ISCOM2600G (A) Series Configuration Guide (CLI) (Rel - 12)

www.raisecom.
com
ISCOM2600G (A) Series

Configuration Guide (CLI)
(Rel_12)
Raisecom Technology Co., Ltd. provides customers with comprehensive technical support and services. For any
assistance, please contact our local office or company headquarters.
Website: http://www.raisecom.com
Tel: 8610-82883305
Fax: 8610-82883056
Email: export@raisecom.com
Address: Raisecom Building, No. 11, East Area, No. 10 Block, East Xibeiwang Road, Haidian District, Beijing,
P.R.China
Postal code: 100094
-----------------------------------------------------------------------------------------------------------------------------------------
Notice
Copyright ©2022
Raisecom
All rights reserved.
No part of this publication may be excerpted, reproduced, translated, or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in Writing from Raisecom
Technology Co., Ltd.
is the trademark of Raisecom Technology Co., Ltd.

All other trademarks and trade names mentioned in this document are the property of their respective holders.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Raisecom
ISCOM2600G (A) Series Configuration Guide (CLI) Preface
Preface
Objectives
This document describes features supported by the ISCOM2600G series switch, and related
configurations, including basic configurations, basic principles and configuration procedures
of Ethernet, ring network protection, PoE, reliability, security, and QoS, and related
configuration examples.
The appendix lists terms, acronyms, and abbreviations involved in this document.
By reading this document, you can master principles and configurations of the ISCOM2600G
series switch, and how to network with the ISCOM2600G series switch.
Versions
The following table lists the product versions related to this document.
Product name Software version Hardware version

ISCOM2600G series switch V3.63M A
Conventions
Symbol conventions
The symbols that may be found in this document are defined as below.
Symbol Description
Indicate a hazard with a medium or low level of risk which, if
not avoided, could result in minor or moderate injury.
Indicate a potentially hazardous situation that, if not avoided,

could cause equipment damage, data loss, and performance
degradation, or unexpected results.
Raisecom Proprietary and Confidential

i
Copyright © Raisecom Technology Co., Ltd.
Raisecom
Symbol Description
Provide additional information to emphasize or supplement
important points of the main text.
Indicate a tip that may help you solve a problem or save time.
General conventions
Convention Description
Times New Roman Normal paragraphs are in Times New Roman.
Arial Paragraphs in Warning, Caution, Notes, and Tip are in Arial.
Boldface Buttons and navigation paths are in Boldface.
Italic Book titles are in italics.
Lucida Console Terminal display is in Lucida Console.
Book Antiqua Heading 1, Heading 2, Heading 3, and Block are in Book

Antiqua.
Command conventions
Convention Description
Boldface The keywords of a command line are in boldface.
Italic Command arguments are in italics.
[] Items (keywords or arguments) in square brackets [ ] are
optional.
{ x | y | ... } Alternative items are grouped in braces and separated by
vertical bars. One is selected.
[ x | y | ... ] Optional alternative items are grouped in square brackets and
separated by vertical bars. One or none is selected.
{ x | y | ... } * Alternative items are grouped in braces and separated by
vertical bars. A minimum of one or a maximum of all can be
selected.
[ x | y | ... ] * The parameter before the & sign can be repeated 1 to n times.

ii
Raisecom
Change history
Updates between document versions are cumulative. Therefore, the latest document version
contains all updates made to previous versions.
Issue 12 (2021-06-24)
Twelfth commercial release
 Upgraded the system software to V3.62M.
 Deleted ISF and RIP.
 Updated commands in IP basis, multicast, QoS, TACACS+, and CPU protection.
Issue 11 (2019-12-30)
Eleventh commercial release
 Upgraded the system software to V3.60M.
 Updated commands of 802.1x, RADIUS, TACACS+, user management, ND Snooping,
and L2CP.
Issue 10 (2019-08-30)
Tenth commercial release
 Fixed known bugs.
Issue 09 (2019-04-30)
Ninth commercial release
 Upgraded the system software to V3.60.
 Added commands of ISF, IP Source Guard, DHCP Snooping, and L2CP.
 Upgraded commands of interface management, static route, interface loopback, QoS, and
ACL.
 Upgraded configuration steps and added examples to configuration steps.
Issue 08 (2018-11-15)
Eighth commercial release
 Upgraded commands for device login, 802.1x, static route, and MAC address.
Issue 07 (2018-05-14)
Seventh commercial release
 Upgraded the software version to V3.50.
 Added zero-configuration, DHCPv6 Relay, and BFD.

iii
Raisecom
 Updated commands of BootROM, interface management, QoS, DHCP, multicast, storm

control, TACACS+, RADIUS, and SNMP.
Issue 06 (2017-06-30)
Sixth commercial release
 Added RIP.
 Updated commands of time management, interface management, QinQ, VLAN mapping,
QoS, DHCP, multicast, storm control, TACACS+, and RADIUS.
Issue 05 (2016-11-15)
Fifth commercial release
 Upgraded software to V3.11.
 Added MRSTP, PVLAN, Voice VLAN, Smart PoE, and ARP attack protection.
 Updated management files, DHCP Server, OAM, and hardware monitoring.
Issue 04 (2016-05-12)
Fourth commercial release
 Added descriptions of PoE.
Issue 03 (2015-11-30)
Third commercial release
 Upgraded the software version to V3.10.
Issue 02 (2015-11-05)
Second commercial release
 Optimized the document.
Issue 01 (2015-08-15)
Initial commercial release

iv
Raisecom
ISCOM2600G (A) Series Configuration Guide (CLI) Contents
Contents
1 Basic configurations ..................................................................................................................... 1

1.1 CLI ................................................................................................................................................................... 1
1.1.1 Introduction ............................................................................................................................................. 1
1.1.2 Privileges ................................................................................................................................................ 2
1.1.3 Modes...................................................................................................................................................... 2
1.1.4 Shortcut keys ........................................................................................................................................... 4
1.1.5 Acquiring help ......................................................................................................................................... 6
1.1.6 Display information ................................................................................................................................ 8
1.1.7 Command history .................................................................................................................................... 9
1.1.8 Restoring default value of command line ............................................................................................. 10
1.1.9 Logging commands ............................................................................................................................... 10
1.2 Accessing device ............................................................................................................................................ 11
1.2.1 Introduction ........................................................................................................................................... 11
1.2.2 Accessing through Console interface .................................................................................................... 11
1.2.3 Accessing through Telnet ...................................................................................................................... 13
1.2.4 Accessing through SSH ......................................................................................................................... 15
1.2.5 Accessing from Web ............................................................................................................................. 18
1.2.6 Managing users ..................................................................................................................................... 19
1.2.7 Configuring local password management ............................................................................................. 22
1.2.8 Configuring login through serial cable.................................................................................................. 23
1.2.9 Checking configurations ....................................................................................................................... 24
1.2.10 Maintenance ........................................................................................................................................ 24
1.2.11 Example for configuring user management ........................................................................................ 25
1.2.12 Example for configuring SSH login .................................................................................................... 26
1.3 File management ............................................................................................................................................ 29
1.3.1 Managing BootROM files ..................................................................................................................... 29
1.3.2 Managing system files .......................................................................................................................... 31
1.3.3 Managing configuration files ................................................................................................................ 32
1.3.5 Maintenance .......................................................................................................................................... 37
1.4 Loading and upgrade ...................................................................................................................................... 38
1.4.1 Introduction ........................................................................................................................................... 38

v
Raisecom
1.4.2 Upgrading system software through BootROM .................................................................................... 38

1.4.3 Upgrading system software through CLI .............................................................................................. 39
1.5 Time management .......................................................................................................................................... 41
1.5.1 Introduction ........................................................................................................................................... 41
1.5.2 Preparing for configurations ................................................................................................................. 43
1.5.3 Default configurations of time management ......................................................................................... 43
1.5.4 Configuring time and time zone ............................................................................................................ 45
1.5.5 Configuring DST .................................................................................................................................. 45
1.5.6 Configuring NTP .................................................................................................................................. 46
1.5.7 Configuring SNTP ................................................................................................................................ 48
1.5.9 Example for configuring NTP ............................................................................................................... 49
1.6 Interface management .................................................................................................................................... 52
1.6.1 Introduction ........................................................................................................................................... 52
1.6.2 Default configurations of interface management .................................................................................. 53
1.6.3 Configuring basic attributes of interfaces ............................................................................................. 53
1.6.4 Configuring interface rate statistics ...................................................................................................... 55
1.6.5 Configuring flow control on interfaces ................................................................................................. 56
1.6.6 Shutting down/Restarting interface ....................................................................................................... 56
1.6.7 Configuring Combo interface ............................................................................................................... 56
1.6.8 Configuring Console interface .............................................................................................................. 57
1.6.9 Configuring VLAN interface ................................................................................................................ 58
1.6.10 Configuring SNMP interface .............................................................................................................. 58
1.6.11 Checking configurations ..................................................................................................................... 59
1.7 Configuring basic information ....................................................................................................................... 59
1.8 Task scheduling .............................................................................................................................................. 61
1.8.1 Introduction ........................................................................................................................................... 61
1.8.2 Configuring task scheduling ................................................................................................................. 61
1.9 Watchdog ........................................................................................................................................................ 63
1.9.1 Introduction ........................................................................................................................................... 63
1.9.3 Default configurations of Watchdog ..................................................................................................... 63
1.9.4 Configuring Watchdog .......................................................................................................................... 63
1.10 Configuring Banner ...................................................................................................................................... 64
1.10.1 Preparing for configurations ............................................................................................................... 64
1.10.2 Configuring Banner............................................................................................................................. 64
1.10.3 Enabling Banner display ..................................................................................................................... 65

vi
Raisecom
2 Ethernet ......................................................................................................................................... 66
2.1 MAC address table ......................................................................................................................................... 66
2.1.1 Introduction ........................................................................................................................................... 66
2.1.3 Default configurations of MAC address table ....................................................................................... 69
2.1.4 Configuring static MAC address ........................................................................................................... 69
2.1.5 Configuring blackhole MAC address .................................................................................................... 69
2.1.6 Filtering unknown multicast packets..................................................................................................... 70
2.1.7 Configuring static Layer 2 multicast ..................................................................................................... 70
2.1.8 Configuring MAC address learning ...................................................................................................... 70
2.1.9 Configuring MAC address limit............................................................................................................ 71
2.1.10 Configuring aging time of MAC addresses ......................................................................................... 71
2.1.11 Enabling suppression of MAC address flapping ................................................................................. 72
2.1.13 Maintenance ........................................................................................................................................ 73
2.1.14 Example for configuring MAC address table...................................................................................... 74
2.2 VLAN ............................................................................................................................................................. 75
2.2.1 Introduction ........................................................................................................................................... 75
2.2.3 Default configurations of VLAN .......................................................................................................... 78
2.2.4 Configuring VLAN attributes ............................................................................................................... 79
2.2.5 Configuring interface mode .................................................................................................................. 79
2.2.6 Configuring VLAN on Access interface ............................................................................................... 79
2.2.7 Configuring VLAN on Trunk interface ................................................................................................. 81
2.2.8 Configuring VLAN based on MAC address ......................................................................................... 82
2.2.9 Configuring VLAN based on IP subnet ................................................................................................ 83
2.2.10 Configuring VLAN based on protocol ................................................................................................ 84
2.2.11 Configuring VLAN filtering in egress direction ................................................................................. 85
2.2.13 Example for configuring VLAN ......................................................................................................... 86
2.3 PVLAN .......................................................................................................................................................... 89
2.3.1 Introduction ........................................................................................................................................... 89
2.3.2 Preparing for configuration ................................................................................................................... 90
2.3.3 Default configurations of PVLAN ........................................................................................................ 90
2.3.4 Configuring PVLAN type ..................................................................................................................... 90
2.3.5 Configuring PVLAN association .......................................................................................................... 91
2.3.6 Configuring PVLAN mode on interface ............................................................................................... 91
2.3.7 Checking configuration ......................................................................................................................... 93
2.3.8 Example for configuring PVLAN ......................................................................................................... 93
2.4 QinQ ............................................................................................................................................................... 96
2.4.1 Introduction ........................................................................................................................................... 96
vii
Raisecom
2.4.3 Default configurations of QinQ ............................................................................................................ 98

2.4.4 Configuring basic QinQ ........................................................................................................................ 98
2.4.5 Configuring selective QinQ .................................................................................................................. 99
2.4.6 Configuring network-side interface to Trunk mode ............................................................................ 101
2.4.7 Configuring TPID ............................................................................................................................... 101
2.4.9 Example for configuring basic QinQ .................................................................................................. 102
2.4.10 Example for configuring selective QinQ .......................................................................................... 103
2.5 VLAN mapping ............................................................................................................................................ 105
2.5.1 Introduction ......................................................................................................................................... 105
2.5.3 Default configurations of VLAN mapping ......................................................................................... 106
2.5.4 Configuring VLAN mapping .............................................................................................................. 106
2.5.6 Example for configuring VLAN mapping .......................................................................................... 108
2.6 STP/RSTP .................................................................................................................................................... 110
2.6.1 Introduction ......................................................................................................................................... 110
2.6.2 Preparation for configuration .............................................................................................................. 113
2.6.3 Default configurations of STP ............................................................................................................ 113
2.6.4 Enabling STP ...................................................................................................................................... 114
2.6.5 Configuring STP parameters ............................................................................................................... 114
2.6.6 Configuring edge interface .................................................................................................................. 116
2.6.7 Configuring link type .......................................................................................................................... 117
2.6.8 Configuring BPDU filtering ................................................................................................................ 118
2.6.9 Configuring BPDU Guard .................................................................................................................. 118
2.6.10 Checking configurations ................................................................................................................... 119
2.6.11 Example for configuring STP ........................................................................................................... 119
2.7 MSTP ........................................................................................................................................................... 122
2.7.1 Introduction ......................................................................................................................................... 122
2.7.2 Preparation for configuration .............................................................................................................. 125
2.7.3 Default configurations of MSTP ......................................................................................................... 125
2.7.4 Enabling MSTP ................................................................................................................................... 126
2.7.5 Configuring MST region and its maximum number of hops .............................................................. 127
2.7.6 Configuring root/backup bridge .......................................................................................................... 128
2.7.7 Configuring interface priority and system priority.............................................................................. 129
2.7.8 Configuring network diameter for switch network ............................................................................. 130
2.7.9 Configuring internal path cost of interface ......................................................................................... 130
2.7.10 Configuring external path cost of interface ....................................................................................... 131
2.7.11 Configuring maximum transmission rate on interface ...................................................................... 131
2.7.12 Configuring MSTP timer .................................................................................................................. 132
2.7.13 Configuring edge interface ................................................................................................................ 133
2.7.14 Configuring BPDU filtering .............................................................................................................. 134

viii
Raisecom
2.7.15 Configuring BPDU Guard................................................................................................................. 134

2.7.16 Configuring STP/RSTP/MSTP mode switching ............................................................................... 135
2.7.17 Configuring link type ........................................................................................................................ 136
2.7.18 Configuring root interface protection................................................................................................ 136
2.7.19 Configuring interface loopguard ....................................................................................................... 137
2.7.20 Configuring TC packet suppression .................................................................................................. 138
2.7.21 Configuring TC protection ................................................................................................................ 138
2.7.23 Maintenance ...................................................................................................................................... 139
2.7.24 Example for configuring MSTP ........................................................................................................ 140
2.8 Loop detection .............................................................................................................................................. 144
2.8.1 Introduction ......................................................................................................................................... 144
2.8.3 Default configurations of loop detection ............................................................................................. 146
2.8.4 Configuring loop detection ................................................................................................................. 146
2.8.6 Maintenance ........................................................................................................................................ 148
2.8.7 Example for configuring inner loop detection .................................................................................... 148
2.9 Interface protection ...................................................................................................................................... 150
2.9.1 Introduction ......................................................................................................................................... 150
2.9.3 Default configurations of interface protection .................................................................................... 150
2.9.4 Configuring interface protection ......................................................................................................... 150
2.9.5 Configuring interface isolation ........................................................................................................... 151
2.9.7 Example for configuring interface protection ..................................................................................... 151
2.10 Port mirroring ............................................................................................................................................. 153
2.10.1 Introduction ....................................................................................................................................... 153
2.10.2 Preparing for configurations ............................................................................................................. 154
2.10.3 Default configurations of port mirroring ........................................................................................... 154
2.10.4 Configuring port mirroring on local port .......................................................................................... 154
2.10.6 Example for configuring port mirroring ............................................................................................ 156
2.11 L2CP .......................................................................................................................................................... 157
2.11.1 Introduction ....................................................................................................................................... 157
2.11.2 Preparing for configurations .............................................................................................................. 157
2.11.3 Defaul configurations of L2CP ......................................................................................................... 158
2.11.4 Configuring global L2CP .................................................................................................................. 158
2.11.5 Configuring L2CP profile ................................................................................................................. 158
2.11.6 Configuring L2CP profile on interface .............................................................................................. 160
2.11.8 Maintenance ...................................................................................................................................... 161

ix
Raisecom
2.11.9 Example for configuring L2CP ......................................................................................................... 161

2.12 Voice VLAN ............................................................................................................................................... 164
2.12.1 Introduction ....................................................................................................................................... 164
2.12.3 Default configurations of voice VLAN ............................................................................................. 165
2.12.4 Configuring QoS of voice VLAN ..................................................................................................... 166
2.12.5 Enabling voice VLAN....................................................................................................................... 167
2.12.6 Configuring OUI address .................................................................................................................. 168
2.12.8 Example for adding interface to voice VLAN and configuring it to work in manual mode ............. 168
2.12.9 Example for configuring IP phone to access voice VLAN packets through LLDP .......................... 170
2.13 GARP/GVRP ............................................................................................................................................. 172
2.13.1 Introduction ....................................................................................................................................... 172
2.13.3 Default configurations of GARP ....................................................................................................... 174
2.13.4 Configuring basic functions of GARP .............................................................................................. 175
2.13.5 Configuring GVRP ........................................................................................................................... 176
2.13.7 Maintenance ...................................................................................................................................... 177
2.13.8 Example for configuring GVRP ........................................................................................................ 177
3 Ring network protection .......................................................................................................... 181

3.1 G.8032 .......................................................................................................................................................... 181
3.1.1 Introduction ......................................................................................................................................... 181
3.1.3 Default configurations of G.8032 ....................................................................................................... 182
3.1.4 Creating G.8032 ring........................................................................................................................... 182
3.1.5 Configuring ERPS fault detection mode ............................................................................................. 185
3.1.6 (Optional) creating G.8032 tributary ring ........................................................................................... 185
3.1.7 (Optional) configuring G.8032 switching control ............................................................................... 188
3.1.9 Maintenance ........................................................................................................................................ 190
4 IP services ................................................................................................................................... 191

4.1 IP basis ......................................................................................................................................................... 191
4.1.1 Introduction ......................................................................................................................................... 191
4.1.3 Default configurations of VLAN interface ......................................................................................... 191
4.1.4 Configuring IPv4 adress of VLAN interface ...................................................................................... 192
4.1.5 Configuring IPv6 address of VLAN interface .................................................................................... 192
4.1.6 Configuring basic attributes ................................................................................................................ 193
4.1.7 Configuring function of forwarding IP broadcast packets .................................................................. 194

x
Raisecom
4.1.9 Example for configuring VLAN interface to interconnect with host .................................................. 195
4.2 Loopback interface ....................................................................................................................................... 196
4.2.1 Introduction ......................................................................................................................................... 196
4.2.3 Default configurations of loopback interface ...................................................................................... 197
4.2.4 Configuring IP address of loopback interface ..................................................................................... 197
4.3 Interface loopback ........................................................................................................................................ 198
4.3.1 Introduction ......................................................................................................................................... 198
4.3.3 Default configurations of interface loopback ...................................................................................... 199
4.3.4 Configuring interface loopback........................................................................................................... 199
4.3.6 Maintenance ........................................................................................................................................ 200
4.4 ARP .............................................................................................................................................................. 200
4.4.1 Introduction ......................................................................................................................................... 200
4.4.3 Default configurations of ARP ............................................................................................................ 201
4.4.4 Configuring static ARP entries ............................................................................................................ 202
4.4.5 Configuring dynamic ARP entries ...................................................................................................... 202
4.4.6 Configuring proxy ARP ...................................................................................................................... 203
4.4.8 Maintenance ........................................................................................................................................ 204
4.4.9 Example for configuring ARP ............................................................................................................. 204
4.5 NDP.............................................................................................................................................................. 206
4.5.1 Introduction ......................................................................................................................................... 206
4.5.3 Default configurations of NDP ........................................................................................................... 207
4.5.4 Configuring static neighbor entries ..................................................................................................... 207
4.5.5 Configuring aging time of dynamic NDPs .......................................................................................... 207
4.5.6 Configuring times of sending NS messages for detecting duplicated addresses ................................. 208
4.5.7 Configuring maximum number of NDPs allowed to be learnt ............................................................ 208
4.5.9 Maintenance ........................................................................................................................................ 209
4.6 Static route ................................................................................................................................................... 209
4.6.1 Introduction ......................................................................................................................................... 209
4.6.3 Configuring static route ...................................................................................................................... 210
4.6.4 Configuring route mangement ............................................................................................................ 212
4.6.6 Example for configuring static route ................................................................................................... 213
4.7 Routing policy .............................................................................................................................................. 215

xi
Raisecom
4.7.1 Introduction ......................................................................................................................................... 215

4.7.3 Default configurations of routing policy ............................................................................................. 217
4.7.4 Configuring IP prefix list .................................................................................................................... 217
4.7.5 Configuring routing table .................................................................................................................... 219
4.7.7 Maintenance ........................................................................................................................................ 222
5 PoE................................................................................................................................................ 224
5.1 Introduction .................................................................................................................................................. 224
5.1.1 Principles of PoE................................................................................................................................. 224
5.1.2 PoE modules ....................................................................................................................................... 225
5.1.3 PoE advantages ................................................................................................................................... 225
5.1.4 PoE concepts ....................................................................................................................................... 225
5.1.5 Smart PoE ........................................................................................................................................... 226
5.2 Configuring PoE........................................................................................................................................... 226
5.2.2 Default configurations of PoE ............................................................................................................. 227
5.2.3 Enabling interface PoE........................................................................................................................ 227
5.2.4 Configuring maximum output power of PoE ...................................................................................... 227
5.2.5 Configuring maximum output power of device .................................................................................. 228
5.2.6 Configuring priority of PoE ................................................................................................................ 228
5.2.7 Configuring PSE power utilization rate threshold .............................................................................. 229
5.2.8 Configuring identification of non-standard PDs ................................................................................. 229
5.2.9 Enabling forcible power supply on interface ...................................................................................... 229
5.2.10 Enabling overtemperature protection ................................................................................................ 230
5.2.11 Enabling global Trap ......................................................................................................................... 230
5.3 Configuring Smart PoE ................................................................................................................................ 231
5.3.2 Default configurations of PoE............................................................................................................. 231
5.3.3 Configuring PD active check .............................................................................................................. 232
5.3.4 Configuring PoE interface to stop supplying power ........................................................................... 232
5.4 Example for configuring PoE power supply ................................................................................................ 233
6 DHCP ........................................................................................................................................... 237

6.1 DHCP Client ................................................................................................................................................ 237
6.1.1 Introduction ......................................................................................................................................... 237
6.1.3 Default configurations of DHCP Client .............................................................................................. 240
6.1.4 Configuring DHCP Client ................................................................................................................... 241
6.1.5 Configuring DHCPv6 Client ............................................................................................................... 242

xii
Raisecom

6.1.7 Example for configuring DHCP Client ............................................................................................... 243
6.2 Zero-configuration ....................................................................................................................................... 245
6.2.1 Introduction ......................................................................................................................................... 245
6.2.2 Default configurations of zero-configuration ...................................................................................... 245
6.2.3 Preparing for configuration ................................................................................................................. 246
6.2.4 Configuring DHCP Client ................................................................................................................... 246
6.2.5 (Optional) configuring zero-configuration polling .............................................................................. 246
6.3 DHCP Snooping ........................................................................................................................................... 247
6.3.1 Introduction ......................................................................................................................................... 247
6.3.3 Default configurations of DHCP Snooping ......................................................................................... 248
6.3.4 Configuring DHCP Snooping ............................................................................................................. 249
6.3.5 Configure DHCP Snooping to support Option 82 ............................................................................... 250
6.3.6 Configuring DHCPv6 Snooping ......................................................................................................... 250
6.3.8 Maintenance ........................................................................................................................................ 252
6.3.9 Example for configuring DHCP Snooping.......................................................................................... 253
6.4 DHCP Options.............................................................................................................................................. 254
6.4.1 Introduction ......................................................................................................................................... 254
6.4.3 Default configurations of DHCP Option ............................................................................................. 256
6.4.4 Configuring DHCP Option field ......................................................................................................... 256
6.4.5 Configuring DHCP Option 18 over IPv6 ............................................................................................ 260
6.4.6 Configuring DHCP Option 37 over IPv6 ............................................................................................ 261
6.4.7 Configuring user-defined DHCP Option over IPv6 ............................................................................ 262
6.5 DHCP Server ................................................................................................................................................ 264
6.5.1 Introduction ......................................................................................................................................... 264
6.5.3 Creating and configuring IPv4 address pool ....................................................................................... 267
6.5.4 Enabling DHCP Server on VLAN interface ....................................................................................... 268
6.5.5 (Optional) recycling IP address or adress pool.................................................................................... 269
6.5.6 Configuring DHCP Server to support Option 82 ................................................................................ 269
6.5.8 Maintenance ........................................................................................................................................ 270
6.5.9 Example for configuring DHCPv4 Server .......................................................................................... 270
6.6 DHCP Relay ................................................................................................................................................. 272
6.6.1 Introduction ......................................................................................................................................... 272
6.6.3 Default configurations of DHCP Relay............................................................................................... 273

xiii
Raisecom
6.6.4 Configuring global DHCP Relay ........................................................................................................ 273

6.6.5 Configuring DHCP Relay on VLAN interface ................................................................................... 273
6.6.6 Configuring global DHCPv6 Relay .................................................................................................... 274
6.6.7 Configuring DHCPv6 Relay on VLAN interface ............................................................................... 274
6.6.8 (Optional) configuring DHCP Relay to support Option 82 ................................................................. 275
6.6.10 Maintenance ...................................................................................................................................... 276
6.6.11 Example for configuring DHCPv4 Relay.......................................................................................... 276
7 QoS ............................................................................................................................................... 278

7.1 Introduction .................................................................................................................................................. 278
7.1.1 Service model...................................................................................................................................... 278
7.1.2 Priority trust ........................................................................................................................................ 279
7.1.3 Traffic classification ............................................................................................................................ 279
7.1.4 Traffic policy ....................................................................................................................................... 281
7.1.5 Priority mapping ................................................................................................................................. 282
7.1.6 Queue scheduling ................................................................................................................................ 282
7.1.7 Congestion avoidance ......................................................................................................................... 284
7.1.8 Traffic shaping .................................................................................................................................... 285
7.1.9 Rate limiting based on interface and VLAN ....................................................................................... 285
7.1.10 QoS enhancement ............................................................................................................................. 285
7.2 Configuring priority ..................................................................................................................................... 286
7.2.2 Default configurations of basic QoS ................................................................................................... 286
7.2.3 Configuring types of priorities trusted by interface ............................................................................ 287
7.2.4 Configuring mapping from CoS to local priority ................................................................................ 288
7.2.5 Configuring mapping from DSCP to local priority and color ............................................................. 289
7.2.6 Configuring DSCP mutation ............................................................................................................... 289
7.2.7 Configuring CoS remarking ................................................................................................................ 290
7.3 Configuring congestion management ........................................................................................................... 292
7.3.2 Default configurations of congestion management ............................................................................. 292
7.3.3 Configuring SP queue scheduling ....................................................................................................... 292
7.3.4 Configuring WRR or SP+WRR queue scheduling ............................................................................. 293
7.3.5 Configuring DRR or SP+DRR queue scheduling ............................................................................... 293
7.3.6 Configuring queue bandwidth guarantee ............................................................................................ 294
7.4 Configuring congestion avoidance ............................................................................................................... 295
7.4.2 Default configurations of congestion avoidance ................................................................................. 295
7.4.3 Configuring SRED .............................................................................................................................. 295

xiv
Raisecom

7.5 Configuring traffic classification and traffic policy ..................................................................................... 296
7.5.2 Default configurations of traffic classification and traffic policy ....................................................... 297
7.5.3 Creating traffic class ........................................................................................................................... 297
7.5.4 Configuring traffic classification rules ................................................................................................ 297
7.5.5 Creating rate limiting rule and shapping rule ...................................................................................... 299
7.5.6 Creating traffic policy ......................................................................................................................... 302
7.5.7 Defining traffic policy mapping .......................................................................................................... 302
7.5.8 Defining traffic policy operation ......................................................................................................... 303
7.5.9 Applying traffic policy to interfaces .................................................................................................... 304
7.5.11 Maintenance ...................................................................................................................................... 306
7.6 Configuring traffic shaping and rate limiting ............................................................................................... 306
7.6.2 Configuring rate limiting based on interface ....................................................................................... 306
7.6.3 Configuring rate limiting based on VLAN.......................................................................................... 307
7.7 Bandwidth rate limiting ................................................................................................................................ 308
7.7.1 Introduction ......................................................................................................................................... 308
7.7.3 Default configurations of bandwidth rate limiting .............................................................................. 309
7.7.4 Configuring bandwidth guarantee ....................................................................................................... 310
7.7.5 Configuring hierarchical bandwidth guarantee ................................................................................... 313
7.8 Configuration examples ............................................................................................................................... 316
7.8.1 Example for configuring congestion management .............................................................................. 316
7.8.2 Example for configuring rate limiting based on traffic policy ............................................................ 319
7.8.3 Example for configuring rate limiting based on interface ................................................................... 321
8 Multicast ..................................................................................................................................... 324

8.1 Multicast....................................................................................................................................................... 324
8.2 Basic functions of Layer 2 multicast ............................................................................................................ 329
8.2.1 Introduction ......................................................................................................................................... 329
8.2.3 Default configurations of Layer 2 multicast basic functions ............................................................... 331
8.2.4 Configuring basic functions of Layer 2 multicast ............................................................................... 331
8.2.6 Maintenance ........................................................................................................................................ 333
8.3 IGMP Snooping............................................................................................................................................ 333
8.3.1 Introduction ......................................................................................................................................... 333

xv
Raisecom
8.3.3 Default configurations of IGMP Snooping ......................................................................................... 334

8.3.4 Configuring IGMP Snooping .............................................................................................................. 334
8.4 IGMP Querier ............................................................................................................................................... 336
8.4.1 Introduction ......................................................................................................................................... 336
8.4.3 Default configurations of IGMP Querier ............................................................................................ 337
8.4.4 Configuring IGMP Querier ................................................................................................................. 338
8.4.6 Example for configuring IGMP Snooping and IGMP Querier ............................................................ 339
8.5 IGMP MVR .................................................................................................................................................. 341
8.5.1 Introduction ......................................................................................................................................... 341
8.5.3 Default configurations of IGMP MVR ............................................................................................... 343
8.5.4 Configuring IGMP MVR .................................................................................................................... 343
8.5.6 Example for configuring IGMP MVR ................................................................................................ 345
8.6 IGMP filtering .............................................................................................................................................. 347
8.6.1 Introduction ......................................................................................................................................... 347
8.6.3 Default configurations of IGMP filtering ............................................................................................ 348
8.6.4 Enabling global IGMP filtering ........................................................................................................... 348
8.6.5 Configuring IGMP filtering profile ..................................................................................................... 348
8.6.6 Configuring maximum number of multicast groups ........................................................................... 350
8.6.8 Example for applying IGMP filtering on interface ............................................................................. 353
8.7 Multicast VLAN copy .................................................................................................................................. 355
8.7.1 Introduction ......................................................................................................................................... 355
8.7.3 Default configurations of multicast VLAN copy ................................................................................ 357
8.7.4 Configuring multicast VLAN copy ..................................................................................................... 358
8.7.5 Configuring static multicast members of VLAN copy........................................................................ 359
8.7.6 Configuring customer VLAN of VLAN copy..................................................................................... 359
8.7.7 Configuring host joining function of VLAN copy .............................................................................. 360
8.8 MLD ............................................................................................................................................................. 361
8.8.1 Introduction ......................................................................................................................................... 361
8.8.3 Default configurations of MLD .......................................................................................................... 362
8.8.4 Configuring basic functions of MLD .................................................................................................. 362
8.8.5 Configuring MLD Snooping ............................................................................................................... 363
8.8.6 Configuring MLD Querier .................................................................................................................. 364

xvi
Raisecom
8.8.7 Configuring MLD filtering ................................................................................................................. 364

8.8.9 Maintenance ........................................................................................................................................ 367
9 OAM ............................................................................................................................................ 368

9.1 Introduction .................................................................................................................................................. 368
9.2 EFM ............................................................................................................................................................. 370
9.2.1 Introduction ......................................................................................................................................... 370
9.2.3 Default configurations of EFM ........................................................................................................... 370
9.2.4 Configuring basic functions of EFM ................................................................................................... 371
9.2.5 Configuring active functions of EFM ................................................................................................. 372
9.2.6 Configuring EFM passive function ..................................................................................................... 374
9.2.8 Maintenance ........................................................................................................................................ 378
10 Security...................................................................................................................................... 379
10.1 ACL ............................................................................................................................................................ 379
10.1.1 Introduction ....................................................................................................................................... 379
10.1.3 Configuring MAC ACL .................................................................................................................... 380
10.1.4 Configuring ACL period ................................................................................................................... 388
10.1.5 Configuring filter .............................................................................................................................. 388
10.1.7 Maintenance ...................................................................................................................................... 390
10.2 AAA ........................................................................................................................................................... 391
10.2.1 Introduction ....................................................................................................................................... 391
10.2.3 Default configurations of AAA ......................................................................................................... 393
10.2.4 Configuring AAA domain ................................................................................................................. 394
10.2.5 Configuring RADIUS ....................................................................................................................... 395
10.2.6 Configuring TACACS+ .................................................................................................................... 396
10.2.8 Maintenance ...................................................................................................................................... 397
10.2.9 Example for configuring AAA .......................................................................................................... 398
10.3 Port security MAC ..................................................................................................................................... 402
10.3.1 Introduction ....................................................................................................................................... 402
10.3.3 Default configurations of port security MAC ................................................................................... 404
10.3.4 Configuring basic functions of port security MAC ........................................................................... 404
10.3.5 Configuring static secure MAC address ............................................................................................ 406
10.3.6 Configuring dynamic secure MAC address ...................................................................................... 406
10.3.7 Configuring sticky secure MAC address .......................................................................................... 407

xvii
Raisecom

10.3.9 Maintenance ...................................................................................................................................... 408
10.3.10 Example for configuring port security MAC .................................................................................. 409
10.4 Dynamic ARP inspection ........................................................................................................................... 411
10.4.1 Introduction ....................................................................................................................................... 411
10.4.3 Default configurations of dynamic ARP inspection .......................................................................... 413
10.4.4 Configuring trusted interfaces of dynamic ARP inspection .............................................................. 413
10.4.5 Configuring static binding of dynamic ARP inspection .................................................................... 413
10.4.6 Configuring dynamic binding of dynamic ARP inspection ............................................................... 414
10.4.7 Configuring protection VLAN of dynamic ARP inspection ............................................................. 414
10.4.8 Configuring rate limiting on ARP packets on interface .................................................................... 415
10.4.9 Configuring number of binding tables on interface .......................................................................... 415
10.4.10 Checking configurations ................................................................................................................. 416
10.4.11 Example for configuring dynamic ARP inspection ......................................................................... 416
10.5 Storm control .............................................................................................................................................. 419
10.5.1 Introduction ....................................................................................................................................... 419
10.5.3 Default configurations of storm control ............................................................................................ 420
10.5.4 Configuring storm control over interface .......................................................................................... 420
10.5.5 Configuring DLF packet forwarding................................................................................................. 422
10.5.7 Example for configuring storm control ............................................................................................. 423
10.6 802.1x ......................................................................................................................................................... 424
10.6.1 Introduction ....................................................................................................................................... 424
10.6.2 Preparing for configruations ............................................................................................................. 426
10.6.3 Default configurations of 802.1x ...................................................................................................... 426
10.6.4 Configuring basic functions of 802.1x .............................................................................................. 427
10.6.5 Configuring 802.1x re-authentication ............................................................................................... 430
10.6.6 Configuring 802.1x timers ................................................................................................................ 430
10.6.8 Maintenance ...................................................................................................................................... 432
10.6.9 Example for configuring 802.1x ....................................................................................................... 432
10.7 IP Source Guard ......................................................................................................................................... 434
10.7.1 Introduction ....................................................................................................................................... 434
10.7.3 Default configurations of IP Source Guard ....................................................................................... 436
10.7.4 Configuring interface trust status of IP Source Guard ...................................................................... 436
10.7.5 Configuring IP Source Guard binding............................................................................................... 437
10.7.6 Configuring priority and rate limit of IP source guard ...................................................................... 438
10.7.8 Example for configuring IP Source Guard ........................................................................................ 439

xviii
Raisecom
10.8 PPPoE+ ...................................................................................................................................................... 441

10.8.1 Introduction ....................................................................................................................................... 441
10.8.3 Default configurations of PPPoE+ .................................................................................................... 443
10.8.4 Configuring basic functions of PPPoE+ ........................................................................................... 443
10.8.5 Configuring PPPoE+ packet information .......................................................................................... 445
10.8.7 Maintenance ...................................................................................................................................... 447
10.8.8 Example for configuring PPPoE+ ..................................................................................................... 448
10.9 Configuring CPU protection ...................................................................................................................... 450
10.9.2 Configuring global CPU CAR .......................................................................................................... 450
10.9.4 Maintenance ...................................................................................................................................... 451
10.10 Configuring ARP attack protection .......................................................................................................... 452
10.10.1 Preparing for configurations ........................................................................................................... 452
10.10.2 Configuring ARP ............................................................................................................................ 452
10.11 ND Snooping ............................................................................................................................................ 454
10.11.1 Introduction ..................................................................................................................................... 454
10.11.2 Preparing for configurations ............................................................................................................ 454
10.11.3 Default configurations of ND Snooping ......................................................................................... 454
10.11.4 Configuring ND Snooping .............................................................................................................. 455
10.11.5 RA Snooping ................................................................................................................................... 455
10.11.7 Maintenance .................................................................................................................................... 456
10.11.8 Example for configuring ND Snooping .......................................................................................... 457
11 Reliability ................................................................................................................................. 460

11.1 Link aggregation......................................................................................................................................... 460
11.1.1 Introduction ....................................................................................................................................... 460
11.1.2 Preparing for configurations .............................................................................................................. 461
11.1.3 Configuring manual link aggregation ................................................................................................ 461
11.1.4 Configuring static LACP link aggregation ........................................................................................ 463
11.1.5 Configuring manual master/slave link aggregation ........................................................................... 466
11.1.7 Example for configuring static LACP link aggregation .................................................................... 468
11.2 Interface backup ......................................................................................................................................... 470
11.2.1 Introduction ....................................................................................................................................... 470
11.2.2 Preparing for configurations.............................................................................................................. 472
11.2.3 Default configurations of interface backup ....................................................................................... 472
11.2.4 Configuring basic functions of interface backup ............................................................................... 473

xix
Raisecom
11.2.5 (Optional) configuring FS on interfaces ............................................................................................ 474

11.2.7 Example for configuring interface backup ........................................................................................ 475
11.3 Link-state tracking ...................................................................................................................................... 478
11.3.1 Introduction ....................................................................................................................................... 478
11.3.3 Default configurations of link-state tracking ..................................................................................... 478
11.3.4 Configuring link-state tracking ......................................................................................................... 478
11.3.6 Example for configuring link-state tracking...................................................................................... 481
11.4 Key-chain ................................................................................................................................................... 483
11.4.1 Introduction ....................................................................................................................................... 483
11.5 UDLD ......................................................................................................................................................... 486
11.5.1 Introduction ....................................................................................................................................... 486
11.5.3 Default configurations of UDLD ...................................................................................................... 486
11.5.4 Configuring UDLD ........................................................................................................................... 486
12 System management ............................................................................................................... 488

12.1 SNMP ......................................................................................................................................................... 488
12.1.1 Introduction ....................................................................................................................................... 488
12.1.3 Default configurations of SNMP ...................................................................................................... 490
12.1.4 Configuring basic functions of SNMPv1/SNMPv2c ........................................................................ 491
12.1.5 Configuring basic functions of SNMPv3 .......................................................................................... 492
12.1.6 Configuring IP address authentication by SNMP server ................................................................... 496
12.1.7 Configuring other information about SNMP .................................................................................... 496
12.1.8 Configuring Trap ............................................................................................................................... 497
12.1.10 Example for configuring SNMPv1/SNMPv2c and Trap ................................................................. 500
12.1.11 Example for configuring SNMPv3 and Trap ................................................................................... 502
12.2 RMON ........................................................................................................................................................ 505
12.2.1 Introduction ....................................................................................................................................... 505
12.2.3 Default configurations of RMON ..................................................................................................... 506
12.2.4 Configuring RMON statistics ........................................................................................................... 507
12.2.5 Configuring RMON historical statistics ............................................................................................ 507
12.2.6 Configuring RMON alarm group ...................................................................................................... 508
12.2.7 Configuring RMON event group ...................................................................................................... 509
12.2.9 Maintenance ...................................................................................................................................... 510

xx
Raisecom
12.2.10 Example for configuring RMON alarm group ................................................................................ 511

12.3 LLDP .......................................................................................................................................................... 512
12.3.1 Introduction ....................................................................................................................................... 512
12.3.3 Default configurations of LLDP ....................................................................................................... 515
12.3.4 Enabling global LLDP ...................................................................................................................... 515
12.3.5 Enabling interface LLDP .................................................................................................................. 516
12.3.6 Configuring basic functions of LLDP ............................................................................................... 516
12.3.7 Configuring LLDP alarm .................................................................................................................. 517
12.3.8 Configuring TLV ............................................................................................................................... 517
12.3.10 Maintenance .................................................................................................................................... 519
12.3.11 Example for configuring LLDP ...................................................................................................... 520
12.4 Optical module DDM ................................................................................................................................. 523
12.4.1 Introduction ....................................................................................................................................... 523
12.4.3 Default configurations of optical module DDM ............................................................................... 524
12.4.4 Enabling optical module DDM ......................................................................................................... 524
12.4.5 Enabling optical module DDM Trap ................................................................................................. 524
12.5 System log .................................................................................................................................................. 526
12.5.1 Introduction ....................................................................................................................................... 526
12.5.3 Default configurations of system log ................................................................................................ 527
12.5.4 Configuring basic information of system log .................................................................................... 527
12.5.5 Configuring system log output .......................................................................................................... 529
12.5.7 Maintenance ...................................................................................................................................... 535
12.5.8 Example for configuring outputting system logs to log host ............................................................ 535
12.6 Alarm management .................................................................................................................................... 536
12.6.1 Introduction ....................................................................................................................................... 536
12.6.3 Configuring basic functions of alarm management .......................................................................... 541
12.7 Hardware environment monitoring ............................................................................................................ 545
12.7.1 Introduction ....................................................................................................................................... 545
12.7.3 Default configurations of hardware environment monitoring ........................................................... 548
12.7.4 Enabling global hardware environment monitoring .......................................................................... 548
12.7.5 Configuring temperature monitoring alarm ...................................................................................... 548
12.7.6 Configuring power supply alarm ...................................................................................................... 549
12.7.7 Clearing all hardware environment monitoring alarms manually ..................................................... 549

xxi
Raisecom

12.8 CPU monitoring ......................................................................................................................................... 550
12.8.1 Introduction ....................................................................................................................................... 550
12.8.3 Default configurations of CPU monitoring ....................................................................................... 551
12.8.4 Configuring CPU monitoring alarm .................................................................................................. 551
12.9 Fan monitoring ........................................................................................................................................... 552
12.9.1 Introduction ....................................................................................................................................... 552
12.9.3 Configuring fan monitoring .............................................................................................................. 553
12.10 Cable diagnosis ........................................................................................................................................ 553
12.10.1 Introduction ..................................................................................................................................... 553
12.10.3 Configuring cable diagnosis ............................................................................................................ 554
12.11 Memory monitoring ................................................................................................................................. 555
12.11.1 Preparing for configurations ............................................................................................................ 555
12.11.2 Configuring memory monitoring .................................................................................................... 555
12.12 PING ........................................................................................................................................................ 556
12.12.1 Introduction ..................................................................................................................................... 556
12.12.2 Configuring PING ........................................................................................................................... 556
12.13 Traceroute................................................................................................................................................. 558
12.13.1 Introduction ..................................................................................................................................... 558
12.13.2 Configuring Traceroute ................................................................................................................... 558
12.14 Performance statistics ............................................................................................................................... 560
12.14.1 Introduction ..................................................................................................................................... 560
12.14.3 Default configurations of performance statistics ............................................................................. 561
12.14.4 Configuring performance statistics ................................................................................................. 561
12.14.6 Maintenance .................................................................................................................................... 562
13 Appendix .................................................................................................................................. 563

13.1 Terms .......................................................................................................................................................... 563
13.2 Acronyms and abbreviations ...................................................................................................................... 568

xxii
Raisecom
ISCOM2600G (A) Series Configuration Guide (CLI) Figures
Figures
Figure 1-1 Accessing device through PC connected with RJ45 Console interface .............................................. 12
Figure 1-2 Configuring communication parameters in Hyper Terminal .............................................................. 12
Figure 1-3 Networking with device as Telnet server ............................................................................................ 13
Figure 1-4 Networking with device as Telnet client ............................................................................................. 15

Figure 1-5 User management networking ............................................................................................................ 25
Figure 1-6 Configuring SSH login ....................................................................................................................... 27
Figure 1-7 Basic principles of NTP ...................................................................................................................... 42
Figure 1-8 NTP networking ................................................................................................................................. 50
Figure 2-1 Forwarding packets according to the MAC address table .................................................................. 67
Figure 2-2 MAC networking ................................................................................................................................ 74
Figure 2-3 VLAN partitions ................................................................................................................................. 76
Figure 2-4 VLAN and interface protection networking ....................................................................................... 87
Figure 2-5 Networking with PVLAN ................................................................................................................... 94
Figure 2-6 Principles of basic QinQ ..................................................................................................................... 96
Figure 2-7 Basic QinQ networking .................................................................................................................... 102
Figure 2-8 Selective QinQ networking .............................................................................................................. 104
Figure 2-9 Principles of VLAN mapping ........................................................................................................... 105
Figure 2-10 VLAN mapping networking ........................................................................................................... 108
Figure 2-11 Network storm due to loopback ...................................................................................................... 111

Figure 2-12 Loop networking with STP ............................................................................................................. 112
Figure 2-13 Failure in forwarding VLAN packets due to RSTP ........................................................................ 113
Figure 2-14 STP networking .............................................................................................................................. 120

Figure 2-15 Basic concepts of the MSTI network .............................................................................................. 123
Figure 2-16 MSTI concepts................................................................................................................................ 124
Figure 2-17 Networking with multiple spanning trees instances in MST region ............................................... 125
Figure 2-18 MSTP networking ........................................................................................................................... 140

xxiii
Raisecom
Figure 2-19 Loop detection networking ............................................................................................................. 144
Figure 2-20 Loop detection networking ............................................................................................................. 148

Figure 2-21 Interface protection networking ...................................................................................................... 152
Figure 2-22 Principles of port mirroring ............................................................................................................ 153
Figure 2-23 Port mirroring networking .............................................................................................................. 156

Figure 2-24 L2CP networking ............................................................................................................................ 161
Figure 2-25 Networking for IP phone to connect to switch ............................................................................... 165
Figure 2-26 Networking for IP phone to connect PC to the switch .................................................................... 165
Figure 2-27 Networking with adding interface to voice VLAN and configuring it to work in manual mode ... 169
Figure 2-28 Configuring IP phone to access voice VLAN packets through LLDP ............................................ 171
Figure 2-29 Principles of GVRP ........................................................................................................................ 174

Figure 2-30 GVRP networking .......................................................................................................................... 178
Figure 4-1 VLAN interface networking ............................................................................................................. 195
Figure 4-2 Interface loopback ............................................................................................................................ 199

Figure 4-3 Configuring ARP networking ........................................................................................................... 205
Figure 4-4 Principles of NDP address resolution ............................................................................................... 206
Figure 4-5 Configuring static route .................................................................................................................... 214
Figure 5-1 Principles of PoE .............................................................................................................................. 225
Figure 5-2 PD Active check ............................................................................................................................... 231
Figure 5-3 PoE switch power supply networking .............................................................................................. 233
Figure 6-1 DHCP typical networking................................................................................................................. 238
Figure 6-2 Structure of DHCP packet ................................................................................................................ 238
Figure 6-3 DHCP Client networking .................................................................................................................. 240
Figure 6-4 DHCP Client networking .................................................................................................................. 243
Figure 6-5 Zero-configuration server networking .............................................................................................. 245
Figure 6-6 DHCP Snooping ............................................................................................................................... 247
Figure 6-7 DHCP Snooping networking ............................................................................................................ 253
Figure 6-8 DHCP Server and Client networking ................................................................................................ 265
Figure 6-9 Structure of a DHCP packet ............................................................................................................. 265
Figure 6-10 DHCP Server networking ............................................................................................................... 271
Figure 6-11 Typical application of DHCP Relay ................................................................................................ 272
Figure 6-12 DHCP Relay networking ................................................................................................................ 276
Figure 7-1 Traffic classification ......................................................................................................................... 280

xxiv
Raisecom
Figure 7-2 Structure of an IP packet header ....................................................................................................... 280
Figure 7-3 Structures of the ToS priority and DSCP .......................................................................................... 280
Figure 7-4 Structure of a VLAN packet ............................................................................................................. 280
Figure 7-5 Structure of CoS ............................................................................................................................... 281
Figure 7-6 SP scheduling ................................................................................................................................... 283

Figure 7-7 WRR scheduling ............................................................................................................................... 283
Figure 7-8 DRR scheduling................................................................................................................................ 284
Figure 7-9 Queue scheduling networking .......................................................................................................... 317

Figure 7-10 Rate limiting based on traffic policy............................................................................................... 319
Figure 7-11 Rate limiting based on interface ..................................................................................................... 322
Figure 8-1 Multicast transmission networking ................................................................................................... 325

Figure 8-2 Basic concepts in multicast ............................................................................................................... 327
Figure 8-3 Mapping between IPv4 multicast address and multicast MAC address ........................................... 328
Figure 8-4 Operating of IGMP and Layer 2 multicast features .......................................................................... 328
Figure 8-5 IGMP Snooping networking ............................................................................................................. 334
Figure 8-6 IGMP Snooping networking ............................................................................................................. 340
Figure 8-7 IGMP MVR networking ................................................................................................................... 342
Figure 8-8 MVR networking .............................................................................................................................. 345
Figure 8-9 Applying IGMP filtering on interface ............................................................................................... 353
Figure 8-10 Data transmission of IGMP MVR .................................................................................................. 356
Figure 8-11 Data transmission of multicast VLAN copy ................................................................................... 356
Figure 8-12 Multicast VLAN copy networking ................................................................................................. 357
Figure 9-1 OAM loopback ................................................................................................................................. 370
Figure 10-1 Domain-based authentication application networking .................................................................... 398
Figure 10-2 Port security MAC networking ....................................................................................................... 409
Figure 10-3 Principles of dynamic ARP inspection ........................................................................................... 412
Figure 10-4 Configuring dynamic ARP inspection ............................................................................................ 417
Figure 10-5 Storm control networking ............................................................................................................... 423
Figure 10-6 802.1x structure .............................................................................................................................. 424
Figure 10-7 Dot1x networking ........................................................................................................................... 433
Figure 10-8 Principles of IP Source Guard ........................................................................................................ 435
Figure 10-9 Configuring IP Source Guard ......................................................................................................... 440
Figure 10-10 Accessing the network through PPPoE authentication ................................................................. 442

xxv
Raisecom
Figure 10-11 PPPoE+ networking ...................................................................................................................... 448
Figure 10-12 ND Snooping networking ............................................................................................................. 457

Figure 11-1 Static LACP mode Link aggregation networking ........................................................................... 468
Figure 11-2 Principles of interface backup ......................................................................................................... 471
Figure 11-3 Networking with interface backup in different VLANs .................................................................. 472
Figure 11-4 Interface backup networking .......................................................................................................... 476
Figure 11-5 Link-state tracking networking ....................................................................................................... 481
Figure 12-1 Principles of SNMP ........................................................................................................................ 489

Figure 12-2 SNMPv3 authentication mechanism ............................................................................................... 493
Figure 12-3 SNMPv1/SNMPv2c networking .................................................................................................... 500
Figure 12-4 SNMPv3 and Trap networking ....................................................................................................... 503

Figure 12-5 RMON networking ......................................................................................................................... 506
Figure 12-6 RMON networking ......................................................................................................................... 511
Figure 12-7 Structure of a LLDPDU .................................................................................................................. 513

Figure 12-8 Structure of a TLV packet ............................................................................................................... 513
Figure 12-9 LLDP networking ........................................................................................................................... 520
Figure 12-10 Networking of outputting system log to log host ......................................................................... 535
Figure 12-11 Principles of PING ........................................................................................................................ 556
Figure 12-12 Principles of Traceroute ................................................................................................................ 558

xxvi
Raisecom
ISCOM2600G (A) Series Configuration Guide (CLI) Tables
Tables
Table 1-1 Shortcut keys for display features .......................................................................................................... 8

Table 2-1 Interface mode and packet processing.................................................................................................. 76
Table 6-1 Fields of a DHCP packet .................................................................................................................... 238

Table 6-2 Common DHCP options ..................................................................................................................... 254
Table 6-3 Fields of a DHCP packet .................................................................................................................... 265
Table 7-1 Mapping from DSCP or CoS to local priority .................................................................................... 282
Table 7-2 Mapping between local priority and queue ........................................................................................ 282
Table 7-3 Default mapping from CoS to local priority ...................................................................................... 287
Table 7-4 Default mapping from DSCP to local priority.................................................................................... 287
Table 7-5 Default mapping from local priority to CoS ...................................................................................... 287
Table 12-1 TLV types ......................................................................................................................................... 513
Table 12-2 IEEE 802.1 organization-defined TLVs ........................................................................................... 513
Table 12-3 IEEE 802.3 organization-defined TLVs ........................................................................................... 514
Table 12-4 Log levels ......................................................................................................................................... 526
Table 12-5 Alarm fields ..................................................................................................................................... 537
Table 12-6 Alarm levels ..................................................................................................................................... 538
Table 12-7 Trap information .............................................................................................................................. 546
Table 12-8 Syslog information ........................................................................................................................... 547

xxvii
Raisecom
ISCOM2600G (A) Series Configuration Guide (CLI) 1 Basic configurations
1 Basic configurations
This chapter describes basic configurations and configuration procedures of the

ISCOM2600G series switch, and provides related configuration examples, including the
following sections:
 CLI
 Accessing device
 File management
 Loading and upgrade
 Time management
 Interface management
 Configuring basic information
 Task scheduling
 Watchdog
 Configuring Banner
1.1 CLI
1.1.1 Introduction
The Command-line Interface (CLI) is a medium for you to communicate with the
ISCOM2600G series switch. You can configure, monitor, and manage the ISCOM2600G
series switch through the CLI.
You can log in to the ISCOM2600G series switch through the terminal equipment or through
a computer that runs the terminal emulation program. Enter commands at the system prompt.
The CLI supports the following features:
 You can configure the ISCOM2600G series switch locally through the Console interface.
 You can configure the ISCOM2600G series switch locally or remotely through
Telnet/Secure Shell v2 (SSHv2).
 Commands are protected by levels. Users with different privileges can execute
commands corresponding to their level only.

1
Raisecom
 Commands of different types belong to different commands modes. Users can configure
the command of a type in the corresponding command mode.
 Users can use shortcut keys to execute commands.
 Users can check or execute a history command by checking command history. The last
20 history commands can be saved on the ISCOM2600G series switch.
 Users can enter a question mark (?) to obtain online help.
 The ISCOM2600G series switch supports multiple intelligent analysis methods, such as
fuzzy match and context association.
1.1.2 Privileges
The ISCOM2600G series switch uses hierarchical protection methods to divide commands
into 16 privileges in an ascending order.
 Viewing level: users can execute viewing commands, such as the ping, clear, and
history commands.
 Monitoring level: users can execute monitoring commands, such as the show command.
 Configuring level: users can execute commands for configuring different services, such
as Virtual Local Area Network (VLAN) and Internet Protocol (IP).
 Administering level: users can execute basic commands for administering the system.
1.1.3 Modes
Command line mode is the CLI environment. All system commands are registered in one (or
multiple) command line mode, the command can only run in the corresponding mode.
Establish a connection with the ISCOM2600G series switch. If the ISCOM2600G series
switch is in default configuration, it will enter user EXEC mode, and the screen will display:
Raisecom#
In privileged EXEC mode, use the config command to enter global configuration mode.
Raisecom#config
Raisecom(config)#
 The CLI prompts that Raisecom is a default host name. You can modify it by using
the hostname name command in privileged EXEC mode.
 Commands executed in global configuration mode can also be executed in other
modes. The functions vary on command modes.
 You can use the exit or quit command to return to the upper command mode.
 You can execute the end command to return to privileged EXEC mode from any
modes but privileged EXEC mode.
The ISCOM2600G series switch supports the following command line modes:

2
Raisecom
Mode Enter method Description

Privileged EXEC After logging in to the device, at the Raisecom#
"Login:" prompt, use the user name
and password.
Global configuration In privileged EXEC mode, use the Raisecom(config)#
config terminal command.
Physical interface In global configuration mode, use the Raisecom(config-
configuration interface { gigaethernet | gigaethernet1/1/in
tengigabitethernet } terface)#
unit/slot/interface command. Raisecom(config-
tengigabitethernet
1/1/interface)#
SNMP interface In global configuration mode, use the Raisecom(config-
configuration interface fastethernet 1/0/1 fastethernet1/0/1)
command. #
Loopback interface In global configuration mode, use the Raisecom(config-

configuration interface loopback lb-number loopback*)#
command.
VLAN configuration In global configuration mode, use the Raisecom(config-
vlan vlan-id command. vlan*)#
Aggregation group In global configuration mode, use the Raisecom(config-

configuration interface port-channel channel- port-channel)#
number command.
Traffic classification In global configuration mode, use the Raisecom(config-
configuration class-map class-map-name command. cmap)#
Traffic policy In global configuration mode, use the Raisecom(config-

configuration policy-map policy-map-name pmap)#
command.
Traffic policy In floe policy configuration mode, use Raisecom(config-
configuration binding the class-map class-map-name pmap-c)#
with traffic command.
classification
Basic IP ACL In global configuration mode, use the Raisecom(config-
configuration access-list acl-number command. In acl-ip-std)#
this command, acl-number ranges from
1000 to 1999.
Extended IP ACL In global configuration mode, use the Raisecom(config-
configuration access-list acl-number command. In acl-ip-ext)#
2000 to 2999.
MAC ACL In global configuration mode, use the Raisecom(config-
configuration access-list acl-number command. In acl-mac)#
3000 to 3999.

3
Raisecom
Mode Enter method Description

User ACL In global configuration mode, use the Raisecom(config-
configuration access-list acl-number command. In acl-udf)#
5000 to 5999.
Advanced ACL In global configuration mode, use the Raisecom(config-
configuration access-list acl-number command. The acl-advanced)#
acl-number ranges from 7000 to 7999.
MST region In global configuration mode, use the Raisecom(config-
configuration spanning-tree region-configuration region)#
command.
Profile configuration In global configuration mode, use the Raisecom(config-
igmp filter profile profile-number igmp-profile)#
command.
cos-remark In global configuration mode, use the Raisecom(cos-
configuration mls qos mapping cos-remark profile- remark)#
id command.
cos-to-pri In global configuration mode, use the Raisecom(cos-to-
configuration mls qos mapping cos-to-localpri)#
priority profile-id command.
dscp-mutation In global configuration mode, use the Raisecom(dscp-
configuration mls qos mapping dscp-mutation mutation)#
profile-id command.
dscp-to-pri In global configuration mode, use the Raisecom(dscp-to-
configuration mls qos mapping dscp-to-localpri)#
priority profile-id command.
SRED profile In global configuration mode, use the Raisecom(sred)#
configuration mls qos sred profile profile-id
command.
Traffic monitoring In global configuration mode, use the Raisecom(traffic-
profile configuration mls qos policer-profile policer-name policer)#
command.
Chinese prompt In any configuration mode, use the Raisecom#
language chinese command.
English prompt In any configuration mode, use the Raisecom#
language english command.
1.1.4 Shortcut keys

The ISCOM2600G series switch supports the following shortcut keys.

4
Raisecom
Shortcut key Description

Up Arrow (↑) Show the previous command if there is any command entered
earlier; the displayed command does not change if the current
command is the earliest one in history records.
Down Arrow (↓) Show the next command if there is any newer command. The
displayed command does not change if the current command is the
newest one in history records.
Left Arrow (←) Move the cursor leftward by one character. The displayed command
does not change if the cursor is already at the beginning of the
command.
Right Arrow (→) Move the cursor rightward by one character. The displayed
command does not change if the cursor is already at the end of the
command.
Backspace Delete the character before the cursor. The displayed command does
not change if the cursor is already at the beginning of the command.
Tab Press Tab after entering a complete keyword, and the cursor will
automatically appear a space to the end. Press Tab again, and the
system will show the follow-up available keywords.
Press Tab after entering an incomplete keyword, and the system
automatically executes partial helps:
 When only one keyword matches the entered incomplete keyword,
the system takes the complete keyword to replace the entered
incomplete keyword and leaves one space between the cursor and
end of the keyword.
 When no keyword or multiple keywords match the entered
incomplete keyword, the system displays the prefix, and you can
press Tab to check words circularly. In this case, there is no space
from the cursor to the end of the keyword. Press Space bar to
enter the next word.
 If you enter an incorrect keyword, pressing Tab will move the
cursor to the next line and the system will prompt an error. In this
case, the entered keyword does not change.
Ctrl+A Move the cursor to the beginning of the command.
Ctrl+B Identical to the Left Arrow key.
Ctrl+C Interrupt the ongoing command, such as ping and traceroute. This
short key combination takes effect only when page-break is enabled.
Ctrl+D or Delete Delete the character at the cursor.
Ctrl+E Move the cursor to the end of the command.
Ctrl+F Identical to the Right Arrow key
Ctrl+K Delete all characters from the cursor to the end of the command.
Ctrl+L Clear screen information.
Ctrl+S Identical to the Down Arrow key
Ctrl+W Identical to the Up Arrow key

5
Raisecom

Ctrl+X Delete all characters before the cursor (except the cursor location).
Ctrl+Y Show history commands.
Ctrl+Z Return to privileged EXEC mode from the current mode.
Space bar or Y Scroll down one screen.
Enter Scroll down one line.
1.1.5 Acquiring help
Complete help
You can acquire complete help under following three conditions:
 You can enter a question mark (?) at the system prompt to display a list of commands
and brief descriptions available for each command mode.
Raisecom#?
The command output is as below.
aaa Authentication, Authorization, Accounting

boot system boot
bootrom Bootrom
clear Reset functions
clock System time and date
config Configuration from terminal interface
console Console
copy load configuration information
debug Debugging functions (see also 'undebug')
delete Delete flash file
……
 After you enter a keyword, press Space bar and enter a question mark (?), all correlated
commands and their brief descriptions are displayed if the question mark (?) matches
another keyword.
Raisecom(config)#ntp ?
authenticate Authenticate function

6
Raisecom
authentication-keyid Authentication keyid

peer Configure NTP peer
refclock-master Set local clock as reference clock
server Configure NTP server
trust-keyid Trusted authenticate keyid
 After you enter a keyword, press Space bar and enter a question mark (?), the value
range and descriptions are displayed if the question mark (?) matches a parameter.
Raisecom(config)#interface vlan ?
vlan1
<1-4094> Vlan number
Incomplete help
You can acquire incomplete help under following three conditions:
 After you enter part of a particular character string and a question mark (?), a list of
commands that begin with a particular character string is displayed.
Raisecom(config)#c?
class-map Set class map

clear Clear buffer content
command-log Log the command to the file
console console
cpu Configure cpu parameters
cpu-protect Config cpu protect information
create Create static VLAN
 After you enter a command, press Space bar, and enter a particular character string and
a question mark (?), a list of commands that begin with a particular character string is
displayed.
Raisecom(config)#show li?

7
Raisecom
link-state-tracking Fault tracking

link-trace Link trace
 After you enter a partial command name and press Tab, the full form of the keyword is
displayed if there is a unique match command. Otherwise, press Tab continuously to
display different keywords and then you can select the required one.
Error messages
The ISCOM2600G series switch prints out the following error messages according to error
type when you enter incorrect commands:
Error message Description

% Incomplete command. The user has entered an incomplete
command.
Error input in the position marked by '^'. The keyword marked "^" is invalid.
Ambiguous input in the position marked by '^' The keyword marked "^" is not clear.
If there is an error message mentioned above, use CLI help information to solve the
problem.
1.1.6 Display information
Display features
The CLI provides the following display features:
 The help information and prompt messages displayed at the CLI are in English.
 When messages are displayed at more than one screen, you can suspend displaying them
with one of the following operations, as listed in Table 1-1.
Table 1-1 Shortcut keys for display features

Press Space bar or Y Scroll down one screen.
Press Enter Scroll down one line.
Press any letter key (except Y) Stop displaying and executing commands.
Filtering displayed information

The ISCOM2600G series switch supports a series of commands starting with show, to check
device configurations, operation and diagnostic information. Generally, these commands can

8
Raisecom
output more information, and then you need to add filtering rules to filter out unnecessary
information.
The show command on the ISCOM2600G series switch supports three kinds of filter modes:
 | begin string: show all lines starting from the assigned string. Case-sensitivity is
optional.
 | exclude string: show all lines mismatching the assigned string. Case-sensitivity is
optional.
 | include string: show all lines only matching the assigned string. Case-sensitivity is
optional.
Step Command Description
1 Raisecom#show Configure whether to distinguish upper case and lower case
command-string when showing configurations, running status, and diagnosis
| { begin | information about the device.
include |
 command-string: command string
exclude }
 expression: key word to be filtered, a string, optionally
expression
[ igncase ] case sensitive
 begin: show all lines starting from the line matching the
specified string.
 exclude: show all lines mismatching the specified string.
 include: show all lines matching the specified string.
 igncase: ignore case-sensitivity.
Page-break
Page-break is used to suspend displaying messages when they are displayed at more than one
screen. After page-break is enabled, you can use shortcut keys listed in Table 1-1. If page-
break is disabled, all messages are displayed when they are displayed at more than one screen.
By default, page-break is enabled.
Configure terminal page-break for the ISCOM2600G series switch as below.

1 Raisecom#terminal page-break Enable or disable terminal page-break.
{ enable | disable }
 enable: enable terminal page-break.
Example:
 disable: disable terminal page-break.
Raisecom#terminal page-break
enable
1.1.7 Command history

The history commands can be automatically saved at the CLI. You can use the up arrow (↑) or
down arrow (↓) to schedule a history command. By default, the last 20 history commands are
saved. You can configure the number of commands to be saved at the CLI.
Configure the ISCOM2600G series switch as below.

9
Raisecom

1 Raisecom#terminal (Optional) configure the number of history
history number commands saved in the system.
Example:
 number: the number of displayed commands,
Raisecom#terminal
history 10 an integer, ranging from 1 to 20
2 Raisecom#terminal time- (Optional) configure the Console terminal
out second timeout period.
Example:
 second: logout waiting time of terminal
Raisecom#terminal time-
out 20 timeout, an integer, ranging from 0 to 6553, in
units of second
3 Raisecom#history Show history commands entered by the user.
4 Raisecom#show terminal Show terminal configurations of the user.
1.1.8 Restoring default value of command line

The default value of command line can be restored by no form or enable | disable form.
 no form: be provided in front of a command and used to restore the default value, disable
some feature, or delete a configuration. It is used to perform an operation that is opposite
to the command. Therefore, the command with a no form is also called a reverse
command.
 enable | disable form: be provided behind a command or in the middle of a command.
The enable parameter is used to enable some feature or function while the disable
parameter is used to disable some feature or function.
For example:
 In physical interface configuration mode, the description string command is used to
modify descriptions about an interface while the no description command is used to
delete descriptions about the interface and restore to the default values.
 In physical interface configuration mode, the shutdown command is used to disable an
interface while the no shutdown command is used to enable an interface.
 In global configuration mode, the terminal page-break enable command is used to
enable page-break while the terminal page-break disable command is used to disable
terminal page-break.
Most configuration commands have default values, which often are restored by the
no form.
1.1.9 Logging commands

Configure command log for the ISCOM2600G series switch as below.

1 Raisecom#config Enter global configuration mode.

10
Raisecom

2 Raisecom(config)#command-log Enable or disable command logging.
 enable: enable command loging.
Example:
 disable: disable command loging.
Raisecom(config)#command-log
enable
1.2 Accessing device

1.2.1 Introduction
The ISCOM2600G series switch can be configured and managed in Command Line Interface
(CLI) mode or NView NNM network management mode.
The ISCOM2600G series switch CLI mode has a variety of configuration modes:
 Console mode: it must use Console mode in the first configuration.
 Telnet mode: log on through the Console mode, open Telnet service on the Switch,
configure the IP address of the VLAN interface, configure the user name and password,
and then take remote Telnet configuration.
 SSH mode: before accessing the ISCOM2600G series switch through SSH, you need to
log in to the ISCOM2600G series switch and start SSH services through the Console
interface.
When configuring the ISCOM2600G series switch in network management mode, you must
first configure the IP address of the VLAN interface on CLI, and then configure the
ISCOM2600G series switch through the NView NNM system.
1.2.2 Accessing through Console interface
Introduction
The Console interface is commonly used to connect the network device with a PC running
terminal emulation programs. You can use this interface to configure and manage local
devices. In this management mode, devices can communicate with each other independent
from the network, so it is called out-of-band management. You can also perform configuration
and management on the ISCOM2600G series switch through the Console interface when the
network fails.
In the following two conditions, you can only log in to the ISCOM2600G series switch and
configure it through the Console interface:
 The ISCOM2600G series switch is powered on to start for the first time.
 Accessing the ISCOM2600G series switch through Telnet fails.
Accessing device through RJ45 Console interface

If you want to access the ISCOM2600G series switch through PC through RJ45 Console
interface, connect Console interface and PC RS-232 serial port, as shown in Figure 1-1; then

11
Raisecom
run the terminal emulation program in PC to configure communication parameters as shown

in Figure 1-2, and then log in to the ISCOM2600G series switch.
Figure 1-1 Accessing device through PC connected with RJ45 Console interface
Figure 1-2 Configuring communication parameters in Hyper Terminal
By default, the baud rate of the serial interface is 9600.

Configure the baud rate of the serial interface for the ISCOM2600G series switch as below.

12
Raisecom

1 Raisecom#config Modify the baud rate of the serial interface to 115200,
Raisecom(config) 19200, 38400, or 9600.
#console baud-
 baud-rate: baud rate of the Console interface
rate { 115200 |
 115200: configure the baud rate of the Console
19200 | 38400 |
9600 } interface to 115200 baud.
Example:
Raisecom(config) interface to 19200 baud.
#console baud-
rate 9600 interface to 38400 baud.
 9600: configure the baud rate of the Console interface
to 9600 baud.
1.2.3 Accessing through Telnet
By default, the default management IP address of the out-of-band management

interface (SNMP interface: fastethernet 1/0/1), and the subnet mask is 255.255.255.0.
To modify the IP address, log in to the ISCOM2600G series switch and configure it.
Both the default user name and password are raisecom. In Telnet connection status,
if you enter the password incorrectly for three 3 times, the Telnet connection will be
automatically disconnected.
You can use a PC to log in to the ISCOM2600G series switch remotely through Telnet. You
can log in to an ISCOM2600G series switch from PC at first, then Telnet another
ISCOM2600G series switch on the network. You do not need to connect a PC to each
ISCOM2600G series switch.
Telnet services provided by the ISCOM2600G-HI series switch are as below:
 Telnet Server: run the Telnet client program on a PC to log in to the ISCOM2600G series
switch, and take configuration and management. As shown in Figure 1-3, the
ISCOM2600G series switch is providing Telnet Server service at this time.
Figure 1-3 Networking with device as Telnet server
Before accessing the ISCOM2600G series switch through Telnet, you need to log in to the
ISCOM2600G series switch through the Console interface and start the Telnet service. Take
the following configurations on the ISCOM2600G series switch that needs to start Telnet
service.

13
Raisecom

2 Raisecom(config)#interface Enter out-of-band network management
fastethernet 1/0/1 interface configuration mode
3 Raisecom(config- Configure the IP address of the out-of-
fastethernet1/0/1)#ip band network management interface.
address ip-address [ ip-
mask ] By default, it is 192.168.0.1. Both the
Example: default user name and password are
Raisecom(config- raisecom.
fastethernet1/0/1)#ip  ip-address: IP address, in dotted
address 192.168.0.1 decimal notation, such as 10.0.0.1
255.255.255.0  ip-mask: mask of IP address, in dotted
decimal notation, such as 255.0.0.0

4 Raisecom(config- (Optional) shut down the out-of-band
fastethernet1/0/1)#shutdown management interface on the device.
5 Raisecom(config)#telnet- (Optional) configure the interface in
server accept interface-type support of Telnet function.
interface-number
 interface-type: interface type
Example:
 interface-number: interface ID. The
Raisecom(config)#telnet-
server accept gigaethernet form and value range depend on the
1/1/1 interface type.
6 Raisecom(config)#telnet- (Optional) release the specified Telnet
server close terminal-telnet connection.
session-number
 session-number: session number, an
Example:
Raisecom(config)#telnet- integer, ranging from 1 to 10
server close terminal-telnet
1
7 Raisecom(config)#telnet- (Optional) configure the maximum
server max-session session- number of Telnet sessions supported by
number the ISCOM2600G series switch.
Example:
Raisecom(config)#telnet- By default, it is 10.
server max-session 5  session-number: maximum number of
connections, an integer, ranging from 0
to 10
8 Raisecom(config)#telnet- (Optional) configure the ACL number of
server access-list { ip- the Telnet.
access-list-number | ipv6-
 ip access-list number: IPv4 standard
access-list-number }
Example: ACL number, an integer, ranging from
Raisecom(config)#telnet- 1000 to 1999; IPv4 ACL number, an
server access-list 1001 integer, ranging from 2000 to 2999
 ipv6 access-list number: IPv6 ACL
number, an integer, ranging from 6000

to 6999

14
Raisecom

9 Raisecom(config)#telnet- (Optional) enable or disable Telnet
server { enable | disable } Server. At the same time, the
Example: corresponding port number will be
Raisecom(config)#telnet- disabled.
server disable
 enable: enable Telnet server.
 disable: disable Telnet server.
10 Raisecom(config)#telnet- (Optional) configure the Telnet listening
server port port-id port number.
Example:
 port-id: Telnet listening port number,
Raisecom(config)#telnet-
server port 2000 an integer, ranging from 1 to 65535
 Telnet Client: when you connect to the ISCOM2600G series switch through the PC
terminal emulation program or Telnet client program on a PC, then telnet other
ISCOM2600G series switch and configure/manage them. As shown in Figure 1-4,
Switch A not only acts as Telnet server but also provides Telnet client service.
Figure 1-4 Networking with device as Telnet client
Configure Telnet Client device as below.

1 Raisecom#telnet Log in to another device through Telnet.
{ ipv4-address |
 ipv4-address: IPv4 address of the remote
ipv6-address }
[ port port-id ] destination host, in dotted decimal notation, such as
Raisecom#telnet 10.10.1.1
 ipv6-address: IPv6 address of the remote
ipv4-address [ port
port-id ] [ sourceip destination host, in form of A:B::C:D/M
 port-id: TCP port number corresponding to Telnet
source-ip-address ]
Example: service which is provided by the remote destination
Raisecom#telnet device, an integer, ranging from 1 to 65535
 source-ip-address: source IPv4 address, in dotted
192.168.1.1
1.2.4 Accessing through SSH

Telnet is lack of security authentication and it transports messages through Transmission
Control Protocol (TCP) which exists with big potential security hazard. Telnet service may
cause hostile attacks, such as Deny of Service (DoS), host IP spoofing, and routing spoofing.
15
Raisecom
The traditional Telnet and File Transfer Protocol (FTP) transmit password and data in plain
text, which cannot satisfy users' security demands. SSHv2 is a network security protocol,
which can effectively prevent the disclosure of information in remote management through
data encryption, and provides greater security for remote login and other network services in
network environment.
SSHv2 allows data to be exchanged through TCP and it establishes a secure channel over TCP.
Besides, SSHv2 supports other service ports besides standard port 22, avoiding illegal attacks
from the network.
Before accessing the ISCOM2600G series switch through SSHv2, you must log in to the
ISCOM2600G series switch through the Console interface and start SSH service.
Default configurations for accessing the ISCOM2600G series switch through SSHv2 are as
below.
Function Default value

SSH server status Disable
Local SSH key pair length 512 bits
Key renegotiation period 0h
SSH authentication method password
SSH authentication timeout 600s
Allowable failure times for SSH authentication 20
SSH snooping port number 22
SSH session status Disable
SSH version v2
3DES algorithm Disable
Configure SSH services for the ISCOM2600G series switch as below.

2 Raisecom(config)#gener Generate local SSHv2 key pair and designate its
ate ssh-key [ length ] length.
Example:
Raisecom(config)#gener By default, the length is 512 bits.
ate ssh-key 512  length: key pair length of the SSH server, an
integer, ranging from 512 to 2048, in units of
bit

16
Raisecom

3 Raisecom(config)#ssh2 Start the SSH server.
server
By default, it is not started.
Use the no ssh2 server command to shut down
the SSH server.
(Optional) configure SSH key renegotiation
period.
4 Raisecom(config)#ssh2 (Optional) configure SSHv2 authentication mode.
server authentication
{ password | rsa-key }
By default, it is password.
Example:  password: use local user name and password to
Raisecom(config)#ssh2 authenticate SSH clients.
server authentication  rsa-key: use "host key pairs + local user name
password and password" to authenticate SSH clients.

5 Raisecom(config)#ssh2 (Optional) record the public key of the client on
server authentication the ISCOM2600G series switch in rsa-key
public-key-name authentication mode.
public-key
 public-key-name: public key name
[ publickey ]
 publickey: public key contents, a string of 10
Example:
Raisecom(config)#ssh2 characters
server authentication
aa public-key
6 Raisecom(config)#ssh2 (Optional) configure the SSHv2 authentication
server authentication- timeout. The ISCOM2600G series switch refuses
timeout second to authenticate the client and then closes the
Example: connection when the client authentication time
Raisecom(config)#ssh2 exceeds this upper limit.
server authentication-
timeout 100 By default, it is 600s.
 second: SSH authentication timeout, an integer,
ranging from 100 to 65535, in units of second
7 Raisecom(config)#ssh2 (Optional) configure the allowable failure times
server authentication- for SSHv2 authentication. The ISCOM2600G
retries times series switch refuses to authenticate the client and
Example: then closes the connection when the number of
Raisecom(config)#ssh2 client authentication failure times exceeds the
server authentication- upper limit.
retries 20
By default, it is 20.
 times: number of failures allowed in SSH
authentication, an integer, ranging from 1 to
100

17
Raisecom

8 Raisecom(config)#ssh2 (Optional) configure SSHv2 snooping port
server port port- number.
number
Example: By default, it is 22.
Raisecom(config)#ssh2  port-id: SSH listening port number, an integer,
server port 20 ranging from 1 to 65535
When configuring SSHv2 snooping port

number, the entered parameter cannot
take effect until SSH is restarted.
9 Raisecom(config)#ssh2 (Optional) configure the maximum number of
server max-session SSHv2 sessions.
session-number
 session-number: maximum number of sessions,
Example:
Raisecom(config)#ssh2 an integer, ranging from 0 to 10
server max-session 1
10 Raisecom(config)#ssh2 (Optional) configure the ACL number.
access-list { ip-
 ip access-list number: IPv4 standard ACL
access-list-number |
ipv6-access-list- number, an integer, ranging from 1000 to 1999;
number } IPv4 extended ACL number, an integer, ranging
Example: from 2000 to 2999
 ipv6 access-list number: IPv6 ACL number, an
Raisecom(config)#ssh2
access-list 1001 integer, ranging from 6000 to 6999
11 Raisecom(config)#ssh2 (Optional) configure the SSH renegotiation time.
server rekey-interval
 value: renegotiation time, an integer, ranging
value
server rekey-interval
10
12 Raisecom(config)#ssh2 (Optional) close the specified SSHv2 session.
server close session
 session-number: SSH2 session ID, an integer,
session-number
Example: ranging from 1 to 10
server close session 5
13 Raisecom(config)#ssh (Optional) enable 3DES on the SSHv2 server. Use
2 server 3des the disable form of this command to disable this
{ enable | disable } function.
By default, it is enabled.
1.2.5 Accessing from Web

To facilitate users to configure and maintain the ISCOM2600G series switch, it supports Web
network management. Users can use the Web network management to intuitively manage and
configure devices under the graphical interface.
The web network management supports the following two text transmission protocols:
18
Raisecom
 Hypertext Transfer Protocol (HTTP): used to transmit information on Web pages on the
network. After HTTP is enabled on the device, the user can log in to the device through
HTTP, and access and control the device on the Web interface.
 Secure Hypertext Transfer Protocol (HTTPS): it uses the Secure Sockets Layer (SSL)
protocol to ensure that legal clients can access the device in a secure mode. The data
exchanged between the client and the device needs to be encrypted to ensure the security
and integrity of data transmission, so as to realize security management of the device.
After Web network management is enabled, remote users can log in to the device through the
Web browser and manage it. After Web network management is disabled, all established
HTTP/HTTPS connections are disconnected.
Default configurations of Web network management are as below.

HTTP status Enable
HTTPS status Enable
Configure Web network management for the ISCOM2600G series switch as below.

2 Raisecom(config)#ip http server Enable HTTP.
enable
3 Raisecom(config)#ip https Enable HTTPS.
server enable
4 Raisecom(config)#ip http Configure the control on the list of IP
access-list access-list-number addresses of users that access the
device through Web.
1.2.6 Managing users
Introduction
When you start the ISCOM2600G series switch for the first time, connect the PC through
Console interface to the ISCOM2600G series switch, enter the initial user name and password
in HyperTerminal to log in and configure the ISCOM2600G series switch.
By default, both the user name and password are raisecom.

If there is no privilege restriction, any remote user can log in to the ISCOM2600G series
switch through Telnet or access network by establishing a Point to Point Protocol (PPP)
connection when service interfaces are configured with IP addresses. This is unsafe to the
ISCOM2600G series switch and network. Creating user accounts for the ISCOM2600G series
switch and configuring password and privilege help manage login users and ensures network
and device security.

19
Raisecom
Default configurations of user management

Default configurations of user management are as below.

 User name: raisecom
Local user information
 Password: raisecom
 Privilege: 15
New user privilege 15

New user activation status Activate
New user service type N/A
Login password raisecom
User login authentication mode local-user
Password valid period check Disable
Password valid period 90 days
Number of days for reminding prior to password invalidity 30 days
Login and logout alarm status Disable
Password check strength simple
Configuring local user management

Configure local user management for the ISCOM2600G series switch as below.

1 Raisecom#user name Create or modify the user name and password for
user-name password login.
[ cipher | simple ]
password [ confirm ] Use the no form of this command to delete a user
Raisecom#no username account.
user-name  user-name: user name, a string of 1 to 16
Example: characters
Raisecom#user name  password password: login password, a string of
user1 password characters with the length depending on the

aaAA1234@ password check mode
Raisecom#no username  simple: plaintext password
raisecom  cipher: ciphertext password

 confirm: confirm
2 Raisecom#user name Configure the login user privilege.

user-name privilege
 user-name: user name, a string of 1 to 16
privilege-level
Example: characters
 privilege-level: user privilege, an integer, ranging
Raisecom#user name
user1 privilege 5 from 1 to 15

20
Raisecom

3 Raisecom#user name (Optional) configure the status of a login user.
user-name state
{ active | inactive }
Example: characters
 active: the user is in active status.
Raisecom#user name
 inactive: the user is in inactive status.
user1 state active
3 Raisecom#user user- (Optional) configure the priority rule for login user
name { allow-exec | to perform the command line.
disallow-exec } first-
keyword [ second-
keyword ] [ confirm ] characters
 allow-exec: allow users to execute commands
Example:
Raisecom#user with priorities higher than theirs.
 disallow-exec: disallow users execute commands
raisecom1 allow-exec
write with priorities lower than theirs.
 first-keyword: first keyword of the command
 second-keyword: second keyword of the
command
 confirm: confirm
5 Raisecom#user user- (Optional) configure the service type supported by

name service-type the user.
{ lan-access | ssh |
telnet | web | console
| all } characters
 lan-access: LAN access
Example:
 ssh: SSH session
Raisecom#user
 telnet: Telnet session
raisecom1 service-type
 web: Web connection
telnet
 console: Console connection
 all: All service types

21
Raisecom

6 Raisecom#user login (Optional) configure the authentication mode for
{ console | telnet | different user login modes.
ssh | web } { local-
 console: Console interface login
radius | local-user |
 telnet: Telnet login
radius-local [ server-
 ssh: SSH login
no-response ] |
 web: Web login
radius-user | local-
 local-radius: when local authentication coexist
tacacs | tacacs-local
[ server-no-response ] with RADIUS authentication, use local
| tacacs-user } authentication in preference to RADIUS.
 local-user: sse local authentication.
Example:
 radius-local: when local authentication coexist
Raisecom#user login
local-radius with RADIUS authentication concurrently, use
RADIUS authentication in preference to local
authentication.
 radius-user: use RADIUS authentication.
 local-tacacs: when local authentication coexist
with TACACS+ authentication, use local

authentication in preference to TACACS+
authentication.
 tacacs-local: when local authentication coexist
with TACACS+ authentication, use TACACS+

authentication in preference to local
authentication.
 tacacs-user: use TACACS+ authentication.
 server-no-response: use local authentication if the
server stops responding.

7 Raisecom#enable (Optional) configure the user privilege.
[ privilege ]
 privilege: user privilege, an integer, ranging from
Example:
Raisecom#enable 11 1 to 15
8 Raisecom#logout Exit the system.
10 Raisecom(config)#login (Optional) configure the login/logout alarm status.
-trap { enable |
disable }
 Besides the default user raisecom, you can create up to 9 local user accounts.
 A local user with a level lower than 15, unless allowed to execute the command to
modify the login password, is not allowed to modify the login password.
1.2.7 Configuring local password management

Configure local password management for the ISCOM2600G series switch as below.

22
Raisecom

1 Raisecom#enable password [ cipher Modify the password for entering
password ] privileged EXEC mode. The user
Example: with the privilege under 11 does
Raisecom#enable password not need the password for entering
Please input password(Not exceed privileged EXEC mode.
16 and more than 8 characters):
 password: ciphertext password,
Please input password again(Not
exceed 16 and more than 8 a string of 1 to 36 characters
characters):
Set successfully
2 Raisecom#password check { complex Configure the password check
| none | simple } strength.
Example:
 simple: simple mode check
Raisecom#password check complex
 none: none mode check
 complex: complex mode check
3 Raisecom#password expire { enable Configure the password valid

| disable } period check.
Example:
 enable: enable password valid
Raisecom#password expire enable
period check.
 disable: disable password valid
period check.
4 Raisecom#password expire day time Configure the password valid
Example: period.
Raisecom#password expire day 100
 time: password valid period, an
integer, ranging from 1 to 999,
in units of day
5 Raisecom#password expire alert day Configure the number of days for
time reminding prior to password
Example: invalidity.
Raisecom#password expire alert day
 time: number of days for
10
reminding prior to password
invalidity, an integer, ranging
from 1 to 999, in units of day
The length of the login password depends on the password check mode:
 In complex mode, it is 8–16 characters, mandatorily including digits, lower-case
letters, and upper-case letters.
 In simple mode, it is 8–16 characters.
 In none mode, it is 1–16 characters.
1.2.8 Configuring login through serial cable

After login through the serial cable is enabled on the Console interface, only the linear user on
the Console interface can log in; in other words, the user logging in on the Console interface
need to enter the linear password only, without the user name.
Configuring login through serial cable for the ISCOM2600G series switch as below.
23
Raisecom

1 Raisecom#line password Configure the plaintext password for logging
password through the serial interface.
2 Raisecom#line encrypt- Configure the ciphertext password for logging
password password through the serial interface.
3 Raisecom#console login Configure the login mode on the Console
line interface to login through the serial interface.
1.2.9 Checking configurations

Use the following commands to check the configuration results.
No. Command Description

1 Raisecom#show user table Show login user information.
[ detail ]
2 Raisecom#show user active Show information about users logged in to
the ISCOM2600G series switch.
3 Raisecom#show user password Show configurations of the user valid
expire period.
4 Raisecom#show telnet-server Show configurations of the Telnet server.
5 Raisecom#show ssh2 public- Show the public key used for SSH
key [ authentication | authentication on the ISCOM2600G series
rsa ] switch and client.
6 Raisecom#show ssh2 Show SSHv2 server or session information.
{ server | session }
7 Raisecom#show privilege Show the privilege of the current user.

8 Raisecom#|{ begin | Configure the rule for filtering informabout
exclude | include } string the show command.
1.2.10 Maintenance
Maintain the ISCOM2600G series switch as below.
Command Description
Raisecom#delete Delete the user file.
user-file
Example:
Raisecom#delete
user-file
This command is applicable to the device that is
customized with the user password loss function.

24
Raisecom
1.2.11 Example for configuring user management
Networking requirements
As shown in Figure 1-5, to prevent malicious users from logging in to the ISCOM2600G
series switch and to eliminate risks on the ISCOM2600G series switch, configure user
management as below:
 Configure the user login mode to local-user.
 Create a local user user1 with plain password of aaAA123@.
 Configure the user1 privilege to privilege 10.
 Configure the user1 service type to Telnet.
Figure 1-5 User management networking
Configuration steps
Step 1 Configure user login authentication mode.
Raisecom#user login local-user
Step 2 Create a local user user1.
Raisecom#user name user1 password simple aaAA123@
Step 3 Configure the user privilege.
Raisecom#user user1 privilege 10
Step 4 Configure the service type of the user.
Raisecom#no user user1 service-type all

Raisecom#user user1 service-type telnet

25
Raisecom
Checking results
Use the show user table detail command to show configurations of local users.
Raisecom#show user table detail

Default Login:local-user
Username:raisecom
Priority:15
Server:Local
Login :console
Status :online
Service type: telnet
User State :active
Username:user1
Priority:10
Server:Local
Login :--
Status :offline
Service type:console telnet ssh web lan-access
User State :active
Use the newly-created user name user1 and password aaAA123@ to log in to the
ISCOM2600G series switch, and check whether the user privilege is correctly configured.
Login:user1
Password:
Raisecom#config
Raisecom(config)#arp 192.168.0.2 000E.5E12.3456
Set successfully.
To delete the default raisecom account, use the following command:
Raisecom#no username raisecom
1.2.12 Example for configuring SSH login
As shown in Figure 1-6, when a user logs in to the switch remotely from a PC through an
insecure network, you must configure SSH Server and RSA authentication on the switch to
guarantee security of data exchange to the maximum extent, with detailed requirements as
below:

26
Raisecom
 Configure the SSH authentication timeout to 400s and allowed authentication failure
times to 3.
 Configure the public key name of SSH authentication to raisecom and mode to rsa-key.
 Configure the name for SSH login to the default name raisecom.
Figure 1-6 Configuring SSH login
Configuration steps
Step 1 Configure a routing protocol to make the route between the switch and PC available.
Raisecom#config
Raisecom(config)#interface vlan 1
Raisecom(config-vlan1)#ip address 172.16.70.134
Raisecom(config-vlan1)#exit
Step 2 Generate a local SSH key pair, and enable SSH Server.
Raisecom(config)#generate ssh-key
Raisecom(config)#ssh2 server
Step 3 Configure the SSH authentication timeout to 400s and allowed authentication failure times to
3.
Raisecom(config)#ssh2 server authentication-timeout 400

Raisecom(config)#ssh2 server authentication-retries 3
Step 4 Generate a SSH key pair for login, including the server public key and server private key.
Save the server private key on the SSH client. This step is performed in a terminal emulation
program, such as SecureCRT.
Step 5 Write the server public key of the client to the switch. Copy the server public key generated in
step 4, paste it in the terminal emulation program, and press Ctrl+S to save the public key.
Raisecom(config)#ssh2 server authentication raisecom public-key

(Ctrl+s) for save input and return
(Ctrl+z) for discard input and return.

27
Raisecom
-------------------------------------------------------------.
AAAAB3NzaC1yc2EAAAADAQABAAAAgQCwMf+rJOF3cccsbU9NnVSVKqlvvFDOJqYX
kwvMIzCmz1qKhhbguUxHTPnuuOyLbA9Yz+AFeaCdWxxdKvNCFXBJvu2pHjTZcJxm
cThqD3kvvRKnR3BjV9HioBjGHPO1gni2Bqc1z91/RoZ6oaNoQfN885SgwigbGt6K
eei/I8pJgQ==
Step 6 Configure the SSH authentication mode to rsa-key.
Raisecom(config)#ssh server authentication rsa-key
Step 7 Establish a SSH session. Log in to the switch in SSH mode.
Checking results
Use the following command to view configurations of SSH Server.
Raisecom#show ssh2 server

SSH server information:
------------------------
State: Enable
Version: sshv2
Authentication method(default:local user-password ): rsa-key
Authentication timeout(default 600): 400s
Authentication retries(default 20): 3
Rekey interval time(default 0): 0h
Max client count(default 10): 10
Current client count: 0
Current channel count: 0
Listen port on (default 22): 22
Use the following command to view the SSH public key.
Raisecom#show ssh2 public-key

RSA public key :
---- BEGIN SSH PUBLIC KEY ----
Comment: "rsa-key"
AAAAB3NzaC1yc2EAAAADAQABAAAAQwDG0mZvhPtWd5zo6naC6Vrz4cK4QEoj
01+WlD94RmPyF/atwjzH0jQOB63J3tg/vcazH2nNVG3jwu912u1cuYTsZWE=
Fingerprint: md5 b6:1b:e8:88:73:1b:11:a9:af:9f:7b:e6:08:b8:b8:9c
---- END SSH PUBLIC KEY ----
Authentication public key :

---- BEGIN SSH PUBLIC KEY ----
Comment: "rsa-key"
Public-key name: raisecom

28
Raisecom
Public-key:
AAAAB3NzaC1yc2EAAAADAQABAAAAgQCwMf+rJOF3cccsbU9NnVSVKqlvvFDO
JqYXkwvMIzCmz1qKhhbguUxHTPnuuOyLbA9Yz+AFeaCdWxxdKvNCFXBJvu2p
HjTZcJxmcThqD3kvvRKnR3BjV9HioBjGHPO1gni2Bqc1z91/RoZ6oaNoQfN8
85SgwigbGt6Keei/I8pJgQ==
---- END SSH PUBLIC KEY ----
Use the following command to view information about the SSH session. SSH session 1 is
established.
Raisecom#show ssh2 session

ID Ver Cipher(IN/OUT) Auth-Type Con-Time State
UserId Ip
-------------------------------------------------------------------------
1 2.0 aes/aes rsa 0h:0m:23s OK(1channels) raisecom 172.16.70.110
2 -- --/-- -- -- Closed --
--
3 -- --/-- -- -- Closed --
--
4 -- --/-- -- -- Closed --
--
5 -- --/-- -- -- Closed --
--
6 -- --/-- -- -- Closed --
--
7 -- --/-- -- -- Closed --
--
8 -- --/-- -- -- Closed --
--
9 -- --/-- -- -- Closed --
--
10 -- --/-- -- -- Closed --
--
1.3 File management

1.3.1 Managing BootROM files
In Boot mode, you can do the following operations.
Operation Description
t Update system software to the ISCOM2600G series switch.
m Update the boot file to the ISCOM2600G series switch.
b Read system software from the ISCOM2600G series switch, and load it.

29
Raisecom
Operation Description
s Specify the sequence of system software to be loaded upon startup.
e Clear environment variables.
r Restart the ISCOM2600G series switch.
p Configure the BootROM password.
?/h Show information about system files and help.
Configure the ISCOM2600G series switch as below.

All the following steps are optional and in any sequence.

1 Raisecom#upload bootstrap (Optional) upload the BootROM file
{ ftp { ipv4-address |ipv6- through FTP, SFTP, or TFTP.
address } user-name
 bootstrap: upload the bootstrap file.
password file-name | tftp
 tftp: upload the file through TFTP.
{ ipv4-address |ipv6-
 ftp: upload the file through FTP.
address } file-name | sftp
 sftp: upload the file through SFTP.
 ipv4-address: IPv4 address of the server
address } user-name
password file-name }
 user-name: user name of the server
[ dir ]
 password: password of the server
Example:
 file-name: name of the uploaded file
Raisecom#upload bootstrap
 dir: file path
tftp 10.1.1.1 config
2 Raisecom#download bootstrap (Optional) download the BootROM file
{ ftp { ipv4-address | through FTP, SFTP, or TFTP.
ipv6-address } user-name
 bootstrap: download the bootstrap file.
password [ unit unit-id ]
file-name | tftp { ipv4-
address | ipv6-address }
[ unit unit-id ] file-name
| sftp { ipv4-address |
file-name } [ dir ]
 file-name: name of the downloaded file
Example:
 dir: file path
Raisecom#download bootstrap
 unit-id: specified unit ID, an integer,
ranging from 1 to 9
3 Raisecom#erase file-name (Optional) delete files saved in the Flash.
Example:
 file-name: file name. If you do not
Raisecom#erase text
configure the parameter, the startup
configuration file startup_config.conf
will be deleted by default.

30
Raisecom

4 Raisecom#bootrom password (Optional) configure the BootROM
word password.
Example:
 word: BootROM password, a string of
Raisecom#bootrom password
raisecom characters
1.3.2 Managing system files

System files are the files needed for system operation (such as system startup software and
configuration file). These files are usually saved in the memory. The ISCOM2600G series
switch manages them through a file system to facilitate managing the memory. The file
system can create, delete, and modify the file and directory.
In addition, the ISCOM2600G series switch supports dual-system. There are 2 independent
sets of system software saved at the memory. When the ISCOM2600G series switch fails to
work due to upgrade failure, you can use the other set to boot the ISCOM2600G series switch.
Manage system files for the ISCOM2600G series switch as below.

1 Raisecom#download system- (Optional) download the system boot file
boot { ftp { ipv4-address through FTP, SFTP, or TFTP to the device.
| ipv6-address } user-name
 tftp: download the file through TFTP.
 ftp: download the file through FTP.
file-name | tftp { ipv4-
 sftp: download the file through SFTP.
[ unit unit-id ] file-name
| sftp { ipv4-address |
file-name } [ system1.z |
 unit-id: specified unit ID, an integer,
system2.z ]
Raisecom#download system-
boot tftp 10.1.1.1 config
Example:
Raisecom#erase text
configuration file startup_config.conf will
be deleted by default.

31
Raisecom

3 Raisecom#upload system- (Optional) upload the system boot file
boot { ftp { ipv4-address through FTP, SFTP, or TFTP to the local
|ipv6-address } user-name device.
address } user-name
[ system1.z | system2.z ]
Example:
Raisecom#upload system-
boot tftp 10.1.1.1 config
1.3.3 Managing configuration files

Configuration files are loaded after starting the system; different files are used in different
scenarios to achieve different service functions. After starting the system, you can configure
the ISCOM2600G series switch and save the configuration files. New configurations will take
effect in next boot.
The configuration file has a suffix ".cfg", and can be opened by the text book program in
Windows system. The contents are in the following format:
 Be saved in the mode+command format.
 Just keep the non-default parameters to save space (see the command reference manual
for default values of configuration parameters).
 Use the command mode for basic frame to organize commands. Put parameters of one
mode together to form a section, and the sections are separated by the exclamation mark
(!).
The ISCOM2600G series switch starts initialization by reading configuration files from the
memory after being powered on. Thus, the configurations in configuration files are called the
default configurations. If there is no configuration file in the memory, the ISCOM2600G
series switch uses the default parameters for initialization.
The configuration that is currently used by the ISCOM2600G series switch is called the
running configuration.
You can modify the running configuration of ISCOM2600G series switch through CLI. The
running configuration can be used as initial configuration upon next power-on. You must use
the write command to save running configurations in the memory and form a configuration
file.
Manage configuration files for the ISCOM2600G series switch as below.

32
Raisecom

1 Raisecom#download startup- (Optional) download the startup
config { ftp { ipv4-address configuration file through FTP, SFTP, or
|ipv6-address } user-name TFTP.
{ ipv4-address | ipv6-
address } user-name
password file-name } }
[ dir ]
Example:
Raisecom#download startup-
 dir: file path
config tftp 10.1.1.1 config
2 Raisecom#download backup- (Optional) download the backup
 backup-config: backup configuration file
address } user-name
[ dir ]
Example:
Raisecom#download backup-
 dir: file path
3 Raisecom#download dhcplease (Optional) download the DHCP lease file

address } user-name
[ dir ]
Example:
 dir: file path
Raisecom#download dhcplease

33
Raisecom

4 Raisecom#download (Optional) download the DHCP Snooping
dhcpsnooping-binding { ftp binding table file through FTP, SFTP, or
{ ipv4-address | ipv6- TFTP.
address } user-name
address } user-name
[ dir ]
Example:
 dir: file path
Raisecom#download
dhcpsnooping-binding tftp
10.1.1.1 config
Example:
Raisecom#erase text
configuration file startup_config.conf
will be deleted by default.
6 Raisecom#upload startup- (Optional) upload the startup configuration
config { ftp { ipv4-address file through FTP or TFTP.
|ipv6-address } user-name
address } user-name
password file-name } }
[ dir ]
Example:
Raisecom#upload startup-
 dir: file path
7 Raisecom#upload backup- (Optional) upload the backup
address } user-name
[ dir ]
 user-name: user name of the FTP server
Example:
 password: password of the FTP server
Raisecom#upload backup-
 dir: file path

34
Raisecom

8 Raisecom#upload command-log (Optional) upload the command line
{ ftp { ipv4-address |ipv6- logging file and system logs through FTP,
address } user-name SFTP, or TFTP.
 command-log: command line logging
address } file-name | sftp file
address } user-name
[ dir ]
Example:
Raisecom#upload command-log
 dir: file path
9 Raisecom#upload logging- (Optional) upload the system log file

file { ftp { ipv4-address through FTP, SFTP, or TFTP.
|ipv6-address } user-name
 Logging-file: syslog file
address } user-name
 user-name: user name of the FTP server
[ dir ]
 password: password of the FTP server
Example:
Raisecom#upload logging-
 dir: file path
file tftp 10.1.1.1 config
10 Raisecom#upload running- (Optional) upload the running
 running-config: running configuration
address } file-name | sftp file
address } user-name
[ dir ]
Example:
Raisecom#upload running-
 dir: file path

35
Raisecom

11 Raisecom#upload license (Optional) upload the License file through
{ ftp { ipv4-address | FTP, SFTP, or TFTP.
address } user-name
[ dir ]
Example:
 dir: file path
Raisecom#upload license
12 Raisecom#upload dhcpLease (Optional) upload the DHCP lease file
address } user-name
[ dir ]
Example:
 dir: file path
Raisecom#upload dhcpLease
13 Raisecom#upload (Optional) upload the DHCP Snooping
dhcpsnooping-binding { ftp binding file through FTP, SFTP, or TFTP.
address } user-name
address } user-name
[ dir ]
 dir: file path
Example:
Raisecom#upload
dhcpsnooping-binding tftp
10.1.1.1 config
14 Raisecom#write (Optional) save the running configuration
file in the Flash.

Use the following commands to check configuration results.

36
Raisecom

1 Raisecom#show startup- Show configurations loaded upon device startup.
config
2 Raisecom#show running- Show running configurations.
config
3 Raisecom#show backup- Show backup configurations upon device startup.
config
1.3.5 Maintenance
Command Description
Raisecom#write Save running configurations as a startup configuration
[ backup-config ] file which can take effect upon next startup.
Example:
 backup-config: save running configurations as a backup
Raisecom#write backup-
config configuration file.
When you save running configurations as a

startup configuration file, the file will overwrite the
original startup configuration file; therefore back
up the original one in advance.
Raisecom#dir Show names of system files. You can view the remaining
size of the Flash.
Raisecom#erase [ file- Delete a specified system file. If the file-name parameter
name | backup-config ] is not configured, this configuration will delete the startup
Example: configuration file.
Raisecom#erase text
 file-name: file name. If you do not configure the
parameter, the startup configuration file
startup_config.conf will be deleted by default.
After a file is deleted through this command, it

cannot be restored. Use this command with
caution.
Raisecom(config)#syslog Save log files.
save
Raisecom#startup-config Save configurations.
write

37
Raisecom
1.4 Loading and upgrade

1.4.1 Introduction
Loading
Traditionally, configuration files are loaded through the serial interface, which takes a long
time due to low rate and unavailable remote loading. FTP and TFTP loading modes can solve
those problems and make operation more convenient.
The ISCOM2600G series switch supports TFTP auto-loading mode.
TFTP auto-loading refers that you can obtain the configuration files from a server and then
configure the ISCOM2600G series switch. Auto-loading allows configuration files to contain
loading related commands for multiple configurations loading to meet file auto-loading
requirements in complex network environment.
The ISCOM2600G series switch provides several methods to confirm configuration file name
on the TFTP server, such as manually entering, obtaining through DHCP, and using default
name of the configuration file. Besides, you can assign certain naming conventions for
configuration files, and then the ISCOM2600G series switch confirms the name according to
naming conventions and its attributes (device type, MAC address, software version, and so
on).
Upgrade
The ISCOM2600G series switch needs to be upgraded if you want to add new features,
optimize functions, or fix bugs in the current software version.
The ISCOM2600G series switch supports the following two upgrade modes:
 Upgrade through BootROM
 Upgrade through CLI
We recommend upgrading the BootROM under instructions of professional technical

engineers.
1.4.2 Upgrading system software through BootROM

You need to upgrade system software through BootROM under the following conditions:
 A system file is damaged.
 The card is started improperly.
Before upgrading system software through BootROM, you should establish a TFTP
environment, and use the PC as the TFTP server and the ISCOM2600G series switch as the
client. Basic requirements are as below.
 Configure the TFTP server. Ensure that the TFTP server is available.
 Configure the IP address of the TFTP server; keep it in the same network segment with
that of the ISCOM2600G series switch.

