ON-LINE SUPPORT OFFERING TECHNICAL AND SERVICE SUPPORT IN TIME

よくある質問

Support models and software version:
ECS4120 Series V1.2.2.18 and above.
ECS4100 Series V1.2.36.191 and above.
 
Overview
ERPS provides a solution that allows physical loops but creates loop-free logical topologies. Loop avoidance for a ring topology is achieved by guaranteeing that, at any time, traffic may flow on all but one of the ring links. This particular link is called the ring protection link (RPL), and under normal conditions this link is blocked, i.e. not used for user traffic. One end of the RPL link is designated as RPL owner which is responsible to block user traffic over the RPL. Once a link failure is detected, the RPL owner shall react to unblock the RPL and quickly recover from network outages.
 
As mentioned above, a physical link of a ring will be blocked to avoid loops. Redundant links cannot be utilized. Multiple instances feature is proposed to address this problem. The set of VLANs of Ethernet ring could be grouped into several subsets called ERP instances. Because users can define a different RPL per instance, all physical links can be utilized.
 
The difference between Old and New version of ERPS.
1. Number of instance per ring
    I. Old version: one instance per ring.
    II. New version: more than one instance per ring.
2. ERPS domain vs. ERPS ring and instance
    I. Old version: all you have to do is configuring an ERPS domain which is equivalent to an ERPS ring and
                           an ERPS instance.
    II. New version: ERPS domain configuration is further decomposed into ERPS ring and ERPS instance
                             configurations.
        - Users have to configure ERPS rings and ERPS instances separately and bind one or more ERPS
           instances to any one of ERPS ring.
3. Exclusion-VLAN and inclusion-VLAN
    I. Inclusion VLANs are protected by an ERPS domain.
    II. Exclusion VLANs are not protected by an ERPS domain.
        - Traffic of exclusion VLANs will not be blocked on the ring ports.
        - VLANs not configured in the inclusion list and exclusion list will be always blocked on the ring ports.
        - Traffic of VLANs (including control VLAN, inclusion VLANs, and exclusion VLANs) used in an ERPS
           domain will always be unblocked on all non-ERPS ring ports.
 
Topology
mceclip0.png
Configuration
SW1
SW2 & SW4
SW3
 
SW1 VLAN group configuration
mceclip1.png
SW1 ERPS ring configuration
mceclip2.png
SW1 ERPS instance configuration
mceclip3.png
SW2 VLAN group configuration
mceclip4.png
SW2 ERPS ring configuration
mceclip5.png
SW2 ERPS instance configuration
mceclip6.png
SW3 VLAN group configuration
mceclip7.png
SW3 ERPS ring configuration
mceclip8.png
SW3 ERPS instance configuration
mceclip9.png
SW4 VLAN group configuration
mceclip10.png
SW4 ERPS ring configuration
mceclip11.png
SW4 ERPS instance configuration
mceclip12.png
 
Exclusion VLAN
mceclip13.png
Add two hosts for traffic VLAN 300.
If we didn't configure VLAN300 for exclusion vlan, then the traffic will be blocked by ERPS.
mceclip14.png

To prevent VLAN300 on ports of the logical line from being blocked by ERPS, the user can configure physical rings to form the line topology.
SW1
SW2
SW4
mceclip15.png
mceclip16.png
 
mceclip17.png
mceclip18.png
 
mceclip19.png
mceclip20.png
 
VLAN300 traffic could forward without problem.
mceclip21.png

Path Cost is used by the Spanning Tree Algorithm to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.

By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below.
mceclip0.png

*The path cost of the STP is not configured by pathcost method short or long.

User can configure the spanning tree path cost for the specified interface by following command.

[CLI Command]
spanning-tree cost {cost}
cost - The path cost for the port.
(Range: 0 for auto-configuration, 1-65535 for short path cost method, 1-200,000,000 for long path cost method)

Calculate the spanning tree path cost on a port-channel.

1. Active Eth1/1 for port channel.

 

The spanning tree path cost on Trunk 1 is 5000.

 

The spanning tree path cost for Trunk 1 is 10000 (1G) / 2 = 5000 (Trunk).
The spanning tree path cost on Trunk 1 is 5000 (Trunk) / 1 = 5000.


2. Active Eth1/1 & Eth1/2 for port channel.

 

The spanning tree path cost on Trunk 1 is 2500.

 

The spanning tree path cost on Trunk 1 is 5000 (Trunk) / 2 = 2500.


3. Active Eth1/1 & Eth1/2 & Eth1/3 for port channel.

 

The spanning tree path cost on Trunk 1 is 1666.

 

The spanning tree path cost on Trunk 1 is 5000 (Trunk) / 3 = 1666.

 

4. Active Eth1/1 & Eth1/2 & Eth1/3 & Eth1/4 for port channel.

 

The spanning tree path cost on Trunk 1 is 1250.

 

The spanning tree path cost on Trunk 1 is 5000 (Trunk) / 4 = 1250.

Support models and software version:
ECS4120 series v1.2.2.24 and above.
 
Overview
IPv6 Prefix Guard can work within the IPv6 Source Guard feature which restricting IPv6 traffic on non-routed, Layer 2 interface by filtering traffic based on the DHCPv6 Snooping binding table and manually configured static IPv6 bindings. IPv6 Prefix Guard is used when IPv6 prefix are delegated to the device using DHCPv6 prefix delegation. IPv6 Prefix Guard will record the range of prefix address assigned to the link and block the traffic which its source address sourced with a prefix outside this range.
 
Configuration (Support CLI/WEB GUI/SNMP)
<A> CLI Command
  • Enable IPv6 source guard or IPv6 prefix guard on port interface configuration and set maximum binding number.
[CLI format]
    sip - Enable IPv6 source address filtering.
    sdp - Enable IPv6 source prefix filtering.
    max-binding - Limits max binding entries.
 
