
The debug command displays debugging information for some functions in Privileged Exec mode.
The messages include function events, transmitted/received packets, etc.
This makes it convenient for administrators to troubleshoot problems on the switch.

Users can also dump the debug messages and contact Edgecore support (support@edge-core.com), sending a detailed description of the problem along with the file used to record the system settings (show tech-support command).
 
Command Mode: Exec mode
(1) Debug mode of the ARP:
When the ARP debug command is enabled, the switch prints ARP processing information when it receives ARP packets.
Console#debug arp
For example:
mceclip0.png
 
(2) Debug mode of the DHCP:
When the DHCP debug command is enabled, the switch prints DHCP processing information when it requests an IP address from the DHCP server.
Console#debug dhcp all
Topology:
mceclip1.png
For example:
The switch sends the DHCP DISCOVER packet.
mceclip2.png
 
The switch receives the DHCP OFFER packet from the DHCP server.
dhcp_msg_type=2 means DHCP offer packet.
mceclip3.png
 
The switch sends the DHCP REQUEST packet.
mceclip4.png
 
The switch receives the DHCP ACK packet from the DHCP server.
dhcp_msg_type=5 means DHCP ack packet.
mceclip5.png
 
(3) Debug mode of the IGMPSNP and MVR:
When the IGMPSNP/MVR debug command is enabled, the switch prints IGMP processing information when it receives IGMP control packets.
Console#debug igmpsnp-mvr all
Topology:
mceclip6.png
For example:
The switch receives the IGMP REPORT packet from the client.
mceclip7.png
 
The switch receives the IGMP LEAVE packet from the client.
mceclip8.png
 
The switch receives the IGMP QUERY packet from another device (ECS4120_2).
mceclip9.png
 
(4) Debug mode of the DHCPSNP:
When the DHCPSNP debug command is enabled, the switch prints DHCP processing information when it receives DHCP packets exchanged between the server and the client.
Console# debug ip dhcp snooping all
Topology:
mceclip10.png
For example:
The switch receives the DHCP DISCOVER packet from the client.
dhcp_msg_type=1 means DHCP discover packet.
mceclip11.png
 
The switch receives the DHCP OFFER packet from the DHCP server.
dhcp_msg_type=2 means DHCP offer packet.
mceclip12.png
 
The switch receives the DHCP REQUEST packet from the client.
dhcp_msg_type=3 means DHCP request packet.
mceclip13.png
 
(5) Debug mode of the LACP:
When the LACP debug command is enabled, the switch displays the trunk ID to which each port member belongs.
Topology:
mceclip14.png
 
For example:
Console#debug lacp config
The switch displays whether the LACP function is enabled or disabled during configuration.
mceclip15.png
 
Console#debug lacp event
If the LACP trunk is active, the switch displays which trunk ID each port member belongs to.
mceclip16.png
 
Console#debug lacp packet
The switch will display the information when it receives/transmits the LACP packets.
mceclip18.png
 
(6) Debug mode of the MLDSNP:
When the MLDSNP debug command is enabled, the switch prints MLD processing information when it receives MLD packets (ICMPv6).
Console#debug mldsnp all
For example:
The switch receives the MLD message packet from the client.
mceclip19.png
 
The switch sends out the specific query from the port which receives the leave message.
mceclip20.png
 
The switch sends out the IPv6 General Query.
mceclip21.png
 
The switch receives the IPv6 General Query from another device.
mceclip22.png
 
(7) Debug mode of the MVR6:
When the MVR6 debug command is enabled, the switch prints MVR6 processing information when it receives ICMPv6 packets.
Console#debug mvr6 all
For example:
The switch receives the MVR6 join message from the client.
mceclip23.png
 
The switch receives the MVR6 leave message from the client.
mceclip24.png
 
The switch sends out the IPv6 General Query.
mceclip25.png
 
(8) Debug mode of the STP:
When the STP debug command is enabled, the switch prints STP processing information while it is running the STP protocol.
Console#debug spanning-tree all
Topology:
mceclip26.png
For example:
The switch port 1 (Root port) receives the BPDU packet from the Root Bridge.
mceclip27.png
 
If the status of switch port 1 (Root port) changes to blocking, port 2 (Alternate port) changes to forwarding (Root port) and receives the BPDU packet from the Root Bridge.
mceclip28.png

The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers. This information allows administrators to remotely diagnose problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM) in the command display, provides information on transceiver parameters including temperature, supply voltage, laser bias current, laser power, received optical power, and related alarm thresholds.

transceiver-monitor
The setting for transceiver-monitor:

Console(config)#interface ethernet 1/X
Console(config-if)#transceiver-monitor

The "transceiver-monitor" command monitors the current transceiver status, such as temperature, TX power and RX power.
When any of the transceiver's operational values falls outside the specified thresholds, the switch sends a trap.

transceiver-threshold
The setting for transceiver-threshold:

Console(config)#interface ethernet 1/X
Console(config-if)#transceiver-threshold { current | rx-power | temperature | tx-power | voltage }

Use the "transceiver-threshold" command to set the thresholds for the transceiver that determine when an alarm or warning message should be sent.


Support Models: ECS4620 series, ECS4510 series, ECS4120 series, ECS4100 series, ECS2100 series, ECS2110 series


Topology:

Insert the transceiver --- (25)ECS4620-28T(1) --- SNMP server

The procedure to monitor the transceiver status:

Step 1: Configure the switch's IP address and enable the SNMP trap.

Console#con
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.1/24
Console(config-if)#exit
Console(config)#snmp-server host 192.168.1.100 inform private version 2c

Step 2: Check the transceiver's current information.

At this time, the RX power is not within the range of the default Low Alarm/Warning threshold.

mceclip1.png

Step 3: Enable the transceiver-monitor.

Console#con
Console(config)#interface ethernet 1/25
Console(config-if)#transceiver-monitor

Step 4: The switch will send out the SNMP trap (SFPThresholdAlarmWarnTrap).

mceclip0.png


The procedure to change the transceiver-threshold:

Step 1: Check the current transceiver DDM thresholds.

mceclip1.png

Step 2: Configure the threshold of the Temperature.

Console(config)#interface ethernet 1/25
Console(config-if)#no transceiver-threshold-auto
Console(config-if)#transceiver-threshold temperature high-warning 7500
Console(config-if)#transceiver-threshold temperature high-alarm 8500

Step 3: Check the modification of the transceiver's information.

mceclip3.png

The management agent of Edgecore switches supports SNMP (Simple Network Management Protocol).
This SNMP agent permits the switch to be managed from any system in the network using network management software.

Zabbix:

Zabbix is an open-source tool for monitoring the status of servers and devices (switches, routers, etc.).

Available platforms:

OS: Ubuntu, CentOS, MAC

Necessary tool: Docker 

Zabbix installation procedure:

Step 1: Make sure Docker is installed on this device.

Step 2: Get the repository from GitHub. (https://github.com/zabbix/zabbix-docker.git)

git clone https://github.com/zabbix/zabbix-docker.git

Step 3: Enter the zabbix-docker folder.

cd zabbix-docker

Step 4: Install and start up the Zabbix service.

docker-compose -f docker-compose_v3_alpine_mysql_latest.yaml up -d

Step 5: Open the web browser. (http://Your Server IP Address)

Username: Admin

Password: zabbix

mceclip0.png

Create the template for Edgecore switch:

This example is monitoring the temperature of the ECS4120-28T.

Procedure:

Step 1: Create the template

Configuration -> Templates -> Create template

mceclip0.png

Step 2: Create the host

Configuration -> Hosts -> Create host

mceclip1.png 

mceclip2.png

Step 3: Create an application on the host.

ECS4120-28T -> Application -> Create application

mceclip3.png

Step 4: Create an item on the host.

ECS4120-28T -> Item -> Create item

mceclip5.png

Step 5: On the home page, create a graph of temperature on the Dashboard.

Zabbix -> edit dashboard -> Add widget

mceclip6.png

Step 6: Now you can monitor the temperature of the ECS4120 Series via Zabbix.

mceclip7.png

Support models and software version:
ECS4120 Series V1.2.2.18 and above.
ECS4100 Series V1.2.36.191 and above.
 
Overview
ERPS provides a solution that allows physical loops but creates loop-free logical topologies. Loop avoidance for a ring topology is achieved by guaranteeing that, at any time, traffic may flow on all but one of the ring links. This particular link is called the ring protection link (RPL), and under normal conditions this link is blocked, i.e. not used for user traffic. One end of the RPL is designated as the RPL owner, which is responsible for blocking user traffic over the RPL. Once a link failure is detected, the RPL owner reacts by unblocking the RPL so that the network recovers quickly from the outage.
 
As mentioned above, a physical link of a ring will be blocked to avoid loops, so redundant links cannot be utilized. The multiple-instance feature addresses this problem. The set of VLANs of an Ethernet ring can be grouped into several subsets called ERP instances. Because users can define a different RPL per instance, all physical links can be utilized.
 
The differences between the old and new versions of ERPS:
1. Number of instances per ring
    I. Old version: one instance per ring.
    II. New version: more than one instance per ring.
2. ERPS domain vs. ERPS ring and instance
    I. Old version: all you have to do is configure an ERPS domain, which is equivalent to an ERPS ring and an ERPS instance.
    II. New version: ERPS domain configuration is further decomposed into ERPS ring and ERPS instance configurations.
        - Users have to configure ERPS rings and ERPS instances separately and bind one or more ERPS instances to any one of the ERPS rings.
3. Exclusion-VLAN and inclusion-VLAN
    I. Inclusion VLANs are protected by an ERPS domain.
    II. Exclusion VLANs are not protected by an ERPS domain.
        - Traffic of exclusion VLANs will not be blocked on the ring ports.
        - VLANs not configured in the inclusion list or the exclusion list will always be blocked on the ring ports.
        - Traffic of VLANs (including control VLAN, inclusion VLANs, and exclusion VLANs) used in an ERPS domain will always be unblocked on all non-ERPS ring ports.
 
Topology
mceclip0.png
Configuration
SW1
SW1#configure
SW1(config)#interface ethernet 1/1
SW1(config-if)#switchport allowed vlan add 100,200,300 tagged
SW1(config-if)#exit
SW1(config)#interface ethernet 1/25
SW1(config-if)#switchport allowed vlan add 10,20,100,200,300 tagged
SW1(config-if)#spanning-tree spanning-disabled
SW1(config-if)#exit
SW1(config)#interface ethernet 1/26
SW1(config-if)#switchport allowed vlan add 10,20,100,200,300 tagged
SW1(config-if)#spanning-tree spanning-disabled
SW1(config-if)#exit
SW1(config)#erps
SW1(config)#erps vlan-group group1 add 10,100
SW1(config)#erps vlan-group group2 add 20,200
SW1(config)#erps ring Ring
SW1(config-erps-ring)#ring-port west interface ethernet 1/25
SW1(config-erps-ring)#ring-port east interface ethernet 1/26
SW1(config-erps-ring)#enable
SW1(config-erps-ring)#exit
SW1(config)#erps instance inst1 id 1
SW1(config-erps-inst)#control-vlan 10
SW1(config-erps-inst)#rpl owner
SW1(config-erps-inst)#physical-ring Ring
SW1(config-erps-inst)#inclusion-vlan group1
SW1(config-erps-inst)#enable
SW1(config-erps-inst)#exit
SW1(config)#erps instance inst2 id 2
SW1(config-erps-inst)#control-vlan 20
SW1(config-erps-inst)#physical-ring Ring
SW1(config-erps-inst)#inclusion-vlan group2
SW1(config-erps-inst)#enable
SW1(config-erps-inst)#end
SW2 & SW4
SW2#configure
SW2(config)#interface ethernet 1/1
SW2(config-if)#switchport allowed vlan add 100,200,300 tagged
SW2(config-if)#exit
SW2(config)#interface ethernet 1/25
SW2(config-if)#switchport allowed vlan add 10,20,100,200,300 tagged
SW2(config-if)#spanning-tree spanning-disabled
SW2(config-if)#exit
SW2(config)#interface ethernet 1/26
SW2(config-if)#switchport allowed vlan add 10,20,100,200,300 tagged
SW2(config-if)#spanning-tree spanning-disabled
SW2(config-if)#exit
SW2(config)#erps
SW2(config)#erps vlan-group group1 add 10,100
SW2(config)#erps vlan-group group2 add 20,200
SW2(config)#erps ring Ring
SW2(config-erps-ring)#ring-port west interface ethernet 1/25
SW2(config-erps-ring)#ring-port east interface ethernet 1/26
SW2(config-erps-ring)#enable
SW2(config-erps-ring)#exit
SW2(config)#erps instance inst1 id 1
SW2(config-erps-inst)#control-vlan 10
SW2(config-erps-inst)#physical-ring Ring
SW2(config-erps-inst)#inclusion-vlan group1
SW2(config-erps-inst)#enable
SW2(config-erps-inst)#exit
SW2(config)#erps instance inst2 id 2
SW2(config-erps-inst)#control-vlan 20
SW2(config-erps-inst)#physical-ring Ring
SW2(config-erps-inst)#inclusion-vlan group2
SW2(config-erps-inst)#enable
SW2(config-erps-inst)#end
SW3
SW3#configure
SW3(config)#interface ethernet 1/1
SW3(config-if)#switchport allowed vlan add 100,200,300 tagged
SW3(config-if)#exit
SW3(config)#interface ethernet 1/25
SW3(config-if)#switchport allowed vlan add 10,20,100,200,300 tagged
SW3(config-if)#spanning-tree spanning-disabled
SW3(config-if)#exit
SW3(config)#interface ethernet 1/26
SW3(config-if)#switchport allowed vlan add 10,20,100,200,300 tagged
SW3(config-if)#spanning-tree spanning-disabled
SW3(config-if)#exit
SW3(config)#erps
SW3(config)#erps vlan-group group1 add 10,100
SW3(config)#erps vlan-group group2 add 20,200
SW3(config)#erps ring Ring
SW3(config-erps-ring)#ring-port west interface ethernet 1/25
SW3(config-erps-ring)#ring-port east interface ethernet 1/26
SW3(config-erps-ring)#enable
SW3(config-erps-ring)#exit
SW3(config)#erps instance inst1 id 1
SW3(config-erps-inst)#control-vlan 10
SW3(config-erps-inst)#physical-ring Ring
SW3(config-erps-inst)#inclusion-vlan group1
SW3(config-erps-inst)#enable
SW3(config-erps-inst)#exit
SW3(config)#erps instance inst2 id 2
SW3(config-erps-inst)#control-vlan 20
SW3(config-erps-inst)#rpl owner
SW3(config-erps-inst)#physical-ring Ring
SW3(config-erps-inst)#inclusion-vlan group2
SW3(config-erps-inst)#enable
SW3(config-erps-inst)#end
 
SW1 VLAN group configuration
mceclip1.png
SW1 ERPS ring configuration
mceclip2.png
SW1 ERPS instance configuration
mceclip3.png
SW2 VLAN group configuration
mceclip4.png
SW2 ERPS ring configuration
mceclip5.png
SW2 ERPS instance configuration
mceclip6.png
SW3 VLAN group configuration
mceclip7.png
SW3 ERPS ring configuration
mceclip8.png
SW3 ERPS instance configuration
mceclip9.png
SW4 VLAN group configuration
mceclip10.png
SW4 ERPS ring configuration
mceclip11.png
SW4 ERPS instance configuration
mceclip12.png
 
Exclusion VLAN
mceclip13.png
Add two hosts for traffic VLAN 300.
If VLAN 300 is not configured as an exclusion VLAN, its traffic will be blocked by ERPS.
mceclip14.png

To prevent VLAN300 on ports of the logical line from being blocked by ERPS, the user can configure physical rings to form the line topology.
SW1
SW1(config)#erps vlan-group group3 add 300
SW1(config)#erps ring Ring
SW1(config-erps-ring)#no enable
SW1(config-erps-ring)#exclusion-vlan group3
SW1(config-erps-ring)#enable
SW2
SW2(config)#erps vlan-group group3 add 300
SW2(config)#erps ring Ring
SW2(config-erps-ring)#no enable
SW2(config-erps-ring)#exclusion-vlan group3
SW2(config-erps-ring)#enable
SW4
SW4(config)#erps vlan-group group3 add 300
SW4(config)#erps ring Ring
SW4(config-erps-ring)#no enable
SW4(config-erps-ring)#exclusion-vlan group3
SW4(config-erps-ring)#enable
mceclip15.png
mceclip16.png
 
mceclip17.png
mceclip18.png
 
mceclip19.png
mceclip20.png
 
VLAN 300 traffic is now forwarded without problems.
mceclip21.png
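
The VLAN handling rules listed in the overview, applied to SW1's ring-port configuration before and after the exclusion-VLAN change. This is an added example, not Edgecore code; the parser and function names are hypothetical and cover only the commands used on this page.

```python
import re

# SW1 ring-port and ERPS commands, copied from this page's configuration.
SW1_CONFIG = """\
SW1(config)#interface ethernet 1/25
SW1(config-if)#switchport allowed vlan add 10,20,100,200,300 tagged
SW1(config)#interface ethernet 1/26
SW1(config-if)#switchport allowed vlan add 10,20,100,200,300 tagged
SW1(config)#erps vlan-group group1 add 10,100
SW1(config)#erps vlan-group group2 add 20,200
SW1(config)#erps ring Ring
SW1(config-erps-ring)#ring-port west interface ethernet 1/25
SW1(config-erps-ring)#ring-port east interface ethernet 1/26
SW1(config)#erps instance inst1 id 1
SW1(config-erps-inst)#control-vlan 10
SW1(config-erps-inst)#rpl owner
SW1(config-erps-inst)#physical-ring Ring
SW1(config-erps-inst)#inclusion-vlan group1
SW1(config)#erps instance inst2 id 2
SW1(config-erps-inst)#control-vlan 20
SW1(config-erps-inst)#physical-ring Ring
SW1(config-erps-inst)#inclusion-vlan group2
"""
# The exclusion-VLAN change applied later on the page.
EXCLUSION_CONFIG = """\
SW1(config)#erps vlan-group group3 add 300
SW1(config)#erps ring Ring
SW1(config-erps-ring)#exclusion-vlan group3
"""

def parse_vlans(spec):
    """Expand a VLAN list such as 10,20,100-102 into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_config(text):
    """Hypothetical parser for only the commands that appear on this page."""
    cfg = {"port_vlans": {}, "groups": {}, "rings": {}, "instances": {}}
    kind = name = None  # current CLI context
    for raw in text.splitlines():
        line = raw.split("#", 1)[-1].strip()  # drop the prompt
        if m := re.fullmatch(r"interface ethernet (\S+)", line):
            kind, name = "port", m[1]
            cfg["port_vlans"].setdefault(name, set())
        elif m := re.fullmatch(r"erps vlan-group (\S+) add (\S+)", line):
            cfg["groups"].setdefault(m[1], set()).update(parse_vlans(m[2]))
        elif m := re.fullmatch(r"erps ring (\S+)", line):
            kind, name = "ring", m[1]
            cfg["rings"].setdefault(name, {"ports": set(), "exclusion": set()})
        elif m := re.fullmatch(r"erps instance (\S+) id \d+", line):
            kind, name = "inst", m[1]
            cfg["instances"].setdefault(
                name, {"ring": None, "control": None, "inclusion": set()})
        elif line in ("exit", "end"):
            kind = name = None
        elif kind == "port" and (m := re.fullmatch(
                r"switchport allowed vlan add (\S+)(?: \w+)?", line)):
            cfg["port_vlans"][name] |= parse_vlans(m[1])
        elif kind == "ring" and (m := re.fullmatch(
                r"ring-port (?:west|east) interface ethernet (\S+)", line)):
            cfg["rings"][name]["ports"].add(m[1])
        elif kind == "ring" and (m := re.fullmatch(r"exclusion-vlan (\S+)", line)):
            cfg["rings"][name]["exclusion"].add(m[1])
        elif kind == "inst" and (m := re.fullmatch(r"control-vlan (\d+)", line)):
            cfg["instances"][name]["control"] = int(m[1])
        elif kind == "inst" and (m := re.fullmatch(r"physical-ring (\S+)", line)):
            cfg["instances"][name]["ring"] = m[1]
        elif kind == "inst" and (m := re.fullmatch(r"inclusion-vlan (\S+)", line)):
            cfg["instances"][name]["inclusion"].add(m[1])
    return cfg

def classify_ring_vlans(cfg, ring):
    """Apply the page's rules to every VLAN carried on the ring ports."""
    r = cfg["rings"][ring]
    carried = set().union(*(cfg["port_vlans"].get(p, set()) for p in r["ports"]))
    excluded = set().union(*(cfg["groups"].get(g, set()) for g in r["exclusion"]))
    result = {}
    for vlan in sorted(carried):
        owner = next((n for n, i in sorted(cfg["instances"].items())
                      if i["ring"] == ring and (vlan == i["control"] or any(
                          vlan in cfg["groups"].get(g, set()) for g in i["inclusion"]))),
                     None)
        if owner:
            result[vlan] = f"protected:{owner}"  # inclusion or control VLAN
        elif vlan in excluded:
            result[vlan] = "excluded"            # never blocked on ring ports
        else:
            result[vlan] = "blocked"             # in neither list: always blocked
    return result

if __name__ == "__main__":
    print(classify_ring_vlans(parse_config(SW1_CONFIG), "Ring"))
    print(classify_ring_vlans(parse_config(SW1_CONFIG + EXCLUSION_CONFIG), "Ring"))
```

Any VLAN reported as "blocked" is tagged on the ring ports but belongs to no inclusion or exclusion group, which is the VLAN 300 situation shown before the fix.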

Path Cost is used by the Spanning Tree Algorithm to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.

By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below.
mceclip0.png

*The path cost of the STP is not configured by pathcost method short or long.

Users can configure the spanning tree path cost for a specified interface with the following command.

[CLI Command]
spanning-tree cost {cost}
cost - The path cost for the port.
(Range: 0 for auto-configuration, 1-65535 for short path cost method, 1-200,000,000 for long path cost method)

Calculate the spanning tree path cost on a port-channel.

1. Active Eth1/1 for port channel.

Console#show interfaces brief
Interface Name              Status    PVID Pri Speed/Duplex  Type         Trunk
--------- ----------------- --------- ---- --- ------------- ------------ -----
Eth 1/ 1                    Up           1   0 Auto-1000full 1000BASE-T       1

The spanning tree path cost on Trunk 1 is 5000.

Console#show spanning-tree brief
Interface Pri Designated            Designated Oper     STP    Role State Oper
              Bridge ID             Port ID    Cost     Status            Edge
--------- --- --------------------- ---------- -------- ------ ---- ----- ----
Trunk 1   128 32768.8CEA1B8AC667    128.57         5000 EN     ROOT FWD   No

The spanning tree path cost for Trunk 1 is 10000 (1G) / 2 = 5000 (Trunk).
The spanning tree path cost on Trunk 1 is 5000 (Trunk) / 1 = 5000.


2. Active Eth1/1 & Eth1/2 for port channel.

Console#show interfaces brief
Interface Name              Status    PVID Pri Speed/Duplex  Type         Trunk
--------- ----------------- --------- ---- --- ------------- ------------ -----
Eth 1/ 1                    Up           1   0 Auto-1000full 1000BASE-T       1
Eth 1/ 2                    Up           1   0 Auto-1000full 1000BASE-T       1

The spanning tree path cost on Trunk 1 is 2500.

Console#show spanning-tree brief
Interface Pri Designated            Designated Oper     STP    Role State Oper
              Bridge ID             Port ID    Cost     Status            Edge
--------- --- --------------------- ---------- -------- ------ ---- ----- ----
Trunk 1   128 32768.8CEA1B8AC667    128.57         2500 EN     ROOT FWD   No

The spanning tree path cost on Trunk 1 is 5000 (Trunk) / 2 = 2500.


3. Active Eth1/1 & Eth1/2 & Eth1/3 for port channel.

Console#show interfaces brief
Interface Name              Status    PVID Pri Speed/Duplex  Type         Trunk
--------- ----------------- --------- ---- --- ------------- ------------ -----
Eth 1/ 1                    Up           1   0 Auto-1000full 1000BASE-T       1
Eth 1/ 2                    Up           1   0 Auto-1000full 1000BASE-T       1
Eth 1/ 3                    Up           1   0 Auto-1000full 1000BASE-T       1

The spanning tree path cost on Trunk 1 is 1666.

Console#show spanning-tree brief
Interface Pri Designated            Designated Oper     STP    Role State Oper
              Bridge ID             Port ID    Cost     Status            Edge
--------- --- --------------------- ---------- -------- ------ ---- ----- ----
Trunk 1   128 32768.8CEA1B8AC667    128.57         1666 EN     ROOT FWD   No

The spanning tree path cost on Trunk 1 is 5000 (Trunk) / 3 = 1666.

 

4. Active Eth1/1 & Eth1/2 & Eth1/3 & Eth1/4 for port channel.

Console#show interfaces brief
Interface Name              Status    PVID Pri Speed/Duplex  Type         Trunk
--------- ----------------- --------- ---- --- ------------- ------------ -----
Eth 1/ 1                    Up           1   0 Auto-1000full 1000BASE-T       1
Eth 1/ 2                    Up           1   0 Auto-1000full 1000BASE-T       1
Eth 1/ 3                    Up           1   0 Auto-1000full 1000BASE-T       1
Eth 1/ 4                    Up           1   0 Auto-1000full 1000BASE-T       1

The spanning tree path cost on Trunk 1 is 1250.

Console#show spanning-tree brief
Interface Pri Designated            Designated Oper     STP    Role State Oper
              Bridge ID             Port ID    Cost     Status            Edge
--------- --- --------------------- ---------- -------- ------ ---- ----- ----
Trunk 1   128 32768.8CEA1B8AC667    128.57         1250 EN     ROOT FWD   No

The spanning tree path cost on Trunk 1 is 5000 (Trunk) / 4 = 1250.

Support models and software version:
ECS4120 series v1.2.2.24 and above.
 
Overview
IPv6 Prefix Guard works within the IPv6 Source Guard feature, which restricts IPv6 traffic on non-routed, Layer 2 interfaces by filtering traffic based on the DHCPv6 Snooping binding table and manually configured static IPv6 bindings. IPv6 Prefix Guard is used when IPv6 prefixes are delegated to the device using DHCPv6 prefix delegation. IPv6 Prefix Guard records the range of prefix addresses assigned to the link and blocks traffic whose source address has a prefix outside this range.
 
Configuration (Support CLI/WEB GUI/SNMP)
<A> CLI Command
  • Enable IPv6 source guard or IPv6 prefix guard on port interface configuration and set maximum binding number.
[CLI format]
ipv6 source-guard { sip | sdp | max-binding }
    sip - Enable IPv6 source address filtering.
    sdp - Enable IPv6 source prefix filtering.
    max-binding - Limits max binding entries.
Console#con
Console(config)#interface ethernet 1/1
Console(config-if)#ipv6 source-guard sdp
Console(config-if)#ipv6 source-guard max-binding 3
Console(config-if)#end
Console#show ipv6 source-guard
Interface   Filter-type   Max-binding
---------   -----------   -----------
Eth 1/1     SDP                     3
Eth 1/2     DISABLED                5
Eth 1/3     DISABLED                5
 
  • Add static IPv6 source guard or IPv6 prefix guard binding entry on global configuration mode.
[CLI format]
ipv6 source-guard binding Mac-Address vlan VLAN_ID { IPv6-Address | IPv6-Prefix } interface ethernet Unit/Port
    Mac-Address - A valid unicast MAC address. (x-x-x-x-x-x or xxxxxxxxxxxx)
    VLAN_ID - ID of a configured VLAN. (Range: 1-4094)
    IPv6-Address - Corresponding full IPv6 address.
    IPv6-Prefix - Corresponding IPv6 prefix of the form IPv6-address/prefix-length.
    Unit - Unit identifier. (Range: 1)
    Port - Port number. (Range: 1-28 or 52)
Console#con
Console(config)#ipv6 source-guard binding 90-E6-BA-63-96-CD vlan 1 2001:b000:2::/64 interface ethernet 1/21
Console(config)#end
Console#show ipv6 source-guard binding
DHCPV6SNP:
 DHCP - Stateful address
NDSNP:
 ND - Stateless address
STA - Static IPv6 source guard binding

MAC Address    IPv6 Address/IPv6 Prefix                VLAN Interface Type
-------------- --------------------------------------- ---- --------- ----
90E6-BA63-96CD                        2001:b000:2::/64    1  Eth 1/21  STA
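
A simplified model of the filter decision for the sdp mode and the static binding shown above, added here as an illustration and not the switch's implementation. It assumes a packet is matched on port, VLAN and source MAC, that sip uses address bindings and sdp uses prefix bindings, and that sdp is enabled on the binding's port; the class name and the sample packets are constructed.

```python
import ipaddress

DEFAULT_MAX_BINDING = 5  # shown for unconfigured ports in "show ipv6 source-guard"


def norm_mac(mac):
    """Accept 90-E6-BA-63-96-CD, 90:e6:ba:63:96:cd or 90E6BA6396CD."""
    return mac.replace("-", "").replace(":", "").lower()


class SourceGuardModel:
    """Simplified model; link-local and other special cases are out of scope."""

    def __init__(self):
        self.ports = {}     # port -> {"mode": ..., "max": ...}
        self.bindings = []  # (mac, vlan, IPv6Network, port)

    def configure_port(self, port, mode="DISABLED", max_binding=DEFAULT_MAX_BINDING):
        if mode not in ("DISABLED", "SIP", "SDP"):
            raise ValueError(f"unknown filter type: {mode}")
        self.ports[port] = {"mode": mode, "max": max_binding}

    def add_binding(self, mac, vlan, target, port):
        """target is an IPv6 address or address/prefix-length.

        Returns False when the port already holds max-binding entries.
        """
        limit = self.ports.get(port, {}).get("max", DEFAULT_MAX_BINDING)
        if sum(1 for b in self.bindings if b[3] == port) >= limit:
            return False
        net = ipaddress.IPv6Network(target, strict=False)
        self.bindings.append((norm_mac(mac), vlan, net, port))
        return True

    def check(self, port, vlan, src_mac, src_ip):
        """Return "forward" or "drop" for one received packet."""
        mode = self.ports.get(port, {}).get("mode", "DISABLED")
        if mode == "DISABLED":
            return "forward"
        src = ipaddress.IPv6Address(src_ip)
        for mac, b_vlan, net, b_port in self.bindings:
            if (b_port, b_vlan, mac) != (port, vlan, norm_mac(src_mac)):
                continue
            is_prefix = net.prefixlen < 128
            if mode == "SDP" and is_prefix and src in net:
                return "forward"   # source lies inside the bound prefix
            if mode == "SIP" and not is_prefix and src == net.network_address:
                return "forward"   # source equals the bound address
        return "drop"


def build_page_example():
    """Port and binding values from the CLI example on this page."""
    guard = SourceGuardModel()
    guard.configure_port("1/21", mode="SDP", max_binding=3)  # assumed port for sdp
    guard.add_binding("90-E6-BA-63-96-CD", 1, "2001:b000:2::/64", "1/21")
    return guard


# Constructed packets: (port, VLAN, source MAC, source IPv6 address)
SAMPLE_PACKETS = [
    ("1/21", 1, "90-E6-BA-63-96-CD", "2001:b000:2::10"),  # inside bound prefix
    ("1/21", 1, "90-E6-BA-63-96-CD", "2001:b000:3::10"),  # outside bound prefix
    ("1/21", 1, "00-11-22-33-44-55", "2001:b000:2::10"),  # MAC has no binding
    ("1/2", 1, "00-11-22-33-44-55", "2001:db8::1"),       # guard disabled on port
]


def run_samples():
    guard = build_page_example()
    return [guard.check(*pkt) for pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_samples()):
        print(pkt, "->", verdict)
```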
 
<B> WEB GUI
  • Enable IPv6 source guard or IPv6 prefix guard on port interface configuration and set maximum binding number.
[WEB GUI]
Security > IPv6 Source Guard > Port Configuration > Filter Type & Max Binding Entry > Apply
mceclip0.png
mceclip1.png
 
  • Add static ipv6 source guard or ipv6 prefix guard binding entry on the switch.
[WEB GUI]
Security > IPv6 Source Guard > Static Binding > Action: Add > Apply
mceclip2.png
[WEB GUI]
Security > IPv6 Source Guard > Static Binding > Action: Show
mceclip3.png
 
<C> SNMP
  • Enable IPv6 source guard or IPv6 prefix guard on port interface configuration and set maximum binding number.
[SNMPSET command format]
snmpset -v 2c -c private {switch ip} {ip6SrcGuardMode | ip6SrcGuardMaxBinding}.{ip6SrcGuardPortIfIndex} {integer} {value}
 
For ip6SrcGuardMode, OID 1.3.6.1.4.1.259.10.1.45.1.74.1.1.2
 Set to disabled(1) means IPv6 Source Guard is disabled.
 Set to srcIp(2) means IPv6 Source Guard is enabled, and packets are filtered by checking source ip.
 Set to srcPrefix(3) means IPv6 Prefix Guard is enabled, and packets are filtered by checking source prefix.
 
For ip6SrcGuardMaxBinding, OID 1.3.6.1.4.1.259.10.1.45.1.74.1.1.3
 This object indicates the maximum number of bindings associated with the port.(Range from 1 to 5)
 
For ip6SrcGuardPortIfIndex,
 This object identifies the port which is capable of the IPv6 Source Guard feature.
 
IPv6 source guard is disabled on port interfaces by default.
C:\>snmpwalk -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.1.1.2.24
SNMPv2-SMI::enterprises.259.10.1.45.1.74.1.1.2.24 = INTEGER: 1
 
Enable IPv6 Prefix Guard on port24.
C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.1.1.2.24 i 3
SNMPv2-SMI::enterprises.259.10.1.45.1.74.1.1.2.24 = INTEGER: 3
 
Display the current mode of IPv6 source guard.
C:\>snmpwalk -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.1.1.2.24
SNMPv2-SMI::enterprises.259.10.1.45.1.74.1.1.2.24 = INTEGER: 3
 
Configure IPv6 source guard maximum binding entry number to 3 on port24.
C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.1.1.3.24 i 3
SNMPv2-SMI::enterprises.259.10.1.45.1.74.1.1.3.24 = INTEGER: 3
[Result]
Console#show ipv6 source-guard
Interface   Filter-type   Max-binding
---------   -----------   -----------
Eth 1/23    DISABLED                5
Eth 1/24    SDP                     3
Eth 1/25    DISABLED                5
 
  • Add a static IPv6 source guard or IPv6 prefix guard binding entry on the switch.
[SNMPSET command format]
snmpset -v 2c -c private {switch ip} {ip6SrcGuardBindingVlanIndex | ip6SrcGuardBindingPortIfIndex | ip6SrcGuardBindingStatus}.{ip6SrcGuardBindingType}.{ip6SrcGuardBindingMacAddress}.{ip6SrcGuardBindingIpv6Address}.{ip6SrcGuardBindingPrefixLen}.{ip6SrcGuardBindingMode} {integer} {value}
 
For ip6SrcGuardBindingVlanIndex, OID 1.3.6.1.4.1.259.10.1.45.1.74.2.1.4
 This object indicates the VLAN id of the associated client.(Range from 1 to 4094)
 
For ip6SrcGuardBindingPortIfIndex, OID 1.3.6.1.4.1.259.10.1.45.1.74.2.1.5
 This object indicates the port of the associated client.
 
For ip6SrcGuardBindingStatus, OID 1.3.6.1.4.1.259.10.1.45.1.74.2.1.6
 active(1), which indicates that the conceptual row is available for use by the managed device.
 notInService(2), which indicates that the conceptual row exists in the agent, but is unavailable for use by the managed device.
 notReady(3), createAndGo(4), createAndWait(5), destroy(6)
 
For ip6SrcGuardBindingType
 This object indicates the binding type of the associated client.
 static(1),dhcp6snp(2),ndsnp(3)
 
For ip6SrcGuardBindingMacAddress,
 This object indicates the MAC address of the associated client. (Each byte is converted from hexadecimal to decimal.)
 
For ip6SrcGuardBindingIpv6Address,
 This object indicates the IPv6 address of the associated client. (Each byte is converted from hexadecimal to decimal.)
 
For ip6SrcGuardBindingPrefixLen,
 The object indicates the delegated prefix length of the associated client.
 
For ip6SrcGuardBindingMode,
 The object indicates the mode of this binding.
 address(1) means the mode of the binding entry is address mode.
 prefix(2) means the mode of the binding entry is prefix mode.
 
Read the IPv6 source-guard dynamic binding via CLI and SNMP.
Console#show ipv6 source-guard binding
DHCPV6SNP:
 DHCP - Stateful address
NDSNP:
 ND - Stateless address
STA - Static IPv6 source guard binding

MAC Address    IPv6 Address/IPv6 Prefix                VLAN Interface Type
-------------- --------------------------------------- ---- --------- ----
382C-4A77-DD37                      2001:db8:2222::/64    1  Eth 1/24 DHCP
mceclip4.png
C:\>snmpwalk -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.2.1
SNMPv2-SMI::enterprises.259.10.1.45.1.74.2.1.4.2.56.44.74.119.221.55.32.1.13.184.34.34.0.0.0.0.0.0.0.0.0.0.64.2 = Gauge32: 1  -> VLAN=1
SNMPv2-SMI::enterprises.259.10.1.45.1.74.2.1.5.2.56.44.74.119.221.55.32.1.13.184.34.34.0.0.0.0.0.0.0.0.0.0.64.2 = INTEGER: 24  -> Port=Eth1/24
SNMPv2-SMI::enterprises.259.10.1.45.1.74.2.1.6.2.56.44.74.119.221.55.32.1.13.184.34.34.0.0.0.0.0.0.0.0.0.0.64.2 = INTEGER: 1  -> Status=Active(1)
 
Configure a static IPv6 prefix binding via SNMP.
MAC 90-E6-BA-63-96-CD=144.230.186.99.150.205
IPv6 prefix 2001:b000:2::/64=32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0
(1) Create a static IPv6 prefix binding entry.
C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.2.1.6.1.144.230.186.99.150.205.32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0.64.2 i 5
SNMPv2-SMI::enterprises.259.10.1.45.1.74.2.1.6.1.144.230.186.99.150.205.32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0.64.2 = INTEGER: 5
 
(2) Set the entry on VLAN1.
C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.2.1.4.1.144.230.186.99.150.205.32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0.64.2 u 1
SNMPv2-SMI::enterprises.259.10.1.45.1.74.2.1.4.1.144.230.186.99.150.205.32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0.64.2 = Gauge32: 1
 
(3) Bind the entry on port21.
C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.2.1.5.1.144.230.186.99.150.205.32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0.64.2 i 21
SNMPv2-SMI::enterprises.259.10.1.45.1.74.2.1.5.1.144.230.186.99.150.205.32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0.64.2 = INTEGER: 21
 
(4) Activate the entry.
C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.2.1.6.1.144.230.186.99.150.205.32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0.64.2 i 1
SNMPv2-SMI::enterprises.259.10.1.45.1.74.2.1.6.1.144.230.186.99.150.205.32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0.64.2 = INTEGER: 1
 
Check the IPv6 source guard binding entry by CLI.
mceclip5.png
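
The index conversion used in the snmpset commands above, as an added example (not Edgecore code): it builds the row index from the CLI-style MAC and prefix and decodes a walked OID back into readable values. The function names are hypothetical; the OIDs, enumerations and sample lines are the ones listed on this page.

```python
import ipaddress

# Table entry OID, columns and enumerations as listed on this page.
ENTRY_OID = "1.3.6.1.4.1.259.10.1.45.1.74.2.1"
COLUMNS = {4: "ip6SrcGuardBindingVlanIndex",
           5: "ip6SrcGuardBindingPortIfIndex",
           6: "ip6SrcGuardBindingStatus"}
BINDING_TYPES = {1: "static", 2: "dhcp6snp", 3: "ndsnp"}
BINDING_MODES = {1: "address", 2: "prefix"}
INDEX_LEN = 1 + 6 + 16 + 1 + 1  # type, MAC, IPv6 address, prefix length, mode

# Two lines of the snmpwalk output shown on this page.
WALK_SAMPLE = [
    "SNMPv2-SMI::enterprises.259.10.1.45.1.74.2.1.4.2.56.44.74.119.221.55."
    "32.1.13.184.34.34.0.0.0.0.0.0.0.0.0.0.64.2 = Gauge32: 1",
    "SNMPv2-SMI::enterprises.259.10.1.45.1.74.2.1.5.2.56.44.74.119.221.55."
    "32.1.13.184.34.34.0.0.0.0.0.0.0.0.0.0.64.2 = INTEGER: 24",
]


def encode_index(binding_type, mac, ipv6, mode):
    """Build the dotted-decimal row index from CLI-style values."""
    if binding_type not in BINDING_TYPES or mode not in BINDING_MODES:
        raise ValueError("unknown binding type or mode")
    mac_hex = mac.replace("-", "").replace(":", "")
    if len(mac_hex) != 12:
        raise ValueError("MAC address must be 6 bytes")
    mac_bytes = bytes.fromhex(mac_hex)            # hex pairs -> decimal bytes
    iface = ipaddress.IPv6Interface(ipv6)         # keeps address and length
    parts = [binding_type, *mac_bytes, *iface.ip.packed,
             iface.network.prefixlen, mode]
    return ".".join(str(p) for p in parts)


def instance_oid(column, index):
    """Full OID to pass to snmpset for one column of one binding row."""
    if column not in COLUMNS:
        raise ValueError("column must be 4, 5 or 6")
    return f"{ENTRY_OID}.{column}.{index}"


def decode_oid(text):
    """Decode an OID (or a whole snmpwalk output line) from the binding table."""
    oid = text.split("=", 1)[0].strip().lstrip(".")
    oid = oid.replace("SNMPv2-SMI::enterprises.", "1.3.6.1.4.1.", 1)
    if not oid.startswith(ENTRY_OID + "."):
        raise ValueError("not an ip6SrcGuardBinding table OID")
    nums = [int(n) for n in oid[len(ENTRY_OID) + 1:].split(".")]
    column, index = nums[0], nums[1:]
    if column not in COLUMNS or len(index) != INDEX_LEN:
        raise ValueError("unexpected column or index length")
    if any(not 0 <= n <= 255 for n in index):
        raise ValueError("index sub-identifier out of byte range")
    btype, mac, addr, plen, mode = (index[0], index[1:7], index[7:23],
                                    index[23], index[24])
    if btype not in BINDING_TYPES or mode not in BINDING_MODES or plen > 128:
        raise ValueError("unknown type, mode or prefix length")
    return {
        "column": COLUMNS[column],
        "type": BINDING_TYPES[btype],
        "mac": "-".join(f"{b:02X}" for b in mac),
        "binding": f"{ipaddress.IPv6Address(bytes(addr))}/{plen}",
        "mode": BINDING_MODES[mode],
    }


if __name__ == "__main__":
    idx = encode_index(1, "90-E6-BA-63-96-CD", "2001:b000:2::/64", 2)
    print(instance_oid(6, idx))
    for line in WALK_SAMPLE:
        print(decode_oid(line))
```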

If the DHCPv6 server and the DHCPv6 client are connected in different VLANs/subnets, the user can configure DHCPv6 relay so that host devices attached to the switch can communicate with the DHCPv6 server.

The DHCPv6 Relay Agent uses Relay Forward/Reply messages to relay the messages between Servers and Clients.


Topology:

Configuration for DHCPv6 relay:

!                                                                    
interface ethernet 1/1

!
interface ethernet 1/2
 switchport allowed vlan add 2 untagged
 switchport mode access
 switchport native vlan 2
 switchport allowed vlan remove 1

!
interface vlan 2
 ipv6 dhcp relay destination 2001:db8:0:1::128
!
interface vlan 1                                                   
 ipv6 address 2001:db8:0:1::129/64
!
interface vlan 2
 ipv6 address 2002:db8:0:1::129/64
!

DHCPv6 relay packet forwarding procedures:

Capture the packets on port 2. (DHCPv6 Client)

Capture the packets on port 1. (DHCPv6 Server)

In this example, the client will get the IPv6 address in the range of 2002:db8:0:1::129 ~ 2002:db8:0:1::254 from the DHCP server.

The following is the example for ECS4120 series.

[SNMPSET command format]
snmpset -v 2c -c private {switch ip} { rlPortInputStatus | rlPortOutputStatus | rlPortInputLimitInKilo | rlPortOutputLimitInKilo}.{ rlPortIndex } {integer} {value}
 
For rlPortInputStatus, OID 1.3.6.1.4.1.259.10.1.45.1.16.1.2.1.6
 Set OID 1.3.6.1.4.1.259.10.1.45.1.16.1.2.1.6 to enabled(1) to enable the input rate limit.
 Set OID 1.3.6.1.4.1.259.10.1.45.1.16.1.2.1.6 to disabled(2) to disable the input rate limit.
 
For rlPortOutputStatus, OID 1.3.6.1.4.1.259.10.1.45.1.16.1.2.1.7
 Set OID 1.3.6.1.4.1.259.10.1.45.1.16.1.2.1.7 to enabled(1) to enable the output rate limit.
 Set OID 1.3.6.1.4.1.259.10.1.45.1.16.1.2.1.7 to disabled(2) to disable the output rate limit.
 
For rlPortInputLimitInKilo, OID 1.3.6.1.4.1.259.10.1.45.1.16.1.2.1.10
 Value of the input rate limit. (Range: <64-10000000> kilobits per second.)
 
For rlPortOutputLimitInKilo, OID 1.3.6.1.4.1.259.10.1.45.1.16.1.2.1.11
 Value of the output rate limit. (Range: <64-10000000> kilobits per second.)
 
For rlPortIndex: The port interface of the portTable.
 The ifIndex value of the port or trunk.
 
Example:
(1) Enable input rate limit with 100M on port Eth1/1.
C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.16.1.2.1.6.1 i 1
SNMPv2-SMI::enterprises.259.10.1.45.1.16.1.2.1.6.1 = INTEGER: 1
C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.16.1.2.1.10.1 i 100000
SNMPv2-SMI::enterprises.259.10.1.45.1.16.1.2.1.10.1 = INTEGER: 100000
(2) Enable output rate limit with 10M on port Eth1/2.
C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.16.1.2.1.7.2 i 1
SNMPv2-SMI::enterprises.259.10.1.45.1.16.1.2.1.7.2 = INTEGER: 1
C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.16.1.2.1.11.2 i 10000
SNMPv2-SMI::enterprises.259.10.1.45.1.16.1.2.1.11.2 = INTEGER: 10000
Result:
Console#show running-config interface ethernet 1/1
interface ethernet 1/1
 rate-limit input 100000
!
Console#show interfaces switchport ethernet 1/1
Information of Eth 1/1
Broadcast Threshold : Disabled
Multicast Threshold : Disabled
Unknown Unicast Threshold : Disabled
LACP Status : Disabled
Ingress Rate Limit : Enabled, 100000 kbits/second
Egress Rate Limit : Disabled, 1000000 kbits/second
VLAN Membership Mode : Hybrid
Ingress Rule : Disabled
Acceptable Frame Type : All frames
Native VLAN : 1
Priority for Untagged Traffic : 0
GVRP Status : Disabled
Allowed VLAN : 1(u)
Forbidden VLAN :
802.1Q Tunnel Status : Disabled
802.1Q Tunnel Mode : Normal
802.1Q Tunnel TPID : 8100 (Hex)
Layer 2 Protocol Tunnel : None
Broadcast Block : Disabled
Unknown Multicast Block : Disabled
Unknown Unicast Block : Disabled
Console#show running-config interface ethernet 1/2
interface ethernet 1/2
 rate-limit output 10000
!
Console#show interfaces switchport ethernet 1/2
Information of Eth 1/2
Broadcast Threshold : Disabled
Multicast Threshold : Disabled
Unknown Unicast Threshold : Disabled
LACP Status : Disabled
Ingress Rate Limit : Disabled, 1000000 kbits/second
Egress Rate Limit : Enabled, 10000 kbits/second
VLAN Membership Mode : Hybrid
Ingress Rule : Disabled
Acceptable Frame Type : All frames
Native VLAN : 1
Priority for Untagged Traffic : 0
GVRP Status : Disabled
Allowed VLAN : 1(u)
Forbidden VLAN :
802.1Q Tunnel Status : Disabled
802.1Q Tunnel Mode : Normal
802.1Q Tunnel TPID : 8100 (Hex)
Layer 2 Protocol Tunnel : None
Broadcast Block : Disabled
Unknown Multicast Block : Disabled
Unknown Unicast Block : Disabled

Overview

The Two-Way Active Measurement Protocol (TWAMP) is an open protocol for measuring network performance between any two devices supporting the TWAMP protocol.

TWAMP uses the methodology and architecture of OWAMP to define an open protocol for measurement of two-way or round-trip metrics, in addition to the one-way metrics of OWAMP.

TWAMP consists of the following two protocols, which monitor at Layer 3. The TWAMP control protocol (TWAMP-Control) is used when starting the performance measurement session; it is layered over TCP and is used to initiate and set up test sessions. The TWAMP test protocol (TWAMP-Test) is layered over UDP and is used for sending and receiving the test packets for performance measurement.


Operational Concept

In the TWAMP network architecture, the Control-Client and Session-Sender are combined on one set of hosts, while the Server and Session-Reflector are configured on the other host. Our switch supports the Server and Session-Reflector functions (RFC 5357).


Establishment of Control Connection


Establishment of Test Session



Configuration (currently supported through CLI commands only)

TWAMP Reflector is disabled by default.

Enable TWAMP Reflector function.

Display current status and timer.


TWAMP Reflector REFWAIT timer:

The reflector closes a started session when no packet associated with that session has been received for REFWAIT seconds. (Default: 900 seconds; configurable range: 30 - 3600 seconds)



[Result]

1) TWAMP clients use IPv4 address to establish session and send test packets.

Display current status and session.

There is no packet loss via IPv4 address.

2) The maximum number of test sessions is 5.

TWAMP works correctly when the server and clients are in the same IPv4 network segments.

3) TWAMP works correctly when the server and clients are in the different IPv4 network segments.

4) TWAMP works correctly when the server and clients are in the same IPv6 network segments.

5) TWAMP works correctly when the server and clients are in the different IPv6 network segments.

 

Support models and software version:

ECS4120 series v1.2.2.18 and above.

ECS4100 series v1.2.36.191 and above.

The basic DHCPSNP topology and configuration on the switch are shown below.

Original behavior (the “vlan-flooding” command is not supported, or “vlan-flooding” is enabled):

When the DHCPSNP function is enabled globally on the switch, a client requests an IP address by sending DHCP packets (Discover/Request) to an untrusted port.

If the DHCP packet belongs to a VLAN that is in the DHCPSNP-enabled VLAN list, the switch forwards it only to trusted ports that are also members of that VLAN.

If the DHCP packet belongs to a VLAN that is not in the DHCPSNP-enabled VLAN list, the switch forwards/floods it to ALL other ports that are also members of that VLAN.

Behavior with DHCPSNP vlan-flooding disabled (vlan-flooding is enabled on the switch by default):

The mechanism is the same when the DHCP packet belongs to a VLAN that is in the DHCPSNP-enabled VLAN list.

However, if the DHCP packet belongs to a VLAN that is not in the DHCPSNP-enabled VLAN list, the switch will NOT forward/flood it to any other port that is also a member of that VLAN.

This lets the user easily configure how DHCP packets are forwarded on switch ports.

[Result]
When the DHCP packets - Discover/Request from the clients is received.

Configuration via CLI/WEB/SNMP.

CLI command

Default is vlan-flooding enabled.

Console#con

Console(config)#interface ethernet 1/1

Console(config-if)#ip dhcp snooping vlan-flooding             ---> Enabled

or

Console(config-if)#no ip dhcp snooping vlan-flooding          ---> Disabled

WEB

Security > DHCP Snooping > Step: 3. Configure Interface > Enabled/Disabled Vlan Flooding

SNMP

[SNMPSET command format]

snmpset -v 2c -c private {switch ip} {dhcpSnoopPortVlanFlooding}.{dhcpSnoopPortIfIndex} {integer} {value}

For dhcpSnoopPortVlanFlooding, OID 1.3.6.1.4.1.259.10.1.45.1.46.3.1.1.7

 Set OID 1.3.6.1.4.1.259.10.1.45.1.46.3.1.1.7 to enabled(1) to enable vlan flooding.

 Set OID 1.3.6.1.4.1.259.10.1.45.1.46.3.1.1.7 to disabled(2) to disable vlan flooding.

For dhcpSnoopPortIfIndex: The port interface of dhcpSnoopPortIfIndex

 The ifIndex value of the port or trunk.

Enabled vlan flooding.

Disabled vlan flooding.

Support models and software version:

ECS4120 series v1.2.2.23 and above

This article uses ECS4100-28T for the example.

Step 1:

Setting the static MAC address (40-16-7e-66-a4-36) on port 7.

snmpset -v 2c -c private 192.168.1.1 .1.3.6.1.2.1.17.7.1.3.1.1.3.1.64.22.126.102.164.53.0 x 02

64.22.126.102.164.53 = 40-16-7e-66-a4-36

These values represent the MAC address that you want to set. Each byte of the MAC address needs to be converted from hexadecimal to decimal.

 

Hexadecimal -> Decimal
40 -> 64
16 -> 22
7e -> 126


"02" means port 7. "x" means octets.

- Here's the way to calculate the value.

Please see this form to understand how to specify the value for port number.

- If you want to set the port 1, then the value is 80.

Note:

You cannot use a single digit at the end, e.g. "x 8"; the command will fail.

The correct value of port 1 should be double digits, ex: "x 80".

 

Here's another example.

- If you want to set the port 10, the value is 0040.

Step 2:

Setting the static MAC address type.

snmpset -v 2c -c private 192.168.1.1 .1.3.6.1.2.1.17.7.1.3.1.1.4.1.64.22.126.102.164.53.0 i 3

"i" means integer32.

"3" means type 3. 

- There are five types for this value; Edgecore switches support two of them:

permanent(3)

deleteOnReset(4)

Here's the Result:

We can see that the MAC address has been added to the MAC table via SNMP successfully.
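The byte-to-decimal conversion and the port value rule from Step 1 (port 7 = 02, port 1 = 80, port 10 = 0040) can be computed rather than read from a table. The following Python code is an added example, not Edgecore code: the two OIDs are the ones used in Step 1 and Step 2, while the function names and the sample MAC address are constructed for illustration.

```python
import re

PORT_LIST_OID = ".1.3.6.1.2.1.17.7.1.3.1.1.3"    # Step 1 OID on this page
ENTRY_TYPE_OID = ".1.3.6.1.2.1.17.7.1.3.1.1.4"   # Step 2 OID on this page
ENTRY_TYPES = {"permanent": 3, "deleteOnReset": 4}  # the two supported types


def mac_to_decimal(mac):
    """'40-16-7e-...' -> '64.22.126....' (one decimal number per MAC byte)."""
    parts = mac.replace(":", "-").split("-")
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError("expected six two-digit hex bytes, got %r" % mac)
    return ".".join(str(int(p, 16)) for p in parts)


def ports_to_hex(ports):
    """Encode port numbers as the hex value passed after 'x'.

    Port 1 is the most significant bit of the first octet, port 8 the least
    significant, port 9 the most significant bit of the second octet, etc.
    The result always has two hex digits per octet.
    """
    ports = sorted(set(ports))
    if not ports or ports[0] < 1:
        raise ValueError("port numbers start at 1")
    bitmap = bytearray((ports[-1] + 7) // 8)
    for port in ports:
        octet, bit = divmod(port - 1, 8)
        bitmap[octet] |= 0x80 >> bit
    return bitmap.hex()


def hex_to_ports(value):
    """Decode a port value read back from the switch into port numbers."""
    data = bytes.fromhex(value)  # raises ValueError for a single digit like "8"
    return [octet * 8 + bit + 1
            for octet, byte in enumerate(data)
            for bit in range(8) if byte & (0x80 >> bit)]


def static_mac_commands(switch_ip, community, mac, ports,
                        entry_type="permanent", first_index=1, last_index=0):
    """Return the Step 1 and Step 2 snmpset command lines as strings.

    first_index and last_index are the numbers that surround the MAC in the
    page's OID (".1." before it and ".0" after it); the defaults keep the
    values used on this page.
    """
    index = "%d.%s.%d" % (first_index, mac_to_decimal(mac), last_index)
    prefix = "snmpset -v 2c -c %s %s " % (community, switch_ip)
    return [
        prefix + "%s.%s x %s" % (PORT_LIST_OID, index, ports_to_hex(ports)),
        prefix + "%s.%s i %d" % (ENTRY_TYPE_OID, index, ENTRY_TYPES[entry_type]),
    ]


if __name__ == "__main__":
    # Constructed sample MAC; switch address and community as used on this page.
    for line in static_mac_commands("192.168.1.1", "private",
                                    "00-1b-2c-3d-4e-5f", [7]):
        print(line)
    print(hex_to_ports("0040"))
```
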

 

Supported models: ECS4120 series (V1.2.2.13)

SNMPSET command format.

snmpset -v 2c -c private {switch IP Address} {inetCidrRouteStatus}.{IPv4 or IPv6}.{Destination network segment}.{mask}.{IPv4 or IPv6}.{Next hop} {integer} {value}

{inetCidrRouteStatus}

  • OID: 1.3.6.1.2.1.4.24.7.1.17

{IPv4 or IPv6} 

  • IPv4 OID: 1.4    -->  1 = IPv4, 4 = an IPv4 address is 4 bytes long.
  • IPv6 OID: 2.16  -->  2 = IPv6, 16 = an IPv6 address is 16 bytes long. (Please write each byte in decimal, e.g. 2002::1 = 32.2.0.0.0.0.0.0.0.0.0.0.0.0.0.1)

{value}

  • 4 = Active 
  • 6 = Destroy

Configure IPv4 static route via SNMP.

  • Add an IPv4 static route as follows: 
    ip route 192.168.87.0 255.255.255.0 192.168.2.11
  • NET-SNMP command: 
    snmpset -v 2c -c private 192.168.2.10 1.3.6.1.2.1.4.24.7.1.17.1.4.192.168.87.0.24.1.4.192.168.2.11 i 4
{inetCidrRouteStatus=1.3.6.1.2.1.4.24.7.1.17}.{IPv4=1.4}.{Destination network segment=192.168.87.0}.{mask=24}.{IPv4=1.4}.{Next hop=192.168.2.11}.{integer} {value=4}

Configure IPv6 static route via SNMP.

  • Add an IPv6 static route as follows: 
    ipv6 route 2002:8787::/64 2002::1
  • NET-SNMP command:  
    snmpset -v 2c -c private 192.168.2.10 1.3.6.1.2.1.4.24.7.1.17.2.16.32.2.135.135.0.0.0.0.0.0.0.0.0.0.0.0.64.2.16.32.2.0.0.0.0.0.0.0.0.0.0.0.0.0.1 i 4
{inetCidrRouteStatus=1.3.6.1.2.1.4.24.7.1.17}.{IPv6=2.16}.{Destination network segment="2002:8787::"(Please indicate in Decimal)}.{mask=64}.{IPv6=2.16}.{Next hop="2002::1"(Please indicate in Decimal)}.{integer} {value=4}

Result:
!
interface vlan 1
 ip address 192.168.2.10 255.255.255.0
!
interface craft
!
!
ip route 192.168.87.0 255.255.255.0 192.168.2.11
!
!
interface vlan 1
 ipv6 address 2002::1/64
!
ipv6 route 2002:8787::/64 2002::1
!
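
The OID layout used in the two snmpset commands above can be generated from the CLI route line, and decoded again when checking which routes a switch reports. This Python code is an added example, not Edgecore code; it follows the index layout shown on this page ({type.length.destination}.{mask}.{type.length.next hop}), and all function names are constructed for illustration.

```python
import ipaddress

INET_CIDR_ROUTE_STATUS = "1.3.6.1.2.1.4.24.7.1.17"   # OID from this page
ROW_STATUS = {"active": 4, "destroy": 6}              # values from this page
ADDR_TYPES = {4: (1, 4), 6: (2, 16)}                  # IP version -> (type, length)


def addr_index(address):
    """'192.168.2.11' -> '1.4.192.168.2.11'; '2002::1' -> '2.16.32.2.0...1'."""
    ip = ipaddress.ip_address(address)
    return ".".join(str(n) for n in ADDR_TYPES[ip.version] + tuple(ip.packed))


def route_status_oid(destination, next_hop):
    """Build the full inetCidrRouteStatus instance OID for one static route."""
    # strict=True rejects a destination with host bits set, e.g. 192.168.87.1/24
    net = ipaddress.ip_network(destination, strict=True)
    hop = ipaddress.ip_address(next_hop)
    if net.version != hop.version:
        raise ValueError("destination and next hop must use the same IP version")
    return ".".join([INET_CIDR_ROUTE_STATUS, addr_index(str(net.network_address)),
                     str(net.prefixlen), addr_index(str(hop))])


def cli_to_snmpset(cli_line, switch_ip, community, action="active"):
    """Translate 'ip route ...' or 'ipv6 route ...' into an snmpset command."""
    words = cli_line.split()
    if words[:2] == ["ip", "route"] and len(words) == 5:
        destination, next_hop = words[2] + "/" + words[3], words[4]
    elif words[:2] == ["ipv6", "route"] and len(words) == 4:
        destination, next_hop = words[2], words[3]
    else:
        raise ValueError("unsupported route command: %r" % cli_line)
    return "snmpset -v 2c -c %s %s %s i %d" % (
        community, switch_ip, route_status_oid(destination, next_hop),
        ROW_STATUS[action])


def parse_route_oid(oid):
    """Decode an instance OID back into (destination network, next hop)."""
    base = INET_CIDR_ROUTE_STATUS + "."
    oid = oid.lstrip(".")
    if not oid.startswith(base):
        raise ValueError("not an inetCidrRouteStatus instance")
    nums = [int(n) for n in oid[len(base):].split(".")]

    def take_address(pos):
        if tuple(nums[pos:pos + 2]) not in ADDR_TYPES.values():
            raise ValueError("bad address type/length at position %d" % pos)
        end = pos + 2 + nums[pos + 1]
        if end > len(nums):
            raise ValueError("index is truncated")
        return ipaddress.ip_address(bytes(nums[pos + 2:end])), end

    dest, pos = take_address(0)
    if pos >= len(nums):
        raise ValueError("index is truncated")
    prefix = nums[pos]
    hop, pos = take_address(pos + 1)
    if pos != len(nums):
        raise ValueError("unexpected trailing sub-identifiers")
    return ipaddress.ip_network("%s/%d" % (dest, prefix)), hop


if __name__ == "__main__":
    # The two routes configured on this page.
    print(cli_to_snmpset("ip route 192.168.87.0 255.255.255.0 192.168.2.11",
                         "192.168.2.10", "private"))
    print(cli_to_snmpset("ipv6 route 2002:8787::/64 2002::1",
                         "192.168.2.10", "private"))
```
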
Zero Touch Deployment on ECS4100 series.
 
When the switch boots with a factory default configuration, it can automatically obtain an IP address and a configuration file from a remote server. Once the switch installs the new configuration, it can automatically upgrade the current operational code when a new version is detected on the server.
 
Topology:

 
Procedure:
Step 1:
Prepare a DHCP Server and TFTP Server, and connect it to the ECS4100-12T.
 
Step 2:
Prepare ECS4100-12T’s configuration and the newer firmware.
ECS4100-12T’s configuration:
Enable Automatic Code Upgrade function, and configure the IP address or other needed functions.
Console(config)#upgrade opcode auto
Console(config)#upgrade opcode reload
Console(config)#upgrade opcode path tftp://192.168.1.2/
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.1/24
 
Step 3:
Save the configuration (copy running-config) to a remote device for further modification, then put the configuration to be used on the server.
Console#copy running-config tftp
TFTP server IP address: 192.168.1.2
Destination file name: test.cfg
Success.
Console#
 
Step 4:
Modify the firmware name to “ECS4100-series.bix”.
Please note that the name for the new image stored on the TFTP server must be ECS4100-series.bix.


Step 5:
Configure the setting on DHCP Server.
Option 66/67 must be enabled on the DHCP Server.

 
Step 6:
Boot ECS4100-12T with factory default configuration.
Console# configure
Console(config)# boot system config:Factory_Default_config.cfg
Console(config)# exit
Console# reload
 
Step 7:
Enable DHCP Dynamic Provision.
Console(config)#ip dhcp dynamic-provision

 
Step 8:
ECS4100-12T gets the IP address from the DHCP Server.


Capture the DHCP packets which include option66/67.



After ECS4100-12T installs the new configuration, it starts to look for a new image.
Then ECS4100-12T automatically upgrades the current operational code when a new version is detected on the server.

 
How to configure 802.1x PAE supplicant ?

Support models:
ES3510MA, ES3528MV2, ECS3510-28T/52T, ECS4110 series, ECS4510 series, ECS4620 series

Scenario:

 
When devices attached to a port must submit requests to another authenticator on the network, but the end clients do not support 802.1x authentication, or when untrusted devices and devices without supplicant support must be prevented from connecting to the network, the user can configure the identity profile parameters to identify this switch as a supplicant, and enable dot1x supplicant mode on those ports which must authenticate clients through a remote authenticator.

Test procedures:
Step 1) Configure the management IP address
ECS4120-28Fv2:
   ECS412028Fv2#configure
   ECS412028Fv2(config)#interface vlan 1
   ECS412028Fv2(config-if)#ip address 192.168.1.50/24
 
Step 2) Define an external RADIUS server
ECS4120-28Fv2:
   ECS412028Fv2#configure
   ECS412028Fv2(config)#radius-server 1 host 192.168.1.4 key support
 
Step 3) Check the configuration of RADIUS
ECS412028Fv2#show radius-server
Remote RADIUS Server Configuration:
Server 1:
Server IP Address: 192.168.1.4
Authentication Port Number : 1812
Accounting Port Number : 1813
Retransmit Times : 2
Request Timeout : 5
 
Step 4) Enable 802.1x port authentication globally on ECS4120-28Fv2
ECS4120-28Fv2:
   ECS412028Fv2#configure
   ECS412028Fv2(config)#dot1x system-auth-control
 
Step 5) Configure 802.1x mode on switch port
ECS4120-28Fv2:
   ECS412028Fv2#configure
   ECS412028Fv2(config)#interface ethernet 1/23
   ECS412028Fv2(config-if)#dot1x port-control auto
 
Step 6) Allow multiple hosts to connect to the same switch port
ECS4120-28Fv2:
   ECS412028Fv2#configure
   ECS412028Fv2(config)#interface ethernet 1/23
   ECS412028Fv2(config-if)#dot1x operation-mode multi-host
 
Step 7) Check the 802.1x configuration status is correct
ECS4120-28Fv2:
   ECS412028Fv2#show dot1x
   Global 802.1X Parameters:
   System Auth Control : Enabled
   Authenticator Parameters:
   EAPOL Pass Through : Disabled
   802.1X Port Summary

Port     Type          Operation Mode Control Mode       Authorized
-------- ------------- -------------- ------------------ ---------
Eth 1/21 Disabled      Single-Host    Force-Authorized   Yes
Eth 1/22 Disabled      Single-Host    Force-Authorized   N/A
Eth 1/23 Authenticator Multi-Host     Auto               N/A
Eth 1/24 Disabled      Single-Host    Force-Authorized   N/A
Eth 1/25 Disabled      Single-Host    Force-Authorized   N/A
Eth 1/26 Disabled      Single-Host    Force-Authorized   N/A
 
Step 8) Try to ping the radius server from Client1
Client 1 : Ping failed because the port was not authenticated by RADIUS server.


Step 9) Check that the ECS4110-28P runs a version which supports dot1x supplicant mode
ECS4110-28P(DUT):
Dut1#show version
Unit 1
Serial Number : EC1427000158
Hardware Version : R0A
EPLD Version : 0.00
Number of Ports : 28
Main Power Status : Up
Role : Master
Loader Version : 1.2.0.1
Linux Kernel Version : 2.6.22.18
Boot ROM Version : 0.0.0.1
Operation Code Version : 1.2.3.13
 
Step 10) Enable dot1x supplicant mode on port interface
ECS4110-28P(DUT):
   Dut1#configure
   Dut1(config)#interface ethernet 1/23
   Dut1(config-if)#dot1x pae supplicant
 
Step 11) Set up the dot1x supplicant Username and Password
ECS4110-28P(DUT):
   Dut1#configure
   Dut1(config)#dot1x identity profile username test
   Dut1(config)#dot1x identity profile password support
 
Step 12) Reconnect the port 1/23 of ECS4110-28P to re-authenticate.
ECS4110-28P(DUT):
   Dut1#configure
   Dut1(config)#interface ethernet 1/23
   Dut1(config-if)#shutdown
   Dut1(config-if)#no shutdown
 
Step 13) Check the status of dot1x on ECS4120-28Fv2
ECS4120-28Fv2:
ECS412028Fv2#show dot1x interface ethernet 1/23
802.1X Authenticator is enabled on port 1/23
Reauthentication : Disabled
Reauth Period : 3600 seconds
Quiet Period : 60 seconds
TX Period : 30 seconds
Supplicant Timeout : 30 seconds
Server Timeout : 10 seconds
Reauth Max Retries : 2
Max Request : 2
Operation Mode : Multi-Host
Port Control : Auto
Maximum MAC Count : 5
Intrusion Action : Block traffic
 
Supplicant : 70-72-CF-C8-58-8F // ECS4110-28P(DUT)’s MAC Address
 
Authenticator PAE State Machine
State : Authenticated
Reauth Count : 0
Current Identifier : 1
 
ECS4110-28P(DUT):
Dut1#show dot1x
Global 802.1X Parameters:
System Auth Control : Disabled
Authenticator Parameters:
EAPOL Pass Through : Disabled
Supplicant Parameters:
Identity Profile Username : test
802.1X Port Summary

Port     Type          Operation Mode Control Mode       Authorized
-------- ------------- -------------- ------------------ ----------
Eth 1/22 Disabled      Single-Host    Force-Authorized   N/A
Eth 1/23 Supplicant    Single-Host    Force-Authorized   Yes
Eth 1/24 Disabled      Single-Host    Force-Authorized   N/A
Eth 1/25 Disabled      Single-Host    Force-Authorized   N/A
802.1X Port Details
802.1X Authenticator is disabled on port 1/23
802.1X Supplicant is enabled on port 1/23
Authenticated : Yes
Auth-period : 30 seconds
Held-period : 60 seconds
Start-period : 30 seconds
Max-start : 3
 
Step 14) Capture the packets with Wireshark on the RADIUS server
Authentication succeeded


Step 15) Try to ping the radius server again from Client1
Client 1 : Ping succeeded


Client 2 : Successfully obtains an IP address from the DHCP server and pings the RADIUS server



 

How to upgrade ECS4120 loader version to extend the ECC (Error Correcting code) support?

The ECS4120 Loader version 0.0.3.1 supports ECC (Error Correcting Code).

Environment and Preparation:

  1. The ECS4120 switch MUST have loader version 0.0.2.6 or 0.0.3.0. Check it with the command "show version". (If your version is not 0.0.2.6 or 0.0.3.0, please DO NOT run the script.)
  2. Windows PC(Win7, Win8 or Win10) with one Serial COM port
  3. Script - ECS4120_uboot_upgrade_v2.0.0.zip

Configuration: Modify config.ini

  • [serial] section: Serial COM port

Caution: DO NOT modify [product] section's "type" parameter in the config.ini

Example:

 

How to check Serial COM port on the PC?

In Device Manager (Start -> Run -> devmgmt.msc)

Caution:

Before running the script, please turn OFF all the terminals on the PC and power OFF the Switch.

Upgrade loader:

Step 1: Run the script “uboot_upgrade.exe”.

Double click “uboot_upgrade.exe” to run the script.


Step 2: Power ON the switch

The script will execute automatically.


After upgrading, uboot_upgrade.exe will close by itself.

Caution:

While the script is running, please DO NOT remove the console cable or unplug the power cord.

 

If it failed to upgrade, please send your request and log file to support@edge-core.com.


Trunk is a function that groups ports and combines the links among those ports into a single link.
In the scenario shown below, there are two links between SW1 and SW4 and therefore two loops:
1. Loop A: SW1, SW2, SW3 and SW4
2. Loop B: SW1 and SW4.
 
If more than one loop exists, it causes problems such as wasted CPU utilization. To prevent loops, ports 26 and 27 of SW1 and ports 26 and 28 of SW4 should be trunked as a group. In this way, the two links between SW1 and SW4 are logically identified as one link by the system, and only one loop exists, with port 27 of SW3 blocked.
 

Use the following commands to enable LACP on port 26 and 27 of SW1.
 
SW_1#config
SW_1(config)#interface e 1/26
SW_1(config-if)#lacp
SW_1(config-if)#int e 1/27
SW_1(config-if)#lacp
 
Use the command "show interface status port-channel 1" to check trunk group members. As shown below, port 26 and 27 of SW1 are member ports of trunk group 1.
 
SW_1#sh int status port-channel 1
Information of Trunk 1
 Basic Information:
  Port Type              : 1000BASE-T
  MAC Address            : 70-72-CF-58-F9-25
 Configuration:
  Name                   :
  Port Admin             : Up
  Speed-duplex           : Auto
  Capabilities           : 10half, 10full, 100half, 100full, 1000full
  Broadcast Storm        : Enabled
  Broadcast Storm Limit  : 64 Kbits/second
  Multicast Storm        : Disabled
  Multicast Storm Limit  : 64 Kbits/second
  Unknown Unicast Storm       : Disabled
  Unknown Unicast Storm Limit : 64 Kbits/second
  Flow Control           : Disabled
  VLAN Trunking          : Disabled
 Current Status:
  Created By             : LACP
  Link Status            : Up
  Port Operation Status  : Up
  Operation Speed-duplex : 1000full
  Up Time                : 0w 0d 0h 3m 45s (225 seconds)
  Flow Control Type      : None
  Max Frame Size         : 1518 bytes (1522 bytes for tagged frames)
  Member Ports           : Eth1/26, Eth1/27
 
Use the command "show spanning-tree port-channel 1" to check information such as role and state of each port.
 
SW_1#sh spanning-tree port-channel 1
Trunk 1 Information
---------------------------------------------------------------
 Admin Status                      : Enabled
 Role                              : Designate
 State                             : Forwarding
 Admin Path Cost                   : 0
 Oper Path Cost                    : 2500
 Priority                          : 128
 Designated Cost                   : 0
 Designated Port                   : 128.33
 Designated Root                   : 4096.7072CF58F90B
 Designated Bridge                 : 4096.7072CF58F90B
 Forward Transitions               : 24
 Admin Edge Port                   : Auto
 Oper Edge Port                    : Disabled
 Admin Link Type                   : Auto
 Oper Link Type                    : Point-to-point
 Flooding Behavior                 : Enabled
 Spanning-Tree Status              : Enabled
 Loopback Detection Status         : Enabled
 Loopback Detection Release Mode   : Auto
 Loopback Detection Trap           : Disabled
 Loopback Detection Action         : Block
 Root Guard Status                 : Disabled
 BPDU Guard Status                 : Disabled
 BPDU Guard Auto Recovery          : Disabled
 BPDU Guard Auto Recovery Interval : 300
 BPDU Filter Status                : Disabled
 

1. To prevent loop

 

As shown in the figure above, there are 3 traffic paths from VLC server to PC2:
Path 1(red): from SW1 port 26 to SW4 port 26;
Path 2(blue): from SW1 port 27 to SW4 port 28;
Path 3(green): from SW1 port 28 to SW2 port 27, from SW2 port 28 to SW3 port 27, from SW3 port 28 to SW4 port 27 then to SW4 port 1.

Therefore, there are two loops in the topology:

 

As shown in the figures above, when the switch receives a broadcast, multicast or unknown unicast packet from the VLC server, the packet is flooded to port 26 (packet 2 yellow) and port 27 (packet 2 green). When SW4 receives the packet on port 26, the packet is flooded to port 1 (packet 3 yellow) and port 28 (packet 3 yellow). When SW4 receives the packet on port 28, the packet is flooded to port 1 (packet 3 green) and port 26 (packet 3 green). In this way, packets occupy every port that is connected to a switch, which results in a failure to serve normal packets and sometimes in wasted CPU utilization.

Spanning Tree Protocol is a mechanism that automatically detects loops in the network and blocks the redundant paths to keep only one path for two nodes in the network. Rapid Spanning Tree Protocol (RSTP) is an enhancement of STP and provides faster spanning tree convergence. RSTP uses path cost, bridge ID and port priority/port ID of BPDU to prioritize the paths and then to establish a spanning tree.

2. To Provide Redundant path

Sometimes users create a loop intentionally in order to build a redundant path in case a link on the path fails. Traffic dynamically switches to the redundant path and network operation is maintained when the link on the default path fails.

 

When the link between SW1 port 26 and SW4 port 26 is down, SW1 port 27 which is in blocking state (Alternate Role) automatically forwards. Therefore, traffic from VLC server switches to the link between SW1 port 27 and SW4 port 28.

Use command "show log ram" to see the change log.

SW_1#sh log ram
[3] 08:59:45 2011-12-08
   'STA topology change happened on Eth 1/27.'
   level : 6, module : 5, function : 1, and event no. : 1
[2] 08:59:45 2011-12-08
   'STP port state: MSTID 0, Eth 1/27 becomes forwarding.'
   level : 6, module : 5, function : 1, and event no. : 1
[1] 08:59:45 2011-12-08
   'STP port state: MSTID 0, Eth 1/26 becomes non-forwarding.'
   level : 6, module : 5, function : 1, and event no. : 1
[0] 08:59:45 2011-12-08
   'Unit 1, Port 26 link-down notification.'
   level : 6, module : 5, function : 1, and event no. : 1


SW_4-0#sh log ram
[2] 08:28:56 2011-12-08
   'STA topology change happened on Eth 1/27.'
   level : 6, module : 5, function : 1, and event no. : 1
[1] 08:28:54 2011-12-08
   'STP port state: MSTID 0, Eth 1/26 becomes non-forwarding.'
   level : 6, module : 5, function : 1, and event no. : 1
[0] 08:28:54 2011-12-08
   'Unit 1, Port 26 link-down notification.'
   level : 6, module : 5, function : 1, and event no. : 1

SW_2-0#sh log ram
[1] 09:00:39 2011-12-08
   'User(admin/Telnet) (192.168.1.1), login successful.'
   level : 6, module : 5, function : 1, and event no. : 1
[0] 08:58:43 2011-12-08
   '192.168.1.1 VTY user admin, logout from PRIV. EXEC mode.'
   level : 6, module : 1, function : 0, and event no. : 1

SW_3-0#sh log ram
[2] 08:28:51 2011-12-08
   'User(admin/Telnet) (192.168.1.1), login successful.'
   level : 6, module : 5, function : 1, and event no. : 1
[1] 08:27:48 2011-12-08
   'STA topology change happened on Eth 1/27.'
   level : 6, module : 5, function : 1, and event no. : 1
[0] 08:27:12 2011-12-08
   '192.168.1.1 VTY user admin, logout from PRIV. EXEC mode.'
   level : 6, module : 1, function : 0, and event no. : 1

Users change the port priority in order to specify the forwarding port and/or blocking port. In general, the port with smaller port priority ID would be configured as the forwarding port whereas the port with bigger port priority ID would be the blocking port. For example, if users want to configure SW1 port 27 as forwarding port and the port priority ID of SW4 port 26 is 128, the port priority ID of SW1 port 27 should be changed to a number smaller than 128.
 
SW_4(config)#interface ethernet 1/27
SW_4(config-if)#spanning-tree port-priority ?
  <0-240>  Spanning-tree port priority value in steps of 16
 
Please note that the port priority value can only be set in steps of 16, in the range 0-240.
 
SW_4(config-if)#spanning-tree port-priority 16
 

A switch is configured as root if it has the smallest priority ID. Therefore, by changing the priority ID to the smallest ID, users could configure any switch as root. For example, use the following commands to change the priority of SW1 to 4096:

SW_1(config)#spanning-tree priority?
  <0-61440>  Spanning-tree priority value in steps of 4096

Please note that the priority ID value can only be changed in steps of 4096, from 0 to 61440.

SW_1(config)# spanning-tree priority 4096

After changing priority ID of SW1 to 4096, SW1 is configured as the Root and the blocking port is changed to SW4 port 28 and SW3 port 27.

How to check port statistics via SNMP OID on ECS2100 series ?
 
Interface.png
Received Octets :
1.3.6.1.2.1.31.1.1.1.6 (ifHCInOctets, 64-bit version)
1.3.6.1.2.1.2.2.1.10 (ifInOctets, 32-bit version)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.31.1.1.1.6.1
IF-MIB::ifHCInOctets.1 = Counter64: 1751607
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.2.2.1.10.1
IF-MIB::ifInOctets.1 = Counter32: 1751607
 
Transmitted Octets :
1.3.6.1.2.1.31.1.1.1.10 (ifHCOutOctets, 64-bit version)
1.3.6.1.2.1.2.2.1.16 (ifOutOctets, 32-bit version)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.31.1.1.1.10.1
IF-MIB::ifHCOutOctets.1 = Counter64: 1045353
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.2.2.1.16.1
IF-MIB::ifOutOctets.1 = Counter32: 1045353
 
Received Errors :
1.3.6.1.2.1.2.2.1.14 (ifInErrors)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.2.2.1.14.1
IF-MIB::ifInErrors.1 = Counter32: 0
 
Transmitted Errors :
1.3.6.1.2.1.2.2.1.20 (ifOutErrors)
The ECS2100 series does not support this counter.
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.2.2.1.20.1
IF-MIB::ifOutErrors.1 = No Such Instance currently exists at this OID
 
Received Unicast Packets :
1.3.6.1.2.1.31.1.1.1.7 (ifHCInUcastPkts, 64-bit version)
1.3.6.1.2.1.2.2.1.11 (ifInUcastPkts, 32-bit version)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.31.1.1.1.7.1
IF-MIB::ifHCInUcastPkts.1 = Counter64: 79
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.2.2.1.11.1
IF-MIB::ifInUcastPkts.1 = Counter32: 79
 
Transmitted Unicast Packets :
1.3.6.1.2.1.31.1.1.1.11 (ifHCOutUcastPkts, 64-bit version)
1.3.6.1.2.1.2.2.1.17 (ifOutUcastPkts, 32-bit version)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.31.1.1.1.11.1
IF-MIB::ifHCOutUcastPkts.1 = Counter64: 1684
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.2.2.1.17.1
IF-MIB::ifOutUcastPkts.1 = Counter32: 1684
 
Received Discarded Packets :
1.3.6.1.2.1.2.2.1.13 (ifInDiscards)
The ECS2100 series does not support this counter and always returns the value 0.
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.2.2.1.13.1
IF-MIB::ifInDiscards.1 = Counter32: 0
 
Transmitted Discarded Packets :
1.3.6.1.2.1.2.2.1.19 (ifOutDiscards)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.2.2.1.19.1
IF-MIB::ifOutDiscards.1 = Counter32: 0
 
Received Multicast Packets :
1.3.6.1.2.1.31.1.1.1.8 (ifHCInMulticastPkts, 64-bit version)
1.3.6.1.2.1.31.1.1.1.2 (ifInMulticastPkts, 32-bit version)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.31.1.1.1.8.1
IF-MIB::ifHCInMulticastPkts.1 = Counter64: 20
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.31.1.1.1.2.1
IF-MIB::ifInMulticastPkts.1 = Counter32: 20
 
Transmitted Multicast Packets :
1.3.6.1.2.1.31.1.1.1.12 (ifHCOutMulticastPkts, 64-bit version)
1.3.6.1.2.1.31.1.1.1.4 (ifOutMulticastPkts, 32-bit version)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.31.1.1.1.12.1
IF-MIB::ifHCOutMulticastPkts.1 = Counter64: 2134
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.31.1.1.1.4.1
IF-MIB::ifOutMulticastPkts.1 = Counter32: 2134
 
Received Broadcast Packets :
1.3.6.1.2.1.31.1.1.1.9 (ifHCInBroadcastPkts, 64-bit version)
1.3.6.1.2.1.31.1.1.1.3 (ifInBroadcastPkts, 32-bit version)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.31.1.1.1.9.1
IF-MIB::ifHCInBroadcastPkts.1 = Counter64: 18069
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.31.1.1.1.3.1
IF-MIB::ifInBroadcastPkts.1 = Counter32: 18069
 
Transmitted Broadcast Packets :
1.3.6.1.2.1.31.1.1.1.13 (ifHCOutBroadcastPkts, 64-bit version)
1.3.6.1.2.1.31.1.1.1.5 (ifOutBroadcastPkts, 32-bit version)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.31.1.1.1.13.1
IF-MIB::ifHCOutBroadcastPkts.1 = Counter64: 5833
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.31.1.1.1.5.1
IF-MIB::ifOutBroadcastPkts.1 = Counter32: 5833
 
Received Unknown Packets :
1.3.6.1.2.1.2.2.1.15 (ifInUnknownProtos)
The ECS2100 series does not support this counter.
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.2.2.1.15.1
IF-MIB::ifInUnknownProtos.1 = No Such Instance currently exists at this OID
 
QLen Output - the length of the output packet queue (in packets) :
1.3.6.1.2.1.2.2.1.21 (ifOutQLen)
The ECS2100 series does not support this counter.
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.2.2.1.21.1
IF-MIB::ifOutQLen.1 = No Such Instance currently exists at this OID
 
 
Etherlike.png
Single Collision Frames :
1.3.6.1.2.1.10.7.2.1.4 (dot3StatsSingleCollisionFrames)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.10.7.2.1.4.1
SNMPv2-SMI::transmission.7.2.1.4.1 = Counter32: 0
 
Multiple Collision Frames :
1.3.6.1.2.1.10.7.2.1.5 (dot3StatsMultipleCollisionFrames)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.10.7.2.1.5.1
SNMPv2-SMI::transmission.7.2.1.5.1 = Counter32: 0
 
Late Collisions :
1.3.6.1.2.1.10.7.2.1.8 (dot3StatsLateCollisions)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.10.7.2.1.8.1
SNMPv2-SMI::transmission.7.2.1.8.1 = Counter32: 0
 
Excessive Collisions :
1.3.6.1.2.1.10.7.2.1.9 (dot3StatsExcessiveCollisions)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.10.7.2.1.9.1
SNMPv2-SMI::transmission.7.2.1.9.1 = Counter32: 0
 
Deferred Transmissions :
1.3.6.1.2.1.10.7.2.1.7 (dot3StatsDeferredTransmissions)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.10.7.2.1.7.1
SNMPv2-SMI::transmission.7.2.1.7.1 = Counter32: 0
 
Frames Too Long :
1.3.6.1.2.1.10.7.2.1.13 (dot3StatsFrameTooLongs)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.10.7.2.1.13.1
SNMPv2-SMI::transmission.7.2.1.13.1 = Counter32: 0
 
Symbol Errors :
1.3.6.1.2.1.10.7.2.1.18 (dot3StatsSymbolErrors)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.10.7.2.1.18.1
SNMPv2-SMI::transmission.7.2.1.18.1 = Counter32: 0
 
Pause Frames Input :
1.3.6.1.2.1.10.7.10.1.3 (dot3InPauseFrames)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.10.7.10.1.3.1
SNMPv2-SMI::transmission.7.10.1.3.1 = Counter32: 0
 
Pause Frames Output :
1.3.6.1.2.1.10.7.10.1.4 (dot3OutPauseFrames)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.10.7.10.1.4.1
SNMPv2-SMI::transmission.7.10.1.4.1 = Counter32: 0
 
Alignment Errors :
1.3.6.1.2.1.10.7.2.1.2 (dot3StatsAlignmentErrors)
The ECS2100 series does not support this counter.
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.10.7.2.1.2.1
SNMPv2-SMI::transmission.7.2.1.2.1 = No Such Instance currently exists at this OID
 
FCS Errors :
1.3.6.1.2.1.10.7.2.1.3 (dot3StatsFCSErrors)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.10.7.2.1.3.1
SNMPv2-SMI::transmission.7.2.1.3.1 = Counter32: 0
 
SQE Test Errors :
1.3.6.1.2.1.10.7.2.1.6 (dot3StatsSQETestErrors)
The ECS2100 series does not support this counter.
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.10.7.2.1.6.1
SNMPv2-SMI::transmission.7.2.1.6.1 = No Such Instance currently exists at this OID
 
Carrier Sense Errors :
1.3.6.1.2.1.10.7.2.1.11 (dot3StatsCarrierSenseErrors)
The ECS2100 series does not support this counter.
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.10.7.2.1.11.1
SNMPv2-SMI::transmission.7.2.1.11.1 = No Such Instance currently exists at this OID
 
Internal MAC Receive Errors :
1.3.6.1.2.1.10.7.2.1.16 (dot3StatsInternalMacReceiveErrors)
The ECS2100 series does not support this counter.
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.10.7.2.1.16.1
SNMPv2-SMI::transmission.7.2.1.16.1 = No Such Instance currently exists at this OID
 
Internal MAC Transmit Errors :
1.3.6.1.2.1.10.7.2.1.10 (dot3StatsInternalMacTransmitErrors)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.10.7.2.1.10.1
SNMPv2-SMI::transmission.7.2.1.10.1 = Counter32: 0
 
 
RMON.png
Drop Events :
1.3.6.1.2.1.16.1.1.1.3 (etherStatsDropEvents)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.16.1.1.1.3.1
SNMPv2-SMI::mib-2.16.1.1.1.3.1 = Counter32: 0
 
Jabbers :
1.3.6.1.2.1.16.1.1.1.12 (etherStatsJabbers)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.16.1.1.1.12.1
SNMPv2-SMI::mib-2.16.1.1.1.12.1 = Counter32: 0
 
Fragments :
1.3.6.1.2.1.16.1.1.1.11 (etherStatsFragments)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.16.1.1.1.11.1
SNMPv2-SMI::mib-2.16.1.1.1.11.1 = Counter32: 0
 
Collisions :
1.3.6.1.2.1.16.1.1.1.13 (etherStatsCollisions)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.16.1.1.1.13.1
SNMPv2-SMI::mib-2.16.1.1.1.13.1 = Counter32: 0
 
Received Octets :
1.3.6.1.2.1.16.1.1.1.4 (etherStatsOctets)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.16.1.1.1.4.1
SNMPv2-SMI::mib-2.16.1.1.1.4.1 = Counter32: 2796960
 
Received Packets :
1.3.6.1.2.1.16.1.1.1.5 (etherStatsPkts)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.16.1.1.1.5.1
SNMPv2-SMI::mib-2.16.1.1.1.5.1 = Counter32: 23320
 
Broadcast Packets :
1.3.6.1.2.1.16.1.1.1.6 (etherStatsBroadcastPkts)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.16.1.1.1.6.1
SNMPv2-SMI::mib-2.16.1.1.1.6.1 = Counter32: 23902
 
Multicast Packets :
1.3.6.1.2.1.16.1.1.1.7 (etherStatsMulticastPkts)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.16.1.1.1.7.1
SNMPv2-SMI::mib-2.16.1.1.1.7.1 = Counter32: 2154
 
CRC Align Errors :
1.3.6.1.2.1.16.1.1.1.8 (etherStatsCRCAlignErrors)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.16.1.1.1.8.1
SNMPv2-SMI::mib-2.16.1.1.1.8.1 = Counter32: 0
 
Undersize Packets :
1.3.6.1.2.1.16.1.1.1.9 (etherStatsUndersizePkts)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.16.1.1.1.9.1
SNMPv2-SMI::mib-2.16.1.1.1.9.1 = Counter32: 0
 
Oversize Packets :
1.3.6.1.2.1.16.1.1.1.10 (etherStatsOversizePkts)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.16.1.1.1.10.1
SNMPv2-SMI::mib-2.16.1.1.1.10.1 = Counter32: 0
 
64 Byte Packets :
1.3.6.1.2.1.16.1.1.1.14 (etherStatsPkts64Octets)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.16.1.1.1.14.1
SNMPv2-SMI::mib-2.16.1.1.1.14.1 = Counter32: 4522
 
65-127 Byte Packets :
1.3.6.1.2.1.16.1.1.1.15 (etherStatsPkts65to127Octets)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.16.1.1.1.15.1
SNMPv2-SMI::mib-2.16.1.1.1.15.1 = Counter32: 21524
 
128-255 Byte Packets :
1.3.6.1.2.1.16.1.1.1.16 (etherStatsPkts128to255Octets)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.16.1.1.1.16.1
SNMPv2-SMI::mib-2.16.1.1.1.16.1 = Counter32: 887
 
256-511 Byte Packets :
1.3.6.1.2.1.16.1.1.1.17 (etherStatsPkts256to511Octets)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.16.1.1.1.17.1
SNMPv2-SMI::mib-2.16.1.1.1.17.1 = Counter32: 827
 
512-1023 Byte Packets :
1.3.6.1.2.1.16.1.1.1.18 (etherStatsPkts512to1023Octets)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.16.1.1.1.18.1
SNMPv2-SMI::mib-2.16.1.1.1.18.1 = Counter32: 53
 
1024-1518 Byte Packets :
1.3.6.1.2.1.16.1.1.1.19 (etherStatsPkts1024to1518Octets)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.2.1.16.1.1.1.19.1
SNMPv2-SMI::mib-2.16.1.1.1.19.1 = Counter32: 6
 
 
Utilization.png
Input Octets in kbits per second :
1.3.6.1.4.1.259.10.1.43.1.2.6.1.2 (portInOctetRate)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.4.1.259.10.1.43.1.2.6.1.2.1
SNMPv2-SMI::enterprises.259.10.1.43.1.2.6.1.2.1 = Counter64: 0
 
Input Packets per second :
1.3.6.1.4.1.259.10.1.43.1.2.6.1.3 (portInPacketRate)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.4.1.259.10.1.43.1.2.6.1.3.1
SNMPv2-SMI::enterprises.259.10.1.43.1.2.6.1.3.1 = Counter64: 0
 
Input Utilization :
1.3.6.1.4.1.259.10.1.43.1.2.6.1.4 (portInUtil)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.4.1.259.10.1.43.1.2.6.1.4.1
SNMPv2-SMI::enterprises.259.10.1.43.1.2.6.1.4.1 = INTEGER: 0
 
Output Octets in kbits per second :
1.3.6.1.4.1.259.10.1.43.1.2.6.1.5 (portOutOctetRate)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.4.1.259.10.1.43.1.2.6.1.5.1
SNMPv2-SMI::enterprises.259.10.1.43.1.2.6.1.5.1 = Counter64: 0
 
Output Packets per second :
1.3.6.1.4.1.259.10.1.43.1.2.6.1.6 (portOutPacketRate)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.4.1.259.10.1.43.1.2.6.1.6.1
SNMPv2-SMI::enterprises.259.10.1.43.1.2.6.1.6.1 = Counter64: 0
 
Output Utilization :
1.3.6.1.4.1.259.10.1.43.1.2.6.1.7 (portOutUtil)
C:\>snmpwalk -v 2c -c private 10.2.28.216 1.3.6.1.4.1.259.10.1.43.1.2.6.1.7.1
SNMPv2-SMI::enterprises.259.10.1.43.1.2.6.1.7.1 = INTEGER: 0
 
How to log in as privilege-8 and use “enable” to access privilege-15?
 
Model Name: ECS4620 series
Firmware Version: v1.2.2.19

1. Create the privilege-8 and privilege-15 accounts and set the enable password on the TACACS server.
 

2. Then enter the following commands on the switch:
Console(config)#tacacs-server 1 host [tacacs server ip] key [tacacs server's key]
Console(config)#authentication login tacacs local
Console(config)#authentication enable tacacs local
Console(config)#line console
Console(config-line-console)#authorization exec default


3. Log in to the switch with the privilege-8 account, then use “enable” to access privilege-15.

PS. If you want to log in via telnet, you also need to set “authorization exec default” under line vty.
 
Console#show privilege
Current privilege level is 15
Console#configure
Console(config)#line vty
Console(config-line-vty)#authorization exec default

 

 
Description:
When the user changes the default login method to use no username, the user will only need to enter the password.
 
  1. Topology:

 
  1. Switch configuration:
 
  1. Reset switch to default.
Console#conf
Console(config)#boot system config:Factory_Default_Config.cfg
Console(config)#
Console#reload
System will be restarted. Continue ? y

 
  1. Set line console/vty password
Console#config
Console(config)#line console
Console(config-line-console)#password 0 support
Console(config-line-console)#login
Console(config-line-console)#exit
Console(config)#line vty
Console(config-line-vty)#password 0 support
Console(config-line-vty)#login
Console(config-line-vty)#


 
  1. Verify
Now a user logging in via console or vty only needs to enter the password.
 
 
When the user logs in with the password set for console/vty, the user’s privilege level is 0. The user needs to use the command “enable” to get privilege level 15.
The default enable password is “super”.
 

 
Why can't users set a description for a BGP neighbor?
Model: AS5710-54X-EC
 
Console(config-router)#neighbor x.x.x.x description Edge-Core
Failed to set neighbor description.
Console(config-router)#
 
Solution:
Users must first set “neighbor remote-as” for the neighbor. After that, they are able to set the BGP neighbor description.
 
Console#con
Console(config)#router bgp 1
Console(config-router)#neighbor 192.168.1.2 remote-as 2
Console(config-router)#neighbor 192.168.1.2 description Edge-Core
Console(config-router)#
 
What BGP log messages are supported on the AS5710-54X-EC?
 
Answer: The AS5710-54X-EC supports 3 BGP log messages.
  1. BGP_NEIGHBOR_CHANGE_MESSAGE   "BGP: %s"
  2. BGP_ESTABLISHED_NOTIFICATION_MESSAGE   "BGP established, ip: %s, last err: 0x%04x, state: %s"
  3. BGP_BACKWARD_TRANS_NOTIFICATION_MESSAGE   "BGP backward trans, ip: %s, last err: 0x%04x, state: %s"
Answer:
No, the unit ID on all Edgecore switches starts from 1.
Some stackable switches (e.g. ECS4510, ECS4620) may have 4 units in a stack for management. In that case the unit ID ranges from 1 to 4.
 
For example:
If the client connects to port 2 of the second unit in the stack, the interface would be "eth 2/2".
How to set up the "auto-upgrade" on ECS4100 Series?
 
Scenario:
 

 
Procedures:
1. Upload the firmware to the TFTP server and name the file “ECS4100-series.bix”.

2. Configure the IP address on the switch. (The management IP address is 192.168.2.10/24 by default.)
Console#configure
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.199.10/24
 
3. Enable the auto-upgrade function in global configuration mode.
Console(config)#upgrade opcode auto
Console(config)#upgrade opcode reload
 
4. Configure the directory path of the TFTP server.
Console(config)#upgrade opcode path tftp://192.168.199.2/

 
5. Save the configuration file.
Console#copy running-config startup-config

6. Reboot the switch.

7. After rebooting, the switch will look for a newer firmware version. If there is a newer firmware, the switch will upgrade automatically and restart the system.

8. Now the switch boots up with the newer version.

 
How to set up “DHCP Dynamic Provision” on ECS4100 Series?
 
Scenario:

 
 
Introduction:
When the switch obtains the IP address from the DHCP server, it will download the configuration from TFTP server and apply the configuration automatically.
 
Procedures:
1. Put the configuration file on the TFTP server.
2. The DHCP server must be set up with option 66 (TFTP server name) and option 67 (Bootfile name).
For example:
Serva32.exe is a free software tool which contains a DHCP and a TFTP server. (http://www.vercot.com/~serva/)

 
3. The DHCP options are disabled by default. The user has to enable “DHCP Dynamic Provision” in global configuration mode.
Console#configure
Console(config)#ip dhcp dynamic-provision

 
4. Configure the switch to obtain management IP address from the DHCP server.
Console(config)#interface vlan 1
Console(config-if)#ip address dhcp

 
5. The switch sends the DHCP discover packet to acquire an IP address.

 
6. When the switch obtains the IP address, it will start to download the configuration file from the TFTP server and apply the configuration automatically.

*The configuration file will be set to the startup file automatically.
Test result of Cable Diagnostics among Edgecore switches (ES3528M, ECS3510-28T, ECS4100-52T)
Cable diagnostics report either (A) cable failures, along with the status and approximate distance to a fault, or (B) the approximate cable length if no fault is found.






 
Install and configure MRTG on Ubuntu

System info:
Ubuntu 16.04.2 LTS (Desktop, amd64)

 
Package info:
  1. snmpd           v5.7.3
  2. mrtg               v2.17.4
  3. apache2        v2.4.18

 

 Install and configure steps:

0. Update the source package list
sudo apt-get update

 
1. snmpd
1-1  Install packages
sudo apt-get install snmp
sudo apt-get install snmpd
 

 
1-2  Create the snmp community string
echo 'rocommunity public' | sudo tee /etc/snmp/snmpd.conf

1-3  Restart the snmpd service
sudo service snmpd restart
 
  
     
 1-4  Test snmpd (it should return OIDs)
 snmpwalk -v 1 -c public localhost
 
  
Reference:
http://www.debianhelp.co.uk/snmp.htm
http://www.net-snmp.org/docs/readmefiles.html

2. mrtg
2-1  Install mrtg
sudo apt-get install mrtg

2-2  Configure mrtg.cfg
sudo vi /etc/mrtg.cfg

 
3. apache2
3-1  Install apache2
sudo apt-get install apache2

 
3-2  Configure apache2.conf
sudo vi /etc/apache2/apache2.conf

 At the end of this file, add Alias /mrtg "/var/www/mrtg" to link the URL to the file path.
 Syntax: Alias URL-path file-path/directory-path
 
 3-3  Create a new folder to save the MRTG data
 sudo mkdir /var/www/mrtg

  3-4  Create the MRTG data (the command needs to be executed 3 times)
  sudo env LANG=C /usr/bin/mrtg /etc/mrtg.cfg

If successful, you can find the data under /var/www/mrtg/
 
3-5  Link test.html to index.html
sudo ln -s /var/www/mrtg/test.html /var/www/mrtg/index.html

 With this link, the MRTG page can be accessed at http://192.168.1.20/mrtg.
 There is no need to use http://192.168.1.20/mrtg/test.html to access this page.
 
 3-6  Restart apache web service
 sudo service apache2 restart


Result:
You can now access the MRTG statistics page ( http:// Ubuntu_server 's IP/mrtg )
This page refreshes every 5 minutes.
 

 
 
How to configure the QinQ (Basic QinQ) on ES3510MA?


Firmware Version: 1.5.1.18
IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs.
QinQ tunneling expands VLAN space by using a VLAN-in-VLAN hierarchy, preserving the customer’s original tagged packets, and adding SPVLAN tags to each frame (also called double tagging).
 
At SW 1 and SW4
1. Configure access mode
Console(config)#interface ethernet 1/1
Console(config-if)#switchport mode access
Console(config-if)#switchport native vlan 2
Console(config-if)#switchport allowed vlan remove 1
2. Configure trunk mode
Console(config)#interface ethernet 1/9
Console(config-if)#switchport mode trunk
Console(config-if)#switchport allowed vlan add 2 tagged
Console(config-if)#switchport allowed vlan remove 1
 
At SW2 and SW3
1. Enable QinQ  
Console(config)#dot1q-tunnel system-tunnel-control
2. Configure Q-in-Q access port 
Console(config)#interface ethernet 1/1
Console(config-if)#switchport allowed vlan add 20 untagged
Console(config-if)#switchport native vlan 20
Console(config-if)#switchport allowed vlan remove 1
Console(config-if)#switchport dot1q-tunnel mode access
3. Configure Q-in-Q uplink port 
Console(config)#interface ethernet 1/5
Console(config-if)#switchport allowed vlan add 20 tagged
Console(config-if)#switchport dot1q-tunnel mode uplink
 
Check the status on the switch
Console#show dot1q-tunnel
802.1Q Tunnel Status : Enabled
Port     Mode   TPID (Hex) Priority Mapping
-------- ------ ---------- ----------------
Eth 1/ 1 Access       8100 Disabled        
Eth 1/ 2 Normal       8100 Disabled        
Eth 1/ 3 Normal       8100 Disabled        
Eth 1/ 4 Normal       8100 Disabled        
Eth 1/ 5 Uplink       8100 Disabled        
Eth 1/ 6 Normal       8100 Disabled        
Eth 1/ 7 Normal       8100 Disabled
Eth 1/ 8 Normal       8100 Disabled
Eth 1/ 9 Normal       8100 Disabled
Eth 1/ 10 Normal       8100 Disabled
 
The packet, captured from SW1 to SW2.

 
The packet, captured from SW2 to SW3.


The packet, captured from SW3 to SW4.
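
The tag stack expected on each of the three links, as an added Python example (not from the original page). It assumes SW1's trunk port faces the Q-in-Q access port of SW2 and SW3's access port faces SW4's trunk, uses the customer VLAN 2, SPVLAN 20 and TPID 8100 from the configuration above, and a constructed test frame; the helper names are hypothetical.

```python
import struct

TPID = 0x8100  # TPID shown for every port in "show dot1q-tunnel" above


def build_frame(dst, src, vids, ethertype, payload):
    """Build an Ethernet frame; vids lists the VLAN IDs, outermost tag first."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = dst + src
    for vid in vids:
        if not 1 <= vid <= 4094:
            raise ValueError(f"invalid VLAN ID {vid}")
        header += struct.pack("!HH", TPID, vid)  # PCP and DEI bits left at 0
    return header + struct.pack("!H", ethertype) + payload


def parse_vlan_stack(frame, tpids=(TPID,)):
    """Return (VLAN IDs outermost first, inner EtherType, payload)."""
    offset, vids = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before EtherType")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in tpids:
            return vids, etype, frame[offset + 2:]
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4


def tunnel_push(frame, spvlan):
    """Tunnel access port, ingress: add the SPVLAN tag outside the customer tag."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    return frame[:12] + struct.pack("!HH", TPID, spvlan) + frame[12:]


def tunnel_pop(frame, spvlan):
    """Tunnel access port, egress: strip the outer tag, which must be the SPVLAN."""
    vids, _, _ = parse_vlan_stack(frame)
    if not vids or vids[0] != spvlan:
        raise ValueError("outer tag is not the expected SPVLAN")
    return frame[:12] + frame[16:]


def walk_topology():
    """Follow one constructed customer frame across the three links."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")  # constructed, locally administered MAC
    payload = bytes(46)                  # constructed padding payload
    sw1_to_sw2 = build_frame(dst, src, [2], 0x0800, payload)  # trunk, VLAN 2 tagged
    sw2_to_sw3 = tunnel_push(sw1_to_sw2, 20)                  # SPVLAN 20 added
    sw3_to_sw4 = tunnel_pop(sw2_to_sw3, 20)                   # SPVLAN 20 removed
    return {
        "SW1->SW2": parse_vlan_stack(sw1_to_sw2)[0],
        "SW2->SW3": parse_vlan_stack(sw2_to_sw3)[0],
        "SW3->SW4": parse_vlan_stack(sw3_to_sw4)[0],
    }


if __name__ == "__main__":
    for link, vids in walk_topology().items():
        print(link, vids)
```

Because both tags use TPID 8100, a capture filter or monitoring rule on the SW2 to SW3 link that reads only the first tag sees VLAN 20; the customer VLAN is the second entry of the stack.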
We do not support enabling/disabling the PoE function in the private MIB.
However, users may enable/disable the PoE function via the standard MIB, POWER-ETHERNET-MIB.
SNMPSET command format:
snmpset -v 2c -c public <switch ip> <pethPsePortAdminEnable>.<pethPsePortGroupIndex>.<pethPsePortIndex> <integer> <value>
pethPsePortAdminEnable = true(1), false(2)
 
For example:
Disable the PoE function on eth1/3.
(1) pethPsePortAdminEnable (Integer 2 : false)
C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.2.1.105.1.1.1.3.1.3 i 2
SNMPv2-SMI::mib-2.105.1.1.1.3.1.3 = INTEGER: 2
 
Result

 
 
How to set the Traffic-segmentation?
 
Supported models: ECS4620 Series, ECS4510 Series, ECS4120 Series, ECS4100 Series, ECS4110 Series, ECS4210, ECS3500 Series, ECS2100 Series
 
When traffic segmentation is enabled:
  1. Ping from 192.168.1.101 to 192.168.1.102 will fail. (downlink port to downlink port)
  2. Ping from 192.168.1.101 to 192.168.1.112 will pass. (downlink port to uplink port)
 

 
Setting traffic-segmentation
Console(config)#traffic-segmentation uplink ethernet 1/12
Console(config)#traffic-segmentation downlink ethernet 1/1-2
Console(config)#traffic-segmentation
Console(config)#end
Console#show traffic-segmentation
 
 Traffic segmentation Status   :        Enabled
 Uplink-to-Uplink Mode      :        Blocking
 
 Session   Uplink Ports           Downlink Ports
---------   ------------------------------  -----------------------------
    1      Ethernet  1/12        Ethernet  1/1
                                Ethernet  1/2

 
Test:
When Traffic segmentation Status shows Enabled,
  1. Ping from 192.168.1.101 to 192.168.1.102 will fail.
  2. Ping from 192.168.1.101 to 192.168.1.112 will pass.


When Traffic segmentation Status shows Disabled,
  1. Ping from 192.168.1.101 to 192.168.1.102 will pass.
  2. Ping from 192.168.1.101 to 192.168.1.112 will pass too.



 
 
Topology:
SNMP Version 3 provides security features that cover message integrity, authentication, and encryption.
Users can use SNMPv3 to read/write the switch, which is more secure than using SNMP version 1 or 2.
 
Switch’s Configuration:
1. Configure the management IP address on switch.
Console#configure
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.1/24
 
2. Create an SNMP “view” rule, which controls user access to the MIB.
Console(config)#snmp-server view Super 1.3.6.1.4.1.259.10.1.46.* included
- The “*” sign is a wildcard that selects everything under the OID.
 
3. Create a SNMP group and specify the security level.
Console(config)#snmp-server group Super_group v3 priv read Super write Super
- SNMPv3 supports the following security level settings:
auth - The group is using the authNoPriv security level
noauth - The group is using the noAuthNoPriv security level
priv - The group is using SNMPv3 authPriv security level
 
4. Create a SNMP user account and specify its group.
Console(config)#snmp-server user support Super_group v3 auth md5 test1234 priv des56 test1234
 
 
Net-SNMP:
root@E5100-Ts-TestPC:~# snmpwalk -v 3 -u support -l AuthPriv -a MD5 -A test1234 -x DES -X test1234 192.168.1.1 1.3.6.1.4.1.259.10.1.46.1
Now user can use SNMPv3 to read/write the switch.
We have two different designs of MVR - L2 MVR & L3 MVR.
The key difference between the two is the multicast data received by the clients.
For example, see the basic MVR configuration on the switch below.


 
L2 MVR design
When the MVR function is enabled on the switch and its status becomes "Active", the MVR receiver port joins the MVR VLAN as a member automatically.
Once the client joins the multicast group, the client can receive the multicast data with the MVR VLAN tagged (trunk mode) or untagged (hybrid mode).


 
Models: ECS4620 series, ECS4510 series, ECS4120 series, ECS4100 series, ECS4110 series, ECS4210 series, ECS3510-28T/52T, ES3528Mv2, ES3510MA
 
L3 MVR design
The MVR receiver port will NOT join the MVR VLAN as a member automatically when the MVR function is active.
When the client joins the multicast group, the VLAN tag of the multicast data is changed from the MVR VLAN to the client VLAN, and the data is forwarded to the port.


 
Models: ECS4660-28F, ECS4610-24F, ECS4610-26T/50T
 
front 10G ports

Console#switch stacking-port option ?
  <1-2>  the option of stacking port 
(option 1 is front 10G ports such as port 25-26 in ECS4510-28T or ECS4620-28T )
Console#switch stacking-port option 1 ?
  <1-8>  unit number
Console#switch stacking-port option 1 1
After setting, please reload the switch.
 
You can check the setting by using “show stacking-port option” command.

rear 10G ports

Console#switch stacking-port option ?
  <1-2>  the option of stacking port 
(option 2 is rear 10G ports such as port 27-28 in ECS4510-28T or ECS4620-28T )
Console#switch stacking-port option 2 ?
  <1-8>  unit number
Console#switch stacking-port option 2 1
After setting, please reload the switch.
 
You can check the setting by using “show switch stacking-port option” command.
Use class-map to classify the VLAN traffic, and policy-map to restrict rate of traffic.
 
A configuration example is shown below.
 
ECS4510 series
==== Create the class-map for VLAN classification ====
ECS4510(config)# class-map test
ECS4510(config-cmap)# match vlan 1
========================================
 
==== policy-map for traffic limitation ====
ECS4510(config)# policy-map VLAN1_limit
ECS4510(config-pmap)# class test
ECS4510(config-pmap-c)# police flow 10000 1600000 conform-action transmit violate-action drop
(Restricted to 10 Mbps; packets are dropped if the rate is exceeded)
================================================================
 
==== Apply this policy-map to the ports (input for ingress, output for egress)====
ECS4510(config)# interface ethernet 1/1
ECS4510(config-if)# service-policy input VLAN1_limit
==============================================
 
==== Check the configuration ====
 
ECS4510# show policy-map
Policy Map VLAN1_limit
Description:
 class test
  police flow 10000 1600000 conform-action transmit violate-action drop
 
ECS4510# show policy-map interface 1/1 input
Service-policy VLAN1_limit
============================
How to configure ERPS Major Ring and Sub Ring?
 
The topology is shown below:

 
Major Ring (Domain): Switch A is RPL Owner for major ring.

 
Sub Ring (Domain): Switch E is RPL owner for sub ring.

 
Blocking port

 
Configuration:
  1. Major Ring
 
Switch A:
        A(config)#erps
        A(config)#erps domain major
        A(config-erps)#control-vlan 10
        A(config-erps)#ring-port east interface ethernet 1/1
        A(config-erps)#ring-port west interface ethernet 1/2
        A(config-erps)#rpl owner
        A(config-erps)#enable

 
Switch B: (The configuration of Switch C & Switch D are the same as Switch B)
        B(config)#erps
        B(config)#erps domain major
        B(config-erps)#control-vlan 10
        B(config-erps)#ring-port east interface ethernet 1/1
        B(config-erps)#ring-port west interface ethernet 1/2
        B(config-erps)#enable

 
  1. Sub Ring
Switch C & D are the members of Major Ring and Sub Ring.
  • Need to assign major domain by “major-domain” command.
  • Assign only one ring-port.
Switch C: (The configuration of Switch D is the same as Switch C)
        C(config)#erps
        C(config)#erps domain sub
        C(config-erps)#major-domain major
        C(config-erps)#control-vlan 20
        C(config-erps)#ring-port west interface ethernet 1/3
        C(config-erps)#enable

 

 
Switch E:
        E(config)#erps
        E(config)#erps domain sub
        E(config-erps)#control-vlan 20
        E(config-erps)#ring-port east interface ethernet 1/1
        E(config-erps)#ring-port west interface ethernet 1/3
        E(config-erps)#rpl owner
        E(config-erps)#enable

 
Switch F:
        F(config)#erps
        F(config)#erps domain sub
        F(config-erps)#control-vlan 20
        F(config-erps)#ring-port east interface ethernet 1/1
        F(config-erps)#ring-port west interface ethernet 1/3
        F(config-erps)#enable
What's the difference between "lowerLayerDown" and "down" status read by SNMP?
 
Models: ECS4620 series, ECS4510 series, ECS4120 series, ECS4100 series, ECS4110 series, ECS4210 series, ECS3510-28T/52T, ES3528Mv2, ES3510MA, ECS2100 series
 
When users try to get the current operational state of the interface by SNMP, the OID should be ifOperStatus (1.3.6.1.2.1.2.2.1.8).
There are two kinds of results, “lowerLayerDown(7)” and “down(2)”.
IF-MIB::ifOperStatus.25 = INTEGER: lowerLayerDown(7)
IF-MIB::ifOperStatus.1001 = INTEGER: down(2)
 
What's the difference between "lowerLayerDown" and "down" status?
(1) lowerLayerDown: If the operstatus cannot change to UP because the PHY link is down, lowerLayerDown is displayed.
For example, no cable is connected, the port is admin down/manually shut down (in the current design, this shuts down the PHY), or the port is shut down by one of the specific functions below.



(2) down: If the operstatus cannot change to UP and the cause is NOT that the PHY link is down, down is displayed.
For example, the VLAN adminstatus is down.
 
Console#sh ip int
VLAN 1 is Administrative Up - Link Down
  Address is CC-37-AB-94-80-20
  Index: 1001, MTU: 1500
  Address Mode is User specified
  IP Address: 192.168.2.10 Mask: 255.255.255.0
  Proxy ARP is disabled
  DHCP Client Vendor Class ID (text): ECS2100-10T
  DHCP Relay Server:
Console#
How to set up the switch clustering?
Supported models: ECS4620 Series, ECS4510 Series, ECS4120 Series, ECS4100 Series, ECS4110 Series, ECS4210, ECS3500 Series, ECS2100 Series, ECS2110 Series
 
Switch Clustering:
Switch Clustering is a method of grouping switches together to enable centralized management through a single unit.
 
What’s Cluster Commander and Cluster Member?
A switch cluster has a primary unit called the “Commander” which is used to manage all other “Member” switches in the cluster.
 
The steps to configure on ECS2100-28T and ECS4110-52P:
ECS2100-28T(config)#cluster  (enables clustering on the switch.)
ECS4110-52P(config)#cluster
 
The steps to configure on ECS2100-52T:
ECS2100-52T(config)#int vlan 1
ECS2100-52T(config-if)#ip address 192.168.1.1/24
ECS2100-52T(config)#cluster
ECS2100-52T(config)#cluster ip-pool 10.1.2.1
(The IP pool is used to assign IP addresses to Member switches in the cluster. Cluster IP addresses are in the form 10.x.x.x)
ECS2100-52T(config)#cluster commander  (enables the switch as a cluster Commander.)
ECS2100-52T(config)#exit

 
ECS2100-52T#show cluster candidates
Cluster Candidates:
Role            MAC Address       Description
--------------- ----------------- -----------------------------------------
Candidate       00-E0-0C-11-CC-00   ECS2100-28T
Candidate       CC-37-AB-42-6F-B8   ECS4110-52P
ECS2100-52T#configure
ECS2100-52T(config)#cluster member mac-address 00-E0-0C-11-CC-00 id 1  
(configures a Candidate switch as a cluster Member.)
ECS2100-52T(config)#cluster member mac-address CC-37-AB-42-6F-B8 id 2
ECS2100-52T(config)#exit
 
After setting, you can check the member by using “show cluster members” command.


 
Test via telnet.


 

 
Test via web:



 

 
Test via console:

How to classify and modify the CoS(802.1P) value by DiffServ on ECS4100 series?
 
Scenario:
 

 
 
Procedures:
  1. Add the VID (VLAN ID) to the port interface. In this example, the traffic will tag VLAN 2.

    Console#configure
    Console(config)#interface ethernet 1/1
    Console(config-if)#switchport allowed vlan add 2 tagged
    Console(config-if)#exi
    Console(config)#interface ethernet 1/47
    Console(config-if)#switchport allowed vlan add 2 tagged
 
  1. Create a class map to classify the specified traffic. In this example, it matches traffic with CoS 0.

    Console(config)#class-map CoS
    Console(config-cmap)#match cos 0

    Console#show class-map
    Class Map match-any CoS
    Description:
     Match CoS 0
 
  1. Create a policy map and use the class command to configure policies for traffic which matches the criteria defined in a class map. In this example, the CoS value will be modified to “7” if the traffic matches the class map.

    Console(config)#policy-map CoS-test
    Console(config-pmap)#class CoS
    Console(config-pmap-c)#set cos 7

    Console#show policy-map
    Policy Map CoS-test
    Description:
     class CoS
      set CoS 7
 
  1. Apply the policy map to the ingress or egress side of a particular interface. In this example, the policy map will be applied to ingress of port 1.

    Console#configure
    Console(config)#interface ethernet 1/1
    Console(config-if)#service-policy ?
      input   Input direction
      output  Output  direction
    Console(config-if)#service-policy input CoS-test

    Console#show running-config interface ethernet 1/1
    interface ethernet 1/1
     switchport allowed vlan add 2 tagged
     service-policy input CoS-test

    !
 
Result:
When the switch receives a packet with CoS “0” on port 1, the CoS is modified to “7” and the packet is then sent out from port 47.
 

 
The format of DHCPv6 snooping option37 (Remote-ID) on Edgecore switch
 
Models: ECS4620 series, ECS4510 series, ECS4120 series, ECS4100 series, ECS4110 series, ECS3510-28T/52T, ES3528MV2, ES3510MA
 
According to RFC4649, the format of the DHCPv6 Relay Agent Remote-ID option is shown below:
 
 
Enable the DHCPv6 snooping remote-id option on the switch and capture a packet, as in the example below.

1) The captured bytes correspond to the format of the DHCPv6 Relay Agent Remote-ID option.
option-code 00 25
option-length 00 1a
enterprise-number 00 00 01 03
remote-id value 00 01 00 05 01 03 00 0e 00 01 00 01 52 4e 62 c3 00 12 cf fc 54 92
 
2)
remote-id value 00 01 00 05 01 03 00 0e 00 01 00 01 52 4e 62 c3 00 12 cf fc 54 92
The detailed definition of remote-id value.
remote-id type 00 01
VLAN ID 00 05
Unit 01
Port 03
Length of DUID 00 0e
DUID 00 01 00 01 52 4e 62 c3 00 12 cf fc 54 92
 
3) There are four different definitions of the DUID (DHCP Unique Identifier), listed below. The first one is used on Edgecore switches.
1. Link-layer address plus time (DUID-LLT) – RFC3315
2. Vendor-assigned unique ID based on Enterprise Number (DUID-EN) – RFC3315
3. Link-layer address (DUID-LL) – RFC3315
4. UUID-Based DUID (DUID-UUID) – RFC6355
 
※1. Link-layer address plus time (DUID-LLT) – RFC3315
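
A parser for the option layout walked through in 1) to 3), as an added Python example (not Edgecore code). The sample bytes are the ones quoted above; the function and field names are hypothetical, and the DUID time field is returned as a raw integer without interpretation.

```python
import struct

OPTION_REMOTE_ID = 37  # option-code 00 25 (RFC 4649)
DUID_LLT = 1           # DUID type 1: link-layer address plus time

# The option bytes quoted on the page, field by field.
SAMPLE = bytes.fromhex(
    "0025"      # option-code
    "001a"      # option-length
    "00000103"  # enterprise-number
    "0001"      # remote-id type
    "0005"      # VLAN ID
    "01"        # unit
    "03"        # port
    "000e"      # length of DUID
    "00010001524e62c30012cffc5492"  # DUID
)


def parse_duid_llt(duid):
    """Split a DUID-LLT into hardware type, time and link-layer address."""
    if len(duid) < 8:
        raise ValueError("DUID too short for DUID-LLT")
    duid_type, hw_type, time_value = struct.unpack("!HHI", duid[:8])
    if duid_type != DUID_LLT:
        raise ValueError(f"not a DUID-LLT (type {duid_type})")
    return {
        "duid_type": duid_type,
        "hw_type": hw_type,
        "time": time_value,
        "link_layer": "-".join(f"{b:02X}" for b in duid[8:]),
    }


def parse_remote_id_option(buf):
    """Parse one Remote-ID option whose remote-id uses the layout shown above."""
    if len(buf) < 4:
        raise ValueError("buffer too short for an option header")
    code, length = struct.unpack("!HH", buf[:4])
    if code != OPTION_REMOTE_ID:
        raise ValueError(f"not a Remote-ID option (code {code})")
    if length < 4 or len(buf) < 4 + length:
        raise ValueError("option truncated")
    body = buf[4:4 + length]
    (enterprise,) = struct.unpack("!I", body[:4])
    remote_id = body[4:]

    # remote-id value: type(2) VLAN(2) unit(1) port(1) DUID length(2) DUID
    if len(remote_id) < 8:
        raise ValueError("remote-id too short")
    rid_type, vlan, unit, port, duid_len = struct.unpack("!HHBBH", remote_id[:8])
    duid = remote_id[8:]
    if len(duid) != duid_len:
        raise ValueError("DUID length field does not match remaining bytes")
    return {
        "enterprise_number": enterprise,
        "remote_id_type": rid_type,
        "vlan": vlan,
        "unit": unit,
        "port": port,
        "duid": parse_duid_llt(duid),
    }


if __name__ == "__main__":
    print(parse_remote_id_option(SAMPLE))
```

A DHCPv6 server or log pipeline that maps leases to switch ports from this option should reject options that fail these length checks rather than attribute the lease to a partially parsed port.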

 
 
 
How to allow a user at privilege level X to execute a command on an Edgecore switch?

Support models:
ECS4620 series, Version: 1.2.2.34
ECS4510 series, Version: 1.5.2.34
ECS4120 series, Version: 1.0.2.33
ECS4100 series, Version: 1.2.4.173
ECS4110 series, Version: 1.2.3.12
ECS4210 series, Version: 1.0.0.56
ECS3500 series, Version: 1.5.2.8
ECS2100 series, Version: 1.2.2.9
 
Introduction:
Users with privilege 0~14 are not allowed to execute all commands on Edgecore switches.
 
The picture as shown below is the default setting for privilege level 2.
User with privilege level 2 is not allowed to enter configure mode (command “configure”).
P.S There is no configure command.

 
Solution:
We’re able to assign specific commands for those users with privilege 0~14 by command “privilege”.
 
Example:
ECS4620 series, Version: 1.2.2.34
A user at privilege level 2 should be able to shut down a port and configure the IP address.

Before configuration, you have to identify the commands you need to assign.
For example:
  1. Exec mode: configure
  2. Configure mode: interface ethernet 1/1
  3. Configure mode: interface vlan 1
  4. Interface-eth mode: shutdown
  5. Interface-vlan mode: ip address
 
Configuration:
Step 1: Assign “configure” command to level 2
            privilege exec level 2 configure
Step 2: Assign “interface ethernet & interface vlan” command to level 2.
            privilege configure level 2 interface
            privilege configure level 2 interface ethernet
            privilege configure level 2 interface vlan
 
Step 3: Assign “shutdown” command to level 2.
           privilege interface-eth level 2 shutdown
 
Step 4: Assign “ip address” command to level 2.
           privilege interface-vlan level 2 ip address
Topology:

Step:
  1. Setup FreeRadius Server
  2. Configure client
  3. Configure switch
  4. Verify
 
  1. Setup FreeRadius Server
  1. Install the FreeRadius server on Ubuntu (Ubuntu 14.04) with the following command:
    FreeRadius ~ # apt-get install freeradius -y
  2. Configure “users” and “clients.conf” file
 
      Users (path: /etc/freeradius/users)
  • Username “tsCommonName”. It must be the same as commonName in client.cnf (refer to step 3)
  • “Tunnel-Private-Group-ID” parameter is for dynamically adding VLAN

 
Clients.conf (path: /etc/freeradius/clients.conf)

 
  1. Download the FreeRadius source code from https://freeradius.org/
FreeRadius ~ # wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.15.tar.gz
After decompressing the source file, use the files in “~/freeradius-server-3.0.15/raddb/certs” to replace the contents of “/etc/freeradius/certs”
 
Reference commands:
FreeRadius certs # pwd
/etc/freeradius/certs
FreeRadius certs # rm -rf *
FreeRadius certs # cp -Rf ~/freeradius-server-3.0.15/raddb/certs/* .
 
  1. Modify the CA files: server.cnf / client.cnf
    server.cnf: modify output_password (path: /etc/freeradius/certs/server.cnf)
 
client.cnf: modify output_password, emailAddress and commonName
(path: /etc/freeradius/certs/client.cnf)
  • commonName must be the same as “Username” in the users file

 
  1. Launch bootstrap script (path: /etc/freeradius/certs/bootstrap )
    FreeRadius certs # ./bootstrap
  2. Copy “ca.pem”, “client.key” and “ts@example.org.pem” (the file name is the same as the “emailAddress” parameter) to the client.
          Path:
          /etc/freeradius/certs/ca.pem
          /etc/freeradius/certs/client.key
          /etc/freeradius/certs/ts@example.org.pem
  1. Modify eap.conf file (path: /etc/freeradius/eap.conf)
  1. Change default_eap_type to tls
  1. Remove (delete or comment out) the make_cert_command
  1. Change the “private_key_password” value to match server.cnf’s output_password.
  1. After all server-side configuration is finished, restart the FreeRadius server.
      You can use either command:
  1. FreeRadius freeradius # service freeradius start => start the server normally, or
  2. FreeRadius freeradius # freeradius -X => start the server in debug mode.
 
  1. Configure client
  1. Get the three files generated on the server; please refer to “Setup FreeRadius Server” step 5:
“ca.pem”, “client.key” and “ts@example.org.pem” (the file name is the same as the “emailAddress” parameter)
 
       2. Add CA to client and update CA
           Commands:
            root@ts:/home/ts/Desktop# cp ca.pem /usr/local/share/ca-certificates/ca.pem.crt
            root@ts:/home/ts/Desktop# update-ca-certificates
  1. Configure the client’s network settings

 
  1. Configure switch
  1. Switch IP:
    Console#configure
    Console(config)#interface vlan 1
    Console(config-if)#ip address 192.168.2.46/20
  1. Switch Vlan:
    Console(config)#vlan database
    Console(config-vlan)#vlan 3
      3. 802.1x configure: 
          Global Configuration: 
          Console(config)#dot1x system-auth-control

          Interface Configuration: 
          Console(config)#interface eth 1/3
          Console(config-if)#dot1x port-control auto
 
  1. Verify
Before client authentication, port #3 only allows traffic that belongs to VLAN 1(u).

 
        After authentication, port #3 allows traffic that belongs to VLAN 1(u) and 3(t).


        In show vlan, you can see that port #3 is dynamically added to VLAN 3.
How to create PoE time range profile via CLI and SNMP on ECS4120-28P?

Scenario:

Configuration on ECS4120-28P:
Example for periodic time and date
ECS4120-28P#con
ECS4120-28P(config)#time-range TEST
ECS4120-28P(config-time-range)#periodic daily 8 0 to daily 21 0
ECS4120-28P(config-time-range)#exit
ECS4120-28P(config)#interface ethernet 1/1
ECS4120-28P(config-if)#power inline time-range TEST
ECS4120-28P(config-if)#end
ECS4120-28P#
 
[CLI Command]
time-range name
periodic
{daily | friday | monday | saturday | sunday | thursday | tuesday | wednesday | weekdays | weekend} hour minute
to
{daily | friday | monday | saturday | sunday | thursday | tuesday | wednesday | weekdays | weekend } hour minute
 
[SNMPSET command format]
1. Enable time-range
snmpset -v 2c -c private {switch ip} {timeRangeStatus}.{timeRangeIndex} {integer} {value}
For timeRangeStatus, OID 1.3.6.1.4.1.259.10.1.45.1.61.1.1.3
Set OID 1.3.6.1.4.1.259.10.1.45.1.61.1.1.3 to valid(1) to create an entry.
Set OID 1.3.6.1.4.1.259.10.1.45.1.61.1.1.3 to invalid(2) to destroy an entry.
For timeRangeIndex: the index of the time-range entry.
The index starts from 0.
 
2. Create time-range
snmpset -v 2c -c private {switch ip} {timeRangeName}.{timeRangeIndex} {string} {name}
For timeRangeName, OID 1.3.6.1.4.1.259.10.1.45.1.61.1.1.2
Configure as string, user should give a name to the time-range.
 
3. Configure time range rule
snmpset -v 2c -c private {switch ip} {timeRangePeriodic}.{timeRangeIndex}.{PeriodicType}.{startHour}.{startMinute}.{PeriodicType}.{endHour}.{endMinute} {integer} {value}

For timeRangePeriodic, OID 1.3.6.1.4.1.259.10.1.45.1.61.2.1.8
Set OID 1.3.6.1.4.1.259.10.1.45.1.61.2.1.8 to valid(1) to create an entry that is executed periodically.
Set OID 1.3.6.1.4.1.259.10.1.45.1.61.2.1.8 to invalid(2) to destroy an entry.

For PeriodicType, {sunday(0),monday(1),tuesday(2),wednesday(3),thursday(4),friday(5),saturday(6),daily(7),weekdays(8),weekend(9)}
For startHour and startMinute: Integer.
For endHour and endMinute: Integer.

4. Assign time-range to power inline
snmpset -v 2c -c private {switch ip} {PSE_Port_TimeRange_Name}.{UnitID}.{PortID} {string} {TimeRange_Name}
For PSE_Port_TimeRange_Name, OID 1.3.6.1.4.1.259.10.1.45.1.28.6.1.11
Configure as string, user should assign a specific time-range.
For UnitID and PortID: specify the port to which the time-range applies.
 
Example of configuration via SNMP:
(1) timeRangeStatus, OID 1.3.6.1.4.1.259.10.1.45.1.61.1.1.3 ; timeRangeIndex = 0 (Integer 1 : valid)

(2) timeRangeName, OID 1.3.6.1.4.1.259.10.1.45.1.61.1.1.2 ; timeRangeIndex = 0 (String “TEST”: the profile name is TEST)

(3) timeRangePeriodic, OID 1.3.6.1.4.1.259.10.1.45.1.61.2.1.8 ; timeRangeIndex = 0 ; PeriodicType = daily(7) ; startHour = 8 ; startMinute = 0 ; PeriodicType = daily(7) ; endHour = 21 ; endMinute = 0 (Integer 1 : valid)

(4) PSE_Port_TimeRange_Name, OID 1.3.6.1.4.1.259.10.1.45.1.28.6.1.11 ; UnitID = 1 ; PortID = 1 (String “TEST”: Apply the profile TEST)
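
The four SNMP steps above, composed into command lines for the TEST profile. This is an added example, not Edgecore's own tooling. It assumes the Net-SNMP `snmpset` type letters `i` (integer) and `s` (string), hours 0-23 and minutes 0-59, and a constructed switch address 192.0.2.10.

```python
import shlex

# OIDs and enumerations exactly as listed in the command-format section above.
TIME_RANGE_STATUS = "1.3.6.1.4.1.259.10.1.45.1.61.1.1.3"
TIME_RANGE_NAME = "1.3.6.1.4.1.259.10.1.45.1.61.1.1.2"
TIME_RANGE_PERIODIC = "1.3.6.1.4.1.259.10.1.45.1.61.2.1.8"
PSE_PORT_TIME_RANGE_NAME = "1.3.6.1.4.1.259.10.1.45.1.28.6.1.11"
PERIODIC_TYPE = {
    "sunday": 0, "monday": 1, "tuesday": 2, "wednesday": 3, "thursday": 4,
    "friday": 5, "saturday": 6, "daily": 7, "weekdays": 8, "weekend": 9,
}
VALID = 1  # valid(1) creates an entry, invalid(2) destroys it


def periodic_instance(index, start, end):
    """Build the timeRangePeriodic instance OID.

    start and end are (periodic_type, hour, minute) tuples. The rule itself is
    carried in the OID index; the value written is only valid/invalid.
    """
    parts = [TIME_RANGE_PERIODIC, str(index)]
    for day, hour, minute in (start, end):
        if day not in PERIODIC_TYPE:
            raise ValueError(f"unknown periodic type: {day!r}")
        # Assumed bounds: 24-hour clock, as in the CLI example "daily 8 0".
        if not (0 <= hour <= 23 and 0 <= minute <= 59):
            raise ValueError(f"time out of range: {hour}:{minute}")
        parts += [str(PERIODIC_TYPE[day]), str(hour), str(minute)]
    return ".".join(parts)


def poe_time_range_commands(switch_ip, community, index, name,
                            start, end, unit, port):
    """Return the four snmpset command lines in the order the page gives them."""
    base = ["snmpset", "-v", "2c", "-c", community, switch_ip]
    steps = [
        (f"{TIME_RANGE_STATUS}.{index}", "i", str(VALID)),          # 1. enable
        (f"{TIME_RANGE_NAME}.{index}", "s", name),                  # 2. name
        (periodic_instance(index, start, end), "i", str(VALID)),    # 3. rule
        (f"{PSE_PORT_TIME_RANGE_NAME}.{unit}.{port}", "s", name),   # 4. bind
    ]
    return [shlex.join(base + list(step)) for step in steps]


if __name__ == "__main__":
    # 192.0.2.10 is a constructed documentation address, not from the page.
    for line in poe_time_range_commands(
            "192.0.2.10", "private", 0, "TEST",
            ("daily", 8, 0), ("daily", 21, 0), 1, 1):
        print(line)
```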

 
Result:
Time range table in ECS4120-28P.

When the system is operating within the time-range (8:00 to 21:00), the AP will power on.

 
When the system is outside the time-range, the PSE will not supply power.

 
Why is a specific ARP packet still filtered by the MAC ACL on the ECS4100 series even though the rule permits the source MAC of the ARP packet?
 
Model:
ECS4100 series
 
Firmware version:
ECS4100 series V1.2.4.173
 
Simulation scenario:
  1. Prepare two types of ARP packets.
    A. The sender MAC address of ARP header is different from source MAC address of Ethernet header.

    B. The sender MAC address of ARP header is the same as source MAC address of Ethernet header.
  2. Configure MAC ACL to permit the source MAC address of ARP packet and deny other packets.
    Console(config)#access-list mac test
    Console(config-mac-acl)#permit host 0C-C4-7A-06-FB-11 any
    Console(config-mac-acl)#deny any any
     
  3. Apply this MAC ACL to ingress of port 1.
    Console(config)#interface ethernet 1/1
    Console(config-if)#mac access-group test in
     
  4. Inject these two ARP packets into port 1. The switch forwards the B-ARP packet, but the MAC ACL filters the A-ARP packet.
Root Cause:
This is chipset behavior. For ARP packets, the MAC ACL inspects the sender MAC address in the ARP header instead of the source MAC address in the Ethernet header.
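
The following added example (not Edgecore code) parses raw frames, compares the Ethernet source MAC with the ARP sender MAC, and models the ACL verdict the way the root cause describes it. The two frames are constructed samples for packets A and B; the sender MAC 02-00-00-00-00-AA and the IP addresses are assumptions.

```python
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100


def mac_bytes(text):
    raw = bytes.fromhex(text.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    return raw


def mac_text(raw):
    return "-".join(f"{b:02X}" for b in raw)


def build_arp_request(eth_src, arp_sender_mac, sender_ip, target_ip):
    """Construct a broadcast ARP request (sample input for this example)."""
    eth = b"\xff" * 6 + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet/IPv4, request
    arp += mac_bytes(arp_sender_mac) + bytes(map(int, sender_ip.split(".")))
    arp += b"\x00" * 6 + bytes(map(int, target_ip.split(".")))
    return eth + arp


def inspect_frame(frame):
    """Return (ethernet_source, arp_sender_mac); the latter is None for non-ARP."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    eth_src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETHERTYPE_VLAN:  # skip a single 802.1Q tag
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype != ETHERTYPE_ARP:
        return mac_text(eth_src), None
    arp = frame[offset:offset + 28]
    if len(arp) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return mac_text(eth_src), mac_text(arp[8:14])  # sender hardware address


def mac_acl_verdict(frame, permitted_source):
    """Model 'permit host <MAC> any' + 'deny any any' as the page describes it:
    for ARP the source field is matched against the ARP sender MAC."""
    eth_src, arp_sender = inspect_frame(frame)
    matched = arp_sender if arp_sender is not None else eth_src
    permitted = mac_text(mac_bytes(permitted_source))
    return {
        "eth_src": eth_src,
        "arp_sender": arp_sender,
        "mismatch": arp_sender is not None and arp_sender != eth_src,
        "verdict": "permit" if matched == permitted else "deny",
    }


PERMITTED = "0C-C4-7A-06-FB-11"  # host permitted by the ACL on this page
# Constructed frames: A has a different ARP sender MAC, B has the same one.
FRAME_A = build_arp_request(PERMITTED, "02-00-00-00-00-AA", "192.0.2.1", "192.0.2.2")
FRAME_B = build_arp_request(PERMITTED, PERMITTED, "192.0.2.1", "192.0.2.2")

if __name__ == "__main__":
    for label, frame in (("A", FRAME_A), ("B", FRAME_B)):
        print(label, mac_acl_verdict(frame, PERMITTED))
```

Running the same comparison over a capture from the ingress port shows which ARP senders would need their own permit entries.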
 
How to use Layer2 traceroute (a.k.a CFM linktrace) on Edgecore Switch?

Support models:
ECS4620 series, Version: 1.2.2.34
ECS4510 series, Version: 1.5.2.34
ECS4120 series, Version: 1.0.2.33
ECS4100 series, Version: 1.2.4.173
ECS4110 series, Version: 1.2.3.12
ECS3500 series, Version: 1.5.2.8
 
Here’s the sample: (use ECS4620-28F)
Topology:


Maintenance End Point (MEP): generates and responds to CFM PDUs
Maintenance Intermediate Points (MIP): Forwarding CFM PDUs as intermediate maintenance points
 
SW1 configuration:
SW1#con
SW1(config)#ethernet cfm domain index 1 name Test level 5
(create maintenance domain [MD], the index is 1, name is character string “Test”, the MD level 5)
SW1(config-ether-cfm)#ma index 1 name Test_MA vlan 1
(create maintenance association [MA] service in MD, the index is 2, name is “Test_MA” and  service VLAN identifier is “1.”)
SW1(config-ether-cfm)#mep crosscheck mpid 20 ma Test_MA
(Configure MEP crosscheck with mpid 20 on SW 3 ma “Test_MA.” The Cross Check List for a MD contains a list of MEPID (Maintenance End Point Identifier) which are configured in a MA)
SW1(config-ether-cfm)#exit
SW1(config)#interface ethernet 1/1
SW1(config-if)#ethernet cfm mep mpid 10 md Test ma Test_MA
(Create mep mpid 10 on port 1)
 
SW2 configuration:
SW2#con
SW2(config)#ethernet cfm domain index 1 name Test level 5
SW2(config-ether-cfm)#ma index 1 name Test_MA vlan 1
SW2(config-ether-cfm)#end
 
SW3 configuration:
SW3#con
SW3(config)#ethernet cfm domain index 1 name Test level 5
SW3(config-ether-cfm)#ma index 1 name Test_MA vlan 1
SW3(config-ether-cfm)#mep crosscheck mpid 10 ma Test_MA
SW3(config-ether-cfm)#exit
SW3(config)#interface ethernet 1/1
SW3(config-if)#ethernet cfm mep mpid 20 md Test ma Test_MA
 
Link trace from SW1 port 1 to SW3 port 1:


The MAC addresses listed below are the port MAC addresses:
8C-EA-1B-57-9B-24 (SW2 port 1/1 MAC)
8C-EA-1B-57-9B-25 (SW2 port 1/2 MAC)
70-72-CF-FD-AE-DA (SW3 port 1/1 MAC)
 
How to configure VRRP on ECS4620?
  1. Topology

 
  1. VRRP Master(ECS4620_Master) configuration:
  • Basic configuration (detail configuration please refer to Appendix)
  1. Create VLAN 11-13
  2. Configure VLAN IP address
  3. Set each port allow VLAN
          Port #1: PVID = 11, VID = 11(u)
          Port #2: PVID = 12, VID = 12(u)
          Port #3: PVID = 13, VID = 13(u)
  1. Disable Spanning-tree on downlink port(#1, #2)
  2. Set default route to VLAN 13
 
  • VRRP configuration(virtual IP addresses for VLAN 11 and VLAN 12)
          Master#configure
          Master(config)#interface vlan 11
          Master(config-if)#vrrp 1 ip 172.16.11.254
          Master(config-if)#vrrp 1 priority 200
          Master(config-if)#interface vlan 12
          Master(config-if)#vrrp 2 ip 172.16.12.254
          Master(config-if)#vrrp 2 priority 200
 
  1. VRRP Backup(ECS4620_Back_up) configuration
  • Basic configuration (detail configuration please refer to Appendix)
  1. Create VLAN 11-13
  2. Configure VLAN IP address
  3. Set each ports’ allow VLAN
          Port #1: PVID = 11, VID = 11(u)
          Port #2: PVID = 12, VID = 12(u)
          Port #3: PVID = 13, VID = 13(u)
  1. Disable Spanning-tree at downlink port(#1, #2)
  2. Set default route to VLAN 13
  • VRRP configuration(virtual IP addresses for VLAN 11 and VLAN 12)
          BackUp(config)#interface vlan 11
          BackUp(config-if)#vrrp 1 ip 172.16.11.254
          BackUp(config-if)#interface vlan 12
          BackUp(config-if)#vrrp 2 ip 172.16.12.254
 
  1. Check VRRP status on VRRP Master and Backup
  1. Show VRRP [ID]
Use this command to see each VRRP group’s detailed information.
  1. Show VRRP brief
Use this command to see brief information for all VRRP groups.
  1. Server/Client configuration
On the server side and the client side, configure the gateway as the virtual IP (.254) as follows:
Server Side Client Side

When the server or client sends a packet to the gateway, the destination MAC address has the format 00-00-5E-00-01-[VRRP-ID].

Client send packet

 
Server send packet

 
Appendix
Details of VRRP Master(ECS4620_Master) configuration:
  • Basic configure
1. Create VLAN 11-13
    Master#configure
    Master(config)#vlan database
    Master(config-vlan)#vlan 11-13
 
Configure VLAN IP address

Master#configure
Master(config)#interface vlan 11
Master(config-if)#ip address 172.16.11.1/24
Master(config-if)#interface vlan 12
Master(config-if)#ip address 172.16.12.1/24
Master(config-if)#interface vlan 13
Master(config-if)#ip address 172.16.13.1/24
 
2. Set each port allow VLAN
    Master#configure
    Master(config)#interface ethernet 1/1
    Master(config-if)#switchport allowed vlan add 11 untagged
    Master(config-if)#switchport native vlan 11
    Master(config-if)#switchport allowed vlan remove 1
    Master(config-if)#interface ethernet 1/2
    Master(config-if)#switchport allowed vlan add 12 untagged
    Master(config-if)#switchport native vlan 12
    Master(config-if)#switchport allowed vlan remove 1
    Master(config-if)#interface ethernet 1/3
    Master(config-if)#switchport allowed vlan add 13 untagged
    Master(config-if)#switchport native vlan 13
    Master(config-if)#switchport allowed vlan remove 1
 
3. Disable Spanning-tree at downlink port(#1, #2)
    Master#configure
    Master(config)#interface ethernet 1/1
    Master(config-if)#spanning-tree spanning-disabled
    Master(config-if)#interface ethernet 1/2
    Master(config-if)#spanning-tree spanning-disabled
 
4. Set default route to vlan 13
    Master#configure
    Master(config)#ip default-gateway 172.16.13.2
 
Details of VRRP Backup (ECS4620_Back_up) configuration
  • Basic configure
  1. Create VLAN 11-13
BackUp #configure
BackUp (config)#vlan database
BackUp(config-vlan)#vlan 11-13
 
      2. Configure VLAN IP address

BackUp#configure
BackUp(config)#interface vlan 11
BackUp(config-if)#ip address 172.16.11.2/24
BackUp(config-if)#interface vlan 12
BackUp(config-if)#ip address 172.16.12.2/24
BackUp(config-if)#interface vlan 13
BackUp(config-if)#ip address 172.16.13.2/24
 
       3. Set each port allow vlan

BackUp#configure
BackUp(config)#interface ethernet 1/1
BackUp(config-if)#switchport allowed vlan add 11 untagged
BackUp(config-if)#switchport native vlan 11
BackUp(config-if)#switchport allowed vlan remove 1
BackUp(config-if)#interface ethernet 1/2
BackUp(config-if)#switchport allowed vlan add 12 untagged
BackUp(config-if)#switchport native vlan 12
BackUp(config-if)#switchport allowed vlan remove 1
BackUp(config-if)#interface ethernet 1/3
BackUp(config-if)#switchport allowed vlan add 13 untagged
BackUp(config-if)#switchport native vlan 13
BackUp(config-if)#switchport allowed vlan remove 1
 

          4.Disable Spanning-tree at downlink port(#1, #2)

BackUp#configure
BackUp(config)#interface ethernet 1/1
BackUp(config-if)#spanning-tree spanning-disabled
BackUp(config-if)#interface ethernet 1/2
BackUp(config-if)#spanning-tree spanning-disabled
 
  1. Set default route to vlan 13
BackUp #configure
BackUp (config)#ip default-gateway 172.16.13.1
How to configure PIM-SM (Sparse-Mode) on ECS4620 series ?

Scenario:

Configuration on ECS4620-28T_SW1:
SW1#con
SW1(config)#interface ethernet 1/23
SW1(config-if)#switchport allowed vlan add 10 untagged
SW1(config-if)#switchport native vlan 10
SW1(config-if)#switchport allowed vlan remove 1
SW1(config-if)#exit
SW1(config)#interface ethernet 1/24
SW1(config-if)#switchport allowed vlan add 20 untagged
SW1(config-if)#switchport native vlan 20
SW1(config-if)#switchport allowed vlan remove 1
SW1(config-if)#exit
SW1(config)#interface vlan 10
SW1(config-if)#ip address 192.168.10.1/24
SW1(config-if)#ip igmp
SW1(config-if)#ip pim sparse-mode
SW1(config-if)#exit
SW1(config)#interface vlan 20
SW1(config-if)#ip address 192.168.20.1/24
SW1(config-if)#ip igmp
SW1(config-if)#ip pim sparse-mode
SW1(config-if)#exit
SW1(config)#ip multicast-routing
SW1(config)#router pim
SW1(config)#ip pim rp-address 192.168.10.1
SW1(config)#router ospf
SW1(config-router)#network 192.168.10.0 255.255.255.0 area 0
SW1(config-router)#network 192.168.20.0 255.255.255.0 area 0
SW1(config-router)#end


Configuration on ECS4620-28T_SW2:
SW2#con
SW2(config)#interface ethernet 1/23
SW2(config-if)#switchport allowed vlan add 30 untagged
SW2(config-if)#switchport native vlan 30
SW2(config-if)#switchport allowed vlan remove 1
SW2(config-if)#exit
SW2(config)#interface ethernet 1/24
SW2(config-if)#switchport allowed vlan add 20 untagged
SW2(config-if)#switchport native vlan 20
SW2(config-if)#switchport allowed vlan remove 1
SW2(config-if)#exit
SW2(config)#interface vlan 20
SW2(config-if)#ip address 192.168.20.2/24
SW2(config-if)#ip igmp
SW2(config-if)#ip pim sparse-mode
SW2(config-if)#exit
SW2(config)#interface vlan 30
SW2(config-if)#ip address 192.168.30.1/24
SW2(config-if)#ip igmp
SW2(config-if)#ip pim sparse-mode
SW2(config-if)#exit
SW2(config)#ip multicast-routing
SW2(config)#router pim
SW2(config)#ip pim rp-address 192.168.10.1
SW2(config)#router ospf
SW2(config-router)#network 192.168.20.0 255.255.255.0 area 0
SW2(config-router)#network 192.168.30.0 255.255.255.0 area 0
SW2(config-router)#end
 
Display the information about interfaces configured for PIM.
 
 

Display the multicast information for the specified interface.





Display the information in the routing table.



Display the information about PIM neighbors.



Display the active RPs and associated multicast routing entries.
 

Display the information for IGMP groups.


Display the IPv4 multicast routing table.


 
What's the behavior for the command "MVR transmit-filter" ?

The basic MVR topology and the configuration on the switches are shown below.


Original Behavior: (“transmit-filter” command not supported, or “transmit-filter” disabled.)
When the MVR function is enabled on the switch and its status becomes "Active", a client joins or leaves the multicast group by sending a report to the MVR receiver port.
This report will be forwarded to all the active source ports, as shown below.


The MVR members of ES3528MV2_SW1 and ES3528MV2_SW2 are shown below.



Enabled Transmit-Filter Behavior: (Transmit-filter is disabled on the switch by default.)
The mechanism is the same, but this report will not be forwarded to any port on which transmit-filter is enabled, as shown below.
This lets the user easily control how reports are forwarded on MVR source ports.


The MVR members of ES3528MV2_SW1 and ES3528MV2_SW2 are shown below.



Display transmit-filter per port configuration.



Support models and software version:
ECS4210 series v1.0.0.61
ES3528MV2 v1.5.2.14
ECS3510-28T/52T v1.5.2.14
ES3510MA v1.5.2.14
How to check the MAC address count via SNMP on ECS2100 series?
 
In the original design, the user could only check the number of MAC addresses used and the number of available MAC addresses for the overall system via CLI command and the WEB interface. Edgecore has implemented reading the Total/Dynamic/Static MAC address count via SNMP.
Support version: ECS2100 series V1.2.2.12 and above.
 
[SNMPWALK command format]
snmpwalk -v 2c -c private {switch ip} { amtrMacAddrDynamicCount | amtrMacAddrStaticCount | amtrMacAddrTotalCount }
 
For amtrMacAddrDynamicCount, OID 1.3.6.1.4.1.259.10.1.43.1.1.8.4
The number of dot1dTpFdbTable entries in the BRIDGE-MIB.
For amtrMacAddrStaticCount, OID 1.3.6.1.4.1.259.10.1.43.1.1.8.5
The number of dot1dStaticTable entries in the BRIDGE-MIB.
For amtrMacAddrTotalCount, OID 1.3.6.1.4.1.259.10.1.43.1.1.8.6
The sum of dot1dTpFdbTable and dot1dStaticTable entries.
 
For example, the following are the current mac-address table entries and the mac-address count displayed by CLI command.


 
The following are the Dynamic/Static/Total MAC address counts displayed via SNMP.
(1) amtrMacAddrDynamicCount, OID 1.3.6.1.4.1.259.10.1.43.1.1.8.4
Number of Dynamic MAC Address : 5

(2) amtrMacAddrStaticCount, OID 1.3.6.1.4.1.259.10.1.43.1.1.8.5
Number of Static MAC Address : 2

(3) amtrMacAddrTotalCount, OID 1.3.6.1.4.1.259.10.1.43.1.1.8.6
Total Number of MAC Address : 7

 
How to enable sticky mac on ECS4620 series?
 
Support Model Name: ECS4620 series
Software Version: v1.2.2.39
In the original design, the port security function stops learning MAC addresses when it reaches the configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
 
If network-access aging is enabled, entries in the switch's secure MAC address table are removed when the aging time expires or when the MAC address is detected on a new port.
 
For this reason, the Sticky MAC function was added to the ECS4620 series. When you connect an interface to your network, you can enable the sticky MAC feature to ensure that a MAC address is learned only on this port and is not learned by other ports, even after a port move or an attack.
 
Topology:
  1. Sticky MAC is enabled on port 1, and a PC is connected to it. The PC's MAC address is learned on port 1.

 
  1. Disconnect the PC’s link to the hub and move it to port 2. The PC will then fail to access the network through port 2 because its MAC address was already learned on port 1.


 
Procedure:
Step1:
Enable port security and sticky MAC on port 1.
Enable network-access aging globally.


Step2:
Connect the PC to port 1, and check that the MAC address was learned on port 1.


Step3:
Disconnect the PC's link to the hub and move it to port 2.
Confirm that the PC's MAC address is still learned on port 1 and fails to be learned on port 2.



Step 4:
Enable port security on port 2 and set the intrusion action to shutdown.
(Setting max-mac-count > 1 is suggested.)


Disconnect the PC’s link to the hub and move it to port 2.
Confirm that the port is shut down because the sticky secure MAC address intruded into another port with port security enabled.

 
 
How to configure smart pair on CLI and Web GUI?

Support models: ECS4100 series

Scenario:

 
 
Concept:
A smart pair is a function that provides layer 2 link redundancy using two ports, one of which is the primary port and the other the backup port. All traffic is forwarded through the primary port while the backup port is in standby state. If the primary port goes link-down, the backup port is activated and all traffic is forwarded through the backup port. When the primary port recovers, all traffic is forwarded through the primary port again after the WTR time (wait-to-restore delay).
  
CLI Configuration:
 
Step 1) Disable spanning-tree on each port
Dut1:
Dut1#configure
Dut1(config)#interface ethernet 1/9,10,11
Dut1(config-if)#spanning-tree spanning-disabled
Dut2:
Dut2#configure
Dut2(config)#interface ethernet 1/10,12
Dut2(config-if)#spanning-tree spanning-disabled
Dut3:
Dut3#configure
Dut3(config)#interface ethernet 1/9,11,12
Dut3(config-if)#spanning-tree spanning-disabled
 
*Note: Smart Pair can’t be configured on the following port types.
  1. LACP enable port
  2. Spanning Tree enabled port
 
Step 2) Set the smart pair configuration on Dut3
Dut3:
Dut3#configure
Dut3(config)#smart-pair 1
Dut3(config-smart-pair)#primary-port ethernet 1/11
Dut3(config-smart-pair)#backup-port ethernet 1/12
 
Step 3) Check the smart pair configuration is correct
Dut3:
Dut3#show smart-pair 1
Primary Port : Eth 1/11 (forwarding)
Backup Port  : Eth 1/12 (blocking)
Wait-To-Restore Delay : 30 seconds

*Default WTR time is 30 seconds
Step 4) Client A keeps pinging Client B


The traffic is normal
Step 5) Client A keeps pinging Client B, then unplug Dut3_Port1/11


Since the traffic fails over to the backup port (Port1/12), the ICMP traffic will still work.


 
 
Step 6) Check the smart pair status
Dut3:
Dut3#show smart-pair 1
Primary Port  : Eth 1/11 (blocking)
Backup Port   : Eth 1/12 (forwarding)
Wait-To-Restore Delay : 30 seconds
 
Step 7) Plug in Dut3_Port1/11 and wait for 30 seconds


The ICMP traffic will still work when the traffic transfers back to the primary port

Step 8) Check the smart pair status
Dut3:
Dut3#show smart-pair 1
Primary Port  : Eth 1/11 (forwarding)
Backup Port   : Eth 1/12 (blocking)
Wait-To-Restore Delay : 30 seconds
 
WEB Configuration:
 
Step 1) Set the management IP on each switch
Dut1:
Dut1#configure
Dut1(config)#interface vlan 1
Dut1(config-if)#ip address 192.168.1.1/24
Dut2:
Dut2#configure
Dut2(config)#interface vlan 1
Dut2(config-if)#ip address 192.168.1.2/24
Dut3:
Dut3#configure
Dut3(config)#interface vlan 1
Dut3(config-if)#ip address 192.168.1.3/24
 
Step 1) Log in to the switch via the Web GUI
Dut1:

 
Step 2) Disable the spanning tree

Step 3) Disable the spanning tree
Dut2: Follow the same steps as Dut1

Step 4) Disable the spanning tree
Dut3: Follow the same steps as Dut1

Step 5) Set the smart pair configuration on Dut3

Step 6) Check the smart pair status



The status is normal
Client A keeps pinging Client B

The traffic is normal
 
Client A keeps pinging Client B, then unplug Dut3_Port1/11

Since the traffic fails over to the backup port (Port1/12), the ICMP traffic will still work.
 
 Step 9) Check the smart pair status

Step 10) Plug in Dut3_Port1/11 and wait for 30 seconds

The ICMP traffic will still work when the traffic transfers back to the primary port
 
Step 11) Check the smart pair status

 
[Enhancement] Extend the characters of remote-id and circuit-id for DHCPSNP option82 and PPPoE IA.
 
Support Model and Firmware version:
ECS4100 Series (Firmware version 1.2.30.183 and above)
ECS4120 Series (Firmware version 1.2.2.5 and above)
 
Summary:
Agent settings                  Length for string
PPPoEIA Circuit-id              57 characters
PPPoEIA Remote-id               63 characters
DHCPSNP option82 Circuit-id     246 characters *1
DHCPSNP option82 Remote-id      246 characters *2
 
*1 To set circuit-id to its maximum length of 246 characters, you have to configure remote-id as a 1-character string. If you want to keep the default DHCPSNP option82 Remote-id setting with MAC-address information (10 bytes = 4+6), the maximum Circuit-id length that you can configure is 241 characters (255-10-4).
*2 To set remote-id to its maximum length of 246 characters, you have to configure circuit-id as a 1-character string. If you want to keep the default DHCPSNP option82 Circuit-id setting with VLAN-id, module and port number information (8 bytes = 4+2+1+1), the maximum Remote-id length that you can configure is 243 characters (255-8-4).
 

 

1.PPPoE IA - Circuit ID and Remote ID

The Access-Node MUST encode and send the Circuit ID and Remote ID as a TAG in the PPPoE discovery packet, in the format described below:


According to TR101, we added the capability of setting PPPoE IA sub-tags as follows.
PPPoEIA Circuit-id string length: up to 57
PPPoEIA Remote-id string length: up to 63
 
With the Circuit-id string set to its maximum length, the sub-tag in the packet will be
Type: 01
Length: 3f (63)
Value: node id (1 byte minimum) + "eth" (occupies 5 bytes) + string (57 bytes remain)

With the Remote-id string set to its maximum length, the sub-tag in the packet will be
Type: 02
Length: 3f (63)
Value: string (63 bytes remain)
 
 

2.DHCP Relay Agent Information Option

This document defines a new DHCP Option called the Relay Agent Information Option.  It is a "container" option for specific agent-supplied sub-options.  The format of the Relay Agent Information option is:

The length N gives the total number of octets in the Agent Information Field.  The Agent Information field consists of a sequence of SubOpt/Length/Value tuples for each sub-option, encoded in the following manner:

 
No "pad" sub-option is defined, and the Information field shall NOT be terminated with a 255 sub-option. The length N of the DHCP Agent Information Option shall include all bytes of the sub-option code/length/value tuples. Since at least one sub-option must be defined, the minimum Relay Agent Information length is two (2). The   length N of the sub-options shall be the number of octets in only that sub-option's value field. A sub-option length may be zero. The sub-options need not appear in sub-option code order.
  
The initial assignment of DHCP Relay Agent Sub-options is as follows:
                
DHCP Agent            Sub-Option Description
Sub-option Code
---------------       ----------------------
    1                 Agent Circuit ID Sub-option
    2                 Agent Remote ID Sub-option
 
 
According to RFC3046 and TR101, we added the capability of setting DHCPSNP option82 as follows.
DHCPSNP option82 Circuit-id string length: up to 246.
DHCPSNP option82 Remote-id string length: up to 246.
 
Note: The DHCPSNP option82 total length is 255 bytes; Circuit-id and Remote-id share this space.
 
With the Circuit-id string set to its maximum length and the Remote-id manually configured as a 1-byte string,
the space for the Circuit-id string is 255-4-4-1=246 bytes.

Type: 01 (sub-option 1 circuit-id)
Length: f8 (248)
Type: 01 (string)
Length: f6 (246)
Value: string (246 bytes remain)
 
With the Remote-id string set to its maximum length and the Circuit-id manually configured as a 1-byte string,
the space for the Remote-id string is 255-4-4-1=246 bytes.

Type: 02 (sub-option 2 remote-id)
Length: f8 (248)
Type: 04 (string)
Length: f6 (246)
Value: string (246 bytes remain)
 
Note: When the DHCPSNP option82 function is enabled on an Edge-Core switch, the default Circuit-id and Remote-id settings have the following format.
 

 
So, with default settings, the Circuit-id is 8 bytes long and the Remote-id is 10 bytes long. To reach the maximum 246-byte string, users must manually configure either the Circuit-id or the Remote-id as a 1-byte string.
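
The length budget and the byte layout above, worked through as an added example (not Edgecore firmware code). It encodes and parses a Relay Agent Information option using the inner type bytes shown in the hex breakdowns on this page (01 for the circuit-id string, 04 for the remote-id string); function names and the sample strings are assumptions.

```python
OPTION_82 = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
CIRCUIT_STRING_TYPE = 0x01   # inner type byte from the page's circuit-id dump
REMOTE_STRING_TYPE = 0x04    # inner type byte from the page's remote-id dump
AGENT_INFO_MAX = 255         # both sub-options share this space
HEADER = 4                   # sub-option code + length + inner type + length
DEFAULT_CIRCUIT_TOTAL = 8    # 4 + VLAN-id (2) + module (1) + port (1)
DEFAULT_REMOTE_TOTAL = 10    # 4 + MAC address (6)


def max_string_len(other_suboption_total):
    """Longest string that fits beside another sub-option of the given size."""
    return AGENT_INFO_MAX - other_suboption_total - HEADER


def encode_suboption(code, inner_type, text):
    value = text.encode("ascii")
    if len(value) + 2 > 255:
        raise ValueError("string does not fit in one sub-option")
    inner = bytes([inner_type, len(value)]) + value
    return bytes([code, len(inner)]) + inner


def encode_option82(circuit_id, remote_id):
    """Encode both sub-options as configured strings; reject an overflow."""
    info = (encode_suboption(SUBOPT_CIRCUIT_ID, CIRCUIT_STRING_TYPE, circuit_id)
            + encode_suboption(SUBOPT_REMOTE_ID, REMOTE_STRING_TYPE, remote_id))
    if len(info) > AGENT_INFO_MAX:
        raise ValueError(f"agent information is {len(info)} bytes, limit is 255")
    return bytes([OPTION_82, len(info)]) + info


def parse_option82(option):
    """Return {sub-option code: (inner type, value bytes)} with bounds checks."""
    if len(option) < 2 or option[0] != OPTION_82:
        raise ValueError("not a Relay Agent Information option")
    info = option[2:]
    if option[1] != len(info):
        raise ValueError("option length does not match payload")
    subopts, pos = {}, 0
    while pos < len(info):
        if pos + 2 > len(info):
            raise ValueError("truncated sub-option header")
        code, length = info[pos], info[pos + 1]
        body = info[pos + 2:pos + 2 + length]
        if len(body) != length:
            raise ValueError("sub-option overruns the option")
        if length < 2 or body[1] != length - 2:
            raise ValueError("inner type/length is malformed")
        subopts[code] = (body[0], body[2:])
        pos += 2 + length
    return subopts


if __name__ == "__main__":
    print(max_string_len(HEADER + 1))            # remote-id set to 1 character
    print(max_string_len(DEFAULT_REMOTE_TOTAL))  # default remote-id kept
    print(max_string_len(DEFAULT_CIRCUIT_TOTAL)) # default circuit-id kept
    option = encode_option82("C" * 246, "R")     # constructed sample strings
    print(option[:6].hex(), len(option))
```

A DHCP server or collector that parses option 82 should apply the same bounds checks, since the sub-option lengths arrive from the network.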
 

ECS2100 series firmware version v1.2.2.12 and above includes a software enhancement that supports the Layer 2 / Layer 3 DHCP Relay function. The user may choose L2 or L3 DHCP Relay with the following commands (the default is L3).

The setting for Layer 2 DHCP Relay
 

Console(config)#ip dhcp l2 relay

The setting for Layer 3 DHCP Relay
 

Console(config)#ip dhcp l3 relay

When the client and DHCP server are in the same VLAN and subnet, the client can obtain the IP address from the DHCP server directly. However, in a practical network, clients might be in a different subnet and VLAN; the DHCP Relay function then helps them get an IP address from a DHCP server in a different subnet.

 

- L2 DHCP Relay

The L2 DHCP Relay function can be used to add the sub-option information (DHCP Option 82), and the DHCP server may refer to it to assign the corresponding IP address.

 

Topology:

 

Configuration on ECS2100-28T:

1) Configure the port 2 to VLAN 2.
 

Console(config)#interface ethernet 1/2
Console(config-if)#switchport native vlan 2
Console(config-if)#switchport mode access

2) Set IP address on VLAN interface.
 

Console(config)#int vlan 1
Console(config-if)#ip address 192.168.1.1/24
Console(config-if)#exit

3) Enable the L2 DHCP relay and configure the IP address of DHCP server.
 

Console(config)#ip dhcp l2 relay
Console(config)#ip dhcp relay information option
Console(config)#ip dhcp relay server 192.168.1.254


L2 DHCP Relay packet forwarding procedures:

 

In this example, the client will get an IP address in the range of 192.168.2.240~192.168.2.250 from the DHCP server.

==================================================================

 

- L3 DHCP Relay

The L3 DHCP Relay function will convert the DHCP broadcast packet into a unicast packet and add the DHCP Relay agent IP address. The DHCP server can then refer to the Relay agent IP address to assign the corresponding IP address.

 

Topology:

Configuration on ECS2100-28T:

1) Configure the port 2 to VLAN 2 and port 3 to VLAN 3.
 

Console(config)#interface ethernet 1/2
Console(config-if)#switchport native vlan 2
Console(config-if)#switchport mode access
Console(config-if)#exit
Console(config)#interface ethernet 1/3
Console(config-if)#switchport native vlan 3
Console(config-if)#switchport mode access
Console(config-if)#exit

2) Set IP address on VLAN interface.
 

Console(config)#int vlan 1
Console(config-if)#ip address 192.168.1.1/24
Console(config-if)#exit
Console(config)#int vlan 2
Console(config-if)#ip address 192.168.2.1/24
Console(config-if)#exit
Console(config)#int vlan 3
Console(config-if)#ip address 192.168.3.1/24
Console(config-if)#exit

3) Enable the L3 DHCP relay and configure DHCP relay server on VLAN interface.
 

Console(config)#ip dhcp l3 relay
Console(config)#int vlan 2

Console(config-if)#ip dhcp relay server 192.168.1.254
Console(config-if)#exit
Console(config)#int vlan 3
Console(config-if)#ip dhcp relay server 192.168.1.254
Console(config-if)#exit

 

L3 DHCP Relay packet forwarding procedures:

Example of client B.

In this example,
Client A can get an IP address in the range of 192.168.2.240-250 from the DHCP server.
Client B can get an IP address in the range of 192.168.3.240-250 from the DHCP server.

How to configure SNMPv3 notification messages on ECS4510 series?
 
 

 
Product Model & Software
ECS4510-28T firmware version: v1.5.2.16
SNMP Server software: MG-soft v10.0.0.4044
 
Configure Procedures
1. Setting an IP address on ECS4510-28T.
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.1 255.255.255.0
 
2. Specify an “engine-id” for the SNMP server.
Console(config)#snmp-server engine-id remote 192.168.1.20 8000052301c0a80114
*Please find the engine-id on your SNMP server.
The “engine-id” is generated automatically and is unique to the host.

 
3. Create a remote SNMPv3 user.
Console(config)#snmp-server user andy super remote 192.168.1.20 v3 auth md5 andytest
*You also need to create the same user on your SNMP server.

 
4. Create an SNMP “view entry”, which controls user access to the MIB for the specific notification message.
Console(config)#snmp-server view super 1.3.6.1.4.1.259.10.1.24.* included
*This example OID gives access to the whole MIB tree of the ECS4510-28T.
 
5. Create an SNMP group, which sets the access policy for the assigned users and maps SNMP users to SNMP views.
Console(config)#snmp-server group super v3 auth
 
6. Specify the target SNMP server that will receive inform messages.
Console(config)#snmp-server host 192.168.1.20 inform andy version 3 auth
*If we specify an SNMP Version 3 host, the community-string is interpreted as an SNMP user name.
Thus the community-string “andy” here is the user name.
 
7. The SNMP inform collector will receive the SNMPv3 trap.

 
Troubleshooting

If the SNMP server still can’t receive the trap message from the switch, capture SNMP packets on the SNMP server and use the capture to start troubleshooting.
Generally, the problem falls into one of the following two cases.
 
1) Host has not received the SNMP packets. >>> check the configuration of the switch.
-----------------------------------Switch’s Configuration Example-----------------------------------------------------
!
snmp-server engine-id remote 192.168.1.20 8000052301c0a80114
snmp-server group super v3 auth
snmp-server user andy super remote 192.168.1.20 v3 auth md5 andytest
snmp-server view super 1.3.6.1.4.1.259.10.1.24.* included
snmp-server host 192.168.1.20 inform andy version 3 auth
!
!
interface vlan 1
 ip address 192.168.1.1/24
!
-----------------------------------Switch’s Configuration End------------------------------------------------------------
 
2) Host has received the SNMP packets. >>> check the engine-ID and user profile of SNMP server and switch.
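
For case 2, this added Python example (not Edgecore or MG-SOFT code) decodes the engine-id from step 2 using the RFC 3411 layout and derives the localized MD5 authentication key as RFC 3414 defines it. For informs the receiving SNMP server is the authoritative engine, so the key the switch uses is bound to the remote engine-id; if the engine-id or the password differs on either side, authentication fails. The function names are hypothetical.

```python
import hashlib
import ipaddress

ENGINE_ID = "8000052301c0a80114"    # remote engine-id from step 2
PASSWORD = b"andytest"              # auth password from step 3

def decode_engine_id(hex_id):
    """Split an RFC 3411 engine ID into (enterprise number, format, value)."""
    raw = bytes.fromhex(hex_id)
    head = int.from_bytes(raw[:4], "big")
    if not head & 0x80000000:
        raise ValueError("engine ID is not in the RFC 3411 format")
    enterprise = head & 0x7FFFFFFF   # IANA enterprise number of the vendor
    fmt, value = raw[4], raw[5:]
    if fmt == 1 and len(value) == 4:     # format 1: value is an IPv4 address
        return enterprise, fmt, str(ipaddress.IPv4Address(value))
    return enterprise, fmt, value.hex()

def password_to_key_md5(password):
    """RFC 3414 A.2.1: MD5 over the password repeated to exactly 1 MiB."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(1048576, len(password))
    return hashlib.md5(password * reps + password[:rem]).digest()

def localize_key(user_key, engine_id_hex):
    """Bind the user key to one engine: MD5(Ku || engineID || Ku)."""
    engine_id = bytes.fromhex(engine_id_hex)
    return hashlib.md5(user_key + engine_id + user_key).digest()

if __name__ == "__main__":
    print(decode_engine_id(ENGINE_ID))
    key = localize_key(password_to_key_md5(PASSWORD), ENGINE_ID)
    print("localized auth key:", key.hex())
```

The decoded value of this engine-id is the SNMP server's own address, 192.168.1.20, which is a quick sanity check that the ID entered on the switch belongs to the intended host.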
 
 
Problem: Why does the ECS4210 series fail to enable IPv6 RA Guard on a port interface?
 
Problem description:
When the user tries to enable IPv6 RA Guard on a port interface with the command below, the switch reports a failure.
Console#con
Console(config)#interface ethernet 1/1
Console(config-if)#ipv6 nd raguard
Failed to configure IPv6 RA Guard on port 1/1.
Console(config-if)#
 
Solution:
To solve the rule-number issue on the ECS4210 series, R&D added a new feature for dynamic TCAM allocation.
IPv6 RA Guard is an IPv6 rule.
According to the TCAM design, you must change to 'default' mode before you can enable IPv6 RA Guard (the switch's default setting is ipv4 mode).
Console(config)#tcam allocation ?
  default  allocate one slice for MAC, one slice for IPv4, two slices for IPv6
  ipv4     allocate one slice for MAC, three slices for IPv4, no slices for IPv6
  mac      allocate two slices for MAC, one slice for IPv4, no slices for IPv6
Console(config)#tcam allocation default
Please remember to save the config and reboot the switch; the new allocation applies after the reboot.
When you use IPv4/MAC mode, the IPv6 table is shared out to IPv4/MAC.
In 'IPv4' or 'MAC' mode, enabling IPv6 RA Guard will always fail.
 
[Reason]
The chip has a limit on the number of ACL rules.
[Target]
Dynamically allocate superfluous rules to other rule types.
[Action]
==default mode==
MAC rules: 128 rules shared by MAC ACL, MAC service policy and reserved rules.
IPv4 rules: 128 rules shared by IPv4 ACL, IPv4 service policy and reserved rules.
IPv6 rules: 128 rules shared by IPv6 ACL, IPv6 service policy and reserved rules.
 
==IPv4 mode==
MAC rules: 128 rules shared by MAC ACL, MAC service policy and reserved rules.
IPv4 rules: 128 rules for IPv4 ACL. 256 rules for IPv4 service policy.
IPv6 rules: 0 rules.
 
==mac mode==
MAC rules: 128 rules shared by MAC ACL and reserved rules. 128 rules for MAC service policy.
IPv4 rules: 128 rules shared by IPv4 ACL, IPv4 service policy and reserved rules.
IPv6 rules: 0 rules.
 
 
 
 

Topology

 

A. Configuration

 

B. Check ERPS status

 

ERPS status on S1 (RPL Owner)

 

ERPS status on S3

 

ERPS status on S5

 

C. Disconnect the link between Agg2 and S5.

With the ERPS recovery procedure, the RPL owner node detects a failed link when it receives R-APS (SF - signal fault) messages from nodes adjacent to the failed link. The RPL owner then enters protection state by unblocking the West port. However, using this standard recovery procedure may cause a non-ERPS device to become isolated when the ERPS device adjacent to it detects a continuity check message (CCM) loss event and blocks the link between the non-ERPS device and the ERPS device.

 

ERPS domain status on S1

 

ERPS domain status on S5

 

D. Enable non-ERPS device protection

If non-ERPS device protection is enabled on the ring, the ring ports on the RPL owner node and non-owner nodes will not be blocked when signal loss is detected by CCM loss events. When non-ERPS device protection is enabled on an RPL owner node, it will send non-standard health-check packets to poll the ring health when it enters the protection state.

 

Enable non-ERPS device protection on S1 and S5.

 

When the ERPS status changes to protection mode, port 24 on S1 becomes forwarding, and the non-ERPS device will not be isolated.

 

ERPS and domain status on S1