General Port – tagged/untagged

•   Example - VLAN on port tagged on input and tagged on
    output:
console(config)# inte...
General Mode – Ingress Filtering

•   Use the following command to disable ingress filtering on a General
    Mode VLAN po...
General Mode – Acceptable Frame Type

•   Use the following Interface Mode command to discard untagged
    frames at ingre...
Forbidding VLAN - Configuration
•   Use the following Interface Mode command to forbid the
    definition of a specific VL...
VLAN Show Commands

•  Use the following EXEC mode command to view entire device VLAN
   configuration:
show vlan

•  Use ...
VLAN Show Commands

•     Example – Show VLAN device configuration:

console# show vlan


Vlan       Name                 ...
VLAN Show Commands
•    Example – Show ports on VLAN with tag=3:
console# show vlan tag 3
Vlan       Name                 ...
VLAN Show Commands

• Use the following EXEC mode command to show VLAN
  configuration (Mode, PVID and configured VLANs) f...
VLAN Show Commands
•     Example – VLAN details of port 1/e14:
console# show interfaces switchport ethernet 1/e14
Port : 1...
Adding a Static MAC Address

•   Use the following VLAN interface mode command to add a
    static MAC entry to one of the...
Adding a Static MAC Address

•   Note
     – The MAC addresses are added per VLAN, and not per device
     – The type of e...
Example - Static MAC Addresses
•   Example – adding 3 static mac entries to VLAN 2:
     – One permanent (default)
     – ...
Address Table Commands
•  Use the following Global mode command to set the MAC table
   aging time (10-360 seconds).
bridg...
Address Table Show Commands

•   Use the following Privileged EXEC mode command to show
    the MAC address table of devic...
Example – Aging & Clear Bridge
•    Example – Showing address table, setting aging time to 100,
     and clearing bridge f...
Address Table Show Commands


 •    Example – show MAC address entries for a specific port:

 console# show bridge address...
Address Table Show Commands


•       Example – show MAC addresses for a VLAN:
console# show bridge address-table vlan 2
A...
Address Table Show Commands


• Use the following Privileged EXEC mode command to show
  only static MAC entries:
show bri...
Bridge (Address Table) Show Commands

•       Example – show device static MAC address entries:

console# show bridge addr...
Address Table Show Commands


• Use the following Privileged EXEC mode command to show
  number of MAC entries:
show bridg...
Bridge (Address Table) Show Commands

•   Example – show device MAC address count:

console# sh bridge address-table count...
Ghost VLAN Settings
Feature      Commands                    Configuring on a      Configuring on   Deletion
             ...
VLAN Configuration Examples
Example #1
(figure; labels: PVID#100, Port 24, Internet, PVID#2, PVID#3)
Example #1. Requirements.

•   All servers are connected to the dedicated VLAN with VID#100.

•   There are two workgroups...
Example #1 - Implementation.

    Port#    VLAN#     PVID#   Port Mode


     1-3       2,3      100     Trunk
           ...
Example #1 - CLI
console(config)#
console(config)# vlan database
console(config-vlan)# vlan 2-3,100
console(config-vlan)# ...
Example #1 - CLI Cont’
console(config)# interface range ethernet 1/e14-23
console(config-if)# switchport mode general
cons...
Example #1 - CLI Cont’
console# show vlan


Vlan             Name                       Ports             Type            ...
Example #1 - CLI Cont’
console# show interfaces switchport ethernet 1/e3
Port : 1/e3
Port Mode: Trunk
Gvrp Status: disable...
Example #2.
(figure; label: WEB Server)
Example #2 - Requirements.
 •   All servers are connected to the Layer 2 switch (Server’s
     aggregator)

 •   There are...
Example #2 - Implementation
    Port         VLAN        PVID     Port Mode

    1-4            2          2        Access...
Example #2 - CLI
console(config)# vlan database
console(config-vlan)# vlan 2-5
console(config-vlan)# exit
console(config)#...
Example #2 - CLI Cont’
console(config-if)# exit
console(config)# interface range ethernet 1/e17-20
console(config-if)# cha...
Example #2 - CLI Cont’

console(config-if)# exit
console(config)# interface port-channel 1
console(config-if)# switchport ...
Example #2 - CLI Cont’
console# show vlan


Vlan               Name                     Ports              Type           ...
VLAN Troubleshooting
General Switch Issues
Problems reported by customers are usually related somehow to
common connectivity issues (two PCs ca...
Possible          Problem         Solution
problem           description

There is no       Port within     1.    Use show...
Possible          Problem           Solution
problem           description
There is no       Port within the   5.    Use s...
Port Connectivity Troubleshooting
Hardware Problems.
 •   CLI shows the port state – up and down either via ASCII terminal...
Troubleshooting Security Problems


•   Unfortunately, security problems in the modern networks are very
    common to...
Troubleshooting Security Problems

•   In addition to the standard list of a well known internal network
    intrusions we...
How to Troubleshoot Hacker Attacks?


•   Constantly change passwords and User Names
•   Periodically monitor telnet ...
At8000 s configurando vla_ns

1. Virtual LAN (VLAN) – AT-8000S

2. Transparent Bridge Process (Unicast)
• Learning – reading the MAC source address and adding it to the lookup table
• Flooding – sending a packet to all segments (if there is no entry for the destination MAC)
• Forwarding – “connecting” 2 segments to forward a packet (with a known destination MAC)
• Filtering – ignoring packets whose destination is on the same segment as the sender
• Aging – removing “old” entries from the lookup table

3. Transmission Via a Bridge/Switch
(figure: sender node MAC_A at NET 1.1.1.1 sends a packet through the switch/bridge, port p1 to port p2, to receiver node MAC_B at NET 1.1.1.2; the MAC header carries DEST: B, SRC: A and the IP header DEST: 1.1.1.2, SRC: 1.1.1.1 on both sides of the switch; the switch’s lookup table holds VID 1 / MAC A / port 1 and VID 1 / MAC B / port 2 with their learning timestamps; a node MAC_R also appears)

4. Virtual LAN (VLAN)
• VLANs logically (in software) divide the LAN into separate subgroups – broadcast domains
• VLAN groups relate users regardless of the physical LAN segment to which the hosts are attached
• Allows traffic to flow more efficiently within populations of mutual interest
• VLANs allow broadcast domains to be defined without using routers
• Routers are needed for communication between the different VLANs

5. Switch with VLANs
(figure: one switch carrying VLAN A, VLAN B and VLAN C)

6. VLAN – Multiple Switches
(figure: Switch #1 and Switch #2, each with ports in VLAN-1 and VLAN-2)

7. Multiple VLANs on One Device – One-Armed Router
(figure: a router attached by a single link to a bridge/switch that carries VLANs A, B, C and D; link labels A,B,C / C,D / A,B,C,D)
8. Benefits of VLANs
• Improves network performance
• Reduces the number of routers needed
• Flexible network segmentation (virtual workgroups)
• Simplified administration
• Enhanced network security
• Reduces network solution cost
• Better use of server resources

9. Types of VLANs
• Membership by 802.1Q tag
• Membership by port
• Membership by MAC address
• Membership by protocol (IP, IPX…)
• Membership by subnet
• Membership by application or service (telnet, FTP…)

10. VLAN Solution
(figure: Marketing, Engineering and Administration VLANs)

11. VLAN – Proprietary
• Multi-switch VLAN solutions were proprietary and vendor based:
  – Cisco: ISL
  – Bay: Lattisspan
  – 3Com: VLT
  – Cabletron: SecureFast
• Proprietary VLANs are a disadvantage for networks that don’t wish to be vendor dependent
• IEEE 802.1Q standardized VLANs

12. Forwarding a Known Unicast Frame
VLAN aware switch:
• Determine the VLAN associated with the received frame
• Determine the output port associated with the destination address, based on the address table
• If the associated port is not the source port, and is a member of the VLAN – forward the frame
• Otherwise, discard the frame
VLAN unaware switch:
• Determine the output port associated with the destination address, based on the address table
• If the associated port is different from the source port, forward the frame to the destination port
• Otherwise – discard the frame

13. Forwarding Unknown Unicast and Multicast Frames
VLAN aware switch:
• Determine the VLAN associated with the received frame
• Flood the frame only to ports that are members of the VLAN, except the source port (if the ingress filter is on)
VLAN unaware switch:
• Flood the frame to all ports except the source port

14. VLAN Tagging Methods
• Explicit tagging – VLAN membership is indicated by adding a tag to each packet
• Implicit tagging – VLAN membership is determined by examining information that already exists within each packet:
  – Protocol ID (EtherType) of the packet
  – MAC address (range)
  – Etc.

15. Types of Devices on a VLAN
• VLAN aware device – understands VLAN membership (which user belongs to which VLAN) and format
  – Making forwarding decisions based on VLAN association and not only on destination address
  – Adding (and removing) explicit VLAN identification (tagging) to frames (tag aware)
• VLAN unaware device (usually SNMP-unmanaged devices) – does not understand VLAN membership and format

16. Frames Sent by Aware/Unaware Devices
• VLAN unaware device – sends untagged frames (implicit) to all connected devices
• VLAN aware device – sends tagged frames (explicit) to other VLAN aware devices
17. Types of Links – Access Link
• Connects VLAN-tag-unaware devices to the port of a VLAN-tag-aware switch
• The VLAN switch adds tags to received frames, and removes tags when transmitting frames
• All frames on access links are untagged
(figure: VLAN-tag-aware switch – Access Link – VLAN-tag-unaware station in VLAN A)

18. Types of Links – VLAN Trunk Link
• Attaches 2 VLAN aware switches (or other VLAN-tag-aware devices)
• All frames on VLAN trunk links must have a special header attached (tagged frames)
• Allows frames of multiple VLANs to use one link
(figure: two VLAN-tag-aware switches joined by a VLAN trunk link, and a VLAN trunk link from a switch to a VLAN-tag-aware workstation)

19. Types of Links – General Link
• Combination of VLAN trunk and access links
• Both VLAN aware and unaware devices are connected
• Can have both tagged and untagged frames, but all frames sent to a specific VLAN must be either tagged or untagged
(figure: a VLAN-tag-aware switch whose general link carries a VLAN-tag-unaware workstation in VLAN B, a VLAN-tag-aware switch and a VLAN-tag-aware workstation)

20. Tagged/Untagged Frames on Links
• Trunk link – tagged frames
• General link – tagged and untagged frames
• Access link – untagged frames

21. VLAN-Tag-Unaware and VLAN-Tag-Aware Domains
(figure: core switches form a VLAN-tag-aware domain; the VLAN-tag-unaware domains hang off it)

22. Advantages/Disadvantages of Tagging
Advantages:
• The standard way of VLAN implementation in networking devices
• VLAN association rules need to be applied only once
• Only edge switches need to know the VLAN association rules
• Core switches can get higher performance by operating on an explicit VLAN identifier
• VLAN aware end stations can reduce load from switches
Disadvantages:
• Tags can be interpreted only by VLAN aware devices
• Edge switches must strip tags before forwarding frames to VLAN unaware devices
• Insertion or removal of a tag requires recalculation of the CRC
• May increase the length of the frame beyond the maximum (“old” frame size – 1518 bytes, “new” frame size – 1522 bytes)

23. VLAN – Tagged/Untagged Ports
• The behavior of a specific port added to one or more VLANs depends on the mode of the port – access, trunk or general.
• A port added to a VLAN on a (VLAN aware) device can be in one of 2 states – tagged or untagged (for each specific VLAN)
• A certain VLAN can have both tagged and untagged ports

24. Ingress Port Behavior
• At the ingress – tagged and untagged VLAN configuration have the same effect:
  – Tagged frames which have a VID matching that of one of the VLANs defined on the port – are forwarded
  – Tagged frames which have a VID that does not match any of the VLANs defined on the port – are discarded
  – Untagged frames are forwarded on the VLAN which is the PVID – and the PVID tag is added to the frames

25. Egress Port Behavior
• At the egress – tagged and untagged VLAN port configuration have different effects:
  – Tagged VLANs forward the egress traffic (“out of the device”) as tagged frames
  – Untagged VLANs forward the egress traffic (“out of the device”) as untagged frames
26. The VLAN Tag – Ethernet Frame
Destination Address | Source Address | TPID (2 bytes) | TCI (2 bytes) | Length/Type | DATA | FCS
TPID – Tag Protocol Identifier; TCI – Tag Control Information

27. The VLAN Tag
TPID (2 bytes): VLAN protocol ID = 0x8100
TCI (2 bytes): Tag Priority (3 bits) | CFI (1 bit) | VID (12 bits)
• Tag priority according to IEEE 802.1p
• CFI – Canonical Format Indicator
• VID – VLAN ID

28. Tag Control Information
• Tag Priority –
  – “Piggybacks” on the VLAN tag
  – 7 is the highest priority (0 the default)
• CFI –
  – Value 1: VLAN tag extended to include embedded Source Routing information, which will also contain the canonical format of any embedded MAC address
  – Value 0: VLAN tag not extended, and any embedded MAC addresses are in canonical (little-endian) format
• VLAN ID – between 1 and 4094 (0x000 and 0xFFF reserved)

29. VLAN Port Database
For each (VLAN, port) cell: use = the port is a member of the VLAN; tag = frames of that VLAN leave the port tagged (1) or untagged (0); x = not applicable.

VLAN \ PORT    1          2          3          …    24
               use  tag   use  tag   use  tag        use  tag
1              1    1     1    0     0    x     …    1    0
2              0    x     1    0     1    1     …    1    1
3              1    0     0    x     0    x     …    0    x
…              …    …     …    …     …    …     …    …    …
4094           1    1     1    1     0    x     …    1    0

30. Switch Filtering Operation Process
• Ingress – takes received frames from a physical port and performs 3 operations:
  – Acceptable frame filter
  – Ingress rules
  – Ingress filter
• Progress – forwarding decision according to the database
• Egress – how to transmit frames through the output ports

31. Switch Filtering Operation
(figure: per-port pipeline – Port I/F → Acceptable Frame Filter → Ingress Rules → Ingress Filter → Forwarding Decision → Switch Fabric → Egress Rules → Port I/F, for ports 1, 2 … n; the stages are grouped as Ingress, Progress and Egress)

32. Switch Filtering – Ingress
• Acceptable Frame Filter
  – Admit all / admit only tagged
• Ingress rules
  – Tagged frame – according to tag
  – Untagged frame – association rules (PVID)
• Ingress Filter (default is on)
  – Forwards frames only if the frame’s tag VID is equal to the VID of one of the VLANs configured on the port

33. Switch Filtering – Process
• Filtering Database
  – Either static or dynamic entries
  – Either unicast or multicast entries
• Forwarding decisions
  – Known MAC addresses – lookup in the MAC address table. The lookup key is based on both the VLAN tag and the destination MAC address, leading to the required egress port
  – Unknown unicast – initial lookup in the MAC forwarding table; when the entry is not found, flooding is performed based on the VLAN Port Table
  – Broadcast frame – lookup is done directly in the VLAN Port Table (flooding to all ports of the VLAN)

34. Switch Filtering – Egress
• Egress Rules Model
  – Forwards frames as tagged frames if the egress port is defined as VLAN tagged (for that specific VLAN)
  – Forwards frames as untagged frames if the egress port is defined as VLAN untagged (for that specific VLAN)

35. PSS
(figure: ASIC fast-forwarding path – an incoming frame with an unknown destination MAC address is looked up in the MAC table; when the entry is not found it is broadcast to all ports in the same VLAN (VLAN 1 or VLAN 2), subject to ingress filtering and buffering)

36. Filtering Database – MAC Address Entries
• Dynamic MAC address entries are learned based on the source MAC of received packets
• Dynamic entries are subject to aging
• Static MAC entries are configured by the user, and may be permanent, erased when rebooting, or subject to aging
• Lookup in the MAC Forwarding Table (the Filtering Database) is based on VID + destination MAC address
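The lookup, flooding and aging rules of slides 33 and 36, as an added Python model (not AT-8000S code): a filtering database keyed by (VID, MAC) with dynamic learning, static entries that may or may not age, and flooding driven by the VLAN port table. Port numbers, MAC addresses and the 100-second aging time are constructed for the demo; multicast entries are not modelled.

```python
"""Filtering database (MAC forwarding table) with a VLAN-aware forwarding decision.

Added model of the deck's slides 33 and 36, not switch code. Only broadcast
flooding and unicast entries are implemented; multicast entries are left out.
"""
from dataclasses import dataclass

BROADCAST = bytes.fromhex("ffffffffffff")


@dataclass
class Entry:
    port: int
    static: bool       # configured by the user rather than learned
    ages: bool         # subject to the aging timer
    last_seen: float   # time of the last frame that refreshed the entry


class FilteringDatabase:
    """Entries are keyed by (VID, MAC): the same MAC seen in two VLANs gives two
    independent entries. vlan_ports is the VLAN port table (vid -> member ports)
    that flooding is driven by."""

    def __init__(self, vlan_ports: dict, aging_time: int):
        if not 10 <= aging_time <= 360:            # range the deck gives for the device
            raise ValueError("aging time must be 10-360 seconds")
        self.vlan_ports = {v: set(p) for v, p in vlan_ports.items()}
        self.aging_time = aging_time
        self.table = {}                             # (vid, mac) -> Entry

    def add_static(self, vid: int, mac: bytes, port: int, now: float, ages: bool = False):
        """Static entry: permanent by default, or aging when ages=True."""
        self.table[(vid, mac)] = Entry(port, True, ages, now)

    def learn(self, vid: int, mac: bytes, port: int, now: float) -> bool:
        """Dynamic learning from a source MAC; never overwrites a static entry.
        Re-learning refreshes the timer and follows a station that moved port."""
        e = self.table.get((vid, mac))
        if e is not None and e.static:
            return False
        self.table[(vid, mac)] = Entry(port, False, True, now)
        return True

    def lookup(self, vid: int, mac: bytes):
        e = self.table.get((vid, mac))
        return None if e is None else e.port

    def age(self, now: float) -> int:
        """Remove entries whose aging timer expired; returns how many were removed."""
        expired = [k for k, e in self.table.items()
                   if e.ages and now - e.last_seen > self.aging_time]
        for k in expired:
            del self.table[k]
        return len(expired)

    def forward(self, vid: int, src: bytes, dst: bytes, in_port: int, now: float) -> set:
        """Progress stage for a frame already classified to `vid` on `in_port`.
        Returns the set of egress ports; an empty set means the frame is discarded."""
        members = self.vlan_ports.get(vid, set())
        if in_port not in members:
            return set()                            # ingress port is not in this VLAN
        self.learn(vid, src, in_port, now)          # learning happens on every admitted frame
        others = members - {in_port}
        if dst == BROADCAST:
            return others                           # broadcast: VLAN port table directly
        out = self.lookup(vid, dst)
        if out is None:
            return others                           # unknown unicast: flood within the VLAN
        if out == in_port or out not in members:
            return set()                            # filtering: same segment, or not a member
        return {out}
```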
37. VLAN – AT-8000S Implementation

38. VLAN Overview
• AT-8000S devices support 256 VLANs, which can be assigned a VID from the full range of 4k VLAN IDs
• The default VLAN and the “discard” VLAN (4095) are treated specially, as described.
• Some VLAN IDs may be pre-assigned by the system for operational usage.
• The number of (VLANs × ports) configured on the system should be less than or equal to 64K.

39. VLAN Overview
• Note that the system will never send a frame tagged with VID=1, since the default VLAN can be used (defined) on a port only if it is set to be that port’s PVID
• Note that by using PVID=4095 the user in effect limits the “allowed frame types” to “tagged only” for incoming frames.
• Reference: IEEE 802.1Q.

40. Port Modes
• Access Port
• Trunk Port
• General Port

41. Access Mode
• Ports set to Access Mode belong to one VLAN only, whose VID is the currently set PVID (default = 1).
• This implies that the ports will accept all untagged frames (and assign them the PVID tag), and all frames tagged with the VID currently set as the port’s PVID.
• All traffic sent out will be untagged.
• If the current PVID of the port is deleted from the system or deleted from the port, the port’s PVID will be set to 1 (that is, the port will be made a member of VLAN #1, the default VLAN).

42. Access Mode
• Ingress filtering is always ON for ports in Access Mode.
• Access mode ports are intended to connect end-stations to the system, especially when the end-stations are incapable of generating VLAN tags

43. Trunk Mode
• Ports set to Trunk mode can belong to as many VLANs as desired.
• The port has a native VLAN (PVID) which is untagged; all other VLANs are tagged
• The ports will accept both tagged and untagged frames.
• Untagged frames will be classified to the port’s PVID.

44. Trunk Mode
• Ingress filtering is always enabled on Trunk-mode ports. Incoming tagged frames will undergo ingress filtering and, if correctly tagged (tagged with a VID of one of the VLANs to which the port currently belongs), they will be admitted; otherwise they will be discarded
• Egress frames forwarded onto the PVID VLAN will be sent out untagged
• Egress frames sent to all other VLANs active on the port will be sent tagged.

45. Trunk Mode
• The default PVID (native VLAN) is 1 (the default VLAN).
• If another VID is configured as the port’s PVID, and the corresponding VLAN is deleted from the port or from the system, the port’s PVID returns to 1 (that is, the port will be made a member of the default VLAN)
• Trunk-mode ports are intended for switch-to-switch links, where usually all traffic is tagged.

46. General Mode
• Ports set to General mode may be members of as many VLANs as desired.
• A port configured in general mode can be assigned as untagged to as many VLANs as desired
• The user can set separately for each VLAN whether it will be tagged or untagged. This setting applies to transmitted frames.
• The user can configure a PVID. The default PVID is the default VLAN.
• The PVID can be that of any of the VLANs configured on the port (tagged or untagged), and also VLANs not configured on the port or even not configured on the device

47. General Mode
• Incoming tagged frames are classified according to their tag and discarded if such a VLAN is not defined on the port.
• Incoming untagged frames are classified into the VLAN whose VID is the currently configured PVID, and:
  – The frame is accepted if this VID (besides being the PVID) is defined on the port
  – The frame is discarded if this VID is not defined on the port (although it is the PVID)
• Ingress filtering may be turned OFF on General-mode ports, if so desired. Ingress filtering is ON by default.
• The user can define whether to accept only tagged frames or all frame types
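The ingress and egress rules of slides 24–25 and the per-mode behaviour of slides 41–47, as an added Python model (not the switch’s code): it parses the 802.1Q tag of slides 26–28 and then applies the acceptable frame filter, ingress rules and ingress filter in the order of slide 30. Port settings and sample frames are constructed; assumptions not stated on the slides are marked in the comments.

```python
"""802.1Q tag parsing and AT-8000S-style per-port classification.

Added model of the ingress pipeline (acceptable frame filter -> ingress rules
-> ingress filter) and the egress tagging rule for access, trunk and general
ports. Port settings and frames below are constructed for the demo.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional

TPID_8021Q = 0x8100   # Tag Protocol Identifier of an 802.1Q tag
DISCARD_VID = 4095    # the "discard" VLAN (VID 0 and 4095 are reserved)


def parse_tag(frame: bytes):
    """Return (priority, cfi, vid) from a tagged Ethernet frame, or None when
    the frame is untagged (no 0x8100 TPID after the two MAC addresses)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci = struct.unpack("!H", frame[14:16])[0]       # Tag Control Information
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF   # 3-bit priority, 1-bit CFI, 12-bit VID


@dataclass
class Port:
    mode: str                                   # "access", "trunk" or "general"
    pvid: int = 1                               # VLAN given to untagged ingress frames
    vlans: dict = field(default_factory=dict)   # vid -> "tagged" | "untagged" (egress)
    ingress_filtering: bool = True              # may be turned off on general ports only
    tagged_only: bool = False                   # acceptable frame type, general ports only

    def members(self) -> set:
        """VLANs the port belongs to: access = PVID only; trunk = native VLAN
        plus the allowed list (the native VLAN is not in the list, slide 59);
        general = exactly the configured list, which need not contain the PVID."""
        if self.mode == "access":
            return {self.pvid}
        if self.mode == "trunk":
            return set(self.vlans) | {self.pvid}
        return set(self.vlans)


def classify_ingress(port: Port, frame: bytes) -> Optional[int]:
    """Apply the three ingress operations in order. Returns the VID the frame
    is classified to, or None when it is discarded."""
    tag = parse_tag(frame)
    general = port.mode == "general"
    # 1. acceptable frame filter ("admit only tagged" is configurable on general ports)
    if tag is None and general and port.tagged_only:
        return None
    # 2. ingress rules: tagged frames follow the tag, untagged frames take the PVID
    vid = port.pvid if tag is None else tag[2]
    if vid == DISCARD_VID:      # PVID=4095 makes every untagged frame drop (slide 39)
        return None
    # 3. ingress filter: always on for access and trunk, switchable on general
    filtering = port.ingress_filtering if general else True
    if filtering and vid not in port.members():
        return None
    return vid


def egress_treatment(port: Port, vid: int) -> Optional[str]:
    """How a frame of VLAN `vid` leaves the port: "tagged", "untagged", or None
    when the port is not a member of that VLAN and must not transmit it."""
    if vid not in port.members():
        return None
    # access ports, the default VLAN (never sent tagged, slide 39) and a trunk's
    # native VLAN all transmit untagged
    if port.mode == "access" or vid == 1 or (port.mode == "trunk" and vid == port.pvid):
        return "untagged"
    if port.mode == "trunk":
        return "tagged"
    return port.vlans[vid]      # general ports: the per-VLAN setting


def build_frame(vid: Optional[int], priority: int = 0) -> bytes:
    """Constructed sample frame: dst/src MACs, optional 802.1Q tag (CFI=0),
    IPv4 EtherType and zero padding."""
    hdr = bytes.fromhex("0000000000bb") + bytes.fromhex("0000000000aa")
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (priority << 13) | vid)
    return hdr + struct.pack("!H", 0x0800) + b"\x00" * 46
```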
48. Frame Classification Process
(figure only)

49. AT-8000S VLAN – User Settings
• Device level setting (VLAN database context):
  – Creating/deleting VLANs on the system
• VLAN level settings (interface VLAN context):
  – Assigning the VLAN a name
  – Adding static MAC entries to one of the VLAN’s ports
  – General interface commands (e.g. ip, igmp, etc. – see other presentations)
• Port level settings (interface Ethernet context):
  – Defining the port mode as general, trunk or access (the default)
  – Defining the access port’s current VLAN (PVID)

50. AT-8000S VLAN – User Settings
• Port level settings (cont’)
  – Defining the “native” VLAN (PVID) of a Trunk mode port
  – Defining the PVID for a General mode port
  – Adding/removing VLANs on a Trunk/General mode port
  – Defining VLANs as tagged/untagged on a General mode port
  – Defining a port as a forbidden port for a certain VLAN
  – Controlling ingress filtering of a General mode port (default = on)
  – Defining the acceptable frame type for a General port (tagged only or all)
  – Mapping MAC groups to a VID

51. VLAN – AT-8000S CLI Configuration

52. VLAN Configuration – General
• Use the following Global Mode command to enter VLAN Database mode:
  vlan database
• Example – enter VLAN Configuration Mode:
  console#
  console# configure
  console(config)# vlan database
  console(config-vlan)#

53. Creating VLANs – Configuration
• Use the following VLAN Configuration Mode command to create a new VLAN:
  vlan vlan-range
• To erase a VLAN use the “no” form of the command:
  no vlan vlan-range
• Example – creating VLANs with VID 2, 3, 100 and 101, and then erasing VLAN 101:
  console(config-vlan)# vlan 2,3,100,101
  console(config-vlan)# no vlan 101

54. VLAN Parameters – Name
• To change a parameter of a specific VLAN, enter the Interface VLAN Configuration Mode for that VLAN.
• Example – assigning VID=2 the name “success” (the default name for a VLAN is the VLAN tag):
  console(config)# interface vlan 2
  console(config-if)# name success
  console(config-if)#

55. VLAN Port Mode – Configuration
• Use the following Interface Mode command to define the “VLAN mode” (access/general/trunk) of a certain interface (Ethernet/Port Channel):
  switchport mode { access | trunk | general }
• Use the “no” form of the command to return to the default (access mode):
  no switchport mode
Note: a Trunk or General Mode port can be changed to Access Mode only if all VLANs (except for an untagged PVID) were first removed

56. VLAN Port Mode – Configuration
• Example – defining a port as a General Mode port:
  console(config)# interface ethernet 1/e11
  console(config-if)# switchport mode general
  57. 57. Access Mode Port Configuration • Use the following Interface Mode command to define a VLAN on a port in the access mode: switchport access vlan vlan-id • Example – defining VLAN 2 on access port 1/e12: console(config)# interface ethernet 1/e12 console(config-if)# switchport mode access console(config-if)# switchport access vlan 2
  58. 58. Trunk Mode Port Configuration • Use the following Interface Mode command to add/remove VLAN(s) to port in the Trunk mode: switchport trunk allowed vlan {add vlan-list | remove vlan-list} • Example – adding VLANs 2,3 and 100 on Trunk port 1/e13: console(config)# interface ethernet 1/e13 console(config-if)# switchport mode trunk console(config-if)# switchport trunk allowed vlan add 2-3,100 console(config-if)#
  59. 59. Trunk Mode Port Configuration • Use the following command to set the native (PVID) VLAN on the port: switchport trunk native vlan vlan-id • If the port is already a member in the VLAN (not as a native), it should be first removed from the VLAN
  60. 60. Trunk Mode Port Configuration • Example - native VLAN: – Defining VID=2 as native VLAN for port 1/e13 and receiving system error notification – removing VID=2 from port 1/e13 and then setting it as the native VLAN console(config)# interface ethernet 1/e13 console(config-if)# switchport trunk native vlan 2 Port 1/e13: Port is Trunk in VLAN 2. console(config-if)# switchport trunk allowed vlan remove 2 console(config-if)# switchport trunk native vlan 2 console(config-if)#
61. Trunk Port – tagged/untagged
• Example – VLAN on port untagged on input and untagged on output:
    console(config)# interface ethernet 1/e18
    console(config-if)# switchport mode trunk
    console(config-if)# switchport trunk native vlan 2
    console(config-if)#
• Example – VLAN on port tagged on input and tagged on output:
    console(config)# interface ethernet 1/e19
    console(config-if)# switchport mode trunk
    console(config-if)# switchport trunk allowed vlan add 2
62. General Mode Port Configuration
• Use the following Interface Mode command to add VLAN(s) to a General Mode port:
    switchport general allowed vlan add vlan-list [ tagged | untagged ]
  Note: the default is tagged.
• To remove VLAN(s) from the list:
    switchport general allowed vlan remove vlan-list
63. General Mode Port Configuration
• Use the following command to set the PVID of a General port:
    switchport general pvid vlan-id
• Use the “no” form of the command to revert to the default PVID:
    no switchport general pvid
Note: The PVID can be a VID defined on the port (tagged or untagged), a VID not defined on the port, or even a VID not defined on the system.
64. General Mode Port Configuration
• Example – General Mode port configuration:
  – Adding VLANs 2 and 3 as tagged, and VLAN 100 as untagged, to general mode port 1/e14
  – Defining VID 100 as the PVID
  – Reverting to the default PVID (VID=1)
    console(config)# interface ethernet 1/e14
    console(config-if)# switchport mode general
    console(config-if)# switchport general allowed vlan add 2-3 tagged
    console(config-if)# switchport general allowed vlan add 100 untagged
    console(config-if)# switchport general pvid 100
    console(config-if)# no switchport general pvid
65. General Port – tagged/untagged
• Example – VLAN on port UNtagged on input and UNtagged on output:
    console(config)# interface ethernet 1/e20
    console(config-if)# switchport mode general
    console(config-if)# switchport general pvid 2
    console(config-if)# switchport general allowed vlan add 2 untagged
• Example – VLAN on port UNtagged on input and tagged on output:
    console(config)# interface ethernet 1/e21
    console(config-if)# switchport mode general
    console(config-if)# switchport general pvid 2
    console(config-if)# switchport general allowed vlan add 2 tagged
66. General Port – tagged/untagged
• Example – VLAN on port tagged on input and tagged on output:
    console(config)# interface ethernet 1/e22
    console(config-if)# switchport mode general
    console(config-if)# switchport general allowed vlan add 2 tagged
• Example – VLAN on port tagged on input and UNtagged on output:
    console(config)# interface ethernet 1/e23
    console(config-if)# switchport mode general
    console(config-if)# switchport general allowed vlan add 2 untagged
67. General Mode – Ingress Filtering
• Use the following command to disable ingress filtering on a General Mode VLAN port. Use the “no” form of the command to switch filtering back on:
    switchport general ingress-filtering disable
    no switchport general ingress-filtering disable
68. General Mode – Acceptable Frame Type
• Use the following Interface Mode command to discard untagged frames at ingress. Use the “no” form of the command to allow untagged frames at ingress (the default):
    switchport general acceptable-frame-type tagged-only
    no switchport general acceptable-frame-type tagged-only
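The tagged/untagged examples on slides 61-66 and the ingress-filtering and acceptable-frame-type commands above all describe the same classification pipeline: an arriving frame is assigned to a VLAN (the tag's VID, or the PVID when untagged), ingress filtering may discard it, and the egress port's membership rule decides whether it leaves tagged or untagged. The following added example (not the switch's own code, not from the slides) models that pipeline for the access, trunk and general modes, using the port configurations of slides 61 and 65-66 as test fixtures. One assumption is labelled in the code: following 802.1Q, ingress filtering is applied after classification, so an untagged frame classified to a PVID the port is not a member of is dropped while filtering is enabled.

```python
"""Added example (not the AT-8000S's own code): a small model of how an
access, trunk or general port classifies a frame at ingress (PVID, ingress
filtering, acceptable-frame-type) and tags it at egress."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class PortConfig:
    name: str
    mode: str                                    # "access", "trunk" or "general"
    pvid: int = 1                                # VLAN assigned to untagged ingress frames
    members: Dict[int, str] = field(default_factory=dict)  # vid -> egress rule "tagged"/"untagged"
    ingress_filtering: bool = True               # False after "switchport general ingress-filtering disable"
    tagged_only: bool = False                    # True after "switchport general acceptable-frame-type tagged-only"


def access_port(name: str, vid: int) -> PortConfig:
    # "switchport mode access" + "switchport access vlan <vid>"
    return PortConfig(name, "access", pvid=vid, members={vid: "untagged"})


def trunk_port(name: str, allowed=(), native: int = 1) -> PortConfig:
    # "switchport trunk allowed vlan add ..." (tagged) + "switchport trunk native vlan" (untagged, PVID)
    members = {v: "tagged" for v in allowed}
    members[native] = "untagged"
    return PortConfig(name, "trunk", pvid=native, members=members)


def general_port(name: str, pvid: int = 1, tagged=(), untagged=(),
                 ingress_filtering: bool = True, tagged_only: bool = False) -> PortConfig:
    # "switchport general allowed vlan add ... [tagged|untagged]" + "switchport general pvid"
    members = {v: "tagged" for v in tagged}
    members.update({v: "untagged" for v in untagged})
    return PortConfig(name, "general", pvid, members, ingress_filtering, tagged_only)


def classify_ingress(port: PortConfig, vid: Optional[int]) -> Tuple[Optional[int], str]:
    """Return (vlan, reason); vlan is None when the frame is discarded.
    vid is None for an untagged frame, otherwise the VID carried in the 802.1Q tag."""
    if vid is None:
        if port.tagged_only:
            return None, "discarded: untagged frame, acceptable-frame-type tagged-only"
        vlan = port.pvid
    elif port.mode == "access":
        return None, "discarded: tagged frame on an access port"
    else:
        vlan = vid
    # Ingress filtering drops frames classified to a VLAN the port does not forward.
    # Assumption (802.1Q behaviour): this also catches an untagged frame whose PVID
    # is not defined on the port, which the slides allow as a configuration.
    if port.ingress_filtering and vlan not in port.members:
        return None, f"discarded: {port.name} is not a member of VLAN {vlan}"
    return vlan, f"accepted into VLAN {vlan}"


def forward(ingress: PortConfig, vid: Optional[int], egress: PortConfig) -> Tuple[Optional[str], str]:
    """Return (egress tagging, reason): "tagged", "untagged", or None if not forwarded."""
    vlan, reason = classify_ingress(ingress, vid)
    if vlan is None:
        return None, reason
    rule = egress.members.get(vlan)
    if rule is None:
        return None, f"not forwarded: {egress.name} is not a member of VLAN {vlan}"
    return rule, f"forwarded {rule} on {egress.name} in VLAN {vlan}"


# Ports configured exactly as in the trunk/general tagged-untagged examples above.
E18 = trunk_port("1/e18", native=2)                  # untagged in, untagged out
E19 = trunk_port("1/e19", allowed=(2,))              # tagged in, tagged out
E20 = general_port("1/e20", pvid=2, untagged=(2,))   # untagged in, untagged out
E21 = general_port("1/e21", pvid=2, tagged=(2,))     # untagged in, tagged out
E22 = general_port("1/e22", tagged=(2,))             # tagged in, tagged out
E23 = general_port("1/e23", untagged=(2,))           # tagged in, untagged out (PVID left at 1)

if __name__ == "__main__":
    for src, vid, dst in [(E18, None, E19), (E21, None, E20), (E23, 2, E22), (E22, None, E23)]:
        print(src.name, "->", dst.name, forward(src, vid, dst))
```

The last case in the `__main__` loop is the one worth remembering: port 1/e23 forwards VLAN 2 untagged on egress, but an untagged frame arriving on it is classified to the default PVID 1, of which the port is not a member, so ingress filtering discards it; "untagged out" does not imply "untagged in" unless the PVID is set as on 1/e20.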
69. Forbidding VLAN - Configuration
• Use the following Interface Mode command to forbid the definition of a specific VLAN (statically or dynamically) on a port (the remove option cancels the restriction):
    switchport forbidden vlan {add vlan-list | remove vlan-list}
• Note that the forbidden VLAN cannot be one that does not exist on the system, or one already defined on the port:
    console(config)# interface ethernet 1/e21
    console(config-if)# switchport forbidden vlan add 2
    VLAN 2: Port 1/e21 cannot be Egress and Forbidden.
    console(config-if)# switchport forbidden vlan add 55
    VLAN 55: VLAN was not created by user.
    console(config-if)#
    console(config-if)# switchport forbidden vlan add 3
70. VLAN Show Commands
• Use the following EXEC mode command to view the entire device VLAN configuration:
    show vlan
• Use the following EXEC mode command to show the interfaces belonging to a specific VLAN on the device:
    show vlan {tag vlan-id | name vlan-name}
71. VLAN Show Commands
• Example – Show VLAN device configuration:
    console# show vlan
    Vlan Name              Ports                       Type         Authorization
    ---- ----------------- --------------------------- ------------ -------------
    1    1                 1/e(1,10-12,15-24),ch(1-8)  other        Required
    2    success           1/e(2-9,13-14)              permanent    Required
    3    3                 1/e(13-14)                  permanent    Required
    100  100               1/e(13-14)                  permanent    Required
    console#
72. VLAN Show Commands
• Example – Show ports on VLAN with tag=3:
    console# show vlan tag 3
    Vlan Name              Ports                       Type         Authorization
    ---- ----------------- --------------------------- ------------ -------------
    3    3                 1/e(13-14)                  permanent    Required
• Example – Show ports on VLAN named success:
    console# show vlan name success
    Vlan Name              Ports                       Type         Authorization
    ---- ----------------- --------------------------- ------------ -------------
    2    success           1/e(2-9,13-14)              permanent    Required
73. VLAN Show Commands
• Use the following EXEC mode command to show the VLAN configuration (Mode, PVID and configured VLANs) for a specific port:
    show interfaces switchport { ethernet interface | port-channel port-channel-number }
74. VLAN Show Commands
• Example – VLAN details of port 1/e14:
    console# show interfaces switchport ethernet 1/e14
    Port : 1/e14
    Port Mode: General
    Gvrp Status: disabled
    Ingress Filtering: true
    Acceptable Frame Type: admitAll
    Ingress UnTagged VLAN ( NATIVE ): 100
    Port is member in:
    Vlan Name                             Egress rule Port Membership Type
    ---- -------------------------------- ----------- --------------------
    2    success                          Tagged      Static
    3    3                                Tagged      Static
    100  100                              Untagged    Static
    Forbidden VLANS:
    Vlan Name
    ---- --------------------------------
    Classification rules:
    Group ID Vlan ID
    -------- -------
    1        4
75. Adding a Static MAC Address
• Use the following VLAN interface mode command to add a static MAC entry to one of the ports in the VLAN:
    bridge address mac-address {ethernet interface | port-channel port-channel-number} [permanent | delete-on-reset | delete-on-timeout | secure]
  MAC Address format: H.H.H or H:H:H:H:H:H or H-H-H-H-H-H
• The user can define whether the entry will be:
  – permanent
  – deleted after reset
  – aged out on timeout, as with dynamic entries
  – secure – the entry is deleted if the port mode changes to “unlock” (used when the port is in locked mode)
76. Adding a Static MAC Address
• Note
  – The MAC addresses are added per VLAN, not per device
  – The type of entry (permanent, secure, etc.) has to be entered before the interface (if no type is mentioned, the default is permanent)
  – You can configure an address on a port even if it does not belong to the VLAN
• The “no” form of the command deletes a static MAC entry from the table:
    no bridge address [mac-address]
  If no mac-address is specified in the command, all static entries are erased from the table.
77. Example - Static MAC Addresses
• Example – adding 3 static MAC entries to VLAN 2:
  – One permanent (default)
  – One to be deleted on reset
  – One (on a secure port) to be deleted when the port is unlocked
    console(config)# interface vlan 2
    console(config-if)# bridge address 00:11:22:33:44:55 ethernet 1/e10
    console(config-if)# bridge address 00:11:22:33:44:55 permanent ethernet 1/e8
    console(config-if)# bridge address 00:99:88:77:66:55 delete-on-reset ethernet 1/e7
    console(config-if)# bridge address 00:99:88:77:44:33 secure ethernet 1/e5
    VLAN:2, Port:1/e5 , Mac:00:00:99:88:77:44: : Port is not Locked, can't add Secure Address
  Note the error message.
78. Address Table Commands
• Use the following Global mode command to set the MAC table aging time (10-360 seconds):
    bridge aging-time seconds
• Use the “no” form of the command to return to the default of 300 seconds:
    no bridge aging-time
• Use the following EXEC mode command to remove learned addresses from the table:
    clear bridge
79. Address Table Show Commands
• Use the following Privileged EXEC mode command to show the MAC address table of the device:
    show bridge address-table
• Use the following Privileged EXEC mode command to show addresses on a specific VLAN:
    show bridge address-table vlan vlan [ethernet interface | port-channel port-channel-number]
• Use the following Privileged EXEC mode command to show addresses on a specific port:
    show bridge address-table { ethernet interface | port-channel port-channel-number} [vlan vlan]
80. Example – Aging & Clear Bridge
• Example – Showing the address table, setting the aging time to 100, and clearing the bridge of dynamic entries:
    console# show bridge address-table
    Aging time is 300 sec
    Vlan   Mac Address           Port   Type
    ------ --------------------- ------ --------------
    2      00:10:a4:8f:ba:33     1/e8   dynamic
    2      00:11:22:33:44:55     1/e8   static
    2      00:99:88:77:44:33     1/e6   secure
    2      00:99:88:77:66:55     1/e7   static
    console# con
    console(config)# bridge aging-time 100
    console(config)# exit
    console# clear bridge
    console# show bridge address-table
    Aging time is 100 sec
    Vlan   Mac Address           Port   Type
    ------ --------------------- ------ --------------
    2      00:11:22:33:44:55     1/e8   static
    2      00:99:88:77:44:33     1/e6   secure
    2      00:99:88:77:66:55     1/e7   static
    console#
81. Address Table Show Commands
• Example – show MAC address entries for a specific port:
    console# show bridge address-table ethernet 1/e13
    Aging time is 100 sec
    Vlan Mac Address         Port  Type
    ---- ------------------- ----- ------------
    3    00:10:a4:8f:ba:33   1/e13 dynamic
82. Address Table Show Commands
• Example – show MAC addresses for a VLAN:
    console# show bridge address-table vlan 2
    Aging time is 100 sec
    Vlan   Mac Address           Port   Type
    ------ --------------------- ------ --------------
    2      00:11:22:33:44:55     1/e8   static
    2      00:99:88:77:44:33     1/e6   secure
    2      00:aa:bb:cc:dd:00     1/e9   static
    console#
83. Address Table Show Commands
• Use the following Privileged EXEC mode command to show only static MAC entries:
    show bridge address-table static
• Note that this option can be used to show (as with the general address table show command):
  – All static entries on the device
  – Static entries on a VLAN
  – Static entries on a certain interface
  – A combination of a specific VLAN and interface
84. Bridge (Address Table) Show Commands
• Example – show device static MAC address entries:
    console# show bridge address-table static
    Aging time is 100 sec
    Vlan   Mac Address           Port   Type
    ------ --------------------- ------ ----------
    2      00:11:22:33:44:55     1/e8   permanent
    2      00:99:88:77:44:33     1/e6   secure
    2      00:aa:bb:cc:dd:00     1/e9   delete-on-reset
85. Address Table Show Commands
• Use the following Privileged EXEC mode command to show the number of MAC entries:
    show bridge address-table count
• Note that this option can be used to show (as with the general address table show command):
  – All static entries on the device
  – Static entries on a VLAN
  – Static entries on a certain interface
  – A combination of a specific VLAN and interface
86. Bridge (Address Table) Show Commands
• Example – show device MAC address count:
    console# sh bridge address-table count
    Gathering data.
    Capacity : 8192
    Free : 8189
    Used :3
    Secure : 1
    Dynamic : 0
    Static : 2
    console#
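The address-table show commands on slides 79-86 are the operator's view into what the bridge has learned, and two conditions are worth checking in that output on a regular basis: a MAC address learned on more than one port of the same VLAN (a loop, a duplicated NIC, or a host sending frames with another station's source address), and a table approaching its Capacity, since a switch whose table is full floods unknown unicast frames out of every port in the VLAN. The following added example (not the switch's own code, not from the slides) parses constructed `show bridge address-table` and `show bridge address-table count` output in the format shown above and performs both checks; the sample entries and the 90% warning threshold are assumptions for illustration.

```python
"""Added example (not the AT-8000S's own code): parse "show bridge address-table"
and "show bridge address-table count" output, report table utilization and flag
a MAC address learned on more than one port of the same VLAN."""
import re
from typing import Dict, List, Tuple

# Constructed sample output in the format shown on the slides (not captured from a device).
ADDRESS_TABLE = """\
Aging time is 100 sec
Vlan   Mac Address           Port   Type
------ --------------------- ------ --------------
2      00:11:22:33:44:55     1/e8   static
2      00:99:88:77:44:33     1/e6   secure
2      00:aa:bb:cc:dd:00     1/e9   static
3      00:10:a4:8f:ba:33     1/e13  dynamic
3      00:10:a4:8f:ba:33     1/e14  dynamic
"""

COUNT_OUTPUT = """\
Gathering data.
Capacity : 8192
Free : 8189
Used :3
Secure : 1
Dynamic : 0
Static : 2
"""

ROW = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s+(\S+)\s+(\S+)\s*$")
AGING = re.compile(r"Aging time is (\d+) sec")
COUNTER = re.compile(r"^\s*([A-Za-z]+)\s*:\s*(\d+)")   # tolerates "Used :3" as printed by the device


def parse_address_table(text: str) -> Tuple[int, List[dict]]:
    """Return (aging time in seconds, list of {vlan, mac, port, type}) from show bridge address-table."""
    aging, entries = None, []
    for line in text.splitlines():
        m = AGING.search(line)
        if m:
            aging = int(m.group(1))
            continue
        m = ROW.match(line)          # header and dashed separator lines do not match
        if m:
            entries.append({"vlan": int(m.group(1)), "mac": m.group(2).lower(),
                            "port": m.group(3), "type": m.group(4)})
    return aging, entries


def parse_count(text: str) -> Dict[str, int]:
    """Return {'capacity': 8192, 'free': ..., 'used': ..., ...} from show bridge address-table count."""
    return {m.group(1).lower(): int(m.group(2))
            for m in (COUNTER.match(line) for line in text.splitlines()) if m}


def find_moving_macs(entries: List[dict]) -> Dict[Tuple[int, str], List[str]]:
    """(vlan, mac) -> sorted ports, for every MAC that appears on more than one port in a VLAN."""
    seen: Dict[Tuple[int, str], set] = {}
    for e in entries:
        seen.setdefault((e["vlan"], e["mac"]), set()).add(e["port"])
    return {key: sorted(ports) for key, ports in seen.items() if len(ports) > 1}


def table_utilization(counts: Dict[str, int], warn_at: float = 0.9) -> Tuple[float, bool]:
    """Fraction of the MAC table in use and whether it crosses the warning threshold (assumed 90%)."""
    used = counts["used"] / counts["capacity"]
    return used, used >= warn_at


if __name__ == "__main__":
    aging, entries = parse_address_table(ADDRESS_TABLE)
    print(f"aging {aging}s, {len(entries)} entries, moving MACs: {find_moving_macs(entries)}")
    print("utilization, warning:", table_utilization(parse_count(COUNT_OUTPUT)))
```

In practice the two outputs would be collected from the device (for instance over the same telnet session the show commands are run from) and fed to these functions on a schedule, so that a sudden jump in Used, or a MAC that starts appearing behind a second port, shows up as a change between runs rather than being spotted by eye.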
87. Ghost VLAN Settings
Feature            Commands                                          Configuring on a non-existent VLAN     Configuring on a dynamic VLAN   Deletion of VLAN
------------------ ------------------------------------------------- -------------------------------------- ------------------------------- -----------------
Address table      bridge address, bridge multicast,                 Impossible to enter the VLAN context.  Impossible                      Entry is removed.
                   bridge multicast forward-all,
                   bridge multicast forbidden forward-all
VLAN properties    Name                                              Impossible to enter the VLAN context.  Impossible                      Entry is removed.
Port membership    switchport access vlan, switchport trunk          Not allowed (except PVID of            Not allowed                     Entry is removed.
in VLAN            allowed vlan, switchport trunk native vlan,       general mode)
                   switchport general allowed vlan,
                   switchport forbidden vlan
IGMP snooping      ip igmp snooping                                  Impossible to enter the VLAN context.  Impossible                      Entry is removed.
IP addressing      ip address, ip address dhcp                       Impossible to enter the VLAN context.  Impossible                      Not allowed
88. VLAN Configuration Examples
89. Example #1 (diagram: servers on PVID#100, Port 24 to the Internet, workgroups on PVID#2 and PVID#3)
90. Example #1. Requirements.
• All servers are connected to the dedicated VLAN with VID#100.
• There are two workgroups in the network (mapped respectively to two VLANs, VID#2 and VID#3).
• No traffic is allowed between VID#2 and VID#3.
• Traffic from VID#2 and VID#3 is allowed to the servers and to the Internet.
• No traffic is allowed to/from the Internet from/to the servers.
• Workstation NICs do not support VLAN tagging.
• Servers and the Internet router support VLAN tagging.
91. Example #1 - Implementation.
Port#   VLAN#   PVID#   Port Mode
-----   -----   -----   -----------------
1-3     2,3     100     Trunk, Tagged
4-13    2,100   2       General, untagged
14-23   3,100   3       General, untagged
24      2,3     1       Trunk, Tagged
92. Example #1 - CLI
    console(config)#
    console(config)# vlan database
    console(config-vlan)# vlan 2-3,100
    console(config-vlan)# exit
    console(config)# interface range ethernet 1/e1-3
    console(config-if)# switchport mode trunk
    console(config-if)# switchport trunk allowed vlan add 2-3
    console(config-if)# switchport trunk native vlan 100
    14-may-2003 19:12:43 %LINK-I-Up: Vlan 2
    14-may-2003 19:12:43 %LINK-I-Up: Vlan 3
    14-may-2003 19:12:43 %LINK-I-Up: Vlan 100
    console(config-if)#
    console(config)# in range ethernet 1/e4-13
    console(config-if)# switchport mode general
    console(config-if)# switchport general allowed vlan add 2,100 untagged
    console(config-if)# exit
93. Example #1 - CLI Cont’
    console(config)# interface range ethernet 1/e14-23
    console(config-if)# switchport mode general
    console(config-if)# switchport general allowed vlan add 3,100 untagged
    console(config-if)# exit
    console(config)# interface ethernet 1/e24
    console(config-if)# switchport mode trunk
    console(config-if)# switchport trunk allowed vlan add 2-3
    console(config-if)# exit
    console(config)#
94. Example #1 - CLI Cont’
    console# show vlan
    Vlan Name                             Ports                       Type         Authorization
    ---- -------------------------------- --------------------------- ------------ ----------------
    1    1                                1/e(4-24),ch(1-7)           other        Required
    2    2                                1/e(1-13,24)                permanent    Required
    3    3                                1/e(1-3,14-24)              permanent    Required
    100  100                              1/e(1-23)                   permanent    Required
95. Example #1 - CLI Cont’
    console# show interfaces switchport ethernet 1/e3
    Port : 1/e3
    Port Mode: Trunk
    Gvrp Status: disabled
    Ingress Filtering: true
    Acceptable Frame Type: admitAll
    Ingress UnTagged VLAN ( NATIVE ): 100
    Port is member in:
    Vlan Name                             Egress rule Port Membership Type
    ---- -------------------------------- ----------- --------------------
    2    2                                Tagged      Static
    3    3                                Tagged      Static
    100  100                              Untagged    Static
    ……
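The `show vlan` output on slide 94 is also the evidence that the Example #1 requirements actually hold: the workstation ports of one workgroup must not appear in the other workgroup's VLAN, every workstation port must appear in the server VLAN, and the Internet port must not. The following added example (not the switch's own code, not from the slides) expands the `Ports` column notation (`1/e(1-13,24)`, `ch(1-7)`, bare `ch1`) and audits the parsed membership against those requirements; the sample output is constructed from slide 94, and the port-to-workgroup mapping (ports 4-13 and 14-23, Internet on 1/e24) is taken from the implementation table on slide 91.

```python
"""Added example (not the AT-8000S's own code): parse the Ports column of
"show vlan" and audit the result against the Example #1 requirements."""
import re
from typing import Dict, Iterable, List, Set

# Constructed sample in the format of slide 94 (not captured from a device).
SHOW_VLAN = """\
Vlan Name  Ports                        Type       Authorization
---- ----- ---------------------------- ---------- -------------
1    1     1/e(4-24),ch(1-7)            other      Required
2    2     1/e(1-13,24)                 permanent  Required
3    3     1/e(1-3,14-24)               permanent  Required
100  100   1/e(1-23)                    permanent  Required
"""

# One token per port group: a prefix ("1/e", "ch") followed by "(list)" or a single number.
PORT_TOKEN = re.compile(r"([a-z0-9/]+?)(?:\((.*?)\)|(\d+))(?=,|$)")


def expand_ports(spec: str) -> Set[str]:
    """'1/e(1-13,24),ch1' -> {'1/e1', ..., '1/e13', '1/e24', 'ch1'}"""
    ports: Set[str] = set()
    for m in PORT_TOKEN.finditer(spec):
        prefix, group, single = m.groups()
        for part in (group or single).split(","):
            lo, _, hi = part.partition("-")
            ports.update(f"{prefix}{n}" for n in range(int(lo), int(hi or lo) + 1))
    return ports


def parse_show_vlan(text: str) -> Dict[int, Set[str]]:
    """VID -> set of member ports, tagged and untagged alike (show vlan does not distinguish them)."""
    membership: Dict[int, Set[str]] = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$", line)
        if m:                                   # header and dashed lines do not start with a number
            membership[int(m.group(1))] = expand_ports(m.group(3))
    return membership


def audit_example1(membership: Dict[int, Set[str]], workgroup2: Iterable[str],
                   workgroup3: Iterable[str], internet_port: str, server_vlan: int = 100) -> List[str]:
    """Return a list of human-readable violations of the slide-90 requirements (empty when compliant)."""
    def vlan(vid: int) -> Set[str]:
        return membership.get(vid, set())

    violations = []
    for p in workgroup2:
        if p in vlan(3):
            violations.append(f"{p}: VID#2 workstation port is also a member of VID#3")
        if p not in vlan(server_vlan):
            violations.append(f"{p}: VID#2 workstation port cannot reach the servers")
    for p in workgroup3:
        if p in vlan(2):
            violations.append(f"{p}: VID#3 workstation port is also a member of VID#2")
        if p not in vlan(server_vlan):
            violations.append(f"{p}: VID#3 workstation port cannot reach the servers")
    if internet_port in vlan(server_vlan):
        violations.append(f"{internet_port}: Internet port is a member of server VLAN {server_vlan}")
    return violations


# Port roles from the slide-91 implementation table.
WORKGROUP2 = {f"1/e{n}" for n in range(4, 14)}
WORKGROUP3 = {f"1/e{n}" for n in range(14, 24)}
INTERNET_PORT = "1/e24"


def audit_text(text: str) -> List[str]:
    return audit_example1(parse_show_vlan(text), WORKGROUP2, WORKGROUP3, INTERNET_PORT)


if __name__ == "__main__":
    print("compliant output:", audit_text(SHOW_VLAN) or "no violations")
    # Constructed misconfiguration: VLAN 100 extended onto the Internet port.
    print("server VLAN on 1/e24:", audit_text(SHOW_VLAN.replace("1/e(1-23)", "1/e(1-24)")))
```

The trunk ports 1-3 and 24 legitimately belong to both workgroup VLANs, which is why the audit looks only at the untagged workstation ports; tagged membership on a trunk carries separate VLANs, while a workstation port listed in two VLANs would be an untagged leak between workgroups. Because `show vlan` does not show the egress rule, a check of tagged versus untagged membership would read `show interfaces switchport` as on slide 95 instead.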
96. Example #2 (diagram: Web, Windows, Multimedia and FTP servers behind a Layer 2 switch; the AT-8000S, acting as an L2 switch, connected through LAG#1 and LAG#2 to two Layer 2/3/4 switches)
97. Example #2 - Requirements.
• All servers are connected to the Layer 2 switch (the servers’ aggregator).
• There are 4 workgroups in the network (mapped respectively to 4 VLANs, VID#2 through VID#5).
• No traffic is allowed among VLANs.
• The AT-8000S device is connected through two L2 LAGs (LAG#1 and LAG#2) to the Layer 2/3/4 switches.
• All VLANs have access to the servers.
• None of the NICs support VLAN tagging.
98. Example #2 - Implementation
Port           VLAN          PVID      Port Mode
------------   -----------   -------   ---------
1-4            2             2         Access
5-8            3             3         Access
9-12           4             4         Access
13-16          5             5         Access
17-24          Default       Default   Access
LAG1 (17-20)   2,3 Tagged    1         Trunk
LAG2 (21-24)   4,5 Tagged    1         Trunk
99. Example #2 - CLI
    console(config)# vlan database
    console(config-vlan)# vlan 2-5
    console(config-vlan)# exit
    console(config)# interface range ethernet 1/e1-4
    console(config-if)# switchport access vlan 2
    console(config-if)# exit
    console(config)# interface range ethernet 1/e5-8
    console(config-if)# switchport access vlan 3
    15-Jun-2003 11:40:45 %LINK-I-Up: Vlan 3
    console(config-if)# exit
    console(config)# interface range ethernet 1/e9-12
    console(config-if)# switchport access vlan 4
    15-Jun-2003 11:41:11 %LINK-I-Up: Vlan 4
    console(config-if)# exit
    console(config)# interface range ethernet 1/e13-16
    console(config-if)# switchport access vlan 5
    15-Jun-2003 11:42:24 %LINK-I-Up: Vlan 5
100. Example #2 - CLI Cont’
    console(config-if)# exit
    console(config)# interface range ethernet 1/e17-20
    console(config-if)# channel-group 1 mode on
    15-Jun-2003 11:43:20 %TRUNK-I-PORTADDED: Port 1/e17 added to ch1
    15-Jun-2003 11:43:20 %TRUNK-I-PORTADDED: Port 1/e18 added to ch1
    15-Jun-2003 11:43:21 %TRUNK-I-PORTADDED: Port 1/e19 added to ch1
    15-Jun-2003 11:43:21 %TRUNK-I-PORTADDED: Port 1/e20 added to ch1
    15-Jun-2003 11:43:21 %LINK-I-Up: ch1
    console(config-if)# exit
    console(config)# interface range ethernet 1/e21-24
    console(config-if)# channel-group 2 mode on
    15-Jun-2003 11:44:13 %TRUNK-I-PORTADDED: Port 1/e21 added to ch2
    15-Jun-2003 11:44:13 %LINK-I-Up: ch2
    15-Jun-2003 11:44:13 %TRUNK-I-PORTADDED: Port 1/e22 added to ch2
    15-Jun-2003 11:44:13 %TRUNK-I-PORTADDED: Port 1/e23 added to ch2
    15-Jun-2003 11:44:13 %TRUNK-I-PORTADDED: Port 1/e24 added to ch2
101. Example #2 - CLI Cont’
    console(config-if)# exit
    console(config)# interface port-channel 1
    console(config-if)# switchport mode trunk
    console(config-if)# switchport trunk allowed vlan add 2-3
    console(config-if)# exit
    console(config)# interface port-channel 2
    console(config-if)# switchport mode trunk
    console(config-if)# switchport trunk allowed vlan add 4-5
    console(config-if)# exit
    console(config)#
102. Example #2 - CLI Cont’
    console# show vlan
    Vlan Name                             Ports                       Type         Authorization
    ---- -------------------------------- --------------------------- ------------ ----------------
    1    1                                ch(1-7)                     other        Required
    2    2                                1/e(1-4),ch1                permanent    Required
    3    3                                1/e(5-8),ch1                permanent    Required
    4    4                                1/e(9-12),ch2               permanent    Required
    5    5                                1/e(13-16),ch2              permanent    Required
    console#
103. VLAN Troubleshooting
104. General Switch Issues
Problems reported by customers are usually related in some way to common connectivity issues (two PCs can’t communicate within the VLAN, a PC connected to the device has no access to the Internet or to the centrally located database, and so on). The following list presents the typical connectivity problems within VLANs:
• Port connectivity issues
• Hardware issues
• Configuration issues
  – Port configuration issues
  – Port mode configuration issues
  – Port status issues
  – 802.1q
• RSTP/STP issues
• Access Control and Security issues
• LAG issues
• Management issues
105. Possible problem / Problem description / Solution
Possible problem: There is no traffic through the port within the VLAN
Problem description: A port within the VLAN doesn’t transmit data
Solution:
1. Use the show vlan command to check whether the port belongs to the VLAN.
2. Check whether the port is configured for LAG on both sides of the LAG. If it is not configured for LAG on the other side, the RSTP/STP processes can block the port on the LAG side. Use show interface switchport port-channel to check whether the port belongs to a LAG or not.
3. Use the show interfaces status command to check whether there is a mismatch in the port duplex mode configuration: the full duplex side thinks that it can send whenever it wants to, but the half duplex side expects packets only at certain times, not at any time.
4. Use show interfaces status to check whether the port is disabled by port security. One of the action modes is “discard-shutdown”; a port security violation automatically blocks traffic through the port.
106. Possible problem / Problem description / Solution (cont.)
5. Use the show spanning-tree ethernet command to check the spanning tree port status.
6. In RSTP mode, according to the standard, edge ports are not involved in the RSTP processes. However, if an edge port receives a BPDU (for some reason) it will participate in STP and may be blocked.
Possible problem: Port can’t be assigned to a VLAN
Problem description: The port can’t be assigned to the VLAN either through the ASCII terminal (telnet) or through the EWS
Solution:
1. Use show interfaces port-channel to check whether the port belongs to a LAG or not.
2. Use show ip interface to check whether the port is dedicated to management (for adding an untagged VLAN).
3. Use show interface switchport ethernet to check the port properties. Verify that the port is not forbidden from being a member of that VLAN.
4. A trunk port’s native VLAN can’t be added as a tagged VLAN to the port.
5. Use the show ports monitor command to check whether the port is a target (mirror) port.
107. Port Connectivity Troubleshooting – Hardware Problems
• The CLI shows the port state (up or down), either via the ASCII terminal or Telnet.
• The CLI command “show interface status” displays the current status of the port.
• A link light doesn’t guarantee that the cable is fully functional.
• Remove the cable from the port and re-insert it; make sure that traps are sent to the ASCII terminal or telnet terminal.
• Sometimes a cable appears to be seated in the jack but actually is not: unplug the cable and re-insert it.
• If, after all of the above, the port doesn’t come up, it is recommended to check the cable with a cable tester.
• Another reason to consider is a software shutdown of the port (port security, or the ACL port-disable option in other types of devices).
108. Troubleshooting Security Problems
• Unfortunately, security problems in modern networks are very common today.
• Network managers are making big efforts to protect networks from internal and external attacks.
• According to recent research, over 70% of network intrusions are internal.
109. Troubleshooting Security Problems
• In addition to the standard list of well known internal network intrusions, we would like to point out the following ones:
  – changes in the running and start-up configurations:
    • Port configuration
    • IP interface configuration
    • RSTP/STP configuration
    • VLAN configuration, and so on
  – changing the password for ASCII terminal and telnet access
  – changes in access control and security
  – uploading/downloading new software images
  – uploading/downloading new system configurations
  – system reload/reboot, either through the ASCII terminal (CLI/Debug CLI) or telnet
  – erasing the device configuration
  – erasing the software image
110. How to Troubleshoot Hackers’ Attacks?
• Constantly change passwords and user names
• Periodically monitor telnet sessions
• Secure the management port; allow management and control from dedicated PCs only.