  • Add static IPv6 source guard or IPv6 prefix guard binding entry on global configuration mode.
[CLI format]
    Mac-Address - A valid unicast MAC address. (x-x-x-x-x-x or xxxxxxxxxxxx)
    VLAN_ID - ID of a configured VLAN. (Range: 1-4094)
    IPv6-Address - Corresponding full IPv6 address.
    IPv6-Prefix - Corresponding IPv6 prefix of the form IPv6-address/prefix-length.
    Unit - Unit identifier. (Range: 1)
    Port - Port number. (Range: 1-28 or 52)
 
<B> WEB GUI
  • Enable IPv6 source guard or IPv6 prefix guard on port interface configuration and set maximum binding number.
[WEB GUI]
Security > IPv6 Source Guard > Port Configuration > Filter Type & Max Binding Entry > Apply
mceclip0.png
mceclip1.png
 
  • Add static ipv6 source guard or ipv6 prefix guard binding entry on the switch.
[WEB GUI]
Security > IPv6 Source Guard > Static Binding > Action: Add > Apply
mceclip2.png
[WEB GUI]
Security > IPv6 Source Guard > Static Binding > Action: Show
mceclip3.png
 
<C> SNMP
  • Enable IPv6 source guard or IPv6 prefix guard on port interface configuration and set maximum binding number.
[SNMPSET command format]
snmpset -v 2c -c private {switch ip} {ip6SrcGuardMode | ip6SrcGuardMaxBinding}.{ip6SrcGuardPortIfIndex} {integer} {value}
 
For ip6SrcGuardMode, OID 1.3.6.1.4.1.259.10.1.45.1.74.1.1.2
 Set to disabled(1) means IPv6 Source Guard is disabled.
 Set to srcIp(2) means IPv6 Source Guard is enabled, and packets are filtered by checking source ip.
 Set to srcPrefix(3) means IPv6 Prefix Guard is enabled, and packets are filtered by checking source prefix.
 
For ip6SrcGuardMaxBinding, OID 1.3.6.1.4.1.259.10.1.45.1.74.1.1.3
 This object indicates the maximum number of bindings associated with the port.(Range from 1 to 5)
 
For ip6SrcGuardPortIfIndex,
 This object idents the port which is capable of IPv6 Source Guard feature.
 
IPv6 source guard is disable on port interface by default.
 
Enable IPv6 Prefix Guard on port24.
 
Display the current mode of IPv6 source guard.
 
Configure IPv6 source guard maximum binding entry number to 3 on port24.
[Result]
 
  • Add a static IPv6 source guard or IPv6 prefix guard binding entry on the switch.
[SNMPSET command format]
snmpset -v 2c -c private {switch ip} {ip6SrcGuardBindingVlanIndex | ip6SrcGuardBindingPortIfIndex | ip6SrcGuardBindingStatus}.{ip6SrcGuardBindingType}.{ip6SrcGuardBindingMacAddress}.{ip6SrcGuardBindingIpv6Address}.{ip6SrcGuardBindingPrefixLen}.{ip6SrcGuardBindingMode} {integer} {value}
 
For ip6SrcGuardBindingVlanIndex, OID 1.3.6.1.4.1.259.10.1.45.1.74.2.1.4
 This object indicates the VLAN id of the associated client.(Range from 1 to 4094)
 
For ip6SrcGuardBindingPortIfIndex, OID 1.3.6.1.4.1.259.10.1.45.1.74.2.1.5
 This object indicates the port of the associated client.
 
For ip6SrcGuardBindingStatus, OID 1.3.6.1.4.1.259.10.1.45.1.74.2.1.6
 active(1), which indicates that the conceptual row is available for use by the managed device.
 notInService(2), which indicates that the conceptual row exists in the agent, but is unavailable for use by the managed device.
 notReady(3), createAndGo(4), createAndWait(5), destroy(6)
 
For ip6SrcGuardBindingType
 This object indicates the binding type of the associated client.
 static(1),dhcp6snp(2),ndsnp(3)
 
For ip6SrcGuardBindingMacAddress,
 This object indicates the MAC address of the associated client.(Hexadecimal to Decimal)
 
For ip6SrcGuardBindingIpv6Address,
 This object indicates the IPv6 address of the associated client.(Hexadecimal to Decimal)
 
For ip6SrcGuardBindingPrefixLen,
 The object indicates the delegated prefix length of the associated client.
 
For ip6SrcGuardBindingMode,
 The object indicates the mode of this binding.
 address(1) means the mode of the binding entry is address mode.
 prefix(2) means the mode of the binding entry is prefix mode.
 
Read the IPv6 source-guard dynamic binding via CLI and SNMP.
mceclip4.png
 
Configure a static IPv6 prefix binding via SNMP.
MAC 90-E6-BA-63-96-CD=144.230.186.99.150.205
IPv6 prefix 2001:b000:2::/64=32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0
(1) Create a static IPv6 prefix binding entry.
 
(2) Set the entry on VLAN1.
 
(3) Bind the entry on port21.
 
(4) Active the entry.
 
Check the IPv6 source guard binding entry by CLI.
mceclip5.png

If the DHCPv6 server and the DHCPv6 client are connected in different VLANs/subnets, user could configure DHCPv6 relay functions for host devices attached to the switch to communicate with DHCPv6 server.

The DHCPv6 Relay Agent uses Relay Forward/Reply messages to relay the messages between Servers and Clients.


Topology:

Configuration for DHCPv6 relay:

DHCPv6 relay packet forwarding procedures:

Capture the packets on the port 2. (DHCPv6 Client)​

Capture the packets on the port 1. (DHCPv6 Server)

In this example, the client will get the IPv6 address in the range of 2002:db8:0:1::129 ~ 2002:db8:0:1::254 from the DHCP server.