38
Raisecom
 Connect the Ethernet interface on the TFTP server to the SNMP interface on the
ISCOM2600G series switch. The default IP address of the SNMP interface is
192.168.0.1 by default.
Upgrade system software through BootROM for the ISCOM2600G series switch as below.
Step Operation
1 Log in to the ISCOM2600G series switch through serial interface as the
administrator, enter Privileged EXEC mode, and restart the ISCOM2600G series
switch with the reboot command.
Raisecom#reboot
2 When the system successfully loads the big BootROM, and it displays "Press
space to enter big boot menu", press Space bar to enter the interface starting with
[raisecom]. The command list is displayed as below:
BOOT
**************************************************
t: Update system from tftp.
m: Update boot from tftp.
b: Boot system from flash.
e: Erase bootline para.
s: Select system image to boot.
p: Password setting.
r: Reboot.
?/h: Help menu.
[Raisecom]:
3 Type "t" to upgrade system software to the ISCOM2600G series switch.
[Raisecom]:t
ipaddr: 192.168.5.100
serverip: 192.168.5.1
filename: uImage
Current system partiton info:

Partition number Name Size
----------------------------------------------------
1 iscom2600_image 16320072
2 None 0
Please input system partition number for upgrading(1-2):1

4 Type "r" to rapidly execute the big BootROM file. The ISCOM2600G series
switch is restarted and will load the downloaded startup file.
1.4.3 Upgrading system software through CLI

Before upgrading system software through CLI, you should establish a TFTP environment,
and use a PC as the TFTP server and the ISCOM2600G series switch as the client. Basic
requirements are as below.

39
Raisecom
 Connect the Ethernet interface on the TFTP server to the SNMP interface on the
ISCOM2600G series switch. The default IP address of the SNMP interface is
192.168.0.1 by default.
 Configure the TFTP server, and ensure that the server is available.
 Configure the IP address of the TFTP server; keep it in the same network segment with
that of the ISCOM2600G series switch so that the ISCOM2600G series switch can
access the TFTP server.
Upgrade system software through CLI for the ISCOM2600G series switch as below.

1 Raisecom#download system- Download the system boot file through FTP,
boot { ftp { ipv4-address SFTP, or TFTP. This command supports the
| ipv6-address } user-name IPv6 address.
 system-file: system boot file
address } file-name |
sftp { ipv4-address |
[ system1.z | system2.z ]
Example:
Raisecom#download system-
boot tftp 10.10.10.1
 unit-id: specified unit ID, an integer, ranging
config
from 1 to 9
2 Raisecom#boot sequence (Optional) configure the sequence for loading
system software.
3 Raisecom#reboot [ now | in Restart the ISCOM2600G series switch, and it
time ] will automatically load the downloaded
Example: system boot file.
Raisecom#reboot now
 now: immediately restart the device without
confirmation.
 in: restart the device after a specified period.
 time: delay period for restarting the device,
an integer, ranging from 1 to 1440, in units

of minute


1 Raisecom#show Show information about the startup configuration file.
startup-config
2 Raisecom#show Show information about the running configuration file.
running-config
3 Raisecom#show Show system version.
version

40
Raisecom
1.5 Time management

1.5.1 Introduction
With development and extension of Internet in all aspects, multiple applications involved in
time need accurate and reliable time, such as online realtime transaction, distributed network
calculation and processing, transport and flight management, and data management.
To ensure precise system time, the ISCOM2600G series switch provides complete time
management functions, including manually configuring system time and time zone, manually
configuring Daylight Saving Time (DST), Network Time Protocol (NTP), and Simple
Network Time Protocol (SNTP).
Time and time zone

The device time is usually configured to the local time of the device while the time zone is
configured to the local time zone based on Greenwich Mean Time (GMT) (for example,
China Beijing is in the eastern eight zone based on GMT, so its time zone is configured to
+08:00).
The ISCOM2600G series switch supports displaying time in the format of "year-month-day
hour:minute:second" and offset of the time zone. You can manually configure the time and
time zone of the ISCOM2600G series switch.
DST
DST is a kind of artificially regulated local time system for saving energy. Time is usually
advanced one hour in summer to make people sleep early and rise early to save energy, but
different countries have different stipulations for DST. In this case, you should consider local
conditions when configuring DST.
The ISCOM2600G series switch supports configuring the start time, end time, offset of the
DST.
NTP
Network Time Protocol (NTP) is a standard Internet protocol for time synchronization, used
to synchronize time between the distributed time servers and clients. NTP transmits data
based on UDP, using UDP port 123 and guaranteeing high precision (error around 10ms).
Figure 1-7 shows basic principles of NTP. Clock synchronization works as below:
Step 1 Switch A sends Switch B a NTP message which carries the timestamp of leaving Switch A.
The timestamp is 10:00:00am and recorded as t1.
Step 2 When the message reaches Switch B, it is added with the timestamp of reaching Switch B,
which is 11:00:01am and recorded as t2.
Step 3 When the message leaves Switch B, it is added with the timestamp of leaving Switch B,
which is 11:00:02am and recorded as t3.
Step 4 When switch A receives the response message, it adds a new timestamp, which is 11:00:03am
and recorded as t4.
At present, Switch A has enough information to calculate two important parameters:
 Round-trip delay of the NTP message: delay = (t4 - t1) - ( t3 - t2)
41
Raisecom
 Time offset between Switch A and Switch B: offset = ((t2 - t1) + (t3 - t4))/2
Switch A configures its clock based on previous two parameters to synchronize clock with
Switch B.
Figure 1-7 Basic principles of NTP
The ISCOM2600G series switch adopts multiple NTP working modes for time
synchronization:
 Client/Server mode
In this mode, the client sends clock synchronization messages to different servers. The servers
work in server mode automatically after receiving the synchronization message and sending
response messages. The client receives response messages, performs clock filtering and
selection, and is synchronized to the preferred server.
In this mode, the client can be synchronized to the server but the server cannot be
synchronized to the client. The ISCOM2600G series switch can work as a client or server.
 Symmetric mode
In this mode, you can configure the passive peer on the active peer. The active peer sends a
clock synchronization message to the passive peer. The passive peer works in passive mode
automatically after receiving the message and sends the answering message back. By
exchanging messages, the two peers establish the symmetric peer mode. The peer with fewer

42
Raisecom
stratum synchronizes time with the one with more stratum. The active and passive peers in
this mode can synchronize each other.
SNTP
Simple Network Time Protocol (SNTP) is used to synchronize the system time of the
ISCOM2600G series switch to the GMT and transmit the GMT to local time according to the
system settings of time zone. When the SNTP client and server are in different time zones, the
SNTP client will be synchronized to the GMT and then translated into the local time
according to system settings of time zone.
The SNTP client obtains time in two modes: actively sending a request packet or passively
monitoring the packet. They are implemented as below:
 Unicast mode: the SNTP client actively sends a request packet. After being configured
with the IP address of the SNTP unicast server, the device tries to obtain clock signals
every 10s from the SNTP server. The maximum timeout for obtaining clock signals from
the SNTP server is 60s.
 Multicast or broadcast mode: SNTP client passively monitors the packet.
– After being configured to multicast mode, the device monitors the multicast IP
address of 224.0.1.1 in real time and obtain clock signals from the SNTP multicast
server. The maximum timeout for obtaining clock signals from the SNTP server is
60s.
– After being configured to broadcast mode, the device monitors the broadcast IP
address of 255.255.255.255 in real time and obtain clock signals from the SNTP
broadcast server. The maximum timeout for obtaining clock signals from the SNTP
server is 60s.
1.5.2 Preparing for configurations
Scenario
Configure the system time of the ISCOM2600G series switch, and guarantee precision of the
system time.
 The time and time zone that is manually configured take effect immediately.
 After NTP or SNTP is enabled, the synchronized time will override the current system
time after a synchronization period.
 NTP and SNTP are mutually exclusive, so they cannot be concurrently configured.
Prerequisites
N/A
1.5.3 Default configurations of time management
Time and time zone

Default configurations of time and time zone are as below.

43
Raisecom

Time zone offset +08:00-CCT
Display mode of the system clock Default
China Coast Time (CCT) is the standard time code. Several countries define their
local time by reference to GMT by advancing or adjusting backward several hours on
the basis of GMT and their longitudes or time zones. To be convenient, establish a
series of standard time codes, including:
 China Coast Time (CCT): GMT +8:00
 Eastern Daylight Time (EDT): GMT +4:00
 Eastern Standard Time (EST): GMT +5:00
 Central Daylight Time (CDT): GMT -5:00
 Central Standard Time (CST): GMT -6:00
 Mountain Daylight Time (MDT): GMT -6:00
 Mountain Standard Time (MST): GMT -7:00
 Pacific Daylight Time (PDT): GMT -7:00
 Pacific Standard Time (PDT): GMT -8:00
DST
Default configurations of DST are as below.

DST status Disable
NTP
Default configurations of NTP are as below.

Whether the device is NTP master clock No
Global NTP server Inexistent
Global NTP equity Inexistent
Reference clock source 0.0.0.0
Identity authentication Disable
Identity authentication key ID N/A
Trusted key N/A

44
Raisecom
SNTP
Default configurations of SNTP are as below.

IP address of the SNTP server N/A
1.5.4 Configuring time and time zone

Configure the time and time zone for the ISCOM2600G series switch as below.

1 Raisecom#clock set Configure the system time.
hour minute second
 hour: hour, an integer, ranging from 0 to 23
year month day
 minute: minute, an integer, ranging from 0 to 59
Example:
 second: second, an integer, ranging from 0 to 59
Raisecom#clock set 8 0
 year: year, an integer, ranging from 2000 to 2037
0 2013 1 1
 month: month, an integer, ranging from 1 to 12
 day: day, an integer, ranging from 1 to 31
2 Raisecom#clock Configure the local time zone.

timezone { + | - }
 +: time zones in the Eastern Hemisphere
hour minute timezone-
 -: time zones in the Western Hemisphere
name
 Hour: time zone offset hour, an integer, ranging
Example:
Raisecom#clock from 0 to 11
 Minute: time zone offset minute, an integer,
timezone – 5 40 CCT
ranging from 0 to 59
 timezone-name: time zone name, a string of 1 to
7 characters
3 Raisecom#clock display Configure the system clock display mode.
{ default | utc }
 Default: default mode
Example:
 utc: UTC mode
Raisecom#clock display
utc
1.5.5 Configuring DST

Configure DST for the ISCOM2600G series switch as below.

1 Raisecom#clock Enable or disable DST.
summer-time
 enable: enable DST.
{ enable |
 disable: disable DST.
disable }
Example:
Raisecom#clock
summer-time enable

45
Raisecom

2 Raisecom#clock Configure calculation period for system DST.
summer-time
 start-week: week when DST begins, an integer,
recurring { start-
week | last } { sun ranging from 1 to 4
 last: DST begins or ends in the last week of a month.
| mon | tue | wed |
 sun: DST begins or ends on Sunday of a week.
thu | fri | sat }
 mon: DST begins or ends on Monday of a week.
start-month hour
 tue: DST begins or ends on Tuesday of a week.
minute { end-week |
 wed: DST begins or ends on Wednesday of a week.
last } { sun | mon
 thu: DST begins or ends on Thursday of a week.
| tue | wed | thu |
 fri: DST begins or ends on Friday of a week.
fri | sat } end-
 sat: DST begins or ends on Saturday of a week.
month hour minute
 start-month: month when DST begins, an integer,
offset
 hour: hour when DST begins or ends, an integer,
Raisecom#clock
summer-time ranging from 0 to 23
 minute: minute when DST begins or ends, an integer,
recurring 2 sun 4 2
0 2 sun 9 2 0 60 ranging from 0 to 59
 end-week: week of the month when : DST ends, an
integer, ranging from 1 to 4

 end-month: month when DST ends, an integer,
 offset: time offset of DST, an integer, ranging from 1
to 1440, in units of second
Underlined command lines indicate the

termination DST.
 When you configure system time manually, if the system uses DST, such as DST
from 2 A.M. on the second Sunday, April to 2 A.M. on the second Sunday,
September every year, you have to adjust the clock one hour forward during this
period, configure time offset as 60 minutes, and the period from 2 A.M. to 3 A.M.
on the second Sunday, April each year is inexistent. The time setting by manual
operation during this period shows failure.
 The summer time in southern hemisphere is opposite to the northern hemisphere,
which is from September to April of next year. If you configure the start time later
than the end time, the system will suppose that it is in the Southern Hemisphere.
In other words, the summer time is from the start time this year to the ending time
of next year.
1.5.6 Configuring NTP

Configure NTP for the ISCOM2600G series switch as below.


46
Raisecom

2 Raisecom(config)#ntp (Optional) configure the IP address of the NTP server
server { ipv4- for the client working in client/server mode.
address | ipv6-
 ipv4-address: IP address of the remote peer, in
address } [ version
version-number ] dotted decimal notation, such as 10.10.1.1
 ipv6-address: IPv6 address of the remote peer, in
[ key key-id ]
Example: colon decimal notation, such as 2001::3
 version-number: version number, the value is v1, v2,
Raisecom(config)#ntp
server 10.0.0.1 v3, or v4.
 key key-id: key ID, an integer, ranging from 1 to
4294967295
3 Raisecom(config)#ntp (Optional) configure the IP address of the NTP peer
peer { ipv4-address for the ISCOM2600G series switch working in
| ipv6-address } symmetric peer mode.
[ version version-
 ipv4-address: IP address of the remote peer, in
number ] [ key key-
id ] dotted decimal notation, such as 10.10.1.1
 ipv6-address: IPv6 address of the remote peer, in
Example:
Raisecom(config)#ntp colon decimal notation, such as 2001::3
 version-number: version number, the value is v1, v2,
peer 10.0.0.1
v3, or v4.
 key key-id: key ID, an integer, ranging from 1 to
4294967295
4 Raisecom(config)#ntp Configure the clock of the ISCOM2600G series
refclock-master switch as the NTP reference clock source for the
[ ip-address ] ISCOM2600G series switch.
[ stratum ]
 ip-address: IP address of the local reference clock, in
Example:
Raisecom(config)#ntp dotted decimal notation, with IP address ranging
refclock-master from 127.127.1.0 to 127.127.1.2. Take the local
clock as the NTP master clock. The defaulted value
should be local clock 127.127.1.0 if the parameter is
not configured.
 stratum: the layer of the tree-type NTP network
topology in which the device is, ranging from 2 to

15. The lower the layer is, the more accurate the
clock is. The default value is 8 if the parameter is
not configured.
If the ISCOM2600G series switch is configured as the NTP reference clock source, it
cannot be configured as the NTP server or NTP symmetric peer; vice versa.
Configuring NTP identity authentication

A network with high requirements for security requires identity authentication when NTP is
used. After enabled with identity authentication, a NTP client synchronizes with the NTP
server that passes identity authentication, thus guaranteeing network security. Only after the
NTP client is enabled with identity authentication can it authenticate the NTP server. If it is
disabled with identity authentication, it will directly synchronize time with the NTP server
without authentication regardless of that the NTP server carries key information.

47
Raisecom
Configure NTP identity authentication for the ISCOM2600G series switch as below.

2 Raisecom(config)#ntp Enable identity authentication on the NTP
authenticate { enable client/server.
| disable }
 enable: enable identity authentication.
Example:
 disable: disable identity authentication.
authenticate enable
3 Raisecom(config)#ntp Configure the key ID and key password for
authentication-keyid identity authentication on the NTP client/server.
key-id md5 password
Example:
authentication-keyid 1
md5 atestkey
4 Raisecom(config)#ntp Configure the key ID for identity authentication
trust-keyid key-id on the NTP client/server as a trusted ID.
Example:
trust-keyid 1
Only after the NTP client is enabled with
identity authentication can it authenticate
the NTP server, and can it synchronize
time with the NTP server that provides a
trusted key.
1.5.7 Configuring SNTP
Configuring unicast feature of SNTP client

Configure unicast feature of SNTP client for the ISCOM2600G series switch as below.

2 Raisecom(config Configure the IP address of the SNTP unicast server.
)#sntp server
{ ipv4-address
After the SNTP server is configured with an IP address,
| ipv6- the ISCOM2600G series switch tries to get the clock
address } information from the SNTP server every 10s. In addition,
[ version the maximum timeout is 60s.
version-  ipv4-address: IP address of the server, in dotted decimal
number ] notation, such as 10.10.1.1
Example:  ipv6-address: IPv6 address of the server, in colon
Raisecom(config decimal notation, such as 2001::3

)#sntp server  version: SNTP version
10.0.0.1  version-number: version, being v1, v2, v3, or v4

48
Raisecom


1 Raisecom#show clock Show configurations of the time zone and
[ summer-time-recurring ] DST.
2 Raisecom#show sntp Show SNTP configurations.
3 Raisecom#show ntp status Show NTP configurations.
4 Raisecom#show ntp Show information about NTP connection.
associations [ detail ]
5 Raisecom#show ntp Show information about NTP identity
authentication authentication.
1.5.9 Example for configuring NTP
Establish a clock synchronization system in a company to keep consistency and precision of
the system time. Basic planning is as below:
 Configure Switch A as the master clock source of the clock synchronization system.
 Configure Switch B as the client of the clock synchronization system. Configure the
upper-layer Switch A as the NTP server.
 Configure Switch C as the NTP entity of Switch B so that Switch C receives downlink
synchronization data from Switch B.

49
Raisecom
Figure 1-8 NTP networking
Configuration steps
Step 1 Configure Switch A.
Raisecom#hostname SwitchA
SwitchA#config
SwitchA(config)#ntp refclock-master
Step 2 Configure Switch B.
Raisecom#hostname SwitchB
SwitchB#config
SwitchB(config)#ntp server 172.16.0.1
SwitchB(config)#ntp peer 172.16.0.3
Checking results
 Check Switch A.
Use the show ntp status command to view configurations of Switch A.
SwitchA#show ntp status

Clock status :synchronized

50
Raisecom
NTP peer :0.0.0.0

NTP version :3
NTP mode :ntpMaster
Leap :0
Poll :6
Stratum :8
Precision :2**-16
Reference clock :127.127.1.0
Reference time :00000000.00000000(Thu 1970-01-01,08:00:00)
Current time :5333d6de.33428f00(Thu 2014-03-27,15:45:44.070)
Root delay :0.000000
Root dispersion :0.000000
 Check Switch B.
Use the show ntp status command to view configurations of Switch B.
SwitchB#show ntp status

Clock status :synchronized
NTP peer :172.16.0.1
NTP version :3
NTP mode :ntpSlave
Leap :0
Poll :6
Stratum :9
Precision :2**-16
Reference clock :172.16.0.1
Reference time :5333d671.383980f6(Thu 2014-03-27,15:44:58.466)
Current time :5333d697.0a917f54(Thu 2014-03-27,15:45:58.765)
Root delay :0.000000
Root dispersion :0.010004
Use the show ntp associations command to view information about NTP sessions of Switch
B.
SwitchB#show ntp associations

Server(ip) refid stratum poll when delay
offset dispersion mode reach
-------------------------------------------------------------------------
(s)172.16.0.1 127.127.1.0 8 6 55 0.000000 -
1.965874 14.875517 4 255
Peer(ip) refid stratum poll when delay
offset dispersion mode reach
-------------------------------------------------------------------------
----------------------------------------
(u)172.16.0.3 0.0.0.0 16 6 125 0.000000
0.000000 16.000000 0 0
 Check Switch C.

51
Raisecom
Use the show ntp status command to view configurations of Switch C.
Raisecom#show ntp status

Clock status : synchronized
NTP peer : 172.16.0.2
NTP version : 3
NTP mode : ntpSlave
Leap : 0
Poll : 6
Stratum : 10
Precision : 2**-22
Reference clock : 172.16.0.2
Reference time : 4d62a905.00000000(Mon 2011-02-22,02:03:49)
Current time : 5333dd97.00000000(Thu 2014-03-27,16:13:11)
Root delay : 4.154726
Root dispersion : 14.034068
Use the show ntp associations command to view information about NTP sessions of Switch
C.
Raisecom#show ntp associations

Active(IP) refid stratum poll when delay offset
dispersion mode reach
-------------------------------------------------------------------------
(s)172.16.0.2 172.16.0.1 9 6 97596571 4.154726
13447.112484 0.000930 1 6
1.6 Interface management

1.6.1 Introduction
Ethernet is a very important LAN networking technology which is flexible, simple, and easy
to implement. The Ethernet interface includes the Ethernet electrical interface and Ethernet
optical interface.
The ISCOM2600G series switch supports both Ethernet electrical and optical interfaces.
Auto-negotiation
Auto-negotiation is used to make the devices at both ends of a physical link automatically
choose the same working parameters by exchanging information. The auto-negotiation
parameters include duplex mode, interface rate, and flow control. Once successful in
negotiation, the devices at both ends of the link can work in the same duplex mode and
interface rate.

52
Raisecom
Cable connection
Generally, the Ethernet cable can be categorized as the Medium Dependent Interface (MDI)
cable and Medium Dependent Interface crossover (MDI-X) cable. MDI provides physical and
electrical connection from terminal to network relay device while MDI-X provides connection
between devices of the same type (terminal to terminal). Hosts and routers use MDI cables
while hubs and switches use MDI-X interfaces. Usually, the connection of different devices
should use the MDI cable while devices of the same type should use the MDI-X cable.
Devices in auto-negotiation mode can be connected by the MDI or MDI-X cable.
The Ethernet cable of the ISCOM2600G series switch supports auto-MDI/MDIX.
1.6.2 Default configurations of interface management

Default configurations of interface management are as below.

Maximum forwarding frame length of interface 2000 bytes
Duplex mode of interface Auto-negotiation
Interface rate Auto-negotiation
Interval for monitoring the interface rate 5s
Interface rate statistics status Disable
Interval of interface dynamic statistics 5s
Interface flow control status Disable
Interface status Enable
L2protocol peer stp status Disable
1.6.3 Configuring basic attributes of interfaces

The interconnected devices cannot communicate normally if their interface attributes (such as
MTU, duplex mode, and rate) are inconsistent, and then you have to adjust the interface
attributes to make the devices at both ends match each other.
The Ethernet physical layer works in three modes as below:
 Half duplex: devices can receive or send messages at a time.
 Full duplex: devices can receive and send messages concurrently.
 Auto-negotiation: devices can automatically choose duplex mode by exchanging
information. Once successful in negotiation, the devices at both ends of the link can
work in the same duplex mode, interface rate, and flow control mode.
Configure the basic attributes of interface for the ISCOM2600G series switch as below.


53
Raisecom

2 Raisecom(config)#interface Enter physical interface configuration
interface-type interface- mode.
number
Example:
 interface-number: interface ID. The form
Raisecom(config)#interface
gigaethernet 1/1/1 and value range depend on the interface
type.
3 Raisecom(config- (Optional) configure the duplex mode of
gigaethernet1/1/*)#duplex the interface.
{ full | half | auto }
 full: forced full duplex mode
Example:
 half: forced half duplex mode
Raisecom(config-
 auto: auto-negotiation
gigaethernet1/1/1)#duplex
half
4 Raisecom(config- Configure the duplex mode of the
gigaethernet1/1/*)#speed interface.
{ auto | 10 | 100 | 1000 }
Example: The rate of an optical interface also
Raisecom(config- depends on parameters of the optical
gigaethernet1/1/1)#speed 10 module. When there is no 10 Gbit/s optical
interface on the device, its interface does
not support being configured to 10 Gbit/s.
 auto: auto-negotiation
 10: forcible 10 Mbit/s
5 Raisecom(config- (Optional) configure the interface TPID.

gigaethernet1/1/*)#tpid
{ 8100 | 9100 | 88a8 }
By default, it is 0x8100.
Example:  8100: configure the TPID to 0x8100.
Raisecom(config-  9100: configure the TPID to 0x9100.
gigaethernet1/1/1)#tpid  88a8: configure the TPID to 0x88a8.
88a8
6 Raisecom(config- (Optional) configure the description of the
gigaethernet1/1/*)#descript interface, a stirng of 1 to 225 characters,
ion string supporting special characters, such as
space, "\", "'", "<", ">", and "&".
7 Raisecom(config- (Optional) configure the MTU on the
gigaethernet1/1/*)#jumbofra interface.
me frame-size
 frame-size: maximum length of frame, an
Example:
Raisecom(config- integer, ranging from 1522 to 12288
gigaethernet1/1/1)#jumbofra bytes, in units of bytes.
me 2046
8 Raisecom(config- (Optional) configure the MDI/MDIX mode
gigaethernet1/1/*)#mdi of the electrical interface.
{ xover | auto | normal }
 xover: forcible crossover mode
Example:
 auto: auto-MDI/MDIX mode
Raisecom(config-
 normal: forcible straight-through mode
gigaethernet1/1/1)#mdi
xover

54
Raisecom

9 Raisecom(config- (Optional) configure the period for
gigaethernet1/1/*)#vibratio suppressing vibration on the interface.
n-suppress period value
 value: period for suppressing vibration,
Example:
Raisecom(config- an integer, ranging from 1 to 600, in
gigaethernet1/1/1)#vibratio units of second
n-suppress period 20
10 Raisecom(config- (Optional) enable interface EEE.
gigaethernet1/1/*)#eee
{ enable | disable } Use the disable form of this command to
Example: disable this function.
Raisecom(config-  enable: enable interface EEE.
gigaethernet1/1/1)#eee  disable: disable interface EEE.
enable
1.6.4 Configuring interface rate statistics

Configure interface rate statistics for the ISCOM2600G series switch as below.

2 Raisecom(config)#dynamic (Optional) configure the period
statistics time time-value for dynamic statistics.
Example:
 time time-value: interval, an
Raisecom(config)#dynamic
statistics time 100 integer, ranging from 3 to 300,
in units of second
3 Raisecom(config)#interface (Optional) configure the period
statistic period value for gathering statistics about
Example: interfaces.
 value: interval, an integer,
statistic period 100
ranging from 3 to 300, in units
of second
4 Raisecom(config)#interface vlan Enter VLAN interface
vlan-id configuration mode.
Example:
 vlan-id: VLAN ID, an integer,
5 Raisecom(config-vlan*)#statistics (Optional) enable interface
enable statistics.
6 Raisecom(config-vlan*)#clear Clear statistics about the interface
interface statistics rate.

55
Raisecom
1.6.5 Configuring flow control on interfaces

IEEE 802.3x is a flow control method for full duplex on the Ethernet data layer. When the
client sends a request to the server, it will send the PAUSE frame to the server if there is
system or network jam. Then, it delays data transmission from the server to the client.
Configure flow control on interfaces for the ISCOM2600G series switch as below.

number
Example:
gigaethernet 1/1/1 and value range depend on the interface
type.
3 Raisecom(config- Enable/Disable interface flow control over
gigaethernet1/1/*)#flowcontr 802.3x packets.
ol { receive | send } { off
| on } By default, it is disabled.
Example:  receive: received flow control
Raisecom(config-  send: sent flow control
gigaethernet1/1/1)#flowcontr  off: disable flow control.
ol receive on  on: enable flow control.
1.6.6 Shutting down/Restarting interface

Shut down/Restart an interface for the ISCOM2600G series switch as below.

2 Raisecom(config)#interface Enter physical interface configuration mode.
interface-type interface-
number
Example:
Raisecom(config)#interface and value range depend on the interface
gigaethernet 1/1/1 type.
3 Raisecom(config- Shut down the current interface.
gigaethernet1/1/*)#shutdown
Use the no shutdown command to re-enable
the disabled interface.
1.6.7 Configuring Combo interface

Configure the Combo interface for the ISCOM2600G series switch as below.

56
Raisecom

2 Raisecom(config)#interf Enter physical interface configuration mode.
ace interface-type
interface-number
 interface-number: in the form of unit/slot/port.
Example:
Raisecom(config)#interf The value range depends on the interface type.
ace gigaethernet 1/1/25
3 Raisecom(config- (Optional) configure the priority of the Combo
gigaethernet1/1/*)#medi interface; in other words, configure the optical
um-priority { copper | interface or electrical interface preferentially to
fiber } be used. By default, the optical interface prevails.
Example:
 cooper: electrical interface
Raisecom(config-
 fiber: optical interface
gigaethernet1/1/25)#med
ium-priority fiber
4 Raisecom(config- (Optional) configure the mode for selecting the
tengigabitethernet1/1/* optical interface or electrical interface of the
)#medium-type { auto | Combo interface.
fiber | copper }
 auto: automatic selection mode
Example:
 fiber: forcibly choosing the optical interface
Raisecom(config-
 copper: forcibly choosing the electrical
gigaethernet1/1/25)#med
ium-type fiber interface
The previous commands are applicable to the device that has a Combo interface.
1.6.8 Configuring Console interface

Configure the Console interface for the ISCOM2600G series switch as below.

2 Raisecom(config)#c (Optional) enable the Console interface.
onsole open
Use this command in non-Console command lines only.
If you use the console close command to

disable the Console interface, this will cause the
ISCOM2600G series switch to be out of control.
Use it with caution.
3 Raisecom(config)#l (Optional) enable Trap sending upon user login or exit.
ogin-trap enable

57
Raisecom
1.6.9 Configuring VLAN interface

Configure the VLAN interface for the ISCOM2600G series switch as below.

2 Raisecom(config)#interface Enter VLAN interface configuration mode.
vlan vlan-id
 vlan-id: VLAN ID, an integer, ranging
Example:
Raisecom(config)#interface from 1 to 4094
vlan 1
3 Raisecom(config-vlan1)#mtu (Optional) configure the maximum
max-frame-length transmission unit of the interface.
Example:
 max-frame-length: maximum
Raisecom(config-vlan1)#mtu
1800 framelength, an integer, ranging from 46
to 9600, in units of byte
1.6.10 Configuring SNMP interface
By default, the IP address of the SNMP interface is 192.168.0.1 and the subnet mask
is 255.255.255.0.
Configure the SNMP interface for the ISCOM2600G series switch as below.

2 Raisecom(config)#interface Enter SNMP interface configuration
fastethernet 1/0/1 mode. The device supports shutdown.
3 Raisecom(config- Configure the IPv4 address of the SNMP
fastethernet1/0/1)#ip address interface.
ip-address [ ip-mask ]
 ip-address: IP address, in dotted
Example:
Raisecom(config- decimal notation, such as 10.0.0.1
 ip-mask: mask of IP address, in dotted
fastethernet1/0/1)#ip address
10.2.2.2 decimal notation, such as 255.0.0.0
4 Raisecom(config- Configure the IPv6 address of the SNMP
fastethernet1/0/1)#ipv6 interface.
address ipv6-address/prefix-
 ipv6-address/prefix-length: IPv6
length [ eui-64]
Raisecom(config- address with prefix length, in form of
fastethernet1/0/1)#ipv6 A:B::C:D/M
 ipv6-address: IPv6 address, in colon
address ipv6-address link-
local hexadecimal notation
 eui-64: IPv6 local link address. The
Example:
Raisecom(config- eui-64 is the interface ID.
 link-local: IPv6 local link address
fastethernet1/0/1)#ipv6
address 1030:0::48AA:1A2B/60

58
Raisecom

5 Raisecom(config- (Optional) enable DHCP Server on the
fastethernet1/0/1)#ip dhcp SNMP interface.
server
6 Raisecom(config- (Optional) configure information about
fastethernet1/0/1)#ip dhcp the DHCP client on the SNMP interface,
client { class-id class-id | including the class ID, client ID, and host
client-id client-id | hostname name.
hostname }
 host-name: host name, a string of 1 to
Example:
Raisecom(config- 64 characters
 class-id: Class-ID, a string of 1 to 64
fastethernet1/0/1)#ip dhcp
client hostname myhost characters
 client-id: Client-ID, a string of 1 to 64
characters
7 Raisecom(config- (Optional) configure the IP address to be
fastethernet1/0/1)#ip dhcp renewed for the SNMP interface.
client renew


1 Raisecom#show interface [ range ] Show the interface status. The
[ interface-type interface-number ] device supports showing
blocked VLANs.
2 Raisecom#show interface interface-type Show interface statistics.
interface-number statistics [ dynamic ]
[ detail ]
Raisecom#show interface statistics
dynamic [ detail ]
3 Raisecom#show interface brief Show the interface list.
4 Raisecom#show interface [ interface- Show the interface summary.
type interface-number ] configuration
5 Raisecom#show interface [ interface- Show the interface description.
type interface-number ] description
6 Raisecom#show port split Show the status of interface
split.
1.7 Configuring basic information

Configure basic information for the ISCOM2600G series switch as below.

59
Raisecom

1 Raisecom#hostname (Optional) configure the device name.
name
Example: By default, the device name is Raisecom.
Raisecom#hostname A The system supports changing device name to make
users distinguish different devices on the network.
Once the device name changes, it can be seen in
terminal prompt.
 name: device name, a string of 1 to 64 characters,
supporting special characters, such as space, \, ',
<, >, &
2 Raisecom#language (Optional) configure language mode.
{ chinese |
english } By default, the language is English.
Example:  english: show descriptions of command lines in
Raisecom#language English.
english  chinese: show descriptions of command lines in
Chinese.
3 Raisecom#write (Optional) save configurations.
Save configurations to the ISCOM2600G series
switch after configurations, and the new
configurations will overwrite the original
configurations.
If new configurations are not saved, they will be lost
after restarting, and the ISCOM2600G series switch
will continue to working with the original
configurations.
Use the erase file-name command to delete

the configuration file. This operation cannot be
rolled back, so use this command with
caution.
4 Raisecom#reboot (Optional) configure restart options.
[ now ]
When the ISCOM2600G series switch fails, restart it
to try to solve the problem according to actual
condition.
5 Raisecom#show Show displayed information or logs.
{ assert | bootlog |
exception |
memory_errors |
ros_errors } [ last
[ count ] ]
6 Raisecom#clear [ all Clear displayed information or logs.
| assert | bootlog |
 all: clear all errored logs.
exception |
 assert: clear assertion information.
memory_errors |
 bootlog: clear boot logs.
ros_errors ]
 exception: clear abnormal logs.
Example:
 memory_errors: clear memory errors.
Raisecom#clear
 ros_errors: clear errors.
exception
60
Raisecom

7 Raisecom#show Show cache configurations.
loadcfg
8 Raisecom#show tech- Show common system information, such as the CPU,
support memory, terminal connection status, and DDM.
9 Raisecom#show Show information about the semaphore on the
semaphore platform.
[ semaphore-id ]
10 Raisecom#show timer Show timer information.
[ timer-id ]
11 Raisecom#show Show time information on the platform.
twltimer [ timer-
level ]
 Restarting the ISCOM2600G series switch interrupts services, so use the

command with caution.
 Save configurations before restarting to avoid loss of configurations.
1.8 Task scheduling

1.8.1 Introduction
To use some commands periodically or at a specified time, configure task scheduling.
The ISCOM2600G series switch supports scheduling tasks by combining the program list
with command lines. You just need to specify the start time of the task, period, and end time
in the program list, and then bind the program list to command lines to implement the periodic
execution of command lines.
1.8.2 Configuring task scheduling

Configure task scheduling for the ISCOM2600G series switch as below.


61
Raisecom

2 Raisecom(config)#sc Create a scheduling list, and configure it.
hedule-list list-
 list-number: schedule number, an integer, ranging
number start date-
time { mm-dd-yyyy from 0 to 99
 start: time when schedule begins, start executing
hh:mm:ss [ every
{ day | week } stop certain command.
 stop: time when schedule ends, stop executing
mm-dd-yyyy
hh:mm:ss ] | every certain command.
 date-time: absolute time, start or end scheduling
days-interval time-
interval [ stop mm- when the system time is the same as the configured
dd-yyyy time.
 up-time: relative time, start timing after the system is
hh:mm:ss ] }
Raisecom(config)#sc started and start or end scheduling after a period of
hedule-list list- configured time.
 mm-dd-yyyy: date of absolute time in a format of
number start date-
time mm-dd-yyyy month-day-year, such as 01-02-2011.
 hh:mm:ss: time of absolute time in a format of hour-
hh:mm:ss every
weekday-list { fri minute-second, such as 23:01:10.
 days-after-startup: relative period, an integer,
| mon | off-day |
sta | sun | thu | ranging from 0 to 365, in units of day, it means that
tue | wed | after how long you can start or end scheduling since
working-day | the system is started.
 every: schedule period, the frequency of scheduling
weekday-list }
 day: once a day
Raisecom(config)#sc
 week: once a week
hedule-list list-
 days-interval: interval, an integer, ranging from 0 to
number start up–
time days-after- 365, in units of day, the frequency of scheduling
 time-interval: time interval, in form of hh:mm:ss,
startup hh:mm:ss
[ every days- perform scheduling every how many days and hours
 command: delete schedule information of specified
interval time-
interval [ stop commands from the schedule list. It means this
days-after-startup command is not used for scheduling. If you do not
hh:mm:ss ] ] choose this parameter, the entire schedule list will be
deleted.
 command-number: command number, an integer,
3 Raisecom(config)#co Bind the command line which needs periodical
mmand-string execution and supports the scheduling list to the
schedule-list list- scheduling list.
number
 command-string: command line character string
Example:
 list-number: schedule list number, an integer,
Raisecom(config)#cl
ear mac-address all ranging from 0 to 99
schedule-list 2

Use the following command to check configuration results.

62
Raisecom

1 Raisecom#show schedule-list Show configurations of the scheduling list.
[ list-number ]
1.9 Watchdog
1.9.1 Introduction
The external electromagnetic field interferes with the working of the Microcontroller Unit
(MCU), and causes program elapsing and endless loop; consequently the system fails to work
normally. To monitor the realtime running status of the MCU, a program is specially used,
which is commonly known as Watchdog.
The ISCOM2600G series switch will be restarted when it fails to work due to task suspension
or endless loop, and it neither sends signals to restart the waterdog timer.
Watchdog can prevent the system program from endless loop due to uncertain fault, thus
improving system stability.
Scenario
By configuring Watchdog, you can prevent the system program from endless loop due to
uncertain fault, thus improving system stability.
Prerequisite
N/A
1.9.3 Default configurations of Watchdog

Default configurations of Watchdog are as below.

Watchdog status Enable
1.9.4 Configuring Watchdog

Configure Watchdog for the ISCOM2600G series switch as below.

1 Raisecom#watchdog { enable | Enable or disable Watchdog.
disable }
 enable: enable Watchdog.
Example:
 disable: disable Watchdog.
Raisecom#watchdog enable

63
Raisecom

Use the following command to check configuration results.

1 Raisecom#show watchdog Show Watchdog status.
1.10 Configuring Banner

Scenario
Banner is a message to display when you log in to or exit the ISCOM2600G series switch,
such as the precautions or disclaimer.
You can configure the Banner of the ISCOM2600G series switch as required. In addition, the
ISCOM2600G series switch provides the Banner switch. After Banner display is enabled, the
configured Banner information appears when you log in to or exit the ISCOM2600G series
switch.
After configuring Banner, use the write command to save configurations. Otherwise, Banner
information will be lost when the ISCOM2600G series switch is restarted.
Prerequisite
N/A
1.10.2 Configuring Banner

Configure Banner for the ISCOM2600G series switch as below.

2 Raisecom(config)#banner Configure the Banner contents. Enter the
login w Press Enter. banner login and w, press Enter, enter the
message w Banner contents, and then end with the w
Example: character.
Raisecom(config)#banner
 w: a character with the length of 1. It is the
login @
Enter text message beginning and end marker of the Banner
followed by the character contents. These 2 marks must be the
'@' to finish.User can identical character. We recommend
stop configuration by selecting the specified character that will not
inputing 'Ctrl+c'; occur at the message.
 message: Banner contents. Up to 2560
Welcome To Raisecom @
characters are supported.

64
Raisecom

3 Raisecom(config)#clear (Optional) clear contents of the Banner.
banner login
1.10.3 Enabling Banner display

Enable Banner display for the ISCOM2600G series switch as below.

2 Raisecom(config)#banner Enable or disable Banner display.
Example: By default, Banner display is disabled.
Raisecom(config)#banner enable  enable: enable Banner display.
 disable: disable Banner display.

Use the following commands to check configurations.

1 Raisecom#show Show Banner status and contents of the configured Banner.
banner login

65
Raisecom
ISCOM2600G (A) Series Configuration Guide (CLI) 2 Ethernet
2 Ethernet
This chapter describes basic principles and configuration procedures for Ethernet, and
provides related configuration examples, including the following sections:
 MAC address table
 VLAN
 PVLAN
 QinQ
 VLAN mapping
 STP/RSTP
 MSTP
 Loop detection
 Interface protection
 Port mirroring
 L2CP
 Voice VLAN
 GARP/GVRP
2.1 MAC address table

2.1.1 Introduction
The MAC address table records mappings between MAC addresses and interfaces. It is the
basis for an Ethernet device to forward packets. When the Ethernet device forwards packets
on Layer 2, it searches the MAC address table for the forwarding interface, implements
expedited forwarding of packets, and reduces broadcast traffic.
The MAC address table contains the following information:
 Destination MAC address
 Destination MAC address related interface ID
 Interface VLAN ID
 Flag bits

66
Raisecom
The ISCOM2600G series switch supports showing MAC address information by device,
interface, or VLAN.
Forwarding modes of MAC addresses

When forwarding packets, based on the information about MAC addresses, the ISCOM2600G
series switch adopts the following modes:
 Unicast: when a MAC address entry, related to the destination MAC address of a packet,
is listed in the MAC address table, the ISCOM2600G series switch will directly forward
the packet to the receiving interface through the egress interface of the MAC address
entry. If the entry is not listed, the ISCOM2600G series switch broadcasts the packet to
all interfaces except the receiving interface, as shown in Figure 2-1.
Figure 2-1 Forwarding packets according to the MAC address table
 Multicast: when the ISCOM2600G series switch receives a packet of which the
destination MAC address is a multicast address, it will broadcast the packet. If multicast
is enabled and storm control over unknown packets is also enabled, the packet will be
sent to the specified Report interface. If no Report interface is specified, the packet will
be discarded.
 Broadcast: when the ISCOM2600G series switch receives an all-F packet, or the MAC
address is not listed in the MAC address table, the ISCOM2600G series switch forwards
the packet to all interfaces except the interface that receives this packet. Broadcast
addresses are special multicast addresses.
Classification of MAC addresses

MAC address table is divided into static address entry and dynamic address entry.
 Static MAC address entry: also called permanent address, added and removed by the
user manually, not aged with time. For a network with small changes of devices, adding
67
Raisecom
static address entry manually can reduce the network broadcast flow, improve the
security of the interface, and prevent entries from being lost after the system is reset.
 Dynamic MAC address entry: the ISCOM2600G series switch can add dynamic MAC
address entries through MAC address learning. The entries are aged according to the
configured aging time, and will be empty after the system is reset.
Aging time of MAC addresses

There is limit on the capacity of the MAC address table on the ISCOM2600G series switch.
To maximize the use of the MAC address table, the ISCOM2600G series switch uses the
aging mechanism to update the MAC address table. For example, when the ISCOM2600G
series switch creates a dynamic entry, it starts the aging timer. If it does not receive packets
from the MAC address in the entry during the aging time, the ISCOM2600G series switch
will delete the entry.
The ISCOM2600G series switch supports automatic aging of MAC addresses. The aging time
ranges from 10s to 1000000s and can be 0. The value 0 indicates no aging.
The aging mechanism takes effect on dynamic MAC addresses.
Forwarding policies of MAC addresses

The MAC address table has two forwarding policies:
When receiving packets on an interface, the ISCOM2600G series switch searches the MAC
address table for the interface related to the destination MAC address of packets.
 If successful, it forwards packets on the related interface, records the source MAC
addresses of packets, interface ID of ingress packets, and VLAN ID in the MAC address
table. If packets from other interface are sent to the MAC address, the ISCOM2600G
series switch can send them to the related interface.
 If failed, it broadcasts packets to all interfaces except the source interface, and records
the source MAC address in the MAC address table.
MAC address limit

The MAC address limit is used to limit the number of MAC addresses, avoid extending the
searching time of forwarding entry caused by a too large MAC address table and degrading
the forwarding performance of the Ethernet switch, and it is effective to manage the MAC
address table.
The MAC address limit improves the speed of forwarding packets.
Scenario
Configure the static MAC address table in the following situations:
 The static MAC address can be configured for a fixed server, special persons (manager,
financial staff), fixed and important hosts to ensure that all data flow forwarding to these
MAC addresses are forwarded from static MAC address related interface in priority.

68
Raisecom
 For the interface with fixed static MAC address, you can disable MAC address learning
to avoid other hosts visiting LAN data from the interface.
Configure the aging time of dynamic MAC addresses to avoid saving excessive MAC address
entries in the MAC address table and running out of MAC address table resources, and to
achieve aging of dynamic MAC addresses.
Prerequisite
N/A
2.1.3 Default configurations of MAC address table

Default configurations of the MAC address table are as below.

MAC address learning status Enable
MAC address aging time 300s
MAC address limit Unlimited
Suppression of MAC address flapping Disable
MAC address flapping alarm Disable
2.1.4 Configuring static MAC address

Configure static MAC address as below.

2 Raisecom(config)#mac-address Configure static unicast MAC
static unicast mac-address vlan addresses.
vlan-id interface-type
 mac-address: MAC address, in
interface-number
Example: dotted hexadecimal notation
Raisecom(config)#mac-address
static unicast 0001.0001.0001 ranging from 1 to 4094
vlan 1 gigaethernet 1/1/1
 interface-number: interface ID
The MAC address of the source device, multicast MAC address, FFFF.FFFF.FFFF,
and 0000.0000.0000 cannot be configured as static unicast MAC address.
2.1.5 Configuring blackhole MAC address

Configure blackhole MAC addresses as below.

69
Raisecom

2 Raisecom(config)#mac-address Configure blackhole MAC
blackhole mac-address vlan addresses.
vlan-id
Example:
Raisecom(config)#mac-address dotted hexadecimal notation
 vlan vlan-id: VLAN ID, an
blackhole 000e.5e12.3456 vlan 3
2.1.6 Filtering unknown multicast packets

Filter unknown multicast packets for the ISCOM2600G series switch as below.

2 Raisecom(config)#mac- (Optional) filter unknown multicast packets.
address multicast drop-
 reserved-address: contain reserved address.
unknown [ reserved-
 vlan-list: forward unregistered multicast
address | vlan vlan-
list ] packets within VLAN. The vlan-list is an
Example: integer ranging from 1 to 4094. It supports
Raisecom(config)#mac- specific values, such as "1,2,3"; it also
address multicast drop- supports a range, such as "1-3".
unknown reserved-address
2.1.7 Configuring static Layer 2 multicast

Configure static Layer 2 multicast for the ISCOM2600G series switch as below.

2 Raisecom(config)#interface Enter physical interface
interface-type interface-number configuration mode or VLAN
configuration mode. Take
physical interface configuration
mode for example.
3 Raisecom(config- Configure static Layer 2
gigaethernet1/1/*)#mac-address multicast.
static multicast mac-address vlan
vlan-id
2.1.8 Configuring MAC address learning

Configure MAC address learning for the ISCOM2600G series switch as below.

70
Raisecom

interface-type interface-number configuration mode.
Example:
 interface-number: in the form of
gigaethernet 1/1/1 unit/slot/port. The value range
depends on the interface type.
3 Raisecom(config- Enable or disable MAC address
gigaethernet1/1/por)#mac- learning.
address learning { enable |
 enable: enable MAC address
disable }
Example: learning on the physical interface.
 disable: disable MAC address
Raisecom(config-(config-
gigaethernet1/1/por)#mac- learning on the physical interface.
address learning enable
2.1.9 Configuring MAC address limit

Configure the MAC address limit for the ISCOM2600G series switch as below.

Example:
 interface-number: interface ID.
gigaethernet 1/1/1
The form and value range
depend on the interface type.
3 Raisecom(config- Configure interface-based MAC
gigaethernet1/1/*)#mac-address address limit.
threshold threshold-value
 threshold: threshold-value:
Example:
Raisecom(config- threshold of dynamic MAC
gigaethernet1/1/1)#mac-address address learning, an integer,
threshold 200 ranging from 1 to 16384
2.1.10 Configuring aging time of MAC addresses

Configure the aging time of MAC addresses for the ISCOM2600G series switch as below.


71
Raisecom

2 Raisecom(config)#mac-address Configure the aging time of MAC
aging-time { 0 | time } addresses.
Example:
 time: aging time, an integer, being
Raisecom(config)#mac-address
aging-time 600 0 or ranging from 10 to 1000000
among which 0 means no aging, in
units of second
2.1.11 Enabling suppression of MAC address flapping

Enable suppression of MAC address flapping for the ISCOM2600G series switch as below.

2 Raisecom(config)#mac- Enable or disable global suppression of
address move-restrain MAC address flapping.
 enable: enable global suppression of
Example:
Raisecom(config)#mac- MAC address flapping.
 disable: disable global suppression of
address move-restrain
enable MAC address flapping.
3 Raisecom(config)#mac- (Optional) enable MAC address flapping
address mac-move trap Trap.
enable


1 Raisecom#show mac-address { all | Show information about MAC
static | dynamic | blackhole | mac- address entries.
address } [ vlan vlan-id ]
[ interface-type interface-number |
vlan vlan-id ]]
2 Raisecom#show mac-address multicast Show Layer 2 multicast addresses
[ vlan vlan-id ] [ count ] or the number of existing
multicast MAC address.
3 Raisecom#show mac-address blackhole Show the blackhole MAC address.
4 Raisecom#show mac-address threshold Show the dynamic MAC address
[ interface-type interface-number | limit.
vlan vlan-list ]
5 Raisecom#show mac-address aging-time Show the aging time of dynamic
MAC addresses.

72
Raisecom

6 Raisecom#show mac-address learning Show status of MAC address
[ interface-type interface- learning.
list ][number | vlan ]
7 Raisecom#show mac-address count Show the number of MAC address
[ vlan vlan-id ] [ interface-type entries.
interface-number ]
9 Raisecom#show mac-address mac-move Show information about MAC
address flapping.
2.1.13 Maintenance
Command Description
Raisecom(config)#clear Clear MAC addresses.

mac-address [{ all |  all: Clear all MAC address entries.
mac-address ]{ all |  blackhole: clear blackhole MAC address entries.
dynamic | blackhole |  static: clear static MAC address entries.
static } [ vlan vlan-  mac-address: unicast MAC address, in dotted
id ] [ interface-type hexadecimal notation, such as "000E.5E12.3456"
interface-number ]  vlan vlan-id: VLAN ID, an integer, ranging from 1
Example: to 4094
Raisecom(config)#clear  interface-type: interface type
mac-address all  interface-number: interface ID. The form and value
range depend on the interface type.

Raisecom(config)#clear Clear dynamic MAC addresses.
mac-address { all |  dynamic: clear dynamic MAC address entries.
dynamic | static }  mac-address: unicast MAC address, in dotted
[[ mac-address ][ vlan hexadecimal notation, such as 000E.5E12.3456
vlan-id ] [ interface-  vlan vlan-id: VLAN ID, an integer, ranging from 1
type interface-number ] to 4094
Example:  interface-type: interface type
 interface-number: interface ID. The form and value
Raisecom(config)#clear
mac-address all range depend on the interface type.
gigaethernet 1/1/1dynamic
Raisecom(config)#search Search for a MAC address.

mac-address mac-address  mac-address: MAC address, in dotted hexadecimal
{ all | dynamic | notation
static } [ interface-type  all: queue all MAC address entries.
interface-number ] [ vlan  dynamic: queue dynamic MAC address entries.
vlan-id ]  dynamic: queue dynamic MAC address entries.
Example:  interface-type: interface type

 interface-number: interface ID. The form and value
Raisecom(config)#search
mac-address range depend on the interface type.
 vlan: query the MAC address entry of the specified
F04D.A22D.7805 all
VLAN.
 vlan-id: VLAN ID, an integer, ranging from 1 to
4094
73
Raisecom
2.1.14 Example for configuring MAC address table
As shown in Figure 2-2, configure Switch A as below:
 Configure a static unicast MAC address 0001.0203.0405 on GE 1/1/2 and configure its
VLAN to VLAN 10.
 Configure the aging time to 500s.
Figure 2-2 MAC networking
Configuration steps
Step 1 Create VLAN 10, and activate it, and add GE 1/1/2 to VLAN 10.
Raisecom#config
Raisecom(config)#create vlan 10 active
Raisecom(config)#interface gigaethernet 1/1/2
Raisecom(config-gigaethernet1/1/2)#switchport mode access
Raisecom(config-gigaethernet1/1/2)#switchport access vlan 10
Raisecom(config-gigaethernet1/1/2)#exit
Step 2 Configure a static unicast MAC address 0001.0203.0405 on GE 1/1/2, which belongs to
VLAN 10.
Raisecom(config)#mac-address static unicast 0001.0203.0405 vlan 10

gigaethernet 1/1/2
Step 3 Configure the aging time to 500s.

74
Raisecom
Raisecom(config)#mac-address aging-time 500
Checking results
Use the show mac-address to show configurations of MAC addresses.
Raisecom#show mac-address all gigaethernet 1/1/2
Aging time: 500 seconds
Mac Address Port Vlan/Vxlan Flag
--------------------------------------------------------------------
0001.0203.0405 gigaethernet1/1/2 10 static
2.2 VLAN
2.2.1 Introduction
Overview
Virtual Local Area Network (VLAN) is a protocol to solve Ethernet broadcast and security
problem. It is a Layer 2 isolation technique that partitions a LAN into different broadcast
domains logically rather than physically, and then the different broadcast domains can work as
virtual groups without any influence from one another. In terms of functions, VLAN has the
same features as LAN, but members in one VLAN can access one another without restriction
by physical location.
VLAN partitions
There are multiple ways of VLAN partitions, such as by interface, by MAC address, by IP
subnet, and by protocol, as shown in Figure 2-3.

75
Raisecom
Figure 2-3 VLAN partitions
VLAN technique can partition a physical LAN into different broadcast domains logically.
Hosts without intercommunication requirements can be isolated by VLAN, so VLAN
partitions improve network security, and reduce broadcast flow and broadcast storm.
The ISCOM2600G series switch complies with IEEE 802.1Q standard VLAN and supports
4094 concurrent VLANs.
 VLAN partitions by interface
The ISCOM2600G series switch supports VLAN partitions by interface. The ISCOM2600G
series switch has two interface modes: Access mode and Trunk mode. The method for
processing packets for the two modes is shown as below.
Table 2-1 Interface mode and packet processing

Interface Processing ingress packets Processing egress packets
type
Untagged Tagged packets
packets
 If the VLAN ID of the  If the VLAN ID of the
Access Add the
Access packet is equal to the packet is equal to the
VLAN Tag to Access VLAN ID, the Access VLAN ID, the
the packet. interface will receive the interface will remove the
packet. Tag and send the packet.
packet is not equal to the packet is excluded from the

Access VLAN ID, the list of VLANs of which
interface will discard the packets are allowed to pass
packet. by the interface, the
interface will discard the
packet.

76
Raisecom
Interface Processing ingress packets Processing egress packets

type
Untagged Tagged packets
packets
Trunk Add the
Native VLAN packet is included in the packet of the packet is
Tag to the list of VLANs of which equal to the Native VLAN
packet. packets are allowed to ID, the interface will
pass by the interface, the remove the Tag and send
interface will receive the the packet.
packet.  If the VLAN ID of the
 If the VLAN ID of the packet is not equal to the
packet is excluded from Native VLAN ID and the
the list of VLANs of interface allows packets of
which packets are the VLAN to pass, the
allowed to pass by the interface will keep the
interface, the interface original Tag and send the
will discard the packet. packet.
 VLAN partitions by MAC address

This refers to VLAN partitions by the source MAC address of the packet.
– When an interface receives an untagged packet, it matches the source MAC address
of the packet with the VLAN MAC addresses. If they are the same, the match is
successful. In this case, the interface adds the VLAN ID specified by VLAN MAC
addresses, and forwards the packet. If they are different, the interface continues to
match the packet with the IP address-based VLAN and interface-based VLAN in
descending order.
– When a tagged packet reaches an interface, if its VLAN ID is in the VLAN ID list
allowed to pass by the interface, the interface receives it. Otherwise, the interface
discards it.
 VLAN partitions by IP subnet
This refers to VLAN partitions by the source IP subnet of the packet.
– When an interface receives an untagged packet, it determines the VLAN of the
packet by the source IP subnet of the packet, and then transmits the packet in the
specified VLAN.
– When a tagged packet reaches an interface, if its VLAN ID is in the VLAN ID list
allowed to pass by the interface, the interface receives it. Otherwise, the interface
discards it.
 VLAN partitions by protocol
This refers to VLAN partitions by the protocol type carried in the packet received by the
interface and assigning different VLAN IDs for packets. The protocol VLAN is defined by the
protocol profile. One interface can be associated with multiple protocol profiles. After an
interface is associated with protocol VLANs, it will process packets as below:
 After receiving an untagged packet from an interface, the device adds the VLAN Tag of
the protocol VLAN defined by the protocol profile if the packet matches the protocol
profile, or adds the default VLAN Tag if the packet does not match the protocol profile.
 When receiving a tagged packet from an interface, the device receives the packet if the
VLAN ID is in the list of VLANs of which packets are allowed to pass by the interface,
77
Raisecom
or discards the packet if the VLAN ID is not in the list of VLANs of which packets are
allowed to pass by the interface.
Scenario
The main function of VLAN is to partition logic network segments. There are 2 typical
application modes:
 One kind is that in a small LAN several VLANs are created on a device, the hosts that
connect to the device are divided by VLAN. So hosts in the same VLAN can
communicate, but hosts between different VLANs cannot communicate. For example,
the financial department needs to be separated from other departments and they cannot
access each other. Generally, the interface to connect host is in Access mode.
 The other kind is that in bigger LAN or enterprise network multiple devices connect to
multiple hosts and the devices are cascaded, and data packets carry VLAN Tag for
forwarding. The interfaces in the same VLAN on multiple devices can communicate, but
the interfaces in different VLANs cannot communicate. This mode is used in enterprise
that has many employees and needs a large number of hosts, in the same department but
different position, the hosts in one department can access one another, so users have to
partition VLANs on multiple devices. Layer 3 devices, such as routers, are required if
users want to communicate among different VLANs. The cascaded interfaces among
devices are configured in Trunk mode.
When configuring the IP address for VLAN, you can associate a Layer 3 interface for it. Each
Layer 3 interface corresponds to one IP address and one VLAN.
Prerequisite
N/A
2.2.3 Default configurations of VLAN

Default configurations of VLAN are as below.

Create VLAN VLAN 1 and VLAN 4093
Active status of static VLAN Active
Interface mode Access
Access VLAN VLAN 1
Native VLAN of Trunk interface VLAN 1
Allowable VLAN in Trunk mode VLAN 1
Allowable untagged VLAN in Trunk mode VLAN 1
VLAN mapping table ID VLAN ID

78
Raisecom
2.2.4 Configuring VLAN attributes

Configure VLAN attributes for the ISCOM2600G series switch as below.

2 Raisecom(config)#create Create a VLAN.
vlan vlan-list active
Example: The command can also be used to create
Raisecom(config)#create VLANs in batches.
vlan 4 active  vlan-list: an integer ranging from 1 to 4094.
It supports specific values, such as "2,3,4"; it
also supports a range, such as "2-4".
3 Raisecom(config)#vlan Enter VLAN configuration mode.
vlan-id
Example:
vlan-id: VLAN ID, an integer, ranging from 1
Raisecom(config)#vlan 100 to 4094
4 Raisecom(config- (Optional) configure the VLAN name.
vlan)#name vlan-name
 vlan-name: VLAN name, a string of 1 to 32
Example:
Raisecom(config- characters
vlan)#name HR
 The VLAN created by the vlan vlan-id command is in active status.

 All configurations of VLAN do not take until the VLAN is activated.
2.2.5 Configuring interface mode

Configure the interface mode for the ISCOM2600G series switch as below.

2 Raisecom(config)#inter Enter physical interface configuration mode.
face interface-type
interface-number
 interface-number: interface ID. The form and
Example:
Raisecom(config)#inter value range depend on the interface type.
face gigaethernet
1/1/1
3 Raisecom(config- Configure the interface to Access or Trunk mode.
gigaethernet1/1/*)#swi
 access: configure the interface to Access mode.
tchport mode { access
 trunk: configure the interface to Trunk mode.
| trunk }
2.2.6 Configuring VLAN on Access interface

Configure the VLAN on the Access interface for the ISCOM2600G series switch as below.
79
Raisecom

2 Raisecom(config)#interfa Enter physical interface configuration mode, or
ce interface-type aggregation group configuration mode. Take
interface-number physical interface configuration mode for
Example: example.
Raisecom(config)#interfa
ce gigaethernet 1/1/1
3 Raisecom(config- Configure the interface to Access mode, and
gigaethernet1/1/*)#switc add the Access interface to the VLAN.
hport mode access
 vlan-id: VLAN ID, an integer, ranging from 1
Raisecom(config-
gigaethernet1/1/*)#switc to 4094
hport access vlan vlan-
id
Example:
Raisecom(config-
gigaethernet1/1/1)#switc
hport access vlan 100
4 Raisecom(config- (Optional) configure the VLAN allowed to pass
gigaethernet1/1/*)#switc by the Access interface.
hport access egress-
 all: the access interface allows all VLANs to
allowed vlan { all |
[ add | remove ] vlan- pass.
 vlan-list: VLAN list allowed to pass by the
list } [ confirm ]
Example: Access interface, an integer, ranging from 1 to
Raisecom(config- 4094. It supports specific values, such as
gigaethernet1/1/1)#switc "1,2,3"; it also supports a range, such as "1-3".
 confirm: confirmed
hport access egress-
 add: add VLANs which are allowed to pass
allowed vlan 100,200
through the interface to the old VLAN list.
 remove: delete VLANs which are allowed to
pass through the interface from the old VLAN

list.
 The interface allows Access VLAN packets to pass regardless of configuration for
VLAN allowed by the Access interface. The forwarded packets do not carry the
VLAN Tag.
 When configuring the Access VLAN, the system creates and activates a VLAN
automatically if you have not created and activated a VLAN in advance.
 If you delete the Access VLAN manually, the system will automatically configure
the interface Access VLAN as the default VLAN.
 When you configure the interface Access VLAN as the non-default Access VLAN,
the default Access VLAN 1 is the VLAN allowed by the Access the egress
interface, you can delete Access VLAN 1 from the allowed VLAN list of the egress
Access interface.
 If the configured Access VLAN is not the default VLAN and there is no default
VLAN in the allowed VLAN list of the Access interface, the interface does not
allow packets of the default VLAN to pass.

80
Raisecom
 The allowed VLAN list of the Access interface is effective to static VLANs only,
and ineffective to cluster VLAN, GVRP dynamic VLAN, and so on.
2.2.7 Configuring VLAN on Trunk interface

Configure the VLAN on the Trunk interface for the ISCOM2600G series switch as below.

interface-type interface-number mode, or aggregation group
Example: configuration mode. Take physical
Raisecom(config)#interface interface configuration mode for
gigaethernet 1/1/1 example.
3 Raisecom(config- Configure the interface to Trunk
gigaethernet1/1/*)#switchport mode.
mode trunk
4 Raisecom(config- Configure the Native VLAN of the
gigaethernet1/1/*)#switchport interface.
trunk native vlan vlan-id
Example:
Raisecom(config- ranging from 1 to 4094
gigaethernet1/1/1)#switchport
trunk native vlan 100
5 Raisecom(config- (Optional) configure VLANs allowed
gigaethernet1/1/*)#switchport to pass by the Trunk interface.
trunk allowed vlan { all |
 all: the access interface allows all
[ add | remove ] vlan-list }
[ confirm ] VLANs to pass.
 vlan-list: VLAN list allowed to pass
Example:
Raisecom(config- by the Access interface, an integer,
gigaethernet1/1/1)#switchport ranging from 1 to 4094. It supports
trunk allowed vlan 100,200 specific values, such as "1,2,3"; it
 add: add VLANs which are allowed
to pass through the interface to the

old VLAN list.
 remove: delete VLANs which are
allowed to pass through the interface

from the old VLAN list.

81
Raisecom

6 Raisecom(config- (Optional) configure VLANs from
gigaethernet1/1/*)#switchport which the Trunk interface can remove
trunk untagged vlan { all | Tag.
[ add | remove ] vlan-list }
 all: the access interface allows all
[ confirm ]
Example: VLANs to pass.
 vlan-list: VLAN list allowed to pass
Raisecom(config-
gigaethernet1/1/1)#switchport by the Access interface, an integer,
trunk untagged vlan 100,200 ranging from 1 to 4094. It supports
specific values, such as "1,2,3"; it
 add: add VLANs which are allowed
to pass through the interface to the

old VLAN list.
 remove: delete VLANs which are
allowed to pass through the interface

from the old VLAN list.
7 Raisecom(config- (Optional) configure the Tag attribute
gigaethernet1/1/*)#switchport of the Native VLAN egress interface
trunk native vlan { tagged | of the Trunk interface.
untagged }
 Tagged: the Tag attribute of the
Example:
Raisecom(config- egress interface is tagged.
 Untagged: the Tag attribute of the
trunk native vlan tagged egress interface is untagged.
 The system will create and activate the VLAN if no VLAN is created and activated
in advance when configuring the Native VLAN.
 The system configures the interface Trunk Native VLAN as default VLAN if you
have deleted or blocked Native VLAN manually.
 The interface allows incoming and outgoing VLAN packet allowed by the Trunk
interface. If the VLAN is Trunk untagged VLAN, the VLAN Tag is removed from the
packets at the egress interface. Otherwise the packets are not modified.
 When configuring Trunk untagged VLAN list, the system automatically adds all
untagged VLAN to the VLAN allowed by the Trunk interface.
 The VLAN list and untagged VLAN list allowed by the Trunk interface are only
effective to static VLAN, and ineffective for cluster VLAN, GVRP dynamic VLAN.
2.2.8 Configuring VLAN based on MAC address

Configure the VLAN based on MAC address for the ISCOM2600G series switch as below.


82
Raisecom

2 Raisecom(config)#mac-vlan mac- Associate a MAC address with a VLAN.
address [ mask mac-address-
 mac-address: MAC address, in dotted
mask ] vlan vlan-id [ priority
value ] hexadecimal notation
Example:
Raisecom(config)#mac-vlan from 1 to 4094
 mac-address-mask: MAC address
0001.0001.0001 vlan 2
mask, in dotted hexadecimal notation
 value: VLAN priority, an integer,
ranging from 0 to 7
number
Example:
gigaethernet 1/1/1 form and value range depend on the
interface type.
4 Raisecom(config- Enable or disable MAC-VLAN.
gigaethernet1/1/*)#mac-vlan
 enable: enable MAC-VLAN.
 disable: disable MAC-VLAN.
Example:
Raisecom(config-
gigaethernet1/1/1)#mac-vlan
enable
5 Raisecom(config- (Optional) configure priorities of MAC-
gigaethernet1/1/*)#vlan VLAN and IP subnet VLAN.
precedence { mac-vlan | ip-
 mac-vlan: high priority of MAC-based
subnet-vlan }
Example: VLAN
 ip-subnet-vlan: high priority of IP-
Raisecom(config-
gigaethernet1/1/1)#vlan based VLAN
precedence mac-vlan
 If the IP address or subnet mask is invalid, the configuration will fail.

 If you associate a created IP subnet to a VLAN but this association conflict with an
existing association (for example, the IP subnet or VLAN is already associated),
the association will fail.
2.2.9 Configuring VLAN based on IP subnet

Configure the VLAN based on IP subnet for the ISCOM2600G series switch as below.


83
Raisecom

2 Raisecom(config)#ip-subnet- Associate a MAC address with an IP
vlan ip-address [ ip-mask ] subnet.
vlan vlan-id [ priority
value ]
Example: decimal notation, such as "10.0.0.1"
 ip-mask: IP address mask, in dotted
Raisecom(config)#ip-subnet-
vlan 192.168.1.5 255.255.255.0 decimal notation, such as "255.0.0.0"
vlan 2
from 1 to 4094
 priority value: VLAN priority value, an

number
Example:
gigaethernet 1/1/1 form and value range depend on the
interface type.
4 Raisecom(config- Enable VLAN partitions based on IP
gigaethernet1/1/*)#ip-subnet- subnet.
vlan { enable | disable }
 enable: enable IP subnet-based VLAN
Example:
Raisecom(config- partitions.
 disable: disable IP subnet-based VLAN
gigaethernet1/1/1)#ip-subnet-
vlan enable partitions.
5 Raisecom(config- (Optional) configure priorities of MAC-
gigaethernet1/1/*)#vlan VLAN and IP subnet VLAN.
precedence { mac-vlan | ip-
 mac-vlan: high priority of MAC-based
subnet-vlan }
Example: VLAN
 ip-subnet-vlan: high priority of IP-
Raisecom(config-
gigaethernet1/1/1)#vlan based VLAN
precedence ip-subnet-vlan
 If the IP address or subnet mask is invalid, the configuration will fail.

 If you associate a created IP subnet to a VLAN but this association conflict with an
existing association (for example, the IP subnet is associated with different
VLANs), the association will fail.
2.2.10 Configuring VLAN based on protocol

Configure the VLAN based on protocol for the ISCOM2600G series switch as below.


84
Raisecom

2 Raisecom(config)#protocol- Configure the rule for associating the
vlan protocol-index { ipv4 protocol VLAN with Ethernet packets.
| ipv6 | ethertype
 protocol-index: protocol template index,
protocol-id }
Example: an integer, ranging from 1 to 16
 ethertype protocol-id: support the
Raisecom(config)#protocol-
vlan 1 ipv4 associated Ethernet packet protocol ID, an
integer, ranging from 0x600–ffff
(excluding 800, 809b, 8137, and 86dd)
number
Example:
4 Raisecom(config- Configure the rule for associating the
gigaethernet1/1/*)#switchpo interface with the protocol VLAN.
rt protocol-vlan protocol-
 vlan vlan-id: VLAN ID, an integer,
index vlan vlan-id
 protocol-index: protocol template index,
Raisecom(config-
gigaethernet1/1/1)#switchpo an integer, ranging from 1 to 16
rt protocol-vlan 1 vlan 100
2.2.11 Configuring VLAN filtering in egress direction

Configure VLAN filtering in the egress direction for the ISCOM2600G series switch as below.

2 Raisecom(config)#interface Enter physical interface configuration mode
interface-type interface- or aggregation group configuration mode.
number Take physical interface configuration mode
Example: for example.
gigaethernet 1/1/1
3 Raisecom(config- Configure VLAN filtering in the egress
gigaethernet1/1/*)#egress- direction. After VLAN filtering in the egress
filtering vlan vlan-list direction is configured in Layer 2 interface
Example: configuration mode, the device will discard
Raisecom(config- traffic of the VLAN in the egress direction.
gigaethernet1/1/1)# egress-  vlan-list: VLAN list. The vlan-list is an
filtering vlan 100 integer, ranging from 2 to 4094. It supports

specific values, such as "2,3,4"; it also
supports a range, such as "2-4".

85
Raisecom


1 Raisecom#show vlan [ vlan-list Show VLAN configurations.
| static | dynamic ] [ detail ]
2 Raisecom#show vlan precedence Show priorities of the MAC-VLAN and
IP subnet VLAN.
3 Raisecom#show mac-vlan [ mask | Show MAC VLAN configurations.
efficient ] { all | vlan vlan-
id }
4 Raisecom#show mac-vlan aging- Show the aging time of MAC VLANs.
time
5 Raisecom#show switchport Show configurations of switching on
interface interface-type the interface.
interface-number
6 Raisecom#show protocol-vlan all Show configurations of all protocol
VLANs.
7 Raisecom#show protocol-vlan Show configurations of the protocol
interface [ interface-type VLAN on the interface.
interface-number ]
8 Raisecom#show ip-subnet-vlan Show configurations of the IP subnet
{ all | vlan vlan-id } VLAN.
9 Raisecom#show egress-filtering Show configurations of VLAN filtering
in the egress direction.
2.2.13 Example for configuring VLAN
As shown in Figure 2-4, PC 1, PC 2, and PC 5 belong to VLAN 10, PC 3 and PC 4 belong to
VLAN 20; Switch A and Switch B are connected by the Trunk interface; PC 3 and PC 4
cannot communicate because VLAN 20 is not allowed to pass in the link; PC 1 and PC 2
under the same Switch B are enabled with interface protection function so that they cannot
communicate with each other, but can respectively communicate with PC 5.

86
Raisecom
Figure 2-4 VLAN and interface protection networking
Configuration steps
Step 1 Create VLAN 10 and VLAN 20 on the two switches respectively, and activate them.
Configure Switch A.
SwitchA#config
SwitchA(config)#create vlan 10,20 active
Configure Switch B.
SwitchB#config
SwitchB(config)#create vlan 10,20 active
Step 2 Add GE 1/1/2 and GE 1/1/3 in Access mode on Switch B to VLAN 10, add GE 1/1/4 as
Access mode to VLAN 20, configure GE 1/1/1 to Trunk mode, and allow VLAN 10 to pass.
SwitchB(config)#interface gigaethernet 1/1/2

SwitchB(config-gigaethernet1/1/2)#switchport mode access
SwitchB(config-gigaethernet1/1/2)#switchport access vlan 10
SwitchB(config-gigaethernet1/1/2)#exit

87
Raisecom

SwitchB(config-gigaethernet1/1/1)#switchport mode trunk
SwitchB(config-gigaethernet1/1/1)#switchport trunk allowed vlan 10
confirm
Step 3 Add GE 1/1/2 as Access mode on Switch A to VLAN 10, add GE 1/1/3 as Access mode to
VLAN 20, configure GE 1/1/1 to Trunk mode, and allow VLAN 10 to pass.
SwitchA(config)#interface gigaethernet 1/1/2

SwitchA(config-gigaethernet1/1/2)#switchport mode access
SwitchA(config-gigaethernet1/1/2)#switchport access vlan 10
SwitchA(config-gigaethernet1/1/2)#exit
SwitchA(config-gigaethernet1/1/3)#switchport mode trunk
SwitchA(config-gigaethernet1/1/3)#switchport trunk native vlan 20
SwitchA(config-gigaethernet1/1/1)#switchport trunk allowed vlan 10
confirm
Checking results
Use the show vlan command to show VLAN configurations.
Take Switch B for example.
SwitchB#show vlan
Switch Mode: --
VLAN Name State Status Priority Member-Ports
------------------------------------------------------------------------
1 Default active static -- gigaethernet1/1/1
10 VLAN0010 active static -- gigaethernet1/1/2
gigaethernet1/1/3
20 VLAN0020 active static -- gigaethernet1/1/4
Use the show switchport interface interface-type interface-number command to show

configurations of the interface VLAN.
Take Switch B for example.
SwitchB#show switchport interface gigaethernet 1/1/2

88
Raisecom
Interface: gigaethernet1/1/2
Switch Mode: switch
Reject frame type: none
Administrative Mode: access
Operational Mode: access
Access Mode VLAN: 10
Administrative Access Egress VLANs:
Operational Access Egress VLANs: 10
Trunk Native Mode VLAN: 1
Trunk Native VLAN: untagged
Administrative Trunk Allowed VLANs:
Operational Trunk Allowed VLANs: 1
Administrative Trunk Untagged VLANs:
Operational Trunk Untagged VLANs: 1
Administrative private-vlan host-association: 1
Administrative private-vlan mapping: 1
Operational private-vlan: --
Check whether the Trunk interface permitting VLAN passing is correct by making PC 1 ping
PC 5, PC 2 ping PC 5, and PC 3 ping PC 4.
 PC 1 can ping through PC 5, so VLAN 10 communication is normal.
 PC 2 can ping through PC 5, so VLAN 10 communication is normal.
 PC 3 fails to ping through PC 4, so VLAN 20 communication is abnormal.
2.3 PVLAN
2.3.1 Introduction
Private VLAN (PVLAN) provides Layer 2 isolation between interfaces in a VLAN, and it is
effective to distribute VLAN resources.
PVLAN type
VLANs are divided into two types: primary VLAN and secondary VLAN. The primary
VLAN and secondary VLAN form a PVLAN domain. The primary VLAN can communicate
both in and out of PVLANs, but the secondary VLAN can communicate in the PVLAN only.
 Primary VLAN: each PVLAN can be configured with only one primary VLAN.
Interface of all types in PVLAN are members of primary VLAN.
 Secondary VLAN: it can be divided into isolated VLAN and community VLAN
according to the different forwarding and isolation rules.
− Isolated VLAN: each PVLAN can be configured with only one isolated VLAN.
− Community VLAN: each PVLAN can be configured with multiple community
VLANs.
Interface modes of PVLAN

The interface to be able to communicate with the external network is called the Promiscuous
interface. The interface in the secondary VLAN is the Host interface.

89
Raisecom
 Promiscuous interface: it belongs to all PVLANs in the PVLAN domain. It can

communicate with all interfaces.
 Isolated interface: isolated interfaces cannot communicate with each other, but they can
communicate with the Promiscuous interface and Trunk interface.
 Community interface: community interfaces in a community can communicate with each
other, but community interfaces in different communities cannot communicate with each
other. All community interfaces can communicate with the Promiscuous interface and
Trunk interface.
2.3.2 Preparing for configuration
Scenario
PVLAN, used on an enterprise Intranet, allows devices inside the VPLAN to communicate
with the default gateway only rather than the Intranet.
Prerequisite
Create a static VLAN and activate it.
2.3.3 Default configurations of PVLAN

Default configurations of PVLAN are as below.

PVLAN mode on the interface Access mode
2.3.4 Configuring PVLAN type

Configure the PVLAN type for the ISCOM2600G series switch as below.

2 Raisecom(config)#private- Configure the PVLAN type.
vlan { primary vlan vlan-
 primary: primary VLAN type of a PVLAN
id | isolated vlan vlan-
 isolated: isolated VLAN of PVLAN
id | community
 vlan-id: VLAN ID, an integer, ranging from
vlan vlan-list }
Example: 2 to 4094
 vlan-list: VLAN list. The vlan-list is an
Raisecom(config)#private-
vlan primary vlan 3 integer, ranging from 2 to 4094. It supports
specific values, such as "2,3,4"; it also
 Up to 32 primary VLANs and 2048 secondary VLANs are allowed.

90
Raisecom
 If the VLAN is associated, its PVLAN type cannot be modified nor deleted.
2.3.5 Configuring PVLAN association

Configure PVLAN association for the ISCOM2600G series switch as below.

2 Raisecom(config)#priva Configure the PVLAN type.
te-vlan { primary vlan
 primary: primary VLAN type of a PVLAN
vlan-id | isolated
 isolated: isolated VLAN of PVLAN
vlan vlan-id |
community
vlan vlan-list } to 4094
 vlan-list: VLAN list. The vlan-list is an integer,
Example:
Raisecom(config)#priva ranging from 2 to 4094. It supports specific
te-vlan primary vlan 3 values, such as "2,3,4"; it also supports a range,
such as "2-4".
3 Raisecom(config)#priva Configuration association of the primary VLAN
te-vlan association and secondary VLANs.
primary-vlan-list
 primary-vlan-list: primary VLAN ID. The vlan-
[ add | remove ]
secondary-vlan-list list is an integer, ranging from 2 to 4094.
 secondary-vlan-list: secondary VLAN ID. The
Example:
Raisecom(config)#priva vlan-list is an integer, ranging from 2 to 4094.
 add: add secondary VLAN ID list.
te-vlan association 2
 remove: delete secondary VLAN ID list.
3
 Before configuring VLAN association, create a VLAN and activate it, configure
PVLAN type, configure the primary VLAN and secondary VLANs, and choose the
correct association type. Otherwise, VLAN association cannot be configured.
 The primary VLAN and secondary VLANs cannot be configured to the default
VLAN 1.
 A secondary VLAN can be added to only one PVLAN.
 A primary VLAN can be associated with only one isolated VLAN, or up to 64
secondary VLANs.
2.3.6 Configuring PVLAN mode on interface

The VLAN of the ISCOM2600G series switch supports Access and Trunk interface modes,
and the PVLAN supports promiscuous interface mode and host interface mode.
 The promiscuous interface mode and host interface mode can be configured with
association or mapping which already exists. Otherwise, the configuration will fail.
 When an interface is configured to the host interface mode or promiscuous
interface mode without being associated with or mapped to a primary VLAN or
secondary VLAN, the interface allows untagged packets to enter.

91
Raisecom
 IGMP runs on the primary VLAN only. The VLANs to data flow to pass in uplink
and downlink of PVLAN are different, so you cannot configure IGMP Snooping to
implement multicast; instead, you need to configure IGMP MVR.
Configure the PVLAN mode on the interface for the ISCOM2600G series switch as below.

number
Example:
3 Raisecom(config- Configure the PVLAN mode on the
gigaethernet1/1/*)#switchpo interface.
rt mode private-vlan
 host: host interface mode
{ host| promiscuous }
 promiscuous: promiscuous interface mode
Example:
Raisecom(config)#switchport
mode private-vlan host
4 Raisecom(config- Associate the primary VLAN of the host
gigaethernet1/1/*)#switchpo interface with the secondary VLAN.
rt private-vlan host-
association primary-vlan-id Use the no switchport private-vlan host-
secondary-vlan-id association command to delete the
Example: association between the primary VLAN of
Raisecom(config- the host interface with the secondary VLAN.
gigaethernet1/1/1)#switchpo  primary-vlan-id: primary VLAN ID. The
rt private-vlan host- vlan-list is an integer, ranging from 2 to
association 2 3 4094.
 secondary-vlan-id: secondary VLAN ID.
The vlan-list is an integer, ranging from 2

to 4094.
5 Raisecom(config- Configure the host interface associated with
gigaethernet1/1/*)#switchpo the secondary VLAN to be able to forward
rt private-vlan trunk host- tagged packets.
association secondary-vlan-
id Use the no switchport private-vlan trunk
Example: host-association command to delete this
Raisecom(config- configuration.
gigaethernet1/1/1)#switchpo  secondary-vlan-id: secondary VLAN ID.
rt private-vlan trunk host- The vlan-list is an integer ranging from 2
association 3 to 4094.

92
Raisecom

6 Raisecom(config- Configure the mapping of the primary
gigaethernet1/1/*)#switchpo VLAN and secondary VLANs on the
rt private-vlan mapping promiscuous interface.
primary-vlan-id [ add |
remove ] secondary-vlan-id Use the no switchport private-vlan
Example: mapping command to delete the association
Raisecom(config- between the primary VLAN of the
gigaethernet1/1/1)#switchpo promiscuous interface with the secondary
rt private-vlan mapping 2 3 VLAN.
 primary-vlan-id: primary VLAN ID. The
vlan-list is an integer, ranging from 2 to
4094.
 secondary-vlan-list: secondary VLAN ID.
The vlan-list is an integer, ranging from 2

to 4094.
7 Raisecom(config- Configure the interface mapped with the
gigaethernet1/1/*)#switchpo primary VLAN to be able to forward tagged
rt private-vlan trunk packets.
mapping primary-vlan-id
Example: Use the no switchport private-vlan trunk
Raisecom(config- mapping command to delete this
gigaethernet1/1/1)#switchpo configuration.
rt private-vlan trunk  primary-vlan-id: primary VLAN ID. The
mapping 2 vlan-list is an integer ranging from 2 to
4094.
2.3.7 Checking configuration


1 Raisecom#show vlan private-vlan [ vlan vlan-id ] Show PVLAN
[ type { primary | community | isolated } ] configurations.
2.3.8 Example for configuring PVLAN
To effectively distribute VLAN resources, you need to properly partition and configure
VLANs. As shown in Figure 2-5, on Switch A, configure VLAN 10 as the primary VLAN,
VLAN 20 as the isolated VLAN, and VLAN 30 as the community VLAN. The detailed
configurations are as below:
 Configure GE 1/1/1 and GE 1/1/2 as community interfaces. Associate primary VLAN 10
with secondary VLAN 30.
 Configure GE 1/1/3 and GE 1/1/4 as isolated interfaces. Associate primary VLAN 10
with secondary VLAN 20.

93
Raisecom
 Configure GE 1/1/5 as the promiscuous interface. Map PVLAN with VLAN 10, VLAN
20, and VLAN 30.
 Connect PC 1 and PC 2 to community interfaces GE 1/1/1 and GE 1/1/2 respectively,
and they can communicate with these two interfaces and the promiscuous interface GE
1/1/5.
 Connect PC 3 and PC 4 to isolated interfaces GE 1/1/3 and GE 1/1/4respectively, and
they can communicate with the promiscuous interface GE 1/1/5 only.
Figure 2-5 Networking with PVLAN
Configuration steps
Step 1 Configure the PVLAN type.
Raisecom#config
Raisecom(config)#create vlan 10,20,30 active
Raisecom(config)#private-vlan primary vlan 10
Raisecom(config)#private-vlan community vlan 30
Raisecom(config)#private-vlan isolated vlan 20
Raisecom(config)#private-vlan association 10 20,30
Step 2 Configure the promiscuous interface mode and mapping of the primary VLAN and secondary
VLAN on the promiscuous interface.

94
Raisecom

Raisecom(config-gigaethernet1/1/5)#switchport mode private-vlan
promiscuous
Raisecom(config-gigaethernet1/1/5)#switchport private-vlan mapping 10
20,30
Step 3 Configure the host interface mode and association of the primary VLAN with the secondary
VLAN on the host interface.
Configuration on GE 1/1/1 and GE 1/1/2, GE 1/1/3 and GE 1/1/4 are identical. Take GE 1/1/1
and GE 1/1/3 for example.

Raisecom(config-gigaethernet1/1/1)#switchport mode private-vlan host
Raisecom(config-gigaethernet1/1/1)#switchport private-vlan host-
association 10 30
Raisecom(config-gigaethernet1/1/3)#switchport mode private-vlan host
Raisecom(config-gigaethernet1/1/3)#switchport private-vlan host-
association 10 20
Checking results
Use the show vlan private-vlan command to show PVLAN configurations on the
Raisecom#show vlan private-vlan

VLAN ID: 10
Pvlan type: primary
Associated-isolated vlan: 20
Associated-community vlan: 30
Member Port-list:
gigaethernet1/1/1 gigaethernet1/1/3
gigaethernet1/1/5
Untag Port-list:
gigaethernet1/1/5
VLAN ID: 20
Pvlan type: isolated
Associated-primary vlan: 10
Member Port-list:
Untag Port-list:
VLAN ID: 30
Pvlan type: community

95
Raisecom
Associated-primary vlan: 10
Member Port-list:
Untag Port-list:
2.4 QinQ
2.4.1 Introduction
QinQ (also known as Stacked VLAN or Double VLAN) technique is an extension to 802.1Q
defined in IEEE 802.1ad standard.
Basic QinQ
Basic QinQ is a simple Layer 2 VPN tunnel technique, which encapsulates outer VLAN Tag
for user private network packets at carrier access end, then the packet with double VLAN Tag
traverse backbone network (public network) of the carrier. On the public network, packets are
transmitted according to outer VLAN Tag (namely, the public network VLAN Tag), the user
private network VALN Tag is transmitted as data in packets.
Figure 2-6 Principles of basic QinQ
Typical networking of basic QinQ is shown as Figure 2-6; the ISCOM2600G series switch is
the PE.
Packets are transmitted from the user device to the PE, and the VLAN ID of packet tag is 100.
Packet will be added with outer tag with VLAN 1000 when traversing from the PE device at
the network side interface to the carrier network.
Packets with the VLAN 1000 outer Tag are transmitted to PE device on the other side by the
carrier, and then the PE will remove the outer tag VLAN 1000 and send packets to the user
device. Now the packets return to carrying only one tag VLAN 100.
This technique can save public network VLAN ID resources. You can plan private network
VLAN ID to avoid conflict with public network VLAN ID.

96
Raisecom
Selective QinQ
Selective QinQ is an enhancement to basic QinQ, which classifies flow according to user data
features, then encapsulates different types flow into different outer VLAN Tags. This
technique is implemented through combination of interface and VLAN. Selective QinQ can
perform different actions on different VLAN Tags received by one interface and add different
outer VLAN IDs for different inner VLAN IDs. According to configured mapping rules for
inner and outer Tags, you can encapsulate different outer Tags for different inner tagged
packets.
Selective QinQ makes structure of the carrier network more flexible. You can classify
different terminal users on the access device interface by VLAN Tag and then, encapsulate
different outer Tags for users in different classes. On the public network, you can configure
QoS policy according to outer Tag and configure data transmission priority flexibly to make
users in different classes receive corresponding services.
Scenario
Basic QinQ configuration and selective QinQ configuration for the ISCOM2600G series
switch are based on different service requirements.
 Basic QinQ
With application of basic QinQ, you can add outer VLAN Tag to plan the private VLAN ID
freely to make the user device data at both ends of carrier network transparently transmitted
without conflicting with VLAN ID on the service provider network.
 Selective QinQ
Different from basic QinQ, outer VLAN Tag of selective QinQ can be selectable according to
different services. There are multiple services and different private VLAN ID on the user
network which are divided by adding different outer VLAN Tag for voice, video, and data
services, then implementing different distributaries and inner and outer VLAN mapping for
forwarding different services.
Prerequisite
 Connect the interface.
 Configure its physical parameters to make it Up.
 Create VLANs.
 Basic QinQ and 1:1 VLAN mapping can be concurrently configured. VLAN
mapping functions normally before or after basic QinQ is enabled.
 Selective QinQ and 1:1 VLAN mapping can be concurrently configured. When
they are concurrently configured, they function normally. They also function
normally when basic QinQ is enabled or disable. When one of them is disabled,
other configurations function normally.
 Basic QinQ, selective QinQ, and 2:2 VLAN mapping are mutually exclusive. When
selective QinQ and 1:1 VLAN mapping are configurrently configured, their
matching VLANs cannot be the same, and VLANs after mapping cannot be the
same.

97
Raisecom
2.4.3 Default configurations of QinQ

Default configurations of QinQ are as below.

Outer VLAN Tag TPID 0x8100
Basic QinQ status Disable
Selective QinQ status Disable
2.4.4 Configuring basic QinQ

Configure basic QinQ on the ingress interface for the ISCOM2600G series switch as below.

3 Raisecom(config- Enable basic QinQ on the interface.
gigaethernet1/1/*)#dot1q-tunnel The device supports this configuration
on the LAG interface or in ISF mode.
4 Raisecom(config- Configure basic QinQ, add double
gigaethernet1/1/*)#switchport Tags, and specify the PVID used by
qinq default-cvlan vlan-id the CVLAN and SVLAN.
Example:
 vlan-id: user VLAN ID, an integer,
Raisecom(config-
gigaethernet1/1/1)#switchport ranging from 1 to 4094
qinq default-cvlan 2
5 Raisecom(config- Configure the types of packets
gigaethernet1/1/*)#switchport disallowed to be forwarded.
reject-frame { tagged |
 tagged: packets with Tags
untagged }
 untagged: packets without Tags
Example:
Raisecom(config-
reject-frame tagged

98
Raisecom

6 Raisecom(config- Configure the TPID of the inner
gigaethernet1/1/*)#dot1q-tunnel VLAN Tag on the interface. It is used
tpid tpid identify the inner VLAN, or is used to
Example: identify the outer VLAN when QinQ is
Raisecom(config- enabled.
gigaethernet1/1/1)#dot1q-tunnel
 tpid: TPID, in hexadecimal notation,
tpid 9100
an integer, being 0x8100, 0x88a8, or
0x9100
7 Raisecom(config- Configure the trust mode of basic
gigaethernet1/1/*)#dot1q-tunnel QinQ to interface priority trust mode.
trust port-priority
Example:
Raisecom(config-
gigaethernet1/1/1)#dot1q-tunnel
trust port-priority
 To use basic QinQ functions on an interface, configure its attributes first by

configuring it to the Access or Trunk interface and configuring the default VLAN.
 When basic QinQ is enabled on the interface, all packets are processed as
untagged packets. If you configure the untagged packets to be discarded, tagged
packets are also discarded.
 VLAN mapping based on VLAN+CoS and VLAN mapping based on VLAN cannot
be concurrently configured.
2.4.5 Configuring selective QinQ

Configure selective QinQ on the ingress interface for the ISCOM2600G series switch as
below.

3 Raisecom(config- Configure the interface to discard
gigaethernet1/1/*)#switchport tagged packets that fail to match
vlan-mapping-miss discard selective QinQ or VLAN mapping
rules.

99
Raisecom

4 Raisecom(config- Configure EtherType selective QinQ,
gigaethernet1/1/*)#switchport and add mapping rules for Tag
vlan-mapping ethertype { arp | VLAN.
eapol | ip | ipv6 | loopback |
 arp: address resolution protocol
mpls | mpls-mcast | pppoe |
 eapol: EAPOL PAE/802.1x
pppoedisc | user-define
protocol-id | x25 | x75 } add- protocol
 ip: Internet protocol
outer outer-vlan-id
 ipv6: IPv6
Example:
 loopback: loop protocol
Raisecom(config-
 mpls: MPLS unicast protocol
 mpls-mcast: MPLS multicast
vlan-mapping ethertype arp add-
outer 2 protocol
 pppoe: PPPOE session protocol
 pppoedisc: PPPOE discovery
protocol
 x25: X.25 Layer 3 protocol
 x75: X.75 interconnection protocol
 user-define protocol id: user-defined
protocol number
 add-outer outer-vlan-id: ID of the
added outer VLAN, an integer,

5 Raisecom(config- (Optional) configure bidirectional
gigaethernet1/1/1)#switchport selective QinQ, and add outer VLAN
vlan-mapping both priority- rules. The device supports this
tagged translate vlan-id configuration on the LAG or in ISF
Raisecom(config- mode.
 vlan custom-vlan-list: customer
vlan-mapping both vlan custom-
vlan-id [cos cos-value ] add- VLAN list, an integer, ranging from
outer outer-vlan-id 1 to 4094
 cos cos-value: customer Tag CoS,
Raisecom(config-
gigaethernet1/1/1)#switchport an integer, ranging from 0 to 7
 add-outer outer-vlan-id: ID of the
vlan-mapping both untag add-
outer outer-vlan-id outer VLAN to be added, an
Example: integer, ranging from 1 to 4094
 translate vlan-id: ID of the inner
Raisecom(config-
gigaethernet1/1/1)#switchport VLAN Tag to be modified, an
vlan-mapping both priority- integer, ranging from 1 to 4094
 untag: without tags
tagged translate 10
 priority-tagged: match tagged
packets with priority
 Selection QinQ and 1:1 VLAN mapping can be concurrently configured on the
same interface.
 Double-tagged VLAN mapping cannot be concurrently configured with basic QinQ
or tagged CVLAN/Priority-tagged VLAN mapping on the same interface.

100
Raisecom
2.4.6 Configuring network-side interface to Trunk mode

Configure the network-side interface to Trunk mode for the ISCOM2600G series switch as
below.

3 Raisecom(config- Configure interface trunk mode, permit
gigaethernet1/1/*)#switchport double-tagged packet to pass.
mode trunk
2.4.7 Configuring TPID

Configure the TPID on the network side interface for the ISCOM2600G series switch as
below.

3 Raisecom(config- Configure the TPID of the outer
gigaethernet1/1/*)#tpid tpid VLAN Tag on the interface.
Example:
 tpid: TPID value, in dotted
Raisecom(config-
gigaethernet1/1/1)#tpid 9100 hexadecimal notation, an integer,
being 0x8100, 0x88a8, or 0x9100


1 Raisecom#show dot1q-tunnel Show configurations of basic QinQ.

101
Raisecom

2 Raisecom#show vlan-mapping both Show configurations of selective
interface interface-type QinQ.
interface-number
3 Raisecom#show vlan-mapping Show configurations of selective QinQ
interface interface-type of EtherType on the interface.
interface-number add-outer
2.4.9 Example for configuring basic QinQ
As shown in Figure 2-7, Switch A and Switch B are connected to two branches of Department
C, which are in different locations. Department C uses VLAN 100, and needs to communicate
through VLAN 1000 of the carrier network. The carrier TPID is 9100.
Configure basic QinQ on Switch A and Switch B to enable normal communication inside a
department through the carrier's network.
Figure 2-7 Basic QinQ networking
Configuration steps
Configure Switch A and Switch B.
Configurations of Switch A are the same with those of Switch B. Take Switch A for example.
Step 1 Create VLAN 100 and VLAN 1000, and activate them. TPID is 9100.

102
Raisecom
Raisecom#config
Raisecom(config)#create vlan 100,1000 active
Raisecom(config-gigaethernet1/1/1)#switchport mode trunk
Raisecom(config-gigaethernet1/1/1)#switchport trunk allowed vlan 1000
Raisecom(config-gigaethernet1/1/1)#tpid 9100
Step 2 Configure basic QinQ on the interface.

Raisecom(config-gigaethernet1/1/2)#switchport trunk native vlan 1000
Raisecom(config-gigaethernet1/1/2)#dot1q-tunnel
Raisecom(config-gigaethernet1/1/2)#switchport qinq 100
Checking results
Use the show dot1q-tunnel command to show QinQ configurations.
Raisecom#show dot1q-tunnel
Interface QinQ Status Outer TPID on port Cos override Vlan-
map-miss drop
--------------------------------------------------------
gigaethernet1/1/1 - 0x9100 - disable
gigaethernet1/1/2 Dot1q-tunnel 0x8100 - disable
2.4.10 Example for configuring selective QinQ
As shown in Figure 2-8, the carrier network contains common PC Internet access services and
IP phone services. PC Internet access services are assigned to VLAN 1000, and IP phone
services are assigned to VLAN 2000.
Configure Switch A and Switch B as below to make the user and server communicate through
the carrier network:
 Add outer Tag VLAN 1000 to VLAN 100 assigned to PC Internet access services.
 Add outer Tag 2000 to VLAN 200 for IP phone services.
 The carrier TPID is 9100.

103
Raisecom
Figure 2-8 Selective QinQ networking
Configuration steps
Configurations of Switch A are the same with those of Switch B. Take Switch A for example.
Step 1 Create and activate VLAN 100, VLAN 200, VLAN 1000, and VAN 2000. The TPID is 9100.
SwitchA#config
SwitchA(config)#create vlan 100,200,1000,2000 active
SwitchA(config-gigaethernet1/1/1)#switchport trunk allowed vlan 1000,2000
SwitchA(config-gigaethernet1/1/1)#tpid 9100
Step 2 Enable selective QinQ on GE 1/1/2.

SwitchA(config-gigaethernet1/1/2)#switchport trunk allowed vlan
100,200,1000,2000
SwitchA(config-gigaethernet1/1/2)#switchport vlan-mapping both vlan 100
add-outer 1000
SwitchA(config-gigaethernet1/1/2)#switchport vlan-mapping both vlan 200
add-outer 2000
Checking results
Use the following command to show configurations of selective QinQ.
Take Switch A for example.

104
Raisecom
SwitchA#show vlan-mapping both interface gigaethernet 1/1/2

Both Direction VLAN QinQ mapping rule:
Interface : GE1/1/2
Default cvlan: --
--------------------------------
Original Outer VLANs: --
Original Outer COS: --
Original Inner VLANs: 100
Original Inner COS: --
Vlan mapping Mode: S-ADD
New Outer-VID: 1000
New Outer-COS: --
New Inner-VID: --
New Inner-COS: --
---------------------------
Original Outer VLANs: --
Original Inner VLANs: 200
Vlan mapping Mode: S-ADD
New Outer-VID: 2000
New Outer-COS: --
New Inner-VID: --
New Inner-COS: --
---------------------------
2.5 VLAN mapping

2.5.1 Introduction
VLAN mapping is used to replace the private VLAN Tag of Ethernet packets with carrier's
VLAN Tag, making packets transmitted according to carrier's VLAN forwarding rules. When
packets are sent to the peer private network from the ISP network, the VLAN Tag is restored
to the original private VLAN Tag according to the same VLAN forwarding rules. Therefore
packets are correctly sent to the destination.
Figure 2-9 shows principles of VLAN mapping.
Figure 2-9 Principles of VLAN mapping

105
Raisecom
After receiving a user private network packet with a VLAN Tag, the ISCOM2600G series
switch matches the packet according to configured VLAN mapping rules. If successful, it
maps the packet according to configured VLAN mapping rules.
By supporting 1: 1 VLAN mapping, the ISCOM2600G series switch replaces the VLAN Tag
carried by a packet from a specified VLAN to the new VLAN Tag.
Different from QinQ, VLAN mapping does not encapsulate packets with multiple layers of
VLAN Tags, but needs to modify VLAN Tag so that packets are transmitted according to the
carrier's VLAN forwarding rule.
Scenario
Different from QinQ, VLAN mapping is used to change the VLAN Tag without encapsulating
multilayer VLAN Tag so that packets are transmitted according to the carrier's VLAN
mapping rules. VLAN mapping does not increase the frame length of the original packet. It
can be used in the following scenarios:
 A user service needs to be mapped to a carrier's VLAN ID.
 Multiple user services need to be mapped to a carrier's VLAN ID.
Prerequisite
 Create VLANs.
2.5.3 Default configurations of VLAN mapping

Default configurations of VLAN mapping are as below.

VLAN mapping status Disable
2.5.4 Configuring VLAN mapping

Configure VLAN mapping for the ISCOM2600G series switch as below.

Example:
gigaethernet 1/1/1
unit/slot/port. The value range

106
Raisecom

3 Raisecom(config- Configure the VLAN mapping rule
gigaethernet1/1/*)#switchport based on outer and inner VLAN
vlan-mapping both outer outer- Tag in both the ingress and egress
vlan-id translate outer-vlan-id directions of the interface.
Raisecom(config-
 outer-vlan-id: outer VLAN ID, an
gigaethernet1/1/*)#switchport
vlan-mapping both outer outer- integer, ranging from 1 to 4094
 inner-vlan-id: inner VLAN ID, an
vlan-id inner inner-vlan-id
translate outer outer-vlan-id integer, ranging from 1 to 4094
 cos-value: outer Tag CoS, an
inner inner-vlan-id
vlan-mapping both outer outer-
vlan-id cos cos-value translate
outer-vlan-id
Example:
Raisecom(config-
vlan-mapping both outer 50
translate 100
4 Raisecom(config- Configure the bidirectional N:1
gigaethernet1/1/*)#switchport VLAN mapping rule.
vlan-mapping both vlan-list
 vlan-list: customer VLAN list, an
translate vlan-id
Example: integer, ranging from 1 to 4094. It
Raisecom(config- supports specific values, such as
gigaehternet1/1/1)#switchport "1,2,3"; it also supports a range,
vlan-mapping both 5-10 translate such as "1-3".
 vlan-id: inner VLAN ID, an
100
 Basic QinQ and 1:1 VLAN mapping can be concurrently configured. VLAN
mapping functions normally before or after basic QinQ is enabled.
 Selective QinQ and 1:1 VLAN mapping can be concurrently configured. When
they are concurrently configured, they function normally. They also function
normally when basic QinQ is enabled or disable. When one of them is disabled,
other configurations function normally.
 Basic QinQ, selective QinQ, and 2:2 VLAN mapping are mutually exclusive. When
selective QinQ and 1:1 VLAN mapping are configurrently configured, their
matching VLANs cannot be the same, and VLANs after mapping cannot be the
same.
 To concurrently configure N:1 VLAN mapping and VLAN Copy, configure VLAN
Copy, and then configure N:1 VLAN mapping.


107
Raisecom

1 Raisecom#show vlan-mapping both interface Show configurations of
interface-type interface-number VLAN mapping.
2 Raisecom#show vlan-mapping interface Show configurations of
interface-type interface-number both N:1 VLAN mapping on
translate the interface.
2.5.6 Example for configuring VLAN mapping
Scenario
As shown in Figure 2-10, GE 1/1/2 and GE 1/1/3 on Switch A are connected to Department E
using VLAN 100 and Department F using VLAN 200; GE 1/1/2 and GE 1/1/3 on Switch A
are connected to Department C using VLAN 100 and Department D using VLAN 200. The
carrier's network uses VLAN 1000 to transmit services between Department E and
Department C and uses VLAN 2008 to transmit services between Department F and
Department D.
Configure 1:1 VLAN mapping between Switch A and Switch B to implement normal
communication inside each department.
Figure 2-10 VLAN mapping networking
Configuration steps
Configuration steps for Switch A and Switch B are the same. Take Switch A for example.

108
Raisecom
Step 1 Create VLANs 100, 200, 1000, and 2008, and activate them.
SwitchA#config
SwitchA(config)#create vlan 100,200,1000,2008 active
Step 2 Configure GE 1/1/1 to Trunk mode, allowing packets of VLAN 1000 and VLAN 2008 to pass.

SwitchA(config-gigaethernet1/1/1)#switchport trunk allowed vlan 1000,2008
confirm
Step 3 Configure GE 1/1/2 to Trunk mode, allowing packets of VLAN 100 to pass. Configure
VLAN mapping rules.

confirm
SwitchA(config-gigaethernet1/1/2)#switchport vlan-mapping both outer 100
translate 1000
Step 4 Configure GE 1/1/3 to Trunk mode, allowing packets of VLAN 200 to pass. Configure
VLAN mapping rules.

confirm
SwitchA(config-gigaethernet1/1/3)#switchport vlan-mapping bother outer
200 translate 2008
Checking results
Use the show vlan-mapping both interface command to show configurations of 1:1 VLAN
mapping.

Interface : GE 1/1/2

109
Raisecom
Default cvlan: --
---------------------------
Original Outer VLANs: 100
Original Inner VLANs: --
Vlan mapping Mode: S-TRANS
New Outer-VID: 1000
New Outer-COS: --
New Inner-VID: --
New Inner-COS: --
---------------------------

Interface : GE 1/1/3
Default cvlan: --
---------------------------
Original Outer VLANs: 200
Original Inner VLANs: --
Vlan mapping Mode: S-TRANS
New Outer-VID: 2008
New Outer-COS: --
New Inner-VID: --
New Inner-COS: --
---------------------------
2.6 STP/RSTP
2.6.1 Introduction
STP
With the increasing complexity of network structure and growing number of switches on the
network, the Ethernet network loops become the most prominent problem. Because of the
packet broadcast mechanism, a loop causes the network to generate storms, exhaust network
resources, and have serious impact to forwarding normal data. The network storm caused by
the loop is shown in Figure 2-11.

