AT-8000S general features

Marvell Confidential

General Features

AT-8000S

Agenda

• Speed/duplex auto negotiation

• Flow Control

• Back pressure

• MDI/MDIX

• Storm Control

• Port Security

• Port Mirroring

• Combo Ports

• VCT

Speed/Duplex Auto Negotiation

Auto Negotiation

• The purpose of auto negotiation is to allow a device to advertise modes of operation.

• User can set the speed, duplex mode and flow control advertisement

• Speed-duplex capabilities to be advertised can be any combination of the following: 10h, 10f, 100h, 100f, 1000f

CLI – Auto negotiation

• Use the following interface mode command to allow auto negotiation on a given interface or to advertise link capabilities. Use the no form of this command to disable negotiation:

negotiation {10h} {10f} {100h} {100f} {1000f}
no negotiation

console(config)# interface ethernet 1/e1
console(config-if)# negotiation
console(config-if)# negotiation 10h

CLI – Show advertisement

• Use the following show command to view:

– Device interface advertisement
– Connected link partner advertisement
– Resolution

console# show interfaces advertise ethernet 1/e1
Port: 1/e1
Type: 100M-Copper
Link state: Up
Auto negotiation: Enabled

                                1000f 1000h 100f 100h 10f 10h
                                ..... ..... .... .... ... ...
Admin Local link Advertisement  no    no    no   no   no  yes
Oper Local link Advertisement   no    no    no   no   no  yes
Oper Remote link Advertisement  no    no    yes  yes  yes yes
Priority Resolution             -     -     -    -    -   yes

CLI – Speed and Duplex

• Use the following interface mode command to define the speed of an interface, when auto-negotiation is disabled. Use the no form of this command to return to default:

speed {10|100|1000}
no speed

• Use the following interface mode command to define the duplex mode (full/half) of an interface, when auto-negotiation is disabled. Use the no form of this command to return to default (full duplex):

duplex {half|full}
no duplex

console(config)# interface ethernet 1/e1
console(config-if)# no negotiation
console(config-if)# speed 100
console(config-if)# duplex full

Flow control

Flow Control

• The system supports flow control on all ports including Aggregate Links.

• Default state on all ports is flow control set to OFF.

• The user may enable or disable this feature on a per-port basis.

CLI - Flow Control

• Use the following interface mode command to configure the flow control of a given interface. To restore the default (flow control off), use the no form of this command.

flowcontrol {auto | on | off}
no flowcontrol

– auto: Auto negotiation
– on: Enable
– off: Disable

console(config-if)# flowcontrol auto

Back Pressure

Back Pressure

• The system supports backpressure on all ports (when in half duplex mode).

• The user may enable or disable this feature on a per-port basis.

• Default status on all ports is set to OFF.

CLI - Back Pressure

• Use the following interface mode command to enable the back pressure of a given interface. To disable it, use the no form of this command.

back-pressure
no back-pressure

console(config-if)# back-pressure

MDI/MDIX

MDI/MDIX - Preview

• Normally, Twisted Pair ports must be connected so that the Transmit pair on one end is connected to the Receive pair on the other end, and vice versa.

• Hubs and switches are deliberately wired opposite to the way end stations are wired, so that when a hub or switch is connected to an end station, a "straight through" Ethernet cable can be used, and the pairs will match up properly.

• When two hubs/switches are connected to each other, or two end stations are connected to each other, a "crossover" cable is used to make sure that the correct pairs are connected.

• The standard wiring for end stations is known as MDI (Media Dependent Interface), and the standard wiring for hubs and switches is known as MDIX (Media Dependent Interface with Crossover)

MDI/MDIX

• The device can automatically correct errors in cable selection, and make the distinction between a "straight through" cable and a "crossover" cable irrelevant. This capability is known as Auto Cross.

• Auto MDI/MDIX works only on copper ports.

• Port can be set to either MDI, MDIX or automatic crossover

• Auto-crossover is the default setting for all ports.

• MDI/MDIX setting is separate to that of the speed/Duplex auto-negotiation

CLI - MDI/MDIX

• Use mdix command to enable cable crossover on a given interface. To disable cable crossover, use the no form of this command.

mdix {on | auto}
no mdix

– on: Manual MDIX
– auto: Auto MDI/MDIX
– no: Manual MDI

console(config-if)# mdix auto

Storm Control

Storm Control – broadcast Rate Limiting

• The device can measure the rate of incoming broadcast frames on each port separately, and discard frames when the rate exceeds a user-set desired rate.

• Storm control feature is enabled/disabled separately for each port.

• The desired broadcast rate limit is applied separately to each port.

• Rate is set in Kbits/sec. The default is 100Kbps

• User can define if storm control will be applied only to Broadcast packets or to multicast (and unknown) as well

CLI - Storm Control

• Use the following Interface Configuration Mode command to enable broadcast rate limiting on a certain interface. Use the no form of this command to return to default (rate limiting disabled).

port storm-control broadcast enable
no port storm-control broadcast enable

console(config)# interface ethernet 1/e3
console(config-if)# port storm-control broadcast enable
console(config-if)#

CLI - Storm Control

• Use the following Interface Configuration Mode command to set the maximum rate of broadcast. Use the no form of this command to return to default.

port storm-control broadcast rate rate
no port storm-control broadcast rate

• Use the following Interface Configuration Mode command to count multicast (and unknown unicast) packets in the port storm-control broadcast rate command. Use the no form of the command to disable counting of multicasts.

port storm-control include-multicast [unknown-unicast]
no port storm-control include-multicast

console(config-if)# port storm-control include-multicast unknown-unicast

console(config)# interface ethernet 1/e5
console(config-if)# port storm-control broadcast rate 70000

Show - Storm Control

• Use the following EXEC Mode command to see the storm control configuration on the device.

show ports storm-control

console# show ports storm-control
Port     State    Rate [Kbits/Sec] Included
-------- -------- ---------------- -------------------------------------
1/e1     Disabled 100              Broadcast
1/e2     Disabled 100              Broadcast
1/e3     Enabled  100              Broadcast
1/e4     Disabled 100              Broadcast
1/e5     Enabled  70000            Broadcast, Multicast, Unknown unicast
1/e6     Disabled 100              Broadcast
1/e7     Disabled 100              Broadcast
1/e8     Disabled 100              Broadcast

Port security

Port Security

• A control mechanism which monitors received and learned packets on a port.

• Packets received on a locked port, whose source address was not found in MAC forwarding table (not learned previously dynamically or not entered statically), are treated in one of the following ways, which can be configured per port:

– Forward (frame is forwarded, but its address is not learned)
– Discard
– Discard and disable the port
– Send an SNMP trap (together with one of the previous options)

• When a port becomes a locked port, all the current addresses that were learned dynamically by the switch on that specific port are transformed to a “secure” status. They are kept after reset if running config was copied to startup.

Port Security – Number of MACs

• A port security feature to increase security by limiting access on a specific port to a limited user-defined number of hosts

• A frame with a new Source MAC arriving on port after limit is reached invokes the port lock mechanism

• Addresses learned on port are still subject to aging.

• A port can be defined either with classic port lock or with number of MAC port lock
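An added example (not part of the original slides and not device firmware): a toy Python model of the two lock types described above, showing how the configured action decides the fate of a frame with an unknown source MAC. The class, its method names and the returned strings are assumptions of this sketch; the sample addresses are constructed.

```python
class LockedPort:
    """Toy model of a locked port: classic lock or number-of-MACs lock."""

    def __init__(self, mode="lock", action="discard", max_addresses=1,
                 trap=False, learned=()):
        if mode not in ("lock", "max-addresses"):
            raise ValueError(mode)
        if action not in ("forward", "discard", "discard-shutdown"):
            raise ValueError(action)
        self.mode, self.action, self.trap = mode, action, trap
        self.max_addresses = max_addresses
        # Classic lock: addresses already learned dynamically become "secure".
        self.table = {m: "secure" for m in learned} if mode == "lock" else {}
        self.up = True
        self.traps = []          # source MACs that would trigger an SNMP trap

    def age_out(self, mac):
        """Number-of-MACs lock: learned addresses are still subject to aging."""
        if self.mode == "max-addresses":
            self.table.pop(mac, None)

    def receive(self, src_mac):
        """Return what happens to a frame arriving with this source MAC."""
        if not self.up:
            return "dropped (port down)"
        if src_mac in self.table:
            return "forwarded"
        if self.mode == "max-addresses" and len(self.table) < self.max_addresses:
            self.table[src_mac] = "learned"   # label is this model's own
            return "forwarded"
        # Unknown source on a locked port, or limit reached: apply the action.
        if self.trap:
            self.traps.append(src_mac)
        if self.action == "forward":
            return "forwarded, not learned"
        if self.action == "discard-shutdown":
            self.up = False
            return "discarded, port shut down"
        return "discarded"

    def set_interface_active(self):
        """Models releasing a port that port security disabled."""
        self.up = True

if __name__ == "__main__":
    port = LockedPort(mode="max-addresses", action="discard-shutdown",
                      max_addresses=2, trap=True)
    for mac in ("02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"):
        print(mac, "->", port.receive(mac))
```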

Port security - Configuration

• Port security can be enabled only on ports which have been defined as dot1x multiple hosts.

• Define type of port security:

– Regular lock
– Number of MAC based lock (and the value)

• Define the per-port action to be carried out once intrusion detection has been discovered, as defined above.

• Set the frequency of SNMP traps sent.

• To release a port disabled by port security:

– Either use the exec mode “set interface active” command, or
– Reload (reboot) device

CLI - Port Security

• Use the following interface configuration mode command to allow multiple hosts on a certain interface. The “no” form of commands disables multiple hosts (the default)

dot1x multiple-hosts
no dot1x multiple-hosts

console(config)# interface ethernet 1/e1
console(config-if)# dot1x multiple-hosts

CLI – Basic Port Security

• Use the following interface mode command to lock learning of new addresses on an interface. Use the no form of this command to enable learning of new addresses.

port security [ forward | discard | discard-shutdown ] [trap seconds]

no port security

console(config)# interface ethernet 1/e1
console(config-if)# port security discard-shutdown

CLI – Lock Port Addresses

console# show bridge address-table
Aging time is 300 sec

Vlan     Mac Address           Port   Type
-------- --------------------- ------ ----------
1        00:00:09:00:00:00     1/e1   secure     //locked port addresses
1        00:00:09:00:00:01     1/e1   secure
1        00:00:09:00:00:02     1/e1   secure
1        00:00:09:00:00:03     1/e1   secure
1        00:00:09:00:00:04     1/e1   secure
1        00:00:09:00:00:05     1/e1   secure
1        00:00:09:00:00:06     1/e1   secure
1        00:00:09:00:00:07     1/e1   secure
1        00:00:09:00:00:08     1/e1   secure
1        00:00:09:00:00:09     1/e1   secure
g13      00:00:e2:86:f4:f2     1/e13  dynamic    //regular learned address

CLI – Enabling a Port Shutdown

• Use the following Privileged EXEC mode command to enable a port that was shut down by port security feature:

set interface active {ethernet interface | port-channel port-channel-number}

//sending traffic with new addresses to locked port
console# 01-Jan-2000 02:15:43 %LINK-W-Down: 1/e1
console# sh interfaces status

                                            Flow Link        Back     Mdix
Port     Type         Duplex Speed Neg      ctrl State       Pressure Mode
........ ............ ...... ..... ........ .... ........... ........ .......
1/e1     100M-Copper  --     --    --       --   Down*       --       --
1/e2     100M-Copper  Full   100   Enabled  Off  Up          Disabled On
…
*: The interface was suspended by the system.
console#

CLI – Enabling a Port Shutdown (cont’)

• …Enabling a port that was shut down by port security feature

console# set interface active ethernet 1/e1
console# 01-Jan-2000 01:50:27 %LINK-I-Up: 1/e1

console# show interfaces status

                                            Flow Link        Back     Mdix
Port     Type         Duplex Speed Neg      ctrl State       Pressure Mode
........ ............ ...... ..... ........ .... ........... ........ .......
1/e1     100M-Copper  Full   100   Enabled  Off  Up          Disabled On
1/e2     100M-Copper  Full   100   Enabled  Off  Up          Disabled On
1/e3     100M-Copper  Full   100   Enabled  Off  Up          Disabled On
……

CLI – port security mode

• Use the following Interface Configuration mode command to configure the port security mode.

• To return to the default configuration, use the no form of this command.

port security mode {lock | max-addresses}
no port security mode

console(config-if)# port security mode max-addresses

CLI – port security max

• The following Interface Configuration mode command configures the maximum number of addresses that can be learned on the port while the port is in port security mode.

• To return to the default configuration, use the no form of this command.

port security max max
no port security max

console(config-if)# port security max 23

CLI – port security routed secure-address

• Use the following interface configuration mode command to add a MAC-layer secure address to a routed port:

port security routed secure-address mac-address

Console(config)# interface ethernet 1/e1
Console(config-if)# ip address dhcp
Console(config-if)# port security routed secure-address 66:66:66:66:66:66

CLI – Show Port Security

• Use the following Privileged EXEC mode command to view port security settings:

show ports security [ethernet interface | port-channel port-channel-number]

console# show ports security
Port    Status   Learning      Action            Maximum   Trap     Frequency
------- -------- ------------- ----------------- --------- -------- ---------
1/e1    Disabled Max-addresses -                 23        -        -
1/e2    Disabled Lock          -                 1         -        -

Port Mirroring

Port Mirroring

• One session of traffic monitoring is supported system-wide (tx and rx).

• User can choose whether to mirror only Rx traffic, only Tx frames, or both.

• At ingress - the frames arriving at the target port are copies of the frames passing through the source port at ingress, prior to any in-switch action.

• It is possible to specify up to 8 ports to be monitored by a single target port. However, in these cases, any excess traffic will silently be discarded (and user will not know which).

• Port Mirroring is only relevant to Physical ports. In LAGs, the member ports have to be specified individually as sources.

• It is possible to specify up to 24 source ports to be monitored by a single target port .

• The user may set the monitored traffic to be sent tagged or untagged.

Port Mirroring

• Target ports:

– Cannot be a member of a LAG
– Cannot be a source of a mirror session
– Cannot be a member of a VLAN (except for default VLAN)
– Cannot be GVRP enabled
– Cannot be configured with IP address

• Port monitor is supported across the stack

CLI - Configuring Port Mirroring

• Use the following Interface mode command to define port mirroring (interface mode is that of the target port). Use the “no” form of command to remove monitor session(s):

port monitor src-interface [rx | tx]
no port monitor src-interface

• Use the following EXEC mode command to view port monitor settings:

show ports monitor

CLI - Configuring Port Mirroring

• Use the following Interface Configuration mode command to transmit tagged ingress mirrored packets.

• To transmit untagged ingress mirrored packets, use the no form of this command.

port monitor vlan-tagging
no port monitor vlan-tagging

Combo ports

Combo Ports Overview

• A single logical port that has two physical connections:

a) RJ45 connector
b) SFP port

• Only one of the two physical connections may be used at a time.

• Some port features and port controls available for user are affected by the actual physical connection used.

• The system will automatically detect the media that is in use on a combo port, and will utilize this knowledge in all operations and control interfaces.

Combo Ports

• If both RJ45 and SFP are present (link up in both connections), the SFP will be active, and the RJ45 physical port will be disabled and ignored.

• It is possible to switch from the RJ45 to the SFP (or vice-versa) without a system reboot or reset.

• When the link changes from copper to fiber and vice-versa, or the SFP module is exchanged, the system attempts to configure the new link as the “old” one was. If this configuration fails for any reason, the ports are configured with factory default values.

VCT

Virtual Cable Test

VCT - Functional description

• Virtual Cable Test (VCT) technology provides the mechanism to detect and report potential cabling issues, such as cable open circuit, cable short circuit, etc.

• Cable analysis is available only on copper cables.

• Cable analysis can only be done when the link is down.

• Cable length, on the other hand, can be measured only when the link is up.

• The following parameters are detected:

1) Cable Type/Status
2) Cable length – per cable (50 Meter minimum; 30 meter resolution)
3) Fault–Distance, in case of fault (may deviate 1-2 meters)

• Only short circuits across wires within a pair are reported.

CLI - VCT Configuration

• Use the following EXEC privilege mode command to activate VCT on a certain port:

test copper-port tdr interface

console(config)# interface ethernet 1/e9
console(config-if)# shutdown
01-Jan-2000 01:48:56 %LINK-W-Down: Vlan 1
console(config-if)# 01-Jan-2000 01:48:56 %LINK-W-Down: 1/e9
console(config-if)# exit
console(config)# exit
console# test copper-port tdr 1/e9
..
Cable on port 1/e9 is good
console#

CLI - VCT Show command

• Use the following EXEC privilege mode command to show VCT results:

Show copper-port tdr interface

console# show copper-ports tdr 1/e9

Port        Result      Length [meters]  Date
----------- ----------- ---------------- --------------------------
1/e9        Open cable                   01-Apr-2004 01:57:14

console#
