Basic Commands on Alcatel Omniswitch


8/18/2019 Basic Commands on Alcatel Omniswitch


Basic commands on Alcatel Omniswitch

Introduction

This page is based on the notes I took when managing Alcatel Omniswitch 6600 and 6800 in 2007, and later 6850. The full documentation can be found on the Alcatel-Lucent website.

Managing the configuration files

Alcatel Omniswitches can operate in two modes: working and certified (show running-directory tells you in which mode the switch is). In working mode, the configuration can be modified, while it is not possible in certified mode (well, actually, it is). When booting, if the working and certified configuration files are different, the switch will boot in certified mode. Configuration files are stored in certified/boot.cfg and working/boot.cfg (they can be directly edited with 'vi').

• save running -> working: write memory

• save working -> certified: copy working certified [flash-synchro]; flash-synchro will synchronize the configuration across all slots

• save running even in certified mode: configuration snapshot all, then move this file to working/boot.cfg

• reboot in working mode without rollback: reload working no rollback-timeout

• view running configuration: show configuration snapshot [all|vlan|ip|...] or write terminal

When modifying the configuration, it can be useful to reload the switch in certified mode if a configuration error occurs. It is possible to program the switch to reload a few minutes ahead in case you lose control: reload in n, where n is the number of minutes to wait before reloading. A reload can be canceled with reload cancel. show reload will show you when the switch will reboot.

http://enterprise.alcatel-lucent.com/?dept=UserGuides&page=Portal

Configure VLANs


A layer 2 VLAN is created with vlan enable name vlanname and removed with no vlan. show vlan lists all VLANs, show vlan <vlan number> shows the details of one VLAN. Depending on the microcode version (show microcode), a layer 3 VLAN is created using:

• ip interface interface name vlan address mask

• vlan router interface name vlan address mask

and destroyed with:

• no ip interface interface name

• no vlan router interface name

Port association:

• To associate a port to a specific vlan: vlan port default /

• To list the ports: show vlan port

• To list the ports of a specified vlan: show vlan port

• To show a port: show vlan port /

802.1q:

• To tag a port: vlan 802.1q / [< comment >]

• To remove a tag: vlan no 802.1q /

Interfaces

Global status: show interfaces status

Info about an interface (admin status, MAC, speed, duplex, errors, ...): show interfaces [port|status|/|...]. Summary of interface errors: show interfaces counters errors. To clear counters: interfaces [/port1-port2] no l2 statistics


To change an interface: interface / [speed |duplex|autoneg |flood rate ]. To switch from autonegotiation to 100


• system name < name >

• system contact < contact >

• system location < location >

The default prompt is '->'. session prompt default sw1-> changes it to 'sw1->'. You can get the other session parameters with show session config

When a command outputs too many lines on the screen, it is possible to use 'more' to see it page by page. Use more to activate the mode and more size to set the number of lines shown. Cancel this mode with no more.

To change the timeout of the telnet/ssh sessions: session timeout cli

NTP

Set a server: ntp server. Even if the DNS is configured, you cannot specify a name for the NTP server. Then activate NTP: ntp client enable.

Get NTP info:

• show ntp client: tells if NTP is on or off, when the last update was, ...

• show ntp server-list: get the list of servers and with which server the switch is synchronized

Logs

Show logging conf: show swlog. Get switch logs:

• show log swlog: get all logs

• show log swlog timestamp: only the logs since the specified hour

• empty the logs: swlog clear

Enable syslog with: swlog output socket

STP


STP can operate in two modes: flat and 1x1. In flat mode, there is only one instance for the whole switch, whereas in 1x1 mode there is one instance per VLAN (like pvst on Cisco switches or stp on Juniper ones). I recommend the 1x1 mode if you do not want to go the MSTP way. Change STP mode: bridge mode {flat|1x1}

Get STP conf: show spantree

It is possible to deactivate STP on specified vlans/ports: vlan stp {enable|disable} and bridge / {enable|disable}

Change STP algorithm: bridge protocol {802.1 |stp|rstp}. (In 2007), I did not manage to set rstp for all vlans as a global config, I had to set it vlan per vlan using: bridge 1x1 protocol {802.1 |stp|rstp}.

DNS

• Name servers: ip name-server

• Domain name: ip domain-name

• Activate DNS client: ip domain-lookup

DHCP relay

• ip service udp-relay

• DHCP relay only for specified vlans: ip helper per-vlan only

• DHCP server address: ip helper address vlan

• Enable DHCP relay: ip udp relay BOOTP

Services

Activate/deactivate services: [no] ip service {ftp|ssh|telnet|http|secure-http|udp-relay|snmp|all}. List of activated services: show ip service.


Authentication can be local or done with a RADIUS server. To activate a service, its authentication has to be set: aaa authentication default local, aaa authentication {console|ssh|ftp|802.1x|vlan|...} local

ARP

ARP table: show arp. MAC address table: show mac-address-table. Add a static MAC/IP entry: arp (and no arp to remove it). Clear dynamic arp entries: clear arp-table. To specify when a dynamic entry times out (default: 400 seconds): mac-address-table aging-time [vlan]

SNMP

• read-only {all|ip|interface|...} password

• The only way I found to give the user SNMP capabilities is to use the web interface..., but you can deactivate it with user < username > no snmp

Then configure the snmp server:

• snmp security no security

• Associate the community string with the user you created: snmp community map < community > user < username > on

• To configure the SNMP trap server: snmp station []< user > {v1|v2c|v3} enable

• snmp authentication trap {enable|disable}

• To filter the traps sent by the switch: snmp trap filter
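Taken together, the Services, authentication and SNMP commands above give a defender a short checklist for a switch configuration: no cleartext management services, an aaa authentication entry covering every enabled service, SNMP security left on, and trap stations on v3 only. The following is an added example (not code from the page or from Alcatel) that applies that checklist to the text of a configuration snapshot; the snapshot below is constructed for the example, and the checks are plain matching on the command forms quoted on this page.

```python
"""Audit the text of an AOS configuration snapshot (what `show configuration
snapshot all` or `write terminal` prints) for the management-plane settings
covered in the Services, authentication and SNMP sections.

Added example, not code from the page or from Alcatel. The snapshot is
constructed; the checks match the command forms quoted on the page
(`ip service ...`, `aaa authentication ...`, `snmp security no security`,
`snmp station ... {v1|v2c|v3} enable`, `snmp authentication trap ...`).
"""
import re

# Constructed sample snapshot (not captured from a real switch)
SAMPLE_SNAPSHOT = """\
! Chassis :
system name core-sw1
ip service ftp
ip service telnet
ip service ssh
ip service http
ip service snmp
aaa authentication default local
aaa authentication console local
aaa authentication ssh local
snmp security no security
snmp community map public user monitor on
snmp station 10.0.0.5 monitor v2c enable
snmp authentication trap disable
"""

# Cleartext management protocols; the page shows `no ip service <name>` to turn them off
CLEARTEXT_SERVICES = {"ftp", "telnet", "http"}
# Services that need an aaa authentication entry (the page's ip service list minus udp-relay)
LOGIN_SERVICES = {"ftp", "ssh", "telnet", "http", "secure-http", "snmp"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def audit_snapshot(text):
    """Return a list of (severity, message) findings, most severe first."""
    findings = []
    enabled = set()      # services turned on with `ip service <name>`
    aaa = {}             # aaa authentication <service> -> list of servers
    stations = []        # (host, user, version) from `snmp station ... enable`
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"^ip service (\S+)$", line):
            enabled.add(m.group(1))
        elif m := re.match(r"^aaa authentication (\S+) (.+)$", line):
            aaa[m.group(1)] = m.group(2).split()
        elif line == "snmp security no security":
            findings.append(("high", "SNMP security disabled (snmp security no security)"))
        elif m := re.match(r"^snmp station (\S+) (\S+) (v1|v2c|v3) enable$", line):
            stations.append(m.groups())
        elif line == "snmp authentication trap disable":
            findings.append(("low", "SNMP authentication-failure traps disabled"))
    for svc in sorted(enabled & CLEARTEXT_SERVICES):
        findings.append(("high", f"cleartext management service enabled: ip service {svc}"))
    if "all" in enabled:
        findings.append(("high", "ip service all turns on every management service"))
    # The page notes a service only works once `aaa authentication <service>` or
    # `aaa authentication default` is set; flag login services enabled without either.
    for svc in sorted(enabled & LOGIN_SERVICES):
        if svc not in aaa and "default" not in aaa:
            findings.append(("medium", f"ip service {svc} enabled without aaa authentication"))
    for host, _user, version in stations:
        if version != "v3":
            findings.append(("medium", f"SNMP trap station {host} uses {version} "
                                       "(community string only, no user authentication or encryption)"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])   # stable: keeps discovery order within a level
    return findings


if __name__ == "__main__":
    for severity, message in audit_snapshot(SAMPLE_SNAPSHOT):
        print(f"[{severity}] {message}")
```

Run it against the text saved from show configuration snapshot all; the sample above produces four high findings (SNMP security off, ftp, http and telnet enabled), one medium (a v2c trap station) and one low (authentication traps disabled). The aaa check is deliberately limited to login services, since the page's aaa authentication list covers console, ssh, ftp and the like rather than udp-relay.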

Port mirroring


Port mirroring works 2 ports by 2 ports. It is possible to configure multiple sources for one session and thus see the traffic of multiple ports in one output.

• show port mirroring status

• port mirroring source / destination / enable

• no port mirroring

POE

By default, POE is disabled on all ports. To enable POE on a given port: lanpower start /. To enable it on the whole slot: lanpower start

To stop POE, use the symmetric command lanpower stop {/|}

Show the POE configuration: show lanpower

To limit the power available for a given port: lanpower / power. To limit the power available for a slot: lanpower maxpower

A power of 240W is enough for a full slot equipped with IP phones (note: TBC). It has been noticed that a switch may prove unstable with POE if too many devices are connected and its PSU is not powerful enough.

QOS / ACL

In AOS, ACL and QoS are configured in the same 'qos' section. Apply QoS when modified: qos apply. Disable QoS (useful for troubleshooting): qos disable

By default, QoS is not trusted on access ports and all tags are set to 0. It is trusted on trunked ports. To trust everywhere: qos trust ports. To trust on one given port: qos port / trusted

The rules are a combination of the following elements:

• policy network: define subnets


• policy condition: define conditions (from subnet1 to subnet2, ...)

• policy action: define actions (permit, deny, ...)

• policy rule: apply an action to a condition (if X then Y)

The syntax for the different blocks is the following:

policy network group mask mask ...
policy condition source network group destination network group
policy action disposition
policy rule [disable] precedence condition action

where precedence is the order in which rules are applied.

As an example:

policy network group VoIP 192.168.1.0 mask 255.255.255.0 192.168.11.0 mask 255.255.254.0
policy network group Data 172.16.0.0 mask 255.255.255.0

policy condition VoIP-VoIP source network group VoIP destination network group VoIP
policy condition VoIP-Data source network group VoIP destination network group Data
policy condition Data-Data source network group Data destination network group Data
policy condition Other source ip any destination ip any

policy action Deny disposition deny
policy action Permit

policy rule Allow VoIP-VoIP precedence 200 condition VoIP-VoIP action Permit
policy rule Allow VoIP-Data disable precedence 200 condition VoIP-Data action Permit
policy rule Allow Data-Data precedence 200 condition Data-Data action Permit
policy rule Deny Other precedence 200 condition Other action Deny

qos port 1/2 trusted
qos port 1/3 trusted
qos apply
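The network group / condition / action / rule layering above is easiest to understand by evaluating it against concrete flows, in particular to see what happens to VoIP-to-Data traffic when the rule that permits it is marked disable. The following is an added example (not code from the page or from Alcatel) that parses a policy written in the syntax quoted above and reports the matching rule for a flow. The policy text is a cleaned-up copy of the page's example with two constructed changes so the ordering is visible: rule names are hyphenated and the precedences differ. The evaluation order is an assumption, not something the page states: rules are tried from highest precedence to lowest, disabled rules are skipped, the first matching condition decides, an action without a disposition means accept, and a flow matching no rule is accepted.

```python
"""Work out which QoS/ACL policy rule matches a given flow, using the
network group -> condition -> action -> rule layering described on the page.

Added example, not code from the page or from Alcatel. The policy text is
constructed (hyphenated rule names, distinct precedences). Assumptions:
rules are tried from highest precedence to lowest, disabled rules are skipped,
the first matching condition decides, an action without a disposition means
accept, and a flow matching no rule is accepted.
"""
import ipaddress
import re

# Constructed policy text in the syntax quoted on the page
POLICY_TEXT = """\
policy network group VoIP 192.168.1.0 mask 255.255.255.0 192.168.11.0 mask 255.255.254.0
policy network group Data 172.16.0.0 mask 255.255.255.0
policy condition VoIP-VoIP source network group VoIP destination network group VoIP
policy condition VoIP-Data source network group VoIP destination network group Data
policy condition Data-Data source network group Data destination network group Data
policy condition Other source ip any destination ip any
policy action Deny disposition deny
policy action Permit
policy rule Allow-VoIP-VoIP precedence 300 condition VoIP-VoIP action Permit
policy rule Allow-VoIP-Data disable precedence 200 condition VoIP-Data action Permit
policy rule Allow-Data-Data precedence 200 condition Data-Data action Permit
policy rule Deny-Other precedence 100 condition Other action Deny
"""

RE_GROUP = re.compile(r"^policy network group (\S+) (.+)$")
RE_COND = re.compile(r"^policy condition (\S+) source (?:network group (\S+)|ip any) "
                     r"destination (?:network group (\S+)|ip any)$")
RE_ACTION = re.compile(r"^policy action (\S+)(?: disposition (\S+))?$")
RE_RULE = re.compile(r"^policy rule (\S+)( disable)? precedence (\d+) condition (\S+) action (\S+)$")


def parse_policy(text):
    """Parse the four block types; rules come back sorted by precedence, highest first."""
    groups, conds, actions, rules = {}, {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := RE_GROUP.match(line):
            toks = m.group(2).split()          # "<ip> mask <mask>" triples
            groups[m.group(1)] = [ipaddress.ip_network(f"{toks[i]}/{toks[i + 2]}", strict=False)
                                  for i in range(0, len(toks), 3)]
        elif m := RE_COND.match(line):
            conds[m.group(1)] = (m.group(2), m.group(3))   # None means "ip any"
        elif m := RE_ACTION.match(line):
            actions[m.group(1)] = m.group(2) or "accept"   # assumption: default disposition
        elif m := RE_RULE.match(line):
            rules.append({"name": m.group(1), "enabled": m.group(2) is None,
                          "precedence": int(m.group(3)),
                          "condition": m.group(4), "action": m.group(5)})
    rules.sort(key=lambda r: r["precedence"], reverse=True)   # stable: file order kept on ties
    return groups, conds, actions, rules


def in_group(groups, name, ip):
    """True when ip falls in any subnet of the named group (None = any address)."""
    if name is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in groups[name])


def evaluate(policy, src, dst):
    """Return (rule name, disposition) for a src -> dst flow."""
    groups, conds, actions, rules = policy
    for rule in rules:
        if not rule["enabled"]:
            continue                            # a disabled rule never matches
        src_group, dst_group = conds[rule["condition"]]
        if in_group(groups, src_group, src) and in_group(groups, dst_group, dst):
            return rule["name"], actions[rule["action"]]
    return None, "accept"                       # assumption: no match -> default accept


if __name__ == "__main__":
    policy = parse_policy(POLICY_TEXT)
    for src, dst in [("192.168.1.10", "192.168.11.20"), ("192.168.1.10", "172.16.0.5"),
                     ("172.16.0.5", "172.16.0.9"), ("10.0.0.1", "10.0.0.2")]:
        print(f"{src} -> {dst}: {evaluate(policy, src, dst)}")
```

The second flow is the interesting one: with Allow-VoIP-Data disabled, VoIP to Data traffic falls through to the catch-all Deny-Other rule, which is exactly the behaviour you want to confirm before qos apply on a switch carrying phones.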

RADIUS


aaa radius-server radius_srv1 host key retransmit 3 timeout 2 auth-port 1812 acct-port 1813
aaa radius-server radius_srv2 host key retransmit 3 timeout 2 auth-port 1812 acct-port 1813

! Use the radius for vlan assignment
aaa authentication vlan single-mode radius_srv1 radius_srv2
! use the internal database for authent to the local services
aaa authentication default local
aaa authentication console local
aaa authentication ftp local
aaa authentication snmp local
! 802.1x authentication servers
aaa authentication 802.1x radius_srv1 radius_srv2
! MAC base authentication servers (used for devices that can't do 802.1x like IP-Phones)
aaa authentication mac radius_srv1 radius_srv2

AVLAN

! Authentication portal in the switch. By default, last IP of the subnet.
avlan auth-ip

VLAN definition

vlan 5 enable name VoIP
vlan 10 enable name Data
vlan 10 authentication enable

configuration of interface 1/3

vlan 10 port default 1/3
! enable dynamic vlan assignment
vlan port mobile 1/3
! enable 802.1x
vlan port 1/3 802.1x enable

! 802.1x
! - direction both => control on inbound & outbound traffic
! - port-control auto => port initially in unauthorized state, and put in authorized mode automatically by the switch upon the exchange between the switch and the end station
! - quiet-period 60 => reject the 802.1x authentications during 60s after an authentication failure
! - server-timeout 30 => superseded by the aaa radius-server ... timeout
! - re-authperiod 3600 => 3600s=1h before re-authent is required
! - no reauthentication => disables the reauthent
802.1x 1/3 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication

! length of a captive portal session
802.1x 1/3 captive-portal session-limit 12 retry-count 3


! poll the end device 2 times before stating it is not 802.1x compliant
802.1x 1/3 supp-polling retry 2
! if authentication is successful but returns no VLAN ID (pass), use the default vlan for the supplicant, else (fail) block the port
802.1x 1/3 supplicant policy authentication pass group-mobility default-vlan fail block
! idem for non-supplicant (not 802.1x) devices - authentication by MAC address with a Radius
802.1x 1/3 non-supplicant policy authentication pass group-mobility block fail block
! used by supplicant and non-supplicant when captive-portal is used in the 802.1x supplicant policy or 802.1x non-supplicant policy
802.1x 1/3 captive-portal policy authentication pass default-vlan fail block