Overview

The Two-Way Active Measurement Protocol (TWAMP) is an open protocol for measuring network performance between any two devices supporting the TWAMP protocol.

TWAMP uses the methodology and architecture of OWAMP to define an open protocol for measurement of two-way or round-trip metrics, in addition to the one-way metrics of OWAMP.

TWAMP consists of the following two protocols as L3 layer monitor. When starting the performance measurement session (TWAMP-Control), use the TWAMP control protocol. It is layered over TCP and is used to initiate and set up test sessions. The TWAMP test protocol is layered over UDP and is used for sending and receiving the test packets for performance measurement (TWAMP-Test).


Operational Concept

TWAMP consists of a network architecture in which a combination of Control-Client and Session-Sender is a set of hosts; meanwhile, Server and Session-Reflector are configured on the other host. Our switch supports the function of Server and Session-Reflector (RFC5357).


Establishment of Control Connection


Establishment of Test Session



Configuration (Support CLI command only currently)

TWAMP Reflector is disabled by default.

Enable TWAMP Reflector function.

Display current status and timer.


TWAMP Reflector REFWAIT timer:

Close the session that has been started when no packet associated with that session has been received for REFWAIT seconds.(Default: 900 seconds; configurable range is from 30 - 3600 seconds)



[Result]

1) TWAMP clients use IPv4 address to establish session and send test packets.

Display current status and session.

There is no packet loss via IPv4 address.

2) The maximum number of test sessions is 5.

TWAMP works correctly when the server and clients are in the same IPv4 network segments.

3) TWAMP works correctly when the server and clients are in the different IPv4 network segments.

4) TWAMP works correctly when the server and clients are in the same IPv6 network segments.

5) TWAMP works correctly when the server and clients are in the different IPv6 network segments.

 

Support models and software version:

ECS4120 series v1.2.2.18 and above.

ECS4100 series v1.2.36.191 and above.

This article uses ECS4100-28T for the example.

Step 1:

Setting the static MAC address (40-16-7e-66-a4-36) on port 7.

64.22.126.102.164.53 = 40-16-7e-66-a4-36

Those value means the MAC address which you want to set and MAC address need be converted from Hexadecimal to Decimal.

 

Hexadecimal -> Decimal
40 -> 64
16 -> 22
7e -> 126


"02" means port 7. "x" means octets.

- Here's the way to calculate the value.

Please see this form to understand how to specify the value for port number.

- If you want to set the port 1, then the value is 80.

Note:

You cannot use single digit, ex: "x 8" in the end, it will fail. 

The correct value of port 1 should be double digits, ex: "x 80".

 

Here's another example.

- If you want to set the port 10, the value is 0040.

Step 2:

Setting the static MAC address type.

"i" means integer32.

"3" means type 3. 

- There are five types for this value, Edgecore switch supported two types.

permanent(3)

deleteOnReset(4)

Here's the Result:

We can see the MAC address which be configured to MAC table via SNMP successfully. 

 

The basic DHCPSNP topology and configuration on the switch as below.

Original Behavior: (Not support “vlan-flooding” command or “vlan-flooding” enabled.)

When the switch enabled DHCPSNP function globally, the client will request the IP address by sending out the DHCP packets (Discover/Request) to untrust port.

This DHCP packet belongs to the vlan which includes in DHCPSNP enable vlan list, the switch will forward it to trust port only which is also the vlan member.

If this DHCP packet belongs to the vlan which doesn’t include in DHCPSNP enable vlan list, the switch will forward/flood it to ALL other ports which are also the vlan member.

Disabled DHCPSNP vlan-flooding Behavior: (vlan-flooding is enabled on switch by default.)

The mechanism is the same when the DHCP packet belongs to the vlan which includes in DHCPSNP enable vlan list.

However, if this DHCP packet belongs to the vlan which doesn’t include in DHCPSNP enable vlan list, the switch will NOT forward/flood it to any other port which is also the vlan member.

The user could easily configure how the DHCP packets forward on switch ports.

[Result]
When the DHCP packets - Discover/Request from the clients is received.

Configuration via CLI/WEB/SNMP.

CLI command

Default is vlan-flooding enabled.

Console#con

Console(config)#interface ethernet 1/1

Console(config-if)#ip dhcp snooping vlan-flooding             ---> Enabled

or

Console(config-if)#no ip dhcp snooping vlan-flooding          ---> Disabled

WEB

Security > DHCP Snooping > Step: 3. Configure Interface > Enabled/Disabled Vlan Flooding

SNMP

[SNMPSET command format]

snmpset -v 2c -c private {switch ip} {dhcpSnoopPortVlanFlooding}.{dhcpSnoopPortIfIndex} {integer} {value}

For dhcpSnoopPortVlanFlooding, OID 1.3.6.1.4.1.259.10.1.45.1.46.3.1.1.7

 Set OID 1.3.6.1.4.1.259.10.1.45.1.46.3.1.1.7 to enabled(1) vlan flooding.

 Set OID 1.3.6.1.4.1.259.10.1.45.1.46.3.1.1.7 to disabled(2) vlan flooding.

For dhcpSnoopPortIfIndex: The port interface of dhcpSnoopPortIfIndex

 The ifIndex value of the port or trunk.

Enabled vlan flooding.

Disabled vlan flooding.

Support models and software version:

ECS4120 series v1.2.2.23 and above

The following is the example for ECS4120 series.

