According to the current CPU utilization, CPU guard function sets the CPU utilization high and low watermarks in the percentage of CPU time utilized, and the CPU high and low thresholds in the number of packets being processed per second.

** Please note that the CPU guard will limit the packets transfer to CPU, but it will not limit the packets transmit to the egress port. **

Support Models: ECS4620 series, ECS4510 series, ECS4120 series, ECS4100 series, ECS5520 series, ECS4530 series, ECS2100 series, ECS3510 series

Topology:

Step 1: The switch runs in the default configuration and we try to inject the 1000 packets per second.
The CPU utilization will rise to 55 ~ 58%.

Step 2: Enable the CPU guard function globally.

Console(config)#process cpu guard

At this moment, the CPU remains and doesn't fall.
Since the current CPU utilization does not exceed the value of high-watermark, it doesn't trigger the CPU guard.

Step 3: Modify "low-watermark" and "high-watermark".
For example, we configure "high-watermark" to be lower than the current CPU utilization.

Console(config)#process cpu guard low-watermark 40
Console(config)#process cpu guard high-watermark 50

After the modification, CPU utilization will be falling and the CPU can process 392 packets per second.
It's because the current CPU utilization is higher than the high-watermark, the switch limits the packets flow to the CPU until it falls below the low-watermark.

Step 4: Modify "low-watermark" and "high-watermark".
For example, we configure "low-watermark" to be higher than the current CPU utilization.

Console(config)#process cpu guard low-watermark 50
Console(config)#process cpu guard high-watermark 55

We can see the "Current Threshold" is increasing, and the maximum value is 500 (ECS4510 Series).
If the switch limits the packets flow to the CPU after exceeding the high-watermark, the normal flow will be restored after usage falls beneath the low-watermark.

Step 5: We can also modify the "Maximum Threshold" directly to specify the number of packets being processed per second by the CPU.

Console(config)#process cpu guard max-threshold 100

The ECS5520-18X has sixteen 10G SFP+ ports and two 40G QSFP+ uplink ports. The 10G/40G ports can be configured as a single port connected with 10G SFP+/40G QSFP+ fiber cable, 10G/40G DAC (direct attach) cable, or breakout cable that connects a 40G port to four 10G ports; 10G port can also group four ports to a single 40G port. It's flexible for the user to configure it.

Configuration (Support CLI/WEB GUI/SNMP)

This example shows the default 40G and 10G port settings on ECS5520-18X.

Console#show hardware profile portmode
40G         10G         Config  Oper
Interfaces  Interfaces  Mode    Mode
----------  ----------  ------  ------
1/1         1/1-4       -       4x10g
1/5         1/5-8       -       4x10g
1/9         1/9-12      -       4x10g
1/13        1/13-16     -       4x10g
1/17        1/19-22     -       1x40g
1/18        1/23-26     -       1x40g

<A> CLI Command

• Configure port settings for 1x40G or 4x10G operation.

[CLI format]

hardware profile portmode ethernet 1/port { 1x40g | 4x10g | reset }

Warning: This command will not take effect until reload.
1x40g - Configures the port as a single 40G port.
4x10g - Configures the port as four 10G ports.
reset - Configures port mode to the default setting.

<A-1> Group four 10G ports to a single 40G port.
Eth1/1-4 will group to a single 40G port (Eth1/1).

Console#hardware profile portmode ethernet 1/1 1x40g
Warning: This command will not take effect until reload.
Console#reload
System will be restarted. Continue <y/n>? y

Console#show hardware profile portmode
40G         10G         Config  Oper
Interfaces  Interfaces  Mode    Mode
----------  ----------  ------  ------
1/1         1/1-4       1x40g   1x40g
1/5         1/5-8       -       4x10g
1/9         1/9-12      -       4x10g
1/13        1/13-16     -       4x10g
1/17        1/19-22     -       1x40g
1/18        1/23-26     -       1x40g

Console#show interfaces brief
Interface Name              Status    PVID Pri Speed/Duplex  Type         Trunk
--------- ----------------- --------- ---- --- ------------- ------------ -----
Eth 1/ 1                    Up           1   0 40Gfull       40GBASE QSFP None
Eth 1/ 5                    Down         1   0 10Gfull       10GBASE SFP+ None
Eth 1/ 6                    Down         1   0 10Gfull       10GBASE SFP+ None

<A-2> Breakout a single 40G port to four 10G ports.
Eth1/17 will breakout to four 10G ports (Eth1/19-22).

Console#hardware profile portmode ethernet 1/17 4x10g
Warning: This command will not take effect until reload.
Console#reload
System will be restarted. Continue <y/n>? y

Console#show hardware profile portmode
40G         10G         Config  Oper
Interfaces  Interfaces  Mode    Mode
----------  ----------  ------  ------
1/1         1/1-4       -       4x10g
1/5         1/5-8       -       4x10g
1/9         1/9-12      -       4x10g
1/13        1/13-16     -       4x10g
1/17        1/19-22     4x10g   4x10g
1/18        1/23-26     -       1x40g

Console#show interfaces brief
Interface Name              Status    PVID Pri Speed/Duplex  Type         Trunk
--------- ----------------- --------- ---- --- ------------- ------------ -----
...Omit
Eth 1/16                    Down         1   0 10Gfull       10GBASE SFP+ None
Eth 1/18                    Down         1   0 40Gfull       40GBASE QSFP None
Eth 1/19                    Up           1   0 10Gfull       10GBASE SFP+ None
Eth 1/20                    Up           1   0 10Gfull       10GBASE SFP+ None
Eth 1/21                    Up           1   0 10Gfull       10GBASE SFP+ None
Eth 1/22                    Up           1   0 10Gfull       10GBASE SFP+ None

<A-3> Configure port mode to the default setting.

Console#hardware profile portmode ethernet 1/1 reset
Warning: This command will not take effect until reload.
Console#hardware profile portmode ethernet 1/17 reset
Warning: This command will not take effect until reload.
Console#reload
System will be restarted. Continue <y/n>? y

Console#show hardware profile portmode
40G         10G         Config  Oper
Interfaces  Interfaces  Mode    Mode
----------  ----------  ------  ------
1/1         1/1-4       -       4x10g
1/5         1/5-8       -       4x10g
1/9         1/9-12      -       4x10g
1/13        1/13-16     -       4x10g
1/17        1/19-22     -       1x40g
1/18        1/23-26     -       1x40g

<B> WEB GUI

• Configure port settings for 1x40G or 4x10G operation.

[WEB GUI]
Interface -> Port -> Hardware Profile -> Config Mode -> Apply

<B-1> Group four 10G ports to a single 40G port.
Eth1/1-4 will group to a single 40G port (Eth1/1).

<B-2> Breakout a single 40G port to four 10G ports.
Eth1/17 will breakout to four 10G ports (Eth1/19-22).

<C> SNMP

• Configure port settings for 1x40G or 4x10G operation.

[SNMPSET command format]

snmpwalk -v 2c -c private {switch ip} {hardwarePortModeOper}.{hardwarePortModeIfIndex}

snmpset -v 2c -c private {switch ip} {hardwarePortModeConfig}.{hardwarePortModeIfIndex} {integer} {value}

For hardwarePortModeOper, OID 1.3.6.1.4.1.259.10.1.51.1.2.16.1.1.2
The Hardware profile operational port mode. This setting is used to identify the active state of port mode.
The value mode4x10g(2) means the port operates a single 10G port.
The value mode1x40g(3) means the port operates a single 40G port.

For hardwarePortModeConfig, OID 1.3.6.1.4.1.259.10.1.51.1.2.16.1.1.3
This is used to configure hardware profile port mode settings. This action will reflect after the restart.
Set mode4x10g(2) to breakout a single 40G port to four 10G ports.
Set mode1x40g(3) to group four 10G ports to a single 40G port.

For hardwarePortModeIfIndex: The port interface of hardwarePortModeIfIndex.
The ifIndex value of the port or trunk.

<C-1> Group four 10G ports to a single 40G port.

C:\>snmpwalk -v 2c -c private 188.188.10.109 1.3.6.1.4.1.259.10.1.51.1.2.16.1.1.2.1
SNMPv2-SMI::enterprises.259.10.1.51.1.2.16.1.1.2.1 = INTEGER: 2

C:\>snmpset -v 2c -c private 188.188.10.109 1.3.6.1.4.1.259.10.1.51.1.2.16.1.1.3.1 i 3
SNMPv2-SMI::enterprises.259.10.1.51.1.2.16.1.1.3.1 = INTEGER: 3

Eth1/1-4 will group to a single 40G port (Eth1/1).