110
Raisecom
Figure 2-11 Network storm due to loopback
Spanning Tree Protocol (STP) is compliant to IEEE 802.1d standard and used to remove data
physical loop in data link layer in the LAN.
The ISCOM2600G series switch running STP can process Bridge Protocol Data Unit (BPDU)
with each other for the election of root switch and selection of root port and designated port. It
also can block loop interface on the ISCOM2600G series switch logically according to the
selection results, and finally trims the loop network structure to tree network structure without
loop which takes an ISCOM2600G series switch as root. This prevents the continuous
proliferation and limitless circulation of packet on the loop network from causing broadcast
storms and avoids declining packet processing capacity caused by receiving the same packets
repeatedly.
Figure 2-12 shows loop networking with STP.

111
Raisecom
Figure 2-12 Loop networking with STP
Although STP can eliminate loop network and prevent broadcast storm well, its shortcomings
are still gradually exposed with thorough application and development of network technology.
The major disadvantage of STP is the slow convergence speed.
RSTP
For improving the slow convergent speed of STP, IEEE 802.1w establishes Rapid Spanning
Tree Protocol (RSTP), which increases the mechanism to change interface blocking state to
forwarding state, speed up the topology convergence rate.
The purpose of STP/RSTP is to simplify a bridged LAN to a unitary spanning tree in logical
topology and to avoid broadcast storm.
The disadvantages of STP/RSTP are exposed with the rapid development of VLAN
technology. The unitary spanning tree simplified from STP/RSTP leads to the following
problems:
 The whole switching network has only one spanning tree, which will lead to longer
convergence time on a larger network.
 After a link is blocked, it does not carry traffic any more, causing waste of bandwidth.
 Packet of partial VLAN cannot be forwarded when network structure is unsymmetrical.
As shown in Figure 2-13, Switch B is the root switch; RSTP blocks the link between
Switch A and Switch C logically and makes that the VLAN 100 packet cannot be
transmitted and Switch A and Switch C cannot communicate.

112
Raisecom
Figure 2-13 Failure in forwarding VLAN packets due to RSTP
2.6.2 Preparation for configuration
Networking situation
In a big LAN, multiple devices are concatenated for accessing each other among hosts. They
need to be enabled with STP to avoid loop among them, MAC address learning fault, and
broadcast storm and network down caused by quick copy and transmission of data frame. STP
calculation can block one interface in a broken loop and ensure that there is only one path
from data flow to the destination host, which is also the best path.
Preconditions
N/A
2.6.3 Default configurations of STP

Default configurations of STP are as below.

Global STP status Disable
Interface STP status Enable
STP priority of device 32768
STP priority of interface 128
Path cost of interface 0
Max Age timer 20s
Hello Time timer 2s

113
Raisecom

Forward Delay timer 15s
2.6.4 Enabling STP

Enable STP for the ISCOM2600G series switch as below.

2 Raisecom(config)#spanning-tree Enable or disable global STP.
 enable: enable STP.
Example:
 disable: disable STP.
Raisecom(config)#spanning-tree
enable
3 Raisecom(config)#spanning-tree mode Configure spanning tree mode.
{ stp | rstp | mrstp }
 STP: the device is working in
Example:
Raisecom(config)#spanning-tree mode the global STP-compatible
stp mode.
 RSTP: the device is working in
the global RSTP mode.

 MRSTP: the device is working
in the global MRSTP mode.

interface-type interface-number configuration mode, or
Example: aggregation group configuration
Raisecom(config)#interface mode. Take physical interface
gigaethernet 1/1/1 configuration mode for example.
5 Raisecom(config- Enable interface STP.
gigaethernet1/1/*)#spanning-tree
 enable: enable STP.
 disable: disable STP.
Example:
Raisecom(config-
gigaethernet1/1/*)#spanning-tree
enable
2.6.5 Configuring STP parameters

Configure STP parameters for the ISCOM2600G series switch as below.


114
Raisecom

2 Raisecom(config)#spanning- (Optional) configure device priorities.
tree [ instance instance-
 instance-id: MSTI ID, an integer, ranging
id ] priority priority-value
 priority-value: priority. The system
Raisecom(config)#spanning-
tree instance 1 priority priority ranges from 0 to 61440 in step of
8192 4096, such as 0, 4096, and 8192. The
interface priority ranges from 0 to 240 in
step of 16, such as 0, 16, and 32.
3 Raisecom(config)#spanning- (Optional) configure the device as the root
tree [ instance instance- or backup device.
id ] root { primary |
 instance-id: MSTI number, an integer,
secondary }
 primary: configure the device as the
tree root primary primary root device.
 secondary: configure the device as the
backup root device.

4 Raisecom(config)#interface (Optional) configure interface priorities on
interface-type interface- the device.
number
Raisecom(config-
gigaethernet1/1/*)#spanning- from 0 to 4095
id ] priority priority-value priority ranges from 0 to 61440 in step of
Example: 4096, such as 0, 4096, and 8192. The
Raisecom(config- interface priority ranges from 0 to 240 in
gigaethernet1/1/1)#spanning- step of 16, such as 0, 16, and 32.
tree priority 64
5 Raisecom(config- (Optional) configure the path cost of the
gigaethernet1/1/*)#spanning- external interface on the device.
tree extern-path-cost cost
 cost: path cost value, an integer, ranging
Raisecom(config-
gigaethernet1/1/*)#exit from 0 to 200000000
Example:
Raisecom(config-
gigaethernet1/1/1)#spanning-
tree extern-path-cost 10
6 Raisecom(config- (Optional) configure the path cost of the
gigaethernet1/1/*)#spanning- internal interface on the device.
id ] inter-path-cost cost
 cost: path cost value, an integer, ranging
Raisecom(config-
gigaethernet1/1/1)#spanning- from 0 to 200000000
tree instance 1 inter-path-
cost 10
7 Raisecom(config)#spanning- (Optional) configure the value of Hello
tree hello-time period Time.
Example:
 period: interval for sending BPDUs, an
tree hello-time 3 integer, ranging from 1 to 10, in units of
second

115
Raisecom

8 Raisecom(config)#spanning- (Optional) configure the maximum
tree transmit-limit max-num transmission rate of the interface.
Example:
 max-num: maximum number of packets,
tree transmit-limit 10 an integer, ranging from 1 to 10
9 Raisecom(config)#spanning- (Optional) configure forward delay.
tree forward-delay period
 period: forward-delay period, an integer,
Example:
Raisecom(config)#spanning- ranging from 4 to 30, in units of second
tree forward-delay 10
10 Raisecom(config)#spanning- (Optional) configure the maximum age.
tree max-age period
 period: time value, an integer, ranging
Example:
from 6 to 40, in units of second
tree max-age 30
11 Raisecom(config)#spanning- (Optional) configure the standard for
tree pathcost-standard calculating path cost of the panning tree.
{ dot1d-1998 | dot1t }
 dot1d-1998: the standard for calculating
Example:
Raisecom(config)#spanning- path cost of the panning tree is dot1d-
tree pathcost-standard dot1t 1998.
 dot1t: the standard for calculating path
cost of the panning tree is dot1t.
2.6.6 Configuring edge interface

The edge interface indicates that the interface neither directly connects to any devices nor
indirectly connects to any device through the network.
The edge interface can change the interface status to forward quickly without any waiting
time. You had better configure the Ethernet interface connected to user client as edge interface
to make it quick to change to forward status.
The edge interface attribute depends on actual condition when it is in auto-detection mode;
the real port will change to false edge interface after receiving BPDU when it is in force-true
mode; when the interface is in force-false mode, whether it is true or false edge interface in
real operation, it will maintain the force-false mode until the configuration is changed.
By default, all interfaces on the ISCOM2600G series switch are configured in auto-detection
attribute.
Configure the edge interface for the ISCOM2600G series switch as below.


116
Raisecom

3 Raisecom(config- Configure attributes of the RSTP
gigaethernet1/1/*)#spanning-tree edge interface.
edged-port { auto | force-true |
 auto: automatically detect
force-false }
Example: whether it is an edge interface
 force-true: forced to be an edge
Raisecom(config-
gigaethernet1/1/1)#spanning-tree interface
 force-false: forced to be a non-
edged-port force-true
edge interface
2.6.7 Configuring link type

Two interfaces connected by a point-to-point link can quickly transit to forward status by
transmitting synchronization packets. By default, MSTP configures the link type of interfaces
according to duplex mode. The full duplex interface is considered as the point-to-point link,
and the half duplex interface is considered as the shared link.
You can manually configure the current Ethernet interface to connect to a point-to-point link,
but the system will fail if the link is not point to point. Generally, we recommend configuring
this item in auto status and the system will automatically detect whether the interface is
connected to a point-to-point link.
Configure the link type for the ISCOM2600G series switch as below.

interface-type interface- mode, or aggregation group configuration
number mode. Take physical interface
Example: configuration mode for example.
gigaethernet 1/1/1
3 Raisecom(config- Configure the link type for interface.
gigaethernet1/1/*)#spanning-
 auto: automatically detect whether the
tree link-type { auto |
point-to-point | shared } link connected to the interface is a point-
Example: to-point link.
 point-to-point: the link connected to the
Raisecom(config-
gigaethernet1/1/1)#spanning- current interface is a point-to-point link.
 shared: the link connected to the current
tree link-type point-to-
point interface is a shared link.

117
Raisecom
2.6.8 Configuring BPDU filtering

After being enabled with BPDU filtering, the edge interface does not send BPDUs nor process
received BPDUs.
Configure BPDU filtering for the ISCOM2600G series switch as below.

3 Raisecom(config- Enable or disable BPDU filtering
gigaethernet1/1/*)#spanning-tree on the edge interface.
edged-port bpdu-filter { enable |
 enable: enable the BPDU filter
disable }
Example: on the edge interface.
 disable: disable the BPDU filter
Raisecom(config-
gigaethernet1/1/1)#spanning-tree on the edge interface.
edged-port bpdu-filter enable
2.6.9 Configuring BPDU Guard

Generally, on a switch, interfaces are directly connected with terminals (such as a PC) or file
servers are configured to an edge interfaces. Therefore, these interfaces can be transferred
quickly.
In normal status, these edge interfaces will not receive BPDUs. If somebody attacks the
switch by forging the BPDU, the device will configure these edge interfaces to non-edge
interfaces when these edge interfaces receive the forged BPDU and re-perform spanning tree
calculation. This may cause network vibration.
BPDU Guard provided by MSTP can prevent this attack. After BPDU Guard is enabled, edge
interfaces can avoid attack from forged BPDUs.
After BPDU Guard is enabled, the device will shut down the edge interfaces if they receive
BPDUs and notify the NView NNM system of the case. The blocked edge interface is restored
only by the administrator through the CLI.

2 Raisecom(config)#spanning-tree Enable BPDU Guard.
bpduguard { enable | disable }
 enable: enable BPDU Guard.
Example:
 disable: disable BPDU Guard.
bpduguard enable

118
Raisecom

4 Raisecom(config- Manually restore interfaces that
gigaethernet1/1/*)#no spanning-tree are shut down by BPDU Guard.
bpduguard shutdown port
When the edge interface is enabled with BPDU filtering and the device is enabled
with BPDU Guard, BPDU Guard takes effect first. Therefore, an edge interface is
shut down if it receives a BPDU.


1 Raisecom#show spanning-tree Show basic configurations of
[ instance instance-id ] [ detail ] STP.
2 Raisecom#show spanning-tree Show configurations of the
[ instance instance-id ] interface- spanning tree on the interface.
type interface-list [ detail ]
2.6.11 Example for configuring STP
As shown in Figure 2-14, Switch A, Switch B, and Switch C form a ring network, so the loop
must be eliminated in the situation of a physical link forming a ring. Enable STP on them,
configure the priority of Switch A to 0, and path cost from Switch B to Switch A to 10.

119
Raisecom
Figure 2-14 STP networking
Configuration steps
Step 1 Enable STP on Switch A, Switch B, and Switch C.
Configure Switch A.
SwitchA#config
SwitchA(config)#spanning-tree enable
SwitchA(config)#spanning-tree mode stp
Configure Switch B.
SwitchB#config
SwitchB(config)#spanning-tree enable
SwitchB(config)#spanning-tree mode stp
Configure Switch C.
Raisecom#hostname SwitchC
SwitchC#config
SwitchC(config)#spanning-tree enable
SwitchC(config)#spanning-tree mode stp
Step 2 Configure interface modes on three switches.

Configure Switch A.


120
Raisecom

Configure Switch B.

Configure Switch C.
SwitchC(config)#interface gigaethernet 1/1/1

SwitchC(config-gigaethernet1/1/1)#switchport mode trunk
SwitchC(config-gigaethernet1/1/1)#exit
Step 3 Configure priority of spanning tree and interface path cost.

Configure Switch A.
SwitchA(config)#spanning-tree priority 0
SwitchA(config-gigaethernet1/1/2)#spanning-tree extern-path-cost 10
Configure Switch B.

SwitchB(config-gigaethernet1/1/1)#spanning-tree extern-path-cost 10
Checking results
Use the show spanning-tree command to show bridge status.
SwitchA#show spanning-tree

121
Raisecom
Spanning-tree admin state: enable

Spanning-tree protocol mode: STP
Spanning-tree pathcost-standard: Dot1t

BridgeId: Mac 000E.5EAB.CDEF Priority 0
Root: Mac 000E.5EAB.CDEF Priority 0 RootCost 0
Operational: HelloTime 2 ForwardDelay 15 MaxAge 20
Configured: HelloTime 2 ForwardDelay 15 MaxAge 20 TransmitLimit 3
MaxHops 20 Diameter 7
Use the show spanning-tree port-list port-list command to show interface status.
SwitchA#show spanning-tree gigaethernet 1/1/1

GE1/1/1
PortProtocolEnable: admin: enable oper: enable
Rootguard: disable
Loopguard: disable
Bpduguard: disable
TcRejection:disable
ExternPathCost:20000
Partner STP Mode: stp
Bpdus send: 48 (TCN<0> Config<48> RST<0> MST<0>)
Bpdus received:0 (TCN<0> Config<0> RST<0> MST<0>)
State:forwarding Role:designated Priority:128 Cost: 20000
Root: Mac 5051.5051.5053 Priority 0 RootCost 0
DesignatedBridge: Mac 5051.5051.5053 Priority 0 DesignatedPort
33041
2.7 MSTP
2.7.1 Introduction
Multiple Spanning Tree Protocol (MSTP) is defined by IEEE 802.1s. Recovering the
disadvantages of STP and RSTP, the MSTP implements fast convergence and distributes
different VLAN flow following its own path to provide an excellent load balancing
mechanism.
MSTP divides a switch network into multiple regions, called MST region. Each MST region
contains several spanning trees but the trees are independent from each other. Each spanning
tree is called a Multiple Spanning Tree Instance (MSTI).
MSTP protocol introduces Common Spanning Tree (CST) and Internal Spanning Tree (IST)
concepts. CST refers to taking MST region as a whole to calculate and generating a spanning
tree. IST refers to generating spanning tree in internal MST region.
Compared with STP and RSTP, MSTP also introduces total root (CIST Root) and region root
(MST Region Root) concepts. The total root is a global concept; all switches running
STP/RSTP/MSTP can have only one total root, which is the CIST Root. The region root is a
122
Raisecom
local concept, which is relative to an instance in a region. As shown in Figure 2-15, all
connected devices only have one total root, and the number of region root contained in each
region is associated with the number of instances.
Figure 2-15 Basic concepts of the MSTI network
There can be different MST instance in each MST region, which associates VLAN and MSTI
by configuring the VLAN mapping table (relationship table of VLAN and MSTI). The
concept sketch map of MSTI is shown in Figure 2-16.

123
Raisecom
Figure 2-16 MSTI concepts
Each VLAN can map to one MSTI; in other words, data of one VLAN can only be
transmitted in one MSTI but one MSTI may correspond to several VLANs.
Compared with STP and RSTP mentioned previously, MSTP has obvious advantages,
including cognitive ability of VLAN, load balancing, similar RSTP interface status switching,
and binding multiple VLAN to one MST instance, to reduce resource occupancy rate. In
addition, devices running MSTP on the network are also compatible with the devices running
STP and RSTP.

124
Raisecom
Figure 2-17 Networking with multiple spanning trees instances in MST region
Apply MSTP to the network as shown in Figure 2-17. After calculation, there are two
spanning trees generated at last (two MST instances):
 MSTI 1 takes B as the root switch, forwarding packet of VLAN 100.
 MSTI 2 takes F as the root switch, forwarding packet of VLAN 200.
In this case, all VLANs can communicate internally, different VLAN packets are forwarded in
different paths to share loading.
2.7.2 Preparation for configuration
Scenario
In a big LAN or residential region aggregation, the aggregation devices make up a ring for
link backup, avoiding loop and realizing load balancing. MSTP can select different and
unique forwarding paths for each one or a group of VLANs.
Prerequisite
N/A
2.7.3 Default configurations of MSTP

Default configurations of MSTP are as below.

125
Raisecom

Global MSTP status Disable
Interface MSTP status Enable
Maximum number of hops in the MST region 20
MSTP priority of the device 32768
MSTP priority of the interface 128
Path cost of the interface 0
Maximum number of packets sent within each Hello time 3

Max Age timer 20s
Hello Time timer 2s
Forward Delay timer 15s
Revision level of the MST region 0
2.7.4 Enabling MSTP

Enable MSTP for the ISCOM2600G series switch as below.

2 Raisecom(config)#spanning-tree mode Configure spanning tree for
mstp MSTP.
3 Raisecom(config)#spanning-tree Enable or disable global or
{ enable | disable } interface STP.
Example:
 enable: enable MSTP.
 disable: disable MSTP.
enable
5 Raisecom(config- Enable or disable interface STP.
gigaethernet1/1/*)#spanning-tree The device supports this
{ enable | disable } configuration on the LAG
Example: interface.
Raisecom(config-
 enable: enable MSTP.
gigaethernet1/1/1)#spanning-tree
 disable: disable MSTP.
enable

126
Raisecom
2.7.5 Configuring MST region and its maximum number of hops

You can configure region information about the ISCOM2600G series switch when it is
running in MSTP mode. The device MST region is determined by the region name, VLAN
mapping table and configuration of MSTP revision level. You can configure current device in
a specific MST region through following configuration.
The MST region scale is restricted by the maximum number of hops. Starting from the root
bridge of spanning tree in the region, the number of forwarding hops decreases by 1 when the
configuration message (BPDU) passes a device; the ISCOM2600G series switch discards the
configuration message whose number of hops is 0. The device exceeding the maximum
number of hops cannot join spanning tree calculation, so the MST region scale is restricted.
Configure MSTP region and its maximum number of hops for the ISCOM2600G series
switch as below.

2 Raisecom(config)#spanning-tree Enter MST region configuration mode.
region-configuration
3 Raisecom(config-region)#name Configure the MST region name.
name
 name: MST region name, a string of
Example:
Raisecom(config-region)#name 1 to 32 characters
mst1
4 Raisecom(config- Configure the revision level for the
region)#revision-level level MST region.
Example:
 level: revision level, an integer,
Raisecom(config-
region)#revision-level 20 ranging from 0 to 65535
5 Raisecom(config- Configure mapping from the MST
region)#instance instance-id region VLAN to instance.
vlan vlan-list
 instance-id: MSTI ID, an integer,
Raisecom(config-region)#exit
 vlan-list: VLAN list, an integer,
Raisecom(config-
region)#instance 1 vlan 100-200 ranging from 1 to 4094. It supports
specific values, such as "1,2,3"; it
While using the no form of this
command, the MSTI will be deleted
if the parameter is not configured; if
the parameter is configured, certain
VLAN corresponding to the MSTI
will be deleted.
6 Raisecom(config)#spanning-tree Configure the maximum number of
max-hops hops hops for the MST region.
Example:
 hops: maximum number of hops, an
max-hops 10 integer, ranging from 1 to 40

127
Raisecom
Only when the configured device is the region root can the configured maximum
number of hops be used as the maximum number of hops for MST region; other non-
region root cannot be configured this item.
2.7.6 Configuring root/backup bridge

Two methods for MSTP root selection are as below:
 To configure device priority and calculated by STP to confirm STP root bridge or backup
bridge
 To assign MSTP root directly by a command
When the root bridge has a fault or is powered off, the backup bridge can replace the root
bridge of related instance. In this case, if a new root bridge is assigned, the backup bridge will
not become the root bridge. If several backup bridges for a spanning tree are configured, once
the root bridge stops working, MSTP will choose the backup root with the lowest MAC
address as the new root bridge.
We do not recommend modifying the priority of any device on the network if you
directly assign the root bridge. Otherwise, the assigned root bridge or backup bridge
may be invalid.
Configure the root bridge or backup bridge for the ISCOM2600G series switch as below.

2 Raisecom(config)#spann Configure the ISCOM2600G series switch as the
ing-tree [ instance root bridge or backup bridge of a STP instance.
instance-id ] root
 instance-id: MSTI ID, an integer, ranging from 0
{ primary |
secondary } to 4095
 primary: configure the device as the primary root
Example:
Raisecom(config)#spann device.
 secondary: configure the device as the backup
ing-tree root primary
root device.
 You can confirm the effective instance of the root bridge or backup bridge through
the instance instance-id parameter. The current device will be assigned as the
root bridge or backup bridge of CIST if instance-id is 0 or the instance instance-id
parameter is omitted.
 The roots in device instances are mutually independent; in other words, they
cannot only be the root bridge or backup bridge of one instance, but also the root
bridge or backup bridge of other spanning tree instances. However, in a spanning
tree instance, a device cannot be used as the root bridge and backup bridge
concurrently.

128
Raisecom
 You cannot assign two or more root bridges for one spanning tree instance, but
can assign several backup bridges for one spanning tree. Generally, you had
better assign one root bridge and several backup bridges for a spanning tree.
2.7.7 Configuring interface priority and system priority

Whether the interface is elected as the root interface depends on interface priority. Under the
same condition, the interface with smaller priority will be elected as the root interface. An
interface may have different priorities and play different roles in different instances.
The Bridge ID determines whether the ISCOM2600G series switch can be elected as the root
of the spanning tree. Configuring smaller priority helps obtain smaller Bridge ID and
designate the ISCOM2600G series switch as the root. If priorities of two ISCOM2600G series
switch devices are identical, the ISCOM2600G series switch with lower MAC address will be
elected as the root.
Similar to configuring root and backup root, priority is mutually independent in different
instances. You can confirm priority instance through the instance instance-id parameter.
Configure bridge priority for CIST if instance-id is 0 or the instance instance-id parameter is
omitted.
Configure the interface priority and system priority for the ISCOM2600G series switch as
below.

gigaethernet 1/1/1
3 Raisecom(config- Configure the interface priority for a STP
gigaethernet1/1/*)#spanning- instance.
Raisecom(config- from 0 to 4095
gigaethernet1/1/*)#exit
Example: priority ranges from 0 to 61440 in step of
Raisecom(config- 4096, such as 0, 4096, and 8192. The
gigaethernet1/1/1)#spanning- interface priority ranges from 0 to 240 in
tree priority 64 step of 16, such as 0, 16, and 32.
4 Raisecom(config)#spanning- Configure the system priority for a STP
tree [ instance instance- instance.
Example:
Raisecom(config)#spanning- from 0 to 4095
tree instance 1 priority
8192 priority ranges from 0 to 61440 in step of
4096, such as 0, 4096, and 8192. The
interface priority ranges from 0 to 240 in
step of 16, such as 0, 16, and 32.

129
Raisecom
The value of priorities must be multiples of 4096, such as 0, 4096, and 8192. It is
32768 by default.
2.7.8 Configuring network diameter for switch network

The network diameter indicates the number of nodes on the path that has the most devices on
a switching network. In MSTP, the network diameter is valid only to CIST, and invalid to
MSTI instance. No matter how many nodes in a path in one region, it is considered as just one
node. Actually, network diameter should be defined as the region number in the path crossing
the most regions. The network diameter is 1 if there is only one region on the entire network.
The maximum number of hops of the MST region is used to measure the region scale, while
network diameter is a parameter to measure the whole network scale. The greater the network
diameter is, the larger the network scale is.
Similar to the maximum number of hops of the MST region, only when the ISCOM2600G
series switch is configured as the CIST root device can this configuration take effect. MSTP
will automatically configure the Hello Time, Forward Delay and Max Age parameters to a
privileged value through calculation when configuring the network diameter.
Configure the network diameter for the switching network as below.

2 Raisecom(config)#spanning-tree Configure the network diameter
bridge-diameter bridge-diameter- for the switching network.
value
 bridge-diameter-value: network
Example:
Raisecom(config)#spanning-tree diameter, an integer, ranging
bridge-diameter 5 from 2 to 7
2.7.9 Configuring internal path cost of interface

When selecting the root interface and designated interface, the smaller the interface path cost
is, the easier it is to be selected as the root interface or designated interface. Inner path costs
of interface are independently mutually in different instances. You can configure internal path
cost for instance through the instance instance-id parameter. Configure internal path cost of
interface for CIST if instance-id is 0 or the instance instance-id parameter is omitted.
By default, interface cost often depends on the physical features:
 10 Mbit/s: 2000000
 100 Mbit/s: 200000
 1000 Mbit/s: 20000
 10 Gbit/s: 2000
Configure the internal path cost for the ISCOM2600G series switch as below.

130
Raisecom

gigaethernet 1/1/1 example
3 Raisecom(config- Configure the internal path cost of the
gigaethernet1/1/*)#spanning-tree interface.
[ instance instance-id ] inter-
 instance-id: MSTI ID, an integer,
path-cost cost
 cost: path cost value, an integer,
Raisecom(config-
gigaethernet1/1/1)#spanning-tree ranging from 0 to 200000000
instance 1 inter-path-cost 10
2.7.10 Configuring external path cost of interface

The external path cost is the cost from the device to the CIST root, which is equal in the same
region.
Configure the external path cost for the ISCOM2600G series switch as below.

3 Raisecom(config- Configure the external path cost of
gigaethernet1/1/*)#spanning-tree the interface.
extern-path-cost cost
 cost: path cost value, an integer,
Example:
extern-path-cost 10
2.7.11 Configuring maximum transmission rate on interface

The maximum transmission rate on an interface means the maximum number of transmitted
BPDUs allowed by MSTP in each Hello Time. This parameter is a relative value and of no
unit. The greater the parameter is configured, the more packets are allowed to be transmitted

131
Raisecom
in a Hello Time, the more device resources it takes up. Similar with the time parameter, only
the configurations on the root device can take effect.
Configure the maximum transmission rate on the interface for the ISCOM2600G series switch
as below.

2 Raisecom(config)#spanning- Configure the maximum transmission rate
tree transmit-limit max-num on the interface.
Example:
 max-num: maximum number of packets,
tree transmit-limit 10 an integer, ranging from 1 to 10
2.7.12 Configuring MSTP timer

 Hello Time: the interval for the ISCOM2600G series switch to send BPDUs. It is used to
detect whether a link fails on the ISCOM2600G series switch. The ISCOM2600G series
switch sends Hello packets to other devices around in the Hello time to check if there is
fault in the link. The default value is 2s. You can adjust the interval value according to
network conditions. Reduce the interval when network link changes frequently to
enhance the stability of STP. However, increasing the interval reduces CPU utilization
rate for STP.
 Forward Delay: the time parameter to ensure the safe transit of device status. Link fault
causes the network to recalculate spanning tree, but the new configuration message
recalculated cannot be transmitted to the whole network immediately. There may be
temporary loop if the new root interface and designated interface start transmitting data
at once. This protocol adopts status remove system: before the root interface and
designated interface starts forwarding data, it needs a medium status (learning status);
after delay for the interval of Forward Delay, it enters forwarding status. The delay
guarantees the new configuration message to be transmitted through whole network. You
can adjust the delay according to actual condition; in other words, reduce it when
network topology changes infrequently and increase it under opposite conditions.
 Max Age: the bridge configurations used by STP have a life time that is used to judge
whether the configurations are outdated. The ISCOM2600G series switch will discard
outdated configurations and STP will recalculate spanning tree. The default value is 20s.
Over short age may cause frequent recalculation of the spanning tree, while a too great
age value will make STP not adapt to network topology change timely.
All devices in the whole switching network adopt the three time parameters on CIST root
device, so only the root device configuration is valid.
Configure the MSTP timer for the ISCOM2600G series switch as below.

2 Raisecom(config)#spanning-tree Configure the Hello Time.
hello-time period
 period: interval for sending
Example:
Raisecom(config)#spanning-tree BPDUs, an integer, ranging from
hello-time 3 1 to 10, in units of second

132
Raisecom

3 Raisecom(config)#spanning-tree Configure the Forward Delay.
forward-delay period
 period: forward-delay period, an
Example:
Raisecom(config)#spanning-tree integer, ranging from 4 to 30, in
forward-delay 10 units of second
4 Raisecom(config)#spanning-tree Configure the Max Age.
max-age period
 period: time value, an integer,
Example:
Raisecom(config)#spanning-tree ranging from 6 to 40, in units of
max-age 30 second
2.7.13 Configuring edge interface

The edge interface indicates the interface neither directly connecting to any devices nor
indirectly connecting to any device through the network.
The edge interface can change the interface status to forward quickly without any waiting
time. You had better configure the Ethernet interface connected to user client as edge interface
to make it quick to change to forward status.
The edge interface attribute depends on actual condition when it is in auto-detection mode;
the real port will change to false edge interface after receiving BPDU when it is in force-true
mode; when the interface is in force-false mode, whether it is true or false edge interface in
real operation, it will maintain the force-false mode until the configuration is changed.
By default, all interfaces on the ISCOM2600G series switch are configured in auto-detection
attribute.
Configure the edge interface for the ISCOM2600G series switch as below.

 interface-type: interface ID
3 Raisecom(config- Configure attributes of the RSTP edge
gigaethernet1/1/*)#spanning- interface.
tree edged-port { auto | force-
 auto: automatically detect whether it
true | force-false }
Example: is an edge interface.
 force-true: forced to be an edge
Raisecom(config-
gigaethernet1/1/1)#spanning- interface
 force-false: forced to be a non-edge
tree edged-port force-true
interface

133
Raisecom
2.7.14 Configuring BPDU filtering

After being enabled with BPDU filtering, the edge interface does not send BPDU packets nor
process received BPDU packets.
Configure BPDU filtering for the ISCOM2600G series switch as below.

3 Raisecom(config- Enable BPDU filtering on the
gigaethernet1/1/*)#spanning-tree edge interface.
edged-port bpdu-filter { enable |
 enable: enable BPDU filtering
disable }
Example: on the edge interface.
 disable: disable BPDU filtering
Raisecom(config-
gigaethernet1/1/1)#spanning-tree on the edge interface.
edged-port bpdu-filter enable
2.7.15 Configuring BPDU Guard

On a switch, interfaces directly connected with non-switch devices, such as terminals (such as
a PC) or file servers, are configured as edge interfaces to implement fast transition of these
interfaces.
In normal status, these edge interfaces do not receive BPDUs. If forged BPDU attacks the
switch, the switch will configure these edge interfaces to non-edge interfaces when these edge
interfaces receive forged BPDUs and re-perform spanning tree calculation. This may cause
network vibration.
BPDU Guard provided by MSTP can prevent this type of attacks. After BPDU Guard is
enabled, edge interfaces can avoid attacks from forged BPDU packets.
After BPDU Guard is enabled, the switch will shut down the edge interfaces if they receive
BPDUs and notify the NView NNM system of the case. The blocked edge interface is restored
only by the administrator through the CLI.
Configure BPDU Guard for the ISCOM2600G series switch as below.


134
Raisecom

2 Raisecom(config)#spanning-tree Enable BPDU Guard.
bpduguard { enable | disable }
 enable: enable BPDU Guard on
Example:
Raisecom(config)#spanning-tree the ring interface.
 disable: disable BPDU Guard on
bpduguard enable
the ring interface.
4 Raisecom(config- Manually restore interfaces that
gigaethernet1/1/*)#no spanning- are shut down by BPDU Guard.
tree bpduguard shutdown port
When the edge interface is enabled with BPDU filtering and the device is enabled
with BPDU Guard, BPDU Guard takes effect first. Therefore, an edge interface is
shut down if it receives a BPDU.
2.7.16 Configuring STP/RSTP/MSTP mode switching

When STP is enabled, three spanning tree modes are supported as below:
 STP compatible mode: the ISCOM2600G series switch does not implement fast
switching from the replacement interface to the root interface and expedited forwarding
by a specified interface; instead it sends STP configuration BPDU and STP Topology
Change Notification (TCN) BPDU. After receiving MST BPDU, it discards
unidentifiable part.
 RSTP mode: the ISCOM2600G series switch implements fast switching from the
replacement interface to the root interface and expedited forwarding by a specified
interface. It sends RST BPDUs. After receiving MST BPDUs, it discards unidentifiable
part. If the peer device runs STP, the local interface is switched to STP compatible mode.
If the peer device runs MSTP, the local interface remains in RSTP mode.
 MSTP mode: the ISCOM2600G series switch sends MST BPDU. If the peer device runs
STP, the local interface is switched to STP compatible mode. If the peer device runs
MSTP, the local interface remains in RSTP mode, and process packets as external
information of region.
Configure the STP/RSTP/MSTP mode switching for the ISCOM2600G series switch as below.


135
Raisecom

2 Raisecom(config)#spanning-tree Configure the spanning tree mode.
mode { stp | rstp | mstp }
 STP: the device is working in global
Example:
Raisecom(config)#spanning-tree STP-compatible mode.
 RSTP: the device is working in
mode mstp
global RSTP mode.
 MRSTP: the device is working in
global MRSTP mode.

3 Raisecom(config- (Optional) forcibly configure the
gigaethernet1/1/*)#spanning- interface to MSTP mode.
tree mcheck
2.7.17 Configuring link type

Two interfaces connected by a point-to-point link can quickly transit to forward status by
transmitting synchronization packets. By default, MSTP configures the link type of interfaces
according to duplex mode. The full duplex interface is considered as the point-to-point link,
and the half duplex interface is considered as the shared link.
You can manually configure the current Ethernet interface to connect to a point-to-point link,
but the system will fail if the link is not point to point. Generally, we recommend configuring
this item in auto status and the system will automatically detect whether the interface is
connected to a point-to-point link.
Configure the link type for the ISCOM2600G series switch as below.

2 Raisecom(config)#interface Enter physical interface configuration mode,
gigaethernet 1/1/1
3 Raisecom(config- Configure the link type of the interface.
gigaethernet1/1/*)#spanning
 auto: automatically detect whether the link
-tree link-type { auto |
point-to-point | shared }
connected to the interface is a point-to-
Example: point link.
 point-to-point: the link connected to the
Raisecom(config-
gigaethernet1/1/1)#spanning current interface is a point-to-point link.
 shared: the link connected to the current
-tree link-type point-to-
point interface is a shared link.
2.7.18 Configuring root interface protection

The bridge will re-elect a root interface when it receives a packet with higher priority, which
influents network connectivity and also consumes CPU resource. For the MSTP network, if

136
Raisecom
someone sends BPDUs with higher priority, the network may become unstable due to
continuous election.
Generally, priority of each bridge has already been configured in network planning phase. The
nearer a bridge is to the edge, the lower the bridge priority is. So the downlink interface
cannot receive the packets higher than bridge priority unless under someone attacks. For these
interfaces, you can enable rootguard to refuse to process packets with priority higher than
bridge priority and block the interface for a period to prevent other attacks from attacking
sources and damaging the upper layer link.
Configure root interface protection for the ISCOM2600G series switch as below.

Example:
gigaethernet 1/1/1
3 Raisecom(config- Enable/Disable root interface
gigaethernet1/1/*)#spanning-tree protection.
rootguard { enable | disable }
Example:
Raisecom(config-
rootguard enable
2.7.19 Configuring interface loopguard

The spanning tree has two functions: loopguard and link backup. Loopguard requires carving
up the network topology into tree structure. There must be redundant links in the topology if
link backup is required. Spanning tree can avoid loop by blocking the redundant link and
enable link backup function by opening redundant link when the link breaks down.
The spanning tree module exchanges packets periodically, and the link has failed if it has not
received packet in a period. Then select a new link and enable backup interface. In actual
networking, the cause to failure in receiving packets may not link fault. In this case, enabling
the backup interface may lead to loop.
Loopguard is used to keep the original interface status when it cannot receive packet in a
period.
Loopguard and link backup are mutually exclusive; in other words, loopguard is
implemented on the cost of disabling link backup.
Configure interface loop protection for the ISCOM2600G series switch as below.


137
Raisecom

 interface-number: interface
3 Raisecom(config- Configure interface loopguard
gigaethernet1/1/*)#spanning-tree attributes.
loopguard { enable | disable }
Example:
Raisecom(config-
loopguard enable
2.7.20 Configuring TC packet suppression

When the topology of the user access network is changed, the forward address of the core
network will be updated. When the topology becomes unstable, it will affect the core network.
To avoid unstable topology, you can configure TC packet suppression on the interface. In this
case, after the interface receives a TC packet, it will not forward the TC packet to other
interfaces.
Configure TC packet suppression for the ISCOM2600G series switch as below.

3 Raisecom(config- Configure TC packet
gigaethernet1/1/*)#spanning-tree suppression.
tc-rejection { enable | disable }
 enable: enable TC packet
Example:
Raisecom(config- suppression.
 disable: disable TC packet
tc-rejection enable suppression.
2.7.21 Configuring TC protection

TC protection prevents BPDU attacks related to topology change, thus enhancing security of
the device and network.

138
Raisecom
 After TC protection is enabled, the device receives TC packets of which the number is
within the threshold in the Hello Time of STP, and discards TC packets beyond the
threshold in the Hello Time. The device recalculates the number of received TC packets
from the next Hello Time.
 After TC protection is disabled, the device will process all TC packets. When it is
attacked by massive TC packets, services may be interrupted, and the device may
malfunction due to too high CPU utilization.
Configure TC protection for the ISCOM2600G series switch as below.

2 Raisecom(config)#spanning-tree Configure the TC protection
tc_protection threshold threshold.
3 Raisecom(config)#spanning-tree Configure TC protection.
tc_protection { enable | disable }


1 Raisecom#show spanning-tree Show basic configurations of STP.
[ instance instance-id ] [ detail ]
2 Raisecom#show spanning-tree Show configurations of spanning
[ instance instance-id ] interface- tree on the interface.
type interface-list [ detail ]
3 Raisecom#show spanning-tree region- Show operation information about
operation the MST region.
4 Raisecom(config-region)#show Show configurations of the MST
spanning-tree region-configuration region.
5 Raisecom(config- Configure the interface to MSTP
gigaethernet1/1/*)#spanning-tree mode to check whether the peer
mcheck device supports MSTP.
2.7.23 Maintenance
Command Description
Raisecom(config-gigaethernet1/1/*)#spanning- Clear statistics about spanning
tree clear statistics tree on the interface.

139
Raisecom
2.7.24 Example for configuring MSTP
As shown in Figure 2-18, three ISCOM2600G series switch devices are connected to form a
ring network through MSTP, with the region name aaa. Switch B, connected with a PC,
belongs to VLAN 3. Switch C, connected with another PC, belongs to VLAN 4. Instant 3 is
associated with VLAN 3. Instant 4 is associated with VLAN 4. Configure the path cost of
instance 3 on Switch B so that packets of VLAN 3 and VLAN 4 are forwarded respectively in
two paths, which eliminates loops and implements load balancing.
Figure 2-18 MSTP networking
Configuration steps
Step 1 Create VLAN 3 and VLAN 4 on Switch A, Switch B, and switch C respectively, and activate
them.
Configure Switch A.
SwitchA#config
SwitchA(config)#create vlan 3,4 active
Configure Switch B.
SwitchB#config
SwitchB(config)#create vlan 3,4 active

140
Raisecom
Configure Switch C.
SwitchC#config
SwitchC(config)#create vlan 3,4 active
Step 2 Configure GE 1/1/1 and GE 1/1/2 on Switch A to allow packets of all VLAN to pass in Trunk
mode. Configure GE 1/1/1 and GE 1/1/2 on Switch B to allow packets of all VLANs to pass
in Trunk mode. Configure GE 1/1/1 and GE 1/1/2 on Switch C to allow packets of all VLANs
to pass in Trunk mode. Configure GE 1/1/3 and GE 1/3/4 on Switch B and Switch C to allow
packets of VLAN 3 and VLAN 4 to pass in Access mode.
Configure Switch A.

Configure Switch B.

Configure Switch C.

SwitchC(config-gigaethernet1/1/3)#switchport access vlan 3

141
Raisecom
SwitchC(config-gigaethernet1/1/4)#switchport access vlan 4
SwitchC(config-port)#exit
Step 3 Configure spanning tree mode of Switch A, Switch B, and Switch C to MSTP, and enable
STP. Enter MSTP configuration mode, and configure the region name to aaa and revision
version to 0. Map instance 3 to VLAN 3, and instance 4 to VLAN 4. Exist from MST
configuration mode.
Configure Switch A.
SwitchA(config)#spanning-tree mode mstp

SwitchA(config)#spanning-tree enable
SwitchA(config)#spanning-tree region-configuration
SwitchA(config-region)#name aaa
SwitchA(config-region)#revision-level 0
SwitchA(config-region)#instance 3 vlan 3
SwitchA(config-region)#instance 4 vlan 4
Configure Switch B.
SwitchB(config)#spanning-tree mode mstp

SwitchB(config)#spanning-tree enable
SwitchB(config)#spanning-tree region-configuration
SwitchB(config-region)#name aaa
SwitchB(config-region)#revision-level 0
SwitchB(config-region)#instance 3 vlan 3
SwitchB(config-region)#instance 4 vlan 4
SwitchB(config-region)#exit
Configure Switch C.
SwitchC(config)#spanning-tree mode mstp

SwitchC(config)#spanning-tree enable
SwitchC(config)#spanning-tree region-configuration
SwitchC(config-region)#name aaa
SwitchC(config-region)#revision-level 0
SwitchC(config-region)#instance 3 vlan 3
SwitchC(config-region)#instance 4 vlan 4
Step 4 Configure the internal path cost of GE 1/1/3 of spanning tree instance 3 to 500000 on Switch
B.

142
Raisecom
SwitchB(config-gigaethernet1/1/3)#spanning-tree instance 3 inter-path-

cost 500000
Checking results
Use the show spanning-tree region-operation command to show configurations of the MST
region.
SwitchA#show spanning-tree region-operation

Operational Information:
-----------------------------------------------
Name: aaa
Revision level: 0
Instances running: 3
Digest: 0X024E1CF7E14D5DBBD9F8E059D2C683AA
Instance Vlans Mapped
-------- ------------------------------
1-2,5-4094
3
4
Use the show spanning-tree instance 3 command to show basic information about spanning
tree instance 3.
SwitchA#show spanning-tree instance 3

Spanning-tree protocol mode: MSTP
MST ID: 3
-----------------------------------------------------------
BridgeId: Mac 5051.5051.5053 Priority 32768
RegionalRoot: Mac 5051.5051.5053 Priority 32768 InternalRootCost 0
Port PortState PortRole PathCost PortPriority LinkType
------------------------------------------------------------------
Use the show spanning-tree instance 4 command to show basic information about spanning
tree instance 4.
SwitchA#show spanning-tree instance 4

Spanning-tree protocol mode: MSTP

143
Raisecom
MST ID: 4
-----------------------------------------------------------
BridgeId: Mac 5051.5051.5053 Priority 32768
RegionalRoot: Mac 5051.5051.5053 Priority 32768 InternalRootCost 0
Port PortState PortRole PathCost PortPriority LinkType
2.8 Loop detection

2.8.1 Introduction
Loop detection can address the influence on network caused by a loop, providing the self-
detection, fault-tolerance, and robustness.
During loop detection, an interface enabled with loop detection periodically sends loop
detection packets (Hello packets). Under normal conditions, the edge interface should not
receive any loop detection packets because loop detection is applied to the edge interface.
However, if the edge interface receives a loop detection packet, it is believed that a loop
occurs on the network. There are two conditions that an edge interface receives a loop
detection packet: receiving a loop detection packet from itself or receiving a loop detection
packet from other devices, which can be told by comparing the MAC address of the device
and the MAC address carried in the packet.
Loop types
Common loop types include self-loop and inner loop.
As shown in Figure 2-19, Switch B and Switch C are connected to the user network.
 Self-loop: a user loop on the same Ethernet interface of the same device. User network B
has a loop, which forms self-loop on GE 1/1/2 on Switch B.
 Inner loop: a loop forming on different Ethernet interfaces of the same device. GE 1/1/1
and GE 1/1/3 on Switch C forms an inner loop with the user network A.
Figure 2-19 Loop detection networking

144
Raisecom
Principles for processing loops

The ISCOM2600G series switch processes loops as below:
 If the device sending the loop detection packet is the one receiving the packet but the
interface sending the packet and the interface receiving the packet are different, process
the interface with the smaller interface ID to eliminate the loop (inner loop).
 If the interface sending the packet and the interface receiving the packet are the same,
process the interface to eliminate the loop (self-loop).
In Figure 2-19, assume that both Switch B and Switch C connect user network interfaces
enabled with loop detection. The system processes loops for the three loop types as below:
 Self-loop: the interface sending the packet and the interface receiving the packet on
Switch B are the same, the configured loop detection action will be taken to eliminate the
loop on GE 1/1/2.
 Inner loop: Switch C receives the loop detection packets sent by it and the interface
sending the packet and the interface receiving the packet are the same, the configured
loop detection action will be taken to eliminate the loop on the interface with a bigger
interface ID, namely, GE 1/1/1.
Action for processing loops

The action for processing loops is the method for the ISCOM2600G series switch to use upon
loop detection. You can define different actions on the specified interface according to actual
situations, including:
 Block: block the interface and send a Trap.
 Trap-only: send Trap only.
 Shutdown: shut down the interface and send a Trap.
Loop detection modes

The loop detection mode is port mode.
When a loop occurs, the system blocks the interface and sends Trap in the loopback
processing mode of Block, or shuts down the physical interface and sends Trap information in
the loopback processing mode of shutdown.
If the loop detection processing mode is Trap-only, the ISCOM2600G series switch sends
Traps only.
Loop restoration
After an interface is blocked or shut down, you can configure it, such as no automatic
restoration and automatic restoration after a specified period.
 If an interface is configured as automatic restoration after a specified period, the system
will start loop detection after the period. If the loop disappears, the interface will be
restored. Otherwise, it will be kept in blocking or shutdown status.
 If an interface is configured as no automatic restoration, in other words, the automatic
restoration time is infinite, it will not be automatically restored.

145
Raisecom
Scenario
On the network, hosts or Layer 2 devices connected to access devices may form a loop
intentionally or involuntarily. Enable loop detection on downlink interfaces on all access
devices to avoid the network congestion generated by unlimited copies of data traffic. Once a
loopback is detected on an interface, the interface will be blocked.
Prerequisite
Loopback interface, interface backup, STP, and G.8032 affect each other. We do not
recommend configuring two or more of them concurrently.
2.8.3 Default configurations of loop detection

Default configurations of loop detection are as below.

Loop detection status Disable
Automatic recovery time for the blocked Infinite, namely, no automatic recovery
interface
Mode for processing detected loops trap-only
Loop detection period 4s
Loop detection mode port mode
2.8.4 Configuring loop detection
 Loop detection and STP are exclusive, so only one can be enabled at a time.
 Loop detection cannot be concurrently enabled on both two directly-connected
devices.
Configure loop detection based on interface+VLAN for the ISCOM2600G series switch as
below.

2 Raisecom(config)#inter Enter interface configuration mode.
face interface-type
interface-number
Example:
Raisecom(config)#inter The value range depends on the interface type.
face gigaethernet
1/1/1

146
Raisecom

3 Raisecom(config- Enable loop detection on the interface.
gigaethernet1/1/*)#loo Configure the VLAN for sending loop detection
pback-detection [ pkt- packets.
vlan { untag | vlan- (Optional) configure the period for sending Hello
id } ] [ hello-time packets.
second ] [ restore-time
second ] [ action { block (Optional) configure the time for automatically
| trap-only | shutdown | restoring the blocked interface due to loop
shutdown-restore } ] detection and the action for processing loops.
[ log-interval log-  untag: specify packets to not carry Tag.
interval time ]  vlan-id: VLAN ID, an integer, ranging from 1 to
4094
Example:  hello-time second: loop detection period, an
Raisecom(config- integer, ranging from 1 to 3600, in units of
gigaethernet1/1/1)#loo second
pback-detection pkt-  restore-time second: lLoop recovery time, an
vlan 5 hello-time 3 integer, ranging from 1 to 18000, in units of
restore-time 15 action second
block  block: send alarms and block the interface upon
detection of a loop. After the loop is eliminated,

the interface will be Up when the recovery time
elapses.
 trap-only: send alarms only upon detection of a
loop. After the loop is eliminated, the interface

will be Up when the recovery time elapses.
 shutdown: send alarms and shut down the
interface upon detection of a loop. After the loop

is eliminated, the interface will be Up when the
recovery time elapses.
 shutdown-restore: when a loop is detected, the
alarm information is sent and the interface is

closed. The restore time is calculated from the
detection of the loop. When the recovery time
elapses, the interface will be Up.
 log-interval time: log time interval, an integer,
ranging from 0 to 1440, in units of minute, with

the value 0 indicating no periodic report
4 Raisecom(config- Manually restore the interface blocked due to loop
gigaethernet1/1/*)#loo detection.
pback-detection manual
restore


1 Raisecom#show loopback-detection Show configurations and
[ interface-type interface-number ] status of loop detection.
[ detail ]

147
Raisecom
2.8.6 Maintenance
Use the following commands to maintain the ISCOM2600G series switch.
Command Description
Raisecom(config)#clear loopback- Clear statistics about loop detection.
detection statistic [ interface-type
interface-number ]
Example:
Raisecom(config)#clear loopback- unit/slot/port. The value range
detection statistic depends on the interface type.
2.8.7 Example for configuring inner loop detection
As shown in Figure 2-20, GE 1/1/2 and GE 1/1/3 on Switch A are connected to the user
network. To avoid loops on the user network, enable loop detection on Switch A to detect
loops on user network, and then take actions accordingly. Detailed requirements are as below:
 Enable loop detection on GE 1/1/2 and GE 1/1/3.
 Configure the interval for sending loop detection packets to 3s.
 Configure the VLAN for sending loop detection packets to VLAN 3.
 Configure the loop detection processing action to discarding, namely, sending Trap and
blocking the interface.
Figure 2-20 Loop detection networking

148
Raisecom
Configuration steps
Step 1 Create VLAN 3, and add interfaces to VLAN 3.
Raisecom#config
Step 2 Configure the VLAN for sending loop detection packets, action taken for detected loops, and
period for sending loop detection packets.

Raisecom(config-gigaethernet1/1/1)#loopback-detection pkt-vlan 3 hello-
time 3 action block
Raisecom(config-gigaethernet1/1/2)#loopback-detection pkt-vlan 3 hello-
time 3 action block
Checking results
Use the show loopback-detection command to show loop detection status. GE 1/1/1 is
already blocked because of its smaller interface ID, so the loop is eliminated.
Raisecom#show loopback-detection
Interface pktVlan detect-vlanlist hellotime restoretime loop-act
log-interval Status loop-srcMAC loop-srcPort loop-Duration loop-
vlanlist
-------------------------------------------------------------------------
-------------------------------------------------------------------------
-----------------
GE1/1/1 3 -- 3 15 block 0
yes 000E.5E55.0001 GE1/1/2 121 --
GE1/1/2 3 -- 3 15 block 0
no -- -- -- --

149
Raisecom
2.9 Interface protection

2.9.1 Introduction
With interface protection, you can add an interface, which needs to be controlled, to an
interface protection group, isolating Layer 2/Layer 3 data in the interface protection group.
This can provide physical isolation between interfaces, enhance network security, and provide
flexible networking scheme for users.
After being configured with interface protection, interfaces in an interface protection group
cannot transmit packets to each other. Interfaces in and out of the interface protection group
can communicate with each other. So do interfaces out of the interface protection group.
Scenario
Interface protection can implement mutual isolation of interfaces in the same VLAN, enhance
network security and provide flexible networking solutions for you.
Prerequisite
N/A
2.9.3 Default configurations of interface protection

Default configurations of interface protection are as below.

Interface protection status of each interface Disable
2.9.4 Configuring interface protection
Interface protection is unrelated with the VLAN to which the interface belongs.
Configure interface protection for the ISCOM2600G series switch as below.

2 Raisecom(config)#inter Enter physical interface configuration mode, or
face interface-type aggregation group configuration mode. Take
Example: example.
Raisecom(config)#inter
face gigaethernet
1/1/1

150
Raisecom

3 Raisecom(config- Enable interface protection. Interface isolation is
gigaethernet1/1/*)#swi supported across devices in the ISF. Interface
tchport protect isolation can be implemented based on LAG
interface, namely, between LAG interfaces, and
between a LAG interface and common interface.
2.9.5 Configuring interface isolation

Configure interface isolation for the ISCOM2600G series switch as below.

2 Raisecom(config)#protect- Create an interface isolation group. Configure
group group-id vlan vlan- isolation VLANs associated with the group
id interface-type and the list of isolated interfaces.
interface-number [ add |
 group-id: isolated group ID, an integer,
remove ]
 vlan-id: isolated VLAN associated with the
Raisecom(config)#protect-
group 1 vlan 1 isolated group, an integer, ranging from 1 to
gigaethernet 1/1/1 4094
unit/slot/port. The value range depends on

the interface type.
 add: add an isolated interface.
 remove: delete an isolated interface.


1 Raisecom#show switchport Show configurations of interface protection.
protect
2 Raisecom#show protect- Show configurations of interface isolation.
group { all | group-id }
2.9.7 Example for configuring interface protection
As shown in Figure 2-21, to prevent PC 1 and PC 2 from interconnecting with each other and
to enable them to interconnect with PC 3 respectively, enable interface protection on GE 1/1/1
and GE 1/1/2 on Switch A.

151
Raisecom
Figure 2-21 Interface protection networking
Configuration steps
Step 1 Enable interface protection on the GE 1/1/1.
Raisecom#config
Raisecom(config-gigaethernet1/1/1)#switchport protect
Step 2 Enable interface protection on the GE 1/1/2.

Raisecom(config-gigaethernet1/1/2)#switchport protect
Checking results
Use the show switchport protect command to show configurations of interface protection.
Raisecom#show switchport protect

Port Protected State
--------------------------
gigaethernet1/1/1 enable
gigaethernet1/1/2 enable
gigaethernet1/1/3 disable
……

152
Raisecom
Check whether PC 1 and PC 2 can ping PC 3 successfully.

 PC 1 can ping PC 3 successfully.
 PC 2 can ping PC 3 successfully.
Check whether PC 1 can ping PC 2 successfully.
PC 1 fails to ping PC 3, so interface protection has taken effect.
2.10 Port mirroring

2.10.1 Introduction
Port mirroring refers to mirroring some packets from a specified source port to the destination
port, namely, the monitor port, without affecting normal packet forwarding. You can monitor
the sending and receiving status of packets on a port through this function and analyze the
related network conditions.
Figure 2-22 Principles of port mirroring
Figure 2-22 shows principles of port mirroring. PC 1 is connected to the external network by
the GE 1/1/1; PC 3 is the monitor PC, connecting the external network by GE 1/1/2.
When monitoring packets from the PC 1, you need to assign GE 1/1/1 to connect to PC 1 as
the mirror source port, enable port mirroring on the ingress port and assign GE 1/1/2 as
monitor port to mirror packets to destination port.
When service packets from PC 1 enter the ISCOM2600G series switch, the ISCOM2600G
series switch will forward and copy them to monitor port (GE 1/1/2). The monitor device
connected to the monitor port can receive and analyze these mirrored packets.
The ISCOM2600G series switch supports traffic mirroring on the ingress port and egress port.
The packets on the ingress/egress mirroring port will be copied to the monitor port after the

153
Raisecom
switch is enabled with port mirroring. The monitor port and mirroring port cannot be the same
one.
Scenario
Port mirroring is used to monitor the type and flow of network data regularly for the network
administrator.
Port mirroring copies the port flow monitored to a monitor port or CPU to obtain the
ingress/egress port failure or abnormal flow of data for analysis, discovers the root cause, and
solves them timely.
Prerequisite
N/A
2.10.3 Default configurations of port mirroring

Default configurations of port mirroring are as below.

Port mirroring status Disable
Mirroring the source port N/A
2.10.4 Configuring port mirroring on local port

Configure local port mirroring for the ISCOM2600G series switch as below.
Step Configure Description

2 Raisecom(config)#mirror-group group- Create a port mirroring group.
id
 group-id: mirroring group ID,
Example:
Raisecom(config)#mirror-group 1
an integer, ranging from 1 to 4
3 Raisecom(config)#mirror-group group- Configure the remote mirroring
id remote-vlan vlan-id VLAN for the mirroring group.
Example:
remote-vlan 2 an integer, ranging from 1 to 4
 vlan-id: remote mirror VLAN
ID, an integer, ranging from 1

to 4094

154
Raisecom
Step Configure Description

4 Raisecom(config)#mirror-group group- Configure the reflector interface
id reflector-port interface-type for the mirroring group.
interface-number
Example:
Raisecom(config)#mirror-group 1 an integer, ranging from 1 to 4
reflector-port gigaethernet 1/1/1
 interface-number: in the form
of unit/slot/port. The form and

value range depend on the
interface type.
Example:
gigaethernet 1/1/1
of unit/slot/port. The form and
value range depend on the
interface type.
6 Raisecom(config- Configure the monitor port for
gigaethernet1/1/*)#mirror-group mirroring.
group-id monitor-port
Example:
Raisecom(config- an integer, ranging from 1 to 4
gigaethernet1/1/1)#mirror-group 1
monitor-port
7 Raisecom(config- Configure the mirroring port of
gigaethernet1/1/*)#mirror-group port mirroring, and designate the
group-id source-port [ ingress | mirroring rule for port mirroring.
egress ] Port mirroring supports
Example: mirroring packets in both the
Raisecom(config- ingress and egress directions of
gigaethernet1/1/1)#mirror-group 1 the port.
source-port ingress
 ingress: ingress direction
 egress: egress direction
8 Raisecom(config- Configure port mirroring to

gigaethernet1/1/*)#exit mirror packets to or from the
Raisecom(config)#mirror-group group- CPU.
id source-cpu [ ingress | egress ]
Example:
Raisecom(config)#mirror-group 1 an integer, ranging from 1 to 4
source-cpu ingress
 egress: egress direction
 Before enabling remote VLAN mirroring, disable MAC address learning of the
remote mirroring VLAN on the source device, intermediate device, and destination
device so as to enable the mirroring function to work properly.

155
Raisecom
 When configuring the source mirroring port, you cannot add it to the remote
mirroring VLAN; otherwise, port mirroring will malfunction.


1 Raisecom#show mirror- Show configurations of port mirroring.
group [ group-id ]
2.10.6 Example for configuring port mirroring
As shown in Figure 2-23, the network administrator wants to monitor user network 1 through
the monitor device, then to catch the fault or abnormal data flow for analyzing and
discovering faults and then solve them in time.
The ISCOM2600G series switch is disabled with storm control and automatic packets sending.
User network 1 accesses the ISCOM2600G series switch through GE 1/1/1, user network 2
accesses the ISCOM2600G series switch through GE 1/1/2, and the data monitor device is
connected to GE 1/1/3.
Figure 2-23 Port mirroring networking
Configuration steps
Enable port mirroring on the Switch.
Raisecom#config
156
Raisecom
Raisecom(config-gigaethernet1/1/3)#mirror-group 1 monitor-port
Raisecom(config-gigaethernet1/1/1)#mirror-group 1 source-port ingress
Checking results
Use the show mirror command to show configurations of port mirroring.
Raisecom#show mirror-group
Mirror Group 1:
Monitor Port:
gigaethernet1/1/3
Source Port:
gigaethernet1/1/1 : ingress
Reflector Port:
Remote Vlan:
2.11 L2CP
2.11.1 Introduction
Metro Ethernet Forum (MEF) introduces service concepts, such as EPL, EVPL, EP-LAN, and
EVP-LAN. Different service types have different processing modes for Layer 2 Control
Protocol (L2CP) packets.
MEF6.1 defines processing modes for L2CP as below.
 Discard: discard the packet, by applying the configured L2CP profile on the ingress
interface of the ISCOM2600G series switch, to complete configuring processing mode.
 Peer: send packets to the CPU in the same way as the discard action.
 Tunnel: send packets to the MAN. It is more complex than discard and peer mode,
requiring cooperating profile at network side interface and carrier side interface tunnel
terminal to allow packets to pass through the carrier network.
Scenario
On the access device of MAN, you can configure profile on user network interface according
to services from the carrier to configure L2CP of the user network.
Prerequisite
N/A

157
Raisecom
2.11.3 Defaul configurations of L2CP

Default configurations of L2CP are as below.

Global L2CP status Disable
Applying the profile on the interface Disable
Destination MAC address of transparently transmitted packets 010E.5E00.0003
Description of the L2CP profile N/A
Channel type of transparently transmitted packets none
2.11.4 Configuring global L2CP

Configure global L2CP for the ISCOM2600G series switch as below.

2 Raisecom(config)#l2cp- (Optional) configure the destination MAC
process tunnel address for transparently transmitted packets. It
destination-address must be a multicast address that does not start
mac-address with 0180.c200 or 010E.5E00, but its default
Example: value is 010E.5E00.0003.
Raisecom(config)#l2cp-
process tunnel
destination-address
0180.c300.0001
3 Raisecom(config)#l2cp- Configure user-defined MAC address rules.
process user-defined-
 name: name of the user default protocol, a
protocol name
protocol-mac mac- string of 1 to 16 characters
 mac-address: protocol MAC address, in dotted
address encaptype
{ ethernetI ethertype hexadecimal notation, being 0180.c200.0000–
| llc dsap dsap value 0180.c200.00ff, 010e.5e00.0000–010e.5eff.ffff,
ssap ssap value } or 0100.0c00.00000–0100.0cff.fff
 ethertype: IEEE 802.3 protocol type, ranging
Example:
Raisecom(config)#l2cp- from 0x0600 to 0xffff
 dsap value: LLC DSAP, used to identify the
process user-defined-
protocol aa protocol- type of upper layer data carried by Ethernet
mac 0180.c200.0001 frames, ranging from 0 to 0x05ff
 ssap value: LLC SSAP, used to identify the
encaptype ethernetI
0x0601 type of upper layer data carried by Ethernet
frames, ranging from 0 to 0x05ff
2.11.5 Configuring L2CP profile

Configure the L2CP profile for the ISCOM2600G series switch as below.

158
Raisecom

2 Raisecom(config)#l2cp-process Create and enter the L2CP profile.
profile profile-number
 profile-number: L2CP profile ID, an
Example:
Raisecom(config)#l2cp-process integer, ranging from 1 to 32. L2CP
profile 4 profiles 1 and 2 are default profiles,
so they cannot be created, deleted,
and modified.
3 Raisecom(config-l2cp- (Optional) add the profile description.
profile)#name string
 string: description of the L2CP
Example:
Raisecom(config-l2cp- profile, a character string starting
profile)#name epl with a letter or number, with length
4 Raisecom(config-l2cp-profile)# (Optional) configure the mode for
l2cp-process protocol { stp processing L2CP packets.
|lacp| lamp |oam | esmc |
 stp: STP packets
dot1x | elmi | lldp | gvrp |
 lacp: LACP packets
gmrp | cdp | vtp | pvst | udld
 lamp: Lamp packets
| pagp | all } action { tunnel
 oam: OAM packets
| drop | peer }
 esmc: ESMC packets
Example:
 Dot1x: Dot1x packets
Raisecom(config-l2cp-
 elmi: ELMI packets
profile)#l2cp-process protocol
 lldp: LLDP packets
all action peer
 gvrp: GVRP packets
 gmrp: GMRP packets
 cdp: CDP packets
 vtp: VTPtp packets
 pvst: PVST packets
 udld: UDLD packets
 pagp: PAGP packets
 all: all L2CP packets (excluding
self-defined protocol packets)

 drop: discard packets.
 peer: submit packets to the CPU.
 tunnel: transparently transmit
packets.
5 Raisecom(config-l2cp- (Optional) configure the specified
profile)#tunnel vlan vlan-id VLAN for transparent transmission.
Example:
profile)#tunnel vlan 20 ranging from 1 to 4094
6 Raisecom(config-l2cp- (Optional) configure the specified
profile)#tunnel interface-type egress interface for transparent
interface-number transmission.
Example:
profile)#tunnel gigaethernet
1/1/1 range depends on the device type.
7 Raisecom(config-l2cp- (Optional) configure the type of the
profile)#tunnel tunnel-type tunnel for transparent transmission.
mac

159
Raisecom

8 Raisecom(config-l2cp- (Optional) configure the CoS of
profile)#tunnel cos cos-value encapsulated packets. It is the CoS
Example: priority in the header of 802.1q
Raisecom(config-l2cp- packets, an integer, ranging from 0 to
profile)#tunnel cos 1 7.
2.11.6 Configuring L2CP profile on interface

Configure the L2CP profile on the interface for the ISCOM2600G series switch as below.

interface-type interface-number configuration mode, or aggregation
Example: group configuration mode. Take
Raisecom(config)#interface physical interface configuration
gigaethernet 1/1/1 mode for example.
3 Raisecom(config- Apply the L2CP profile on the
gigaethernet1/1/*)#l2cp-process interface.
 profile-number: L2CP profile ID,
Example:
Raisecom(config- an integer, ranging from 1 to 32
gigaethernet1/1/1)#l2cp-process
profile 1
Only when global L2CP is enabled can the profile applied to the interface take effect.
You can configure global L2CP but it will not take effect if it is disabled.

Use the following commands check configuration results.

1 Raisecom#show l2cp-process profile Show information about the
[ profile-number ] created L2CP profile.
2 Raisecom#show l2cp-process Show configurations of L2CP on
[interface-type interface-number ] the interface.
3 Raisecom#show l2cp-process Show statistics about L2CP
[ tunnel statistics ] [ interface- packets on the interface.
type interface-number]

160
Raisecom
2.11.8 Maintenance
Command Description
Raisecom(config)#clear l2cp-process Clear statistics about L2CP packets on
tunnel statistics [interface-type the interface.
interface-number ]
Example:
Raisecom(config)#clear l2cp-process
tunnel statistics range depends on the device type.
2.11.9 Example for configuring L2CP
As shown in Figure 2-24, configure L2CP on Switch A and Switch B as below.
 Specify the multicast destination MAC address of them to 0100.1234.1234.
 Configure the STP packets of Customer A to traverse the MAN, and discard other
packets.
 Configure the STP and VTP packets of Customer B to traverse the MAN, send elmi
packets to the CPU, and discard other packets.
Figure 2-24 L2CP networking
Configuration steps
Configurations of Switch A and Switch B are identical. Take Switch A for example.
Step 1 Configure the switch name.
Step 2 Configure the specified multicast destination MAC address.

161
Raisecom
Raisecom(config)#l2cp-process tunnel destination-address 0100.1234.1234
Step 3 Configure L2CP profile 1, and apply the profile to GE 1/1/1 for Customer A.
Raisecom(config)#l2cp-process profile 1
Raisecom(config-l2cp-profile)#name CustomerA
Raisecom(config-l2cp-profile)#l2cp-process protocol all action drop
Raisecom(config-l2cp-profile)#l2cp-process protocol stp action tunnel
Raisecom(config-l2cp-profile)#exit
Raisecom(config-gigaethernet1/1/1)#l2cp-process profile 1
Step 4 Configure L2CP profile 2, and apply the profile to GE 1/1/2 for Customer B.
Raisecom(config)#l2cp-process profile 2
Raisecom(config-l2cp-proflie)#name CustomerB
Raisecom(config-l2cp-proflie)#l2cp-process protocol all action drop
Raisecom(config-l2cp-proflie)#l2cp-process protocol stp action tunnel
Raisecom(config-l2cp-proflie)#l2cp-process protocol vtp action tunnel
Raisecom(config-l2cp-proflie)#l2cp-process protocol elmi action peer
Raisecom(config-l2cp-proflie)#exit
Raisecom(config-gigaethernet1/1/2)#l2cp-process profile 2
Checking results
Use the show l2cp-profile command to show L2CP configurations.
Raisecom#show l2cp-process profile

Destination MAC Address for Encapsulated Packets: 0100.1234.1234
ProfileId: 1
Name: customerA
BpduType Mac-address l2cp-process Mac-vlan EgressPort tunneltype
-------------------------------------------------------------------------
-------------
stp 0180.C200.0000 tunnel -- none
dot1x 0180.C200.0003 drop -- none
lacp 0180.C200.0002 drop -- none
oam 0180.C200.0002 drop -- none
cdp 0100.0CCC.CCCC drop -- none
vtp 0100.0CCC.CCCC drop -- none
pvst 0100.0CCC.CCCD drop -- none
lldp 0180.C200.000E drop -- none
elmi 0180.C200.0007 drop -- none
udld 0100.0CCC.CCCC drop -- none

162
Raisecom
pagp 0100.0CCC.CCCC drop -- none

ProfileId: 2
Name: customerB
BpduType Mac-address l2cp-process Mac-vlan EgressPort tunneltype
-------------------------------------------------------------------------
-------------
stp 0180.C200.0000 tunnel -- none
dot1x 0180.C200.0003 drop -- none
lacp 0180.C200.0002 drop -- none
oam 0180.C200.0002 drop -- none
cdp 0100.0CCC.CCCC drop -- none
vtp 0100.0CCC.CCCC tunnel -- none
pvst 0100.0CCC.CCCD drop -- none
lldp 0180.C200.000E drop -- none
elmi 0180.C200.0007 peer -- none
udld 0100.0CCC.CCCC drop -- none
pagp 0100.0CCC.CCCC drop -- none
…
Use the show l2cp-process command to show interface configurations.
Raisecom#show l2cp-process
L2CP running informatiom
Port ProfileID BpduType mac-address l2cp-process
-------------------------------------------------------------------------
-----
GE1/1/1 1 stp 0180.C200.0000 tunnel
dot1x 0180.C200.0003 drop
lacp 0180.C200.0002 drop
oam 0180.C200.0002 drop
cdp 0100.0CCC.CCCC drop
vtp 0100.0CCC.CCCC drop
pvst 0100.0CCC.CCCD drop
lldp 0180.C200.000E drop
elmi 0180.C200.0007 drop
udld 0100.0CCC.CCCC drop
pagp 0100.0CCC.CCCC drop
GE1/1/2 2 stp 0180.C200.0000 tunnel
dot1x 0180.C200.0003 drop
lacp 0180.C200.0002 drop
oam 0180.C200.0002 drop
cdp 0100.0CCC.CCCC drop
vtp 0100.0CCC.CCCC tunnel
pvst 0100.0CCC.CCCD drop
lldp 0180.C200.000E drop
elmi 0180.C200.0007 peer
udld 0100.0CCC.CCCC drop
pagp 0100.0CCC.CCCC drop
GE1/1/3 -- -- -- --
GE1/1/4 -- -- -- --
GE1/1/5 -- -- -- --
…

163
Raisecom
2.12 Voice VLAN

2.12.1 Introduction
With increasing growth of voice technologies, voice devices are more and more widely used,
especially in broadband residential communities. The network usually transmits voice traffic
and data traffic concurrently, but voice traffic requires a higher priority than data traffic in
transmission to avoid delay and packet loss.
A voice VLAN is especially partitioned for voice traffic of users. By partitioning voice
VLANs and add interfaces of the voice device to voice VLANs, you can configure QoS of
voice traffic to increase the priority of transmitting voice traffic and guarantee call quality.
Compared with other methods for managing voice traffic, the voice VLAN has the following
advantages:
 Easy configuration: after you configure the voice device in global configuration mode
and interface configuration mode and enable the voice VLAN, the voice device can
classify and process voice traffic.
 Easy maintenance: you can modify rules (voice VLAN OUI address) for matching voice
traffic in global configuration mode. When a new IP voice device joins the network, its
interfaces can rapidly identify voice traffic by updated matching rules.
 Flexible implementation: The voice VLAN supports safe mode and common mode in
global configuration mode and automatic mode and manual mode on the interface, so it
is flexible in implementation. You can combine these modes as required to meet users'
requirements to the maximum extent.
– Secure mode: in the voice VLAN, the packets mismatching OUI are discarded while
the packets matching OUI are modified with the priority and then forwarded.
– Common mode: in the voice VLAN, the packets mismatching OUI are not modified
with the priority and are normally forwarded while the packets matching OUI are
modified with the priority and then forwarded.
– Automatic mode: in this mode, the interface automatically joins the voice VLAN.
You do not need to add the interface to the voice LAN; when the switch receives
voice packets, it will automatically add the interface to the voice VLAN. When the
interface fails to receive voice packets for a specified period, it will automatically
quit the voice VLAN.
– Manual mode: in this mode, you need to manually add the interface to the voice
VLAN. The interface does not automatically join and leave the voice VLAN.
The ISCOM2600G series switch supports the following two networking modes.
Figure 2-25 shows the networking mode for IP phone (with its interfaces transmitting voice
traffic only) to connect to the switch. This mode enables these interfaces to transmit voice
traffic only, thus minimizing the impact on voice traffic from data traffic.

164
Raisecom
Figure 2-25 Networking for IP phone to connect to switch
Figure 2-26 shows the networking mode for the IP phone to connect the PC to the switch
(transmitting voice packets only), so the link transmits both voice traffic and data traffic. In
this networking mode, voice traffic and data traffic are transmitted in the voice VLAN and
data VLAN respectively with affecting each other. When office staff need data
communication through PCs and also need voice communication through IP phones, you can
adopt this networking mode.
Figure 2-26 Networking for IP phone to connect PC to the switch
Scenario
The voice VLAN can transmit voice traffic. You can choose one of the following networking
schemes according to whether voice packets are tagged or not:
 If the IP phone sends untagged voice packets, see section Example for adding interface
to voice VLAN and configuring it to work in manual mode.
 If the IP phone supports obtaining the voice VLAN configured on the switch through
LLDP, it will send tagged voice packets. For details, see section 2.12.9 Example for
configuring IP phone to access voice VLAN packets through LLDP.
Prerequisite
Create a VLAN, and configure its parameters.
2.12.3 Default configurations of voice VLAN

Default configurations of Organizationally Unique Identifier (OUI) of the voice VLAN are as
below.
165
Raisecom
OUI-Address Mask address Description

0001.E300.0000 FFFF.FF00.0000 Siemens-phone
0003.6B00.0000 FFFF.FF00.0000 Cisco-phone
0004.0D00.0000 FFFF.FF00.0000 Avaya-phone
00D0.1E00.0000 FFFF.FF00.0000 Pingtel-phone
0060.B900.0000 FFFF.FF00.0000 Philips/NEC-phone
00E0.7500.0000 FFFF.FF00.0000 Verilink-phone
00E0.BB00.0000 FFFF.FF00.0000 NBX-phone
Other default configurations of the voice VLAN are as below.

Voice VLAN Disable
Voice VLAN secure working mode Disable
Voice VLAN common working mode Enable
Automatic mode for the interface to join the voice VLAN Disable
Manual mode for the interface to join the voice VLAN Enable
CoS and DSCP of Voice VLAN packets 6 and 46 respectively
QoS trust priority of Voice VLAN N/A
2.12.4 Configuring QoS of voice VLAN

Configure the QoS of the voice VLAN for the ISCOM2600G series switch as below.

number
Example:
 interface-number: interface ID, in the
gigaethernet 1/1/1 form of unit/slot/port. The range
depends on the device type.

166
Raisecom

3 Raisecom(config- Configure CoS and DSCP of voice
gigaethernet1/1/*)#voice-vlan VLAN packets.
qos cos cos-value dscp dscp-
 cos-value: CoS priority in the 802.1Q
value
Example: packet header, an integer, ranging
 dscp-value: DSCP priority in the
gigaethernet1/1/1)#voice-vlan
qos cos 2 dscp 10 802.1Q packet header, an integer,
4 Raisecom(config- Configure QoS trust priority of the
gigaethernet1/1/*)#voice-vlan voice VLAN. Then, the interface does
qos trust not modify the priority of voice VLAN
packets.
2.12.5 Enabling voice VLAN

Enable the voice VLAN for the ISCOM2600G series switch as below.

number
Example:
 interface-number: interface ID, in the
gigaethernet 1/1/1 form of unit/slot/port. The value
range depends on the interface type.
3 Raisecom(config- Enable or disable the voice VLAN.
gigaethernet1/1/*)#voice-vlan
 enable: enable the Voice VLAN.
vlan-id { enable | disable }
 disable: disable the Voice VLAN.
[ include-untagged ]
Example:
 include-untagged: add Voice VLAN
3 enable Tags to untagged packets which
match the OUI.
4 Raisecom(config- Configure the working mode for the
gigaethernet1/1/*)#voice-vlan interface to join the voice VLAN.
auto { enable | disable }
 enable: the Voice VLAN works in
Example:
Raisecom(config- automatic mode.
 disable: the Voice VLAN works in
auto disable manual mode.
5 Raisecom(config)#voice-vlan Configure the aging time for the
aging-time time interface to leave the voice VLAN in
Example: automatic mode.
Raisecom(config)#voice-vlan
 time: aging time, an integer, ranging
aging-time 600
from 30 to 1440, in units of minute

167
Raisecom
2.12.6 Configuring OUI address

Configure the OUI address for the ISCOM2600G series switch as below.

2 Raisecom(config)#voice-vlan Configure the OUI of the voice VLAN.
mac-address mac-address
[ mask address ]
[ description word ] hexadecimal notation
 mask-address: MAC address mask,
Example:
Raisecom(config)#voice-vlan ranging from 0x0000.0000.0000 to
mac-address 0001.E300.0000 0xFFFF.FFFF.FFFF
 word: description of the OUI address
FFFF.FF00.0000 description
siemens

Use the following commands check configuration results.

1 Raisecom#show voice- Show the OUI address, its mask, and description.
vlan mac-address
2 Raisecom#show voice- Show the status of the voice VLAN on the current
vlan status device.
3 Raisecom#show voice- Show the automatic mode of the voice VLAN on
vlan auto the current device.
2.12.8 Example for adding interface to voice VLAN and configuring

it to work in manual mode
GE 1/1/1 on the Switch connects the IP phone and PC to the Internet. It is required to
concurrently forward and isolate voice traffic and data traffic.
You can configure GE 1/1/1 as a Trunk interface, making the Native VLAN forward data
traffic and voice VLAN forward voice traffic. The PC sends untagged packets which are
transmitted in the Native VLAN of GE 1/1/1. Configure VLAN 100 as the Native VLAN to
transmit data traffic sent from the PC. The IP phone also sends untagged packets. Configure
the source MAC address to the OUI address of the voice VLAN so that the device can add
voice VLAN Tag when these packets pass the voice VLAN interface. Configure VLAN 200
as the voice VLAN to transmit voice traffic sent from the IP phone.

168
Raisecom
Figure 2-27 Networking with adding interface to voice VLAN and configuring it to work in
manual mode
Configuration steps
Step 1 Create VLAN 100 and VLAN 200, activate them, and configure VLAN 200 as the voice
VLAN.

Raisecom(config-gigaethernet1/1/1)#switchport trunk untag vlan 200
Raisecom(config-gigaethernet1/1/1)#voice-vlan 200 enable include-untagged
Step 2 Configure the MAC address (supporting the mask) of the IP phone as the OUI address of the
voice VLAN on the switch, namely, 0001.ED00.0000. Configure the mask to
FFFF.FF00.0000. For the OUI supported by the device by default, see section 2.12.3 Default
configurations of voice VLAN.
Raisecom(config)#voice-vlan mac-address 0001.ED00.0000 FFFF.FF00.0000
Step 3 (Optional) by default, the interface modifies the CoS and DSCP of voice packets to 6 and 46
respectively. To modify them to other values, you should use the following command in the
interface view before the voice VLAN is enabled on the interface.
Raisecom(config-gigaethernet1/1/1)#voice-vlan qos cos 6 dscp 46
respectively. To prevent the interface from modifying them, you should use the following
command:

169
Raisecom
Raisecom(config-gigaethernet1/1/1)#voice-vlan qos trust
Checking configurations
Use the show voice-vlan status command to view the current status of the voice VLAN.
Use the show voice-vlan mac-address command to view the OUI address of the voice
VLAN.
Raisecom(config)#show voice-vlan mac-address

OUI-Address Mask Description
----------------------------------------------------------------
0001.ED00.0000 FFFF.FF00.0000
2.12.9 Example for configuring IP phone to access voice VLAN

packets through LLDP
As shown in Figure 2-28, when the IP phone supports LLDP, it can obtain the voice VLAN
through LLDP. You can configure LLDP and voice VLAN on the switch to connect the IP
phone. Configure LLDP on the switch to advertise the voice VLAN of the interface to the IP
phone. To guarantee call quality, configure the voice VLAN to prioritize voice packets.
GE 1/1/1 on the Switch connects the IP phone and PC to the Internet. It is required to
concurrently forward and isolate voice traffic and data traffic.
You can configure GE 1/1/1 as a Trunk interface, making the Native VLAN forward data
traffic and voice VLAN forward voice traffic. The PC sends untagged packets which are
transmitted in the Native VLAN of GE 1/1/1. Configure VLAN 100 as the Native VLAN to
transmit data traffic sent from the PC. Configure VLAN 200 as the voice VLAN to transmit
voice traffic sent from the IP phone. The IP phone obtains the voice VLAN through LLDP and
sends packets with the voice VLAN Tag.

170
Raisecom
Figure 2-28 Configuring IP phone to access voice VLAN packets through LLDP
Configuration steps
Step 1 Create VLAN 100 and VLAN 200, activate them, and configure VLAN 200 as the voice
VLAN.

Raisecom(config-gigaethernet1/1/1)#voice-vlan 200 enable
Step 2 Enable global LLDP and interface LLDP to advertise the voice VLAN of the interface to the
IP phone.
Raisecom(config)#lldp enable
Raisecom(config-gigaethernet1/1/1)#lldp enable
Step 3 Configure the MAC address (supporting the mask) of the IP phone as the OUI address of the
voice VLAN on the switch, namely, 0001.ED00.0000. Configure the mask to
FFFF.FF00.0000. For the OUI supported by the device by default, see section 2.12.3 Default
configurations of voice VLAN.
Raisecom(config)#voice-vlan mac-address 0001.ED00.0000 FFFF.FF00.0000
respectively. To modify them to other values, you should use the following command in the
interface view before the voice VLAN is enabled on the interface.
Raisecom(config-gigaethernet1/1/1)#voice-vlan qos cos 6 dscp 46

171
Raisecom
respectively. To prevent the interface from modifying them, you should use the following
command:
Raisecom(config-gigaethernet1/1/1)#voice-vlan qos trust
Checking configurations
Use the show voice-vlan mac-address command to view the OUI address of the voice VLAN.
Raisecom(config)#show voice-vlan mac-address

OUI-Address Mask Description
----------------------------------------------------------------
0001.ED00.0000 FFFF.FF00.0000
2.13 GARP/GVRP
2.13.1 Introduction
Generic Attribute Registration Protocol (GARP) provides a mechanism to help GARP
members in the same LAN to distribute, broadcast, and register information (such as VLAN
and multicast information).
GARP is not an entity on a device. Those applications complying with GARP are called
GARP applications. GARP VLAN Registration Protocol (GVRP) is a GARP application.
When a GARP application entity is connected to an interface of a device, the interface is
mapped into the GARP application entity.
Packets of the GARP application entity use a specific multicast MAC address as its
destination MAC address. When receiving packets of the GARP application entity, a device
distinguishes them by the destination MAC address and transmits them to different GARP
applications (such as GAVP) for processing.
GARP messages
GARP members exchange data by transmitting messages, including the following three types
of messages:
 Join message: a GARP application entity sends a Join message when:
– It needs another device to register its attributes (such as VLAN information).

172
Raisecom
– It receives a Join message from other entities; or it has been statically configured with
some parameters, and needs another GARP application entity to register.
 Leave message: a GARP application entity sends a Leave message when:
– It needs another device to register its attributes.
– It receives a Join message from other entities to deregister its attributes or it statically
deregisters its attributes.
 LeaveAll message: when the GARP application entity is started, the LeaveAll timer
starts. It sends a LeaveAll message when this timer expires. The LeaveAll message is
used to deregister all attributes so that other GARP application entities can register all
attributes of the GARP application entity. When the GARP application entity receives a
LeaveAll message from the peer, its LeaveAll time is restored and then starts.
 The Leave message or LeaveAll message cooperates with the Join message to deregister
or reregister attributes. Through message exchange, all attributes to be registered can be
transmitted to all GARP entities in the same LAN.
GARP timer
The interval for sending the GARP message is controlled by timers. GARP defines three
timers to control the interval.
 Join timer: if no message is replied to the first Join message sent by the GARP
application entity, this entity will send another Join message to ensure secure
transmission. The interval between sending these two messages is controlled by the Join
timer. If the entity has received reply from other GARP application entities, it will not
send the Join message.
 Leave timer: when a GARP application entity needs to deregister an attribute, it sends a
Leave message to another GARP application entity which will later start a Leave timer.
It deregisters the attribute if failing to receive the Join message to deregister the attribute
before the Leave timer expires.
 LeaveAll timer: when a GARP application entity starts, its LeaveAll timer also starts.
When the LeaveAll timer expires, the GARP application entity sends a LeaveAll
message so that other GARP application entities can register all attributes of the GARP
application entity. Then, the LeaveAll timer is restored and starts retiming.
GVRP
GARP VLAN Registration Protocol (GVRP) is a GARP application. Based on GARP
working mechanism, it maintains VLAN dynamic registration information of the switch, and
sends the information to other switches.
All GVRP-supportive switches can receive VLAN registration information from other
switches, and dynamically update local VLAN registration information. In addition, all
GVRP-supportive switches can send local VLAN registration information to other switches so
that they have consistent VLAN registration information in the same VLAN. VLAN
registration information sent by GVRP includes manually configured local static registration
information and dynamic registration information from other switches.
GVRP has three registration modes:
 Normal: in this mode, GVRP allows dynamic registration and deregistration of VLANs,
and sends dynamic and static VLAN information.
 Fixed: in this mode, GVRP forbids dynamic registration and deregistration of VLANs,
and sends static VLAN information rather than dynamic VLAN information.

173
Raisecom
 Forbidden: in this mode, GVRP forbids dynamic registration and deregistration of

VLANs, forbids creating static VLANs on the interface, deletes all VLANs except
VLAN 1, allows packets of the default VLAN (VLAN 1) to pass, and transmits packets
of the default VLAN to other GARP members.
As shown in Figure 2-29, to configure VLANs on multiple devices on a network and allow
packets of the specified VLAN to pass are complex. By using GVRP to dynamically register
and transmit the specified VLAN, the network administrator can improve working efficiency
and accuracy.
Figure 2-29 Principles of GVRP
As shown in Figure 2-29, GE 1/1/1 on Switch 1, GE 1/1/1 and GE 1/1/2 on Switch 2, and GE
1/1/1 on Switch N are Trunk interfaces. Create VLANs 5–50 on Switch 1, and then these
VLANs will be dynamically registered on the Rx interface along the red direction until
Switch N is registered. Create VLANs 51–100 on Switch N, and then these VLANs will be
dynamically registered on the Rx interface along the blue direction so that each switch can
completely process packets of VLANs 5–100.
Scenario
GARP enables configurations of a GARP member to fast spread to all GARP-enabled devices
in the LAN.
The values of the Join timer, Leaver timer, and LeaveAll timer configured through GARP will
be applied to all GARP applications in the LAN, including GVRP and GMRP features.
Prerequisite
N/A
2.13.3 Default configurations of GARP

Default configurations of GARP are as below.

GARP Join timer 20 (in units of 10ms)
GARP Leave timer 600 (in units of 10ms)
GARP LeaveAll timer 1000 (in units of 10ms)

174
Raisecom

Global GVRP status Enable
Interface GVRP status Disable
GVRP registration mode Normal
Global GMRP status Disable
Interface GMRP status Disable
GMRP registration mode Normal
2.13.4 Configuring basic functions of GARP

Configure basic functions of GARP for the ISCOM2600G series switch as below.

2 Raisecom(config)#in Enter physical interface configuration mode.
terface interface-
type interface-
 interface-number: interface ID, in the form of
number
Example: unit/slot/port. The value range depends on the
Raisecom(config)#in interface type.
terface
gigaethernet 1/1/1
3 Raisecom(config- Configure the GARP timer.
gigaethernet1/1/*)#
 join time-value: configure the Join timer. The time-
garp timer { join |
leave | leaveall } value refers to the timer value, which is an integer,
time-value ranging from 20 to 20000, in units of 10ms.
 leave time-value: configure the Leave timer. The
Example:
Raisecom(config- time-value refers to the timer value, which is an
gigaethernet1/1/1)# integer, ranging from 60 to 20000, in units of
garp timer join 60 10ms.
 leaveall time-value: configure the LeaveAll timer.
The time-value refers to the timer value, which is

an integer, ranging from 500 to 20000, in units of
10ms.
 The value of the Join timer must be smaller than half of that of the Leave timer.
 The value of the Leave timer must be greater than twice of that of the Join timer,
and smaller than that of the LeaveAll timer.
 The value of the LeaveAll timer must be greater than that of the Leave timer.
 In actual networking, we recommend configuring the Join timer, Leave timer, and
LeaveAll timer to 3000, 15000, and 20000, in units of 10ms.

175
Raisecom
2.13.5 Configuring GVRP

Configure GVRP for the ISCOM2600G series switch as below.

2 Raisecom(config)#gvrp { enable | Enable or enable global GVRP.
disable }
 enable: enable GVRP.
Example:
 disable: disable GVRP.
Raisecom(config)#gvrp enable
Example:
 interface-number: interface ID,
gigaethernet 1/1/1
in the form of unit/slot/port. The
value range depends on the
interface type.
4 Raisecom(config- Configure the interface to Trunk
gigaethernet1/1/*)#switchport mode mode.
trunk
5 Raisecom(config- (Optional) configure GVRP
gigaethernet1/1/*)#gvrp registration mode.
registration { fixed | forbidden
 fixed: fixed mode
| normal }
 forbidden: forbidden mode
Example:
 normal: normal mode
Raisecom(config-
gigaethernet1/1/1)#gvrp
registration fixed
6 Raisecom(config- Enable or disable interface GVRP.
gigaethernet1/1/*)#gvrp { enable |
 enable: enable GVRP.
disable }
 disable: disable GVRP.
Example:
Raisecom(config-
gigaethernet1/1/1)#gvrp enable
 Interface GVRP can be enabled only after the interface is configured to Trunk
mode.
 We do not recommend enabling GVRP on a LAG member interface.


1 Raisecom#show garp [ interface- Show configurations of the
type interface-number] GARP timer.
2 Raisecom#show garp [ interface- Show GARP statistics.
type interface-number] statistics
176
Raisecom

3 Raisecom#show gvrp [ interface- Show GVRP configurations.
type interface-number]
4 Raisecom#show gvrp [ interface- Show GVRP statistics.
type interface-number] statistics
5 Raisecom#show gvrp local-vlan Show the local VLAN of GMRP.
interface-type interface-number
2.13.7 Maintenance
Command Description
Raisecom(config)#clear gvrp [ interface- Clear GVRP statistics.
type interface-number ] statistics
Example:
 interface-number: interface ID.
Raisecom(config)#clear gvrp statistics
The value range depends on the
interface type.
2.13.8 Example for configuring GVRP
As shown in Figure 2-30, to dynamically register, deregister, and update VLAN information
between switches, configure GVRP on these switches. Detailed requirements are as below:
 Configure static VLANs 5–10 on Switch A and Switch C.
 Configure static VLANs 15–20 on Switch D.
 Configure static VLANs 25–30 on Switch E.
 Configure the interfaces that are connected to other switches to Trunk mode, and enable
GVRP on these interfaces.
 Configure the Join timer, Leave timer, and LeaveAll timer of GARP on each interface to
3000, 15000, and 20000, in units of 10ms.

177
Raisecom
Figure 2-30 GVRP networking
Configuration steps
Step 1 Create VLANs and enable global GVRP.
Configure Switch A.
SwitchA#config
SwitchA(config)#create vlan 5-10 active
SwitchA(config)#gvrp enable
Configure Switch B.
SwitchB#config
SwitchB(config)#gvrp enable
Configure Switch C.
SwitchC#config
SwitchC(config)#create vlan 5-10 active
SwitchC(config)#gvrp enable
Configure Switch D.
Raisecom#hostname SwitchD

178
Raisecom
SwitchD#config
SwitchD(config)#create vlan 15-20 active
SwitchD(config)#gvrp enable
Configure Switch E.
Raisecom#hostname SwitchE
SwitchE#config
SwitchE(config)#create vlan 25-30 active
SwitchE(config)#gvrp enable
Step 2 Configure GE 1/1/1, GE 1/1/2, and GE 1/1/3 on Switch A, GE 1/1/1, GE 1/1/2, and GE 1/1/3
on Switch B, GE 1/1/1 on Switch C, and GE 1/1/1 on Switch D to Trunk mode, and enable
GVRP on them. Take GE 1/1/1 on Switch A for example. Configurations of other interfaces
are the same.

SwitchA(config-gigaethernet1/1/1)#gvrp enable
Step 3 Configure GARP timers of GE 1/1/1, GE 1/1/2, and GE 1/1/3 on Switch A, GE 1/1/1, GE
1/1/2, and GE 1/1/3 on Switch B, GE 1/1/1 on Switch C, and GE 1/1/1 on Switch D, and
enable GVRP on them. Take GE 1/1/1 on Switch A for example. Configurations of other
interfaces are the same.

SwitchA(config-gigaethernet1/1/1)#garp timer leaveall 20000
SwitchA(config-gigaethernet1/1/1)#garp timer leave 15000
SwitchA(config-gigaethernet1/1/1)#garp timer join 3000
Checking results
Use the show gvrp command to show GVRP configurations on the interface.
SwitchA#show gvrp gigaethernet 1/1/1

Gvrp Globle Status: Enable
Port PortStatus RegMode
--------------------------------------------------
GE1/1/1 Enable Normal

179
Raisecom
GE1/1/4 Disable Normal

Use the show vlan command to view information about VLANs on the device. Take Switch A
for example.
SwitchA#show vlan
VLAN Name State Status Priority Member-
Ports
-------------------------------------------------------------------------
-----------------------------------------------------
1 Default active static --
5 VLAN0005 active static --
15 VLAN0015 active dynamic-gvrp --
gigaethernet1/1/3

gigaethernet1/1/3

gigaethernet1/1/3

gigaethernet1/1/3

gigaethernet1/1/3

gigaethernet1/1/3
--More--

180
Raisecom
ISCOM2600G (A) Series Configuration Guide (CLI) 3 Ring network protection
3 Ring network protection
This chapter describes principles and configuration procedures of ring network protection,
including the following section:
 G.8032
3.1 G.8032
3.1.1 Introduction
G.8032 Ethernet Ring Protection Switching (ERPS) is an APS protocol based on the ITU-T
G.8032 recommendation. It is a link-layer protocol specially used in Ethernet rings. Generally,
ERPS can avoid broadcast storm caused by data loopback in Ethernet rings. When a
link/device on the Ethernet ring fails, traffic can be quickly switched to the backup link to
ensure restoring services quickly.
G.8032 uses the control VLAN on the ring network to transmit ring network control
information. Meanwhile, combining with the topology feature of the ring network, it
discovers network fault quickly and enable the backup link to restore service fast.
Scenario
With the development of Ethernet to Telecom-grade network, voice and video multicast
services bring higher requirements on Ethernet redundant protection and fault-recovery time.
The fault-recovery time of current STP system is in second level that cannot meet
requirements.
By defining different roles for nodes on a ring, G.8032 can block a loopback to avoid
broadcast storm in normal condition. Therefore, the traffic can be quickly switched to the
protection line when working lines or nodes on the ring fail. This helps eliminate the loop,
perform protection switching, and automatically recover from faults. In addition, the
switching time is shorter than 50ms.
The ISCOM2600G series switch supports the single ring, intersecting ring, and tangent ring.

181
Raisecom
G.8032 provides a mode for detecting faults based on physical interface status. The
ISCOM2600G series switch learns link fault quickly and switches services immediately, so
this mode is suitable for detecting the fault between neighboring devices.
Prerequisite
 Create VLANs.
 Add interfaces to VLANs.
3.1.3 Default configurations of G.8032

Default configurations of G.8032 are as below.

Protocol VLAN 1
Protection ring mode Revertive
Ring WTR timer 6min
Ring protocol version 2
Guard timer 500ms
Ring Hold-off timer 0ms
ERPS fault reported to NMS Enable
Tributary ring virtual channel mode in intersecting node With
Ring Propagate switch in crossing node Disable
3.1.4 Creating G.8032 ring

Configure the G.8032 ring for the ISCOM2600G series switch as below.
 Only one device on the protection ring can be configured as the Ring Protection
Link (RPL) Owner and only one device is configured as the RPL Neighbor. Other
devices are configured as ring forwarding nodes.
 The tangent ring consists of 2 independent single rings. Configurations of the
tangent ring are identical to those of the common single ring. The intersecting ring
consists of a main ring and a tributary ring. Configurations of the main ring are
identical to those of the common single ring. For detailed configurations of the
tributary ring, see section 3.1.6 (Optional) creating G.8032 tributary ring.

182
Raisecom

2 Raisecom(config)#ethernet Create a G.8032 protection ring.
ring-protection ring-id east
 ring-id: Ethernet ring ID, an integer,
{ interface-type interface-
number | port-channel port- ranging from 1 to 255
 east: eastward interface
channel-number } west
 west: west interface
{ interface-type interface-
number | port-channel port-
channel-number } [ node-type
 port-channel-number: LAG ID, an
{ rpl-owner | rpl-neighbour }
rpl { east | west } ] [ not- integer, ranging from 1 to 32
 rpl-owner: the node type is the RPL
revertive ] [ protocol-vlan
vlan-id ] [ block-vlanlist Owner. The RPL Owner is at one end
vlan-list ] of the RPL. It is in interface blocking
Raisecom(config)#ethernet status under normal conditions. It
ring-protection ring-id automatically enters the active mode
{ east | west } { interface- when a fault occurs.
 rpl-neighbour: the node type is the RPL
type interface-number | port-
channel port-channel-number } Neighbor. The RPL Neighbor is at one
[ node-type { rpl-owner | end of the RPL. It is in interface
rpl-neighbour } ] [ not- blocking status under normal
revertive ] [ protocol-vlan conditions.
 non-revertive: the protection ring
vlan-id ] [ block-vlanlist
vlan-list ] changes to non-revertive mode. When
Raisecom(config)#ethernet the working link is recovered in
ring-protection ring-id east revertive mode, traffic is switched back
{ interface-type interface- to the working link from the protection
number | port-channel port- link, while the traffic will not be
channel-number } west switched in non-revertive mode. If this
{ interface-type interface- parameter is not used, the revertive
number | port-channel port- mode is used.
 protocol-vlan: protocol VLAN, for
channel-number } [ not-
revertive ] [ protocol-vlan transmitting ERPS packets
vlan-id ] [ block-vlanlist
vlan-list ] from 1 to 4094
 block-vlanlist: list of blocked service
Example: VLANs
 vlan-list: VLAN ID list, an integer,
Raisecom(config)#ethernet
ring-protection 1 east ranging from 1 to 4094. It supports
gigaethernet 1/1/1 west specific values, such as "1,2,3"; it also
gigaethernet 1/1/2 node-type supports a range, such as "1-3".
rpl-owner rpl east
The eastbound and westbound

interfaces cannot be the same one.
3 Raisecom(config)#ethernet (Optional) configure a name for the
ring-protection ring-id name protection ring. Up to 32 bytes are
string available.
Example:
ring-protection 1 name ranging from 1 to 255
Raisecom  string: name of the protection ring, a
string of 1 to 32 characters

183
Raisecom

4 Raisecom(config)#ethernet (Optional) configure the protocol
ring-protection ring-id version. The protocol version of all nodes
version { 1 | 2 } on a protection ring should be identical.
Example:
Raisecom(config)#ethernet In protocol version 1, protection rings are
ring-protection 1 version 2 distinguished based on the protocol
VLAN. Therefore, you need to configure
different protocol VLANs for protection
rings.
We recommend configuring different
protocol VLANs for protection rings
even if protocol version 2 is used.
 1: versio 1
 2: version 2
5 Raisecom(config)#ethernet (Optional) after the ring Guard timer is

ring-protection ring-id configured, the failed node does not
guard-time guard-time process APS packets during a period. In a
Example: bigger ring network, if the failed node
Raisecom(config)#ethernet recovers from a fault immediately, it may
ring-protection 1 guard-time receive the fault notification sent by the
1000 neighboring node on the protection ring.
Therefore, the node is in Down status
again. You can configure the ring Guard
timer to solve this problem.
 guard-time: Guard time, an integer,
ranging from 20 to 2000, in units of

millisecond
6 Raisecom(config)#ethernet (Optional) configure the ring WTR timer.
ring-protection ring-id wtr- In revertive mode, when the working line
time wtr-time recovers from a fault, traffic is not
Example: switched to the working line unless the
Raisecom(config)#ethernet WTR timer times out.
ring-protection 1 wtr-time 10
 wtr-time: WTR time, an integer,
ranging from 1 to 12, in units of minute

184
Raisecom

7 Raisecom(config)#ethernet (Optional) configure the ring Hold-off
ring-protection ring-id timer. After the Hold-off timer is
holdoff-time holdoff-time configured, the system will delay
Example: processing the fault when the working
Raisecom(config)#ethernet line fails. In other words traffic is
ring-protection 1 holdoff- delayed to be switched to the protection
time 1 line. This helps prevent frequent
switching caused by working line
vibration.
 holdoff-time: hold-off time, an integer,
ranging from 0 to 100, in units of 100

millisecond
If the ring Hold-off timer value is too

great, it may influence 50ms
switching performance. Therefore,
we recommend configuring the ring
Hold-off timer value to 0.
3.1.5 Configuring ERPS fault detection mode

Configure the ERPS fault detection mode for the ISCOM2600G series switch as below.

2 Raisecom(config)#ethernet Configure the fault detection mode to
ring-protection ring-id physical link.
{ east | west } failure-
detect physical-link By default, it is physical link.
Example:  ring-id: Ethernet ring ID, an integer,
Raisecom(config)#ethernet ranging from 1 to 255
ring-protection 1 east  east: fault detection mode of the
failure-detect physical-link eastward interface

 west: fault detection mode of the
westward interface
3.1.6 (Optional) creating G.8032 tributary ring
 Only the intersecting ring consists of a main ring and a tributary ring.
 Configurations of the main ring are identical to those of the single/tangent ring. For
details, see section 3.1.4 Creating G.8032 ring.

185
Raisecom
 For the intersecting ring, configure its main ring and then the tributary ring,
otherwise the tributary ring will fail to find the interface of the main ring, thus failing
to establish the virtual channel of the tributary ring.
 Configurations of non-intersecting nodes of the intersecting ring are identical to
those of the single/tangent ring. For details, see section 3.1.4 Creating G.8032
ring.
Configure G.8032 intersecting rings for ISCOM2600G series switch as below.

2 Raisecom(config)#ethernet Create a tributary ring on the intersecting node
ring-protection ring-id and configure the intersecting node as the RPL
{ east | west } Owner.
{ interface-type
 ring-id: Ethernet ring ID, an integer, ranging
interface-number | port-
channel port-channel- from 1 to 255
number } node-type rpl-
owner [ not-revertive ]
[ protocol-vlan vlan-id ]
[ block-vlanlist vlan-
 port-channel-number: LAG ID, an integer,
list ]
 rpl-owner: the node type is the RPL Owner.
ring-protection 1 east The RPL Owner is at one end of the RPL. It
gigaethernet 1/1/1 node- is in interface blocking status under normal
type rpl-owner conditions. It automatically enters the active
mode when a fault occurs.
 non-revertive: the protection ring changes to
non-revertive mode. When the working link

is recovered in revertive mode, traffic is
switched back to the working link from the
protection link, while the traffic will not be
switched in non-revertive mode. If this
parameter is not used, the revertive mode is
used.
transmitting ERPS packets

to 4094
 block-vlanlist: list of blocked service VLANs
 vlan-list: VLAN ID list, an integer, ranging
from 1 to 4094. It supports specific values,

such as "1,2,3"; it also supports a range, such
as "1-3".

186
Raisecom

Raisecom(config)#ethernet Create a tributary ring on the intersecting node,
ring-protection ring-id and configure the intersecting node as the RPL
{ east | west } Neighbour.
{ interface-type
number } node-type rpl-
neighbour [ not-
revertive ] [ protocol-
vlan vlan-id ] [ block-
vlanlist vlan-list ]
 rpl-neighbour: the node type is the RPL
ring-protection 1 east Neighbor. The RPL Neighbor is at one end of
gigaethernet 1/1/1 node- the RPL. It is in interface blocking status
type rpl-neighbour under normal conditions.
non-revertive mode. When the working link

used.

to 4094

as "1-3".

187
Raisecom

Raisecom(config)#ethernet Create a tributary ring on the intersecting node,
ring-protection ring-id and configure the intersecting node as the
{ east | west } protection forwarding node.
{ interface-type
 ast: eastward interface
number } [ not-
revertive ] [ protocol-
vlan vlan-id ] [ block-
vlanlist vlan-list ]
Example:
Raisecom(config)#ethernet ranging from 1 to 32
ring-protection 1 east
gigaethernet 1/1/1 non-revertive mode. When the working link
used.

to 4094

as "1-3".
3 Raisecom(config)#ethernet (Optional) configure the tributary ring virtual
ring-protection ring-id channel mode.
raps-vc { with |
without }
 with: the tributary ring virtual channel mode
ring-protection 1 raps-vc is with.
 without: the tributary ring virtual channel
without
mode is without.
4 Raisecom(config)#ethernet Enable the ring Propagate switch on the
ring-protection ring-id intersecting node.
propagate { enable |
disable } Because data of the tributary ring needs to be
Example: transmitted through the main ring, there is a
Raisecom(config)#ethernet MAC address table of the tributary ring on the
ring-protection 1 main ring. When the tributary ring fails, it
propagate enable needs to use the Propagate switch to inform the
main ring of refreshing the MAC address table
to avoid traffic loss.
3.1.7 (Optional) configuring G.8032 switching control

Configure G.8032 switching control for the ISCOM2600G series switch as below.

