Page 1 of 71
PRIMERGY
PRIMERGY 10/40GbE Connection Blade 18/8+2 Function Manual
FUJITSU
Chapter 1 Network design concepts ... 3
1.1 Layer 2 network design concepts ... 3
1.1.1 VLAN ... 3
1.1.2 Link aggregation ... 4
1.2 Outline of Device Setting ... 4
Chapter 2 Outline of functions ... 5
2.1 Auto negotiation function ... 5
2.2 Flow control function ... 6
2.3 Forwarding mode change function ... 7
2.4 MAC address learning / MAC forwarding function ... 8
2.5 VLAN function ... 9
2.6 Link aggregation function ... 13
2.6.1 LACP Function ... 14
2.7 Back-up port function ... 15
2.8 STP Function ... 16
2.8.1 STP ... 16
2.8.2 RSTP ... 19
2.8.3 MSTP ... 20
2.9 LLDP function ... 21
2.10 MAC filtering function ... 22
2.11 QoS function ... 25
2.11.1 Priority control function ... 25
2.11.2 Priority control function where ACL is used ... 28
2.12 IGMP snoop function ... 31
2.13 MLD Snoop Function ... 33
2.14 EHM Function ... 35
2.15 IEEE802.1X Authentication Function ... 36
2.16 Guest VLAN function ... 41
2.17 Broadcast / Multicast storm control function ... 42
2.18 Port mirroring function ... 43
2.19 Ether L3 Monitoring Functions ... 45
2.20 Output rate control function ... 46
2.21 Port block function ... 47
2.22 IP route control function ... 48
2.22.1 Types of IP route information ... 48
2.22.2 Management of IP Route Information ... 49
2.22.3 Route Control Function according to the Error Detection of Interface ... 49
2.22.4 Static Routing Function ... 49
2.23 IPv6 Function ... 50
2.24 IP Filtering function ... 54
2.25 DSCP Value Rewrite Function ... 55
2.26 RADIUS function ... 57
2.27 SNMP Function ... 59
2.27.1 RMON Function ... 60
2.28 SSH server function ... 61
2.28.1 SSH client software ... 63
2.29 Application Filter Function ... 64
2.30 TACACS+ Function ... 65
2.31 LDAP Function ... 66
2.32 IEEE802.1Q Tunneling Function ... 67
2.33 CEE Function ... 69
2.34 Edge virtual switch function ... 71
Chapter 1 Network design concepts
1.1 Layer 2 network design concepts
1.1.1 VLAN
In a layer 2 network, the forwarding destination is determined from the MAC address. A layer 2 network can be
divided into logical networks called VLANs: one logical network can be built from multiple physical networks, or
multiple logical networks from one physical network. Each VLAN is managed with a VLAN ID (VID).
VLAN ID A VLAN is identified by a VLAN ID, a decimal number from 1 to 4094. At layer 2, communication is possible
between ports with the same VLAN ID but not between ports with different VLAN IDs.
Type of VLAN There are three types of VLAN.
• Port VLAN
Each Ethernet port is assigned to a VLAN; untagged frames arriving on the port belong to that VLAN.
• Tag VLAN
Used when multiple VLANs are carried on one physical line. A VLAN header (tag) is inserted into the Ethernet
frame header by the method standardized in IEEE 802.1Q, so that multiple VLANs can share the line.
• Protocol VLAN
The Ethernet frame header contains a 16-bit field called the frame type (EtherType) that identifies the upper
layer protocol carried in the frame. For example, IP and IPX traffic can be told apart at the Ethernet frame level.
A protocol VLAN uses this field, so that a different VLAN can be assigned to each network protocol.
For example, IP traffic can be divided into one VLAN per subnet and routed between them, while IPX is
configured as one network without any division.
Each Ethernet port can be configured with any of these three types. For example, with VLAN ID 10 set as a
port VLAN on Ethernet port 1 and as a tag VLAN on Ethernet port 2, the traffic of VLAN 10 is sent and received
on both ports: as normal frames without a tag on port 1 and as frames carrying the VLAN 10 tag on port 2.
[Figure: a router connected through a tag VLAN port (VID 10, 20, 30) to three port VLANs (VID 10, VID 20, VID 30); a router connected to a port VLAN (VID 10) and to a protocol VLAN (FNA VID 20, IP VID 30)]
1.1.2 Link aggregation
Link aggregation is a technology that bundles multiple physical links and treats them as one logical link. When
one physical link does not provide enough bandwidth, a wider bandwidth is secured by bundling several links.
In addition, when one of the physical links in the aggregation can no longer communicate, because of a failure
for example, communication continues over the remaining physical links, so the function also provides a
redundant configuration.
When two or more VLANs are carried, the logical link carries the multiple VLANs just as one physical link would.
STP likewise treats the aggregation as one link, and port control is performed on the logical link of the link
aggregation.
1.2 Outline of Device Setting
Relation of network and setting The information set in this device consists of physical information about the connected lines, logical
information about the network connection, and routing information that decides how data is forwarded.
Device specific information and the settings of additional services are set as required. In this device, the
settings are classified broadly as follows.
•ether definition
A group of commands that defines the physical information of the lines connected to this device: the type and
speed of each line.
•vlan definition
A group of commands that defines the VLAN information of this device: the VLAN protocol information and
the static learning table.
•lan definition
A group of commands that defines the logical information of the LAN connection: the IP address of the LAN
and its network. LAN dependent services such as DHCP are also defined under the corresponding lan
definition.
•Other definitions
A group of commands that defines device dependent information and the information of additional services.
Network management information and time information are also defined here.
Definition of Network Interface The network interface is the 'exit' used when data is transmitted. There are several types, according to the
characteristics of the interface and the connected line. The types of network interface are as follows.
•lo
Loopback interface. Used when an internal program of the device transmits to the device itself.
•lan
Ethernet interface, used for transmission over Ethernet. It is configured by the lan definition. The interface
type followed by the interface number forms the network interface name.
Example: lo0, lan0, lan1, ...
A lan network interface is configured by the lan definition.
The definition number of the lan definition and the interface number of the network interface correspond one to one.
Definition of Routing Information Routing information defines what is needed to determine the network interface that finally becomes the
exit. In this device, routing information is set within the definition of the exit interface. For example, the
routing information for output from lan0 is defined under lan0 and the routing information for output from
lan1 is defined under lan1, separately.
Chapter 2 Outline of functions
2.1 Auto negotiation function
The auto negotiation function is a protocol between two devices specified in IEEE 802.3u. It sets the
transmission speed and the communication mode (full duplex / half duplex) automatically according to a
priority order.
▪ Between two auto negotiation (Auto-Nego) devices, the communication mode is chosen by an algorithm
from the modes that both sides can support.
▪ With a fixed configuration, normal communication is possible only when both sides use the same
communication mode.
Points to be noted
▪ When one side uses auto negotiation and the other side is fixed to FULL (full duplex), the auto negotiation
side recognizes the communication mode as HALF (half duplex). Because of the resulting high error rate,
normal communication may not be possible. Set the communication mode correctly on both sides.
▪ When the communication mode of one side or both sides cannot be recognized mutually by auto negotiation,
set the communication mode of both sides to a fixed value.
▪ When one side is wrongly fixed to 10M and the other side is fixed to 100M, the link is established by only one
of the devices, and depending on the communication state the link may be established and cut off
repeatedly. In this case, set the communication mode correctly.
▪ There is no auto negotiation of link speed on 10G ports.
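The following model reproduces the outcomes listed above, in particular the duplex mismatch that appears when only one side auto-negotiates. It is an added example written for this page, not firmware of the connection blade; the ability sets, the simplified priority table and the names `autoneg`, `fixed` and `negotiate` are assumptions of the example.

```python
"""Model of the IEEE 802.3 auto-negotiation outcome between two ports, including
the duplex mismatch produced when only one side auto-negotiates. Added
illustration for this page; it is not the connection blade's firmware."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple

Ability = Tuple[int, str]  # (speed in Mbps, "full" | "half")

# Technology priority used to resolve the common mode, highest priority first
# (simplified from IEEE 802.3 Annex 28B; 10G ports on this device do not
# negotiate speed at all, so they are not modelled here).
PRIORITY: Tuple[Ability, ...] = (
    (1000, "full"), (1000, "half"),
    (100, "full"), (100, "half"),
    (10, "full"), (10, "half"),
)


@dataclass(frozen=True)
class PortConfig:
    autoneg: bool
    abilities: FrozenSet[Ability]  # advertised set, or the single forced mode


@dataclass(frozen=True)
class LinkResult:
    speed_mbps: Optional[int]  # None: no stable link
    duplex_a: Optional[str]
    duplex_b: Optional[str]
    note: str

    @property
    def duplex_mismatch(self) -> bool:
        return self.speed_mbps is not None and self.duplex_a != self.duplex_b


def autoneg(abilities: Iterable[Ability]) -> PortConfig:
    return PortConfig(True, frozenset(abilities))


def fixed(speed_mbps: int, duplex: str) -> PortConfig:
    return PortConfig(False, frozenset({(speed_mbps, duplex)}))


def _forced(cfg: PortConfig) -> Ability:
    (ability,) = cfg.abilities
    return ability


def negotiate(a: PortConfig, b: PortConfig) -> LinkResult:
    if a.autoneg and b.autoneg:
        # Both sides exchange ability pages; the highest common technology wins.
        for tech in PRIORITY:
            if tech in a.abilities and tech in b.abilities:
                return LinkResult(tech[0], tech[1], tech[1], "auto-negotiated")
        return LinkResult(None, None, None, "no common ability")

    if not a.autoneg and not b.autoneg:
        (sa, da), (sb, db) = _forced(a), _forced(b)
        if sa != sb:
            # Fixed 10M against fixed 100M: only one side sees a link, and it
            # may come and go; the page calls this case out explicitly.
            return LinkResult(None, None, None, "fixed speed mismatch, link unstable")
        return LinkResult(sa, da, db, "both fixed")

    # One side auto-negotiates, the other is fixed. The auto side receives no
    # ability pages, only link pulses / idle symbols, so parallel detection can
    # infer 10M or 100M speed but not the duplex, and it falls back to half
    # duplex. A fixed full-duplex partner therefore produces a mismatch.
    auto_side, fixed_side = (a, b) if a.autoneg else (b, a)
    speed, fixed_duplex = _forced(fixed_side)
    if speed not in (10, 100):
        return LinkResult(None, None, None, "parallel detection resolves only 10M/100M")
    if not any(s == speed for s, _ in auto_side.abilities):
        return LinkResult(None, None, None, f"{speed}M not advertised by the auto side")
    duplex_auto = "half"
    if a.autoneg:
        return LinkResult(speed, duplex_auto, fixed_duplex, "parallel detection")
    return LinkResult(speed, fixed_duplex, duplex_auto, "parallel detection")


ALL_COPPER = autoneg(PRIORITY)  # a port advertising every ability in the table

if __name__ == "__main__":
    print(negotiate(ALL_COPPER, fixed(100, "full")))
```

Run against a fixed 100M full duplex partner, `negotiate(ALL_COPPER, fixed(100, "full"))` reports 100M with half duplex on the auto side and full on the fixed side, which is the mismatch the note above warns about; two auto-negotiating ports settle on 1000M full duplex, and two mismatched fixed speeds give no stable link.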
2.2 Flow control function
In this device, flow control is supported with Pause frames based on IEEE 802.3x. The operation of each port
according to the flow control settings is shown below.
Points to be noted
When flow control is applied, the connected side may be unable to transmit frames to the corresponding port
of this device. In that case frames may be discarded according to the buffer capacity of the connected side,
regardless of the priority set by the priority function of this device. Therefore, disable flow control on networks
that carry voice or video. In addition, the transfer performance of data frames may deteriorate depending on
the connected side. Whether a PAUSE frame is transmitted for flow control is decided from the remaining
capacity of the reception buffer of the input port. Frames transferred to a port whose output queue length is
controlled by 'buffermode qos' or 'ratecontrol' are discarded on the output queue side and are not
accumulated in the reception buffer of the input port; as a result, a Pause frame is not transmitted even though
frames are being discarded. To execute flow control reliably, set buffermode to max so that frames are not
transferred to a port where ratecontrol is set.
<In case of fixed mode>
Flow control setting (Transmission / Reception) | Communication mode | System operation, transmission direction | System operation, reception direction
Off / Off | Full duplex fixed | Pause frame not transmitted | Flow control is not executed when a Pause frame is received (1)
On / Off | Full duplex fixed | Pause frame transmitted for flow control | Flow control is not executed when a Pause frame is received (1)
Off / On | Full duplex fixed | Pause frame not transmitted | Flow control is executed when a Pause frame is received
On / On | Full duplex fixed | Pause frame transmitted for flow control | Flow control is executed when a Pause frame is received
1) Received Pause frames are ignored.
2.3 Forwarding mode change function
In this device, cut-through mode or store-and-forward mode can be selected as the switching method.
Cut-through mode
Forwarding from the destination port starts as soon as the head of the packet has been received by this device.
Because forwarding does not wait for the entire packet to arrive, the forwarding delay of the packet is
minimized.
Store-and-forward mode
The entire packet is received by this device before it is forwarded from the destination port.
Points to be noted
In cut-through mode, latency is reduced but error packets are relayed, because an error in the packet cannot
be detected before the whole packet has arrived. In store-and-forward mode, an error packet is not relayed even
if it is received; on the other hand, latency is longer than in cut-through mode because the packet data is
accumulated first.
2.4 MAC address learning / MAC forwarding function
In this device, the following MAC address learning functions are supported.
MAC address learning basic function
Dynamically learns the source MAC address of received packets and registers it in the FDB (Forwarding
Database). A registered MAC address is retained until the aging-out time expires. The aging-out time can be
changed by a configuration definition command (default is 300 seconds). When a port links down, the FDB
entries learned from that port are deleted.
MAC address auto learning stop function
Stops the learning of dynamic MAC addresses for the whole device, according to the configuration definition.
FDB clear function
Deletes dynamically learned FDB entries. Conditions such as a port or a MAC address can be specified.
Static MAC forwarding function
Forwards frames with a specific destination address to the port specified for each VLAN. A unicast address can
be specified as the destination address.
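The following model puts the five functions above together: source learning with a 300 second aging-out time, learning stop, FDB clear by port or MAC, flush on link down, and static entries that take precedence over learned ones. It is an added illustration for this page, not the device's implementation; the class name, the `demo()` walk-through, the port names and the MAC addresses are constructed for the example.

```python
"""Forwarding database (FDB) model: source MAC learning, aging, FDB clear,
learning stop, flush on link down, and static MAC forwarding, following the
functions described above. Added illustrative code, not the device's
implementation; port names and MAC addresses are constructed."""
import time
from typing import Callable, Dict, List, Optional, Set, Tuple

Key = Tuple[int, str]  # (VLAN ID, MAC address)


class ForwardingDatabase:
    def __init__(self, aging_seconds: float = 300.0,
                 clock: Optional[Callable[[], float]] = None) -> None:
        self.aging_seconds = aging_seconds          # default 300 s, as on the device
        self.clock = clock or time.monotonic
        self.learning_enabled = True                # "auto learning stop" clears this
        self._dynamic: Dict[Key, Tuple[str, float]] = {}   # key -> (port, last seen)
        self._static: Dict[Key, str] = {}                  # key -> port

    def add_static(self, vid: int, mac: str, port: str) -> None:
        """Static MAC forwarding entry; it replaces any learned entry for the key."""
        self._dynamic.pop((vid, mac), None)
        self._static[(vid, mac)] = port

    def learn(self, vid: int, mac: str, port: str) -> None:
        if not self.learning_enabled or (vid, mac) in self._static:
            return
        self._dynamic[(vid, mac)] = (port, self.clock())  # refresh also moves the port

    def lookup(self, vid: int, mac: str) -> Optional[str]:
        key = (vid, mac)
        if key in self._static:
            return self._static[key]
        entry = self._dynamic.get(key)
        if entry is None:
            return None
        port, last_seen = entry
        if self.clock() - last_seen >= self.aging_seconds:  # aged out
            del self._dynamic[key]
            return None
        return port

    def link_down(self, port: str) -> None:
        """Entries learned on a port are deleted when that port links down."""
        self.clear(port=port)

    def clear(self, port: Optional[str] = None, mac: Optional[str] = None) -> int:
        """FDB clear: drop dynamic entries matching the given port and/or MAC."""
        victims = [k for k, (p, _) in self._dynamic.items()
                   if (port is None or p == port) and (mac is None or k[1] == mac)]
        for k in victims:
            del self._dynamic[k]
        return len(victims)

    def forward(self, vid: int, src_mac: str, dst_mac: str, in_port: str,
                vlan_ports: Set[str]) -> List[str]:
        """Learn the source, then return the egress ports: the one known port,
        or a flood to all other ports of the VLAN when the destination is unknown."""
        self.learn(vid, src_mac, in_port)
        out = self.lookup(vid, dst_mac)
        if out is not None:
            return [] if out == in_port else [out]
        return sorted(p for p in vlan_ports if p != in_port)

    def dynamic_count(self) -> int:
        return len(self._dynamic)


def demo() -> Dict[str, object]:
    """Walk through learning, aging and link-down flush with a fake clock."""
    now = [0.0]
    fdb = ForwardingDatabase(aging_seconds=300, clock=lambda: now[0])
    ports = {"ether1", "ether2", "ether3"}
    h1, h2, h3 = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
    first = fdb.forward(10, h1, h2, "ether1", ports)   # h2 unknown: flood
    reply = fdb.forward(10, h2, h1, "ether2", ports)   # h1 learned: unicast
    now[0] = 301.0                                     # past the aging-out time
    aged = fdb.forward(10, h3, h1, "ether3", ports)    # h1 aged out: flood again
    fdb.link_down("ether3")                            # drops the entry for h3
    fdb.add_static(10, h2, "ether2")                   # replaces h2's learned entry
    fdb.learning_enabled = False                       # auto learning stop
    fdb.forward(10, h1, h2, "ether1", ports)           # h1 is not learned now
    return {"first": first, "reply": reply, "aged": aged,
            "dynamic_after": fdb.dynamic_count(),
            "static_lookup": fdb.lookup(10, h2)}


if __name__ == "__main__":
    print(demo())
```

The flood on an unknown destination is the part worth noticing: every address that ages out, or that is pushed out of a full table, turns unicast traffic into a broadcast to the whole VLAN, which is why static entries and a sensible aging time matter on ports facing untrusted hosts.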
2.5 VLAN function
The VLAN function divides a physical LAN into multiple virtual LANs, grouping by port, MAC address, protocol
and so on.
VLAN in device
VLAN prescribes a communication method that uses a VLAN group identification method called tagging.
Tagging identifies the VLAN a frame belongs to by attaching a VLAN tag to the frame. The identifier defined in
the tag is called the VLAN ID; when one VLAN is defined, one corresponding VLAN ID is assigned. The VLAN
function supported by this device is based on IEEE 802.1Q.
In this device, all ports are initially set to VID=1 as 'no tag' members of VLAN 1. The setting of each port can be
changed to 'with tag' or 'no tag' membership of a specific VLAN.
VLAN and network address
When the VLAN function is used, bridged communication is closed within the VLAN. Defining a VLAN therefore
restricts broadcast frames (the broadcast domain) at the MAC address level. Seen from the network layer, the
following two things become possible.
• Multiple network addresses correspond to one physical port by using VLAN tags.
• One network address is assigned to a group of multiple physical ports.
[Figure: virtual interfaces VLAN1, VLAN2 and VLAN3 on a VLAN-capable switching HUB, each VLAN spanning its own group of ports]
VLAN type
In the VLAN function supported by this device, VLANs can be divided in the following two units.
•Port VLAN
Groups ports in port units. Addresses for all network protocols can be assigned.
•Protocol VLAN
Groups ports on the basis of a specific protocol.
The protocols that can be specified for a protocol VLAN are as follows.
- IP
- IPv6
In addition, a protocol VLAN for any other protocol can be created by specifying the frame type directly. Example)
IPX (Ethernet II type, EtherType value [0x8137, 0x8138] specified)
Relationship between VLAN tag and port
When the VLAN function is used, whether a VLAN tag is attached to frames sent from a port of the VLAN is
defined in advance. Whether to attach it or not depends on whether the node at the end of each port can
recognize VLAN tags.
When the VLAN function is used, the segment connected to each port of this device is one of the following three.
•Access link
A section where only frames without a VLAN tag flow. End nodes that cannot recognize VLAN tags are
connected here.
•Trunk link
A section where only frames with a VLAN tag flow. Devices that support tagged VLANs are connected to each
other by a normal trunk link. End nodes that cannot recognize VLAN tags are not connected.
•Hybrid link
A section where both frames with and without a VLAN tag flow. Multiple VLANs exist here, as access links or
trunk links for the respective VLANs. However, for any one protocol only one VLAN can be operated as an
access link on a hybrid link. For example, when two VLANs are operated as access links on one hybrid link,
only one of them can be recognized for the IP protocol.
Points to be noted
• When two or more VLANs are operated as access links for a specific protocol, the frames sent by the
respective VLANs carry no VLAN tag, so it cannot be determined which VLAN a frame belongs to.
• When used together with the spanning tree function, bridged frames and routed frames are subject to the
restrictions of the spanning tree.
• When more protocol VLAN definitions are set than the upper limit of the device, the protocol VLAN
definitions beyond the upper limit and the VLAN IDs they specify become invalid, so none of the ports that
belong to the invalid VLAN IDs can be used. The upper limit of protocol VLAN definitions that can be set in
the device is 16.
Mixed VLAN on the same port
The combinations of VLAN types that can be used on the same port are shown below.
○: Can be mixed, ×: Cannot be mixed
VLAN type | Port VLAN (untagged) | Protocol VLAN (untagged) | Tag VLAN (tagged)
Port VLAN (untagged) | × | ○ | ○
Protocol VLAN (untagged) | ○ | ○ | ○
Tag VLAN (tagged) | ○ | ○ | ○
VLAN judgment at the time of receiving packets
When a packet is received on a port with VLANs set, the VLAN that the received packet belongs to is judged in
the following sequence.
1) Is the packet tagged? If yes, go to 2); if no, go to 3).
2) Does the VID match a VID defined on the port? If yes, the packet belongs to that Tag VLAN; if no, it is discarded.
3) Does the packet match a protocol VLAN definition? If yes, it belongs to that Protocol VLAN; if no, go to 4).
4) Is there a port VLAN definition? If yes, it belongs to the Port VLAN; if no, go to 5).
5) Is the packet a BPDU? If yes, it belongs to the default VLAN (※); if no, it is discarded.
※) In this device, Tag VLANs and Protocol VLANs are defined by configuration definition, and a default VLAN
is created in the device to receive BPDU packets on ports where the port VLAN (untagged) is the default.
VLAN tag at the time of sending packets
The handling of the VLAN tag when a packet is sent depends on the Tagged / Untagged setting of the
transmission port. From a Tagged port the packet is sent with a VLAN tag, and from an Untagged port it is
sent without a VLAN tag.
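The ingress judgment sequence and the egress tag decision described above, as an added example that is not part of the original manual. The per-port data model (`PortVlanConfig`), the `Frame` representation and the test VIDs are assumptions of the example; the BPDU test uses only the IEEE 802.1D bridge group destination address.

```python
"""Ingress VLAN classification following the judgment sequence above, plus the
egress tag decision. Added illustrative code with an assumed data model; it is
not the device's firmware."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

BPDU_DST = bytes.fromhex("0180c2000000")  # IEEE 802.1D bridge group address
DEFAULT_VID = 1


@dataclass
class PortVlanConfig:
    tagged_vids: Set[int] = field(default_factory=set)            # Tag VLAN membership
    protocol_vlans: Dict[int, int] = field(default_factory=dict)  # EtherType -> VID
    port_vid: Optional[int] = None                                # Port VLAN (untagged), if defined


@dataclass(frozen=True)
class Frame:
    dst: bytes
    ethertype: int               # EtherType carried by the frame (inner one if tagged)
    tag_vid: Optional[int] = None  # VID from the 802.1Q tag, None when untagged


def classify_ingress(cfg: PortVlanConfig, frame: Frame) -> Tuple[str, Optional[int]]:
    """Return (vlan type, VID) or ("discard", None) for a frame received on the port."""
    if frame.tag_vid is not None:                  # 1) tagged packet?
        if frame.tag_vid in cfg.tagged_vids:       # 2) VID defined on this port?
            return ("tag", frame.tag_vid)
        return ("discard", None)
    vid = cfg.protocol_vlans.get(frame.ethertype)  # 3) protocol VLAN definition match?
    if vid is not None:
        return ("protocol", vid)
    if cfg.port_vid is not None:                   # 4) port VLAN definition present?
        return ("port", cfg.port_vid)
    if frame.dst == BPDU_DST:                      # 5) BPDU? -> default VLAN
        return ("default", DEFAULT_VID)
    return ("discard", None)


def egress_tagged(cfg: PortVlanConfig, vid: int) -> Optional[bool]:
    """True: send with VLAN tag; False: send untagged; None: port is not in the VLAN."""
    if vid in cfg.tagged_vids:
        return True
    if vid == cfg.port_vid or vid in cfg.protocol_vlans.values():
        return False
    return None


if __name__ == "__main__":
    # Constructed port: tag VLANs 10 and 20, IPv4 mapped to protocol VLAN 30, no port VLAN.
    cfg = PortVlanConfig(tagged_vids={10, 20}, protocol_vlans={0x0800: 30})
    host = bytes.fromhex("00005e005301")
    print(classify_ingress(cfg, Frame(host, 0x0800, tag_vid=10)))   # tag VLAN 10
    print(classify_ingress(cfg, Frame(host, 0x0800)))               # protocol VLAN 30
    print(classify_ingress(cfg, Frame(host, 0x8137)))               # IPX: discarded
    print(classify_ingress(cfg, Frame(BPDU_DST, 0x0026)))           # BPDU: default VLAN
```

Note the two discard paths: a tagged frame whose VID is not configured on the port is dropped at step 2 regardless of any port or protocol VLAN, and an untagged frame that matches nothing is dropped unless it is a BPDU. The BPDU check here is only the group destination address; an 802.1D BPDU is LLC framed, so its type/length field holds a length rather than an EtherType.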
VLAN trunk function
The VLAN trunk function is used for communication between VLANs: switching between VLANs becomes
possible by assigning and deleting the VLAN tag. To route from a port that belongs to multiple VLANs, frames
are relayed to another layer 3 switch. On that port the VLAN tag identifies which VLAN each frame belongs to,
and the frame with the VLAN tag is received, routed and relayed by the layer 3 switch.
VLAN between devices When a VLAN spans two devices, the VLAN tag set in the frame identifies which VLAN the frame came from. As
a result, the same VLANs on both devices (VLAN A with VLAN A, VLAN B with VLAN B) can communicate as if
they were connected to one switching HUB. Normally two transmission lines would be required for this; by
using the VLAN trunk function, this device connects them over one transmission line.
2.6 Link aggregation function
The link aggregation function bundles multiple ports and handles them as one high speed link (Trunk Group).
Using this function, the redundancy of the link is improved: when one of the bundled links (member ports)
fails, its traffic is distributed to the other member ports.
Link aggregation is also called multi link Ethernet or port trunking.
Configure 1 to 10 member ports.
Set all member ports with the same VLAN configuration.
Traffic to a trunk group is distributed over the member ports according to the IP addresses and MAC
addresses of the transmitted packet, for load distribution.
The distribution method can be selected from the following.
- Load distribution based on destination MAC address and source MAC address.
- Load distribution based on destination MAC address.
- Load distribution based on source MAC address.
- Load distribution based on destination IP address and source IP address.
- Load distribution based on destination IP address.
- Load distribution based on source IP address.
- Load distribution based on the receiving Ethernet port.
The minimum number of member ports with which the trunk group can communicate can be specified.
Communication over the trunk group is stopped until the specified number of member ports of the trunk
group is enabled; a member port that has linked down, for example, is not counted as enabled.
This is used in a redundant configuration so that the trunk group is not used until the necessary bandwidth
is secured.
This function can also be used together with LACP.
Points to be noted
• The bundled ports are handled as one port. This also applies when the STP or VLAN functions are used
together with link aggregation.
• The STP cost is calculated from the bandwidth of the member ports and the member count, and that cost
value is allocated to the trunk group.
The cost is not changed when member ports degrade or recover.
[Figure: 10 Gbps member links bundled into one 40 Gbps virtual link]
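A model of the trunk group behaviour described above, as an added example that is not the device's code: member ports, the minimum member count that gates communication, and frame-to-member distribution keyed on the seven field combinations listed. The hash function (CRC-32 over the selected fields) and the names `TrunkGroup`, `distribution` and `sample_flows` are assumptions of the example; the device's real hash is not documented on this page.

```python
"""Trunk group model: member ports, minimum member count, and hash-based
distribution of frames over the active members using the distribution keys
listed above. Added illustration; the hash (CRC-32 of the selected fields) is
an assumption, the device's real hash is not documented on this page."""
import zlib
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Distribution mode -> frame fields fed to the hash, mirroring the list above.
DISTRIBUTION_KEYS: Dict[str, Tuple[str, ...]] = {
    "src-dst-mac": ("src_mac", "dst_mac"),
    "dst-mac": ("dst_mac",),
    "src-mac": ("src_mac",),
    "src-dst-ip": ("src_ip", "dst_ip"),
    "dst-ip": ("dst_ip",),
    "src-ip": ("src_ip",),
    "in-port": ("in_port",),
}


class TrunkGroup:
    MAX_MEMBERS = 10  # the page: configure 1 to 10 member ports

    def __init__(self, members: List[str], min_links: int = 1,
                 mode: str = "src-dst-mac") -> None:
        if not 1 <= len(members) <= self.MAX_MEMBERS:
            raise ValueError("a trunk group has 1 to 10 member ports")
        if not 1 <= min_links <= len(members):
            raise ValueError("min_links must be between 1 and the member count")
        if mode not in DISTRIBUTION_KEYS:
            raise ValueError(f"unknown distribution mode {mode!r}")
        self.members = list(members)      # configured order, kept stable for hashing
        self.up: Set[str] = set(members)  # members currently linked up
        self.min_links = min_links
        self.mode = mode

    def link_down(self, port: str) -> None:
        self.up.discard(port)

    def link_up(self, port: str) -> None:
        if port in self.members:
            self.up.add(port)

    def is_operational(self) -> bool:
        # Communication is stopped until at least min_links members are enabled.
        return len(self.up) >= self.min_links

    def select_member(self, frame: Dict[str, str]) -> Optional[str]:
        """Return the member port a frame is sent on, or None if the group is down."""
        if not self.is_operational():
            return None
        active = [p for p in self.members if p in self.up]
        key = "|".join(str(frame[f]) for f in DISTRIBUTION_KEYS[self.mode])
        return active[zlib.crc32(key.encode()) % len(active)]


def distribution(group: TrunkGroup, frames: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count how many frames land on each member port."""
    counts = {p: 0 for p in group.members}
    for frame in frames:
        member = group.select_member(frame)
        if member is not None:
            counts[member] += 1
    return counts


def sample_flows(n: int) -> List[Dict[str, str]]:
    """Constructed flows: n distinct source hosts all talking to one destination."""
    return [{"src_mac": f"00:00:5e:00:53:{i:02x}", "dst_mac": "00:00:5e:00:53:ff",
             "src_ip": f"192.0.2.{i}", "dst_ip": "198.51.100.1", "in_port": "ether1"}
            for i in range(n)]


if __name__ == "__main__":
    group = TrunkGroup(["ether5", "ether6", "ether7", "ether8"], min_links=2)
    print(distribution(group, sample_flows(200)))
    print(distribution(TrunkGroup(group.members, mode="dst-mac"), sample_flows(200)))
```

The second run in the usage block shows the trap in choosing a key: with "dst-mac" (or "in-port") every flow to one destination hashes to one member, so the bundle adds redundancy but no bandwidth for that traffic. The minimum member count is what keeps a degraded group from silently carrying traffic at a fraction of the planned bandwidth.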
2.6.1 LACP Function
The LACP function is link aggregation that uses IEEE 802.3 compliant LACP. The largest feasible link
aggregation is maintained continuously between systems that support LACP.
LACP improves the confirmation of link aggregation consistency and the accuracy of fault detection.
Merits of introduction
▪ Because consistency with the adjacent equipment is confirmed at the protocol level, a port connected to the
wrong partner (for example because of a cabling mistake) is brought into use only after it is confirmed, one
by one, to lead to the correct link. Communication over a wrong connection therefore does not occur.
▪ When no LACP packet is received from the adjacent device for a fixed time, the link is judged to be faulty,
so faults that lie beyond the fault detection range of the device port itself can be detected.
Points to be noted
▪ LACP must be enabled before connection for link aggregation that uses LACP. It cannot be connected to a
link aggregation whose link aggregation mode is 'static' (link aggregation without LACP).
▪ A link aggregation whose operation mode is 'passive' cannot be established with a partner that is also set
to 'passive'. Specify 'active' on at least one side; both sides may be 'active'.
Refer to "2.6 Link aggregation function" for other notes.
[Figure: 10 Gbps member links bundled into one 40 Gbps virtual link]
2.7 Back-up port function
The back-up port function groups two ports and manages one as the master port (priority port) and the other
as the back-up port (standby port), deciding which side is active. If an error occurs during operation, the other
port immediately becomes the active port, so that the effect of the network error is kept small. For the state in
which both ports of the group are linked up, two modes can be selected: always use the master port with
priority, or keep using the port that linked up first. A link aggregation can also be used as a back-up port.
Points to be noted
▪ The back-up port function switches the active port at once when an error occurs, but when various protocols
are in use, the restoration time of each protocol is still needed before communication is restored.
▪ When used together with link aggregation, if that link aggregation has settings inconsistent with the back-up
configuration, the link aggregation becomes disabled.
▪ If the standby state of the standby port is set to offline, the standby port is linked down, so an abnormality
such as a disconnected line cannot be detected while it is standby; the abnormality is detected only after the
operation has switched over to it.
2.8 STP Function
The STP function interconnects separate LANs and forwards MAC frames between them.
In this device, the following functions are supported.
2.8.1 STP
This is the IEEE 802.1D Spanning Tree Protocol (STP). The spanning tree prevents loops when multiple paths
connect the bridges: STP leaves only one path as the communication path and logically configures the network
as a tree.
With this function, frame loops that would bring the system down are not generated, and a network that is
robust against failures can be built.
STP chooses the root bridge, which is the root of the logical tree. It then decides an STP port role for each port:
root port, designated port or blocking port. Root ports and designated ports forward packets; blocking ports
do not.
To achieve this, an STP interface has the following states.
- Blocking: does not forward frames.
- Listening: transitional state; the state after Blocking when the port is moving towards Forwarding.
- Learning: transitional state; the state after Listening.
- Forwarding: forwards frames.
Procedures to decide root port / designated port / blocking port
The procedure for deciding the role of each port is as follows.
1) Decision of root bridge: a bridge priority is assigned to each bridge. The bridge with the minimum bridge
priority becomes the root bridge.
2) Decision of root port: a path cost is determined for each port (it can be set per port; normally AUTO is
selected) (※1). Each bridge calculates the root path cost (the minimum path cost to the root bridge) for each
of its ports and selects the port with the lowest value (※2). On every bridge other than the root bridge, the
port with the minimum root path cost becomes the root port (※3).
3) Decision of designated port: on each segment, the port of the connected bridge with the minimum root
path cost becomes the designated port (※4).
4) Decision of blocking port: a port that is neither a designated port nor a root port becomes a blocking port.
※1) The default cost values when 'AUTO' is selected are as follows.
Transmission speed | Default path cost
10G | 2000
40G | 1200
For a link aggregation, the default path cost becomes 200 for 10G and 120 for 40G.
※2) • The root path cost is the sum of the path costs of the ports that receive configuration BPDU packets
along the route from the root bridge; the smallest value is adopted.
• The path cost of the root bridge is 0.
※3) • One root port exists in each bridge.
• When the root path costs are equal, the port with the smaller port identifier is adopted.
※4) • One designated port exists in each segment.
• When two or more ports have the same minimum value, the port of the bridge with the smaller bridge
priority is adopted.
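The decision procedure above, carried out in code on a small constructed topology, as an added example that is not part of the manual. Bridge names, priorities, MAC addresses, port numbers and the use of the 10G AUTO cost of 2000 are assumptions of the example; the tie-breaking order (root path cost, then bridge identifier, then port identifier) follows notes ※3 and ※4.

```python
"""Spanning tree role computation (root bridge, root port, designated port,
blocking port) that follows the decision procedure above, run on a small
constructed triangle topology. Added example; bridge names, priorities, MAC
addresses and port costs are constructed for illustration."""
import heapq
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int
    mac: str

    def bridge_id(self) -> Tuple[int, str]:
        # Bridge identifier = priority followed by MAC address; the smaller wins.
        return (self.priority, self.mac)


End = Tuple[str, int, int]   # (bridge name, port number, path cost of that port)
Segment = Tuple[End, End]


def compute_roles(bridges: Dict[str, Bridge], segments: List[Segment]):
    # 1) Root bridge: the minimum bridge identifier (priority, then MAC).
    root = min(bridges.values(), key=Bridge.bridge_id).name

    # Adjacency: bridge -> [(neighbour, my port, my cost, neighbour port, neighbour cost)]
    adj: Dict[str, List[Tuple[str, int, int, int, int]]] = {b: [] for b in bridges}
    for (b1, p1, c1), (b2, p2, c2) in segments:
        adj[b1].append((b2, p1, c1, p2, c2))
        adj[b2].append((b1, p2, c2, p1, c1))

    # 2) Root path cost: sum of the path costs of the receiving ports along the
    #    route from the root (※2); the root itself costs 0. Dijkstra yields the
    #    minimum, which is what the BPDU exchange converges to.
    rpc: Dict[str, int] = {root: 0}
    heap: List[Tuple[int, str]] = [(0, root)]
    while heap:
        d, b = heapq.heappop(heap)
        if d > rpc[b]:
            continue
        for nb, _my_port, _my_cost, _nb_port, nb_cost in adj[b]:
            nd = d + nb_cost   # the neighbour receives the BPDU on a port of cost nb_cost
            if nd < rpc.get(nb, float("inf")):
                rpc[nb] = nd
                heapq.heappush(heap, (nd, nb))

    roles: Dict[Tuple[str, int], str] = {}

    # 3) Root port: on every bridge except the root, the port with the minimum
    #    (root path cost via that port, neighbour bridge id, neighbour port id,
    #    own port id); the port identifier breaks cost ties (※3).
    for b in bridges:
        if b == root:
            continue
        best = min(adj[b], key=lambda e: (rpc[e[0]] + e[2], bridges[e[0]].bridge_id(), e[3], e[1]))
        roles[(b, best[1])] = "root"

    # 4) Designated port: on each segment, the port of the bridge with the
    #    minimum (root path cost, bridge id, port id) (※4). Every port of the
    #    root bridge is designated because its root path cost is 0.
    for (b1, p1, _c1), (b2, p2, _c2) in segments:
        k1 = (rpc[b1], bridges[b1].bridge_id(), p1)
        k2 = (rpc[b2], bridges[b2].bridge_id(), p2)
        winner = (b1, p1) if k1 < k2 else (b2, p2)
        roles.setdefault(winner, "designated")

    # 5) Any remaining port is neither root nor designated: blocking.
    for b in bridges:
        for _nb, my_port, *_ in adj[b]:
            roles.setdefault((b, my_port), "blocking")
    return root, rpc, roles


def demo():
    """Triangle A-B-C: A is root (lowest priority); B and C tie on root path cost
    on the B-C segment, so the lower bridge identifier (B) is designated and C blocks."""
    bridges = {
        "A": Bridge("A", 4096, "00:00:5e:00:53:0a"),
        "B": Bridge("B", 32768, "00:00:5e:00:53:0b"),
        "C": Bridge("C", 32768, "00:00:5e:00:53:0c"),
    }
    cost_10g = 2000  # default AUTO path cost for 10G from the table above
    segments = [
        (("A", 1, cost_10g), ("B", 1, cost_10g)),
        (("A", 2, cost_10g), ("C", 1, cost_10g)),
        (("B", 2, cost_10g), ("C", 2, cost_10g)),
    ]
    return compute_roles(bridges, segments)


if __name__ == "__main__":
    root, rpc, roles = demo()
    print("root:", root, "root path costs:", rpc)
    for (bridge, port), role in sorted(roles.items()):
        print(f"{bridge} port {port}: {role}")
```

Step 1 is also the security lesson of the procedure: the root is whichever bridge advertises the lowest bridge identifier, so a device that announces priority 0 from an access port takes the root role and reshapes every path in the tree. Changing the priority of "C" to 0 in `demo()` and re-running shows exactly that.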
Network settings using spanning tree function
Parameters in spanning tree In spanning tree, several parameters are set on the bridges in order to implement the designed tree
structure and tree performance. The tree structure and tree performance are determined by these parameters.
<Parameters that determine the tree structure>
The tree structure is determined by the following parameters.
Parameter | Setting target | Remarks
Bridge Priority (STP bridge priority) | Every bridge | Set for every bridge; the bridge set to the minimum value is used as the priority route. Set the minimum value in the system on the bridge that is to be the root bridge.
Port Identifier (STP port identifier) | Every port | When the root path cost and the bridge identifier do not decide the choice, the port with the superior (smaller) port identifier becomes the designated port. Since the bridge identifier includes the MAC address, the designated port is normally not decided by the port identifier.
Path cost (STP port path cost) | Every port | Determines the root port (the route to the upper bridge). The designated port (designated bridge) is determined from the path cost and the bridge priority. The route with the minimum value set on the ports of the bridge is selected. A route with a slower transmission speed is given a higher cost and used as the backup. It is recommended to use the default value (1000 ÷ transmission speed in Mbps) for the path cost.
<Parameters that determine the tree performance>
The tree performance (the time to change routes on failure, etc.) is determined by the following parameters.
Parameter | Setting target | Remarks
Hello Time (STP bridge hello time) | Every bridge | The interval at which the root bridge sends configuration BPDUs to confirm the tree structure. The recommended value is 2 seconds.
Maximum age (STP bridge Max age) | Every bridge | The timer value after which reconstruction of the tree starts because configuration BPDUs are no longer delivered. It depends on the delay until configuration BPDUs reach the bridges at the ends of the tree, but the recommended value is 20 seconds. Set the same value on every bridge in the network so that they reconstruct with the same timing.
Forward delay
(STP bridge forward
delay)
Every
Bridge
It is waiting period in intermediate status till the blocking status is changed to
forwarding status.
If this time is short, synchronization of the entire tree structure in the listening
status is not acquired. In the learning status, since the learning of MAC address
learning status is inadequate, there are possibilities such as all the ports are
broadcasted or changes to loop status. Further, if the time is long, the time
required for the restructuring of tree gets longer. Recommended time is 15
seconds.
<Other parameters>
Parameters Setting
target Remarks
STP domain separation (STP domain Separation)
Every port Set whether the STP domain is separated in each port of bridge.
If STP domain is separated, the transmission of configuration BPDU from that
port is stopped.
Port which sets by separating the STP domain does not configure the STP tree.
However, the frame other than configuration BPDU is broadcasted.
ON: STP domain is not separated,
OFF:Set by separating the STP domain.
Page 19 of 71
2.8.2 RSTP
A problem of STP is that communication may be disconnected for a maximum of 50 seconds. The protocol developed to overcome this problem is RSTP (Rapid Spanning Tree Protocol). When RSTP is used, the spanning tree is recalculated within 1 second, and changeover at the level of an instantaneous interruption becomes possible. Moreover, RSTP is standardized as IEEE802.1w and is compatible with conventional STP (IEEE802.1d), so a mixed environment with STP operates without trouble.
Roles of ports in RSTP
The roles of the ports in STP are as follows.
• Designated port
• Root port
• Blocking port
In RSTP, the designated port and the root port have the same roles as in STP. The blocking port is divided into the following 2 roles.
• Alternate port
A port that provides an alternate path. It is the port with the next lowest cost after the root port, and it becomes the port that has the alternate path to the root bridge.
• Backup port
A port that provides an alternate path for the route provided by a designated port. When one switch has 2 or more connections to the same segment, it is provided as the alternate path.
Alternate ports and backup ports go to the normal blocking state.
States of ports in RSTP
In STP, a port has four states: the blocking state, the listening state, the learning state and the forwarding state. MAC frames are not forwarded in either the blocking state or the listening state. The only difference between the two is that BPDUs are not transmitted in the blocking state, while BPDUs are transmitted in the listening state.
In RSTP, the blocking state and the listening state are combined into the discarding state.
2.8.3 MSTP
Depending on the VLAN configuration, there may be no loop even where the physical network appears to contain one. In that case STP still treats it as a loop network, but MSTP does not, because it can handle the network per VLAN. Therefore MSTP can forward network data more efficiently than STP.
For example, there are 4 switches called Bridge A, Bridge B, Bridge C and Bridge D, connected in the topology shown in the diagram below. Using MSTP, frames of VLAN 100 and VLAN 200 can be forwarded along Bridge D – Bridge B – Bridge A, and frames of VLAN 300 along Bridge D – Bridge C – Bridge A. Such behaviour is not possible with STP.
2.9 LLDP function
LLDP (Link Layer Discovery Protocol) is a neighbour discovery protocol which aims at understanding the adjacent devices and confirming the connection state, etc., by advertising the information of the device itself.
LLDP information is delivered only to devices connected to the same physical LAN. It is not delivered across a router.
The LLDP function of this device is based on IEEE802.1AB and provides the following functions.
∙ Device information is transmitted by LLDP
∙ Adjacent device information received by LLDP is retained
∙ The information related to LLDP is managed as a MIB, and the MIB can be acquired by the SNMP function
∙ Updated adjacent device information is notified by SNMP trap
∙ LLDP setting information, device information, adjacent device information and statistical information are displayed
The following information is included in the LLDP information transmitted from this device. The device can be instructed not to transmit option information. In addition, do not transmit unnecessary option information, since information exceeding 1500 bytes cannot be transmitted. Note especially that if the information exceeds 1500 bytes while the CEE function is used, the information necessary for CEE operation will not be transmitted. The content actually transmitted can be checked by command or on the Web screen.
∙ Device identification information (representative MAC address) (essential)
∙ Physical port identification information (ifIndex MIB) (essential)
∙ Retention time information (TTL) (essential)
∙ Physical port description information (ifDescr MIB) (option)
∙ Device name information (sysName MIB) (option)
∙ Device description information (sysDescr MIB) (option)
∙ Device major function information (switch/router) (option)
∙ Physical port management address information (MAC/IPv4/IPv6) (option)
∙ Port VLAN ID information (option)
∙ Protocol VLAN ID information (option)
∙ VLAN name information (option)
∙ Protocol VLAN type information (option)
∙ Physical port setting information (option)
∙ Physical port power supply information (option)
∙ Link aggregation information (option)
∙ Maximum frame size information (option)
The LLDP information received from an adjacent device is retained until the retention time included in the LLDP information passes. The information being retained can be checked by command or on the Web screen.
The maximum number of adjacent device entries that can be retained in this device is shown below. Information that cannot be retained because the maximum retention count is exceeded is discarded. The discarded information is counted in the statistical data.
Condition                                         Retention count
Maximum retention count in the entire device      510
Minimum guaranteed retention count in 1 port      1
Shared retention count in the entire device       476
Maximum retention count in 1 port (*)             477
*) When all the shared entries are retained by 1 port (only 1 can be retained in each other port).
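The retention limits above (a guaranteed entry per port, a shared pool of 476 for the whole device, expiry after the TTL, discarded entries counted in statistics), as an added example that is not code from the Fujitsu manual. The port count of 34 is constructed so that the guaranteed slots plus the shared pool add up to the manual's 510; the neighbour records and the clock are constructed too.

```python
"""Added example, not code from the Fujitsu manual: a model of the LLDP
adjacent-device retention limits (1 guaranteed per port + 476 shared = 510).
Port count, neighbour identifiers and the clock are constructed."""
import time

GUARANTEED_PER_PORT = 1
SHARED_POOL = 476
TOTAL = 510          # = number of ports * GUARANTEED_PER_PORT + SHARED_POOL


class LldpNeighborTable:
    def __init__(self, ports, shared_pool=SHARED_POOL, clock=time.monotonic):
        self.ports = list(ports)
        self.shared_pool = shared_pool
        self.clock = clock                          # injectable for testing
        self.table = {p: {} for p in self.ports}    # port -> {neighbour_id: expiry}
        self.discarded = 0                          # "counted in statistical data"

    def _shared_in_use(self):
        # Entries beyond a port's guaranteed slot come out of the shared pool.
        return sum(max(0, len(n) - GUARANTEED_PER_PORT) for n in self.table.values())

    def _expire(self, now):
        # Retained until the retention time (TTL) carried in the LLDP information passes.
        for entries in self.table.values():
            for nid in [k for k, exp in entries.items() if exp <= now]:
                del entries[nid]

    def receive(self, port, neighbor_id, ttl):
        """Retain an LLDP neighbour on `port`; return False (and count it as
        discarded) when neither the guaranteed slot nor the shared pool has room."""
        now = self.clock()
        self._expire(now)
        entries = self.table[port]
        if neighbor_id in entries:                  # refresh of a known neighbour
            entries[neighbor_id] = now + ttl
            return True
        needs_shared = len(entries) >= GUARANTEED_PER_PORT
        if needs_shared and self._shared_in_use() >= self.shared_pool:
            self.discarded += 1
            return False
        entries[neighbor_id] = now + ttl
        return True

    def capacity_of(self, port):
        """How many more neighbours this port could retain right now."""
        free_shared = self.shared_pool - self._shared_in_use()
        free_own = max(0, GUARANTEED_PER_PORT - len(self.table[port]))
        return free_own + free_shared


if __name__ == "__main__":
    tbl = LldpNeighborTable(range(1, 35))
    accepted = sum(tbl.receive(1, f"neighbour-{i}", ttl=120) for i in range(480))
    print("port 1 retained", accepted, "discarded", tbl.discarded,
          "port 2 can still retain", tbl.capacity_of(2))
```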
2.10 MAC filtering function
With the MAC filtering function, the security of the network is improved and the load on the network can be reduced by controlling the packets which pass through this device according to combinations of MAC address, packet format, VLAN ID, CoS value, IP address, port number, etc.
The MAC filtering process is carried out when a packet passing through this device matches an "acl mac" definition, "acl vlan" definition, "acl ip" definition, "acl ip6" definition, "acl tcp" definition, "acl udp" definition or "acl icmp" definition in the ACL.
Conditions of the MAC filter
The flow of packet data can be controlled by specifying the following conditions.
▪ Packet input port
The input ETHER port whose packets are the target of the filtering process
▪ Operation
The operation (block or transmit) when a packet that is the target of the filtering process is input to the 'input ETHER port'
▪ ACL number
The ACL number by which the packet pattern that is the condition of the MAC filter is defined
Scope of the MAC filtering function
In the MAC filtering function, a filter for a packet pattern specified in an ACL can be applied in the following units.
• ETHER port
Set by the ether command. The filter process is executed for input packets that match the specified ACL packet pattern on that ETHER port.
• VLAN
Set by the vlan command. The filter process is executed for input packets that match the specified ACL packet pattern on the ETHER ports which belong to the VLAN. It is used to apply the filter to all ETHER ports in the same VLAN.
Upper limit which can be set in the device
The upper limit which can be set in the device is shown below.
▪ Upper limit by set command:
- When the CEE function is used, 62 entries
- When the CEE function is not used, 64 entries
Settings are possible up to the upper limit by set command, counted together with the "macfilter", "vlan macfilter", "lan ip filter", "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6filter", "vlan ip6filter", "lan ip6 filter", "ip6qos aclmap", "vlan ip6qos aclmap" and "lan ip6 dscp" commands.
The priority levels are as follows.
- The priority order in which the commands are applied is "macfilter", "vlan macfilter", "lan ip filter", "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6filter", "vlan ip6filter", "lan ip6 filter", "ip6qos aclmap", "vlan ip6qos aclmap", "lan ip6 dscp".
- Between ether ports, the smaller the ether port number, the higher the priority.
- Between VLANs, the smaller the VLAN ID, the higher the priority.
▪ Upper limit according to number of masks:
- When the CEE function is used, 62 masks
- When the CEE function is not used, 64 masks
Settings are possible up to the upper limit by number of masks, counted together with the "macfilter", "vlan macfilter", "lan ip filter", "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6filter", "vlan ip6filter", "lan ip6 filter", "ip6qos aclmap", "vlan ip6qos aclmap", "lan ip6 dscp" and "vlan protocol" commands.
The priority levels are as follows.
- The priority order in which the commands are applied is "vlan protocol", "macfilter", "vlan macfilter", "lan ip filter", "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6filter", "vlan ip6filter", "lan ip6 filter", "ip6qos aclmap", "vlan ip6qos aclmap", "lan ip6 dscp".
- Between ether ports, the smaller the ether port number, the higher the priority.
- Between VLANs, the smaller the VLAN ID, the higher the priority.
The number of masks consumed by the "macfilter", "vlan macfilter", "lan ip filter", "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6filter", "vlan ip6filter", "lan ip6 filter", "ip6qos aclmap", "vlan ip6qos aclmap" and "lan ip6 dscp" commands is as follows, depending on the applied ACL.
When multiple ACLs are applied, the number is the sum total of each, and the total for each combination is as follows.
Condition of applied ACL                                           Number of masks
In case of acl mac definition                                      1
In case of acl vlan definition                                     1
In case of acl ip definition
  When srcIP address is not specified
    When tos value / dscp value is not specified                   1
    When tos value / dscp value is specified                       3
  When srcIP address is specified
    When dstIP address is not specified                            1
    When dstIP address is specified
      When the mask values of srcIP and dstIP are the same
        When tos value / dscp value is not specified               1
        When tos value / dscp value is specified                   3
      When the mask values of srcIP and dstIP are different        3
In case of acl ip6 definition
  When srcIP address is not specified
    When tc value / dscp value is not specified                    1
    When tc value / dscp value is specified                        3
  When srcIP address is specified
    When dstIP address is not specified                            3
    When dstIP address is specified
      When tc value / dscp value is not specified                  3
      When tc value / dscp value is specified                      5
The number of masks consumed by the "vlan protocol" command is as follows.
Condition of applied ACL                                           Number of masks
In case of protocol VLAN definition
  When vlan protocol ipv4 is specified                             3
  When vlan protocol ipv6 is specified                             1
  When vlan protocol <count> ether is specified                    1
▪ Upper limit according to number of actions:
- When the CEE function is used, 15 actions
- When the CEE function is not used, 16 actions
Settings are possible up to the upper limit by number of actions, counted together with the "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6qos aclmap", "vlan ip6qos aclmap", "lan ip6 dscp" and "vlan protocol" commands.
The priority levels are as follows.
- The priority order in which the commands are applied is "vlan protocol", "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6qos aclmap", "vlan ip6qos aclmap", "lan ip6 dscp".
- Between ether ports, the smaller the ether port number, the higher the priority.
- Between VLANs, the smaller the VLAN ID, the higher the priority.
When the following commands are set, 1 action is consumed, and only 1 action is consumed irrespective of the number of command specifications.
- vlan <vid> protocol ipv4
- vlan <vid> protocol ipv6
When the following commands are set, 1 action is consumed. When <tos_value>, <dscp_value> and <queue_value> are the same, only 1 action is consumed irrespective of the number of command specifications.
- interface Config mode
- qos aclmap <count> tos <tos_value> <acl>
- qos aclmap <count> dscp <dscp_value> <acl>
- qos aclmap <count> queue <queue_value> <acl>
- ip6qos aclmap <count> dscp <dscp_value> <acl>
- ip6qos aclmap <count> queue <queue_value> <acl>
- vlan <vid> qos aclmap <count> tos <tos_value> <acl>
- vlan <vid> qos aclmap <count> dscp <dscp_value> <acl>
- vlan <vid> qos aclmap <count> queue <queue_value> <acl>
- vlan <vid> ip6qos aclmap <count> dscp <dscp_value> <acl>
- vlan <vid> ip6qos aclmap <count> queue <queue_value> <acl>
- lan <number> ip dscp <count> acl <acl_count> <dscp_value>
- lan <number> ip6 dscp <count> acl <acl_count> <dscp_value>
When chengeQueue is set by the following commands, 1 action is consumed.
- interface Config mode
- qos aclmap <count> tos <tos_value> <acl> [ chengeQueue ]
- qos aclmap <count> dscp <dscp_value> <acl> [ chengeQueue ]
- ip6qos aclmap <count> dscp <dscp_value> <acl> [ chengeQueue ]
- vlan <vid> qos aclmap <count> tos <tos_value> <acl> [ chengeQueue ]
- vlan <vid> qos aclmap <count> dscp <dscp_value> <acl> [ chengeQueue ]
- vlan <vid> ip6qos aclmap <count> dscp <dscp_value> <acl> [ chengeQueue ]
When the following command is set, 1 action is consumed. When <vid> is the same, only 1 action is consumed irrespective of the number of command specifications.
- vlan <vid> protocol <count> ether
Points to be noted
When used simultaneously with the protocol VLAN function, the MAC filter function is disabled for frames recognized as protocol VLAN.
Refer to the "vlan protocol" command item for frames recognized as protocol VLAN.
2.11 QoS function The QoS function is a function to secure the quality of the communication by priority control and rewriting of
priority control.
In the priority control function of this device, there is a function where ACL is not used and the function where
ACL is used.
Given below is the explanation from basic priority control function where ACL is not used.
2.11.1 Priority control function
Priority control function is a function which does queuing for the packet and outputs according to the priority of
the mapped queue. The priority control function is configured with each function such as determination of user
priority to input packet, mapping to queue in this device for the user priority and priority control of queue.
The user priority to input packet is determined by the default priority for IEEE802.1p compliant CoS and the
reception packet without tag. Moreover, when the qos classification command is used, the user priority can be
determined by using upper 3 bits of TOS field of IPv4 (IP Precedence) and upper 3 bits of TC of IPv6.When ‘qos
classification’ is validated, user priority by the upper 3 bit of TOS and TC is preferred than the user priority as per
default priority for reception packet without CoS or Tag.
For example, in case of frame with VLAN tag which carries the below mentioned IP packet, user priority is
determined by Precedence (= upper 3 bits of DSCP) of TOS field when qos classification is validated, and user
priority is determined by CoS (Priority of Tag control information) when qos classification is invalidated.
The packet having user priority is queued in the multiple queues of the output port (including the device
address port) that is mapped to that priority. Mapping of the user priority value and the queue in this device
can be changed when the number of queues is 4. The queue has the priority of 0~3 respectively and the
priority increases with the increase in number.
The queued packet is output according to priority control method of the queue. Priority control method is
selected from Strict Priority Queuing (Strict) or Weihted Round Robin (WRR) or Weighted Deficit Round Robin
(WDRR).
DA SA VLAN protocol
Tag control information
TYPE IP header IP data CRC
Priority CFI VID
3 bit 1 bit 12 bit 3 bit 1 bit 1 bit 1 bit 2 bit
DS field
6 bit 2 bit
DSCP CU
Unused R T D Precedence
TOS field
Page 26 of 71
Relation between user priority value and priority
The initial setting of the queue in this device for each user priority value, and the recommended queue setting at the time of priority control, are shown below.
User priority value (Traffic type)   Initial setting of queue in this device   Queue setting (recommended) at the time of priority control
0 (Best Effort)                      1                                         1
1 (Background)                       0                                         0
2 (Reserved)                         0                                         0
3 (Excellent Effort)                 1                                         1
4 (Controlled Load)                  2                                         2
5 (Video)                            2                                         2
6 (Voice)                            3                                         3
7 (Network Control)                  3                                         3
Setting for assigning user priority
Rank   Method of deciding the priority of the input packet   Valid settings
1      TOS                                                   qos classification ip tos on
1      TC                                                    qos classification ip6 tc on
2      CoS                                                   Depends on the upper 3 bits (priority) of the VLAN Tag control information
2      Reception packet without Tag                          qos priority <queue_priority>
Process method for priority control
Any of Strict, WRR or WDRR is set as the priority control process.
• Strict: frames in the queue with the higher priority are processed with top priority.
• WRR: a fixed value (output ratio) is set for each queue and relative priority control is executed. For example, when 10 is set for queue 3 and 1 is set for queue 0, queue 3 and queue 0 are processed at a rate of 10:1.
• WDRR: a fixed value (output ratio) is set for each queue and relative priority control is executed. WDRR controls the amount of data, whereas WRR controls the number of packets.
A process example of Strict and WRR is shown below.
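The classification order in the tables above (TOS or TC upper 3 bits when qos classification is on, otherwise the CoS of the tag, otherwise the default priority for untagged frames), the initial user-priority-to-queue mapping and the Strict and WRR dispatch, as an added example that is not code from the Fujitsu manual. The frames, the untagged default priority and the WRR weights are constructed; the scheduler is a simple round-based WRR written for illustration, not the device's implementation.

```python
"""Added example, not code from the Fujitsu manual: user priority determination
(2.11.1), the initial queue mapping and Strict / WRR queue service.
Frames and weights below are constructed test data."""
import struct

TPID_8021Q = 0x8100
ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD

# "Initial setting of queue in this device": user priority -> queue 0..3.
INITIAL_QUEUE = {0: 1, 1: 0, 2: 0, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}


def user_priority(frame, *, ip_tos_on=False, ip6_tc_on=False, default_priority=0):
    """Return the user priority (0-7) assigned to an input frame.
    ip_tos_on / ip6_tc_on model 'qos classification ip tos on' / 'ip6 tc on';
    default_priority models 'qos priority <queue_priority>' for untagged frames."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    cos, offset = None, 14
    if ethertype == TPID_8021Q:                       # 802.1Q tag present
        tci = struct.unpack_from("!H", frame, 14)[0]
        cos = tci >> 13                               # Priority: upper 3 bits of TCI
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        offset = 18
    payload = frame[offset:]
    # Rank 1: upper 3 bits of TOS (IP Precedence) or of the IPv6 Traffic Class.
    if ip_tos_on and ethertype == ETH_IPV4 and len(payload) >= 20:
        return payload[1] >> 5
    if ip6_tc_on and ethertype == ETH_IPV6 and len(payload) >= 40:
        tc = ((payload[0] & 0x0F) << 4) | (payload[1] >> 4)
        return tc >> 5
    # Rank 2: CoS from the tag, or the default priority for an untagged frame.
    return cos if cos is not None else default_priority


def build_frame(vid=None, cos=0, ethertype=ETH_IPV4, tos=0):
    """Constructed frame: DA, SA, optional 802.1Q tag, minimal IPv4 or IPv6 header.
    For IPv6 the `tos` argument is written into the Traffic Class field."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("00667788 99aa".replace(" ", ""))
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (cos << 13) | vid)
    hdr += struct.pack("!H", ethertype)
    if ethertype == ETH_IPV4:
        ip = bytes([0x45, tos]) + b"\x00" * 18         # TOS is byte 1 of the header
    else:
        ip = struct.pack("!I", (6 << 28) | (tos << 20)) + b"\x00" * 36
    return hdr + ip


def strict(queues):
    """Strict: the queue with the higher priority is always served first."""
    out = []
    for q in sorted(queues, reverse=True):
        out += list(queues[q])
    return out


def wrr(queues, weights):
    """WRR: each round serves up to weights[q] packets from each queue, highest
    queue first, e.g. weight 10 on queue 3 and 1 on queue 0 gives a 10:1 ratio."""
    pending = {q: list(pkts) for q, pkts in queues.items()}
    out = []
    while any(pending.values()):
        for q in sorted(pending, reverse=True):
            for _ in range(weights.get(q, 1)):
                if pending[q]:
                    out.append(pending[q].pop(0))
    return out


if __name__ == "__main__":
    f = build_frame(vid=100, cos=5, tos=0xE0)
    for on in (False, True):
        up = user_priority(f, ip_tos_on=on)
        print(f"qos classification ip tos {'on' if on else 'off'}: "
              f"user priority {up} -> queue {INITIAL_QUEUE[up]}")
    print(wrr({3: ["q3"] * 20, 0: ["q0"] * 3}, {3: 10, 0: 1}))
```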
2.11.2 Priority control function where ACL is used
This device can control priority by using ACL. If ACL is used, the allocation to the output port queue is decided based on combinations of the MAC address, packet format, VLAN ID, CoS value, IP address, port number, etc. of the packet which passes through this device, and priority control information such as DSCP can be rewritten.
When priority is controlled using ACL, an ACL that specifies the packets which are the target of priority control is defined. For this device, "acl mac" definitions, "acl vlan" definitions, "acl ip" definitions, "acl ip6" definitions, "acl tcp" definitions, "acl udp" definitions and "acl icmp" definitions are set, and this enables the priority control. Moreover, for the input port, the ACL number of the defined ACL and the action for packets which match that ACL are specified. The action consists of specifying the output queue and rewriting the DSCP (differentiated services code point) field.
When priority control of packets is executed using DSCP, the DSCP is specified in the ACL definition, and the output queue and the priority control algorithm for that DSCP are specified. WRR, WDRR and Strict can be selected as the priority control algorithm. When a minimum bandwidth is to be guaranteed for a DSCP, WRR or WDRR can be selected, and when frames in the queue with the higher priority are to be given top priority, Strict can be selected.
Refer to the chapter on the DSCP value rewriting function for the function which rewrites the DSCP field. The DSCP rewriting function of this device complies with RFC2474: Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers.
Upper limit which can be set in the device
The upper limit which can be set in the device is shown below.
• Upper limit by set command:
- When the CEE function is used, 62 entries
- When the CEE function is not used, 64 entries
Settings are possible up to the upper limit by set command, counted together with the "macfilter", "vlan macfilter", "lan ip filter", "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6filter", "vlan ip6filter", "lan ip6 filter", "ip6qos aclmap", "vlan ip6qos aclmap" and "lan ip6 dscp" commands.
The priority levels are as follows.
- The priority order in which the commands are applied is "macfilter", "vlan macfilter", "lan ip filter", "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6filter", "vlan ip6filter", "lan ip6 filter", "ip6qos aclmap", "vlan ip6qos aclmap", "lan ip6 dscp".
- Between ether ports, the smaller the ether port number, the higher the priority.
- Between VLANs, the smaller the VLAN ID, the higher the priority.
• Upper limit according to number of masks:
- When the CEE function is used, 62 masks
- When the CEE function is not used, 64 masks
Settings are possible up to the upper limit by number of masks, counted together with the "macfilter", "vlan macfilter", "lan ip filter", "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6filter", "vlan ip6filter", "lan ip6 filter", "ip6qos aclmap", "vlan ip6qos aclmap", "lan ip6 dscp" and "vlan protocol" commands.
The priority levels are as follows.
- The priority order in which the commands are applied is "vlan protocol", "macfilter", "vlan macfilter", "lan ip filter", "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6filter", "vlan ip6filter", "lan ip6 filter", "ip6qos aclmap", "vlan ip6qos aclmap", "lan ip6 dscp".
- Between ether ports, the smaller the ether port number, the higher the priority.
- Between VLANs, the smaller the VLAN ID, the higher the priority.
The number of masks consumed by the "macfilter", "vlan macfilter", "lan ip filter", "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6filter", "vlan ip6filter", "lan ip6 filter", "ip6qos aclmap", "vlan ip6qos aclmap" and "lan ip6 dscp" commands is as follows, depending on the applied ACL.
When multiple ACLs are applied, the number is the sum total of each, and the total for each combination is as follows.
Condition of applied ACL                                           Number of masks
In case of acl mac definition                                      1
In case of acl vlan definition                                     1
In case of acl ip definition
  When srcIP address is not specified
    When tos value / dscp value is not specified                   1
    When tos value / dscp value is specified                       3
  When srcIP address is specified
    When dstIP address is not specified                            1
    When dstIP address is specified
      When the mask values of srcIP and dstIP are the same
        When tos value / dscp value is not specified               1
        When tos value / dscp value is specified                   3
      When the mask values of srcIP and dstIP are different        3
In case of acl ip6 definition
  When srcIP address is not specified
    When tc value / dscp value is not specified                    1
    When tc value / dscp value is specified                        3
  When srcIP address is specified
    When dstIP address is not specified                            3
    When dstIP address is specified
      When tc value / dscp value is not specified                  3
      When tc value / dscp value is specified                      5
The number of masks consumed by the "vlan protocol" command is as follows.
Condition of applied ACL                                           Number of masks
In case of protocol VLAN definition
  When vlan protocol ipv4 is specified                             3
  When vlan protocol ipv6 is specified                             1
  When vlan protocol <count> ether is specified                    1
• Upper limit according to number of actions:
- When the CEE function is used, 15 actions
- When the CEE function is not used, 16 actions
Settings are possible up to the upper limit by number of actions, counted together with the "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6qos aclmap", "vlan ip6qos aclmap", "lan ip6 dscp" and "vlan protocol" commands.
The priority levels are as follows.
- The priority order in which the commands are applied is "vlan protocol", "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6qos aclmap", "vlan ip6qos aclmap", "lan ip6 dscp".
- Between ether ports, the smaller the ether port number, the higher the priority.
- Between VLANs, the smaller the VLAN ID, the higher the priority.
When the following commands are set, 1 action is consumed, and only 1 action is consumed irrespective of the number of command specifications.
- vlan <vid> protocol ipv4
- vlan <vid> protocol ipv6
When the following commands are set, 1 action is consumed. When <tos_value>, <dscp_value> and <queue_value> are the same, only 1 action is consumed irrespective of the number of command specifications.
- interface Config mode
- qos aclmap <count> tos <tos_value> <acl>
- qos aclmap <count> dscp <dscp_value> <acl>
- qos aclmap <count> queue <queue_value> <acl>
- ip6qos aclmap <count> dscp <dscp_value> <acl>
- ip6qos aclmap <count> queue <queue_value> <acl>
- vlan <vid> qos aclmap <count> tos <tos_value> <acl>
- vlan <vid> qos aclmap <count> dscp <dscp_value> <acl>
- vlan <vid> qos aclmap <count> queue <queue_value> <acl>
- vlan <vid> ip6qos aclmap <count> dscp <dscp_value> <acl>
- vlan <vid> ip6qos aclmap <count> queue <queue_value> <acl>
- lan <number> ip dscp <count> acl <acl_count> <dscp_value>
- lan <number> ip6 dscp <count> acl <acl_count> <dscp_value>
When chengeQueue is set by the following commands, 1 action is consumed.
- interface Config mode
- qos aclmap <count> tos <tos_value> <acl> [ chengeQueue ]
- qos aclmap <count> dscp <dscp_value> <acl> [ chengeQueue ]
- ip6qos aclmap <count> dscp <dscp_value> <acl> [ chengeQueue ]
- vlan <vid> qos aclmap <count> tos <tos_value> <acl> [ chengeQueue ]
- vlan <vid> qos aclmap <count> dscp <dscp_value> <acl> [ chengeQueue ]
- vlan <vid> ip6qos aclmap <count> dscp <dscp_value> <acl> [ chengeQueue ]
When the following commands are set, 1 action is consumed. When <vid> is the same, only 1 action is consumed irrespective of the number of command specifications.
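The mask and action accounting described in 2.10 and again in 2.11.2, as an added example that is not code from the Fujitsu manual: it computes the masks one applied ACL consumes from the manual's table, the actions consumed by the listed commands, and checks both against the device limits (masks 62 with CEE / 64 without, actions 15 / 16). The ACL and command records are a constructed representation, and counting one extra action per entry with chengeQueue is an assumption.

```python
"""Added example, not code from the Fujitsu manual: a budget check for the
per-ACL mask counts and the action counts against the device limits.
ACL / command records are constructed; the counting rules are the manual's."""
from dataclasses import dataclass
from typing import Optional

MASK_LIMIT = {True: 62, False: 64}       # keyed by "CEE function is used"
ACTION_LIMIT = {True: 15, False: 16}
VLAN_PROTOCOL_MASKS = {"ipv4": 3, "ipv6": 1, "ether": 1}


@dataclass
class Acl:
    kind: str                            # "mac", "vlan", "ip" or "ip6"
    src: Optional[str] = None            # "10.0.0.0/8" style; None = not specified
    dst: Optional[str] = None
    tos_or_dscp: bool = False            # tos/dscp (ip) or tc/dscp (ip6) specified


def masks_for_acl(acl: Acl) -> int:
    """Number of masks one applied ACL consumes (the manual's table)."""
    if acl.kind in ("mac", "vlan"):
        return 1
    if acl.kind == "ip":
        if acl.src is None:
            return 3 if acl.tos_or_dscp else 1
        if acl.dst is None:
            return 1
        same_mask = acl.src.split("/")[1] == acl.dst.split("/")[1]
        if same_mask:
            return 3 if acl.tos_or_dscp else 1
        return 3                         # srcIP and dstIP mask values differ
    if acl.kind == "ip6":
        if acl.src is None:
            return 3 if acl.tos_or_dscp else 1
        if acl.dst is None:
            return 3
        return 5 if acl.tos_or_dscp else 3
    raise ValueError(f"unknown acl kind {acl.kind!r}")


def masks_total(acls, vlan_protocols=()):
    """Sum over the applied ACLs plus the 'vlan protocol' definitions."""
    return (sum(masks_for_acl(a) for a in acls)
            + sum(VLAN_PROTOCOL_MASKS[p] for p in vlan_protocols))


def actions_total(cmds):
    """cmds is a constructed list of dicts describing set commands:
      {"cmd": "vlan protocol", "proto": "ipv4" | "ipv6"} -> 1 action shared by all
      {"cmd": "vlan protocol ether", "vid": n}            -> 1 per distinct <vid>
      {"cmd": "aclmap", "value": (field, v), "chengeQueue": bool}
          -> 1 per distinct (tos|dscp|queue, value), plus 1 per entry with
             chengeQueue (the per-entry counting is an assumption)."""
    n = 1 if any(c["cmd"] == "vlan protocol" for c in cmds) else 0
    n += len({c["vid"] for c in cmds if c["cmd"] == "vlan protocol ether"})
    n += len({c["value"] for c in cmds if c["cmd"] == "aclmap"})
    n += sum(1 for c in cmds if c["cmd"] == "aclmap" and c.get("chengeQueue"))
    return n


def check_budget(acls, cmds, vlan_protocols=(), cee=False):
    """Return the consumed counts and whether each fits the device limit."""
    masks, actions = masks_total(acls, vlan_protocols), actions_total(cmds)
    return {"masks": masks, "masks_ok": masks <= MASK_LIMIT[cee],
            "actions": actions, "actions_ok": actions <= ACTION_LIMIT[cee]}


if __name__ == "__main__":
    acls = [Acl("mac"), Acl("ip", src="10.0.0.0/8", dst="192.0.2.0/24", tos_or_dscp=True),
            Acl("ip6", src="2001:db8::/32", dst="2001:db8:1::/48", tos_or_dscp=True)]
    cmds = [{"cmd": "aclmap", "value": ("queue", 3)},
            {"cmd": "aclmap", "value": ("dscp", 46), "chengeQueue": True}]
    print(check_budget(acls, cmds, vlan_protocols=["ipv4"], cee=True))
```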
Points to be noted
When used with the protocol VLAN function, the QoS function is disabled for frames identified as protocol VLAN. Refer to the "vlan protocol" command item for frames recognized as protocol VLAN.
When used with the MAC filter function, the QoS function is disabled for packets matched by the MAC filter function. Moreover, QoS that uses ACL is disabled for packets to which the IP MAC filter is applied.
When the priority determination method of packets is set, the following applies.
• qos classification ip tos on
For IPv4 frames, the 'IP precedence' field becomes the target of the CoS value of the "acl vlan" command option.
• qos classification ip6 tc on
For IPv6 frames, the top 3 bits of the 'traffic class' field of IPv6 become the target of the CoS value of the "acl vlan" command option.
2.12 IGMP snoop function
The IGMP snoop function checks the IGMP packets sent by the source and transfers multicast packets to the ports where a receiver exists.
▪ Source
A terminal or multicast router connected to this device
▪ Port where a receiver exists
A port where a listener of the multicast group address exists, or a port where a multicast router is connected
With this function, unexpected multicast packets are not received by terminals, and the load on the terminals can be reduced.
The IGMP snoop function of this device supports versions 1, 2 and 3 of the IGMP protocol.
The conditions under which a port of this device is identified as a port where a multicast router is connected, or as a port where a listener exists, are shown below.
Port: Multicast router port
Recognized conditions: Recognized by the following conditions according to the multicast router port setting (vlan <vlan_id> igmpsnoop router).
▪ When auto is specified
When an IGMP Query packet is received, that port is recognized as a multicast router port.
▪ When yes <port_no> is specified
At start-up, the port specified by the setting is recognized as a multicast router port. Further, as in the case where auto is specified, a port where an IGMP Query packet is received is also recognized as a multicast router port.
Port: Listener port
Recognized conditions: A port where an IGMP Membership Report packet is received is recognized as a listener port.
When a packet whose destination is a multicast group address is received, this device transfers that packet only to the multicast router ports and the listener ports.
Points to be noted
Communication may not be possible when performing the multicast communication without using the
IGMP.
Set the port connected to the device where IGMP snoop is enabled as multicast router port by
configuration definition.
When more than 2 multicast routers are connected set the multicast router port by configuration
definition.
When multicast router port is not recognized correctly and Terminal where multicast router is connected in
the beginning may not be able to receive the multicast packet.
In this device, the group address which is registered once, does not delete the entry itself, even if the
listener terminal does not exist, and deletes only the information of output port.
When an unnecessary group address is registered, it can be deleted by the clear igmpsnoop group
command. Details are,
When the maximum number of multicast group address that can be registered exceeds, flooding is done
for all the excessive addresses in the same VLAN. Do not use the IGMP snoop function, when the group
addresses being handled exceed the maximum number that can be registered.
It cannot be used in the network where communication other than the IPv4 multicast (Example: IPv6
communication) is used.
Do not enable the IGMP snoop function.
In this device, lower rank 23 bits of IP address are recognized as same address as to 224.1.1.1, 225.1.1.1,
224.1.1.1 and 225.129.1.1.
Therefore, even when a different listener terminal matching these addresses exists, the packet of for both
addresses is forwarded.
The source address of IGMP snoop need not be set usually. Set only when there is a device which cannot
recognize the IGMP packet which has 0.0.0.0 as source address. Further, when multiple IGMP devices are
connected, do not set more than 2 source addresses of IGMP snoop in the same VLAN.
In the network wherein multicast router is not connected, set to ‘do not disable’ the Querier operation by
vlan igmpsnoop querier command.
The IGMP snoop function of VLAN ID belonging to IEEE802.1Q tunnel port changes to disable.
2.13 MLD Snoop Function
The MLD snoop function inspects the MLD packets sent from a source and forwards IPv6 multicast packets only to the ports where a receiver is present.
Source: a terminal or multicast router connected to this device.
Port where a receiver is present: a port where a listener of the multicast group address exists, or a port to which a multicast router is connected.
This prevents terminals from receiving unwanted IPv6 multicast packets and reduces the load on them.
The MLD snoop function of this device supports MLD version 1.
The conditions under which a port of this device is recognized as a multicast router port or a listener port are shown below.
Port | Recognition conditions
Multicast router port | Recognized according to the multicast router port setting (vlan <vlan_id> igmpsnoop router):
 ▪ When auto is specified: a port on which an MLD Query packet is received is recognized as a multicast router port.
 ▪ When yes<port_no> is specified: the specified port is recognized as a multicast router port from start-up. In addition, as with auto, a port on which an MLD Query packet is received is also recognized as a multicast router port.
Listener port | A port on which an MLD Membership Report packet is received is recognized as a listener port.
When a packet addressed to a multicast group address is received, this device forwards it only to the multicast router ports and the listener ports.
Points to be noted
• When IPv6 multicast communication is performed without using MLD, communication may not be possible.
• Set the port connected to a device on which MLD snoop is enabled as a multicast router port by configuration definition.
• When two or more multicast routers are connected, set the multicast router ports by configuration definition. If a multicast router port is not recognized correctly, a terminal connected via that multicast router may be unable to receive multicast packets at first.
• In this device, a group address that has been registered once is not deleted even when no listener terminal remains; only the output port information is deleted. An unnecessary group address can be deleted with the 'clear mldsnoop group' command.
• When the number of multicast group addresses exceeds the maximum that can be registered, the excess addresses are flooded within the VLAN.
• Do not use the MLD snoop function when the group addresses in use exceed the maximum number that can be registered.
• In a network that also carries IPv4 multicast, enable IGMP snoop as well.
• The function cannot be used in a network that carries traffic other than IPv6 multicast. Do not enable the MLD snoop function in such a network.
• This device identifies IPv6 multicast groups by the lower 32 bits of the IPv6 address, so addresses that share those bits are treated as the same address. Even when different listener terminals exist for two such addresses, the packets for both addresses are forwarded to each of them.
• The source address for MLD snoop normally need not be set. Set it only when a device exists that cannot recognize MLD packets whose source address is ::. When multiple MLD snoop devices are connected, do not set two or more MLD snoop source addresses in the same VLAN.
• In a network to which no multicast router is connected, do not disable the Querier function with the 'vlan mldsnoop querier' command.
• MLD snoop is disabled for a VLAN ID that belongs to an IEEE 802.1Q tunnel port.
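The following is an added example, not code from this manual or from Fujitsu, that models the snooping behaviour described in 2.12 and 2.13: listener ports learned from Report messages, router ports learned from Query messages or configured with yes<port_no>, group entries retained after the last listener leaves, flooding once the group table is full, and the group-address aliasing caused by matching only the lower 23 bits (IPv4) or lower 32 bits (IPv6) of the group address. The table size, port numbers and group addresses are constructed for the example; the class and function names are its own.

```python
"""Minimal IGMP/MLD snooping table with the device's group-address aliasing.
Added example (not Fujitsu code); table limit, ports and groups are constructed."""
import ipaddress


def group_key(group):
    """Collapse a group address to the bits the switch actually matches on."""
    addr = ipaddress.ip_address(group)
    if not addr.is_multicast:
        raise ValueError("%s is not a multicast address" % group)
    if addr.version == 4:
        return ("v4", int(addr) & 0x7FFFFF)       # low 23 bits
    return ("v6", int(addr) & 0xFFFFFFFF)         # low 32 bits


def group_mac(group):
    """Multicast MAC the group maps to (RFC 1112 for IPv4, RFC 2464 for IPv6)."""
    fam, low = group_key(group)
    if fam == "v4":
        return "01:00:5e:%02x:%02x:%02x" % (low >> 16, (low >> 8) & 0xFF, low & 0xFF)
    return "33:33:%02x:%02x:%02x:%02x" % (low >> 24, (low >> 16) & 0xFF, (low >> 8) & 0xFF, low & 0xFF)


class SnoopTable:
    def __init__(self, vlan_ports, configured_router_ports=(), max_groups=64):
        self.vlan_ports = set(vlan_ports)
        # yes<port_no>: configured ports are router ports from start-up.
        self.router_ports = set(configured_router_ports)
        self.max_groups = max_groups
        self.groups = {}        # group_key -> set of listener ports
        self.overflow = set()   # groups that could not be registered

    def on_query(self, port):
        # auto: a port where a Query arrives is a multicast router port.
        self.router_ports.add(port)

    def on_report(self, port, group):
        key = group_key(group)
        if key not in self.groups and len(self.groups) >= self.max_groups:
            self.overflow.add(key)   # over the limit: flooded in the VLAN
            return
        self.groups.setdefault(key, set()).add(port)

    def on_leave(self, port, group):
        # The group entry itself is kept; only the output port is removed.
        self.groups.get(group_key(group), set()).discard(port)

    def clear_group(self, group):
        """'clear igmpsnoop group' / 'clear mldsnoop group': drop a stale entry."""
        self.groups.pop(group_key(group), None)

    def forward(self, ingress_port, group):
        """Ports a multicast data packet for `group` is sent out of."""
        key = group_key(group)
        if key in self.overflow:
            out = set(self.vlan_ports)
        else:
            out = self.router_ports | self.groups.get(key, set())
        out.discard(ingress_port)
        return out


def demo():
    t = SnoopTable(vlan_ports={1, 2, 3, 4}, configured_router_ports={1}, max_groups=2)
    t.on_report(2, "224.1.1.1")
    # 225.1.1.1, 224.129.1.1 and 225.129.1.1 share their low 23 bits with
    # 224.1.1.1, so a packet for any of them reaches the listener on port 2.
    aliased = t.forward(1, "225.129.1.1")
    t.on_report(3, "ff02::1:3")     # second entry fills the 2-entry table
    t.on_report(4, "239.0.0.1")     # third group cannot be registered
    flooded = t.forward(1, "239.0.0.1")
    t.on_leave(2, "224.1.1.1")
    after_leave = t.forward(3, "224.1.1.1")   # router port only
    retained = group_key("224.1.1.1") in t.groups
    return aliased, flooded, after_leave, retained
```

The aliasing matters for segmentation: a listener that joined 224.1.1.1 also receives whatever is sent to 225.1.1.1 or 225.129.1.1, so group addresses that must stay separate should be chosen to differ in their low 23 (IPv4) or low 32 (IPv6) bits.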
2.14 EHM Function
In End-Host-Mode (EHM), frames are not forwarded between uplink ports, so no frame loop can form even though no loop-prevention protocol such as STP is used.
Common switch mode and End-Host-Mode are switched by specifying the mode with the boot-system mode command and restarting. End-Host-Mode and common switch mode have independent configuration definitions.
Points to be noted
The STP (spanning tree) function cannot be used.
When there are multiple connections between the connection blade and the ToR (Top-of-Rack) switch, it is recommended to configure link aggregation on both the connection blade and the ToR switch to prevent duplicated packets.
2.15 IEEE802.1X Authentication Function
The IEEE802.1X authentication function authenticates supplicants against an externally installed RADIUS server.
This device supports an authentication function (802.1X authentication) that complies with IEEE802.1X.
The authentication methods "EAP-MD5", "EAP-TLS", "EAP-TTLS" and "PEAP" are supported.
Either local authentication, which uses the AAA function inside the device, or remote authentication by an externally installed RADIUS server can be used as the authentication database. With local authentication, only "EAP-MD5" is available.
With remote authentication, "EAP-TLS" and "EAP-TTLS", which are more secure than the EAP-MD5 used for local authentication, can be used.
With this function, all traffic from a supplicant that has not been granted authentication (other than authentication requests) is blocked, so unauthorized network access by any supplicant other than authenticated ones is denied.
By setting attributes on the RADIUS server, the supplicant is assigned to a VLAN at the time of authentication. When no VLAN ID is notified by the RADIUS server, the VID set by the "ether dot1x vid" command is assigned.
The RADIUS server whose operation has been verified with this device is the Fujitsu "Safeauthor V3.5".
This device can authenticate multiple terminals on one physical port. In this case a switching hub or similar is connected to the physical port of this device, and each of the multiple terminals connected to it is authenticated individually.
When multiple terminals are authenticated on one physical port, supplicant software that sends the "EAPOL-Start" message must be used. Authentication does not start for supplicant software that does not send the "EAPOL-Start" message.
The supplicant software whose operation has been verified with this device is the Fujitsu "Systemwalker Desktop Inspection 802.1X supplicant".
Points to be noted
A VLAN cannot be configured in advance on a port used by this function. A terminal that authenticates successfully communicates in the VLAN assigned at the time of successful authentication.
The authentication methods and the characteristics of each EAP type are shown below.
Authentication method | Characteristics
EAP-MD5
・ ID- and password-based authentication.
・ Users can change their own passwords, reducing the load on the administrator.
EAP-TLS
・ Authentication can be based on the information (Subject) in the certificate.
・ Authentication uses digital certificates registered on both the client (user terminal) and the server.
・ Expired user certificates can be detected and rejected.
・ The certificate revocation list (CRL) is applied, so access with a revoked certificate can be denied.
EAP-TTLS
・ ID- and password-based authentication.
・ No certificate is required on the user terminal.
・ Deployment cost is reduced while a high security level is maintained.
PEAP
・ ID- and password-based authentication.
・ No certificate is required on the user terminal.
・ Deployment cost is reduced while a high security level is maintained.
・ Users can change their own passwords, reducing the load on the administrator.
Attributes for VLAN ID notification
The attributes set on the RADIUS server for remote authentication to assign a VLAN ID to the supplicant are shown below.
Name | Number | Attribute value (*)
Tunnel-Type | 64 | VLAN (13)
Tunnel-Media-Type | 65 | 802 (6)
Tunnel-Private-Group-ID | 81 | VLAN ID (the decimal number encoded as an ASCII string)
(*) The number in parentheses is the decimal value set in the attribute.
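The following is an added example, not code from this manual or from Fujitsu, showing the three attributes above in their RFC 2868 wire form: it encodes them as a RADIUS server would place them in an Access-Accept, then parses them the way an authenticator should, checking that Tunnel-Type is VLAN (13) and Tunnel-Media-Type is 802 (6) before trusting Tunnel-Private-Group-ID, requiring a decimal VLAN ID in 1..4094, and falling back to the port's default VID (the "ether dot1x vid" value) when nothing usable is present. The function names and the byte strings are this example's own.

```python
"""RADIUS tunnel attributes carrying an 802.1X VLAN assignment (RFC 2868).
Added example (not Fujitsu code); attribute bytes below are constructed."""

TUNNEL_TYPE = 64
TUNNEL_MEDIA_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIA_IEEE802 = 6


def tagged_int(attr_type, tag, value):
    """Tagged integer attribute: Type, Length (6), Tag, 3-octet big-endian value."""
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def tagged_string(attr_type, tag, value):
    """Tagged string attribute: Type, Length, Tag, string."""
    body = bytes([tag]) + value
    return bytes([attr_type, 2 + len(body)]) + body


def build_vlan_attrs(vlan_id, tag=1):
    """The attributes a RADIUS server sends to assign vlan_id (1..4094)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIA_TYPE, tag, TUNNEL_MEDIA_IEEE802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id).encode("ascii")))


def iter_attrs(data):
    """Yield (type, value) pairs from a RADIUS attribute list; reject bad lengths."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def split_string_tag(value):
    """RFC 2868: a leading octet in 0x00..0x1F is a tag; otherwise the string is untagged."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def parse_vlan_assignment(data):
    """Return the VLAN ID notified by the server, or None if none is usable."""
    by_tag = {}   # tag -> {attr_type: decoded value}
    for atype, value in iter_attrs(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIA_TYPE):
            if len(value) != 4:
                continue
            by_tag.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, text = split_string_tag(value)
            by_tag.setdefault(tag, {})[atype] = text
    for attrs in by_tag.values():
        if attrs.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
            continue
        if attrs.get(TUNNEL_MEDIA_TYPE) != TUNNEL_MEDIA_IEEE802:
            continue
        text = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
        if not text.isdigit():
            continue
        vid = int(text)
        if 1 <= vid <= 4094:
            return vid
    return None


def assign_vlan(data, default_vid):
    """VLAN the authenticated supplicant is placed in: the notified one, else the port default."""
    vid = parse_vlan_assignment(data)
    return default_vid if vid is None else vid
```

Grouping the attributes by tag before checking them is what stops a Tunnel-Private-Group-ID from one tunnel set being combined with the Tunnel-Type of another; a parser that just looks for attribute 81 and converts it would accept a VLAN assignment without the VLAN/802 qualification the table requires.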
EAP-MD5 Authentication
EAP-MD5 authentication uses a password shared between the user terminal and the RADIUS server. The server sends a challenge, the terminal returns a response computed from the challenge and the password with the MD5 hash function, and the RADIUS server verifies the response to authenticate the user.
With local authentication, the "AAA function" of this device is used instead of the "RADIUS server". The sequence of EAP-MD5 authentication in the IEEE802.1X function is shown below.
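The following is an added example, not code from this manual or from Fujitsu, of the challenge/response computation just described. EAP-MD5 (RFC 3748, section 5.4) reuses the CHAP calculation of RFC 1994, Response = MD5(Identifier || password || Challenge); the block computes and verifies a response as the supplicant and the server would, and then shows why the manual rates EAP-MD5 below the certificate-based methods: one captured challenge/response pair is enough to test password guesses offline, and nothing in the exchange authenticates the server to the terminal. The identifier, password and word list are constructed for the example.

```python
"""EAP-MD5 challenge/response (RFC 3748 s5.4 / RFC 1994) and its offline-guessing weakness.
Added example (not Fujitsu code); identifier, password and word list are constructed."""
import hashlib
import os


def md5_response(identifier, password, challenge):
    """EAP-MD5 Response value for one Request (identifier is the 1-byte EAP Identifier)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


def server_issues_challenge(identifier):
    """Authentication server side: a fresh 16-byte challenge for this EAP Identifier."""
    return identifier, os.urandom(16)


def server_verifies(identifier, challenge, response, stored_password):
    # The server must hold the cleartext password to recompute the hash;
    # with EAP-TLS/TTLS the server side holds a certificate instead.
    return response == md5_response(identifier, stored_password, challenge)


def offline_guess(identifier, challenge, response, wordlist):
    """Recover the password from one captured exchange by trying a word list."""
    for guess in wordlist:
        if md5_response(identifier, guess, challenge) == response:
            return guess
    return None


def demo():
    identifier, challenge = server_issues_challenge(0x2A)
    password = b"winter2024"
    response = md5_response(identifier, password, challenge)   # sent by the supplicant
    ok = server_verifies(identifier, challenge, response, password)
    # Everything needed for the guess is visible on the wire: EAPOL frames
    # carry the identifier, the challenge and the response unencrypted.
    cracked = offline_guess(identifier, challenge, response,
                            [b"password", b"summer2023", b"winter2024", b"letmein"])
    return ok, cracked
```

Because the response depends only on a public challenge and the password, the strength of an EAP-MD5 deployment is exactly the strength of the password against offline guessing; EAP-TLS removes the password, and EAP-TTLS/PEAP carry it inside a TLS tunnel to a server that has first proved its identity.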
EAP-TLS Authentication
EAP-TLS is an authentication method in which certificates are issued to both the user terminal and the RADIUS server.
The sequence of EAP-TLS authentication in the IEEE802.1X function is shown below.
PEAP Authentication (EAP-TTLS authentication is similar)
PEAP is an authentication method in which a certificate is issued only to the RADIUS server.
The sequence of PEAP authentication in the IEEE802.1X function is shown below.
2.16 Guest VLAN function
The guest VLAN function permits connection to a specific VLAN (the guest VLAN) when a terminal that is not permitted to authenticate is detected.
With this function, the network use of terminals that are not permitted to authenticate can be controlled by placing such terminals, instead of denying the connection, in a separate VLAN. Note that any unauthenticated device on the port can reach the guest VLAN, so it should contain only resources intended for unauthenticated access.
Points to be noted
• When the guest VLAN function and dot1x authentication are used together, authentication is treated as successful while EAP authentication is still in progress, and a supplicant that cannot cope with this may not operate normally.
2.17 Broadcast / Multicast storm control function
The broadcast / multicast storm control function limits broadcast / multicast packets so that, when a large amount of them flows through the network because of a fault, they do not obstruct other communication.
A threshold is set on this device and packets are controlled per port. When the packet rate exceeds the threshold, the excess packets are discarded, or the port is blocked to stop the flow.
Points to be noted
When a port is blocked because the rate exceeded the threshold, release the block by issuing the online command with the block-release specification.
2.18 Port mirroring function
Port mirroring is a function that monitors the receiving traffic or the sending traffic of a specified source port from a specified target port. A target port for the reception mirror, which monitors the receiving traffic of the source port, and a target port for the transmission mirror, which monitors the sending traffic of the source port, can be specified.
To use port mirroring, first connect a probe device such as a LAN analyzer to the target port, then specify the connected target port and the source port to be monitored.
Multiple source ports can be specified on this device. When multiple source ports are specified, however, their total traffic must not exceed the bandwidth of the target port.
Points to be noted
▪ Only one mirror target port each for sending and for receiving can be set per device.
▪ The sending and receiving mirror target ports cannot be set on the same port.
▪ A mirror target port becomes a port dedicated to mirroring the source ports.
▪ A port specified as a mirror target cannot be specified as a source.
▪ When there are multiple mirror source ports for a target port, the part of the traffic that exceeds the bandwidth of the target port is discarded.
▪ Frames may be mirrored to the target port even when the STP port state of the source port is other than forwarding. The relation between the MSTP, STP and RSTP port states and the frames that are mirrored is as follows. When there are multiple source ports, the traffic of each is mirrored according to that port's state.
Source port state (in the target VLAN, for MSTP) | Frame type | Sent to target port
Disable | Other than BPDU | Not sent
Disable | BPDU | Not sent
Blocking, listening (discarding in RSTP/MSTP) | Other than BPDU | Not sent
Blocking, listening (discarding in RSTP/MSTP) | BPDU | Sent
Learning | Other than BPDU | Not sent
Learning | BPDU | Sent
Forwarding | Other than BPDU | Sent
Forwarding | BPDU | Sent
▪ The presence and contents of the VLAN tag on a packet output to the target port may differ from those of the packet actually sent or received by the source port.
[Figure: a source port whose sending traffic is copied to the transmission-mirror target port and whose receiving traffic is copied to the reception-mirror target port, each connected to an analyzer]
▪ The packets output to the target port are as follows.
- When a transmitted packet is mirrored:
Tag setting of the source port the packet is sent from | Contents of the mirrored packet
Tagged (for multicast, broadcast and flooded packets with multiple source ports: when tagged settings exist on multiple source ports) | Tagged. The tag contents are those attached on the sending source port.
Untagged (for multicast, broadcast and flooded packets with multiple source ports: when untagged settings exist on multiple source ports) | Not tagged.
- When a received packet is mirrored, the presence and contents of the VLAN tag on the packet output to the target port match those of the input packet.
- When a received frame is mirrored together with DSCP / IP precedence rewriting, the frame after the rewrite is mirrored instead of the received frame.
2.19 Ether L3 Monitoring Function
Ether L3 monitoring is a function that confirms the existence of specified nodes (devices) by sending and receiving ICMP ECHO packets. When the monitored device is reached through one or more intermediate devices, a fault on that route can be detected and the monitoring port can be blocked.
It can also be used together with the link aggregation function and the backup port function.
When the definitions are reflected, monitoring starts even if the monitoring port is in the link-down state.
• Ether L3 monitoring with the link aggregation function
When monitoring is performed on a link aggregation, blocking the port on which a fault is detected blocks all member ports as well.
• Ether L3 monitoring with the backup port function
When monitoring is performed with the backup port function, configure monitoring on the operation port. When Ether L3 monitoring is set on the standby port, monitoring is not performed; it starts when the standby port switches to the operation port.
When a fault is detected and the monitored port is blocked, the impact of the network fault can be minimized by switching the standby port to the operation port.
When the definitions are reflected while the monitoring port is in the link-down state: in the mode where the master port always takes priority, monitoring can start on the master port; in the mode that uses the previously linked-up port, monitoring starts on the port on which monitoring is set.
Points to be noted
• Set a longer monitoring timeout when using this function together with the STP function.
• For a port in the blocked state, release the block with the block-release specification of the online command.
• When the monitoring port is an authentication port, monitoring is not performed.
2.20 Output rate control function
Output rate control is a function that limits the amount of traffic flowing out of an output port so that a large volume of traffic is not passed on to the downstream network.
Set an output control value to limit the bandwidth per port on this device.
When the traffic bandwidth exceeds the threshold value, the traffic exceeding the bandwidth is discarded.
Points to be noted
The priority control function using WRR or WDRR and the output rate control function cannot be used together.
[Figure: traffic from a network passing through the device with output bandwidth limitation toward the downstream network]
2.21 Port block function
The port block function keeps a physical port in the link-down state (port block) until the operator instructs otherwise by issuing the online command.
Depending on the cause of a fault, a physical port may link up and link down repeatedly. If a redundant path exists, deliberately keeping the port in the link-down state (port block) on this device makes it possible to secure stable communication.
A port transitions to the blocked state through the following.
• Manual block by issuing the offline command.
• Automatic block linked to the operation of a communication control function.
• Automatic block on a change in the link status of a connected port.
Points to be noted
• The offline command can be issued only by a manager-class user.
• Release the block of a port that has entered the blocked state with the block-release specification of the online command.
• When the configuration definition is modified, the block may be released depending on the modified contents.
Manual block by issuing the offline command
The port enters the blocked state when the offline command, an Ethernet port control command, is issued.
Automatic block linked to a communication control function
A transition to the port block state can be specified when control functions such as broadcast / multicast storm control are used. The communication control functions that support the transition to the port block state are as follows.
• Backup port function
• Broadcast / multicast storm control function
• Ether L3 monitoring function
Automatic block on a change in the link status of a connected port
The port can be blocked when the link status of the connected port changes.
The link status changes that can cause a transition to the port block state on this device are as follows.
• Blocking at start-up
The port is blocked when the device starts or a dynamic definition is reflected.
• Blocking by link-down frequency
The port is blocked when the number of link-down events specified in the configuration definition is detected.
• Blocking of other ports at link-down (link-down relay block)
At link-down, the linked ports specified in the configuration definition are blocked. When the port returns to the link-up state, the block on the linked ports can be released together with it.
2.22 IP route control function
IP route information is managed in a routing table and used to decide the forwarding destination of IP packets.
IP route information is controlled by the following functions.
▪ Route control by fault detection on an interface
▪ Static routing function
This section explains the types and management of IP route information and the functions that control it.
2.22.1 Types of IP route information
IP route information is classified as follows.
▪ Interface route (IPv4)
Represents the IPv4 network or IPv4 address assigned to an interface. An IPv4 address assigned to the loopback interface is managed as a host route (32-bit network mask).
▪ Interface route (IPv6)
Represents the IPv6 prefix assigned to an interface. It is generated when an IPv6 prefix is set in the configuration definition and when IPv6 prefix information is received in a Router Advertisement message. An IPv6 address assigned to the loopback interface is managed as a host route (128-bit network mask).
▪ RA route (IPv6)
Represents the default route generated from the information in a received Router Advertisement (RA) message.
▪ Static route (IPv4/IPv6)
Represents route information set in the configuration definition and held in the device.
IP route information is managed with the following priority values.
● IPv4
IP route information | Priority value
Interface route | 0 (fixed)
Static route | 1 (changeable)
● IPv6
IP route information | Priority value
Interface route | 0 (fixed)
Static route | 1 (changeable)
RA route | 12 (fixed)
2.22.2 Management of IP Route Information
IP route information is managed in the route table of the routing protocol and in the routing table.
The two tables are explained below.
Routing table
The routing table consists of the priority routes (best paths) selected from the IP route information.
Of the IP route information managed in the routing table, the entries other than interface routes are counted as routing entries.
The maximum number of routing entries is defined for each device, and route information that exceeds the maximum number of entries is discarded. IPv4 and IPv6 entries are managed separately.
Points to be noted
IP route information received beyond the maximum number of routing entries is discarded and not registered in the routing table. Depending on the route information, registration may also fail even when the maximum number of entries has not been reached. When route registration fails, a system log recording the failure is written. Review the network configuration and route information, then restart the device.
2.22.3 Route Control Function by Fault Detection on an Interface
Interface route information can be deleted from the routing table when a fault is detected on the interface (for example, an abnormality detected by hardware). IP route information to the same destination created by the static routing function can be switched over when the interface route is deleted.
Furthermore, the fault detected on the interface is reported as an abnormality of the interface used by the static routing function, and the route can be switched over within the static routing function.
2.22.4 Static Routing Function
Static routes are used to control IP route information in combination with the following functions.
• Route control by fault detection on an interface
A static route whose exit is the affected interface can be deleted from the routing table when a fault is detected on the interface.
• Priority route control function
Among the IP route information for the same destination, the route added to the routing table can be selected by priority (distance). The smaller the priority value, the more preferred the route; only the preferred route is reflected in the routing table. When that preferred route becomes invalid, switching to the route with the next priority is possible.
2.23 IPv6 Function
IPv6 is the next-generation Internet protocol that replaces the IP (IPv4) primarily in use today.
This device can operate as an IPv6 host.
The IPv6 host functions supported by this device are as follows.
Static route setting
Automatic address configuration on reception of a Router Advertisement message
Automatic default route configuration on reception of a Router Advertisement message
Automatic ND information configuration on reception of a Router Advertisement message
Automatic source address selection
This device can also forward IPv6 packets as well as IPv4 packets.
The IPv6 router functions supported by this device are as follows.
Static routing (dynamic routing is described below but is not supported by this device)
Packet filtering
Points to be noted
ICMPv6 redirect messages are not sent when operating as an IPv6 host.
When the IPv6 routing function is used, route information with a prefix length of 65 to 127 cannot be registered in the routing table.
Notation of IPv6 addresses
A 128-bit IPv6 address is written as eight 16-bit groups separated by ":" (colon), each group in hexadecimal. Leading zeros in each group may be omitted. One run of consecutive all-zero groups may be replaced by "::", and this may be done only once within a single IPv6 address.
IPv6 address structure
Just as an IPv4 address is divided into a network part and a host part, an IPv6 address is divided into a prefix and an interface ID. A prefix length of 64 bits is generally used.
When an address is written together with its prefix length, the prefix length follows the address after a "/".
As with IPv4, the use of an IPv6 address is determined by its leading bits. The addresses that can be used by this device are as follows.
• Global Unicast Addresses
The addresses used for normal communication. Generally they are generated automatically from the address block allocated by the ISP and the Router Advertisement message information received from the IPv6 router.
• Link-Local Unicast Addresses (fe80::/64)
Special addresses valid only within a link (the range reachable without a router). The address starts with the 10 bits 1111 1110 10; normally bits 11 through 64 are 0.
• Multicast Addresses
Multicast addresses. The first 8 bits are 1111 1111.
Static and dynamic route settings
The concept of IPv6 networking and routing is almost the same as for IPv4. The forwarding destination is determined from the route information in the device. Static route setting (static routing) and dynamic route setting (dynamic routing) are the methods for providing this route information to the device.
Static routing means that the route information is set in the configuration definition and used as is. This route information cannot be changed without changing the configuration definition.
Dynamic routing means that route information is learned from other nodes on the network by communication using a routing protocol. This device does not support dynamic routing.
[Figure: IPv6 address layout: prefix (n bits) followed by interface ID (128 - n bits)]
Automatic address configuration on reception of a Router Advertisement message
This device supports reception of Router Advertisement messages.
A Router Advertisement message contains the prefix information used on the network. When prefix information is received, a prefix list that manages the valid lifetime is generated and an IPv6 address consisting of the prefix and the interface ID is configured automatically.
The received prefix information can be displayed with the show ipv6 ra prefix-list command. The automatically configured IPv6 address can be displayed with the show ipv6 route or show interface command.
Points to be noted
• When multiple prefix information entries are received on one interface, only the number of prefixes required for automatic address generation is added.
• When prefix information whose valid lifetime exceeds 365 days (other than an infinite lifetime) is received, it is treated as having a valid lifetime of 365 days.
• When the prefix length in the prefix information is other than 64, the prefix information is discarded.
• An IPv6 address is configured on the interface when the on-link flag and the autonomous address-configuration flag of the prefix information are set.
Automatic default route configuration on reception of a Router Advertisement message
When a Router Advertisement message is received, a default route is configured with the link-local address of the sending router as the gateway.
When Router Advertisement messages are received from multiple routers, a default router list of routers usable as the default router is generated, and a router in this list that can be reached is set as the default router. The generated default router list can be displayed with the show ipv6 ra default-router-list command. The configured default router can be displayed with the show ipv6 route command.
Points to be noted
• When Router Advertisement messages are received from multiple routers, priority control by router preference is not performed. In this case the router whose message was received first becomes the default router.
• The priority value of a default route learned from a Router Advertisement message is 12. When it is used together with a static default route, change the priority value of the static route.
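The following is an added example, not code from this manual or from Fujitsu, of the route selection described in 2.22.3 and 2.22.4 and of the RA default route note above: all routes to a destination are kept as candidates, the usable one with the smallest priority value is installed, a route whose exit interface has a detected fault is withdrawn, and the next priority takes over. The priority values follow the tables in 2.22.1 (interface 0, static 1 and changeable, RA 12); the interface names, prefixes and next hops are constructed for the example and the class and function names are its own.

```python
"""Route selection by priority value with interface fault fail-over.
Added example (not Fujitsu code); interfaces, prefixes and next hops are constructed."""
import ipaddress

PRIO_INTERFACE = 0   # fixed
PRIO_STATIC = 1      # changeable per route
PRIO_RA = 12         # fixed


class RouteTable:
    def __init__(self):
        self.candidates = []   # every configured or learned route
        self.iface_up = {}     # interface name -> True if no fault detected

    def add(self, prefix, via, iface, priority, kind):
        self.candidates.append({
            "prefix": ipaddress.ip_network(prefix),
            "via": via, "iface": iface, "priority": priority, "kind": kind,
        })
        self.iface_up.setdefault(iface, True)

    def set_interface(self, iface, up):
        """Interface fault detection: mark the interface down (or restore it)."""
        self.iface_up[iface] = up

    def best_routes(self):
        """The routing table: per destination prefix, the usable route with the
        smallest priority value (earlier-added route wins a tie)."""
        best = {}
        for r in self.candidates:
            if not self.iface_up.get(r["iface"], False):
                continue   # interface route and every static route leaving it are withdrawn
            cur = best.get(r["prefix"])
            if cur is None or r["priority"] < cur["priority"]:
                best[r["prefix"]] = r
        return best

    def lookup(self, dst):
        """Longest-prefix match over the installed routes; None if unroutable."""
        addr = ipaddress.ip_address(dst)
        matches = [r for p, r in self.best_routes().items()
                   if addr.version == p.version and addr in p]
        if not matches:
            return None
        return max(matches, key=lambda r: r["prefix"].prefixlen)


def demo():
    rt = RouteTable()
    # Interface routes (priority 0) on two uplinks.
    rt.add("10.0.1.0/24", None, "lan0", PRIO_INTERFACE, "interface")
    rt.add("10.0.2.0/24", None, "lan1", PRIO_INTERFACE, "interface")
    # Two static IPv4 defaults; the operator raised the second one's priority
    # value so it is used only when the first is withdrawn.
    rt.add("0.0.0.0/0", "10.0.1.1", "lan0", PRIO_STATIC, "static")
    rt.add("0.0.0.0/0", "10.0.2.1", "lan1", 5, "static")
    # IPv6: a static default (1) beside an RA-learned default (12). The static
    # route wins until its interface fails, as the note above describes.
    rt.add("::/0", "fe80::1", "lan0", PRIO_STATIC, "static")
    rt.add("::/0", "fe80::2", "lan1", PRIO_RA, "ra")

    before = (rt.lookup("203.0.113.9")["via"], rt.lookup("2001:db8::1")["via"])
    rt.set_interface("lan0", False)   # fault detected on lan0
    after = (rt.lookup("203.0.113.9")["via"], rt.lookup("2001:db8::1")["via"])
    return before, after
```

To let the RA-learned default take precedence over a static one, as the note advises, the static route's priority value has to be raised above 12; lowering the RA route is not possible because its value is fixed.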
Automatic ND information configuration on reception of a Router Advertisement message
A Router Advertisement message contains neighbor information (ND information) used during communication. When the ND information in a received Router Advertisement message differs from the ND information saved in this device, the saved ND information is updated.
The ND information saved in this device and its initial values are shown below.
• Reachable time (default 30 seconds) during which a neighbor is considered reachable
• Retransmission interval (default 1 second) of the Neighbor Solicitation (NS) messages that confirm the reachability of a neighbor
• Current hop limit (default 64)
• MTU (default 1500 bytes) recommended on the receiving network
Automatic source address selection
In IPv6 it is common for multiple IPv6 addresses to be assigned to an interface. When communication is initiated from this device and the application does not specify an explicit source address, the address is selected from the multiple IPv6 addresses according to a fixed rule.
The source address selection rule supported by this device is based on the following RFC.
• RFC3484: Default Address Selection for Internet Protocol version 6 (IPv6)
2.24 IP Filtering function
The security of the network served by this device can be improved by using the IP filtering function together with settings such as passwords.
The IP filtering function improves network security by controlling the packets transmitted and received through this device according to IP address, port number and so on. In this device, IP filtering is performed on an incoming packet when it matches the "acl ip" definition and the "acl tcp", "acl udp" or "acl icmp" definition specified in the ACL definition.
The following elements must be considered to improve network security.
Security policy of the network
Elements other than the switch (firewall, user authentication, etc.)
Points to be noted
Computer virus infection cannot be prevented by this switch. Other countermeasures, such as anti-virus software on the personal computers, are necessary.
The security policy is decided according to the connection type
Whether the Internet is connected or similar LANs are connected to each other, data flows in two directions, "from outside to inside" and "from inside to outside". Both directions must be considered when the security policy is decided.
● Example security policy for data flowing "from outside to inside"
Do not accept packets that are not needed.
Reject access to private hosts.
Prevent unnecessary access by internal users.
● Example security policy for data flowing "from inside to outside"
Limit access to sites that raise legal issues.
Prevent unnecessary access by internal users.
Supplement
The IP filtering function acts only on data flowing "from outside to inside"; it does not act on data flowing "from inside to outside" or on data between personal computers on the inside (data within the LAN).
2.25 DSCP Value Rewrite Function DSCP value rewrite is a function to rewrite the DSCP value of IP packets specified. Delay within IP-VPN net can
be reduced if the DSCP value of data that is requested by voice and response using IP-VPN net is changed and
then sent. The function is enabled when connected with carrier VPN service (Super VPN etc) that controls
packet priority by DSCP value.
DSCP value rewrite function supported by this device is compliant with given below RFC (Request For
Comments).
RFC2474: Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers
DSCP value rewrite function can control DSCP field from 8 bit ‘Type Of Service (TOS)’ field having IP packet
header and 8 bit ‘traffic class’ field having IPv6 packet header defined by IPv4 [RFC 791].
• RFC791 Internet Protocol
• RFC2460 Internet Protocol,Version 6 (IPv6)Specification
Destination IP address, destination port number, source IP address, source port number and protocol number can be specified as the 'rewrite' condition. The DSCP value of packets that match the condition is rewritten before transmission. When a packet matches multiple conditions, the condition with the smaller definition number is used. The DSCP value of packets that are not targets of 'rewrite' is left unchanged.
Packets entering this device go through the DSCP value rewrite process according to the "acl.ip" definition ("acl.ip6" definition for IPv6) of the specified ACL definition together with its "acl.tcp", "acl.udp" or "acl.icmp" definition.
When DSCP rewrite is executed, the output queue can be determined in one of two ways. The first determines the output queue from the user priority of the packet and its mapping to queues; in this case the DSCP rewrite does not influence the choice of output queue. The user priority is taken from the upper 3 bits of TOS or TC (the upper 3 bits of the DSCP before rewrite) when the 'qos classification' function is used, from the IEEE802.1p CoS of tagged frames, or from the default priority for untagged received packets. The second, used when the 'changeQueue' function is set, determines the output queue from the DSCP after rewrite: the output queue associated with the rewritten DSCP is the one whose user priority equals the upper 3 bits of that DSCP. Priority control for the rewritten 'traffic' can then be applied by specifying the priority control algorithm and the priority of the output queue.
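The rewrite decision and the two queue determination methods described above, as an added example; this is illustration code and not firmware of the connection blade. The names Packet, AclEntry, rewrite_dscp and select_queue, the sample ACL and the sample packets are all constructed for this example.

```python
# Added example: a model of the DSCP rewrite decision described above.
# This is illustration code, not firmware of the connection blade; the names
# Packet, AclEntry, rewrite_dscp and select_queue are assumptions.
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int                 # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    src_port: int
    dst_port: int
    tos: int                   # 8-bit TOS (IPv4) or Traffic Class (IPv6) byte
    cos: Optional[int] = None  # IEEE 802.1p user priority, None for untagged frames


@dataclass(frozen=True)
class AclEntry:
    """One 'rewrite' condition; a field left as None is a wildcard."""
    number: int                # definition number: the smallest matching one wins
    new_dscp: int              # DSCP (0..63) to write into matching packets
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        wanted = (self.src_ip, self.dst_ip, self.proto, self.src_port, self.dst_port)
        actual = (p.src_ip, p.dst_ip, p.proto, p.src_port, p.dst_port)
        return all(w is None or w == a for w, a in zip(wanted, actual))


def dscp_of(tos: int) -> int:
    """DSCP is the upper 6 bits of the TOS / Traffic Class byte (RFC 2474)."""
    return (tos >> 2) & 0x3F


def with_dscp(tos: int, dscp: int) -> int:
    """Replace the DSCP bits and keep the low 2 (ECN) bits unchanged."""
    return ((dscp & 0x3F) << 2) | (tos & 0x03)


def rewrite_dscp(p: Packet, acl: Sequence[AclEntry]) -> int:
    """Return the TOS/TC byte after the rewrite step: the matching entry with
    the smallest definition number decides; non-matching packets keep their DSCP."""
    hits = [e for e in acl if e.matches(p)]
    if not hits:
        return p.tos
    chosen = min(hits, key=lambda e: e.number)
    return with_dscp(p.tos, chosen.new_dscp)


def select_queue(p: Packet, tos_after: int, change_queue: bool,
                 classify_by_tos: bool = True, default_priority: int = 0) -> int:
    """Output queue = user priority (0..7).
    change_queue=False: the priority comes from the packet BEFORE rewrite
      (upper 3 bits of TOS/TC with 'qos classification', else the 802.1p CoS
      of a tagged frame, else the default priority for untagged frames).
    change_queue=True ('changeQueue'): the priority is the upper 3 bits of the
      DSCP AFTER rewrite."""
    if change_queue:
        return dscp_of(tos_after) >> 3
    if classify_by_tos:
        return p.tos >> 5          # upper 3 bits of TOS/TC = upper 3 bits of DSCP
    return p.cos if p.cos is not None else default_priority


# Constructed sample ACL (not from the manual): entry 5 marks all UDP as AF31
# (DSCP 26), entry 10 marks traffic to port 5060 as EF (DSCP 46).
EXAMPLE_ACL = (
    AclEntry(number=10, new_dscp=46, dst_port=5060),
    AclEntry(number=5, new_dscp=26, proto=17),
)

if __name__ == "__main__":
    udp_voice = Packet("10.0.0.5", "10.0.1.9", 17, 40000, 5060, tos=0)
    tcp_signal = Packet("10.0.0.5", "10.0.1.9", 6, 40001, 5060, tos=0)
    for pkt in (udp_voice, tcp_signal):
        after = rewrite_dscp(pkt, EXAMPLE_ACL)
        print(f"proto={pkt.proto} dscp {dscp_of(pkt.tos)} -> {dscp_of(after)}, "
              f"queue {select_queue(pkt, after, change_queue=False)} / "
              f"{select_queue(pkt, after, change_queue=True)} (changeQueue)")
```

The UDP packet to port 5060 matches both entries, and entry 5 wins because its definition number is smaller, so it is marked AF31 rather than EF. Without 'changeQueue' both packets stay in queue 0 (their original DSCP was 0); with 'changeQueue' they move to queues 3 and 5, the upper 3 bits of the rewritten DSCP.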
Points to be noted
▪ When used together with the protocol VLAN function, the QoS function is disabled for frames identified as protocol VLAN. Refer to the "vlan protocol" command for the frames recognized as protocol VLAN.
▪ QoS that uses ACL is disabled for packets to which the IP MAC filter applies.
▪ When the priority determination method of packets is set, it is as follows.
2.26 RADIUS function
The RADIUS function manages AAA (Authentication, Authorization, Accounting) information using an external server (RADIUS server). When the same AAA information is needed on multiple devices, or when a large amount of user information is to be managed, the authentication information, the configuration information of each user and the connection time of each user can be managed centrally.
This device supports the RADIUS client function.
The RADIUS client function is used via AAA by the RADIUS support functions listed below. The AAA information that each function can use is shown below.
RADIUS support function | Authentication method (authentication) | User information (authorization) | Accounting (accounting)
IEEE802.1X authentication | EAP-MD5 authentication, EAP-TLS authentication, EAP-TTLS authentication, PEAP authentication | Does not use | ▪ Number of sent and received octets ▪ Number of sent and received packets ▪ Connection time
ARP authentication | PAP authentication / CHAP authentication (*) | Does not use | Does not use
DHCP MAC address check | PAP authentication / CHAP authentication (*) | Does not use | Does not use
(*) Authentication that uses the MAC address (12 hexadecimal characters without separators) as the user name and the MAC address as the password.
A backup configuration or load-sharing configuration using multiple RADIUS servers is possible with the RADIUS client function of this device.
Each authentication server and accounting server defined as a RADIUS server has either alive status or dead status. The meaning of each status is as follows.
▪ alive status
The server is available. Servers are used in order of priority, the higher priority being the smaller numerical value in the definition. When multiple servers have the same priority, one is selected at random.
▪ dead status
Use of the server is temporarily stopped because a request to the server address timed out. While a server in alive status exists, the defined priority of a dead server is not used. When the restoration standby time has elapsed, the server is automatically restored to alive status. If all servers are in dead status when authentication or accounting is carried out, one server is tried at random, and the server from which a response is obtained is restored to alive status.
Points to be noted
▪ Because of a restriction of the RADIUS protocol, the number of authentication and accounting requests that can be carried out at the same time is 256. Both fail when 257 or more authentication and accounting requests are carried out at the same time.
▪ Even when the RADIUS client function is defined, user information of the same group is used. When both the RADIUS client function (aaa radius) and user information (aaa user) are defined in an AAA group, authentication is carried out first by the RADIUS client function. If authentication by the RADIUS client function succeeds, the user information is not used; if it fails, authentication is carried out next with the user information.
2.27 SNMP Function
SNMP (Simple Network Management Protocol) is an IP management protocol for collecting and managing information at the IP layer and TCP layer level.
In the SNMP function, the managing device is called the SNMP manager and the managed device is called the SNMP agent. When a network is managed with the SNMP function, the managing side must support the SNMP manager function and the managed side must support the SNMP agent function.
The SNMP manager function manages the operating and failure conditions of the terminals on the network in a uniform way. The SNMP agent function returns management information, called the MIB (Management Information Base), in response to requests from the SNMP manager. The network is managed by these two functions exchanging the parameters defined in the MIB between the SNMP manager and the SNMP agent.
SNMPv1, SNMPv2c and SNMPv3 are supported by this device. The standard MIB and the Fujitsu extended MIB are also supported.
Hint: MIB
There are two kinds of MIB: the standard MIB, which does not depend on the vendor of the device, and the vendor-specific extended MIB. The standard MIB defined by RFC1213 is the virtual information area used to access each management object of a managed node. The RFC defines the management information that an SNMP agent must provide: system information about the SNMP node (system name, manager name, etc.) and statistical information related to TCP/IP. However, transmission paths, hubs and the like cannot be fully managed with the items defined by the RFC, so each vendor extends the MIB with information about the various protocols and its own devices. This is called the extended MIB.
The MIB is defined in ASN.1 (Abstract Syntax Notation One) format. An extended MIB is managed by the SNMP manager once the SNMP agent side publishes it; the SNMP manager must have the definition of that extended MIB loaded so that its information can be collected.
2.27.1 RMON Function
RMON (Remote Network Monitoring) is a standard specification for network monitoring. It monitors the traffic and error state of a LAN from a remote location.
The RMON function is an extension of the SNMP function. LAN statistics are stored on the SNMP agent side, and the stored data is returned as an SNMP response to requests from the SNMP manager (or RMON manager).
The RMON groups shown below are supported by this device.
• statistics group
Collects basic statistics, such as packet counts and error counts, for the monitored ETHER port.
• history group
Stores the information collected by the statistics group and similar totals as history information. Because the history is stored in the device as statistics for fixed periods, the SNMP manager (or RMON manager) can obtain continuous statistics by collecting it periodically.
2.28 SSH server function
The SSH server function provides a remote login function (ssh server) similar to the TELNET server function and a remote file transfer function (sftp server) similar to the FTP server function. With the TELNET server function and the FTP server function, the communication is sent as plain text and may be intercepted. With the SSH server function, host authentication and encrypted communication allow the login function and the file transfer function to be used securely.
The SSH host authentication key of this device is generated when the device is powered on or reset. Generation takes from a few seconds to a few minutes. Syslog messages are output at the start and at the completion of SSH host authentication key generation, and SSH connections to this device are possible from the point where generation is complete. When the SSH host authentication key of this device must be set in the SSH client software beforehand, use the key displayed by the 'show ssh server key dsa' command and the 'show ssh server key rsa' command of this device.
When an SSH connection is made, this device sends its SSH host authentication key to the SSH client side; if it differs from the key set and saved on the client, the SSH connection is rejected. Therefore, after a device exchange or similar, reset or delete the SSH host authentication key saved in the SSH client software before connecting by SSH again.
After that the password prompt is displayed, although it may take some time until it appears because of the SSH host authentication process. The SSH server function can be stopped completely by setting the serverinfo ssh / serverinfo sftp command to 'off'.
The ssh client and the sftp client both connect to the SSH port. When either ssh or sftp of the serverinfo command is 'on', the SSH port of this device can be connected to in the same state; when it is set to 'off', the port cannot be connected to until the password is input.
Points to be noted
▪ When this device is started in a state where the SSH server function is completely stopped and either of the SSH functions in the serverinfo command is then enabled, it takes time to generate the SSH host authentication key. During this time other processes may be affected, because session monitoring time-outs can occur.
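The host key check that leads to the rejection described above, seen from the SSH client side, as an added example. This is not the device's or OpenSSH's code; the key material is constructed (it is not a real key), and the host name and the helper names are assumptions. A saved entry is meant to be filled from the output of 'show ssh server key rsa'.

```python
# Added example (not the device's software): how an SSH client checks the host
# authentication key the device presents against a previously saved one.
# The key material below is constructed for illustration and is not a real
# key; the host name and helper names are assumptions.
import base64
import hashlib
import struct
from typing import Dict, Tuple


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 mpint: big-endian, with a leading 0x00 when the high bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """Wire format of an ssh-rsa public key (the base64 part of a key line)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def key_line(e: int, n: int) -> str:
    """'ssh-rsa <base64>' as shown by the client or saved in known_hosts."""
    return "ssh-rsa " + base64.b64encode(rsa_public_blob(e, n)).decode()


def parse_public_blob(blob: bytes) -> Tuple[str, int, int]:
    fields = []
    pos = 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key blob")
    return "ssh-rsa", int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def fingerprint_sha256(blob: bytes) -> str:
    """Fingerprint in the form OpenSSH prints: unpadded base64 of SHA-256."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(host: str, presented_line: str, saved: Dict[str, str]) -> str:
    """Compare the key line the server sends with the key saved for that host.
    Returns 'ok', 'unknown' or 'mismatch'; a mismatch is what makes the client
    refuse the connection, so after a device exchange the saved entry must be
    deleted or replaced with the key the new device displays."""
    key_type, presented_b64 = presented_line.split()[:2]
    parse_public_blob(base64.b64decode(presented_b64))   # reject malformed input early
    if host not in saved:
        return "unknown"
    saved_type, saved_b64 = saved[host].split()[:2]
    if (saved_type, saved_b64) == (key_type, presented_b64):
        return "ok"
    return "mismatch"


# Constructed demo material (NOT a real key): e = 65537 and a 256-bit modulus.
DEMO_E = 65537
DEMO_N = int.from_bytes(bytes(range(1, 33)), "big")
DEMO_KEY_LINE = key_line(DEMO_E, DEMO_N)
SAVED_KEYS = {"blade-mgmt.example": DEMO_KEY_LINE}   # assumed host name

if __name__ == "__main__":
    print(fingerprint_sha256(rsa_public_blob(DEMO_E, DEMO_N)))
    print(check_host_key("blade-mgmt.example", DEMO_KEY_LINE, SAVED_KEYS))
```

Comparing the whole key line rather than only a fingerprint avoids any ambiguity; the fingerprint is what an operator compares by eye against the 'show ssh server key' output before saving the entry.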
The points of difference between an sftp connection and an ftp connection are as follows.
Items | sftp connection | ftp connection
User ID specification | Specified before connection (given as part of the sftp client command when starting the connection) | Specified after connection (entered at the client once connected)
Binary mode specification | No | Yes
SSH server function supported by this device
Items | Support contents
SSH server version | OpenSSH 3.9p1
SSH protocol version | SSH protocol version 2 only
SSH port number / protocol | 22 / TCP
IP protocol version | IPv4, IPv6
Host authentication protocol | RSA
Host authentication algorithms | ssh-rsa, ssh-dss
Ciphers | aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, arcfour, aes192-cbc, aes256-cbc, rijndael-cbc@lysator.liu.se, aes128-ctr, aes192-ctr, aes256-ctr
Message authentication codes | hmac-md5, hmac-sha1, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
Number of simultaneous connections | 1
2.28.1 SSH client software
With the SSH server function of this device, use SSH client software (ssh client software and sftp client software) that supports SSH protocol version 2, since this device supports only SSH protocol version 2.
2.29 Application Filter Function
The application filter function controls access to each server function operating on this device. This restricts which terminals can use the server functions of this device for its maintenance, and so increases security.
2.30 TACACS+ Function
The TACACS+ function manages AAA (Authentication, Authorization, Accounting) information using an external server (TACACS+ server). When the same AAA information is required on multiple devices, or when a large amount of user information is managed, the Authentication, Authorization and Accounting information can be consolidated and managed centrally. This device supports the user authentication function and the command authorization function of the TACACS+ client function. The user authentication function performs authentication when an access user logs in to this device. The command authorization function performs authorization when an access user executes a command provided by this device.
A backup configuration or load-sharing configuration using multiple TACACS+ servers is possible with the TACACS+ client function.
The meaning of each status is as follows.
▪ alive status
The server is available. Servers are used in order of priority, the higher priority being the smaller definition value. When multiple servers have the same priority, one is selected at random.
▪ dead status
Use of the server is temporarily stopped because the TCP connection to the server failed or a request to the server timed out. While a server in 'alive' status exists, the defined priority of a dead server is not used. When the restoration standby time has elapsed, the server is automatically restored to 'alive' status. When all servers are in 'dead' status at the time of authentication or authorization, one server is tried at random, and the server from which a response is acquired is restored to 'alive' status.
Points to be noted
▪ The accounting function of the TACACS+ client function is not supported.
▪ It cannot be used simultaneously with the RADIUS client function. When both the RADIUS client function (aaa radius) and the TACACS+ client function (aaa tacacsp) are defined in an AAA group, the TACACS+ client function is disabled.
▪ When both the TACACS+ client function and user information (aaa user) are defined in an AAA group, authentication is done by the TACACS+ client function. If authentication by the TACACS+ client function fails, authentication by user information is not attempted.
▪ When the shared key definition for the TACACS+ server is omitted, the authentication and authorization data is not encrypted. Define the shared key to have the authentication and authorization data encrypted.
▪ The TACACS+ command authorization function is enabled only when the user logged in using the TACACS+ user authentication function.
▪ The authority class at the time of TACACS+ user authentication depends on whether a manager password (password admin set) is set.
▪ The TACACS+ command authorization function does not operate for Web settings or FTP/SFTP.
The commands actually executed, and the commands for which the TACACS+ command authorization function requires authorization settings, are shown below.
Executed command | Commands requiring authorization settings
diff | show running-config (when diff is executed together with running-config)
show tech-support | show (all show commands)
save | show (all show commands)
load | all configuration definition commands
The authority class at the time of authentication, depending on the existence of the manager password, is shown below.
<When the manager password does not exist>
Only the general user class is authenticated.
<When the manager password exists>
The manager class is authenticated. When that authentication fails, the general user class is authenticated.
2.31 LDAP Function
The LDAP function manages AAA (Authentication, Authorization, Accounting) information using an external server (LDAP server). If the same AAA information is required on many devices, or if a large amount of user information is to be managed, the authentication information can be consolidated and managed centrally.
This device supports the user authentication function of the LDAP client function. The user authentication function performs authentication when an access user logs in to this device.
The LDAP client function allows a backup configuration or load-sharing configuration using LDAP servers on multiple machines.
The meaning of each status is as follows.
▪ alive status
The server is available. Servers are used in order of priority, the higher priority being the smaller numerical value in the definition. When multiple servers have the same priority, one is selected at random.
▪ dead status
Use of the server is temporarily stopped because the TCP connection to the server failed or a request to the server timed out. While a server in 'alive' status exists, the defined priority of a dead server is not used. When the restoration standby time has elapsed, the server is automatically restored to 'alive' status. If all servers are in dead status at the time of authentication, one randomly selected server is tried, and the server from which a response is received is restored to alive status.
Points to be noted
▪ The LDAP client function cannot be used simultaneously with the RADIUS client function or the TACACS+ client function. When the RADIUS client function (aaa radius) or the TACACS+ client function (aaa tacacsp) is defined in an AAA group together with the LDAP client function, the LDAP client function is disabled. When both the LDAP client function and user information (aaa user) are defined in an AAA group, authentication is executed by the LDAP client function; even if authentication by the LDAP client function fails, authentication by user information is not attempted.
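The server status handling shared by sections 2.26 (RADIUS), 2.30 (TACACS+) and 2.31 (LDAP), together with the precedence and fallback rules of an AAA group, as one added example covering all three; it is illustration code, not the device's implementation. The names Server, ServerPool, effective_backend and authenticate are assumptions, as is the behaviour of moving on to another server after a request times out (the manual only states that such a server becomes 'dead') and of treating 'no response at all' like a failed authentication.

```python
# Added example (not code from the Fujitsu manual): a model of the alive/dead
# server status and the AAA group precedence described in 2.26, 2.30 and 2.31.
# Names such as Server, ServerPool, effective_backend and authenticate are
# assumptions; retrying another server after a time-out is also an assumption.
import random
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Set


@dataclass
class Server:
    name: str
    priority: int            # smaller value = higher priority
    alive: bool = True
    dead_since: float = 0.0


class ServerPool:
    def __init__(self, servers: Iterable[Server], restore_after: float,
                 rng: Optional[random.Random] = None,
                 clock: Callable[[], float] = time.monotonic):
        self.servers = list(servers)
        self.restore_after = restore_after   # the 'restoration standby time'
        self.rng = rng or random.Random()
        self.clock = clock

    def _restore_expired(self) -> None:
        now = self.clock()
        for s in self.servers:
            if not s.alive and now - s.dead_since >= self.restore_after:
                s.alive = True                # automatic return to alive status

    def pick(self, exclude: Set[str] = frozenset()) -> Optional[Server]:
        self._restore_expired()
        candidates = [s for s in self.servers if s.name not in exclude]
        alive = [s for s in candidates if s.alive]
        if alive:
            best = min(s.priority for s in alive)
            return self.rng.choice([s for s in alive if s.priority == best])
        if candidates:                        # all dead: priority is ignored
            return self.rng.choice(candidates)
        return None

    def request(self, send: Callable[[Server], Optional[bool]]) -> Optional[bool]:
        """send() returns True (accept), False (reject) or None (no response).
        A server that does not respond is marked dead; one that responds is
        restored to alive status."""
        tried: Set[str] = set()
        while True:
            s = self.pick(tried)
            if s is None:
                return None                   # nobody answered
            tried.add(s.name)
            result = send(s)
            if result is None:
                s.alive, s.dead_since = False, self.clock()
                continue                      # assumption: try another server
            s.alive = True
            return result


def effective_backend(defined: Set[str]) -> str:
    """Precedence inside one AAA group as the manual states it:
    'aaa radius' disables 'aaa tacacsp'; either of them disables LDAP."""
    for backend in ("radius", "tacacsp", "ldap"):
        if backend in defined:
            return backend
    return "user"


def authenticate(defined: Set[str], pool: ServerPool,
                 send: Callable[[Server, str, str], Optional[bool]],
                 local_users: Dict[str, str], user: str, password: str) -> bool:
    backend = effective_backend(defined)
    local_ok = local_users.get(user) == password
    if backend == "user":
        return local_ok
    result = pool.request(lambda s: send(s, user, password))
    if result is True:
        return True
    # Only RADIUS falls back to the 'aaa user' information after a failure;
    # TACACS+ and LDAP do not (treating 'no response' as a failure is an assumption).
    return backend == "radius" and "user" in defined and local_ok
```

Two points the model makes visible: a dead server does not lose its place permanently, it is skipped only while the standby time runs and while some alive server exists; and a group that defines both 'aaa radius' and 'aaa tacacsp' silently behaves as RADIUS-only, so the TACACS+ definition should be removed rather than left as a false second line of defence.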
2.32 IEEE802.1Q Tunneling Function
The IEEE802.1Q tunneling function is designed for service providers. With IEEE802.1Q tunneling, a customer's VLAN traffic can be carried across the service provider network without affecting other VLAN traffic.
In the following figure, packets sent from the customer's 802.1Q tag port to the service provider's tunnel port already carry an 802.1Q tag. When they are received by the tunnel port of the service edge and sent from the service provider's 802.1Q tag port, a second 802.1Q tag is added (double tag). Within the service provider network, switching is done on the tag added second, so the original 802.1Q tag is preserved; that added tag is removed before transmission from the tunnel port of the edge switch to the customer side switch, so no tag is added there.
Merits of introduction
When a service provider offers a WAN (Ethernet) to multiple customers, the VLAN IDs used by different customers may overlap, and the VLAN limit (4096) of the IEEE802.1Q specification may soon be exceeded. With IEEE802.1Q tunneling, the carrier-side switch adds another tag to the tagged traffic sent by the customer, so the customer's VLAN traffic can be carried as a single VLAN, which solves the problems of VLAN ID duplication and VLAN management.
Points to be noted
▪ The port cannot be used when the STP (Spanning tree) function or the LLDP (Link Layer Discovery Protocol) function is defined on it.
▪ In a VLAN to which an IEEE802.1Q tunnel port belongs, packets may be sent to the wrong destination, because the double tag is not applied on a port that is not an IEEE802.1Q tunnel port and on which 'untag' is set.
▪ On an IEEE802.1Q tunnel port, the "acl vlan" definition operates on the VLAN port on which 'untag' is set for that port.
[Figure: customer (802.1Q tag port, 802.1Q tag) -> service provider edge (802.1Q tunnel port, double tag: 802.1Q tag + 802.1Q tag) -> service provider (802.1Q tag ports) -> service provider edge (802.1Q tunnel port) -> customer (802.1Q tag port, 802.1Q tag)]
When used together with the protocol VLAN function, if a frame recognized as protocol VLAN is received on an IEEE802.1Q tunnel port, the protocol VLAN is applied to that frame and the IEEE802.1Q tunneling function is disabled for it.
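The double tag described above, applied at the tunnel port on entry to the provider network and removed again on exit, as an added example; this is illustration code, not the switch's implementation. The frames, MAC addresses and VLAN IDs are constructed, and the outer tag uses TPID 0x8100, which is an assumption because the manual does not state the TPID used on the provider side.

```python
# Added example (not code from the manual): how the double tag described above
# is pushed and popped. Frames and MAC addresses are constructed; the outer tag
# using TPID 0x8100 is an assumption, as the manual does not state the TPID.
import struct
from typing import List, Tuple

TPID = 0x8100
ETH_IPV4 = 0x0800
MAC_LEN = 6


def vlan_tag(vid: int, pcp: int = 0) -> bytes:
    """4-byte 802.1Q tag: TPID followed by PCP(3) | DEI(1) | VID(12)."""
    return struct.pack(">HH", TPID, (pcp << 13) | (vid & 0x0FFF))


def build_frame(dst: bytes, src: bytes, vids: List[int], ethertype: int, payload: bytes) -> bytes:
    tags = b"".join(vlan_tag(v) for v in vids)        # outermost tag first
    return dst + src + tags + struct.pack(">H", ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, List[int], int, bytes]:
    dst, src = frame[:MAC_LEN], frame[MAC_LEN:2 * MAC_LEN]
    pos = 2 * MAC_LEN
    vids: List[int] = []
    while struct.unpack(">H", frame[pos:pos + 2])[0] == TPID:
        tci = struct.unpack(">H", frame[pos + 2:pos + 4])[0]
        vids.append(tci & 0x0FFF)
        pos += 4
    ethertype = struct.unpack(">H", frame[pos:pos + 2])[0]
    return dst, src, vids, ethertype, frame[pos + 2:]


def tunnel_port_ingress(frame: bytes, sp_vid: int) -> bytes:
    """Edge switch, tunnel port, customer -> provider: push the provider tag in
    front of whatever the customer sent, so the customer's own tag is kept."""
    head, rest = frame[:2 * MAC_LEN], frame[2 * MAC_LEN:]
    return head + vlan_tag(sp_vid) + rest


def tunnel_port_egress(frame: bytes) -> bytes:
    """Edge switch, tunnel port, provider -> customer: pop the outer tag only."""
    _, _, vids, _, _ = parse_frame(frame)
    if not vids:
        raise ValueError("frame carries no provider tag")
    return frame[:2 * MAC_LEN] + frame[2 * MAC_LEN + 4:]


def provider_vlan(frame: bytes) -> int:
    """Inside the provider network switching looks only at the outer VID."""
    return parse_frame(frame)[2][0]


if __name__ == "__main__":
    customer = build_frame(b"\x00\x11\x22\x33\x44\x55", b"\x00\x66\x77\x88\x99\xaa",
                           [100], ETH_IPV4, b"constructed payload")
    inside = tunnel_port_ingress(customer, 200)
    print("tags inside provider:", parse_frame(inside)[2])
    print("restored for customer:", tunnel_port_egress(inside) == customer)
```

Two customers both using VLAN 100 stay separate because the provider switches on the outer VID (200 and 201 here) and never looks at the inner one; the inner tag is carried as opaque payload and comes back untouched at the far tunnel port.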
2.33 CEE Function
The CEE (Converged Enhanced Ethernet) function adds to Ethernet the extensions required to carry different types of conventional communication, such as LAN, IPC and SAN, over one network. It is used by FCoE (Fibre Channel over Ethernet), which carries the Fibre Channel protocol of a SAN (Storage Area Network) over Ethernet. This device supports the element technologies shown below as CEE functions.
ETS (Enhanced Transmission Selection)
ETS groups the flows of multiple traffic classes (Traffic Class or Priority) into traffic class groups (Traffic Class Group or Priority Group, PG) and guarantees a minimum share of bandwidth to each traffic class group by limiting the amount of traffic. It is under standardization as IEEE802.1Qaz. It is assumed that different types of communication, such as LAN, IPC and SAN, are assigned to separate traffic class groups.
DCBX (Data Center Bridging eXchange)
DCBX defines the information exchanged between peer CEE devices and is under standardization as part of ETS (IEEE802.1Qaz). Each peer advertises its ETS and PFC settings, and a process that adjusts the settings is executed. It is implemented as an LLDP extension.
PFC (Priority-based Flow Control)
The flow control function explained in section 2.2 operates at the link level; PFC extends it so that the flow of each Priority can be controlled individually, and is under standardization as IEEE802.1Qbb. For example, PFC is enabled for the Priority or PG carrying a protocol that is sensitive to frame loss, such as FCoE, and disabled for flows that favor high throughput even if some loss is accepted.
Points to be noted
▪ Although the CEE function can be enabled or disabled per port or link aggregation, bandwidth control and PFC control cannot be guaranteed for frames forwarded between a port where the CEE function is enabled and one where it is disabled, or between ports with different settings. Either make the settings uniform on all ports, or use the egress permission command or VLAN settings so that frames are not forwarded between ports where the CEE function is enabled and disabled or between ports with different settings.
▪ The CEE function cannot be used simultaneously with the mirror target function, the output rate control function or the IEEE802.1Q tunneling function. When the CEE function is defined on a port, the same port cannot be used for these.
▪ On a port where the CEE function is enabled, the queue specification and queue change function settings by ACL for the ETHER port are disabled.
▪ On a port where the CEE function is enabled, the priority control function using WRR and WDRR, the queue specification and queue change function settings by ACL for the VLAN, the link-level flow control function explained in section 2.2, and the per-priority queue settings of the qos cosmap command are ignored.
▪ When traffic class group 15 is used, traffic class group 15 is forwarded with the highest priority, and the other traffic class groups share the remaining bandwidth in the ratio of the bandwidths specified for each of them.
▪ PFC is enabled only after negotiation between the peers has been completed by DCBX.
▪ The length of the output queue for frames of a traffic class group on which PFC is enabled is not restricted, regardless of the buffermode command setting. Therefore, when many frames of a PFC-enabled traffic class group accumulate, frames of other traffic class groups or of other ports may be discarded more easily.
▪ The CEE function is effective for frames smaller than 2300 bytes. Flow control does not work effectively for larger frames, and bandwidth control may not be as expected.
▪ Although the bandwidth of a traffic class group is specified in percent, there is a limit on the ratio of the minimum and maximum bandwidth that can actually be controlled. When only 2 traffic class groups with PFC disabled are defined, the ratio of minimum to maximum bandwidth is 1:14. When only 3 traffic class groups with PFC enabled are defined, the ratio of minimum to maximum bandwidth is 1:7. Moreover, when traffic class groups with PFC disabled are defined, the ratio of minimum to maximum bandwidth is approximately 1:4. For example, when one PFC-enabled and one PFC-disabled traffic class group are defined on a 10Gbps port and their bandwidths are set to 10 and 90, they are actually controlled to 2Gbps and 8Gbps.
[Figure: server with a CNA expansion board connected to an FCoE enabled switch; LAN (IP) and SAN (Fibre Channel) traffic carried over one link as IP and FCoE, with DCBX exchanged between the peers]
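What the ratio limit stated above does to a two-group bandwidth setting, as an added example; this is illustration code, not the device's scheduler. The rule it applies, raising the smaller group to 1/(limit+1) of the link and giving the larger group the rest, is my reading of the 10/90 to 2Gbps/8Gbps example in the manual and is an assumption, as are the constant and function names.

```python
# Added example (not the device's code): effect of the minimum:maximum ratio
# limit on two traffic class groups. The clamping rule below is an assumption
# consistent with the manual's 10/90 -> 2Gbps/8Gbps example.
from typing import Tuple

RATIO_LIMIT_2_GROUPS_PFC_OFF = 14   # only 2 groups, PFC disabled on both
RATIO_LIMIT_3_GROUPS_PFC_ON = 7     # only 3 groups, PFC enabled on all
RATIO_LIMIT_MIXED = 4               # PFC-disabled groups defined otherwise (approximate)


def effective_two_group_split(pct_a: float, pct_b: float, ratio_limit: int) -> Tuple[float, float]:
    """Return (smaller, larger) percentages actually enforced for two traffic
    class groups; the configured split is kept unless it exceeds 1:ratio_limit."""
    small, large = sorted((pct_a, pct_b))
    total = small + large
    if small > 0 and large / small <= ratio_limit:
        return small, large
    small = total / (ratio_limit + 1)           # smallest share the hardware can give
    return small, total - small


def effective_bandwidth_gbps(link_gbps: float, pct_a: float, pct_b: float,
                             ratio_limit: int) -> Tuple[float, float]:
    small, large = effective_two_group_split(pct_a, pct_b, ratio_limit)
    return link_gbps * small / 100, link_gbps * large / 100


if __name__ == "__main__":
    # The manual's example: PFC-enabled + PFC-disabled group, 10/90 on a 10Gbps port
    print(effective_bandwidth_gbps(10, 10, 90, RATIO_LIMIT_MIXED))   # 2 Gbps and 8 Gbps
```

The practical consequence: a small SAN or LAN share configured below the limit is silently raised, and the larger group gets less than it was configured for, so the configured percentages should be chosen within the ratio the hardware can enforce.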
2.34 Edge virtual switch function
The edge virtual switch (Edge Virtual Bridging) function is needed in the switch adjacent to a server in a server virtualization environment. In such an environment a virtual switch running on the server virtualization software switches the communication between virtual machines, so the adjacent switch must process traffic according to the type of virtual switch. This device supports the following element technologies as the edge virtual switch function.
▪ Virtual Ethernet Bridge (VEB)
Communication between virtual machines on the same physical machine is switched by the virtual switch running in the virtualization software.
▪ Virtual Ethernet Port Aggregator (VEPA)
A technology that offloads the processing of the virtual switch to the external physical switch. The physical switch identifies each virtual machine by its MAC address, and frames addressed to a virtual machine on the same physical server are sent back on the receiving port by reflective relay.
Points to be noted
▪ When the STP (spanning tree) function is defined, that port cannot be used.
▪ When the function is to be defined on a link aggregation, define it identically on all ports that constitute the link aggregation.
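The forwarding difference between an ordinary bridge port and a port on which VEPA reflective relay is enabled, as an added example; this is illustration code, not the switch's implementation. The class name EdgeSwitch, the port numbers and the MAC addresses are constructed for the example.

```python
# Added example (not code from the manual): a normal bridge port versus a port
# with VEPA reflective relay, as described above. EdgeSwitch, the port numbers
# and the MAC addresses are constructed for this illustration.
from typing import Dict, List, Set


class EdgeSwitch:
    def __init__(self, ports: List[int], reflective_relay_ports: Set[int] = frozenset()):
        self.ports = list(ports)
        self.reflective_relay = set(reflective_relay_ports)   # ports facing a VEPA server
        self.mac_table: Dict[bytes, int] = {}                  # learned MAC -> port

    def forward(self, in_port: int, src: bytes, dst: bytes) -> List[int]:
        """Return the list of ports the frame is sent out of."""
        self.mac_table[src] = in_port                          # MAC address learning
        out = self.mac_table.get(dst)
        if out is None:
            # Unknown destination: flood. A standard bridge never sends a frame
            # back on its ingress port; with reflective relay it does, because
            # the destination VM may sit behind that same port.
            flood = [p for p in self.ports if p != in_port]
            if in_port in self.reflective_relay:
                flood.append(in_port)
            return flood
        if out == in_port:
            # Destination learned behind the ingress port: a VEB would have
            # switched this locally, so a normal bridge port drops it; a VEPA
            # port hairpins it back (reflective relay).
            return [in_port] if in_port in self.reflective_relay else []
        return [out]


if __name__ == "__main__":
    vm_a = b"\x02\x00\x00\x00\x00\x0a"   # constructed locally administered MACs
    vm_b = b"\x02\x00\x00\x00\x00\x0b"
    sw = EdgeSwitch([1, 2, 3], reflective_relay_ports={1})
    sw.forward(1, vm_b, vm_a)            # VM B announces itself behind port 1
    print("VM A -> VM B via VEPA port 1:", sw.forward(1, vm_a, vm_b))   # [1]
```

Because every inter-VM frame now passes through the physical switch, ACL, QoS and monitoring applied at that port see traffic a VEB would have kept inside the server; the hairpin return is the price, so the port must be configured for reflective relay, and, as the notes above say, identically on every member of a link aggregation.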