loops, so may be safely placed in a forwarding state without going through the listening and learning stages.
• Point-to-Point Links – When a port connects directly to another switch it can safely be placed in forwarding mode.
Table 6-1. RSTP Port Roles
Port Role: Description
Root: Each bridge (except the root bridge) has a single root port. This is the port with the lowest root path cost (the best way to the root). All traffic to and from the root bridge passes through the root port of the designated bridge.
Designated: Each bridge (except the root bridge) has at least one designated port. If only one port is connected to the segment, it is the designated port. If more than one port is connected to the segment, then the port with the best priority value in its ID is the designated port for the segment. Any port on the root bridge that is connected to a segment is a designated port. All traffic to and from a specific segment passes through the designated port of the designated bridge.
Backup: A port on a designated bridge that is connected to the same segment as the designated port on that bridge. In the event of failure of the designated port, the backup port becomes the designated port. A backup port is blocked (inactive).
Alternate: A port that connects to a different segment than the root port on the same bridge. An alternate port provides an alternate path to the root that is inferior to the path provided by the root port. In the event of failure of the root port, the alternate port becomes the root port. An alternate port is blocked (inactive).
6.2.5 Port States
The INOS implementation of RSTP supports four operational states for a port:
Blocking – The port does not transmit or receive data frames, but the port does continue to receive BPDUs.
Listening – The port can send and receive BPDUs, but it is not learning MAC addresses or forwarding data frames.
Learning – The port is receiving BPDUs and is learning MAC addresses but it is not forwarding data frames.
Forwarding – The port is sending and receiving all packets.
Once the RSTP network is functioning all traffic is by definition handled by the ports in the forwarding state.
6.3 RSTP Normal Operation
After initial configuration RSTP functions by circulating BPDUs through the system. When these BPDUs indicate a change in the topology, such as failure of a link or the addition of a new node, the system is reconfigured.
System maintenance is carried out by the traffic in BPDUs among the bridges. Maintenance is managed under certain configurable constraints:
Hello Time – The amount of time between transmissions of configuration BPDUs on any port. Valid range = 1-2 seconds. Default value = 2 seconds. A connection is considered lost if hellos are not received three consecutive times (by default, six seconds).
Forward Delay – Controls how long the bridge waits after any state or topology change before forwarding the information to the network. Valid range = 4-30 seconds. Default value = 15 seconds.
Maximum Age – The length of time a configuration BPDU remains valid before it is discarded.
6.4 Design Considerations
The RSTP protocol can make network decisions automatically. However, you may want to specify the settings for some or all of your bridges and ports. For instance, you may want to ensure that a particular bridge is the root bridge or that a certain port on a bridge is the designated port.
Note that you should use the Configuring Auto Edge and Configuring the Spanning Tree Properties of an Interface commands to ensure that ports connecting to end stations are specified as edge ports, and that ports that connect to other bridges using RSTP are specified as Point ports (also known as Point-to-Point ports).
6.4.1 Basic RSTP Configuration Parameters
The following parameters must be configured. The commands to accomplish these tasks are described in the following sections.
• enabled – Any bridge active in the system must have the Disabled/Enabled value set to Enabled.
• priority – The default priority value is 32768 (in a valid range of 0-65535). If you want a specific bridge to be the root bridge, set this value on that bridge lower than on any other bridge in the system. You can also effectively specify a bridge as an alternate root bridge, to take over in the event of failure of the original root bridge, by giving it a priority value only slightly higher than that of the root bridge. When you have more than one bridge connecting to the same LAN, you can determine which bridge will become the designated bridge by setting its priority value low.
• hello Time – The default Hello Time value is 2 seconds (in a valid range of 1-2). The manually configurable Hello Time value applies to the root bridge. A smaller Hello Time value will result in quicker detection of topology changes but it will also result in increased traffic on the system. Designated bridges use a Hello Time learned from BPDUs sent from the root bridge.
• forward time – The default Forward Delay value is 15 seconds (in a valid range of 4-30). A shorter Forward Delay may result in quicker adaptation to topology changes. Designated bridges use a Forward Delay learned from BPDUs sent from the root bridge.
• max-age – The default Maximum Age value is 20 seconds (in a valid range of 6-40). In a network that includes some slow links it could be useful to set a higher value for Maximum Age.
6.5 MSTP
INOS supports the Multiple Spanning Tree Protocol (MSTP), which enables the creation of “regions” of switches that share certain configuration attributes. All switches that will participate together in MSTP must belong to the same MSTP region. To share an MSTP region a group of switches must have the exact same MSTP instance-to-VLAN mappings. To prevent configuration errors, a region is identified by 3 separate parameters:
• Region name
• Region revision
• The complete MSTP instance-to-VLAN mapping
Here is an example of how to configure the region information:
Figure 6-2. Configuring an MSTP Region
Magnum 10RX(config)# spanning-tree mst configuration
Magnum 10RX(config-mst)# name region1
Magnum 10RX(config-mst)# revision 1
Magnum 10RX(config-mst)# instance 1 vlan 2
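The region identity rule above, as an added Python example that is not INOS code: it goes one step beyond the guide in that the instance-to-VLAN mapping is compared the way IEEE 802.1s does, through an HMAC-MD5 digest of the 4096-entry VID-to-MSTID table under the standard's fixed signature key. The region names and mappings used are constructed.

```python
"""MST region identity as Section 6.5 defines it: name, revision and the
complete instance-to-VLAN mapping must all agree."""
import hmac
import hashlib

# Fixed signature key from IEEE 802.1s/802.1Q used for the configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
CIST = 0  # VLANs not mapped to any MSTI belong to the CIST (instance 0)


def mst_config_table(instance_vlans):
    """Build the 802.1s MST configuration table: 4096 two-octet entries,
    entry index = VID, value = MSTID in big-endian order.

    instance_vlans maps an MSTID to the VIDs given with 'instance N vlan ...'.
    Raises ValueError for a VID outside 1-4094 or a VID mapped twice.
    """
    table = [CIST] * 4096
    for mstid, vids in instance_vlans.items():
        if mstid < 1:
            raise ValueError(f"MSTID must be 1 or higher, got {mstid}")
        for vid in vids:
            if not 1 <= vid <= 4094:
                raise ValueError(f"VLAN {vid} outside 1-4094")
            if table[vid] != CIST:
                raise ValueError(f"VLAN {vid} mapped to more than one instance")
            table[vid] = mstid
    return b"".join(m.to_bytes(2, "big") for m in table)


def config_digest(instance_vlans):
    """HMAC-MD5 of the configuration table under the fixed key, as carried in
    the MST configuration identifier of every MST BPDU."""
    return hmac.new(MST_DIGEST_KEY, mst_config_table(instance_vlans), hashlib.md5).hexdigest()


def region_id(name, revision, instance_vlans):
    """The three values that must agree for two switches to share a region."""
    if len(name) > 32:
        raise ValueError("region name is limited to 32 characters")
    if not 0 <= revision <= 65535:
        raise ValueError("revision must be in 0-65535")
    return (name, revision, config_digest(instance_vlans))


def same_region(a, b):
    """a and b are (name, revision, {mstid: [vids, ...]}) tuples."""
    return region_id(*a) == region_id(*b)


if __name__ == "__main__":
    # The guide's Figure 6-2 region versus a neighbour whose mapping differs.
    this_switch = ("region1", 1, {1: [2]})
    neighbour = ("region1", 1, {1: [3]})
    print(same_region(this_switch, this_switch))  # True
    print(same_region(this_switch, neighbour))    # False: mapping differs
```

A neighbour with the same name and revision but a different mapping produces a different digest, which is exactly the split-region fault the three-parameter rule is meant to make visible.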
6.6 Global Spanning Tree Configuration
You can configure Spanning Tree parameters system-wide in Global Configuration mode. Some of the values you specify globally may be overridden on interfaces that are configured in more local configuration modes.
6.6.1 Enabling Spanning Tree
Use the spanning-tree command to enable the spanning tree protocol.
Command syntax:
spanning-tree
Example:
Magnum 10RX(config)# spanning-tree
Default value: enabled.
The no spanning-tree command disables spanning tree functionality.
6.6.2 Configuring Spanning Tree Mode
Use the spanning-tree mode command to select Multiple Spanning Tree (mst) or Rapid Spanning Tree (rst) mode.
Command syntax:
spanning-tree mode {mst|rst}
Where:
mst selects Multiple Spanning Tree mode.
rst selects Rapid Spanning Tree mode.
Example:
Magnum 10RX(config)# spanning-tree mode rst
Default value: mst
Notes:
• When the Magnum 10RX boots up spanning tree is enabled by default with MST operating in the switch.
• The spanning-tree mode command starts and enables the spanning tree mode. Port-roles and states are computed only after enabling the spanning tree.
• If the user input for the spanning tree mode differs from the current configured mode of operation Magnum 10RX will shut down the operational spanning tree and restart to conform with user input.
Use the show spanning-tree detail command to view detailed spanning tree information.
Use the show spanning-tree active command to view spanning tree information for active ports.
6.6.3 Configuring Spanning Tree Compatibility
Use the spanning-tree compatibility command in Global Configuration mode to enable backward compatibility with legacy STP traffic for the protocol version (RSTP or MSTP) that has been enabled with the spanning-tree mode command.
Command syntax:
spanning-tree compatibility {mst|rst|stp}
Where:
mst specifies Multiple Spanning Tree compatibility only.
rst specifies Rapid Spanning Tree compatibility when mst has been selected with the spanning-tree mode command.
stp specifies compatibility with Spanning Tree Protocol in addition to the protocol (rst or mst) enabled with the spanning-tree mode command.
Example:
Magnum 10RX(config)# spanning-tree compatibility stp
Default value: mst
The no spanning-tree compatibility command disables STP compatibility.
Notes:
• When the Magnum 10RX boots up spanning tree is enabled by default with MST operating in the switch.
• An attempt to change compatibility in conflict with the mode will produce an error message. For example, if rst has been selected with the spanning-tree mode command, you cannot specify mst with the spanning-tree compatibility command.
Use the show spanning-tree command to view the protocol version being executed.
6.6.4 Configuring Dynamic Pathcost Calculation
Use the spanning-tree pathcost dynamic command to configure the pathcost for all ports dynamically.
Command syntax:
spanning-tree mode pathcost dynamic
Example:
Magnum 10RX(config)# spanning-tree mode pathcost dynamic lag-speed
This command specifies that pathcosts will be calculated dynamically and re-calculated when ports are added or deleted.
Default value: disabled
Notes:
• On execution of the pathcost dynamic command the pathcost of all the ports will be calculated dynamically based on the speed of the interface.
• Interfaces that have been configured with a specific pathcost are unaffected by this command.
6.6.5 Configuring Spanning Tree Timers
Use the spanning-tree command with timer arguments to specify forward-time, hello-time and max-age. See Section 6.3, “RSTP Normal Operation” for an explanation of these settings.
Command syntax:
spanning-tree {forward-time forsecs | hello-time helsecs | max-age agesecs}
Where:
forsecs is a numerical value specifying how quickly a port changes from blocking state to forwarding state.
helsecs is a numerical value specifying the frequency with which hello messages are sent to other switches.
agesecs is a numerical value specifying the maximum length of time to retain learned RSTP information.
Example:
Magnum 10RX(config)# spanning-tree max-age 6
Magnum 10RX(config)# spanning-tree hello-time 1
Magnum 10RX(config)# spanning-tree forward-time 4
Default values:
forward-time — 15 seconds
hello-time — 2 seconds
max-age — 20 seconds.
The no form of the command sets the value of the specified timer to the default.
Valid ranges:
forward-time — 4-30 seconds
hello-time — 1-2 seconds
max-age — 6-40 seconds.
Note: The following relations must be observed while configuring the timers:
• 2 * (Forward-time - 1) >= Max-age
• Max-age >= 2 * (Hello-time + 1)
Use the show spanning-tree detail command to view detailed spanning tree information.
Use the show spanning-tree active command to view spanning tree information for active ports.
6.6.6 Configuring Spanning Tree Transmit Hold Count
Use the spanning-tree transmit hold-count command to set the transmit hold-count value for the switch. This value specifies the maximum number of packets that can be sent in a given hello-time interval. This resource can be used to avoid flooding.
Command syntax:
spanning-tree transmit hold-count cnt
Where:
cnt is a numerical value specifying the maximum number of packets to be sent during one hello-time interval.
Example:
Magnum 10RX(config)# spanning-tree transmit hold-count 5
Default value: 3
The no form of the command sets the hold count to the default.
Valid range: 1-10
Use the show spanning-tree detail command to view detailed spanning tree information.
Use the show spanning-tree active command to view spanning tree information for active ports.
6.6.7 Configuring Spanning Tree Priority
Use the spanning-tree priority command to specify the priority value assigned to the switch.
In RSTP, this value is used during the election of root. In MSTP, this value is used during the election of CIST root, CIST regional root and IST root.
Command syntax:
spanning-tree [mst I_id] priority prio_val
Where:
I_id optionally specifies a configured MST instance.
prio_val is a numerical value that is either 0 or a number divisible by 4096 that specifies the priority of the switch.
Example:
Magnum 10RX(config)# spanning-tree priority 20480
Default value: 32768
The no form of the command sets the priority to the default.
Valid range: 0-61440
Use the show spanning-tree detail command to view detailed spanning tree information.
Use the show spanning-tree active command to view spanning tree information for active ports.
6.7 Configuring the Spanning Tree Properties of an Interface
In Global Configuration mode you can specify an interface to enter Interface Configuration mode and make configuration specifications that affect that interface only.
Figure 6-3 illustrates entering Interface Configuration mode and displaying Spanning Tree help:
Figure 6-3. Configuring Spanning Tree on an Interface
6.7.1 General Spanning Tree Port Configuration
In Interface Configuration mode use the spanning-tree command to disable spanning tree on the port and to specify pathcost, link-type, portfast status, and port priority.
Magnum 10RX(config)# interface gigabitethernet 3/1
Magnum 10RX(config-if)# spanning-tree ?
auto-edge Automatic detection of bridge attached on an interface
bpdu-receive Configures the BPDU receive status of the port
bpdu-transmit Configures BPDU transmit status of the port
cost The pathcost value associated with the port
disable Disables the spanning tree on the port
link-type The link can be a point-to-point link or can be a shared LAN segment on which another bridge is present
loop-guard Enables loop guard on all the VLANs associated with the selected interface
mst Specifies the spanning tree instance
port-priority Configure port priority value
portfast Specifies that port has only hosts connected and hence can transition to forwarding rapidly
restricted-role Enables the root-guard / restricted role feature on the port
restricted-tcn Enables the topology change guard / restricted TCN feature
Command syntax:
spanning-tree {cost cost_val | disable | link-type {point-to-point | shared} | portfast | port-priority port_prio}
Where:
cost_val is a numerical value specifying the pathcost for this port.
disable disables spanning tree on this port (The no command restores the default value of enable.)
link-type can be a point-to-point link or can be a shared LAN segment on which another bridge is present. (The no form of the command will set the link type as auto.)
portfast specifies that this port has only hosts connected, so can transition to forwarding rapidly.
port_prio is a numerical value specifying the port priority. The value may be 0 or a number divisible by 16.
Examples:
Magnum 10RX(config-if)# spanning-tree cost 2200
Magnum 10RX(config-if)# spanning-tree link-type point-to-point
Magnum 10RX(config-if)# spanning-tree portfast
Magnum 10RX(config-if)# spanning-tree port-priority 64
Default values:
cost — 200000
spanning tree — enabled
link-type — shared
portfast — not in portfast
port-priority — 128
The no form of the command sets values to the default.
Valid ranges:
cost — 0-200000000
port-priority — 0-240
Use the show spanning-tree detail command to view detailed spanning tree information.
Use the show spanning-tree active command to view spanning tree information for active ports.
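A pre-commit check for the global and per-interface spanning-tree values from Sections 6.6.5 through 6.7.1, as an added Python example that is not INOS code: it parses lines in the guide's "spanning-tree <keyword> <value>" form and applies the ranges, the two timer relations and the priority granularities stated above. The configuration lines fed in are constructed, and the [mst I_id] priority variant is not parsed.

```python
"""Offline check of Magnum 10RX spanning-tree settings against the ranges,
timer relations and priority granularities stated in Sections 6.6.5-6.7.1."""
import re

# Defaults and valid ranges as the guide states them.
DEFAULTS = {"forward-time": 15, "hello-time": 2, "max-age": 20, "priority": 32768,
            "transmit hold-count": 3, "mst max-hops": 20, "cost": 200000,
            "port-priority": 128}
RANGES = {"forward-time": (4, 30), "hello-time": (1, 2), "max-age": (6, 40),
          "priority": (0, 61440), "transmit hold-count": (1, 10),
          "mst max-hops": (6, 40), "cost": (0, 200000000), "port-priority": (0, 240)}
STEP = {"priority": 4096, "port-priority": 16}   # "0 or a number divisible by ..."

# One 'spanning-tree <keyword> <number>' line; other spanning-tree forms
# (mode, compatibility, the [mst I_id] priority variant, ...) are ignored.
LINE_RE = re.compile(
    r"^\s*spanning-tree\s+(forward-time|hello-time|max-age|priority|"
    r"transmit hold-count|mst max-hops|cost|port-priority)\s+(\d+)\s*$")


def parse_config(text):
    """Return (settings, problems) for the recognised lines in text."""
    settings = dict(DEFAULTS)
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), int(m.group(2))
        low, high = RANGES[key]
        if not low <= value <= high:
            problems.append(f"line {lineno}: {key} {value} is outside {low}-{high}")
        step = STEP.get(key)
        if step and value % step:
            problems.append(f"line {lineno}: {key} {value} is not a multiple of {step}")
        settings[key] = value
    return settings, problems


def check_timers(forward_time, hello_time, max_age):
    """The two relations from Section 6.6.5 that the timers must satisfy."""
    problems = []
    lhs = 2 * (forward_time - 1)
    if lhs < max_age:
        problems.append(f"2*(forward-time-1)={lhs} must be >= max-age={max_age}")
    rhs = 2 * (hello_time + 1)
    if max_age < rhs:
        problems.append(f"max-age={max_age} must be >= 2*(hello-time+1)={rhs}")
    return problems


def validate(text):
    """All problems found in a block of spanning-tree configuration lines;
    values not mentioned keep their defaults."""
    settings, problems = parse_config(text)
    return problems + check_timers(settings["forward-time"], settings["hello-time"],
                                   settings["max-age"])


if __name__ == "__main__":
    # Constructed configuration using the guide's own example values.
    sample = "spanning-tree max-age 6\nspanning-tree hello-time 1\nspanning-tree forward-time 4\n"
    print(validate(sample))                          # []
    print(validate("spanning-tree forward-time 4"))  # lowering forward-time alone breaks a relation
```

Note that lowering forward-time to 4 on its own fails the first relation because max-age stays at its default of 20; the guide's example changes all three timers together.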
6.7.2 Configuring Auto Edge
Use the spanning-tree auto-edge command in Interface Configuration mode to enable automatic detection of a bridge connected on the interface. With auto-edge enabled the port is set as an edge port so long as no BPDU is received on the port. The port is set as non-edge port if any BPDU is received.
Command syntax:
spanning-tree auto-edge
Example:
Magnum 10RX(config-if)# spanning-tree auto-edge
Default value: disabled
The no form of the command sets the value to disabled.
Use the show spanning-tree detail command to view detailed spanning tree information.
Use the show spanning-tree active command to view spanning tree information for active ports.
6.7.3 Configuring Loop Guard
Use the spanning-tree loop-guard command in Interface Configuration mode to enable the loop guard feature on a port. A blocking port with loop guard enabled will be prevented from forming loops by going into a temporary loop-inconsistent state if its receipt of BPDUs is interrupted.
Command syntax:
spanning-tree loop-guard
Example:
Magnum 10RX(config-if)# spanning-tree loop-guard
Default value: disabled
The no form of the command sets the value to disabled.
Use the show spanning-tree detail command to view detailed spanning tree information.
Use the show spanning-tree active command to view spanning tree information for active ports.
6.7.4 Configuring Restricted Role
Use the spanning-tree restricted-role command in Interface Configuration mode to specify that this port cannot be selected as the root port even if it has the best priority vector. The restricted-role feature, also known as the root-guard feature, allows you to prevent switches external to a core region of the network from influencing the spanning tree active topology.
Note that blocking a port from selection as a root port can cause lack of spanning tree connectivity.
Command syntax:
spanning-tree restricted-role
Example:
Magnum 10RX(config-if)# spanning-tree restricted-role
Default value: disabled
The no form of the command sets the value to disabled.
Use the show spanning-tree detail command to view detailed spanning tree information.
Use the show spanning-tree active command to view spanning tree information for active ports.
6.7.5 Configuring Restricted TCN
Use the spanning-tree restricted-tcn command in Interface Configuration mode to specify that this port will not propagate topology changes or received topology change notifications (TCNs) to other ports. The restricted-tcn feature, also known as the topology change guard feature, allows you to prevent switches external to a core region of the network from causing address flushing in the region.
Note that enabling this feature can cause temporary loss of connectivity when changes in a spanning tree active topology are not communicated to the rest of the network.
Command syntax:
spanning-tree restricted-tcn
Example:
Magnum 10RX(config-if)# spanning-tree restricted-tcn
Default value: disabled
The no form of the command sets the value to disabled.
Use the show spanning-tree detail command to view detailed spanning tree information.
Use the show spanning-tree active command to view spanning tree information for active ports.
6.7.6 Configuring BPDU Receive
Use the spanning-tree bpdu-receive command in Interface Configuration mode to specify whether or not this port will process received BPDUs.
Command syntax:
spanning-tree bpdu-receive {enabled | disabled}
Where:
enabled specifies that this port will process received BPDUs normally.
disabled specifies that this port will discard received BPDUs.
Example:
Magnum 10RX(config-if)# spanning-tree bpdu-receive enabled
Default value: enabled
Use the show spanning-tree detail command to view detailed spanning tree information.
Use the show spanning-tree active command to view spanning tree information for active ports.
6.7.7 Configuring BPDU Transmit
Use the spanning-tree bpdu-transmit command in Interface Configuration mode to specify whether or not this port will transmit BPDUs.
Command syntax:
spanning-tree bpdu-transmit {enabled | disabled}
Where:
enabled specifies that this port will transmit BPDUs.
disabled specifies that this port will not transmit BPDUs.
Example:
Magnum 10RX(config-if)# spanning-tree bpdu-transmit enabled
Default value: enabled
Use the show spanning-tree detail command to view detailed spanning tree information.
Use the show spanning-tree active command to view spanning tree information for active ports.
6.8 MSTP-Specific Configuration
Some commands executed in Global Configuration mode or in MST Configuration mode affect only the operation of MSTP functionality.
6.8.1 Configuring MST Max Hops
Use the spanning-tree mst max-hops command in Global Configuration mode to specify the maximum number of switches that a packet can cross before it is dropped.
The root switch always transmits a BPDU with the maximum hop count value. The receiving switch decrements the value by one and propagates the BPDU with modified hop count value. The BPDU is discarded and the information held is aged out when the hop count reaches 0.
Command syntax:
spanning-tree mst max-hops maxh
Where:
maxh is a numerical value specifying the maximum number of hops a packet can take in MSTP before it is dropped.
Example:
Magnum 10RX(config)# spanning-tree mst max-hops 30
Default value: 20
Valid range: 6-40
Use the show spanning-tree mst configuration command to view detailed mst information.
6.8.2 Enter MSTP Configuration Mode
Use the spanning-tree mst configuration command to enter the MST configuration mode, which is signaled by the prompt Magnum 10RX(config-mst)#. In this mode you can perform mst instance-specific and mst region configuration tasks. Enter help at the Magnum 10RX(config-mst)# prompt to see a list of these commands.
Command syntax:
spanning-tree mst configuration
Example:
Magnum 10RX(config)# spanning-tree mst configuration
6.8.3 Configuring MST Region Name
In MST Configuration Mode use the name command to specify a name for the MST region.
The name is unique and is used to identify the specific MST region. Each MST region contains multiple spanning tree instances and runs a special instance of spanning tree, known as the IST, to disseminate STP topology information for the other STP instances.
Command syntax:
name regionname
Where:
regionname is a unique name of up to 32 characters for this MST region.
Example:
Magnum 10RX(config-mst)# name avalon
Default value: same as base MAC address of the switch
6.8.4 Configuring MST Region Revision
In MST Configuration Mode use the revision command to specify the revision for the MST region.
The revision number must be the same for all switches in the same region. It can be incremented after configuration changes to serve as a check on the synchronization of switch configurations.
Command syntax:
revision revnum
Where:
revnum is a numerical value in the range 0-65535.
Example:
Magnum 10RX(config-mst)# revision 101
Valid range: 0-65535
6.8.5 Configuring MST Max Instance
Use the spanning-tree mst max-instance command to specify the maximum number of Multiple Spanning Tree Instances (MSTIs) permitted in the switch.
Command syntax:
spanning-tree mst max-instance mstimax
Where:
mstimax is a numerical value in the range 1-16.
Example:
Magnum 10RX(config-mst)# spanning-tree mst max-instance 10
Valid range: 1-16
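The region settings in 6.8.3 to 6.8.5 only take effect if every switch in the region carries the same region name, revision and VLAN-to-instance mapping; a switch whose values differ forms a region of its own, so a drift in any of them silently changes the topology. The following Python script is an added example and is not INOS code: it parses constructed configuration snippets written with the commands documented above, validates the documented limits (max-hops 6-40, region name up to 32 characters, revision 0-65535, max-instance 1-16) and reports any switch whose region identity differs from the first one. The line form "instance N vlan LIST" is an assumption made for this example; this guide documents VLAN mapping only in the GUI (6.9.4).

```python
"""Consistency check for MST region settings across several switches.

Added example, not INOS code. Parses constructed configuration snippets written with
the commands from sections 6.8.1 to 6.8.5, validates the documented limits, and checks
that every switch carries the same region name, revision and VLAN-to-instance mapping.
The "instance N vlan LIST" line form is an assumption made for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Documented limits: max-hops (6.8.1), name length (6.8.3), revision (6.8.4), max-instance (6.8.5).
LIMITS = {"max-hops": (6, 40), "revision": (0, 65535), "max-instance": (1, 16)}
REGION_NAME_MAX_LEN = 32


@dataclass
class MstConfig:
    switch: str
    name: Optional[str] = None          # unset: defaults to the base MAC, different on every switch
    revision: int = 0
    max_hops: int = 20                  # documented default
    max_instance: Optional[int] = None  # the guide gives a range but no default
    vlan_map: Dict[int, int] = field(default_factory=dict)  # VLAN ID -> MST instance


def expand_vlan_list(spec: str) -> List[int]:
    """Expand a list such as '10,20-22' into [10, 20, 21, 22]."""
    vids: List[int] = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vids.extend(range(int(lo), int(hi or lo) + 1))
    return vids


def parse_mst_config(switch: str, text: str) -> MstConfig:
    """Collect the MST-related lines of one switch's configuration; other lines are ignored."""
    cfg = MstConfig(switch=switch)
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"spanning-tree mst max-hops (\d+)", line):
            cfg.max_hops = int(m.group(1))
        elif m := re.fullmatch(r"spanning-tree mst max-instance (\d+)", line):
            cfg.max_instance = int(m.group(1))
        elif m := re.fullmatch(r"name (\S+)", line):
            cfg.name = m.group(1)
        elif m := re.fullmatch(r"revision (\d+)", line):
            cfg.revision = int(m.group(1))
        elif m := re.fullmatch(r"instance (\d+) vlan ([\d,\-]+)", line):  # assumed line form
            for vid in expand_vlan_list(m.group(2)):
                cfg.vlan_map[vid] = int(m.group(1))
    return cfg


def validate(cfg: MstConfig) -> List[str]:
    """Return violations of the documented limits for one switch."""
    problems: List[str] = []
    if cfg.name is None:
        problems.append(f"{cfg.switch}: region name not set; it defaults to the base MAC address, "
                        "so this switch cannot share a region with any other")
    elif len(cfg.name) > REGION_NAME_MAX_LEN:
        problems.append(f"{cfg.switch}: region name longer than {REGION_NAME_MAX_LEN} characters")
    checks = [("revision", cfg.revision), ("max-hops", cfg.max_hops)]
    if cfg.max_instance is not None:
        checks.append(("max-instance", cfg.max_instance))
        too_high = sorted({i for i in cfg.vlan_map.values() if i > cfg.max_instance})
        if too_high:
            problems.append(f"{cfg.switch}: instances {too_high} exceed max-instance {cfg.max_instance}")
    for label, value in checks:
        lo, hi = LIMITS[label]
        if not lo <= value <= hi:
            problems.append(f"{cfg.switch}: {label} {value} outside {lo}-{hi}")
    return problems


def region_mismatches(configs: List[MstConfig]) -> List[str]:
    """Compare each switch with the first on the values that define region membership."""
    ref, mismatches = configs[0], []
    for cfg in configs[1:]:
        if cfg.name != ref.name:
            mismatches.append(f"{cfg.switch}: region name {cfg.name!r} != {ref.name!r}")
        if cfg.revision != ref.revision:
            mismatches.append(f"{cfg.switch}: revision {cfg.revision} != {ref.revision}")
        if cfg.vlan_map != ref.vlan_map:
            diff = sorted(set(cfg.vlan_map.items()) ^ set(ref.vlan_map.items()))
            mismatches.append(f"{cfg.switch}: VLAN mapping differs from {ref.switch}: {diff}")
    return mismatches


# Constructed sample configurations (not captured from real devices).
SAMPLE_CONFIGS = {
    "sw1": "spanning-tree mst max-hops 30\nspanning-tree mst configuration\nname avalon\nrevision 101\n"
           "spanning-tree mst max-instance 10\ninstance 1 vlan 10,20-22\ninstance 2 vlan 30",
    "sw2": "spanning-tree mst configuration\nname avalon\nrevision 100\ninstance 1 vlan 10,20-22\ninstance 2 vlan 30",
    "sw3": "spanning-tree mst max-hops 50\nspanning-tree mst configuration\nname avalon\nrevision 101\n"
           "instance 1 vlan 10,20-22\ninstance 3 vlan 30",
}


def audit(samples: Dict[str, str] = SAMPLE_CONFIGS) -> Tuple[List[str], List[str]]:
    """Return (per-switch limit violations, cross-switch region mismatches)."""
    configs = [parse_mst_config(sw, text) for sw, text in samples.items()]
    return [p for cfg in configs for p in validate(cfg)], region_mismatches(configs)


if __name__ == "__main__":
    print("\n".join(sum(audit(), [])))
```

Run against the constructed sample, the script flags sw3 for an out-of-range max-hops, sw2 for a revision that differs from sw1 (the two would not be in the same region), and sw3 for mapping VLAN 30 to a different instance. Feeding it real configurations is a matter of replacing SAMPLE_CONFIGS with text saved from each switch.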
6.9 Configuring MSTP In the GUI
The following sections describe MSTP configuration in the Graphical User Interface. The See Also cross references in the tables direct you to related information in the CLI documentation.
6.9.1 MSTP Global Configuration
In the GUI go to the Layer 2: Manager: MSTP: Basic Settings tab to view and modify the MSTP Global Configuration screen, as illustrated in Figure 6-4.
Figure 6-4. MSTP Global Configuration Tab
The MSTP Global Configuration screen enables you to configure MST parameters that apply to all ports in the switch. Specify the values and click the apply button for your specifications to take effect.
Table 6-2. MSTP Global Configuration Fields

Maximum MST Instances: Maximum number of Multiple Spanning Tree Instances (MSTIs) permitted in the switch.
Valid range: 1-16
See Also: Section 6.8.5

Bridge Priority: The Spanning Tree priority value assigned to the switch.
Default value: 32768
Valid range: 0-61440
See Also: Section 6.6.7, Section 6.4.1

Protocol Version: The Spanning Tree version used in the switch: MSTP, RSTP, or STP. MSTP is the default. If RSTP or STP is selected, the Region Name and Region Version fields are grayed out and not configurable.
See Also: Section 6.6.2

Region Name: User-supplied name for the MST region.
Default value: same as base MAC address of the switch
See Also: Section 6.8.3

Region Version: Must be the same for all switches in the same region. It can be incremented after configuration changes to serve as a check on the synchronization of switch configurations.
Valid range: 0-65535
See Also: Section 6.8.4

Dynamic Path Cost Calculation: If True, the path cost for all ports is configured dynamically.
Default value: False
See Also: Section 6.6.4, Section 6.2.1

Speed Change Path Cost Calculation: Select whether the dynamic path cost is to be calculated for ports whose speed changes dynamically. If a path cost value has been manually configured, that value overrides any True or False specification here.
Default value: False

6.9.2 MSTP Timer Configuration
In the GUI go to the Layer 2: Manager: MSTP: Timers tab to view and modify the MSTP timers, as illustrated in Figure 6-5.
Figure 6-5. MSTP Timers Configuration Tab
The MSTP Timers Configuration screen enables you to configure MST timer parameters that apply to all ports in the switch. Specify the values and click the apply button for your specifications to take effect.
Table 6-3. MSTP Timers Configuration Fields

Maximum Hop Count: The maximum number of switches that a packet can cross before it is dropped.
Default value: 20
Valid range: 6-40
See Also: Section 6.8.1

Max Age: The length of time to retain learned information.
Default value: 20 seconds
Valid range: 6-40 seconds
See Also: Section 6.6.5, Section 6.4.1
Forward Delay: The length of time the bridge waits after any state or topology change before forwarding the information to the network.
Default value: 15 seconds
Valid range: 4-30 seconds
See Also: Section 6.6.5, Section 6.4.1

Transmit Hold Count: The maximum number of packets that can be sent in a given hello-time interval.
Default value: 3
Valid range: 1-10
See Also: Section 6.6.6

Hello Time: Interval between the sending of hello messages to other switches.
Default value: 2 seconds
Valid range: 1-2 seconds
See Also: Section 6.6.5, Section 6.4.1

6.9.3 CIST Configuration
In the GUI go to the Layer 2: Manager: MSTP: Port Configuration tab to view and modify the MSTP CIST Settings screen, as illustrated in Figure 6-6.
This screen enables you to configure the port information for the CIST, which spans the entire topology irrespective of MST and SST regions. The CIST is a single common, active topology consisting of all switches in the topology.
Figure 6-6. MSTP Port Configuration Tab
Table 6-4 explains the meaning and valid values of the parameters configurable in the CIST Settings screen.
Table 6-4. MSTP Port Configuration Fields

Select: You must click a selection button before configuring a port.

Port: Lists ports available for configuration.
Path Cost: A value used in measuring how “close” bridges are to one another.
Default value: 200000
Valid range: 0-200000000
See Also: Section 6.7.1, Section 6.2.1

Priority: The priority value of this port.
Default value: 128
Valid range: 0-240 (must be a multiple of 16)
See Also: Section 6.2.3, Section 6.7.1, Section 6.6.7

Point to Point Status: The link type for this port can be point to point or shared. This setting determines whether that status is detected automatically (Auto) or forced to “True,” a point to point link, or “False,” a shared link.
Options: Auto | ForceTrue | ForceFalse
See Also: Section 6.2.4, Section 6.7.1

Edge Port: Whether or not this port is configured as an edge port; that is, a port that connects directly to an end station.
Options: True | False
See Also: Section 6.2.4, Section 6.7.2

MSTP Status: Whether or not MSTP is enabled on this port.
Options: Enable | Disable
See Also: Section 6.6.2, Section 6.5

Protocol Migration: Always False.

Hello Time: The amount of time between the transmission of configuration BPDUs on any port.
Default value: 2 seconds
Valid range: 1-2 seconds
See Also: Section 6.3, Section 6.4.1, Section 6.6.5

AutoEdge Status: If True, enables automatic detection of a bridge connected on the interface.
Options: True | False
See Also: Section 6.7.2

Restricted Role: If True, this port cannot be selected as the root port even if it has the best priority vector.
Options: True | False
See Also: Section 6.7.4

Restricted TCN: If True, this port will not propagate topology changes or received topology change notifications (TCNs) to other ports.
Options: True | False
See Also: Section 6.7.5

BPDU Receive: If True, this port processes received BPDUs normally. If False, this port discards received BPDUs.
Options: True | False
See Also: Section 6.7.6
BPDU Transmit: If True, this port transmits BPDUs. If False, this port does not transmit BPDUs.
Options: True | False
See Also: Section 6.7.7

Loop Guard: If True, this port is prevented from forming loops by going into a temporary loop-inconsistent state if its receipt of BPDUs is interrupted.
Options: True | False
See Also: Section 6.7.3

6.9.4 MSTP VLAN Mapping
In the GUI go to the Layer 2: Manager: MSTP: VLAN Mapping tab to map VLANs to MSTP instances, as illustrated in Figure 6-7.
Figure 6-7. MSTP VLAN Mapping Tab
In the VLAN Mapping screen the upper dialog box enables you to specify and configure a virtual interface. Click Add for your specifications to take effect and to be displayed in the lower dialog box. The lower dialog box displays configured instances and enables you to delete a selected instance.
Table 6-5. MSTP VLAN Mapping Fields

MSTP Instance ID: Specify an MSTP instance.
See Also: Section 6.5

Add VLAN: Specify a configured VLAN.

Delete VLAN: Specify a configured and previously mapped VLAN.
Add / Reset: Click Add to create a mapping. Click Reset to clear the fields.

Delete: Delete the configured mapping indicated by the Select button.

6.9.5 MSTP Port Settings
In the GUI go to the Layer 2: Manager: MSTP: Port Settings tab to view and modify basic MSTP information for specific ports previously configured to participate in an MSTP instance, as illustrated in Figure 6-8.
Figure 6-8. MSTP Port Settings Tab
The MSTP Port Settings screen enables you to configure MST on a per port basis. Specify the values and click the apply button for your specifications to take effect.
Table 6-6. MSTP Port Settings Fields

Select: You must click a selection button before editing a port’s settings.

Port: Lists configured ports available for alteration.

MSTP Instance ID: Displays and enables editing of the MSTP instance in which each port participates.

Port State: Whether this port is enabled or disabled.
Priority: Displays and enables editing of the priority value of this port.
Default value: 128
Valid range: 0-240 (must be a multiple of 16)
See Also: Section 6.2.3, Section 6.7.1, Section 6.6.7

Cost: Displays and enables editing of the path cost, a value used in measuring how “close” bridges are to one another.
Default value: 200000
Valid range: 0-200000000
See Also: Section 6.7.1, Section 6.2.1

6.9.6 MSTP CIST Port Status
In the GUI go to the Layer 2: Manager: MSTP: CIST Port Status tab to view CIST information for all ports in the switch, as illustrated in Figure 6-9.
Figure 6-9. MSTP Port Settings Tab
Table 6-7 explains the meaning of the parameters displayed in the CIST Port Status screen.
Table 6-7. MSTP Port Status Display

Port: The port ID.

Designated Root: The unique identifier of the bridge that is identified as the CIST root in the transmitted configuration BPDUs.

Root Priority: The priority of the bridge that is the designated root.
Default value: 32768
Valid range: 0-61440

Designated Bridge: The unique identifier of the designated bridge for this port’s segment. The designated bridge is the only bridge that can transmit frames to and from the segment.
Designated Port: The identifier of the port on the designated bridge for this port's segment. This is the port the designated bridge uses to exchange frames with this segment.

Regional Root: The unique identifier of the bridge that is identified as the CIST regional root in the transmitted configuration BPDUs.

Regional Root Priority: The priority of the bridge that is the regional root.
Default value: 32768
Valid range: 0-61440

Regional Path Cost: The port’s path cost that contributes to the cost of paths (including the port) towards the CIST Regional Root.
Valid range: 1-200000000

Type: The operational Point-to-Point Status of the LAN segment attached to the port. The values can be:
• PointtoPoint — The port is treated as if it is connected to a point-to-point link.
• SharedLan — The port is treated as if it has a shared media connection.
You can specify the value or select Auto for the switch to determine the status.
See Also: Section 6.9.3
Role: The current role of the port for the spanning tree instance. The values can be:
• Disabled — The port does not take part in the spanning tree process.
• Alternate — The port acts as an alternate for the root port, is blocked and not used for traffic. (It will be enabled and become the root port if the current root port is blocked.)
• Backup — The port acts as a backup for a specific designated port. It is blocked and not used for traffic. (It will be enabled and become the designated port if the active designated port is blocked.)
• Root — The port is used to forward data to the root bridge directly or through an upstream LAN segment.
• Designated — The port is used to send and receive packets to/from a specific downstream LAN segment/device. Only one designated port is assigned for each segment.

Port State: The current state of the port as defined by the common STP. The values can be:
• Disabled — The port does not take part in the spanning tree process.
• Discarding — The port is included in the STP process and is ready to learn addresses and forward data.
• Learning — The port is learning source addresses from received frames and storing them in the switching database to use when sending and receiving data.
• Forwarding — The port is sending and receiving data based on the formed loop-free spanning tree topology.

6.10 Configuring RSTP in the GUI
The following sections describe RSTP configuration in the Graphical User Interface. The See Also cross references in the tables direct you to related information in the CLI documentation.
6.10.1 RSTP Global Configuration
In the GUI go to the Layer 2: Manager: RSTP: Global Settings tab to view and modify the RSTP Global Configuration screen, as illustrated in Figure 6-10.
Figure 6-10. RSTP Global Configuration Tab
The RSTP Global Configuration screen enables you to configure RST parameters that apply to all ports in the switch. Specify the values and click the apply button for your specifications to take effect.
Table 6-8. RSTP Global Configuration Fields

Dynamic Path Cost Calculation: Options are:
• True — Dynamically calculate the path cost based on the speed of the ports whose Admin State is set to Up at that time. Once calculated, the path cost is not changed based on the operational status of the ports.
• False — Dynamically calculate the path cost based on the link speed at the time of port creation.
If you have manually assigned a path cost, that value is used regardless of the selection made here.
Default value: False
See Also: Section 6.6.4, Section 6.2.1

Speed Change Path Cost Calculation: Options are:
• True — Dynamically calculates the path cost for ports based on their speed at that time. The path cost is re-calculated if the speed of the port changes.
• False — Does not dynamically calculate the path cost for ports based on their speed at that time.
If you have manually assigned a path cost, that value is used regardless of the selection made here.
Default value: False
6.10.2 RSTP Timer Configuration
In the GUI go to the Layer 2: Manager: RSTP: Basic Settings tab to view and modify the RSTP Global Configuration screen, as illustrated in Figure 6-11.
Figure 6-11. RSTP Timers Configuration Tab
The RSTP Configuration screen enables you to configure RST timers for controlling the transmission of BPDUs during the computation of the loop-free topology. This configuration is applied globally in the switch on all ports. Specify the values and click the apply button for your specifications to take effect.
Table 6-9. RSTP Timers Configuration Fields

Priority: The priority value used for this switch during the election of the root. This is a numerical value that can be either 0 or a number in the valid range that is divisible by 4096.
Default value: 32768
Valid range: 0-65535
See Also: Section 6.4.1, Section 6.6.7

Version: Select STP Compatible to enable backward compatibility with legacy STP traffic.
Default value: RSTP Compatible
Options: STP Compatible | RSTP Compatible
See Also: Section 6.6.3

Tx Hold Count: The maximum number of packets that can be sent in a given hello-time interval.
Default value: 3
Valid range: 1-10
See Also: Section 6.6.6

Max Age: The length of time to retain learned information.
Default value: 20 seconds
Valid range: 6-40 seconds
See Also: Section 6.6.5, Section 6.4.1
Hello Time: Interval between the sending of hello messages to other switches.
Default value: 2 seconds
Valid range: 1-2 seconds
See Also: Section 6.6.5, Section 6.4.1

Forward Delay: The length of time the bridge waits after any state or topology change before forwarding the information to the network.
Default value: 15 seconds
Valid range: 4-30 seconds
See Also: Section 6.6.5, Section 6.4.1

6.10.3 RSTP Port Configuration
In the GUI go to the Layer 2: Manager: RSTP: Basic Settings tab to view and modify the RSTP Port Configuration screen, as illustrated in Figure 6-12.
Figure 6-12. RSTP Port Configuration Tab
The RSTP Port Settings screen enables you to configure RST on a per port basis. Specify the values and click the apply button for your specifications to take effect.
Table 6-10. RSTP Port Configuration Fields

Select: You must click a selection button before configuring a port.

Port: Lists ports available for configuration.
Port Role: The current role of the port for the spanning tree instance. The values can be:
• Disabled — The port does not take part in the spanning tree process.
• Alternate — The port acts as an alternate for the root port, is blocked and not used for traffic. (It will be enabled and become the root port if the current root port is blocked.)
• Backup — The port acts as a backup for a specific designated port. It is blocked and not used for traffic. (It will be enabled and become the designated port if the active designated port is blocked.)
• Root — The port is used to forward data to the root bridge directly or through an upstream LAN segment.
• Designated — The port is used to send and receive packets to/from a specific downstream LAN segment/device. Only one designated port is assigned for each segment.
See Also: Section 6.2.3

Port Priority: The priority value of this port.
Default value: 128
Valid range: 0-240 (must be a multiple of 16)
See Also: Section 6.2.3, Section 6.7.1, Section 6.6.7

RSTP Status: Whether or not RSTP is enabled on this port.
Options: Enable | Disable
See Also: Section 6.6.2, Section 6.5

Path Cost: A value used in measuring how “close” bridges are to one another. This value is the path cost that contributes to the path cost of paths containing this port. The paths’ path cost is used during calculation of the shortest path to reach the root. The path cost represents the distance between the root port and the designated port. The value used will be, in order of preference:
1. The value you specifically configure. If this is not available, then
2. the value determined by a dynamic path cost calculation, if that option has been selected. If this is not available, then
3. the default value.
Default value: 200000
Valid range: 0-200000000
See Also: Section 6.7.1, Section 6.2.1, Section 6.10.1
Protocol Migration: This value controls the protocol migration mechanism that enables the module to interoperate with legacy 802.1D switches. Options are:
• True — Restarts the protocol migration process.
• False — The port always transmits the standard RSTP BPDUs.
Default value: False

Admin Edge Port: The administrative Edge Port value. Options are:
• True — Sets the port as an edge port; that is, a port that is directly connected to a single end station. The Port State is set to forwarding. This allows faster convergence by eliminating the wait to receive BPDUs.
• False — Sets the port as a non-edge port; that is, a port that is connected to a routing device. The spanning tree process is performed using RSTP.
If Auto Edge Detection is set to True (see below) the value of the Edge Port parameter is automatically updated when a change is detected.
Default value: False
See Also: Section 6.7.2

Admin Point to Point: The link type for this port can be point to point or shared. This setting determines whether that status is detected automatically (Auto) or forced to “True,” a point to point link, or “False,” a shared link.
Options: Auto | ForceTrue | ForceFalse
See Also: Section 6.2.4, Section 6.7.1

Auto Edge Detection: If True, enables automatic detection of a bridge connected on the interface.
Options: True | False
See Also: Section 6.7.2

Restricted Role: If True, this port cannot be selected as the root port even if it has the best priority vector.
Options: True | False
See Also: Section 6.7.4

Restricted TCN: If True, this port will not propagate topology changes or received topology change notifications (TCNs) to other ports.
Options: True | False
See Also: Section 6.7.5

Bpdu Receive: If True, this port processes received BPDUs normally. If False, this port discards received BPDUs.
Options: True | False
See Also: Section 6.7.6
Bpdu Transmit: If True, this port transmits BPDUs. If False, this port does not transmit BPDUs.
Options: True | False
See Also: Section 6.7.7

Loop Guard: If True, this port is prevented from forming loops by going into a temporary loop-inconsistent state if its receipt of BPDUs is interrupted.
Options: True | False
See Also: Section 6.7.3

6.10.4 RSTP Port Status
In the GUI go to the Layer 2: Manager: RSTP: Port Status tab to view RSTP status information for all ports in the switch, as illustrated in Figure 6-13.
Figure 6-13. MSTP Port Settings Tab
Table 6-11 explains the meaning of the parameters displayed in the RSTP Port Status screen.
Table 6-11. RSTP Port Status Display

Port: The port ID.

Designated Root: The unique identifier of the bridge that is identified as the segment root in the transmitted configuration BPDUs.

Designated Cost: The Path Cost of the Designated Port of the segment connected to the port.

Designated Bridge: The unique identifier of the designated bridge for this port’s segment. The designated bridge is the only bridge that can transmit frames to and from the segment.

Designated Port: The identifier of the port on the designated bridge for this port's segment. This is the port the designated bridge uses to exchange frames with this segment.
Type: The operational Point-to-Point Status of the LAN segment attached to the port. The values can be:
• PointtoPoint — The port is treated as if it is connected to a point-to-point link.
• SharedLan — The port is treated as if it has a shared media connection.
You can specify the value or select Auto for the switch to determine the status.

Role: The current role of the port for the spanning tree instance. The values can be:
• Disabled — The port does not take part in the spanning tree process.
• Alternate — The port acts as an alternate for the root port, is blocked and not used for traffic. (It will be enabled and become the root port if the current root port is blocked.)
• Backup — The port acts as a backup for a specific designated port. It is blocked and not used for traffic. (It will be enabled and become the designated port if the active designated port is blocked.)
• Root — The port is used to forward data to the root bridge directly or through an upstream LAN segment.
• Designated — The port is used to send and receive packets to/from a specific downstream LAN segment/device. Only one designated port is assigned for each segment.

Port State: The current state of the port as defined by the common STP. The values can be:
• Disabled — The port does not take part in the spanning tree process.
• Discarding — The port is included in the STP process and is ready to learn addresses and forward data.
• Learning — The port is learning source addresses from received frames and storing them in the switching database to use when sending and receiving data.
• Forwarding — The port is sending and receiving data based on the formed loop-free spanning tree topology.

Chapter 7 LLDP
Link Layer Discovery Protocol (LLDP) is a link layer protocol that enables network devices to advertise their identities and capabilities and to discover information about neighbor devices.
LLDP supports a formal set of device attributes, each encoded as a type, a length, and a value; these attributes are referred to as TLVs. TLV information is stored in specialized device Management Information Bases (MIBs) that are accessible via the Simple Network Management Protocol (SNMP). On detection of certain events, or at the expiration of a prescribed interval, TLV information is extracted from LLDP local system MIB storage, formatted, and sent to the LLDP transmission module to be advertised by an LLDP agent sending LLDP Data Units (LLDPDUs). These LLDPDUs are recognized by the LLDP agents of other sites on the network and stored in the LLDP remote system MIBs at those sites.
The mandatory management TLVs are:
• Port description TLV
• System name TLV
• System description TLV
• System capabilities TLV
• Management address TLV
7.1 Configuring LLDP in the CLI
The following sections describe the commands used to configure LLDP functionality on the INOS command line interface.
7.1.1 Global Configuration of LLDP
The following CLI commands control LLDP configuration on all interfaces of the switch. These commands are available in Global Configuration mode, which is signified by the Magnum 10RX(config)# prompt and is entered by typing configure terminal in the opening Exec. Commands mode.
7.1.1.1 Enabling and Disabling LLDP
Use the set lldp command in Global Configuration mode to enable or disable LLDP functionality in the switch.
Command syntax:
set lldp {enable | disable}
Where:
enable — Transmits/receives the LLDP packets between LLDP module and the server.
disable — Does not transmit/receive the LLDP packets between LLDP module and the server.
Example:
Magnum 10RX(config)# set lldp enable
Default value: disable
Use the show lldp command to view LLDP globally configured values.
7.1.1.2 Configuring the LLDP Transmission Interval
Use the lldp transmit-interval command in Global Configuration mode to set the interval at which the server will send its identifying information from the local system MIB to the LLDP transmission module.
Command syntax:
lldp transmit-interval transval
Where:
transval is a numerical value specifying the number of seconds between transmission of TLVs describing this local system.
Example:
Magnum 10RX(config)# lldp transmit-interval 120
Default value: 30 seconds
Valid range: 5-32768
The no lldp transmit-interval command sets the interval to the default.
Use the show lldp command to view LLDP globally configured values.
7.1.1.3 Configuring the LLDP Holdtime Multiplier
Use the lldp holdtime-multiplier command in Global Configuration mode to control the length of time LLDP information is retained by a receiving device before it is discarded. This time is expressed as a multiple of the length of time configured with the lldp transmit-interval command.
Command syntax:
lldp holdtime-multiplier multval
Where:
multval is a numerical value specifying the length of time to cache LLDP information before discard, expressed as a multiple of the configured transmit-interval.
Example:
Magnum 10RX(config)# lldp holdtime-multiplier 5
Default value: 4
Note that the combination of the default transmit-interval value of 30 and the default holdtime-multiplier value of 4 results in a default hold time (Time To Live, TTL) of 120 seconds.
Valid range: 2-10
The no lldp holdtime-multiplier command sets the multiplier to the default.
Use the show lldp command to view LLDP globally configured values.
7.1.1.4 Configuring the LLDP Reinitialization Delay
Use the lldp reinitialization-delay command in Global Configuration mode to specify the length of time that must elapse after LLDP is disabled on a port before it can be reinitialized.
Command syntax:
lldp reinitialization-delay reinitval
Where:
reinitval is a numerical value specifying the number of seconds required to elapse between LLDP being disabled on a port and its reinitialization.
Example:
Magnum 10RX(config)# lldp reinitialization-delay 5
Default value: 2 seconds
Valid range: 1-10
The no lldp reinitialization-delay command sets the interval to the default.
Use the show lldp command to view LLDP globally configured values.
7.1.1.5 Configuring the LLDP Transmission Delay
Use the lldp tx-delay command in Global Configuration mode to specify the length of time that must elapse between transmissions of advertisements that are initiated by changes in LLDP local information.
Command syntax:
lldp tx-delay delayval
Where:
delayval is a numerical value specifying the number of seconds that are to elapse between transmissions of advertisements initiated by changes to LLDP local information.
Note that delayval must be less than or equal to 0.25 x the transval value configured with the lldp transmit-interval command.
Example:
Magnum 10RX(config)# lldp tx-delay 7
Default value: 2 seconds
Valid range: 1-8192
The no lldp tx-delay command sets the interval to the default.
Use the show lldp command to view LLDP globally configured values.
7.1.1.6 Configuring the LLDP Notification Interval
Use the lldp notification-interval command in Global Configuration mode to set the time interval in which the local system generates a notification event. Notifications include SNMP traps, log messages and triggers. During the specified interval only a single notification can be sent.
Command syntax:
lldp notification-interval nival
Where:
nival is a numerical value specifying the time in seconds between the sending of notifications.
Example:
Magnum 10RX(config)# lldp notification-interval 30
Default value: 5 seconds
Valid range: 5-3600
The no lldp notification-interval command sets the interval to the default.
Use the show lldp command to view LLDP globally configured values.
7.1.1.7 Configuring the LLDP Chassis ID Subtype
Use the lldp chassis-id-subtype command in Global Configuration to specify the type of ID used in the switch. Most of the available options require you only to specify the subtype; the system will derive the correct ID automatically. Three options, chassis-comp, port-comp, and local, require you to provide an identifying string. Specify only one of these options.
Command syntax:
lldp chassis-id-subtype {chassis-comp chasstring | if-alias | port-comp portstring | mac-addr | nw-addr | if-name | local localstring}
Where:
chassis-comp chasstring — The chassis-comp key word followed by a string of up to 255 characters specifies a chassis identifier based on the value of the entPhysicalAlias object for a chassis component in the entity MIB (part of the SNMP Network Management Framework).
if-alias — The if-alias key word specifies a chassis identifier based on the value of the ifAlias object in the interfaces group MIB (part of the SNMP Network Management Framework).
port-comp portstring — The port-comp key word followed by a string of up to 255 characters specifies a chassis identifier based on the value of the entPhysicalAlias object for a port or backplane within the chassis in the entity MIB.
mac-addr — A chassis identifier based on the MAC address as defined in IEEE Std. 802.
nw-addr — A chassis identifier based on a network address associated with a particular chassis.
if-name — A chassis identifier based on the value of the ifName object in the interfaces group MIB for an interface on the containing chassis.
local localstring — The local key word followed by a string of up to 255 alphanumeric characters specifies a user-supplied local ID.
Example:
Magnum 10RX(config)# lldp chassis-id-subtype chassis-comp garrettcomswitch
Default value: mac-addr
Use the show lldp command to view LLDP globally configured values.
Use the show lldp local command to view LLDP values configured for individual interfaces.
7.1.1.8 Clearing LLDP Counters
Use the clear lldp counters command in Global Configuration mode to clear the counters that keep a total count of LLDP frames transmitted and received.
Command syntax:
clear lldp counters
Example:
Magnum 10RX(config)# clear lldp counters
Use the show lldp traffic command to view LLDP counters on all interfaces or on a specified interface.
7.1.1.9 Clearing the LLDP Table
Use the clear lldp table command in Global Configuration to clear information stored about neighbors.
Command syntax:
clear lldp table
Example:
Magnum 10RX(config)# clear lldp table
Use the show lldp neighbors command to view LLDP neighbor information.
7.1.2 Interface-specific Configuration of LLDP
The following CLI commands control LLDP configuration on a specified interface. These commands are available in Interface Configuration mode, which is signified by the Magnum 10RX(config-if)# prompt and is entered by specifying an interface for configuration in Global Configuration mode. For example:
Magnum 10RX(config)# interface gi 3/1
Magnum 10RX(config-if)#
7.1.2.1 Enabling LLDP Transmit/Receive on an Interface
Use the lldp command in Interface Configuration mode to enable transmission or reception of LLDPDUs on the interface being configured.
Command syntax:
lldp {transmit | receive}
Where:
transmit enables transmission of LLDPDUs from a server interface to the LLDP module.
receive enables reception of LLDPDUs from a server interface to the LLDP module.
Example:
Magnum 10RX(config-if)# lldp transmit
Default value: transmission and reception are enabled.
The no lldp {transmit | receive} command disables transmission or reception on the interface.
Use the show lldp interface command to view LLDP configuration details.
7.1.2.2 Configuring LLDP Notifications on an Interface
Use the lldp notification command in Interface Configuration mode to configure notification of LLDP events. Notifications include SNMP traps, log messages and triggers. Notifications are sent to the Network Management System (NMS). You can specify that a notification is sent either when a change occurs to a remote table, or when a configuration error is detected, or by both of these conditions.
Command syntax:
lldp notification [remote-table-chg] [mis-configuration]
Where:
remote-table-chg specifies that a trap notification is sent to the NMS whenever a remote table change occurs.
mis-configuration specifies that a trap notification is sent to NMS whenever a mis-configuration is identified.
Example:
Magnum 10RX(config-if)# lldp notification remote-table-chg
Default value: mis-configuration
The no interface notification command disables LLDP event notification.
The frequency with which notifications are sent is configured with the lldp notification-interval command. See Section 7.1.1.6.
Use the show lldp interface command to view LLDP configuration details.
7.1.2.3 Specifying Basic TLV Settings on a Port
Use the lldp tlv-select basic-tlv command in Interface Configuration mode to specify the mandatory TLVs to include in the transmission of LLDPDUs from this interface.
Command syntax:
lldp tlv-select basic-tlv {[port-descr] [sys-name] [sys-descr] [sys-capab] [mgmt-addr {all | ipv4 addr}]}
Where:
port-descr specifies that the port description TLV (slot number/port number ID) for this port will be transmitted.
sys-name specifies that the system name TLV will be transmitted.
sys-descr specifies that the system description TLV will be transmitted.
sys-capab specifies that the system capabilities TLV will be transmitted.
mgmt-addr specifies that a management address TLV will be transmitted:
all specifies that all available management addresses will be transmitted.
ipv4 addr specifies that the management address specified by addr will be transmitted.
Example:
Magnum 10RX(config-if)# lldp tlv-select basic-tlv port-descr mgmt-addr all
The no lldp tlv-select basic-tlv tlvspec disables transmission of the TLV specified by tlvspec.
Use the show lldp local command to view LLDP values configured for individual interfaces.
7.1.2.4 Configuring an ID for LLDP Port Subtype
Use the lldp port-id-subtype command in Interface Configuration to specify a port subtype ID. Most of the available options require you only to specify the subtype; the system will derive the correct ID automatically. Two options, port-comp, and local, require you to provide an identifying string. Specify only one of these options.
Command syntax:
lldp port-id-subtype {if-alias | port-comp portstring | mac-addr | if-name | local localstring}
Where:
if-alias — The if-alias key word specifies a chassis identifier based on the value of the ifAlias object in the interfaces group MIB (part of the SNMP Network Management Framework).
port-comp portstring — The port-comp key word followed by a string of up to 255 characters specifies a chassis identifier based on the value of the entPhysicalAlias object for a port or backplane within the chassis in the entity MIB.
mac-addr — A chassis identifier based on the MAC address as defined in IEEE Std. 802.
if-name — A chassis identifier based on the value of the ifName object in the interfaces group MIB for an interface on the containing chassis.
local localstring — The local key word followed by a string of up to 255 alphanumeric characters specifies a user-supplied local ID.
Example:
Magnum 10RX(config-if)# lldp port-id-subtype mac-addr
Default value: if-alias
Use the show lldp local command to view LLDP values configured for individual interfaces.
7.1.2.5 Configuring Transmission of dot1 TLVs on an Interface
Use the lldp tlv-select dot1tlv command in Interface Configuration mode to configure the transmission of dot1 TLVs on the port. Dot1 TLVs contain VLAN-specific information.
Command syntax:
lldp tlv-select dot1tlv {[port-vlan-id] [protocol-vlan-id {all |vlanid}] [vlan-name {all | vlanname}]}
Where:
port-vlan-id — This key word specifies the VLAN ID associated with this port and its protocols.
protocol-vlan-id — This key word specifies the ID of a group of protocols associated with a VLAN and this port:
all specifies transmission of all available values of IDs.
vlanid transmits a single specified VLAN ID.
vlan-name — This key word specifies an administratively assigned string identifying the VLAN:
all specifies transmission of all available values of VLAN names.
vlanname transmits a single specified VLAN name.
Example:
Magnum 10RX(config-if)# lldp tlv-select dot1tlv port-vlan-id protocol-vlan-id 42
The no lldp tlv-select dot1tlv tlvspec disables transmission of the TLV specified by tlvspec.
Use the show lldp local command to view LLDP values configured for individual interfaces.
7.1.2.6 Configuring Transmission of dot3 TLV Subtypes on an Interface
Use the lldp tlv-select dot3tlv command in Interface Configuration mode to configure the transmission of dot3 TLVs on the port.
Command syntax:
lldp tlv-select dot3tlv {[macphy-config] [link-aggregation] [max-framesize]}
Where:
macphy-config — Specifies that the physical MAC configuration be transmitted in the LLDPDU.
link-aggregation — Specifies that the link aggregation protocol statistics be transmitted in the LLDPDU.
max-framesize — Specifies that the maximum frame size be transmitted in the LLDPDU.
Example:
Magnum 10RX(config-if)# lldp tlv-select dot3tlv macphy-config
The no lldp tlv-select dot3tlv tlvspec disables transmission of the TLV specified by tlvspec.
Use the show lldp local command to view LLDP values configured for individual interfaces.
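Sections 7.1.1.7, 7.1.2.3 and 7.1.2.4 select which chassis and port identifier subtypes and which optional TLVs a port advertises. The following Python example is added here and is not code from the INOS guide or from Belden: it builds an LLDPDU carrying those TLVs, parses one back (rejecting a TLV chain whose length fields overrun the frame), and lists the optional TLVs that tell anyone on the segment more than topology discovery needs, which is what an operator deciding where to apply no lldp transmit (Section 7.1.2.1) wants to see. TLV type codes and subtype numbers are taken from IEEE 802.1AB; that the INOS keywords map onto those subtype values is an assumption of this example, and the sample chassis string, MAC address, system description and management address are constructed.

```python
import struct
from ipaddress import IPv4Address

# TLV type codes and subtype numbers are from IEEE 802.1AB clause 9, not from the INOS guide.
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESCR, TLV_SYS_NAME, TLV_SYS_DESCR, TLV_SYS_CAPAB, TLV_MGMT_ADDR = 4, 5, 6, 7, 8

# Assumed mapping of the INOS chassis-id-subtype keywords onto 802.1AB chassis ID subtypes.
CHASSIS_SUBTYPE = {"chassis-comp": 1, "if-alias": 2, "port-comp": 3, "mac-addr": 4,
                   "nw-addr": 5, "if-name": 6, "local": 7}
# Assumed mapping for port-id-subtype; 802.1AB value 6 (agent circuit ID) has no INOS keyword.
PORT_SUBTYPE = {"if-alias": 1, "port-comp": 2, "mac-addr": 3, "nw-addr": 4,
                "if-name": 5, "local": 7}
CAPABILITY_BITS = {"other": 0, "repeater": 1, "bridge": 2, "wlan-ap": 3,
                   "router": 4, "telephone": 5, "docsis": 6, "station": 7}
# Optional TLVs that reveal more about the device than a neighbor needs for discovery.
DISCLOSURE_TLVS = {"sys_descr", "mgmt_addr", "sys_name"}


def _tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length in one 16-bit header, then the value."""
    if len(value) > 0x1FF:
        raise ValueError("TLV value exceeds 511 octets")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_subtype, chassis_id, port_subtype, port_id, ttl,
                 port_descr=None, sys_name=None, sys_descr=None,
                 capabilities=(), mgmt_ipv4=None):
    """Build an LLDPDU: the three mandatory TLVs, the selected optional ones, then End."""
    pdu = _tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE[chassis_subtype]]) + chassis_id)
    pdu += _tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE[port_subtype]]) + port_id)
    pdu += _tlv(TLV_TTL, struct.pack("!H", ttl))
    for tlv_type, text in ((TLV_PORT_DESCR, port_descr), (TLV_SYS_NAME, sys_name),
                           (TLV_SYS_DESCR, sys_descr)):
        if text is not None:
            pdu += _tlv(tlv_type, text.encode())
    if capabilities:
        bits = sum(1 << CAPABILITY_BITS[c] for c in capabilities)
        pdu += _tlv(TLV_SYS_CAPAB, struct.pack("!HH", bits, bits))  # supported == enabled
    if mgmt_ipv4 is not None:
        addr = IPv4Address(mgmt_ipv4).packed
        # addr string length (subtype + addr), subtype 1 = IPv4, the address,
        # interface numbering subtype 1 (unknown), interface number 0, empty OID
        pdu += _tlv(TLV_MGMT_ADDR, bytes([1 + len(addr), 1]) + addr + bytes([1])
                    + struct.pack("!I", 0) + bytes([0]))
    return pdu + _tlv(TLV_END, b"")


def parse_lldpdu(data):
    """Walk the TLV chain into a dict; a length field that overruns the buffer is an error."""
    fields, off = {}, 0
    text_keys = {TLV_PORT_DESCR: "port_descr", TLV_SYS_NAME: "sys_name", TLV_SYS_DESCR: "sys_descr"}
    while off + 2 <= len(data):
        hdr, = struct.unpack_from("!H", data, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = data[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV at offset %d" % off)
        off += 2 + length
        if tlv_type == TLV_END:
            break
        if tlv_type in (TLV_CHASSIS_ID, TLV_PORT_ID) and value:
            key = "chassis_id" if tlv_type == TLV_CHASSIS_ID else "port_id"
            fields[key] = (value[0], value[1:])          # (subtype, identifier octets)
        elif tlv_type == TLV_TTL and len(value) == 2:
            fields["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type in text_keys:
            fields[text_keys[tlv_type]] = value.decode(errors="replace")
        elif tlv_type == TLV_SYS_CAPAB and len(value) == 4:
            _, enabled = struct.unpack("!HH", value)
            fields["capabilities"] = sorted(n for n, b in CAPABILITY_BITS.items() if enabled & (1 << b))
        elif tlv_type == TLV_MGMT_ADDR and len(value) >= 2:
            addr_len, subtype = value[0], value[1]
            addr = value[2:1 + addr_len]
            if subtype == 1 and len(addr) == 4:
                fields["mgmt_addr"] = str(IPv4Address(addr))
    for required in ("chassis_id", "port_id", "ttl"):
        if required not in fields:
            raise ValueError("mandatory TLV missing: " + required)
    return fields


def disclosed_fields(fields):
    """Names of the optional TLVs present that reveal more than topology discovery needs."""
    return sorted(DISCLOSURE_TLVS & set(fields))


if __name__ == "__main__":
    # Constructed sample resembling a port configured as in Sections 7.1.1.7 and 7.1.2.3.
    pdu = build_lldpdu("chassis-comp", b"garrettcomswitch", "mac-addr", bytes.fromhex("0200c0ffee01"),
                       ttl=120, port_descr="3/1", sys_name="edge-rtr-1",
                       sys_descr="Magnum 10RX INOS 2.1.0", capabilities=("bridge", "router"),
                       mgmt_ipv4="192.168.1.1")
    fields = parse_lldpdu(pdu)
    print(fields)
    print("disclosed:", disclosed_fields(fields))
```

A PDU built with only the three mandatory TLVs reports nothing disclosed; the sample above reports the management address, system description and system name, which is the set an operator would weigh against the no lldp tlv-select basic-tlv options on a port facing equipment outside the administrative domain.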
7.1.3 Displaying LLDP Information
The CLI commands described below enable you to display information about the LLDP configuration and performance. These commands are executed in Exec Commands mode at the Magnum 10RX# prompt.
7.1.3.1 show lldp
Use the show lldp command to display LLDP global configuration details.
Example:
Magnum 10RX# show lldp
7.1.3.2 show lldp interface
Use the show lldp interface command to display information about interfaces where LLDP is enabled.
Command syntax:
show lldp interface [gigabitethernet ifid]
Where:
The command entered without parameters displays information about all interfaces.
gigabitethernet ifid specifies a single interface for display.
Example:
Magnum 10RX# show lldp interface gigabitethernet 3/1
7.1.3.3 show lldp neighbors
Use the show lldp neighbors command to display information about neighbors on an interface or all interfaces.
Command syntax:
show lldp neighbors [chassis-id ch_string] [gigabitethernet ifid] [detail]
Where:
The command entered without parameters displays information about all interfaces.
ch_string specifies a chassis identifier.
ifid specifies a port.
detail specifies information obtained from all TLVs received.
Example:
Magnum 10RX# show lldp neighbors detail
7.1.3.4 show lldp traffic
Use the show lldp traffic command to display LLDP counters on all interfaces or on a specific interface.
Command syntax:
show lldp traffic [gigabitethernet ifid]
Where:
The command entered without parameters displays information about all interfaces.
ifid specifies a port.
Example:
Magnum 10RX# show lldp traffic gigabitethernet 3/1
7.1.3.5 show lldp local
Use the show lldp local command to display the current switch information that will be used to populate outbound LLDP advertisements for a specific interface or all interfaces.
Command syntax:
show lldp local {[gigabitethernet ifid] | [mgmt-addr]}
Where:
The command entered without parameters displays information about all interfaces.
ifid specifies a port.
mgmt-addr specifies all the management addresses configured in the system and Tx enabled ports.
Example:
Magnum 10RX# show lldp local
7.1.3.6 show lldp errors
Use the show lldp errors command to display information about errors such as memory allocation failures, queue overflows and table overflow.
Example:
Magnum 10RX# show lldp errors
7.1.3.7 show lldp statistics
Use the show lldp statistics command to display LLDP remote table statistics information.
Example:
Magnum 10RX# show lldp statistics
7.2 Configuring LLDP in the GUI
The following sections describe the configuration of LLDP in the INOS graphical user interface.
7.2.1 LLDP Global Configuration
In the GUI go to the Layer 2: Manager: LLDP: Global Settings tab to enable LLDP functionality, as illustrated in Figure 7-1.
Figure 7-1. LLDP Global Configurations Screen
The LLDP Global Configurations screen enables you to enable or disable LLDP in the system. Click the Apply button to execute your selection.
Table 7-1. LLDP Global Configuration Fields
Parameter Description See Also
Global Status The mode of LLDP in the system.
Enabled — Specifies that all the resources required by the LLDP module are allocated and that LLDP is supported in the device on all ports.
Disabled — Specifies that LLDP is shutdown in the device on all ports and any allocated resources are released.
Section 7.1.1.1
7.2.2 LLDP Basic Settings
In the GUI go to the Layer 2: Manager: LLDP: Basic Settings tab to configure timing settings and identifiers, as illustrated in Figure 7-2.
Figure 7-2. LLDP Basic Settings Screen
In the LLDP Basic Settings screen specify the timing of various actions and provide an identifier for this device. Click the Apply button to execute your selections.
Table 7-2. LLDP Basic Settings Fields
Parameter Description See Also
Transmit Interval Sets the interval at which the server will send its identifying information from the local system MIB to the LLDP transmission module.
Default value: 30 seconds
Valid range: 5-32768
Section 7.1.1.2
Holdtime Multiplier
The length of time LLDP information is retained by a receiving device before it is discarded. This time is expressed as a multiple of the length of time specified in the Transmit Interval field.
Default value: 4
Valid range: 2-10
Section 7.1.1.3
Reinitialization Delay
Specifies the length of time to elapse after LLDP is disabled on a port before it can be reinitialized.
Default value: 2 seconds
Valid range: 1-10
Section 7.1.1.4
Tx Delay Specifies the length of time to elapse between transmissions of advertisements that are initiated by changes in LLDP local information.
Default value: 2 seconds
Valid range: 1-8192
Section 7.1.1.5
Notification Interval
Sets the time interval in which the local system generates a notification event.
Default value: 5 seconds
Valid range: 5-3600
Section 7.1.1.6
Chassis Id The chassis identifier. With most subtypes the system will derive the correct ID automatically. Three subtypes, Chassis Component, Port Component, and Local, require you to provide an identifying string.
Section 7.1.1.7
Chassis ID Subtype
Specifies the type of ID used in the switch. Options are:
• Chassis Component — The chassis-comp key word followed by a string of up to 255 characters specifies a chassis identifier based on the value of the entPhysicalAlias object for a chassis component in the entity MIB (part of the SNMP Network Management Framework).
• Interface Alias — The if-alias key word specifies a chassis identifier based on the value of the ifAlias object in the interfaces group MIB (part of the SNMP Network Management Framework).
• Port Component — The port-comp key word followed by a string of up to 255 characters specifies a chassis identifier based on the value of the entPhysicalAlias object for a port or backplane within the chassis in the entity MIB.
• MAC Address — A chassis identifier based on the MAC address as defined in IEEE Std. 802.
• Network Address — A chassis identifier based on a network address associated with a particular chassis.
• Interface Name — A chassis identifier based on the value of the ifName object in the interfaces group MIB for an interface on the containing chassis.
• Local — The local key word followed by a string of up to 255 alphanumeric characters specifies a user-supplied local ID.
Section 7.1.1.7
7.2.3 LLDP Interface Settings
In the GUI go to the Layer 2: Manager: LLDP: Interfaces tab to configure specific ports for LLDP functioning, as illustrated in Figure 7-3.
Figure 7-3. LLDP Interface Settings Screen
In the LLDP Interface Settings screen the upper dialog box enables you to specify an IP address for a previously configured interface. Click the Modify button and this interface information will be displayed along with any other configured interfaces in the lower dialog box, which also enables editing of some previously configured values.
Table 7-3. LLDP Interface Settings Fields
Parameter Description See Also
Select You must click a selection button before modifying a configuration.
Port Specifies the port under configuration. Section 7.1.2
Tx State Enable/disable transmission of LLDPDUs from a server interface to the LLDP module. Section 7.1.2.1
Rx State Enable/disable reception of LLDPDUs from a server interface to the LLDP module. Section 7.1.2.1
Tx SEM State Displays current status of the TX state event machine.
Rx SEM State Displays current status of the RX state event machine.
Notification Status Enables/disables notification. Section 7.1.2.2
Notification Type Configure notification of LLDP events. Notifications include SNMP traps, log messages and triggers. Notifications are sent to the Network Management System (NMS). Options are:
• Mis-config — specifies that a trap notification is sent to the NMS whenever a remote table change occurs.
• Remote-Table-Change — specifies that a trap notification is sent to the NMS whenever a mis-configuration is identified.
• Both — a notification is sent whenever either of the above conditions is met.
Section 7.1.2.2
7.2.4 LLDP Neighbor Information
In the GUI go to the Layer 2: Manager: LLDP: Neighbors tab to display information about LLDP neighbors, as illustrated in Figure 7-4.
Figure 7-4. LLDP Neighbor Information Screen
In the LLDP Neighbor Information screen you can view basic information about LLDP neighbors. Click Clear LLDP Neighbors to delete the display of information.
Table 7-4. LLDP Neighbor Information Display
Parameter Description See Also
Chassis ID Displays a neighbor’s chassis ID. Section 7.1.1.7
Local Interface Identifies the local port on which the neighbor information is learned.
Hold Time Displays the Hold Time advertised by this neighbor. Section 7.1.1.3
Capability Displays the capabilities (such as bridge, router, telephone, etc.) advertised by this neighbor.
Port ID Displays the Port ID advertised by this neighbor.
7.2.5 LLDP Basic TLV Settings
In the GUI go to the Layer 2: Manager: LLDP: Basic TLV Settings tab to specify the mandatory TLVs to include in the transmission of LLDPDUs from this interface, as illustrated in Figure 7-5.
Figure 7-5. LLDP Basic TLV Settings Screen
In the LLDP Basic TLV Settings screen you can specify the information to be transmitted by the selected interface. A specification of Enabled means that the information defined by that column heading will be included. Click Apply for your specifications to take effect.
See also Section 7.1.2.3.
Table 7-5. LLDP Basic TLV Settings
Parameter Description
Select You must click a selection button before modifying a configuration.
Interface ID A list of available gigabitethernet interfaces.
Port Description Enabled specifies that the port description TLV (slot number/port number ID) for this port will be transmitted.
System Name Enabled specifies that the system name TLV will be transmitted.
System Description Enabled specifies that the system description TLV will be transmitted.
System Capabilities Enabled specifies that the system capabilities TLV will be transmitted.
Management Address Enabled specifies that a management address TLV will be transmitted. The All keyword specifies that all management addresses will be included, or you can specify an IPv4 address.
7.2.6 LLDP DOT1 TLV Settings
In the GUI go to the Layer 2: Manager: LLDP: DOT1 TLV Settings tab to configure the transmission of DOT1 TLVs on the port, as illustrated in Figure 7-6. DOT1 TLVs contain VLAN-specific information.
Figure 7-6. LLDP DOT1 TLV Settings Screen
In the LLDP DOT1 TLV Settings screen you can specify VLAN information to be transmitted by the selected interface. A specification of Enabled means that the information defined by that column heading will be included. Click Apply for your specifications to take effect.
See also Section 7.1.2.5.
Table 7-6. LLDP DOT1 TLV Settings Fields
Parameter Description
Select You must click a selection button before modifying a configuration.
Interface ID A list of available gigabitethernet interfaces.
Port VLAN Enabled specifies that the VLAN ID associated with this port and its protocols will be transmitted.
Protocol VLAN Enabled specifies that the ID of a group of protocols associated with a VLAN and this port will be transmitted. The keyword All specifies transmission of all available values of IDs, or use a comma separated list of configured VLAN IDs.
VLAN Name Enabled specifies that an administratively assigned string identifying the VLAN will be transmitted. The keyword All specifies transmission of all available VLAN names, or use a comma separated list of configured VLAN names.
7.2.7 LLDP DOT3 TLV Settings
In the GUI go to the Layer 2: Manager: LLDP: DOT3 TLV Settings tab to configure the transmission of DOT3 TLVs on the port, as illustrated in Figure 7-7.
Figure 7-7. LLDP DOT3 TLV Settings Screen
In the LLDP DOT3 TLV Settings screen you can specify the information to be transmitted by the selected interface. A specification of Enabled means that the information defined by that column heading will be included. Click Apply for your specifications to take effect.
See also Section 7.1.2.6.
Table 7-7. LLDP DOT3 TLV Settings Fields
Parameter Description
Select You must click a selection button before modifying a configuration.
Interface ID A list of available gigabitethernet interfaces.
MAC PHY Config Enabled specifies that the physical MAC configuration be transmitted in the LLDPDU.
Link Aggregation Enabled specifies that the link aggregation protocol statistics be transmitted in the LLDPDU.
Max Framesize Enabled specifies that the maximum frame size be transmitted in the LLDPDU.
Chapter 8 IP Addressing and Static Routing
This chapter describes the INOS commands available to support configuration of interface IP addresses and static routes.
8.1 Configuring IP Addresses
Interfaces that can be configured as IP interfaces are:
• gigabitethernet
• vlan
• ppp
• mlppp
• loopback
• fr-pvc
• tunnel
8.1.1 Specifying an Interface for Configuration
Use the interface command in Global Configuration mode to specify an interface type and ID and to enter Interface Configuration mode, signaled by the Magnum 10RX(config-if)# prompt.
Command syntax:
interface {gigabitethernet | vlan | ppp | mlppp | loopback | fr-pvc | tunnel} ID
Where:
ID is an integer or integer combination uniquely identifying the interface.
Example:
Magnum 10RX(config)# interface vlan 1
Magnum 10RX(config-if)#
Valid ranges:
gigabitethernet port number/slot number combination — 1-10, 1-4
VLAN — 1-4094
ppp — 1-16
mlppp — 1-16
loopback — 0-9
fr-pvc — 1-2048
tunnel — 1-32
NOTE: an Ethernet interface cannot have a configured IP address unless it is a router port; that is, unless it is configured using the no switchport command as described in Section 4.0.2.2.
The no interface type ID command in Global Configuration mode deletes configuration of the specified interface.
The show interface type ID command in Exec Commands mode displays information about the specified interface.
8.1.2 Configuring an IP Address in the CLI
Use the ip address command in Interface Configuration mode to assign an IP address to the interface being configured.
Command syntax:
ip address addr mask [secondary]
Where:
addr is an IP address in IPv4 format.
mask is a subnet mask.
secondary is a keyword specifying that this address is in addition to a primary address.
Example:
The commands illustrated in Figure 8-1 configure the VLAN 1 interface with a primary and a secondary IP address.
Figure 8-1. Assigning IP addresses to an interface
Magnum 10RX(config)# interface vlan 1
Magnum 10RX(config-if)# no switchport
Magnum 10RX(config-if)# ip address 192.168.1.1 255.255.255.0
Magnum 10RX(config-if)# ip address 192.168.2.1 255.255.255.0 secondary
The no ip address command in Interface Configuration mode deletes the IP address from the interface under configuration.
The show interface type ID command in Exec Commands mode displays information about the specified interface.
8.1.3 Configuring an IP Address in the GUI
In the GUI go to the Layer 3 Management: IP: IP Addr tab to assign an IP address to an interface, as illustrated in Figure 8-2.
Figure 8-2. Assigning an IP address to an interface
In the IPv4 Interface Settings screen the upper dialog box enables you to specify an IP address for a previously configured interface. Click the Modify button and this interface information will be displayed along with any other configured interfaces in the lower dialog box, which also enables editing of some previously configured values.
Table 8-1. Loopback Basic Settings Configuration Fields
Parameter Description
Select You must click the radio button of the interface to be configured.
Interface The identifiers of configured interfaces.
IP Address The IP address of this interface.
Subnet Mask The subnet mask of this interface.
Broadcast Address The broadcast address of this interface.
Address Type Type may be Primary or Secondary.
8.1.4 Configuring a VLAN Interface in the GUI
In the GUI go to the Layer 3 Management: IP: VLAN Interfaces tab to assign an IP address to an interface, as illustrated in Figure 8-3.
Figure 8-3. Configuring a VLAN interface
In the VLAN Interface Basic Settings screen the upper dialog box enables you to specify and to configure a virtual interface. Click the Create button and this interface information will be displayed along with any other configured interfaces in the lower dialog box, which also enables editing of some previously configured values.
Table 8-2. Loopback Basic Settings Configuration Fields
Parameter Description
Select In the lower dialog box you must click the radio button of the interface to be configured.
VLAN Interface A numerical identifier for this VLAN.
Valid range: 1-4094
Admin State The Administrative State may be either Up (enabled) or Down (disabled). The interface IP address must have been configured for this state to be Up.
IPv4 Enabled State The IPv4 Enabled State may be either Up (IPv4 is enabled on this interface) or Down (IPv4 is disabled on this interface).
Oper State The Operating State may be either Up or Down. An Up state indicates that the interface is operationally up and ready to transmit and receive.
MTU The Maximum Transmission Unit. The MTU for the interface as shown to the higher interface sub-layer (this value should not include the encapsulation or header added by the interface). If IP is operating over the interface, then this value indicates the IP MTU over this interface. To change the MTU of the interface first set the interface to administratively Down, make the change and reset it to Up.
Valid range: 68-1500
8.1.5 Configuring a Loopback Interface in the CLI
Use the interface loopback command in Global Configuration mode to enter Interface Configuration mode and assign an IP address to a loopback interface.
Command syntax:
interface loopback loopid
Where:
loopid is a numerical value identifying the loopback interface to be configured.
Valid range: 0-9
Example:
The commands illustrated in Figure 8-4 specify, in Global Configuration mode, a loopback interface 1 to be configured and, in Interface Configuration mode, an IP address and subnet mask for that interface.
Figure 8-4. Configuring a loopback interface in the CLI
Magnum 10RX(config)# interface loopback 1
Magnum 10RX(config-if)# ip address 192.168.2.1 255.255.255.255
Magnum 10RX(config-if)# no shutdown
Magnum 10RX(config-if)# exit
The no interface loopback loopid command in Global Configuration mode deletes the configured loopback interface specified by loopid.
The show interface loopback ID command in Exec Commands mode displays information about the specified interface.
8.1.6 Configuring a Loopback Interface in the GUI
In the GUI go to the Layer 3 Management: IP: Loopbacks tab to configure a loopback interface, as illustrated in Figure 8-5.
Figure 8-5. Configuring a loopback interface in the GUI
In the Loopback Basic Settings Configuration screen the upper dialog box enables you to specify a new loopback interface. Click the Create button and this interface will be displayed along with any other configured loopback interfaces in the lower dialog box, which also enables editing of some previously configured values.
Table 8-3. Loopback Basic Settings Configuration Fields
Parameter Description
Select You must click the radio button of the interface to be configured.
Loopback Interface The IDs of configured loopback interfaces.
Valid range: 0-9
Interface Status Interface status can be Up (active) or Down (inactive).
IP Address The IP address of this loopback interface.
Subnet Mask The subnet mask of this loopback interface.
Broadcast Address The broadcast address of this loopback interface.
8.2 Configuring Static Routing in the CLI
In configuring static routing you manually add routes to the routing table by specifying a path from the current device through a “next hop” to a destination. Unlike dynamically created routes, these fixed routes are not updated by new information from other routers, so in the event of a network change or connection failure traffic can be lost or delayed. However, static routing is useful for specifying some paths, such as that to a default gateway.
CHAPTER 8 - IP Addressing and Static RoutingConfiguring Static Routing in the CLI
Industrial Network Operating System Administrator’s Guide
153
8.2.1 Configuring Static IPv4 Routes
Specify a static route using the ip route command to specify a destination and a next hop toward that destination or an interface directly connected to a next hop.
Command syntax:
ip route ipaddress mask {nh_address | gigabitethernet ifid | vlan vid | ppp pppid | mlppp mlpppid | fr-pvc frpvcid | tunnel tunid} [distance] [private]
Where:
ipaddress is the IP address of the route destination.
mask is the subnet mask for the IP address. This is a 32-bit number which is used to divide the IP address into network address and host address.
nh_address is the IP address or IP alias of the next hop that can be used to reach the destination.
ifid following the keyword gigabitethernet, a specification of the next hop as a destination slot and port number separated by a slash, for example: 5/1.
vid following the keyword vlan, a value specifying the next hop as a specific VLAN created / to be created. This value ranges between 1 and 4094.
pppid following the keyword ppp, a value specifying the next hop as a specific PPP interface. This value ranges between 1 and 16.
mlpppid following the keyword mlppp, a value specifying the next hop as a specific MLPPP interface. This value ranges between 1 and 16.
frpvcid following the keyword fr-pvc, a value specifying the next hop as a specific fr-pvc interface. This value ranges between 1 and 2048.
tunid following the keyword tunnel, a value specifying the next hop as a specific tunnel interface. This value ranges between 1 and 32.
distance is a numerical value for the administrative distance, which is a measure of confidence in the route. This value ranges between 1 and 255.
private is a keyword specifying that this route cannot be redistributed to other routing protocols.
Example:
Magnum 10RX(config)# ip route 60.0.0.0 255.0.0.0 50.0.0.10
This command specifies that the destination network 60.0.0.0 with subnet mask 255.0.0.0 can be reached by a route for which the next hop is 50.0.0.10.
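As an added illustration (not part of the INOS documentation, and not Belden code), the following Python script checks an ip route line against the syntax and value ranges listed above before the line is pushed to a router; the function names are made up for this example.

```python
import ipaddress
import re

# Range limits for the next-hop interface IDs and the administrative
# distance, as given in the ip route syntax description above.
IFACE_RANGES = {
    "vlan": (1, 4094),
    "ppp": (1, 16),
    "mlppp": (1, 16),
    "fr-pvc": (1, 2048),
    "tunnel": (1, 32),
}
DISTANCE_RANGE = (1, 255)


def parse_ip_route(line):
    """Parse one 'ip route ...' line and return a dict describing it.

    Raises ValueError with a message naming the defect, so a config
    review script can reject the line before it reaches a router.
    (Hypothetical helper written for this example.)
    """
    tokens = line.split()
    if tokens[:2] != ["ip", "route"] or len(tokens) < 5:
        raise ValueError("expected: ip route <dest> <mask> <next-hop> ...")
    dest, mask = tokens[2], tokens[3]
    try:
        # strict=True rejects a destination with host bits set under the mask
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=True)
    except ValueError as exc:
        raise ValueError(f"bad destination/mask {dest} {mask}: {exc}") from None
    route = {"network": network, "next_hop": None, "interface": None,
             "distance": None, "private": False}
    rest = tokens[4:]
    # Next hop: either an IPv4 address or an interface keyword plus its id.
    head = rest.pop(0)
    if head == "gigabitethernet":
        ifid = rest.pop(0) if rest else ""
        if not re.fullmatch(r"\d+/\d+", ifid):
            raise ValueError("gigabitethernet needs slot/port, e.g. 5/1")
        route["interface"] = ("gigabitethernet", ifid)
    elif head in IFACE_RANGES:
        lo, hi = IFACE_RANGES[head]
        ifid = rest.pop(0) if rest else ""
        if not ifid.isdigit() or not lo <= int(ifid) <= hi:
            raise ValueError(f"{head} id must be {lo}-{hi}, got {ifid!r}")
        route["interface"] = (head, int(ifid))
    else:
        try:
            route["next_hop"] = ipaddress.IPv4Address(head)
        except ValueError:
            raise ValueError(f"unknown next hop {head!r}") from None
    # Optional trailing administrative distance and the private keyword.
    if rest and rest[0].isdigit():
        dist = int(rest.pop(0))
        lo, hi = DISTANCE_RANGE
        if not lo <= dist <= hi:
            raise ValueError(f"distance must be {lo}-{hi}, got {dist}")
        route["distance"] = dist
    if rest and rest[0] == "private":
        route["private"] = True
        rest.pop(0)
    if rest:
        raise ValueError(f"unexpected trailing tokens: {' '.join(rest)}")
    return route


def route_error(line):
    """Return None if the line is valid, otherwise the defect message."""
    try:
        parse_ip_route(line)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample lines: the manual's example plus two defective ones.
    for sample in ("ip route 60.0.0.0 255.0.0.0 50.0.0.10",
                   "ip route 60.0.0.1 255.0.0.0 50.0.0.10",
                   "ip route 0.0.0.0 0.0.0.0 vlan 5000"):
        print(sample, "->", route_error(sample) or "ok")
```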
8.3 Configuring Static Routing in the GUI
In the GUI go to the Layer 3 Management: IP: IP route tab to configure a static route, as illustrated in Figure 8-6.
Figure 8-6. Configuring a static route in the GUI
In the IP Route Configuration screen the upper dialog box enables you to specify a new static route. Click the Add button and this route will be displayed along with any other configured static routes in the lower dialog box, which also enables editing of some previously configured values.
Table 8-4. IP Route Configuration Fields
Parameter Description
Select You must click the radio button of the interface to be configured.
Destination Network The IP address of the route destination.
Subnet Mask A subnet mask for the IP address.
Next Hop The IP address or IP alias of the next hop that can be used to reach the destination. In the upper dialog box:
• If the Next Hop specification is Interface then the Interface field below is active and configured interfaces are available for selection from a drop-down menu.
• If the Next Hop specification is Gateway then the Gateway field below is active and available to receive an IP address for a gateway.
Gateway The IP address of a gateway for the configured route.
Interface The name of a configured interface to be used by this static route.
Distance A numerical value for the administrative distance, which is a measure of confidence in the route. See Section 9.1.5.
Metric The hop count metric for this destination. See Section 9.1.4.
Routing Protocol The routing protocol implemented for this route.
8.4 Configuring ARP
Address Resolution Protocol (ARP) associates an IP address with a Media Access Control (MAC) address. This creates connections between Layer 3 IP addressing and Layer 2 MAC addressing and enables you to address specific devices on your network. These mappings are kept in an ARP cache on each router, which is populated with information acquired through the ARP protocol. You can regulate some features of ARP access.
8.4.1 Configuring the ARP Cache Timeout
Set the ARP cache timeout value with the arp timeout command. The ARP timeout defines the time period a learned ARP entry remains in the cache. When a new timeout value is assigned only ARP entries subsequent to that assignment
The no form of this command sets the ARP cache timeout to its default value (1000).
Command syntax:
arp timeout secs
Where:
secs specifies the number of seconds new dynamic ARP entries will remain in the cache.
Example:
Magnum 10RX(config)# arp timeout 15000
This command specifies
Default value: 1000
Valid range: 30-86400
8.4.2 Configuring the ARP Request Maximum Retries
To configure the number of times to make an ARP request before deleting an unresolved ARP entry, use the ip arp max-retries command.
Command syntax:
ip arp max-retries retnum
Where:
retnum is a value in the range 2-10 specifying the maximum number of ARP requests to make.
Example:
Magnum 10RX(config)# ip arp max-retries 5
Default value: 3
Valid range: 2-10
Chapter 9 RIP
Routing Information Protocol (RIP) is a widely-used protocol for managing router information within a self-contained network such as a corporate local area network or other interconnected group of LANs. RIP is an Interior Gateway Protocol (IGP) using the distance vector algorithm to define a best path. It determines a route based on the smallest hop count between source and destination. It has a limit of 15 hops.
While RIP is in wide use it does have significant limitations: it is vulnerable to looping, does not scale well, and is slow to converge. Many of these limitations are addressed by other routing protocols such as OSPF. You should analyze the needs of your network and adopt a routing scheme that serves those needs.
9.1 Configuring RIP in the CLI
The INOS RIP basic and advanced configuration tasks are described in the following sections.
9.1.1 Enabling and Disabling RIP
Use the router rip command in Global Configuration mode to enable RIP globally in the current device and to enter Router Configuration mode, signaled by the Magnum 10RX(config-router)# prompt. Executing the help command at this prompt will display a list of RIP-specific commands available in this mode.
Command syntax:
router rip
Example:
Magnum 10RX(config)# router rip
Magnum 10RX(config-router)#
The no router rip command disables RIP globally.
9.1.2 Configuring RIP on an Interface
To configure RIP on a specific interface (rather than globally on the device) use the network command from the Magnum 10RX(config-router)# prompt
Command syntax:
network ipaddr
Where:
ipaddr specifies a network interface.
Example:
Magnum 10RX(config-router)# network 10.0.0.1
This command specifies interface 10.0.0.1 as the interface to be configured.
The no network ipaddr command disables RIP on the interface specified by ipaddr.
9.1.3 Configuring Redistribution
Use the redistribute command to redistribute routing information from routing domains other than RIP into the RIP routing domain. Networks commonly run more than one routing protocol, making it necessary to distribute routes obtained with one protocol into the domains of other protocols.
Command syntax:
redistribute {all | bgp | connected | ospf | static}
Where:
all specifies that all routes obtained by means other than the RIP protocol will be redistributed into the RIP domain.
bgp specifies that routes learned with the BGP protocol will be redistributed into the RIP domain.
connected specifies that any route that is a directly connected interface will be redistributed into the RIP domain.
ospf specifies that routes learned with the OSPF protocol will be redistributed into the RIP domain.
static specifies that static routes will be redistributed into the RIP domain.
Example:
Magnum 10RX(config-router)# redistribute static
This command specifies that routes that have been configured statically will be redistributed into the RIP domain.
The no redistribute spec command disables redistribution into RIP of information from the protocol specified by spec.
9.1.4 Configuring the Default Metric
Use the default-metric command in RIP Router configuration mode to set a default hop metric value to be used with all redistributed routes. This command is commonly used in conjunction with the redistribute command.
Command syntax:
default-metric n
Where:
n is a numerical value specifying a RIP metric.
Example:
Magnum 10RX(config-router)# default-metric 1
This command specifies that the default RIP metric is 1; that is that any redistributed routes will carry a metric of 1.
Valid range: 1-16
9.1.5 Specifying Administrative Distance
Use the distance command in RIP Router Configuration mode to specify the RIP administrative distance. When the same route prefix is learned from multiple sources the administrative distance value is used as a tie-breaker when selecting the active route. Setting the RIP administrative distance allows you to indicate the preference of routes learned via RIP relative to routes from other sources such as BGP, OSPF, or static configuration. The administrative distance value is in a range of 1-255. Lower values are preferred.
Command syntax:
distance dist-val
Where:
dist-val is a numerical value specifying the administrative distance for routes learned with the RIP protocol.
Example:
Magnum 10RX(config-router)# distance 10
This command makes the system prefer RIP routes (default distance of 120) over EBGP routes (default distance of 20).
Valid range: 1-255
Default value: 120
The standard default administrative distance values for routes learned in other protocols are listed in Table 9-1.
NOTE: Although 16 is a valid hop metric it is conventionally used to indicate that a destination is inaccessible. For accessible destinations the valid range is 1-15.
NOTE: An administrative distance value of 255 would indicate that no route supplied by this protocol should be trusted.
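The following Python function, added here as an illustration and not taken from the INOS software, models how a route table chooses between the same prefix learned from several sources: lowest administrative distance wins, metric breaks ties, distance 255 and RIP metric 16 are never installed. The protocol names, the default table (copied from Table 9-1) and the function name are assumptions of this example.

```python
# Default administrative distances as listed in Table 9-1 of this guide.
DEFAULT_DISTANCE = {
    "connected": 0, "static": 1, "eigrp-summary": 5, "ebgp": 20,
    "eigrp-internal": 90, "igrp": 100, "ospf": 110, "isis": 115,
    "rip": 120, "egp": 140, "odr": 160, "eigrp-external": 170,
    "ibgp": 200, "unknown": 255,
}


def select_routes(candidates, distance_overrides=None):
    """Pick the active route for each prefix (hypothetical helper).

    candidates: list of (prefix, protocol, metric) tuples from any source.
    distance_overrides: {protocol: distance} as set with the 'distance'
    command, e.g. {"rip": 10} for the example in Section 9.1.5.
    Lower distance wins; equal distance -> lower metric wins.
    Routes at distance 255 and RIP routes with metric 16 (unreachable)
    are never installed. Returns {prefix: (protocol, distance, metric)}.
    """
    dist = dict(DEFAULT_DISTANCE)
    for proto, value in (distance_overrides or {}).items():
        if not 1 <= value <= 255:
            raise ValueError(f"distance for {proto} must be 1-255, got {value}")
        dist[proto] = value
    best = {}
    for prefix, proto, metric in candidates:
        d = dist[proto]
        if d == 255:
            continue  # source is not trusted at all
        if proto == "rip" and metric >= 16:
            continue  # RIP metric 16 means "inaccessible"
        cur = best.get(prefix)
        if cur is None or (d, metric) < (cur[1], cur[2]):
            best[prefix] = (proto, d, metric)
    return best


if __name__ == "__main__":
    # Constructed sample: the same prefix from RIP and EBGP, before and
    # after 'distance 10' is configured under router rip.
    sample = [("10.1.0.0/16", "rip", 3), ("10.1.0.0/16", "ebgp", 0)]
    print("defaults   :", select_routes(sample))
    print("distance 10:", select_routes(sample, {"rip": 10}))
```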
Table 9-1. Administrative Distance Values: Protocol Defaults
Protocol Value
Connected interface 0
Static route 1
EIGRP summary route 5
EBGP 20
Internal EIGRP 90
IGRP 100
OSPF 110
IS-IS 115
RIP 120
EGP 140
ODR 160
External EIGRP 170
Internal BGP 200
Unknown* 255
9.1.6 Disabling and Enabling Auto-summarization
Auto-summarization of routes is a RIP feature by which routes to multiple subnets in the same network can be advertised with a single route specification. This feature is enabled by default.
RIPv1 always summarizes routes on classful network boundaries. RIPv2 uses variable subnet masks but by default will send summary routes based on classful subnet definitions if it advertises a classful network that has been subnetted. For example, 10.0.0.0 is a class A network with an 8 bit network address. If RIPv2 wishes to advertise the routes to 10.1.0.0/16 and 10.2.0.0/16, it will automatically summarize the two routes into a single advertisement for 10.0.0.0/8. Use the no auto-summary command to disable this summarization and have RIP send separate route advertisements for 10.1.0.0/16 and 10.2.0.0/16.
Command syntax:
auto-summary
Example:
Magnum 10RX(config-router)# auto-summary
This command enables auto-summarization.
The no auto-summary command disables auto-summarization.
Magnum 10RX(config-router)# no auto-summary
Default value: enabled
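To make the auto-summary behaviour concrete, here is an added Python example (not INOS code) that computes the classful summary RIPv2 would send for a set of routes, and flags the case the text warns about: two neighbors each summarizing different subnets into the same classful network. The function names and the sample routes are constructed for this example.

```python
import ipaddress


def classful_network(prefix):
    """Return the classful (A/B/C) network that contains an IPv4 prefix.

    Class A: first octet 0-127 -> /8; class B: 128-191 -> /16;
    class C: 192-223 -> /24. (Hypothetical helper for this example.)
    """
    net = ipaddress.IPv4Network(str(prefix))
    first = int(net.network_address) >> 24
    if first < 128:
        bits = 8
    elif first < 192:
        bits = 16
    elif first < 224:
        bits = 24
    else:
        raise ValueError(f"{prefix}: class D/E addresses are not unicast networks")
    # A prefix already shorter than its class boundary is left as it is.
    return net.supernet(new_prefix=bits) if net.prefixlen >= bits else net


def rip_advertisements(routes, auto_summary=True):
    """Prefixes RIPv2 advertises for the given routes.

    With auto_summary on, each subnet of a classful network is replaced
    by the classful network (10.1.0.0/16 -> 10.0.0.0/8), as the
    auto-summary command does; with it off, each route is sent as is.
    Returns a sorted list of prefix strings.
    """
    out = set()
    for r in routes:
        net = ipaddress.IPv4Network(r)
        out.add(classful_network(net) if auto_summary else net)
    return [str(n) for n in sorted(out)]


def summary_ambiguity(routes_by_neighbor):
    """Classful summaries that more than one neighbor would advertise.

    This is the discontiguous-subnet problem: with auto-summary on, the
    receiver cannot tell which neighbor really owns which subnet.
    routes_by_neighbor: {neighbor_name: [prefix, ...]}
    Returns {summary_prefix: sorted list of neighbor names}.
    """
    owners = {}
    for nbr, routes in routes_by_neighbor.items():
        for adv in rip_advertisements(routes, auto_summary=True):
            owners.setdefault(adv, set()).add(nbr)
    return {p: sorted(n) for p, n in owners.items() if len(n) > 1}


if __name__ == "__main__":
    # Constructed sample: the manual's two subnets, each behind a
    # different RIP neighbor.
    topology = {"R1": ["10.1.0.0/16"], "R2": ["10.2.0.0/16"]}
    print("auto-summary on :", rip_advertisements(["10.1.0.0/16", "10.2.0.0/16"]))
    print("auto-summary off:", rip_advertisements(["10.1.0.0/16", "10.2.0.0/16"], False))
    print("ambiguous summaries:", summary_ambiguity(topology))
```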
9.1.7 Configuring Update Source Validation
Use the validate-update-source command in RIP configuration mode to filter RIP packets from indirectly connected sources. If a RIP packet is received that is not on the directly connected subnet for that interface, the packet is dropped.
Command syntax:
validate-update-source
Example:
Magnum 10RX(config-router)# validate-update-source
9.1.8 Accessing Interface-specific RIP Commands
A number of RIP-related commands are accessed by specifying a previously configured interface in Global Configuration mode to produce the Magnum 10RX(config-if)# prompt. For example,
Figure 9-1. Accessing RIP Interface-specific Commands
The available RIP commands begin with ip or with ip rip. These commands are described in the subsections that follow.
9.1.9 Configuring to Install Default Route
Enable installation of the default route received in updates to the RIP database with the ip rip default route install command. This command is a RIP interface-specific command (See “Accessing Interface-specific RIP Commands”.)
Command syntax:
ip rip default route install
Example:
Magnum 10RX(config-if)# ip rip default route install
9.1.10 Configuring RIP Default Route Propagation
Set the metric to be used for a default route propagated over the interface with the ip rip default route originate command. This command is a RIP interface-specific command (See “Accessing Interface-specific RIP Commands”.)
Magnum 10RX(config)# interface vlan1
Magnum 10RX(config-if)# ip rip xxx xxx
CHAPTER 9 - RIPConfiguring RIP in the CLI
Industrial Network Operating System Administrator’s Guide
162
Command syntax:
ip rip default route originate metnum
Where:
metnum is a numerical value in the range of 1-15 specifying a RIP metric.
Example:
Magnum 10RX(config-if)# ip rip default route originate 10
This command sets the RIP metric for a default route propagated over this interface to 10.
9.1.11 Configuring IP RIP Send Version on an Interface
Use the ip rip send version command in Interface Configuration mode to set the IP RIP version number for transmitting advertisements. This command is a RIP interface-specific command (See “Accessing Interface-specific RIP Commands”.)
Command syntax:
ip rip send version {1 | 2 | 1 2 | none}
Where:
1 - Sends RIP updates compliant with RFC 1058.
2 - Sends multicasting RIP updates.
1 2 - Sends both multicasting RIP updates and RIP updates compliant with RFC 1058.
none - No RIP updates are sent. (This is passive operation.)
Example:
Magnum 10RX(config-if)# ip rip send version 1
Default value: 1 2
The no ip rip send version command specifies the default.
9.1.12 Configuring IP RIP Receive Version on an Interface
Use the ip rip receive version command to set the IP RIP version number for receiving advertisements. This command is a RIP interface-specific command (See “Accessing Interface-specific RIP Commands”.)
Command syntax:
ip rip receive version {1 | 2 | 1 2 | none}
Where:
1 - Receives RIP updates compliant with RFC 1058.
2 - Receives multicasting RIP updates.
1 2 - Receives both multicasting RIP updates and RIP updates compliant with RFC 1058.
none - No RIP updates are received.
Example:
Magnum 10RX(config-if)# ip rip receive version 1
Default value: 1 2
The no ip rip receive version command specifies the default.
9.1.13 Configuring RIP Version Globally
Use the version command in Router RIP Configuration mode to set the RIP version (both send and receive) on all RIP-enabled interfaces.
Command syntax:
version {1 | 2 | 1 2 | none}
Where:
1 - Specifies RIP updates compliant with RFC 1058.
2 - Specifies multicasting RIP updates.
1 2 - Specifies both multicasting RIP updates and RIP updates compliant with RFC 1058.
none - No RIP updates.
Example:
Magnum 10RX(config-router)# version 1
Default value: 1 2
The no version command specifies no global version for RIP.
NOTE: The version command executed in this configuration mode will NOT show up in the running-config display. Instead the appropriate per-interface configuration will be set.
9.1.14 Configuring IP RIP Summary Address
Use the ip rip summary-address command to set the route aggregation over an interface for all subnet routes that fall under the specified IP address and mask. This command is a RIP interface-specific command (See “Accessing Interface-specific RIP Commands”.)
Command syntax:
ip rip summary-address ip-address mask
Where:
ip-address is a valid IP address.
mask is a valid subnet mask.
Example:
Magnum 10RX(config-if)# ip rip summary-address 60.0.0.0 255.0.0.0
This command specifies that all subnets encompassed by the 60.0.0.0 IP address will be aggregated under that IP address.
This command cannot be used with IP RIP v1 send version.
Auto-summarization overrides interface specific aggregation. Disable auto-summarization if you are implementing interface-specific route aggregation (See Section 9.1.6.)
9.1.15 Configuring Split Horizon
Split horizon is a route advertising feature that reduces looping by preventing an advertisement that could send a packet back along the route by which it was delivered. With the poison reverse option enabled the unwanted route is given an infinite metric so that its unsuitability is advertised throughout the network. Enable split horizon with the ip split-horizon command. This command is a RIP interface-specific command (See “Accessing Interface-specific RIP Commands”.)
Command syntax:
ip split-horizon [poison]
Where:
poison enables the poison reverse option.
Example:
Magnum 10RX(config-if)# ip split-horizon
Default value: split horizon with poison reverse enabled
9.2 Configuring RIP in the GUI
The following sections describe RIP configuration in the Graphical User Interface. The See Also cross references in the tables direct you to related information in the CLI documentation.
9.2.1 Enabling and Disabling RIP
In the GUI go to the Layer 3 Management: RIP: Global Conf tab to view the RIP Global Configuration screen, as illustrated in Figure 9-2.
Figure 9-2. RIP Global Configuration Screen
The RIP Global Configuration screen enables you to enable or disable RIP on all interfaces in the switch. Make your selection and click the apply button for your specification to take effect. See also Section 9.1.1.
Default value: Disabled
9.2.2 RIP Interface Configuration
In the GUI go to the Layer 3 Management: RIP: Interface tab to modify specific RIP-enabled interfaces, as illustrated in Figure 9-3.
Figure 9-3. RIP Interface Configuration Screen
The RIP Interface Configuration screen enables you to configure RIP parameters for interfaces that you specify. Select an unconfigured interface from the dropdown menu in the upper dialog box and click Add to display its values in the lower dialog box. Use the lower dialog box to modify parameters. Specify the values and click the apply button for your specifications to take effect. Click Delete to eliminate the RIP configuration for a selected interface.
Table 9-2. RIP Interface Fields
Parameter Description See Also
Select You must click a selection button before configuring an interface.
IP Address The IP address of the RIP interface (a read-only field).
Status The administrative status of RIP in the router. The options are:
• Enabled — The RIP process operates on this interface.
• Disabled — The RIP process does not operate on this interface.
• Passive — The RIP process is passive. (The interface accepts but does not send RIP routing updates.)
Split Horizon Specifies the operational status of Split Horizon in the system. The options are:
• Split Horizon — Applies Split Horizon to the response packets that are sent out. Does not send a route on the interface from which that route was learned.
• Poison Reverse — Sends the route with the metric value 16 on the interface from which that route was learned.
• Disabled — Sends the route on all interfaces with the same metric as in the RIP Routing Table.
Default value: Poison Reverse. See also Section 9.1.15.
Default Route Installation Whether the default route received over the interface must be installed in the RIP database. Yes installs the default route, No does not. See also Section 9.1.9.
Send Version The version of RIP packets that will be sent over this interface. The options are:
• RIP Version 1 — Sends RIP updates compliant with RFC 1058.
• RIP Version 2 — Sends multicasting RIP2 updates.
• RIP1 Compatible — Sends both multicasting RIP updates and RIP updates compliant with RFC 1058.
• Do not send — No RIP updates are sent. (This is passive operation.)
Default value: RIP1 Compatible. See also Section 9.1.11.
Receive Version The version of RIP packets that will be received over this interface. The options are:
• RIP1 — Receives RIP updates compliant with RFC 1058.
• RIP2 — Receives multicasting RIP2 updates.
• RIP1 or RIP2 — Receives both multicasting RIP updates and RIP updates compliant with RFC 1058.
• Do not receive — No RIP updates are received.
Default value: RIP1 or RIP2. See also Section 9.1.12.
Chapter 10 OSPF
Open Shortest Path First (OSPF) is a widely used link-state routing protocol. It is an Interior Gateway Protocol (IGP) that routes IP packets solely within a single routing domain, or Autonomous System (AS).
This chapter provides an overview of OSPF concepts, documentation of some basic OSPF configuration commands and an extended example of the configuration of an OSPF network.
10.1 Overview
OSPF gathers link state information from available routers and constructs a topology map of the network. The topology determines the routing table presented to the Internet Layer which makes routing decisions based solely on the destination IP address found in IP datagrams. OSPF supports variable-length subnet masking (VLSM) or Classless Inter-Domain Routing (CIDR) addressing models. OSPF was designed to address and overcome many of the limitations of RIP. It reduces housekeeping overhead and promotes very fast convergence in the event of network changes or failures.
In link-state routing protocols each network node collects information about connectivity and shares that information with other nodes via Link State Advertisements (LSAs). This information is used to generate network maps and routing tables specifying the shortest path from each node to other destinations in the network.
The OSPF routing policies to construct a route table are governed by link cost factors associated with each routing interface. Cost factors may be the distance of a router (round-trip time), network throughput of a link, or link availability and reliability, expressed as simple unit-less numbers.
An OSPF network may be structured, or subdivided, into routing areas to simplify administration, and optimize traffic and resource utilization. Areas are identified by numerical designations that may be expressed in decimal but which are conventionally expressed in octet-based dot-decimal notation like IPv4 address notation.
By convention area 0 (zero) or 0.0.0.0 represents the core or backbone region of an OSPF network. The designation of other areas is up to the administrator but it is a common and practical policy to select the IP address of a main router in an area as the area's identification. Each additional area must have a direct or virtual connection to the backbone OSPF area. Such connections are maintained by an interconnecting router, known as area border router (ABR). An ABR maintains separate link state databases for each area it serves and maintains summarized routes for all areas in the network.
OSPF does not use a TCP or UDP transport protocol, but is encapsulated directly in an IP datagram with protocol number 89. This is in contrast to other routing protocols, such as the Routing Information Protocol (RIP), or the Border Gateway Protocol (BGP). OSPF handles its own error detection and correction functions.
The OSPF protocol, when running on IPv4, can operate securely between routers, optionally using a variety of authentication methods to allow only trusted routers to participate in routing.
10.1.1 OSPF Neighbor Relationships
Routers in the same broadcast domain or at each end of a point-to-point telecommunications link form adjacencies when they have detected each other. This detection occurs when a router identifies itself in an OSPF protocol “hello packet.” This is called a two-way state and is the most basic relationship. Routers select a designated router (DR) and a backup designated router (BDR) to act as a hub to reduce traffic between routers. OSPF uses both unicast and multicast to send "hello packets" and link state updates.
10.1.2 OSPF Area Types
An OSPF domain is divided into areas that are labeled with 32-bit area identifiers. The area identifiers are commonly written in the dot-decimal notation of an IPv4 address; however, they are not IP addresses and may duplicate, without conflict, any IPv4 address.
Areas are logical groupings of hosts and networks, including their routers having interfaces connected to any of the included networks. Each area maintains a separate link state database whose information may be summarized towards the rest of the network by the connecting router. Thus, the topology of an area is unknown outside of the area. This reduces the amount of routing traffic between parts of an autonomous system.
OSPF defines several area types. These are listed below. Some vendors also implement extensions to OSPF area types.
10.1.2.1 OSPF Backbone Area
The backbone area (area 0 or area 0.0.0.0) forms the core of an OSPF network. All other areas are connected to it and inter-area routing happens via routers connected to the backbone area and to their own associated areas. It is the logical and physical structure for the 'OSPF domain' and is attached to all nonzero areas in the OSPF domain.
The backbone area is responsible for distributing routing information between area routers. The backbone must be contiguous, but it does not need to be physically contiguous; backbone connectivity can be established and maintained through the configuration of virtual links. For example, assume area 0.0.0.1 has a physical connection to area 0.0.0.0. Further assume that area 0.0.0.2 has no direct connection to the backbone, but this area does have a connection to area 0.0.0.1. Area 0.0.0.2 can use a virtual link through the transit area 0.0.0.1 to reach the backbone. To be a transit area, an area has to have the transit attribute, so it cannot be stubby in any way.
10.1.2.2 OSPF Stub Area
A stub area is an area which does not receive route advertisements external to the autonomous system (AS). Routing to destinations that are external to the AS is based entirely on a default route. This reduces the size of the routing databases for the area's internal routers.
10.1.2.3 OSPF Not-So-Stubby Area
A not-so-stubby area (NSSA) is a type of stub area that can import autonomous system external routes and send them to other areas, but still cannot receive AS external routes from other areas. NSSA is an extension of the stub area feature that allows the injection of external routes in a limited fashion into the stub area.
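The area rules described in Sections 10.1.2.1 to 10.1.2.3 (every non-backbone area needs a direct or virtual connection to area 0, and a virtual link's transit area cannot be stub or NSSA) can be checked against a planned topology before any router ospf configuration is typed in. The Python below is an added example written for this guide, not part of INOS; the area-type labels, the link representation and the function names are its own assumptions.

```python
def area_id_to_int(area):
    """Convert an OSPF area ID to its 32-bit value.

    Area IDs are 32-bit numbers conventionally written like an IPv4
    address; both '0.0.0.1' and plain decimal '1' are accepted.
    """
    if "." in area:
        parts = [int(p) for p in area.split(".")]
        if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
            raise ValueError(f"bad area id {area!r}")
        return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]
    value = int(area)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"bad area id {area!r}")
    return value


def check_ospf_areas(area_types, abr_links, virtual_links=()):
    """Check a planned OSPF area layout (hypothetical helper).

    area_types:    {area_id: "normal" | "stub" | "nssa"}
    abr_links:     list of (area_a, area_b) pairs, one per ABR that joins
                   two areas physically
    virtual_links: list of (area, transit_area) pairs
    Returns a list of problem strings; an empty list means the layout
    satisfies the rules in the overview above.
    """
    problems = []
    backbone = next((a for a in area_types if area_id_to_int(a) == 0), None)
    if backbone is None:
        return ["no backbone area (0 / 0.0.0.0) defined"]
    if area_types[backbone] != "normal":
        problems.append("the backbone area cannot be a stub or NSSA area")
    adj = {a: set() for a in area_types}
    for a, b in abr_links:
        if a not in adj or b not in adj:
            problems.append(f"ABR link {a}-{b} references an undefined area")
            continue
        adj[a].add(b)
        adj[b].add(a)
    # A virtual link gives the far area a logical connection to the
    # backbone through a transit area. The transit area must be a normal
    # area (stub/NSSA areas cannot be transit areas), must itself touch
    # the backbone, and must be adjacent to the area being linked.
    for a, transit in virtual_links:
        kind = area_types.get(transit)
        if kind is None or a not in adj:
            problems.append(f"virtual link {a} via {transit} references an undefined area")
        elif kind != "normal":
            problems.append(f"virtual link for {a} uses {transit} as transit, "
                            f"but a {kind} area cannot be a transit area")
        elif backbone not in adj[transit]:
            problems.append(f"virtual link for {a}: transit area {transit} "
                            "is not directly connected to the backbone")
        elif transit not in adj[a]:
            problems.append(f"virtual link for {a}: {a} is not connected to transit area {transit}")
        else:
            adj[a].add(backbone)
            adj[backbone].add(a)
    # Every other area must now have a direct or virtual backbone connection.
    for a in area_types:
        if a != backbone and backbone not in adj[a]:
            problems.append(f"area {a} has no direct or virtual connection to the backbone")
    return problems


if __name__ == "__main__":
    # Constructed sample matching the text: 0.0.0.2 reaches the backbone
    # only through 0.0.0.1, so it needs a virtual link through that area.
    types = {"0.0.0.0": "normal", "0.0.0.1": "normal", "0.0.0.2": "normal"}
    links = [("0.0.0.0", "0.0.0.1"), ("0.0.0.1", "0.0.0.2")]
    print("without virtual link:", check_ospf_areas(types, links))
    print("with virtual link   :", check_ospf_areas(types, links, [("0.0.0.2", "0.0.0.1")]))
```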
10.2 OSPF Configuration in the CLI
The following subsections describe a basic set of commands to configure OSPF functionality.
10.2.1 Enabling and Disabling OSPF
Use the router ospf command in Global Configuration mode to enable OSPF globally in the current device and to enter the Router OSPF Configuration mode, signaled by the Magnum 10RX(config-router)# prompt. Executing the help command at this prompt will display a list of OSPF-specific commands.
Command syntax:
router ospf
Example:
Magnum 10RX(config)# router ospf
Magnum 10RX(config-router)#
The no router ospf command disables OSPF globally.
10.2.2 Enabling OSPF on an Interface
Use the network command in Router OSPF Configuration mode to enable OSPF on a specified interface. When you enable OSPF on an interface, you are required to assign that interface to an OSPF area.
Command syntax:
network ip_adr area area_id
Where:
ip_adr is the IP address of the interface.
area_id is the OSPF area ID in dotted decimal notation.
Example:
Magnum 10RX(config-router)# network 192.168.4.2 area 0.0.0.0
This command specifies the interface at IP address 192.168.4.2 for OSPF configuration and assigns it to OSPF area 0.0.0.0 (the backbone).
The no network ip_adr area area_id command disables the OSPF configuration on the interface and area specified.
10.2.3 Configuring a Stub Area
Use the area stub command in Router OSPF Configuration mode to configure a stub area. OSPF external routes are not passed into a stub area; instead, a single default route is passed into the area by the area border router. You can restrict the routes passed into a stub area even further by specifying the no-summary keyword. In that case, not even OSPF inter-area summary routes will be passed into the stub area. All routing will be done based on the default route.
Command syntax:
area area_id stub [no-summary]
Where:
area_id is the OSPF area ID in dotted decimal notation.
no-summary prevents inter-area summary routes from being passed into the stub area.
Example:
Magnum 10RX(config-router)# area 0.0.0.4 stub no-summary
This command specifies that area 0.0.0.4 will be configured as a stub area and that all routing will be based on the default route.
The no area area_id stub command removes a stub area configuration.
10.2.4 Configuring a Not-So-Stubby Area
Use the area nssa command in Router OSPF Configuration mode to configure a not-so-stubby area (NSSA). An NSSA works like a normal stub area except that external routes learned by routers in the NSSA can be passed to the backbone.
Command syntax:
area area_id nssa [no-summary]
Where:
area_id is the OSPF area ID in dotted decimal notation.
no-summary prevents inter-area summary routes from being passed into the NSSA.
Example:
Magnum 10RX(config-router)# area 0.0.0.4 nssa no-summary
This command specifies that area 0.0.0.4 will be configured as a not-so-stubby area.
The no area area_id nssa command removes an NSSA configuration.
10.2.5 Configuring the Cost of the Default Route in a Stub Area
Use the area default-cost command in Router OSPF Configuration mode to configure the cost associated with the default route passed into a stub area or into an NSSA.
Command syntax:
area area_id default-cost cost
Where:
area_id is the OSPF area ID in dotted decimal notation.
cost is the value of the metric to be associated with the default route in this area.
Example:
Magnum 10RX(config-router)# area 1.1.1.1 default-cost 50
This command specifies that the metric value for the default route will be 50 in area 1.1.1.1.
Default value: 1
Valid range: 1-65535
The no area area_id default-cost command specifies the default value.
10.2.6 Summarizing Routes Between Areas
Use the area range command in Router OSPF Configuration mode to configure routes to be consolidated and summarized at OSPF area boundaries. This feature is typically used to summarize routes toward the backbone but can also be used in the other direction.
Command syntax:
area area_id range network mask [{advertise | not-advertise}]
Where:
area_id is the OSPF area ID in dotted decimal notation.
network is the network address in dotted decimal notation.
mask is the subnet mask.
advertise specifies that the summary route should be advertised to other areas.
not-advertise specifies that the summary route should not be advertised to other areas, effectively hiding those routes.
Example:
Magnum 10RX(config-router)# area 1.1.1.1 range 192.168.0.0 255.255.0.0 advertise
This command specifies that all routes falling in the specified range will be summarized with this single route specification and will be advertised to other areas.
Default value: advertise
10.2.7 Summarizing External Routes
Use the summary-address command in Router OSPF Configuration mode to configure OSPF external routes (for example, routes redistributed from RIP or BGP) to be consolidated and summarized. You can summarize external routes to reduce the size of the routing table or to control which external routes are distributed into the OSPF domain.
Command syntax:
summary-address network mask area_id [{advertise | not-advertise}]
Where:
network is the network address in dotted decimal notation.
mask is the subnet mask.
area_id is the OSPF area ID in dotted decimal notation.
advertise specifies that the summary route should be advertised to other areas.
not-advertise specifies that the summary route should not be advertised to the specified area, effectively hiding those routes.
Example:
Magnum 10RX(config-router)# summary-address 192.168.0.0 255.255.0.0 0.0.0.0 advertise
This command summarizes all external routes within 192.168.0.0/16 into a single route that is advertised into area 0.0.0.0.
Default value: advertise
10.2.8 Controlling External Metrics
Use the redist-config command in Router OSPF Configuration mode to control the type and value of the metrics associated with OSPF external routes.
Command syntax:
redist-config network mask metric-value cost metric-type {asExttype1| asExttype2} tag tagval
Where:
network is the network address in dotted decimal notation.
mask is the subnet mask.
cost specifies the value of the metric.
asExttype1 specifies an external type 1 route.
asExttype2 specifies an external type 2 route.
tagval is a decimal value in the range 1- 4294967295 for a tag to assign to this route.
Example:
Magnum 10RX(config-router)# redist-config 192.168.1.0 255.255.255.0 metric-value 50 metric-type asExttype2 tag 999
This command is an instruction to treat the external route 192.168.1.0/24 as a type 2 route with a metric of 50 and bearing a tag of 999.
Metric type behavior:
• The cost of a type 1 external route is the sum of the external metric and the internal OSPF cost to the advertising ASBR.
• The cost of a type 2 external route is the external metric alone; the internal OSPF cost is not added.
• For the same destination, a type 1 external route is always preferred over a type 2 external route, regardless of the resulting cost.
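The three rules above decide which of several ASBRs' routes to the same external prefix a router installs, and they interact with the redist-config metric type in a way that is easy to get backwards: a type 1 route wins even when its total cost is higher. The following Python script is an added example, not INOS code, that implements the preference order of RFC 2328 section 16.4 using the page's own terms. The two ASBRs, their router IDs and the path costs are constructed for illustration; the RFC 1583 Compatibility setting of Section 10.3.2, which only changes how ties among paths to an ASBR are broken, is not modeled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ExternalRoute:
    """An AS-external route as an ASBR advertises it after `redist-config`."""
    prefix: str
    asbr: str             # router ID of the advertising ASBR
    metric_type: int      # 1 = asExttype1, 2 = asExttype2
    external_metric: int  # the metric-value cost
    tag: int = 0


def external_cost(route, internal_cost):
    """Cost of the route as seen by a router whose OSPF path cost to the ASBR is internal_cost."""
    if route.metric_type == 1:
        return route.external_metric + internal_cost   # type 1: external + internal
    return route.external_metric                        # type 2: external metric only


def preference_key(route, internal_cost):
    """Ordering for candidates to the same prefix (RFC 2328 section 16.4):
    any type 1 route beats any type 2 route; among type 1 routes the lower total
    cost wins; among type 2 routes the lower external metric wins and an equal
    external metric is broken by the lower internal cost to the ASBR."""
    if route.metric_type == 1:
        return (1, external_cost(route, internal_cost), 0)
    return (2, route.external_metric, internal_cost)


def best_external(candidates, path_cost_to_asbr):
    """Pick the preferred route among candidates for one prefix.
    path_cost_to_asbr maps ASBR router ID -> this router's OSPF cost to reach it;
    an ASBR with no entry is unreachable and its route is ignored."""
    reachable = [r for r in candidates if r.asbr in path_cost_to_asbr]
    if not reachable:
        return None
    return min(reachable, key=lambda r: preference_key(r, path_cost_to_asbr[r.asbr]))


# Constructed scenario: two ASBRs redistribute 192.168.1.0/24. ASBR 10.8.0.7 uses the
# page's `redist-config ... metric-value 50 metric-type asExttype2 tag 999`; ASBR 2.2.2.2
# redistributes the same prefix as a type 1 route with the same external metric.
CANDIDATES = (
    ExternalRoute("192.168.1.0/24", asbr="10.8.0.7", metric_type=2, external_metric=50, tag=999),
    ExternalRoute("192.168.1.0/24", asbr="2.2.2.2", metric_type=1, external_metric=50),
)


def demo(path_cost):
    """Return (chosen ASBR, cost of the chosen route) for the constructed scenario."""
    chosen = best_external(CANDIDATES, path_cost)
    return chosen.asbr, external_cost(chosen, path_cost[chosen.asbr])


if __name__ == "__main__":
    # Viewed from a router 10 away from 10.8.0.7 and 100 away from 2.2.2.2: the type 2
    # route costs 50 and the type 1 route costs 150, but the type 1 route is installed.
    print(demo({"10.8.0.7": 10, "2.2.2.2": 100}))
```

The practical consequence is that an ASBR configured with asExttype1 can pull traffic for a prefix away from every asExttype2 ASBR in the domain, whatever their metrics; when two ASBRs are meant to share load or act as primary and backup, give both the same metric type and steer with the metric value.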
10.3 OSPF Configuring in the GUI
The following sections describe OSPF configuration in the Graphical User Interface. The See Also cross references in the tables direct you to related information in the CLI documentation.
10.3.1 Enabling and Disabling OSPF
In the GUI go to the Layer 3 Management: OSPF: Global Conf tab to view the OSPF Global Configuration screen, as illustrated in Figure 10-1.
Figure 10-1. OSPF Global Configuration Screen
The OSPF Global Configuration screen enables you to enable or disable OSPF on the router. Make your selection and click the apply button for your specification to take effect. See also Section 10.2.1.
10.3.2 OSPF Basic Settings
In the GUI go to the Layer 3 Management: OSPF: Basic Settings tab to configure basic OSPF parameters, as illustrated in Figure 10-2.
Figure 10-2. OSPF Basic Settings Screen
The OSPF Basic Settings screen enables you to configure OSPF parameters for a specific router. Configure a router in the upper dialog box and click Apply to display its values in the lower dialog box. Use the lower dialog box to modify previously configured parameters.
Table 10-1. OSPF Basic Settings Fields
Router ID: The 32-bit integer identifying this router in the AS. Default value: 0.0.0.0. See also Section 10.2.1.
Autonomous System Border Router: Whether or not to configure this router as an Autonomous System Border Router (ASBR). Options are Yes and No. Default value: No. See also Section 10.1.
RFC 1583 Compatibility: The rules for choosing among paths to the same summary or external destination differ between the version of OSPF defined in RFC 2178 and the older RFC 1583; all routers in a domain should use the same rules. The Yes option keeps compatibility with the older version. Default value: Yes.
ABR-type: Specifies the type of Area Border Router (ABR). Options are:
• Standard
• CISCO
• IBM
Default value: Standard.
10.3.3 OSPF Area Configuration
In the GUI go to the Layer 3 Management: OSPF: Area tab to configure OSPF areas, as illustrated in Figure 10-3.
Figure 10-3. OSPF Area Screen
The OSPF Area screen enables you to configure OSPF area parameters. Configure an area in the upper dialog box and click Add to display the area’s configured parameters in the list in the lower dialog box. Use the lower dialog box to modify previously configured parameters.
Table 10-2. OSPF Area Fields
Select: You must click a selection button before modifying an area.
Area ID: The OSPF area ID in dotted decimal notation.
Type: Specifies the type of the area. The options are:
• Normal: OSPF external routes are passed into the area.
• Stub: OSPF external routes are not passed into the area; the area border router injects a single default route instead.
• NSSA: works like a stub area except that external routes learned by routers in the NSSA can be passed to the backbone.
Default value: Normal. See also Sections 10.2.3 and 10.2.4.
Send Summary Routes: Whether or not inter-area summary routes are propagated into this area. For a stub area or NSSA this is the GUI counterpart of the no-summary keyword of the area stub and area nssa commands: No withholds the summary routes and leaves the area to route on its default route. Options are Yes and No. Default value: No. See also Sections 10.2.3, 10.2.4, 10.2.6, and 10.2.7.
10.3.4 OSPF Interface Configuration
In the GUI go to the Layer 3 Management: OSPF: Interface tab to configure an OSPF interface, as illustrated in Figure 10-4.
Figure 10-4. OSPF Interface Screen
The OSPF Interface screen enables you to configure an interface for OSPF operation. Configure an interface in the upper dialog box and click Add to display the interface’s configured parameters in the list in the lower dialog box. Use the lower dialog box to modify previously configured parameters.
Table 10-3. OSPF Interface Fields
Select: You must click a selection button before modifying an interface.
Interface: Select an available interface from the drop-down menu.
IP Address: The IP address of the selected interface.
Area ID: The OSPF area ID to which the interface connects, in dotted decimal notation.
Priority: The priority of this interface in the Designated Router election. Default value: 1. Valid range: 0-255.
Metric: The cost associated with this interface. Default value: 1. Valid range: 1-65535.
Passive: Whether or not this interface passively listens for updates rather than actively exchanging them with neighbors. Options are Yes and No. Default value: No.
If Type: The OSPF interface type. The options are:
• broadcast
• nbma (Non-Broadcast Multi-Access)
• point-to-point
• point-to-multipoint
Default value: broadcast.
10.3.5 OSPF Virtual Interface Configuration
In the GUI go to the Layer 3 Management: OSPF: Virtual Interface tab to configure an OSPF virtual interface, as illustrated in Figure 10-5.
Figure 10-5. OSPF Virtual Interface Screen
The OSPF Virtual Interface screen enables you to configure a virtual interface, that is, the local end of a virtual link, for OSPF operation. Configure a virtual interface in the upper dialog box and click Add to display the interface’s configured parameters in the list in the lower dialog box. Use the lower dialog box to modify previously configured parameters.
Table 10-4. OSPF Virtual Interface Fields
Select: You must click a selection button before modifying a virtual interface.
Transit Area ID: The OSPF area ID of the transit area, in dotted decimal notation.
Neighbor Router ID: The OSPF router ID of the neighbor router at the far end of the virtual link, in dotted decimal notation.
10.3.6 OSPF Neighbor Configuration
In the GUI go to the Layer 3 Management: OSPF: Neighbor tab to configure non-virtual neighbor parameters, as illustrated in Figure 10-6.
Figure 10-6. OSPF Neighbor Configuration Screen
The OSPF Neighbor configuration screen enables you to configure parameters for a non-virtual OSPF neighbor. Configure a neighbor in the upper dialog box and click Add to display the neighbor’s configured parameters in the list in the lower dialog box. Use the lower dialog box to modify previously configured parameters.
Table 10-5. OSPF Neighbor Fields
Select: You must click a selection button before modifying a neighbor configuration.
Neighbor IP Address: The IP address of the neighbor router in dotted decimal notation.
Neighbor Priority: The priority of this neighbor in the Designated Router election. Default value: 1. Valid range: 0-255.
10.3.7 OSPF RRD Route Configuration
In the GUI go to the Layer 3 Management: OSPF: RRD Route tab to configure metric information for learned routes, as illustrated in Figure 10-7.
Figure 10-7. OSPF RRD Route Configuration Screen
The OSPF RRD Route configuration screen enables you to configure the metric cost and route type applied to routes learnt from the Routing Table Manager (RTM) before they are advertised into OSPF. Configure a route in the upper dialog box and click Add to display the RRD route’s configured parameters in the list in the lower dialog box. Use the lower dialog box to modify previously configured parameters.
Table 10-6. RRD Route Fields
Select: You must click a selection button before modifying a route.
Destination Network: The IP address of the destination network.
Network Mask: The mask for the destination network.
Route Metric: The metric value applied to the route before it is advertised into the OSPF domain. Default value: 10. Valid range: 0-16777215.
Route Metric Type: The metric type applied to the route before it is advertised into the OSPF domain. The options are:
• asexttype1
• asexttype2
Default value: asexttype2. See also Section 10.2.8.
10.3.8 OSPF Area Aggregation
In the GUI go to the Layer 3 Management: OSPF: Aggregation tab to aggregate area routes into a single routing table entry, as illustrated in Figure 10-8.
Figure 10-8. OSPF Area Aggregation Screen
The OSPF Area Aggregation screen enables you to configure OSPF route summarization. Configure a route in the upper dialog box and click Add to display the configured parameters in the list in the lower dialog box. Use the lower dialog box to modify previously configured parameters.
Note that the terms route summarization and route aggregation are used synonymously in this context. See Section 10.2.6.
Table 10-7. Area Aggregation Fields
Select: You must click a selection button before modifying an aggregation. See also Section 10.2.6.
Area ID: The OSPF area ID in dotted decimal notation.
Network: The network address in dotted decimal notation.
Mask: The subnet mask.
Advertise: Whether or not to advertise the summarized route to other areas. Options are advertise and not-advertise. Default value: advertise.
10.3.9 OSPF AS External Aggregation
In the GUI go to the Layer 3 Management: OSPF: AsExtAggregation tab to configure aggregation of external routes, as illustrated in Figure 10-9.
Figure 10-9. OSPF AS External Aggregation Screen
The OSPF AS External Aggregation screen enables you to aggregate external routes. Configure an aggregation in the upper dialog box and click Add to display the configured parameters in the list in the lower dialog box. Use the lower dialog box to modify previously configured parameters.
Table 10-8. AS External Aggregation Fields
Select: You must click a selection button before modifying an aggregation. See also Section 10.2.7.
Network: The network address in dotted decimal notation.
Mask: The subnet mask.
Area ID: The OSPF area ID in dotted decimal notation.
Aggregation Effect: Whether or not to advertise the summarized route into the specified area. Options are advertise and not-advertise. Default value: advertise.
10.4 OSPF Configuration Example Overview
To configure OSPF, work through the following steps:
1. Determine the physical and virtual interfaces which need to participate in routing. Include WAN interfaces, LAN interfaces, and VLAN interfaces. Set the IP addresses for these interfaces.
2. Determine which interfaces need to actively broadcast routes to other routers and which should be passive listeners for broadcast updates. This will depend on the network architecture.
3. Add static routes, for example a default route pointing at the gateway router that can reach destinations outside the OSPF domain.
4. Configure OSPF options.
5. Validate that the routing setup is working properly by viewing the routing tables.
10.5 OSPF Example Configuration Procedure
Each device interface to be included must be correctly configured as described below. The following OSPF configuration example depicts the interface configuration for one device at a time and assumes that interfaces have been properly configured on all other devices that are members of the network.
Basic Configuration Task List
1. From the 10RX(config)# prompt: Enable OSPF routing on each device.
2. From the 10RX(config-if)# prompt: Assign IP addresses to each participating interface.
3. From the 10RX(config-router)# prompt:
a. Specify a router ID for each router in the network. The router-id must be a valid IP address of a configured interface on the router.
b. Associate each participating interface with a specified OSPF area.
The following sections guide you through the steps required to configure a network consisting of three OSPF areas.
10.5.1 Creating Area 0.0.0.0
Area 0.0.0.0, the back bone area, will include participating interfaces on routers designated 10RX#1 and 10RX#2.
Configuring 10RX#1
1. Login to 10RX#1. You must have privileged access to configure OSPF routing.
2. Enter Global Configuration mode.
Magnum 10RX# config
3. Specify an interface to configure (in this example Gigabit Ethernet port 2/1).
Magnum 10RX(config)# interface gigabitethernet 2/1
4. Disable the interface for the duration of the configuration.
Magnum 10RX(config-if)# shutdown
5. Specify OSI layer 3 routed interface status for this interface.
Magnum 10RX(config-if)# no switchport
6. Specify an IP address and a mask for this interface.
Magnum 10RX(config-if)# ip address 2.2.2.2 255.255.255.0
7. Re-enable the interface.
Magnum 10RX(config-if)# no shutdown
8. Return to the Global Configuration prompt and enable OSPF.
Magnum 10RX(config)# router ospf
9. Assign a router ID.
Magnum 10RX(config-router)# router-id 2.2.2.2
10. Assign the interface to an area.
Magnum 10RX(config-router)# network 2.2.2.2 area 0.0.0.0
Configuring 10RX#2 in Area 0.0.0.0
Login to 10RX#2 and repeat the steps described for 10RX#1, making the following changes to specifications in steps 3, 6, 9, and 10:
3. Specify an interface to configure (in this example Gigabit Ethernet port 1/1).
Magnum 10RX(config)# interface gigabitethernet 1/1
6. Specify an IP address and a mask for this interface.
Magnum 10RX(config-if)# ip address 2.2.2.1 255.255.255.0
9. Assign a router ID
Magnum 10RX(config-router)# router-id 2.2.2.1
10. Assign the interface to an area.
Magnum 10RX(config-router)# network 2.2.2.1 area 0.0.0.0
OSPF Area 0.0.0.0 is now created with two participating interfaces: 2.2.2.2 on 10RX#1 and 2.2.2.1 on 10RX#2.
The progress of the creation of the network to this point is depicted in Figure 10-10.
Figure 10-10. Area 0.0.0 Created
View the configuration details by executing the following command at the EXEC prompt.
Magnum 10RX# show ip ospf
View the OSPF interfaces by executing the following command at the EXEC prompt.
Magnum 10RX# show ip ospf interface
10.5.2 Creating Area 0.0.0.3
Area 0.0.0.3 will include participating interfaces on 10RX#2 and 10RX#3.
Configuring 10RX#2 in Area 0.0.0.3
Some device-wide configuration has already been done on 10RX#2 in configuring it for membership in Area 0.0.0.0: OSPF routing has been enabled on the device and it has a router ID. This means that only a subset of the steps defined for configuring interface 2.2.2.2 for Area 0.0.0.0 on 10RX#1, above, is needed to configure a second interface on 10RX#2.
While logged into 10RX#2 proceed to the CONFIGURE Commands prompt and execute the following seven commands. The first six of these commands replicate those described in steps 3-7 and 10 in “Creating Area 0.0.0.0” above.
1. Specify an interface to configure.
Magnum 10RX(config)# interface gigabitethernet 3/2
2. Disable the interface for the duration of the configuration.
Magnum 10RX(config-if)# shutdown
3. Specify OSI layer 3 routed interface status for this interface
Magnum 10RX(config-if)# no switchport
4. Specify an IP address and a mask for this interface.
Magnum 10RX(config-if)# ip address 10.5.5.4 255.255.255.0
5. Re-enable the interface.
Magnum 10RX(config-if)# no shutdown
6. Return to Router OSPF Configuration mode and assign the interface to an area.
Magnum 10RX(config-router)# network 10.5.5.4 area 0.0.0.3
7. Create a virtual link with 10RX#3, identified by its router ID.
Magnum 10RX(config-router)# area 0.0.0.3 virtual-link 10.5.5.5
Configuring 10RX#3 in Area 0.0.0.3
Login to 10RX#3 and repeat the steps described for the initial configuration of 10RX#1, making the following changes to specifications in steps 3, 6, 9, and 10 and adding the specification of a virtual link:
3. Specify an interface to configure (in this example Gigabit Ethernet port 3/2).
Magnum 10RX(config)# interface gigabitethernet 3/2
6. Specify an IP address and a mask for this interface.
Magnum 10RX(config-if)# ip address 10.5.5.5 255.255.255.0
9. Assign a router ID
Magnum 10RX(config-router)# router-id 10.5.5.5
10. Assign the interface to an area.
Magnum 10RX(config-router)# network 10.5.5.5 area 0.0.0.3
11. Create a virtual link with 10RX#2, identified by its router ID.
Magnum 10RX(config-router)# area 0.0.0.3 virtual-link 2.2.2.1
CHAPTER 10 - OSPFOSPF Example Configuration Procedure
Industrial Network Operating System Administrator’s Guide
190
OSPF Area 0.0.0.3 is now created with two participating interfaces: 10.5.5.4 on 10RX#2 and 10.5.5.5 on 10RX#3. A virtual link has been added between 10RX#2 and 10RX#3 so that members of other areas can reach the backbone through Area 0.0.0.3. The progress of the creation of the network to this point is depicted in Figure 10-11.
Figure 10-11. Areas 0.0.0.0 and 0.0.0.3 Created
View the configuration details by executing the following command at the EXEC prompt.
Magnum 10RX# show ip ospf
View the OSPF interfaces by executing the following command at the EXEC prompt.
Magnum 10RX# show ip ospf interface
10.5.3 Creating Area 0.0.0.4
Area 0.0.0.4, a stub area, will include participating interfaces on 10RX#3 and 10RX#4.
Configuring 10RX#3 in Area 0.0.0.4
Some device-wide configuration has already been done on 10RX#3 in configuring it for membership in Area 0.0.0.3: OSPF routing has been enabled on the device and it has a router ID. This means that the same set of steps defined for configuring interface 10.5.5.4 for Area 0.0.0.3 on 10RX#2, above, can be used to configure a second interface on 10RX#3.
While logged into 10RX#3 proceed to the CONFIGURE Commands prompt and execute the following seven commands.
1. Specify an interface to configure.
Magnum 10RX(config)# interface gigabitethernet 7/1
2. Disable the interface for the duration of the configuration.
Magnum 10RX(config-if)# shutdown
3. Specify OSI layer 3 routed interface status for this interface
Magnum 10RX(config-if)# no switchport
4. Specify an IP address and a mask for this interface.
Magnum 10RX(config-if)# ip address 10.8.0.5 255.255.255.0
5. Re-enable the interface.
Magnum 10RX(config-if)# no shutdown
6. Return to Router OSPF Configuration mode and assign the interface to an area.
Magnum 10RX(config-router)# network 10.8.0.5 area 0.0.0.4
7. Configure the area as a stub.
Magnum 10RX(config-router)# area 0.0.0.4 stub
Configuring 10RX#4 in Area 0.0.0.4
Login to 10RX#4 and repeat the steps described for the initial configuration of 10RX#1, making the following changes to specifications in steps 3, 6, 9, and 10 and adding an instruction to configure the area as a stub:
3. Specify an interface to configure.
Magnum 10RX(config)# interface gigabitethernet 7/1
6. Specify an IP address and a mask for this interface.
Magnum 10RX(config-if)# ip address 10.8.0.7 255.255.255.0
9. Assign a router ID
Magnum 10RX(config-router)# router-id 10.8.0.7
10. Assign the interface to an area.
Magnum 10RX(config-router)# network 10.8.0.7 area 0.0.0.4
11. Configure the area as a stub.
Magnum 10RX(config-router)# area 0.0.0.4 stub
Figure 10-12 illustrates the network completed with the addition of area 0.0.0.4, which has two participating interfaces: 10.8.0.5 on 10RX#3 and 10.8.0.7 on 10RX#4.
Figure 10-12. Areas 0.0.0.0, 0.0.0.3, and 0.0.0.4 Created
View the configuration details by executing the following command at the EXEC prompt.
Magnum 10RX# show ip ospf
View the OSPF interfaces by executing the following command at the EXEC prompt.
Magnum 10RX# show ip ospf interface
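The procedure above spreads one design over four routers, so a mistake such as declaring the stub on only one side of area 0.0.0.4, or pointing a virtual link at an interface address instead of the peer’s router ID, only surfaces later as a missing adjacency. The following Python script is an added example, not INOS code: it holds the topology of Sections 10.5.1 to 10.5.3 as data, checks the consistency rules this chapter states or relies on (the router ID is an address of a configured interface, a stub area is declared on every router in it, virtual link endpoints are router IDs of routers in a non-stub transit area, and every non-backbone area has some path to the backbone), and emits the same command sequence the steps type by hand. The Router class, the wording of the checks and the simplified backbone-reachability rule are the example’s own.

```python
from dataclasses import dataclass, field

BACKBONE = "0.0.0.0"


@dataclass
class Router:
    name: str
    router_id: str
    # interface name -> (ip, mask, area id); one routed interface per area, as in 10.5
    interfaces: dict = field(default_factory=dict)
    stub_areas: set = field(default_factory=set)
    virtual_links: list = field(default_factory=list)  # (transit area id, neighbor router id)

    def ips(self):
        return {ip for ip, _mask, _area in self.interfaces.values()}

    def areas(self):
        return {area for _ip, _mask, area in self.interfaces.values()}


def validate(routers):
    """Return a list of problems; an empty list means the design passes every check."""
    problems = []
    by_id = {}
    for r in routers:
        if r.router_id not in r.ips():  # rule from step 3a of Section 10.5
            problems.append(f"{r.name}: router-id {r.router_id} is not an interface address")
        if r.router_id in by_id:
            problems.append(f"{r.name}: router-id {r.router_id} already used by {by_id[r.router_id].name}")
        by_id[r.router_id] = r
    members = {}
    for r in routers:
        for a in r.areas():
            members.setdefault(a, []).append(r)
    for area, rs in members.items():
        stubbed = [r.name for r in rs if area in r.stub_areas]
        if area == BACKBONE and stubbed:
            problems.append(f"backbone area declared stub on {stubbed}")
        elif stubbed and len(stubbed) != len(rs):  # stub flag mismatch: no adjacency forms
            problems.append(f"area {area}: stub on {stubbed} but not on all of {[r.name for r in rs]}")
        # simplified rule: some router in the area sits on the backbone or owns a virtual link
        if area != BACKBONE and not any(BACKBONE in r.areas() or r.virtual_links for r in rs):
            problems.append(f"area {area}: no router reaches the backbone")
    for r in routers:
        for transit, peer_id in r.virtual_links:
            peer = by_id.get(peer_id)
            if transit not in r.areas():
                problems.append(f"{r.name}: no interface in virtual-link transit area {transit}")
            if transit in r.stub_areas:
                problems.append(f"{r.name}: transit area {transit} cannot be a stub area")
            if peer is None or transit not in peer.areas():
                problems.append(f"{r.name}: virtual-link peer {peer_id} is not a router in area {transit}")
            elif (transit, r.router_id) not in peer.virtual_links:
                problems.append(f"{peer.name}: missing reciprocal virtual-link to {r.router_id}")
    return problems


def cli_commands(r):
    """Emit the command sequence of Section 10.5 for one router; mode-exit commands are
    omitted, as they are in the page's own steps."""
    cmds = ["config"]
    for ifname, (ip, mask, _area) in r.interfaces.items():
        cmds += [f"interface {ifname}", "shutdown", "no switchport",
                 f"ip address {ip} {mask}", "no shutdown"]
    cmds += ["router ospf", f"router-id {r.router_id}"]
    cmds += [f"network {ip} area {area}" for ip, _mask, area in r.interfaces.values()]
    cmds += [f"area {a} stub" for a in sorted(r.stub_areas)]
    cmds += [f"area {t} virtual-link {peer}" for t, peer in r.virtual_links]
    return cmds


def page_topology():
    """The four-router, three-area network built in Sections 10.5.1 to 10.5.3."""
    m = "255.255.255.0"
    return [
        Router("10RX#1", "2.2.2.2", {"gigabitethernet 2/1": ("2.2.2.2", m, BACKBONE)}),
        Router("10RX#2", "2.2.2.1", {"gigabitethernet 1/1": ("2.2.2.1", m, BACKBONE),
                                     "gigabitethernet 3/2": ("10.5.5.4", m, "0.0.0.3")},
               virtual_links=[("0.0.0.3", "10.5.5.5")]),
        Router("10RX#3", "10.5.5.5", {"gigabitethernet 3/2": ("10.5.5.5", m, "0.0.0.3"),
                                      "gigabitethernet 7/1": ("10.8.0.5", m, "0.0.0.4")},
               stub_areas={"0.0.0.4"}, virtual_links=[("0.0.0.3", "2.2.2.1")]),
        Router("10RX#4", "10.8.0.7", {"gigabitethernet 7/1": ("10.8.0.7", m, "0.0.0.4")},
               stub_areas={"0.0.0.4"}),
    ]


if __name__ == "__main__":
    routers = page_topology()
    print("problems:", validate(routers) or "none")
    for r in routers:
        print(f"--- {r.name}")
        print("\n".join(cli_commands(r)))
```

Run the validator before touching the routers and again after any change to an area type or virtual link; a stub declared on one side only or a virtual link pointing at an interface address rather than a router ID is reported before it costs an adjacency on the live network.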
Chapter 11 BGP
Border Gateway Protocol (BGP) is a protocol for routing traffic between autonomous systems (AS). An autonomous system is a set of routers under a single technical administration, such as the routers in a power utility substation or the routers controlled by a particular organization or service provider. BGP is the core routing protocol of the Internet. BGP routers (or “speakers”) communicate over TCP connections. The latest version of BGP is BGP-4, defined in RFC 4271, and it is the version supported in the INOS implementation.
BGP is an Exterior Gateway Protocol (EGP). Within an autonomous system other protocols, such as RIP, OSPF, or IS-IS, are used to exchange routing information; these are Interior Gateway Protocols (IGPs). BGP is used in two forms: external BGP (eBGP) between speakers in different autonomous systems and internal BGP (iBGP) between speakers in the same AS. The INOS implementation supports both eBGP and iBGP.
A BGP speaker keeps its neighbor(s) informed of the subnets to which it can provide access by exchanging a stream of messages with them.
11.1 BGP Configuration in the CLI
The following sections describe the CLI commands to use for basic BGP configuration.
11.1.1 Enabling and Disabling BGP
Use the router bgp command in Global Configuration mode to specify the autonomous system number for the device. This enables BGP globally in the current device and causes the system to display the Magnum 10RX(config-router)# prompt and to enter into BGP Router Configuration mode. Executing the help command will display a list of BGP-specific commands available in this mode.
Command syntax:
router bgp as-number
Where:
as-number is a numerical value specifying an autonomous system.
Example:
Magnum 10RX(config)# router bgp 10
Magnum 10RX(config-router)#
This command specifies AS 10, creating it if it does not already exist. Subsequent commands in the BGP Router Configuration session will modify this AS.
Valid range: 1-65535
The no router bgp command disables BGP globally.
11.1.2 Specifying BGP Router ID
Use the bgp router-id command in BGP Router Configuration mode to assign a router ID. The BGP Router ID is a unique identifier in IPv4 dotted decimal notation used as a tie-breaker for BGP path selection. Network designers typically choose an IP address already assigned to the router as the BGP Router ID. If a BGP Router ID is not manually configured, the software will automatically choose a BGP Router ID from the configured IP addresses. To manually configure the BGP Router ID use the bgp router-id command from the Magnum 10RX(config-router)# prompt.
Command syntax:
bgp router-id xxx.xxx.xxx.xxx
Where:
xxx.xxx.xxx.xxx is a valid IP address in IPv4 format.
Example:
Magnum 10RX(config-router)# bgp router-id 192.168.10.2
Default value: the router ID is selected automatically from the configured IP addresses.
The no bgp router-id command resets the BGP Identifier of the BGP speaker to the default value.
11.1.3 Specifying a BGP Neighbor
Use the neighbor command in BGP Router Configuration mode to configure a BGP neighbor. Unlike RIP and OSPF, BGP does not automatically discover its neighbors. You must configure the IP address and AS number of each BGP neighbor.
Command syntax:
neighbor xxx.xxx.xxx.xxx remote-as as-number
Where:
xxx.xxx.xxx.xxx is a valid IP address in IPv4 format specifying a neighbor device.
as-number is a numerical value specifying the autonomous system to which the neighbor belongs.
Example:
Magnum 10RX(config-router)# neighbor 192.168.10.3 remote-as 11
The no neighbor xxx.xxx.xxx.xxx remote-as as-number command deletes configuration of the specified neighbor.
11.1.4 Displaying Neighbor Status
Use the show ip bgp neighbor command in Exec Commands mode to display information about a neighbor. Once a neighbor is correctly configured, the router will open a TCP connection to that neighbor for the purpose of exchanging BGP messages. To check the status of all neighbors use the command without arguments or supply the IP address of a specific neighbor to view the status of that neighbor only.
Command syntax:
show ip bgp neighbor
Example:
Magnum 10RX# show ip bgp neighbor
This command displays information like that shown in Figure 11-1.
Figure 11-1. show ip bgp neighbor command output
BGP neighbor is 192.168.30.3, remote AS 11, external link
BGP version 4, remote router ID 192.168.30.3
BGP state = Established, up for 11 minutes 11 seconds
Configured BGP Maximum Prefix Limit 100
Configured Connect Retry Count 5
Current Connect Retry Count 0
Peer Passive : DISABLED
Peer Status : NOT DAMPED
Rcvd update before 0 secs, hold time is 40, keepalive interval is 13 secs
Neighbors Capability:
Route-Refresh: Advertised and received
Address family IPv4 Unicast: Advertised and received
Received 70 messages, 0 Updates
Sent 50 messages, 0 Updates
Route refresh: Received 0, sent 0.
Minimum time between advertisement runs is 30 seconds
Connections established 1 time(s)
Local host: 192.168.30.2, Local port: 179
Foreign host: 192.168.30.3, Foreign port: 1098
Last Error: Code 0, SubCode 0.
11.1.5 Resetting a BGP Session
Use the clear ip bgp command in Exec Commands mode to reset a BGP session. After you make routing policy changes in BGP you must reset the relevant peer.
Command syntax:
clear ip bgp {xxx.xxx.xxx.xxx | peer-group | *}
Where:
xxx.xxx.xxx.xxx is the IP address of a configured BGP peer.
peer-group is the name of a configured BGP peer group.
* represents all BGP peers.
Example:
Magnum 10RX# clear ip bgp 192.168.10.3
This command restarts the BGP session with the peer 192.168.10.3 so that routing information is exchanged again under the updated configuration.
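After a reset, or as a routine audit, the show ip bgp neighbor output of Section 11.1.4 is the place to confirm that each session came back in the Established state with the peer and AS number that were configured with the neighbor command of Section 11.1.3. The following Python script is an added example, not INOS code: it parses that output into fields and compares each session with an expected neighbor table. The text in SAMPLE_OUTPUT is constructed from Figure 11-1, and the neighbor table passed to audit is an assumed configuration.

```python
import re

# Constructed sample: the `show ip bgp neighbor` output of Figure 11-1, one field per line.
SAMPLE_OUTPUT = """\
BGP neighbor is 192.168.30.3, remote AS 11, external link
BGP version 4, remote router ID 192.168.30.3
BGP state = Established, up for 11 minutes 11 seconds
Configured BGP Maximum Prefix Limit 100
Configured Connect Retry Count 5
Current Connect Retry Count 0
Peer Passive : DISABLED
Peer Status : NOT DAMPED
Rcvd update before 0 secs, hold time is 40, keepalive interval is 13 secs
Neighbors Capability:
Route-Refresh: Advertised and received
Address family IPv4 Unicast: Advertised and received
Received 70 messages, 0 Updates
Sent 50 messages, 0 Updates
Route refresh: Received 0, sent 0.
Minimum time between advertisement runs is 30 seconds
Connections established 1 time(s)
Local host: 192.168.30.2, Local port: 179
Foreign host: 192.168.30.3, Foreign port: 1098
Last Error: Code 0, SubCode 0.
"""

# One regular expression per field of interest; integer-valued fields are converted.
_PATTERNS = {
    "ip": r"BGP neighbor is ([\d.]+)",
    "remote_as": r"remote AS (\d+)",
    "link": r"remote AS \d+, (\w+) link",
    "remote_router_id": r"remote router ID ([\d.]+)",
    "state": r"BGP state = (\w+)",
    "max_prefix": r"Maximum Prefix Limit (\d+)",
    "hold_time": r"hold time is (\d+)",
    "keepalive": r"keepalive interval is (\d+)",
    "local_port": r"Local port: (\d+)",
    "foreign_host": r"Foreign host: ([\d.]+)",
    "foreign_port": r"Foreign port: (\d+)",
    "error_code": r"Last Error: Code (\d+)",
    "error_subcode": r"SubCode (\d+)",
}
_INT_FIELDS = {"remote_as", "max_prefix", "hold_time", "keepalive",
               "local_port", "foreign_port", "error_code", "error_subcode"}


def parse_neighbors(text):
    """Split the command output into one dict per neighbor block."""
    sessions = []
    for block in re.split(r"(?=^BGP neighbor is )", text, flags=re.MULTILINE):
        if not block.startswith("BGP neighbor is "):
            continue
        session = {}
        for key, pattern in _PATTERNS.items():
            m = re.search(pattern, block)
            if m:
                session[key] = int(m.group(1)) if key in _INT_FIELDS else m.group(1)
        sessions.append(session)
    return sessions


def session_direction(session):
    """Port 179 on our side means the peer opened the TCP connection."""
    return "inbound" if session.get("local_port") == 179 else "outbound"


def audit(session, configured_peers):
    """Compare one session with the `neighbor <ip> remote-as <as>` table (ip -> AS).
    Returns a list of findings; an empty list means the session matches its configuration."""
    findings = []
    ip = session.get("ip")
    expected_as = configured_peers.get(ip)
    if expected_as is None:
        findings.append(f"{ip}: peer is not in the configured neighbor table")
    elif session.get("remote_as") != expected_as:
        findings.append(f"{ip}: remote AS {session.get('remote_as')} differs from configured AS {expected_as}")
    if session.get("state") != "Established":
        findings.append(f"{ip}: session state is {session.get('state')}, not Established")
    if session.get("error_code", 0) != 0:
        findings.append(f"{ip}: last NOTIFICATION error code {session['error_code']}, subcode {session.get('error_subcode')}")
    return findings


if __name__ == "__main__":
    for s in parse_neighbors(SAMPLE_OUTPUT):
        print(s["ip"], s["state"], session_direction(s), audit(s, {"192.168.30.3": 11}) or "ok")
```

The direction of the TCP connection is worth recording alongside the findings: in the sample the local port is 179, so the peer opened the session, which is the expected picture for a router that only accepts connections from its configured neighbors.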
11.1.6 Redistributing Routes
Use the redistribute command in BGP Router Configuration mode to specify the types of routing information that should be redistributed. BGP does not exchange routes automatically. Even route information for directly connected networks is not exchanged without explicit configuration. You must choose which types of routes to redistribute.
Command syntax:
redistribute {all | connected | ospf | rip | static}
Where:
all specifies the exchange of all routing information.
connected specifies the exchange of routing information on all directly connected networks.
ospf specifies the exchange of routing information learned with the OSPF protocol.
rip specifies the exchange of routing information learned with the RIP protocol.
static specifies the exchange of routing information that is statically configured.
Example:
Magnum 10RX(config-router)# redistribute all
The no redistribute protocol command prohibits redistribution of routing information from the specified protocol.
11.1.7 Minimizing Route Table Size Using Aggregates
Use the aggregate-address command in BGP Router Configuration mode to specify an aggregation of routes. You can use address aggregation to combine the advertisement of a number of specific routes into the advertisement of a single route that is a supernet of the more-specific routes.
If the summary-only option is used, the advertisement of any specific routes for the aggregate are suppressed and only the aggregate route is advertised. Otherwise, both the aggregate and the specific routes are advertised.
Command syntax:
aggregate-address index index-val ipv4-supernet pref-len [summary-only]
Where:
index-val is a numerical value that uniquely identifies the aggregation.
ipv4-supernet is the IPv4 supernet address.
pref-len is the CIDR address mask for the supernet.
summary-only specifies that only the address of the aggregate is advertised.
Example:
Magnum 10RX(config-router)# aggregate-address index 1 192.168.0.0 16 summary-only
This command advertises the supernet 192.168.0.0/16 and suppresses the aggregated subnets, for example 192.168.1.0/24. Because peers then see only the /16, traffic for any address in 192.168.0.0/16 is attracted to this router, including ranges for which it holds no specific route.
Valid range for index-val: 1-100
The no aggregate-address index index-val command deletes the aggregate specified by index-val.
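As an added illustration (not code from INOS or this guide), the following Python model computes which prefixes a router announces from its specific routes and its aggregate-address entries. It follows the rule stated in this section that an aggregate is announced only when at least one specific route inside it exists, and assumes, since the guide does not say, that a specific route covered by any summary-only aggregate is suppressed and that the CLI rejects a supernet with host bits set. The Aggregate class and the function names are the example's own.

```python
"""Model of aggregate-address / summary-only advertisement behaviour.

Added example, not INOS code. Assumptions: an aggregate is announced only
if at least one specific route lies inside it (per the guide's note); a
specific covered by any summary-only aggregate is suppressed; a supernet
with host bits set is rejected.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Aggregate:
    index: int                      # aggregate-address index (1-100)
    supernet: str                   # e.g. "192.168.0.0/16"
    summary_only: bool = False      # the [summary-only] keyword


def _covers(supernet: str, specific: str) -> bool:
    """True when `specific` lies inside `supernet` (IPv4 only)."""
    return ipaddress.ip_network(specific).subnet_of(ipaddress.ip_network(supernet))


def validate_aggregate(agg: Aggregate) -> None:
    """Reject entries the CLI would not accept: an index outside 1-100, or a
    supernet whose host bits are set (e.g. 192.168.1.0/16)."""
    if not 1 <= agg.index <= 100:
        raise ValueError(f"aggregate index {agg.index} outside 1-100")
    ipaddress.ip_network(agg.supernet, strict=True)   # raises on host bits


def advertised_prefixes(specifics, aggregates):
    """Return the sorted list of prefixes announced to a peer.

    specifics:  iterable of route prefixes present in the routing table
    aggregates: iterable of Aggregate entries
    """
    specifics = set(specifics)
    announced = set()
    suppressed = set()
    for agg in aggregates:
        validate_aggregate(agg)
        covered = {s for s in specifics if _covers(agg.supernet, s)}
        if not covered:
            continue            # no specific inside: aggregate is not announced
        announced.add(str(ipaddress.ip_network(agg.supernet)))
        if agg.summary_only:
            suppressed |= covered
    announced |= specifics - suppressed
    return sorted(announced, key=ipaddress.ip_network)


if __name__ == "__main__":
    # Constructed routing table: two subnets of the aggregate plus an unrelated /16.
    table = ["192.168.1.0/24", "192.168.2.0/24", "10.1.0.0/16"]
    print(advertised_prefixes(table, [Aggregate(1, "192.168.0.0/16", summary_only=True)]))
    print(advertised_prefixes(table, [Aggregate(1, "192.168.0.0/16")]))
```

Run with the summary-only flag the two /24s disappear from the announcement; without it the /16 and both /24s are announced together; and with no specific inside 192.168.0.0/16 the aggregate is not announced at all.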
NOTE: For an aggregate route to be advertised to a peer, the router must have at least one specific route for that aggregate.
11.1.8 Specifying Administrative Distance
Use the distance bgp command in BGP Router Configuration mode to specify the BGP administrative distance. When the same route prefix is learned from multiple sources, the administrative distance value is used as a tie-breaker when selecting the active route. Setting the BGP administrative distance lets you indicate the preference of routes learned via BGP relative to routes from other sources such as RIP, OSPF or static configuration. The administrative distance value is in the range 1-255; lower values are preferred.
NOTE: An administrative distance value of 255 indicates that no route supplied by this protocol should be trusted; such routes are never installed in the routing table.
Command syntax:
distance bgp dist-val
Where:
dist-val is a numerical value specifying the administrative distance for routes learned with the BGP protocol.
Example:
Magnum 10RX(config-router)# distance bgp 50
This command specifies that, in the AS being configured, routes learned with the BGP protocol have an administrative distance of 50.
Valid range for dist-val: 1-255
Default value (BGP): 20
The standard default administrative distance values for routes learned in other protocols are listed in Table 11-1.
Table 11-1. Administrative Distance Values: Protocol Defaults
Protocol              Value
Connected interface   0
Static route          1
EIGRP summary route   5
BGP                   20
Internal EIGRP        90
IGRP                  100
OSPF                  110
IS-IS                 115
RIP                   120
EGP                   140
ODR                   160
External EIGRP        170
Internal BGP          200
Unknown*              255
11.1.9 Filtering Routes
Use the bgp update-filter command in BGP Router Configuration mode to filter the routes that are advertised to, or accepted from, specific BGP peers. Filters are evaluated in order according to their configured index, and the first matching entry decides. Each filter entry either permits or denies a route based on whether it matches the specified remote AS, route prefix and prefix length. Specifying 0 for the remote AS, route prefix or prefix length makes that field a wild card for the purposes of the match. A list of intermediate ASs can also optionally be specified as match criteria.
Command syntax:
bgp update-filter index {permit | deny} remote-as as-num route-pref pref-len [intermediate-as as-list] direction {in | out}
Where:
index is a numerical value that uniquely identifies the filter.
permit is a keyword signifying that this filter causes a matching route to be included in UPDATE messages.
deny is a keyword signifying that this filter causes a matching route to be excluded from UPDATE messages.
as-num is a numerical value specifying the remote AS to match.
route-pref is the IPv4 route prefix to match in the form A.B.C.D.
pref-len is the CIDR address mask specifying the length of the prefix to match.
as-list is a string containing a comma-delimited list of intermediate ASs to match.
in is a keyword signifying that this filter applies to incoming UPDATE messages.
out is a keyword signifying that this filter applies to outgoing UPDATE messages.
Examples:
The following figures provide examples of outbound and inbound filters. Each entry needs its own index, and entries are evaluated from the lowest index upward, so the specific permit must carry a lower index than the catch-all deny.
The commands in Figure 11-2 permit routes within 192.168.0.0/16 to be advertised to AS 200 and exclude every other route from outgoing UPDATE messages. Because the deny entry uses wild cards for the remote AS and the prefix, it applies to all peers, not only to AS 200.
Figure 11-2. BGP update-filter outbound example
Magnum 10RX(config-router)# bgp update-filter 1 permit remote-as 200 192.168.0.0 16 direction out
Magnum 10RX(config-router)# bgp update-filter 2 deny remote-as 0 0.0.0.0 0 direction out
The commands in Figure 11-3 accept 192.168.5.0/24 from any peer and exclude all other routes within 192.168.0.0/16 from incoming UPDATE messages.
Figure 11-3. BGP update-filter inbound example
Magnum 10RX(config-router)# bgp update-filter 1 permit remote-as 0 192.168.5.0 24 direction in
Magnum 10RX(config-router)# bgp update-filter 2 deny remote-as 0 192.168.0.0 16 direction in
Valid range for index: 1-100
The no bgp update-filter index command deletes the filter specified by index.
Use the show ip bgp filters command in Exec Commands mode to view configured filters.
11.1.10 Defining Policies Using Communities
BGP communities are a way of classifying destinations so that routing policy decisions can be applied consistently across the entire classification group. For example, specific learned routes can be pattern matched and classified by one BGP speaker by assigning a community value to those routes. When that speaker sends an UPDATE message to one of its peers, all of the classified routes are sent with the community attribute attached. The peer receiving the routes with the attached community attribute can then use that classification to decide how to filter the routes. This scales BGP routing policy better, since the filtering router does not need a specific filter rule for each destination; it needs only one filter rule based on the community.
11.1.10.1 Assigning Routes to a Community
Use the bgp comm-route command in BGP Router Configuration mode to assign a destination to a community.
Command syntax:
bgp comm-route {additive | delete} pref-val pref-len comm-value comm-val
Where:
additive is a keyword signifying that the specified route is added to the community.
delete is a keyword signifying that the specified route is deleted from the community.
pref-val is the IPv4 route prefix.
pref-len is the CIDR address mask specifying the length in bits of the route subnet.
comm-val is a numerical community attribute value.
Example:
Magnum 10RX(config-router)# bgp comm-route additive 192.168.1.0 24 comm-value 6553700
This command classifies the prefix 192.168.1.0/24 into the community 100:100 (decimal 6553700).
Valid range for comm-val: 1-4294967295
The no bgp comm-route route-spec command deletes the specified route from the additive or the delete community table.
Use the show ip bgp community route command in Exec Commands mode to view configured community routes.
11.1.10.2 Defining Policies for a Community
Use the bgp comm-policy command in BGP Router Configuration mode to define the policy for handling received routes that are already assigned to a community.
Command syntax:
bgp comm-policy pref-val pref-len {modify | set-add | set-none}
Where:
pref-val is IPv4 route prefix.
pref-len is the CIDR address mask specifying the length in bits of the route subnet.
modify removes the route with received delete communities and adds the additive communities.
set-add sends only the configured additive communities.
set-none sends the route without any communities.
Example:
Magnum 10RX(config-router)# bgp comm-policy 192.168.1.0 24 set-add
This command instructs the router to ignore any received communities for 192.168.1.0/24 and to send only the community that was assigned locally with the bgp comm-route command.
The no bgp comm-policy pref-val pref-len command removes the community attribute advertisement policy for the specified destination.
Use the show ip bgp community policy command in Exec Commands mode to view configured community policies.
11.1.10.3 Defining Filters for a Community
Use the bgp comm-filter command in BGP Router Configuration mode to define filter rules for the community.
Command syntax:
bgp comm-filter comm-val {permit | deny} {in | out}
Where:
comm-val is a numerical community attribute value.
permit specifies that routes that are part of the community are allowed.
deny specifies that routes that are part of the community are not allowed.
in specifies that the rule applies to routes received via an UPDATE message from a peer.
out specifies that the rule applies to routes sent in an UPDATE message to a peer.
Example:
Magnum 10RX(config-router)# bgp comm-filter 6553900 deny out
This command excludes routes in community 100:300 (decimal 6553900) from outgoing UPDATE messages.
Valid range for comm-val: 1-4294967295
The no bgp comm-filter comm-spec command removes the filter policy for the community attribute.
Use the show ip bgp community filter command in Exec Commands mode to view configured community filters.
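The two filter mechanisms of Sections 11.1.9 and 11.1.10, as an added Python model that is not INOS code: it evaluates bgp update-filter entries in index order with the 0 wild cards, converts community values between AS:NN and the decimal form the CLI takes, and applies bgp comm-filter rules. Its assumptions, which the guide does not state, are that a filter prefix matches any route inside that network, that the first matching entry wins, that a route matching no entry is permitted (which is why the guide's examples end with a catch-all deny), and that intermediate-as matches when every listed AS appears in the route's AS path. Class and function names are the example's own; the FIGURE_11_2 and FIGURE_11_3 tables reproduce the guide's examples with the catch-all deny at index 2.

```python
"""Model of bgp update-filter and bgp comm-filter evaluation (Sections
11.1.9 and 11.1.10). Added example, not INOS code.

Assumptions the guide leaves implicit:
  * a filter's prefix/length matches any route inside that network
    (so "192.168.0.0 16" matches 192.168.5.0/24);
  * entries are tried in ascending index order, first match wins;
  * a route matching no entry is permitted;
  * intermediate-as matches when every listed AS is in the AS path.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class UpdateFilter:
    index: int                          # 1-100, must be unique
    action: str                         # "permit" or "deny"
    remote_as: int                      # 0 = wild card
    prefix: str                         # "0.0.0.0" = wild card
    length: int                         # 0 = wild card
    direction: str                      # "in" or "out"
    intermediate_as: Tuple[int, ...] = ()


@dataclass
class Route:
    prefix: str                         # e.g. "192.168.5.0/24"
    as_path: List[int]
    communities: List[int] = field(default_factory=list)


def encode_community(asn: int, value: int) -> int:
    """AS:NN -> the 32-bit decimal accepted by bgp comm-route / comm-filter."""
    if not (0 <= asn <= 0xFFFF and 0 <= value <= 0xFFFF):
        raise ValueError("AS and value must each fit in 16 bits")
    return (asn << 16) | value


def decode_community(comm: int) -> Tuple[int, int]:
    """32-bit decimal -> (AS, NN)."""
    if not 0 <= comm <= 0xFFFFFFFF:
        raise ValueError("community attribute is a 32-bit value")
    return comm >> 16, comm & 0xFFFF


def _matches(f: UpdateFilter, route: Route, peer_as: int, direction: str) -> bool:
    if f.direction != direction:
        return False
    if f.remote_as != 0 and f.remote_as != peer_as:
        return False
    if f.length != 0 and f.prefix != "0.0.0.0":        # both 0 = wild card
        net = ipaddress.ip_network(f"{f.prefix}/{f.length}", strict=False)
        if not ipaddress.ip_network(route.prefix).subnet_of(net):
            return False
    if any(asn not in route.as_path for asn in f.intermediate_as):
        return False
    return True


def update_filter_decision(filters, route, peer_as, direction):
    """permit/deny for one route sent to (out) or received from (in) peer_as."""
    indices = [f.index for f in filters]
    if len(indices) != len(set(indices)):
        raise ValueError("filter indices must be unique")
    for f in sorted(filters, key=lambda x: x.index):
        if _matches(f, route, peer_as, direction):
            return f.action
    return "permit"                                    # assumed default


def community_filter_decision(comm_filters, route, direction):
    """comm_filters: list of (comm_val, action, direction) as in bgp comm-filter."""
    for comm_val, action, d in comm_filters:
        if d == direction and comm_val in route.communities:
            return action
    return "permit"


# The guide's Figures 11-2 and 11-3, with the catch-all deny at index 2.
FIGURE_11_2 = [
    UpdateFilter(1, "permit", 200, "192.168.0.0", 16, "out"),
    UpdateFilter(2, "deny", 0, "0.0.0.0", 0, "out"),
]
FIGURE_11_3 = [
    UpdateFilter(1, "permit", 0, "192.168.5.0", 24, "in"),
    UpdateFilter(2, "deny", 0, "192.168.0.0", 16, "in"),
]

if __name__ == "__main__":
    # Constructed routes: the catch-all deny of Figure 11-2 also hits AS 300.
    print(update_filter_decision(FIGURE_11_2, Route("192.168.7.0/24", [200]), 200, "out"))
    print(update_filter_decision(FIGURE_11_2, Route("192.168.7.0/24", [300]), 300, "out"))
    print(decode_community(6553900))
```

The third constructed case is the one worth remembering: because the catch-all entry uses remote-as 0, it silences advertisements to every peer, which is the desired default-deny egress posture but must be paired with a permit for each peer that should receive routes.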
11.1.11 Specifying a Router's Default Local Preference
Use the bgp default local-preference command in BGP Router Configuration mode to specify a default preferred exit path from the AS for the router.
When you are running BGP there may be more than one router in your AS connected to other external autonomous systems. Setting the default local preference of a router indicates the preferred path for exiting the AS. That is, if two local routers have a path to a remote network through an external AS, the router with the higher local preference will be used as the exit path from the AS.
Command syntax:
bgp default local-preference pref-val
Where:
pref-val is an integer expressing a preference value. A higher value is preferred to a lesser value.
Example:
Magnum 10RX(config-router)# bgp default local-preference 200
Valid range: 0-2147483647
Default value: 100
The no bgp default local-preference command restores the default value.
Use the show ip bgp local-pref command to view information about local preference configuration.
11.1.12 Specifying a Local Preference
Use the bgp local-preference command in BGP Router Configuration mode to assign a local preference value to routes that match specific criteria such as prefix, remote AS and intermediate autonomous systems, and so to specify a preferred exit path from the AS for those routes.
Command syntax:
bgp local-preference pref-val remote-as as-num ipaddr pref-len [intermediate-as as-list] value met-val direction {in | out} [override]
Where:
pref-val is an integer that identifies this rule. It corresponds to the Local Preference ID in Table 11-5.
as-num is the AS number of the BGP peer associated with the route prefix; 0 matches any AS.
ipaddr is the route prefix to which the local preference is to be applied.
pref-len is the length of the route prefix.
as-list is an optional comma-delimited list of intermediate ASs.
met-val is the local preference value to assign to routes matching all of the specified criteria. A higher value is preferred.
in applies the rule to routes received from peers via UPDATE messages.
out applies the rule to routes sent to peers via UPDATE messages.
override tells the router that the configured value should override any local preference already carried by the route.
Example:
Magnum 10RX(config-router)# bgp local-preference 10 remote-as 100 12.0.0.0 16 intermediate-as 200,325 value 33 direction in override
This command assigns local preference 33 to routes within 12.0.0.0/16 received from AS 100 whose AS path also contains AS 200 and AS 325, overriding any local preference the routes already carry.
Default values:
remote-as: 0
direction: in
value: 100
ipaddr: 0.0.0.0
pref-len: 0
Valid ranges:
pref-val: 1-100 (see Table 11-5)
remote-as: 0-65535
value: 0-2147483647
ipaddr: any IPv4 prefix; 0.0.0.0 is the wild card
pref-len: 0-32
The no bgp local-preference command restores the default.
Use the show ip bgp local-pref command to view information about local preference configuration.
11.1.13 Specifying a Metric or Multi-exit Discriminator
BGP can be used to create redundant connections between autonomous systems. In this case there will be more than one path that an external AS may use to enter your AS. You can provide a hint to the external AS about the preferred path by setting the metric attribute, also known as the Multi-Exit Discriminator (MED).
Suppose you have two EBGP speakers in your AS (200), router A and router B, and that both of these routers are connected to an external AS (100) via a third EBGP speaker, router C. Router A and B are also participating in an IGP such as RIP or OSPF and redistributing the IGP routes into the external AS via router C. You can use the default-metric command to tell router C which path (through router A or through router B) is the preferred path into your AS.
11.1.13.1 Specifying a Default Metric
Use the default-metric command in BGP Router Configuration mode to tell a router which path is the preferred path into your AS.
Command syntax:
default-metric met-val
Where:
met-val is an integer specifying the default IGP metric value.
Example:
The following command line examples show how to set up router A and router B so that router A is the preferred path into AS 200. If router A were to fail, then the path through router B would be used. In this example, RIP is assumed to be the IGP, but OSPF could also be used.
The commands in Figure 11-4 configure router A.
Figure 11-4. BGP default-metric configuration, router A
Magnum 10RX(config)# router bgp 200
Magnum 10RX(config-router)# default-metric 10
Magnum 10RX(config-router)# redistribute rip
The commands in Figure 11-5 configure router B.
Figure 11-5. BGP default-metric configuration, router B
Magnum 10RX(config)# router bgp 200
Magnum 10RX(config-router)# default-metric 20
Magnum 10RX(config-router)# redistribute rip
Router C receives the same RIP-derived prefixes from both routers, with MED 10 from router A and MED 20 from router B, and prefers the lower MED, that is, the path through router A.
Default value: 0
The no default-metric command restores the default.
Use the show ip bgp info command to view information about BGP configuration.
11.1.13.2 Assigning Metrics to Specific Routes
Use the bgp med command in BGP Router Configuration mode to specify metrics for routes with specific criteria such as prefix, remote AS and intermediate autonomous systems.
Command syntax:
bgp med med-index remote-as as-number pref-val pref-len [intermediate-as as-list] value met-val direction {in | out} [override]
Where:
med-index is an integer that identifies this rule.
as-number is an integer identifying the remote AS to which the metric applies; 0 matches any AS.
pref-val is the route prefix to which the metric applies.
pref-len is the length of the route prefix.
as-list is an optional comma-delimited list of intermediate ASs.
met-val is the value of the metric to assign to routes matching all of the specified criteria.
in applies the rule to routes received from peers via UPDATE messages.
out applies the rule to routes sent to peers via UPDATE messages.
override tells the router that the configured metric should override any received metric.
Example:
Magnum 10RX(config-router)# bgp med 1 remote-as 100 192.168.1.0 24 value 25 direction out
This command sets the metric to 25 for the 192.168.1.0/24 prefix sent to AS 100.
Valid range for med-index: 1-100
Valid range for met-val: 0-2147483647
Default value for met-val: 0
Use the show ip bgp med command to view information about BGP MED configuration.
11.1.13.3 Forcing a MED Comparison
Use the bgp always-compare-med command in BGP Router Configuration mode to compare the MEDs of paths received from different autonomous systems.
By default, a BGP speaker compares MEDs only between paths received from the same neighboring AS. The bgp always-compare-med command forces the router to compare MEDs across autonomous systems as well. This is useful if there is a redundant path to a network through two different autonomous systems and you want to indicate which path is preferred by setting the metric. Because each neighboring AS sets its own MED scale, values from different ASs are not necessarily comparable; enable this option only where you control or trust how both neighbors set the metric.
Example:
Magnum 10RX(config-router)# bgp always-compare-med
The no bgp always-compare-med command disables MED comparison.
Use the show ip bgp info command to view information about BGP configuration.
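The attributes configured in Sections 11.1.11 through 11.1.13 only matter through the best-path decision that consumes them. The following Python model, added here and not INOS code, applies the general RFC 4271 decision order (highest LOCAL_PREF, then shortest AS_PATH, then lowest MED, then eBGP over iBGP, then lowest router ID) together with the MED comparability rule that bgp always-compare-med relaxes. That INOS implements exactly these steps and tie-breakers is an assumption; the Path class and the function names are the example's own.

```python
"""Best-path selection over LOCAL_PREF, AS_PATH length and MED, with the
effect of bgp always-compare-med. Added example, not INOS code; the step
order is the general one of RFC 4271 and is assumed for INOS.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Path:
    router_id: str                  # BGP router ID of the advertising peer
    neighbor_as: int                # AS the path was received from
    local_pref: int = 100           # bgp default local-preference default
    as_path: Tuple[int, ...] = ()
    med: int = 0                    # default-metric / bgp med default
    ebgp: bool = True


def _rid(p: Path) -> Tuple[int, ...]:
    """Router ID as a sortable tuple; the lowest ID wins the final tie-break."""
    return tuple(int(x) for x in p.router_id.split("."))


def _med_comparable(a: Path, b: Path, always_compare_med: bool) -> bool:
    # By default MED is compared only between paths from the same neighboring
    # AS; bgp always-compare-med lifts that restriction.
    return always_compare_med or a.neighbor_as == b.neighbor_as


def _better(a: Path, b: Path, always_compare_med: bool) -> bool:
    """True when path a should be preferred over path b."""
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref          # highest LOCAL_PREF
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) < len(b.as_path)      # shortest AS_PATH
    if _med_comparable(a, b, always_compare_med) and a.med != b.med:
        return a.med < b.med                        # lowest MED
    if a.ebgp != b.ebgp:
        return a.ebgp                               # eBGP over iBGP
    return _rid(a) < _rid(b)                        # lowest router ID


def best_path(paths: List[Path], always_compare_med: bool = False) -> Optional[Path]:
    """Pairwise scan; when MEDs are not comparable the result can depend on
    the order paths arrive in, which is the classic reason operators turn
    on always-compare-med."""
    best = None
    for p in paths:
        if best is None or _better(p, best, always_compare_med):
            best = p
    return best


# Constructed paths as router C (Section 11.1.13) would see them: the same
# prefix from router A (default-metric 10) and router B (default-metric 20).
ROUTER_A = Path("10.0.0.1", 200, med=10, as_path=(200,))
ROUTER_B = Path("10.0.0.2", 200, med=20, as_path=(200,))

if __name__ == "__main__":
    print(best_path([ROUTER_B, ROUTER_A]).router_id)      # A: lower MED, same AS
    other_as = Path("10.0.0.3", 300, med=5, as_path=(300,))
    print(best_path([ROUTER_A, other_as]).router_id)      # MED ignored across ASs
    print(best_path([ROUTER_A, other_as], True).router_id)  # MED compared
```

The second and third calls show what bgp always-compare-med changes: without it the MED of 5 from AS 300 is never weighed against the MED of 10 from AS 200 and the decision falls through to the router ID; with it the lower MED wins.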
11.1.14 Using a Loopback as a BGP Endpoint
Use the neighbor update-source command in BGP Router Configuration mode to specify the local address, typically that of a loopback interface, for the TCP session with a peer.
It is common in iBGP to use a loopback interface as the TCP endpoint of a BGP session. This allows the router to maintain connectivity with its neighbors even in the face of network failures: as long as the IGP can find a path between the two iBGP neighbors, the BGP session remains active. If a physical IP interface were used as the endpoint and that interface went down, the BGP session would be terminated. To tell BGP to use a specific IP address as its local endpoint, use the update-source keyword in the neighbor command. The peer must be configured with this loopback address as its neighbor address, and the loopback address must be reachable from the peer.
Command syntax:
neighbor xxx.xxx.xxx.xxx update-source yyy.yyy.yyy.yyy
Where:
xxx.xxx.xxx.xxx is a valid IPv4 address specifying a neighbor device.
yyy.yyy.yyy.yyy is a valid IPv4 address specifying a loopback interface on this router.
Example:
Figure 11-6 illustrates implementation of a loopback interface as a BGP endpoint from the configuration of the loopback interface to the execution of the update-source command.
Figure 11-6. Loopback interface as a BGP endpoint
Magnum 10RX(config)# interface loopback 1
Magnum 10RX(config-if)# ip address 192.168.91.1 255.255.255.255
Magnum 10RX(config-if)# no shutdown
Magnum 10RX(config-if)# exit
Magnum 10RX(config)# router bgp 1
Magnum 10RX(config-router)# neighbor 192.168.90.2 update-source 192.168.91.1
11.1.15 Using eBGP Without a Direct Connection
Use the neighbor ebgp-multihop command in BGP Router Configuration mode to tell eBGP that a neighbor is not directly connected.
Sometimes it is necessary to connect two eBGP neighbors that are not directly connected. In this case some other routing information (for example, a static route) is necessary so that the two peers know the path on which to communicate. By default, eBGP expects to be directly connected to its neighbor. To tell eBGP that the neighbor is not directly connected, use the ebgp-multihop keyword in the neighbor command. Enabling multihop removes the direct-connection check on the session, so restrict which hosts can reach TCP port 179 on this router to the intended peers.
In contrast, iBGP speakers do not assume they are directly connected to their neighbor. Static routes or an IGP are typically needed to provide route information for finding a path between the two speakers.
Command syntax:
neighbor xxx.xxx.xxx.xxx ebgp-multihop
Where:
xxx.xxx.xxx.xxx is the IP address of the BGP-speaking neighbor.
Example:
Magnum 10RX(config-router)# neighbor 192.168.99.9 ebgp-multihop
The no neighbor xxx.xxx.xxx.xxx ebgp-multihop command negates a multihop specification.
11.1.16 Setting Up a BGP Route Reflector
To enable BGP route reflection, use the neighbor route-reflector-client command in BGP Router Configuration mode to specify each of the route reflector's clients. BGP normally requires full mesh connectivity between all iBGP speakers in an AS because iBGP speakers are not allowed to advertise routes learned from another iBGP speaker. BGP route reflection relaxes this restriction to some degree so that a full iBGP mesh is not necessarily required in order to run iBGP.
A BGP route reflector is an iBGP speaker that advertises routes learned from other iBGP speakers to its configured clients. A BGP route reflector "cluster" is a route reflector plus all of its clients. A route reflector follows these rules:
1. Routes from a BGP peer that is not a client are reflected to all of the clients within the cluster.
2. Routes from a BGP peer that is a client are advertised to all other peers (clients and non-clients).
3. Routes from an eBGP peer are advertised to all other peers (clients and non-clients).
Command syntax:
neighbor [xxx.xxx.xxx.xxx | group-name] route-reflector-client
Where:
xxx.xxx.xxx.xxx is the IP address of the remote peer.
group-name is the name of a configured peer group.
Example:
The commands illustrated in Figure 11-7 peer with the iBGP speaker at 1.1.1.1 in AS 100 and reflect routes to and from that speaker.
Figure 11-7. Route reflector configuration
Magnum 10RX(config)# router bgp 100
Magnum 10RX(config-router)# neighbor 1.1.1.1 remote-as 100
Magnum 10RX(config-router)# neighbor 1.1.1.1 route-reflector-client
The no neighbor route-reflector-client command resets the peer as a conventional BGP peer.
Use the show ip bgp rfl info command to view information about reflector configuration.
11.1.17 Setting Up a BGP Confederation
iBGP normally requires full mesh connectivity between all iBGP speakers in an AS. A BGP confederation allows you to break a large AS into multiple smaller ASs that speak eBGP to each other but exchange routing information as if they used iBGP. In this way the full mesh requirement is relaxed, while information such as next hop, metric and local preference is preserved within the confederation. In addition, the confederation looks like a single AS to eBGP speakers outside it.
The AS number of the confederation is the confederation identifier. This identifier must be configured on each BGP speaker in the confederation.
11.1.17.1 Configuring the BGP Confederation Identifier
To configure the confederation identifier, use the bgp confederation identifier command in BGP Router Configuration mode.
Command syntax:
bgp confederation identifier as-num
Where:
as-num is the AS number that identifies this confederation to BGP speakers outside it.
Example:
The commands illustrated in Figure 11-8 associate AS 50 with confederation 200.
Figure 11-8. Associating an AS with a confederation
Magnum 10RX(config)# router bgp 50
Magnum 10RX(config-router)# bgp confederation identifier 200
Valid range: 1-65535
The no bgp confederation identifier command deletes the confederation identifier.
Use the show ip bgp confed info command to view information about confederation configuration.
11.1.17.2 Specifying Confederation Members
Use the bgp confederation peers command in BGP Router Configuration mode to configure the ASs that are inside the confederation. Each eBGP speaker in the confederation needs to distinguish between ASs that are inside the confederation and ASs that are outside it.
Command syntax:
bgp confederation peers as-num
Where:
as-num is a numerical value specifying an AS within the confederation.
Example:
The commands illustrated in Figure 11-9 configure a router in AS 50 to be aware that AS 40 and AS 60 are also members of the confederation.
Figure 11-9. Specifying confederation members
Magnum 10RX(config)# router bgp 50
Magnum 10RX(config-router)# bgp confederation peers 40
Magnum 10RX(config-router)# bgp confederation peers 60
Valid range: 1-65535
The no bgp confederation peers as-num command removes the AS specified by as-num from the confederation.
Use the show ip bgp confed info command to view information about confederation configuration.
11.1.18 Synchronizing iBGP With an IGP
Use the synchronization command in BGP Router Configuration mode to enable synchronization.
CHAPTER 11 - BGP: BGP Configuration in the GUI
Industrial Network Operating System Administrator’s Guide
210
If you are using iBGP to forward traffic between two other autonomous systems you should enable synchronization. When synchronization is enabled, iBGP will not advertise a route that it learns from another AS until that route has been completely propagated to all other routers in the AS via an IGP. If synchronization is not enabled in this scenario there may be cases where intermediate routers in the AS will not know how to forward traffic to one of the external ASs.
Command syntax:
synchronization
Example:
Magnum 10RX(config-router)# synchronization
Default value: disabled
The no synchronization command restores the default (disabled).
11.2 BGP Configuration in the GUI
The following sections describe the screens available in INOS GUI to configure BGP.
11.2.1 BGP Basic Settings
In the GUI go to the Layer 3 Management: BGP: BGP Basic Settings tab to specify basic BGP parameters, as illustrated in Figure 11-10.
Figure 11-10. BGP Basic Settings Screen
The BGP Basic Settings screen enables you to enable or disable BGP on the device, and to specify an Autonomous System (AS) number and a default local preference value. Make your selections and click the Apply button for your specification to take effect.
Table 11-2. BGP Basic Settings Fields
Status
  Whether or not BGP is enabled in the system. Options are Enabled and Disabled.
  Default value: Disabled
  Note: BGP can be enabled only if the local AS number is configured.
  See also: Section 11.1.1
AS Number
  The local AS number.
  Default value: 0
  Valid range: 0-65535
  Note: This value can be configured only while BGP is Disabled.
  See also: Section 11.1.1
Default Local Preference
  A value indicating the strength of preference as a path for exiting the AS. That is, if two local routers have a path to a remote network through an external AS, the router with the higher local preference will be used as the exit path from the AS.
  Default value: 100
  Valid range: 0-2147483647
  See also: Section 11.1.11
11.2.2 BGP Neighbor Configuration
In the GUI go to the Layer 3 Management: BGP: Neighbors tab to configure a BGP peer, as illustrated in Figure 11-11.
Figure 11-11. BGP Neighbor Configuration Screen
In BGP a peer is a neighbor (that is, another reachable device) configured for BGP communication with the current device.
The BGP Neighbor Configuration screen enables you to configure the parameters of a BGP peer of this device. Configure a new peer in the upper dialog box and click Add to display the configured peer in the lower dialog box. You can modify the parameters of a previously configured peer in the lower dialog box. Click Apply for your changes to take effect.
Table 11-3. BGP Neighbor Configuration Fields
Select
  You must click a selection button before modifying a neighbor’s parameters.
Peer Address
  The IP address of the device to be configured as a BGP peer.
  Default value: 0.0.0.0
  See also: Section 11.1.3
Remote AS
  The identifying number for the AS of the peer.
  Valid range: 1-65535
  See also: Section 11.1.3
EBGP Multihop
  Enable or disable the speaker’s ability to accept or attempt connections to external peers residing on networks that are not directly connected. The options are:
  • Enable: Enables the speaker to accept or attempt such connections.
  • Disable: Disables the speaker from accepting or attempting such connections.
  Default value: Disable
  This setting applies only to external (EBGP) peers, not to internal peers.
  See also: Section 11.1.15
Next Hop
  Specifies the method used to generate the next hop value. The options are:
  • automatic: Generates the next hop based on the IP address of the destination and the next hop value in the route information.
  • self: Sets the sender’s local address as the next hop attribute.
  Default value: automatic
Source Address
  A source address for the TCP connection to the peer. By default, the IP address configured on the physical interface directly connected to the BGP peer is used as the source address.
  See also: Section 11.1.14
11.2.3 BGP MED Configuration
In the GUI go to the Layer 3 Management: BGP: Multi-Exit Discriminators tab to specify strength of preference among available routes, as illustrated in Figure 11-12.
Figure 11-12. BGP MED Configuration Screen
The Multi-Exit Discriminator (MED) is a metric attribute used in contexts that offer more than one route to a destination to provide guidance in the BGP protocol as to a route preference.
The BGP MED screen enables you to assign metric values to specified routes to supply guidance to BGP. Make your selection and click the Apply button for your specification to take effect.
Table 11-4. BGP MED Configuration Fields
Select
  You must click a selection button before modifying a configuration.
  See also: Section 11.1.13
MED ID
  An integer to identify the rule that applies to routes matching the configured criteria.
  Valid range: 1-100
  See also: Section 11.1.13.2
Remote AS
  An integer to identify the remote AS to which the metric applies.
  Default value: 0
  Valid range: 0-65535
  See also: Section 11.1.13.2
IP Address Prefix
  The IP address prefix in the Network Layer Reachability Information field of the update.
  Default value: 0.0.0.0
  See also: Section 11.1.13.2
IP Address Prefix Length
  The length (in bits) of the IP address prefix in the Network Layer Reachability Information field.
  Default value: 0
  Valid range: 0-32
  See also: Section 11.1.13.2
Intermediate AS
  An optional comma-delimited list of intermediate ASs.
  See also: Section 11.1.13.2
Direction
  The direction of the route to which the configuration is to be applied.
  • In: applies the rule to routes received from peers via UPDATE messages.
  • Out: applies the rule to routes sent to peers via UPDATE messages.
  Default value: In
  See also: Section 11.1.13.2
Value
  The value of the metric to assign to routes matching all of the specified criteria.
  Default value: 0
  Valid range: 0-2147483647
  See also: Section 11.1.13.2
Preference
  True means that the configured metric value overrides any received metric (the override keyword of the CLI command).
  See also: Section 11.1.13.2
11.2.4 BGP Local Preference Configuration
In the GUI go to the Layer 3 Management: BGP: Local Preference tab to specify a preferred exit path from the AS for the configured route., as illustrated in Figure 11-13.
Figure 11-13. BGP Local Preference Configuration Screen
The BGPP Basic Settings screen enables you to configure a local preference value for a configured route. Specify a new configuration in the upper dialog box and click ADD to display the configuration in the lower dialog box. Edit previously configured routes in the lower dialog box and click Apply for your changes to take effect.
.
Table 11-5. BGP Local Preference Configuration Fields
Parameter Description See Also
Select You must click a selection button before modifying a neighbor’s parameters.
Local Preference ID
An integer to identify the rule that applies to routes matching the configured criteria.
Default value: 0
Valid Range: 1-100
Section 11.1.12
Remote AS An integer to identify the remote AS to which the metric applies.
Default value: 0
Valid range: 0-65535
Section 11.1.12
IP Address Prefix The IP address prefix in the Network Layer Reachability Information field in the update.
Default value: 0.0.0.0.
Section 11.1.12
CHAPTER 11 - BGPBGP Configuration in the GUI
Industrial Network Operating System Administrator’s Guide
217
IP Address Prefix Length
The length (in bits) of the IP address prefix in the Network Layer Reachability Information field.
Default value: 0
Valid range: 0-32
Section 11.1.12
Intermediate AS An optional comma-delimited list of intermediate ASs.
Section 11.1.12
Direction The direction of the route to which the configuration is to be applied.
• In applies the rule to routes received from peers via UPDATE messages.
• Out applies the rule to routes sent to peers via UPDATE messages.
Default value: In
Section 11.1.12
Value The value of the metric to assign to routes matching all of the specified criteria.
Default value: 100
Valid range: 0-2147483647
Section 11.1.12
Preference True means that the configured metric value overrides any received metric.
Section 11.1.12
11.2.5 BGP Filter Configuration
In the GUI go to the Layer 3 Management: BGP: Filters tab to filter routes that are advertised to specific BGP peers, as illustrated in Figure 11-14.
Figure 11-14. BGP Filter Configuration Screen
The BGP Filter Configuration screen enables you to filter routes that are advertised to specific BGP peers. Filters are evaluated in order according to their configured index. Each filter entry can either permit or deny a route based on whether or not it matches the specified remote AS, route prefix, and prefix length.
Use the upper dialog box to configure a new filter. Click ADD to save the configuration and display it in the lower dialog box. Edit parameters of previously configured filters in the lower dialog box and click Apply for your changes to take effect.
Table 11-6. BGP Filter Configuration Fields
Parameter Description See Also
Select You must click a selection button before modifying a filter's parameters.
Filter ID A numerical value that uniquely identifies the filter.
Valid Range: 1-100
Section 11.1.9
Remote AS An integer to identify the remote AS to which the filter applies.
Default value: 0
Valid range: 0-65535
Section 11.1.9
IP Address The IP address prefix in the Network Layer Reachability Information field in the update.
Default value: 0.0.0.0.
Section 11.1.9
IP Address Prefix Length The length (in bits) of the IP address prefix in the Network Layer Reachability Information field.
Default value: 0
Valid range: 0-32
Section 11.1.9
Intermediate AS An optional comma-delimited list of intermediate ASs.
Section 11.1.9
Direction The direction of the update. Options are:
• in is a keyword signifying that this filter applies to incoming UPDATE messages.
• out is a keyword signifying that this filter applies to outgoing UPDATE messages.
Section 11.1.9
Action The action enforced by the filter. Options are:
• allow — This filter causes a matching route to be included in UPDATE messages.
• deny — This filter causes a matching route to be excluded from UPDATE messages.
Section 11.1.9
11.2.6 BGP Route Aggregation Configuration
In the GUI go to the Layer 3 Management: BGP: Route Aggregation tab to specify an aggregation of routes, as illustrated in Figure 11-15.
Figure 11-15. BGP Route Aggregation Configuration Screen
Use address aggregation to combine the advertisement of a number of specific routes into the advertisement of a single route that is a supernet of the more-specific routes. If the summary-only option is selected, the advertisement of any specific routes in the aggregate is suppressed and only the aggregate route is advertised. Otherwise, both the aggregate and the specific routes are advertised.
Configure a new aggregation in the upper dialog box and click ADD to save the configuration and display it in the lower dialog box. Edit the parameters of previously configured aggregations in the lower dialog box and click Apply for your changes to take effect.
Table 11-7. BGP Route Aggregation Configuration Fields
Parameter Description See Also
Select You must click a selection button before modifying an aggregation’s parameters.
ID A numerical value that uniquely identifies the aggregation.
Valid Range: 1-100
Section 11.1.7
IP Address Prefix The IPv4 supernet address.
Default value: 0.0.0.0.
Section 11.1.7
IP Address Prefix Length The CIDR address mask (in bits) for the supernet.
Default value: 0
Valid range: 0-32
Section 11.1.11
Route Advertise The route(s) to advertise. Options are:
Summary Only — Only the address of the aggregate (the supernet) is advertised.
All — Both the aggregate and the specific routes are advertised.
Section 11.1.7
Chapter 12 Route Maps
The 10RX supports route filtering and manipulation through the use of route maps. Route maps can be used to control:
• how routes are redistributed
• which routes are accepted when learned via a dynamic routing protocol
• which routes are advertised by a dynamic routing protocol
Route maps can also be used to modify certain types of route information.
In release 2.1 of the software, route maps can only be configured using the CLI.
12.1 Configuring Route Maps
A route map can be thought of as a type of access control list. You may have up to 10 entries in the list for each route map and each entry consists of three parts:
• a permit or deny action
• optional match values
• optional set values
The following rules apply to matches:
• A route map entry with no match values matches all routes.
• A route map entry with multiple match values matches a route if any of the match values correspond to the route.
• Every route map ends with an implicit deny that matches all routes.
• Set values are applied to all routes in a permit entry that meet the match criteria.
12.1.1 Specifying a Route Map
Use the route-map command in Global Configuration mode to create a route map or to modify a previously configured route map. Executing the route-map command enters Route Map Configuration mode, signified by the Magnum 10RX(config-rmap-mapname)# prompt, where mapname is the name you have specified with the route-map command.
Command syntax:
route-map mapname [{permit | deny}] [sequence-number]
Where:
mapname is a user-supplied string of up to 20 characters that names the route map.
sequence-number is a numerical value in the range 1-10 specifying the order in which this entry is evaluated relative to the other entries of the same route map.
Example:
Magnum 10RX(config)# route-map mymap permit
Magnum 10RX(config-rmap-mymap)#
Once you are in Route Map Configuration mode you can execute match and set commands with numerous arguments, as detailed below. In the example above the permit keyword has been specified so that any matching routes will be permitted. To configure routes to be denied you must exit Route Map Configuration mode with the exit command and re-enter it with the route-map command and the keyword deny.
The no route-map mapname command deletes the route map entry specified by mapname.
12.1.1.1 Note on Sequence Numbers
Specifying a sequence number allows you to control the order in which the route-map entries are evaluated.
For example, to place a specific deny entry in front of a more general permit entry execute the commands below:
Figure 12-1. Route Map Sequencing Example
Magnum 10RX(config)# route-map mymap deny 1
Magnum 10RX(config-rmap-mymap)# match destination ip 192.168.5.0 255.255.255.0
Magnum 10RX(config-rmap-mymap)# exit
Magnum 10RX(config)# route-map mymap permit 2
Magnum 10RX(config-rmap-mymap)# match destination ip 192.168.0.0 255.255.0.0
Magnum 10RX(config-rmap-mymap)# exit
If you do not specify a sequence number, sequence number 1 is assumed.
12.1.2 Defining a Match
Use the match command in Route Map Configuration mode to define criteria against which routes are to be matched. Routes matching the specified criteria will be permitted or denied depending on the option used with the preceding route-map command.
Several different types of matching criteria can be used. These are detailed in Table 12-1, below.
The no match matchspec command deletes the match entry specified by matchspec.
Table 12-1. Route Map Matching Criteria
Match Type Usage
destination IP Use this command to specify the IP address and mask of the route's destination.
Syntax:
match destination ip ipaddr mask
Example:
Magnum 10RX(config-rmap-mapname)# match destination ip 192.168.5.0 255.255.255.0
source IP Use this command to specify the IP address and mask of the source of a received route. In the case of RIP, this would be the IP address of the interface sending the RIP advertisement. In the case of OSPF, this would be the router ID of the LSA originator.
Syntax:
match source ip ipaddr mask
Example:
Magnum 10RX(config-rmap-mapname)# match source ip 192.168.5.0 255.255.255.0
interface Use this command to specify the IP interface of the route's next hop.
Syntax:
match interface ifspec
Where ifspec can be:
• gigabitethernet slotnum/portnum
• vlan vlanid (1-4094)
• loopback loopid (0-9)
• ppp pppifid (1-16)
• mlppp mlpppifid (1-16)
• tunnel tunnid (1-32)
Example:
Magnum 10RX(config-rmap-mapname)# match interface gigabitethernet 5/1
next-hop IP Use this command to specify the IP address of the route's next hop.
Syntax:
match next-hop ip ipaddr
Example:
Magnum 10RX(config-rmap-mapname)# match next-hop ip 192.168.5.0
metric Use this command to specify the route's metric.
Syntax:
match metric metricval(1-2147483647)
Example:
Magnum 10RX(config-rmap-mapname)# match metric 1000
route-type Use this command to specify the route's type. This can be either local, which specifies a directly connected route, or remote, which includes static routes and routes learned from a dynamic routing protocol.
Syntax:
match route-type {local | remote}
Example:
Magnum 10RX(config-rmap-mapname)# match route-type remote
community Use this command to specify the community of a BGP route.
Syntax:
match community {local-as|no-advt|no-export|comm-num intval|none}
Where the community specification can be:
• local-as — a local autonomous system BGP community
• no-advt — a no-advertisement BGP community
• no-export — a no-export BGP community
• the BGP community specified by the community number comm-num intval(1-4294967295)
• none — that is, not a member of a BGP community
Example:
Magnum 10RX(config-rmap-mapname)# match community local-as
For more on the BGP community value see Section 11.1.10.
local-preference Use this command to specify the local preference of a BGP route.
Syntax:
match local-preference lpval(1-2147483647)
Example:
Magnum 10RX(config-rmap-mapname)# match local-preference 150
For more on the BGP local-preference value see Section 11.1.11.
origin Use this command to specify where the route originated.
Syntax:
match origin {igp |egp | incomplete}
Where:
• igp — specifies a route originating through an interior gateway protocol.
• egp — specifies a route originating through an exterior gateway protocol.
• incomplete — specifies a route originating through unknown heritage.
Example:
Magnum 10RX(config-rmap-mapname)# match origin egp
12.1.3 Setting Route Values
Use the set command in Route Map Configuration mode to manipulate routes that have been filtered with the match command.
A variety of values can be set. These are detailed in Table 12-2, below.
The no set setspec command deletes the set entry specified by setspec.
Table 12-2. Route Map Set Values
Match Type Usage
next-hop IP Use this command to specify the IP address of the new next hop value to be applied to the matching routes.
Syntax:
set next-hop ip ipaddr
Example:
Magnum 10RX(config-rmap-mapname)# set next-hop ip 192.168.5.0
metric Use this command to specify the metric to be applied to matching routes.
Syntax:
set metric metricval(1-2147483647)
Example:
Magnum 10RX(config-rmap-mapname)# set metric 1000
interface Use this command to specify the next hop IP interface to be applied to matching routes.
Syntax:
set interface ifspec
Where ifspec can be:
• gigabitethernet slotnum/portnum
• vlan vlanid (1-4094)
• loopback loopid (0-9)
• ppp pppifid (1-16)
• mlppp mlpppifid (1-16)
• tunnel tunnid (1-32)
Example:
Magnum 10RX(config-rmap-mapname)# set interface vlan 5
tag Use this command to specify the OSPF tag to be applied to matching routes.
Syntax:
set tag tagval (1-2147483647)
Example:
Magnum 10RX(config-rmap-mapname)# set tag 20
community Use this command to specify the BGP community to be applied to matching routes.
Syntax:
set community {local-as|no-advt|no-export|comm-num intval|none}
Where the community specification can be:
• local-as — a local autonomous system BGP community
• no-advt — a no-advertisement BGP community
• no-export — a no-export BGP community
• the BGP community specified by the community number comm-num intval(1-4294967295)
• none — that is, not a member of a BGP community
Example:
Magnum 10RX(config-rmap-mapname)# set community no-export
For more on the BGP community value see Section 11.1.10.
local-preference Use this command to specify the BGP local preference to be applied to matching routes.
Syntax:
set local-preference lpval(1-2147483647)
Example:
Magnum 10RX(config-rmap-mapname)# set local-preference 150
For more on the BGP local-preference value see Section 11.1.11.
origin Use this command to specify the origin of matching routes.
Syntax:
set origin {igp |egp | incomplete}
Where:
• igp — specifies a route originating through an interior gateway protocol.
• egp — specifies a route originating through an exterior gateway protocol.
• incomplete — specifies a route originating through unknown heritage.
Example:
Magnum 10RX(config-rmap-mapname)# set origin egp
12.2 Applying Route Maps
Configured route maps are applied to filter and manipulate routes by referencing them from other INOS configuration commands, as described in the following sections.
12.2.1 Route Redistribution
Use the redistribute protocol route-map command in Router Configuration mode to apply a route map as a filter list for the routes to redistribute. Permitted routes are redistributed. Denied routes are not. Set commands are allowed in certain cases to manipulate some route information during redistribution.
Command Syntax:
redistribute protocol route-map mapname
Where protocol can be:
static — redistributes routes configured statically.
connected — redistributes directly connected network routes.
bgp — redistributes routes that are learned by the BGP process.
ospf — redistributes routes that are learned by the OSPF process.
rip — redistributes routes that are learned by the RIP process.
all — redistributes all routes
And mapname is the name of a configured route map to control redistribution.
(Note: the list of valid protocol names will vary depending on the protocol specified when Router Configuration mode was entered; that is, the protocol under configuration will not be available as an option.)
Example:
The commands shown in Figure 12-2 redistribute only static routes in the 192.168.0.0/16 subnet into RIP:
Figure 12-2. Route Map Redistribution
Magnum 10RX(config)# route-map rip_filter permit
Magnum 10RX(config-rmap-rip_filter)# match destination ip 192.168.0.0 255.255.0.0
Magnum 10RX(config-rmap-rip_filter)# exit
Magnum 10RX(config)# router rip
Magnum 10RX(config-router)# redistribute static route-map rip_filter
12.2.2 Outgoing Route Filtering
Use the distribute-list route-map mapname out command in Router Configuration mode to filter advertised routes. Permitted routes will be advertised, denied routes will not. Some set commands are allowed in certain cases to manipulate route information right before it is sent.
Command Syntax:
distribute-list route-map mapname out
Where:
mapname is the name of a configured route map to filter routes.
Example:
The commands shown in Figure 12-3 prevent RIP from advertising routes that have a metric of 10:
Figure 12-3. Outgoing Route Filtering
Magnum 10RX(config)# route-map rip_filter deny 1
Magnum 10RX(config-rmap-rip_filter)# match metric 10
Magnum 10RX(config-rmap-rip_filter)# exit
Magnum 10RX(config)# route-map rip_filter permit 2
Magnum 10RX(config-rmap-rip_filter)# exit
Magnum 10RX(config)# router rip
Magnum 10RX(config-router)# distribute-list route-map rip_filter out
12.2.3 Incoming Route Filtering
Use the distribute-list route-map mapname in command in Router Configuration mode to filter received routes. Permitted routes will be installed in the route table, denied routes will not. Some set commands are allowed in certain cases to manipulate route information right before it is installed in the route table.
Command Syntax:
distribute-list route-map mapname in
Where:
mapname is the name of a configured route map to filter routes.
Example:
The commands shown in Figure 12-4 prevent RIP from installing routes advertised by the RIP router at 192.168.1.1:
Figure 12-4. Incoming Route Filtering
Magnum 10RX(config)# route-map rip_filter deny 1
Magnum 10RX(config-rmap-rip_filter)# match source ip 192.168.1.1 255.255.255.255
Magnum 10RX(config-rmap-rip_filter)# exit
Magnum 10RX(config)# route-map rip_filter permit 2
Magnum 10RX(config-rmap-rip_filter)# exit
Magnum 10RX(config)# router rip
Magnum 10RX(config-router)# distribute-list route-map rip_filter in
12.2.4 Specifying Route Administrative Distance
Use the distance distval route-map mapname command in Router Configuration mode to specify an administrative distance for routes that match the criteria in the route map specified by mapname.
For more on administrative distance see Section 9.1.5 and Section 11.1.8.
Command syntax:
distance distval [route-map mapname]
Where:
distval is a numerical value specifying the administrative distance to apply to routes matching the criteria in the route map specified by mapname.
mapname is the name of a configured route map.
Example:
Magnum 10RX(config-router)# distance 100 route-map mymap
Valid range (distval): 1-255
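The evaluation rules of Section 12.1 (entries tried in sequence-number order, any-of matching within an entry, an entry with no match values matching everything, an implicit deny at the end, set values applied only on permit) and their use by distribute-list and redistribute in Section 12.2, as an added Python model that is not INOS code. The Route and Entry structures, the attribute names, and the assumption that "ipaddr mask" matches when the route address ANDed with the mask equals ipaddr ANDed with the mask are this example's own; the route maps it builds are those of Figures 12-1, 12-4 and 12-5, run against constructed routes.

```python
import copy
import ipaddress
from dataclasses import dataclass, field

MAX_ENTRIES = 10  # "You may have up to 10 entries in the list for each route map"

# Route attribute changed by each set type (attribute names are this example's own)
_SET_ATTR = {"metric": "metric", "next-hop ip": "next_hop",
             "interface": "interface", "tag": "tag"}


@dataclass
class Route:
    destination: str             # prefix in CIDR form, e.g. "192.168.5.0/24"
    source: str = "0.0.0.0"      # advertising router (RIP sender / OSPF originator)
    metric: int = 1
    next_hop: str = "0.0.0.0"
    interface: str = ""
    route_type: str = "remote"   # "local" (directly connected) or "remote"
    tag: int = 0


@dataclass
class Entry:
    action: str                                    # "permit" or "deny"
    matches: list = field(default_factory=list)    # [(match type, value), ...]
    sets: dict = field(default_factory=dict)       # {set type: value, ...}


def _addr_matches(addr: str, ipaddr: str, mask: str) -> bool:
    """Assumed meaning of 'ipaddr mask': addr AND mask equals ipaddr AND mask."""
    m = int(ipaddress.IPv4Address(mask))
    return int(ipaddress.IPv4Address(addr)) & m == int(ipaddress.IPv4Address(ipaddr)) & m


def _match_one(kind: str, value, route: Route) -> bool:
    if kind == "destination ip":
        net = ipaddress.IPv4Network(route.destination, strict=False)
        return _addr_matches(str(net.network_address), *value)
    if kind == "source ip":
        return _addr_matches(route.source, *value)
    if kind in ("next-hop ip", "metric", "interface", "route-type"):
        return getattr(route, kind.split()[0].replace("-", "_")) == value
    raise ValueError(f"unsupported match type: {kind}")


class RouteMap:
    def __init__(self, name: str):
        self.name = name
        self.entries = {}        # sequence number -> Entry

    def entry(self, action: str, seq: int = 1) -> Entry:
        """route-map <name> {permit|deny} [sequence-number]; seq defaults to 1."""
        if not 1 <= seq <= MAX_ENTRIES:
            raise ValueError("sequence-number must be in the range 1-10")
        self.entries.setdefault(seq, Entry(action)).action = action
        return self.entries[seq]

    def evaluate(self, route: Route):
        """Return a copy of the route with set values applied if permitted, else None."""
        for seq in sorted(self.entries):              # lowest sequence number first
            e = self.entries[seq]
            # No match values: matches every route. Several: any one of them suffices.
            if e.matches and not any(_match_one(k, v, route) for k, v in e.matches):
                continue
            if e.action == "deny":
                return None
            permitted = copy.copy(route)              # set values apply only on permit
            for kind, val in e.sets.items():
                setattr(permitted, _SET_ATTR[kind], val)
            return permitted
        return None                                   # implicit deny matching all routes


def apply_route_map(rmap: RouteMap, routes):
    """Model of distribute-list in/out and redistribute: denied routes are dropped."""
    return [r for r in (rmap.evaluate(x) for x in routes) if r is not None]


def figure_12_1() -> RouteMap:
    """Deny 192.168.5.0/24 first, then permit the rest of 192.168.0.0/16."""
    m = RouteMap("mymap")
    m.entry("deny", 1).matches.append(("destination ip", ("192.168.5.0", "255.255.255.0")))
    m.entry("permit", 2).matches.append(("destination ip", ("192.168.0.0", "255.255.0.0")))
    return m


def figure_12_4() -> RouteMap:
    """distribute-list in: ignore routes advertised by the router at 192.168.1.1."""
    m = RouteMap("rip_filter")
    m.entry("deny", 1).matches.append(("source ip", ("192.168.1.1", "255.255.255.255")))
    m.entry("permit", 2)                              # no matches: permits everything else
    return m


def figure_12_5() -> RouteMap:
    """redistribute: pass only 192.168.1.0/24 and set its metric to 5 on the way in."""
    m = RouteMap("ospf_to_rip")
    e = m.entry("permit")
    e.matches.append(("destination ip", ("192.168.1.0", "255.255.255.0")))
    e.sets["metric"] = 5
    return m
```

Note that the any-of rule stated in Section 12.1 means an entry with two match values is broader, not narrower, than one with a single value; the model reproduces that.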
12.3 Route Maps and Routing Protocols
Certain route map match and set commands are not applicable for certain routing protocols and commands. The following sections identify, for each INOS-supported routing protocol, which match and set commands are available and how they can be applied.
12.3.1 Route Map Functionality for RIP
Table 12-3 illustrates which commands can be used in conjunction with which distribution applications in RIP.
Table 12-3. Route Map Match and Set Commands Supported in RIP
Supported Route Map Commands   Distribute-List IN   Distribute-List OUT   Redistribute
match destination ip           Yes                  Yes                   Yes
match source ip                Yes                  No                    No
match interface                Yes                  Yes                   Yes
match next-hop ip              Yes                  Yes                   Yes
match metric                   Yes                  Yes                   Yes
match route-type               Yes                  Yes                   Yes
set next-hop ip                Yes                  No                    No
set metric                     Yes                  Yes                   No
set interface                  Yes                  No                    No
12.3.2 Route Map Functionality for OSPF
Table 12-4 illustrates which commands can be used in conjunction with which distribution applications in OSPF.
Table 12-4. Route Map Match and Set Commands Supported in OSPF
Route Map Command              Distribute-List IN   Distribute-List OUT   Redistribute
match destination ip           Yes                  No                    Yes
match source ip                Yes                  No                    No
match interface                Yes                  No                    Yes
match next-hop ip              Yes                  No                    Yes
match metric                   Yes                  No                    Yes
match tag                      Yes                  No                    No
match metric-type              Yes                  No                    No
match route-type               Yes                  No                    Yes
set next-hop ip                Yes                  No                    No
set metric                     Yes                  No                    No
set interface                  Yes                  No                    No
set tag                        Yes                  No                    Yes
12.3.3 Route Map Functionality for BGP
Table 12-5 illustrates which commands can be used in conjunction with which distribution applications in BGP.
Table 12-5. Route Map Match and Set Commands Supported in BGP
Route Map Command              Distribute-List IN   Distribute-List OUT   Redistribute
match destination ip           Yes                  Yes                   Yes
match source ip                Yes                  No                    No
match interface                Yes                  Yes                   Yes
match next-hop ip              Yes                  Yes                   Yes
match metric                   Yes                  Yes                   Yes
match route-type               Yes                  No                    Yes
match community                Yes                  Yes                   No
match local-preference         Yes                  Yes                   No
match origin                   Yes                  Yes                   No
set next-hop ip                Yes                  No                    No
set metric                     Yes                  Yes                   Yes
set interface                  Yes                  No                    No
set community                  Yes                  Yes                   No
set local-preference           Yes                  Yes                   No
set origin                     Yes                  Yes                   No
12.3.4 Note on Route Redistribution
In route redistribution it is important to remember that the match commands, as in the example below, apply to the protocol the routes are being redistributed from, while the set commands apply to the protocol the routes are being redistributed into.
For example, execute the commands in Figure 12-5 to redistribute OSPF routes with a destination IP of 192.168.1.0/24 into RIP while setting their RIP metric to 5:
Figure 12-5. Route Map Redistribution Example
Magnum 10RX(config)# route-map ospf_to_rip
Magnum 10RX(config-rmap-ospf_to_rip)# match destination ip 192.168.1.0 255.255.255.0
Magnum 10RX(config-rmap-ospf_to_rip)# set metric 5
Magnum 10RX(config-rmap-ospf_to_rip)# exit
Magnum 10RX(config)# router rip
Magnum 10RX(config-router)# redistribute ospf route-map ospf_to_rip
12.4 Displaying Route Map Information
Use the show route-map command in Exec Commands mode to display information about all configured route maps or a specified route map.
Command syntax:
show route-map [mapname]
Where:
mapname is the name of a configured route map.
Example:
Magnum 10RX# show route-map mymap
Chapter 13 GRE
Generic Routing Encapsulation (GRE) is a technique that allows datagrams to be encapsulated into IP Packets and then redirected to an intermediate host. At the intermediate destination the datagrams are decapsulated and routed to the next leg. GRE allows a tunnel to be created using a certain protocol which then hides the contents of another protocol carried within the tunnel.
13.1 GRE Operation
In a simple GRE application two machines, Source and Receiver, are separated by a public IP network, with a router on each side. The two routers are set up to be the end points of a tunnel through the network. Each router communicates with its local source or destination machine in the protocol configured for the local environment and passes that traffic through the tunnel encapsulated inside GRE packets.
13.2 GRE Implementation
GRE encapsulation takes place at Layer 3 of the OSI Model. The encapsulated unit takes the form of a delivery header, followed by a GRE header, followed by the payload packet, as depicted in Figure 13-1.
Figure 13-1. GRE Implementation
13.3 GRE Configuration in the CLI
INOS enables you to create an instance of a GRE tunnel and to specify source and destination and to configure some features to manage the traffic in the tunnel.
13.3.1 Specifying a GRE Tunnel
Use the interface tunnel command in Global Configuration mode to specify a GRE tunnel and to enter Tunnel Interface Configuration mode, signaled by the prompt Magnum 10RX(config-if)#.
Command syntax:
interface tunnel tun_id
Where:
tun_id is a numerical value uniquely identifying this GRE tunnel.
Example:
Magnum 10RX(config)# interface tunnel 3
Magnum 10RX(config-if)#
This command specifies GRE tunnel 3, creating it if it does not already exist. Subsequent commands in the Tunnel Interface Configuration session will modify this tunnel.
Valid range: 1-32
The no interface tunnel tun_id command deletes the tunnel specified by tun_id.
13.3.2 Configuring GRE Tunnel Attributes
Use the tunnel mode command in Tunnel Interface Configuration mode to specify that the tunnel is a GRE tunnel and to specify source and destination addresses.
Command syntax:
tunnel mode gre source src_ip_addr dest dest_ip_address
Where:
src_ip_addr is a valid IP address specifying a source for the tunnel.
dest_ip_address is a valid IP address specifying a destination for the tunnel.
Example:
Magnum 10RX(config-if)# tunnel mode gre source 192.168.1.2 dest 10.0.0.2
13.3.3 Enabling Tunnel Checksum
Use the tunnel checksum command in Tunnel Interface Configuration mode to enable end-to-end checksumming of packets.
Command syntax:
tunnel checksum
Example:
Magnum 10RX(config-if)# tunnel checksum
Default value: disabled
The no tunnel checksum command specifies the default.
13.3.4 Enabling Tunnel Path MTU Discovery
Use the tunnel path-mtu-discovery command in Tunnel Interface Configuration mode to enable discovery of the Maximum Transmission Unit (MTU) size on the prescribed path.
Command syntax:
tunnel path-mtu-discovery
Example:
Magnum 10RX(config-if)# tunnel path-mtu-discovery
Default value: disabled
The no tunnel path-mtu-discovery command specifies the default.
13.3.5 Configuring Tunnel Hop Limit
Use the tunnel hop-limit command in Tunnel Interface Configuration mode to specify a limit to the number of hops a packet can take before being discarded.
Command syntax:
tunnel hop-limit h_limit
Where:
h_limit is a numerical value specifying the number of hops a packet can take before being discarded. 0 specifies the value in the payload header.
Example:
Magnum 10RX(config-if)# tunnel hop-limit 100
This command sets the hop limit to 100; the hop-limit field is decremented by 1 at each hop, and the packet is discarded when it reaches 0.
Valid-range: 0-255
13.4 GRE Configuration in the GUI
INOS enables you to create an instance of a GRE tunnel and to specify source and destination and to configure some features to manage the traffic in the tunnel.
13.4.1 Specifying a GRE Tunnel
In the GUI go to the Layer 3 Management: IP: TUNNEL Interfaces tab to configure a GRE tunnel, as illustrated in Figure 13-2.
Figure 13-2. Tunnel Configuration Screen
In the tunnel configuration screen use the upper dialog box to specify a tunnel. Click the Create button to save your specification and to display it in the lower dialog box. Use the lower dialog box to edit or delete configured tunnels.
Table 13-1. Tunnel Configuration Fields
Parameter Description See Also
Select You must click a selection button before modifying a configuration.
Tunnel ID Specify a numerical value uniquely identifying this GRE tunnel.
Valid range: 1-32
Section 13.3.1
Mode GRE is the sole available selection. Section 13.3.2
Link Status A green or red symbol to indicate the physical status of the connection.
Admin State Up or Down to indicate the administrative status of the connection.
Source Specify a valid IP address specifying a source for the tunnel.
Section 13.3.2
Destination Specify a valid IP address specifying a destination for the tunnel.
Section 13.3.2
Hop Limit Specify a limit to the number of hops a packet can take before being discarded.
Valid range: 0-255
Section 13.3.5
Checksum Enable or disable end-to-end checksumming of packets. Section 13.3.3
Path MTU Enable or disable discovery of the Maximum Transmission Unit (MTU) size on the prescribed path.
Section 13.3.4
Chapter 14 VRRP
The Virtual Router Redundancy Protocol (VRRP), described in RFC 3768, is a method of providing a backup router if a primary (or “master”) router should fail. The virtual router is a group of two or more physical routers sharing certain identifying information on the same network. One of these routers is configured with the IP address that will be used as the virtual router IP address (VRIP). This router is the “owner” of the VRIP and will serve the master role so long as it is operational. The devices that are included in a virtual router communicate with one another with a frequency specified by the value of the advertising interval. When a device serving the master role has not been heard from for a length of time that exceeds three times the advertising interval, that device is presumed to be non-functioning and priority values are used to elect a new master router from the remaining members of the virtual router.
14.1 VRRP Configuration in the CLI
The following sections describe the commands available in INOS to configure VRRP.
14.1.1 Enabling VRRP
Use the router vrrp command in Global Configuration mode to enable VRRP on the router and to enter VRRP Configuration mode displaying the Magnum 10RX(config-vrrp)# prompt.
Command syntax:
router vrrp
Example:
Magnum 10RX(config)# router vrrp
Use the no router vrrp command to disable VRRP.
14.1.2 Configuring VRRP on an Interface
Use the interface command in VRRP Configuration mode to configure VRRP parameters on a particular interface and to enter VRRP Interface Configuration mode displaying the Magnum 10RX(config-vrrp-if)# prompt.
Command syntax:
interface {vlan vid | gigabitethernet ifnum}
Where:
vid following the keyword vlan is a numerical value specifying a VLAN. This value ranges between 1 and 4094.
ifnum following the keyword gigabitethernet is a specification of an Ethernet slot and port separated by a slash, for example: 5/1.
Example:
Magnum 10RX(config-vrrp)# interface vlan 6
Magnum 10RX(config-vrrp-if)#
Valid range:
vid : 1-4094
ifnum: a valid slot/port designation.
Use the show vrrp interface command to view configured values.
14.1.3 Configuring a VRRP IP Address
Use the vrrp vrid ipv4 command in VRRP Interface Configuration mode to configure the IP address for the virtual router. A VRRP instance can be associated with more than one IP address. When the router becomes master for an instance it replies to the ARP requests for all the associated IP addresses. You can specify that an IP address is not the primary address by following the address specification with the key word secondary.
Command syntax:
vrrp vrid ipv4 ipaddr [secondary]
Where:
vrid is a numerical value in the range 1-255 specifying a virtual router ID.
ipaddr is a valid primary or secondary IP address.
Example:
Magnum 10RX(config-vrrp-if)# vrrp 1 ipv4 10.0.0.1
Valid range (VRID):1-255
The no vrrp vrid ipv4 command deletes the IP address of the virtual router.
Use the show vrrp interface ifid detail command on a switch that has an interface, specified by ifid, configured as a member of the VRRP instance to see configured values.
14.1.4 Configuring the Virtual Router Priority
Use the vrrp vrid priority command in VRRP Interface Configuration mode to configure the priority of the backup routers. The router with the highest priority will take over if the master fails.
The priority value for the VRRP router that owns the IP address(es) associated with the virtual router is always 255. VRRP routers backing up a virtual router must use priority values between 1 and 254.
Command syntax:
vrrp vrid priority pval
Where:
vrid is a numerical value specifying a virtual router ID.
pval is a numerical value specifying a priority.
Example:
Magnum 10RX(config-vrrp-if)# vrrp 1 priority 200
Default value: 100
Valid ranges:
VRID — 1-255
Priority — 1-254
The no form of this command will set the priority to the default value.
Use the show vrrp interface ifid command to view configured values.
14.1.5 Enabling Preemption Mode
Use the vrrp vrid preempt command in VRRP Interface Configuration mode to enable preemption mode on the virtual router. When preemption mode is enabled and a new VRRP router with a priority higher than that of any existing router is added to the network, the new router becomes the master. This is true even though the previous master remains up and running.
Command syntax:
vrrp vrid preempt [delay minimum minval]
Where:
vrid is a numerical value specifying a virtual router ID.
minval is a numerical value specifying a minimum delay in seconds before assuming master status.
Example:
Magnum 10RX(config-vrrp-if)# vrrp 1 preempt delay minimum 10
Default value: enabled
Note: Currently delay minimum option is not supported.
Valid ranges:
VRID — 1-255
delay minimum — 1-30
The no form of the command will disable the preemption mode for the virtual router.
Use the show vrrp interface ifid detail command to view configured values.
14.1.6 Configuring Text Authentication
Use the vrrp vrid text-authentication command in VRRP Interface Configuration mode to enable simple text authentication for the virtual router and to specify a password. Incoming VRRP packets must contain a matching password or they will be discarded.
Command syntax:
vrrp vrid text-authentication pwd
Where:
vrid is a numerical value specifying a virtual router ID.
pwd is a text string of up to 16 characters.
Example:
Magnum 10RX(config-vrrp-if)# vrrp 1 text-authentication gronk87
Default value: no authentication
Valid Range (VRID): 1-255
The no form of this command sets the authentication type for the virtual router to none.
Use the show vrrp interface ifid detail command to view configured values.
14.1.7 Configuring Advertisement Interval
Use the vrrp vrid timer command in VRRP Interface Configuration mode to set the value of the advertisement interval for the virtual router. The VRRP master router sends an advertisement packet at the configured interval to inform other routers that the master is alive.
Command syntax:
vrrp vrid timer secs
Where:
vrid is a numerical value specifying a virtual router ID.
secs is a numerical value specifying the interval between advertising packets.
Example:
Magnum 10RX(config-vrrp-if)# vrrp 1 timer 20
Default value: 1 second
The no form of this command sets the advertisement interval to the default.
Use the show vrrp interface ifid detail command to view configured values.
14.1.8 Configuring VRRP Object Tracking
Use the vrrp vrid track command in VRRP Interface Configuration mode to assign an object tracker to a VRRP instance. This allows VRRP to use certain object states in the system, such as the status of a WAN link, to determine what router should be the master. When the tracked object is in the down state the VRRP priority is decremented. When the tracked object is in the up state the VRRP priority is equal to its original value.
Command syntax:
vrrp vrid track object-id decrement decrement-value
Where:
vrid is a numerical value specifying a virtual router ID.
object-id is a numerical value specifying a previously configured object tracker.
decrement-value is a numerical value in the range 1-254 that specifies how much to decrement the VRRP priority.
Example:
Magnum 10RX(config-vrrp-if)# vrrp 2 track 5 decrement 10
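The following is an added worked example, not INOS code, that models the election rules described in Sections 14.1.4, 14.1.5 and 14.1.8: configured priority, the decrement applied while a tracked object is down, and whether a higher-priority router with preemption enabled displaces a live master. The router names, interface addresses and tracker id are constructed; the clamp of the effective priority at 1 and the IP-address tie-break are assumptions (the latter taken from the VRRP RFC), and the master-down interval formula comes from RFC 3768 rather than from this page.

```python
"""VRRP master election as configured in Sections 14.1.4, 14.1.5 and 14.1.8.

Added illustration, not INOS code: models how configured priority, tracked-object
decrements and preemption mode decide which router is master, so the effect of a
decrement value can be checked before it is applied. Router names, addresses and
tracker ids are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field

OWNER_PRIORITY = 255  # Section 14.1.4: the router owning the virtual IP


@dataclass
class Tracker:
    """An object tracker assigned with 'vrrp <vrid> track <id> decrement <n>'."""
    object_id: int
    decrement: int          # 1-254 (Section 14.1.8)
    up: bool = True


@dataclass
class VrrpRouter:
    name: str
    ip: str                 # the router's own interface address
    priority: int           # 1-254 for backups, OWNER_PRIORITY for the owner
    preempt: bool = True    # Section 14.1.5: default enabled
    adv_interval: int = 1   # Section 14.1.7: default 1 second
    trackers: list = field(default_factory=list)
    alive: bool = True

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracker that is down.

        Assumption: the result is clamped at 1 so a router whose tracked links
        all fail stays a valid (lowest-priority) backup.
        """
        pri = self.priority - sum(t.decrement for t in self.trackers if not t.up)
        return max(pri, 1)

    def master_down_interval(self) -> float:
        """Seconds a backup waits without advertisements before assuming master.

        Not stated on this page; formula from RFC 3768:
        3 * Advertisement_Interval + (256 - Priority) / 256.
        """
        return 3 * self.adv_interval + (256 - self.effective_priority()) / 256


def elect_master(routers, current=None):
    """Return the router that ends up master.

    Highest effective priority wins; a tie is broken by the higher interface IP
    (assumed, as in the VRRP RFC). A live master is displaced only when the
    best candidate has preemption enabled (Section 14.1.5).
    """
    live = [r for r in routers if r.alive]
    if not live:
        return None
    best = max(live, key=lambda r: (r.effective_priority(),
                                    ipaddress.ip_address(r.ip)))
    if current is not None and current.alive and current is not best \
            and not best.preempt:
        return current
    return best


def scenario():
    """Constructed two-router deployment; returns the master's name after each step."""
    wan = Tracker(object_id=5, decrement=120)          # tracks rtr-a's WAN link
    rtr_a = VrrpRouter("rtr-a", "10.0.0.2", priority=200, trackers=[wan])
    rtr_b = VrrpRouter("rtr-b", "10.0.0.3", priority=100)
    routers = [rtr_a, rtr_b]
    steps, master = [], None

    def step():
        nonlocal master
        master = elect_master(routers, master)
        steps.append(master.name)

    step()                       # both up: rtr-a (200 > 100)
    wan.up = False               # WAN down on rtr-a: 200 - 120 = 80 < 100
    step()                       # rtr-b preempts
    wan.up = True                # link restored, preempt enabled on rtr-a
    step()                       # rtr-a takes the role back
    rtr_a.preempt = False        # 'no vrrp 1 preempt' on rtr-a
    wan.up = False
    step()                       # rtr-b takes over again
    wan.up = True
    step()                       # rtr-a is best but will not preempt: rtr-b stays
    rtr_b.alive = False          # rtr-b stops advertising
    step()                       # only rtr-a is left
    return steps
```

The scenario shows the two decrement-value mistakes an administrator most often makes: a decrement smaller than the priority gap between the routers (here anything below 100) would leave the router with the failed WAN link as master, and disabling preemption on the preferred router means a restored link does not move the role back.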
14.2 VRRP Configuration in the GUI
The following sections describe the GUI screens available in INOS to configure VRRP.
14.2.1 Enabling VRRP
In the GUI go to the Layer 3 Management: VRRP: Basic Settings tab to enable or disable VRRP in the switch, as illustrated in Figure 14-1.
Figure 14-1. VRRP Basic Settings Screen
The VRRP Basic Settings screen enables you to enable or disable VRRP in the switch. Make your selection and click the apply button for your specification to take effect. See also Section 14.1.1.
14.2.2 VRRP Settings
In the GUI go to the Layer 3 Management: VRRP: VRRP Settings tab to configure the parameters for virtual routers, as illustrated in Figure 14-2.
Figure 14-2. VRRP Settings Screen
The VRRP Settings screen enables you to configure parameters for a virtual router. Configure a router in the upper dialog box and click Add to display its values in the lower dialog box. Use the lower dialog box to modify previously configured parameters.
Table 14-1. VRRP Settings Fields
Parameter Description See Also
Select You must click a selection button before modifying a router’s parameters.
Virtual Router ID A numerical value identifying a virtual router.
Valid range: 1-255
Section 14.1.2
Interface The name or other designation of the interface on which the VRRP is configured.
Section 14.1.2
Primary IP Address
The primary IP address for the virtual router.
Default value: 0.0.0.0
Section 14.1.3
Priority The priority value to be used for the Virtual Router master election process.
Default value: 100
Valid range: 1-254
Section 14.1.4
Advertisement Interval
The interval in seconds for sending advertisement packets.
Default value: 1 second
Valid range: 1-255 seconds
Section 14.1.7
Pre-emption Whether a higher priority virtual router will preempt a lower priority master router. Options are Enable and Disable.
Default value: Enable
Section 14.1.5
Chapter 15 Object Tracking
This chapter describes the management of the INOS Object Tracking application. Object tracking enables tracking of specific objects on the device, such as the interface line protocol state, IP routing, and route reachability, and it enables action when the tracked object's state changes. This feature increases the availability of the network and shortens recovery time if an object state goes down. Several clients can register with the tracking process, track the same object, and take action when the object state changes. For example, Virtual Router Redundancy Protocol (VRRP) tracks certain objects and changes the state when specified thresholds are reached, thereby allowing other routers to do forwarding on its behalf.
15.1 Trackable States and Conditions
The following sections describe some of the states and conditions that can be monitored and acted upon by the INOS Object Tracking functionality.
15.1.1 Line-Protocol State of an Interface
The line-protocol state determines whether the lower level protocol has been negotiated for the link. If the lower layer negotiations fail the link should be considered down and tracking clients should be informed.
15.1.2 IP-Routing State of an Interface
An IP-routing object is considered up when all of the following criteria are met:
• IP routing is globally enabled.
• The interface line-protocol state is up.
• The interface has a valid IP address.
Interface IP routing will go down when one of the following criteria is met:
• IP routing is disabled globally.
• The interface line-protocol state is down.
• The interface IP address is unknown.
15.1.3 IP-Route Reachability
The reachability of a route can be tracked so that if a specific route becomes inaccessible the client can take corresponding action. For example, a VRRP router can reduce its priority value, thereby causing a change in state from Master to Backup.
15.2 Configuring Object Tracking in the CLI
The following sections describe the CLI commands that enable you to configure INOS Object tracking in the CLI.
15.2.0.1 Configuring Interface Tracking Interval
Use the track timer interface command in the Global Configuration mode to specify the frequency at which the tracking process will poll the tracked interface.
Command syntax:
track timer interface pollsec_if
Where:
pollsec_if is a numerical value specifying the polling interval in seconds.
Example:
Magnum 10RX(config)# track timer interface 60
This command specifies that the tracked interface will be polled every 60 seconds.
Default value: 1 second
Valid range: 1-3000
Use the show track command in Exec Commands mode to view configured values.
15.2.0.2 Configuring IP Route Tracking Interval
Use the track timer ip route command in the Global Configuration mode to specify the frequency at which the tracking process will poll the tracked IP route.
Command syntax:
track timer ip route pollsec_route
Where:
pollsec_route is a numerical value specifying the polling interval in seconds.
Example:
Magnum 10RX(config)# track timer ip route 120
This command specifies that the tracked IP route will be polled every 120 seconds.
Default value: 15 seconds
Valid range: 1-3000
Use the show track command in Exec Commands mode to view configured values.
15.2.0.3 Configuring Tracking of an Interface Line Protocol
Use the track interface line-protocol command in the Global Configuration mode to specify an interface on which line protocol status will be tracked and to enter the Tracking Configuration mode, signaled by the prompt Magnum 10RX(config-track)#.
Command syntax:
track objnum interface type number line-protocol
Where:
objnum specifies a numerical value for this tracked object.
type specifies the interface type.
number specifies the individual interface addressed.
Example:
Magnum 10RX(config)# track 5 interface gigabitethernet 1/1 line-protocol
Magnum 10RX(config-track)#
This command specifies that tracked object number 5 is line protocol status on the GbE interface 1/1.
Valid range, object number: 1-500
Use the show track command in Exec Commands mode to view configured values.
15.2.0.4 Configuring Tracking of Interface IP Routing
Use the track interface ip-routing command in the Global Configuration mode to enable tracking of IP routing on an interface and to enter the Tracking Configuration mode, signaled by the prompt Magnum 10RX(config-track)#.
Command syntax:
track objnum interface type number ip-routing
Where:
objnum specifies a numerical value for this tracked object.
type specifies the interface type.
number specifies the individual interface addressed.
Example:
Magnum 10RX(config)# track 499 interface vlan 1 ip-routing
Magnum 10RX(config-track)#
This command specifies that tracked object number 499 is IP routing on VLAN 1.
Valid range, object number: 1-500
Use the show track command in Exec Commands mode to view configured values.
15.2.0.5 Configuring Tracking of Route Reachability
Use the track ip route reachability command in the Global Configuration mode to enable tracking of the reachability of an IP route and to enter the Tracking Configuration mode, signaled by the prompt Magnum 10RX(config-track)#.
Command syntax:
track objnum ip route route_num mask reachability
Where:
objnum specifies a numerical value for this tracked object.
route_num is the IP address, in dotted decimal notation, of the route that is being tracked.
mask is a subnet mask in dotted decimal notation.
Example:
Magnum 10RX(config)# track 10 ip route 198.162.1.3 255.255.255.0 reachability
Magnum 10RX(config-track)#
This command specifies that tracked object number 10 is the reachability of the specified route.
Valid range, object number: 1-500
Use the show track command in Exec Commands mode to view configured values.
15.2.0.6 Configuring Tracking Delay
Use the delay up down command in the Tracking Configuration mode to specify a period of time to delay communicating state changes of a tracked object. The delay in communication following a transition to the up state and the delay in communication following the transition to a down state are separately specified.
The tracked object starts the delay timer when a state change occurs but does not recognize a state change until the delay timer expires. After the timer expires the object state is checked again and the client is notified only if the object currently has a changed state. Object tracking ignores any intermediate state changes before the delay timer expires.
For example, for an interface line-protocol tracked object that is in the up state with a 20 second down delay, the delay timer starts when the line protocol goes down. The client is not notified that the object is in the down state unless the line protocol is down 20 seconds later.
Command syntax:
delay up u_delay down d_delay
Where:
u_delay is a numerical value specifying the number of seconds to delay notification of a changed state when an object state changes from down to up.
d_delay is a numerical value specifying the number of seconds to delay notification of a changed state when an object state changes from up to down.
Example:
Magnum 10RX(config-track)# delay up 30 down 60
This command specifies that when the tracked object being configured changes state from down to up notification of this change to the client will be delayed by 30 seconds. Notification of a change from up to down will be delayed 60 seconds.
Valid range: 0-180
Use the show track command in Exec Commands mode to view configured values.
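The delay behaviour described above is easy to misjudge when a link flaps. The following added example, which is not INOS code, simulates a tracked object polled once per second with the page's delay up 30 down 60 setting: a state change starts the timer, changes while the timer runs neither restart nor cancel it, and the current state is re-checked only when the timer expires. The event times and the object id are constructed sample data.

```python
"""Delay timers for a tracked object (Section 15.2.0.6).

Added illustration, not INOS code: simulates the 'delay up <u_delay> down
<d_delay>' behaviour described above, including the rule that state changes
occurring while the timer runs are ignored and the state is re-checked only
when the timer expires. Event times below are constructed sample data.
"""


class TrackedObject:
    """One tracked object, polled once per second by run_polls()."""

    def __init__(self, object_id, delay_up=0, delay_down=0, initial_up=True):
        self.object_id = object_id
        self.delay_up = delay_up          # seconds, 0-180
        self.delay_down = delay_down      # seconds, 0-180
        self.raw_up = initial_up          # state seen by the most recent poll
        self.notified_up = initial_up     # state the tracking clients believe
        self.timer_expiry = None          # absolute time the delay timer fires
        self.notifications = []           # (time, "up" | "down") sent to clients

    def poll(self, now, raw_up):
        """Record the state observed at time `now` and apply the delay logic."""
        self.raw_up = raw_up
        if self.timer_expiry is None and raw_up != self.notified_up:
            # A change relative to the notified state starts the timer; a
            # change while the timer already runs does not restart or stop it.
            delay = self.delay_up if raw_up else self.delay_down
            self.timer_expiry = now + delay
        if self.timer_expiry is not None and now >= self.timer_expiry:
            # Timer expired: look at the *current* state only. If the object
            # has flapped back to the notified state, nothing is sent.
            if self.raw_up != self.notified_up:
                self.notified_up = self.raw_up
                self.notifications.append((now, "up" if self.raw_up else "down"))
            self.timer_expiry = None


def run_polls(events, delay_up, delay_down, horizon):
    """Poll a line-protocol object once a second from t=0 to t=horizon.

    `events` maps a time to the raw state (True = up) that becomes visible at
    that second. Returns the list of notifications the client would receive.
    """
    obj = TrackedObject(object_id=5, delay_up=delay_up, delay_down=delay_down)
    raw_up = True
    for now in range(horizon + 1):
        raw_up = events.get(now, raw_up)
        obj.poll(now, raw_up)
    return obj.notifications


def flapping_link_example():
    """Constructed sequence using the page's 'delay up 30 down 60' example."""
    events = {
        0: False,    # link goes down: 60 s down timer starts
        20: True,    # comes back briefly ...
        25: False,   # ... and fails again; both changes are ignored by the timer
        100: True,   # stays up: 30 s up timer starts
        200: False,  # short outage ...
        210: True,   # ... recovers before the 60 s timer fires: no notification
    }
    return run_polls(events, delay_up=30, delay_down=60, horizon=300)
```

Note that the second outage at t=25 does not earn a fresh 60 seconds: the client is told "down" at t=60, when the original timer fires, because the object is down at that moment. A VRRP client using this tracker (Section 14.1.8) therefore decrements its priority at t=60, not t=85.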
15.3 Configuring Object Tracking in the GUI
The following sections describe the screens that enable you to configure INOS Object tracking in the GUI.
15.3.1 Configuring Tracking Timers
In the GUI go to the Layer 3 Management: Track: Track Timer tab to specify tracking timing intervals for interfaces and IP routes, as illustrated in Figure 15-1.
Figure 15-1. Object Track Timer Screen
Use the Object Track Timer screen to specify the frequency at which the tracking process polls the tracked interface or IP route. Click Apply for your specifications to take effect.
Table 15-1. Object Track Timer Fields
Parameter Description See Also
Interface Track Timer
Specify a polling interval in seconds.
Default value: 1 second
Valid range: 1-3000
Section 15.2.0.1
IP Route Track Timer
Specify a polling interval in seconds.
Default value: 15 seconds
Valid range: 1-3000
Section 15.2.0.2
15.3.2 Configuring Object Tracking
In the GUI go to the Layer 3 Management: Track: Track Settings tab to configure tracking details, as illustrated in Figure 15-2.
Figure 15-2. Object Tracking Configuration Screen
In the object tracking configuration screen use the upper dialog box to specify the details of the tracking process. Click the Create button to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured object tracking.
Table 15-2. Object Tracking Fields
Parameter Description See Also
Select You must click a selection button before modifying a configuration.
Track ID Specify a number to identify this tracked object.
Valid range: 1-500
Section 15.2.0.3
Section 15.2.0.4
Track Type Specify whether the tracking is to focus on an interface or on an IP route.
Section 15.2.0.3
Section 15.2.0.4
Track Protocol Specify the protocol type to be tracked. Options are
Line-protocol — The state of an interface’s lower level protocol.
IP-routing — The state of IP routing on an interface
Section 15.2.0.3
Section 15.2.0.4
Interface If the target is an interface select an available interface. Section 15.2.0.3
Network If reachability of a route is tracked enter an IP address here.
Section 15.2.0.5
Subnet Mask If reachability of a route is tracked enter a network mask here.
Section 15.2.0.5
Delay Up Specify the delay in communication following the transition to an up state.
Valid range: 0-180 seconds
Section 15.2.0.6
Delay Down Specify the delay in communication following the transition to a down state.
Valid range: 0-180 seconds
Section 15.2.0.6
Chapter 16 DHCP Server
The Dynamic Host Configuration Protocol (DHCP) enables you to reserve ranges of addresses that can be allocated temporarily to devices as needed. Dynamic allocation allows automatic reuse of addresses by granting temporary address leases to hosts as they are requested. When a lease expires, the host must renew the lease with the server. If a lease is not renewed, that address may be allocated to a new host. For dynamic allocation a set of address pools (or "ranges") are configured on the server and new addresses are selected from these pools.
16.1 Configuring the DHCP Server in the CLI
The following subsections detail the CLI commands that enable you to configure the DHCP server. These commands are executed from Global Configuration mode and from DHCP configuration mode.
16.1.1 Enabling and Disabling the DHCP Server
Use the set dhcp server command in Global Configuration mode to enable or disable DHCP server functionality.
Command syntax:
set dhcp server {enable|disable}
Example:
Magnum 10RX(config)# set dhcp server enable
16.1.2 Configuring a DHCP Address Pool
Use the ip dhcp pool command in Global Configuration mode to create the DHCP address pool and to enter DHCP Configuration mode, signified by the Magnum 10RX(dhcp-config)# prompt, for address pool-related configuration.
Command syntax:
ip dhcp pool poolnum
Where:
poolnum is a numerical value specifying an address pool.
Example:
Magnum 10RX(config)# ip dhcp pool 100
Magnum 10RX(dhcp-config)#
Valid range: 1-2147483647
The no ip dhcp pool poolnum command deletes the address pool specified by poolnum.
16.1.3 Specifying a Boot Server
Use the ip dhcp next-server command in Global Configuration mode to configure in the DHCP server parameters the IP address of the boot server (that is, TFTP server) from which the initial boot file is to be loaded in a DHCP client. When a DHCP client starts it contacts the boot server in order to download the boot file.
Command syntax:
ip dhcp next-server ipaddr
Where:
ipaddr is the IP address of the boot server.
Example:
Magnum 10RX(config)# ip dhcp next-server 192.168.2.10
Default value: If no boot server is specified the DHCP server fulfills this function.
The no ip dhcp next-server command specifies the default.
16.1.4 Specifying a Boot File
Use the ip dhcp bootfile command in Global Configuration mode to configure in the DHCP server parameters the name of the boot file. This is the file that stores the boot image (operating system) and that the client loads and executes.
Command syntax:
ip dhcp bootfile filename
Where:
filename is a string of up to 63 characters in length naming the boot file.
Example:
Magnum 10RX(config)# ip dhcp bootfile booterup5
The no dhcp bootfile command deletes a configured boot file name.
16.1.5 Enabling the ICMP Echo
Use the ip dhcp ping packets command in Global Configuration mode to enable the Internet Control Message Protocol (ICMP) echo mechanism on the DHCP server. With this feature enabled the server is able to ping candidate IP addresses to make sure they are available before assigning them to clients.
Command syntax:
ip dhcp ping packets
Example:
Magnum 10RX(config)# ip dhcp ping packets
Default value: feature is disabled
The no ip dhcp ping packets command specifies the default.
16.1.6 Configure Offer-reuse Interval
Use the ip dhcp server offer-reuse command in Global Configuration mode to configure the length of time the server will wait to receive a DHCP REQUEST from a client before making an offered IP address available to another client.
Command syntax:
ip dhcp server offer-reuse offersecs
Where:
offersecs is a numerical value in the range 1-120 specifying the number of seconds between an offer made and a response from the targeted client.
Example:
Magnum 10RX(config)# ip dhcp server offer-reuse 10
Default value: 5
Valid range: 1-120
The no ip dhcp server offer-reuse command specifies the default.
16.1.7 Configuring Global DHCP Options
Use the ip dhcp option command in Global Configuration mode to configure DHCP options defined in RFC 2132. For the option command applied to specific address pools see Section 16.1.15.
Command syntax:
ip dhcp option code {ascii string | hex hexval | ip ipaddr}
Where:
code is a numerical value in the range 1-214748364 specifying an option defined in RFC 2132.
string following the keyword ascii specifies a text to be returned.
hexval following the keyword hex specifies a hex value to be returned.
ipaddr following the keyword ip specifies an IP address to be returned.
Example:
Magnum 10RX(config)# ip dhcp option 11 ascii testtext
Valid range (code): 1-214748364
The no ip dhcp option optionspec command deletes the option specified by optionspec.
16.1.8 Configuring a Subnet Pool of Addresses
Use the network command in DHCP Configuration mode to specify network IP address range in the subnet pool.
Command syntax:
network ipaddr [{mask| / preflength}] [start_ip startaddr][end_ip endaddr]
Where:
ipaddr specifies the network IP subnet address for the DHCP pool of addresses available to be assigned to clients.
mask specifies a subnet mask for the network IP address. This value is used to calculate the range of available addresses.
preflength specifies the number of high-order bits in the IP address. This value, in the range 1-31, must be preceded by a three-element prefix made up of a space followed by a forward slash followed by another space. This specification has the effect of creating a mask and an end-of-range address. For example, 20.0.0.0 / 6
startaddr specifies the first IP address in the pool. If this address is manually specified it overrides any automatically calculated beginning-of-range address.
endaddr specifies the last IP address in the pool. If this address is manually specified it overrides any automatically calculated end-of-range address.
Example:
Magnum 10RX(dhcp-config)# network 20.0.0.0 255.0.0.0 start_ip 20.0.0.50 end_ip 20.0.0.100
Default value (mask): 255.0.0.0
Valid range (preflength): 1-31
The no network addressspec command deletes from the pool the addresses specified by addressspec.
16.1.9 Excluding Addresses from a Pool
Use the excluded-address command in DHCP Configuration mode to exclude specified addresses from a previously configured address pool. The addresses in this subset of addresses will not be assigned to DHCP clients.
Command syntax:
excluded-address startaddr endaddr
Where:
startaddr is the initial IP address in the excluded range.
endaddr is the last IP address in the excluded range.
Example:
Magnum 10RX(dhcp-config)# excluded-address 20.0.0.1 20.0.0.30
The no excluded-address startaddr endaddr command ends the exclusion of the range of addresses defined by startaddr endaddr.
16.1.10 Specifying a Domain Name
Use the domain-name command in DHCP Configuration mode to configure the domain name option in the DHCP configuration parameters. A DHCP client uses this domain name while resolving host names through a domain name system.
Command syntax:
domain-name dname
Where:
dname is a string of up to 63 characters specifying a domain name.
Example:
Magnum 10RX(dhcp-config)# domain-name garrettcom
The no domain-name dname command deletes the configured domain name dname.
16.1.11 Specifying a DNS Server
Use the dns-server command in DHCP Configuration mode to configure a DNS server’s IP address in the DHCP configuration parameters.
Command syntax:
dns-server ipaddr
Where:
ipaddr is the IP address of a DNS server.
Example:
Magnum 10RX(dhcp-config)# dns-server 192.168.2.10
The no dns-server command deletes a configured DNS server address.
16.1.12 Specifying a NetBIOS and WINS Name Server
Use the netbios-name-server command in DHCP Configuration mode to configure the IP address of a name server for Network Basic Input/Output System (NetBIOS) and Windows Internet Name Service (WINS) in the DHCP configuration parameters.
Command syntax:
netbios-name-server ipaddr
Where:
ipaddr is the IP address of a NetBIOS and WINS name server.
Example:
Magnum 10RX(dhcp-config)# netbios-name-server 10.10.10.4
The no netbios-name-server command deletes a configured NetBIOS server address.
16.1.13 Specifying a NetBIOS Node Type
Use the netbios-node-type command in DHCP Configuration mode to configure the method used to register and resolve NetBIOS names to IP addresses.
Command syntax:
netbios-node-type {nodeval|b-node|h-node|m-node|p-node}
Where:
nodeval is a numerical value in the range 0-255 that enables NetBIOS over TCP/IP clients.
b-node is a keyword specifying that name resolution will be done by broadcasts.
h-node is a keyword specifying that name resolution will be done by a hybrid of p-node and b-node, first attempting a query of a name server and then using a name broadcast.
m-node is a keyword specifying that name resolution will be done by a mixture of b-node and p-node, first attempting resolution by broadcast and then by querying a name server.
p-node is a keyword specifying that name resolution be done peer-to-peer, by a query of a configured NetBIOS name server.
Example:
Magnum 10RX(dhcp-config)# netbios-node-type h-node
The no netbios-node-type command deletes a configured node type.
16.1.14 Specifying a Default Router
Use the default-router command in DHCP Configuration mode to specify the IP address of a default router with which clients can communicate to access an address pool.
Command syntax:
default-router ipaddr
Where:
ipaddr is the IP address of the default router.
Example:
Magnum 10RX(dhcp-config)# default-router 192.168.4.12
Valid range: 1-16
The no default-router command deletes the configured IP address.
16.1.15 Configuring Pool-specific DHCP Options
Use the option command in DHCP Configuration mode to configure DHCP options defined in RFC 2132. For the option command applied globally see Section 16.1.7.
Command syntax:
option code {ascii string | hex hexval | ip ipaddr}
Where:
code is a numerical value in the range 1-214748364 specifying a DHCP option used in a DHCP OFFER message in response to a DHCP DISCOVER message.
string following the keyword ascii specifies a text for the DHCP option specified by code.
hexval following the keyword hex specifies a hex value for the DHCP option specified by code.
ipaddr following the keyword ip specifies an IP address for the DHCP option specified by code.
Example:
Magnum 10RX(dhcp-config)# option 19 ascii hex f
Valid range (code): 1-214748364
The no option optionspec command deletes the option specified by optionspec.
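The ascii, hex and ip value forms of the option commands in Sections 16.1.7 and 16.1.15 all end up in the same RFC 2132 code/length/value layout in the DHCP OFFER. The following added example, not INOS code, encodes options in the three forms and parses them back with the length checks a receiver needs; option 19 with a hex value follows the page's example, the other values are constructed. On the wire the option code is a single octet, so the encoder accepts codes 1-254 (255 is the END marker) regardless of the wider range the CLI accepts.

```python
"""Wire encoding of the options configured with 'ip dhcp option' / 'option'
(Sections 16.1.7 and 16.1.15).

Added illustration, not INOS code: shows what the ascii, hex and ip value forms
become in a DHCP OFFER, using the RFC 2132 code/length/value layout, and decodes
them back with the bounds checks a parser needs. Values are constructed sample data.
"""
import ipaddress
import struct

PAD_OPTION = 0     # single byte, no length field (RFC 2132)
END_OPTION = 255   # single byte, terminates the option list


def encode_option(code, kind, value):
    """Return the TLV bytes for one option: 1-byte code, 1-byte length, value."""
    if not 1 <= code <= 254:
        raise ValueError("option code must be 1-254 on the wire")
    if kind == "ascii":
        payload = value.encode("ascii")
    elif kind == "hex":
        if len(value) % 2:                      # 'hex f' -> 0x0f
            value = "0" + value
        payload = bytes.fromhex(value)
    elif kind == "ip":
        payload = ipaddress.IPv4Address(value).packed
    else:
        raise ValueError(f"unknown value form {kind!r}")
    if len(payload) > 255:
        raise ValueError("option value longer than 255 bytes")
    return struct.pack("BB", code, len(payload)) + payload


def encode_options(options):
    """Encode a list of (code, kind, value) tuples and terminate with END."""
    return b"".join(encode_option(c, k, v) for c, k, v in options) + bytes([END_OPTION])


def decode_options(blob):
    """Parse a code/length/value sequence into {code: bytes}, stopping at END.

    Every length is checked against the remaining buffer so a truncated or
    malformed option list raises ValueError instead of reading past the end.
    """
    out = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == END_OPTION:
            break
        if code == PAD_OPTION:
            i += 1
            continue
        if i + 2 > len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        out[code] = value
        i += 2 + length
    return out


def offer_example():
    """Constructed option list mirroring the page's command examples."""
    return encode_options([
        (11, "ascii", "testtext"),      # 'ip dhcp option 11 ascii testtext'
        (19, "hex", "f"),               # 'option 19 ... hex f'
        (1, "ip", "255.255.255.0"),     # subnet mask option as an ip value
    ])
```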
16.1.16 Configuring a Lease Period
Use the lease command in DHCP Configuration mode to specify a lease period; that is, the duration of a client’s possession of an IP address assigned by the DHCP server. The user specifies the lease period in terms of days, hours, and minutes. An internal calculation is done to translate these specifications into total seconds.
Command syntax:
lease {days [hours [minutes]]|infinite}
Where:
days is a numerical value in the range 0-365 specifying a number of days.
hours is a numerical value in the range 0-23 specifying a number of hours.
minutes is a numerical value in the range 1-59 specifying a number of minutes.
infinite is a keyword specifying that the lease period is 2147483647 seconds.
Example:
Magnum 10RX(dhcp-config)# lease 0 8
Default value: 3600 seconds (1 hr.)
Valid ranges:
days — 0-365
hours — 0-23
minutes — 1-59
The no lease command specifies the default.
16.1.17 Configuring a Pool Utilization Threshold
Use the utilization threshold command in DHCP Configuration mode to specify a percentage of the addresses in the pool. When the proportion of addresses in use exceeds this percentage warnings will be triggered: a syslog event and an SNMP trap message will be generated.
Command syntax:
utilization threshold percentage
Where:
percentage is a numerical value in the range 0-100 specifying the percentage of utilization of the address pool that, when exceeded, will trigger warnings.
Example:
Magnum 10RX(dhcp-config)# utilization threshold 80
Default value: 75
Valid range: 0-100
The no utilization threshold command specifies the default.
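Sections 16.1.8, 16.1.9, 16.1.16 and 16.1.17 together determine how many addresses a pool can hand out and when the server raises its utilization warning. The following added example, not INOS code, reproduces that arithmetic so a planned pool can be checked before it is configured: the subnet range from a mask or prefix length, the start_ip/end_ip override, excluded ranges, the lease conversion to seconds and the threshold comparison. The pool definition follows the page's network example; the excluded range, client identifiers and threshold are constructed, and skipping the network and broadcast addresses in the automatic range is an assumption.

```python
"""Address-pool arithmetic for the DHCP commands in Sections 16.1.8, 16.1.9,
16.1.16 and 16.1.17.

Added illustration, not INOS code: reproduces the pool range calculation,
address exclusion, lease-to-seconds conversion and utilization threshold
described on this page. Pool contents and client identifiers are constructed.
"""
import ipaddress

LEASE_INFINITE = 2147483647   # Section 16.1.16: the 'infinite' keyword
DEFAULT_LEASE = 3600          # Section 16.1.16: default 1 hour
DEFAULT_MASK = "255.0.0.0"    # Section 16.1.8: default mask


def lease_seconds(days=None, hours=0, minutes=0, infinite=False):
    """'lease {days [hours [minutes]]|infinite}' converted to total seconds.

    Omitted fields count as 0 (the CLI's range for an explicit minutes value
    is 1-59; 0 here means the field was not given).
    """
    if infinite:
        return LEASE_INFINITE
    if days is None:
        return DEFAULT_LEASE
    if not (0 <= days <= 365 and 0 <= hours <= 23 and 0 <= minutes <= 59):
        raise ValueError("lease field out of range")
    return days * 86400 + hours * 3600 + minutes * 60


class DhcpPool:
    """One 'ip dhcp pool' with its network, exclusions and bindings."""

    def __init__(self, pool_id, utilization_threshold=75):
        self.pool_id = pool_id
        self.threshold = utilization_threshold   # Section 16.1.17: default 75
        self.first = self.last = None
        self.excluded = []                       # non-overlapping (start, end) ranges
        self.bindings = {}                       # client id -> IPv4Address

    def network(self, addr, mask=None, prefix_len=None, start_ip=None, end_ip=None):
        """'network <addr> [{mask | / preflength}] [start_ip a] [end_ip b]'."""
        if prefix_len is not None:
            net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        else:
            net = ipaddress.ip_network(f"{addr}/{mask or DEFAULT_MASK}", strict=False)
        # Assumption: the calculated range skips the network and broadcast
        # addresses; an explicit start_ip/end_ip overrides either end.
        self.first = ipaddress.ip_address(start_ip) if start_ip else net.network_address + 1
        self.last = ipaddress.ip_address(end_ip) if end_ip else net.broadcast_address - 1
        if self.first not in net or self.last not in net or self.first > self.last:
            raise ValueError("start/end must lie inside the subnet, start <= end")
        return self

    def excluded_address(self, start, end):
        """'excluded-address <start> <end>' (inclusive)."""
        self.excluded.append((ipaddress.ip_address(start), ipaddress.ip_address(end)))
        return self

    def _is_excluded(self, a):
        return any(s <= a <= e for s, e in self.excluded)

    def size(self):
        """Assignable addresses: the range minus excluded addresses inside it."""
        total = int(self.last) - int(self.first) + 1
        for s, e in self.excluded:
            lo, hi = max(s, self.first), min(e, self.last)
            if lo <= hi:
                total -= int(hi) - int(lo) + 1
        return total

    def allocate(self, client_id):
        """Lowest free, non-excluded address; an existing binding is returned as is."""
        if client_id in self.bindings:
            return self.bindings[client_id]
        in_use = set(self.bindings.values())
        a = self.first
        while a <= self.last:
            if not self._is_excluded(a) and a not in in_use:
                self.bindings[client_id] = a
                return a
            a += 1
        return None                              # pool exhausted

    def utilization_percent(self):
        n = self.size()
        return 100.0 * len(self.bindings) / n if n else 0.0

    def threshold_exceeded(self):
        """True when utilization exceeds the configured percentage (Section 16.1.17)."""
        return self.utilization_percent() > self.threshold


def plan_example():
    """The page's network example with a constructed exclusion and 33 clients."""
    pool = (DhcpPool(100, utilization_threshold=80)
            .network("20.0.0.0", mask="255.0.0.0",
                     start_ip="20.0.0.50", end_ip="20.0.0.100")
            .excluded_address("20.0.0.60", "20.0.0.69"))
    offers = [str(pool.allocate(f"client-{i:02d}")) for i in range(33)]
    return {
        "pool_size": pool.size(),                       # 51 - 10 excluded
        "first_offer": offers[0],
        "offer_after_exclusion": offers[10],            # .60-.69 skipped
        "utilization": round(pool.utilization_percent(), 1),
        "threshold_exceeded": pool.threshold_exceeded(),
        "lease_seconds": lease_seconds(0, 8),           # 'lease 0 8'
    }
```

With start_ip 20.0.0.50, end_ip 20.0.0.100 and ten excluded addresses the pool holds 41 leases, so the 33rd binding pushes utilization past an 80 percent threshold and triggers the syslog event and SNMP trap described in Section 16.1.17.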
16.1.18 Configuring Host Hardware Type
Use the host hardware-type command in DHCP Configuration mode to specify the host hardware type and either a host IP address or an appropriate DHCP option.
Command syntax:
host client-identifier mac-address {ipaddress|option code {ascii string|hex hexval|ip ipaddr}}
Where:
mac-address following the keyword client-identifier is a conventional MAC address for the host.
ipaddress is an IP address for the DHCP host.
code is a numerical value in the range 1-214748364 specifying a DHCP option used in a DHCP OFFER message in response to a DHCP DISCOVER message.
string following the keyword ascii specifies a text for the DHCP option specified by code.
hexval following the keyword hex specifies a hex value for the DHCP option specified by code.
ipaddr following the keyword ip specifies an IP address for the DHCP option specified by code.
Example:
Magnum 10RX(dhcp-config)# host client-identifier d0:67:e5:4e:f8:1c option 1 ip 10.0.0.1
Default value: 75
Valid range (code): 1-214748364
The no host typespec command deletes the configured hardware type and option specified by typespec.
16.2 Displaying DHCP Information
The CLI commands described below enable you to display information about DHCP configuration and performance. These commands are executed in Exec Commands mode at the Magnum 10RX# prompt.
16.2.1 show ip dhcp server information
Use the show ip dhcp server information command to display status and identifying information about the DHCP server.
Example:
Magnum 10RX# show ip dhcp server information
16.2.2 show ip dhcp server pools
Use the show ip dhcp server pools command to display information about the definition and configuration of all DHCP pools.
Example:
Magnum 10RX# show ip dhcp server pools
16.2.3 show ip dhcp server binding
Use the show ip dhcp server binding command to display the address bindings (IP address to client hardware address) established between the DHCP server and its clients.
Example:
Magnum 10RX# show ip dhcp server binding
16.2.4 show ip dhcp server statistics
Use the show ip dhcp server statistics command to display information about DHCP performance.
Example:
Magnum 10RX# show ip dhcp server statistics
16.3 Configuring the DHCP Server in the GUI
The following subsections detail the GUI screens that enable you to configure the DHCP server. These screens are accessed on the Layer 3 Management: DHCP Server branch of the GUI menu.
16.3.1 Configuring DHCP Basic Settings
In the GUI go to the Layer 3 Management: DHCP Server: Basic Settings tab to configure basic DHCP parameters, as illustrated in Figure 16-1.
Figure 16-1. DHCP Basic Settings Screen
Select or enter values in the fields of the DHCP Basic Settings screen and click the Apply button to implement and save your specifications.
Table 16-1. DHCP Basic Settings Fields
Parameter Description See Also
DHCP Server Enabled must be selected to have DHCP functionality in the server.
Section 16.1.1
Server Offer-Reuse Time (secs)
Configure the length of time the server will wait to receive a DHCP REQUEST from a client before making an offered IP address available to another client.
Default value: 5
Valid range: 1-120
Section 16.1.6
ICMP Echo Mechanism
Enable or disable the Internet Control Message Protocol (ICMP) echo mechanism on the DHCP server. With this feature enabled the server is able to ping candidate IP addresses to make sure they are available before assigning them to clients.
Section 16.1.5
DHCP Next Server IP address
Specify the IP address of the boot server from which the initial boot file is to be loaded in a DHCP client. When a DHCP client starts it contacts the boot server in order to download the boot file.
Section 16.1.3
16.3.2 Configuring DHCP Global Options
In the GUI go to the Layer 3 Management: DHCP Server: Global Options tab to set options specified in RFC 2132 to have system-wide effect, as illustrated in Figure 16-2.
Figure 16-2. DHCP Global Option Settings Screen
In the DHCP Global Options Settings screen you can select from a list of conventional options available from a drop-down menu. The option code associated with your selection will appear in the Option Code field. Alternatively, you can select the “manual” option (the last item on the drop-down menu) and enter the Option Code value. Options selected here have system-wide effect.
Table 16-2. DHCP Global Option Fields
Parameter Description See Also
Select You must click a selection button before modifying a configuration.
Option Select one from among the options available in the drop-down menu.
Section 16.1.7
Option Code This field is editable only if you make the “Manual” selection from the Option drop-down menu. In that case you can specify the code specified in RFC 2132 for an option. Otherwise the code associated with a selection made in the Option field will be inserted automatically.
Option Value This may be a text string, an IP address, or a numerical value, depending on the type of Option selected.
16.3.3 Configuring DHCP Pool Settings
In the GUI go to the Layer 3 Management: DHCP Server: Pool Settings tab to set options specified in RFC 2132 to have effect in this pool, as illustrated in Figure 16-3.
Figure 16-3. DHCP Pool Settings Screen
Use the fields of the DHCP Settings Screen to define the range and availability of addresses in the pool.
Table 16-3. DHCP Pool Settings Fields
Parameter Description See Also
Select You must click a selection button before modifying a configuration.
Pool ID A numerical value in the range 1-2147483647 identifying this address pool.
Section 16.1.2
Subnet Pool Specifies the subnet network number of the pool Section 16.1.8
Network Mask Specifies the subnet mask for the address pool. Section 16.1.8
Start IP Address Specifies the IP address that begins the range of addresses in the pool.
Section 16.1.8
End IP Address Specifies the IP address that ends the range of addresses in the pool.
Section 16.1.8
Lease Time (secs) Specifies the duration of a client’s possession of an IP address assigned by the DHCP server.
Section 16.1.16
Utilization Threshold
Specifies a percentage of the total number of addresses in the pool. When the proportion of addresses in use exceeds this percentage, warnings (a syslog event and an SNMP trap) are triggered.
Section 16.1.17
16.3.4 Configuring DHCP Pool Option Settings
In the GUI go to the Layer 3 Management: DHCP Server: Pool Option Settings tab to configure options to apply to a specific address pool, as illustrated in Figure 16-4.
Figure 16-4. DHCP Pool Option Settings Screen
In the DHCP Pool Options Settings screen you can select from a list of conventional options available from a drop-down menu. The option code associated with your selection will appear in the Option Code field. Alternatively, you can select the “manual” option (the last item on the drop-down menu) and enter the Option Code value. Options selected here have effect in this pool only.
Table 16-4. DHCP Pool Option Fields
Parameter Description See Also
Select You must click a selection button before modifying a configuration.
Option Select one from among the options available in the drop-down menu.
Section 16.1.15
Option Code This field is editable only if you make the “Manual” selection from the Option drop-down menu. In that case you can specify the code specified in RFC 2132 for an option. Otherwise the code associated with a selection made in the Option field will be inserted automatically.
Option Value This may be a text string, an IP address, or a numerical value, depending on the type of Option selected.
16.3.5 Configuring DHCP Host Option Settings
In the GUI go to the Layer 3 Management: DHCP Server: Host Options tab to specify the host hardware type and either a host IP address or an appropriate DHCP option, as illustrated in Figure 16-5.
Figure 16-5. DHCP Host Option Settings Screen
In the DHCP Host Options Settings screen you can specify client and host identifiers and select from a list of conventional options available from a drop-down menu.
Table 16-5. Host Option Settings Fields
Parameter Description See Also
Pool ID A numerical value identifying a configured address pool. Section 16.1.18
Client Identifier The MAC address of the targeted client.
Host Identifier Type
Specify whether the host is to be identified by IP address or by option type.
Host IP Address The IP address of the host.
Host Option Code Select an RFC 2132 option code from the drop-down list.
Host Option Value This may be a text string, an IP address, or a numerical value, depending on the type of Option selected.
16.3.6 Configuring an Exclude List
In the GUI go to the Layer 3 Management: DHCP Server: Exclude List tab to specify addresses in a configured pool that are not to be distributed to clients, as illustrated in Figure 16-6.
Figure 16-6. DHCP Server IP Exclude Settings Screen
In the upper dialog box specify a range of addresses to be excluded from distribution. Click add for your specification to take effect and to be displayed in the lower dialog box. Use the lower dialog box to view configurations, modify configured exclusions, or to delete a selected configuration.
16.3.7 Displaying Binding Information
In the GUI go to the Layer 3 Management: DHCP Server: Binding Information tab to display DHCP binding information, as illustrated in Figure 16-7.
Figure 16-7. DHCP Server Bindings Screen
Table 16-6. DHCP Server IP Exclude Fields
Parameter Description See Also
Select You must click a selection button before modifying a configuration.
Pool ID A numerical value identifying a configured address pool. Section 16.1.9
Start IP Address Specify the initial IP address in the excluded range.
End IP Address Specify the final IP address in the excluded range.
The DHCP binding information screen displays mapping between the IP address and MAC address of a client.
Table 16-7. Server Bindings Fields
Parameter Description See Also
Select You must click a selection button before modifying a configuration.
IP Address The IP Address associated with the binding. Section 16.2.3
Hardware Address
The hardware address type associated with the binding.
Binding State The state of this binding. Valid states are
• offered — The offer of the binding has been sent to the client but no response has been received yet.
• assigned — The address is assigned to the client.
• probed — The address is currently being probed by the DHCP server.
Expire Time Indicates the time remaining for this binding.
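The following is an added example (not INOS code) that models a DHCP pool the way this chapter describes it: the offered and assigned binding states of Table 16-7, the offer-reuse time of Table 16-1, the lease time of Section 16.1.16, the exclude list of Section 16.3.6 and the utilization threshold warning of Section 16.1.17. Timers are driven by an explicit clock so the behaviour is deterministic; all addresses and MAC values are constructed.

```python
"""Added example, not INOS code: a clock-driven model of a DHCP address pool
with offered/assigned bindings, offer-reuse and lease expiry, an exclude list
and the utilization-threshold warning. All sample values are constructed."""
import ipaddress


class DhcpPool:
    def __init__(self, start, end, lease=3600, offer_reuse=5, threshold=75, exclude=()):
        first = int(ipaddress.IPv4Address(start))
        last = int(ipaddress.IPv4Address(end))
        excluded = {int(ipaddress.IPv4Address(a)) for a in exclude}
        # Addresses available for distribution (exclude list removed)
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)
                     if i not in excluded]
        self.size = len(self.free)
        self.lease, self.offer_reuse, self.threshold = lease, offer_reuse, threshold
        self.bindings = {}   # ip -> {"mac", "state", "expire"}
        self.events = []     # constructed stand-ins for the syslog event / SNMP trap
        self.above = False   # warn once per crossing, not on every packet

    def utilization(self):
        """Percentage of pool addresses in the 'assigned' state."""
        if self.size == 0:
            return 0.0
        used = sum(1 for b in self.bindings.values() if b["state"] == "assigned")
        return 100 * used / self.size

    def _check_threshold(self, now):
        pct = self.utilization()
        if pct > self.threshold and not self.above:
            self.events.append((now, f"pool utilization {pct:.0f}% exceeds {self.threshold}%"))
        self.above = pct > self.threshold

    def offer(self, mac, now):
        """DHCP DISCOVER -> OFFER: reserve an address in the 'offered' state.
        The offer is held only for offer_reuse seconds (Table 16-1)."""
        for ip, b in self.bindings.items():
            if b["mac"] == mac:
                return ip  # the client already holds a binding; re-offer it
        if not self.free:
            return None    # pool exhausted: no offer is made
        ip = self.free.pop(0)
        self.bindings[ip] = {"mac": mac, "state": "offered", "expire": now + self.offer_reuse}
        return ip

    def request(self, mac, ip, now):
        """DHCP REQUEST -> ACK: the offer becomes an assigned lease (16.1.16)."""
        b = self.bindings.get(ip)
        if b is None or b["mac"] != mac:
            return False   # no live offer for this client and address: NAK
        b["state"], b["expire"] = "assigned", now + self.lease
        self._check_threshold(now)
        return True

    def tick(self, now):
        """Return expired offers (offer-reuse time) and finished leases to the pool."""
        for ip in [ip for ip, b in self.bindings.items() if b["expire"] <= now]:
            del self.bindings[ip]
            self.free.append(ip)
        self._check_threshold(now)
```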
Chapter 17 Firewall/NAT
The 10RX features a stateful firewall with the ability to do dynamic and static address translation. The following sections describe basic firewall and Network Address Translation (NAT) configuration commands to use to provide protection for your network.
17.1 Defining Inside and Outside
By factory default, the 10RX firewall is disabled and no packet filtering occurs.
You can set up a simple default firewall policy by choosing an "outside" interface (that is, the "public" network where the threats are) and an "inside" interface (that is, the "private" network that you wish to protect) and then enabling the firewall. All connections initiated from the inside and directed to the outside are allowed and all connections initiated from the outside and directed to the inside are denied. This prevents attackers on the outside from accessing network resources behind your firewall.
17.1.1 Configuring a Default Security Policy
Use the nameif and security-level commands in Interface Configuration mode to configure the default security policy on your interfaces. With the nameif command you give the selected interface a meaningful name and with the security-level command you assign a security level to that interface. A security level of 0 means that the attached network is not trusted. A security level of 100 means that the attached network is fully trusted. A DMZ or other intermediate security arrangement can be created by using a security level between 0 and 100.
Command syntax:
nameif ifname
security-level seclev
Where:
ifname is a user-supplied string giving a name to the interface.
seclev is an integer specifying the security level to assign to the interface.
Figure 17-1 provides an example of the CLI commands to execute to select interface Gigabitethernet 3/1, connect it to the public network, and assign it a security level implying high risk.
CHAPTER 17 - Firewall/NATDefining Inside and Outside
Figure 17-1. Establishing the Firewall’s Public Interface
Figure 17-2 provides an example of the CLI commands to execute to select Gigabitethernet 5/1, connect it to the private network, and assign it a security level implying great trust.
Figure 17-2. Establishing the Firewall’s Private Interface
Figure 17-3 provides an example of the CLI commands to execute to select Gigabitethernet 7/1 and make it a DMZ by assigning it an intermediate security level.
Figure 17-3. Establishing a DMZ
17.1.2 Enabling the Firewall
Use the set firewall command in Global Configuration mode to enable or disable the firewall. The firewall cannot be enabled until you have configured a basic default security policy.
Command syntax:
set firewall {enable | disable}
Example:
Magnum 10RX(config)# set firewall enable
Default value: disabled
17.1.3 Configuring Basic Access Control Lists
In addition to the default security policy, you also have fine-grained control over what traffic is allowed to pass from lower to higher security zones.
Figure 17-1 (CLI commands):
Magnum 10RX(config)# interface gigabitethernet 3/1
Magnum 10RX(config-if)# no switchport
Magnum 10RX(config-if)# ip address 192.168.3.2 255.255.255.0
Magnum 10RX(config-if)# nameif outside
Magnum 10RX(config-if)# security-level 0
Magnum 10RX(config-if)# exit
Figure 17-2 (CLI commands):
Magnum 10RX(config)# interface gigabitethernet 5/1
Magnum 10RX(config-if)# no switchport
Magnum 10RX(config-if)# ip address 192.168.2.2 255.255.255.0
Magnum 10RX(config-if)# nameif inside
Magnum 10RX(config-if)# security-level 100
Magnum 10RX(config-if)# exit
Figure 17-3 (CLI commands):
Magnum 10RX(config)# interface gigabitethernet 7/1
Magnum 10RX(config-if)# no switchport
Magnum 10RX(config-if)# ip address 192.168.4.2 255.255.255.0
Magnum 10RX(config-if)# nameif dmz
Magnum 10RX(config-if)# security-level 50
Use the access-list command in Global Configuration mode to create specific security policies that create exceptions to the default policy.
Command syntax:
access-list acl-name [line lineno] extended {deny | permit} {ip | tcp | udp | protocol-number} {any | host source-host | source-network source-mask} [{{eq | neq | lt | gt} src-port | range src-port-low src-port-high}] {any | host destination-host | destination-network destination-mask} [{{eq | neq | lt | gt} dst-port | range dst-port-low dst-port-high}]
Where:
acl-name is a user-supplied name for this access list.
lineno specifies a line number within the ACL where this entry is to be located. (By default new entries are added to the end of the list.)
protocol-number is a numerical value specifying the number in the IP header that identifies the targeted protocol.
source-host is an IP address specifying a source.
source-network source-mask together specify a subnet as a source.
src-port is a numerical value specifying a TCP or UDP port as a source. The preceding keywords eq (equal to), neq (not equal to), lt (less than), and gt (greater than) define the relation of the entry being configured to the port or ports specified.
src-port-low and src-port-high following the keyword range together define a range of ports as a source.
destination-host is an IP address specifying a destination.
destination-network destination-mask together specify a subnet as a destination.
dst-port is a numerical value specifying a TCP or UDP port as a destination. The preceding keywords eq (equal to), neq (not equal to), lt (less than), and gt (greater than) define the relation of the entry being configured to the port or ports specified.
dst-port-low and dst-port-high following the keyword range together define a range of ports as a destination.
Examples
To make a particular server (192.168.2.42) in your private network accessible from the public network:
Magnum 10RX(config)#access-list allow_server1 extended permit ip any host 192.168.2.42
To make the entire subnet accessible:
Magnum 10RX(config)#access-list allow_server2 extended permit ip any 192.168.2.0 255.255.255.0
To make the server only accessible by a particular host on the outside network:
Magnum 10RX(config)#access-list allow_server3 extended permit ip host 192.168.3.43 host 192.168.2.42
To allow access to only UDP port 9999 on 192.168.2.42:
Magnum 10RX(config)#access-list allow_server4 extended permit udp any host 192.168.2.42 eq 9999
To allow access to only the range of TCP ports 10201-10204 on subnet 192.168.2.0/24:
Magnum 10RX(config)#access-list allow_server5 extended permit tcp any 192.168.2.0 255.255.255.0 range 10201 10204
The no access-list acl-name extended permit target-spec command deletes the specified exception.
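As an added example (not INOS code), the following parses the access-list syntax above, including the eq/neq/lt/gt and range port specifications, and evaluates packets against the default policy of Section 17.1 with the ACL as its exception list. The interface security levels, the "first matching entry wins" order and the packets are assumptions for the model.

```python
"""Added example, not INOS code: parse 'access-list ... extended' entries and
evaluate constructed packets against them together with the default
security-level policy (higher-to-lower allowed, lower-to-higher denied)."""
import ipaddress

PROTO = {"ip": None, "tcp": 6, "udp": 17}   # None = any IP protocol


def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'NETWORK MASK'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq|neq|lt|gt P' or 'range L H'; return (predicate, rest)."""
    if tokens and tokens[0] in ("eq", "neq", "lt", "gt"):
        op, p = tokens[0], int(tokens[1])
        pred = {"eq": lambda x: x == p, "neq": lambda x: x != p,
                "lt": lambda x: x < p, "gt": lambda x: x > p}[op]
        return pred, tokens[2:]
    if tokens and tokens[0] == "range":
        lo, hi = int(tokens[1]), int(tokens[2])
        return (lambda x: lo <= x <= hi), tokens[3:]
    return (lambda x: True), tokens   # no port qualifier: any port


def parse_ace(line):
    """Parse one access-list command; a leading 'Magnum 10RX(config)#' prompt is ignored."""
    t = line.split("#", 1)[-1].split()
    if t[0] != "access-list":
        raise ValueError("not an access-list command")
    name, t = t[1], t[2:]
    lineno = None
    if t[0] == "line":
        lineno, t = int(t[1]), t[2:]
    if t[0] != "extended":
        raise ValueError("expected 'extended'")
    action, proto, t = t[1], t[2], t[3:]
    proto_num = PROTO[proto] if proto in PROTO else int(proto)
    src, t = _parse_addr(t)
    sport, t = _parse_port(t)
    dst, t = _parse_addr(t)
    dport, t = _parse_port(t)
    return {"name": name, "line": lineno, "action": action, "proto": proto_num,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def ace_matches(ace, pkt):
    """pkt: {'src','dst' (dotted str), 'proto' (int), 'sport','dport' (int)}."""
    if ace["proto"] is not None and ace["proto"] != pkt["proto"]:
        return False
    if ipaddress.IPv4Address(pkt["src"]) not in ace["src"]:
        return False
    if ipaddress.IPv4Address(pkt["dst"]) not in ace["dst"]:
        return False
    if ace["proto"] in (6, 17):   # port qualifiers only apply to TCP/UDP entries
        return ace["sport"](pkt["sport"]) and ace["dport"](pkt["dport"])
    return True


def firewall_decision(pkt, in_level, out_level, acl=()):
    """ACL entries are exceptions to the default policy and are checked first
    (first match wins, an assumption of this model); otherwise traffic from a
    higher security level to a lower one is permitted and the reverse denied."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "permit" if in_level > out_level else "deny"
```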
17.1.4 Configuring Object Groups
You can manage related network devices and services and their specialized firewall treatment by creating object groups.
17.1.4.1 Network Object Groups
Use the object-group network command in Global Configuration mode to enter into Network Object Group Configuration mode, signaled by the Magnum 10RX(config-network)# prompt.
Command syntax:
object-group network object-group-name
Where:
object-group-name is a string specifying a user-supplied name for the group.
Figure 17-4 provides an example of the commands to use to create a network object group containing two non-contiguous address ranges.
Figure 17-4. Configuring Non-contiguous Address Ranges as an Object Group
17.1.4.2 Service Object Groups
Service object groups enable you to specify sets of either UDP or TCP ports that define a network service or set of network services.
Use the object-group service command in Global Configuration mode to enter into Service Object Group Configuration mode, signaled by the Magnum 10RX(config-service)# prompt.
Command syntax:
object-group service {tcp | tcpudp | udp} object-group-name
Where:
The keywords tcp, udp, and tcpudp specify TCP service, UDP service, or both, respectively.
object-group-name is a string specifying a user-supplied name for the group.
Figure 17-5 provides an example of the commands to use to create a service object containing a set of non-contiguous ports.
Figure 17-5. Configuring a Service Object Group of Non-contiguous Ports
17.1.4.3 ICMP Object Groups
ICMP object groups enable you to specify sets of ICMP types.
Use the object-group icmp command in Global Configuration mode to enter into ICMP Object Group Configuration mode, signaled by the Magnum 10RX(config-icmp-type)# prompt.
Command syntax:
object-group icmp object-group-name
Where:
object-group-name is a string specifying a user-supplied name for the group.
Figure 17-4 (CLI commands):
Magnum 10RX(config)# object-group network group1
Magnum 10RX(config-network)# network-object range 192.168.5.32 192.168.5.37
Magnum 10RX(config-network)# network-object range 192.168.5.55 192.168.5.64
Magnum 10RX(config-network)# exit
Magnum 10RX(config)#
Figure 17-5 (CLI commands):
Magnum 10RX(config)# object-group service tcp service1
Magnum 10RX(config-service)# port-object eq 10201
Magnum 10RX(config-service)# port-object range 10204 10209
Magnum 10RX(config-service)# exit
Magnum 10RX(config)#
Figure 17-6 provides an example of the commands to use to create an ICMP group containing both the ICMP echo request and reply types.
Figure 17-6. Configuring an ICMP Type Group
17.1.4.4 Protocol Object Groups
Protocol object groups enable you to specify sets of IP protocols.
Use the object-group protocol command in Global Configuration mode to enter into Protocol Object Group Configuration mode, signaled by the Magnum 10RX(config-protocol)# prompt.
Command syntax:
object-group protocol object-group-name
Where:
object-group-name is a string specifying a user-supplied name for the group.
Figure 17-7 provides an example of the commands to use to create a protocol group containing multiple IP protocol types.
Figure 17-7. Configuring a Protocol Group
17.1.5 Using Object Groups
After you have defined network or service object groups you may use them in Access Control Lists (ACLs) to define security policies for the Firewall. For example, to define an ACL that allows hosts in the modbusmasters IP range to access the modbustcp service, configure the ACL as illustrated in Figure 17-8:
Figure 17-8. ACL Configuration
Figure 17-6 (CLI commands):
Magnum 10RX(config)# object-group icmp pings
Magnum 10RX(config-icmp-type)# icmp-object 0
Magnum 10RX(config-icmp-type)# icmp-object 8
Magnum 10RX(config-icmp-type)# exit
Magnum 10RX(config)#
Figure 17-7 (CLI commands):
Magnum 10RX(config)# object-group protocol proto1
Magnum 10RX(config-protocol)# protocol-object 50
Magnum 10RX(config-protocol)# protocol-object 51
Magnum 10RX(config-protocol)# exit
Magnum 10RX(config)#
Figure 17-8 (CLI commands):
Magnum 10RX(config)# access-list mbus extended permit tcp object-group modbusmasters any service-object-group modbustcp
Magnum 10RX(config)#
17.1.6 Applying Access Control Lists
An Access Control List (ACL) does not take effect until it is applied to an interface. To apply an ACL use the fw-nat-group command in Global Configuration mode to enter the Firewall Nat Group Configuration mode, signaled by the Magnum 10RX(config-fw-nat-fw#)# prompt. Use the access-group command from within the Firewall Nat Group Configuration mode and then activate the firewall group using the active command.
Note that the fw-nat-group command will only be effective if the firewall has been enabled with the set firewall command. See Section 17.1.2.
Example:
Figure 17-9 provides an example of the commands to use to apply an ACL.
Figure 17-9. Applying an ACL
17.2 NAT
The most common goal of network address translation is to hide a private address space from hosts on a public network. This is often required because the private IP address space is typically re-used by many different internal networks and is thus not routable on a public IP network.
When configuring NAT it is important to understand the meaning of real and mapped interfaces and addresses: In a traditional NAT application the real interface is an interface connected to the private or inside part of the network and a mapped interface is an interface connected to the public or outside part of the network.
17.2.1 Setting up Dynamic NAT
A dynamic NAT hides the addressing of a private network using a technique known as source NAT or IP masquerading. Packets passing from the private (real) network to the public (mapped) network have the source address replaced with a public IP address, usually the public address of the public interface itself. This translation is undone for response packets flowing in the reverse direction. In the case where a single public address is used for masquerading multiple network sessions, TCP and UDP port translation is also used to keep track of individual packet flows so that translations can be properly undone in the reverse direction.
To set up basic dynamic NAT, use the following procedure:
1. Create a new network object.
Figure 17-9 (CLI commands):
Magnum 10RX(config)# fw-nat-group fw1
Magnum 10RX(config-fw-nat-fw1)# access-group allow_server3 in interface outside
Magnum 10RX(config-fw-nat-fw1)# active
Magnum 10RX(config-fw-nat-fw1)# exit
Magnum 10RX(config)#
2. In the network object specify the real IP address range that should be translated.
3. In the network object use the nat command to specify dynamic NAT and the real and mapped interfaces.
4. Create a new fw-nat-group or modify an existing group.
5. Use the nat command to specify the network object you've created.
Figure 17-10 provides an example of the commands to set up a rule that will perform IP masquerading on packets forwarded to the outside network.
Figure 17-10. Configuring IP Masquerading
17.2.2 Setting up Static NAT
Static NAT, also sometimes referred to as destination NAT or port forwarding, replaces the destination address and port in a packet so that clients using public network addresses can access servers on the private network.
To set up a static NAT use the following procedure:
1. Create a new network object.
2. In the network object specify the real IP address of the target host.
3. In the network object use the nat command to specify static NAT, the real and mapped interfaces, and the desired port translation.
4. Create a new fw-nat-group or modify an existing group.
5. Use the nat command to specify the network object you've created.
Figure 17-11 provides an example of the commands to set up a rule that allows clients to connect to an inside telnet server (TCP port 23) at 192.168.2.42 using the outside address and TCP port 10023.
Figure 17-10 (CLI commands):
Magnum 10RX(config)# object-group network nat1
Magnum 10RX(config-network-object)# network-object range 0.0.0.0 255.255.255.255
Magnum 10RX(config-network-object)# nat (any , outside) dynamic
Magnum 10RX(config-network-object)# exit
Magnum 10RX(config)# fw-nat-group fw1
Magnum 10RX(config-fw-nat-fw1)# nat object nat1
Magnum 10RX(config-fw-nat-fw1)# exit
Magnum 10RX(config)#
Figure 17-11. Configuring Static NAT
Magnum 10RX(config)# object-group network nat2
Magnum 10RX(config-network-object)# network-object host 192.168.2.42
Magnum 10RX(config-network-object)# nat (any , outside) static interface service tcp 23 10023
Magnum 10RX(config-network-object)# exit
Magnum 10RX(config)# fw-nat-group fw1
Magnum 10RX(config-fw-nat-fw1)# nat object nat2
Magnum 10RX(config-fw-nat-fw1)# exit
Magnum 10RX(config)#
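The following is an added example (not INOS code) that models the two NAT rules of Figures 17-10 and 17-11 as a translation table: the dynamic rule rewrites the source of packets leaving toward the outside interface to that interface's address (192.168.3.2 from Figure 17-1) with a translated port and undoes it on replies, and the static rule forwards TCP port 10023 on the outside address to 192.168.2.42:23. The port pool and the 203.0.113.0/24 outside hosts are constructed.

```python
"""Added example, not INOS code: a translation-table model of dynamic (source)
NAT with port translation and static (destination) NAT, following the rules
configured in Figures 17-10 and 17-11. All sample addresses are constructed."""
import ipaddress


class NatTable:
    def __init__(self, outside_ip, dynamic_nets=(), static=None):
        self.outside_ip = outside_ip
        # real address ranges covered by the dynamic rule (0.0.0.0/0 = Figure 17-10's range)
        self.dynamic = [ipaddress.IPv4Network(n) for n in dynamic_nets]
        # static rule: (proto, mapped_port) -> (real_ip, real_port), as in Figure 17-11
        self.static = dict(static or {})
        self.flows = {}        # (proto, mapped_port) -> (real_ip, real_port) for live flows
        self.next_port = 1024  # constructed port pool used for port translation

    def outbound(self, pkt):
        """Real (inside) -> mapped (outside) direction: source NAT."""
        # A reply from a statically forwarded server gets its mapped port back
        for (proto, mport), real in self.static.items():
            if proto == pkt["proto"] and real == (pkt["src"], pkt["sport"]):
                return dict(pkt, src=self.outside_ip, sport=mport)
        if not any(ipaddress.IPv4Address(pkt["src"]) in n for n in self.dynamic):
            return pkt     # not covered by the dynamic rule: forwarded untranslated
        real = (pkt["src"], pkt["sport"])
        key = next((k for k, v in self.flows.items()
                    if v == real and k[0] == pkt["proto"]), None)
        if key is None:    # first packet of the flow: allocate a translated port
            key = (pkt["proto"], self.next_port)
            self.next_port += 1
            self.flows[key] = real
        return dict(pkt, src=self.outside_ip, sport=key[1])

    def inbound(self, pkt):
        """Mapped (outside) -> real (inside) direction: undo a live dynamic
        translation or apply a static rule. Returns None when neither applies,
        so unsolicited traffic to the outside address is not forwarded."""
        if pkt["dst"] != self.outside_ip:
            return pkt
        key = (pkt["proto"], pkt["dport"])
        real = self.flows.get(key) or self.static.get(key)
        if real is None:
            return None
        return dict(pkt, dst=real[0], dport=real[1])
```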
Chapter 18 IPsec VPN
INOS supports Virtual Private Networks (VPN) via IPsec.
18.1 IPsec VPN Operation
In an IPsec VPN each VPN tunnel is defined by a set of security associations (SAs). Each SA defines a secure, unidirectional communication channel between two entities. The SAs are established via a two-phase process defined by the Internet Key Exchange (IKE) protocol. During Phase 1 the entities establish an initial secure channel. This exchange includes an authentication step that proves that each side knows a user-configured pre-shared key. The encrypted, authenticated Phase 1 channel is then used for communication during Phase 2 where the entities establish the keys that are actually used to encrypt the traffic that flows through the tunnel.
10RX supports on-demand IKE negotiation. This means that the 10RX will only initiate the establishment of a security association if there is network traffic that requires protection (that is, if packets match the traffic descriptor in the policy database). If an SA is idle it will not be "rekeyed", that is, an inactive SA will be allowed to expire without negotiating a new SA to take over.
Note that the terms “traffic descriptor” and “access control list” (ACL) are synonymous.
The 10RX implements Dead Peer Detection (DPD) by periodically sending R-U-THERE messages. The periodicity of these messages is user-configurable. If the peer does not respond to three consecutive R-U-THERE messages the peer is assumed dead and any SAs associated with that peer are deleted.
The 10RX supports tunnel mode and the ESP protocol. ESP provides both confidentiality and integrity. Tunnel mode completely conceals the identity and nature of the protected traffic since each IP packet is fully encapsulated and encrypted.
Traffic that does not match an IPsec traffic descriptor is bypassed. IPsec does not filter or drop packets. Filter non-IPsec traffic by configuring the 10RX firewall.
IPsec VPN behavior is governed by a set of data structures that can be configured and displayed by the commands explained in the following sections.
CHAPTER 18 - IPsec VPNConfiguring IPsec VPN in the CLI
18.2 Configuring IPsec VPN in the CLI
The following sections explain the CLI commands to use to configure IPsec VPN.
18.2.1 IKE Profile Table
Each IKE profile table entry describes the parameters used to negotiate an IKE SA (that is, "phase 1" security association) between the 10RX router and a remote security gateway. The IKE SA is used to securely establish future IPsec SAs.
The configurable parameters for a profile are:
• Name — each IKE profile has a user-configurable name. In the CLI, the name is used instead of the index to reference the profile.
• Encryption — the symmetric encryption algorithm used to protect the confidentiality of the IKE SA. Possible values are DES, 3DES, AES, or AES-256. Defaults to 3DES.
• Hash — the hashing function used to protect the integrity of the IKE SA. Possible values are MD5, SHA-1, SHA-256, or SHA-384. Defaults to SHA-1.
• Group — the Diffie-Hellman (DH) group used for key generation. Possible values are 1, 2, 5, 14, or 24. Defaults to 2.
• PFS — if Perfect Forward Secrecy (PFS) is supported, specifies the DH group to be used. Possible values are 1, 2, 5, 14, or 24. Defaults to 2. If PFS is enabled, all key generation is performed using a DH exchange, increasing the security of the protocol. If PFS is not enabled, a DH exchange is not used when generating phase 2 keys, saving time and computation.
• Lifetime — the number of seconds that the IKE SA will be valid once it is created. After this timer expires, the SA is immediately deleted. Valid range is 300 (5 minutes) to 86400 (1 day). Defaults to 28800 (8 hours). IKE SAs are created on-demand based on the need for negotiating phase 2 SAs.
• DPD — the number of seconds between R-U-THERE keepalive messages used by the Dead Peer Detection (DPD) algorithm. If the peer does not respond to R-U-THERE messages the SAs with that peer will be deleted. Valid range is 10 to 86400. Defaults to 30.
Security levels obtainable with various combinations of parameters are detailed in RFC 6379.
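As an added example (not INOS code), the following discrete-time model shows how the Lifetime and DPD parameters above interact with the behaviour described in Section 18.1: the IKE SA is created only on demand, R-U-THERE messages go out every DPD seconds, the peer is declared dead and its SA deleted after three consecutive unanswered messages, and an SA reaching its lifetime is deleted without a rekey. Whether the remote side answers is supplied as a constructed callback; the range checks use the values listed above.

```python
"""Added example, not INOS code: a clock-driven model of IKE SA lifetime and
Dead Peer Detection as described in 18.1 and 18.2.1. Peer reachability is a
constructed callback; times are in seconds."""


class IkeSaModel:
    MISSES_BEFORE_DEAD = 3  # 18.1: three consecutive unanswered R-U-THERE messages

    def __init__(self, lifetime=28800, dpd=30):
        # Ranges and defaults are those listed for the IKE profile in 18.2.1
        if not 300 <= lifetime <= 86400:
            raise ValueError("lifetime must be 300-86400 seconds")
        if not 10 <= dpd <= 86400:
            raise ValueError("dpd must be 10-86400 seconds")
        self.lifetime, self.dpd = lifetime, dpd
        self.ike_sa = None      # (created_at, expires_at) or None when no SA exists
        self.next_dpd = None    # time the next R-U-THERE is due
        self.misses = 0         # consecutive unanswered R-U-THERE messages
        self.log = []           # (time, event) records, a stand-in for syslog

    def protected_traffic(self, now):
        """A packet matched the traffic descriptor: negotiate on demand (18.1)."""
        if self.ike_sa is None:
            self.ike_sa = (now, now + self.lifetime)
            self.next_dpd = now + self.dpd
            self.misses = 0
            self.log.append((now, "ike-sa created"))
        return self.ike_sa

    def _delete(self, when, reason):
        self.ike_sa, self.next_dpd, self.misses = None, None, 0
        self.log.append((when, f"ike-sa deleted: {reason}"))

    def tick(self, now, peer_answers):
        """Advance the clock to `now`; peer_answers(t) reports whether the
        R-U-THERE sent at time t was acknowledged."""
        if self.ike_sa is None:
            return
        # Send every R-U-THERE that fell due up to `now`, in order
        while self.next_dpd is not None and self.next_dpd <= now:
            t = self.next_dpd
            if t >= self.ike_sa[1]:
                break          # the lifetime ends before this probe would go out
            self.next_dpd = t + self.dpd
            if peer_answers(t):
                self.misses = 0
            else:
                self.misses += 1
                self.log.append((t, f"R-U-THERE unanswered ({self.misses})"))
                if self.misses >= self.MISSES_BEFORE_DEAD:
                    self._delete(t, "peer dead")
                    return
        # An SA that reaches its lifetime is deleted immediately; no rekey is
        # attempted, the next matching packet starts a fresh negotiation
        if now >= self.ike_sa[1]:
            self._delete(self.ike_sa[1], "lifetime expired")
```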
18.2.1.1 Configure an IKE Profile
Use the crypto ike profile command in Global Configuration mode to enter IKE Profile Configuration mode and generate the Magnum 10RX(config-ike-profile)# prompt.
Command syntax:
crypto ike profile profname
Where:
profname is a unique string of up to 64 printable characters identifying the profile.
Example:
Magnum 10RX(config)# crypto ike profile ikeprof3
Magnum 10RX(config-ike-profile)#
This command specifies an IKE profile named ikeprof3. Subsequent commands in this configuration mode will modify that profile.
Valid range: up to 64 printable characters
The no crypto ike profile profname command deletes the profile specified by profname.
Use the show ike profile command to view configured values.
18.2.1.2 Specify IKE (Phase 1) Encryption Type
Use the encryption command in IKE Profile Configuration mode to set the encryption algorithm to be used by IKE when establishing a phase 1 security association.
Command syntax:
encryption {des|3des|aes|aes256}
Where:
des, 3des, aes, and aes256 are NIST-standard cryptographic ciphers of various key lengths. 3des is a more secure version of the DES standard in which data is encrypted three times.
Example:
Magnum 10RX(config-ike-profile)# encryption aes
This command specifies that traffic governed by this IKE profile will use AES encryption.
Default value: 3DES
The no encryption command sets the encryption to the default value.
Use the show ike profile command to view configured values.
18.2.1.3 Specify IKE (Phase 1) Hash Algorithm
Use the hash command in IKE Profile Configuration mode to set the hash algorithm to be used by IKE when establishing a phase 1 security association.
Command syntax:
hash {md5|sha-1|sha-256|sha-384}
Where:
md5, sha-1, sha-256, and sha-384 are elements of a NIST-standard family of cryptographic algorithms.
Example:
Magnum 10RX(config-ike-profile)# hash sha-256
This command specifies that traffic governed by this IKE profile will use the SHA-256 hash algorithm.
Default value: SHA-1
The no hash command sets the hash algorithm to the default value.
Use the show ike profile command to view configured values.
18.2.1.4 Specify a DH Group
Use the group command in IKE Profile Configuration mode to set the DH group to be used by IKE when establishing a phase 1 security association.
Command syntax:
group {1|2|5|14|24}
Where:
1, 2, 5, 14, and 24 are the available Diffie-Hellman groups.
The 10RX software supports the following Diffie-Hellman (DH) Groups. Key strength and whether conventional Diffie-Hellman (DH) or Elliptical Curve Diffie-Hellman (ECDH) is indicated parenthetically:
• Group 1 (768 bit DH)
• Group 2 (1024 bit DH)
• Group 5 (1536 bit DH)
• Group 14 (2048 bit DH, 224-bit Prime Order Subgroup)
• Group 24 (2048 bit DH, 256-bit Prime Order Subgroup)
Example:
Magnum 10RX(config-ike-profile)# group 5
This command specifies that traffic governed by this IKE profile will use DH Group 5.
Default value: Group 2
The no group command sets the DH group to the default value.
Use the show ike profile command to view configured values.
18.2.1.5 Specify PFS
Use the pfs command in IKE Profile Configuration mode to enable Perfect Forward Secrecy (PFS) and to set the DH group to be used by IKE when creating a phase 2 security association.
Command syntax:
pfs {1|2|5|14|24}
Where:
1, 2, 5, 14, and 24 are the available Diffie-Hellman groups.
Example:
Magnum 10RX(config-ike-profile)# pfs 14
This command specifies that traffic governed by this IKE profile will use PFS and DH Group 14.
Default value: PFS disabled
The no pfs command disables PFS.
Use the show ike profile command to view configured values.
18.2.1.6 Specify SA (Phase 1) Lifetime
Use the lifetime seconds command in IKE Profile Configuration mode to set the expiration time for a phase 1 security association.
Command syntax:
lifetime seconds lifesecs
Where:
lifesecs specifies the number of seconds before the phase 1 SA is deleted.
Example:
Magnum 10RX(config-ike-profile)# lifetime seconds 600
This command specifies that an SA created with this IKE profile will be deleted 600 seconds after its creation.
Default value: 28800 seconds
Valid range: 300-86400 seconds
The no lifetime command sets the lifetime to the default value.
Use the show ike profile command to view configured values.
18.2.1.7 Configure DPD
Use the dpd command in IKE Profile Configuration mode to set the number of seconds between R-U-THERE messages. If the peer does not respond to three consecutive R-U-THERE messages the SAs with that peer will be deleted.
Command syntax:
dpd dpdsecs
Where:
dpdsecs specifies the number of seconds between R-U-THERE messages.
Example:
Magnum 10RX(config-ike-profile)# dpd 200
This command specifies that a device in an SA created with this IKE profile will send R-U-THERE messages every 200 seconds.
Default value: 30 seconds
Valid range: 10-3600 seconds
The no dpd command sets the DPD interval to the default value.
Use the show ike profile command to view configured values.
18.2.2 IPsec Proposal Table
Each IPsec proposal table entry describes the parameters used to negotiate an IPSEC SA (that is, "phase 2" security association). This is the SA that will be used to encrypt data traffic between the 10RX and the remote security gateway.
The configurable IPsec Proposal parameters are:
• Name — each IPsec proposal has a user-configurable name. In the CLI, the name is used instead of the index to reference the proposal.
• Encryption — the symmetric encryption algorithm used to protect the confidentiality of the IPSEC SA. Possible values are DES, 3DES, AES, or AES256. Defaults to 3DES.
• Hash — the hashing function used to protect the integrity of the IPSEC SA. Possible values are MD5, SHA-1, SHA-256, or SHA-384. Defaults to SHA-1.
• Lifetime — the number of seconds that the IPsec SA will be valid once it is created. After this timer expires, the SA is immediately deleted. Valid range is 300 (5 minutes) to 86400 (1 day). Defaults to 28800 (8 hours). As long as an IPsec SA is being actively used, new IPsec SAs will be automatically created to "refresh" the encryption keys. The new SAs are created well in advance of the previous SA lifetime expiration so that traffic is not interrupted.
18.2.2.1 Configure an IPsec Proposal
Use the crypto ipsec proposal command in Global Configuration mode to enter IPsec Proposal Configuration mode and generate the Magnum 10RX(config-ipsec-proposal)# prompt.
Command syntax:
crypto ipsec proposal propname
Where:
propname is a unique string of up to 64 printable characters identifying the proposal.
Example:
Magnum 10RX(config)# crypto ipsec proposal ipprop11
Magnum 10RX(config-ipsec-proposal)#
This command specifies an IPsec Proposal named ipprop11. Subsequent commands in this configuration mode will modify that proposal.
Valid range: up to 64 printable characters
The no ipsec proposal propname command deletes the proposal specified by propname. A proposal can only be deleted if it is not referenced by any crypto map. If the user tries to delete a referenced proposal, the message %error: proposal is referenced by a crypto map is returned.
Use the show ipsec proposal command to view configured values.
18.2.2.2 Specify IPSec (Phase 2) Encryption Type
Use the encryption command in IPSec Proposal Configuration mode to set the encryption algorithm to be used when establishing a phase 2 security association.
Command syntax:
encryption {des|3des|aes|aes256}
Where:
des, 3des, aes, and aes256 are NIST-standard cryptographic ciphers of various key lengths. 3des is a more secure version of the DES standard in which data is encrypted three times.
Example:
Magnum 10RX(config-ipsec-proposal)# encryption aes
This command specifies that traffic governed by this IPsec proposal will use AES encryption.
Default value: 3DES
The no encryption command sets the encryption to the default value.
Use the show ipsec proposal command to view configured values.
18.2.2.3 Specify IPsec (Phase 2) Hash Algorithm
Use the hash command in IPSec Proposal Configuration mode to set the hash algorithm to be used by IKE when establishing a phase 2 security association.
Command syntax:
hash {md5|sha-1|sha-256|sha-384}
Where:
md5, sha-1, sha-256, and sha-384 are elements of a NIST-standard family of cryptographic algorithms.
Example:
Magnum 10RX(config-ipsec-proposal)# hash sha-256
This command specifies that traffic governed by this IPsec proposal will use the SHA-256 hash algorithm.
Default value: SHA-1
The no hash command sets the hash algorithm to the default value.
Use the show ipsec proposal command to view configured values.
18.2.2.4 Specify SA (Phase 2) Lifetime
Use the lifetime seconds command in IPSec Proposal Configuration mode to set the expiration time for a phase 2 security association.
Command syntax:
lifetime seconds lifesecs
Where:
lifesecs specifies the number of seconds before the phase 2 SA is deleted.
Example:
Magnum 10RX(config-ipsec-proposal)# lifetime seconds 600
This command specifies that an SA created with this IPsec proposal will be deleted 600 seconds after its creation.
Default value: 28800 seconds
Valid range: 300-86400 seconds
The no lifetime command sets the lifetime to the default value.
Use the show ipsec proposal command to view configured values.
18.2.3 Crypto Maps
Each crypto map binds an IKE profile, an IPsec proposal, an IKE local IP address, an IKE peer IP address, and a traffic descriptor (specified by an ACL).
The configurable parameters are:
• Name — each crypto map has a user-configurable name. In the CLI, the name is used instead of the index to reference the crypto map.
• IKE Profile — the index of the IKE profile. If no profile is specified, default values are used.
• IPsec Proposal — the index of the IPsec proposal. If no proposal is specified, default values are used.
• Local IP address — the local IP address from which our local IKE process communicates.
• Peer IP address — the remote IP address of our IKE peer.
• Traffic Descriptor — the name of the ACL that describes the traffic that will be protected per the IPsec Proposal crypto parameters.
• Authentication Type — this specifies the method of authentication. For release 2.0, the only valid authentication type is pre-shared key.
• Authentication Name — when the authentication method is pre-shared key, this is the value of the key.
18.2.3.1 Configure a Crypto Map
Use the crypto map command in Global Configuration mode to enter Crypto Map Configuration mode and generate the Magnum 10RX(config-crypto-map)# prompt.
Command syntax:
crypto map mapname
Where:
mapname is a unique string of up to 64 printable characters identifying the map.
Example:
Magnum 10RX(config)# crypto map crypmap18
Magnum 10RX(config-crypto-map)#
This command specifies a crypto map named crypmap18. Subsequent commands in this configuration mode will modify that map.
Valid range: up to 64 printable characters
The no crypto map mapname command deletes the map specified by mapname.
Use the show crypto map command to view configured values.
18.2.3.2 Specify the Traffic to Protect
Use the match command in Crypto Map Configuration mode to specify an Access Control List (ACL) that defines the traffic to be protected. A valid ACL simply lists addresses of source and destination networks or hosts.
Command syntax:
match aclname
Where:
aclname specifies a valid ACL.
Example:
Magnum 10RX(config-crypto-map)# match aclmfg
This command specifies an access control list named aclmfg that lists source and destination addresses that define the traffic to be protected.
Default value: None. This parameter MUST be specified. If it is not specified the message %warning: incomplete crypto map will be generated on exiting crypto map configuration.
The no match command deletes an existing association with an ACL.
Use the show crypto map command to view configured values.
NOTE: ACLs that use objects and/or object-groups are not valid for specifying the traffic to protect.
18.2.3.3 Specify a Peer IP Address
Use the peer address command in Crypto Map Configuration mode to specify the peer IP address.
Command syntax:
peer address xxx.xxx.xxx.xxx
Where:
xxx.xxx.xxx.xxx is the address of the peer in IPv4 format.
Example:
Magnum 10RX(config-crypto-map)# peer address 192.168.1.2
Default value: None. This parameter MUST be specified. If it is not specified the message %warning: incomplete crypto map will be generated on exiting crypto map configuration.
The no peer address command deletes an existing peer address.
Use the show crypto map command to view configured values.
18.2.3.4 Specify the Local IP Address
Use the local address command in Crypto Map Configuration mode to specify the local IP address.
Command syntax:
local address xxx.xxx.xxx.xxx
Where:
xxx.xxx.xxx.xxx is the local address in IPv4 format.
Example:
Magnum 10RX(config-crypto-map)# local address 192.168.1.3
Default value: None. This parameter MUST be specified. If it is not specified the message %warning: incomplete crypto map will be generated on exiting crypto map configuration.
The no local address command deletes an existing local address.
Use the show crypto map command to view configured values.
18.2.3.5 Bind an IKE Profile
Use the profile command in Crypto Map Configuration mode to specify the IKE profile to bind to the addresses configured with the peer address and local address commands.
Command syntax:
profile profname
Where:
profname is the name of a configured IKE profile.
Example:
Magnum 10RX(config-crypto-map)# profile ikeprof33
Default value: If no profile is specified a default profile is used containing the default values for each element of an IKE profile. See the command set for configuring an IKE profile to view these default values.
The no profile command deletes a bound IKE profile from the crypto map.
Use the show crypto map command to view configured values.
18.2.3.6 Bind an IPsec Proposal
Use the proposal command in Crypto Map Configuration mode to specify the IPsec proposal to bind to the addresses configured with the peer address and local address commands.
Command syntax:
proposal propname
Where:
propname is the name of a configured IPsec proposal.
Example:
Magnum 10RX(config-crypto-map)# proposal ipprop11
Default value: If no proposal is specified a default proposal is used containing the default values for each element of an IPsec proposal. See the command set for configuring an IPsec proposal to view these default values.
The no proposal command deletes a bound IPsec proposal from the crypto map.
Use the show crypto map command to view configured values.
18.2.3.7 Specify Authentication Type
Use the auth-type command in Crypto Map Configuration mode to specify the authentication method.
Command syntax:
auth-type {psk}
Where:
psk stands for pre-shared key. In this release this is the only available authentication method.
Example:
Magnum 10RX(config-crypto-map)# auth-type psk
Default value: psk.
Use the show crypto map command to view configured values.
NOTE: Crypto maps specifying the same remote peer address must use the exact same IKE profile parameters.
18.2.3.8 Specify a Pre-shared Key
Use the auth-info command in Crypto Map Configuration mode to specify the pre-shared key to be used when authenticating to the peer.
Command syntax:
auth-info aistring
Where:
aistring is a string of up to 256 printable characters.
Example:
Magnum 10RX(config-crypto-map)# auth-info 747hhf73h!38pnvh
Default value: None. This parameter MUST be specified. If it is not specified the message %warning: incomplete crypto map will be generated on exiting crypto map configuration.
The no auth-info command deletes the configured auth-info value.
Use the show crypto map command to view configured values.
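The IKE profile, IPsec proposal and crypto map command sets described in 18.2.1 through 18.2.3 can be checked offline before a configuration is applied to a router. The following Python is an added example, not code from this guide or from Belden: it replays those commands and applies the documented rules (keyword and range checks, the incomplete crypto map warning raised on leaving Crypto Map Configuration mode, the error for deleting a proposal that a crypto map references, and the note that maps sharing a peer must use identical IKE profile parameters); message texts other than the two quoted from the guide are the example's own, and the sample configuration is constructed.

```python
# Offline checker for the INOS IPsec CLI commands of sections 18.2.1 to 18.2.3.
# Added example, not code from the INOS guide or from Belden; message texts
# other than the two quoted from the guide are this example's own wording.

ENCRYPTION = {"des", "3des", "aes", "aes256"}
HASH = {"md5", "sha-1", "sha-256", "sha-384"}
DH_GROUPS = {"1", "2", "5", "14", "24"}
IKE_CMDS = {"encryption": ENCRYPTION, "hash": HASH, "group": DH_GROUPS,   # keyword sets
            "pfs": DH_GROUPS, "lifetime seconds": range(300, 86401),      # or ranges
            "dpd": range(10, 3601)}                                       # in seconds
IPSEC_CMDS = {k: IKE_CMDS[k] for k in ("encryption", "hash", "lifetime seconds")}
IKE_DEFAULTS = {"encryption": "3des", "hash": "sha-1", "group": "2",
                "pfs": None, "lifetime": "28800", "dpd": "30"}
IPSEC_DEFAULTS = {"encryption": "3des", "hash": "sha-1", "lifetime": "28800"}
MAP_REQUIRED = ("match", "peer", "local", "auth-info")  # else the map is incomplete
PSK_MAX = 256                                           # printable characters


def _ok(arg, allowed):
    """True when arg is an allowed keyword or an integer inside the allowed range."""
    if isinstance(allowed, range):
        return arg.isdigit() and int(arg) in allowed
    return arg in allowed


def lint_config(text):
    """Return (profiles, proposals, maps, messages) for a block of CLI text."""
    profiles, proposals, maps, msgs = {}, {}, {}, []
    modes = {"crypto ike profile": ("ike", profiles, IKE_DEFAULTS, IKE_CMDS),
             "crypto ipsec proposal": ("ipsec", proposals, IPSEC_DEFAULTS, IPSEC_CMDS),
             "crypto map": ("map", maps, {}, {})}
    mode = table = rules = cur = None     # state of the current configuration mode

    def leave_mode():
        # Leaving Crypto Map Configuration mode triggers the completeness check.
        if mode == "map" and any(maps[cur].get(k) is None for k in MAP_REQUIRED):
            msgs.append("%warning: incomplete crypto map")

    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        cmd, arg = " ".join(words[:-1]) or words[0], words[-1]
        if cmd in modes:                              # enter a configuration mode
            leave_mode()
            mode, table, defaults, rules = modes[cmd]
            cur = arg
            table.setdefault(cur, dict(defaults))
        elif cmd in ("exit", "no ipsec proposal"):   # back to Global Configuration
            leave_mode()
            mode = cur = None
            if cmd != "exit" and any(m.get("proposal") == arg for m in maps.values()):
                msgs.append("%error: proposal is referenced by a crypto map")
            elif cmd != "exit":
                proposals.pop(arg, None)
        elif mode in ("ike", "ipsec"):
            if cmd in rules and _ok(arg, rules[cmd]):
                table[cur][cmd.split()[0]] = arg      # "lifetime seconds" -> lifetime
            else:
                msgs.append(f"%error: invalid in {mode} {cur}: {raw.strip()}")
        elif mode == "map":
            if cmd in ("match", "peer address", "local address", "profile", "proposal"):
                table[cur][cmd.split()[0]] = arg      # "peer address" -> peer
            elif (cmd == "auth-type" and arg == "psk") or (cmd == "auth-info" and len(arg) <= PSK_MAX):
                table[cur][cmd] = arg
            else:
                msgs.append(f"%error: invalid in crypto map {cur}: {raw.strip()}")
        else:
            msgs.append(f"%error: unrecognised command: {raw.strip()}")
    leave_mode()
    # Maps that share a remote peer must resolve to identical phase 1 parameters.
    seen = {}
    for name, m in maps.items():
        if m.get("peer") is None:
            continue
        params = tuple(sorted(profiles.get(m.get("profile"), IKE_DEFAULTS).items()))
        first, first_params = seen.setdefault(m["peer"], (name, params))
        if first_params != params:
            msgs.append(f"%warning: maps {first} and {name} share peer {m['peer']} "
                        "but use different IKE profile parameters")
    return profiles, proposals, maps, msgs


# Constructed sample that reuses the guide's example names; not device output.
SAMPLE_CONFIG = """\
crypto ike profile ikeprof3
 encryption aes
 pfs 14
crypto ipsec proposal ipprop11
 lifetime seconds 100
crypto map crypmap18
 match aclmfg
 peer address 192.168.1.2
 local address 192.168.1.3
 profile ikeprof3
 proposal ipprop11
 auth-info 747hhf73h!38pnvh
crypto map crypmap19
 peer address 192.168.1.2
no ipsec proposal ipprop11
"""
```

Running lint_config(SAMPLE_CONFIG) reports the out-of-range lifetime, the incomplete second map, the refused deletion of ipprop11 and the two maps that share a peer but resolve to different phase 1 parameters.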
18.2.4 IPsec VPN-related Show Commands
The following commands, executed in Exec Commands mode, display information about IPsec data.
18.2.4.1 show ike sa
Use the show ike sa command to show information from the IKE SA table.
Example:
Magnum 10RX# show ike sa
18.2.4.2 show ipsec sa
Use the show ipsec sa command to show information from the IPSEC SA table.
Example:
Magnum 10RX# show ipsec sa
18.2.4.3 show ike profile
Use the show ike profile command to display all of the configured IKE profiles.
Example:
Magnum 10RX# show ike profile
Example output:
Magnum 10RX# show ike profile
Profile ikeprof3
Encryption is 3DES, Hash is SHA-1
DH group is 2, PFS is disabled
Maximum lifetime is 28800 seconds, DPD keepalive is 30 seconds
18.2.4.4 show ipsec proposal
Use the show ipsec proposal command to display all of the configured Ipsec proposals.
Example:
Magnum 10RX# show ipsec proposal
Example output:
Magnum 10RX# show ipsec proposal
Proposal ipprop11
Encryption is 3DES, Hash is SHA-1
Maximum lifetime is 28800 seconds
18.2.4.5 show crypto map
Use the show crypto map command to display all of the configured crypto maps.
Example:
Magnum 10RX# show crypto map
Example output:
Magnum 10RX# show crypto map
Map crypmap18
Profile is ikeprof3, Proposal is ipprop11
Local address is 0.0.0.0, Peer address is 0.0.0.0
Match based on ACL aclmfg
Auth type is PSKs
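The three listings above can be audited mechanically for the defaults they expose. The following Python is an added example, not code from this guide or from Belden: it parses output in the format shown into dictionaries and reports the settings a reviewer would flag, using thresholds (AES and SHA-256 or stronger, 2048-bit DH groups, PFS enabled) that are this example's policy rather than the guide's; the second profile and second map in the sample listings are constructed, as is the assumed form of a PFS-enabled line.

```python
# Audit INOS 'show ike profile', 'show ipsec proposal' and 'show crypto map'
# output.  Added example, not code from the INOS guide or from Belden; the
# strength thresholds below are this example's policy, not the guide's.
import re

WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_HASH = {"MD5", "SHA-1"}
SMALL_DH_GROUPS = {"1", "2", "5"}   # 768-, 1024- and 1536-bit groups
UNSPECIFIED = "0.0.0.0"             # value in the guide's sample output; read as "not yet set"

# Constructed listings in the format of the guide's example output.  The
# second profile and second map are invented; the form of a PFS-enabled
# line ("PFS is 14") is an assumption.
SHOW_IKE_PROFILE = """\
Magnum 10RX# show ike profile
Profile ikeprof3
Encryption is 3DES, Hash is SHA-1
DH group is 2, PFS is disabled
Maximum lifetime is 28800 seconds, DPD keepalive is 30 seconds
Profile ikeprof14
Encryption is AES256, Hash is SHA-256
DH group is 14, PFS is 14
Maximum lifetime is 3600 seconds, DPD keepalive is 30 seconds
"""
SHOW_IPSEC_PROPOSAL = """\
Magnum 10RX# show ipsec proposal
Proposal ipprop11
Encryption is 3DES, Hash is SHA-1
Maximum lifetime is 28800 seconds
"""
SHOW_CRYPTO_MAP = """\
Magnum 10RX# show crypto map
Map crypmap18
Profile is ikeprof3, Proposal is ipprop11
Local address is 0.0.0.0, Peer address is 0.0.0.0
Match based on ACL aclmfg
Auth type is PSK
Map crypmap19
Profile is ikeprof14, Proposal is ipprop12
Local address is 192.168.1.3, Peer address is 192.168.1.2
Match based on ACL aclmfg
Auth type is PSK
"""

PAIR = re.compile(r"([A-Za-z ]+?) is (\S+)")   # "Field is value" fragments


def parse_show(text, kind):
    """Split a listing into {name: {field: value}} blocks headed by '<kind> <name>'."""
    entries, cur = {}, None
    for line in text.splitlines():
        header = re.fullmatch(re.escape(kind) + r" (\S+)", line)
        if header:
            cur = entries[header.group(1)] = {}
        elif cur is not None and line.startswith("Match based on ACL "):
            cur["ACL"] = line.rsplit(" ", 1)[1]
        elif cur is not None:
            for field, value in PAIR.findall(line):
                cur[field.strip()] = value.rstrip(",")
    return entries


def audit(profiles, proposals, maps):
    """Return one finding string per issue, in listing order."""
    findings = []
    for name, p in profiles.items():
        if p.get("Encryption") in WEAK_ENCRYPTION or p.get("Hash") in WEAK_HASH:
            findings.append(f"profile {name}: phase 1 uses {p['Encryption']}/{p['Hash']}")
        if p.get("DH group") in SMALL_DH_GROUPS:
            findings.append(f"profile {name}: DH group {p['DH group']} is below 2048 bits")
        if p.get("PFS") == "disabled":
            findings.append(f"profile {name}: PFS disabled, phase 2 keys lack a fresh DH exchange")
    for name, p in proposals.items():
        if p.get("Encryption") in WEAK_ENCRYPTION or p.get("Hash") in WEAK_HASH:
            findings.append(f"proposal {name}: phase 2 uses {p['Encryption']}/{p['Hash']}")
    for name, m in maps.items():
        if UNSPECIFIED in (m.get("Local address"), m.get("Peer address")):
            findings.append(f"map {name}: local or peer address not specified")
        for field, known, cmd in (("Profile", profiles, "show ike profile"),
                                  ("Proposal", proposals, "show ipsec proposal")):
            ref = m.get(field)
            if ref is not None and ref not in known:
                findings.append(f"map {name}: {field.lower()} {ref} not listed by {cmd}")
    return findings
```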
18.2.5 IPsec VPN-related Clear Commands
The following commands, executed in Exec Commands mode, clear specified configured IPsec information.
18.2.5.1 clear ike sa all
Use the clear ike sa all command to delete all active phase 1 SAs and force re-negotiation.
Example:
Magnum 10RX# clear ike sa all
18.2.5.2 clear ike sa peer
Use the clear ike sa peer command to delete all phase 1 SAs associated with the specified peer and force re-negotiation with that particular IKE peer. This command will also delete any phase 2 SAs that were created using the deleted phase 1 SAs.
Command syntax:
clear ike sa peer xxx.xxx.xxx.xxx
Where:
xxx.xxx.xxx.xxx is the address of the IKE peer in IPv4 format.
Example:
Magnum 10RX# clear ike sa peer 192.168.1.1
18.2.5.3 clear ike sa id
Use the clear ike sa id command to delete a specific phase 1 SA by the identifier shown in the show ike sa command and force re-negotiation. This command will also delete any phase 2 SAs that were created using the deleted phase 1 SA.
Command syntax:
clear ike sa id ike-sa-id
Where:
ike-sa-id is the SA ID shown in the show ike sa command.
Example:
Magnum 10RX# clear ike sa id 1
18.2.5.4 clear ipsec sa all
Use the clear ipsec sa all command to delete all IPSEC SAs.
Example:
Magnum 10RX# clear ipsec sa all
18.2.5.5 clear ipsec sa peer
Use the clear ipsec sa peer command to delete all IPSEC SAs that have been established with the specified peer and force re-negotiation for those SAs.
Command syntax:
clear ipsec sa peer xxx.xxx.xxx.xxx
Where:
xxx.xxx.xxx.xxx is the configured peer address in IPv4 format.
Example:
Magnum 10RX# clear ipsec sa peer 192.168.1.1
18.2.5.6 clear ipsec sa id
Use the clear ipsec sa id command to delete an IPSEC SA by ID and to force re-negotiation.
Command syntax:
clear ipsec sa id ipsec-sa-id
Where:
ipsec-sa-id is the IPsec SA ID as reported by the show ipsec sa command.
Example:
Magnum 10RX# clear ipsec sa id 2
18.3 Configuring IPsec VPN in the GUI
The following sections explain how to configure IPsec VPN in the GUI.
18.3.1 Configuring an IKE Profile
In the GUI go to the Security Management: IPSEC: IKE Profile tab to define an IKE profile, as illustrated in Figure 18-1.
Figure 18-1. IKE Profile Basic Settings Screen
In the IKE Profile Basic Settings screen use the upper dialog box to name an IKE profile and specify its properties. Click the Create button to save your definition and display it in the lower dialog box. Use the lower dialog box to edit or delete configured profiles.
For a comprehensive treatment of IKE profiles see Section 18.2.1.
Table 18-1. IKE Profile Basic Settings Fields
Parameter Description See Also
Select You must click a selection button before modifying a configuration.
Name Specify a name for the profile in a string of up to 64 printable characters.
Section 18.2.1.1
Encryption Set the encryption algorithm to be used by IKE when establishing a phase 1 security association. Options are DES, 3DES, AES, and AES256. These are NIST-standard cryptographic ciphers of various key lengths. 3DES is a more secure version of the DES standard in which data is encrypted three times.
Section 18.2.1.2
Hash Set the hash algorithm to be used by IKE when establishing a phase 1 security association. Options are MD5, SHA-1, SHA-256, and SHA-384. These are elements of a NIST-standard family of cryptographic algorithms.
Section 18.2.1.3
Group Set the Diffie-Hellman (DH) group to be used by IKE when establishing a phase 1 security association.
The 10RX software supports the following DH Groups. Key strength and whether conventional Diffie-Hellman (DH) or Elliptical Curve Diffie-Hellman (ECDH) is indicated parenthetically:
Group 1 (768 bit DH)
Group 2 (1024 bit DH)
Group 5 (1536 bit DH)
Group 14 (2048 bit DH, 224-bit Prime Order Subgroup)
Group 24 (2048 bit DH, 256-bit Prime Order Subgroup)
Section 18.2.1.4
PFS Enable or disable Perfect Forward Secrecy (PFS) and set the DH group to be used by IKE when creating a phase 2 security association.
Section 18.2.1.5
Lifetime Set the expiration time for a phase 1 security association.
Default value: 28800 seconds
Valid range: 300-86400 seconds
Section 18.2.1.6
DPD Set the number of seconds between R-U-THERE messages. If the peer does not respond to three consecutive R-U-THERE messages the SAs with that peer will be deleted.
Default value: 30 seconds
Valid range: 10-3600 seconds
Section 18.2.1.7
18.3.2 Configuring an IPsec Proposal
In the GUI go to the Security Management: IPSEC: IPSec Proposal tab to define an IPsec proposal, as illustrated in Figure 18-2.
Figure 18-2. IPSec Proposal Basic Settings Screen
In the IPSec Proposal Basic Settings screen use the upper dialog box to name an IPsec proposal and specify its properties. Click the Create button to save your definition and display it in the lower dialog box. Use the lower dialog box to edit or delete configured proposals.
For a comprehensive treatment of IPsec proposals see Section 18.2.2.
Table 18-2. IPSec Basic Settings Fields
Parameter Description See Also
Select You must click a selection button before modifying a configuration.
Name Specify a name for the proposal in a string of up to 64 printable characters.
Section 18.2.2.1
Encryption Set the encryption algorithm to be used when establishing a phase 2 security association. Options are DES, 3DES, AES, and AES256. These are NIST-standard cryptographic ciphers of various key lengths. 3DES is a more secure version of the DES standard in which data is encrypted three times.
Section 18.2.2.2
Hash Set the hash algorithm to be used when establishing a phase 2 security association. Options are MD5, SHA-1, SHA-256, and SHA-384. These are elements of a NIST-standard family of cryptographic algorithms.
Section 18.2.2.3
Lifetime Set the expiration time for a phase 2 security association.
Default value: 28800 seconds
Valid range: 300-86400 seconds
Section 18.2.2.4
18.3.3 Configuring a Crypto Map
In the GUI go to the Security Management: IPSEC: Crypto Map tab to configure a crypto map, as illustrated in Figure 18-3.
Figure 18-3. Crypto Map Basic Settings Screen
In the IPSec Crypto Map Basic Settings screen use the upper dialog box to define a crypto map. Click the Create button to save your definition and display it in the lower dialog box. Use the lower dialog box to edit or delete configured maps.
For a comprehensive treatment of crypto maps see Section 18.2.3.
Table 18-3. Crypto Map Basic Settings Fields
Parameter Description See Also
Select You must click a selection button before modifying a configuration.
Name Specify a name for the map in a string of up to 64 printable characters.
Section 18.2.3.1
IKE Profile Specify the configured IKE profile to bind to the addresses configured with the Peer IP and Local IP specifications.
Default value: If no profile is specified a default profile is used containing the default values for each element of an IKE profile.
Section 18.2.3.5
IPsec Proposal Specify the configured IPsec proposal to bind to the addresses configured with the Peer IP and Local IP specifications.
Default value: If no proposal is specified a default proposal is used containing the default values for each element of an IPsec proposal.
Section 18.2.3.6
Local IP Specify the local IP address.
Default value: None. This parameter MUST be specified.
Section 18.2.3.4
Peer IP Specify the peer IP address.
Default value: None. This parameter MUST be specified.
Section 18.2.3.3
ACL Specify an Access Control List (ACL) that defines the traffic to be protected.
Default value: None. This parameter MUST be specified.
Section 18.2.3.2
PSK Specify the pre-shared key to be used when authenticating to the peer.
Default value: None. This parameter MUST be specified.
Section 18.2.3.8
Confirm PSK Re-enter the PSK.
Section 18.2.3.8
18.3.4 Displaying IKE Security Associations
In the GUI go to the Security Management: IPSEC: IKE SA tab to view the details of IKE security associations, as illustrated in Figure 18-4.
Figure 18-4. IKE Security Association Screen
The IKE Security Association screen reports details of configured and active sessions.
Table 18-4. IKE Security Association Fields
Parameter Description
Select You must click a selection button before deleting a configuration.
IKE SA ID An internal unique identifier for the IKE session.
Initiator Address The IP address of the IKE peer that initiated the IKE session.
Responder Address The IP address of the other IKE peer.
Initiator Cookie A random number selected by the initiator to uniquely identify the session.
Responder Cookie A random number selected by the responder to uniquely identify the session.
Maximum Lifetime The configured maximum number of seconds this session can last before it is automatically deleted.
Remaining Lifetime The actual number of seconds left until this session is deleted.
Encryption Algorithm The encryption algorithm selected to secure the IKE session communication channel.
Hash Algorithm The hash algorithm selected to secure the IKE session communication channel.
18.3.5 Displaying IPsec Security Associations
In the GUI go to the Security Management: IPSEC: IPSec SA tab to view the details of IPsec security associations, as illustrated in Figure 18-5.
Figure 18-5. IPSEC Security Association Screen
The IPSEC Security Association screen reports details of configured and active sessions.
Table 18-5. IPsec Security Association Fields
Parameter Description
Select You must click a selection button before deleting a configuration.
Outbound ID An internal unique identifier for the outbound security association (SA).
Inbound ID An internal unique identifier for the inbound SA.
Outbound SPI The security parameters index for the outbound SA.
Inbound SPI The security parameters index for the inbound SA.
Source Address Start The start of the source IP address range for secured traffic.
Source Address End The end of the source IP address range for secured traffic.
Destination Address Start The start of the destination IP address range for secured traffic.
Destination Address End The end of the destination IP address range for secured traffic.
Maximum Lifetime The configured maximum number of seconds these SAs can last before they are automatically deleted.
Remaining Lifetime The actual number of seconds left until the SAs are deleted.
Encryption Algorithm The encryption algorithm selected to secure the SA communication channel.
Hash Algorithm The hash algorithm selected to secure the SA communication channel.
18.3.6 Configuring IPsec ACLs
In the GUI go to the Security Management: IPSEC: IPSec ACLs tab to define access control lists, as illustrated in Figure 18-6.
Figure 18-6. IPSEC ACL Settings Screen
In the IPSEC ACL screen define access control lists (also called traffic descriptors) to alert IPsec to the presence of traffic needing protection and to initiate a security association.
Table 18-6. IPsec ACL Fields
Parameter Description See Also
Select You must click a selection button before modifying a configuration.
ACL Name A user-supplied name for this ACL.
Protocol The protocol (IP or GRE) to which this ACL is applied.
Source Address A source IP address for traffic needing protection.
Source Mask A source network mask for traffic needing protection.
Destination Address A destination IP address for traffic needing protection.
Destination Mask A destination network mask for traffic needing protection.
Remark Descriptive information about the ACL.
Chapter 19 T1/E1
INOS supports Wide Area Networking (WAN) through dual-port T1/E1 cards in slots 3 through 10, for a maximum of 8 cards and 16 T1/E1 (or WAN) interfaces per system. Each interface can be run in either T1 or E1 mode. The physical layer parameters for each of these interfaces can be individually configured by the user. T1/E1 port status and statistics may also be retrieved by the user.
For the purposes of this document, any instance of the term WAN refers to the North American T1 and the European E1 standards.
A T1/E1 interface may operate in fractional mode, where a subset of the available time slots are used. Furthermore, a T1/E1 interface may be operated in a channelized configuration where the available timeslots may be assigned to up to 24 (T1) or 31 (E1) individual channels. Each channel is equivalent to a single logical interface. Up to 8 T1/E1 interfaces may be channelized.
19.1 Configuring T1/E1 in the CLI
10RX supports ports to transmit and receive T1/E1 traffic. Each of these ports is separately configurable and may be divided up into multiple channels. The CLI commands in the sections below describe the commands to use to configure T1/E1 ports and channels.
19.1.1 Specifying a T1/E1 Interface
Use the interface t1e1 command in Global Configuration mode to specify a new or existing T1/E1 interface and to enter T1/E1 Interface Configuration mode, signaled by the Magnum 10RX(config-t1e1)# prompt.
Command syntax:
interface t1e1 slot/port
Where:
slot/port are valid slot and port designations for a T1/E1 port on this device. (Use the show interface command in the Exec Commands mode to discover valid slot/port combinations.)
NOTE: T1 designates a North American hardware specification for telecommunications trunking. The analogous European specification is E1. A more general term, DS1, is commonly used to include both of these standards. Wide Area Networking (WAN) is the networking concept supported by these technologies.
Example:
Magnum 10RX(config)# interface t1e1 8/1
Magnum 10RX(config-t1e1)#
This command specifies the T1/E1 interface 8/1. Subsequent commands in the T1/E1 Configuration session will modify this interface.
Use the show interface t1e1 slot/port command to view configured values.
19.1.2 Configure Mode on a T1/E1 Interface
Use the mode command in T1/E1 Interface Configuration mode to specify the transmission mode of this port.
Command syntax:
mode {T1 | E1}
Where:
T1 specifies the North American T1 standard.
E1 specifies the European E1 standard.
Example:
Magnum 10RX(config-t1e1)# mode t1
Default value: T1
Use the show interface t1e1 slot/port command to view configured values.
19.1.3 Configure Clock Source on a T1/E1 Interface
Use the clock command in T1/E1 Interface Configuration mode to specify the clock source for this port. Ordinarily this setting matches what the carrier provides. For private lines one side must be local and the other received.
Command syntax:
clock {local | received}
Where:
local specifies internal clocking.
received specifies external clocking.
Example:
Magnum 10RX(config-t1e1)# clock local
Default value: received (external clocking)
Use the show interface t1e1 slot/port command to view configured values.
19.1.4 Configure Timeslot Bandwidth on a T1/E1 Interface
Use the timeslot-bandwidth command in T1/E1 Interface Configuration mode to specify the data rate for this port. (E1 circuits normally use a value of 64kbps.)
Command syntax:
timeslot-bandwidth {56K | 64K}
Where:
56K specifies a usable data rate of 56kbps.
64K specifies a usable data rate of 64kbps.
Example:
Magnum 10RX(config-t1e1)# timeslot-bandwidth 56K
Default value: 56K
Use the show interface t1e1 slot/port command to view configured values.
19.1.5 Configure Timeslots on a T1/E1 Interface
Use the timeslots command in T1/E1 Interface Configuration mode to specify the time slots to use with the T1 or E1 circuit. For specific channels use single slot numbers separated by commas or a range separated by a hyphen. Spaces are not allowed. Example: 1,3,5-8.
Command syntax:
timeslots tslot-spec
Where:
tslot-spec specifies the timeslots to use for this circuit.
Example:
Magnum 10RX(config-t1e1)# timeslots 1-5
Valid ranges:
For T1 interfaces — 1-24
For E1 interfaces — 1-31 (Except that for the CAS frame type timeslot 16 is not available.)
The no timeslots command specifies the default.
Use the show interface t1e1 slot/port command to view configured values.
19.1.6 Configure Frame Types on a T1/E1 Interface
Use the frame-types command in T1/E1 Interface Configuration mode to specify the frame types for the T1 or E1 circuit. The frame type is normally specified by the carrier.
Command syntax:
frame-type {ESF | D4 | FAS | CAS}
Where:
For T1 mode the following values may be selected:
• ESF specifies Extended Super Framing format, consisting of 24 consecutive 193 bit frames.
• D4 specifies a framing format also known as SF (Super Frame), consisting of 12 consecutive 193 bit frames.
For E1 mode the following values may be selected:
• FAS specifies Frame Alignment Signaling.
• CAS specifies Channel Associated Signaling, a method that "robs" some bits of each frame to transmit synchronization information.
Example:
Magnum 10RX(config-t1e1)# frame-type D4
Default value: ESF
Use the show interface t1e1 slot/port command to view configured values.
19.1.7 Configure Line Codes on a T1/E1 Interface
Use the line-codes command in T1/E1 Interface Configuration mode to specify the line codes for the T1 or E1 circuit. Line codes are normally specified by the carrier.
Command syntax:
line-code {AMI | B8ZS | HDB3}
Where:
For T1 mode the following values may be selected:
• AMI specifies Alternate Mark Inversion line coding.
• B8ZS specifies Bipolar With 8 Zero Substitution line coding.
For E1 mode the following values may be selected:
• AMI specifies Alternate Mark Inversion line coding.
• HDB3 specifies High Density Bipolar 3 line coding.
Example:
Magnum 10RX(config-t1e1)# line-code AMI
Default value: B8ZS
Use the show interface t1e1 slot/port command to view configured values.
19.1.8 Configure Line Build-out on a T1/E1 Interface
Use the line-build-out command in T1/E1 Interface Configuration mode to specify the line build out compensation for the T1 or E1 circuit. Line build out compensates for the loss based on distance from the device to the first repeater in the circuit. A longer distance from the device to the repeater requires that the signal strength on the circuit be boosted to compensate for loss over that distance. The specified compensation is expressed either in decibels or in feet. Contact your service provider for details on this information.
Command syntax:
line-build-out {0to133 | 133to266 | 266to399 | 399to533 | 533to655 | -7.5dB |-15dB | -22.5dB}
Where:
Arguments specify required signal compensation. The options are:
0to133 - distance from 0 feet to 133 ft
133to266 - distance from 133 ft to 266 ft
266to399 - distance from 266 ft to 399 ft
399to533 - distance from 399 ft to 533 ft
533to655 - distance from 533 ft to 655 ft
-7.5dB - a signal loss of 7.5dB
-15dB - a signal loss of 15dB
-22.5dB - a signal loss of 22.5dB
Example:
Magnum 10RX(config-t1e1)# line-build-out 133to266
Default value: 0to133
Use the show interface t1e1 slot/port command to view configured values.
19.1.9 Enabling and Disabling a T1/E1 Interface
Use the no shutdown command in T1/E1 Interface Configuration mode to enable a T1/E1 interface.
Command syntax:
no shutdown
Example:
Magnum 10RX(config-t1e1)# no shutdown
Default value: interface is disabled
The shutdown command disables the interface.
Use the show interface t1e1 slot/port command to view configured values.
19.1.10 Configuring a Channelized T1/E1 Interface
Use the channel command in T1/E1 Interface Configuration mode to configure a channel and to enter the T1/E1 Channel Configuration mode, signified by the Magnum 10RX(config-channel)# prompt. Up to 8 DS1 interfaces may be channelized. The number of channels is limited by the number of available timeslots.
Command syntax:
channel chanid
Where:
chanid is a numerical value specifying a valid channel ID.
Example:
Magnum 10RX(config-t1e1)# channel 4
Magnum 10RX(config-channel)#
Valid ranges:
For T1 interfaces — 1-24
For E1 interfaces — 1-31
Default value: no channels configured
The no channel chanid deletes the channel specified by chanid.
19.1.11 Configuring Timeslots on a T1/E1 Channel
Use the timeslots command in Channel Configuration mode to specify the time slots to use with the channel. Use single slot numbers separated by commas or a range separated by a hyphen. Spaces are not allowed. Example: 1,3,5-8.
A timeslot may be assigned to only one channel.
Command syntax:
timeslots tslot-spec
Where:
tslot-spec specifies the timeslots to use for this channel.
Example:
Magnum 10RX(config-channel)# timeslots 2-6,9
Valid ranges:
For T1 interfaces — 1-24
For E1 interfaces — 1-31
Default value: no time slots assigned
The no timeslots command specifies the default.
Use the show interface t1e1 slot/port command to view configured values.
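A validator for the timeslot rules stated in Sections 19.1.5, 19.1.10 and 19.1.11 (comma-separated slots, hyphen ranges, no spaces, T1 slots 1-24, E1 slots 1-31 with slot 16 unavailable under CAS framing, and each timeslot assigned to at most one channel), as an added Python example that is not INOS code; the port and channel configuration it checks is constructed.

```python
"""Validator for T1/E1 timeslot specs ("1,3,5-8") and channel assignments.

Added example, not INOS code.  It mirrors the rules given in the manual:
  - tslot-spec items are single slots or low-high ranges, separated by
    commas, with no spaces (Sections 19.1.5 and 19.1.11)
  - T1 uses slots/channels 1-24, E1 uses 1-31 (Sections 19.1.5 and 19.1.10)
  - under E1 CAS framing timeslot 16 is not available (Section 19.1.5)
  - a timeslot may be assigned to only one channel (Section 19.1.11)
"""
import re
from typing import Dict, List, Set

SLOT_RANGE = {"T1": range(1, 25), "E1": range(1, 32)}  # 1-24 and 1-31 inclusive
_ITEM = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_timeslots(spec: str) -> Set[int]:
    """Parse "1,3,5-8" into {1, 3, 5, 6, 7, 8}; raise ValueError on bad input."""
    if spec != spec.strip() or " " in spec:
        raise ValueError("spaces are not allowed in a timeslot spec")
    slots: Set[int] = set()
    for item in spec.split(","):
        m = _ITEM.match(item)
        if not m:
            raise ValueError(f"bad timeslot item {item!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if low > high:
            raise ValueError(f"descending range {item!r}")
        slots.update(range(low, high + 1))
    return slots


def valid_slots(mode: str, frame_type: str) -> Set[int]:
    """Timeslots usable on an interface in the given mode and framing."""
    allowed = set(SLOT_RANGE[mode])
    if mode == "E1" and frame_type == "CAS":
        allowed.discard(16)  # slot 16 carries signaling under CAS
    return allowed


def check_interface(mode: str, frame_type: str, port_spec: str,
                    channels: Dict[int, str]) -> List[str]:
    """Return human-readable problems for one T1/E1 port (empty list = OK).

    port_spec is the interface-level `timeslots` spec; channels maps each
    channel ID to that channel's `timeslots` spec.
    """
    problems: List[str] = []
    allowed = valid_slots(mode, frame_type)
    try:
        port_slots = parse_timeslots(port_spec)
    except ValueError as e:
        return [f"port timeslots: {e}"]
    bad = port_slots - allowed
    if bad:
        problems.append(f"port uses slots {sorted(bad)} not valid for {mode}/{frame_type}")
    owner: Dict[int, int] = {}  # timeslot -> channel that already claimed it
    for chan_id, spec in channels.items():
        if chan_id not in SLOT_RANGE[mode]:
            problems.append(f"channel {chan_id} outside the {mode} channel range")
        try:
            slots = parse_timeslots(spec)
        except ValueError as e:
            problems.append(f"channel {chan_id} timeslots: {e}")
            continue
        outside = slots - port_slots
        if outside:
            problems.append(f"channel {chan_id} uses slots {sorted(outside)} not enabled on the port")
        for s in sorted(slots):
            if s in owner:
                problems.append(f"slot {s} assigned to both channel {owner[s]} and channel {chan_id}")
            else:
                owner[s] = chan_id
    return problems


if __name__ == "__main__":
    # Constructed configuration: an E1/CAS port carrying 1-31, channel 4 taking
    # 2-6,9 (the manual's example) and channel 5 overlapping on slot 9.
    for p in check_interface("E1", "CAS", "1-31", {4: "2-6,9", 5: "9-12,16"}):
        print(p)
```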
19.1.12 Enabling and Disabling a T1/E1 Channel
Use the no shutdown command in Channel Configuration mode to enable a T1/E1 channel.
Command syntax:
no shutdown
Example:
Magnum 10RX(config-channel)# no shutdown
Default value: channel is disabled
The shutdown command disables the channel.
Use the show interface t1e1 slot/port command to view configured values.
19.2 Configuring T1/E1 in the GUI
10RX supports ports to transmit and receive T1/E1 traffic. Each of these ports is separately configurable and may be divided up into multiple channels. The following sections describe the GUI screens used to configure T1/E1 ports and channels.
19.2.1 Configuring T1/E1 Ports
In the GUI go to the WAN Management: T1/E1 Port Manager: T1/E1 Port Configuration tab to configure T1/E1 ports, as illustrated in Figure 19-1.
Figure 19-1. T1/E1 Port Configuration Screen
In the T1/E1 Port Configuration screen define a profile for a specified T1/E1 port. Click Apply to save your specifications and make them effective.
Table 19-1. T1/E1 Port Configuration Fields
Parameter Description See Also
Select You must click a selection button before modifying a configuration.
Port The port and slot number combination identifying a T1/E1 port.
Section 19.1.1
Link Status An indicator (Up or Down) of the status of this link.
Admin State Display or set the administrative status (Up or Down) of this T1/E1 port.
Mode Display or set the mode of this port. Options are:
• T1 — specifies the North American T1 standard.
• E1 — specifies the European E1 standard.
Section 19.1.2
Clock Specify the clock source for this port. Options are:
• received — specifies external clocking.
• local — specifies internal clocking.
Section 19.1.3
Timeslot Specify the time slots to use with the T1 or E1 circuit. For specific channels use single slot numbers separated by commas or a range separated by a hyphen. Spaces are not allowed.
Section 19.1.5
Timeslot Bandwidth
Specify the data rate for this port. (E1 circuits normally use a value of 64kbps.)
• 56k — specifies a usable data rate of 56kbps.
• 64k — specifies a usable data rate of 64kbps.
Section 19.1.4
Frame Types Specify the frame types for the T1 or E1 circuit. The frame type is normally specified by the carrier.
For T1 mode the following values may be selected:
• ESF — specifies Extended Super Framing format, consisting of 24 consecutive 193 bit frames.
• D4 — specifies a framing format also known as SF (Super Frame), consisting of 12 consecutive 193 bit frames.
For E1 mode the following values may be selected:
• FAS — specifies Frame Alignment Signaling.
• CAS — specifies Channel Associated Signaling, a method that "robs" some bits of each frame to transmit synchronization information.
Section 19.1.6
Line Code Specify the line codes for the T1 or E1 circuit. Line codes are normally specified by the carrier.
For T1 mode the following values may be selected:
• AMI — specifies Alternate Mark Inversion line coding.
• B8ZS — specifies Bipolar With 8 Zero Substitution line coding.
For E1 mode the following values may be selected:
• AMI — specifies Alternate Mark Inversion line coding.
• HDB3 — specifies High Density Bipolar 3 line coding.
Section 19.1.7
Line Build Out Specify the line build out compensation for the T1 or E1 circuit. Line build out compensates for the loss based on distance from the device to the first repeater in the circuit. Options are:
• 0to133 - distance from 0 feet to 133 ft
• 133to266 - distance from 133 ft to 266 ft
• 266to399 - distance from 266 ft to 399 ft
• 399to533 - distance from 399 ft to 533 ft
• 533to655 - distance from 533 ft to 655 ft
• -7.5dB - a signal loss of 7.5dB
• -15dB - a signal loss of 15dB
• -22.5dB - a signal loss of 22.5dB
Section 19.1.8
Line Status Displays the status of this T1 or E1 line:
• ok – The line has link and is functioning properly.
• carrierLoss – No carrier signal detected.
• blueAlarm – Also known as Alarm Indication Signal (AIS) or an “all ones” alarm. This indicates a total absence of an incoming signal due to a disruption in the communications path.
• rxLos – The line is not synchronized to the received data stream.
• yellowAlarm – Also known as a Remote Alarm indication (RAI). This indicates that a remote interface is encountering a problem with a signal from this interface. This could result from an equipment problem or from incompatible configurations.
• redAlarm – The incoming signal is corrupted (wrong frame type or errors in framing).
• loopUp – The line is looping back received data.
19.2.2 Configuring T1/E1 Channel Settings
In the GUI go to the WAN Management: T1/E1 Port Manager: T1/E1 Channel Settings tab to configure T1/E1 channels, as illustrated in Figure 19-2.
Figure 19-2. T1/E1 Channel Settings Screen
In the T1/E1 Channel Settings screen use the upper dialog box to configure T1/E1 channels. Click Create to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured channels.
Table 19-2. T1/E1 Channel Settings Fields
Parameter Description See Also
Select You must click a selection button before modifying a configuration.
Port ID Select an available T1/E1 port. Section 19.1.10
Channel Number Specify a channel number to associate with the port identified in the Port ID field. Valid channel numbers are:
• For T1 interfaces — 1-24
• For E1 interfaces — 1-31
Section 19.1.10
Link Status An indicator (Up or Down) of the status of this link.
Admin State Display or set the administrative status (enabled or disabled) of this channel.
Timeslot Specify the time slots to use with this channel. Use single slot numbers separated by commas or a range separated by a hyphen. Spaces are not allowed.
Section 19.1.11
19.3 Displaying T1/E1 Interface Configuration Information
Use the show interface t1e1 command in the Exec Commands mode to view the configured values of a T1/E1 interface.
Command syntax:
show interface t1e1 slot/port
Where:
slot/port are valid slot and port designations for a configured T1/E1 port on this device.
Example:
Magnum 10RX# show interface t1e1 8/1
Figure 19-3 provides an example show command output.
Figure 19-3. show interface t1e1 Command Output
Mat1e1-8/1 is down, line protocol is down (not connected)
Mode: T1
TimeSlot B/W: 56k
TimeSlots: 1-24
Clock: received
Framing: ESF
Line Code: B8ZS
Line build out: 0to133
Line Status: carrier loss
Link up/down trap is enabled
0 input packets, 0 input octets
0 output packets, 0 output octets
0 rx overruns, 0 rx aborts
0 rx bad crc, 0 rx long frames
4230 rx short frames
Chapter 20 PPP
Point-to-Point Protocol (PPP) is a data link protocol commonly used to establish a direct connection between two networking nodes. It can provide authentication, encryption, and compression. It is used over many types of physical networks including serial cable, phone line, trunk line, cellular telephone, specialized radio links, or fiber optic links such as SONET. Most Internet service providers (ISPs) use PPP for customer access to the Internet or to private wide-area network services.
Multilink PPP (MLPPP) is a protocol that permits multiple PPP ports to be bundled to achieve a greater effective bandwidth than is available on a single port. MLPPP is configured by defining one or more multilink bundles and associating ports with each bundle. The bundle serves to encapsulate configuration data that is common to all PPP links that belong to that bundle. A bundle may contain physical links operating at different speeds, for example one T1/E1 line and two asynchronous lines.
Some commands documented in this chapter can be applied to both PPP and MLPPP. These commands are:
• ip address, see Section 20.1.9.
• authentication, see Section 20.1.3.
• sent-username, see Section 20.1.6.
• shutdown, see Section 20.1.15.
20.1 Configuring PPP in the CLI
The following sections describe the CLI commands used to configure PPP interfaces.
20.1.1 Specifying a PPP Interface
Use the interface ppp command in Global Configuration mode to specify configuration options for a PPP interface. This command brings up the PPP Interface Configuration mode signaled by the Magnum 10RX(config-ppp)# prompt and enables you to enter configuration commands for the specified PPP interface.
Command syntax:
interface ppp ifid
Where:
ifid is a numerical value in the range 1-16 specifying a PPP interface ID
Example:
Magnum 10RX(config)# interface ppp 5
Magnum 10RX(config-ppp)#
Valid range: 1-16
The no interface ppp ifid command deletes the PPP interface specified by ifid.
20.1.2 Configuring Link Control Protocol Interval
Use the lcp-echo-interval command in PPP Configuration mode to set the value for the interval between Link Control Protocol (LCP) keepalive exchanges. More frequent exchanges reduce the time to detect a down link but use more bandwidth.
Command syntax:
lcp-echo-interval lcp-int
Where:
lcp-int is a numerical value in the range 3-3600 specifying the interval in seconds between LCP exchanges.
Example:
Magnum 10RX(config-ppp)# lcp-echo-interval 600
This command specifies that LCP keepalive exchanges will occur every ten minutes.
Default: 30 seconds
Valid range: 3-3600 seconds
The no lcp-echo-interval command specifies the default.
20.1.3 Configuring PPP Authentication
Use the authentication command in PPP Configuration mode to specify the authentication protocol to use for this PPP interface.
Command syntax:
authentication {chap | pap}
Where:
chap specifies the Challenge Handshake Authentication Protocol (CHAP).
pap specifies the Password Authentication Protocol (PAP).
Example:
Magnum 10RX(config-ppp)# authentication chap
Default: no authentication
The no authentication command specifies the default.
20.1.4 Specifying PPP Compression
Use the compression command in PPP Configuration mode to specify the use of Van Jacobson TCP/IP header compression.
Command syntax:
compression vjc
Where:
vjc specifies Van Jacobson TCP/IP header compression (as described in RFC 1144).
Example:
Magnum 10RX(config-ppp)# compression vjc
Default: no TCP/IP header compression.
The no compression command specifies the default.
20.1.5 Specifying a Peer Username and Password
Use the username command in PPP Configuration mode to configure authentication (PAP or CHAP) credentials for a remote peer. The username and password specified must match those used by the peer.
Command syntax:
username user password pass
Where:
user specifies the username for the remote user or host.
pass specifies the cleartext password for the remote user, host, or Magnum 10RX.
Example:
Magnum 10RX(config-ppp)# username obelix password idefix
Valid Ranges:
user — 1-32 characters
pass — 1-32 characters
The no username command deletes configured peer CHAP or PAP credentials.
20.1.6 Specifying a Device Username and Password
Use the sent-username command in PPP Configuration mode to specify the name and password used by this device in PAP or CHAP authentication protocols.
Command syntax:
sent-username user password pass
Where:
user specifies the name used to authenticate this device to a remote peer.
pass specifies the password used to authenticate this device to a remote peer.
Example:
Magnum 10RX(config-ppp)# sent-username obelix password idefix
Valid Ranges:
user — 1-32 characters
pass — 1-32 characters
The no sent-username command deletes any configured device PAP or CHAP credentials.
20.1.7 Configuring Maximum Slot IDs
Use the max-slot-id command in PPP Configuration mode to configure the maximum number of slot IDs to be used when Van Jacobson TCP/IP compression is used.
Command syntax:
max-slot-id idval
Where:
idval specifies the maximum slot IDs to be used when Van Jacobson TCP/IP compression has been enabled.
Example:
Magnum 10RX(config-ppp)# max-slot-id 12
Default Value: 16
Valid Range: 2-16
The no max-slot-id command restores the default.
20.1.8 Enable Compression of Slot ID Field
Use the comp-slot-id command in PPP Configuration mode to enable or disable compression of the slot id field when Van Jacobson TCP/IP compression is used.
Command syntax:
comp-slot-id {enable|disable}
Example:
Magnum 10RX(config-ppp)# comp-slot-id enable
Default Value: compression of slot ID enabled
20.1.9 Specify IP Address of the PPP Interface
Use the ip address command in PPP Configuration mode to specify the IP address of the PPP interface. The netmask, which is not specified on the command line, is 255.255.255.255 by default.
Command syntax:
ip address ipadr
Where:
ipadr is a valid IPv4 address.
Example:
Magnum 10RX(config-ppp)# ip address 192.168.10.12
The no ip address command deletes a configured IP address.
20.1.10 Specify an MRU Value
Use the mru command in PPP Configuration mode to specify a Maximum Received Unit (MRU) value. The MRU defines the maximum size (in bytes) of the protocol data unit that will be received on an interface.
Command syntax:
mru mruval
Where:
mruval is a numerical value specifying the maximum size in bytes of a protocol data unit that can be received on the interface.
Example:
Magnum 10RX(config-ppp)# mru 1000
Default Value: 1500
Valid Range: 128-1500
The no mru command restores the default value.
20.1.11 Specify an MTU Value
Use the mtu command in PPP Configuration mode to specify a Maximum Transmission Unit (MTU) value. The MTU defines the maximum size (in bytes) of the protocol data unit that will be transmitted over the interface.
Command syntax:
mtu mtuval
Where:
mtuval is a numerical value specifying the maximum size in bytes of a protocol data unit that can be transmitted over the interface.
Example:
Magnum 10RX(config-ppp)# mtu 300
Default Value: 1500
Valid Range: 68-1500
20.1.12 Enable Compression of Address and Control Fields
Use the acfc command in PPP Configuration mode to enable Address and Control Field Compression (ACFC) of the PPP interface.
Command syntax:
acfc
Example:
Magnum 10RX(config-ppp)# acfc
Default Value: compression of address and control fields not enabled
The no acfc command disables acfc.
20.1.13 Enable Compression of Protocol Field
Use the pfc command in PPP Configuration mode to enable Protocol Field Compression (PFC) of the PPP interface.
Command syntax:
pfc
Example:
Magnum 10RX(config-ppp)# pfc
Default Value: compression of protocol field not enabled
The no pfc command disables pfc.
20.1.14 Enable Use of Magic Numbers
Use the magic-number command in PPP Configuration mode to enable use of magic numbers for transmitting PPP configuration/maintenance packets on the PPP interface. A magic number inserted in a packet can be used to detect loops if it reappears at its point of origin.
Command syntax:
magic-number
Example:
Magnum 10RX(config-ppp)# magic-number
Default Value: use of magic numbers is disabled
The no magic-number command disables the magic number feature.
20.1.15 Disable a PPP Interface
Use the shutdown command in PPP Configuration mode to disable a PPP interface. Use the no form of the command to enable the interface.
Command syntax:
shutdown
Example:
Magnum 10RX(config-ppp)# shutdown
Default Value: PPP interface is disabled
The no shutdown command enables the PPP interface.
20.1.16 Specify a Physical Port for PPP Interface
Use the layer command in PPP Configuration mode to assign the physical port for this PPP interface.
Command syntax:
layer t1e1 slot/port
Where:
slot/port specifies a valid slot and port on the device configured as a T1/E1 port. (Use the show interface command in the EXEC mode to discover properly configured interfaces.)
Example:
Magnum 10RX(config-ppp)# layer t1e1 8/1
The no layer command deletes the assignment of the physical port to this PPP interface. This then allows a different physical port to be layered/assigned.
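An audit of PPP interface settings against the defaults and valid ranges given in Sections 20.1.1 through 20.1.16 (no authentication by default, interfaces disabled by default, credentials of 1-32 characters, lcp-echo-interval 3-3600, max-slot-id 2-16, mru 128-1500, mtu 68-1500), as an added Python example that is not INOS code; it assumes a configuration listing made of `interface ppp N` blocks followed by this chapter's commands one per line, which is a constructed layout and not a documented INOS format, and the sample interfaces and credentials are constructed.

```python
"""Audit PPP interface settings against the ranges and defaults of Section 20.1.

Added example, not INOS code.  Assumed (constructed) input layout: one
`interface ppp N` block per interface, followed by the CLI commands from this
chapter one per line, with `no <cmd>` lines meaning the command is unset.
"""
import re
from typing import Dict, List, Optional

# "Valid Range" entries from Sections 20.1.2, 20.1.7, 20.1.10 and 20.1.11.
RANGES = {"lcp-echo-interval": (3, 3600), "max-slot-id": (2, 16),
          "mru": (128, 1500), "mtu": (68, 1500)}
_IFACE = re.compile(r"^interface ppp (\d+)$")
_CRED = re.compile(r"^(username|sent-username) (\S+) password (\S+)$")


def parse_ppp_config(text: str) -> Dict[int, Dict[str, str]]:
    """Group lines by PPP interface id, mapping each command to its argument.
    Credentials are stored as <cmd> and <cmd>-password; `no X` is stored as X -> "no"."""
    ifaces: Dict[int, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = _IFACE.match(line)
        if m:
            current = ifaces.setdefault(int(m.group(1)), {})
            continue
        if current is None:
            continue  # lines before the first interface block are ignored
        cred = _CRED.match(line)
        if cred:
            current[cred.group(1)] = cred.group(2)
            current[cred.group(1) + "-password"] = cred.group(3)
        elif line.startswith("no "):
            current[line[3:]] = "no"
        else:
            cmd, _, arg = line.partition(" ")
            current[cmd] = arg
    return ifaces


def audit_ppp(ifaces: Dict[int, Dict[str, str]]) -> List[str]:
    """Return findings as strings; an empty list means every interface passes."""
    findings: List[str] = []
    for ifid, cfg in sorted(ifaces.items()):
        tag = f"ppp {ifid}"
        if not 1 <= ifid <= 16:
            findings.append(f"{tag}: interface id outside the valid range 1-16")
        enabled = cfg.get("shutdown") == "no"      # default: interface disabled
        auth = cfg.get("authentication")           # default: no authentication
        if auth == "no":
            auth = None
        if enabled and auth is None:
            findings.append(f"{tag}: enabled with no authentication, the peer is never verified")
        elif auth == "pap":
            findings.append(f"{tag}: PAP transmits the password unencrypted; CHAP is the stronger option")
        if auth:
            for cmd in ("username", "sent-username"):  # peer and device credentials
                if cmd not in cfg:
                    findings.append(f"{tag}: {auth} configured but no {cmd} set")
            for key in ("username", "username-password",
                        "sent-username", "sent-username-password"):
                if key in cfg and not 1 <= len(cfg[key]) <= 32:
                    findings.append(f"{tag}: {key} must be 1-32 characters")
        if enabled and "layer" not in cfg:
            findings.append(f"{tag}: enabled but no physical port layered under it")
        for cmd, (lo, hi) in RANGES.items():
            if cmd in cfg and cfg[cmd] != "no":
                try:
                    value = int(cfg[cmd])
                except ValueError:
                    findings.append(f"{tag}: {cmd} {cfg[cmd]!r} is not numeric")
                    continue
                if not lo <= value <= hi:
                    findings.append(f"{tag}: {cmd} {value} outside the valid range {lo}-{hi}")
    return findings


# Constructed configuration listing (interface ids, names and passwords are made up).
SAMPLE_CONFIG = """\
interface ppp 5
 authentication chap
 sent-username obelix password idefix
 username asterix password getafix
 lcp-echo-interval 600
 layer t1e1 8/1
 no shutdown
interface ppp 6
 authentication pap
 sent-username r1 password r1secret
 mtu 64
 layer t1e1 8/2
 no shutdown
interface ppp 7
 ip address 192.168.10.12
 layer t1e1 9/1
 no shutdown
"""

if __name__ == "__main__":
    for finding in audit_ppp(parse_ppp_config(SAMPLE_CONFIG)):
        print(finding)
```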
20.2 Configuring PPP in the GUI
The following sections describe the GUI screens used to configure PPP interfaces.
20.2.1 Configuring PPP Interfaces
In the GUI go to the WAN Management: PPP: PPP Interfaces tab to configure PPP interfaces on the device, as illustrated in Figure 20-1.
Figure 20-1. Point-to-Point Protocol Interfaces Screen
In the Point-to-Point Protocol Interfaces screen use the upper dialog box to define the properties of a PPP interface. Click the Create button to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured PPP interfaces.
Table 20-1. Point-to-Point Protocol Interface Fields
Parameter Description See Also
Select You must click a selection button before modifying a configuration.
PPP Interface A numerical value identifying this PPP interface.
Valid range: 1-16
Section 20.1.1
Link Status An indicator (Up or Down) for the physical status of this link.
Lower Level Interface
Identifies the physical interface under configuration. Section 20.1.16
Higher Level Interface
Identifies the higher-level interface (if any) stacked over a PPP interface.
Admin State An indicator (Up or Down) for the administrative status of this interface.
Local IP Address IP address of the interface being configured.
LCP Echo Interval Specify the value for the interval between Link Control Protocol (LCP) keepalive exchanges.
Default value: 30 seconds
Valid range: 3-3600 seconds
Section 20.1.2
Authentication Specify the authentication protocol to use for this PPP interface. Options are:
• none
• CHAP — the Challenge Handshake Authentication Protocol.
• PAP — the Password Authentication Protocol.
Note: the next four fields are displayed and editable if PAP or CHAP is selected.
Section 20.1.3
Local User Name For authentication purposes specify a string of up to 32 characters as a local user name.
Section 20.1.6
Local User Password
For authentication purposes specify a string of up to 32 characters as a local user password.
Section 20.1.6
Remote User Name
For authentication purposes specify a string of up to 32 characters as a remote user name.
Section 20.1.5
Remote User Password
For authentication purposes specify a string of up to 32 characters as a remote user password.
Section 20.1.5
20.2.2 Configuring PPP Options
In the GUI go to the WAN Management: PPP: PPP Options tab to specify PPP options, as illustrated in Figure 20-2.
Figure 20-2. PPP Options Screen
In the PPP options screen specify options for a selected PPP interface. Click Apply for your specifications to take effect.
Table 20-2. PPP Options Fields
Parameter Description See Also
Select You must click a selection button before modifying a configuration.
PPP Interface The identifier for the PPP interface selected.
Compression Optionally specify Van Jacobson TCP/IP header compression.
Section 20.1.4
Maximum Slot ID Specify the maximum number of slot IDs to be used when Van Jacobson TCP/IP compression has been specified.
Default Value: 16
Valid Range: 2-16
Section 20.1.7
Compression Slot ID
Enable or disable compression of the slot id field when Van Jacobson TCP/IP compression is used.
Section 20.1.8
Maximum Receive Unit
Specify a Maximum Received Unit (MRU) value. The MRU defines the maximum size (in bytes) of the protocol data unit that will be received on an interface.
Default Value: 1500
Valid Range: 128-1500
Section 20.1.10
Maximum Transmission Unit
Specify a Maximum Transmission Unit (MTU) value. The MTU defines the maximum size (in bytes) of the protocol data unit that will be transmitted over the interface.
Default Value: 1500
Valid Range: 68-1500
Section 20.1.11
Address and Control Field Compression
Enable or disable Address and Control Field Compression (ACFC) of the PPP interface.
Section 20.1.12
Protocol Field Compression
Enable or disable Protocol Field Compression (PFC) of the PPP interface.
Section 20.1.13
Magic Number Enable or disable use of magic numbers for transmitting PPP configuration/maintenance packets on the PPP interface. A magic number inserted in a packet can be used to detect loops if it reappears at its point of origin.
Section 20.1.14
Policy Name Specify a name for the policy that comprises these specifications.
20.3 Configuring MLPPP in the CLI
The following sections describe the CLI commands used to configure MLPPP interfaces.
The following commands documented in the PPP configuration section of this chapter can also be executed at the Magnum 10RX(config-mlppp) prompt:
• ip address, see Section 20.1.9.
• authentication, see Section 20.1.3.
• sent-username, see Section 20.1.6.
• shutdown, see Section 20.1.15.
20.3.1 Specifying an MLPPP Interface
Use the interface mlppp command in Global Configuration mode to specify configuration options for an MLPPP interface. This command brings up the MLPPP Interface Configuration mode signaled by the Magnum 10RX(config-mlppp)# prompt and enables you to enter configuration commands for the specified MLPPP interface.
Command syntax:
interface mlppp ifid
Where:
ifid is a numerical value in the range 1-16 specifying an MLPPP interface ID
Example:
Magnum 10RX(config)# interface mlppp 5
Magnum 10RX(config-mlppp)#
Valid range: 1-16
The no interface mlppp ifid command deletes the MLPPP interface specified by ifid.
20.3.2 Specify an MRRU Value
Use the mrru command in MLPPP Configuration mode to specify a Maximum Reconstructed Received Unit (MRRU) value. The MRRU defines the maximum size (in bytes) of the reassembled packets that will be received on an interface.
Command syntax:
mrru mrruval
Where:
mrruval is a numerical value specifying the maximum size in bytes of a protocol data unit that can be received on the interface.
Example:
Magnum 10RX(config-mlppp)# mrru 1000
Default Value: 1500
Valid Range: 128-1500
The no mrru command restores the default value.
20.3.3 Assembling MLPPP Bundles
Use the layer ppp command in MLPPP Configuration mode to add a PPP interface to an MLPPP bundle; that is, to layer it below the MLPPP interface under configuration.
Command syntax:
layer ppp pppid
Where:
pppid is the identifier of a configured PPP interface.
Example:
Magnum 10RX(config-mlppp)# layer ppp 9
The no layer ppp pppid command removes the PPP interface specified by pppid from the bundle.
20.4 Configuring MLPPP in the GUI
The following sections describe the GUI screens used to configure MLPPP interfaces.
20.4.1 Configuring MLPPP Interfaces
In the GUI go to the WAN Management: MLPPP: MLPPP Interfaces tab to configure MLPPP interfaces on the device, as illustrated in Figure 20-3.
Figure 20-3. Multilink Point-to-Point Protocol Interfaces Screen
In the Multilink Point-to-Point Protocol Interfaces screen use the upper dialog box to define the properties of an MLPPP interface. Click the Create button to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured MLPPP interfaces.
Table 20-3. Point-to-Point Protocol Interface Fields
Select: You must click a selection button before modifying a configuration.
PPP Interface: A numerical value identifying this MLPPP interface. Valid range: 1-16. See Section 20.1.1.
Link Status: An indicator (Up or Down) for the physical status of this link.
Admin State: An indicator (Up or Down) for the administrative status of this interface.
Local IP Address: IP address of the interface being configured.
Authentication: Specify the authentication protocol to use for this PPP interface. Options are:
• none
• CHAP — the Challenge Handshake Authentication Protocol.
• PAP — the Password Authentication Protocol.
Note: the next four fields are displayed and editable if PAP or CHAP is selected. See Section 20.1.3.
Local User Name: For authentication purposes specify a string of up to 32 characters as a local user name. See Section 20.1.6.
Local User Password: For authentication purposes specify a string of up to 32 characters as a local user password. See Section 20.1.6.
Remote User Name: For authentication purposes specify a string of up to 32 characters as a remote user name. See Section 20.1.5.
Remote User Password: For authentication purposes specify a string of up to 32 characters as a remote user password. See Section 20.1.5.
20.4.2 Configuring MLPPP Interface Stacking
In the GUI go to the WAN Management: MLPPP: MLPPP Interfaces tab to configure PPP interfaces on the device, as illustrated in Figure 20-4.
Figure 20-4. Multilink Point-to-Point Protocol Interface Stacking Screen
In the Multilink Point-to-Point interface stacking screen use the upper dialog box to specify a configured PPP interface to be included in an MLPPP grouped interface. Click the Add button to save your specification and display it in the lower dialog box. Use the lower dialog box to delete configured MLPPP associations.
Table 20-4. Point-to-Point Protocol Interface Stacking Fields
Select: You must click a selection button before modifying a configuration.
MLPPP Interface: A numerical value identifying this MLPPP interface. Valid range: 1-16. See Section 20.3.3.
PPP Interface: A numerical value specifying a configured PPP interface. See Section 20.3.3.
20.4.3 Configuring MLPPP Options
In the GUI go to the WAN Management: MLPPP: MLPPP Options tab to specify MLPPP options, as illustrated in Figure 20-5.
Figure 20-5. MLPPP Options Screen
In the MLPPP options screen specify options for a selected MLPPP interface. Click Apply for your specifications to take effect.
Table 20-5. MLPPP Options Fields
Select: You must click a selection button before modifying a configuration.
MLPPP Interface: The identifier for the MLPPP interface selected.
Compression: Optionally specify Van Jacobson TCP/IP header compression. See Section 20.1.4.
Maximum Slot ID: Specify the maximum number of slot IDs to be used when Van Jacobson TCP/IP compression has been specified. Default value: 16. Valid range: 2-16. See Section 20.1.7.
Compression Slot ID: Enable or disable compression of the slot ID field when Van Jacobson TCP/IP compression is used. See Section 20.1.8.
MRRU: Specify a Maximum Received Reconstructed Unit (MRRU) value. The MRRU defines the maximum size (in bytes) of the protocol data unit that will be received on an interface. Default value: 1500. Valid range: 128-1500. See Section 20.1.10.
Maximum Transmission Unit: Specify a Maximum Transmission Unit (MTU) value. The MTU defines the maximum size (in bytes) of the protocol data unit that will be transmitted over the interface. Default value: 1500. Valid range: 68-1500. See Section 20.1.11.
Short-seq-header-format: Enable or disable abbreviated headers.
Policy Name: Specify a name for the policy that comprises these specifications.
Chapter 21 Frame Relay
The 10RX supports the creation and management of Frame Relay Permanent Virtual Circuits (PVCs) as well as the encapsulation of IP and serial data packets over these circuits.
21.1 Configuring Frame Relay in the CLI
The Frame Relay service is layered on top of a physical WAN interface. The physical WAN interfaces can be either a fractional T1/E1 interface or an individual channel on a channelized T1/E1 interface.
For example, to create a Frame Relay interface with instance number 1 that runs directly over T1/E1 interface 4/1 and enable it, execute the following commands:
Magnum 10RX(config)# interface frame-relay 1
Magnum 10RX(config-fr)# layer t1e1 4/1
Figure 21-1. Configuring an FR interface to run directly over a T1/E1 interface
To create a Frame Relay interface with instance number 2 that runs over T1/E1 channel 5 on interface 6/2 and enable it:
Magnum 10RX(config)# interface frame-relay 2
Magnum 10RX(config-fr)# layer t1e1 6/2 chan 5
Magnum 10RX(config-fr)# no shutdown
Figure 21-2. Configuring FR to run over a channelized interface
The following subsections detail the commands used to accomplish these tasks.
21.1.0.1 Specifying a Frame Relay Interface
Use the interface frame-relay command in Global Configuration mode to configure a Frame Relay interface and to enter the Frame Relay Interface Configuration mode, signified by the Magnum 10RX(config-fr)# prompt. If the specified Frame Relay interface does not exist it will be created.
Command syntax:
interface frame-relay frid
Where:
frid is a numerical value in the range 1-192 specifying a Frame Relay interface ID.
Example:
Magnum 10RX(config)# interface frame-relay 1
Magnum 10RX(config-fr)#
Valid range: 1-192
The no interface frame-relay frid command deletes the Frame Relay interface specified by frid.
21.1.0.2 Configuring the Lower Layer for a Frame Relay Interface
Use the layer t1e1 command in Frame Relay Interface Configuration mode to configure the lower layer (physical) interface for this Frame Relay interface. (For the use of the layer command with a specific PVC see Section 21.1.2.2.)
Command syntax:
layer t1e1 ifid [chan channum]
Where:
ifid specifies the slot and port number of the T1/E1 port.
channum, an optional parameter, specifies the channel number designator corresponding to the channelized T1/E1 interface.
Example:
Magnum 10RX(config-fr)# layer t1e1 6/2 chan 5
The no layer command unstacks the interfaces.
21.1.0.3 Enabling a Frame Relay Interface with the No Shutdown Command
Use the no shutdown command in Frame Relay Configuration mode to enable a configured Frame Relay interface.
Command syntax
no shutdown
Example:
Magnum 10RX(config-fr)# no shutdown
Note: This command has significance in the context of configuration of a specific interface as illustrated in Figure 21-2.
Default value: port is disabled
The shutdown command disables the port.
21.1.1 Configuring LMI
The Local Management Interface protocol is a signaling standard used between routers and Frame Relay switches. Each Frame Relay interface has the ability to run the Local Management Interface (LMI) protocol to determine the status of its Permanent Virtual Circuits (PVCs). To run LMI you must choose the appropriate LMI type and mode based on your specific network requirements. Your service provider will generally specify which LMI type and mode you should use.
21.1.1.1 Configuring LMI Type
Use the lmi type command in Frame Relay Interface Configuration mode to specify the LMI standard to which the interface should conform.
Command syntax:
lmi type {lmi | ccitt | ansi}
Where:
lmi specifies Cisco (aka, Gang of Four) LMI type.
ccitt specifies ITU-T Q.933 Annex A LMI type.
ansi specifies Annex D LMI type defined by ANSI standard T1.617.
Example:
Magnum 10RX(config-fr)# lmi type ccitt
Default value: LMI disabled
The no lmi type command specifies the default.
21.1.1.2 Configuring LMI Mode
Use the lmi mode command in Frame Relay Interface Configuration mode to specify whether the interface should implement the user part or the network part of the LMI protocol.
When connecting to a service provider network you should choose user mode. When connecting two 10RX routers together directly choose user mode on one side and network mode on the other side.
Command syntax:
lmi mode {user | network}
Where:
user specifies that this interface will implement the user part of the LMI protocol.
network specifies that this interface will implement the network part of the LMI protocol.
NOTE: On other products user mode is often referred to as "DTE" and network mode is referred to as "DCE".
Example:
Magnum 10RX(config-fr)# lmi mode user
Default value: user
The no lmi mode command specifies the default.
21.1.2 Configuring PVCs
Each Frame Relay interface supports the configuration of multiple permanent virtual circuits (PVCs). Each PVC creates a bidirectional communication path through the Frame Relay network from one end point to another. A Data Link Connection Identifier (DLCI) is assigned to each PVC. The DLCI only has local significance on a Frame Relay interface and can be re-used on each separate Frame Relay interface. Your service provider will generally specify which DLCI to use for a particular PVC.
Create a PVC in the following steps:
1. Specify a new Frame Relay PVC interface with the interface fr-pvc command in Global Configuration mode.
2. Configure the physical interface with the layer command in Frame Relay PVC Configuration mode.
3. Configure DLCI with the dlci command in Frame Relay PVC Configuration mode.
4. Enable the PVC with the no shutdown command in Frame Relay PVC Configuration mode.
For example, to create PVC instance 1, layer it on top of Frame Relay interface 1 and assign DLCI 105, execute the following commands:
Magnum 10RX(config)# interface fr-pvc 1
Magnum 10RX(config-fr-pvc)# layer frame-relay 1
Magnum 10RX(config-fr-pvc)# dlci 105
Magnum 10RX(config-fr-pvc)# no shutdown
Figure 21-3. Configuring a PVC
The following subsections detail the commands used to accomplish this task.
21.1.2.1 Specifying a Frame Relay PVC Interface
Use the interface fr-pvc command in Global Configuration mode to specify a Frame Relay PVC interface and to enter the Frame Relay PVC Interface Configuration mode, signified by the Magnum 10RX(config-fr-pvc)# prompt. If the specified Frame Relay PVC interface does not exist it will be created.
Command syntax:
interface fr-pvc pvcid
Where:
pvcid is a numerical value in the range 1-2048 specifying a Frame Relay PVC interface ID.
Example:
Magnum 10RX(config)# interface fr-pvc 25
Magnum 10RX(config-fr-pvc)#
Valid range: 1-2048
The no interface fr-pvc pvcid command deletes the Frame Relay PVC interface specified by pvcid.
21.1.2.2 Configuring the Lower Layer for a PVC
Use the layer frame-relay command in Frame Relay PVC interface Configuration mode to configure the lower layer (physical) interface for this PVC. (For the use of the layer command with a Frame Relay interface see Section 21.1.0.2.)
Command syntax:
layer frame-relay ifid
Where:
ifid specifies the interface identifier of the underlying Frame Relay interface.
Example:
Magnum 10RX(config-fr-pvc)# layer frame-relay 1
Note: This command has significance in the context of configuration of a specific PVC as illustrated in Figure 21-3.
The no layer command unstacks the interfaces.
21.1.2.3 Specifying the DLCI for a PVC
Use the dlci command in Frame Relay PVC interface Configuration mode to specify a DLCI for this PVC.
Command syntax:
dlci dlcival
Where:
dlcival is a numerical value in the range of 1-1022 specifying a DLCI for this PVC.
Example:
Magnum 10RX(config-fr-pvc)# dlci 105
Note: This command has significance in the context of configuration of a specific PVC as illustrated in Figure 21-3.
21.1.2.4 Enabling a PVC with the No Shutdown Command
Use the no shutdown command in Frame Relay PVC Configuration mode to enable a configured Frame Relay PVC.
Command syntax
no shutdown
Example:
Magnum 10RX(config-fr-pvc)# no shutdown
Note: This command has significance in the context of configuration of a specific interface as illustrated in Figure 21-3.
Default value: PVC is disabled
The shutdown command disables the PVC.
21.1.3 Configuring IP Encapsulation
A Frame Relay PVC can be used like a point-to-point IP link. IP packets are encapsulated by Frame Relay using the techniques outlined in RFC 1490. Configure IP encapsulation by specifying the IP addresses of the current device and a peer device.
For example, to configure a frame relay PVC instance 3, layer it on top of the physical WAN interface T1/E1 6/1, assign DLCI 105, and configure and enable it for RFC 1490 IP encapsulation, execute the following commands:
Magnum 10RX(config)# interface fr-pvc 3
Magnum 10RX(config-fr-pvc)# layer t1e1 6/1
Magnum 10RX(config-fr-pvc)# dlci 105
Magnum 10RX(config-fr-pvc)# ip address 192.168.90.1
Magnum 10RX(config-fr-pvc)# peer ip address 192.168.90.2
Magnum 10RX(config-fr-pvc)# no shutdown
Figure 21-4. Configuring IP encapsulation
NOTE: The no shutdown command will return an error if either the local or remote IP addresses or the serial-over-FR parameters are not configured.
After a frame relay PVC is configured for RFC 1490 IP encapsulation the PVC becomes a full IP interface. You may specify it as the next hop in a static route or run dynamic routing protocols across the PVC interface. You can also use the show ip interface command to see the IP interface status of the PVC.
21.1.3.1 Specifying the Local IP Address for IP Encapsulation
Use the ip address command in Frame Relay PVC configuration mode to specify the IP address of the current device.
Command syntax:
ip address ipaddr
Where:
ipaddr is a valid IP address for the current device.
Example:
Magnum 10RX(config-fr-pvc)# ip address 192.168.90.1
The no ip address command deletes an address configured for the current device.
21.1.3.2 Specifying the Peer IP Address for IP Encapsulation
Use the peer ip address command in Frame Relay PVC configuration mode to specify the IP address of the peer device.
Command syntax:
peer ip address ipaddr
Where:
ipaddr is a valid IP address for the peer device.
Example:
Magnum 10RX(config-fr-pvc)# peer ip address 192.168.90.2
The no peer ip address command deletes an address configured for a peer device.
21.1.4 Configuring Serial Encapsulation
A Frame Relay PVC can be used to carry asynchronous serial data. This feature is typically used to extend the reach of SCADA protocols using a WAN infrastructure.
Use the serial-fr serial command in Frame Relay PVC configuration mode to specify the slot number and port number of an interface.
Command syntax:
serial-fr serial ifid [padding]
Where:
ifid specifies the slot and port number of the interface.
padding, an optional parameter, specifies that a 3-byte offset is created within each packet between the frame relay header and the payload. This is for compatibility with Dynastar router products.
NOTE: If the ip address and/or peer ip address command has previously been executed for this PVC this command will fail. In such a case issue the no ip address and/or no peer ip address command before executing the serial-fr serial command.
Example:
Magnum 10RX(config-fr-pvc)# serial-fr serial 10/1
Default value: No serial to Frame Relay channel is enabled.
The no serial-fr command specifies the default.
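The rules stated in Sections 21.1.2 through 21.1.4 (the numeric ranges, the failure of serial-fr serial while ip address or peer ip address is set, and the no shutdown prerequisite of either both IP addresses or the serial-over-FR parameters) can be checked against a captured configuration session before it is pushed to a router. The Python script below is an added example written for this guide, not INOS or Belden code. It recognizes only the prompt format and command spellings shown in this chapter, and the transcript it audits is constructed: PVC 3 follows the pattern of Figure 21-4, PVC 4 breaks three of the documented rules.

```python
"""Added example (not INOS/Belden code): audit a Frame Relay PVC CLI transcript
against the ranges and ordering rules stated in Sections 21.1.2 to 21.1.4."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Documented value ranges from the Chapter 21 CLI sections.
RANGES = {
    "frame-relay": (1, 192),   # interface frame-relay frid / layer frame-relay ifid
    "fr-pvc": (1, 2048),       # interface fr-pvc pvcid
    "dlci": (1, 1022),         # dlci dlcival
    "cir": (1, 2048),          # cir cirval, in Kbps
    "priority": (0, 5),        # priority priorval
}

PROMPT_RE = re.compile(r"^Magnum 10RX\((?P<mode>[^)]+)\)#\s*(?P<cmd>.*)$")


@dataclass
class Pvc:
    pvcid: int
    lower: Optional[str] = None
    dlci: Optional[int] = None
    ip: Optional[str] = None
    peer_ip: Optional[str] = None
    serial: Optional[str] = None
    enabled: bool = False
    findings: List[str] = field(default_factory=list)


def _check_range(name: str, value: int, findings: List[str]) -> None:
    lo, hi = RANGES[name]
    if not lo <= value <= hi:
        findings.append(f"{name} {value} is outside the documented range {lo}-{hi}")


def audit(transcript: str) -> Dict[int, Pvc]:
    """Replay the transcript and return the PVC table with any findings."""
    pvcs: Dict[int, Pvc] = {}
    pvc: Optional[Pvc] = None
    for raw in transcript.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m or not m.group("cmd").strip():
            continue
        words = m.group("cmd").split()
        cmd = " ".join(words)
        if m.group("mode") == "config" and cmd.startswith("interface fr-pvc "):
            pvcid = int(words[2])
            pvc = pvcs.setdefault(pvcid, Pvc(pvcid))
            _check_range("fr-pvc", pvcid, pvc.findings)
            continue
        if m.group("mode") != "config-fr-pvc" or pvc is None:
            continue  # only Frame Relay PVC configuration mode is audited here
        if cmd.startswith("layer frame-relay "):
            pvc.lower = cmd[len("layer "):]
            _check_range("frame-relay", int(words[2]), pvc.findings)
        elif words[0] == "layer":
            pvc.lower = cmd[len("layer "):]          # e.g. "t1e1 6/1"
        elif words[0] == "dlci":
            pvc.dlci = int(words[1])
            _check_range("dlci", pvc.dlci, pvc.findings)
        elif words[0] in ("cir", "priority"):
            _check_range(words[0], int(words[1]), pvc.findings)
        elif cmd.startswith("ip address "):
            pvc.ip = words[2]
        elif cmd.startswith("peer ip address "):
            pvc.peer_ip = words[3]
        elif cmd.startswith("serial-fr serial "):
            # Section 21.1.4 NOTE: the command fails while ip address / peer ip address are set.
            if pvc.ip is not None or pvc.peer_ip is not None:
                pvc.findings.append("serial-fr serial fails: issue no ip address / "
                                    "no peer ip address first")
            else:
                pvc.serial = words[2]
        elif cmd == "no ip address":
            pvc.ip = None
        elif cmd == "no peer ip address":
            pvc.peer_ip = None
        elif cmd == "no serial-fr":
            pvc.serial = None
        elif cmd == "no shutdown":
            # Section 21.1.3 NOTE: needs both IP addresses or the serial-over-FR parameters.
            if (pvc.ip is not None and pvc.peer_ip is not None) or pvc.serial is not None:
                pvc.enabled = True
            else:
                pvc.findings.append("no shutdown returns an error: configure both IP "
                                    "addresses or serial-fr first")
        elif cmd == "shutdown":
            pvc.enabled = False
    return pvcs


# Constructed transcript for this example (not a capture from a real device).
SAMPLE_TRANSCRIPT = """\
Magnum 10RX(config)# interface fr-pvc 3
Magnum 10RX(config-fr-pvc)# layer frame-relay 1
Magnum 10RX(config-fr-pvc)# dlci 105
Magnum 10RX(config-fr-pvc)# ip address 192.168.90.1
Magnum 10RX(config-fr-pvc)# peer ip address 192.168.90.2
Magnum 10RX(config-fr-pvc)# no shutdown
Magnum 10RX(config)# interface fr-pvc 4
Magnum 10RX(config-fr-pvc)# layer frame-relay 1
Magnum 10RX(config-fr-pvc)# dlci 1030
Magnum 10RX(config-fr-pvc)# ip address 10.0.0.1
Magnum 10RX(config-fr-pvc)# serial-fr serial 10/1
Magnum 10RX(config-fr-pvc)# no shutdown
"""

if __name__ == "__main__":
    for pvcid, p in sorted(audit(SAMPLE_TRANSCRIPT).items()):
        state = "enabled" if p.enabled else "disabled"
        print(f"fr-pvc {pvcid}: {state}, lower={p.lower}, dlci={p.dlci}")
        for f in p.findings:
            print(f"  finding: {f}")
```

Run against the constructed transcript, PVC 3 comes up clean and PVC 4 is reported disabled with three findings: the DLCI is out of range, the serial-fr serial command is rejected because an IP address was already configured, and no shutdown fails because neither a complete IP address pair nor the serial parameters are in place.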
21.1.5 Configuring Terminal Server Extension
A Frame Relay PVC can also be used to extend a typical serial terminal server connection to a remote serial port over a WAN. On one side of the network, a terminal server TCP connection is made and that connection is mapped to a Frame Relay PVC. On the other side of the network, that PVC is mapped directly to an async serial port. Data received on the local TCP connection is transmitted on the remote serial port and data received on the remote serial port is sent on the local TCP connection.
Note: This feature is called IP-FR/FR-IP on Dynastar products.
To enable this application, create a new serial-channel but instead of mapping the channel to a local serial port, use the fr-pvc command in Terminal Server Configuration mode to map the channel to a configured Frame Relay PVC.
The following example illustrates the creation of a new terminal server channel that listens on TCP port 10201 with its connections mapped to Frame Relay PVC 3:
Magnum 10RX(config)# serial-channel 1
Magnum 10RX(config-ts)# local-tcp 10201
Magnum 10RX(config-ts)# fr-pvc 3
Figure 21-5. Configuring Terminal Server Extension
For more on Terminal Server configuration see Chapter 23.
• For details on the use of the local-tcp command see Section 23.2.8.
• For details on the use of the fr-pvc command see Section 23.2.3.
21.1.6 Configuring End-to-End Keepalive on a PVC
Frame relay End-to-End Keepalive (EEK) is a mechanism for determining the health of a PVC on an end-to-end basis. In contrast to LMI, EEK does not require any special processing or knowledge from the Frame Relay network, since in-band keepalive messages (KAs) are exchanged between the two PVC end points.
An EEK end point sends periodic KA requests to the remote end of a PVC and the remote end point sends back KAs in reply. If a KA reply is received within a certain amount of time, it is considered a "success event." If a KA reply is not received within a certain period of time, it is considered an "error event." If the number of error events within a sliding event window exceeds the error threshold the PVC transitions to the down state. If the number of consecutive success events exceeds the success threshold the PVC transitions to the up state.
Alternatively, an EEK end point may operate in reply-only mode. In this mode the end point sends KA replies in response to KA requests but does not send KA requests of its own. In this mode the end point expects to receive periodic KA requests from the other side. Each KA request received is considered a "success event." If a KA request is not received within the expected time frame an "error event" is recorded. If the number of error events within a sliding event window exceeds the error threshold the PVC transitions to the down state. If the number of consecutive success events exceeds the success threshold the PVC transitions to the up state.
To enable EEK and configure its parameters use the eek mode command in Frame Relay PVC Configuration mode. The parameters described in this section are configurable per-PVC. There are other parameters that are configurable per-Frame Relay interface. These are described in subsequent sections.
Command syntax:
eek mode {bidirectional | request | reply | passive-reply}
Where:
bidirectional specifies that the device sends periodic KA requests and that it replies to KA requests that it receives. EEK events are based on received KA replies.
request specifies that the device sends periodic KA requests but does not reply to KA requests. EEK events are based on received KA replies.
reply specifies that the device does not send periodic KA requests but does reply to KA requests. EEK events are based on received KA requests.
passive-reply specifies that the device does not send periodic KA requests but does reply to KA requests. In this mode, the local state of the PVC is not determined by EEK.
Example:
Magnum 10RX(config-fr-pvc)# eek mode request
Default value: By default EEK is not enabled.
The no eek mode command disables EEK.
21.1.6.1 Configuring the EEK Poll Timer on a Frame Relay Interface
Use the eek poll-timer command in Frame Relay Interface Configuration mode to configure the number of seconds between KA request transmissions. If a KA reply is not received before the expiration of the polling interval an error event is declared.
Command syntax:
eek poll-timer interval
Where:
interval is a numerical value in the range 1-255 specifying the number of seconds to elapse between keepalive requests.
Example:
Magnum 10RX(config-fr)# eek poll-timer 30
Default value: 10
Valid range: 1-255
The no eek poll-timer command restores the default.
21.1.6.2 Configuring the EEK Response Timer on a Frame Relay Interface
Use the eek response-timer command in Frame Relay Interface Configuration mode to configure the number of seconds to wait for a new KA request before declaring a new error event. This timer is only relevant when EEK is in bidirectional or reply mode.
Command syntax:
eek response-timer interval
Where:
interval is a numerical value in the range 1-255 specifying the number of seconds to elapse after a received keepalive request before declaring an error event.
Example:
Magnum 10RX(config-fr)# eek response-timer 45
Default value: 15
Valid range: 1-255
The no eek response-timer command restores the default.
21.1.6.3 Configuring the EEK Event Window on a Frame Relay Interface
Use the eek event-window command in Frame Relay Interface Configuration mode to configure the number of recent events to track.
Command syntax:
eek event-window windowval
Where:
windowval is a numerical value in the range 1-32 specifying the number of recent events to check for errors.
Example:
Magnum 10RX(config-fr)# eek event-window 5
Default value: 3
Valid range: 1-32
The no eek event-window command restores the default.
21.1.6.4 Configuring the EEK Error Threshold on a Frame Relay Interface
Use the eek error-threshold command in Frame Relay Interface Configuration mode to configure the number of error events that must be in the event window before declaring the PVC to be down.
Command syntax:
eek error-threshold interval
Where:
interval is a numerical value in the range 1-32 specifying the number of errors needed to change the keepalive state from up to down.
Example:
Magnum 10RX(config-fr)# eek error-threshold 5
Default value: 2
Valid range: 1-32
The no eek error-threshold command restores the default.
21.1.6.5 Configuring the EEK Success Events on a Frame Relay Interface
Use the eek success-events command in Frame Relay Interface Configuration mode to configure the number of consecutive success events that must be generated before declaring the PVC to be up.
Command syntax:
eek success-events successes
Where:
successes is a numerical value in the range 1-32 specifying the number of consecutive success events required to change the keepalive state from down to up.
Example:
Magnum 10RX(config-fr)# eek success-events 10
Default value: 2
Valid range: 1-32
The no eek success-events command restores the default.
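To see how the per-PVC eek mode of Section 21.1.6 and the per-interface event window, error threshold and success events of Sections 21.1.6.3 to 21.1.6.5 combine, the following Python model replays a sequence of keepalive outcomes through the sliding window. It is an added example written for this guide, not INOS or Belden code. It assumes one event per poll interval, reads the overview's "exceeds the error threshold" as "reaches the documented count" (matching the per-parameter wording), and leaves the state untouched in passive-reply mode as the page states; the event sequences are constructed.

```python
"""Added example (not INOS/Belden code): replay keepalive outcomes through the
EEK up/down state machine described in Section 21.1.6."""
from collections import deque
from typing import List, Optional, Tuple

MODES = ("bidirectional", "request", "reply", "passive-reply")


class EekPvc:
    """Per-PVC EEK state. Each observe() call is one event: in bidirectional and
    request mode the event is whether a KA reply arrived before the poll timer
    expired; in reply mode, whether a KA request arrived before the response
    timer expired. Parameter ranges are the documented 1-32."""

    def __init__(self, mode: str = "bidirectional", event_window: int = 3,
                 error_threshold: int = 2, success_events: int = 2,
                 initially_up: bool = True) -> None:
        if mode not in MODES:
            raise ValueError(f"unknown eek mode {mode!r}")
        for name, value in (("event-window", event_window),
                            ("error-threshold", error_threshold),
                            ("success-events", success_events)):
            if not 1 <= value <= 32:
                raise ValueError(f"eek {name} {value} outside 1-32")
        self.mode = mode
        self.window: deque = deque(maxlen=event_window)  # sliding window of recent events
        self.error_threshold = error_threshold
        self.success_events = success_events
        self.consecutive_successes = 0
        self.up = initially_up
        self.transitions: List[Tuple[int, str]] = []    # (event index, "up" or "down")

    def observe(self, index: int, success: bool) -> bool:
        if self.mode == "passive-reply":
            return self.up   # Section 21.1.6: local PVC state is not determined by EEK
        self.window.append(success)
        self.consecutive_successes = self.consecutive_successes + 1 if success else 0
        errors = self.window.count(False)
        # Assumption: "exceeds" in the overview is read as "reaches", matching the
        # per-parameter wording "number of error events that must be in the window".
        if self.up and errors >= self.error_threshold:
            self.up = False
            self.transitions.append((index, "down"))
        elif not self.up and self.consecutive_successes >= self.success_events:
            self.up = True
            self.transitions.append((index, "up"))
        return self.up


def simulate(events: List[bool], **params) -> Tuple[List[bool], List[Tuple[int, str]]]:
    """Feed a sequence of event outcomes (True = success event, False = error event)
    and return the PVC state after each event plus the list of transitions."""
    pvc = EekPvc(**params)
    states = [pvc.observe(i, ok) for i, ok in enumerate(events)]
    return states, pvc.transitions


def seconds_to_detect_outage(poll_timer: int = 10, event_window: int = 3,
                             error_threshold: int = 2) -> Optional[int]:
    """Seconds from the first unanswered KA request until the PVC is declared down
    when the far end stops answering: each missed reply costs one poll interval.
    Returns None when the threshold can never be reached inside the window."""
    if error_threshold > event_window:
        return None
    return poll_timer * error_threshold


if __name__ == "__main__":
    # Constructed outcomes: two misses inside the 3-event window take the PVC down
    # at event 4; two consecutive successes bring it back at event 6.
    states, transitions = simulate([True, True, False, True, False, True, True, False])
    print("states:", states)
    print("transitions:", transitions)
    print("passive-reply keeps state:", simulate([False] * 5, mode="passive-reply")[0])
    print("default outage detection:", seconds_to_detect_outage(), "s")
```

With the defaults (poll-timer 10, event-window 3, error-threshold 2) a far end that stops answering is declared down about 20 seconds after the first unanswered request, and raising success-events to 10, as in the example of Section 21.1.6.5, makes the PVC wait for ten consecutive good events before it is put back in service. The helper also flags a combination the separate range checks do not catch: an error threshold larger than the event window can never be reached, so the PVC would never be declared down.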
21.1.7 Configuring Frame Relay Queuing
Each Frame Relay interface supports 4 configurable queues that can implement different combinations of strict priority and weighted fair queuing. The actual number of queues is 6 but the lowest priority of these, queue 0, has a fixed value of 1 and the highest priority of these, queue 5, has a fixed value of 10. Queues 0 and 5 are not user-configurable. The configurable queues are numbered 1 to 4 with level 4 being the highest priority queue and level 1 being the lowest priority queue.
A weight of 10 sets the priority queue to strict, meaning that all frames at that priority are transmitted before moving on to a lower priority queue. The weight can only be set to 10 if all higher priority queues are also set to 10. Otherwise, the configured value is a "weighting factor" relative to the next lower level queue. The default weight is 2.
Packets waiting in a strict priority queue are always transmitted before any packets in a lower level queue. You will typically assign your SCADA or other real time traffic (for example, VoIP, console access) to a strict priority queue.
Packets waiting in a weighted fair queue are transmitted in a weighted round robin fashion based on the relative ‘weighting factors’ of the weighted fair queues. For example, if you assume uniform traffic streams for each priority using the default weights (2), 2 priority-4 packets will be sent for every 1 priority-3 packet, 2 priority-3 packets will be sent for every 1 priority-2 packet, and so on. You will typically assign your non-real time traffic (for example, web traffic or bulk data transfer like FTP) a low priority.
Use the frame-relay priority command in Global Configuration mode to configure the relative weighting of the priority queues for all Frame Relay interfaces.
Command syntax:
frame-relay priority qnum weight weightval
Where:
qnum is a numerical value in the range 1-4 specifying the priority queue for which a map is being setup or (with the no command) removed.
weightval is a numerical value in the range 1-10 specifying the weighting for the priority queue specified with qnum.
Example:
Magnum 10RX(config)# frame-relay priority 3 weight 4
Default value (weight): 2
Valid range:
priority — 1-4
weight — 1-10
The no frame-relay priority [qnum] command with qnum specified restores the default value for the specified queue. If no qnum is specified the command restores the default value for all 4 queues.
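The weight rules and the weighted round robin described in this section can be modelled to check a proposed set of frame-relay priority commands before applying it. The Python below is an added example written for this guide, not INOS or Belden code. Its share computation (each weighted queue sends its weight times the share of the next lower queue per pass, with queue 0 sending one packet) is one reading of the "weighting factor relative to the next lower level queue" wording and reproduces the 2:1 default illustration; the strict-drain-first behaviour and the rule that weight 10 needs every higher queue at 10 follow the text directly. The packet backlogs are constructed.

```python
"""Added example (not INOS/Belden code): model the Frame Relay output queue
weighting of Section 21.1.7 (strict priority and weighted fair queuing)."""
from typing import Dict, List

STRICT = 10                 # a weight of 10 makes a queue strict priority
DEFAULT_WEIGHT = 2
FIXED = {5: STRICT, 0: 1}   # queues 5 and 0 are not user-configurable


def validate_weights(configured: Dict[int, int]) -> Dict[int, int]:
    """Build the full 0-5 weight table from a {qnum: weight} map for queues 1-4
    (missing queues take the default of 2) and enforce the two rules of the
    frame-relay priority command: weights are 1-10, and a weight of 10 is only
    legal when every higher-priority queue is also 10."""
    table = dict(FIXED)
    for q in range(1, 5):
        w = configured.get(q, DEFAULT_WEIGHT)
        if not 1 <= w <= 10:
            raise ValueError(f"queue {q}: weight {w} outside 1-10")
        table[q] = w
    for q in range(4, 0, -1):
        if table[q] == STRICT and any(table[h] != STRICT for h in range(q + 1, 6)):
            raise ValueError(f"queue {q}: weight 10 requires queues {q + 1}-5 to be 10 too")
    return table


def weights_are_valid(configured: Dict[int, int]) -> bool:
    try:
        validate_weights(configured)
        return True
    except ValueError:
        return False


def round_shares(table: Dict[int, int]) -> Dict[int, int]:
    """Packets each weighted-fair queue may send per round robin pass (assumed
    reading of the text): queue 0 sends 1 and every higher weighted queue sends
    its weight times the share of the next lower queue, so the default weights
    give 1, 2, 4, 8, 16, a 2:1 ratio between adjacent queues."""
    shares, share = {}, 1
    for q in range(0, 6):
        if table[q] == STRICT:
            break                      # strict queues never take part in a pass
        if q > 0:
            share *= table[q]
        shares[q] = share
    return shares


def schedule(configured: Dict[int, int], backlog: Dict[int, int]) -> List[int]:
    """Return the transmission order (queue numbers) for a snapshot of queued
    packets: strict queues drain completely, highest first, then the weighted
    queues are served round robin by their shares until they are empty."""
    table = validate_weights(configured)
    remaining = {q: backlog.get(q, 0) for q in range(6)}
    order: List[int] = []
    for q in range(5, -1, -1):
        if table[q] != STRICT:
            break
        order.extend([q] * remaining[q])
        remaining[q] = 0
    shares = round_shares(table)
    while any(remaining[q] for q in shares):
        for q in sorted(shares, reverse=True):
            n = min(shares[q], remaining[q])
            order.extend([q] * n)
            remaining[q] -= n
    return order


if __name__ == "__main__":
    # Default weights, equal constructed backlog: the first pass sends 16 / 8 / 4.
    order = schedule({}, {4: 20, 3: 20, 2: 20})
    print("default weights, first pass:", order[:28])
    # "frame-relay priority 4 weight 10": queue 4 is strict and drains before queue 3.
    print("strict queue 4:", schedule({4: STRICT}, {4: 3, 3: 3, 5: 1}))
    # "frame-relay priority 3 weight 10" alone is rejected: queue 4 is still weighted.
    print("queue 3 strict under a weighted queue 4 is valid:", weights_are_valid({3: STRICT}))
```

The strict example also shows the starvation risk the later CIR section addresses: while a strict queue has packets, nothing below it is sent, which is why a misbehaving high-priority source on a strict queue needs a rate limit.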
21.1.8 Assigning Priorities to Frame Relay Packets
Packets can be prioritized based on their PVC or, if they are RFC-1490 encapsulated IP packets, based on their DiffServ Code Point (DSCP).
21.1.8.1 Configuring Default Priority for a PVC
Use the priority command in Frame Relay PVC Configuration mode to configure the default priority for this PVC.
Command syntax:
priority priorval
Where:
priorval is a numerical value in the range 0-5 specifying the default priority of this PVC.
Example:
Magnum 10RX(config-fr-pvc)# priority 3
Default value: 0
Valid range: 0-5
21.1.8.2 Mapping DSCP Values to Queue Priorities
For RFC-1490 encapsulated IP packets use the qos frame-relay output dscp-map command in Global Configuration mode to map DSCP values to queue priority levels for all Frame Relay interfaces. (For more on QoS see Chapter 24.)
Command syntax:
qos frame-relay output dscp-map dscp priorval
Where:
dscp specifies the DSCP to which the value specified by priorval is being mapped.
priorval is a numerical value in the range 0-5 specifying the priority for this map.
Example:
Magnum 10RX(config)# qos frame-relay output dscp-map 46 4
This command maps the expedited forwarding (EF) DSCP of 46 to priority level 4.
Default value:
The default priority value is the value specified with the priority command in Frame Relay PVC mode for an individual PVC.
Valid ranges:
priority — 0-5
dscp — 0-63 or 0x00-0x3F
The no qos frame-relay output dscp-map [dscp] form with dscp specified restores the default value for the specified DSCP. If dscp is not specified the command restores the default value for all DSCPs.
21.1.8.3 Configuring Fragmentation on a Frame Relay Interface
Fragmenting large packets helps improve the latency of real time packets over slow WAN links.
Suppose that you are running two Frame Relay PVCs over a single 64 Kbps T1 channel. The first PVC is transmitting low-priority IP packets and the second PVC is transmitting high-priority SCADA packets. A typical large IP packet coming from an Ethernet LAN will be about 1500 bytes. If the interface begins to transmit that large IP packet just slightly after receiving a high priority SCADA packet, the entire transmission must complete before the SCADA packet can be transmitted. At 64 Kbps it will take roughly 190 msecs to transmit the large IP packet. If a worst-case latency of 190 msecs is not acceptable for the SCADA packet fragmentation can be used to break the large IP packets up into smaller chunks so that the high priority SCADA packet can be interleaved, effectively capping the worst-case latency for the SCADA packet. For example, if the low-priority traffic is fragmented into 64 byte chunks, the worst-case latency will drop to about 8 msecs.
Use the frag-size command in Frame Relay Interface Configuration mode to enable fragmentation for any RFC 1490 PVCs on that interface and to set the maximum fragment size.
Command syntax:
frag-size fragval
Where:
fragval is a numerical value in the range 1-1500 specifying the maximum number of bytes in a fragment.
Example:
Magnum 10RX(config-fr)# frag-size 64
Default value: fragmentation disabled
Valid range: 1-1500 bytes
The no frag-size command restores the default.
21.1.8.4 Configuring Committed Information Rate on a PVC
The Committed Information Rate (CIR) is the minimum data throughput that your service provider guarantees to support over a particular PVC. At the edge of the Frame Relay network it is the responsibility of the customer's router to shape PVC traffic such that it does not exceed this rate. Thus, configuring the CIR enforces a throughput rate limit on packets transmitted over a PVC. The CIR can also be used to limit the throughput of traffic in a high priority queue so that the high priority traffic will never completely starve lower priority traffic on the Frame Relay interface. Typically you will design your network and network applications so that you leave some bandwidth available to lower priority traffic. However, setting the CIR is a safeguard against a misbehaving high priority source monopolizing your WAN link bandwidth.
Use the cir command in Frame Relay PVC Interface Configuration mode to set the CIR for a PVC.
Command syntax:
cir cirval
Where:
cirval is a numerical value in the range 1-2048 specifying the maximum Kbps for this PVC.
Example:
Magnum 10RX(config-fr-pvc)# cir 100
Default value: the bit rate of the Frame Relay interface
Valid range: 1-2048 Kbps
The no cir command restores the default.
21.1.9 Displaying Frame Relay Information
The CLI commands described below enable you to display information about Frame Relay configuration and performance. These commands are executed in Exec Commands mode at the Magnum 10RX# prompt.
21.1.9.1 show interface frame-relay
Use the show interface frame-relay command to display Frame Relay global configuration details.
Example:
Magnum 10RX# show interface frame-relay 33
21.1.9.2 show interface fr-pvc
Use the show interface fr-pvc command to display Frame Relay PVC configuration details.
Example:
Magnum 10RX# show interface fr-pvc 10
21.1.9.3 show frame-relay priority
Use the show frame-relay priority command to display the configured priority weighting of the Frame Relay interface queues.
Example:
Magnum 10RX# show frame-relay priority
21.1.9.4 show qos frame-relay output dscp-map
Use the show qos frame-relay output dscp-map command to display the configured DSCP-to-priority queue mappings.
Example:
Magnum 10RX# show qos frame-relay output dscp-map
21.1.10 Clearing Frame Relay Counters
Use the clear counters frame-relay command in Exec Commands mode with Frame Relay-specific arguments to clear Frame Relay counters.
Command syntax:
clear counters frame-relay frid [lmi]
Where:
frid is a numerical value in the range 1-192 specifying a configured Frame Relay interface.
lmi is an optional keyword specifying that LMI counters are to be cleared.
Example:
Magnum 10RX# clear counters frame-relay 25 lmi
Valid range: 1-192
21.1.11 Clearing FR-PVC Counters
Use the clear counters fr-pvc command in Exec Commands mode with FR-PVC-specific arguments to clear FR-PVC counters.
Command syntax:
clear counters fr-pvc pvcid [eek]
Where:
pvcid is a numerical value in the range 1-2048 specifying a configured PVC.
eek is an optional keyword specifying that EEK counters are to be cleared.
Example:
Magnum 10RX# clear counters fr-pvc 888 eek
Valid range: 1-2048
21.2 Configuring Frame Relay in the GUI
The following sections describe the screens to use to configure Frame Relay functionality in the GUI.
21.2.1 Configuring the Frame Relay Interface
In the GUI go to the WAN Management: Frame Relay: Frame Relay Interface Configuration tab to configure Frame Relay interfaces, as illustrated in Figure 21-6.
Figure 21-6. Frame Relay Interface Configuration Screen
In the Frame Relay Interface Configuration screen use the upper dialog box to specify an interface. Click Create to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured interfaces.
Table 21-1. Frame Relay Interface Configuration Fields
Parameter – Description – See Also
Select – You must click a selection button before modifying a configuration.
FR Interface Name – A numerical value in the range 1-192 specifying a Frame Relay interface ID. This value will be appended to “frame-relay” to form an identifying label. See Section 21.1.0.1.
Oper Status – A green or red symbol to indicate the physical status of the connection.
Admin State – Up or Down to indicate the administrative status of the connection.
Lower Layer Interface – Specifies the T1/E1 port that lies under this FR interface. See Section 21.1.0.2.
Channel Number – Optionally specify a channel number designator corresponding to the channelized T1/E1 interface. See Section 21.1.0.2.
Link Up/Down Trap – Enable or disable notification of link status.
LMI Type – Specifies the Local Management Interface (LMI) type. If specified, options are:
• lmi — Cisco (aka, Gang of Four) LMI type.
• ccitt — ITU-T Q.933 Annex A LMI type.
• ansi — Annex D LMI type defined by ANSI standard T1.617.
See Section 21.1.1.1.
LMI Mode – Specify whether the interface should implement the user part or the network part of the LMI protocol. When connecting to a service provider network you should choose User mode. When connecting two 10RX routers together directly, choose User mode on one side and Network mode on the other side. See Section 21.1.1.2.
Fragmentation Status – Enable or disable fragmentation on the interface. See Section 21.1.8.3.
Fragmentation Size – Specify fragment size in a range of 1-1500 bytes. See Section 21.1.8.3.
21.2.2 Configuring Frame Relay End-to-End Keepalive
In the GUI go to the WAN Management: Frame Relay: FR End-to-End Keepalive tab to configure an End-to-End Keepalive (EEK) end point, as illustrated in Figure 21-7.
Figure 21-7. Frame Relay End-to-End Keepalive Screen
In the Frame Relay End-to-End Keepalive screen configure the EEK values for a previously configured Frame Relay interface.
For more on End-to-End Keepalive functionality see Section 21.1.6.
Table 21-2. Frame Relay End-to-End Keepalive Fields
Parameter – Description – See Also
Select – You must click a selection button before modifying a configuration.
FR Interface Name – The identifier for the selected Frame Relay interface.
Poll Timer – Specify the number of seconds between keep alive poll transmissions. Default value: 10 seconds. Valid range: 1-255. See Section 21.1.6.1.
Response Timer – Specify the number of seconds to wait for a new KA request before declaring a new error event. Default value: 15. Valid range: 1-255. See Section 21.1.6.2.
Event Window – Specify the number of recent events to track. Default value: 3. Valid range: 1-32. See Section 21.1.6.3.
Error Threshold – Specify the number of error events that must be in the event window before declaring the PVC to be down. Default value: 2. Valid range: 1-32. See Section 21.1.6.4.
Success Events – Specify the number of consecutive success events that must be generated before declaring the PVC to be up. Default value: 2. Valid range: 1-32. See Section 21.1.6.5.
21.2.3 Configuring Frame Relay PVCs
In the GUI go to the WAN Management: Frame Relay: FR PVCs tab to configure Permanent Virtual Circuits (PVCs), as illustrated in Figure 21-8.
Figure 21-8. Frame Relay PVCs Screen
In the Frame Relay PVCs screen use the upper dialog box to configure the PVC. Click Create to save your specifications and display them in the lower dialog box. Use the lower dialog box to edit or delete configured PVCs.
For more on Frame Relay PVCs see Section 21.1.2.
Table 21-3. Frame Relay PVCs Fields
Parameter – Description – See Also
Select – You must click a selection button before modifying a configuration.
FR PVC Name – A numerical value in the range 1-2048 specifying a Frame Relay PVC name. This value will be appended to “FR PVC Name” to form an identifying label. See Section 21.1.2.1.
DLCI – Specify a Data Link Connection Identifier (DLCI) for this PVC. Valid range: 1-1022. See Section 21.1.2.3.
Oper Status – A green or red symbol to indicate the physical status of the connection.
Admin State – Up or Down to indicate the administrative status of the connection.
FR Interface Name – The identifier for the selected Frame Relay interface.
EEK Mode – Specify the End-to-End Keepalive mode. Options are:
• bidirectional — specifies that the device sends periodic KA requests and that it replies to KA requests that it receives. EEK events are based on received KA replies.
• request — specifies that the device sends periodic KA requests but does not reply to KA requests. EEK events are based on received KA replies.
• reply — specifies that the device does not send periodic KA requests but does reply to KA requests. EEK events are based on received KA requests.
• passive-reply — specifies that the device does not send periodic KA requests but does reply to KA requests. In this mode, the local state of the PVC is not determined by EEK.
See Section 21.1.6.
EEK State – The state of the EEK exchange on this FR-PVC. Possible states are:
• dn-snd — The send side of EEK is down.
• dn-rcv — The receive side of EEK is down.
• dn-s/r — The send and receive sides of EEK are down.
• up — EEK is up.
• disabled — EEK is disabled.
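The Event Window, Error Threshold and Success Events rules of Table 21-2, combined with which received keepalive message counts as an event in each EEK Mode of Table 21-3, as an added Python example; this is not INOS code, and the class name, its methods, the plain up/down result and the assumption that a PVC starts UP are this example's own.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Optional

# Which received keepalive message is a success event in each EEK Mode
# (from the EEK Mode options). None: the mode answers KA requests but the
# PVC's local state is not determined by EEK.
EVENT_SOURCE = {
    "bidirectional": "reply",
    "request": "reply",
    "reply": "request",
    "passive-reply": None,
}


@dataclass
class EekMonitor:
    """Sliding-window liveness judgement for one PVC (example code, not INOS)."""
    mode: str = "bidirectional"
    event_window: int = 3      # Event Window: recent events tracked (default 3, 1-32)
    error_threshold: int = 2   # Error Threshold: errors in the window that declare DOWN (default 2)
    success_events: int = 2    # Success Events: consecutive successes that declare UP (default 2)
    _events: Deque[bool] = field(default_factory=deque, repr=False)  # True = success event
    _consecutive_ok: int = field(default=0, repr=False)
    _up: bool = field(default=True, repr=False)   # assumption: a fresh PVC starts UP

    def __post_init__(self) -> None:
        if self.mode not in EVENT_SOURCE:
            raise ValueError(f"unknown EEK mode {self.mode!r}")
        for name, value in (("event_window", self.event_window),
                            ("error_threshold", self.error_threshold),
                            ("success_events", self.success_events)):
            if not 1 <= value <= 32:
                raise ValueError(f"{name} must be in 1-32")
        # deque(maxlen=...) drops the oldest event once the window is full.
        self._events = deque(maxlen=self.event_window)

    def _record(self, success: bool) -> None:
        self._events.append(success)
        self._consecutive_ok = self._consecutive_ok + 1 if success else 0
        errors_in_window = sum(1 for ok in self._events if not ok)
        if self._up and errors_in_window >= self.error_threshold:
            self._up = False   # Error Threshold reached within the Event Window
        elif not self._up and self._consecutive_ok >= self.success_events:
            self._up = True    # enough consecutive successes to declare the PVC up

    def on_message(self, kind: str) -> None:
        """A KA 'request' or 'reply' arrived; it is a success event only if this mode counts it."""
        source = EVENT_SOURCE[self.mode]
        if source is not None and kind == source:
            self._record(True)

    def on_response_timeout(self) -> None:
        """The Response Timer expired without the expected message: one error event."""
        if EVENT_SOURCE[self.mode] is not None:
            self._record(False)

    def state(self) -> Optional[str]:
        """'up' or 'down'; None when EEK does not determine the PVC state (passive-reply)."""
        if EVENT_SOURCE[self.mode] is None:
            return None
        return "up" if self._up else "down"
```

With the defaults (window 3, threshold 2, successes 2) a single lost reply is tolerated, two lost replies among the last three events take the PVC down, and two consecutive good replies bring it back.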
21.2.4 Configuring Frame Relay Encapsulation
In the GUI go to the WAN Management: Frame Relay: FR Encapsulation tab to configure Frame Relay encapsulation, as illustrated in Figure 21-9.
Figure 21-9. Frame Relay Encapsulation Screen
In the Frame Relay Encapsulation screen, enable Frame Relay encapsulation of IP packets between two points on a previously configured PVC. Click Apply to make your configuration effective.
For more on Frame Relay encapsulation see Section 21.1.3.
Table 21-4. Frame Relay Encapsulation Fields
Parameter – Description – See Also
Select – You must click a selection button before modifying a configuration.
FR PVC Name – The identifier for the selected PVC. XREF
Serial-Over-FR Port – If asynchronous serial data is being encapsulated, the identifier of the serial port. See Section 21.1.4.
Serial-Over-FR Padding – If encapsulation of asynchronous serial data is being configured you can optionally specify that a 3-byte offset (“padding”) is created within each packet between the Frame Relay header and the payload. This is for compatibility with Dynastar router products. See Section 21.1.4.
Local IP Address – If IP encapsulation is being configured, a valid IP address for the current device. See Section 21.1.3.1.
Remote IP Address – If IP encapsulation is being configured, a valid IP address for the peer device. See Section 21.1.3.2.
IP MTU – Specify a Maximum Transmission Unit size for this connection. Default value: 1500. Valid range: 68-1500.
Chapter 22 Serial Interface
INOS supports dual-port and quad-port async serial cards in slots 3 through 10, for a maximum of 8 cards and 32 async serial interfaces per system. You can configure the physical layer parameters for each async serial interface individually or in groups via serial profiles. You can retrieve status and statistics for each configured serial port.
The administrative status (adminStatus) of a serial interface is independent of any layers above it, for example, PPP or terminal server; thus, when the adminStatus of a serial interface is set to UP, the physical port parameters must be programmed into the hardware and the port must be enabled to begin communications, including turning on appropriate data set signals. Conversely, when the adminStatus of a serial interface is set to DOWN, the port must be disabled from communications, including turning off appropriate data set signals.
The association of a serial port and its profile may not be changed unless the adminStatus is first set to DOWN. However, an associated serial profile may be modified independent of the adminStatus value. If the serial profile is changed and the adminStatus is UP, then the serial profile set function sets the adminStatus to DOWN and then back to UP, effectively resetting the port parameters. Note that this reset may cause higher layer protocols to go down or to cause other interruptions.
22.1 Configuring Serial Profiles in the CLI
A serial profile is a named set of configuration specifications that can be associated with a serial interface. When a profile is associated with 1 or more serial interfaces it may NOT be deleted. If an attempt is made to delete an associated serial profile an error message is displayed.
The following sections explain the CLI commands used to configure a serial profile.
22.1.1 Specifying a Serial Profile
Use the serial-profile command in Global Configuration mode to specify a new or existing serial profile and to enter Serial Profile Configuration mode, signaled by the Magnum 10RX(config-sp)# prompt.
Command syntax:
serial-profile profname
Where:
profname is a string of up to 32 printable characters
Example:
Magnum 10RX(config)# serial-profile nannerl
This command specifies the serial profile nannerl, creating it if it does not already exist. Subsequent commands in the Serial Profile Configuration session will modify this profile.
Valid range: up to 32 printable characters
The no serial-profile profname command deletes the serial profile specified by profname.
Use the show serial-profile profname command to view configured values.
22.1.2 Configure a Profile’s Interface Standard
Use the if-standard command in Serial Profile Configuration mode to specify the physical interface standard for a serial profile.
Command syntax:
if-standard {rs232 | rs485-2wire | rs485-4wire}
Where:
rs232 RTS always asserted
rs485-2wire half-duplex operation
rs485-4wire full-duplex operation
Example:
Magnum 10RX(config-sp)# if-standard rs485-2wire
This command specifies that the physical interface standard used by this serial profile will be half-duplex (RTS asserted only when transmitting).
Default value: rs232
The no if-standard command specifies the default value.
Use the show serial-profile profname command to view configured values.
22.1.3 Configure a Profile’s Speed
Use the speed command in Serial Profile Configuration mode to specify the speed for a serial profile.
Command syntax:
speed bps
Where:
bps specifies a baud rate. Legal values are 300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200, 230400
Example:
Magnum 10RX(config-sp)# speed 38400
Default value: 9600
The no speed command specifies the default value.
Use the show serial-profile profname command to view configured values.
22.1.4 Configure a Profile’s Databits
Use the databits command in Serial Profile Configuration mode to specify the total number of bits in a character to be used by this profile.
Command syntax:
databits {7 | 8}
Example:
Magnum 10RX(config-sp)# databits 7
Default value: 8
The no databits command specifies the default value.
Use the show serial-profile profname command to view configured values.
22.1.5 Configure a Profile’s Stopbits
Use the stopbits command in Serial Profile Configuration mode to specify the duration of the MARK condition on the line after character transmission is complete.
Command syntax:
stopbits {1 | 1.5 | 2}
Example:
Magnum 10RX(config-sp)# stopbits 2
Default value: 1
The no stopbits command specifies the default value.
Use the show serial-profile profname command to view configured values.
22.1.6 Configure a Profile’s Parity
Use the parity command in Serial Profile Configuration mode to specify the parity value for this profile. Setting the parity bit enables error detection.
Command syntax:
parity {odd | even}
Example:
Magnum 10RX(config-sp)# parity even
Default value: none
The no parity command specifies the default value.
Use the show serial-profile profname command to view configured values.
22.1.7 Configure a Profile to Ignore DSS
Use the ignore-dss command in Serial Profile Configuration mode to enable ignoring data set signals for a serial profile. When enabled, the operStatus of the port is UP if the adminStatus is UP. When disabled, the operStatus of the port is UP if the DSR or DCD handshake signal is on and the adminStatus is UP.
Command syntax:
ignore-dss
Example:
Magnum 10RX(config-sp)# ignore-dss
Default value: disabled
The no ignore-dss command specifies the default value.
Use the show serial-profile profname command to view configured values.
22.1.8 Configure a Profile’s Flow Control
Use the flow-ctl command in Serial Profile Configuration mode to specify the type of flow control for this profile.
Command syntax:
flow-ctl {xonxoff | rtscts}
Where:
xonxoff specifies software flow control. Unit will stop transmitting if an XOFF (19) character (CTL-S) is detected in the received stream and will start when an XON (17) character (CTL-Q) is detected.
rtscts specifies hardware flow control. Unit will stop transmitting if CTS is de-asserted.
Example:
Magnum 10RX(config-sp)# flow-ctl xonxoff
Default value: disabled
The no flow-ctl command specifies the default value.
Use the show serial-profile profname command to view configured values.
22.1.9 Configure a Profile’s Packetization Character
Use the pkt-char command in Serial Profile Configuration mode to specify the end-of-packet character for a serial profile. This parameter defines a special character in the data stream that forces an end-of-packet event.
Command syntax:
pkt-char pkchval
Where:
pkchval is a numerical value specifying the end-of-packet character. This value may be expressed in decimal or in hex.
Example:
Magnum 10RX(config-sp)# pkt-char 88
Default value: disabled
Valid range: 0-255
The no pkt-char command disables end-of-packet character matching.
Use the show serial-profile profname command to view configured values.
22.1.10 Configure a Profile’s Packet Timeout Value
Use the pkt-time command in Serial Profile Configuration mode to specify the packet timeout for a serial profile. This parameter defines a timeout value in milliseconds. If an additional character is not received before the timer expires an end-of-packet event occurs.
Command syntax:
pkt-time pktoval
Where:
pktoval is a numerical value specifying in milliseconds the interval of inactivity after which the end-of-packet timer will trigger an event
Example:
Magnum 10RX(config-sp)# pkt-time 500
Default value: 200
Valid range: 1-1000 msec
The no pkt-time command disables the end-of-packet event timer.
Use the show serial-profile profname command to view configured values.
22.1.11 Configure a Profile’s Maximum Packet Size
Use the max-pkt-size command in Serial Profile Configuration mode to specify the maximum packet size for a serial profile. When the number of received characters reaches this maximum an end-of-packet event occurs.
Command syntax:
max-pkt-size pktsize
Where:
pktsize is a numerical value specifying the maximum number of serial characters in a packet for this profile
Example:
Magnum 10RX(config-sp)# max-pkt-size 800
Default value: 1024
Valid range: 32-1024 characters
The no max-pkt-size command specifies the default value.
Use the show serial-profile profname command to view configured values.
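The three end-of-packet triggers of Sections 22.1.9 through 22.1.11 (pkt-char, pkt-time and max-pkt-size) worked through as an added Python example; this is not INOS code, the class and method names are this example's own, and it assumes the matching packetization character stays in the delivered payload.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SerialPacketizer:
    """Collects received characters into packets the way a serial profile's
    pkt-char, pkt-time and max-pkt-size settings describe (example code)."""
    pkt_char: Optional[int] = None   # pkt-char: end-of-packet character 0-255, None = disabled
    pkt_time_ms: int = 200           # pkt-time: idle timeout, 1-1000 msec (default 200)
    max_pkt_size: int = 1024         # max-pkt-size: characters per packet, 32-1024 (default 1024)
    _buf: bytearray = field(default_factory=bytearray, repr=False)
    _last_rx_ms: Optional[int] = field(default=None, repr=False)

    def __post_init__(self) -> None:
        # Reject values outside the ranges the profile commands accept.
        if self.pkt_char is not None and not 0 <= self.pkt_char <= 255:
            raise ValueError("pkt-char must be 0-255")
        if not 1 <= self.pkt_time_ms <= 1000:
            raise ValueError("pkt-time must be 1-1000 msec")
        if not 32 <= self.max_pkt_size <= 1024:
            raise ValueError("max-pkt-size must be 32-1024")

    def _idle_expired(self, now_ms: int) -> bool:
        return bool(self._buf) and self._last_rx_ms is not None \
            and now_ms - self._last_rx_ms >= self.pkt_time_ms

    def _flush(self) -> bytes:
        packet = bytes(self._buf)
        self._buf.clear()
        self._last_rx_ms = None
        return packet

    def feed(self, byte: int, now_ms: int) -> List[bytes]:
        """Accept one received character at time now_ms; return packets closed by it."""
        closed: List[bytes] = []
        # A gap of pkt-time or more before this character ends the pending packet
        # (covers the case where no timer tick happened in between).
        if self._idle_expired(now_ms):
            closed.append(self._flush())
        self._buf.append(byte)
        self._last_rx_ms = now_ms
        if self.pkt_char is not None and byte == self.pkt_char:
            closed.append(self._flush())          # packetization character seen
        elif len(self._buf) >= self.max_pkt_size:
            closed.append(self._flush())          # max-pkt-size reached
        return closed

    def tick(self, now_ms: int) -> Optional[bytes]:
        """Timer callback: close the pending packet once the line has been idle pkt-time."""
        return self._flush() if self._idle_expired(now_ms) else None
```
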
22.2 Configuring Serial Interfaces in the CLI
A serial profile is put into use by being associated with an asynchronous serial interface. For the related shutdown and no shutdown commands see Section 20.1.15.
22.2.1 Specify a Serial Interface
Use the interface serial command in Global Configuration mode to specify a serial interface to be configured and to enter Serial Interface Configuration mode, signaled by the Magnum 10RX(config-serial)# prompt.
Command syntax:
interface serial slot/port
Where:
slot/port are valid slot and port designations on this device
Example:
Magnum 10RX(config)# interface serial 4/1
Magnum 10RX(config-serial)#
Subsequent commands in this configuration mode will modify the interface specified by slot/port in this command.
22.2.2 Associate a Profile and a Serial Interface
Use the use serial-profile command in Serial Interface Configuration mode to set the serial profile to use for an asynchronous serial interface. The same profile can be associated with multiple serial interfaces.
Command syntax:
use serial-profile profname
Where:
profname is the name of a configured serial profile
Example:
Magnum 10RX(config-serial)# use serial-profile nannerl
This command specifies that the serial interface being configured will use serial profile nannerl.
22.3 Serial Interface Show Commands
Use the following commands in Exec Commands mode to display information about serial interfaces and profiles.
22.3.1 Display Serial Profile Information
Use the show serial-profile command to display the serial profile configuration. If no configured profile is specified all serial profiles are displayed.
Command syntax:
show serial-profile [profname]
Where:
profname is the name of a configured serial profile
Example:
Magnum 10RX# show serial-profile nannerl
22.3.2 Display Serial Interface Information
Use the show interface serial command to display the current interface configuration and status information. If the show interface command is executed by itself the system displays information for every interface in the system. Specify a serial interface to show information on that interface alone.
Command syntax:
show interface serial [slot/port]
Where:
slot/port are valid slot and port designations on this device.
Example:
Magnum 10RX# show interface serial 8/1
22.4 Configuring Serial Profiles in the GUI
A serial profile is a named set of configuration specifications that can be associated with a serial interface. When a profile is associated with 1 or more serial interfaces it may NOT be deleted. If an attempt is made to delete an associated serial profile an error message is displayed.
The following sections explain the GUI screens used to configure a serial profile.
22.4.1 Configuring a Serial Profile
In the GUI go to the Serial Management: Port Manager: Serial Profile Settings tab to configure a serial profile, as illustrated in Figure 22-1.
Figure 22-1. Serial Profile Settings Screen
In the Serial Profile Settings screen use the upper dialog box to define a serial port’s profile. Click the Create button to save the profile and display it in the lower dialog box. Use the lower dialog box to edit or delete configured profiles.
Table 22-1. Serial Profile Settings Fields
Parameter – Description – See Also
Select – You must click a selection button before modifying a configuration.
Serial Profile Name – Specify a string of up to 32 printable characters as a name for this profile. See Section 22.1.1.
Interface Standard – Specify the physical interface standard for a serial profile. Options are:
• rs232 — RTS always asserted
• rs485-2wire — half-duplex operation
• rs485-4wire — full-duplex operation
See Section 22.1.2.
Speed – Specify the speed for this serial profile. Legal values are baud rates of 300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200, 230400. See Section 22.1.3.
Databits – Specify the total number of bits (7 or 8) in a character to be used by this profile. See Section 22.1.4.
Stopbits – Specify the duration of the MARK condition (1 or 2) on the line after character transmission is complete. See Section 22.1.5.
Parity – Specify the parity value (odd or even) for this profile. Setting the parity bit enables error detection. See Section 22.1.6.
Ignore-dss – Enable or disable ignoring data set signals for a serial profile. When enabled, the operStatus of the port is UP if the adminStatus is UP. When disabled, the operStatus of the port is UP if the DSR or DCD handshake signal is on and the adminStatus is UP. See Section 22.1.7.
Flow Control – Specify the type of flow control for this profile. Options are:
• xonxoff — specifies software flow control. Unit will stop transmitting if an XOFF (19) character (CTL-S) is detected in the received stream and will start when an XON (17) character (CTL-Q) is detected.
• rtscts — specifies hardware flow control. Unit will stop transmitting if CTS is de-asserted.
See Section 22.1.8.
Packet Character Status – Enable or disable use of a character to mark the end of a packet event. See Section 22.1.9.
Packet Character – Specify a numerical value as the character to be used to mark the end of a packet event. Valid range: 0-255. See Section 22.1.9.
Packet Timeout – Specify in milliseconds the interval of inactivity after which the end-of-packet timer will trigger an event. Default value: 200. Valid range: 1-1000 msec. See Section 22.1.10.
Maximum Packet Size – Specify the maximum packet size for a serial profile. When the number of received characters reaches this maximum an end-of-packet event occurs. Default value: 1024. Valid range: 32-1024 characters. See Section 22.1.11.
22.4.2 Associating Profiles and Ports
In the GUI go to the Serial Management: Port Manager: Serial Port Configuration tab to associate a configured profile with a serial interface, as illustrated in Figure 22-2.
Figure 22-2. Serial Port Configuration Screen
In the Serial Port Configuration screen assign a configured profile to a serial interface and make the interface active. Click Apply to save your specifications and make them effective.
Table 22-2. Serial Port Configuration Fields
Parameter – Description – See Also
Select – You must click a selection button before modifying a configuration.
Port – Select from a list of available serial ports. See Section 22.2.1.
Link Status – An indicator of the physical state (Up or Down) of this port.
Admin Status – Set the administrative status of this port to Up or Down.
Link Up/Down Trap – Enable or disable notification of changes in link status.
Serial Profile Name – Specify a configured serial profile to be associated with this serial port. See Section 22.2.2.
Chapter 23 Terminal Server
The terminal services application encapsulates serial data in the payload of a TCP segment, allowing users to access any serial device over a TCP/IP network. Terminal services behavior is easily understood in terms of channels, which are full-duplex serial streams that are associated with one or more TCP connections. Each channel may be assigned a diffserv priority. Channels may be outgoing or incoming depending on whether the application initiates the TCP connection or waits for remote clients to connect. Each serial port may be assigned up to 16 channels, only one of which may be incoming. An incoming channel may accept TCP connections from as many as 32 remote peers. This level of flexibility is required to support multi-site SCADA applications, for example. Figure 23-1 depicts such a scenario.
Figure 23-1. Terminal Server SCADA Application
In this example the terminal services application on the device connected to the SCADA master has been configured to initiate a TCP connection to the device attached to each remote SCADA slave. Serial data from the master is transmitted over each TCP connection. For incoming channels the application is responsible for serializing access to the physical port; each response from the RTU is delivered to the requester only.
The status of each channel may be displayed; this information includes call direction, TCP connection state, the number of TCP connections, and the local and remote IP address and TCP port number.
23.1 Terminal Server Operation
Magnum-RX offers a terminal server function that transports serial characters over a TCP/IP network. A flexible set of connection options allows the user to configure each serial port for a different mode of operation. The terminal server functionality is organized into serial communication channels that may be added or deleted from the system. Each channel is associated with a particular serial port and operates either in passive or active mode.
23.1.1 Passive Mode Channels
When a terminal server channel operates in passive (server) mode, it waits for incoming TCP connection requests. When a request is received it is accepted if the following criteria are met:
• serial port operational state is UP
• maximum number of incoming connections will not be exceeded
After a connection request is accepted, the TCP connection becomes active and serial data may be transmitted and received on the channel.
A terminal server channel operates in passive mode if the “Call Direction” parameter is set to “IN”.
The following configuration parameters also affect the operation of the port in passive mode:
• Local IP – the IP address at which the server listens for connections. If the system has only a single assigned IP address, this parameter defaults to the system IP address and cannot be changed. If the system has multiple assigned IP addresses, this parameter can be set to any of those addresses. In this case, the software will only accept connections destined for the configured IP address. The port will not be reachable using other IP addresses, even if they are assigned to the system.
• Local TCP – the TCP port at which the server listens for connections. The TCP port may be in the range 1000 to 65535. It is invalid to assign the same TCP port to multiple terminal server serial ports.
• Maximum Connections – the maximum number of incoming connections that will be accepted for the terminal server serial port. Up to 5 simultaneous incoming connections are supported per serial port.
23.1.2 Active Mode Channels
When a terminal server port operates in active (client) mode, it actively attempts to connect to a specified remote host whenever the serial port operational state is UP.
After an outgoing connection request is accepted by the remote host, the TCP connection becomes active and serial data may be transmitted and received on the channel.
A terminal server port operates in active mode if the “Call Direction” parameter is set to “OUT”.
The following configuration parameters also affect the operation of the port in active mode:
• Local IP – the IP address to which the channel binds before making an outgoing connection. This is the address used in a transmitted packet's source address IP header field.
• Local TCP – the TCP port to which the channel binds before making an outgoing connection. The TCP port may be in the range 1000 to 65535. This is the port number used in a transmitted packet's source port TCP header field. It is invalid to assign the same TCP port to multiple terminal server channels. When a channel is configured in active mode, it is also valid to have no Local TCP port assigned (by issuing the no local-tcp command). This tells the system that it can select any unused port number as the local TCP port for this connection.
• Remote IP – the IP address to which the terminal server attempts to connect.
• Remote TCP – the TCP port to which the terminal server attempts to connect.
• Retry Time – when a connection attempt fails (for any reason), this is the minimum amount of time the terminal server will wait before re-trying the attempt.
23.1.3 Mixed Mode
You can configure a terminal server port to operate in a mixed mode in which it simultaneously acts as both a passive server and an active client. This is accomplished by adding an "IN" channel as well as at least one "OUT" channel that uses the port. In general, this mode should be used with care. If you configure both sides of a connection with a mixed mode you can produce redundant TCP connections.
23.1.4 Session Type
Each terminal server port can be configured as a raw TCP connection or as a Telnet connection. Generally, the session type should be specified as raw (the default) unless you plan on connecting to the port using a telnet application. This may be appropriate in certain cases where you are accessing a device console port using the terminal server.
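The channel rules stated in Sections 23.1.1 and 23.1.2 and in the chapter introduction, as an added Python example that is not INOS code: Local TCP must be in 1000-65535 and unique across channels, a serial port carries at most 16 channels with only one “IN”, and an IN channel accepts a connection only when the serial port is operationally UP, the connection is addressed to the configured Local IP, and Maximum Connections would not be exceeded. The class and method names and the IP addresses used are this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Channel:
    name: str                      # serial-channel name, up to 16 printable characters
    serial_port: str               # "slot/port" of the associated serial port
    direction: str                 # "IN" (passive/server) or "OUT" (active/client)
    local_ip: str                  # Local IP
    local_tcp: Optional[int]       # Local TCP; None is allowed only for OUT (no local-tcp)
    max_connections: int = 1       # Maximum Connections, IN channels only
    remote_ip: Optional[str] = None    # Remote IP, OUT channels only
    remote_tcp: Optional[int] = None   # Remote TCP, OUT channels only
    peers: Set[str] = field(default_factory=set, repr=False)  # currently connected peers


class TerminalServer:
    """Holds the configured channels and applies the accept / dial rules (example code)."""
    MAX_CHANNELS_PER_PORT = 16

    def __init__(self) -> None:
        self.channels: Dict[str, Channel] = {}
        self.port_oper_up: Dict[str, bool] = {}   # serial port operational state

    def add_channel(self, ch: Channel) -> None:
        if not 1 <= len(ch.name) <= 16 or not ch.name.isprintable():
            raise ValueError("channel name must be 1-16 printable characters")
        if ch.direction not in ("IN", "OUT"):
            raise ValueError("Call Direction must be IN or OUT")
        if ch.local_tcp is None:
            if ch.direction == "IN":
                raise ValueError("an IN channel needs a Local TCP port to listen on")
        else:
            if not 1000 <= ch.local_tcp <= 65535:
                raise ValueError("Local TCP must be in 1000-65535")
            if any(c.local_tcp == ch.local_tcp for c in self.channels.values()):
                raise ValueError(f"Local TCP {ch.local_tcp} is already used by another channel")
        same_port = [c for c in self.channels.values() if c.serial_port == ch.serial_port]
        if len(same_port) >= self.MAX_CHANNELS_PER_PORT:
            raise ValueError("serial port already has 16 channels")
        if ch.direction == "IN" and any(c.direction == "IN" for c in same_port):
            raise ValueError("serial port already has an IN channel")
        self.channels[ch.name] = ch

    def accept(self, name: str, dst_ip: str, peer: str) -> bool:
        """Passive-mode decision for a TCP connection request to dst_ip from peer."""
        ch = self.channels[name]
        if ch.direction != "IN":
            return False                                  # OUT channels never listen
        if not self.port_oper_up.get(ch.serial_port, False):
            return False                                  # serial port must be operationally UP
        if dst_ip != ch.local_ip:
            return False                                  # only the configured Local IP is reachable
        if len(ch.peers) >= ch.max_connections:
            return False                                  # Maximum Connections would be exceeded
        ch.peers.add(peer)
        return True

    def disconnect(self, name: str, peer: str) -> None:
        self.channels[name].peers.discard(peer)

    def should_dial(self, name: str) -> bool:
        """Active-mode rule: an OUT channel attempts to connect whenever its serial port is UP."""
        ch = self.channels[name]
        return ch.direction == "OUT" and self.port_oper_up.get(ch.serial_port, False)
```
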
23.2 Terminal Server Configuration in the CLI
You manage the Terminal Server application by creating and configuring terminal server channels. The CLI commands to accomplish these tasks are described in the following sections.
23.2.1 Specify a Terminal Server Channel
Use the serial-channel command in Global Configuration mode to specify a new or existing serial channel and to enter Terminal Server Configuration mode, signaled by the Magnum 10RX(config-ts)# prompt.
Command syntax:
serial-channel channame
Where:
channame is a string of up to 16 printable characters
Example:
Magnum 10RX(config)# serial-channel amadeus
This command specifies the serial channel amadeus, creating it if it does not already exist. Subsequent commands in the Terminal Server Configuration session will modify this channel.
Valid range: up to 16 printable characters
The no serial-channel channame command deletes the channel specified by channame and tears down any associated TCP connections.
Use the show serial-channel channame command to view configured values.
23.2.2 Configure a Port for a Channel
Use the serial-port command in Terminal Server Configuration mode to set the serial port for this terminal server channel. The same serial port may be associated with multiple channels, but it cannot be associated with more than one channel that is set to the "IN" direction.
Command syntax:
serial-port serial slot/port
Where:
slot/port are valid slot and port designations for a serial port on this device.
Example:
Magnum 10RX(config-ts)# serial-port serial 8/1
This command specifies the serial channel under configuration will use slot 8, port 1 on this device.
Default value: no port specified
The no serial-port command specifies the default.
Use the show serial-channel channame command to view configured values.
Note that specifying a serial port with the serial-port command will override a previous configuration of an fr-pvc connection on the port. See Section 23.2.3.
23.2.3 Mapping a Serial Channel to a PVC
A Frame Relay PVC can be used to extend a typical serial terminal server connection to a remote serial port over a WAN. This feature is explained in Section 21.1.5.
Use the fr-pvc command in Terminal Server Configuration mode to map the channel to a configured Frame Relay PVC.
Command syntax:
fr-pvc pvcid
Where:
pvcid is a numerical value in the range 1-2048 specifying a configured PVC.
Example:
Magnum 10RX(config-ts)# fr-pvc 25
Valid range: 1-2048
The no fr-pvc command deletes the configured mapping.
Note that specifying an fr-pvc connection with the fr-pvc command will override a previous configuration of a serial port. See Section 23.2.2.
23.2.4 Configure Channel Direction
Use the direction command in Terminal Server Configuration mode to set the direction parameter for a terminal server channel.
Command syntax:
direction {in | out}
Where:
in — The port acts like a passive TCP server, listening at the configured Local TCP port.
out — The port acts like an active TCP client and attempts to connect out to the server specified by the Remote IP and Remote TCP parameters.
Example:
Magnum 10RX(config-ts)# direction out
This command specifies the serial channel under configuration will be in active mode.
Default value: in
The no direction command specifies the default.
Use the show serial-channel channame command to view configured values.
23.2.5 Configure Channel Session Type
Use the session-type command in Terminal Server Configuration mode to set the session type (raw or telnet) for a terminal server channel.
Command syntax:
session-type {raw | telnet}
Where:
raw — provides a transparent pipe for serial data.
telnet — enables basic Telnet negotiation and control character processing (ECHO and BINARY modes supported).
Example:
Magnum 10RX(config-ts)# session-type telnet
This command specifies the serial channel under configuration will use the Telnet session type.
Default value: raw
The no session-type command specifies the default.
Use the show serial-channel channame command to view configured values.
23.2.6 Configure Channel Priority
Use the priority command in Terminal Server Configuration mode to set the priority for a terminal server channel. Each IP packet generated on this port will be assigned a DiffServ Code Point (DSCP) based on the priority set by this parameter.
Command syntax:
priority dscp
Where:
dscp is a numerical value specifying a DiffServ Code Point. This value may be expressed in decimal or in hex.
Example:
Magnum 10RX(config-ts)# priority 0x2E
This command specifies the serial channel under configuration has an expedited forwarding priority.
Default value: 0
The no priority command specifies the default.
Use the show serial-channel channame command to view configured values.
23.2.7 Configure Channel Local IP Address
Use the local-address command in Terminal Server Configuration mode to set the local IP address for a terminal server channel. When the channel direction is set to "IN" and no local-address is specified the channel will accept incoming connections on any of its configured IP addresses. When the channel direction is set to "OUT" and no local-address is specified, when making the outgoing connection the channel will choose the best configured IP address to use automatically.
Command syntax:
local-address xxx.xxx.xxx.xxx
Where:
xxx.xxx.xxx.xxx is a valid local IP address. This is the IP address upon which the server listens for connections when the direction is set to "IN." If the direction is set to "OUT" this is the source IP address of the connection.
Example:
Magnum 10RX(config-ts)# local-address 192.168.1.2
Default value: no local address
The no local-address command specifies the default.
Use the show serial-channel channame command to view configured values.
23.2.8 Configure Channel Local TCP Port
Use the local-tcp command in Terminal Server Configuration mode to set the local TCP port for a terminal server channel. Channels configured with direction "IN" must have a local TCP port specified. Channels configured with direction "OUT" do not require this specification. If it is left unspecified a random port will be chosen by the system.
Command syntax:
local-tcp portnum
Where:
portnum is a numerical value specifying the TCP port number associated with the serial port upon which the server listens for connection requests on a TCP/IP network.
Example:
Magnum 10RX(config-ts)# local-tcp 1492
Valid Range: 1000-65535
Default value: no local TCP port
The no local-tcp command specifies the default.
Use the show serial-channel channame command to view configured values.
NOTE: No two rows in the table may have the same Local IP and Local TCP combination. These combined values must comprise a unique identifier.
23.2.9 Configure Channel Remote IP Address
Use the remote-address command in Terminal Server Configuration mode to set the remote IP address for a terminal server channel.
Command syntax:
remote-address xxx.xxx.xxx.xxx
Where:
xxx.xxx.xxx.xxx is a valid remote IP address. This is the IP address that the client attempts to connect to when the direction is set to "OUT." This parameter is ignored when the channel direction is set to "IN."
Example:
Magnum 10RX(config-ts)# remote-address 192.168.34.34
Default value: no remote-address
The no remote-address command specifies the default.
Use the show serial-channel channame command to view configured values.
23.2.10 Configure Channel Remote TCP Port
Use the remote-tcp command in Terminal Server Configuration mode to set the remote TCP port for a terminal server channel. This is the remote TCP port that the client attempts to connect to when the direction is set to "OUT." This parameter is ignored when the channel direction is set to "IN."
Command syntax:
remote-tcp portnum
Where:
portnum The remote TCP port that the client attempts to connect to when the direction is set to "OUT."
Example:
Magnum 10RX(config-ts)# remote-tcp 1819
Valid Range: 1-65535
Default value: no remote TCP port
The no remote-tcp command specifies the default.
Use the show serial-channel channame command to view configured values.
23.2.11 Configure Channel Maximum Connections
Use the max-conn command in Terminal Server Configuration mode to set the maximum number of connections for a terminal server channel. This is the maximum number of incoming TCP connections to accept for this serial port. This parameter is ignored when the channel direction is set to "OUT."
Command syntax:
max-conn cnctnum
Where:
cnctnum is a numerical value specifying maximum number of incoming TCP connections.
Example:
Magnum 10RX(config-ts)# max-conn 18
Valid Range: 1-32
Default value: 5
The no max-conn command specifies the default.
Use the show serial-channel channame command to view configured values.
23.2.12 Configure Channel Retry Time
Use the retry-time command in Terminal Server Configuration mode to set the retry time for a terminal server channel. This is the number of seconds the client waits for a connection to succeed before timing out and retrying. This parameter is ignored when the channel direction is set to "IN."
Command syntax:
retry-time retrysecs
Where:
retrysecs is a numerical value specifying the number of seconds until retrying the connection.
Example:
Magnum 10RX(config-ts)# retry-time 60
Valid Range: 1-90 seconds
Default value: 30
The no retry-time command specifies the default.
Use the show serial-channel channame command to view configured values.
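The rules spread over Sections 23.1 and 23.2 (one "IN" channel per serial port, a listening channel needs a Local TCP port in 1000-65535, an "OUT" channel needs a remote address and port, no two channels sharing a local TCP port, and the per-parameter ranges) can be checked offline before a configuration is pushed to a router. The following Python script is an added illustration and is not INOS software; the Channel class, its field names and the sample channels are constructed for this example and mirror the CLI parameters one-to-one.

```python
"""Offline check of INOS terminal-server channel definitions against the
rules of Sections 23.1 and 23.2.  Added example, not INOS code: the Channel
class, its field names and the sample channels are constructed here."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Channel:
    name: str                             # serial-channel channame
    serial_port: Optional[str] = None     # serial-port serial slot/port, e.g. "8/1"
    direction: str = "in"                 # direction {in | out}, default in
    session_type: str = "raw"             # session-type {raw | telnet}, default raw
    priority: int = 0                     # priority dscp, default 0
    local_address: Optional[str] = None   # local-address, default none
    local_tcp: Optional[int] = None       # local-tcp, default none
    remote_address: Optional[str] = None  # remote-address, default none
    remote_tcp: Optional[int] = None      # remote-tcp, default none
    max_conn: int = 5                     # max-conn, default 5
    retry_time: int = 30                  # retry-time, default 30


def validate_channel(ch: Channel) -> List[str]:
    """Rules that can be checked on a single channel."""
    errs: List[str] = []
    if not 1 <= len(ch.name) <= 16 or not ch.name.isprintable():
        errs.append(f"{ch.name!r}: channel name must be 1-16 printable characters")
    if ch.direction not in ("in", "out"):
        errs.append(f"{ch.name!r}: direction must be in or out")
    if ch.session_type not in ("raw", "telnet"):
        errs.append(f"{ch.name!r}: session-type must be raw or telnet")
    if not 0 <= ch.priority <= 63:
        errs.append(f"{ch.name!r}: priority (DSCP) must be 0-63")
    if ch.serial_port is None:
        errs.append(f"{ch.name!r}: no serial port assigned")
    for label, addr in (("local-address", ch.local_address),
                        ("remote-address", ch.remote_address)):
        if addr is not None:
            try:
                ipaddress.IPv4Address(addr)
            except ValueError:
                errs.append(f"{ch.name!r}: {label} {addr!r} is not a valid IPv4 address")
    if ch.local_tcp is not None and not 1000 <= ch.local_tcp <= 65535:
        errs.append(f"{ch.name!r}: local-tcp must be 1000-65535")
    if ch.direction == "in":
        # A passive server must have a listening port; max-conn bounds the listener.
        if ch.local_tcp is None:
            errs.append(f"{ch.name!r}: direction in requires a local-tcp port")
        if not 1 <= ch.max_conn <= 32:
            errs.append(f"{ch.name!r}: max-conn must be 1-32")
    elif ch.direction == "out":
        # An active client needs a peer and a retry interval within range.
        if ch.remote_address is None or ch.remote_tcp is None:
            errs.append(f"{ch.name!r}: direction out requires remote-address and remote-tcp")
        if ch.remote_tcp is not None and not 1 <= ch.remote_tcp <= 65535:
            errs.append(f"{ch.name!r}: remote-tcp must be 1-65535")
        if not 1 <= ch.retry_time <= 90:
            errs.append(f"{ch.name!r}: retry-time must be 1-90 seconds")
    return errs


def validate_config(channels: List[Channel]) -> List[str]:
    """Per-channel rules plus the two cross-channel rules of Section 23.2."""
    errs: List[str] = []
    for ch in channels:
        errs.extend(validate_channel(ch))
    # A serial port may back several channels (mixed mode) but only one
    # of them may have direction "in" (Section 23.2.2).
    in_owner: Dict[str, str] = {}
    for ch in channels:
        if ch.direction == "in" and ch.serial_port is not None:
            if ch.serial_port in in_owner:
                errs.append(f"serial port {ch.serial_port}: second 'in' channel "
                            f"{ch.name!r} (already used by {in_owner[ch.serial_port]!r})")
            else:
                in_owner[ch.serial_port] = ch.name
    # The same local TCP port may not be assigned to two channels (Section
    # 23.1.2); this also covers the Local IP + Local TCP note of Section 23.2.8.
    port_owner: Dict[int, str] = {}
    for ch in channels:
        if ch.local_tcp is None:
            continue
        if ch.local_tcp in port_owner:
            errs.append(f"local-tcp {ch.local_tcp}: assigned to both "
                        f"{port_owner[ch.local_tcp]!r} and {ch.name!r}")
        else:
            port_owner[ch.local_tcp] = ch.name
    return errs


def sample_valid() -> List[Channel]:
    """Constructed sample: the Section 23.2 CLI examples combined in mixed mode."""
    return [
        Channel("amadeus", serial_port="8/1", direction="in",
                local_address="192.168.1.2", local_tcp=1492, max_conn=18),
        Channel("nannerl", serial_port="8/1", direction="out",
                remote_address="192.168.34.34", remote_tcp=1819, retry_time=60),
    ]


def sample_invalid() -> List[Channel]:
    """Constructed sample adding two misconfigured channels to sample_valid()."""
    return sample_valid() + [
        Channel("console2", serial_port="8/1", direction="in", local_tcp=1492),
        Channel("dangling", serial_port="8/2", direction="out", retry_time=120),
    ]
```

Running validate_config(sample_invalid()) reports four problems: a second "IN" channel on serial port 8/1, local TCP port 1492 assigned twice, and, for the "dangling" channel, a missing remote peer and a retry time outside 1-90 seconds. Binding an "IN" channel to a specific local address (as amadeus does) rather than leaving it to listen on every configured interface keeps the raw serial pipe reachable only from the intended network.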
23.2.13 Clear a Serial Connection
Use the clear serial connection command in Exec Commands mode to delete an existing terminal server connection. Retrieve the connection ID value with the show serial-connection command in Exec Commands mode.
Command syntax:
clear serial connection connect-id
Where:
connect-id is the system-assigned identification number of the connection to be deleted.
Example:
Magnum 10RX# clear serial connection 1
Use the show serial-connection command to view connection ID values.
23.3 Terminal Server Show Commands
The CLI commands described below enable you to display information about the Terminal Server channels and connections. These commands are executed in Exec Commands mode at the Magnum 10RX# prompt.
23.3.1 Display Serial Channel Information
Use the show serial-channel command in Exec Commands mode to display the configured terminal server channels. If no channel name is supplied all channels are displayed in summary form. For more detailed information specify a channel by name.
Command syntax:
show serial-channel [channel-name]
Where:
channel-name specifies a configured channel to be displayed in detail.
Example:
Magnum 10RX# show serial-channel nannerl
23.3.2 Display Serial Connection Information
Use the show serial-connection command in Exec Commands mode to display terminal server connections. If no connection ID is supplied all connections are displayed in summary form. For more detailed information specify a connection by ID.
Command syntax:
show serial-connection [connection-id]
Where:
connection-id specifies a terminal server connection to be displayed in detail.
Example:
Magnum 10RX# show serial-connection 1
23.4 Terminal Server Configuration in the GUI
You manage the Terminal Server application by creating and configuring terminal server channels. The GUI screens used to accomplish these tasks are described in the following sections.
23.4.1 Configuring a Terminal Server
In the GUI go to the Serial Management: Terminal Server: Terminal Server Configuration to define a terminal server profile, as illustrated in Figure 23-2.
Figure 23-2. Terminal Server Configuration Screen
In the IPv4 Interface Settings screen the upper dialog box enables you to specify an IP address for a previously configured interface. Click the Modify button and this interface information will be displayed along with any other configured interfaces in the lower dialog box, which also enables editing of some previously configured values.
Table 23-1. Terminal Server Configuration Fields
Parameter: Description (See Also)
Select: You must click a selection button before modifying a configuration.
Serial Channel Name: Specify a name of up to 16 printable characters for this Terminal Server channel. (Section 23.2.1)
Port Type: The only valid port type is serial.
Port ID: Specify the ID for this serial port. (Section 23.2.2)
Direction: Set a direction for this channel. Options are: (Section 23.2.4)
• in — The port acts like a passive TCP server, listening at the configured Local TCP port.
• out — The port acts like an active TCP client and attempts to connect out to the server specified by the Remote IP and Remote TCP parameters.
Session Type: Specify a session type for this channel. Options are: (Section 23.2.5)
• raw — provides a transparent pipe for serial data.
• telnet — enables basic Telnet negotiation and control character processing (ECHO and BINARY modes supported).
Priority (DSCP): Specify a DiffServ Code Point. Valid range: 0-63. (Section 23.2.6)
Local IP Address: Specify a valid local IP address. This is the IP address upon which the server listens for connections when the direction is set to "IN." If the direction is set to "OUT" this is the source IP address of the connection. (Section 23.2.7)
Local TCP Port: Specify the TCP port number associated with the serial port upon which the server listens for connection requests on a TCP/IP network. Valid Range: 1000-65535. (Section 23.2.8)
Remote IP Address: Specify a valid remote IP address. This is the IP address that the client attempts to connect to when the direction is set to "OUT." This parameter is ignored when the channel direction is set to "IN." (Section 23.2.9)
Remote TCP Port: Specify the remote TCP port that the client attempts to connect to when the direction is set to "OUT." Valid Range: 1-65535. (Section 23.2.10)
Maximum Connections: Specify the maximum number of incoming TCP connections. Valid Range: 1-32. Default value: 5. (Section 23.2.11)
Retry Time: Specify the number of seconds the client waits for a connection to succeed before timing out and retrying. Valid Range: 1-90 seconds. Default value: 30 seconds. (Section 23.2.12)
23.4.2 Monitoring Terminal Server Connections
In the GUI go to the Serial Management: Terminal Server: Terminal Server Connections tab for a view into the operation of terminal server connections, as illustrated in Figure 23-3.
Figure 23-3. Terminal Server Connections Screen
In the terminal server connections screen you can view identifying and performance information for configured terminal server connections. Click Delete to remove a connection.
Table 23-2. Terminal Server Connections Fields
Parameter: Description (See Also)
Select: You must click a selection button before deleting a configuration.
Connection ID: A unique system-assigned identifier for this connection.
Channel Name: The user-supplied name for this Terminal Server channel. (Section 23.2.1)
Port Type: The only valid port type is serial.
Port ID: The identifier for this serial port. (Section 23.2.6)
Direction: The direction for this channel. Options are: (Section 23.2.4)
• in — The port acts like a passive TCP server, listening at the configured Local TCP port.
• out — The port acts like an active TCP client and attempts to connect out to the server specified by the Remote IP and Remote TCP parameters.
Connection Type: The session type for this channel. Options are: (Section 23.2.5)
• raw — provides a transparent pipe for serial data.
• telnet — enables basic Telnet negotiation and control character processing (ECHO and BINARY modes supported).
Local IP Address: The IP address upon which the server listens for connections when the direction is set to "IN." If the direction is set to "OUT" this is the source IP address of the connection. (Section 23.2.7)
Local TCP Port: The TCP port number associated with the serial port upon which the server listens for connection requests on a TCP/IP network. (Section 23.2.8)
Remote IP Address: The IP address that the client attempts to connect to when the direction is set to "OUT." This parameter is ignored when the channel direction is set to "IN." (Section 23.2.9)
Remote TCP Port: The TCP port that the client attempts to connect to when the direction is set to "OUT." (Section 23.2.10)
Octets Transmitted: The total number of octets transmitted on this connection.
Octets Received: The total number of octets received on this connection.
23.4.3 Monitoring Terminal Server Channels
In the GUI go to the Serial Management: Terminal Server: Terminal Server Channel Status tab for a view into the status of configured terminal server channels, as illustrated in Figure 23-4.
Figure 23-4. Terminal Server Channel Status Screen
In the terminal server channel status screen you can view configuration information for terminal server channels.
Table 23-3. Terminal Server Channel Status Fields
Parameter: Description (See Also)
Channel Name: The user-supplied name for this Terminal Server channel. (Section 23.2.1)
Port Type: The only valid port type is serial.
Port ID: The identifier for this serial port. (Section 23.2.6)
Direction: The direction for this channel. Options are: (Section 23.2.4)
• in — The port acts like a passive TCP server, listening at the configured Local TCP port.
• out — The port acts like an active TCP client and attempts to connect out to the server specified by the Remote IP and Remote TCP parameters.
Session Type: The session type for this channel. Options are: (Section 23.2.5)
• raw — provides a transparent pipe for serial data.
• telnet — enables basic Telnet negotiation and control character processing (ECHO and BINARY modes supported).
Local IP Address: The IP address upon which the server listens for connections when the direction is set to "IN." If the direction is set to "OUT" this is the source IP address of the connection. (Section 23.2.7)
Local TCP Port: The TCP port number associated with the serial port upon which the server listens for connection requests on a TCP/IP network. (Section 23.2.8)
Remote IP Address: The IP address that the client attempts to connect to when the direction is set to "OUT." This parameter is ignored when the channel direction is set to "IN." (Section 23.2.9)
Remote TCP Port: The TCP port that the client attempts to connect to when the direction is set to "OUT." (Section 23.2.10)
Channel State: The state of the channel. This field may display one of the following values:
• Stopped — The channel is disabled because the associated serial port is disabled or down.
• Listening — The channel is acting as a passive server and is waiting for incoming connection requests.
• Refusing — The channel is acting as a passive server and is actively refusing new connections because it has reached the maximum number of connections for the channel.
• Waiting — The channel is acting as an active client and is waiting for the re-try timer to expire. After the timer expires the channel will attempt again to establish the configured connection.
• Connecting — The channel is acting as an active client, has issued a connection request to the configured remote host, and is waiting for a response.
• Connected — The channel is acting as an active client and a connection has been established.
• Handshaking — The channel is associated with a secure serial port and is currently attempting an SSL handshake with the remote host.
Connections: The total number of connections configured on this channel.
Chapter 24 QoS
Quality of Service (QoS) is a term applied to a variety of technologies for managing network traffic so as to enhance performance, to reduce congestion, and to share resources among devices, users, and applications. A central QoS technique is the assignment of priorities to specific segments of network traffic.
INOS leverages a number of industry-standard technologies to provide administrative control of network traffic. These technologies are summarized in Table 24-1.
24.1 Ethernet QoS Handling
The flow charts contained in Figure 24-1 and Figure 24-2 illustrate the Ethernet QoS handling of received packets in layer 2.
Table 24-1. QoS Resources
Technology [Interface or Port Type served]: Description
Class of Service (CoS) [Ethernet]: Class of Service (CoS) refers to the eight-level priority field optionally present in an Ethernet header as specified by the IEEE 802.1p standard. Through global user configuration each CoS value can be mapped to one of the eight WFQ levels on an Ethernet port.
Differentiated Services Code Point (DSCP) [IP]: The Differentiated Services Code Point (DSCP) is a 6-bit field present in all IP packet headers as specified by RFC 2474. Through global user configuration each DSCP can be mapped to one of the eight WFQ levels on Ethernet ports. On PPP interfaces a DSCP can be mapped to a WFQ level or an SPQ through a QoS profile.
Weighted Fair Queue (WFQ) [Ethernet, PPP]: An eight-level weighted fair queue (WFQ) is implemented on each Ethernet port and also optionally on PPP interfaces. When a packet is ready to egress one of these ports, it is placed in one of the eight queues depending on the packet's classification. For Ethernet, packets are classified based on CoS or DSCP. For PPP, packets are classified based on DSCP. The relative weights of the eight queues are fixed at 128-64-32-16-8-4-2-1.
Strict Priority Queue (SPQ) [PPP]: An optional four-level strict priority queue (SPQ) is implemented on PPP interfaces. IP packets marked with certain configurable DSCPs are placed in the SPQ and will be transmitted before lower priority packets. The SPQ also implements a configurable minimum guaranteed rate parameter that can reserve bandwidth for the queue while also preventing the starvation of lower priority traffic.
Figure 24-1. QoS Trust Mode Flow: CoS or DSCP
[Flowchart: Packet Received; check configured qos trust for receive interface. Trust cos: CoS Tagged? Y: use qos output cos-map queue for queue assignment; N: use switchport priority default for queue assignment. Trust dscp: IP? Y: use qos output dscp-map queue for queue assignment; N: use switchport priority default for queue assignment.]
Figure 24-2. QoS Trust Mode Flow: None or Both
[Flowchart: Packet Received; check configured qos trust for receive interface. no qos trust: use switchport priority default for queue assignment. Trust both: CoS Tagged? Y: use qos output cos-map queue for queue assignment; N: IP? Y: use qos output dscp-map queue for queue assignment; N: use switchport priority default for queue assignment.]
24.2 IP Interface DSCP Marking
When a packet is received on an IP interface its source address, destination address, protocol type, source port, and destination port are compared against Access Control Lists (ACLs) configured with the ip qos mark dscp command for that interface. If a match is found the packet is marked with the mapped DSCP value and then passed along to the IP stack for further processing. This marking always overrides any DSCP value in the matching packet.
For example, the following commands displayed in Figure 24-3 would mark all TCP port 10023 traffic destined for 192.168.1.5 with the expedited forwarding DSCP:
Figure 24-3. DSCP Marking
Magnum 10RX(config)# access-list mark1 extended permit tcp any host 192.168.1.5 eq 10023
Magnum 10RX(config)# ip qos mark dscp 46 match access-list mark1
For more on access lists see Section 17.1.3.
Notes:
• DSCP marking only applies to IP traffic that is being forwarded by the IP stack in software. DSCP marking of Ethernet packets switched by the hardware at layer 2 is not yet supported.
• Only matches based on IP address, subnet mask, and TCP/UDP port are currently supported when configuring DSCP marking.
24.3 PPP Output Queues
When a packet is to be transmitted on a PPP interface, it may be priority queued depending on the output queue policy that is assigned to the interface. Queue policies are created using the ip qos policy command in Global Configuration mode. Execution of the ip qos policy command enables definition of multiple policies and enters the QoS Policy Configuration mode, signaled by the Magnum 10RX(config-qos-policy)# prompt. In this mode you can specify policies to be assigned to multiple PPP interfaces.
• If strict priority queuing is enabled using the strict-queue command any packet with a mapped DSCP will be placed in that queue and handled with strict priority over the other queues. DSCPs are mapped to the strict priority queue using the match dscp command in the Strict Queue Configuration mode. Strict priority queues are numbered 3-0 with queue 3 being the highest priority queue.
• If the strict priority guaranteed rate is set using the rate command, packets in the strict queue will be guaranteed at least the amount of bandwidth specified. If traffic in the queue exceeds the specified rate, a policing function is allowed to drop some of the excess packets in order to prevent lower priority traffic from being starved. However, the rate is not a hard maximum on the amount of bandwidth available to that queue. If the lower priority queues are empty, the higher priority queue can use all of the link's bandwidth. If a strict queue becomes full new packets will tail drop.
• If weighted fair queuing is enabled using the weighted-fair-queue command, any packet with a mapped DSCP will be placed in the appropriate weighted output queue level. DSCPs are mapped to the weighted fair queue level using the match dscp command in the Weighted Fair Queue Configuration mode. Weighted fair queue levels are 7-0 with a fixed weighting of 128-64-32-16-8-4-2-1, respectively.
The weighted fair queue is always treated as a lower priority queue than the strict priority queues.
The following diagram illustrates the priority queuing model as it is implemented at the PPP interface:
Figure 24-4. General PPP Queuing Model
In the model illustrated in Figure 24-4 a queue mapping decision is made based on whether strict priority queuing or weighted fair queueing is enabled and also on what DSCP to queue mappings have been configured.
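The queuing model of Section 24.3 (strict priority queues 3-0 served before the eight-level weighted fair queue with fixed weights 128 down to 1) can be made concrete with a small scheduler simulation. The following Python script is an added illustration and is not INOS code: the QosPolicy and PppInterface classes, their method names, the proportional-share scheduler used for the WFQ, the DSCP 46 and DSCP 10 mappings, the packet labels and the rule that unmapped DSCPs fall to WFQ level 0 are all constructions of this example (the guide does not state where unmapped PPP traffic is queued), and the strict-queue guaranteed rate of the rate command is not modelled.

```python
"""Simulation of the PPP output queuing model of Section 24.3.  Added example,
not INOS code: classes, method names, the WFQ scheduler, the sample mappings
and the level-0 default for unmapped DSCPs are constructed for illustration;
the strict-queue guaranteed rate (rate command) is not modelled."""
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple

# Fixed WFQ weights: level 7 = 128 ... level 0 = 1 (Section 24.3).
WFQ_WEIGHTS = {level: 1 << level for level in range(8)}


class QosPolicy:
    """Mirror of an 'ip qos policy': optional strict queues (3 highest) and WFQ."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.strict_enabled = False           # strict-queue
        self.wfq_enabled = False              # weighted-fair-queue
        self.strict_map: Dict[int, int] = {}  # match dscp in Strict Queue mode
        self.wfq_map: Dict[int, int] = {}     # match dscp in WFQ mode

    def strict_queue(self) -> "QosPolicy":
        self.strict_enabled = True
        return self

    def weighted_fair_queue(self) -> "QosPolicy":
        self.wfq_enabled = True
        return self

    def match_dscp_strict(self, dscp: int, queue: int) -> None:
        if not (0 <= dscp <= 63 and 0 <= queue <= 3):
            raise ValueError("DSCP must be 0-63, strict queue 0-3")
        self.strict_map[dscp] = queue

    def match_dscp_wfq(self, dscp: int, level: int) -> None:
        if not (0 <= dscp <= 63 and 0 <= level <= 7):
            raise ValueError("DSCP must be 0-63, WFQ level 0-7")
        self.wfq_map[dscp] = level

    def classify(self, dscp: int) -> Tuple[str, int]:
        """A strict mapping wins, then a WFQ mapping; unmapped traffic goes to
        WFQ level 0 (assumption of this example, not stated by the guide)."""
        if self.strict_enabled and dscp in self.strict_map:
            return ("spq", self.strict_map[dscp])
        if self.wfq_enabled and dscp in self.wfq_map:
            return ("wfq", self.wfq_map[dscp])
        return ("wfq", 0)


class PppInterface:
    """Output queues of one PPP interface with a policy applied."""

    def __init__(self, policy: QosPolicy) -> None:
        self.policy = policy
        self.spq: Dict[int, Deque[str]] = {q: deque() for q in range(4)}
        self.wfq: Dict[int, Deque[str]] = {lv: deque() for lv in range(8)}
        self.served: Dict[int, int] = {lv: 0 for lv in range(8)}  # WFQ service count

    def enqueue(self, packet: str, dscp: int) -> Tuple[str, int]:
        kind, idx = self.policy.classify(dscp)
        (self.spq if kind == "spq" else self.wfq)[idx].append(packet)
        return (kind, idx)

    def dequeue(self) -> Optional[str]:
        # Strict queues are always drained first, queue 3 before queue 0.
        for q in (3, 2, 1, 0):
            if self.spq[q]:
                return self.spq[q].popleft()
        # WFQ: serve the non-empty level that has had the least service
        # relative to its weight, so long-run shares follow 128:64:...:1.
        ready = [lv for lv in range(8) if self.wfq[lv]]
        if not ready:
            return None
        level = min(ready, key=lambda lv: (self.served[lv] / WFQ_WEIGHTS[lv], -lv))
        self.served[level] += 1
        return self.wfq[level].popleft()

    def drain(self, count: int) -> List[str]:
        out: List[str] = []
        for _ in range(count):
            pkt = self.dequeue()
            if pkt is None:
                break
            out.append(pkt)
        return out


def demo() -> List[str]:
    """Constructed traffic: DSCP 46 in strict queue 3, DSCP 25 at WFQ level 5
    (the Section 24.4.3.3 example) and DSCP 10 at WFQ level 1."""
    policy = QosPolicy("p1").strict_queue().weighted_fair_queue()
    policy.match_dscp_strict(46, 3)
    policy.match_dscp_wfq(25, 5)
    policy.match_dscp_wfq(10, 1)
    ppp = PppInterface(policy)
    for i in range(64):
        ppp.enqueue(f"l5-{i}", 25)
        ppp.enqueue(f"l1-{i}", 10)
    ppp.enqueue("ef-0", 46)
    ppp.enqueue("ef-1", 46)
    return ppp.drain(36)
```

In demo() the two strict-queue packets leave first even though they were enqueued last, and of the next 34 packets 32 come from level 5 and 2 from level 1, the 16:1 ratio of weights 32 and 2. Without the guaranteed-rate policing of the rate command, a strict queue that is kept permanently full would starve the WFQ entirely, which is why the rate setting matters on links carrying control traffic next to bulk traffic.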
24.4 Configuring QoS in the CLI
INOS QoS features can be configured from several different configuration modes, as detailed below.
24.4.1 Global Configuration Commands
The following commands are executed in Global Configuration mode.
24.4.1.1 Enabling and Disabling QoS
Use the set qos command in Global Configuration mode to enable QoS in the system.
Command syntax:
set qos {enable | disable}
Example:
Magnum 10RX(config)# set qos enable
Default value: disabled
24.4.1.2 Mapping a DSCP Output Queue
Use the qos output dscp-map command in Global Configuration mode to create a global mapping between a trusted DSCP and an output queue level.
Command syntax:
qos output dscp-map {dvalue qlevel}
Where:
dvalue specifies the DSCP to map to the queue level specified by qlevel.
qlevel specifies the level of the output queue.
Example:
Magnum 10RX(config)# qos output dscp-map 50 5
This command specifies that a DSCP of 50 will map to an output queue level 5.
Valid ranges:
DSCP — 0-63
Queue level — 0-7
Default value: every DSCP value maps to level 1.
24.4.1.3 Mapping a CoS Output Queue
Use the qos output cos-map command in the Global Configuration mode to create a global mapping between a trusted CoS and an output queue level for Ethernet ports only.
Command syntax:
qos output cos-map cos qlevel
Where:
cos specifies the CoS value to map to the queue level specified by qlevel.
qlevel specifies the level of the output queue.
Example:
Magnum 10RX(config)# qos output cos-map 0 2
This command specifies that a CoS value of 0 will map to an output queue level 2.
Valid ranges:
Queue level — 0-7
CoS — 0-7
Default value:
The default mapping is:
0 — 0
1 — 1
2 — 2
3 — 3
4 — 4
5 — 5
6 — 6
7 — 7
24.4.2 Ethernet Interface Configuration Commands
The following commands can be executed after you have accessed Interface Configuration mode for Ethernet interfaces as described in Section 4.0.2.1.
24.4.2.1 Configuring QoS Trust
Use the qos trust command in Interface Configuration mode to set the trust mode of a specified Ethernet port. See Figure 24-1 and Figure 24-2 for the effect the trust mode has on tag processing.
Command syntax:
qos trust {cos | dscp | both}
Where:
cos specifies the use of the CoS field (if it exists) to determine packet priority.
dscp specifies the use of the DSCP field to determine packet priority.
both specifies the use of the CoS field (if it exists). Otherwise use the DSCP field.
Example:
Magnum 10RX(config-if)# qos trust cos
This command specifies that the Class of Service (CoS) field will be used to determine packet priority.
Default value: untrusted
The no qos trust command specifies the “untrusted” value.
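The queue-assignment decision of Figures 24-1 and 24-2, driven by the global qos output cos-map and qos output dscp-map tables (Sections 24.4.1.2 and 24.4.1.3) and the per-port qos trust setting, is small enough to model end to end. The following Python script is an added illustration and is not INOS code: the Frame, PortQos and EthernetQos names are constructed, and the handling of the port default CoS (looked up through the CoS map, which is the identity map by default) is an assumption of this example.

```python
"""Model of the layer-2 queue assignment of Figures 24-1 and 24-2 with the
qos output cos-map / dscp-map and qos trust commands.  Added example, not
INOS code: class and method names are constructed, and resolving the port
default CoS through the CoS map is an assumption of this example."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Frame:
    cos: Optional[int] = None   # 802.1p priority when the frame is tagged, else None
    dscp: Optional[int] = None  # DSCP when the frame carries an IP packet, else None


@dataclass
class PortQos:
    trust: Optional[str] = None  # qos trust {cos | dscp | both}; None = untrusted (default)
    cos_default: int = 0         # qos cos default (0-7)


class EthernetQos:
    """Global CoS and DSCP maps plus the per-port decision of the figures."""

    def __init__(self) -> None:
        self.cos_map: Dict[int, int] = {c: c for c in range(8)}    # default: identity
        self.dscp_map: Dict[int, int] = {d: 1 for d in range(64)}  # default: level 1

    def output_cos_map(self, cos: int, qlevel: int) -> None:
        if not (0 <= cos <= 7 and 0 <= qlevel <= 7):
            raise ValueError("CoS must be 0-7 and queue level 0-7")
        self.cos_map[cos] = qlevel

    def output_dscp_map(self, dscp: int, qlevel: int) -> None:
        if not (0 <= dscp <= 63 and 0 <= qlevel <= 7):
            raise ValueError("DSCP must be 0-63 and queue level 0-7")
        self.dscp_map[dscp] = qlevel

    def _port_default(self, port: PortQos) -> int:
        # Assumption: the port default CoS is looked up in the CoS map, so with
        # the default identity map the queue level equals the default CoS value.
        return self.cos_map[port.cos_default]

    def queue_for(self, port: PortQos, frame: Frame) -> int:
        """Return the output queue level (0-7) chosen for a received frame."""
        if port.trust == "cos":                        # Figure 24-1, cos branch
            if frame.cos is not None:
                return self.cos_map[frame.cos]
            return self._port_default(port)
        if port.trust == "dscp":                       # Figure 24-1, dscp branch
            if frame.dscp is not None:
                return self.dscp_map[frame.dscp]
            return self._port_default(port)
        if port.trust == "both":                       # Figure 24-2, both branch
            if frame.cos is not None:
                return self.cos_map[frame.cos]
            if frame.dscp is not None:
                return self.dscp_map[frame.dscp]
        # Untrusted (the default): markings carried by the frame are ignored.
        return self._port_default(port)


def demo() -> Dict[str, int]:
    """Constructed frames and ports showing each branch of the two figures."""
    qos = EthernetQos()
    qos.output_dscp_map(46, 7)   # qos output dscp-map 46 7
    qos.output_cos_map(0, 2)     # qos output cos-map 0 2
    tagged_ip = Frame(cos=5, dscp=46)
    return {
        "trust cos": qos.queue_for(PortQos(trust="cos"), tagged_ip),
        "trust dscp": qos.queue_for(PortQos(trust="dscp"), tagged_ip),
        "trust both, untagged IP": qos.queue_for(PortQos(trust="both"), Frame(dscp=46)),
        "untrusted": qos.queue_for(PortQos(), tagged_ip),
        "trust dscp, non-IP": qos.queue_for(PortQos(trust="dscp", cos_default=3), Frame(cos=4)),
    }
```

The untrusted default is the safe one for ports facing end devices: a host on such a port cannot promote its own traffic into a high queue by tagging it, because its CoS and DSCP values are ignored and the port default CoS decides. Trust cos, dscp or both only on ports facing infrastructure that you control and that re-marks traffic at its own edge.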
24.4.2.2 Configuring CoS Default
Use the qos cos default command in Interface Configuration mode to specify the default CoS for a port. The default CoS is used if no CoS is specified in the packet itself.
Command syntax:
qos cos default defnum
Where:
defnum is a numerical value specifying the default priority value of this port.
Example:
Magnum 10RX(config-if)# qos cos default 5
Valid range: 0-7
Default value: 0
The no qos cos default command specifies the default value (0).
24.4.3 Queuing Policy Configuration Commands
The following commands are used to configure queue policies that can be assigned to IP interfaces. In Release 2.0, IP queuing policies can only be assigned to PPP interfaces.
24.4.3.1 Specify a Queueing Policy
Use the ip qos policy command in Global Configuration mode to name and configure a queuing policy and to enter the Qos Policy Configuration mode, signaled by the Magnum 10RX(config-qos-policy)# prompt.
Command syntax:
Magnum 10RX(config)# ip qos policy pol_name
Where:
pol_name is a user-supplied string of printable characters naming the policy.
Example:
Magnum 10RX(config)# ip qos policy p1
Magnum 10RX(config-qos-policy)#
This command specifies a queuing policy named p1 and enters QoS Policy Configuration mode for the purpose of configuring that policy.
The no ip qos policy pol_name command deletes the policy specified by pol_name.
24.4.3.2 Specify Weighted Fair Queueing
Use the weighted-fair-queue command in QoS Policy Configuration mode to enable weighted fair queuing on a PPP interface and to enter the QoS Policy Weighted-Fair-Queueing Configuration mode, signaled by the Magnum 10RX(config-qos-policy-wfq)# prompt. See Section 24.3 for information on the implementation of weighted fair queuing.
Command syntax:
weighted-fair-queue
Example:
Magnum 10RX(config-qos-policy)# weighted-fair-queue
Magnum 10RX(config-qos-policy-wfq)#
Default: weighted fair queueing is disabled.
The no weighted-fair-queue command, entered in QoS Policy Configuration mode, disables weighted fair queueing.
24.4.3.3 Specify a DSCP-WFQ Match
Use the match dscp command in QoS Policy Weighted-Fair-Queueing Configuration mode to map a DSCP to a particular weighted fair queue level.
Command syntax:
match dscp {dvalue qlevel}
Where:
dvalue specifies the DSCP to map to the queue level specified by qlevel.
qlevel specifies the level of the output queue.
Example:
Magnum 10RX(config-qos-policy-wfq)# match dscp 25 5
This command specifies that a DSCP of 25 will map to an output queue level 5.
Default value: no DSCPs are mapped to the weighted fair queue.
Valid ranges:
DSCP — 0-63
queue level — 0-7, where 7 is the highest level and therefore the most heavily weighted. Weights increase by a factor of 2 for each level with a relative weight of 1 for level 0 and a relative weight of 128 for level 7.
The no match dscp {dvalue qlevel} command removes the specified mapping.
24.4.4 Specify Strict Queueing
Use the strict-queue command in QoS Policy Configuration mode to enable a strict high priority queue on a PPP interface and to enter QoS Policy Strict-Queueing Configuration mode, signaled by the Magnum 10RX(config-qos-policy-spq)# prompt. See Section 24.3 for information on the implementation of strict priority queuing.
Command syntax:
strict-queue priority
Where:
priority is a numerical value specifying the priority associated with this interface.
Example:
Magnum 10RX(config-qos-policy)# strict-queue 2
Magnum 10RX(config-qos-policy-spq)#
The no strict-queue command, entered in QoS Policy Configuration mode, disables strict queuing.
Default: the strict high priority queue is disabled.
Valid range: 0-3, where 0 is the lowest priority and 3 is the highest priority.
24.4.4.1 Specify a DSCP-SPQ Match
Use the match dscp command in QoS Policy Strict-Queueing Configuration mode to map a DSCP to the strict priority queue previously associated with this policy with the strict-queue command.
Command syntax:
match dscp dvalue
Where:
dvalue specifies the DSCP to map to the strict queue configured for this interface.
Example:
Magnum 10RX(config-qos-policy-spq)# match dscp 21
This command specifies that a DSCP of 21 will map to the strict queue configured for this interface.
Default value: no DSCPs are mapped to the strict priority queue.
Valid ranges:
DSCP — 0-63
24.4.4.2 Control the Available Bandwidth on the Strict Queue
Use the rate command in QoS Policy Strict-Queueing Configuration mode to limit the bandwidth that the strict queue may consume. The strict queue is always served before the weighted fair queues, so without a limit a burst of traffic carrying a DSCP mapped to the strict queue takes the whole link and starves every lower-priority queue. The limit, also called a policer, is expressed in kilobits per second. For details see Section 24.3.
Command syntax:
rate kbps
Where:
kbps specifies the maximum bandwidth, in kilobits per second, that this strict queue may use.
Example:
Magnum 10RX(config-qos-policy-spq)# rate 1000
This command limits the strict queue to 1000 kbps; the rest of the link bandwidth remains available to the other queues.
Valid range: 1-24000
Default value: the policer is disabled and the strict queue may use all available bandwidth on the link. This is typically not desirable, since lower-priority traffic can be starved if the link is overloaded.
The no rate command disables a configured policer.
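The following is an added example in Python, not INOS code, that models the scheduler described in Sections 24.4.3.3 and 24.4.4.2: one strict priority queue, optionally bounded by a rate policer, ahead of weighted fair queues whose weights double per level (1 at level 0 up to 128 at level 7). It computes the bandwidth each queue obtains when all of them are offered load at once, so you can see starvation with the policer disabled and the weighted split with it enabled. The water-filling step (a queue that offers less than its weighted share keeps only what it offers and the remainder is redistributed) and the scenario's offered loads are assumptions, not behaviour documented on the page.

```python
"""Bandwidth allocation model for a strict queue plus weighted fair queues.

Added example, not INOS code. Water-filling between fair queues and the
traffic mix in policy_queues() are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

WFQ_WEIGHT = {level: 1 << level for level in range(8)}   # level 0 -> 1, ..., level 7 -> 128


@dataclass
class Queue:
    name: str
    offered_kbps: float                 # traffic arriving for this queue
    weight: float = 0.0                 # WFQ weight; unused for the strict queue
    strict: bool = False
    rate_kbps: Optional[float] = None   # 'rate' policer on the strict queue; None = unpoliced


def allocate(link_kbps: float, queues: List[Queue]) -> Dict[str, float]:
    """Return kbps granted to each queue when every queue is backlogged at once."""
    granted: Dict[str, float] = {}
    remaining = float(link_kbps)
    # The strict queue is always served first; only the policer bounds it.
    for q in queues:
        if q.strict:
            cap = remaining if q.rate_kbps is None else min(q.rate_kbps, remaining)
            granted[q.name] = min(q.offered_kbps, cap)
            remaining -= granted[q.name]
    # Weighted max-min (water-filling) over the fair queues for whatever is left.
    pending = [q for q in queues if not q.strict]
    while pending and remaining > 1e-9:
        total_weight = sum(q.weight for q in pending)
        satisfied = [q for q in pending if q.offered_kbps <= remaining * q.weight / total_weight]
        if not satisfied:                       # everyone is backlogged: split by weight
            for q in pending:
                granted[q.name] = remaining * q.weight / total_weight
            remaining, pending = 0.0, []
            break
        for q in satisfied:                     # give these their demand, redistribute the rest
            granted[q.name] = q.offered_kbps
            remaining -= q.offered_kbps
            pending.remove(q)
    for q in pending:                           # link exhausted before these were served
        granted[q.name] = 0.0
    return granted


def policy_queues(strict_rate_kbps: Optional[float]) -> List[Queue]:
    """Constructed scenario: a 5 Mbps flood aimed at the strict queue plus three fair queues."""
    return [
        Queue("strict", offered_kbps=5000, strict=True, rate_kbps=strict_rate_kbps),
        Queue("wfq5", offered_kbps=1500, weight=WFQ_WEIGHT[5]),
        Queue("wfq1", offered_kbps=800, weight=WFQ_WEIGHT[1]),
        Queue("wfq0", offered_kbps=1000, weight=WFQ_WEIGHT[0]),
    ]


if __name__ == "__main__":
    for rate in (None, 1000):
        print(f"rate={rate}: {allocate(3000, policy_queues(rate))}")
```

On a 3000 kbps link the unpoliced strict queue absorbs all 3000 kbps and the fair queues get nothing; with rate 1000 the strict queue is held to 1000 kbps, the level 5 queue receives its full 1500 kbps, and the remaining 500 kbps is split 2:1 between levels 1 and 0.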
24.4.5 IP Configuration Commands
For Release 2.0, the following command applies only to PPP interfaces.
24.4.5.1 Map a Queueing Policy to a PPP Interface
Use the ip qos output queue policy command in PPP Interface Configuration mode to map an IP queuing policy to a PPP interface.
Command syntax:
ip qos output queue policy pol_name
Where:
pol_name is the name of the queueing policy to be mapped to the PPP interface under configuration.
Example:
Magnum 10RX(config-ppp)# ip qos output queue policy p1
Default value: no assigned policy.
Use the no ip qos output queue policy command to remove the policy mapping.
24.4.6 Global IP Configuration Commands
For Release 2.0, the following command applies only to packets forwarded by the IP stack in software.
24.4.6.1 Map an ACL to a DSCP
Use the ip qos mark dscp command in Global Configuration mode to map an access control list (ACL) to a DSCP. If a packet is received on an interface and it matches the ACL the packet will be marked with the mapped DSCP.
NOTE: Only the protocol type, source address, source port, destination address, and destination port are supported when using the ip qos mark dscp command to assign an ACL.
Command syntax:
ip qos mark dscp dval match address acl
Where:
dval is a numerical value specifying the DSCP to be mapped.
acl is the name of the access control list to be mapped to dval.
Example:
Magnum 10RX(config)# ip qos mark dscp 21 match address mfglist
This command specifies that a received packet matching the ACL mfglist is marked with DSCP 21.
Valid range (DSCP): 0-63
Default value: no DSCP marking is enabled.
The no ip qos mark dscp dval command disables marking for that DSCP.
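The following is an added example in Python, not INOS code, showing the marking step this command describes: an ACL entry carries exactly the five fields the NOTE above lists, the first rule whose ACL matches a packet rewrites its DSCP, and the IPv4 header checksum is recomputed so the marked packet stays valid. Marking on the router in this way means the end hosts' own DSCP values need not be trusted (compare qos trust in Section 24.4.2.1). First-match ordering between rules, preservation of the ECN bits, and the contents of the ACL are assumptions; the ACL name mfglist is the page's example, its entry and the sample packets are constructed here.

```python
"""ACL-to-DSCP marking modelled after ip qos mark dscp.

Added example, not INOS code. Assumptions: first matching rule wins, ECN bits are
preserved, and the mfglist contents are invented for illustration.
"""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}


def five_tuple(packet: bytes) -> Tuple[int, str, Optional[int], str, Optional[int]]:
    """(protocol, source, source port, destination, destination port) of an IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    frag_offset = struct.unpack_from("!H", packet, 6)[0] & 0x1FFF
    src = str(ip_address(packet[12:16]))
    dst = str(ip_address(packet[16:20]))
    sport = dport = None
    # Ports exist only in the first fragment of TCP/UDP; later fragments match no port.
    if proto in (6, 17) and frag_offset == 0 and len(packet) >= ihl + 4:
        sport, dport = struct.unpack_from("!HH", packet, ihl)
    return proto, src, sport, dst, dport


@dataclass(frozen=True)
class AclEntry:
    """One ACL line with the five supported fields; None (or 0.0.0.0/0) means any."""
    proto: Optional[str] = None
    src: str = "0.0.0.0/0"
    sport: Optional[int] = None
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, packet: bytes) -> bool:
        proto, src, sport, dst, dport = five_tuple(packet)
        return ((self.proto is None or PROTO_NUMBERS[self.proto] == proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.sport is None or self.sport == sport)
                and (self.dport is None or self.dport == dport))


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; the caller zeroes the checksum field first.
    Over a header that already carries a correct checksum the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mark_dscp(packet: bytes, dscp: int) -> bytes:
    """Rewrite the DSCP bits, keep the ECN bits, recompute the header checksum."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0-63")
    ihl = (packet[0] & 0x0F) * 4
    header = bytearray(packet[:ihl])
    header[1] = (dscp << 2) | (header[1] & 0x03)
    header[10:12] = b"\x00\x00"
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header) + packet[ihl:]


def classify(packet: bytes, rules: List[Tuple[int, List[AclEntry]]]) -> Tuple[bytes, Optional[int]]:
    """rules: ordered (dscp, acl) pairs; the first ACL that matches marks the packet."""
    for dscp, acl in rules:
        if any(entry.matches(packet) for entry in acl):
            return mark_dscp(packet, dscp), dscp
    return packet, None


def build_ipv4(proto: str, src: str, dst: str, sport: Optional[int] = None,
               dport: Optional[int] = None, dscp: int = 0) -> bytes:
    """Constructed sample packet: minimal IPv4 header plus a TCP/UDP port pair or four zero bytes."""
    payload = struct.pack("!HH", sport, dport) if sport is not None else b"\x00" * 4
    header = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(payload), 1, 0x4000,
                                   64, PROTO_NUMBERS[proto], 0,
                                   ip_address(src).packed, ip_address(dst).packed))
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header) + payload


# Hypothetical contents for the page's ACL "mfglist": Modbus/TCP from the plant network to one PLC.
MFGLIST = [AclEntry(proto="tcp", src="10.1.0.0/16", dst="10.2.0.20/32", dport=502)]
RULES = [(21, MFGLIST)]       # corresponds to: ip qos mark dscp 21 match address mfglist
```

A Modbus/TCP packet from 10.1.5.7 to 10.2.0.20 port 502 is marked with DSCP 21 and its checksum verifies afterwards; a UDP packet to the same destination matches no entry and passes through unchanged.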
24.4.7 Show Commands
The following command is executed in the Exec Commands mode.
24.4.7.1 Displaying Configured QoS Interfaces
Use the show ip qos interface command to display packet counters for the different queues that have been configured on the interface. This command only applies to PPP interfaces for Release 2.0.
Command syntax:
show ip qos interface ppp ppp-id
Where:
ppp-id is the configured identifier of a PPP interface.
Example:
Magnum 10RX# show ip qos interface ppp 5
Example output:
Strict Queue Priority 1
Sent 164 packets, 1296 bytes
Best Effort Queue
Sent 47643 packets, 937627 bytes
Weighted Fair Queue Level 1
Sent 10 packets, 924 bytes
Weighted Fair Queue Level 3
Sent 6524 packets, 1746776 bytes
24.5 Configuring QoS in the GUI
INOS QoS features can be configured from several different configuration modes, as detailed below.
24.5.1 Enabling and Disabling QoS
In the GUI go to the Layer 2: Manager: QOS: Global Settings tab to enable or disable QoS functionality in the system, as illustrated in Figure 24-5.
Figure 24-5. QoS Global Configuration Screen
In the QoS Global Configuration screen choose Enabled or Disabled status to set QoS status for the system and click the Apply button to apply your choice.
Table 24-2. QoS Global Configuration Fields
Enable: Enables QoS in the system. See also Section 24.4.1.1.
Disable: Disables QoS in the system.
24.5.2 Configuring QoS Port Settings
In the GUI go to the Layer 2: Manager: QOS: Port Settings tab to configure default CoS, trust mode, and DSCP mutation for specific ports, as illustrated in Figure 24-6.
Figure 24-6. QoS Port Settings Screen
In the QoS Port Settings screen set QoS values specific to individual ports and click the Apply button to apply your choices.
Table 24-3. Port Settings Fields
Select: You must click a selection button before modifying a configuration.
Port: A list of ports available for configuration.
Default CoS: The default CoS is used if no CoS is specified in the packet itself. Default value: 0. See also Section 24.4.2.2.
Trust Mode: Specify the QoS trust mode for this port. Options are:
• Untrusted — switchport priority default will be used.
• Trust L2 CoS — specifies the use of the CoS field (if it exists) to determine packet priority.
• Trust L3 DSCP — specifies the use of the DSCP field to determine packet priority.
• Trust Both — specifies the use of the CoS field (if it exists). Otherwise use the DSCP field.
Default value: Untrusted. See also Section 24.4.2.1, Figure 24-1 and Figure 24-2.
24.5.3 Configuring a CoS Queue Map
In the GUI go to the Layer 2: Manager: QOS: CoS Queue Map tab to create a global mapping between a trusted CoS and an output queue level, as illustrated in Figure 24-7.
Figure 24-7. CoS Queue Map Configuration Screen
In the QoS Queue Map Configuration screen create a global mapping between a trusted CoS and an output queue level for Ethernet ports only. Click the Apply button for your choices to take effect.
Table 24-4. CoS Queue Map Configuration Fields
Select: You must click a selection button before modifying a configuration.
CoS: A CoS value. (The values in this column are not configurable.)
Queue: An output queue level that maps to the CoS value in this row. Valid range: 0-7. Default mapping: each CoS value maps to the queue level of the same number (0 to 0, 1 to 1, 2 to 2, 3 to 3, 4 to 4, 5 to 5, 6 to 6, 7 to 7). See also Section 24.4.1.3, Figure 24-1 and Figure 24-2.
24.5.4 Configuring a DSCP Queue Map
In the GUI go to the Layer 2: Manager: QOS: DSCP Queue Map tab to create a global mapping between a trusted DSCP and an output queue level, as illustrated in Figure 24-8.
Figure 24-8. DSCP Queue Map Configuration Screen
In the DSCP Queue Map screen create a global mapping between a trusted DSCP and an output queue level. Click the Apply button for your choices to take effect. Note that with the default map every DSCP value lands in queue level 1, so trusting DSCP on a port has no prioritizing effect until this map is edited.
Table 24-5. DSCP Queue Map Configuration Fields
Select: You must click a selection button before modifying a configuration.
DSCP: A DSCP value. (The values in this column are not configurable.) Valid range: 0-63.
Queue: An output queue level that maps to the DSCP value in this row. Valid range: 0-7. Default value: all DSCP values map to queue level 1. See also Section 24.4.1.2, Figure 24-1 and Figure 24-2.
24.5.5 Configuring Frame Relay QoS for a PVC
In the GUI go to the WAN Management: Frame Relay QOS: FR QoS tab to assign QoS priorities based on a Frame Relay PVC, as illustrated in Figure 24-9.
Figure 24-9. Frame Relay QoS Screen
In the Frame Relay QoS Configuration screen configure a default priority for the selected Frame Relay PVC. Click the Apply button for your choices to take effect.
For more on Frame Relay queueing see Section 21.1.7.
Table 24-6. Frame Relay QoS Fields
Select: You must click a selection button before modifying a configuration.
FR PVC Name: The identifier for the selected PVC.
Default Priority: Specify the default priority for this PVC. Default value: 0. Valid range: 0-5. See also Section 21.1.8.1.
CIR Status: The Committed Information Rate (CIR) is the minimum data throughput that your service provider guarantees to support over a particular PVC. Use this selection field to enable or disable CIR on this PVC. See also Section 21.1.8.4.
CIR: Specify the CIR value in bytes. Default value: the bit rate of the Frame Relay interface. Valid range: 1-2048 bytes. See also Section 21.1.8.4.
24.5.6 Configuring Frame Relay QoS for a DSCP
In the GUI go to the WAN Management: Frame Relay QOS: FR DSCP Priority Mapping tab to assign QoS priorities based on the DSCP value of encapsulated IP packets, as illustrated in Figure 24-10.
Figure 24-10. Frame Relay DSCP Priority Mapping Screen
In the Frame Relay DSCP Priority Mapping screen use the upper dialog box to configure a priority for a specified DSCP. Click the Add button for your choices to take effect and to be displayed in the lower dialog box. Use the lower dialog box to edit or delete configured mappings.
For more on Frame Relay queueing see Section 21.1.7.
Table 24-7. Frame Relay DSCP Priority Mapping Fields
Select: You must click a selection button before modifying a configuration.
DSCP: Specify a DSCP value. Valid range: 0-63 (0x00-0x3F). See also Section 21.1.8.2.
Priority: Specify the priority for this DSCP. Valid range: 0-5. See also Section 21.1.8.2.
24.5.7 Configuring Frame Relay Priority Weights
In the GUI go to the WAN Management: Frame Relay QOS: FR Priority Weights tab to map priority values to queue weights, as illustrated in Figure 24-11.
Figure 24-11. Frame Relay Priority Weights Screen
In the Frame Relay Priority Weights screen assign one of the four configurable queue weights to each priority. Click the Apply button for your choices to take effect.
For more on Frame Relay queueing see Section 21.1.7.
Table 24-8. Frame Relay Priority Weights Fields
Select: You must click a selection button before modifying a configuration.
Priority: The priority value (0-5) to which a queue weight is assigned.
Weight: The queue weight assigned to this priority; one of the four configurable queue weights (see Section 21.1.7).
Chapter 25 Protocol Analyzer
Use the INOS protocol analyzer feature to capture and display the packets received and transmitted through a particular interface. Specify the interface on which monitoring is to be done, along with any filtering options, to obtain useful output. The output of the analyzer is displayed in the CLI management window. The extended and full formats print packet payloads, which can include credentials and process data sent in clear (for example PAP passwords or Modbus/TCP register values), so treat analyzer output as sensitive.
25.1 Starting and Stopping the Protocol Analyzer
The following analyzer controls are available as keyboard commands:
• start — Start the protocol analyzer by executing the protocol-analyzer command with valid arguments (see Section 25.2).
• pause — Press any key other than the q key to pause a running analysis.
• resume — Press any key other than the q key to resume a paused analysis.
• stop — Press the q key to stop the analyzer.
25.2 Configuring Protocol Analyzer Output
Use the protocol-analyzer command in Exec Commands mode to specify an interface to be monitored and the types of data to be displayed for that interface. The command accepts the arguments described in Table 25-1.
Use the protocol-analyzer command followed by the ip keyword to specify an IP interface.
Command syntax:
protocol-analyzer ip ipif_type output_specs
Where:
ipif_type is any of,
gigabitethernet — an active Ethernet port identified by a port number/slot number combination.
mlppp — a numerical value in the range 1-16 specifying a configured MLPPP interface ID.
ppp — a numerical value in the range 1-16 specifying a configured PPP interface ID.
tunnel — a numerical value in the range 1-32 specifying a configured tunnel interface ID.
vlan — a numerical value in the range 1-4094 specifying a configured VLAN interface ID.
output_specs may be any of the specifications in Table 25-1.
Use the protocol-analyzer command followed by the interface keyword to specify a physical interface.
protocol-analyzer interface physif_type output_specs
Where:
physif_type is any of,
gigabitethernet — an active Ethernet port identified by a port number/slot number combination.
serial — an active serial port identified by a port number/slot number combination.
t1e1 — an active T1/E1 port identified by a port number/slot number combination
output_specs may be any of the specifications in Table 25-1.
Table 25-1 describes the arguments that can be used with both protocol-analyzer ip and protocol-analyzer interface to filter and shape protocol analyzer output.
NOTE: The filter syntax used by the INOS Protocol Analyzer is the libpcap (BPF) capture-filter syntax shared by tcpdump and by Wireshark capture filters. Wireshark display filters use a different syntax and do not apply here.
Table 25-1. Protocol Analyzer Output Arguments
filter: The keyword filter precedes a filter string used to select the captured packets. The filter string uses tcpdump syntax, including boolean expressions. Enclose the filter string in double quotes, for example: "filter_string".
format: The format keyword enables you to specify the degree of detail in the output. Options are:
• brief — displays packet data with minimal information. (The default format for tcpdump.)
• extended — displays packet data in hexadecimal format. (Equivalent to the tcpdump -XX option.)
• verbose — displays packet data in human readable format. (Equivalent to the tcpdump -vv option.)
• full — a combination of the extended and verbose options. (Equivalent to the tcpdump -vv and -XX options combined.)
Default value: brief
level: The level keyword enables you to specify the packet display level. Options are:
• layer2 — packet display level option is set as L2. Display layer 2 headers (for instance, Ethernet headers) as well as layer 3 headers.
• layer3 — packet display level option is set as L3. Display layer 3 headers only.
Default value: layer2
timestamp: The timestamp keyword enables you to specify the timestamp format. Options are:
• absolute — the timestamp will specify the actual time when the packet was captured.
• delta — the timestamp will specify the time elapsed between this packet and the preceding packet.
• none — no timestamp specified.
• relative — the timestamp will specify the time elapsed since the protocol analyzer was started.
Default value: absolute
Examples:
1. Example 1 specifies an IP interface with the default output options (no format, level or timestamp keyword) and starts the display of captured packets in the CLI management window.
Magnum 10RX# protocol-analyzer ip gigabitethernet 5/2
Figure 25-1. Protocol Analyzer Output, Example 1
10:55:47.040202 ARP, Request who-has 172.16.210.1 tell 172.16.210.41, length 46
10:55:47.124811 STP 802.1s, Rapid STP, CIST Flags [Forward, Agreement]
10:55:47.343223 IP 172.16.210.41.57369 > 239.255.255.250.1900: UDP, length 133
2. Example 2 illustrates the monitoring of an IP interface in brief mode with two filters applied:
• The source or destination IP network is 172.16.0.0/16.
• The protocol is ICMP.
Magnum 10RX# protocol-analyzer ip vlan 1 format brief filter "net 172.16 and icmp"
Figure 25-2. Protocol Analyzer Output, Example 2
11:01:46.619643 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.210.32 > 172.16.210.30: ICMP echo request, id 21002, seq 765, length 64
11:01:46.619920 IP (tos 0x0, ttl 64, id 47562, offset 0, flags [none], proto ICMP (1), length 84)
    172.16.210.30 > 172.16.210.32: ICMP echo reply, id 21002, seq 765, length 64
3. Example 3 illustrates the monitoring of a physical interface in full display mode with two filters applied:
• The source or destination IP network is 172.16.0.0/16.
• The source or destination TCP port is 80.
Magnum 10RX# protocol-analyzer interface t1e1 10/1 format full filter "net 172.16 and tcp port 80"
Figure 25-3. Protocol Analyzer Output, Example 3
11:10:48.835381 IP (tos 0x0, ttl 51, id 23433, offset 0, flags [none], proto TCP (6), length 52)
    74.125.236.84.80 > 172.16.210.32.40273: Flags [.], cksum 0x1faa (correct), ack 1089, win 1002, options [nop,nop,TS val 3127539032 ecr 1102765], length 0
    0x0000: 4500 0034 5b89 0000 3306 7738 4a7d ec54 E..4[...3.w8J}.T
    0x0010: ac10 d220 0050 9d51 0156 a7d1 1212 41ca .....P.Q.V....A.
    0x0020: 8010 03ea 1faa 0000 0101 080a ba6a 7558 .............juX
    0x0030: 0010 d3ad ....
11:10:48.836058 IP (tos 0x0, ttl 51, id 23434, offset 0, flags [none], proto TCP (6), length 188)
    74.125.236.84.80 > 172.16.210.32.40273: Flags [P.], seq 1:137, ack 1089, win 1002, options [nop,nop,TS val 3127539032 ecr 1102765], length 136
    0x0000: 4500 00bc 5b8a 0000 3306 76af 4a7d ec54 E...[...3.v.J}.T
    0x0010: ac10 d220 0050 9d51 0156 a7d1 1212 41ca .....P.Q.V....A.
    0x0020: 8018 03ea 0597 0000 0101 080a ba6a 7558 .............juX
    0x0030: 0010 d3ad 4854 5450 2f31 2e31 2033 3034 ....HTTP/1.1.304
    0x0040: 204e 6f74 204d 6f64 6966 6965 .Not.Modified
4. Example 4 illustrates the monitoring of a gigabitethernet interface in brief display mode.
Magnum 10RX# protocol-analyzer interface gigabitethernet 5/2
Figure 25-4. Protocol Analyzer Output, Example 4
08:49:44.278781 00:20:61:05:25:08 (oui Unknown) > 00:20:61:05:23:08 (oui Unknown), ethertype IPv4 (0x0800), length 74: 24.0.0.1 > 24.0.0.2: ICMP echo request, id 0, seq 1, length 40
08:49:44.286601 00:20:61:05:23:08 (oui Unknown) > 00:20:61:05:25:08 (oui Unknown), ethertype IPv4 (0x0800), length 74: 24.0.0.2 > 24.0.0.1: ICMP echo reply, id 0, seq 1, length 40
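The following is an added example in Python, not INOS or tcpdump code. It evaluates the subset of the capture-filter syntax used in the examples above (host, net and port primitives with optional src/dst and protocol qualifiers, and/or/not, parentheses) against already-decoded packets, so you can check what a filter string such as "net 172.16 and icmp" will select before starting a capture on a production link. It shows two details of the syntax that trip people up: a short network such as net 172.16 means 172.16.0.0/16, and port 80 matches either direction unless qualified with src or dst. The sample packets are constructed from the addresses in Figures 25-1 to 25-3; the names compile_filter and select are this example's own.

```python
"""Evaluator for the tcpdump-style capture filters taken by the filter keyword.

Added example, not INOS or tcpdump code; covers the primitives used on this page only.
"""
import ipaddress
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]
Predicate = Callable[[Packet], bool]
PROTO_NAMES = ("ip", "tcp", "udp", "icmp", "arp")
QUALIFIERS = ("src", "dst", "host", "net", "port")


def parse_net(text: str) -> ipaddress.IPv4Network:
    """tcpdump short form: 'net 172.16' means 172.16.0.0/16; an explicit /len is used as given."""
    if "/" in text:
        return ipaddress.ip_network(text, strict=False)
    octets = text.split(".")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)


def proto_matches(pkt: Packet, name: str) -> bool:
    return pkt["proto"] in ("tcp", "udp", "icmp") if name == "ip" else pkt["proto"] == name


def addr_matches(pkt: Packet, direction: Optional[str], pred: Callable) -> bool:
    fields = {"src": ["src"], "dst": ["dst"]}.get(direction, ["src", "dst"])
    return any(pkt[f] is not None and pred(ipaddress.ip_address(pkt[f])) for f in fields)


def port_matches(pkt: Packet, direction: Optional[str], port: int) -> bool:
    fields = {"src": ["sport"], "dst": ["dport"]}.get(direction, ["sport", "dport"])
    return any(pkt[f] == port for f in fields)


class FilterParser:
    """expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := 'not' factor | '(' expr ')' | [proto] [src|dst] (host A | net N | port P) | proto"""

    def __init__(self, text: str):
        self.tokens = text.replace("(", " ( ").replace(")", " ) ").split()
        self.pos = 0

    def peek(self) -> Optional[str]:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self) -> str:
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok

    def parse(self) -> Predicate:
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self) -> Predicate:
        node = self.term()
        while self.peek() in ("or", "||"):
            self.take()
            node = (lambda l, r: lambda p: l(p) or r(p))(node, self.term())
        return node

    def term(self) -> Predicate:
        node = self.factor()
        while self.peek() in ("and", "&&"):
            self.take()
            node = (lambda l, r: lambda p: l(p) and r(p))(node, self.factor())
        return node

    def factor(self) -> Predicate:
        if self.peek() in ("not", "!"):
            self.take()
            inner = self.factor()
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        return self.primitive()

    def primitive(self) -> Predicate:
        proto_q = None
        # 'tcp port 80': a protocol name directly before a qualifier narrows that primitive
        if (self.peek() in PROTO_NAMES and self.pos + 1 < len(self.tokens)
                and self.tokens[self.pos + 1] in QUALIFIERS):
            proto_q = self.take()
        tok, direction = self.take(), None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok in PROTO_NAMES and direction is None and proto_q is None:
            return lambda p, n=tok: proto_matches(p, n)
        if tok == "host":
            addr = ipaddress.ip_address(self.take())
            node = lambda p: addr_matches(p, direction, lambda a: a == addr)
        elif tok == "net":
            net = parse_net(self.take())
            node = lambda p: addr_matches(p, direction, lambda a: a in net)
        elif tok == "port":
            port = int(self.take())
            node = lambda p: port_matches(p, direction, port)
        else:
            raise ValueError(f"unsupported primitive {tok!r}")
        if proto_q is not None:
            return lambda p, n=node, q=proto_q: proto_matches(p, q) and n(p)
        return node


def compile_filter(text: str) -> Predicate:
    return FilterParser(text).parse()


# Constructed packets echoing the capture lines shown in Figures 25-1 to 25-3 (not real captures).
SAMPLE_PACKETS: List[Packet] = [
    {"proto": "arp", "src": "172.16.210.41", "dst": "172.16.210.1", "sport": None, "dport": None},
    {"proto": "udp", "src": "172.16.210.41", "dst": "239.255.255.250", "sport": 57369, "dport": 1900},
    {"proto": "icmp", "src": "172.16.210.32", "dst": "172.16.210.30", "sport": None, "dport": None},
    {"proto": "tcp", "src": "74.125.236.84", "dst": "172.16.210.32", "sport": 80, "dport": 40273},
]


def select(filter_text: str, packets: List[Packet] = SAMPLE_PACKETS) -> List[int]:
    """Indexes of the packets a filter would pass."""
    pred = compile_filter(filter_text)
    return [i for i, p in enumerate(packets) if pred(p)]
```

Against the sample packets, "net 172.16 and icmp" from Example 2 passes only the ICMP echo, "net 172.16 and tcp port 80" from Example 3 passes only the HTTP segment, and "src net 172.16" excludes that segment because only its destination is in 172.16.0.0/16. A malformed filter raises ValueError instead of silently matching everything, which is the failure mode you want when a filter guards what a capture exposes.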
Glossary
This glossary contains brief explanations of acronyms and other terms used in this manual.
Term Definition
3DES Triple Data Encryption Standard. A more secure variant of DES in which each block is encrypted three times (encrypt-decrypt-encrypt) with two or three DES keys.
802.1p An IEEE standard that provides Quality of Service (QoS) at the layer 2 level.
ACL Access Control List. A named list of match criteria (source, destination, protocol, ports) used to select router traffic, for example the traffic protected by IPsec or the traffic marked with a DSCP (see Section 24.4.6.1).
AES Advanced Encryption Standard. A NIST-standard cryptographic cipher that uses a block length of 128 bits and key lengths of 128, 192 or 256 bits.
ANSI American National Standards Institute.
ARP Address Resolution Protocol. Enables discovery of a device’s MAC address when only its IP address is known.
AS Autonomous System. A set of routers under a single technical administration with an apparently coherent interior routing plan.
ASCII American Standard Code for Information Interchange.
BGP Border Gateway Protocol. A protocol for routing traffic between autonomous systems (AS).
BPV Bipolar violation.
BPDU Bridge Protocol Data Units. Message units that carry the Spanning Tree Protocol information.
CBT Core Based Trees. One of the communications protocols of the Internet Protocol Suite. Builds and maintains a shared delivery tree for a multicast group.
CCITT Comité consultatif international téléphonique et télégraphique. An institution to coordinate telecommunication standards. Although the CCITT acronym is still widely used, the institution has been known since 1992 as the ITU Telecommunication Standardization Sector (ITU-T).
CHAP Challenge-Handshake Authentication Protocol. A method of authentication of remote clients used by Point to Point Protocol (PPP) servers and based on a shared secret.
CIDR Classless Inter-Domain Routing. A CIDR address is written with a forward slash preceding a suffix indicating the number of bits in the prefix length, such as 192.168.0.0/16.
CIR Committed Information Rate. A guaranteed data rate negotiated with a carrier.
CIST Common and Internal Spanning Tree. CIST is a concept of Multiple Spanning Tree (MST) technology. The CIST is a unique default spanning tree that runs among all MST regions in a network.
CFX Configuration XML File.
CoS Class of Service. Refers to the eight level priority field optionally present in an Ethernet header as specified by the IEEE 802.1p standard.
CRC Cyclic Redundancy Check. A method of detecting errors in transmitted data.
CTS Clear-to-Send. On an RS-232 interface, a DCE’s signal granting a DTE permission to transmit.
DCD Data Carrier Detect. On an RS-232 interface, a DCE’s signal that a connection has been established.
DCE Data Communications Equipment. Typically a communication device such as a modem. In an RS-232 link a DCE communicates with a DTE.
DDS Digital Data Service. A private line digital service from carriers other than AT&T.
DES Data Encryption Standard. A NIST-standard block cipher with a 56-bit key, which is now short enough to be recovered by exhaustive search; see 3DES and AES.
DH Diffie-Hellman key exchange. A key exchange method that allows two parties to jointly establish a shared secret key over an insecure communications channel to support encryption of subsequent communications.
DHCP Dynamic Host Configuration Protocol.
Diffie-Hellman See DH.
DiffServ DIFFerentiated SERVices. A type of Quality of Service (QoS) functionality.
DLCI Data Link Connection Identifier. An identifying number for a private or switched virtual circuit in a frame relay network.
DPD Dead Peer Detection. A method of determining that an IKE peer (the remote IPsec endpoint) is no longer reachable, so that its security associations can be torn down.
DSA Digital Signature Algorithm. A United States Federal Government standard for generating and verifying digital signatures.
DSCP Differentiated Services Code Point. A value in the DiffServ portion of an IP packet header used for classification purposes.
DSR/DTR Data Set Ready/Data Terminal Ready. RS-232 handshake signals sent from the modem to the terminal (DSR) or from the terminal to the modem (DTR) indicating readiness to accept data.
DTE Data Terminal Equipment. Typically a computer system. In an RS-232 link a DTE communicates with a DCE.
DTR See DSR/DTR.
E1 See T1/E1.
ECDH Elliptic Curve Diffie-Hellman. A version of the Diffie-Hellman key exchange (see DH, above) that allows two parties, each having an elliptic curve public-private key pair, to establish a shared secret over an insecure channel.
EGP Exterior Gateway Protocol. An internet routing protocol.
ESP Encapsulating Security Payload. The IPsec protocol that provides confidentiality, integrity and data-origin authentication for the packets it encapsulates.
FCS Frame Check Sequence. A CRC appended to a frame for error detection; a frame whose FCS does not verify is discarded, not corrected.
FEFI Far End Fault Indication. A feature of optical ports that detects an unresponsive link and shuts down transmission from the port.
GARP Generic Attribute Registration Protocol to enable similar devices to register and de-register attribute values, such as VLAN identifiers and multicast group membership.
GGP Gateway to Gateway Protocol. One of the communications protocols of the Internet Protocol Suite. Used mainly for routing datagrams.
GMRP GARP Multicast Registration Protocol allows bridges and end stations to dynamically register group membership information.
GVRP GARP VLAN Registration Protocol for registering VLAN trunking between multilayer switches.
HMI Human Machine Interface. The device that enables a person to monitor and control a machine. Typically the HMI is a computer.
HTTP HyperText Transfer Protocol.
I2C A multi-master serial single-ended computer bus.
ICMP The Internet Control Message Protocol. One of the communications protocols of the Internet Protocol Suite. Chiefly used to convey error messages.
IDRP Inter-Domain Routing Protocol.
IED Intelligent Electronic Device. A microprocessor-based device that controls power system equipment such as circuit breakers and voltage regulators.
IEEE Institute of Electrical and Electronics Engineers
IGP Interior Gateway Protocols. A set of routing protocols used within a system.
IGMP Internet Group Management Protocol. One of the communications protocols of the Internet Protocol Suite. Used to manage membership in multicast groups.
IKE Internet Key Exchange. The protocol used to set up a Security Association in the IPsec protocol suite.
IP Internet Protocol.
IPCP Internet Protocol Control Protocol. Responsible for configuring, enabling, and disabling the IP protocol modules on both ends of a Point-to-Point link.
IPIP IP in IP encapsulation. One of the communications protocols of the Internet Protocol Suite. Encloses an inner IP header with an outer header for tunneling.
ISO-IP ISO Internetworking Protocol. A network layer protocol in an OSI network.
ITU-T See CCITT.
LAN Local Area Network. A computer network covering a small geographic area, like a home, office, or group of buildings. Compare to WAN.
LCP Link Control Protocol. A part of the Point-to-Point Protocol by which communicating devices exchange LCP packets to determine standards of transmission.
LMI Local Management Interface. A signaling standard used between routers and frame relay switches.
LRC Longitudinal Redundancy Check. A method of detecting errors in transmitted data.
LSA Link State Advertisement. An OSPF data structure that describes a portion of an OSPF network.
LSC Last Schema Change.
MAC Media Access Control. A MAC address is a unique identifier attached to most forms of networking equipment.
MD5 Message-Digest algorithm 5. A widely deployed 128-bit cryptographic hash function that is no longer collision-resistant and should not be relied on for signatures or for integrity protection against an active attacker.
MED Multiple Exit Discriminator. In BGP this value provides guidance as to a preferred entrance point.
MIB Management Information Base. A database used by SNMP to manage devices such as switches and routers in a network.
MLPPP Multi-Link Point-to-Point Protocol. MLPPP enables the bundling of PPP connections to increase effective bandwidth.
Modbus A communications protocol using master/slave architecture. A commonly available means of connecting industrial electronic devices.
MRU Maximum Receive Unit. The maximum size in bytes of the protocol data unit that will be received on an interface.
MSTP Multiple Spanning Tree Protocol. A system for creating regions of switches that share certain configuration attributes.
MTU Maximum Transmission Unit. The maximum size in bytes of the protocol data unit that will be transmitted on an interface.
NAPT Network Address Port Translation. See NAT.
NAT Network Address Translation. Rewriting of the IP addresses in packet headers as they pass through the router. NAPT additionally rewrites port numbers, which is how a single public IP address provides internet access to multiple private IP addresses.
NetBIOS Network Basic Input/Output System. A service enabling applications on multiple computers to communicate via a LAN.
NNI Network to Network Interface.
NSSA Not So Stubby Area is an OSPF area with a limited ability to import external routes and transmit them to the OSPF backbone.
OID Object IDentifier. In SNMP an OID is a string identifying an object in a MIB.
OSPF Open Shortest Path First. A routing protocol to determine the best path for traffic over a TCP/IP network.
PAP Password Authentication Protocol. A PPP authentication method that sends the username and password as unencrypted ASCII over the link, so anyone who can observe the link learns the credentials. Prefer CHAP where the peer supports it.
Path Cost A Spanning Tree parameter that measures how close bridges are to one another. It takes into account the bandwidth of the links between bridges.
PEM Privacy Enhanced Mail. Originally a secure e-mail standard; today the name of the text file format it introduced, in which DER-encoded objects such as X.509 certificates and private keys are Base64-encoded between "-----BEGIN ...-----" and "-----END ...-----" lines.
PFS Perfect Forward Secrecy. A property of a key exchange (in IPsec, a fresh Diffie-Hellman exchange for each phase 2 negotiation) whereby compromise of a long-term key, or of one session key, does not expose the session keys of earlier or later sessions.
PHY An abbreviation for the physical layer of the OSI model.
An instantiation of PHY connects a link layer device (often called a MAC) to a physical medium such as an optical fiber or copper cable.
PoE Power over Ethernet. A technology for delivering power (along with data) to remote devices over the twisted pair cabling of an Ethernet network.
PPP Point-to-Point Protocol. A data link protocol to establish a direct connection between two networking nodes, commonly used for modem dial-up connections.
PVC A point-to-point connection that is established before its first use and maintained regardless of the level of activity.
PVID Port VID. A user configurable parameter that associates a native VLAN with a port. Each port is assigned exactly one PVID. By default, each port is assigned PVID 1.
QoS Quality of Service. Technology and techniques, such as prioritization, to ensure the predictable handling of specified kinds of traffic.
RADIUS Remote Authentication Dial-In User Service. An AAA (authentication, authorization and accounting) protocol using a challenge/response method for authentication.
RC4 A stream cipher formerly common in SSL/TLS and in WEP/WPA wireless networks. Its keystream biases are exploitable and RFC 7465 prohibits its use in TLS; a configuration that still offers it should be treated as a finding.
RED Random Early Detection. An active queue management algorithm for congestion avoidance.
RIB Routing Information Base. A database on a BGP router that accumulates information about routes to reachable destinations.
RIP Routing Information Protocol. An Interior Gateway Protocol (IGP) routing protocol used on internal networks. It determines a route based on the smallest hop count between source and destination. It has a limit of 15 hops.
RS-232 A popular standard for passing serial binary data point-to-point between digital systems. Also known as EIA-232. Compare to RS-485.
RS-485 A standard for passing serial data in point-to-point or multipoint configurations among digital data systems. Also known as EIA-485. Less common but more versatile than RS-232.
RSA Rivest-Shamir-Adleman. A public-key algorithm for encryption and digital signatures. Each party holds a key pair: the private key is kept secret by its owner and the public key is published, typically inside an X.509 certificate.
RSTP Rapid Spanning Tree Protocol. RSTP is a protocol that prevents loops in bridged LAN environments. It also provides for fast recovery from link failures. This product supports RSTP as specified in IEEE 802.1D (2004).
RSVP Resource reSerVation Protocol. One of the communications protocols of the Internet Protocol Suite. Used to support Quality of Service (QoS) flows.
RTS/CTS Request to Send/Clear to Send. RS-232 flow control signals sent by transmitting stations (RTS) and receiving stations (CTS).
RTU Remote Terminal Unit. A device that collects data from data acquisition equipment and sends it to the main system over a network.
SA Security Association. In IPSec an SA defines a secure, unidirectional communication channel between two entities.
SADB Security Association Database. An IPSec database containing security information specific to particular connections. Compare to SPD.
SCADA Supervisory Control And Data Acquisition. A process control application that collects data from networked devices.
SFP Small Form-factor Pluggable Transceiver. A full-duplex serial interface converter that converts electrical signals to optical signals to run over fiber.
SHA Secure Hash Algorithm. A family of cryptographic hash algorithms designed by the National Security Agency and published by NIST. SHA-1 (160-bit) is deprecated for signatures because collisions have been demonstrated; its successor SHA-2, which encompasses SHA-256 and SHA-384, remains the recommended choice.
SNMP Simple Network Management Protocol. A network monitoring and control protocol.
SNTP Simple Network Time Protocol.
SONET Synchronous Optical Networking. A multiplexing protocol for use over optical fiber.
SPD Security Policies Database. An IPSec database containing security policies general to the device. Compare to SADB.
SPI Security Parameters Index. A 32-bit value carried in the AH or ESP header that, together with the destination address and protocol, identifies the Security Association (and therefore the keys and algorithms) the receiver must use to process the packet.
SPQ Strict Priority Queue. An optional single level strict priority queue implemented on PPP interfaces.
SSH Secure SHell. A network protocol using public key cryptography to provide secure remote login.
SSL Secure Sockets Layer. A cryptographic protocol that creates an encrypted, authenticated session over a standard TCP connection. All SSL versions are obsolete and TLS is its successor; in this guide the term is used for the HTTPS web management interface.
Station Cache A database maintained by the Ethernet bridge that tracks MAC addresses of stations on the network and the ports associated with them.
Suite B A set of cryptographic algorithms promulgated by the National Security Agency.
Syslog A protocol for sending event messages over an IP network to remote servers called "event message collectors."
T1/E1 T1 is a widely-used T-carrier telecommunications standard capable of transmitting 1.544 Mbits/second. The T1 designation is used in North America. The analogous system outside of North America is called E1.
TACACS Terminal Access Controller Access-Control System. A remote authentication protocol.
TCN Topology Change Notification. In the RSTP protocol, a BPDU sent by a bridge to its root port to signal a topology change.
TCP Transmission Control Protocol.
TLS Transport Layer Security. The IETF successor to SSL; the name "SSL" is still commonly used for both.
TLV Type, Length, and Value. A generic encoding in which each element carries a type code, the length of its value, and the value itself. LLDP advertises device information as a series of TLVs; the DER encoding beneath X.509 uses the same tag-length-value structure.
TOS Type of Service. An eight-bit field in the IPv4 header available for specifying priority.
UDP User Datagram Protocol. A connectionless transport protocol of the Internet Protocol Suite, used instead of TCP when reliable, ordered delivery is not required (for example by SNMP, Syslog, SNTP and RADIUS). Because it has no handshake, UDP source addresses are easily spoofed.
URL Uniform Resource Locator.
VID VLAN Identifier.
VLAN Virtual Local Area Network. A logical subgroup within a local area network that is created with software rather than by physically manipulating cables.
VRRP Virtual Router Redundancy Protocol. A protocol for specifying a backup router to be used in case of failure of a master router.
WAN Wide Area Network. A computer network that crosses metropolitan, regional, or national boundaries.
Compare to LAN.
WFQ Weighted Fair Queueing. A packet scheduling technique that enables several data flows to use the same link.
WINS Windows Internet Naming Service. A Microsoft service for mapping host names to network addresses.
X.509 The standard format for public-key certificates. An X.509 certificate binds a public key to a subject name (with fields such as organization and contact information) and is digitally signed by the issuing certificate authority, so a relying party can verify the binding without contacting the issuer.
XML eXtensible Markup Language.
XON/XOFF A software flow control protocol in which a receiver sends an XOFF character to a transmitter to signal that it is unable to receive data and an XON character to signal that it is able to receive data.
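The LRC and Modbus entries above name the check but do not show it. The following added example (my code, not from the INOS guide or Belden) implements Modbus ASCII framing with its LRC, builds a constructed read-holding-registers request, verifies a received frame, and then shows the security-relevant limit of an LRC: it detects line noise, but two swapped bytes leave the sum, and so the LRC, unchanged. The sample request and the `lrc_catches` helper are constructed for this example.

```python
# Modbus ASCII framing with LRC: added example for the LRC and Modbus
# glossary entries. The request below is constructed, not taken from the guide.


def modbus_lrc(pdu: bytes) -> int:
    """LRC as used by Modbus ASCII: two's complement of the 8-bit byte sum."""
    return (-sum(pdu)) & 0xFF


def build_ascii_frame(pdu: bytes) -> str:
    """':' + hex(address, function, data) + hex(LRC) + CRLF."""
    return ":" + pdu.hex().upper() + f"{modbus_lrc(pdu):02X}" + "\r\n"


def parse_ascii_frame(frame: str) -> bytes:
    """Validate framing and LRC; return address+function+data, or raise."""
    if not (frame.startswith(":") and frame.endswith("\r\n")):
        raise ValueError("bad Modbus ASCII framing")
    body = frame[1:-2]
    # Shortest legal body: address, function and LRC = 3 bytes = 6 hex digits.
    if len(body) < 6 or len(body) % 2:
        raise ValueError("frame too short or odd hex length")
    raw = bytes.fromhex(body)            # raises ValueError on non-hex characters
    pdu, received = raw[:-1], raw[-1]
    expected = modbus_lrc(pdu)
    if received != expected:
        raise ValueError(f"LRC mismatch: got {received:02X}, expected {expected:02X}")
    return pdu


def lrc_catches(pdu: bytes, corrupted: bytes) -> bool:
    """True if the LRC computed for pdu rejects the corrupted PDU (hypothetical helper)."""
    return modbus_lrc(corrupted) != modbus_lrc(pdu)


# Constructed sample: slave 1, function 03 (read holding registers),
# start address 0, one register.
REQUEST = bytes.fromhex("010300000001")

if __name__ == "__main__":
    frame = build_ascii_frame(REQUEST)
    print(frame.strip())
    print(parse_ascii_frame(frame).hex())
    # A single changed byte is detected...
    print(lrc_catches(REQUEST, bytes.fromhex("010300000002")))
    # ...but swapping the address and function bytes is not: same sum, same LRC.
    print(lrc_catches(REQUEST, bytes.fromhex("030100000001")))
```

The last line is the point for a security reviewer: an LRC (or CRC) on a serial or terminal-server link is an error check, not an authentication. Anything that must resist an attacker on the wire needs a keyed MAC or a protected tunnel such as the IPsec VPN described elsewhere in this guide.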
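The PEM, TLV and X.509 entries describe a file format in words; this added example (my code, not from the INOS guide or Belden) shows what is inside. It wraps DER bytes in PEM armor, strips the armor off again with strict Base64 decoding, and walks the DER tag-length-value encoding, rejecting the truncated and non-minimal lengths that DER forbids and that lenient parsers have been exploited through. The sample structure (a SEQUENCE holding an INTEGER and a PrintableString) is constructed for the example and is not a certificate; a real X.509 certificate is the same encoding with a much larger SEQUENCE.

```python
from __future__ import annotations

import base64
import re

# Constructed sample: DER SEQUENCE { INTEGER 2, PrintableString "INOS" }.
# Not a real certificate; it only exercises the same tag/length/value encoding.
SAMPLE_DER = bytes.fromhex("30090201021304494e4f53")

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def to_pem(label: str, der: bytes) -> str:
    """Wrap DER bytes in PEM armor: Base64 body folded at 64 columns."""
    body = base64.b64encode(der).decode("ascii")
    folded = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN {label}-----\n{folded}\n-----END {label}-----\n"


def from_pem(text: str) -> tuple[str, bytes]:
    """Extract the first PEM block; returns (label, DER bytes).

    validate=True makes b64decode reject characters outside the alphabet
    instead of silently skipping them, which is what you want for key material.
    """
    match = PEM_BLOCK.search(text)
    if match is None:
        raise ValueError("no PEM block found")
    label, body = match.group(1), match.group(2)
    return label, base64.b64decode("".join(body.split()), validate=True)


def parse_der(der: bytes, start: int = 0, end: int | None = None) -> list:
    """Walk the DER TLVs in der[start:end].

    Returns a list of (tag, value) pairs; for constructed tags (bit 0x20 set,
    e.g. SEQUENCE 0x30) value is the recursively parsed list of children.
    """
    if end is None:
        end = len(der)
    items = []
    i = start
    while i < end:
        tag = der[i]
        i += 1
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tag numbers not supported")
        if i >= end:
            raise ValueError("truncated length field")
        first = der[i]
        i += 1
        if first < 0x80:                       # short form: one byte
            length = first
        else:                                  # long form: 0x80|N, then N bytes
            nbytes = first & 0x7F
            if nbytes == 0 or nbytes > 4:
                raise ValueError("indefinite or oversized length")
            if i + nbytes > end:
                raise ValueError("truncated length field")
            length = int.from_bytes(der[i:i + nbytes], "big")
            i += nbytes
            # DER requires the shortest encoding; a longer one is BER, not DER.
            minimal = 0x80 if nbytes == 1 else 1 << (8 * (nbytes - 1))
            if length < minimal:
                raise ValueError("non-minimal length encoding")
        if i + length > end:
            raise ValueError("length exceeds enclosing buffer")
        value = der[i:i + length]
        if tag & 0x20:
            items.append((tag, parse_der(der, i, i + length)))
        else:
            items.append((tag, value))
        i += length
    return items


if __name__ == "__main__":
    pem = to_pem("TEST DATA", SAMPLE_DER)
    print(pem)
    label, der = from_pem(pem)
    print(label, parse_der(der))
```

The bounds checks are the part worth copying: every length read from the file is checked against the enclosing element before any byte is touched, so a crafted certificate cannot make the walker read past its buffer or accept an ambiguous encoding.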
INDEX
Symbols
10RX
access 5features and benefits 1hardware configurations 1security provisions 2supported protocols 1
3DES 286 to 287, 290 to 291
A
AAA protocols 50access control list, See ACLaccess port, VLAN 86access switchport mode 77access-list command 277ACFC 324ACL
applying 281configuring 276in crypto maps 293in IPsec 285in QoS 387, 394route map as 223
Address 148Address and Control Field Compression 324Address Resolution Protocol, See ARPadministrative distance 159, 197, 231advertisement interval, VRRP 244AES 286 to 287, 290 to 291AES-256 286 to 287, 290 to 291aggregate-address command 196aggregation of routes
BGP 196, 220OSPF 173 to 174, 184 to 185RIP 163
area default-cost command 173area nssa command 172area range command 173area stub command 172area types 170ARP 155arp max-retries command 155ARP timeout 155arp timeout command 155asynchronous, see serial interfacesauthentication
IPsec 292, 295 to 296PPP 320RADIUS 50TACACS 54VRRP 244
authentication command 320authentication, authorization, and accounting 50auth-info command 296auto-summarization of routes 160auto-summary command 160
B
backbone area 170BGP
overview 193basic settings in the GUI 210communities 200 to 202confederations 208configuration in the CLI 193 to 210
configuration in the GUI 210 to 221enabling/disabling 193, 210filter configuration in the GUI 218local preference configuration in the GUI 216loopback 206MED configuration in the GUI 214neighbor configuration in the GUI 212resetting a session 195route aggregation configuration in the GUI 220route map functionality 233route reflector 207
bgp always-compare-med command 206bgp comm-filter command 201bgp comm-policy command 201bgp comm-route command 200bgp confederation identifier command 208bgp confederation peers command 209bgp default local-preference command 202bgp filter-update command 198bgp local-preference command 203bgp med command 205bgp router-id command 194blocking a user 46boot server 258Border Gateway Protocol, see BGPBPDU 96bridge roles 96broadcast-delay-time command 20
C
certificate, RSA 10change password command 49channel command 312channels 312CHAP authentication 320chassis ID 130, 140CIR 348cir command 348Class of Service 385clear counters frame-relay command 350
clear counters fr-pvc command 350clear ike sa all command 297clear ike sa id command 298clear ike sa peer command 298clear ip bgp command 195clear ipsec sa all command 298clear ipsec sa id command 299clear ipsec sa peer command 298clear lldp counters command 131clear lldp table command 131clear logging buffer command 65clear logging events command 65clear serial connection command 378CLI
navigation 6obtaining help 6shorthand 7
clock command 308clock set command 13clock source for T1/E1 interface 308command
object-group network 278command line interface, see CLIcommands
access-list 277aggregate-address 196area default-cost 173area nssa 172area range 173area stub 172arp max-retries 155arp timeout 155authentication 320auth-info 296auto-summary 160bgp always-compare-med 206bgp comm-filter 201bgp comm-policy 201bgp comm-route 200bgp confederation identifier 208bgp confederation peers 209
bgp default local-preference 202bgp filter-update 198bgp local-preference 203bgp med 205bgp router-id 194change password 49channel 312cir 348clear counters frame-relay 350clear counters fr-pvc 350clear ike sa all 297clear ike sa id 298clear ike sa peer 298clear ip bgp 195clear ipsec sa all 298clear ipsec sa id 299clear ipsec sa peer 298clear lldp counters 131clear lldp table 131clear logging buffer 65clear logging events 65clear serial connection 378clock 308clock set 13compression vjc 320copy 59, 71crypto ike profile 286crypto ipsec proposal 290crypto map 292databits 359default-metric 158, 204default-router 263delay up down 252dir 58direction 373distance
RIP 159route map 231
distance bgp 197distribute-list 229 to 230dlci 339dns-server 261
domain-name 261dpd 289eek error-threshold 345eek event-window 344eek mode 343eek poll-timer 343eek response-timer 344eek success-events 345encryption (IKE phase 1) 287erase 58excluded-address 260finalize software upgrade 73flow-ctl 360frag-size 348frame-relay priority 346frame-types 309fr-pvc 373fw-nat-group 281group 288hash (IKE phase 1) 287hash (IKE phase 2) 291host hardware-type 265if-standard 358ignore-dss 360interface 147interface (VRRP) 241interface frame-relay 335interface fr-pvc 338interface mlp 329interface mlppp 329interface ppp 319interface serial 362interface t1e1 307interface tunnel 236IP address (PPP) 322ip address (PVC) 340ip dhcp bootfile 258ip dhcp next-server 258ip dhcp option 259ip dhcp ping packets 258ip dhcp pool 257ip dhcp server offer-reuse 259
ip qos mark dscp 394ip qos output queue 394ip qos output strict-queue 392ip qos policy 391ip rip default route install 161ip rip default route originate 161ip rip receive version 162ip rip send version 162ip rip summary-address 163ip route 153ip split-horizon 164ip ssh version compatibility 12layer 325layer (frame relay PVC) 339layer (frame relay interface) 336layer ppp 330lcp-echo-interval 320lease 264lifetime seconds (IKE phase 1) 289lifetime seconds (IKE phase 2) 292line-build-out 311line-codes 310lldp 132lldp chassis-id-subtype 130lldp holdtime-multiplier 128lldp notification 132lldp notification-interval command 130lldp port-id-subtype 134lldp reinitialization-delay 129lldp tlv-select basic-tlv 133lldp tlv-select dot1tlv 134lldp tlv-select dot3tlv 135lldp transmit-interval 128lldp tx-delay 129lmi mode 337lmi type 337local address (TS) 374local address (VPN) 294local-tcp 375logging class 65logging event 66
logging facility 69logging server 67login block-for 46login password-strength 46magic-number 324match 224, 293match dscp 392 to 393match dscp, WFQ 392max-conn 377max-pkt-size 362mlppp, interface 329mlppp, sent-username 321mlppp, username 321mlppp, ip address 322mode 308more 59mrru 329mtu 77, 323nameif 275nat 282neighbor 194
with ebgp-multihop argument 207with route-reflector-client argument 207with update-source argument 206
netbios-name-server 262netbios-node-type 262network (DHCP) 260network (OSPF) 171network (RIP) 157no aggregate-address 197no bgp always-compare-med 206no bgp comm-filter 202no bgp comm-policy 201no bgp comm-route 201no bgp local-preference 204no bgp neighbor ebgp-multihop command 207no bgp router-id 194no bgp update-filter 200no bgp default local-preference 203no channel 312no cir 349
no confederation identifier 209no confederation peers 209no default-metric 205no dhcp bootfile 258no dhcp option 260no dhcp server offer-reuse 259no direction 373no dns-server 261no domain-name 261no eek error-threshold 345no eek event-window 344no eek mode 343no eek poll-timer 344no eek response-timer 344no eek success-events 345no excluded-address 261no frag-size 348no frame-relay priority 346no fr-pvc 373no host hardware-type 265no interface frame-relay 336no interface fr-pvc 339no ip address (PVC) 341no ip dhcp 258no ip dhcp next-server 258no ip dhcp ping packets 259no ip qos mark dscp 395no ip qos output queue 394no ip qos policy 391no layer 336, 339no lease 264no lmi mode 338no lmi type 337no local address (TS) 375no local address (VPN) 294no local-tcp 375no match 224no match dscp 392no max-conn 377no neighbor 194no neighbor route-reflector-client 208no netbios-name-server 262
no netbios-node-type 262no network (DHCP) 260no network (OSPF) 172no network (RIP) 158no option (DHCP) 263no peer ip address (PVC) 341no priority (TS) 374no qos cos default 391no qos trust 390no rate 394no redistribute 196no remote-address 376no remote-tcp 376no retry-time 377no route-map 224no router bgp 194no serial-channel 372no serial-fr 342no serial-port 372no session-type 374no set (route map values) 227no shutdown
Ethernet port 76Frame Relay interface 336Frame Relay PVC 340PPP 325t1e1 channel 313t1e1 circuit 311
no snmp access 31no snmp community index 30no snmp engineid 32no snmp filter 35no snmp group 31no snmp notify 35no snmp targetaddr 33no snmp targetparams 34no snmp view 32no strict-queue 393no switchport 76no synchronization 210no timeslots 309, 312no utilization threshold 265
no weighted-fair-queue 392object-group icmp 279object-group protocol 280object-group service 279option (DHCP) 263parity 359peer address 293peer IP address (PVC) 341pfs 288pkt-char 361pkt-time 361ports (VLAN) 90ppp acfc 324ppp comp-slot-id 322ppp max-slot-id 322ppp mru 323ppp pfc 324ppp, authentication 320ppp, compression 320ppp, interface 319ppp, ip address 322ppp, layer 325ppp, sent-username 321ppp, shutdown 325ppp, username 321ppp, lcp-echo-interval 320priority (PVC) 346priority (TS) 374profile (crypto map) 295proposal (crypto map) 294protocol-analyzer 405qos frame-relay output dscp-map 347qos output cos-map 389qos output dscp-map 389qos trust 390qos, set (enable and disable) 388qos, switchport priority default 391radius-server 52rate 393redist-config 174redistribute
BGP 196RIP 158route map 229
reload 73remote-address 376remote-tcp 376retry software upgrade 73retry-time 377route-map 223router bgp 193router ospf 171router rip 157router vrrp 241security-level 275sent-username 321serial-channel 371serial-fr serial 341serial-port 372serial-profile 357, 363session-type 373set (route map values) 227set dhcp server 257set firewall 276set garp timer 83set gvrp 81set lldp 127set port gvrp 82set qos 388set snmp 30set sntp 14set telnet enable 12set unicast-mac learning 93show clock 13show crypto 297show frame-relay priority 349show ike profile 296show ike sa 296show interface frame-relay 349show interface fr-pvc 349show interface serial 363show interface t1e1 317
show ip bgp community filter 202show ip bgp community policy 201show ip bgp community route 201show ip bgp confed info 209show ip bgp filters 200show ip bgp frl info 208show ip bgp info 205show ip bgp local-pref 203 to 204show ip bgp med 205show ip bgp neighbor 195show ip dhcp server binding 266show ip dhcp server information 265show ip dhcp server pools 266show ip dhcp server statistics 266show ip qos interface 395show ipsec proposal 297show ipsec sa 296show lldp 136show lldp errors 137show lldp interface 136show lldp local 137show lldp neighbors 136show lldp statistics 137show lldp traffic 136show logging events 64show logging facility 69show logging server 69show qos frame-relay output dscp-map 349show radius server 52show serial-channel 378show serial-connection 378show serial-profile 363show sntp broadcast-mode status 22show sntp multicast-mode status 22show sntp status 22show sntp unicast-mode status 22show software upgrade 72 to 73show system information 72show tacacs 56show upgrade information 70show users 45show vlan id 88
shutdown
Ethernet port 76Frame Relay interface 336Frame Relay PVC 340PPP 325t1e1 channel 313t1e1 circuit 311
snmp access 31snmp community index 30snmp engineid 31snmp filter 35snmp group 30snmp notify 34snmp targetparams 33snmp targetaddr 32snmp trap 35snmp user 34snmp view 32sntp broadcast-delay-time 20sntp broadcast-mode send-request 19sntp broadcast-poll-timeout 20sntp client addressing mode 14sntp client authentication key 17sntp client clock-format 15sntp client clock-summer-time 16sntp client port 15sntp client time-zone 16sntp client version 14sntp multicast-delay-time 21sntp multicast-group-address 22sntp multicast-mode send-request 21sntp multicast-poll-timeout 21sntp unicast server 18sntp unicast-max-poll-retry 19sntp unicast-max-poll-timeout 19sntp unicast-poll-interval 18sntp unicast-server auto-discovery 18spanning tree 100spanning tree auto-edge 106spanning tree bpdu-receive 107spanning tree bpdu-transmit 108spanning tree compatibility 101
spanning tree interface properties 104spanning tree loop-guard 106spanning tree mode 100spanning tree mst configuration 109spanning tree mst max-hops 108spanning tree mst max-instance 110spanning tree name 109spanning tree pathcost dynamic 101spanning tree priority 103spanning tree restricted-role 106spanning tree restricted-tcn 107spanning tree revision 110spanning tree root-guard 106spanning tree timers 102spanning tree topology change guard 107spanning tree transmit hold count 103speed 358stopbits 359storm control 78strict-queue 392summary-address 174switchport acceptable-frame type 87switchport access vlan 86switchport mode 76switchport priority default 391synchronization 209tacacs-server 56timeslot-bandwidth 309timeslots 312
T1/E1 channel 312T1/E1 circuit 309
track interface ip-routing 251track interface line-protocol 251track ip route reachability 252track timer interface 250track timer ip route 250tunnel checksum 236tunnel hop-limit 237tunnel mode 236tunnel path-mtu-discovery 237user 46
username 321utilization threshold 264validate-update-source 161version 163vlan 89vlan active 92vlan learning mode 89vrrp vrid ipv4 242vrrp vrid preempt 243vrrp vrid priority 242vrrp vrid text-authentication 244vrrp vrid timer 244vrrp vrid track 245weighted-fair-queue 391
Committed Information Rate, see CIRcommunities, BGP 200community filters 201community policies 201compression 324
acfc 324ppp comp-slot-id 322ppp max-slot-id with 322
compression vjc command 320confederations, BGP 208configuration
defaults 9files 60
configuration mode
config-channel 312config-crypto-map 292config-fr 335config-fr-pvc 338config-fw-nat-fw# 281config-icmp-type 279config-if 75, 132, 161, 236, 390config-mlppp 329config-mst 109config-network 278config-ppp 319, 394config-protocol 280config-qos-policy 391
config-qos-policy-spq 392config-qos-policy-wfq 391config-rmap 223config-router 157, 171, 193config-service 279config-sp 357config-t1e1 307config-track 251config-ts 371config-vlan 86config-vrrp 241config-vrrp-if 241dhcp-config 257
connecting to the 10RX 5contacting GarrettCom xxiiconventions used in this manual xxicopy command 59, 71CoS 385CoS queue map configuration 398crypto ike profile command 286crypto map command 292crypto map configuration mode 292crypto maps 292
D
data link connection identifier, see DLCIdatabase
VLAN 88, 90databits command 359date, system 13DCE lmi mode 337DSCP 385dead peer detection, See DPDdefault
administrative distance values 160configuration 9DHCP router 263event severity 62local preference (BGP) 202metric (BGP) 204metric (RIP redistribution) 158
password 5RIP route 161username 5
default cost 173default-metric command 158, 204default-router command 263delay up down command 252DES 286 to 287, 290 to 291DH groups 286, 288DHCP
overview 257configuring in the CLI 257 to 265configuring in the GUI 266 to 273displaying information 265, 272enabling and disabling 257, 267options 259, 263, 268, 270 to 271
Differentiated Services Code Point. see DSCPDiffie-Hellman, See DHdir command 58direction command 373distance bgp command 197distance command
RIP 159route map 231
distance, administrative 159, 197, 231distribute-list command 229 to 230DLCI 338 to 339dlci command 339DLF 78DNS 261dns-server command 261domain-name command 261dot1 TLV 134dot3 TLV 135DPD 285 to 286, 289dpd command 289DS1, see T1/E1DSCP 347, 374, 387 to 388, 392, 394DSCP queue map configuration 400DTE lmi mode 337Dynamic Host Configuration Protocol, see DHCP
E
E1, see T1/E1eBGP 193, 207edge ports 97EEK configuration 342, 352eek error-threshold command 345eek event-window command 344eek mode command 343eek poll-timer command 343eek response-timer command 344eek success-events command 345enabling SSL in the GUI 10encapsulation 341encryption command, IKE phase 1 287encryption standards 286 to 287, 290 to 291End-to-End Keepalive, see EEKerase command 58Ethernet
enabling ports 76interfaces 75port type 76settings in the GUI 78
events
attributes 61clearing 65configuring 66defaults 62logging targets 63management 61 to 69notifications 61severity 63
excluded-address command 260expedited forwarding 385, 387
F
facility codes 68features and benefits of 10RX 1file system management 58filtering
BGP community 201
routes, BGP 198, 218SNMPv3 notifications 28VLAN 88with route maps 228 to 231see also, ACL
finalize software upgrade command 73firewall
overview 275configuration in the CLI 275 to 281enabling and disabling 276
flow-ctl command 360forward delay 98 to 99, 102fragmentation 347frag-size command 348Frame Relay
overview 335clearing counters 350configuration in the CLI 335 to 349configuration in the GUI 351 to 355displaying information 349EEK configuration 342, 352enabling and disabling a PVC 340, 353enabling and disabling an interface 336, 351LMI configuration 337, 352PVC configuration 338, 353queueing configuration 345
frame types for T1/E1 309frame-relay priority command 346frames, VLAN types 87frame-types command 309fr-pvc command 373fw-nat-group command 281
G
GARP 81GARP timer configuration in the GUI 85GARP VLAN Registration Protocol, see GVRPGarrettCom website xxiGbE, auto media 75Generic Routing Encapsulation, see GRE
Gigabit Ethernet 75GRE
overview 235configuration in the CLI 235 to 237configuration in the GUI 238
group command 288GUI
BGP Basic Settings 210BGP Filter Configuration 218BGP Local Preference Configuration 216BGP MED Configuration 214BGP Neighbor Configuration 212BGP Route Aggregation Configuration 220CoS Queue Map Configuration 398Crypto Map Basic Settings 302DHCP Basic Settings 267DHCP Global Options 268DHCP Host Option Settings 271DHCP Pool Option Settings 270DHCP Pool Settings 269DHCP Server Binding 272DHCP Server IP Exclude Settings 272DSCP Queue Map 400dynamic VLAN global configuration 81dynamic VLAN port configuration 82Frame Relay DSCP Priority Mapping 402Frame Relay Encapsulation 355Frame Relay End-to-End Keepalive 352Frame Relay Interface Configuration 351Frame Relay Priority Weights 403Frame Relay PVCs 353Frame Relay QoS 401GARP timer configuration 85IKE Profile Basic Settings 299IKE Security Association 303IP address configuration 148IPsec ACL Settings 305IPsec Proposal Basic Settings 301IPsec Security Association 304LLDP Basic Settings 139LLDP Basic TLV Settings 143LLDP DOT1 TLV Settings 144
LLDP DOT3 TLV Settings 146LLDP Global Configurations 138LLDP Interface Settings 141LLDP Neighbor Information 142loopback interface configuration 151MSTP configuration 110 to 119Multilink Point-to-Point Protocol Interface
Stacking 332Multilink Point-to-Point Protocol Interfaces 331Multilink Point-to-Point Protocol Options 333Object Track Timer 253Object Tracking Configuration 254OSPF Area Aggregation 184OSPF Area Configuration 178OSPF AS External Aggregation 185OSPF Basic Settings 176OSPF configuration 175OSPF global configuration 176OSPF Interface Configuration 179OSPF Neighbor Configuration 182OSPF RRD Route Configuration 183OSPF Virtual Interface Configuration 181Point-to-Point Protocol Interfaces 326Port Basic Settings 78PPP Options 327QoS Global Configuration 396QoS Port Settings 397RADIUS server configuration 53reboot 74RIP configuration 164RSTP configuration 119 to 126Serial Port Configuration 366Serial Profile Configuration 364SNMP Agent Control Settings 36SNMP Community Settings 36SNMP Filter Settings 44SNMP Group Settings 37SNMP Security Settings 42SNMP Target Address Settings 40SNMP Target Parameter Settings 41SNMP Trap Settings 43SNMP View Tree Settings 39
SNTP Broadcast Configuration 24SNTP Client Configuration 22SNTP Unicast Table 23SSH Global Settings 12SSL Digital Certificate 10SSL Global Settings 10static routing configuration 154static VLAN configuration 92System Information 73T1/E1 Channel Settings 316T1/E1 Port Configuration 313TACACS server configuration 57Terminal Server Channel Status 382Terminal Server Configuration 379Terminal Server Connections 381VLAN interface configuration 149VLAN port settings 86 to 87VRRP Basic Settings 245VRRP Settings 246
GUI SNMP Group Access Settings 38GVRP 81GVRP configuration in the GUI 81 to 82, 85
H
hardware configurations 1hash algorithms 286 to 287, 290 to 291hash command
IKE phase 1 287IKE phase 2 291
hello time 98 to 99, 102help output in the CLI 6holdtime multiplier, LLDP 128hop metric 155, 158host hardware-type command 265HTTP, Non-SSL 12hybrid switchport mode 77
I
iBGP 193, 209ICMP, enabling echo 258if-standard command 358ignore-dss command 360IGP 209IKE
encryption type, phase 1 287encryption type, phase 2 291lifetime 286profile 286profile table 286
ike proposal configuration mode 286inactivity time 48ingress filtering 88INOS
system files 58upgrade 70
interface command 147interface command (vrrp) 241interface frame-relay command 335interface fr-pvc command 338interface ip-routing 251interface line-protocol 251interface mlp command 329interface mlppp command 329interface ppp command 319interface serial command 362interface t1e1 command 307interface tracking interval 250interface tunnel command 236interfaces
configuring IP addresses 147gigabitethernet 75internet 75loopback 151management 9OSPF 179specifying 147T1/E1 307
Internet Control Message Protocol, see ICMPIP address
and VLANs 89configuring on an interface 147IPsec local 294IPsec peer 293lease 264PPP 322PVC 340terminal server local 374VRRP 242
ip address commandPPP 322PVC 340
IP address configuration in the GUI 148ip dhcp bootfile command 258ip dhcp next-server command 258ip dhcp option command 259ip dhcp ping packets command 258ip dhcp pool command 257ip dhcp server offer-reuse command 259IP encapsulation 340ip qos mark dscp command 394ip qos output queue command 394ip qos output strict-queue command 392ip qos policy command 391ip rip default route install command 161ip rip default route originate command 161ip rip receive version command 162ip rip send version command 162ip rip summary-address command 163ip route command 153ip route reachability command 252IP route tracking interval 250ip split-horizon command 164ip ssh version compatibility command 12IP-FR/FR-IP 342IP-route reachability 249, 252IP-routing state 249IPsec authentication 292, 295 to 296IPsec proposal 290ipsec proposal command 290
IPsec proposal configuration mode 290IPsec VPN
overview 285configuring in the CLI 286 to 299configuring in the GUI 299 to 306
K
keepalive 320key
IKE 285RADIUS 52RSA 10SNTP 17TACACS 56
L
layer command 325layer command (frame relay interface) 336layer command (frame relay PVC) 339layer ppp command 330lcp-echo-interval command 320learned routes 183lease command 264lease, IP address 264lifetime 286, 289 to 290, 292lifetime seconds command, IKE phase 1 289lifetime seconds command, IKE phase 2 292limiting traffic with storm control 78line codes for T1/E1 310line-build-out command 311line-codes command 310line-protocol state 249link control protocol interval 320Link Layer Discovery Protocol, see LLDPLLDP
overview 127configuration in the CLI 127 to 135configuration in the GUI 138 to 146displaying information 135, 142enabling and disabling globally 127, 138
    enabling and disabling on an interface 132, 141
lldp chassis-id-subtype command 130
lldp command 132
LLDP configuration in the CLI 127 to 135
lldp holdtime-multiplier command 128
lldp notification command 132
lldp notification-interval command 130
lldp port-id-subtype 134
lldp reinitialization-delay command 129
lldp tlv-select basic-tlv command 133
lldp tlv-select dot1tlv 134
lldp tlv-select dot3tlv 135
lldp transmit-interval command 128
lldp tx-delay command 129
LMI configuration 337, 352
lmi mode command 337
lmi type command 337
local address command (TS) 374
local address command (VPN) 294
Local Management Interface, see LMI
local preference
    BGP 203, 216
    BGP default 202
local-tcp command 375
logging class 65
logging class command 65
logging event 66
logging event command 66
logging facility command 69
logging server command 67
logging targets 63
login block-for command 46
login configuration 45
login password-strength command 46
loop detection 324
loop guard 106, 115, 125
loopback
    BGP endpoint 206
    interface configuration in the CLI 151
    interface configuration in the GUI 151

M
magic numbers 324
magic-number command 324
management interfaces 9
match command 224, 293
match dscp (wfq) command 392
match dscp command 392 to 393
max-conn command 377
maximum age 98 to 99, 102
Maximum Received Unit 323
Maximum Reconstructed Received Unit 329
Maximum Transmission Unit 323
max-pkt-size command 362
MED 204 to 206, 214
metric 155, 173, 183, 204
metrics 174
MLPPP
    overview 319
    configuring in the CLI 329 to 330
    configuring in the GUI 330 to 334
mode
    eek 343
    T1/E1 transmission 308
    terminal server 370
mode command 308
monitoring with the Protocol Analyzer 405
more command 59
MRRU 329
mrru command 329
MRU 323
mst configuration mode 109
MSTP 99
    region 99
    revision 99
MSTP configuration in the GUI 110 to 119
MTU 77, 323
mtu command 77
Multi-Exit Discriminator, see MED
Multilink Point-to-Point Protocol, see MLPPP
N
nameif command 275
nat command 282
NAT configuration in the CLI 281 to 283
navigating the CLI 6
neighbor
    BGP 194, 212
    BGP status, showing 195
    LLDP 127, 142
    OSPF 170, 181 to 182
neighbor command 194
    with ebgp-multihop argument 207
    with route-reflector-client argument 207
    with update-source argument 206
NetBIOS 262
netbios-name-server command 262
netbios-node-type command 262
Network Address Translation, see NAT
Network Basic Input/Output System, see NetBIOS
network command
    DHCP 260
    OSPF 171
    RIP 157
network object groups 278 to 279
no aggregate-address command 197
no bgp always-compare-med command 206
no bgp comm-filter command 202
no bgp comm-policy command 201
no bgp comm-route command 201
no bgp default local-preference command 203
no bgp local-preference command 204
no bgp router-id command 194
no bgp update-filter command 200
no channel command 312
no cir command 349
no confederation identifier command 209
no confederation peers command 209
no default-metric command 205
no dhcp bootfile command 258
no dhcp offer-reuse command 259
no dhcp option command 260
no direction command 373
no dns-server command 261
no domain-name command 261
no eek error-threshold command 345
no eek event-window command 344
no eek mode command 343
no eek poll-timer command 344
no eek response-timer command 344
no eek success-events command 345
no excluded-address command 261
no frag-size command 348
no frame-relay priority command 346
no fr-pvc command 373
no host hardware-type command 265
no interface frame-relay command 336
no interface fr-pvc command 339
no ip address command (PVC) 341
no ip dhcp command 258
no ip dhcp next-server command 258
no ip dhcp ping packets command 259
no ip qos mark dscp command 395
no ip qos output queue command 394
no ip qos policy command 391
no layer command 336, 339
no lease command 264
no lmi mode command 338
no lmi type command 337
no local address command (TS) 375
no local address command (VPN) 294
no local-tcp command 375
no match command 224
no match dscp command 392
no max-conn command 377
no neighbor command 194
no neighbor ebgp-multihop command 207
no neighbor route-reflector-client command 208
no netbios-name-server command 262
no netbios-node-type command 262
no network command
    DHCP 260
    OSPF 172
    RIP 158
no option command (DHCP) 263
no peer ip address command (PVC) 341
no priority command (TS) 374
no qos cos default command 391
no qos trust command 390
no rate command 394
no redistribute command 196
no remote-address command 376
no remote-tcp command 376
no retry-time command 377
no route-map command 224
no router bgp command 194
no serial-channel command 372
no serial-fr command 342
no serial-port command 372
no session-type command 374
no set (route map values) commands 227
no shutdown command
    Ethernet port 76
    Frame Relay interface 336
    Frame Relay PVC 340
    PPP 325
    t1e1 channel 313
    t1e1 circuit 311
no snmp access command 31
no snmp community index command 30
no snmp engineid command 32
no snmp filter command 35
no snmp group command 31
no snmp notify command 35
no snmp targetaddr command 33
no snmp targetparams command 34
no snmp view command 32
no strict-queue command 393
no switchport command 76
no synchronization command 210
no timeslots command 309, 312
no utilization threshold command 265
no weighted-fair-queue command 392
notifications, SNMP 27
not-so-stubby-area 171 to 172
nssa 171 to 172

O
object tracking
    overview 249
    configuring in the CLI 250 to 253
    configuring in the GUI 253 to 255
    trackable states and conditions 249
object tracking in VRRP 245
object-group icmp command 279
object-group network command 278
object-group protocol command 280
object-group service command 279
objects and object groups 278 to 280
Open Shortest Path First, see OSPF
option command (DHCP) 263
OSPF
    overview 169
    configuration in the CLI 171 to 175
    configuration in the GUI 175 to 186
    enabling and disabling 176
    enabling globally 171
    example 186 to 192
    route map functionality 232
output queues 387

P
PAP authentication 320
parity command 359
password
    changing 49
    strength 46
password expiration interval 48
peer address command 293
peer ip address command (PVC) 341
perfect forward secrecy, see PFS
permanent virtual circuits, see PVC
PFC 324
PFS 286, 288
pfs command 288
pkt-char command 361
pkt-time command 361
pmtu command 323
point ports 97
Point-to-Point Protocol, see PPP
point-to-point links 97
policer 385
policies, BGP community 201
port roles 97
port subtype 134
portfast 104
ports 104
    Ethernet 76
    link type 104
    pathcost 104
    RSTP 98
    T1/E1 307, 313
    type router 76
    type switchport 76
    VLAN config command 90
ports (VLAN) command 90
PPP
    overview 319
    configuring in the CLI 319 to 325
    configuring in the GUI 325 to 328
    enable/disable interface 325
    output queues 387
    physical port 325
    strict queueing 392
ppp acfc command 324
ppp comp-slot-id command 322
ppp max-slot-id command 322
ppp mru command 323
ppp pfc command 324
preemption, VRRP 243
pre-shared key 296
priority
    Frame Relay 345
    PVC default 346
    RSTP 99, 103
    spanning tree port 104
    terminal server channel 374
    VRRP 242
priority command
    PVC 346
    TS 374
priority tagged frames 87
privilege level 48
profile command, crypto map 295
proposal command, crypto map 294
proposal, IPsec 290
Protocol Analyzer
    overview 405
    configuring 405 to 407
    starting and stopping 405
protocol field compression, see PFC
protocol object groups 280
protocol-analyzer command 405
protocols supported 1
psk 296
PVC 338, 353
PVID 87

Q
QoS
    overview 385 to 388
    configuring in the CLI 388 to 396
    configuring in the GUI 396 to 404
    displaying information 395
    enabling and disabling 388, 396
    global configuration in the GUI 396
    port settings in the GUI 397
qos frame-relay output dscp-map command 347
qos output cos-map command 389
qos output dscp-map command 389
qos trust command 390
qos trust mode 390
qos, switchport priority default command 391
Quality of Service, see QoS
queueing configuration, Frame Relay 345
queueing policy configuration 391 to 395
R
RADIUS 50
RADIUS server configuration in the GUI 53
radius-server command 52
Rapid Spanning Tree Protocol, see RSTP
rate command 393
reachability 252
reboot 74
rebooting in the GUI 74
redist-config command 174
redistribute command
    BGP 196
    RIP 158
    route map 229
redistribution 158, 196
region name 109
region revision 110
region, MSTP 99
reload 73
reload command 73
remote-address command 376
remote-tcp command 376
resetting a BGP session 195
restart 73
retry software upgrade command 73
retry-time command 377
revision, MSTP 99
RFC1583 compatibility 176
RIP
    overview 157
    configuration in the CLI 157 to 164
    configuration in the GUI 164 to 167
    enabling and disabling 157
    route map functionality 231
RJ45 75
Roles 97
roles
    bridge 96
    port 97
route configuration in OSPF 183
route maps
    overview 223
    and routing protocols 231 to 233
    applying 228 to 231
    configuring 223 to 228
    displaying information 234
route redistribution
    BGP 196
    RIP 158
route reflector 207
route summarization, OSPF 173 to 174, 184 to 185
route-map command 223
router bgp command 193
router ospf command 171
router rip command 157
router vrrp command 241
Routing Information Protocol, see RIP
rs232 358
rs485-2wire 358
rs485-4wire 358
RSA key and certificate 10
RSTP 95
    overview 95 to 99
    bridge roles 96
    forward delay 98 to 99, 102
    hello time 98 to 99, 102
    maximum age 98 to 99, 102
    port roles 97
    port states 98
    priority 99
RSTP configuration in the CLI 100 to 110
RSTP configuration in the GUI 119 to 126
running-config 60

S
SCADA 341, 346, 348
Secure Shell Server, see SSH
Secure Sockets Layer, see SSL
secure web server 9
security provisions 2
security-level command 275
sent-username command 321
serial encapsulation 341
serial interfaces
    overview 357
    configuring in the CLI 362
    configuring in the GUI 366
    configuring profiles in the GUI 364
    configuring serial profiles in the CLI 357 to 362
    displaying information 363
    speed 358
serial-channel command 371
serial-fr serial command 341
serial-port command 372
serial-profile command 357, 363
service object groups 279
session-type command 373
set (route map values) commands 227
set dhcp server command 257
set firewall command 276
set garp timer command 83
set gvrp command 81
set lldp command 127
set port gvrp command 82
set qos command 388
set snmp command 30
set sntp command 14
set telnet enable command 12
set unicast-mac learning command 93
SFP 75
shortcuts in the CLI 7
show clock command 13
show crypto command 297
show frame-relay priority command 349
show ike profile command 296
show ike sa command 296
show interface frame-relay command 349
show interface fr-pvc command 349
show interface serial command 363
show interface t1e1 command 317
show ip bgp community filter command 202
show ip bgp community policy command 201
show ip bgp community route command 201
show ip bgp confed info command 209
show ip bgp filters command 200
show ip bgp info command 205
show ip bgp local-pref command 203 to 204
show ip bgp med command 205
show ip bgp neighbor command 195
show ip bgp rfl info command 208
show ip dhcp server binding command 266
show ip dhcp server information command 265
show ip dhcp server pools command 266
show ip dhcp server statistics command 266
show ip qos interface command 395
show ipsec proposal command 297
show ipsec sa command 296
show lldp command 136
show lldp errors command 137
show lldp interface command 136
show lldp local command 137
show lldp neighbors command 136
show lldp statistics command 137
show lldp traffic command 136
show logging events command 64
show logging facility command 69
show logging server command 69
show qos frame-relay output dscp-map command 349
show radius server command 52
show serial-channel command 378
show serial-connection command 378
show serial-profile command 363
show sntp broadcast-mode status command 22
show sntp multicast-mode status command 22
show sntp status command 22
show sntp unicast-mode status command 22
show software upgrade command 72 to 73
show system information command 72
show tacacs command 56
show upgrade information command 70
show users command 45
show vlan id command 88
shutdown command
    Ethernet port 76
    Frame Relay interface 336
    Frame Relay PVC 340
    PPP 325
    t1e1 channel 313
    t1e1 circuit 311
signal compensation for T1/E1 311
Simple Network Management Protocol, see SNMP
SNMP
    overview 24
    access 25, 29, 31, 38
    communities 30, 36
    configuration in the CLI 30 to 35
    configuration in the GUI 36 to 44
    enabling and disabling 30, 36
    filters 28, 35, 44
    groups 30, 37
    notifications 27, 34
    traps 29, 35, 43
    v2 configuration examples 28 to 29
    v3 configuration examples 25 to 28
    views 26, 32, 39
snmp access command 31
snmp community index command 30
snmp engineid command 31
snmp filter command 35
snmp group command 30
snmp notify command 34
snmp targetaddr command 32
snmp targetparams command 33
snmp trap command 35
snmp user command 34
snmp view command 32
SNTP
    configuration in the CLI 13 to 22
    configuration in the GUI 22 to 24
sntp broadcast-mode send-request command 19
sntp broadcast-poll-timeout command 20
sntp client addressing mode command 14
sntp client authentication key command 17
sntp client clock-format command 15
sntp client clock-summer-time command 16
sntp client port command 15
sntp client time-zone command 16
sntp client version command 14
sntp multicast-delay-time command 21
sntp multicast-group-address command 22
sntp multicast-mode send-request command 21
sntp multicast-poll-timeout command 21
sntp unicast server command 18
sntp unicast-max-poll-retry command 19
sntp unicast-max-poll-timeout command 19
sntp unicast-poll-interval command 18
sntp unicast-server auto-discovery command 18
software upgrade 70
spanning tree auto-edge command 106
spanning tree bpdu-receive command 107
spanning tree bpdu-transmit command 108
spanning tree command 100
spanning tree compatibility command 101
spanning tree interface properties command 104
spanning tree loop-guard 106
spanning tree mode command 100
spanning tree mst configuration command 109
spanning tree mst max-hops command 108
spanning tree mst max-instance command 110
spanning tree name command 109
spanning tree pathcost dynamic command 101
spanning tree priority command 103
Spanning Tree Protocol, see RSTP
spanning tree restricted-role command 106
spanning tree restricted-tcn command 107
spanning tree revision command 110
spanning tree root-guard command 106
spanning tree timers commands 102
spanning tree topology change guard command 107
spanning tree transmit hold count command 103
speed command 358
split horizon 164
SPQ 385, 387
    policer 385
SSH 11
    SSHv1 compatibility 12
    SSHv2 12
SSH configuration in the GUI 12
ssh version compatibility command 12
SSL 10
SSL certificate generation in the GUI 10
startup-config 60
static routes 153
static routing configuration in the GUI 154
static VLAN 90
static VLAN configuration in the GUI 92
stopbits command 359
storm control 78
storm control command 78
STP, see RSTP
Strict Priority Queue 385
strict-queue command 392
stub area 171 to 172
summarization 173 to 174
summary-address command 174
switchport acceptable-frame type command 87
switchport access vlan command 86
switchport mode command 76
switchport priority default command 391
synchronization command 209
synchronization, iBGP with IGP 209
syntax conventions xxi
Syslog
    configuring server 67
    facility codes 68
    priority values 67
system date 13
system information in the GUI 73
system time 13

T
T1/E1
    overview 307
    configuration in the CLI 307 to 313
    configuration in the GUI 313 to 316
    displaying information 317
    enabling and disabling a channel 313
    enabling and disabling an interface 311
TACACS 54
TACACS server configuration in the GUI 57
tacacs-server command 56
tagged frames 87
tcn 107
Telnet server 12
Telnet terminal server connection 371
Terminal Server
    overview 369
    configuration in the CLI 371 to 378
    configuration in the GUI 379 to 384
    display information 378
    modes 370
terminal server frame relay extension 342
Time to Live, see TTL
time, system 13
timeout 155
timer
    GARP 83
    PPP 320
    spanning tree 102, 112, 121
    VRRP 244
timeslot bandwidth command 309
timeslots 309, 312
timeslots command 312
    T1/E1 channel 312
    T1/E1 circuit 309
TLV 127, 133 to 135
Tools 2
topologies 2
topology change notification 107
track interface ip-routing command 251
track interface line-protocol 251
track timer interface command 250
track timer ip route command 250
trackable states and conditions 249
traffic descriptor, see ACL
transit area 181
transmission interval, LLDP 128
traps, SNMPv2c 29
trunk switchport mode 77
trunking 81
trust mode, QoS 390
tunnel
    GRE configuration 235
    interface configuration 147
    IPsec VPN configuration 285
tunnel checksum command 236
tunnel hop-limit command 237
tunnel mode command 236
tunnel path-mtu-discovery command 237

U
unicast time and date synchronization 18
untagged frames 87
upgrading software 70
user
    adding 47
    blocking and releasing 47
    deleting 47
    inactivity time 48
    password expiration interval 48
    privilege level 48
user command 46
user management 44 to 50
username command 321
utilization threshold command 264

V
validate-update-source command 161
Van Jacobson compression 320
version command 163
views, SNMP 26
Virtual Router Redundancy Protocol, see VRRP
vjc 320
VLAN
    database 88, 90
    learning mode 89
vlan active command 92
vlan command 89
VLAN interface configuration in the GUI 149
vlan learning mode command 89
VLAN port configuration in the GUI 86 to 87
VLANs 81 to 93
VoIP 346
VPN, see IPsec VPN
VRRP
    overview 241
    configuration in the CLI 241 to 245
    configuration in the GUI 245 to 247
    enable/disable 241, 245
vrrp vrid ipv4 command 242
vrrp vrid preempt command 243
vrrp vrid priority command 242
vrrp vrid text-authentication command 244
vrrp vrid timer command 244
vrrp vrid track command 245

W
WAN, see T1/E1
web access to INOS manuals xxi
weighted fair queue, see WFQ
weighted-fair-queue command 391
WFQ 385, 388, 391
Windows Internet Name Service, see WINS
WINS 262