188
Raisecom

2 Raisecom(config)#ethernet Switch the traffic on the protection ring to the
ring-protection ring-id west/east interface forcedly.
force-switch { east |
west } FS can be configured on multiple interfaces of
Example: multiple ring nodes.
Raisecom(config)#ethernet  ring-id: Ethernet ring ID, an integer, ranging
ring-protection 1 force- from 1 to 255
switch east  east: block the eastward interface, and
forcibly switch the traffic to the westward

interface.
 west: block the westward interface, and
forcibly switch the traffic to the eastward

interface.
3 Raisecom(config)#ethernet Switch the traffic on the protection ring to the
ring-protection ring-id west/east interface manually. Its priority is
manual-switch { east | lower than the one of FS and APS.
west }
Example: MS can be configured on one interface of a
Raisecom(config)#ethernet ring node.
ring-protection 1 manual-  ring-id: Ethernet ring ID, an integer, ranging
switch west from 1 to 255
 east: block the eastward interface, and
forcibly switch the traffic to the westward

interface.
 west: block the westward interface, and
forcibly switch the traffic to the eastward

interface.
4 Raisecom(config)#clear Clear switching control commands, including
ethernet ring-protection force-switch, manual-switch, WTR timer, and
ring-id { command | WTB timer.
statistics }
Example:
Raisecom(config)#clear from 1 to 255
ethernet ring-protection
1 command
By default, traffic is automatically switched to the other line when the current line fails
to forward traffic.


1 Raisecom#show ethernet ring- Show configurations of the G.8032 ring.
protection [ ring-id ]

189
Raisecom

2 Raisecom#show ethernet ring- Show G.8032 ring status.
protection status [ ring-id ]
3 Raisecom#show ethernet ring- Show G.8032 ring statistics.
protection statistics [ ring-
id ]
3.1.9 Maintenance
Command Description
Raisecom(config)#clear ethernet Clear the effect of the ring protection
ring-protection ring-id command control command (force-switch, manual-
Example: switch, WTR timer timeout, and WTB
Raisecom(config)#clear ethernet timer timeout).
ring-protection 1 command
Raisecom(config)#clear ethernet Clear statistics on the protection ring.
ring-protection ring-id statistics
Example:
Raisecom(config)#clear ethernet ranging from 1 to 255
ring-protection 1 statistics

190
Raisecom
ISCOM2600G (A) Series Configuration Guide (CLI) 4 IP services
4 IP services
This chapter describes basic principles and configuration procedures for IP services, and
 IP basis
 Loopback interface
 Interface loopback
 ARP
 NDP
 Static route
 Routing policy
4.1 IP basis
4.1.1 Introduction
The IP interface is the virtual interface based on VLAN. Configuring Layer 3 interface is
generally used for network management or routing link connection of multiple devices.
The ISCOM2600G series switch supports double-tagged management VLAN packets; in
other words, it can send and process double-tagged packets.
Scenario
Configure the IP address of each VLAN interface, SNMP interface, or loopback interface.
Prerequisite
 Create VLANs.
 Activate them.
4.1.3 Default configurations of VLAN interface

Default configurations of the VLAN interface are as below.
191
Raisecom

Management VLAN inner TPID 0x8100
Management VLAN inner VLAN 1
Management VLAN CoS 0
IP address of the SNMP interface 192.168.0.1
Forwarding IP broadcast packets Disable
4.1.4 Configuring IPv4 adress of VLAN interface

Configure the IPv4 address of the VLAN interface for the ISCOM2600G series switch as
below.

2 Raisecom(config)#inte Enter VLAN interface configuration mode.
rface vlan vlan-id
Example:
Raisecom(config)#inte 4094
rface vlan 1
3 Raisecom(config- Configure the primary IP address of the VLAN
vlan*)#ip address ip- interface.
address [ ip-mask ]
Example: Use the no ip address ip-address command to
Raisecom(config- delete configuration of the primary IP address.
vlan1)#ip address  ip-address: IP address, in dotted decimal
192.168.11.101 notation, such as 10.0.0.1
255.255.0.0  ip-mask: mask of IP address, in dotted decimal
notation, such as 255.0.0.0

 sub: sub-IP address
4 Raisecom(config- Configure the secondary IP address of the VLAN

vlan*)#ip address ip- interface.
address [ ip-mask ]
sub Use the no ip address ip-address sub command
to delete configuration of the secondary IP
address.
4.1.5 Configuring IPv6 address of VLAN interface

Configure the IPv6 address of the VLAN interface for the ISCOM2600G series switch as
below.


192
Raisecom

2 Raisecom(config)#interface Enter Layer 3 interface configuration
vlan vlan-id mode.
Example:
vlan 1 from 1 to 4094
3 Raisecom(config-vlan*)#ipv6 Configure the IPv6 address of the VLAN
address ipv6-address link- interface.
local
Raisecom(config-vlan*)#ipv6
address ipv6-address/prefix- address with prefix length, in form of
length [ eui-64 ] A:B::C:D/M
 eui-64: IPv6 local link address. The
Example:
Raisecom(config-vlan1)#ipv6 eui-64 is the interface ID.
address 1030:0::48AA:1A2B/60
hexadecimal notation
 link-local: IPv6 local link address
4.1.6 Configuring basic attributes

Configure basic attributes for the ISCOM2600G series switch as below.

2 Raisecom(config)#interface vlan Enter VLAN interface configuration
vlan-id mode.
Example:
Raisecom(config)#interface vlan
1 ranging from 1 to 4094
3 Raisecom(config-vlan*)#ip Configure CoS of the management
management-traffic cos cos- VLAN.
value
Example: By default, it is 6.
Raisecom(config-vlan1)#ip  cos-value: outer CoS, an integer,
management-traffic cos 2 ranging from 0 to 7
4 Raisecom(config-vlan*)#ip Configure the double-tagged mode
management-traffic mode double- for management packets.
tagging [ inner-vlan vlan-id ]
[ inner-cos cos-id ]
 cos-id: inner CoS, an integer,
Raisecom(config-vlan1)#ip
management-traffic mode double- ranging from 0 to 7
tagging
5 Raisecom(config-vlan*)#exit Exit global configuration mode.
6 Raisecom(config)#ip dest- Enable or disable the function of
address illegal syslog { enable processing IP packets of which
| disable } destination addresses include illegal
addresses.
7 Raisecom(config)#ip packet Configure the device to forward IP
unknown forward packets of unknown types.

193
Raisecom

8 Raisecom(config)#icmp unreach Enable the function of sending ICMP
send unreachable packets.
9 Raisecom(config)#exit Return to privileged EXEC mode.
10 Raisecom#ip soft-forward Enable the device to forward
{ enable | disable } generated control packets.
Example:
Raisecom#ip soft-forward enable Use the disable form of this
command to disable this function.
 enable: enable the device to forward
generated control packets.
 disable: disable the device to
forward generated control packets.
4.1.7 Configuring function of forwarding IP broadcast packets

 The VLAN interfaces that are enabled with the function of forwarding IP broadcast
packets can forward IP broadcast packets between them to implement the customized
application of transparently transmitting IP broadcast packets across different network
segments. When the function of forwarding IP broadcast packets based on ACL rule is
configured, the VLAN interface transparently transmits IP broadcast packets that comply
with the ACL rule only, thus enhancing network security.
 The VLAN interfaces that are disabled with the function of forwarding IP broadcast
packets cannot forward IP broadcast packet between them so as to isolate IP broadcast
packets.
Configure the function of forwarding IP broadcast packets for the ISCOM2600G series switch
as below.

2 Raisecom(config)#int Enter VLAN interface configuration mode.
erface vlan vlan-id
3 Raisecom(config- Configure the function of forwarding IP
vlan*)#ip forward- broadcast packets.
broadcast
This command is applicable to forwarding
packets related to IP broadcast.
Raisecom(config- Configure the function of forwarding IP
vlan*)#ip forward- broadcast packets based on ACL rule.
broadcast access-
list acl-number This command is applicable to forwarding
packets of the specified ACL.


194
Raisecom

1 Raisecom#show ip interface Show configurations of the IP address of
brief the VLAN interface.
2 Raisecom#show ipv6 interface Show configurations of the IPv6 address
brief of the VLAN interface.
3 Raisecom#show ip management- Show information about management
traffic packets on the VLAN interface.
4.1.9 Example for configuring VLAN interface to interconnect with

host
As shown in Figure 4-1, configure the VLAN interface to the switch so that the host and the
ISCOM2600G series switch can ping each other.
Figure 4-1 VLAN interface networking
Configuration steps
Step 1 Create a VLAN and add the interface to the VLAN.
Raisecom#config
Step 2 Configure Layer 3 interface on the ISCOM2600G series switch, configure its IP address, and
associate the interface with the VLAN.
Raisecom(config-vlan10)#ip address 192.168.1.2 255.255.255.0

195
Raisecom
Checking results
Use the show vlan command to show mapping between the physical interface and VLAN.
Raisecom#show vlan 10
VLAN Name State Status Priority Member-Ports
-------------------------------------------------------------------------
Use the show ip interface brief to show configurations of the Layer 3 interface.
Raisecom#show ip interface brief

VRF IF Address NetMask
Catagory
-------------------------------------------------------------------------
------------------------------
Default-IP-Routing-Table fastethernet1/0/1 192.168.0.1 255.255.255.0
primary
Default-IP-Routing-Table vlan10 192.168.1.2 255.255.255.0
primary
Use the ping command to check whether the ISCOM2600G series switch and PC can ping
each other.
Raisecom#ping 192.168.1.3
Type CTRL+C to abort
Sending 5, 8-byte ICMP Echos to 192.168.1.3, timeout is 3 seconds:
Reply from 192.168.1.3: time<1ms
---- PING Statistics----

5 packets transmitted, 5 packets received,
Success rate is 100 percent(5/5),
round-trip (ms) min/avg/max = 0/0/0.
4.2 Loopback interface

4.2.1 Introduction
The loopback interface is a virtual interface and can be classified into two types:

196
Raisecom
 Loopback interface automatically created by the system: the IP address is fixed to

127.0.0.1. This type of interfaces receives packets sent to the device. It does not
broadcast packets through routing protocols.
 Loopback interface created by users: without affecting physical interface configurations,
configure a local interface with a specified IP address, and make the interface Up
permanently so that packets can be broadcasted through routing protocols.
The loopback interface status is independent from the physical interface status (Up/Down). As
long as the ISCOM2600G series switch is working normally, the loopback interface will not
become Down. Thus, it is used to identify the physical device as a management address.
Scenario
Use the IP address of the loopback interface to log in through Telnet so that the Telnet
operation does not become Down due to change of physical status. To enable the PC to ping
through the IP address of the loopback interface, configure the corresponding static route
entry on the PC. The loopback interface ID is also used as the router ID of dynamic routing
protocols, such as OSPF, to uniquely identify a device.
Prerequisite
N/A
4.2.3 Default configurations of loopback interface

N/A
4.2.4 Configuring IP address of loopback interface

Configure the IP address of the loopback interface for the ISCOM2600G series switch as
below.

2 Raisecom(config)#interface Enter loopback interface
loopback loopback-number configuration mode.
Example:
 loopback-number: loopback
loopback 0 interface ID, an integer, ranging
from 0 to 128
3 Raisecom(config-loopback*)#ip Configure the IP address of the
address ip-address [ ip-mask ] loopback interface.
[ sub ]
Example:
Raisecom(config-loopback0)#ip decimal notation
 ip-mask: IP subnet mask, in dotted
address 192.168.1.1
decimal notation
 sub: sub IP address

197
Raisecom

4 Raisecom(config-loopback*)#ipv6
Configure the IPv6 address of the
address ipv6-address link-local loopback interface.
Raisecom(config-loopback*)#ipv6 address with prefix length, such as
address ipv6-address/prefix- A:B::C:D/M
length [ eui-64 ]  eui-64: IPv6 local link address
Example:  ipv6-address: IPv6 address, in
Raisecom(config-loopback0)#ipv6 colon hexadecimal notation
address 1030:0::48AA:1A2B/60


1 Raisecom#show interface Show configurations of the loopback
loopback [ loopback-number ] interface.
4.3 Interface loopback

4.3.1 Introduction
Interface loopback (local loopback) refers to sending packets, which comply with user-
defined loopback rules and parameter requirements according to these rules, by the receiving
interface to the sending device at the peer end, thus checking communication of the network.
Interface loopback is executed without affecting services; in other words, packets that comply
with rules are looped back and concurrently forwarded or sent to the CPU.
As shown in Figure 4-2, the customer configures loopback rules on GE 1/1/1 on Switch A.
When packets sent by GE 1/1/2 on Switch B reaches GE 1/1/1 on Switch A, Switch A checks
whether these packets comply with current loopback rules.
 If yes, Switch A loops back these packets through its GE 1/1/1 to GE 1/1/2 on Switch B.
 If no, Switch A normally forwards them or sends them to the CPU.
The customer can check communication of the network by comparing packets sent by Switch
B with those received by switch B.

198
Raisecom
Figure 4-2 Interface loopback
Scenario
Interface loopback refers to sending packets, which comply with user-defined loopback rules
and parameter requirements according to these rules, by the receiving interface to the sending
device at the peer end, thus checking communication of the network.
Prerequisites
N/A
4.3.3 Default configurations of interface loopback

N/A
4.3.4 Configuring interface loopback

Configure interface loopback for the ISCOM2600G series switch as below.

Example:
 interface-number: interface ID,
gigaethernet 1/1/1
in the form of unit/slot/port. The
value range depends on the
interface type.

199
Raisecom

3 Raisecom(config- Configure interface loopback.
gigaethernet1/1/*)#loopback
external [ cvlan vlan-id [ cos
cos-value ] ] [ svlan vlan-id ranging from 1 to 4094
 cos-value: CoS priority, an
[ cos cos-value ] ] [ dmac mac-
address ] [ smac mac- integer, ranging from 0 to 7
address ][ swap smac mac-
address ] [ swap dmac-disable ] dotted decimal notation
Example:
Raisecom(config-
gigaethernet1/1/1)#loopback
external dmac 0001.0002.0003 smac
0005.0002.0001 swap smac
0002.0003.0004 swap dmac-disable


1 Raisecom#show loopback [ interface- Show configurations of
type interface-number ] interface loopback.
2 Raisecom#show loopback-statistics Show statistics on loopback
[ interface-type interface-number ] packets.
4.3.6 Maintenance
Command Description
Raisecom(config)#clear loopback- Clear statistics on loopback packets.
statistics [ interface-type
interface-number ]
Example:
Raisecom(config)#clear loopback- and value range depend on the interface
statistics type.
4.4 ARP
4.4.1 Introduction
In TCP/IP network environment, each host is assigned with a 32-bit IP address that is a logical
address used to identify hosts between networks. To transmit packets in physical link, you

200
Raisecom
must know the physical address of the destination host, which requires mapping the IP
address to the physical address. In Ethernet environment, the physical address is 48-bit MAC
address. The system has to transfer the 32-bit IP address of the destination host to the 48-bit
Ethernet address for transmitting packet to the destination host correctly. Then Address
Resolution Protocol (ARP) is applied to resolve IP address to MAC address and configure
mapping between IP address and MAC address.
The ARP address table contains the following two types:
 Static entry: bind the IP address and MAC address to avoid ARP dynamic learning
cheating.
− The static ARP address entry needs to be added/deleted manually.
− The static ARP address entry is not aged.
 Dynamic entry: MAC address automatically learned through ARP.
− This dynamic ARP address entry is automatically generated by switch. You can adjust
partial parameters of it manually.
− The dynamic ARP address entry will be aged after the aging time if not used.
The ISCOM2600G series switch supports the following two modes of dynamically learning
ARP address entries:
 Learn-all: in this mode, the ISCOM2600G series switch learns both ARP request packets
and response packets. When device A sends its ARP request, it writes mapping between
its IP address and physical address in ARP request packets. When device B receives ARP
request packets from device A, it learns the mapping in its address table. In this way,
device B will no longer send ARP request when sending packets to device A.
 learn-reply-only mode: in this mode, the ISCOM2600G series switch learns ARP
response packets with corresponding ARP request only sent by itself. For ARP request
packets from other devices, it responds with ARP response packets only rather than
learning ARP address mapping entry. In this way, network load is heavier but some
network attacks based on ARP request packets can be prevented.
Scenario
The mapping of IP address and MAC address is saved in the ARP address table.
Generally, the ARP address table is dynamically maintained by the ISCOM2600G series
switch. The ISCOM2600G series switch searches for the mapping between IP address and
MAC address automatically according to ARP. You just need to configure the ISCOM2600G
series switch manually for preventing ARP dynamic learning from cheating and adding static
ARP address entries.
Prerequisite
N/A
4.4.3 Default configurations of ARP

Default configurations of ARP are as below.

201
Raisecom

Static ARP entry N/A
Dynamic ARP entry learning mode learn-all
Aging time of dynamic ARP entries 1200s
Dynamic ARP entry learning on the interface Enable
Local proxy ARP Disable
Maximum number of dynamically learnt ARP entries 4096
Gratuitous ARP packet learning on the interface Enable
4.4.4 Configuring static ARP entries
 The IP address in static ARP entry must belong to the IP network segment of
Layer 3 interface on the switch.
 The static ARP entry needs to be added and deleted manually.
Configure static ARP entries for the ISCOM2600G series switch as below.

2 Raisecom(config)#arp ip- Configure static ARP entry.
address mac-address [ vid
 ip-address: IP address, in dotted decimal
vlan-id interface
interface-type interface- notation, such as 10.10.10.1
number ]
Example: hexadecimal notation, such as
Raisecom(config)#arp 000E.5E12.3456
192.168.27.26
000e.5e12.3456
4.4.5 Configuring dynamic ARP entries

Configure dynamic ARP entries for the ISCOM2600G series switch as below.


202
Raisecom

2 Raisecom(config)#arp Configure the aging time of dynamic ARP
mode { learn-all | entries.
learn-reply-only }
 learn-all: learn MAC addresses contained in the
Example:
Raisecom(config)#arp reply packets of all hosts.
 learn-reply-only: learn the MAC address
mode learn-all
contained in the reply packet from the requested
host.
3 Raisecom(config)#arp (Optional) configure the aging time of dynamic
aging-time time ARP entries.
Example:
 time: aging time, an integer, ranging from 60 to
Raisecom(config)#arp
aging-time 1500 2147483, in units of second
4 Raisecom(config)#arp (Optional) configure the maximum number of
max-learning-num dynamic ARP entries allowed to learn on the
number Layer 3 interface.
Example:
 number: maximum number, an integer, ranging
Raisecom(config)#arp
max-learning-num 100 from 1 to 4000
5 Raisecom(config)#inter Enter VLAN interface configuration mode.
face vlan vlan-id
Example:
Raisecom(config)#inter to 4094
face vlan 1
6 Raisecom(config- (Optional) configure dynamic ARP learning.
vlan*)#arp learning
 strict: strictly learn ARP entries.
[ strict ]{ enable |
 enable: enable dynamic ARP learning on the
disable }
Example: interface.
 disable: disable dynamic ARP learning on the
Raisecom(config-
vlan1)#arp learning interface.
disable
7 Raisecom(config- (Optional) configure gratuitous ARP packet
vlan*)#gratuitous-arp- learning.
learning { enable |
 enable: enable gratuitous ARP packet learning.
disable }
 disable: disable gratuitous ARP packet learning.
Example:
Raisecom(config-
vlan1)#gratuitous-arp-
learning disable
7 Raisecom(config- (Optional) configure the maximum number of
vlan*)#arp max- ARP entries allowed to be learnt on the Layer 3
learning-num number interface.
4.4.6 Configuring proxy ARP

Configure proxy ARP for the ISCOM2600G series switch as below.


203
Raisecom

vlan-id mode.
Example:
3 Raisecom(config-vlan*)#arp local- Enable local proxy ARP.
proxy { enable | disable }
 enable: enable local proxy ARP.
Example:
 disable: disable local proxy ARP.
Raisecom(config-vlan1)#arp local-
proxy enable


1 Raisecom#show arp [ ip-address | Show information about entries in the
interface vlan vlan-id [ valid ] ARP address table.
| static | valid ]
2 Raisecom#show arp local-proxy Show information about local proxy
[ interface vlan vlan-id ] ARP.
4.4.8 Maintenance
Command Description
Raisecom(config)#clear Clear all entries in the ARP address table.
arp[ ip-address | interface
 ip-address: IP address, in dotted decimal notation,
vlan vlan-id ]
Example: such as 10.10.10.1
Raisecom(config)#clear arp
4094
4.4.9 Example for configuring ARP
As shown in Figure 4-3, the ISCOM2600G series switch is connected to the host, and is also
connected to the upstream Router through GE 1/1/1. For the Router, the IP address and
submask are 192.168.1.10/24, and the MAC address is 0050-8d4b-fd1e.
To improve communication security between the Switch and Router, you need to configure
related static ARP entry on the ISCOM2600G series switch.

204
Raisecom
Figure 4-3 Configuring ARP networking
Configuration steps
Add a static ARP entry.
Raisecom#config
Raisecom(config)#arp 192.168.1.10 0050.8d4b.fd1e
Checking results
Use the show arp command to show configurations of the ARP address table.
Raisecom#show arp
ARP aging-time: 1200 seconds(default: 1200s)
ARP mode: Learn all
ARP table:
Total: 1 Static: 1 Dynamic: 0
IP Address Mac Address Interface vlan Type Age(s) status
-------------------------------------------------------------------------
192.168.1.10 0050.8D4B.FD1E vlan10 10 static -- PERMANENT

205
Raisecom
4.5 NDP
4.5.1 Introduction
Neighbor Discovery Protocol (NDP) is a neighbor discovery mechanism used on IPv6 devices
in the same link. It is used to discover neighbors, obtain MAC addresses of neighbors, and
maintain neighbor information.
NDP obtains data link layer addresses of neighbor devices in the same link, namely, MAC
address, through the Neighbor Solicitation (NS) message and Neighbor Advertisement (NA)
message.
Figure 4-4 Principles of NDP address resolution
As shown in Figure 4-4, take Switch A for example. Switch A obtains the data link layer
address of Switch B as below:
Step 1 Switch A sends a NS message in multicast mode. The source address of the NS message is the
IPv6 address of Layer 3 interface on Switch A, and the destination address of the NS message
is the multicast address of the requested node of the Switch B. The NS message even contains
the data link layer address of Switch A.
Step 2 After receiving the NS message, Switch B judges whether the destination address of the NS
message is the multicast address of the request node corresponding to the IPv6 address of
Switch B. If yes, Switch B can obtain the data link layer address of Switch A, and sends a NA
message which contains its data link layer address in unicast mode.
Step 3 After receiving the NA message from Switch B, Switch A obtains the data link layer address
of Switch B.
By sending ICMPv6 message, IPv6 NDP even has the following functions:
 Verify whether the neighbor is reachable.
 Detect duplicated addresses.
 Discover routers or prefix.
 Automatically configure addresses.
 Support redirection.
Scenario
IPv6 NDP not only implements IPv4 ARP, ICMP redirection, and ICMP device discovery, but
also supports detecting whether the neighbor is reachable.
206
Raisecom
Prerequisite
 Connect interfaces.
 Configure physical parameters to make interfaces Up at the physical layer.
 Configure the IPv6 address of the Layer 3 interface.
4.5.3 Default configurations of NDP

Default configurations of NDP are as below.

Times of sending NS messages for detecting duplicated addresses 1
Maximum number of NDPs allowed to learn 2048
Aging time of dynamic NDPs 1200s
4.5.4 Configuring static neighbor entries

To resolute the IPv6 address of a neighbor into the data link layer address, you can use the NS
message and NA message, or manually configure static neighbor entries.
Configure static neighbor entries for the ISCOM2600G series switch as below.

2 Raisecom(config)#ipv6 Configure static neighbor entries.
neighbor ipv6-address mac-
 ipv6-address: IPv6 unicast address, in
address
Example: colon hexadecimal notation
Raisecom(config)#ipv6
neighbor 2001::3 hexadecimal notation. It should not be a
000E.5E12.3456 multicast MAC address or an all-0
address.
4.5.5 Configuring aging time of dynamic NDPs

NDP entries are not permanently valid but valid for only a period. After the period expires, a
NDP entry will be deleted if it is not updated. The period is called the aging time.
Configure the aging time of dynamic NDPs for the ISCOM2600G series switch as below.


207
Raisecom

2 Raisecom(config)#ipv6 neighbor Configure the aging time of
aging-time time dynamic NDPs.
Example:
 Time: aging time, an integer,
Raisecom(config)#ipv6 neighbor
aging-time 1500 ranging from 60 to 2147483, in
units of second
4.5.6 Configuring times of sending NS messages for detecting

duplicated addresses
Configure times of sending NS messages for detecting duplicated addresses for the
ISCOM2600G series switch as below.

2 Raisecom(config)#ipv6 Configure times of sending NS messages for
nd dad attempts value detecting duplicated addresses.
Example:
 value: times for sending NS, an integer, ranging
nd dad attempts 5 from 0 to 600 where the value 0 means
forbidding checking whether the address is
occupied
When the ISCOM2600G series switch obtains an IPv6 address, it uses the duplicated
address detection function to determine whether the IPv6 address is already used by
another device. After sending NS messages for a specified times and receiving no
response, it determines that the IPv6 address is not duplicated and thus can be used.
4.5.7 Configuring maximum number of NDPs allowed to be learnt

Configure the maximum number of NDPs allowed to be learnt on the Layer 3 interface for the

2 Raisecom(config)#ipv6 Configure the maximum number of
neighbors max-learning-num NDPs allowed to be learnt on the Layer 3
number interface.
Example:
 number: maximum number of NDPs,
neighbors max-learning-num 4 an integer, ranging from 1 to 2000

208
Raisecom


1 Raisecom#show ipv6 Show all NDP neighbor information.
neighbors
2 Raisecom#show ipv6 Show neighbor information about a
neighbors ipv6-address specified IPv6 address.
neighbors vlan vlan-id specified layer 3 interface.
4 Raisecom#show ipv6 Show information about IPv6 static
neighbors static [ count ] neighbor.
neighbors interface-type specified interface.
interface-number
6 Raisecom#show ipv6 Show the number of dynamic IPv6
neighbors dynamic count neighbors.
7 Raisecom#show ipv6 Show the number of all IPv6 neighbors.
neighbors all count
8 Raisecom#show ipv6 Show ND information configured on the
interface nd [interface- interface.
type interface-number ]
9 Raisecom#show ipv6 Show the prefix of the IPv6 address.
interface prefix
[ interface-type interface-
number ]
4.5.9 Maintenance
Command Description
Raisecom(config)#clear ipv6 Clear information about all IPv6 neighbors.
neighbors
4.6 Static route

4.6.1 Introduction
A route is required for communication among different devices in one VLAN, or different
VLANs. The route is used to transmit packets through network to destination, which adopts
routing table for forwarding packets.

209
Raisecom
Default route
The default route is a special route that can be used only when there is no matched item in the
routing table. The default route appears as a route to network 0.0.0.0 (with mask 0.0.0.0) in
the routing table. You can show configurations of the default route by using the show ip route
command. If the ISCOM2600G series switch has not been configured with default route and
the destination IP of the packet is not in the routing table, the ISCOM2600G series switch will
discard the packet and return an ICMP packet to the Tx end to inform that the destination
address or network is unavailable.
Static route
A static route is the route configured manually, thus bringing low requirements on the system.
It is available to simple, small, and stable network. The disadvantage is that it cannot adapt to
network topology changes automatically and needs manual intervention.
Scenario
Configure the static route for simple network topology manually to establish an
intercommunication network.
Prerequisite
Configure the IP address of the VLAN interface correctly.
4.6.3 Configuring static route

Configure the static route for the ISCOM2600G series switch as below.


210
Raisecom

2 Raisecom(config)#ip Configure the IPv4 static route. The device
route ip-address ip- supports BFD. When the interface is Down,
mask { next-hop-ip- BFD becomes Down and the static route is
address [ interface- deleted. When the interface is Up, BFD
type interface-num ]| becomes Up and the static route is added to the
NULL 0 } [ distance routing table.
distance-num ]
 ip-address: destination IP address, in dotted
[ description
description-text ] decimal notation, such as 10.0.0.1
 ip-address/mask-length: destination IP
[ tag tag-id ] [ track
bfd-session session- address/mask length, such as 192.168.1.0/24.
id ] The mask length is an integer, ranging from 0
Raisecom(config)#ip to 32.
 ip-mask: mask length, in dotted decimal
route ip-address/mask-
length { next-hop-ip- notation, such as 255.255.255.255
 next-hop-ip-address: next-hop IP address, in
address | NULL 0 }
[ distance distance- dotted decimal notation, such as 10.0.0.1
num ] [ description
 interface-num: interface ID
description-text ]
 distance distance-num: administrative
[ tag tag-id ] [ track
bfd-session session- distance of static route. The distance is the
id ] administrative distance, which is an integer,
ranging from 1 to 255.
 Description description-text: description of
Example:
Raisecom(config)#ip the static route. The description is the
route 10.0.0.0 description, a string of 1 to 60 characters.
 tag-id: identification of static route. The tag-id
255.0.0.0 10.0.1.2
is the identification ID, an integer, ranging
from 1 to 4294967295.
 session-id: ID of the BFD session to be added
to the static route, an integer, ranging from 1

to 64
 NULL0: NULL interface
Raisecom(config)#ipv6 Configure the IPv6 static route.

route { ipv6-
 ipv6-address/prefix-length: IPv6 router prefix,
address/prefix-length |
ipv6-address/0 }{ next- in IPv6 address with prefix length, such as
hop-ipv6-address | NULL 1:123::0:1/96.
 ipv6-address/0: default IPv6 address, with
0 } [ distance
distance-num ] prefix of 0, such as 1:123::0:1/0
 ipv6-address: IPv6 address of next hop, such
[ description text ]
[ tag tag-id ] as 1:123::0:1
 distance-num: administrative distance of the
Example:
Raisecom(config)#ipv6 static route, an integer, ranging from 1 to 255.
route 1:123::1:1/96 When this parameter is not selected, use the ip
1:123::0:1 distance 100 route static distance command to configure
description route1 tag the default administrative distance.
 text: description of the static route. The
20
description is a string of 1 to 60 characters.
 tag-id: Tag of the static route. The tag-id is the
tag ID, an integer, ranging from 1 to

4294967295.
 NULL0: NULL interface

211
Raisecom

3 Raisecom(config)#ip (Optional) configure the default administrative
route static distance distance of the IPv4 static route.
distance-num
 Distance-num: administrative distance of the
Example:
Raisecom(config)#ip static route, an integer, ranging from 1 to 255
route static distance 2
Raisecom(config)#ipv6 (Optional) configure the default administrative
route static distance distance of the IPv6 static route.
distance-num
 Distance-num: administrative distance of the
Example:
Raisecom(config)#ipv6 static route, an integer, ranging from 1 to 255
route static distance 2
4 Raisecom(config)#ip (Optional) enable the recovery of static route
route linktrace recover association linktrace according to the Up status
enable of linktrace.
4.6.4 Configuring route mangement

Configure route management for the ISCOM2600G series switch as below.

2 Raisecom(config)#router Configure the router ID.
id router-id
Example: By default, it is 192.168.1.1.
Raisecom(config)#router  router-id: routing device ID, identifying a
id 192.168.1.2 router device, in dotted decimal notation,
such as 10.10.10.1. IP addresses starting
with 0 and 127, D type IP addresses, and E
type IP addresses are not allowed to be
configured.
3 Raisecom(config)#route Configure non-labeled public network routes
recursive-lookup tunnel to be recursive to a LSP tunnel.
[ ip-prefix list-name ]
 ip-prefix list-name: specify the IP prefix
Example:
Raisecom(config)#route names to limit the route ranges which will
recursive-lookup tunnel be iterated to tunnels. The list-name is a
string of 1 to 20 characters.

No. Item Description

1 Raisecom#show router id Show information about
IPv4 routes.

212
Raisecom
No. Item Description

2 Raisecom#show ip route protocol { static Show information about the
| connected | bgp | ospf | isis | rip } routing table.
[ detail ]
Raisecom#show ipv6 route [[ all ]
protocol { static | connected | bgp |
ospf | isis | rip } ] [ detail ]
3 Raisecom#show ip route ip-address1 Show information about
[ mask-address1 ] ip-address2 [ mask- routes between two IP
address2 ] [ detail ] addresses.
4 Raisecom#show { ip | ipv6 } route Show route statistics.
summary
5 Raisecom#show ip route ip-address Show information about a
[ mask-address ] [ longer-prefixes ] route to a destination.
6 Raisecom#show ip fib [ ip-address | Show information about
nexthop ip-address ] FIB entries.
Raisecom#show ipv6 fib [ ipv6-address |
nexthop ipv6-address ]
7 Raisecom#show ip fib summary Show statistics in the
Raisecom#show ipv6 fib summary routing table.
4.6.6 Example for configuring static route
Configure the static route to enable any two hosts or ISCOM2600G series switch devices
successfully to ping through each other, as shown in Figure 4-5.

213
Raisecom
Figure 4-5 Configuring static route
Configuration steps
Step 1 Configure the IP address of each device. Detailed configurations are omitted.
Step 2 Configure the static route on Switch A.
SwitchA#config
SwitchA(config)#ip route 10.1.1.0 255.255.255.0 10.1.2.4
SwitchA(config)#ip route 10.1.4.0 255.255.255.0 10.1.3.4
Step 3 Configure the default gateway on Switch B.
SwitchB#config
SwitchB(config)#ip route 0.0.0.0 0.0.0.0 10.1.2.3
Step 4 Configure the default gateway on Switch C.
SwitchC#config
SwitchC(config)#ip route 0.0.0.0 0.0.0.0 10.1.3.3

214
Raisecom
Step 5 Configure the default gateway of host A to 10.1.5.3. Detailed configurations are omitted.
Configure the default gateway of host B to 10.1.1.3. Detailed configurations are omitted.
Configure the default gateway of host C to 10.1.4.3. Detailed configurations are omitted.
Checking results
Use the ping command to check whether any two of all devices can ping through each other.
SwitchA#ping 10.1.1.3
Type CTRL+C to abort
Sending 5, 8-byte ICMP Echos to 10.1.1.3, timeout is 3 seconds:
---- PING Statistics----

5 packets transmitted, 5 packets received,
Success rate is 100 percent(5/5),
round-trip (ms) min/avg/max = 0/0/0.
4.7 Routing policy

4.7.1 Introduction
The routing policy is used to:
 Filter broadcasted, received, and imported routing information.
 Modify route attributes after match.
 Modify content of the routing table.
 Support special networking applications.
For example,
 A route needs to apply some policy when a routing device broadcasts or receivs routing
information so that it can filter routing information, such as receiving or broadcasting
routing information that matches certain conditions.
 Routing protocols, such as RIP and OSPF, need routing information discovered by other
routing protocols to rich their own routing information. Sometimes, they only need some
routing information that matches certain conditions, and configures the routing
information to meet their own requirements.
To implement a routing policy, define matching rules first, which are characteristics of
routing information targeted towards the routing policy. You can apply these rules to route
advertisement, receiving, importing, and so on. You can use different attributes of routing
information as matching rules, such as destination address, the address of the device that
advertises routing information.

215
Raisecom
Classification of matching rules

When configured with unicast routing policy, the Gazelle S1500i-LI supports matching with
the following modes.
 Access Control List (ACL)
An ACL can contain multiple matching rules, such as source address or destination address of
packets, and protocol port number. When the ACL is applied to a routing policy, only the IP
ACL with specified IP address and mask information is supported to match prefix information
of the router address.
 IP Prefix-list
The IP prefix list acts like the ACL, but is more flexible and easier to be understood. When
being applied to a routing policy, its matching target is the prefix of the route address.
The IP prefix list is identified by the name of the prefix list. Each prefix list can contain
multiple prefix list nodes, which are in OR relation to each other. Each node defines a
matching rule and is identified by a serial number (SN). Each entry (matching rule) can
independently specify a matching range of network prefix and is identified by an
identification number, which indicates the sequence for matching. Different tables of the same
node are in AND relation. During matching, the device matches each entry identified by SN
in the ascending order. Once an entry is matched, this matching process ends and no more
matching for next entry will be performed. If all nodes do not match, the packet will not be
filtered by matching rules.
 Route-Map
The routing map is a complex filter. Besides matching routing information, it can even change
attributes of routing information if permitted. When applied to a routing policy, its matching
target is routing information or some attributes of routing information, such as prefix, matrix
value, route mark, and route type. It can even use the ACL and IP prefix list to match routing
information.
A routing map consists of multiple nodes which are in OR relation to each other. During
matching, the device matches each node identified by SN in the ascending order. Once a node
is matched, this policy takes effect and no more matching for next node will be performed.
Each node of a routing map consists of a group of match and set sub-sentences.
– The match subsentence defines match rules and its matching object is some attributes
of routing information. Different match sub-sentences of the same node are in AND
relation. Only conditions specified by all match sub-sentences are met can the node
be matched.
– The set sub-sentence specifies the action. In other words, when routing information
matches the match sub-sentences of the node, some attributes of routing information
will be modified.
Modes for applying routing policy

A routing policy consists of multiple nodes. Each node is a unit for matching check. During
matching, the device matches each node identified by SN in the ascending order. Different
nodes are in OR relation. Once a node is matched, this policy takes effect and no more
matching for next node will be performed.
A routing policy is applied in the following two modes:

216
Raisecom
 When a routing protocol uses routes discovered by other routing protocols, it can apply a
routing policy to use the routing information that meets specified conditions.
 When a routing protocol advertises or receives routes discovered by it, it can apply a
routing policy to filter routing information so that it receives or advertises route
information meeting specified conditions.
Scenario
The routing policy can control the advertisement, receiving, and importing of routing
information and modify attributes of the route that complies with the routing policy.
To implement the routing policy, define its route characteristics, which contain a group of
matching rules and configuration rules. Then apply these rules to the advertisement, receiving,
and importing of RIP and OSPF routing information.
Prerequisite
N/A
4.7.3 Default configurations of routing policy

Default configurations of the unicast routing policy are as below:

Address prefix list Not configured
Route mapping table Not configured
4.7.4 Configuring IP prefix list

Configure the IP prefix list for the ISCOM2600G series switch as below.

2 Raisecom(config)#ip Create an IP prefix list or add a node to the IP
prefix-list prefix-name prefix list.
[ seq seq-number ]
{ deny | permit } any If no prefix list ID (seq-number) is configured,

217
Raisecom

Raisecom(config)#ip the system will generate a prefix list ID
prefix-list prefix-name automatically. The generated pre-fix list ID has 5
[ seq seq-number ] digits.
{ deny | permit } ip-  prefix-name: name of the prefix list, a string of
address/mask [ ge min- 1 to 20 characters
length ] [ le max-  seq seq-number: sequence of the prefix list. The
length ] seq-number is an integer, ranging from 1 to
Example: 4294967295.
Raisecom(config)#ip  deny: deny the access to the route that matches
prefix-list pre1 seq 2 conditions.
permit 172.16.0.0/16  permit: permit the access to the route that
matches conditions.
 any: match any IP address.
 ip-address: matching IP address, in dotted

 mask: length of the mask of the matching IP
address, an integer, ranging from 1 to 32

 ge min-length: minimum length of the mask of
the matching IP address. The min-length is an

integer, ranging from 0 to 32.
 le max-length: maximum length of the mask of
the matching IP address. The max-length is an

3 Raisecom(config)#ip Configure the description of the IP prefix list.
prefix-list prefix-name
description string
If the length of descriptions exceeds 80
Example: characters, the configuration will not take effect.
Raisecom(config)#ip  prefix-name: name of the prefix list, a string of
prefix-list pre01 characters
description test  string: description, a string of 1 to 80
characters. If the description contains spaces,

use quotation marks to embrace it.

218
Raisecom

4 Raisecom(config)#ipv6 Create an IPv6 prefix list, or add a node to it.
 prefix-name: name of the prefix list, a string of
[ seq seq-number ]
{ deny | permit } any 1 to 20 characters
 seq seq-number: sequence of the prefix list. The
prefix-list prefix-name seq-number is an integer, ranging from 1 to
seq seq-number { deny | 4294967295.
 deny: deny the access to the route that matches
permit } ipv6-
address/mask [ ge min- conditions.
 permit: permit the access to the route that
length ] [ le max-
length ] matches conditions.
Example:
 Ipv6-address: matching IPv6 address, in colon
prefix-list pre1 seq 2 hexadecimal notation, such as 3001::1
 mask: length of the mask of the matching IPv6
permit 3FFE::2/128
address, an integer
 ge min-length: minimum length of the mask of
the matching IPv6 address. The min-length is

an integer, ranging from 0 to 128.
 le max-length: maximum length of the mask of
the matching IPv6 address. The max-length is

an integer, ranging from 0 to 128.
5 Raisecom(config)#ipv6 Configure the description of the IPv6 prefix list.
 prefix-name: name of the prefix list, a string of
description string
Example: characters
 string: description, a string of 1 to 80
prefix-list pre01 characters. If the description contains spaces,
description test use quotation marks to embrace it.
 If one record is the permit type, all mismatched routes are the deny type by
default. Only matched routes can pass filtering of the IP prefix list.
 If one record is the deny type, all mismatched routes are the deny type by default.
Even matched routes cannot pass filtering of the IP prefix list. Therefore, you need
to add a permit record after multiple deny records to allow other routes to pass.
 If there are multiple records in the IP prefix list, there must be a record of the
permit type.
4.7.5 Configuring routing table

Configure the routing table for the ISCOM2600G series switch as below.


219
Raisecom

2 Raisecom(config)#route-map Create a routing table, and enter route
map-name { permit | deny } mapping configuration mode.
number
 map-name: name of the routing table, a
Example:
Raisecom(config)#route-map string of 1 to 20 characters
 permit: permit the access to the route that
map1 permit 1
matches conditions.
 deny: deny the access to the route that
matches conditions.
 number: number of the node in the routing
table, an integer, ranging from 1 to 65535

3 Raisecom(config-route- (Optional) configure the description of the
map)#description string routing table.
Example:
Raisecom(config-route-
map)#description test characters. If the description contains
spaces, use quotation marks to embrace it.
4 Raisecom(config-route- (Optional) configure the on-match clause to
map)#on-match next continue to match at the next node.
By default, the process is finished after
matching.
5 Raisecom(config-route- (Optional) configure the on-match clause to
map)#on-match goto number continue to match at some node.
Example:
Raisecom(config-route- By default, the process is finished after
map)#on-match goto 10 matching.
 number: number of the node in the routing
table, an integer, ranging from 1 to 65535
6 Raisecom(config-route- (Optional) continue to match routes by
map)#call map-name scheduling other routing table after matching
Example: the route.
map)#call map2 By default, the process is finished after
matching.
 map-name: name of the routing table, a
7 Raisecom(config-route- (Optional) configure the match clause to
map)#match ip next-hop match the next hop based on extended IP
acl-number ACL.
Example:
 acl-number: advanced IP ACL number, an
map)#match ip next-hop integer, ranging from 2000 to 2999
2982
map)#match ip next-hop match the next hop based on IP prefix list.
 prefix-name: name of the prefix list, a
Example:
Raisecom(config-route- string of 1 to 20 characters
map)#match ip next-hop
prefix-list pre01

220
Raisecom

map)#match ip address matching the IP address based on extended
acl-number IP ACL.
Example:
 acl-number: advanced IP ACL number, an
map)#match ip address 2002 integer, ranging from 2000 to 2999
map)#match ip address matching the IP address based on IP prefix
prefix-list prefix-name list.
Example:
 prefix-name: name of the prefix list, a
map)#match ip address string of 1 to 20 characters
prefix-list pre02
map)#match interface name matching the interface name.
Example:
 name: interface name, a string of characters
map)#match interface port1
12 Raisecom(config-route- (Optional) configure the match clause to the
map)#match metric metric- matching rule that is based on route metric
value value.
Example:
 metric-value: route metric, an integer,
map)#match metric 1000 ranging from 4294967295
map)#match tag tag-id matching rule that is based on Tag field of
Example: the route tagging.
 tag-id: route Tag value, an integer, ranging
map)#match tag 5
from 1 to 4294967295
map)#set metric [ + | - ] BGP routing information matching rule that
metric-value is based on prefix list matching with source
Example: address of the route.
 metric-value: route metric, an integer,
map)#set metric 20
ranging from 4294967295
 +: increase the route metric.
 -: decrease the route metric.
15 Raisecom(config-route- (Optional) configure the set clause to

map)#set metric-type modifying the route metric value after
{ type-1 | type-2 } matching.
Example:
 type-1: OSPF external metric type 1
 type-2: OSPF external metric type 2
map)#set metric-type type-
1
map)#set src ip-address modifying the route metric type after
Example: matching.
map)#set src 172.16.20.1

221
Raisecom

map)#set ip next-hop ip- modifying the source IP address after
address matching.
Example:
map)#set ip next-hop notation, such as 10.10.10.1
172.16.20.3
map)#set tag tag-id modifying the next-hop IP address of the
Example: route after matching.
 tag-id: route Tag value, an integer, ranging
map)#set tag 10
from 1 to 4294967295


1 Raisecom#show ip prefix-list [ prefix-name ] Show information
[ seq seq-number ] about the IP prefix
Raisecom#show ip prefix-list prefix-name ip- list.
address/mask { longer | first-match }
2 Raisecom#show ip prefix-list [ summary Show summary of
prefix-name ] the IP prefix list.
3 Raisecom#show ip prefix-list detail [ prefix- Show statistics on
name ] the IP prefix list.
4 Raisecom#show ipv6 prefix-list [ prefix- Show information
name ] [ seq seq-number ] about the IPv6
Raisecom#show ipv6 prefix-list prefix-name prefix list.
ipv6-address/mask { longer | first-match }
5 Raisecom#show ipv6 prefix-list summary Show summary of
[ prefix-name ] the IPv6 prefix list.
6 Raisecom#show ipv6 prefix-list detail Show statistics on
[ prefix-name ] the IPv6 prefix list.
7 Raisecom#show route-map [ map-name ] Show
configurations of
the routing table.
4.7.7 Maintenance

222
Raisecom
Command Description
Rasiecom#clear ip Clear information about all IPv6 neighbors.
prefix-list [ prefix-
 prefix-name: name of the prefix list, a string of 1 to 20
name [ ip-
address/mask ] ] characters
 ip-address: matching IP address, in dotted decimal
Example:
Rasiecom#clear ip notation, such as 10.10.10.1
 mask: length of the mask of the matching IP address,
prefix-list
Rasiecom#clear ipv6 Clear statistics on the IPv6 prefix list.
prefix-list [ prefix-
 prefix-name: name of the prefix list, a string of 1 to 20
name [ ipv6-
address/mask ] ] characters
 ipv6-address: matching IPv6 address, in colon
Example:
Rasiecom#clear ipv6 hexadecimal notation, such as 3001::1
 mask: length of the mask of the matching IPv6
prefix-list
address, an integer

223
Raisecom
ISCOM2600G (A) Series Configuration Guide (CLI) 5 PoE
5 PoE
This chapter describes basic principles and configuration procedures of PoE, and provides
related configuration examples, including the following sections:
 Introduction
 Configuring PoE
 Configuring Smart PoE
 Example for configuring PoE power supply
This chapter is supported by PoE switches only. PoE switches support uninterrupted
power supply during hot restart. Save running configurations before restart, otherwise
PoE parameters will be restored to default values and thus power supply will fail to
meet requirements.
5.1 Introduction
5.1.1 Principles of PoE
Power over Ethernet (PoE) means that the Power Sourcing Equipment (PSE) both supplies
power and transmits data to the remote Power Device (PD) through the Ethernet cable and
Power Interface (PI).
Figure 5-1 shows principles of PoE.

224
Raisecom
Figure 5-1 Principles of PoE
5.1.2 PoE modules

The PoE system consists of the following modules:
 PSE: consist of the power module and PSE functional module. The PSE can detect PDs,
obtain PD power information, remotely supply power, monitor power supply, and power
off PDs.
 PD: supplied with power by the PSE. There are standard PDs and non-standard PDs.
Standard PDs must comply with IEEE 802.3af or IEEE 802.3at, such as the IP phone and
web camera.
 PI: the interface connecting the PSE/PD to the Ethernet cable, namely, the RJ45 interface
5.1.3 PoE advantages

PoE has the following advantages:
 Reliability: a centralized PSE supplies power with convenient backup, uniform
management of power modules, and high security.
 Convenient connection: the network terminal does not need an external power supply;
instead, it needs only one Ethernet cable connected to the PoE interface.
 Standardization: PoE complies with IEEE 802.3at and uses globally uniform power
interface.
 Wide applications: applicable to IP phones, wireless Access Point (AP), portable device
charger, credit card reader, web camera, and data collection system.
5.1.4 PoE concepts

 Maximum output power of PoE
It is the maximum output power output by the interface to the connected PD.
 Priority of PoE
There are three levels of priorities for power supply: critical, high, and low. The PSE supplies
power to the PD connected to the PI with critical priority preferentially, the PD connected to
the PI with the high priority, and finally the PD connected to the PI with the low priority.
 Overtemperature protection

225
Raisecom
When the current temperature exceeds the overtemperature threshold, overtemperature alarms
occur and the system sends Trap to the Network Management System (NMS).
 Global Trap
When the current temperature exceeds the overtemperature threshold, the current PSE power
utilization rate exceeds the threshold, or the status of PoE changes, the ISCOM2600G series
switch sends Trap to the NMS.
 PSE power utilization rate threshold
When the PSE power utilization rate exceeds the threshold for the first time, the system sends
Trap.
5.1.5 Smart PoE

Compared with common PoE, Smart PoE supports smarter device management features as
below:
 Support PD active detection to detect whether PDs are active.
 Support PoE scheduling to periodically restart PDs.
 Support PoE scheduling to supply power in the specified period.
 Support monitoring status, including PoE status, power, current, voltage, and Trap
sending status.
Through linktrace, PD Active check monitors in realtime whether PDs are active. It will
generate an alarm or restart the PoE interface according to configured action if a PD fails to
respond.
PoE scheduling enables a PoE interface to supply power in the specified period to save power
and money for the enterprise, or restarts the PoE interface at a specified interval to minimize
possibility of PD damage or buffer overflowing.
A PoE scheduling profile is a set of configurations. If you apply the PoE scheduling profile to
multiple PoE interfaces, these PoE interfaces will have the same PoE features. If a PoE
interface needs to be replaced, apply the PoE scheduling profile, which was applied to the
original PoE interface, to the new PoE interface, without configuring the new PoE interface
parameter by parameter. In this way, the network management staff can easily configure PoE.
The ISCOM2600G series switch supports multiple PoE scheduling profiles. Save different
PoE configurations for different PDs in different PoE scheduling profiles, and apply the
corresponding PoE scheduling profile on the PoE interface. By configuring PoE scheduling,
you can specify PoE parameters on the PoE interface, such as the start time and restart
interval, to enable the ISCOM2600G series switch to intelligently supply power and to control
when to shut down the PoE interface.
5.2 Configuring PoE

Scenario
When the remotely connected PE is inconvenient to take power, it needs to take power from
the Ethernet electrical interface to concurrently transmit power and data.

226
Raisecom
Prerequisite
N/A
5.2.2 Default configurations of PoE

Default configurations of PoE are as below.

PI PoE status Enable
Non-standard PD identification Enable
Maximum output power of PoE 30000 mW
Power supply management mode Auto
PoE priority Low
Overtemperature protection status Enable
Power supply global Trap switch status Enable
PSE power utilization rate threshold 100%
5.2.3 Enabling interface PoE

Enable interface PoE for the ISCOM2600G series switch as below:

Example:
gigaethernet 1/1/1
3 Raisecom(config- Enable or disable interface PoE.
gigaethernet1/1/*)#poe
 enable: enable interface PoE.
 disable: disable interface PoE.
Example:
Raisecom(config-
gigaethernet1/1/1)#poe enable
5.2.4 Configuring maximum output power of PoE

Configure the maximum output power of PoE for the ISCOM2600G series switch as below:


227
Raisecom

Example:
gigaethernet 1/1/1
3 Raisecom(config- Configure the maximum output
gigaethernet1/1/*)#poe max-power power of PoE.
max-power-value
 max-power-value: maximum
Example:
Raisecom(config- output power, an integer,
gigaethernet1/1/1)#poe max-power ranging from 4000 to 30000, in
6050 units of mW
5.2.5 Configuring maximum output power of device

Configure the maximum output power of the device for the ISCOM2600G series switch as
below:

2 Raisecom(config)#poe pse max- Configure the maximum output
power max-power-value power of the device.
Example:
 max-power-value: maximum
Raisecom(config)#poe pse max-
power 300 output power of the device, an
integer, ranging from 0 to 600,
in units of W
5.2.6 Configuring priority of PoE

Configure the priority of PoE for the ISCOM2600G series switch as below.

Example:
gigaethernet 1/1/1
3 Raisecom(config- Configure the priority of PoE.
gigaethernet1/1/*)#poe priority
 critical: critical priority
{ critical | high | low }
 high: high priority
Example:
 low: low priority
Raisecom(config-
gigaethernet1/1/1)#poe priority
high

228
Raisecom
5.2.7 Configuring PSE power utilization rate threshold

Configure the PSE power utilization rate threshold for the ISCOM2600G series switch as
below.

2 Raisecom(config)#poe pse power- Configure the PSE power
threshold percent utilization rate threshold.
Example:
 percent: threshold ratio, an
Raisecom(config)#poe pse power-
thredshold 60 integer, ranging from 1 to 100,
indicating 1% to 100%
5.2.8 Configuring identification of non-standard PDs
To use other non-standard PD, confirm its power consumption, voltage, and current
in advance to properly configure the maximum output power on the PSE and to avoid
damaging the PD due to too high output power.
Configure identification of non-standard PDs for the ISCOM2600G series switch as below.

2 Raisecom(config)#poe Enable or disable the PSE to identify non-standard
legacy { enable | PDs.
disable }
 enable: enable the PSE to identify the non-
Example:
Raisecom(config)#poe standard PD.
 disable: disable the PSE to identify the non-
legacy enable
standard PD.
5.2.9 Enabling forcible power supply on interface
When using the ISCOM2600G series switch to supply power for a remote PD, we
recommend using a standard PD, pre-standard PD, or Cisco-primate standard PD.
To use other non-standard PD in forcible power supply mode, confirm its power
consumption, voltage, and current in advance to properly set the maximum output
power on the PSE and to avoid damaging the PD due to too high output power.
Enable forcible power supply on interfaces for the ISCOM2600G series switch as below.


229
Raisecom

Example:
gigaethernet 1/1/1
3 Raisecom(config- Enable forcible PoE power supply
gigaethernet1/1/*)#poe force-power on the interface.
5.2.10 Enabling overtemperature protection

Enable overtemperature protection for the ISCOM2600G series switch as below.

2 Raisecom(config)#poe Enable or disable overtemperature
temperature-protection { enable protection.
| disable }
 enable: enable overtemperature
Example:
Raisecom(config)#poe protection.
 disable: disable overtemperature
temperature-protection enable
protection.
5.2.11 Enabling global Trap

Enable global Trap for the ISCOM2600G series switch as below.

2 Raisecom(config)#poe pse trap Enable or disable global Trap.
 enable: enable global Trap
Example:
 disable: disable global Trap
Raisecom(config)#poe pse trap
enable


1 Raisecom#show poe interface Show power supply status on specified
interface-type interface- interfaces.
number [ detail ]
2 Raisecom#show poe pse Show PSE configurations and realtime
[ detail ] operating information.

230
Raisecom
5.3 Configuring Smart PoE

Scenario
Through linktrace, PD Active check monitors in realtime whether PDs are active. It will
generate an alarm or restart the PoE interface according to configured action if a PD fails to
respond. You can configure the PoE interface and PD linktrace on this page.
As shown in Figure 5-2, by configuring PD Active check, you can monitor PD active status
through realtime ping operations. When a PD fails to respond, the PoE switch will restart the
corresponding PoE interface to resume the PD. PD Active check can improve reliability of
PoE power supply and lower cost on device management.
Figure 5-2 PD Active check
PoE scheduling enables a PoE interface to supply power in the specified period to save power
and money for the enterprise, or restarts the PoE interface at a specified interval to minimize
possibility of PD damage or buffer overflow.
Prerequisite
N/A
5.3.2 Default configurations of PoE

Default configurations of PoE are as below.

PD Active check Enable
PD check action N/A
Restart interval N/A

231
Raisecom
5.3.3 Configuring PD active check

Configure PD active check for the ISCOM2600G series switch as below.

Example:
gigaethernet 1/1/1
3 Raisecom(config- Configuring the action for PD
gigaethernet1/1/*)#poe alive active check.
action { reboot | reboot-alarm |
 reboot: reboot the device.
alarm }
 reboot-alarm: reboot the device
Example:
Raisecom(config- and send an alarm.
 alarm: send an alarm.
gigaethernet1/1/1)#poe alive
action reboot
4 Raisecom(config- Configure the restart interval.
gigaethernet1/1/*)#poe reboot
 period: PD check reboot
interval period
Example: interval, an integer, ranging
Raisecom(config- from 30 to 300, in units of
gigaethernet1/1/1)#poe reboot second
interval 100
Before configuring linktrace for PD active check, create a linktrace of the

corresponding PD, and then bind the PoE interface with the linktrace ID.
5.3.4 Configuring PoE interface to stop supplying power

Configure the period for the PoE interface to stop supplying power, thus saving energy.
Configure PD active check for the ISCOM2600G series switch as below.


232
Raisecom

2 Raisecom(config)#time-range Create a period. Use the no form of
time-range-name start-time to this command to delete the
end-time { weekday-list | mon | configuration.
tue | wed | thu | fri | sta |
sun | off-day | working-day |
daily } [ from start-time
start-day [ to end-time end-
day ] | to end-time end-day ]
Raisecom(config)#time-range
time-range-name { from start-
time start-day [ to end-time
end-day ] | to end-time end-
day }
interface-type interface-number mode.
4 Raisecom(config- Configure the period for the PoE
gigaethernet1/1/*)#poe power- interface to stop supplying power.
off time-range time-range-name Use the no form of this command to
delete the configuration.


1 Raisecom#show poe interface Show the power supply status of the
interface-type interface-number specified PoE interface.
[ detail ]
5.4 Example for configuring PoE power supply

As shown in Figure 5-3, both Switch B and Switch C connect Switch A to the WAN, and PoE-
supportive Switch A is used to supply power to an IP phone and a monitor camera. Switch A
is required to supply power to the monitor camera preferentially when it runs at full load.
Detailed requirements are as below:
 Configure the maximum output power of GE 1/1/1 and GE 1/1/2 to 30000 mW.
 Enable overtemperature protection on Switch A.
 Enable Trap for power supply on Switch A.
 Configure the priorities of GE 1/1/2 and GE 1/1/1 to high and low respectively.
Figure 5-3 PoE switch power supply networking

233
Raisecom
Configuration steps
Step 1 Enable PoE on GE 1/1/1 and GE 1/1/2.
Raisecom#config
Raisecom(config-gigaethernet1/1/1)#poe enable
Raisecom(config-gigaethernet1/1/2)#poe enable
Step 2 Configure the maximum output power of GE 1/1/1 and GE 1/1/2 to 30000 mW.

Raisecom(config-gigaethernet1/1/1)#poe max-power 30000
Raisecom(config-gigaethernet1/1/2)#poe max-power 30000
Step 3 Enable overtemperature protection.
Raisecom(config)#poe temperature-protection enable

234
Raisecom
Step 4 Enable global Trap.
Raisecom(config)#poe pse trap enable
Step 5 Configure priorities of GE 1/1/2 and GE 1/1/1 to high and low respectively.

Raisecom(config-gigaethernet1/1/2)#poe priority high
Raisecom(config-gigaethernet1/1/1)#poe priority low
Checking results
Use the show poe interface gigaethernet 1/1/1 detail and show interface poe gigaethernet
1/1/2 detail commands to show PoE configurations on GE 1/1/2 and GE 1/1/1.
Raisecom#show poe interface gigaethernet 1/1/1 detail

Port: gigaethernet1/1/1
-------------------------------------------------
POE administrator status: Enable
POE force-power status: Disable
POE operation status: Enable
POE actual running status: Enable
POE power-off time-range:
POE PD check status: Enable
POE PD fail action: N/A
POE PD fail reboot interval :30(s)
POE PD linktrace : 1
POE PD status : N/A
Power detection status:Searching
POE Power Pairs mode:Signal
PD power classification:Class0
POE power Priority:Low
POE power max:30000 (mW)
POE power output:0 (mW)
POE power average:0 (mW)
POE power peak:0 (mW)
POE current output:0 (mA)
POE voltage output:0 (mV)
Raisecom#show poe interface gigaethernet 1/1/2 detail

Port: gigaethernet1/1/2
-------------------------------------------------
POE administrator status: Enable
POE force-power status: Disable
POE operation status: Enable
POE actual running status: Enable

235
Raisecom
POE power-off time-range:

POE PD check status: Enable
POE PD fail action: N/A
POE PD fail reboot interval :30(s)
POE PD linktrace : 0
POE PD status : N/A
Power detection status:Searching
POE Power Pairs mode:Signal
PD power classification:Class0
POE power Priority:High
POE power max:30000 (mW)
POE power output:0 (mW)
POE power average:0 (mW)
POE power peak:0 (mW)
POE current output:0 (mA)
POE voltage output:0 (mW)

236
Raisecom
ISCOM2600G (A) Series Configuration Guide (CLI) 6 DHCP
6 DHCP
This chapter describes basic principles and configurations procedures of DHCP, and providing
 DHCP Client
 Zero-configuration
 DHCP Snooping
 DHCP Options
 DHCP Server
 DHCP Relay
6.1 DHCP Client

6.1.1 Introduction
Dynamic Host Configuration Protocol (DHCP) refers to the protocol which assigns
configurations, such as the IP address, to users on the TCP/IP network. Based on BOOTP
(Bootstrap Protocol) protocol, it has additional features, such as automatically assigning
available network addresses, reusing network addresses, and other extended configuration
features.
With the enlargement of network scale and development of network complexity, the number
of PCs on a network usually exceeds the maximum number of distributable IP addresses.
Meanwhile, the widely use of laptops and wireless networks lead to frequent changes of
locations and also related IP addresses must be updated frequently. As a result, network
configurations become more and more complex. DHCP is developed to solve these problems.
DHCP adopts client/server communication mode. A client applies for configurations to the
server (including the IP address, subnet mask, and default gateway), and the server replies
with IP address to the client and other related configurations to implement dynamic
configurations.
Typical applications of DHCP usually include a set of DHCP server and multiple clients (such
as the PC or laptop), as shown in Figure 6-1.

237
Raisecom
Figure 6-1 DHCP typical networking
DHCP ensures rational allocation, avoid waste, and improve the utilization rate of IP
addresses on the entire network.
Figure 6-2 shows the structure of a DHCP packet. The DHCP packet is encapsulated in a UDP
data packet.
Figure 6-2 Structure of DHCP packet
Table 6-1 describes fields of DHCP packets.
Table 6-1 Fields of a DHCP packet

Field Length Description
OP 1 Packet type
 1: a request packet
 2: a reply packet
Hardware type 1 Hardware address type of a DHCP client
Hardware length 1 Hardware address size of a DHCP client
Hops 1 Number of DHCP hops passed by a DHCP packet
This field increases by 1 every time the DHCP request
packet passes a DHCP hop.

238
Raisecom

Transaction ID 4 The client chooses a number at random when starting a
request, used to mark process of address request.
Seconds 2 Passing time for the DHCP client after starting DHCP
request. It is unused now, fixed as 0.
Flags 2 Bit 1 is the broadcast reply flag, used to mark whether
the DHCP server replies packets in unicast or broadcast
mode.
 0: unicast
 1: broadcast
Other bits are reserved.
Client IP address 4 DHCP client IP address, only filled when the client is in
bound, updated or re-bind status, used to reply ARP
request.
Your (client) IP 4 IP address of the client distributed by the DHCP server
address
Server IP 4 IP address of the DHCP server
address
Relay agent IP 4 IP address of the first DHCP hop after the DHCP client
address sends request packets.
Client hardware 16 Hardware address of the DHCP client
address
Server host name 64 Name of the DHCP server
File 128 Name of the startup configuration file of the DHCP
client and path assigned by the DHCP server
Options Modifiable A modifiable option field, including packet type,
available lease period, IP address of the DNS server,
and IP address of the WINS server
The ISCOM2600G series switch can be used as a DHCP client to obtain the IP address from
the DHCP server for future management, as shown in Figure 6-3.

239
Raisecom
Figure 6-3 DHCP Client networking
Scenario
As a DHCP client, the ISCOM2600G series switch obtains the IP address from the DHCP
server.
The IP address assigned by the DHCP client is limited with a certain lease period when
adopting dynamic assignment of IP addresses. The DHCP server will take back the IP address
when it is expired. The DHCP client has to renew the IP address for continuous use. The
DHCP client can release the IP address if it does not want to use the IP address before
expiration.
We recommend configuring the number of DHCP relay devices smaller than 4 if the DHCP
client needs to obtain IP address from the DHCP server through multiple DHCP relay devices.
Prerequisite
 Create VLANs
 DHCP Snooping is disabled.
 FE 1/0/1 supports obtaining the IP address through DHCP or zero-configuration.
6.1.3 Default configurations of DHCP Client

Default configurations of DHCP Client are as below.

hostname Raisecom
class-id Raisecom-ROS
client-id Raisecom-SYSMAC-IF0

240
Raisecom
6.1.4 Configuring DHCP Client

Before a DHCP client applies for an IP address, you must create a VLAN. Meanwhile you
must configure the DHCP server, otherwise the interface will fail to obtain the IP address
through DHCP.
 By default, the ISCOM2600G series switch is enabled with DHCP Client. Use the
no ip address dhcp command to disable DHCP Client.
 If the ISCOM2600G series switch obtains the IP address from the DHCP server
through DHCP previously, it will restart the application process for IP address if
you use the ip address dhcp command to modify the IP address of the DHCP
server.
Configure DHCP Client for the ISCOM2600G series switch as below.

2 Raisecom(config)#ip dhcp Configure the working mode of the DHCP
client mode normal client to normal client mode.
By default, the zero-configuration mode is

enabled. To configure DHCP Client, switch the
working mode to normal client mode first; in
other words, disable zero-configuration.
3 Raisecom(config)#interfa Enter VLAN interface configuration mode.
ce vlan vlan-id
 vlan-id: VLAN ID, an integer, ranging from
Example:
Raisecom(config)#interfa 1 to 4094
ce vlan 1
4 Raisecom(config- (Optional) configure DHCP client information,
vlan*)#ip dhcp client including the type identifier, client identifier,
{ class-id class-id | and host name.
client-id client-id |
 host-name: host name, a string of 1 to 64
hostname host-name }
Example: characters
 class-id: class-ID, a string of 1 to 64
Raisecom(config-
vlan1)#ip dhcp client characters
 client-id: client-ID, a string of 1 to 64
hostname myhost
characters
After the IP address is obtained by a

DHCP client, client information cannot be
modified.

241
Raisecom

5 Raisecom(config- Configure the DHCP client to obtain IP
vlan*)#ip address dhcp address through DHCP.
[ server-ip ip-address ]
 server-ip: IP address of the specified DHCP
Raisecom(config-
vlan1)#ip address dhcp server. Only the specified server assigns IP
server-ip 10.0.0.1 address if the parameter is configured.

6 Raisecom(config- (Optional) renew the IP address.
vlan*)#ip dhcp client
renew If the Layer 3 interface of the DHCP client has
obtained an IP address through DHCP, the IP
address will automatically be renewed when
the lease period expires.
7 Raisecom(config- (Optional) release the IP address.
vlan*)#no ip address
dhcp
6.1.5 Configuring DHCPv6 Client

Configure the DHCPv6 client for the ISCOM2600 series switch as below.

2 Raisecom(config)#in Enter VLAN interface configuration mode.
terface vlan vlan-
id
Example: 4094
Raisecom(config)#in
terface vlan 1
3 Raisecom(config- Configure applying for IPv6 address through
vlan*)#ipv6 address DHCPv6.
dhcp [ server-ip
ipv6-address ] If the ISCOM2600G series switch has obtained an IP
Example: address from the DHCP server through DHCPv6
Raisecom(config- before, it will restart the application process for the IP
vlan1)#ipv6 address address if you use the command to modify the IPv6
dhcp server-ip address of the DHCP server.
2000::3  server-ip: IP address of the specified DHCP server.
Only the specified server assigns IP addresses if the
parameter is configured.
 ipv6-address: ipv6 address, in colon hexadecimal
notation, such as 3001::1

4 Raisecom(config- (Optional) renew the IPv6 address.
vlan*)#ipv6 dhcp
client renew
If the Layer 3 interface on the ISCOM2600G series
switch has obtained an IP address through DHCP, the
IPv6 address will automatically be renewed when the
lease period expires.

242
Raisecom

5 Raisecom(config- (Optional) enable DHCPv6 Client to apply for rapid
vlan*)#ipv6 dhcp interaction.
client rapid-commit


1 Raisecom#show ip dhcp client Show configurations of DHCP
[ fastethernet 1/0/1 | vlan vlan-id ] Client.
2 Raisecom#show ipv6 dhcp client Show configurations of
[ interface { interface-type DHCPv6 Client.
interface-number | vlan vlan-id } ]
6.1.7 Example for configuring DHCP Client
As shown in Figure 6-4, the Switch is used as a DHCP client, and the host name is raisecom.
The Switch is connected to the DHCP server and NMS. The DHCP server should assign IP
addresses to the SNMP interface on the Switch and make NMS manage the Switch.
Figure 6-4 DHCP Client networking
Configuration steps
Step 1 Configure the DHCP client.
Raisecom#config
Raisecom(config-vlan1)#ip dhcp client hostname raisecom

243
Raisecom
Step 2 Configure the function of applying for IP addresses through DHCP.
Raisecom(config-vlan1)#ip address dhcp server-ip 192.168.1.1
Checking results
Use the show ip dhcp client command to show configurations of DHCP Client.
Raisecom#show ip dhcp client

DHCP Client Mode: Normal Mode
Interface : vlan1
Hostname: Raisecom
Class-ID: Raisecom-ROS_5.2.1
Client-ID: Raisecom-000e5e112233-IF0
DHCP Client Is Requesting For A Lease.
Assigned IP Addr: 0.0.0.0
Subnet Mask: 0.0.0.0
Default Gateway: --
Client Lease Starts: Jan-01-1970 08:00:00
Client Lease Ends: Jan-01-1970 08:00:00
Client Lease Duration: 0(sec)
DHCP Server: 0.0.0.0
TFTP Server Name: --
TFTP Server IP Addr: --
Bootfile Filename: --
NTP Server IP Addr: --
Root Path: --
DHCP Client Mode: Normal Mode

Interface : vlan10
Hostname: Raisecom
Class-ID: Raisecom-ROS_5.2.1
Client-ID: Raisecom-000e5e112233-IF0
DHCP Client Is Disabled.
Assigned IP Addr: 0.0.0.0
Subnet Mask: 0.0.0.0
Default Gateway: --
Client Lease Starts: Jan-01-1970 08:00:00
Client Lease Ends: Jan-01-1970 08:00:00
Client Lease Duration: 0(sec)
DHCP Server: 0.0.0.0
TFTP Server Name: --
TFTP Server IP Addr: --
Bootfile Filename: --
NTP Server IP Addr: --
Root Path: --

244
Raisecom
6.2 Zero-configuration
6.2.1 Introduction
Zero-configuration refers to that the device needs no manual configurations; it automatically
sends DHCP packets for applying for an IP address to the zero-configuration server, and
automatically downloads the configurations file from the zero-configuration server to update
its configurations after obtaining the IP address from the zero-configuration server. Figure 6-5
shows zero-configuration server networking.
Figure 6-5 Zero-configuration server networking
By default, zero-configuration is enabled on the device. To disable it, configure the

device to common client mode.
6.2.2 Default configurations of zero-configuration

Default configurations of zero-configuration are as below.

Zero-configuration polling period 2h
Zero-configuration mode Enable

245
Raisecom
6.2.3 Preparing for configuration
Scenario
To enable the remote device to automatically apply for the IP address after being powered on,
configure zero-configuration. To configure zero-configuration parameters, see the following
section.
Prerequisite
 Connect the device to the DHCP server correctly. Configure the DHCP server correctly.
 Configure the interface connected to the zero-configuration server to be Up.
 Configure the upstream switch to allow packets of a VLAN of the remote device to pass.
 Out-of-band interface FE 1/0/1 supports obtaining the IP address through DHCP or zero-
configuration.
6.2.4 Configuring DHCP Client

Configure DHCP Client for the ISCOM2600G series switch as below.

2 Raisecom(config)#{ ip Configure the DHCP client to work in zero-
| ipv6 } dhcp client configuration mode or common client mode.
mode { zeroconfig |
normal }
By default, it works in zero-configuration mode.
Example:  zeroconfig: zero-configuation mode
Raisecom(config)#ip  normal: normal DHCP client mode
dhcp client mode
normal
To disable zero-configuration, use the

command to configure the DHCP client to
common client mode.
6.2.5 (Optional) configuring zero-configuration polling

Configure zero-configuration polling for the ISCOM2600G series switch as below.

2 Raisecom(config)# { ip | Configure the zero-configuration polling
ipv6 } dhcp client zeroconfig period, in units of hour, ranging from 1
polling period hour to 24.
Example:
Raisecom(config)#ip dhcp By default, it is 2h.
client zeroconfig polling  hour: polling period, an integer,
period 3 ranging from 1 to 24, in units of hour

246
Raisecom


1 Raisecom#show ip dhcp client Show configurations and
[ fastethernet 1/0/1 | vlan vlan- information automatically
id ] obtained by the DHCP client.
2 Raisecom#show ipv6 dhcp client Show configurations of
[ interface { interface-type DHCPv6 Client.
interface-number | vlan vlan-id } ]
6.3 DHCP Snooping

6.3.1 Introduction
DHCP Snooping is a security feature of DHCP with the following functions:
 Make the DHCP client obtain the IP address from a legal DHCP server.
If a false DHCP server exists on the network, the DHCP client may obtain incorrect IP address
and network configuration parameters, but cannot communicate normally. As shown in Figure
6-6, to make DHCP client obtain the IP address from a legal DHCP server, the DHCP
Snooping security system permits you to configure an interface as the trusted interface or
untrusted interface: the trusted interface forwards DHCP packets normally; the untrusted
interface discards reply packets from the DHCP server.
Figure 6-6 DHCP Snooping
 Record mapping between DHCP client IP address and MAC address.

DHCP Snooping records entries through monitor request and reply packets received by the
trusted interface, including client MAC address, obtained IP address, DHCP client connected
interface and VLAN of the interface. Then implement following by the record information:

247
Raisecom
– ARP detection: judge legality of a user that sends ARP packet and avoid ARP attack
from illegal users.
– IP Source Guard: filter packets forwarded by interfaces by dynamically getting
DHCP Snooping entries to avoid illegal packets to pass the interface.
– VLAN mapping: modify mapped VLAN of packets sent to users to original VLAN
by searching IP address, MAC address, and original VLAN information in DHCP
Snooping entry corresponding to the mapped VLAN.
The Option field in DHCP packet records position information of DHCP clients. The
Administrator can use this Option filed to locate DHCP clients and control client security and
accounting.
If the ISCOM2600G series switch is configured with DHCP Snooping to support Option
function:
 When the ISCOM2600G series switch receives a DHCP request packet, it processes
packets according to Option field included or not, filling mode, and processing policy
configured by user, then forwards the processed packet to DHCP server.
 When the ISCOM2600G series switch receives a DHCP reply packet, it deletes the
Optional field and forwards the rest part of the packet to the DHCP client if the packet
contains the Option field, or it forwards the packet directly if the packet does not contain
the Option field.
Scenario
DHCP Snooping is a security feature of DHCP, used to make DHCP client obtain its IP
address from a legal DHCP server and record mapping between IP address and MAC address
of a DHCP client.
The Option field of a DHCP packet records location of a DHCP client. The administrator can
locate a DHCP client through the Option field and control client security and accounting. The
device configured with DHCP Snooping and Option can perform related process according to
Option field status in the packet.
Prerequisite
N/A
6.3.3 Default configurations of DHCP Snooping

Default configurations of DHCP Snooping are as below.

Global DHCP Snooping status Disable
Interface DHCP Snooping status Enable
Interface trusted/untrusted status Untrust
DHCP Snooping in support of Option 82 Disable

248
Raisecom
6.3.4 Configuring DHCP Snooping

Generally, you must ensure that the ISCOM2600G series switch interface connected to DHCP
server is in trusted status while the interface connected to the user is in untrusted status.
If enabled with DHCP Snooping but without the feature of DHCP Snooping supporting DHCP
Option, the ISCOM2600G series switch will do nothing to Option fields in packets. For
packets without Option fields, the ISCOM2600G series switch does not conduct the insertion
operation.
By default, DHCP Snooping is enabled on all interfaces, but only when global DHCP
Snooping is enabled can interface DHCP Snooping take effect.
Configure DHCP Snooping for the ISCOM2600G series switch as below.

2 Raisecom(config)#ip dhcp snooping Enable global DHCP Snooping.
Example:
gigaethernet 1/1/1
4 Raisecom(config- (Optional) enable interface DHCP
gigaethernet1/1/*)#ip dhcp Snooping. The device supports this
snooping configuration on the QinQ interface.
5 Raisecom(config- Configure the trusted interface of
gigaethernet1/1/*)#ip dhcp DHCP Snooping.
snooping trust
6 Raisecom(config- Configure the maximum number of
gigaethernet1/1/*)#ip dhcp entries in the DHCP Snooping
snooping binding max number binding table.
Example:
 number: maximum number of
Raisecom(config-
gigaethernet1/1/1)#ip dhcp entries in the DHCP Snooping
snooping binding max 100 binding table, an integer, ranging
from 1 to 512
7 Raisecom(config- (Optional) enable DHCP Snooping
gigaethernet1/1/*)#ip dhcp based on interface or double VLAN
snooping outer vlan-id inner Tags.
vlan-list
 vlan-id: outer VLAN ID, an
Example:
 vlan-list: inner VLAN ID, an
gigaethernet1/1/1)#ip dhcp
snooping outer 1 inner 1 integer, ranging from 1 to 4094. It
supports specific values, such as
"1,2,3"; it also supports a range,
such as "1-3".
8 Raisecom(config- Return to global configuration
gigaethernet1/1/*)#exit mode.

249
Raisecom

9 Raisecom(config)#ip dhcp snooping (Optional) configure DHCP
option client-id Snooping to support Option 61
field.
10 Raisecom(config)#ip dhcp snooping (Optional) enable or disable auto-
autosave { enable | disable } saving of the DHCP Snooping
Example: binding table.
Raisecom(config)#ip dhcp snooping
 enable: enable auto-saving of the
autosave enable
DHCP Snooping binding table.
 disable: disable auto-saving of the
DHCP Snooping binding table.

11 Raisecom(config)#ip dhcp snooping (Optional) configure the interval for
autosave write-interval time automatically saving the DHCP
Example: Snooping binding table.
 time: interval for automatically
autosave write-interval 360
saving the DHCP Snooping
binding table, an integer, ranging
from 60 to 157680000, in units of
second
6.3.5 Configure DHCP Snooping to support Option 82

Configure DHCP Snooping to support Option 82 for the ISCOM2600G series switch as below.

2 Raisecom(config)#ip dhcp snooping Configure global DHCP Snooping
information option to support Option 82.
Example:
gigaethernet 1/1/1
4 Raisecom(config- (Optional) configure the lists of
gigaethernet1/1/*)#ip dhcp snooping VLANs that support Option 82
information option vlan-list vlan- through interface DHCP
list Snooping.
Example:
 vlan-list: VLAN ID, an integer,
Raisecom(config-
gigaethernet1/1/1)#ip dhcp snooping ranging from 1 to 4094
information option vlan-list 1
6.3.6 Configuring DHCPv6 Snooping

Configure DHCPv6 Snooping for the ISCOM2600G series switch as below.

250
Raisecom

2 Raisecom(config)#ipv6 dhcp Enable global DHCPv6 Snooping.
snooping
Example:
gigaethernet 1/1/1
4 Raisecom(config- (Optional) enable interface
gigaethernet1/1/*)#ipv6 dhcp DHCPv6 Snooping.
snooping
5 Raisecom(config- Configure the trusted interface of
gigaethernet1/1/*)#ipv6 dhcp DHCPv6 Snooping.
snooping trust[ access-list acl-
 access-list acl-number: ACL
number ]
Example: number, an integer, ranging from
Raisecom(config- 6000 to 6999
gigaethernet1/1/1)#ipv6 dhcp
snooping trust
6 Raisecom(config- Enable IPv6 DHCP Snooping on
gigaethernet1/1/*)#ipv6 dhcp the specified interface and in the
snooping vlan vlan-id specified VLAN.
Example:
Raisecom(config-
gigaethernet1/1/1)#ipv6 dhcp ranging from 1 to 4094
snooping vlan 2
7 Raisecom(config- Configure the maximum number
gigaethernet1/1/*)#ipv6 dhcp of entries in the DHCPv6
snooping binding max number Snooping binding table.
Example:
 number: maximum number of
Raisecom(config-
gigaethernet1/1/1)#ipv6 dhcp entries in the DHCP Snooping
snooping binding max 100 binding tables, an integer,
8 Raisecom(config- (Optional) configure DHCPv6
gigaethernet1/1/*)#exit Snooping to support user-defined
Raisecom(config)#ipv6 dhcp Options.
snooping option number
Example: number: ID of user-defined Option
Raisecom(config)#ipv6 dhcp supported, an integer, ranging from
snooping option 30 1 to 254
9 Raisecom(config)#ipv6 dhcp (Optional) configure DHCP
snooping option interface-id Snooping to support Option 18.
 interface-id: enable DHCP
Snooping to support Option 18.
10 Raisecom(config)#ipv6 dhcp (Optional) configure DHCPv6
snooping option remote-id Snooping to support Option 37.
 remote-id: enable DHCP
Snooping to support Option 37.

251
Raisecom


1 Raisecom#show ip dhcp Show configurations of DHCP Snooping.
snooping
2 Raisecom#show ip dhcp Show configurations of the DHCP
snooping binding Snooping binding table.
3 Raisecom#show ipv6 dhcp Show configurations of DHCPv6
snooping Snooping.
4 Raisecom#show ipv6 dhcp Show configurations of the DHCPv6
snooping binding [ prefix ] Snooping binding table.
5 Raisecom#show ip dhcp Show auto-saving status of the DHCP
snooping autosave Snooping binding table.
6.3.8 Maintenance
Command Description
Raisecom(config)#clear ip Clear information about the IPv4 binding table.
dhcp snooping binding
number | vlan vlan-id | ip-
address ip-address ] value range depend on the interface type.
 vlan vlan-id: VLAN ID, an integer, ranging
Example:
Rasiecom(config)#clear ip from 1 to 4094
 ip-address ip-address: IP address, in dotted
Raisecom(config)#clear ipv6 Clear information about the IPv6 binding table.
number | vlan vlan-id | ipv6-
address ipv6-address | ipv6- value range depend on the interface type.
 vlan vlan-id: VLAN ID, an integer, ranging
prefix ipv6-address/prefix-
length ] from 1 to 4094
 ipv6-address ipv6-address: IPv6 address, in
Example:
Raisecom(config)#clear ipv6 colon hexadecimal notation, such as 3001::1
 ipv6-prefix ipv6-address/prefix-length: IPv6
address with a prefix, such as 1:123::0:1/96

252
Raisecom
6.3.9 Example for configuring DHCP Snooping
As shown in Figure 6-7, the Switch is used as the DHCP Snooping device. The network
requires DHCP clients to obtain the IP address from a legal DHCP server and support Option
82 to facilitate client management. You can configure padding information of about circuit ID
sub-option to raisecom on GE 1/1/3, and padding information about remote ID sub-option to
user01.
Figure 6-7 DHCP Snooping networking
Configuration steps
Step 1 Configure global DHCP Snooping.
Raisecom#config
Step 2 Configure the trusted interface.

Raisecom(config-gigaethernet1/1/1)#ip dhcp snooping
Raisecom(config-gigaethernet1/1/1)#ip dhcp snooping trust
Raisecom(config-gigaethernet1/1/1)#quit
Step 3 Configure DHCP Relay to support Option 82 field and configure Option 82 field.
Raisecom(config)#ip dhcp snooping information option

Raisecom(config)#ip dhcp information option remote-id string user01

253
Raisecom

Raisecom(config-gigaethernet1/1/3)#ip dhcp information option circuit-id
raisecom
Checking results
Use the show ip dhcp snooping command to show configurations of DHCP Snooping.
Raisecom#show ip dhcp snooping

DHCP Snooping: Enabled
DHCP Option 82: Enabled
Port vlan Enabled Status Trusted Status
Option82 Vlanlist
-------------------------------------------------------------------------
------------------------
gigaethernet1/1/1 -- enabled yes 1-
4094
gigaethernet1/1/2 -- enabled no 1-
4094
4094
4094
4094
4094
……
6.4 DHCP Options

6.4.1 Introduction
DHCP transmits control information and network configuration parameters through Option
field in packet to dynamically assign addresses to provide abundant network configurations
for clients. DHCP has 255 types of options, with the final option as Option 255. Table 6-2 lists
frequently used DHCP options.
Table 6-2 Common DHCP options

Options Description
3 Router option, used to assign the gateway address of DHCP clients
6 DNS server option, used to specify the IP address of the DNS server assigned
for DHCP clients

254
Raisecom
Options Description
18 IPv6 DHCP client flag option, used to specify interface information about
DHCP clients
37 IPv6 DHCP client flag option, used to specify device information about
DHCP clients
51 IP address lease option
53 DHCP packet type option, used to mark the type of DHCP packets
55 Request parameter list option, used to indicate network configuration
parameters to be obtained from the server, containing values of these
parameters
61 DHCP client flag option, used to assign device information for DHCP clients
66 TFTP server name option, used to specify the domain name of the TFTP
server assigned for DHCP clients
67 Startup file name option, used to specify the name of the startup file assigned
for DHCP clients
82 DHCP client flag option, user-defined, used to mark the position of DHCP
clients, including Circuit ID and remote ID
150 TFTP server address option, used to specify the IP address of the TFTP server
assigned for DHCP clients
184 DHCP reserved option. At present Option 184 is used to carry information
required by voice calling. Through Option 184, the DHCP server can
distribute IP addresses for DHCP clients with voice function and meanwhile
provide information about voice calling.
255 Complete option
Options 18, 37, 61, and 82 in DHCP Option are relay information options in DHCP packets.
When a DHCP client sends request packets to the DHCP server by passing a DHCP Relay or
DHCP Snooping device, the DHCP Relay or DHCP Snooping device will add Option fields to
the request packets.
Options 18, 37, 61, and 82 implement recording of information about DHCP clients on the
DHCP server. By cooperating with other software, it can implement functions, such as limit
on IP address distribution and accounting. For example, by cooperating with IP Source Guard,
Options 18, 61, 82 can defend deceiving through IP address + MAC address.
Option 82 can include up to 255 sub-options. If the Option 82 field is defined, at least one
sub-option must be defined. The ISCOM2600G series switch supports the following two sub-
options:
 Sub-Option 1 (Circuit ID): it contains the interface ID, interface VLAN, and additional
information about request packets of the DHCP client.
 Sub-Option 2 (Remote ID): it contains interface MAC address (DHCP Relay), or bridge
MAC address (DHCP Snooping device) of the ISCOM2600G series switch, or user-
defined string in request packets of the DHCP client.

255
Raisecom
Scenario
Options 18, 37, 61, and 82 in DHCP Option are relay information options in DHCP packets.
When request packets from DHCP clients reach the DHCP server, DHCP Relay or DHCP
Snooping added Option field into request packets if request packets pass the DHCP relay
device or DHCP snooping device is required.
Options 18, 37, 61, and 82 are used to record DHCP client information on the DHCP server.
By cooperating with other software, it can implement functions such as limit on IP address
distribution and accounting.
Prerequisite
N/A
6.4.3 Default configurations of DHCP Option

Default configurations of DHCP Option are as below.

attach-string in global configuration mode N/A
remote-id in global configuration mode Switch-mac
circuit-id in interface configuration mode N/A
6.4.4 Configuring DHCP Option field

Configure DHCP Option field for the ISCOM2600G series switch as below.

2 Raisecom(config)#ip dhcp (Optional) configure additional
information option attach- information for Option 82 field.
string attach-string
 attach-string: attached string, a string
Example:
Raisecom(config)#ip dhcp of 1 to 32 characters
information option attach-
string raisecom
Raisecom(config)#interface Enter physical interface configuration
Example:
gigaethernet 1/1/1

256
Raisecom

Raisecom(config- (Optional) configure circuit ID sub-
gigaethernet1/1/*)#ip dhcp option information for Option 82 field
information option circuit-id on the interface.
circuit-id [ prefix-mode ]
 circuit-id: circuit ID, a string of 1 to
Example:
Raisecom(config- 64 characters
 prefix-mode: prefix mode
information option circuit-id
10
Raisecom(config- (Optional) configure the interface or
gigaethernet1/1/*)#ip dhcp VLAN description to be padded into
option vlan vlan-id description Option 82 fields.
string
Raisecom(config-
gigaethernet1/1/*)#exit ranging from 1 to 4094
 string: description of the interface and
Example:
Raisecom(config- VLAN, a string up to 64 characters.
option vlan 10 description
raisecom
Raisecom(config)#ip dhcp (Optional) configure the attached string
information option attach- in Option 82 of DHCP packets.
string attach-string
 attach-string: attached string, a string
Example:
Raisecom(config)#ip dhcp of 1 to 32 characters
information option attach-
string raisecom

257
Raisecom

Raisecom(config)#ip dhcp (Optional) configure the format for
information option circuit-id padding the sub-option in the Circuit
{ mac-format | format | hex } ID in Option 82 of DHCP packets.
string
 mac-format string: MAC address
Example:
Raisecom(config)#ip dhcp format, a string, supporting the
information option circuit-id following types:
– hhhhhhhhhhhh
mac-format hhhh.hhhh.hhhh
– hhhh.hhhh.hhhh
– hhhh-hhhh-hhhh
– hhhh:hhhh:hhhh
– hh.hh.hh.hh.hh.hh
– hh-hh-hh-hh-hh-hh
– hh:hh:hh:hh:hh:hh
 format string: string format:
– %h: HostName
– %s: Slot
– %v: SVLAN
– %c: CVLAN
– %p: Port
– %m: Local MAC
– %r: Remote MAC
– %i: IP Address
– %u: Unit
– %d: Port-Description
– %bd: Bussiness-Description
 hex string: hexadecimal string:
– %h: HostName
– %s: Slot
– %v: SVLAN
– %c: CVLAN
– %p: Port
– %m: Local MAC
– %r: Remote MAC
– %i: IP Address
– %u: Unit

258
Raisecom

Raisecom(config)#ip dhcp (Optional) configure remote ID sub-
information option remote-id option information for Option 82 field.
{ client-mac | client-mac-
string | hostname | string DHCP Relay supports the Remote ID
string | switch-mac | switch- of Option 82 to be compatible with the
mac-string } Huawei Default mode.
Raisecom(config)#ip dhcp  client-mac: the remote ID is the MAC
information option remote-id address of the user device, sent in
extend { client-mac | client- binary form.
mac-string | switch-mac |  client-mac-string: the remote ID is the
switch-mac-string } MAC address of the user device, sent

Example: in form of a string of characters.
Raisecom(config)#ip dhcp  hostname: the remote ID is the host
information option remote-id name, sent in form of a string of

switch-mac-string characters.
 string: value of the user-defined
remote ID, with the length no more

than 64 bytes:
– %h: HostName
– %s: Slot
– %v: SVLAN
– %c: CVLAN
– %p: Port
– %m: Local MAC
– %r: Remote MAC
– %i: IP Address
– %u: Unit
 switch-mac: the remote ID is the
MAC address of the device, sent in

binary form.
 switch-mac-string: the remote ID is
the MAC address of the device, sent

in form of a string of characters.
 extend: extended format, compatible
with Huawei default mode

3 Raisecom(config)#ipv4 dhcp (Optional) create user-defined Option
option option-id { ascii ascii- based on IPv4.
string | hex hex-string | ip-
 option-id: relay agent option, an
address ip-address }
 ascii-string: a string, in units of byte,
Raisecom(config)#ipv4 dhcp
option 100 ip-address 10.0.0.1 sent in form of ASCII code
 hex-string: a string, sent in form of
hexadecimal code. The device will

add 0 to the header of the character
string if the bytes of the character
string are odd numbered.
 ip-address: in dotted decimal
notation, sent in form of IP address

259
Raisecom

Raisecom(config)#interface Enter physical interface configuration
Example:
gigaethernet 1/1/1
Raisecom(config- (Optional) create user-defined Option
gigaethernet1/1/*)#ipv4 dhcp field information on the interface.
option option-id { ascii ascii-
 option-id: relay agent option, an
address ip-address } integer, ranging from 1 to 254
Example:
Raisecom(config- sent in form of ASCII code
option 100 ip-address 10.0.0.1 hexadecimal code. The device will
add 0 to the header of the character
string if the bytes of the character
string are odd numbered.

4 Raisecom(config- (Optional) configure Option 61 field
gigaethernet1/1/*)#exit information.
option client-id { ascii ascii-
string | hex hex-string | ip- sent in form of ASCII code
address ip-address }
Example: hexadecimal code
option client-id ip-address notation, sent in form of IP address
10.0.0.1
Raisecom(config- (Optional) configure Option61 field
gigaethernet1/1/*)#ipv4 dhcp information on the interface.
option client-id { ascii ascii-
address ip-address } sent in form of ASCII code
Example:
Raisecom(config- hexadecimal code
option client-id ip-address notation, sent in form of IP address
10.0.0.1
6.4.5 Configuring DHCP Option 18 over IPv6

Configure DHCP Option 18 over IPv6 for the ISCOM2600G series switch as below.
Option 18 over IPv6 should be configured on the device that is enabled with DHCP Snooping.


260
Raisecom

2 Raisecom(config)#ipv6 dhcp (Optional) configure information about
option interface-id { ascii Option 18.
ascii-string | hex hex-string
| ipv6-address ipv6-address }
Example: sent in form of ASCII code
option interface-id ascii hexadecimal code
 ipv6-address: in colon hexadecimal
raisecom
number
Example:
gigaethernet 1/1/1
Raisecom(config- (Optional) configure information about
gigaethernet1/1/*)#ipv6 dhcp Option 18 on the interface.
option interface-id { ascii
ascii-string | hex hex-string
| ipv6-address ipv6-address } sent in form of ASCII code
Example:
Raisecom(config- hexadecimal code
option interface-id ascii notation, sent in form of IP address
raisecom
6.4.6 Configuring DHCP Option 37 over IPv6

Configure DHCP Option 37 over IPv6 for the ISCOM2600G series switch as below.
Option 37 over IPv6 should be configured on the device that is enabled with DHCP Snooping.


261
Raisecom

2 Raisecom(config (Optional) configure information about Option 37.
)#ipv6 dhcp
 ascii: a string of characters
option remote-
 hex: in hexadecimal notation
id { ascii |
 string: value of the user-defined remote ID, with the
hex } string
Example: length no more than 64 bytes:
– %h: HostName
Raisecom(config
– %s: Slot
)#ipv6 dhcp
– %v: SVLAN
option remote-
– %c: CVLAN
id ascii
– %p: Port
raisecom
– %m: Local MAC
– %r: Remote MAC
– %i: IP Address
– %u: Unit
3 Raisecom(config (Optional) configure the format of the MAC address of the

)#ipv6 dhcp Remote ID variable in Option 37 in DHCPv6 packets.
option remote-
 string: MAC address format, a string, supporting the
id mac-format
string following types:
– hhhhhhhhhhhh
Example:
– hhhh.hhhh.hhhh
Raisecom(config
– hhhh-hhhh-hhhh
)#ipv6 dhcp
– hhhh:hhhh:hhhh
option remote-
– hh.hh.hh.hh.hh.hh
id mac-format
– hh-hh-hh-hh-hh-hh
hhhh.hhhh.hhhh
– hh:hh:hh:hh:hh:hh
6.4.7 Configuring user-defined DHCP Option over IPv6

Configure user-defined DHCP Option over IPv6 for the ISCOM2600G series switch as below.
User-defined Option over IPv6 should be configured on the device that is enabled with DHCP
Snooping.


262
Raisecom

2 Raisecom(config)#ipv6 dhcp (Optional) create user-defined Option
option number { ascii information over IPv6.
ascii-string | hex hex-
 number: relay agent option, an integer,
string | ipv6-address
ipv6-address } ranging from 1 to 254. Specify the number
Example: which supports self-defined Option.
 ascii-string: a string, in units of byte, sent in
option 10 ascii raisecom form of ASCII code
hexadecimal code

number
Example:
gigaethernet 1/1/1
Raisecom(config- (Optional) create user-defined Option
gigaethernet1/1/*)#ipv6 information over IPv6 on the interface.
dhcp option number
 number: relay agent option, an integer,
{ ascii ascii-string | hex
hex-string | ipv6-address ranging from 1 to 254. Specify the number
ipv6-address } which supports self-defined Option.
 ascii-string: a string, in units of byte, sent in
Example:
Raisecom(config- form of ASCII code
gigaethernet1/1/1)#ipv6
dhcp option 10 ascii hexadecimal code
raisecom


1 Raisecom#show ip dhcp Show configurations of DHCP Option fields.
information option
2 Raisecom#show ip dhcp Show the interface or VLAN description to
option port vlan be padded into Option 82 fields.
description

263
Raisecom
6.5 DHCP Server

6.5.1 Introduction
Dynamic Host Configuration Protocol (DHCP) refers to assigning IP address configurations
dynamically for users on the TCP/IP network. It is based on BOOTP (Bootstrap Protocol)
protocol, and automatically adds the specified available network address, network address re-
use, and other extended configuration options over BOOTP protocol.
With the enlargement of network scale and development of network complexity, the number
of PCs on a network usually exceeds the maximum number of distributable IP addresses.
Meanwhile, the widely use of laptops and wireless networks lead to frequent change of PC
positions and also related IP addresses must be updated frequently. As a result, network
configurations become more and more complex. DHCP is developed to solve these problems.
DHCP adopts client/server communication mode. A client applies configuration to the server
(including IP address, subnet mask, and default gateway), and the server replies with an IP
address for the client and other related configurations to implement dynamic configurations of
IP address.
In DHCP Client/Server communication mode, a specific host is configured to assign IP
addresses, and send network configurations to related hosts. The host is called the DHCP
server.
DHCP application
Under normal circumstances, use the DHCP server to assign IP addresses in following
situations:
 The network scale is large. It requires much workload for manual configurations, and is
difficult to manage the entire network intensively.
 The number of hosts on the network is greater than that of IP addresses, which makes it
unable to assign a fixed IP address for each host and restricts the number of users
connected to network simultaneously.
 Only the minority of hosts on the network need fixed IP addresses, most of hosts have no
requirement for fixed IP address.
After a DHCP client obtains the IP address from the DHCP server, it cannot use the IP address
permanently but in a fixed period, which is called the lease period. You can specify the
duration of the lease period.
DHCP ensures rational allocation, avoids waste of IP addresses, and improves the utilization
rate of IP addresses on the entire network.
The ISCOM2600G series switch, as the DHCP server, assigns dynamic IP addresses to clients,
as shown in Figure 6-8.

264
Raisecom
Figure 6-8 DHCP Server and Client networking
DHCP packets
Figure 6-9 shows the structure of a DHCP packet. The DHCP packet is encapsulated in a UDP
data packet.
Figure 6-9 Structure of a DHCP packet
Table 6-3 describes fields of a DHCP packet.
Table 6-3 Fields of a DHCP packet

OP 1 Packet type
 1: a request packet
 2: a reply packet
Hardware type 1 Hardware address type of a DHCP client
Hardware length 1 Hardware address length of a DHCP client
Hops 1 Number of DHCP hops passing by the DHCP packet
This field increases 1 every time the DHCP request
packet passes a DHCP relay.

265
Raisecom

Transaction ID 4 A random number selected by the client to initiate a
request, used to identify an address request process
Seconds 2 Duration after the DHCP request for the DHCP client,
fixed to 0, being idle currently
Flags 2 Bit 1 is the broadcast reply flag, used to mark that the
DHCP server response packet is transmitted in unicast
or broadcast mode.
 0: unicast
 1: broadcast
Other bits are reserved.
Client IP address 4 IP address of the DHCP client, only filled when the
client is in bound, updated or re-bound status, used to
respond to ARP request
Your (client) IP 4 IP address of the DHCP client assigned by the DHCP
address server
Server IP 4 IP address of the DHCP server
address
Relay agent IP 4 IP address of the first DHCP relay passing by the
address request packet sent by the DHCP client
Client hardware 16 Hardware address of the DHCP client
address
Server host name 64 Name of the DHCP server
File 128 Startup configuration file name and path assigned by the
DHCP server to the DHCP client
Options Modifiable A modifiable option field, including packet type,
available lease period, IP address of the DNS server, IP
address of the WINS
Scenario
When working as the DHCPv4 server, the ISCOM2600G series switch can assign IP
addresses to DHCPv4 clients.
Prerequisite
 Disable DHCPv4 Client on the ISCOM2600G series switch.
 The DHCP server is a common one.

266
Raisecom
6.5.3 Creating and configuring IPv4 address pool

Configure the IPv4 address pool for the ISCOM2600G series switch as below.

2 Raisecom(config)#ip dhcp Create an IPv4 address pool, and enter
server pool pool-name address pool configuration mode.
Example:
 pool-name: IP address pool, a string of
Raisecom(config)#ip dhcp
server pool pool 1 to 16 characters
3 Raisecom(config-pool)#address Configure the range of IP addresses in the
start-ip-address end-ip- IPv4 address pool. The mask length
address mask { mask | mask- ranges from 1 to 30.
length }
 start-ip-address: start IP address of
Example:
Raisecom(config-pool)#address address pool, in dotted decimal
172.31.0.1 172.31.0.10 mask notation, such as 10.10.10.1
 end-ip-address: end IP address of
255.255.255.0
address pool, in dotted decimal
 mask: mask of IP address, in dotted

 mask-length: mask length of IP address,
16-bit mask is supported, an integer,

4 Raisecom(config- Configure the range of excluded IP
pool)#excluded-ip-address addresses in the IPv4 address pool.
start-ip-address [ end-ip-
 start-ip-address: start IP address of
address ]
Example: address pool, in dotted decimal
Raisecom(config- notation, such as 10.10.10.1
 end-ip-address: end IP address of
pool)#excluded-ip-address
172.31.0.2 address pool, in dotted decimal
5 Raisecom(config-pool)#lease Configure the lease period for the IPv4
expired { minute | infinite } address pool.
Example:
 minute: lease time, an integer, ranging
Raisecom(config-pool)#lease
expired 600 from 30 to 10080, in units of minute
 infinite: infinite lease time
6 Raisecom(config-pool)#dns- Configure the DNS server address of the

server ip-address IPv4 address pool.
[ secondary ]
 ip-address: IPv4 address. The ip-address
Example:
Raisecom(config-pool)#dns- is in dotted decimal notation, such as
server 192.168.100.1 10.10.10.1.
 secondary: specify the IP address of the
backup DNS server.

7 Raisecom(config-pool)#gateway Configure the default gateway of the IPv4
ip-address address pool.
Example:
Raisecom(config-pool)#gateway
192.168.1.1 notation, such as 10.10.10.1

267
Raisecom

8 Raisecom(config-pool)#option Configure information carried by Option
60 string 60.
Example:
 string: Option 60 value, a string of 1 to
Raisecom(config-pool)#option
60 Raisecom001 16 characters
9 Raisecom(config-pool)#option Configure information carried by Option
43 [ sub-option option-code ] 43.
{ ascii ascii-string | hex
 sub-option option-code: sub-field of
hex-string }
Example: Option 43, an integer, ranging from 1 to
Raisecom(config-pool)#option 254
43 ascii raisecom
If there is no configured sub-


option, the default sub-option is 0.

 There is no conflict from 1 to 254;
namely, there can be multiple sub-

options (except sub-option 0).
 If commands without sub-option
are configured, configuring

command with sub-option from 1
to 254 will cause the previous
configuration to be deleted.
 ascii ascii-string: sent in ASCII. The
ascii-string is a string of characters.

 hex hex-string: sent in hexadecimal
notation. The hex-string is a string of

characters.
10 Raisecom(config-pool)#tftp- Configure the TFTP server of the IPv4
server ip-address address pool.
Example:
Raisecom(config-pool)#tftp-
server 192.168.1.201 notation, such as 10.10.10.1
11 Raisecom(config-pool)#trap Configure the Trap server of the IPv4
server-ip ip-address address pool.
Example:
Raisecom(config-pool)#trap ip-address: IP address, in dotted decimal
server-ip 192.168.1.201 notation, such as 10.10.10.1
6.5.4 Enabling DHCP Server on VLAN interface

Only when global DHCP Server and Layer 3 interface DHCP Server are enabled can the
Layer 3 interface receive and process DHCP request packets from clients.
Enable DHCPv6 Server on the VLAN interface for the ISCOM2600G series switch as below.


268
Raisecom

vlan-id mode.
Example:
3 Raisecom(config-vlan*)#ip dhcp Enable DHCP Server on the VLAN
server interface.
6.5.5 (Optional) recycling IP address or adress pool

Recycle the IP address or adress pool for the ISCOM2600G series switch as below.

2 Raisecom(config)#ip dhcp address Configure DHCP Server to support
ip-address release Option 82.
Raisecom(config)#ip dhcp address
 ip-address: IP address to be
release [ pool pool-name ]
Example: recycled, in dotted decimal
Raisecom(config)#ip dhcp address notation, such as 10.0.0.1
 pool-name: IP address pool to be
192.168.1.1 release
recycled, a string of 1 to 16
characters
3 Raisecom(config)#ip dhcp lease Save DHCPv4 lease information in
save the Flash.
Use the erase format of this
command to delete the DHCPv4
lease information.
4 Raisecom(config)#ip dhcp lease Delete the lease file saved by the
erase DHCP server on the Flash.
6.5.6 Configuring DHCP Server to support Option 82

Configure DHCP Server to support Option 82 for the ISCOM2600G series switch as below.