<C-2> Breakout a single 40G port to four 10G ports.

C:\>snmpwalk -v 2c -c private 188.188.10.109 1.3.6.1.4.1.259.10.1.51.1.2.16.1.1.2.17
SNMPv2-SMI::enterprises.259.10.1.51.1.2.16.1.1.2.17 = INTEGER: 3

C:\>snmpset -v 2c -c private 188.188.10.109 1.3.6.1.4.1.259.10.1.51.1.2.16.1.1.3.17 i 2
SNMPv2-SMI::enterprises.259.10.1.51.1.2.16.1.1.3.17 = INTEGER: 2

Eth1/17 will breakout to four 10G ports (Eth1/19-22).

Dynamic ARP Inspection(DAI) is a security feature that validates the MAC Address bindings for Address Resolution Protocol packets. It provides protection against ARP traffic with invalid MAC-to-IP address bindings. This is accomplished by intercepting all ARP requests and responses and verifying each of these packets before the local ARP cache is updated or the packet is forwarded to the appropriate destination, dropping any invalid ARP packets.

ARP Inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database – the DHCP snooping binding database or IP source guard binding database. ARP Inspection can also validate ARP packets against user-configured ARP access control lists (ACLs) for hosts with statically configured IP addresses.

Topology:

Basic Configuration via CLI command:

Step 1: Enable the DHCPSNP function on global and VLAN 1.

Console(config)#ip dhcp snooping
Console(config)#ip dhcp snooping vlan 1

Step 2: Enable the DHCPSNP trust port on port 1.

Console(config)#interface ethernet 1/1
Console(config-if)#ip dhcp snooping trust

Step 3: Enable the DAI function on global and VLAN 1.

Console(config)#ip arp inspection 
Console(config)#ip arp inspection vlan 1
Console(config)#interface ethernet 1/1
Console(config-if)#ip arp inspection trust

Step 4: DHCP client gets the IP address from the DHCP server.

Step 5: The fake client sets the same IP address as the DHCP client and tries to send the ARP request packet.

Result: The switch will drop the ARP packet from the fake client.

Basic Configuration via SNMP:

[SNMPSET command format]
snmpset -v 2c -c private {switch ip} {daiGlobalStatus | daiVlanStatus | daiPortTrustStatus}.{daiVlanIndex | daiPortIfIndex} {integer} {value}

For daiGlobalStatus, OID 1.3.6.1.4.1.259.10.1.45.1.56.1.1
Set enabled(1) to enable dynamic ARP inspection globally.
Set disabled(2) to disable dynamic ARP inspection globally.

For daiVlanStatus, OID 1.3.6.1.4.1.259.10.1.45.1.56.2.1.1.2
This object indicates whether dynamic ARP inspection is enabled in this VLAN.
Set enabled(1) to enable dynamic ARP inspection on VLAN.
Set disabled(2) to disable dynamic ARP inspection on VLAN.

For daiVlanIndex,
This object indicates the VLAN ID on which dynamic ARP inspection is configured.

For daiPortTrustStatus, OID 1.3.6.1.4.1.259.10.1.45.1.56.3.1.1.2
This object indicates whether the port is trusted for dynamic ARP inspection.
Set enabled(1) to enable dynamic ARP inspection trust port.
Set disabled(2) to disable dynamic ARP inspection trust port.

For daiPortIfIndex,
The ifIndex value of the port.

Step 1: Enable the DAI function globally.

root@gavin:~# snmpset -v 2c -c private 192.168.1.1 .1.3.6.1.4.1.259.10.1.45.1.56.1.1.0 i 1

Check the configuration on CLI and SNMP:

SNMP: 

CLI:

Step 2: Enable the DAI function on VLAN 1. (daiVlanIndex=1)

root@gavin:~# snmpset -v 2c -c private 192.168.1.1 .1.3.6.1.4.1.259.10.1.45.1.56.2.1.1.2.1 i 1

Check the configuration on CLI and SNMP:

SNMP: 

CLI:

Step 3: Enable the DAI trust port on Port 1. (daiPortIfIndex=1)

root@gavin:~# snmpset -v 2c -c private 192.168.1.1 .1.3.6.1.4.1.259.10.1.45.1.56.3.1.1.2.1 i 1 

Check the configuration on CLI and SNMP:

SNMP: 

CLI:

Open Shortest Path First (OSPF) is a routing protocol for Internet Protocol (IP) networks. It uses a link-state routing protocol to generate a shortest-path tree, then builds up its routing table based on this tree. OSPF produces a more stable network because the participating routers act on network changes predictably and simultaneously, converging on the best route more quickly than RIP. Moreover, when several equal-cost routes to a destination exist, traffic can be distributed equally among them. A separate routing area scheme is also used to further reduce the amount of routing traffic.

Topology:

Procedure:

Switch_01 Configuration:

Step 1: Apply VLAN on port and configure VLAN's IP address.

switch-01(config)#interface ethernet 1/23
switch-01(config-if)#switchport allowed vlan add 100
switch-01(config-if)#switchport native vlan 100
switch-01(config-if)#exit
switch-01(config)#interface ethernet 1/24
switch-01(config-if)#switchport allowed vlan add 200
switch-01(config-if)#switchport native vlan 200
switch-01(config-if)#exit
switch-01(config)#interface vlan 100
switch-01(config-if)#ip address 192.168.0.1/30
switch-01(config-if)#exit
switch-01(config)#interface vlan 200
switch-01(config-if)#ip address 192.168.0.5/30
switch-01(config-if)#exit
switch-01(config)#interface vlan 1
switch-01(config-if)#ip address 192.168.1.254/24
switch-01(config-if)#exit

Step 2: Disable spanning tree on port 23,24.

switch-01#con 
switch-01(config)#interface ethernet 1/23,24 
switch-01(config-if)#spanning-tree spanning-disabled 

Step 3: Configure OSPF function.

switch-01(config)#router ospf 1
switch-01(config-router)#router-id 192.168.0.1
switch-01(config-router)#network 192.168.0.0 255.255.255.252 area 0
switch-01(config-router)#network 192.168.0.4 255.255.255.252 area 0 
switch-01(config-router)#network 192.168.1.0 255.255.255.0 area 0

Switch_02 Configuration:

Step 1: Apply VLAN on port and configure VLAN's IP address.

switch-02(config)#interface ethernet 1/1
switch-02(config-if)#switchport native vlan 2
switch-02(config-if)#switchport allowed vlan add 2
switch-02(config-if)#exit
switch-02(config)#interface ethernet 1/23 
switch-02(config-if)#switchport native vlan 100
switch-02(config-if)#switchport allowed vlan add 100
switch-02(config-if)#exit
switch-02(config)#interface ethernet 1/24 
switch-02(config-if)#switchport native vlan 300
switch-02(config-if)#switchport allowed vlan add 300
switch-02(config-if)#exit
switch-02(config)#interface vlan 2
switch-02(config-if)#ip address 192.168.2.254/24
switch-02(config-if)#exit
switch-02(config)#interface vlan 100 
switch-02(config-if)#ip address 192.168.0.2/30
switch-02(config-if)#exit
switch-02(config)#interface vlan 300
switch-02(config-if)#ip address 192.168.0.9/30
switch-02(config-if)#exit

Step 2: Disable spanning tree on port 23,24.

switch-01#con 
switch-01(config)#interface ethernet 1/23,24 
switch-01(config-if)#spanning-tree spanning-disabled 

Step 3: Configure OSPF function.

switch-02(config)#router ospf 1
switch-02(config-router)#router-id 192.168.0.2
switch-02(config-router)#network 192.168.0.0 255.255.255.252 area 0
switch-02(config-router)#network 192.168.0.8 255.255.255.252 area 0
switch-02(config-router)#network 192.168.2.0 255.255.255.0 area 0

Switch_03 Configuration:

Step 1: Apply VLAN on port and configure VLAN's IP address.