[SNMPSET command format]
snmpset -v 2c -c private {switch ip} { rlPortInputStatus | rlPortOutputStatus | rlPortInputLimitInKilo | rlPortOutputLimitInKilo}.{ rlPortIndex } {integer} {value}
 
For rlPortInputStatus, OID 1.3.6.1.4.1.259.10.1.45.1.16.1.2.1.6
 Set OID 1.3.6.1.4.1.259.10.1.45.1.16.1.2.1.6 to enabled(1) input rate limit.
 Set OID 1.3.6.1.4.1.259.10.1.45.1.16.1.2.1.6 to disabled(2) input rate limit.
 
For rlPortOutputStatus, OID 1.3.6.1.4.1.259.10.1.45.1.16.1.2.1.7
 Set OID 1.3.6.1.4.1.259.10.1.45.1.16.1.2.1.7 to enabled(1) output rate limit.
 Set OID 1.3.6.1.4.1.259.10.1.45.1.16.1.2.1.7 to disabled(2) output rate limit.
 
For rlPortInputLimitInKilo, OID 1.3.6.1.4.1.259.10.1.45.1.16.1.2.1.10
 Value of the input rate limit. (Range: <64-10000000> kilobits per second.)
 
For rlPortOutputLimitInKilo, OID 1.3.6.1.4.1.259.10.1.45.1.16.1.2.1.11
 Value of the output rate limit. (Range: <64-10000000> kilobits per second.)
 
For rlPortIndex: The port interface of the portTable.
 The ifIndex value of the port or trunk.
 
Example:
(1) Enable input rate limit with 100M on port Eth1/1.
(2) Enable output rate limit with 10M on port Eth1/2.
Result:

Supported models: ECS4120 series (V1.2.2.13)

SNMPSET command format.

snmpset -v 2c -c private {switch IP Address} {inetCidrRouteStatus}.{IPv4 or IPv6}.{Destination network segment}.{mask}.{IPv4 or IPv6}.{Next hop} {integer} {value}

{inetCidrRouteStatus}

  • OID: 1.3.6.1.2.1.4.24.7.1.17

{IPv4 or IPv6} 

  • IPv4 OID: 1.4    -->  1 = IPv4 , 4 = IPv4 address is 4 byte.
  • IPv6 OID: 2.16  -->  2 = IPv6 , 16 = IPv6 address is 16 byte. (Please indicate in decimal. e.g. 2002::1 = 32.2.0.0.0.0.0.0.0.0.0.0.0.0.0.1)

{value}

  • 4 = Active 
  • 6 = Destroy

Configure IPv4 static route via SNMP.

  • Adding a IPv4 static route as follow: 
  • NET-SNMP command: 
{inetCidrRouteStatus=1.3.6.1.2.1.4.24.7.1.17}.{IPv4=1.4}.{Destination network segment=192.168.87.0}.{mask=24}.{IPv4=1.4}.{Next hop=192.168.2.11}.{integer} {value=4}

Configure IPv6 static route via SNMP.

  • Adding a IPv6 static route as follow: 
  • NET-SNMP command:  
{inetCidrRouteStatus=1.3.6.1.2.1.4.24.7.1.17}.{IPv6=2.16}.{Destination network segment="2002:8787::"(Please indicate in Decimal)}.{mask=64}.{IPv6=2.16}.{Next hop="2002::1"(Please indicate in Decimal)}.{integer} {value=4}

Result:
!
interface vlan 1
 ip address 192.168.2.10 255.255.255.0
!
interface craft
!
!
ip route 192.168.87.0 255.255.255.0 192.168.2.11
!
!
interface vlan 1
 ipv6 address 2002::1/64
!
ipv6 route 2002:8787::/64 2002::1
!
Zero Touch Deployment on ECS4100 series.
 
When the switch boots with a factory default configuration, it supports automatically obtain IP address and configuration file from remote server. Once the switch installs the new configuration, it could automatically upgrade the current operational code when a new version is detected on the server.
 
Topology:

 
Procedure:
Step 1:
Prepare a DHCP Server and TFTP Server, and connect it to the ECS4100-12T.
 
Step 2:
Prepare ECS4100-12T’s configuration and the newer firmware.
ECS4100-12T’s configuration:
Enable Automatic Code Upgrade function, and configure the IP address or other needed functions.
Console(config)#upgrade opcode auto
Console(config)#upgrade opcode reload
Console(config)#upgrade opcode path tftp://192.168.1.2/
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.1/24
 
Step 3:
Save the configuration(Copy running-config) to remote device for more modification, then put the used configuration to the Server.
Console#copy running-config tftp
TFTP server IP address: 192.168.1.2
Destination file name: test.cfg
Success.
Console#
 
Step 4:
Modify the firmware name to “ECS4100-series.bix”.
Please note that the name for the new image stored on the TFTP server must be ECS4100-series.bix.


Step 5:
Configure the setting on DHCP Server.
Must be enabled option 66/67 on DHCP Server.

 
Step 6:
Boot ECS4100-12T with factory default configuration.
Console# configure
Console(config)# boot system config:Factory_Default_config.cfg
Console(config)# exit
Console# reload
 
Step 7:
Enable DHCP Dynamic Provision.
Console(config)#ip dhcp dynamic-provision

 
Step 8:
ECS4100-12T get the IP address from DHCP Server.


Capture the DHCP packets which include option66/67.



After ECS4100-12T installs the new configuration, it starts to look for a new image.
Then ECS4100-12T automatically upgrades the current operational code when a new version is detected on the server.

ECS2100 series firmware version v1.2.2.12 and above has a new software enhancement which support Layer 2 / Layer 3 DHCP Relay function. And the user may choose to use the L2 or L3 DHCP Relay by following commands (Default is L3). 

The setting for Layer 2 DHCP Relay
 

The setting for Layer 3 DHCP Relay
 

When the client and DHCP server are in the same VLAN and subnet, the client may obtain the IP address from DHCP server directly. However, in practical network, clients might be in the different subnet and VLAN, then DHCP Relay function can help to get the IP address from DHCP server which is in the different subnet.