2 Raisecom(config)#ip dhcp server Configure DHCP Server to support
information option Option 82.


269
Raisecom

1 Raisecom(config)#show ip dhcp Show configurations of DHCP Server.
server
2 Raisecom(config)#show ip dhcp Show assigned IPv4 addresses and
server lease clients information.
3 Raisecom(config)#show ip dhcp Show packet statistics on the DHCPv4
server statistics Server.
4 Raisecom(config)#show ip dhcp Show information about DHCPv4
static-bind static binding.
5 Raisecom(config)#show ip server Show configurations of the address
pool [ excluded-ip-address ] pool of DHCPv4 Server.
[ pool-name ]
6 Raisecom#show ip server pool Show statistics on address pools of the
statistics [ pool-name ] DHCPv4 server.
6.5.8 Maintenance
Command Description
Rasiecom(config)#clear ip dhcp server Clear statistics on DHCP Server.
statistics
6.5.9 Example for configuring DHCPv4 Server
As shown in Figure 6-10, the switch as a DHCP server assigns IP addresses to DHCP clients.
The lease period is 8h. The name of the IP address pool is pool. The range of IP addresses is
172.31.1.2–172.31.1.100. The IP address of the DNS server is 172.31.100.1.

270
Raisecom
Figure 6-10 DHCP Server networking
Configuration steps
Step 1 Create an IP address pool, and configure it.
Raisecom#config
Raisecom(config)#ip dhcp server pool pool
Raisecom(config-pool)#address 172.31.1.2 172.31.1.100 mask 24
Raisecom(config-pool)#lease expired 480
Raisecom(config-pool)#dns-server 172.31.100.1
Raisecom(config-pool)#exit
Step 2 Configure interface DHCP Server.
Raisecom(config-vlan1)#ip dhcp server
Checking results
Use the show ip dhcp server command to show configurations of DHCP Server.
Raisecom#show ip dhcp server

Interface Status
------------------------------------
vlan 1 Enable
Use the show ip server pool command to show configurations of the address pool of the
DHCP server.

271
Raisecom
Raisecom#show ip server pool

Pool Name : poo1
pool type : DHCP
Address Range : 172.31.1.2~172.31.1.100
Address Mask : 255.255.255.0
Gateway : 0.0.0.0
DNS Server : 172.31.100.1
Secondary DNS : 0.0.0.0
Tftp Server : 0.0.0.0
Lease time : 480 minutes
Trap Server : 0.0.0.0
interface : vlan1
option60 :
6.6 DHCP Relay

6.6.1 Introduction
At the beginning, DHCP requires the DHCP server and clients to be in the same segment,
instead of different segments. As a result, a DHCP server is configured for all segments for
dynamic host configuration, which is not economic.
DHCP Relay is introduced to solve this problem. It can provide relay service between DHCP
clients and the DHCP server that are in different segments. It relays packets across segments
to the DHCP server or clients.
Figure 6-11 shows typical application of DHCP Relay.
Figure 6-11 Typical application of DHCP Relay
When a DHCP client sends a request packet to the DHCP server through a DHCP relay, the
DHCP relay processes the request packet and sends it to the DHCP server in the specified
segment. The DHCP server sends required information to the DHCP client through the DHCP
relay according to the request packet, thus implementing dynamic configuration of the DHCP
client.

272
Raisecom
Scenario
When DHCP Client and DHCP Server are not in the same segment, you can use DHCP Relay
function to make DHCP Client and DHCP Server in different segments carry relay service,
and relay DHCP protocol packets across segment to destination DHCP server, so that DHCP
Client in different segments can share the same DHCP server.
Prerequisite
N/A
6.6.3 Default configurations of DHCP Relay

Default configurations of DHCP Relay are as below.

Global DHCP Relay Disable
Interface DHCP Relay Disable
Global DHCPv6 Relay Disable
Interface DHCPv6 Relay Disable
6.6.4 Configuring global DHCP Relay

Configure global DHCP Relay for the ISCOM2600G series switch as below.

2 Raisecom(config)#ip dhcp relay Enable global DHCP Relay.
6.6.5 Configuring DHCP Relay on VLAN interface

Configure DHCP Relay on the VLAN interface for the ISCOM2600G series switch as below.

vlan-id mode.
Example:
Raisecom(config)#interface vlan

273
Raisecom

3 Raisecom(config-vlan*)#ip dhcp Enable DHCP Relay on the VLAN
relay interface.
4 Raisecom(config-vlan*)#ip dhcp Configure the destination IP address
relay target-ip ip-address for forwarding packets.
Example:
 ip-address: destination IP address,
Raisecom(config-vlan1)#ip dhcp
relay target-ip 192.168.12.34 in dotted decimal notation
5 Raisecom(config-vlan*)#ip dhcp Configure the IP address of the
realy relay-ip ip-address DHCP relay to implement Layer 2
DHCP Relay.
6.6.6 Configuring global DHCPv6 Relay

Configure global DHCPv6 Relay for the ISCOM2600G series switch as below.

2 Raisecom(config)#ipv6 dhcp relay Enable global DHCPv6 Relay.
3 Raisecom(config)#ipv6 dhcp relay Enable DHCPv6 Relay to support
option interface-id Option 18.
4 Raisecom(config)#ipv6 dhcp relay Enable DHCPv6 Relay to support
option remote-id Option 37.
6.6.7 Configuring DHCPv6 Relay on VLAN interface

Configure DHCPv6 Relay on the VLAN interface for forwarding packets for the

2 Raisecom(config)#interface Enter VLAN interface configuration
vlan vlan-id mode.
Example:
vlan 1 from 1 to 4094
3 Raisecom(config-vlan*)#ipv6 Enable DHCPv6 Relay on the VLAN
dhcp relay interface.

274
Raisecom

4 Raisecom(config-vlan*)#ipv6 Configure the destination IPv6 address
dhcp relay target-ip ipv6- for forwarding packets.
address [ vlan vlan-id ]
Example:
Raisecom(config-vlan1)#ipv6 hexadecimal notation
dhcp relay target-ip 3001::1
from 1 to 4094
6.6.8 (Optional) configuring DHCP Relay to support Option 82

Configure DHCP Relay to support Option 82 for the ISCOM2600G series switch as below.

2 Raisecom(config)#ip dhcp relay Configure DHCP Relay to support
information option Option 82. DHCP Relay supports the
Remote ID of Option 82 and is
compatible with Huawei Default mode.
3 Raisecom(config)#ip dhcp relay Configure the policy for DHCP Relay to
information policy { drop | process Option 82 request packets.
keep | replace }
 drop: discard Option 82 packets.
Example:
 keep: directly forward Option 82
Raisecom(config)#ip dhcp relay
information policy keep packets.
 replace: replace the Option 82 field
and then transmit the packet.

interface-type interface- mode, or VLAN interface configuration
Example: configuration mode for example .
gigaethernet 1/1/1
5 Raisecom(config- Configure the trusted interface of DHCP
gigaethernet1/1/*)#ip dhcp Relay.
relay information trusted


1 Raisecom#show ip dhcp relay Show configurations of DHCP Relay.
2 Raisecom#show ip dhcp relay Show binding information about DHCP
binding Relay.

275
Raisecom

3 Raisecom#show ip dhcp relay Show information about Option 82
information supported by DHCP Relay.
4 Raisecom#show ip dhcp relay Show static information about DHCP Relay.
statistics
5 Raisecom#show ipv6 dhcp Show configurations of DHCPv6 Relay.
relay
6.6.10 Maintenance
Command Description
Rasiecom#clear ip dhcp relay statistics Clear statistics on DHCP Relay.
6.6.11 Example for configuring DHCPv4 Relay
As shown in Figure 6-12, the switch works as the DHCP relay device. The host name is
raisecom. The switch is connected to the DHCP server through a service interface. The DHCP
server assigns IP addresses to clients so that the NMS can discover and manage these clients.
Figure 6-12 DHCP Relay networking
Configuration steps
Step 1 Enable global DHCP Relay.
Raisecom#config

276
Raisecom
Raisecom(config)#ip dhcp relay

Raisecom(config-vlan2)#ip dhcp relay relay-ip 192.168.1.1
Raisecom(config-vlan3)#ip dhcp relay relay-ip 192.168.1.1
Step 2 Configure the destination IP address of DHCP Relay.
Raisecom(config-vlan2)#ip dhcp relay target-ip 10.0.0.1
Checking results
Use the show ip dhcp relay command to show configurations of DHCP Relay.
Raisecom#show ip dhcp relay

DHCP Relay Global Status: Enable
Interface Status Relay Address Target Address
-------------------------------------------------------------------------
-------
vlan2 Enable 192.168.1.1 10.0.0.1
vlan3 Enable 192.168.1.1 --

277
Raisecom
ISCOM2600G (A) Series Configuration Guide (CLI) 7 QoS
7 QoS
This chapter describes basic principles and configuration procedures for QoS, and provides
 Introduction
 Configuring priority
 Configuring congestion management
 Configuring congestion avoidance
 Configuring traffic classification and traffic policy
 Configuring traffic shaping and rate limiting
 Bandwidth rate limiting
 Configuration examples
7.1 Introduction
When network applications become more and more versatile, users bring forward different
Quality of Service (QoS) requirements on them. In this case, the network should distribute
and schedule resources for different network applications as required. When network is
overloaded or congested, QoS can ensure service timeliness and integrity and make the entire
network run efficiently.
QoS is composed of a group of flow management technologies:
 Service model
 Priority trust
 Traffic classification
 Traffic policy
 Priority mapping
 Congestion management
7.1.1 Service model

QoS technical service models:
 Best-effort Service

278
Raisecom
 Differentiated Services (DiffServ)
Best-effort
Best-effort service is the most basic and simplest service model on the Internet (IPv4 standard)
based on storing and forwarding mechanism. In Best-effort service model, the application can
send a number of packets at any time without being allowed in advance and notifying the
network. For the Best-effort service, the network will send packets as possible as it can, but it
does not guarantee the delay and reliability.
Best-effort is the default Internet service model now, suitable to most network applications,
such as FTP and Email. It is implemented by First In First Out (FIFO) queue.
DiffServ
The DiffServ model is a multi-service model, which can satisfy different QoS requirements.
The DiffServ model does not need to maintain state for each flow. It provides differentiated
services according to the QoS classification of each packet. Many different methods can be
used for classifying QoS packets, such as IP packet priority (IP precedence), the packet source
address or destination address.
Generally, DiffServ is used to provide end-to-end QoS services for a number of important
applications, which is implemented through the following techniques:
 Committed Access Rate (CAR): CAR refers to classifying the packets according to the
preconfigured packet matching rules, such as IP packets priority, the packet source
address or destination address. The system continues to send the packets if the flow
complies with the rules of token bucket. Otherwise, it discards the packets or remarks IP
precedence, DSCP, EXP CAR can not only control the flows, but also mark and remark
the packets.
 Queuing technology: the queuing technologies of SP, WRR, DRR, SP+WRR, and
SP+DRR cache and schedule the congestion packets to implement congestion
management.
7.1.2 Priority trust

Priority trust means that the ISCOM2600G series switch uses priority of packets for
classification and performs QoS management.
The ISCOM2600G series switch supports packet priority trust based on interface, including:
 Differentiated Services Code Point (DSCP) priority
 Class of Service (CoS) priority
 ToS priority
7.1.3 Traffic classification

Traffic classification refers to identifying certain packets according to specified rules and
performing different QoS policies on packets matched with different rules. Traffic
classification is the premise and basis for differentiated services.
The ISCOM2600G series switch supports traffic classification based on ToS priority, DSCP,
and CoS over IP packets, and classification based on Access Control List (ACL) rules and
VLAN ID. The traffic classification procedure is shown in Figure 7-1.

279
Raisecom
Figure 7-1 Traffic classification
IP precedence and DSCP

Figure 7-2 shows the structure of the IP packet header. The head contains an 8-bit ToS field.
Defined by RFC 1122, IP priority (IP Precedence) uses the highest 3 bits (0–3) with value
range of 0–7; RFC2474 defines ToS field again, and applies the first 6 bits (0–5) to DSCP
with value ranging from 0 to 63, the last 2 bits (bit-6 and bit-7) are reserved. Figure 7-3 shows
the structure of ToS and DSCP.
Figure 7-2 Structure of an IP packet header
Figure 7-3 Structures of the ToS priority and DSCP
CoS
IEEE802.1Q-based VLAN packets are modifications of Ethernet packets. A 4-byte 802.1Q
header is added between the source MAC address and protocol type, as shown in Figure 7-4.
The 802.1Q header consists of a 2-byte Tag Protocol Identifier (TPID, valuing 0x8100) filed
and a 2-byte Tag Control Information (TCI) field.
Figure 7-4 Structure of a VLAN packet

280
Raisecom
The first 3 bits of the TCI field represent CoS, which ranges from 0 to 7, as shown in Figure
7-5. CoS is used to guarantee QoS on the Layer 2 network.
Figure 7-5 Structure of CoS
7.1.4 Traffic policy

After performing traffic classification on packets, you need to perform different operations on
packets of different categories. A traffic policy is formed when traffic classifiers are bound to
traffic behaviours.
Rate limiting based on traffic policy

Rate limiting refers to controlling network traffic, monitoring the rate of traffic entering the
network, and discarding overflow part, so it controls ingress traffic in a reasonable range, thus
protecting network resources and carrier interests.
The ISCOM2600G series switch supports rate limiting based on traffic policy in the ingress
direction on the interface.
The ISCOM2600G series switch supports using token bucket for rate limiting, including
single-token bucket and dual-token bucket.
Redirection
Redirection refers to redirecting packets to a specified interface, instead of forwarding packets
according to the mapping between the original destination address and interface, thus
implementing policy routing.
The ISCOM2600G series switch supports redirecting packets to the specified interface for
forwarding in the ingress direction of the interface.
Remarking
Remarking refers to configuring some priority fields in packets again and then classifying
packets by user-defined standards. Besides, downstream nodes on the network can provide
differentiated QoS service according to remarking information.
The ISCOM2600G series switch supports remarking packets by the following priority fields:
 IP precedence
 DSCP
 CoS
Traffic statistics
Traffic statistics is used to gather statistics about data packets of a specified service flow; in
other words, the number of packets and bytes matching traffic class that pass the network or
are discarded.

281
Raisecom
Traffic statistics is not a QoS control measure, but can be used in combination with other QoS
actions to improve network supervision.
7.1.5 Priority mapping

Priority mapping refers to sending packets to different queues with different local priorities
according to pre-configured mapping from external priority to local priority. Therefore,
packets in different queues can be scheduled on the egress interface.
The ISCOM2600G series switch supports performing priority mapping based on DSCP of IP
packets or CoS of VLAN packets. The Traffic-Class field of IPv6 packets corresponds to
DSCP of IPv4 packets. The mapping from DSCP to local priority is applicable to IPv6 packets.
Take the first 6 bits of the Traffic-Class field for use.
By default, the mapping from the DSCP or CoS to local priority of the ISCOM2600G series
switch is listed in Table 7-1 and Table 7-2.
Table 7-1 Mapping from DSCP or CoS to local priority

Local priority 0 1 2 3 4 5 6 7
DSCP 0–7 8–15 16–23 24–31 32–39 40–47 48–55 56–63
CoS 0 1 2 3 4 5 6 7
Local priority refers to a kind of packet priority with internal meaning assigned by the
ISCOM2600G series switch and is the priority corresponding to queue in QoS queue
scheduling.
Local priority ranges from 0 to 7. Each interface of the ISCOM2600G series switch supports
8 queues. Local priority and interface queue are in one-to-one mapping. The packet can be
sent to the assigned queue according to the mapping between local priority and queue, as
shown in Table 7-2.
Table 7-2 Mapping between local priority and queue

Queue 1 2 3 4 5 6 7 8
7.1.6 Queue scheduling

The ISCOM2600G series switch needs to perform queue scheduling when delay-sensitive
services need better QoS services than non-delay-sensitive services and when the network is
congested once in a while.
Queue scheduling adopts different scheduling algorithms to send packets in a queue.
Scheduling algorithms supported by the ISCOM2600G series switch include Strict-Priority
(SP), Weight Round Robin (WRR), Deficit Round Robin (DRR), SP+WRR, and SP+DRR.
All scheduling algorithms are designed for addressing specified traffic problems. And they
have different effects on bandwidth distribution, delay, and jitter.

282
Raisecom
 SP: the ISCOM2600G series switch strictly schedules packets in a descending order of
priority. Packets with lower priority cannot be scheduled until packets with higher
priority are scheduled, as shown in Figure 7-6.
Figure 7-6 SP scheduling
 WRR: on the basis of scheduling packets in a polling manner according to the priority,
the ISCOM2600G series switch schedules packets according to the weight (based on
bytes) of the queue, as shown in Figure 7-7.
Figure 7-7 WRR scheduling
 DRR: similar with WRR, on the basis of scheduling packets in a polling manner
according to the scheduling sequence, the ISCOM2600G series switch schedules packets
according to the weight of the queue (based on packet), as shown in DRR scheduling

283
Raisecom
Figure 7-8 DRR scheduling
 SP+WRR: a scheduling mode combining the SP scheduling and WRR scheduling. In this
mode, queues on an interface are divided into 2 groups. You can specify the queues
where SP scheduling/WRR scheduling is performed.
 SP+DRR: a scheduling mode combining the SP scheduling and DRR scheduling. In this
mode, queues on an interface are divided into 2 groups. You can specify the queues
where SP scheduling/DRR scheduling is performed.
7.1.7 Congestion avoidance

By monitoring utilization of network resources (queues/memory buffer), congestion
avoidance can discard packets actively when congestion occurs or network traffic increases. It
is a traffic control mechanism that is used to resolve network overload by adjusting network
traffic.
The traditional packet loss policy uses the Tail-Drop mode to process all packets equally
without differentiating class of services. When congestion occurs, packets at the end of a
queue are discarded until congestion is resolved.
This Tail-Drop policy may cause TCP global synchronization, making network traffic change
between heavy and low and affecting link utilization.
RED
Random Early Detection (RED) discards packets randomly and prevents multiple TCP
connection from reducing transmission rate simultaneously to avoid TCP global
synchronization.
The RED algorithm configures a minimum threshold and maximum threshold for length of
each queue. In addition:
 Packets are not discarded when the queue length is smaller than the minimum threshold.
 All received packets are discarded when the queue length is greater than the maximum
threshold.
 Packets to be received are discarded randomly when the queue length is between the
minimum and maximum thresholds. The greater the queue size is, the higher the packet
drop probability is.

284
Raisecom
7.1.8 Traffic shaping

When the rate of the interface on the downstream device is smaller than that of the interface
on the upstream device, traffic congestion may occur on the interface on the downstream
device. In this case, you can configure traffic shaping in the egress direction of the interface
on the upstream device to shape the irregular traffic from the upstream device and to output a
regular traffic, thus avoiding traffic congestion on the downstream device.
Traffic shaping is a traffic control technology applied to queues on the interface. It can limit
the rate of all packets on the specified queue on the interface. It caches excess packets when
the configured bandwidth is exceeded, and forwards them when the bandwidth for these
packets is available. It discards packets if all packets exceed the length of the cached queue.
7.1.9 Rate limiting based on interface and VLAN

The ISCOM2600G series switch supports rate limiting both based on traffic policy, interface,
or VLAN ID. Similar to rate limiting based on traffic policy, the ISCOM2600G series switch
discards the excess traffic.
7.1.10 QoS enhancement

QoS enhancement is a subfunction of QoS and is more flexible than basic QoS. It is widely
used on switches.
QoS enhancement has the following functions:
 Ingress interface
– Bandwidth guarantee: QoS enhancement implements the bandwidth service based on
interface or flow. It also supports hierarchical bandwidth guarantee and refining
bandwidth of different service flows.
– Awaring: this function determines whether to conduct color-aware of packets when a
flow enters the bandwidth-guaranteed interface.
 Egress interface
– Bandwidth guarantee: bandwidth service based on interface or flow is implemented.
QoS enhancement does not support hierarchical bandwidth guarantee.
– Marking: this function determines whether to mark a packet with color when a flow
leaves the bandwidth-guaranteed interface.
Bandwidth guarantee
The bandwidth guarantee function guarantees that the traffic entering the network is within
the defined range, and it discards or schedules packets. Bandwidth guarantee can meet users'
requirements on service bandwidth, and also protect network resources and carriers' benefits.
By configuring the bandwidth guarantee profile and applying it to an interface, you can mark
different flows green, yellow, and red. The ISCOM2600G series switch takes different actions
over flows of different colors: forward green flows, schedule yellow flows, and discard red
flows.
Hierarchical bandwidth guarantee

Hierarchical bandwidth guarantee is a more flexible bandwidth guarantee. You can configure
guaranteed bandwidth for each flow independently and even configure guaranteed bandwidth
for sum of multiple flows through hierarchical bandwidth guarantee.
285
Raisecom
Color-aware and marking

If enabled with color-aware, the ISCOM2600G series switch is in color-aware status, in which
it can identify whether the ingress flow is marked with color. If disabled with color-aware, the
ISCOM2600G series switch is in color-blind status, in which it can neglect whether the
ingress flow is marked with color, but identify the flow color again.
The function of color marking judges the color of a flow according to Committed Information
Rate (CIR), Committed Burst Size (CBS), Excess Information Rate (EIR), and Excess Burst
Size (EBS) configured in the bandwidth guarantee profile, and modifies the flag bit to mark it
with color according to the packet format defined in IEEE 802.1ad.
7.2 Configuring priority

Scenario
You can choose to trust the priority carried by packets from an upstream device, or process
packets with untrusted priority through the traffic class and traffic policy. After being
configured to priority trust mode, the ISCOM2600G series switch processes packets
according to their priorities and provides services accordingly.
To specify local priority for packets is the prerequisite for queue scheduling. For packets from
the upstream device, you can not only map the external priority carried by packets to different
local priorities, but also configure local priority for packets based on interface. Then the
ISCOM2600G series switch will conduct queue scheduling according to local priority of
packets. Generally, IP packets need to be configured with mapping from IP precedence/DSCP
to local priority; while VLAN packets need to be configured with mapping from CoS to local
priority.
Prerequisite
N/A
7.2.2 Default configurations of basic QoS

Default configurations of basic QoS are as below.

Global QoS status Enable
Interface trust priority type Trust CoS
Mapping from CoS to local priority See Table 7-3.
Mapping from DSCP to local priority See Table 7-4.
Mapping from local priority to CoS See Table 7-5.
Interface priority 0

286
Raisecom
Table 7-3 Default mapping from CoS to local priority

CoS 0 1 2 3 4 5 6 7
Local 0 1 2 3 4 5 6 7
priority (green) (green) (green) (green) (green) (green) (green) (green)
Table 7-4 Default mapping from DSCP to local priority

DSCP 0–7 8–15 16–23 24–31 32–39 40–47 48–55 56–63
Local 0 1 2 3 4 5 6 7
priority (green) (green) (green) (green) (green) (green) (green) (green)
Table 7-5 Default mapping from local priority to CoS

CoS 0 1 2 3 4 5 6 7
7.2.3 Configuring types of priorities trusted by interface

Configure types of priorities trusted by interface for the ISCOM2600G series switch as below.

gigaethernet 1/1/1
3 Raisecom(config- Configure types of priorities trusted by
gigaethernet1/1/*)#mls qos interface.
trust { cos | dscp | dscp-
 cos: trust CoS priority which exists in the
or-cos | port-priority }
Example: header of the 802.1Q packet.
 dscp: trust DSCP priority which exists in
Raisecom(config-
gigaethernet1/1/1)#mls qos the header of the IP packet.
 dscp-or-cos: trust DSCP priority of CoS
trust dscp
priority. Layer 3 packets trust DSCP
priority and Layer 2 packets trust CoS
priority.
 port-priority: priority trusted by the
interface

287
Raisecom

4 Raisecom(config- Configure the interface priority.
gigaethernet1/1/*)#mls qos
 priority-value: interface priority, an
priority priority-value
Raisecom(config-
gigaethernet1/1/1)#mls qos
priority 2
7.2.4 Configuring mapping from CoS to local priority

Configure the mapping from CoS to local priority and color for the ISCOM2600G series
switch as below.

2 Raisecom(config)#mls qos Create a profile of mapping from CoS to
mapping cos-to-local-priority local priority, and enter cos-to-pri
profile-id configuration mode.
Example:
 profile-id: profile ID, an integer,
Raisecom(config)#mls qos
mapping cos-to-local-priority ranging from 1 to 7
1
3 Raisecom(cos-to-pri)#cos cos- (Optional) modify the profile of mapping
value to local-priority from CoS to local priority and color.
localpri-value [ color { green
 cos-value: CoS priority, an integer,
| red | yellow } ]
 localpri-value: local priority, an
Raisecom(cos-to-pri)#cos 2 to
local-priority 3 color red integer, ranging from 0 to 7
 green: specify the green.
 red: specify the red.
 yellow: specify the yellow.
4 Raisecom(cos-to-pri)#exit Enter physical interface configuration

Raisecom(config)#interface mode, or aggregation group
interface-type interface- configuration mode. Take physical
number interface configuration mode for
Example: example.
gigaethernet 1/1/1
5 Raisecom(config- Apply the profile of mapping from CoS
gigaethernet1/1/*)#mls qos to local priority on the interface.
cos-to-local-priority profile-
id [ dei { enable |
disable } ] ranging from 1 to 7
 enable: enable the function of marking
Example:
Raisecom(config- egress packets with a color on the
gigaethernet1/1/1)#mls qos interface.
 disable: disable the function of marking
cos-to-local-priority 1
egress packets with a color on the
interface.

288
Raisecom
7.2.5 Configuring mapping from DSCP to local priority and color

Configure the mapping from DSCP to local priority and color for the ISCOM2600G series
switch as below.

2 Raisecom(config)#mls qos Create a profile of mapping from DSCP
mapping dscp-to-local-priority to local priority, and enter dscp-to-pri
profile-id configuration mode.
Example:
mapping dscp-to-local-priority ranging from 1 to 7
1
3 Raisecom(dscp-to-pri)#dscp (Optional) modify the profile of
dscp-value to local-priority mapping from DSCP to local priority
localpri-value [ color { green and color.
| red | yellow } ]
 dscp-value: DSCP priority, an integer,
Example:
Raisecom(dscp-to-pri)#dscp 2 ranging from 0 to 63
to local-priority 3 color red
 green: specify the green.
 red: specify the red.
 yellow: specify the yellow.

interface-type interface- configuration mode. Take physical
number interface configuration mode for
Example: example.
gigaethernet 1/1/1
5 Raisecom(config- Apply the profile of mapping from
gigaethernet1/1/*)#mls qos DSCP to local priority on the interface.
dscp-to-local-priority The profile used in this configuration is
profile-id the same profile used by DSCP
Example: mutation.
Raisecom(config-
dscp-to-local-priority 1 ranging from 1 to 7
7.2.6 Configuring DSCP mutation

Configure DSCP mutation for the ISCOM2600G series switch as below.


289
Raisecom

2 Raisecom(config)#mls qos mapping Create a DSCP mutation mapping
dscp-mutation profile-id profile, and enter dscp mutation
Example: configuration mode.
Raisecom(config)#mls qos mapping
dscp-mutation 1
ranging from 1 to 7
3 Raisecom(dscp-mutation)#dscp dscp- (Optional) modify the DSCP
value to new-dscp dscp-value mutation profile. The profile used
Example: in this configuration is the same
Raisecom(dscp-mutation)#dscp 2 to profile used by the mapping from
new-dscp 20 DSCP to local priority.
 dscp-value: DSCP priority, an
4 Raisecom(cos-to-pri)#exit Enter physical interface
Raisecom(config)#interface configuration mode, or
interface-type interface-number aggregation group configuration
Example: mode. Take physical interface
Raisecom(config)#interface configuration mode for example.
gigaethernet 1/1/1
5 Raisecom(config- Apply the DSCP mutation profile
gigaethernet1/1/*)#mls qos dscp- on the interface.
mutation profile-id
Example:
gigaethernet1/1/1)#mls qos dscp-
mutation 1
7.2.7 Configuring CoS remarking

Configure CoS remarking for the ISCOM2600G series switch as below.


290
Raisecom

3 Raisecom(config- Enable or disable mapping from local
gigaethernet1/1/*)#mls qos cos- priority to CoS.
remark-mapping { enable |
 enable: enable mapping from local
disable } [ dei { enable |
disable } ] priority to CoS.
 disable: disable mapping from local
Raisecom(config-
gigaethernet1/1/*)#exit priority to CoS.
 dei enable: enable the function of
Example:
Raisecom(config- marking egress packets with a color
gigaethernet1/1/1)#mls qos cos- on the interface.
 dei disable: disable the function of
remark-mapping enable
marking egress packets with a color
on the interface.
4 Raisecom(config)#mls qos Create a CoS remarking profile, and
mapping cos-remark profile-id enter cos-remark configuration mode.
Example:
mapping cos-remark 1 ranging from 1 to 7
5 Raisecom(cos-remark)#local- Modify the CoS remarking profile.
priority localpri-value to cos
cos-value
 cos-value: CoS priority, an integer,
Raisecom(cos-remark)#local-
priority 2 to cos 3 ranging from 0 to 7
interface-type interface-number configuration mode. Take physical
Example: interface configuration mode for
Raisecom(config)#interface example.
gigaethernet 1/1/1
7 Raisecom(config- Apply the DSCP remarking profile on
gigaethernet1/1/*)#mls qos cos- the interface.
remark profile-id
Example: profile-id: profile ID, an integer,
gigaethernet1/1/1)#mls qos cos-
remark 1


1 Raisecom#show mls qos interface Show QoS priority, trust mode, and
[ interface-type interface- scheduling mode on the interface.
number ]
2 Raisecom#show mls qos mapping Show information about mapping from
cos-to-local-priority [ default CoS to local priority and color profile.
| profile-id ]

291
Raisecom

3 Raisecom#show mls qos mapping Show information about mapping from
dscp-to-local-priority DSCP to local priority and color
[ default | profile-id ] profile.
4 Raisecom#show mls qos mapping Show mapping information about the
dscp-mutation [ profile-id ] DHCP mutation profile
5 Raisecom#show mls qos mapping Show information about the CoS
cos-remark [ default | profile- remarking profile.
id ]
7.3 Configuring congestion management

Scenario
When the network is congested, you can configure queue scheduling if you want to:
 Balance delay and delay jitter of various packets, preferentially process packets of key
services (such as video and voice).
 Fairly process packets of secondary services (such as Email) with identical priority.
 Process packets of different priorities according to respective weight values.
The scheduling algorithm to be chosen depends on the current service condition and customer
requirements.
Prerequisite
Enable global QoS.
7.3.2 Default configurations of congestion management

Default configurations of congestion management are as below.

Queue scheduling mode SP
 WRR weight for scheduling 8 queues is 1.
Queue weight
 DRR weight for scheduling 8 queues is 81.
7.3.3 Configuring SP queue scheduling

Configure SP queue scheduling for the ISCOM2600G series switch as below.

292
Raisecom

gigaethernet 1/1/1
3 Raisecom(config- Configure queue scheduling mode as SP
gigaethernet1/1/*)#mls qos on the interface.
queue scheduler sp
7.3.4 Configuring WRR or SP+WRR queue scheduling

Configure WRR or SP+WRR for the ISCOM2600G series switch as below.

3 Raisecom(config- Configure queue scheduling mode as
gigaethernet1/1/*)#mls qos queue WRR on the interface and the weight
scheduler wrr weigh1 weight2 for each queue.
weight3…weight8
 weight1–weight8: weight, an
Example:
Raisecom(config- integer, ranging from 0 to 127, with
gigaethernet1/1/1)#mls qos queue the value 0 indicating the SP queue
scheduler wrr 1 1 1 1 1 1 1 1
7.3.5 Configuring DRR or SP+DRR queue scheduling

Configure DRR or SP+DRR for the ISCOM2600G series switch as below.


293
Raisecom

3 Raisecom(config- Configure queue scheduling mode as
gigaethernet1/1/*)#mls qos DRR, and configure weight for
queue scheduler drr weigh1 various queues.
weight2 weight3…weight8
Example: Conduct SP scheduling when priority
Raisecom(config- of a queue is 0.
gigaethernet1/1/1)#mls qos  weight1–weight8: weight, an
queue scheduler drr 1 1 1 1 1 1 integer, ranging from 0 to 127
1 1
7.3.6 Configuring queue bandwidth guarantee

Configure queue bandwidth guarantee for the ISCOM2600G series switch as below.

interface-type interface- mode, or aggregation group
number configuration mode. Take physical
gigaethernet 1/1/1
3 Raisecom(config- (Optional) configure queue bandwidth
gigaethernet1/1/*)#mls qos guarantee on the interface and configure
queue queue-id shaping cir burst size.
cir-value cbs cbs-value
 queue-id: queue ID, an integer, ranging
Example:
 cir-value: CIR, an integer, ranging from
queue 2 shaping cir 2000 cbs 0 to 10000000, in units of kbit/s
 cbs-value: PIR, an integer, ranging
200
from 1 to 262144, in units of Kbyte


294
Raisecom

1 Raisecom#show mls qos queue interface Show the weight of queues
interface-type interface-number on the interface.
2 Raisecom#show mls qos queue statistics Show statistics about
interface interface-type interface- queues on the interface.
number
3 Raisecom#show mls qos queue shaping Show queue shaping on the
interface interface-type interface-list interface.
7.4 Configuring congestion avoidance

Scenario
To avoid network congestion and solve the problem of TCP global synchronization, you can
configure congestion avoidance to adjust network flow and relieve network overload.
The ISCOM2600G series switch conducts congestion avoidance based on WRED.
Prerequisite
Enable global QoS.
7.4.2 Default configurations of congestion avoidance

Default configurations of congestion avoidance are as below.

Global WRED status Enable
7.4.3 Configuring SRED

Configure SRED for the ISCOM2600G series switch as below.

2 Raisecom(config)#mls qos sred Create a SRED profile, and enter
profile profile-id SRED configuration mode.
Example:
 profile-id: SRED profile ID, an
Raisecom(config)#mls qos sred
profile 1 integer, ranging from 1 to 8

295
Raisecom

3 Raisecom(sred)#sred [ color { red Modify the SRED profile.
| yellow } ] start-drop-threshold
 red: red packets
start-drop-value drop-probability
 yellow: yellow packets
drop-probability-value
 start-drop-value: start-drop
Example:
Raisecom(sred)#sred start-drop- threshold, ranging from 0 to 100
 drop probability value: discard
threshold 20 drop-probability 5
probability, an integer, ranging
from 0 to 7
5 Raisecom(config- Apply the SRED profile to the
gigaethernet1/1/*)#mls qos queue interface.
queue-id sred sredprofile-num
 queue-id: queue ID, an integer,
Example:
 sredprofile-num: SRED profile
gigaethernet1/1/1)#mls qos queue 2
sred 1 ID, an integer, ranging from 1 to
8


1 Raisecom#show mls qos sred Show information about the SRED
profile [ profile-list ] profile.
2 Raisecom#show mls qos queue Show SRED information about the
sred interface interface-type interface.
interface-number
7.5 Configuring traffic classification and traffic policy

Scenario
Traffic classification is the basis of QoS. You can classify packets from the upstream device
according to the priorities and ACL rules. After classification, the ISCOM2600G series switch
can perform corresponding operations on packets in different categories and provide
corresponding services.

296
Raisecom
A traffic classification rule will not take effect until it is bound to a traffic policy. You should
apply traffic policy according to current network loading conditions and period. Usually, the
ISCOM2600G series switch limits the rate for transmitting packets according to CIR when
packets enter the network, and remarks priority according to service feature of packets.
Prerequisite
Enable global QoS.
7.5.2 Default configurations of traffic classification and traffic policy

Default configurations of traffic classification and traffic policy are as below.

Traffic policy status Disable
Traffic policy statistics status Disable
7.5.3 Creating traffic class

Create a traffic class for the ISCOM2600G series switch as below.

2 Raisecom(config)#class- Create a traffic class and enter traffic
map class-map-name classification cmap configuration mode.
[ match-all | match-
 class-map: name of the traffic class, a string
any ]
Example: of 1 to 16 characters
 match-all: specify match type to satisfy all
Raisecom(config)#class-
map class1 match-all defined classification rules.
 match-any: specify match type to satisfy one
defined or more defined classification rules.

3 Raisecom(config- (Optional) configure the description of the
cmap)#description string traffic class.
Example:
Raisecom(config-
cmap)#description this- characters
is-a-test-class-map
7.5.4 Configuring traffic classification rules

Configure traffic classification rules for the ISCOM2600G series switch as below.


297
Raisecom

2 Raisecom(config)#class- Create a traffic class and enter traffic
map class-map-name classification cmap configuration mode.
[ match-all | match-
 class-map: name of the traffic class, a string
any ]
 match-all: specify match type to satisfy all
Raisecom(config)#class-
map class1 match-all defined classification rules.
 match-any: specify match type to satisfy one
defined or more defined classification rules.

3 R Raisecom(config- (Optional) configure the traffic classification
cmap)#match access-list based on the ACL rule. The ACL rule must be
{ acl-number | name defined firstly and the type must be permit.
word }
 acl-number: number of ACL list, in form of
Raisecom(config-
cmap)#exit integer
– When the value ranges from 1000 to 1999,
Example:
Raisecom(config- it means basic IP ACL.
cmap)#match access-list
1001 it means extended IP ACL.
it means MAC ACL.

it means MAP ACL.

it means IPv6 ACL.

it means IPv6 extended ACL.

 name word: ACL name
4 Raisecom(config- (Optional) configure the traffic class based on

cmap)#match cos cos- CoS of packets.
value
 cos-value: classify packets based on CoS
Example:
Raisecom(config- values. The cos-value indicates the CoS value.
cmap)#match cos 1 It is an integer ranging from 0 to 7.
cmap)#match inner-vlan inner VLAN of packets.
inner-vlan-value
 inner-vlan-value: classify packets based on
Example:
Raisecom(config- inner and outer VLANs. The inner-vlan-value
cmap)#match inner-vlan 2 indicates the inner VLAN ID. It is an integer
cmap)#match vlan vlan-id VLANs of packets.
[ vlan-mask ]
 vlan-id: classify packets based on VLANs.
Example:
Raisecom(config- The vlan-id indicates VLAN ID. It is an
cmap)#match vlan 3 integer ranging from 1 to 4094.
 vlan-mask: VLAN mask, in hexadecimal
notation
cmap)#match dscp dscp- DSCP rule.
value
 dscp-value: classify packets based on DSCP
Example:
Raisecom(config- values. The dscp-value indicates the DSCP
cmap)#match dscp 4 value. It is an integer ranging from 0 to 63.
298
Raisecom

8 Raisecom(config)#policy- (Optional) configure the traffic class based on
map policy-map-name traffic policy.
Raisecom(config-
pmap)#class-map class- The traffic policy must have been created, and it
map-name matching type must be consistent with the
Example: matching type of the traffic class.
Raisecom(config)#policy-  policy-map-name: name of the traffic policy,
map policy1 a string of 1 to 16 characters
Raisecom(config-  class-map-name: name of the traffic class, a
pmap)#class-map class1 string of 1 to 16 characters
 Traffic classification rules must be created for the traffic class; in other words, the
match parameter must be configured.
 For the traffic class quoted by a traffic policy, do not modify the traffic classification
rule; in other words, do not modify the match parameter of the traffic class.
7.5.5 Creating rate limiting rule and shapping rule

To limit rate of packets based on traffic policy, create a token bucket, configure rate limiting
and shaping rules on the token bucket, quote these rules to the traffic class bound to the traffic
policy.
Create rate limiting rules and shaping rule for the ISCOM2600G series switch as below.

2 Raisecom(config)#mls Create a traffic policer profile, and enter traffic-
qos policer-profile policer configuration mode.
policer-name [ single
 policer-name: name of traffic policing profile, a
| hierarchy |
aggregate ] string of 1 to 16 characters
 single: specify the traffic regulation mode as
Example:
Raisecom(config)#mls single.
 aggregate: specify the traffic regulation mode as
qos policer-profile tb
single aggregate token bucket.
 hierarchy: specify the traffic regulation mode as
hierarchy token bucket.

299
Raisecom

3 Raisecom(traffic- (Optional) configure flow mode token bucket
policer)#cir cir cbs parameters.
cbs
 cir: committed information rate. The cir is an
Example:
Raisecom(traffic- integer ranging from 0 to 10000000, in units of
policer)#cir 20 cbs 30 kbit/s.
 cbs: committed burst size. The cbs is an integer
ranging from 1 to 262144, in units of Kbyte.
Flow mode token bucket is single token

bucket, only supporting to configure red and
green packets operation.
4 Raisecom(traffic- (Optional) configure RFC2697 mode token bucket
cbs ebs ebs
Example:
ebs 30
 ebs: excess burst size. The ebs is an integer

5 Raisecom(traffic- (Optional) configure RFC2698 mode token bucket
cbs pir pir pbs pbs
Example:
pir 20 pbs 30
 pir: peak information rate. The pir is an integer

 pbs: peak burst size. The pbs is an integer ranging
from 1 to 262144, in units of Kbyte.

6 Raisecom(traffic- (Optional) configure RFC4115 mode or MEF
policer)#cir cir cbs token bucket parameters.
cbs eir eir ebs ebs
[ coupling ]
Example: integer ranging from 1 to 10000000, in units of
Raisecom(traffic- kbit/s.
policer)#cir 20 cbs 30
eir 20 ebs 30 ranging from 1 to 262144, in units of Kbyte.
 eir: excess information rate. The eir is an integer
ranging from 1 to 10000000, in units of kbit/s.

 ebs: excess burst size. The ebs is an integer

300
Raisecom

7 Raisecom(traffic- (Optional) configure the color mode of the token
policer)#color-mode bucket.
{ aware | blind }
 aware: color aware mode
Example:
 blind: color blind mode
Raisecom(traffic-
policer)#color-mode
blind
8 Raisecom(traffic- (Optional) configure the token bucket to discard
policer)#drop-color packets with any color.
red
 red: discard red packets.
Example:
Raisecom(traffic-
policer)#drop-color
red
9 Raisecom(traffic- (Optional) configure packet recoloring.
policer)#recolor
 green-recolor: recolor green packets.
green-recolor { yellow
 red-recolor: recolor red packets.
| red } [ red-recolor
 red: recolor packets with red.
{ green | yellow } ]
 green: recolor packets with green.
Raisecom(traffic-
 yellow: recolor packets with yellow.
policer)#recolor red-
recolor { green |
yellow }
Example:
Raisecom(traffic-
policer)#recolor
green-recolor red
10 Raisecom(traffic- (Optional) configure the mapping from packets
policer)# set-cos color to CoS.
[ green cos ] red
 green cos: specify the CoS value mapped to green
Example:
Raisecom(traffic- packets. It is an integer ranging from 0 to 7.
 red cos: specify the CoS value mapped to red
policer)#set-cos red 2
packets. It is an integer ranging from 0 to 7.
policer)#set-dscp color to DSCP.
[ green green-value ]
 green-value: specify the DSCP value mapped to
red red-value
Example: green packets. It is an integer ranging from 0 to
Raisecom(traffic- 63.
 red-value: specify the DSCP value mapped to red
policer)#set-dscp red
2 packets. It is an integer ranging from 0 to 63.
policer)#set-pri color to local priority.
[ green green-value ]
 green-value: specify the local priority mapped to
red red-value
Example: green packets. It is an integer ranging from 0 to 7.
 red-value: specify the local priority mapped to
Raisecom(traffic-
policer)#set-pri red 2 red packets. It is an integer ranging from 0 to 7.

301
Raisecom
7.5.6 Creating traffic policy

Create a traffic policy for the ISCOM2600G series switch as below.

2 Raisecom(config)#policy-map Create a traffic policy, and enter traffic
policy-map-name policy pmap configuration mode.
Example:
 policy-map-name: name of the traffic
Raisecom(config)#policy-map
policy1 policy, a string of 1 to 16 characters
3 Raisecom(config- (Optional) configure the description of
pmap)#description string the traffic policy.
Example:
 string: description, a string of 1 to
Raisecom(config-
pmap)#description this-is-a- 255 characters
test-policy-map
7.5.7 Defining traffic policy mapping
Define one or more defined traffic classes to one traffic policy.

Define traffic policy mapping for the ISCOM2600G series switch as below.

2 Raisecom(config)#policy-
Create a traffic policy, and enter traffic policy
map policy-map-name
pmap configuration mode.
Example:
 policy-map-name: name of the traffic policy, a
Raisecom(config)#policy-
map policy1 string of 1 to 16 characters
3 Raisecom(config- Bind a traffic class with a traffic policy. The
pmap)#class-map class- traffic policy is applied to the packets matching
map-name the traffic class.
Example:
 class-map-name: name of the traffic class, a
Raisecom(config-
pmap)#class-map class1 string of 1 to 16 characters
At least one rule is required for the traffic

class to be bount with a traffic policy,
otherwise the binding will fail.

302
Raisecom
7.5.8 Defining traffic policy operation
Define different operations to different flows in policy.

Define a traffic policy operation for the ISCOM2600G series switch as below.

2 Raisecom(config)#poli
cy-map policy-map- Create a traffic policy, and enter traffic policy pmap
name configuration mode.
Example:  policy-map-name: name of the traffic policy, a
Raisecom(config)#poli string of 1 to 16 characters
cy-map policy1
3 Raisecom(config- Bind a traffic class with a traffic policy. The traffic
pmap)#class-map policy is applied to the packets matching the traffic
class-map-name class.
Example:
 class-map-name: name of the traffic class, a string
Raisecom(config-
pmap)#class-map of 1 to 16 characters
class1
At least one rule is required for the traffic

class to be bound with the traffic policy,
otherwise the binding will fail.
4 Raisecom(config-pmap- (Optional) apply the token bucket on traffic policy
c)#police policer- and conduct rate limiting and shaping.
name [ hierarchy-
 policier-name: name of the traffic policier, a string
police hierarchy-
police-name mode of 1 to 16 characters
 hierarchy-police hierarchy-police-name: name of
{ and | or } ]
Example: the hierarchical policier, a string of 1 to 16
Raisecom(config-pmap- characters
 mode: hierarchical token bucket mode
c)#police policer1
 and: the hierarchical token bucket mode is and.
 or: the hierarchical token bucket mode is or.
The token bucket needs to be created in

advance and be configured with rate limiting
and shaping rules. Otherwise, the operation
will fail.

303
Raisecom

5 Raisecom(config-pmap-
(Optional) configure redirection rules under the
c)#redirect-to
traffic class, forwarding classified packets from
interface-type
assigned interface.
interface-number |
next-hop next-hop-
 interface-number: interface ID. The type and
ipaddress }
Example: value range depend on the interface type.
 next-hop next-hop-ipaddress: IP address of the
Raisecom(config-pmap-
c)#redirect-to next hop, in dotted decimal notation, such as
gigaethernet 1/1/1 10.1.1.1
6 Raisecom(config-pmap- (Optional) configure remarking rules under the
c)#set { cos cos- traffic class, modify packet CoS, local priority,
value | dscp dscp- inner VLAN, DSCP, IP precedence, and VLAN ID.
value | local-
 cos-value: new CoS priority. The cos-value is an
priority value }
Example: integer ranging from 0 to 7.
 dscp-value: new DSCP. The dscp-value is an
c)#set cos 5 integer ranging from 0 to 63.
 value: new local priority. The value is an integer
c)#copy-to-mirror (Optional) configure traffic mirroring to the monitor
group-id interface.
Example:  group-id: ID of the port mirroring group, an
Raisecom(config-pmap- integer, ranging from 1 to 4
c)#copy-to-mirror 1
(Optional) configure traffic statistic rules under the
c)#statistics
traffic class, statistic packets for the matched traffic
class.
Example:
 enable: enable traffic statistics.
 disable: disable traffic statistics.
c)#statistics enable
9 Raisecom(config-pmap- (Optional) configure traffic to be forwarded to the
c)#forward-to-cpu CPU.
7.5.9 Applying traffic policy to interfaces

Apply a traffic policy to the interface for the ISCOM2600G series switch as below.

interface-type interface- mode, VLAN interface configuration
number mode, or aggregation group configuration
Example: mode. Take physical interface
Raisecom(config)#interface configuration mode for example.
gigaethernet 1/1/1

304
Raisecom

3 Raisecom(config- Apply the configured traffic policy to the
gigaethernet1/1/*)#service- ingress or egress direction of the interface.
policy ingress policy-map-
 policy-map-name: policy name, a string
name
Raisecom(config-
gigaethernet1/1/1)#service-
policy ingress policy1
4 Raisecom(config- Return to global configuration mode.
5 Raisecom(config)#interface Enter aggregation group interface
port-channel channel-number configuration mode.
6 Raisecom(config-port- Apply the configured traffic policy to the
channel*)#service-policy interface.
ingress policy-map-name
7 Raisecom(config-port- Return to global configuration mode.
channel*)#exit
8 Raisecom(config)#service- Apply the traffic policy to the VLAN.
policy { ingress | egress }
policy-map-name vlanlist
vlan-list


1 Raisecom#show service-policy Show statistics about applied
statistics interface { interface-type traffic policy.
interface-number | vlan vlan-id }
ingress [ class-map class-map-name ]
2 Raisecom#show service-policy interface Show information about the
[ interface-type interface-number applied traffic policy.
[ ingress ] | vlan vlan-id
[ ingress ] ]
3 Raisecom#show class-map [ class-map- Show information about the
name ] traffic class.
4 Raisecom#show policy-map [ policy-map- Show information about traffic
name ] policy.
5 Raisecom#show policy-map [ policy-map- Show information about the
name ] [ class class-map-name ] traffic class in the traffic
policy.
6 Raisecom#show mls qos policer Show information about the
[ policer-name ] assigned token bucket (rate
limiting and shaping).

305
Raisecom
7.5.11 Maintenance
Command Description
Raisecom(config)#clear service-policy Clear statistics on QoS packets.
statistics interface interface-type
interface-number ingress
Example:
 ingress: clear statistics on traffic
Raisecom(config)#clear service-policy
statistics interface gigaethernet policies in the ingress direction of the
1/1/1 ingress interface.
7.6 Configuring traffic shaping and rate limiting

Scenario
When the network is congested, you want to restrict burst flow on an interface or VLAN to
make packets transmitted at a well-proportioned rate to remove network congestion. In this
case, you need to configure rate limiting.
Prerequisite
N/A
7.6.2 Configuring rate limiting based on interface

Configure rate limiting based on interface for the ISCOM2600G series switch as below.

number
Example:
gigaethernet 1/1/1

306
Raisecom

3 Raisecom(config- Configure rate limiting based on interface.
gigaethernet1/1/*)#rate-
 egress: rate limiting in the egress
limit { ingress | egress }
cir cir-value cbs cbs-value direction
 ingress: rate limiting in the ingress
Example:
Raisecom(config- direction
 cir-value: committed information rate.
gigaethernet1/1/1)#rate-
limit egress cir 100 cbs 20 The cir-value is an integer ranging from
0 to 10000000, in units of kbit/s.
 cbs-value: committed burst size. The cbs-
value is an integer ranging from 1 to

262144, in units of Kbytes.
5 Raisecom(config)#rate-limit Configure the rate limiting mode.
mode { l1 | l2 }
 l1: physical layer mode
Example:
 l2: data link layer mode
Raisecom(config)#rate-limit
mode l1
 By default, no interface-based rate limiting is configured.

 Adopt the drop processing mode for packets on the ingress interface if they
exceed the configured rate limit.
 When you configure the rate limit and burst for an interface, the burst value should
not be much greater if the configured rate limit is smaller than 256 kbit/s.
Otherwise, packets may be inconsecutive.
 When the rate limit is too small, we recommend that the burst value is 4 times
greater than then rate limit. If packets are inconsecutive, reduce the burst value or
increase the rate limit.
 Packets discarded due to rate limiting on the egress interface are included in
statistics about packet loss of the ingress interface.
7.6.3 Configuring rate limiting based on VLAN

Configure rate limiting based on VLAN for the ISCOM2600G series switch as below.

2 Raisecom(config)#interface Enter VLAN interface configuration mode.
vlan vlan-id
Example:
vlan 1

307
Raisecom

3 Raisecom(config- Configure rate limiting based on VLAN.
vlan*)#rate-limit ingress
 ingress: rate limiting in the ingress
cir cir-value cbs cbs-value
Example: direction
 cir-value: committed information rate. The
Raisecom(config-
vlan1)#rate-limit ingress cir-value is an integer ranging from 0 to
cir 100 cbs 20 10000000, in units of kbit/s.
 cbs-value: committed burst size. The cbs-
value is an integer ranging from 1 to

262144, in units of Kbyte.


1 Raisecom#show rate-limit interface
Raisecom#show rate-limit interface vlan Show configurations of

vlan-id [ ingress ] rate limiting on
Raisecom#show rate-limit interface interfaces.
interface-type interface-number [ ingress
| egress ]
2 Raisecom#show rate-limit mode Show the rate limiting
mode on the interface.
7.7 Bandwidth rate limiting

7.7.1 Introduction
Bandwidth rate limiting is a subfunction of QoS and is more flexible than basic QoS.
Bandwidth rate limiting has the following functions:
 Ingress interface
– Bandwidth guarantee: bandwidth rate limiting implements the bandwidth service
based on interface or flow. It also supports hierarchical bandwidth guarantee and
refining bandwidth of different service flows.
– Awaring: this function determines whether to be aware of packet color when a flow
enters the bandwidth-guaranteed interface.
 Egress interface
– Bandwidth guarantee: bandwidth service based on interface or flow is implemented.
Bandwidth rate limiting does not support hierarchical bandwidth guarantee.

308
Raisecom
Bandwidth guarantee
The bandwidth guarantee function guarantees that the traffic entering the network is within
the defined range, and it discards or schedules packets. Bandwidth guarantee can meet users'
requirements on service bandwidth, and also protect network resources and carriers' benefits.
By configuring the bandwidth guarantee profile and applying it to an interface, you can mark
different flows green, yellow, and red. The ISCOM2600G series switch takes different actions
over flows of different colors: forward green flows, schedule yellow flows, and discard red
flows.
Hierarchical bandwidth guarantee

Hierarchical bandwidth guarantee is more flexible. You can configure the token bucket action
or aggregation token bucket for each flow independently and then configure hierarchical
token buckets to limit the sum of multiple flows.
Color-aware and marking

If enabled with color-aware, the ISCOM2600G series switch is in color-aware status, in which
it can identify whether the ingress flow is marked with color. If disabled with color-aware, the
ISCOM2600G series switch is in color-blind status, in which it can neglect whether the
ingress flow is marked with color, but identify the flow color again.
The function of color marking judges the color of a flow according to Committed Information
Rate (CIR), Committed Burst Size (CBS), Excess Information Rate (EIR), and Excess Burst
Size (EBS) configured in the bandwidth guarantee profile, and modifies the flag bit to mark it
with color according to the packet format defined in IEEE 802.1ad.
Scenario
Bandwidth rate limiting is used to guarantee service bandwidth for users and protect network
resources and carriers' profits.
Prerequisite
N/A
7.7.3 Default configurations of bandwidth rate limiting

Default configurations of bandwidth rate limiting are as below.

Color awaring Disable

309
Raisecom
7.7.4 Configuring bandwidth guarantee
Creating bandwidth guarantee profile

Create a bandwidth guarantee profile for the ISCOM2600G series switch as below.

2 Raisecom(config)#bandwidth Create a bandwidth guarantee profile.
-profile bwp-profile-id
 bwp-profile-id: bandwidth guarantee profile
cir cir cbs cbs [ color-
aware ] ID, an integer, ranging from 1 to 128
 cir: committed information rate, an integer,
Raisecom(config)#bandwidth ranging from 0 to 10000000, in units of
-profile bwp-profile-id kbit/s
cir cir cbs cbs eir eir  cbs: committed burst size, an integer,
ebs ebs [ color-aware ranging from 1 to 262144, in units of Kbyte
[ coupling ] ]  eir: excess information rate, an integer,
Example: ranging from 1 to 10000000, in units of

Raisecom(config)#bandwidth kbit/s
-profile 1 cir 20 cbs 30  ebs: excess burst size, an integer, ranging
eir 20 ebs 30 color-aware from 1 to 262144, in units of Kbyte

 color-aware: packet color identification
mode
 coupling: bucket coupling
3 Raisecom(config)#bandwidth Configure the description of the bandwidth

-profile bwp-profile-id guarantee profile.
description word
Example:
Raisecom(config)#bandwidth ID, an integer, ranging from 1 to 128
 word: description, a string of 1–32
-profile 1 description
profile1 characters
gigaethernet 1/1/1
5 Raisecom(config- Apply the bandwidth guarantee profile on the
gigaethernet1/1/*)#bandwid interface.
th ingress bwp-profile-id
Example:
Raisecom(config-
gigaethernet1/1/1)#bandwid ID, an integer, ranging from 1 to 128
th ingress 2

310
Raisecom

6 Raisecom(config- Enable color-aware on packets in the ingress
gigaethernet1/1/*)#bandwid direction of the bandwidth guarantee
th color-aware { enable | interface.
disable } Use the disable form of this command to
Raisecom(config-  enable: enable color-aware on packets in the
gigaethernet1/1/1)#bandwid ingress direction of the bandwidth guarantee
th color-mode enable interface.
 disable: disable color-aware on packets in
the ingress direction of the bandwidth

guarantee interface.
Configuring bandwidth guarantee based on interface+VLAN

Configure bandwidth guarantee based on interface+VLAN for the ISCOM2600G series
switch as below.

2 Raisecom(config)#bandwid Create a bandwidth guarantee profile.
th-profile bwp-profile-  bwp-profile-id: bandwidth guarantee profile
id cir cir cbs cbs [ eir ID, an integer, ranging from 1 to 128
eir ebs ebs ] [ color-  cir: committed information rate, an integer,
aware [ coupling ] ] ranging from 1 to 10000000, in units of kbit/s
Example:  cbs: committed burst size, an integer, ranging
Raisecom(config)#bandwid from 1 to 262144, in units of Kbyte

 eir: excess information rate, an integer,
th-profile 1 cir 20 cbs
30 eir 20 ebs 30 color- ranging from 1 to 10000000, in units of kbit/s
 ebs: excess burst size, an integer, ranging
aware
 color-aware: packet color identification mode

Example: example.
gigaethernet1/1/*)#bandw interface+VLAN.
idth ingress vlan vlan-  ingress: ingress direction
id bwp-profile-id  vlan-id: VLAN list, an integer, ranging from 1
Example: to 4094
Raisecom(config-
gigaethernet1/1/1)#bandw ID, an integer, ranging from 1 to 128
idth ingress vlan 3 2

311
Raisecom
Configuring bandwidth guarantee based on interface+VLAN+CoS

Configure bandwidth guarantee based on interface+VLAN+CoS for the ISCOM2600G series
switch as below.

2 Raisecom(config)#ban Create a bandwidth guarantee profile.
dwidth-profile bwp-  bwp-profile-id: bandwidth guarantee profile ID, an
profile-id cir cir integer, ranging from 1 to 128
cbs cbs [ eir eir  cir: committed information rate, an integer, ranging
ebs ebs ] [ color- from 1 to 10000000, in units of kbit/s
aware [ coupling ] ]  cbs: committed burst size, an integer, ranging from
Example: 1 to 262144, in units of Kbyte

 eir: excess information rate, an integer, ranging
Raisecom(config)#ban
dwidth-profile 1 cir from 1 to 10000000, in units of kbit/s
 ebs: excess burst size, an integer, ranging from 1 to
20 cbs 30 eir 20 ebs
30 color-aware 262144, in units of Kbyte
3 Raisecom(config)#int Enter physical interface configuration mode, or

erface interface- aggregation group configuration mode. Take
type interface- physical interface configuration mode for example.
number
Example:
Raisecom(config)#int
erface gigaethernet
1/1/1
gigaethernet1/1/*)#b interface+VLAN+CoS.
andwidth ingress  ingress: ingress direction
[ vlan vlan-id ]  vlan-id: VLAN list, an integer, ranging from 1 to
coslist cos-value- 4094
list bwp-profile-id  cos-value-list: CoS value list, an integer, ranging
Example: from 0 to 7. It supports specific values, such as

Raisecom(config- "1,2,3"; it also supports a range, such as "1-3".
 bwp-profile-id: bandwidth guarantee profile ID, an
gigaethernet1/1/1)#b
andwidth ingress integer, ranging from 1 to 128
vlan 3 coslist 1-3 2
If a bandwidth guarantee profile is used by other profiles or applied, it cannot be

deleted.
Configuring bandwidth guarantee based on VLAN interface

Configure bandwidth guarantee based on VLAN interface for the ISCOM2600G series switch
as below.

312
Raisecom

2 Raisecom(config)#ban Create a bandwidth guarantee profile.
dwidth-profile bwp-  bwp-profile-id: bandwidth guarantee profile ID, an
profile-id cir cir integer, ranging from 1 to 128
cbs cbs [ eir eir  cir: committed information rate, an integer, ranging
ebs ebs ] [ color- from 1 to 10000000, in units of kbit/s
aware [ coupling ] ]  cbs: committed burst size, an integer, ranging from
Example: 1 to 262144, in units of Kbyte

Raisecom(config)#ban  eir: excess information rate, an integer, ranging
dwidth-profile 1 cir from 1 to 10000000, in units of kbit/s

20 cbs 30 eir 20 ebs  ebs: excess burst size, an integer, ranging from 1 to
30 color-aware 262144, in units of Kbyte

3 Raisecom(config)#int Enter VLAN interface configuration mode.

erface vlan vlan-id
Example:
Raisecom(config)#int
4094
erface vlan 1
4 Raisecom(config- Apply the bandwidth guarantee profile on the VLAN
vlan*)#bandwidth interface.
ingress bwp-profile-  ingress: ingress direction
id  bwp-profile-id: bandwidth guarantee profile ID, an
Raisecom(config-
vlan1)#bandwidth
ingress 2
vlan*)#bandwidth interface+VLAN.
ingress coslist cos-  ingress: ingress direction
value-list bwp-  cos-value-list: CoS value list, an integer, ranging
profile-id from 0 to 7. It supports specific values, such as
Example: "1,2,3"; it also supports a range, such as "1-3".
 bwp-profile-id: bandwidth guarantee profile ID, an
Raisecom(config-
vlan1)#bandwidth integer, ranging from 1 to 128
ingress coslist 3 2
7.7.5 Configuring hierarchical bandwidth guarantee
Creating hierarchical CoS bandwidth guarantee

Create a hierarchical CoS bandwidth guarantee for the ISCOM2600G series switch as below.


313
Raisecom

2 Raisecom(config)#bandwidth Create a bandwidth guarantee profile.
-profile bwp-profile-id
 bwp-profile-id: bandwidth guarantee
cir cir cbs cbs [ eir eir
ebs ebs ] [ color-aware profile ID, an integer, ranging from 1 to
[ coupling ] ] 128
Example:
Raisecom(config)#bandwidth ranging from 1 to 10000000, in units of
-profile 1 cir 20 cbs 30 kbit/s
 cbs: committed burst size, an integer,
eir 20 ebs 30 color-aware
Kbyte

kbit/s

 color-aware: packet color identification
mode
3 Raisecom(config)#hierarchy Create a hierarchical CoS profile, and enter

-cos bandwidth-profile hc- HCoS configuration mode.
profile-id
 hc-profile-id: hierarchical CoS profile ID,
Example:
Raisecom(config)#hierarchy an integer, ranging from 1 to 128
-cos bandwidth-profile 3
4 Raisecom(config- Configure the hierarchical CoS profile.
hcos)#bandwidth coslist
 cos-list: CoS list value, an integer, ranging
cos-list bwp-profile-id
Raisecom(config-hcos)#exit from 0 to 7. It supports specific values,
Example: such as "1,2,3"; it also supports a range,
Raisecom(config- such as "1-3".
hcos)#bandwidth coslist 2
2 profile ID, an integer, ranging from 1 to
128
gigaethernet 1/1/1
6 Raisecom(config- Apply the hierarchical CoS profile on the
gigaethernet1/1/*)#bandwid ingress interface+VLAN.
th ingress vlan vlan-id
bwp-profile-id hierarchy-
 vlan-id: VLAN list, an integer, ranging
cos hc-profile-id
Raisecom(config-
gigaethernet1/1/1)#bandwid profile ID, an integer, ranging from 1 to
th ingress vlan 1 2 128
 hc-profile-id: hierarchical CoS profile ID,
hierarchy-cos 2

314
Raisecom
Configuring hierarchical VLAN bandwidth guarantee

Create a hierarchical VLAN bandwidth guarantee for the ISCOM2600G series switch as
below.

2 Raisecom(config)#bandwid Create a bandwidth guarantee profile.
th-profile bwp-profile-
id cir cir cbs cbs [ eir
eir ebs ebs ] [ color- ID, an integer, ranging from 1 to 128
aware [ coupling ] ]
Example: ranging from 1 to 10000000, in units of kbit/s
 cbs: committed burst size, an integer, ranging
Raisecom(config)#bandwid
th-profile 1 cir 20 cbs from 1 to 262144, in units of Kbyte
30 eir 20 ebs 30 color-
aware ranging from 1 to 10000000, in units of kbit/s

3 Raisecom(config)#hierarc Create a hierarchical VLAN profile, and enter

hy-vlan bandwidth- Hvlan configuration mode.
profile hv-profile-id
 hv-profile-id: hierarchical VLAN profile ID,
Example:
Raisecom(config)#hierarc an integer, ranging from 1 to 128
hy-vlan bandwidth-
profile 4
4 Raisecom(config- Configure the hierarchical VLAN profile.
hvlan)#bandwidth
 vlan-list: VLAN list, an integer, ranging from
vlanlist vlan-list
profile-id 1 to 4094. It supports specific values, such as
Raisecom(config- "1,2,3"; it also supports a range, such as "1-3".
hvlan)#exit
Example: ID, an integer, ranging from 1 to 128
Raisecom(config-
hvlan)#bandwidth
vlanlist 2-4 2
Example: example.
6 Raisecom(config- Apply the hierarchical VLAN profile to the
gigaethernet1/1/*)#bandw ingress or egress interface.
idth ingress bwp-
profile-id hierarchy-
vlan hv-profile-id
Example: ID, an integer, ranging from 1 to 128
 hv-profile-id: hierarchical VLAN profile ID,
Raisecom(config-
gigaethernet1/1/1)#bandw an integer, ranging from 1 to 128
idth ingress 2
hierarchy-vlan 2
315
Raisecom
If a hierarchical bandwidth guarantee profile is applied, it cannot be deleted or

modified.


1 Raisecom#show bandwidth- Show information about the bandwidth
profile [ bwp-profile-id ] guarantee profile.
2 Raisecom#show bandwidth Show information about the bandwidth
interface interface-type guarantee profile on the interface.
interface-number
3 Raisecom#show hierarchy-cos- Show information about the hierarchical
bandwidth profile [ hc- CoS bandwidth guarantee profile.
profile-id ]
4 Raisecom#show hierarchy- Show information about the hierarchical
vlan-bandwidth profile [ hv- VLAN bandwidth guarantee profile.
profile-id ]
7.8 Configuration examples

7.8.1 Example for configuring congestion management
As shown in Figure 7-9, the user uses voice, video and data services.
The CoS of voice services is 5, the CoS of video services is 4, and the CoS of data services is
2. The local priorities for these three types of services are mapping 6, 5, and 2 respectively.
Congestion can easily occur on Switch A. To reduce network congestion, make the following
rules according to different services types:
 For voice services, perform SP scheduling to assign voice services with a high priority.
 For video services, perform WRR scheduling, with weight of 50.
 For data services, perform WRR scheduling, with weight of 20.

316
Raisecom
Figure 7-9 Queue scheduling networking
Configuration steps
Step 1 Configure interface priority trust mode.
SwitchA#config
SwitchA(config-gigaethernet1/1/2)#mls qos trust cos
SwitchA(config-gigaethernet1/1/2)#quit
Step 2 Configure the profile for mapping from CoS to local priority.
SwitchA(config)#mls qos mapping cos-to-local-priority 1

SwitchA(cos-to-pri)#cos 5 to local-priority 6
SwitchA(cos-to-pri)#quit
Step 3 Apply the profile for mapping from CoS to local priority on GE 1/1/2.

SwitchA(config-gigaethernet1/1/2)#mls qos cos-to-local-priority 1
Step 4 Conduct SP+WRR queue scheduling in the egress direction of GE 1/1/1.

SwitchA(config-gigaethernet1/1/1)#mls qos queue scheduler wrr 1 1 20 1 1
50 0 0

317
Raisecom
Checking results
Use the following command to show priority trust mode on the interface.
Raisecom#show mls qos interface

Interface TrustMode Priority Cos-PriProfile Dscp-
PriProfile Dscp-Mutation Cos-Remark DEI-Status
-------------------------------------------------------------------------
---------------------------------------------
gigaethernet1/1/1 cos untagged 0 0 0
0 0 --
gigaethernet1/1/2 cos untagged 0 1 0
0 0 --
Use the following command to show configurations of mapping from CoS to local priority
Raisecom#show mls qos mapping cos-to-local-priority

G:GREEN
Y:YELLOW
R:RED
cos-to-localpriority(color)
Index Description Ref CoS: 0 1 2 3 4
5 6 7
-------------------------------------------------------------------------
--------------------------------
1 1 localpri(color) :0(G) 1(G) 2(G) 3(G) 5(G)
6(G) 6(G) 7(G)
Use the following command to show configurations of queue scheduling on the interface.
Raisecom#show mls qos queue interface gigaethernet 1/1/1

gigaethernet1/1/1
Queue Weight(WRR)
-------------------------
2 1
3 20
4 1
5 1
6 50
7 0
8 0

318
Raisecom
7.8.2 Example for configuring rate limiting based on traffic policy
As show in Figure 7-10, User A, User B, and User C respectively belong to VLAN 1, VLAN
2, and VLAN 3, and are connected to the ISCOM2600G series switch by Switch A, Switch B,
and Switch C.
User A uses voice and video services, User B uses voice, video and data services, and User C
uses video and data services.
According to service requirements, user needs to make rules as below.
 Provide User A with 25 Mbit/s guaranteed bandwidth, permitting burst flow of 100
Kbytes and discarding excess flow.
 Provide User B with 35 Mbit/s guaranteed bandwidth, permitting burst flow of 100
 Provide User C with 30 Mbit/s guaranteed bandwidth, permitting burst flow of 100
Figure 7-10 Rate limiting based on traffic policy
Configuration steps
Step 1 Create and configure the traffic class, and classify users by VLAN ID.
Raisecom#config
Raisecom(config)#class-map usera match-any
Raisecom(config-cmap)#match vlan 1
Raisecom(config-cmap)#quit
Raisecom(config)#class-map userb match-any
Raisecom(config)#class-map userc match-any

319
Raisecom
Step 2 Create rate limiting rules.
Raisecom(config)#mls qos policer-profile usera single

Raisecom(traffic-policer)#cir 25000 cbs 100
Raisecom(traffic-policer)#drop-color red
Raisecom(traffic-policer)##quit
Raisecom(config)#mls qos policer-profile userb single
Raisecom(config)#mls qos policer-profile userc single
Step 3 Create and configure the traffic policy.
Raisecom(config)#policy-map usera
Raisecom(config-pmap)#class-map usera
Raisecom(config-pmap-c)#police usera
Raisecom(config-pmap-c)#quit
Raisecom(config-pmap)#quit
Raisecom(config-gigaethernet1/1/1)#service-policy ingress usera
Raisecom(config)#policy-map userb
Raisecom(config-pmap)#class-map userb
Raisecom(config-pmap-c)#police userb
Raisecom(config-gigaethernet1/1/2)#service-policy ingress userb
Raisecom(config)#policy-map userc
Raisecom(config-pmap)#class-map userc
Raisecom(config-pmap-c)#police userc
Raisecom(config-gigaethernet1/1/3)#service-policy userc ingress 4
Checking results
Use the show class-map command to show configurations of traffic classification.

320
Raisecom
Raisecom#show class-map usera

Class Map match-any usera (id 0)(ref 1)
Match vlan 1
Raisecom#show class-map userb
Class Map match-any userb (id 1)(ref 1)
Match vlan 2
Raisecom#show class-map userc
Class Map match-any userb (id 2)(ref 1)
Match vlan 3
Use the show mls qos policer command to show configurations of rate limiting rules.
Raisecom(config)#show mls qos policer

single-policer: USERC mode:flow color:blind
cir: 30000 kbps cbs: 100 kB
single-policer: usera mode:flow color:blind

single-policer: userb mode:flow color:blind

Use the show policy-map command to show configurations of traffic policy.
Raisecom(config)#show policy-map
Policy Map usera
Class usera
police usera
Policy Map userb

Class userb
police userb
Policy Map userc

Class userc
police userc
7.8.3 Example for configuring rate limiting based on interface
As shown in Figure 7-11, User A, User B, and User C are respectively connected to the
ISCOM2600G series switch by Switch A, Switch B, and Switch C.
User A uses voice and video services. User B uses voice, video and data services. User C uses
video and data services.
According to service requirements, make rules as below.

321
Raisecom
 Provide User A with 25 Mbit/s guaranteed bandwidth, permitting burst flow of 100
 Provide User B with 35 Mbit/s guaranteed bandwidth, permitting burst flow of 100
 Provide User C with 30 Mbit/s guaranteed bandwidth, permitting burst flow of 100
Figure 7-11 Rate limiting based on interface
Configuration steps
Configure rate limiting based on interface.
Raisecom#config
Raisecom(config-gigaethernet1/1/1)#rate-limit ingress cir 25000 cbs 100
Checking results
Use the show rate-limit port-list command to show configurations of rate limiting based on
interface.
Raisecom(config)#show rate-limit interface

Interface Direction Cir(kbps) Cbs(kb)
CirOper(kbps) CbsOper(kb)

322
Raisecom
-------------------------------------------------------------------------
---------------------------------------
gigaethernet1/1/1 ingress 25000 100 25024
101
101
101

323
Raisecom
ISCOM2600G (A) Series Configuration Guide (CLI) 8 Multicast
8 Multicast
This chapter describes basic principles and configuration procedures for multicast, and
 Multicast
 Basic functions of Layer 2 multicast
 IGMP Snooping
 IGMP Querier
 IGMP MVR
 IGMP filtering
 Multicast VLAN copy
 MLD
8.1 Multicast
With the continuous development of Internet, more and more interactive data, voice, and
video of various types emerge on the network. On the other hand, the emerging e-commerce,
online meetings, online auctions, video on demand, remote learning, and other services also
rise gradually. These services bring higher requirements on network bandwidth, information
security, and paid feature. Traditional unicast and broadcast cannot meet these requirements
well, while multicast has met them timely.
Multicast is a point-to-multipoint data transmission method. The method can effectively solve
the single point sending and multipoint receiving problems. During transmission of packets on
the network, multicast can save network resources and improve information security.
Comparison among unicast, broadcast, and multicast

Multicast is a kind of packets transmission method which is parallel with unicast and
broadcast.
 Unicast: the system establishes a data transmission path for each user who needs the
information, and sends separate copy information about them. Through unicast, the
amount of information transmitted over the network is proportional to the number of
users, so when the number of users becomes huge, there will be more identical
information on the network. In this case, bandwidth will become a bottleneck, and
unicast will not be conducive to transmission of large-scale information.

324
Raisecom
 Broadcast: the system sends information to all users regardless of whether they need or
not, so any user will receive it. Through broadcast, the information source delivers
information to all users in the segment, which fails to guarantee information security and
paid service. In addition, when the number of users who require this kind of information
decreases, the utilization of network resources will be very low, and the bandwidth will
be wasted seriously.
 Multicast: when some users in the network need specific information, the sender only
sends one piece of information, then the transmitted information can be reproduced and
distributed in fork junction as far as possible.
As shown in Figure 8-1, assume that User B and User C need information, you can use
multicast transmission to combine User B and User C to a receiver set, then the information
source just needs to send one piece of information. Each switch on the network will establish
their multicast forwarding table according to IGMP packets, and finally transmits the
information to the actual receiver User B and User C.
Figure 8-1 Multicast transmission networking
In summary, the unicast is for a network with sparse users and broadcast is for a network with
dense users. When the number of users in the network is uncertain, unicast and broadcast will
present low efficiency. When the number of users are doubled and redoubled, the multicast
mode does not need to increase backbone bandwidth, but sends information to the user in
need. These advantages of multicast make itself become a hotspot in study of the current
network technology.
Advantages and application of multicast

Compared with unicast and broadcast, multicast has the following advantages:
 Improve efficiency: reduce network traffic, relieve server and CPU load.
 Optimize performance: reduce redundant traffic and guarantee information security.
 Support distributed applications: solve the problem of point-point data transmission.
The multicast technology is used in the following aspects:
 Multimedia and streaming media, such as, network television, network radio, and
realtime video/audio conferencing

325
Raisecom
 Training, cooperative operations communications, such as: distance education,

telemedicine
 Data warehousing and financial applications (stock)
 Any other point-to-multipoint applications
Basic concepts in multicast

 Multicast group
A multicast group refers to the recipient set using the same IP multicast address identification.
Any user host (or other receiving device) will become a member of the group after joining the
multicast group. They can identify and receive multicast data with the destination address as
IP multicast address.
 Multicast group members
Each host joining a multicast group will become a member of the multicast group. Multicast
group members are dynamic, and hosts can join or leave multicast group at any time. Group
members may be widely distributed in any part of the network.
 Multicast source
A multicast source refers to a server which regards multicast group address as the destination
address to send IP packet. A multicast source can send data to multiple multicast groups;
multiple multicast sources can send to a multicast group.
 Multicast router
A multicast router is a router that supports Layer 3 multicast. The multicast router can achieve
multicast routing and guide multicast packet forwarding, and provide multicast group member
management to distal segment connecting with users.
 Routed interface
A routed interface refers to the interface towards the multicast router between a multicast
router and a host. The ISCOM2600G series switch receives multicast packets from this
interface.
 Member interface
Known as the Rx interface, a member interface is the interface towards the host between
multicast router and the host. The ISCOM2600G series switch sends multicast packets from
this interface.
Figure 8-2 shows basic concepts in multicast.

326
Raisecom
Figure 8-2 Basic concepts in multicast
Multicast address
To make multicast source and multicast group members communicate across the Internet, you
need to provide network layer multicast address and link layer multicast address, namely, the
IP multicast address and multicast MAC address.
 IP multicast address
Internet Assigned Numbers Authority (IANA) assigns Class D address space to IPv4 multicast;
the IPv4 multicast address ranges from 224.0.0.0 to 239.255.255.255.
 Multicast MAC address
When the Ethernet transmits unicast IP packets, it uses the MAC address of the receiver as the
destination MAC address. However, when multicast packets are transmitted, the destination is
no longer a specific receiver, but a group with an uncertain number of members, so the
Ethernet needs to use the multicast MAC address.
The multicast MAC address identifies receivers of the same multicast group on the link layer.
According to IANA, high bit 24 of the multicast MAC address are 0x01005E, bit 25 is fixed
to 0, and the low bit 23 corresponds to low bit 23 of the IPv4 multicast address.
Figure 8-3 shows mapping between the IPv4 multicast address and MAC address.

327
Raisecom
Figure 8-3 Mapping between IPv4 multicast address and multicast MAC address
The first 4 bits of IP multicast address are 1110, indicating multicast identification. In the last
28 bits, only 23 bits are mapped to the multicast MAC address, and the missing of 5 bits
makes 32 IP multicast addresses mapped to the same multicast MAC address. Therefore, in
Layer 2, the ISCOM2600G series switch may receive extra data besides IPv4 multicast group,
and these extra multicast data needs to be filtered by the upper layer on the ISCOM2600G
series switch.
Basis of multicast protocol

To implement complete set of multicast services, you need to deploy a variety of multicast
protocols in various positions of network and make them cooperate with each other.
Typically, IP multicast working at network layer is called Layer 3 multicast, so the
corresponding multicast protocol is called Layer 3 multicast protocol, including Internet
Group Management Protocol (IGMP). IP multicast working at data link layer is called Layer 2
multicast, so the corresponding multicast protocol is called Layer 2 multicast protocol,
including Internet Group Management Protocol (IGMP) Snooping.
Figure 8-4 shows operating of IGMP and Layer 2 multicast features.
Figure 8-4 Operating of IGMP and Layer 2 multicast features
IGMP, a protocol in TCP/IP protocol suite, is responsible for managing IPv4 multicast
members. IGMP runs between the multicast router and host, defines the establishment and
maintenance mechanism of multicast group membership between hosts and the multicast
router. IGMP is not involved in transmission and maintenance of group membership between
multicast routers, which is completed by the multicast routing protocol.

328
Raisecom
IGMP manages group members through interaction of IGMP packets between the host and
multicast router. IGMP packets are encapsulated in IP packets, including Query packets,
Report packets, and Leave packets. Basic functions of IGMP are as below:
 The host sends Report packets to join the multicast group, sends Leave packets to leave
the multicast group, and automatically determines which multicast group packets to
receive.
 The multicast router sends Query packets periodically, and receives Report packets and
Leave packets from hosts to understand the multicast group members in connected
segment. The multicast data will be forwarded to the segment if there are multicast group
members, and not forward if there are no multicast group members.
Up to now, IGMP has three versions: IGMPv1, IGMPv2, and IGMPv3. The newer version is
fully compatible with the older version. Currently the most widely used version is IGMPv2,
while IGMPv1 does not support the Leave packet.
Layer 2 multicast runs on Layer 2 devices between the host and multicast router.
Layer 2 multicast manages and controls multicast groups by monitoring and analyzing IGMP
packets exchanged between hosts and multicast routers to implement forwarding multicast
data at Layer 2 and suppress multicast data diffusion at Layer 2.
Supported multicast features

The ISCOM2600G series switch supports the following multicast features:
 Basic functions of IGMP
 IGMP Snooping
 IGMP Multicast VLAN Registration (MVR)
 IGMP filtering
Any two of IGMP Snooping, IGMP MVR, and multicast VLAN copy cannot be
concurrently enabled in the same multicast VLAN. Multicast VLAN copy and IGMP
MVR cannot be enabled concurrently in the same multicast group of the same
multicast VLAN.
8.2 Basic functions of Layer 2 multicast

8.2.1 Introduction
Basic IGMP functions are as below:
 Assign the multicast router interface.
 Enable immediate leave.
 Configure multicast forwarding entries and the aging time of router interfaces.
 Enable IGMP ring network forwarding.
Basic functions of Layer 2 multicast provide Layer 2 multicast common features, which must
be used on the ISCOM2600G series switch enabled with IGMP Snooping or IGMP MVR.

329
Raisecom
Configurations of basic function take effect on IGMP Snooping or IGMP MVR

concurrently.
The concepts related to IGMP basic functions are as below.
Multicast router interface

The router interface can be learnt dynamically (learnt through IGMP query packets, on the
condition that the multicast routing protocol is enabled on multicast routers) on Layer 2
multicast switch, or configured manually to forward downstream multicast report and leave
packets to the router interface.
The router interface learnt dynamically has an aging time, while the router interface
configured manually will not be aged.
Aging time
The configured aging time takes effect on both multicast forwarding entries and the router
interface.
On Layer 2 switch running multicast function, each router interface learnt dynamically starts a
timer, of which the expiration time is the aging time of IGMP Snooping. The router interface
will be deleted if no IGMP Query packets are received in the aging time. The timer of the
router interface will be updated when an IGMP Query packet is received.
Each multicast entry starts a timer, namely, the aging time of a multicast member. The
expiration time is IGMP Snooping aging time. The multicast member will be deleted if no
IGMP Report packets are received in the aging time. Update timeout for multicast entry when
receiving IGMP Report packets. The timer of the multicast entry will be updated when an
IGMP Report packet is received.
Immediate leave
On Layer 2 switch running multicast function, the system will not delete the corresponding
multicast entry immediately, but wait until the entry is aged after sending Leave packets. You
can enable this function to delete the corresponding multicast entry quickly when there are a
large number of downstream users and adding or leaving is more frequently required.
Scenario
Basic functions of Layer 2 multicast provide common features of Layer 2 multicast, and must
be used on the ISCOM2600G series switch enabled with IGMP Snooping or IGMP MVR.
Prerequisite
 Disable IGMP MVR and multicast VLAN copy in the Snooping multicast VLAN.
 Add related interfaces to VLANs.

330
Raisecom
8.2.3 Default configurations of Layer 2 multicast basic functions

Default configurations of Layer 2 multicast basic functions are as below.

IGMP immediate leave status Disable
Aging time of multicast entries 260s
Interface IGMP ring network forwarding status Disable
8.2.4 Configuring basic functions of Layer 2 multicast

Configure basic functions of Layer 2 multicast for the ISCOM2600G series switch as below.

2 Raisecom(config)#igmp (Optional) configure the aging time of IGMP
member-timeout { seconds | members.
infinite }
 seconds: start time, in units of minute, an
Example:
Raisecom(config)#igmp integer, ranging from 5 to 3600
 infinite: never aged
member-timeout 100
3 Raisecom(config)#igmp (Optional) enable Report suppression. Report
report-suppression suppression and Proxy are mutually exclusive.
4 Raisecom(config)#igmp (Optional) configure the CoS priority of the
snooping mrouter vlan IGMP route VLAN.
vlan-list priority
 vlan-list: VLAN of the multicast router
priority-number
Example: interface, an integer, ranging from 1 to
Raisecom(config)#igmp 4094. It supports specific values, such as
snooping mrouter vlan 1 "2,3,4"; it also supports a range, such as "2-
priority 1 4".
 priority-number: CoS priority, an integer,
ranging from 0 to 7
5 Raisecom(config)#igmp (Optional) enable the function of forwarding
unknown forward-router unknown IGMP multicast packets to the
router interface.
Use the no form of this command to disable
this function.
6 Raisecom(config)#igmp (Optional) enable the function of forwarding
forward-router known IGMP multicast packets to the router
interface.
Use the no form of this command to disable
this function.

331
Raisecom

7 Raisecom(config)#interface (Optional) enter physical interface
interface-type interface- configuration mode, or aggregation group
number configuration mode. Take physical interface
configuration mode for example.
8 Raisecom(config- (Optional) configure the multicast router
gigaethernet1/1/*)#igmp interface.
mrouter vlan vlan-id
9 Raisecom(config- (Optional) configure immediate leave.
gigaethernet1/1/*)#igmp
immediate-leave [ vlan
If immediate leave is disabled on the
vlan-list | user-mac ] downlink interface, the router interface, after
Example: receiving a Leave packet, will calculate the
Raisecom(config- aging time according to robust factor and
gigaethernet1/1/1)#igmp configure the expiration time for a member to
immediate-leave vlan 100 leave the group as Group Membership
Interval (GMI). GMI = robust-
value*lastmember-queryinterval.
 vlan-list: VLAN of the multicast router
interface, an integer, ranging from 1 to
4094. It supports specific values, such as
"1,2,3"; it also supports a range, such as "1-
3".
 user-mac: MAC address based on user


1 Raisecom#show igmp configuration Show IGMP basic configurations.
2 Raisecom#show igmp mrouter Show configurations of the
multicast route interface.
3 Raisecom#show igmp immediate- Show configuration of immediate
leave [ interface-type interface- leave on Layer 2 multicast.
number ]
4 Raisecom#show igmp statistics Show Layer 2 multicast statistics.
number ]
5 Raisecom#show igmp snooping Show the CoS priority of the
mrouter vlan-priority IGMP route VLAN.
6 Raisecom#show igmp user-mac Show information about user
[ interface-type interface-number MAC addresses of IGMP.
| user-vlan vlan-id ]
7 Raisecom#show igmp user-mac count Show the number of user MAC
[ interface-type interface-number addresses of IGMP.
| vlan vlan-id ]

332
Raisecom
8.2.6 Maintenance
Command Description
Raisecom(config)#clear igmp statistics Clear statistics about Layer 2
[ interface-type interface-number ] multicast IGMP.
Example:
Raisecom(config)#clear igmp statistics
Raisecom(config)#no igmp member Delete a specified multicast entry.
Example:
Raisecom(config)#no igmp member
gigaethernet 1/1/1
8.3 IGMP Snooping

8.3.1 Introduction
IGMP Snooping is a multicast constraining mechanism running on Layer 2 devices, used for
managing and controlling multicast groups, and implementing Layer 2 multicast.
IGMP Snooping allows the ISCOM2600G series switch to monitor IGMP sessions between
the host and multicast router. When monitoring the IGMP Report packet from the host to a
group, the ISCOM2600G series switch will add host-related interface to the forwarding entry
of this group. Similarly, when a forwarding entry reaches the aging time, the ISCOM2600G
series switch will delete host-related interface from the forwarding table.
IGMP Snooping forwards multicast data through Layer 2 multicast entry. When receiving
multicast data, the ISCOM2600G series switch will forward them directly according to the
corresponding receiving interface of the multicast entry, instead of flooding them to all
interfaces, to save bandwidth of the ISCOM2600G series switch effectively.
IGMP Snooping establishes a Layer 2 multicast forwarding table, of which entries can be
learnt dynamically or configured manually.
Scenario
As shown in Figure 8-5, multiple hosts belonging to a VLAN receive data from the multicast
source. You can enable IGMP Snooping on the Switch that connects the multicast router and
hosts. By listening IGMP packets transmitted between the multicast router and hosts, creating
and maintaining the multicast forwarding table, you can implement Layer 2 multicast.

333
Raisecom
Figure 8-5 IGMP Snooping networking
Prerequisite
 Disable multicast VLAN copy on the ISCOM2600G series switch.
 Create VLANs.
 Add related interfaces to the VLANs.
8.3.3 Default configurations of IGMP Snooping

Default configurations of IGMP Snooping are as below.

Global IGMP Snooping status Disable
VLAN IGMP Snooping status Disable
IGMP robustness 2
8.3.4 Configuring IGMP Snooping

Configure IGMP Snooping for the ISCOM2600G series switch as below.

2 Raisecom(config)#igmp snooping Enable global IGMP Snooping.
3 Raisecom(config)#igmp member- (Optional) configure the aging time of
timeout { seconds | infinite } IGMP members.
Example:
 seconds: timeout, in units of second,
Raisecom(config)#igmp member-
timeout 100 an integer, ranging from 5 to 3600
 infinite: never aged

334
Raisecom

4 Raisecom(config)#igmp snooping (Optional) enable IGMP Snooping on
vlan vlan-list all VLANs.
Example:
 vlan-list: VLAN enabled with
Raisecom(config)#igmp snooping
vlan 2-3 IGMP Snooping, an integer, ranging
from 1 to 4094. It supports specific
values, such as "2,3,4"; it also
7 Raisecom(config)#interface Enter physical layer configuration
8 Raisecom(config- Configure the host joining function.
gigaethernet1/1/*)#igmp snooping
 group-address: multicast group
host-join group-address vlan
vlan-id member IP address, in dotted
Example: decimal notation
 vlan-id: VLAN enabled with IGMP
Raisecom(config-
gigaethernet1/1/1)#igmp snooping Snooping, an integer, ranging from
host-join 224.0.1.10 vlan 2 1 to 4094
 IGMP Snooping and IGMP MVR cannot be enabled concurrently in the same
multicast VLAN. Otherwise, the configuration will fail.
 IGMP Snooping and multicast VLAN copy cannot be enabled concurrently in the
same multicast VLAN. Otherwise, the configuration will fail.


1 Raisecom#show igmp snooping Show configurations of IGMP
Snooping.
2 Raisecom#show igmp snooping Show information about multicast
member [ interface-type group members of IGMP Snooping.
interface-number | vlan vlan-id ]
3 Raisecom#show igmp snooping Show the number of multicast group
member count [ interface-type members of IGMP Snooping.
interface-number | vlan vlan-id ]
4 Raisecom#show igmp snooping vlan Show configurations of IGMP
vlan-id Snooping in the specified VLAN.

335
Raisecom
8.4 IGMP Querier

8.4.1 Introduction
MVR Querier is an MVR protocol proxy mechanism. It runs on Layer 2 devices to assist in
managing and controlling multicast groups. MVR Querier will terminate IGMP packets. It can
agent host functions upstream and also proxy multicast router functions downstream. The
Layer 2 network device enabled with MVR Querier has two roles:
 At the user side, it is a query builder and undertakes the role of the server, sending Query
packets and periodically checking user information, and processing the Report and Leave
packets from users.
 At the network routing side, it is a host and undertakes the role of the client, responding
the multicast router Query packet and sending Report and Leave packets. It sends the
user information to the network as required.
The proxy mechanism can control and access user information effectively, and reduce the
network side protocol packet and network load.
IGMP Querier establishes a multicast packet forwarding list by intercepting IGMP packets
between the user and multicast routers.
IGMP Querier is used in cooperation with IGMP Snooping/MVR.

The following concepts are related to IGMP Querier.
 IGMP packet suppression
IGMP packet suppression means that the switch filters identical Report packets. When
receiving multiple Report packets from a multicast group member in a query interval, the
switch sends the first Report packet to the multicast router only while it suppresses other
identical Report packets, to reduce packet quantity on the network.
When IGMP Snooping, IGMP MVR, or multicast VLAN copy is enabled, IGMP packet
suppression can be enabled or disabled respectively.
 IGMP Querier
If a switch is enabled with this function, it can actively send IGMP Query packets to query
information about multicast members on the interface. If it is disabled with this function, it
only forwards IGMP Query packets from routers.
When IGMP Snooping, IGMP MVR, or multicast VLAN copy is enabled, IGMP
Querier can be enabled or disabled respectively.
 Source IP address of Query packets sent by IGMP Querier
IGMP querier sends the source IP address of Query packets. By default, the IP address of IP
interface 0 is used. If the IP address is not configured, 0.0.0.0 is used. When receiving Query
packets with IP address of 0.0.0.0, some hosts take it illegal and do not respond. Thus,
specifying the IP address for the Query packet is recommended.

336
Raisecom
 Query interval
It is the query interval for common groups. The query message of common group is
periodically sent by the switch in multicast mode to all hosts in the shared network segment,
to query which multicast groups have members.
 Maximum response time for Query packets
The maximum response time for Query packets is used to control the deadline for reporting
member relations by a host. When the host receives Query packets, it starts a timer for each
added multicast group. The value of the timer is between 0 and maximum response time.
When the timer expires, the host sends the Report packet to the multicast group.
 Interval for the last member to send Query packets
It is also called the specified group query interval. It is the interval for the switch continues to
send Query packets for the specified group when receiving IGMP Leave packet for a specified
group by a host.
The Query packet for the specified multicast group is sent to query whether the group has
members on the interface. If yes, the members must send Report packets within the maximum
response time; after the switch receives Report packets in a specie period, it continues to
maintain multicast forwarding entries of the group; If the members fail to send Report packets
within the maximum response time, the switch judges that the last member of the multicast
group has left and thus deletes multicast forwarding entries.
Scenario
On a network with multicast routing protocol widely applied, multiple hosts and client
subnets receive multicast information. Enable IGMP Querier on the switch connecting the
multicast router and hosts to block IGMP packets between hosts and the multicast router and
relieve the network load.
Configure IGMP Querier to relieve configuration and management of client subnet for the
multicast router and to implement multicast connection with the client subnet.
IGMP Querier is used in cooperation with IGMP Snooping/MVR.
Prerequisite
 Create VLANs.
 Add related interfaces to VLANs.
8.4.3 Default configurations of IGMP Querier

Default configurations of IGMP Querier area as below.

IGMP Querier status Disable
IGMP packet suppression status Disable

337
Raisecom

Source IP address for IGMP Querier to send Use the IP address of IP address 0.
packets If IP interface 0 is not configured,
use 0.0.0.0.
IGMP query interval 125s
Maximum response time to send Query packets 10s
Interval for the last member to send Query packets 1s
8.4.4 Configuring IGMP Querier

Configure IGMP Querier for the ISCOM2600G series switch as below.

2 Raisecom(config)#igmp Enable IGMP Querier.
querier
3 Raisecom(config)#igmp (Optional) configure the source IP
source-ip ip-address address for the IGMP querier to send
Example: Query packets.
Raisecom(config)#igmp
 ip-address: source IP address, in dotted
source-ip 10.0.0.1
4 Raisecom(config)#igmp (Optional) configure the IGMP query
query-interval period interval.
Example:
 period: interval for general groups to
Raisecom(config)#igmp
query-interval 20 send Query packets, an integer, ranging
5 Raisecom(config)#igmp (Optional) configure the maximum
query-max-response-time response time to send Query packets.
period
 period: maximum response time for
Example:
Raisecom(config)#igmp general groups to send Query packets,
query-max-response-time 20 an integer, ranging from 1 to 25, in
units of second
6 Raisecom(config)#igmp last- (Optional) configure the interval for the
member-query-interval period last member to send Query packets.
Example:
 period: specified interval, an integer,
Raisecom(config)#igmp last-
member-query-interval 10 ranging from 1 to 25, in units of second
7 Raisecom(config)#igmp proxy Configure IGMP proxy.
 When IGMP Querier is disabled, the following parameters can be configured:

source IP address, query interval, maximum response time to send Query packets,

338
Raisecom
and interval for the last member to send Query packets. After IGMP Querier is
enabled, these configurations will take effect immediately.
 Though IGMP Snooping or IGMP MVR is enabled, IGMP Querier can be still
enabled.
 IGMP Proxy and IGMP Querier are mutually exclusive. IGMP Proxy and IGMP
report suppression are mutually exclusive.


1 Raisecom#show igmp querier Show configurations of IGMP Querier.
8.4.6 Example for configuring IGMP Snooping and IGMP Querier
As shown in Figure 8-6, GE 1/1/1 on the switch is connected to the multicast router; GE 1/1/2
and GE 1/1/3 are connected to users. All multicast users belong to the same VLAN 10; you
need to configure IGMP Snooping on the switch to receive multicast data with the address
234.5.6.7.
Enable the IGMP Querier on the switch to reduce communication between the hosts and
multicast routers and implement the multicast function.
When the PC and set-top box are added to the same multicast group, the switch receives two
IGMP Report packets and only sends one of them to the multicast router. The IGMP Query
packet sent by the multicast router is not forwarded downstream, but the switch periodically
sends IGMP Query packets.

339
Raisecom
Figure 8-6 IGMP Snooping networking
Configuration steps
Step 1 Create VLANs and add interfaces to VLANs.
Raisecom#config
Step 2 Enable IGMP Snooping.
Raisecom(config)#igmp snooping
Raisecom(config)#igmp snooping vlan 10
Step 3 Configure IGMP Querier.
Raisecom(config)#igmp querier
Raisecom(config)#igmp source-ip 192.168.1.2

340
Raisecom
Checking results
Use the following command to show configurations of IGMP Snooping.
Raisecom#show igmp snooping

IGMP snooping :Enable
IGMP report-suppression :Disable
IGMP version :v2
IGMP snooping active vlan :10
IGMP aging-time(s) :260
Use the following command to show information about IGMP Snooping multicast group
members.
Raisecom#show igmp snooping member vlan 10

R- ring port D - Dynamic S - Static
Vlan Group Port Live-time(s) Flag
-------------------------------------------------------------------------
10 234.5.6.7 GE1/1/1 --
D
Use the following command to show configurations of IGMP Querier.
Raisecom#show igmp querier

Global IGMP querier configuration:
----------------------------------
Querier Status : Enable
Querier Source Ip : 192.168.1.2
Query Interval(s) :125
Query Max Response Interval(s) :10
Last Member Query Interval(s) :1
Robust Count :2
Next General Query(s) :--
8.5 IGMP MVR

8.5.1 Introduction
IGMP Multicast VLAN Registration (MVR) is multicast constraining mechanism running on
Layer 2 devices, used for multicast group management and control and achieve Layer 2
multicast.
IGMP MVR adds member interfaces belonging to different user VLAN in switch to multicast
VLAN by configuring multicast VLAN and makes different VLAN user uses one common
multicast VLAN, then the multicast data will be transmitted only in one multicast VLAN
341
Raisecom
without copying one for each user VLAN, thus saving bandwidth. At the same time, multicast
VLAN and user VLAN are completely isolated which also increases the security.
Both IGMP MVR and IGMP Snooping can implement Layer 2 multicast, but the difference is
that the multicast VLAN in IGMP Snooping is the same as the customer VLAN while the
multicast VLAN in IGMP MVR can be different from the customer VLAN.
One switch can configure up to 10 multicast VLAN, at least one multicast VLAN and
group addresses. The supported maximum number of multicast groups is 1024.
Scenario
As shown in Figure 8-7, multiple users receive data from the multicast source. These users
and the multicast router belong to different VLAN. Enable IGMP MVR on Switch A, and
configure multicast VLAN. In this way, users in different VLAN can share a multicast VLAN
to receive the same multicast data, and bandwidth waste is reduced.
Figure 8-7 IGMP MVR networking
Prerequisite
 Disable multicast VLAN copy.
 Create VLANs.

342
Raisecom
8.5.3 Default configurations of IGMP MVR

Default configurations of MVR are as below.

Global IGMP MVR status Disable
Interface IGMP MVR status Disable
Multicast VLAN and group address set N/A
8.5.4 Configuring IGMP MVR

Configure IGMP MVR for the ISCOM2600G series switch as below.

2 Raisecom(config)#igmp mvr Enable global IGMP MVR.
3 Raisecom(config)#igmp mvr Configure the group address set for multicast
mcast-vlan vlan-id group VLAN.
{ start-ip-address [ end-
 vlan-id: multicast VLAN, VLAN to which
ip-address ] | any }
Example: the multicast routing interface is attached, an
Raisecom(config)#igmp mvr integer, ranging from 1 to 4094
 group: configure the multicast source group
mcast-vlan 10 group
224.0.1.1 224.0.1.10 address contained in multicast VLAN.
 start-ip-address: start IP multicast address, in
dotted decimal notation, ranging from

224.0.0.1 to 239.255.255.255
 end-ip-address: end IP multicast address, in

224.0.0.1 to 239.255.255.255
 any: any multicast address
After IGMP MVR is enabled, you need

to configure multicast VLAN and bind
group address set. If the received IGMP
Report packet does not belong to a
group address set of any VLAN, it is not
processed and the user cannot make
multicast traffic on demand.
4 Raisecom(config)#interfac Enter interface configuration mode, or
e interface-type aggregation group configuration mode. Take
Example: example.
Raisecom(config)#interfac
e gigaethernet 1/1/1

343
Raisecom

5 Raisecom(config- (Optional) configure static multicast members
gigaethernet1/1/*)#igmp of MVR for a specified customer VLAN.
mvr mcast-vlan vlan-id
 vlan-id: multicast VLAN, VLAN to which
static ip-address [ user-
vlan vlan-id ] the multicast router interface belongs, an
 ip-address: IP multicast address, in dotted
Raisecom(config-
gigaethernet1/1/1)#igmp decimal notation, ranging from 224.0.0.1 to
mvr mcast-vlan 2 static 239.255.255.255
 user-vlan vlan-id: user VLAN, an integer,
224.0.1.1 user-vlan 10
6 Raisecom(config- (Optional) configure the range for multicast
gigaethernet1/1/*)#igmp inter-VLAN copy to take effect.
mvr user-vlan vlan-id
 vlan-id: user VLAN, an integer, ranging
Example:
gigaethernet1/1/1)#igmp
mvr user-vlan 1
7 Raisecom(config- (Optional) configure the host joining function
gigaethernet1/1/*)#igmp of MVR.
mvr mcast-vlan vlan-id
 mcast-vlan vlan-id: multicast VLAN, an
host-join ip-address
[ user-vlan vlan-id ] integer, ranging from 1 to 4094
 ip-address: IP multicast address, in dotted
Example:
Raisecom(config- decimal notation, ranging from 224.0.0.1 to
gigaethernet1/1/1)#igmp 239.255.255.255
 user-vlan vlan-id: user VLAN, an integer,
mvr mcast-vlan 2 host-
join 224.0.1.1 ranging from 1 to 4094
multicast VLAN. Otherwise, the configuration will fail.
same multicast VLAN. Otherwise, the configuration will fail.


1 Raisecom#show igmp mvr Show configurations of IGMP MVR.
2 Raisecom#show igmp mvr Show configurations of IGMP MVR
{ interface | interface-type on the specified interface.
interface-number }
3 Raisecom#show igmp mvr member Show information about multicast
[ interface-type interface- group members of IGMP MVR.
number | user-vlan vlan-id ]

344
Raisecom

4 Raisecom#show igmp mvr member Show the number of multicast group
count [ interface-type members of IGMP MVR.
interface-number | user-vlan
vlan-id ]
5 Raisecom#show igmp mvr vlan- Show multicast VLAN and its group
group [ mcast-vlan vlan-id ] address set.
8.5.6 Example for configuring IGMP MVR
As shown in Figure 8-8, GE 1/1/1 on Switch A connects with the multicast router, and GE
1/1/2 and GE 1/1/3 connect with users in different VLANs to receive data from multicast
addresses 234.5.6.7 and 225.1.1.1.
Configure IGMP MVR on Switch A to specify VLAN 3 as a multicast VLAN, and then the
multicast data needs to be duplicated with one copy in the multicast VLAN instead of copying
for each customer VLAN, thus saving bandwidth.
Figure 8-8 MVR networking
Configuration steps
Step 1 Create VLANs on Switch A and add interfaces to them.
Raisecom(config)#config

345
Raisecom

Raisecom(config-gigaethernet1/1/1)#switchport trunk untagged vlan 12
Raisecom(config-gigaethernet1/1/3)#switchport trunk untagged vlan 12,13
Step 2 Configure IGMP MVR on Switch A.
Raisecom(config)#igmp mvr
Raisecom(config-gigaethernet1/1/1)#igmp mvr
Raisecom(config-gigaethernet1/1/1)#igmp mvr user-vlan 13
Raisecom(config-gigaethernet1/1/2)#igmp mvr user-vlan 12
Raisecom(config)#igmp mvr mcast-vlan 3 group 234.5.6.7
Raisecom(config)#igmp mvr mcast-vlan 3 group 225.1.1.1
Checking results
Use the following command to show IGMP MVR configurations on Switch A.
Raisecom#show igmp mvr

igmp mvr running :Enable
igmp mvr port :GE1/1/1 GE1/1/2
igmp mvr multicast vlan(ref) :3(2)
igmp aging time(s) :260
Use the following command to show information about the multicast VLAN and group
address.
Raisecom#show igmp mvr vlan-group

-----------------------------------------------------
Mcast-vlan Start-group End-group
-------------------------------------------

346
Raisecom
3 225.1.1.1 225.1.1.1
3 234.5.6.7 234.5.6.7
8.6 IGMP filtering

8.6.1 Introduction
To control user access, you can configure IGMP filtering. IGMP filtering includes limiting the
range of accessible multicast groups by using the filtering profile and limiting the maximum
number of multicast groups.
 IGMP filtering profile
To ensure information security, the administrator needs to limit the multicast users, such as
what multicast data are allowed to receive and what are not.
You can configure IGMP Profile filtering profile to control the interface. One IGMP Profile
can be configured one or more multicast group access control restrictions and access the
multicast group according to the restriction rules (permit and deny). If a rejected IGMP
Profile filtering profile is applied to the interface, the interface will discard the IGMP report
packet from this group directly once receiving it and disallow the interface to receive this
group of multicast data.
IGMP filtering profile can be configured on an interface or interface+VLAN.
IGMP Profile only applies to dynamic multicast groups, but not static ones.
 Limit to the maximum number of multicast groups
You can configure the maximum number of multicast groups allowed to join based on
interface or interface+VLAN and the rules to restrict the maximum number.
The maximum group number rule defines the actions to be taken for reaching the maximum
number of multicast groups jointed by users, namely, disallowing new users to join the
multicast group or overriding a joined group.
IGMP filtering is generally used with IGMP Snooping/IGMP MVR/multicast VLAN

copy.
Scenario
Different users in the same multicast group receive different multicast requirements and
permissions. You can configure filtering rules on the switch which connects the multicast
router and user host to restrict multicast users. You also can configure the maximum number
of multicast groups jointed by users. IGMP Proxy is generally used with IGMP Snooping or
IGMP MVR.