switch-03(config)#interface ethernet 1/1
switch-03(config-if)#switchport native vlan 3 
switch-03(config-if)#switchport allowed vlan add 3
switch-03(config-if)#exit
switch-03(config)#interface ethernet 1/23
switch-03(config-if)#switchport native vlan 200
switch-03(config-if)#switchport allowed vlan add 200
switch-03(config-if)#exit
switch-03(config)#interface ethernet 1/24
switch-03(config-if)#switchport native vlan 300
switch-03(config-if)#switchport allowed vlan add 300
switch-03(config-if)#exit
switch-03(config)#interface vlan 3
switch-03(config-if)#ip address 192.168.3.254/24
switch-03(config-if)#exit
switch-03(config)#interface vlan 200
switch-03(config-if)#ip address 192.168.0.6/30
switch-03(config-if)#exit
switch-03(config)#interface vlan 300
switch-03(config-if)#ip address 192.168.0.10/30
switch-03(config-if)#exit

Step 2: Disable spanning tree on port 23,24.

switch-01#con 
switch-01(config)#interface ethernet 1/23,24 
switch-01(config-if)#spanning-tree spanning-disabled 

Step 3: Configure OSPF function.

switch-03(config)#router ospf 1
switch-03(config-router)#router-id 192.168.0.3
switch-03(config-router)#network 192.168.0.4 255.255.255.252 area 0
switch-03(config-router)#network 192.168.0.8 255.255.255.252 area 0
switch-03(config-router)#network 192.168.3.0 255.255.255.0 area 0 

Result:

Check the routing table on all the switches.

Switch-01's routing table:

Switch-02's routing table:

Switch-03's routing table:

Display the information about neighboring routers on all the switches.

Switch-01's OSPF Neighbor Information

Switch-02's OSPF Neighbor Information

Switch-03's OSPF Neighbor Information

VLAN2-Client A(192.168.2.1) could ping to VLAN1-Client C(192.168.1.1).

Debug command could display the debugging information for some functions in Privileged Exec mode.

The messages included the function events, transmitted/received packets...etc.

It's convenience for administrators to troubleshoot the problem on the switch.

 

The user could also dump the debug messages and contact Edgecore support(support@edge-core.com), and send a detailed description of the problem, along with the file used to record your system settings(show tech-support command).

 

Command Mode: Exec mode

(1) Debug mode of the ARP:

When we enable ARP debug command, the switch will print out the ARP process information when it receives the ARP packets.

Console#debug arp

For example:

Console#debug dhcp all

(3) Debug mode of the IGMPSNP and MVR:

When we enable IGMPSNP/MVR debug command, the switch will print out the IGMP process information when it receives the IGMP control packets.

Console#debug igmpsnp-mvr all

Topology:

For example:

The switch receives the IGMP REPORT packet from the client.

 

The switch receives the IGMP LEAVE packet from the client.

 

The switch receives the IGMP QUERY packet from other device (ECS4120_2).

 

(4) Debug mode of the DHCPSNP:

When we enable DHCPSNP debug command, the switch will print out the DHCP process information when it receives the DHCP packets between the server and client.

Console# debug ip dhcp snooping all

Topology:

For example:

The switch receives the DHCP DISCOVER packet from the client.

dhcp_msg_type=1 means DHCP discover packet.

 

The switch receives the DHCP OFFER packet from the DHCP server.

dhcp_msg_type=2 means DHCP offer packet.

 

The switch receives the DHCP REQUEST packet from the client.

dhcp_msg_type=3 means DHCP request packet.

 

(5) Debug mode of the LACP:

When we enable LACP debug command, the switch will display the trunk ID to which port member belongs.

Topology:

 

For example:

Console#debug lacp config

The switch will display the LACP function status is enable or disable during the configuration.

 

Console#debug lacp event

If the LACP trunk is active, the switch will display the port member belongs to which trunk id.

 

Console#debug lacp packet

The switch will display the information when it receives/transmits the LACP packets.

 

(6) Debug mode of the MLDSNP:

When we enable MLDSNP debug command, the switch will print out the MLD process information when it receives the MLD packets(ICMPv6).

Console#debug mldsnp all

For example:

The switch receives the MLD message packet from the client.

 

The switch sends out the specific query from the port which receives the leave message.

 

The switch sends out the IPv6 General Query.

 

The switch receives the IPv6 General Query from other device.

 

(7) Debug mode of the MVR6:

When we enable MVR6 debug command, the switch will print out the MVR6 process information when it receives the ICMPv6 packets.

Console#debug mvr6 all

For example:

The switch receives the MVR6 join message from the client.

 

The switch receives the MVR6 leave message from the client.

 

The switch sends out the IPv6 General Query.

 

(8) Debug mode of the STP:

When we enable STP debug command, the switch will print out the STP process information when it's running STP protocol.

Console#debug spanning-tree all

Topology:

For example:

The switch port 1 (Root port) receives the BPDU packet from the Root Bridge.

 

If the switch port 1 (Root port) status is changing to block, then the port 2 (Alternate port) status will become forwarding(Root port) and receive the BPDU packet from the Root Bridge.

The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers. This information allows administrators to remotely diagnose problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM) in the command display, provides information on transceiver parameters including temperature, supply voltage, laser bias current, laser power, received optical power, and related alarm thresholds.

transceiver-monitor
The setting for transceiver-monitor:

Console(config)#interface ethernet 1/X
Console(config-if)#transceiver-monitor

Use this command "transceiver-monitor" can monitor the current transceiver status, such as Temperature, TX power, RX power.
When any of the transceiver's operational values fall outside of specified thresholds, the switch will send the trap.

transceiver-threshold
The setting for transceiver-threshold:

Console(config)#interface ethernet 1/X
Console(config-if)#transceiver-threshold { current | rx-power | temperature | tx-power | voltage }

Use this command "transceiver-threshold" can set the default threshold from the transceiver to determine when an alarm or warning message should be sent.

Support Models: ECS4620 series, ECS4510 series, ECS4120 series, ECS4100 series, ECS2100 series, ECS2110 series

Topology:

Insert the transceiver --- (25)ECS4620-28T(1) --- SNMP server

The procedure to monitor the transceiver status :

Step 1: Configure the switch's IP address and enable the SNMP trap.

Console#con
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.1/24
Console(config-if)#exit
Console(config)#snmp-server host 192.168.1.100 inform private version 2c

Step 2: Check the transceiver's information currently.

At this time, the RX power is not within the range of the default threshold of the Low Alarm/Waring.

Step 3: Enable the transceiver-monitor.

Console#con
Console(config)#interface ethernet 1/25
Console(config-if)#transceiver-monitor

Step 4: The switch will send out the SNMP trap (SFPThresholdAlarmWarnTrap).

The procedure to change the transceiver-threshold :

 Step 1: Check the transceiver DDM Thresholds currently.

Step 2: Configure the threshold of the Temperature.

Console(config)#interface ethernet 1/25
Console(config-if)#no transceiver-threshold-auto 
Console(config-if)#transceiver-threshold temperature high-warning 7500 
Console(config-if)#transceiver-threshold temperature high-alarm 8500 

Step 3: Check the modification of the transceiver's information.

The management agent of Edgecore switches support SNMP (Simple Network Management Protocol).
This SNMP agent permits the switch to be managed from any system in the network using network management software.

Zabbix:

Zabbix is an open-source tool for monitoring the status of the server and device (switch, router...etc).

Available platforms:

OS: Ubuntu, CentOS, MAC

Necessary tool: Docker 

Install the Zabbix procedure:

Step 1: Make sure the Docker is installed on this device.

Step 2: Get the repository on the GitHub. (https://github.com/zabbix/zabbix-docker.git)

git clone https://github.com/zabbix/zabbix-docker.git

Step 3: Enter the folder of the zabbix-docker

cd zabbix-docker

Step 4: Install and start up the Zabbix service.

docker-compose -f docker-compose_v3_alpine_mysql_latest.yaml up -d

Step 5: Open the web browser. (http://Your Server IP Address)

Username: Admin

Password: zabbix

Create the template for Edgecore switch:

This example is monitoring the temperature of the ECS4120-28T.

Procedure:

Step 1: Create the template

Configuration -> Templates -> Create template

Step 2: Create the host

Configuration -> Hosts -> Create host

Step 3: Create an application on the host.

ECS4120-28T -> Application -> Create application

Step 4: Create an item on the host.

ECS4120-28T -> Item -> Create item

Step 5: On the home page, create a graph of temperature on the Dashboard.