 

- L2 DHCP Relay

The L2 DHCP Relay function can be used to add the suboption information (DHCP Option 82.) and the DHCP server may refer it to assigns the corresponding IP address.

 

Topology:

 

Configuration on ECS2100-28T:

1) Configure the port 2 to VLAN 2.
 

2) Set IP address on VLAN interface.
 

3) Enable the L2 DHCP relay and configure the IP address of DHCP server.
 


L2 DHCP Relay packet forwarding procedures:

 

In this example, the client will get the IP address in the range of 192.168.2.240~192.168.250 from the DHCP server. 

==================================================================

 

- L3 DHCP Relay

The L3 DHCP Relay function will convent the DHCP broadcast packet into the unicast packet and add the DHCP Relay agent IP address. Then DHCP server can refer to the Relay agent IP address to assigns the corresponding IP address.

 

Topology:

Configuration on ECS2100-28T:

1) Configure the port 2 to VLAN 2 and port 3 to VLAN 3.
 

2) Set IP address on VLAN interface.
 

3) Enable the L3 DHCP relay and configure DHCP relay server on VLAN interface.
 

 

L3 DHCP Relay packet forwarding procedures:

Example of client B.

In this example, 
Client A can get the IP address in the range of 192.168.2.240-250 the DHCP server.
Client B can get the IP address in the range of 192.168.3.240-250 the DHCP server.

Zero Touch Deployment on ECS4100 series.
 
When the switch boots with a factory default configuration, it supports automatically obtain IP address and configuration file from remote server. Once the switch installs the new configuration, it could automatically upgrade the current operational code when a new version is detected on the server.
 
Topology:

 
Procedure:
Step 1:
Prepare a DHCP Server and TFTP Server, and connect it to the ECS4100-12T.
 
Step 2:
Prepare ECS4100-12T’s configuration and the newer firmware.
ECS4100-12T’s configuration:
Enable Automatic Code Upgrade function, and configure the IP address or other needed functions.
Console(config)#upgrade opcode auto
Console(config)#upgrade opcode reload
Console(config)#upgrade opcode path tftp://192.168.1.2/
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.1/24
 
Step 3:
Save the configuration(Copy running-config) to remote device for more modification, then put the used configuration to the Server.
Console#copy running-config tftp
TFTP server IP address: 192.168.1.2
Destination file name: test.cfg
Success.
Console#
 
Step 4:
Modify the firmware name to “ECS4100-series.bix”.
Please note that the name for the new image stored on the TFTP server must be ECS4100-series.bix.


Step 5:
Configure the setting on DHCP Server.
Must be enabled option 66/67 on DHCP Server.

 
Step 6:
Boot ECS4100-12T with factory default configuration.
Console# configure
Console(config)# boot system config:Factory_Default_config.cfg
Console(config)# exit
Console# reload
 
Step 7:
Enable DHCP Dynamic Provision.
Console(config)#ip dhcp dynamic-provision

 
Step 8:
ECS4100-12T get the IP address from DHCP Server.


Capture the DHCP packets which include option66/67.



After ECS4100-12T installs the new configuration, it starts to look for a new image.
Then ECS4100-12T automatically upgrades the current operational code when a new version is detected on the server.

ECS2100 series firmware version v1.2.2.12 and above has a new software enhancement which support Layer 2 / Layer 3 DHCP Relay function. And the user may choose to use the L2 or L3 DHCP Relay by following commands (Default is L3). 

The setting for Layer 2 DHCP Relay
 

The setting for Layer 3 DHCP Relay
 

When the client and DHCP server are in the same VLAN and subnet, the client may obtain the IP address from DHCP server directly. However, in practical network, clients might be in the different subnet and VLAN, then DHCP Relay function can help to get the IP address from DHCP server which is in the different subnet.

 

- L2 DHCP Relay

The L2 DHCP Relay function can be used to add the suboption information (DHCP Option 82.) and the DHCP server may refer it to assigns the corresponding IP address.

 

Topology:

 

Configuration on ECS2100-28T:

1) Configure the port 2 to VLAN 2.
 

2) Set IP address on VLAN interface.
 

3) Enable the L2 DHCP relay and configure the IP address of DHCP server.
 


L2 DHCP Relay packet forwarding procedures:

 

In this example, the client will get the IP address in the range of 192.168.2.240~192.168.250 from the DHCP server. 

==================================================================

 

- L3 DHCP Relay

The L3 DHCP Relay function will convent the DHCP broadcast packet into the unicast packet and add the DHCP Relay agent IP address. Then DHCP server can refer to the Relay agent IP address to assigns the corresponding IP address.

 

Topology:

Configuration on ECS2100-28T:

1) Configure the port 2 to VLAN 2 and port 3 to VLAN 3.
 

2) Set IP address on VLAN interface.
 

3) Enable the L3 DHCP relay and configure DHCP relay server on VLAN interface.
 

 

L3 DHCP Relay packet forwarding procedures:

Example of client B.

In this example, 
Client A can get the IP address in the range of 192.168.2.240-250 the DHCP server.
Client B can get the IP address in the range of 192.168.3.240-250 the DHCP server.

1. Right-clicking at the node icon, press the 'Create Link'

 
2. Link the node to the network device, and select the port numbers their connected

 

 
 
3. Final topology
How to calculate the expiry time of IGMPSNP/MVR entry on ECS4100 series?
 
When a group's timer expires then it will be removed from IGMPSNP group table /MVR member table, therefore, this group's multicast traffic will stop forwarding. Once the switch received the group's IGMP report packet, then the timer will start to calculate or renew.
 