347
Raisecom
Prerequisite
 Create VLANs.
8.6.3 Default configurations of IGMP filtering

Default configurations of IGMP filtering are as below.

Global IGMP filtering Disable
IGMP filtering profile Profile N/A
IGMP filtering profile action Refuse
IGMP filtering under interface No maximum group limit, the largest group
action is drop, no application filtering profile
IGMP filtering under interface+VLAN No maximum group limit, the largest group
action is drop, no application filtering profile
8.6.4 Enabling global IGMP filtering

Enable global IGMP filtering for the ISCOM2600G series switch as below.

1 Raisecom#config Enter global configuration mode
2 Raisecom(config)#igmp filter Enable global IGMP filtering
When configuring IGMP filtering profile or the maximum group number, use the igmp
filter command to enable global IGMP filtering.
8.6.5 Configuring IGMP filtering profile

The IGMP filtering profile can be used to interface or interface+VLAN.
Configure the IGMP filtering profile for the ISCOM2600G series switch as below.


348
Raisecom

2 Raisecom(config)#igmp Create IGMP Profile and enter Profile
filter profile profile- configuration mode.
number
 profile-number: number of the filtering
Example:
Raisecom(config)#igmp profile, an integer, ranging from 1 to 100
filter profile 1
3 Raisecom(config-igmp- Configure the IGMP Profile action.
profile)#{ permit | deny }
 permit: permit users to receive data from
Example:
Raisecom(config-igmp- the filtered multicast address.
 deny: deny users to receive data from the
profile)#permit
filtered multicast address.
4 Raisecom(config-igmp- Configure the IP multicast address or rang
profile)#range range-id under access control.
start-ip-address [ end-ip-
 range-id: index number of the specified
address ]
Example: multicast address range, an integer,
Raisecom(config-igmp- ranging from 1 to 10
 start-ip-address: start IP address of the
profile)#range 1 224.0.1.1
224.0.10.1 multicast address range, in dotted decimal
notation, within the range of multicast
address, ranging from 224.0.0.1 to
239.255.255.255
 end-ip-address: end IP address of the
multicast address range, in dotted decimal

notation, within the range of multicast
address, ranging from 224.0.0.1 to
239.255.255.255. If this parameter is not
selected, the filtered address is a multicast
address, namely, the start-ip-address,
instead of an address range.
5 Raisecom(config-igmp- Enter physical interface configuration mode
profile)#exit or aggregation group configuration mode.
number
Example:
gigaethernet 1/1/1
port-channel 1

349
Raisecom

6 Raisecom(config- Configure IGMP Profile filtering profile to
gigaethernet1/1/*)#igmp physical interface or interface+VLAN.
filter profile profile-
number [ vlan vlan-list ]
Example: profile, an integer, ranging from 1 to 100
 vlan-list: specified VLAN, an integer,
Raisecom(config-
gigaethernet1/1/1)#igmp ranging from 1 to 4094. It supports
filter profile 1 specific values, such as "1,2,3"; it also
supports a range, such as "1-3". If this
parameter is selected, the IGMP filtering
profile will be applied to interface+VLAN.
If this parameter is not selected, the IGMP
filtering profile will be applied to
interface.
Raisecom(config-port- Configure IGMP Profile filtering profile to
channel*)#igmp filter LAG interface or interface+VLAN.
[ vlan vlan-list ]
Raisecom(config-port- profile, an integer, ranging from 1 to 100
 vlan-list: specified VLAN, an integer,
channel*)#exit
Example: ranging from 1 to 4094. It supports
Raisecom(config-port- specific values, such as "1,2,3"; it also
channel1)#igmp filter supports a range, such as "1-3". If this
profile 1 parameter is selected, the IGMP filtering
profile is applied to interface+VLAN. If
this parameter is not selected, the IGMP
filtering profile is applied to interface.
7 Raisecom(config- (Optional) enable IGMP to filter query
gigaethernet1/1/*)#igmp packets from the user interface or join or
drop { query | report } leave packets from the upstream interface.
Example:
 query: query packets
Raisecom(config-
 report: join packets
gigaethernet1/1/1)#igmp
drop query
Use the igmp filter profile profile-number command in interface configuration mode
to make the created IGMP profile apply to the specified interface. One IGMP profile
can be applied to multiple interfaces, but each interface can have only one IGMP
profile.
8.6.6 Configuring maximum number of multicast groups

You can add the maximum number of multicast groups applied to interface or
interface+VLAN.
Configure the maximum number of multicast groups for the ISCOM2600G series switch as
below.

350
Raisecom

1 Raisecom#config Enter global configuration mode
2 Raisecom(config Enter physical interface configuration mode or aggregation
)#interface group configuration mode.
interface-type
interface-
number
Example:
Raisecom(config
)#interface
gigaethernet
1/1/1
Raisecom(config
)#interface
port-channel 1
3 Raisecom(config Configure the maximum number of multicast groups to
- physical interface or interface+VLAN.
gigaethernet1/1
 group-number: maximum number of multicast groups, an
/*)#igmp filter
max-groups integer, ranging from 1 to 1024
 vlan-list: specified VLAN, an integer, ranging from 1 to
group-number
[ vlan vlan- 4094. It supports specific values, such as "1,2,3"; it also
list ] supports a range, such as "1-3". If this parameter is
Example: selected, the maximum number of multicast groups
Raisecom(config allowed to join based on interface+VLAN is configured.
- If this parameter is not selected, the maximum number of
gigaethernet1/1 multicast groups allowed to join based on interface is
/1)#igmp filter configured.
max-groups 10
Raisecom(config Configure the maximum number of multicast groups to
-port- LAG interface or interface+VLAN.
channel*)#igmp
 group-number: maximum number of multicast groups, an
filter max-
groups group- integer, ranging from 1 to 1024
number [ vlan
vlan-list ] 4094. It supports specific values, such as "1,2,3"; it also
Example: supports a range, such as "1-3". If this parameter is
Raisecom(config selected, the maximum number of multicast groups
-port- allowed to join based on interface+VLAN is configured.
channel1)#igmp If this parameter is not selected, the maximum number of
filter max- multicast groups allowed to join based on interface is
groups 10 configured.

351
Raisecom

4 Raisecom(config (Optional) configure the action upon reach of the maximum
- number of multicast groups in physical interface or
gigaethernet1/1 interface+VLAN.
/*)#igmp filter
 drop: new multicast groups are not allowed to be added to
max-groups
action { drop | the interface or interface+VLAN.
 replace: the multicast group with the shortest Time-to-
replace }
[ vlan vlan- leave time overrides the new multicast group.
list ]
Example: 4094. It supports specific values, such as "1,2,3"; it also
Raisecom(config supports a range, such as "1-3". If this parameter is
- selected, the action upon reach of the maximum number
gigaethernet1/1 of multicast groups allowed to join based on
/1)#igmp filter interface+VLAN is configured. If this parameter is not
max-groups selected, the action upon reach of the maximum number
action drop of multicast groups allowed to join based on interface is
vlan 10 configured.
Raisecom(config (Optional) configure the action upon reach of the maximum
-port- number of multicast groups in LAG interface or
channel*)#igmp interface+VLAN.
filter max-
 drop: new multicast groups are not allowed to be added to
groups action
{ drop | the interface or interface+VLAN.
 replace: the multicast group with the shortest Time-to-
replace }
[ vlan vlan- leave time overrides the new multicast group.
list ]
Example: 4094. It supports specific values, such as "1,2,3"; it also
Raisecom(config supports a range, such as "1-3". If this parameter is
-port- selected, the action upon reach of the maximum number
channel1)#igmp of multicast groups allowed to join based on
filter max- interface+VLAN is configured. If this parameter is not
groups action selected, the action upon reach of the maximum number
drop vlan 10 of multicast groups allowed to join based on interface is
configured.


1 Raisecom#show igmp filter [ { interface | Show configurations of
interface-type interface-number } [ vlan IGMP filtering.
[ vlan-id ] ] ]
2 Raisecom#show igmp filter profile Show information about
[ profile-number ] the IGMP profile.

352
Raisecom
8.6.8 Example for applying IGMP filtering on interface
Enable IGMP filtering on the switch. Add filtering rules on the interface to filter multicast
users.
As shown in Figure 8-9,
 Create an IGMP filtering rule Profile 1, and configure the action to pass for the multicast
group ranging from 234.5.6.7 to 234.5.6.10.
 Apply filtering rule on GE 1/1/1, allow the STB to join the 234.5.6.7 multicast group,
forbid it to join the 234.5.6.11 multicast group.
 Apply no filtering rule on Port 3, and allow PCs to join the 234.5.6.11 multicast group.
Configure the maximum number of multicast groups on GE 1/1/1. After the STB is added to
the 234.5.6.7 multicast group, add it to the 234.5.6.8 multicast group while it quits the
234.5.6.7 multicast group.
Figure 8-9 Applying IGMP filtering on interface
Configuration steps
Step 1 Create VLANs, and add interfaces to VLANs.
Raisecom#config

353
Raisecom

Raisecom(config-gigaethernet1/1/3)#switchport trunk untagged vlan 12,13
Step 2 Enable IGMP MVR.
Raisecom(config)#igmp mvr
Raisecom(config-tengigabitethernet1/1/1)#igmp mvr user-vlan 12
Raisecom(config-tengigabitethernet1/1/2)#igmp mvr user-vlan 13
Raisecom(config)#igmp mvr mcast-vlan 3 group any
Step 3 Configure the IGMP filtering profile.
Raisecom(config)#igmp filter profile 1

Raisecom(config-igmp-profile)#permit
Raisecom(config-igmp-profile)#range 1 234.5.6.7 234.5.6.10
Raisecom(config-igmp-profile)#exit
Step 4 Configure the STB to apply the IGMP filtering profile.
Raisecom(config)#igmp filter
Raisecom(config-gigaethernet1/1/1)#igmp filter profile 1
Step 5 Configure the maximum number of multicast groups on the STB interface.
Raisecom(config-gigaethernet1/1/1)#igmp filter max-groups 1

Raisecom(config-gigaethernet1/1/1)#igmp filter max-groups action replace

354
Raisecom
Checking results
Use the following command to show configurations of IGMP filtering on the interface.
Raisecom#show igmp filter gigaethernet 1/1/1

profile: 1
max group: 1
current group: 0
action: replace
8.7 Multicast VLAN copy

8.7.1 Introduction
Multicast VLAN copy refers to specifying different VLANs as one user VLAN of the
multicast VLAN when different user VLANs require the same multicast source on the switch.
After multicast VLAN copy is enabled, the upper layer device copies multicast data in the
multicast VLAN, instead of copying multicast data for each user VLAN, thus saving
bandwidth. The system searches for the egress interface according to the multicast VLAN and
multicast group address, and copies multicast data for each user VLAN on the egress interface.
Both multicast VLAN copy and IGMP MVR can implement multicast functions when user
VLANs and the multicast VLAN are in different VLANs. Their difference is that multicast
data of IGMP MVR can be forwarded in a multicast VLAN but multicast VLAN copy is used
to copy multicast data to each user VLAN.
IGMP MVR transmits data in a way as shown in Figure 8-10 while multicast VLAN copy
transmits data in a way as shown in Figure 8-11.

355
Raisecom
Figure 8-10 Data transmission of IGMP MVR
Figure 8-11 Data transmission of multicast VLAN copy

356
Raisecom
The ISCOM2600G series switch can be configured with 1–10 multicast VLANs and at
least one multicast VLAN and corresponding group address set. It supports up to
1024 multicast groups.
Scenario
As shown in Figure 8-12, multiple hosts belonging to different VLANs receive data of the
multicast source. Enable multicast VLAN copy on Switch B and configure multicast VLAN
so that multicast data is copied on the receiving interface to the user VLAN and users of
different VLANs can share a multicast VLAN to receive the same multicast data and reduce
waste of bandwidth.
Figure 8-12 Multicast VLAN copy networking
Prerequisite
Create VLANs, and add related interfaces to VLANs.
8.7.3 Default configurations of multicast VLAN copy

Default configurations of multicast VLAN copy are as below.

Global multicast VLAN copy status Disable
Interface multicast VLAN copy status Disable

357
Raisecom

Multicast VLAN and group address set N/A
 To concurrently configure N:1 VLAN mapping and VLAN copy, you must configure
VLAN copy and then configure N:1 VLAN mapping.
8.7.4 Configuring multicast VLAN copy

Configure multicast VLAN copy for the ISCOM2600G series switch as below.

2 Raisecom(config)#igmp Enable global multicast VLAN copy.
vlan-copy
3 Raisecom(config)#igmp Configure the group address set of the
vlan-copy mcast-vlan multicast VLAN.
vlan-id group { start-ip
 vlan-id: multicast VLAN, an integer,
[ end-ip ] | any }
Example: ranging from 1 to 4094, namely, the
Raisecom(config)#igmp VLAN from the multicast route interface
 group: multicast source group address of
vlan-copy mcast-vlan 10
group 224.0.1.1 224.0.1.10 multicast VLAN
 start-ip: start IP multicast address, in

224.0.0.1 to 239.255.255.255
 end-ip: end IP multicast address, in dotted
decimal notation, ranging from 224.0.0.1

to 239.255.255.255
 any: any multicast address
After multicast VLAN copy is enabled,

you need to configure the multicast
VLAN and bound group address set.
If the received IGMP Report packet
does not belong to a group address
set of any VLAN, it is not processed
and the user cannot make multicast
traffic on demand.
number mode. Take physical interface configuration
Example: mode for example.
gigaethernet 1/1/1

358
Raisecom

5 Raisecom(config- Enable multicast VLAN copy in interface
gigaethernet1/1/*)#igmp configuration mode.
vlan-copy
8.7.5 Configuring static multicast members of VLAN copy

Configure static multicast members of VLAN copy for the ISCOM2600G series switch as
below.

gigaethernet 1/1/1
3 Raisecom(config- Configure static multicast members of
gigaethernet1/1/*)#igmp VLAN copy.
vlan-copy mcast-vlan vlan-id
 vlan-id: multicast VLAN, an integer,
static ip-address [ user-
vlan vlan-id ] ranging from 1 to 4094, namely, the
Example: VLAN from the multicast route interface
 ip-address: multicast address, in dotted
Raisecom(config-
gigaethernet1/1/1)#igmp decimal notation, ranging from 224.0.0.1
vlan-copy mcast-vlan 2 to 239.255.255.255
 user-vlan vlan-id: user VLAN, an
static 224.0.1.1 user-vlan
10 integer, ranging from 1 to 4094
multicast VLAN, otherwise the configuration will fail.
same multicast VLAN, otherwise the configuration will fail.
8.7.6 Configuring customer VLAN of VLAN copy

Configure the customer VLAN of VLAN copy for the ISCOM2600G series switch as below.


359
Raisecom

gigaethernet 1/1/1
3 Raisecom(config- Configure the customer VLAN of
gigaethernet1/1/*)#igmp multicast VLAN copy.
vlan-copy user-vlan vlan-id
 vlan-id: customer VLAN, an integer,
Example:
gigaethernet1/1/1)#igmp vlan-
copy user-vlan 2
8.7.7 Configuring host joining function of VLAN copy

Configure the host joining function of VLAN copy for the ISCOM2600G series switch as
below.

gigaethernet 1/1/1
3 Raisecom(config- Configure the host joining function of
gigaethernet1/1/*)#igmp multicast VLAN copy.
vlan-copy mcast-vlan vlan-id
 mcast-vlan vlan-id: multicast VLAN,
host-join ip-address [ user-
vlan vlan-id ] VLAN to which the multicast router
Example: interface belongs, an integer, ranging
 ip-address: multicast IP address, in
gigaethernet1/1/1)#igmp vlan-
copy mcast-vlan 2 host-join dotted decimal notation, ranging from
224.0.1.1 224.0.0.1 to 239.255.255.255
 user-vlan vlan-id: user VLAN, an


360
Raisecom

1 Raisecom#show igmp vlan- Show configurations of multicast VLAN
copy copy.
2 Raisecom#show igmp vlan- Show configurations of multicast VLAN
copy { interface | copy on the specified interface.
interface-type
interface-number }
3 Raisecom#show igmp vlan- Show information about multicast group
copy member members of multicast VLAN copy.
copy member interface- members of multicast VLAN copy on the
type interface-number specified interface.
copy member user-vlan members of multicast VLAN copy in the
vlan-id specified user VLAN.
6 Raisecom#show igmp vlan- Show the number of members in the
copy member count multicast group of multicast VLAN copy.
{ interface-type
interface-number | user-
vlan vlan-id }
7 Raisecom#show igmp vlan- Show the multicast VLAN and bound group
copy vlan-group [ mcast- address set of multicast VLAN copy.
vlan vlan-id ]
8.8 MLD
8.8.1 Introduction
MLD is a network protocol used in multicast technologies. Through MLD, a router can snoop
whether there is a snooper of the IPv6 multicast group in the directly-connected network
segment, and then record the result in the database. The router also maintains timer
information about these IPv6 multicast addresses. Through MLD, the user host and the
expected directly-connected multicast router establish and maintain multicast membership.
A MLD router uses the local address of IPv6 unicast link as the source address to send MLD
packets, and uses ICMPv6 packets. All MLD packets are limited to local links, with hops of 1.
The device supports two MLD versions:
 MLDv1: defined by RFC2710, derived from IGMPv2
 MLDv2: defined by RFC3810, derived from IGMPv3
MLDv1 is used to manage IPv6 multicast group members through the querying and response
mechanism. Based on MLDv1, MLDv2:
 Additionally support filtering IPv6 multicast sources. When a host joins an IPv6
multicast group, it can request to receive or deny messages from a specified IPv6
multicast source.

361
Raisecom
 Additionally support configuring the maximum response time. Thus, MLDv2 is

applicable to larger networks.
 Cancel response suppression; in other words, the host does not need to process packets
from other hosts, thus simplifying hosts operations.
 Add an S flag bit in the querying packet to enhance robustness of the system.
 Add the retransmission mechanism to the querying and response packets.
Scenarios
Multicast arising in the IPv4 era solves the problem of single-point sending and multi-point
receiving, and transmits data efficiently point to multiple points on the network, thus saving
network bandwidth and lowering network load. It is enhanced on the IPv4 network. By
listening MLD messages and thus creating a forwarding table for multicast packets, the
ISCOM2600G series switch can manage and control the forwarding of multicast packets, and
forward multicast packets to the target host.
Prerequisite
Configure the IPv6 address of the interface.
8.8.3 Default configurations of MLD

Default configurations of MLD are as below.

MLD ring network forwarding on the interface Disable
MLD Snooping Disable
Aging time of MLD members 260s
MLD robustness 2
8.8.4 Configuring basic functions of MLD

Configure basic functions of MLD for the ISCOM2600G series switch as below.

2 Raisecom(config)#interfa Enter physical interface configuration mode.
ce interface-type
interface-number
3 Raisecom(config- Create a multicast router interface on the
gigaethernet1/1/*)#mld specified VLAN.
mrouter vlan vlan-id

362
Raisecom

6 Raisecom(config)#mld (Optional) enable Report suppression. When
report-suppression receiving multiple Report packets from the
same group in a specified period, the
ISCOM2600G series switch forwards only one
Report packet to the router interface while it
suppresses others.
7 Raisecom(config)#mld (Optional) configure the aging time of MLD
member-timeout { second members.
| infinite }
8 Raisecom(config)#interfa Configure the MLD version.
ce interface-type
interface-number
9 Raisecom(config- Configure the host joining function for MLD
gigaethernet1/1/*)#mld Snooping.
vlan-list | user-mac ]
10 Raisecom(config- (Optional) enable immediate leave of MLD on
gigaethernet1/1/*)#mld the interface or interface+VLAN.
vlan-list | user-mac ] If immediate leave is disabled on the downlink
interface, the router interface, after receiving a
Leave packet, will calculate the aging time
according to robust factor and configure the
expiration time for a member to leave the group
as Group Membership Interval (GMI). GMI =
robust-value*lastmember-queryinterval.
8.8.5 Configuring MLD Snooping

Configure MLD Snooping for the ISCOM2600G series switch as below.

2 Raisecom(config)#mld Enable global MLD Snooping.
snooping
3 Raisecom(config)#mld (Optional) enable MLD Snooping in all
snooping vlan vlan-list VLANs.
6 Raisecom(config)#interface (Optional) configure the function of the
interface-type interface- emulating host to join for MDL Snooping.
number
Raisecom(config-
gigaethernet1/1/*)#mld
snooping host-join group-
address vlan vlan-id

363
Raisecom
8.8.6 Configuring MLD Querier

Configure MLD Querier for the ISCOM2600G series switch as below.

2 Raisecom(config)#mld Enable MLD querier.
querier
3 Raisecom(config)#mld (Optional) configure the source IP address for
source-ip ip-address MLD Querier to send Query packets.
4 Raisecom(config)#mld (Optional) configure the MLD query interval.
query-interval period
5 Raisecom(config)#mld (Optional) configure the maximum response time
query-max-response- of Query packets.
time period
6 Raisecom(config)#mld (Optional) configure the interval for the last
last-member-query- member to send Query packets.
interval period
7 Raisecom(config)#mld Configure the robustness factor of MLD.
robust-count value
8 Raisecom(config)#mld Enable MLD Proxy.
proxy
 When IGMP Querier is disabled, the following parameters can be configured:

source IP address, query interval, maximum response time to send Query packets,
and interval for the last member to send Query packets. After IGMP Querier is
enabled, these configurations will take effect immediately.
 MLD proxy and MLD Querier are mutually exclusive. MLD proxy and MLD report-
suppression are mutually exclusive.
8.8.7 Configuring MLD filtering
Enable global MLD filtering

Enable global MLD filtering for the ISCOM2600G series switch as below.

2 Raisecom(config)#mld Enable global MLD filtering.
filter
3 Raisecom(config- (Optional) enable IGMP to filter Query
gigaethernet1/1/*)# mld packets from the user interface or Join or
drop { query | report } Leave packets from the upstream interface.

364
Raisecom
Before applying the MLD filtering profile or configuring the maximum number of
groups, use the mld filter command to enable global MLD filtering.
Configuring MLD filtering profile

The MLD filtering profile can be used on the interface or interface+VLAN.
Configure the MLD filtering profile for the ISCOM2600G series switch as below.

2 Raisecom(config)#mld filter Create a MLD profile, and enter
profile profile-number profile configuration mode.
3 Raisecom(config-mld- Configure the action of the MLD
profile)#{ permit | deny } profile.
4 Raisecom(config-mld-profile)#range Configure the IPv6 multicast
range-id start-ip-address [ end- address or range for access
ip-address ] control.
5 Raisecom(config-mld-profile)#exit Enter physical interface
Raisecom(config)#interface configuration mode or
interface-type interface-number aggregation group configuration
mode.
6 Raisecom(config- Apply the MLD filtering profile
gigaethernet1/1/*)#mld filter to the physical interface or
profile profile-number [ vlan interface+VLAN.
vlan-list ]
Raisecom(config-port-channel*)#mld Apply the MLD filtering profile
filter profile profile-number to the LAG interface or
[ vlan vlan-list ] interface+VLAN.
Raisecom(config-port-
channel*)#exit
By using the mld filter profile profile-number command in interface configuration

mode, you can apply a created MLD profile to the specified interface. A MLD profile
can be applied to multiple interfaces, but only one MLD profile can be applied to each
interface.
Configuring maximum number of groups

The maximum number of groups for the user to join can be applied to the interface or
interface+VLAN.
Configure the maximum number of groups for the ISCOM2600G series switch as below.

365
Raisecom

interface-type interface- mode or aggregation group
number configuration mode.
3 Raisecom(config- Apply the maximum number of groups
gigaethernet1/1/*)#mld to the physical interface or
filter max-groups group- interface+VLAN.
number [ vlan vlan-list ]
Raisecom(config-port- Apply the maximum number of groups
channel*)#mld filter max- to the LAG interface or
groups group-number [ vlan interface+VLAN.
vlan-list ]
4 Raisecom(config- (Optional) configure the action to be
gigaethernet1/1/*)#mld taken when the number of groups for
filter max-groups action the physical interface or
{ drop | replace } [ vlan interface+VLAN to join exceeds the
vlan-list ] maximum number of groups.
Raisecom(config-port- (Optional) configure the action to be
channel*)#mld filter max- taken when the number of groups for
groups action { drop | the LAG interface or interface+VLAN
replace } [ vlan vlan-list ] to join exceeds the maximum number
of groups.


1 Raisecom#show mld immediate-leave Show configurations of immediate
[ interface-type interface-number leave of MLD.
| port-channel port-channel-id ]
2 Raisecom#show mld mrouter Show information about the
multicast router interface of MLD.
3 Raisecom#show mld snooping [ vlan Show configurations of MLD
vlan-id ] Snooping.
4 Raisecom#show mld snooping member Show information about multicast
[interface-type interface-number group members of MLD
| vlan vlan-id ] Snooping.
5 Raisecom#show mld snooping member Show the number of multicast
count [interface-type interface- group members of MLD
number | vlan vlan-id ] Snooping.
6 Raisecom#show mld statistics Show statistics of MLD statistics.
[interface-type interface-number]

366
Raisecom

7 Raisecom#show mld filter Show configuration of MLD
[ { interface | interface-type filtering.
interface-number } [ vlan [ vlan-
id ] ] ]
8 Raisecom#show mld filter profile Show configurations of the MLD
[ profile-number ] filtering profile.
9 Raisecom#show mld configuration Show basic configurations of
MLD.
10 Raisecom#show mld ring Show information about the ring
network interface for MLD.
11 Raisecom#show mld querier Show information about MLD
Querier.
12 Raisecom#show mld user-mac Show information about user
[ interface-type interface-number MAC addresses for MLD.
| user-vlan vlan-id ]
13 Raisecom#show mld user-mac count Show the number of user MAC
[ interface-type interface-number addresses for MLD.
| vlan vlan-id ]
8.8.9 Maintenance
Command Description
Rasiecom#clear mld statistics Clear MLD statistics.
[ interface-type interface-number ]
Rasiecom#no mld member interface-type Clear multicast entries of the
interface-number specified interface.

367
Raisecom
ISCOM2600G (A) Series Configuration Guide (CLI) 9 OAM
9 OAM
This chapter describes basic principles and configuration procedures for OAM and provide
 Introduction
 EFM
9.1 Introduction
Initially, Ethernet is designed for LAN. Operation, Administration and Maintenance (OAM) is
weak because of its small size and a NE-level administrative system. With continuous
development of Ethernet technology, the application scale of Ethernet in Telecom network
becomes wider and wider. Compared with LAN, the link length and network size of Telecom
network is bigger and bigger. The lack of effective management and maintenance mechanism
has seriously obstructed Ethernet technology applying to the Telecom network.
To confirm connectivity of Ethernet virtual connection, effectively detect, confirm, and locate
faults on network, balance network utilization, measure network performance, and provide
service according Service Level Agreement (SLA), implementing OAM on Ethernet has
becoming an inevitable developing trend.
Working mode
An interface enabled with EFM OAM is called an OAM entity. EFM OAM supports the
following two working modes:
 Active mode: initialized by the OAM entity that is in active mode
 Passive mode: the OAM entity in passive mode just waits for connection request of the
active OAM entity. If OAM entities of both ends of a link are in passive mode, the OAM
link cannot be established.
OAM discovery
The Ethernet OAM connection process is the OAM discovery phase, where an OAM entity
discovers a remote OAM entity and establishes a session with it.
This phase is initiated by an OAM entity that is in active mode. One ends informs the other of
its Ethernet OAM configurations and Ethernet OAM capabilities supported by the local node

368
Raisecom
by exchanging OAM PDU. Both ends determine whether to establish OAM connection. If yes,
Ethernet OAM protocol will work on the link layer.
Only the OAM entity in active mode can initiate OAM connection.
After the OAM connection is established, both ends keep connected by exchanging OAM
PDU. If one end fails to receive OAM PDU within the timeout time, it believes that
connection expires and reconnection is required.
Monitoring link
In the OAM connection, an OAM entity keeps sending Information OAM PDUs. The local
OAM entity can inform the peer OAM entity of threshold events through Information OAM
PDUs. In this way, the network administrator can learn the link state and take actions
accordingly.
The network administrator monitors Ethernet OAM through the Event Notification OAM
PDU. When a link fails, the passive OAM entity detects the failure, and actively sends Event
Notification OAM PDU to the peer active OAM entity to inform the following threshold
events. By default, 3 Dying Gasp Traps are sent. Therefore, the network administrator can
dynamically master the network status through the link monitoring process.
 Error frame event: the number of error frames exceeds the threshold in a time unit.
 Error frame period event: the number of error frames exceeds the threshold in a period
(specified N frames).
 Error frame second event: the number of error frames in M seconds exceeds the
threshold. The second when an errored frame is generated is called the errored frame
second.
 Error symbol period event: the number of error symbols received in a period (monitor
window) exceeds the threshold.
Informing of peer fault

When a device is faulty or fails, it may cause network failure. Thus a flag is defined in OAM
PDU packet to allow an OAM entity to transmit fault information to the peer. The flag may
stand for the following threshold events:
 Link fault: signals from the peer are lost. OAM PDUs are sent every 1s.
 Dying gasp: an unpredictable event occurs which causes the system to be irrevocable,
such as power failure. In this case, OAM PDUs are sent ceaselessly.
 Critical event: an uncertain critical event occurs, such as abnormal temperature. In this
case, OAM PDUs are sent ceaselessly,
Remote loopback
Remote loopback is used to locate the area with the fault and help you test link quality with
instruments. Periodical loop detection helps you find network faults in time and segmental
loop detection helps you locate the specified area with the fault and clear the fault.
OAM loopback occurs only after the Ethernet OAM connection is established. When
connected, the active OAM entity initiates the OAM loopback command, and the peer OAM
entity responds to the command. When the peer OAM entity is in loopback mode, all packets
except OAM PDU will be retraced.

369
Raisecom
Switch A, in active mode, determines link status through returned packets, as shown in Figure
9-1.
Figure 9-1 OAM loopback
9.2 EFM
9.2.1 Introduction
Complying with IEEE 802.3ah protocol, Ethernet in the First Mile (EFM) is a link-level
Ethernet OAM technology. It provides link connectivity detection, link fault monitoring, and
remote fault notification for a link between two directly connected devices. EFM is mainly
used for Ethernet links on edges of the network accessed by users.
Scenario
Deploying EFM feature between directly connected devices can efficiently improve Ethernet
link management and maintenance capability and ensure stable network operation.
Prerequisite
 Connect interfaces.
 Configure physical parameters to make interfaces Up at the physical layer.
9.2.3 Default configurations of EFM

Default configurations of EFM are as below.

EFM working mode Passive mode
Interval for sending messages 10 ×100ms
Link timeout 5s
OAM Disable
Remote OAM event alarm Enable
EFM remote loopback status Not response
Monitor window of errored frame event 1s
Monitor threshold of errored event 1 errored frame

370
Raisecom

Monitor window of errored frame period event 1000ms
Monitor threshold of errored frame period event 1 errored frame
Monitor window of link errored frame second statistics event 60s
Monitor threshold of link errored frame second statistics event 1s
Monitor window of link errored coding statistics event 1s
Monitor threshold of errored coding statistic event 1s
Fault indication Enable
Local OAM event alarm Enable
9.2.4 Configuring basic functions of EFM

Configure basic functions of EFM for the ISCOM2600G series switch as below.

2 Raisecom(config)#oam (Optional) configure the period for sending
send-period period- OAM PDUs.
number timeout time
 period-number: period of sending OAM
Example:
Raisecom(config)#oam PDU, an integer, ranging from 1 to 100, in
send-period 20 timeout units of 100ms
 time: timeout, an integer, ranging from 1 to
10
50, in units of second
ace interface-type
interface-number
Example:
Raisecom(config)#interf
4 Raisecom(config- Configure the working mode of EFM OAM.
gigaethernet1/1/*)#oam
{ active | passive } At least one end should be in active mode,
Raisecom(config- otherwise link detection will fail.
gigaethernet1/1/*)#exit  active: active mode. An interface sends OAM
Example: Protocol Data Unit (PDU) initiating peer
Raisecom(config- discovery or remote loopback.
gigaethernet1/1/1)#oam  passive: passive mode. An interface waits for
active receiving the peer OAM PDU.



371
Raisecom

4 Raisecom(config- Enable interface OAM.
gigaethernet1/1/*)#oam
 enable: enable EFM OAM of links.
 disable: disable EFM OAM of links.
Example:
Raisecom(config-
gigaethernet1/1/1)#oam
enable
5 Raisecom(config- (Optional) enter global configuration mode.
6 Raisecom(config)#ip oam (Optional) create an address pool based on
server pool pool-name OAM, and define attributes of the address pool
Example: so that it can be used in assigning IP addresses
Raisecom(config)#ip oam for interfaces.
server pool pool
 pool pool-name: IP address pool. The pool-
name is a string of 1 to 16 characters.
9.2.5 Configuring active functions of EFM
The active function of EFM OAM can be configured only when the ISCOM2600G
series switch is in active mode.
Configuring OAM remote loopback

OAM provides a link-layer remote loopback mechanism for locating link faults and
measuring performance and quality. In link loopback status, the ISCOM2600G series switch
sends back all packets except OAM packets received by the link to the peer device. The local
device initiates or disables remote loopback through the OAM remote loopback command.
The remote device, through the loopback configuration command, controls whether to
respond to the loopback command.
Configure OAM remote loopback for the ISCOM2600G series switch as below.

ace interface-type
interface-number
Example:
Raisecom(config)#interf
3 Raisecom(config- Configure the interface to start EFM OAM
gigaethernet1/1/*)#oam remote loopback.
remote-loopback
Only the active OAM end can initiate remote
loopback.

372
Raisecom

4 Raisecom(config- (Optional) configure the timeout for remote
gigaethernet1/1/*)#oam loopback.
loopback timeout time
Example: If the remote end fails to respond within the
Raisecom(config- timeout time, the local end will retry. After the
gigaethernet1/1/1)#oam local end fails in retry, it will send a timeout
loopback timeout 5 alarm.
 time: timeout, an integer, ranging from 1 to
5 Raisecom(config- (Optional) configure the retry times for remote
gigaethernet1/1/*)#oam loopback.
loopback retry times
 times: retry times, an integer, ranging from 1
Example:
Raisecom(config- to 10
loopback retry 3
6 Raisecom(config- (Optional) disable remote loopback.
gigaethernet1/1/*)#no
oam remote-loopback
After loop detection is complete, disable
remote loopback in time.
Configuring peer OAM event alarm

Configure the peer OAM event alarm for the ISCOM2600G series switch as below.

Example:
gigaethernet 1/1/1
3 Raisecom(config- Enable peer OAM event alarm to
gigaethernet1/1/*)#oam peer send link monitoring events to the
event trap { enable | disable } NMS.
Example:
 enable: enable peer OAM link
Raisecom(config-
gigaethernet1/1/1)#oam peer event Trap.
 disable: disable peer OAM link
event trap enable
event Trap.
(Optional) configuring OAM variable obtaining

OAM variable obtaining is a link monitoring method. By obtaining the current variable of the
peer, you can learn status of current link. IEEE802.3 Clause 30 defines and explains
supported variable and its denotation obtained by OAM in details. The variable takes object as
the maximum unit. Each object contains Package and Attribute. A package contains several
attributes. Attribute is the minimum unit of a variable. When getting an OAM variable, it
defines object, package, branch, and leaf description of attributes by Clause 30 to describe
373
Raisecom
requesting object, and the branch and leaf are followed by variable to denote object responds
variable request.
The ISCOM2600G series switch supports obtaining OAM information and interface statistics.
Configure OAM variable obtaining for the ISCOM2600G series switch as below.

1 Raisecom#show oam peer { link- Obtain EFM OAM information
statistic | oam-info } [ interface- about the peer device or
type interface-number ] interface statistical variable.
Peer variable cannot be obtained until EFM is connected.
9.2.6 Configuring EFM passive function
The EFM passive function can be configured regardless the ISCOM2600G series
switch is in active or passive mode.
Configuring device to respond with EFM remote loop

Configure the ISCOM2600G series switch to respond with EFM remote loop as below.

number
Example:
gigaethernet 1/1/1
3 Raisecom(config- Configure the Layer 2 physical interface
gigaethernet1/1/*)#oam to ignore or process EFM remote
loopback { ignore | loopback.
process }
 ignore: ignore the remote loopback
Example:
Raisecom(config- command sent by the peer end.
 process: process the remote loopback
loopback process command sent by the peer end.
Only when the local end is configured with remote loopback response can EFM OAM
remote loopback of the peer end take effect.

374
Raisecom
Configuring OAM link monitoring

OAM link monitoring is used to detect and report link error in different conditions. When the
detection link has a fault, the ISCOM2600G series switch notifies the peer of the error
generated time, window and threshold by OAM event, the peer receives event notification and
reports the NView NNM system through SNMP Trap. Besides, the local device can directly
report events from a specified interface to the NView NNM system center through SNMP
Trap.
Configure OAM link monitoring for the ISCOM2600G series switch as below.

number
Example:
gigaethernet 1/1/1
3 Raisecom(config- Configure errored frame monitor window and
gigaethernet1/1/*)#oam threshold.
errored-frame window
 errored-frame: errored frame event. It will
framewindow threshold
framethreshold produce error event when the number of
Example: error frames exceeds the threshold in
Raisecom(config- monitoring window.
 framewindow: errored frame event window,
errored-frame window 20 an integer, ranging from 1 to 60, in units of
threshold 100 second
 framethreshold: errored frame threshold, an

4 Raisecom(config- Configure errored frame period event monitor
gigaethernet1/1/*)#oam window and threshold.
errored-frame-period
 errored-frame-period: errored frame period
window frameperiodwindow
threshold event, generated when the number of error
frameperiodthreshold frames exceeds the threshold in a period
 frameperiodwindow: errored frame period
Example:
Raisecom(config- event window, an integer, ranging from 1 to
gigaethernet1/1/1)#oam 600, in units of 100ms
 frameperiodthreshold: errored frame period
errored-frame-period
window 20 threshold 100 event threshold, an integer, ranging from 1
to 65535
5 Raisecom(config- Configure link errored frame second window
gigaethernet1/1/*)#oam and threshold.
errored-frame-seconds
 errored-frame-seconds: errored frame
window framesecswindow
threshold second event, generated when the number of
framesecsthreshold error frame seconds exceeds the threshold.
 framesecswindow: errored frame second
Example:
Raisecom(config- event window, an integer, ranging from 10
gigaethernet1/1/1)#oam to 900, in units of second
 framesecsthreshold: errored frame second
window 200 threshold 100 event threshold, an integer, ranging from 1
to 65535

375
Raisecom

6 Raisecom(config- Configure errored code window and
gigaethernet1/1/*)#oam threshold.
errored-symbol-period
 errored-symbol-period: errored symbol
window symperiodwindow
threshold period event, generated when the number of
symperiodthreshold error symbols received in a period (monitor
Example: window) exceeds the threshold
 symperiodwindow: errored symbol period
Raisecom(config-
gigaethernet1/1/1)#oam event window, an integer, ranging from 1 to
errored-symbol-period 60, in units of second
 symperiodthreshold: errored symbol period
window 20 threshold 100
event threshold, ranging from 1 to 65535, an
integer
(Optional) configuring OAM fault indication

OAM fault indication is used by the local device to inform the peer device of local
abnormalities, such as link fault, power failure, abnormal temperature, which cause faulty link
and device restart.
You can enable or disable fault indications except link fault which must be sent to the peer
end.
Configure OAM fault indication for the ISCOM2600G series switch as below.

face interface-type
interface-number
Example:
face gigaethernet
1/1/1

376
Raisecom

3 Raisecom(config- Enable the OAM fault notification to notify the
gigaethernet1/1/*)#oam peer device of local fault.
notify { critical-
 critical-event: when detecting critical faults
event | dying-gasp |
errored-frame | such as abnormal temperature and voltage, the
errored-frame-period | interface notifies the peer.
 dying-gasp: when detecting power failure, the
| errored-symbol- interface notifies the peer.
 errored-frame: when detecting errored frame
period } { enable |
disable } events, the interface notifies the peer.
 errored-frame-period: when detecting errored
Example:
Raisecom(config- frame period events, the interface notifies the
gigaethernet1/1/1)#oam peer.
 errored-frame-seconds: when detecting
notify errored-frame
disable errored frame second events, the interface
notifies the peer.
 errored-symbol-period: when detecting
errored symbol period events, the interface

notifies the peer.
 enable: enable notification of faults and OAM
link events.
 disable: disable notification of faults and
OAM link events.
Configuring local OAM event Trap

Configure local OAM event alarm for the ISCOM2600G series switch as below.

Example:
gigaethernet 1/1/1
3 Raisecom(config- Enable local OAM event Trap to
gigaethernet1/1/*)#oam event report link monitoring events to the
trap { enable | disable } NView NNM system immediately.
Example:
 enable: enable OAM link event
Raisecom(config-
gigaethernet1/1/1)#oam event Trap.
 disable: disable OAM link event
trap enable
Trap.


377
Raisecom

1 Raisecom#show oam [ gigaethernet Show basic configurations of
interface-number ] EFM OAM.
2 Raisecom#show oam event Show remote loopback
[ gigaethernet interface-number ] configurations of EFM OAM.
[ critical ]
3 Raisecom#show oam loopback Show configurations of link
[ gigaethernet interface-number ] monitoring and fault indication of
EFM OAM.
4 Raisecom#show oam notify Show statistics on EFM OAM
[ gigaethernet interface-number ] packets.
5 Raisecom#show oam peer event Show configurations of EFM
[ gigaethernet interface-number ] OAM event Trap.
[ critical ]
6 Raisecom#show oam peer link- Show information about local
statistic [ gigaethernet critical faults detected by the EFM
interface-number ] OAM interface.
7 Raisecom#show oam statistics Show information about the peer
[ gigaethernet interface-number ] EFM OAM device.
8 Raisecom#show oam trap Show information about the peer
[ gigaethernet interface-number ] EFM OAM and interface
statistical variable.
9.2.8 Maintenance
Command Description
Raisecom(config-gigaethernet1/1/*)#clear Clear statistics on links of the
oam statistics EFM OAM interface.
Raisecom(config-gigaethernet1/1/*)#clear Clear EFM OAM link events.
oam event
Raisecom(config)#clear oam config Clear EFM OAM configurations.

378
Raisecom
ISCOM2600G (A) Series Configuration Guide (CLI) 10 Security
10 Security
This chapter describes basic principles and configuration procedures for security, and
provides related configuration examples, including the following sections.
 ACL
 AAA
 Port security MAC
 Dynamic ARP inspection
 Storm control
 802.1x
 IP Source Guard
 PPPoE+
 Configuring CPU protection
 Configuring ARP attack protection
 ND Snooping
10.1 ACL
10.1.1 Introduction
Access Control List (ACL) is a set of ordered rules, which can control the ISCOM2600G
series switch to receive or refuse some data packets.
You need to configure rules on the network to prevent illegal packets from affecting network
performance and determine the packets allowed to pass. These rules are defined by ACL.
ACL is a series of rule composed of permit | deny sentences. The rules are described
according to source address, destination address, and port number of data packets. The
ISCOM2600G series switch judges receiving or rejecting packets according to the rules.

379
Raisecom
Scenario
ACL can help a network device recognize filter data packets. The device recognizes special
objects and then permits/denies packets to pass according to the configured policy.
ACL is divided into the following types:
 Basic IPv4 ACL: define classification rules according to attributes carried in the header
of IP packets, such as the source IP address and destination IP address.
 Extended IPv4 ACL: define classification rules according to attributes carried in the
header of IP packets, such as the source IP address, destination IP address, bearing
protocol type, and TCP or UDP port number (being 0 by default). This type can restrict
Telnet/SSH login.
 MAC ACL: define classification rules according to attributes carried in the header of
Layer 2 frames, such as the source MAC address, destination MAC address, and Layer 2
protocol type. When ACL denies packets with a destination MAC address, the device
will not learn and show the source MAC address.
 User ACL: this type can perform the AND operation with the mask from a specified byte
in the packet header or IP header, compares the character string extracted from the packet
with the user-defined character string, and thus find matching packets. This type supports
matching any field in the first 64 bytes of the Ethernet frame.
 IPv6 ACL: define classification rules according to attributes carried in the header of IP
packets, such as the source IPv6 address, destination IPv6 address, IPv6 bearing protocol
type, and TCP or UDP port number (being 0 by default). This type can restrict
Telnet/SSH login.
 Advanced ACL: define classification rules according to attributes carried in the header of
Layer 2 frames, such as the source MAC address and destination MAC address, and
attributed carried in the header of IP packets, such as the source IP address and
destination IP address.
There are 4 ACL modes according to different application environments:
 ACL based on device
 ACL based on interface
 ACL based on flow from the ingress interface to egress interface
 ACL based on VLAN
Prerequisite
N/A
10.1.3 Configuring MAC ACL

Configure MAC ACL for the ISCOM2600G series switch as below.


380
Raisecom

2 Raisecom(config)#access-list Create an ACL, and enter ACL
acl-number [ name acl-name ] configuration mode.
Example:
 acl-number: ACL number, an integer
Raisecom(config)#access-list
– When the ACL number is 1000–1999,
2001
this configuration enters basic IP ACL
configuration mode.
this configuration enters extended IP

ACL configuration mode.
this configuration enters MAC ACL

configuration mode.
this configuration enters User ACL

configuration mode.
this configuration enters IPv6 ACL

configuration mode.
this configuration enters advanced

 acl-name: ACL name, a string of 1 to 32
characters
3 Raisecom(config-acl-ip- (Optional) configure the matching rule for
std)#rule [ rule-id ] { deny basic IP ACL.
| permit } { source-ip-
 rule-id: rule ID, an integer, ranging from
address source-ip-mask |
any } [ time-range time- 1 to 65535
 deny: deny access when the rule is
range-name ]
Example: matched.
 permit: allow access when the rule is
Raisecom(config-acl-ip-
std)#rule permit matched.
 source-ip-address: source IP address of
192.168.27.27 255.255.255.0
the packet, in dotted decimal notation,
such as 10.10.10.1
 source-ip-mask: source IP mask of the
packet, in dotted decimal notation, such

as 255.255.255.0
 time-range time-range-name: time range,
a string of characters

381
Raisecom

4 Raisecom(config-acl-ip- (Optional) configure the matching rule for
ext)#rule [ rule-id ] { deny extended IP ACL.
| permit } { protocol-id |
icmp | igmp | ip } { source-
ip-address source-ip-mask | 1 to 65535
any } { destination-ip-
address destination-ip-mask | matched.
any } [ dscp dscp-value ]
[ ttl ttl-value ] matched.
 protocol-id: protocol ID, an integer,
[ fragment ] [ icmp-type
icmp-type-value ] [[ icmp- ranging from 1 to 255
 icmp: ICMP
message-code ] ] [ igmp-type
 igmp: IGMP
igmp-type-value ] [ igmp-
 ip: IP address
group igmp-ip-address igmp-
ip-mask ] [ dscp dscp-value |
precedence precedence- the packet, in dotted decimal notation,
value ] [| tos tos-value ] such as 10.10.10.1
 source-ip-mask: source IP mask of the
[ ttl ttl-value ]
[ fragment ] [ time-range packet, in dotted decimal notation, such
time-range-name ] as 255.255.255.0
Example:
 destination-ip-address: destination IP
Raisecom(config-acl-ip-
ext)#rule permit icmp address of the packet, in dotted decimal
192.168.27.27 255.255.255.0 notation, such as 10.10.10.1
 destination-ip-mask: destination IP mask
192.168.27.28 255.255.255.0

382
Raisecom

Raisecom(config-acl-ip- of the packet, in dotted decimal notation,
ext)#rule [ rule-id ] { deny such as 255.255.255.0
| permit } { tcp | udp }  ack ack-value: match ACK bit, an
{ source-ip-address source- integer, ranging from 0 to 1.

ip-mask | any } [ source-  fin fin-value: match FIN bit, an integer,
port ] [ range minimum- ranging from 0 to 1

source-port maximum-source-  psh psh-value: match PSH bit, an
port ] { destination-ip- integer, ranging from 0 to 1.

address destination-ip-mask |  rst rst-value: match RST bit, an integer,
any } [ destination-port ] ranging from 0 to 1.

[ ack ack-value ] [ dscp  syn syn-value: match SYN bit, an
dscp-value ] [ fin fin- integer, ranging from 0 to 1.

value ] [ fragment ]  urg urg-value: match URG bit, an
[ precedence precedence- integer, ranging from 0 to 1.

value ] [ psh psh-value ]  dscp dscp-value: DSCP priority, an
[ range minimum-source-port integer, ranging from 0 to 63

maximum-source-port ] [ ack  ttl ttl-value Packet lifetime, an integer,
ack-value ] [ fin fin-value ] ranging from 1 to 255
[ psh psh-value ] [ rst rst-  icmp-type icmp-type-value: ICMP type,
value ] [ syn syn-value ] an integer, ranging from 0 to 255
[ urg urg-value ] [ tos tos-  icmp-message-code: ICMP message
value ] [ urg urgdscp dscp- code, an integer, ranging from 0 to 255
value ] [| precedence  igmp-type igmp-type-value: IGMP type,
precedence-value | ttl ttl- an integer, ranging from 0 to 255
value ] [ fragment ] [ time-  igmp-group igmp-ip-address: IP address
range time-range-name ] of the IGMP group, in dotted decimal
Example: notation, such as 10.10.10.1
Raisecom(config-acl-ip-  igmp-ip-mask: mask of the IP address of
ext)#rule permit tcp the IGMP group, in dotted decimal
192.168.27.27 255.255.255.0 notation, such as 255.255.255.0
10000 192.168.27.28  precedence precedence-value: priority
255.255.255.0 10000 used to match the packet, an integer,
ranging from 0 to 7
 tos tos-value: TOS used to match the
packet, an integer, ranging from 0 to 15

 fragment: fragment
 tcp: TCP
 udp: UDP
 source-port: source interface of the
packet, an integer, ranging from 1 to

65535
 destination-port: destination of the port,

 range minimum-source-port: maximum
source interface: source port batch

configuration mode, used to configure
the minimum and maximum number of
source interfaces. The minimum number
of source interfaces is an integer, ranging
from 1 to 65535. The maximum number
of source interfaces is an integer, ranging
from 1 to 65535.
 time-range time-range-name: period, a
string of characters
383
Raisecom

5 Raisecom(config-acl-mac)#rule (Optional) configure the matching rule for
[ rule-id ] { deny | MAC ACL.
permit } { source-mac-address
source-mac-mask | any }
{ destination-mac-address 1 to 65535
destination-mac-mask | any }
[ ethertype { ethertype matched.
[ ethertype-mask ] | ip |
arp } ] [ svlan svlanid ] matched.
 source-mac-address: source MAC
[ cvlan cvlanid ] [ cos cos-
value ] [ inner-cos inner- address of physical frame, in dotted
cos-value ] [ time-range hexadecimal notation, such as
time-range-name ] 000E.5E12.3456
 source-mac-mask: source MAC mask of
Example:
Raisecom(config-acl-mac)#rule physical frame, in dotted hexadecimal
1 permit 000E.5E12.3456 notation, such as FFFF.FFFF.FFFF
 any: match any MAC address
FFFF.FFFF.FFFF 000E.5E34.5678
 destination-mac-address: destination
FFFF.FFFF.FFFF ethertype ip
MAC address of physical frame, in
dotted hexadecimal notation, such as
000E.5E12.3456
 destination-mac-mask: destination MAC
mask of physical frame, in dotted

hexadecimal notation, such as
FFFF.FFFF.FFFF
 ethertype ethertype: Ethernet frame type,
in hexadecimal notation, ranging from

0x0000 to 0xFFFF
 ethertype-mask: Ethernet frame type
mask, in hexadecimal notation, ranging

from 0x0000 to 0xFFFF
 ip: IP
 arp: ARP
 svlan svlanid: SVLAN ID, an integer,

 cos cos-value: CoS priority of SVLAN.
The cos-value is an integer, ranging from

0 to 7.
 cvlan cvlanid: CVLAN ID, an integer,

 inner-cos inner-cos-value: CoS priority
of CVLAN. The inner-cos-value is an


384
Raisecom

6 Raisecom(config-acl-udf)#rule (Optional) configure the matching rule for
[ rule-id ] { deny | User ACL.
permit } { layer2 | l2-
head } rule-string rule-mask
offset [ second rule-string 1 to 65535
rule-mask offset ] [ third
rule-string rule-mask matched.
offset ] [ fourth rule-string
rule-mask offset ] [ fifth matched.
 ipv4: offset starts from IPv4 packet
rule-string rule-mask
offset ] [ sixth rule-string head+20 bytes
 layer2: offset starts from protocol field
rule-mask offset ] [ seventh
 l2-head: offset starts from the header
offset ] [ time-range time- field of the L2 packet
 second: match the second field.
range-name ]
 third: match the third field.
Raisecom(config-acl-udf)#rule
 fourth: match the fourth field.
[ rule-id ] { deny |
 fifth: match the fifth field.
permit } ipv4 rule-string
 sixth: match the sixth field.
rule-mask offsets [ second
 seventh: match the seventh field.
 rule-string: user-defined string, in
offsets ] [ third rule-string
rule-mask offsets ] [ fourth hexadecimal notation, with even
rule-string rule-mask characters
 rule-mask: user-defined string mask, in
offsets ] [ fifth rule-string
rule-mask offsets ] [ sixth hexadecimal notation, with even
rule-string rule-mask characters
 offset: beginning field of the user-
offsets ] [ seventh rule-
string rule-mask offsets ] defined string, starting from the physical
[ time-range time-range- frame, an integer, being 4n + 2 (n = 0, 1,
name ] 2, and 3...), ranging from 0 to 115
 offsets: beginning field of the user-
Example:
Raisecom(config-acl-udf)#rule defined string, starting from the physical
1 permit layer2 2D FF 22 frame, an integer, being 4n + 2 (n = 0, 1,
2, and 3...), ranging from 0 to 93
 time-range: time period, a string of no
more than 32 characters

385
Raisecom

7 Raisecom(config-acl- (Optional) configure the matching rule for
ipv6)#rule [ rule-id ] { deny IPv6 ACL.
| permit } { protocol-id |
ipv6 | icmpv6 } { source-
ipv6-address/prefix | any } 1 to 65535
{ destination-ipv6-
address/prefix | any } matched.
[ icmpv6-type icmp-type-
value [ icmp-message-code ] ] matched.
 protocol-id: protocol ID, an integer,
[ dscp dscp-value ]
[ fragment ] [flow-label ranging from 1 to 255
 ipv6: IPv6
flow-label-value ]
 igmpv6: IGMPv6
[ fragment ] [ time-range
 source-ipv6-address/prefix: source IPv6
time-range-name ]
Raisecom(config-acl- address and prefix length of the packet,
ipv6)#rule [ rule-id ] { deny in colon hexadecimal notation
| permit } { tcp | udp }
 destination-ipv6-address/prefix:
{ source-ipv6-address/prefix|
any } [ source-ip-mask | destination IPv6 address of the packet, in
any }port ] { destination- colon hexadecimal notation
 icmpv6-type icmp-type-value: type value
ipv6-address/prefix | any }
[ destination-port ] [ ack of the ICMP message, an integer,
ack-value ] [ dscp dscp- ranging from 0 to 255
 icmp-message-code: code of the ICMP
value ] [ fin fin-value ]
[ fragment ] [flow-label message, an integer, ranging from 0 to
flow-label-value ] [ psh psh- 255
 ack ack-value: match ACK bit, an
value ] [ rst rst-value ]
[ syn syn-value ] [ urg urg- integer, ranging from 0 to 1.
 fin fin-value: match FIN bit, an integer,
value ] [ dscp dscp-value ]
[ flow-label flow-label- ranging from 0 to 1
 psh psh-value: match PSH bit, an
value ] [ fragment ] [ time-
range time-range-name ] integer, ranging from 0 to 1.
 rst rst-value: match RST bit, an integer,
Example:
Raisecom(config-acl- ranging from 0 to 1.
 syn syn-value: match SYN bit, an
ipv6)#rule 1 permit ipv6
1030:0::48AA:1A2B/60 any integer, ranging from 0 to 1.
 urg urg-value: match URG bit, an

 dscp dscp-value: match packets with
DSCP. The dscp-value is an integer,

 flow-label flow label-value: flow label,

 tcp: TCP
 udp: UDP
 source-port: source port of the packet, an

 destination-port: destination port of the
packet, an integer, ranging from 1 to

65535

386
Raisecom

8 Raisecom(config-acl- (Optional) configure the matching rule for
advanced)#rule [ rule-id ] advanced ACL.
{ deny | permit } { source-
mac-address source-mac-mask |
any } { destination-mac- 1 to 65535
address destination-mac-mask
| any } [ svlan svlanid ] matched.
[ cvlan cvlanid ] [ cos cos-
value ] [ cvlan cvlanid ] matched.
 source-mac-address: source MAC
[ inner-cos inner-cos-
value ] { source-ip-address address of physical frame, in dotted
source-ip-mask | any } hexadecimal notation, such as
{ destination-ip-address 000E.5E12.3456
 source-mac-mask: source MAC address
destination-ip-mask | any }[}
[ dscp dscp-value ] [ ttl mask of physical frame, in dotted
ttl-value ] [ fragment ] [| hexadecimal notation, such as
precedence precedence- FFFF.FFFF.FFFF
 any: match any MAC address
value ] [| tos tos-value ]
 destination-mac-address: destination
[ ttl ttl-value ]
[ fragment ] [ time-range MAC address of physical frame, in
time-range-name ] dotted hexadecimal notation, such as
Raisecom(config-acl- 000E.5E12.3456
 destination-mac-mask: destination MAC
advanced)#exit
Example: address mask of physical frame, in
Raisecom(config-acl- dotted hexadecimal notation, such as
advanced)#rule 1 permit FFFF.FFFF.FFFF
 svlan svlanid: SVLAN ID, an integer,
000E.5E12.3456 FFFF.FFFF.FFFF
000E.5E34.5678 FFFF.FFFF.FFFF ranging from 1 to 4094
 cos cos-value: SVLAN CoS priority. The
192.168.1.2 255.255.255.0
192.168.1.5 255.255.255.0 cos-value is an integer, ranging from 0 to
7.
 cvlan cvlanid: CVLAN ID, an integer,

 inner-cos inner-cos-value: CVLAN CoS
priority. The inner-cos-value is an

the packet, in dotted decimal notation

such as 10.10.10.1
 source-ip-mask: source IP address mask
of the packet, in dotted decimal notation,

such as 255.255.255.0
 dscp dscp-value: match packets with
DSCP. The dscp-value is an integer,

 ttl ttl-value: packet lifetime, an integer,

 precedence precedence-value: priority
used to match packet, an integer, ranging

from 0 to 7
 tos tos-value: ToS priority used to match
packet, an integer, ranging from 0 to 15

387
Raisecom

9 Raisecom(config)#interface Enter VLAN interface mode.
vlan vlan-id
Example:
vlan 1
10 Raisecom(config-vlan*)#local- (Optional) configure the SNMP ACL IP.
access access-list acl-
 acess-list acl-number: ACL number, an
number
Example: integer
– When the rangg is 1000 to 1999, enter
Raisecom(config-vlan1)#local-
access access-list 1001 standard IP ACL configuration mode.
– When the range is 6000 to 6999, enter
IPv6 ACL configuration mode.
10.1.4 Configuring ACL period

Configure the ACL period for the ISCOM2600G series switch as below.

1 Raisecom#config Enter global
configuration
mode.
2 Raisecom(config)#time-range time-range-name { hour Create a
minute seconds to hour minute seconds { weekday- period for
list | sun | mon | tue | wed | thu | fri | satsta applying ACL
| off-day | working-day | daily } [ from hour rules.
minute seconds month-day-year ] [ to hour minute
seconds month-day-year ] | from hour minute
seconds month-day-year [ to hour minute seconds
month-day-year ] | to hour minute seconds month-
day-year }
Example:
Raisecom(config)#time-range a 1:00:00 to 3:00:00
mon
10.1.5 Configuring filter

Configure the filter for the ISCOM2600G series switch as below.


388
Raisecom

2 Raisecom(config)#in
terface interface-
Enter physical interface configuration mode, or VLAN
type interface-
interface configuration mode. Take physical interface
number
configuration mode for example.
Example:
Raisecom(config)#in
terface
gigaethernet 1/1/1
3 Raisecom(config- Apply ACL to the interface.
gigaethernet1/1/*)#
 ingress: apply ACL to the ingress direction.
filter ingress
 access-list acl-number: access control list number, an
access-list { acl-
number | name acl- integer
– When the range is 1000 to 1999, enter standard IP
name }
[ statistics ] ACL configuration mode.
– When the range is 2000 to 2999, enter extended IP
[ statistics ]
Example: ACL configuration mode.
– When the range is 3000 to 3999, enter MAC ACL
Raisecom(config-
gigaethernet1/1/1)# configuration mode.
– When the range is 5000 to 5999, enter user ACL
filter ingress
access-list 1001 configuration mode.
– When the range is 6000 to 6999, enter IPv6 ACL
configuration mode.
– When the range is 7000 to 7999, enter advanced

 statistics: enable ACL statistics.
 name acl-name: ACL name, a string of 1 to 32
characters
gigaethernet1/1/*)#
exit
5 Raisecom(config)#fi Apply ACL to the VLAN.
lter ingress
 ingress: apply ACL to the ingress direction.
access-list { acl-
 access-list acl-number: access control list number, an
number | name acl-
name } vlanlist integer
– When the range is 1000 to 1999, enter standard IP
vlan-list
[ statistics ] ACL configuration mode.
– When the range is 2000 to 2999, enter extended IP
Example:
Raisecom(config)#fi ACL configuration mode.
– When the range is 3000 to 3999, enter MAC ACL
lter ingress
access-list 2001 configuration mode.
– When the range is 5000 to 5999, enter user ACL
vlanlist 2
configuration mode.
– When the range is 6000 to 6999, enter IPv6 ACL
configuration mode.
– When the range is 7000 to 7999, enter advanced

 name acl-name: ACL name, a string of 1 to 32
characters
 vlan-list: VLAN list, an integer, ranging from 1 to
4094. It supports specific values, such as "1,2,3"; it

 statistics: enable ACL statistics.

389
Raisecom


1 Raisecom#show access-list [ acl- Show ACL configurations.
number | name acl-name ]
2 Raisecom#show acl resource Show resources used by ACL.
ingress
3 Raisecom#show filter interface Show filter configurations.
Raisecom#show filter interface
[ ingress ]
Raisecom#show filter statistics
interface interface-type
interface-number [ ingress
[ access-list { acl-number |
name acl-name } ]
Raisecom#show filter vlanlist
[ vlan-list ]
4 Raisecom#show local-access Show information about
access-list authentication by the SNMP server.
5 Raisecom#show time-range [ time- Show configurations of the time
range-name ] range.
10.1.7 Maintenance
Command Description
Raisecom(config)#clear filter statistics interface Clear statistics
{ interface-type interface-number | vlan vlan-id } on ACL filter
ingress [ access-list { acl-number | name acl-name } ] configurations.
Example:
Raisecom(config)#clear filter statistics interface
gigaethernet 1/1/1 ingress

390
Raisecom
10.2 AAA
10.2.1 Introduction
AAA
Authentication, Authorization, and Accounting (AAA) is a management mechanism for
network security. AAA adopts a client/server structure and provides three security functions of
authentication, authorization, and accounting.
 Authentication: confirm the identity of the remote user accessing the network, and
determine whether the visitor is a legitimate network user.
 Authorization: grant different permissions to different users to limit the services that
users can use. For example, the administrator authorizes office users to access and print
files on the server, but other temporary visitors do not have this permission.
 Accounting: record all operations during the user's use of network services, including the
type of service used, starting time, data flow, to collect and record the user's use of
network resources, and implement the accounting for time and traffic. It also has a
monitoring effect on the network.
AAA adopts a client/server structure. The client runs on the NAS (Network Access Server),
which is responsible for verifying user identity and managing user access. The server centrally
manages user information.
AAA can be implemented through multiple protocols that specify how user information is
communicated between the NAS and the server. Currently, the device supports the Remote
Authentication Dial-In User Service (RADIUS) protocol and Terminal Access Controller
Access Control System (TACACS+).
RADIUS
Remote Authentication Dial In User Service (RADIUS) is a standard communication protocol
that provides centralized authentication of remote access users. RADIUS uses UDP as the
transmission protocol (port 1812 and port 1813) which has a good instantaneity; at the same
time, RADIUS features good reliability by supporting retransmission mechanism and standby
server mechanism.
 RADIUS authentication
RADIUS adopts client/server mode. The network access device is used as client of RADIUS
server. The RADIUS server receives user connection requests, authenticates users, and replies
them with configurations for providing services. In this way, RADIUS can control user to
access devices and network, thus improving network security.
Communication between clients and RADIUS server is authenticated by the shared key,
which will not be transmitted on the network. Besides, any user password to be transmitted
between clients and RADIUS server must be encrypted to prevent it from being intercepted
through sniffing through any insecure network.
 RADIUS accounting
RADIUS accounting is used on users that have passed RADIUS authentication. When a user
logs in, the device sends an Account-Start packet to the RADIUS accounting server. During
user login, the device sends Account-Update packets to the RADIUS accounting server
according to the accounting policy. When the user logs off, the device sends an Account-Stop

391
Raisecom
packet, which contains user online time, to the RADIUS accounting server. The RADIUS
accounting server can record the access time and operations of each user through these
packets.
TACACS+
Terminal Access Controller Access Control System (TACACS+) is a kind of network access
authentication protocol similar to RADIUS. The differences between them are:
 TACACS+ uses TCP port 49, which has higher transmission reliability compared with
UPD port used by RADIUS.
 TACACS+ encrypts the holistic of packets except the standard head of TACACS+, and
there is a field to show whether the data packets are encrypted in the head of packet.
Compared to RADIUS user password encryption, the TACACS+ is much safer.
 TACACS+ authentication function is separated from authorization and accounting
functions; it is more flexible in deployment.
In a word, TACACS+ is safer and more reliable than RADIUS; however, as an open protocol,
RADIUS is more widely used.
Domain-based authentication
On the actual network, there are many types of access users which are in a large number. To
facilitate the differentiated management of users with different access authentication modes
and provide more refined and differentiated AAA services, domain-based authentication is
proposed to meet certain user authentication management policy.
 A domain is a group of users. Because different users have different requirements for
AAA, multiple domains need to be configured on the device.
 The AAA scheme and properties of each domain are different. By binding AAA
templates, configure different AAA schemes and related properties. The corresponding
domain is automatically matched according to the domain name carried by the
authenticated user, and the corresponding AAA scheme in the domain is executed.
 A default domain exists on the device, and the default AAA scheme is provided for users
who do not carry a domain name. The default administrative domain is default-admin.
The default access domain is default.
Scenario
To control users' access to devices and the network, you can deploy the RADIUS/TACACS+
server to authenticate and account users. The ISCOM2600G series switch can work as an
agent of the RADIUS/TACACS+ server, and authorize users with access rights according to
the feedback by the RADIUS/TACACS+ server. TACACS+ is more secure and reliable than
RADIUS.
Prerequisite
N/A

392
Raisecom
10.2.3 Default configurations of AAA

AAA domain status Active
Authentication scheme of the domain administrator user local
Authorization scheme of the domain administrator user No authorization
Accounting scheme of the domain access user No Accounting
Domain command policy Disable
Command authorization scheme of the domain administrator N/A
user
Domain command authorization switch Disable
Command accounting scheme of the domain administrator N/A
user
Domain command accounting switch Disable
Accounting failure policy for the domain user online

Period for sending AAA accounting update packets 0
Name of the domain to be renamed The name of the access
domain is default.
The name of the
administrative domain is
default-admin.
Shared key and encrypted shared key used to communicate Null
with the RADIUS authentication server
RADIUS NAS IP address 0.0.0.0
Processing policy for RADIUS authorization failure 15
Response timeout time of the RADIUS authentication server 3s
Times for retransmitting RADIUS packets 3
Silence time of the RADIUS server 5min
Format of the user name to be sent to the RADIUS server Keeping unchanged
RADIUS Trap sending Disable
Shared key and encrypted shared key used to communicate Null
with the TACACS+ authentication server
Response timeout time of the TACACS+ authentication 5s
server
Authentication mode of TACACS+ services ASCII
Times for retransmitting TACACS+ packets 3

393
Raisecom

Silence time of the TACACS+ server 5min
Format of the user name to be sent to the TACACS+ server Keeping unchanged
TACACS+ Trap sending Disable
10.2.4 Configuring AAA domain

2 Raisecom(config)#domain Create an AAA domain. Enter it or an
domain-name existing one.
3 Raisecom(config-domain)#state Configure the AAA domain status.
{ active | block }
4 Raisecom(config- Configure the authentication scheme
domain)#authentication for the administrator user in the
[console | telnet | ssh | domain.
web] scheme { local | radius-
template radius-template-name If the local authentication scheme is
[ local ] [server-no- configured as the backup authentication
response] | tacacs-template scheme, we recommend using the local
tacacs-template-name authorization scheme as the backup
[ local ] [server-no- authorization scheme.
response] }
5 Raisecom(config- Configure the authorization scheme of
domain)#authorization scheme the domain administrator user.
tacacs-template tacacs-
template-name [ local
[ server-no-response ] ]
6 Raisecom(config- Configure the accounting scheme of the
domain)#accounting scheme domain access user.
{ tacacs-template tacacs-
template-name | radius-
template radius-template-
name }
7 Raisecom(config- Configure the accounting failure policy
domain)#accounting fail of the domain user.
{ online | offline }
8 Raisecom(config- Configure the period for sending AAA
domain)#accounting update- accounting update packets.
time minute
9 Raisecom(config- Configure domain command policy.
domain)#command {accounting |
authorization } { enable |
disable }

394
Raisecom

10 Raisecom(config- Configure the command authorization
domain)#command authorization scheme of the domain administrator
scheme tacacs-template user.
tacacs-template-name [ none
server-no-response ] We recommend configuring the backup
authorization scheme none server-no-
response in case that the command fails
to be executed if the server stops
responding.
11 Raisecom(config- Configure the command accounting
domain)#command accounting scheme of the domain administrator
scheme { tacacs-template user.
tacacs-template-name |
radius-template radius-
template-name }
12 Raisecom(config-domain)#exit Rename the domain.
Raisecom(config)#domain old-
domain-name rename new-
domain-name
10.2.5 Configuring RADIUS

2 Raisecom(config)#radius Create a RADIUS template. Enter the
template template-name RADIUS template configuration mode
of the created one or existing one.
3 Raisecom(config-radius- Configure the IP address, protocol port
template)#radius [ backup ] number, key, and source IP address of
{accounting | the RADIUS authentication server and
authentication } { ipv4- RADIUS accounting server.
[ auth-port port-id ]
[ encrypt-key encrypt-key |
key key ] [ source-ip { ipv4-
address | ipv6-address }]
4 Raisecom(config-radius- Configure the shared key and encrypted
template)#radius {accounting shared key used to communicate with
| authentication }{ encrypt- the RADIUS authentication server.
key encrypt-key | key key }
5 Raisecom(config-radius- Configure the IP address of the source
template)#radius source-ip interface used to send packets for all
{ ipv4-address | ipv6- servers in the template.
address }
6 Raisecom(config-radius- Configure the RADIUS NAS IP
template)#radius nas-ip- address.
address { ipv4-address |
ipv6-address }

395
Raisecom

7 Raisecom(config-radius- Configure the processing policy for
template)#radius RADIUS authorization failure.
authorization no-privilege
{ default | offline |
priority }
8 Raisecom(config-radius- Enable RADIUS authorization of
template)#radius VLAN compatible standard protocol.
authorization vlan-mode
standard
9 Raisecom(config-radius- Configure the response timeout time of
template)#radius response- the RADIUS authentication server.
timeout time
10 Raisecom(config-radius- Configure the times for retransmitting
template)#radius retry-times RADIUS packets.
times
11 Raisecom(config-radius- Configure the silence time of the
template)#radius quiet-time RADIUS server.
time
12 Raisecom(config-radius- Configure the format of the user name
template)#user-name-format to be sent to the RADIUS server.
{ keep-original | with-domain
| without-domain }
13 Raisecom(config-radius- Enable RADIUS Trap sending.
template)#exit
Raisecom(config)#radius trap
10.2.6 Configuring TACACS+

2 Raisecom(config)#tacacs Create a TACACS+ template. Enter the
template template-name TACACS+ template configuration
mode of the created one or existing
one.
3 Raisecom(config-tacacs- Configure the IP address, protocol port
template)#tacacs [ backup ] number, key, and source IP address of
{accounting | authentication the TACACS+ authentication server,
| authorization } { ipv4- TACACS+ accounting server, and
address | ipv6-address } TACACS+ authorization.
[ auth-port port-id ]
[ encrypt-key encrypt-key |
key key ] [ source-ip { ipv4-
address | ipv6-address }]
4 Raisecom(config-tacacs- Configure the shared key and encrypted
template)#tacacs {accounting shared key used to communicate with
| authentication | the TACACS+ authentication server.
authorization }{ encrypt-key
encrypt-key | key key }

396
Raisecom

5 Raisecom(config-tacacs- Configure the IP address of the source
template)# tacacs source-ip interface used to send packets for all
{ ipv4-address | ipv6- servers in the template.
address }
6 Raisecom(config-tacacs- Configure the response timeout time of
template)#tacacs response- the TACACS+ authentication server.
timeout time
7 Raisecom(config-tacacs- Configure the authentication mode of
template)#tacacs authenticate TACACS+ services.
type { ascii | pap }
8 Raisecom(config-tacacs- Configure the silence time of the
template)#tacacs quiet-time TACACS+ server.
time
9 Raisecom(config-tacacs- Configure the format of the user name
template)#user-name-format to be sent to the TACACS+ server.
{ keep-original | with-domain
| without-domain }
10 Raisecom(config-tacacs- Enable TACACS+ Trap sending.
template)#exit
Raisecom(config)#tacacs trap


1 Raisecom#show domain Show information about the AAA
[ domain-name ] [ details ] domain.
2 Raisecom#show radius template Show configurations of the RADIUS
[ template-name] [ details ] template.
3 Raisecom#show radius Show RADIUS statistics.
statistics
4 Raisecom#show tacacs template Show configurations of the TACACS+
[ template-name] [ details ] template.
5 Raisecom#show tacacs Show TACACS+ statistics.
statistics
10.2.8 Maintenance
Command Description
Raisecom(config)#clear radius statistics Clear RADIUS statistics.
Raisecom(config)#clear tacacs statistics Clear TACACS+ statistics.

397
Raisecom
10.2.9 Example for configuring AAA
Networking requirement
As shown in Figure 10-1, to make access users and the administrator user to access different
servers, configure two domains. The administrator user uses the default administrative domain,
namely, the default-admin domain. The access user uses the default access domain, namely,
the default domain. Required configurations are as below:
 Configure the IP address, VLAN, and route on the switch for user connection and
authentication.
 Create a local user account. Configure the AAA template and scheme for the
administrator user. Use TACACS server 3 for authentication and authorization. Use
RADIUS server 2 for accounting.
 Enable Dot1x. Configure the AAA template and scheme for access users. Use RADIUS
server 1 for authentication, accounting, and authorization.
Figure 10-1 Domain-based authentication application networking
Configuration steps
Step 1 Configure the IP address and user view.
Raisecom(config)#ip route 0.0.0.0 0.0.0.0 10.1.0.1
Step 2 Configure the administrator user to use TACACS Server 3 for authentication and
authorization. The template name is t1.

398
Raisecom
Raisecom(config)#tacacs template t1
Raisecom(config-tacacs-template)#tacacs authentication 10.1.3.2 key
123456
Raisecom(config-tacacs-template)#tacacs authorization 10.1.3.2 key 123456
Raisecom(config-tacacs-template)#quit
Step 3 Configure the administrator user to use RADIUS Server 2 for accounting. The template name
is r1.
Raisecom(config)#radius template r1
Raisecom(config-radius-template)#radius accounting 10.1.2.2 key 123456
Raisecom(config-radius-template)#quit
Step 4 Associate the template in the management domain.
Raisecom(config)domain default-admin
Raisecom(config-domain)#authentication scheme tacacs-template t1 local
Raisecom(config-domain)#authorization scheme tacacs-template t1
Raisecom(config-domain)#accounting scheme radius-template r1
Raisecom(config-domain)#quit
Step 5 Enable dot1x.
Raisecom(config)#dot1x enable
Raisecom(config-gigaethernet1/1/1)#dot1x enable
Raisecom(config-gigaethernet1/1/1)#quit
Step 6 Configure the AAA template and scheme required for accessing users. Use RADIUS server 1
for authentication. The template name is r2.
Raisecom(config)#radius template r2
Raisecom(config-radius-template)#radius authentication 10.1.1.2 key
123456
Raisecom(config-radius-template)#radius accounting 10.1.1.2 key 123456
Raisecom(config-radius-template)#quit
Raisecom(config)#domain default
Raisecom(config-domain)#authentication scheme radius-template r2
Raisecom(config-domain)#accounting scheme radius-template r2
Raisecom(config-domain)#quit
Step 7 After configurations are complete, enable command authorization and command accounting.

399
Raisecom
Raisecom(config)#domain default-admin
Raisecom(config-domain)#command accounting scheme radius-template r1
Raisecom(config-domain)#command authorization scheme tacacs-template t1
Raisecom(config-domain)#command accounting enable
Raisecom(config-domain)#command authorization enable
Checking results
Step 1 Use the show radius template details command to show configurations of the RADIUS
server.
Raisecom#show radius template details

Total Radius Template:3
Template Name:system
Retry Times: 3
Server Response Timeout(seconds):3
Server Quiet Time(minutes):5
User Name Format:keep-original
Authorization Fail Policy:15
Authorization Vlan Mode:private
NAS IP Address:
Source IP Address:
Authentication Encrypted Key:
Accounting Encrypted Key:
Template Name:r1
Retry Times: 3
NAS IP Address:
Source IP Address:
Accounting Server Master:10.1.2.2
Port:1813
State:block
Source Ip:
Encrypted Key:zpt4gfNEnOMo
Template Name:r2
Retry Times: 3
NAS IP Address:

400
Raisecom
Source IP Address:
Accounting Server Master:10.1.1.2
Port:1812
State:active
Source Ip:
Encrypted Key:KMsJq1kTTiyc
Step 2 Use the show tacacs template details command to show configurations of the TACACS+
server.
Raisecom#show tacacs template details

Total Tacacs Template:2
Template Name:system
Source IP Address:
Authenticate type: ASCII
Authorization Encrypted Key:
Template Name:t1
Source IP Address:
Authenticate type: ASCII
Authorization Encrypted Key:
Authentication Server Master:10.1.3.2

Port:49
State:active
Source Ip:
Encrypted Key:CJ1vJ9kM2g4b
Step 3 Use the show domain details command to show configurations of the AAA domain.
Raisecom(config)#show domain details

Total Domain:2
Domain Name:default-admin
Command Accounting: enable
Command Authorization: enable

401
Raisecom
Accounting Fail Policy: online

Accounting Update-time: 0
L:Local N:None R:Radius T:Tacacs
R-L:Radius-Local R-L(NP):Radius-Local(No Response)
T-L:Tacacs-Local T-L(NP):Tacacs-Local(No Response)
T-N(NP):Tacacs-None(No Response)
AAA Method Template Name
-------------------------------------------------------------------------
---
Login Authentication T t1
Login Console Authentication -- --
Login Telnet Authentication -- --
Login Ssh Authentication -- --
Login Web Authentication -- --
Login Accounting R r1
Login Authorization T t1
Command Accounting R r1
Command Authorization T t1
Domain Name:default
Command Accounting: disable
Command Authorization: disable
Accounting Fail Policy: online
Accounting Update-time: 0
L:Local N:None R:Radius T:Tacacs
R-L:Radius-Local R-L(NP):Radius-Local(No Response)
T-L:Tacacs-Local T-L(NP):Tacacs-Local(No Response)
T-N(NP):Tacacs-None(No Response)
AAA Method Template Name
-------------------------------------------------------------------------
---
Login Authentication R r2
Login Console Authentication -- --
Login Telnet Authentication -- --
Login Ssh Authentication -- --
Login Web Authentication -- --
Login Accounting R r2
Login Authorization -- --
Command Accounting -- --
10.3 Port security MAC

10.3.1 Introduction
Port security MAC is used for the switching device on the edge of the network user side. It
can ensure security of accessed data on an interface, and control the incoming packets
according to the source MAC address.
You can enable port security MAC to limit and distinguish which users can access the
network through secure interfaces. Only secure MAC addresses can access the network,
unsecure MAC addresses will be dealt with as configured interface access violation mode.

402
Raisecom
Secure MAC address classification

Secure MAC addresses supported by the device are divided into the following three categories:
 Static secure MAC address
The static secure MAC address is configured by user on secure interface manually; this MAC
address will take effect when port security MAC is enabled. Static secure MAC address does
not age and supports loading configuration.
 Dynamic secure MAC address
The dynamic secure MAC address is learnt by the device. You can configure the learnt MAC
address to secure MAC address in the range of the maximum number of learnt MAC address.
The dynamic secure MAC addresses are aged and does not support configuration load.
The dynamic secure MAC address can be converted to the sticky secure MAC address if
necessary, so as not to be aged and supports auto-loading.
 Sticky secure MAC address
The sticky secure MAC address is generated from the manual configuration of user in secure
interface or converted from dynamic secure MAC address. Different from static secure MAC
address, the sticky secure MAC address needs to be used in conjunction with sticky learning:
 When sticky learning is enabled, the sticky secure MAC address will take effect and this
address will not be aged.
 When sticky learning is disabled, the sticky secure MAC address will become invalid
and be saved only in the system.
 When sticky learning is enabled, all dynamic secure MAC addresses learnt from
an interface will be converted to sticky secure MAC addresses.
 When sticky learning is disabled, all sticky secure MAC addresses on an interface
will be converted to dynamic secure MAC addresses.
Processing mode for violating port security MAC

When the number of secure MAC addresses has already reached the maximum number,
inputting of packets from a strange source MAC address will be regarded as a violation
operation. For the illegal user access, there are different processing modes for configuring the
switch according to secure MAC violation policy:
 Protect mode: for illegal access users, the secure interface will discard the user's packets
directly.
 Restrict mode: for illegal access users, the secure interface will discard the user's packets,
and the console will print Syslog information and send an alarm to the NMS.
 Shutdown mode: for illegal access users, the secure interface will discard the user's
packets, and the console will print Syslog information, send an alarm to the NMS, and
then shut down the secure interface.
When the MAC address is flapping, in other words, secure interface A is accessed by
a user corresponding to a secure MAC address that is already on secure interface B,
secure interface A will process the access as violation.

403
Raisecom
Scenario
To ensure the security of data accessed by the interface of the switch, you can control the
incoming packets according to source MAC address. With port security MAC, you can
configure the feature of permitting specified users to access the interface, or permitting
specified number of users to access from this interface only. However, when the number of
users exceeds the limit, the accessed packets will be processed in accordance with port
security MAC violation policies.
Prerequisite
N/A
10.3.3 Default configurations of port security MAC

Default configurations of port security MAC are as below.

Interface secure MAC Disable
Aging time of dynamic secure MAC address 300s
Aging type of dynamic secure MAC address Absolute
Restoration time of port security MAC Disable, namely, no restoration
Dynamic secure MAC sticky learning Disable
Port secure MAC Trap Disable
Port secure MAC violation processing mode Protect
Maximum number of port security MAC 1024
10.3.4 Configuring basic functions of port security MAC
 We do not recommend enabling port security MAC on member interfaces of the

LAG.
 We do not recommend using the MAC address management function to configure
static MAC addresses when port security MAC is enabled.
 When the 802.1x interface adopts a MAC address-based authentication mode,
port security MAC and 802.1x are mutually exclusive. We do not recommend co-
configuring them concurrently.
 Port security MAC and interface-/interface VLAN-based MAC number limit are
mutually exclusive, which cannot be configured concurrently.
Configure basic functions of port security MAC for the ISCOM2600G series switch as below.

404
Raisecom

number
Example:
gigaethernet 1/1/1 unit/slot/port. The value range depends
on the interface type.
3 Raisecom(config- Enable port security MAC.
gigaethernet1/1/*)#switchpor
t port-security
4 Raisecom(config- (Optional) configure the maximum
gigaethernet1/1/*)#switchpor number of secure MAC addresses.
t port-security maximum
 maximum-number: maximum number
maximum-number
Example: of secure MAC addresses, an integer,
gigaethernet1/1/1)#switchpor
t port-security maximum 10
5 Raisecom(config- (Optional) configure secure MAC
gigaethernet1/1/*)#switchpor violation mode.
t port-security violation
 protect: protect the interface. The
{ protect | restrict |
shutdown } secure port will discard packets from
Example: unauthorized users.
 restrict: restrict packets. The secure
Raisecom(config-
gigaethernet1/1/1)#switchpor port will discard packets from
t port-security violation unauthorized users, print Syslog at
restrict console, and send a trap to the NMS.
 shutdown: shut down the interface. The
secure port will discard packets from

unauthorized users, print Syslog
information at console, send a trap to
the NMS, and shut down the interface.
6 Raisecom(config- (Optional) re-enable the interface which
gigaethernet1/1/*)#no port- is shut down due to violating port
security shutdown security MAC.
Raisecom(config-
7 Raisecom(config)#port- (Optional) configure the restoration time
security recovery-time of port security MAC.
second
 second: recovery time, an integer,
Example:
Raisecom(config)#port- ranging from 30 to 86400, in units of
security recovery-time 30 second
When secure MAC violation policy is in Shutdown mode, you can use this command
to re-enable this interface which is shut down due to violating port security MAC.

405
Raisecom
When the interface is Up, the configured secure MAC violation mode will continue to
be valid.
10.3.5 Configuring static secure MAC address

Configure the static secure MAC address for the ISCOM2600G series switch as below.

Example:
gigaethernet 1/1/1
port-security
4 Raisecom(config- Configure the static secure MAC
gigaethernet1/1/*)#switchport address.
port-security mac-address mac-
address vlan vlan-id
Raisecom(config-
port-security mac-address
0000.0000.0001 vlan 1
10.3.6 Configuring dynamic secure MAC address

Configure the dynamic secure MAC address for the ISCOM2600G series switch as below.

2 Raisecom(config)#port-security (Optional) configure the aging
aging-time period time of dynamic secure MAC
Example: address.
Raisecom(config)#port-security
 period: aging time, an integer,
aging-time 10
ranging from 0 to 1440s, in units
of second
Example:
gigaethernet 1/1/1

406
Raisecom

4 Raisecom(config- (Optional) configure the aging
gigaethernet1/1/*)#switchport type of secure MAC addresses.
port-security aging-type
 absolute: be aged after absolute
{ absolute | inactivity }
Example: period.
 inactivity: be aged when there is
Raisecom(config-
gigaethernet1/1/1)#switchport no traffic on the interface.
port-security aging-type
inactivity
5 Raisecom(config- (Optional) enable port dynamic
gigaethernet1/1/*)#switchport security MAC learning.
port-security
6 Raisecom(config- (Optional) enable port security
gigaethernet1/1/*)#switchport MAC Trap.
port-security trap { enable |
 enable: enable port security
disable }
Example: MAC learning Trap
 disable: disable port security
Raisecom(config-
gigaethernet1/1/1)#switchport MAC learning Trap
port-security trap enable
7 Raisecom(config- (Optional) configure the period for
gigaethernet1/1/*)#switchport sending Traps on the interface.
port-security trap period value
 value: Trap interval, an integer,
Example:
Raisecom(config- ranging from 1 to 60 seconds
port-security trap period 60
The switchport port-security command can enable port security MAC and dynamic
secure MAC learning at the same time.
10.3.7 Configuring sticky secure MAC address
We do not recommend configuring sticky secure MAC addresses when port sticky
security MAC is disabled. Otherwise, port sticky security MAC may malfunction.
Configure the sticky secure MAC address for the ISCOM2600G series switch as below.


407
Raisecom

Example:
gigaethernet 1/1/1
port-security
4 Raisecom(config- Enable sticky secure MAC
gigaethernet1/1/*)#switchport learning.
port-security mac-address sticky
5 Raisecom(config- (Optional) manually configure
gigaethernet1/1/*)#switchport sticky secure MAC addresses.
mac-address vlan vlan-id
Raisecom(config-
0000.0000.0001 vlan 1
After sticky secure MAC address learning is enabled, the dynamic secure MAC
address will be converted to the sticky secure MAC address; the manually configured
sticky secure MAC address will take effect.


1 Raisecom#show port-security Show configurations of port
[ interface-type interface-number ] security MAC.
2 Raisecom#show port-security mac- Show configurations of secure
address [interface-type interface- MAC address and secure MAC
number ] address learning.
10.3.9 Maintenance

408
Raisecom
Command Description
Raisecom(config- Clear a specified type of secure MAC
gigaethernet1/1/*)#clear port- addresses on a specified interface.
security { all | configured | dynamic
 all: all secure MAC addresses
| sticky }
 configured: configured MAC
Example:
Raisecom(config- addresses
 dynamic: dynamic MAC addresses
gigaethernet1/1/1)#clear port-
 sticky: sticky MAC addresses
security all
10.3.10 Example for configuring port security MAC
As shown in Figure 10-2, the Switch connects 3 user networks. To ensure security of data
accessed from the interface, configure the Switch as below.
 GE 1/1/1 allows up to 3 users to access the network. One of specified user MAC
addresses is 0000.0000.0001. The other two users are in dynamic learning mode. The
NMS can receive Trap information once the user learns a MAC address. The violation
mode is Protect mode and the aging time of the two learning user MAC addresses is
10min.
 GE 1/1/2 allows up to 2 users to access the network. MAC addresses of the 2 users are
determined through learning; once they are learnt, they will not be aged. The violation
mode is Restrict mode.
 GE 1/1/3 allows up to 1 user to access the network. The specified user MAC address is
0000.0000.0002. Whether MAC addresses are aged can be controlled. The violation
mode is Shutdown mode.
Figure 10-2 Port security MAC networking
Configuration steps
Step 1 Configure the secure MAC address on GE 1/1/1.

409
Raisecom
Raisecom#config
Raisecom(config-gigaethernet1/1/1)#switchport port-security
Raisecom(config-gigaethernet1/1/1)#switchport port-security maximum 3
Raisecom(config-gigaethernet1/1/1)#switchport port-security mac-address
0000.0000.0001 vlan 1
Raisecom(config-gigaethernet1/1/1)#switchport port-security violation
protect
Raisecom(config-gigaethernet1/1/1)#switchport port-security trap enable
Raisecom(config-gigaethernet1/1/1)#switchport port-security trap period
10
Raisecom(config)#port-security aging-time 10
Raisecom(config)#
Step 2 Configure the secure MAC address on GE 1/1/2.

sticky
restrict
Step 3 Configure the secure MAC address for GE 1/1/3.

sticky 0000.0000.0002 vlan 1
sticky
shutdown
Checking results
Use the show port-security command to show configurations of port security MAC.
Raisecom#show port-security
Port security aging time:10 (mins)
Port security recovery time:Disable (s)
port status Max-Num Cur-Num His-MaxNum vio-
Count vio-action Dynamic-Trap Aging-Type trap-period

410
Raisecom
-------------------------------------------------------------------------
-----------------------------------------------------
gigaethernet1/1/1 Enable 3 1 1 0
protect Enable Absolute 10
restrict Disable Absolute 0
shutdown Disable Absolute 0
Use the show port-security mac-address command to show configurations and learning of
secure MAC addresses.
Raisecom#show port-security mac-address
VLAN Security-MAC-Address Flag Port Age(min)
--------------------------------------------------------------------------
1 0000.0000.0001 Security-static gigaethernet1/1/1 --
1 0000.0000.0002 sticky gigaethernet1/1/3 --
10.4 Dynamic ARP inspection

10.4.1 Introduction
Dynamic ARP inspection is used for ARP protection of unsecure interface and prevents from
responding ARP packets which do not meet the requirements, thus preventing ARP spoofing
attack on the network.
There are 2 modes for dynamic ARP inspection:
 Static binding mode: configure the binding manually.
 Dynamic binding mode: in cooperation with the DHCP snooping to generate dynamic
binding. When DHCP Snooping entry is changed, the dynamic ARP inspection will also
update dynamic binding entry synchronously.
The ARP inspection table, which is used for preventing ARP attacks, consists of DHCP
snooping entries and statically configured ARP inspection rules, including IP address, MAC
address, and VLAN binding information. In addition, the ARP inspection table associates this
information with specific interfaces. The dynamic ARP inspection binding table supports the
combination of following entries:
 Interface+IP
 Interface+IP+MAC
 Interface+IP+VLAN
 Interface+IP+MAC+VLAN
Dynamic ARP inspection interfaces are divided into the following two types according to trust
status:
 Trusted interface: the interface will stop ARP inspection, which conducts no ARP
protection on the interface. All ARP packets are allowed to pass.

411
Raisecom
 Untrusted interface: the interface takes ARP protection. Only ARP packets that match the
binding table rules are allowed to pass. Otherwise, they are discarded.
Figure 10-3 Principles of dynamic ARP inspection
Figure 10-3 shows principles of dynamic ARP inspection. When the ISCOM2600G series
switch receives an ARP packet, it compares the source IP address, source MAC address,
interface ID, and VLAN information of the ARP packet with the DHCP Snooping entry
information. If matched, it indicates that it is a legal user and the ARP packets are permitted to
pass. Otherwise, it is an ARP attack and the ARP packet is discarded.
Dynamic ARP inspection also provides rate limiting on ARP packets to prevent unauthorized
users from attacking the ISCOM2600G series switch by sending a large number of ARP
packets to the ISCOM2600G series switch.
 When the number of ARP packets received by an interface per second exceeds the
threshold, the system will determine that the interface encounters ARP attacks, and then
discard all received ARP packets to avoid ARP attacks.
 The system provides auto-recovery and supports configuring the recovery time. The
interfaces, where the number of received ARP packets is greater than the threshold, will
recover to normal Rx/Tx status automatically after the recovery time expires.
Dynamic ARP inspection can also protect the specified VLAN. After the protection VLAN is
configured, the ARP packets in specified VLAN on an untrusted interface will be protected.
Only the ARP packets, which meet binding table rules, are permitted to pass. Other packets
are discarded.
Scenario
Dynamic ARP inspection is used to prevent common ARP spoofing attacks on the network,
which isolates ARP packets from unsafe sources. Whether to trust ARP packets depend on the
trusting status of an interface while ARP packets meet requirements depends on the ARP
binding table.
Prerequisite
Enable DHCP Snooping if there is a DHCP user.

412
Raisecom
10.4.3 Default configurations of dynamic ARP inspection

Default configurations of dynamic ARP inspection are as below.

Dynamic ARP inspection interface trust status Untrusted
Dynamic ARP inspection static binding Disable
Dynamic ARP inspection dynamic binding Disable
Dynamic ARP inspection static binding table N/A
Dynamic ARP inspection protection VLAN All VLANs
Interface rate limiting on ARP packets 60 pps
Limit on the number of binding tables on the interface No limit
10.4.4 Configuring trusted interfaces of dynamic ARP inspection

Configure trusted interfaces of dynamic ARP inspection for the ISCOM2600G series switch
as below.

number
Example:
gigaethernet 1/1/1 unit/slot/port. The value range depends on
the interface type.
3 Raisecom(config- Configure the interface as a trusted
gigaethernet1/1/*)#ip arp- interface. Use the no ip arp-inspection
inspection trust trust command to configure the interface to
an untrusted interface; in other words, the
interface does not trust the ARP packet.
10.4.5 Configuring static binding of dynamic ARP inspection

Configure static binding of dynamic ARP inspection for the ISCOM2600G series switch as
below.

2 Raisecom(config)#ip Enable global static ARP binding.
arp-inspection static-
config

413
Raisecom

3 Raisecom(config)#ip Configure the static binding.
arp-inspection binding
 ip-address: bound IP address, in dotted decimal
ip-address [ ip-mask ]
[ mac-address ] [ vlan notation, such as 10.0.0.1
 ip mask: bound IP address mask, in dotted
vlan-id ] interface-
type interface-number decimal notation, such as 255.255.255.0
 mac-address: binding MAC address, in dotted
Example:
Raisecom(config)#ip hexadecimal notation, such as 000E.5E12.3456
 vlan vlan-id: binding VLAN ID, an integer,
arp-inspection binding
10.0.0.1 vlan 10 ranging from 1 to 4094
gigaethernet 1/1/1
value range depend on the interface type.
10.4.6 Configuring dynamic binding of dynamic ARP inspection
Before enabling dynamic binding of dynamic ARP inspection, you need to use the ip
dhcp snooping command to enable DHCP Snooping.
Configure dynamic binding of dynamic ARP inspection for the ISCOM2600G series switch as
below.

2 Raisecom(config)#ip arp- Enable global dynamic ARP binding.
inspection dhcp-snooping
10.4.7 Configuring protection VLAN of dynamic ARP inspection

Configure protection VLAN of dynamic ARP inspection for the ISCOM2600G series switch
as below.

2 Raisecom(config)#ip arp- Configure ARP entry conversion.
inspection binding dhcp-
 auto-update: automatically converted into
snooping { auto-update |
static } static entries
 static: converted into static entries
Example:
Raisecom(config)#ip arp-
inspection binding dhcp-
snooping auto-update

414
Raisecom

3 Raisecom(config)#ip arp- Configure the protection VLAN of dynamic
inspection vlan vlan- ARP inspection.
list
 vlan-list: protection VLAN ID list, an
Example:
Raisecom(config)#ip arp- integer, ranging from 1 to 4094. It supports
inspection vlan 1-3 specific values, such as "1,2,3"; it also
10.4.8 Configuring rate limiting on ARP packets on interface

Configure rate limiting on ARP packets on the interface for the ISCOM2600G series switch as
below.

number
Example:
3 Raisecom(config- Configure the rate limit of ARP
gigaethernet1/1/*)#ip arp- packets on the interface.
rate-limit rate rate-value
 rate-value: threshold, an integer,
Example:
Raisecom(config- ranging from 1 to 1000, in units of
gigaethernet1/1/1)#ip arp- packet/s
rate-limit rate 200
10.4.9 Configuring number of binding tables on interface

Configure the number of binding tables on the interface for the ISCOM2600G series switch as
below.

2 Raisecom(config)#interface Enter global configuration mode.
Example:

415
Raisecom

3 Raisecom(config- Configure the number of binding
gigaethernet1/1/*)#ip arp- tables on the interface, including
inspection binding-number number static binding tables and DHCP
Example: Snooping binding tables.
Raisecom(config-
 number: number of binding tables,
gigaethernet1/1/1)#ip arp-
inspection binding-number 100 an integer, ranging from 1 to 512


1 Raisecom#show ip arp-inspection Show configurations of dynamic ARP
inspection.
2 Raisecom#show ip arp-inspection Show information about the dynamic
binding [ interface-type ARP inspection binding table.
interface-number ]
3 Raisecom#show ip arp-rate-limit Show configurations of rate limiting
on ARP packets.
10.4.11 Example for configuring dynamic ARP inspection
To prevent ARP attacks, configure dynamic ARP inspection on Switch A, as shown in Figure
10-4.
 Uplink GE 1/1/3 allows all ARP packets to pass.
 Downlink GE 1/1/1 allows ARP packets with specified IP address 10.10.10.1 to pass.
 Other interfaces allow ARP packets complying with dynamic binding learnt by DHCP
Snooping to pass.
 Configure rate limiting on ARP packets on downlink GE 1/1/2. The rate threshold is
configured to 20 pps.

416
Raisecom
Figure 10-4 Configuring dynamic ARP inspection
Configuration steps
Step 1 Configure GE 1/1/3 as the trusted interface.
Raisecom#config
Raisecom(config-gigaethernet1/1/3)#ip arp-inspection trust
Step 2 Configure static binding.
Raisecom(config)#ip arp-inspection static-config

Raisecom(config)#ip arp-inspection binding 10.10.10.1 gigaethernet 1/1/1
Step 3 Enable dynamic ARP inspection binding.

Raisecom(config)#ip arp-inspection dhcp-snooping
Step 4 Configure rate limiting on ARP packets on the interface.

Raisecom(config-gigaethernet1/1/2)#ip arp-rate-limit rate 20

417
Raisecom
Checking results
Use the show ip arp-inspection command to show configurations of interface trust status and
static/dynamic ARP binding.
Raisecom#show ip arp-inspection
Static Config ARP Inspection: Enable
DHCP Snooping ARP Inspection: Enable
ARP Inspection Protect Vlan : 1-4094
Bind Rule Num : 1
Vlan Rule Num : 0
Bind Acl Num : 1
Vlan Acl Num : 0
Remained Rule Num : 511
Remained Acl Num : 511
Port Trust
----------------------------------------
gigaethernet1/1/1 no
gigaethernet1/1/3 yes
……
Use the show ip arp-inspection binding command to show information about the dynamic
ARP binding table.
Raisecom#show ip arp-inspection binding

Current Rules Num : 1
History Max Rules Num : 1
Ip Address Mask Mac Address VLAN Port Type Inhw
-------------------------------------------------------------------------
-------------------------------------------
10.10.10.1 255.255.255.255 -- -- gigaethernet1/1/1 static yes
Use the show ip arp-rate-limit command to show configurations of rate limiting on the
interface and auto-recovery time for rate limiting.
Raisecom#show ip arp-rate-limit
Port Rate(Num/Sec)
---------------------------------------------
gigaethernet1/1/1 --
gigaethernet1/1/2 20

418
Raisecom
10.5 Storm control

10.5.1 Introduction
The Layer 2 network is a broadcast domain. When an interface receives excessive broadcast,
unknown multicast, and unknown unicast packets, broadcast storm occurs. If you do not
control broadcast packets, broadcast storm may occur and occupy much network bandwidth.
Broadcast storm can degrade network performance and impact forwarding of unicast packets
or even lead to communication halt.
Restricting broadcast flow generated from network on Layer 2 device can suppress broadcast
storm and ensure common unicast forwarding normally.
Occurrence of broadcast storm

The following flows may cause broadcast flow:
 Unknown unicast packets: unicast packets of which the destination MAC is not in the
MAC address table, namely, the Destination Lookup Failure (DLF) packets. If these
packets are excessive in a period, the system floods them and broadcast storm may occur.
 Unknown multicast packets: the ISCOM2600G series switch neither supports multicast
nor has a multicast MAC address table, so it processes received multicast packets as
unknown multicast packets.
 Broadcast packets: packets of which the destination MAC is a broadcast address. If these
packets are excessive in a period, broadcast storm may occur.
Principles of storm control

Storm control allows an interface to filter broadcast packets received by the interface. After
storm control is enabled, when the number of received broadcast packets reaches the pre-
configured threshold, the interface will automatically discard the received packets. If storm
control is disabled or if the number of received broadcast packets does not reach the pre-
configured threshold, the broadcast packets are broadcasted to other interfaces of the switch
properly.
Types of storm control

Storm controls is performed in the following forms:
 Radio (bandwidth ratio): the allowed percentage of broadcast, unknown multicast, or
unknown unicast traffic to total bandwidth
 Bits Per Second (BPS): the number of bits allowed to pass per second
 Packet Per Second (PPS): the number of packets allowed to pass per second
The ISCOM2600G series switch supports BPS and PPS storm control.

419
Raisecom
Scenario
Configuring storm control on Layer 2 devices can prevent broadcast storm from occurring
when broadcast packets increase sharply on the network. In this case, normal packets can be
properly forwarded.
Prerequisite
N/A
10.5.3 Default configurations of storm control

Default configurations of storm control are as below.

Broadcast storm control Enable
Storm control detection Disable
Storm control mode pps
Number of allowed storm packets per second, namely, PPS 1024
DLF packet forwarding Enable
Action for storm control on the interface Discarding packets
Restoration period of the interface 300s
Strom control Trap Disable
10.5.4 Configuring storm control over interface
Storm control and VLAN-based rate limiting are exclusive. We do not recommend
enabling them on the same interface concurrently.
Configure storm control for the ISCOM2600G series switch as below.

2 Raisecom(config)#storm- Enable or disable storm control
control detection { enable | detection.
disable }
 enable: enable storm control
Example:
Raisecom(config)#storm- detection.
 disable: disable storm control
control detection enable
detection.

420
Raisecom

number configuration mode.
Example:
gigaethernet 1/1/1
port-channel 1
4 Raisecom(config- Enable storm control on the physical
gigaethernet1/1/*)#storm- interface or LAG, and configure the
control { broadcast | storm control threshold.
unknown-multicast | dlf |
 broadcast: execute storm control over
all } { bps value [ burst
value ] | pps value } broadcast traffic.
 unknown-multicast: execute storm
channel*)#storm-control control over unknown multicast
{ broadcast | unknown- traffic.
 dlf: execute storm control over
multicast | dlf | all } { bps
value [ burst value ] | pps unknown unicast traffic.
 all: control the traffic of the
value }
Example: broadcast, the unknown multicast,
Raisecom(config- and the unknown unicast.
 pps value: the number of packets
gigaethernet1/1/1)#storm-
control broadcast bps 1024 allowed to pass per second, an
integer, ranging from 1 to 262143, in
units of pcs
 bps value: packet rate allowed to pass
per second, an integer, ranging from 0

to 100000 in step of 64, in units of
bit/s
 burst value: burst packet rate, an

units of Kbyte/s
5 Raisecom(config- Configure the action for storm control
gigaethernet1/1/*)#storm- on the interface.
control action { shutdown |
 shutdown: shut down the interface.
drop }
 drop: discard packets.
Example:
Raisecom(config-
control action shutdown
6 Raisecom(config- Configure the restoration period of the
gigaethernet1/1/*)#storm- shutdown interface.
control interval second
 interval: restoration interval of the
interval
Example: interface, an integer, ranging from 1
Raisecom(config- to 9000, in units of second
control interval second 10

421
Raisecom

7 Raisecom(config- Enable or disable storm control Trap.
gigaethernet1/1/*)#storm-
 enable: enable storm control Trap on
control trap { enable |
disable } the interface.
 disable: disable storm control Trap on
Example:
Raisecom(config- the interface.
control trap enable
 Storm control supports only one rate limiting mode at a time. When you change
the rate limiting mode of one type of packets, the ISCOM2600G series switch will
prompt you that the change of the rate limiting mode will cause the mode of other
two types of packets to change to the same mode.
 If you configure storm control on the LAG, you cannot configure storm control on
the interface; otherwise the later configuration will not take effect.
10.5.5 Configuring DLF packet forwarding

Configure DLF packet forwarding for the ISCOM2600G series switch as below.