Zabbix -> edit dashboard -> Add widget

Step 6: Now, you can monitor the temperature of the ECS4120 Series via the Zabbix.

SW1#configure
SW1(config)#interface ethernet 1/1
SW1(config-if)#switchport allowed vlan add 100,200,300 tagged
SW1(config-if)#exit
SW1(config)#interface ethernet 1/25
SW1(config-if)#switchport allowed vlan add 10,20,100,200,300 tagged
SW1(config-if)#spanning-tree spanning-disabled
SW1(config-if)#exit
SW1(config)#interface ethernet 1/26
SW1(config-if)#switchport allowed vlan add 10,20,100,200,300 tagged
SW1(config-if)#spanning-tree spanning-disabled
SW1(config-if)#exit
SW1(config)#erps
SW1(config)#erps vlan-group group1 add 10,100
SW1(config)#erps vlan-group group2 add 20,200
SW1(config)#erps ring Ring
SW1(config-erps-ring)#ring-port west interface ethernet 1/25
SW1(config-erps-ring)#ring-port east interface ethernet 1/26
SW1(config-erps-ring)#enable
SW1(config-erps-ring)#exit
SW1(config)#erps instance inst1 id 1
SW1(config-erps-inst)#control-vlan 10
SW1(config-erps-inst)#rpl owner
SW1(config-erps-inst)#physical-ring Ring
SW1(config-erps-inst)#inclusion-vlan group1
SW1(config-erps-inst)#enable
SW1(config-erps-inst)#exit
SW1(config)#erps instance inst2 id 2
SW1(config-erps-inst)#control-vlan 20
SW1(config-erps-inst)#physical-ring Ring
SW1(config-erps-inst)#inclusion-vlan group2
SW1(config-erps-inst)#enable
SW1(config-erps-inst)#end

SW2#configure
SW2(config)#interface ethernet 1/1
SW2(config-if)#switchport allowed vlan add 100,200,300 tagged
SW2(config-if)#exit
SW2(config)#interface ethernet 1/25
SW2(config-if)#switchport allowed vlan add 10,20,100,200,300 tagged
SW2(config-if)#spanning-tree spanning-disabled
SW2(config-if)#exit
SW2(config)#interface ethernet 1/26
SW2(config-if)#switchport allowed vlan add 10,20,100,200,300 tagged
SW2(config-if)#spanning-tree spanning-disabled
SW2(config-if)#exit
SW2(config)#erps
SW2(config)#erps vlan-group group1 add 10,100
SW2(config)#erps vlan-group group2 add 20,200
SW2(config)#erps ring Ring
SW2(config-erps-ring)#ring-port west interface ethernet 1/25
SW2(config-erps-ring)#ring-port east interface ethernet 1/26
SW2(config-erps-ring)#enable
SW2(config-erps-ring)#exit
SW2(config)#erps instance inst1 id 1
SW2(config-erps-inst)#control-vlan 10
SW2(config-erps-inst)#physical-ring Ring
SW2(config-erps-inst)#inclusion-vlan group1
SW2(config-erps-inst)#enable
SW2(config-erps-inst)#exit
SW2(config)#erps instance inst2 id 2
SW2(config-erps-inst)#control-vlan 20
SW2(config-erps-inst)#physical-ring Ring
SW2(config-erps-inst)#inclusion-vlan group2
SW2(config-erps-inst)#enable
SW2(config-erps-inst)#end

SW3#configure
SW3(config)#interface ethernet 1/1
SW3(config-if)#switchport allowed vlan add 100,200,300 tagged
SW3(config-if)#exit
SW3(config)#interface ethernet 1/25
SW3(config-if)#switchport allowed vlan add 10,20,100,200,300 tagged
SW3(config-if)#spanning-tree spanning-disabled
SW3(config-if)#exit
SW3(config)#interface ethernet 1/26
SW3(config-if)#switchport allowed vlan add 10,20,100,200,300 tagged
SW3(config-if)#spanning-tree spanning-disabled
SW3(config-if)#exit
SW3(config)#erps
SW3(config)#erps vlan-group group1 add 10,100
SW3(config)#erps vlan-group group2 add 20,200
SW3(config)#erps ring Ring
SW3(config-erps-ring)#ring-port west interface ethernet 1/25
SW3(config-erps-ring)#ring-port east interface ethernet 1/26
SW3(config-erps-ring)#enable
SW3(config-erps-ring)#exit
SW3(config)#erps instance inst1 id 1
SW3(config-erps-inst)#control-vlan 10
SW3(config-erps-inst)#physical-ring Ring
SW3(config-erps-inst)#inclusion-vlan group1
SW3(config-erps-inst)#enable
SW3(config-erps-inst)#exit
SW3(config)#erps instance inst2 id 2
SW3(config-erps-inst)#control-vlan 20
SW3(config-erps-inst)#rpl owner
SW3(config-erps-inst)#physical-ring Ring
SW3(config-erps-inst)#inclusion-vlan group2
SW3(config-erps-inst)#enable
SW3(config-erps-inst)#end

SW1(config)#erps vlan-group group3 add 300
SW1(config)#erps ring Ring
SW1(config-erps-ring)#no enable
SW1(config-erps-ring)#exclusion-vlan group3
SW1(config-erps-ring)#enable

SW2(config)#erps vlan-group group3 add 300
SW2(config)#erps ring Ring
SW2(config-erps-ring)#no enable
SW2(config-erps-ring)#exclusion-vlan group3
SW2(config-erps-ring)#enable

SW4(config)#erps vlan-group group3 add 300
SW4(config)#erps ring Ring
SW4(config-erps-ring)#no enable
SW4(config-erps-ring)#exclusion-vlan group3
SW4(config-erps-ring)#enable

Path Cost is used by the Spanning Tree Algorithm to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.

By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below.

*The path cost of the STP is not configured by pathcost method short or long.

User can configure the spanning tree path cost for the specified interface by following command.

[CLI Command]
spanning-tree cost {cost}
cost - The path cost for the port.
(Range: 0 for auto-configuration, 1-65535 for short path cost method, 1-200,000,000 for long path cost method)

Calculate the spanning tree path cost on a port-channel.

1. Active Eth1/1 for port channel.

Console#show interfaces brief
Interface Name              Status    PVID Pri Speed/Duplex  Type         Trunk
--------- ----------------- --------- ---- --- ------------- ------------ -----
Eth 1/ 1                    Up           1   0 Auto-1000full 1000BASE-T   1

The spanning tree path cost on Trunk 1 is 5000.

Console#show spanning-tree brief
Interface Pri Designated            Designated Oper     STP    Role State Oper
              Bridge ID             Port ID    Cost     Status            Edge
--------- --- --------------------- ---------- -------- ------ ---- ----- ----
Trunk 1   128 32768.8CEA1B8AC667    128.57         5000 EN     ROOT FWD   No

The spanning tree path cost for Trunk 1 is 10000 (1G) / 2 = 5000 (Trunk).
The spanning tree path cost on Trunk 1 is 5000 (Trunk) / 1 = 5000.

2. Active Eth1/1 & Eth1/2 for port channel.

Console#show interfaces brief
Interface Name              Status    PVID Pri Speed/Duplex  Type         Trunk
--------- ----------------- --------- ---- --- ------------- ------------ -----
Eth 1/ 1                    Up           1   0 Auto-1000full 1000BASE-T   1
Eth 1/ 2                    Up           1   0 Auto-1000full 1000BASE-T   1

The spanning tree path cost on Trunk 1 is 2500.

Console#show spanning-tree brief
Interface Pri Designated            Designated Oper     STP    Role State Oper
              Bridge ID             Port ID    Cost     Status            Edge
--------- --- --------------------- ---------- -------- ------ ---- ----- ----
Trunk 1   128 32768.8CEA1B8AC667    128.57         2500 EN     ROOT FWD   No

The spanning tree path cost on Trunk 1 is 5000 (Trunk) / 2 = 2500.

3. Active Eth1/1 & Eth1/2 & Eth1/3 for port channel.

Console#show interfaces brief
Interface Name              Status    PVID Pri Speed/Duplex  Type         Trunk
--------- ----------------- --------- ---- --- ------------- ------------ -----
Eth 1/ 1                    Up           1   0 Auto-1000full 1000BASE-T   1
Eth 1/ 2                    Up           1   0 Auto-1000full 1000BASE-T   1
Eth 1/ 3                    Up           1   0 Auto-1000full 1000BASE-T   1

The spanning tree path cost on Trunk 1 is 1666.

