Registered trademark
PIOLINK is a registered trademark of PIOLINK Inc.
Explanatory Notes
The copyright for this guide belongs to PIOLINK. This guide is legally protected by copyright law. Unauthorized extraction or
copying of this guide for any reason, in whole or in part, without the prior written consent of the copyright holder is strictly prohibited.
This user guide is subject to change without notice, in order to improve product functions and correct printing errors.
PIOLINK will bear no legal responsibilities over the damage and property loss that can be directly or indirectly caused by this
user guide and its contents.
Sellers and users need to note that the electromagnetic compatibility of this product is registered for business use. If you have
purchased a wrong product type, please exchange it with a product designed for household use.
TiFRONT User Guide (May. 2014)
Copyright 2002-2014 PIOLINK, Inc. All rights reserved.
TEL: +82-1544-9890/ Web page: http://www.piolink.com
PLOS version
PLOS is the PIOLINK operating system installed in TiFRONT. This guide has been written for TiFRONT with
PLOS-LS-V2.0.1 or a higher version installed. If an earlier PLOS version is installed, the functions described
in this guide may not be supported, or may not work properly even when configured correctly according to
the instructions. The method of updating to the latest version of PLOS is described in Chapter 4, System
Management of this guide.
Configuration examples
The configuration examples provided in this guide are based on TiFRONT-G24/G24P. Therefore, the
illustrated product images and screen shots may differ from those of TiFRONT-F26/F26P, TiFRONT-G48/G48P, and TiFRONT-GX24/GX24P/GX24M.
Caution: A "Caution" explains the circumstances in which data can be lost or the product can malfunction, and also explains how to cope
with those circumstances.
Before Getting Started
Notations of this guide
Notation         Example
bold             # hostname
<Italics>        # ping <ip-address>
[]               [interface <IF-NAME>]
{x | y | z}      (config)# mirroring {enable | disable}
Customer Support
If you need customer service, technical support, or more information on technical training, please contact us
using the following information and we will provide you with the necessary support.
Technical Assistance Center (TAC)
+82-1544-9890
support@piolink.com
Address
TiFRONT User Guide
Guide Contents
The chapters of this guide are composed of the following.
Chapter 1
Introduction to TiFRONT
Chapter 2
Before You Begin
This chapter explains the procedure for accessing TiFRONT through CLI and the basic information about how
to use CLI. Furthermore, TiManager, which is a GUI-based management system for TiFRONT, is introduced.
Chapter 3
Basic Network Configuration
This chapter describes the procedures for configuring the network environment including ports, VLAN, MAC
address, and IP address. If you want to change TiFRONT settings according to your network environment, you
can do so by referring to this chapter.
Chapter 4
System Management
This chapter describes the procedures for setting and using the essential management functions of the
TiFRONT system such as system information view, PLOS update, user authentication and log management.
Chapter 5
This chapter explains the concept of Link Aggregation, the procedure for setting port trunking, and LACP
(Link Aggregation Control Protocol) in TiFRONT.
Chapter 6
SNMP Configuration
This chapter introduces SNMP (Simple Network Management Protocol) and describes the procedure for
setting SNMP in TiFRONT.
Chapter 7
RMON Configuration
This chapter introduces RMON (Remote Monitoring) and describes the procedure for setting RMON in
TiFRONT.
Chapter 8
STP Configuration
This chapter introduces STP (Spanning Tree Protocol), RSTP (Rapid Spanning-Tree Protocol), PVST+ (Per VLAN
Spanning Tree Plus), RPVST+ (Rapid Per VLAN Spanning Tree Plus), and MSTP (Multiple Spanning Tree
Protocol), and describes the procedure for setting STP in TiFRONT.
Chapter 9
This chapter introduces the routing protocols RIP (Routing Information Protocol), OSPF (Open Shortest Path
First), and BGP (Border Gateway Protocol), and describes the procedure for setting each routing protocol in
TiFRONT.
Chapter 10
Failover Configuration
This chapter introduces VRRP (Virtual Router Redundancy Protocol) for failover and the procedure for setting
VRRP in TiFRONT.
Chapter 11
QoS Configuration
This chapter introduces the QoS (Quality of Service) feature of TiFRONT and the procedure for setting QoS in
TiFRONT.
Chapter 12
This chapter describes the concept of IGMP Snooping and the procedure for setting IGMP Snooping.
Chapter 13
Security Configuration
This chapter introduces and describes the procedures for setting the security features of TiFRONT including
DoS/DDoS blocking, Protocol Anomaly blocking, ACL (Access Control List), and system access control.
Contents
TiFRONT User Guide....................................................................................... 1
Before Getting Started...................................................................................................... 3
Guide overview ............................................................................................................. 3
Who should read this guide ......................................................................................................... 3
PLOS version .............................................................................................................................. 3
Configuration examples ............................................................................................................... 3
Notations of this guide ................................................................................................................. 3
Customer Support........................................................................................................................ 4
RSTP............................................................................................................................... 161
Port Status ............................................................................................................................. 161
Changing BPDU Policy ............................................................................................................ 161
Shortening Network Convergence Time................................................................................... 162
Chapter 1
Introduction to TiFRONT
This chapter introduces the major features and characteristics of TiFRONT.
This chapter is composed of the following sections:
Product Overview
Main Features and Characteristics
Product Overview
TiFRONT is a highly efficient L2 switch that forwards traffic from personal PCs or Web servers in a VLAN or
network to a medium-sized switch or router. Besides switching features, TiFRONT also offers security
features that address security issues at the L2 level, the network access level, which is relatively more
vulnerable than L4 and L7.
Various attacks at the network access level can spread to the core level and cause greater security problems.
To address this problem and protect the access level, TiFRONT monitors network traffic in real time and
blocks malicious traffic such as viruses, worms, DoS/DDoS attacks, and IP/ARP spoofing. This prevents
security incidents in the network and enables stable services by improving the security of the entire
network.
The following figure shows an example network configuration using TiFRONT.
Figure: example network configuration. Core level: router, L4 switches, firewalls, and backbone switch.
Access level: TiFRONT, whose security features block attackers and which reports the causes of problems in
real time through TiManager.
As shown in the above configuration diagram, TiFRONT is located at the access level of the network and
guarantees a stable network through intelligent L2 switching technology. Furthermore, its L2 security
features, built on the L2 switching technology, not only prevent the excessive concentration of abnormal
traffic such as worms and DoS/DDoS on the server, which makes the server unable to provide normal
services, but also block malicious attacks at the source, thereby preventing their spread to the core level.
Furthermore, the GUI-based TiFRONT management system TiManager allows you to monitor devices in real
time and remotely set security features, so as to quickly respond to attacks and resolve problems.
Link Aggregation
TiFRONT supports Link Aggregation, a feature that groups multiple ports and uses each group as a logical
port. By grouping multiple ports into one trunk group through Link Aggregation, you can use it as one port
that has a large bandwidth. Furthermore, TiFRONT can implement port trunking through the IEEE 802.3ad
standard and uses LACP (Link Aggregation Control Protocol). LACP is a protocol that allows two or more ports
to work as one trunking group, and you can assign a greater bandwidth to devices that support LACP.
QoS
TiFRONT supports QoS (Quality of Service) feature which differentiates the inflow level depending on the type
of traffic and assigns bandwidth according to the service priority. QoS ensures the network service quality
above a certain level. QoS restricts the occupation of the network by unimportant traffic such as chatting so
as to promote more efficient use of limited network resources.
Security Functions
To improve the stability and availability of the network and maintain the security of the devices themselves,
TiFRONT provides the following security functions.
Basic Security Functions
In addition to the user ID and password registered in the device, TiFRONT allows you to set a per-port user
authentication policy based on IEEE 802.1x for basic security. Furthermore, it uses the RADIUS (Remote
Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access Control System+)
protocols to provide user authentication for external access through Telnet, the Web, or the console. Using a
user authentication protocol enhances the security level of system and network management. Furthermore,
TiFRONT can use SSH (Secure Shell) for network security. SSH improves network security because all data
are encrypted.
DoS/DDoS Blocking
DoS/DDoS blocking is to block the DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks
which delay or paralyze normal services by attacking the structural weaknesses of the system or network.
The DoS/DDoS blocking feature allows you to protect the network from DoS/DDoS attacks such as
TCP/UDP/ICMP Flooding, IP/ARP Spoofing, and Port Scan.
Protocol Anomaly Blocking
Protocol Anomaly Blocking blocks abnormal traffic that violates standard protocols such as TCP, UDP, and
ICMP. The Protocol Anomaly Blocking feature allows you to protect the network from the LAND, Invalid TCP
Flag, TCP/ICMP Fragment, and Smurf attacks.
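As an added example (Python, not PIOLINK's code), the following classifier applies the four protocol-anomaly categories named above to constructed packet summaries; the Packet layout, the list of invalid flag combinations and the local subnet are assumptions, and fragmented TCP/ICMP traffic is reported as its own category, as the guide lists it.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

# TCP flag bits in the order they appear in the header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG


@dataclass(frozen=True)
class Packet:
    """Minimal packet summary (assumed layout): only the header fields the checks need."""
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0
    frag_offset: int = 0             # IP fragment offset (8-byte units); > 0 means a later fragment
    more_fragments: bool = False     # IP MF bit; set on every fragment except the last
    icmp_type: Optional[int] = None  # 8 = echo request


def classify(pkt: Packet, local_nets: List[IPv4Network]) -> List[str]:
    """Return the anomaly categories a packet falls into (empty list = looks normal)."""
    findings: List[str] = []

    # LAND: source and destination address/port are identical, so the victim answers itself.
    if pkt.src == pkt.dst and pkt.sport == pkt.dport:
        findings.append("LAND")

    # Invalid TCP Flag: combinations that never occur in a legitimate exchange.
    # Only the first fragment carries the TCP header, so later fragments are skipped here.
    if pkt.proto == "tcp" and pkt.frag_offset == 0:
        f = pkt.tcp_flags & ALL_FLAGS
        if f & SYN and f & FIN:
            findings.append("Invalid TCP Flag (SYN+FIN)")
        elif f & SYN and f & RST:
            findings.append("Invalid TCP Flag (SYN+RST)")
        elif f == 0:
            findings.append("Invalid TCP Flag (null)")
        elif f & (FIN | PSH | URG) == (FIN | PSH | URG):
            findings.append("Invalid TCP Flag (FIN+PSH+URG)")

    # TCP/ICMP Fragments: fragmented TCP or ICMP is treated as anomalous, because the
    # fragments hide the transport header from the other checks.
    if pkt.proto in ("tcp", "icmp") and (pkt.frag_offset > 0 or pkt.more_fragments):
        findings.append(f"{pkt.proto.upper()} Fragment")

    # Smurf: ICMP echo request sent to a broadcast address so that every host replies.
    if pkt.proto == "icmp" and pkt.icmp_type == 8:
        dst = IPv4Address(pkt.dst)
        if dst == IPv4Address("255.255.255.255") or any(
            dst == net.broadcast_address for net in local_nets
        ):
            findings.append("Smurf (ICMP echo to broadcast)")
    return findings


# Constructed sample traffic (not a real capture); 10.0.0.0/24 is the assumed local subnet.
LOCAL_NETS = [IPv4Network("10.0.0.0/24")]
SAMPLE_PACKETS: Dict[str, Packet] = {
    "land":      Packet("10.0.0.5", "10.0.0.5", "tcp", 80, 80, SYN),
    "syn_fin":   Packet("198.51.100.7", "10.0.0.5", "tcp", 40000, 22, SYN | FIN),
    "null":      Packet("198.51.100.7", "10.0.0.5", "tcp", 40001, 22, 0),
    "icmp_frag": Packet("203.0.113.9", "10.0.0.5", "icmp", frag_offset=185),
    "smurf":     Packet("10.0.0.5", "10.0.0.255", "icmp", icmp_type=8),
    "normal":    Packet("198.51.100.7", "10.0.0.5", "tcp", 40002, 443, SYN),
}


def scan(packets: Optional[Dict[str, Packet]] = None,
         local_nets: Optional[List[IPv4Network]] = None) -> Dict[str, List[str]]:
    """Classify every packet; the result maps each sample label to its findings."""
    packets = SAMPLE_PACKETS if packets is None else packets
    local_nets = LOCAL_NETS if local_nets is None else local_nets
    return {name: classify(p, local_nets) for name, p in packets.items()}


if __name__ == "__main__":
    for name, findings in scan().items():
        print(f"{name:10s} -> {findings or ['ok']}")
```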
ACL (Access Control List)
ACL filters packets by inspecting the source IP address, destination IP address, source port number,
destination port number, and protocol. ACL allows you to improve security by blocking unauthorized network
or user packets and intercepting unnecessary traffic, thus enhancing network availability.
System Access Control
The system access control only allows specific packets to be received in order to protect the system. The
system access control feature can prevent unauthorized users from accessing TiFRONT and viewing
information or arbitrarily changing the settings.
Chapter 2
Before You Begin
This chapter explains the procedure for accessing TiFRONT through CLI and the basic information about how
to use CLI, as well as the command mode of TiFRONT. Furthermore, TiManager, which is a GUI-based
management system for TiFRONT, is introduced.
This chapter is composed of the following contents:
Accessing CLI
How to Use Basic CLI
Command Mode
Introduction to TiManager
Accessing CLI
Booting TiFRONT
When you power on TiFRONT, it boots in the following sequence, after which the login prompt appears.
Check the software version.
Hardware reset power test
TiFRONT login prompt
When logging in for the first time, you must use the default root user account. The ID and password of the
root user account are root and admin, respectively. Root has administrator permissions, so if you log in to
the root account, you can monitor the system status and change the settings.
Because root and admin are commonly used as the ID and password, you must change the user ID and password
after logging in to TiFRONT for security. The procedure for changing the user ID and password of TiFRONT is
described in Chapter 4, System Management of this guide.
Note: If you fail to log in with an ID three times, you cannot log in with the ID for 3 minutes.
Key                    Function
Ctrl+A
Ctrl+C                 Stop the current command and return to the initial prompt.
Ctrl+D
Ctrl+E
Ctrl+K                 Erase the characters from the cursor position to the end of the command.
Ctrl+P, up arrow
Ctrl+W
Command Modes
The CLI of TiFRONT has various command modes such as User, Privileged, Configuration, etc. Each mode
limits access according to user level and provides different commands for the configuration and maintenance
of TiFRONT and for network monitoring. You can check the available commands in the current command
mode by entering ? at the system prompt.
The following table describes the command modes supported by the CLI of TiFRONT and the tasks that can
be performed in each command mode.
Command Mode                      Description
User Mode                         This is the default mode that appears when you log in to TiFRONT. User Mode is
                                  provided to every user who logs in to the system, and only read permission is given.
                                  Only limited CLI commands, such as checking the settings, can be used; the system
                                  settings cannot be changed.
Privileged Mode                   To have system setting permission in addition to read permission, you must enter
                                  Privileged mode. You enter Privileged mode with the enable command in User Mode.
                                  When you enter Privileged mode, the system prompt changes from > to #. You can
                                  change the terminal settings and check the network status and system information
                                  in Privileged mode.
Configuration mode                In Configuration mode, you can change the settings of TiFRONT and enter other
                                  configuration modes to configure VLAN, LACP, and SNMP. You enter Configuration mode
                                  from Privileged mode with the configure terminal command. When you enter
                                  Configuration mode, the system prompt changes from # to (config)#.
Interface configuration mode      In this mode, you can configure the functions of specific ports or a VLAN interface.
QoS configuration mode            In this mode, you can configure the various QoS (Quality of Service) functions that are
                                  supported by the system.
Class-map configuration mode      You can specify the class map to which the QoS function will be applied.
Policy-map configuration mode     In this mode, you can configure the policy map to apply to the class defined in the
                                  class-map configuration mode. The policy map sets the QoS action.
Note: TiFRONT recommends Single-Access, which allows only one user (session) in Configuration mode by default. If two or more users
need to access Configuration mode simultaneously, the configure terminal force command is run.
To enter each command mode, you must run the command in a specific mode. The following table shows the
prompt of each command mode, the commands used to enter specific command modes, and the modes that
can run the command.
Command Mode                          Prompt                      Command Running Mode             CLI Command
User mode                             >                           None (default mode at log in)
Privileged mode                       #                           User mode                        enable
Configuration mode                    (config)#                   Privileged mode                  configure terminal
Interface configuration mode          (config-if-<IF-NAME>)#      Configuration mode               interface <IF-NAME>
QoS configuration mode                (config-qos)#               Configuration mode               qos
Class-map configuration mode          (config-qos-cmap)#
Policy-map configuration mode         (config-qos-pmap)#
Policy-map-class configuration mode   (config-qos-pmap-class)#    Policy-map configuration mode    class <class-map-name>
Note: To enter the <Interface configuration mode> of a port, you can specify a range of ports by using the command interface range
<WORD>. To specify two or more ports in <WORD>, separate them with a comma (,). To specify consecutive ports, use a hyphen (-).
(config)# interface range ge1-5
(config-if-range)#
(config)# interface range ge2,4
(config-if-range)#
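As an added example (Python, not PIOLINK's own parser), the following function expands the interface range notation shown above into individual port names; the rule that the ge prefix may be omitted after the first item and the 24-port limit are assumptions.

```python
import re
from typing import List

# A port name is a lower-case type prefix followed by its number, e.g. ge1 (assumed naming).
PORT_RE = re.compile(r"^([a-z]+)(\d+)$")


def _port_number(token: str, prefix: str) -> int:
    """Accept 'ge4' or a bare '4' (the prefix may be omitted after the first item)."""
    m = PORT_RE.match(token)
    if m:
        if m.group(1) != prefix:
            raise ValueError(f"port type {m.group(1)!r} does not match {prefix!r}: {token!r}")
        return int(m.group(2))
    if token.isdigit():
        return int(token)
    raise ValueError(f"malformed port: {token!r}")


def parse_interface_range(spec: str, prefix: str = "ge", max_port: int = 24) -> List[str]:
    """Expand a range spec such as 'ge1-5' or 'ge2,4' into individual port names.

    Items are separated by ',' and an inclusive range is written with '-', as in the
    guide. Duplicates are dropped and the result is sorted. A descending range, a
    malformed item or a port outside 1..max_port raises ValueError (max_port=24
    assumes a 24-port unit).
    """
    if not spec or not spec.strip():
        raise ValueError("empty interface range")
    numbers = set()
    for item in spec.split(","):
        item = item.strip()
        lo, sep, hi = item.partition("-")
        start = _port_number(lo, prefix)
        end = _port_number(hi, prefix) if sep else start
        if start > end:
            raise ValueError(f"descending range: {item!r}")
        numbers.update(range(start, end + 1))
    bad = sorted(n for n in numbers if n < 1 or n > max_port)
    if bad:
        raise ValueError(f"ports outside 1-{max_port}: {bad}")
    return [f"{prefix}{n}" for n in sorted(numbers)]


if __name__ == "__main__":
    for spec in ("ge1-5", "ge2,4", "ge1-3,ge7,9-10"):
        print(f"{spec:16s} -> {parse_interface_range(spec)}")
```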
The following shows the commands used to stop the current mode and return to the previous mode or move
to <Privileged mode>.
Command
Description
end
exit
The following table describes the command modes and the corresponding commands when logging out of
TiFRONT. You must enter the commands in <User mode> or <Privileged mode> in order to log out.
Command Mode          Command
User Mode             logout or exit
Privileged Mode       logout
Introduction to TiManager
TiManager is the TiFRONT management tool that allows you to effectively manage devices by monitoring the
events of network devices and the security information of the network through the GUI environment.
TiManager allows you to remotely manage multiple devices and configure the security features of TiFRONT.
TiManager stores the log files and other information received from the monitored devices in a database. It
monitors the device status and security status through the database and generates alarms or reports when
the received log information matches the alarm setting.
Because this process is automatically carried out in TiManager, the time for managing and analyzing log files
by security or network administrators is saved. You can use this saved time to analyze the network security
status based on the information provided by TiManager and establish measures to prevent security risks so
as to more safely protect the network.
Note: For details about the procedures for installing and using TiFRONT, please see the TiManager Server Installation Guide, which is supplied
together with this guide.
Chapter 3
Basic Network Configuration
This chapter explains the basic configuration setup for TiFRONT. As TiFRONT is shipped with its basic
configuration, you can use this product without configuring it as described in this chapter. However, if you
want to change the device settings according to your network environment, you can do so by referring to this
chapter.
This chapter is composed of the following parts:
Port Setting
VLAN Setting
Voice VLAN Setting
MAC Address Setting
IP Address Setting
ARP Table Setting
Console Data Transmission Speed Setting
Port Mirroring Setting
Port Failover Setting
DHCP Setting
NetBIOS Filtering
DHCP Filtering
Network Connection Check
PoE Setting
Packet Monitoring
sFlow Setting
Port Setting
In order to exchange data normally with the other device connected to a TiFRONT port, the following port
properties must be set correctly.
Speed
Set the speed of the cable to be connected to the port of TiFRONT.
Transmission Mode (Duplex Mode)
Select the data transmission mode between Half Duplex Mode and Full Duplex Mode. In Half Duplex Mode,
which works like a walkie-talkie, only one device can send data while the other device is receiving the data. In
Full Duplex Mode, which works like a telephone, both devices can send data to each other simultaneously.
MDI/MDI-X
MDI (Medium Dependent Interface) and MDIX (Medium Dependent Interface with Crossover) are connector
types for the Ethernet port. You must use a crossover cable if the connector type is identical to that of the
other port (MDI-MDI, MDIX-MDIX); otherwise (MDI-MDIX, MDIX-MDI), you must use a straight-through cable.
Flow Control
Flow control controls the packet flow when packets are exchanged between two devices. If the port of each
device receives more packets than the limit, the packets are lost. Flow control is used to prevent this by
controlling the packet flow. Packet loss caused by differences in packet processing speeds between the
sender and receiver is avoided by sending a control packet (pause packet) to the device that transmits more
packets than the limit.
Port Operation Status (Interface Enable/Disable)
Individually enable or disable the Ethernet ports of TiFRONT. The enabled ports work, and the disabled ports
do not work.
By default, all the ports of TiFRONT are set as follows.
Item                   Default Setting
Negotiation            AUTO
Transmission mode      Full Duplex
Operation status       Enabled
Description
Set the port speed in Mbps.
  auto: The speed of the other device's port is identified and the speed is set automatically so that the two
  ports use the optimum common speed.
Description
Set the port transmission mode to Full Duplex or Half Duplex.
Note: If you set the transmission mode when Auto negotiation is enabled, Auto negotiation will be disabled.
MDI/MDI-X Setting
You can set the MDI/MDI-X of a port only on TiFRONT-G48/G48P, not on TiFRONT-F26/F26P/G24/G24P. To
set the MDI/MDI-X of a port, use the following command in <Interface Configuration Mode>.
Command
mdi-mdix {auto | mdi | mdix}
Description
Set the MDI/MDI-X of the port.
Note: You must use a crossover cable if the settings of the two ports are identical (MDI-MDI, MDIX-MDIX); otherwise (MDI-MDIX, MDIX-MDI), you
must use a straight-through cable. If this is set to 'auto', you can use either of the two cables.
Caution: If the speed or transmission mode of a port is not set to auto, you cannot set MDI/MDI-X to auto. In other words, if you directly set the
speed or transmission mode of a port, you must also set the MDI/MDI-X explicitly.
Command          description
Description      Enter the port description input mode. When the message "Enter TEXT message" appears, enter a
                 description.
Note: To delete the port description, run the no description command in <Interface Configuration Mode>.
Jumbo-frame Setting
The frame size range accepted in a standard Ethernet environment is from 64 bytes to 1518 bytes, so devices
do not handle frames outside this range. With TiFRONT, however, you can enable jumbo-frame to receive frames larger than 1518 bytes.
To set jumbo-frame and receive packets that are larger than 1518 bytes, use the following command in
<Interface Configuration Mode>.
Command
jumbo-frame {on | off}
Description
Select whether or not to receive jumbo-frames.
Description
Enable or disable the flow control function of the port.
receive
Description
Enable Storm Control and set the threshold value.
<LEVEL>          Setting range: 0~10000000 (pps)
Note: To disable Storm Control, run the no storm-control {broadcast | multicast | dlf} command in <Interface Configuration
Mode>.
Description
Enable or disable the Port Smart Auto-negotiation function.
Note: The copper/fiber combo port does not support the Port Smart Auto-negotiation function. If you use a 4-strand UTP cable, the combo
port and the other device may not be interconnected normally. Therefore, you are advised to use an 8-strand UTP cable or a general copper port.
Note: To use the Port Smart Auto-negotiation function, the port speed must be set to auto.
Description
Note: In order to use the port EEE function, the other device to be connected must support port EEE as well.
Aggressive mode
Note: In order to use the UDLD function, the other device to be connected must support UDLD as well.
You can set the UDLD message interval by using the following command in <Interface Configuration Mode>.
The same UDLD message interval is applied to every port.
Command          udld message interval <1-90>
Description      Set the UDLD message transmission interval.
<1-90>           Setting range: 1 ~ 90 sec, default value: 15 sec
Note: To reset the UDLD message interval, run the no udld message interval command in <Interface Configuration Mode>.
You can enable the UDLD function for a port by running the following command in <Interface Configuration
Mode>.
Command          udld port [aggressive]
Description      Enable the UDLD function of a port. To set Aggressive mode, enter aggressive.
Note: To disable UDLD, run the command no udld port in <Interface Configuration Mode>. To change the port from aggressive to normal mode,
run the command no udld port aggressive.
Note: In the case of TiFRONT-F26/F26P, you can enter 1 or 2 in <1-4> of the command show port-sfp because there are two fiber ports. In the case of
TiFRONT-G24/G24P, you can enter 1 to 4 because there are four fiber ports.
Description
Shows the port name and the pair information of the UTP cable.
Shows the UTP cable state and the pair state of the UTP cable.
Ok:
Open:
Short:
Open-Short: At least one of the pairs of cables is not connected and at least one of
the pairs is shorted.
Crosstalk:
Unknown:
Pair Count
Fuzz
Shows the error range of the UTP cable length. (Only works with the fast Ethernet port.)
Cable Length
Caution: When you run the command show cable-diagnostic [<IFNAME>], the port link is temporarily shut down and switched on again to
check the cable status.
Configuration examples
In this example, the port state was queried with the ge1 port set as shown in the following table.
Configuration item        Set value
Speed                     100
Transmission mode         full
Jumbo-frame               on
In the next example, the flow control and storm control information was queried with the ge1 port set, as
shown in the following table.
Configuration item                   Set value
Flow Control        Receive          on
                    Send             on
Storm Control       Broadcast        100000
                    Multicast        100000
                    DLF              100000
VLAN Setting
VLAN is a virtual logical group of networks based on ports regardless of the physical locations of hosts. VLAN
with one broadcast domain has the same properties as a physical LAN. With VLAN, you can divide one
network into multiple broadcast domains or integrate them into groups for network management.
The nodes connected to the VLAN do not have to be physically connected to the same switch or in the same
area. The hosts in a VLAN behave as if connected to the same bridge or switch, but in actuality, they may be
connected to different switches in different buildings and still be on the same VLAN.
The following figure shows an example of one LAN in a building
(http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_1/confg_gd/vlans.htm - 1041592)
divided by ports into three VLANs. In this figure, the host group connected to port no.1 of the switch is VLAN
A, the host group connected to port no.2 of the switch is VLAN B, and the host group connected to port no.3
of the switch is VLAN C.
Because VLAN allows us to restrict broadcast domains to each logical group, the total broadcast traffic
decreases while the available network bandwidth increases. Furthermore, because the resources (hosts and
network devices) do not need to be physically in the same area, it is easier to manage resources.
VLAN ID
In TiFRONT, you can create 4093 VLANs. You can set VLAN IDs between 2 and 4094 in TiFRONT.
Default VLAN
Every port belongs to the default VLAN. The name, ID, and port of the default VLAN are 'default', '1', and
'untagged port', respectively, and it uses every port. Because TiFRONT supports overlapped VLANs, one port
can be included in multiple VLANs.
Switchport
In order for a TiFRONT port to function as an L2 switch port, you must set the port as a switch port. You can
set a switch port in Access, Trunk, or Hybrid mode depending on the application. In Access mode, you can set
only one VLAN per port, and traffic is transmitted to this VLAN only. In Trunk or Hybrid mode, however, you
can set multiple VLANs for one port and send traffic to multiple VLANs through the port.
Figure: VLAN types (IP address-based VLAN, port-based VLAN).
VLAN Settings
Creating VLAN and Setting Port Mode
You can create a VLAN and set a port mode by using the following commands in <Configuration Mode>.
No.   Command                                      Description
1     vlan <2-4094>                                Create a VLAN.
      <2-4094>                                     VLAN ID
2     interface <IFNAME>                           Enter the <Interface Configuration Mode> of the port.
3     switchport mode {access | trunk | hybrid}    Set the switchport mode of the port.
      hybrid:
Note: To delete the VLAN, run the command no vlan <2-4094> in <Configuration Mode>.
Access Mode
If the switchport mode is set to Access, run the following command in <Interface Configuration Mode> to
add a port to VLAN.
Command
switchport access vlan <2-4094>
Description
Add a port to VLAN in Access mode. You can set this only
if the VLAN is already created.
Trunk Mode
If the switchport mode is set to Trunk, run the following commands in <Interface Configuration Mode> to
add, exclude, or remove a port to/from VLAN.
No.   Command                                          Description
1     switchport trunk allowed vlan add <VLAN_ID>
      switchport trunk allowed vlan all
      <VLAN_ID>
2     switchport trunk native vlan <VLAN_ID>           Set the PVID of the port. The PVID determines the VLAN to
                                                       which untagged frames received on the port belong.
Hybrid Mode
If the switchport mode is set to Hybrid, run the following commands in <Interface Configuration Mode> to
add, exclude, or remove a port to/from VLAN.
No.   Command                                                                       Description
1     switchport hybrid allowed vlan add <VLAN_ID> egress-tagged {enable | disable}
      switchport hybrid allowed vlan except <VLAN_ID>
      switchport hybrid allowed vlan remove <VLAN_ID>
      disable:
Note: To remove a port from the VLAN, run the command no switchport {access vlan | trunk native | hybrid vlan} in the
<Interface Configuration Mode> of the port.
Command                                        Description
vlan classifier rule <1-256> mac <WORD>        Generate rules for the MAC address-based VLAN.
                                               <1-256>: VLAN rule ID. Setting range: 1 ~ 256
                                               <WORD>: MAC address for applying VLAN
                                               <2-4094>: VLAN ID to apply if the rule is satisfied.
                                               Setting range: 2 ~ 4094
vlan classifier rule <1-256> ipv4              Generate rules for IP address-based VLAN.
                                               <1-256>: VLAN rule ID. Setting range: 1 ~ 256
vlan classifier rule <1-256> proto             snapllc:
                                               nosnapllc:
                                               <2-4094>: VLAN ID to apply if the rule is satisfied. Setting range: 2 ~ 4094
Description
Add/delete a VLAN rule to/from the VLAN group. You can add up to 256 VLAN rules to one VLAN group.
<1-16>
delete:
Description
Note: You can set one VLAN group for each port. To change a VLAN group, you must cancel the current VLAN group by using the command no
vlan classifier activate <1-16> before resetting it.
Note: If a MAC address/IP address-based VLAN is applied to one port, it is applied to all ports.
To view the interface information for which a VLAN group is set, run the command show vlan classifier interface group
[<1-16>] in <User Mode> or <Privileged Mode>.
Configuration examples
In this example, the settings were queried for VLANs composed of ge1 to ge5 ports, as shown in the
following table.
Composition of VLANs
VLAN       Ports
v1         ge1, ge2, ge5
v2         ge3, ge4, ge5
v3         ge4, ge5

Port       Mode       PVID
ge1        Access
ge2        Access
ge3        Trunk
ge4        Trunk
ge5        Hybrid

(config-if-ge1)# exit
(config)# interface ge2                         Enter the <Interface Configuration Mode> of ge2 port.
(config-if-ge2)# switchport mode access         Set to access mode.
(config-if-ge2)# switchport access vlan 2       Add ge2 to VLAN 2 (v1).
(config-if-ge2)# exit
(config)# interface ge3                         Enter the <Interface Configuration Mode> of ge3 port.
(config-if-ge3)# switchport mode trunk          Set to trunk mode.
(config-if-ge3)# exit
(config)# interface ge4                         Enter the <Interface Configuration Mode> of ge4 port.
(config-if-ge4)# switchport mode trunk          Set to trunk mode.
(config-if-ge4)# exit
(config)# interface ge5                         Enter the <Interface Configuration Mode> of ge5 port.
(config-if-ge5)# switchport mode hybrid         Set to hybrid mode.
-------------------------------------------------------------------
PORT              | ge              111111111122222
                  |    123456789012345678901234
------------------+------------------------------------------------
SWITCH MODE       |    AATTHAAAAAAAAAAAAAAAAAAA
------------------+------------------------------------------------
default   (    1) |    ..TttUUUUUUUUUUUUUUUUUUU
v1        (    2) |    UU..t...................
v2        (    3) |    ..tTT...................
v3        (    4) |    ...tt...................
-------------------------------------------------------------------
SWITCHPORT
Command
voice vlan <2-4094>
    Create a VLAN to be used as voice VLAN.
    <2-4094>
specified value.
    <0-63>    Setting range: 0 ~ 63. Default value: 46
Specify the CoS value to be applied to the send packet. For IP phones that support LLDP-MED, its CoS is changed to the specified value.
    <0-7>     Setting range: 0 ~ 7. Default value: 5
voice vlan oui <WORD> mask <WORD> vender <WORD>
    Set the OUI, OUI mask, and vender of the IP phone connected to the port.
    <WORD>    Set the OUI information of the IP phone in the format HHHH.HHHH.HHHH.
    <WORD>    Set the OUI mask of the IP phone in the format HHHH.HHHH.HHHH.
    <WORD>    Set the vender name as a string of up to 32 characters.
For IP phones that support LLDP-MED, its CoS Override option is enabled. If you enable this option, for IP phones that
interface <IFNAME>
Note: To delete the VLAN ID of the Voice VLAN, run the command no voice vlan <2-4094> in <Configuration Mode>.
Note: To delete the OUI information, run the command no voice vlan oui <WORD> mask <WORD> vender <WORD> in <Configuration
Mode>.
Note: To disable the Voice VLAN setting of the port, run the command no voice vlan enable in <Interface Configuration Mode>.
Configuration examples
In this example, the settings were queried with the Voice VLAN set as shown in the following table.
Configuration item    Set value
VLAN ID               100
DSCP code             36
Priority
OUI                   0003.6B00.0000
OUI Mask              FFFF.FF00.0000
Vender                Cisco
Port                  ge10
Description
Add a static MAC address.
<MAC>
MAC address to be added
Note: To delete the MAC addresses in the MAC address table, run the command clear mac address-table {dynamic | static |
multicast} {interface <IFNAME> | vlan <2-4094>} in <Privileged Mode>.
Description
Set the Ageing Time.
<10-1000000>
Setting range: 10 ~ 1,000,000 (sec). (Default value: 300 sec)
Note: To reset the Ageing Time to 300 sec, which is the default value, run the command no mac ageing-time in <Configuration Mode>.
MAC Filtering
TiFRONT supports MAC filtering that restricts unnecessary network traffic by registering MAC filters in the
MAC address table. MAC filtering blocks packets received from a specific interface if they contain the
specified MAC address. If you set a MAC filter, it is registered as a static MAC address in the MAC address
table and is maintained until it is deleted by the user.
Description
Add a MAC filter.
<MAC>
MAC address to be blocked
Note: To delete a MAC filter, run the command no mac address <MAC> discard <IFNAME> [vlan <2-4094>] in <Configuration Mode>.
Description
Set the maximum number of MAC addresses that can
Configuration examples
In the following example, the static MAC address and the MAC filter were set as shown in the following table,
and the Ageing Time was set to 600. Then, the MAC address table information was queried.
Configuration item    MAC address       Port    VLAN
Static MAC address    0002.2ADB.0C77    ge1
MAC filter            001E.8C8F.B333    ge1
IP Address Setting
You must set IP addresses for TiFRONT in order to communicate with other network devices, access TiFRONT
through a Telnet session, and to remotely manage it through the SNMP protocol. Carry out the following
procedure to set the IP address for TiFRONT.
Enable/Disable Interface
To set an IP address for a VLAN interface, you must first make sure that the interface is enabled for
communication. If it is disabled, no communication can be made through the interface. To check if an
interface is enabled, run the command show running-config in <Privileged Mode> or <Configuration
Mode>.
The VLAN interface is enabled by default. If the VLAN interface is disabled, you can enable it by using the
following commands in <Configuration Mode>.
No.
Command
Description
interface <IFNAME>
no shutdown
Note: You can disable the interface by using the shutdown command in <Interface Configuration Mode>.
Description
ip address <A.B.C.D/M>
Note: To delete an IPv4 address, run the command no ip address <A.B.C.D/M> [secondary] in <Interface Configuration Mode>.
Description
Set an IPv6 address for a VLAN interface. If you use the anycast
option, this address is used for anycast.
Note: To delete an IPv6 address, run the command no ipv6 address <X:X::X:X/M> [anycast] in <Interface Configuration Mode>.
You can add a default gateway by using the following commands in <Configuration Mode>.
Command
ip route {0.0.0.0/0 | 0.0.0.0 0.0.0.0} {<A.B.C.D> | <INTERFACE>} [<1-255>]
ipv6 route ::/0 {<X:X::X:X> | <INTERFACE>} [<1-255>]
Description
Add a default gateway.
<A.B.C.D>      IPv4 address of the default gateway
<X:X::X:X>     IPv6 address of the default gateway
<INTERFACE>    Name of the interface connected to the default gateway
<1-255>        Priority required for selection as the default gateway. The gateway that has the highest
               priority becomes the default gateway. Setting range: 1 - 255 (a smaller value has a higher
               priority)
Note: To delete an IPv4 default gateway, run the command no ip route {0.0.0.0/0 | 0.0.0.0 0.0.0.0} {<A.B.C.D> | <INTERFACE>}
[<1-255>] in <Configuration Mode>.
Note: To delete an IPv6 default gateway, run the command no ipv6 route ::/0 {<X:X::X:X/M> | <INTERFACE>} [<1-255>] in <Configuration Mode>.
You can set a fixed route by using the following commands in <Configuration Mode>.
Command
ip route {<A.B.C.D/M> | <A.B.C.D> <A.B.C.D>} {<A.B.C.D> | <INTERFACE>} [<1-255>]
ipv6 route <X:X::X:X/M> {<X:X::X:X> | <INTERFACE>} [<1-255>]
Description
Set a fixed route.
<A.B.C.D/M>            Destination IPv4 address and subnet mask bit
<A.B.C.D> <A.B.C.D>    Destination IPv4 address and subnet mask
<A.B.C.D>              Gateway IPv4 address
<X:X::X:X/M>           Destination IPv6 address and subnet mask bit
<X:X::X:X>             Gateway IPv6 address
<INTERFACE>
Note: To delete a fixed route from the IPv4 routing table, run the command no ip route {<A.B.C.D/M> | <A.B.C.D> <A.B.C.D>}
{<A.B.C.D> | <INTERFACE>} [<1-255>] in <Configuration Mode>.
Note: To delete a fixed route from the IPv6 routing table, run the command no ipv6 route <X:X::X:X/M> {<A.B.C.D> | <INTERFACE>}
[<1-255>] in <Configuration Mode>.
in <User Mode> or <Privileged Mode>.
Description
Manually enter the neighbor information (IPv6 address and
MAC address).
<IP>
Note: To delete the neighbor information, run the command no neighbor <X:X::X:X> <IFNAME> in <Configuration Mode>.
Note: To check the neighbor information, run the command show ipv6 neighbors in <User Mode> or <Privileged Mode>.
Description
description <LINE>
Note: To delete the interface description, run the no description command in <Interface Configuration Mode>.
Configuration examples
In this example, the IP address and the default gateway of the default VLAN were set as shown in the
following table. Then, the settings were queried.
Default VLAN Setting
Configuration item       Set value
Primary IP address       192.167.201.33/24
Secondary IP address     192.167.201.34/24
Interface Description
Default gateway          192.167.201.1
(config)# exit
Description
Note: To delete a static ARP cache item, run the command no arp <A.B.C.D> in <Configuration Mode>.
Note: To delete a dynamic ARP cache item, run the command clear arp <A.B.C.D> in <Configuration Mode>.
Note: In the ARP table of TiFRONT, you can store up to 10240 ARP data.
Configuration examples
In this example, the following IP address and MAC address were entered in the ARP table, and the settings
were queried.
Configuration item    Set value
IP address            192.168.201.236
MAC address           001E.8C8F.B333
Description
Set the ECMP hash key calculation method. By default, all the three
values are used to calculate the hash key.
ip-dst:
ip-src:
l4port:
Note: To delete the ECMP hash key calculation method, run the command no ecmp {ip-dst | ip-src | l4port} in <Configuration Mode>.
The ECMP function does not work if all ECMP hash key calculation methods are deleted.
Description
Set the console data transmission speed.
Port, and the port that monitors the mirrored port by receiving the traffic of
Mirroring Port
The mirroring port receives all the copied data from the mirrored port. You can use any port of TiFRONT as
the mirroring port except the management Ethernet port. In general, a network analyzer or RMON (Remote
Network Monitoring) is connected to the mirroring port for network monitoring. The mirroring port only
works for receiving data from the mirrored port while it is performing port mirroring. It returns to normal L2
operation if port mirroring is disabled.
Mirrored Port
The mirrored port is the port monitored by the mirroring port. Unlike the mirroring port, the mirrored port
performs normal L2 operation while it is being mirrored. TiFRONT allows the simultaneous setting of
multiple mirrored ports. However, the total bandwidth of the mirrored ports must not exceed the
bandwidth of the mirroring port.
The following figure shows an example of port mirroring in TiFRONT.
[Figure: port mirroring. Ingress traffic of one mirrored port and egress traffic of another mirrored port are copied to the mirroring port.]
In the above figure, port 10 is the port that mirrors the ingress traffic of port 4 (traffic received at TiFRONT)
and the egress traffic of port 12 (traffic sent by TiFRONT). If you connect an IDS (Intrusion Detection System)
server to port 10 to mirror the traffic of ports 4 and 12, you can detect network attacks of ports 4 and 12,
With the port mirroring function of TiFRONT, you can monitor all traffic on the network connected to
TiFRONT. This function is mainly used as a tool for solving problems on the network or for providing better
network security.
ge4
ge5
Mirrored port    Traffic direction
ge10 ~ ge12      Receiving
ge13 ~ ge14      Sending
ge15 ~ ge17      Receiving
ge18 ~ ge20      Sending
ge21 ~ ge22
ge23 ~ ge24
You can set the mirroring rule by using the following command in <Configuration Mode>.
Command
mirror <IFNAME> mirrored <IFNAME> {both | in | out}
Description
Set the mirroring port, mirrored port, and traffic direction to be mirrored.
<IFNAME>    Mirroring port number
<IFNAME>    Mirrored port number
both:
in:
Caution: The sum of the bandwidths of mirrored ports must not be equal to or larger than the bandwidth of the mirroring port. If the sum of the
bandwidths of mirrored ports is larger than the bandwidth of the mirroring port, traffic that is equal to the difference will be lost.
Caution: If PVST+, RPVST+, and MSTP are set, the mirroring port and mirrored ports must belong to the same instance. Because only one VLAN can
be allocated for one instance of PVST+/RPVST+, the mirroring and mirrored ports must belong to the same VLAN. Otherwise, port mirroring does
not work properly.
Note: To delete a mirroring rule, run the command no mirror <IFNAME> mirrored <IFNAME> in <Configuration Mode>.
Note: If the mirrored port is an egress port, the mirrored packets are tagged before they are sent to the mirroring port.
Note: For TiFRONT-G48/G48P, ports are divided into two groups (ge1 ~ ge24, ge25 ~ ge48). When using the port mirroring function in these
products, you must set the mirroring and mirrored ports in the same group.
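As an added example that is not part of the TiFRONT guide, the following Python script checks a mirroring plan against the two cautions above (mirrored bandwidth below the mirroring port's capacity, and the G48 port-group rule) before the mirror commands are typed in. The link speeds, port names and the plan itself are constructed assumptions.

```python
"""Check a port-mirroring plan against the bandwidth and port-group cautions.

Added example, not part of the TiFRONT guide. Link speeds and the plan are
constructed for illustration; a real switch reports its own port speeds.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Mirrored:
    port: str        # mirrored port, e.g. "ge4"
    direction: str   # "in", "out" or "both"
    speed_mbps: int  # link speed of the mirrored port (assumed value)


def port_number(port: str) -> int:
    """'ge12' -> 12; only ge ports are modelled here."""
    if not port.startswith("ge") or not port[2:].isdigit():
        raise ValueError(f"unsupported port name: {port}")
    return int(port[2:])


def port_group(port: str) -> int:
    """TiFRONT-G48/G48P group rule from the note above: ge1~ge24 vs ge25~ge48."""
    return 1 if port_number(port) <= 24 else 2


def mirrored_load_mbps(m: Mirrored) -> int:
    """'both' copies ingress and egress, so it can demand twice the link rate."""
    return m.speed_mbps * (2 if m.direction == "both" else 1)


def check_plan(mirroring_port: str, mirroring_speed_mbps: int,
               mirrored: list, g48: bool = False) -> list:
    """Return a list of problems; an empty list means the plan satisfies the cautions."""
    problems = []
    for m in mirrored:
        if m.direction not in ("in", "out", "both"):
            problems.append(f"{m.port}: direction must be in, out or both")
        if m.port == mirroring_port:
            problems.append(f"{m.port}: a port cannot mirror itself")
        if g48 and port_group(m.port) != port_group(mirroring_port):
            problems.append(f"{m.port}: not in the same port group as "
                            f"{mirroring_port} (G48 rule)")
    total = sum(mirrored_load_mbps(m) for m in mirrored)
    # Caution: the sum of mirrored bandwidths must not be equal to or larger
    # than the mirroring port's bandwidth; the excess is simply lost.
    if total >= mirroring_speed_mbps:
        problems.append(f"mirrored load {total} Mbps reaches mirroring port capacity "
                        f"{mirroring_speed_mbps} Mbps; up to "
                        f"{total - mirroring_speed_mbps} Mbps would be lost")
    return problems


def cli_lines(mirroring_port: str, mirrored: list) -> list:
    """Configuration Mode lines: one 'mirror ... mirrored ...' rule per mirrored port."""
    return [f"mirror {mirroring_port} mirrored {m.port} {m.direction}" for m in mirrored]


# Constructed plan: an IDS sensor on ge10 watches ingress of ge4 and egress of
# ge12 (the figure's example), both 100 Mbps links, on a 1 Gbps mirroring port.
SAMPLE_PLAN = [Mirrored("ge4", "in", 100), Mirrored("ge12", "out", 100)]


def sample_check() -> list:
    return check_plan("ge10", 1000, SAMPLE_PLAN)


if __name__ == "__main__":
    for line in cli_lines("ge10", SAMPLE_PLAN):
        print(line)
    print("problems:", sample_check() or "none")
```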
or <Configuration Mode>.
Configuration examples
In the following example, port mirroring was set and the settings were queried.
Description
Set the port failover group number and port weight.
<1-4>
Enter the number of the port failover group that is
defined in TiFRONT. Setting range: 1 ~ 4
<1-4>
Caution: You cannot set the port failover function for ports for which port trunking or LACP is set.
Note: To delete the port failover setting, run the command no failover-channel-group in <Interface Configuration Mode>.
Configuration examples
In this example, the ports ge1 to ge4 are set as failover group 1 and the port failover setting is queried.
DHCP Setting
DHCP (Dynamic Host Configuration Protocol) is a client/server protocol in which the DHCP server
automatically allocates IP addresses to DHCP clients and manages them. With DHCP, a client can join the
network without knowing the network environment settings (IP address, subnet mask, and DNS server).
Furthermore, limited IP resources are saved because an IP address is allocated only while the DHCP
client is active.
TiFRONT provides the following functions to support the DHCP network environment.
DHCP Server
TiFRONT plays the role of a DHCP server and allocates IP addresses to the connected hosts.
Command
ip dhcp pool <WORD>
Description
Create an IP pool and enter the <DHCP server configuration mode>.
<WORD>        IP pool name
default-router <A.B.C.D>
<A.B.C.D>     Starting IP address of the IP address range
<A.B.C.D>     Ending IP address of the IP address range
lease {<0-30> <0-24> <0-60> | infinite}
Set the lease time in the order of days, hours, and minutes. Default value: 1 (day)
infinite: No time limit
Note: To change the IP address lease time to the default value, run the no lease command.
dns-server <A.B.C.D>
Set the DNS server.
<A.B.C.D>
domain-name <WORD>
fixedaddr <HOSTNAME> <HHHH.HHHH.HHHH> <A.B.C.D>
(Optional)
<HHHH.HHHH.HHHH>    MAC address of the client
<A.B.C.D>           Fixed IP to be allocated to client
Note: To cancel the fixed IP address, run the command no fixedaddr <HOSTNAME>.
Note: To delete an IP pool, run the command no ip dhcp pool <WORD> in <Configuration Mode>.
Note: If a DHCP relay agent is connected, you must additionally set an IP pool whose IP address range and subnet is the IP address and subnet of
the DHCP relay agent.
Interface Setting
You can set a VLAN interface to which the DHCP server function will be applied by using the following
commands in <Configuration Mode>.
Command
ip dhcp server-interface <IFNAME>
Description
Set the VLAN interface to which the DHCP server function will
be applied.
Caution: You must specify the VLAN of the IP range that is identical to the subnet specified in the IP pool. If the IP range is different, the DHCP
server will not work normally.
Note: To delete the specified interface, run the command no dhcp server-interface <IFNAME> in <Configuration Mode>.
Description
service dhcp
Note: You cannot enable the DHCP server function if an IP pool is not set.
Note: To disable the DHCP server function, run the command no service dhcp in <Configuration Mode>.
Description
Reset the IP address allocated to the DHCP client.
<A.B.C.D>
Description
Description
show ip dhcp
Check the enabled status of the DHCP server and the IP pool list.
Description
Note: To reset the DHCP packet statistics, run the command clear ip dhcp statistics in <Configuration Mode>.
Command
ip dhcp-relay
Description
Enter the <DHCP relay configuration mode>.
server-list ip <A.B.C.D>
Set the DHCP servers. You can set up to 8 DHCP servers.
<A.B.C.D/M>
interface-list <IFNAME>
Command
ip dhcp-relay
option82 {append | forward | replace}
Description
If the DHCP request message from the client does not contain the Option-82 information, the Option-82
for all the three methods is added and sent to the DHCP server. When a DHCP request message containing
the Option-82 information is received, it works as follows depending on the specified processing method.
append: The received Option-82 information is maintained and its own Option-82 information is
additionally sent.
forward: The received Option-82 information is sent as it is.
Description
service dhcp-relay
Note: You cannot enable the DHCP relay agent function if the DHCP server function is enabled.
Note: To disable the DHCP relay agent function, run the command no service dhcp-relay in <Configuration Mode>.
<Privileged Mode>.
Configuration examples
In this example, the IP pool and interface of the DHCP server function were set as shown in the following
table. Then, the settings were queried.
IP Pool Setting
Configuration item    Set value
Name                  pool1
Subnet                192.168.200.0/24
Default gateway       192.168.1.1
IP address range      192.168.200.10 ~ 192.168.200.250
Lease time            10 hours
DNS server            192.168.1.3
Domain name           tifront
Interface Setting
Configuration item    Set value
Interface             vlan10
In the next example, the DHCP relay agent function was set as shown in the following table, and then the
settings were queried.
Configuration item    Set value
DHCP Server           192.168.1.5
Interface             vlan10, vlan20
Option-82             forward
(config)# ip dhcp-relay    Enter the <DHCP relay configuration mode>.
(dhcp-relay)# server-list ip 192.168.1.5    Set the DHCP server
(dhcp-relay)# interface-list vlan10    Set the interface
(dhcp-relay)# interface-list vlan20    Set the interface
(dhcp-relay)# option82 forward    Set the Option-82
(dhcp-relay)# exit
(config)# service dhcp-relay    Enable the DHCP relay agent
# show ip dhcp-relay    Show the DHCP relay agent settings
dhcp-relay enabled.
option82 status forward
dhcp-relay listen interface:
vlan10 vlan20
dhcp-server ip:
192.168.1.5
NetBIOS Filtering
In a LAN (Local Area Network) environment, NetBIOS is used for communication between PCs. However,
NetBIOS is a protocol with known security weaknesses. With the NetBIOS filtering function provided by
TiFRONT, you can prevent situations in which personal information is shared unintentionally, protecting privacy.
You can set the NetBIOS filtering function by running the following command in <Interface Configuration
Mode>.
Command
filter netbios
Description
Set the NetBIOS filtering function.
NetBIOS Filtering
To check the NetBIOS filtering settings, run the command show filter netbios in <User Mode>,
DHCP Filtering
DHCP (Dynamic Host Configuration Protocol) is a protocol that automatically allocates IP addresses to
DHCP clients and manages them.
However, if a DHCP client is connected to a device that can act as another DHCP server, such as an IP
sharer (a home router running its own DHCP server), communication may be disrupted. In this case, you can
use the DHCP filtering function to prevent DHCP request and reply packets from being sent to that device
so that DHCP services can be provided normally.
You can set the DHCP filtering function by running the following command in <Interface Configuration
Mode>.
Command
filter dhcp {request | reply}
Description
Set the DHCP filtering function.
Caution: The DHCP server and the DHCP relay agent functions do not work if the DHCP filtering is set for a port.
Command
ping
Description
Perform network connection test for a host using the following options.
Protocol                   IP address version to be used for connection test. ip: IPv4, ipv6: IPv6. Default value: ipv4
Target IP address          IP address of the host for connection test
Repeat count
Type of service            Type of service field value of the IP header. (Default value: 0)
Set DF bit in IP header    DF bit value setting of the IP header. n: Not used, y: Used (Default value: n)
Data pattern               Data pattern carried in the ping packets. (Default value: 0xABCD)
ping <WORD> [src <WORD>]
Perform network connection test for a host.
<WORD>
Configuration examples
The following is an example of ping connect test.
# ping 125.7.199.131    Ping connection test for 125.7.199.131 (www.piolink.com)
PING 125.7.199.131 (125.7.199.131) 56(84) bytes of data.
64 bytes from 125.7.199.131: icmp_seq=1 ttl=107 time=72.0 ms
64 bytes from 125.7.199.131: icmp_seq=2 ttl=107 time=70.9 ms
64 bytes from 125.7.199.131: icmp_seq=3 ttl=107 time=79.3 ms
64 bytes from 125.7.199.131: icmp_seq=4 ttl=107 time=74.4 ms
64 bytes from 125.7.199.131: icmp_seq=5 ttl=107 time=74.5 ms
64 bytes from 125.7.199.131: icmp_seq=6 ttl=107 time=59.1 ms
64 bytes from 125.7.199.131: icmp_seq=7 ttl=107 time=45.8 ms
64 bytes from 125.7.199.131: icmp_seq=8 ttl=107 time=68.5 ms
command. The packet route tracking uses the TTL (Time To Live) field in the IP header. A packet with a
set TTL field value is sent, and the router and server that receive the packet are asked to send a return
message.
The detailed process of packet route tracking is described below. It begins when a datagram with the
TTL field value set to 1 is sent to the destination host through UDP (User Datagram Protocol). The router
drops the datagram if the TTL of the received packet is 1 or 0, and sends a time-exceeded message through
ICMP (Internet Control Message Protocol) to the sender of the packet. The sender receiving the
time-exceeded message checks the source address field of the time-exceeded message and finds the IP
address of the first hop.
To identify the next hop, the sender sends the UDP packet again with the TTL value set to 2. The first router
forwards the data to the next router after subtracting 1 from the TTL value. After finding that the TTL value
is 1, the second router discards the data and sends a time-exceeded message to the sender. This process
continues until the TTL value becomes sufficient for the datagram to reach the destination host or the TTL
reaches the maximum. When the packet arrives at the final destination, an echo response message is sent
through the ICMP protocol instead of the time-exceeded message.
To determine when the datagram has arrived at the destination host, the traceroute command sets the
UDP destination port to a large value that the destination host is not likely to use. If a datagram is received
on an unrecognized port number, the host sends a port unreachable error message to the sender through
ICMP. This message shows the host tracing the route that the destination has been reached.
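The TTL probing sequence described above, worked through as an added Python simulation that is not part of the guide. The hop addresses are taken from the guide's traceroute example; the silent fourth hop (shown there as "* * *") is given the constructed placeholder address 198.51.100.4.

```python
"""Simulate TTL-based route tracking: probes with TTL 1, 2, 3, ... until the
destination answers with ICMP port unreachable.

Added example, not part of the TiFRONT guide. The path is constructed; the
placeholder 198.51.100.4 stands for a router that drops expired datagrams
without sending a time-exceeded message.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    address: str
    replies: bool = True  # False: drops the datagram but sends no time-exceeded


def send_probe(path, dest, ttl):
    """One UDP probe with the given TTL towards an unused port on dest.

    Returns ('time-exceeded', router), ('port-unreachable', dest) or ('timeout', None).
    """
    for hop in path:
        ttl -= 1                 # each router subtracts 1 from the TTL
        if ttl <= 0:             # expired here: the router discards the datagram
            return ("time-exceeded", hop.address) if hop.replies else ("timeout", None)
    # The datagram reached the destination; nothing listens on the large UDP
    # port chosen by traceroute, so the host answers with ICMP port unreachable.
    return ("port-unreachable", dest)


def traceroute(path, dest, max_ttl=30, probes=3):
    """Return [(ttl, address or '*'), ...] using the table's defaults (30 hops, 3 probes)."""
    trace = []
    for ttl in range(1, max_ttl + 1):
        answers = [send_probe(path, dest, ttl) for _ in range(probes)]
        address = next((a for _, a in answers if a is not None), "*")
        trace.append((ttl, address))
        if any(kind == "port-unreachable" for kind, _ in answers):
            break                # destination reached: stop increasing the TTL
    return trace


# Constructed path mirroring the guide's example output (hop 4 does not reply).
SAMPLE_PATH = [Hop("192.168.201.1"), Hop("192.168.200.252"),
               Hop("172.16.1.11"), Hop("198.51.100.4", replies=False)]
SAMPLE_DEST = "125.7.199.131"


def sample_trace():
    return traceroute(SAMPLE_PATH, SAMPLE_DEST)


if __name__ == "__main__":
    for ttl, address in sample_trace():
        print(f"{ttl:2d}  {address}")
```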
To trace the route of the packets sent to a remote host, run the following command in <Privileged Mode>.
Command
traceroute
Description
Trace the route of the packets sent to the host using the following options.
Protocol                IP address version to be used for route tracking. ip: IPv4, ipv6: IPv6. Default value: ip
Target IP address       IP address of the host for tracing the route
Source address          Source IP address
Numeric Display         Whether or not to show only the IP address of the route in the result.
                        n: IP address only, y: Host name and IP address. Default value: n
Timeout in seconds      Response waiting time. Default value: 2 (sec)
Probe count             Number of packets to be sent through one route for route tracking. Default value: 3
Maximum time to live    Maximum TTL value of the route tracking packet. Default value: 30
Port Number             Number of the UDP destination port to be used for route tracking. Default value: 33434
traceroute <WORD>
Trace the route of the packets sent to the host.
<WORD>                  IP address or domain name of the host for route tracking.
Configuration examples
The following is an example of packet route tracking.
# traceroute 125.7.199.131    Route tracking for 125.7.199.131 (www.piolink.com)
traceroute to 125.7.199.131 (125.7.199.131), 30 hops max, 46 byte packets
1 192.168.201.1 (192.168.201.1) 16.289 ms 2.006 ms 1.725 ms
2 192.168.200.252 (192.168.200.252) 2.124 ms 3.519 ms 3.919 ms
3 172.16.1.11 (172.16.1.11) 3.922 ms 3.514 ms 3.916 ms
4 * * *
5 125.7.199.131 (125.7.199.131) 4.011 ms 3.501 ms 3.930 ms
PoE Setting
Overview
PoE (Power over Ethernet) is a technology for simultaneously sending data and power through Ethernet cables.
It is also called Active Ethernet. PoE can be useful for supplying power to VoIP phones, wireless LAN APs, PTZ
cameras, and small devices such as embedded computers.
Most of the small devices connected to a PoE device receive power from a USB or AC power supply. When
using the USB, it is impossible to supply stable power when a large amount of power is needed because the
USB can only supply a maximum of 2.5W. Furthermore, USB has four types of connectors, and to connect
multiple devices, you must prepare a different connector for each device. However, PoE can supply power
more stably because it can supply 25.5W (IEEE 802.3at), which is larger than the power supply of USB. It is
also convenient because it only uses one type of connector, RJ-45 for network connection.
When power is supplied through an AC power supply, the outlet, plug, and voltage can differ by country.
Furthermore, a separate power adapter is needed to connect an AC power supply, which is inconvenient. On
the other hand, PoE does not require a separate power adapter, so it is easier to supply power.
PoE also has other advantages. It can automatically stop supplying power in the event of an overload or
underload, and the security supervisor can remotely stop or resupply power through the network. Moreover,
it cuts costs due to the reduction of UPS (Uninterruptible Power Supply) and outlet connection devices. It is
also convenient to install various devices connected to the network because the installation space and time
are reduced.
Note: PoE is only supported on TiFRONT-F26P/F26P(D)/G24P/G24P(D)/G48P/G48P(D). Also, it is only supported with copper ports, and not for
fiber ports.
PSE (Power Sourcing Equipment) refers to the devices that supply power, such as switches, hubs, or separate
power supplies. PD (Powered Device) refers to every device that receives power from the PSE, such as VoIP
phones, wireless LAN APs, PTZ cameras, and embedded computers.
TiFRONT determines what the power supply is through detection of the PD. First, when a PD is connected
through a cable, it is checked to see whether it supports PoE. The identification process uses the resistance
value of the PD. If it is found that the device does not support PoE, power is blocked. If it is found to support
PoE, the PD is classified depending on its power consumption requirements for normal operation.
In the classification process, a voltage is applied to the PD, and the measured current is compared with the
current range of each class. PoE efficiently uses limited power by supplying a different amount of power to
each class. The classification process varies by the power mode set for each port of TiFRONT. There are two
power modes: Normal and High-power. In normal mode, power is supplied in accordance with the 802.3af
standard, and the PDs are classified into classes 0 to 4 depending on the measured current. If the PD is
classified as class 4, the power corresponding to class 0 (16.2W) is supplied. In High-power mode, if the PD
is classified as class 4, the power specified in the 802.3at standard (31.2W) is supplied, and for the other
classes, the same power as that for the normal mode is supplied.
Once the classification is completed, power is supplied depending on the operation mode of the PoE function
set in TiFRONT. The operation mode of the PoE function determines the adding up method of the total power
consumption and the power supply sequence of the ports. The amount of power that can be supplied by the
PoE function of TiFRONT is limited. Therefore, when power shortage is expected due to the connection of
many PDs, the operation mode should be set to consider the priority and the power supply priorities should
be adjusted so that power will be supplied to the devices that require it most.
The maximum power supplied for each class is shown below.
Class    Maximum power (W)
0        16.2
1        4.2
2        7.4
3        16.2
Note: The PoE function of TiFRONT provides power that is greater than the value stated in the product specification (IEEE 802.3af: 15.4W, IEEE
802.3at: 25.5W), considering the power loss in the cables.
PoE Setting
Operation Mode Setting
When using the PoE function of TiFRONT, you must set the operation mode so as to determine how to supply
power to each port. The power that can be provided by PoE cannot exceed the power budget. The current
available power can be determined by subtracting the total power consumption, which is the sum of power
consumption at each port, from the total power supply. If the total power consumption exceeds the total
power supply, the power of the port with a lower priority is blocked. By setting the operation mode, you can
select the calculation method for the total power consumption and the order that power will be supplied to
each port. You can set the operation mode by using the following command in <Configuration Mode>.
Command
Description
dynamic:
dynamicp:
none:
static:
staticp:
Note: The maximum power of each port varies by the class of the PD connected to the port.
Note: When the priorities of each port are identical, the priority is determined by the order of port number. A lower port number has a higher
priority. In other words, ge1 port has a higher priority than ge2 port.
Note: The TiFRONT-F26P may not support the Operation Mode Setting depending on the hardware configuration. For detailed information on the
operation mode setting, please contact the product seller or PIOLINK Technical Assistance Team (TAC: +82-1544-9890).
Caution: If you use dual power for TiFRONT-F26P(D)/G24P(D)/G48P(D), you should not turn off one of the two power supplies while using the
device. If you do this, the services may not be provided normally.
Command
poe power-mode {high-power | normal}
Description
Set the power mode.
high-power:
normal:
Note: The TiFRONT-F26P may not support the Operation Mode Setting depending on the hardware configuration. For detailed information on the
operation mode setting, please contact the product seller or PIOLINK Technical Assistance Team (TAC: +82-1544-9890).
Note: If the port of Dual Power product is set to normal mode (IEEE 802.3af), you can use the PoE function for every port (TiFRONT-F26P(D):
ge1~ge2/fe1~fe24, TiFRONT-G24P(D): ge1~ge24, TiFRONT-G48P(D): ge1~ge48).
Command
poe power-threshold {class | none}
Description
Limit the maximum power supplied from the port.
class: Power is supplied based on the class of PD, so that it does not exceed specifications. The power
supply is interrupted if the power used by the PD exceeds the class power.
none:
Command
Description
poe port-priority
Set priority for supplying power to the port. The order of priorities is
critical > high > medium > low. (Default value: low).
Note: When you connect a new PD to TiFRONT that is using maximum power, the power to the port with the lowest priority is blocked. If the port
to which the new PD was connected has the lowest priority, no power is supplied to the PD.
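An added Python example (not the guide's code) that works through the budget and priority rules of this section: each port reserves its class's maximum power from the class table, ports are ranked critical > high > medium > low with the lower port number winning ties, and the lowest-ranked ports lose power once the budget would be exceeded. The 60 W budget and the port list are constructed; the guide's per-operation-mode calculation details are not reproduced, so this is a static, class-based estimate only.

```python
"""PoE power budget walkthrough: class power, priority order, blocking.

Added example, not part of the TiFRONT guide. The budget and port list are
constructed; per-operation-mode accounting is not modelled (static estimate).
"""
PRIORITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
CLASS_POWER_W = {0: 16.2, 1: 4.2, 2: 7.4, 3: 16.2}   # from the class table above


def class_power(pd_class: int, power_mode: str = "normal") -> float:
    """Maximum power reserved for a PD of this class under the port's power mode."""
    if pd_class == 4:   # 802.3af budget in Normal mode, 802.3at budget in High-power mode
        return 31.2 if power_mode == "high-power" else 16.2
    return CLASS_POWER_W[pd_class]


def port_number(port: str) -> int:
    return int(port[2:])  # "ge12" -> 12


def allocate(budget_w: float, ports: list):
    """ports: dicts with port, pd_class, priority and optional power_mode.

    Returns (powered, blocked, remaining_w); powered is in supply order.
    """
    ordered = sorted(ports, key=lambda p: (PRIORITY_RANK[p["priority"]],
                                           port_number(p["port"])))
    powered, blocked, used = [], [], 0.0
    for p in ordered:
        need = class_power(p["pd_class"], p.get("power_mode", "normal"))
        if used + need <= budget_w + 1e-9:
            powered.append(p["port"])
            used += need
        else:
            blocked.append(p["port"])   # lower priority: its power is blocked
    return powered, blocked, round(budget_w - used, 1)


def connect_new_pd(budget_w: float, ports: list, new_pd: dict):
    """Re-run the allocation after a PD is plugged in.

    Returns (ports that lose power, whether the new PD gets power). A new PD
    with the lowest priority simply receives no power, as the note above says.
    """
    before = set(allocate(budget_w, ports)[0])
    after = set(allocate(budget_w, ports + [new_pd])[0])
    return sorted(before - after, key=port_number), new_pd["port"] in after


# Constructed port list: an 802.3at camera on a High-power port, two phones, one AP.
SAMPLE_BUDGET_W = 60.0
SAMPLE_PORTS = [
    {"port": "ge1", "pd_class": 3, "priority": "low"},
    {"port": "ge2", "pd_class": 4, "priority": "critical", "power_mode": "high-power"},
    {"port": "ge3", "pd_class": 2, "priority": "medium"},
    {"port": "ge4", "pd_class": 0, "priority": "low"},
]


def sample_allocation():
    return allocate(SAMPLE_BUDGET_W, SAMPLE_PORTS)


if __name__ == "__main__":
    powered, blocked, remaining = sample_allocation()
    print("powered:", powered, "blocked:", blocked, "remaining W:", remaining)
```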
Description
Set the power supply time.
<STIME>
Set the power supply start time as HH:MM.
Note: The power supply start time and ending time work once a day. For example, if the start time is 18:00 and the ending time is 09:00, power
supply begins at 6 pm and ends at 9 am the next morning.
Note: To delete the power supply time setting, run the command poe timer del in <Interface Configuration Mode>.
Enabling PoE
To enable the PoE function, run the following command in <Interface Configuration Mode> of the port.
Command
poe enable
Description
Enable the PoE function of a port. (Default value: disable)
Caution: If a PD that supports IEEE 802.3at is connected to a port set to normal mode, the PoE function may not work normally. Therefore, you
must enable PoE after checking the power mode setting.
Note: To disable the PoE function, run the command no poe in <Interface Configuration Mode> of the port. Disabling PoE resets all the existing
settings. If the status of PoE is Fault, you must disable PoE by running the command no poe and then reset it.
Configuration examples
In the following example, PoE is set for ge1 and ge1 ports.
Packet Monitoring
Packet monitoring monitors the packets of particular source/destination IP addresses and MAC addresses
that are directly sent and received by TiFRONT through the STP, LLDP, IGMP Snooping, DHCP, and SNMP
functions. This function can be used as an analysis tool for finding the cause of trouble that occurs during
operation.
To perform packet monitoring, run the following command in <User Mode> or <Privileged Mode>.
Command
Description
tcpdump interface <IFNAME> [capture <1-60000>]
Monitor the packets that are sent and received through a specific interface.
<IFNAME>
Set the interface for monitoring packets.
You can use the following options to monitor specific packets by the conditions of protocol, source/destination
MAC addresses, source/destination IP addresses, source/destination ports, etc.
tcpdump interface <IFNAME> arp [capture <1-60000>]
tcpdump interface <IFNAME> ... [capture <1-60000>]
tcpdump interface <IFNAME> ... dst <HHHH.HHHH.HHHH> [capture <1-60000>]
tcpdump interface <IFNAME> ... [capture <1-60000>]
Monitor IP packets.
host <A.B.C.D>
{... | src} {host <A.B.C.D> | net <A.B.C.D/M>}
net <A.B.C.D/M>
Packets are monitored by the IP range.
tcpdump interface <IFNAME> pim [capture <1-60000>]
tcpdump interface <IFNAME> ... port <1-65535> [capture <1-60000>]
tcpdump interface <IFNAME> udp [capture <1-60000>]
tcpdump interface <IFNAME> udp port <1-65535> [capture <1-60000>]
tcpdump capture-monitor [detail]
The packets that have been captured most recently are monitored. The detail option additionally shows the
Caution: When you specify the packets to be monitored/captured using the options excluding bpdu, you can only set a VLAN interface in
<IFNAME>.
Note: If you use the capture <1-60000> option, packets of the specified number are captured. You can see the captured packets by using the
command tcpdump capture-monitor [detail].
Note: TiFRONT saves only the packets captured recently. When new packets are captured, the packets captured before will be deleted.
Configuration examples
The following is an example of packet monitoring.
# tcpdump interface vlan2 tcp
Run TCP packet monitoring of the vlan2 interface
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan13, link-type EN10MB (Ethernet), capture size 96 bytes
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3755 > 133.115.188.103.445: S 1554706813:1554706813(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3710 > 210.111.198.110.445: S 3346811276:3346811276(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3715 > 195.93.83.111.445: S 2154567122:2154567122(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3707 > 62.30.62.27.445: S 1788392792:1788392792(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3708 > 52.83.156.84.445: S 1693753009:1693753009(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3713 > 120.74.76.105.445: S 677509890:677509890(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3712 > 117.19.182.33.445: S 2410200967:2410200967(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3714 > 100.32.135.78.445: S 2784612476:2784612476(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3766 > 80.46.52.11.445: S 1040422993:1040422993(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3767 > 149.84.141.125.445: S 3942230861:3942230861(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3768 > 71.77.205.108.445: S 2114061504:2114061504(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3769 > 165.92.129.70.445: S 996931326:996931326(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3770 > 53.116.249.47.445: S 2312396708:2312396708(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3771 > 33.105.207.25.445: S 3105073640:3105073640(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3772 > 97.68.27.19.445: S 1430269303:1430269303(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3706 > 188.90.33.73.445: S 3765558397:3765558397(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3709 > 107.93.222.83.445: S 2742585982:2742585982(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3711 > 105.119.245.30.445: S 225111700:225111700(0) win 65535 <mss 1460,nop,nop,sackOK>
Press Ctrl+C on the keyboard to stop the packet monitoring.
18 packets captured
36 packets received by filter
0 packets dropped by kernel
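The following Python script is an added example and is not part of this guide or of PIOLINK's software. It parses the line layout of the packet-monitoring output shown above and summarises, per source host and destination port, how many different destinations received pure SYN segments, which is the kind of fan-out an operator troubleshooting with this command would want to see at a glance. The sample output is constructed from the guide's example plus one extra constructed line; the regular expression is written for exactly this output format.

```python
"""Summarise TiFRONT 'tcpdump interface <IFNAME> tcp' output per source host.

Added example for this guide, not PIOLINK code. It handles the line layout
shown in the packet-monitoring example (old-style tcpdump TCP lines) and
reports sources that send SYN segments to one destination port on many
different hosts.
"""
import re
from collections import defaultdict

# Constructed sample in the same layout as the guide's example output.
# The first five packet lines are taken from that example; the last line
# (100.1.3.72 to port 80) is constructed to show a second, harmless group.
SAMPLE_OUTPUT = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan13, link-type EN10MB (Ethernet), capture size 96 bytes
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3755 > 133.115.188.103.445: S 1554706813:1554706813(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3710 > 210.111.198.110.445: S 3346811276:3346811276(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3715 > 195.93.83.111.445: S 2154567122:2154567122(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3707 > 62.30.62.27.445: S 1788392792:1788392792(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3708 > 52.83.156.84.445: S 1693753009:1693753009(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.72.40001 > 100.1.3.10.80: S 1:1(0) win 65535 <mss 1460,nop,nop,sackOK>
"""

# One packet line: "src_mac > dst_mac, ethertype NAME (0xHHHH), length N: src_ip.port > dst_ip.port: FLAGS rest"
PACKET_RE = re.compile(
    r"^(?P<src_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dst_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), "
    r"ethertype (?P<ethertype>\S+) \((?P<ethertype_hex>0x[0-9a-f]{4})\), "
    r"length (?P<length>\d+): "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<src_port>\d+) > "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dst_port>\d+): "
    r"(?P<flags>[SFRPUEW.]+) (?P<rest>.*)$"
)


def parse_packet(line):
    """Return a dict for one packet line, or None for headers/summary lines."""
    match = PACKET_RE.match(line.strip())
    if not match:
        return None
    packet = match.groupdict()
    for key in ("length", "src_port", "dst_port"):
        packet[key] = int(packet[key])
    return packet


def parse_capture(text):
    """All packet lines in a block of tcpdump output, in order."""
    return [p for p in (parse_packet(line) for line in text.splitlines()) if p]


def syn_fanout(packets, min_destinations=3):
    """(src_ip, dst_port, distinct destination count) for every source that sent
    pure SYN segments (flags 'S', no ACK) to at least min_destinations hosts
    on the same port. Sorted by fan-out, largest first."""
    destinations = defaultdict(set)
    for packet in packets:
        if packet["flags"] == "S":  # new connection attempt, not a reply
            destinations[(packet["src_ip"], packet["dst_port"])].add(packet["dst_ip"])
    hits = [(src, port, len(dsts)) for (src, port), dsts in destinations.items()
            if len(dsts) >= min_destinations]
    return sorted(hits, key=lambda hit: (-hit[2], hit[0], hit[1]))


if __name__ == "__main__":
    captured = parse_capture(SAMPLE_OUTPUT)
    print(f"{len(captured)} packet lines parsed")
    for src, port, count in syn_fanout(captured):
        print(f"{src} sent SYNs to port {port} on {count} different hosts")
```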
sFlow Setting
sFlow is a real-time packet sampling function that monitors network traffic and is defined in RFC 3176.
sFlow consists of an sFlow Agent that sends sampled packets and an sFlow Collector that collects and shows
sampled data. TiFRONT plays the role of sFlow Agent and provides the following two kinds of information.
sFlow flow sampling
Packets received through a specific interface are sampled by the flow (source/destination IP addresses, TCP, UDP).
sFlow counter sampling
Statistics of the packets received through a specific interface. (sent every 30 seconds)
Note: The sFlow Collector must be configured separately from TiFRONT. You can download it for free from the InMon Corporation website
(http://www.inmon.com/products/sFlowTrend.php).
sFlow Settings
sFlow Collector Setting
You can set the sFlow Collector by using the following command in <Configuration Mode>.
Command
Description
Set sFlow Collector.
<A.B.C.D>
Note: To delete sFlow Collector, run the command no sflow collector in <Configuration Mode>.
Description
Set the sFlow sampling rate of a port.
<256-1677216>
Sampling rate. Setting range: 256 ~ 1677216.
Note: To delete the sFlow sampling rate for a port, run the command no sflow in <Interface Configuration Mode>. If you delete the sFlow
sampling rate, the sFlow information for the port will not be transmitted.
Configuration examples
In the following example, the sFlow Collector is specified and the sFlow sample rates are set for ge1 and ge2
ports.
Chapter 4
System Management
This chapter explains the procedures for configuring essential management functions of the TiFRONT system.
This chapter is composed of the following contents:
System Verification
Port Monitoring
Basic System Management
Configuration Files
PLOS
User Account
User Account Authentication
Log Management
Self Loop Detection
LLDP Configuration
Stacking Configuration
System Verification
System Information Display
You can check the basic system information including device name, serial number, MAC address, software
version, as well as the CPU processing speed and memory capacity.
To check the basic system information, run the following command in <User Mode>, <Privileged Mode>, or
<Configuration Mode>.
Command
show system
Description
Check the basic system information.
Description
Check the PLOS version.
Description
Check the current status of the CPU and memory.
Description
Check the system hardware status information.
Configuration examples
The following examples sequentially show the system information, PLOS version, system resource status, and
hardware status.
Port Monitoring
TiFRONT provides a port monitoring function for displaying real-time traffic information of the ports. To
display the port monitoring information, run the command show port-monitoring in <User Mode>,
<Privileged Mode>, or <Configuration Mode>. With this command, you can check the traffic that has been
sent and received per second by each port.
The following example shows the output when you run the command show port-monitoring.
> show port-monitoring
Port Monitoring Table
--------------------------------------------------------------
Port  | RxRate(pps) | RxRate(bps)  | TxRate(pps)| TxRate(bps)
------+-------------+--------------+------------+-------------
ge1   |           3 |         2024 |          0 |           0
ge2   |           3 |         2024 |          0 |         616
ge3   |           4 |         2648 |          0 |           0
ge4   |           3 |         2024 |          5 |        3744
ge5   |           0 |            0 |          0 |           0
ge6   |           0 |            0 |          0 |           0
ge7   |           0 |            0 |          0 |           0
ge8   |           0 |            0 |          0 |           0
ge9   |           0 |            0 |          0 |           0
ge10  |           0 |            0 |          0 |           0
ge11  |          12 |         7408 |         20 |       10800
ge12  |           0 |            0 |          0 |           0
ge13  |           0 |            0 |          0 |           0
ge14  |           0 |            0 |          0 |           0
ge15  |           0 |            0 |          0 |           0
ge16  |           0 |            0 |          0 |           0
ge17  |           0 |            0 |          0 |           0
ge18  |           0 |            0 |          0 |           0
ge19  |           0 |            0 |          0 |           0
ge20  |           0 |            0 |          0 |           0
ge21  |           0 |            0 |          0 |           0
ge22  |           0 |            0 |          0 |           0
ge23  |           0 |            0 |          0 |           0
ge24  |           0 |            0 |          0 |           0
--------------------------------------------------------------
Each item displayed by the show port-monitoring command shows the following information.
Item
Description
Port
Port number
RxRate(pps)
RxRate(bps)
TxRate(pps)
TxRate(bps)
Description
Change the TiFRONT name.
<WORD>
hostname <WORD>
Note: After changing the system name, you must run the command write memory in <Privileged Mode> so that the change will be maintained
even after rebooting.
Command
Description
Enter the <Config-line configuration mode>.
<0-0>
Setting range: 0
Change the console connection timeout setting.
<0-35791>
Command
Description
When you set the terminal session count, the system enters
the <Configuration mode>.
<0-9>
Set the start value of the session count range.
(Setting range: 0 ~ 9)
<0-9>
Set the last value of the session count range.
(Setting range: 0 ~ 9)
Note: For terminal sessions, five sessions from the index 0 to 4 are
set by default.
Change the terminal connection timeout setting.
<0-35791>
Note: To delete the terminal sessions that have been set, run the command no line vty <1-9> [<1-9>]; however, you may not delete session
no. 0 which is the default value.
Note: If you don't want to set connection timeout, set the exec-timeout value to 0.
Description
Change the SSH service port.
<0-65535>
<0-65535>
Setting range: 0 ~ 65535. (Default value: 23)
default
Change the Telnet service port to the default (23).
Note: SSH and Telnet services cannot use the same port.
Note: When you change the SSH or Telnet service port, the current session is maintained as it is, and you can login to the changed port from the
next time.
Description
Note: If the terminal type is not set, SSH operates according to the terminal program of the client and Telnet operates in vt102.
Note: To delete the terminal type setting, run the command no terminal-type in <Configuration Mode>.
Description
timezone {hkt | ict | jst | kst | utc}
Set the time zone.
hkt: Hong Kong standard time applicable to Beijing, Chongqing, Hong Kong, etc. (GMT+8)
ict: Bangkok standard time applicable to Bangkok, Hanoi, Jakarta, etc. (GMT+7)
jst: Japan standard time applicable to Osaka, Sapporo, Tokyo, etc. (GMT+9)
kst: Korea standard time applicable to Seoul, etc. (GMT+9)
utc: Universal time (Default)
Description
Set the system time.
Command
ntp server <A.B.C.D>
Description
Set the NTP server.
Set the cycle for retrieving the time from the NTP server and
ntp enable
(Optional)
Description
Reboot the system.
Note: When you run the reload command, the message reboot system? (y/n) : appears. Type 'y' and press the Enter key to reboot the system.
Remote Access
To remotely access another system, run the following command in <Privileged Mode>.
Command
Description
Remotely access another system.
<WORD>
Description
Set the message displayed on the screen before user logs in to the
system.
<LINE>
Enter the banner message after typing '&' and a line feed. You can
enter up to 4096 characters composed of alpha-numeric, Korean,
and special characters. After entering the message, type a line
feed and '&'.
Set the message to be displayed on the screen after a user logs in
to the system.
<LINE>
You can enter up to 2048 characters composed of letters,
numbers, and special characters.
Note: After changing the login banner, you must run the command write memory in <Privileged Mode> so that the changes will be applied.
Description
show history
Show the history of commands that have been run after logging in to TiFRONT.
Show the history of commands run by all users and the history of
all commands before rebooting. Running this command shows the
command date and time, accessed IP address, user ID, and the
commands.
Configuration examples
The following is an example of system name setting.
TiFRONT(config)# hostname TestName
TestName(config)#
The following shows examples of the console connection timeout setting and the terminal session
count/connection timeout setting.
----------------------------
Type    | Index | Timeout
--------+-------+-----------
vty     | 0     | 10.0
vty     | 1     | 10.0
vty     | 2     | 10.0
vty     | 3     | 10.0
vty     | 4     | 10.0
console | 0     | 10.0
----------------------------
(config)# line console 0
Enter the <config-line configuration mode> of the console
(config-line)# exec-timeout 0 0
Delete the console connection timeout setting.
(config-line)# show exec-timeout
Show the settings.
----------------------------
Type    | Index | Timeout
--------+-------+-----------
vty     | 0     | 10.0
vty     | 1     | 10.0
vty     | 2     | 10.0
vty     | 3     | 10.0
vty     | 4     | 10.0
console | 0     | Unlimit
----------------------------
(config-line)# exit
(config)# line vty 7 8
Create a terminal session and enter the <config-line configuration mode>
(config-line)# exec-timeout 5 30
Set the terminal connection timeout to 5 min 30 sec
(config-line)# show exec-timeout
Show the settings.
----------------------------
Type    | Index | Timeout
--------+-------+-----------
vty     | 0     | 10.0
vty     | 1     | 10.0
vty     | 2     | 10.0
vty     | 3     | 10.0
vty     | 4     | 10.0
vty     | 7     | 5.30
vty     | 8     | 5.30
console | 0     | Unlimit
----------------------------
In the following example, the NTP client function is set and the NTP settings are queried.
(config)# reload
Enter the system rebooting command
reboot system? (y/n): y
Run rebooting by entering "y."
TiFRONT shutdown processing....
Logging backup...
The system is going down NOW !!..
Sending SIGTERM to all processes.
...Done
% Connection is closed by administrator!
Sending SIGKILL to all processes.
Requesting system reboot.
Restarting system.
TiFRONT (PIOLINK Inc.)
Bootloader version : 1.2 (Build time: Jul 14 2010 - 09:33:44)
TiFRONT_LSG board revision serial #: R210T7200A03113
MAC address: 00:de:ad:10:ff:00
DRAM: 512 MB
Flash: 32 MB
Clearing DRAM....... done
Using default environment
PLOS-LS version: 1.1.0 (size: 32505856) is uploading....
Board: TiFRONT-G24
/sbin/rc starting
TiFRONT LSG INIT SCRIPT
Updating module dependencies
Setting up loopback
TiFRONT LSG running......
QC module loading
plos_info_proc_init!!
Starting syslogd
logfiler started.
Check PoE device
/sbin/rc: line 83: /bin/poe_init: No such file or directory
Starting snmpd
Switch Port Mapping TiFRONT LSG
<<XSWITCH INFO>>
SYSTEM PRODUCT ID : 0x1020000
SYSTEM PLATFORM ID: 1
SYSTEM BOARD ID : 2
SYSTEM REVISION : 0
SYSTEM FUNCTON    : 0x0
26 User port
VLAN : 4096
L2table : 16 K
L3table : 0 K
User defined switch configuration is loaded
Starting switch IMISH
Staring Cron
Starting xinetd
Starting Health check
Switching port(ge1) link UP!!
Hardware Monitoring
watchdog enable ENABLE
Please, wait..
Switching port(ge2) link UP!!
TiFRONT login:
# telnet 192.167.203.30 23
# show history
Show the history of commands that you have run after logging in.
1 en
2 configure terminal
3 sh system
4 sh ip route
5 exit
6 sh history
# show history record
Show the history of commands that all users have run
[2011.10.29 07:52:14] console         (root    ): en
[2011.10.29 07:52:17] console         (root    ): show web-alert
[2011.10.29 07:52:20] console         (root    ): show log conf
[2011.10.29 07:52:51] console         (root    ): show hostacl config host
[2011.10.29 07:58:54] console         (root    ): conf
[2011.10.29 07:59:04] console         (root    ): no web-alert display-company
[2011.10.29 08:08:16] console         (root    ): access-group aaa interface ge1
[2011.10.29 08:08:42] console         (root    ): access-list 1 deny any any any
[2011.10.29 08:08:55] console         (root    ): access-group aaa access-list 1
[2011.11.03 09:51:58] 192.168.201.224 (root    ): show user-list
[2011.11.03 09:52:02] 192.168.201.224 (root    ): configure terminal force
[2011.11.03 09:52:10] 192.168.201.224 (root    ): username kauri password !piolink
[2011.11.03 09:52:29] 192.168.201.224 (kauri   ): en
[2011.11.03 09:52:30] 192.168.201.224 (kauri   ): conf t
[2011.11.03 09:52:37] 192.168.201.224 (kauri   ): username root password !piolink
[2011.11.03 09:52:46] 192.168.201.224 (kauri   ): username root password !piolink
[2011.12.13 02:32:33] 192.168.201.185 (piolink ): show ip int b
[2011.12.13 02:32:33] 192.168.201.185 (piolink ): conf t
[2011.12.13 02:32:34] 192.168.201.185 (piolink ): end
[2011.12.13 04:05:33] 192.168.200.222 (piolink ): sh ip route
--More--
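The following Python script is an added example, not part of this guide or of PIOLINK's software. It parses the record layout of show history record shown above and flags what a reviewer of that log would look for: commands that carry a credential in clear text (the history stores the whole username <WORD> password <LINE> line) and a non-administrator account changing another account's password. The sample records are constructed in the guide's format, with placeholder secrets; treating root as the only administrator account is an assumption.

```python
"""Audit TiFRONT 'show history record' output.

Added example for this guide, not PIOLINK code. It reads the
"[YYYY.MM.DD HH:MM:SS] <origin> (<user>): <command>" layout shown above.
"""
import re

RECORD_RE = re.compile(
    r"^\[(?P<timestamp>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2})\] "
    r"(?P<origin>\S+)\s+\((?P<user>\S+)\s*\): (?P<command>.*)$"
)
# Commands in this guide that carry a secret on the command line.
PASSWORD_CMD_RE = re.compile(r"^username (?P<target>\S+) password (?P<secret>.+)$")
ENABLE_PASSWORD_RE = re.compile(r"^enable password ")

# Constructed sample in the guide's record format; hosts and users follow the
# example above, the passwords are replaced by obvious placeholders.
SAMPLE_HISTORY = """\
[2011.10.29 07:52:14] console         (root    ): en
[2011.10.29 08:08:42] console         (root    ): access-list 1 deny any any any
[2011.11.03 09:51:58] 192.168.201.224 (root    ): show user-list
[2011.11.03 09:52:10] 192.168.201.224 (root    ): username kauri password <secret-1>
[2011.11.03 09:52:29] 192.168.201.224 (kauri   ): en
[2011.11.03 09:52:37] 192.168.201.224 (kauri   ): username root password <secret-2>
[2011.12.13 02:32:33] 192.168.201.185 (piolink ): show ip int b
--More--
"""


def parse_record(line):
    """One history record as a dict, or None for pager lines such as --More--."""
    match = RECORD_RE.match(line.rstrip())
    return match.groupdict() if match else None


def parse_history(text):
    """All records in a block of 'show history record' output, in order."""
    return [r for r in map(parse_record, text.splitlines()) if r]


def audit(records, admins=frozenset({"root"})):
    """Findings for a reviewer. Secrets are deliberately not copied into the
    findings, so the audit output can be shared more widely than the log.

    kinds: credential_in_history        a secret is stored in the history
           cross_account_password_change a non-admin set another account's password
    """
    findings = []
    for rec in records:
        cmd = rec["command"]
        base = {"timestamp": rec["timestamp"], "actor": rec["user"], "origin": rec["origin"]}
        match = PASSWORD_CMD_RE.match(cmd)
        if match or ENABLE_PASSWORD_RE.match(cmd):
            findings.append({**base, "kind": "credential_in_history",
                             "target": match.group("target") if match else rec["user"]})
        if match and match.group("target") != rec["user"] and rec["user"] not in admins:
            findings.append({**base, "kind": "cross_account_password_change",
                             "target": match.group("target")})
    return findings


if __name__ == "__main__":
    for finding in audit(parse_history(SAMPLE_HISTORY)):
        print(f"{finding['timestamp']} {finding['actor']}@{finding['origin']}: "
              f"{finding['kind']} (target {finding['target']})")
```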
Configuration File
Overview
The configuration file contains the configuration information of TiFRONT. The configuration file that contains
the basic configuration information is stored in the flash memory when TiFRONT is shipped and can be
restored whenever necessary.
When the device boots up, the configuration file is loaded from the flash memory to SDRAM. The
configuration file that is stored in the flash memory and loaded when booting is called startup-config.
When TiFRONT is booted for the first time, the factory default configuration file (factory-default-config) is
configuration information, but since it is in SDRAM, the content is erased when the device is rebooted.
Description
Description
Reset the configuration.
Caution: After running the above command, you must reboot TiFRONT to apply the initialized configuration to the system. To reboot TiFRONT, run
the command reload in <Configuration Mode>.
Configuration examples
The following is an example of restoring the system to its initial configuration.
# show running-config
Show the running-config to check the current configuration.
!
no service password-encryption
!
hostname TiFRONT
!
spanning-tree mst config
!
no ip forwarding
!
vlan 2 name v1
vlan 2 state enable
!
interface lo
ip address 127.0.0.1/8
no shutdown
!
interface mgmt0
ip address 10.1.1.1/24
no shutdown
!
interface eth0
shutdown
!
interface eth1
shutdown
!
interface ge1
switchport
switchport mode access
switchport access vlan 2
flowcontrol receive off
flowcontrol send off
auto-negotiation on
jumbo-frame off
no shutdown
!
interface ge2
switchport
switchport mode access
switchport access vlan 2
flowcontrol receive off
flowcontrol send off
auto-negotiation on
jumbo-frame off
no shutdown
!
--More
< Omitted>
# configure
Enter configuration commands, one per line. End with CNTL/Z.
(config)# copy factory-default startup-config
Enter the initial configuration restoring command
clear written configuration? (y/n): y
Run the command by entering "y"
[OK]
(config)# reload
Enter the system rebooting command
reboot system? (y/n): y
Run the command by entering "y"
TiFRONT shutdown processing....
Logging backup...
The system is going down NOW !!..
Sending SIGTERM to all processes.
...Done
% Connection is closed by administrator!
Sending SIGKILL to all processes.
Requesting system reboot.
Restarting system.
< Omitted>
(config)# show running-config
!
no service password-encryption
!
hostname TiFRONT
!
spanning-tree mst config
!
no ip forwarding
!
interface lo
ip address 127.0.0.1/8
no shutdown
!
interface mgmt0
no shutdown
!
interface eth0
shutdown
!
interface eth1
shutdown
!
interface ge1
switchport
switchport mode access
flowcontrol receive off
flowcontrol send off
auto-negotiation on
jumbo-frame off
no shutdown
!
interface ge2
switchport
switchport mode access
flowcontrol receive off
flowcontrol send off
auto-negotiation on
jumbo-frame off
no shutdown
!
--More
PLOS
PLOS is the PIOLINK operating system that is installed on TiFRONT when it is shipped. There are various
versions of TiFRONT PLOS and each version may provide different features. When necessary, you can update
the PLOS to higher or lower versions than the currently installed version. Also, there are multiple versions of
the boot loader which is necessary for normal booting of PLOS and it must be updated separately from PLOS.
You can update TiFRONT PLOS using one of the following three methods:
Update through the TFTP server
Update through the FTP server
Update through the USB memory (only available for TiFRONT-GX24/GX24P models)
PLOS Update
To update PLOS using CLI commands, perform the following steps in <Configuration Mode>.
No.
Command
Description
Download PLOS from the TFTP server to TiFRONT.
<A.B.C.D>
1-1
1-2
<ID>
ID for logging in to the FTP server
<PASSWORD>
Password of the ID that was entered before
<FILE>
Path and name of the PLOS file
Download PLOS from a USB memory to TiFRONT.
1-3
<FILE>
Path and name of the PLOS file
reload
Note: To update PLOS through the FTP server, the PLOS file must be in the home directory of the FTP server.
Note: If you use the Al FTP from East Soft as the FTP server program, the PLOS update cannot be done normally.
Command
Description
Download Boot Loader from the TFTP server to
TiFRONT.
1-1
<A.B.C.D>
1-2
TiFRONT.
<FILE>
Boot Loader file name
reload
Description
Show the file contents of the USB memory.
<DIR>
Name of the directory of which to show the file information
Configuration examples
The following is an example of a PLOS update.
>show system
Show system information to check the PLOS version.
---------------------------------------------
system information
---------------------------------------------
Product Name     : TiFRONT V1.0 G24
Serial number    : R210T7200A02113
BL version       : boot-lsg-v1.8
OS version       : PLOS-LS-V1.0.25
CPU clock        : 600Mhz
Number of core   : 2
Memory size      : 512MB
Mgmt MAC address : 00:06:c4:72:02:02
---------------------------------------------
(config)# os update 192.168.201.236 PLOS-LS-V1.0.31
Receiving file.
################################
Receiving OS data is Done
PLOS size : 25986519 bytes
Update OS to FLASH memory
................................................................................
................................................................................
.............................................................
PLOS update is completed successfully
(config)# reload
Enter the system rebooting command
reboot system? (y/n): y
Run rebooting by entering "y."
TiFRONT shutdown processing....
Logging backup...
The system is going down NOW !!..
Sending SIGTERM to all processes.
...Done
% Connection is closed by administrator!
Sending SIGKILL to all processes.
Requesting system reboot.
Restarting system.
(config)# boot update 192.168.201.236 plos/boot-lsg-v2.0
Update Boot Loader to v2.0
Receiving file.
#
Receiving Bootloader data is Done
Bootloader size : 316480 bytes
Update Bootloader to FLASH memory
....
Bootloader update is completed successfully
(config)# reload
Enter the system rebooting command
reboot system? (y/n): y
Run rebooting by entering "y."
TiFRONT shutdown processing....
Logging backup...
The system is going down NOW !!..
Sending SIGTERM to all processes.
...Done
% Connection is closed by administrator!
Sending SIGKILL to all processes.
Requesting system reboot.
Restarting system.
PLOS-LS PIOLINK Inc.
>show system
Show system information to check the PLOS and Boot Loader versions
---------------------------------------------
system information
---------------------------------------------
Product Name     : TiFRONT V1.0 G24
Serial number    : R210T7200A02102
BL version       : boot-lsg-v2.0
OS version       : PLOS-LS-V1.0.31
CPU clock        : 600Mhz
Number of core   : 2
Memory size      : 512MB
Mgmt MAC address : 00:06:c4:72:02:02
User Account
Default User
TiFRONT provides basic security functions through the authentication of users who access TiFRONT via HTTP,
Telnet, console, SNMP, etc.
To manage TiFRONT through CLI or TiManager, you must log in to it with a registered user account. TiFRONT
has a default user account with administrator level rights (ID: root, password: admin).
User Level
In TiFRONT, you can add up to 8 users including the root user, who is the default user. There are user levels
1 to 15, and the commands available in CLI depend on the user level. The higher the level is (the greater the
number is), the more commands are available. The level of the default user, root, is 15.
Description
username-password combination {low | medium | high}
Set the user ID combination rules.
low
Any letters, numbers, or special characters (*~!@#$&%^_+=\\|{}[].,/) are acceptable.
medium
Only a combination of two or more of letters, numbers, and special characters are acceptable (default).
high
Only a combination of all three of letters, numbers, and special characters are acceptable.
Description
Set the minimum length of a user ID.
<4-64>
Setting range: 4 ~ 64. (Default value: 4 characters)
Set the minimum length of a user password.
<5-24>
Setting range: 5 ~ 24. (Default value: 5 characters)
Note: The default minimum lengths of a user ID and password are 4 and 5, respectively. If you change the minimum length of a user ID or
password, you must enter a value of the minimum length or a longer value when adding or changing a user ID or password.
Description
Add a user.
<WORD>
Set a user ID with a string of 4-64 characters consisting of letters,
Note: To delete the content of description, run the command no username <WORD> desc in <Configuration Mode>.
Note: To delete a user account, run the command no username <WORD> in <Configuration Mode>. You cannot delete the root account which is
the default user of TiFRONT.
Note: To change the user level, run the command username <WORD> privilege <1-15> in <Configuration Mode>.
Changing Password
You can change the user password by using the following command in <Configuration Mode>.
Command
username <WORD> password <LINE>
Description
Change the user password.
Note: You can set a password with a string of 5-25 characters consisting of letters, numbers, and special characters (*~!@#$&%^_-+=\\|{}[].,/). It
also must contain at least one number or one special character. It is recommended to create a password that contains uppercase and lower case
letters, and numbers and special characters.
Note: For security, you are advised to change the password after first logging in to the system with the root user account.
Password Reset
If you forget your password, you can reset the password of the default account (root). If you run the following
commands in <boot mode> of the Boot Loader, the password of the default account is changed to the
default value 'admin'.
No.
Command
Description
run bootcmd
Caution: When you run the above steps, the login prompt for logging in to CLI appears. You must change the password after logging in to the root
account. To save the changed password in the system, run the command write memory in <Privileged Mode>.
Note: To use this feature, you must use the Boot Loader version LSF 1.7, LSG 1.5, or higher. For more details about the Boot Loader, see the User
Guide for the Boot Loader or contact our Technical Assistance Center (+82-1544-9890).
Description
password-expired-interval <1-365>
Set the user password expiration period. There is no default value. Once you set this, the password expiration
function is enabled.
<1-365>
Setting range: 1 ~ 365(day)
Note: When you set the password expiration period, it begins on the day it is set for existing user account. For newly added accounts, it begins on
the account creation date.
Note: To disable the password expiration period, run the command no password-expired-interval in <Configuration Mode>.
Note: When a user logs in after their password has expired, the following message appears and they are prompted to specify a new password.
Your pw is expired, so need to reset your password.
Enter new password: <new_password>
Retype new UNIX password: <new_password>
OK, save your new password to the startup config file.
Note: If 15 days or less remain until password expiration, the following message appears to inform the password expiration date after user logs in.
#######################################################
Your password will be expired at 2013-Mar-30 13:58:34.
#######################################################
Caution: After changing the password, you must save the new password in the system by running the command write memory in <Privileged
Mode>. If the setting is not saved, the message prompting the user to reset their password will appear every time the system is rebooted.
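The following Python module is an added example, not part of this guide or of PIOLINK's software. It implements the user ID and password rules from the User Level and Changing Password tables above (allowed character set, username-password combination levels, minimum lengths, the "at least one number or special character" rule) together with the password expiration rules from this section (start date for existing versus new accounts, the 15-day warning, the reset prompt), so that an administrator can check values before entering them. Counting the expiry day itself as expired is an assumption; the page does not say.

```python
"""User ID / password rules and password expiration as described in this chapter.

Added example for this guide, not PIOLINK code.
"""
import string
from datetime import date, timedelta

LETTERS = set(string.ascii_letters)
NUMBERS = set(string.digits)
# Special characters listed in the Changing Password note above.
SPECIAL = set(r"*~!@#$&%^_-+=\|{}[].,/")
# username-password combination {low | medium | high}: how many of the three
# character classes (letters, numbers, special) must be present.
COMBINATION_CLASSES = {"low": 1, "medium": 2, "high": 3}


def classify(value):
    """Return (character classes present, characters outside the allowed set)."""
    classes, disallowed = set(), set()
    for ch in value:
        if ch in LETTERS:
            classes.add("letters")
        elif ch in NUMBERS:
            classes.add("numbers")
        elif ch in SPECIAL:
            classes.add("special")
        else:
            disallowed.add(ch)
    return classes, disallowed


def check_user_id(user_id, combination="medium", min_length=4):
    """Problems with a user ID; an empty list means it is acceptable.
    min_length mirrors the username-length setting (4-64, default 4)."""
    if not 4 <= min_length <= 64:
        raise ValueError("username-length must be 4-64")
    problems = []
    if len(user_id) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(user_id) > 64:
        problems.append("longer than 64 characters")
    classes, disallowed = classify(user_id)
    if disallowed:
        problems.append("contains disallowed characters: " + "".join(sorted(disallowed)))
    needed = COMBINATION_CLASSES[combination]
    if len(classes) < needed:
        problems.append(f"combination {combination} needs {needed} character classes, found {len(classes)}")
    return problems


def check_password(password, min_length=5):
    """Problems with a password: 5-25 characters from the allowed set and at
    least one number or one special character. min_length mirrors the
    password-length setting (5-24, default 5)."""
    if not 5 <= min_length <= 24:
        raise ValueError("password-length must be 5-24")
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(password) > 25:
        problems.append("longer than 25 characters")
    classes, disallowed = classify(password)
    if disallowed:
        problems.append("contains disallowed characters: " + "".join(sorted(disallowed)))
    if not classes & {"numbers", "special"}:
        problems.append("needs at least one number or one special character")
    return problems


def password_expiry(interval_days, set_on, created_on):
    """Expiry date for one account. The interval starts on the day it was set
    for accounts that already existed, and on the creation date for accounts
    added later."""
    if not 1 <= interval_days <= 365:
        raise ValueError("password-expired-interval must be 1-365")
    return max(set_on, created_on) + timedelta(days=interval_days)


def login_status(today, expiry):
    """'expired': the user is prompted for a new password at login;
    'warning': 15 days or less remain and the expiry date is shown;
    'ok': nothing is shown. Assumption: the expiry day itself counts as expired."""
    remaining = (expiry - today).days
    if remaining <= 0:
        return "expired"
    if remaining <= 15:
        return "warning"
    return "ok"


if __name__ == "__main__":
    print("user ID 'kauri' under medium:", check_user_id("kauri"))
    print("password 'admin':", check_password("admin"))
    expiry = password_expiry(90, date(2013, 1, 1), date(2012, 6, 1))
    print("expires", expiry, "status on 2013-03-20:", login_status(date(2013, 3, 20), expiry))
```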
Description
privilege {class-map | configure | exec | interface | interface-range | key | line | mstp-cfg | policy-map | qos | ...} level <1-15> <LINE>
Set the command mode, user level, and command.
<1-15>
Caution: Higher level users can use the commands of the lower level users, but lower level users cannot use commands of the higher level users.
For example, level 8 users can use commands of levels 1-8.
Caution: If a command is set for two or more levels, the higher level will be applied to the command. For example, if the command ip route
is applied to levels '10' and '13', it will be considered a level 13 command.
Description
enable password level <1-15> <LINE>
Set the level that the user can temporarily change to and the password.
<1-15>
Level that the user can temporarily change to
<LINE>
Password for changing the level
Description
User can temporarily change his/her level.
enable <1-15>
<1-15>
Level that is temporarily changed to
Note: To temporarily change user level, a password for changing to that level must be entered.
Configuration examples
The following is an example of adding a user account.
In the following, you set the password expiration period and show expiration times by user.
The following is an example of setting a command that is available for a user level.
(config)# privilege exec level 3 configure terminal
Command
radius enable
(Optional)
Description
To use the RADIUS server for user authentication, enable the
RADIUS function. (Default: Disabled)
Specify the RADIUS server. Use primary to specify the default
| secondary}
secret.
<WORD>
Enter the secret key for authentication. You can enter a string
of up to 16 characters using letters, numbers, _, and -.
Set the RADIUS server response timeout.
<1-65535>
Setting range: 1 ~ 65535. (Default value: 3 sec)
Set the number of retries that users can perform when there is
radius telnet
(Optional)
radius console
(Optional)
Note: To disable the RADIUS function, run the command no radius enable in <Configuration Mode>.
Configuration examples
In this example, you enable the RADIUS authentication function, set it as shown in the following table, and
query the settings.
Item
Settings
192.168.203.30
192.168.203.31
Port number
1645
Secret key
radius-1234
5 sec
5 times
5 sec
Enabled
Enabled
(config)# radius enable                            Enable the RADIUS function
(config)# radius server 192.168.203.40 primary     Set the default RADIUS server
(config)# radius server 192.168.203.41 secondary   Set the secondary RADIUS server
(config)# radius port 1645                         Set the port number
(config)# radius secret radius_1234                Set the secret key
(config)# radius timeout 5                         Set the RADIUS server response timeout
(config)# radius retry 5                           Set the number of retrials for accessing the RADIUS server
(config)# radius dead-time 5                       Set the waiting time for accessing the secondary RADIUS server
(config)# radius telnet                            Enable Telnet authentication function
(config)# radius console                           Enable console authentication function
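The shared secret configured above is what binds the switch to its RADIUS server: the client uses it to hide the User-Password attribute it sends and to verify the Response Authenticator on every reply, so a reply forged by a host that does not know the secret is rejected. The following is an added example, not PIOLINK code and not part of the TiFRONT implementation; it builds an Access-Request and verifies an Access-Accept exactly as RFC 2865 specifies. The secret, user name and password are constructed sample values, and the server reply is simulated locally with the same secret.

```python
"""Added example: RADIUS Access-Request construction and reply verification (RFC 2865).
Not PIOLINK code; the secret, user and password below are constructed sample values."""
import hashlib
import hmac
import os
import struct

CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (includes the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (the server side); trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes,
                         request_auth: bytes = None) -> bytes:
    """Client side: the Request Authenticator must be unpredictable and unique per request."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes,
                           secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """What a server holding the same secret sends back (used here to exercise verify_response)."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: accept a reply only if its length, identifier and Response
    Authenticator all match the outstanding request and the shared secret."""
    if len(response) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, response[HEADER_LEN:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:HEADER_LEN])
```

Because the password hiding is only an MD5-keyed XOR and the reply check is an MD5 over the shared secret, the strength of the scheme rests entirely on the secret being long and random and on the switch-to-server path being trusted; that is why the guide limits the secret to 16 characters of a restricted alphabet, and why a dedicated management network between the switch and the RADIUS server matters.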
TACACS+
Besides RADIUS, TiFRONT can also use the TACACS+ (Terminal Access Controller Access Control System Plus)
protocol to authenticate users accessing remotely. When TiFRONT receives a request for remote access, it
performs authentication, as with the RADIUS server. Once authentication is successful and the user can
access TiFRONT, every command used by the user is checked for availability through the TACACS+ server
(Authorization). In this case, every command performed by the user can be sent to the TACACS+ server for
recording (Accounting).
Using the TACACS+ user authentication protocol enhances the security of system and network management
because every user must be authenticated by the server before gaining access.
Note: The commands used by normal users who access in Privileged Mode are not recorded. Only the commands used by the administrator level
users (Super Users) are recorded.
TACACS+ Configuration
To configure TACACS+, perform the following steps in <Configuration Mode>.
No.   Command                                   Description
1     tacacs-plus server <IPADDR>               Set the TACACS+ server.
2     tacacs-plus secret <WORD>                 Set the secret key for authentication between the TACACS+ server
                                                and TiFRONT.
        <WORD>                                  Enter the secret key for authentication. You can enter a
                                                string of up to 16 characters using letters, numbers, _, and -.
3     tacacs-plus authentication (Optional)
4     tacacs-plus authorization (Optional)      (Default: disable)
5     tacacs-plus accounting (Optional)         (Default: disable)
6     tacacs-plus log (Optional)                (Default: disable)
Note: To delete the TACACS+ configuration information in <TACACS+ configuration mode>, run the command no tacacs-plus {secret |
authentication | authorization | accounting | log} in <Configuration Mode>.
Configuration examples
In this example, the TACACS+ authentication function is set as shown in the following table, and then the
settings are queried.
Item               Settings
TACACS+ server     192.168.203.30
Secret key         tacacs-1234
authentication     Enabled
authorization      Enabled
accounting         Enabled
log                Enabled
(config)# tacacs-plus server 192.168.203.30
(config)# tacacs-plus secret tacacs-1234
(config)# tacacs-plus authentication
(config)# tacacs-plus authorization
(config)# tacacs-plus accounting
(config)# tacacs-plus log
Log Management
Overview
When any problem occurs in the device or events occur such as a change of settings, TiFRONT creates log
messages that contain the related information. The log messages are time-stamped and stored in the buffer,
and you can see them when necessary.
Log Buffer
Because the log buffer size is limited, you cannot store all log messages indefinitely. When the buffer is
full, the oldest log messages are deleted to make room for new ones. To work within the buffer limit,
TiFRONT lets you specify the types and levels of events for which log messages are created, which reduces
the number of messages stored.
Type        Description
auth        Authentication events
authpriv    Private (non-system) authentication events
cron        Scheduled job (cron) events
ftp         FTP events
daemon      System daemon events
kern        Kernel events
local0-7    Locally defined events (local0 to local7)
lpr         Print events
mail        Mail events
news        News (NNTP) events
syslog      Events generated internally by the syslog process
user        User-level process events
uucp        UUCP events
Among these event types, you can select the ones for which log messages will be created. By default, every
event type generates a log message.
TiFRONT events are divided into the following eight levels depending on their effect on the device.
Level name     Keyword    Description
Emergency      emerg      The system is unusable
Alert          alert      Action must be taken immediately
Critical       crit       Critical event
Error          error      Error message
Warning        warn       Warning message
Notice         notice     Normal but significant event
Information    info       An informational event
Debug          debug      A debugging event
The Emergency level at the top is the most serious; the lower a level is in the table, the less serious the
event. By default, TiFRONT generates log messages when events of Notice level or higher occur. You can
change the event level at which log messages are generated.
Log Settings
Setting Event Types and Levels
To set the event types and levels for creating log messages, run the following command in <Configuration
Mode>.
Command              Description
logging severity     Set the event level and type for generating log messages.
Note: If you specify an event level, logs are saved only for the levels equal to, or higher than, the specified level. For example, if you specify the
Critical level, the logs of the Critical, Alert, and Emergency levels are saved in the buffer. If you specify the Debug level, all levels of logs are
saved in the buffer.
Note: In TiFRONT, you can register 5 TiManagers to which log messages will be sent.
Note: The settings you previously changed regarding which messages are sent to TiManager can be deleted by using the command no logging
timanager <A.B.C.D> in <Configuration Mode>.
Command                                                                    Description
logging host <A.B.C.D> {default | <WORD>} {default | <WORD>}               Set the syslog server for sending log messages as well as the
  {alert | crit | debug | emerg | error | info | notice | warn} [<WORD>]   event level and type for generating log messages.
  <A.B.C.D>                                                                IP address of the syslog server
Note: In TiFRONT, you can register 5 syslog servers to which log messages will be sent.
Note: You can delete a syslog server by using the command no logging host <A.B.C.D> {default | <WORD>} {default | <WORD>}
{alert | crit | debug | emerg | error | info | notice | warn} [<WORD>]. If you use this command, all the syslog servers having
the same IP address will be deleted.
Showing Logs
To check the detailed information about log messages, run the following commands in <User Mode>,
<Privileged Mode>, or <Configuration Mode>.
Description
Show the log messages for security and user settings.
  <1-65535>    Number of lines of log messages to display. Setting range: 1 ~ 65535
Show log messages about security.
  <1-65535>    Number of lines of log messages to display. Setting range: 1 ~ 65535
Show log messages about system status.
  <1-65535>    Number of lines of log messages to display. Setting range: 1 ~ 65535
Show log messages about user access.
  <1-65535>    Number of lines of log messages to display. Setting range: 1 ~ 65535
Show all the other log messages except the above four types of log messages.
  <1-65535>    Number of lines of log messages to display. Setting range: 1 ~ 65535
Show all log messages.
  <1-65535>    Number of lines of log messages to display. Setting range: 1 ~ 65535
Configuration examples
In the following example, the log settings are changed and the log messages are sent to the syslog server
and TiManager.
[Log output: entries timestamped "Jul 7 06:23:13" with the lines L3table : 0 K, L2table : 16 K, VLAN : 4096, 28 User port, and <<XSWITCH INFO>>]
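The severity threshold described above ("Critical" keeps crit, alert and emerg; "Debug" keeps everything) and the event types in the facility table are the two dimensions of a syslog PRI value, which a collector sees as facility * 8 + severity in front of each message. The following is an added example, not PIOLINK code and not part of TiFRONT, that decodes PRI values and applies the same threshold rule on the collector side, using the level keywords from the table above. The sample lines are constructed; only the "<<XSWITCH INFO>>" and "L2table : 16 K" texts echo the output shown on this page.

```python
"""Added example: decoding syslog PRI values and applying a severity threshold.
Not PIOLINK code; the facility/severity tables follow RFC 3164 and the SAMPLE_LINES
below are constructed for this example."""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Facility codes 0-23 in RFC 3164 order (the TiFRONT table lists a subset of these).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "console", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
# Severity codes 0-7, most serious first, using the keywords from the TiFRONT level table.
SEVERITIES = ["emerg", "alert", "crit", "error", "warn", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split a PRI value into (facility keyword, severity keyword)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def encode_pri(facility: str, severity: str) -> int:
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return facility, severity and message text, or None for lines without a valid PRI."""
    match = _PRI_RE.match(line)
    if not match:
        return None
    try:
        facility, severity = decode_pri(int(match.group(1)))
    except ValueError:
        return None
    return {"facility": facility, "severity": severity, "message": match.group(2)}


def at_least(severity: str, threshold: str) -> bool:
    """True when severity is as serious as, or more serious than, threshold
    (a lower index in SEVERITIES means more serious)."""
    return SEVERITIES.index(severity) <= SEVERITIES.index(threshold)


def filter_lines(lines: Iterable[str], threshold: str = "notice",
                 facilities: Optional[Set[str]] = None) -> List[Dict[str, str]]:
    """Keep records at or above the threshold, optionally restricted to some facilities;
    the default threshold mirrors the device's default of notice level or higher."""
    kept = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        if facilities is not None and record["facility"] not in facilities:
            continue
        if at_least(record["severity"], threshold):
            kept.append(record)
    return kept


# Constructed sample input: PRI 34 = auth.crit, 13 = user.notice, 15 = user.debug,
# 38 = auth.info, 0 = kern.emerg; the last two lines are malformed on purpose.
SAMPLE_LINES = [
    "<34>Jul  7 06:23:13 tifront login: authentication failure for admin from 192.0.2.10",
    "<13>Jul  7 06:23:13 tifront switch: <<XSWITCH INFO>>",
    "<15>Jul  7 06:23:13 tifront switch: L2table : 16 K",
    "<38>Jul  7 06:23:14 tifront login: session opened for user admin",
    "<0>Jul  7 06:23:15 tifront kernel: power supply failure",
    "<999>Jul  7 06:23:16 bogus PRI value",
    "not a syslog line",
]
```

Running filter_lines(SAMPLE_LINES) with the default threshold keeps the crit, notice and emerg records and drops the info and debug ones, which is the behaviour the note above describes for the device buffer; passing facilities={"auth"} isolates the authentication events that a security team would typically forward to a separate collector.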
Description
self-loop disable
You can set the transmission period for the self loop detection packets by using the following command in
<Configuration Mode>.
Command
Description
Set the transmission period for self loop detection packets.
<1-10>
Setting range: 1 ~ 10. (Default value: 1 sec)
You can set the time required for releasing the port blocking and enabling the port by using the following
command in <Configuration Mode>.
Command
Description
Set the time required for re-enabling the blocked port.
<0-3600>
Setting range: 0 ~ 3,600. (Default value: 90 sec)
The enabled self loop detection function is applied to all ports in the same way. When necessary, however, you can
disable the self loop detection of a specific port. To set the self loop detection function of specific ports, run the
following commands in <Configuration Mode>. The self loop detection function is enabled for every port by default.
Command
Description
self-loop detect
no self-loop detect
Note: Even if you enable the self loop detection function of a port, it does not work unless you enable the self loop detection function in
<Configuration Mode>.
LLDP Configuration
LLDP (Link Layer Discovery Protocol) is a protocol that periodically sends and receives system information for
network management between devices in a LAN to identify the physical network configuration and status
information.
LLDP is defined by the IEEE 802.1ab standard and sends information through TLV (Type-Length-Value). TLVs
are divided into mandatory TLVs that must be included in LLDP frames and option TLVs that can be selected
by users.
TLV                     Type
Chassis ID              Mandatory
Port ID                 Mandatory
TTL (Time-to-Live)      Mandatory
Port Description        Option
System Name             Option
System Description      Option
System Capabilities     Option
Management Address      Option
You can selectively include option TLVs in the LLDP frame. In addition, there are LLDP-MED (Media Endpoint
Discovery) TLVs to support the QoS of IP phones in VoIP environments.
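The TLV framing described above is simple enough to show end to end: each TLV is a 16-bit header carrying a 7-bit type and a 9-bit length, the three mandatory TLVs must come first in that order, and an End of LLDPDU TLV (type 0, length 0) closes the frame. The following is an added example, not PIOLINK code and not part of TiFRONT, that builds an LLDPDU with the mandatory TLVs plus the optional System Name and System Description TLVs, and parses one back while rejecting malformed input. LLDP frames arrive unauthenticated from whatever is plugged into a port, so a receiver has to validate lengths and ordering before trusting the contents; the MAC address and interface name used here are constructed sample values.

```python
"""Added example: building and parsing the LLDP TLVs listed above (IEEE 802.1AB framing).
Not PIOLINK code; the chassis MAC, port name and system strings used here are constructed."""
import struct
from typing import Dict, List, Optional, Tuple

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESC, TLV_SYSTEM_NAME, TLV_SYSTEM_DESC = 4, 5, 6
CHASSIS_SUBTYPE_MAC = 4        # chassis identified by its MAC address
PORT_SUBTYPE_IFNAME = 5        # port identified by its interface name (e.g. "ge5")
MANDATORY_ORDER = [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """2-byte header: 7-bit type in the high bits, 9-bit length in the low bits."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac: bytes, port_name: str, ttl: int,
                 system_name: Optional[str] = None, system_desc: Optional[str] = None,
                 port_desc: Optional[str] = None) -> bytes:
    """Mandatory TLVs first, selected optional TLVs, then the End of LLDPDU TLV."""
    if len(chassis_mac) != 6 or not 0 <= ttl <= 65535 or not port_name:
        raise ValueError("bad chassis MAC, port name or TTL")
    pdu = encode_tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac)
    pdu += encode_tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_name.encode())
    pdu += encode_tlv(TLV_TTL, struct.pack("!H", ttl))
    for tlv_type, text in ((TLV_PORT_DESC, port_desc), (TLV_SYSTEM_NAME, system_name),
                           (TLV_SYSTEM_DESC, system_desc)):
        if text is not None:
            pdu += encode_tlv(tlv_type, text.encode())
    return pdu + encode_tlv(TLV_END, b"")


def split_tlvs(pdu: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list; every length is checked against the frame before it is used."""
    tlvs, offset = [], 0
    while offset + 2 <= len(pdu):
        header, = struct.unpack_from("!H", pdu, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(pdu):
            raise ValueError("TLV length runs past the end of the frame")
        tlvs.append((tlv_type, pdu[offset:offset + length]))
        offset += length
        if tlv_type == TLV_END:
            return tlvs
    raise ValueError("missing End of LLDPDU TLV")


def parse_lldpdu(pdu: bytes) -> Dict[str, object]:
    """Decode the TLVs from the table above; other chassis/port subtypes are left undecoded."""
    tlvs = split_tlvs(pdu)
    if [t for t, _ in tlvs[:3]] != MANDATORY_ORDER:
        raise ValueError("mandatory TLVs missing or out of order")
    info: Dict[str, object] = {}
    for tlv_type, value in tlvs:
        if tlv_type == TLV_CHASSIS_ID and len(value) == 7 and value[0] == CHASSIS_SUBTYPE_MAC:
            info["chassis_id"] = value[1:].hex(":")
        elif tlv_type == TLV_PORT_ID and len(value) >= 2 and value[0] == PORT_SUBTYPE_IFNAME:
            info["port_id"] = value[1:].decode("ascii", errors="replace")
        elif tlv_type == TLV_TTL and len(value) == 2:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == TLV_PORT_DESC:
            info["port_description"] = value.decode("utf-8", errors="replace")
        elif tlv_type == TLV_SYSTEM_NAME:
            info["system_name"] = value.decode("utf-8", errors="replace")
        elif tlv_type == TLV_SYSTEM_DESC:
            info["system_description"] = value.decode("utf-8", errors="replace")
    return info


def is_well_formed(pdu: bytes) -> bool:
    """Convenience check for received frames: True only if parsing succeeds."""
    try:
        parse_lldpdu(pdu)
        return True
    except ValueError:
        return False
```

The TTL TLV is what bounds how long a neighbour entry stays in the LLDP MIB after the peer goes quiet; the too-many-neighbors limit and discarding period in the configuration table below exist because a port can be flooded with frames carrying distinct chassis IDs, and the parser above is the point at which such frames would first be checked.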
LLDP Configuration
To configure LLDP, run the following commands in <Configuration Mode>.
No.   Command                                                        Description
      interface <IFNAME>                                             Enter <Interface Configuration Mode> of the port.
        txonly                                                       Only send LLDP frames.
        txrx                                                         Send and receive LLDP frames.
                                                                     Note: To disable LLDP, run the command set lldp disable.
        <VALUE>                                                      Setting range: 1 ~ 10. (Default value: 2 sec)
10    set lldp chassis-id-tlv {ip-address | mac-address}
      set lldp management-address-tlv {ip-address | mac-address}     Set the value of Management Address TLV.
11    set lldp msg-tx-hold <VALUE>                                   Set the number of transmissions for LLDP messages.
        <VALUE>                                                      Setting range: 2 ~ 10. (Default value: 4)
12      <1-8192>                                                     Set the transmission delay time for LLDP messages.
                                                                     Setting range: 1 ~ 8192. (Default value: 2 sec)
13    set lldp too-many-neighbors limit <1-65535> discard            Set the number of neighbor devices for maintaining
        {existing-info <MAC> | received-info} timer <1-65535>        LLDP MIB information and the discarding period.
        <1-65535>                                                    Limit of the number of neighbor devices. Setting
                                                                     range: 1 ~ 65535
        existing-info <MAC>                                          After the time limit, the information of the devices
                                                                     with the same MAC address is deleted.
        received-info                                                After the time limit, the information of the devices
                                                                     that have exceeded the limit is deleted.
        <1-65535>                                                    Discarding period. Setting range: 1 ~ 65535 (sec)
14    lldp tlv {chassis-id | ieee-8021-org-specific |                Select the option TLVs to include in LLDP frames.
        ieee-8023-org-specific | management-address |                You can specify multiple items.
        port-description | port-id | power-via-mdi |
        system-capabilities | system-description | system-name}
Showing Statistics
To see the statistics of LLDP messages exchanged through the port, run the command show lldp port
<IFNAME> statistics in <User Mode> or <Privileged Mode>.
Configuration examples
In this example, the LLDP function is set as shown in the following table.
Configuration item          Set value
Management address          192.168.206.5
System name                 TiFRONT-G24
System description          TD Team Switch
Interface                   ge5
Operation mode              txrx
Transmission period         60
Number of transmissions     2
(config-if-ge5)# set lldp timer msg-tx-interval 60                                          Set the transmission period for LLDP messages.
(config-if-ge5)# set lldp msg-tx-hold 2                                                     Set the number of transmissions for LLDP messages.
(config-if-ge5)# set lldp too-many-neighbors limit 1000 discard received-info timer 120     Limit of the number of neighbor devices and discarding period
(config-if-ge5)# lldp tlv system-name system-description management-address
Stacking Configuration
Stacking connects multiple switches and makes them work as one switch. Only the TiFRONT-GX24M/GX24P
models support stacking. Two 10 gigabit Ethernet fiber ports are provided as stacking ports for connection
between devices.
Caution: You can connect up to 8 TiFRONTs through stacking. However, it is recommended not to exceed 5 devices for smooth operation and stable
performance of the functions of TiFRONT.
Note: If you don't use stacking, the stacking ports can be used in the same way as general ports. Furthermore, you can only use one of the two
stacking ports for stacking and the other port as general port.
The following figure shows an example of connecting three TiFRONTs through stacking.
[Figure: Router connected to TiFRONT A (Master, Stacking ID: 1); TiFRONT B (Slave, Stacking ID: 2) and TiFRONT C (Slave, Stacking ID: 3) connected through 10Gbps stacking links; hosts attached to each TiFRONT]
In the above configuration, TiFRONT A operates as the master device and TiFRONTs B and C operate as slave
devices. Each TiFRONT is connected through a 10 gigabit Ethernet port, and the master device TiFRONT A is
connected to the router for communication with external networks. TiFRONTs A, B and C work as one switch
having 72 Ethernet ports and are managed through the master device TiFRONT A.
The ports of each device connected through stacking are named in the following format:
<Interface Prefix><Stacking ID>.<Port Number>
For example, the ge10 port of the device whose stacking ID is 2 is "ge2.10". This port name is entered when
functions are set and displayed when settings are shown.
You must directly set the master/slave devices. If a slave device has a problem, the master device
excludes the slave device from the stacking configuration. However, if the master device has a problem,
you must change the stacking configuration by setting another switch as the master device.
For connections between devices in the stacking configuration, you must use the 10 gigabit Ethernet fiber
When using the stacking function, you can use the spanning tree function in only two modes of STP and
You must reboot the slave devices after enabling the stacking function. When the slave device is rebooted,
the startup-config remains the same, and the configuration file sent from the master device is used as
running-config.
Every setting after enabling the stacking is performed and saved in the master device. In the slave device,
you can only set the stacking status, rebooting, and management Ethernet port (mgmt0).
To use the stacking function, each device must have the same version of PLOS on them.
Description
Register the L3 license in the system.
  <LICENSE>    License received at the time of purchase
Note: You cannot use stacking unless the stacking license is registered. When you run the command for enabling this function, the following
message appears:
% This switch doesn't have a stacking License.
Note: For detailed information on the stacking license, please contact the product distributor or PIOLINK Technical Assistance Team (+82-1544-9890).
Caution: As the stacking license key is generated using the device's serial number, the license cannot be registered for other devices.
Command               Description
stacking id <1-8>     Set the stacking ID in the device and enable the stacking function.
  <1-8>               Enter the stacking ID. Setting range: 1 ~ 8 (1: master, 2-8: slave)
Note: To disable the stacking function, run the command no stacking in <Configuration Mode>.
Note: When you enable stacking, the 10 gigabit Ethernet fiber ports xg1 and xg2 work as the stacking ports. To use one of these two ports as
general port, run the command switchport in <Interface Configuration Mode> of the port to change the mode of the port. To change a general
port to a stacking port, run the command stacking-port in <Interface Configuration Mode>.
PLOS Update
To update PLOS for the stacking configuration, perform the following steps in <Configuration Mode> of the
master device.
No.   Command                                                               Description
1-1   os update <A.B.C.D> <FILE> [stacking {all | <2-8>}]                   Download PLOS from the TFTP server to TiFRONT.
        <A.B.C.D>                                                           IP address of the TFTP server
        <FILE>                                                              Path and name of the PLOS file
        all                                                                 Update PLOS on every slave device.
        <2-8>                                                               Stacking ID of the slave device for which to update PLOS.
                                                                            Setting range: 2 ~ 8
1-2   os update ftp <A.B.C.D> <ID> <PASSWORD> <FILE> [stacking {all | <2-8>}]
        <A.B.C.D>                                                           IP address of the FTP server
        <PASSWORD>                                                          Password of the ID that was entered before
        <FILE>                                                              Path and name of the PLOS file
        all                                                                 Update PLOS on every slave device.
        <2-8>                                                               Stacking ID of the slave device for which to update PLOS.
                                                                            Setting range: 2 ~ 8
1-3   os update usb <FILE> [stacking {all | <2-8>}]                         Download PLOS from a USB memory to TiFRONT.
        <FILE>                                                              Path and name of the PLOS file
        all                                                                 Update PLOS on every slave device.
        <2-8>                                                               Stacking ID of the slave device for which to update PLOS.
                                                                            Setting range: 2 ~ 8
2     reload                                                                Reboot every device in the stacking configuration. To reboot only a
                                                                            specific device, enter the stacking ID of the device to be rebooted using
Chapter 5
Link Aggregation Configuration
This chapter explains the concept of Link Aggregation and the procedure for setting port trunking and LACP
(Link Aggregation Control Protocol) in TiFRONT.
This chapter is composed of the following contents:
Link Aggregation Overview
Port Trunking Setting
LACP Setting
Port Trunking
Port Trunking integrates two or more ports into one logical port so as to use a larger bandwidth. If you have
to connect with a different device in the network through a logical port with port trunking, you must
manually define the settings between the devices.
LACP
LACP (Link Aggregation Control Protocol), which is a general-purpose protocol, combines two or more ports
into one logical port so as to use a larger bandwidth.
One characteristic of LACP that is different from port trunking is that the integrated bandwidth is formed
automatically when you set the logical integrated port (aggregator) and the physical member ports to be
combined into the logical port. Therefore, it is easier to configure than port trunking and quickly responds to
environmental changes.
Load balance algorithm    Meaning
dst-ip                    Hash method using the destination IP address
dst-mac                   Hash method using the destination MAC address
src-dst-ip                Hash method using the XOR value of the destination and source IP addresses
src-dst-mac               Hash method using the XOR value of the destination and source MAC addresses
src-ip                    Hash method using the source IP address
src-mac                   Hash method using the source MAC address
In TiFRONT, you can set up to 8 trunk groups, and each trunk group can contain up to 8 ports.
Every port in a trunk group must have the same speed and the transmission mode must be full duplex.
One port cannot belong to two or more trunk groups simultaneously. Each port must belong to only one trunk
group.
If you set IGMP snooping for a port that belongs to a trunk group, IGMP snooping may malfunction.
Therefore, do not set IGMP snooping for these ports.
Note: You cannot create eight trunk groups each for port trunking and for LACP separately. The sum of the trunk groups for port trunking and LACP
must be eight.
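The load-balance table above only names the hash inputs; what matters operationally is that every packet of one flow lands on the same member port, and that a poorly chosen input can pin most traffic onto one link. The following is an added example, not PIOLINK code and not a description of how TiFRONT's hardware computes its hash, that models member selection for each of the six modes as hash input modulo the number of member ports, and counts how a set of constructed flows would be spread across a three-port group. The MAC and IP addresses are constructed sample values.

```python
"""Added example: member-port selection for the trunk load-balance modes above.
Not PIOLINK code; the modulo-of-key selection is a model, not the switch's real hash,
and all addresses in SAMPLE_FLOWS are constructed."""
from collections import Counter
from typing import Dict, List

MODES = ("dst-ip", "dst-mac", "src-dst-ip", "src-dst-mac", "src-ip", "src-mac")


def _mac(text: str) -> bytes:
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC address: {text!r}")
    return raw


def _ip(text: str) -> bytes:
    parts = [int(p) for p in text.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {text!r}")
    return bytes(parts)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hash_key(mode: str, src_mac: str = "", dst_mac: str = "",
             src_ip: str = "", dst_ip: str = "") -> int:
    """Build the hash input the table describes for the given mode, as an integer."""
    if mode == "src-mac":
        key = _mac(src_mac)
    elif mode == "dst-mac":
        key = _mac(dst_mac)
    elif mode == "src-dst-mac":
        key = _xor(_mac(src_mac), _mac(dst_mac))   # XOR makes the choice direction-independent
    elif mode == "src-ip":
        key = _ip(src_ip)
    elif mode == "dst-ip":
        key = _ip(dst_ip)
    elif mode == "src-dst-ip":
        key = _xor(_ip(src_ip), _ip(dst_ip))
    else:
        raise ValueError(f"unknown load-balance mode: {mode!r}")
    return int.from_bytes(key, "big")


def select_member(mode: str, members: List[str], **flow: str) -> str:
    """Pick the member port for one flow: key modulo the number of members."""
    if not members:
        raise ValueError("trunk group has no member ports")
    return members[hash_key(mode, **flow) % len(members)]


def distribution(mode: str, members: List[str], flows: List[Dict[str, str]]) -> Dict[str, int]:
    """Count how many of the given flows each member port would carry."""
    counts = Counter({m: 0 for m in members})
    for flow in flows:
        counts[select_member(mode, members, **flow)] += 1
    return dict(counts)


# Constructed sample: four hosts all talking to the same server (one dst MAC / dst IP).
SAMPLE_FLOWS = [
    {"src_mac": f"00:00:00:00:00:0{i}", "dst_mac": "00:00:00:00:00:10",
     "src_ip": f"10.0.0.{i}", "dst_ip": "10.0.0.100"}
    for i in range(1, 5)
]
```

With SAMPLE_FLOWS, dst-mac puts all four flows on one member because every flow shares the destination, while src-mac spreads them; the page's default of src-dst-mac is the usual compromise, and the XOR property shown by select_member means the reverse direction of a flow, if it traverses the same group, chooses the same member.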
Command                        Description
static-channel-group <1-8>     Set the port trunking.
  <1-8>                        Trunk group ID. Setting range: 1 ~ 8
Note: To delete the port trunking setting, run the command no static-channel-group in <Interface Configuration Mode>.
Command                                                                                       Description
port-channel load-balance {dst-ip | dst-mac | src-dst-ip | src-dst-mac | src-ip | src-mac}   Specify the load balance algorithm.
                                                                                              (Default: src-dest-mac)
Note: To enter <Interface Configuration Mode> of the trunk group, run the command interface <channel-group-name> in <Configuration
Mode>. For channel-group-name, enter agg and then enter the ID (channel-group-number) of the trunk group with no space between them. For
example, if the trunk group ID is 1, you can enter the <Interface Configuration Mode> by using the following command.
(config)# interface agg1
Note: To delete the load balance algorithm, run the command no port-channel load-balance in <Interface Configuration Mode> of the
trunk group.
Caution: You cannot assign the same ID for the trunk group ID of port trunking and the aggregator ID of LACP.
Configuration Example
In the following example, ge1 to ge3 ports are set as a trunk group.
LACP Setting
The procedure for setting LACP is described below.
Command                           Description
channel-group <1-8>               Set the aggregator/LACP operation mode.
  <1-8>                           Aggregator ID. Setting range: 1 ~ 8.
Note: To delete the aggregator setting, run the command no channel-group in <Interface Configuration Mode> of the port.
Caution: You cannot assign the same ID for the trunk group ID of port trunking and the aggregator ID of LACP.
Command                           Description
lacp system-priority <1-65535>    Set the device priority.
  <1-65535>                       Setting range: 1 ~ 65535
Note: To delete the device priority setting, run the command no lacp system-priority in <Configuration Mode>.
Command                           Description
lacp port-priority <1-65535>      Set the member port priority.
  <1-65535>                       Setting range: 1 ~ 65535
Note: To delete the member port priority setting, run the command no lacp port-priority in <Configuration Mode>.
Command                                                                                       Description
port-channel load-balance {dst-ip | dst-mac | src-dst-ip | src-dst-mac | src-ip | src-mac}   Specify the load balance algorithm.
Note: To enter <Interface Configuration Mode> of an aggregator, run the command interface <channel-group-name> in <Configuration
Mode>. Enter agg for channel-group-name and then enter the ID (channel-group-number) of the aggregator with no space between them. For
example, if the aggregator ID is 1, you can enter the <Interface Configuration Mode> by using the following command:
(config)# interface agg1
Note: To delete the load balance algorithm setting, run the command no port-channel load-balance in <Interface Configuration Mode>.
Note: To delete the LACP-related statistics, run the command clear lacp {<1-8> statistics | counters | statistics}.
Configuration Example
In the following example, LACP is set for the ge1 and ge2 ports.
# show lacp-counter                      Show LACP PDU transmission count
% Traffic statistics
Port        LACPDUs         Marker          Pckt err
            Sent    Recv    Sent    Recv    Sent    Recv
% Aggregator agg1 42
ge1         121     120     0       0       0       0
ge2         121     122     0       0       0       0
# show lacp statistics
Chapter 6
SNMP Configuration
This chapter introduces SNMP (Simple Network Management Protocol) and the procedure for setting SNMP in
TiFRONT.
This chapter is composed of the following contents:
SNMP Overview
SNMP Configuration
SNMP Overview
SNMP is a standard protocol used to communicate management information between the Network
Management System (NMS) and the network devices. SNMP belongs to the L7 application layer which is the
highest layer of the OSI model. Network administrators can perform the following tasks remotely through
SNMP.
Network Configuration Management
Configure or check the structure of the entire network.
Performance Management
You can get statistics required for performance analysis such as network usage between network segments,
error occurrences, processing speed, and response time.
Device Management
You can get information about a device's operation status, the status of modules including ports, power, and
cooling fans, and system information such as CPU and memory. This information greatly helps you to solve
device problems on the network.
Security Management
SNMP provides security features for controlling and protecting the MIB information of devices. In particular,
the latest version, SNMP v3, has greatly strengthened the security functions.
Components of SNMP
SNMP largely consists of the following three components:
SNMP Manager
SNMP Agent
MIB (Management Information Base)
Each of the above components is described in detail below.
SNMP Manager
SNMP Manager acts as an interface for users to see the status of the entire network. Through communication
with SNMP Agent, SNMP Manager can get information about devices in the MIB and monitor them, and send
action requests to SNMP Agent to change device settings.
SNMP Agent
SNMP Agent is a software module embedded in network devices such as the switch, router, UNIX workstation,
and printer. When it receives an information request from SNMP Manager, SNMP Agent collects the
information from the MIB and sends it to SNMP Manager. When it receives a request for changing settings,
SNMP Agent changes the corresponding MIB values. Furthermore, even if it does not receive a request from
SNMP Manager, when important events occur such as a user authentication error, system restart, or
disconnection between neighbor devices, SNMP Agent generates a trap and sends it to SNMP Manager.
SNMP MIB
SNMP MIB is a database that contains information for managing network devices, such as system information,
network usage, and network interface information. Each piece of data in the MIB is called an object. The
objects of the MIB are organized in a hierarchical tree structure, as shown in the following figure.
In the hierarchical structure of the MIB, the top part represents the broadest information, and the lower
objects are more concrete than the higher objects. The number beside each object in the MIB is the OID number
used to get the desired data. For example, the OID of enterprise is 1.3.6.1.4.1.
The MIB is expandable because of its hierarchical structure. You can add private MIBs for use within your
company or to monitor the network status of a limited network area. You define these private MIBs under
enterprises (1) of private (4).
There are two versions of MIB: MIB-I and MIB-II. MIB-II is an extended version of MIB-I. It includes about 171
objects in addition to all the objects of MIB-I.
Note: There are standard MIBs provided by TiFRONT: MIB-II and UCD-SNMP.
Note: The MIB-II supported by TiFRONT contains system information and interface information (32 bit type, 64 bit type). The UCD-SNMP contains
CPU and memory information.
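The OID tree described above is carried on the wire in BER form: the first two arcs are combined into one byte (40 * first + second, so 1.3 becomes 0x2B) and every further arc is written as base-128 groups with the high bit set on all but the last group. The following is an added example, not PIOLINK code and not part of TiFRONT, that encodes and decodes OIDs this way and checks whether an OID falls under a subtree, which is the test an SNMP view applies when a community is restricted to part of the MIB. The enterprise OID 1.3.6.1.4.1 and the MIB-II sysDescr OID are standard; the arc 2000 used to show multi-byte encoding is an arbitrary constructed value.

```python
"""Added example: BER encoding of SNMP OIDs and a subtree membership check.
Not PIOLINK code; 1.3.6.1.4.1 (enterprises) and 1.3.6.1.2.1.1.1.0 (sysDescr.0) are
standard OIDs, the arc 2000 is an arbitrary constructed value."""
from typing import List

OID_TAG = 0x06  # ASN.1 OBJECT IDENTIFIER


def _arcs(oid: str) -> List[int]:
    """Parse dotted notation and apply the X.690 limits on the first two arcs."""
    arcs = [int(a) for a in oid.strip().strip(".").split(".")]
    if len(arcs) < 2 or min(arcs) < 0 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID: {oid!r}")
    return arcs


def _base128(n: int) -> bytes:
    """Big-endian 7-bit groups; every group except the last has the high bit set."""
    chunks = [n & 0x7F]
    n >>= 7
    while n:
        chunks.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(reversed(chunks))


def encode_oid(oid: str) -> bytes:
    """Content octets only: first two arcs merged as 40*a0 + a1, then the remaining arcs."""
    arcs = _arcs(oid)
    return _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])


def ber_oid(oid: str) -> bytes:
    """Full TLV (tag 0x06, short-form length, value) as it appears inside an SNMP PDU."""
    value = encode_oid(oid)
    if len(value) >= 128:
        raise ValueError("long-form length is not handled in this example")
    return bytes([OID_TAG, len(value)]) + value


def decode_oid(data: bytes) -> str:
    """Inverse of encode_oid; a final byte with the high bit set means the OID is truncated."""
    if not data or data[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, n = [], 0
    for b in data:
        n = (n << 7) | (b & 0x7F)
        if b & 0x80:
            continue
        if not arcs:
            arcs.extend([n // 40, n % 40] if n < 80 else [2, n - 80])
        else:
            arcs.append(n)
        n = 0
    return ".".join(map(str, arcs))


def is_valid_oid_bytes(data: bytes) -> bool:
    try:
        decode_oid(data)
        return True
    except ValueError:
        return False


def is_under(oid: str, subtree: str) -> bool:
    """True when oid equals subtree or lies below it, the check an SNMP view performs."""
    arcs, prefix = _arcs(oid), _arcs(subtree)
    return arcs[:len(prefix)] == prefix
```

A read-only community that is only meant to expose system and interface information can be expressed as a pair of is_under checks against 1.3.6.1.2.1.1 (system) and 1.3.6.1.2.1.2 (interfaces); anything else the manager asks for, including private enterprise objects, fails the check.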
Communication Command
Communication between SNMP Manager and Agent consists of information request messages and response
messages by default. The following figure illustrates the communication between SNMP Manager and Agent.
[Figure: SNMP Manager exchanging request and response messages with SNMP Agent (TiFRONT)]
The following commands are used for communication between SNMP Manager and Agent.
Get
The Get command is used by SNMP Manager to request information from SNMP Agent. When it receives an
information request from SNMP Manager, SNMP Agent collects the information from the MIB and sends it to
SNMP Manager.
Get Next
The Get Next command is used by SNMP Manager to request information from SNMP Agent, just like the Get
command. However, when you use the Get Next command, you can get the information of the next OID item,
rather than only the requested information as with the Get command.
Set
The Set command is used by SNMP Manager to request SNMP Agent to set a specific value for an MIB object.
When it receives a request for changing settings, SNMP Agent changes the corresponding MIB values.
Trap
Even if no request is received from SNMP Manager, when important events occur such as a user authentication
error, system restart, or disconnection between neighbor devices, SNMP Agent generates a trap and sends it to
SNMP Manager. The trap message is sent only when each trap is enabled and the corresponding event occurs. If
you specify a specific trap host, SNMP Agent only sends trap messages to the specified trap host.
SNMP Versions
TiFRONT supports the following SNMP versions.
SNMP v1
SNMP v1 is defined in RFC 1157. SNMP v1 briefly defines the basic MIB-I and MIB-II and contains information
about systems, networks, applications, services, etc. SNMP v1 supports community-based security functions.
The communication between SNMP Manager and Agent is possible only if the community names of SNMP
Manager and Agent match.
SNMP v2
SNMP v2 is defined in RFC 1902. In addition to containing the content of SNMP v1, SNMP v2 has reinforced
security and access control features by adding data types, counter sizes, and protocol operations. As with v1, SNMP
v2 supports community-based security functions.
SNMP v3
SNMP v3 is the latest version and is defined in RFC 2571-2575. SNMP v3 has greatly reinforced security
functions by enforcing user authentication with a secret key before allowing access to devices and encrypting
data.
Note: The versions of SNMP Manager and Agent must be identical for them to communicate with each other. Therefore, you must set the version of
SNMP Manager according to the SNMP Agent version. TiFRONT acts as SNMP Agent and can enable all three versions of SNMP simultaneously. Therefore,
if there are multiple SNMP Managers configured with different SNMP versions, each of them can communicate only with the SNMP Agent running the
same version.
SNMP Configuration
SNMP Configuration Items
You can set the following items to use SNMP in TiFRONT.
SNMP Community
SNMP User
SNMP Trap
Default Setting
The default settings of SNMP items are shown below.
Item                  Default Setting
SNMP status           Disabled
Community
User                  None
Device information    None
Trap                  Disabled
Trap host             None
Command                                   Description
snmp-server community <WORD> {ro | rw}    Set an SNMP community.
  <WORD>                                  Community name
Note: You can delete an SNMP community by using the command no snmp-server community <WORD> in <Configuration Mode>.
Note: Community implies the meaning of a general password as we know it. Users type the desired password in the parameter <WORD>. Based on
this password, you can limit the access rights of SNMP Agent to read-only or grant both read and write permissions. ro and rw at the back of the
command stand for read-only and read/write, respectively.
Command                     Description
snmp-server user <WORD>     Set an SNMP user.
  <WORD>                    You can set a User ID as a string of 1-12 characters consisting of
                            letters, numbers, -, and _. The first character must be a letter.
Note: You can delete an SNMP user by using the command no snmp-server user <WORD> in <Configuration Mode>.
Command                                               Description
snmp-server trap host {<A.B.C.D> | <WORD>} [<WORD>]   Set an SNMP trap host.
  <A.B.C.D>                                           IP address of SNMP trap host
  <WORD>                                              Name of SNMP trap host
  [<WORD>]                                            SNMP community used for trap transmission
Note: You can delete an SNMP trap host by using the command no snmp-server trap host {<A.B.C.D> | <WORD>} [<WORD>] in
<Configuration Mode>.
Description
Enable an SNMP trap host community.
  <WORD>                                          SNMP community used for trap transmission
Command                                           Description
snmp-server trap {auth | port {<WORD> | all}}     Enable SNMP trap.
  auth                                            Trap is generated when an SNMP action is attempted with an
                                                  invalid community.
  port                                            Trap is generated when the interface link is up or down.
  <WORD>                                          Port number to be monitored for link status.
Note: You can disable the SNMP trap by using the command no snmp-server trap {auth | port {<WORD> | all}} in <Configuration Mode>.
Description
Set the device name. Use a string that suggests which kind of device it
is and the purpose for which it is used.
Description
Set contact information for a device. E-mail address or telephone number
of the administrator is mainly used.
<WORD>
The contact information can be composed of up to 128 characters of
letters, numbers, and special characters except quotation marks (").
Description
Set the device location. The address where the device is installed is often
used for location.
<WORD>
The location can be composed of up to 128 characters of letters,
numbers, and special characters except quotation marks (").
Command                   Description
snmp-server enable trap   Enable SNMP trap.
Note: To disable the SNMP trap, run the command no snmp-server enable trap in <Configuration Mode>.
Description
Apply the changed SNMP settings to the system.
Configuration Example
The following is an example of the SNMP community, user, trap host, trap, and device information settings.
Chapter 7
RMON Configuration
This chapter introduces RMON (Remote Monitoring) and the procedure for setting RMON for TiFRONT.
This chapter is composed of the following contents:
RMON Overview
RMON Configuration
RMON Overview
RMON (Remote Monitoring) is a traffic monitoring feature for LAN environments that uses the SNMP
transmission structure and commands. In SNMP, the Agent monitors information about the one node on which it
is running. RMON, in contrast, monitors traffic information such as the number of collisions in a LAN segment,
packet size distribution, and the volume of data exchanged between terminals connected to the LAN.
RMON also offers alert and event functions. It predicts potential problems based on monitored traffic
information and alerts users. This alert and event function of RMON reports a state in which a problem may
occur (exceeding a specified threshold, etc.) so that problems in a network can be easily detected and
addressed before they become serious.
There are 9 RMON MIB groups (1. Statistics 2. History 3. Alarm 4. Host 5. Host Top N 6. Matrix 7. Filter 8.
Packet Capture 9. Event). TiFRONT supports the following four groups which are the most basic among them.
The RMON alarm group compares a monitored MIB value with thresholds in the following ways:
Rising threshold: An alarm goes off if the value is greater than the threshold.
Falling threshold: An alarm goes off if the value is smaller than the threshold.
Absolute comparison: An alarm goes off after comparing the continuously accumulated value with the threshold.
Delta comparison: An alarm goes off after comparing the value accumulated during the specified time with the threshold.
The RMON alarm group is linked to the events defined in the RMON event group. An event defines the action to be performed when the value exceeds the threshold. For the event that is activated when an RMON alarm occurs, you must specify one of the entries of the RMON event table, and that entry must be predefined.
RMON Setting
This section describes the procedure for performing RMON setting tasks in the CLI.
Command: rmon collection stats <1-65535> [owner <WORD>]
Description: Set data collection for a port in the RMON Statistics Group. Run this command in <Interface Configuration Mode>.
<1-65535>: RMON Statistics Group ID. Setting range: 1 ~ 65535
owner <WORD>: (Optional) Owner name of the statistics entry.
Caution: To set RMON Statistics Groups for multiple ports, the RMON Statistics Group ID must be different for each port. If you set the same RMON
Statistics Group ID for two or more ports, only the data for the port that was set last are collected in the RMON Statistics Group.
Note: To disable statistics data collection for a specific port, run the command no rmon collection stats <1-65535> in <Interface
Configuration Mode>.
Command: rmon collection history <1-65535> <1-65535>
Description: Set data collection for a port in the RMON History Group. Run this command in <Interface Configuration Mode>.
<1-65535>: RMON History Group ID. Setting range: 1 ~ 65535
<1-65535>: Number of tables to be recorded in the sampling period.
Caution: To set RMON History Groups for multiple ports, the RMON History Group IDs of the ports must be different from one another. If you set the
same RMON History Group ID for two or more ports, the data for the port that was set last will be collected in the RMON History Group.
Note: To disable history data collection for a specific port, run the command no rmon collection history <1-65535> in <Interface
Configuration Mode>.
<Privileged Mode>.
Command: rmon event <1-65535> {log | trap | log trap} [<WORD>] [<WORD>]
Description: Set the RMON Event Group.
<1-65535>: RMON Event Group ID. Setting range: 1 ~ 65535
log: Save alarm information in the log table.
trap: Generate a trap.
log trap: Perform log saving and trap generation simultaneously.
<WORD>: (Optional) String parameters of the event entry.
Note: To delete the RMON Event Group setting, run the command no rmon event <1-65535> in <Interface Configuration Mode>.
Command: rmon alarm <1-65535> <WORD> interval <1-65535> {absolute | delta} rising-threshold <RISING_THRES> event <1-65535> falling-threshold <FALL_THRES> event <1-65535> [owner <WORD>]
Description: Save and apply the RMON alarm setting to the system.
<1-65535>: RMON Alarm Group ID. Setting range: 1 ~ 65535
<WORD>: OID name or number of the object in the RMON MIB to be monitored by the RMON alarm group.
interval <1-65535>: RMON MIB value monitoring cycle. Setting range: 1 ~ 65535 (sec)
absolute: Compare the cumulative value of the monitored MIB object with the threshold.
delta: The MIB values monitored during the specified period are compared with the threshold.
<RISING_THRES>: Rising threshold to be compared with the monitored RMON MIB value. Setting range: 1 ~ 65535
event <1-65535> (after rising-threshold): ID of the RMON Event Group to be run when an alarm is generated because the value exceeds the rising threshold.
<FALL_THRES>: Falling threshold to be compared with the monitored RMON MIB value. Setting range: 1 ~ 65535
event <1-65535> (after falling-threshold): ID of the RMON Event Group to be run when an alarm is generated by comparison with the falling threshold.
owner <WORD>: Name of the entity using the RMON alarm group information. A string of up to 15 characters consisting of letters, numbers, and special characters.
Note: To add an RMON alarm, you must enable the RMON Event Group.
Note: In the RMON alarm group, you can add statistics about the objects under etherStatsEntry(1.3.6.1.2.1.16.1.1.1) as follows:
etherStatsDropEvents(1.3.6.1.2.1.16.1.1.1.3)
etherStatsOctets(1.3.6.1.2.1.16.1.1.1.4)
etherStatsPkts(1.3.6.1.2.1.16.1.1.1.5)
etherStatsBroadcastPkts(1.3.6.1.2.1.16.1.1.1.6)
etherStatsMulticastPkts(1.3.6.1.2.1.16.1.1.1.7)
etherStatsCRCAlignErrors(1.3.6.1.2.1.16.1.1.1.8)
etherStatsUndersizePkts(1.3.6.1.2.1.16.1.1.1.9)
etherStatsOversizePkts(1.3.6.1.2.1.16.1.1.1.10)
etherStatsFragments(1.3.6.1.2.1.16.1.1.1.11)
etherStatsJabbers(1.3.6.1.2.1.16.1.1.1.12)
etherStatsCollisions(1.3.6.1.2.1.16.1.1.1.13)
etherStatsPkts64Octets(1.3.6.1.2.1.16.1.1.1.14)
etherStatsPkts65to127Octets(1.3.6.1.2.1.16.1.1.1.15)
etherStatsPkts128to255Octets(1.3.6.1.2.1.16.1.1.1.16)
etherStatsPkts256to511Octets(1.3.6.1.2.1.16.1.1.1.17)
etherStatsPkts512to1023Octets(1.3.6.1.2.1.16.1.1.1.18)
etherStatsPkts1024to1518Octets(1.3.6.1.2.1.16.1.1.1.19)
When setting the RMON alarm group, you can enter the MIB OID in the format <OID name or number>.<RMON statistics group ID> or
etherStatsEntry.<3-19>.<RMON statistics group ID>.
The following is an example of setting etherStatsDropEvents where the RMON statistics group ID is 5. (The three lines indicate the same value.)
etherStatsDropEvents.5
1.3.6.1.2.1.16.1.1.1.3.5
etherStatsEntry.3.5
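The following Python model, added here as an illustration and not code from the TiFRONT guide or from PIOLINK, ties the alarm table above to the OID forms just listed. It normalizes the three spellings of an etherStatsEntry object into one numeric OID and replays an alarm entry over constructed counter readings, so the difference between absolute and delta sampling and the purpose of the rising/falling pair become visible. The re-arming rule (a rising event fires again only after a falling crossing, and vice versa) follows RFC 2819; that TiFRONT behaves the same way is an assumption. The names RmonAlarm, normalize_oid, run_alarm and CRC_SAMPLES are this example's own.

```python
"""RMON alarm semantics from the guide, as a runnable model (added example).

Normalizes the three OID spellings the guide accepts for etherStatsEntry
objects and replays an alarm entry over constructed counter samples. The
re-arming rule follows RFC 2819 (assumption: TiFRONT behaves the same way).
"""

ETHER_STATS_ENTRY = "1.3.6.1.2.1.16.1.1.1"

# Column numbers under etherStatsEntry, as listed in the guide.
ETHER_STATS_COLUMNS = {
    "etherStatsDropEvents": 3, "etherStatsOctets": 4, "etherStatsPkts": 5,
    "etherStatsBroadcastPkts": 6, "etherStatsMulticastPkts": 7,
    "etherStatsCRCAlignErrors": 8, "etherStatsUndersizePkts": 9,
    "etherStatsOversizePkts": 10, "etherStatsFragments": 11,
    "etherStatsJabbers": 12, "etherStatsCollisions": 13,
    "etherStatsPkts64Octets": 14, "etherStatsPkts65to127Octets": 15,
    "etherStatsPkts128to255Octets": 16, "etherStatsPkts256to511Octets": 17,
    "etherStatsPkts512to1023Octets": 18, "etherStatsPkts1024to1518Octets": 19,
}


def normalize_oid(text):
    """Return the numeric OID for '<name>.<stats id>', 'etherStatsEntry.<3-19>.<stats id>'
    or an already numeric '1.3.6.1.2.1.16.1.1.1.<3-19>.<stats id>'."""
    parts = text.split(".")
    if parts[0] == "etherStatsEntry" and len(parts) == 3:
        column, stats_id = parts[1], parts[2]
    elif parts[0] in ETHER_STATS_COLUMNS and len(parts) == 2:
        column, stats_id = str(ETHER_STATS_COLUMNS[parts[0]]), parts[1]
    elif len(parts) == 12 and ".".join(parts[:10]) == ETHER_STATS_ENTRY:
        column, stats_id = parts[10], parts[11]
    else:
        raise ValueError(f"unsupported OID form: {text}")
    if not (column.isdigit() and 3 <= int(column) <= 19):
        raise ValueError(f"not an etherStatsEntry column: {column}")
    if not (stats_id.isdigit() and 1 <= int(stats_id) <= 65535):
        raise ValueError(f"RMON statistics group ID out of range: {stats_id}")
    return f"{ETHER_STATS_ENTRY}.{column}.{stats_id}"


class RmonAlarm:
    """One alarm-table entry: samples one object every `interval` seconds."""

    def __init__(self, oid, interval, sample_type, rising, rising_event, falling, falling_event):
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if not falling < rising:
            raise ValueError("falling threshold must be below rising threshold")
        self.oid = normalize_oid(oid)
        self.interval = interval
        self.sample_type = sample_type
        self.rising, self.rising_event = rising, rising_event
        self.falling, self.falling_event = falling, falling_event
        self.previous = None    # last raw sample, needed for delta
        self.last_fired = None  # "rising" / "falling": which side fired last

    def sample(self, raw):
        """Feed one raw counter reading; return (kind, value, event_id) or None."""
        if self.sample_type == "delta":
            if self.previous is None:       # first delta sample has no baseline
                self.previous = raw
                return None
            value, self.previous = raw - self.previous, raw
        else:
            value = raw
        # A rising event re-arms only after a falling crossing, and vice versa,
        # so a counter that stays high does not fire on every interval.
        if value >= self.rising and self.last_fired != "rising":
            self.last_fired = "rising"
            return ("rising", value, self.rising_event)
        if value <= self.falling and self.last_fired != "falling":
            self.last_fired = "falling"
            return ("falling", value, self.falling_event)
        return None


def run_alarm(alarm, samples):
    """Replay counter readings through an alarm; return the list of fired events."""
    events = []
    for raw in samples:
        fired = alarm.sample(raw)
        if fired is not None:
            events.append(fired)
    return events


# Constructed cumulative etherStatsCRCAlignErrors readings, one per interval.
CRC_SAMPLES = [0, 2, 60, 130, 131, 131, 200]

if __name__ == "__main__":
    delta = RmonAlarm("etherStatsCRCAlignErrors.5", 30, "delta", 50, 1, 5, 2)
    absolute = RmonAlarm("etherStatsEntry.8.5", 30, "absolute", 50, 1, 5, 2)
    print("delta   :", run_alarm(delta, CRC_SAMPLES))
    print("absolute:", run_alarm(absolute, CRC_SAMPLES))
```

Run against the same readings, the delta alarm fires on each burst of errors and re-arms in between, while the absolute alarm on a cumulative counter fires its rising event once and then stays silent, which is why delta sampling is the usual choice for counters.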
Configuration Example
The following is an example of RMON statistics group, history group, alarm group, and event group settings.
Chapter 8
STP Configuration
This chapter introduces STP (Spanning Tree Protocol), RSTP (Rapid Spanning-Tree Protocol), PVST+ (Per VLAN
Spanning Tree Plus), RPVST+ (Rapid Per VLAN Spanning Tree Plus), and MSTP (Multiple Spanning Tree
Protocol), and describes the procedure for setting STP in TiFRONT.
This chapter is composed of the following sections:
STP
RSTP
PVST+/RPVST+/MSTP
Spanning Tree Setting
STP
One problem of a network connected via switches is that there must be only one route between any two nodes. If there are two or more routes between two nodes, packets will be transmitted twice or an infinite loop will be created on the network. A loop generates a flood of network traffic which makes the network unstable.
In the network illustrated below, there are two routes from switch A to switch C: path 2, which is a direct route, and the indirect route through switch B that uses paths 1 and 3. A loop is generated in a network like this where there are two or more routes to a destination. For example, when switch A broadcasts a packet in this example, switch C broadcasts the packet received through path 2 to switch B through path 3, and switch B sends the packet received through path 3 to switch A through path 1. Thus, a loop is generated. Conversely, the loop of A->B->C->A is also generated.
[Figure: Switch A, Switch B, and Switch C connected by three paths]
STP (Spanning Tree Protocol), specified in the IEEE 802.1D standard, is a protocol that prevents loops from occurring when there are two or more routes to a destination. If there are two or more routes at one node in a spanning tree, the optimum route is selected according to priority. All other routes are put into the blocking state (frames are not sent) and excluded from the spanning tree. Therefore, when traffic is processed, packets are transmitted through the optimum route only.
In the above network, if path 3 is turned into blocking state, there is only one route from switch A to switch C
(path 2), thereby preventing the loop.
[Figure: Switch A, Switch B, and Switch C; path 1 and path 2 forwarding, path 3 (between switch B and switch C) blocking]
When a problem occurs in a route in STP that has only a single route, the route that has been blocked is
changed to a (traffic) forwarding state to improve network availability.
[Figure: root ports, designated switches, and designated port in a spanning tree]
In the above figure, the switches exchange BPDUs to determine the switches and ports to be included in the spanning tree. The BPDU contains the following information:
Bridge ID is a value that is used when electing the root switch, which is the central switch in a spanning tree. A Bridge ID consists of a switch's priority (top 2 bytes) and MAC address, and the switch having the highest priority is elected as the root switch. A lower priority number means a higher priority. If every switch has the same priority, the switch having the lowest MAC address is selected as the root switch.
Root cost is a value used when selecting the root port and the designated switch. The port that provides the best route (lowest cost) when a switch sends packets to the root switch, in other words, the port having the lowest route cost to the root switch, becomes the root port. Furthermore, the switch that has the lowest route cost when packets are forwarded from the LAN to the root switch becomes the designated switch. The port of the designated switch that is directly connected to the LAN becomes the designated port. Ports other than the root port and the designated port are blocked from communication and are called blocked ports. When the route cost is identical, the switch whose bridge ID has the lowest priority value is selected as the designated switch.
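The election rules just described (lowest priority value, then lowest MAC address for the root; lowest route cost, then lowest bridge ID for root and designated ports) can be run on paper, but a small program makes the tie-breaks explicit. The Python below is an added example, not code from the TiFRONT guide. Bridge IDs use the "PPPP-MMMMMMMMMMMM" text form seen in the guide's show output (16-bit priority and 48-bit MAC in hex); the bridge IDs and the three-switch topology are constructed, the link cost is the RSTP/RPVST+/MSTP value for 100 Mbps from the guide's route cost table, and the function names (elect_root, port_roles and so on) are this example's own.

```python
"""Root switch election and STP port roles (added example, not guide code)."""
import heapq
from collections import defaultdict
from math import inf


def parse_bridge_id(text):
    """'8000-0006c4720203' -> (priority, mac); the lower tuple is the better bridge ID."""
    priority_hex, mac_hex = text.split("-")
    return (int(priority_hex, 16), int(mac_hex, 16))


def elect_root(bridges):
    """Lowest priority value wins; the lowest MAC address breaks the tie."""
    return min(bridges, key=lambda name: parse_bridge_id(bridges[name]))


def root_path_costs(links, root):
    """Dijkstra from the root: lowest route cost from every switch to the root."""
    adjacent = defaultdict(dict)
    for (a, b), cost in links.items():
        adjacent[a][b] = cost
        adjacent[b][a] = cost
    cost_to_root = {root: 0}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > cost_to_root.get(node, inf):
            continue
        for neighbour, link_cost in adjacent[node].items():
            candidate = cost + link_cost
            if candidate < cost_to_root.get(neighbour, inf):
                cost_to_root[neighbour] = candidate
                heapq.heappush(heap, (candidate, neighbour))
    return cost_to_root, adjacent


def select_root_port(switch, root, bridges, cost_to_root, adjacent):
    """Neighbour giving the lowest cost to the root; the lower bridge ID breaks ties."""
    if switch == root:
        return None
    return min(adjacent[switch],
               key=lambda n: (cost_to_root[n] + adjacent[switch][n], parse_bridge_id(bridges[n])))


def port_roles(bridges, links):
    """Return (root switch, {(switch, peer): 'root' | 'designated' | 'blocked'})."""
    root = elect_root(bridges)
    cost_to_root, adjacent = root_path_costs(links, root)
    roles = {}
    for a, b in links:
        # Designated switch on the segment: lowest root cost, then lowest bridge ID.
        designated = min((a, b), key=lambda s: (cost_to_root[s], parse_bridge_id(bridges[s])))
        for switch, peer in ((a, b), (b, a)):
            if select_root_port(switch, root, bridges, cost_to_root, adjacent) == peer:
                roles[(switch, peer)] = "root"
            elif switch == designated:
                roles[(switch, peer)] = "designated"
            else:
                roles[(switch, peer)] = "blocked"
    return root, roles


# Constructed: equal priority 0x8000 everywhere, so the lowest MAC (switch C) wins.
BRIDGES = {"A": "8000-0006c4720203", "B": "8000-0006c4720229", "C": "8000-0006c4440207"}
# Path 1 = A-B, path 2 = A-C, path 3 = B-C, all 100 Mbps (cost 200,000).
LINKS = {("A", "B"): 200000, ("A", "C"): 200000, ("B", "C"): 200000}

if __name__ == "__main__":
    root, roles = port_roles(BRIDGES, LINKS)
    print("root:", root)
    for (switch, peer), role in sorted(roles.items()):
        print(f"{switch} -> {peer}: {role}")
    # Lowering A's priority to 0, as in the guide's configuration example, makes A the root.
    print("root after priority 0 on A:", port_roles(dict(BRIDGES, A="0000-0006c4720203"), LINKS)[0])
```

With equal priorities, switch C (lowest MAC) becomes the root and the single blocked port ends up on switch B; changing switch A's priority to 0 moves the root to A and the blocked port to the B-C segment, which is the effect the configuration example later in this chapter shows on the bridge id and root id lines.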
BPDUs contain three timer values (Hello, Forward delay, Max age). These timers influence the performance of the entire spanning tree and have the following functions.
Hello time: This is the hello message sending period. This time value determines how often the root switch broadcasts the BPDU message to other switches.
Forward delay: This time value determines how long the listening state and the learning state are maintained. The listening state changes to the learning state when the forward delay time passes, and the learning state changes to the forwarding state when the forward delay time passes again. This time prevents a port from entering the forwarding state before the changed topology information has spread sufficiently through the spanning tree, which would create a loop.
Max age: This is the aging time (effective time) of a BPDU. This time determines how long the switch keeps a BPDU. The BPDU is discarded when the max age time has passed.
Port States
STP sets a port on a network to one of the following five states:
Blocking state: No frame is sent. This is the default state of a port at which STP is enabled.
Listening state: This is the first state that is passed through when moving from the blocking state to the forwarding state.
Learning state: The port learns MAC addresses, but frames received in this state are still discarded.
Forwarding state: Frames are sent and received through the port.
Disabled state: The port does not participate in the spanning tree.
[Figure: state transitions among the Blocking, Listening, Learning, Forwarding, and Disabled states]
The port at which STP is enabled always starts in the blocking state. The STP enabled switch assumes that it
is the root switch when it is initialized and sends BPDU to devices connected through every port. The port in
the blocking state discards all frames except BPDU. The ports receiving BPDU change to the listening state.
Ports in the listening state exchange BPDUs with other devices to determine the root switch and perform other tasks. A listening port changes to the learning state when the forward delay time passes.
The port in the learning state learns the MAC address to send frames. Then, it changes to the forwarding
state when the forward delay time passes. The frames received up until the port changes to the forwarding
state are all discarded, and the frames received after the change are sent through the port.
Disabled ports do not participate in the spanning tree; the ports do not work, their links are not connected,
and the STP is disabled. Ports in this state do not send or receive BPDU, and also do not send frames.
Selecting Route
STP uses the spanning tree algorithm to decide which switch is used to send packets. The spanning tree algorithm calculates the best loop-free route through the network based on the port roles in the actual topology.
When two interfaces of a switch form a loop, the algorithm determines which interface will be in the forwarding state and which in the blocking state depending on the port priority and route cost. The port priority indicates the location of the interface on the network (how suitable the location is for traffic forwarding), and the route cost indicates the media speed of the interface.
The spanning tree puts the extra routes that are not used into the standby, or blocking, state. When a specific network segment of the spanning tree stops working (disconnected link) or an extra route exists, the spanning tree algorithm recalculates the spanning tree topology and changes the extra route from the blocking state to the forwarding state.
RSTP
While STP is enabled and BPDUs are sent across the network, the topology changes continuously in other parts of the network, and it takes a long time for the frequently changed topology to converge into the spanning tree. RSTP (Rapid Spanning-Tree Protocol), which is defined in the IEEE 802.1w standard, improves on this shortcoming of conventional STP and allows for faster convergence.
Because RSTP (802.1w) uses the terminology and most of the parameters of STP (802.1D) as they are, you can set up the new protocol quickly and easily. It is also backward compatible with STP.
The biggest difference between STP and RSTP is the port state transition. In STP, a port reaches the forwarding state in which it can send traffic only after passing through the whole sequence of Blocking->Listening->Learning. RSTP, on the other hand, changes directly from the blocking state to the forwarding state. In this way, RSTP can apply the changed topology to the spanning tree almost immediately.
Port States
RSTP (802.1w) defines three port states: discarding, learning, and forwarding. The learning and forwarding states are identical to those of STP, and the discarding state covers all three STP states disabled, blocking, and listening.
RSTP sets the root and designated ports to the forwarding state, and the alternate and backup ports to the discarding state. An alternate port is a port that has been blocked because it received a BPDU of a higher priority from another device. A backup port is a port that has been blocked because it received a BPDU of a higher priority from another port of the same device. BPDUs are transmitted only from the root port and the designated port.
The following figure illustrates the alternate port and backup port.
[Figure: root switch and switches B, C, and D; designated ports, an alternate port, and a backup port, with the flow of BPDUs]
[Figure Network convergence of STP: switch A sends BPDUs in the listening state to switches B, C, and D]
It is a very innovative way to prevent loops, but the problem is that the forward delay time must pass before switch D can block the port connected to switch C.
RSTP, however, performs the following process to shorten the time during which communication is disconnected. A new link is made between switch A and the root switch. As soon as they are connected, switch A and the root switch can send BPDUs although they cannot yet exchange packets.
[Figure Network convergence of RSTP: a new link is connected between the root switch and switch A; switch A and the root switch negotiate while traffic is blocked; switches B, C, and D]
The root switch and switch A negotiate through BPDUs. To turn the link between the root switch and switch A into the forwarding state, the non-edge designated ports of switch A are changed to the blocking state. Although switch A is connected with the root switch, no loop is generated because the connections of switch A with switches B and C are blocked.
In this state, as shown in the following figure, the BPDUs of the root switch are sent to switches B and C through switch A. To turn the ports of switch A into the forwarding state, there is a negotiation between switch A and switch B and between switch A and switch C.
[Figure Network convergence of RSTP: the link between the root switch and switch A is in the forwarding state; switches B, C, and D]
Switch B only has an edge designated port. Because the edge designated port does not generate loops, it can
be changed to the forwarding state in RSTP. Therefore, to change switch A to a forwarding state, switch B has
no specific port to change to a blocking state.
However, because switch C has a port that is connected to switch D, you must set this port to a blocking
state in order to change switch A to a forwarding state.
[Figure Network convergence of RSTP: the links between the root switch, switch A, switch B, and switch C are in the forwarding state]
As a result, it is the same as when STP blocks the connection between switches D and C. However, RSTP does not use the timer values set by the user (Hello time, Forward delay time, Max aging time) when negotiating with other devices to put a specific port into the forwarding state. Furthermore, it does not go through the listening and learning processes when a port is changed to the forwarding state. Therefore, the network convergence time can be dramatically shortened.
PVST+/RPVST+/MSTP
TiFRONT supports PVST+ (Per VLAN Spanning Tree Plus), RPVST+ (Rapid Per VLAN Spanning Tree Plus), and MSTP (Multiple Spanning Tree Protocol), which allow STP to be configured per VLAN or per VLAN group by introducing the VLAN concept, a logical division of the existing LAN domain, for efficient network operation.
Whereas the existing STP prevents loops in one LAN domain, PVST+ (Per VLAN Spanning Tree Plus) improves on it so that STP can be configured per VLAN, with routes set in line with the VLAN environment. In PVST+, only one VLAN can be specified for each instance, and one STP runs for each instance. If a network has six VLANs with the VLAN IDs 10, 20, 30, 40, 50, and 60, there will be six STPs because one STP runs for each VLAN.
One weakness of PVST+ is that convergence is slow and the hardware load increases if there are many VLANs. RPVST+ (Rapid Per VLAN Spanning Tree Plus) and MSTP (Multiple Spanning Tree Protocol) improve on this weakness.
RPVST+ combines the strengths of PVST+ and RSTP: there is an STP running for each VLAN while high-speed convergence is supported. However, as with PVST+, the hardware load increases if there are many VLANs.
MSTP uses high-speed convergence just as RSTP does. MSTP can reduce the number of STPs compared to PVST+ because multiple VLANs can be assigned to one instance and one STP operates for each instance. The instances of MSTP can be integrated into one region. There is no limit to the number of regions that can be set in one network, and up to 64 instances can be set for one region.
Regions used in MSTP are called MST regions, and VLANs are divided into groups by configuration ID. The configuration ID consists of the region name, revision, and VLAN map. Therefore, these three values must be identical for the configuration IDs to be identical.
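Because a mismatch in any of the three values silently splits a region, it helps to see how the configuration ID is actually built and compared. The Python below is an added example, not code from the TiFRONT guide. The guide only states that the region name, revision, and VLAN map must match; the block builds the identifier the way IEEE 802.1s/802.1Q defines it (the VLAN map travels as an HMAC-MD5 digest of the VLAN-to-instance table under the standard signature key, after a format selector, the 32-octet name, and the 2-octet revision). That TiFRONT derives the identifier exactly this way is an assumption. The function names are this example's own; the region data is taken from the configuration example at the end of this chapter (region mst-exam, revision 1, VLANs 2 and 3 in instance 1).

```python
"""MST configuration ID: name, revision and VLAN map must match (added example)."""
import hashlib
import hmac

# Signature key fixed by IEEE 802.1s for the MST configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
MAX_INSTANCE = 63  # instance IDs 1 ~ 63 per the guide; 0 is the IST


def vlan_to_instance_table(vlan_map):
    """vlan_map {instance: [vlan, ...]} -> 4096 two-octet entries indexed by VLAN ID.
    VLANs not listed belong to the IST (instance 0)."""
    table = [0] * 4096
    for instance, vlans in vlan_map.items():
        if not 1 <= instance <= MAX_INSTANCE:
            raise ValueError(f"instance {instance} outside 1 ~ {MAX_INSTANCE}")
        for vlan in vlans:
            if not 1 <= vlan <= 4094:
                raise ValueError(f"VLAN {vlan} outside 1 ~ 4094")
            if table[vlan]:
                raise ValueError(f"VLAN {vlan} mapped to two instances")
            table[vlan] = instance
    return b"".join(entry.to_bytes(2, "big") for entry in table)


def configuration_digest(vlan_map):
    """HMAC-MD5 of the table under the standard key, as a lowercase hex string."""
    return hmac.new(MST_DIGEST_KEY, vlan_to_instance_table(vlan_map), hashlib.md5).hexdigest()


def configuration_id(region_name, revision, vlan_map):
    """Format selector (0) + 32-octet name + 2-octet revision + 16-octet digest."""
    name = region_name.encode("ascii")
    if len(name) > 32:
        raise ValueError("region name longer than 32 characters")
    if not 0 <= revision <= 65535:
        raise ValueError("revision outside 0 ~ 65535")
    return (b"\x00" + name.ljust(32, b"\x00") + revision.to_bytes(2, "big")
            + bytes.fromhex(configuration_digest(vlan_map)))


def same_region(switch_a, switch_b):
    """True when two (name, revision, vlan_map) triples describe one MST region."""
    return configuration_id(*switch_a) == configuration_id(*switch_b)


if __name__ == "__main__":
    # The guide's example: region mst-exam, revision 1, VLANs 2 and 3 in instance 1.
    exam = ("mst-exam", 1, {1: [2, 3]})
    print("digest:", configuration_digest(exam[2]))
    print("default digest (all VLANs in IST):", configuration_digest({}))
    print("same region as a peer with revision 2?", same_region(exam, ("mst-exam", 2, {1: [2, 3]})))
```

The order in which VLANs are entered does not matter (the table is indexed by VLAN ID), but a different revision, a region name differing only in case, or VLAN 3 moved to instance 2 each produce a different identifier, and the peer then treats this switch as belonging to another region.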
The spanning tree running in each region is called the IST (Internal Spanning-Tree), and the spanning tree that results when all spanning trees of the regions are interconnected is called the CST (Common Spanning-Tree). The IST and CST taken together are called the CIST (Common & Internal Spanning-Tree). The following figure illustrates the relationships among the IST, CST, and CIST.
[Figure: the ISTs of several MST regions, joined across region boundaries by the CST]
In an MST region, there are IST instances and MSTIs (Multiple Spanning Tree Instances). An IST instance is a
spanning tree instance that is assigned to an MST region by default and is also called MSTI0 because the ID 0
is assigned. An instance that is additionally assigned to one MST region is called MSTI, and this instance must
contain at least one VLAN.
The spanning tree in an MST region operates in the same way as RSTP. As illustrated in the figure below, if
there are six VLANs with the VLAN IDs 10, 20, 30, 40, 50, and 60, and VLANs 10, 20, and 30 are assigned to
MSTI 1, and VLANs 40, 50, and 60 are assigned to MSTI 2, the spanning tree inside the MST region works as
follows.
First, the switch with the lowest bridge ID is determined as the IST root switch. If the priority is not adjusted, each MSTI uses the same root switch as the IST by default. However, each MSTI can work differently if you adjust the MSTI priority at each switch, as shown below.
[Figure: MSTI priorities per switch. Left: switches A, B, and C all have MSTI1 = 8 and MSTI2 = 8. Right: switch B has MSTI1 = 0 (MSTI1 root switch) and switch C has MSTI2 = 1, while the other priorities stay at 8]
One CIST root switch exists in each CIST region, and one IST root switch exists in each MST region. The switch that has the lowest bridge ID of all switches is selected as the CIST root switch, and the boundary switch that has the lowest route cost to the CIST root switch in each MST region is selected as the IST root switch. The boundary switch is the switch that receives BPDUs from another region outside the MST region, and the boundary port is the port that receives those BPDUs.
All the boundary ports of the MST region containing the CIST root switch are selected as designated ports and enter the forwarding state. The IST root switch of the MST region containing the CIST root switch is the CIST root switch itself.
On the boundary switch selected as the IST root switch, one of the boundary ports is selected as the root port, and the other boundary ports are changed to the blocking state. In addition, the boundary ports of all switches except the IST root switch are selected as designated or alternate ports.
[Figure: MST Region 1, Region 2, and Region 3 (switches 1 to 9), the CIST root switch, the IST root switches, and the boundary link route costs (10 and 20)]
If the route costs are as shown in the above figure, switch 1 has the lowest bridge ID, and the lower the number of the switch, the lower its bridge ID. The root switch selection and port state changing process are as follows:
1. Switch 1 is selected as the root switch of the CIST and of MST Region 1, and every boundary port of MST Region 1 becomes a forwarding state port.
2. Switches 4 and 7, which have the lowest BID in their MST regions, are selected as the IST root switches of MST Region 2 and MST Region 3, respectively. When the IST root switch is selected in each MST region, the non-designated port of the switch having the highest bridge ID in the MST region changes to the blocking state, as with STP.
3. Lastly, among the boundary ports of each IST root switch, the port having the lowest route cost to the CIST root switch is selected as the root port, and all the other boundary ports are changed to the blocking state.
Description: Enable or disable spanning tree.
Description: Set the bridge priority of the TiFRONT.
<0-61440>: Setting range: 0 ~ 61440. (Default value: 32768)
Note: You can set the following values for the bridge priority:
0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440
The default route cost of a port depends on its speed:
Speed       STP      RSTP/RPVST+/MSTP
10 Mbps     100      2,000,000
100 Mbps    19       200,000
1000 Mbps            20,000
To set the route cost of a port, run the following command in <Interface Configuration Mode>.
Description: Set a route cost for a port.
<1-200000000>: Setting range: 1 ~ 200,000,000
Description: Set the priority of a port.
<0-240>: Setting range: 0 ~ 240. (Default value: 128)
Note: You can set the following values for the port priority:
0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, 240
Description: Set an edge port.
Caution: You must take care when doing this because a loop can be generated if you set an edge port incorrectly.
Note: To delete an edge port, run the command no spanning-tree portfast in <Interface Configuration Mode>.
Description: Set the default value of the BPDU filter to enabled. The initial default value of the BPDU filter is disabled.
Note: To set the default value of the BPDU filter to disabled, run the command no spanning-tree portfast bpdu-filter in <Interface Configuration Mode>.
To set the BPDU Filter state of a port, run the following command in <Interface Configuration Mode>.
Description: Set the BPDU filter state of a port. (Default: default)
default: Set the state of the BPDU filter to the default value. The default is only applied when the port is set as an edge port.
disable: Disable the BPDU Filter.
enable: Enable the BPDU Filter.
Note: The default state is applicable only for an edge port. If it is not an edge port, the BPDU filter is disabled even if the default is enabled.
Description: Set the default value of the BPDU guard to enabled. The initial default value of the BPDU guard is disabled.
Note: To set the default value of the BPDU Guard to disabled, run the command no spanning-tree portfast bpdu-guard in <Interface Configuration Mode>.
To set the BP BPDU Guard state for a port, run the following command in <Interface Configuration Mode>.
Description: Set the BPDU Guard state for a port. (Default: default)
default: Set the state of the BPDU Guard to the default value.
disable: Disable the BPDU Guard.
enable: Enable the BPDU Guard.
Note: The default state is applicable only for an edge port. If it is not an edge port, the BPDU Guard is disabled even if the default is enabled.
Description: Enable the Root Guard function. (Default: disable)
Note: To disable Root Guard, run the command no spanning-tree guard root in <Interface Configuration Mode>.
Description: Set the hello time.
<1-10>: Setting range: 1 ~ 10 (sec). (Default value: 2 sec)
Note: To delete the hello time setting, run the command no spanning-tree hello-time in <Configuration Mode>.
Description: Set the forward delay time.
<4-30>: Setting range: 4 ~ 30 (sec). (Default value: 15 sec)
Note: To delete the forward delay time setting, run the command no spanning-tree forward-time in <Configuration Mode>.
Description: Set the maximum aging time of BPDU packets.
<6-40>: Setting range: 6 ~ 40 (sec). (Default value: 20 sec)
Note: To delete the maximum aging time setting, run the command no spanning-tree max-age in <Configuration Mode>.
Note: To set the maximum aging time, you must enter a hello time and a forward delay time that satisfy the following formulas:
Maximum aging time >= (Hello time + 1) * 2
Maximum aging time <= (Forward delay time - 1) * 2
For example, if the maximum aging time is 6, you can set only 1 or 2 for the hello time. If the maximum aging time is 10, you must set the forward delay time to 6 or a higher value.
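Checking the two formulas together with the CLI setting ranges before applying a timer change avoids a rejected command or, worse, a timer set that lets a port forward before topology information has spread. The Python below is an added example, not code from the TiFRONT guide; it applies the two formulas and the ranges quoted above and reproduces the guide's two worked cases. The function names (timer_problems, allowed_hello_times, min_forward_delay) are this example's own.

```python
"""Consistency check for hello time, forward delay and max age (added example)."""

HELLO_RANGE = (1, 10)          # sec, default 2 (spanning-tree hello-time)
FORWARD_DELAY_RANGE = (4, 30)  # sec, default 15 (spanning-tree forward-time)
MAX_AGE_RANGE = (6, 40)        # sec, default 20 (spanning-tree max-age)


def _in_range(value, bounds):
    return bounds[0] <= value <= bounds[1]


def timer_problems(hello, forward_delay, max_age):
    """Return the list of violated conditions; an empty list means the triple is accepted."""
    problems = []
    if not _in_range(hello, HELLO_RANGE):
        problems.append("hello time outside 1 ~ 10")
    if not _in_range(forward_delay, FORWARD_DELAY_RANGE):
        problems.append("forward delay outside 4 ~ 30")
    if not _in_range(max_age, MAX_AGE_RANGE):
        problems.append("max age outside 6 ~ 40")
    # The guide's two formulas: a BPDU must outlive two hello periods, and the
    # listening plus learning phases must outlast the max age.
    if max_age < (hello + 1) * 2:
        problems.append("max age < (hello time + 1) * 2")
    if max_age > (forward_delay - 1) * 2:
        problems.append("max age > (forward delay - 1) * 2")
    return problems


def timers_valid(hello, forward_delay, max_age):
    return not timer_problems(hello, forward_delay, max_age)


def allowed_hello_times(max_age):
    """Hello times that satisfy max age >= (hello + 1) * 2 for the given max age."""
    return [h for h in range(HELLO_RANGE[0], HELLO_RANGE[1] + 1) if (h + 1) * 2 <= max_age]


def min_forward_delay(max_age):
    """Smallest forward delay with (forward delay - 1) * 2 >= max age, or None."""
    for fd in range(FORWARD_DELAY_RANGE[0], FORWARD_DELAY_RANGE[1] + 1):
        if (fd - 1) * 2 >= max_age:
            return fd
    return None


if __name__ == "__main__":
    print("defaults (2, 15, 20):", timer_problems(2, 15, 20))
    print("guide example (1, 20, 10):", timer_problems(1, 20, 10))
    print("hello times allowed for max age 6:", allowed_hello_times(6))
    print("minimum forward delay for max age 10:", min_forward_delay(10))
```

The configuration example at the end of this chapter sets hello time 1, forward delay 20, and max age 10; timer_problems(1, 20, 10) returns an empty list, so that combination satisfies both formulas.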
Description: Set the hop count of BPDUs in MSTP.
<1-40>: Setting range: 1 ~ 40. (Default value: 20)
Note: If you don't want to set the hop count of BPDUs in MSTP, run the command no spanning-tree max-hops in <Configuration Mode>.
Command: spanning-tree mst configuration
Description: Enter the <MSTP configuration mode> from the <Configuration mode>.
Command: region <REGION_NAME>
Description: Specify the region name.
Command: revision <0-65535>
Description: Specify a revision number. All switches within the same MST boundary are set to the
Note: To delete the MST region, run the no region command in <MSTP Configuration Mode>.
Instance Setting
To set PVST+/RPVST+/MSTP in TiFRONT, you must first set a VLAN as one instance.
Command: instance <1-63> vlan <2-4094>
Description: Configure a VLAN map by setting a VLAN to be included in an instance.
<1-63>: Instance ID. Setting range: 1 ~ 63
After specifying the VLAN to be included in an MSTP instance, you must include the ports that belong to the VLAN in the MSTP instance. To include a port in the MSTP instance, run the following commands in <Interface Configuration Mode>.
1. Command: spanning-tree instance <1-63>
Description: Include a port in an instance.
<1-63>: Instance ID. Setting range: 1 ~ 63
2. (Optional) Set the route cost of the port for the instance.
<1-200000000>: Setting range: 1 ~ 200,000,000
3. (Optional) Set the priority of the port for the instance.
<0-240>: Setting range: 0 ~ 240. (Default value: 128)
Note: You can set the following values for the port priority:
0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, 240
To set the priority of an MSTP instance, run the following command in <Configuration Mode>.
Description: Set the priority of an instance.
<1-63>: Instance ID. Setting range: 1 ~ 63
Note: You can set the following values for the instance priority:
0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440
Description: Create an instance and set a VLAN to be included in the instance.
<2-4094>: VLAN ID. Setting range: 2 ~ 4094
To set the priority of a PVST+/RPVST+ instance, run the following command in <Configuration Mode>.
Description: Set the priority of an instance.
<0-61440>: Instance priority. Setting range: 0 ~ 61440. (Default value: 32768)
Note: You can set the following values for the instance priority:
0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440
After specifying the VLAN to be included in an instance, you must also include the ports that belong to the VLAN in the PVST+/RPVST+ instance. To include a port in the PVST+/RPVST+ instance, run the following commands in <Interface Configuration Mode>.
1. Include the port in the instance.
2. (Optional) Set the route cost of the port for the instance.
<1-200000000>: Setting range: 1 ~ 200,000,000
3. (Optional) Set the priority of the port for the instance.
<0-240>: Setting range: 0 ~ 240. (Default value: 128)
Note: You can set the following values for the port priority:
0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, 240
Description: Change the spanning tree operation mode of a port.
<0-3>: Setting range: 0 ~ 3 (0: STP, 1: Not set, 2: RSTP, 3: MSTP)
Note: The operation modes that a port can be changed to are limited as follows, depending on its current mode.
- STP: Cannot be changed to RSTP or MSTP
- RSTP: Cannot be changed to MSTP
- MSTP: No limit
Configuration Example
In this example, STP is enabled and the priority of the device is changed. As the priority is changed, the switch becomes the root switch, and the port states change as well.
instance name : default instance(0)
protocol(1d) : enabled
ageing time : 300 (sec)
bridge id : 0000-0006c4720229 ( priority : 0 )
root id : 0000-0006c4720229
root port --/ path cost 0
forward delay 15 (sec) / bridge forward delay 15 (sec)
hello time 2 (sec) / bridge hello time 2 (sec)
max age 20 (sec) / bridge max age 20 (sec)
current hello timer remaining - 1 (sec)
current tcn timer remaining - 0 (sec)
current topology change timer remaining - 0 (sec)
ge1: portid 8005 - path cost 200000 - desig-path cost 0 - forwarding
ge2: portid 8006 - path cost 200000 - desig-path cost 0 - forwarding
In the following example, the port priority is changed and the settings are queried.
root id : 8000-0006c4720203
root port --/ path cost 0
forward delay 15 (sec) / bridge forward delay 15 (sec)
hello time 2 (sec) / bridge hello time 2 (sec)
max age 20 (sec) / bridge max age 20 (sec)
current hello timer remaining - 1 (sec)
current tcn timer remaining - 0 (sec)
current topology change timer remaining - 0 (sec)
ge1: portid 8005 - path cost 200000 - desig-path cost 0 - forwarding
ge2: portid 6 - path cost 200000 - desig-path cost 0 - forwarding
In the following example, the route cost is changed and settings are queried.
0 - blocked
0 - forwarding
In the following example, the Hello time, Forward delay time, and Maximum aging time are set.
instance name : default instance(0)
protocol(1d) : enabled
ageing time : 15 (sec)
bridge id : 8000-0006c4720203 ( priority : 32768 )
root id : 8000-0006c4720203
root port --/ path cost 0
forward delay 20 (sec) / bridge forward delay 20 (sec)
hello time 1 (sec) / bridge hello time 1 (sec)
max age 10 (sec) / bridge max age 10 (sec)
current hello timer remaining - 0 (sec)
current tcn timer remaining - 0 (sec)
current topology change timer remaining - 0 (sec)
ge1: portid 8005 - path cost 200000 - desig-path cost 0 - forwarding
ge2: portid 6 - path cost 200000 - desig-path cost 0 - forwarding
Set a VLAN
access vlan 2
access vlan 2
access vlan 3
access vlan 3
name : CIST
protocol(1s) : enabled
cist bridge id : 8000-0006c4440207 ( priority : 32768 )
region root id : 8000-0006c4440207
cist root id : 8000-0006c4440207
cist root port --/ external path cost 0
forward delay 15 (sec) / bridge forward delay 15 (sec)
hello time 2 (sec) / bridge hello time 2 (sec)
max age 20 (sec) / bridge max age 20 (sec)
max hops 20
(config)# spanning-tree mst configuration
Enter <MSTP configuration mode>
(config-mst)# region mst-exam
Set the region name
(config-mst)# revision 1
Set the revision number to 1.
(config-mst)# instance 1 vlan 2
Add a VLAN with the ID of 2 in instance 1
(config-mst)# instance 1 vlan 3
Add a VLAN with the ID of 3 in instance 1
(config-mst)# exit
TiFRONT(config)# interface ge1
TiFRONT(config-if-ge1)# spanning-tree instance 1
TiFRONT(config-if-ge1)# exit
TiFRONT(config)# interface ge2
TiFRONT(config-if-ge2)# spanning-tree instance 1
TiFRONT(config-if-ge2)# exit
TiFRONT(config)# interface ge3
TiFRONT(config-if-ge3)# spanning-tree instance 1
TiFRONT(config-if-ge3)# exit
TiFRONT(config)# interface ge4
TiFRONT(config-if-ge4)# spanning-tree instance 1
TiFRONT(config-if-ge4)# exit
Set priority to 0.
name : CIST
protocol(1s) : enabled
cist bridge id : 8000-0006c4440207 ( priority : 32768 )
region root id : 8000-0006c4440207
cist root id : 8000-0006c4440207
cist root port --/ external path cost 0
forward delay 15 (sec)
/ bridge forward delay 15 (sec)
hello time 2 (sec)
/ bridge hello time 2 (sec)
max age 20 (sec)
/ bridge max age 20 (sec)
max hops 20
Instance 1: Vlans: 2-3
MSTI Root Path Cost 0 - MSTI Root Port (0) - MSTI Bridge Priority 0
MSTI Root Id 00010006c4440207
MSTI Bridge Id 00010006c4440207
178
TiFRONT User Guide
Chapter 9
Routing Protocol Configuration
This chapter introduces the routing protocols RIP (Routing Information Protocol), OSPF (Open Shortest Path
First), and BGP (Border Gateway Protocol), and describes the procedure for setting each routing protocol for
TiFRONT.
This chapter is composed of the following contents:
L3 License Registration
Filter Setting
Route Map Setting
RIP Overview and Setting
OSPF Overview and Setting
BGP Overview and Setting
Note: The routing protocol is supported only for the TiFRONT-G24/G24P/GX24M/GX24P models.
L3 License Registration
This section describes the procedures for registering a license to use the routing protocol function in CLI and
for enabling the dynamic routing function.
Description
Register the L3 license in the system.
<LICENSE>
License received at the time of purchase
Note: You cannot use the routing protocol unless the L3 license is registered. When you run the command for enabling this function, the following
message appears:
% This switch doesn't have the layer 3 License.
Note: The L3 license is available only for the TiFRONT-G24/G24P/GX24M/GX24P models that support the routing protocol.
Note: For detailed information on the issuance of an L3 license, please contact the product seller or the PIOLINK Technical Assistance Team (+82-1544-9890).
Caution: As the L3 license key is generated using the device's serial number, the license cannot be registered for other devices.
Description
Enable the routing function.
Note: To disable the routing function, run the command no ip forwarding in <Configuration Mode>.
Note: If you disable the routing function, the static routing function through a fixed route setting is disabled as well.
Note: If you run the command for enabling the routing protocol without enabling the routing function, the following message will appear:
% Should be set "ip forwarding" for using L3-related CLI commands.
180
TiFRONT User Guide
Filter Setting
The routing protocol uses access lists and prefix lists to block unnecessary routing information. The access
list uses the protocol, source/destination IP addresses, and source/destination port numbers as conditions
for comparing packets. The prefix list uses only IP address and subnet mask as the conditions for comparing
packets. This section describes the procedures for setting the prefix list. For information about the access
list setting, see [Chapter 12 Security Settings ACL (Access Control List) - ACL Setting - Access List Setting]
in this Guide.
Description
Add a prefix list.
ip prefix-list <WORD> [seq <1-4294967295>] {deny | permit} {<A.B.C.D/M> [ge <0-32> | le <0-32>] | any}
<WORD>
Specify the name of the prefix list.
<1-4294967295>
Sequential number of the rule. If not specified, it starts from 5
and increases by 5 according to the setting sequence. Setting
range: 1 ~ 4294967295
deny | permit
(Optional) Enter a description for the prefix list.
ip prefix-list <WORD> description <LINE>
<WORD>
Name of the prefix list for which to enter a description.
<LINE>
You can enter up to 80 characters composed of letters, numbers,
and special characters.
Note: To delete a prefix list, run the command no ip prefix-list <WORD> [seq <1-4294967295>] {deny | permit} {<A.B.C.D/M> [ge
<0-32> | le <0-32>] | any} in <Configuration mode>.
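As an added illustration of the prefix-list semantics above (example code, not part of the guide or of PLOS), the following Python evaluates rules written in the command syntax shown, including the automatic seq numbering, the ge/le length bounds and the implicit deny when no rule matches; the list names and prefixes are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Command syntax described above (added example, not PLOS code):
# ip prefix-list <WORD> [seq <1-4294967295>] {deny | permit} {<A.B.C.D/M> [ge <0-32> | le <0-32>] | any}
RULE_RE = re.compile(
    r"^ip prefix-list (?P<name>\S+)(?: seq (?P<seq>\d+))? (?P<action>deny|permit) "
    r"(?:(?P<net>\d+\.\d+\.\d+\.\d+/\d+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?|(?P<any>any))$"
)


@dataclass
class Rule:
    seq: int
    action: str
    net: Optional[ipaddress.IPv4Network]  # None stands for the keyword 'any'
    ge: Optional[int]
    le: Optional[int]

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        if self.net is None:
            return True
        if not route.subnet_of(self.net):      # the route must lie inside <A.B.C.D/M>
            return False
        lo = hi = self.net.prefixlen           # no ge/le: only the exact length /M matches
        if self.ge is not None:
            lo, hi = self.ge, 32               # ge alone: lengths ge .. 32
        if self.le is not None:
            hi = self.le                       # le: upper bound le (lower bound stays M or ge)
        return lo <= route.prefixlen <= hi


class PrefixLists:
    """Named prefix lists with the seq assignment rule described in the table above."""

    def __init__(self) -> None:
        self.lists: Dict[str, List[Rule]] = {}

    def add(self, line: str) -> Rule:
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised prefix-list command: {line!r}")
        rules = self.lists.setdefault(m["name"], [])
        if m["seq"] is not None:
            seq = int(m["seq"])
            if not 1 <= seq <= 4294967295:
                raise ValueError("seq must be within 1-4294967295")
        else:
            # seq omitted: the first rule gets 5, later ones the next multiple of 5 above the highest seq
            seq = (max(r.seq for r in rules) // 5 + 1) * 5 if rules else 5
        net = ge = le = None
        if m["any"] is None:
            net = ipaddress.IPv4Network(m["net"], strict=False)
            ge = int(m["ge"]) if m["ge"] is not None else None
            le = int(m["le"]) if m["le"] is not None else None
            for bound in (ge, le):
                if bound is not None and not 0 <= bound <= 32:
                    raise ValueError("ge/le must be within 0-32")
            if ge is not None and le is not None and ge > le:
                raise ValueError("ge must not exceed le")
        rule = Rule(seq, m["action"], net, ge, le)
        # a rule with the same seq replaces the old one; rules are kept in ascending seq order
        rules[:] = sorted([r for r in rules if r.seq != seq] + [rule], key=lambda r: r.seq)
        return rule

    def evaluate(self, name: str, prefix: str) -> str:
        """First matching rule in seq order decides; no match (or an unknown list) is an implicit deny."""
        route = ipaddress.IPv4Network(prefix, strict=False)
        for rule in self.lists.get(name, []):
            if rule.matches(route):
                return rule.action
        return "deny"


def build_sample() -> PrefixLists:
    """Constructed sample: keep private space and routes longer than /24 out of the routing protocol."""
    pl = PrefixLists()
    pl.add("ip prefix-list NO-BOGON seq 5 deny 10.0.0.0/8 le 32")   # any length within 10/8
    pl.add("ip prefix-list NO-BOGON deny 0.0.0.0/0 ge 25")          # gets seq 10: /25 and longer
    pl.add("ip prefix-list NO-BOGON permit any")                    # gets seq 15: everything else
    pl.add("ip prefix-list EXACT permit 192.0.2.0/24")              # without ge/le only /24 matches
    return pl


if __name__ == "__main__":
    pl = build_sample()
    for name, prefix in [("NO-BOGON", "10.1.2.0/24"), ("NO-BOGON", "203.0.113.0/24"),
                         ("NO-BOGON", "203.0.113.128/25"), ("EXACT", "192.0.2.0/25")]:
        print(f"{name} {prefix}: {pl.evaluate(name, prefix)}")
```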
Description
Create a route map and enter the <Route map configuration mode>.
<WORD>
Specify the name of the route map.
deny | permit
Specify the policy of the route map rule. deny: blocked, permit:
allowed
<1-65535>
Sequential number of the route map rule. The route map rule
performs inspection in the ascending order of the sequence
number. Setting range: 1 ~ 65535
Note: To delete the route map, run the command no route-map <WORD> [{deny | permit} <1-65535>] in <Configuration Mode>.
Description
Set the AS path as a comparing condition.
<WORD>
Name of the as-path list for which the AS path is set.
Set the BGP community list as a comparing condition.
<1-99>
Standard community list number. Setting range: 1 ~ 99
<100-199>
Extended community list number. Setting range: 100 ~ 199
<WORD>
Name of community list.
exact-match
List of communities that match exactly
Set the external community of BGP as a comparing condition.
<1-99>
exact-match
List of communities that match exactly
Set a specific interface as a comparing condition.
match interface <IFNAME>
<IFNAME>
Name of interface
Set a specific IP address as a comparing condition. To use this
command, the access list or prefix list for the IP address must
be defined.
match ip next-hop {<1-199> | <1300-2699> | <WORD>}
<1-199>
Access list number. Setting range: 1 ~ 199
<1300-2699>
Extended access list number. Setting range: 1300 ~ 2699
<WORD>
Access list name.
Set a specific metric as a comparing condition.
<0-4294967295>
Metric. Setting range: 0 ~ 4294967295
Set the BGP origin property as a comparing condition.
egp
BGP information created from an external routing protocol
igp
BGP information created from an internal routing protocol
match route-type external {type-1 | type-2}
Set the external route type as a comparing condition.
type-1
The sum of external and internal costs is used for route cost.
type-2
<0-4294967295>
Tag number. Setting range: 0 ~ 4294967295
Note: Each comparing condition can be deleted by running the no <command for comparing the condition to be deleted> in <Route
Map setting mode>.
Description
Set the AS number for a router ID of BGP.
<1-4294967295>
Set an AS number.
<A.B.C.D>
Router ID for which to set the AS number
Add an AS to an AS path.
<1-4294967295>
Set the AS number to add.
set atomic-aggregate
Set the atomic-aggregate attribute. This attribute
Setting range: 1 ~ 99
<100-199>
Extended community list number.
Setting range: 100 ~ 199
<WORD>
Community name
Set a community value.
set community {<1-65535> | <AA:NN> | internet | local-AS | no-advertise | no-export}
<1-65535>
Set the community value as a decimal number. Setting range: 1 ~ 65535
<AA:NN>
Specify the community value as AS number: random number.
internet
Set the community value as internet.
local-AS
Do not send the routing information to another sub AS in the confederation.
no-advertise
Do not send the routing information to BGP neighbor.
no-export
soo
Specify SOO (Site of Origin) to prevent routing loop.
<AA:NN>
Specify the community value as AS number: random
number.
Set the next hop.
set ip next-hop <A.B.C.D> [interface <IFNAME>] [primary | secondary]
<A.B.C.D>
IP address of next hop
<IFNAME>
Name of interface connected to the next hop
primary
Specify the next hop as primary next hop.
secondary
Specify the next hop as secondary next hop.
Set the BGP local preference value.
<0-4294967295>
Setting range: 0 ~ 4294967295
Change the metric.
<+/-><0-4294967295>
Indicate an increase or decrease of the metric with + or -, and enter the amount by which the metric is increased or decreased.
Setting range: 0 ~ 4294967295
Set the BGP origin attribute.
egp
BGP information created from an external routing protocol
igp
BGP information created from an internal routing protocol
incomplete
Information of BGP that is not EGP or IGP
Set a router ID where the routing information is included in BGP.
set originator-id <A.B.C.D>
<A.B.C.D>
Set the router ID in IP address format.
Set a tag for routing information.
<0-4294967295>
Setting range: 0 ~ 4294967295
Set the weight of route information. This weight is only
Note: Each attribute described above can be deleted by running the no <command for setting the attribute to be deleted> in
<Route Map setting mode>.
RIP Overview
RIP is an interior gateway protocol (IGP) designed to be used in a small-scale network. An IGP is a dynamic
routing protocol that exchanges routing information within an autonomous system (AS). An AS is a group of
networks to which the same routing and administration policies are applied. A corporate intranet consisting
of multiple networks to which the same policies apply is an example of an AS. Exterior gateway protocols for
exchanging routing information between ASs include BGP.
RIP selects the shortest route using the distance-vector algorithm when there are multiple routes to the
destination in the routing table. The distance-vector algorithm selects the route that has the shortest
distance (or cost) to the next hop and the final destination as the optimum route. This method is
advantageous because it is easy to configure and uses a small amount of memory.
Metric
In RIP, the number of hops to the destination is regarded as the path distance and is expressed as a metric. By
default, the metric of a route is set to 1. The network administrator can change the metric according to the
route state, physical speed, etc. RIP selects the route that has the smallest metric when choosing the best
route to a destination. Therefore, a lower metric value must be set for a route that has a better state or faster
speed.
Restriction of Metric
RIP restricts the metric value to 15 or lower and regards a path with a metric of 16 as unreachable.
When the metric becomes 16, RIP determines that the route can no longer be used, and the route is no longer
advertised to neighbor routers. Because of this restriction of the metric, RIP is mainly used within a single AS.
RIP Timers
RIP uses the following timers to periodically send routing update packets and identify invalid routing
information.
Timer
Functions
Update timer
This timer indicates when the router sends its routing update packets. Whenever the time set in this timer passes, the routing update packet is sent to neighbor routers. (Default: 30 sec)
Timeout timer
This timer indicates whether or not a neighbor router is still valid. If no routing update packet is received from a neighbor router for the time set in this timer, that router is determined to be abnormal and the routing information received from that router is treated as invalid (its metric value is changed to 16). (Default: 180 sec)
Collect timer
This timer determines when to delete invalid routing information. Before the time set in this timer has passed, even invalid routing information is sent to neighbor routers through routing update packets. After the time set in this timer passes, the invalid routing information is removed from the routing table. (Default: 120 sec)
Let us take an example network illustrated above in which router A is directly connected to the network
10.1.1.0. Router B is connected to the network 10.1.1.0 through router A, and router C is connected to the
network 10.1.1.0 through router B and router A.
Let us assume that the link connecting router A and network 10.1.1.0 is disconnected. Upon detecting the
disconnection, router A removes the route to network 10.1.1.0 from its routing table because it can no
longer reach that network through the direct route. However, router B does not know this yet and sends
its routing table to router A in a routing update message. Router A finds in the table sent by router B a
route entry for 10.1.1.0, which it no longer has, increases its metric value, and adds it to its own routing
table. Then router B, in turn, increases the metric value of the route entry for network 10.1.1.0 sent from
router C, adds it to its routing table, and sends it to router A again. If this continues, even though it is
actually impossible to reach network 10.1.1.0, the route entry for this network is continuously updated in
the routing table of each router while its metric value keeps increasing. In the end, the metric value of the
route entry for network 10.1.1.0 must increase to 16 before it becomes an invalid route entry and the
destination is treated as unreachable.
This phenomenon is called a routing loop, and it is resolved only when the metric value of the route entry
reaches 16. One method that solves the routing loop without waiting for the metric value to reach 16 is
split horizon. With split horizon, a router does not advertise a route back to the router from which it
learned that route. If this method is applied to the above network, because the information about network
10.1.1.0 was sent to router B by router A, router B excludes the route entry for network 10.1.1.0 from the
information that it sends to router A.
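The count-to-infinity loop and the split-horizon fix described above, as an added simulation (not from the guide): routers A, B and C exchange hop-count metrics in synchronous rounds, a withdrawn route is modelled simply as absent from the table, and a metric of 16 is treated as unreachable.

```python
from typing import Dict, List, Optional, Tuple

INFINITY = 16            # RIP treats metric 16 as unreachable
DEST = "10.1.1.0"        # the network from the text, directly attached to router A
LINKS = {"A": ["B"], "B": ["A", "C"], "C": ["B"]}   # the chain A - B - C from the text

# routing table: destination -> (metric, next hop); next hop None means directly connected
Table = Dict[str, Tuple[int, Optional[str]]]


def advertisement(table: Table, to: str, split_horizon: bool) -> Dict[str, int]:
    """Routes one router includes in the update it sends to neighbour 'to'."""
    return {dest: metric for dest, (metric, nh) in table.items()
            if not (split_horizon and nh == to)}   # split horizon: never back to the source


def update_round(tables: Dict[str, Table], direct: Dict[str, Dict[str, int]],
                 split_horizon: bool) -> Tuple[Dict[str, Table], bool]:
    """One synchronous exchange: all routers advertise their current tables, then recompute."""
    advs = {(src, to): advertisement(tables[src], to, split_horizon)
            for src in LINKS for to in LINKS[src]}
    new_tables: Dict[str, Table] = {}
    for router in LINKS:
        table: Table = {d: (m, None) for d, m in direct[router].items()}
        for nbr in LINKS[router]:
            for dest, metric in advs[(nbr, router)].items():
                cand = metric + 1                      # distance vector: neighbour's metric + 1 hop
                if cand >= INFINITY:
                    continue                           # 16 = unreachable, nothing to install
                if dest not in table or cand < table[dest][0]:
                    table[dest] = (cand, nbr)
        new_tables[router] = table
    return new_tables, new_tables != tables


def simulate(split_horizon: bool, max_rounds: int = 50) -> Tuple[int, List[Optional[int]]]:
    """Converge on the healthy topology, fail A's link to DEST, then count the rounds until the
    tables stop changing. Returns (rounds, metric router A holds for DEST after each round)."""
    direct: Dict[str, Dict[str, int]] = {"A": {DEST: 1}, "B": {}, "C": {}}
    tables: Dict[str, Table] = {r: {} for r in LINKS}
    for _ in range(max_rounds):
        tables, changed = update_round(tables, direct, split_horizon)
        if not changed:
            break
    direct["A"] = {}                  # link to 10.1.1.0 goes down: A deletes its direct route
    tables["A"].pop(DEST, None)
    history: List[Optional[int]] = []
    rounds = 0
    for _ in range(max_rounds):
        tables, changed = update_round(tables, direct, split_horizon)
        if not changed:
            break
        rounds += 1
        entry = tables["A"].get(DEST)
        history.append(entry[0] if entry else None)
    return rounds, history


if __name__ == "__main__":
    for sh in (False, True):
        rounds, history = simulate(sh)
        print(f"split horizon {'on ' if sh else 'off'}: {rounds} rounds, A's metric per round {history}")
```

Without split horizon the stale route bounces between A, B and C, climbing by two hops every two rounds until it reaches the limit; with split horizon B never hands the route back to A and the network converges in two rounds.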
RIP Versions
The RIP versions supported by TiFRONT are RIPv1 and RIPv2. The differences between these two versions are
shown below.
Item
RIPv1
RIPv2
RFC
RFC1923
RFC2453
Subnet mask
Not supported
Supported
Authentication
Does not support an authentication function
Supports an authentication function
Message format (RTE part)
AFI(2) : Address Family Identifier
Routing update transmission method
Broadcasts routing update messages to the neighbor routers
Multicasts routing update messages to the address 224.0.0.9
When you enable RIP in TiFRONT, RIPv1 is used by default. Because RIPv1 does not support subnet mask,
route information containing a subnet mask cannot be sent through RIPv1. Therefore, you should enable
RIPv2 depending on your network environment.
RIP Settings
The RIP setting process in TiFRONT includes the following steps:
Enabling RIP
To enable RIP in TiFRONT, run the following commands in <Configuration Mode>.
No.
Command
Description
router rip
Note: To disable RIP for the specified network, run the command no router rip in <Configuration Mode>.
Description
Change the values of the RIP routing timers.
timers basic <5-2147483647> <5-2147483647> <5-2147483647>
<5-2147483647>
Update timer. Setting range: 5 ~ 2147483647, Default value: 30 (sec)
<5-2147483647>
Timeout timer. Setting range: 5 ~ 2147483647, Default value: 180 (sec)
<5-2147483647>
Collection timer. Setting range: 5 ~ 2147483647, Default value: 120 (sec)
Note: To delete the changed timer value and restore the default value, run the command no timers basic in <RIP Configuration Mode>.
In TiFRONT, you can change the timer values when necessary due to an adjustment of routing protocol
performance or a change of network environment. Take special care about the following points when
changing the timer values.
Update Timer
Special care must be taken because this timer value can have great influence on network traffic. If this timer
value is too small, the routing update messages can burden the network; if it is too large, accurate routing is
impossible because the reliability of the routing information that the routers have becomes low. You should
use the default value 30 if possible.
Timeout Timer
This timer value must be at least three times as large as the update timer value. In other words, the route entry
must be treated as valid even if it is not updated while routing update messages are sent three times.
Collection Timer
The collection timer value is the waiting time after the timeout timer is updated until the route is deleted.
Therefore, the duration from the moment when an invalid route is detected until it is deleted equals timeout
Description
Set the RIP version. Enter 1 to set version 1 or 2 to set version 2.
Note: Instead of the RIP version set in <RIP Configuration Mode>, you can set the RIP version for each interface. To set the RIP version to be applied
to a specific interface, use the command ip rip send version and ip rip receive version in <Interface Configuration Mode>.
Description
Redistribute routes from the specified source into RIP and send them to neighbor routers.
bgp
connected
isis
kernel
ospf
static
Static route
<0-16>
Initial metric of the redistributed route.
Setting range: 0 ~ 16
<WORD>
Redistributed route map name.
Note: If you don't want to redistribute the routes, run the command no redistribute in <RIP Configuration Mode>. The RIP router does not
redistribute the routes by default.
Description
Generate a default route and send it to other routers in the RIP network.
Note: To disable the default route setting, run the command no default-information originate in <RIP Configuration Mode>.
Description
Set the default metric.
default-metric <1-16>
<1-16>
Setting range: 1 ~ 16
Note: To delete the default metric setting, run the command no default-metric in <RIP Configuration Mode>.
Description
Set a fixed RIP route.
route <A.B.C.D/M>
<A.B.C.D/M>
IP address and net mask bit of the fixed route
Note: To delete the RIP fixed route setting, run the command no route <A.B.C.D/M> in <RIP Configuration Mode>.
Description
Limit the number of RIP routes.
maximum-prefix <1-65535>
<1-65535>
Maximum number of RIP routes
Note: To delete the limitation setting on the number of RIP routes, run the command no maximum-prefix in <RIP Configuration Mode>.
Description
Set a neighbor router.
neighbor <A.B.C.D>
<A.B.C.D>
IP address of the neighbor router
Note: To delete the neighbor router setting, run the command no neighbor <A.B.C.D> in <RIP Configuration Mode>.
Command
Description
key chain <WORD>
Create an authentication key chain and enter <Key Chain Configuration Mode>.
<WORD>
Name of authentication key chain
key <0-2147483647>
Set an authentication key ID and enter <Key Configuration Mode>. The key ID must be identical for every connected device.
<0-2147483647>
Authentication key ID. Setting range: 1 ~ 2147486347
key-string <LINE>
Set an authentication key value. The authentication key
<LINE>
String to be used as key value
accept-lifetime <HH:MM:SS> <1-31> <MONTH> <1993-2035> {<HH:MM:SS> <1-31> <MONTH> <1993-2035> | <1-2147483646> | infinite}
Set the effective period of the received authentication key. Enter the starting date and time of the effective period and then the expiration date.
send-lifetime <HH:MM:SS> <1-31> <MONTH> <1993-2035> {<HH:MM:SS> <1-31> <MONTH> <1993-2035> | <1-2147483646> | infinite}
Set the effective period of the sent authentication key. Enter the starting date and time of the effective period and then the expiration date.
<HH:MM:SS>
Enter the hour, minute, and second.
<1-31>
Enter the day of the month.
<MONTH>
Enter the month.
<1993-2035>
Enter the year.
<1-2147483646>
(Optional) Length of the effective period in seconds.
infinite
(Optional) The key never expires.
Caution: For RIP to work normally, the authentication key IDs and strings of the connected devices must be identical.
Note: To delete an authentication key chain, run the command no key chain <WORD> in <Configuration Mode>.
Note: To delete an authentication key, run the command no key <0-2147483647> in <Key Chain Configuration Mode>.
Note: To delete a key string, run the command no key-string in <Key Configuration Mode>.
Note: To delete an effective period of the accept key, run the command no accept-lifetime in <Key Configuration Mode>.
Note: To delete an effective period of the send key, run the command no send-lifetime in <Key Configuration Mode>.
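An added example (not PIOLINK code) of the key-chain lifetimes described above: constructed keys roll over from ID 1 to ID 2 with overlapping accept windows. It assumes the lowest key ID with an active send-lifetime is used for transmission and that a numeric lifetime end is a duration in seconds.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# <HH:MM:SS> <1-31> <MONTH> <1993-2035> as in the table above, e.g. "00:00:00 15 Jan 2014"
MOMENT_FMT = "%H:%M:%S %d %b %Y"


def parse_moment(text: str) -> datetime:
    moment = datetime.strptime(text, MOMENT_FMT)
    if not 1993 <= moment.year <= 2035:
        raise ValueError("year must be within 1993-2035")
    return moment


@dataclass
class Lifetime:
    start: datetime
    end: Optional[datetime]   # None represents the keyword 'infinite'

    @classmethod
    def parse(cls, start: str, end: str) -> "Lifetime":
        """'end' is an end moment, a duration in seconds (<1-2147483646>, assumed) or 'infinite'."""
        s = parse_moment(start)
        if end == "infinite":
            return cls(s, None)
        if end.isdigit():
            secs = int(end)
            if not 1 <= secs <= 2147483646:
                raise ValueError("duration must be within 1-2147483646")
            return cls(s, s + timedelta(seconds=secs))
        e = parse_moment(end)
        if e <= s:
            raise ValueError("lifetime end must be after its start")
        return cls(s, e)

    def active_at(self, now: datetime) -> bool:
        return self.start <= now and (self.end is None or now < self.end)


@dataclass
class Key:
    key_id: int
    key_string: str
    accept: Lifetime   # accept-lifetime: when updates carrying this key are accepted
    send: Lifetime     # send-lifetime: when this key is used for outgoing updates


class KeyChain:
    def __init__(self, name: str) -> None:
        self.name = name
        self.keys: Dict[int, Key] = {}

    def add(self, key: Key) -> None:
        if not 0 <= key.key_id <= 2147483647:
            raise ValueError("key id must be within 0-2147483647")
        self.keys[key.key_id] = key

    def send_key(self, now: datetime) -> Optional[Key]:
        """Key for outgoing updates: assumed to be the lowest ID whose send-lifetime is active."""
        for key_id in sorted(self.keys):
            if self.keys[key_id].send.active_at(now):
                return self.keys[key_id]
        return None

    def accepts(self, key_id: int, key_string: str, now: datetime) -> bool:
        """A received update passes only if the key ID exists, its accept-lifetime is active
        and the key string matches (constant-time compare), as the Caution above requires."""
        key = self.keys.get(key_id)
        if key is None or not key.accept.active_at(now):
            return False
        return hmac.compare_digest(key.key_string.encode(), key_string.encode())


def build_sample_chain() -> KeyChain:
    """Constructed rollover: key 1 stops being sent on 15 Jan 2014 but stays accepted until
    1 Feb 2014, so neighbours that switch to key 2 a little later are not cut off."""
    chain = KeyChain("rip-keys")
    chain.add(Key(1, "old-rip-secret",
                  accept=Lifetime.parse("00:00:00 1 Jan 2014", "00:00:00 1 Feb 2014"),
                  send=Lifetime.parse("00:00:00 1 Jan 2014", "00:00:00 15 Jan 2014")))
    chain.add(Key(2, "new-rip-secret",
                  accept=Lifetime.parse("00:00:00 10 Jan 2014", "infinite"),
                  send=Lifetime.parse("00:00:00 15 Jan 2014", "infinite")))
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    for day in (datetime(2014, 1, 12), datetime(2014, 1, 20), datetime(2014, 2, 5)):
        key = chain.send_key(day)
        print(day.date(), "send key:", key.key_id if key else None,
              "accepts key 1:", chain.accepts(1, "old-rip-secret", day))
```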
Description
distribute-list {<WORD> | prefix <WORD>} {in | out} [<IFNAME>]
The reception and transmission of RIP routing information satisfying specific conditions are blocked.
<WORD>
Name of access list to be used as filtering condition
prefix <WORD>
Name of prefix-list to be used as filtering condition
in
Incoming routing information is blocked.
out
Outgoing routing information is blocked.
<IFNAME>
Name of interface to apply the filtering rule
passive-interface <IFNAME>
The transmission of routing information through a specific interface is blocked.
<IFNAME>
Name of interface to be blocked from transmission of routing information
offset-list <WORD> {in | out} <0-16> [<IFNAME>]
The metric of RIP routing information satisfying specific conditions is increased.
<WORD>
Name of access list to be used as filtering condition
in
Incoming routing information
out
Outgoing routing information
<0-16>
Metric to be increased. Setting range: 0 ~ 16
<IFNAME>
Name of interface to apply the filtering rule
Note: Before you can set the routing information transmission/reception blocking rules using specific conditions, the access list and prefix list,
which are the filtering conditions, must be defined. For information about the access list setting, see [Chapter 12 Security Settings ACL (Access
Control List) - ACL Setting - Access List Setting] in this guide. For information about the prefix list setting, see [Filter Setting - Prefix List
Setting] section in this chapter.
Note: To delete the routing information exchange blocking rule through specific conditions, run the command no distribute-list {<WORD> |
prefix <WORD>} {in | out} [<IFNAME>] in <RIP Configuration Mode>.
Note: To delete the routing information transmission blocking rule of a specific interface, run the command no passive-interface <IFNAME>
in <Configuration Mode>.
Note: To delete the routing information metric increasing rule, run the command no offset-list <WORD> {in | out} <0-16> [<IFNAME>]
in <RIP Configuration Mode>.
Description
Delete routing information from a RIP routing table.
<A.B.C.D/M>
all
bgp
connected
isis
kernel
ospf
static
Static route
rip
Description
Update the metric in the same way as with CISCO.
Note: To disable the CISCO metric update support setting, run the command cisco-metric-behavior disable or no cisco-metric-behavior in <RIP Configuration Mode>.
Command
Description
Set the RIP version to use for sending packets.
1 2
Note: To use the RIP version set in <RIP Configuration Mode> instead of the RIP version specified at the interface, run the command no ip rip
send version and no ip rip receive version.
Description
ip rip split-horizon [poisoned]
Enable the Split Horizon function.
poisoned
Note: To disable Split Horizon, run the command no ip rip split-horizon in <Interface Configuration Mode>.
Command
Description
Set the RIP authentication mode.
md5
text
Note: You must specify a key chain that has already been created.
For the procedure for setting a key chain, see the [RIP Overview and
Setting - RIP Setting - Key Chain Setting] section of this
chapter.
Enter a string to be used as a key if you have set the
authentication mode to Text.
Note: To disable RIP authentication, run the command no ip rip authentication key-chain in <Interface Configuration Mode>.
Note: To delete the authentication key string, run the command no ip rip authentication string in <Interface Configuration Mode>.
Description
ip rip send-packet
ip rip receive-packet
Note: To disable the sending or receiving of RIP packets at an interface, run the command no ip rip send-packet or no ip
rip receive-packet in <Interface Configuration Mode>.
OSPF Overview
As with RIP, OSPF is an internal gateway protocol for exchanging routing information in AS. The routing
information exchanged between routers in OSPF is called LSA (Link State Advertisement). OSPF selects the
shortest route to a destination through the Link State Algorithm. The Link State Algorithm checks the
network interface state and the network connected to the interface, and calculates the route cost used in an
interface. Then it selects the route with the smallest cost as the best route.
Unlike RIP, which periodically sends routing information even when there is no change in the network, OSPF
sends routing information only when the network is changed, thus preventing unnecessary traffic.
Every OSPF router in the AS maintains routing information in the Link State Database. A link state contains the
router's IP address, subnet mask, and its relationships with neighbor routers, and the Link State Database is the
set of such link states. Because every OSPF router has a link state database that contains all information of the
network, complex and elaborate network control is possible.
OSPF can be configured in such a way that a network is divided into multiple parts and the link state
information is exchanged only in a limited part. In OSPF, this limited part is called "area." You can maintain
the optimum link state database by limiting the number of routers in this area.
[Figure: OSPF topology showing AS 10 and AS 20, a RIP domain, ASBR1, ASBR2, ASBR3, ABR1, ABR2, an Internal Router, and Area 1.1.1.1]
AS (Autonomous System)
AS is the largest topology, and a set of networks managed by one management system while sharing a
common routing policy. AS is also called "routing domain." In this OSPF topology, there are two AS's: AS 10
and AS 20. AS consists of multiple areas.
Area
Area is a part of AS and a set of neighboring networks and the hosts that belong to the networks. In the area
network topology, you cannot see routers that belong to an external area. The OSPF routing inside the area is
called intra-area routing. In this OSPF topology, AS 10 consists of three areas (0.0.0.0, 1.1.1.1, 1.1.1.2).
Backbone Area
The Backbone Area distributes the routing information between an area and AS. The Backbone Area is at the
center of OSPF areas and is physically connected with every area. The ID of the Backbone Area must be set to
0.0.0.0.
Stub Area
Stub area is the area that does not receive external routing information. In the stub area, there is only one
router that is connected to another AS. The router in the stub area uses the paths inside as well as outside AS
to send packets to the destination. For the area specified as stub area, you can decrease the topology
database size and the memory size required to save the database. In the above figure, Area 1.1.1.2 is the
stub area and can be connected to an external AS only through ABR 2.
OSPF Settings
To use OSPF as the routing protocol for TiFRONT, you must perform the following configuration tasks.
NSSA Setting
Command
Description
Enter the <OSPF configuration mode>.
<1-65535>
OSPF Routing Process ID. Setting range: 1 ~ 65535
Set the router ID. This must be a unique value that is not used by
any other routers. If router ID is not set, the largest IP address of
router-id <A.B.C.D>
When the router ID is changed, the OSPF router sends every LSA to neighboring routers. If a fixed router ID is
assigned to TiFRONT using the router-id command, the router ID is not changed, even if every interface is
down.
Note: To delete the router ID set in TiFRONT, run the command no router-id <A.B.C.D> in <OSPF Configuration Mode>.
Description
Restart OSPF routing process. If you enter an OSPF routing
process ID, only that process is restarted. If you don't enter
Area Setting
To specify a network for running OSPF and an area to which the interface connected to the network belongs,
run the following command in <OSPF Configuration Mode>.
Command
Description
Specify the area to which the interface connected to the
network will belong.
<A.B.C.D> <A.B.C.D>
IP address range and subnet mask of the OSPF network
[Figure: Vlan1 (192.213.1.1) and Vlan2 (192.213.20.2) in Area 0.0.0.1; Vlan3 (128.213.10.1) in Area 20]
As shown in the above figure, you can set the network 192.213.0.0/24 to which the Vlan1 and Vlan2
interfaces belong so that it will be in the area whose ID is 0.0.0.1, and the network 128.213.10.1/32 to which
the Vlan3 interface belongs so that it will be in the area whose ID is 20, as follows:
(config-ospf)# network 192.213.0.0/24 area 0.0.0.1
(config-ospf)# network 128.213.10.1/32 area 20
Note: To disable OSPF in the specified network, run the command no network {<A.B.C.D> <A.B.C.D> | <A.B.C.D/M>} area {<1-4294967295> |
<A.B.C.D>} in <OSPF Configuration Mode>.
Description
Enable the area authentication function.
<0-4294967295>
Enter the area ID for which to enable authentication.
Setting range: 0 ~ 4294967295
Note: To disable area authentication, run the command no area {<0-4294967295> | <A.B.C.D>} authentication in <OSPF Configuration
Mode>.
Description
Set an area as stub area.
<0-4294967295>
Enter the area ID to be set as stub area.
Note: To release the specified area from being a stub area, run the command no area {<0-4294967295> | <A.B.C.D>} stub [no-summary]
in <OSPF Configuration Mode>.
Description
Set an area as an NSSA.
area {<0-4294967295> | <A.B.C.D>} nssa [default-information-originate [metric <0-16777214> | metric-type <1-2>] | no-redistribution | no-summary | translator-role {always | never | candidate}]
<0-4294967295>
Enter the area ID to be set as an NSSA.
Setting range: 0 ~ 4294967295
<A.B.C.D>
Enter the area ID to be set as an NSSA in IP address format.
Note: To release the specified area from being an NSSA, run the command no area {<0-4294967295> | <A.B.C.D>} nssa [default-information-originate [metric <0-16777214> | metric-type <1-2>] | no-redistribution | no-summary | translator-role {always | never | candidate}] in <OSPF Configuration Mode>.
Description
Specify the filter to block the exchange of route information
between areas.
<0-4294967295>
Enter the OSPF area ID. Setting range: 0 ~ 4294967295
<A.B.C.D>
Enter the OSPF area ID in IP address format.
access
Block the route information by using an access list.
prefix
Block the route information by using a prefix list.
<WORD>
Access list or prefix list name
in
Incoming route information is blocked.
out
Outgoing route information is blocked.
Note: To delete the specified route information filter, run the command no area {<0-4294967295> | <A.B.C.D>} filter-list
{access | prefix} <WORD> {in | out} in <OSPF Configuration Mode>.
Note: Before you can set the route information filter, the access list and prefix list which contain the filtering conditions must be defined. For
information about the access list setting, see [Chapter 12 Security Settings ACL (Access Control List) - ACL Setting - Access List Setting] in this
guide. For information about the prefix list setting, see [Filter Setting - Prefix List Setting] section in this chapter.
To filter the transmission and reception of specific route information in the routes that are directly connected
to a router, user-defined static routes, and the route information learned from other routing protocols, run
the following command in <OSPF Configuration Mode>.
Command
Description
distribute-list <WORD> {in | out {bgp | connected | isis | kernel | ospf | rip | static}}
Filter the transmission and reception of specific route information.
<WORD>
Name of access list in which the route information is specified
in
Incoming route information is filtered.
out
Outgoing route information from the specified source is filtered.
bgp
connected
isis
kernel
ospf
static
Static route
rip
Note: To delete the specified route information filter, run the command no distribute-list <WORD> {in | out {bgp |
connected | isis | kernel | ospf | rip | static}} in <OSPF Configuration Mode>.
Note: Before you can set the route information filter, the access list which contains the filtering conditions must be defined. For information about
the access list setting, see [Chapter 12 Security Settings ACL (Access Control List) - ACL Setting - Access List Setting] in this Guide.
Note: When filtering incoming route information, you cannot set the bgp, connected, isis, kernel, ospf, rip and static options.
Description
Specify a range of networks whose routes will be summarized.
<0-4294967295>
Enter the OSPF area ID. Setting range: 0 ~ 4294967295
<A.B.C.D>
Enter the OSPF area ID in IP address format.
<A.B.C.D/M>
Network address of the route to be summarized
advertise
Send the summarized route information to the outside
(default).
not-advertise
Do not send the summarized route information to the
outside.
The following is an example of summarizing and sending the route of area 10 that belongs to the address
range 192.168.0.0~192.168.255.255 (192.168.0.0/24 network):
(config-ospf)# area 10 range 192.168.0.0/16
Note: To disable route summarization in a specified network, run the command no area {<0-4294967295> | <A.B.C.D>} range
<A.B.C.D/M> in <OSPF Configuration Mode>.
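The effect of an area range on the routes an ABR sends out of the area, as an added example that is not part of the TiFRONT guide. The intra-area route list and the two range statements are constructed for illustration; the matching rule (a range replaces every component route, is only advertised when a component route exists, and the longest matching range wins) follows RFC 2328 section 3.5.

```python
"""Added example (not part of the TiFRONT guide): what "area ... range" does to
the intra-area routes an ABR advertises out of the area. The routes and the
range statements below are constructed for illustration."""
from ipaddress import ip_network

# Constructed intra-area routes present in OSPF area 10.
AREA_10_ROUTES = [
    "192.168.1.0/24", "192.168.2.0/24", "192.168.77.0/24",  # covered by the /16 range
    "10.9.1.0/24",                                          # covered by a not-advertise range
    "172.16.5.0/24",                                        # covered by no range
]

# (range, advertise): the first entry mirrors "area 10 range 192.168.0.0/16",
# the second "area 10 range 10.9.0.0/16 not-advertise".
AREA_10_RANGES = [("192.168.0.0/16", True), ("10.9.0.0/16", False)]


def summarize(routes, ranges):
    """Return (advertised, suppressed) prefixes.

    A route inside a range is repla<br>ced by the range (advertise) or dropped
    (not-advertise); a range is advertised only when at least one component
    route exists, and the longest matching range wins (RFC 2328, 3.5).
    Routes outside every range pass through unchanged.
    """
    parsed = [(ip_network(r), adv) for r, adv in ranges]
    advertised, suppressed = [], []
    for r in routes:
        net = ip_network(r)
        matches = [(rng, adv) for rng, adv in parsed if net.subnet_of(rng)]
        if not matches:
            advertised.append(str(net))
            continue
        rng, adv = max(matches, key=lambda m: m[0].prefixlen)
        if adv:
            if str(rng) not in advertised:
                advertised.append(str(rng))
        else:
            suppressed.append(str(net))
    return advertised, suppressed


if __name__ == "__main__":
    adv, sup = summarize(AREA_10_ROUTES, AREA_10_RANGES)
    print("advertised:", adv)   # ['192.168.0.0/16', '172.16.5.0/24']
    print("suppressed:", sup)   # ['10.9.1.0/24']
```

A not-advertise range withholds reachability silently: the component routes still exist inside the area, but nothing outside it learns them, so a mistyped prefix length can black-hole a block without any error being reported. After changing ranges, confirm the summary LSAs with the OSPF database display commands described later in this chapter.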
TiFRONT User Guide
If TiFRONT is an ASBR, specify a range of networks whose routes will be integrated by running the
following command in <OSPF Configuration Mode>.
Command: summary-address <A.B.C.D/M> [not-advertise | tag <0-4294967295>]
Description: Specify a range of networks whose routes will be integrated.
  <A.B.C.D/M>       Network address of the route to be summarized
  not-advertise     Do not send the summarized route information to the outside.
  <0-4294967295>    Tag attached to the summarized route. Setting range: 0 ~ 4294967295
Note: To disable route summarization, run the command no summary-address <A.B.C.D/M> [not-advertise | tag <0-4294967295>]
in <OSPF Configuration Mode>.
Command: compatible rfc1583
Description: Support RFC 1583 when calculating route summarization.
Note: To disable RFC 1583 support, run the command no compatible rfc1583 in <OSPF Configuration Mode>.
information. You can set a value between 1 and 3600 (sec). The default is 5 (sec).
  transmit-delay    Set the transmission delay to other routers for LSA information. You can set a value
                    between 1 and 3600 (sec). The default is 1 (sec).
To set a virtual link, run the following command in <OSPF Configuration Mode>.
Command: area {<0-4294967295> | <A.B.C.D>} virtual-link <A.B.C.D>
Description: Set the virtual link for connecting to the backbone area.
  <0-4294967295>    Enter the area ID for the virtual link setting.
  <A.B.C.D>         Enter the area ID in IP address format; after virtual-link, the router ID of the router
                    at the other end of the virtual link.
Note: To delete the specified virtual link, run the command no area {<0-4294967295> | <A.B.C.D>} virtual-link <A.B.C.D> in
<OSPF Configuration Mode>.
To set authentication on a virtual link, run the following command in <OSPF Configuration Mode>.
Command: area {<0-4294967295> | <A.B.C.D>} virtual-link <A.B.C.D> authentication [message-digest | null]
Description: Enable authentication and select whether or not to encrypt the authentication key.
  message-digest    Use MD5 message-digest authentication.
  null              Do not use authentication.
Command: area {<0-4294967295> | <A.B.C.D>} virtual-link <A.B.C.D> message-digest-key <1-255> md5 <LINE>
Description: Set the message-digest authentication key.
  <1-255>           Authentication key ID. Setting range: 1 ~ 255
  <LINE>            Authentication key value. Specify a string of up to 16 characters.
Command: area {<0-4294967295> | <A.B.C.D>} virtual-link <A.B.C.D> authentication-key <LINE>
Description: Enter a string to be used as key if the key is not encrypted.
  <LINE>            Authentication key value. Specify a string of up to 8 characters.
A plain authentication-key travels in clear text in every OSPF packet and is visible to anyone capturing traffic on
the link; message-digest sends only an MD5 digest of each packet and keeps the key on the routers.
Note: To disable the authentication option for virtual links, run the command no area {<0-4294967295> | <A.B.C.D>} virtual-link
<A.B.C.D> authentication [message-digest] in <OSPF Configuration Mode>.
Note: To delete the authentication key for virtual links, run the command no area {<0-4294967295> | <A.B.C.D>} virtual-link
<A.B.C.D> message-digest-key <1-255> md5 <LINE> or no area {<0-4294967295> | <A.B.C.D>} virtual-link <A.B.C.D>
authentication-key <LINE> in <OSPF Configuration Mode>.
Command: area {<0-4294967295> | <A.B.C.D>} virtual-link <A.B.C.D> dead-interval <1-65535>
Description: Set the dead interval of the virtual link.
  <1-65535>    Setting range: 1 ~ 65535 (sec). (Default value: 40 sec)
To change the default metric, run the following command in <OSPF Configuration Mode>.
Command: default-metric <1-16777214>
Description: Change the default metric.
  <1-16777214>    Enter the value to be used as the default metric. Setting range: 1 ~ 16777214. (Default value: 20)
Note: To return to the default metric of 20, run the command no default-metric.
To select which routes to redistribute, run the following command in <OSPF Configuration Mode>.
Command: redistribute {bgp | connected | isis | kernel | ospf | rip | static} [metric <0-16777214> |
metric-type {1 | 2} | route-map <WORD> | tag <0-4294967295>]
Description: Specify the routes to be redistributed.
  bgp               BGP routes
  connected         Directly connected routes
  isis              IS-IS routes
  kernel            Kernel routes
  ospf              OSPF routes
  rip               RIP routes
  static            Static routes
  <0-16777214>      Enter the metric of the redistributed routes. Setting range: 1 ~ 16777214
  <WORD>            Name of the route map to be used for handling routes
  <0-4294967295>    Tag number of the route map. Setting range: 1 ~ 4294967295
If the redistributed route is an external route that is outside the AS, you can set the type of external route by
using the metric-type option. Enter metric-type 1 to specify an external route of type 1, which uses the sum
of the external route cost and the internal cost (the cost used to reach the router inside an area) as the route cost.
Enter metric-type 2 to specify an external route of type 2, which uses only the external cost as the route cost. If you
don't specify the type of external route, it will be set as type 2 by default.
To set the reference bandwidth, run the following command in <OSPF Configuration Mode>.
Command: auto-cost reference-bandwidth <1-4294967>
Description: Set the reference bandwidth.
  <1-4294967>    Setting range: 1 ~ 4294967 (Mbps). (Default value: 100 Mbps)
Note: To delete the reference bandwidth, run the command no auto-cost reference-bandwidth.
To generate a default route, run the following command in <OSPF Configuration Mode>.
Command: default-information originate [always | metric <0-16777214> | metric-type {1 | 2} | route-map <WORD>]
Description: Generate a default route and send it to other routers in the OSPF network.
  always                Send the default route to other routers in the OSPF network even when TiFRONT itself has
                        no default route.
  metric <0-16777214>   Set the metric of the default route.
  metric-type {1 | 2}   Set the external route type of the default route.
  route-map <WORD>      Name of the route map to be applied.
Note: To disable the default route setting, run the command no default-information originate [always | metric <0-16777214> |
metric-type {1 | 2} | route-map <WORD>] in <OSPF Configuration Mode>.
Note: You can set the options multiple times regardless of the sequence when setting the default route.
The following OSPF interface settings can be configured:
  Cost of Interface
  Hello Interval
  Dead Interval
  Priority
  MTU Setting
Cost Setting
The cost of the OSPF interface is the overhead required when packets are transmitted through an interface.
OSPF refers to the cost of the interface which a route passes through when selecting the optimum route. By
default, the cost of an OSPF interface is set to 10. You should set a low cost if the interface bandwidth is high or
the link is reliable, and a high cost in the opposite case, so that routes that pass through the better interface
will be chosen whenever possible.
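The cost arithmetic behind the interface cost, the reference bandwidth and the metric-type option, as an added example that is not part of the TiFRONT guide. It assumes the usual OSPF auto-cost rule (cost = reference bandwidth / link bandwidth, rounded up, minimum 1; the guide's fixed default of 10 applies when no cost is derived) and the RFC 2328 section 16.4 preference of type 1 external routes over type 2; the link speeds and candidate paths are constructed.

```python
"""Added example (not from the TiFRONT guide): OSPF cost rules worked on
constructed link figures. Assumptions: interface cost = reference-bandwidth /
link bandwidth rounded up with a floor of 1 (the usual auto-cost rule); type 1
external routes are preferred over type 2 (RFC 2328, 16.4)."""
import math

DEFAULT_REFERENCE_MBPS = 100   # auto-cost reference-bandwidth default from the guide


def interface_cost(link_mbps, reference_mbps=DEFAULT_REFERENCE_MBPS):
    """Higher bandwidth gives a lower cost. Every link faster than the reference
    collapses to cost 1, which is why the reference is raised on gigabit networks."""
    return max(1, math.ceil(reference_mbps / link_mbps))


def external_route_cost(metric_type, external_metric, internal_cost):
    """metric-type 1: external metric + cost to reach the ASBR.
    metric-type 2 (the default): external metric only."""
    if metric_type == 1:
        return external_metric + internal_cost
    if metric_type == 2:
        return external_metric
    raise ValueError("metric-type must be 1 or 2")


def best_external_path(candidates):
    """candidates: (name, metric_type, external_metric, internal_cost) tuples.
    Type 1 paths beat type 2 paths; among type 1 the total cost decides; among
    type 2 the external metric decides and the internal cost only breaks ties."""
    def key(c):
        _, mtype, ext, internal = c
        return (0, ext + internal, 0) if mtype == 1 else (1, ext, internal)
    return min(candidates, key=key)[0]


if __name__ == "__main__":
    for mbps in (10, 100, 1000):
        print(f"{mbps} Mbps -> cost {interface_cost(mbps)} (ref 100) / "
              f"{interface_cost(mbps, 10000)} (ref 10000)")
    # Constructed: one redistributed prefix reachable via two ASBRs, both using
    # the guide's default-metric of 20, at different internal distances.
    paths = [("via ASBR-A", 2, 20, 5), ("via ASBR-B", 2, 20, 2)]
    print(best_external_path(paths))                                # via ASBR-B
    print(best_external_path(paths + [("via ASBR-C", 1, 20, 30)]))  # via ASBR-C
```

With the default reference of 100 Mbps, a 100 Mbps and a 1 Gbps link both get cost 1 and OSPF cannot tell them apart; raising auto-cost reference-bandwidth on every router in the area (it must match everywhere, or path choice becomes inconsistent) restores the distinction. The last call shows that a type 1 external route wins even when its total cost (50) is far higher than the type 2 alternatives (20).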
To set the cost of a specific interface, perform the following procedure in <Configuration Mode>. You must
enter the <Interface Configuration Mode> of the interface you want to set.
  1. interface <IF-NAME>        Enter the <Interface Configuration Mode>.
  2. ip ospf cost <1-65535>     Enter a cost to be assigned to the interface.
       <1-65535>                Setting range: 1 ~ 65535. (Default value: 10)
Note: To use the default value instead of the cost set in the OSPF interface, run the command no ip ospf cost in <Interface Configuration
Mode>.
To change the hello interval, run the following command in <Interface Configuration Mode>.
Command: ip ospf hello-interval <1-65535>
Description: Change the hello interval of the OSPF interface.
  <1-65535>    Setting range: 1 ~ 65535. (Default: 10 sec)
Note: To use the default value instead of the hello interval set in the OSPF interface, run the command no ip ospf hello-interval in
<Interface Configuration Mode>.
To change the dead interval, run the following command in <Interface Configuration Mode>.
Command: ip ospf dead-interval <1-65535>
Description: Change the dead interval of the OSPF interface.
  <1-65535>    Setting range: 1 ~ 65535. (Default value: 40 sec)
Note: To use the default value instead of the dead interval set in the OSPF interface, run the command no ip ospf dead-interval in
<Interface Configuration Mode>.
To set authentication on an OSPF interface, run the following command in <Interface Configuration Mode>.
Command: ip ospf [<A.B.C.D>] authentication [message-digest | null]
Description: Enable authentication and select whether or not to encrypt the authentication key.
  <A.B.C.D>         IP address of the interface
  message-digest    Use MD5 message-digest authentication.
  null              Do not use authentication.
Command: ip ospf [<A.B.C.D>] message-digest-key <1-255> md5 <LINE>
Description: Set the message-digest authentication key.
  <1-255>           Authentication key ID. Setting range: 1 ~ 255
  <LINE>            Authentication key value. Specify a string of up to 16 characters.
Command: ip ospf [<A.B.C.D>] authentication-key <LINE>
Description: Enter a string to be used as key if the key is not encrypted.
  <LINE>            Authentication key value. Specify a string of up to 8 characters.
A plain authentication-key is carried in clear text in every OSPF packet, so it is visible to anyone capturing traffic on
the link; message-digest sends only an MD5 digest of each packet and the key itself never leaves the routers.
Note: To disable the authentication function, run the command no ip ospf authentication in <Interface Configuration Mode>.
Note: To delete the authentication key, run the command no ip ospf authentication-key in <Interface Configuration Mode>.
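What the two authentication modes above (on interfaces and on virtual links alike) put on the wire, as an added example that is not part of the TiFRONT guide. It builds a constructed OSPF Hello with the RFC 2328 Appendix D field layout: with a plain authentication-key the key sits literally in the header, while with message-digest the header carries only a key ID and sequence number and a 16-byte MD5 over packet-plus-key is appended, which the receiver recomputes from its own copy of the key. The router ID, area, key ID and key value are constructed; the IP-style header checksum is left at zero for brevity.

```python
"""Added example (not from the TiFRONT guide): OSPF plain-password versus
message-digest authentication on a constructed Hello packet, following the
field layout of RFC 2328 A.3.1 and Appendix D. Router ID, area, key ID and
key value are constructed values."""
import hashlib
import hmac
import struct

OSPF_VERSION = 2
HELLO = 1
AUTH_NONE, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2

ROUTER_ID = bytes([10, 0, 0, 1])    # constructed
AREA_ID = bytes([0, 0, 0, 10])      # constructed: area 10
# Hello body: netmask, hello interval 10, options, priority 1, dead interval 40, DR, BDR
HELLO_BODY = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1, 40, bytes(4), bytes(4))


def ospf_packet(autype, auth_field, body=HELLO_BODY):
    """24-byte OSPF header + body. The length field never counts the MD5 digest
    that message-digest mode appends after the packet."""
    return struct.pack("!BBH4s4sHH8s", OSPF_VERSION, HELLO, 24 + len(body),
                       ROUTER_ID, AREA_ID, 0, autype, auth_field) + body


def plain_password_packet(key):
    """'ip ospf authentication' + 'ip ospf authentication-key <LINE>':
    the key (up to 8 characters) is carried as-is in the authentication field."""
    return ospf_packet(AUTH_SIMPLE, key.encode().ljust(8, b"\x00")[:8])


def _key16(key):
    return key.encode().ljust(16, b"\x00")[:16]   # keys are at most 16 characters


def md5_packet(key_id, key, seq):
    """'ip ospf authentication message-digest' + 'message-digest-key <id> md5 <LINE>':
    the auth field holds key ID, digest length and a sequence number; the digest
    MD5(packet || key) is appended (RFC 2328 D.4.3)."""
    auth_field = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = ospf_packet(AUTH_MD5, auth_field)
    return pkt + hashlib.md5(pkt + _key16(key)).digest()


def md5_verify(data, keys):
    """Receiver side (RFC 2328 D.4.4): find the key by ID, recompute the digest
    and compare in constant time. keys: {key_id: key}."""
    if len(data) < 24 + 16:
        return False
    _, _, length, _, _, _, autype, auth = struct.unpack("!BBH4s4sHH8s", data[:24])
    if autype != AUTH_MD5 or length + 16 != len(data):
        return False
    _, key_id, auth_len, _seq = struct.unpack("!HBBI", auth)
    if auth_len != 16 or key_id not in keys:
        return False
    expected = hashlib.md5(data[:length] + _key16(keys[key_id])).digest()
    return hmac.compare_digest(expected, data[length:])


if __name__ == "__main__":
    plain = plain_password_packet("pw")
    signed = md5_packet(1, "s3cret-key", seq=1000)
    print("key visible in plain packet:", b"pw" in plain)              # True
    print("key visible in MD5 packet:  ", b"s3cret-key" in signed)     # False
    print("verifies with right key:    ", md5_verify(signed, {1: "s3cret-key"}))  # True
```

The key ID lets routers roll keys without an outage (add the new key on every router first, then retire the old one), and the sequence number is what a receiver checks to reject replayed packets: a real implementation keeps the last sequence number seen per neighbor and drops anything older, which this example omits.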
Priority Setting
OSPF elects the designated router (DR) representing a network to prevent the transmission of routing
information from every router. The designated router creates and distributes the route information of a network.
Furthermore, when a new router is detected, it is synchronized by exchanging route information with the
designated router.
When the designated router is elected, the priority set in each interface is used. The interface with the
highest priority becomes the designated router of the network. By default, the priority of every OSPF
interface is set to 1.
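A cold-start DR/BDR election from the interface priorities, as an added example that is not part of the TiFRONT guide. It assumes the RFC 2328 section 9.4 rules in the simple case where no router already claims the DR role (an established DR is never displaced): the highest priority wins, ties go to the highest router ID, and priority 0 makes an interface ineligible. The segment below is constructed.

```python
"""Added example (not from the TiFRONT guide): cold-start DR/BDR election on a
broadcast segment from per-interface priorities. Assumptions: RFC 2328 section
9.4 rules with no incumbent DR; the segment is constructed."""
from ipaddress import IPv4Address

# Constructed: router ID -> "ip ospf priority" on the shared segment.
SEGMENT = {
    "10.0.0.1": 1,     # default priority
    "10.0.0.2": 1,     # default priority, higher router ID than 10.0.0.1
    "10.0.0.3": 100,   # intended DR
    "10.0.0.9": 0,     # must never become DR or BDR
}


def elect(segment):
    """Return (dr, bdr) router IDs; None where no eligible router exists.
    Priority first, router ID as the tie-breaker, both highest-wins."""
    eligible = sorted(
        ((prio, int(IPv4Address(rid)), rid) for rid, prio in segment.items() if prio > 0),
        reverse=True,
    )
    dr = eligible[0][2] if eligible else None
    bdr = eligible[1][2] if len(eligible) > 1 else None
    return dr, bdr


def is_eligible(segment, router_id):
    """Priority 0 interfaces take part in OSPF but never in the election."""
    return segment.get(router_id, 0) > 0


if __name__ == "__main__":
    print(elect(SEGMENT))   # ('10.0.0.3', '10.0.0.2')
```

Because the election is not preemptive, a router that joins later with a higher priority only becomes DR after the current one leaves; conversely, any device that can form an adjacency on the segment takes part in the election, so the priority setting is best combined with the authentication settings above so that only the intended routers can participate at all.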
You can set the priority of an OSPF interface by running the following command in <Interface Configuration
Mode>.
Command: ip ospf priority <0-255>
Description: Set the priority of the OSPF interface. Set the priority to 0 for the interface of a
Note: To reset the priority of an OSPF interface to 1, run the command no ip ospf priority in <Interface Configuration Mode>.
MTU Setting
The MTU sizes of neighbor routers in an OSPF network must be identical. By default, routers with different
MTU sizes cannot form an OSPF adjacency. If you set the MTU size to be ignored,
however, routers can be included in an OSPF network regardless of their MTU size.
To set the MTU size of an OSPF interface, run the following command in <Interface Configuration Mode>.
Command: ip ospf mtu <576-65535>
Description: Set the MTU size of the OSPF interface.
  <576-65535>    Setting range: 576 ~ 65535. (Default value: 1500)
Note: To reset the MTU size of an OSPF interface to 1500, run the command no ip ospf mtu in <Interface Configuration Mode>.
To ignore the MTU size of an OSPF interface, run the following command in <Interface Configuration Mode>.
Command: ip ospf mtu-ignore [<A.B.C.D>]
Description: The MTU size of the OSPF interface is ignored.
  <A.B.C.D>    IP address of the interface
Note: To stop ignoring the MTU size of an OSPF interface, run the command no ip ospf mtu-ignore in <Interface Configuration Mode>.
The OSPF network type can be set directly by the user depending on the network configuration. To set the type
of an OSPF network, run the following command in <Interface Configuration Mode>. TiFRONT is set as a
broadcast network by default.
Command: ip ospf network {broadcast | non-broadcast | point-to-multipoint | point-to-point}
Description: Set the network type of the OSPF interface.
  broadcast              Set as broadcast network (default)
  non-broadcast          Set as non-broadcast network
  point-to-multipoint    Set as point-to-multipoint network
  point-to-point         Set as point-to-point network
Note: To reset the network type of an OSPF interface to the default broadcast network, run the command no ip ospf network in <Interface
Configuration Mode>.
The OSPF configuration and status can be displayed in <User Mode> or <Privileged Mode>. You can enter the options to show only the
information of a specific neighbor router or the information of neighbor routers connected to a specific interface.
When displaying the OSPF database, the following keywords select which LSAs to show:
  asbr-summary
  external
  max-age
  network
  nssa-external
  opaque-area
  opaque-as
  opaque-link
  router
  summary
BGP Overview
BGP is a routing protocol for exchanging routing information between ASs. In one AS, you can use an interior
gateway protocol (IGP) such as RIP or OSPF to exchange routing information. However, in order to exchange
routing information with other ASs such as ISPs (Internet Service Providers), you must use an exterior
gateway protocol (EGP) such as BGP.
The following figure is a simple example showing two ASs to which BGP was applied. Each AS contains three
routers. Every router that belongs to the same AS exchanges BGP information through iBGP (Internal BGP),
and they exchange BGP information with routers that belong to another AS through eBGP (External BGP).
Furthermore, each router runs iBGP. The routers that belong to AS1 are OSPF routers and the routers that
belong to AS2 are RIP routers. The routing information can be redistributed between BGP and RIP and
between BGP and OSPF, and the static routes of other routing protocols can be redistributed as well.
[Figure: two ASs (AS1 and AS2) connected by BGP; iBGP inside each AS, eBGP between them]
Once a TCP connection with a neighbor is established, the BGP router exchanges its BGP routing table
information with its neighbors. After this initial information exchange process is finished, they do not
regularly send update messages containing routing information, unlike RIP, but only send update
messages to neighbors when their own BGP routing table is changed (added routes, changed routes, invalid
routes, etc.).
Weight
Local preference
AS path
Community
In BGP, you can apply these attributes when sending information to or receiving information from BGP
neighbors. Because you can directly set the BGP attributes, they can be used to adjust the traffic direction by
reflecting the network policy or network status. For details about each BGP attribute, see [BGP
Settings
BGP selects the best route in the following order:
1. Select the route that has the highest weight.
2. If the weights of two routes are identical, select the route that has the highest local preference.
3. If the local preferences are identical, select the route that originated in the local BGP router.
4. If there is no route that originated in the local BGP router, select the route that has the shortest AS
path.
5. If the lengths of the AS paths are identical, select the route that has the lowest MED (Multi-exit
discriminator).
6. If the MEDs are identical, select the route that was learned through eBGP rather than iBGP.
7. If the routes were learned through the same type (iBGP or eBGP), select the route that has the nearest IGP
neighbor.
In general, BGP routes have the same weight and local preference, so the factor that has the greatest effect on
route selection is, in many cases, the length of the AS path.
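The seven-step comparison above run over constructed candidate paths for one prefix, as an added example that is not part of the TiFRONT guide. It assumes weight and local preference are larger-is-better, MED is smaller-is-better, step 7 is represented by a constructed IGP metric to the next hop, and ties that survive all seven steps are resolved by list order; Path, best_path and deciding_step are this example's own names.

```python
"""Added example (not from the TiFRONT guide): the seven-step BGP best-route
selection listed above, run over constructed candidate paths for one prefix."""
from dataclasses import dataclass


@dataclass
class Path:
    name: str
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False
    as_path: tuple = ()
    med: int = 0
    from_ebgp: bool = True
    igp_metric: int = 0      # IGP cost to the next hop (step 7)


def selection_key(p):
    """One tuple position per step; smaller is better at every position, so
    Python's tuple ordering applies the steps in sequence."""
    return (
        -p.weight,                  # 1. highest weight
        -p.local_pref,              # 2. highest local preference
        not p.locally_originated,   # 3. locally originated route
        len(p.as_path),             # 4. shortest AS path
        p.med,                      # 5. lowest MED
        not p.from_ebgp,            # 6. eBGP over iBGP
        p.igp_metric,               # 7. nearest IGP neighbor
    )


def best_path(paths):
    return min(paths, key=selection_key)


def deciding_step(paths):
    """Which step (1-7) separated the winner from the runner-up, or None."""
    keys = sorted(selection_key(p) for p in paths)
    if len(keys) < 2:
        return None
    for step, (a, b) in enumerate(zip(keys[0], keys[1]), start=1):
        if a != b:
            return step
    return None


# Constructed candidates for one prefix (AS numbers from the documentation range).
CANDIDATES = [
    Path("via AS65010", as_path=(65010, 65020), med=10),
    Path("via AS65030", as_path=(65030,), med=50),
    Path("via iBGP", local_pref=200, as_path=(65010, 65020, 65030),
         from_ebgp=False, igp_metric=30),
]

if __name__ == "__main__":
    print(best_path(CANDIDATES).name, "decided at step", deciding_step(CANDIDATES))
    print(best_path(CANDIDATES[:2]).name, "decided at step", deciding_step(CANDIDATES[:2]))
```

The iBGP path wins purely on local preference (step 2) although it has the longest AS path, which is the point of the guide's remark: weight and local preference are set locally and rarely differ, so in practice step 4 decides, and that step is the one a neighbor can influence from outside through AS path prepending, as the AS path section later in this chapter shows.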
BGP Timers
BGP uses the following four types of timers to maintain connections with neighbors and send routing
information.
Timer        Function                                                                        Default
Keepalive    Interval at which KEEPALIVE messages are sent to a BGP neighbor.                 60 sec
Holdtime     Waiting time after receiving the KEEPALIVE message from a BGP neighbor until     180 sec
             the next message is received (3 - 65535 sec). If the KEEPALIVE message is not
             received within this time, the BGP neighbor is regarded as dead, the TCP
             connection is stopped, and all the routing information received from that
             neighbor is deleted.
Connect      Waiting time after the connection with a BGP neighbor is stopped until the       60 sec
             connection is tried again (0 - 65535 sec).
Update       Minimum time after an update packet is sent to a BGP neighbor until a new        30 sec (eBGP)
             update packet is sent. Update packets are not sent until the minimum update      5 sec (iBGP)
             timer has expired (0 - 65535 sec).
Characteristics of BGP
BGP has the following characteristics which differ from RIP and OSPF, which are IGPs:
- BGP is neither purely a distance vector protocol nor a link state protocol.
- Because BGP is an EGP, its goal is to exchange routing information between ASs.
- Like a distance vector protocol, BGP provides the next hop information for each destination.
- Unlike a distance vector protocol that only sends its own routing table, BGP can apply the routing policy
defined by the network administrator.
- Unlike other routing protocols, BGP uses TCP when sending routing information.
- BGP provides not only the next hop information for the destination, but also the route information for the ASs that
the update message has passed through.
- BGP reduces the bandwidth used by regular transmission of update messages by sending update
messages only when something has changed, except for sending the entire routing table when it
first establishes a relationship with a BGP neighbor.
- BGP supports CIDR (Classless Inter-Domain Routing).
- BGP supports route aggregation, which integrates multiple routes into one route. Route aggregation reduces the use
of network bandwidth by BGP.
BGP Settings
The BGP configuration process in TiFRONT includes the following steps:
Enabling BGP
To enable BGP in TiFRONT, run the following commands in <Configuration Mode>.
  1. router bgp <1-4294967295>    Enable the BGP routing process and enter <BGP Configuration Mode>.
       <1-4294967295>             Number of the AS to which TiFRONT belongs. Setting range: 1 ~ 4294967295
  2. bgp router-id <A.B.C.D>      Set the BGP router ID. This must be a unique value that is not used by
                                  any other routers. If the router ID is not set, the largest IP address of the
Note: To delete the BGP router ID, run the command no bgp router-id <A.B.C.D> in <BGP Configuration Mode>.
Note: To disable the BGP routing process, run the command no router bgp <1-4294967295> in <Configuration Mode>.
To create a peer group, run the following command in <BGP Configuration Mode>.
Command: neighbor <WORD> peer-group
Description: Create a peer group.
  <WORD>    Peer group name
Note: To delete a peer group, run the command no neighbor <WORD> peer-group in <BGP Configuration Mode>.
To specify routers to be included in a peer group, run the following command in <BGP Configuration Mode>.
Command: neighbor {<A.B.C.D> | <X:X::X:X>} peer-group <WORD>
Description: Add a router to the peer group.
  <A.B.C.D>     IPv4 address of the router to add to the peer group
  <X:X::X:X>    IPv6 address of the router to add to the peer group
  <WORD>        Peer group name
Note: To delete a router from a peer group, run the command no neighbor {<A.B.C.D> | <X:X::X:X>} peer-group <WORD> in <BGP
Configuration Mode>.
[Figure: BGP neighbor topology used in the example below, with the addresses as used in its configuration. AS 100: Router A
(129.213.1.1). AS 200: Router B (129.213.1.2, 20.0.0.1), Router C (20.0.0.2, 10.0.0.2), Router D (10.0.0.1, 30.0.0.2).
AS 300: Router E (30.0.0.1).]
To specify a BGP neighbor, run the following command in <BGP Configuration Mode>.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} remote-as <1-4294967295>
Description: Specify a BGP neighbor.
  <A.B.C.D>         IPv4 address of the other device to become a BGP neighbor
  <WORD>            Peer group name
  <X:X::X:X>        IPv6 address of the other device to become a BGP neighbor
  <1-4294967295>    Number of the AS to which the neighbor belongs
Note: To release the BGP neighbor relationship, run the command no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} remote-as <1-4294967295> in <BGP Configuration Mode>.
The procedures for specifying a BGP neighbor in each router in the figure are as follows:
[Router A]
(config)# router bgp 100
(config-router)# neighbor 129.213.1.2 remote-as 200
[Router B]
(config)# router bgp 200
(config-router)# neighbor 129.213.1.1 remote-as 100
(config-router)# neighbor 20.0.0.2 remote-as 200
[Router D]
(config)# router bgp 200
(config-router)# neighbor 10.0.0.2 remote-as 200
(config-router)# neighbor 30.0.0.1 remote-as 300
[Router E]
(config)# router bgp 300
(config-router)# neighbor 30.0.0.2 remote-as 200
To release only the TCP connection with a neighbor while maintaining the BGP neighbor relationship, run the
following command in <BGP Configuration Mode>.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} shutdown
Description: Release only the TCP connection with the neighbor.
  <A.B.C.D>     IPv4 address of the other device with which to release only the TCP connection
  <WORD>        Name of a peer group with which to release only the TCP connection
  <X:X::X:X>    IPv6 address of the other device with which to release only the TCP connection
Note: To make the TCP connection again after disconnecting the TCP connection with a neighbor, run the command no neighbor {<A.B.C.D> |
<WORD> | <X:X::X:X>} shutdown in <BGP Configuration Mode>.
To specify the network of the routing information to send to a BGP neighbor, run the following command in
<BGP Configuration Mode>.
Command: network {<A.B.C.D> mask <A.B.C.D> | <A.B.C.D/M>} [backdoor] [route-map <WORD>]
Description: Specify the network of the routing information to send to a BGP neighbor.
  <A.B.C.D>         Network address of the routing information
  mask <A.B.C.D>    Subnet mask
  <A.B.C.D/M>       Network address and netmask bit length of the routing information
  <WORD>            Name of the route map to be applied when sending the routing information
  backdoor          The AD (administrative distance) value of the route is changed to 200.
Note: If you don't want to send the routing information of the specified network to BGP neighbors, run the command no network <ipaddress>/<mask> in <BGP Configuration Mode>.
To select which routes to redistribute into BGP, run the following command in <BGP Configuration Mode>.
Command: redistribute {connected | isis | kernel | ospf | rip | static} [route-map <WORD>]
Description: Specify the routes to be redistributed.
  connected    Directly connected routes
  isis         IS-IS routes
  kernel       Kernel routes
  ospf         OSPF routes
  rip          RIP routes
  static       Static route
  <WORD>       Name of the route map to be applied when redistributing
Note: If you don't want to perform the redistribution of the routes, run the command no redistribute {connected | isis | kernel |
ospf | rip | static} [route-map <WORD>] in <BGP Configuration Mode>.
To send the default route to a neighbor router or peer group, run the following command in <BGP Configuration Mode>.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} default-originate [route-map <WORD>]
Description: Specify a neighbor router or peer group to which to send the default route.
  <A.B.C.D>     IPv4 address of the neighbor router to which to send the default route
  <WORD>        Name of a peer group to which to send the default route
  <X:X::X:X>    IPv6 address of the neighbor router to which to send the default route
  <WORD>        Name of the route map to be applied when sending the default route
Note: To delete the default route setting, run the command no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} default-originate
[route-map <WORD>] in <BGP Configuration Mode>.
To specify a route reflector client, run the following command in <BGP Configuration Mode>.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} route-reflector-client
Description: Specify a Route Reflector Client.
  <A.B.C.D>     IPv4 address of the neighbor
  <WORD>        Peer group name
  <X:X::X:X>    IPv6 address of the neighbor
Note: To delete the Route Reflector Client, run the command no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} route-reflector-client in <BGP Configuration Mode>.
A route reflector together with its route reflector clients is called a cluster. You can set multiple route reflectors
in one AS. In this case, you set a cluster ID on each route reflector to differentiate the clusters. To set a cluster
ID, run the following command in <BGP Configuration Mode>.
Command: bgp cluster-id {<1-4294967295> | <A.B.C.D>}
Description: Specify a cluster ID.
  <1-4294967295>    Specify a cluster ID. Setting range: 1 ~ 4294967295
  <A.B.C.D>         Specify the cluster ID in IP address format.
Note: To delete the cluster ID, run the command no bgp cluster-id in <BGP Configuration Mode>.
To remove private AS numbers from the AS path of the routing information sent to a neighbor, run the following
command in <BGP Configuration Mode>.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} remove-private-AS
Description: Remove the private AS number from the routing information.
  <A.B.C.D>     IPv4 address of the neighbor
  <WORD>        Peer group name
  <X:X::X:X>    IPv6 address of the neighbor
Note: To delete the private AS number removal, run the command no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} remove-private-AS in <BGP Configuration Mode>.
To specify a weight value for the routes received from the specified BGP neighbor, run the following command
in <BGP Configuration Mode>.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} weight <0-65535>
Description: Specify the weight value of the routes received from a BGP neighbor.
  <A.B.C.D>     IPv4 address of the neighbor
  <WORD>        Peer group name
  <X:X::X:X>    IPv6 address of the neighbor
  <0-65535>     Weight value
Note: To ignore the weight set by the user and use the default value, run the command no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>}
weight in <BGP Configuration Mode>.
To change the local preference value, run the following command in <BGP Configuration Mode>.
Command: bgp default local-preference <0-4294967295>
Description: Change the local preference value.
  <0-4294967295>    Local preference value. Setting range: 0 ~ 4294967295. (Default value: 100)
Note: To return the local preference value to the default 100, run the command no bgp default local-preference in <BGP Configuration Mode>.
As with the local preference of a route, you must use a route map when changing the AS path. The set
command of the route map used to change the AS path is set as-path prepend. For details about the
types of set commands and the route map, see the route map setting section.
To define a route map and change the AS path with it, perform the following procedure in
<Configuration Mode>.
  1. route-map <WORD> permit <1-65535>
     Define a route map and enter the <Route map configuration mode>. The sequence number is used as the order
     of applying the route map when a route map of the same name is already defined.
       <WORD>       Name of the route map.
       <1-65535>    Sequential number of the route map rule. Setting range: 1 ~ 65535
  2. set as-path prepend <1-4294967295> [<1-4294967295>]
     Change the AS path of the route.
       <1-4294967295>    Number of the AS to be added to the current AS path.
  3. exit
     Exit to <Configuration Mode> from the <Route map configuration mode>.
  4. router bgp <1-4294967295>
     Enter the <BGP Configuration Mode>.
  5. neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} route-map <WORD> out
     Specify the neighbor to which the route map defined in steps 1 and 2 will be applied when sending routes.
       <A.B.C.D>     IPv4 address of the neighbor to which the route map will be applied.
       <WORD>        Name of a peer group to which the route map will be applied.
       <X:X::X:X>    IPv6 address of the neighbor to which the route map will be applied.
       <WORD>        Name of the route map.
In the following example, the aspath route map is defined (set to 500), and the route map is applied to
send routing information to a BGP neighbor with the IP address 200.1.1.2.
(config)# route-map aspath permit 10
(config-route-map)# set as-path prepend 500
(config-route-map)# exit
(config)# router bgp 100
(config-router)# neighbor 200.1.1.2 route-map aspath out
(config-router)#
With the above settings, when TiFRONT sends routing information to a neighbor with the IP address
200.1.1.2, the AS number 500 set in the route map is added to the AS path attribute.
To compare the metric values of all routing information, run the following command in <BGP Configuration Mode>.
Command: bgp always-compare-med
Description: Enable the comparison of the metric values of routing information.
Note: If you want to change the settings to compare the metric values of routing information received only from the local AS, run the command no
bgp always-compare-med in <BGP Configuration Mode>.
You must use a route map to set your own metric value. The set command of the route map used to change
the metric value is set metric. For details about the types of set commands and the route map, see the route
map setting section.
To define a route map and change the metric value with it, perform the following procedure in
<Configuration Mode>.
  1. route-map <WORD> permit <1-65535>
     Define a route map and enter <Route map configuration mode>. The sequence number is used as the order of
     applying the route map when a route map of the same name is already defined.
       <WORD>       Name of the route map.
       <1-65535>    Sequential number of the route map rule. Setting range: 1 - 65535
  2. set metric <+/-><0-4294967295>
     Change the metric value of a route.
       <+/-><0-4294967295>    Metric value, or a value to add to (+) or subtract from (-) the current metric.
  3. exit
     Exit to <Configuration mode> from the <Route map configuration mode>.
  4. router bgp <1-4294967295>
     Enter the <BGP Configuration Mode>.
  5. neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} route-map <WORD> out
     Specify the neighbor to which the route map defined in steps 1 and 2 will be applied when sending routes.
       <A.B.C.D>     IPv4 address of the neighbor to which the route map will be applied.
       <WORD>        Name of a peer group to which the route map will be applied.
       <X:X::X:X>    IPv6 address of the neighbor to which the route map will be applied.
       <WORD>        Name of the route map.
In the following example, the med route map, which sets the metric value of the route to 15, is defined, and
this route map is applied to the routes sent to a BGP neighbor with the IP address 200.1.1.2.
(config)# route-map med permit 1
(config-route-map)# set metric 15
(config-route-map)# exit
(config)# router bgp 100
(config-router)# neighbor 200.1.1.2 route-map med out
(config-router)#
With the above settings, the route information with the metric value 15 will be sent to the neighbor 200.1.1.2.
Community Attribute
The community attribute tells neighbors how to process the routing information. Depending
on the community attribute setting, the neighbor receiving the routing information determines whether to
send the routing information to external ASs or only within the local AS. There are three types of communities:
  local-AS        The routing information is sent only to the local AS and not to other eBGP neighbors.
  no-advertise    The routing information is not sent to other BGP neighbors (neither in the local AS nor in external ASs).
  no-export       The routing information is sent only to the local AS to which the neighbor belongs and not outside the AS.
To send the community attribute to neighbors, run the following command in <BGP Configuration Mode>.
Command: neighbor <ip-address> send-community
Description: Send the community attribute to neighbors.
Note: To stop sending community attributes to neighbors, run the command no neighbor <ip-address> send-community in <BGP Configuration Mode>.
You can set the community attribute to send to neighbors through a route map. The set command of the
route map used to set the community attribute is set community. For details about the types of set commands
and the route map, see the route map settings section. To define a route map and change the community
attribute with it, perform the following procedure in <Configuration Mode>.
  1. route-map <WORD> permit <1-65535>
     Define a route map and enter <Route map configuration mode>. The sequence number is used as the order of
     applying the route map when a route map of the same name is already defined.
       <WORD>       Name of the route map.
       <1-65535>    Sequential number of the route map rule. Setting range: 1 - 65535
  2. set community {local-AS | no-advertise | no-export}
     Change the community attribute.
       local-AS        Send routing information only to the local AS.
       no-advertise    The routing information cannot be sent to other BGP neighbors.
       no-export       Send routing information only to the local AS to which the neighbor belongs.
  3. exit
     Exit to <Configuration mode> from the <Route map configuration mode>.
  4. router bgp <1-4294967295>
     Enter the <BGP Configuration Mode>.
  5. neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} route-map <WORD> out
     Specify the neighbor to which the route map defined in steps 1 and 2 will be applied when sending routes.
       <A.B.C.D>     IPv4 address of the neighbor to which the route map will be applied.
       <WORD>        Name of a peer group to which the route map will be applied.
       <X:X::X:X>    IPv6 address of the neighbor to which the route map will be applied.
       <WORD>        Name of the route map.
In the following example, the comm route map, which sets the community attribute to no-export, is
defined, and this community is sent to a BGP neighbor with the IP address 200.1.1.2.
(config)# route-map comm permit 10
(config-route-map)# set community no-export
(config-route-map)# exit
(config)# router bgp 100
(config-router)# neighbor 200.1.1.2 send-community
(config-router)# neighbor 200.1.1.2 route-map comm out
(config-router)#
When you make the above settings, neighbor 200.1.1.2 may send this routing information to other neighbors in
its own AS, but not to other ASs.
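The outbound policy pieces from the remove-private-AS, AS path, metric and community sections combined into one pipeline on a constructed route, as an added example that is not the product's code. It applies the route map set clauses (set as-path prepend, set metric, set community), strips private AS numbers when remove-private-AS is on, attaches the community only when send-community is set, and shows how the receiving neighbor acts on the three well-known communities. It assumes that the router's own AS number is placed in front of the AS path after the route map has run and that private AS numbers are those of RFC 6996; Route, apply_route_map, build_update and may_readvertise are this example's own names.

```python
"""Added example (not the product's code): outbound BGP policy on a constructed
route. Assumptions: own AS prepended after the route map runs; private AS
ranges per RFC 6996; all names below are this example's own."""
from dataclasses import dataclass
from typing import List, Optional

PRIVATE_ASN_RANGES = [(64512, 65534), (4200000000, 4294967294)]
WELL_KNOWN = ("local-AS", "no-advertise", "no-export")


@dataclass
class Route:
    prefix: str
    as_path: List[int]
    med: int = 0
    community: Optional[str] = None


def apply_route_map(route, set_clauses):
    """set_clauses: (command, argument) pairs such as ("as-path prepend", "500"),
    ("metric", "15") or ("metric", "+5"), ("community", "no-export")."""
    out = Route(route.prefix, list(route.as_path), route.med, route.community)
    for cmd, arg in set_clauses:
        arg = str(arg)
        if cmd == "as-path prepend":
            out.as_path = [int(a) for a in arg.split()] + out.as_path
        elif cmd == "metric":
            out.med = max(0, out.med + int(arg)) if arg[0] in "+-" else int(arg)
        elif cmd == "community":
            if arg not in WELL_KNOWN:
                raise ValueError(f"unknown community {arg}")
            out.community = arg
        else:
            raise ValueError(f"unsupported set command {cmd}")
    return out


def is_private_asn(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def build_update(route, local_as, set_clauses=(), remove_private_as=False, send_community=False):
    """The attributes as the eBGP neighbour receives them."""
    r = apply_route_map(route, set_clauses)
    if remove_private_as:
        r.as_path = [a for a in r.as_path if not is_private_asn(a)]
    r.as_path = [local_as] + r.as_path
    if not send_community:
        r.community = None          # without send-community the attribute is not sent
    return r


def may_readvertise(route, to_ebgp):
    """Receiver side: no-advertise blocks every neighbour; no-export and
    local-AS keep the route inside the receiving AS."""
    if route.community == "no-advertise":
        return False
    if route.community in ("no-export", "local-AS"):
        return not to_ebgp
    return True


# Constructed route learned from a customer that uses a private AS number.
LEARNED = Route("203.0.113.0/24", [64600, 64496])

if __name__ == "__main__":
    sent = build_update(LEARNED, 100,
                        [("as-path prepend", 500), ("metric", 15), ("community", "no-export")],
                        remove_private_as=True, send_community=True)
    print(sent)   # as_path [100, 500, 64496], med 15, community 'no-export'
    print(may_readvertise(sent, to_ebgp=True), may_readvertise(sent, to_ebgp=False))  # False True
```

Two things worth noticing: a set community clause has no effect on the wire unless send-community is also configured for that neighbor (the route map sets the attribute, send-community decides whether it is transmitted), and a community is a request honored by the receiver, not a filter enforced by the sender, so routes that must never leave an AS still need outbound filtering at the AS boundary.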
To advertise an aggregated route, run the following command in <BGP Configuration Mode>.
Command: aggregate-address <A.B.C.D/M> [as-set] [summary-only]
Description: Specify a network to be advertised as an aggregated route. You can
use the as-set and summary-only options simultaneously, regardless of the order.
  <A.B.C.D/M>    Network address and netmask bit length of the aggregated route
Note: To delete the route aggregation setting, run the command no aggregate-address <A.B.C.D/M> [as-set] [summary-only] in <BGP
Configuration Mode>.
Timer Settings
BGP uses four types of timers to maintain the connection with neighbors and send routing information: keepalive,
holdtime, connect, and update. The keepalive, holdtime, and connect timers are set to 60 sec, 180 sec, and
60 sec, respectively, by default. The update timer is set to 5 sec in iBGP and 30 sec in eBGP by default. You can use
values other than the defaults by setting the desired timer value as described in the following explanation.
To change the keepalive and holdtime timers for all neighbors, run the following command in <BGP Configuration Mode>.
Command: timers bgp <0-65535> <0-65535>
Description: Change the Keepalive timer and Holdtime timer settings.
  <0-65535>    Keepalive timer. Setting range: 0 ~ 65535. (Default value: 60 sec)
  <0-65535>    Holdtime timer. Setting range: 0 ~ 65535. (Default value: 180 sec)
Note: To delete the Keepalive and Holdtime timer values and reset them, run the command no timers bgp.
The timer values set by the timers bgp command described above apply to all BGP neighbors.
You can use the following command in <BGP Configuration Mode> to set the keepalive and holdtime timer
values to be applied to specific neighbors only.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} timers <0-65535> <0-65535>
Description: Set the keepalive and holdtime timer values to be applied to the specified neighbor only.
  <A.B.C.D>     IPv4 address of the neighbor
  <WORD>        Peer group name.
  <X:X::X:X>    IPv6 address of the neighbor
  <0-65535>     Keepalive timer. Setting range: 0 ~ 65535. (Default value: 60 sec)
  <0-65535>     Holdtime timer. Setting range: 0 ~ 65535. (Default value: 180 sec)
Note: To delete the keepalive and holdtime timer values set for the specified neighbor and use the value set by the timers bgp command instead,
run the command no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} timers.
To set the connect timer for a specific neighbor, run the following command in <BGP Configuration Mode>.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} timers connect <1-65535>
Description: Set the connect timer value to be applied to the specified neighbor only.
  <A.B.C.D>     IPv4 address of the neighbor
  <WORD>        Peer group name.
  <X:X::X:X>    IPv6 address of the neighbor
  <1-65535>     Connect timer. Setting range: 0 ~ 65535. (Default value: 60 sec)
Note: To delete the connect timer value and use the default value 60 sec again, run the command no neighbor {<A.B.C.D> | <WORD> |
<X:X::X:X>} timers connect.
Description
Set the update timer value to be applied to the specified neighbor
only. If you set this to 0, the update packet will be sent to the
neighbor
immediately
whenever
the
routing
information
is
changed.
<A.B.C.D>
neighbor
{<A.B.C.D>
<WORD>
<X:X::X:X>} advertisement-interval
<0-600>
<X:X::X:X>
IPv6 address of the neighbor
<0-600>
Setting range: 0 ~ 600.
(Default value: iBGP-5 sec, eBGP-30 sec)
Note: To delete the update timer value and use the default value again, run the command no neighbor {<A.B.C.D> | <WORD> |
<X:X::X:X>} advertisement-interval.
Command: bgp fast-external-failover
Description: Enable Fast External Failover.
Note: To disable the Fast External Failover function, run the command no bgp fast-external-failover in <BGP Configuration Mode>.
Description: Record the state change logs of a BGP neighbor.
Note: To disable the recording of state change logs of a BGP neighbor, run the command no bgp fast-external-failover in <BGP
Configuration Mode>.
TiFRONT User Guide
Command: bgp scan-time <0-60>
Description: Set the validity check period for BGP routing information. If you set this to 0, the routing information validity check is not performed.
  <0-60>   Setting range: 0 ~ 60. (Default value: 60 sec)
Note: To reset the validity check period to the default value, run the command no bgp scan-time in <BGP Configuration Mode>.
Command: nexthop-trigger delay <0-100>
Description: Set the waiting time until the state change of the nexthop is reflected in the BGP process.
  <0-100>   Hop count with neighbor. Setting range: 1 ~ 100. (Default value: 5 sec)
Note: To return to the default setting, run the command no nexthop-trigger delay in <Configuration Mode>.
Command: nexthop-trigger enable
Description: Enable the nexthop address tracking function.
Note: To disable the nexthop address tracking function, run the command no nexthop-trigger enable in <Configuration Mode>.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} ebgp-multihop [<1-255>]
Description: Specify the hop count for an eBGP neighbor.
  <A.B.C.D>    IPv4 address of the neighbor
  <WORD>       Peer group name.
  <X:X::X:X>   IPv6 address of the neighbor
  <0-255>      Hop count with neighbor. Setting range: 1 ~ 255
Note: To delete the hop count setting for a neighbor, run the command no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} ebgp-multihop [<1-255>] in <BGP Configuration Mode>.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} enforce-multihop
Description: Set the specified neighbor as an eBGP neighbor that is not directly connected.
  <A.B.C.D>    IPv4 address of the neighbor
  <WORD>       Peer group name.
  <X:X::X:X>   IPv6 address of the neighbor
Note: To disable the enforce multihop function for a neighbor, run the command no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>}
enforce-multihop in <BGP Configuration Mode>.
Description: Specify the routing information count that can be received from a neighbor or peer group.
  <A.B.C.D>        IPv4 address of the neighbor
  <WORD>           Peer group name.
  <X:X::X:X>       IPv6 address of the neighbor
  <1-4294967295>   Routing information count that can be received from the neighbor or peer group.
  [warning-only]
  [<1-100>]
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} next-hop-self
Description: Enable the next hop self function for the specified neighbor.
  <A.B.C.D>    IPv4 address of the neighbor
  <WORD>       Peer group name.
  <X:X::X:X>   IPv6 address of the neighbor
Note: To disable the next hop self function for a neighbor, run the command no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} next-hop-self in <BGP Configuration Mode>.
Command: bgp rfc1771-path-select
Description: Enable RFC 1771 support for BGP route selection.
Note: To disable RFC 1771 support, run the command no bgp rfc1771-path-select in <Configuration Mode>.
To set the support for the RFC 1771 standard as the only BGP route selection method, run the following
command in <Configuration Mode>.
Command: bgp rfc1771-strict
Description: Set RFC 1771 as the only method for selecting a BGP route.
Note: To cancel the exclusive use of RFC 1771, run the command no bgp rfc1771-strict in <Configuration Mode>.
Command: interface lo
Description: Enter <Interface Configuration Mode> of the loopback interface.
Command: ip address <A.B.C.D/M>
Description: Set the IP address of the loopback interface.
  <A.B.C.D/M>   IP address of the loopback interface
Command: exit
Description: Exit from <Interface Configuration Mode> to <Configuration Mode>.
Description: Enter <BGP Configuration Mode>.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} update-source lo
Description: Enable the use of the loopback interface for connections with neighbors.
  <A.B.C.D>    IPv4 address of the neighbor
  <WORD>       Peer group name.
  <X:X::X:X>   IPv6 address of the neighbor
Note: To delete the loopback interface setting, run the command no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} update-source in
<BGP Configuration Mode>.
Description: Reset BGP sessions.
  *                Reset the sessions with all neighbors.
  <A.B.C.D>        IPv4 address of the neighbor with whom the session will be reset.
  <X:X::X:X>       IPv6 address of the neighbor with whom the session will be reset.
  <1-4294967295>   AS number for resetting the session. The sessions with all neighbors who belong to this AS are reset.
  <WORD>           Peer group name of the session to be reset.
Routing information exchanged with a neighbor can be filtered by the following methods:
  Distribute list
  Prefix list
  AS path access list (filter list)
  Route Map
To filter routing information, you must first set the conditions and policies for comparing routing information
in the access list, prefix list, AS path access list, or route map, depending on the filtering method.
Note: For information about the access list setting, see [Chapter 12 Security Settings ACL (Access Control List) - ACL Setting - Access List
Setting] in this guide.
Note: For information about the prefix list setting, see [Filter Settings Prefix List Setting] in this chapter.
Note: For information about the route map setting, see [Route Map Setting] in this chapter.
To set an AS path access list, run the following command in <Configuration Mode>.
Command: ip as-path access-list <WORD> {deny | permit} <LINE>
Description: Create an AS path access list.
  <WORD>    Name of the AS path access list.
  deny      Discard routing information that meets the condition.
  permit    Permit routing information that meets the condition.
  <LINE>    Condition to compare with the AS path, entered as a regular expression.
Note: An AS path access list uses the AS path as the comparison condition. The condition is entered as a regular expression using the
following symbols.
  Symbol   Description
  .        Any single character
  *        Zero or more occurrences of the character immediately before it
  []       A set of characters; matches any one character listed between the brackets
Note: To delete the AS path access list, run the command no ip as-path access-list <WORD> {deny | permit} <LINE> in
<Configuration Mode>.
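As an added example (not part of the guide), the following Python code emulates how the entries of an AS path access list are evaluated against a route's AS path: entries are tested in order, the first match decides, and a path matching no entry is denied. It assumes Python re semantics; the regular-expression dialect of the device may differ, so the list contents and routes below are constructed for illustration only.

```python
import re

# Constructed AS path access list (not from the guide): entries are evaluated
# top to bottom, the first entry whose regular expression matches decides,
# and a path that matches no entry is denied (implicit deny).
AS_PATH_LIST = [
    ("deny",   r"(^| )65020( |$)"),  # drop anything that transits AS 65020
    ("permit", r"^[0-9]+$"),         # permit routes originated by a direct peer
    ("permit", r"65030$"),           # permit routes originated in AS 65030
]


def compile_as_path_list(entries):
    """Validate and compile (action, regex) entries; rejects unknown actions."""
    compiled = []
    for action, pattern in entries:
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny: %r" % action)
        compiled.append((action, re.compile(pattern)))
    return compiled


def evaluate(compiled, as_path):
    """Return 'permit' or 'deny' for an AS path string such as '65010 65030'."""
    for action, regex in compiled:
        # search(), not match(): the condition may hit anywhere in the path
        if regex.search(as_path):
            return action
    return "deny"  # implicit deny at the end of the list


def filter_routes(compiled, routes):
    """routes: list of (prefix, as_path). Returns the prefixes that are permitted."""
    return [prefix for prefix, path in routes
            if evaluate(compiled, path) == "permit"]


# Constructed sample routes with their AS paths (documentation prefixes).
ROUTES = [
    ("192.0.2.0/24",    "65010"),
    ("198.51.100.0/24", "65010 65030"),
    ("203.0.113.0/24",  "65010 65020 65030"),
    ("10.1.0.0/16",     "65010 65040"),
    ("10.2.0.0/16",     "165020"),
]

if __name__ == "__main__":
    acl = compile_as_path_list(AS_PATH_LIST)
    for prefix, path in ROUTES:
        print("%-16s %-20s %s" % (prefix, path, evaluate(acl, path)))
    # Without the boundary anchors a bare "65020" also matches AS 165020,
    # so the deny entry would drop more routes than intended.
    naive = compile_as_path_list([("deny", "65020"), ("permit", ".*")])
    print("naive pattern on AS 165020:", evaluate(naive, "165020"))
```

The last lines show why an AS number in a condition should be anchored: a bare number also matches inside longer AS numbers.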
To filter routing information exchanged with a specific neighbor through each method, run the following
command in <BGP Configuration Mode>.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} distribute-list {<1-199> | <1300-2699> | <WORD>} {in | out}
Description: Filter the routing information by using an access list.
  <A.B.C.D>     IPv4 address of the neighbor for which to filter the routing information.
  <WORD>        Name of a peer group for which to filter the routing information.
  <X:X::X:X>    IPv6 address of the neighbor for which to filter the routing information.
  <1-199>       Access list number with which the filtering policy has been set. Setting range: 1 ~ 199
  <1300-2699>   Number of the extended access list with which the filtering policy has been set. Setting range: 1300 ~ 2699
  <WORD>        Name of the access list with which the filtering policy has been set.
  in            Apply the filter to routing information received from the neighbor.
  out           Apply the filter to routing information sent to the neighbor.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} prefix-list <WORD> {in | out}
Description: Filter the routing information by using a prefix list.
  <WORD>        Name of the prefix list with which the filtering policy has been set.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} filter-list <WORD> {in | out}
Description: Filter the routing information by using an AS path access list.
  <WORD>        Name of the AS path access list with which the filtering policy has been set.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} route-map <WORD> {in | out}
Description: Filter the routing information by using a route map.
  <WORD>        Name of the route map with which the filtering policy has been set.
Note: To delete the routing information filtering setting, run the following command in <BGP Configuration Mode>.
no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} distribute-list {<1-199> | <1300-2699> |
<WORD>} {in | out}
no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} prefix-list <WORD> {in | out}
no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} filter-list <WORD> {in | out}
no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} route-map <WORD> {in | out}
Chapter 10
Failover Configuration
This chapter introduces the VRRP (Virtual Router Redundancy Protocol) for failover and the procedure for
setting the VRRP to configure failover in TiFRONT.
This chapter is composed of the following contents:
VRRP Overview
VRRP Configuration
VRRP Overview
There are two routing methods used to search routes used for sending data from a host to a destination:
dynamic routing and static routing. Dynamic routing determines the best route between networks through
routing protocols such as RIP and OSPF and maintains the routing table. If any route in the routing table is
invalid due to a down device or related issue, another route is searched for automatically. Dynamic routing is
convenient because you don't have to separately configure routes, but it may cause a large network load due
to the time required to search and the large amount of traffic.
For static routing, you must configure the routing table by specifying a fixed route for each destination.
Because there is no need to search routes, static routing has a small load. However, communication troubles
may be caused when the routes in the routing table become invalid because alternative routes are not
automatically set. In the worst case, when a device set as the default gateway is down, it becomes impossible
to communicate with external networks. In static routing, the one route, such as the default gateway, that
causes loss of communication when the route is down is called the 'single point of failure.'
VRRP adds a redundancy function to static routing: a master router and one or more backup routers are
configured, and a backup router takes over the master role when the master router goes down. This
master/backup router redundancy allows uninterrupted service even when the master router is down. Using
VRRP therefore avoids the route search load of dynamic routing and also prevents the single point of failure,
which is the greatest problem of static routing.
The following figure illustrates the single point of failure that may occur in a network that does not use the
VRRP.
[Figure - Single point of failure in a network that does not use VRRP: Router A (IP address 10.0.0.1, the single point of failure), Router B, and Host 1 with default gateway 10.0.0.1]
In the above figure, host 1 uses router A with the IP address 10.0.0.1 as the default gateway. If router A goes
down, host 1 cannot communicate with other networks. In this case, router A which brought about the
communication trouble of host 1 is the single point of failure.
Now, let us examine the case where the same network is configured with the VRRP and router A is set as
master and router B as backup.
[Figure - The same network configured with VRRP: Router A (Master) with IP address 10.0.0.1, Router B (Backup), and Host 1 with default gateway 10.0.0.1]
In the VRRP configuration, even when router A, which is the default gateway of host 1, goes down, it is
possible to communicate with external networks through router B which is the backup (using the route
marked by a dotted line). Therefore, communication trouble by single point of failure is prevented.
VRRP Group
In the VRRP, a group of one master router and multiple backup routers is called a VRRP group. A VRRP group
is also referred to as virtual router because multiple routers work like one router. The following figure shows
a VRRP group consisting of router A and router B.
[Figure - VRRP group (VRID=1, Virtual IP=10.1.1.1) consisting of Router A (Master) and Router B (Backup)]
A VRRP group has a unique VRID, virtual IP address, and a virtual MAC address. Routers that belong to a VRRP
group are called 'VRRP routers.'
Master Router
A master router is the VRRP router of a VRRP group that uses the virtual IP address of the group as its
interface address. Data sent to the VRRP group through the virtual IP address is actually delivered to the
master router, which forwards it to the destination. ARP requests for the virtual IP address are also
answered by the master router.
The master router periodically sends its information including its state and priority to other VRRP routers in
the VRRP group. This information sent by the master router is called an advertisement. The backup router
identifies the state and priority of the master router through the received advertisement and determines
whether or not to select a new master.
Backup Router
Backup routers are the remaining VRRP routers excluding one master router in a VRRP group. Backup routers
have nothing to do except receive advertisements while the master router is working normally. If no
advertisement is received from the master router within the specified time, the backup router determines
that the master router is not working normally and the backup router that has the highest priority takes over
the role of master router.
Virtual IP Address
The virtual IP address is the IP address of the VRRP group that the master router uses as its interface address.
The master router replies to ARP requests for a virtual IP address.
VRRP Setting
This section describes the procedure for setting the VRRP in TiFRONT.
Virtual IP Address
Priority
Advertisement Period
Preempt Function
Command: router vrrp <1-255> <IFNAME>
Description: Create a VRRP group and enter the <VRRP configuration mode>.
  <1-255>   VRID of the VRRP group
  <IFNAME>  Interface on which the VRRP group is created
Note: To delete a VRRP group, run the command no router vrrp <1-255> <IFNAME> in <Configuration Mode>.
Command: virtual-ip <A.B.C.D>
Description: Set a virtual IP address.
  <A.B.C.D>   Virtual IP address of a VRRP group
Note: To delete a virtual IP address, run the command no virtual-ip in <VRRP Configuration Mode>.
Priority Setting
To set a priority, run the following command in <VRRP Configuration Mode>.
Command: priority <1-254>
Description: Set a priority. A higher value has a higher priority.
  <1-254>   Setting range: 1 ~ 254. (Default value: 100)
Note: To change the priority to the default value, run the command no priority in <VRRP Configuration Mode>.
Command: advertisement-interval <1-10>
Description: Set the advertisement transmission period.
  <1-10>   Setting range: 1 ~ 10. (Default: 1 sec)
Note: To change the advertisement transmission period to the default value, run the command no advertisement-interval in <VRRP
Configuration Mode>.
Command: preempt-mode {true | false}
Description: Set the preempt function of the switch. The preempt function is enabled by default.
  true    Enable the preempt function.
  false   Disable the preempt function.
Configuration Example
The following is an example of VRRP group setting.
(config)# router vrrp 10 vlan2
Create a VRRP group and specify a VLAN interface
(config-router)# virtual-ip 192.168.200.10
Set a virtual IP address
(config-router)# priority 200
Set a priority
(config-router)# advertisement-interval 2
Set the advertisement transmission period
(config-router)# preempt-mode false
Disable the preempt function
(config-router)# exit
(config)# exit
# show router vrrp
Show the VRRP settings.
Address family IPv4
VRRP Id: 10 on interface: vlan2
State: AdminUp - Init (interface is down or not running)
Virtual IP address: 192.168.200.10
Priority is 200
Advertisement interval: 2 sec
Preempt mode: FALSE
Multicast membership on IPv4 interface vlan2: LEFT
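As an added example (not code from the guide or from PIOLINK), the following Python simulation shows how the priority, advertisement interval and preempt settings above decide which router is master: backups take over when advertisements stop, and a recovered higher-priority router takes the role back only when preempt is enabled. The master-down timeout (3 advertisement periods plus a priority-dependent skew) is assumed from RFC 3768; the guide only says "the specified time".

```python
from dataclasses import dataclass


@dataclass
class VrrpRouter:
    name: str
    priority: int = 100         # 1-254, higher value wins (guide default: 100)
    preempt: bool = True        # guide: the preempt function is enabled by default
    adv_interval: int = 1       # advertisement period in seconds (guide: 1-10, default 1)
    state: str = "backup"       # "master", "backup" or "down"
    last_adv_time: float = 0.0  # when the last master advertisement was received

    def master_down_interval(self):
        # Assumed from RFC 3768 (not stated in the guide): 3 advertisement periods
        # plus a skew of (256 - priority) / 256 s, so the highest-priority backup
        # times out first and wins the election without a tie.
        return 3 * self.adv_interval + (256 - self.priority) / 256.0

    def receive_advertisement(self, master_priority, now):
        """Handle an advertisement sent by the router currently acting as master."""
        self.last_adv_time = now
        if self.state == "master":
            # Two masters at once: the lower-priority one steps back to backup.
            if master_priority > self.priority:
                self.state = "backup"
        elif self.state == "backup" and self.preempt and self.priority > master_priority:
            # Preempt enabled: a higher-priority backup takes the master role back.
            self.state = "master"

    def check_master_down(self, now):
        """A backup that has not heard the master within the timeout takes over."""
        if self.state == "backup" and now - self.last_adv_time > self.master_down_interval():
            self.state = "master"


def simulate(routers, down_at, up_at, duration, step=0.25):
    """Constructed scenario: routers[0] starts as master, fails at down_at and
    returns as a backup at up_at. The clock advances in `step` second ticks;
    the function returns the list of (time, master name) transitions."""
    first = routers[0]
    first.state = "master"
    for r in routers[1:]:
        r.state = "backup"
        r.last_adv_time = 0.0
    next_adv = {r.name: 0.0 for r in routers}
    transitions = [(0.0, first.name)]
    recovered = False
    for tick in range(int(duration / step) + 1):
        t = tick * step
        if down_at <= t < up_at:
            first.state = "down"
        elif t >= up_at and not recovered:
            recovered = True
            first.state = "backup"
            first.last_adv_time = t
        # Every master sends an advertisement once per advertisement interval.
        for r in routers:
            if r.state == "master" and t >= next_adv[r.name]:
                next_adv[r.name] = t + r.adv_interval
                for other in routers:
                    if other is not r and other.state != "down":
                        other.receive_advertisement(r.priority, t)
        # Backups check whether the master has been silent for too long.
        for r in routers:
            r.check_master_down(t)
        masters = [r.name for r in routers if r.state == "master"]
        if masters and masters[0] != transitions[-1][1]:
            transitions.append((t, masters[0]))
    return transitions


def run_scenario(preempt):
    """Router A (priority 200, as in the guide's configuration example) and
    router B (default priority 100); A fails at t=5 s and returns at t=12 s."""
    a = VrrpRouter("A", priority=200, preempt=preempt)
    b = VrrpRouter("B", priority=100, preempt=preempt)
    return simulate([a, b], down_at=5.0, up_at=12.0, duration=15.0)


if __name__ == "__main__":
    print("preempt enabled :", run_scenario(True))
    print("preempt disabled:", run_scenario(False))
```

With preempt enabled, B takes over about 3.6 s after A's last advertisement and A reclaims the master role as soon as it hears B; with preempt-mode false, B stays master even after A has recovered.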
Chapter 11
QoS Configuration
This chapter describes the QoS (Quality of Service) feature of TiFRONT and the procedure for setting QoS for
TiFRONT.
This chapter is composed of the following sections.
Understanding QoS
QoS Configuration
Understanding QoS
Overview
TiFRONT supports the QoS (Quality of Service) feature that allows you to set different bandwidths by the type of
traffic. With QoS in TiFRONT, you can limit the bandwidth to a specified value for specific traffic or ports.
If QoS is not used, TiFRONT sends traffic in the order it was received. In other words, the traffic that arrived
first is sent first. If the bandwidth is insufficient, the traffic that arrives later waits until there is enough
bandwidth, and if it becomes available, the packet that waited for the longest is sent. However, the following
problems may occur if the traffic is sent in the order it was received:
Important traffic may be sent later or not sent at all because the characteristics of traffic are not
considered.
Because the bandwidth of specific traffic cannot be restricted, when the bandwidth is fully occupied by
specific traffic, other traffic cannot be sent at all.
These problems can be solved by the QoS feature. To prevent using too much bandwidth on specific traffic,
you have to classify the traffic by such conditions as source/destination IP addresses, source/destination
MAC addresses, source/destination port numbers, DSCP, Ethernet type, protocol, interface, and assign the
maximum bandwidth (peak rate) to this class.
Class
Class is used to check the satisfaction of specific conditions by packets. Therefore, a class consists of various
conditions for comparison of packets. You can use the following conditions in a class. Of the following eleven
items, select only those that you need and use them as the class conditions.
Item                      Description
Source IP address         Packets are classified by source IP address.
Destination IP address    Packets are classified by destination IP address.
DSCP                      Packets are classified by the DSCP (Differentiated Services Code Point) value in the IP header.
Ethernet type             Packets are classified by the Ethernet type field value.
Protocol                  Packets are classified by the protocol.
VLAN                      Packets are classified by the VLAN ID to which they belong.
Policy
A policy defines the bandwidth policy to be applied to a specific class. A policy consists of a class, the
maximum bandwidth to be assigned to the traffic of that class, and a priority.
Item                          Description
Class                         The traffic condition for policy application. You can set multiple classes for one policy, or a different policy for each class.
Priority                      The class priority. This priority is used when there are multiple classes defined for one policy and the remaining bandwidth is allocated after the minimum bandwidth is allocated to each class.
Maximum bandwidth (peak rate) The maximum bandwidth that can be used by the traffic of a class. The maximum bandwidth restricts the transmission of the traffic to the specified bandwidth. Even if there is sufficient bandwidth due to low traffic, the traffic of the class can only use up to the maximum bandwidth. If the transmitted traffic exceeds the maximum bandwidth of the class, it is shaped through buffering so that the traffic does not exceed the maximum bandwidth. Traffic shaping is a transmission method that stores traffic exceeding the specified bandwidth (maximum bandwidth) in a buffer and sends it when bandwidth becomes available.
Queue Scheduling
The output ports have a defined method of deciding on which packet will be processed first when there are
more packets in the queue than can be transmitted. This is called queue scheduling. In TiFRONT, you can use
the following methods of queue scheduling.
SPQ (Strict Priority Queuing)
A priority is set for each queue, and after all the packets in a queue of a higher priority are processed, the
packets of a queue of the next priority are processed.
RR (Round Robin)
Queues are selected sequentially.
WRR (Weight Round Robin)
The packet size to be processed is set differently for each queue using weights and the packets are
processed sequentially for the specified weight.
DRR (Deficit Round Robin)
A quantum (the size of the largest packet that can be processed in one visit) and a deficit counter are defined for each
queue, and the packets of a queue are processed as long as they fit within the deficit counter. The deficit counter
starts at zero and is increased by the quantum each time the queue is serviced. After the packets are processed,
the deficit counter is decreased by the size of the processed packets.
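As an added example (not from the guide), the following Python code implements the DRR scheduler described above over constructed queues of packet sizes, and a plain round-robin scheduler for comparison. It shows that DRR shares bytes, not packets, between queues, and that unequal quanta act as weights; resetting the counter of an emptied queue is standard DRR behaviour assumed here.

```python
from collections import deque


def drr_schedule(queues, quanta):
    """Deficit Round Robin over `queues` (lists of packet sizes in bytes) with
    one quantum per queue. Returns the transmission order as (queue index,
    packet size) pairs. Each deficit counter starts at zero, is raised by the
    queue's quantum when the queue is visited, lets packets go out while the
    counter covers the head packet, and is reduced by every packet sent. A
    queue that empties has its counter reset so it cannot bank credit while
    idle (standard DRR behaviour, assumed here)."""
    pending = [deque(q) for q in queues]
    deficit = [0] * len(queues)
    order = []
    active = deque(i for i, q in enumerate(pending) if q)
    while active:
        i = active.popleft()
        deficit[i] += quanta[i]
        while pending[i] and pending[i][0] <= deficit[i]:
            size = pending[i].popleft()
            deficit[i] -= size
            order.append((i, size))
        if pending[i]:
            active.append(i)      # still has packets: visit again next round
        else:
            deficit[i] = 0        # an emptied queue loses its leftover credit
    return order


def round_robin_schedule(queues):
    """Plain RR for comparison: one packet per visit, whatever its size."""
    pending = [deque(q) for q in queues]
    order = []
    while any(pending):
        for i, q in enumerate(pending):
            if q:
                order.append((i, q.popleft()))
    return order


def bytes_per_queue(order, n_queues):
    """Total bytes transmitted from each queue, to compare fairness."""
    totals = [0] * n_queues
    for i, size in order:
        totals[i] += size
    return totals


# Constructed sample: queue 0 holds large packets, queue 1 small ones.
QUEUES = [[1500, 1500, 1500], [100] * 6]
QUANTA = [500, 500]

if __name__ == "__main__":
    drr = drr_schedule(QUEUES, QUANTA)
    print("DRR order:", drr)
    rr = round_robin_schedule(QUEUES)
    print("RR order :", rr)
    # With equal quanta queue 0 must bank three visits of credit before one
    # 1500-byte packet fits, so the small packets of queue 1 go first.
    print("bytes per queue after first 6 sends:", bytes_per_queue(drr[:6], 2))
```

A plain RR scheduler would alternate one 1500-byte and one 100-byte packet, giving queue 0 fifteen times the bandwidth of queue 1; DRR lets the small-packet queue drain while the large-packet queue accumulates credit.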
QoS Configuration
In TiFRONT, you can set QoS by using a class map (classifier) for packet classification and policy map (QoS
action) to be applied to the classified packets. The QoS configuration process in TiFRONT includes the
following steps:
1. Set a class map
The packets received with TiFRONT are classified to specific classes. When packets are classified into classes, the
criteria defined in each class are used. The information in the packet is compared with the criteria defined in the
class and if they match, it is classified as a packet of the class.
2. Set a policy map
The QoS action to be applied to the packet classified into a specific traffic class through the class map is defined.
3. Apply the policy map (service map)
Specify the policy map to be applied to TiFRONT among the defined policy maps.
4. Send traffic by applying the QoS policy
Send the packets of each class according to the defined policy (bandwidth allocation method).
The class is used when classifying the received traffic and the policy is used when sending the traffic.
The QoS class is added to the QoS policy and the policy is applied to the class. Furthermore, the QoS policy is
included in the QoS interface and applied to the traffic sent through the interface.
Command: qos
Description: Enter the <QoS configuration mode>.
Command: class-map <WORD>
Description: Define a class map and enter the <Class map configuration mode>.
  <WORD>   Class map name
Command: match
Description: Define the criterion for classifying classes. The classification criteria that come after the match command are as follows:
destination-ip-address <A.B.C.D/M>
Packets are classified by destination IP address (IPv4).
destination-ipv6-address <X:X::X:X/M>
Packets are classified by destination IP address (IPv6).
destination-mac-address <MAC>
Packets are classified by destination MAC address.
dscp <0-63>
Packets are classified by the DSCP value. (Setting range: 0 ~ 63)
ethertype <HEX>
Packets are classified by the Ethernet type field value.
input-interface <IFNAME>
Packets are classified by the input interface.
ip-destination-port <0-65535>
Packets are classified by the destination port number.
(Setting range: 0 ~ 65535)
ip-protocol <0-255>
Packets are classified by the protocol. (Setting range: 0 ~ 255)
ip-source-port <0-65535>
Packets are classified by source port number. (Setting range: 0 ~
65535)
source-ip-address <A.B.C.D/M>
Packets are classified by source IP address (IPv4).
source-ipv6-address <X:X::X:X/M>
Packets are classified by source IP address (IPv6).
source-mac-address <MAC>
Packets are classified by source MAC address.
vlan-id <1-4094>
Packets are classified by the VLAN ID to which they belong.
(Setting range: 1 ~ 4094)
Note: To delete a class map, run the command no class-map <WORD> in <QoS Configuration Mode>.
Note: To delete the classification criterion for classes, run the command no match with the classification criterion in <QoS Configuration Mode>.
Command: qos
Description: Enter the <QoS configuration mode>.
Command: policy-map <WORD>
Description: Define a policy map and enter the <Policy map configuration mode>.
  <WORD>   Policy map name
Command: class <WORD> <1-12>
Description: Specify a class map to which to apply a policy and enter the <Policy-map-class configuration mode>.
  <WORD>   Class map name to which to apply the policy
  <1-12>   Priority of the class map. Setting range: 1 ~ 12
Command: confirm-action {deny | drop-precedence | insert-dscp <0-63> | insert-priority <0-7> | insert-top <0-7> | permit | priority-to-tos | tos-to-priority}
Description: Set the QoS action to apply to the defined class map.
  deny                    Block the classified packet.
  drop-precedence         Block the classified packet before others.
  insert-dscp <0-63>      Insert a DSCP value in the classified packet. (Setting range: 0 ~ 63)
  insert-priority <0-7>   Set a priority for the classified packet. (Setting range: 0 ~ 7)
  insert-top <0-7>        Insert a Top value in the classified packet. (Setting range: 0 ~ 7)
  permit                  Permit the classified packet.
  priority-to-tos         Use the ToS value as the priority of the classified packet.
  tos-to-priority         Use the ToS value of the classified packet as the priority.
Caution: For TiFRONT-G48/G48P, you cannot set the QoS action as insert-top, priority-to-tos, or tos-to-priority.
Command: rate-limit <1-1000000> <1-16000>
Description: Limit the bandwidth of traffic that belongs to a specific class.
  <1-1000000>   Rate value. Setting range: 1 ~ 1,000,000
  <1-16000>     Burst value. Setting range: 1 ~ 16,000
Note: To delete a policy map, run the command no policy-map <WORD> in <QoS Configuration Mode>.
Note: To delete a QoS action, run the command no confirm-action with the QoS action in <Policy-map-class Configuration Mode>.
Note: To delete a bandwidth limit setting, run the command no rate-limit in <Policy-map-class Configuration Mode>.
Command: service-policy <WORD>
Description: Apply a service policy to TiFRONT.
  <WORD>   Name of the policy map to apply
Note: In TiFRONT, you can apply only one policy map as the service policy.
Note: To delete a service policy that has been defined, run the command no service-policy in <QoS Configuration Mode>.
To set the queue scheduling method of a port, run the following command in <QoS Configuration Mode>.
Command: service-queue output <IFNAME> schedule mode (scheduling method)
Description: Set the queue scheduling method (SPQ, RR, WRR, or DRR; see Queue Scheduling above) for the output port.
  <IFNAME>   Port name
To set the transmission queue to be processed by the priority of the CoS field, run the following command in
<QoS Configuration Mode>.
Command: service-queue input <IFNAME> cos-map {<0-7> <0-7> | default}
Description: Set the queue processing method by the priority of the CoS field.
  <IFNAME>   Port name
  <0-7>      Priority of the CoS field. Setting range: 0~7
  <0-7>      Queue number. Setting range: 0~7
  default    If you set this to default, the queue numbers assigned by default to each priority of the CoS field are used.
To limit the bandwidth of a port, run the following command in <QoS Configuration Mode>.
Command: service-queue output <IFNAME> rate-limit {<1-1000000> <1-128000> | none}
Description: Limit the bandwidth of the traffic that is sent through the port.
  <IFNAME>      Port name
  <1-1000000>   Maximum bandwidth of the port. Setting range: 1 ~ 1,000,000 (kbps)
  <1-128000>    Maximum burst to be permitted for the port. Setting range: 1 ~ 128,000 (kbps)
  none          Bandwidth is not limited.
To set a bandwidth limit for the defined queue, run the following command in <QoS Configuration Mode>.
Command: service-queue output <IFNAME> cos-rate-limit queue <0-7> {<1-1000000> <1-1000000> | none}
Description: Set a bandwidth limit for the defined queue.
  <IFNAME>      Port name
  <0-7>         Queue number. Setting range: 0 ~ 7
  <1-1000000>   Minimum bandwidth. Setting range: 1 ~ 1,000,000 (kbps)
  <1-1000000>   Maximum bandwidth. Setting range: 1 ~ 1,000,000 (kbps)
  none          Bandwidth is not limited.
To check the detailed settings for a class map, run the command show class-map [<WORD>] in <QoS Configuration Mode>.
Configuration Example
The following is an example of QoS setting.
(config)# qos
Enter the <QoS configuration mode>.
(config-qos)# class-map testmap-c
Define a class map and enter the <Class map configuration
mode>.
(config-qos-cmap)# match vlan-id 2
Classify packets by VLAN ID
(config-qos-cmap)# exit
(config-qos)# policy-map testmap-p
(config-qos-pmap)# class
(config-qos-pmap-class)#
(config-qos-pmap-class)#
(config-qos-pmap-class)#
(config-qos-pmap)# exit
(config-qos)# service-policy testmap-p
Apply the service policy
(config-qos)# service-queue out ge1 schedule mode rr
Set the scheduling method
(config-qos)# service-queue input ge1 cos-map default
Set the queue processing method
(config-qos)# service-queue output ge1 rate-limit 100000 128000
Set the bandwidth limit of the ge1 port
(config-qos)# service-queue output ge1 cos-rate-limit queue 0 10000 20000
Set the queue bandwidth limit
(config-qos)# show class-map
CLASS-MAP: testmap-c
vlan id : 2
protocol : 6
(config-qos)# show policy-map
POLICY-MAP : testmap-p
CLASS-MAP : testmap-c precedence 6
commit info :
insert priority : 1
limit info :
rate limit
rate value: 10000
burst value: 16000
(config-qos)# show service-policy
-----------------------------SERVICE POLICY : testmap-p
------------------------------
Chapter 12
IGMP Snooping Configuration
This chapter describes the concept of IGMP Snooping and the procedure for setting IGMP Snooping.
This chapter is composed of the following sections:
IGMP Snooping Overview
IGMP Snooping Configuration
Command: ip igmp snooping
Description: Enable IGMP snooping.
Note: To disable the IGMP snooping function, run the command no ip igmp snooping in <Configuration Mode>.
Command: ip igmp version <1-3>
Description: Specify the IGMP snooping version of the VLAN interface.
  <1-3>   IGMP Snooping version. Setting range: 1 ~ 3. (Default value: 2)
Note: To change the IGMP snooping version set in the VLAN interface to the default value, run the command no ip igmp version in <Interface
Configuration Mode>.
Command: ip igmp snooping querier
Description: Enable the IGMP Snooping Querier at the VLAN interface.
Note: To disable the IGMP Snooping Querier set in the VLAN interface, run the command no ip igmp snooping querier in <Interface
Configuration Mode>.
Command: ip igmp query-interval
Description: Set the transmission period of the IGMP snooping membership query message.
Note: To change the membership query message transmission period set in the VLAN interface to the default value, run the command no ip
igmp query-interval in <Interface Configuration Mode>.
Command: ip igmp query-max-response-time
Description: Set the response time limit of the host to the membership query message.
Note: To change the response time limit of the host to the membership query message to the default value, run the command no ip igmp
query-max-response-time in <Interface Configuration Mode>.
Command: ip igmp startup-query-interval
Description: Set the transmission period of the IGMP snooping startup query message.
Note: To change the startup query message transmission period set in the VLAN interface to the default value, run the command no ip igmp
startup-query-interval in <Interface Configuration Mode>.
Command: ip igmp startup-query-count
Description: Set the transmission count of the IGMP snooping startup query message.
Note: To change the startup query message transmission count set in the VLAN interface to the default value, run the command no ip igmp
startup-query-count in <Interface Configuration Mode>.
Command: ip igmp robustness-variable <2-7>
Description: Set a value for the robustness variable.
  <2-7>   Setting range: 2 ~ 10. (Default value: 2)
Note: To change the robustness variable set in the VLAN interface to the default value, run the command no ip igmp robustness-variable
in <Interface Configuration Mode>.
Description: Set the transmission period of the group-specific query messages for checking whether the last host in the VLAN interface has left.
Command: ip igmp last-member-query-count
Description: Set the transmission count of the group-specific query messages for checking whether the last host in the VLAN interface has left.
Note: To change the transmission count of the group-specific query messages to the default, run the command no ip igmp last-member-query-count in <Interface Configuration Mode>.
Command: ip igmp snooping fast-leave
Description: Set the IGMP Fast-Leave function at the VLAN interface.
Note: To cancel the IGMP fast-leave function, run the command no ip igmp snooping fast-leave in <Interface Configuration Mode>.
To directly set a multicast router port in TiFRONT, run the following command in <Interface Configuration
Mode>.
Command
ip igmp snooping mrouter interface <IFNAME>
Description
Set a multicast router port in a VLAN interface.
Note: To delete the multicast router port set in the VLAN interface, run the command no ip igmp snooping mrouter interface
<IFNAME> in <Interface Configuration Mode>.
Command: multicast-filter mode {multicast-flood-all | multicast-flood-none | multicast-flood-unknown} vlan <1-4094>
Description: Set the IGMP multicast filter function.
  multicast-flood-all       Send multicast traffic to every port regardless of multicast group membership.
  multicast-flood-none      Do not flood multicast traffic; send it only to ports that belong to the multicast group.
  multicast-flood-unknown   Flood only multicast traffic whose group has no known membership.
  <1-4094>                  VLAN ID to which the filter mode applies.
Command: ip igmp snooping proxy
Description: Enable the IGMP snooping proxy.
Note: To disable the IGMP snooping proxy, run the command no ip igmp snooping proxy in <Configuration Mode>.
Configuration Example
In the following example, IGMP snooping is set and the settings are queried.
(config)# vlan 2 name v1
Create a VLAN to set IGMP snooping for.
(config)# interface ge1
(config-if-ge1)# switchport access vlan 2
(config-if-ge1)# exit
(config)# interface ge2
(config-if-ge2)# switchport access vlan 2
(config-if-ge2)# exit
(config)# ip igmp snooping
(config)# interface vlan2
(config-if-vlan2)# ip igmp
(config-if-vlan2)# ip igmp
(config-if-vlan2)# ip igmp
(config-if-vlan2)# ip igmp
(config-if-vlan2)# ip igmp
(config-if-vlan2)# ip igmp
(config-if-vlan2)# ip igmp
(config-if-vlan2)# end
# show ip igmp interface vlan 2
IGMP Snooping is globally enabled
IGMP Snooping fast-leave is enabled
IGMP Snooping querier is enabled
IGMP Snooping report suppression is enabled
                Expires     Last Reporter
                00:02:58    10.10.10.9
                00:02:58    10.10.10.9
                00:02:58    10.10.10.9
                00:02:58    10.10.10.9
Chapter 13
Security Configuration
This chapter introduces the security features of TiFRONT and the procedures for using each security feature.
This chapter is composed of the following sections:
TiMatrix Setting
ACL (Access Control List)
System Access Control
Integrated Authentication
IP Management Setting
Web Alert Setting
TiMatrix Setting
TiMatrix is a security engine that has important security functions provided by TiFRONT.
The security functions of TiMatrix are as follows:
DoS/DDoS Blocking
Each function and the procedure for setting them up are described below.
DoS/DDoS Blocking
DoS (Denial of Service) is an attack that tries to monopolize or destroy system resources so that other
processes of the system cannot provide services properly. In particular, DoS attacks spread through the
network, paralyzing networks and system services, thereby causing considerable inconvenience and
enormous damage to users. TiFRONT can block such DoS attacks and protect the internal network from them.
Note: DDoS (Distributed Denial of Service) is a DoS attack carried out simultaneously from multiple distributed attackers.
Attack             Description
                   Sends large volumes of SYN data for TCP connections to a target system to paralyze the services and systems that receive the connection requests.
                   Sends large volumes of UDP packets with forged source IPs or MAC addresses to a target system to paralyze the network.
                   Broadcasts unreachable ICMP packets to exhaust the network resources.
                   Continuously sends ICMP echo request messages to prevent the target host from requesting other services. For example, if the maximum number of "ping target.com" messages are sent, the target host (target.com) has to continuously send responses to the ICMP requests, which prevents the host from sending other service requests and slows down the network speed.
MAC flooding       This attack is usually targeted at network devices such as switches. It sends large volumes of packets with forged MAC addresses to saturate the MAC address table of the target system, thus preventing the system from providing normal services.
Port scanning      The attacker's collection of information about the target is called a 'scan.' The attacker uses port scanning tools such as Nmap to collect information about the ports used by a specific host.
Host scanning
IP spoofing
ARP spoofing       ... packets are sent to the device set by the attacker, resulting in disabled communication or the communication of unwanted information.
NS/NA spoofing     This is similar to ARP spoofing. This attack manipulates the NDP (Neighbor Discovery Protocol) ...
IGMP DoS
MLD DoS            ... used in IPv6 networks to prevent the target from handling the packets and providing normal services.
DAD                This attack interferes with duplicate IP address checks when a new host is
To set the DoS/DDoS blocking function, perform the following steps in <TiMatrix Configuration Mode>.
No.  Command / Description
1    Enable the DoS/DDoS blocking function. If you omit the mode, the block mode will be set.
     detect   Packets are not blocked and only logs are recorded.
     block    Packets are blocked and logs are recorded.
2    Enable the ARP spoofing blocking function. If you omit the mode, the block mode will be set. You must
     enable the ARP spoofing blocking function separately from the DoS/DDoS blocking function.
     detect   Packets are not blocked and only logs are recorded.
     block    Packets are blocked and logs are recorded.
     Note: To disable the ARP spoofing function, run the command no arpspoof in <TiMatrix Configuration Mode>.
3    mac-flooding
     Enable the MAC flooding blocking function. You must enable the MAC flooding blocking function separately
     from the DoS/DDoS blocking function.
     Note: To disable the MAC flooding blocking function, run the command no mac-flooding in <TiMatrix Configuration
     Mode>.
4    mac-flooding limit <WORD> <1-500>
     Set the number of MAC addresses that is the criterion for a MAC flooding attack. If the number of MAC
     addresses registered in the MAC address table of each port is greater than this number, the packets from
     unregistered MAC addresses are blocked.
     <WORD>   (Optional) Enter the port name. To enter more than one port, separate the ports with "," and for
              continuous ports, use "-".
     <1-500>  Number of permitted MAC addresses. Setting range: 1 ~ 500. (Default value: 500)
     Note: To change the number of MAC addresses to the default value, run the command no mac-flooding limit <WORD>
     in <TiMatrix Configuration Mode>.
5    timatrix-ipv6
     Enable the IPv6 security function. You must enable the IPv6 security function with this command so as to
     enable the NS/NA
6    detect   Packets are not blocked and only logs are recorded.
     block    Packets are blocked and logs are recorded.
     Note: To disable the NS/NA spoofing blocking function, run the command no neighbor-spoof in <TiMatrix
     Configuration Mode>.
7    Enable the DAD attack blocking function. If you omit the mode, the block mode will be set. You must enable
     the DAD attack blocking separately from the DoS blocking function. The block mode is set by default.
     detect   Packets are not blocked and only logs are recorded.
     block    Packets are blocked and logs are recorded.
     Note: To disable the DAD attack blocking function, run the command no dad-attack in <TiMatrix Configuration Mode>.
8    Enable the IPv6 host scan blocking function. If you omit the mode, the block mode will be set. You must
     enable host scan blocking separately from the DoS blocking function. The block mode is set by default.
     detect   Packets are not blocked and only logs are recorded.
     block    Packets are blocked and logs are recorded.
     Note: To disable the host scan blocking function, run the command no host-scan in <TiMatrix Configuration Mode>.
9    secure-port <WORD>
     Specify the secure port for which to apply the security functions set in steps 1 to 8.
     <WORD>   Enter the port name. To enter more than one port, separate the ports with "," and for continuous
              ports, use "-".
     Note: To cancel the security port setting, run the command no secure-port <WORD> in <QoS Configuration Mode>.
10   uplink-port <WORD>
     (Optional) Specify an uplink port connected to an external network.
     <WORD>   Enter the port name. To enter more than one port, separate the ports with "," and for continuous
              ports, use "-".
     Note: To cancel the uplink port setting, run the command no uplink-port <WORD> in <QoS Configuration Mode>.
Note: When you run the timatrix-all command in <TiMatrix Configuration Mode>, the DoS/DDoS blocking, ARP spoofing blocking, NS/NA
spoofing blocking, DAD attack blocking, and host scan blocking functions are set in block mode, and the MAC flooding blocking and the Protocol
Anomaly blocking functions are enabled.
Note: When you run the no timatrix-all command in <TiMatrix Configuration Mode>, the DoS/DDoS blocking, ARP spoofing blocking, NS/NA
spoofing blocking, DAD attack blocking, and host scan blocking functions are set in block mode, whereas the MAC flooding blocking and the Protocol
Anomaly blocking functions are disabled.
Note: The security functions of TiFRONT detect attacks at the access level by default, thus preventing the spread of the attack. When traffic
coming from external networks is inspected, the device performance may drop. Therefore, it is recommended to set the port connected to an
external network as the uplink port so that the DoS/DDoS blocking will not be applied.
Caution: If you set the MAC address count limit by using the mac-address limit command for a port, the MAC flooding blocking function does
not work at the port.
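The following Python model of the per-port limit set in step 4 is an added example and not PIOLINK code. It keeps a table of learned source MAC addresses for each port, with a limit of 1 to 500 (default 500), and once a port has reached its limit it blocks and logs frames from addresses that are not yet registered; frames from already registered addresses keep flowing. The port-range syntax "ge1-ge4" (prefix followed by a number), the class and function names, and the frame and MAC values are constructed assumptions.

```python
import re
from collections import defaultdict

MAC_LIMIT_DEFAULT = 500   # default "Number of permitted MAC addresses" in the guide


def expand_ports(spec):
    """Expand the guide's port-list syntax: "," separates ports and "-" gives a
    continuous range. Assumption: port names are <letters><number>, e.g. ge1-ge4."""
    out = []
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = item.split("-", 1)
            m_lo = re.fullmatch(r"([a-z]+)(\d+)", lo)
            m_hi = re.fullmatch(r"([a-z]+)(\d+)", hi)
            if not (m_lo and m_hi) or m_lo.group(1) != m_hi.group(1):
                raise ValueError(f"bad port range: {item!r}")
            prefix = m_lo.group(1)
            out.extend(f"{prefix}{n}" for n in range(int(m_lo.group(2)), int(m_hi.group(2)) + 1))
        else:
            out.append(item)
    return out


class MacFloodingGuard:
    """Per-port MAC learning with a limit; addresses beyond the limit are not
    learned and their frames are blocked and logged."""

    def __init__(self):
        self.limits = {}                 # port -> permitted MAC count
        self.table = defaultdict(set)    # port -> learned source MACs
        self.log = []                    # (port, mac) of blocked frames

    def set_limit(self, ports, limit=MAC_LIMIT_DEFAULT):
        if not 1 <= limit <= 500:
            raise ValueError("limit must be in 1-500")
        for port in expand_ports(ports):
            self.limits[port] = limit

    def ingress(self, port, src_mac):
        """Return "forward" or "block" for one frame arriving on `port`."""
        learned = self.table[port]
        if src_mac in learned:
            return "forward"             # already registered on this port
        if len(learned) >= self.limits.get(port, MAC_LIMIT_DEFAULT):
            self.log.append((port, src_mac))
            return "block"               # table full: unregistered MAC is dropped
        learned.add(src_mac)
        return "forward"


def flood_demo(limit=3, distinct_macs=8):
    """Constructed flood: `distinct_macs` forged sources on ge1 with a limit of
    `limit`. Returns (forwarded, blocked)."""
    guard = MacFloodingGuard()
    guard.set_limit("ge1", limit)
    results = [guard.ingress("ge1", f"0000.0000.{i:04x}") for i in range(distinct_macs)]
    return results.count("forward"), results.count("block")


if __name__ == "__main__":
    print(flood_demo())   # (3, 5)
```

The model deliberately does not age entries out; on a real switch the entry lifetime of the MAC address table decides when a blocked source can be learned again, which is why the caution above matters: a separate mac-address limit on the port replaces this check entirely.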
Command / Description
permit-list (IPv4)
     Specify a permit list by the protocol, source/destination IPv4 addresses, and the source/destination port.
     any | <A.B.C.D/M>       Source IPv4 address and net mask bit of the packets
     any | <A.B.C.D/M>       Destination IPv4 address and net mask bit of the packets
permit-list (IPv6)
     Specify a permit list by the protocol, source/destination IPv6 addresses, and the source/destination port.
     any | <X:X::X:X/M>      Source IPv6 address and net mask bit of the packets
     any | <X:X::X:X/M>      Destination IPv6 address and net mask bit of the packets
     any | <1-65535> | range <1-65534> <2-65535>
                             Source/destination port of the packets
permit-list {any | <HHHH.HHHH.HHHH>} {any | <HHHH.HHHH.HHHH>}
     any | <HHHH.HHHH.HHHH>  Source MAC address of the packets. You can specify a range by using the wildcard
                             character (*) for the characters at the back.
     any | <HHHH.HHHH.HHHH>  Destination MAC address of the packets. You can specify a range by using the wildcard
                             character (*) for the characters at the back.
permit-list arp {any | <HHHH.HHHH.HHHH>} {any | <HHHH.HHHH.HHHH>}
     any | <HHHH.HHHH.HHHH>  MAC address of ARP sender. You can specify a range by using the wildcard character (*)
                             for the characters at the back.
     any | <HHHH.HHHH.HHHH>  MAC address of ARP target. You can specify a range by using the wildcard character (*)
                             for the characters at the back.
Note: To delete a permit list, run the command no permit-list {ip | ipv6 | tcp | udp} <OPTION> in <TiMatrix Configuration Mode>.
Note: For the packets in the permit list of TiMatrix, the ACL, IP management, QoS, DHCP server, and DHCP relay agent functions may not apply.
Therefore, you must set the rule by accurately specifying the protocol, source/destination IP addresses, and the source/destination port numbers
when specifying a permit list.
Showing Statistics
To check the statistics about the packets detected by the DoS/DDoS blocking function, run the command
show timatrix statistics in <User Mode>, <Privileged Mode>, or <TiMatrix Configuration Mode>.
Deleting Filters
To delete TiMatrix filters regardless of the hold time, run the following command in <TiMatrix Configuration
Mode>.
Command / Description
Delete a TiMatrix filter.
     <WORD>   Filter ID to delete.
     all
flooding-list <WORD> in <User Mode>, <Privileged Mode>, or <TiMatrix Configuration Mode>. Up to 100
Configuration Example
The following example shows the settings of the DoS/DDoS blocking function and a permit list.
(config)# timatrix
(config-timatrix)#
(config-timatrix)#
(config-timatrix)#
(config-timatrix)#
Protocol Anomaly Detection   : Disable
DoS/DDoS Detection           : Block mode
ARP-Spoof Detection          : Block mode
MAC-Flooding Detection       : Enable
Permit List
-------------------------------------------
#1
Ethertype       : ip
IP Protocol     : tcp
Src IP address  : 192.168.201.231/24
Dst IP address  : 192.168.202.232/24
Src port        : 1850
Dst port        : 21
-------------------------------------------
Static Host List
None
-------------------------------------------------------
(config-timatrix)# show timatrix statistics
Protocol Anomaly
-------------------------------------------
TCP Fragments                 : 0
ICMP Fragments                : 0
Land                          : 0
Equal-ports, Invalid TCP Flag : 0
--------------------------------------------
Attack          Description
Land            When sending packets to a target host, the attacker sets both the source and destination IP
                addresses to the IP address of the target host. Upon receiving the packets, the target host
                continuously sends packets to itself, thus causing system overload.
                Abnormally manipulates the TCP flags such as SYN, FIN, URG, and PSH so as to cause an overload or
                malfunction because the target host cannot handle the abnormal TCP flags.
TCP fragments   Divides TCP headers into small fragments to hide the destination port so as to bypass intrusion
                detection systems or packet filtering systems. Packet filtering systems and intrusion detection
                systems generally check port numbers to determine filtering, and they pass the first fragment that
                is too small to include the port number. After this, they pass the second fragment that actually
                includes the port number without inspecting it.
ICMP fragments  Sends large ICMP packets over the length specified in the standard so as to cause system overload
                because the target host cannot handle the packets.
Smurf           This attack uses the vulnerability of the ICMP protocol. When ICMP echo messages are broadcast to a
                network address with the destination IP address of the message disguised, all the hosts in the
                network that receive the broadcast message send response packets to the disguised source IP
                address, which paralyzes the target network and the hosts having the disguised source IP address.
To enable the Protocol Anomaly blocking function, run the following command in <TiMatrix Configuration
Mode>.
Command          Description
proto-anomaly    Enable the protocol anomaly blocking function.
Note: To disable the protocol anomaly blocking function, run the command no proto-anomaly in <TiMatrix Configuration Mode>.
Note: When you run the timatrix-all command in <TiMatrix Configuration Mode>, the DoS/DDoS blocking and ARP spoofing blocking functions
are set in block mode, and the MAC flooding and the Protocol Anomaly blocking functions are enabled.
Note: When you run the no timatrix-all command in <TiMatrix Configuration Mode>, the DoS/DDoS, ARP spoofing, MAC flooding, and protocol
anomaly blocking functions are all disabled.
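The checks below are an added Python example of the anomaly categories in the table above and are not PIOLINK code; they show what a detector has to look at for each line of the show timatrix statistics output. Packets are plain dictionaries constructed inline (not captured traffic); the 20-byte threshold for a first fragment "too small to include the port number", the list of invalid flag combinations, and the decision to treat an echo request to a broadcast address as the Smurf indicator are assumptions of this example, and the Smurf counter is an extra line the guide's statistics output does not show.

```python
TCP_MIN_HEADER = 20      # bytes a first fragment needs to carry ports and flags (assumption)
IP_MAX_LENGTH = 65535    # maximum IP datagram length in the standard
INVALID_FLAG_SETS = [    # flag combinations a valid TCP segment never carries
    set(), {"SYN", "FIN"}, {"SYN", "RST"}, {"FIN", "RST"}, {"FIN", "URG", "PSH"},
]


def classify(pkt):
    """Return the anomaly names matched by one packet (a plain dict, see samples)."""
    hits = []
    if pkt["src_ip"] == pkt["dst_ip"]:
        hits.append("Land")                         # source and destination are the target itself
    if pkt["proto"] == "tcp":
        short_first_fragment = (pkt.get("more_fragments")
                                and pkt.get("frag_offset", 0) == 0
                                and pkt.get("payload_len", 0) < TCP_MIN_HEADER)
        if short_first_fragment:
            hits.append("TCP Fragments")            # ports cannot be inspected in this fragment
        else:
            if set(pkt.get("flags", [])) in INVALID_FLAG_SETS:
                hits.append("Invalid TCP Flag")
            if pkt.get("src_port") is not None and pkt["src_port"] == pkt.get("dst_port"):
                hits.append("Equal-ports")
    elif pkt["proto"] == "icmp":
        if pkt.get("total_len", 0) > IP_MAX_LENGTH:
            hits.append("ICMP Fragments")           # reassembled size exceeds the standard limit
        if pkt.get("type") == "echo-request" and pkt.get("dst_is_broadcast"):
            hits.append("Smurf")
    return hits


def statistics(packets):
    """Count hits the way `show timatrix statistics` groups them; Smurf gets its
    own line here (an addition to the four lines shown above)."""
    counts = {"TCP Fragments": 0, "ICMP Fragments": 0, "Land": 0,
              "Equal-ports, Invalid TCP Flag": 0, "Smurf": 0}
    for pkt in packets:
        for hit in classify(pkt):
            key = "Equal-ports, Invalid TCP Flag" if hit in ("Equal-ports", "Invalid TCP Flag") else hit
            counts[key] += 1
    return counts


# Constructed sample traffic (not captured data): one example per category plus one normal segment.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.5", "src_port": 80, "dst_port": 80, "flags": ["SYN"]},
    {"proto": "tcp", "src_ip": "10.0.0.6", "dst_ip": "10.0.0.9", "src_port": 4000, "dst_port": 22, "flags": ["SYN", "FIN"]},
    {"proto": "tcp", "src_ip": "10.0.0.7", "dst_ip": "10.0.0.9", "more_fragments": True, "frag_offset": 0, "payload_len": 8},
    {"proto": "icmp", "src_ip": "10.0.0.8", "dst_ip": "10.0.0.9", "type": "echo-request", "total_len": 70000},
    {"proto": "icmp", "src_ip": "10.0.0.9", "dst_ip": "10.0.0.255", "type": "echo-request", "total_len": 84,
     "dst_is_broadcast": True},
    {"proto": "tcp", "src_ip": "10.0.0.10", "dst_ip": "10.0.0.9", "src_port": 5000, "dst_port": 443, "flags": ["SYN"]},
]

if __name__ == "__main__":
    for name, value in statistics(SAMPLE_PACKETS).items():
        print(f"{name:30}: {value}")
```

Note that the short-fragment branch skips the flag and port checks on purpose: those fields are simply not present in such a fragment, so a detector that evaluated them anyway would raise a spurious "Invalid TCP Flag" on every tiny first fragment.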
Configuration Example
In the following example, the protocol anomaly blocking function is enabled.
(config)# timatrix
Enter the <TiMatrix configuration mode>.
(config-timatrix)# proto-anomaly
Enable the Protocol Anomaly Blocking function.
(config-timatrix)# show timatrix
Show the settings.
TiMatrix Information
-------------------------------------------------------
security-level : 3
Secure Port List
None
Uplink Port List
None
Protocol Anomaly Detection   : Enable
DoS/DDoS Detection           : Disable
ARP-Spoof Detection          : Disable
MAC-Flooding Detection       : Disable
Permit List
None
Static Host List
None
-------------------------------------------------------
(config-timatrix)# no proto-anomaly
Disable the Protocol Anomaly Blocking function.
(config-timatrix)# show timatrix
Show the settings.
TiMatrix Information
-------------------------------------------------------
security-level : 3
Secure Port List
None
Uplink Port List
None
Protocol Anomaly Detection   : Disable
DoS/DDoS Detection           : Disable
ARP-Spoof Detection          : Disable
MAC-Flooding Detection       : Disable
Permit List
None
Static Host List
None
-------------------------------------------------------
Command / Description
Set a static host.
     notice   When an ARP spoofing attack is detected, the MAC address table of every host connected to the
              TiFRONT is updated.
security-level <1-5>
     Set the level of TiMatrix's security function.
     <1-5>    Setting range: 1 ~ 5. (Default value: 3)
ACL Setting
Access List Setting
To set an access list, perform the following steps in <Configuration Mode>. In TiFRONT, you can define up to
1000 access lists for each ID type (number, string) (2000 in total), and up to 50 rules for one access list. To
set multiple access lists or set rules, repeat the following steps.
No.  Command / Description
1    access-list {<1-1000> | <WORD>} [<1-1000>] {deny | permit} {<0-255> | any | tcp | udp}
     {<A.B.C.D/M> | <X:X::X:X/M> | any} {<A.B.C.D/M> | <X:X::X:X/M> | any}
     {any | eq <1-65535> | range <1-65534> <2-65535>} {any | eq <1-65535> | range <1-65534> <2-65535>}
     Add an access list.
     <1-1000> | <WORD>   Set the access list ID with a number or string. Number setting range: 1 ~ 1000.
                         String setting range: 1-10 characters (combination of letters, numbers, and special
                         characters)
     <1-1000>            Priority of the rule. If this is omitted, the lowest priority will be set. Setting range:
                         1 ~ 1000. If there are rules having the same priority, a newly added rule has that priority
                         and the priority of the existing rules
     deny | permit
2    access-list {<1-1000> | <WORD>} interface <IFNAME>
     Apply the access list to an interface.
     <1-1000> | <WORD>   Access list ID.
     <IFNAME>            Port or VLAN name
Caution: When you apply an access list to an interface, a rule that blocks all packets except the ARP packets will be added as the last rule.
Note: To delete an access list, run the command no access-list {<1-1000> | <WORD>} in <Configuration Mode>. You cannot delete an
access list that has been applied to an interface and access group.
Note: To delete the rules of an access list, run the command no access-list {<1-1000> | <WORD>} [<1-1000>] { | {deny |
permit} {<0-255> | any | tcp | udp} {<A.B.C.D/M> | <X:X::X:X/M> | any} {<A.B.C.D/M> | <X:X::X:X/M> | any} {any
| eq <1-65535> | range <1-65534> <2-65535>} {any | eq <1-65535> | range <1-65534> <2-65535>} in <Configuration
Mode>. When you add or delete an access list, it is immediately applied to the access group and interface for which the access list has been
applied.
Note: To cancel an access list that has been applied to an interface, run the command no access-list interface <IFNAME> in
<Configuration Mode>.
Note: Only one access list or access group can be specified for one interface.
Note: If access lists are set for a port and the VLAN to which the port belongs, the access list set for the port will be applied first.
To check the access list information set in an interface, run the command show access-list interface in
<User Mode>, <Privileged Mode>, or <Configuration Mode>.
No.  Command / Description
1    access-group <WORD> [access-list {<1-1000> | <WORD>}]
     <WORD>              Specify the access group ID with a string. Setting range: 1-10 characters (combination
                         of letters, numbers, and special characters)
     <1-1000> | <WORD>   ID of the access list to be included in the access group
2    access-group <WORD> interface <IFNAME>
     Specify the port to which to apply the access group.
     <WORD>              Access group ID.
     <IFNAME>            Port or VLAN name
Note: To delete an access group, run the command no access-group {<1-1000> | <WORD>} in <Configuration Mode>. You cannot delete an
access group that has been applied to an interface.
Note: To delete an access group rule, run the command no access-group <WORD> access-list {<1-1000> | <WORD>} in <Configuration
Mode>. When you add or delete an access list in an access group, it is immediately applied to the interface for which the access group has been
applied.
Note: To cancel an access group that has been applied to an interface, run the command no access-group interface <IFNAME> in
<Configuration Mode>.
Note: Only one access list or access group can be specified for one interface.
Note: If access groups are set for a port and the VLAN to which the port belongs, the access group set for the port will be applied first.
To check the access group information set in an interface, run the command show access-group
interface in <User Mode>, <Privileged Mode>, or <Configuration Mode>.
No.  Command / Description
3    access-group <WORD> time {any | <TIMEMAP>}
     (Optional)
     <WORD>      Access group name for which to specify the applied time
     any
     <TIMEMAP>   Specify the applied time in the format 'start time-end time'. To specify multiple time blocks,
                 separate them by using ','. Setting range: 0 ~ 24
Note: To set time-based ACL, you must first define the access list and access group.
Note: When you set the applied time to an access group, it will be applied to all the access lists in that group regardless of the applied time set in
the access lists.
Note: To disable the time-based ACL function, run the command no access-list mode time-based in <Configuration Mode>.
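The following parser for the <TIMEMAP> argument is an added Python example, not PIOLINK code. It accepts the 'start time-end time' blocks separated by ',' with hours in the range 0 ~ 24, rejects blocks that are reversed or out of range, and answers whether an access group with that applied time is in force at a given hour. Treating the end hour as exclusive (so '9-18' covers 09:00 up to 17:59) and the function names are assumptions of this example; the guide does not state how the boundary is handled.

```python
def parse_timemap(spec):
    """Parse 'start-end[,start-end...]' (hours 0 ~ 24). Returns None for 'any'
    (always applied) or a sorted list of (start, end) tuples."""
    if spec.strip() == "any":
        return None
    blocks = []
    for item in spec.split(","):
        parts = item.strip().split("-")
        if len(parts) != 2 or not all(p.isdigit() for p in parts):
            raise ValueError(f"bad time block {item!r}; expected 'start-end'")
        start, end = int(parts[0]), int(parts[1])
        if not (0 <= start < end <= 24):
            raise ValueError(f"time block {item!r} must satisfy 0 <= start < end <= 24")
        blocks.append((start, end))
    return sorted(blocks)


def group_applies(timemap, hour):
    """True when an access group with this applied time is in force at `hour`
    (0-23). The end hour is exclusive (assumption of this example)."""
    if not 0 <= hour <= 23:
        raise ValueError("hour must be 0-23")
    if timemap is None:
        return True
    return any(start <= hour < end for start, end in timemap)


def hours_in_force(spec):
    """Convenience view: the list of hours (0-23) during which the group applies."""
    timemap = parse_timemap(spec)
    return [h for h in range(24) if group_applies(timemap, h)]


if __name__ == "__main__":
    print(hours_in_force("9-12,13-18"))   # 9, 10, 11, 13, 14, 15, 16, 17
```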
Configuration Example
In this example, an access list is set as shown in the following table, and then the settings are queried.
Configuration item        Set value
ID                        acl-01                    acl-02
Policy                    permit                    deny
Protocol                  TCP                       UDP
Source IP address         192.168.201.231/24        192.168.203.233/24
Destination IP address    192.168.202.232/24        192.168.204.234/24
Source port               any                       any
Destination port          any                       any
ge19  | None
ge20  | None
ge21  | None
ge22  | None
ge23  | None
ge24  | None
vlan1 | None
vlan2 | None
---------------------------
[Figure - System access control flow: a packet that satisfies an access rule is handled by the rule's policy (permit:
Permit packet, deny: Deny packet)]
When a host sends packets to access TiFRONT, TiFRONT compares the packets with the access rules, starting
from the access rule that was set first, to find an access rule that the packets satisfy. If there is an access
rule that is satisfied by the packet, the packet is permitted or denied according to the policy of that access
rule. If no access rule is satisfied by the packet, or no access rule is defined, the packet is permitted.
Command / Description
system-access {deny | permit} {any | icmp | tcp | udp} {<A.B.C.D/M> | any} {<A.B.C.D/M> | any}
{any | eq <1-65535> | range <1-65534> <2-65535>} {any | eq <1-65535> | range <1-65534> <2-65535>}
     Add a system access control rule.
     deny | permit   Enter a policy. deny: blocked, permit: allowed
Note: To delete an access rule, run the command no system-access {deny | permit} {any | icmp | tcp | udp} {<A.B.C.D/M> |
any} {<A.B.C.D/M> | any} {any | eq <1-65535> | range <1-65534> <2-65535>} {any | eq <1-65535> | range <1-65534>
<2-65535>} in <Configuration Mode>.
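The following Python rule evaluator is an added example, not PIOLINK code, covering the two behaviours this chapter states for rule lookup: an access list applied to an interface gets an implicit last rule that blocks everything except ARP (the Caution in the Access List Setting section), whereas system access control permits a packet that matches no rule (the paragraph above). Rules are tried in priority order, 1 first, with an omitted priority treated as the lowest (1000); ties keep insertion order, which is an assumption since the guide's sentence on equal priorities is cut off. The Rule class, the packet dictionary layout, and the sample rules (built on the networks from the access list configuration example) are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    """One access rule. Port specs: ("any",), ("eq", n) or ("range", lo, hi);
    priority 1 is tried first and an omitted priority is the lowest (1000)."""
    policy: str                   # "permit" | "deny"
    proto: str = "any"            # "any" | "tcp" | "udp" | "icmp" | ...
    src: str = "any"              # "any" | "A.B.C.D/M" | "X:X::X:X/M"
    dst: str = "any"
    src_port: tuple = ("any",)
    dst_port: tuple = ("any",)
    priority: int = 1000

    def matches(self, pkt):
        return (self.proto in ("any", pkt["proto"])
                and _addr_ok(self.src, pkt["src"])
                and _addr_ok(self.dst, pkt["dst"])
                and _port_ok(self.src_port, pkt.get("sport"))
                and _port_ok(self.dst_port, pkt.get("dport")))


def _addr_ok(spec, addr):
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec, strict=False)   # host bits allowed, as in 192.168.201.231/24
    ip = ipaddress.ip_address(addr)
    return ip.version == net.version and ip in net


def _port_ok(spec, port):
    if spec[0] == "any":
        return True
    if port is None:                                 # protocol without ports never matches eq/range
        return False
    if spec[0] == "eq":
        return port == spec[1]
    if spec[0] == "range":
        return spec[1] <= port <= spec[2]
    raise ValueError(f"bad port spec {spec!r}")


def evaluate(rules, pkt, applied_to_interface):
    """First match in priority order decides. With no match: an access list on an
    interface denies everything but ARP (the implicit last rule); system access
    control permits."""
    for rule in sorted(rules, key=lambda r: r.priority):   # stable sort: ties keep insertion order
        if rule.matches(pkt):
            return rule.policy
    if applied_to_interface:
        return "permit" if pkt["proto"] == "arp" else "deny"
    return "permit"


# Constructed rules, using the networks from the access list configuration example.
ACL_EXAMPLE = [
    Rule("permit", "tcp", "192.168.201.231/24", "192.168.202.232/24", priority=1),
    Rule("deny", "udp", "192.168.203.233/24", "192.168.204.234/24", priority=2),
]
# Constructed system access rules: management SSH only from one subnet, other low ports closed.
SYSTEM_ACCESS = [
    Rule("permit", "tcp", "10.1.1.0/24", "any", dst_port=("eq", 22)),
    Rule("deny", "tcp", "any", "any", dst_port=("range", 1, 1023)),
]


def decide_interface(pkt):
    """Decision for a packet entering an interface with ACL_EXAMPLE applied."""
    return evaluate(ACL_EXAMPLE, pkt, applied_to_interface=True)


def decide_system(pkt):
    """Decision for a packet addressed to TiFRONT itself under SYSTEM_ACCESS."""
    return evaluate(SYSTEM_ACCESS, pkt, applied_to_interface=False)
```

The two default branches are the point of the example: the same packet (an ICMP echo that matches nothing) is dropped by the interface ACL but accepted by system access control, so a system-access rule set that is meant to be restrictive needs an explicit closing deny rule.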
Configuration Example
The following is an example of system access control setting.
Integrated Authentication
TiFRONT provides the following three types of authentication for network access control of the connected
hosts:
802.1x Authentication
MAC Authentication
Web Authentication
The integrated authentication feature of TiFRONT allows the use of only one authentication function or a
combination of different authentication functions through the following methods:
When the multi-step authentication method is used, both authentication functions must be passed
successfully before network access to the host is permitted. The multi-step authentication method combines
the following authentication functions:
User Terminal Authentication    User Authentication
MAC authentication              802.1x authentication
MAC authentication              Web Authentication
802.1x authentication           Web Authentication
For the fall-back authentication method, if the 802.1x authentication fails, the other authentication functions are
performed sequentially, and if one authentication is successful, network access is permitted. If all
authentication fails, the authentication process must be restarted from 802.1x authentication. The fall-back
authentication method can use the following combinations:
1st authentication       2nd authentication       3rd authentication
802.1x authentication    MAC authentication
802.1x authentication    Web authentication
802.1x authentication    MAC authentication       Web authentication
Each authentication function determines approval through the RADIUS server and can be set by each port. If
you set the authentication function, authentication mode, and authentication method to use by considering
the characteristics of the host connected to each port, you can shorten the time required for the
authentication process and use the integrated authentication function more efficiently.
TiFRONT supports the VLAN Assignment function, which means that if the authentication is successful, the
VLAN of the port to which the host is connected is changed to a VLAN set in the RADIUS server. VLAN
Assignment is enabled by default without a separate setting. If the VLAN ID is not registered in the RADIUS
server or the VLAN ID does not exist in TiFRONT, the current VLAN is maintained. If the port authentication
mode is host mode, it is set to the VLAN of the host that succeeded in authentication for the first time
through the port.
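The following Python model is an added example, not PIOLINK code, of the three integrated authentication methods and of VLAN Assignment as described above. The RADIUS server is replaced by a dictionary of simulated Access-Accept/Access-Reject answers per authentication function; the labels "dot1x", "mac" and "web", the function names run_auth, assign_vlan and host_mode_port_vlan, and the reading that in host mode the port keeps the VLAN of the first host that succeeds are assumptions of this example.

```python
# Permitted combinations, in the order the guide's tables list them.
MULTI_STEP_COMBOS = {("mac", "dot1x"), ("mac", "web"), ("dot1x", "web")}      # terminal auth, then user auth
FALL_BACK_ORDERS = {("dot1x", "mac"), ("dot1x", "web"), ("dot1x", "mac", "web")}


def run_auth(method, functions, radius_results):
    """Return (permitted, attempts). `radius_results` maps a function name to the
    simulated RADIUS answer (True = Access-Accept); `attempts` lists what ran."""
    functions = tuple(functions)
    attempts = []
    if method == "multi-step":
        if functions not in MULTI_STEP_COMBOS:
            raise ValueError(f"unsupported multi-step combination {functions}")
        for fn in functions:                      # both must pass, in order
            ok = bool(radius_results.get(fn, False))
            attempts.append((fn, ok))
            if not ok:
                return False, attempts
        return True, attempts
    if method == "fall-back":
        if functions not in FALL_BACK_ORDERS:
            raise ValueError(f"unsupported fall-back order {functions}")
        for fn in functions:                      # first success permits access
            ok = bool(radius_results.get(fn, False))
            attempts.append((fn, ok))
            if ok:
                return True, attempts
        return False, attempts                    # all failed: restart from 802.1x
    if method == "stand-alone":
        fn, = functions
        ok = bool(radius_results.get(fn, False))
        return ok, [(fn, ok)]
    raise ValueError(f"unknown method {method!r}")


def assign_vlan(current_vlan, radius_vlan, switch_vlans):
    """VLAN Assignment after success: move to the RADIUS VLAN only if the server
    returned one and it exists on the switch; otherwise keep the current VLAN."""
    if radius_vlan is None or radius_vlan not in switch_vlans:
        return current_vlan
    return radius_vlan


def host_mode_port_vlan(port, radius_vlan, switch_vlans):
    """Host mode: the port follows the first host that authenticates; later
    successes do not change it (assumed reading of the paragraph above).
    `port` is a dict {"vlan": int, "assigned": bool} updated in place."""
    if not port["assigned"]:
        port["vlan"] = assign_vlan(port["vlan"], radius_vlan, switch_vlans)
        port["assigned"] = True
    return port["vlan"]


if __name__ == "__main__":
    # Constructed scenario: a printer without 802.1x passes MAC authentication on fall-back.
    print(run_auth("fall-back", ["dot1x", "mac"], {"dot1x": False, "mac": True}))
```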
Each of the authentication functions provided by TiFRONT is described in detail below.
802.1x Authentication
802.1x is an IEEE standard related to port-based network access control. TiFRONT provides the
authentication function that authenticates a host and gives access permission based on IEEE 802.1x. Setting
the 802.1x authentication policy can raise network security because only the hosts having the access
permission can access the network.
The following shows the 802.1x authentication process.
[Figure - 802.1x Authentication Process: Host (Supplicant), TiFRONT (Authenticator), RADIUS server (Authentication
Server). Message order: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, Radius-Access-Request,
Radius-Access-Challenge, EAP-Request, EAP-Response, Radius-Access-Request, Radius-Access-Accept, EAP-Success]
1. EAPOL-Start
When accessing the network first, the host (supplicant) requests network access by sending the EAPOL-Start
packet to the TiFRONT (Authenticator).
2. EAP-Request/Identity
TiFRONT sends the EAP-Request/Identity packet requesting identification of the host.
3. EAP-Response/Identity
The host sends the EAP-Response/Identity packet containing the identity information to TiFRONT.
4. Radius-Access-Request
TiFRONT sends the Radius-Access-Request packet containing identity information to the RADIUS server.
5. Radius-Access-Challenge
The RADIUS server sends the Radius-Access-Challenge packet requesting a certificate or password to TiFRONT.
6. EAP-Request
TiFRONT sends the EAP-Request packet requesting a certificate or password to the host.
7. EAP-Response
The host sends the EAP-Response packet containing a certificate or password to TiFRONT.
8. Radius-Access-Request
TiFRONT sends the Radius-Access-Request packet containing a certificate or password to the RADIUS server.
9. Radius-Access-Accept
The RADIUS server notifies successful authentication by sending the Radius-Access-Accept packet to TiFRONT.
10. EAP-Success
TiFRONT notifies of successful authentication by sending the EAP-Success packet to the host.
Note: The 802.1x authentication process generally starts by the host sending the EAPOL-Start packet. If TiFRONT starts authentication first,
however, the authentication process begins from the part where the EAP-Request/Identity packet is sent.
Note: The authentication information of the host that is used in the 802.1x authentication process is saved in the RADIUS server and not in
TiFRONT.
TiFRONT provides the Guest VLAN function that allows devices that do not support 802.1x to access the
network normally regardless of 802.1x authentication. When a device that does not support 802.1x is
connected to an authentication port for which a Guest VLAN is set, the VLAN of that port is changed to the Guest
VLAN and communication proceeds normally. However, even if the Guest VLAN function is enabled,
devices that fail authentication are blocked.
MAC Authentication
MAC authentication supports authentication for such hosts as printers and VoIP phones that do not support
the IEEE 802.1x standard or which cannot accept IDs and passwords. It controls network access through the
MAC address of hosts.
For MAC authentication, the MAC address is acquired from the ARP packet or DHCP discover packet that the
host sends to TiFRONT, and this MAC address is used as the ID for authentication. Therefore, in order to use
the MAC authentication function, the MAC address of the host that will be permitted to access the network
must be registered in the RADIUS server.
The following shows the MAC authentication process.
[Figure - MAC Authentication Process: Host (Supplicant), TiFRONT (Authenticator), RADIUS server (Authentication
Server). Message order: ARP/DHCP discover, Radius-Access-Request, Radius-Access-Accept]
1. ARP/DHCP discover
The host sends an ARP packet or a DHCP discover packet containing its MAC address to TiFRONT.
2. Radius-Access-Request
TiFRONT sends the Radius-Access-Request packet containing the MAC address and password of the host to the
RADIUS server.
3. Radius-Access-Accept
The RADIUS server notifies of successful authentication by sending the Radius-Access-Accept packet to TiFRONT,
and TiFRONT permits the network access of the host.
Note: For the password used in the MAC authentication process, a password that is commonly applied to all hosts must be set. If the MAC
authentication password is not set, the MAC address of the host is used for MAC authentication.
Web Authentication
Web authentication controls network access by sending an authentication page from TiFRONT and accepting
the ID and password when a host tries to access the network through a Web browser.
In order to use the Web authentication function, the ID and password of the host that will be permitted to
access the network must be registered in the RADIUS server. Furthermore, Web authentication can be used
only in an environment where the fixed IP address is used for HTTP communication between TiFRONT and
host.
When a host tries to access through the Web, the following authentication page appears.
The host is informed of the success or failure of authentication by the following Web page, and the host is
permitted to access the network only if authentication is successful.
Caution: Before Web authentication is successful, TiFRONT responds with its IP address to the ARP Request and DNS Query sent by the host.
Therefore, after Web authentication is complete, the Web browser must be restarted to update the network access information. In this process,
the network access of host can be delayed a little.
[Figure - Web Authentication Process: Host (Supplicant), TiFRONT (Authenticator), RADIUS server (Authentication
Server). Message order: HTTP Request, HTTP Login Page, HTTP Get, Radius-Access-Request, Radius-Access-Accept,
HTTP Response]
1. HTTP Request
The host sends the HTTP Request packet to TiFRONT.
2. HTTP Login Page
TiFRONT sends a login page, displayed in the browser, on which the ID and password for Web authentication are entered.
3. HTTP Get
The host enters an ID and password on the login page and sends the HTTP Get packet.
4. Radius-Access-Request
TiFRONT sends the Radius-Access-Request packet containing the ID and password of the host to the RADIUS
server.
5. Radius-Access-Accept
The RADIUS server notifies of successful authentication by sending the Radius-Access-Accept packet to TiFRONT,
and TiFRONT permits network access of the host.
6. HTTP Response
TiFRONT responds with a Web page that informs of successful authentication.
Note: The authentication information of the host that is used in the Web authentication process is saved in the RADIUS server and not in TiFRONT.
Authentication Mode
TiFRONT supports the following two authentication modes:
Port Mode
Authentication is performed based on the port. When authentication is successful, the port passing the
authentication is changed from a Blocked to a Forwarding state and is allowed to access the network.
Host Mode
Authentication is performed based on the MAC address of the host. When authentication is successful, the MAC
address of the host passing the authentication is registered in the MAC address table and the host is permitted to
access the network.
TiFRONT performs authentication based on the port by default. When authentication is performed based on
the port, there is no problem if one host is connected to one port, but when multiple hosts are connected to
one port through a hub, etc., unauthorized hosts can access the network. In this case, you must use the host
mode so that only the hosts passing authent
ication can access the network.
The following shows the port mode authentication process.
[Figure - Port mode authentication: hosts connected to a TiFRONT port through a Hub; the port changes from Blocked to
Forwarding]
As shown in the above figure for the port-based method, when host no. 1 succeeds in authentication, all
hosts connected to the port through a hub can access the network. Therefore, even hosts no. 2 and 3, which
have not been authenticated, can access the network. On the other hand, if host no.1 fails authentication,
hosts no.2 and 3 cannot access the network, either.
The following figure shows the host mode authentication process.
[Figure - Host mode authentication: hosts connected to a TiFRONT port through a Hub]
As shown in the above figure, the host mode allows you to block network access of each host. In other words,
unlike the port mode, even if host no.1 passes authentication, hosts no.2 and 3 cannot access the network.
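The following Python simulation is an added example, not PIOLINK code, of the difference between the two modes shown in the figures above: three hosts share one port through a hub, only host no. 1 attempts authentication, and the question is which hosts may send traffic afterwards. In port mode the whole port moves between the Blocked and Forwarding states; in host mode the decision is per MAC address registered in the MAC address table. The class name AuthPort, the constructed MAC addresses and the helper hub_scenario are assumptions of this example.

```python
class AuthPort:
    """Authentication state of one switch port in port mode or host mode."""

    def __init__(self, mode="port"):                # port mode is the default
        if mode not in ("port", "host"):
            raise ValueError(mode)
        self.mode = mode
        self.state = "Blocked"                      # port-mode port state
        self.authorized_macs = set()                # host-mode MAC table entries

    def auth_result(self, mac, success):
        """Apply one host's authentication outcome to the port."""
        if self.mode == "port":
            self.state = "Forwarding" if success else "Blocked"
        elif success:
            self.authorized_macs.add(mac)           # register the host's MAC address
        else:
            self.authorized_macs.discard(mac)

    def may_forward(self, mac):
        """Whether a frame from `mac` is allowed onto the network."""
        if self.mode == "port":
            return self.state == "Forwarding"
        return mac in self.authorized_macs


# Constructed addresses for the three hosts behind the hub.
HOSTS = {"host1": "0000.1111.0001", "host2": "0000.1111.0002", "host3": "0000.1111.0003"}


def hub_scenario(mode, host1_succeeds=True):
    """Three hosts behind a hub on one port; only host 1 attempts authentication.
    Returns {host name: allowed}."""
    port = AuthPort(mode)
    port.auth_result(HOSTS["host1"], host1_succeeds)
    return {name: port.may_forward(mac) for name, mac in HOSTS.items()}


if __name__ == "__main__":
    print("port mode:", hub_scenario("port"))
    print("host mode:", hub_scenario("host"))
```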
Command                                        Description
dot1x radius-server host <HOSTNAME>            Register the RADIUS server.
                                               <HOSTNAME>
dot1x radius-server key <KEY>                  <KEY>  Setting range: 1-64 characters (combination of letters,
                                               numbers, and special characters)
dot1x radius-client host <HOSTNAME> <PORT>     Set the IP address or host name of the RADIUS client and the port.
                                               <HOSTNAME>  IP address or host name of the device
                                               <PORT>      Port number of the device. Setting range: 1 ~ 65535
Note: To delete the RADIUS server, run the command no dot1x radius-server host in <Configuration Mode>.
Note: To delete the encryption key, run the command no dot1x radius-server key in <Configuration Mode>.
Note: To delete the RADIUS client setting, run the command no dot1x radius-client host in <Configuration Mode>.
Command                    Description
dot1x system-auth-ctrl     Enable Integrated Authentication
Note: To disable the integrated authentication function, run the command no dot1x system-auth-ctrl in <Configuration Mode>.
Command                                                                 Description
dot1x mac-auth password <WORD>                                          Set the password to be used for MAC authentication.
dot1x mac-auth addr-format {no-delimiter | multi-dash | multi-colon}
     no-delimiter   Specify as HHHHHHHHHHHH format
     multi-dash     Specify as HH-HH-HH-HH-HH-HH format
     multi-colon    Specify as HH:HH:HH:HH:HH:HH format (default)
Note: To delete the password for MAC authentication, run the command no dot1x mac-auth password in <Configuration Mode>.
Note: To change the MAC address format to the default format, run the command no dot1x mac-auth addr-format in <Configuration Mode>.
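The following Python helper is an added example, not PIOLINK code, showing what the addr-format setting changes: the identity carried in the Radius-Access-Request must be written exactly as the RADIUS server stores it, so the same address is rendered in the no-delimiter, multi-dash or multi-colon form. It also applies the rule from the MAC authentication note above that the MAC address itself serves as the password when no common password is set. Lowercase hex output, the use of the standard RADIUS attribute names User-Name and User-Password, and the function names are assumptions of this example.

```python
import re

ADDR_FORMATS = {
    "no-delimiter": "",     # HHHHHHHHHHHH
    "multi-dash": "-",      # HH-HH-HH-HH-HH-HH
    "multi-colon": ":",     # HH:HH:HH:HH:HH:HH (default)
}
HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Accept HHHH.HHHH.HHHH, HH:HH:..., HH-HH-... or bare hex and return 12
    lowercase hex digits; anything else raises ValueError."""
    digits = mac.strip().lower().replace(".", "").replace(":", "").replace("-", "")
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def format_mac(mac, addr_format="multi-colon"):
    """Render the MAC in the configured addr-format (lowercase is an assumption;
    match whatever the RADIUS server stores)."""
    sep = ADDR_FORMATS[addr_format]
    digits = normalize_mac(mac)
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_auth_request(mac, addr_format="multi-colon", password=None):
    """Attributes of the Radius-Access-Request for MAC authentication. With no
    common password configured, the MAC address itself is used (Note above)."""
    identity = format_mac(mac, addr_format)
    return {"User-Name": identity,
            "User-Password": password if password is not None else identity}


if __name__ == "__main__":
    for fmt in ADDR_FORMATS:
        print(fmt, mac_auth_request("0011.2233.4455", fmt))
```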
Command                Description
dot1x port-control     Enable the integrated authentication function for the port.
Note: If you enable the integrated authentication function, 802.1x authentication is also enabled.
Note: To disable the integrated authentication function, run the command no dot1x port-control in <Configuration Mode>.
Command / Description
Set the transmission count for EAP-Request/Identity packets to host.
     <1-10>      Setting range: 1 ~ 10. (Default value: 2)
Set the transmission count for EAP-Request packets to host.
     <1-10>      Setting range: 1 ~ 10. (Default value: 2)
Set the retransmission period for EAP-Request/Identity password request.
     <1-65535>   Setting range: 1 ~ 65,535 (sec). (Default value: 30 sec)
Set the retransmission period for EAP-Request/Identity packets when there is no response from host after an
identity request.
     <1-65535>   Setting range: 1 ~ 65,535 (sec). (Default value: 30 sec)
In port mode, when a device that does not support 802.1x is connected to the port, the Guest VLAN is set to
allow the
Note: In the following cases, the port that was set as a Guest VLAN is restored to the previous VLAN. In other words, it belongs to the VLAN it
was in right before it was changed to a Guest VLAN again. If the previous VLAN has been deleted, it will belong to the default VLAN.
- The port is down.
- The integrated authentication function is disabled (no dot1x system-auth-ctrl)
- The 802.1x function is disabled for the port (no dot1x port-control)
- The authentication mode has been changed to host mode.
Caution: When the port belongs to a Guest VLAN because the device connected to TiFRONT does not support 802.1x, if you save the configuration
file by using the command write memory, the port is saved as if it belongs to the Guest VLAN instead of the previous VLAN. In this case, even
after the system is rebooted, the port is not restored to the previous VLAN, but keeps belonging to the Guest VLAN. Therefore, you must save the
configuration file after the port is restored to the previous VLAN.
Note: To delete the Guest VLAN setting, run the command no dot1x guest-vlan in <Interface Configuration Mode>.
293
Chapter 13 Security Configuration
Description
Enable MAC authentication.
Note: To disable the MAC authentication function, run the command no dot1x mac-auth in <Interface Configuration Mode>.
Description
Enable Web authentication.
Note: To disable the Web authentication function, run the command no dot1x web-auth in <Interface Configuration Mode>.
Description: Select the authentication mode of the port. If you enable the integrated authentication function, the authentication mode is set to port mode by default.
  host  Select host mode as the authentication mode.
  port  Select port mode as the authentication mode (default).
Description: Select the integrated authentication mode of the port. The integrated authentication works in stand-alone mode by default.
  fall-back  In the fall-back authentication mode, 802.1x
terminal authentication.
Note: To perform user terminal authentication only with MAC authentication, run the command no dot1x multi-step terminal-dot1x in <Interface Configuration Mode>.
Description: Set the direction of the packet to be blocked in the event of failed authentication.
  both  Block all packets sent from and received by the port.
  in    Block only the packets received by the port (default).
Description: Set the waiting time for response from the RADIUS server. If there is no response from the RADIUS server

Command: dot1x reauthentication
Description: Enable the reauthentication function. (Default: Disabled)

Command: dot1x timeout reauth-period <1-4294967295>
Description: Set the reauthentication period for renewing authentication.
  <1-4294967295>  Setting range: 1 ~ 4,294,967,295 (sec). (Default value: 3,600 sec)
Description: Set the authentication state of the port by force.
  force-authorized    Every authentication is regarded as successful.
  force-unauthorized  Every authentication is regarded as failed.
Note: If you have not enabled the integrated authentication function, you cannot set the authentication port. Therefore, before setting an
authentication port, you must enable the integrated authentication function by using the command dot1x system-auth-ctrl in
<Configuration Mode>.
Caution: You must not set a MAC filter for ports for which the integrated authentication has been set. If both integrated authentication and MAC
filter are set for one port, both functions may malfunction.
Note: To reset the integrated authentication settings, run the command dot1x default-configuration in <Configuration Mode>.
Note: To disable the reauthentication function in port mode, run the command no dot1x reauthentication in <Interface Configuration Mode>.
If you perform Web authentication with the authentication mode set as fall-back, you can set the options for
Web authentication by running the following commands in <Interface Configuration Mode>.
Description: Specify the waiting time for accepting ID and password for Web authentication. If the ID and password are not entered
Note: To change the waiting time for Web authentication to the default, run the command no dot1x web-auth state-timer in <Interface
Configuration Mode>.
Note: To change the maximum failure count for Web authentication to the default, run the command no dot1x web-auth login-attemptmax in <Interface Configuration Mode>.
Command: dot1x initialize interface <IFNAME>
Description: Specify the port whose authentication state will be initialized.
  <IFNAME>  Number of the port whose authentication state will be initialized.

interface <IFNAME>}] in <User Mode> or <Privileged Mode>. To check the authentication setting of a specific port, use the interface <IFNAME> option.
Description
Note: To disable the forwarding of EAPOL packets, run the command no dot1x system-auth-ctrl in <Configuration Mode>.
Configuration Example
In this example, the RADIUS server for integrated authentication is set as shown in the following table, and
the settings are queried.
Item              Settings
RADIUS server     192.167.201.237
Encryption key    radius-key01
RADIUS client     192.168.203.236, port 49153
# show dot1x                                               Show the 802.1x authentication settings
802.1X Port-Based Authentication Disabled
RADIUS server address: not configured
RADIUS client address: not configured
Next radius message id: 0
# configure
(config)# dot1x system-auth-ctrl                           Enable the 802.1x authentication function
(config)# dot1x radius-server host 192.167.201.237         Set the RADIUS server
(config)# dot1x radius-server key radius-key01             Set the encryption key
(config)# dot1x radius-client host 192.168.203.236 49153   Set the RADIUS client
(config)# exit
# show dot1x                                               Show the 802.1x authentication settings
802.1X Port-Based Authentication Enabled
RADIUS server address: 192.167.201.237:1812
RADIUS client address: 192.168.203.236:49153
Next radius message id: 0
In the next example, the integrated authentication function is enabled, and the integrated authentication
function is set for the ge1 port as shown below.
Item                   Settings
Authentication Mode    Port Mode
Multi-step             MAC Authentication
User Authentication    802.1x Authentication
IP Management Setting
IP Management controls the traffic of host access to the network through TiFRONT. If you set the IP
management function in TiFRONT, you can permit or deny the traffic of hosts having specific IP
addresses/MAC addresses/ports.
Description: Set the state of the IP management function.
  disable       Disable the IP management function. (Default)
  filter black  Permit the network access of every host by default, and only the hosts specified as management hosts are blocked from
Description: Enter the IP address and MAC address of the host whose network access will be controlled.
  port  Only the access to the specified port is permitted/denied according to the filter mode. If you omit this, access to every port is permitted/denied.
  time  Set the network access control time. If you omit this, network
Note: To delete a specific management host, use the command no hostacl <A.B.C.D> <XX:XX:XX:XX:XX:XX> [block] [port <PORT>]
| [time <TIMEMAP>]. To delete all management hosts that have been set until now, run the command no hostacl all.
Note: The IP management function has a higher priority than the ACL function. Therefore, the packets of the host set as management host of the
IP management function are not blocked by the ACL function. Furthermore, even the packets permitted in ACL may be blocked, depending on the
IP management settings.
Description
Set the use of the DHCP or DNS protocol.
Note: To delete the permission protocol setting, run the command no hostacl proto {dhcp | dns}.
Description
Set an uplink port connected to an external network.
Note: To delete the uplink port setting, run the command no hostacl uplink <PORT>.
Note: The IP management function controls network access of hosts in the internal network. Because the IP management function does not need to
be applied to the ports connected to an external network, you can specify them as uplink ports to prevent the lowering of device performance by
unnecessary inspections.
Description
Set the connection with TiManager for IP management.
<A.B.C.D>
IP address of TiManager
<1-65535>
Port number of TiManager. Setting range: 1 ~ 65535
Note: To delete the connection setting with TiManager, run the command no logging hostacl in <Configuration Mode>.
<Configuration Mode>.
To check the hosts that have been denied, permitted, or learned by the IP management function, run the
command show hostacl iplist [block | permit | learnt] in <Privileged Mode> or <Configuration
Mode>.
To check the IP address and MAC address of the hosts whose network access is controlled, run the command
show hostacl rulelist in <Privileged Mode> or <Configuration Mode>.
To check the connection settings with TiManager, run the command show logging hostacl in <Privileged
Mode> or <Configuration Mode>.
Configuration Example
In this example, the IP management functions are configured so that the host with the IP address and MAC
address shown in the following table can access the specified port, and the settings are queried.
Configuration item   Set value
IP address           192.168.201.236
MAC address          0006.c473.f28d
Port                 fe11

IP address        MAC address      PORT Name   Action   Status   Since
------------------------------------------------------------------------
192.168.201.236   0006.c473.f28d   fe11        permit   Off      12/13 04:26:19
(config)#
To enable Web Alert for hazardous traffic, run the following commands in <Configuration Mode>.

Command: web-alert display-company <WORD>
Description: Set the company name to be displayed on the screen.
  <WORD>  Enter up to 64 characters composed of letters, numbers, and special characters.

Command: web-alert display-mail <WORD>
Description: Set the e-mail address of the administrator to be displayed on the screen.
  <WORD>  Enter up to 64 characters composed of letters, numbers, and special characters.

Command: web-alert display-phone <WORD>
Description: Set the phone number of the administrator to be displayed on the screen.
  <WORD>  Enter a four-digit number.

Command: web-alert timatrix alert-type {pop-up | web-page}
Description: Set the warning page display method.
  pop-up    Show the warning on a pop up window. (default)
  web-page  Show the warning on a Web browser screen.

Command: web-alert timatrix enable
Description: Enable Web Alert for hazardous traffic.
Note: To disable Web Alert for hazardous traffic, run the command no web-alert timatrix enable in <Configuration Mode>.
Note: The company name, e-mail address, and phone are applied to the Web Alert for IP Management in the same way.
To set the Web Alert for IP management in TiFRONT, run the following commands in <Configuration Mode>.

Command: web-alert hostacl server-ip <A.B.C.D> <1-65535>
Description: Set the IP address and port of the Web server to redirect the Web requests of blocked users to.
  <A.B.C.D>  IP address of the Web server
  <1-65535>  Port number of the Web server

Command: web-alert hostacl alert-interval {alert-per-block | alert-per-time <TIMEMAP>,[<TIMEMAP>] | alert-per-day | no-alert}
Description: Set the warning page sending period.
  alert-per-block  Send whenever a packet is blocked.
  alert-per-day    Send once a day to the blocked hosts.
  alert-per-time   Send only for the set time.
  <TIMEMAP>        Specify the start and end times for sending the warning page using '-' in the range of 0-24. To specify multiple time ranges, separate them with ','.
                   Note: The start time must not be greater than the end time. For example, if you want to set 24-1, you must change 24 to 0.
  no-alert         The warning page response is not given. (default)

Command: web-alert display-company <WORD>
Description: Set the company name to be displayed on the screen.
  <WORD>  Enter up to 64 characters composed of letters, numbers, and special characters.

Command: web-alert display-mail <WORD>
Description: Set the e-mail address of the administrator to be displayed on the screen.
  <WORD>  Enter up to 64 characters composed of letters, numbers, and special characters.
Command: web-alert display-phone <WORD>
Description: Set the phone number of the administrator to be displayed on the screen.
  <WORD>  Enter a four-digit number.

Command: web-alert hostacl alert-type {pop-up | web-page}
Description: Set the warning page display method.
  pop-up    Show the warning on a pop up window. (Default)
  web-page  Show the warning on a Web browser screen.

Command: web-alert hostacl enable
Description: Enable Web Alert for IP management.
Note: To disable Web Alert for IP management, run the command no web-alert hostacl enable in <Configuration Mode>.
Note: The company name, e-mail address, and phone are applied to the Web Alert for hazardous traffic in the same way.
Mode>.
To check the hosts handled by the Web Alert for IP Management function, run the command show hostacl
web-alert list in <Privileged Mode> or <Configuration Mode>.
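The TIMEMAP syntax used by alert-per-time (and by the time option of hostacl) is easy to get wrong at midnight, so the following Python helper, added here and not part of the guide or of PIOLINK's software, validates a TIMEMAP the way the rules above describe and tells you when a warning page would be sent. It generalizes the guide's 24-1 example to any window that crosses midnight; the exclusive end hour is an assumption the guide does not state.

```python
import re

# TIMEMAP as described for "web-alert hostacl alert-interval alert-per-time" (and the
# "time" option of hostacl): START-END hour ranges within 0-24, several separated by ','.
_RANGE = re.compile(r"\s*(\d{1,2})-(\d{1,2})\s*")


def overnight_to_timemap(start: int, end: int) -> str:
    """Write a window the way TiFRONT accepts it. A window that crosses midnight
    (start > end) becomes two ranges; 24-x becomes 0-x as the guide's note says.
    Splitting an arbitrary overnight window is this example's generalisation."""
    if start <= end:
        return f"{start}-{end}"
    if start == 24:
        return f"0-{end}"
    return f"{start}-24,0-{end}"


def parse_timemap(timemap: str) -> list:
    """Parse a TIMEMAP into (start, end) tuples. Raises ValueError, carrying the
    accepted rewrite, for any range TiFRONT would reject (start greater than end,
    or an hour outside 0-24)."""
    ranges = []
    for part in timemap.split(","):
        m = _RANGE.fullmatch(part)
        if not m:
            raise ValueError(f"bad range {part!r}: expected START-END")
        start, end = int(m.group(1)), int(m.group(2))
        if not (0 <= start <= 24 and 0 <= end <= 24):
            raise ValueError(f"hours must be within 0-24, got {part!r}")
        if start > end:
            raise ValueError(f"start must not be greater than end in {part!r}; "
                             f"use {overnight_to_timemap(start, end)!r} instead")
        ranges.append((start, end))
    return ranges


def alert_active(timemap: str, hour: int, minute: int = 0) -> bool:
    """True if a warning page would be sent at hour:minute under alert-per-time.
    The end hour is treated as exclusive (18-20 covers 18:00 through 19:59);
    this boundary rule is an assumption, the guide does not define it."""
    t = hour + minute / 60
    return any(start <= t < end for start, end in parse_timemap(timemap))
```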
Configuration Example
In this example, the Web Alert for hazardous traffic and Web Alert for IP management have been set and the
settings are queried.
Configuration item        Set value
Company name              PIOLINK
Administrator e-mail      admin@piolink.com
Administrator phone       9876
Display method            web-page
Sending period            alert-per-block
Redirection Web server    192.168.200.50/8080

(config)# web-alert display-company PIOLINK                   Set the company name to be displayed on the warning page.
(config)# web-alert display-mail admin@piolink.com            Set the administrator e-mail to be displayed on the warning page.
(config)# web-alert display-phone 9876                        Set the administrator phone number to be displayed on the warning page.
(config)# web-alert timatrix alert-type web-page              Set the display method of the Web Alert for hazardous traffic.
(config)# web-alert hostacl alert-type web-page               Set the display method of the Web Alert for IP management.
(config)# web-alert hostacl alert-interval alert-per-block    Set the sending period of the Web Alert for IP management.
(config)# web-alert hostacl server-ip 192.168.200.50 8080     Set the Web server to which the Web Alert for IP management redirects blocked users.
(config)# web-alert timatrix enable                           Enable Web Alert for hazardous traffic.
(config)# web-alert hostacl enable                            Enable Web Alert for IP management.