2 Raisecom(config)#dlf- Enable or disable DLF packet forwarding
forwarding { enable | on an interface.
disable }
 enable: enable DLF packet forwarding.
Example:
 disable: disable DLF packet forwarding.
Raisecom(config)#dlf-
forwarding enable


1 Raisecom#show storm-control interface Show configurations
[ interface-type interface-number ] of storm control.
2 Raisecom#show dlf-forwarding Show DLF packet
forwarding status.
3 Raisecom#show storm-control status Show storm control
interface [ interface-type interface- status.
number ]

422
Raisecom
10.5.7 Example for configuring storm control
As shown in Figure 10-5, when GE 1/1/1 and GE 1/1/2 on the Switch receive excessive
unknown unicast packets or broadcast packets, the Switch forwards these packets to all
interfaces except the Rx interface, which may cause broadcast storm and lower forwarding
performance of the Switch.
To restrict impacts on Switch A caused by broadcast storm, you need to configure storm
control on Switch A to control broadcast packets from user networks 1 and 2, with the
threshold of 640 pps.
Figure 10-5 Storm control networking
Configuration steps
Enable storm control, and configure the threshold for storm control.

Raisecom(config-gigaethernet1/1/1)#storm-control broadcast bps 640
Raisecom(config-gigaethernet1/1/2)#storm-control broadcast bps 640
Checking results
Use the show storm-control command to show configurations of storm control.
Raisecom#show storm-control interface

Interface Packet-Type Pps(pps) Bps(Kbps)
------------------------------------------------------------------------
GE1/1/1 Broadcast -- 640
Multicast -- 0
Dlf -- 0
GE1/1/2 Broadcast -- 640

423
Raisecom
Multicast -- 0
Dlf -- 0
10.6 802.1x
10.6.1 Introduction
802.1x, based on IEEE 802.1x, is a VLAN-based network access control technology. It is
used to solve authentication and security problems for LAN users.
It is used to authenticate and control access devices at the physical later of the network device.
It defines a point-to-point connection mode between the device interface and user devices.
User devices, connected to the interface, can access resources in the LAN if they are
authenticated. Otherwise, they cannot access resources in the LAN through the switch.
802.1x structure
As shown in Figure 10-6, 802.1x authentication uses Client/Server mode, including the
following 3 parts:
 Supplicant: a user-side device installed with the 802.1x client software (such as Windows
XP 802.1x client), such as a PC
 Authenticator: an access control device supporting 802.1x authentication, such as a
switch
 Authentication Server: a device used for authenticating, authorizing, and accounting
users. Generally, the RADIUS server is taken as the 802.1x authentication server.
Figure 10-6 802.1x structure
Interface access control modes

The authenticator uses the authentication server to authenticate clients that need to access the
LAN and controls interface authorized/ unauthorized status through the authentication results.
You can control the access status of an interface by configuring access control modes on the
interface. 802.1x authentication supports the following 3 interface access control modes:
 Protocol authorized mode (auto): the protocol state machine determines the authorization
and authentication results. Before clients are successfully authenticated, only EAPoL
packets are allowed to be received and sent. Users are disallowed to access network
resources and services provided by the switch. If clients are authorized, the interface is
switched to the authorized state, allowing users to access network resources and services
provided by the switch.

424
Raisecom
 Force interface authorized mode (authorized-force): the interface is in authorized state,

allowing users to access network resources and services provided by the switch without
being authorized and authenticated.
 Force interface unauthorized mode (unauthorized-force): the interface is in unauthorized
mode. Users are disallowed to access network resources and services provided by the
switch; in other words, users are disallowed to be authenticated.
802.1x authentication procedure

The 802.1x system supports the authentication process between the supplicant and the
RADIUS server through EAP relay and EAP termination.
 EAP relay
The supplicant and the authentication server exchange information through the Extensible
Authentication Protocol (EAP) packet while the supplicant and the authenticator exchange
information through the EAP over LAN (EAPoL) packets. The EAP packet is encapsulated
with authentication data. This authentication data will be encapsulated into the RADIUS
packet to be transmitted to the authentication server through a complex network. This
procedure is called EAP relay.
Both the authenticator and the suppliant can initiate the 802.1x authentication procedure. This
document takes the suppliant for example, as shown below:
Step 1 The user enters the user name and password. The supplicant sends an EAPoL-Start packet to
the authenticator to start the 802.1x authentication.
Step 2 The authenticator sends an EAP-Request/Identity to the suppliant, asking the user name of the
suppliant.
Step 3 The suppliant replies an EAP-Response/Identity packet to the authenticator, which includes
the user name.
Step 4 The authenticator encapsulates the EAP-Response/Identity packet to the RADIUS packet and
sends the RADIUS packet to the authentication server.
Step 5 The authentication server compares the received user name with the one in the database, finds
the password for the user, and encrypts the password with a randomly-generated encryption
word. Meanwhile it sends the encryption word to the authenticator who then sends the
encryption word to the suppliant.
Step 6 The suppliant encrypts the password with the received encryption password, and sends the
encrypted password to the authentication server.
Step 7 The authentication server compares the received encrypted password with the one generated
by itself. If identical, the authenticator modifies the interface state to authorized state,
allowing users to access the network through the interface and sends an EAP-Success packet
to the suppliant. Otherwise, the interface is in unauthorized state and sends an EAP-Failure
packet to the suppliant.
 EAP termination
Terminate the EAP packet at the device and map it to the RADIUS packet. Use standard
RADIUS protocol to finish the authorization, authentication, and accounting procedure. The
device and RADIUS server adopt Password Authentication Protocol (PAP)/Challenge
Handshake Authentication Protocol (CHAP) to perform authentication.

425
Raisecom
In the EAP termination mode, the random encryption character, used for encrypting the
password, is generated by the device. And then the device sends the user name, random
encryption character, and encrypted password to the RADIUS server for authentication.
802.1x timers
802.1x authentication involves the following 5 timers:
 Reauth-period: re-authorization t timer. After the period is exceeded, the ISCOM2600G
series switch re-initiates authorization.
 Quiet-period: quiet timer. When user authorization fails, the ISCOM2600G series switch
needs to keep quiet for a period. After the period is exceeded, the ISCOM2600G series
switch re-initiates authorization. During the quiet time, the ISCOM2600G series switch
does not process authorization packets.
 Tx-period: transmission timeout timer. When the ISCOM2600G series switch sends a
Request/Identity packet to users, the ISCOM2600G series switch will initiate the timer.
If users do not send an authorization response packet during the tx-period, the
ISCOM2600G series switch will re-send an authorization request packet. The
ISCOM2600G series switch sends this packet three times in total.
 supp-timeout: Supplicant authorization timeout timer. When the ISCOM2600G series
switch sends a Request/Challenge packet to users, the ISCOM2600G series switch will
initiate supp-timeout timer. If users do not send an authorization response packet during
the supp-timeout, the ISCOM2600G series switch will re-send the Request/Challenge
packet. The ISCOM2600G series switch sends this packet twice in total.
 Server-timeout: authentication server timeout timer. The timer defines the total timeout
of sessions between the authorizer and RADIUS server. When the configured time
expires, the authenticator will end the session with the RADIUS server and start a new
authorization process.
10.6.2 Preparing for configruations
Scenario
To realize access authentication on LAN users and ensure access user security, you need to
configure 802.1x authentication on the ISCOM2600G series switch.
If users are authenticated, they are allowed to access network resources. Otherwise, they
cannot access network resources. By performing authentication control on user access
interface, you can manage the users.
Prerequisite
If RADIUS authentication server is used, you need to perform following operations before
configuring 802.1x authentication:
 Configure the IP address of the RADIUS server and the RADIUS shared key.
 The ISCOM2600G series switch can ping through the RADIUS server successfully.
10.6.3 Default configurations of 802.1x

Default configurations of 802.1x are as below.

426
Raisecom

Global 802.1x Disable
Interface 802.1x Disable
Global authentication mode Chap
Interface access control mode Auto
Authentication method Portbased
RADIUS server expiration timer 5s
Re-authentication Disable
802.1x re-authentication timer 3600s
802.1x quiet timer 60s
Transmission timeout timer 30s
Supplicant authorization timeout timer 30s
Maximum number of users 512
10.6.4 Configuring basic functions of 802.1x
 802.1x and STP are exclusive on the same interface. You cannot enable them
concurrently.
 Only one user authentication request is processed on an interface at a time.
Configure basic functions of 802.1x for the ISCOM2600G series switch as below.

2 Raisecom(config)#dot1x Enable or disable global 802.1x.
 enable: enable global 802.1x.
Example:
 disable: disable global 802.1x.
Raisecom(config)#dot1x
enable

427
Raisecom

3 Raisecom(config)#dot1x Configure global authentication mode.
authentication-method
 chap: three-way handshaking protocol that
{ chap | pap | eap }
Example: only transmits user name through the
Raisecom(config)#dot1x network. It does not transmit password
authentication-method chap during authentication and thus is more
secure and reliable.
 pap: two-way handshaking protocol that
transmits the password in clear text

 eap: the switch will directly send
authorization information of 802.1x users

to the RADIUS server in form of EAP
packets without converting them into
standard RADIUS packets. To configure
this mode, the RADIUS server must
support EAP.
4 Raisecom(config)#dot1x Configure the mode of 802.1x
auth-mode { radius | local authentication.
| tacacs+ }
 radius: configure the 802.1x
Example:
Raisecom(config)#dot1x authentication mode to RADIUS server
auth-mode local authentication.
 local: configure the 802.1x authentication
mode to local authentication.

 tacacs+: configure the 802.1x
authentication mode to TACACS+ server

authentication.
5 Raisecom(config)#dot1x Configure the IP address segment available
free-ip ip-address [ ip- for 802.1x terminal users who fail to be
mask | mask-length ] authenticated or exit authentication.
Example:
 ip-address: IP address segment that is free
Raisecom(config)#dot1x
free-ip 10.1.1.0 24 of authentication, in dotted decimal
 ip-mask: mask address, in dotted decimal

 mask-length: mask length, an integer,
number
Example:
gigaethernet 1/1/1 unit/slot/port. The value range depends on
the interface type.
7 Raisecom(config- Enable or disable interface 802.1x.
gigaethernet1/1/*)#dot1x
 enable: enable interface 802.1x.
 disable: enable interface 802.1x.
Example:
Raisecom(config-
gigaethernet1/1/1)#dot1x
enable

428
Raisecom

8 Raisecom(config- Configure access control mode on the
gigaethernet1/1/*)#dot1x interface.
auth-control { auto |
 authorized-force: forced-authorized mode.
authorized-force |
unauthorized-force } The interface is in authorized status. Users
Example: can access the network without
Raisecom(config- authentication.
 unauthorized-force: forced-unauthorized
auth-control authorized- mode. The interface is in unauthorized
force status. User authentication is not allowed.
Users cannot access the network.
 auto: automatic-recognition mode. User
authentication is allowed. The user can

access the network once being
authenticated.
9 Raisecom(config- Configure access control mode of 802.1x
gigaethernet1/1/*)#dot1x authentication on the interface.
auth-method { portbased |
 macbased: MAC-based mode. Users
macbased }
Example: cannot access the network through one
Raisecom(config- account on the same interface. Only the
gigaethernet1/1/1)#dot1x last user authenticated by the interface can
auth-method macbased access the network.
 portbased: port-based mode. Users can
access the network without authentication

as long as the first user on the interface is
successfully authenticated.
10 Raisecom(config- Enable or disable 802.1x handshake on the
gigaethernet1/1/*)#dot1x interface.
keepalive { enable |
 keepalive: interface handshake
disable }
 enable: enable 802.1x handshake.
Example:
 disable: disable 802.1x handshake.
Raisecom(config-
keepalive disable
11 Raisecom(config- Configure the maximum number of users
gigaethernet1/1/*)#dot1x allowed to be authenticated by the 802.1x
max-user user-number interface.
Example:
 user-number: maximum number of users,
Raisecom(config-
gigaethernet1/1/1)#dot1x an integer, ranging from 1 to 400
max-user 100
12 Raisecom(config- Configure the 802.1x Guest VLAN of the
gigaethernet1/1/*)#dot1x specified interface.
guest-vlan vlan-id
 vlan-id: Guest VLAN ID, an integer,
Example:
guest-vlan 1

429
Raisecom

13 Raisecom(config- Configure authentication-free for voice
gigaethernet1/1/*)#dot1x terminals on the specified interface.
auth-free voice-vlan
Example:
Raisecom(config-
auth-free voice-vlan
If 802.1x is disabled in global/interface configuration mode, the interface access

control mode of 802.1x is configured to force interface authorized mode.
10.6.5 Configuring 802.1x re-authentication
Re-authentication is initiated for authorized users. Before enabling re-authentication,

you must ensure that global/interface 802.1x is enabled. Authorized interfaces are
still in this mode during re-authentication. If re-authentication fails, the interfaces are
in unauthorized state.
Configure 802.1x re-authentication for the ISCOM2600G series switch as below.

number
Example:
3 Raisecom(config- Enable or disable 802.1x re-
gigaethernet1/1/*)#dot1x authentication.
reauthentication { enable |
 enable: enable 802.1x re-
disable }
Raisecom(config- authentication.
 disable: disable 802.1x re-
reauthentication enable authentication.
10.6.6 Configuring 802.1x timers

Configure 802.1x timers for the ISCOM2600G series switch as below.


430
Raisecom

Example:
gigaethernet 1/1/1
3 Raisecom(config- Configure the time of the re-
gigaethernet1/1/*)#dot1x timer authentication timer.
reauth-period second
 second: time of the re-
Example:
Raisecom(config- authentication timer, an integer,
gigaethernet1/1/1)#dot1x timer ranging from 1 to 65535, in units
reauth-period 1000 of second
4 Raisecom(config- Configure the time of the quiet
gigaethernet1/1/*)#dot1x timer timer.
quiet-period second
 second: time of the quiet timer, an
Example:
Raisecom(config- integer, ranging from 1 to 120, in
gigaethernet1/1/1)#dot1x timer units of second
quiet-period 100
5 Raisecom(config- Configure the time of the supplicant
gigaethernet1/1/*)#dot1x timer authorization timeout timer.
supp-timeout second
 second: time of the supplicant
Example:
Raisecom(config- authorization timeout timer, an
gigaethernet1/1/1)#dot1x timer integer, ranging from 1 to 120, in
supp-timeout 100 units of second
6 Raisecom(config- Configure the period for sending
gigaethernet1/1/*)#dot1x timer Request/Identity packets, namely,
tx-period second the packet retransmission period.
Example:
 Second: timer time, an integer,
Raisecom(config-
gigaethernet1/1/1)#dot1x timer ranging from 10 to 120, in units of
tx-period 100 second
7 Raisecom(config- Configure the time of the
gigaethernet1/1/*)#dot1x timer authentication server timeout timer.
server-timeout second
 second: time of the authorization
Example:
Raisecom(config- server timeout timer, an integer,
gigaethernet1/1/1)#dot1x timer ranging from 3 to 300, in units of
server-timeout 200 second
8 Raisecom(config- Configure the period for
gigaethernet1/1/*)#dot1x timer retransmitting KeepAlive packets by
keepalive-period second interface 802.1x.
Example:
 second: period for retransmitting
Raisecom(config-
gigaethernet1/1/1)#dot1x timer KeepAlive packets, an integer,
keepalive-period 30 ranging from 1 to 65535, in units
of second

431
Raisecom


1 Raisecom#show dot1x interface- Show 802.1x configurations on the
type interface-number interface.
2 Raisecom#show dot1x interface- Show 802.1x statistics on the
type interface-number interface.
statistics
3 Raisecom#show dot1x interface- Show user information of 802.1x
type interface-number user authentication on the interface.
4 Raisecom#show dot1x free-ip Configure the IP address segment
available for 802.1x terminal users
who fail to be authenticated or exit
authentication.
10.6.8 Maintenance
Command Description
Raisecom(config)#clear dot1x interface- Clear interface 802.1x statistics.
type interface-number statistics
Example:
Raisecom(config)#clear dot1x
gigaethernet 1/1/1 statistics unit/slot/port. The value range
10.6.9 Example for configuring 802.1x
As shown in Figure 10-7, the network administrator configures 802.1x to control the PC to
access the Internet.
 For the switch: the IP address is 10.10.0.1, the mask is 255.255.0.0, and default gateway
is 10.10.0.2.
 The RADIUS server works to authenticate and authorize PCs. Its IP address is
192.168.0.1, and the password is raisecom.
 The interface control mode is auto.
 After the PC passes authentication, the Switch will start reauthentication every 600s.

432
Raisecom
Figure 10-7 Dot1x networking
Configuration steps
Step 1 Configure the IP addresses of the Switch and RADIUS server.
Raisecom#config
Raisecom(config)#ip route 0.0.0.0 0.0.0.0 10.10.0.2
Raisecom(config)#exit
Raisecom#radius 192.168.0.1
Raisecom#radius-key raisecom
Step 2 Enable global 802.1x and interface 802.1x.
Raisecom#config
Raisecom(config)#dot1x enable
Raisecom(config-gigaethernet1/1/1)#dot1x enable
Step 3 (Optional) configure interface authorization mode to auto. By default, authentication is

required and thus does not need to be configured.
Raisecom(config-gigaethernet1/1/1)#dot1x auth-control auto
Step 4 Enable reauthentication, and configure the timer to 600s.
Raisecom(config-gigaethernet1/1/1)#dot1x reauthentication enable

Raisecom(config-gigaethernet1/1/1)#dot1x timer reauth-period 600

433
Raisecom
Checking results
Use the show dot1x command to show 802.1x configurations on the interface.
Raisecom#show dot1x gigaethernet 1/1/1

802.1x Global Admin State: enable
802.1x Authentication Method: chap
802.1x Authentication Mode: radius
802.1x allowed max user number: 512
--------------------------------------------------------
Port gigaethernet1/1/1
--------------------------------------------------------
802.1X Port Admin State: Enable
PAE: Authenticator
PortMethod: Portbased
PortControl: Auto
ReAuthentication: Enable
KeepAlive: Enable
QuietPeriod: 60(s)
ServerTimeout: 5(s)
SuppTimeout: 30(s)
ReAuthPeriod: 600(s)
TxPeriod: 30(s)
KeepalivePeriod: 60(s)
MaxUserNum: 512
GuestVlanID: 0
AuthFree Protocol: None
10.7 IP Source Guard

10.7.1 Introduction
IP Source Guard uses a binding table to defend against IP Source spoofing and solve IP
address embezzlement without identity authentication. IP Source Guard can cooperate with
DHCP Snooping to generate dynamic binding. In addition, you can configure static binding
manually. DHCP Snooping filters untrusted DHCP packets by establishing and maintaining
the DHCP binding database.
IP Source Guard binding entry

IP Source Guard is used to match packet characteristics, including source IP address, source
MAC address, and VLAN tags, and can support the interface to be combined with the
following characteristics (hereinafter referred to as binding entries):
 Interface+IP
 Interface+IP+MAC
 Interface+IP+VLAN
 Interface+IP+MAC+VLAN

434
Raisecom
According to the generation mode of binding entries, IP Source Guard can be divided into
static binding and dynamic binding:
 Static binding: configure binding information manually and generate binding entry to
complete the interface control, which fits for the case where the number of hosts is small
or where you need to perform separate binding on a single host.
 Dynamic binding: obtain binding information automatically from DHCP Snooping to
complete the interface control, which fits for the case where there are many hosts and
you need to adopt DHCP to perform dynamic host configurations. Dynamic binding can
effectively prevent IP address conflict and embezzlement.
Principles of IP Source Guard

Principles of IP Source Guard are to create an IP source binding table within the
ISCOM2600G series switch. The IP source binding table is taken as the basis for each
interface to test received data packets. Figure 10-8 shows principles of IP Source Guard.
 If the received IP packets meet the relationship of Port/IP/MAC/VLAN binding entries
in IP source binding table, forward these packets.
 If the received IP packets are DHCP data packets, forward these packets.
 Otherwise, discard these packets.
Figure 10-8 Principles of IP Source Guard
Before forwarding IP packets, the ISCOM2600G series switch compares the source IP address,
source MAC address, interface ID, and VLAN ID of the IP packets with the binding table. If
the information matches, it indicates that the user is legal and the packets are permitted to
forward normally. Otherwise, the user is an attacker and the IP packets are discarded.
Scenario
There are often some IP source spoofing attacks on the network. For example, the attacker
forges legal users to send IP packets to the server, or the attacker forges the source IP address
of another user to communicate. This prevents legal users from accessing network services
normally.

435
Raisecom
With IP Source Guard binding, you can filter and control packets forwarded by the interface,
prevent the illegal packets from passing through the interface, thus to restrict the illegal use of
network resources and improve the interface security.
Prerequisite
Enable DHCP Snooping if there are DHCP users.
10.7.3 Default configurations of IP Source Guard

Default configurations of IP Source Guard are as below.

IP Source Guard static binding Disable
IP Source Guard dynamic binding Disable
Interface trust status Untrusted
10.7.4 Configuring interface trust status of IP Source Guard

Configure the interface trust status of IP Source Guard for the ISCOM2600G series switch as
below.

ce interface-type
interface-number
Example:
Raisecom(config)#interfa The value range depends on the interface type.
3 Raisecom(config- (Optional) configure the interface to a trusted
gigaethernet1/1/*)#ip interface.
verify source trust
Use the no ip verify source trust command to
configure the interface as an untrusted interface.
In this case, all packets, except DHCP packets
and IP packets that meet binding relation, are
not forwarded. When the interface is in trusted
status, all packets are forwarded normally.
4 Raisecom(config- (Optional) configure the IPv6 interface to
gigaethernet1/1/*)#ipv6 trusted status.
verify source trust

436
Raisecom
10.7.5 Configuring IP Source Guard binding
Configuring IP Source Guard static binding

Configure IP Source Guard static binding for the ISCOM2600G series switch as below.

2 Raisecom(config)#ip Enable IP Source Guard static binding.
verify source
3 Raisecom(config)#ip Configure static binding.
source binding ip-
address [ ip-mask-
address |] [ mac-address notation, such as 10.0.0.1
 ip-mask-address: IP address mask, in dotted
|] [ vlan vlan-id }]
interface-type decimal notation, such as 255.0.0.0
interface-number
Example: hexadecimal notation, such as
Raisecom(config)#ip 000E.5E12.3456
source binding 1.2.3.4
gigaethernet 1/1/1 to 4094
value range depend on the interface type.

4 Raisecom(config)#ipv6 Enable IPv6 static binding.
verify source
5 Raisecom(config)#ipv6 Configure IPv6 static binding.
source binding ipv6-
address [ mac-address |]
[ vlan vlan-id ] hexadecimal notation, such as 3001::1
 mac-address: MAC address, in colon
interface-type
interface-number hexadecimal notation, such as
Raisecom(config)#ipv6 000E.5E12.3456
source binding prefix
ipv6-address/prefix- to 4094
length [ mac-address ]
[ vlan vlan-id ]
interface-type value range depend on the interface type.
 static-all: all existing static binding entries
interface-number
 prefix ipv6-address/prefix-length: IPv6
Example:
Raisecom(config)#ipv6 address with a prefix, such as 1:123::0:1/96
source binding 3001::1
gigaethernet 1/1/1
 The configured static binding does not take effect when global static binding is
disabled. Only when global static binding is enabled can the static binding take
effect.
 For an identical IP address, the manually configured static binding will cover the
dynamic binding. However, it cannot cover the existing static binding. When the

437
Raisecom
static binding is deleted, the system will recover the covered dynamic binding
automatically.
Configuring IP Source Guard dynamic binding

Configure IP Source Guard dynamic binding for the ISCOM2600G series switch as below.

2 Raisecom(config)#ip verify Enable IP Source Guard dynamic binding.
source dhcp
3 Raisecom(config)#ipv6 verify Enable IPv6 Source Guard dynamic
source dhcp-snooping binding.
 The dynamic binding learnt through DHCP Snooping does not take effect when
global dynamic binding is disabled. Only when global dynamic binding is enabled
can the dynamic binding take effect.
 If an IP address exists in the static binding table, the dynamic binding does not
take effect. In addition, it cannot cover the existing static binding.
Configuring binding translation

Configure binding translation for the ISCOM2600G series switch as below.

2 Raisecom(config)#ip verify Enable IP Source Guard dynamic binding.
source dhcp
3 Raisecom(config)#ip source Translate the dynamic binding to the static
binding dhcp static binding.
4 Raisecom(config)#ip source (Optional) enable auto-translation. After it is
binding auto-update enabled, dynamic binding entries learned
through DHCP Snooping are directly
translated into static binding entries.
10.7.6 Configuring priority and rate limit of IP source guard

Configure the priority and rate limit of IP source guard for the ISCOM2600G series switch as
below.


438
Raisecom

2 Raisecom(config)#ip Configure the priority and rate limit of IP source
verify source guard.
[ ip-address ip-
 ip-address: source IP address of the data packet, in
mask ] set-cos
cos-value [ rate- dotted decimal notation, such as 10.0.0.1
 ip-mask: mask of the source IP address of the data
limit rate-value
burst-value ] packet, in dotted decimal notation, such as 255.0.0.0
 cos-value: CoS priority, an integer, ranging from 0 to
Example:
Raisecom(config)#ip 7
 rate-value: rate limit, an integer, ranging from 1 to
verify source set-
cos 1 1048576, in units of Kbps
 burst-value: burst value, an integer, ranging from 1
to 2048, in units of Kbyte


1 Raisecom#show ip verify Show global binding status and interface
source trusted status.
2 Raisecom#show ip source Show configurations of IP Source Guard
binding [ interface-type binding, interface trusted status, and
interface-number ] binding table.
3 Raisecom#show ip verify Show priority configurations.
source set-cos
4 Raisecom#show ipv6 source Show binding information about IPv6
binding [ interface-type Source Guard.
interface-number ]
5 Raisecom#show ipv6 verify Show the IPv6 global binding status and
source interface trusted status.
10.7.8 Example for configuring IP Source Guard
As shown in Figure 10-9, to prevent IP address embezzlement, you need to configure IP
Source Guard on the Switch.
 The Switch permits all IP packets on GE 1/1/1 to pass.
 GE 1/1/2 permits those IP packets to pass, of which the IP address is 10.10.10.1, the
subnet mask is 255.255.255.0, and the status meets the dynamic binding learnt by DHCP
Snooping.
 Other interfaces only permit the packets meeting DHCP Snooping learnt dynamic
binding to pass.

439
Raisecom
Figure 10-9 Configuring IP Source Guard
Configuration steps
Step 1 Configure GE 1/1/1 to the trusted interface.
Raisecom#config
Raisecom(config-gigaethernet1/1/1)#ip verify source trust
Step 2 Configure static binding.
Raisecom(config)#ip verify source

Raisecom(config)#ip source binding 10.10.10.1 gigaethernet 1/1/2
Step 3 Enable global dynamic IP Source Guard binding.
Raisecom(config)#ip verify source dhcp
Checking results
Use the show ip source binding command to show configurations of the static binding table.
Raisecom#show ip source binding

440
Raisecom
History Max Entry Num: 1

Current Entry Num: 1
Ip Address Mask Mac Address VLAN Port
Type Inhw
-------------------------------------------------------------------------
----------------------------------------------
10.10.10.1 255.255.255.255 -- --
gigaethernet1/1/2 static yes
Use the show ip verify source command to show interface trusting status and configurations
of IP Source Guard static/dynamic binding.
Raisecom#show ip verify source

Static Bind: Enable
Dhcp Bind: Enable
Port Trust
----------------------------------------
gigaethernet1/1/1 yes
……
10.8 PPPoE+
10.8.1 Introduction
PPPoE Intermediate Agent (PPPoE+) is used to process authentication packets. PPPoE+ adds
more information about access devices into the authentication packet to bind account and
access device so that the account is not shared and stolen, and the carrier's and users' interests
are protected. This provides the server with enough information to identify users, avoiding
account sharing and theft and ensuring the network security.
In PPPoE dial-up mode, you can access the network through various interfaces on the device
as long as authentication by the authentication server is successful.
However, the server cannot accurately differentiate users just by the authentication
information, which contains the user name and password. With PPPoE+, besides the user
name and the password, other information, such as the interface ID, is included in the
authentication packet for authentication. If the interface ID identified by the authentication
server cannot match with the configured one, authentication will fail. This helps prevent
illegal users from stealing accounts of other legal users for accessing the network.

441
Raisecom
The PPPoE protocol adopts Client/Server mode, as shown in Figure 10-10. The Switch acts as
a relay agent. Users access the network through PPPoE authentication. If the PPPoE server
needs to locate users, more information should be contained in the authentication packet.
Figure 10-10 Accessing the network through PPPoE authentication
To access the network through PPPoE authentication, you need to pass through the following
2 stages: discovery stage (authentication stage) and session stage. PPPoE+ is used to process
packets at the discovery stage. The following steps show the whole discovery stage.
Step 1 To access the network through PPPoE authentication, the client sends a broadcast packet
PPPoE Active Discovery Initiation (PADI). This packet is used to query the authentication
server.
Step 2 After receiving the PADI packet, the authentication server replies a unicast packet PPPoE
Active Discovery Offer (PADO).
Step 3 If multiple authentication servers reply PADO packets, the client selects one from them and
then sends a unicast PPPoE Active Discovery Request (PADR) to the authentication server.
Step 4 After receiving the PADR packet, if the authentication server believes that the user is legal, it
sends a unicast packet PPPoE Active Discovery Session-confirmation (PADS) to the client.
PPPoE is used to add user identification information in to PADI and PADR. Therefore, the
server can identify whether the user identification information is identical to the user account
for assigning resources.
Scenario
To prevent illegal client access during PPPoE authentication, you need to configure PPPoE+
to add additional user identification information in PPPoE packets for network security.
Because the added user identification information is related to the specified switch and
interface, the authentication server can bind the user with the switch and interface to
effectively prevent account sharing and theft. In addition, this helps users enhance network
security.
Prerequisite
N/A

442
Raisecom
10.8.3 Default configurations of PPPoE+

Default configurations of I PPPoE+ are as below.

Global PPPoE Disable
Interface PPPoE Disable
Padding mode of Circuit ID Switch
Circuit ID information Interface ID/VLAN ID/attached string
Attached string of Circuit ID hostname
Padded MAC address of Remote ID MAC address of the switch
Padding mode of Remote ID Binary
Interface trusted status Untrusted
Tag overriding Disable
By default, PPPoE packets are forwarded without being attached with any
information.
10.8.4 Configuring basic functions of PPPoE+
PPPoE+ is used to process PADI and PADR packets. It is designed for the PPPoE
client. Generally, PPPoE+ is only enabled on interfaces that are connected to the
PPPoE client. Trusted interfaces are interfaces through which the switch is connected
to the PPPoE server. PPPoE+ and trusted interface are exclusive; in other words, an
interface enabled with PPPoE+ cannot be configured as a trusted interface.
Enabling PPPoE+
After global PPPoE+ and interface PPPoE+ is enabled, PPPoE authentication packets sent to
the interface will be attached with user information and then are forwarded to the trusted
interface.
Enable PPPoE+ for the ISCOM2600G series switch as below.

2 Raisecom(config)#pppoeagent Enable or disable global PPPoE+.
Example:
Raisecom(config)#pppoeagent enable

443
Raisecom

Example:
gigaethernet 1/1/1
4 Raisecom(config- Enable or disable interface
gigaethernet1/1/*)#pppoeagent PPPoE+.
 enable: enable PPPoE+.
Example:
 disable: disable PPPoE+.
Raisecom(config-
gigaethernet1/1/1)#pppoeagent
enable
Configuring PPPoE trusted interface

The PPPoE trusted interface can be used to prevent PPPoE server from being cheated and
avoid security problems because PPPoE packets are forwarded to other non-service interfaces.
Generally, the interface connected to the PPPoE server is configured to the trusted interface.
PPPoE packets from the PPPoE client to the PPPoE server are forwarded by the trusted
interface only. In addition, only PPPoE received from the trusted interface can be forwarded
to the PPPoE client.
Configure the PPPoE trusted interface for the ISCOM2600G series switch as below.

Example:
gigaethernet 1/1/1
3 Raisecom(config- Configure the PPPoE trusted
gigaethernet1/1/*)#pppoeagent interface.
trust
Because PPPoE+ is designed for the PPPoE client instead of the PPPoE server,
downlink interfaces of the device cannot receive the PADO and PADS packets. It
means that interfaces, where PPPoE+ is enabled, should not receive PADO and
PADS packet. If there interfaces receive these packets, it indicates that there are
error packets and the packets should be discarded. However, these interfaces can
forward PADO and PADS packets of trusted packet. In addition, PADI and PADR
packets are forwarded to the trusted interface only.

444
Raisecom
10.8.5 Configuring PPPoE+ packet information

PPPoE is used to process a specified Tag in PPPoE packets. This Tag contains Circuit ID and
Remote ID.
 Circuit ID: is padded with the VLAN ID, interface ID, and host name of request packets
at the RX client.
 Remote ID: is padded with the MAC address of the client or the switch.
Configuring Circuit ID
The Circuit ID has 2 padding modes: Switch mode and ONU mode. By default, Switch mode
is adopted. In ONU mode, the Circuit ID has a fixed format. The following commands are
used to configure the padding contents of the Circuit ID in Switch mode.
In switch mode, the Circuit ID supports 2 padding modes:
 Default mode: when customized Circuit ID is not configured, the padding content is the
VLAN ID, interface ID, or the attached string. If the attached string is not defined, it is
configured to hostname by default.
 Customized mode: when customized Circuit ID is configured, the padding content is the
Circuit ID string.
Configure Circuit ID for the ISCOM2600G series switch as below.

2 Raisecom(config)#pppoeagent Configure the attached string of
circuit-id { attach-string | Circuit ID.
format | hex } string
 attach-string: any fixed string
Example:
 format: variable parameters
Raisecom(config)#pppoeagent
 hex: hexadecimal notion
circuit-id attach-string user01
 string: attached string, with the
length ranging from 1 to 55 bytes. If

the string contains spacing, bracket
the string in double-quotes.
Example:
gigaethernet 1/1/1
4 Raisecom(config- (Optional) configure the Circuit ID to
gigaethernet1/1/*)#pppoeagent the customized string.
circuit-id string
Example: string: content of the circuit ID, a
Raisecom(config- string 1 to 63 characters. If the circuit
gigaethernet1/1/1)#pppoeagent ID contains spacing, bracket the
circuit-id raisecom whole character string with quotes.
In default mode, the Circuit ID contains an attached string. By default, the attached string is
configured to the hostname of the switch. You can configure it to a customized string.
445
Raisecom
Configure the attached string of the Circuit ID for the ISCOM2600G series switch as below.

2 Raisecom(config)#ppp (Optional) configure the attached string of the
oeagent circuit-id Circuit ID.
attach-string string
Example: If the Circuit ID is in default mode, attached string
Raisecom(config)#ppp configured by this command will be added to the
oeagent circuit-id Circuit ID.
attach-string user01  attach-string: any fixed string
 string: attached string, with the length ranging from
1 to 55 bytes. If the string contains spacing, bracket
the string in double-quotes.
Configuring Remote ID
The Remote ID is padded with a MAC address of the switch or a client. In addition, you can
specify the form (binary/ASCII) of the MAC address.
Configure the Remote ID for the ISCOM2600G series switch as below.

number
Example:
Raisecom(config)#interface unit/slot/port. The value range depends on
gigaethernet 1/1/1 the interface type.
3 Raisecom(config- (Optional) configure PPPoE+ Remote ID to
gigaethernet1/1/*)#pppoeag be padded with the MAC address.
ent remote-id { client-mac
 client-mac: pad the remote ID with the
| switch-mac | user-define
string } client MAC address.
 switch-mac: pad the remote ID with the
Example:
Raisecom(config- switch MAC address.
 user-define string: string defined by the
gigaethernet1/1/1)#pppoeag
ent remote-id client-mac user
4 Raisecom(config- (Optional) configure the padding modes of
gigaethernet1/1/*)#pppoeag the PPPoE+ Remote ID.
ent remote-id format
 ascii: padding the remote ID in the ASCII
{ ascii | binary }
Example: format
 binary: padding the remote ID in the
Raisecom(config-
gigaethernet1/1/1)#pppoeag binary format.
ent remote-id format ascii

446
Raisecom
Configuring Tag overriding

Tags of some fields may be forged by the client because of some reasons. The client overrides
the original Tags. After Tag overriding is enabled, if PPPoE packets contain Tags, these Tags
are overridden. If not, add Tags to these PPPoE packets.
Configure Tag overriding for the ISCOM2600G series switch as below.

Example:
gigaethernet 1/1/1
of unit/slot/port. The value
range depends on the interface
type.
3 Raisecom(config- Enable or disable Tag overriding
gigaethernet1/1/1)#pppoeagent on the specified interface.
vendor-specific-tag overwrite
 enable: enable Tag overriding
Example: on the specified interface.
 disable: disable Tag overriding
Raisecom(config-
gigaethernet1/1/1)#pppoeagent on the specified interface.
vendor-specific-tag overwrite enable


1 Raisecom#show pppoeagent [ interface- Show PPPoE+ configurations.
type interface-number ]
2 Raisecom#show pppoeagent statistic Show PPPoE+ statistics.
[ interface-type interface-number ]
10.8.7 Maintenance
Command Description
Raisecom(config)#clear pppoeagent Clear PPPoE+ statistics. The device supports
statistic [ interface-type clearing PPPoE+ statistics on the specified
interface-number ] interface.
Example:
Raisecom(config)#clear pppoeagent
statistic gigaethernet 1/1/1
unit/slot/port. The value range depends on
the interface type.

447
Raisecom
10.8.8 Example for configuring PPPoE+
As shown in Figure 10-11, to prevent illegal clients from accessing and managing legal users,
you can configure PPPoE+ on the Switch.
 GE 1/1/1 and GE 1/1/2 are connected to Client 1 and Client 2 respectively. GE 1/1/3 is
connected to the PPPoE server.
 Enable global PPPoE+, and PPPoE on GE 1/1/1 and GE 1/1/2. Configure GE 1/1/3 as
the trusted interface.
 Configure the attached string of Circuit ID to raisecom, padding information about
Circuit ID on GE 1/1/1 to user01, padding information about Circuit ID on GE 1/1/2 to
the MAC address of Client 2, in ASCII format.
 Enable Tag overwriting on GE 1/1/1 and GE 1/1/2.
Figure 10-11 PPPoE+ networking
Configuration steps
Step 1 Configure GE 1/1/3 as the trusted interface.
Raisecom#config
Raisecom(config-gigaethernet1/1/3)#pppoeagent trust
Step 2 Configure packet information about GE 1/1/1 and GE 1/1/2.
Raisecom(config)#pppoeagent circuit-id attach-string raisecom

Raisecom(config-gigaethernet1/1/1)#pppoeagent circuit-id user01
Raisecom(config-gigaethernet1/1/2)#pppoeagent remote-id client-mac

448
Raisecom
Raisecom(config-gigaethernet1/1/2)#pppoeagent remote-id format ascii

Step 3 Enable Tag overwriting on GE 1/1/1 and GE 1/1/2.

Raisecom(config-gigaethernet1/1/1)#pppoeagent vendor-specific-tag
overwrite enable
Raisecom(config-gigaethernet1/1/2)#pppoeagent vendor-specific-tag
overwrite enable
Step 4 Enable global PPPoE+, and PPPoE on GE 1/1/1 and GE 1/1/2.
Raisecom(config)#pppoeagent enable
Raisecom(config-gigaethernet1/1/1)#pppoeagent enable
Raisecom(config-gigaethernet1/1/2)#pppoeagent enable
Checking results
Use the show pppoeagent command to show PPPoE+ configurations.
Raisecom#show pppoeagent
Global PPPoE+ status: enable
Attach-string: %default%
Circuit ID padding mode: switch
Port :gigaethernet1/1/1
State :enable
Overwrite :enable
Format-rules :binary
Remote-ID :client-mac
Circuit-ID :(21ra
State :disable
Overwrite :disable
Remote-ID :switch-mac
Circuit-ID :%default%

449
Raisecom
State :disable
Overwrite :disable
10.9 Configuring CPU protection

Scenario
When the ISCOM2600G series switch receives massive attacking packets in a short period,
the CPU will run with full load and the CPU utilization rate will reach 100%. This will cause
device malfunction. CPU CAR helps efficiently limit the speed of packets which enters the
CPU.
Prerequisite
N/A
10.9.2 Configuring global CPU CAR

2 Raisecom(config)#cp Configure the protocol type, CIR, and CBS of global
u-protect car CPU packet protection.
global kbps cir
 cpu-protect: CPU protection
cir-value cbs cbs-
 car: committed access rate
value
 global: global information
Example:
 kbps: in units of kbit/s
Raisecom(config)#cp
 cir cir-value: CIR, an integer, ranging from 1 to
u-protect car
global kbps cir 400 10000 kbit/s
 cbs cbs-value: CBS, an integer, ranging from 1 to
cbs 600
10000 Kbytes
3 Raisecom(config)#cp Configure the CIR and CBS of packets in the queue.
u-protect car queue
queue-id kbps cir
 car: committed access rate
cir-value cbs cbs-
 queue-id: queue ID, an integer, ranging from 0 to 7
value
 kbps: in units of kbit/s
Example:
 cir cir-value: CIR, an integer, ranging from 1 to
Raisecom(config)#cp
u-protect car queue 10000 kbit/s
 cbs cbs-value: CBS, an integer, ranging from 1 to
1 kbps cir 400 cbs
600 10000 Kbytes

450
Raisecom

4 Raisecom(config)#in Enter physical interface configuration mode.
terface interface-
type interface-
 interface-number: in the form of unit/slot/port. The
number
Example: value range depends on the interface type.
Raisecom(config)#in
terface
gigaethernet 1/1/1
5 Raisecom(config- Configure the mapping between the protocol and
gigaethernet1/1/*)# queue.
cpu-protect car
type { arp | dhcp |
 car: commited access rate
igmp | lacp | lldp
 arp: ARP packet
| mld | oam | stp }
 dhcp: DHCP packet
queue queue-id
 igmp: IGMP packet
Example:
 lacp: LACP packet
Raisecom(config-
 lldp: LLDP packet
gigaethernet1/1/1)#
 mld: MLD packet
cpu-protect car
 oam: OAM packet
type igmp queue 2
 stp: STP packet
 queue-id: Queue ID, an integer, ranging from 0 to 7
Configurations of CPU protection affect other protocol modules, so we do not

recommend modifying them. Only professional personnel can modify them.


1 Raisecom#show cpu-protect car statistics Show CPU CAR statistics.
[ dynamic ]
2 Raisecom#show cpu-protect car [ arp | Show global mappings
dhcp | igmp | lacp | lldp | mld | oam | between protocols and
stp ] queues.
10.9.4 Maintenance

451
Raisecom
Command Description
Raisecom(config)#clear cpu-protect car Clear global CPU CAR
queue [ queue-id ] statistics statistics.
Example:
 queue-id: queue ID, an
Raisecom(config)#clear cpu-protect car
queue 1 statistics integer, ranging from 0 to 7
10.10 Configuring ARP attack protection

Scenario
ARP is simple and easy to use, but vulnerable to attacks due to no security mechanism.
Attackers can forge ARP packets from users or gateways. When they send excessive IP
packets, whose IP addresses cannot be resolved, to the ISCOM2600G series switch, they will
cause the following harms:
 The ISCOM2600G series switch sends excessive ARP request packets to the destination
network segment, so this network segment is overburdened.
 The ISCOM2600G series switch repeatedly resolve destination IP addresses, so the CPU
is overburdened.
To prevent theses harms due to attacks on IP packets, the ISCOM2600G series switch
supports ARP attack protection.
Prerequisite
N/A
10.10.2 Configuring ARP

Configure ARP for the ISCOM2600G series switch as below.

vlan-id mode.
Example:
3 Raisecom(config-vlan*)#arp Enable or disable the device to learn
learning strict { enable | ARP entries requested by itself.
disable }
 enable: enable the device to learn
Example:
aisecom(config-vlan1)#arp ARP entries requested by itself.
 disable: disable the device to learn
learning strict enable
ARP entries requested by itself.

452
Raisecom

4 Raisecom(config-vlan*)#arp check- Enable or disable the check of ARP
destination-ip { enable | destination IP address.
disable }
 enable: enable the check of ARP
Example:
Raisecom(config-vlan1)#arp check- destination IP address.
 disable: disable the check of ARP
destination-ip enable
destination IP address.
5 Raisecom(config-vlan*)#arp filter Configure ARP filtering.
{ gratuitous | mac-illegal | tha-
 gratuitous: gratuitous ARP packets
filled-request }
 mac-illegal: illegal MAC
Example:
 tha-filled-request: ARP request
Raisecom(config-vlan1)#arp filter
gratuitous packets with non-empty
destination MAC
6 Raisecom(config-vlan*)#arp anti- Configure the fixing of ARP entries.
attack entry-check { fixed-all |
 fixed-all: fix entries.
fixed-mac | send-ack }
 fixed-mac: MAC will not be
Example:
Raisecom(config-vlan1)#arp anti- updated.
 send-ack: send ACK for
attack entry-check fixed-all
confirmation.
Example:
gigaethernet 1/1/1
8 Raisecom(config- Configure rate limiting of ARP.
gigaethernet1/1/*)#ip arp-rate-
 rate-value: rate limit, an integer,
limit rate rate-value
Example: ranging from 1 to 1000, in units of
Raisecom(config- packet/s
gigaethernet1/1/1)#ip arp-rate-
limit rate 30


1 Raisecom#show ip arp-rate- Show information about rate limiting on
limit ARP packets.
2 Raisecom#show ip arp filter Show information about ARP filtering.

453
Raisecom
10.11 ND Snooping
10.11.1 Introduction
Neighbor Discovery (ND) is a group of messages or processes for determining relations
between neighboring nodes. Its messages replace IPv4 Address Resolution Protocol (ARP),
ICMP Router Discovery (RD), and ICMP Redirect messages, and it also supports the
following functions:
 Detecting address conflicts
 Resolving the neighbor address
 Determining neighbor reachability
 Configuring the IP address of the host
ND Snooping is used on the ISCOM2600G to check user validity. It normally forwards ND
packets of authorized users and discards those of unauthorized users, thus preventing attacks
from pseudo users and gateways.
User validity check is used to determine whether a user is an authorized user of the VLAN to
which the interface receiving the ND packet belongs, according to the source IPv6 address
and source MAC address carried in the ND packet.
ND Snooping divides interfaces of the access device into the following two types:
 ND trusted interface: this interface does not check user validity.
 ND untrusted interface: the device takes RA packets received by the ND untrusted
interface invalid and thus discards them directly.
Scenarios
ND Snooping is used to prevent common ND spoofing attacks on the network, thus able to
isolate ND packets from unauthorized sources. You can configure the trusted status of an
interface to trust ND packets or not and configure the binding table to determine whether ND
packets comply with requirements.
Prerequisite
N/A
10.11.3 Default configurations of ND Snooping

Default configurations of ND Snooping are as below.

Interface trusted status of ND Snooping Untrusted
ND Snooping status Disable
RA Snooping status Disable
RA Snooping interface trusted status Not trusted

454
Raisecom
10.11.4 Configuring ND Snooping

Enable static binding of ND Snooping for the ISCOM2600G series switch as below.

2 Raisecom(config)#ipv6 nd snooping Enable global ND Snooping.
3 Raisecom(config)#vlan vlan-id (Optional) enter physical interface
interface interface-type configuration mode.
interface-number
Example:
4 Raisecom(config)#interface (Optional) enable ND Snooping on
interface-type interface-number- the interface that is connected to the
gigaethernet1/1/*)#ipv6 nd gateway.
snooping
5 Raisecom(config- Configure the interface that is
gigaethernet1/1/*)#ipv6 nd connected to the gateway as a
snooping trust trusted interface.
6 Raisecom(config- (Optional) enable validity check on
gigaethernet1/1/*)#ipv6 nd NS/NA/RS packets by ND
snooping trustcheck { na | ns | Snooping.
rs }
 na: NA packets
Example:
 ns: NS packets
Raisecom(config-
 rs: RS packets
gigaethernet1/1/1)#ipv6 nd
snooping check ns
10.11.5 RA Snooping
The Router Advertisement (RA) message carries network configurations, including

the default router, network prefix list, and enabling status of the DHCP server. If the
victim receives the forged RA message, network configurations will be incorrect and
thus spoofing attacks are generated.
Configure RA Snooping for the ISCOM2600G series switch as below.

2 Raisecom(config)#ipv6 ra snooping Enable global RA Snooping.

455
Raisecom

3 Raisecom(config)#interface (Optional) enter physical
interface-type interface-number interface configuration mode, or
4 Raisecom(config-gigaethernet Configure the interface as the
1/1/*)#ipv6 ra snooping trust trusted interface.


1 Raisecom#show ipv6 nd snooping Show static binding and
[ interface interface-type interface- interface trusted status.
number ]
2 Raisecom#show ipv6 nd snooping Show the binding relation of a
binding [ interface interface-type specified interface or all
interface-number ] interfaces.
3 Raisecom#show ipv6 nd- snooping Show statistics on ND
statistics [ interface interface-type Snooping packets.
interface-number ]
4 Raisecom#show ipv6 ra snooping Show configurations of RA
[ interface-type interface-number ] Snooping.
10.11.7 Maintenance

1 Raisecom(config)#clear ipv6 nd Clear statistics on ND Snooping
snooping statistics [ interface user packets received by the device.
interface-type interface-number ]
Example:
Raisecom(config)#clear ipv6 nd
snooping statistics unit/slot/port. The value range
2 Raisecom(config)#clear ipv6 nd Delete entries dynamically learnt by
snooping ip-address ipv6-address ND Snooping in a specified VLAN.
vlan vlan-id
 ipv6-address: IPv6 address, such
Example:
Raisecom(config)#clear ipv6 nd as A:B::C:D
snooping ip-address 3000::1 vlan

456
Raisecom
10.11.8 Example for configuring ND Snooping
As shown in Figure 10-12, the host of a LAN user is connected to the gateway by Switch A. It
has to obtain the IPv6 address through stateless automatic configuration according to the
prefix assigned by the gateway to the user network because no DHCPv6 server is deployed on
the network. To prevent illegal users from sending NA/NS/RS/RA packets, which causes legal
hosts to fail to obtain IPv6 addresses, enable ND Snooping on Switch A to intercept illegal
packets.
Figure 10-12 ND Snooping networking
Configuration steps
Step 1 Create VLAN 10 on Switch A, and activate it.
Configure Switch.
SwitchA#config
SwitchA(config)#create vlan 10 active
Step 2 Add GE 1/1/2 on Switch A to VLAN 10 in Access mode. Configure it to Trunk mode,
allowing packets of VLAN 10 to pass.

SwitchA(config-gigaethernet1/1/2)#switchport mode access
confirm

457
Raisecom
Step 3 Enable global ND Snooping and enable ND Snooping in VLAN 10. Configure GE 1/1/1 as
the trusted interface.
SwitchA(config)#ipv6 nd snooping
SwitchA(config)#vlan 10
SwitchA(config-vlan)#ipv6 nd snooping
SwitchA(config-vlan)#exit
SwitchA(config-gigaethernet1/1/1)#ipv6 nd snooping trust
Step 4 Configure GE 1/1/3 as an untrusted interface. Enable validity check on ND packets.

SwitchA(config-gigaethernet1/1/3)#ipv6 nd snooping
SwitchA(config-gigaethernet1/1/3)#ipv6 nd snooping check ns
SwitchA(config-gigaethernet1/1/3)#ipv6 nd snooping check na
SwitchA(config-gigaethernet1/1/3)#ipv6 nd snooping check rs
Checking results
Use show ipv6 nd snooping command to check configurations of ND Snooping.
Raisecom#show ipv6 nd snooping

Global ND Snooping: Enable
Vlan Port Trust RRRAEnable NSEnable NAEnable
RSEnable
-------------------------------------------------------------------------
-----------
--
1 -- -- Disable Disable Disable
Disable
10 gigaethernet1/1/1 yes Enable Enable
Enable Enable
Use the show ipv6 nd snooping binding command to show information about the binding
table.
Raisecom# show ipv6 nd snooping binding

History Max Entry Num: 4
Current Entry Num: 2
IP Address VLAN MAC Address Port sec
Type Inhw

458
Raisecom
-------------------------------------------------------------------------
---------------------------------------------
FE80::C49:FE9:1CFE:437F 10 484d.7eaa.1a15
gigaethernet1/1/2 1385 nd yes
FE80::415A:E214:F155:6163 10 509a.4c13.2020
gigaethernet1/1/2 1455 nd yes

459
Raisecom
ISCOM2600G (A) Series Configuration Guide (CLI) 11 Reliability
11 Reliability
This chapter describes basic principles and configuration procedures for reliability, and
 Link aggregation
 Interface backup
 Link-state tracking
 Key-chain
 UDLD
11.1 Link aggregation

11.1.1 Introduction
Link aggregation refers to aggregating multiple physical Ethernet interfaces to a Link
Aggregation Group (LAG) and taking multiple physical links in the same LAG as one logical
link. Link aggregation helps share traffic among members in the LAG. Besides effectively
improving reliability on links between two devices, link aggregation helps gain higher
bandwidth without upgrading hardware.
Generally, the link aggregation consists of manual link aggregation, static Link Aggregation
Control Protocol (LACP) link aggregation, and dynamic LACP link aggregation.
 Manual link aggregation
Manual link aggregation refers to aggregating multiple physical interfaces to one logical
interface so that they can balance load.
 Static LACP link aggregation
Link Aggregation Control Protocol (LACP) is a protocol based on IEEE802.3ad. LACP
communicates with the peer through the Link Aggregation Control Protocol Data Unit
(LACPDU). In addition, you should manually configure the LAG. After LACP is enabled on
an interface, the interface sends a LACPDU to inform the peer of its system LACP protocol
priority, system MAC address, interface LACP priority, interface ID, and operation Key.
After receiving the LACPDU, the peer compares its information with the one received from
other interfaces to select an interface able to be in Selected status, on which both sides can

460
Raisecom
agree. The operation key is a configuration combination automatically generated based on

configurations of the interface, such as the speed, duplex mode, and Up/Down status. In a
LAG, interfaces in the Selected status share the identical operation key.
 Dynamic LACP link aggregation
In dynamic LACP link aggregation, the system automatically creates and deletes the LAG and
member interfaces through LACP. Interfaces cannot be automatically aggregated into a group
unless their basic configurations, speeds, duplex modes, connected devices, and the peer
interfaces are identical.
In manual aggregation mode, all member interfaces are in forwarding status, sharing loads. In
static/dynamic LACP mode, there are backup links.
Link aggregation is the most widely used and simplest Ethernet reliability technology.
Scenario
To provide higher bandwidth and reliability for a link between two devices, configure link
aggregation.
Prerequisite
 Configure physical parameters of interfaces and make them Up.
 In the same LAG, member interfaces that share loads must be identically configured.
Otherwise, data cannot be forwarded properly. These configurations include QoS, QinQ,
VLAN, interface properties, and MAC address learning.
– QoS: traffic policing, traffic shaping, congestion avoidance, rate limit, SP queue,
WRR queue scheduling, interface priority and interface trust mode
– QinQ: QinQ enabling/disabling status on the interface, added outer VLAN tag,
policies for adding outer VLAN Tags for different inner VLAN IDs
– VLAN: the allowed VLAN, default VLAN and the link type (Trunk or Access) on
the interface, subnet VLAN configurations, protocol VLAN configurations, and
whether VLAN packets carry Tag
– Port properties: whether the interface is added to the isolation group, interface rate,
duplex mode, and link Up/Down status
– MAC address learning: whether MAC address learning is enabled and whether the
interface is configured with MAC address limit.
11.1.3 Configuring manual link aggregation

Configure manual link aggregation for the ISCOM2600G series switch as below.


461
Raisecom

2 Raisecom(config)#i Enter aggregation group configuration mode.
nterface port-
 channel-number: LAG interface ID, an integer,
channel channel-
number ranging from 1 to 32
Example:
Raisecom(config)#i
nterface port-
channel 1
3 Raisecom(config- Configure manual link aggregation mode.
port-
channel*)#mode
manual
4 Raisecom(config- (Optional) configure the maximum or minimum
port- number of active links in LACP LAG.
channel*)#{ max-
active | min-
By default, the maximum number is 8 while the
active } links minimum is 1.
number  max-active: maximum number of active interfaces
Example:  min-active: minimum number of active interfaces
Raisecom(config-  number: threshold of the active interface, an integer,
port- ranging from 1 to 8

channel1)#max-
active links 3

462
Raisecom

5 Raisecom(config- (Optional) configure a load balancing mode for link
port- aggregation.
channel1)#load-
sharing mode By default, the load balancing algorithm is configured
{ dst-ip | dst-mac to sxordmac. In this mode, select a forwarding
| src-dst-ip | interface based on the OR result of the source and
src-dst-mac | src- destination MAC addresses.
ip | src-mac }  dst-ip: select the forwarding interface based on the
Example: destination IP address, ensuring packets with the
Raisecom(config- same destination IP address being forwarded through
port- the same interface.
channel1)#load-  dst-mac: select the forwarding interface based on the
sharing mode src- destination MAC address, ensuring packets with the
ip same destination MAC address being forwarded
through the same interface.
 src-dst-ip: select the forwarding interface based on
the result of logical XOR of source and destination

IP addresses, ensuring packets with the same result
being forwarded through the same interface.
 src-dst-mac: select the forwarding interface based on
the result of logical XOR of source and destination

MAC addresses, ensuring packets with the same
result being forwarded through the same interface.
 src-ip: select the forwarding interface based on the
source IP address, ensuring packets with the same

source IP address being forwarded through the same
interface.
 src-mac: select the forwarding interface based on the
source MAC address, ensuring packets with the same

source MAC address being forwarded through the
same interface.
6 Raisecom(config- (Optional) enter global configuration mode.
port-
channel*)#exit
7 Raisecom(config)#l (Optional) enable local load balancing with a high
ink-aggregation priority in link aggregation.
load-sharing mode
local-first
11.1.4 Configuring static LACP link aggregation

Configure static LACP link aggregation for the ISCOM2600G series switch as below.


463
Raisecom

2 Raisecom(config)#lacp (Optional) configure the system LACP priority.
system-priority The device with higher priority is the active end.
system-priority LACP chooses active and backup interfaces
Example: according to configurations of the active end.
Raisecom(config)#lacp The smaller the number is, the higher the priority
system-priority 1 is. The device with the smaller MAC address will
be chosen as the active end if system LACP
priorities of the two devices are identical.
By default, the system LACP priority is 32768.
 system-priority: LACP priority, an integer,
ranging from 0 to 65535. The smaller the value,
the higher the priority, and the more likely the
device can be an active end.
3 Raisecom(config)#lacp (Optional) configure LACP timeout mode.
timeout { fast |
slow } By default, it is slow.
Example:  fast: fast mode. The interval of sending packets
Raisecom(config)#lacp is 1s and the period of timeout is 3s.
timeout fast  slow: slow mode. The interval of sending
packets is 30s and the period of timeout is 90s.

4 Raisecom(config)#inte Enter aggregation group configuration mode.
rface port-channel
 channel-number: LAG interface ID, an integer,
channel-number
Raisecom(config)#inte
rface port-channel 1
5 Raisecom(config-port- Configure the working mode of the LAG to static
channel*)#mode lacp LACP LAG.
6 Raisecom(config-port- (Optional) configure maximum or minimum
channel*)#{ max- number of active links in LACP LAG.
active | min-active }
links number
By default, the maximum number is 8 while the
Example: minimum number is 1.
Raisecom(config-port-  max-active: maximum number of active
channel1)#max-active interfaces
links 3  min-active: minimum number of active
interfaces
 number: threshold of the active interface, an

7 Raisecom(config-port- Enable priority preempt on the LAG.
channel*)#lacp
 enable: enable priority preempt.
priority preempt
 disable: disable priority preempt.
Example:
channel1)#lacp
priority preempt
enable

464
Raisecom

8 Raisecom(config-port- Configure the wait time on the interface.
channel*)#lacp wait-
 time: WTR time on the interface, in units of
timer time
Example: millisecond, ranging from 0 to 6000
channel1)#lacp wait-
timer 1
channel*)#exit
10 Raisecom(config)#inte Enter physical interface configuration mode.
rface interface-type
interface-number
Example:
Raisecom(config)#inte The value range depends on the interface type.
rface gigaethernet
1/1/1
11 Raisecom(config- Add the physical interface to the LAG.
gigaethernet1/1/*)#po
 channel-number: LAG ID, an integer, ranging
rt-channel channel-
number from 1 to 32
Example:
Raisecom(config-
gigaethernet1/1/1)#po
rt-channel 2
12 Raisecom(config- (Optional) configure the LACP mode for
gigaethernet1/1/*)#la member interfaces. The LACP connection will
cp mode { active | fail to be established when both ends of it are in
passive } passive mode.
Example:
Raisecom(config- By default, it is in active mode.
gigaethernet1/1/1)#la  active: the interface periodically sends LACP
cp mode passive packets to the peer for negotiation.
 passive: the interface does not send any LACP
packets, but receives and responds to the LACP

packets sent by the peer.
13 Raisecom(config- (Optional) configure the interface LACP priority.
gigaethernet1/1/*)#la The priority affects election for the default
cp port-priority interface for LACP. The smaller the value is, the
port-priority higher the priority is.
Example:
Raisecom(config- By default, it is 32768.
gigaethernet1/1/1)#la  port-priority: LACP priority of the interface, an
cp port-priority 1 integer, ranging from 0 to 65535. The smaller
the value, the higher the priority, and the more
likely that the interface can be an active
interface.

465
Raisecom
 In a static LACP LAG, a member interface can be an active/standby one. Both the
active interface and standby interface can receive and send LACPDU. However,
the standby interface cannot forward user packets.
 The system chooses default interface in the order of neighbor discovery, interface
maximum speed, interface highest LACP priority, and interface minimum ID. The
interface is in active status by default, the interface with identical speed, identical
peer and identical device operation key is also in active status; other interfaces
are in standby status.
11.1.5 Configuring manual master/slave link aggregation

Configure manual master/slave link aggregation for the ISCOM2600G series switch as below.

2 Raisecom(config)#interface Enter aggregation group configuration
port-channel channel-number mode.
Example:
 channel-number: LAG interface ID, an
port-channel 1 integer, ranging from 1 to 32
3 Raisecom(config-port- Configure the working mode of the LAG
channel*)#mode manual backup to manual backup LAG.
4 Raisecom(config-port- Configure the active interface of the
channel*)#master-port LAG.
number
Example:
Raisecom(config-port- unit/slot/port. The value range depends
channel1)#master-port on the interface type.
gigaethernet 1/1/1
5 Raisecom(config-port- Configure the restoration mode and
channel*)#restore-mode wait-to-restore time of the LAG.
{ non-revertive | revertive
[ restore-delay second ] } By default, the restoration mode is non-
Example: revertive.
Raisecom(config-port-  non-revertive: non-revertive mode
channel1)#restore-mode non-  revertive: revertive mode
revertive  restore-delay second: restore delay, an

units of second
channel*)#exit
number
Example:
gigaethernet 1/1/1 unit/slot/port. The value range depends
on the interface type.

466
Raisecom

8 Raisecom(config- Add member interfaces to the LAG.
gigaethernet1/1/*)#port-
 channel-number: LAG ID, an integer,
channel channel-number
Raisecom(config-
gigaethernet1/1/1)#port-
channel 2
Before configuring the revertive mode of faults in the LAG to non-revertive, you must
use the master-port command to configure the master interface.


1 Raisecom#show Show local system LACP interface status, flag, interface
lacp internal priority, administration key, operation key, and interface
status machine status.
2 Raisecom#show Show information about LACP neighbors, including tag,
lacp neighbor interface priority, device ID, Age, operation key value,
interface ID, and interface status machine status.
3 Raisecom#show Show statistics about interface LACP, including the total
lacp number of received/sent LACP packets, the number of
statistics received/sent Marker packets, the number of received/sent
Marker Response packets, and the number of errored
Marker Response packets,
4 Raisecom#show Show global LACP status of the local system, device ID,
lacp sys-id including system LACP priority and system MAC address.
5 Raisecom#show Show link aggregation status of the current system, load
port-channel balancing mode of link aggregation, all LAG member
[ channel- interfaces, and active member interfaces.
number ]
The active member interface refers to the one

whose interface status is Up.

467
Raisecom
11.1.7 Example for configuring static LACP link aggregation
As shown in Figure 11-1, to improve link reliability between Switch A and Switch B, you can
configure static LACP link aggregation. That is to add GE 1/1/1, GE 1/1/2, and GE 1/1/3 to
one LAG; GE 1/1/1 and GE 1/1/2 are used as the active interface while GE 1/1/3 as the
standby interface.
Figure 11-1 Static LACP mode Link aggregation networking
Configuration steps
Step 1 Create static LACP link aggregation on Switch A. Configure Switch A as the active end.
SwitchA#config
SwitchA(config)#lacp system-priority 1000
SwitchA(config)#interface port-channel 1
SwitchA(config-port-channel1)#mode lacp
SwitchA(config-port-channel1)#max-active links 2
SwitchA(config-port-channel1)#exit
SwitchA(config-gigaethernet1/1/1)#port-channel 1
SwitchA(config-gigaethernet1/1/1)#lacp port-priority 1000
SwitchA(config-gigaethernet1/1/2)#lacp port-priority 1000
Step 2 Create static LACP link aggregation on Switch B.

468
Raisecom
SwitchB#config
SwitchB(config-gigaethernet1/1/1)#port-channel 1
Checking results
Use the show port-channel command to show global configurations of the static LACP link
aggregation on Switch A.
SwitchA#show port-channel
Group 1 information:
Mode : Lacp Load-sharing mode : src-dst-mac
MinLinks: 1 Max-links : 2
UpLinks : 3 Priority-Preemptive: Disable
Member Port : gigaethernet1/1/1 gigaethernet1/1/2 gigaethernet1/1/3
Efficient Port: gigaethernet1/1/1 gigaethernet1/1/2
Use the show lacp internal command to show configurations of local LACP interface status,
flag, interface priority, administration key, operation key, and interface state machine on
Switch A.
SwitchA#show lacp internal

Flags:
S - Device is requesting Slow LACPDUs F - Device is requesting Fast
LACPDUs
A - Device in Active mode P - Device in Passive mode MP - MLACP Peer
Port
Interface State Flag Port-Priority Admin-key Oper-
key Port-State
-------------------------------------------------------------------------
----------------------
gigaethernet1/1/1 Active SA 1000 1 2
0x3D
gigaethernet1/1/2 Active SA 1000 1 2
0x3D
gigaethernet1/1/3 Standby SA 32768 1 2
0x5

469
Raisecom
Use the show lacp neighbor command to show configurations of LACP interface status, flag,
interface priority, administration key, operation key, and interface state machine of the peer
system on Switch A.
Raisecom#show lacp neighbor

Flags:
S - Device is requesting Slow LACPDUs F - Device is requesting Fast
LACPDUs
A - Device in Active mode P - Device in Passive mode MP - MLACP Peer
Port
Interface Flag Port-Priority Age Device-ID Oper-key
Partner-Port Port-State
-------------------------------------------------------------------------
---------------------------
gigaethernet1/1/1 SA 32768 23s 000E.5EAB.CDEF 1 17
0x3D
0xD
0xD
11.2 Interface backup

11.2.1 Introduction
In dual uplink networking, Spanning Tree Protocol (STP) is used to block the redundancy link
and implements backup. Though STP can meet users' backup requirements, it fails to meet
switching requirements. Though Rapid Spanning Tree Protocol (RSTP) is used, the
convergence is second level only. This is not a satisfying performance parameter for high-end
Ethernet switch which is applied to the core of the carrier-grade network.
Interface backup, targeted for dual uplink networking, implements redundancy backup and
quick switching through working and protection lines. It ensures performance and simplifies
configurations.
Interface backup is another STP solution. When STP is disabled, you can realize basic link
redundancy by manually configuring interfaces. If the switch is enabled with STP, you should
disable interface backup because STP has provided similar functions.
When the primary link fails, traffic is switched to the backup link. In this way, not only 50ms
fast switching is ensured, but also configurations are simplified.
Principles of interface backup

Interface backup is implemented by configuring the interface backup group. Each interface
backup group contains a primary interface and a backup interface. The link, where the
primary interface is, is called a primary link while the link, where the backup interface is, is
called the backup interface. Member interfaces in the interface backup group supports
physical interfaces and LAGs. However, they do not support Layer 3 interfaces.

470
Raisecom
In the interface backup group, when an interface is in Forward status, the other interface is in
Block status. At any time, only one interface is in Forward status. When the Forward interface
fails, the Block interface is switched to the Forward status.
Figure 11-2 Principles of interface backup
As shown in Figure 11-2, GE 1/1/1 and GE 1/1/2 on Switch A are connected to their uplink
devices respectively. The interface forwarding states are shown as below:
 Under normal conditions, GE 1/1/1 is the primary interface while GE 1/1/2 is the backup
interface. GE 1/1/1 and the uplink device forward packet while GE 1/1/2 and the uplink
device do not forward packets.
 When the link between GE 1/1/1 and its uplink device fails, the backup GE 1/1/2 and its
uplink device forward packets.
 When GE 1/1/1 restores normally and keeps Up for a period (restore-delay), GE 1/1/1
restores to forward packets and GE 1/1/2 restores standby status.
When a switching between the primary interface and the backup interface occurs, the switch
sends a Trap to the NView NNM system.
Application of interface backup in different VLANs

By applying interface backup to different VLANs, you can enable two interfaces to share
service load in different VLANs, as shown in Figure 11-3.

471
Raisecom
Figure 11-3 Networking with interface backup in different VLANs

In different VLANs, the forwarding status is shown as below:
 Under normal conditions, configure Switch A in VLANs 100–150.
 In VLANs 100–150, GE 1/1/1 is the primary interface and GE 1/1/2 is the backup
interface.
 In VLANs 151–200, GE 1/1/2 is the primary interface and GE 1/1/1 is the backup
interface.
 GE 1/1/1 forwards traffic of VLANs 100–150, and GE 1/1/2 forwards traffic of VLANs
151–200.
 When GE 1/1/1 fails, GE 1/1/2 forwards traffic of VLANs 100–200.
 When GE 1/1/1 restores normally and keeps Forward for a period (restore-delay), GE
1/1/1 forwards traffic of VLANs 100–150, and GE 1/1/2 forwards VLANs 151–200.
Interface backup is used to balance service load in different VLANs without depending on
configurations of uplink switches, thus facilitating users' operation.
Scenario
By configuring interface backup in a dual uplink network, you can realize redundancy backup
and fast switching of the primary/backup link, and load balancing between different interfaces.
Compared with STP, interface backup not only ensures millisecond-level switching, also
simplifies configurations.
Prerequisite
N/A
11.2.3 Default configurations of interface backup

Default configurations of interface backup are as below.

472
Raisecom

Interface backup group N/A
Restore-delay 15s
Restoration mode Revertive mode
11.2.4 Configuring basic functions of interface backup

Configure basic functions of interface backup for the ISCOM2600G series switch as below.
Interface backup may interfere with STP, loop detection, and G.8032. We do not
recommend configuring them concurrently on the same interface.
interface-type interface- mode or aggregation group configuration
number mode.
Example:
gigaethernet 1/1/1
3 Raisecom(config- Configure the interface backup group.
gigaethernet1/1/*)#port
backup interface-type
In the VLAN list, configure the interface
backup-interface-number backup-interface-number to the backup
[ vlanlist vlan-list ] interface and configure the interface
Example: primary-interface-number to the primary
Raisecom(config- interface.
gigaethernet1/1/1)#port If no VLAN list is specified, the VLAN
backup gigaethernet 1/1/2 ranges from 1 to 4094.
 backup-interface-number: interface ID
 vlan-list: VLAN list, an integer, ranging
from 1 to 4094. It supports specific

values, such as "1,2,3"; it also supports a
range, such as "1-3". If you do not
specify the VLAN list for the interface
backup group, the VLAN ID ranges from
1 to 4094 by default.
4 Raisecom(config- (Optional) configure LLDP fault detection.
backup fault-detect lldp

473
Raisecom

5 Raisecom(config- (Optional) configure restoration mode.
 non-revertive: non-revertive mode
backup restore-mode
 revertive: revertive mode
{ revertive [ restore-delay
 restore-delay second: restore delay, an
second ] | non-revertive }
Example: integer, ranging from 0 to 65535, in units
Raisecom(config- of second
gigaethernet1/1/1)#port
backup restore-mode
revertive restore-delay 600
 In an interface backup group, an interface is either a primary interface or a backup

interface.
 In a VLAN, an interface or a LAG cannot be a member of two interface backup
groups simultaneously.
11.2.5 (Optional) configuring FS on interfaces
 After FS is successfully configured, the primary/backup link will be switched; in

other words, the current link is switched to the backup link (without considering
Up/Down status of the primary/backup interface).
 In the FS command, the backup interface ID is optional. If different VLANs of the
primary interface are configured with multiple interface backup groups, you should
enter the backup interface ID.
Configure FS on interfaces for the ISCOM2600G series switch as below.

interface-type interface-number configuration mode or
Raisecom(config)#interface mode.
gigaethernet 1/1/1
3 Raisecom(config- Configure FS on the interface.
gigaethernet1/1/*)#port backup
[ interface-type backup-interface-
Use the no port backup
number ] force-switch [ interface-type backup-
Example: interface-number ] force-switch
Raisecom(config- command to cancel FS.
gigaethernet1/1/1)#port backup  interface-type: interface type
gigaethernet 1/1/2 force-switch

474
Raisecom

Raisecom(config-port-channel*)#port interface-number: interface ID
backup [ interface-type backup-
interface-number ] force-switch
Example:
Raisecom(config-port-channel1)#port
backup port-channel 2 force-switch


1 Raisecom#show port Show status information about interface backup.
backup
2 Raisecom#show port Show configurations of interface backup.
backup group
11.2.7 Example for configuring interface backup
As shown in Figure 11-4, the PC accesses the server through the Switch. To implement a
reliable remote access from the PC to the server, configure an interface backup group on
Switch A and specify the VLAN list so that the two interfaces concurrently forward services
in different VLANs and balance load. Configure Switch A as below:
 Add GE 1/1/1 to VLANs 100–150 as the primary interface and GE 1/1/2 as the backup
interface.
 Add GE 1/1/2 to VLANs 151–200 as the primary interface and GE 1/1/1 as the backup
interface.
When GE 1/1/1 or its link fails, the system switches traffic to the backup interface GE 1/1/2 to
resume the link.
Switch A is required to support interface backup while other switches are not.

475
Raisecom
Figure 11-4 Interface backup networking
Configuration steps
Step 1 Create VLANs 100–400, and add GE 1/1/1 and GE 1/1/2 to these VLANs.
Raisecom#config
Raisecom(config)#create vlan 100-200 active
Raisecom(config-gigaethernet1/1/1)#switchport trunk allowed vlan 100-200
confirm
Raisecom(config-gigaethernet1/1/2)#switchport trunk allowed vlan 100-200
confirm
Step 2 Configure GE 1/1/1 as the primary interface of VLANs 100–150 and GE 1/1/2 as the backup
interface.

Raisecom(config-gigaethernet1/1/1)#port backup gigaethernet 1/1/2
vlanlist 100-150
Step 3 Configure GE 1/1/2 as the primary interface of VLANs 151–200 and GE 1/1/1 as the backup
interface.

476
Raisecom
Raisecom(config-gigaethernet1/1/2)#port backup gigaethernet 1/1/1

vlanlist 151-200
Checking results
Use the show port backup group command to show status of interface backup under normal
or faulty conditions.
When both GE 1/1/1 and GE 1/1/2 are Forward, GE 1/1/1 forwards traffic of VLANs 100–
150, and GE 1/1/2 forwards traffic of VLANs 151–200.
Raisecom#show port backup group

Active Port(State) Backup Port(State) ForceSwitch Vlanlist
-------------------------------------------------------------------------
-------------------------------------
GE1/1/1(Forward) GE1/1/2(Block) NO 100-150
Manually disconnect the link between Switch A and Switch B to emulate a fault. Then, GE
1/1/1 becomes Down, and GE 1/1/2 forwards traffic of VLANs 100–200.

-------------------------------------------------------------------------
-------------------------------------
GE1/1/1(Down) GE1/1/2(Forward) NO 100-150
GE1/1/2(Forward) GE1/1/1(Down) NO 151-200
When GE 1/1/1 resumes and keeps Forward for 15s (restore-delay), it forwards traffic of
VLANs 100–150 while GE 1/1/2 forwards traffic of VLANs 151–200.

-------------------------------------------------------------------------
-------------------------------------

477
Raisecom
11.3 Link-state tracking

11.3.1 Introduction
Link-state tracking is used to provide interface linkage scheme for specific application and it
can extend range of link backup. By monitoring uplinks and synchronizing downlinks, add
uplink and downlink interfaces to a link-state group. Therefore, the fault of the upstream
device can be informed to the downstream device to trigger switching. Link-state tracking can
be used to prevent traffic loss due to failure in sensing the uplink fault by the downstream
device.
When all uplink interfaces fail, down link interfaces are configured to Down status. When at
least one uplink interface recovers, the downlink interface recovers to Up status. Therefore,
the fault of the upstream device can be informed to the downlink device immediately. Uplink
interfaces are not influenced when the downlink interface fail.
Scenario
When uplink fails, traffic cannot be switched to the standby link if the downlink device fails
to be notified in time. Then traffic will be disrupted.
Link-state tracking can be used to add downlink interfaces and uplink interfaces of the middle
device to a link-state group and monitor uplink interfaces. When all uplink interfaces fails, the
fault of the upstream device can be informed to the downstream device to trigger switching.
Prerequisite
N/A
11.3.3 Default configurations of link-state tracking

Default configurations of link-state tracking are as below.

Link-state group N/A
Action for processing faults on the interface N/A
Link-state group Trap Disable
11.3.4 Configuring link-state tracking
Link-state tracking supports being configured on the physical interface and LAG
interface.
Configure link-state tracking for the ISCOM2600G series switch as below.

478
Raisecom

2 Raisecom(config)#li Create the link-state group and enable link-state
nk-state-tracking tracking.
group group-number
 group-number: link-state group number, an
Example:
Raisecom(config)#li integer, ranging from 1 to 100
nk-state-tracking
group 1
3 Raisecom(config)#li Configure the mode for processing fault on the
nk-state-tracking link-state interface.
group group-number
 group-number: link-state group ID, an integer,
action { block-vlan
vlan-id interface- ranging from 1 to 100
type interface-
number | delete-
vlan vlan-id | value range depend on the interface type.
 block-vlan vlan-id: block a VLAN. The vlan-id is
flush-erps rind-id
| suspend-vlan an integer ranging from 1 to 4094.
 delete-vlan vlan-id: delete a VLAN. The vlan-id
vlan-id }
Example: is an integer ranging from 1 to 4094.
 flush-erps rind-id: clear the specified G.8032 ring
Raisecom(config)#li
nk-state-tracking ID. The rind-id is an integer ranging from 1 to
group 1 action 255.
 suspend-vlan vlan-id: suspend a VLAN. The
delete-vlan 30
vlan-id is an integer ranging from 1 to 4094.
4 Raisecom(config)#li Configure link-state tracking group Trap.
nk-state-tracking
 group-number: link-state group ID, an integer,
group group-number
trap { enable |
 enable: enable link-state group Trap.
disable }
 disable: disable link-state group Trap.
Example:
Raisecom(config)#li
nk-state-tracking
group 1 trap enable
5 Raisecom(config)#in Enter physical interface configuration mode, or
terface interface- aggregation group configuration mode. Take
type interface- physical interface configuration mode for example.
number
Example:
Raisecom(config)#in
terface
gigaethernet 1/1/1

479
Raisecom

6 Raisecom(config- Configure the uplink interface and downlink
gigaethernet1/1/*)# interface of the link-state group.
link-state-tracking
 group-number: link-state group number, an
group group-number
{ downstream | integer, ranging from 1 to 100
 downstream: configure the interface as a
upstream }
Example: downlink interface. The downlink interface is
Raisecom(config- connected with the downstream links. If the
gigaethernet1/1/1)# uplink fails, all downlink interfaces will shut
link-state-tracking down informing the downlinks of service
group 1 upstream switching.
 upstream: configure the interface as an uplink
interface. The uplink interface is connected with

the upstream links to monitor the uplink faults. In
addition, there can be multiple uplink and
downlink interfaces in a link-state group.
7 Raisecom(config- Configure the action for the link-state group to
gigaethernet1/1/*)# modifying PVID.
link-state-tracking
 group-number: LAG number, an integer, ranging
group group-number
action modify-pvid from 1 to 100
 modify-pvid vlan-id: PVID to be modified, an
vlan-id
Raisecom(config-
gigaethernet1/1/1)#
link-state-tracking
group 1 action
modify-pvid 30
 One link-state group can contain several uplink interfaces. Link-state tracking will
not be performed when at least one uplink interface is Up. Only when all uplink
interfaces are Down will link-state tracking occur.
 In global configuration mode, when you use the no link-state-tracking group
group-number command to disable link-state tracking, the link-state group without
interfaces will be deleted.
 In physical interface configuration mode, use the no link-state-tracking group
group-number command to delete an interface. During the execution of this
command, if the link-state group contains no other interfaces and is disabled, it
will also be deleted.


1 Raisecom#show link-state-tracking Show configurations and
group [ group-number ] status of the link-state group.

480
Raisecom
11.3.6 Example for configuring link-state tracking
As shown in Figure 11-5, to improve network reliability, Link 1 and Link 2 of Switch B are
connected to Switch A and Switch C respectively. Link 1 is the active link and Link 2 is the
standby link. Link 2 will not be used to forward data until Link 1 is faulty.
Switch A and Switch C are connected to the uplink network in link aggregation mode. When
all uplink interfaces on Switch A and Switch C fails, Switch B needs to sense the fault in time
and switches traffic to the standby link. Therefore, you should deploy link-state tracking on
Switch A and Switch C.
Figure 11-5 Link-state tracking networking
Configuration steps
Step 1 Configure link-state tracking on Switch A.
Create a LAG. Add uplink interfaces GE 1/1/1 and GE 1/1/2 to the LAG.
Raisecom#config
Raisecom(config-gigaethernet1/1/1)#port-channel 1
Raisecom(config-gigaethernet1/1/2)#port-channel 1
Create link-state group 1. Add LAG interfaces to the link-state group.

481
Raisecom
Raisecom(config)#link-state-tracking group 1
Raisecom(config)#interface port-channel 1
Raisecom(config-port-channel1)#link-state-tracking group 1 upstream
Raisecom(config-port-channel1)#exit
Add downlink interface GE 1/1/3 to the link-state group.

Raisecom(config-gigaethernet1/1/3)#link-state-tracking group 1 downstream
Step 2 Configure link-state tracking on Switch C.

Configurations are identical to the ones on Switch A.
Checking results
Use the show link-state-tracking group command to show configurations of the link-state
group.
SwitchA#show link-state-tracking group 1

Link-state-tracking Group: 1
Trap State: disable
UpStream Type: port
UpStream PortList: portchannel 1
Action Mode: Shutdown-port
Action PortList: gigaethernet 1/1/3
Link-state-tracking State: normal
Fault-type: none
Use the show link-state-tracking group command to show configurations of the link-state
group after all uplinks of Switch A fails. In this case, you can learn that link-state tracking is
performed.
SwitchA#show link-state-tracking group 1

Link-state-tracking Group: 1
Trap State: enable
UpStream Type: port
UpStream PortList: portchannel 1
Action Mode: Shutdown-port
Action PortList: gigaethernet 1/1/3
Link-state-tracking State: failover
Fault-type: port-shutdown

482
Raisecom
11.4 Key-chain
11.4.1 Introduction
To implement security, the network has to keep changing authentication information at the
application layer. The authentication algorithm and shared key determine whether information
is altered during transmission on an insecure network. When this authentication mode is used
to authenticate data, the data sender and receiver must share the security key and
authentication algorithm, and cannot transmit the security key on the network.
If each application layer protocol maintains a set of authentication rules (including the
authentication algorithm and key), there will be a large number of applications that use the
same authentication modes. As a result, authentication information is copied and altered.
Similarly, if each application adopts a fixed authentication key, it requires the network
administrator to change the key every time; however, manually changing a key or
authentication algorithm is complex, and modifying passwords of all routers without losing
packets is difficult.
In this case, the system is required to collectively manage all authentication processings and
change authentication algorithms and keys without manual intervention. To meet the
requirement, Key-chain is used, which can authenticate all protocols at the application layer
and dynamically change the password chain without losing packets.
Scenario
In this case, the system is required to collectively manage all authentication processings and
change authentication algorithms and keys without manual intervention. To meet this
requirement, Key-chain is used, which can authenticate all protocols at the application layer
and dynamically change the password chain without losing packets.
Prerequisite
N/A
11.4.3 Default configurations of Key-chain

N/A
11.4.4 Configuring Key-chain

Configure Key-chain on interfaces for the ISCOM2600G series switch as below.

483
Raisecom

2 Raisecom(config)#key-chain Create a key chain, and enter key-chain
keychain-name configuration mode.
Example:
Raisecom(config)#key-chain Use the no key-chain keychain-name
raisecom command to delete the configuration.
 keychain-name: name of the key chain, a
3 Raisecom(config-keychain)#key Configure the key and password.
key-id key-string [ 0 | 7 ]
 key-id: ID of key chain, an integer,
string
 0: the password is in plaintext mode.
Rasiecom(config-keychain)#key
 7: the password is in ciphertext mode.
1 key-string 0 raisecom
 string: content of the password
4 Raisecom(config-keychain)#key (Optional) configure the receiving time of

key-id accept-lifetime start- the key.
time { infinite | end-time |
duration duration-time } Use the no key key-id accept-lifetime
Example: command to restore the default condition.
Rasiecom(config-keychain)#key  key-id: ID of key chain, an integer,
1 accept-lifetime 1 0 0 2011 ranging from 1 to 255
1 1 2 0 0 2012 2 2  start-time: start time for receiving the key,
in format of hour minute second year

month day
– hour: ranging from 0 to 23
– minute: ranging from 0 to 59
– second: ranging from 0 to 59
– year: ranging from 2000 to 2037
– month: ranging from 1 to 12
– day: ranging from 1 to 31
 infinite: the receiving time is permanently
valid.
 end-time: end time for receiving the key,

month day
 duration duration-time: duration for
receiving the key, an integer, ranging


484
Raisecom

5 Raisecom(config-keychain)#key (Optional) configure the sending time of
key-id send-lifetime start- the key.
time { infinite | end-time |
duration duration-time } Use the no key key-id send-lifetime
Example: command to restore the default condition.
Rasiecom(config-keychain)#key
 key-id: ID of key chain, an integer,
1 send-lifetime 1 0 0 2011 1
1 2 0 0 2012 2 2 ranging from 1 to 255
 start-time: start time for receiving the key,

month day
valid.
 end-time: end time for receiving the key,

month day
 duration duration-time: duration for
receiving the key, an integer, ranging

6 Raisecom(config-
keychain)#accept-tolerance
(Optional) configure the tolerance time for
{ time | infinite }
receiving the key chain.
Example: Use the no accept-tolerance command to
Rasiecom(config- restore the default condition.
keychain)#accept-tolerance
100  time: tolerance time for receiving the key,
an integer, ranging from 1 to 14400, in
units of minute
valid.


1 Raisecom#show key-chain [ keychain- Show information about the
name [ key key-id ] ] key chain.

485
Raisecom
11.5 UDLD
11.5.1 Introduction
UniDirectional Link Detection (UDLD) is used to monitor configurations of the physical
connection by the fiber or Ethernet cable. When a unidirectional link (transmitting data in
only one direction) is present, UDLD can detect it, shut down the corresponding interface, and
send a Trap. The unidirectional link may cause various problems, such as the spanning tree
problems which may cause a loop.
Scenario
When a unidirectional link (transmitting data in only one direction) is present, UDLD can
detect the fault, shut down the corresponding interface, and send a Trap.
Prerequisite
Devices at both ends of the link should support UDLD.
11.5.3 Default configurations of UDLD

Default configurations of UDLD are as below.

UDLD Disable
11.5.4 Configuring UDLD

Configure UDLD for the ISCOM2600G series switch as below.

Example:
gigaethernet 1/1/1
3 Raisecom(config)#uldp { enable | Enable global UDLD or interface
disable } UDLD.
Raisecom(config-
 enable: enable UDLD.
gigaethernet1/1/*)#uldp { enable |
 disable: disable UDLD.
disable }
Example:
Raisecom(config)#uldp enable

486
Raisecom

4 Raisecom(config)#uldp recovery- (Optional) configure the recovery
time time time for the unidirectional link.
Example:
 time: recovery time, an integer,
Raisecom(config)#uldp recovery-
time 20 ranging from 15 to 86400, in
units of second


1 Raisecom#show uldp Show UDLD configurations.

487
Raisecom
ISCOM2600G (A) Series Configuration Guide (CLI) 12 System management
12 System management
This chapter describes basic principles and configuration procedures for system management
and maintenance, and provides related configuration examples, including the following
sections:
 SNMP
 RMON
 LLDP
 Optical module DDM
 System log
 Alarm management
 Hardware environment monitoring
 CPU monitoring
 Fan monitoring
 Cable diagnosis
 Memory monitoring
 PING
 Traceroute
 Performance statistics
12.1 SNMP
12.1.1 Introduction
Simple Network Management Protocol (SNMP) is designed by the Internet Engineering Task
Force (IETF) to resolve problems in managing network devices connected to the Internet.
Through SNMP, a network management system that can manage all network devices that
support SNMP, including monitoring network status, modifying configurations of a network
device, and receiving network alarms. SNMP is the most widely used network management
protocol in TCP/IP networks.

488
Raisecom
Principles
A SNMP system consists of two parts: Agent and the NView NNM system. The Agent and the
NView NNM system communicate through SNMP packets sent through UDP. Figure 12-1
shows the SNMP principle.
Figure 12-1 Principles of SNMP
The Raisecom NView NNM system can provide friendly Human Machine Interface (HMI) to
facilitate network management. The following functions can be implemented through it:
 Send request packets to the managed device.
 Receive reply packets and Trap packets from the managed device, and show result.
The Agent is a program installed on the managed device, implementing the following
functions:
 Receive/Reply request packets from the NView NNM system
 To read/write packets and generate replay packets according to the packets type, then
return the result to the NView NNM system
 Define trigger condition according to protocol modules, enter/exit system or restart the
ISCOM2600G series switch when conditions are satisfied; replying module sends Trap
packets to the NView NNM system through agent to report current status of the
An Agent can be configured with several versions, and different versions

communicate with different NMSs. But SNMP version of the NMS must be consistent
with that of the connected agent so that they can intercommunicate properly.
Version of protocol
Till now, SNMP has three versions: v1, v2c, and v3, described as below.
 SNMPv1 uses community name authentication mechanism. The community name, a
string defined by an agent, acts like a secret. The network management system can visit
the agent only by specifying its community name correctly. If the community name
carried in a SNMP packet is not accepted by the ISCOM2600G series switch, the packet
will be discarded.
 Compatible with SNMPv1, SNMPv2c also uses community name authentication
mechanism. SNMPv2c supports more operation types, data types, and errored codes, and
thus better identifying errors.

489
Raisecom
 SNMPv3 uses User-based Security Model (USM) authentication mechanism. You can
configure whether USM authentication is enabled and whether encryption is enabled to
provide higher security. USM authentication mechanism allows authenticated senders
and prevents unauthenticated senders. Encryption is used to encrypt packets transmitted
between the network management system and agents, thus preventing interception.
The ISCOM2600G series switch supports v1, v2c, and v3 of SNMP.
MIB
Management Information Base (MIB) is the collection of all objects managed by the NMS. It
defines attributes for the managed objects:
 Name
 Access right
 Data type
The device-related statistic contents can be reached by accessing data items. Each proxy has
its own MIB. MIB can be taken as an interface between NMS and Agent, through which NMS
can read/write every managed object in Agent to manage and monitor the ISCOM2600G
series switch.
MIB stores information in a tree structure, and its root is on the top, without name. Nodes of
the tree are the managed objects, which take a uniquely path starting from root (OID) for
identification. SNMP packets can access network devices by checking the nodes in MIB tree
directory.
The ISCOM2600G series switch supports standard MIB and Raisecom-customized MIB.
Scenario
To log in to the ISCOM2600G series switch through NMS, configure SNMP basic functions
for the ISCOM2600G series switch in advance.
Prerequisite
Configure the routing protocol and ensure that the route between the ISCOM2600G series
switch and NMS is reachable.
12.1.3 Default configurations of SNMP

Default configurations of SNMP are as below.

SNMP view system and internet views (default)
SNMP community public and private communities (default)
Index CommunityName ViewName Permission
1 public internet ro
2 private internet rw
SNMP access group initialnone and initial access groups (default)

490
Raisecom

SNMP user none, md5nopriv, shapriv, md5priv, and shanopriv
users (default)
Mapping relationship between Index GroupName UserName SecModel
SNMP user and access group -----------------------------------------------------------
0 initialnone none usm
1 initial md5priv usm
2 initial shapriv usm
3 initial md5nopriv usm
4 initial shanopriv usm
Logo and the contact method of support@Raisecom.com
the administrator
Device physical location world china raisecom
Trap Enable
SNMP target host address N/A
SNMP engine ID 800022B603000E5E000016
12.1.4 Configuring basic functions of SNMPv1/SNMPv2c

To protect itself and prevent its MIB from unauthorized access, the SNMP Agent proposes the
concept of community. Management stations in the same community must use the community
name in all Agent operations, or their requests will not be accepted.
The community name is used by different SNMP strings to identify different groups. Different
communities can have read-only or read-write access permission. Groups with read-only
permission can only query the device information, while groups with read-write access
permission can configure the ISCOM2600G series switch in addition to querying the device
information.
SNMPv1/SNMPv2c uses the community name authentication scheme, and the SNMP packets
of which the names are inconsistent to the community name will be discarded.
Configure basic functions of SNMPv1/SNMPv2c for the ISCOM2600G series switch as
below.


491
Raisecom

2 Raisecom(config (Optional) create SNMP view and configure MIB variable
)#snmp-server range.
view view-name
oid-tree The default view is internet view. The MIB variable range
[ mask ] contains all MIB variables below "1.3.6" node of MIB
{ excluded | tree.
included }  view-name: view name, up to 32 characters
[ confirm ]  oid-tree: MIB subtree OID corresponding to the view
Example:  mask: subtree OID mask. The mask is configured to 0 or
Raisecom(config 1. A maximum of 16 characters are supported, such as

)#snmp-server 1.1.1.1.0.1. If some bit configured set to 0, it indicates
view mib1 that the value of the MIB variable of a view may not be
1.3.6.1.2.1 identical to the one of the OID. If some bit is configured
1.1.1.1.0.1 to 1, it indicates that the value of the MIB variable of a
included view must be identical to the one of the OID. For
example, the OID of a MIB subtree in a view is set to
1.3.6.1.2.1. The mask is set to 1.1.1.1.0.1. The first four
bits and the last bit of the MIB variable must be
identical to the ones of the subtree, that is, 1.3.6.1.x.1.
The fifth x may be any number from 0 to 9. That is, the
MIB variable of this view may be set to 1.3.6.1.0.1,
1.3.6.1.1.1 …1.3.6.1.9.1. If you do not select this
parameter, the default mask is null.
 included: MIB variables of the view are included in the
subtree.
 excluded: MIB variables of the view are excluded from
the subtree.
3 Raisecom(config Create community name and configure the corresponding
)#snmp-server view and authority. Use default view internet if view
community view-name option is empty.
[ encryption ]
 encryption: encrypt data.
string [ view
 string: community name, a string of less than or equal to
view-name ]
{ ro | rw } 32 characters
 view view-name: MIB view name, a string of less than
Example:
Raisecom(config or equal to 32 characters. If you do not select this
)#snmp-server parameter, the default name of an accessible view is
community guest internet.
 ro: the community can only read data from the Agent.
view mib1 ro
 rw: the community can read data from and write data
into the Agent.
12.1.5 Configuring basic functions of SNMPv3

SNMPv3 uses USM over user authentication mechanism. USM comes up with the concept of
access group: one or more users correspond to one access group, each access group configures
the related read, write and announce view; users in access group have access permission in
this view. The user access group to send Get and Set request must have permission
corresponding to the request, otherwise the request will not be accepted.
As shown in Figure 12-2, the network management station uses the normal access from
SNMPv3 to switch and the configuration is as below.

492
Raisecom
 Configure users.
 Check the access group to which the user belongs.
 Configure view permission for access groups.
 Create views.
Figure 12-2 SNMPv3 authentication mechanism
Configure basic functions of SNMPv3 for the ISCOM2600G series switch as below.


493
Raisecom

2 Raisecom(config)#snmp- (Optional) create SNMP view and configure MIB
server view view-name variable range. The default view is internet view.
oid-tree [ mask ] The MIB variable range contains all MIB
{ excluded | variables below "1.3.6" node of MIB tree.
included } [ confirm ]
 view-name: view name, up to 32 characters
Example:
 oid-tree: MIB subtree OID corresponding to the
Raisecom(config)#snmp-
server view mib1 view
 mask: subtree OID mask. The mask is
1.3.6.1.2.1
1.1.1.1.0.1 included configured to 0 or 1. A maximum of 16
characters are supported, such as 1.1.1.1.0.1. If
some bit configured set to 0, it indicates that the
value of the MIB variable of a view may not be
identical to the one of the OID. If some bit is
configured to 1, it indicates that the value of the
MIB variable of a view must be identical to the
one of the OID. For example, the OID of a MIB
subtree in a view is set to 1.3.6.1.2.1. The mask
is set to 1.1.1.1.0.1. The first four bits and the
last bit of the MIB variable must be identical to
the ones of the subtree, that is, 1.3.6.1.x.1. The
fifth x may be any number from 0 to 9. That is,
the MIB variable of this view may be set to
1.3.6.1.0.1, 1.3.6.1.1.1 …1.3.6.1.9.1. If you do
not select this parameter, the default mask is
null.
 included: MIB variables of the view are
included in the subtree.

 excluded: MIB variables of the view are
excluded from the subtree.

3 Raisecom(config)#snmp- Create users and configure authentication modes.
server user user-name
 user-name: SNMP group name, up to 32
[ remote engine-id ]
authentication { md5 | characters
 remote: ID of the specified remote SNMP
sha } authpassword
[ privacy engine
 engine-id: SNMP engine ID related to a user
privacypassword ]
[ confirm ] name
 authentication: user authentication mode
Example:
 md5: configure the MD5 hash function for
server user user1 authentication.
 sha: configure the SHA-1 hash function for
authentication md5
raisecom authentication.
 authpassword: key, generated through
combination with the Hash function to

implement authentication
 privacy: encryption information
 privacypassword: encryption password

494
Raisecom

4 Raisecom(config)#snmp- (Optional) modify the authentication key and the
server user user-name encryption key.
[ remote engine-id ]
 user-name: SNMP group name, up to 32
authkey { md5 | sha }
authpassword [privkey characters
 remote: ID of the specified remote SNMP
privkeypassword ]
[ confirm ] engine
 engine-id: SNMP engine ID related to a user
Example:
Raisecom(config)#snmp- name
 md5: configure the MD5 hash function for
server user user1
authkey md5 raisecom authentication.
 sha: configure the SHA-1 hash function for
authentication.
 authpassword: key, generated through
combination with the Hash function to

implement authentication
 authkey: modify the user password.
 privkey: encryption key information
 privkeypassword: encryption key
5 Raisecom(config)#snmp- Create and configure the SNMPv3 access group.

server access group-
 group-name: SNMP group name, up to 32
name [ read view-
name ] [ write view- characters
 read: users in a SNMP group can only read data
name ] [ notify view-
name ] [ context from the Agent.
 write: users in a SNMP group can write data
context-name { exact |
prefix } ] usm into the Agent.
 notify: users in a SNMP group can use Trap.
{ authnopriv |
 view-name: view name, up to 32 characters
authpriv |
 context context-name: specify the context name
noauthnopriv }
[ confirm ] or prefix.
 exact: string and the context name match each
Example:
Raisecom(config)#snmp- other.
 prefix: string and the first characters of the
server access
guestgroup read mib2 context name match each other.
 usm: adopt the SNMPv3 security model.
usm authnopriv
 noauthnopriv: neither authenticate nor encrypt
SNMP packets. It is applicable to the SNMPv3

security model.
 authpriv: authenticate and encrypt SNMP
packets. It is applicable to the SNMPv3 security

model.
 authnopriv: authenticate but not encrypt SNMP
packets. It is applicable to the SNMPv3 security

model.
6 Raisecom(config)#snmp- Configure the mapping between users and the
server group group- access group.
name user user-name
 group-name: SNMP group name, up to 32
usm
Example: characters
 user-name: user name, up to 32 characters
 usm: adopt SNMPv3 security model, supporting
server group
guestgroup user authentication and encryption.
guestuser1 usm

495
Raisecom
12.1.6 Configuring IP address authentication by SNMP server

Configure IP address authentication by SNMP server for the ISCOM2600G series switch as
below.

2 Raisecom(config)#snmp-server Enable or disable IP address
server-auth { enable | authentication by the SNMP server.
disable }
 enable: enable IP address
Example:
Raisecom(config)#snmp-server authentication by the SNMP server.
 disable: disable IP address
server-auth enable
authentication by the SNMP server.
3 Raisecom(config)#snmp-server Configure the IP address of the SNMP
server-auth ip-address server for authentication.
Example:
 ip-address: IP address of the SNMP
Raisecom(config)#snmp-server
server-auth 192.168.1.100 server, in dotted decimal notation
4 Raisecom(config)#snmp-server Configure the IP ACL number for
access-list { ipv4-acl- SNMP.
number | ipv6-acl-number }
 ipv4-acl-number: IPv4 ACL number,
Example:
Raisecom(config)#snmp-server an integer, ranging from 1000 to 1999
access-list 1200  ipv6-acl-number: IPv6 ACL number,
12.1.7 Configuring other information about SNMP

Other information about SNMP includes:
 Logo and contact method of the administrator: used to identify and contact the
administrator
 Physical location of the device: device location
SNMPv1, SNMPv2c, and SNMPv3 support configuring this information.
Configure other information about SNMP for the ISCOM2600G series switch as below.

2 Raisecom(config)#snmp-server (Optional) configure the logo and contact
contact string method of the administrator.
Example:
 string: a string, such as Email.
contact service@raisecom.com
For example, configure the Email to

the logo and contact method of the
administrator.

496
Raisecom

3 Raisecom(config)#snmp-server (Optional) specify the physical location
location location-string of the device.
Example:
 location-string: location information
location raisecom
4 Raisecom(config)#snmp-agent (Optional) configure the source IP
source ip-address address of the response packets when the
Example: device walks the MIB.
Raisecom(config)#snmp-agent
source 10.3.3.3
12.1.8 Configuring Trap
Trap configurations on SNMPv1, SNMPv2c, and SNMPv3 are identical except for
Trap target host configurations. Configure Trap as required.
Trap is unrequested information sent by the ISCOM2600G series switch to the NMS
automatically, which is used to report some critical events.
Before configuring Trap, you need to perform the following configurations:
 Configure basic functions of SNMP. For SNMPv1/v2c, configure the community name;
for SNMPv3, configure the user name and SNMP view.
 Configure the routing protocol and ensure that the route between the ISCOM2600G
series switch and NMS is available.
Configure Trap of SNMP for the ISCOM2600G series switch as below.


497
Raisecom

2 Raisecom(config)#snmp-server (Optional) configure the SNMPv3 Trap
host { ip-address | ipv6- target host.
address } version 3
 ip-address: IP address of the destination
{ authnopriv | authpriv |
noauthnopriv } user-name host, in dotted decimal notation
 ipv6-address: IPv6 address of the
[ udpport port-id ]
Example: destination host, in colon hexadecimal
Raisecom(config)#snmp-server notation
 3: SNMPv3
host 10.0.0.1 version 3
 udpport: UDP port number of the
authnopriv raisecom
destination host for receiving traps. If
you do not select this parameter, the
default port number is configured to
162.
 port-id: port number, an integer, ranging
from 1 to 65535
 authnopriv: authenticate but not encrypt
SNMP packets.
 authpriv: authenticate and encrypt
SNMP packets, applied to the SNMPv3

security model.
 noauthnopriv: neither authenticate nor
encrypt SNMP packets

 user-name: community name. SNMPv3
uses the user name to authenticate

SNMP packets. If the user name of the
NMS is inconsistent with the one on the
Agent, the NMS cannot receive the trap.
3 Raisecom(config)#snmp-server (Optional) configure the
host { ip-address | ipv6- SNMPv1/SNMPv2c Trap target host.
address }version { 1 | 2c }
 ip-address: IP address of the destination
community-string [ udpport
port-id ] host, in dotted decimal notation
 ipv6-address: IPv6 address of the
Example:
Raisecom(config)#snmp-server destination host, in colon hexadecimal
host 10.2.2.2 version 2c notation
 1: SNMPv1
raisecom udpport 1
 2: SNMPv2
 community-string: community name.
SNMPv1 and SNMPv2c use the

community to authenticate SNMP
packets. If the community of the NMS is
inconsistent with the one on the Agent,
the NMS cannot receive the trap.
 udpport: UDP port number of the
destination host for receiving traps. If

you do not select this parameter, the
default port number is configured to
162.
 port-id: port number, an integer, ranging
from 1 to 65535

498
Raisecom

4 Raisecom(config)#snmp-server (Optional) enable the switch to send alarm
alarm-trap { enable traps| Traps to the NMS.
disable }
 enable: enable the switch to send alarm
Example:
Raisecom(config)#snmp-server Traps to the NMS.
 disable: disable the switch to send alarm
alarm-trap enable
Traps to the NMS.
5 Raisecom(config)#snmp-server Enable Trap sending.
enable traps
6 Raisecom(config)#snmp-server Specify the source interface for the switch
trap-source interface-type to send Traps.
interface-number
Example:
trap-source loopback 0
7 Raisecom(config)#snmp-server Configure the source IP address of SNMP
trap-source ip-address Trap packets.
Example:
trap-source 10.3.3.3 notation, such as 10.0.0.1
number
Example:
gigaethernet 1/1/1
9 Raisecom(config- Enable SNMP to generate Link Traps.
gigaethernet1/1/*)#snmp trap
link-status { enable | Use the disable form of this command to
disable } disable this function.
Example:  enable: disable SNMP to generate Link
Raisecom(config- Traps.
gigaethernet1/1/1)#snmp trap  disable: disable SNMP to generate Link
link-status enable Traps.