Console#show spanning-tree brief
Interface Pri Designated            Designated Oper     STP    Role State Oper
              Bridge ID             Port ID    Cost     Status            Edge
--------- --- --------------------- ---------- -------- ------ ---- ----- ----
Trunk 1   128 32768.8CEA1B8AC667    128.57         1666 EN     ROOT FWD   No

The spanning tree path cost on Trunk 1 is 5000 (Trunk) / 3 = 1666.

4. Active Eth1/1 & Eth1/2 & Eth1/3 & Eth1/4 for port channel.

Console#show interfaces brief
Interface Name              Status    PVID Pri Speed/Duplex  Type         Trunk
--------- ----------------- --------- ---- --- ------------- ------------ -----
Eth 1/ 1                    Up           1   0 Auto-1000full 1000BASE-T   1
Eth 1/ 2                    Up           1   0 Auto-1000full 1000BASE-T   1
Eth 1/ 3                    Up           1   0 Auto-1000full 1000BASE-T   1
Eth 1/ 4                    Up           1   0 Auto-1000full 1000BASE-T   1

The spanning tree path cost on Trunk 1 is 1250.

Console#show spanning-tree brief
Interface Pri Designated            Designated Oper     STP    Role State Oper
              Bridge ID             Port ID    Cost     Status            Edge
--------- --- --------------------- ---------- -------- ------ ---- ----- ----
Trunk 1   128 32768.8CEA1B8AC667    128.57         1250 EN     ROOT FWD   No

The spanning tree path cost on Trunk 1 is 5000 (Trunk) / 4 = 1250.

• Enable IPv6 source guard or IPv6 prefix guard on port interface configuration and set maximum binding number.

ipv6 source-guard { sip | sdp | max-binding }

Console#con
Console(config)#interface ethernet 1/1
Console(config-if)#ipv6 source-guard sdp
Console(config-if)#ipv6 source-guard max-binding 3
Console(config-if)#end
Console#show ipv6 source-guard
Interface   Filter-type   Max-binding
---------   -----------   -----------
Eth 1/1     SDP                     3
Eth 1/2     DISABLED                5
Eth 1/3     DISABLED                5

• Add static IPv6 source guard or IPv6 prefix guard binding entry on global configuration mode.

ipv6 source-guard binding Mac-Address vlan VLAN_ID { IPv6-Address | IPv6-Prefix } interface ethernet Unit/Port

Console#con
Console(config)#ipv6 source-guard binding 90-E6-BA-63-96-CD vlan 1 2001:b000:2::/64 interface ethernet 1/21
Console(config)#end
Console#show ipv6 source-guard binding
DHCPV6SNP:
 DHCP - Stateful address
NDSNP:
 ND - Stateless address
STA - Static IPv6 source guard binding

MAC Address    IPv6 Address/IPv6 Prefix                VLAN Interface Type
-------------- --------------------------------------- ---- --------- ----
90E6-BA63-96CD                        2001:b000:2::/64    1  Eth 1/21  STA

• Enable IPv6 source guard or IPv6 prefix guard on port interface configuration and set maximum binding number.

• Add static ipv6 source guard or ipv6 prefix guard binding entry on the switch.

• Enable IPv6 source guard or IPv6 prefix guard on port interface configuration and set maximum binding number.

C:\>snmpwalk -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.1.1.2.24
SNMPv2-SMI::enterprises.259.10.1.45.1.74.1.1.2.24 = INTEGER: 1

C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.1.1.2.24 i 3
SNMPv2-SMI::enterprises.259.10.1.45.1.74.1.1.2.24 = INTEGER: 3

C:\>snmpwalk -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.1.1.2.24
SNMPv2-SMI::enterprises.259.10.1.45.1.74.1.1.2.24 = INTEGER: 3

C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.1.1.3.24 i 3
SNMPv2-SMI::enterprises.259.10.1.45.1.74.1.1.3.24 = INTEGER: 3

Console#show ipv6 source-guard
Interface   Filter-type   Max-binding
---------   -----------   -----------
Eth 1/23    DISABLED                5
Eth 1/24    SDP                     3
Eth 1/25    DISABLED                5

• Add a static IPv6 source guard or IPv6 prefix guard binding entry on the switch.

Console#show ipv6 source-guard binding
DHCPV6SNP:
 DHCP - Stateful address
NDSNP:
 ND - Stateless address
STA - Static IPv6 source guard binding

MAC Address    IPv6 Address/IPv6 Prefix                VLAN Interface Type
-------------- --------------------------------------- ---- --------- ----
382C-4A77-DD37                      2001:db8:2222::/64    1  Eth 1/24 DHCP

C:\>snmpwalk -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.2.1
SNMPv2-SMI::enterprises.259.10.1.45.1.74.2.1.4.2.56.44.74.119.221.55.32.1.13.184.34.34.0.0.0.0.0.0.0.0.0.0.64.2 = Gauge32: 1  -> VLAN=1
SNMPv2-SMI::enterprises.259.10.1.45.1.74.2.1.5.2.56.44.74.119.221.55.32.1.13.184.34.34.0.0.0.0.0.0.0.0.0.0.64.2 = INTEGER: 24  -> Port=Eth1/24
SNMPv2-SMI::enterprises.259.10.1.45.1.74.2.1.6.2.56.44.74.119.221.55.32.1.13.184.34.34.0.0.0.0.0.0.0.0.0.0.64.2 = INTEGER: 1  -> Status=Active(1)

C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.2.1.6.1.144.230.186.99.150.205.32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0.64.2 i 5
SNMPv2-SMI::enterprises.259.10.1.45.1.74.2.1.6.1.144.230.186.99.150.205.32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0.64.2 = INTEGER: 5

C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.2.1.4.1.144.230.186.99.150.205.32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0.64.2 u 1
SNMPv2-SMI::enterprises.259.10.1.45.1.74.2.1.4.1.144.230.186.99.150.205.32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0.64.2 = Gauge32: 1

C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.2.1.5.1.144.230.186.99.150.205.32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0.64.2 i 21
SNMPv2-SMI::enterprises.259.10.1.45.1.74.2.1.5.1.144.230.186.99.150.205.32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0.64.2 = INTEGER: 21

C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.2.1.6.1.144.230.186.99.150.205.32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0.64.2 i 1
SNMPv2-SMI::enterprises.259.10.1.45.1.74.2.1.6.1.144.230.186.99.150.205.32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0.64.2 = INTEGER: 1

If the DHCPv6 server and the DHCPv6 client are connected in different VLANs/subnets, user could configure DHCPv6 relay functions for host devices attached to the switch to communicate with DHCPv6 server.

The DHCPv6 Relay Agent uses Relay Forward/Reply messages to relay the messages between Servers and Clients.

Topology:

Configuration for DHCPv6 relay:

!                                                                    
interface ethernet 1/1
 
!
interface ethernet 1/2
 switchport allowed vlan add 2 untagged
 switchport mode access
 switchport native vlan 2
 switchport allowed vlan remove 1
 
!
interface vlan 2
 ipv6 dhcp relay destination 2001:db8:0:1::128
!
interface vlan 1                                                     
 ipv6 address 2001:db8:0:1::129/64
!
interface vlan 2
 ipv6 address 2002:db8:0:1::129/64
!

DHCPv6 relay packet forwarding procedures:

Capture the packets on the port 2. (DHCPv6 Client)​

Capture the packets on the port 1. (DHCPv6 Server)

In this example, the client will get the IPv6 address in the range of 2002:db8:0:1::129 ~ 2002:db8:0:1::254 from the DHCP server.

Overview

The Two-Way Active Measurement Protocol (TWAMP) is an open protocol for measuring network performance between any two devices supporting the TWAMP protocol.

TWAMP uses the methodology and architecture of OWAMP to define an open protocol for measurement of two-way or round-trip metrics, in addition to the one-way metrics of OWAMP.

TWAMP consists of the following two protocols as L3 layer monitor. When starting the performance measurement session (TWAMP-Control), use the TWAMP control protocol. It is layered over TCP and is used to initiate and set up test sessions. The TWAMP test protocol is layered over UDP and is used for sending and receiving the test packets for performance measurement (TWAMP-Test).