IGMP snooping:

IGMPSNP Expire time =
Last Member Query Count x Query Interval + Query Response Interval
 
For Example:
Default: 125 x 2 + 10 = 260 seconds = 4 minutes and 20 seconds
 

MVR:

MVR Expire time =
MVR Robustness Value x MVR Proxy Query Interval + 10 seconds (static)
 
For Example:
Default: 125 x 2 + 10 = 260 seconds = 4 minutes and 20 seconds

Notice: Enable/Disable “MVR Proxy Switching” will not affect to the expire time.
How to configure 802.1x PAE supplicant ?

Support models:
ES3510MA, ES3528MV2, ECS3510-28T/52T, ECS4110 series, ECS4510 series, ECS4620 series

Scenario:

 
When devices attached to a port, the port must submit requests to another authenticator on the network; however, the end clients do not support 802.1x authentication or prevent untrust device, neither the non-support supplicant device connection to the network. The user could configure the identity profile parameters to identify this switch as a supplicant, and enable dot1x supplicant mode for those ports which must authenticate clients through a remote authenticator.

Test procedures:
Step 1) Configure the management IP address
ECS4120-28Fv2:
   ECS412028Fv2#configure
   ECS412028Fv2(config)#interface vlan 1
   ECS412028Fv2(config-if)#ip address 192.168.1.50/24
 
Step 2) Define an external RADIUS server
ECS4120-28Fv2:
   ECS412028Fv2#configure
   ECS412028Fv2(config)#radius-server 1 host 192.168.1.4 key support
 
Step 3) Check the configuration of RADIUS
ECS412028Fv2#show radius-server
Remote RADIUS Server Configuration:
Server 1:
Server IP Address: 192.168.1.4
Authentication Port Number : 1812
Accounting Port Number : 1813
Retransmit Times : 2
Request Timeout : 5
 
Step 4) Enable 802.1x port authentication globally on ECS4120-28Fv2
ECS4120-28Fv2:
   ECS412028Fv2#configure
   ECS412028Fv2(config)#dot1x system-auth-control
 
Step 5) Configure 802.1x mode on switch port
ECS4120-28Fv2:
   ECS412028Fv2#configure
   ECS412028Fv2(config)#interface ethernet 1/23
   ECS412028Fv2(config-if)#dot1x port-control auto
 
Step 6) Allow multiple hosts connect to the same switch port
ECS4120-28Fv2:
   ECS412028Fv2#configure
   ECS412028Fv2(config)#interface ethernet 1/23
   ECS412028Fv2(config-if)#dot1x operation-mode multi-host
 
Step 7) Check the 802.1x configuration status is correct
ECS4120-28Fv2:
   ECS412028Fv2#show dot1x
   Global 802.1X Parameters:
   System Auth Control : Enabled
   Authenticator Parameters:
   EAPOL Pass Through : Disabled
   802.1X Port Summary

Port     Type          Operation Mode Control Mode       Authorized
-------- ------------- -------------- ------------------ ---------
Eth 1/21 Disabled      Single-Host    Force-Authorized   Yes
Eth 1/22 Disabled      Single-Host    Force-Authorized   N/A
Eth 1/23 Authenticator Multi-Host     Auto                     N/A
Eth 1/24 Disabled      Single-Host    Force-Authorized   N/A
Eth 1/25 Disabled      Single-Host    Force-Authorized   N/A
Eth 1/26 Disabled      Single-Host    Force-Authorized   N/A
 
Step 8) Try to ping the radius server from Client1
Client 1 : Ping failed because the port was not authenticated by RADIUS server.


Step 9) Check the version on ECS4110-28P which support dot1x supplicant mode
ECS4110-28P(DUT):
Dut1#show version
Unit 1
Serial Number : EC1427000158
Hardware Version : R0A
EPLD Version : 0.00
Number of Ports : 28
Main Power Status : Up
Role : Master
Loader Version : 1.2.0.1
Linux Kernel Version : 2.6.22.18
Boot ROM Version : 0.0.0.1
Operation Code Version : 1.2.3.13
 
Step 10) Enable dot1x supplicant mode on port interface
ECS4110-28P(DUT):
   Dut1#configure
   Dut1(config)#interface ethernet 1/23
   Dut1(config-if)#dot1x pae supplicant
 
Step 11) Set up the dot1x supplicant Username and Password
ECS4110-28P(DUT):
   Dut1#configure
   Dut1(config)#dot1x identity profile username test
   Dut1(config)#dot1x identity profile password support
 
Step 12) Reconnect the port 1/23 of ECS4110-28P to re-authenticate.
ECS4110-28P(DUT):
   Dut1#configure
   Dut1(config)#interface ethernet 1/23
   Dut1(config-if)#shutdown
   Dut1(config-if)#no shutdown
 
Step 13) Check the status of dot1x on ECS4120-28Fv2
ECS4120-28Fv2:
ECS412028Fv2#show dot1x interface ethernet 1/23
802.1X Authenticator is enabled on port 1/23
Reauthentication : Disabled
Reauth Period : 3600 seconds
Quiet Period : 60 seconds
TX Period : 30 seconds
Supplicant Timeout : 30 seconds
Server Timeout : 10 seconds
Reauth Max Retries : 2
Max Request : 2
Operation Mode : Multi-Host
Port Control : Auto
Maximum MAC Count : 5
Intrusion Action : Block traffic
 
Supplicant : 70-72-CF-C8-58-8F // ECS4110-28P(DUT)’s MAC Address
 
Authenticator PAE State Machine
State : Authenticated
Reauth Count : 0
Current Identifier : 1
 
ECS4110-28P(DUT):
Dut1#show dot1x
Global 802.1X Parameters:
System Auth Control : Disabled
Authenticator Parameters:
EAPOL Pass Through : Disabled
Supplicant Parameters:
Identity Profile Username : test
802.1X Port Summary

