Page 1: PRIMERGY 10/40GbE Connection Blade 18/8+2 Function Manualmanuals.ts.fujitsu.com/file/11969/sbax3-fm-en.pdf · 2015-01-29 · Page 6 of 71 2.2 Flow control function In this device,

Page 1 of 71

PRIMERGY

PRIMERGY 10/40GbE Connection Blade 18/8+2 Function Manual

FUJITSU


Page 2 of 71

Chapter 1 Network design concepts ........................ 3
1.1 Layer 2 network design concepts ........................ 3
1.1.1 VLAN ........................ 3
1.1.2 Link aggregation ........................ 4
1.2 Outline of Device Setting ........................ 4
Chapter 2 Outline of functions ........................ 5
2.1 Auto negotiation function ........................ 5
2.2 Flow control function ........................ 6
2.3 Forwarding mode change function ........................ 7
2.4 MAC address learning / MAC forwarding function ........................ 8
2.5 VLAN function ........................ 9
2.6 Link aggregation function ........................ 13
2.6.1 LACP Function ........................ 14
2.7 Back-up port function ........................ 15
2.8 STP Function ........................ 16
2.8.1 STP ........................ 16
2.8.2 RSTP ........................ 19
2.8.3 MSTP ........................ 20
2.9 LLDP function ........................ 21
2.10 MAC filtering function ........................ 22
2.11 QoS function ........................ 25
2.11.1 Priority control function ........................ 25
2.11.2 Priority control function where ACL is used ........................ 28
2.12 IGMP snoop function ........................ 31
2.13 MLD Snoop Function ........................ 33
2.14 EHM Function ........................ 35
2.15 IEEE802.1X Authentication Function ........................ 36
2.16 Guest VLAN function ........................ 41
2.17 Broadcast / Multicast storm control function ........................ 42
2.18 Port mirroring function ........................ 43
2.19 Ether L3 Monitoring Functions ........................ 45
2.20 Output rate control function ........................ 46
2.21 Port block function ........................ 47
2.22 IP route control function ........................ 48
2.22.1 Types of IP route information ........................ 48
2.22.2 Management of IP Route Information ........................ 49
2.22.3 Route Control Function according to the Error Detection of Interface ........................ 49
2.22.4 Static Routing Function ........................ 49
2.23 IPv6 Function ........................ 50
2.24 IP Filtering function ........................ 54
2.25 DSCP Value Rewrite Function ........................ 55
2.26 RADIUS function ........................ 57
2.27 SNMP Function ........................ 59
2.27.1 RMON Function ........................ 60
2.28 SSH server function ........................ 61
2.28.1 SSH client software ........................ 63
2.29 Application Filter Function ........................ 64
2.30 TACACS+ Function ........................ 65
2.31 LDAP Function ........................ 66
2.32 IEEE802.1Q Tunneling Function ........................ 67
2.33 CEE Function ........................ 69
2.34 Edge virtual switch function ........................ 71


Page 3 of 71

Chapter 1 Network design concepts

1.1 Layer 2 network design concepts

1.1.1 VLAN

In a layer 2 network, the destination is determined by MAC address, and a layer 2 network can be divided into logical networks called VLANs. A VLAN can make one logical network from multiple physical networks, or multiple logical networks from one physical network. Each VLAN is managed with a VLAN ID (VID).

VLAN ID
A VLAN is managed by a VLAN ID, a decimal number from 1 to 4094. Communication is possible between ports with the same VLAN ID, but not between ports with different VLAN IDs.

Types of VLAN
There are three types of VLAN.

• Port VLAN
Each Ethernet port is assigned to a VLAN ("which VLAN it belongs to"); the port belongs to the assigned VLAN.

• Tag VLAN
Used when multiple VLANs are carried on 1 physical line. The VLANs are multiplexed on the line by inserting a VLAN header into the Ethernet frame header, using the method standardized in IEEE802.1Q.

• Protocol VLAN
The Ethernet frame header contains a 16-bit field called the frame type, which identifies the upper-layer protocol carried in the frame. For example, traffic of different network protocols such as IP and IPX can be distinguished at the level of the Ethernet frame. Protocol VLAN uses this information, so a different VLAN can be identified for each network protocol. For example, IP traffic is divided into a VLAN per subnetwork and routed, while IPX traffic is configured so that it is treated as 1 network without any divisions.

The setting of each ETHER port can be changed among these three types. In other words, VLAN ID 10 can be set as a port VLAN on ETHER port 1 and as a tag VLAN on ETHER port 2. The data of VLAN 10 is then sent and received by both ETHER port 1 and ETHER port 2: as normal frames without a tag on ETHER port 1, and as frames carrying a tag with VLAN ID 10 on ETHER port 2.

[Figure: two example topologies. Left: a router connected to port VLANs (VID10, VID20, VID30) and a tag VLAN (VID10,20,30). Right: a router connected to a port VLAN (VID10) and a protocol VLAN (FNA VID20, IP VID30).]


Page 4 of 71

1.1.2 Link aggregation

Link aggregation is a technology that bundles multiple physical circuits and treats them as 1 logical circuit. When one physical circuit does not provide enough bandwidth, a wider bandwidth is secured by bundling multiple circuits. Moreover, when one of the physical circuits in the link aggregation cannot communicate, because of a failure or a similar cause, communication continues over the other physical circuits, so the function also provides a redundant configuration.

When two or more VLANs are included, the link aggregation is composed in the same way as 1 physical circuit, with multiple VLANs logically carried on one circuit. STP also treats the link aggregation as one circuit, and port control is executed on the logical circuit of the link aggregation.

1.2 Outline of Device Setting

Relation of network and setting
The information set in this device consists of physical information related to circuit connection, logical information related to network connection, and routing information that defines the conditions for sorting data. In addition, device-specific information and the settings of additional services are configured when required. In this device, the major classification of this setting information is as follows.

•ether definition
A command group defining the physical information related to the connection circuits of this device. Information related to the type and speed of the circuit is defined.

•vlan definition
A command group defining information related to the VLANs of this device. VLAN protocol information and static learning table information are defined.

•lan definition
A command group defining the logical information related to LAN connection in this device. The IP address and network of the LAN are defined. LAN-dependent services such as DHCP are also defined under the corresponding lan definition.

•Other definitions
A command group defining information that depends on the device and information for additional services. Information related to network administration and time information is also defined here.

Definition of Network Interface
The network interface, which acts as the 'exit' at the time of data transmission, has various types according to its characteristics and the connected circuit. The types of network interface are explained below.

•lo
Loopback interface. Used when the device's internal programs transmit to the device itself.

•lan
Ethernet interface. Used for transmission over Ethernet. It is set according to the lan definition. The interface number given to this interface type becomes the network interface name.

Example: lo0, lan0, lan1, …

A lan network interface is set according to the lan definition. The definition number of a lan definition and the interface number of the network interface are in one-to-one correspondence.

Definition of Routing Information
Routing information defines the information necessary to determine the network interface that finally becomes the exit. In this device, routing information is set within the definition of the exit interface. For example, the routing information for output from lan0 is defined in lan0, and the routing information for output from lan1 is defined in lan1, separately.


Page 5 of 71

Chapter 2 Outline of functions

2.1 Auto negotiation function

The auto negotiation function is a protocol between two devices provided by IEEE802.3u; it sets the transmission speed and the communication mode (full duplex/half duplex) automatically according to priority level.

▪ When both sides use auto negotiation (Auto-Nego), the communication mode is set by an algorithm that chooses from the modes both sides can use.

▪ When a fixed configuration is used, normal communication is possible only if both sides use the same communication mode.

Points to be noted

▪ When one side is connected with auto negotiation and the other side is fixed at FULL (full duplex), the communication mode is recognized as HALF (half duplex). In such cases normal communication may not be possible because of the high error rate, so set the communication mode correctly.

▪ When one side or both sides cannot recognize the communication mode mutually by auto negotiation, set the communication mode of both sides to a fixed value.

▪ When one side is improperly fixed at 10M and the other side fixed at 100M, the link is established on only one device, and depending on the communication state the link may be established and cut off repeatedly. In this case, set the communication mode correctly.

▪ There is no auto-negotiation function for link speed on 10G ports.


Page 6 of 71

2.2 Flow control function

In this device, the flow control function is supported by Pause frames based on IEEE802.3x. The operation of each port according to the flow control settings is shown below.

Points to be noted

When flow control is applied, the connected side might not be able to transmit frames to the corresponding port of this device. In this case, frames may be discarded according to the buffer capacity of the connected side, irrespective of the priority set by the priority function of this device. For that reason, disable flow control on networks where voice or image data is used. In addition, the transfer performance of data frames may deteriorate depending on the connected side. Whether a PAUSE frame must be transmitted by flow control is decided according to the remaining capacity of the reception buffer of the input port. Frames transferred to a port whose output queue length is controlled by 'buffermode qos' or 'ratecontrol' are discarded on the output queue side, so they do not accumulate in the reception buffer of the input port. As a result, a 'Pause' frame is not transmitted even though frames are being discarded. To execute flow control reliably, set buffermode to max so that frames are not transferred to a port where ratecontrol is set.

<In case of fixed mode>

*1) Ignored when a Pause frame is received.

Flow control setting          Communication      System operation
Transmission   Reception      mode               Transmission direction                        Reception direction
Off setting    Off setting    Full duplex fixed  Pause frame not transmitted                   Flow control is not executed when Pause frame is received (*1)
On setting     Off setting    Full duplex fixed  Pause frame is transmitted for flow control   Flow control is not executed when Pause frame is received (*1)
Off setting    Off setting    Full duplex fixed  Pause frame not transmitted                   Flow control is executed when Pause frame is received
On setting     Off setting    Full duplex fixed  Pause frame is transmitted for flow control   Flow control is not executed when Pause frame is received (*1)
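The table above separates the transmission setting (may this port send a PAUSE frame when its reception buffer runs low?) from the reception setting (does this port act on a PAUSE frame it receives, or ignore it?). The following Python model is an added example, not code from the manual or from the device firmware: the PAUSE frame layout (destination 01:80:C2:00:00:01, EtherType 0x8808, opcode 0x0001, pause_time in 512-bit-time quanta) is the IEEE 802.3x format, while the PortFlowControl class, its buffer high-watermark threshold and the sample port settings are constructed assumptions for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

PAUSE_DST = bytes.fromhex("0180c2000001")  # IEEE 802.3x MAC control multicast address
MAC_CONTROL_ETHERTYPE = 0x8808
PAUSE_OPCODE = 0x0001
PAUSE_QUANTUM_BITS = 512  # one pause quantum is 512 bit times


def build_pause_frame(src: bytes, quanta: int) -> bytes:
    """Build a PAUSE frame: dst, src, EtherType 0x8808, opcode 0x0001, pause_time, zero padding."""
    body = PAUSE_DST + src + struct.pack("!HHH", MAC_CONTROL_ETHERTYPE, PAUSE_OPCODE, quanta & 0xFFFF)
    return body + b"\x00" * (60 - len(body))  # pad to the 60-byte minimum (FCS excluded)


def parse_pause_frame(frame: bytes) -> Optional[int]:
    """Return pause_time in quanta if the frame is a well-formed PAUSE frame, else None."""
    if len(frame) < 20 or frame[:6] != PAUSE_DST:
        return None
    ethertype, opcode, quanta = struct.unpack("!HHH", frame[12:18])
    if ethertype != MAC_CONTROL_ETHERTYPE or opcode != PAUSE_OPCODE:
        return None
    return quanta


def pause_seconds(quanta: int, link_bps: int) -> float:
    """Length of the requested pause on a link of the given speed."""
    return quanta * PAUSE_QUANTUM_BITS / link_bps


@dataclass
class PortFlowControl:
    tx_setting: bool            # "Transmission" column: may this port send PAUSE frames?
    rx_setting: bool            # "Reception" column: does this port act on received PAUSE frames?
    rx_buffer_size: int
    rx_buffer_used: int = 0
    high_watermark: float = 0.75  # assumed threshold; the manual does not give the device's value

    def pause_to_send(self, src: bytes, quanta: int = 0xFFFF) -> Optional[bytes]:
        """Transmission direction: emit a PAUSE frame only when tx is On and the
        reception buffer's remaining capacity is below the (assumed) threshold."""
        if not self.tx_setting:
            return None
        if self.rx_buffer_used / self.rx_buffer_size < self.high_watermark:
            return None
        return build_pause_frame(src, quanta)

    def handle_received(self, frame: bytes, link_bps: int) -> dict:
        """Reception direction: with rx Off a received PAUSE frame is ignored (*1);
        with rx On transmission on this port is paused for pause_seconds."""
        quanta = parse_pause_frame(frame)
        if quanta is None:
            return {"pause_frame": False, "executed": False, "pause_seconds": 0.0}
        if not self.rx_setting:
            return {"pause_frame": True, "executed": False, "pause_seconds": 0.0}
        return {"pause_frame": True, "executed": True, "pause_seconds": pause_seconds(quanta, link_bps)}


PEER_MAC = bytes.fromhex("66778899aabb")  # constructed peer address
TEN_GBPS = 10_000_000_000


def demo() -> dict:
    tx_only = PortFlowControl(tx_setting=True, rx_setting=False, rx_buffer_size=1000, rx_buffer_used=900)
    both_off = PortFlowControl(tx_setting=False, rx_setting=False, rx_buffer_size=1000, rx_buffer_used=900)
    both_on = PortFlowControl(tx_setting=True, rx_setting=True, rx_buffer_size=1000, rx_buffer_used=100)
    pause = build_pause_frame(PEER_MAC, 0xFFFF)
    return {
        "tx_on_sends": tx_only.pause_to_send(PEER_MAC) is not None,          # True
        "tx_off_sends": both_off.pause_to_send(PEER_MAC) is not None,        # False
        "buffer_not_full_sends": both_on.pause_to_send(PEER_MAC) is not None,  # False
        "rx_off_executed": tx_only.handle_received(pause, TEN_GBPS)["executed"],  # False
        "rx_on_executed": both_on.handle_received(pause, TEN_GBPS)["executed"],   # True
        "max_pause_at_10g": both_on.handle_received(pause, TEN_GBPS)["pause_seconds"],
        "non_pause_frame": tx_only.handle_received(b"\x00" * 60, TEN_GBPS)["pause_frame"],  # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24s} {value}")
```

The last entry shows why the manual warns about voice and image traffic: a single maximum-length PAUSE at 10 Gbps stops the peer for about 3.4 ms, and a port that honours PAUSE frames is at the mercy of whatever sends them.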


Page 7 of 71

2.3 Forwarding mode change function

In this device, cut-through mode or store-and-forward mode can be selected as the switching method.

Cut-through mode
Once the top portion of a packet has been input to this device, the packet is delivered from the transfer destination port. Transfer is executed without waiting for the entire packet to be input, so the delay associated with transfer is minimized.

Store-and-forward mode
The entire packet is input to this device and then delivered from the transfer destination port.

Points to be noted

When cut-through mode is selected, latency is reduced but error packets are relayed. In store-and-forward mode, an error packet is not relayed even if it is input; on the other hand, latency is longer than in cut-through mode because the packet data is accumulated.
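The difference between the two modes comes down to whether the frame check sequence at the end of the frame is ever examined before the forwarding decision. The Python simulation below is an added example, not code from the manual: it builds a constructed Ethernet frame with a CRC-32 FCS, damages one payload bit, and shows that a cut-through decision (taken after the 14-byte header) relays the damaged frame while store-and-forward drops it.

```python
import struct
import zlib

HEADER_LEN = 14  # destination MAC (6) + source MAC (6) + EtherType (2)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet frame with a trailing FCS (CRC-32 over header + payload)."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + struct.pack("<I", zlib.crc32(body))


def fcs_valid(frame: bytes) -> bool:
    """Recompute the CRC-32 over everything before the 4-byte FCS and compare."""
    if len(frame) < HEADER_LEN + 4:
        return False
    (fcs,) = struct.unpack("<I", frame[-4:])
    return fcs == zlib.crc32(frame[:-4])


def cut_through_forwards(frame: bytes) -> bool:
    """Cut-through: the decision is made as soon as the header (destination) is in;
    the FCS at the end of the frame is never examined, so error frames are relayed."""
    return len(frame) >= HEADER_LEN


def store_and_forward_forwards(frame: bytes) -> bool:
    """Store-and-forward: the whole frame is buffered, so the FCS can be checked
    and a frame damaged in transit is dropped instead of relayed."""
    return fcs_valid(frame)


def flip_bit(frame: bytes, offset: int) -> bytes:
    """Simulate a line error by flipping one bit at the given offset (constructed corruption)."""
    damaged = bytearray(frame)
    damaged[offset] ^= 0x01
    return bytes(damaged)


def compare_modes(frame: bytes) -> dict:
    return {
        "cut_through": cut_through_forwards(frame),
        "store_and_forward": store_and_forward_forwards(frame),
    }


# Constructed sample frames: one intact, one damaged in the payload
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
GOOD_FRAME = build_frame(DST, SRC, 0x0800, b"constructed IPv4 payload " * 3)
BAD_FRAME = flip_bit(GOOD_FRAME, 20)

if __name__ == "__main__":
    print("intact frame :", compare_modes(GOOD_FRAME))
    print("damaged frame:", compare_modes(BAD_FRAME))
```

Because a cut-through switch relays frames it never validates, a rising FCS error counter on the downstream port is the place to look for a bad cable or transceiver upstream of the switch.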


Page 8 of 71

2.4 MAC address learning / MAC forwarding function

In this device, the following functions are supported as MAC address learning functions.

MAC address learning basic function
Dynamically learns the source MAC address of received packets and registers it in the FDB (Forwarding Data Base). A registered MAC address is retained until the aging-out time expires. The aging-out time can be changed by a configuration definition command (default is 300 seconds). When a port links down, the FDB entries learned from that port are deleted.

MAC address auto learning stop function
Stops dynamic MAC address learning for the whole device according to the configuration definition.

FDB clear function
Deletes dynamically learned FDB entries. Conditions such as port unit, MAC address unit, etc. can be specified.

Static MAC forwarding function
Frames with a specific destination address can be relayed to the port specified for each VLAN. A unicast address can be specified as the destination address.
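The four functions above describe one table with four ways in which entries enter or leave it: dynamic learning, aging-out (300 seconds by default), deletion on link-down or by an explicit clear, and static entries that are never aged. The following Python class is an added example that is not the device's implementation; the class, method and port names are constructed for illustration, and the sample MAC addresses and timestamps are made up.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DEFAULT_AGING_TIME = 300.0  # seconds; the default stated in the manual


@dataclass
class FdbEntry:
    port: str
    static: bool
    last_seen: float  # time the source MAC was last seen (dynamic entries only)


class Fdb:
    """Forwarding Data Base keyed by (VLAN ID, MAC address)."""

    def __init__(self, aging_time: float = DEFAULT_AGING_TIME, learning_enabled: bool = True):
        self.aging_time = aging_time
        self.learning_enabled = learning_enabled  # False = "auto learning stop"
        self.table: Dict[Tuple[int, str], FdbEntry] = {}

    def learn(self, vlan: int, src_mac: str, in_port: str, now: float) -> bool:
        """MAC address learning basic function: register/refresh the source MAC of a received frame."""
        if not self.learning_enabled:
            return False
        key = (vlan, src_mac.lower())
        existing = self.table.get(key)
        if existing is not None and existing.static:
            return False  # a static forwarding entry is not overwritten by learning
        self.table[key] = FdbEntry(in_port, False, now)
        return True

    def add_static(self, vlan: int, dst_mac: str, port: str) -> None:
        """Static MAC forwarding function: pin a unicast destination to a port per VLAN."""
        if int(dst_mac.split(":")[0], 16) & 0x01:
            raise ValueError("only a unicast address can be specified as the destination")
        self.table[(vlan, dst_mac.lower())] = FdbEntry(port, True, 0.0)

    def age_out(self, now: float) -> int:
        """Remove dynamic entries not refreshed within the aging-out time."""
        expired = [k for k, e in self.table.items()
                   if not e.static and now - e.last_seen >= self.aging_time]
        for k in expired:
            del self.table[k]
        return len(expired)

    def link_down(self, port: str) -> int:
        """When a port links down, dynamic entries learned from it are deleted."""
        return self.clear(port=port)

    def clear(self, port: Optional[str] = None, mac: Optional[str] = None) -> int:
        """FDB clear function: delete dynamic entries, optionally restricted to a port or a MAC."""
        gone = [k for k, e in self.table.items()
                if not e.static
                and (port is None or e.port == port)
                and (mac is None or k[1] == mac.lower())]
        for k in gone:
            del self.table[k]
        return len(gone)

    def lookup(self, vlan: int, dst_mac: str) -> Optional[str]:
        """Return the egress port, or None when the destination is unknown (flood within the VLAN)."""
        entry = self.table.get((vlan, dst_mac.lower()))
        return entry.port if entry else None


def demo() -> dict:
    fdb = Fdb()
    fdb.learn(10, "00:11:22:33:44:55", "ether1", now=0.0)     # constructed hosts
    fdb.learn(10, "66:77:88:99:aa:bb", "ether2", now=100.0)
    fdb.add_static(10, "0c:0c:0c:0c:0c:01", "ether3")
    results = {"lookup_learned": fdb.lookup(10, "00:11:22:33:44:55")}   # "ether1"
    results["lookup_unknown"] = fdb.lookup(10, "de:ad:be:ef:00:01")    # None -> flood
    results["aged"] = fdb.age_out(now=320.0)                            # 1 (entry from t=0)
    results["after_aging"] = fdb.lookup(10, "00:11:22:33:44:55")       # None
    results["linkdown_removed"] = fdb.link_down("ether2")               # 1
    results["static_survives"] = fdb.lookup(10, "0c:0c:0c:0c:0c:01")   # "ether3"
    results["static_not_cleared"] = fdb.clear()                         # 0
    return results


if __name__ == "__main__":
    print(demo())
```

The aging and link-down rules matter for monitoring: a host that falls silent for longer than the aging time reverts to being flooded within its VLAN, so a burst of unknown-unicast flooding after a quiet period is normal, whereas a static entry keeps the destination pinned regardless.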


Page 9 of 71

2.5 VLAN function

The VLAN function divides a physical LAN into multiple virtual LANs and groups them by port, MAC address, protocol, etc.

VLAN in device
VLAN prescribes a communication method that uses a VLAN group identification method called tagging.
Tagging identifies the VLAN to which a frame belongs by attaching a VLAN tag to the frame. The identifier defined is called the VLAN ID. When 1 VLAN is defined, 1 corresponding VLAN ID is assigned. The VLAN function supported by this device is based on IEEE802.1q.
In this device, all ports are initially set to VID=1 as 'no tag' members of VLAN1; the setting of each port can be changed to 'with tag' or 'no tag' for a specific VLAN.

VLAN and network address
When the VLAN function is used, bridging communication is closed within the VLAN. Defining a VLAN therefore restricts the broadcast frames (broadcast domain) at the MAC address level. Furthermore, seen from the network layer, the following 2 things can be done.

• Multiple network addresses are made to correspond to each physical port by using the VLAN tag.

• 1 network address is assigned to multiple physical ports bound together.

[Figure: virtual interfaces VLAN1, VLAN2, VLAN3 on a switching HUB (VLAN supported), with the VLAN1, VLAN2 and VLAN3 segments attached.]


Page 10 of 71

VLAN type

In the VLAN function supported by this device, VLANs can be divided in the following 2 units.

•Port VLAN
Groups in port units. Addresses for all network protocols can be given.

•Protocol VLAN
Groups ports on the basis of specific protocols.
The types of protocol that can be specified by protocol VLAN are as follows.

- IP

- IPv6

Furthermore, a protocol VLAN for an arbitrary protocol can be created by directly specifying the frame type.
Example) IPX (Ethernet II type, EtherType value [0x8137,0x8138] specification)

Relationship between VLAN tag and port

When the VLAN function is used, whether a VLAN tag is attached when a frame is sent to a port in the VLAN is defined in advance. Whether to attach it is determined by whether the node at the end of each port can identify the VLAN tag.
When the VLAN function is used, the segment connected to the end of each port of this device belongs to one of the following 3.

•Access link
The section where only frames without a VLAN tag flow. End nodes that cannot recognize VLAN tags are connected here.

•Trunk link
The section where only frames with a VLAN tag flow. Devices that likewise support the VLAN function with tags are connected by a normal trunk link. End nodes that cannot recognize VLAN tags are not connected.

•Hybrid link
The section where frames with and without a VLAN tag flow. Here multiple VLANs exist, and there are access links or trunk links for the respective VLANs. However, if attention is focused on a specific protocol, there is only 1 VLAN that can be operated as an access link on a hybrid link. For example, when 2 VLANs are operated as access links on 1 hybrid link and attention is focused on the IP protocol, only 1 of them can be recognized.

Points to be noted

• When 2 or more VLANs are operated as access links for a specific protocol, since no VLAN tag is attached to the frames sent by the respective VLANs, the VLAN to which a frame belongs cannot be identified.

• When it is used together with the spanning tree function, bridged frames and routed frames are subject to the restrictions of the spanning tree.

• When protocol VLAN definitions are set such that they exceed the upper limit that can be set in the device, the VLAN IDs specified in the protocol VLAN definitions that exceed the upper limit, and those protocol VLAN definitions, become invalid, and hence all ports belonging to the invalid VLAN IDs cannot be used. The upper limit of protocol VLAN definitions that can be set in the device is 16.


Page 11 of 71

Mixed VLAN on the same port
The combinations of VLAN types that can be used on the same port are shown below.
○: Can be mixed, ×: Cannot be mixed

VLAN type                  Port VLAN(untagged)   Protocol VLAN(untagged)   Tag VLAN(Tagged)
Port VLAN(untagged)        ×                     ○                         ○
Protocol VLAN(untagged)    ○                     ○                         ○
Tag VLAN(Tagged)           ○                     ○                         ○

VLAN judgment at the time of receiving packets

When packets are received by a port set for VLAN, the VLAN to which a received packet belongs is judged in the following sequence.

[Flowchart: Packet receive
1. Is it a tagged packet? Yes: does it match a VID defined on the port? Yes: Tag VLAN. No: Discard.
2. No (untagged): does it match the protocol VLAN definition? Yes: Protocol VLAN.
3. No: is there a port VLAN definition? Yes: Port VLAN.
4. No: is it a BPDU packet? Yes: Default VLAN(※). No: Discard.]

※) In this device, Tag VLAN/Protocol VLAN are defined by configuration definition, and a default VLAN is created in the device for receiving BPDU packets on ports where port VLAN (untagged) is the default.

VLAN tag at the time of sending packets

The handling of the VLAN tag when packets are sent follows the Tagged / Untagged setting of the transmission port. On a Tagged port, packets are sent with a VLAN tag; on an untagged port, they are sent without a VLAN tag.
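The receive-side judgment sequence above, together with the 802.1Q tag insertion described under "Tag VLAN" in 1.1.1 and the send-side Tagged/Untagged rule, can be written down as a small classifier. The following Python is an added example and not the device's code: the 802.1Q frame layout (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VID) and the BPDU recognition rule (bridge group address 01:80:C2:00:00:00, an 802.3 length field, LLC DSAP/SSAP 0x42/0x42) are standard facts, while the PortConfig fields, the sample frames and the port settings are constructed assumptions.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

TPID_8021Q = 0x8100
BPDU_DST = bytes.fromhex("0180c2000000")  # IEEE 802.1D bridge group address


@dataclass
class ParsedFrame:
    dst: bytes
    src: bytes
    tagged: bool
    vid: Optional[int]
    ethertype: int       # EtherType after any 802.1Q tag (or 802.3 length field for LLC frames)
    payload: bytes


def parse(frame: bytes) -> ParsedFrame:
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == TPID_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return ParsedFrame(dst, src, True, tci & 0x0FFF, inner, frame[18:])
    return ParsedFrame(dst, src, False, None, etype, frame[14:])


def is_bpdu(p: ParsedFrame) -> bool:
    return p.dst == BPDU_DST and p.ethertype <= 1500 and p.payload[:2] == b"\x42\x42"


@dataclass
class PortConfig:
    tag_vids: Set[int] = field(default_factory=set)               # Tag VLAN(Tagged)
    protocol_vlans: Dict[int, int] = field(default_factory=dict)  # EtherType -> VID, Protocol VLAN(untagged)
    port_vid: Optional[int] = None                                # Port VLAN(untagged)
    default_vid: int = 1                                          # default VLAN, used here only to receive BPDUs


def classify_ingress(port: PortConfig, frame: bytes) -> Tuple[str, Optional[int]]:
    """Apply the manual's judgment sequence: tag VLAN, protocol VLAN, port VLAN, default VLAN (BPDU only)."""
    p = parse(frame)
    if p.tagged:
        return ("Tag VLAN", p.vid) if p.vid in port.tag_vids else ("Discard", None)
    if p.ethertype in port.protocol_vlans:
        return ("Protocol VLAN", port.protocol_vlans[p.ethertype])
    if port.port_vid is not None:
        return ("Port VLAN", port.port_vid)
    if is_bpdu(p):
        return ("Default VLAN", port.default_vid)
    return ("Discard", None)


def egress(frame: bytes, vid: int, tagged_port: bool) -> bytes:
    """Send side: a Tagged port inserts the 802.1Q tag for vid, an untagged port strips any tag."""
    p = parse(frame)
    rest = struct.pack("!H", p.ethertype) + p.payload
    if tagged_port:
        return p.dst + p.src + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + rest
    return p.dst + p.src + rest


# Constructed sample frames
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
UNTAGGED_IP = DST + SRC + struct.pack("!H", 0x0800) + b"ip payload"
UNTAGGED_ARP = DST + SRC + struct.pack("!H", 0x0806) + b"arp payload"
TAGGED_V20 = DST + SRC + struct.pack("!HH", TPID_8021Q, 20) + struct.pack("!H", 0x0800) + b"ip payload"
TAGGED_V99 = DST + SRC + struct.pack("!HH", TPID_8021Q, 99) + struct.pack("!H", 0x0800) + b"ip payload"
BPDU = BPDU_DST + SRC + struct.pack("!H", 38) + b"\x42\x42\x03" + b"\x00" * 35


def demo() -> dict:
    trunk = PortConfig(tag_vids={10, 20, 30})                     # tag VLAN only, no port VLAN
    mixed = PortConfig(protocol_vlans={0x0800: 30}, port_vid=10)  # protocol VLAN for IP + port VLAN
    return {
        "trunk_tagged_20": classify_ingress(trunk, TAGGED_V20),       # ("Tag VLAN", 20)
        "trunk_tagged_99": classify_ingress(trunk, TAGGED_V99),       # ("Discard", None)
        "trunk_untagged_ip": classify_ingress(trunk, UNTAGGED_IP),    # ("Discard", None)
        "trunk_bpdu": classify_ingress(trunk, BPDU),                  # ("Default VLAN", 1)
        "mixed_untagged_ip": classify_ingress(mixed, UNTAGGED_IP),    # ("Protocol VLAN", 30)
        "mixed_untagged_arp": classify_ingress(mixed, UNTAGGED_ARP),  # ("Port VLAN", 10)
        "tag_inserted_vid": parse(egress(UNTAGGED_IP, 20, tagged_port=True)).vid,  # 20
        "tag_stripped": egress(TAGGED_V20, 20, tagged_port=False) == UNTAGGED_IP,  # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} {value}")
```

Two points follow from the ordering: a tagged frame whose VID is not configured on the port is discarded before any other rule is consulted, and an untagged frame on a port with no protocol or port VLAN definition is accepted only if it is a BPDU, into the default VLAN.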


Page 12 of 71

VLAN trunk function
The VLAN trunk function is used for communication between VLANs, allowing switching when the VLAN tag is assigned and deleted. In order to carry out routing from a port that belongs to multiple VLANs, frames are relayed to other layer 3 switches. On the port, VLAN tagging is used so that the VLAN to which a frame belongs can be recognized; the frame with the VLAN tag is received, routed and relayed by the layer 3 switches.

VLAN between devices
When a VLAN spans devices, setting the VLAN tag on the frame distinguishes the VLAN from which the frame has come. As a result, VLAN A and VLAN B on the two devices can communicate as if they were connected to the same switching HUB. Usually 2 transmission lines are required, but by using the VLAN trunk function this device can connect them with 1 transmission line.


Page 13 of 71

2.6 Link aggregation function

The link aggregation function multiplexes multiple ports and handles them as 1 high speed link (Trunk Group). By using this function, the redundancy of the link is improved, because traffic is distributed to the other ports when 1 multiplexed link (Member port) fails.

Link aggregation is also called multi link ethernet or port trunking.

Configure the member ports in 1~10 ports.

Set all member ports with the same VLAN configuration.

Traffic to a Trunk group is distributed across the member ports according to the IP address and MAC address of the transmitted packet, to balance the load.

The method can be selected from the following.

Distribution of the load based on destination MAC address and source MAC address.

Distribution of the load based on destination MAC address.

Distribution of the load based on source MAC address.

Distribution of the load based on destination IP address and source IP address.

Load balancing based on destination IP address.

Load balancing based on source IP address.

Load balancing based on the reception Ethernet port.

It is possible to specify the minimum member port count with which the trunk group can communicate.

Trunk group communication is stopped until the count of enabled member ports reaches the specified minimum. For example, a member port that has linked down is not counted as an enabled port.

This is used in a redundant configuration where the trunk group must not communicate until the necessary bandwidth is secured.

Further, this function can be used together with LACP.

Points to be noted

• The multiplexed ports are handled as 1 port. This also applies when STP or VLAN functions are used together.

• The STP cost is calculated according to the bandwidth of the member ports and the member count, and that cost value is allocated. It is not possible to change the cost according to degeneration/recovery of member ports.
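The seven distribution methods and the minimum member port count above combine into one selection rule: hash the chosen packet fields over the currently enabled member ports, and refuse to forward at all while fewer members are up than the minimum. The Python model below is an added example, not the device's implementation: the method names are this example's own labels rather than the device's configuration keywords, the CRC-32-modulo hash is an assumption (the manual does not describe the device's hash), and the packet and port names are constructed.

```python
import zlib
from typing import Dict, List, Optional

MAX_MEMBER_PORTS = 10  # the manual: configure the member ports in 1~10 ports

# Load distribution methods listed in the manual, mapped to the packet fields they hash.
# These labels are this example's own, not the device's configuration keywords.
DISTRIBUTION_FIELDS = {
    "dst-src-mac": ("dst_mac", "src_mac"),
    "dst-mac": ("dst_mac",),
    "src-mac": ("src_mac",),
    "dst-src-ip": ("dst_ip", "src_ip"),
    "dst-ip": ("dst_ip",),
    "src-ip": ("src_ip",),
    "in-port": ("in_port",),
}


class TrunkGroup:
    def __init__(self, members: List[str], method: str = "dst-src-mac", min_members: int = 1):
        if not 1 <= len(members) <= MAX_MEMBER_PORTS:
            raise ValueError("a trunk group has 1 to 10 member ports")
        if method not in DISTRIBUTION_FIELDS:
            raise ValueError(f"unknown distribution method {method}")
        if not 1 <= min_members <= len(members):
            raise ValueError("minimum member count must be between 1 and the member count")
        self.members = list(members)
        self.method = method
        self.min_members = min_members
        self.link_up: Dict[str, bool] = {m: True for m in members}

    def set_link(self, port: str, up: bool) -> None:
        self.link_up[port] = up

    def enabled_members(self) -> List[str]:
        """Members that count toward the minimum: a linked-down port is not an enabled port."""
        return [m for m in self.members if self.link_up[m]]

    def can_communicate(self) -> bool:
        return len(self.enabled_members()) >= self.min_members

    def select_member(self, packet: Dict[str, str]) -> Optional[str]:
        """Pick the member port for a packet; None while the group is below its minimum
        member count (communication stopped). Hash = CRC-32 of the selected fields,
        modulo the enabled member count (assumed for illustration)."""
        enabled = self.enabled_members()
        if len(enabled) < self.min_members:
            return None
        key = "|".join(packet[f] for f in DISTRIBUTION_FIELDS[self.method])
        return enabled[zlib.crc32(key.encode()) % len(enabled)]


FLOW = {  # constructed packet
    "dst_mac": "00:11:22:33:44:55", "src_mac": "66:77:88:99:aa:bb",
    "dst_ip": "192.0.2.10", "src_ip": "198.51.100.7", "in_port": "ether9",
}


def demo() -> dict:
    group = TrunkGroup(["ether1", "ether2", "ether3", "ether4"], method="dst-src-ip", min_members=3)
    first = group.select_member(FLOW)
    same_flow = group.select_member(dict(FLOW, in_port="ether10"))  # in_port is not hashed here
    group.set_link("ether2", False)
    with_three_up = group.can_communicate()   # 3 >= 3 -> True
    group.set_link("ether3", False)
    with_two_up = group.can_communicate()     # 2 < 3 -> False
    blocked = group.select_member(FLOW)       # None: bandwidth not secured
    group.set_link("ether3", True)
    recovered = group.select_member(FLOW)     # forwarding resumes on an enabled member
    return {
        "first": first,
        "consistent": first == same_flow,
        "with_three_up": with_three_up,
        "with_two_up": with_two_up,
        "blocked": blocked,
        "recovered": recovered,
    }


if __name__ == "__main__":
    print(demo())
```

Note that after a member fails the modulo changes, so flows may move to a different member; that is the "distributing that traffic to the other port" the manual describes, and it is why the minimum member count exists for designs that must not run degraded.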

[Figure: 10Gbps member links aggregated into a 40Gbps virtual link.]


Page 14 of 71

2.6.1 LACP Function

The LACP function is link aggregation using IEEE802.3 compliant LACP. The maximum feasible link aggregation is continuously provided between systems that have LACP.

Using LACP improves confirmation of the consistency of the link aggregation, confirmation of link consistency, and the accuracy of fault detection.

Merits of introduction

▪ Because consistency with the adjacent equipment is confirmed at the protocol level, for example when there is a mistake such as a wrongly connected port, communication begins only after each destination has been confirmed to be connected to the correct link. Therefore, communication over a wrong connection is not possible.

▪ When no LACP packet is received from the adjacent device within a fixed time, the link is judged to be faulty, so link faults beyond the fault detection range of the device port can be detected.

Points to be noted

▪ LACP must be enabled before connection for link aggregation that uses LACP. A link aggregation other than LACP, where 'static' is specified as the link aggregation mode, cannot be connected.

▪ When 'passive' is specified as the link aggregation operation mode, a link aggregation whose peer is also set to 'passive' cannot be configured before connection. Specify 'active' for either of the two. Both can also be specified as 'active'.

Refer to "2.6 Link aggregation function" for other notes.

[Figure: 10Gbps member links aggregated into a 40Gbps virtual link with LACP.]


Page 15 of 71

2.7 Back-up port function

The back-up port function groups two ports, manages the port on one side as the master port (Priority port) and the port on the other side as the back-up port (Standby port), and decides which side's port is activated. If an error occurs on the active port while running, the port on the other side immediately switches over to become the active port, so the effect of the network error can be kept small. For the state where both ports of the group are linked up, either a mode that always uses the master port on a priority basis, or a mode that uses whichever port linked up first, can be selected. Moreover, a link aggregation can be used as a back-up port.

Points to be noted

▪ With the back-up port function, the active port can be switched over at once when an error occurs, but when various protocols are used, the restoration time of each protocol is required before communication is restored.

▪ When it is used together with link aggregation, if that link aggregation has settings that do not match the back-up configuration, the link aggregation becomes disabled.

▪ If the standby status of the standby port is set to offline, the standby port is linked down, so an abnormality such as a line disconnection cannot be detected on it. The abnormality is detected only after the operation is switched over.


2.8 STP Function

The STP function connects different LANs and relays MAC frames between them.

In this device, the following functions are supported.

2.8.1 STP

This is the IEEE 802.1D Spanning Tree Protocol (STP). The spanning tree is a function which prevents loops when multiple paths are connected. To achieve this, STP leaves only one path as the communication path and logically configures the network into a tree structure.

By using this function, frame loops that would bring the system down are not generated. Moreover, a network that is resilient to failure can be constructed.

STP chooses the root bridge, which is the root of the logical tree structure. Then it decides an STP port mode for each port: root port, designated port or blocking port. The root port and designated port forward packets, whereas the blocking port does not.

STP interfaces have the following states to achieve the above function:

- Blocking: does not forward frames.

- Listening: transitional state. This is the state after blocking when the port is moving towards the forwarding state.

- Learning: transitional state. This is the state after listening.

- Forwarding: forwards frames.


Procedures to decide root port / designated port / blocking port

The procedure to decide the various ports is as follows (START to END in the flowchart).

- Preparation: a bridge priority is assigned to each bridge, and a path cost is determined for each port (it can be set per port; normally select AUTO) (※1).

- Decision of root bridge: the bridge with the minimum bridge priority becomes the root bridge.

- Decision of root port: the root path cost (minimum path cost to the root bridge) is calculated for each port of the bridge and the port with the lowest value is selected (※2). In each bridge other than the root bridge, the port with the minimum root path cost becomes the root port (※3).

- Decision of designated port: among the bridges connected to each segment, the port with the minimum root path cost becomes the designated port (※4).

- Decision of blocking port: a port that is neither a designated port nor a root port becomes a blocking port.

※1) The default cost values when 'AUTO' is selected are as follows.

Transmission speed | Default path cost
10G | 2000
40G | 1200

For a link aggregation, the default path cost becomes 200 in the case of 10G and 120 in the case of 40G.

※2) • The root path cost is the total of the path costs of the ports which receive the configuration BPDU along the route from the root bridge, and the least value is adopted.
• The path cost of the root bridge is 0.

※3) • One root port exists in each bridge.
• When the root path costs are the same, the port with the smaller port identifier is adopted.

※4) • One designated port exists in each segment.
• When 2 or more ports have the least value, the port of the bridge with the lowest bridge priority is adopted.
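The election procedure above, carried out in code on a small constructed topology (this is an added example, not code from the PRIMERGY manual or the device firmware; using the bridge name to break a bridge priority tie, in place of the MAC address part of the bridge identifier, is an assumption of the model):

```python
"""STP role election as described in 2.8.1, modelled in Python.

Added example, not code from the PRIMERGY manual or the device firmware.
It follows the manual's election order: root bridge by minimum bridge
priority, root path cost accumulated over the ports that receive the
configuration BPDU (※2), one root port per non-root bridge with the smaller
port identifier winning a tie (※3), one designated port per segment with the
bridge priority as tie-break (※4), everything else blocking. Path costs are
the manual's defaults for AUTO (※1). The topology below is constructed.
"""
import heapq
from dataclasses import dataclass

# Default path cost when 'AUTO' is selected (※1); the second key says whether
# the port is part of a link aggregation, which uses the reduced cost.
DEFAULT_PATH_COST = {
    ("10G", False): 2000, ("40G", False): 1200,
    ("10G", True): 200, ("40G", True): 120,
}


@dataclass(frozen=True)
class Port:
    bridge: str       # owning bridge
    port_id: int      # STP port identifier; the smaller value wins a tie (※3)
    segment: str      # LAN segment the port is attached to
    speed: str = "10G"
    lag: bool = False

    @property
    def path_cost(self) -> int:
        return DEFAULT_PATH_COST[(self.speed, self.lag)]


def elect_roles(priorities: dict, ports: list) -> dict:
    """Return {(bridge, port_id): 'root' | 'designated' | 'blocking'}.

    priorities maps bridge name -> STP bridge priority. The bridge name stands
    in for the MAC address part of the bridge identifier and breaks priority
    ties (an assumption of this model; the manual only says 'minimum value').
    """
    # Decision of root bridge: minimum bridge priority.
    root = min(priorities, key=lambda b: (priorities[b], b))

    by_segment, by_bridge = {}, {}
    for p in ports:
        by_segment.setdefault(p.segment, []).append(p)
        by_bridge.setdefault(p.bridge, []).append(p)

    # Root path cost of every bridge (※2): the root bridge costs 0; each hop
    # adds the path cost of the port that receives the BPDU; least total wins.
    cost = {root: 0}
    heap = [(0, root)]
    while heap:
        c, b = heapq.heappop(heap)
        if c > cost[b]:
            continue
        for out in by_bridge.get(b, []):          # BPDU leaves bridge b here ...
            for recv in by_segment[out.segment]:  # ... and is received on each peer port
                if recv.bridge == b:
                    continue
                cand = c + recv.path_cost
                if cand < cost.get(recv.bridge, float("inf")):
                    cost[recv.bridge] = cand
                    heapq.heappush(heap, (cand, recv.bridge))

    roles, designated_bridge = {}, {}
    inf = float("inf")

    # Decision of designated port (※4): one per segment, on the attached bridge
    # with the least root path cost; equal costs go to the lower bridge priority.
    for seg, seg_ports in by_segment.items():
        best = min(seg_ports, key=lambda p: (cost.get(p.bridge, inf), priorities[p.bridge],
                                             p.bridge, p.port_id))
        designated_bridge[seg] = best.bridge
        roles[(best.bridge, best.port_id)] = "designated"

    # Decision of root port (※3): one per non-root bridge, the port with the
    # least root path cost towards the root; smaller port identifier on a tie.
    for b, b_ports in by_bridge.items():
        if b == root:
            continue
        uplinks = [p for p in b_ports if designated_bridge[p.segment] != b]
        rp = min(uplinks, key=lambda p: (cost.get(designated_bridge[p.segment], inf)
                                        + p.path_cost, p.port_id))
        roles[(rp.bridge, rp.port_id)] = "root"

    # Decision of blocking port: whatever is neither root nor designated.
    for p in ports:
        roles.setdefault((p.bridge, p.port_id), "blocking")
    return roles


def example_topology():
    """Constructed sample: A is the intended root; A-B is a 10G link aggregation."""
    priorities = {"A": 4096, "B": 8192, "C": 8192, "D": 16384}
    ports = [
        Port("A", 1, "s1", "10G", lag=True), Port("B", 1, "s1", "10G", lag=True),
        Port("A", 2, "s2"), Port("C", 1, "s2"),
        Port("B", 2, "s3"), Port("D", 1, "s3"),
        Port("C", 2, "s4"), Port("D", 2, "s4"),
    ]
    return priorities, ports


if __name__ == "__main__":
    pri, prt = example_topology()
    for (bridge, pid), role in sorted(elect_roles(pri, prt).items()):
        print(f"bridge {bridge} port {pid}: {role}")
```

In the sample, bridge D reaches the root through B (cost 200 + 2000) rather than through C (2000 + 2000), so D port 2 ends up blocking.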


Network settings using spanning tree function

Parameters in spanning tree

In spanning tree, several parameters are set in the bridge in order to implement the designed tree structure and tree performance. The tree structure and tree performance are determined according to these parameters.

<Parameters that determine the tree structure>

The tree structure is determined by the following parameters.

Parameter | Setting target | Remarks
Bridge priority (STP bridge priority) | Every bridge | Set for every bridge; the bridge with the minimum value is used as the priority route. The minimum value in the system is set on the bridge which is to be the root bridge.
Port identifier (STP port identifier) | Every port | When the judgment cannot be made by root path cost and bridge identifier, the port with the superior port identifier becomes the designated port. Since the MAC address is included in the bridge identifier, the designated port is in practice not determined by the port identifier.
Path cost (STP port path cost) | Every port | Determines the root port (route to the upper bridge). The designated port (designated bridge) is determined by path cost and bridge priority. The route with the minimum value set on each port of the bridge is selected. A high cost is set on the route with the slower transmission speed so that it is used as the backup. It is recommended to use the default value (1000 ÷ transmission speed in Mbps) for the path cost.

<Parameters that determine the tree performance>

The tree performance (root change time during failure, etc.) is determined by the following parameters.

Parameter | Setting target | Remarks
Hello time (STP bridge hello time) | Every bridge | The sending interval of configuration BPDUs, by which the root bridge confirms the tree structure. Recommended time is 2 seconds.
Maximum age (STP bridge max age) | Every bridge | Timer value after which restructuring of the tree starts because configuration BPDUs are no longer delivered. It depends on the delay until a configuration BPDU reaches the bridge at the end of the tree, but the recommended time is 20 seconds. So that restructuring happens at the same timing, the bridges in the same network are set with the same parameter.
Forward delay (STP bridge forward delay) | Every bridge | Waiting period in the intermediate states until the blocking state changes to the forwarding state. If this time is short, synchronization of the entire tree structure is not achieved in the listening state, and in the learning state the learning of MAC addresses is inadequate, so frames may be flooded to all ports or the network may fall into a loop state. If the time is long, the time required to restructure the tree becomes longer. Recommended time is 15 seconds.

<Other parameters>

Parameter | Setting target | Remarks
STP domain separation (STP domain separation) | Every port | Sets whether the STP domain is separated at each port of the bridge. If the STP domain is separated, transmission of configuration BPDUs from that port is stopped. A port set to separate the STP domain does not take part in the STP tree; however, frames other than configuration BPDUs are forwarded. ON: STP domain is not separated. OFF: set by separating the STP domain.


2.8.2 RSTP

A problem of STP is that communication may be disconnected for up to 50 seconds. The protocol developed to overcome this problem is RSTP (Rapid Spanning Tree Protocol). When RSTP is used, the spanning tree is recalculated within about 1 second, so a changeover at the level of an instantaneous interruption becomes possible. Moreover, RSTP is standardized as IEEE 802.1w and is compatible with conventional STP (IEEE 802.1D); therefore a mixed environment with STP operates without trouble.

Role of port in RSTP

The role of each port in STP is as follows.

• Designated port

• Root port

• Blocking port

In RSTP, the designated port and the root port have the same role as in STP. The blocking port is divided into the following 2 roles.

• Alternate port
A port which provides an alternate path. It is the port with the next lowest cost after the root port, and becomes the port with the alternate path to the root bridge.

• Backup port
A port which provides an alternate path to the segment served by a designated port. When there are 2 or more connections to the same segment on 1 switch, it is provided as the alternate path.

Alternate ports and backup ports change to the normal blocking status.

State of port in RSTP

In STP, there are four port states: the blocking state, the listening state, the learning state and the forwarding state. MAC frames are forwarded neither in the blocking state nor in the listening state. The only difference between the two is that BPDU transmission is not executed in the blocking state but is executed in the listening state.

In RSTP, the blocking state and the listening state are combined into the discarding state.


2.8.3 MSTP

Depending on the VLAN configuration, there may be no loop even though the physical network looks as if it contains one. In that case STP still judges it as a loop network, but MSTP does not, because it can handle the network per VLAN. Therefore MSTP can forward network data more efficiently than STP.

For example, take 4 switches called Bridge A, Bridge B, Bridge C and Bridge D, connected as in the diagram below. Using MSTP, frames of VLAN 100 and VLAN 200 can be forwarded along Bridge D – Bridge B – Bridge A, and frames of VLAN 300 along Bridge D – Bridge C – Bridge A. STP cannot be used for such behavior.


2.9 LLDP function

LLDP (Link Layer Discovery Protocol) is a neighbor discovery protocol which aims at understanding the adjacent device and confirming the connection state, etc., by advertising information about the device itself. LLDP information is delivered only to devices connected to the same physical LAN; it is not delivered across a router.

The LLDP function of this device is based on IEEE 802.1AB and provides the following functions.

∙ Device information is transmitted by LLDP

∙ Adjacent device information received by LLDP is retained

∙ Information related to LLDP is managed as a MIB, and the MIB can be acquired by the SNMP function

∙ Updates of adjacent device information are notified by SNMP trap

∙ LLDP setting information, device information, adjacent device information and statistical information are displayed

The following information is included in the LLDP information transmitted from this device. The device can be instructed not to transmit the optional information. Do not transmit unnecessary optional information, since information above 1500 bytes cannot be transmitted. Note especially that if the information exceeds 1500 bytes while the CEE function is used, the information necessary for CEE operation will not be transmitted. The content actually transmitted can be checked by command or on the Web screen.

∙ Device identification information (representative MAC address) (essential)

∙ Physical port identification information (ifIndex MIB) (essential)

∙ Retention time information (TTL) (essential)

∙ Physical port explanatory information (ifDescr MIB) (option)

∙ Device name information (sysName MIB) (option)

∙ Device explanatory information (sysDescr MIB) (option)

∙ Device major function information (switch/router) (option)

∙ Physical port management address information (MAC/IPv4/IPv6) (option)

∙ Port VLAN ID information (option)

∙ Protocol VLAN ID information (option)

∙ VLAN name information (option)

∙ Protocol VLAN type information (option)

∙ Physical port setting information (option)

∙ Physical port power supply information (option)

∙ Link aggregation information (option)

∙ Maximum frame size information (option)

The LLDP information received from the adjacent device is retained until the retention time (TTL) included in the LLDP information passes. The retained information can be checked by command or on the Web screen.

The maximum number of adjacent device entries which can be retained in this device is shown below. Information which cannot be retained because the maximum retention count is exceeded is discarded, and the discarded information is counted in the statistical data.

Condition | Retention count
Maximum retention count in the entire device | 510
Minimum guaranteed retention count in 1 port | 1
Shared retention count in the entire device | 476
Maximum retention count in 1 port (*) | 477

(*) When all the shared entries are retained by 1 port (only 1 can be retained in each of the other ports)


2.10 MAC filtering function

With the MAC filtering function, the security of the network is improved and the load on the network can be reduced by controlling the packets which pass through this device according to combinations of MAC address, packet format, VLAN ID, CoS value, IP address, port number, etc.

The MAC filtering process is carried out when a packet passing through this device matches an "acl mac" definition, "acl vlan" definition, "acl ip" definition, "acl ip6" definition, "acl tcp" definition, "acl udp" definition or "acl icmp" definition in an ACL.

Conditions of MAC filter

The flow of packet data can be controlled by specifying the following conditions.

▪ Packet input port
The input ETHER port whose packets are the target of the filtering process.

▪ Operation
The operation (block or transmit) applied when a packet which is the target of the filtering process is input to the input ETHER port.

▪ ACL number
The ACL number by which the packet pattern which is the condition of the MAC filter is defined.

Scope of MAC filtering function

In the MAC filtering function, the filter for a packet pattern specified in an ACL can be applied in the following units.

• ETHER port
Set by the ether command. The filter process is executed for input packets on that ETHER port which match the specified ACL packet pattern.

• VLAN
Set by the vlan command. The filter process is executed for input packets which match the specified ACL packet pattern on the ETHER ports belonging to the VLAN. It is used to apply the filter to all ETHER ports in the same VLAN.

Upper limit which can be set in device

The upper limits which can be set in the device are shown below.

▪ Upper limit by number of set commands:
- When the CEE function is used, 62 entries
- When the CEE function is not used, 64 entries

Settings are possible up to this upper limit, counted together across the "macfilter", "vlan macfilter", "lan ip filter", "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6filter", "vlan ip6filter", "lan ip6 filter", "ip6qos aclmap", "vlan ip6qos aclmap" and "lan ip6 dscp" commands.

The priority levels are as follows.
- The priority order between commands is "macfilter", "vlan macfilter", "lan ip filter", "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6filter", "vlan ip6filter", "lan ip6 filter", "ip6qos aclmap", "vlan ip6qos aclmap", "lan ip6 dscp".
- Between ether ports, the smaller ether port number has the higher priority.
- Between VLANs, the smaller VLAN ID has the higher priority.

▪ Upper limit by number of masks:
- When the CEE function is used, 62 masks
- When the CEE function is not used, 64 masks

Settings are possible up to this upper limit, counted together across the "macfilter", "vlan macfilter", "lan ip filter", "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6filter", "vlan ip6filter", "lan ip6 filter", "ip6qos aclmap", "vlan ip6qos aclmap", "lan ip6 dscp" and "vlan protocol" commands.

The priority levels are as follows.
- The priority order between commands is "vlan protocol", "macfilter", "vlan macfilter", "lan ip filter", "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6filter", "vlan ip6filter", "lan ip6 filter", "ip6qos aclmap", "vlan ip6qos aclmap", "lan ip6 dscp".
- Between ether ports, the smaller ether port number has the higher priority.
- Between VLANs, the smaller VLAN ID has the higher priority.

The number of masks which the "macfilter", "vlan macfilter", "lan ip filter", "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6filter", "vlan ip6filter", "lan ip6 filter", "ip6qos aclmap", "vlan ip6qos aclmap" and "lan ip6 dscp" commands consume is as follows, depending on the applied ACL. When multiple ACLs are applied, it is the sum total of each, and the total for each combination is as follows.

Condition of applied acl | Number of masks
In case of acl mac definition | 1
In case of acl vlan definition | 1
In case of acl ip definition:
  srcIP address not specified, tos value/dscp value not specified | 1
  srcIP address not specified, tos value/dscp value specified | 3
  srcIP address specified, dstIP address not specified | 1
  srcIP and dstIP address specified, mask values of srcIP and dstIP the same, tos value/dscp value not specified | 1
  srcIP and dstIP address specified, mask values of srcIP and dstIP the same, tos value/dscp value specified | 3
  srcIP and dstIP address specified, mask values of srcIP and dstIP different | 3
In case of acl ip6 definition:
  srcIP address not specified, tc value/dscp value not specified | 1
  srcIP address not specified, tc value/dscp value specified | 3
  srcIP address specified, dstIP address not specified | 3
  srcIP and dstIP address specified, tc value/dscp value not specified | 3
  srcIP and dstIP address specified, tc value/dscp value specified | 5

The number of masks which the "vlan protocol" command consumes is as follows.

Condition of applied acl | Number of masks
In case of protocol VLAN definition:
  When vlan protocol ipv4 is specified | 3
  When vlan protocol ipv6 is specified | 1
  When vlan protocol <count> ether is specified | 1

▪ Upper limit by number of actions:
- When the CEE function is used, 15 actions
- When the CEE function is not used, 16 actions

Settings are possible up to this upper limit, counted together across the "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6qos aclmap", "vlan ip6qos aclmap", "lan ip6 dscp" and "vlan protocol" commands.

The priority levels are as follows.
- The priority order between commands is "vlan protocol", "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6qos aclmap", "vlan ip6qos aclmap", "lan ip6 dscp".
- Between ether ports, the smaller ether port number has the higher priority.
- Between VLANs, the smaller VLAN ID has the higher priority.

When the following commands are set, 1 action is consumed; only 1 action is consumed in total, irrespective of the number of command specifications.
- vlan <vid> protocol ipv4
- vlan <vid> protocol ipv6

When the following commands are set, 1 action is consumed. When <tos_value>, <dscp_value> and <queue_value> are the same, only 1 action is consumed irrespective of the number of command specifications.
- interface Config mode:
  - qos aclmap <count> tos <tos_value> <acl>
  - qos aclmap <count> dscp <dscp_value> <acl>
  - qos aclmap <count> queue <queue_value> <acl>
  - ip6qos aclmap <count> dscp <dscp_value> <acl>
  - ip6qos aclmap <count> queue <queue_value> <acl>
- vlan <vid> qos aclmap <count> tos <tos_value> <acl>
- vlan <vid> qos aclmap <count> dscp <dscp_value> <acl>
- vlan <vid> qos aclmap <count> queue <queue_value> <acl>
- vlan <vid> ip6qos aclmap <count> dscp <dscp_value> <acl>
- vlan <vid> ip6qos aclmap <count> queue <queue_value> <acl>
- lan <number> ip dscp <count> acl <acl_count> <dscp_value>
- lan <number> ip6 dscp <count> acl <acl_count> <dscp_value>

When chengeQueue is set by the following commands, 1 action is consumed.
- interface Config mode:
  - qos aclmap <count> tos <tos_value> <acl> [ chengeQueue ]
  - qos aclmap <count> dscp <dscp_value> <acl> [ chengeQueue ]
  - ip6qos aclmap <count> dscp <dscp_value> <acl> [ chengeQueue ]
- vlan <vid> qos aclmap <count> tos <tos_value> <acl> [ chengeQueue ]
- vlan <vid> qos aclmap <count> dscp <dscp_value> <acl> [ chengeQueue ]
- vlan <vid> ip6qos aclmap <count> dscp <dscp_value> <acl> [ chengeQueue ]

When the following command is set, 1 action is consumed. When <vid> is the same, only 1 action is consumed irrespective of the number of command specifications.
- vlan <vid> protocol <count> ether

Points to be noted

When it is used simultaneously with the protocol VLAN function, the MAC filter function is disabled for frames recognized as protocol VLAN frames. Refer to the "vlan protocol" command item for which frames are recognized as protocol VLAN.


2.11 QoS function

The QoS function secures the quality of communication by priority control and by rewriting priority control information.

In the priority control function of this device there is a function in which ACL is not used and a function in which ACL is used. The basic priority control function in which ACL is not used is explained first.

2.11.1 Priority control function

The priority control function queues packets and outputs them according to the priority of the queue they are mapped to. It consists of the determination of the user priority of the input packet, the mapping of the user priority to a queue in this device, and the priority control of the queues.

The user priority of an input packet is determined by the IEEE 802.1p compliant CoS, or by the default priority for reception packets without a tag. Moreover, when the qos classification command is used, the user priority can be determined from the upper 3 bits of the TOS field of IPv4 (IP Precedence) or the upper 3 bits of the TC field of IPv6. When 'qos classification' is enabled, the user priority from the upper 3 bits of TOS or TC takes precedence over the user priority from CoS and over the default priority for reception packets without a tag.

For example, in the case of a VLAN-tagged frame carrying the IP packet shown below, the user priority is determined by the Precedence (= upper 3 bits of the DSCP) of the TOS field when qos classification is enabled, and by the CoS (priority of the tag control information) when qos classification is disabled.

A packet with a user priority is queued in the one of the multiple queues of the output port (including the device address port) which is mapped to that priority. The mapping between user priority values and queues in this device can be changed when the number of queues is 4. The queues have priorities 0 to 3 respectively, and the priority increases with the number.

Queued packets are output according to the priority control method of the queue. The priority control method is selected from Strict Priority Queuing (Strict), Weighted Round Robin (WRR) or Weighted Deficit Round Robin (WDRR).

(Figure: frame format. DA | SA | VLAN protocol (TYPE) | Tag control information | TYPE | IP header | IP data | CRC. Tag control information: Priority 3 bit | CFI 1 bit | VID 12 bit. TOS field: Precedence 3 bit | D 1 bit | T 1 bit | R 1 bit | unused 2 bit. DS field: DSCP 6 bit | CU 2 bit.)


Relation between user priority value and priority

The initial queue mapping of the user priority values in this device and the recommended queue setting at the time of priority control are shown below.

User priority value (traffic type) | Initial setting of queue in this device | Queue setting (recommended) at the time of priority control
0 (Best Effort) | 1 | 1
1 (Background) | 0 | 0
2 (Reserved) | 0 | 0
3 (Excellent Effort) | 1 | 1
4 (Controlled Load) | 2 | 2
5 (Video) | 2 | 2
6 (Voice) | 3 | 3
7 (Network Control) | 3 | 3

Setting for assigning user priority

Rank | Method of deciding priority of input packet | Valid setting
1 | TOS | qos classification ip tos on
1 | TC | qos classification ip6 tc on
2 | CoS | Depends on the upper 3 bits (priority) of the VLAN tag control information
2 | Reception packet without tag | qos priority <queue_priority>


Process method for priority control

Any of Strict, WRR or WDRR is set as the priority control process.

• Strict: frames in the queue with the higher priority are processed with top priority.

• WRR: a fixed value (output ratio) is set for each queue and relative priority control is executed. For example, when 10 is set for queue 3 and 1 is set for queue 0, processing is executed at a rate of 10:1 between queue 3 and queue 0.

• WDRR: a fixed value (output ratio) is set for each queue and relative priority control is executed. WDRR controls the amount of data, whereas WRR controls the number of packets.

A processing example of Strict and WRR is shown below.
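The priority decision, the queue mapping and the three scheduling methods of this section, modelled in code (an added example, not code from the PRIMERGY manual or the device firmware; the WDRR byte quantum and the sample frames are assumptions of the model, while the 10:1 weights follow the manual's WRR example):

```python
"""Priority control of 2.11.1 modelled in Python.

Added example, not code from the PRIMERGY manual or the device firmware. It
decides the user priority of an input frame by the manual's ranking (TOS/TC
upper 3 bits when qos classification is on, otherwise CoS, otherwise the
default priority for untagged frames), maps it to one of the 4 queues with the
manual's recommended table, and drains the queues with Strict, WRR or WDRR.
The WRR weights 10:1 for queue 3 and queue 0 follow the manual's example; the
WDRR byte quantum and the sample frames are assumptions of this model.
"""
from collections import deque
from typing import Optional

# Recommended user priority -> queue mapping (index = user priority 0..7;
# queue 3 is the highest priority).
RECOMMENDED_QUEUE = [1, 0, 0, 1, 2, 2, 3, 3]


def user_priority(cos: Optional[int], tos: Optional[int],
                  qos_classification: bool, default_priority: int = 0) -> int:
    """Rank 1: TOS/TC upper 3 bits; rank 2: CoS or the untagged default."""
    if qos_classification and tos is not None:
        return (tos >> 5) & 0x7        # IP Precedence = upper 3 bits of TOS / TC
    if cos is not None:
        return cos & 0x7               # upper 3 bits of the tag control information
    return default_priority            # reception packet without tag: qos priority


def enqueue(frames, qos_classification: bool = False, default_priority: int = 0,
            mapping=RECOMMENDED_QUEUE) -> dict:
    """Place (name, size) tuples into {queue: [...]} by their user priority."""
    queues = {q: [] for q in range(4)}
    for f in frames:
        up = user_priority(f.get("cos"), f.get("tos"), qos_classification, default_priority)
        queues[mapping[up]].append((f["name"], f["size"]))
    return queues


def strict(queues: dict) -> list:
    """Strict: the higher-priority queue is always served first."""
    order = []
    for q in sorted(queues, reverse=True):
        order.extend((q, name, size) for name, size in queues[q])
    return order


def wrr(queues: dict, weights: dict) -> list:
    """WRR: up to weight[q] *packets* from each queue per round, high queue first."""
    pending = {q: deque(p) for q, p in queues.items()}
    order = []
    while any(pending.values()):
        for q in sorted(pending, reverse=True):
            for _ in range(weights.get(q, 1)):
                if not pending[q]:
                    break
                name, size = pending[q].popleft()
                order.append((q, name, size))
    return order


def wdrr(queues: dict, weights: dict, quantum: int = 1500) -> list:
    """WDRR: weight[q] * quantum *bytes* of credit per round; the head frame is
    sent only when the credit covers it, so large frames do not crowd out small ones."""
    pending = {q: deque(p) for q, p in queues.items()}
    deficit = {q: 0 for q in queues}
    order = []
    while any(pending.values()):
        for q in sorted(pending, reverse=True):
            if not pending[q]:
                deficit[q] = 0                 # an idle queue keeps no credit
                continue
            deficit[q] += weights.get(q, 1) * quantum
            while pending[q] and pending[q][0][1] <= deficit[q]:
                name, size = pending[q].popleft()
                deficit[q] -= size
                order.append((q, name, size))
    return order


if __name__ == "__main__":
    # Constructed frames: a tagged voice frame (CoS 6, TOS 0xB8) and an untagged bulk frame.
    frames = [{"name": "voice", "cos": 6, "tos": 0xB8, "size": 200},
              {"name": "bulk", "cos": None, "tos": 0x00, "size": 1500}]
    print(enqueue(frames))                           # CoS decides: voice -> queue 3
    print(enqueue(frames, qos_classification=True))  # precedence 5 decides: voice -> queue 2
    q = {3: [(f"hi{i}", 100) for i in range(20)], 0: [(f"lo{i}", 100) for i in range(20)]}
    print([o[0] for o in wrr(q, {3: 10, 0: 1})[:11]])  # ten from queue 3, then one from queue 0
```

With equal weights, WRR alternates one packet per queue regardless of size, while WDRR lets the queue of 100-byte frames send ten frames for every 1500-byte frame of the other queue, which is the packet-count versus data-amount difference the text describes.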


2.11.2 Priority control function in which ACL is used

This device can control priority by using ACL. If ACL is used, the allocation to the output port queue is decided based on combinations of the MAC address, packet format, VLAN ID, CoS value, IP address, port number, etc. of the packet passing through this device, and priority control information such as DSCP can be rewritten.

When priority is controlled using ACL, an ACL which specifies the packets that are the target of priority control is defined. For this device, "acl mac" definitions, "acl vlan" definitions, "acl ip" definitions, "acl ip6" definitions, "acl tcp" definitions, "acl udp" definitions and "acl icmp" definitions can be set, and these enable the priority control. Moreover, for the input port, the ACL number of the defined ACL and the action against packets matching that ACL are specified. The action consists of specifying the output queue and rewriting the DSCP (differentiated services code point) field.

When priority control of packets is executed using DSCP, the DSCP is specified by the ACL definition, and the output queue and the priority control algorithm for that DSCP are specified. WRR, WDRR or Strict can be selected as the priority control algorithm. When a minimum guaranteed bandwidth is to be allocated to a DSCP, WRR or WDRR can be selected; when frames of the queue with the higher priority are to be given top priority, Strict can be selected.

Refer to the chapter on the DSCP value rewriting function for the function which rewrites the DSCP field. The DSCP rewriting function of this device complies with RFC 2474: Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers.

Upper limit which can be set in device

The upper limits which can be set in the device are shown below.

• Upper limit by number of set commands:
- When the CEE function is used, 62 entries
- When the CEE function is not used, 64 entries

Settings are possible up to this upper limit, counted together across the "macfilter", "vlan macfilter", "lan ip filter", "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6filter", "vlan ip6filter", "lan ip6 filter", "ip6qos aclmap", "vlan ip6qos aclmap" and "lan ip6 dscp" commands.

The priority levels are as follows.
- The priority order between commands is "macfilter", "vlan macfilter", "lan ip filter", "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6filter", "vlan ip6filter", "lan ip6 filter", "ip6qos aclmap", "vlan ip6qos aclmap", "lan ip6 dscp".
- Between ether ports, the smaller ether port number has the higher priority.
- Between VLANs, the smaller VLAN ID has the higher priority.

• Upper limit by number of masks:
- When the CEE function is used, 62 masks
- When the CEE function is not used, 64 masks

Settings are possible up to this upper limit, counted together across the "macfilter", "vlan macfilter", "lan ip filter", "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6filter", "vlan ip6filter", "lan ip6 filter", "ip6qos aclmap", "vlan ip6qos aclmap", "lan ip6 dscp" and "vlan protocol" commands.

The priority levels are as follows.
- The priority order between commands is "vlan protocol", "macfilter", "vlan macfilter", "lan ip filter", "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6filter", "vlan ip6filter", "lan ip6 filter", "ip6qos aclmap", "vlan ip6qos aclmap", "lan ip6 dscp".
- Between ether ports, the smaller ether port number has the higher priority.
- Between VLANs, the smaller VLAN ID has the higher priority.

The number of masks which the "macfilter", "vlan macfilter", "lan ip filter", "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6filter", "vlan ip6filter", "lan ip6 filter", "ip6qos aclmap", "vlan ip6qos aclmap" and "lan ip6 dscp" commands consume is as follows, depending on the applied ACL. When multiple ACLs are applied, it is the sum total of each, and the total for each combination is as follows.

Condition of applied acl | Number of masks
In case of acl mac definition | 1
In case of acl vlan definition | 1
In case of acl ip definition:
  srcIP address not specified, tos value/dscp value not specified | 1
  srcIP address not specified, tos value/dscp value specified | 3
  srcIP address specified, dstIP address not specified | 1
  srcIP and dstIP address specified, mask values of srcIP and dstIP the same, tos value/dscp value not specified | 1
  srcIP and dstIP address specified, mask values of srcIP and dstIP the same, tos value/dscp value specified | 3
  srcIP and dstIP address specified, mask values of srcIP and dstIP different | 3
In case of acl ip6 definition:
  srcIP address not specified, tc value/dscp value not specified | 1
  srcIP address not specified, tc value/dscp value specified | 3
  srcIP address specified, dstIP address not specified | 3
  srcIP and dstIP address specified, tc value/dscp value not specified | 3
  srcIP and dstIP address specified, tc value/dscp value specified | 5

The number of masks which the "vlan protocol" command consumes is as follows.

Condition of applied acl | Number of masks
In case of protocol VLAN definition:
  When vlan protocol ipv4 is specified | 3
  When vlan protocol ipv6 is specified | 1
  When vlan protocol <count> ether is specified | 1
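The mask tables of 2.10 and 2.11.2 turned into a budget check, as an added example that is not code from the PRIMERGY manual or the device: it sums the masks each filter or QoS command consumes for the ACLs applied to it and compares the device-wide total with the 62/64 limit. The command labels, ACL contents and addresses in the sample configuration are constructed.

```python
"""Mask budget for the ACL-based filter and QoS commands of 2.10 and 2.11.2.

Added example, not code from the PRIMERGY manual or the device. It encodes the
manual's 'number of masks' tables (acl mac / acl vlan / acl ip / acl ip6
definitions and the vlan protocol command), sums the masks a command consumes
when several ACLs are applied to it, and checks the device-wide total against
the upper limit (62 masks with the CEE function, 64 without). Command labels,
ACL contents and addresses in the sample are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AclDef:
    kind: str                    # "mac", "vlan", "ip" or "ip6"
    src: Optional[str] = None    # source prefix, e.g. "10.0.0.0/8"; None = not specified
    dst: Optional[str] = None    # destination prefix; None = not specified
    tos_or_dscp: bool = False    # tos/dscp (acl ip) or tc/dscp (acl ip6) specified


def prefix_length(prefix: str) -> int:
    """Mask length of 'addr/len'; a bare address means a host mask."""
    if "/" in prefix:
        return int(prefix.rsplit("/", 1)[1])
    return 128 if ":" in prefix else 32


def masks_for(acl: AclDef) -> int:
    """Number of masks one ACL definition consumes (the manual's table)."""
    if acl.kind in ("mac", "vlan"):
        return 1
    if acl.kind == "ip":
        if acl.src is None:
            return 3 if acl.tos_or_dscp else 1
        if acl.dst is None:
            return 1
        if prefix_length(acl.src) != prefix_length(acl.dst):
            return 3                      # different srcIP / dstIP mask values
        return 3 if acl.tos_or_dscp else 1
    if acl.kind == "ip6":
        if acl.src is None:
            return 3 if acl.tos_or_dscp else 1
        if acl.dst is None:
            return 3
        return 5 if acl.tos_or_dscp else 3
    raise ValueError(f"unknown acl kind: {acl.kind!r}")


# Masks consumed per protocol VLAN definition of the vlan protocol command.
VLAN_PROTOCOL_MASKS = {"ipv4": 3, "ipv6": 1, "ether": 1}


def command_masks(acls) -> int:
    """A filter/QoS command with several ACLs applied consumes their sum."""
    return sum(masks_for(a) for a in acls)


def mask_limit(cee_enabled: bool) -> int:
    return 62 if cee_enabled else 64


def check_budget(commands: dict, vlan_protocols=(), cee_enabled: bool = False):
    """commands: {command label: [AclDef, ...]}; returns (per command, total, fits)."""
    per_command = {label: command_masks(acls) for label, acls in commands.items()}
    total = sum(per_command.values()) + sum(VLAN_PROTOCOL_MASKS[p] for p in vlan_protocols)
    return per_command, total, total <= mask_limit(cee_enabled)


def example_config():
    """Constructed configuration, not taken from the manual."""
    return {
        "macfilter 1 (ether 1)": [AclDef("mac"), AclDef("vlan")],
        "lan ip filter 1": [
            AclDef("ip", src="10.0.0.0/8", dst="192.168.0.0/16"),                 # masks differ -> 3
            AclDef("ip", src="10.1.0.0/16", dst="10.2.0.0/16", tos_or_dscp=True),  # same masks + tos -> 3
            AclDef("ip", tos_or_dscp=True),                                        # no srcIP, tos -> 3
        ],
        "ip6filter 1": [
            AclDef("ip6", src="2001:db8::/32"),                                    # dstIP not specified -> 3
            AclDef("ip6", src="2001:db8::/32", dst="2001:db8:1::/48", tos_or_dscp=True),  # -> 5
        ],
    }


if __name__ == "__main__":
    per_cmd, total, fits = check_budget(example_config(), vlan_protocols=("ipv4",), cee_enabled=True)
    for label, n in per_cmd.items():
        print(f"{label}: {n} masks")
    print(f"total {total} of {mask_limit(True)} masks; fits={fits}")
```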

• Upper limit by number of actions:
- When the CEE function is used, 15 actions
- When the CEE function is not used, 16 actions

Settings are possible up to this upper limit, counted together across the "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6qos aclmap", "vlan ip6qos aclmap", "lan ip6 dscp" and "vlan protocol" commands.

The priority levels are as follows.
- The priority order between commands is "vlan protocol", "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6qos aclmap", "vlan ip6qos aclmap", "lan ip6 dscp".
- Between ether ports, the smaller ether port number has the higher priority.
- Between VLANs, the smaller VLAN ID has the higher priority.


1 action is consumed when the following commands are set; only 1 action is consumed irrespective of the number of command specifications.

- vlan <vid> protocol ipv4

- vlan <vid> protocol ipv6

When the following commands are set, 1 action is consumed. When <tos_value>, <dscp_value> and <queue_value> are the same, only 1 action is consumed irrespective of the number of command specifications.

- interface Config mode

- qos aclmap <count> tos <tos_value> <acl>

- qos aclmap <count> dscp <dscp_value> <acl>

- qos aclmap <count> queue <queue_value> <acl>

- ip6qos aclmap <count> dscp <dscp_value> <acl>

- ip6qos aclmap <count> queue <queue_value> <acl>

- vlan <vid> qos aclmap <count> tos <tos_value> <acl>

- vlan <vid> qos aclmap <count> dscp <dscp_value> <acl>

- vlan <vid> qos aclmap <count> queue <queue_value> <acl>

- vlan <vid> ip6qos aclmap <count> dscp <dscp_value> <acl>

- vlan <vid> ip6qos aclmap <count> queue <queue_value> <acl>

- lan <number> ip dscp <count> acl <acl_count> <dscp_value>

- lan <number> ip6 dscp <count> acl <acl_count> <dscp_value>

When chengeQueue is set by the following commands, 1 action is consumed.

- interface Config mode

- qos aclmap <count> tos <tos_value> <acl> [ chengeQueue ]

- qos aclmap <count> dscp <dscp_value> <acl> [ chengeQueue ]

- ip6qos aclmap <count> dscp <dscp_value> <acl> [ chengeQueue ]

- vlan <vid> qos aclmap <count> tos <tos_value> <acl> [ chengeQueue ]

- vlan <vid> qos aclmap <count> dscp <dscp_value> <acl> [ chengeQueue ]

- vlan <vid> ip6qos aclmap <count> dscp <dscp_value> <acl> [ chengeQueue ]

When the following commands are set, 1 action is consumed. When <vid> is the same, only 1 action is consumed irrespective of the number of command specifications.

Points to be noted

When used together with the protocol VLAN function, the QoS function is disabled for frames identified as protocol VLAN. Refer to the "vlan protocol" command item for the frames recognized as protocol VLAN.

When used together with the MAC filter function, the QoS function is disabled for packets matching the MAC filter function. Moreover, QoS that uses ACL is disabled for packets to which the IP MAC filter is applied.

When the priority determination method of packets is set, it is as follows.

・qos classification ip tos on

For IPv4 frames, the ‘IP precedence’ field becomes the target of the CoS value of the “acl vlan” command option.

・qos classification ip6 tc on

For IPv6 frames, the top 3 bits of the ‘traffic class’ field of IPv6 become the target of the CoS value of the “acl vlan” command option.


2.12 IGMP snoop function

The IGMP snoop function inspects the IGMP packets sent by the source and forwards multicast packets only to the ports where a receiver exists.

▪ Source

Terminal or multicast router connected to this device

▪ Port where receiver exists

Port where a listener of the multicast group address exists, or the port where a multicast router is connected

With this function, unexpected multicast packets are not received by terminals, so the load on the terminals can be reduced.

The IGMP snoop function of this device supports versions 1, 2 and 3 of the IGMP protocol.

The conditions under which a port of this device is identified as a port where a multicast router is connected, or a port where a listener exists, are shown below.

Port: Multicast router port

Recognized conditions: Recognized by the following conditions, according to the multicast router port setting (vlan <vlan_id> igmpsnoop router).

▪ When auto is specified

When an IGMP Query packet is received, the port concerned is recognized as a multicast router port.

▪ When yes <port_no> is specified

At start-up, the port specified by the setting is recognized as a multicast router port. Further, as when auto is specified, a port where an IGMP Query packet is received is also recognized as a multicast router port.

Port: Listener port

Recognized conditions: The port where an IGMP Membership Report packet is received is recognized as a listener port.

When a packet addressed to a multicast group address is received, this device forwards that packet only to the multicast router port and the listener port.


Points to be noted

Communication may not be possible when multicast communication is performed without using IGMP.

Set the port connected to a device where IGMP snoop is enabled as a multicast router port by configuration definition.

When more than 2 multicast routers are connected, set the multicast router ports by configuration definition. When a multicast router port is not recognized correctly, the terminal connected to a multicast router may not be able to receive multicast packets at the beginning.

In this device, a group address which has been registered once does not delete its entry itself, even if the listener terminal no longer exists; only the output port information is deleted. When an unnecessary group address is registered, it can be deleted by the clear igmpsnoop group command. Details are,

When the maximum number of multicast group addresses that can be registered is exceeded, flooding is done for all the excess addresses in the same VLAN. Do not use the IGMP snoop function when the group addresses being handled exceed the maximum number that can be registered.

It cannot be used in a network where communication other than IPv4 multicast (example: IPv6 communication) is used. Do not enable the IGMP snoop function there.

In this device, addresses whose lower 23 bits of the IP address are the same are recognized as the same address, as with 224.1.1.1, 225.1.1.1, 224.1.1.1 and 225.129.1.1. Therefore, even when different listener terminals matching these addresses exist, the packets for both addresses are forwarded.

The source address of IGMP snoop usually need not be set. Set it only when there is a device which cannot recognize IGMP packets which have 0.0.0.0 as the source address. Further, when multiple IGMP devices are connected, do not set more than 2 source addresses of IGMP snoop in the same VLAN.

In a network where no multicast router is connected, do not disable the Querier operation by the vlan igmpsnoop querier command.

The IGMP snoop function of a VLAN ID belonging to an IEEE802.1Q tunnel port is disabled.


2.13 MLD Snoop Function

The MLD snoop function inspects the MLD packets sent from the source and forwards IPv6 multicast packets only to the ports where a receiver is present.

Source

Terminal or multicast router connected to this device

Port where receiver exists

Port where a listener of the multicast group address exists, or the port where a multicast router is connected

By using this function, unexpected IPv6 multicast packets are not received by terminals, so the load on the terminals can be reduced.

The MLD snoop function of this device supports version 1 of the MLD protocol.

The conditions under which a port of this device is identified as a port where a multicast router is connected, or a port where a listener exists, are shown below.

Port: Multicast router port

Recognized conditions: Recognized by the following conditions, according to the multicast router port setting (vlan <vlan_id> igmpsnoop router).

▪ When auto is specified

When an MLD Query packet is received, that port is recognized as a multicast router port.

▪ When yes <port_no> is specified

At start-up, the port specified by the setting is recognized as a multicast router port. Further, as when auto is specified, a port where an MLD Query packet is received is also recognized as a multicast router port.

Port: Listener port

Recognized conditions: The port where an MLD Membership Report packet is received is recognized as a listener port.

When a packet addressed to a multicast group address is received, this device forwards that packet only to the multicast router port and the listener port.


Points to be noted

• When MLD is not used and IPv6 multicast communication is executed, communication may not be possible.

• Set the port connected to a device where MLD snoop is enabled as a multicast router port by configuration definition.

• When multicast routers are connected over 2 machines, set the multicast router port by configuration definition. When the multicast router port is not recognized properly, the terminal connected to a multicast router may not receive multicast packets at the beginning.

• In this device, a group address which has been registered once does not delete its entry itself, even if the listener terminal no longer exists; only the output port information is deleted. When an unneeded group address is registered, it can be deleted with the ‘clear mldsnoop group’ command.

• When the maximum number of multicast group addresses that can be registered is exceeded, flooding is done for the excess addresses in the same VLAN.

• Do not use the MLD snoop function when the group addresses being handled exceed the maximum number that can be registered.

• In a network that uses IPv4 multicast communication, enable IGMP snoop as well.

• It cannot be used in networks that use communication other than IPv6 multicast. Do not enable the MLD snoop function there.

• In this device, addresses whose lower 32 bits of the IPv6 address are the same are recognized as the same address. Therefore, the packets for both addresses are forwarded even if different listener terminals matching these addresses exist.

• Normally there is no need to set the source address of MLD snoop. Set it only when a device exists which cannot recognize MLD packets that have :: as the source address. Further, when multiple MLD snoop devices are connected, do not set more than 2 source addresses of MLD snoop in the same VLAN.

• Do not disable the Querier function by the ‘vlan mldsnoop querier’ command in a network where no multicast router is connected.

• The MLD snoop function of a VLAN ID which belongs to an IEEE802.1Q tunnel port is disabled.
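The 23-bit (IGMP) and 32-bit (MLD) address aliasing described in the two sets of notes above comes from the way IPv4 and IPv6 multicast groups are mapped to Ethernet MAC addresses. The following Python is an added example, not code from the manual or the device, that computes the MAC a group maps to and flags groups that a snooping switch would treat as the same; the sample group list is constructed.

```python
import ipaddress


def ipv4_multicast_mac(addr: str) -> str:
    """MAC for an IPv4 group (RFC 1112): 01:00:5e + low 23 bits of the address.
    The 5 bits after the 224/4 prefix are dropped, so 32 groups share one MAC."""
    ip = ipaddress.IPv4Address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not an IPv4 multicast address")
    low23 = int(ip) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def ipv6_multicast_mac(addr: str) -> str:
    """MAC for an IPv6 group (RFC 2464): 33:33 + low 32 bits of the address.
    Everything above the low 32 bits (flags, scope, upper group bits) is dropped."""
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not an IPv6 multicast address")
    low32 = int(ip) & 0xFFFFFFFF
    return "33:33:%02x:%02x:%02x:%02x" % (
        low32 >> 24, (low32 >> 16) & 0xFF, (low32 >> 8) & 0xFF, low32 & 0xFF)


def group_mac(addr: str) -> str:
    """Dispatch on address family; this MAC is the key the snooping switch filters on."""
    if ipaddress.ip_address(addr).version == 4:
        return ipv4_multicast_mac(addr)
    return ipv6_multicast_mac(addr)


def colliding_groups(groups) -> dict:
    """Return {mac: [groups]} for every MAC that more than one requested group maps to.
    Listeners of any group in such a bucket receive the traffic of all of them, which is
    the forwarding behaviour the manual describes for the 23-bit / 32-bit matches."""
    buckets = {}
    for g in groups:
        buckets.setdefault(group_mac(g), []).append(g)
    return {mac: addrs for mac, addrs in buckets.items() if len(addrs) > 1}


# Constructed sample group plan: the manual's IPv4 aliases, an SSDP group that does not
# collide, and two IPv6 groups that differ only in scope (ff02 vs ff05) and so collide.
SAMPLE_GROUPS = ["224.1.1.1", "225.1.1.1", "224.129.1.1", "225.129.1.1",
                 "239.255.255.250", "ff02::1:3", "ff05::1:3", "ff02::1"]

if __name__ == "__main__":
    for mac, addrs in colliding_groups(SAMPLE_GROUPS).items():
        print(mac, "<-", ", ".join(addrs))
```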


2.14 EHM Function

In End-Host-Mode (EHM), frames are not forwarded between uplink ports, so that no frame loop is generated even where no protocol such as STP is used.

Common switch mode and End-Host-Mode are switched over by restarting after specifying the mode with the boot-system mode command. End-Host-Mode and common switch mode have independent configuration definitions.

Points to be noted

The STP (Spanning tree) function cannot be used.

When multiple connections are made between the connection blade and the ToR (Top-of-Rack) switch, it is recommended to set link aggregation on both the connection blade side and the ToR switch side to prevent duplication of packets.


2.15 IEEE802.1X Authentication Function

The IEEE802.1X authentication function authenticates by means of an externally installed RADIUS server.

This device supports an authentication function (802.1X authentication) which complies with IEEE802.1X. The authentication function supports the authentication methods “EAP-MD5”, “EAP-TLS”, “EAP-TTLS” and “PEAP”.

Either local authentication, which uses the AAA function within the device itself, or remote authentication by an externally installed RADIUS server can be used as the authentication database. When local authentication is used, authentication is executed only by “EAP-MD5”. When remote authentication is used, authentication can be executed by “EAP-TLS” and “EAP-TTLS”, which are more secure than local authentication.

With this function, the communication of supplicants that do not have authentication permission (authentication requests excepted) is entirely blocked, and illegal network access from supplicants other than the authenticated ones is denied.

By setting attributes on the RADIUS server, the supplicant is assigned to a VLAN at the time of authentication. When no VLAN ID is notified from the RADIUS server, the VID set by the “ether dot1x vid” command is assigned.

The RADIUS server whose operation has been checked with this device is the Fujitsu “Safeauthor V3.5”.

In this device, multiple terminals can be authenticated on 1 physical port. In this case, a switching HUB etc. is connected to the physical port of this device, multiple terminals are connected to it, and authentication is executed for each terminal.

When multiple terminals are authenticated on 1 physical port, supplicant software that sends the “EAPOL start” message is used. Authentication does not start with supplicant software which does not send the “EAPOL start” message.

The supplicant software whose operation has been checked with this device is the Fujitsu “Systemwalker Desktop Inspection 802.1X supplicant”.

Points to be noted

A VLAN cannot be set in advance on the port used by this function. A terminal with successful authentication communicates on the VLAN assigned when authentication succeeds.


The authentication method and characteristics of each EAP are shown below.

Authentication method: EAP-MD5

・ ID and password based authentication standard.

・ Users can change their own passwords etc., reducing the load on the administrator.

Authentication method: EAP-TLS

・ Authentication can be done according to the information (Subject) given in the certificate.

・ Approval can be done using digital certificates registered on both the client (user terminal) and the server.

・ Expired user certificates can be checked and rejected.

・ The certificate revocation list (CRL) is reflected, and access with an invalid certificate can be denied.

Authentication method: EAP-TTLS

・ ID and password based authentication standard.

・ No certificate is required on the user terminal.

・ The cost burden can be reduced and a high security level maintained at the time of introduction.

Authentication method: PEAP

・ ID and password based authentication standard.

・ No certificate is required on the user terminal.

・ The cost burden can be reduced and a high security level maintained at the time of introduction.

・ Users can change their own passwords etc., reducing the load on the administrator.

Attribute for VLAN ID notification

At the time of remote authentication, the attribute information for setting on the RADIUS server the VLAN ID assigned to the supplicant is shown below.

Name | Number | Attribute Value (*)

Tunnel-Type | 64 | VLAN (13)

Tunnel-Media-Type | 65 | 802 (6)

Tunnel-Private-Group-ID | 81 | VLAN ID (decimal notation encoded in ASCII code)

*) The number in () is the decimal value which is set as the attribute.
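The three attributes of the table, as they would appear in the attribute list of a RADIUS Access-Accept, encoded and checked by the following Python; this is an added example, not the manual's or the device's code. It assumes the RFC 2868 tunnel-attribute layout, in which each value carries a leading Tag octet that the manual does not mention, and it treats an Access-Accept without a consistent VLAN assignment as "no VLAN notified", the case in which the manual says the “ether dot1x vid” value is used.

```python
import struct

# Attribute numbers and values from the manual's table (RFC 2868 attribute names).
TUNNEL_TYPE = 64               # Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65        # Tunnel-Medium-Type (called Tunnel-Media-Type in the manual)
TUNNEL_PRIVATE_GROUP_ID = 81   # Tunnel-Private-Group-ID
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def encode_vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """Build the three attributes that assign `vlan_id` to the supplicant.
    Layout per RFC 2868: Type(1) Length(1) Tag(1) Value; the two integer
    attributes carry a 3-octet value, the group ID an ASCII decimal string."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")

    def tagged_int(attr_type: int, value: int) -> bytes:
        return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

    group = str(vlan_id).encode("ascii")
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag) + group)


def parse_attributes(data: bytes) -> list:
    """Split a RADIUS attribute list into (type, value) pairs. Length covers the
    2-octet header, so it may never be below 2 nor run past the end of the data."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def assigned_vlan(data: bytes):
    """Return the VLAN ID the Access-Accept assigns, or None when the attributes do
    not form a complete assignment: Tunnel-Type VLAN(13), Tunnel-Medium-Type 802(6)
    and a numeric Tunnel-Private-Group-ID in 1..4094, all carrying the same tag."""
    by_tag = {}
    for atype, value in parse_attributes(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                continue  # malformed value: ignore it rather than guess
            by_tag.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a first octet above 0x1F is string data, not a tag (tag 0 here)
            tag, text = (0, value) if value[0] > 0x1F else (value[0], value[1:])
            by_tag.setdefault(tag, {})[atype] = text
    for group in by_tag.values():
        text = group.get(TUNNEL_PRIVATE_GROUP_ID)
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and text is not None and text.isdigit() and 1 <= int(text) <= 4094):
            return int(text)
    return None  # nothing usable: the device falls back to the "ether dot1x vid" VLAN


# Constructed samples: a correct assignment to VLAN 100, and an Access-Accept that
# carries only a group ID (no Tunnel-Type / Medium-Type), which must assign nothing.
GOOD_ACCEPT = encode_vlan_attributes(100)
GROUP_ID_ONLY = bytes([TUNNEL_PRIVATE_GROUP_ID, 6, 0]) + b"100"
```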


EAP-MD5 Authentication

EAP-MD5 authentication is a method that authenticates by a password shared between the user terminal and the RADIUS server. A challenge and a response are exchanged, the response being computed with the MD5 hash function, and the user is authenticated by the RADIUS server.

At the time of local authentication, the "AAA function" in this device is used instead of the "RADIUS server". The sequence of EAP-MD5 authentication of the IEEE802.1X function is shown below.
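Since the sequence figure is not reproduced here, the following Python shows the challenge/response exchange the paragraph describes, with the device's AAA function on the authenticator side. It is an added example, not the manual's code, and assumes the MD5-Challenge layout of RFC 3748 (the Response Value is MD5 over Identifier, password and Challenge); the user database and packets are constructed.

```python
import hashlib
import hmac
import os

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4


def md5_challenge_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Response Value of RFC 3748 5.4 (the CHAP algorithm of RFC 1994):
    MD5(Identifier || password || Challenge). No key is derived, so EAP-MD5
    authenticates the supplicant only and cannot protect the session afterwards."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_eap_md5(code: int, identifier: int, value: bytes, name: bytes = b"") -> bytes:
    """EAP packet: Code(1) Identifier(1) Length(2) Type(1)=4 Value-Size(1) Value Name."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return bytes([code, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


def parse_eap_md5(packet: bytes):
    """Return (code, identifier, value, name); reject anything that is not a well-formed
    MD5-Challenge packet so that malformed input never reaches the comparison."""
    if len(packet) < 6:
        raise ValueError("short EAP packet")
    code, identifier = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet):
        raise ValueError("EAP length mismatch")
    if packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge packet")
    value_size = packet[5]
    if 6 + value_size > length:
        raise ValueError("Value-Size exceeds packet")
    return code, identifier, packet[6:6 + value_size], packet[6 + value_size:]


class Md5ChallengeAuthenticator:
    """Authenticator side: the device's AAA function in local authentication.
    `users` maps user name to password (constructed sample data, not a real store)."""

    def __init__(self, users: dict):
        self.users = users
        self.pending = {}  # identifier -> outstanding challenge

    def request(self, identifier: int) -> bytes:
        challenge = os.urandom(16)  # fresh random challenge for every request
        self.pending[identifier] = challenge
        return build_eap_md5(EAP_REQUEST, identifier, challenge, b"switch-aaa")

    def check(self, response: bytes) -> bool:
        code, identifier, value, name = parse_eap_md5(response)
        challenge = self.pending.pop(identifier, None)  # a challenge is answerable once
        if code != EAP_RESPONSE or challenge is None or len(value) != 16:
            return False
        password = self.users.get(name.decode("ascii", "replace"))
        if password is None:
            return False
        expected = md5_challenge_value(identifier, password, challenge)
        return hmac.compare_digest(expected, value)  # constant-time comparison


def supplicant_answer(request: bytes, name: bytes, password: bytes) -> bytes:
    """Supplicant side: answer an MD5-Challenge Request, echoing its Identifier."""
    code, identifier, challenge, _ = parse_eap_md5(request)
    if code != EAP_REQUEST:
        raise ValueError("not a Request")
    return build_eap_md5(EAP_RESPONSE, identifier,
                         md5_challenge_value(identifier, password, challenge), name)


def run_exchange(name: bytes, password: bytes, users: dict) -> bool:
    """One full Request/Response round; True when the AAA function accepts it."""
    aaa = Md5ChallengeAuthenticator(users)
    return aaa.check(supplicant_answer(aaa.request(7), name, password))
```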


EAP-TLS Authentication

EAP-TLS is an authentication method in which a certificate is assigned to both the user terminal and the RADIUS server.

The sequence of EAP-TLS authentication of the IEEE802.1X function is shown below.


PEAP Authentication (EAP-TTLS authentication is similar)

PEAP is an authentication method in which a certificate is assigned only to the RADIUS server.

The sequence of PEAP authentication of the IEEE802.1X function is shown below.


2.16 Guest VLAN function

The Guest VLAN function permits connection to a specific VLAN (Guest VLAN) when a terminal for which authentication is not permitted is detected.

By using this function, the network use of terminals for which authentication is not permitted can be controlled by accommodating such terminals, whose connection is thus not denied outright, in a separate VLAN.

Points to be noted

• When the guest VLAN function and dot1x authentication are used together, authentication succeeds during the EAP authentication, so a supplicant which cannot handle this might not operate normally.


2.17 Broadcast / Multicast storm control function

The broadcast / multicast storm control function controls packets so that the communication of other packets is not obstructed when a large amount of broadcast / multicast packets flows in the network due to an error.

This device sets a threshold and controls packets per port. When the packet flow exceeds the threshold, the packets are discarded, or the port is blocked to control the flow.

Points to be noted

If the port is blocked because the flow exceeded the threshold, the block release must be specified by the online command to release the port block.


2.18 Port mirroring function

Port mirroring is a function which monitors the receiving traffic or the sending traffic of a specified source port from a specified target port. A target port for reception mirror, which monitors the receiving traffic of the source port, and a target port for transmission mirror, which monitors the sending traffic of the source port, can be specified as target ports.

When the port mirroring function is used, a probe device such as a LAN analyzer is first connected to the target port to monitor the traffic condition, and then the connected target port and the monitored source port are specified.

Multiple source ports can be specified in this device. However, when multiple ports are specified, the total traffic of the source ports should not exceed the bandwidth of the target port.

Points to be noted

▪ Only 1 target port of the mirror can be set for each of sending and receiving in the device.

▪ The sending-side and receiving-side target ports of the mirror cannot be set on the same port.

▪ The target port of the mirror becomes a dedicated port for mirroring the source port.

▪ A port specified as the target of the mirror cannot be specified as a source.

▪ When there are multiple source ports of the mirror for a target port, the packets in the part that exceeds the bandwidth of the target port are discarded.

▪ When the port status of the source port in the STP function is other than forwarding, packets are mirrored to the target port as follows. The relation between the MSTP, STP and RSTP states and the frames to be mirrored is shown below. When multiple source mirrors are possible, the traffic corresponding to each state is mirrored.

Source port status (in the target VLAN in case of MSTP) | Frame type | Sent to target port

Disable | Other than BPDU | Not sent

Disable | BPDU | Not sent

Blocking, listening (discarding in RSTP/MSTP) | Other than BPDU | Not sent

Blocking, listening (discarding in RSTP/MSTP) | BPDU | Sent

Learning | Other than BPDU | Not sent

Learning | BPDU | Sent

Forwarding | Other than BPDU | Sent

Forwarding | BPDU | Sent

▪ The existence and contents of the VLAN tag of the packet output to the target port may differ from those of the packet actually sent or received by the source port.

[Figure: port mirroring: analyzer, network, source port, target port (transmission mirror), target port (reception mirror)]


▪ The packet output to the target port is as follows.

- When the transmission packet is mirrored, it is as shown in the table below.

Tag setting of the source port of the packet | Contents of the mirror packet

Set with tag (in case of multiple source ports for multicast, broadcast and flooding packets: when a tagged setting exists on any of the multiple source ports) | Tagged. The tag contents are tagged only as attached at the sending source port.

Set without tag (in case of multiple source ports for multicast, broadcast and flooding packets: when a setting without tag exists on any of the multiple source ports) | Not tagged.

- When a received packet is mirrored, the existence and contents of the VLAN tag of the packet output to the target port match those of the input packet.

When a received frame is mirrored together with rewriting of DSCP and IP precedence, the frame after the change is mirrored instead of the received frame.


2.19 Ether L3 Monitoring Function

The ether L3 monitoring function confirms the existence of nodes by sending and receiving ICMP ECHO packets to and from specified nodes (devices). When the monitored device is connected through one or more other devices, an error on that route can be detected and the monitored port can be blocked.

Moreover, the link aggregation function and the backup port function can be used together with it.

When definitions are reflected, monitoring starts even if the monitoring port is in linked-down state.

• Ether L3 monitoring using the link aggregation function

When monitoring is done using the link aggregation function and the port where an error is detected is blocked, all member ports are also blocked.

• Ether L3 monitoring using the backup port function

When monitoring using the backup port function, set it so as to monitor on the operation port. When the ether L3 monitoring function is set on the standby port, monitoring is not done; monitoring starts when the standby port switches to operation port.

Moreover, when an error is detected and the monitored port is blocked, the influence of the network error can be suppressed to a minimum by switching the standby port to operation port.

When the definitions are reflected, if the master port is in the mode that always gives the master port priority, monitoring can be started on the master port even while the monitoring port is in linked-down state. If it is in the mode that uses the previously linked-up port, monitoring is started on the port where monitoring is set.

Points to be noted

• Set a longer monitoring ‘time out’ when using together with the STP function.

• For a port which is in blocked state, release the port block by the ‘block release specification of the online command’.

• When the monitoring port is an authentication port, monitoring is not done.


2.20 Output rate control function

Output rate control is a function which stops a large quantity of traffic from flowing to the succeeding network by controlling the quantity of flow at the output port.

Set the output control value and control the bandwidth per port for this device. When the traffic bandwidth exceeds the threshold value, the traffic which exceeds the bandwidth is discarded.

Points to be noted

The priority control function using WRR and WDRR and the output rate control function cannot be used together.

[Figure: output rate control: traffic, network, bandwidth limitation]


2.21 Port block function

The port block function retains the linkdown status of a physical port (port block) until the operator instructs otherwise by issuing the online command.

Depending on the cause of an error, linkup / linkdown of a physical port may occur repeatedly. At that time, if a redundant path exists, stable communication can be secured by purposely keeping this device in the linkdown state (port block function).

Transition to the port block state is controlled by the following.

• Manual block by issuing the offline command.

• Automatic block by linkage with a communication control function.

• Automatic block by a change in link status of the connected port.

Points to be noted

• The offline command can be issued only by the manager class.

• Release the port block by the block release specification of the online command for a port which has changed to blocked state.

• When the configuration definition is modified, the block may be released according to the modified contents.

Manual block by issuing the offline command

The port is put into blocked state by issuing the offline command, which is the Ethernet port control command.

Automatic block by linkage with a communication control function

Transition to the port block state can be specified when control functions such as broadcast / multicast storm control are used. The communication control functions which support transition to the port block state are as follows.

• Backup port function

• Broadcast / multicast storm control function

• Ether L3 monitoring function

Automatic block by change in link status of the connected port

It is possible to block the port at the time of a change in link status of the connected port. In this device, the link state changes by which transition to the port block state is possible are as follows.

• Blocking at start-up

The port is blocked when the device is started or a dynamic definition is reflected.

• Blocking by linkdown frequency

When the number of linkdowns specified by the configuration definition is detected, the port is blocked.

• Blocking of other ports at the time of linkdown (linkdown relay block)

At the time of linkdown, the linkage port specified by the configuration definition is blocked. Further, when the link is restored to linkup status, the block can be released together with the linkage port.


2.22 IP route control function

IP route information is managed with the routing table and is used to decide the forwarding destination of IP packets.

IP route information is controlled by the following functions.

▪ Function to control routes by fault detection of an interface

▪ Static routing function

Here, the types and management method of IP route information and the functions that control IP route information are explained.

2.22.1 Types of IP route information

IP route information is classified as follows.

▪ Interface route (IPv4)

Shows the IPv4 network or IPv4 address allocated to the interface. The IPv4 address allocated to the loopback interface is managed as a host route (32-bit network mask).

▪ Interface route (IPv6)

Shows the IPv6 prefix allocated to the interface. It is generated when an IPv6 prefix is set in the configuration definition and when IPv6 prefix information is received by a Router Advertisement message. The IPv6 address allocated to the loopback interface is managed as a host route (128-bit network mask).

▪ RA route (IPv6)

Shows the default route generated based on the information of a received Router Advertisement (RA) message.

▪ Static route (IPv4/IPv6)

Shows route information set in the configuration definition and maintained in the device.

IP route information is managed by the following priority values.

●IPv4

IP route information | Priority value

Interface route | 0 (fixed)

Static route | 1 (change allowed)

●IPv6

IP route information | Priority value

Interface route | 0 (fixed)

Static route | 1 (change allowed)

RA route | 12 (fixed)


2.22.2 Management of IP Route Information

IP route information is managed by the route table of routing protocol and routing table.

Explanation regarding 2 tables is given below.

Routing table Routing table is structured by the priority route (Best path) that is selected from the IP route information.

Moreover, in the IP route information which is managed by the routing table, the information wherein the

interface route is excluded; is managed as number of routing entries.

Maximum number of entries is prescribed in each device for the routing entries and the route information

wherein number of maximum entries exceeds is destroyed. Furthermore, it is managed separately in IPv4 and

IPv6.

Points to be noted

In the routing table, the IP route information received by exceeding the maximum value of routine entries is

destroyed and is not registered. Moreover, the registration is not done even if the number of maximum entries

is not fulfilled according to the IP route information. When route registration is failed, the system log which

shows the failure of registration is recorded. Restart the device after the review of network configuration and

route information.

2.22.3 Route Control Function according to Error Detection on an Interface

When an error is detected on an interface (for example, a hardware fault), the interface route information for that interface is deleted from the routing table. IP route information for the same destination created by the static routing function is switched over as a result of this deletion. In addition, the interface error is reported to the static routing function as a failure of an interface it uses, so that the static routing function can also switch routes.

2.22.4 Static Routing Function

Static routes are used together with the following functions to control IP route information.

• Route control by fault detection of an interface
A static route whose 'exit' is the affected interface is deleted from the routing table when an error is detected on that interface.

• Priority route control
Among routes to the same destination added to the routing table, the route to use is selected by its priority (distance). The smaller the priority value, the more preferred the route; only the preferred route is reflected in the routing table. When the preferred route becomes invalid, the device switches to the route with the next priority.
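The following model of 2.22.2 to 2.22.4 is an added example and not code from the manual or from Fujitsu: it keeps the candidate routes per destination, reflects only the preferred one in the routing table, drops routes exiting through an interface with a detected error, enforces a per-family entry limit with a log message on overflow, and shows why a static default route at its default priority 1 always beats an RA default route (priority 12). The entry limit, interface names, addresses and the use of longest-prefix match for lookup are assumptions made for the example.

```python
"""Added example: route candidates, priority selection and interface-failure switchover."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

PRIORITY = {"interface": 0, "static": 1, "ra": 12}   # values from the manual's priority table


@dataclass
class Route:
    prefix: str                     # destination, e.g. "0.0.0.0/0" or "::/0"
    kind: str                       # "interface", "static" or "ra"
    exit: str                       # exit interface
    gateway: Optional[str] = None
    priority: Optional[int] = None  # only static routes may override the default value

    def __post_init__(self):
        self.prefix = str(ip_network(self.prefix))
        if self.priority is None or self.kind != "static":
            self.priority = PRIORITY[self.kind]


class RoutingTable:
    def __init__(self, max_entries: int):
        self.max_entries = max_entries          # assumed value; the real limit is device-specific
        self.candidates: Dict[str, List[Route]] = {}
        self.failed: set = set()                # interfaces with a detected error
        self.syslog: List[str] = []

    def routing_entries(self, version: int) -> int:
        """Interface routes are not counted; IPv4 and IPv6 are counted separately."""
        return sum(1 for rs in self.candidates.values() for r in rs
                   if r.kind != "interface" and ip_network(r.prefix).version == version)

    def add(self, route: Route) -> bool:
        version = ip_network(route.prefix).version
        if route.kind != "interface" and self.routing_entries(version) >= self.max_entries:
            self.syslog.append(f"route registration failed: {route.prefix} via {route.exit} "
                               f"(IPv{version} routing entries full)")
            return False                        # excess route information is discarded
        self.candidates.setdefault(route.prefix, []).append(route)
        return True

    def interface_error(self, ifname: str) -> None:
        """Error detected on an interface: its interface route and the static routes
        that exit through it drop out of the routing table."""
        self.failed.add(ifname)

    def interface_recovered(self, ifname: str) -> None:
        self.failed.discard(ifname)

    def best(self, prefix: str) -> Optional[Route]:
        usable = [r for r in self.candidates.get(str(ip_network(prefix)), [])
                  if r.exit not in self.failed]
        return min(usable, key=lambda r: r.priority, default=None)

    def table(self) -> Dict[str, Route]:
        """The routing table proper: only the preferred route per destination."""
        out = {}
        for prefix in self.candidates:
            chosen = self.best(prefix)
            if chosen is not None:
                out[prefix] = chosen
        return out

    def lookup(self, dst: str) -> Optional[Route]:
        addr = ip_address(dst)
        matches = [(ip_network(p), r) for p, r in self.table().items() if addr in ip_network(p)]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def demo() -> dict:
    rt = RoutingTable(max_entries=2)
    rt.add(Route("192.0.2.0/24", "interface", "lan1"))
    rt.add(Route("198.51.100.0/24", "interface", "lan2"))
    rt.add(Route("0.0.0.0/0", "static", "lan1", gateway="192.0.2.1"))                 # priority 1
    rt.add(Route("0.0.0.0/0", "static", "lan2", gateway="198.51.100.1", priority=5))  # backup default
    overflow = rt.add(Route("203.0.113.0/24", "static", "lan2", gateway="198.51.100.1"))
    out = {"overflow_accepted": overflow, "syslog": list(rt.syslog)}
    out["before"] = rt.lookup("8.8.8.8").exit
    rt.interface_error("lan1")
    out["after_lan1_error"] = rt.lookup("8.8.8.8").exit
    out["lan1_local_after_error"] = rt.lookup("192.0.2.9").exit   # interface route is gone too
    rt.interface_recovered("lan1")
    out["after_recovery"] = rt.lookup("8.8.8.8").exit
    # IPv6: an RA default (12) loses to a static default left at priority 1 ...
    rt.add(Route("::/0", "ra", "lan1", gateway="fe80::1"))
    rt.add(Route("::/0", "static", "lan1", gateway="fe80::ffff"))
    out["v6_default_with_static_at_1"] = rt.lookup("2001:db8::1").kind
    # ... so to prefer the RA default the static route's priority must be raised above 12.
    rt.candidates["::/0"] = [r for r in rt.candidates["::/0"] if r.kind != "static"]
    rt.add(Route("::/0", "static", "lan1", gateway="fe80::ffff", priority=20))
    out["v6_default_with_static_at_20"] = rt.lookup("2001:db8::1").kind
    return out
```

Note that once lan1 fails, traffic for 192.0.2.0/24 itself follows the backup default route via lan2; when reviewing a failover design, check where traffic for the failed segment ends up, not only whether the default still resolves.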


2.23 IPv6 Function

IPv6 is the next-generation Internet protocol intended to replace the IPv4 that is still used primarily today. This device can operate as an IPv6 host.

The IPv6 host functions supported by this device are as follows.

• Static route setting
• Automatic address configuration on reception of a Router Advertisement message
• Automatic default route configuration on reception of a Router Advertisement message
• Automatic ND parameter configuration on reception of a Router Advertisement message
• Automatic source address selection

In addition, this device forwards IPv6 packets as well as IPv4 packets.

The IPv6 router functions supported by this device are as follows.

• Static or dynamic routing
• Packet filtering

Points to be noted

• ICMPv6 Redirect messages are not sent while operating as an IPv6 host.
• When the IPv6 routing function is used, route information with a prefix length of 65 to 127 cannot be registered in the routing table.

Notation Method of IPv6 Address

A 128-bit IPv6 address is written as eight 16-bit groups separated by ":" (colon), each group in hexadecimal. Leading zeros in a group can be omitted. One run of consecutive zero groups can be replaced by "::", at most once in a single address.


IPv6 address system

Just as an IPv4 address is divided into a network part and a host part, an IPv6 address is divided into a prefix and an interface ID. A prefix length of 64 bits is generally used.

  |<-------- n bits -------->|<------ (128 - n) bits ------>|
  |          prefix          |         Interface ID         |

When an address is written together with its prefix length, the prefix length follows the address after a "/".

As with IPv4, the use of an IPv6 address is determined by its leading bits. The addresses that can be used by this device are as follows.

•Global Unicast Addresses
The address normally used for communication. It is generally generated automatically from the address block assigned by the ISP and the Router Advertisement message information received from an IPv6 router.

•Link-Local Unicast Addresses (fe80::/64)
A special address that is valid only on the link (the range reachable without passing through a router). The address begins with the 10 bits 1111 1110 10; normally bits 11 to 64 are 0.

•Multicast Addresses
Multicast addresses begin with the 8 bits 1111 1111 (ff00::/8).

Static or Dynamic Route Settings

The concepts of IPv6 networking and routing are almost the same as for IPv4. The forwarding destination is determined from the route information held in the device. Static route setting (static routing) and dynamic route setting (dynamic routing) are the methods of providing this route information to the device.

With static routing, route information is set in the configuration definition and used as is. It cannot be changed without changing the configuration definition.

With dynamic routing, route information is learned from other nodes on the network by exchanging it with a routing protocol. This device does not support dynamic routing.


Auto settings of Address by Router Advertisement Message Reception

This device supports reception of Router Advertisement messages.

A Router Advertisement message carries the prefix information used on the network. When prefix information is received, a prefix list that tracks the valid lifetime is generated, and an IPv6 address consisting of the prefix and the interface ID is set automatically.

The received prefix information can be viewed with the show ipv6 ra prefix-list command. The automatically configured IPv6 address can be viewed with the show ipv6 route or show interface command.

Points to be noted

• When several prefixes are received on one interface, add only as many as are required for automatic address generation.
• When prefix information (other than an infinite lifetime) is received with a valid lifetime longer than 365 days, it is treated as having a valid lifetime of 365 days.
• Prefix information with a prefix length other than 64 is discarded.
• An IPv6 address is set on the interface only when both the on-link flag and the autonomous address-configuration flag of the prefix information are set.

Auto Settings of Default Route by Router Advertisement Message Reception

When a Router Advertisement message is received, a default route is set with the link-local address of the sending router as the gateway.

When Router Advertisement messages are received from several routers, a default router list of usable routers is generated, and a reachable router from this list is set as the default router. The generated default router list can be viewed with the show ipv6 ra default-router-list command. The default router currently set can be viewed with the show ipv6 route command.

Points to be noted

• When Router Advertisement messages are received from several routers, priority control by router preference is not performed. The first router received is used as the default router.
• The priority value of a default route learned from a Router Advertisement message is 12. To operate it together with a static default route, change the priority value of the static route.

Auto Settings of ND information by Router Advertisement Message Reception

A Router Advertisement message also carries the Neighbor Discovery (ND) parameters used for communication. When the ND parameters in a received Router Advertisement message differ from those saved in this device, the saved parameters are updated.

The ND parameters saved in this device and their initial values are shown below.

• Valid period of reachability of a neighbor (default 30 seconds)
• Transmission interval of Neighbor Solicitation (NS) messages used to confirm neighbor reachability (default 1 second)
• Maximum hop count (default 64)
• MTU recommended for the receiving network (default 1500 bytes)
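The following is an added example, not code from the manual or from Fujitsu, that applies the three Router Advertisement rules above (address autoconfiguration, default router list, ND parameters) to RFC 4861 Router Advertisement messages built in the script itself. The check that the RA source is link-local comes from RFC 4861, not from the manual; the EUI-64 interface ID, the MAC address, prefixes and router addresses are assumptions made for the example.

```python
"""Added example: host-side processing of Router Advertisement messages."""
import struct
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, List, Optional, Tuple

INFINITE_LIFETIME = 0xFFFFFFFF
MAX_LIFETIME = 365 * 24 * 3600      # lifetimes above this are treated as 365 days
RA_PRIORITY = 12                    # priority value of an RA default route


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: flip the universal/local bit and insert ff:fe (assumed IID scheme)."""
    b = bytearray(bytes.fromhex(mac.replace(":", "")))
    b[0] ^= 0x02
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def build_ra(hop_limit, router_lifetime, reachable_ms, retrans_ms, prefixes, mtu=None) -> bytes:
    """Constructed RFC 4861 RA (checksum left 0; it is not verified here)."""
    msg = struct.pack("!BBHBBHII", 134, 0, 0, hop_limit, 0, router_lifetime, reachable_ms, retrans_ms)
    for plen, on_link, autonomous, valid, preferred, prefix in prefixes:
        flags = (0x80 if on_link else 0) | (0x40 if autonomous else 0)
        msg += struct.pack("!BBBBIII", 3, 4, plen, flags, valid, preferred, 0) + IPv6Address(prefix).packed
    if mtu is not None:
        msg += struct.pack("!BBHI", 5, 1, 0, mtu)
    return msg


def parse_ra(msg: bytes) -> dict:
    typ, code, _csum, hop, _flags, lifetime, reach, retrans = struct.unpack_from("!BBHBBHII", msg, 0)
    if typ != 134 or code != 0:
        raise ValueError("not a Router Advertisement")
    options, off = [], 16
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")        # RFC 4861 requires the whole RA be dropped
        body = msg[off:off + olen * 8]
        if otype == 3:                                      # Prefix Information
            plen, pflags, valid, preferred, _ = struct.unpack_from("!BBIII", body, 2)
            options.append(("prefix", {"plen": plen, "on_link": bool(pflags & 0x80),
                                       "autonomous": bool(pflags & 0x40), "valid": valid,
                                       "preferred": preferred, "prefix": IPv6Address(body[16:32])}))
        elif otype == 5:                                    # MTU
            options.append(("mtu", struct.unpack_from("!I", body, 4)[0]))
        off += olen * 8
    return {"hop_limit": hop, "router_lifetime": lifetime, "reachable_ms": reach,
            "retrans_ms": retrans, "options": options}


class Ipv6Host:
    """Host state updated by RAs, following the rules stated in the manual."""

    def __init__(self, mac: str):
        self.iid = eui64_interface_id(mac)
        self.prefix_list: Dict[IPv6Network, int] = {}      # prefix -> valid lifetime (s)
        self.addresses: Dict[IPv6Address, int] = {}        # autoconfigured address -> valid lifetime (s)
        self.default_router_list: List[IPv6Address] = []
        self.default_route: Optional[dict] = None
        self.nd = {"reachable_s": 30, "retrans_s": 1, "hop_limit": 64, "mtu": 1500}   # device defaults
        self.discarded: List[Tuple[str, str]] = []

    def receive_ra(self, src: str, msg: bytes) -> None:
        source = IPv6Address(src)
        if source not in IPv6Network("fe80::/10"):          # RFC 4861: RAs must come from a link-local source
            self.discarded.append(("source", str(source)))
            return
        ra = parse_ra(msg)
        if ra["hop_limit"]:                                  # zero means "unspecified": keep the saved value
            self.nd["hop_limit"] = ra["hop_limit"]
        if ra["reachable_ms"]:
            self.nd["reachable_s"] = ra["reachable_ms"] / 1000
        if ra["retrans_ms"]:
            self.nd["retrans_s"] = ra["retrans_ms"] / 1000
        if ra["router_lifetime"] and source not in self.default_router_list:
            self.default_router_list.append(source)
            if self.default_route is None:                   # first router received wins; preference ignored
                self.default_route = {"gateway": source, "priority": RA_PRIORITY}
        for kind, opt in ra["options"]:
            if kind == "mtu":
                self.nd["mtu"] = opt
            else:
                self._apply_prefix(opt)

    def _apply_prefix(self, p: dict) -> None:
        if p["plen"] != 64:                                  # only /64 prefixes are accepted
            self.discarded.append(("prefix-length", f"{p['prefix']}/{p['plen']}"))
            return
        valid = p["valid"]
        if valid != INFINITE_LIFETIME and valid > MAX_LIFETIME:
            valid = MAX_LIFETIME
        net = IPv6Network(f"{p['prefix']}/64", strict=False)
        self.prefix_list[net] = valid
        if p["on_link"] and p["autonomous"]:                 # both L and A flags are required
            self.addresses[IPv6Address(net.network_address.packed[:8] + self.iid)] = valid


def demo() -> Ipv6Host:
    host = Ipv6Host("00:11:22:33:44:55")
    ra = build_ra(255, 1800, 60000, 2000, [
        (64, True, True, 0xFFFFFFFE, 14400, "2001:db8:1::"),   # lifetime over 365 days: clamped
        (48, True, True, 86400, 14400, "2001:db8:2::"),        # wrong prefix length: discarded
        (64, False, True, 86400, 14400, "2001:db8:3::"),       # L flag clear: listed, no address
    ], mtu=9000)
    host.receive_ra("fe80::1", ra)
    host.receive_ra("fe80::2", build_ra(0, 1800, 0, 0, []))       # joins the list, not the default
    host.receive_ra("2001:db8::9", build_ra(0, 1800, 0, 0, []))   # not link-local: dropped
    return host
```

The source-address check matters on a shared segment: without it, any host that can reach the link can install itself as default router and rewrite the ND parameters, which is the classic rogue-RA problem.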


Auto selection of source address

In IPv6 it is common for several IPv6 addresses to be assigned to one interface. When communication is initiated by this device and the application does not specify an explicit source address, the source address is chosen from the available IPv6 addresses according to a fixed rule.

The source address selection rule supported by this device is based on the following RFC and related draft.

• RFC3484: Default Address Selection for Internet Protocol version 6 (IPv6)

(RFC3484 has since been obsoleted by RFC6724, which changes some of the selection rules.)


2.24 IP Filtering function

The security of the network can be improved by using the IP filtering function of this device together with passwords and other settings.

The IP filtering function improves network security by controlling the packets transmitted and received through this device according to IP address, port number and similar criteria. IP filtering is applied when a packet entering this device matches the specified "acl ip" definition of an ACL definition together with its "acl tcp", "acl udp" or "acl icmp" definition.

To improve network security, the following also need to be considered.

• The security policy of the network
• Elements other than the switch (firewalls, user authentication, etc.)

Points to be noted

This switch cannot prevent computer virus infection. Other countermeasures, such as anti-virus software on the personal computers, are necessary.

The security policy is decided according to connection type

Whether the Internet or similar LANs are connected, data flows in two directions: "from outside to inside" and "from inside to outside". Both directions must be considered when the security policy is decided.

● Example of security policy for data flowing "from outside to inside"
• Configure so that unwanted packets are not accepted.
• Reject access to private hosts.
• Prevent unnecessary access to internal users.

● Example of security policy for data flowing "from inside to outside"
• Limit access to sites that raise legal issues.
• Prevent unnecessary access by internal users.

Supplement

The IP filtering function operates only on data flowing "from outside to inside"; it does not operate on data flowing "from inside to outside" or on data exchanged between personal computers inside the LAN.
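The following is an added example, not code from the manual or from Fujitsu, of how an ordered set of "acl ip" plus "acl tcp"/"acl udp"/"acl icmp" definitions decides the fate of inbound packets. The rule fields, the SYN-only match, the sample policy, the addresses and the default action for packets that match nothing (permit, since the manual says filtering runs only on packets that match a definition) are assumptions made for the example; the last sample packet shows why an IPv4-only policy leaves IPv6 traffic untouched.

```python
"""Added example: ordered ACL evaluation for inbound ("outside to inside") packets."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY4 = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    """Constructed sample packet arriving on the outside-facing port."""
    src: str
    dst: str
    proto: str                        # "tcp", "udp", "icmp" or other
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None
    syn_only: bool = False            # TCP SYN without ACK: a new inbound connection attempt


@dataclass(frozen=True)
class Acl:
    """One ACL definition; field names mirror the manual's terms, the class is illustrative."""
    number: int                                  # definition number; the smallest matching number wins
    action: str                                  # "permit" or "deny"
    src: str = ANY4                              # "acl ip" part: networks and protocol
    dst: str = ANY4
    proto: Optional[str] = None
    sport: Tuple[int, int] = (0, 65535)          # "acl tcp" / "acl udp" part: port ranges
    dport: Tuple[int, int] = (0, 65535)
    icmp_type: Optional[int] = None              # "acl icmp" part
    new_connections_only: bool = False           # assumed capability, for illustration

    def matches(self, p: Packet) -> bool:
        # ip_network containment is False across address families: IPv4 rules never match IPv6 packets
        if ip_address(p.src) not in ip_network(self.src) or ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if p.proto in ("tcp", "udp"):
            if not (self.sport[0] <= p.sport <= self.sport[1] and self.dport[0] <= p.dport <= self.dport[1]):
                return False
            if self.new_connections_only and not p.syn_only:
                return False
        if p.proto == "icmp" and self.icmp_type is not None and self.icmp_type != p.icmp_type:
            return False
        return True


def filter_inbound(acls: List[Acl], p: Packet, default: str = "permit") -> Tuple[str, Optional[int]]:
    """First match in definition-number order decides; unmatched packets are not filtered."""
    for acl in sorted(acls, key=lambda a: a.number):
        if acl.matches(p):
            return acl.action, acl.number
    return default, None


POLICY = [
    Acl(10, "permit", dst="192.0.2.20/32", proto="tcp", dport=(443, 443)),         # the one published service
    Acl(20, "deny", dst="192.0.2.0/24", proto="tcp", new_connections_only=True),   # reject access to private hosts
    Acl(25, "permit", dst="192.0.2.0/24", proto="tcp"),                             # replies to inside-initiated TCP
    Acl(30, "permit", dst="192.0.2.0/24", proto="udp", sport=(53, 53)),             # DNS answers to inside resolvers
    Acl(40, "deny", dst="192.0.2.0/24", proto="udp"),
    Acl(50, "permit", proto="icmp", icmp_type=0),                                    # echo replies to our own pings
    Acl(60, "deny", proto="icmp"),
    Acl(999, "deny"),                                                                # explicit final IPv4 deny
]

SAMPLES = [   # constructed inbound packets
    Packet("203.0.113.5", "192.0.2.20", "tcp", 40000, 443, syn_only=True),
    Packet("203.0.113.5", "192.0.2.10", "tcp", 40001, 22, syn_only=True),
    Packet("198.51.100.80", "192.0.2.10", "tcp", 443, 51000),
    Packet("198.51.100.53", "192.0.2.10", "udp", 53, 3300),
    Packet("203.0.113.5", "192.0.2.10", "udp", 40002, 161),
    Packet("203.0.113.5", "192.0.2.10", "icmp", icmp_type=8),
    Packet("2001:db8::1", "2001:db8:1::5", "tcp", 40003, 22, syn_only=True),
]


def evaluate_samples() -> List[Tuple[str, Optional[int]]]:
    return [filter_inbound(POLICY, p) for p in SAMPLES]
```

The last sample falls through every rule, including the final deny, because all of them are IPv4 definitions; on this device the IPv6 side needs its own "acl ip6" definitions (see 2.25), and a policy review should confirm both families are covered.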


2.25 DSCP Value Rewrite Function

The DSCP value rewrite function rewrites the DSCP value of specified IP packets. Delay within an IP-VPN network can be reduced by changing the DSCP value of delay-sensitive data, such as voice, before it is sent over the IP-VPN. The function is useful when connecting to a carrier VPN service (Super VPN, etc.) that controls packet priority by DSCP value.

The DSCP value rewrite function of this device complies with the following RFC (Request For Comments).

• RFC2474: Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers

The DSCP field is the upper 6 bits of the 8-bit 'Type Of Service (TOS)' field of the IPv4 packet header [RFC791] and of the 8-bit 'Traffic Class' field of the IPv6 packet header [RFC2460]; the DSCP value rewrite function rewrites this field.

• RFC791 Internet Protocol
• RFC2460 Internet Protocol, Version 6 (IPv6) Specification

Destination IP address, destination port number, source IP address, source port number and protocol number can be specified as the 'rewrite' condition. The DSCP value of packets matching the condition is rewritten before transmission. When a packet matches several conditions, the condition with the smallest definition number is used. The DSCP value of packets that are not a target of 'rewrite' is left unchanged.

A packet entering this device is processed by DSCP value rewrite when it matches the specified "acl ip" definition ("acl ip6" definition for IPv6) of an ACL definition together with its "acl tcp", "acl udp" or "acl icmp" definition.

When DSCP rewrite is performed, the output queue can be determined in one of two ways. The first determines the output queue from the relationship between the user priority of the packet and the queue; in this case the DSCP rewrite does not influence the output queue selection. The user priority is the upper 3 bits of TOS or TC (that is, the upper 3 bits of the DSCP before rewrite) when the 'qos classification' function is used, the IEEE802.1p CoS for tagged packets, or the default priority for untagged received packets. The second, used when the 'changeQueue' function is enabled, determines the output queue from the DSCP after rewrite: the output queue is the one associated with the upper 3 bits of the rewritten DSCP treated as the user priority. Priority control for the rewritten DSCP 'traffic' is applied by specifying the priority control algorithm and the priority of the output queue.
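The following is an added example, not code from the manual or from Fujitsu, that performs the DSCP rewrite of 2.25 on IPv4 and IPv6 headers built in the script and derives the output queue in both of the ways described above. The rewrite rules, ports, addresses and the use of the upper 3 DSCP bits as the queue index are assumptions made for the example; preserving the 2 ECN bits and recomputing the IPv4 header checksum follow RFC 2474, RFC 3168 and RFC 791 rather than anything stated in the manual.

```python
"""Added example: DSCP rewrite on IPv4/IPv6 headers and output-queue selection."""
import struct
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum; returns 0 over a header whose checksum is already correct."""
    if len(header) % 2:
        header += b"\0"
    s = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, tos: int = 0, payload: bytes = b"") -> bytes:
    """Constructed minimal IPv4 packet (20-byte header, no options)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0, 64, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_ipv6(src: str, dst: str, nxt: int, tc: int = 0, payload: bytes = b"") -> bytes:
    """Constructed IPv6 packet: version 6, traffic class, flow label 0, no extension headers."""
    return struct.pack("!IHBB16s16s", (6 << 28) | (tc << 20), len(payload), nxt, 64,
                       ip_address(src).packed, ip_address(dst).packed) + payload


def get_dscp(pkt: bytes) -> int:
    version = pkt[0] >> 4
    if version == 4:
        return pkt[1] >> 2                                 # upper 6 bits of the TOS byte
    if version == 6:
        return ((pkt[0] & 0x0F) << 2) | (pkt[1] >> 6)      # TC straddles bytes 0 and 1
    raise ValueError("not an IP packet")


def set_dscp(pkt: bytes, dscp: int) -> bytes:
    """Rewrite the 6 DSCP bits only; the 2 ECN bits are preserved."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is 6 bits")
    b = bytearray(pkt)
    version = b[0] >> 4
    if version == 4:
        b[1] = (dscp << 2) | (b[1] & 0x03)
        ihl = (b[0] & 0x0F) * 4
        b[10:12] = b"\0\0"                                  # checksum covers TOS: recompute it
        b[10:12] = struct.pack("!H", ipv4_checksum(bytes(b[:ihl])))
    elif version == 6:
        tc = (dscp << 2) | ((b[1] >> 4) & 0x03)
        b[0] = (b[0] & 0xF0) | (tc >> 4)
        b[1] = ((tc & 0x0F) << 4) | (b[1] & 0x0F)
    else:
        raise ValueError("not an IP packet")
    return bytes(b)


def parse_flow(pkt: bytes) -> dict:
    """The fields a 'rewrite' condition can name: addresses, protocol number and ports."""
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4
        proto, src, dst, l4 = pkt[9], pkt[12:16], pkt[16:20], pkt[ihl:]
    elif version == 6:
        proto, src, dst, l4 = pkt[6], pkt[8:24], pkt[24:40], pkt[40:]
    else:
        raise ValueError("not an IP packet")
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    return {"src": str(ip_address(src)), "dst": str(ip_address(dst)), "proto": proto,
            "sport": sport, "dport": dport}


@dataclass(frozen=True)
class RewriteRule:
    number: int                  # definition number; the smallest matching number wins
    dscp: int
    src: Optional[str] = None    # None is a wildcard
    dst: Optional[str] = None
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, flow: dict) -> bool:
        return all(getattr(self, k) is None or getattr(self, k) == flow[k]
                   for k in ("src", "dst", "proto", "sport", "dport"))


def dscp_rewrite(pkt: bytes, rules: List[RewriteRule], change_queue: bool) -> Tuple[bytes, int, int]:
    """Returns (packet, DSCP after processing, output queue). Without changeQueue the queue follows
    the user priority, taken here as the upper 3 bits of the DSCP before rewrite ('qos classification'
    case); with changeQueue it follows the rewritten DSCP."""
    before = get_dscp(pkt)
    flow = parse_flow(pkt)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(flow):
            pkt = set_dscp(pkt, rule.dscp)
            break
    after = get_dscp(pkt)
    return pkt, after, (after if change_queue else before) >> 3


RULES = [
    RewriteRule(10, 46, proto=17, dport=16384),   # voice RTP (assumed port) -> EF
    RewriteRule(15, 0, src="10.0.0.99"),          # everything from one host -> best effort
    RewriteRule(20, 26, proto=6, dport=443),      # HTTPS -> AF31
]


def demo() -> dict:
    udp = struct.pack("!HHHH", 16384, 16384, 8, 0)
    tcp = struct.pack("!HH", 40000, 443) + b"\0" * 16
    voice = build_ipv4("10.0.0.5", "10.0.1.7", 17, tos=0x02, payload=udp)     # DSCP 0, ECN ECT(0)
    web_v4 = build_ipv4("10.0.0.99", "10.0.1.7", 6, tos=0xB8, payload=tcp)   # arrives marked EF
    web_v6 = build_ipv6("2001:db8::5", "2001:db8::7", 6, tc=0x00, payload=tcp)
    dns = build_ipv4("10.0.0.5", "10.0.1.53", 17, tos=0x28, payload=struct.pack("!HHHH", 40001, 53, 8, 0))
    out = {}
    pkt, dscp, queue = dscp_rewrite(voice, RULES, change_queue=True)
    out["voice"] = (dscp, queue, pkt[1] & 0x03, ipv4_checksum(pkt[:20]))
    out["voice_queue_without_changequeue"] = dscp_rewrite(voice, RULES, change_queue=False)[2]
    out["web_v4"] = dscp_rewrite(web_v4, RULES, True)[1]                  # rule 15 beats rule 20
    pkt6, dscp6, _ = dscp_rewrite(web_v6, RULES, True)
    out["web_v6"] = (dscp6, pkt6[0] >> 4, struct.unpack("!I", pkt6[:4])[0] & 0xFFFFF)
    out["dns"] = dscp_rewrite(dns, RULES, True)[1]                        # no rule: unchanged
    return out
```

The web_v4 case shows the definition-number rule from the manual: the packet matches both rule 15 and rule 20, and the smaller number wins, so the marking arriving from the untrusted host is cleared rather than upgraded.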

Points to be noted

• When used together with the protocol VLAN function, the QoS function is disabled for frames identified as belonging to a protocol VLAN. Refer to the "vlan protocol" command for how frames are recognized as protocol VLAN frames.
• QoS that uses ACLs is disabled for packets to which the IP MAC filter is applied.

The priority determination method of packets, when set, is as follows.


2.26 RADIUS function

The RADIUS function manages AAA (Authentication, Authorization, Accounting) information using an external server (RADIUS server). When the same AAA information is needed on several devices, or when a large amount of user information must be managed, the authentication information, per-user configuration information and connection time of each user can be managed centrally.

This device supports the RADIUS client function.

The RADIUS client function is used, via AAA, by the RADIUS-capable functions listed below. The AAA information that each function can use is as follows.

  RADIUS-capable function   Authentication method     User information   Accounting
                            (authentication)          (authorization)    (accounting)
  ----------------------------------------------------------------------------------------------------
  IEEE802.1X                EAP-MD5, EAP-TLS,         Not used           ▪ Number of octets sent and received
  authentication            EAP-TTLS, PEAP                               ▪ Number of packets sent and received
                                                                         ▪ Connection time
  ARP authentication        PAP / CHAP (*)            Not used           Not used
  DHCP MAC address check    PAP / CHAP (*)            Not used           Not used

(*) Authentication that uses the MAC address (12 hexadecimal characters without separators) as the user name and the MAC address as the password. Because the MAC address is both user name and password, this identifies a device rather than strongly authenticating it; treat it accordingly in the RADIUS policy.

The RADIUS client function of this device can use several RADIUS servers in a backup configuration or a load-sharing configuration.

Authentication servers and accounting servers defined as RADIUS servers have an alive status and a dead status, with the following meaning.

▪ alive status
The server is available. Servers are used in order of priority, a smaller numerical value in the definition meaning a higher priority. When several servers have the same priority, one is selected at random.

▪ dead status
Use of the server is temporarily stopped because a request to the server address timed out. While a server in alive status exists, the defined priority value of a dead server is not used. When the restoration standby time has elapsed, the server is automatically restored to alive status. If all servers are in dead status when authentication or accounting is carried out, one server is tried at random, and the server that responds is restored to alive status.


Points to be noted

▪ Owing to a restriction of the RADIUS protocol, the number of authentication and accounting requests that can be in progress at the same time is 256. Authentication and accounting fail when 257 or more requests are in progress at the same time.
▪ Even when the RADIUS client function is defined, the user information of the same AAA group is still used. When both the RADIUS client function (aaa radius) and user information (aaa user) are defined in an AAA group, authentication is first carried out by the RADIUS client function. When RADIUS authentication succeeds, the user information is not used; when it fails, authentication is then carried out against the user information. This fallback means a user rejected by RADIUS can still log in with a matching entry in the local user information, so keep those entries to the minimum needed for emergency access.


2.27 SNMP Function

SNMP (Simple Network Management Protocol) is a management protocol for collecting and managing information at the IP and TCP layer level.

In SNMP, the managing device is called the SNMP manager and the managed device is called the SNMP agent. To manage a network with SNMP, the managing side must support the SNMP manager function and the managed side must support the SNMP agent function.

The SNMP manager function manages the operating state and failure state of the terminals on the network uniformly. The SNMP agent function returns the management information, called the MIB (Management Information Base), in response to requests from the SNMP manager. The network is managed by exchanging the parameters defined in the MIB between the SNMP manager and the SNMP agent.

This device supports SNMPv1, SNMPv2c and SNMPv3, and supports the standard MIB and the Fujitsu extended MIB. SNMPv1 and SNMPv2c authenticate requests only by a community string carried in clear text, so where the manager supports it, prefer SNMPv3 with authentication and privacy.

Hint: MIB

MIBs are divided into the standard MIB, which is independent of the device vendor, and vendor-specific extended MIBs. The standard MIB defined in RFC1213 is a virtual information area for accessing the management objects of a managed node. The RFC defines the management information that an SNMP agent must provide: system information about the SNMP node (system name, contact name, etc.) and statistical information on TCP/IP. However, transmission paths, hubs and the like cannot be fully managed with the items defined in the RFC, so each vendor extends the MIB with information about its own protocols and devices; this is called an extended MIB.

MIBs are defined in ASN.1 (Abstract Syntax Notation One) format. To manage an extended MIB from the SNMP manager, the extended MIB is published on the SNMP agent side and its definition is loaded into the SNMP manager so that the information can be collected.


2.27.1 RMON Function

RMON (Remote Network Monitoring) is a standard specification for network monitoring. It monitors the traffic and error state of a LAN from a remote location.

RMON is an extension of SNMP. LAN statistics are stored on the SNMP agent side, and the stored data is returned as an SNMP response to requests from the SNMP manager (or RMON manager).

This device supports the RMON groups listed below.

• statistics group
Collects basic statistics, such as packet counts and error counts, for the monitored Ethernet port.

• history group
Stores the same kind of totals as the statistics group as history information. Because the history is stored in the device as statistics for fixed periods, the SNMP manager (or RMON manager) can obtain the statistics by collecting them periodically.


2.28 SSH server function

The SSH server function provides a remote login function (ssh server) similar to the TELNET server function, and a remote file transfer function (sftp server) similar to the FTP server function. With the TELNET and FTP server functions, the content of the communication may be intercepted because it is sent as plain text. With the SSH server function, host authentication and encrypted communication allow the login and file transfer functions to be used safely.

The SSH host authentication key of this device is generated at power-on and at reset. Generation takes from a few seconds to a few minutes. A syslog message is output when host key generation starts and when it completes, and SSH connections to this device are accepted from the point at which generation is complete. When the SSH host authentication key of this device needs to be registered in the SSH client software beforehand, register the key displayed by the 'show ssh server key dsa' and 'show ssh server key rsa' commands on this device. Because the key is generated at power-on and reset, re-check the displayed key over the console after a restart before accepting a changed key in the client; a changed key alone cannot distinguish a restarted device from another system answering in its place.

When an SSH connection is made, this device sends its SSH host authentication key to the SSH client; if it differs from the key saved in the client, the SSH connection is rejected. Therefore, when a device has been exchanged or its host key has otherwise changed, connect after deleting or resetting the SSH host authentication key saved for it in the SSH client software.

The password prompt is then displayed; it may take some time to appear because of the SSH host authentication process. The SSH server function can be stopped completely by setting both the serverinfo ssh and serverinfo sftp commands to 'off'.

ssh clients and sftp clients both connect to the SSH port. While either ssh or sftp in the serverinfo command is 'on', the SSH port of this device accepts both kinds of connection in the same way; a client for the service that is set to 'off' is not rejected until the password has been entered.

Points to be noted

When this device is started with the SSH server function completely stopped and either SSH function in the serverinfo command is enabled afterwards, it takes time to generate the SSH host authentication key when the change takes effect. During this time other processing may be affected, for example by session monitoring time-outs.


Differences between an sftp connection and an ftp connection

  Item                        sftp connection                                 ftp connection
  User ID specification       Before connection (given as part of the sftp    After connection (entered at the
                              client command when starting the connection)    client's prompt once connected)
  Binary mode specification   No                                              Yes

SSH server function supported by this device

  Item                                 Supported content
  SSH server version                   OpenSSH 3.9p1
  SSH protocol version                 SSH protocol version 2 only
  SSH port number / protocol           22 / TCP
  IP protocol version                  IPv4, IPv6
  Host authentication protocol         RSA
  Host authentication key algorithms   ssh-rsa, ssh-dss
  Encryption algorithms                aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, arcfour, aes192-cbc,
                                       aes256-cbc, rijndael-cbc@lysator.liu.se, aes128-ctr, aes192-ctr, aes256-ctr
  Message authentication algorithms    hmac-md5, hmac-sha1, hmac-ripemd160, hmac-ripemd160@openssh.com,
                                       hmac-sha1-96, hmac-md5-96
  Simultaneous connections             1


2.28.1 SSH client software

Because the SSH server function of this device supports only SSH protocol version 2, use SSH client software (ssh client and sftp client software) that supports SSH protocol version 2.

Note also that current OpenSSH clients no longer enable several of the algorithms in the table above by default: the CBC ciphers, arcfour and the MD5-based and 96-bit MACs have been dropped from the client defaults, ssh-dss host keys are disabled by default since OpenSSH 7.0, and ssh-rsa (SHA-1 signature) host keys since OpenSSH 8.8. The aes*-ctr ciphers and hmac-sha1 remain in the defaults, so typically only HostKeyAlgorithms +ssh-rsa needs to be re-enabled; confine such settings to a Host stanza for this device rather than the client's global configuration.
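The following is an added example, not code from the manual or from Fujitsu, of the check the text above asks for: comparing the ssh-rsa host key a device offers against the fingerprint read over a trusted path before pinning it in known_hosts. The RFC 4253 key encoding and the OpenSSH fingerprint formats are standard; the key material, host address, the assumption that the fingerprint from 'show ssh server key rsa' is available in one of these two formats, and the ssh_config stanza are assumptions made for the example.

```python
"""Added example: verifying and pinning a device's ssh-rsa host key."""
import base64
import hashlib
import struct
from typing import Tuple


def _ssh_string(data: bytes) -> bytes:
    return struct.pack("!I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    # RFC 4251 mpint: big-endian two's complement, so a leading 0x00 is needed when the top bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def ssh_rsa_blob(e: int, n: int) -> bytes:
    """RFC 4253 'ssh-rsa' public key encoding: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def parse_ssh_rsa(blob: bytes) -> Tuple[str, int, int]:
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack_from("!I", blob, off)
        off += 4
        if off + length > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[off:off + length])
        off += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    return "ssh-rsa", int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH fingerprint: SHA256:<unpadded base64 of the digest of the key blob>."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy OpenSSH fingerprint format, still what older devices and clients display."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def known_hosts_line(host: str, port: int, blob: bytes) -> str:
    pattern = host if port == 22 else f"[{host}]:{port}"
    return f"{pattern} ssh-rsa {base64.b64encode(blob).decode()}"


def verify_and_pin(host: str, port: int, received_key_b64: str, expected_fingerprint: str) -> str:
    """Compare the key offered by the device with the fingerprint obtained over a trusted path
    (console output of 'show ssh server key rsa'); on a match return the known_hosts entry."""
    blob = base64.b64decode(received_key_b64)
    parse_ssh_rsa(blob)                                    # structural check before trusting anything
    if expected_fingerprint not in (fingerprint_sha256(blob), fingerprint_md5(blob)):
        raise ValueError("host key fingerprint mismatch: do not connect, re-check over the console")
    return known_hosts_line(host, port, blob)


def ssh_config_stanza(host: str) -> str:
    """Client settings confined to this device (assumed to be all that modern OpenSSH needs here)."""
    return "\n".join([f"Host {host}", "    HostKeyAlgorithms +ssh-rsa", "    StrictHostKeyChecking yes"])


def demo() -> dict:
    # constructed key material for illustration only: a real RSA modulus is 2048 bits or more
    e, n = 65537, 0xD3A5F2C1B4E6978F
    blob = ssh_rsa_blob(e, n)
    offered = base64.b64encode(blob).decode()
    out = {"parsed": parse_ssh_rsa(blob), "sha256": fingerprint_sha256(blob), "md5": fingerprint_md5(blob)}
    out["pinned"] = verify_and_pin("10.0.0.1", 22, offered, out["sha256"])
    try:
        verify_and_pin("10.0.0.1", 22, offered, "SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
        out["mismatch_rejected"] = False
    except ValueError:
        out["mismatch_rejected"] = True
    out["config"] = ssh_config_stanza("10.0.0.1")
    return out
```

With StrictHostKeyChecking set to yes, a key that changes after a device restart or exchange fails the connection outright instead of prompting, which is the behaviour wanted for an automated maintenance workflow.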


2.29 Application Filter Function

The application filter function controls access to each server function running on this device. Access to the server functions used for maintenance of this device, and the terminals allowed to use them, can thereby be restricted, which increases security.


2.30 TACACS+ Function

The TACACS+ function manages AAA (Authentication, Authorization, Accounting) information using an external server (TACACS+ server). When the same AAA information is required on several devices, or when a large amount of user information must be managed, the authentication, authorization and accounting information can be managed centrally. This device supports the user authentication function and the command authorization function of the TACACS+ client function. The user authentication function authenticates the user when logging in to this device. The command authorization function authorizes each command that the logged-in user executes on this device.

The TACACS+ client function can use several TACACS+ servers in a backup configuration or a load-sharing configuration.

The meaning of each server status is as follows.

alive status
The server is available. Servers are used in order of priority, a smaller definition value meaning a higher priority. When several servers have the same priority, one is selected at random.

dead status
Use of the server is temporarily stopped because the TCP connection to the server failed or a request to the server timed out. While a server in alive status exists, the defined priority value of a dead server is not used. When the restoration standby time has elapsed, the server is automatically restored to alive status. If all servers are in dead status when authentication or authorization is carried out, one server is tried at random, and the server that responds is restored to alive status.

Points to be noted

• The accounting function of the TACACS+ client function is not supported.
• The TACACS+ client function cannot be used together with the RADIUS client function. When both the RADIUS client function (aaa radius) and the TACACS+ client function (aaa tacacsp) are defined in an AAA group, the TACACS+ client function is disabled.
• When both the TACACS+ client function and user information (aaa user) are defined in an AAA group, authentication is carried out by the TACACS+ client function. If TACACS+ authentication fails, no authentication against the user information is carried out.
• When the shared key for the TACACS+ server is omitted from the definition, the authentication and authorization data is not encrypted. Define the shared key so that this data is encrypted. Note that the body protection TACACS+ derives from the shared key is an MD5-based obfuscation (RFC 8907 describes it as such), not modern encryption, so carry TACACS+ traffic over a trusted management network.
• The TACACS+ command authorization function is enabled only for sessions that logged in using the TACACS+ user authentication function.
• The authority class granted by TACACS+ user authentication depends on whether a manager password (password admin set) is configured.
• The TACACS+ command authorization function does not operate for Web settings or for FTP/SFTP; restrict access to those interfaces separately, for example with the application filter function (2.29).

The authorization settings that the TACACS+ command authorization function requires for commands that execute other commands internally are shown below.

  Executed command      Commands for which authorization settings are required
  diff                  show running-config (when diff is executed against running-config)
  show tech-support     show (all show commands)
  save                  show (all show commands)
  load                  all commands in the loaded configuration definition

The authority class granted at authentication, depending on the manager password, is as follows.

<When no manager password exists>
Only the general user class is authenticated.

<When a manager password exists>
Authentication is attempted for the manager class; if it fails, the general user class is authenticated.


2.31 LDAP Function

The LDAP function manages AAA (Authentication, Authorization, Accounting) information using an external server (LDAP server). When the same AAA information is required on many devices, or when a large amount of user information must be managed, the authentication information can be managed centrally.

This device supports the user authentication function of the LDAP client function. The user authentication function authenticates the user when logging in to this device.

The LDAP client function can use several LDAP servers in a backup configuration or a load-sharing configuration.

The meaning of each server status is as follows.

▪ alive status
The server is available. Servers are used in order of priority, a smaller numerical value in the definition meaning a higher priority. When several servers have the same priority, one is selected at random.

▪ dead status
Use of the server is temporarily stopped because the TCP connection to the server failed or a request to the server timed out. While a server in alive status exists, the defined priority value of a dead server is not used. When the restoration standby time has elapsed, the server is automatically restored to alive status. If all servers are in dead status at the time of authentication, one randomly selected server is tried, and the server that responds is restored to alive status.

Points to be noted

▪ The LDAP client function cannot be used together with the RADIUS client function or the TACACS+ client function. When the RADIUS client function (aaa radius) or the TACACS+ client function (aaa tacacsp) is defined in an AAA group together with the LDAP client function, the LDAP client function is disabled. When both the LDAP client function and user information (aaa user) are defined in an AAA group, authentication is carried out by the LDAP client function. Even if LDAP authentication fails, no authentication against the user information is carried out.
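The alive/dead server handling is the same for the RADIUS (2.26), TACACS+ (2.30) and LDAP (2.31) client functions, while only RADIUS groups fall back to the local user information. The following model of that behaviour is an added example, not code from the manual or from Fujitsu: server names, priorities, the restoration standby time and the simulated server answers are assumptions, and a timeout is treated as a failure of that server for the current request, which then moves on to the next candidate.

```python
"""Added example: alive/dead AAA server selection and per-backend local fallback."""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Server:
    name: str
    priority: int            # smaller definition value = higher priority
    dead_until: float = 0.0  # alive while now >= dead_until

    def alive(self, now: float) -> bool:
        return now >= self.dead_until


class AaaServerPool:
    def __init__(self, servers: List[Server], restore_wait: float, rng: Optional[random.Random] = None):
        self.servers = servers
        self.restore_wait = restore_wait        # "restoration standby time"
        self.rng = rng or random.Random()

    def _pick(self, now: float, exclude: List[Server]) -> Tuple[Optional[Server], bool]:
        candidates = [s for s in self.servers if s not in exclude]
        if not candidates:
            return None, False
        alive = [s for s in candidates if s.alive(now)]
        if alive:                                # priorities of dead servers are ignored while any is alive
            best = min(s.priority for s in alive)
            return self.rng.choice([s for s in alive if s.priority == best]), False
        return self.rng.choice(candidates), True  # all dead: one random trial

    def request(self, now: float, send: Callable[[Server], Optional[bool]]) -> Optional[bool]:
        """send() returns True (accept), False (reject) or None (timeout / connection failure)."""
        tried: List[Server] = []
        while True:
            srv, _all_dead = self._pick(now, tried)
            if srv is None:
                return None                      # no server answered
            tried.append(srv)
            answer = send(srv)
            if answer is None:
                srv.dead_until = now + self.restore_wait   # mark dead, try the next candidate
                continue
            srv.dead_until = 0.0                 # a response restores alive status
            return answer


def authenticate(backend: str, pool: AaaServerPool, local_users: Dict[str, str],
                 user: str, password: str, now: float,
                 send: Callable[[Server, str, str], Optional[bool]]) -> str:
    """AAA group behaviour from the manual: 'radius' groups fall back to aaa user entries when
    the server does not accept the user; 'tacacsp' and 'ldap' groups do not."""
    answer = pool.request(now, lambda s: send(s, user, password))
    if answer is True:
        return "accepted:" + backend
    if backend == "radius" and local_users.get(user) == password:
        return "accepted:local"
    return "rejected"


def demo() -> dict:
    a, b, c = Server("aaa1", 1), Server("aaa2", 2), Server("aaa3", 2)
    pool = AaaServerPool([a, b, c], restore_wait=60, rng=random.Random(7))
    out = {}
    out["first"] = pool.request(0, lambda s: None if s.name == "aaa1" else True)   # aaa1 times out
    out["a_dead_at_10"] = not a.alive(10)
    out["a_alive_at_60"] = a.alive(60)
    pool.request(100, lambda s: None)                                               # everything times out
    out["all_dead"] = all(not s.alive(101) for s in pool.servers)
    out["recovered"] = pool.request(101, lambda s: True if s.name == "aaa3" else None)
    out["c_alive_after"] = c.alive(101)
    out["a_still_dead"] = not a.alive(101)
    local = {"ops": "s3cret"}                                                       # constructed aaa user entry
    reject_all = lambda s, u, p: False
    out["radius_fallback"] = authenticate("radius", pool, local, "ops", "s3cret", 200, reject_all)
    out["tacacs_no_fallback"] = authenticate("tacacsp", pool, local, "ops", "s3cret", 200, reject_all)
    return out
```

The last two results are the point to remember when choosing a backend: with RADIUS, a server reject is not final if a local entry exists, whereas with TACACS+ and LDAP the server's decision stands.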


2.32 IEEE802.1Q Tunneling Function

The IEEE802.1Q tunneling function is designed for service providers. With IEEE802.1Q tunneling, a customer's VLAN traffic can be carried across the service provider network without affecting other VLAN traffic.

In the following figure, packets sent from the customer's 802.1Q tag port to the service provider's tunnel port already carry an 802.1Q tag. When such a packet is received by the tunnel port of the service provider's edge switch and sent out of the provider's 802.1Q tag port, another 802.1Q tag is added on top of it (double tag). While the packet is forwarded inside the service provider network, switching is performed on the outer tag that was added at the edge, so the original 802.1Q tag is preserved. When the packet leaves the edge switch through its tunnel port towards the customer's switch, the outer tag is removed and no tag is added, so the customer receives the packet with only its original tag.

Merits of introduction

When a service provider offers Ethernet WAN service to multiple customers, the VLAN IDs used by different customers may overlap, and the VLAN ID limit (4096) of the IEEE802.1Q specification may quickly be exceeded. With IEEE802.1Q tunneling, the carrier-side switch adds a second tag to the tagged traffic transmitted by the customer. Accordingly, all of a customer's VLAN traffic can be carried as a single provider VLAN, which solves both the VLAN ID duplication problem and the VLAN management problem.
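The tag push at the tunnel port and the tag pop on the way back out, modelled on raw Ethernet frames as an added example. This is not Fujitsu code and does not reproduce the device's forwarding path; it assumes the outer tag uses the same TPID 0x8100 as the customer tag (as the manual's "another 802.1Q tag" suggests), omits the FCS, and uses constructed MAC addresses and payload. Two customers both using VLAN 100 are carried in different provider VLANs, and the frame handed back to the customer is byte-for-byte what the customer sent.

```python
# Added example (not Fujitsu code): push/pop of the provider tag at an
# IEEE802.1Q tunnel port, modelled on raw Ethernet frames. Assumptions: the
# outer tag uses TPID 0x8100 like the inner one, and the FCS is omitted.
import struct

TPID_8021Q = 0x8100


def build_tagged_frame(dst, src, vid, ethertype, payload, pcp=0):
    """Customer frame with a single 802.1Q tag (dst/src are 6-byte MACs)."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def tunnel_port_receive(frame, provider_vid, pcp=0):
    """Tunnel port ingress: push the provider tag; whatever the customer sent,
    tagged or not, is kept intact behind it."""
    tci = (pcp << 13) | (provider_vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def tunnel_port_transmit(frame, provider_vid):
    """Tunnel port egress: pop the outer tag only; the customer tag survives."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q or (tci & 0x0FFF) != provider_vid:
        raise ValueError("outer tag is not the expected provider VLAN")
    return frame[:12] + frame[16:]


def vlan_stack(frame):
    """Return (list of VLAN IDs outermost first, final EtherType)."""
    vids, off = [], 12
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)
        off += 4
    return vids, struct.unpack("!H", frame[off:off + 2])[0]


def demo():
    """Two customers both using VLAN 100 (constructed sample data)."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    ipv4 = b"\x45" + b"\x00" * 19  # minimal stand-in for an IPv4 header
    cust_a = build_tagged_frame(dst, src, 100, 0x0800, ipv4)
    cust_b = build_tagged_frame(dst, src, 100, 0x0800, ipv4)
    # Each customer is mapped to its own provider VLAN at the edge switch.
    in_core_a = tunnel_port_receive(cust_a, provider_vid=3000)
    in_core_b = tunnel_port_receive(cust_b, provider_vid=3001)
    delivered_a = tunnel_port_transmit(in_core_a, provider_vid=3000)
    return {
        "customer": vlan_stack(cust_a),
        "core_a": vlan_stack(in_core_a),
        "core_b": vlan_stack(in_core_b),
        "delivered": vlan_stack(delivered_a),
        "customer_tag_untouched": delivered_a == cust_a,
    }
```

The outer tag is the only thing separating the two customers inside the provider network, which is why the manual's note below matters: a non-tunnel port that is 'untag' in the same VLAN never sees that outer tag, so whatever the customer put in its own tag is interpreted directly on that port.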

Points to be noted

▪ A port on which the STP (Spanning Tree) function or the LLDP (Link Layer Discovery Protocol) function is defined cannot be used as a tunnel port.

▪ In a VLAN to which an IEEE802.1Q tunnel port belongs, packets may be delivered to the wrong destination, because the double tag is not applied on ports that are not IEEE802.1Q tunnel ports and that are set to 'untag' in that VLAN.

▪ On an IEEE802.1Q tunnel port, the "acl vlan" definition operates on the VLAN in which the port is set to 'untag'.

[Figure: IEEE802.1Q tunneling. Customer sites connect through 802.1Q tag ports to 802.1Q tunnel ports on the service provider's edge switches; between the provider's 802.1Q tag ports the frames carry a double tag (802.1Q tag + 802.1Q tag), and only the original 802.1Q tag is delivered to the customer on the far side.]


▪ When used together with the protocol VLAN function, a frame received on an IEEE802.1Q tunnel port that is recognized as belonging to a protocol VLAN is assigned to that protocol VLAN, and the IEEE802.1Q tunneling function is disabled for that frame.


2.33 CEE Function

The CEE (Converged Enhanced Ethernet) function adds to Ethernet the extensions required to consolidate different types of conventional communication, such as LAN, IPC and SAN, onto one network. It is used for FCoE (Fibre Channel over Ethernet), which carries the Fibre Channel protocol of a SAN (Storage Area Network) over Ethernet. This device supports the element technologies shown below as CEE functions.

ETS (Enhanced Transmission Selection)

A function that groups the flows of multiple traffic classes (Traffic Class or Priority) into traffic class groups (Traffic Class Group or Priority Group, PG) and guarantees each traffic class group a minimum share of the bandwidth by restricting the amount of traffic each group may send. It is specified in IEEE802.1Qaz. It is assumed that different types of communication such as LAN, IPC and SAN are assigned to separate traffic class groups.

DCBX (Data Center Bridging eXchange)

Defines the information exchanged between peer CEE devices and is specified as part of IEEE802.1Qaz together with ETS. Each peer advertises its ETS and PFC settings, and a process that reconciles the settings of both peers is executed. It is implemented as an LLDP extension.

PFC (Priority-based Flow Control)

The flow control function explained in section 2.2 works at link level; PFC extends it so that the flow of each Priority can be controlled individually. It is specified in IEEE802.1Qbb. For example, PFC is typically enabled for the Priority or PG that carries a protocol sensitive to frame loss, such as FCoE, and disabled for flows that achieve high throughput even if some loss is accepted.

Points to be noted

▪ Although the CEE function can be enabled or disabled per port or per link aggregation, bandwidth control and PFC control cannot be guaranteed for frames forwarded between a port with the CEE function enabled and one with it disabled, or between ports with different CEE settings. Either make the settings uniform on all ports, or use the egress permission command or VLAN settings so that no frames are forwarded between ports with the CEE function enabled and disabled or between ports with different settings.

▪ The CEE function cannot be used simultaneously with the mirror target function, the output rate control function or the IEEE802.1Q tunneling function. These functions cannot be used on a port on which the CEE function is enabled.

[Figure: FCoE with CEE. A server's CNA expansion board sends LAN (IP) and SAN (Fibre Channel) traffic over one link to an FCoE enabled switch; DCBX is exchanged between the CNA and the switch, which forwards the FCoE traffic to the SAN and the IP traffic to the LAN.]

▪ On a port where the CEE function is enabled, the queue specification and queue change settings of ACLs for ETHER ports are disabled.

▪ On a port where the CEE function is enabled, the priority control function using WRR and WDRR, the queue specification and queue change settings of ACLs for VLANs, the link-level flow control function explained in section 2.2, and the per-priority queue assignment set by the qos cosmap command are ignored.

▪ When traffic class group 15 is used, traffic class group 15 is forwarded with the highest priority, and the other traffic class groups share the remaining bandwidth according to their respectively specified bandwidth ratios.

▪ PFC becomes enabled only after the negotiation between peers has been completed by DCBX.

▪ The length of the output queue for frames of a PFC-enabled traffic class group is not restricted by PFC, irrespective of the buffermode command settings. Therefore, when many frames of a PFC-enabled traffic class group accumulate, frames of other traffic class groups or of other ports may be discarded more easily.

▪ The CEE function is effective for frames smaller than 2300 bytes. For larger frames, flow control does not work effectively and bandwidth control may not behave as expected.

▪ Although the bandwidth of each traffic class group is specified as a percentage, there is a limit on the ratio between the minimum and maximum bandwidth that can actually be controlled. When only two traffic class groups, both with PFC disabled, are defined, the ratio between minimum and maximum bandwidth is 1:14. When only three traffic class groups, all with PFC enabled, are defined, the ratio is 1:7. When traffic class groups with PFC enabled and with PFC disabled are both defined, the ratio is approximately 1:4. For example, on a 10 Gbps port with one PFC-enabled and one PFC-disabled traffic class group, even if the bandwidth is set to 10% and 90%, the actual control is 2 Gbps and 8 Gbps.
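What the minimum:maximum ratio limit does to the configured ETS percentages, as an added Python example. This is not Fujitsu code: the manual states the ratios for the three combinations above but not how the hardware arrives at the effective split, so the clamping rule used here (raise every share that falls below max/ratio, then renormalise to 100%, repeating until stable) is an assumption; it reproduces the manual's 10/90 to 2 Gbps/8 Gbps case and generalises it to more than two groups. Combinations the manual does not mention raise an error rather than guessing a ratio.

```python
# Added example (not Fujitsu code): what the minimum:maximum bandwidth limit
# does to the percentages configured for ETS traffic class groups. The
# clamping rule (raise every share below max/ratio and renormalise) is an
# assumption; the device's real algorithm is not described in the manual.

def max_bandwidth_ratio(pfc_enabled):
    """Largest max:min ratio the device can control, for the cases the manual
    states. pfc_enabled holds one bool per traffic class group."""
    n, on = len(pfc_enabled), sum(pfc_enabled)
    if n == 2 and on == 0:
        return 14  # two groups, PFC disabled on both
    if n == 3 and on == 3:
        return 7   # three groups, PFC enabled on all
    if 0 < on < n:
        return 4   # PFC-enabled and PFC-disabled groups mixed: about 1:4
    raise ValueError("ratio for this combination is not documented")


def effective_shares(percent, ratio, max_rounds=20):
    """Adjust configured percentages so no share is below max/ratio."""
    shares = [float(p) for p in percent]
    if abs(sum(shares) - 100.0) > 1e-9:
        raise ValueError("shares must sum to 100")
    for _ in range(max_rounds):
        floor = max(shares) / ratio
        raised = [max(s, floor) for s in shares]
        if all(abs(a - b) < 1e-9 for a, b in zip(raised, shares)):
            break  # stable: every share is within the controllable ratio
        total = sum(raised)
        shares = [s * 100.0 / total for s in raised]
    return shares


def to_gbps(shares, link_gbps=10):
    """Translate percentage shares into bandwidth on a link of link_gbps."""
    return [round(s * link_gbps / 100.0, 3) for s in shares]


def demo():
    # The manual's own case: a 10 Gbps port, one PFC-enabled and one
    # PFC-disabled group, configured 10 % / 90 %.
    ratio = max_bandwidth_ratio([True, False])
    eff = effective_shares([10, 90], ratio)
    return {"ratio": ratio, "percent": [round(s, 1) for s in eff],
            "gbps": to_gbps(eff)}
```

The practical consequence is that a group configured far below its neighbours does not get what was typed in: under the 1:4 limit the 10% group is lifted to 20%, which on a 10 Gbps port is the 2 Gbps the manual quotes.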


2.34 Edge virtual switch function

The edge virtual switch (Edge Virtual Bridging) function is required in the switch adjacent to the servers in a server virtualization environment. In such an environment a virtual switch running on the server virtualization software switches the communication between virtual machines, so the adjacent physical switch has to process frames according to the type of virtual switch in use. This device supports the following elemental technologies as edge virtual switch functions.

▪ Virtual Ethernet Bridge (VEB)

Communication between virtual machines on the same physical machine is carried out by the virtual switch that runs in the virtualization software.

▪ Virtual Ethernet Port Aggregator (VEPA)

A technology that offloads the processing of the virtual switch to the external physical switch. The physical switch identifies each virtual machine by its MAC address, and a frame addressed to a virtual machine on the same physical server is sent back on the port it was received on (reflective relay).

Points to be noted

▪ A port on which the STP (spanning tree) function is defined cannot be used.

▪ When the function is to be defined on a link aggregation, define it identically on all the ports that constitute the link aggregation.
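The forwarding decision that distinguishes a VEPA-facing port from an ordinary bridge port, as an added Python model. This is not Fujitsu code and does not describe the device's implementation; the port numbers and MAC addresses are constructed, and the choice to include the ingress port when flooding unknown destinations on a reflective-relay port is an assumption. It shows why reflective relay is needed: a standard bridge never sends a frame back out the port it arrived on, so two virtual machines behind the same physical port could not talk through the switch at all.

```python
# Added example (not Fujitsu code): forwarding decision of an adjacent
# switch with and without reflective relay on a VEPA-facing port. Port
# numbers, MAC addresses and the flooding behaviour with reflective relay
# (ingress port included) are assumptions for the illustration.

class EdgeSwitch:
    def __init__(self, ports, reflective_relay=()):
        self.ports = list(ports)
        self.reflective_relay = set(reflective_relay)  # ports facing a VEPA
        self.mac_table = {}  # MAC -> port, learned from source addresses

    def forward(self, ingress, src, dst):
        """Return the sorted list of ports the frame is sent out of."""
        self.mac_table[src] = ingress  # MAC learning identifies each VM
        known = self.mac_table.get(dst)
        egress = {known} if known is not None else set(self.ports)  # flood
        if ingress not in self.reflective_relay:
            # Standard 802.1D bridge: never send a frame back where it came from.
            egress.discard(ingress)
        return sorted(egress)


VM_A, VM_B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"  # VMs on the same server
HOST_C = "02:00:00:00:00:0c"                            # host on another port


def demo():
    """Same traffic through a plain switch and one with reflective relay on port 1."""
    results = {}
    for label, rr in (("plain", ()), ("vepa", (1,))):
        sw = EdgeSwitch(ports=[1, 2, 3], reflective_relay=rr)
        sw.forward(1, VM_A, HOST_C)   # learn VM_A on port 1
        sw.forward(2, HOST_C, VM_A)   # learn HOST_C on port 2
        sw.forward(1, VM_B, HOST_C)   # learn VM_B on port 1
        results[label] = {
            "a_to_b": sw.forward(1, VM_A, VM_B),    # both VMs behind port 1
            "a_to_c": sw.forward(1, VM_A, HOST_C),
            "a_to_unknown": sw.forward(1, VM_A, "02:00:00:00:00:ff"),
        }
    return results
```

With the plain bridge the VM-to-VM frame is dropped (it would have to go back out port 1), which is exactly the traffic a VEB handles inside the hypervisor; with reflective relay enabled on port 1 the switch returns it on that port, so the external switch, and any ACLs or monitoring on it, see the VM-to-VM traffic.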