Operational Concept

TWAMP consists of a network architecture in which a combination of Control-Client and Session-Sender is a set of hosts; meanwhile, Server and Session-Reflector are configured on the other host. Our switch supports the function of Server and Session-Reflector (RFC5357).

Establishment of Control Connection

Establishment of Test Session

Configuration (Support CLI command only currently)

TWAMP Reflector is disabled by default.

Enable TWAMP Reflector function.

Display current status and timer.

TWAMP Reflector REFWAIT timer:

Close the session that has been started when no packet associated with that session has been received for REFWAIT seconds.(Default: 900 seconds; configurable range is from 30 - 3600 seconds)

[Result]

1) TWAMP clients use IPv4 address to establish session and send test packets.

Display current status and session.

There is no packet loss via IPv4 address.

2) The maximum number of test sessions is 5.

TWAMP works correctly when the server and clients are in the same IPv4 network segments.

3) TWAMP works correctly when the server and clients are in the different IPv4 network segments.

4) TWAMP works correctly when the server and clients are in the same IPv6 network segments.

5) TWAMP works correctly when the server and clients are in the different IPv6 network segments.

Support models and software version:

ECS4120 series v1.2.2.18 and above.

ECS4100 series v1.2.36.191 and above.

The following is the example for ECS4120 series.

C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.16.1.2.1.6.1 i 1
SNMPv2-SMI::enterprises.259.10.1.45.1.16.1.2.1.6.1 = INTEGER: 1

C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.16.1.2.1.10.1 i 100000
SNMPv2-SMI::enterprises.259.10.1.45.1.16.1.2.1.10.1 = INTEGER: 100000

C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.16.1.2.1.7.2 i 1
SNMPv2-SMI::enterprises.259.10.1.45.1.16.1.2.1.7.2 = INTEGER: 1

C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.16.1.2.1.11.2 i 10000
SNMPv2-SMI::enterprises.259.10.1.45.1.16.1.2.1.11.2 = INTEGER: 10000

Console#show running-config interface ethernet 1/1
interface ethernet 1/1
 rate-limit input 100000
!

Console#show interfaces switchport ethernet 1/1
Information of Eth 1/1
 Broadcast Threshold : Disabled
 Multicast Threshold : Disabled
 Unknown Unicast Threshold : Disabled
 LACP Status : Disabled
 Ingress Rate Limit : Enabled, 100000 kbits/second
 Egress Rate Limit : Disabled, 1000000 kbits/second
 VLAN Membership Mode : Hybrid
 Ingress Rule : Disabled
 Acceptable Frame Type : All frames
 Native VLAN : 1
 Priority for Untagged Traffic : 0
 GVRP Status : Disabled
 Allowed VLAN : 1(u)
 Forbidden VLAN :
 802.1Q Tunnel Status : Disabled
 802.1Q Tunnel Mode : Normal
 802.1Q Tunnel TPID : 8100 (Hex)
 Layer 2 Protocol Tunnel : None
 Broadcast Block : Disabled
 Unknown Multicast Block : Disabled
 Unknown Unicast Block : Disabled

Console#show running-config interface ethernet 1/2
interface ethernet 1/2
 rate-limit output 10000
!

Console#show interfaces switchport ethernet 1/2
Information of Eth 1/2
 Broadcast Threshold : Disabled
 Multicast Threshold : Disabled
 Unknown Unicast Threshold : Disabled
 LACP Status : Disabled
 Ingress Rate Limit : Disabled, 1000000 kbits/second
 Egress Rate Limit : Enabled, 10000 kbits/second
 VLAN Membership Mode : Hybrid
 Ingress Rule : Disabled
 Acceptable Frame Type : All frames
 Native VLAN : 1
 Priority for Untagged Traffic : 0
 GVRP Status : Disabled
 Allowed VLAN : 1(u)
 Forbidden VLAN :
 802.1Q Tunnel Status : Disabled
 802.1Q Tunnel Mode : Normal
 802.1Q Tunnel TPID : 8100 (Hex)
 Layer 2 Protocol Tunnel : None
 Broadcast Block : Disabled
 Unknown Multicast Block : Disabled
 Unknown Unicast Block : Disabled

1. To prevent loop

As shown in the figure above, there are 3 traffic paths from VLC server to PC2:
Path 1(red): from SW1 port 26 to SW4 port 26;
Path 2(blue): from SW1 port 27 to SW4 port 28;
Path 3(green): from SW1 port 28 to SW2 port 27, from SW2 port 28 to SW3 port 27, from SW3 port 28 to SW4 port 27 then to SW4 port 1.

Therefore, there are two loops in the topology:

As shown in the figures above, when the switch receives a broadcast, multicast or unknown unicast packet from VCL Server, packet will flood to port 26(packet 2 yellow) and 27 (packet 2 green). When SW4 receives the packet from port 26, the packet will flood to port 1 (packet 3 yellow) and port 28 (packet 3 yellow). When SW4 receives the packet from port 28, the packet will flood to port 1(packet 3 green) and port 26 (packet 3 green). In this way, packets will occupy every port that connected to switch and it results in a failure to serving normal packets and sometimes a waste of CPU utilization.

Spanning Tree Protocol is a mechanism that automatically detects loops in the network and blocks the redundant paths to keep only one path for two nodes in the network. Rapid Spanning Tree Protocol (RSTP) is an enhancement of STP and provides faster spanning tree convergence. RSTP uses path cost, bridge ID and port priority/port ID of BPDU to prioritize the paths and then to establish a spanning tree.

2. To Provide Redundant path

Sometimes users create a loop intentionally in order to build up a redundant path in case the path is failed to link. Traffic dynamically switches to the redundant path and maintain network operation when the default path is failed to link.

When the link between SW1 port 26 and SW4 port 26 is down, SW1 port 27 which is in blocking state (Alternate Role) automatically forwards. Therefore, traffic from VLC server switches to the link between SW1 port 27 and SW4 port 28.

Use command "show log ram" to see the change log.

SW_1#sh log ram
[3] 08:59:45 2011-12-08
   'STA topology change happened on Eth 1/27.'
   level : 6, module : 5, function : 1, and event no. : 1
[2] 08:59:45 2011-12-08
   'STP port state: MSTID 0, Eth 1/27 becomes forwarding.'
   level : 6, module : 5, function : 1, and event no. : 1
[1] 08:59:45 2011-12-08
   'STP port state: MSTID 0, Eth 1/26 becomes non-forwarding.'
   level : 6, module : 5, function : 1, and event no. : 1
[0] 08:59:45 2011-12-08
   'Unit 1, Port 26 link-down notification.'
   level : 6, module : 5, function : 1, and event no. : 1

SW_4-0#sh log ram
[2] 08:28:56 2011-12-08
   'STA topology change happened on Eth 1/27.'
   level : 6, module : 5, function : 1, and event no. : 1
[1] 08:28:54 2011-12-08
   'STP port state: MSTID 0, Eth 1/26 becomes non-forwarding.'
   level : 6, module : 5, function : 1, and event no. : 1
[0] 08:28:54 2011-12-08
   'Unit 1, Port 26 link-down notification.'
   level : 6, module : 5, function : 1, and event no. : 1

SW_2-0#sh log ram
[1] 09:00:39 2011-12-08
   'User(admin/Telnet) (192.168.1.1), login successful.'
   level : 6, module : 5, function : 1, and event no. : 1
[0] 08:58:43 2011-12-08
   '192.168.1.1 VTY user admin, logout from PRIV. EXEC mode.'
   level : 6, module : 1, function : 0, and event no. : 1

SW_3-0#sh log ram
[2] 08:28:51 2011-12-08
   'User(admin/Telnet) (192.168.1.1), login successful.'
   level : 6, module : 5, function : 1, and event no. : 1
[1] 08:27:48 2011-12-08
   'STA topology change happened on Eth 1/27.'
   level : 6, module : 5, function : 1, and event no. : 1
[0] 08:27:12 2011-12-08
   '192.168.1.1 VTY user admin, logout from PRIV. EXEC mode.'
   level : 6, module : 1, function : 0, and event no. : 1

A switch is configured as root if it has the smallest priority ID. Therefore, by changing the priority ID to the smallest ID, users could configure any switch as root. For example, use the following commands to change the priority of SW1 to 4096:

SW_1(config)#spanning-tree priority?
  <0-61440>  Spanning-tree priority value in steps of 4096

Please note that the priority ID value can only be changed in steps of 4096, from 0 to 61440.

