Netgear 7000 Series Managed Switch
GSM7312/GSM7324/FSM7326P/GSM7224/GSM7212
Background
» Why is a non-blocking architecture important?
• Blocking architectures drop traffic when over-subscribed (over-capacity)
• Dropping traffic at higher speed means more data lost or more users
affected
• Data loss in the core of the network is a critical failure
» What is L3 switching?
• Routing done in a switch
• Cheaper and faster than traditional routers
» When/Why use L3 switching?
• Companies > 100 users
• Flat networks bogging down on traffic
• Need to segment network to improve performance
» VLAN
» Sub-networks
» How is it different from L2?
• L2 uses MAC addresses, limited to one IP network
• L3 uses IP addresses, can route to any IP network
© .1996-2004 NETGEAR® . All rights reserved
Layer 2 segmentation - VLAN (figure)
Layer 3 segmentation - IP Subnetting (figure)
Layer 2 vs. Layer 3 features
Layer 2 features
» SNMP – tested with OpenView
» RMON (groups 1, 2, 3 and 9)
» 802.3x flow control
» Up to 512 static VLAN groups (IEEE 802.1Q)
» Protocol Based VLAN
» 802.3ad LACP
» Spanning Tree (IEEE 802.1D)
» Rapid Spanning Tree (IEEE 802.1w)
» Multiple Spanning Tree (IEEE 802.1s)
» Port Mirroring
» DHCP/Bootp Client for automatic IP address setup
» 802.1x port based security
» Broadcast Storm control
» IGMP Snooping
Layer 3 features
» IP Routing
» RIP I, II (Routing Information Protocol)
» OSPF V2 (Open Shortest Path First)
» VRRP (Virtual Router Redundancy Protocol)
• Eliminates single point of failure
» DiffServ
» ACL
Application
Figure: FVL328, FSM726, GSM712, FSM726S/FSM750S
» Core of Network
• Sits between WAN device and LAN
• Hang as many GSM7xx or FSM7xx switches on it as necessary
GSM7212
» 12 Gigabit Ethernet ports.
» Each port supports an optional hot-swappable SFP GBIC slot for fiber connection.
» Full Layer 2 management suite.
GSM7224
» 24 Gigabit Ethernet ports.
» 4 SFP GBIC slots for fiber connection.
» Full Layer 2 management suite.
GSM7224 Competitive chart
NETGEAR clearly provides the best value!
| | Netgear GSM7224 | 3Com SuperStack 3 3824 | D-Link DGS-3224TG | Dell PowerConnect 5224 |
| List Price | $1,425 | $2,795 | $2,199 | $1,600 |
| Distribution Price | $999 | $1,889 | $1,389 | (not in transcript) |
| Cost per Port | $42 | $79 | $58 | $62 |
| Copper Gigabit ports | 24 | 24 | 20 | 24 |
| GBIC/SFP Module slots | 4 | 4 | 4 | 4 |
| Bandwidth | 48Gbps (non-blocking) | 48Gbps (non-blocking) | 48Gbps (non-blocking) | 48Gbps (non-blocking) |
| MAC Addresses | 4,000 | 16,000 | 32,000 | 8,000 |
| MTBF | (not in transcript) | 40,000 | not clear | not clear |
| L2 Management | Yes | Yes | * | Yes |
| L3 Management | No | No | * | No |
| VLAN | Yes | Yes | * | Yes |
| Port Trunking | Yes | Yes | * | Yes |
| Traffic Prioritization (QoS) | Yes | Yes | * | Yes |
| DiffServ | Yes | Yes | * | No |
| Spanning Tree | Yes | Yes | * | Yes |
| Rapid Spanning Tree | Yes | Yes | * | Yes |
| SNMP & RMON | Yes | Yes | * | Yes |
| Warranty | 5 Years | Limited Lifetime | Limited Lifetime (5 yr) | 1 year |
| Warranty power supply | 5 Years | Limited Lifetime | 3 years | 1 year |
* The transcript lists only eight values for the D-Link column across these nine feature rows (Yes, No, Yes, Yes, Yes, Yes, No, Yes, in that order), so the row each value belongs to cannot be recovered.
Notes:
GBIC is a standard for Gigabit Ethernet Modules.
SFP is Small Form-factor Pluggable, a.k.a. mini GBIC. It is a smaller version of the GBIC module, used with SFP slots.
The GBIC ports on the GSM7224 are shared with the built-in Copper Gigabit ports, so that there are only two gigabit ports functional at one time.
GSM7312
» 12 Gigabit copper/GBIC combo ports.
» Full Layer 3 management suite.
GSM7312 Competitive chart
Get more FLEXIBILITY and FUNCTIONALITY for your money
| | NETGEAR GSM7312 | 3Com SuperStack 3 4900 | Cisco 3550-12T | D-Link DGS-3308TG |
| List Price | $2,550 | $3,995 | $9,995 | $3,499 |
| Cost per Port | $213 | $333 | $1,000 | $583 |
| 10/100/1000 Mbps ports | 12 | 12 | 10 | 6 |
| Module slots | 12 SFP (shared) | 4G module | 2 GBIC | 2 GBIC |
| Height | 1U | 1U | 1.5U | 1U |
| Bandwidth/backplane | 24 Gbps | 56 Gbps | 32 Gbps | 16 Gbps |
| Packet forwarding | 17 Mpps | 23 Mpps | 17 Mpps | 12 Mpps |
| Packet buffer memory | 1.5 MB | Not Specified | 4 MB | Not Specified |
| # of priority queues | 8 | 4 | 4 | 4 |
| MTBF | 166,000 | 326,000 | 114,000 | Not Specified |
| MAC Addresses | 8,000 | 12,000 | 12,000 | 8,000 |
| L2 Management | Yes | Yes | Yes | Yes |
| DiffServ | Yes | Yes | Yes | No |
| Policy Based QoS | Yes | Not clear | Yes | No |
| Access Control Lists (ACL) | Yes | Yes | Yes | No |
| Layer 4 prioritization | Yes | No | Yes | No |
| 802.1x | Yes | No | Yes | No |
| Link Aggregation | Yes | Yes | Yes | Yes |
| VLAN | Yes | Yes | Yes | Yes |
| Rate Limiting | Yes | No | Yes | No |
| Rapid Spanning Tree | Yes | Yes | Yes | No |
| Multiple Spanning Tree | Yes | No | Yes | No |
| Broadcast Control | Yes | Yes | Yes | Yes |
| Jumbo Frames | No | No | Yes | No |
| RIP I/RIP II | Yes | Yes | Yes | Yes |
| OSPF | Yes | No | Yes | Yes |
| BGP, DVMRP, PIM-DM/SM | No | No | Yes | No |
| IPv6 | No | No | Yes | No |
| Routing Redundancy | VRRP | XRN | HSRP | ESRP |
| Warranty | 5 years | Lifetime (5 years after EOL) | Lifetime | Lifetime (5 years after EOL) |
| Warranty power supply | 5 years | Lifetime (5 years after EOL) | Lifetime | 3 years |
GSM7324
» 24 Gigabit Ethernet ports.
» 4 optional hot-swappable SFP GBIC slots for fiber connection.
» Full Layer 3 management suite.
GSM7324 Competitive chart (figure)
FSM7326P
» 24 10/100 Fast Ethernet ports.
» 2 optional hot-swappable SFP GBIC slots for fiber connection.
» IEEE 802.3af Power-over-Ethernet support.
• 170W of PoE for Powered Devices (PD) such as:
» 24 VoIP phones
» 15 WG302 Access Points
» 10 IP Video cameras (drawing full power)
FSM7326P Competitive chart (figure)
GSM7312 Performance Specifications
» Forwarding modes: Store-and-forward
» Bandwidth: 24Gbps
» Switch latency: < 20 microseconds for 64-byte frames
» System memory: 128Mb
» Packet buffer memory: 122 KB embedded memory per port
» Flash: 16Mb
» Address database size: 16000 MAC addresses
» Addressing: 48 bits
GSM7324 Performance Specifications
» Forwarding modes: Store-and-forward
» Bandwidth: 40Gbps
» Switch latency: < 20 microseconds for 64-byte frames
» System memory: 128Mb
» Packet buffer memory: 122 KB embedded memory per port
» Flash: 16Mb
» Address database size: 16000 MAC addresses
» Addressing: 48 bits
FSM7326P Performance Specifications
» Forwarding mode: Store and forward.
» Bandwidth: 8.8 Gbps (non-blocking).
» Switch latency: < 20 microseconds for 64-byte frames.
» System memory: 128MB.
» Packet buffer memory: 32MB.
» Flash: 16M.
» Address database size: 8000.
GSM7212 Performance Specifications
» Forwarding mode: Store and forward.
» Bandwidth: 24 Gbps (non-blocking).
» Switch latency: < 20 microseconds for 64-byte frames.
» System memory: 64MB.
» Packet buffer memory: 171 KB per port.
» Flash: 8M.
» Address database size: 8000.
» Number of VLANs: 256
» Number of trunks: 6
» Number of queues: 4
GSM7224 Performance Specifications
» Forwarding mode: Store and forward.
» Bandwidth: 48 Gbps (non-blocking).
» Switch latency: < 20 microseconds for 64-byte frames.
» System memory: 64MB.
» Packet buffer memory: 122 KB per port.
» Flash: 8M.
» Address database size: 8000.
» Number of VLANs: 228
» Number of trunks: 6
» Number of queues: 4
GSM7312 System Specifications
» Number of VLANs: 228
» Maximum VLAN ID: 4096
» Number of 802.1p traffic classes: 8
» Number of trunks (up to 8 ports): 6
» Number of routes: 512
» Number of routed VLANs: 24
» Number of ARP entries: 2048
» Number of ACLs (and entries) with 10 entries/rule: 100
» Number of queues used for DiffServ: 8
» Maximum rules per class: 8
» Maximum instances per policy: 10
» Maximum attributes per instance: 1
» Maximum service interfaces: 48
GSM7324 System Specifications
» Number of VLANs: 228
» Maximum VLAN ID: 4096
» Number of 802.1p traffic classes: 4
» Number of trunks (up to 8 ports): 6
» Number of routes: 512
» Number of routed VLANs: 24
» Number of ARP entries: 2048
» Number of ACLs (and entries) with 10 entries/rule: 100
» Number of queues used for DiffServ: 4
» Maximum rules per class: 8
» Maximum instances per policy: 10
» Maximum attributes per instance: 1
» Maximum service interfaces: 48
FSM7326P System Specifications
» Number of MAC addresses: 8000
» Number of VLANs: 228
» Maximum VLAN ID: 4096
» Number of 802.1p traffic classes: 4
» Number of trunks (up to 8 ports): 6
» Number of routes: 16
» Number of routed VLANs: 6
» Number of ARP entries: 2047
» Number of ACLs (and entries) with 10 entries/rule: 100
» Number of queues used for DiffServ: 2
» Maximum rules per class: 8
» Maximum instances per policy: 10
» Maximum attributes per instance: 8
» Maximum service interfaces: 16
GSM7324 Front Panel (figure)
GSM7312 Front Panel (figure)
FSM7326P Front Panel (figure)
GSM7212 Front Panel (figure)
GSM7224 Front Panel (figure)
Firmware
» Version 2
» Version 3
• New CLI
• Jumbo Frame support
• Static LAG support
• DHCP Server
Configurations
Management Interface
» Three ways to manage the switch:
• Command Line Interface
• Web Browser Interface
• SNMP Access
» All three:
• Provide access to the same information and functions
• Grant access via user accounts
• Use a Management VLAN with a default ID of 1
» The CLI is accessible via telnet and the serial port
• Baud rate: 9600 bps
• Data bit: 8
• Parity: None
• Stop bit: 1
• Flow Control: None
User Account
» To access the switch via CLI, Web or SNMP you must log in as a user
» Two kinds of user:
• READWRITE user:
» Has the authority to do anything on the system
» There is one READWRITE user who is always enabled
» The default READWRITE user name is admin
• READONLY users:
» Can view but not change data
» There can be up to five READONLY users
» The default READONLY user name is guest
» SNMP user accounts are separate from CLI and Web accounts
Setting up user accounts
» Access the switch via the serial port
• Log in the first time using the admin account
• By default there is no password
• Set up a password for the admin account
» Create additional accounts
• Create additional READONLY user accounts and password protection as required
• Create SNMP user accounts and password protection as required
» For greater security specify encryption for account access – Secure HTTP/SSH.
Configurable management VLAN
» Configurable Management VLAN:
• The Management VLAN is used to manage the switch over a network
• Only one Management VLAN may be associated with a switch
• The default Management VLAN ID is 1
• Applies to all network connections
» Web, telnet and SNMP
• Does not apply to the service port or any routing interfaces
• Provides additional control over switch access
Command Line Interface
» Access via the serial port or by telnet
• Answer the login prompts with a user name and password (blank if
none has been set)
» CLI commands follow the industry-standard (IS) format
• A list of commands is available by typing ? at the prompt
• Command help is available by typing the command name followed
by ?
CLI Modes
The IS-CLI is divided into various modes. The commands available to the operator at any point in time depend upon the mode.
At login, the user starts in User Exec Mode. A password is required to enter any other mode.
• User Exec Mode
• Privileged Exec Mode – en
• Global Config Mode – config
• Vlan Mode – vlan database
• Interface Config Mode – interface x/x
• Line Config Mode
• Policy Map Mode
• Policy Class Mode
• Class Map Mode
• Router Config OSPF Mode
• Router Config RIP Mode
• Router Config BGP Mode
• Bandwidth Provisioning Mode
• Bwprovisioning - Trafficclass Mode
• Bwprovisioning - BWAllocation Mode
• DHCP Pool Configuration Mode – ip dhcp pool <name>
CLI Tree Structure
Figure: flowchart of the CLI mode tree. ROOT leads to User Exec; "Enable" prompts for a password ("Passwd Correct?"): No returns to the Exec prompt, Yes enters Privileged mode. Further nodes shown: VLAN, Bwp, Global Config, Class Map, Circuit Config, Interface, Policy Map, Line Config, Router Config, IP Config. Note on the figure: User Exec commands are also accessible in Privileged Exec mode.
CLI conventions
» Some commands take no parameters:
• e.g. show inventory, or snmp-server enable traps
» Most commands take parameters:
• Parameters are positional and must be entered in the correct order
• Required parameters (in angle brackets <>) precede optional parameters (in square brackets [])
• Use of {} indicates a choice of required values
» Begin comments with #
» Reverse the action of a command
• no <command>
• e.g. "no vlan 100" # Remove vlan 100
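The notation above lends itself to a small pre-flight check: a script that validates a line of configuration against its syntax template before it is sent to the switch, so a mistyped parameter or a stray "no" is caught before it changes a VLAN. The checker below is an added example written for this page, not Netgear's code; the templates it is exercised with are taken from later slides of this deck, and the function names are this example's own.

```python
import re

# Recognises the syntax notation used in the slides:
#   keyword        literal word, matched exactly
#   <name>         required parameter, any single word
#   <lo-hi>        required integer parameter within [lo, hi]
#   [ ... ]        optional parameter (must follow all required ones)
#   {a | b | c}    required choice between literal values
#   [no] prefix    the command can be reversed with "no"
RANGE_RE = re.compile(r"^<(\d+)-(\d+)>$")
TOKEN_RE = re.compile(r"\{[^}]*\}|\[[^\]]*\]|\S+")


def parse_template(template):
    """Split a syntax template into (kind, spec, optional) slots."""
    slots = []
    for raw in TOKEN_RE.findall(template):
        optional = raw.startswith("[") and raw.endswith("]")
        tok = raw[1:-1].strip() if optional else raw
        m = RANGE_RE.match(tok)
        if tok.startswith("{") and tok.endswith("}"):
            slots.append(("choice", [c.strip() for c in tok[1:-1].split("|")], optional))
        elif m:
            slots.append(("range", (int(m.group(1)), int(m.group(2))), optional))
        elif tok.startswith("<") and tok.endswith(">"):
            slots.append(("param", tok[1:-1], optional))
        else:
            slots.append(("keyword", tok, optional))
    # Slide rule: required parameters precede optional ones.
    seen_optional = False
    for _, _, optional in slots:
        if optional:
            seen_optional = True
        elif seen_optional:
            raise ValueError("required slot after an optional slot: " + template)
    return slots


def slot_matches(kind, spec, tok):
    """Does one typed token satisfy one template slot?"""
    if kind == "keyword":
        return tok == spec
    if kind == "choice":
        return tok in spec
    if kind == "range":
        return tok.isdigit() and spec[0] <= int(tok) <= spec[1]
    return True  # free-form <parameter>


def validate(template, line):
    """Check one command line against a template; returns (ok, message).

    Text after '#' is a comment and is ignored, as the slide states.
    """
    negatable = template.startswith("[no] ")
    slots = parse_template(template[5:] if negatable else template)
    tokens = line.split("#", 1)[0].split()
    negated = False
    if tokens and tokens[0] == "no":
        if not negatable:
            return False, "this command has no 'no' form"
        negated = True
        tokens = tokens[1:]
    pos = 0
    for kind, spec, optional in slots:
        if pos >= len(tokens):
            if optional:
                continue
            return False, "missing required %s %s" % (kind, spec)
        if not slot_matches(kind, spec, tokens[pos]):
            return False, "bad value %r for %s %s" % (tokens[pos], kind, spec)
        pos += 1
    if pos < len(tokens):
        return False, "unexpected trailing input: " + " ".join(tokens[pos:])
    return True, "reversed with no" if negated else "ok"


if __name__ == "__main__":
    print(validate("network parms <ipaddr> <netmask> [<gateway>]",
                   "network parms 10.0.0.5 255.255.255.0"))
    print(validate("[no] vlan <2-4094>", "no vlan 100 # Remove vlan 100"))
```

Nested braces such as the speed command's {{100 | 10} {half-duplex | full-duplex} | 1000 full-duplex} are beyond this flat tokenizer; it covers the keyword, <>, [] and {} cases the slide describes.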
CLI shortcuts
» When enough letters of a command are typed to uniquely
identify it, the command may be:
• Executed by typing <enter> (command abbreviation)
• Completed by typing the <tab> or <space bar> (command
completion)
» The system stores the last 16 commands executed -- access
by typing the <up-arrow-key>
» Help is accessed by entering a question mark
Network connectivity via CLI
» Specify IP address information:
• Privileged Exec Mode
» network parms <ipaddr> <netmask> [<gateway>]
» Specify MAC address type and local address if not using the burned-in
address:
• Privileged Exec Mode:
» network mac-type {local | burnedin}
» network mac-address <macaddr>
» Set Management VLAN Id:
• Privileged Exec Mode:
» network mgmt_vlan <1-4094> -- default 1
» Display settings:
• Privileged and User Exec Mode:
» show network
Web Interface
» http://<management_IP_address>
» Access using any web browser (e.g. Microsoft Explorer or
Netscape)
» Use the IP address of the switch as the URL
» Type the user account name in the login pop-up box
» Provide a password if one has been defined
Using web interface
» Navigate using the menus in the left side panel
» Pop-up messages are used on the screen as feedback for incorrect input, failed submissions, successful submissions, etc.
» Help text is available by clicking on the "help" button
» If Java is enabled (on the Network Connectivity panel) a picture of the switch is shown – click on a port to bring up the Port Configuration panel
Java Applet (figure)
SNMP
» Access using a network control station
» Agent supports SNMPv1, SNMPv2 and SNMPv3
» SNMP user accounts are similar to CLI/Web accounts
• A password may be defined
• Authentication is available:
» MD5
» SHA
• Encryption is available:
» DES
SNMP structure (figure)
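What "authentication: MD5 or SHA" and "encryption: DES" mean for an SNMPv3 user account is that the password itself is never sent: it is hashed into a key and then localized to the agent's engine ID, so a key recovered from one switch is useless against another. The following is an added example, not code from the slides or from Netgear's firmware, implementing the RFC 3414 password-to-key and key-localization steps with Python's hashlib; the password, engine ID and expected values in the usage are the RFC 3414 appendix A test vectors.

```python
import hashlib

# RFC 3414 appendix A.2: the password is repeated until 1,048,576 bytes have
# been fed to the hash.  "md5" and "sha1" are the two algorithms the slide
# lists for SNMPv3 authentication.
ONE_MEGABYTE = 1048576


def password_to_key(password, algorithm):
    """Ku: the user's non-localized key derived from the password."""
    if not password:
        raise ValueError("empty password")
    pw = password.encode()
    stream = (pw * (ONE_MEGABYTE // len(pw) + 1))[:ONE_MEGABYTE]
    return hashlib.new(algorithm, stream).digest()


def localize_key(ku, engine_id, algorithm):
    """Kul = H(Ku || snmpEngineID || Ku): the key actually used with one agent."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def usm_keys(password, engine_id, algorithm="md5"):
    """Return (Ku, Kul) for a user on the agent identified by engine_id."""
    ku = password_to_key(password, algorithm)
    return ku, localize_key(ku, engine_id, algorithm)


def des_key_and_pre_iv(kul):
    """RFC 3414 section 8.1.1.1: for DES privacy the first 8 octets of the
    16-octet localized key are the DES key and the next 8 are the pre-IV
    (for SHA the 20-octet Kul is truncated to its first 16 octets)."""
    if len(kul) < 16:
        raise ValueError("need at least 16 octets of localized key")
    return kul[:8], kul[8:16]


if __name__ == "__main__":
    # Engine ID and password from the RFC 3414 appendix A test vectors.
    engine = bytes.fromhex("000000000000000000000002")
    for alg in ("md5", "sha1"):
        ku, kul = usm_keys("maplesyrup", engine, alg)
        print(alg, "Ku", ku.hex(), "Kul", kul.hex())
```

The localization step is the reason the same SNMPv3 user configured on several switches still ends up with a different key on each; an operator who reuses one password across the fleet still gets per-device keys, but the password itself is the single secret to protect.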
MIBs
» RFC 1213 -- Interfaces MIB
» RFC 1493 -- Bridge MIB
» RFC 1643 -- Ethernet MIB
» RFC 1657 -- BGP4 MIB
» RFC 1724 -- RIP Version 2 MIB
» RFC 1850 -- OSPF Version 2 MIB
» RFC 2233 -- Interfaces Group MIB
» RFC 2674 -- VLAN Bridge MIB
» RFC 2787 -- Virtual Router Redundancy Protocol
» RFC 2819 -- RMON MIB
» RFC 2932 -- IPv4 Multicast Routing MIB
» RFC 2933 -- IGMP MIB
» RFC 2934 -- PIM MIB
» RFC 3289 -- Differentiated Services MIB
» IEEE 802.3 Annex 30c -- Link Aggregation
» Plus LVL7 enterprise MIB
» Draft DVMRP
RMON
» SNMP includes an RMON agent.
» Supports the RMON MIB, RFC 2819
• Group 1 – Statistics
• Group 2 – History
• Group 3 – Alarm
• Group 9 – Event
» No configuration parameters are required.
» All communication is via USMDB.
Initial Setup
» Default – DHCP
» CLI
» Web interface
Initial Setup - CLI
» Management IP
» Default – DHCP
» Configure static IP
• network protocol none (turn off DHCP)
• network parms <IP address> <IP subnet> <gateway>
» Save configuration
• copy system:running-config nvram:startup-config
» Show current firmware version
• en
• show hardware
Initial Setup (figure)
Initial Setup - Web (figure)
Flow Control
» Flow Control
• Flow control is used to temporarily suspend transmission of data to
a device to avoid overloading its receive path
• Flow control is implemented as specified in IEEE 802.3 Annexes
31A and 31B (formerly IEEE 802.3x)
• Flow control is configurable for:
» The entire switch via CLI, Global Config mode:
[no] storm-control flowcontrol
» The entire switch via SNMP:
agentSwitchDot3FlowControlMode
» Each port via SNMP (not for Switchcore CXE)
agentPortDot3FlowContolMode
Broadcast Storm Recovery
» Broadcast Storm Recovery, by port speed:
• Broadcast traffic is checked against the high threshold
• If exceeded, broadcast traffic is discarded until traffic diminishes to the low threshold
» CLI -- [disable] enable in Global Config mode:
» [no] switchconfig stormcontrol broadcast
» Broadcast Storm Thresholds:
| Link Speed | High | Low |
| 10 Mbps | 20% | 10% |
| 100 Mbps | 5% | 2% |
| 1000 Mbps | 5% | 2% |
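An added example, not from the slides, showing the hysteresis that the high/low threshold pairs imply: a port starts discarding broadcast traffic when an interval's broadcast load exceeds the high threshold and only resumes forwarding once the load has dropped to the low threshold, which keeps the port from flapping between the two states. The thresholds are copied from the table above; the strict/non-strict comparisons, the per-interval sampling and all names are assumptions of this example.

```python
# Threshold pairs (high %, low %) per link speed, copied from the slide's table.
THRESHOLDS = {10: (20, 10), 100: (5, 2), 1000: (5, 2)}


def broadcast_share(broadcast_bytes, interval_s, link_speed_mbps):
    """Broadcast load in one measurement interval as a percentage of link capacity."""
    capacity_bits = link_speed_mbps * 1_000_000 * interval_s
    return broadcast_bytes * 8 / capacity_bits * 100


class BroadcastStormControl:
    """Per-port state machine with hysteresis.

    Assumptions made for this example: "exceeded" means strictly above the
    high threshold, recovery happens once the load is at or below the low
    threshold, and each call to observe() is one measurement interval.
    """

    def __init__(self, link_speed_mbps):
        if link_speed_mbps not in THRESHOLDS:
            raise ValueError("no thresholds defined for %s Mbps" % link_speed_mbps)
        self.high, self.low = THRESHOLDS[link_speed_mbps]
        self.discarding = False
        self.transitions = []   # (interval index, new state), for an operator log

    def observe(self, interval_index, broadcast_pct):
        """Return True when broadcast traffic is discarded in this interval."""
        if not self.discarding and broadcast_pct > self.high:
            self.discarding = True
            self.transitions.append((interval_index, "discarding"))
        elif self.discarding and broadcast_pct <= self.low:
            self.discarding = False
            self.transitions.append((interval_index, "forwarding"))
        return self.discarding


def run_samples(link_speed_mbps, samples):
    """Feed a sequence of per-interval broadcast percentages; return the
    discard decision for each interval and the transition log."""
    ctl = BroadcastStormControl(link_speed_mbps)
    decisions = [ctl.observe(i, pct) for i, pct in enumerate(samples)]
    return decisions, ctl.transitions


if __name__ == "__main__":
    # Constructed sample: a 100 Mbps port whose broadcast load spikes to 6 %
    # and then drains back below the 2 % low threshold.
    print(run_samples(100, [1, 3, 6, 4, 3, 2, 1, 6]))
```

Note that the intervals at 4 % and 3 % are still discarded even though they are below the 5 % high threshold; that gap between the two thresholds is the whole point of the table.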
Flow control / Broadcast Storm (Web Admin, figure)
Port Configuration
» Set port speed and type or have the ports auto-negotiate:
• Global Config mode:
» speed all {{100 | 10} {half-duplex | full-duplex} | 1000 full-duplex}
» [no] auto-negotiate all
• Interface Config mode:
» speed {{100 | 10} {half-duplex | full-duplex} | 1000 full-duplex}
» [no] auto-negotiate
» Set maximum transmission unit size:
• Interface Config mode:
» [no] mtu <1572-9216>
» Allows for jumbo frames
With firmware version 3.0.3.2 or above, the switches support setting the port speed to 1000M full duplex for copper connections. Fiber connections have to be auto-negotiated.
Port Configuration (Web admin, figure)
Jumbo Frame (version 3 only)
» Jumbo Frame Support
• Allows packets longer than the maximum defined in IEEE 802.3 to
be received and transmitted
• Useful for certain applications -- e.g. Network File Support
• May be necessary for DVLAN tagging
• Extends the maximum Ethernet frame size from 1518 (1522 with
VLAN tag) to 9216 bytes
• All devices in the same broadcast domain should support the
same maximum frame size
• Platform-dependent
Frame size management
» Interface Config Mode command:
• Set the maximum frame size for an interface
» mtu <1522-9216>
» Privileged Exec Mode command:
• Display the current frame size for an interface
» show interface ethernet <slot/port>
Port Mirroring
» Any Ethernet port can be used as a probe port by an external
network monitor
» The probe port transmits a copy of the traffic being mirrored,
although not at media speed
» The probe port no longer participates in the network, nor in any
network protocols
» No standards or RFCs apply
• The Enterprise Switching MIB is used to support this feature
Port Mirroring Specifications
» Only one probe port that will mirror only one mirrored port
• Probe port and mirrored port cannot be the same port
• LAG interfaces or LAG members cannot be probe or mirrored
ports
• CPU port cannot be probe or mirrored port
» End user configuration is not preserved when a probe is
“deconfigured” as a probe port
» Cannot mirror traffic to/from the internal bridge/router interface
» Directional mirroring, i.e. monitoring only the receive path or the
transmit path, is not supported
Port Mirroring CLI
» Global Config Mode commands:
• Configure probe port and mirrored port
» monitor session source <slot/port> destination <slot/port>
• Then enable mirroring for box
» monitor session mode
• To disable the probe and mirrored ports
» [no] monitor session
• Then disable mirroring for the box
» [no] monitor session mode
• Add probe port back to any VLANs
» Privileged Exec Mode command to display mode and ports:
» show monitor
Port Mirroring (Web admin, figure)
DHCP Server – Web config (figure)
DHCP Server – Pool Config: Manual Binding (figure)
DHCP Server – Pool Config: Dynamic Binding (figure)
When using dynamic binding, make sure the pool's network number and mask lie in the same subnet as the system's IP/netmask or as one of the routing interfaces' IP/netmask.
DHCP Server – Reset Config (figure)
DHCP Server – Binding Info (figure)
DHCP Server – Server Stat (figure)
VLAN
» Allows a network to be logically segmented without regard to the physical location of devices on the network.
» One physical network becomes multiple logical networks.
» The logical networks may (but need not) correspond to subnets.
» Segmentation provides:
• Better administration
• Better security
» The VLAN tag in frames optionally carries priority information.
» Traffic between VLANs must be routed.
VLAN
» IEEE 802.1Q VLAN support:
• Allows a network to be logically segmented without regard to the physical location of devices on the network
• One physical network becomes multiple logical networks
• The logical networks may (but need not) correspond to subnets
• Segmentation provides:
» Better administration
» Better security
» Better management of multicast traffic
» While maintaining Layer 2 forwarding speed
• The VLAN tag in frames optionally carries priority information
• Traffic between VLANs must be routed
VLAN implementation
» IEEE 802.1Q VLAN Support
• Standard established method to insert VLAN tag into Ethernet
frame to specify VLAN membership.
• Ports may belong to multiple VLANs
• VLAN membership may be based on port or protocol
• 802.1p can be optionally added to specify priority.
• When an individual port is added to a LAG any VLAN membership is suspended; membership is automatically restored if the port is removed from the LAG.
802.1Q Tagged VLAN
Figure: untagged Ethernet frame – Destination | Source | Length/Type | Data
Figure: 802.1Q tagged frame – Destination | Source | TPID | TCI | Length/Type | Data, where the TCI is split into Priority, CFI and VLAN ID
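As an added example for the frame layout above (this code is not part of the slides), the following parses the Ethernet header, detects the 0x8100 TPID and splits the TCI into its priority (3 bits), CFI (1 bit) and VLAN ID (12 bits) fields; it can also build the tagged form of a frame. The sample frame is constructed here, and the untagged / priority-tagged / VLAN-tagged distinction it reports is the one the later VLAN slides use at ingress.

```python
import struct

TPID_8021Q = 0x8100


def parse_frame(frame):
    """Decode the Ethernet header and, if present, the 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    length_type = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False,
            "priority": None, "cfi": None, "vlan_id": None}
    offset = 14
    if length_type == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        info.update(tagged=True, priority=tci >> 13, cfi=(tci >> 12) & 1,
                    vlan_id=tci & 0x0FFF)
        # The original Length/Type field follows the 4-byte tag.
        length_type = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    info["length_type"] = length_type
    info["payload"] = frame[offset:]
    return info


def tag_kind(info):
    """Untagged, priority-tagged (VID 0) or VLAN-tagged: the three cases the
    ingress rules treat differently."""
    if not info["tagged"]:
        return "untagged"
    return "priority-tagged" if info["vlan_id"] == 0 else "vlan-tagged"


def insert_tag(frame, vlan_id, priority=0, cfi=0):
    """Build the tagged form of an untagged frame."""
    if not 0 <= vlan_id <= 4095 or not 0 <= priority <= 7 or cfi not in (0, 1):
        raise ValueError("VID must be 0-4095, priority 0-7, CFI 0 or 1")
    tci = (priority << 13) | (cfi << 12) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


# Constructed sample: a broadcast ARP frame header with a dummy payload.
UNTAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
            + struct.pack("!H", 0x0806) + b"\x00" * 28)

if __name__ == "__main__":
    tagged = insert_tag(UNTAGGED, 100, priority=5)
    print(parse_frame(tagged))
```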
Ingress
» Ingress rules:
• Acceptable Frame Types parameter defaults to Admit All Frames
• Port VLAN ID -- default is 1, can be assigned by port or protocol
• Ingress filtering defaults to disabled
» Forwarding rules based on:
• VLAN membership
• Spanning tree state (forwarding)
• Frame type (unicast or multicast)
• Filters
Egress
» Egress rules:
• Spanning tree state (forwarding)
• VLAN membership
• Untagged frames only forwarded if embedded addresses are
canonical
» Exempt frames:
• Spanning tree BPDUs
• GVRP BPDUs
• Frames used for control purposes, e.g. LAG PDUs, flow control
VLAN CLI
» Privileged and User Exec Mode commands:
• Display summary information for all configured VLANs
» show vlan brief
• Display detailed information for a specific VLAN
» show vlan <1-4094>
• Display port-specific information for one or more VLANs
» show vlan port {<slot/port | all>}
VLAN CLI (Database Mode)
» VLAN Database Mode commands:
» vlan database
• [Delete] create a new VLAN and assign an ID
» [no] vlan <2-4094>
• [Reset] assign a name to a VLAN, VLAN 1 is always named
Default, default for other VLANs is a blank string
» [no] vlan name <2-4094> <name>
VLAN CLI (Global Config Mode)
» Global Config Mode commands:
• Configure the participation of all interfaces for a VLAN
» vlan participation all {exclude | include | auto}
<1-4094>
• Configure the frame acceptance mode of all interfaces for all
VLANs
» vlan port acceptframe all {all | vlanonly}
• [Disable] enable ingress filtering for all interfaces for all VLANs
» [no] vlan port ingressfilter all
• [Disable] enable transmission of tagged frames for all interfaces
for a VLAN
» [no] vlan port tagging all <1-4094>
• [Reset] set the PVID for all interfaces for all VLANs
» [no] vlan port pvid all <1-4094>
VLAN CLI (Interface Config Mode)
» Interface Config Mode commands:
» config
» interface 0/x
• Configure the participation of an interface for a VLAN
» vlan participation {exclude | include | auto} <1-4094>
• Configure the frame acceptance mode of an interface for all VLANs
» vlan acceptframe {all | vlanonly}
• [Disable] enable ingress filtering for an interface for all VLANs
» [no] vlan ingressfilter
• [Disable] enable transmission of tagged frames for an interface for a VLAN
» [no] vlan tagging <1-4094>
• [Reset] set the PVID for an interface for all VLANs
» [no] vlan pvid <1-4094>
VLAN Web Management (figure)
VLAN port config - Web (figure)
VLAN Example 1
Figure: four ports, one in each of VLAN1, VLAN2, VLAN3 and VLAN4
Create the VLAN
vlan database
vlan 1
vlan name 1 vlan1
vlan 2
vlan name 2 vlan2
vlan 3
vlan name 3 vlan3
vlan 4
vlan name 4 vlan4
Assign membership
config
interface 0/1
vlan participation include 1
vlan pvid 1
exit
interface 0/2
vlan participation include 2
vlan pvid 2
exit
VLAN Example 2
Figure: port 1 is included in all the VLANs (VLAN1, VLAN2, VLAN3, VLAN4)
» Port 1 belongs to all four VLANs. All the other ports can reach port 1 but not each other.
» Create a common VLAN including all the ports.
» Create an individual VLAN for each port, with each such VLAN also including port 1.
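The ingress and egress rules from the earlier slides and the isolation in Example 2 can be checked with a small model. This is an added example and not Netgear's code: the port settings mirror the vlan acceptframe, vlan ingressfilter, vlan participation, vlan tagging and vlan pvid commands from the VLAN CLI slides, and the Example 2 configuration it builds assumes VLAN 1 is the common VLAN, with every other port's PVID set to its own individual VLAN. It also shows why ingress filtering, disabled by default according to the Ingress slide, matters: with it off, a tagged frame arriving on an access port is accepted into whichever VLAN its tag names.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    pvid: int = 1                                  # VID given to untagged frames
    member_of: set = field(default_factory=set)    # vlan participation include
    tagged_in: set = field(default_factory=set)    # VLANs transmitted with a tag
    acceptframe: str = "all"                       # "all" or "vlanonly"
    ingressfilter: bool = False                    # slide: defaults to disabled
    forwarding: bool = True                        # spanning-tree state


class VlanSwitch:
    def __init__(self):
        self.ports = {}

    def add_port(self, name, **settings):
        self.ports[name] = Port(**settings)

    def ingress_vid(self, in_port, vid=None):
        """Ingress rules: the VID the frame is classified into, or None if
        it is discarded.  vid None is an untagged frame, 0 a priority-tagged
        one; both take the port's PVID."""
        p = self.ports[in_port]
        if not p.forwarding:
            return None
        if vid in (None, 0):
            return None if p.acceptframe == "vlanonly" else p.pvid
        if p.ingressfilter and vid not in p.member_of:
            return None
        return vid

    def egress(self, in_port, vid):
        """Egress rules for a flooded (broadcast / unknown unicast) frame:
        every other forwarding member port gets a copy; the value says
        whether that copy carries the VLAN tag."""
        return {name: vid in p.tagged_in
                for name, p in self.ports.items()
                if name != in_port and p.forwarding and vid in p.member_of}

    def forward(self, in_port, vid=None):
        assigned = self.ingress_vid(in_port, vid)
        return {} if assigned is None else self.egress(in_port, assigned)


def example2_switch():
    """VLAN Example 2 as modelled here: VLAN 1 is the common VLAN holding all
    ports, VLANs 2-4 each hold port 0/1 plus one other port, and each port's
    PVID is its own individual VLAN (port 0/1 keeps PVID 1)."""
    sw = VlanSwitch()
    sw.add_port("0/1", pvid=1, member_of={1, 2, 3, 4})
    for n in (2, 3, 4):
        sw.add_port("0/%d" % n, pvid=n, member_of={1, n})
    return sw


if __name__ == "__main__":
    sw = example2_switch()
    print("untagged from 0/2 reaches", sw.forward("0/2"))
    print("tagged VID 3 from 0/2, filtering off", sw.forward("0/2", vid=3))
    sw.ports["0/2"].ingressfilter = True
    print("tagged VID 3 from 0/2, filtering on", sw.forward("0/2", vid=3))
```

The last two lines of the usage are the check worth running on any access port: with ingress filtering off, an end station on port 0/2 that emits a frame tagged VID 3 reaches port 0/3 despite the intended isolation; with vlan ingressfilter enabled the frame is dropped at ingress.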
VLAN trunking
» Propagate VLAN information between switches.
» VTP (VLAN Trunk Protocol) – proprietary to Cisco.
» Trunk port – connects two switches that share VLAN information.
• Included in all the VLANs that need to be trunked.
• The trunk port must be tagged in all VLANs.
• GARP (Generic Attribute Registration Protocol)
» GVRP and GMRP
VLAN Example 3
Figure: two switches, each with VLAN1, VLAN2, VLAN3 and VLAN4, connected through a trunk port on each side
» Include the trunk port in all the VLANs
» The trunk port is tagged in all the VLANs
» The PVID of the trunk port doesn't matter.
VLAN Example 4
Figure: two switches, each with VLAN1, VLAN2, VLAN3 and VLAN4, connected through trunk ports; switch #1 has an uplink to the internet
» Create a common VLAN in switch #1.
» Include all the ports in the common VLAN.
» The PVID of the uplink port is the VLAN ID of the common VLAN.
» The PVIDs of the other ports are their own individual VLAN IDs.
» Include trunk ports in every VLAN.
» Trunk ports need to be tagged in every VLAN.
802.1p
» IEEE 802.1p specifies how priority is carried in a packet header
» Netgear 7000 series switches support:
• Per port configuration of the default priority for packets received without a priority tag (platform dependent)
• Configuration of the mapping of 802.1p priority levels to the switch's priority queues (per port mapping is platform dependent)
» Default mapping:
» User priority 0 to traffic class 2
» User priority 1 to traffic class 0
» User priority 2 to traffic class 1
» User priority 3 to traffic class 3
» User priority 4 to traffic class 4
» User priority 5 to traffic class 5
» User priority 6 to traffic class 6
» User priority 7 to traffic class 7
802.1p CLI
» Global Config Mode commands:
• Configure the priority for untagged packets for all ports
» vlan port priority all <priority>
» Interface Config Mode commands:
• Configure the priority for untagged packets for one port
» vlan port priority <priority>
• Map an 802.1p priority to an internal traffic class for one port
(traffic classes are platform dependent)
» classofservice dot1pmapping <userpriority> <trafficclass> -- valid
values are 0-7 for both parameters
802.1p CLI
» Privileged or User Exec mode commands:
• Display the default 802.1p priority for all ports
» show vlan port all
• Display the default 802.1p priority for one port
» show vlan port <slot/port>
• Display the current mapping of 802.1p priorities to internal traffic
classes for all ports
» show classofservice dot1pmapping
• Display the current mapping of 802.1p priorities to internal traffic
classes for one port
» show classofservice dot1pmapping <slot/port>
802.1p web admin (figures)
Protocol Based VLAN
» Protocol-based filters for selective frame processing
» Ingress packet classification by protocol and port reduces
unwanted traffic
• VLAN ID for untagged or priority-tagged frames based on port and
protocol id
• Processing for tagged frames is unchanged
» Traffic bridged through user specified ports
Protocol Based VLAN (figures)
PBVLAN Implementation
» Uses “VID Set” concept
• Multiple VID values per port
» Untagged or priority-tagged frame and VID association
• Based on port of arrival and the protocol identifier of the frame
» Assigning VID
• Frame VID selected from the VID Set of arrival port
• If Protocol Group Identifier associated with the port is equal to
Protocol Group Identifier of the frame, the VID is a member of the
VID set
• Else, frame VID is the PVID associated with the port
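The VID Set rule from the slide above, as an added example that is not part of the Netgear firmware: a frame's VID comes from the arrival port's VID Set when the frame's protocol matches a group the port belongs to, and from the PVID otherwise; tagged frames are left alone. The group ids and VLAN attachments follow the PBVLAN CLI slides, while the EtherType-to-protocol mapping and the sample configuration are constructed here.

```python
# EtherType values for the three protocols the PBVLAN CLI accepts (IP, ARP, IPX).
ETHERTYPE_PROTOCOL = {0x0800: "IP", 0x0806: "ARP", 0x8137: "IPX"}


class ProtocolVlanTable:
    """Protocol groups as created with 'vlan protocol group', attached to a
    VLAN with 'protocol group <groupid> <vlanid>' and to ports with
    'protocol vlan group <groupid>'."""

    def __init__(self):
        self.groups = {}   # groupid -> {"protocol": str, "vlan": int, "ports": set}
        self.pvid = {}     # port name -> PVID

    def add_port(self, port, pvid=1):
        self.pvid[port] = pvid

    def create_group(self, groupid, protocol, vlan):
        if protocol not in ETHERTYPE_PROTOCOL.values():
            raise ValueError("protocol must be IP, ARP or IPX")
        self.groups[groupid] = {"protocol": protocol, "vlan": vlan, "ports": set()}

    def add_group_port(self, groupid, port):
        if port not in self.pvid:
            raise KeyError("unknown port %s" % port)
        self.groups[groupid]["ports"].add(port)

    def vid_set(self, port):
        """The port's VID Set: protocol identifier -> VID, one entry per
        group the port belongs to (several VIDs per port, as the slide says)."""
        return {g["protocol"]: g["vlan"]
                for g in self.groups.values() if port in g["ports"]}

    def classify(self, port, ethertype, tagged_vid=None):
        """VID assignment: tagged frames are unchanged; an untagged or
        priority-tagged frame takes the VID from the arrival port's VID Set
        when its protocol group matches, otherwise the port's PVID."""
        if tagged_vid not in (None, 0):
            return tagged_vid
        protocol = ETHERTYPE_PROTOCOL.get(ethertype)
        return self.vid_set(port).get(protocol, self.pvid[port])


def sample_table():
    """Constructed configuration: IP and ARP on ports 0/1 and 0/2 go to
    VLAN 10, IPX on port 0/1 goes to VLAN 20, anything else falls back to
    PVID 1."""
    t = ProtocolVlanTable()
    for p in ("0/1", "0/2", "0/3"):
        t.add_port(p, pvid=1)
    t.create_group(1, "IP", 10)
    t.create_group(2, "ARP", 10)
    t.create_group(3, "IPX", 20)
    for gid in (1, 2):
        t.add_group_port(gid, "0/1")
        t.add_group_port(gid, "0/2")
    t.add_group_port(3, "0/1")
    return t


if __name__ == "__main__":
    t = sample_table()
    for port, ethertype in (("0/1", 0x0800), ("0/1", 0x8137), ("0/3", 0x0800), ("0/1", 0x86DD)):
        print(port, hex(ethertype), "->", t.classify(port, ethertype))
```

IP and ARP are deliberately attached to the same VLAN in the sample: a protocol VLAN that carries IP without ARP leaves hosts unable to resolve each other, which is the usual first mistake with this feature.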
PBVLAN CLI
» Global Config commands to manage a PBVLAN:
• Create a group and assign a groupid
» vlan protocol group <groupname>
• Delete a group
» vlan protocol group remove <groupid>
» Privileged Exec Mode display command:
• Display information for one or more groups -- use the ‘all’
parameter to find out which groupid was assigned to a new group
» show port protocol {<groupid> | all}
PBVLAN CLI
» Global Config Mode commands:
• [Remove] add a protocol (IP, IPX or ARP) to a PBVLAN
» [no] vlan protocol group add protocol <groupid> <protocol>
• [Remove] add all interfaces to a PBVLAN
» [no] protocol vlan group all <groupid>
» Interface Config Mode commands:
• [Remove] add an interface to a PBVLAN
» [no] protocol vlan group <groupid>
» VLAN Database Mode commands:
• [Remove] attach a VLAN to a PBVLAN
» [no] protocol group <groupid> <vlanid>
PBVLAN (Web Admin, figure)
GARP
• GARP provides a generic attribute dissemination protocol used to
support other protocols such as GVRP
• Used to register and deregister attribute values with other GARP
participants within bridged LANs
• When a GARP participant declares or withdraws a given attribute,
the attribute value is recorded with the applicant state machine for
the port from which the declaration or withdrawal was made
• There exists a GARP participant per port per GARP application
(e.g. GVRP)
GARP VLAN Registration Protocol (GVRP)
• GVRP propagates VLAN membership throughout a network
• GVRP allows end stations and switches to issue and revoke
declarations relating to VLAN membership
• VLAN registration is made in the context of the port that receives
the GARP PDU and is propagated to the other active ports
• GVRP is disabled by default -- user must enable GVRP for the
switch and then for individual ports
• Dynamic VLANs are aged out after the LeaveAllTimer expires
three times without receipt of a join message
GARP Multicast Registration Protocol
(GMRP)
• GMRP propagates group membership throughout a network
• GMRP allows end stations and switch devices to issue and
revoke declarations relating to group membership
• (De)registration updates the Multicast Forwarding Database --
multicast packets are only forwarded through ports with a GMRP
registration
• GMRP is disabled by default -- user must enable GMRP for the
switch and then for individual ports
Link Aggregation
Link Aggregation (Trunk)
» Link Aggregation (LAG)
• Link Aggregation, or Trunking, allows IEEE 802.3 MAC interfaces
to be grouped together logically to appear as one physical link
• LAG provides automatic redundancy between two devices
• Each link of a LAG must run at the same speed and must be in full
duplex mode
• LAGs behave like any other Ethernet link to VLAN
• A LAG can be a member of a VLAN
• A LAG is treated as a physical port with the same configuration
parameters, spanning tree port priority, path cost, etc.
• A router port may be a member of a LAG, but routing will be
disabled while it is a member
LAG Implementation
» Interface restrictions:
• LAG speed may not be changed
• Routing is not supported on links in a LAG
• An interface can belong to only one LAG
» Number of LAGs and number of members vary by platform
• Maximum of 8 LAGs with maximum of 8 members each on
Reference Platform
» Supports IEEE 802.3 Clause 43 with minor exceptions:
• No optional features supported, e.g. Marker Generator/Receiver
• Mux machine implemented as coupled not independent control
• Some MIB variables not supported (see later slide)
• Static LAG supported in version 3 only.
Static LAG
» Manual Aggregation
• If the partner does not respond with LACPDUs, the system will
wait 3 seconds and aggregate manually
• This configuration should only be enabled if both parties are
802.3ad-compliant and have the protocol enabled
• LAGs should be configured and STP enabled on both devices
before connecting cables
• Manual aggregation uses default values:
» If a LACPDU is received with different values the link will drop out
» When all member links have dropped out, the group will re-aggregate
with the new information
• Manual aggregation is disabled by default, and when enabled applies to
all LAG interfaces
LAG
LAG CLI
» Global Config mode CLI commands to create a LAG:
• Configure the LAG
» port-channel <name>
• Use show port-channel all to display the logical slot/port
» port-channel name {<logical slot/port> | all} <name>
» [no] port-channel linktrap {<logical slot/port> | all}
» spanning-tree stpmode {<logical slot/port> | all} {off | 802.1d | fast}
• [Disable] enable the LAG
» [no] port-channel adminmode {<logical slot/port> | all}
• Delete all ports from a LAG:
» deleteport <logical slot/port> all
• Delete a LAG:
» no port-channel {<logical slot/port> | all}
LAG CLI
» Interface Config mode CLI commands to configure a LAG:
• Add ports:
» addport <logical slot/port>
• Delete ports:
» deleteport <logical slot/port>
• Delete one or all LAGs:
» delete interface {<logical slot/port> | all}
» Privileged Exec mode CLI command to display LAG information:
• Returns mode information
• Lists members -- slot.port notation, link speed
» show port-channel {<logical slot/port> | all}
Static LAG CLI
» Global Config Mode commands to disable/enable static capability
for the switch:
• port-channel staticcapability
» All LAGs with configured members but no active members will now
aggregate statically on link up interfaces
» No effect on dynamic LAGs
• no port-channel staticcapability
» Active members of static LAGs will drop. A LAG with no active
members will go down
» Privileged and User Exec Mode display command:
• show port-channel brief
» Displays whether static capability is enabled
Link Aggregation - Web
Link Aggregation - Web
Link Aggregation on Netgear managed
switches
» Smart Switches – Static LAG
» 700 series switches – LACP and static LAG
» 7000 series switches – LACP and static LAG
» Both switches in a LAG have to use the same type of link
aggregation.
» Only version 3 firmware supports static LAG on the 7000 series
switches.
Multicast Forwarding Database
» Allows co-existence of different Layer 2 multicast protocols
» Maintains a shared VLAN ID-MAC address table
» Current users (no component interaction):
• GARP Multicast Registration Protocol (GMRP)
• IGMP Snooping
• Static MAC Filtering
» Types of entries:
• Static -- configured by the end user
• Dynamic (network configured) -- e.g. GMRP
• Dynamic (network assisted) -- e.g. IGMP Snooping
MTFD Table – Standard and Management
» Standards:
• No IEEE standards or IETF RFCs exist
» MIBs supported:
• Supported by the FASTPATH Enterprise Switching MIB
• Objects supported:
» agentSwitchMFDBTable
» agentSwitchMFDBSummaryTable
» CLI display commands:
• Display the entire table or a specific entry
» show mfdb table <macaddr/all>
• Display the table for a given protocol
» show mfdb <gmrp/igmpsnooping>
• Display the MFDB statistics
» show mfdb stats
MTFD - CLI
» Privileged Exec Mode commands to display MFDB information:
• Display one or all multicast entries
» show mac-address-table multicast {<macaddr> | all}
• Display the GMRP entries
» show mac-address-table gmrp
• Display the IGMP Snooping entries
» show mac-address-table igmpsnooping
• Display one or all static MAC filtering entries
» show mac-address-table static {<macaddr> <vlanid> | all}
• Display the static filtering entries
» show mac-address-table staticfiltering
• Display the MFDB statistics
» show mac-address-table stats
MTFD table
» Table entries consist of:
• VLAN ID
» VLAN IDs 1-4095 when running IVL
» VLAN ID 0 only when running SVL
• Group MAC address
• Up to L7_MFDB_MAX_USERS user components
» User components consist of:
• One of the component IDs in the L7_COMPONENT_IDS_t type
• 16 bit entry description
» Bitmask of forwarding list of interfaces
» Bitmask of filtering list of interfaces
» Entries are updated by the controlling protocol
IGMP Snooping
» Restricts IP multicast traffic to interested nodes
» Builds entries for the Multicast Forwarding Database
• IP addresses are collapsed to MAC addresses
» 01:00:5E:XX:XX:XX filled in with last 23 bits of IP address
» 230.1.2.3 folds into 01:00:5E:01:02:03
• IGMP entries aged out using a configurable query interval timer
• IGMP Leave Group messages trigger IGMP Queries
• Topology changes trigger IGMP General Queries from STP root
bridges
IGMP Snooping
» Decodes IGMP Membership Reports (Joins) and Leave Group
Messages:
• Identifies ports requesting multicast traffic
» Decodes IGMP query messages and PIM and DVMRP control
frames:
• Builds list of multicast routers
» Limitations:
• Number of entries for IGMP Snooping limited by the size of the
Multicast Forwarding Database
» Platform-dependent
» MFDB is shared with GMRP and Static MAC Filtering
IGMP Snooping
[Figure: a Multicast Router sends IGMP Queries to the IGMP Snooping switches; multicast clients send IGMP Report/Join and IGMP Leave messages, which the switches record in the MTFD table]
IGMP Snooping Implementation
» Implemented in conformance with IETF draft standard dated
January 2002
• The Enterprise Switching MIB is used to support this feature
» Implementation options chosen:
• Multicast router list built based on arrival port of IGMP Queries
• Code supports IGMP, DVMRP, PIMv1 and PIMv2 messages (IP protocol 2 and IP protocol 103)
• Proxy reporting is not supported
• Unregistered packets are flooded, no configuration option to
suppress this behavior
• IGMP and multicast frames are only forwarded within a VLAN
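As an added example (not code from the Netgear slides or the FASTPATH software), the behaviour described on the Multicast Forwarding Database, MTFD table and IGMP Snooping slides in one small Python model: IP groups are folded into 01:00:5E MACs using the low 23 bits, the table is keyed by (VLAN ID, group MAC), router ports are learned from the arrival port of IGMP Queries, unregistered groups are flooded, and nothing crosses a VLAN. The VLAN membership and the IGMP messages fed in are constructed sample data; port numbers are plain integers rather than slot/port notation.

```python
import ipaddress


def mcast_ip_to_mac(group_ip):
    """Fold an IPv4 multicast group into its 01:00:5E MAC.

    Only the low 23 bits of the IP survive, exactly as the slide states, so 32
    distinct groups (e.g. 225.1.2.3, 230.1.2.3, 239.129.2.3) share one MAC.
    """
    addr = ipaddress.IPv4Address(group_ip)
    if not addr.is_multicast:
        raise ValueError(f"{group_ip} is not a multicast group")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5E:%02X:%02X:%02X" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


class MFDB:
    """Multicast Forwarding Database keyed by (VLAN ID, group MAC).

    Each entry holds the ports registered by IGMP Snooping; the per-VLAN
    multicast router ports are learned from the arrival port of IGMP Queries.
    """

    def __init__(self, vlan_ports):
        self.vlan_ports = vlan_ports        # vlan -> set of member ports (constructed sample)
        self.entries = {}                   # (vlan, mac) -> set of listener ports
        self.router_ports = {}              # vlan -> set of ports towards multicast routers

    def query_seen(self, vlan, port):
        """An IGMP Query arrived on `port`: treat it as a multicast router port."""
        self.router_ports.setdefault(vlan, set()).add(port)

    def report(self, vlan, port, group_ip):
        """IGMP Membership Report (Join) on `port` for `group_ip`."""
        key = (vlan, mcast_ip_to_mac(group_ip))
        self.entries.setdefault(key, set()).add(port)

    def leave(self, vlan, port, group_ip):
        """IGMP Leave Group on `port`; the entry disappears with its last listener."""
        key = (vlan, mcast_ip_to_mac(group_ip))
        listeners = self.entries.get(key)
        if listeners is not None:
            listeners.discard(port)
            if not listeners:
                del self.entries[key]

    def egress_ports(self, vlan, ingress_port, group_ip):
        """Ports that receive a multicast data frame for `group_ip` entering on `ingress_port`.

        A registered group goes to its listeners plus the router ports; an
        unregistered group is flooded to the whole VLAN (the slide says this
        cannot be suppressed); frames never leave the ingress VLAN.
        """
        key = (vlan, mcast_ip_to_mac(group_ip))
        if key in self.entries:
            out = set(self.entries[key]) | self.router_ports.get(vlan, set())
        else:
            out = set(self.vlan_ports[vlan])
        out.discard(ingress_port)
        return out


if __name__ == "__main__":
    # Constructed topology: VLAN 10 on ports 1-4 (router behind port 1), VLAN 20 on ports 5-6.
    db = MFDB({10: {1, 2, 3, 4}, 20: {5, 6}})
    db.query_seen(10, 1)
    db.report(10, 2, "230.1.2.3")
    print("230.1.2.3 ->", mcast_ip_to_mac("230.1.2.3"))
    print("registered group from port 3:", sorted(db.egress_ports(10, 3, "230.1.2.3")))
    print("unregistered group from port 3:", sorted(db.egress_ports(10, 3, "239.5.5.5")))
```

Two things worth checking against this model on a real deployment: because the table is MAC-keyed, a listener for 230.1.2.3 also receives data for 225.1.2.3 and every other group sharing that MAC, and because unregistered groups are flooded, snooping limits multicast only for groups somebody has actually joined.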
IGMP Snooping Interaction
» IGMP and multicast frames are only forwarded within a VLAN
» IGMP Snooping may be configured but will not be enabled for:
• Interfaces that are members of a LAG
» But the LAG itself may be enabled
• Interfaces that are enabled for IGMP
• Interfaces that are enabled for routing
• Interfaces that are enabled for VLAN routing
• A port that is configured as a mirror destination port
IGMP Snooping Topology
IGMP Snooping Standard
» RFCs/drafts supported
• draft-ietf-magma-snoop-02.txt: IGMP and MLD snooping switches
• Options implemented/not implemented:
» Support detection of Multicast Routers based on arrival of IGMP
Queries as well as PIM and DVMRP control frames
» Support for topology changes
» Multicast Forwarding table is based on VLAN ID/MAC address
» Unregistered packets are flooded, no configuration option to suppress
this behavior
» IGMP and multicast frames are only forwarded within a VLAN
» No support for Multicast Router Discovery Protocol
» No support for Proxy Reporting
IGMP Snooping MIB
» No standard MIB exists for IGMP Snooping
» MIB supported in Netgear 7000 series switches:
• agentSwitchIGMPSnoopingAdminMode
• agentSwitchIGMPSnoopingQueryInterval
• agentSwitchIGMPSnoopingMaxResponseTime
• agentSwitchIGMPSnoopingMRPExpirationTime
• agentSwitchIGMPSnoopingPortMask
• agentSwitchIGMPSnoopingMulticastControlFramesProcessed
• agentSwitchIGMPSnoopingDataFramesForwarded
IGMP Snooping CLI
» Global Config Mode CLI commands:
• [Disable] enable IGMP Snooping
» [no] set igmp
• [Disable] enable IGMP Snooping on all interfaces
» [no] set igmp interfacemode all
• Commands to configure timers:
» [no] set igmp groupmembershipinterval <2-3600>
• Default 125 seconds
» [no] set igmp maxresponse <1-less than group membership interval>
• Default 10 seconds
» [no] set igmp mcrtrpresent <0-3600>
• Default 0 seconds (no expiration)
IGMP Snooping CLI
» Interface Config Mode CLI commands:
• [Disable] enable IGMP Snooping on a specific interface
» [no] set igmp
» Privileged Exec Mode CLI command:
• Displays enabled interfaces, timers, and counts of control and data
frames processed by the CPU
» show igmpsnooping
IGMP Snooping web admin
IGMP Snooping web admin
IGMP Snooping table
IP Subnetting
VLAN routing
» To the network, the VLAN and router functions are independent
entities.
» A VLAN can be a port on the router function.
» A port is either a VLAN or a router port, not both.
» Bridge Layer Processing:
• The port will perform normal processing and forward unicast
packets to the interface found in the MAC address table
» Router Layer Processing:
• Packet is associated with a VLAN or a physical interface
VLAN Routing
» There is no standard for VLAN Routing.
» Only one of the reserved MAC addresses is assigned for all
routed VLANs.
• It will be added to the forwarding database if any VLAN is enabled
for routing
» When routing is enabled on a port, STP state is set to forwarding
as soon as the link is up.
» “Speed” (used for calculating the cost of the VLAN interface) is
set to 10Mbps for VLAN Routing I/Fs.
VLAN Routing Limitations
» Only IVL is supported with VLAN Routing.
• The MAC address is added to each unicast table associated with
the routed VLAN
» When routing is enabled on a port, it will not participate in Layer 2
activities, e.g. GVRP.
» VRRP is currently not supported with VLAN Routing.
» Number of routed VLANs is platform-specific.
» Each routed VLAN is associated with only one sub-net.
» Platform-specific considerations:
• May have slow performance on some platforms
• Forwarding-plane implementation (implemented for SwitchCore)
• VLAN Routing with VRRP (implemented for SwitchCore)
VLAN Routing CLI
» From vlan database mode:
• CLI command to create routing on a VLAN:
» vlan routing <vlan> - range 1-4094
• CLI command to delete routing on a VLAN:
» no vlan routing <vlan>
» From user exec mode:
• CLI command to display VLAN routing information for all VLANs
with routing enabled.
» show ip vlan
VLAN Routing – Web admin
VLAN Routing – Interface admin
VLAN Routing Wizard
RIP
» Routing Information Protocol (RIP)
• “Interior” gateway protocol for small to medium size networks
• Each route characterized by number of gateways, or hops
• Sends update message every 30 seconds to all adjacent routers
• Version 1 – RFC 1058
» Routes specified by IP destination network and hop count
» Updates broadcast to all stations on attached network
• Version 2 – RFC 1723
» Addition of subnet mask and gateway to route description
» Special multicast address (224.0.0.9) for route updates
» Compatibility mode to communicate with RIPv1 routers
» Authentication provides security for route table updates
• FASTPATH™ has APIs for:
» Configuration and gathering statistics
RIP – Web admin
OSPF
» Open Shortest Path First (OSPF)
• An “interior” gateway protocol designed for medium to large scale
networks
• Uses Hello packets to discover neighboring routers
• Link state protocol. Link state advertisements (LSAs) are flooded as a
result of network topology changes
• Autonomous system hierarchy with intra- and inter-area routing.
• Provides a mechanism for authentication of data.
• The shortest path algorithm may result in multiple equal cost paths to the
same destination. This is useful for load balancing, enhancing route
redundancy and traffic management.
OSPF – Web admin
BootP / DHCP Relay
» Implemented as defined in RFC 1542 (Chapter 4) and RFC 3046
• Supports Circuit ID sub-option
• Does not support Remote ID sub-option
» Relays BOOTP/DHCP requests when there is no server on the
subnet
» Requests are regenerated, not forwarded as-is
» Configuration required to:
• Enable/disable the agent (default = disable)
• Enable/disable DHCP agent options (default = disable)
• Enable/disable adding each DHCP agent sub-option (default =
disable)
• Set the forwarding IP address
» One per box, not multiple as defined in the RFC
BootP/DHCP relay - CLI
» no bootpdhcprelay disable
» bootpdhcprelay serverip 10.4.1.50
» bootpdhcprelay cidoptmode
BootP / DHCP Relay – Web config
VRRP
» Implemented in accordance with RFC 2338
• Supports only a single IP address per Virtual Router
• Supports multiple Virtual Routers per interface
» Eliminates the single point of failure associated with static default
routes
» Dynamically assigns forwarding responsibility for an IP address
to one virtual router within the VRRP group
» Any of the virtual router’s IP addresses can be used as the default
first hop router
» Responsibility can be reassigned without reconfiguring the
network
VRRP CLI
» CLI command to set VRRP for the box:
• [no] vrrp disable
» CLI commands for a virtual router for an interface:
• [no] vrrp <VrID> enable
» CLI commands to set VRRP parms for an interface:
• [no] vrrp <VrID> priority <1-254>
• [no] vrrp <VrID> ip <ipaddress> <ipaddr>
• [no] vrrp <VrID> preempt
• [no] vrrp <VrID> timers advertise
• [no] vrrp <VrID> authentication
• vrrp removedetails <vrID>
VRRP CLI
» CLI command to display VRRP state and statistics for the box:
• show vrrp
» CLI commands to display VRRP parameters and statistics for
interfaces:
• show vrrp interface stats <slot/port> <VrID>
• show vrrp interface <slot/port> <VrID>
• show vrrp interface brief
VRRP CLI
» CLI command to display VRRP state and statistics for the box:
• show vrrp
» CLI commands to display VRRP parameters and statistics for
interfaces:
• show vrrp interface brief
» Information on all virtual routers
• show vrrp interface <slot.port> <vrID>
• show vrrp interface stats <slot.port> <vrID>
VRRP – Web admin
Example
[Figure: VRRP example topology, reconstructed from the slide labels]
» Internet Connection #1 via Router 192.168.1.1; Internet Connection #2 via Router 192.168.3.1
» GSM7312 Switch#1 (Master router):
• Port 0.5 192.168.1.100, Default Gateway: 192.168.1.1
• Port 0.3 192.168.3.101, VRID: 20, Priority: 255, Virtual address: 192.168.3.101
» GSM7312 Switch#2 (Backup router):
• Port 0.4 192.168.3.102, VRID: 20, Priority: 200, Virtual address: 192.168.3.101
» Also labelled: Port 0.3: 192.168.3.101, Default Gateway: 192.168.3.1
» Layer 2 switch and End station 192.168.3.100, Default gateway: 192.168.3.101
Example
1. Enable routing on the switch.
2. Enable routing on the interface.
3. Assign IP address to the interface
Example
4. Set up default route to internet connection
Example
5. Enable VRRP on switch.
6. Assign VRID to the interface.
7. Assign a virtual IP.
8. Assign a priority.
Example
9. Create the backup router on switch#2 using the same steps.
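As an added example (not from the Netgear slides), the election that decides which of the two GSM7312 switches in the example answers for the virtual address 192.168.3.101, written in Python against RFC 2338, which the VRRP slide cites: the live member with the highest priority wins, ties go to the higher primary IP, and a backup declares the master dead after 3 advertisement intervals plus a priority-dependent skew. The two router objects are constructed from the example's VRID 20, priorities 255 and 200, and addresses 192.168.3.101/.102; the one-second advertisement interval is the RFC default, not a value the slides state.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class VrrpRouter:
    name: str
    primary_ip: str     # the interface's own address
    vrid: int           # virtual router ID shared by the group
    priority: int       # 255 = owner of the virtual address; 1-254 = backup
    up: bool = True


def elect_master(routers, vrid):
    """Master for `vrid` per RFC 2338: highest priority among live members,
    ties broken by the higher primary IP. Priority 0 means 'releasing the
    role' and never wins."""
    candidates = [r for r in routers if r.vrid == vrid and r.up and r.priority > 0]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (r.priority, int(ipaddress.IPv4Address(r.primary_ip))))


def skew_time(priority):
    """RFC 2338 Skew_Time: higher-priority backups react sooner to a lost master."""
    return (256 - priority) / 256


def master_down_interval(priority, advertisement_interval=1.0):
    """Seconds a backup waits without advertisements before taking over."""
    return 3 * advertisement_interval + skew_time(priority)


# Constructed from the slide's example: Switch#1 owns 192.168.3.101 (priority 255),
# Switch#2 backs it up from 192.168.3.102 with priority 200; both use VRID 20.
SWITCH1 = VrrpRouter("GSM7312 Switch#1", "192.168.3.101", 20, 255)
SWITCH2 = VrrpRouter("GSM7312 Switch#2", "192.168.3.102", 20, 200)


def failover_sequence():
    """Who forwards for 192.168.3.101 before and after Switch#1 goes down."""
    before = elect_master([SWITCH1, SWITCH2], 20).name
    after = elect_master([replace(SWITCH1, up=False), SWITCH2], 20).name
    return before, after


if __name__ == "__main__":
    print("master before/after failure:", failover_sequence())
    print("Switch#2 takes over after %.5f s" % master_down_interval(200))
```

Because the master is simply whoever advertises the highest priority, any host on the 192.168.3.0/24 segment that can send VRRP advertisements could claim the role; that is why the slides list a `vrrp <VrID> authentication` command, and why the segment carrying VRRP should not be reachable from untrusted ports.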
QOS Support
• Bandwidth Provisioning (Not supported)
• Access Control Lists (ACL)
• Differentiated Services
» Class
» Policy
» Service
QOS Terminologies
» QoS Terms:
• Bandwidth Profile
» Average BW
» Peak BW
• Class (match filter)
» Source/destination MAC address
» Source/destination IP address
» Class of Service (IEEE 802.1p priority) value
» VLAN information (VLAN ID)
» IP Service Type (AKA: ToS bits, Precedence value, DSCP value)
» Layer 4 protocol (TCP, UDP etc.)
» Layer 4 source/destination ports
• Policy
» Drop/Send (ACL)
» Mark DSCP
» Police (to Bandwidth Profile)
• Service
» Apply Class, Policy to Interface
Bandwidth Provisioning
» Permits delivery of varying levels of allocated bandwidth to users on the
same physical I/F
• Provides Committed Information Rate
• Provides Maximum Burst Rate
» Allocates bandwidth by mapping a subscriber's traffic profile to a
prescribed policy
» Actively provisions minimum and maximum bandwidth.
» Benefits
• Enables control of bandwidth allocated to users, applications, and
organizations sharing the same link
• Enables delivery of adequate levels of service without over-provisioning
network equipment
• Reduces risk of network congestion
• Prevents a small number of applications or users from consuming all the
available bandwidth
Bandwidth Allocation (Traffic Class)
» Configuring Bandwidth Provisioning
• Create a Traffic Class – type VLAN only
• Attach the TC to an interface and assign a VLAN ID
• Create a Bandwidth Allocation Profile and assign minimum and
maximum bandwidth
• Attach the Profile to the Traffic Class
• Max of 128 Traffic Classes
» VLAN traffic transmitted on the interface is guaranteed the
minimum bandwidth
» VLAN traffic transmitted on the interface will not exceed the
maximum bandwidth
Bandwidth allocation profile
» Operator associates Bandwidth Allocation Profile (BAP) with a
Traffic Class
• BAP defines minimum and maximum bandwidth for a VLAN
• Default BAP: min. = 1 Mbps, max. = 100 Mbps
• Sum of all min. bandwidth definitions for an interface may not
exceed its capability, except for LAGs
• There is no limit on max. bandwidth definitions
• Maximum of 128 BAPs, including the default
Bandwidth Allocation CLI
» Privileged and User Exec mode commands:
• Display traffic class information:
» show bwp-trafficclass summary
» show bwp-trafficclass detailed <name>
» show bwp-trafficclass allocatedbw {<slot/port> | all}
• Display bandwidth allocation information:
» show bwp-bwallocation summary
» show bwp-bwallocation detailed <name>
Bandwidth Allocation CLI
» Bwprovisioning Config mode:
• [Delete] create a Bandwidth Allocation Profile and change to
Bwprovisioning Config mode
» [no] bwallocation <name>
» Bwprovisioning Config mode:
• Configure the maximum bandwidth for the BAP
» [no] maxbandwidth <maxbandwidth> -- default 100 Mbps
• Configure the minimum bandwidth for the BAP
» [no] minbandwidth <minbandwidth> -- default 1 Mbps
Bandwidth Allocation CLI
» Bwprovisioning Config mode:
• [Delete] create a traffic class and change to Traffic-Class Config mode
» [no] trafficclass <name>
» Traffic-Class Config mode:
• Associate a VLAN with the traffic class
» vlan <vlanid>
• Attach an interface to the traffic class
» port <slot/port>
• Assign the priority for the traffic class
» weight <weight>
• Associate a BAP with the traffic class
» bwallocation <bwprofile>
ACL
» Process:
• Create an Access Control List, specifying an ACL ID and a rule
• Up to 10 rules can be specified for an ACL, using the same
command
• Associate the ACL with a protocol using distribute-list
» Usage:
• If a packet matches Rule 1, the action is taken (permit or deny)
• If not, the packet is tested against Rule 2, and so on
• If a packet does not match any user defined rules, it will always
match the ‘implicit deny’ rule and be dropped
ACL CLI
» Global Config Mode commands to create ACLs and rules:
• [Delete] create an Access Control List
» [no] access-list <0-199> <{permit | deny}> {<srcip> <srcmask>
| <dstip> <dstmask>}
» Privileged and User Exec mode display command:
• show ip access-lists <accesslistnumber>
ACL
» Host A is allowed access to the Human Resources Network,
Host B’s access is blocked
ACL
• ACLs are made up of a sequential collection of permit and deny
conditions, called rules
• Rules can be configured to inspect up to six fields of a packet:
» Source IP
» Destination IP
» Source L4 Port
» Destination L4 Port
» TOS Byte
» Protocol Number
• Access control lists are applied to one or more interfaces:
» For inbound traffic only, or
» For outbound traffic only
ACL Support
» There is no standard for ACL:
• MIB support is provided in the Enterprise MIB
» Management via CLI, Web and SNMP
» Limitations:
• Classification is performed only on the six-tuple field
• Maximum number of ACLs is 100
• Maximum number of rules per ACL is 10
• An ACL can be applied to more than one interface, but only in one
direction
Creating an ACL
» Process:
• The user creates an ACL by specifying a number through the
management layer, the ACL ID
• The user adds new rules to the ACL
• The user configures the match criteria for the rules
• The user applies the ACL to one or more interfaces
• The user specifies the direction, inbound or outbound, to which the list
should be applied
ACL CLI
» Global Config Mode:
• [Delete] create a standard ACL and its rules:
» [no] access-list <accesslistnumber> <1-99> {deny | permit}
{every | <srcip> <srcmask>}
• [Delete] create an extended ACL and its rules:
» [no] access-list <accesslistnumber> <100-199> {deny |
permit} {every | {icmp | igmp | ip | tcp | udp | <number>}
<srcip> <srcmask> [{eq {<portkey> | <portvalue>} | range
<startport> <endport>}] [precedence <precedence>] [tos <tos>
<tosmask>] [dscp <dscp>]}
ACL CLI
» Privileged and User Exec Mode:
• Display an ACL and all of its rules:
» show ip access-lists <accesslistnumber>
» Global Config Mode:
• Attach an ACL to all interfaces
» ip access-group <accesslistnumber> [in | out]
» Interface Config Mode:
• Attach an ACL to a specific interface
» ip access-group <accesslistnumber> [in | out]
ACL – Web admin
ACL Rule – Web admin
ACL Example
[Figure: the switch connects the Internet, the 66.33.22.0/24 network and the internal subnets 192.168.251.130/27, 192.168.251.161/27 and 192.168.251.192/27]
Objective: Restrict ssh access from the Internet to 66.33.22.0/24
while allowing access from all internal networks.
Rules (source, protocol, destination, destination port):
1. Allow   66.33.22.0/24      TCP  192.168.251.130/27  22
2. Allow   192.168.251.0/24   TCP  192.168.251.130/27  22
3. Deny    0.0.0.0/0.0.0.0    TCP  192.168.251.130/27  22
4. Permit  0.0.0.0/0.0.0.0    ALL  0.0.0.0/0.0.0.0     ALL
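As an added example (not code from the Netgear slides), a Python evaluator for the first-match semantics described on the earlier ACL slide, loaded with the four rules of this example: rules are tested in order, the first match decides permit or deny, and a packet that matches nothing hits the implicit deny. The rule set is the slide's; the packets fed in are constructed, with 203.0.113.7 used as a stand-in Internet address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def net(cidr):
    """Parse a network, accepting host-style notation such as 192.168.251.130/27."""
    return ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    protocol: str                     # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None       # None matches any destination port


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule, pkt):
    """True when every field of the rule accepts the packet."""
    return (rule.protocol in ("any", pkt.protocol)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(acl, pkt):
    """First-match evaluation: return (action, rule number); rule 0 is the implicit deny."""
    for number, rule in enumerate(acl, start=1):
        if matches(rule, pkt):
            return rule.action, number
    return "deny", 0


# The slide's four rules, in the order they are listed.
ANY = net("0.0.0.0/0")
SSH_ACL = [
    Rule("permit", "tcp", net("66.33.22.0/24"),    net("192.168.251.130/27"), 22),
    Rule("permit", "tcp", net("192.168.251.0/24"), net("192.168.251.130/27"), 22),
    Rule("deny",   "tcp", ANY,                     net("192.168.251.130/27"), 22),
    Rule("permit", "any", ANY,                     ANY),
]

if __name__ == "__main__":
    # Constructed test packets; 203.0.113.7 stands in for an arbitrary Internet host.
    for pkt in (Packet("tcp", "66.33.22.5", "192.168.251.130", 22),
                Packet("tcp", "203.0.113.7", "192.168.251.131", 22),
                Packet("tcp", "203.0.113.7", "192.168.251.131", 443),
                Packet("tcp", "203.0.113.7", "192.168.251.170", 22)):
        print(pkt, "->", evaluate(SSH_ACL, pkt))
```

Running the last packet shows the scope of these rules: ssh from the Internet to 192.168.251.170, which is in the 192.168.251.161/27 subnet rather than the .130/27 one named in rules 1 to 3, falls through to rule 4 and is permitted. Rule 4 is also what keeps everything else flowing; without it the implicit deny at the end would drop all non-matching traffic.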
Step 1: Create ACL and apply to interfaces
Step 2: Create rule#1
Step 3: Define rule#1
Step 4: Create rule#2
Step 5: Create rule#3
Step 6: Create rule#4
ACL Created
DiffServ - Standard
» RFCs/drafts supported
• “Definition of the Differentiated Services Field (DS Field) in the IPv4 and
IPv6 Headers” (RFC 2474)
» No known exceptions, limitations, or omissions
• “An Architecture for Differentiated Services” (RFC 2475)
» No known exceptions, limitations, or omissions
• “Assured Forwarding PHB Group” (RFC 2597)
» Most platforms limited to 1 AF class (AF3X)
» Relies on hardware implementation for compliance
• “An Expedited Forwarding PHB (Per-Hop Behavior)” (RFC 3246)
» No known exceptions, limitations, or omissions
» Relies on hardware implementation for compliance
• “New Terminology and Clarifications for DiffServ” (RFC 3260)
» No known exceptions, limitations, or omissions
Diffserv
» Classify IP packets into marked traffic streams
• Multi-field classification on IP 6-tuple (and more) at edge
• IP DSCP/Precedence classification by interior nodes
» Condition traffic streams at ingress
• Marking, policing
» Provision network node resources to handle marked traffic
according to per-hop behavior specifications
• Bandwidth allocation, queuing, outbound rate shaping
» Independent of FASTPATH Switching or Routing
• Requires either one as a pre-requisite in the build
• Not involved in packet forwarding decision
Diffserv - Edge
DiffServ Interior
DiffServ Limitation
» IPv4 packets only
» Reference class definitions
• Class may reference one other class of same type
» ‘all’-to-‘all’, ‘any’-to-‘any’
» class type ‘acl’ not supported
• ‘exclude’ parameter not supported
• Total reference class chain limited to 2x max number of rules per class
» Minimal configuration “undo” capability
• May delete class, policy, policy instance if not currently referenced
• Generally, class rules and policy attributes cannot be deleted
» Must delete parent class/policy and re-specify
» Can sometimes delete rule/attribute if it is most recent one added
DiffServ Support
» General DiffServ support
» Class type
• ‘all’
» Class match fields
• Each match condition field
• The ‘exclude’ option
• Support for masks (for fields that have them)
• Support for ranges (e.g., layer 4 port range)
» Policy definition
• Whether outbound policy classifier is unrestricted
• Inbound attributes and styles
• Each outbound attribute
DiffServ CLI
» Privileged Exec mode display commands
• General Diffserv information
» show diffserv
• Service information
» show diffserv service brief {in | out}
» show diffserv service <slot/port> {in | out}
• Policy information
» show policy-map [<policyname>]
» show policy-map interface <slot/port> {in | out}
• Class information
» show class-map [<classname>]
• Statistics
» show service-policy-map {in | out}
Configure DiffServ on 7000 switches
» 1. Create DiffServ Class.
» 2. Select matching criteria for DiffServ Class.
» 3. Create Policy.
» 4. Assign classes to policy.
» 5. Define policy class.
» 6. Apply policy to interfaces.
DiffServ CLI
» Global Config mode commands:
• [Disable] enable DiffServ
» [no] diffserv
• [Delete] create a DiffServ class
» [no] class-map [{match-all | match-any | match-access-group <aclid>}]
<classmapname>
• Rename a DiffServ class
» class-map rename <classname> <newclassname>
• Attach a policy to all interfaces
» service-policy {in | out} <policymapname>
» Successful execution of the class-map command:
• Changes the mode to Class-Map Config
• Class-Map Config commands will apply to the specified classmapname
DiffServ - CLI
» Class-Map Config mode commands:
• Add match conditions to a class
» match [not] cos <0-7>
» match [not] {destination-address | source-address} mac <macaddr>
<macmask>
» match [not] {dstip | srcip} <ipaddr> <ipmask>
» match [not] {dstl4port | srcl4port} {<portkey> | <0-65535> [<0-65535>]}
» match [not] ip dscp <dscpval>
» match [not] ip precedence <0-7>
» match [not] ip tos <tosbits> <tosmask>
» match [not] protocol {<protocol-name> | <0-255>}
» match [not] vlan <1-4094>
» match [not] any
DiffServ - CLI
» Global Config mode commands:
• [Delete] create a DiffServ policy
» [no] policy-map <policyname> {in | out}
• Rename a DiffServ policy
» policymap rename <policyname> <newpolicyname>
» Successful execution of the policy-map command:
• Changes the mode to Policy-Map Config
• Policy-Map Config commands will apply to the specified policyname
» Interface Config mode command:
• Attach a policy to an interface
» service-policy {in | out} <policymapname>
DiffServ CLI
» Policy-Map Config mode command:
• Create a class definition instance within the policy
• The classname is the name of an existing DiffServ class
» class <classname>
» Successful execution of the class command:
• Changes the mode to Policy-Class-Map Config
• Policy-Class-Map Config commands will apply to the specified classname
DiffServ CLI
» Policy-Class-Map Config mode commands:
• Reserve minimum bandwidth
» bandwidth kbps <1-4294967295>
» bandwidth percent <1-100>
• Reserve maximum bandwidth
» expedite kbps <1-4294967295> [1-128]
» expedite percent <1-100> [1-128]
• Specify that packets are to be marked
» mark cos <0-7>
» mark ip-dscp <dscpval>
» mark ip-precedence <0-7>
• Establish traffic shaping
» shape bps-average <1-4294967295>
» shape bps-peak <1-4294967295> <1-4294967295>
• Change queue depth management from tail drop to RED
» randomdrop <1-250000> <1-500000> <0-100> [<0-1000000> [<0-16>]]
DiffServ CLI
» Policy-Class-Map Config mode commands:
• Establish traffic policing style
» police-simple {<1-4294967295> <1-128> conform-action <parms> [violate-action <parms>]}
» police-single-rate {<1-4294967295> <1-128> <1-128> conform-action <parms> exceed-action <parms> [violate-action <parms>]}
» police-two-rate {<1-4294967295> <1-128> <1-4294967295> <1-128> conform-action <parms> exceed-action <parms> [violate-action <parms>]}
• Where:
» conform-action, exceed-action and violate-action parameters = {drop | set-prec-transmit <0-7> | set-dscp-transmit <0-63> | transmit}
DiffServ – Web admin
DiffServ Class – Web admin
DiffServ Policy – Web admin
DiffServ Policy Class – Web admin
Diffserv Wizard
802.1p priority queue mapping
» 802.1p priority 4-7 -> queue 1 (High)
» 802.1p priority 0-3 -> queue 0 (Normal)
DSCP priority queue mapping
» DSCP 46 -> queue 3 (Highest)
» DSCP 26, 28, 30 -> queue 2 (High)
» DSCP 32, 40, 48, 56 -> queue 1 (Low)
» Everything else -> queue 0 (Lowest)
DiffServ Example
Objective: Setting up a NetGear FSM7326P (PoE) switch to prioritize traffic being sent from a ShoreTel VoIP phone system with a DiffServ tag set (EF).
Step 1: Create the DiffServ Class
Step 2: Add matching criteria to the class
Step 3: Create DiffServ Policy
Step 4: Add DiffServ class to policy
Step 5: Create Policy Class Definition
Step 6: Assign DiffServ Policy to interface
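The six steps of the example, carried out from the CLI with the DiffServ commands listed on the preceding slides; this is an added example, not a configuration from the original deck. The class name voip-ef, the policy name voip-in, the interface identifier 1/0/1, the `configure` command for entering Global Config mode, `exit` for leaving each sub-mode, and the units of the police-simple rate and burst values are assumptions; lines beginning with `!` are annotations, not switch commands.

```text
! Steps 1-2 (Global Config mode): enable DiffServ, create the class,
! and match the EF codepoint (DSCP 46) that the phone system sets
configure
diffserv
class-map match-all voip-ef
match ip dscp 46
exit

! Steps 3-5: create an inbound policy, add the class instance,
! and define what the policy does to matching packets
policy-map voip-in in
class voip-ef
! 802.1p 5 falls in the 4-7 range, i.e. queue 1 (High) on the mapping slide
mark cos 5
! Any host can self-mark EF, so bound the rate the class may claim:
! traffic within the rate is transmitted, the excess is dropped
! (rate and burst units assumed to be kbps and kbytes)
police-simple 10000 64 conform-action transmit violate-action drop
exit
exit

! Step 6 (Interface Config mode): attach the policy to the phone-facing port
interface 1/0/1
service-policy in voip-in
exit
exit

! Verify the class definition and the per-policy statistics
show class-map voip-ef
show service-policy-map in
```

The policer is the part a reviewer should insist on: without it, a single misbehaving or compromised endpoint that marks its traffic EF can starve the high-priority queue.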
Power over Ethernet (FSM7326P)
PoE troubleshooting
» devshell hapiPoeDebugHwDump – must be issued over a serial console connection.
Questions and Answers