Spanning Tree Protocol (STP) prevents undesirable loops in the network while still providing path redundancy:
• Only one active path can exist between two stations
• Loops in the network are detected automatically
• Path costs are calculated and the high-cost (lowest-capacity) links are placed in a backup (blocking) state automatically and deterministically

Rapid Spanning Tree Protocol (RSTP) converges the spanning tree in less than one second:
• Rapid recovery of connectivity following the failure of a bridge, a bridge port, or a LAN
• A new root port can transition rapidly to the Forwarding port state
• Explicit acknowledgements between bridges (the proposal/agreement handshake) allow designated ports to transition rapidly to the Forwarding port state
• Bridge ports attached to a LAN segment at the edge of the bridged LAN can be configured to go directly to the Forwarding state

Edge ports: a port configured as an edge port transitions to the forwarding state immediately after link-up (an end station is expected there, not another bridge, so no loop can form through it).
Root ports: a new root port transitions immediately to the forwarding state, and the old root port is blocked.
Point-to-point links: a port connected to another switch over a point-to-point link becomes a designated port and negotiates a rapid transition with the peer port using the proposal/agreement handshake, which keeps the topology loop-free during the transition.
RST BPDU format (length = 36 bytes)

Field              Size      Value / meaning
Protocol ID        2 octets  0x0000
Version            1 octet   2 (RSTP)
BPDU Type          1 octet   0x02 (RST BPDU)
BPDU Flags         1 octet   bit 0 TC, bit 1 Proposal, bits 2-3 Port Role, bit 4 Learning, bit 5 Forwarding, bit 6 Agreement, bit 7 TCA
Root ID            8 octets  2-byte priority + 6-byte MAC of the root bridge
Cost of Path       4 octets  cost of the path to the root
Bridge ID          8 octets  2-byte priority + 6-byte MAC of the sending bridge
Port ID            2 octets
Message Age        2 octets  0 when sent by the root
Max Age            2 octets  20 seconds
Hello Time         2 octets  2 seconds
Forward Delay      2 octets  15 seconds
Version 1 Length   1 octet
At startup each switch assumes it is the root bridge and sets the Root ID equal to its own Bridge ID in the BPDUs it sends out. The Bridge ID consists of a 2-byte priority and the 6-byte MAC address. The priority range is 0-65535; the default is 32,768 (0x8000). The bridge with the highest priority (the lowest numeric value) becomes the root bridge. If all devices have the same priority, the bridge with the lowest MAC address becomes the root bridge.
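The 36-byte format and the election rule above, as an added example (not code from the slide deck or the switch). It assumes the IEEE 802.1D-2004 field layout, which matches the table; the two switch MACs used in the usage are the ones that appear later in the deck, and the "rogue" MAC is made up for illustration:

```python
"""RST BPDU encode/decode and root-bridge election (added example; not code from
the slide deck or the switch). Assumptions: field layout per IEEE 802.1D-2004
clause 9, matching the 36-byte format above; the bridge MACs used in the usage
are the two switch MACs that appear later in the deck, the rogue MAC is made up.
"""
import struct

BPDU_FMT = "!HBBB8sI8sHHHHHB"   # Protocol ID ... Version 1 Length = 36 bytes
PORT_ROLES = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}
FLAG_TC, FLAG_PROPOSAL, FLAG_LEARNING = 0x01, 0x02, 0x10
FLAG_FORWARDING, FLAG_AGREEMENT, FLAG_TCA = 0x20, 0x40, 0x80


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def bridge_id(priority, mac):
    """2-byte priority followed by the 6-byte MAC. Comparing these 8 bytes as a
    string is exactly the election rule: lowest priority wins, MAC breaks ties."""
    return struct.pack("!H6s", priority, mac_bytes(mac))


def rst_flags(port_role, proposal=False, agreement=False, learning=False,
              forwarding=False, tc=False, tca=False):
    flags = (port_role & 3) << 2
    for on, bit in ((tc, FLAG_TC), (proposal, FLAG_PROPOSAL), (learning, FLAG_LEARNING),
                    (forwarding, FLAG_FORWARDING), (agreement, FLAG_AGREEMENT), (tca, FLAG_TCA)):
        if on:
            flags |= bit
    return flags


def build_rst_bpdu(root_id, root_cost, sender_id, port_id, flags,
                   message_age=0, max_age=20, hello_time=2, forward_delay=15):
    """Timer fields travel in units of 1/256 s; the defaults are the slide's values."""
    return struct.pack(BPDU_FMT, 0x0000, 2, 0x02, flags, root_id, root_cost, sender_id,
                       port_id, message_age * 256, max_age * 256, hello_time * 256,
                       forward_delay * 256, 0)


def parse_rst_bpdu(data):
    if len(data) < struct.calcsize(BPDU_FMT):
        raise ValueError("short BPDU")
    (proto, version, btype, flags, root_id, root_cost, sender_id, port_id,
     msg_age, max_age, hello, fwd, _v1len) = struct.unpack(BPDU_FMT, data[:36])
    if proto != 0 or version != 2 or btype != 0x02:
        raise ValueError("not an RST BPDU")
    return {
        "port_role": PORT_ROLES[(flags >> 2) & 3],
        "proposal": bool(flags & FLAG_PROPOSAL), "agreement": bool(flags & FLAG_AGREEMENT),
        "learning": bool(flags & FLAG_LEARNING), "forwarding": bool(flags & FLAG_FORWARDING),
        "root_priority": struct.unpack("!H", root_id[:2])[0], "root_mac": mac_str(root_id[2:]),
        "root_cost": root_cost,
        "bridge_priority": struct.unpack("!H", sender_id[:2])[0], "bridge_mac": mac_str(sender_id[2:]),
        "port_id": port_id,
        "message_age": msg_age / 256, "max_age": max_age / 256,
        "hello_time": hello / 256, "forward_delay": fwd / 256,
    }


def elect_root(bridge_ids):
    """Every bridge starts by claiming to be root; the lowest Bridge ID wins."""
    return min(bridge_ids)


def priority_vector(bpdu):
    """(Root ID, root path cost, sender Bridge ID, Port ID): a received BPDU is
    superior when this vector is lexicographically smaller (802.1D clause 17.6)."""
    return (bridge_id(bpdu["root_priority"], bpdu["root_mac"]), bpdu["root_cost"],
            bridge_id(bpdu["bridge_priority"], bpdu["bridge_mac"]), bpdu["port_id"])


def is_superior(received, current):
    return priority_vector(received) < priority_vector(current)
```

Because the election is nothing more than a byte-wise minimum, any device on a segment that can inject a BPDU with a lower Bridge ID is elected root; this is the reason edge ports that connect end stations should not take part in the election.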
Root port: the port that offers the lowest-cost path to the root; it is the port that receives BPDUs from the designated port of the upstream segment.
Designated port: the port on the bridge that offers the lowest cost to the root for that LAN segment; the designated port regenerates BPDUs toward the downstream bridges.
Alternate port: a port that is neither a root port nor a designated port is blocked. A blocked port does not forward packets; it receives BPDUs from the designated port but does not forward them.
RSTP provides rapid convergence to a loop-free network with redundant paths. MSTP (Multiple Spanning Tree Protocol) groups VLANs into spanning-tree instances; each instance has its own spanning-tree topology, which provides multiple forwarding paths for data traffic and enables load balancing.
MSTP configuration (the same steps on every switch that is to be in the region):
• Create VLAN 2-5 and configure the uplink port as a tagged (trunk) port for VLAN 2-5
• Switch the spanning-tree mode to MSTP
• Add VLAN 2,3 to MSTP instance 1
• Add VLAN 4,5 to MSTP instance 2
• Configure the MSTP (region) name
Check the MSTP configuration: the configuration name must be identical on all switches that are to run MSTP together (the same MST region), and the VLAN-to-instance mapping must be identical on all of them as well.
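Why the mapping has to match exactly: switches do not exchange the VLAN list, they exchange an HMAC-MD5 digest of it in the MST BPDU, together with the configuration name and revision. The added example below (not the switch's own code) computes that identifier; it assumes the digest key published in IEEE 802.1s/802.1Q, and the region names and mappings in the usage are constructed:

```python
"""MST configuration identifier check (added example; not the switch's own code).
Assumption: the HMAC-MD5 key is the Configuration Digest Signature Key published
in IEEE 802.1s/802.1Q; region names and revisions used here are constructed.
"""
import hashlib
import hmac

MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def vlan_mapping_from_instances(instances):
    """{msti: [vlans]} as typed on the CLI -> {vlan: msti}; a VLAN may only be in one instance."""
    mapping = {}
    for msti, vlans in instances.items():
        for vlan in vlans:
            if vlan in mapping:
                raise ValueError(f"VLAN {vlan} mapped twice")
            mapping[vlan] = msti
    return mapping


def mst_config_digest(vlan_to_msti):
    """HMAC-MD5 over a 4096-entry table of 16-bit MSTI numbers, one per VLAN ID.
    VLANs not listed stay in the CIST (instance 0), so one extra or missing VLAN
    on a single switch changes the digest and splits the region."""
    table = bytearray(4096 * 2)
    for vlan, msti in vlan_to_msti.items():
        if not 1 <= vlan <= 4094 or not 0 <= msti <= 4094:
            raise ValueError(f"bad mapping {vlan} -> {msti}")
        table[2 * vlan:2 * vlan + 2] = msti.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest().upper()


def mst_config_id(name, revision, vlan_to_msti):
    """The three values carried in the MST BPDU; all three must match for two
    switches to consider each other part of the same region."""
    return (name, revision, mst_config_digest(vlan_to_msti))


def same_region(cfg_a, cfg_b):
    return cfg_a == cfg_b


def explain_mismatch(cfg_a, cfg_b):
    labels = ("configuration name", "revision", "VLAN-to-instance digest")
    return [label for label, a, b in zip(labels, cfg_a, cfg_b) if a != b]
```

With no VLAN mapped to any instance the digest is the well-known default value shown by `show spanning-tree mst configuration` on most vendors' switches; the usage below checks that, then reproduces the slide's mapping on two switches and breaks it on a third.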
Ethernet Ring Protection Switching (ERPS) provides the capability to rapidly detect and recover from a node, link or service failure, offering a very high-availability service to the end user.
• Recovery from failures occurs in less than 50 milliseconds
• This meets the most demanding quality and availability requirements for the delivery of mission-critical enterprise applications, high-quality voice and video services, and in general any application with a demanding SLA

ERPS configuration:
• Create ERPS domain name test, id 1
• Configure control VLAN 10
• Assign the switch as RPL owner
• Assign ring port east on port 25
• Configure ring port west on port 25
• Enable ERPS
Port trunking (link aggregation) groups several physical links together as a single logical link to provide greater uplink bandwidth, traffic load balancing and protection against the failure of a single link. Example topology: SW1 (192.168.1.1, MAC 7072CF75BC86) and SW2 (192.168.1.2, MAC 7072CF78A019) are connected by a port trunk toward the Internet; the trunk increases the uplink bandwidth to 8 Gbps full duplex, and a link-down on one member only reduces the available bandwidth instead of cutting the connection.

LACP (Link Aggregation Control Protocol) automatically and dynamically groups physical links of the same media type and speed together.
• Up to 8 links can be grouped into one trunk
• Ports with the same media type, speed and duplex mode are trunked automatically
IEEE 802.1X is a port-based access control and authentication standard. It forces a client connected to a switch port to authenticate against a RADIUS server, such as a Windows Internet Authentication Service (IAS) server, before it is given access to the network. The client must run 802.1X-compliant supplicant software, which is available in operating systems such as Windows XP.
• Ensures that only authorized users can access the network
• Centralized management of usernames and passwords on the RADIUS server
• The customer's VLAN can be assigned to the access switch port automatically by the RADIUS server

Web authentication authenticates end users that do not run an IEEE 802.1X supplicant. When a user opens a web browser, the Web Authentication feature intercepts the HTTP request and redirects it to a login page where the user enters a username and password. After the credentials have been authenticated by the RADIUS server, the user can access the network.
• Simple authentication without a supplicant or client software
• Friendly interface for non-802.1X clients
• No troubleshooting effort for 802.1X client software
• Centralized management is still provided

MAC authentication: devices which are 802.1X-unaware, such as printers, cannot send EAPOL (Extensible Authentication Protocol over LAN) frames to the switch. The switch instead sends the authentication request on their behalf, using the device's MAC address as both username and password, to the RADIUS server, ensuring that only authorized devices can access the network.
• The network administrator can control whether 802.1X-unaware devices are allowed on the network
• Prevents a user from plugging an 802.1X-unaware device into a switch port to get around authentication
• Access rights for 802.1X-unaware devices are also controlled by the centralized RADIUS server for ease of management

Guest VLAN: visitors who do not have access rights to the corporate network still need to access the Internet. Visitors who connect to a switch port and provide incorrect or no credentials are placed in the Guest VLAN automatically, so they can only reach the Internet.
• Automatically isolates visitors in the Guest VLAN so that the corporate network cannot be accessed
• At the same time, gives visitors the convenience of Internet access
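The RADIUS exchange behind the three slides above (MAC as username and password, VLAN assigned by the server, Guest VLAN on failure), as an added example that is neither the switch's nor a RADIUS server's code. It assumes the attribute numbers of RFC 2865/2868 (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802); the shared secret, NAS port, MAC addresses and VLAN numbers are constructed samples:

```python
"""RADIUS exchange for MAC-based authentication with VLAN assignment and guest
VLAN fallback (added example; not the switch's or a RADIUS server's own code).
Assumptions: attribute numbers per RFC 2865/2868 (Tunnel-Type 13 = VLAN,
Tunnel-Medium-Type 6 = IEEE 802); shared secret, NAS port, MACs and VLAN
numbers are constructed samples.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT = 1, 2, 5
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = b"\x00\x00\x00\x0d"    # tag 0 + 3-byte value 13
TUNNEL_MEDIUM_802 = b"\x00\x00\x00\x06"   # tag 0 + 3-byte value 6


def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(data):
    out, i = {}, 0
    while i + 2 <= len(data):
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out[kind] = data[i + 2:i + length]
        i += length
    return out


def encrypt_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the Request
    Authenticator. This is obfuscation, not strong encryption."""
    pw = password.encode()
    pw += b"\0" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], mask))
        out += prev
    return out


def decrypt_password(enc, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(enc), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(enc[i:i + 16], mask))
        prev = enc[i:i + 16]
    return out.rstrip(b"\0").decode(errors="replace")


def build_mab_request(mac, secret, nas_port, ident=1):
    """Switch side: the 802.1X-unaware device's MAC is sent as User-Name and as
    User-Password, as the MAC authentication slide describes."""
    auth = os.urandom(16)
    user = mac.replace(":", "").replace("-", "").lower()
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, encrypt_password(user, secret, auth))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH16s", ACCESS_REQUEST, ident, 20 + len(attrs), auth) + attrs


def server_decide(request, secret, allowed_macs):
    """RADIUS server side: Access-Accept carrying the device's VLAN in the
    tunnel attributes, or Access-Reject; either reply is signed with the secret."""
    code, ident, length, req_auth = struct.unpack("!BBH16s", request[:20])
    attrs = parse_attrs(request[20:length])
    user = attrs[USER_NAME].decode(errors="replace")
    password = decrypt_password(attrs[USER_PASSWORD], secret, req_auth)
    if password == user and user in allowed_macs:
        code, reply = ACCESS_ACCEPT, (
            attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + attr(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
            + attr(TUNNEL_PRIVATE_GROUP_ID, b"\0" + str(allowed_macs[user]).encode()))
    else:
        code, reply = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(reply))
    resp_auth = hashlib.md5(header + req_auth + reply + secret).digest()
    return header + resp_auth + reply


def switch_apply(request, response, secret, guest_vlan):
    """Switch side: first verify the Response Authenticator, so that a reply not
    bound to our request and the shared secret can never assign a VLAN; then
    use the RADIUS VLAN on Accept or fall back to the Guest VLAN on Reject."""
    code, ident, length, resp_auth = struct.unpack("!BBH16s", response[:20])
    reply = response[20:length]
    expected = hashlib.md5(response[:4] + request[4:20] + reply + secret).digest()
    if ident != request[1] or expected != resp_auth:
        raise ValueError("bad Response Authenticator: reply not from our RADIUS server")
    if code != ACCESS_ACCEPT:
        return {"vlan": guest_vlan, "source": "guest-vlan"}
    a = parse_attrs(reply)
    if a.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and a.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802:
        group = a[TUNNEL_PRIVATE_GROUP_ID]
        if group and group[0] <= 0x1F:   # a leading byte <= 0x1F is a tag, not part of the string
            group = group[1:]
        return {"vlan": int(group), "source": "radius"}
    return {"vlan": None, "source": "port-default"}
```

The Response Authenticator check in `switch_apply` is the part that matters for the "only authorized devices" promise: without it, anything that can reach the switch's RADIUS socket could answer an Access-Request with an Accept carrying a VLAN of its choosing.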
Voice VLAN: to provide a Voice over IP service it is recommended to put all voice traffic into separate voice VLAN(s) for ease of management and control.
• VoIP devices are detected automatically by the OUI of their MAC address or by LLDP, and grouped into the Voice VLAN
• Port priority is changed automatically
• Switches detect the IP phone automatically
• Phones are easily associated with a logically separate VLAN used for voice
• A higher CoS value is assigned for guaranteed voice quality
Port security: limits the maximum number of dynamically learned MAC addresses per subscriber interface.
• The maximum MAC count is configurable from 1 to 1024
• MAC addresses dynamically learned by port security are kept as static entries until the switch reboots, so only devices with those MAC addresses can access the network
• Port-security learned MAC addresses can be configured to age out with the MAC address table aging time, so that only a certain number of MACs can access the network at a time; if a subscriber changes device, no operator intervention is needed
• Port security violation actions: trap and shutdown
• MAC notification

Port security action shutdown:
• Check the shutdown action with show interfaces
• Check the port security shutdown event in the log
• Check the port security shutdown action with show interfaces brief
DHCP snooping allows a switch to protect the network from rogue DHCP servers.
• Only a DHCP snooping trusted port, connected to the legitimate DHCP server, can offer IP addresses to DHCP clients
• Rogue DHCP servers connected to untrusted ports can no longer hand out bogus IP addresses and break the network (the switch filters DHCP OFFER, DHCP ACK and DHCP NAK arriving on untrusted ports)
• The IP-to-MAC binding table built by snooping is used by IP Source Guard to stop attackers from changing their IP or MAC to impersonate valid customers
• The mapping table is created automatically, reducing operator expense

DHCP Snooping Option 82 provides a mechanism for assigning IP addresses based on the location of the client device in the network. Information about the client's location is sent along with the request to the server, and the DHCP server decides which IP to assign based on this information. The switch acts as a DHCP relay agent: it intercepts the DHCP request, appends the circuit ID and remote ID in the option 82 field and forwards the request to the DHCP server. Configurable formats:
a) remote-id ip-address [encode hex/ascii]
b) remote-id mac-address [encode hex/ascii]
c) remote-id [WORD]
d) circuit-id vlan ID and Unit/Port
e) circuit-id [WORD]
Option 82 format: Circuit ID (with an extra sub-type) and Remote ID (MAC, hex)

Circuit ID sub-option (example bytes: 01 06 00 04 00 01 01 01)
  Sub-option type   1 byte   01 (Circuit ID)
  Length            1 byte   N (06 in the example: the number of bytes that follow)
  Circuit ID type   1 byte   00
  Length            1 byte   04
  VLAN ID           2 bytes  00 01
  Module            1 byte   01
  Port number       1 byte   01

Remote ID sub-option (example bytes: 02 08 00 06 70 72 cf 75 bc 86)
  Sub-option type   1 byte   02 (Remote ID)
  Length            1 byte   08
  Remote ID type    1 byte   00
  Length            1 byte   06
  MAC address       6 bytes  70 72 cf 75 bc 86
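An encoder and decoder for exactly this option 82 layout, together with the trusted/untrusted port rule from the DHCP snooping slide, as an added example (not the switch's own code). It assumes that circuit-id type 0 carries VLAN/module/port and remote-id type 0 carries the switch MAC, as in the table above; the message-type numbers are the DHCP option 53 codes, and the VLAN/module/port values in the usage are the table's example values:

```python
"""DHCP option 82 encoder/decoder for the format in the table above, plus the
DHCP snooping trusted/untrusted port rule (added example; not the switch's own
code). Assumptions: circuit-id type 0 = VLAN/module/port and remote-id type 0 =
switch MAC as in the table; message types are DHCP option 53 codes (RFC 2132).
"""
import struct

OPTION_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2
SERVER_MSG_TYPES = {2: "DHCPOFFER", 5: "DHCPACK", 6: "DHCPNAK"}   # only a server sends these


def encode_option82(vlan, module, port, switch_mac):
    mac = bytes.fromhex(switch_mac.replace(":", "").replace("-", ""))
    circuit = struct.pack("!BBHBB", 0, 4, vlan, module, port)   # type 00, len 04, VLAN, module, port
    remote = struct.pack("!BB6s", 0, 6, mac)                   # type 00, len 06, MAC
    body = (bytes([SUBOPT_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUBOPT_REMOTE_ID, len(remote)]) + remote)
    return bytes([OPTION_RELAY_AGENT_INFO, len(body)]) + body


def decode_option82(opt):
    """Parse the option back into VLAN/module/port and switch MAC; unknown
    sub-options are kept as raw hex rather than silently dropped."""
    if len(opt) < 2 or opt[0] != OPTION_RELAY_AGENT_INFO or opt[1] != len(opt) - 2:
        raise ValueError("not a well-formed option 82")
    info, i = {}, 2
    while i < len(opt):
        if i + 2 > len(opt):
            raise ValueError("truncated sub-option header")
        sub, ln = opt[i], opt[i + 1]
        val = opt[i + 2:i + 2 + ln]
        if len(val) != ln:
            raise ValueError("truncated sub-option")
        if sub == SUBOPT_CIRCUIT_ID and val[:2] == b"\x00\x04" and ln == 6:
            info["vlan"], info["module"], info["port"] = struct.unpack("!HBB", val[2:])
        elif sub == SUBOPT_REMOTE_ID and val[:2] == b"\x00\x06" and ln == 8:
            info["remote_mac"] = ":".join(f"{b:02x}" for b in val[2:])
        else:
            info.setdefault("unknown", []).append((sub, val.hex()))
        i += 2 + ln
    return info


def snoop(msg_type, port_trusted, vlan, module, port, switch_mac):
    """DHCP snooping decision for one DHCP message: OFFER/ACK/NAK are accepted
    only from the trusted port (anything else is a rogue server); client
    messages get option 82 with the ingress VLAN/module/port appended before
    the relay forwards them. Returns (action, option82_bytes_or_None)."""
    if msg_type in SERVER_MSG_TYPES:
        return ("forward", None) if port_trusted else ("drop", None)
    return "forward", encode_option82(vlan, module, port, switch_mac)
```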
IP Source Guard is a security feature that restricts IP traffic on Layer 2 interfaces by filtering it based on the DHCP snooping binding database or on manually configured IP source bindings.
• Prevents attacks in which a host claims a neighbouring host's IP address
• Stops malicious users from using IP addresses that were not assigned to them
• Stops clients from forging their MAC address
• With MAC address filtering, flooding the switch from a guarded port with made-up source addresses is no longer possible

Dynamic ARP Inspection (DAI) uses the DHCP snooping binding database to verify the validity of received ARP packets.
• Use the access-list arp command to create an ARP ACL; use permit statements to allow valid ARP packets and deny statements to reject invalid ones
• Additional ARP validation of source MAC, destination MAC, and sender/target IP
• ARP inspection is CPU intensive, so the rate of ARP packets sent to the CPU should be limited
• DAI logs the dropped ARP packets; the log includes the receiving VLAN, port number, source IP and source MAC
Figure: man-in-the-middle attack without ARP inspection. The host 192.168.1.112 (20-6a-8a-15-a2-41) sends an ARP request for the gateway 192.168.1.254. The real gateway 192.168.1.254 (00-21-91-18-52-55) is reached through the trust port toward the router, the Internet and the DHCP server; the attacker 192.168.1.12 (00-1c-c4-0d-15-bf) answers with "ARP Reply: 192.168.1.254 is at 00-1c-c4-0d-15-bf", so the host's traffic for the gateway is delivered to the attacker.
Configure ARP inspection:
• Enable ARP inspection globally
• Enable ARP inspection on the required VLAN(s)
• Configure the trust port (ARP packets received on a trust port are not checked)
• Check the ARP inspection configuration
Figure: the same attack with ARP inspection and the DHCP snooping binding table. The host 192.168.1.112 (20-6a-8a-15-a2-41) asks "ARP Request: what MAC is 192.168.1.254?". The legitimate "ARP Reply: 192.168.1.254 is at 00-21-91-18-52-55" arrives on the trust port (router, Internet, DHCP server) and is delivered. The attacker's reply from 192.168.1.12 (00-1c-c4-0d-15-bf) on an untrust port is dropped because 192.168.1.12 is not in the DHCP snooping binding table.

DHCP snooping binding table
  MAC                IP address
  20-6a-8a-15-a2-41  192.168.1.112
  xx-xx-xx-xx-xx-xx  192.168.1.113
  yy-yy-yy-yy-yy-yy  192.168.1.114
  ...
ARP inspection statistics and log: possible reasons for ARP packets being dropped because of DHCP snooping:
• Static IP: the IP was not obtained dynamically from the DHCP server, so there is no entry for it in the DHCP snooping binding table
• The DHCP snooping binding table was cleared, or the entry aged out

ARP inspection supports validation of ARP packets based on destination MAC, IP, or source MAC. IP validation supports allow-zeros, which permits a sender address of 0.0.0.0 (as used by ARP probes).
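The checks described on the IP Source Guard slide and on the ARP inspection slides, applied to the addresses from the two figures, as an added example (not the switch's implementation). The binding table is constructed from the slide's addresses, the port and VLAN numbers are invented, and the validation options mirror the source MAC / destination MAC / IP (allow-zeros) checks listed above:

```python
"""Dynamic ARP inspection and IP Source Guard decisions against a DHCP snooping
binding table (added example; not the switch's implementation). Assumptions:
the binding table is constructed from the slide's addresses; port and VLAN
numbers are invented; the validation options mirror the src-mac / dst-mac /
ip (allow-zeros) checks listed on the slide.
"""
import ipaddress

# DHCP snooping binding table, keyed by (MAC, IP) -> (VLAN, port). Only the host
# 192.168.1.112 obtained its lease via DHCP; the attacker 192.168.1.12 has a static IP.
BINDINGS = {("20-6a-8a-15-a2-41", "192.168.1.112"): (1, 3)}
TRUSTED_PORTS = {25}          # uplink toward the router and the DHCP server
DROP_LOG = []                 # what DAI logs: VLAN, port, source IP, source MAC


def _norm(mac):
    return mac.lower().replace(":", "-")


def _drop(pkt, port, reason):
    DROP_LOG.append({"vlan": pkt["vlan"], "port": port, "src_ip": pkt["sender_ip"],
                     "src_mac": _norm(pkt["sender_mac"]), "reason": reason})
    return False, reason


def bound_on_port(mac, ip, vlan, port, bindings=BINDINGS):
    return bindings.get((_norm(mac), ip)) == (vlan, port)


def _bad_ip(ip):
    a = ipaddress.ip_address(ip)
    return a.is_unspecified or a.is_multicast or str(a) == "255.255.255.255"


def inspect_arp(pkt, port, bindings=BINDINGS, trusted=TRUSTED_PORTS, validate_src_mac=True,
                validate_dst_mac=True, validate_ip=True, allow_zeros=True):
    """pkt: dict with eth_src, eth_dst, opcode (1 request, 2 reply), sender_mac,
    sender_ip, target_mac, target_ip, vlan. Returns (allowed, reason)."""
    if port in trusted:
        return True, "trusted port, not inspected"
    if validate_src_mac and _norm(pkt["eth_src"]) != _norm(pkt["sender_mac"]):
        return _drop(pkt, port, "source MAC mismatch")
    if validate_dst_mac and pkt["opcode"] == 2 and _norm(pkt["eth_dst"]) != _norm(pkt["target_mac"]):
        return _drop(pkt, port, "destination MAC mismatch")
    if pkt["sender_ip"] == "0.0.0.0":      # ARP probe from a host that has no address yet
        return (True, "zero sender IP allowed") if allow_zeros else _drop(pkt, port, "zero sender IP")
    if validate_ip:
        checked = (pkt["sender_ip"], pkt["target_ip"]) if pkt["opcode"] == 2 else (pkt["sender_ip"],)
        for ip in checked:
            if _bad_ip(ip):
                return _drop(pkt, port, f"invalid IP {ip}")
    if not bound_on_port(pkt["sender_mac"], pkt["sender_ip"], pkt["vlan"], port, bindings):
        return _drop(pkt, port, "sender not in DHCP snooping binding table")
    return True, "binding matches"


def ipsg_allows(src_ip, src_mac, vlan, port, bindings=BINDINGS, trusted=TRUSTED_PORTS,
                filter_mac=True):
    """IP Source Guard: on an untrusted port only traffic sourced from the IP
    (and, with MAC filtering, the MAC) bound to that port is forwarded. DHCP
    discovery from 0.0.0.0 must pass or no host could ever obtain a binding."""
    if port in trusted or src_ip == "0.0.0.0":
        return True
    if filter_mac:
        return bound_on_port(src_mac, src_ip, vlan, port, bindings)
    return any(ip == src_ip and where == (vlan, port) for (_mac, ip), where in bindings.items())
```

Note that the binding lookup is what stops the attack in the second figure: the spoofed reply is syntactically perfect, and only the absence of (00-1c-c4-0d-15-bf, 192.168.1.254) from the table, which the attacker cannot add to without obtaining a lease, gets it dropped. The same lookup is why a host with a static address or a cleared table shows up in the drop log.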
Traffic segmentation provides segregation of traffic at Layer 2 for security: hosts in the same broadcast segment are unable to talk to each other and can only reach the ISP network through the uplink.

Traffic segmentation example:
• Create 3 VLANs for Data, VoIP and IPTV users
• Configure the subscriber ports for triple-play service or data service, and the uplink port
• Configure the traffic-segmentation uplink and downlink ports

Traffic segmentation configuration: up to 4 sessions are supported, each with its own uplink and downlink ports. Traffic arriving from the uplink port of a different session can be configured to be blocked or forwarded.
ACL match fields by frame format:
• MAC ACL: fields of the Ethernet header (Preamble, DEST MAC, SRC MAC, Type, DATA, CRC), including the 802.1Q tag (8100, PID/VID) on tagged frames
• IP standard ACL: source IP (SIP) and destination IP (DIP) of the IP header in frames with Type 0800
• IP extended ACL: the IP header fields (TOS / IP precedence / DSCP) together with the TCP/UDP header's Src Port and Dest Port
Layer 2 switches can use IGMP snooping to prevent flooding of multicast traffic by dynamically configuring switch ports so that multicast traffic is forwarded only to those ports associated with IP multicast receivers. IGMP snooping improves network performance on a Layer 2 switch by reducing multicast flooding.

Mrouter port: IGMP snooping only starts to work when there is a multicast router in the network; the port that connects to the multicast router and receives the general query is the mrouter port. The mrouter port can also be configured statically.

Multicast filtering: multicast groups learned dynamically are forwarded toward the mrouter port in order to prevent flooding of unregistered multicast group traffic. Unregistered multicast data can alternatively be configured to be flooded.

Multicast VLAN configuration:
• Configure port 1 in VLAN 10
• Configure uplink ports 25,26 as tagged ports for VLAN 10,20
• Configure SW2 port 24, which connects to the video server, in multicast VLAN 20
• Configure ports 25-26 as tagged ports for VLAN 10,20
Rate limiting data traffic by VLAN: create a class-map that matches data (VLAN 2) traffic and a policy-map that limits the permitted upload data flow to 1 Mbps. Check the class-map and policy-map.
Bandwidth profile: traffic can be classified per service with a different bandwidth profile for each.
• Two rates: Committed Information Rate (CIR) and Excess Information Rate (EIR)
• Three colors: Green, Yellow, Red (discard)
• Two token buckets: the C-bucket holds "green" tokens, filled at the CIR up to the Committed Burst Size; the E-bucket holds "yellow" tokens, filled at the EIR up to the Excess Burst Size. Tokens that overflow the C-bucket spill into the E-bucket; tokens that overflow the E-bucket are discarded

Three colors:
– Green: deliver the service frame with the performance levels of the SLA for the CoS instance
– Yellow: deliver the service frame, but the SLA performance levels for the CoS instance do not apply
– Red: discard

Color mapping example: classify VLAN 2 data traffic and configure trTCM with Committed Information Rate 5 Mbps (Green), Committed Burst Size 20 MB, Excess Information Rate 10 Mbps (Yellow), Excess Burst Size 40 MB; on exceed set DSCP to 3, on violate set DSCP to 6. Check the trTCM configuration.
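The two-bucket marker drawn above, with the C-bucket overflow feeding the E-bucket, as an added example (not the switch's implementation). It assumes the coupled-bucket behaviour of the MEF 10 bandwidth profile algorithm; the frame sizes, timestamps and DSCP values in the usage are constructed, and the slide's own CIR/CBS/EIR/EBS values are wrapped in `slide_profile()`:

```python
"""Two-rate three-color marker (trTCM) with the C-bucket overflowing into the
E-bucket, as drawn on the bandwidth-profile slide (added example; not the
switch's implementation). Assumptions: the coupled-bucket behaviour follows the
MEF 10 bandwidth profile algorithm; frame sizes, timestamps and DSCP values in
the usage are constructed.
"""


class TrTCM:
    def __init__(self, cir_bps, cbs_bytes, eir_bps, ebs_bytes, coupling=True):
        self.cir = cir_bps / 8.0          # fill rates in bytes per second
        self.eir = eir_bps / 8.0
        self.cbs, self.ebs = cbs_bytes, ebs_bytes
        self.coupling = coupling
        self.tc, self.te = cbs_bytes, ebs_bytes   # both buckets start full
        self.last = 0.0

    def _refill(self, now):
        dt = max(0.0, now - self.last)
        self.last = max(self.last, now)
        c_new = self.tc + self.cir * dt
        overflow = max(0.0, c_new - self.cbs)       # green tokens the C-bucket cannot hold
        self.tc = min(c_new, self.cbs)
        e_new = self.te + self.eir * dt + (overflow if self.coupling else 0.0)
        self.te = min(e_new, self.ebs)              # E-bucket overflow is simply lost

    def color(self, length, now):
        """Green if the frame fits in the C-bucket, yellow if it fits in the
        E-bucket, otherwise red. Only the bucket that was used pays tokens."""
        self._refill(now)
        if length <= self.tc:
            self.tc -= length
            return "green"
        if length <= self.te:
            self.te -= length
            return "yellow"
        return "red"


def mark(meter, length, now, dscp_in, exceed_dscp, violate_dscp=None):
    """Colour mapping as on the slide: green keeps its DSCP, yellow (exceed) is
    remarked, red (violate) is discarded unless a violate DSCP is configured.
    Returns (color, dscp, forward)."""
    color = meter.color(length, now)
    if color == "green":
        return color, dscp_in, True
    if color == "yellow":
        return color, exceed_dscp, True
    if violate_dscp is None:
        return color, dscp_in, False
    return color, violate_dscp, True


def meter_trace(meter, frames, dscp_in=0, exceed_dscp=3, violate_dscp=6):
    """frames: [(time_seconds, length_bytes), ...] -> list of colours."""
    return [mark(meter, ln, t, dscp_in, exceed_dscp, violate_dscp)[0] for t, ln in frames]


def slide_profile():
    """The slide's parameters: CIR 5 Mbps / CBS 20 MB, EIR 10 Mbps / EBS 40 MB."""
    return TrTCM(5_000_000, 20_000_000, 10_000_000, 40_000_000)
```

The small buckets in the usage make the coupling visible: with EIR 0 an uncoupled E-bucket never refills, so the second burst after an idle period is red, while the coupled one has absorbed the C-bucket's overflow and marks it yellow.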
Login with accounts on the RADIUS server: the local account (admin/admin) cannot be used to log in to the switch; only accounts defined on the RADIUS server can. In the session below the first attempt, with the local username admin, is rejected, and the RADIUS account root is then accepted with privilege level 15:

User Access Verification
Username: admin
Password:
Username: root
Password:
CLI session with the ECS4510-28F is opened.
To end the CLI session, enter [Exit].
Console#show privilege
Current privilege level is 15
Console#

The other RADIUS accounts log in the same way and receive the privilege level configured on the server (show privilege after login):

Username   Privilege level   Prompt
root       15                Console#
user1      8                 Console>
user2      3                 Console>
user3      0                 Console>
Login with accounts on the TACACS+ server: if the RADIUS server is unreachable, the accounts on the TACACS+ server are used. In the session below the RADIUS account root is rejected, and the TACACS+ account ecroot is then accepted with privilege level 15:

User Access Verification
Username: root
Password:
Username: ecroot
Password:
CLI session with the ECS4510-28F is opened.
To end the CLI session, enter [Exit].
Console#show privilege
Current privilege level is 15
Console#

The other TACACS+ accounts receive the privilege level configured on the server (show privilege after login):

Username   Privilege level   Prompt
ecroot     15                Console#
user11     11                Console>
user22     8                 Console>
other      0                 Console>
Login with local accounts: when both the RADIUS and the TACACS+ server are unavailable, it is still possible to log in with a local account. In the session below the TACACS+ account ecroot is rejected, and the local account admin is then accepted with privilege level 15:

User Access Verification
Username: ecroot
Password:
Username: admin
Password:
CLI session with the ECS4510-28F is opened.
To end the CLI session, enter [Exit].
Console#show privilege
Current privilege level is 15
Console#

The other local accounts (show privilege after login):

Username   Privilege level   Prompt
admin      15                Console#
customer   8                 Console>
guest      0                 Console>
Carrier Ethernet services: Edge-Core introduces Carrier Ethernet service devices for business, wholesale and mobile backhaul. They help service providers shorten deployment times, increase operational efficiency and minimize TCO (total cost of ownership) to ensure profitable service delivery, and give service providers a comprehensive set of tools to provision, monitor and control E-Line, E-Tree and E-LAN services more efficiently. Optimizing network operations and meeting customer service expectations provides substantial cost reductions and revenue gains.

IEEE 802.1ag Connectivity Fault Management (CFM) provides tools for service-level OAM: detecting, isolating and reporting connectivity faults in a provider network.
CFM configuration on SW1:
• Create the CFM domain and assign its level
• Create the maintenance association and map it to the VLAN
• Define the remote MEP IDs for cross-check
• Create Maintenance End Points 12 and 14 on ports 25 and 26

CFM configuration on SW2:
• Create the CFM domain and assign its level on SW2
• Create the maintenance association and map it to the VLAN
• Define the remote MEP IDs for cross-check
• Create Maintenance End Points 21 and 23 on ports 25 and 26

Frame Delay and Frame Delay Variation: ITU-T Y.1731 covers connectivity management and also provides tools to measure performance parameters of a service, such as frame delay and frame delay variation.