SW_1(config)# spanning-tree priority 4096

After changing priority ID of SW1 to 4096, SW1 is configured as the Root and the blocking port is changed to SW4 port 28 and SW3 port 27.

1. Topology:

2. Switch configure:

1. Reset switch to default.

? y

 

2. Set line console/vty password

Console#config
Console(config)#line console
Console(config-line-console)#password 0 support
Console(config-line-console)#login
Console(config-line-console)#exit
Console(config)#line vty
Console(config-line-vty)#password 0 support
Console(config-line-vty)#login
Console(config-line-vty)#


 

3. Verify

Now the user login via console or vty only needs to enter the password.
 
 
When the user logs in with the password set for console/vty, the user’s privilege level is 0. The user needs to use the command “enable” to get privilege level -15.
Default enable password is “super”.
 

 

1. BGP_NEIGHBOR_CHANGE_MESSAGE   "BGP: %s"
2. BGP_ESTABLISHED_NOTIFICATION_MESSAGE   "BGP established, ip: %s, last err: 0x%04x, state: %s"
3. BGP_BACKWARD_TRANS_NOTIFICATION_MESSAGE   "BGP backward trans, ip: %s, last err: 0x%04x, state: %s"

1. Ping from 192.168.1.101 to 192.168.1.102 will fail. (downlink port to downlink port)
2. Ping from 192.168.1.101 to 192.168.1.112 will pass. (downlink port to uplink port)

1. Ping from 192.168.1.101 to 192.168.1.102 will fail.
2. Ping from 192.168.1.101 to 192.168.1.112 will pass.

1. Ping from 192.168.1.101 to 192.168.1.102 will pass.
2. Ping from 192.168.1.101 to 192.168.1.112 will pass too.

1. Major Ring

2. Sub Ring

• Need to assign major domain by “major-domain” command.
• Assign only one ring-port.

1. Add the VID (VLAN ID) to the port interface. In this example, the traffic will tag VLAN 2.
   
   Console#configure
   Console(config)#interface ethernet 1/1
   Console(config-if)#switchport allowed vlan add 2 tagged
   Console(config-if)#exi
   Console(config)#interface ethernet 1/47
   Console(config-if)#switchport allowed vlan add 2 tagged

2. Create a class map to classify the specified traffic. In this example, it will match to the traffic of CoS 0.
   
   Console(config)#class-map CoS
   Console(config-cmap)#match cos 0
   
   Console#show class-map
   Class Map match-any CoS
   Description:
    Match CoS 0

3. Create a policy map and use the class command to configure policies for traffic which match the criteria defined in a class map. In this example, the value of CoS will be modified to “7” if the traffic match to the class map.
   
   Console(config)#policy-map CoS-test
   Console(config-pmap)#class CoS
   Console(config-pmap-c)#set cos 7
   
   Console#show policy-map
   Policy Map CoS-test
   Description:
    class CoS
     set CoS 7

4. Apply the policy map to the ingress or egress side of a particular interface. In this example, the policy map will be applied to ingress of port 1.
   
   Console#configure
   Console(config)#interface ethernet 1/1
   Console(config-if)#service-policy ?
     input   Input direction
     output  Output  direction
   Console(config-if)#service-policy input CoS-test
   
   Console#show running-config interface ethernet 1/1
   interface ethernet 1/1
    switchport allowed vlan add 2 tagged
    service-policy input CoS-test
   
   !

1. Exec mode: configure
2. Configure mode: interface ethernet 1/1
3. Configure mode: interface vlan 1
4. Interface-eth mode: shutdown
5. Interface-vlan mode: ip address

1. Setup FreeRadius Server
2. Configure client
3. Configure switch
4. Verify

1. Setup FreeRadius Server

0. Install freeradius server to Ubuntu((Ubuntu 14.04) as follow command:
   FreeRadius ~ # apt-get install freeradius -y
1. Configure “users” and “clients.conf” file

• Username “tsCommonName”.  It must be as same as commonName in the client.cnf (refer to step 3)
• “Tunnel-Private-Group-ID” parameter is for dynamically adding VLAN

2. Download the FreeRadius source code from https://freeradius.org/

3. Modify ca files: server.cnf / client.cnf 
   server.cnf: modify output_password (path: /etc/freeradius/certs/server.cnf)
   

• commonName need same as “Username” in users file

4. Launch bootstrap script (path: /etc/freeradius/certs/bootstrap )
   FreeRadius certs # ./bootstrap
5. Copy “ca.pem”, “client.key” and “ts@example.org.pem” (which is as same as “emailAddress” parameter) to Client.

6. Modify eap.conf file (path: /etc/freeradius/eap.conf)

1. Change default_eap_type to tls

2. Remove(delete or comment) the make_cert_command

3. Change “private_key_password” value as same as server.cnf’s output_password.

7. After all Server side configuration is finished, restart the FreeRadius server.

1. FreeRadius freeradius # Service freeradius start => start server normally or
2. FreeRadius freeradius # Freeradius -X => start server with debug mode.

2. Configure client

1. Get the three files at configure server, please refer to “Setup FreeRadius Server” step 5

3. Configure Client’s network configure

3. Configure switch

1. Switch IP:
   Console#configure
   Console(config)#interface vlan 1
   Console(config-if)#ip address 192.168.2.46/20

2. Switch Vlan:
   Console(config)#vlan database
   Console(config-vlan)#vlan 3

4. Verify

1. Prepare two types of ARP packets.
   A. The sender MAC address of ARP header is different from source MAC address of Ethernet header.
   
   B. The sender MAC address of ARP header is the same as source MAC address of Ethernet header.
2. Configure MAC ACL to permit the source MAC address of ARP packet and deny other packets.
   Console(config)#access-list mac test
   Console(config-mac-acl)#permit host 0C-C4-7A-06-FB-11 any
   Console(config-mac-acl)#deny any any
    
3. Apply this MAC ACL to ingress of port 1.
   Console(config)#interface ethernet 1/1
   Console(config-if)#mac access-group test in
    
4. Inject these two ARP packets to the port 1. Thus, the switch forwards B-ARP packet but filter A-ARP packet by MAC ACL. 

1. Topology

2. VRRP Master(ECS4620_Master) configuration:

• Basic configuration (detail configuration please refer to Appendix)

1. Create VLAN 11-13
2. Configure VLAN IP address
3. Set each port allow VLAN

4. Disable Spanning-tree on downlink port(#1, #2)
5. Set default route to VLAN 13

• VRRP configuration(virtual IP addresses for VLAN 11 and VLAN 12)

3. VRRP Backup(ECS4620_Back_up) configuration

• Basic configuration (detail configuration please refer to Appendix)

1. Create VLAN 11-13
2. Configure VLAN IP address
3. Set each ports’ allow VLAN

4. Disable Spanning-tree at downlink port(#1, #2)
5. Set default route to VLAN 13

• VRRP configuration(virtual IP addresses for VLAN 11 and VLAN 12)

4. Check VRRP status on VRRP Master and Backup

1. Show VRRP [ID]

2. Show VRRP brief

5. Server/Client configure

Server Side	Client Side

• Basic configure

• Basic configure

1. Create VLAN 11-13

5. Set default route to vlan 13

1. Port 1 enable sticky MAC, and connect a PC on it. The PC's MAC address was learned on port 1.

2. Disconnect the PC’s link which connect to the hub, and move to port 2. Then the PC will fail to access the network through the port2 due to the MAC address was already learned on port1.

1. LACP enable port
2. Spanning Tree enabled port

1.PPPoE IA - Circuit ID and Remote ID

2.DHCP Relay Agent Information Option

ECS2100 series firmware version v1.2.2.12 and above has a new software enhancement which support Layer 2 / Layer 3 DHCP Relay function. And the user may choose to use the L2 or L3 DHCP Relay by following commands (Default is L3). 

The setting for Layer 2 DHCP Relay
 

Console(config)#ip dhcp l2 relay

The setting for Layer 3 DHCP Relay
 

Console(config)#ip dhcp l3 relay

When the client and DHCP server are in the same VLAN and subnet, the client may obtain the IP address from DHCP server directly. However, in practical network, clients might be in the different subnet and VLAN, then DHCP Relay function can help to get the IP address from DHCP server which is in the different subnet.

