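PRIMERGY Switch Blade (1Gbps 36/8+2) (PG-SW111) Switch Blade (1Gbps 36/12) (PG-SW112)
Switch Configuration Guide
CA92276-8605-01
Before Reading This Manual
Specified technologies under the Foreign Exchange and Foreign Trade Act
Our documents may contain specified technologies as defined by the Foreign Exchange and Foreign Trade Control Act. When a document contains specified technologies, permission under that Act is required to export the document or to provide it to a non-resident.
About the contents of this manual
Thank you very much for purchasing our PRIMERGY Switch Blade (1Gbps 36/8+2)/PRIMERGY Switch Blade (1Gbps 36/12).
This manual is the Switch Configuration Guide, which shows configuration examples for when this product is set to switch mode. The main text is written in English.
Please read this manual carefully and handle the product correctly.
■ Related manuals
• PRIMERGY Switch Blade (1Gbps 36/8+2) (PG-SW111)/PRIMERGY Switch Blade (1Gbps 36/12) (PG-SW112) Instruction Manual
• PRIMERGY Switch Blade (1Gbps 36/8+2) (PG-SW111)/PRIMERGY Switch Blade (1Gbps 36/12) (PG-SW112) Switch User's Guide
• PRIMERGY Switch Blade (1Gbps 36/8+2) (PG-SW111)/PRIMERGY Switch Blade (1Gbps 36/12) (PG-SW112) IBP User's Guide
• PRIMERGY Switch Blade (1Gbps 36/8+2) (PG-SW111)/PRIMERGY Switch Blade (1Gbps 36/12) (PG-SW112) IBP Configuration Guide
The above manuals are available under "Manuals" on the "PRIMERGY" page (http://primeserver.fujitsu.com/primergy/manual.html).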
PRIMERGY Blade Server Systems
Switch Configuration Guide
© 2009 Fujitsu Technology Solutions 2
Edition March 2009
Comments… Suggestions… Corrections…
The User Documentation Department would like to know your opinion on this manual. Your feedback helps us to optimize our documentation to suit your individual needs.
Fax forms for sending us your comments are included at the back of the manual. There you will also find the addresses of the relevant User Documentation Department.
Copyright and Trademarks
Copyright © 2009 Fujitsu Technology Solutions GmbH.
All rights reserved.
Delivery subject to availability; right of technical modifications reserved.
All hardware and software names used are trademarks of their respective manufacturers.
Content
1 Configuration Guide Overview
2 Configuring VLANs
  2.1 Creating a VLAN
  2.2 Configuring VLAN Members
  2.3 Configuring Untagged VLAN (Access Port)
  2.4 Configuring Tagged VLAN (Trunk Port)
  2.5 Configuring Protocol VLAN
3 Configuring Link Aggregation
  3.1 Configuring Link Aggregation with LACP
  3.2 Configuring Static Link Aggregation
  3.3 Configuring Load Balance of Link Aggregation
4 Configuring Port-Backup
  4.1 Creating Port-backup group
  4.2 Configuring Active port and Backup port
5 Configuring MAC Filtering
  5.1 Configuring MAC filter which passes only packets of the specific source MAC address
  5.2 Configuring MAC filter which passes only packets of specified destination MAC address
  5.3 Configuring MAC filter which rejects only packets of the specified packet format MAC address
  5.4 Configuring MAC filter which rejects only traffic between the specified MAC addresses in VLAN
  5.5 Configuring MAC filter which passes only the traffic between the specified MAC addresses in VLAN
6 Configuring Static MAC Forwarding
7 Configuring QoS
  7.1 Configuring priority control
  7.2 Configuring priority control rewrite
    7.2.1 IP Precedence value rewrite
    7.2.2 Change queue of packets in VLAN
8 Configuring Spanning Tree
  8.1 Configuring Spanning Tree Mode
  8.2 Configuring MSTP
9 Configuring IGMP snooping & Querier
  9.1 Configuring IGMP snooping by interface
  9.2 Configuring IGMP snooping by VLAN
  9.3 Configuring IGMP snooping static router port
  9.4 Configuring IGMP snooping static group member
  9.5 Configuring IGMP Snooping Querier by VLAN
10 Configuring MLD Snooping & Querier
  10.1 Configuring MLD Snooping by interface
  10.2 Configuring MLD Snooping by VLAN
  10.3 Configuring MLD Snooping static router port
  10.4 Configuring MLD Snooping static group member
  10.5 Configuring MLD Snooping Querier by VLAN
11 Configuring IEEE 802.1X Authentication
  11.1 Using Local User Name/ Password
  11.2 Using Remote RADIUS Server
12 Configuring Port Mirroring
13 Configuring IP Filtering
  13.1 Configuring IP filter which passes only packets to the specified service
14 Configuring SNMP Agent
15 Configuring System Log
1 Configuration Guide Overview
This guide describes the PRIMERGY BX900 Ethernet Connection Blade specific functions that you might encounter. Basically, the guide describes how to configure your switch or how to configure software features on your switch. It also provides detailed information about commands that have been created or changed for use by the connection blade.
This document provides the following guidelines:
Configuring VLANs
Configuring Link Aggregation
Configuring Backup Port
Configuring MAC Filtering
Configuring Static MAC Forwarding
Configuring QoS
Configuring Spanning Tree
Configuring IGMP Snooping & Querier
Configuring MLD Snooping & Querier
Configuring IEEE 802.1X Authentication
Configuring Port Mirroring
Configuring IP Filtering
Configuring SNMP Agent
Configuring System Log
Mode                      Prompt
privileged EXEC mode      (BX900-CB1)#
Configuration mode        (BX900-CB1)(Config)#
VLAN mode                 (BX900-CB1)(Vlan)#
Interface mode            (BX900-CB1)(Interface BX900-CB1/0/1)#
Interface range mode      (BX900-CB1)(if-range)#
Vlan database mode        (BX900-CB1)(Vlan)#
MAC access list mode      (BX900-CB1)(Config-mac-access-list)#
DiffServ class map mode   (BX900-CB1)(Config-classmap)#
DiffServ policy map mode  (BX900-CB1)(Config-policy-map)#
2 Configuring VLANs
This chapter describes how to configure the VLANs in the PRIMERGY BX900 Ethernet Connection Blade system.
2.1 Creating a VLAN
This section describes how to create a VLAN on the system.
Beginning in privileged EXEC mode, follow these steps to create a VLAN on the system:
         Command          Purpose
Step 1   configure        Enter global configuration mode.
Step 2   vlan database    Enter VLAN database mode.
Step 3   vlan vlan-id     Create a VLAN with the specified VLAN ID.
Step 4   exit             Return to global configuration mode.
Step 5   exit             Return to privileged EXEC mode.
Step 6   show vlan        Verify the configuration.
To create a VLAN on the system, use the vlan vlan-id VLAN database configuration command. To display the VLAN information, use the show vlan privileged EXEC command.
In this example, VLAN 2 is created without any members.
(BX900-CB1)#configure
(BX900-CB1)(Config)#vlan database
(BX900-CB1)(Vlan)#vlan 2
(BX900-CB1)(Vlan)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show vlan
VLAN ID VLAN Name VLAN Type Interface(s)
------- -------------------------------- ---------- -------------------------
1 Default Default BX900-CB1/0/1,
BX900-CB1/0/2,
BX900-CB1/0/3,
BX900-CB1/0/4,
BX900-CB1/0/5,
BX900-CB1/0/6,
BX900-CB1/0/7,
BX900-CB1/0/8,
BX900-CB1/0/9,
BX900-CB1/0/10,
BX900-CB1/0/11,
BX900-CB1/0/12,
BX900-CB1/0/13,
BX900-CB1/0/14,
BX900-CB1/0/15,
BX900-CB1/0/16,
BX900-CB1/0/17,
BX900-CB1/0/18,
BX900-CB1/0/19,
--More-- or (q)uit
BX900-CB1/0/20,
BX900-CB1/0/21,
BX900-CB1/0/22,
BX900-CB1/0/23,
BX900-CB1/0/24,
BX900-CB1/0/25,
BX900-CB1/0/26,
BX900-CB1/0/27,
BX900-CB1/0/28,
BX900-CB1/0/29,
BX900-CB1/0/30,
BX900-CB1/0/31,
BX900-CB1/0/32,
BX900-CB1/0/33,
BX900-CB1/0/34,
BX900-CB1/0/35,
BX900-CB1/0/36,
BX900-CB1/0/37,
BX900-CB1/0/38,
BX900-CB1/0/39,
BX900-CB1/0/40,
BX900-CB1/0/41,
BX900-CB1/0/42,
--More-- or (q)uit
BX900-CB1/0/43,
BX900-CB1/0/44,
BX900-CB1/0/45,
BX900-CB1/0/46,
BX900-CB1/0/47,
BX900-CB1/0/48
2 VLAN0002 Static
1002 fddi-default Static
1003 token-ring-default Static
1004 fddinet-default Static
1005 trnet-default Static
(BX900-CB1)#
2.2 Configuring VLAN Members
This section describes how to configure members of a VLAN.
Beginning in privileged EXEC mode, follow these steps to configure the members of a VLAN:
         Command                                 Purpose
Step 1   configure                               Enter global configuration mode.
Step 2   interface interface-id                  Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface).
Step 3   switchport allowed vlan add vlan-id     Add an interface to, or remove an interface from, a VLAN.
         or
         switchport allowed vlan remove vlan-id
Step 4   switchport native vlan vlan-id          Change the port VLAN ID to a new one.
Step 5   exit                                    Return to global configuration mode.
Step 6   exit                                    Return to privileged EXEC mode.
Step 7   show vlan id vlan-id                    Verify the configuration.
To create a VLAN on the system, use the vlan vlan-id VLAN database configuration command. To add an interface to a VLAN or remove it from a VLAN, use the switchport allowed vlan add or switchport allowed vlan remove interface configuration command. To display the VLAN information, use the show vlan privileged EXEC command.
In this example, VLAN 2 was created without any members. Interface 0/1 is added to VLAN 2 and is removed from VLAN 1.
(BX900-CB1)#configure
(BX900-CB1)(Config)#interface 0/1
(BX900-CB1)(Interface BX900-CB1/0/1)#switchport allowed vlan add 2
(BX900-CB1)(Interface BX900-CB1/0/1)#switchport native vlan 2
(BX900-CB1)(Interface BX900-CB1/0/1)#switchport allowed vlan remove 1
(BX900-CB1)(Interface BX900-CB1/0/1)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show vlan
VLAN ID VLAN Name VLAN Type Interface(s)
------- -------------------------------- ---------- -------------------------
1 Default Default BX900-CB1/0/2,
BX900-CB1/0/3,
BX900-CB1/0/4,
BX900-CB1/0/5,
BX900-CB1/0/6,
BX900-CB1/0/7,
BX900-CB1/0/8,
BX900-CB1/0/9,
BX900-CB1/0/10,
BX900-CB1/0/11,
BX900-CB1/0/12,
BX900-CB1/0/13,
BX900-CB1/0/14,
BX900-CB1/0/15,
BX900-CB1/0/16,
BX900-CB1/0/17,
BX900-CB1/0/18,
BX900-CB1/0/19,
--More-- or (q)uit
BX900-CB1/0/20,
BX900-CB1/0/21,
BX900-CB1/0/22,
BX900-CB1/0/23,
BX900-CB1/0/24,
BX900-CB1/0/25,
BX900-CB1/0/26,
BX900-CB1/0/27,
BX900-CB1/0/28,
BX900-CB1/0/29,
BX900-CB1/0/30,
BX900-CB1/0/31,
BX900-CB1/0/32,
BX900-CB1/0/33,
BX900-CB1/0/34,
BX900-CB1/0/35,
BX900-CB1/0/36,
BX900-CB1/0/37,
BX900-CB1/0/38,
BX900-CB1/0/39,
BX900-CB1/0/40,
BX900-CB1/0/41,
BX900-CB1/0/42,
--More-- or (q)uit
BX900-CB1/0/43,
BX900-CB1/0/44,
BX900-CB1/0/45,
BX900-CB1/0/46,
BX900-CB1/0/47,
BX900-CB1/0/48
2 VLAN0002 Static BX900-CB1/0/1
1002 fddi-default Static
1003 token-ring-default Static
1004 fddinet-default Static
1005 trnet-default Static
(BX900-CB1)#
2.3 Configuring Untagged VLAN (Access Port)
This section describes how to configure interfaces to send untagged packets for a specific VLAN.
Beginning in privileged EXEC mode, follow these steps to configure an untagged VLAN on a specific interface:
         Command                                         Purpose
Step 1   configure                                       Enter global configuration mode.
Step 2   interface interface-id                          Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface).
Step 3   switchport allowed vlan add vlan-id [untagged]  Add this interface to a VLAN as an access port.
Step 4   exit                                            Return to global configuration mode.
Step 5   exit                                            Return to privileged EXEC mode.
Step 6   show vlan id vlan-id                            Verify the configuration.
To configure an interface as an access port for a specific VLAN, use the switchport allowed vlan add vlan-id interface configuration command. To display the VLAN information, use the show vlan id privileged EXEC command.
In this example, VLAN 2 is created without any members and interface 0/6 is configured as an access port of VLAN 2:
(BX900-CB1)#configure
(BX900-CB1)(Config)#vlan database
(BX900-CB1)(Vlan)#vlan 2
(BX900-CB1)(Vlan)#exit
(BX900-CB1)(Config)#interface 0/6
(BX900-CB1)(Interface BX900-CB1/0/6)#switchport allowed vlan add 2
(BX900-CB1)(Interface BX900-CB1/0/6)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show vlan id 2
VLAN ID: 2
VLAN Name: VLAN0002
VLAN Type: Static
Interface Current Configured Tagging
----------------- -------- ----------- --------
BX900-CB1/0/1 Exclude Autodetect Untagged
BX900-CB1/0/2 Exclude Autodetect Untagged
BX900-CB1/0/3 Exclude Autodetect Untagged
BX900-CB1/0/4 Exclude Autodetect Untagged
BX900-CB1/0/5 Exclude Autodetect Untagged
BX900-CB1/0/6 Include Autodetect Untagged
BX900-CB1/0/7 Exclude Autodetect Untagged
BX900-CB1/0/8 Exclude Autodetect Untagged
BX900-CB1/0/9 Exclude Autodetect Untagged
BX900-CB1/0/10 Exclude Autodetect Untagged
BX900-CB1/0/11 Exclude Autodetect Untagged
BX900-CB1/0/12 Exclude Autodetect Untagged
BX900-CB1/0/13 Exclude Autodetect Untagged
BX900-CB1/0/14 Exclude Autodetect Untagged
BX900-CB1/0/15 Exclude Autodetect Untagged
BX900-CB1/0/16 Exclude Autodetect Untagged
--More-- or (q)uit
(BX900-CB1)#
Note: An interface that is added to a VLAN without specifying tagging information is set as an untagged port (access port) by default.
2.4 Configuring Tagged VLAN (Trunk Port)
This section describes how to configure interfaces to send tagged packets for a specific VLAN.
Beginning in privileged EXEC mode, follow these steps to configure a tagged VLAN on a specific interface:
         Command                                      Purpose
Step 1   configure                                    Enter global configuration mode.
Step 2   interface interface-id                       Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface).
Step 3   switchport allowed vlan add vlan-id tagging  Add this interface to a VLAN as a trunk port.
Step 4   exit                                         Return to global configuration mode.
Step 5   exit                                         Return to privileged EXEC mode.
Step 6   show vlan id vlan-id                         Verify the configuration.
To configure an interface to send tagged packets for a specific VLAN, use the switchport allowed vlan add vlan-id tagging interface configuration command. To display the VLAN information, use the show vlan id privileged EXEC command.
In this example, VLAN 2 was created with a member interface 0/6. Interface 0/7 is configured as a trunk port of VLAN 2:
(BX900-CB1)#configure
(BX900-CB1)(Config)#interface 0/7
(BX900-CB1)(Interface BX900-CB1/0/7)#switchport allowed vlan add 2 tagging
(BX900-CB1)(Interface BX900-CB1/0/7)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show vlan id 2
VLAN ID: 2
VLAN Name: VLAN0002
VLAN Type: Static
Interface Current Configured Tagging
----------------- -------- ----------- --------
BX900-CB1/0/1 Exclude Autodetect Untagged
BX900-CB1/0/2 Exclude Autodetect Untagged
BX900-CB1/0/3 Exclude Autodetect Untagged
BX900-CB1/0/4 Exclude Autodetect Untagged
BX900-CB1/0/5 Exclude Autodetect Untagged
BX900-CB1/0/6 Include Autodetect Untagged
BX900-CB1/0/7 Include Autodetect Tagged
BX900-CB1/0/8 Exclude Autodetect Untagged
BX900-CB1/0/9 Exclude Autodetect Untagged
BX900-CB1/0/10 Exclude Autodetect Untagged
BX900-CB1/0/11 Exclude Autodetect Untagged
BX900-CB1/0/12 Exclude Autodetect Untagged
BX900-CB1/0/13 Exclude Autodetect Untagged
BX900-CB1/0/14 Exclude Autodetect Untagged
BX900-CB1/0/15 Exclude Autodetect Untagged
BX900-CB1/0/16 Exclude Autodetect Untagged
--More-- or (q)uit
(BX900-CB1)#
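To check a change like the ones in sections 2.3 and 2.4 from a saved terminal log rather than by eye, the following added example (not part of the original manual) parses show vlan id output and compares VLAN membership and tagging against an expected list. The sample capture is constructed from the output above and shortened to eight rows; the function names and the expected-port dictionary are illustrative assumptions.

```python
import re

# Constructed capture: the "show vlan id 2" output from section 2.4, shortened
# to eight rows, with the pager line and the final prompt left in as a
# terminal log would have them.
SAMPLE = """\
(BX900-CB1)#show vlan id 2
VLAN ID: 2
VLAN Name: VLAN0002
VLAN Type: Static
Interface Current Configured Tagging
----------------- -------- ----------- --------
BX900-CB1/0/1 Exclude Autodetect Untagged
BX900-CB1/0/2 Exclude Autodetect Untagged
BX900-CB1/0/3 Exclude Autodetect Untagged
BX900-CB1/0/4 Exclude Autodetect Untagged
BX900-CB1/0/5 Exclude Autodetect Untagged
BX900-CB1/0/6 Include Autodetect Untagged
BX900-CB1/0/7 Include Autodetect Tagged
BX900-CB1/0/8 Exclude Autodetect Untagged
--More-- or (q)uit
(BX900-CB1)#
"""

HEADER = re.compile(r"^VLAN (ID|Name|Type):\s*(\S.*)$")
ROW = re.compile(r"^(\S+/\d+/\d+)\s+(Include|Exclude)\s+(\S+)\s+(Tagged|Untagged)$")
PAGER = "--More-- or (q)uit"


def parse_show_vlan_id(text):
    """Return header fields, per-port rows, and whether the capture ended at the pager."""
    parsed = {"header": {}, "ports": {}, "truncated": False}
    for raw in text.splitlines():
        line = raw.strip()
        if line == PAGER:
            # Rows follow if the operator continued; none follow if they quit.
            parsed["truncated"] = True
            continue
        header = HEADER.match(line)
        if header:
            parsed["header"][header.group(1)] = header.group(2).strip()
            continue
        row = ROW.match(line)
        if row:
            iface, current, configured, tagging = row.groups()
            parsed["ports"][iface] = {
                "current": current, "configured": configured, "tagging": tagging,
            }
            parsed["truncated"] = False  # output continued past the last pager line
    return parsed


def members(parsed):
    """Map each member port (Current = Include) to its tagging mode."""
    return {i: p["tagging"] for i, p in parsed["ports"].items() if p["current"] == "Include"}


def audit(parsed, expected):
    """Compare membership with expected ({interface: 'Tagged'|'Untagged'}); return findings."""
    findings = []
    actual = members(parsed)
    for iface, tagging in sorted(actual.items()):
        if iface not in expected:
            findings.append(f"{iface}: unexpected member ({tagging})")
        elif expected[iface] != tagging:
            findings.append(
                f"{iface}: tagging mismatch, expected {expected[iface]}, found {tagging}")
    for iface in sorted(set(expected) - set(actual)):
        if iface in parsed["ports"]:
            findings.append(f"{iface}: expected member is excluded")
        else:
            findings.append(f"{iface}: not verified, no row in captured output")
    if parsed["truncated"]:
        findings.append("capture stopped at the pager; later ports were not checked")
    return findings


if __name__ == "__main__":
    result = parse_show_vlan_id(SAMPLE)
    print(members(result))
    for finding in audit(result, {"BX900-CB1/0/6": "Untagged", "BX900-CB1/0/7": "Tagged"}):
        print(finding)
```

A capture that ends at the pager, as the outputs in this chapter do, only proves the state of the ports that were printed, which is why the audit reports it as a finding.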
2.5 Configuring Protocol VLAN
This section describes how to configure a protocol-based VLAN.
Beginning in privileged EXEC mode, follow these steps to configure a protocol-based VLAN on specific interfaces:
         Command                                                         Purpose
Step 1   configure                                                       Enter global configuration mode.
Step 2   switchport protocol group group-name                            Create a protocol-based VLAN group.
Step 3   switchport protocol group add protocol group-name <ip/arp/ipx>  Add a protocol to this VLAN group.
Step 4   vlan database                                                   Enter VLAN database mode.
Step 5   protocol group group-name vlan-id                               Associate the protocol-based VLAN group with a VLAN ID.
Step 6   exit                                                            Return to global configuration mode.
Step 7   interface interface-id                                          Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface).
Step 8   switchport protocol group group-name                            Join the interface to the specified VLAN group.
Step 9   exit                                                            Return to global configuration mode.
Step 10  exit                                                            Return to privileged EXEC mode.
Step 11  show protocol group all                                         Verify the configuration.
To create a protocol group, use the switchport protocol group global configuration command. To assign an interface to a protocol group, use the switchport protocol group interface configuration command. To display protocol groups, use the show protocol group all privileged EXEC command.
In this example, two protocol-based VLAN groups, “pro1” and “pro2”, are created with VLAN 10 and VLAN 20 respectively. The IP and ARP protocols are assigned to the groups “pro1” and “pro2” respectively. Packets other than IP and ARP are received as VLAN 100. Interfaces 0/1 and 0/2 are assigned to “pro1”, and interfaces 0/3 and 0/4 are assigned to “pro2”.
(BX900-CB1)#configure
(BX900-CB1)(Config)#switchport protocol group pro1
(BX900-CB1)(Config)#switchport protocol group pro2
(BX900-CB1)(Config)#switchport protocol group add protocol pro1 ip
(BX900-CB1)(Config)#switchport protocol group add protocol pro2 arp
(BX900-CB1)(Config)#vlan database
(BX900-CB1)(Vlan)#vlan 10 pro1
(BX900-CB1)(Vlan)#vlan 20 pro2
(BX900-CB1)(Vlan)#vlan 100 non-ip-arp
(BX900-CB1)(Vlan)#protocol group pro1 10
(BX900-CB1)(Vlan)#protocol group pro2 20
(BX900-CB1)(Vlan)#exit
(BX900-CB1)(Config)#interface range 0/1 - 0/2
(BX900-CB1)(if-range)#switchport protocol group pro1
(BX900-CB1)(if-range)#switchport allow vlan add 10
(BX900-CB1)(if-range)#exit
(BX900-CB1)(Config)#interface range 0/3 - 0/4
(BX900-CB1)(if-range)#switchport protocol group pro2
(BX900-CB1)(if-range)#switchport allow vlan add 20
(BX900-CB1)(if-range)#exit
(BX900-CB1)(Config)#interface range 0/1 - 0/4
(BX900-CB1)(if-range)#switchport allow vlan add 100
(BX900-CB1)(if-range)#switchport native vlan 100
(BX900-CB1)(if-range)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show protocol group all
Group
Group Name ID Protocol(s) VLAN Interface(s)
---------------- ------ ----------- ---- ------------------------
pro1 1 IP 10 BX900-CB1/0/1,
BX900-CB1/0/2
pro2 2 ARP 20 BX900-CB1/0/3,
BX900-CB1/0/4
(BX900-CB1)#
3 Configuring Link Aggregation
This chapter describes how to configure the Link Aggregation in the PRIMERGY BX900 Connection Blade system.
3.1 Configuring Link Aggregation with LACP
This section describes how to configure link aggregation with LACP with 4 links.
Beginning in privileged EXEC mode, follow these steps to configure link aggregation with LACP:
         Command                     Purpose
Step 1   configure                   Enter global configuration mode.
Step 2   port-channel name           Create a port-channel.
Step 3   interface interface-id      Specify the port-channel interface (logical interface), and enter interface configuration mode.
Step 4   no staticcapability         Disable the static mode of the port-channel.
Step 5   exit                        Return to global configuration mode.
Step 6   interface interface-id      Specify the interface, and enter interface configuration mode.
Step 7   channel-group interface-id  Join the specified port-channel group.
Step 8   exit                        Return to global configuration mode.
Step 9   exit                        Return to privileged EXEC mode.
Step 10  show port-channel all       Verify the configuration.
To create a port-channel group, use the port-channel global configuration command. To assign an interface to a port-channel group, use the channel-group interface configuration command. To display port-channel groups, use the show port-channel all privileged EXEC command.
In this example, a port-channel group is created and interfaces 0/1, 0/2, 0/3 and 0/4 are set as members of this port-channel group.
(BX900-CB1)(Config)#port-channel pc-1
Interface BX900-CB1/1/1 created for port-channel pc-1
(BX900-CB1)(Config)#interface BX900-CB1/1/1
(BX900-CB1)(Interface BX900-CB1/1/1)#no staticcapability
(BX900-CB1)(Interface BX900-CB1/1/1)#exit
(BX900-CB1)(Config)#interface range 0/1 - 0/4
(BX900-CB1)(if-range)#channel-group BX900-CB1/1/1
(BX900-CB1)(if-range)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show port-channel all
Port- Link
Log. Channel Adm. Trap STP Mbr Port Port
Intf Name Link Mode Mode Mode Type LB Ports Speed Active
------ --------------- ------ ---- ---- ------ ---- --- ------ --------- ------
BX900-CB1/1/1 pc-1 Down En. En. En. Dy. SDM BX900-CB1/0/1 Auto False
BX900-CB1/0/2 Auto False
BX900-CB1/0/3 Auto False
BX900-CB1/0/4 Auto False
(BX900-CB1)#
3.2 Configuring Static Link Aggregation
This section describes how to configure link aggregation without LACP with 4 links.
Beginning in privileged EXEC mode, follow these steps to configure link aggregation without LACP:
         Command                     Purpose
Step 1   configure                   Enter global configuration mode.
Step 2   port-channel name           Create a port-channel.
Step 3   interface interface-id      Specify the port-channel interface (logical interface), and enter interface configuration mode.
Step 4   staticcapability            Enable the static mode of the port-channel.
Step 5   exit                        Return to global configuration mode.
Step 6   interface interface-id      Specify the interface, and enter interface configuration mode.
Step 7   channel-group interface-id  Join the specified port-channel group.
Step 8   exit                        Return to global configuration mode.
Step 9   exit                        Return to privileged EXEC mode.
Step 10  show port-channel all       Verify the configuration.
To create a port-channel group, use the port-channel global configuration command. To assign an interface to a port-channel group, use the channel-group interface configuration command. To display port-channel groups, use the show port-channel all privileged EXEC command.
In the following example, a port-channel group is created with the static property and interfaces 0/1, 0/2, 0/3 and 0/4 are set as members of this port-channel group.
(BX900-CB1)(Config)#port-channel pc-1
Interface BX900-CB1/1/1 created for port-channel pc-1
(BX900-CB1)(Config)#interface BX900-CB1/1/1
(BX900-CB1)(Interface BX900-CB1/1/1)#staticcapability
(BX900-CB1)(Interface BX900-CB1/1/1)#exit
(BX900-CB1)(Config)#interface range 0/1 - 0/4
(BX900-CB1)(if-range)#channel-group BX900-CB1/1/1
(BX900-CB1)(if-range)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show port-channel all
Port- Link
Log. Channel Adm. Trap STP Mbr Port Port
Intf Name Link Mode Mode Mode Type LB Ports Speed Active
------ --------------- ------ ---- ---- ------ ---- --- ------ --------- ------
BX900-CB1/1/1 pc-1 Down En. En. En. St. SDM BX900-CB1/0/1 Auto False
BX900-CB1/0/2 Auto False
BX900-CB1/0/3 Auto False
BX900-CB1/0/4 Auto False
(BX900-CB1)#
3.3 Configuring Load Balance of Link Aggregation
This section describes how to configure link aggregation with load balance settings.
Beginning in privileged EXEC mode, follow these steps to configure link aggregation with load balance settings:
         Command                                                               Purpose
Step 1   configure                                                             Enter global configuration mode.
Step 2   interface interface-id                                                Specify the port-channel interface (logical interface), and enter interface configuration mode.
Step 3   load-balance <dst-ip/dst-mac/src-dst-ip/src-dst-mac/src-ip/src-mac>   Set the load balance for the port-channel group.
Step 4   exit                                                                  Return to global configuration mode.
Step 5   exit                                                                  Return to privileged EXEC mode.
Step 6   show port-channel all                                                 Verify the configuration.
To set the load balance setting of a port-channel group, use the load-balance interface configuration command. To display port-channel groups, use the show port-channel all privileged EXEC command.
In this example, a port-channel group is set to use source IP and destination IP for its load balance setting.
(BX900-CB1)(Config)#port-channel pc-1
Interface BX900-CB1/1/1 created for port-channel pc-1
(BX900-CB1)(Config)#interface BX900-CB1/1/1
(BX900-CB1)(Interface BX900-CB1/1/1)#load-balance src-dst-ip
(BX900-CB1)(Interface BX900-CB1/1/1)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show port-channel all
Port- Link
Log. Channel Adm. Trap STP Mbr Port Port
Intf Name Link Mode Mode Mode Type LB Ports Speed Active
------ --------------- ------ ---- ---- ------ ---- --- ------ --------- ------
BX900-CB1/1/1 pc-1 Down En. En. En. St. SDI BX900-CB1/0/1 Auto False
BX900-CB1/0/2 Auto False
BX900-CB1/0/3 Auto False
BX900-CB1/0/4 Auto False
(BX900-CB1)#
4 Configuring Port-Backup
This chapter describes how to configure port-backup.
4.1 Creating Port-backup group
This section describes how to create a port-backup group and how to enable the port-backup group.
Beginning in privileged EXEC mode, follow these steps to create a port-backup group:
         Command                             Purpose
Step 1   configure                           Enter global configuration mode.
Step 2   port-backup group                   Create a port-backup group.
Step 3   port-backup                         Enable the port-backup admin mode.
Step 4   port-backup group enable group-id   Enable a specific port-backup group.
Step 5   exit                                Return to privileged EXEC mode.
Step 6   show port-backup                    Verify the configuration.
To create a port-backup group, use the port-backup group global configuration command. To enable the created port-backup group, use the port-backup group enable group-id global configuration command. To display the port-backup information, use the show port-backup privileged EXEC command.
Caution: A port-backup group can only be enabled if both the active port and the backup port have been assigned.
In this example, a port-backup group is created and an attempt is made to enable it. The attempt is rejected because no port pair has been configured for the group.
(BX900-CB1)#configure
(BX900-CB1)(Config)#port-backup group
Port backup group 1 is created
(BX900-CB1)(Config)#port-backup
(BX900-CB1)(Config)#port-backup group enable 1
port pair should be configured before enabling this group.
(BX900-CB1)(Config)#exit
(BX900-CB1)#show port-backup
Admin Mode: Enable
Group ID Mode Active Port Backup Port Current Active Port
--------- ----------- ------------ ------------ --------------------
1 Disable
(BX900-CB1)#
4.2 Configuring Active port and Backup port
This section describes how to configure the active port and the backup port for a port-backup group.
Beginning in privileged EXEC mode, follow these steps to configure the active port and the backup port:
         Command                             Purpose
Step 1   configure                           Enter global configuration mode.
Step 2   port-backup group                   Create a port-backup group.
Step 3   interface interface-id              Specify the physical interface or logical interface with uplinks, then enter interface configuration mode.
Step 4   port-backup group group-id active   Set the interface to the specific port-backup group as an active port.
Step 5   interface interface-id              Specify the physical interface or logical interface with uplinks, then enter interface configuration mode.
Step 6   port-backup group group-id backup   Set the interface to the specific port-backup group as a backup port.
Step 7   exit                                Return to global configuration mode.
Step 8   port-backup group enable group-id   Enable the port-backup group.
Step 9   exit                                Return to privileged EXEC mode.
Step 10  show port-backup                    Verify the configuration.
To create a port-backup group, use the port-backup group global configuration command. To set an interface as the active port of a port-backup group, use the port-backup group group-id active interface configuration command. To set an interface as the backup port of a port-backup group, use the port-backup group group-id backup interface configuration command.
In this example, interface 0/40 is set as the active port and interface 0/41 is set as the backup port of the port-backup group.
(BX900-CB1)#configure
(BX900-CB1)(Config)#port-backup group
Port backup group 2 is created
(BX900-CB1)(Config)#interface BX900-CB1/0/40
(BX900-CB1)(Interface BX900-CB1/0/40)#port-backup group 2 active
(BX900-CB1)(Interface BX900-CB1/0/40)#interface BX900-CB1/0/41
(BX900-CB1)(Interface BX900-CB1/0/41)#port-backup group 2 backup
(BX900-CB1)(Interface BX900-CB1/0/41)#exit
(BX900-CB1)(Config)#port-backup group enable 2
(BX900-CB1)(Config)#exit
(BX900-CB1)#show port-backup
Admin Mode: Enable
Group ID Mode Active Port Backup Port Current Active Port
--------- ------- ------------ ------------ --------------------
1 Disable
2 Enable BX900-CB1/0/40 BX900-CB1/0/41
(BX900-CB1)#
5 Configuring MAC Filtering
This chapter describes how to configure MAC filtering, which can limit network traffic and restrict the network for security using a combination of MAC address, packet, Ethernet type, VLAN ID and CoS value.
5.1 Configuring MAC filter which passes only packets of the specific source MAC address
This section describes how to configure a MAC filter which passes only packets of the specified source MAC address and rejects the other packets.
Beginning in privileged EXEC mode, follow these steps to configure an ACL MAC filter on a specific interface:
         Command                                         Purpose
Step 1   configure                                       Enter global configuration mode.
Step 2   mac access-list extended acl-name               Create a new extended MAC access-list with a name.
Step 3   permit xx:xx:xx:xx:xx:xx 00:00:00:00:00:00 any  Create a new matching rule for a specific source MAC address (xx:xx:xx:xx:xx:xx) with a MAC address bit mask (00:00:00:00:00:00).
Step 4   exit                                            Return to global configuration mode.
Step 5   interface interface-id                          Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface).
Step 6   mac access-group acl-name in                    Specify the ACL which will be applied to this interface.
Step 7   exit                                            Return to global configuration mode.
Step 8   exit                                            Return to privileged EXEC mode.
Step 9   show access-lists interface interface-id in     Verify the configuration.
To configure a MAC filter on an interface so that it passes only packets with a specific source MAC address, use the mac access-list global configuration command. To display the configuration, use the show access-lists interface privileged EXEC command.
In this example, MAC access-list is configured on interface 0/1 to pass specific sourceMAC address packets:
(BX900-CB1)#configure
(BX900-CB1)(Config)#mac access-list extended acl_mac
(BX900-CB1)(Config-mac-access-list)#permit 00:00:00:00:00:01 00:00:00:00:00:00 any
Create ACL MAC 1 : Rule ID 1
(BX900-CB1)(Config-mac-access-list)#exit
(BX900-CB1)(Config)#interface 0/1
(BX900-CB1)(Interface BX900-CB1/0/1)#mac access-group acl_mac in
(BX900-CB1)(Interface BX900-CB1/0/1)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show access-lists interface 0/1 in
ACL Type ACL ID Sequence Number
-------- ------------------------------- ---------------
MAC acl_mac 1
(BX900-CB1)#
5.2 Configuring MAC filter which passes only packets of specified destination MAC address
This section describes how to configure a MAC filter which passes only packets of the specified destination MAC address and rejects the other packets.
Beginning in privileged EXEC mode, follow these steps to configure an ACL MAC filter on a specific interface:
Command Purpose
Step 1 configure Enter global configuration mode.
Step 2 mac access-list extended acl-name Create a new extended MAC access-list with a name.
Step 3 permit any xx:xx:xx:xx:xx:xx 00:00:00:00:00:00 Create a new matching rule for the specific destination MAC address (xx:xx:xx:xx:xx:xx) with the MAC address bit mask (00:00:00:00:00:00).
Step 4 exit Return to global configuration mode.
Step 5 interface interface-id Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface).
Step 6 mac access-group acl-name in Specify the ACL which will be applied to this interface.
Step 7 exit Return to global configuration mode.
Step 8 exit Return to privileged EXEC mode.
Step 9 show access-lists interface interface-id in Verify the configuration.
To configure a MAC filter on an interface that passes only packets with a specific destination MAC address, use the mac access-list global configuration command. To display the configuration, use the show access-lists interface privileged EXEC command.
In this example, a MAC access-list is configured on interface 0/1 to pass packets with a specific destination MAC address:
(BX900-CB1)#configure
(BX900-CB1)(Config)#mac access-list extended acl_dst_mac
(BX900-CB1)(Config-mac-access-list)#permit any 00:00:00:00:00:01 00:00:00:00:00:00
Create ACL MAC 1 : Rule ID 1
(BX900-CB1)(Config-mac-access-list)#exit
(BX900-CB1)(Config)#interface 0/1
(BX900-CB1)(Interface BX900-CB1/0/1)#mac access-group acl_dst_mac in
(BX900-CB1)(Interface BX900-CB1/0/1)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show access-lists interface 0/1 in
ACL Type ACL ID Sequence Number
-------- ------------------------------- ---------------
MAC acl_dst_mac 1
(BX900-CB1)#
5.3 Configuring MAC filter which rejects only packets of the specified packet format MAC address
This section describes how to configure a MAC filter which rejects only packets whose destination MAC address matches the specified format and passes the other packets.
Beginning in privileged EXEC mode, follow these steps to configure an ACL MAC filter on a specific interface:
Command Purpose
Step 1 configure Enter global configuration mode.
Step 2 mac access-list extended acl-name Create a new extended MAC access-list with a name.
Step 3 deny any xx:xx:xx:xx:xx:xx 00:00:00:00:00:ff Create a new matching rule for the specific destination MAC address (xx:xx:xx:xx:xx:xx) with the MAC address bit mask (00:00:00:00:00:ff).
Step 4 permit any any Create a new matching rule for all packets.
Step 5 exit Return to global configuration mode.
Step 6 interface interface-id Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface).
Step 7 mac access-group acl-name in Specify the ACL which will be applied to this interface.
Step 8 exit Return to global configuration mode.
Step 9 exit Return to privileged EXEC mode.
Step 10 show access-lists interface interface-id in Verify the configuration.
To configure a MAC filter on an interface that rejects only packets with a specific destination MAC address format, use the mac access-list global configuration command. To display the configuration, use the show access-lists interface privileged EXEC command.
In this example, a MAC access-list is configured on interface 0/1 to reject packets with a specific format of destination MAC address (00:00:00:00:00:01 ~ 00:00:00:00:00:ff):
(BX900-CB1)#configure
(BX900-CB1)(Config)#mac access-list extended acl_mac
(BX900-CB1)(Config-mac-access-list)#deny any 00:00:00:00:00:01 00:00:00:00:00:ff
Create ACL MAC 1 : Rule ID 1
(BX900-CB1)(Config-mac-access-list)#permit any any
Create ACL MAC 1 : Rule ID 2
(BX900-CB1)(Config-mac-access-list)#exit
(BX900-CB1)(Config)#interface 0/1
(BX900-CB1)(Interface BX900-CB1/0/1)#mac access-group acl_mac in
(BX900-CB1)(Interface BX900-CB1/0/1)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show access-lists interface 0/1 in
ACL Type ACL ID Sequence Number
-------- ------------------------------- ---------------
MAC acl_mac 1
(BX900-CB1)#
5.4 Configuring MAC filter which rejects only traffic between the specified MAC addresses in VLAN
This section describes how to configure a MAC filter which rejects only the traffic between the specified MAC addresses.
Beginning in privileged EXEC mode, follow these steps to configure an ACL MAC filter on a specific interface:
Command Purpose
Step 1 configure Enter global configuration mode.
Step 2 mac access-list extended acl-name Create a new extended MAC access-list with a name.
Step 3 deny xx:xx:xx:xx:xx:xx 00:00:00:00:00:ff any vlan eq <0-4095> Create a new matching rule for the specific source MAC address (xx:xx:xx:xx:xx:xx) with the MAC address bit mask (00:00:00:00:00:ff) and a specific VLAN ID.
Step 4 permit any any Create a new matching rule for all packets.
Step 5 exit Return to global configuration mode.
Step 6 interface interface-id Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface).
Step 7 mac access-group acl-name in Specify the ACL which will be applied to this interface.
Step 8 exit Return to global configuration mode.
Step 9 exit Return to privileged EXEC mode.
Step 10 show access-lists interface interface-id in Verify the configuration.
To configure a MAC filter on an interface that rejects only packets between specific destination MAC addresses in a VLAN, use the mac access-list global configuration command. To display the configuration, use the show access-lists interface privileged EXEC command.
In this example, a MAC access-list is configured on interface 0/1 to reject packets with a specific format of destination MAC address (00:00:00:00:00:01 ~ 00:00:00:00:00:ff):
(BX900-CB1)#configure
(BX900-CB1)(Config)#mac access-list extended acl_mac
(BX900-CB1)(Config-mac-access-list)#deny 00:00:00:00:00:01 00:00:00:00:00:ff any vlan eq 1
Create ACL MAC 1 : Rule ID 1
(BX900-CB1)(Config-mac-access-list)#permit any any
Create ACL MAC 1 : Rule ID 2
(BX900-CB1)(Config-mac-access-list)#exit
(BX900-CB1)(Config)#interface 0/1
(BX900-CB1)(Interface BX900-CB1/0/1)#mac access-group acl_mac in
(BX900-CB1)(Interface BX900-CB1/0/1)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show access-lists interface 0/1 in
ACL Type ACL ID Sequence Number
-------- ------------------------------- ---------------
MAC acl_mac 1
(BX900-CB1)#
5.5 Configuring MAC filter which passes only the traffic between the specified MAC addresses in VLAN
This section describes how to configure a MAC filter which passes only the traffic between the specified MAC addresses.
Beginning in privileged EXEC mode, follow these steps to configure an ACL MAC filter on a specific interface:
Command Purpose
Step 1 configure Enter global configuration mode.
Step 2 mac access-list extended acl-name Create a new extended MAC access-list with a name.
Step 3 permit xx:xx:xx:xx:xx:xx 00:00:00:00:00:00 any vlan eq <0-4095> Create a new matching rule for the specific destination MAC address (xx:xx:xx:xx:xx:xx) with the MAC address bit mask (00:00:00:00:00:00) and a specific VLAN ID.
Step 4 exit Return to global configuration mode.
Step 5 interface interface-id Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface).
Step 6 mac access-group acl-name in Specify the ACL which will be applied to this interface.
Step 7 exit Return to global configuration mode.
Step 8 exit Return to privileged EXEC mode.
Step 9 show access-lists interface interface-id in Verify the configuration.
To configure a MAC filter on an interface that passes only packets between specific destination MAC addresses in a VLAN, use the mac access-list global configuration command. To display the configuration, use the show access-lists interface privileged EXEC command.
In this example, a MAC access-list is configured on interface 0/1 to pass packets with a specific destination MAC address:
(BX900-CB1)#configure
(BX900-CB1)(Config)#mac access-list extended acl_mac
(BX900-CB1)(Config-mac-access-list)#permit 00:00:00:00:00:01 00:00:00:00:00:00 any vlan eq 1
Create ACL MAC 1 : Rule ID 1
(BX900-CB1)(Config-mac-access-list)#exit
(BX900-CB1)(Config)#interface 0/1
(BX900-CB1)(Interface BX900-CB1/0/1)#mac access-group acl_mac in
(BX900-CB1)(Interface BX900-CB1/0/1)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show access-lists interface 0/1 in
ACL Type ACL ID Sequence Number
-------- ------------------------------- ---------------
MAC acl_mac 1
(BX900-CB1)#
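The matching behaviour that sections 5.1 to 5.5 rely on, as an added Python model (not Fujitsu code and not part of the original guide). It assumes that a set mask bit means the address bit is ignored, that rules are checked in rule-ID order with the first match deciding, and that a frame matching no rule is rejected, as the permit-only lists in 5.1, 5.2 and 5.5 imply; the frames are constructed samples.

```python
# Added example: model of the MAC ACL rules shown in sections 5.1-5.5.
# Assumptions (not taken from the switch firmware): mask bits set to 1 are
# "don't care", the first matching rule decides, unmatched frames are denied.
import re
from dataclasses import dataclass
from typing import List, Optional

MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")
ALL_BITS = (1 << 48) - 1


def mac_to_int(mac: str) -> int:
    """Convert aa:bb:cc:dd:ee:ff to a 48-bit integer, rejecting bad input."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(mac.replace(":", ""), 16)


@dataclass(frozen=True)
class MacPattern:
    value: int
    wildcard: int  # bits set here are not compared

    def matches(self, mac: str) -> bool:
        care = ~self.wildcard & ALL_BITS
        return (mac_to_int(mac) & care) == (self.value & care)


ANY = MacPattern(0, ALL_BITS)


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: MacPattern
    dst: MacPattern
    vlan: Optional[int] = None  # None means any VLAN


def _take_pattern(tokens: List[str]) -> MacPattern:
    """Consume either 'any' or '<address> <mask>' from the token list."""
    if not tokens:
        raise ValueError("missing address")
    if tokens[0] == "any":
        tokens.pop(0)
        return ANY
    if len(tokens) < 2:
        raise ValueError("an address must be followed by a mask")
    addr, mask = tokens.pop(0), tokens.pop(0)
    return MacPattern(mac_to_int(addr), mac_to_int(mask))


def parse_rule(line: str) -> Rule:
    """Parse the rule forms used in chapter 5, e.g. 'deny any X M' or
    'permit X M any vlan eq 1'."""
    tokens = line.split()
    if not tokens or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"rule must start with permit or deny: {line!r}")
    action = tokens.pop(0)
    src = _take_pattern(tokens)
    dst = _take_pattern(tokens)
    vlan = None
    if tokens:
        if len(tokens) != 3 or tokens[:2] != ["vlan", "eq"]:
            raise ValueError(f"unsupported rule suffix: {tokens!r}")
        vlan = int(tokens[2])
        if not 0 <= vlan <= 4095:
            raise ValueError("VLAN ID out of range")
    return Rule(action, src, dst, vlan)


def evaluate(acl: List[Rule], src: str, dst: str, vlan: int) -> str:
    """Return the action of the first matching rule, or the implicit deny."""
    for rule in acl:
        if (rule.src.matches(src) and rule.dst.matches(dst)
                and (rule.vlan is None or rule.vlan == vlan)):
            return rule.action
    return "deny"


# Rule lines copied from the examples in sections 5.1, 5.3 and 5.4.
ACL_5_1 = [parse_rule("permit 00:00:00:00:00:01 00:00:00:00:00:00 any")]
ACL_5_3 = [parse_rule("deny any 00:00:00:00:00:01 00:00:00:00:00:ff"),
           parse_rule("permit any any")]
ACL_5_4 = [parse_rule("deny 00:00:00:00:00:01 00:00:00:00:00:ff any vlan eq 1"),
           parse_rule("permit any any")]

if __name__ == "__main__":
    # Constructed frames: (label, acl, source MAC, destination MAC, VLAN ID)
    frames = [
        ("5.1 listed source", ACL_5_1, "00:00:00:00:00:01", "00:00:00:00:00:aa", 1),
        ("5.1 other source", ACL_5_1, "00:00:00:00:00:02", "00:00:00:00:00:aa", 1),
        ("5.3 dst inside mask", ACL_5_3, "00:00:00:00:00:aa", "00:00:00:00:00:7f", 1),
        ("5.3 dst all zero", ACL_5_3, "00:00:00:00:00:aa", "00:00:00:00:00:00", 1),
        ("5.3 dst outside mask", ACL_5_3, "00:00:00:00:00:aa", "00:00:00:00:01:01", 1),
        ("5.4 src in VLAN 1", ACL_5_4, "00:00:00:00:00:10", "00:00:00:00:00:aa", 1),
        ("5.4 src in VLAN 2", ACL_5_4, "00:00:00:00:00:10", "00:00:00:00:00:aa", 2),
    ]
    for label, acl, src, dst, vlan in frames:
        print(f"{label:22} -> {evaluate(acl, src, dst, vlan)}")
```

Under the don't-care mask assumption, the deny rule from section 5.3 also matches destination 00:00:00:00:00:00, which the "dst all zero" frame makes visible.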
6 Configuring Static MAC Forwarding
This section describes how to add a MAC address to the filter table. Only filter members can access that MAC address.
Beginning in privileged EXEC mode, follow these steps to configure a MAC filter on a specific interface:
Command Purpose
Step 1 configure Enter global configuration mode.
Step 2 macfilter mac-address vlan-id Add a new mac-filter rule.
Step 3 interface interface-id Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface).
Step 4 macfilter addsrc mac-address vlan-id Add the specific interface to the mac-filter.
Step 5 exit Return to global configuration mode.
Step 6 exit Return to privileged EXEC mode.
Step 7 show mac-addr-table static all Verify the configuration.
To configure a static MAC filter, use the macfilter global configuration command. To assign an interface, use the macfilter addsrc interface configuration command. To display the configuration, use the show mac-addr-table static all privileged EXEC command.
In this example, a filter is created for MAC address 00:00:00:00:00:01 in VLAN 1, and interface 0/40 is a filter member:
(BX900-CB1)#configure
(BX900-CB1)(Config)#macfilter 00:00:00:00:00:01 1
(BX900-CB1)(Config)#interface 0/40
(BX900-CB1)(Interface BX900-CB1/0/40)#macfilter addsrc 00:00:00:00:00:01 1
(BX900-CB1)(Interface BX900-CB1/0/40)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show mac-addr-table static all
Source
MAC Address VLAN ID Port(s)
----------------- ------- -----------------------------------------
00:00:00:00:00:01 1 BX900-CB1/0/40
(BX900-CB1)#
Beginning in privileged EXEC mode, follow these steps to configure a MAC filter on all interfaces:
Command Purpose
Step 1 configure Enter global configuration mode.
Step 2 macfilter mac-address vlan-id Add a new mac-filter rule.
Step 3 macfilter addsrc all mac-address vlan-id Add all interfaces to the mac-filter.
Step 4 exit Return to privileged EXEC mode.
Step 5 show mac-addr-table static all Verify the configuration.
To configure a static MAC filter, use the macfilter global configuration command. To assign all interfaces, use the macfilter addsrc all global configuration command. To display the configuration, use the show mac-addr-table static all privileged EXEC command.
In this example, a filter is created for MAC address 00:00:00:00:00:01 in VLAN 1, and all interfaces are filter members:
(BX900-CB1)#configure
(BX900-CB1)(Config)#macfilter 00:00:00:00:00:01 1
(BX900-CB1)(Config)#macfilter addsrc all 00:00:00:00:00:01 1
(BX900-CB1)(Config)#exit
(BX900-CB1)#show mac-addr-table static all
Source
MAC Address VLAN ID Port(s)
----------------- ------- -----------------------------------------
00:00:00:00:00:01 1 BX900-CB1/0/1, BX900-CB1/0/2,
BX900-CB1/0/3, BX900-CB1/0/4, BX900-CB1/0/5,
BX900-CB1/0/6, BX900-CB1/0/7, BX900-CB1/0/8,
BX900-CB1/0/9, BX900-CB1/0/10,
BX900-CB1/0/11, BX900-CB1/0/12,
BX900-CB1/0/13, BX900-CB1/0/14,
BX900-CB1/0/15, BX900-CB1/0/16,
BX900-CB1/0/17, BX900-CB1/0/18,
BX900-CB1/0/19, BX900-CB1/0/20,
BX900-CB1/0/21, BX900-CB1/0/22,
BX900-CB1/0/23, BX900-CB1/0/24,
BX900-CB1/0/25, BX900-CB1/0/26,
BX900-CB1/0/27, BX900-CB1/0/28,
BX900-CB1/0/29, BX900-CB1/0/30,
BX900-CB1/0/31, BX900-CB1/0/32,
BX900-CB1/0/33, BX900-CB1/0/34,
BX900-CB1/0/35, BX900-CB1/0/36,
BX900-CB1/0/37, BX900-CB1/0/38,
--More-- or (q)uit
Source
MAC Address VLAN ID Port(s)
----------------- ------- -----------------------------------------
00:00:00:00:00:01 1 BX900-CB1/0/39, BX900-CB1/0/40,
BX900-CB1/0/41, BX900-CB1/0/42,
BX900-CB1/0/43, BX900-CB1/0/44,
BX900-CB1/0/45, BX900-CB1/0/46,
BX900-CB1/0/47, BX900-CB1/0/48
(BX900-CB1)#
7 Configuring QoS
7.1 Configuring priority control
This section describes how to configure priority control, which assigns egress port queues of different priority to the User priority value (CoS) in the VLAN tag.
Beginning in privileged EXEC mode, follow these steps to configure priority control on a specific interface:
Command Purpose
Step 1 configure Enter global configuration mode.
Step 2 interface interface-id Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface).
Step 3 queue trust dot1p Set the trust mode to dot1p.
Step 4 queue cos-map priority-id queue-id Assign a priority ID to a specific traffic class queue to configure dot1p priority mapping.
Step 5 exit Return to global configuration mode.
Step 6 exit Return to privileged EXEC mode.
Step 7 show queue cos-map interface-id Verify the configuration.
To configure priority control and assign priority mapping to an interface, use the CoS interface configuration command. To display the configuration, use the show queue cos-map privileged EXEC command.
In this example, cos-map is configured on interface 0/1 to assign egress port queues of different priority to the User priority value (CoS) in the VLAN tag:
(BX900-CB1)#configure
(BX900-CB1)(Config)#interface 0/1
(BX900-CB1)(Interface BX900-CB1/0/1)#queue trust dot1p
(BX900-CB1)(Interface BX900-CB1/0/1)#queue cos-map 0 1
(BX900-CB1)(Interface BX900-CB1/0/1)#queue cos-map 1 2
(BX900-CB1)(Interface BX900-CB1/0/1)#queue cos-map 4 2
(BX900-CB1)(Interface BX900-CB1/0/1)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show queue cos-map 0/1
User Priority Traffic Class
------------- -------------
0 1
1 2
2 0
3 1
4 2
5 2
6 3
7 3
(BX900-CB1)#
7.2 Configuring priority control rewrite
This section describes how to configure priority control rewrite, which rewrites the priority control information of packets specified with a combination of MAC address, packet format, Ethernet type, VLAN ID and CoS value.
7.2.1 IP Precedence value rewrite
This section describes how to configure IP precedence value rewrite, which rewrites the IP precedence value of packets which have the specified CoS value in the specified port in VLAN.
Beginning in privileged EXEC mode, follow these steps to configure IP precedence value rewrite on a specific interface:
Command Purpose
Step 1 configure Enter global configuration mode.
Step 2 diffserv Enable DiffServ Admin mode.
Step 3 class-map match-all class-map-name Create a DiffServ class with a class-map name and enter the class map mode.
Step 4 match cos <0-7> Configure a match condition based on a CoS value.
Step 5 exit Return to global configuration mode.
Step 6 policy-map policy-name in Create a DiffServ policy with a policy-map name.
Step 7 class class-map-name Attach the DiffServ class to this policy.
Step 8 mark ip-precedence <0-7> Configure the marking action on the specific IP precedence value.
Step 9 exit Return to policy-map configuration mode.
Step 10 exit Return to global configuration mode.
Step 11 interface interface-id Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface).
Step 12 service-policy in policy-map-name Specify the policy which will be applied to this interface.
Step 13 exit Return to global configuration mode.
Step 14 exit Return to privileged EXEC mode.
Step 15 show class-map Verify the configuration.
Step 16 show policy-map Verify the configuration.
Step 17 show policy-map interface interface-id in Verify the configuration.
To configure an IP precedence rewrite on an interface, use the DiffServ configuration command. To display the policy configuration, use the show policy-map privileged EXEC command. To display the class configuration, use the show class-map privileged EXEC command.
In this example, DiffServ is configured on interface 0/1 to rewrite the IP precedence value of packets which have the specified CoS value in the specified port in VLAN:
(BX900-CB1)#configure
(BX900-CB1)(Config)#diffserv
(BX900-CB1)(Config)#class-map match-all class1
(BX900-CB1)(Config-classmap)#match cos 5
(BX900-CB1)(Config-classmap)#exit
(BX900-CB1)(Config)#policy-map policy1 in
(BX900-CB1)(Config-policy-map)#class class1
(BX900-CB1)(Config-policy-classmap)#mark ip-precedence 2
(BX900-CB1)(Config-policy-classmap)#exit
(BX900-CB1)(Config-policy-map)#exit
(BX900-CB1)(Config)#interface 0/1
(BX900-CB1)(Interface BX900-CB1/0/1)#service-policy in policy1
(BX900-CB1)(Interface BX900-CB1/0/1)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show class-map
Class
Class Name Type Reference Class Name
------------------------------- ----- -------------------------------
class1 All
(BX900-CB1)#show policy-map
Policy Name Policy Type Class Members
------------------------------- ----------- -------------------------------
policy1 In class1
(BX900-CB1)#show policy-map interface 0/1 in
Interface...................................... BX900-CB1/0/1
Direction...................................... In
Operational Status............................. Down
Policy Name.................................... policy1
Interface Summary:
Class Name..................................... class1
In Offered Packets............................. 0
In Discarded Packets........................... 0
(BX900-CB1)#
7.2.2 Change queue of packets in VLAN
This section describes how to configure the change queue function, which changes the egress port queue used by packets received on the ingress port.
Beginning in privileged EXEC mode, follow these steps to configure change queue on a specific interface:
Command Purpose
Step 1 configure Enter global configuration mode.
Step 2 diffserv Enable DiffServ Admin mode.
Step 3 class-map match-all class-map-name Create a DiffServ class with a class-map name.
Step 4 match cos <0-7> Configure a match condition based on a CoS value.
Step 5 exit Return to global configuration mode.
Step 6 policy-map policy-name in Create a DiffServ policy with a policy-map name.
Step 7 class class-map-name Attach the DiffServ class to this policy.
Step 8 assign-queue <0-6> Set the queue ID to which the traffic class is assigned.
Step 9 exit Return to policy-map configuration mode.
Step 10 exit Return to global configuration mode.
Step 11 interface interface-id Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface).
Step 12 service-policy in policy-map-name Specify the policy which will be applied to this interface.
Step 13 exit Return to global configuration mode.
Step 14 exit Return to privileged EXEC mode.
Step 15 show policy-map policy-map-name Verify the configuration.
To configure change queue on an interface, use the diffserv global configuration command. To display the policy configuration, use the show policy-map privileged EXEC command. To display the class configuration, use the show class-map privileged EXEC command.
In this example, DiffServ is configured on interface 0/1 to change the egress port queue used by packets received on the ingress port:
(BX900-CB1)#configure
(BX900-CB1)(Config)#diffserv
(BX900-CB1)(Config)#class-map match-all class2
(BX900-CB1)(Config-classmap)#match cos 2
(BX900-CB1)(Config-classmap)#exit
(BX900-CB1)(Config)#policy-map policy2 in
(BX900-CB1)(Config-policy-map)#class class2
(BX900-CB1)(Config-policy-classmap)#assign-queue 7
(BX900-CB1)(Config-policy-classmap)#exit
(BX900-CB1)(Config-policy-map)#exit
(BX900-CB1)(Config)#interface 0/1
(BX900-CB1)(Interface BX900-CB1/0/1)#service-policy in policy2
(BX900-CB1)(Interface BX900-CB1/0/1)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show class-map
Class
Class Name Type Reference Class Name
------------------------------- ----- -------------------------------
class1 All
class2 All
(BX900-CB1)#show policy-map
Policy Name Policy Type Class Members
------------------------------- ----------- -------------------------------
policy1 In class1
policy2 In class2
(BX900-CB1)#show policy-map policy2
Policy Name.................................... policy2
Policy Type.................................... In
Class Name..................................... class2
Assign Queue................................... 7
(BX900-CB1)#
8 Configuring Spanning Tree
This chapter describes how to configure Spanning Tree protocol.
8.1 Configuring Spanning Tree Mode
This section describes how to configure the spanning tree mode. MSTP, RSTP and STP are supported in current firmware.
Beginning in privileged EXEC mode, follow these steps to specify the spanning tree mode and enable the spanning tree for the system.
Command Purpose
Step 1 configure Enter global configuration mode.
Step 2 spanning-tree mode {stp | rstp | mstp} Specify the spanning tree protocol.
Step 3 spanning-tree Enable the spanning tree admin mode.
Step 4 spanning-tree port mode all Enable the spanning tree for all interfaces.
Step 5 exit Return to privileged EXEC mode.
Step 6 show spanning-tree summary Verify the configuration.
To specify the spanning tree mode, use the spanning-tree mode global configuration command. To enable spanning tree, use the spanning-tree global configuration command. To enable interface mode, use the spanning-tree port mode all global configuration command or the spanning-tree port mode interface configuration command. To display settings and parameters for the spanning tree, use the show spanning-tree summary privileged EXEC command.
In this example, RSTP is configured for the system and spanning tree is enabled for all interfaces.
(BX900-CB1)#configure
(BX900-CB1)(Config)#spanning-tree mode rstp
(BX900-CB1)(Config)#spanning-tree
(BX900-CB1)(Config)#spanning-tree port mode all
(BX900-CB1)(Config)#exit
(BX900-CB1)#show spanning-tree summary
Spanning Tree Adminmode........... Enabled
Spanning Tree Forward BPDU........ Enabled
Spanning Tree Version............. IEEE 802.1w
Configuration Name................ 00-1E-68-85-F7-5F
Configuration Revision Level...... 0
Configuration Digest Key.......... 0xac36177f50283cd4b83821d8ab26de62
Configuration Format Selector..... 0
No MST instances to display.
(BX900-CB1)#show spanning-tree mst port summary 0 all
STP STP Port
Interface Mode Type State Role
----------------- -------- ------- ----------------- ----------
BX900-CB1/0/1 Enabled Disabled Disabled
BX900-CB1/0/2 Enabled Disabled Disabled
BX900-CB1/0/3 Enabled Disabled Disabled
BX900-CB1/0/4 Enabled Disabled Disabled
BX900-CB1/0/5 Enabled Disabled Disabled
BX900-CB1/0/6 Enabled Disabled Disabled
BX900-CB1/0/7 Enabled Disabled Disabled
BX900-CB1/0/8 Enabled Disabled Disabled
BX900-CB1/0/9 Enabled Disabled Disabled
BX900-CB1/0/10 Enabled Disabled Disabled
BX900-CB1/0/11 Enabled Disabled Disabled
BX900-CB1/0/12 Enabled Disabled Disabled
BX900-CB1/0/13 Enabled Disabled Disabled
BX900-CB1/0/14 Enabled Disabled Disabled
BX900-CB1/0/15 Enabled Disabled Disabled
BX900-CB1/0/16 Enabled Disabled Disabled
BX900-CB1/0/17 Enabled Disabled Disabled
BX900-CB1/0/18 Enabled Disabled Disabled
BX900-CB1/0/19 Enabled Disabled Disabled
--More-- or (q)uit
BX900-CB1/0/20 Enabled Disabled Disabled
BX900-CB1/0/21 Enabled Disabled Disabled
BX900-CB1/0/22 Enabled Disabled Disabled
BX900-CB1/0/23 Enabled Disabled Disabled
BX900-CB1/0/24 Enabled Disabled Disabled
BX900-CB1/0/25 Enabled Disabled Disabled
BX900-CB1/0/26 Enabled Disabled Disabled
BX900-CB1/0/27 Enabled Disabled Disabled
BX900-CB1/0/28 Enabled Disabled Disabled
BX900-CB1/0/29 Enabled Disabled Disabled
BX900-CB1/0/30 Enabled Disabled Disabled
BX900-CB1/0/31 Enabled Disabled Disabled
BX900-CB1/0/32 Enabled Disabled Disabled
BX900-CB1/0/33 Enabled Disabled Disabled
BX900-CB1/0/34 Enabled Disabled Disabled
BX900-CB1/0/35 Enabled Disabled Disabled
BX900-CB1/0/36 Enabled Disabled Disabled
BX900-CB1/0/37 Enabled Disabled Disabled
BX900-CB1/0/38 Enabled Disabled Disabled
BX900-CB1/0/39 Enabled Disabled Disabled
BX900-CB1/0/40 Enabled Disabled Disabled
BX900-CB1/0/41 Enabled Disabled Disabled
BX900-CB1/0/42 Enabled Disabled Disabled
--More-- or (q)uit
BX900-CB1/0/43 Enabled Disabled Disabled
BX900-CB1/0/44 Enabled Disabled Disabled
BX900-CB1/0/45 Enabled Disabled Disabled
BX900-CB1/0/46 Enabled Disabled Disabled
BX900-CB1/0/47 Enabled Forwarding Root
BX900-CB1/0/48 Enabled Disabled Disabled
(BX900-CB1)#
8.2 Configuring MSTP
This section describes how to configure MSTP. MSTP can handle frames per VLAN.
Beginning in privileged EXEC mode, follow these steps to specify the MSTP configuration and enable MSTP.
Command Purpose
Step 1 configure Enter global configuration mode.
Step 2 spanning-tree mst instance instance-id Add an MSTP instance to the switch.
Step 3 spanning-tree configuration name Set the MSTP region name.
Step 4 spanning-tree configuration revision Set the MSTP configuration revision number.
Step 5 spanning-tree mst vlan instance-id vlan-id Add an association between an MSTP instance and a VLAN.
Step 6 spanning-tree mode mstp Set the Force Protocol Version parameter to MSTP.
Step 7 spanning-tree Set the spanning-tree operational mode to be enabled.
Step 8 exit Return to global configuration mode.
To add a multiple spanning tree instance to the switch, use the spanning-tree mst instance global configuration command. To add an association between a multiple spanning tree instance and a VLAN, use the spanning-tree mst vlan global configuration command. To set the MSTP region name and revision number, use the spanning-tree configuration name and spanning-tree configuration revision global configuration commands.
To display settings and parameters for the specified multiple spanning tree instance, use the show spanning-tree mst detailed privileged EXEC command.
To display the configuration for MSTP, use the show spanning-tree summary privileged EXEC command.
In this example, multiple spanning tree instance 2 is added to the switch and associated with VLAN 100.
(BX900-CB1)#configure
(BX900-CB1)(Config)#spanning-tree mst instance 2
(BX900-CB1)(Config)#spanning-tree configuration name FSC
(BX900-CB1)(Config)#spanning-tree configuration revision 2
(BX900-CB1)(Config)#spanning-tree mst vlan 2 100
(BX900-CB1)(Config)#spanning-tree mode mstp
(BX900-CB1)(Config)#spanning-tree
(BX900-CB1)(Config)#exit
(BX900-CB1)#show spanning-tree mst detailed 2
MST Instance ID................................ 2
MST Bridge Priority............................ 32768
MST Bridge Identifier.......................... F0:02:00:1E:68:C6:06:0C
Time Since Topology Change..................... 0 day 0 hr 43 min 49 sec
Topology Change Count.......................... 1
Topology Change in progress.................... FALSE
Designated Root................................ F0:02:00:1E:68:C6:06:0C
Root Path Cost................................. 0
Root Port Identifier........................... 00:00
Associated FIDs Associated VLANs
--------------- ----------------
100 100
(BX900-CB1)#show spanning-tree summary
Spanning Tree Adminmode........... Enabled
Spanning Tree Forward BPDU........ Enabled
Spanning Tree Version............. IEEE 802.1s
Configuration Name................ FSC
Configuration Revision Level...... 2
Configuration Digest Key.......... 0xe1dd2d16f2958ee5b41cde578b6d2336
Configuration Format Selector..... 0
MST Instances..................... 2
! Be careful when using the revision command to set the MST configuration revision level because a mistake can put the switch in a different region.
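How a wrong revision level separates two switches into different regions, as an added Python example (not part of the original guide or the switch firmware). It builds the MST configuration identifier defined by IEEE 802.1Q (configuration name, revision level, and an HMAC-MD5 digest of the VLAN-to-instance table); the three switch configurations are constructed samples, and whether this firmware fills the table in exactly this way is an assumption.

```python
# Added example: comparing MST configuration identifiers (IEEE 802.1Q).
# Two bridges are in the same MST region only if format selector, name,
# revision level and configuration digest are all identical.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List

# Fixed signature key that IEEE 802.1Q defines for the configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_config_digest(vlan_to_msti: Dict[int, int]) -> str:
    """HMAC-MD5 over 4096 two-byte entries, one per VLAN ID.

    Each entry holds the MST instance ID the VLAN maps to (0 = CIST).
    VLANs that are not listed stay mapped to instance 0.
    """
    table = bytearray(4096 * 2)  # entries for VID 0 and VID 4095 stay zero
    for vid, msti in vlan_to_msti.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID out of range: {vid}")
        if not 0 <= msti <= 4094:
            raise ValueError(f"MST instance ID out of range: {msti}")
        table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest()


@dataclass(frozen=True)
class MstConfigId:
    name: str
    revision: int
    digest: str
    format_selector: int = 0


def build_config_id(name: str, revision: int,
                    vlan_to_msti: Dict[int, int]) -> MstConfigId:
    """Build the identifier a bridge would advertise for this configuration."""
    if len(name.encode("ascii")) > 32:
        raise ValueError("configuration name is limited to 32 octets")
    if not 0 <= revision <= 65535:
        raise ValueError("revision level must fit in 16 bits")
    return MstConfigId(name, revision, mst_config_digest(vlan_to_msti))


def region_mismatches(a: MstConfigId, b: MstConfigId) -> List[str]:
    """Return the identifier fields that differ (empty list = same region)."""
    fields = ("format_selector", "name", "revision", "digest")
    return [f for f in fields if getattr(a, f) != getattr(b, f)]


def same_region(a: MstConfigId, b: MstConfigId) -> bool:
    return not region_mismatches(a, b)


# Constructed samples. SWITCH_A mirrors the example above (name FSC,
# revision 2, VLAN 100 -> instance 2); B and C each contain one mistake.
SWITCH_A = build_config_id("FSC", 2, {100: 2})
SWITCH_B = build_config_id("FSC", 3, {100: 2})          # wrong revision level
SWITCH_C = build_config_id("FSC", 2, {100: 2, 200: 2})  # extra VLAN mapping

if __name__ == "__main__":
    # With no VLAN mapped to an instance, the digest is the well-known
    # all-VLANs-in-CIST value (compare the RSTP summary output in 8.1).
    print("default digest:", mst_config_digest({}))
    for label, other in (("B", SWITCH_B), ("C", SWITCH_C)):
        diff = region_mismatches(SWITCH_A, other)
        print(f"A vs {label}: same region = {not diff}, differs in {diff}")
```

Comparing the name, revision level and digest from show spanning-tree summary on each switch is the corresponding manual check.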
9 Configuring IGMP snooping & Querier
This section describes how to configure the IGMP snooping.
9.1 Configuring IGMP snooping by interface
This section describes how to configure IGMP snooping on a specific interface.
Beginning in privileged EXEC mode, follow these steps to configure IGMP snooping on a specific interface:
Step     Command                                            Purpose
Step 1   configure                                          Enter global configuration mode.
Step 2   ip igmp snooping                                   Enable IGMP snooping admin mode.
Step 3   interface interface-id                             Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface).
Step 4   ip igmp snooping interfacemode                     Enable IGMP snooping on a specific interface.
Step 5   ip igmp snooping groupmembershipinterval <2-3600>  Set the multicast member timeout interval. If a specific interface never updates group info during groupmembershipinterval, it will be removed from the multicast group members (dynamic member).
Step 6   ip igmp snooping max-response-time <1-3599>        Set the multicast member remove interval. If a specific interface receives IGMP leave packets, it will not remove this multicast group during max-response-time. IGMP fast leave must be disabled.
Step 7   ip igmp snooping fast-leave                        Enable IGMP snooping fast leave mode.
Step 8   ip igmp snooping mcrtrexpiretime <0-3600>          Set the multicast router timeout interval. If a specific interface never receives an IGMP query packet during the Multicast Router Present Expiration time, it will be removed from the multicast router ports (dynamic router).
Step 9   exit                                               Return to global configuration mode.
Step 10  exit                                               Return to privileged EXEC mode.
Step 11  show ip igmp snooping interface-id                 Verify the configuration.
To enable/disable IGMP snooping on a switch, use the ip igmp snooping/no ip igmp snooping global configuration command. To enable IGMP snooping on a specific interface, use the ip igmp snooping interfacemode interface configuration command. To display the IGMP snooping configuration for a specific interface, use the show ip igmp snooping interface interface-id privileged EXEC command.
In this example, IGMP snooping is configured on interface 0/40:
(BX900-CB1)#configure
(BX900-CB1)(Config)#ip igmp snooping
(BX900-CB1)(Config)#interface 0/40
(BX900-CB1)(Interface BX900-CB1/0/40)#ip igmp snooping interfacemode
(BX900-CB1)(Interface BX900-CB1/0/40)#ip igmp snooping groupmembershipinterval 200
(BX900-CB1)(Interface BX900-CB1/0/40)#ip igmp snooping max-response-time 10
(BX900-CB1)(Interface BX900-CB1/0/40)#ip igmp snooping fast-leave
(BX900-CB1)(Interface BX900-CB1/0/40)#ip igmp snooping mcrtrexpiretime 0
(BX900-CB1)(Interface BX900-CB1/0/40)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show ip igmp snooping 0/40
IGMP Snooping Admin Mode....................... Enable
Fast Leave Mode................................ Enable
Group Membership Interval...................... 200
Max Response Time.............................. 10
Multicast Router Present Expiration Time....... 0
(BX900-CB1)#
Beginning in privileged EXEC mode, follow these steps to configure IGMP snooping on all interfaces:
Step     Command                                            Purpose
Step 1   configure                                          Enter global configuration mode.
Step 2   ip igmp snooping                                   Enable IGMP snooping admin mode.
Step 3   ip igmp snooping interfacemode all                 Enable IGMP snooping on all interfaces.
Step 4   ip igmp snooping groupmembershipinterval <2-3600>  Set the multicast member timeout interval. If a specific interface never updates group info during groupmembershipinterval, it will be removed from the multicast group members (dynamic member).
Step 5   ip igmp snooping max-response-time <1-3599>        Set the multicast member remove interval. If a specific interface receives IGMP leave packets, it will not remove this multicast group during max-response-time. IGMP fast leave must be disabled.
Step 6   no ip igmp snooping fast-leave                     Disable IGMP snooping fast leave mode.
Step 7   ip igmp snooping mcrtrexpiretime <0-3600>          Set the multicast router timeout interval. If a specific interface never receives an IGMP query packet during the Multicast Router Present Expiration time, it will be removed from the multicast router ports (dynamic router).
Step 8   exit                                               Return to privileged EXEC mode.
Step 9   show ip igmp snooping                              Verify the configuration.
In this example, IGMP Snooping is configured on all interfaces:
(BX900-CB1)#configure
(BX900-CB1)(Config)#ip igmp snooping
(BX900-CB1)(Config)#ip igmp snooping interfacemode all
(BX900-CB1)(Config)#ip igmp snooping groupmembershipinterval 260
(BX900-CB1)(Config)#ip igmp snooping max-response-time 10
(BX900-CB1)(Config)#no ip igmp snooping fast-leave
(BX900-CB1)(Config)#ip igmp snooping mcrtrexpiretime 0
(BX900-CB1)(Config)#exit
(BX900-CB1)#show ip igmp snooping
Admin Mode..................................... Enable
Multicast Control Frame Count.................. 0
Interfaces Enabled for IGMP Snooping........... BX900-CB1/0/1
BX900-CB1/0/2
BX900-CB1/0/3
BX900-CB1/0/4
BX900-CB1/0/5
BX900-CB1/0/6
BX900-CB1/0/7
BX900-CB1/0/8
BX900-CB1/0/9
BX900-CB1/0/10
BX900-CB1/0/11
BX900-CB1/0/12
BX900-CB1/0/13
BX900-CB1/0/14
BX900-CB1/0/15
BX900-CB1/0/16
BX900-CB1/0/17
BX900-CB1/0/18
BX900-CB1/0/19
BX900-CB1/0/20
--More-- or (q)uit
BX900-CB1/0/21
BX900-CB1/0/22
BX900-CB1/0/23
BX900-CB1/0/24
BX900-CB1/0/25
BX900-CB1/0/26
BX900-CB1/0/27
BX900-CB1/0/28
BX900-CB1/0/29
BX900-CB1/0/30
BX900-CB1/0/31
BX900-CB1/0/32
BX900-CB1/0/33
BX900-CB1/0/34
BX900-CB1/0/35
BX900-CB1/0/36
BX900-CB1/0/37
BX900-CB1/0/38
BX900-CB1/0/39
BX900-CB1/0/40
BX900-CB1/0/41
BX900-CB1/0/42
BX900-CB1/0/43
--More-- or (q)uit
BX900-CB1/0/44
BX900-CB1/0/45
BX900-CB1/0/46
BX900-CB1/0/47
BX900-CB1/0/48
Vlans enabled for IGMP snooping................ None
(BX900-CB1)#
9.2 Configuring IGMP snooping by VLAN
This section describes how to configure IGMP snooping on a specific VLAN.
Beginning in privileged EXEC mode, follow these steps to configure IGMP snooping on a specific VLAN:
Step     Command                                             Purpose
Step 1   configure                                           Enter global configuration mode.
Step 2   ip igmp snooping                                    Enable IGMP snooping admin mode.
Step 3   vlan database                                       Enter VLAN configuration mode.
Step 4   set igmp vlan-id                                    Enable IGMP snooping on a specific VLAN.
Step 5   set igmp groupmembership-interval vlan-id <2-3600>  Set the multicast member timeout interval. If a specific interface never updates group info during groupmembership-interval, it will be removed from the multicast group members (dynamic member).
Step 6   set igmp maxresponse vlan-id <1-3599>               Set the multicast member remove interval. If a specific interface receives IGMP leave packets, it will not remove this multicast group during maxresponse. IGMP fast leave must be disabled.
Step 7   set igmp fast-leave vlan-id                         Enable IGMP snooping fast leave mode.
Step 8   set igmp mcrtrexpiretime vlan-id <0-3600>           Set the multicast router timeout interval. If a specific interface never receives an IGMP query packet during the Multicast Router Present Expiration time, it will be removed from the multicast router ports (dynamic router).
Step 9   exit                                                Return to global configuration mode.
Step 10  exit                                                Return to privileged EXEC mode.
Step 11  show ip igmp snooping vlan-id                       Verify the configuration.
To enable/disable IGMP snooping on a switch, use the ip igmp snooping/no ip igmp snooping global configuration command. To enable IGMP snooping on a specific VLAN, use the set igmp vlan-id VLAN configuration command. To display the IGMP snooping configuration for a specific VLAN, use the show ip igmp snooping vlan-id privileged EXEC command.
In this example, IGMP Snooping is configured on VLAN 1:
(BX900-CB1)#configure
(BX900-CB1)(Config)#ip igmp snooping
(BX900-CB1)(Config)#vlan database
(BX900-CB1)(Vlan)#set igmp 1
(BX900-CB1)(Vlan)#set igmp groupmembership-interval 1 260
(BX900-CB1)(Vlan)#set igmp maxresponse 1 10
(BX900-CB1)(Vlan)#set igmp fast-leave 1
(BX900-CB1)(Vlan)#set igmp mcrtrexpiretime 1 0
(BX900-CB1)(Vlan)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show ip igmp snooping 1
Vlan ID........................................ 1
IGMP Snooping Admin Mode....................... Enabled
Fast Leave Mode................................ Enabled
Group Membership Interval...................... 260
Maximum Response Time.......................... 10
Multicast Router Expiry Time................... 0
(BX900-CB1)#
9.3 Configuring IGMP snooping static router port
This section describes how to configure an IGMP snooping static router port.
Beginning in privileged EXEC mode, follow these steps to configure an IGMP snooping static router port on a specific interface:
Step     Command                                               Purpose
Step 1   configure                                             Enter global configuration mode.
Step 2   ip igmp snooping                                      Enable IGMP snooping admin mode.
Step 3   interface interface-id                                Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface).
Step 4   ip igmp snooping mrouter interface                    Set an IGMP snooping static router port on a specific interface.
Step 5   exit                                                  Return to global configuration mode.
Step 6   exit                                                  Return to privileged EXEC mode.
Step 7   show ip igmp snooping mrouter interface interface-id  Verify the configuration.
To enable/disable IGMP snooping on a switch, use the ip igmp snooping/no ip igmp snooping global configuration command. To set an IGMP snooping static router port on a specific interface, use the ip igmp snooping mrouter interface interface configuration command. To display the IGMP snooping static router port for a specific interface, use the show ip igmp snooping mrouter interface privileged EXEC command.
In this example, interface 0/40 is configured to be a static router port:
(BX900-CB1)#configure
(BX900-CB1)(Config)#ip igmp snooping
(BX900-CB1)(Config)#interface 0/40
(BX900-CB1)(Interface BX900-CB1/0/40)#ip igmp snooping mrouter interface
(BX900-CB1)(Interface BX900-CB1/0/40)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show ip igmp snooping mrouter interface 0/40
Slot/Port...................................... BX900-CB1/0/40
Multicast Router Attached...................... Enable
(BX900-CB1)#
Beginning in privileged EXEC mode, follow these steps to configure an IGMP snooping static router port on a specific VLAN:
Step     Command                                Purpose
Step 1   configure                              Enter global configuration mode.
Step 2   ip igmp snooping                       Enable IGMP snooping admin mode.
Step 3   interface interface-id                 Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface).
Step 4   ip igmp snooping mrouter vlan-id       Set an IGMP snooping static router port on a specific VLAN.
Step 5   exit                                   Return to global configuration mode.
Step 6   exit                                   Return to privileged EXEC mode.
Step 7   show ip igmp snooping mrouter vlan-id  Verify the configuration.
To enable/disable IGMP snooping on a switch, use the ip igmp snooping/no ip igmp snooping global configuration command. To set an IGMP snooping static router port on a specific VLAN for a specific interface, use the ip igmp snooping mrouter interface configuration command. To display the IGMP snooping static router port for a specific interface, use the show ip igmp snooping mrouter vlan privileged EXEC command.
In this example, VLAN 1, interface 0/40 is configured as a static router port:
(BX900-CB1)#configure
(BX900-CB1)(Config)#ip igmp snooping
(BX900-CB1)(Config)#interface 0/40
(BX900-CB1)(Interface BX900-CB1/0/40)#ip igmp snooping mrouter 1
(BX900-CB1)(Interface BX900-CB1/0/40)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show ip igmp snooping mrouter vlan 0/40
Slot/Port...................................... BX900-CB1/0/40
VLAN ID
--------
1
(BX900-CB1)#
9.4 Configuring IGMP snooping static group member
This section describes how to configure an IGMP snooping static group member.
Beginning in privileged EXEC mode, follow these steps to configure an IGMP snooping static group member on a specific interface:
Step     Command                                                               Purpose
Step 1   configure                                                             Enter global configuration mode.
Step 2   ip igmp snooping                                                      Enable IGMP snooping admin mode.
Step 3   ip igmp snooping interfacemode all                                    Enable IGMP snooping interface mode.
Step 4   ip igmp snooping static mac-addr vlan vlan-id interface interface-id  Set an IGMP snooping static group member on a specific interface.
Step 5   exit                                                                  Return to privileged EXEC mode.
Step 6   show ip igmp snooping static                                          Verify the configuration.
To enable/disable IGMP snooping on a switch, use the ip igmp snooping/no ip igmp snooping global configuration command. To set an IGMP snooping static group member on a specific interface, use the ip igmp snooping static mac-addr vlan vlan-id interface interface-id interface configuration command. To display the IGMP snooping static router port for a specific interface, use the show ip igmp snooping static privileged EXEC command.
In this example, interface 0/40 is configured as a static group member:
(BX900-CB1)#configure
(BX900-CB1)(Config)#ip igmp snooping
(BX900-CB1)(Config)#ip igmp snooping interfacemode all
(BX900-CB1)(Config)#ip igmp snooping static 01:00:5e:11:11:11 vlan 1 interface 0/40
(BX900-CB1)(Config)#exit
(BX900-CB1)#show ip igmp snooping static
VLAN MAC Address       Port              State
==== ================= ================= ======
1    01:00:5e:11:11:11 BX900-CB1/0/40    Act.
(BX900-CB1)#
9.5 Configuring IGMP Snooping Querier by VLAN
This section describes how to configure the IGMP snooping querier.
Beginning in privileged EXEC mode, follow these steps to configure the IGMP snooping querier on a specific VLAN:
Step     Command                                                     Purpose
Step 1   configure                                                   Enter global configuration mode.
Step 2   ip igmp snooping querier                                    Enable IGMP snooping querier admin mode.
Step 3   ip igmp snooping querier version <1-2>                      Set the IGMP snooping querier version.
Step 4   ip igmp snooping querier vlan vlan-id                       Enable the IGMP snooping querier on a specific VLAN.
Step 5   ip igmp snooping querier vlan vlan-id address ip-address    Set the IGMP snooping querier IP address on a specific VLAN.
Step 6   ip igmp snooping querier vlan vlan-id election-participate  Enable IGMP snooping querier election participate mode.
Step 7   exit                                                        Return to privileged EXEC mode.
Step 8   show ip igmp snooping querier                               Verify the IGMP snooping querier configuration.
Step 9   show ip igmp snooping querier vlan vlan-id                  Verify the IGMP snooping querier VLAN configuration.
To enable/disable the IGMP snooping querier on a switch, use the ip igmp snooping querier/no ip igmp snooping querier global configuration command. To set the IGMP snooping querier version, use the ip igmp snooping querier version global configuration command. To enable/disable the IGMP snooping querier on a specific VLAN, use the ip igmp snooping querier vlan/no ip igmp snooping querier vlan global configuration command. To display the IGMP snooping querier, use the show ip igmp snooping querier or show ip igmp snooping querier vlan privileged EXEC command.
In this example, VLAN 1 is configured to enable IGMP snooping querier:
(BX900-CB1)#configure
(BX900-CB1)(Config)#ip igmp snooping querier
(BX900-CB1)(Config)#ip igmp snooping querier version 2
(BX900-CB1)(Config)#ip igmp snooping querier vlan 1
(BX900-CB1)(Config)#ip igmp snooping querier vlan 1 address 192.168.2.1
(BX900-CB1)(Config)#ip igmp snooping querier vlan 1 election-participate
(BX900-CB1)(Config)#exit
(BX900-CB1)#show ip igmp snooping querier
Global IGMP Snooping querier status
-----------------------------------
IGMP Snooping Querier Mode..................... Enable
Querier Address................................ 0.0.0.0
IGMP Version................................... 2
Querier Query Interval......................... 60
Querier Expiry Interval........................ 60
(BX900-CB1)#show ip igmp snooping querier vlan 1
Vlan 1 : IGMP Snooping querier status
----------------------------------------------
IGMP Snooping Querier Vlan Mode................ Enable
Querier Election Participate Mode.............. Enable
Querier Vlan Address........................... 192.168.2.1
Operational State.............................. Querier
Operational version............................ 2
Operational Max Resp Time...................... 10
(BX900-CB1)#
10 Configuring MLD Snooping & Querier
This chapter describes how to configure MLD snooping.
10.1 Configuring MLD Snooping by interface
This section describes how to configure MLD snooping on a specific port.
Beginning in privileged EXEC mode, follow these steps to configure MLD snooping on a specific interface:
Step     Command                                              Purpose
Step 1   configure                                            Enter global configuration mode.
Step 2   ipv6 mld snooping                                    Enable MLD snooping admin mode.
Step 3   interface interface-id                               Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface).
Step 4   ipv6 mld snooping interfacemode                      Enable MLD snooping on a specific interface.
Step 5   ipv6 mld snooping groupmembership-interval <2-3600>  Set the multicast member timeout interval. If a specific interface never updates group info during groupmembership-interval, it will be removed from the multicast group members (dynamic member).
Step 6   ipv6 mld snooping max-response-time <1-3599>         Set the multicast member remove interval. If a specific interface receives MLD leave packets, it will not remove this multicast group during max-response-time. MLD fast leave must be disabled.
Step 7   ipv6 mld snooping fast-leave                         Enable MLD snooping fast leave mode.
Step 8   ipv6 mld snooping mcrtrexpiretime <0-3600>           Set the multicast router timeout interval. If a specific interface never receives an MLD query packet during the Multicast Router Present Expiration time, it will be removed from the multicast router ports (dynamic router).
Step 9   exit                                                 Return to global configuration mode.
Step 10  exit                                                 Return to privileged EXEC mode.
Step 11  show ipv6 mld snooping                               Verify the configuration.
To enable/disable MLD snooping on a switch, use the ipv6 mld snooping/no ipv6 mld snooping global configuration command. To enable/disable MLD snooping for a specific interface, use the ipv6 mld snooping interfacemode/no ipv6 mld snooping interfacemode interface configuration command. To display the MLD snooping configuration, use the show ipv6 mld snooping privileged EXEC command.
In this example, MLD snooping is configured on interface 0/40:
(BX900-CB1)#configure
(BX900-CB1)(Config)#ipv6 mld snooping
(BX900-CB1)(Config)#interface 0/40
(BX900-CB1)(Interface BX900-CB1/0/40)#ipv6 mld snooping interfacemode
(BX900-CB1)(Interface BX900-CB1/0/40)#ipv6 mld snooping groupmembership-interval 260
(BX900-CB1)(Interface BX900-CB1/0/40)#ipv6 mld snooping max-response-time 10
(BX900-CB1)(Interface BX900-CB1/0/40)#ipv6 mld snooping fast-leave
(BX900-CB1)(Interface BX900-CB1/0/40)#ipv6 mld snooping mcrtrexpiretime 0
(BX900-CB1)(Interface BX900-CB1/0/40)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show ipv6 mld snooping
Admin Mode..................................... Enable
Multicast Control Frame Count.................. 0
Interfaces Enabled for MLD Snooping............ BX900-CB1/0/40
Vlans enabled for MLD snooping................. None
(BX900-CB1)#
Beginning in privileged EXEC mode, follow these steps to configure MLD snooping on all interfaces:
Step     Command                                             Purpose
Step 1   configure                                           Enter global configuration mode.
Step 2   ipv6 mld snooping                                   Enable MLD snooping admin mode.
Step 3   ipv6 mld snooping interfacemode all                 Enable MLD snooping on all interfaces.
Step 4   ipv6 mld snooping groupmembershipinterval <2-3600>  Set the multicast member timeout interval. If a specific interface never updates group info during the group membership interval, it will be removed from the multicast group members (dynamic member).
Step 5   ipv6 mld snooping max-response-time <1-3599>        Set the multicast member remove interval. If a specific interface receives MLD leave packets, it will not remove this multicast group during max-response-time. MLD fast leave must be disabled.
Step 6   ipv6 mld snooping fast-leave                        Enable MLD snooping fast leave mode.
Step 7   ipv6 mld snooping mcrtrexpiretime <0-3600>          Set the multicast router timeout interval. If a specific interface never receives an MLD query packet during the Multicast Router Present Expiration time, it will be removed from the multicast router ports (dynamic router).
Step 8   exit                                                Return to privileged EXEC mode.
Step 9   show ipv6 mld snooping                              Verify the configuration.
To enable/disable MLD snooping on all interfaces, use the ipv6 mld snooping interfacemode all/no ipv6 mld snooping interfacemode all global configuration command.
In this example, MLD snooping is configured on all interfaces:
(BX900-CB1)#configure
(BX900-CB1)(Config)#ipv6 mld snooping
(BX900-CB1)(Config)#ipv6 mld snooping interfacemode all
(BX900-CB1)(Config)#ipv6 mld snooping groupmembershipinterval 260
(BX900-CB1)(Config)#ipv6 mld snooping max-response-time 10
(BX900-CB1)(Config)#ipv6 mld snooping fast-leave
(BX900-CB1)(Config)#ipv6 mld snooping mcrtrexpiretime 0
(BX900-CB1)(Config)#exit
(BX900-CB1)#
10.2 Configuring MLD Snooping by VLAN
This section describes how to configure MLD snooping on a specific VLAN.
Beginning in privileged EXEC mode, follow these steps to configure MLD snooping on a specific VLAN:
Step     Command                                            Purpose
Step 1   configure                                          Enter global configuration mode.
Step 2   ipv6 mld snooping                                  Enable MLD snooping admin mode.
Step 3   vlan database                                      Enter VLAN configuration mode.
Step 4   set mld vlan-id                                    Enable MLD snooping on a specific VLAN.
Step 5   set mld groupmembership-interval vlan-id <2-3600>  Set the multicast member timeout interval. If a specific interface never updates group info during groupmembership-interval, it will be removed from the multicast group members (dynamic member).
Step 6   set mld maxresponse vlan-id <1-3599>               Set the multicast member remove interval. If a specific interface receives MLD leave packets, it will not remove this multicast group during maxresponse. MLD fast leave must be disabled.
Step 7   set mld fast-leave vlan-id                         Enable MLD snooping fast leave mode.
Step 8   set mld mcrtrexpiretime vlan-id <0-3600>           Set the multicast router timeout interval. If a specific interface never receives an MLD query packet during the Multicast Router Present Expiration time, it will be removed from the multicast router ports (dynamic router).
Step 9   exit                                               Return to global configuration mode.
Step 10  exit                                               Return to privileged EXEC mode.
Step 11  show ipv6 mld snooping                             Verify the configuration.
To enable/disable MLD snooping on a specific VLAN, use the set mld vlan-id/no set mld vlan-id VLAN configuration command. To display the MLD snooping configuration, use the show ipv6 mld snooping privileged EXEC command.
In this example, MLD snooping is configured on VLAN 1:
(BX900-CB1)#configure
(BX900-CB1)(Config)#ipv6 mld snooping
(BX900-CB1)(Config)#vlan database
(BX900-CB1)(Vlan)#set mld 1
(BX900-CB1)(Vlan)#set mld groupmembership-interval 1 260
(BX900-CB1)(Vlan)#set mld maxresponse 1 10
(BX900-CB1)(Vlan)#set mld fast-leave 1
(BX900-CB1)(Vlan)#set mld mcrtrexpiretime 1 0
(BX900-CB1)(Vlan)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show ipv6 mld snooping
Admin Mode..................................... Enable
Multicast Control Frame Count.................. 0
Interfaces Enabled for MLD Snooping............ None
Vlans enabled for MLD snooping................. 1
(BX900-CB1)#
10.3 Configuring MLD Snooping static router port
This section describes how to configure an MLD snooping static router port.
Beginning in privileged EXEC mode, follow these steps to configure an MLD snooping static router port on a specific interface:
Step     Command                                                Purpose
Step 1   configure                                              Enter global configuration mode.
Step 2   ipv6 mld snooping                                      Enable MLD snooping admin mode.
Step 3   interface interface-id                                 Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface).
Step 4   ipv6 mld snooping mrouter interface                    Set an MLD snooping static router port on a specific interface.
Step 5   exit                                                   Return to global configuration mode.
Step 6   exit                                                   Return to privileged EXEC mode.
Step 7   show ipv6 mld snooping mrouter interface interface-id  Verify the configuration.
To enable/disable the MLD snooping static router port on a specific interface, use the ipv6 mld snooping interface interface configuration command. To display the static router port, use the show ipv6 mld snooping mrouter interface privileged EXEC command.
In this example, interface 0/40 is configured as a static router port:
(BX900-CB1)#configure
(BX900-CB1)(Config)#ipv6 mld snooping
(BX900-CB1)(Config)#interface 0/40
(BX900-CB1)(Interface BX900-CB1/0/40)#ipv6 mld snooping mrouter interface
(BX900-CB1)(Interface BX900-CB1/0/40)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show ipv6 mld snooping mrouter interface 0/40
Slot/Port...................................... BX900-CB1/0/40
Multicast Router Attached...................... Enable
VLAN ID
--------
(BX900-CB1)#
Beginning in privileged EXEC mode, follow these steps to configure an MLD snooping static router port on a specific VLAN:
Step     Command                                           Purpose
Step 1   configure                                         Enter global configuration mode.
Step 2   ipv6 mld snooping                                 Enable MLD snooping admin mode.
Step 3   interface interface-id                            Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface).
Step 4   ipv6 mld snooping mrouter vlan-id                 Set an MLD snooping static router port on a specific VLAN.
Step 5   exit                                              Return to global configuration mode.
Step 6   exit                                              Return to privileged EXEC mode.
Step 7   show ipv6 mld snooping mrouter vlan interface-id  Verify the configuration.
To enable/disable the MLD snooping static router port on a specific VLAN for a specific interface, use the ipv6 mld snooping mrouter/no ipv6 mld snooping mrouter interface configuration command. To display the static router port, use the show ipv6 mld snooping mrouter vlan privileged EXEC command.
In this example, VLAN 1, interface 0/40 is configured as a static router port:
(BX900-CB1)#configure
(BX900-CB1)(Config)#ipv6 mld snooping
(BX900-CB1)(Config)#interface 0/40
(BX900-CB1)(Interface BX900-CB1/0/40)#ipv6 mld snooping mrouter 1
(BX900-CB1)(Interface BX900-CB1/0/40)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show ipv6 mld snooping mrouter vlan 0/40
Slot/Port...................................... BX900-CB1/0/40
VLAN ID
--------
1
(BX900-CB1)#
10.4 Configuring MLD Snooping static group member
This section describes how to configure an MLD snooping static group member.
Beginning in privileged EXEC mode, follow these steps to configure an MLD snooping static group member on a specific interface:
Step     Command                                                                Purpose
Step 1   configure                                                              Enter global configuration mode.
Step 2   ipv6 mld snooping                                                      Enable MLD snooping admin mode.
Step 3   ipv6 mld snooping interfacemode all                                    Enable MLD snooping interface mode for all interfaces.
Step 4   ipv6 mld snooping static mac-addr vlan vlan-id interface interface-id  Set an MLD snooping static group member on a specific interface.
Step 5   exit                                                                   Return to privileged EXEC mode.
Step 6   show ipv6 mld snooping static                                          Verify the configuration.
To add/remove an MLD snooping static group member for a specific interface and VLAN, use the ipv6 mld snooping static mac-addr vlan vlan-id interface interface-id/no ipv6 mld snooping static mac-addr vlan vlan-id interface interface-id global configuration command. To display the static group members, use the show ipv6 mld snooping static privileged EXEC command.
In this example, interface 0/40 is configured as a static group member:
(BX900-CB1)#configure
(BX900-CB1)(Config)#ipv6 mld snooping
(BX900-CB1)(Config)#ipv6 mld snooping interfacemode all
(BX900-CB1)(Config)#ipv6 mld snooping static 33:33:00:11:11:11 vlan 1 interface 0/40
(BX900-CB1)(Config)#exit
(BX900-CB1)#show ipv6 mld snooping static
VLAN MAC Address       Port              State
==== ================= ================= ======
1    33:33:00:11:11:11 BX900-CB1/0/40    Act.
(BX900-CB1)#
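The static group entries in sections 9.4 and 10.4 take a multicast MAC address, not a group IP address. The following added example (not part of the manual; the function names are hypothetical) derives that MAC from a group address using the standard IPv4 and IPv6 mappings, builds the static command in the form shown above, and lists the 32 IPv4 groups that share one MAC, all of which a single static entry forwards to the port.

```python
import ipaddress


def group_to_mac(group):
    """Map an IPv4 or IPv6 multicast group address to its Ethernet MAC."""
    addr = ipaddress.ip_address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    if addr.version == 4:
        # IPv4: fixed prefix 01:00:5e, then the low 23 bits of the group.
        low = int(addr) & 0x7FFFFF
        octets = [0x01, 0x00, 0x5E,
                  low >> 16, (low >> 8) & 0xFF, low & 0xFF]
    else:
        # IPv6: fixed prefix 33:33, then the low 32 bits of the group.
        low = int(addr) & 0xFFFFFFFF
        octets = [0x33, 0x33,
                  low >> 24, (low >> 16) & 0xFF, (low >> 8) & 0xFF, low & 0xFF]
    return ":".join(f"{octet:02x}" for octet in octets)


def ipv4_groups_sharing(mac):
    """Return the 32 IPv4 groups that all map to one 01:00:5e MAC."""
    octets = [int(part, 16) for part in mac.split(":")]
    if len(octets) != 6 or octets[:3] != [0x01, 0x00, 0x5E] or octets[3] & 0x80:
        raise ValueError(f"{mac} is not an IPv4 multicast MAC address")
    low = (octets[3] << 16) | (octets[4] << 8) | octets[5]
    groups = []
    # 224.0.0.0/4 leaves 28 group bits; the MAC keeps 23, so 5 bits are lost.
    for dropped_bits in range(32):
        value = (0b1110 << 28) | (dropped_bits << 23) | low
        groups.append(str(ipaddress.IPv4Address(value)))
    return groups


def static_command(group, vlan, interface):
    """Build the static group member command in the form used in this guide."""
    version = ipaddress.ip_address(group).version
    prefix = "ip igmp" if version == 4 else "ipv6 mld"
    mac = group_to_mac(group)
    return f"{prefix} snooping static {mac} vlan {vlan} interface {interface}"


if __name__ == "__main__":
    # Group addresses below are constructed so that they map to the MAC
    # addresses used in the examples of sections 9.4 and 10.4.
    print(static_command("239.17.17.17", 1, "0/40"))
    print(static_command("ff02::11:1111", 1, "0/40"))
    print(ipv4_groups_sharing("01:00:5e:11:11:11"))
```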
10.5 Configuring MLD Snooping Querier by VLAN
This section describes how to configure the MLD snooping querier.
Beginning in privileged EXEC mode, follow these steps to configure the MLD snooping querier on a specific VLAN:
Step     Command                                                      Purpose
Step 1   configure                                                    Enter global configuration mode.
Step 2   ipv6 mld snooping querier                                    Enable MLD snooping querier admin mode.
Step 3   ipv6 mld snooping querier vlan vlan-id                       Enable the MLD snooping querier on a specific VLAN.
Step 4   ipv6 mld snooping querier vlan vlan-id address ip-address    Set the MLD snooping querier IP address on a specific VLAN.
Step 5   ipv6 mld snooping querier vlan vlan-id election-participate  Enable MLD snooping querier election participate mode.
Step 6   exit                                                         Return to privileged EXEC mode.
Step 7   show ipv6 mld snooping querier                               Verify the configuration.
Step 8   show ipv6 mld snooping querier vlan vlan-id                  Verify the configuration.
To enable/disable the MLD snooping querier on a switch, use the ipv6 mld snooping querier/no ipv6 mld snooping querier global configuration command. To enable/disable the querier on a specific VLAN, use ipv6 mld snooping querier vlan in global configuration mode. To display the querier configuration, use the show ipv6 mld snooping querier or show ipv6 mld snooping querier vlan privileged EXEC command.
In this example, VLAN 1 is configured to enable MLD snooping querier:
(BX900-CB1)#configure
(BX900-CB1)(Config)#ipv6 mld snooping querier
(BX900-CB1)(Config)#ipv6 mld snooping querier vlan 1
(BX900-CB1)(Config)#ipv6 mld snooping querier vlan 1 address FE80::11:11
(BX900-CB1)(Config)#ipv6 mld snooping querier vlan 1 election-participate
(BX900-CB1)(Config)#exit
(BX900-CB1)#show ipv6 mld snooping querier
Global MLD Snooping querier status
----------------------------------
MLD Snooping Querier Mode...................... Enable
Querier Address................................ ::
MLD Version.................................... 1
Querier Query Interval......................... 60
Querier Expiry Interval........................ 60
(BX900-CB1)#show ipv6 mld snooping querier vlan 1
Vlan 1 : MLD Snooping querier status
----------------------------------------------
MLD Snooping Querier Vlan Mode................. Enable
Querier Election Participate Mode.............. Enable
Querier Vlan Address........................... FE80::11:11
Operational State.............................. Querier
Operational version............................ 1
Operational Max Resp Time...................... 10
(BX900-CB1)#
11 Configuring IEEE 802.1X Authentication
This chapter describes how to configure IEEE 802.1X authentication.
11.1 Using Local User Name/ Password
This section describes how to configure IEEE 802.1X authentication by using a local user name and password.
Beginning in privileged EXEC mode, follow these steps to configure IEEE 802.1X authentication:
Step     Command                          Purpose
Step 1   configure                        Enter global configuration mode.
Step 2   dot1x system-auth-control        Enable IEEE 802.1X authentication support on the switch.
Step 3   exit                             Return to global configuration mode.
Step 4   show dot1x summary interface-id  Show status for a specified port.
To enable/disable IEEE 802.1X authentication on a switch, use the dot1x system-auth-control/no dot1x system-auth-control global configuration command. The default authentication mode of port control is auto. You can specify the mode you want by using the dot1x port-control all mode global configuration command or the dot1x port-control mode interface configuration command. To display the configuration, use the show dot1x summary interface-id privileged EXEC command.
In this example, all interfaces are configured to force-authorized mode except interface 0/6, which is set to auto authentication mode. The authentication state of interface 0/6 is then checked.
(BX900-CB1)(Config)#dot1x port-control all force-authorized
(BX900-CB1)(Config)#interface 0/6
(BX900-CB1)(Interface BX900-CB1/0/6)#dot1x port-control auto
(BX900-CB1)(Interface BX900-CB1/0/6)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show dot1x summary 0/6
                             Operating          Reauthentication
Interface Control Mode       Control Mode       Enabled          Port Status
--------- ------------------ ------------------ ---------------- ------------
BX900-CB1/0/6 auto           auto               FALSE            Authorized
(BX900-CB1)#
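A port in force-authorized mode is always authorized and performs no 802.1X exchange, so after the configuration above only interface 0/6 actually authenticates. The following added example (not part of the manual) parses rows in the show dot1x summary layout shown above and reports ports that bypass authentication or never reauthenticate; the sample rows other than 0/6, the function names and the exempt list are assumptions made for illustration.

```python
import re

# Constructed sample: rows follow the column order of the output above
# (interface, control mode, operating control mode, reauthentication, status).
# Only the 0/6 row is taken from the guide; the others are made up.
SAMPLE = """\
                             Operating          Reauthentication
Interface Control Mode       Control Mode       Enabled          Port Status
--------- ------------------ ------------------ ---------------- ------------
BX900-CB1/0/5 force-authorized force-authorized FALSE            Authorized
BX900-CB1/0/6 auto           auto               FALSE            Authorized
BX900-CB1/0/7 auto           auto               TRUE             Unauthorized
BX900-CB1/0/41 force-authorized force-authorized FALSE           Authorized
"""

# Header and separator lines do not match because they carry no
# <name>/<slot>/<port> token in the first column.
ROW = re.compile(
    r"^(?P<interface>\S+/\d+/\d+)\s+(?P<control>\S+)\s+(?P<operating>\S+)"
    r"\s+(?P<reauth>TRUE|FALSE)\s+(?P<status>\S+)$"
)


def parse_summary(text):
    """Return one dict per port row found in the captured output."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            rows.append(match.groupdict())
    return rows


def audit(rows, exempt=frozenset()):
    """Return (interface, finding) pairs for ports that weaken 802.1X.

    exempt: interfaces deliberately left unauthenticated (assumed here to be
    documented exceptions such as uplinks); they are skipped.
    """
    findings = []
    for row in rows:
        if row["interface"] in exempt:
            continue
        if row["control"] == "force-authorized":
            # No supplicant exchange takes place on this port.
            findings.append((row["interface"], "force-authorized"))
        elif row["control"] == "auto" and row["reauth"] == "FALSE":
            # Authenticated once; the session is never re-verified.
            findings.append((row["interface"], "no-reauth"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(parse_summary(SAMPLE),
                                    exempt={"BX900-CB1/0/41"}):
        print(f"{interface}: {finding}")
```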
11.2 Using Remote RADIUS Server
This section describes how to configure IEEE 802.1X authentication by using a remote RADIUS server.
Beginning in privileged EXEC mode, follow these steps to configure IEEE 802.1X authentication:
Step     Command                                                  Purpose
Step 1   configure                                                Enter global configuration mode.
Step 2   radius-server host auth ip-addr/hostname                 Create a RADIUS server for IEEE 802.1X authentication.
Step 3   radius-server key auth ip-addr/hostname <0/7> key-value  Give a RADIUS shared key to a RADIUS server.
Step 4   authentication login list-name radius                    Create an authentication list for RADIUS.
Step 5   dot1x system-auth-control                                Enable IEEE 802.1X authentication support on the switch.
Step 6   dot1x default-login list-name                            Assign an authentication list to the IEEE 802.1X default login for non-configured users.
Step 7   exit                                                     Return to global configuration mode.
Step 8
To assign a remote RADIUS server for IEEE 802.1X, use radius-server host auth ip-addr/hostname. To create an authentication list for RADIUS, use authentication login list-name radius. To assign an authentication list for IEEE 802.1X non-configured users, use dot1x default-login list-name.
In this example, the RADIUS server 192.168.3.1 is assigned to authenticate IEEE 802.1X with the shared key secret.
(BX900-CB1)(Config)#radius-server host auth 192.168.3.1
(BX900-CB1)(Config)#radius-server key auth 192.168.3.1 0 secret
(BX900-CB1)(Config)#authentication login test-list radius
(BX900-CB1)(Config)#dot1x system-auth-control
(BX900-CB1)(Config)#dot1x default-login test-list
(BX900-CB1)(Config)#dot1x port-control all auto
(BX900-CB1)(Config)#exit
(BX900-CB1)#show authentication
Authentication Login List  Method 1   Method 2   Method 3
-------------------------  --------   --------   --------
defaultList                local      undefined  undefined
test-list                  radius     undefined  undefined
(BX900-CB1)#show radius
Current Server Host Address.................... 192.168.3.1
Number of Configured Servers................... 1
Number of Retransmits.......................... 4
Timeout Duration............................... 5
RADIUS Accounting Mode......................... Disable
RADIUS Dead Time............................... 255
RADIUS Attribute 4 Mode........................ Disable
RADIUS Attribute 4 Value....................... 0.0.0.0
(BX900-CB1)#
12 Configuring Port Mirroring
This chapter describes how to configure the port mirroring function.
Beginning in privileged EXEC mode, follow these steps to configure port mirroring:
        Command                                                                   Purpose
Step 1  configure                                                                 Enter global configuration mode.
Step 2  port-monitor session session-id mode                                      Enable admin mode.
Step 3  port-monitor session session-id source interface interface-id [rx | tx]   Setting port-monitor source port. The interface can be a physical Layer 2 interface or a port channel (logical interface).
Step 4  port-monitor session session-id destination interface interface-id        Setting port-monitor destination port.
Step 5  show port-monitor session session-id                                      Verify the configuration.
To enable/disable a port mirroring session, use the port-monitor session session-id mode / no port-monitor session session-id mode global configuration command. To configure a source port, use the port-monitor session session-id source interface global configuration command. To configure a destination port, use the port-monitor session session-id destination interface global configuration command. To display the port mirroring configuration, use the show port-monitor session session-id privileged EXEC command.
In this example, interface 0/46 is configured to monitor the transmitted and received packets of interface 0/40 and to monitor the received packets of interface 0/41:
(BX900-CB1)#configure
(BX900-CB1)(Config)#port-monitor session 1 mode
(BX900-CB1)(Config)#port-monitor session 1 source interface 0/40
(BX900-CB1)(Config)#port-monitor session 1 source interface 0/41 rx
(BX900-CB1)(Config)#port-monitor session 1 destination interface 0/46
(BX900-CB1)(Config)#exit
(BX900-CB1)#show port-monitor session 1
Session ID  Admin Mode  Dest.Port       Sour.Port       Type
----------  ----------  --------------  --------------  -----
1           Enable      BX900-CB1/0/46  BX900-CB1/0/40  Rx,Tx
                                        BX900-CB1/0/41  Rx
(BX900-CB1)#
13 Configuring IP Filtering
This chapter describes how to configure IP filtering, which controls packets by a combination of IP address and port number for network security.
13.1 Configuring IP filter which passes only packets to the specified service
This section describes how to configure an IP filter which passes access to the Web server and DNS server and rejects all other accesses.
Beginning in privileged EXEC mode, follow these steps to configure an IP extended ACL filter on a specific interface:
        Command                                             Purpose
Step 1  configure                                           Enter global configuration mode
Step 2  access-list acl-id permit tcp any any eq <80|www>   Create a new IP extended access-list with ACL ID and rule to permit packets to access Web server. The http port is 80.
Step 3  access-list acl-id permit tcp any any eq 53         Create another rule in the same ACL ID to permit packets to access DNS server. The DNS port is 53.
Step 4  interface interface-id                              Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface).
Step 5  ip access-group acl-id in                           Specify the ACL which will be applied to this interface.
Step 6  exit                                                Return to global configuration mode.
Step 7  show ip access-list                                 Verify the configuration.
To configure an IP filter on an interface that passes only packets destined for the Web server and DNS server, use the ip access-list global configuration command. To display the configuration of a specific interface, use the show access-lists interface interface-id in privileged EXEC command.
In this example, an IP extended access-list is configured on interface 0/1 to pass specific application packets:
(BX900-CB1)(Config)#access-list 100 permit tcp any any eq 80
Create ACL 100 : Rule ID 1
(BX900-CB1)(Config)#access-list 100 permit tcp any any eq 53
Create ACL 100 : Rule ID 2
(BX900-CB1)(Config)#interface 0/1
(BX900-CB1)(Interface BX900-CB1/0/1)#ip access-group 100 in
(BX900-CB1)(Interface BX900-CB1/0/1)#exit
(BX900-CB1)(Config)#exit
(BX900-CB1)#show access-lists interface 0/1 in
ACL Type ACL ID                          Sequence Number
-------- ------------------------------- ---------------
IP       100                             1
(BX900-CB1)#
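The following Python sketch is an added example, not part of the original guide. It evaluates constructed sample packets against the two ACL 100 rules above, assuming first-match evaluation and an implicit deny for unmatched traffic (consistent with the statement that all other accesses are rejected). It shows that DNS queries sent over UDP port 53 do not match the TCP-only rule.

```python
import re
from typing import NamedTuple, Optional

# The two rules from the example above, as entered on the switch.
ACL_100 = [
    "access-list 100 permit tcp any any eq 80",
    "access-list 100 permit tcp any any eq 53",
]

class Rule(NamedTuple):
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip"
    dport: Optional[int]  # None means any destination port

RULE_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+(tcp|udp|ip)\s+any\s+any"
    r"(?:\s+eq\s+(\d+|www))?$"
)

def parse_rule(line: str) -> Rule:
    """Parse only the 'any any [eq port]' rule form shown on this page."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    port = "80" if m.group(4) == "www" else m.group(4)
    return Rule(m.group(2), m.group(3), int(port) if port else None)

def evaluate(rules, proto: str, dport: int) -> str:
    """First matching rule wins; unmatched traffic is denied (assumption)."""
    for rule in rules:
        if rule.proto not in ("ip", proto):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "deny"

def check_packets() -> dict:
    rules = [parse_rule(line) for line in ACL_100]
    # Constructed sample packets: (description, protocol, destination port)
    samples = [("HTTP", "tcp", 80), ("DNS over TCP", "tcp", 53),
               ("DNS over UDP", "udp", 53), ("HTTPS", "tcp", 443)]
    return {name: evaluate(rules, proto, port) for name, proto, port in samples}

if __name__ == "__main__":
    for name, verdict in check_packets().items():
        print(f"{name:14s} {verdict}")
```

Running the same check against a planned rule set before applying it with ip access-group helps confirm that every service the port must reach is actually matched by a permit rule.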
14 Configuring SNMP Agent
This chapter describes how to configure the SNMP agent, which reports MIB information to an SNMP host.
Beginning in privileged EXEC mode, follow these steps to configure SNMP agent community:
        Command                                   Purpose
Step 1  configure                                 Enter global configuration mode
Step 2  snmp-server community community-name1     Create a snmp community. The default access mode is READ-ONLY.
Step 3  snmp-server community community-name2     Create another snmp community.
Step 4  snmp-server community rw community-name2  Set the access mode of the SNMP community to READ-WRITE access mode.
Step 5  exit                                      Return to global configuration mode.
Step 6  show snmp                                 Verify the configuration.
To configure an snmp community, use the snmp-server global configuration command. To display the snmp configuration, use the show snmp privileged EXEC command.
In this example, two snmp communities are created for read and read-write:
(BX900-CB1)(Config)#snmp-server community public
(BX900-CB1)(Config)#snmp-server community private
(BX900-CB1)(Config)#snmp-server community rw private
(BX900-CB1)(Config)#exit
(BX900-CB1)#show snmp
SNMP Community Name  Client IP Address  Client IP Mask     Access Mode  Status
-------------------  -----------------  -----------------  -----------  --------
public               0.0.0.0            0.0.0.0            Read Only    Enable
private              0.0.0.0            0.0.0.0            Read/Write   Enable
(BX900-CB1)#
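The following Python sketch is an added example, not part of the original guide. It parses the show snmp output above and reports enabled communities that use the well-known names public or private, or that have a client mask of 0.0.0.0. It assumes that a 0.0.0.0 mask means requests are accepted from any client address and that a disabled community is shown with status Disable.

```python
import re

# 'show snmp' output copied from the example above.
SHOW_SNMP = """\
SNMP Community Name Client IP Address Client IP Mask Access Mode Status
------------------- ----------------- ----------------- ----------- --------
public 0.0.0.0 0.0.0.0 Read Only Enable
private 0.0.0.0 0.0.0.0 Read/Write Enable
"""

ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mode>Read Only|Read/Write)\s+(?P<status>Enable|Disable)\s*$"
)

# Community names that appear in vendor examples and are widely known.
WELL_KNOWN = {"public", "private"}

def parse_communities(text):
    """Return one dict per community row; header and separator lines are skipped."""
    return [m.groupdict() for m in map(ROW_RE.match, text.splitlines()) if m]

def audit(text):
    """Return (community, finding) tuples for every enabled community."""
    findings = []
    for c in parse_communities(text):
        if c["status"] != "Enable":  # "Disable" as a status value is an assumption
            continue
        if c["name"].lower() in WELL_KNOWN:
            findings.append((c["name"], "well-known community name"))
        # Assumption: mask 0.0.0.0 accepts requests from any client address.
        if c["mask"] == "0.0.0.0":
            if c["mode"] == "Read/Write":
                findings.append((c["name"], "read/write open to any client"))
            else:
                findings.append((c["name"], "read-only open to any client"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SHOW_SNMP):
        print(f"{name}: {finding}")
```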
Beginning in privileged EXEC mode, follow these steps to configure SNMP trap receiver:
        Command                                                      Purpose
Step 1  configure                                                    Enter global configuration mode
Step 2  snmptrap trap-name ipaddress snmpversion <snmpv1|snmpv2>     Create a SNMP trap and specify the client IP address to receive SNMP traps.
Step 3  exit                                                         Return to global configuration mode.
Step 4  show snmptrap                                                Verify the configuration.
To configure an snmp trap, use the snmptrap global configuration command. To display the snmp trap configuration, use the show snmptrap privileged EXEC command.
In this example, create and activate the snmp trap for snmp trap receiver:
(BX900-CB1)(Config)#snmptrap public 192.168.2.2 snmpversion snmpv2
(BX900-CB1)(Config)#exit
(BX900-CB)#show snmptrap
SNMP Trap Name       IP Address         SNMP Version    Status
-------------------  -----------------  --------------  --------
public               192.168.2.2        snmpv2          Enable
(BX900-CB)#
15 Configuring System Log
This chapter describes how to configure the system log function, which sends system logs to a syslog server.
Beginning in privileged EXEC mode, follow these steps to send system logs to a syslog server:
        Command                                           Purpose
Step 1  configure                                         Enter global configuration mode.
Step 2  logging host hostaddress [port] [severitylevel]   Set the IP address and port number of the logging host/server to which syslog messages are sent.
Step 3  logging syslog                                    Enable syslog to the configured hosts.
Step 4  exit                                              Return to privileged EXEC mode.
Step 5  show logging                                      Verify the configuration of syslog
Step 6  show logging host                                 Verify the configuration of syslog host
To create a syslog host, use the logging host global configuration command. To enable or disable syslog, use the logging syslog global configuration command.
In this example, create a logging host to send critical messages and enable the syslog client.
(BX900-CB1)(Config)#logging host 172.16.2.109 514 critical
(BX900-CB1)(Config)#logging syslog
(BX900-CB1)(Config)#exit
(BX900-CB1)#show logging
Logging Client Local Port : 514
CLI Command Logging : disabled
Console Logging : disabled
Console Logging Severity Filter : alert
Buffered Logging : enabled
Syslog Logging : enabled
Log Messages Received : 94
Log Messages Dropped : 0
Log Messages Relayed : 14
(BX900-CB1)#show logging hosts
Index  IP Address         Severity     Port    Status
-----  -----------------  -----------  ------  -------------
1      172.16.2.109       critical     514     Active
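PRIMERGY Switch Blade (1Gbps 36/8+2) (PG-SW111)
Switch Blade (1Gbps 36/12) (PG-SW112)
Switch Configuration Guide
CA92276-8605-01
Issued: July 2009
Issued by: Fujitsu Limited
● The contents of this manual are subject to change without prior notice for the purpose of improvement.
● Fujitsu assumes no liability for any infringement of third-party patent rights or other rights arising from the use of the data described in this manual.
● Unauthorized reproduction is prohibited.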