Port     Type          Operation Mode Control Mode       Authorized
-------- ------------- -------------- ------------------ ----------
Eth 1/22 Disabled      Single-Host    Force-Authorized   N/A
Eth 1/23 Supplicant    Single-Host    Force-Authorized   Yes
Eth 1/24 Disabled      Single-Host    Force-Authorized   N/A
Eth 1/25 Disabled      Single-Host    Force-Authorized   N/A
802.1X Port Details
802.1X Authenticator is disabled on port 1/23
802.1X Supplicant is enabled on port 1/23
Authenticated : Yes
Auth-period : 30 seconds
Held-period : 60 seconds
Start-period : 30 seconds
Max-start : 3
 
Step 14) Retrieve the packet by wireshark on RADIUS Server
Authentication Successfully


Step 15) Try to ping the radius server again from Client1
Client 1 : Ping Successfully


Client 2 : Successfully obtain the IP address by DHCP Server and ping to radius server


How to upgrade ECS4120 loader version to extend the ECC (Error Correcting code) support?

The ECS4120 Loader version 0.0.3.0 and above support ECC (Error Correcting code).

Environment and Preparation:
  1. The ECS4120 switch (Its loader version is 0.0.2.6. Check it by the command “show version”)
  2. Windows PC(Win7, Win8 or Win10) with one Serial COM port
  3. Script – ECS4120_uboot_upgrade_v1.0.2_BH2.zip
 
Configuration: Modify config.ini
  • [serial] section: Serial COM port
Caution: DO NOT modify [product] section’s “type” parameter in the config.ini

Example:


How to check Serial COM port on the PC?
In Device Manager (Start -> Run -> devmgmt.msc)




Caution:
Before running the script, please turn OFF all the terminal on the PC and power OFF the Switch.
 
Upgrade loader: 
Step 1: Run the script “uboot_upgarde.exe”.
Double click “uboot_upgrade.exe” to run the script.


Step 2: Power ON the switch
The script will execute automatically.


After upgrading, uboot_upgrade.exe will close by itself.

Caution:
When running the script, please DO NOT remove the console cable and unplug the power cord.
 
If it failed to upgrade, please send your request and log file to support@edge-core.com

ECS2100 series firmware version v1.2.2.12 and above has a new software enhancement which support Layer 2 / Layer 3 DHCP Relay function. And the user may choose to use the L2 or L3 DHCP Relay by following commands (Default is L3). 

The setting for Layer 2 DHCP Relay
 

The setting for Layer 3 DHCP Relay
 

When the client and DHCP server are in the same VLAN and subnet, the client may obtain the IP address from DHCP server directly. However, in practical network, clients might be in the different subnet and VLAN, then DHCP Relay function can help to get the IP address from DHCP server which is in the different subnet.

 

- L2 DHCP Relay

The L2 DHCP Relay function can be used to add the suboption information (DHCP Option 82.) and the DHCP server may refer it to assigns the corresponding IP address.

 

Topology:

 

Configuration on ECS2100-28T:

1) Configure the port 2 to VLAN 2.
 

2) Set IP address on VLAN interface.
 

3) Enable the L2 DHCP relay and configure the IP address of DHCP server.
 


L2 DHCP Relay packet forwarding procedures:

 

In this example, the client will get the IP address in the range of 192.168.2.240~192.168.250 from the DHCP server. 

==================================================================

 

- L3 DHCP Relay

The L3 DHCP Relay function will convent the DHCP broadcast packet into the unicast packet and add the DHCP Relay agent IP address. Then DHCP server can refer to the Relay agent IP address to assigns the corresponding IP address.

 

Topology:

Configuration on ECS2100-28T:

1) Configure the port 2 to VLAN 2 and port 3 to VLAN 3.
 

2) Set IP address on VLAN interface.
 

3) Enable the L3 DHCP relay and configure DHCP relay server on VLAN interface.
 

 

L3 DHCP Relay packet forwarding procedures:

Example of client B.

In this example, 
Client A can get the IP address in the range of 192.168.2.240-250 the DHCP server.
Client B can get the IP address in the range of 192.168.3.240-250 the DHCP server.

How to calculate the expiry time of IGMPSNP/MVR entry on ECS4100 series?
 
When a group's timer expires then it will be removed from IGMPSNP group table /MVR member table, therefore, this group's multicast traffic will stop forwarding. Once the switch received the group's IGMP report packet, then the timer will start to calculate or renew.
 
IGMP snooping:

IGMPSNP Expire time =
Last Member Query Count x Query Interval + Query Response Interval
 
For Example:
Default: 125 x 2 + 10 = 260 seconds = 4 minutes and 20 seconds
 

MVR:

MVR Expire time =
MVR Robustness Value x MVR Proxy Query Interval + 10 seconds (static)
 
For Example:
Default: 125 x 2 + 10 = 260 seconds = 4 minutes and 20 seconds

Notice: Enable/Disable “MVR Proxy Switching” will not affect to the expire time.
How to configure 802.1x PAE supplicant ?

Support models:
ES3510MA, ES3528MV2, ECS3510-28T/52T, ECS4110 series, ECS4510 series, ECS4620 series

Scenario:

 
When devices attached to a port, the port must submit requests to another authenticator on the network; however, the end clients do not support 802.1x authentication or prevent untrust device, neither the non-support supplicant device connection to the network. The user could configure the identity profile parameters to identify this switch as a supplicant, and enable dot1x supplicant mode for those ports which must authenticate clients through a remote authenticator.