- L2 DHCP Relay

The L2 DHCP Relay function can be used to add the suboption information (DHCP Option 82.) and the DHCP server may refer it to assigns the corresponding IP address.

Topology:

Configuration on ECS2100-28T:

1) Configure the port 2 to VLAN 2.
 

Console(config)#interface ethernet 1/2
Console(config-if)#switchport native vlan 2
Console(config-if)#switchport mode access

2) Set IP address on VLAN interface.
 

Console(config)#int vlan 1
Console(config-if)#ip address 192.168.1.1/24
Console(config-if)#exit

3) Enable the L2 DHCP relay and configure the IP address of DHCP server.
 

Console(config)#ip dhcp l2 relay
Console(config)#ip dhcp relay information option
Console(config)#ip dhcp relay server 192.168.1.254

L2 DHCP Relay packet forwarding procedures:

In this example, the client will get the IP address in the range of 192.168.2.240~192.168.250 from the DHCP server. 

==================================================================

- L3 DHCP Relay

The L3 DHCP Relay function will convent the DHCP broadcast packet into the unicast packet and add the DHCP Relay agent IP address. Then DHCP server can refer to the Relay agent IP address to assigns the corresponding IP address.

Topology:

Configuration on ECS2100-28T:

1) Configure the port 2 to VLAN 2 and port 3 to VLAN 3.
 

Console(config)#interface ethernet 1/2
Console(config-if)#switchport native vlan 2
Console(config-if)#switchport mode access
Console(config-if)#exit
Console(config)#interface ethernet 1/3
Console(config-if)#switchport native vlan 3
Console(config-if)#switchport mode access
Console(config-if)#exit

2) Set IP address on VLAN interface.
 

Console(config)#int vlan 1
Console(config-if)#ip address 192.168.1.1/24
Console(config-if)#exit
Console(config)#int vlan 2
Console(config-if)#ip address 192.168.2.1/24
Console(config-if)#exit
Console(config)#int vlan 3
Console(config-if)#ip address 192.168.3.1/24
Console(config-if)#exit

3) Enable the L3 DHCP relay and configure DHCP relay server on VLAN interface.
 

Console(config)#ip dhcp l3 relay
Console(config)#int vlan 2
Console(config-if)#ip dhcp relay server 192.168.1.254
Console(config-if)#exit
Console(config)#int vlan 3
Console(config-if)#ip dhcp relay server 192.168.1.254
Console(config-if)#exit

L3 DHCP Relay packet forwarding procedures:

Example of client B.

In this example, 
Client A can get the IP address in the range of 192.168.2.240-250 the DHCP server.
Client B can get the IP address in the range of 192.168.3.240-250 the DHCP server.

How to upgrade ECS4120 loader version to extend the ECC (Error Correcting code) support?

The ECS4120 Loader version 0.0.3.1 support ECC (Error Correcting code).

Environment and Preparation:

1. The ECS4120 switch MUST with the loader version 0.0.2.6 or 0.0.3.0. Check it by the command "show version". (If your version is not 0.0.2.6 or 0.0.3.0, please DO NOT run the script.)
2. Windows PC(Win7, Win8 or Win10) with one Serial COM port
3. Script - ECS4120_uboot_upgrade_v2.0.0.zip

Configuration: Modify config.ini

• [serial] section: Serial COM port

Caution: DO NOT modify [product] section's "type" parameter in the config.ini

Example:

How to check Serial COM port on the PC?

In Device Manager (Start -> Run -> devmgmt.msc)

Caution:

Before running the script, please turn OFF all the terminals on the PC and power OFF the Switch.

Upgrade loader:

Step 1: Run the script “uboot_upgarde.exe”.

Double click “uboot_upgrade.exe” to run the script.

Step 2: Power ON the switch

The script will execute automatically.

After upgrading, uboot_upgrade.exe will close by itself.

Caution:

When running the script, please DO NOT remove the console cable and unplug the power cord.

If it failed to upgrade, please send your request and log file to support@edge-core.com.

Supported models: ECS4120 series (V1.2.2.13)

SNMPSET command format.

snmpset -v 2c -c private {switch IP Address} {inetCidrRouteStatus}.{IPv4 or IPv6}.{Destination network segment}.{mask}.{IPv4 or IPv6}.{Next hop} {integer} {value}

{inetCidrRouteStatus}

• OID: 1.3.6.1.2.1.4.24.7.1.17

{IPv4 or IPv6} 

• IPv4 OID: 1.4    -->  1 = IPv4 , 4 = IPv4 address is 4 byte.
• IPv6 OID: 2.16  -->  2 = IPv6 , 16 = IPv6 address is 16 byte. (Please indicate in decimal. e.g. 2002::1 = 32.2.0.0.0.0.0.0.0.0.0.0.0.0.0.1)

{value}

• 4 = Active 
• 6 = Destroy

Configure IPv4 static route via SNMP.

• Adding a IPv4 static route as follow: 

  ip route 192.168.87.0 255.255.255.0 192.168.2.11

• NET-SNMP command: 

  snmpset -v 2c -c private 192.168.2.10 1.3.6.1.2.1.4.24.7.1.17.1.4.192.168.87.0.24.1.4.192.168.2.11 i 4

The basic DHCPSNP topology and configuration on the switch as below.

Original Behavior: (Not support “vlan-flooding” command or “vlan-flooding” enabled.)

When the switch enabled DHCPSNP function globally, the client will request the IP address by sending out the DHCP packets (Discover/Request) to untrust port.

This DHCP packet belongs to the vlan which includes in DHCPSNP enable vlan list, the switch will forward it to trust port only which is also the vlan member.

If this DHCP packet belongs to the vlan which doesn’t include in DHCPSNP enable vlan list, the switch will forward/flood it to ALL other ports which are also the vlan member.

Disabled DHCPSNP vlan-flooding Behavior: (vlan-flooding is enabled on switch by default.)

The mechanism is the same when the DHCP packet belongs to the vlan which includes in DHCPSNP enable vlan list.

However, if this DHCP packet belongs to the vlan which doesn’t include in DHCPSNP enable vlan list, the switch will NOT forward/flood it to any other port which is also the vlan member.

The user could easily configure how the DHCP packets forward on switch ports.

[Result]
When the DHCP packets - Discover/Request from the clients is received.
​

Configuration via CLI/WEB/SNMP.

CLI command

Default is vlan-flooding enabled.

Console#con

Console(config)#interface ethernet 1/1

Console(config-if)#ip dhcp snooping vlan-flooding             ---> Enabled

or

Console(config-if)#no ip dhcp snooping vlan-flooding          ---> Disabled

WEB

Security > DHCP Snooping > Step: 3. Configure Interface > Enabled/Disabled Vlan Flooding

SNMP

[SNMPSET command format]

snmpset -v 2c -c private {switch ip} {dhcpSnoopPortVlanFlooding}.{dhcpSnoopPortIfIndex} {integer} {value}

For dhcpSnoopPortVlanFlooding, OID 1.3.6.1.4.1.259.10.1.45.1.46.3.1.1.7

 Set OID 1.3.6.1.4.1.259.10.1.45.1.46.3.1.1.7 to enabled(1) vlan flooding.

 Set OID 1.3.6.1.4.1.259.10.1.45.1.46.3.1.1.7 to disabled(2) vlan flooding.

For dhcpSnoopPortIfIndex: The port interface of dhcpSnoopPortIfIndex

 The ifIndex value of the port or trunk.

Enabled vlan flooding.

Disabled vlan flooding.

Support models and software version:

ECS4120 series v1.2.2.23 and above

Topology

A. Configuration

B. Check ERPS status

ERPS status on S1 (RPL Owner)

ERPS status on S3

ERPS status on S5

C. Disconnect the link between Agg2 and S5.

With ERPS recovery procedure, the RPL owner node detects a failed link when it receives R-APS (SF - signal fault) messages from nodes adjacent to the failed link. The RPL owner then enters protection state by unblocking the West port. However, using this standard recovery procedure may cause a non-EPRS device to become isolated when the ERPS device adjacent to it detects a continuity check message (CCM) loss event and blocks the link between the non-ERPS device and ERPS device.

ERPS domain status on S1

ERPS domain status on S5