1 Raisecom#show Show SNMP access group configurations.
snmp access
2 Raisecom#show Show information about access and authentication of the
snmp access-list SNMP server.
3 Raisecom#show Show SNMP community configurations.
snmp community
4 Raisecom#show Show SNMP basic configurations, including the local
snmp config SNMP engine ID, logo and contact method of the
administrator, physical location of the device, and Trap
status.

499
Raisecom

5 Raisecom#show Show the mapping between SNMP users and the access
snmp group group.
6 Raisecom#show Show Trap target host information.
snmp host
7 Raisecom#show Show SNMP statistics.
snmp statistics
8 Raisecom#show Show SNMP user information.
snmp user
9 Raisecom#show Show SNMP view information.
snmp view
10 Raisecom#show Show SNMP server authentication configurations.
snmp server-auth
12.1.10 Example for configuring SNMPv1/SNMPv2c and Trap
As shown in Figure 12-3, the route between the NView NNM system and the ISCOM2600G
series switch is available. The NView NNM system can check the MIB under view
corresponding to the remote Switch by SNMPv1/SNMPv2c, and the ISCOM2600G series
switch can send Trap automatically to the NView NNM system in emergency.
By default, there is VLAN 1 on the ISCOM2600G series switch and all physical interfaces
belong to VLAN 1.
Figure 12-3 SNMPv1/SNMPv2c networking
Configuration steps
Step 1 Configure the IP address of the ISCOM2600G series switch.
Raisecom#config
Step 2 Configure SNMPv1/SNMPv2c views.

500
Raisecom
Raisecom(config)#snmp-server view mib2 1.3.6.1.2.1 included
Step 3 Configure SNMPv1/SNMPv2c community.
Raisecom(config)#snmp-server community raisecom view mib2 ro
Step 4 Configure Trap sending.
Raisecom(config)#snmp-server enable traps

Raisecom(config)#snmp-server host 20.0.0.221 version 2c raisecom
Checking results
Use the show ip interface brief command to show configurations of the IP address.
Raisecom#show ip interface brief

VRF IF Address NetMask
Catagory
-------------------------------------------------------------------------
------------------------------
Default-IP-Routing-Table fastethernet1/0/1 192.168.0.1
255.255.255.0 primary
Default-IP-Routing-Table vlan1 20.0.0.10
255.255.255.0 primary
Use the show snmp view command to show view configurations.
Raisecom#show snmp view

Index: 0
View Name: mib2
OID Tree: 1.3.6.1.2.1
Mask: 1.1.1.1.1.1.1.1
Type: included
Index: 1
View Name: system
OID Tree: 1.2.840.10006.300.43
Mask: --
Type: included
Index: 2
View Name: system
OID Tree: 1.3.6.1.2.1.1
Mask: --

501
Raisecom
Type: included
Index: 3
View Name: internet
OID Tree: 1.3.6
Mask: --
Type: included
Index: 4
View Name: internet
OID Tree: 1.2.840.10006.300.43
Mask: --
Type: included
Use the show snmp community command to show community configurations.
Raisecom#show snmp community

Index Community Name View Name Permission
------------------------------------------------------------
1 private internet rw
2 public internet ro
3 raisecom mib2 ro
Use the show snmp host command to show configurations of the target host.
Raisecom#show snmp host

Index: 0
IP family: IPv4
IP address: 20.0.0.221
Port: 162
User Name: raisecom
SNMP Version: v2c
Security Level: noauthnopriv
TagList: bridge config interface rmon snmp ospf
12.1.11 Example for configuring SNMPv3 and Trap
As shown in Figure 12-4, the route between the NView NNM system and ISCOM2600G
series switch is available, the NView NNM system monitors the Agent through SNMPv3, and
the ISCOM2600G series switch can send Trap automatically to the NView NNM system
when the Agent is in emergency.
By default, there is VLAN 1 on the ISCOM2600G series switch and all physical interfaces
belong to VLAN 1.

502
Raisecom
Figure 12-4 SNMPv3 and Trap networking
Configuration steps
Raisecom#config
Step 2 Configure SNMPv3 access.

Create access view mib2, including all MIB variables under 1.3.6.1.2.1.
Raisecom(config)#snmp-server view mib2 1.3.6.1.2.1 1.1.1.1.0.1 included
Create user guestuser1, and use md5 authentication algorithm. The password is raisecom.
Raisecom(config)#snmp-server user guestuser1 authentication md5 raisecom
Create a guest group access group. The security mode is usm, security level is authentication
without encryption, and readable view name is mib2.
Raisecom(config)#snmp-server access guestgroup read mib2 usm authnopriv
Configure the guestuser1 user to be mapped to the access group guestgroup.
Raisecom(config)#snmp-server group guestgroup user guestuser1 usm
Step 3 Configure Trap sending.
Raisecom(config)#snmp-server enable traps

Raisecom(config)#snmp-server host 20.0.0.221 version 3 authnopriv
guestuser1

503
Raisecom
Checking results
Use the show snmp access command to show configurations of the SNMP access group.
Raisecom#show snmp access

Index: 0
Group: initial
Security Model: usm
Security Level: authnopriv
Context Prefix: --
Context Match: exact
Read View: internet
Write View: internet
Notify View: internet
Index: 1
Group: guestgroup
Security Model: usm
Context Prefix: --
Read View: mib2
Write View: --
Index: 2
Group: initialnone
Security Model: usm
Security Level: noauthnopriv
Context Prefix: --
Read View: system
Write View: --
Use the show snmp group command to show mapping between users and access groups.
Raisecom#show snmp group

Index GroupName UserName SecModel
-----------------------------------------------------------
0 initialnone none usm
1 initial md5priv usm
2 initial shapriv usm
3 initial md5nopriv usm
4 initial shanopriv usm
5 guestgroup guestuser1 usm
Use the show snmp host command to show configurations of the Trap target host.

504
Raisecom
Raisecom#show snmp host

Index: 0
IP family: IPv4
IP address: 20.0.0.221
Port: 162
User Name: guestuser1
SNMP Version: v3
TagList: bridge config interface rmon snmp ospf
12.2 RMON
12.2.1 Introduction
Remote Network Monitoring (RMON) is a standard stipulated by Internet Engineering Task
Force (IETF) for network data monitoring through different network Agents and NMS.
RMON is achieved based on SNMP architecture, including the NView NNM system and the
Agent running on network devices. On the foundation of SNMP, increase the subnet flow,
statistics, and analysis used to achieve the monitoring to one segment and the whole network,
while SNMP only can monitor the partial information about a single device and it is difficult
for it to monitor one segment.
The RMON Agent is commonly referred to as the probe program. The RMON Probe can take
the communication subnet statistics and performance analysis. Whenever it finds network
failure, RMON Probe can report the NView NNM system, and describes the capture
information under unusual circumstances so that the NView NNM system does not need to
poll the device constantly. Compared with SNMP, RMON can monitor remote devices more
actively and more effectively, network administrators can track the network, segment or
device malfunction more quickly. This method reduces the data flows between the NView
NNM system and Agent, makes it possible to manage large networks simply and powerfully,
and makes up the limitations of SNMP in growing distributed Internet.
RMON Probe collects data in the following modes:
 Distributed RMON. The NMS obtains network management information and controls
network resources directly from RMON Probe through dedicated RMON Probe
collection data.
 Embedded RMON. Embed RMON Agent directly to network devices (such as switches)
to make them with RMON Probe function. The NMS will collect network management
information through the basic operation of SNMP and the exchange data information
about RMON Agent.
The Raisecom ISCOM2600G series switch is embedded with RMON. As shown in Figure 12-
5, the ISCOM2600G series switch implements RMON Agent function. Through this function,
the management station can obtain the overall flow, error statistics and performance statistics
about this segment connected to the managed network device interface so as to achieve the
monitoring to one segment.

505
Raisecom
Figure 12-5 RMON networking
RMON MIB can be divided into nine groups according to function. Currently, there are four
function groups achieved: statistics group, history group, alarm group, and event group.
 Statistic group: collect statistics on each interface, including receiving packets accounts
and size distribution statistics.
 History group: similar with statistic group, it only collects statistics in an assigned
detection period.
 Alarm group: monitor an assigned MIB object and configure upper threshold and lower
threshold in assigned interval, trigger an event if the monitor object receives threshold
value.
 Event group: cooperating with alarm group. When an alarm triggers an event, it records
the event, such as sending Trap, and writes the event into log.
Scenario
RMON helps monitor and account network traffics.
Compared with SNMP, RMON is a more high-efficient monitoring method. After you
specifying the alarm threshold, the ISCOM2600G series switch actively sends alarms when
the threshold is exceeded without obtaining variable information. This helps reduce traffic of
Central Office (CO) and managed devices and facilitates network management.
Prerequisite
The route between the ISCOM2600G series switch and the NView NNM system is reachable.
12.2.3 Default configurations of RMON

Default configurations of RMON are as below.

Statistics group Enabled on all interfaces
History group Disable
Alarm group N/A
Event group N/A

506
Raisecom
12.2.4 Configuring RMON statistics

RMON statistics is used to gather statistics on an interface, including the number of received
packets, undersized/oversized packets, collision, CRC and errors, discarded packets,
fragments, unicast packets, broadcast packets, multicast packets, and received packet size.
Configure RMON statistics for the ISCOM2600G series switch as below.

2 Raisecom(config)#rmon statistics Enable RMON statistics on an
interface-type interface-number interface and configure related
[ owner owner-name ] parameters.
Example:
Raisecom(config)#rmon statistics
gigaethernet 1/1/1 owner
 owner: description of the creator
raisecom
of the statistics group
 owner-name: description string
When using the no rmon statistics interface-type interface-number command to

disable RMON statistics on an interface, you cannot continue to obtain the interface
statistics, but the interface can still count data.
12.2.5 Configuring RMON historical statistics

Configure RMON historical statistics for the ISCOM2600G series switch as below.


507
Raisecom

2 Raisecom(config)#rmon Enable RMON historical statistics on an interface
history interface- and configure related parameters.
type interface-number
[ shortinterval
short-period ]
 shortinterval: short sampling interval. Collect the
[ longinterval long-
period ] [ buckets network status statistics every short period.
 short-period: short period, an integer, ranging
buckets-number ]
[ owner owner-name ] from 1 to 299, in units of second
 longinterval: long sampling interval. Collect the
Example:
Raisecom(config)#rmon network status statistics every long period.
 long-period: long period, an integer, ranging from
history gigaethernet
1/1/1 shortinterval 300 to 3600, in units of second
 buckets: history group data storage queue
60 buckets 50 owner
 buckets-number: queue size, an integer, ranging
raisecom
from 10 to 1000
 owner: description of the creator of the history
group
 owner-name: description string, a string of 1 to
127 characters
When you use the no rmon history interface-type interface-number command to

disable RMON historical statistics on an interface, the interface will not count data
and clear all historical data collected previously.
12.2.6 Configuring RMON alarm group

Configure one RMON alarm group instance (alarm-id) to monitor one MIB variable (mibvar).
When the value of monitoring data exceeds the defined threshold, an alarm event will
generate. Record the log to send Trap to network management station according to the
definition of alarm event.
The monitored MIB variable must be real, and the data value type is correct.
 If the configured variable does not exist or value type variable is incorrect, return error.
 In the successfully configured alarm, if the variable cannot be collected later, close the
alarm; reconfigure the alarm if you want to monitor the variable again.
By default, the triggered event number is 0; in other words, no event will be triggered. If the
number is not zero, and there is no corresponding configuration in event group, when the
control variable is abnormal, it cannot trigger the event successfully until the event is
established.
An alarm will be triggered as long as matching the condition when the upper or lower limit
for one of the events is configured in the event table. If there is no configuration for the upper
and lower limits related alarm event (rising-event-id, falling-event-id) in the event table, no
alarm will not be generated even alarm conditions are met.
Configure the RMON alarm group for the ISCOM2600G series switch as below.

508
Raisecom

2 Raisecom(config Add alarm instances to the RMON alarm group and
)#rmon alarm configure related parameters.
alarm-id mibvar
 alarm-id: alarm index, an integer, ranging from 1 to
[ interval
period ] 65535
 mibvar: MIB variables (MIB OIDs) that need to be
{ absolute |
delta } rising- remotely monitored.
 interval: sampling interval of MIB variables. It is used
threshold
rising-num to monitor MIB changes periodically. If you do not
[ rising- select this parameter, the default interval 2s will be
event ] used.
 period: interval, an integer, ranging from 2 to 3600, in
falling-
threshold units of second
 absolute: show the absolute change of MIB variables.
falling-num
[ falling- It is a method for generating alarms. Compare the
event ] [ owner changed MIB variable value to the configured
owner-name ] threshold, if the value is smaller than the minimum
Example: value or greater than the maximum value, an alarm
Raisecom(config will be generated.
 delta: show the relative change of MIB variables. It is
)#rmon alarm 1
1.3.6.1.2.1.2.2 a method for generating alarms. If the delta increases,
.1.20.1 compare the delta to the maximum value, if the delta is
interval 20 greater than the maximum value, an alarm will be
absolute generated. If the delta decreases, compare the delta to
rising- the minimum value, if the delta is greater than the
threshold 10000 minimum value, an alarm will be generated.
 rising-threshold: maximum threshold
1 falling-
 falling-threshold: minimum threshold
threshold 500 2
 rising-num Maximum value, an integer, ranging from 0
owner raisecom
to 2147483647
 falling-num: minimum value, an integer, ranging from
0 to 2147483647
 falling-event: number of the event triggered when the
value exceeds the minimum value, an integer, ranging

from 1 to 65535
 owner: description of the creator of the RMON alarm
 owner-name: description string
12.2.7 Configuring RMON event group

Configure the RMON event group for the ISCOM2600G series switch as below.


509
Raisecom

2 Raisecom(config Add events to the RMON event group and configure
)#rmon event processing modes of events.
event-id
 event-id: event number, an integer, ranging from 1 to
[ log ]
[ trap ] 65535
 log: write the event to the system log.
[ description
 trap: send a trap to the NView NNM.
string ]
 description: event descriptions
[ owner owner-
 string: description, a string of 1 to 127 characters
name ]
 owner: description of the event creator. If you do not
Example:
Raisecom(config select this parameter, the descriptions will be
)#rmon event 1 configured to monitor Event by default.
 owner-name: description string, a string of 1 to 127
trap owner
raisecom characters


1 Raisecom#show rmon Show RMON configurations.
2 Raisecom#show rmon alarms Show information about the RMON
alarm group.
3 Raisecom#show rmon events Show information about the RMON
event group.
4 Raisecom#show rmon statistics Show information about the RMON
[ interface-type interface- statistics group.
list]
5 Raisecom#show rmon latest Show RMON statistics in the last 5s or
statistics [ long | short ] 5min.
portlist interface-type
interface-number
6 Raisecom#show rmon history Show information about the RMON
interface-type interface-list history group.
12.2.9 Maintenance
Command Description
Raisecom(config)#clear rmon Clear all RMON configurations.

510
Raisecom
12.2.10 Example for configuring RMON alarm group
As shown in Figure 12-6, the ISCOM2600G series switch is the Agent, connected to terminal
through the Console interface, connected to remote NView NNM system through Internet.
Enable RMON statistics and gather performance statistic on GE 1/1/1. When packets received
on GE 1/1/1 exceeds the threshold in a period, logs are recorded and Trap is sent.
Figure 12-6 RMON networking
Configuration steps
Step 1 Create an event with index ID 1, used to record and send logs with description string High-
ifOutErrors. The owner of logs is system.
Raisecom#config
Raisecom(config)#rmon statistics gigaethernet 1/1/1
Raisecom(config)#rmon event 1 log description High-ifOutErrors owner
system
Step 2 Create an alarm item with index ID 10, used to monitor MIB variables 1.3.6.1.2.1.2.2.1.20.1
every 20s. If the variable increases by more than 15, the Trap alarm will be triggered. The
owner of alarm message is also system.
Raisecom(config)#rmon alarm 10 1.3.6.1.2.1.2.2.1.20.1 interval 20 delta

rising-threshold 15 1 falling-threshold 0 owner system
Checking results
Use the show rmon alarms command to check whether there is information about event
group events on the ISCOM2600G series switch.

511
Raisecom
Raisecom#show rmon alarms

Alarm group information:
Alarm 10 is active, owned by system
Monitors 1.3.6.1.2.1.2.2.1.20.1 every 20 seconds
Taking delta samples, last value was 0
Rising threshold is 15, assigned to event 1
Falling threshold is 0, assigned to event 0
On startup enable rising and falling alarm
Use the show rmon events command to check whether there is information about alarm
group on the ISCOM2600G series switch.
Raisecom#show rmon events

Event group information:
Event 1 is active, owned by system
Event description: High-ifOutErrors
Event generated at 0:0:0
Register log information when event is fired.
When an alarm event is triggered, you can also check related information in the alarm
management part of the NView NNM system.
12.3 LLDP
12.3.1 Introduction
With the enlargement of network scale and increase of network devices, the network topology
becomes more and more complex and network management becomes more important. A lot of
network management software adopts auto-detection function to trace changes of network
topology, but most of the software can only analyze the Layer 3 network and cannot ensure
the interfaces to be connected to other devices.
Link Layer Discovery Protocol (LLDP) is based on IEEE 802.1ab standard. The NMS can
fast grip the Layer 2 network topology and changes.
LLDP organizes the local device information in different Type Length Value (TLV) and
encapsulates in Link Layer Discovery Protocol Data Unit (LLDPDU) to transmit to straight-
connected neighbour. It also saves the information from neighbour as standard Management
Information Base (MIB) for the NMS querying and judging link communication.
LLDP packet
The LLDP packet is used to encapsulate LLDPDU Ethernet packet in data unit and
transmitted by multicast.
LLDPDU is the data unit of LLDP. The device encapsulates local information in TLV before
forming LLDPDU, then several TLV fit together in one LLDPDU and encapsulated in
Ethernet data for transmission.

512
Raisecom
As shown in Figure 12-7, LLDPDU is made by several TLV, including 4 mandatory TLV and
several optional TLV.
Figure 12-7 Structure of a LLDPDU
As shown in Figure 12-8, each TLV denotes a piece of information at local. For example, the
device ID and interface ID correspond with the Chassis ID TLV and Port ID TLV respectively,
which are fixed TLVs.
Figure 12-8 Structure of a TLV packet
Table 12-1 lists TLV types. At present only types 0–8 are used.
Table 12-1 TLV types

TLV type Description Optional/Required
0 End Of LLDPDU Required
1 Chassis ID Required
2 Interface number Required
3 Time To Live Required
4 Interface description Optional
5 System name Optional
6 System description Optional
7 System capabilities Optional
8 Management address Optional
Organization-defined TLVs are optional TLVs and are advertised in the LLDPDU as required.
Table 12-2 and Table 12-3 list common organization-defined TLVs.
Table 12-2 IEEE 802.1 organization-defined TLVs

Type Description
Port VLAN ID TLV VLAN ID on the interface
Port And Protocol VLAN ID TLV Protocol VLAN ID on the interface

513
Raisecom
Type Description
VLAN Name TLV VLAN name on the interface
Protocol Identity TLV Type of the protocol supported by the interface
Table 12-3 IEEE 802.3 organization-defined TLVs

Type Description
MAC/PHY Rate and duplex mode of the interface, whether auto-
Configuration//Status TLV negotiation is supported or enabled
Power Via MDI TLV Power supply capability on the interface
Link Aggregation TLV Link aggregation capability on the interface and current
link aggregation status
Maximum Frame Size TLV Size of the maximum frame able to be transmitted by the
interface
Principles
LLDP is a kind of point-to-point one-way issuance protocol, which notifies local device link
status to peer end by sending LLDPDU (or sending LLDPDU when link status changes)
periodically from the local end to the peer end.
The procedure of packet exchange:
 When the local device transmits packet, it gets system information required by TLV from
NView NNM (Network Node Management) and gets configurations from LLDP MIB to
generate TLV and form LLDPDU to transmit to peer.
 The peer receives LLDPDU and analyzes TLV information. If there is any change, the
information will be updated in neighbor MIB table of LLDP and notifies the NView
NNM system.
When the device status is changed, the ISCOM2600G series switch sends a LLDP packet to
the peer. To avoid sending LLDP packet continuously because of frequency change of device
status, you can configure a delay timer for sending the LLDP packet.
The aging time of Time To Live (TTL) in local device information about the neighbour node
can be adjusted by modifying the parameter values of aging coefficient, sends LLDP packets
to neighbour node, after receiving LLDP packets, neighbour node will adjust the aging time of
its neighbour nodes (sending side) information. Aging time formula, TTL = Min {65535,
(interval × hold-multiplier)}:
 Interval indicates the time period to send LLDP packets from neighbor node.
 Hold-multiplier refers to the aging coefficient of device information in neighbor node.

514
Raisecom
Scenario
When you obtain connection information between devices through NView NNM system for
topology discovery, the ISCOM2600G series switch needs to enable LLDP, notify their
information to the neighbours mutually, and store neighbour information to facilitate the
NView NNM system queries.
Prerequisite
N/A
12.3.3 Default configurations of LLDP

Default configurations of LLDP are as below.

Global LLDP Disable
LLDP interface status Enable
Delay timer 2s
Period timer 30s
Aging coefficient 4
Restart timer 2s
Alarm function Enable
Alarm notification timer 5s
Destination MAC address of LLDP packets 0180.c200.000e
12.3.4 Enabling global LLDP
After global LLDP is disabled, you cannot re-enable it immediately. Global LLDP
cannot be enabled unless the restart timer times out.
When you obtain connection information between devices through the NView NNM system
for topology discovery, the ISCOM2600G series switch needs to enable LLDP, sends their
information to the neighbours mutually, and stores neighbour information to facilitate query
by the NView NNM system.
Enable global LLDP for the ISCOM2600G series switch as below.


515
Raisecom

2 Raisecom(config)#lldp Enable or disable global LLDP.
 enable: enable global LLDP.
Example:
 disable: disable global LLDP.
Raisecom(config)#lldp enable
12.3.5 Enabling interface LLDP

Enable interface LLDP for the ISCOM2600G series switch as below.

3 Raisecom(config- Enable interface LLDP.
gigaethernet1/1/*)#lldp { enable |
 enable: enable interface LLDP.
disable }
 disable: disable interface
Example:
Raisecom(config- LLDP.
gigaethernet1/1/1)#lldp enable
12.3.6 Configuring basic functions of LLDP
When configuring the delay timer and period timer, the value of the delay timer
should be smaller than or equal to a quarter of the period timer value.
Configure basic functions of LLDP for the ISCOM2600G series switch as below.

2 Raisecom(config)#lldp message- (Optional) configure the period timer
transmission interval second of the LLDP packet.
Example:
 second: interval for sending LLDP
Raisecom(config)#lldp message-
transmission interval 50 packets, an integer, ranging from 5

516
Raisecom

3 Raisecom(config)#lldp message- (Optional) configure the delay timer
transmission delay second of the LLDP packet.
Example:
 second: delay time, an integer,
Raisecom(config)#lldp message-
transmission delay 5 ranging from 1 to 8192, in units of
second
4 Raisecom(config)#lldp message- (Optional) configure the aging
transmission hold-multiplier coefficient of the LLDP packet.
coefficient
 coefficient: neighbor aging
Example:
Raisecom(config)#lldp message- coefficient, an integer, ranging from
transmission hold-multiplier 2 to 10
10
5 Raisecom(config)#lldp restart- (Optional) restart the timer. When
delay second configuring the delay timer and
Example: period timer, the value of the delay
Raisecom(config)#lldp restart- timer should be smaller than or equal
delay 10 to a quarter of the period timer value.
 second: restart delay time, an
units of second
12.3.7 Configuring LLDP alarm

When the network changes, you need to enable LLDP alarm notification function to send
topology update alarm to the NView NNM system immediately.
Configure the LLDP alarm for the ISCOM2600G series switch as below.

2 Raisecom(config)#lldp (Optional) configure the period of the timer for
trap-interval second sending LLDP alarm Traps.
Example:
 second: LLDP trap interval, an integer, ranging
Raisecom(config)#lldp
trap-interval 10 from 5 to 3600, in units of second
12.3.8 Configuring TLV

Configure TLV for the ISCOM2600G series switch as below.


517
Raisecom

3 Raisecom(config- Configure the basic TLV allowed
gigaethernet1/1/*)#lldp tlv- to issue.
select basic-tlv { all | port-
 all: all basic TLV
description | system-capability |
 port-description: interface
system-name | system-
description } description TLV
 system-capability: system TLV
Example:
 system-name: device name TLV
Raisecom(config-
 system-description: System
gigaethernet1/1/1)#lldp tlv-
select basic-tlv system- description TLV
description
4 Raisecom(config- Configure the MED TLV allowed
gigaethernet1/1/*)#lldp tlv- to issue.
select med-tlv { all |
 all: all MED TLV, excluding
capability| inventory | network-
policy| location-id } { civic- location TLV
 capability: LLDP-MED TLV
address device-type country-code
 inventory: inventory TLV
civic-address-type ca-value |
 network-policy: network policy
elin-address tel-number }
Example: TLV
 location-id: location ID TLV
Raisecom(config-
gigaethernet1/1/1)#lldp tlv-  civic-address: the location ID
select med-tlv all format is an address.
 device-type: device type, an
integer, ranging from 0 to 2. The
value 0 indicates the DHCP
server, the value 1 indicates the
switch, and the value 2 indicates
the MED terminal.
 country-code: country code, a
string of 2 characters
 civic-address-type: address type,
an integer, ranging from 0 to
255
 ca-value: address value, a string
of 1 to 250 characters
 elin-address: the position ID
format is an emergency
telephone number.
 tel-number: emergency
telephone number, 10–25 digits

518
Raisecom

5 Raisecom(config- Enable 802.1 TLV type allowed to
gigaethernet1/1/*)#lldp tlv- issue.
select dot1-tlv { all | port-
 all: all 802.1 TLV
vlan-id | vlan-name [ vlan-id ] }
 port-vlan-id: interface VLAN ID
Example:
Raisecom(config- TLV
 vlan-name: VLAN name TLV
select dot1-tlv port-vlan-id
6 Raisecom(config- Enable 802.3 TLV type allowed to
gigaethernet1/1/*)#lldp tlv- be issued.
select dot3-tlv { all | link-
 all: all TLV defined by the IEEE
aggregation | mac-physic | max-
frame-size | power } 802.3
 link-aggregation: advertise Link
Example:
Raisecom(config- Aggregation TLV.
 mac-physic: advertise
select dot3-tlv link-aggregation MAC/PHY Configuration/Status
TLV.
 max-frame-size: advertise
Maximum Frame Size TLV.

 power: advertise Power Via
MDI TLV.


1 Raisecom#show lldp local Show LLDP local configurations.
config
2 Raisecom#show lldp local Show information about the LLDP
system-data [ interface-type local system.
interface-number ]
3 Raisecom#show lldp remote Show information about the LLDP
[ interface-type interface- neighbor.
number ] [ detail ]
4 Raisecom#show lldp statistic Show statistics about LLDP packets.
number ]
5 Raisecom#show lldp tlv-select Show information about the optional
[ interface-type interface- TLV sent by the interface.
number ]
12.3.10 Maintenance

519
Raisecom
Command Description
Raisecom(config)#clear lldp statistic Clear LLDP statistics.
Example:
Raisecom(config)#clear lldp statistic
gigaethernet 1/1/1
Raisecom(config)#clear lldp remote-table Clear LLDP neighbor
[ interface-type interface-number ] information.
Example:
Raisecom(config)#clear lldp remote-table
gigaethernet 1/1/1
Raisecom(config)#clear lldp global Clear global LLDP statistics.
statistic
12.3.11 Example for configuring LLDP
As shown in Figure 12-9, the Switch is connected to the NView NNM system; enable LLDP
between Switch A and Switch B, query Layer 2 link change through the NView NNM system.
The neighbor aging, new neighbor and neighbor information changes will be reported as
LLDP alarms to the NView NNM system.
Figure 12-9 LLDP networking
Configuration steps
Step 1 Enable global LLDP and LLDP alarm.
Configure Switch A.

520
Raisecom
SwitchA#config
SwitchA(config)#lldp enable
Configure Switch B.
SwitchB#config
SwitchB(config)#lldp enable
Step 2 Configure the management IP address.

Configure Switch A.
SwitchA(config)#create vlan 1024 active

SwitchA(config)#interface vlan 1024
SwitchA(config-vlan1024)#ip address 10.10.10.1 255.255.255.0
SwitchA(config-vlan1024)#exit
Configure Switch B.
SwitchB(config)#create vlan 1024 active

SwitchB(config)#interface vlan 1024
SwitchB(config-vlan1024)#ip address 10.10.10.2 255.255.255.0
SwitchB(config-vlan1024)#exit
Step 3 Configure LLDP attributes.

Configure Switch A.
SwitchA(config)#lldp message-transmission interval 60

SwitchA(config)#lldp message-transmission delay 9
SwitchA(config)#lldp trap-interval 10
Configure Switch B.
SwitchB(config)#lldp message-transmission interval 60

SwitchB(config)#lldp message-transmission delay 9
521
Raisecom
SwitchB(config)#lldp trap-interval 10
Checking results
Use the show lldp local config command to show local configurations.
SwitchA#show lldp local config

System configuration:
------------------------------------------------------------------
LLDP enable status: enable (default is disabled)
LldpMsgTxInterval: 60 (default is 30s)
LldpMsgTxHoldMultiplier: 4 (default is 4)
LldpReinitDelay: 2 (default is 2s)
LldpTxDelay: 9 (default is 2s)
LldpNotificationInterval: 10 (default is 5s)
LldpNotificationEnable: enable (default is enabled)
------------------------------------------------------------------
Port Status Packet destination-mac
--------------------------------------------------------
GE1/1/1 enable 0180.C200.010e
GE1/1/2 enable 0180.C200.010e
GE1/1/3 enable 0180.C200.010e
GE1/1/4 enable 0180.C200.010e
GE1/1/5 enable 0180.C200.010e
GE1/1/6 enable 0180.C200.010e
……
SwitchB#show lldp local config
System configuration:
------------------------------------------------------------------
LLDP enable status: enable (default is disabled)
LldpMsgTxInterval: 60 (default is 30s)
LldpMsgTxHoldMultiplier: 4 (default is 4)
LldpReinitDelay: 2 (default is 2s)
LldpTxDelay: 9 (default is 2s)
LldpNotificationInterval: 10 (default is 5s)
LldpNotificationEnable: enable (default is enabled)
------------------------------------------------------------------
Port Status Packet destination-mac
--------------------------------------------------------
GE1/1/1 enable 0180.C200.000E
GE1/1/2 enable 0180.C200.000E
GE1/1/3 enable 0180.C200.000E
GE1/1/4 enable 0180.C200.000E
GE1/1/5 enable 0180.C200.000E
GE1/1/6 enable 0180.C200.000E
……
Use the show lldp remote command to show neighbor information.
SwitchA#show lldp remote

522
Raisecom
Port ChassisId PortId SysName MgtAddress ExpiredTime

-------------------------------------------------------------------------
gigaethernet1/1/1 000E.5E02.B010 gigaethernet1/1/1 SwitchB
10.10.10.2 106
……
SwitchB#show lldp remote
Port ChassisId PortId SysName MgtAddress ExpiredTime
-------------------------------------------------------------------------
gigaethernet1/1/1 000E.5E12.F120 gigaethernet1/1/1 SwitchA
10.10.10.1 106
……
12.4 Optical module DDM

12.4.1 Introduction
Optical module Digital Diagnostics Monitoring (DDM) on the ISCOM2600G series switch
supports Small Form-factor Pluggable (SFP) and 10GE SFP+ diagnosis.
The fault diagnostics function of SFP provides the system a performance monitor method.
The network administrator analysis the monitor data provided by SFP to predict the age of
transceiver, isolate system fault and authenticate modules compatibility during installation.
The performance parameters of optical module which are monitored by optical module DDM
are as below:
 Modular temperature
 Inner power voltage
 Tx offset current
 Tx optical power
 Rx optical power
When the performance parameters reach alarm threshold or status information changes, the
corresponding Trap alarm will be generated.
Scenario
Fault diagnostics f optical modules provide a method for detecting SFP performance
parameters. You can predict the service life of optical module, isolate system fault and check
its compatibility during installation through analyzing monitoring data.
Prerequisite
The optical module used on the ISCOM2600G series switch should be a Raisecom-certified
one. If you use an optical module of other vendors, problems of unstable services, failure in
supporting DDM, or incorrect DDM information will happen.

523
Raisecom
12.4.3 Default configurations of optical module DDM

Default configurations of optical module DDM are as below.

Global optical module DDM Disable
Interface optical module DDM Disable
Global optical DDM Trap Disable
Interface optical DDM Trap Disable
12.4.4 Enabling optical module DDM

Enable optical module DDM for the ISCOM2600G series switch as below.

2 Raisecom(config)#trans Enable or disable optical module DDM.
ceiver ddm { enable |
 enable: enable optical module DDM.
disable }
 disable: disable optical module DDM.
Example:
Raisecom(config)#trans
ceiver ddm enable
3 Raisecom(config)#trans Configure the polling interval for optical module
ceiver ddm poll- DDM.
interval interval
 interval: polling interval, an integer, ranging
Raisecom(config)#trans
ceiver ddm poll- from 5 to 300, in units of second
interval 30
face interface-type
interface-number
Example:
face gigaethernet
1/1/1
4 Raisecom(config- Enable interface optical module DDM.
gigaethernet1/1/*)#tra
nsceiver ddm { enable Only when global optical DDM is enabled, the
| disable } optical module, where interface optical module
Example: DDM is enabled, can the ISCOM2600G series
Raisecom(config- switch perform DDM.
gigaethernet1/1/1)#tra  enable: enable optical module DDM.
nsceiver ddm enable  disable: disable optical module DDM.
12.4.5 Enabling optical module DDM Trap

Enable optical module DDM Trap for the ISCOM2600G series switch as below.
524
Raisecom

2 Raisecom(config)#snmp- Enable global optical module DDM Trap.
server trap transceiver
 enable: enable global optical module DDM
Example: trap. When the system detects abnormal
Raisecom(config)#snmp- parameters, it generates a trap.
 disable: disable global optical module DDM
server trap transceiver
disable trap.
ce interface-type
interface-number
Example:
4 Raisecom(config- Enable interface optical module DDM Trap.
gigaethernet1/1/*)#trans
ceiver trap { enable |
Only when global optical DDM Trap is
disable } enabled, the optical module, where interface
Example: optical module DDM Trap is enabled, can the
Raisecom(config- ISCOM2600G series switch send Traps.
gigaethernet1/1/1)#trans  enable: enable interface optical module
ceiver trap enable DDM trap. When the system detects
abnormal parameters, it generates a trap.
 disable: disable interface optical module
DDM trap.


1 Raisecom#show transceiver Show global optical module DDM and
interface optical module DDM
configurations.
2 Raisecom#show transceiver Show optical module DDM performance
ddm interface-type parameters.
interface-list [ detail ]
3 Raisecom#show transceiver Show historical information about optical
interface-type interface- module DDM.
list history [ 15m | 24h ]
4 Raisecom#show transceiver Show basic information about the optical
information interface-type module.
interface-list
5 Raisecom#show transceiver Show the information when the optical
threshold-violations module parameters exceed the thresholds.
list
6 Raisecom#show transceiver Show brief information about optical
ddm brief module DDM.

525
Raisecom
12.5 System log

12.5.1 Introduction
The system log refers that the ISCOM2600G series switch records the system information and
debugging information in a log and sends the log to the specified destination. When the
ISCOM2600G series switch fails to work, you can check and locate the fault easily.
The system information and some scheduling output will be sent to the system log to deal
with. According to the configuration, the system will send the log to various destinations. The
destinations that receive the system log are divided into:
 Console: send the log message to the local console through Console interface.
 Host: send the log message to the host.
 Monitor: send the log message to the monitor, such as Telnet terminal.
 File: send the log message to the Flash of the device.
 Buffer: send the log message to the buffer.
 SNMP server: convert logs to Trap and then outputs Trap to the SNMP server.
According to the severity level, the log is identified by 8 severity levels, as listed in Table 12-
4.
Table 12-4 Log levels

Severity Level Description
Emergency 0 The system cannot be used.
Alert 1 Need to deal immediately.
Critical 2 Serious status
Error 3 Errored status
Warning 4 Warning status
Notice 5 Normal but important status
Informational 6 Informational event
Debug 7 Debugging information
The severity of output information can be manually configured. When you send
information according to the configured severity, you can just send the information
whose severity is less than or equal to that of the configured information. For
example, when the information is configured with the level 3 (or the severity is errors),
the information whose level ranges from 0 to 3, in other words, the severity ranges
from emergencies to errors, can be sent.

526
Raisecom
Scenario
The ISCOM2600G series switch generates the login successes or failures, key information,
debugging information, and error information to system log, outputs them as log files, and
sends them to the logging host, Console interface, or control console to facilitate checking and
locating faults.
Prerequisite
N/A
12.5.3 Default configurations of system log

Default configurations of system log are as below.

System log Enable
Output log information to Console Enable, the default level is information (6).
Output log information to host N/A, the default level is information (6).
Output log information to file Enable, the default level is debugging (7).
Output log information to monitor Disable, the default level is information (6).
Output log information to buffer Disable, the default level is information (6).
Log Debug level Low
Output log information to history list Disable
Log history list size 1
Transfer log to Trap Disable. The default level is warning (4).
Log buffer size 4 Kbytes
Transmitting rate of system log No limit
 Debug: no timestamp to debug level (7)
Timestamp of system log information
Syslog information.
 Log: The timestamp to 0–6 levels Syslog
information is absolute time.
12.5.4 Configuring basic information of system log

Configure basic information of system log for the ISCOM2600G series switch as below.


527
Raisecom

2 Raisecom(config)#l (Optional) enable system log.
ogging on
3 Raisecom(config)#l (Optional) configure timestamp for system log.
ogging time-stamp
 debug: configure the timestamp for level 7 logs.
{ debug | log }
 log: configure the timestamp for level 0¬6 logs.
{ datetime | none
 datetime: the timestamp is an absolute time, a
| uptime }
Example: time point, namely, the system time.
 uptime: the timestamp is a relative time, a period,
Raisecom(config)#l
ogging time-stamp name, the period after the device is started.
 none: there is no timestamp.
log uptime
4 Raisecom(config)#l (Optional) configure transmitting rate of system
ogging rate-limit log.
log-num
 log-num: number of logs processed per second,
Example:
Raisecom(config)#l an integer, ranging from 1 to 10000
ogging rate-limit
100
5 Raisecom(config)#l (Optional) configure sequence of system log.
ogging sequence-
number
The sequence number only applies to the console,
monitor, log file, and log buffer, but not log host
and history list.
6 Raisecom(config)#l (Optional) create and configure system log filter.
ogging
discriminator The filter can filter output log from the console,
discriminator- monitor, log file and log buffer.
number { facility  distriminator-number: discriminator number, an
| mnemonics | msg- integer, ranging from 1 to 5
body } { { drops |  facility: filter a log based on its module name.
includes } key |  mnemonics: filter a log based on its name.
none }  msg-body: filter a log based on its body text.
Example:  drops: discard logs that contain keywords and
Raisecom(config)#l allow logs that do not contain keywords.

ogging  includes: drop logs that do not contain keywords
discriminator 1 and allow logs that contain keywords.

mnemonics drops  none: do not filter selected fields.
test  key: keyword, a string of characters

– facility: the length of the key ranges from 1 to
20 characters.
– mnemonics: the length of the key ranges from
1 to 30 characters.
– msg-body: the length of the key ranges from 1
to 64 characters.
– Logs that contain these keywords will be
selected as filtering objects.

7 Raisecom(config)#l (Optional) configure sending Debug-level logs.
ogging buginf
 high: send debugging information of the highest
[ high | normal |
low | none ] level only.
 normal: send debugging information of normal
Example:
Raisecom(config)#l and higher levels.
 low: send all debugging information.
ogging buginf high
 none: do not send debugging information.

528
Raisecom
12.5.5 Configuring system log output

Configure system log output for the ISCOM2600G series switch as below.

1 Raisecom#conf Enter global configuration mode.
ig
2 Raisecom(conf (Optional) output system logs to the console.
ig)#logging
 log-level: severity level of logs, an integer ranging from 0
console
[ log-level | to 7. It has the same function with the following 8
alerts | parameters. The difference is that severity level is shown
critical | in number, but the following 8 parameters are shown in
debugging | characters.
 emergencies: level 0, emergency. The system cannot be
emergencies |
errors | used and need to be restarted.
 alerts: level 1, alert. Must take actions immediately.
informational
 critical: level 2, critical. Must take actions or analyze
|
notifications reasons.
 errors: level 3, error. Do not affect serviced but need
| warnings |
discriminator attention.
 warnings: level 4, warning. May cause service fault and
discriminator
-number ] need attention.
 notifications: level 5, normal. Provide key operation
Example:
Raisecom(conf information when the device works properly.
 informational: level 6, notification event. Provide general
ig)#logging
console operation information when the device works properly.
 debugging: level 7, debugging information. Provide
errors
general operation information when the device works
properly. Need no attention.
 distriminator: establish a connection with the
discriminator. Output discriminated logs to the log history

table.
 distriminator-number: discriminator number, an integer,
ranging from 1 to 5

529
Raisecom

3 Raisecom(conf (Optional) output system logs to the log host.
ig)#logging
host [ dport Up to 10 log hosts are supported.
port-number ]  ip-address: IP address of the log host, in dotted decimal
{ ip-address notation
| ipv6-  ipv6-address: IPv6 address of the log host, in colon
address } hexadecimal notation

[ log-level |  log-level: severity level of logs, an integer ranging from 0
alerts | to 7. It has the same function with the following 8

critical | parameters. The difference is that severity level is shown
debugging | in number, but the following 8 parameters are shown in
emergencies | characters.
errors |  emergencies: level 0, emergency. The system cannot be
informational used and need to be restarted.

|  alerts: level 1, alert. Must take actions immediately.
notifications  critical: level 2, critical. Must take actions or analyze
| warnings | reasons.
discriminator  errors: level 3, error. Do not affect serviced but need
-number ]  warnings: level 4, warning. May cause service fault and
Example: need attention.
Raisecom(conf  notifications: level 5, normal. Provide key operation
ig)#logging information when the device works properly.
host 10.0.0.1  informational: level 6, notification event. Provide general
alerts operation information when the device works properly.


table.
ranging from 1 to 5

530
Raisecom

Raisecom(conf Configure the facility field of the log to be sent to the log
ig)#logging host.
[ host { ip-
address | Configuration may fail if you do not create the log host.
ipv6- This configuration is available for all log hosts configured
address } ] on the ISCOM2600G series switch.
facility  host ip-address: IP address of the host, in dotted decimal
{ alert | notion
audit | auth  ipv6-address: IPv6 address of the log host, in colon
| clock | hexadecimal notation
cron | daemon  alert: logs generated by system alarms
| ftp | kern  audit: logs generated when audited
| local0 |  auth: logs generated when authenticated
local1 |  clock: information about clock management process
local2 |  cron: cron/at tool information
local3 |  daemon: information about system guard process
local4 |  ftp: information about FTP process
local5 |  kern: logs generated by kernel
local6 |  local0-7: locally-generated logs
local7 | lpr  lpr: logs generated by Line Printer system
| mail | news  mail: logs generated by mail system
| ntp |  news: logs generated by USENET network news system
security |  ntp: logs generated by network time sub-system
syslog | user  security: logs generated when authorized
| uucp }  syslog: logs generated by system log
Example:  user: logs generated by user process
Raisecom(conf  uucp: UUCP system information
ig)#logging
facility auth

531
Raisecom

4 Raisecom(conf (Optional) output system logs to the monitor.
ig)#logging
monitor
emergencies |
informational
|
| warnings |
discriminator
Example:
ig)#logging
monitor operation information when the device works properly.
warnings

table.
ranging from 1 to 5
5 Raisecom(conf (Optional) output system logs to the Flash of the
ig)#logging ISCOM2600G series switch.
file
[ discriminat Only warning-level logs are available.
or  distriminator: establish a connection with the
discriminator discriminator. Output discriminated logs to the log history
-number ] table.
Example:  distriminator-number: discriminator number, an integer,
Raisecom(conf ranging from 1 to 5

ig)#logging
file

532
Raisecom

6 Raisecom(conf (Optional) output system logs to the buffer.
ig)#logging
buffered
emergencies |
informational
|
| warnings |
discriminator
Example:
ig)#logging
buffered operation information when the device works properly.
errors

table.
ranging from 1 to 5
Raisecom(conf (Optional) configure the system log buffer size.
ig)#logging
 size: buffer size, an integer, ranging from 4 to 256, in
buffered size
size units of Kbyte
Example:
Raisecom(conf
ig)#logging
buffered size
10
7 Raisecom(conf (Optional) output system logs to the log history list.
ig)#logging
history
The level of the output logs is the one of the translated
Trap.
Raisecom(conf (Optional) configure the log history list size.
ig)#logging
 size: log history size, an integer, ranging from 1 to 500
history size
size
Example:
Raisecom(conf
ig)#logging
history size
100

533
Raisecom

Raisecom(conf (Optional) enable translating specified logs in the history
ig)#logging list to Traps.
trap [ log-
level | Configurations may fail if the system logs are not output to
alerts | the log history list.
critical |  log-level: severity level of logs, an integer ranging from 0
debugging | to 7. It has the same function with the following 8
emergencies | parameters. The difference is that severity level is shown
errors | in number, but the following 8 parameters are shown in
informational characters.
|  emergencies: level 0, emergency. The system cannot be
notifications used and need to be restarted.

| warnings |  alerts: level 1, alert. Must take actions immediately.
distriminator  critical: level 2, critical. Must take actions or analyze
distriminator reasons.
-number ]  errors: level 3, error. Do not affect serviced but need
Example: attention.
Raisecom(conf  warnings: level 4, warning. May cause service fault and
ig)#logging need attention.
trap errors  notifications: level 5, normal. Provide key operation
information when the device works properly.

operation information when the device works properly.



table.
ranging from 1 to 5


1 Raisecom#show logging Show configurations of system log.
2 Raisecom#show logging Show information about the system log buffer.
buffer
3 Raisecom#show logging Show filter information.
discriminator
4 Raisecom#show logging Show contents of system log. The device
file supports this configuration at millisecond level.
5 Raisecom#show logging Show information about the system log history
history list.

534
Raisecom
12.5.7 Maintenance
Command Description
Raisecom(config)#clear logging buffer Clear log information in the buffer.
Raisecom(config)#clear logging Clear log statistics.
statistics
12.5.8 Example for configuring outputting system logs to log host
As shown in Figure 12-10, configure system log, and output device log information to log
host for user to check.
Figure 12-10 Networking of outputting system log to log host
Configuration steps
Raisecom#config
Step 2 Configure the system log to be output to the log host.
Raisecom(config)#logging on
Raisecom(config)#logging time-stamp log datetime
Raisecom(config)#logging rate-limit 2
Raisecom(config)#logging host 20.0.0.168 warnings
Checking results
Use the show logging command to show configurations of system log.

535
Raisecom
Raisecom#show logging
Syslog logging: enable
Dropped Log messages: 0
Dropped debug messages: 0
Rate-limited: 2 messages per second
Squence number display: disable
Debug level time stamp: none
Log level time stamp: datetime
Log buffer size: 4kB
Debug level: low
Syslog history logging: disable
Syslog history table size:1
Dest Status Level LoggedMsgs DroppedMsgs Discriminator
-------------------------------------------------------------------------
---
buffer enable informational(6) 10 0 0
console enable informational(6) 10 0 0
trap disable warnings(4) 0 0 0
file enable debugging(7) 17 0 0
Log host information:
Max number of log server: 10
Current log server number: 1
Target Address Level Facility Sent Drop
Discriminator
-------------------------------------------------------------------------
--------------
20.0.0.168 warnings(4) local7 0 0 0
12.6 Alarm management

12.6.1 Introduction
Alarm means when a fault is generated on the ISCOM2600G series switch or some working
condition changes, the system will generate alarm according to different faults.
Alarm information is used to report some urgent and important events and notify them to the
network administrator promptly, which provides strong support for monitoring device
operation and diagnosing faults.
Alarm information is stored in the alarm buffer. Meanwhile, the alarm is generated to log
information. If a Network Management System (NMS), the alarm will be sent to the NMS
through SNMP. The information sent to the NMS is called Trap information.
Alarm classification
Alarms can be divided into three types according to properties:
 Fault alarm: refer to alarms for some hardware fault or some abnormal important
functions, such as port Down alarm;
 Recovery alarm: refer to alarms that are generated when device failure or abnormal
function returns to normal, such as port Up alarm;

536
Raisecom
 Event alarm: refer to prompted alarms or alarms that are generated because of failure in
relating the fault to the recovery, such as alarms generated by failing to ping.
Alarms can be divided into five types according to functions:
 Communication alarm: refer to alarms related to the processing of information
transmission, including alarms that are generated by communication fault between
Network Elements (NE), NEs and NMS, or NMS and NMS.
 Service quality alarm: refer to alarms caused by service quality degradation, including
congestion, performance decline, high resource utilization rate, and the bandwidth
reducing.
 Processing errored alarm: refer to alarms caused by software or processing errors,
including software errors, memory overflow, version mismatching, and the abnormal
program aborts.
 Environmental alarm: refer to alarms caused by equipment location-related problems,
including the environment temperature, humidity, ventilation and other abnormal
working conditions.
 Device alarm: refer to alarms caused by failure of physical resources, including power,
fan, processor, clock, Rx/Tx interfaces, and other hardware.
Alarm output
There are three alarm output modes:
 Alarm buffer: alarm is recorded in tabular form, including the current alarm table and
history alarm table.
− Current alarm table, recording alarm which is not cleared, acknowledged or restored.
− History alarm table, consisting of acknowledged and restored alarm, recording the
cleared, auto-restored or manually acknowledged alarm.
 Log: alarm is generated to system log when recorded in the alarm buffer, and stored in
the alarm log buffer.
 Trap information: alarm sent to NMS when the NMS is configured.
Alarm will be broadcasted according to various terminals configured by the ISCOM2600G
series switch, including CLI terminal and NMS.
Log output of alarm starts with the symbol "#", and the output format is as below:
#Index TimeStamp HostName ModuleName/Severity/name:Arise From Description.
Table 12-5 describes alarm fields.
Table 12-5 Alarm fields

Field Description
TimeStamp Time when an alarm is generated
ModuleName Name for a module where alarms are generated
Severity Alarm level

537
Raisecom
Field Description
Arise From Description Descriptions about an alarm
Alarm levels
The alarm level is used to identify the severity degree of an alarm. The level is defined in
Table 12-6.
Table 12-6 Alarm levels

Level Description Syslog
Critical (3) This alarm has affected system services and 1 (Alert)
requires immediate troubleshooting. Restore the
device or source immediately if they are
completely unavailable, even it is not during
working time.
Major (4) This alarm has affected the service quality and 2 (Critical)
requires immediate troubleshooting. Restore the
device or source service quality if they decline; or
take measures immediately during working hours
to restore all performances.
Minor (5) This alarm has not influenced the existing service 3 (Error)
yet, which needs further observation and take
measures at appropriate time to avoid more serious
fault.
Warning (6) This alarm will not affect the current service, but 4 (Warning)
maybe the potential error will affect the service, so
it can be considered as needing to take measures.
Indeterminate (2) Uncertain alarm level, usually the event alarm. 5 (Notice)
Cleared (1) This alarm shows to clear one or more reported 5 (Notice)
alarms.
Related concepts
Related concepts about alarm management are displayed as below:
 Alarm suppression
The ISCOM2600G series switch only records root-cause alarms but incidental alarms when
enabling alarm suppression. For example, the generation of alarm A will inevitably produce
alarm B which is in the inhibition list of alarm A, then alarm B is inhibited and does not
appear in alarm buffer and record the log information when enabling alarm suppression. By
enabling alarm suppression, the ISCOM2600G series switch can effectively reduce the
number of alarms.

538
Raisecom
Alarm A and alarm B will be recorded on the ISCOM2600G series switch and reported to the
NMS when alarm suppression is disabled.
 Alarm auto-report
Auto-report refers that an alarm will be reported to NMS automatically with its generation
and you do not need to initiate inquiries or synchronization.
You can configure auto-report to some alarm, some alarm source, or the specified alarm from
specified alarm source.
The alarm source refers to an entity that generates related alarms, such as ports,
devices, and cards.
 Alarm monitoring
Alarm monitoring is used to process alarms generated by modules:
− When the alarm monitoring is enabled, the alarm module will receive alarms
generated by modules, and process them according to the configurations of the alarm
module, such as recording alarm in alarm buffer, or recording system logs.
− When the alarm monitoring is disabled, the alarm module will discard alarms
generated by modules without follow-up treatment. In addition, alarms will not be
recorded on the ISCOM2600G series switch.
You can perform the alarm monitoring on some alarm, alarm source or specified alarm on
from specified alarm source.
 Alarm reverse mode
Alarm reverse refers to the device will report the information opposite to actual status when
recording alarm, or report the alarm when there is no alarm. Alarms are not reported if there
are alarms.
Currently, the device is only in support of reverse mode configuration of the interface. There
are three reverse modes to be configure; the specific definitions are as below:
− Non-reverse mode
The device alarm is reported normally.
− Manual reverse mode
Configure the alarm reverse mode of an interface as manual reverse mode. In this mode, no
matter what the current alarm status is, the reported alarm status of the interface will be
changed opposite to the actual alarm status immediately; in other words, alarms are not
reported when there are alarms, and alarms are reported when there are no alarms actually.
The interface will maintain the opposite alarm status regardless of the alarm status changes
before the alarm reverse status being restored to non-reverse mode.
− Auto-reverse mode
Configure the alarm reverse mode as auto-reverse mode. If no reversible alarm is on the
interface, this configuration will be prompted as failure. If reversible alarms are on the
interface, this configuration will succeed and enter reverse mode; in other words, the reported
alarm status of the interface will be changed opposite to the actual alarm status immediately.
After the alarm is finished, the enabling state of interface alarm reverse will end automatically

539
Raisecom
and changes to non-reverse alarm mode so that the alarm status can be reported normally in
the next alarm.
 Alarm delay
Alarm delay refers that the ISCOM2600G series switch will record alarms and report them to
NMS after a delay but not immediately when alarms generate. Delay for recording and
reporting alarms are identical.
By default, the device alarm is reported once generating (0s), which is instant reporting; clear
alarm once it ends (0s), which is instant clearing.
 Alarm storage mode
Alarm storage mode refers to how to record new generated alarms when the alarm buffer is
full. There are two ways:
− stop: stop mode, when the alarm buffer is full, new generated alarms will be
discarded without recording.
− loop: wrapping mode, when the alarm buffer is full, the new generated alarms will
replace old alarm and take rolling records.
Use configured storage mode to deal with new generated alarm when the alarm in device
alarm table is full.
 Clearing alarms
Clear the current alarm, which means deleting current alarms from the current alarm table.
The cleared alarms will be saved to the history alarm table.
 Viewing alarms
The administrator can check alarms and monitor alarm directly on the ISCOM2600G series
switch. If the ISCOM2600G series switch is configured with NView NNM system, the
administrator can monitor alarms on the NView NNM system.
Scenario
When the device fails, alarm management module will collect fault information and output
alarm occurrence time, alarm name and description information in log format to help users
locate problem quickly.
If the device is configured with the NMS, alarm can be reported directly to the NMS,
providing possible alarm causes and treatment recommendations to help users deal with fault.
If the device is configured with hardware monitoring, it will record the hardware monitoring
alarm table, generated Syslog, and sent Trap when the operation environment of the device
becomes abnormal, and notify the user of taking actions accordingly and prevent faults.
Alarm management facilitates alarm suppression, alarm auto-reporting, alarm monitoring,
alarm reverse, alarm delay, alarm memory mode, alarm clear and alarm view directly on the
device.
Prerequisite
Hardware environment monitoring alarm output:

540
Raisecom
 In Syslog output mode: alarms will be generated into system logs. To send alarm to the
system log host, configure the IP address of the system log host for the device.
 In Trap output mode: configure the IP address of the NMS for the device.
12.6.3 Configuring basic functions of alarm management

Configure basic information of alarm management for the ISCOM2600G series switch as
below.
All following steps are optional and no sequence between them.

2 Raisecom(config)#alar Enable or disable alarm suppression.
m inhibit { enable |
disable }
By default, it is enabled.
Example:  enable: enable alarm suppression.
Raisecom(config)#alar  disable: disable alarm suppression.
m inhibit enable
3 Raisecom(config)#alar Enable alarm auto-reporting.
m auto-report all
 all: all alarms
 enable: enable alarm auto-report.
Example:
 disable: disable alarm auto-report.
Raisecom(config)#alar
m auto-report all
enable
Raisecom(config)#alar Enable or disable alarm auto-reporting of a
m auto-report alarm- specified alarm source.
restype alarm-
 alarm-restype: alarm source type, a string. The
restype-value
{ enable | disable } value is the name of an alarm source type,
Example: such as port-channel.
 alarm-restype-value: alarm source value, an
m auto-report integer, related to the alarm source type
gigaethernet 1/1/1
enable
Raisecom(config)#alar Enable alarm auto-reporting of a specified
m auto-report type alarm type.
alarm-type { enable |
 type alarm-type: alarm type, a string. The
disable }
Example: value is an alarm name, such as
Raisecom(config)#alar aiblightparameterhigh.
m auto-report type
system_authfailure
disable

541
Raisecom

Raisecom(config)#alar Enable alarm auto-reporting of a specified
m auto-report type alarm source and type.
alarm-type alarm-
restype alarm-
restype-value value is an alarm name, such as
{ enable | disable } aiblightparameterhigh.
Example:
Raisecom(config)#alar value is the name of an alarm source type,
m auto-report type such as port-channel.
erroredframeevent
gigaethernet 1/1/1 integer, related to the alarm source type
enable
4 Raisecom(config)#alar Enable alarm monitoring.

m monitor all
 all: all alarms
 enable: enable alarm monitoring.
Example:
 disable: disable alarm monitoring.
m monitor all enable
Raisecom(config)#alar Enable alarm monitoring of a specified alarm
m monitor alarm- source.
restype alarm-
restype-value
{ enable | disable } value is the name of an alarm source type,
Example: such as port-channel.
m monitor integer, related to the alarm source type
gigaethernet 1/1/1
enable
m monitor type alarm- type.
type { enable |
disable }
Example: value is an alarm name, such as
Raisecom(config)#alar blightparameterhigh.
m monitor type
erroredframeevent
enable
m monitor type alarm- source and type.
type alarm-restype
alarm-restype-value
{ enable | disable } value is an alarm name, such as
Example: blightparameterhigh.
m monitor type value is the name of an alarm source type,
erroredframeevent such as port-channel.
gigaethernet 1/1/1
enable integer, related to the alarm source type

542
Raisecom

5 Raisecom(config)#alar (Optional) configure the level of alarm
m monitor-level monitoring.
{ critical | major |
 critical: monitoring level 1, critical alarm
minor | warning }
 major: monitoring level 2, major alarm
Example:
 minor: monitoring level 3, minor alarm
 warning: monitoring level 4, warning alarm
m monitor-level minor
6 Raisecom(config)#alar Configure alarm reverse modes.
m inverse interface-
type interface-number By default, it is none; in other words, alarm
{ none | auto | reverse is disabled.
manual }  interface-type: interface type
Example:  interface-number: interface ID. The form and
Raisecom(config)#alar value range depend on the interface type.
m inverse  auto: automatic inverse mode
gigaethernet 1/1/1  manual: manual inverse mode
auto  none: non-inverse mode
7 Raisecom(config)#alar Configure alarm delay.

m { active | clear }
delay second
By default, it is 0s.
Example:  delay second: alarm delay time, an integer,
Raisecom(config)#alar ranging from 0 to 600, in units of second
m active delay 200
8 Raisecom(config)#alar Configure alarm storage modes.
m active storage-mode
{ loop | stop } By default, it is stop.
Example:  loop: specify the alarm storage mode to loop.
Raisecom(config)#alar  stop: specify the alarm storage mode to stop.
m active storage-mode
loop
9 Raisecom(config)#alar (Optional) clear all current alarms.
m clear all
Raisecom(config)#alar (Optional) clear current alarms of the specified
m clear index index- alarm index.
value
 index index-value: index of the specified
Example:
Raisecom(config)#alar alarm, an integer, ranging from 1 to
m clear index 2 4294967295
m clear alarm-restype alarm source.
alarm-restype-value
Example:
Raisecom(config)#alar value is the name of an alarm source type,
m clear gigaethernet such as cpuindex and port-channel.
1/1/1
integer, related to the alarm source type
m clear type alarm- alarm type.
type
Example:
Raisecom(config)#alar value is an alarm name, such as
m clear type blightparameterhigh and criticalevent.
erroredframeevent

543
Raisecom

m clear type alarm- alarm source and type.
type alarm-restype
alarm-restype-value
Example: value is an alarm name, such as ais,
Raisecom(config)#alar blightparameterhigh, and criticalevent.
m clear type
erroredframeevent value is the name of an alarm source type,
gigaethernet 1/1/1 such as boardindex, fanindex, and port-
channel.
integer, related to the alarm source type

9 Raisecom(config)#alar (Optional) enable or disable alarms to be output
m syslog { enable | to system logs.
disable }
Example: By default, it is disabled.
Raisecom(config)#alar  enable: enable alarms to be output to system
m syslog enable logs.
 disable: disable alarms to be output to system
logs.
10 Raisecom(config)#alar (Optional) enable relevant alarm inhibition.
m correlation-Inhibit
{ enable | disable } Use the disable form of this command to
Raisecom(config)#alar  enable: enable relevant alarm inhibition.
m correlation-Inhibit  disable: disable relevant alarm inhibition.
enable
You can enable/disable alarm monitoring, alarm auto-reporting, and alarm clearing on
modules that support alarm management.


1 Raisecom#show alarm management Show parameters of current
[ alarm_type ] alarms, including status of alarm
suppression, alarm reverse
mode, alarm delay, and alarm
storage mode, maximum alarm
buffer size, and alarm log size.
2 Raisecom#show alarm log Show alarm statistics in the
system log.
3 Raisecom#show alarm management Show statistics about alarm
statistics management module.

544
Raisecom

4 Raisecom#show alarm active Show information about current
[ module_name alarm_manage | aps alarms.
| bfd | cfm | cpcar |
digitaldiagnotic | fanmonitor |
hw_monitor | lbd | oam | ospf |
portbackup | portlib |
powermonitor | system | severity
severity ]
5 Raisecom#show alarm cleared Show information about history
[ module_namealarm_manage | aps | alarms.
bfd | cfm | cpcar |
digitaldiagnotic | fanmonitor |
hw_monitor | lbd | oam | ospf |
portbackup | portlib |
powermonitor | system | severity
severity ]
12.7 Hardware environment monitoring
Some models of the ISCOM2600G series switch do not support abnormal

temperature alarms. For details, see their descriptions.
12.7.1 Introduction
Hardware environment monitoring mainly refers to monitor the running environment of the
ISCOM2600G series switch. The monitoring alarm events include:
 Power supply state alarm
 Temperature beyond threshold alarm
 Flash monitoring alarm
There are several ways to notify users when an alarm is generated. The alarm event output
methods are as below:
 Save to the device hardware environment monitoring alarm buffer.
 Output Syslog system log.
 Send Trap to the NMS.
You can take appropriate measures to prevent failure when alarm events happen.
Alarm events
 Power supply monitoring alarms
 Power supply state change alarms
Power supply state change refers that unplugged power supply is plugged into the device and
vice versa. The ISCOM2600G series switch supports dual power supplies. Therefore, power

545
Raisecom
supply state change alarms are divided into the single power supply state change alarm and
device dying gasp alarm.
– Dual power supply state change alarm: notify uses that power supply 1/power supply
2 changes. The ISCOM2600G series switch supports saving to the device hardware
environment monitoring alarm buffer, sending Trap to the NView NNM system, and
outputting to the system log and relay.
– Device dying gasp alarm: dual power modules are unplugged, in other words, two
power modules are out of position. The ISCOM2600G series switch supports saving
to the device hardware environment monitoring alarm buffer, sending Trap to the
NView NNM system, and outputting to the system log and relay.
 Temperature beyond threshold alarm
The device supports temperature beyond threshold alarm event, when the current temperature
is lower than low temperature threshold, the low temperature alarm event will generate. The
ISCOM2600G series switch supports saving to the device hardware environment monitoring
alarm buffer, sending Trap to the NView NNM system, and outputting to the system log and
relay.
When the device current temperature is higher than high temperature threshold, the high
temperature alarm event will generate. The ISCOM2600G series switch supports saving to the
device hardware environment monitoring alarm buffer, sending Trap to the NView NNM
system, and outputting to the system log and relay.
Alarm output modes

Hardware environment monitoring alarm output modes are as below.
 Hardware environment monitoring alarm buffer output, which is recorded to the
hardware environment monitoring alarm table
− The hardware environment monitoring current alarm table, recording current alarm
which has not been cleared and restored.
− The hardware environment monitoring history alarm table, recording current, restored,
and manually cleared alarms.
Hardware environmental monitoring alarm can be recorded in the current hardware
environment monitoring alarm table and hardware environment monitoring history alarm
table automatically without configuring manually.
 Trap output
Alarms are output to the NMS in Trap mode.
Trap output has global switch and all monitored alarm events still have their own Trap alarm
output switches. When enabling the global switch and monitored alarm events switches
simultaneously, the alarm will generate Trap output.
Table 12-7 describes Trap information.
Table 12-7 Trap information

Field Description
 asserted (current alarm)
Alarm status
 cleared (alarm recovery)
 clearall (clear all alarm)

546
Raisecom
Field Description
 device (global alarm)
Alarm source
 Interface number (interface status alarm)
Timestamp Alarm time, in the form of absolute time
 dev-power-down (power-down alarm)
Alarm event type
 power-abnormal (power-abnormal alarm, one of two powers
is power down.)
 high-temperature (high-temperature alarm)
 low-temperature (low-temperature alarm)
 all-alarm (clear all alarms)
 Syslog output
Record alarms to Syslog.
Syslog output has global switch and all monitored alarm events still have their own Syslog
alarm output switches. When the global switch and monitored alarm events switches are
concurrently enabled, the alarm will generate Syslog output.
Table 12-8 describes Syslog information.
Table 12-8 Syslog information

Field Description
Facility The module name generating alarm, the hardware environment monitoring
module is fixed as alarm.
Severity Level, the same as defined in system logs. For details, see Table 12-4.
Mnemonics Alarm event type. For details, see Table 12-7.
Msg-body Main body, describing alarm event contents.
Scenario
Hardware environment monitoring provides environment monitoring for the devices, through
which you can monitor the fault. When device operation environment is abnormal, this
function will record hardware environment monitoring alarm list, generate system log, or send
Trap and other alarms to notify taking corresponding measures and preventing fault.
Prerequisite
Hardware environment monitoring alarm output:
 In Syslog output mode: alarms will be generated into system logs. To send alarm to the
system log host, configure system log host IP address for the device.
 In Trap output mode: configure the management IP address of the device.

547
Raisecom
12.7.3 Default configurations of hardware environment monitoring

Default configurations of hardware environment monitoring are as below.

Global hardware environment monitoring alarm Syslog output Disable
Global hardware environment monitoring alarm Trap output Enable
 Enable Trap output.
Power down event alarm
 Enable Syslog system
Temperature alarm output log output.
High temperature alarm threshold 90ºC

Low temperature alarm threshold -10ºC
12.7.4 Enabling global hardware environment monitoring

Enable global hardware environment monitoring for the ISCOM2600G series switch as below.

2 Raisecom(config)#loggi (Optional) enable global hardware environment
ng alarm monitoring alarm Syslog output.
3 Raisecom(config)#snmp- (Optional) enable or disable global hardware
server alarm-trap environment monitoring alarm Trap.
 enable: enable global hardware environment
Example:
Raisecom(config)#snmp- monitoring alarm Trap.
 disable: disable global hardware environment
server alarm-trap
enable monitoring alarm Trap.
 When enabling global hardware environment monitoring alarm Syslog output,

alarm event can generate Syslog only when Syslog output under alarm event is
also enabled.
 When enabling global hardware environment monitoring alarm sending Trap,
alarm event can send Trap only when Trap output under alarm event is also
enabled.
12.7.5 Configuring temperature monitoring alarm

Configure temperature monitoring alarm for the ISCOM2600G series switch as below.


548
Raisecom

2 Raisecom(config)# Enable temperature monitoring alarm output and
alarm temperature configure temperature monitoring alarm output
{ high high-value modes.
| low low-value |
 high-value: high temperature threshold, an integer,
notifies |
syslog } ranging from 10 to 70°C
 low-value: low temperature threshold, an integer,
Example:
Raisecom(config)# ranging from 10 to 90°C
 notifies: output temperature alarms in form of
alarm temperature
low 10 Trap.
 syslog: output temperature alarms in form of
Syslog.
12.7.6 Configuring power supply alarm

Configure voltage monitoring alarm for the ISCOM2600G series switch as below.

2 Raisecom(config)#alarm Enable power supply alarm and
power-supply { notifies | configure alarm output mode.
syslog }
 notifies: output temperature alarms in
Example:
Raisecom(config)#alarm form of Trap.
 syslog: output temperature alarms in
power-supply notifies
form of Syslog.
12.7.7 Clearing all hardware environment monitoring alarms

manually
Clear all hardware environment monitoring alarms manually for the ISCOM2600G series
switch as below.

1 Raisecom#conf Enter global configuration mode.
ig
2 Raisecom(conf Clear alarms manually.
ig)#clear
alarm
Use this command to clear all alarms in current

alarm list and generate an all-alarm alarm in history
alarm list.
If enabling global sending Trap, the all-alarm alarm
will be output in Trap mode; if enabling global
Syslog, the all-alarm alarm will be output in Syslog
mode.

549
Raisecom


1 Raisecom#show alarm Show global hardware environment
monitoring alarm configurations.
2 Raisecom#show alarm Show current alarms of hardware environment
current monitoring.
3 Raisecom#show alarm Show history alarms of hardware environment
history monitoring.
4 Raisecom#show Show information about the current
environment environment, such as power supply,
{ temperature | power } temperature, and alarms.
12.8 CPU monitoring

12.8.1 Introduction
The ISCOM2600G series switch supports CPU monitoring. It can monitor state, CPU
utilization rate, and application of stacking of each task in real time in the system. It helps
locate faults.
CPU monitoring can provide the following functions:
 Viewing CPU utilization rate
It can be used to view unitization of CPU in each period (5s, 1minute, 10minutes, 2hours).
Total unitization of CPU in each period can be shown dynamically or statically.
It can be used to view the operational status of all tasks and the detailed running status
information about assigned tasks.
It can be used to view history utilization of CPU in each period.
It can be used to view information about dead tasks.
 Threshold alarm of CPU unitization
If CPU utilization of the system is more than configured upper threshold or less than
preconfigured lower threshold in specified sampling period, Trap will be sent, and Trap will
provide serial number of 5 tasks whose unitization rate of CPU is the highest in the latest
period (5s, 1minute, 10minutes) and their CPU utilization rate.

550
Raisecom
Scenario
CPU monitoring can provide realtime monitoring to the task status, CPU utilization rate and
stack usage in the system, provide CPU utilization rate threshold alarm, detect and eliminate
hidden dangers, or help administrator for fault location.
Prerequisite
When the CPU monitoring alarm needs to be output in Trap mode, configure Trap output
target host address, which is IP address of NView NNM system.
12.8.3 Default configurations of CPU monitoring

Default configurations of CPU monitoring are as below.

CPU utilization rate alarm Trap output Enable
Upper threshold of CPU utilization alarm 99%
Lower threshold of CPU utilization alarm 79%
Sampling period of CPU utilization 60s
12.8.4 Configuring CPU monitoring alarm

Configure CPU monitoring alarm for the ISCOM2600G series switch as below.

2 Raisecom(config)#cpu (Optional) configure the recovering threshold and
threshold recovering rising threshold for CPU alarms.
recovering-threshold-
 recovering-threshold-value: recovering
value rising rising-
threshold-value threshold, an integer, ranging from 1 to 98,
Example: indicating 1% to 98%
 rising-threshold-value: rising threshold, an
Raisecom(config)#cpu
threshold recovering integer, ranging from 2 to 99, indicating 2% to
20 rising 80 99%
3 Raisecom(config)#cpu (Optional) configure the interval for sampling
interval interval- CPU alarms.
value
 interval-value: sample collection interval, an
Example:
Raisecom(config)#cpu integer, ranging from 5 to 36000, in units of
interval 60 second

551
Raisecom


1 Raisecom#show cpu-utilization Show CPU utilization.
[ dynamic | history { 10min |
1min | 2hour | 5sec } ]
2 Raisecom#show process [ sorted Show states of all tasks.
{ priority | name } |
taskname ]
3 Raisecom#show process cpu Show CPU utilization of all tasks.
[ sorted [ 10mins | 1min |
5secs | invoked ] ]
4 Raisecom#show process dead Show information about dead tasks.
5 Raisecom#show process pid range Show information about the
specified task.
12.9 Fan monitoring

12.9.1 Introduction
The ISCOM2600G series switch supports monitoring the fan, including the rotational speed
and temperature. It sends Trap when the rotational speed or temperature is abnormal.
The ISCOM2600G series switch monitors the fan in two modes:
 Forcible monitoring: forcibly configure the rotational speed of the fan.
 Automatic monitoring: the fan adjusts its rotational speed by temperature.
In automatic monitoring mode, the rotational speed of the fan has four levels, each of which
corresponds to a temperature range. The fan adjusts its rotational speed by temperature.
Scenario
In hot environment, too high temperature affects heat dissipation of the ISCOM2600G series
switch. Thus fan monitoring must be configured so that the rotational speed is automatically
adjusted according to environment temperature and the ISCOM2600G series switch runs
properly.
Precondition
N/A

552
Raisecom
12.9.3 Configuring fan monitoring

Configure fan monitoring for the ISCOM2600G series switch as below.

2 Raisecom(config)#fan- Configure the monitoring mode for the
monitor mode { auto | rotational speed.
enforce }
Example: By default, it is auto.
Raisecom(config)#fan-  auto: configure fan monitor mode to auto.
monitor mode auto  enforce: configure fan monitor mode to
enforce.
3 Raisecom(config)#fan- (Optional) configure the rotational speed in
monitor enforce level enforced mode.
level
 level: rotational speed level, an integer,
Example:
Raisecom(config)#fan- ranging from 1 to 4, corresponding to 0 r/s,
monitor enforce level 3 7880 r/s, 11300 r/s, and 11500 r/s
respectively
4 Raisecom(config)#fan- (Optional) enable or disable Trap sending for
monitor trap send fan monitoring.
 enable: enable Trap sending for fan
Example:
Raisecom(config)#fan- monitoring.
 disable: disable Trap sending for fan
monitor trap send enable
monitoring.


1 Raisecom#show fan-monitor Show configurations of fan monitoring.
information
2 Raisecom#show fan-monitor Show fan monitoring status.
status
12.10 Cable diagnosis

The ISCOM2600G series switch supports cable diagnosis, which helps you detect lines.
Cable diagnosis contains the following results:
 Detection result of the Tx cable
 Errored location of the Tx cable

553
Raisecom
 Detection result of the Rx cable

 Errored location of the Rx cable
Scenario
After cable diagnosis is enabled, you can learn the running status of cables, locate and clear
faults, if any, in time.
Prerequisite
N/A
12.10.3 Configuring cable diagnosis

Configure cable diagnosis for the ISCOM2600G series switch as below.

1 Raisecom(config)#test Enable or disable the function of not restarting
cable-diagnostics the interface upon cable diagnosis.
noshutdown { enable |
 enable: enable the function of not restarting
disable } [ confirm ]
Example: the interface upon cable diagnosis.
 disable: disable the function of not restarting
Raisecom(config)#test
cable-diagnostics the interface upon cable diagnosis.
 confirm: confirm.
noshutdown enable
2 Raisecom#test cable- Enable cable diagnosis. The device supports
diagnostics interface- this configuration on multiple interfaces.
type interface-number
Example:
Raisecom#test cable-
diagnostics and value range depend on the interface
When you enable the function of not restarting the interface upon cable diagnosis,
the interface that is in Up status will be restarted once and then obtain cable
diagnosis data. Then, when cable diagnosis is ongoing, the interface that is in Up
status will not be restarted but directly read cable diagnosis data saved in the buffer,
and the interface that is in Down status will obtain the length to the faulty point during
cable diagnosis. The newly inserted interface will automatically execute cable
diagnosis and save results in the buffer.


554
Raisecom

1 Raisecom#show cable-diagnostics Show results of cable
[ interface-type interface-number ] diagnosis.
12.11 Memory monitoring

Scenario
Memory monitoring enables you to learn the memory utilization in real time, and provides
memory utilization threshold alarms, thus facilitating you to locate and clear potential risks
and help network administrator to locate faults.
Prerequisite
To output memory utilization threshold alarms as Trap, configure the IP address of the target
host, namely, the IP address of the NMS server.
12.11.2 Configuring memory monitoring

Configure memory monitoring for the ISCOM2600G series switch as below.

2 Raisecom(config)#memory Configure the rising threshold and recovering
threshold recovering threshold for memory utilization alarms.
recovering-threshold-
 recovering-threshold-value: recovering
value rising rising-
threshold-value threshold of memory, an integer, ranging
Example: from 1 to 98, indicating 1% to 98%
 rising-threshold-value: rising threshold of
Raisecom(config)#memory
threshold recovering 10 memory, an integer, ranging from 2 to 99,
rising 90 indicating 2% to 99%
 threshold: configure the threshold of
memory utilization rate.

3 Raisecom(config)#memory Configure the interval for sampling memory
interval Observation- alarms.
interval-value
 interval: configure sample collection time.
Example:
 observation-interval-value: sampling
Raisecom(config)#memory
interval 60 interval, an integer, ranging from 5 to

555
Raisecom


1 Raisecom#show Show information about the system memory, including
memory [ module the alarm enabling status, rising threshold, recovering
{ value | threshold, sampling interval, total memory, used
bufferpool | memory, idle memory, memory utilization, and memory
diff } used by each module, and memory change.
12.12 PING
Packet Internet Groper (PING) derives from the sonar location operation, which is used to
detect whether the network is normally connected. PING is achieved with ICMP echo packets.
If an Echo Reply packet is sent back to the source address during a valid period after the Echo
Request packet is sent to the destination address, it indicates that the route between source and
destination address is reachable. If no Echo Reply packet is received during a valid period and
timeout information is displayed on the sender, it indicates that the route between source and
destination addresses is unreachable.
Figure 12-11 shows principles of PING.
Figure 12-11 Principles of PING
12.12.2 Configuring PING

Configure PING for the ISCOM2600G series switch as below.

556
Raisecom

1 Raisecom#ping [ vrf (Optional) test the connectivity of the IPv4 network
name ]ip-address by the ping command.
[ count
 vrfname: VPN router name, a string of 1 to 31
countvalue ] [ size
sizevalue ] characters
 ip-address: destination IP address
[ waittime period ]
 count: specify the numbers of detection packets
[ source ip-
address ] sent for exiting the PING program.
 count value: number of detection packets, an
Example:
Raisecom#ping integer, ranging from 1 to 65535
 size: specify the size of the detection packet.
10.0.0.1
 sizevalue: size of the detection packet, an integer,
ranging from 0 to 12242, in units of Byte

 waittime: specify the wait time for PING
program. If no response is received when the wait

time expires, it is believed the destination is
unreachable.
 period: timeout time, an integer, ranging from 1

 source ip-address: source IP address.
2 Raisecom#ping ipv6 (Optional) test the connectivity of the IPv6 network

ipv6-address by the ping command.
[ count
 ipv6-address: destination IPv6 address
countvalue ] [ size
 count: specify the numbers of detection packets
sizevalue ]
[ waittime period ] sent for exiting the PING program.
 count value: number of detection packets, an
Example:
Raisecom#ping ipv6 integer, ranging from 1 to 65535
 size: specify the size of the detection packet.
3001::1
 sizevalue: size of the detection packet, an integer,
ranging from 0 to 12242, in units of Byte

 waittime: specify the wait time for PING
program. If no response is received when the wait

time expires, it is believed the destination is
unreachable.
 period: timeout time, an integer, ranging from 1
The ISCOM2600G series switch cannot perform other operations in the process of
PING. It can perform other operations only when PING is finished or break off PING
by pressing Ctrl+C.

557
Raisecom
12.13 Traceroute
Similar with PING, Traceroute is a commonly-used maintenance method in network
management. Traceroute is often used to test the network nodes of packets from sender to
destination, detect whether the network connection is reachable, and analyze network fault
Traceroute works as below:
Step 1 Send a piece of TTL1 sniffer packet (where the UDP port number of the packet is unavailable
to any application programs in destination side).
Step 2 TTL deducts 1 when reaching the first hop. Because the TTL value is 0, in the first hop the
device returns an ICMP timeout packet, indicating that this packet cannot be sent.
Step 3 The sending host adds 1 to TTL and resends this packet.
Step 4 Because the TTL value is reduced to 0 in the second hop, the device will return an ICMP
timeout packet, indicating that this packet cannot be sent.
The previous steps continue until the packet reaches the destination host, which will not return
ICMP timeout packets. Because the port number of destination host is not be used, the
destination host will send the port unreachable packet and finish the test. Thus, the sending
host can record the source address of each ICMP TTL timeout packet and analyze the path to
the destination according to the response packet.
Figure 12-12 shows principles of traceroute.
Figure 12-12 Principles of Traceroute
12.13.2 Configuring Traceroute

Before using Traceroute, you should configure the IP address and default gateway of the
Configure Traceroute for the ISCOM2600G series switch as below.

558
Raisecom

1 Raisecom#trace (Optional) test the connectivity of the IPv4 network and
route [ vrf view nodes passed by the packet by the traceroute
name ] ip- command.
address
 vrf name: VPN router name, a string of 1 to 31
[ firstttl
first-ttl ] characters
 ip-address: IP address of the destination host/network
[ maxttl max-
 firstttl: first TTL
ttl ] [ port
 first-ttl: value of the first TTL, an integer, ranging from
port-number ]
[ waittime 1 to 255
 maxttl: maximum TTL. When this value is exceeded,
period ]
[ count the destination is unreachable.
 max-ttl: value of the maximum TTL, an integer, ranging
times ] [ size
sizevalue ] from 1 to 255
 port: port number of the UDP packet
Example:
 port-number: interface ID, an integer, ranging from 1 to
Raisecom#trace
route 10.0.0.1 65535
 waittime: specify the timeout for Traceroute program. If
no response is received when the timeout expires, the

destination is unreachable.
 period: timeout, an integer, ranging from 1 to 60, in
units of second
 count: configure the number of detection packets sent at
the same hop.

 times: number of detection packets, an integer, ranging
from 1 to 10
 size: specify the size of detection packets.
 sizevalue: size of detection packets, an integer, ranging
from 0 to 4096, in units of Byte

559
Raisecom

2 Raisecom#trace (Optional) test the connectivity of the IPv6 network and
route ipv6 view nodes passed by the packet by the traceroute
ipv6-address command.
[ firstttl
 ipv6-address: IPv6 address, in colon hexadecimal
fitst-ttl ]
[ maxttl max- notation, such as 3001::1
 firstttl: first TTL
ttl ] [ port
 first-ttl: value of the first TTL, an integer, ranging from
port-number]
[ waittime 1 to 255
 maxttl: maximum TTL. When this value is exceeded,
period ]
[ count the destination is unreachable.
 max-ttl: value of the maximum TTL, an integer, ranging
times ] [ size
sizevalue ] from 1 to 255
 port: port number of the UDP packet
Example:
 port-number: interface ID, an integer, ranging from 1 to
Raisecom#trace
route 3000::1 65535
 waittime: specify the timeout for Traceroute program. If
no response is received when the timeout expires, the

destination is unreachable.
 period: timeout, an integer, ranging from 1 to 60, in
units of second
 count: configure the number of detection packets sent at
the same hop.

 times: number of detection packets, an integer, ranging
from 1 to 10
 size: specify the size of detection packets.
 sizevalue: size of detection packets, an integer, ranging
from 0 to 4096, in units of Byte
12.14 Performance statistics

Performance statistics is used to gather statistics about service packets on the interface of a
monitoring device and enable you to learn network performance. It can be based on interface
or service flow in a short or long period. The short period is 15 minutes while the long period
is 24 hours. Data in a statistical period is written as data block to the Flash for your review.
Scenario
To learn performance of the ISCOM2600G series switch, you can use performance statistics
to gather current or historical statistics about packets based on interface or service flow.
Prerequisite
N/A

560
Raisecom
12.14.3 Default configurations of performance statistics

Default configurations of performance statistics are as below.

Performance statistics Enable
Number of data blocks saved in period statistics mode 16
12.14.4 Configuring performance statistics

Configure performance statistics for the ISCOM2600G series switch as below.

2 Raisecom(config)#performance Configure the number of data blocks
statistics interval buckets saved in the Flash for performance
buckets-number statistics in different statistics period
Example: mode.
Raisecom(config)#performance
 buckets-number: bucket value, an
statistics interval buckets 10
integer, ranging from 10 to 64, in units
of pcs
3 Raisecom(config)#interface Enable cable diagnosis. The device
interface-type interface- supports this configuration on multiple
number interfaces.
Example:
gigaethernet 1/1/1
form and value range depend on the
interface type.
4 Raisecom(config- Enable performance statistics in the
gigaethernet1/1/*)#performance VLAN or CoS list.
statistics [ vlan vlan-id
[ cos statistics-cos ] ] Use the disable form of this command to
{ enable | disable } disable this function.
Example:  vlan-id: VLAN ID, an integer, ranging
gigaethernet1/1/1)#performance  statistics-cos: CoS, an integer, ranging
statistics enable from 0 to 7

 enable: enable performance statistics in
the VLAN or CoS list.

 disable: disable performance statistics
in the VLAN or CoS list.
The time for gathering statistics is not related to the time for configuring the command,
but related to the system time. Performance statistics take 15min as a period to
complete a round of statistics. For example, if the first round of performance statistics
561
Raisecom
is enabled at the 5th minute, the first round actually starts at the 15th minute and
ends at 30th minute.


1 Raisecom#show performance statistics interface Show
interface-type interface-number { current | history } performance
Raisecom#show performance statistics interval
statistics.
buckets
Raisecom#show interface interface-type interface-
number vlan vlan-id [ cos cos-value ] { current |
history }
12.14.6 Maintenance
Command Description
Raisecom(config)#clear performance Clear performance statistics.
statistics history

562
Raisecom
ISCOM2600G (A) Series Configuration Guide (CLI) 13 Appendix
13 Appendix
This chapter list terms, acronyms, and abbreviations involved in this document, including the
following sections:
 Terms
 Acronyms and abbreviations
13.1 Terms
A
A series of ordered rules composed of permit | deny sentences. These
Access
rules are based on the source MAC address, destination MAC address,
Control List
source IP address, destination IP address, and interface ID. The device
(ACL)
determines to receive or refuse the packets based on these rules.
Automatic
The technology that is used for automatically shutting down the laser to
Laser
avoid the maintenance and operation risks when the fiber is pulled out or
Shutdown
the output power is too great.
(ALS)
The interface automatically chooses the rate and duplex mode according
to the result of negotiation. The auto-negotiation process is: the interface
Auto-
adapts its rate and duplex mode to the highest performance according to
negotiation
the peer interface; in other words, both ends of the link adopt the highest
rate and duplex mode they both support after auto-negotiation.
Automatic APS is used to monitor transport lines in real time and automatically
Protection analyze alarms to discover faults. When a critical fault occurs, through
Switching APS, services on the working line can be automatically switched to the
(APS) protection line, thus the communication is recovered in a short period.
B
Small parts at both sides of the chassis, used to install the chassis into
Bracket
the cabinet

563
Raisecom
C
CHAP is a widely supported authentication method in which a
representation of the user's password, rather than the password itself, is
sent during the authentication process. With CHAP, the remote access
server sends a challenge to the remote access client. The remote access
client uses a hash algorithm (also known as a hash function) to compute
Challenge a Message Digest-5 (MD5) hash result based on the challenge and a
Handshake hash result computed from the user's password. The remote access client
Authentication sends the MD5 hash result to the remote access server. The remote
Protocol access server, which also has access to the hash result of the user's
(CHAP) password, performs the same calculation using the hash algorithm and
compares the result to the one sent by the client. If the results match, the
credentials of the remote access client are considered authentic. A hash
algorithm provides one-way encryption, which means that calculating
the hash result for a data block is easy, but determining the original data
block from the hash result is mathematically infeasible.
D
A security feature that can be used to verify the ARP data packets in the
Dynamic ARP
network. With DAI, the administrator can intercept, record, and discard
Inspection
ARP packets with invalid MAC address/IP address to prevent common
(DAI)
ARP attacks.
Dynamic Host A technology used for assigning IP address dynamically. It can
Configuration automatically assign IP addresses for all clients in the network to reduce
Protocol workload of the administrator. In addition, it can implement centralized
(DHCP) management of IP addresses.
E
Complying with IEEE 802.3ah protocol, EFM is a link-level Ethernet
Ethernet in the OAM technology. It provides the link connectivity detection, link fault
First Mile monitoring, and remote fault notification for a link between two directly-
(EFM) connected devices. EFM is mainly used for the Ethernet link on edges of
the network accessed by users.
It is an APS protocol based on ITU-T G.8032 standard, which is a link-
Ethernet Ring layer protocol specially used for the Ethernet ring. In normal conditions,
Protection it can avoid broadcast storm caused by the data loop on the Ethernet
Switching ring. When the link or device on the Ethernet ring fails, services can be
(ERPS) quickly switched to the backup line to enable services to be recovered in
time.
F
In a communication link, both parties can receive and send data
Full duplex
concurrently.

564
Raisecom
Generic Framing Procedure (GFP) is a generic mapping technology. It

GFP can group variable-length or fixed-length data for unified adaption,
encapsulation making data services transmitted through multiple high-speed physical
transmission channels.
The cable to connect the device to ground, usually a yellow/green
coaxial cable. Connecting the ground cable properly is an important
Ground cable
guarantee to lightning protection, anti-electric shock, and anti-
interference.
H
Half duplex In a communication link, both parties can receive or send data at a time.
I
Institute of
A professional society serving electrical engineers through its
Electrical and
publications, conferences, and standards development activities. The
Electronics
body responsible for the Ethernet 802.3 and wireless LAN 802.11
Engineers
specifications.
(IEEE)
Internet The organization operated under the IAB. IANA delegates authority for
Assigned IP address-space allocation and domain-name assignment to the NIC and
Numbers other organizations. IANA also maintains a database of assigned
Authority protocol identifiers used in the TCP/IP suite, including autonomous
(IANA) system numbers.
A worldwide organization of individuals interested in networking and
the Internet. Managed by the Internet Engineering Steering Group
Internet (IESG), the IETF is charged with studying technical problems facing the
Engineering Internet and proposing solutions to the Internet Architecture Board
Task Force (IAB). The work of the IETF is carried out by various working groups
(IETF) that concentrate on specific topics, such as routing and security. The
IETF is the publisher of the specifications that led to the TCP/IP
protocol standard.
L
Label Symbols for cable, chassis, and warnings
With link aggregation, multiple physical Ethernet interfaces are
combined to form a logical aggregation group. Multiple physical links in
one aggregation group are taken as a logical link. Link aggregation helps
Link
share traffic among member interfaces in an aggregation group. In
Aggregation
addition to effectively improving the reliability on links between
devices, link aggregation can help gain greater bandwidth without
upgrading hardware.

565
Raisecom
Link
Aggregation
A protocol used for realizing link dynamic aggregation. The LACPDU is
Control
used to exchange information with the peer device.
Protocol
(LACP)
Link-state tracking provides an interface linkage scheme, extending the
range of link backup. Through monitoring upstream links and
Link-state synchronizing downstream links, faults of the upstream device can be
tracking transferred quickly to the downstream device, and primary/backup
switching is triggered. In this way, it avoids traffic loss because the
downstream device does not sense faults of the upstream link.
M
Multi-Mode
In this fiber, multi-mode optical signals are transmitted.
Fiber (MMF)
N
A time synchronization protocol defined by RFC1305. It is used to
synchronize time between distributed time server and clients. NTP is
Network Time
used to perform clock synchronization on all devices that have clocks in
Protocol
the network. Therefore, the devices can provide different applications
(NTP)
based on a unified time. In addition, NTP can ensure a very high
accuracy with an error of 10ms or so.
O
Open Shortest
An internal gateway dynamic routing protocol, which is used to
Path First
determine the route in an Autonomous System (AS)
(OSPF)
A distribution connection device between the fiber and a communication
Optical
device. It is an important part of the optical transmission system. It is
Distribution
mainly used for fiber splicing, optical connector installation, fiber
Frame (ODF)
adjustment, additional pigtail storage, and fiber protection.
P
Password PAP is an authentication protocol that uses a password in Point-to-Point
Authentication Protocol (PPP). It is a twice handshake protocol and transmits
Protocol unencrypted user names and passwords over the network. Therefore, it is
(PAP) considered unsecure.
Point-to-point
PPPoE is a network protocol for encapsulating PPP frames in Ethernet
Protocol over
frames. With PPPoE, the remote access device can control and account
Ethernet
each access user.
(PPPoE)

566
Raisecom
PVLAN adopts Layer 2 isolation technology. Only the upper VLAN is

Private VLAN visible globally. The lower VLANs are isolated from each other. If you
(PVLAN) partition each interface of the switch or IP DSLAM device into a lower
VLAN, all interfaces are isolated from each other.
Q
QinQ is (also called Stacked VLAN or Double VLAN) extended from
802.1Q, defined by IEEE 802.1ad recommendation. Basic QinQ is a
simple Layer 2 VPN tunnel technology, encapsulating outer VLAN Tag
QinQ for client private packets at carrier access end, the packets take double
VLAN Tag passing through trunk network (public network). In public
network, packets only transmit according to outer VLAN Tag, the
private VLAN Tag are transmitted as data in packets.
A network security mechanism, used to solve problems of network delay
and congestion. When the network is overloaded or congested, QoS can
Quality of ensure that packets of important services are not delayed or discarded
Service (QoS) and the network runs high efficiently. Depending on the specific system
and service, it may relate to jitter, delay, packet loss ratio, bit error ratio,
and signal-to-noise ratio.
R
Rapid
Spanning Tree Evolution of the Spanning Tree Protocol (STP), which provides
Protocol improvements in the speed of convergence for bridged networks
(RSTP)
Remote RADIUS refers to a protocol used to authenticate and account users in
Authentication the network. RADIUS works in client/server mode. The RADIUS server
Dial In User is responsible for receiving users' connection requests, authenticating
Service users, and replying configurations required by all clients to provide
(RADIUS) services for users.
A network management protocol defined by Internet Engineering Task

Simple Force (IETF) used to manage devices in the Internet. SNMP can make
Network the network management system to remotely manage all network
Management devices that support SNMP, including monitoring network status,
Protocol modifying network device configurations, and receiving network event
(SNMP) alarms. At present, SNMP is the most widely-used network management
protocol in the TCP/IP network.
Simple
Network Time
SNTP is mainly used for synchronizing time of devices in the network.
Protocol
(SNTP)
Single-Mode
In this fiber, single-mode optical signals are transmitted.
Fiber (SMF)

567
Raisecom
Spanning Tree STP can be used to eliminate network loops and back up link data. It
Protocol blocks loops in logic to prevent broadcast storms. When the unblocked
(STP) link fails, the blocked link is re-activated to act as the backup link.
V
VLAN is a protocol proposed to solve broadcast and security issues for
Virtual Local
Ethernet. It divides devices in a LAN into different segments logically
Area Network
rather than physically, thus implementing multiple virtual work groups
(VLAN)
which are based on Layer 2 isolation and do not affect each other.
VLAN mapping is mainly used to replace the private VLAN Tag of the
Ethernet service packet with the ISP's VLAN Tag, making the packet
transmitted according to ISP's VLAN forwarding rules. When the packet
VLAN
is sent to the peer private network from the ISP network, the VLAN Tag
mapping
is restored to the original private VLAN Tag according to the same
VLAN forwarding rules. Thus, the packet is sent to the destination
correctly.
13.2 Acronyms and abbreviations

A
AAA Authentication, Authorization and Accounting
ABR Area Border Router
AC Alternating Current
ACL Access Control List
ANSI American National Standards Institute
APS Automatic Protection Switching
ARP Address Resolution Protocol
AS Autonomous System
ASCII American Standard Code for Information Interchange
ASE Autonomous System External
ATM Asynchronous Transfer Mode
AWG American Wire Gauge
B
BC Boundary Clock
BDR Backup Designated Router

568
Raisecom
BITS Building Integrated Timing Supply System

BOOTP Bootstrap Protocol
BPDU Bridge Protocol Data Unit
BTS Base Transceiver Station
C
CAR Committed Access Rate
CAS Channel Associated Signaling
CBS Committed Burst Size
CE Customer Edge
CHAP Challenge Handshake Authentication Protocol
CIDR Classless Inter-Domain Routing
CIR Committed Information Rate
CIST Common Internal Spanning Tree
CLI Command Line Interface
CoS Class of Service
CPU Central Processing Unit
CRC Cyclic Redundancy Check
CSMA/CD Carrier Sense Multiple Access/Collision Detection
CST Common Spanning Tree
D
DAI Dynamic ARP Inspection
DBA Dynamic Bandwidth Allocation
DC Direct Current
DHCP Dynamic Host Configuration Protocol
DiffServ Differentiated Service
DNS Domain Name System
DRR Deficit Round Robin
DS Differentiated Services
DSL Digital Subscriber Line

569
Raisecom
EAP Extensible Authentication Protocol

EAPoL EAP over LAN
EFM Ethernet in the First Mile
EMC Electro Magnetic Compatibility
EMI Electro Magnetic Interference
EMS Electro Magnetic Susceptibility
ERPS Ethernet Ring Protection Switching
ESD Electro Static Discharge
EVC Ethernet Virtual Connection
F
FCS Frame Check Sequence
FE Fast Ethernet
FIFO First Input First Output
FTP File Transfer Protocol
G
GARP Generic Attribute Registration Protocol
GE Gigabit Ethernet
GMRP GARP Multicast Registration Protocol
GPS Global Positioning System
GVRP Generic VLAN Registration Protocol
H
HDLC High-level Data Link Control
HTTP Hyper Text Transfer Protocol
I
IANA Internet Assigned Numbers Authority
ICMP Internet Control Message Protocol
IE Internet Explorer
IEC International Electro technical Commission
IEEE Institute of Electrical and Electronics Engineers

570
Raisecom
IETF Internet Engineering Task Force

IGMP Internet Group Management Protocol
IP Internet Protocol
IS-IS Intermediate System to Intermediate System Routing Protocol
ISP Internet Service Provider
ITU-T International Telecommunications Union - Telecommunication
Standardization Sector
L
LACP Link Aggregation Control Protocol
LACPDU Link Aggregation Control Protocol Data Unit
LAN Local Area Network
LCAS Link Capacity Adjustment Scheme
LLDP Link Layer Discovery Protocol
LLDPDU Link Layer Discovery Protocol Data Unit
M
MAC Medium Access Control
MDI Medium Dependent Interface
MDI-X Medium Dependent Interface cross-over
MIB Management Information Base
MSTI Multiple Spanning Tree Instance
MSTP Multiple Spanning Tree Protocol
MTBF Mean Time Between Failure
MTU Maximum Transmission Unit
MVR Multicast VLAN Registration
N
NMS Network Management System
NNM Network Node Management
NTP Network Time Protocol
NView NNM NView Network Node Management

571
Raisecom
O
OAM Operation, Administration and Management
OC Ordinary Clock
ODF Optical Distribution Frame
OID Object Identifiers
Option 82 DHCP Relay Agent Information Option
OSPF Open Shortest Path First
P
P2MP Point to Multipoint
P2P Point-to-Point
PADI PPPoE Active Discovery Initiation
PADO PPPoE Active Discovery Offer
PADS PPPoE Active Discovery Session-confirmation
PAP Password Authentication Protocol
PDU Protocol Data Unit
PE Provider Edge
PIM-DM Protocol Independent Multicast-Dense Mode
PIM-SM Protocol Independent Multicast-Sparse Mode
PING Packet Internet Grope
PPP Point to Point Protocol
PPPoE PPP over Ethernet
PTP Precision Time Protocol
Q
QoS Quality of Service
R
RADIUS Remote Authentication Dial In User Service
RCMP Raisecom Cluster Management Protocol
RED Random Early Detection
RH Relative Humidity
RIP Routing Information Protocol

572
Raisecom
RMON Remote Network Monitoring

RNDP Raisecom Neighbor Discover Protocol
ROS Raisecom Operating System
RPL Ring Protection Link
RRPS Raisecom Ring Protection Switching
RSTP Rapid Spanning Tree Protocol
RSVP Resource Reservation Protocol
RTDP Raisecom Topology Discover Protocol
S
SCADA Supervisory Control And Data Acquisition
SF Signal Fail
SFP Small Form-factor Pluggable
SFTP Secure File Transfer Protocol
SLA Service Level Agreement
SNMP Simple Network Management Protocol
SNTP Simple Network Time Protocol
SP Strict-Priority
SPF Shortest Path First
SSHv2 Secure Shell v2
STP Spanning Tree Protocol
T
TACACS+ Terminal Access Controller Access Control System
TC Transparent Clock
TCP Transmission Control Protocol
TFTP Trivial File Transfer Protocol
TLV Type Length Value
ToS Type of Service
TPID Tag Protocol Identifier
TTL Time To Live

573
Raisecom
UDP User Datagram Protocol

UNI User Network Interface
USM User-Based Security Model
V
VLAN Virtual Local Area Network
VRRP Virtual Router Redundancy Protocol
W
WAN Wide Area Network
WRR Weight Round Robin

574
Address: Raisecom Building, No. 11, East Area, No. 10 Block, East Xibeiwang Road, Haidian
District, Beijing, P.R.China Postal code: 100094 Tel: +86-10-82883305
Fax: 8610-82883056 http://www.raisecom.com Email: export@raisecom.com

ISCOM2600G (A) Series Configuration Guide (CLI) (Rel - 12)

Uploaded by

Copyright:

Available Formats

ISCOM2600G (A) Series Configuration Guide (CLI) (Rel - 12)

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ISCOM2600G (A) Series Configuration Guide (CLI) (Rel - 12)

Uploaded by

Copyright:

Available Formats

www.raisecom.

ISCOM2600G (A) Series

is the trademark of Raisecom Technology Co., Ltd.

Product name Software version Hardware version

Indicate a potentially hazardous situation that, if not avoided,

Raisecom Proprietary and Confidential

Book Antiqua Heading 1, Heading 2, Heading 3, and Block are in Book

Raisecom Proprietary and Confidential

Raisecom Proprietary and Confidential

 Updated commands of BootROM, interface management, QoS, DHCP, multicast, storm

Raisecom Proprietary and Confidential

1 Basic configurations ..................................................................................................................... 1

Raisecom Proprietary and Confidential

1.4.2 Upgrading system software through BootROM .................................................................................... 38

Raisecom Proprietary and Confidential

2.4.3 Default configurations of QinQ ............................................................................................................ 98

Raisecom Proprietary and Confidential

2.7.15 Configuring BPDU Guard................................................................................................................. 134

Raisecom Proprietary and Confidential

2.11.9 Example for configuring L2CP ......................................................................................................... 161

3 Ring network protection .......................................................................................................... 181

4 IP services ................................................................................................................................... 191

Raisecom Proprietary and Confidential

Raisecom Proprietary and Confidential

4.7.1 Introduction ......................................................................................................................................... 215

6 DHCP ........................................................................................................................................... 237

Raisecom Proprietary and Confidential

6.1.6 Checking configurations ..................................................................................................................... 243

Raisecom Proprietary and Confidential

6.6.4 Configuring global DHCP Relay ........................................................................................................ 273

7 QoS ............................................................................................................................................... 278

Raisecom Proprietary and Confidential

7.4.4 Checking configurations ..................................................................................................................... 296

8 Multicast ..................................................................................................................................... 324

Raisecom Proprietary and Confidential

8.3.3 Default configurations of IGMP Snooping ......................................................................................... 334

Raisecom Proprietary and Confidential

8.8.7 Configuring MLD filtering ................................................................................................................. 364

9 OAM ............................................................................................................................................ 368

Raisecom Proprietary and Confidential

10.3.8 Checking configurations ................................................................................................................... 408

Raisecom Proprietary and Confidential

10.8 PPPoE+ ...................................................................................................................................................... 441

11 Reliability ................................................................................................................................. 460

Raisecom Proprietary and Confidential

11.2.5 (Optional) configuring FS on interfaces ............................................................................................ 474

12 System management ............................................................................................................... 488

Raisecom Proprietary and Confidential

12.2.10 Example for configuring RMON alarm group ................................................................................ 511

Raisecom Proprietary and Confidential

12.7.8 Checking configurations ................................................................................................................... 550

13 Appendix .................................................................................................................................. 563

Raisecom Proprietary and Confidential

Figure 1-3 Networking with device as Telnet server ............................................................................................ 13

Figure 1-4 Networking with device as Telnet client ............................................................................................. 15

Figure 1-6 Configuring SSH login ....................................................................................................................... 27

Figure 1-7 Basic principles of NTP ...................................................................................................................... 42

Figure 1-8 NTP networking ................................................................................................................................. 50

Figure 2-2 MAC networking ................................................................................................................................ 74