Test procedures:
Step 1) Configure the management IP address
ECS4120-28Fv2:
   ECS412028Fv2#configure
   ECS412028Fv2(config)#interface vlan 1
   ECS412028Fv2(config-if)#ip address 192.168.1.50/24
 
Step 2) Define an external RADIUS server
ECS4120-28Fv2:
   ECS412028Fv2#configure
   ECS412028Fv2(config)#radius-server 1 host 192.168.1.4 key support
 
Step 3) Check the configuration of RADIUS
ECS412028Fv2#show radius-server
Remote RADIUS Server Configuration:
Server 1:
Server IP Address: 192.168.1.4
Authentication Port Number : 1812
Accounting Port Number : 1813
Retransmit Times : 2
Request Timeout : 5
 
Step 4) Enable 802.1x port authentication globally on ECS4120-28Fv2
ECS4120-28Fv2:
   ECS412028Fv2#configure
   ECS412028Fv2(config)#dot1x system-auth-control
 
Step 5) Configure 802.1x mode on switch port
ECS4120-28Fv2:
   ECS412028Fv2#configure
   ECS412028Fv2(config)#interface ethernet 1/23
   ECS412028Fv2(config-if)#dot1x port-control auto
 
Step 6) Allow multiple hosts connect to the same switch port
ECS4120-28Fv2:
   ECS412028Fv2#configure
   ECS412028Fv2(config)#interface ethernet 1/23
   ECS412028Fv2(config-if)#dot1x operation-mode multi-host
 
Step 7) Check the 802.1x configuration status is correct
ECS4120-28Fv2:
   ECS412028Fv2#show dot1x
   Global 802.1X Parameters:
   System Auth Control : Enabled
   Authenticator Parameters:
   EAPOL Pass Through : Disabled
   802.1X Port Summary

Port     Type          Operation Mode Control Mode       Authorized
-------- ------------- -------------- ------------------ ---------
Eth 1/21 Disabled      Single-Host    Force-Authorized   Yes
Eth 1/22 Disabled      Single-Host    Force-Authorized   N/A
Eth 1/23 Authenticator Multi-Host     Auto                     N/A
Eth 1/24 Disabled      Single-Host    Force-Authorized   N/A
Eth 1/25 Disabled      Single-Host    Force-Authorized   N/A
Eth 1/26 Disabled      Single-Host    Force-Authorized   N/A
 
Step 8) Try to ping the radius server from Client1
Client 1 : Ping failed because the port was not authenticated by RADIUS server.


Step 9) Check the version on ECS4110-28P which support dot1x supplicant mode
ECS4110-28P(DUT):
Dut1#show version
Unit 1
Serial Number : EC1427000158
Hardware Version : R0A
EPLD Version : 0.00
Number of Ports : 28
Main Power Status : Up
Role : Master
Loader Version : 1.2.0.1
Linux Kernel Version : 2.6.22.18
Boot ROM Version : 0.0.0.1
Operation Code Version : 1.2.3.13
 
Step 10) Enable dot1x supplicant mode on port interface
ECS4110-28P(DUT):
   Dut1#configure
   Dut1(config)#interface ethernet 1/23
   Dut1(config-if)#dot1x pae supplicant
 
Step 11) Set up the dot1x supplicant Username and Password
ECS4110-28P(DUT):
   Dut1#configure
   Dut1(config)#dot1x identity profile username test
   Dut1(config)#dot1x identity profile password support
 
Step 12) Reconnect the port 1/23 of ECS4110-28P to re-authenticate.
ECS4110-28P(DUT):
   Dut1#configure
   Dut1(config)#interface ethernet 1/23
   Dut1(config-if)#shutdown
   Dut1(config-if)#no shutdown
 
Step 13) Check the status of dot1x on ECS4120-28Fv2
ECS4120-28Fv2:
ECS412028Fv2#show dot1x interface ethernet 1/23
802.1X Authenticator is enabled on port 1/23
Reauthentication : Disabled
Reauth Period : 3600 seconds
Quiet Period : 60 seconds
TX Period : 30 seconds
Supplicant Timeout : 30 seconds
Server Timeout : 10 seconds
Reauth Max Retries : 2
Max Request : 2
Operation Mode : Multi-Host
Port Control : Auto
Maximum MAC Count : 5
Intrusion Action : Block traffic
 
Supplicant : 70-72-CF-C8-58-8F // ECS4110-28P(DUT)’s MAC Address
 
Authenticator PAE State Machine
State : Authenticated
Reauth Count : 0
Current Identifier : 1
 
ECS4110-28P(DUT):
Dut1#show dot1x
Global 802.1X Parameters:
System Auth Control : Disabled
Authenticator Parameters:
EAPOL Pass Through : Disabled
Supplicant Parameters:
Identity Profile Username : test
802.1X Port Summary

Port     Type          Operation Mode Control Mode       Authorized
-------- ------------- -------------- ------------------ ----------
Eth 1/22 Disabled      Single-Host    Force-Authorized   N/A
Eth 1/23 Supplicant    Single-Host    Force-Authorized   Yes
Eth 1/24 Disabled      Single-Host    Force-Authorized   N/A
Eth 1/25 Disabled      Single-Host    Force-Authorized   N/A
802.1X Port Details
802.1X Authenticator is disabled on port 1/23
802.1X Supplicant is enabled on port 1/23
Authenticated : Yes
Auth-period : 30 seconds
Held-period : 60 seconds
Start-period : 30 seconds
Max-start : 3
 
Step 14) Retrieve the packet by wireshark on RADIUS Server
Authentication Successfully


Step 15) Try to ping the radius server again from Client1
Client 1 : Ping Successfully


Client 2 : Successfully obtain the IP address by DHCP Server and ping to radius server


「製品セレクタツール」をクリックすると、
必要な情報を検索できます。

製品セレクタツール

私は自発的にエッジコアネットワークスに私の権限と許可を与え、エッジコアネットワークスに提供する情報を使用し開示することを許可します

OK