
Traffic Inspection + FRONT

Registered trademark
PIOLINK is a registered trademark of PIOLINK Inc.

Explanatory Notes
The copyright for this guide belongs to PIOLINK. This guide is legally protected by copyright law. Unauthorized extraction or
copying of this guide, in whole or in part, for any reason without the prior written consent of the copyright holder is strictly prohibited.
This user guide is subject to change without notice, in order to improve product functions and correct printing errors.
PIOLINK will bear no legal responsibilities over the damage and property loss that can be directly or indirectly caused by this
user guide and its contents.
Sellers and users should note that this product is registered as business-use equipment for electromagnetic compatibility purposes. If you have
purchased the wrong product type, please exchange it for a product designed for household use.
TiFRONT User Guide (May. 2014)
Copyright 2002-2014 PIOLINK, Inc. All rights reserved.
TEL: +82-1544-9890/ Web page: http://www.piolink.com

Before Getting Started


Guide overview
This User Guide has been prepared for TiFRONT users. It explains the procedures for configuring and
managing TiFRONT through the CLI (Command Line Interface). Read this User Guide carefully before using
TiFRONT and follow its instructions when operating the device. For the TiFRONT installation procedure,
refer to the Installation Guide supplied together with this guide.

Who should read this guide


This User Guide has been written for network administrators who understand L2 switching, LAN, WAN, STP,
SNMP, Ethernet and routing, and who have experience building and operating LANs (Local Area Networks).
This guide therefore does not explain these topics separately.

PLOS version
PLOS is the PIOLINK operating system installed on TiFRONT. This guide has been written for TiFRONT units
running PLOS-LS-V2.0.1 or a later version. If an earlier PLOS version is installed, the functions described
in this guide may not be supported, or may not work properly even when configured exactly as instructed.
The procedure for updating to the latest version of PLOS is described in Chapter 4, System Management.

Configuration examples
The configuration examples provided in this guide are based on TiFRONT-G24/G24P. The illustrated product
images and screen shots may therefore differ from those of TiFRONT-F26/F26P, TiFRONT-G48/G48P, and TiFRONT-GX24/GX24P/GX24M.

Notations of this guide


The following are descriptions of the "Note" and "Caution" marks used in this guide.

Note and caution marks


This guide uses the following icons and fonts to convey special messages to the reader.
Note: A "Note" provides information that is useful when read together with the contents of this guide, additional information, or
related data that can be helpful when using the product.

Caution: A "Caution" describes circumstances in which data can be lost or the product can malfunction, and explains how to cope with
those circumstances.


Screen content notations


In this User Guide, the following notations are used to denote the information displayed on the terminal, CLI
commands that are entered directly by the user, and keywords.

Notation       Description                                                      Example
#              System prompt symbol.                                            #
bold           Commands and keywords are written in bold type.                  # hostname
<Italics>      Arguments (parameters) for specifying values are written in      # ping <ip-address>
               italic font.
[]             Optional variables and commands are written in square            (config)# show storm-control [interface <IF-NAME>]
               brackets ([]).
{x | y | z}    Selectable variables are written in braces, divided by           (config)# mirroring {enable | disable}
               vertical lines. Users can select one of the variables.

Customer Support
If you need customer service, technical support, or more information on technical training, please contact us
using the following information and we will provide you with the necessary support.

Technical Assistance Center (TAC): +82-1544-9890
E-mail: support@piolink.com
Address: No.405, IT Castle 1 Building, 550-1, Gasan-dong, Geumcheon-gu, Seoul, South Korea.


Guide Contents
The chapters of this guide are composed of the following.
Chapter 1

Introduction to TiFRONT

This chapter introduces the major features and characteristics of TiFRONT.


Chapter 2

Before You Begin

This chapter explains the procedure for accessing TiFRONT through the CLI and the basics of using the CLI.
It also introduces TiManager, a GUI-based management system for TiFRONT.
Chapter 3

Basic Network Configuration

This chapter describes the procedures for configuring the network environment including ports, VLAN, MAC
address, and IP address. If you want to change TiFRONT settings according to your network environment, you
can do so by referring to this chapter.
Chapter 4

System Management

This chapter describes the procedures for setting and using the essential management functions of the
TiFRONT system such as system information view, PLOS update, user authentication and log management.
Chapter 5

Link Aggregation Configuration

This chapter explains the concept of Link Aggregation, the procedure for setting port trunking, and LACP
(Link Aggregation Control Protocol) in TiFRONT.
Chapter 6

SNMP Configuration

This chapter introduces SNMP (Simple Network Management Protocol) and describes the procedure for
setting SNMP in TiFRONT.
Chapter 7

RMON Configuration

This chapter introduces RMON (Remote Monitoring) and describes the procedure for setting RMON in
TiFRONT.
Chapter 8

STP Configuration

This chapter introduces STP (Spanning Tree Protocol), RSTP (Rapid Spanning-Tree Protocol), PVST+ (Per VLAN
Spanning Tree Plus), RPVST+ (Rapid Per VLAN Spanning Tree Plus), and MSTP (Multiple Spanning Tree
Protocol), and describes the procedure for setting STP in TiFRONT.
Chapter 9

Routing Protocol Configuration

This chapter introduces the routing protocols RIP (Routing Information Protocol), OSPF (Open Shortest Path
First), and BGP (Border Gateway Protocol), and describes the procedure for setting each routing protocol in
TiFRONT.
Chapter 10

Failover Configuration

This chapter introduces VRRP (Virtual Router Redundancy Protocol) for failover and the procedure for setting
VRRP in TiFRONT.


Chapter 11

QoS Configuration

This chapter introduces the QoS (Quality of Service) feature of TiFRONT and the procedure for setting QoS in
TiFRONT.
Chapter 12

IGMP Snooping Configuration

This chapter describes the concept of IGMP Snooping and the procedure for setting IGMP Snooping.
Chapter 13

Security Configuration

This chapter introduces and describes the procedures for setting the security features of TiFRONT including
DoS/DDoS blocking, Protocol Anomaly blocking, ACL (Access Control List), and system access control.


Contents
TiFRONT User Guide....................................................................................... 1
Before Getting Started...................................................................................................... 3
Guide overview ............................................................................................................. 3
Who should read this guide ......................................................................................................... 3
PLOS version .............................................................................................................................. 3
Configuration examples ............................................................................................................... 3
Notations of this guide ................................................................................................................. 3
Customer Support........................................................................................................................ 4

Guide Contents ............................................................................................................. 5


Contents........................................................................................................................ 7

Chapter 1 Introduction to TiFRONT ............................................................. 20


Product Overview ....................................................................................................... 21
Main Features and Characteristics ............................................................................. 22

Chapter 2 Before You Begin ......................................................................... 24


Accessing CLI ................................................................................................................. 24
Booting TiFRONT ...................................................................................................................... 25
Logging in through CLI .............................................................................................................. 26

How to Use Basic CLI ..................................................................................................... 27


Commands and Keyword Input/Output ...................................................................................... 27
Editing the command line........................................................................................................... 28

Command Modes ............................................................................................................ 29


Introduction to TiManager.............................................................................................. 31

Chapter 3 Basic Network Configuration ..................................................... 32


Port Setting ...................................................................................................................... 33
Port Speed Setting..................................................................................................................... 34
Transmission Mode Setting........................................................................................................ 34
MDI/MDI-X Setting ..................................................................................................................... 34
Port Description Setting ............................................................................................................. 34
Jumbo-frame Setting ................................................................................................................. 35
Flow Control Setting .................................................................................................................. 35
Storm Control Setting ................................................................................................ 35
Port Smart Auto-negotiation Setting ........................................................................................... 36
Port EEE (Energy Efficient Ethernet) Setting ............................................................................. 36

UDLD (UniDirectional Link Detection) Setting ............................................................................ 36


Port Information Display............................................................................................................. 37

Configuration examples .............................................................................................. 39


VLAN Setting ................................................................................................................... 41
VLAN Settings ............................................................................................................ 44
Creating VLAN and Setting Port Mode ...................................................................................... 44
Setting Port-based VLAN ........................................................................................................... 44
Setting MAC Address/IP Address/Ethernet Protocol-based VLAN ............................................. 46
Checking the Settings ................................................................................................................ 47

Configuration examples .............................................................................................. 48


Voice VLAN Setting ......................................................................................................... 50
Voice VLAN Setting ................................................................................................................... 50
Checking the Settings ................................................................................................................ 51

Configuration examples .............................................................................................. 51


MAC Address Setting ..................................................................................................... 52
MAC Address Table Setting ....................................................................................................... 52
MAC Filtering ............................................................................................................................. 53
Limiting the Number of MAC Addresses .................................................................................... 53

Configuration examples .............................................................................................. 54


IP Address Setting .......................................................................................................... 55
Enable/Disable Interface ............................................................................................................ 55
IP Address Setting for Interface ................................................................................................. 56
Adding Default Gateway ............................................................................................................ 56
Adding Fixed Route ................................................................................................................... 57
IPv6 Neighbor Setting ................................................................................................................ 58
Interface Description Setting ...................................................................................................... 59

Configuration examples .............................................................................................. 59


ARP Table Setting ........................................................................................................... 61
Configuration examples .............................................................................................. 61
ECMP (Equal Cost Multi-Path) Setting .......................................................................... 62
Console Data Transmission Speed Setting.................................................................. 62
Port Mirroring Setting ..................................................................................................... 63
Overview ..................................................................................................................... 63
Port Mirroring Setting .................................................................................................. 64
Checking Port Mirroring Setting ................................................................................................. 65

Configuration examples .............................................................................................. 65



Port Failover Setting ....................................................................................................... 66


Overview ..................................................................................................................... 66
Port Failover Setting ................................................................................................... 66
Checking Port Failover Setting .................................................................................................. 66

Configuration examples .............................................................................................. 67


DHCP Setting ................................................................................................................... 68
DHCP Server Settings ................................................................................................ 68
IP Pool Setting ........................................................................................................................... 68
Interface Setting......................................................................................................................... 69
Enabling DHCP Server .............................................................................................................. 70
Resetting IP Address Allocation ................................................................................................. 70
DHCP Packet Statistics Setting ................................................................................................. 70
Checking the DHCP Server Information..................................................................................... 70
Checking the DHCP Packet Statistics Information ..................................................................... 71

DHCP Relay Agent Setting ......................................................................................... 71


DHCP Relay Agent Setting ........................................................................................................ 71
DHCP Option-82 Setting ............................................................................................................ 71
Enabling DHCP Relay Agent ..................................................................................................... 72
Checking the DHCP Relay Agent Settings ................................................................................. 72

Configuration examples .............................................................................................. 72


NetBIOS Filtering ............................................................................................................ 74
NetBIOS Filtering ....................................................................................................................... 74

DHCP Filtering ................................................................................................................. 74


Checking the DHCP Filtering Settings ....................................................................................... 74

Network Connection Check ........................................................................................... 75


Ping Connection Test .................................................................................................. 75
Configuration examples ............................................................................................................. 76

Packet Route Tracking................................................................................................ 77


Configuration examples ............................................................................................................. 78

PoE Setting ...................................................................................................................... 79


Overview ..................................................................................................................... 79
PoE Operation Method ............................................................................................... 79
PoE Setting ................................................................................................................. 80
Operation Mode Setting ............................................................................................................. 80
Power Mode Setting .................................................................................................................. 81
Maximum Power Supply Setting ................................................................................................ 81
Power Supply Priority Setting .................................................................................................... 81
Power Supply Time Setting ........................................................................................................ 82

Enabling PoE ............................................................................................................................. 82


Checking the Settings ................................................................................................................ 82

Configuration examples .............................................................................................. 83


Packet Monitoring ........................................................................................................... 84
Configuration examples .............................................................................................. 85
sFlow Setting ................................................................................................................... 87
sFlow Settings ............................................................................................................ 87
sFlow Collector Setting .............................................................................................................. 87
sFlow Sampling Rate Setting ..................................................................................................... 87
Checking the Settings ................................................................................................................ 87

Configuration examples .............................................................................................. 88

Chapter 4 System Management ................................................................... 89


System Verification ......................................................................................................... 90
System Information Display ....................................................................................................... 90
PLOS Version Display ............................................................................................................... 90
System Resource Status Display ............................................................................................... 90
Hardware Status Display ........................................................................................................... 90

Configuration examples .............................................................................................. 91


Port Monitoring ............................................................................................................... 92
Basic System Management ........................................................................................... 93
System Name Setting ................................................................................................. 93
Console Connection Timeout Setting ......................................................................... 93
Terminal Session Count/Connection Timeout Settings .............................................. 94
Terminal Port Setting .................................................................................................. 94
Terminal Type Setting ................................................................................................. 95
System Time/Date Setting .......................................................................................... 95
Time Zone Setting...................................................................................................................... 95
Direct Setting of System Time/Date ........................................................................................... 96
NTP (Network Time Protocol) Client Setting .............................................................................. 96

Manual System Rebooting.......................................................................................... 97


Remote Access ........................................................................................................... 97
Login Banner Setting .................................................................................................. 97
Showing Used Commands History ............................................................................. 98
Configuration examples .............................................................................................. 98
Configuration File ......................................................................................................... 102
Overview ................................................................................................................... 102
Saving the Configuration File ................................................................................................... 102

Restoring Initial Configuration .................................................................................................. 102


Showing the Content of Configuration File ............................................................................... 102

Configuration examples ............................................................................................ 103


PLOS .............................................................................................................................. 105
PLOS Update .......................................................................................................................... 105
Boot Loader Update ................................................................................................................. 106
Showing USB Memory Information .......................................................................................... 106
Showing PLOS and Boot Loader Information .......................................................................... 106

Configuration examples ............................................................................................ 107


User Account ................................................................................................................. 108
Default User .............................................................................................................. 108
User Level ................................................................................................................. 108
User Account Settings .............................................................................................. 108
Setting User ID and Password Combination Rules .................................................................. 108
Setting Minimum Length for User ID and Password................................................................. 109
Adding User Account ............................................................................................................... 109
Changing Password................................................................................................................. 110
Setting Password Expiration Period ......................................................................................... 110
User Level Command Setting .................................................................................................. 111
User Level Password Setting ................................................................................................... 111
Showing User Account Information .......................................................................................... 112

Configuration examples ............................................................................................. 112


User Account Authentication........................................................................................ 113
RADIUS ..................................................................................................................... 113
RADIUS Server Configuration ................................................................................................. 113

Configuration examples ............................................................................................. 114


TACACS+ .................................................................................................................. 115
TACACS+ Configuration .......................................................................................................... 115

Configuration examples ............................................................................................. 116


Log Management ........................................................................................................... 117
Overview .................................................................................................................... 117
Log Buffer ................................................................................................................................ 117
Event Types and Levels ........................................................................................................... 117

Log Settings ............................................................................................................... 118


Setting Event Types and Levels ............................................................................................... 118
Sending Log Messages ........................................................................................................... 119
Checking the Log Settings ....................................................................................................... 119

Showing Logs ........................................................................................................... 120



Configuration examples ............................................................................................ 120


Self Loop Detection ...................................................................................................... 123
LLDP Configuration ...................................................................................................... 124
LLDP Configuration ................................................................................................................. 124
Showing the Information of Neighbor Devices ......................................................................... 125
Showing Statistics.................................................................................................................... 125

Configuration examples ............................................................................................ 126


Stacking Configuration ................................................................................................ 127
Cautions for Using Stacking..................................................................................................... 128
Registering the Stacking License ............................................................................................. 128
Setting the Stacking Status ...................................................................................................... 128
PLOS Update .......................................................................................................................... 129
Rebooting the System ................................................................................................ 130
Checking the Settings .............................................................................................................. 130

Chapter 5 Link Aggregation Configuration ............................................... 131


Link Aggregation Overview ......................................................................................... 131
Port Trunking ............................................................................................................ 132
LACP......................................................................................................................... 132
Cautions for Link Aggregation Setting ...................................................................................... 133

Port Trunking Setting ................................................................................................... 134


Trunking Group Setting ............................................................................................................ 134
Load Balance Algorithm Setting ............................................................................................... 134
Checking the Settings .............................................................................................................. 134

Configuration Example ............................................................................................. 135


LACP Setting ................................................................................................................. 136
Aggregator/LACP Operation Mode Setting .............................................................................. 136
LACP Device Priority Setting ................................................................................................... 136
Member Port Priority Setting .................................................................................................... 136
Load Balance Algorithm Setting ............................................................................................... 137
Checking the Settings .............................................................................................................. 137

Configuration Example ............................................................................................. 138

Chapter 6 SNMP Configuration .................................................................. 139


SNMP Overview ............................................................................................................. 139
Components of SNMP .............................................................................................. 140
Communication between SNMP Manager and Agent .............................................. 142

Authentication .......................................................................................................................... 142


Communication Command ...................................................................................................... 142

SNMP Versions ......................................................................................................... 143


SNMP Configuration ..................................................................................................... 143
SNMP Configuration Items ...................................................................................................... 143
SNMP Community Setting ....................................................................................................... 144
SNMP User Setting .................................................................................................................. 144
SNMP Trap Host Setting .......................................................................................................... 144
SNMP Trap Host Community Setting ....................................................................................... 145
SNMP Trap Setting .................................................................................................................. 145
Setting Device Information (name, contact, location) ............................................................... 145
Enabling SNMP Trap ............................................................................................................... 146
Applying SNMP Settings .......................................................................................................... 146
Checking the SNMP Settings ................................................................................................... 146

Configuration Example ............................................................................................. 147

Chapter 7 RMON Configuration ................................................................. 148


RMON Overview ............................................................................................................ 149
RMON Setting ................................................................................................................ 151
RMON Statistics Group Setting................................................................................................ 151
RMON History Group Setting ................................................................................................... 151
RMON Event Group Setting ..................................................................................................... 152
RMON Alarm Group Setting ..................................................................................................... 153

Configuration Example ............................................................................................. 155

Chapter 8 STP Configuration ..................................................................... 156


STP ................................................................................................................................. 156
BPDU (Bridge Protocol Data Unit) ........................................................................................... 158
Port States ............................................................................................................................... 159
Selecting Route ....................................................................................................................... 160

RSTP............................................................................................................................... 161
Port States ............................................................................................................... 161
Changing BPDU Policy ............................................................................................................ 161
Shortening Network Convergence Time................................................................................... 162

PVST+/RPVST+/MSTP .................................................................................................. 164


Spanning Tree Setting .................................................................................................. 167
Spanning Tree Mode Setting ................................................................................................... 167


Enabling Spanning Tree........................................................................................................... 167


Root Switch Setting ................................................................................................................. 167
Route Cost Setting................................................................................................................... 167
Port Priority Setting .................................................................................................................. 168
Edge Port Setting..................................................................................................................... 168
BPDU Filter Setting.................................................................................................................. 169
BPDU Guard Setting ................................................................................................................ 169
Root Guard Setting .................................................................................................................. 170
Hello Time Setting.................................................................................................................... 170
Forward Delay Time Setting ..................................................................................................... 171
Maximum Aging Time Setting .................................................................................................. 171
BPDU Hop Setting ................................................................................................................... 171
MST Region Setting ................................................................................................................. 172
Instance Setting ....................................................................................................................... 172
Operation Mode Setting ........................................................................................................... 174
Checking the Settings .............................................................................................................. 174

Configuration Example ............................................................................................. 175

Chapter 9 Routing Protocol Configuration ............................................... 179


L3 License Registration ............................................................................................... 179
Registering the License ........................................................................................................... 180
Setting the State of Routing Function ...................................................................................... 180

Filter Setting .................................................................................................................. 181


Prefix List Setting ..................................................................................................................... 181

Route Map Setting ........................................................................................................ 182


Creating a Route Map .............................................................................................................. 182
Setting the Conditions for Comparing Routing Information ...................................................... 182
Setting the Routing Information Attributes ................................................................................ 184

RIP Overview and Setting ............................................................................................ 187


RIP Overview ............................................................................................................ 187
RIP Settings .............................................................................................................. 189
Enabling RIP ............................................................................................................................ 190
RIP Timer Setting..................................................................................................................... 190
RIP Version Setting .................................................................................................................. 191
Route Redistribution Setting .................................................................................................... 191
Default Route Setting ............................................................................................................... 191
Default Metric Setting .............................................................................................................. 192
RIP Fixed Route Setting .......................................................................................................... 192
Limiting the Number of RIP Routes .......................................................................................... 192

Neighbor Router Setting .......................................................................................................... 193


Authentication Key Chain Setting............................................................................................. 193
Routing Information Filtering .................................................................................................... 194
Deleting RIP Routing Information............................................................................................. 195
Cisco Metric Update Support Setting ....................................................................................... 196
RIP Setting of Interface ............................................................................................................ 196

Checking the RIP Settings ........................................................................................ 197


Checking the RIP Routing Table ............................................................................... 197
OSPF Overview and Setting ........................................................................................ 198
OSPF Overview ........................................................................................................ 198
OSPF Routing Topology .......................................................................................................... 198
OSPF Operation Method ......................................................................................................... 200

OSPF Settings .......................................................................................................... 201


OSPF Router ID Setting........................................................................................................... 201
Restarting OSPF Routing Process........................................................................................... 202
Area Setting ............................................................................................................................. 202
Area Authentication Setting...................................................................................................... 203
Stub Area Setting ..................................................................................................................... 203
NSSA (Not-So-Stubby-Area) Setting........................................................................................ 204
Routing Information Filtering .................................................................................................... 205
Route Summarization Setting .................................................................................................. 206
RFC 1583 Support Setting ....................................................................................................... 207
Virtual Route Setting ................................................................................................................ 207
Route Redistribution Setting .................................................................................................... 209
Reference Bandwidth Setting .................................................................................................. 210
Default Route Setting ............................................................................................................... 211
OSPF Interface Attribute Setting .............................................................................................. 211

Checking OSPF Information ..................................................................................... 215


Checking the OSPF Routing Table .......................................................................................... 215
Checking OSPF Configuration Information .............................................................................. 215
Checking OSPF Neighbor Router Information ......................................................................... 215
ABR/ASBR Router Information of OSPF Instance ................................................................... 216
Checking Virtual Route Information ......................................................................................... 216
Checking OSPF Interface Information ..................................................................................... 216
Checking OSPF Database Information .................................................................................... 216

BGP Overview and Setting........................................................................................... 217


BGP Overview .......................................................................................................... 217
Selecting BGP Route ............................................................................................................... 218
BGP Timers ............................................................................................................................. 219

Characteristics of BGP............................................................................................................. 219

BGP Settings ............................................................................................................ 220


Enabling BGP .......................................................................................................................... 221
Peer Group Setting .................................................................................................................. 221
BGP Neighbor Setting.............................................................................................................. 222
Network Setting for Sending Information to BGP Neighbor ...................................................... 224
Route Redistribution Setting .................................................................................................... 224
Default Route Setting ............................................................................................................... 225
Route Reflector Setting ............................................................................................................ 225
Setting the Removal of Private AS Numbers ............................................................................ 226
BGP Attribute Setting ............................................................................................................... 226
Route Aggregation Setting ....................................................................................................... 232
Timer Settings .......................................................................................................................... 232
Fast External Failover Setting .................................................................................................. 234
Neighbor State Change Log Setting ........................................................................................ 234
Validity Check Period Setting for BGP Routing Information ..................................................... 235
Nexthop Address Tracking Setting ........................................................................................... 235
eBGP Multihop Setting............................................................................................................. 236
Enforce Multihop Setting .......................................................................................................... 236
Maximum Prefix Setting ........................................................................................................... 237
Next Hop Self Setting .............................................................................................................. 237
RFC 1771 Support Setting ....................................................................................................... 238
Loopback Interface Setting ...................................................................................................... 238
BGP Session Reset ................................................................................................................. 239
Routing Information Filtering .................................................................................................... 239

Checking the BGP Information ................................................................................. 242


Showing the BGP Routing Table .............................................................................................. 242
Showing BGP Neighbor Information ........................................................................................ 242
Showing BGP Connection Information ..................................................................................... 242

Chapter 10 Failover Configuration ............................................................ 243


VRRP Overview ............................................................................................................. 243
VRRP Setting ................................................................................................................. 246
VRRP Setting Items ................................................................................................................. 246
Creating VRRP Group ............................................................................................................. 246
Virtual IP Address Setting ........................................................................................................ 246
Priority Setting ......................................................................................................................... 247
Advertisement Transmission Period Setting............................................................................. 247
Preempt Function Setting ........................................................................................................ 247


Checking VRRP Settings ......................................................................................................... 247

Configuration Example ............................................................................................. 248

Chapter 11 QoS Configuration ................................................................... 249


Understanding QoS ...................................................................................................... 249
Overview ................................................................................................................... 250
Class ......................................................................................................................... 250
Policy ......................................................................................................................... 251
Queue Scheduling .................................................................................................... 251
Bandwidth Limit (Rate Limit) ..................................................................................... 252
QoS Configuration ........................................................................................................ 252
Class Map Setting ..................................................................................................... 252
Policy Map Setting .................................................................................................... 253
Service Policy Setting ............................................................................................... 254
Queue Scheduling Method Setting ........................................................................... 255
Bandwidth Limit Setting ............................................................................................ 255
Checking the Settings ............................................................................................... 256
Configuration Example ............................................................................................. 257

Chapter 12 IGMP Snooping Configuration................................................ 258


IGMP Snooping Overview ............................................................................................ 258
IGMP Snooping Configuration..................................................................................... 259
Enabling IGMP Snooping ......................................................................................................... 259
IGMP Snooping Version Setting............................................................................................... 259

IGMPv2 Snooping Configuration .............................................................................. 260


IGMP Snooping Querier Setting............................................................................................... 260
IGMP Snooping Query Transmission Period Setting ................................................................ 260
IGMP Snooping Query Response Time Limit Setting ............................................................... 260
IGMP Startup Query Transmission Period Setting ................................................................... 261
IGMP Startup Query Transmission Count Setting .................................................................... 261
IGMP Robustness Variable Setting .......................................................................................... 261
Transmission Period Setting for IGMP Snooping Last Member Query ..................................... 262
Transmission Count Setting for IGMP Snooping Last Member Query ...................................... 262
IGMP Fast-Leave Setting ......................................................................................................... 262
Multicast Router Port Setting ................................................................................................... 263
IGMP Multicast Filter Setting.................................................................................................... 263
IGMP Snooping Proxy Setting ................................................................................................. 264
Checking IGMP Snooping Settings ........................................................................... 264

Configuration Example ............................................................................................. 264



Chapter 13 Security Configuration ............................................................ 266


TiMatrix Setting ............................................................................................................. 266
DoS/DDoS Blocking .................................................................................................. 267
Setting the DoS/DDoS Blocking Function ................................................................................ 268
Permit List Setting.................................................................................................................... 271
Checking the Settings .............................................................................................................. 272
Showing Statistics.................................................................................................................... 272
Showing Filter Information ....................................................................................................... 272
Deleting Filters ......................................................................................................................... 272
Showing the MAC Flooding Blocking List ................................................................... 273

Configuration Example ............................................................................................. 273


Protocol Anomaly Blocking ....................................................................................... 274
Setting the Protocol Anomaly Blocking Function ...................................................................... 274
Checking the Settings .............................................................................................................. 275

Configuration Example ............................................................................................. 275


Static Host Setting .................................................................................................... 276
Checking the Settings .............................................................................................................. 276

Security Level Setting ............................................................................................... 276


Checking the Settings .............................................................................................................. 276

Checking User IP Address ........................................................................................ 276


ACL (Access Control List) ........................................................................................... 277
ACL Setting.............................................................................................................................. 277

Configuration Example ............................................................................................. 280


System Access Control ................................................................................................ 282
Priority of Access Rules ........................................................................................................... 282
Operation Process of System Access Control Functions ......................................................... 283
System Access Control Setting ................................................................................................ 283

Configuration Example ............................................................................................. 284


Integrated Authentication ............................................................................................ 285
802.1x Authentication ............................................................................................... 286
MAC Authentication .................................................................................................. 287
Web Authentication ................................................................................................... 288
Authentication Mode ................................................................................................. 290
Integrated Authentication Setting .............................................................................. 291
Cautions for Integrated Authentication Setting ......................................................................... 291
Authentication Server Setting .................................................................................................. 291
Enabling Integrated Authentication .......................................................................................... 291
MAC Authentication Setting ..................................................................................................... 292

18
TiFRONT User Guide

Authentication Port Setting ...................................................................................................... 292


Initializing Port Authentication State ......................................................................................... 296
Checking the Integrated Authentication Setting ....................................................................... 296
Checking the 802.1x Authentication Statistics.......................................................................... 297
Setting EAPOL Packet Forwarding .......................................................................................... 297

Configuration Example ............................................................................................. 297


IP Management Setting ................................................................................................ 299
Setting the State of IP Management Function .......................................................................... 299
Management Host Setting ....................................................................................................... 299
Permission Protocol Setting ..................................................................................................... 300
Uplink Port Setting ................................................................................................................... 300
TiManager Connection Setting ................................................................................................. 300
Checking the Settings .............................................................................................................. 301

Configuration Example ............................................................................................. 301


Web Alert Setting .......................................................................................................... 302
Web Alert Setting for Hazardous Traffic ................................................................................... 302
Web Alert Setting for IP Management ...................................................................................... 303
Checking the Settings .............................................................................................................. 304

Configuration Example ............................................................................................. 304


Chapter 1
Introduction to TiFRONT
This chapter introduces the major features and characteristics of TiFRONT.
This chapter is composed of the following sections:
Product Overview
Main Features and Characteristics


Product Overview
TiFRONT is a highly efficient L2 switch that transmits traffic from personal PCs or Web servers in a VLAN or
network to a medium-sized switch or router. Besides switching features, TiFRONT also offers security
features that address security issues at the L2 level, the network access level, which is relatively more
vulnerable than L4 and L7.
Various attacks at the network access level can spread to the core level and cause greater security problems.
To address this problem and protect the access level, TiFRONT monitors network traffic in real time and
effectively blocks malicious attacks such as viruses, worms, DoS/DDoS attacks, and IP/ARP spoofing. This
prevents security violation incidents in the network and enables stable services by improving the security of
the entire network.
The following figure shows an example network configuration using TiFRONT.

[Figure - General Configuration of TiFRONT: Core level (Router, L4 switch, Firewall, Backbone switch);
Access level (TiFRONT, whose security features block attacks from attackers, and causes of problems are
reported in real time through TiManager)]

As shown in the above configuration diagram, TiFRONT is located at the access level of the network and
guarantees a stable network through intelligent L2 switching technology. Furthermore, its L2 security
features, built on the L2 switching technology, not only prevent the excessive concentration of abnormal
traffic such as worms and DoS/DDoS on the server, which makes the server unable to provide normal services,
but also block malicious attacks at the source, thereby preventing their spread to the core level.
Furthermore, the GUI-based TiFRONT management system TiManager allows you to monitor devices in real
time and remotely set security features, so as to quickly respond to attacks and resolve problems.

Main Features and Characteristics


The main features of TiFRONT are described below.

Link Aggregation
TiFRONT supports Link Aggregation, a feature that groups multiple ports and uses each group as a logical
port. By grouping multiple ports into one trunk group through Link Aggregation, you can use it as one port
that has a large bandwidth. Furthermore, TiFRONT can implement port trunking through the IEEE 802.3ad
standard and uses LACP (Link Aggregation Control Protocol). LACP is a protocol that allows two or more ports
to work as one trunking group, and you can assign a greater bandwidth to devices that support LACP.

Convenient Network Management Tools


TiFRONT provides the CLI (Command Line Interface) and GUI-based TiManager for network management.
Furthermore, it supports SNMP and provides a port mirroring feature for resolving network problems.
Logging in to the system is required to use these management tools.
Console Commands
You can directly connect from the console port to the terminal or remotely access TiFRONT through Telnet to
control TiFRONT or monitor the network through console commands in the CLI environment.
TiManager
The GUI management environment is provided through TiManager to allow you to more easily and
conveniently manage the TiFRONT system and the network. TiManager allows you to monitor TiFRONT in real
time and remotely control the TiFRONT system and the network environment. Furthermore, you can
collectively process the security settings of multiple TiFRONT systems.
TiManager is more intuitive and convenient than CLI because you can collectively configure specific features
on one page without having to use multiple CLI commands. For more details about the TiManager interface
screen components and how to use them, please see the TiManager User Guide which is supplied together
with this guide.


SNMP
SNMP is a standard protocol used to transmit management information between the Network Management
System (NMS) and the network devices. SNMP allows you to remotely check and manage network
performance and problems.
Port Mirroring
Port mirroring is a feature that transmits copies of all packets that are sent from and received at specific
ports to another port in order to analyze packets in preparation for network troubles. TiFRONT can perform
port mirroring without affecting the system performance.
STP & RSTP & PVSTP & MSTP
To prevent the generation of loops in a network that has multiple routes, TiFRONT supports STP (Spanning
Tree Protocol), RSTP (Rapid Spanning Tree Protocol), PVSTP (Per VLAN Spanning Tree Protocol), and MSTP
(Multiple Spanning Tree Protocol) according to the IEEE 802.1D and IEEE 802.1w standards.


QoS
TiFRONT supports QoS (Quality of Service) feature which differentiates the inflow level depending on the type
of traffic and assigns bandwidth according to the service priority. QoS ensures the network service quality
above a certain level. QoS restricts the occupation of the network by unimportant traffic such as chatting so
as to promote more efficient use of limited network resources.

Security Functions
To improve the stability and availability of the network and maintain the security of the devices themselves,
TiFRONT provides the following security functions.
Basic Security Functions
In addition to the user ID and password registered in the device, TiFRONT allows the setting of a user
authentication policy by port based on IEEE 802.1x for basic security. Furthermore, it uses the RADIUS
(Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access Control
System+) protocols to provide user authentication for external access through Telnet, the Web, or the
console. Using a user authentication protocol enhances the security level of system and network
management. Furthermore, TiFRONT can use SSH (Secure Shell) for network security. SSH improves
network security because all data are encrypted.
DoS/DDoS Blocking
DoS/DDoS blocking is to block the DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks
which delay or paralyze normal services by attacking the structural weaknesses of the system or network.
The DoS/DDoS blocking feature allows you to protect the network from DoS/DDoS attacks such as
TCP/UDP/ICMP Flooding, IP/ARP Spoofing, and Port Scan.
Protocol Anomaly Blocking
Protocol Anomaly Blocking is to block abnormal traffic that has violated the standard protocols such as TCP,
UDP, and ICMP. The Protocol Anomaly Blocking feature allows you to protect the network from the LAND,
Invalid TCP Flag, TCP/ICMP Fragments, and Smurf attacks.
ACL (Access Control List)
ACL filters packets by inspecting the source IP address, destination IP address, source port number,
destination port number, and protocol. ACL allows you to improve security by blocking unauthorized network
or user packets and to intercept unnecessary traffic, thus enhancing the network availability.
System Access Control
The system access control only allows specific packets to be received in order to protect the system. The
system access control feature can prevent unauthorized users from accessing TiFRONT and viewing
information or arbitrarily changing the settings.


Chapter 2
Before You Begin
This chapter explains the procedure for accessing TiFRONT through CLI and the basic information about how
to use CLI, as well as the command mode of TiFRONT. Furthermore, TiManager, which is a GUI-based
management system for TiFRONT, is introduced.
This chapter is composed of the following contents:
Accessing CLI
How to Use Basic CLI
Command Mode
Introduction to TiManager


Accessing CLI
Booting TiFRONT
When you power on TiFRONT, it boots in the following sequence, then the login prompt will appear.
Check the software version.
Hardware reset power test
TiFRONT login prompt

The following message appears when you turn on TiFRONT.

TiFRONT (PIOLINK Inc.)


Bootloader version : 2.0 (Build time: Jul 6 2012 - 17:53:53)
TiFRONT G24 board revision serial #: R210T7400A04338
MAC address: 00:06:c4:74:13:7a
PLOS-LS version: 1.0.30 (size: 33554432) is uploading....
Board: TiFRONT-G24
/sbin/rc starting
TiFRONT INIT SCRIPT
Updating module dependencies
Setting up loopback
TiFRONT running......
QC module loading
localtime link
Starting syslogd
logfiler started.
Starting snmpd
Switch module Init
Switch Port Mapping TiFRONT G24
User defined switch configuration is loaded
Starting switch IMISH
Starting Cron
Starting xinetd
Starting Health check
Hardware Monitoring
watchdog enable ENABLE
TiFRONT login:

Note: The above description may differ by software version of TiFRONT.


Logging in through CLI


When TiFRONT boots up, the login prompt appears on the console window as shown below. Enter your user
ID and password to log in to TiFRONT.
TiFRONT login: root
password:

When logging in for the first time, you must use the default root user account. The ID and password of the
root user account are root and admin, respectively. Root has the administrator permissions, so if you log in to
the root account, you can monitor the system status and change the settings.
Because root and admin are commonly used as an ID and password, you must change the user ID and
password after logging in to TiFRONT for security. The procedure for changing the user ID and password of
TiFRONT is described in Chapter 4. System Management of this guide.

Note: If you fail to log in with an ID three times, you cannot log in with the ID for 3 minutes.


How to Use Basic CLI


CLI is the basic user interface used to configure, monitor, and maintain TiFRONT. You can access TiFRONT
through a console port or terminal, or another remote access tool. After logging into TiFRONT, you can use
CLI to directly manage or define various settings of TiFRONT.

Commands and Keyword Input/Output


You can check the available commands in the current command mode by entering ? at the system prompt.
Furthermore, you can check the keywords and parameters that you can use with the command by entering ?
at the back of a command.
You can use ? to get help with the name, keyword, and parameters of a command in command mode as
follows:
# ?
If you enter a part of a command and type ? right after it, commands starting with the entered letters are
listed. In this case, there must not be a space between the last letter of the command you've entered and ?.
# s?
If you enter ? after a command without any keyword or parameter, the available keywords and parameters
for that command are listed. In this case, there must be one space between the last letter of the command
you've entered and ?.
(config)# snmp ?
You can shorten some commands and keywords to a minimum number of characters to differentiate them
from other commands or keywords. For example, the command show can be shortened to sh.
# sh
Furthermore, if you press the <Tab> key after entering the shortened characters, the command is
automatically completed. For example, if you enter sh and press the <Tab> key as follows, the show
command is automatically completed.
# sh<TAB>


Editing the command line


The history buffer stores the last 50 commands that you used in the command line. In addition, you can
reuse or edit the commands that you used at the prompt. Refer to the shortcut keys and descriptions in the
following table.
Shortcut keys            Functions
Ctrl+A                   Move the cursor to the very front of the command.
Ctrl+B, left arrow       Move the cursor one character to the left.
Ctrl+C                   Stop the current command and change to the initial prompt status.
Ctrl+D                   Erase the character at the cursor.
Ctrl+E                   Move the cursor to the very end of the command.
Ctrl+F, right arrow      Move the cursor one character to the right.
Ctrl+K                   Erase the characters from the cursor position to the end of the command.
Ctrl+N, down arrow       Move to the next command line stored in the history buffer.
Ctrl+P, up arrow         Move to the previous command line stored in the history buffer.
Ctrl+W                   Erase the word immediately before the cursor.


Command Modes
The CLI of TiFRONT has various command modes such as User, Privileged, Configuration, etc. Each mode
limits access according to user level and provides different commands for the configuration and maintenance
of TiFRONT and for network monitoring. You can check the available commands in the current command
mode by entering ? at the system prompt.
The following table describes the command modes supported by the CLI of TiFRONT and the tasks that can
be performed in each command mode.
Command Mode / Description

User Mode
    This is the default mode that appears when you log in to TiFRONT. User Mode is provided to every user
    who logs in to the system and only the read permission is given. Only limited CLI commands such as
    checking the settings can be used and the system settings cannot be changed.

Privileged Mode
    To have system setting permission in addition to read permission, you must enter Privileged mode. You
    can enter Privileged mode by using the enable command in User Mode. When you enter Privileged mode,
    the system prompt changes from > to #. You can change the terminal settings and check the network
    status and system information in Privileged mode.

Configuration mode
    In Configuration mode, you can change the settings of TiFRONT and enter another configuration mode to
    configure VLAN, LACP, and SNMP. You can enter from Privileged to Configuration mode by using the
    configure terminal command. When you enter Configuration mode, the system prompt changes from # to
    (config)#.

Interface configuration mode
    In this mode, you can configure the functions of specific ports or a VLAN interface.

QoS configuration mode
    In this mode, you can configure the various QoS (Quality of Service) functions that are supported by the
    system.

Class-map configuration mode
    You can specify the class map to which the QoS function will be applied.

Policy-map configuration mode
    In this mode, you can configure the policy map to apply to the class defined in the class-map
    configuration mode. The policy map sets the QoS action.

Note: TiFRONT recommends Single-Access which only allows one user (session) in Configuration mode by default. If two or more users
simultaneously access the Configuration mode, the configure terminal force command is run.

To enter each command mode, you must run the command in a specific mode. The following table shows the
prompt of each command mode, the commands used to enter specific command modes, and the modes that
can run the command.

Command Mode                          Prompt                     Command Running Mode           CLI Command
User mode                             >                          None (default mode at log in)  None (default mode at log in)
Privileged mode                       #                          User mode                      enable
Configuration mode                    (config)#                  Privileged mode                configure terminal
Interface configuration mode          (config-if-<IF-NAME>)#     Configuration mode             interface <IF-NAME>
QoS configuration mode                (config-qos)#              Configuration mode             Qos
Class-map configuration mode          (config-qos-cmap)#         QoS configuration mode         class-map <class-map-name>
Policy-map configuration mode         (config-qos-pmap)#         QoS configuration mode         policy-map <policy-map-name>
Policy-map-class configuration mode   (config-qos-pmap-class)#   Policy-map configuration mode  class <class-map-name>

Note: To enter the <Interface configuration mode> of a port, you can specify the range of ports by using the command interface range
<WORD>. To specify two or more ports in <WORD>, separate the ports by ,. To specify continuous ports, use -.
(config)# interface range ge1-5
(config-if-range)#
(config)# interface range ge2,4
(config-if-range)#

The following shows the commands used to stop the current mode and return to the previous mode or move
to <Privileged mode>.

Command     Description
end         Stop the current mode and move to Privileged mode.
exit        Stop the current mode and return to the previous mode.

The following table describes the command modes and the corresponding commands when logging out of
TiFRONT. You must enter the commands in <User mode> or <Privileged mode> in order to log out.

Command Mode       Command
User Mode          logout or exit
Privileged Mode    logout


Introduction to TiManager
TiManager is the TiFRONT management tool that allows you to effectively manage devices by monitoring the
events of network devices and the security information of the network through the GUI environment.
TiManager allows you to remotely manage multiple devices and configure the security features of TiFRONT.
TiManager stores the log files and other information received from the monitored devices in a database. It
monitors the device status and security status through the database and generates alarms or reports when
the received log information matches the alarm setting.
Because this process is automatically carried out in TiManager, the time for managing and analyzing log files
by security or network administrators is saved. You can use this saved time to analyze the network security
status based on the information provided by TiManager and establish measures to prevent security risks so
as to more safely protect the network.
Note: For details about the procedures for installing and using TiManager, please see the TiManager Server Installation Guide, which is supplied
together with this guide.


Chapter 3
Basic Network Configuration
This chapter explains the basic configuration setup for TiFRONT. As TiFRONT is shipped with its basic
configuration, you can use this product without configuring it as described in this chapter. However, if you
want to change the device settings according to your network environment, you can do so by referring to this
chapter.
This chapter is composed of the following parts:
Port Setting
VLAN Setting
Voice VLAN Setting
MAC Address Setting
IP Address Setting
ARP Table Setting
Console Data Transmission Speed Setting
Port Mirroring Setting
Port Failover Setting
DHCP Setting
NetBIOS Filtering
DHCP Filtering
Network Connection Check
PoE Setting
Packet Monitoring
sFlow Setting


Port Setting
In order to exchange data normally with the other device connected to a TiFRONT port, the following port
properties must be set correctly.
Speed
Set the speed of the cable to be connected to the port of TiFRONT.
Transmission Mode (Duplex Mode)
Select the data transmission mode between Half Duplex Mode and Full Duplex Mode. In Half Duplex Mode,
which works like a walkie-talkie, only one device can send data while the other device is receiving the data. In
Full Duplex Mode, which works like a telephone, both devices can send data to each other simultaneously.
MDI/MDI-X
MDI (Medium Dependent Interface) and MDIX (Medium Dependent Interface with Crossover) are connector
types for the Ethernet port. You must use a cross cable if the connector type is identical to that of the other
port (MDI-MDI, MDIX-MDIX); otherwise (MDI-MDIX, MDIX-MDI), you must use a serial cable.
Flow Control
Flow control controls the packet flow when packets are exchanged between two devices. If the port of each
device receives more packets than the limit, the packets are lost. Flow control is used to prevent this by
controlling the packet flow. Packet loss caused by differences in packet processing speeds between the
sender and receiver is avoided by sending a control packet (pause packet) to the device that transmits more
packets than the limit.
Port Operation Status (Interface Enable/Disable)
Individually enable or disable the Ethernet ports of TiFRONT. The enabled ports work, and the disabled ports
do not work.
By default, all the ports of TiFRONT are set as follows.

Item                 Default Setting
Negotiation          AUTO
Transmission mode    Full Duplex
Operation status     Enabled


Port Speed Setting


You can set the port speed by using the following command in <Interface Configuration Mode>.

Command                                    Description
speed {10 | 100 | 1000 | 10000 | auto}     Set the port speed in Mbps.
                                           auto: The speed of the other device port is identified and the
                                           speed is set automatically in such a way that the two ports can
                                           use the optimum shared speed.

Transmission Mode Setting


You can set the port transmission mode by using the following command in <Interface Configuration Mode>.

Command                  Description
duplex {full | half}     Set the port transmission mode to Full Duplex or Half Duplex.

Note: If you set the transmission mode when Auto negotiation is enabled, Auto negotiation will be disabled.

MDI/MDI-X Setting
You can set the MDI/MDI-X of a port only on TiFRONT-G48/G48P, not on TiFRONT-F26/F26P/G24/G24P. To
set the MDI/MDI-X of a port, use the following command in <Interface Configuration Mode>.
Command                          Description
mdi-mdix {auto | mdi | mdix}     Set the MDI/MDI-X of the port.

Note: You must use a cross cable if the settings of two ports are identical (MDI-MDI, MDIX-MDIX); otherwise (MDI-MDIX, MDIX-MDI), you must use a
serial cable. If this is set to 'auto', you can use either of the two cables.

Caution: If the speed or transmission mode of a port is not set to auto, you cannot set MDI/MDI-X to auto. In other words, if you directly set the
speed or transmission mode of a port, you must also set the MDI/MDI-X as well.

Port Description Setting


You can set the port description by using the following command in <Interface Configuration Mode>.

Command         Description
description     Enter the port description input mode. When the message "Enter TEXT message"
                appears, enter a description and press the [Enter] key.
                For the port description, you can enter a string of up to 255 characters composed
                of letters, numbers, and special characters.

Note: To delete the port description, run the no description command in <Interface Configuration Mode>.


Jumbo-frame Setting
The range of packets that are acceptable in the Internet environment is from 64 bytes to 1518 bytes. Thus,
devices do not handle packets that do not fall in this range. With TiFRONT, however, you can set Jumbo-frame
to receive packets larger than 1518 bytes.
To set jumbo-frame and receive packets that are larger than 1518 bytes, use the following command in
<Interface Configuration Mode>.

Command                    Description
jumbo-frame {on | off}     Select whether or not to receive jumbo-frames.

Note: TiFRONT can receive jumbo-frames of up to 10000 bytes.

Flow Control Setting


You can set the port flow control by using the following command in <Interface Configuration Mode>.

Command                                   Description
flowcontrol {receive | send} {on | off}   Enable or disable the flow control function of the port.
                                          receive: Set the flow control for packets received at the port.
                                          send: Set the flow control for packets sent from the port.

Storm Control Setting

Storm Control prevents the network from slowing or crashing during the transmission of large volumes of
broadcast packets, multicast packets, and DLF (Destination Lookup Fail) packets. When you set Storm Control,
TiFRONT discards the broadcast, multicast, and DLF packets exceeding the threshold set by the user to
maintain the network availability.
You can set Storm Control by using the following command in <Interface Configuration Mode>. The Storm
Control function is disabled by default.

Command                                                  Description
storm-control {broadcast | multicast | dlf} pps <LEVEL>  Enable Storm Control and set the threshold value.
                                                         <LEVEL>: Setting range: 0~10000000 (pps)

Note: To disable Storm Control, run the no storm-control {broadcast | multicast | dlf} command in <Interface Configuration
Mode>.


Port Smart Auto-negotiation Setting


Port Smart Auto-negotiation automatically detects the connection of a 4-strand UTP cable and sets the port
speed to 100 Mbps. You can set Port Smart Auto-negotiation by using the following command in <Interface
Configuration Mode>.
Command                                Description
smart-autonego {enable | disable}      Enable or disable the Port Smart Auto-negotiation function.

Note: The copper fiber combo port does not support the Port Smart Auto-negotiation function. If you use the 4-strand UTP cable, the combo
port and the other device may not be interconnected normally. Therefore, you are advised to use an 8-strand UTP cable or a general copper port.

Note: To use the Port Smart Auto-negotiation function, the port speed must be set to auto.

Port EEE (Energy Efficient Ethernet) Setting


Port EEE is to reduce power consumption by operating in low-power mode when the port is in idle condition
with no traffic. The low-power mode can reduce power consumption from the device operation because only
about 30% of the power in general mode is used. You can set the port EEE by using the following command in
<Interface Configuration Mode>.
Command                    Description
eee {enable | disable}     Enable or disable the port EEE function.

Note: In order to use the port EEE function, the other device to be connected must support port EEE as well.

UDLD (UniDirectional Link Detection) Setting


UDLD prevents looping or black hole events by shutting down the port when a unidirectional link occurs in a
connection between switches. The UDLD function operates for each port. When it is set to Aggressive mode,
UDLD messages are regularly sent to the other device and if it does not respond, the link is regarded as
having a problem and the port is shut down.
UDLD operates in one of the following two modes, which can be set differently for each port.
Normal mode
    The unidirectional link of an optical cable is detected.
Aggressive mode
    The unidirectional link of an optical cable and a UTP cable is detected.
    The port is shut down when a unidirectional link occurs.

Note: In order to use the UDLD function, the other device to be connected must support UDLD as well.

You can set the UDLD message interval by using the following command in <Interface Configuration Mode>.
The same UDLD message interval is applied to every port.

Command                          Description
udld message interval <1-90>     Set the UDLD message transmission interval.
                                 <1-90>: Setting range: 1 ~ 90 sec, default value: 15 sec

Note: To reset the UDLD message interval, run the no udld message interval command in <Interface Configuration Mode>.

You can enable the UDLD function for a port by running the following command in <Interface Configuration
Mode>.
Command                    Description
udld port [aggressive]     Enable the UDLD function of a port. To set Aggressive mode, enter the
                           aggressive option. If you don't enter the aggressive option, it is set to
                           normal mode.

Note: To disable UDLD, run the command no udld port in <Interface Configuration Mode>. To change the port from aggressive to normal mode,
run the command no udld port aggressive.

Port Information Display


Status Information Display
To check the current status of the Ethernet port in TiFRONT, run the command show portstatus in <User
Mode>, <Privileged Mode>, <Configuration Mode>, or <Interface Configuration Mode>.
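The following is an added example, not PIOLINK code: a small parser for the ruled table that show portstatus prints (the column layout follows the sample output in the configuration example at the end of this section), plus two review checks a hardening pass would want, enabled ports with no link and ports with jumbo-frame on. The constructed sample rows ge3 and ge4, the DOWN link value and the DIS administrative value are assumptions, as is keeping the unnamed trailing columns (FWD, CO) as raw extras.

```python
"""Parse TiFRONT 'show portstatus' output and flag ports worth reviewing.

Added example, not PIOLINK code. The column order follows the sample output
in this chapter; the ACT value DIS and the LINK value DOWN are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Columns in the order they are printed. The captured sample carries two more
# cells after JUM (FWD and, on ge1, CO) whose header names are not legible in
# the output, so anything past the seventh cell is kept as raw "extra" values.
NAMED_COLUMNS = ("port", "act", "link", "nego", "speed", "dplx", "jum")


@dataclass
class PortStatus:
    port: str
    act: str    # EN / DIS: administrative state (assumed value DIS)
    link: str   # UP / DOWN: physical link (assumed value DOWN)
    nego: str   # AUTO or a fixed negotiation setting
    speed: str  # speed in Mbps, as printed
    dplx: str   # FULL / HALF
    jum: str    # EN / DIS: jumbo-frame reception
    extra: List[str] = field(default_factory=list)


def parse_portstatus(text: str) -> List[PortStatus]:
    """Turn the ruled table printed by 'show portstatus' into PortStatus rows."""
    rows: List[PortStatus] = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, the dashed rule lines and the header row.
        if not line or line.startswith("-") or line.startswith("PORT"):
            continue
        cells = [c.strip() for c in line.split("|")]
        # Rows may end with a trailing '|' or lack the last media column;
        # drop empty cells so the positional mapping stays aligned.
        cells = [c for c in cells if c]
        if len(cells) < len(NAMED_COLUMNS):
            raise ValueError(f"malformed portstatus row: {raw!r}")
        named = dict(zip(NAMED_COLUMNS, cells))
        rows.append(PortStatus(**named, extra=cells[len(NAMED_COLUMNS):]))
    return rows


def enabled_but_down(rows: List[PortStatus]) -> List[str]:
    """Administratively enabled ports with no link.

    These are the unused access ports a hardening review wants disabled (see
    'Port Operation Status' above); anything plugged in later would otherwise
    get link immediately.
    """
    return [r.port for r in rows if r.act == "EN" and r.link != "UP"]


def jumbo_enabled(rows: List[PortStatus]) -> List[str]:
    """Ports accepting frames above 1518 bytes; confirm each one is intended."""
    return [r.port for r in rows if r.jum == "EN"]


def review(rows: List[PortStatus]) -> Dict[str, List[str]]:
    """Both checks in one report keyed by finding."""
    return {
        "enabled_but_down": enabled_but_down(rows),
        "jumbo_enabled": jumbo_enabled(rows),
    }


# Constructed sample in the layout of the chapter's example output; the ge3
# (enabled, link down) and ge4 (administratively disabled) rows are made up.
SAMPLE_OUTPUT = """\
------------------------------------------------------------
PORT  | ACT | LINK | NEGO | SPEED | DPLX | JUM |     | MED
------+-----+------+------+-------+------+-----+-----+----
ge1   | EN  | UP   | AUTO | 100   | FULL | EN  | FWD | CO
ge2   | EN  | UP   | AUTO | 1000  | FULL | DIS | FWD
ge3   | EN  | DOWN | AUTO | 1000  | FULL | DIS | FWD
ge4   | DIS | DOWN | AUTO | 1000  | FULL | DIS | FWD
"""

if __name__ == "__main__":
    ports = parse_portstatus(SAMPLE_OUTPUT)
    for finding, names in review(ports).items():
        print(f"{finding}: {names}")  # enabled_but_down: ['ge3'], jumbo_enabled: ['ge1']
```

Paste the real output captured from the console in place of the constructed sample to run the same checks against a live switch.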

Flow Control Information Display

To check the flow control information of the Ethernet port in TiFRONT, run the command show flowcontrol
in <User Mode>, <Privileged Mode>, <Configuration Mode>, or <Interface Configuration Mode>.

MDI/MDI-X Information Display

To check the MDI/MDI-X information of the Ethernet port in TiFRONT, run the command show mdi-mdix in
<Privileged Mode>, <Configuration Mode>, or <Interface Configuration Mode>.

Note: You can use the command show mdi-mdix only with TiFRONT-G48/G48P.

Storm Control Setting Display


To check the Storm Control setting, run the command show storm-control [<IFNAME>] in <User Mode> or
<Privileged Mode>.

SFP Module Information Display


To check the SFP module information of the gigabit Ethernet fiber port, run the command show port-sfp
<1-4> in <User Mode>, <Privileged Mode>, or <Configuration Mode>.

Note: In the case of TiFRONT-F26/F26P, you can enter 1 or 2 in <1-4> of the command show port-sfp because there are two fiber ports. In the
case of TiFRONT-G24/G24P, you can enter 1 to 4 because there are four fiber ports.


Port Smart Auto-negotiation Information Display


To check the Port Smart Auto-negotiation information, run the command show smart-autonego in <User
Mode> or <Privileged Mode>.

Port EEE Information Display


To check the Port EEE information, run the command show eee in <User Mode> or <Privileged Mode>.

UDLD Information Display


To check the UDLD operation information, run the command show udld [<IFNAME>] in <User Mode> or
<Privileged Mode>.

Cable Diagnostic Information Display


TiFRONT provides the cable diagnostic function for checking the status of the UTP cable connected to a port.
To check the UTP cable status through the cable diagnostic function, run the command show
cable-diagnostic [<IFNAME>] in <Privileged Mode>. If you specify a port, the pair information of the cable
connected to the port is also displayed.

The following information is displayed through the cable diagnostic function.

Output Information / Description

Port/Port(Pair)
    Shows the port name and the pair information of the UTP cable.

Cable State/Pair State
    Shows the UTP cable state and the pair state of the UTP cable.
    Ok: The cable is connected normally.
    Open: The cable is not connected.
    Short: The cable is shorted.
    Open-Short: At least one of the pairs of cables is not connected and at least one of the pairs is shorted.
    Crosstalk: Pairs A, B, C, and D are connected incorrectly.
    Unknown: Diagnosis failed and no cable status information is known.

Pair Count
    Shows the number of UTP cable pairs. (1 ~ 4)

Fuzz
    Shows the error range of the UTP cable length. (Only works with the fast Ethernet port.)

Cable Length
    Shows the length of the UTP cable. (Unit: meters)

Caution: When you run the command show cable-diagnostic [<IFNAME>], the port link is temporarily shut down and switched on again to
check the cable status.

38
TiFRONT User Guide

Configuration examples
In this example, the port state was queried with the ge1 port set as shown in the following table.

  Configuration item           Set value
  Speed                        100
  Transmission mode (duplex)   full
  Jumbo-frame                  on

(config)# interface ge1                 Enter the <Interface Configuration Mode> of ge1 port.
(config-if-ge1)# speed 100              Set the port speed to 100 Mbps.
(config-if-ge1)# duplex full            Set the transmission mode to full duplex.
(config-if-ge1)# jumbo-frame on         Set the jumbo-frame function.
(config-if-ge1)# show portstatus        Show the port status information.
-------------------------------------------------------------
PORT  | ACT | LINK | NEGO | SPEED | DPLX | JUM | STATE | MED
------+-----+------+------+-------+------+-----+-------+-----
ge1   | EN  | UP   | AUTO | 100   | FULL | EN  | FWD   | CO
ge2   | EN  | UP   | AUTO | 1000  | FULL | DIS | FWD   | CO
ge3   | EN  | UP   | AUTO | 1000  | FULL | DIS | FWD   | CO
ge4   | EN  | UP   | AUTO | 1000  | FULL | DIS | FWD   | CO
ge5   | EN  | UP   | AUTO | 1000  | FULL | DIS | FWD   | CO
ge6   | EN  | UP   | AUTO | 1000  | FULL | DIS | FWD   | CO
ge7   | EN  | UP   | AUTO | 1000  | FULL | DIS | FWD   | CO
ge8   | EN  | UP   | AUTO | 1000  | FULL | DIS | FWD   | CO
ge9   | EN  | UP   | AUTO | 1000  | FULL | DIS | FWD   | CO
ge10  | EN  | UP   | AUTO | 1000  | FULL | DIS | FWD   | CO
ge11  | EN  | UP   | AUTO | 1000  | FULL | DIS | FWD   | CO
ge12  | EN  | UP   | AUTO | 1000  | FULL | DIS | FWD   | CO
ge13  | EN  | UP   | AUTO | 1000  | FULL | DIS | FWD   | CO
ge14  | EN  | UP   | AUTO | 1000  | FULL | DIS | FWD   | CO
ge15  | EN  | UP   | AUTO | 1000  | FULL | DIS | FWD   | CO
ge16  | EN  | UP   | AUTO | 1000  | FULL | DIS | FWD   | CO
ge17  | EN  | UP   | AUTO | 1000  | FULL | DIS | FWD   | CO
ge18  | EN  | UP   | AUTO | 1000  | FULL | DIS | BLK   | CO
ge19  | EN  | UP   | AUTO | 1000  | FULL | DIS | BLK   | CO
ge20  | EN  | UP   | AUTO | 1000  | FULL | DIS | BLK   | CO
ge21  | EN  | UP   | AUTO | 1000  | FULL | DIS | BLK   | CO
ge22  | EN  | UP   | AUTO | 1000  | FULL | DIS | BLK   | CO
ge23  | EN  | UP   | AUTO | 1000  | FULL | DIS | FWD   | CO
ge24  | EN  | UP   | AUTO | 100   | FULL | DIS | BLK   | CO
-------------------------------------------------------------
ACT         : Port ENable / DISable
LINK        : Link UP / DOWN
NEGOtiation : AUTO / FORCe
SPEED       : 10000 / 1000 / 100 / 10 Mbps
DuPLeX      : FULL / HALF Duplex
JUMbo Frame : Port ENable / DISable
STATE       : FWD / LRN / LIS / BLK / DIS
MEDIUM      : COpper / FIber


In the next example, the flow control and storm control information was queried with the ge1 port set, as
shown in the following table.

  Configuration item              Set value
  Flow Control     Receive        on
                   Send           on
  Storm Control    Broadcast      100000
                   Multicast      100000
                   DLF            100000

(config-if-ge1)# flowcontrol receive on                 Set the flow control for received packets.
(config-if-ge1)# flowcontrol send on                    Set the flow control for sent packets.
(config-if-ge1)# storm-control broadcast pps 100000     Set the broadcast threshold to 100000.
(config-if-ge1)# storm-control multicast pps 100000     Set the multicast threshold to 100000.
(config-if-ge1)# storm-control dlf pps 100000           Set the DLF threshold to 100000.
(config-if-ge1)# show flowcontrol                       Show the flow control information.
Flow Control Status Table
----------------------------------------
Port | TX Flow Control | RX Flow Control
-----+-----------------+----------------
ge1  | on              | on
ge2  | off             | off
ge3  | off             | off
ge4  | off             | off
ge5  | off             | off
ge6  | off             | off
ge7  | off             | off
ge8  | off             | off
ge9  | off             | off
ge10 | off             | off
ge11 | off             | off
ge12 | off             | off
ge13 | off             | off
ge14 | off             | off
ge15 | off             | off
ge16 | off             | off
ge17 | off             | off
ge18 | off             | off
ge19 | off             | off
ge20 | off             | off
ge21 | off             | off
ge22 | off             | off
ge23 | off             | off
ge24 | off             | off
----------------------------------------
(config-if-ge1)# end
# show storm-control                                    Show the storm control settings.
Storm-Control Status Table
-----------------------------------
Port | BcastPPS McastPPS DlfPPS
-----------------------------------
ge1    100000   100000   100000
ge2    Disable  Disable  Disable
ge3    Disable  Disable  Disable
ge4    Disable  Disable  Disable
ge5    Disable  Disable  Disable
ge6    Disable  Disable  Disable
ge7    Disable  Disable  Disable
ge8    Disable  Disable  Disable
ge9    Disable  Disable  Disable
ge10   Disable  Disable  Disable
ge11   Disable  Disable  Disable
ge12   Disable  Disable  Disable
ge13   Disable  Disable  Disable
ge14   Disable  Disable  Disable
ge15   Disable  Disable  Disable
ge16   Disable  Disable  Disable
ge17   Disable  Disable  Disable
ge18   Disable  Disable  Disable
ge19   Disable  Disable  Disable
ge20   Disable  Disable  Disable
ge21   Disable  Disable  Disable
ge22   Disable  Disable  Disable
ge23   Disable  Disable  Disable
ge24   Disable  Disable  Disable


VLAN Setting
VLAN is a virtual logical group of networks based on ports regardless of the physical locations of hosts. VLAN
with one broadcast domain has the same properties as a physical LAN. With VLAN, you can divide one
network into multiple broadcast domains or integrate them into groups for network management.
The nodes connected to the VLAN do not have to be physically connected to the same switch or in the same
area. The hosts in a VLAN behave as if connected to the same bridge or switch, but in actuality, they may be
connected to different switches in different buildings and still be on the same VLAN.
The following figure shows an example of one LAN in a building
(http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_1/confg_gd/vlans.htm - 1041592)
divided by ports into three VLANs. In this figure, the host group connected to port no.1 of the switch is VLAN
A, the host group connected to port no.2 of the switch is VLAN B, and the host group connected to port no.3
of the switch is VLAN C.

[Figure - Example of VLAN Configuration]

Because VLAN allows us to restrict broadcast domains to each logical group, the total broadcast traffic
decreases while the available network bandwidth increases. Furthermore, because the resources (hosts and
network devices) do not need to be physically in the same area, it is easier to manage resources.


VLAN ID
In TiFRONT, you can create 4093 VLANs. You can set VLAN IDs between 2 and 4094 in TiFRONT.

Default VLAN
Every port belongs to the default VLAN. The name, ID, and port of the default VLAN are 'default', '1', and
'untagged port', respectively, and it uses every port. Because TiFRONT supports overlapped VLANs, one port
can be included in multiple VLANs.

Switchport
In order for a TiFRONT port to function as an L2 switch port, you must set the port as a switch port. You can
set a switch port in Access, Trunk, or Hybrid mode depending on the application. In Access mode, you can set
only one VLAN per port, and the traffic is transmitted to this VLAN only. In Trunk or Hybrid mode, however,
you can set multiple VLANs for one port and send traffic to multiple VLANs through the port.

IEEE 802.1Q Tagged VLAN


IEEE 802.1Q is a standard on the tags inserted in Ethernet frames. The operation process of IEEE 802.1Q
Tagged VLAN is as follows. To identify the VLAN group to which the frames sent through a bridge belong, a
tag is inserted between the SA (Source Address) field and the Length/Type field of the Ethernet frame. The tag
field of the frame includes a 12-bit VID for VLAN identification. TiFRONT sends the frame to the VID in
the tag, and ports having the same VID can communicate with one another without going through the router.
IEEE 802.1Q Tagged VLAN performs the Ingress and Egress processes during communication between VLANs
as described below.
Ingress Process
The IEEE 802.1Q port can send tagged or untagged frames. The Ingress port detects tags in the received
frames. If a tagged frame is sent to the port, the VLAN ID is checked with the VID in the tag and then the
tagged frame is directly sent to the Egress port. If an untagged frame is received, the port inserts its PVID in
the untagged frame. PVID is the default VID allocated to each physical port. This PVID is allocated to
untagged frames sent to a port or to frames whose VID is Null.
Egress Process
In the Egress process, if the switch port is in Trunk mode (for tagged port), a tag is attached to the frame. If
the switch port is in Access mode (for untagged port), no tag is attached to the frame. Furthermore, if the
switch port is in Hybrid mode, you must determine whether to send tagged or untagged frames. Among the
network devices connected to TiFRONT, there may be devices that can only accommodate tagged frames and
even devices that request tagged frames as untagged frames. If you choose Hybrid mode in this case, you
can set the port to be connected to a network device as tagged or untagged port when creating a VLAN.


MAC Address/IP Address/Ethernet Protocol-based VLAN


TiFRONT offers VLANs based on the source MAC address, IP address, and Ethernet protocol as well as VLAN
based on port. Using this feature, you can apply different VLANs to specific hosts or traffic.
You can set different types of VLANs simultaneously to the ports of TiFRONT, and the traffic is handled
according to the priority of VLANs. Each VLAN is applied in the following order of priority.

  Priority   VLAN
  1          MAC address-based VLAN
  2          IP address-based VLAN
  3          Ethernet protocol-based VLAN
  4          Port-based VLAN
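The ingress and egress processes described under IEEE 802.1Q Tagged VLAN above, combined with this priority order, as a small Python model. This is an added illustration, not code from PIOLINK or from this guide: the port names, VLAN IDs, classifier rules and frames are constructed for the demonstration, the rule lookup follows the priority table (MAC, then IP, then Ethernet protocol, then PVID), and the tagging on egress follows the guide's description (trunk ports send tagged, access ports untagged, hybrid ports according to egress-tagged).

```python
"""Model of VLAN assignment on ingress and tag handling on egress.

Added illustration, not PIOLINK code. Behaviour modelled: a tagged frame keeps
the VID in its tag; an untagged frame is classified by the MAC rule, then the
IP rule, then the Ethernet protocol rule, then the port PVID; a trunk port
sends tagged, an access port untagged, a hybrid port per its egress-tagged
option. Ports, rules and frames below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set


@dataclass
class Frame:
    src_mac: str                 # HHHH.HHHH.HHHH, the format the guide uses
    src_ip: Optional[str]        # None when the payload is not IP
    ethertype: int               # e.g. 0x0800 (ip), 0x0806 (arp)
    vid: Optional[int] = None    # VID carried in the 802.1Q tag; None = untagged


@dataclass
class VlanGroup:
    """Rules of one 'vlan classifier group', keyed by rule type."""
    mac: Dict[str, int] = field(default_factory=dict)    # MAC -> VID
    ipv4: Dict[str, int] = field(default_factory=dict)   # A.B.C.D/M -> VID
    proto: Dict[int, int] = field(default_factory=dict)  # ethertype -> VID


@dataclass
class Port:
    name: str
    mode: str                                        # access | trunk | hybrid
    pvid: int = 1                                    # default VLAN has ID 1
    allowed: Set[int] = field(default_factory=set)   # VLANs the port is a member of
    egress_tagged: bool = True                       # hybrid: egress-tagged {enable|disable}
    group: Optional[VlanGroup] = None                # vlan classifier activate <1-16>


def ingress_vid(port: Port, frame: Frame) -> int:
    """VID the received frame is switched in (ingress process)."""
    if frame.vid:                    # tagged frame: VID taken from the tag (0 = Null VID)
        return frame.vid
    # The guide notes that classifier rules only work on trunk/hybrid ports.
    if port.group is not None and port.mode in ("trunk", "hybrid"):
        vid = port.group.mac.get(frame.src_mac.upper())           # 1. MAC address rule
        if vid is not None:
            return vid
        if frame.src_ip is not None:                               # 2. IP address rule
            addr = ip_address(frame.src_ip)
            for prefix, vid in port.group.ipv4.items():
                if addr in ip_network(prefix, strict=False):
                    return vid
        vid = port.group.proto.get(frame.ethertype)               # 3. Ethernet protocol rule
        if vid is not None:
            return vid
    return port.pvid                                               # 4. port-based: PVID


def egress_action(port: Port, vid: int) -> Optional[str]:
    """'tagged' or 'untagged' when a frame in VLAN vid leaves this port;
    None when the port is not a member of that VLAN (frame not forwarded)."""
    if vid != port.pvid and vid not in port.allowed:
        return None
    if port.mode == "access":
        return "untagged"
    if port.mode == "trunk":
        return "tagged"
    return "tagged" if port.egress_tagged else "untagged"   # hybrid


def build_example() -> Dict[str, Port]:
    """Constructed topology: ge3 is a trunk with a classifier group, ge1 access,
    ge5 hybrid sending untagged, ge6 an access port where the group is ignored."""
    rules = VlanGroup(mac={"0002.2ADB.0C77": 10},
                      ipv4={"10.1.0.0/16": 20},
                      proto={0x0806: 30})
    return {
        "ge1": Port("ge1", "access", pvid=2),
        "ge3": Port("ge3", "trunk", pvid=1, allowed={1, 3, 10, 20, 30}, group=rules),
        "ge5": Port("ge5", "hybrid", pvid=3, allowed={2, 3, 4}, egress_tagged=False),
        "ge6": Port("ge6", "access", pvid=1, group=rules),
    }


if __name__ == "__main__":
    ports = build_example()
    frame = Frame("AAAA.BBBB.CCCC", "10.1.5.5", 0x0800)
    print("ingress VID on ge3:", ingress_vid(ports["ge3"], frame))
    print("egress on ge5 for VLAN 3:", egress_action(ports["ge5"], 3))
```

Running the module shows the IP rule winning for an untagged frame from 10.1.5.5 on ge3 (VID 20) while the same group attached to the access port ge6 has no effect, which is the situation the note under switchport mode warns about.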


VLAN Settings
Creating VLAN and Setting Port Mode
You can create a VLAN and set a port mode by using the following commands in <Configuration Mode>.

  No.   Command                                     Description
  1     vlan <2-4094> <WORD>                        Create a VLAN.
                                                    <2-4094>  ID for VLAN identification. Setting range: 2 ~ 4094
                                                    <WORD>    Specify a VLAN name that consists of up to 16 characters
                                                              composed of letters, numbers, and special characters.
  2     interface <IFNAME>                          Change to the <Interface Configuration Mode> of the port for
                                                    which to set the VLAN.
  3     switchport mode {access | trunk | hybrid}   Set the mode of the switch port.
                                                    access:  Set to untagged mode
                                                    trunk:   Set to tagged mode
                                                    hybrid:  Set to hybrid mode
                                                    If you set it to hybrid mode, both tagged and untagged frames
                                                    are received. The tagged and untagged frames are sent
                                                    according to the egress-tagged option setting.
                                                    Note: The switchport mode of the port for setting the MAC address/IP
                                                    address/protocol-based VLAN must be set to trunk or hybrid. If the
                                                    switchport mode is set to access, the MAC address/IP
                                                    address/protocol-based VLAN does not work normally even if you set
                                                    it.

Note: To delete the VLAN, run the command no vlan <2-4094> in <Configuration Mode>.

Setting Port-based VLAN


The command for setting a port-based VLAN varies by the switchport mode. The commands for adding a port
in each mode are described below.

Access Mode
If the switchport mode is set to Access, run the following command in <Interface Configuration Mode> to
add a port to VLAN.
  Command                           Description
  switchport access vlan <2-4094>   Add a port to VLAN in Access mode. You can set this only
                                    if the VLAN is already created.

Trunk Mode
If the switchport mode is set to Trunk, run the following commands in <Interface Configuration Mode> to
add, exclude, or remove a port to/from VLAN.
  No.   Command                                           Description
  1     switchport trunk allowed vlan add <VLAN_ID>       Add the port to a VLAN.
        switchport trunk allowed vlan all                 Add the port to all VLANs.
        switchport trunk allowed vlan except <VLAN_ID>    Exclude the port from a VLAN.
                                                          Note: When you set except for a port, the port is
                                                          added to all the other VLANs.
        switchport trunk allowed vlan none                Add the port only to the default VLAN.
        switchport trunk allowed vlan remove <VLAN_ID>    Remove the port from a VLAN.
  2     switchport trunk native vlan <VLAN_ID>            Set the PVID of the port. PVID divides ports to each VLAN
                                                          during the communication of untagged frames.

Hybrid Mode
If the switchport mode is set to Hybrid, run the following commands in <Interface Configuration Mode> to
add, exclude, or remove a port to/from VLAN.
  No.   Command                                            Description
  1     switchport hybrid allowed vlan add <VLAN_ID>       Add the port to a VLAN.
        egress-tagged {enable | disable}                   enable:   Set the port as tagged port (default)
                                                           disable:  Set the port as untagged port
        switchport hybrid allowed vlan all                 Add the port to all VLANs.
        switchport hybrid allowed vlan except <VLAN_ID>    Exclude the port from a VLAN.
        switchport hybrid allowed vlan none                Add the port only to the default VLAN.
        switchport hybrid allowed vlan remove <VLAN_ID>    Remove the port from a VLAN.
  2     switchport hybrid vlan <VLAN_ID>                   Set the PVID of the port. PVID divides ports to each VLAN
                                                           during the communication of untagged frames.

Note: To remove a port from the VLAN, run the command no switchport {access vlan | trunk native | hybrid vlan} in the
<Interface Configuration Mode> of the port.


Setting MAC Address/IP Address/Ethernet Protocol-based VLAN


To use the MAC address/IP address/Ethernet protocol-based VLAN, you must generate VLAN rules and add
them to the VLAN group and specify the VLAN group for the port.

Generating VLAN Rules


You can generate VLAN rules by using the following commands in <Configuration Mode>.

  Command                                                       Description
  vlan classifier rule <1-256> mac <WORD> vlan <2-4094>         Generate rules for the MAC address-based VLAN.
                                                                <1-256>   VLAN rule ID. Setting range: 1 ~ 256
                                                                <WORD>    MAC address for applying VLAN
                                                                <2-4094>  VLAN ID to apply if the rule is satisfied.
                                                                          Setting range: 2 ~ 4094
  vlan classifier rule <1-256> ipv4 <A.B.C.D/M> vlan <2-4094>   Generate rules for IP address-based VLAN.
                                                                <1-256>      VLAN rule ID. Setting range: 1 ~ 256
                                                                <A.B.C.D/M>  IP address, or IP network and netmask bit length,
                                                                             for applying VLAN
                                                                <2-4094>     VLAN ID to apply if the rule is satisfied.
                                                                             Setting range: 2 ~ 4094
  vlan classifier rule <1-256> proto <ETHERTYPE>                Generate rules for Ethernet protocol-based VLAN.
  encap {ethv2 | nosnapllc | snapllc} vlan <2-4094>             <1-256>      VLAN rule ID. Setting range: 1 ~ 256
                                                                <ETHERTYPE>  Ethernet protocol for applying VLAN. Enter the Ethernet
                                                                             protocol number as a decimal number (setting range:
                                                                             0 - 65535) or enter the name directly for representative
                                                                             Ethernet protocols.
                                                                             Note: You can enter the following Ethernet protocols:
                                                                             arp, atalkaarp, atalkddp, atmmulti, atmtransport, dec,
                                                                             deccustom, decdiagnostics, decdnadumpload,
                                                                             decdnaremoteconsole, decdnarouting, declat, decsyscomm,
                                                                             g8bpqx25, ieeeaddrtrans, ieeepup, ip, ipv6, ipx,
                                                                             pppdiscovery, pppsession, rarp, x25, xeroxaddrtrans,
                                                                             xeroxpup
                                                                ethv2:       LLC (Logical Link Control) sublayer not included
                                                                snapllc:     LLC sublayer and SNAP included.
                                                                nosnapllc:   LLC sublayer and SNAP not included.
                                                                <2-4094>     VLAN ID to apply if the rule is satisfied.
                                                                             Setting range: 2 ~ 4094


VLAN Group Setting


You can set the VLAN group by using the following command in <Configuration Mode>.

  Command                                                    Description
  vlan classifier group <1-16> {add | delete} rule <1-256>   Add/delete a VLAN rule to/from the VLAN group. You can
                                                             add up to 256 VLAN rules to one VLAN group.
                                                             <1-16>   VLAN group ID. Setting range: 1 ~ 16
                                                             add:     Add the VLAN rule to the group.
                                                             delete:  Remove the VLAN rule from the group.
                                                             <1-256>  VLAN rule ID to be added to or removed from the VLAN group.
                                                                      (Setting range: 1 ~ 256)

Applying VLAN Group


You can apply a VLAN group to a port by running the following command in <Interface Configuration Mode>.

  Command                           Description
  vlan classifier activate <1-16>   Set the VLAN group to be applied to the port.

Note: You can set one VLAN group for each port. To change a VLAN group, you must cancel the current VLAN group by using the command no
vlan classifier activate <1-16> before resetting it.

Note: If a MAC address/IP address-based VLAN is applied to one port, it is applied to all ports.

Checking the Settings


Checking the VLAN settings
To check the VLAN settings in TiFRONT, run the command show vlan in <User Mode>, <Privileged Mode>,
<Configuration Mode>, or <Interface Configuration Mode>. You can also use the command show vlan
{<2-4094> | all | brief | static} in <User Mode> or <Privileged Mode> to check the detailed
information of VLAN.

Checking the VLAN rule information


To check the rule settings of the MAC address/IP address/Ethernet protocol-based VLAN, run the command
show vlan classifier rule [<1-256>] in <User Mode> or <Privileged Mode>.

Checking the VLAN group information


To check the group settings of the MAC address/IP address/Ethernet protocol-based VLAN, run the command
show vlan classifier group [<1-16>] in <User Mode> or <Privileged Mode>. To check the port
information for which a VLAN group is set, run the command show vlan classifier interface group
[<1-16>] in <User Mode> or <Privileged Mode>.


Configuration examples
In this example, the settings were queried for VLANs composed of ge1 to ge5 ports, as shown in the
following table.

  Composition of VLANs
  VLAN   Ports
  v1     ge1, ge2, ge5
  v2     ge3, ge4, ge5
  v3     ge4, ge5

  Switchport Mode and PVID
  Port   Mode     PVID
  ge1    Access   2
  ge2    Access   2
  ge3    Trunk    1
  ge4    Trunk    3
  ge5    Hybrid   3

(config)# vlan 2 name v1                                   Create a VLAN named v1 with the ID 2
(config)# vlan 3 name v2                                   Create a VLAN named v2 with the ID 3
(config)# vlan 4 name v3                                   Create a VLAN named v3 with the ID 4
(config)# interface ge1                                    Enter the <Interface Configuration Mode> of ge1 port.
(config-if-ge1)# switchport mode access                    Set to access mode
(config-if-ge1)# switchport access vlan 2                  Add the port ge1 to v1
(config-if-ge1)# exit
(config)# interface ge2                                    Enter the <Interface Configuration Mode> of ge2 port.
(config-if-ge2)# switchport mode access                    Set to access mode
(config-if-ge2)# switchport access vlan 2                  Add the port ge2 to v1
(config-if-ge2)# exit
(config)# interface ge3                                    Enter the <Interface Configuration Mode> of ge3 port.
(config-if-ge3)# switchport mode trunk                     Set to trunk mode
(config-if-ge3)# switchport trunk allowed vlan add 3       Add the port ge3 to v2
(config-if-ge3)# exit
(config)# interface ge4                                    Enter the <Interface Configuration Mode> of ge4 port.
(config-if-ge4)# switchport mode trunk                     Set to trunk mode
(config-if-ge4)# switchport trunk allowed vlan except 2    Add to all VLANs except v1
(config-if-ge4)# switchport trunk native vlan 3            Set the PVID to 3.
(config-if-ge4)# exit
(config)# interface ge5                                    Enter the <Interface Configuration Mode> of ge5 port.
(config-if-ge5)# switchport mode hybrid                    Set to hybrid mode
(config-if-ge5)# switchport hybrid allowed vlan all        Add to all VLANs
(config-if-ge5)# switchport hybrid vlan 3                  Set the PVID to 3
(config-if-ge5)# show vlan                                 Show the VLAN settings
-------------------------------------------------------------------
PORT            | ge      111111111122222
                |123456789012345678901234
----------------+--------------------------------------------------
SWITCH MODE     |AATTHAAAAAAAAAAAAAAAAAAA
----------------+--------------------------------------------------
default (   1)  |..TttUUUUUUUUUUUUUUUUUUU
v1      (   2)  |UU..t...................
v2      (   3)  |..tTT...................
v3      (   4)  |...tt...................
-------------------------------------------------------------------
SWITCHPORT      : A(Access) / H(Hybrid) / T(Trunk)
                  A - All frame receive.
                  T - Only VLAN Tagged frame receive.
                  U - Only VLAN Untagged frame receive.
U - Untagged VLAN (PVID)
u - Untagged shared VLAN (VID)
T - Tagged VLAN (PVID)
t - Tagged shared VLAN (VID)

VLANNAME ( VID) : IEEE 802.1q Port based VLAN information
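A parser for the show vlan matrix above, useful when auditing which ports share VLANs or carry an unexpected PVID across many switches. This is an added example, not code from PIOLINK or this guide; the SHOW_VLAN text it parses is constructed to mirror the layout of the output above (one column per port ge1 to ge24, legend symbols U/u/T/t and '.'), and the port naming convention ge<N> is assumed.

```python
"""Parse TiFRONT 'show vlan' output into per-VLAN port membership.

Added example, not PIOLINK code. SHOW_VLAN is constructed to match the layout
shown in the guide's configuration example: a SWITCH MODE row (A/H/T per port)
and one row per VLAN whose column i holds the membership symbol of port ge(i+1).
Legend as in the guide: U/T = untagged/tagged member with this VLAN as PVID,
u/t = untagged/tagged shared member, '.' = not a member.
"""
import re
from typing import Dict, List, Tuple

SHOW_VLAN = """\
-------------------------------------------------------------------
PORT            | ge      111111111122222
                |123456789012345678901234
----------------+--------------------------------------------------
SWITCH MODE     |AATTHAAAAAAAAAAAAAAAAAAA
----------------+--------------------------------------------------
default (   1)  |..TttUUUUUUUUUUUUUUUUUUU
v1      (   2)  |UU..t...................
v2      (   3)  |..tTT...................
v3      (   4)  |...tt...................
-------------------------------------------------------------------
"""

# "name (  vid) |cells" rows; the name is the first token, the VID sits in parentheses.
VLAN_ROW = re.compile(r"^(?P<name>\S+)\s*\(\s*(?P<vid>\d+)\)\s*\|(?P<cells>[UuTt.]+)\s*$")
MODE_ROW = re.compile(r"^SWITCH MODE\s*\|(?P<cells>[AHT]+)\s*$")


def parse_show_vlan(text: str) -> Tuple[Dict[str, str], Dict[int, dict]]:
    """Return (modes, vlans): modes maps port -> 'A'/'H'/'T';
    vlans maps VID -> {'name': str, 'members': {port: symbol}}."""
    modes: Dict[str, str] = {}
    vlans: Dict[int, dict] = {}
    for line in text.splitlines():
        m = MODE_ROW.match(line)
        if m:
            modes = {f"ge{i + 1}": c for i, c in enumerate(m.group("cells"))}
            continue
        m = VLAN_ROW.match(line)
        if m:
            members = {f"ge{i + 1}": c
                       for i, c in enumerate(m.group("cells")) if c != "."}
            vlans[int(m.group("vid"))] = {"name": m.group("name"), "members": members}
    return modes, vlans


def ports_in_vlan(vlans: Dict[int, dict], vid: int) -> List[str]:
    """Member ports of one VLAN, in port order."""
    return sorted(vlans[vid]["members"], key=lambda p: int(p[2:]))


def pvid_of(vlans: Dict[int, dict]) -> Dict[str, int]:
    """Each port's PVID: the VLAN in which it appears as U or T (PVID symbols)."""
    pvid: Dict[str, int] = {}
    for vid, info in vlans.items():
        for port, sym in info["members"].items():
            if sym in "UT":
                pvid[port] = vid
    return pvid


def multi_vlan_ports(vlans: Dict[int, dict]) -> Dict[str, List[int]]:
    """Ports that belong to more than one VLAN (worth a second look in a review)."""
    seen: Dict[str, List[int]] = {}
    for vid, info in vlans.items():
        for port in info["members"]:
            seen.setdefault(port, []).append(vid)
    return {p: sorted(v) for p, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    modes, vlans = parse_show_vlan(SHOW_VLAN)
    for vid in sorted(vlans):
        print(vid, vlans[vid]["name"], ports_in_vlan(vlans, vid))
    print("PVIDs:", pvid_of(vlans))
    print("ports in several VLANs:", multi_vlan_ports(vlans))
```

The parsed result reproduces the tables at the start of this example: v1 = ge1, ge2, ge5; v2 = ge3, ge4, ge5; v3 = ge4, ge5; and the PVIDs 2, 2, 1, 3, 3 for ge1 to ge5.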


Voice VLAN Setting


Voice VLAN minimizes data loss and ensures bandwidth by using a dedicated VLAN for voice traffic to
improve the call quality of VoIP (Voice over IP). Using the Voice VLAN, you can automatically classify voice
traffic of IP phones and process them before other data traffic to provide a high quality VoIP environment.

Voice VLAN Setting


You can set the voice VLAN group by using the following commands in <Configuration Mode>.

  No.   Command                                          Description
  1     vlan <2-4094> [name <WORD>]                      Create a VLAN to be used as voice VLAN.
                                                         <2-4094>  ID for VLAN identification. Setting range: 2 ~ 4094
                                                         <WORD>    Specify a VLAN name of up to 16 characters that consist of
                                                                   letters, numbers, and special characters.
  2     voice vlan <2-4094>                              Specify a VLAN ID to be used for voice VLAN.
  3     voice vlan dscp <0-63>                           Specify the DSCP value to be applied to the send packet. For IP
                                                         phones that support LLDP-MED, its DSCP is changed to the
                                                         specified value.
                                                         <0-63>  Setting range: 0 ~ 63. Default value: 46
  4     voice vlan priority <0-7>                        Specify the CoS value to be applied to the send packet. For IP
                                                         phones that support LLDP-MED, its CoS is changed to the
                                                         specified value.
                                                         <0-7>  Setting range: 0 ~ 7. Default value: 5
  5     voice vlan oui <WORD> mask <WORD> vender <WORD>  Set the OUI, OUI mask, and vender of the IP phone connected
                                                         to the port.
                                                         <WORD>  Set the OUI information of the IP phone in the format
                                                                 HHHH.HHHH.HHHH.
                                                         <WORD>  Set the OUI mask of the IP phone in the format HHHH.HHHH.HHHH.
                                                         <WORD>  Set the vender name as a string of up to 32 characters.
  6     voice vlan cos override                          For IP phones that support LLDP-MED, its CoS Override option
        (Optional)                                       is enabled. If you enable this option, for IP phones that
                                                         support LLDP-MED but do not change their DSCP or CoS
                                                         values, TiFRONT changes the DSCP or CoS values of the
                                                         packet. (Default value: Disable)
                                                         Note: To disable the CoS Override option, run the command no voice
                                                         vlan cos override.
  7     interface <IFNAME>                               Change to the <Interface Configuration Mode> of the port for
                                                         which to set the Voice VLAN.
  8     voice vlan enable                                Set the port to Voice VLAN.

Note: To delete the VLAN ID of the Voice VLAN, run the command no voice vlan <2-4094> in <Configuration Mode>.

Note: To delete the OUI information, run the command no voice vlan oui <WORD> mask <WORD> vender <WORD> in <Configuration
Mode>.

Note: To disable the Voice VLAN setting of the port, run the command no voice vlan enable in <Interface Configuration Mode>.
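How the OUI and OUI mask of the voice vlan oui command identify an IP phone, as an added Python example (not code from PIOLINK or this guide). A phone matches an entry when its MAC address, ANDed with the mask, equals the masked OUI; the entries in build_oui_list reuse the OUI, mask and vender values shown in this section, the phone MAC addresses are constructed, and the 32-character vender limit is the one stated in the command table.

```python
"""OUI/mask matching as used by: voice vlan oui <WORD> mask <WORD> vender <WORD>

Added example, not PIOLINK code. A phone is recognised when
(MAC AND mask) == (OUI AND mask). OUI entries reuse the values from this
section's tables; the phone MAC addresses are constructed.
"""
import re
from typing import List, Optional, Tuple

DOTTED_HEX = re.compile(r"^[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}$")  # HHHH.HHHH.HHHH

OuiEntry = Tuple[str, str, str]   # (oui, mask, vender)


def dotted_to_int(value: str) -> int:
    """Convert HHHH.HHHH.HHHH to a 48-bit integer, rejecting other formats."""
    if not DOTTED_HEX.match(value):
        raise ValueError(f"expected HHHH.HHHH.HHHH, got {value!r}")
    return int(value.replace(".", ""), 16)


def add_oui(oui_list: List[OuiEntry], oui: str, mask: str, vender: str) -> None:
    """Validate an entry the way the command's argument table describes, then add it."""
    if not 1 <= len(vender) <= 32:
        raise ValueError("vender name must be 1 to 32 characters")
    dotted_to_int(oui)    # both must be well-formed dotted hex
    dotted_to_int(mask)
    oui_list.append((oui, mask, vender))


def matches_oui(mac: str, oui: str, mask: str) -> bool:
    """True when the MAC falls under the OUI after applying the mask."""
    m = dotted_to_int(mask)
    return (dotted_to_int(mac) & m) == (dotted_to_int(oui) & m)


def classify_phone(mac: str, oui_list: List[OuiEntry]) -> Optional[str]:
    """Vender name of the first matching OUI entry, or None if the MAC is not a known phone."""
    for oui, mask, vender in oui_list:
        if matches_oui(mac, oui, mask):
            return vender
    return None


def build_oui_list() -> List[OuiEntry]:
    """OUI list built from the values that appear in this section."""
    oui_list: List[OuiEntry] = []
    add_oui(oui_list, "0003.6B00.0000", "FFFF.FF00.0000", "Cisco")
    add_oui(oui_list, "0006.C400.0000", "FFFF.FF00.0000", "Piolink")
    return oui_list


if __name__ == "__main__":
    ouis = build_oui_list()
    for mac in ("0003.6B12.3456", "0006.C4AB.CDEF", "0011.2233.4455"):   # constructed MACs
        print(mac, "->", classify_phone(mac, ouis))
```

Because the match is purely on the source MAC prefix, any station can present a phone-vendor OUI; treat OUI-based voice VLAN placement as a convenience, not as authentication of the device.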

Checking the Settings


To check the Voice VLAN settings, run the command show voice vlan in <User Mode>, <Privileged Mode>,
or <Configuration Mode>.

Configuration examples
In this example, the settings were queried with the Voice VLAN set as shown in the following table.

  Configuration item   Set value
  VLAN ID              100
  DSCP code            36
  Priority             7
  OUI                  0003.6B00.0000
  OUI Mask             FFFF.FF00.0000
  Vender               Cisco
  Port                 ge10

(config)# vlan 100                                                            Create a VLAN
(config)# voice vlan 100                                                      Set the created VLAN as Voice VLAN
(config)# voice vlan dscp 36                                                  Set the DSCP code value
(config)# voice vlan priority 7                                               Set the priority
(config)# voice vlan oui 0006.C400.0000 mask FFFF.FF00.0000 vender Piolink    OUI setting
(config)# interface ge10                                                      Go to the port to be set to Voice VLAN
(config-if-ge10)# voice vlan enable                                           Set the VLAN of the port ge10 as Voice VLAN
(config-if-ge10)# exit
(config)# show voice vlan                                                     Show the Voice VLAN settings.
Voice Vlan ID           : 100
Voice Vlan DSCP         : 36
Voice Vlan Priority     : 7
Voice Vlan CoS Override : disable
Voice Vlan Port
  ge10
Voice Vlan OUI List
---------------------------------------------------------
NUM | OUI Address     | OUI Mask        | Vender
---------------------------------------------------------
1   | 0003.6B00.0000  | FFFF.FF00.0000  | Piolink
---------------------------------------------------------


MAC Address Setting


MAC Address Table Setting
TiFRONT supports a MAC address table which can store up to 16384 MAC addresses.
There are three types of MAC addresses:
Dynamic MAC address
This MAC address is automatically entered in the MAC address table by TiFRONT. It is automatically deleted
if it is not used for the Ageing Time set by user.
Static MAC address
This is the MAC address that is directly entered by user. This address remains in the MAC address table
until it is deleted by user.
Multicast MAC address
This is a MAC address for multicast which can be directly entered and deleted by user. If IGMP Snooping is
enabled, TiFRONT can automatically enter and delete this address.

Setting a static MAC address


You can set a static MAC address by using the following command in <Configuration Mode>. Repeat this
command to set multiple static MAC addresses.

  Command                                              Description
  mac address <MAC> forward <IFNAME> [vlan <2-4094>]   Add a static MAC address.
                                                       <MAC>     MAC address to be added. Input format: HHHH.HHHH.HHHH
                                                       <IFNAME>  Port number
                                                       <2-4094>  VLAN ID of the port

Note: To delete the MAC addresses in the MAC address table, run the command clear mac address-table {dynamic | static |
multicast} {interface <IFNAME> | vlan <2-4094>} in <Privileged Mode>.

Ageing Time Setting


Ageing Time is the time for which the dynamic MAC address is maintained in the MAC address table. You can
set the Ageing Time by using the following command in <Configuration Mode>.

  Command                        Description
  mac ageing-time <10-1000000>   Set the Ageing Time.
                                 <10-1000000>  Setting range: 10 ~ 1,000,000 (sec). (Default value: 300 sec)

Note: To reset the Ageing Time to 300 sec, which is the default value, run the command no mac ageing-time in <Configuration Mode>.


Checking the MAC Address Table Information


To check the MAC address table information, run the command show mac-table [vlan <1-4094> |
interface <INTERFACE>] in <User Mode>, <Privileged Mode> or <TiMatrix Configuration Mode>.

MAC Filtering
TiFRONT supports MAC filtering that restricts unnecessary network traffic by registering MAC filters in the
MAC address table. MAC filtering blocks packets received from a specific interface if they contain the
specified MAC address. If you set a MAC filter, it is registered as a static MAC address in the MAC address
table and is maintained until it is deleted by user.

MAC filter setting


You can set MAC filters for an interface by using the following command in <Configuration Mode>. You can
define up to 16384 MAC filters in TiFRONT, and you can repeat this command to set multiple MAC filters.

  Command                                              Description
  mac address <MAC> discard <IFNAME> [vlan <2-4094>]   Add a MAC filter.
                                                       <MAC>     MAC address to be blocked. Input format: HHHH.HHHH.HHHH
                                                       <IFNAME>  Port number
                                                       <2-4094>  VLAN ID of the port

Note: To delete a MAC filter, run the command no mac address <MAC> discard <IFNAME> [vlan <2-4094>] in <Configuration Mode>.

Checking the MAC Filter Settings


To check the MAC filter settings, run the command show mac-table [vlan <1-4094> | interface
<INTERFACE>] in <User Mode>, <Privileged Mode> or <TiMatrix Configuration Mode>.

Limiting the Number of MAC Addresses


The MAC address table can store up to 16K (16384) MAC addresses. However, if you want to limit the
number of MAC addresses that can be learnt for a specific port, run the following command in <Interface
Configuration Mode>.

  Command                                    Description
  mac-address limit {<1-1024> | unlimited}   Set the maximum number of MAC addresses that can be
                                             stored for a specific port. If you set unlimited, the
                                             number of MAC addresses to be stored is not restricted.
                                             (Setting range: 1 ~ 1024, Default value: unlimited)

Checking the MAC address limit setting


To check the MAC address limit setting, run the command show mac-address limit in <User Mode> or
<Privileged Mode>.
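The MAC address table behaviour this section describes (dynamic learning that ages out, static forward entries, discard filters that apply only on the interface they were set on, and a per-port learning limit), as an added Python model. This is not code from PIOLINK or this guide; the MAC addresses, port names and timestamps are constructed, while the table capacity (16384), the ageing range and default (10 to 1,000,000 seconds, default 300) and the per-port limit range (1 to 1024) are the values given above. The per-port limit is the control a network engineer reaches for against a flood of forged source addresses exhausting the table.

```python
"""Model of a MAC address table: dynamic learning with ageing, static forward
entries, MAC filters (discard entries) and a per-port learning limit.

Added example, not PIOLINK code. MACs, ports and timestamps are constructed;
capacity, ageing range/default and limit range are the values from the guide.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAC_FORMAT = re.compile(r"^[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}$")  # HHHH.HHHH.HHHH


def norm_mac(mac: str) -> str:
    """Validate the dotted format and return a lower-case key."""
    if not MAC_FORMAT.match(mac):
        raise ValueError(f"MAC must be HHHH.HHHH.HHHH, got {mac!r}")
    return mac.lower()


@dataclass
class Entry:
    port: str
    vlan: int
    action: str        # FORWARD or DISCARD
    static: bool       # static and filter entries never age out
    last_seen: float   # seconds; only meaningful for dynamic entries


class MacTable:
    CAPACITY = 16384

    def __init__(self, ageing_time: int = 300):
        self.ageing_time = 300
        self.set_ageing_time(ageing_time)
        self.entries: Dict[Tuple[int, str], Entry] = {}   # (vlan, mac) -> entry
        self.limits: Dict[str, Optional[int]] = {}        # port -> limit; absent = unlimited

    def set_ageing_time(self, seconds: int) -> None:      # mac ageing-time <10-1000000>
        if not 10 <= seconds <= 1_000_000:
            raise ValueError("ageing time must be 10..1000000 seconds")
        self.ageing_time = seconds

    def set_limit(self, port: str, limit: Optional[int]) -> None:
        """mac-address limit {<1-1024> | unlimited}; None means unlimited."""
        if limit is not None and not 1 <= limit <= 1024:
            raise ValueError("limit must be 1..1024 or None")
        self.limits[port] = limit

    def add_static(self, mac: str, port: str, vlan: int = 1, discard: bool = False) -> None:
        """mac address <MAC> {forward | discard} <IFNAME> [vlan <VID>]"""
        action = "DISCARD" if discard else "FORWARD"
        self.entries[(vlan, norm_mac(mac))] = Entry(port, vlan, action, True, 0.0)

    def dynamic_count(self, port: str) -> int:
        return sum(1 for e in self.entries.values() if e.port == port and not e.static)

    def _limit_reached(self, port: str) -> bool:
        limit = self.limits.get(port)
        return limit is not None and self.dynamic_count(port) >= limit

    def learn(self, mac: str, port: str, vlan: int, now: float) -> bool:
        """Learn a source MAC seen on a port; False when nothing was (re)learned."""
        key = (vlan, norm_mac(mac))
        entry = self.entries.get(key)
        if entry is not None:
            if entry.static:
                return False                 # static/filter entries are never overwritten
            if port != entry.port and self._limit_reached(port):
                return False                 # a move onto a full port is refused
            entry.port, entry.last_seen = port, now   # refresh (or move) the entry
            return True
        if len(self.entries) >= self.CAPACITY or self._limit_reached(port):
            return False
        self.entries[key] = Entry(port, vlan, "FORWARD", False, now)
        return True

    def age(self, now: float) -> int:
        """Drop dynamic entries unused for at least the ageing time; return how many."""
        expired = [k for k, e in self.entries.items()
                   if not e.static and now - e.last_seen >= self.ageing_time]
        for k in expired:
            del self.entries[k]
        return len(expired)

    def decision(self, mac: str, vlan: int, ingress_port: str) -> str:
        """FORWARD or DISCARD for a frame carrying this MAC received on ingress_port;
        a MAC filter applies only to the interface it was set on."""
        entry = self.entries.get((vlan, norm_mac(mac)))
        if entry is not None and entry.action == "DISCARD" and entry.port == ingress_port:
            return "DISCARD"
        return "FORWARD"


if __name__ == "__main__":
    table = MacTable(ageing_time=600)
    table.add_static("0002.2ADB.0C77", "ge1", vlan=2)               # values from the guide's example
    table.add_static("001E.8C8F.B333", "ge1", vlan=2, discard=True)
    table.set_limit("ge3", 2)
    for i in range(1, 4):                                           # constructed source MACs
        print(f"learn 0000.0000.000{i} on ge3:", table.learn(f"0000.0000.000{i}", "ge3", 2, now=float(i)))
    print("filter on ge1:", table.decision("001e.8c8f.b333", 2, "ge1"))
    print("aged out at t=700:", table.age(now=700.0))
```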


Configuration examples
In the following example, the static MAC address and the MAC filter were set as shown in the following table,
and the Ageing Time was set to 600. Then, the MAC address table information was queried.

  Configuration item   MAC address      Port   VLAN
  Static MAC address   0002.2ADB.0C77   ge1    2
  MAC filter           001E.8C8F.B333   ge1    2

(config)# mac address 0002.2ADB.0C77 forward ge1 vlan 2        Set a static MAC address
(config)# mac address 001E.8C8F.B333 discard ge1 vlan 2        Set a MAC filter
(config)# mac ageing-time 600                                  Set ageing time to 600
(config)# show mac-table                                       Show the MAC Address Table Information
aging-time 600                                                 Ageing Time
-------------------------------------------------------
No   | VLAN | PORT | MAC ADDRESS    | FWD/DIS | STATIC
-----+------+------+----------------+---------+--------
1    | 2    | ge1  | 001f:c601:6e80 | FORWARD |
2    | 2    | ge1  | 0024:8cb2:e403 | FORWARD |
3    | 2    | ge1  | 0024:5424:58f8 | FORWARD |
4    | 2    | ge1  | 001e:8c90:aff5 | FORWARD |
5    | 2    | ge1  | e0cb:4eb8:ca85 | FORWARD |
6    | 2    | ge1  | 0008:9bbf:4994 | FORWARD |
7    | 2    | ge1  | 0800:27f8:a392 | FORWARD |
8    | 2    | ge1  | 001e:8cdb:16cd | FORWARD |
9    | 2    | ge1  | 0011:433b:ad0c | FORWARD |
10   | 2    | ge1  | 0024:8cb2:e409 | FORWARD |
11   | 2    | ge1  | 0006:c472:11dd | FORWARD |
12   | 2    | ge1  | 0024:8c6e:d644 | FORWARD |
13   | 2    | ge1  | 0024:8c6e:d537 | FORWARD |
14   | 2    | ge1  | 0800:27ae:58fa | FORWARD |
15   | 2    | ge1  | 0800:2742:4d6d | FORWARD |
16   | 2    | ge1  | 001e:8c78:635e | FORWARD |
17   | 2    | ge1  | 0024:8c6e:d533 | FORWARD |
18   | 2    | ge1  | 001e:8c31:6baf | FORWARD |
19   | 2    | ge1  | 001e:8c8f:bd59 | FORWARD |
20   | 2    | ge1  | 0016:d337:352a | FORWARD |
21   | 2    | ge1  | 0002:2adb:0c77 | FORWARD | STATIC        Static MAC address
22   | 2    | ge1  | 00a0:b011:5de1 | FORWARD |
23   | 2    | ge1  | 0024:8c6e:d535 | FORWARD |
24   | 2    | ge1  | 0024:8cc6:aacd | FORWARD |
25   | 2    | ge1  | 001e:8c8f:bd49 | FORWARD |
26   | 2    | ge1  | 001d:7d02:fc6c | FORWARD |
27   | 2    | ge1  | 0006:c472:021f | FORWARD |
28   | 2    | ge1  | 0800:377d:453d | FORWARD |
29   | 2    | ge1  | 0048:5451:a393 | FORWARD |
30   | 2    | ge1  | 001e:8c8f:bd55 | FORWARD |
31   | 2    | ge1  | 0006:c432:027f | FORWARD |
32   | 2    | ge1  | 6cf0:4979:9a76 | FORWARD |
33   | 2    | ge1  | 001e:8c8f:b333 | DISCARD | STATIC        MAC filter
34   | 2    | ge1  | 021e:8c8f:b46e | FORWARD |
35   | 2    | ge1  | 0024:8c6e:d529 | FORWARD |
-------------------------------------------------------


IP Address Setting
You must set IP addresses for TiFRONT in order to communicate with other network devices, access TiFRONT
through a Telnet session, and to remotely manage it through the SNMP protocol. Carry out the following
procedure to set the IP address for TiFRONT.

Enable/Disable Interface
To set an IP address for a VLAN interface, you must first make sure that the interface is enabled for
communication. If it is disabled, no communication can be made through the interface. To check if an
interface is enabled, run the command show running-config in <Privileged Mode> or <Configuration
Mode>.

(config)# show running-config


!
no service password-encryption
!
hostname TiFRONT
!
spanning-tree mst config
!
no ip forwarding
!
interface lo
ip address 127.0.0.1/8
no shutdown
!
interface mgmt0
no shutdown
!
interface eth0
shutdown
!
interface eth1
shutdown
!
interface ge1
switchport
switchport mode access
flowcontrol receive off
flowcontrol send off
auto-negotiation on
jumbo-frame off
no shutdown
!
--More--


The VLAN interface is enabled by default. If the VLAN interface is disabled, you can enable it by using the
following commands in <Configuration Mode>.

  No.   Command              Description
  1     interface <IFNAME>   Change to the <Interface Configuration Mode> of the VLAN to be enabled.
  2     no shutdown          Enable the VLAN interface.

Note: You can disable the interface by using the shutdown command in <Interface Configuration Mode>.

IP Address Setting for Interface

IPv4 Address Setting
You can set an IPv4 address for a VLAN interface by running the following command in <Interface
Configuration Mode>.

Command: ip address <A.B.C.D/M>
Description: Set a Primary IPv4 address for a VLAN interface.

Command: ip address <A.B.C.D/M> secondary
Description: Set a Secondary IPv4 address for a VLAN interface.

Note: To delete an IPv4 address, run the command no ip address <A.B.C.D/M> [secondary] in <Interface Configuration Mode>.

IPv6 Address Setting

You can set an IPv6 address for a VLAN interface by running the following command in <Interface
Configuration Mode>.

Command: ipv6 address <X:X::X:X/M> [anycast]
Description: Set an IPv6 address for a VLAN interface. If you use the anycast option, this address is used for
anycast.

Note: To delete an IPv6 address, run the command no ipv6 address <X:X::X:X/M> [anycast] in <Interface Configuration Mode>.

Checking the IP Settings


To check the IP address of an interface, run the command show {ip | ipv6} interface brief in <User
Mode> or <Privileged Mode>.

Adding Default Gateway


A default gateway is the device that forwards traffic when you access a network other than the local one. For
TiFRONT to send frames to a network that does not exist in the routing table, you must set the default
gateway.


You can add a default gateway by using the following commands in <Configuration Mode>.

Command: ip route {0.0.0.0/0 | 0.0.0.0 0.0.0.0} {<A.B.C.D> | <INTERFACE>} [<1-255>]
Command: ipv6 route ::/0 {<X:X::X:X> | <INTERFACE>} [<1-255>]
Description: Add a default gateway.
  <A.B.C.D>    IPv4 address of the default gateway
  <X:X::X:X>   IPv6 address of the default gateway
  <INTERFACE>  Name of the interface connected to the default gateway
  <1-255>      Priority required for selection as the default gateway. The gateway that has the highest
               priority becomes the default gateway. Setting range: 1 - 255 (a smaller value has a higher
               priority)

Note: To delete an IPv4 default gateway, run the command no ip route {0.0.0.0/0 | 0.0.0.0 0.0.0.0} {<A.B.C.D> | <INTERFACE>}
[<1-255>] in <Configuration Mode>.
Note: To delete an IPv6 default gateway, run the command no ipv6 route ::/0 {<X:X::X:X/M> | <INTERFACE>} [<1-255>] in
<Configuration Mode>.

Checking the Gateway Settings


To check the gateway settings, run the command show {ip | ipv6} route in <User Mode> or <Privileged
Mode>.

Adding Fixed Route


A fixed route is a user-defined route to be passed through when packets move from the source to the
destination. A fixed route is necessary when setting TiFRONT as a route for a specific destination host or
network. A fixed route consists of the destination IP address, subnet mask, and gateway IP address or
interface name.
TiFRONT supports routing path backup for the same destination. When you enter a priority when setting a
fixed route, the route with the highest priority becomes the master route. If the master route has a problem,
the traffic is sent through the backup route that has the next highest priority.


You can set a fixed route by using the following commands in <Configuration Mode>.

Command: ip route {<A.B.C.D/M> | <A.B.C.D> <A.B.C.D>} {<A.B.C.D> | <INTERFACE>} [<1-255>]
Command: ipv6 route <X:X::X:X/M> {<X:X::X:X> | <INTERFACE>} [<1-255>]
Description: Set a fixed route.
  <A.B.C.D/M>          Destination IPv4 address and subnet mask bit
  <A.B.C.D> <A.B.C.D>  Destination IPv4 address and subnet mask
  <A.B.C.D>            Gateway IPv4 address
  <X:X::X:X/M>         Destination IPv6 address and subnet mask bit
  <X:X::X:X>           Gateway IPv6 address
  <INTERFACE>          Name of the interface connected to the gateway. If you enter null, black hole
                       routing is performed: the traffic to the specified destination is forwarded to a
                       virtual interface and discarded.
  <1-255>              This priority is used for setting the routing backup path for the same destination.
                       Setting range: 1 - 255 (a smaller value has a higher priority)

Note: To delete a fixed route from the IPv4 routing table, run the command no ip route {<A.B.C.D/M> | <A.B.C.D> <A.B.C.D>}
{<A.B.C.D> | <INTERFACE>} [<1-255>] in <Configuration Mode>.
Note: To delete a fixed route from the IPv6 routing table, run the command no ipv6 route <X:X::X:X/M> {<A.B.C.D> | <INTERFACE>}
[<1-255>] in <Configuration Mode>.

Checking Fixed Route Information


To check the fixed route information, run the command show {ip | ipv6} route in <User Mode> or
<Privileged Mode>.

IPv6 Neighbor Setting


In the IPv6 environment, the information (IP address and MAC address) of neighbor nodes obtained through
the NDP (Neighbor Discovery Protocol) is automatically entered in a neighbor table, but the network
administrator may also enter it manually. You can enter the neighbor information (IPv6 address and MAC
address) by using the following command in <Configuration Mode>.

Command: ipv6 neighbor <X:X::X:X> <IFNAME> <MAC>
Description: Manually enter the neighbor information (IPv6 address and MAC address).
  <X:X::X:X>  IPv6 address of the neighbor
  <IFNAME>    Interface connected to the neighbor
  <MAC>       MAC address of the neighbor


Note: To delete the neighbor information, run the command no neighbor <X:X::X:X> <IFNAME> in <Configuration Mode>.

Note: To check the neighbor information, run the command show ipv6 neighbors in <User Mode> or <Privileged Mode>.

Interface Description Setting


You can set the description of an interface by running the following command in <Interface Configuration
Mode>.

Command: description <LINE>
Description: Enter a description of the interface.

Note: To delete the interface description, run the no description command in <Interface Configuration Mode>.

Checking Interface Description


To check the interface description, run the command show interface [<IFNAME>] in <User Mode> or
<Privileged Mode>.

Configuration examples
In this example, the IP address and the default gateway of the default VLAN were set as shown in the
following table. Then, the settings were queried.

Default VLAN Setting
Configuration item      Set value
Primary IP address      192.167.201.33/24
Secondary IP address    192.167.201.34/24
Interface Description   This is a description test.

Default Gateway Setting
Configuration item      Set value
Gateway address         192.167.201.1

(config)# interface vlan1                                    Enter the <Interface Configuration Mode> of the default VLAN
(config-if-vlan1)# ip address 192.167.201.33/24              Set the primary IP address
(config-if-vlan1)# ip address 192.167.201.34/24 secondary    Set the secondary IP address
(config-if-vlan1)# description This is a description test.   Enter the interface description
(config-if-vlan1)# exit
(config)# show ip interface brief                            Show the IP settings
Interface   IP-Address       Status   Protocol
lo          127.0.0.1        up       up
mgmt0       UNASSIGNED       up       up
mon         UNASSIGNED       up       up
vlan1       192.167.201.33   up       up
(config)# exit

# show interface vlan1                                       Show the default VLAN settings.
Interface vlan1
Hardware is Ethernet, address is 0006.c472.0203
Description: This is a description test.
index 39 metric 1 mtu 1500 <UP,BROADCAST,RUNNING,MULTICAST>
VRF Binding: Not bound
inet 192.167.201.33/24 broadcast 192.167.201.255
inet 192.167.201.34/24 broadcast 192.167.201.255 secondary
VRRP Master of : VRRP is not configured on this interface.
input packets 11379, bytes 773772, dropped 0, multicast packets 11379
input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0
output packets 6, bytes 492, dropped 0
output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0
collisions 0
(config)# ip route 0.0.0.0/0 192.167.201.1                   Add a default gateway
(config)# show ip route                                      Show the gateway settings
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Gateway of last resort is 192.167.201.1 to network 0.0.0.0
S*   0.0.0.0/0 [1/0] via 192.167.201.1, vlan1
C    127.0.0.0/8 is directly connected, lo
C    192.167.201.0/24 is directly connected, vlan1


ARP Table Setting


ARP (Address Resolution Protocol) is a protocol used to match IP addresses to MAC addresses on the network.
The ARP table content is automatically written when the MAC address matching the IP address is found
through ARP (dynamic ARP). The network administrator may directly enter the MAC addresses of specific IP
addresses and use them on the network.
You can match an IP address to a MAC address by using the following command in <Configuration Mode>.

Command: arp <A.B.C.D> <MAC>
Description: Enter an IP address and a MAC address in the ARP table.

Note: To delete a static ARP cache item, run the command no arp <A.B.C.D> in <Configuration Mode>.

Note: To delete a dynamic ARP cache item, run the command clear arp <A.B.C.D> in <Configuration Mode>.

Note: The ARP table of TiFRONT can store up to 10240 ARP entries.

Checking the ARP Settings


To check the ARP settings, run the command show arp in <User Mode> or <Privileged Mode>.

Configuration examples
In this example, the following IP address and MAC address were entered in the ARP table, and the settings
were queried.

Configuration item   Set value
IP address           192.168.201.236
MAC address          001E.8C8F.B333

(config)# arp 192.168.201.236 001E.8C8F.B333   Enter an IP address and a MAC address in the ARP table.
(config)# exit
# show arp                                      Show the ARP settings
Address           HWaddress           Interface   Type
192.168.201.236   00:1E:8C:8F:B3:33   vlan2       Static


ECMP (Equal Cost Multi-Path) Setting


ECMP sends traffic through multiple paths that have the same cost for one destination. The interface
overload is prevented by sending packets through multiple interfaces. TiFRONT performs packet routing
through the ECMP function by default. For load distribution, the hashing method is used. The hash key is
calculated by using the source IP address, destination IP address, and source and destination port numbers.
You can set the ECMP hash key calculation method by using the following command in <Configuration
Mode>.

Command: ecmp {ip-dst | ip-src | l4port}
Description: Set the ECMP hash key calculation method. By default, all the three values are used to
calculate the hash key.
  ip-dst:  The destination IP address is used to calculate the hash key.
  ip-src:  The source IP address is used to calculate the hash key.
  l4port:  The source/destination port numbers are used to calculate the hash key.
Note: To delete the ECMP hash key calculation method, run the command no ecmp {ip-dst | ip-src | l4port} in <Configuration Mode>.
The ECMP function does not work if all ECMP hash key calculation methods are deleted.
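The effect of the hash key selection is easiest to see in a small model. The following Python example is added here and is not PIOLINK code; the switch's real hash function is not documented, so a truncated SHA-256 over the selected fields stands in for it, and the flows, next hops and addresses are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# The three hash key methods of the ecmp command.
HASH_FIELDS = ("ip-src", "ip-dst", "l4port")


@dataclass(frozen=True)
class Flow:
    """The header fields that ECMP can hash (constructed for this example)."""
    ip_src: str
    ip_dst: str
    l4_src: int
    l4_dst: int


def ecmp_hash_key(flow: Flow, fields) -> bytes:
    """Build the hash input from only the enabled methods."""
    unknown = set(fields) - set(HASH_FIELDS)
    if unknown:
        raise ValueError(f"unknown hash key method(s): {sorted(unknown)}")
    parts = []
    if "ip-src" in fields:
        parts.append(flow.ip_src)
    if "ip-dst" in fields:
        parts.append(flow.ip_dst)
    if "l4port" in fields:
        parts.append(f"{flow.l4_src}:{flow.l4_dst}")
    return "|".join(parts).encode()


def select_path(flow: Flow, fields, paths):
    """Pick one of the equal-cost next hops for a flow.

    Assumption: a truncated SHA-256 stands in for the switch's own hash;
    only which fields feed the hash matters for this example.
    """
    if not fields:
        # Mirrors the note above: with every method deleted, ECMP does not work.
        raise ValueError("ECMP is not active: no hash key calculation method is set")
    if not paths:
        raise ValueError("no equal-cost paths to choose from")
    digest = hashlib.sha256(ecmp_hash_key(flow, fields)).digest()
    return paths[int.from_bytes(digest[:4], "big") % len(paths)]


def paths_used(flows, fields, paths):
    """Set of next hops that a collection of flows is spread over."""
    return {select_path(f, fields, paths) for f in flows}


# Constructed sample: eight client connections to one server on port 443
# with two equal-cost next hops.
PATHS = ("10.0.0.1 via vlan10", "10.0.0.2 via vlan20")
FLOWS = [Flow(f"192.168.1.{n}", "10.0.0.5", 40000 + n, 443) for n in range(1, 9)]


if __name__ == "__main__":
    # Keeping only ip-dst collapses every flow to the same next hop (the
    # interface overload ECMP is meant to prevent); all three methods spread them.
    print("ip-dst only :", paths_used(FLOWS, {"ip-dst"}, PATHS))
    print("all methods :", paths_used(FLOWS, set(HASH_FIELDS), PATHS))
```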

Checking the ECMP Setting


To check the ECMP settings, run the command show ecmp in <User Mode> or <Privileged Mode>.

Console Data Transmission Speed Setting


In TiFRONT, you can change the console data transmission speed (bits per second). To set the console data
transmission speed, run the following command in <Configuration Mode>.

Command: console baud-rate {9600 | 115200 | boot}
Description: Set the console data transmission speed.
  boot:  Use the environment variable of the boot loader. (The device must be rebooted before the setting
         is changed.)


Port Mirroring Setting


Overview
Port mirroring sends copies of all the packets of a specific port to another port. The target port of port
mirroring is called the Mirrored Port, and the port that monitors the mirrored port by receiving the traffic of
the mirrored port is called the Mirroring Port.

Mirroring Port
The mirroring port receives all the copied data from the mirrored port. You can use any port of TiFRONT as
the mirroring port except the management Ethernet port. In general, a network analyzer or RMON (Remote
Network Monitoring) is connected to the mirroring port for network monitoring. The mirroring port only
works for receiving data from the mirrored port while it is performing port mirroring. It returns to normal L2
operation if port mirroring is disabled.

Mirrored Port
The mirrored port is the port monitored by the mirroring port. Unlike the mirroring port, the mirrored port
performs normal L2 operation while it is performing port mirroring. TiFRONT allows the simultaneous setting
of multiple mirrored ports. However, the total bandwidth of the mirrored ports must not exceed the
bandwidth of the mirroring port.
The following figure shows an example of port mirroring in TiFRONT.

[Figure - Port Mirroring (labels: Ingress, Egress, Mirrored port, Mirrored port, Mirroring port)]

In the above figure, port 10 is the port that mirrors the ingress traffic of port 4 (traffic received at TiFRONT)
and the egress traffic of port 12 (traffic sent by TiFRONT). If you connect an IDS (Intrusion Detection System)
server to port 10 to mirror the traffic of ports 4 and 12, you can detect network attacks on ports 4 and 12.
With the port mirroring function of TiFRONT, you can monitor all traffic on the network connected to
TiFRONT. This function is mainly used as a tool for solving problems on the network or for providing better
network security.


Port Mirroring Setting


To use port mirroring, you must set the mirroring rules. The maximum number of mirroring rules that can be
set depends on the traffic direction of the mirrored port and the model. For TiFRONT-F26/F26P/G24/G24P,
four mirroring rules each for sending and receiving can be set. For TiFRONT-G48/G48P, two mirroring rules
each for sending and receiving can be set. When setting for both directions, one rule is calculated as the
setting of one rule each for sending and receiving. The following is the maximum setting of mirroring rules
for TiFRONT-G24.

Mirroring port   Mirrored port   Traffic direction
ge3              ge10 ~ ge12     Receiving
                 ge13 ~ ge14     Sending
ge4              ge15 ~ ge17     Receiving
                 ge18 ~ ge20     Sending
ge5              ge21 ~ ge22     Sending and receiving
                 ge23 ~ ge24     Sending and receiving

You can set the mirroring rule by using the following command in <Configuration Mode>.

Command: mirror <IFNAME> mirrored <IFNAME> {both | in | out}
Description: Set the mirroring port, mirrored port, and traffic direction to be mirrored.
  <IFNAME> (first)   Mirroring port number
  <IFNAME> (second)  Mirrored port number
  both:  Both the incoming and outgoing traffic of the mirrored port are mirrored.
  in:    The incoming traffic of the mirrored port is mirrored.
  out:   The outgoing traffic of the mirrored port is mirrored.

Caution: The sum of the bandwidths of mirrored ports must not be equal to or larger than the bandwidth of the mirroring port. If the sum of the
bandwidths of mirrored ports is larger than the bandwidth of the mirroring port, traffic that is equal to the difference will be lost.
Caution: If PVST+, RPVST+, and MSTP are set, the mirroring port and mirrored ports must belong to the same instance. Because only one VLAN can
be allocated for one instance of PVST+/RPVST+, the mirroring and mirrored ports must belong to the same VLAN. Otherwise, port mirroring does
not work properly.

Note: To delete a mirroring rule, run the command no mirror <IFNAME> mirrored <IFNAME> in <Configuration Mode>.

Note: If the mirrored port is an egress port, the mirrored packets are tagged before they are sent to the mirroring port.

Note: For TiFRONT-G48/G48P, ports are divided into two groups (ge1 ~ ge24, ge25 ~ ge48). When using the port mirroring function in these
products, you must set the mirroring and mirrored ports in the same group.
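The rule limits, the port-group restriction and the bandwidth caution above can be checked before a change is typed in. The Python validator below is an added example, not PIOLINK code; the per-model limits come from this section, while the port speeds and the expected traffic per mirrored port are inputs you supply (the sample values are constructed).

```python
from __future__ import annotations
import re

# Maximum mirroring rules per traffic direction, as stated for each model.
RULES_PER_DIRECTION = {
    "TiFRONT-F26": 4, "TiFRONT-F26P": 4, "TiFRONT-G24": 4, "TiFRONT-G24P": 4,
    "TiFRONT-G48": 2, "TiFRONT-G48P": 2,
}
# Models whose ports are split into two groups (ge1 ~ ge24, ge25 ~ ge48).
GROUPED_MODELS = {"TiFRONT-G48", "TiFRONT-G48P"}
PORTS_PER_GROUP = 24
MANAGEMENT_PORTS = {"mgmt0"}   # the management Ethernet port cannot be a mirroring port
DIRECTIONS = ("both", "in", "out")


def port_number(name: str) -> int:
    m = re.fullmatch(r"[a-z]+(\d+)", name)
    if not m:
        raise ValueError(f"unrecognised port name: {name}")
    return int(m.group(1))


def port_group(name: str) -> int:
    """0 for ge1 ~ ge24, 1 for ge25 ~ ge48."""
    return (port_number(name) - 1) // PORTS_PER_GROUP


def validate_mirroring(model, rules, port_speed_mbps=None, expected_load_mbps=None):
    """Check a list of (mirroring_port, mirrored_port, direction) rules.

    Returns a list of violations; an empty list means the rules are acceptable.
    port_speed_mbps and expected_load_mbps are assumed inputs: link speed per
    port, and the traffic you expect each mirrored port to carry.
    """
    if model not in RULES_PER_DIRECTION:
        raise ValueError(f"unknown model: {model}")
    errors = []
    limit = RULES_PER_DIRECTION[model]

    # A 'both' rule counts as one receiving and one sending rule.
    receiving = sum(1 for _, _, d in rules if d in ("in", "both"))
    sending = sum(1 for _, _, d in rules if d in ("out", "both"))
    if receiving > limit:
        errors.append(f"{receiving} receiving rules exceed the limit of {limit} for {model}")
    if sending > limit:
        errors.append(f"{sending} sending rules exceed the limit of {limit} for {model}")

    for mirroring, mirrored, direction in rules:
        if direction not in DIRECTIONS:
            errors.append(f"{mirroring}/{mirrored}: direction must be one of {DIRECTIONS}")
        if mirroring in MANAGEMENT_PORTS:
            errors.append(f"{mirroring} is the management port and cannot be a mirroring port")
        if model in GROUPED_MODELS and port_group(mirroring) != port_group(mirrored):
            errors.append(f"{mirroring} and {mirrored} are not in the same port group on {model}")

    # Bandwidth caution: traffic copied to a mirroring port must stay below its link speed,
    # otherwise the excess is lost and the IDS behind it sees an incomplete picture.
    if expected_load_mbps:
        speeds = port_speed_mbps or {}
        copied: dict[str, int] = {}
        for mirroring, mirrored, _ in rules:
            copied[mirroring] = copied.get(mirroring, 0) + expected_load_mbps.get(mirrored, 0)
        for mirroring, total in copied.items():
            speed = speeds.get(mirroring, 1000)
            if total >= speed:
                errors.append(f"{total} Mbps mirrored to {mirroring} is not below its {speed} Mbps link")
    return errors


if __name__ == "__main__":
    # Constructed sample: ge1 monitors ge2 ~ ge5 in both directions on a G24.
    sample = [("ge1", f"ge{n}", "both") for n in range(2, 6)]
    print(validate_mirroring("TiFRONT-G24", sample) or "rules acceptable")
    print(validate_mirroring("TiFRONT-G48", [("ge1", "ge30", "in")]))
```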


Checking Port Mirroring Setting


To check the port mirroring settings, run the command show mirror in <User Mode>, <Privileged Mode>,
or <Configuration Mode>.

Configuration examples
In the following example, port mirroring was set and the settings were queried.

(config)# mirror ge1 mirror ge2,ge3 both   The incoming and outgoing traffic of the ge2 and ge3 ports are mirrored by the ge1 port
(config)# show mirroring                   Show port mirroring settings
---------------------------------------------------
Mirroring configuration
---------------------------------------------------
Monitor Port = ge1
Mirrored Port : ge2 (both)
Mirrored Port : ge3 (both)


Port Failover Setting


Overview
Port Failover sets multiple ports (up to 4) as a group so that when the master port has a problem, a backup
port can replace it. In TiFRONT, you can set up to 4 port failover groups, and specify 2-4 ports in one port
failover group. When you set a port failover group, the port having the highest priority becomes the master
port and works in link up state. The other ports of the group become the backup ports and stay in link down
state. When there is a problem with the master port, the port having the highest priority among the backup
ports changes to link up state and replaces the master port.
The priorities of the ports in each port failover group are determined by the weight, port number, and
bandwidth (port speed). First, the port with a greater weight has a higher priority. If the weights are
equal (for example, when no weight is set; default value: 0), the port with a smaller port number has a
higher priority. Lastly, if the port numbers are identical, such as fe1 ~ fe2 and ge1 ~ ge2 of
TiFRONT-F26/F26P, the port with a greater bandwidth has a higher priority.

Port Failover Setting


You can set port failover by running the following command in <Interface Configuration Mode>.

Command: failover-channel-group <1-4> [weight <1-4>]
Description: Set the port failover group number and port weight.
  <1-4> (group)   Enter the number of the port failover group that is defined in TiFRONT. Setting range: 1 ~ 4
  <1-4> (weight)  Set the port weight. A larger value has a greater weight. You cannot set the same weight
                  for ports in the same group. (Setting range: 1 ~ 4. Default value: 0)
                  Note: The weight is set to 0, which is the lowest priority, if no weight is specified.

Caution: You cannot set the port failover function for ports for which port trunking or LACP is set.

Note: To delete the port failover setting, run the command no failover-channel-group in <Interface Configuration Mode>.
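The priority rules of the overview (weight, then port number, then bandwidth) and the group constraints of the table can be modelled to predict which port will carry traffic after a fault. The Python example below is added here and is not PIOLINK code; the link speeds it assumes for the fe and ge port prefixes (100 and 1000 Mbps) are an assumption for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumed link speed per port prefix (Mbps): fe = Fast Ethernet, ge = Gigabit Ethernet.
PORT_SPEED_MBPS = {"fe": 100, "ge": 1000}
MAX_GROUPS = 4
MIN_PORTS, MAX_PORTS = 2, 4
MAX_WEIGHT = 4


@dataclass
class Port:
    name: str
    weight: int = 0        # 0 means no weight was set (the lowest priority)
    link_ok: bool = True   # False models a fault on the physical link

    def split(self) -> tuple[str, int]:
        m = re.fullmatch(r"([a-z]+)(\d+)", self.name)
        if not m or m.group(1) not in PORT_SPEED_MBPS:
            raise ValueError(f"unrecognised port name: {self.name}")
        return m.group(1), int(m.group(2))

    def priority_key(self) -> tuple[int, int, int]:
        """Sorting ascending on this key puts the highest-priority port first:
        greater weight, then smaller port number, then greater bandwidth."""
        prefix, number = self.split()
        return (-self.weight, number, -PORT_SPEED_MBPS[prefix])


class FailoverGroup:
    def __init__(self, group_id: int, ports: list[Port]):
        if not 1 <= group_id <= MAX_GROUPS:
            raise ValueError(f"group number must be 1 ~ {MAX_GROUPS}")
        if not MIN_PORTS <= len(ports) <= MAX_PORTS:
            raise ValueError(f"a group needs {MIN_PORTS} to {MAX_PORTS} ports")
        for p in ports:
            if not 0 <= p.weight <= MAX_WEIGHT:
                raise ValueError(f"{p.name}: weight must be 1 ~ {MAX_WEIGHT} (0 = not set)")
        set_weights = [p.weight for p in ports if p.weight]
        if len(set_weights) != len(set(set_weights)):
            raise ValueError("ports in the same group cannot have the same weight")
        self.group_id = group_id
        self.ports = sorted(ports, key=Port.priority_key)

    def master(self) -> Port | None:
        """The highest-priority port whose link is healthy, or None if all have failed."""
        return next((p for p in self.ports if p.link_ok), None)

    def states(self) -> dict[str, str]:
        """ON for the port carrying traffic, OFF for backups, as show failover-channel-group reports."""
        master = self.master()
        return {p.name: "ON" if p is master else "OFF" for p in self.ports}

    def set_link(self, name: str, link_ok: bool) -> Port | None:
        """Change a port's link state and return the master after failover."""
        for p in self.ports:
            if p.name == name:
                p.link_ok = link_ok
                return self.master()
        raise KeyError(name)


if __name__ == "__main__":
    # The configuration example of this section: ge1 ~ ge4 in group 1 with weights 4, 3, 2, 1.
    group = FailoverGroup(1, [Port("ge1", 4), Port("ge2", 3), Port("ge3", 2), Port("ge4", 1)])
    print(group.states())
    print("after ge1 fails:", group.set_link("ge1", False).name)
```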

Checking Port Failover Setting


To check the port failover setting, run the command show failover-channel-group in <Privileged
Mode>.


Configuration examples
In this example, the ports ge1 to ge4 are set as failover group 1 and the port failover setting is queried.

(config)# interface ge1                                Enter the <Interface Configuration Mode> of ge1 port.
(config-if-ge1)# failover-channel-group 1 weight 4     Set port backup group
(config-if-ge1)# exit
(config)# interface ge2                                Enter the <Interface Configuration Mode> of ge2 port.
(config-if-ge2)# failover-channel-group 1 weight 3     Set port backup group
(config-if-ge2)# exit
(config)# interface ge3                                Enter the <Interface Configuration Mode> of ge3 port.
(config-if-ge3)# failover-channel-group 1 weight 2     Set port backup group
(config-if-ge3)# exit
(config)# interface ge4                                Enter the <Interface Configuration Mode> of ge4 port.
(config-if-ge4)# failover-channel-group 1 weight 1     Set port backup group
(config-if-ge4)# end
# show failover-channel-group                          Show the settings
-------------------------------------------
PORT  |    GROUP    | WEIGHT | SPEED | STATE
      |   1 2 3 4   |        |       |
------+-------------+--------+-------+-----
ge1   |   o . . .   |   4    | 1000  | ON
ge2   |   o . . .   |   3    | 1000  | OFF
ge3   |   o . . .   |   2    | 1000  | OFF
ge4   |   o . . .   |   1    | 1000  | OFF
ge5   |   . . . .   |   0    | 1000  | OFF
ge6   |   . . . .   |   0    | 1000  | OFF
ge7   |   . . . .   |   0    | 1000  | OFF
ge8   |   . . . .   |   0    | 1000  | OFF
ge9   |   . . . .   |   0    | 1000  | OFF
ge10  |   . . . .   |   0    | 1000  | OFF
ge11  |   . . . .   |   0    | 1000  | OFF
ge12  |   . . . .   |   0    | 1000  | OFF
ge13  |   . . . .   |   0    | 1000  | OFF
ge14  |   . . . .   |   0    | 1000  | OFF
ge15  |   . . . .   |   0    | 1000  | OFF
ge16  |   . . . .   |   0    | 1000  | OFF
ge17  |   . . . .   |   0    | 1000  | OFF
ge18  |   . . . .   |   0    | 1000  | OFF
ge19  |   . . . .   |   0    | 1000  | OFF
ge20  |   . . . .   |   0    | 1000  | OFF
ge21  |   . . . .   |   0    | 1000  | OFF
ge22  |   . . . .   |   0    | 1000  | OFF
ge23  |   . . . .   |   0    | 1000  | OFF
ge24  |   . . . .   |   0    | 1000  | OFF
-------------------------------------------
FAILOVER Group : Group 1 / 2 / 3 / 4
FAILOVER Weight : Weight Value(1~4)
FAILOVER Speed : 10000 / 1000 / 100 / 10 Mbps
FAILOVER State : Operation ON / OFF


DHCP Setting
DHCP (Dynamic Host Configuration Protocol) is a protocol with a client and server structure, where the DHCP
server automatically allocates IP addresses to the DHCP clients and manages them. With DHCP, a DHCP
client can easily access the network without knowledge about the network environment settings (IP address,
subnet mask, and DNS server). Furthermore, the limited IP resources can be saved because an IP address is
allocated only while the DHCP client is working.
TiFRONT provides the following functions to support the DHCP network environment.

DHCP Server: TiFRONT plays the role of a DHCP server and allocates IP addresses to the connected hosts.

DHCP Relay Agent: This is located between a DHCP server and a DHCP client and relays DHCP messages.

DHCP Server Settings


IP Pool Setting
In order to use the DHCP server function, you must set the IP Pool that stores the subnet, default gateway,
DNS server, and IP address range to be allocated to clients. You can set the IP Pool by using the following
commands in <Configuration Mode>. In TiFRONT, you can set up to 8 IP pools.

No. 1
Command: ip dhcp pool <WORD>
Description: Create an IP pool and enter the <DHCP server configuration mode>.
  <WORD>  IP pool name

No. 2
Command: network {<A.B.C.D/M> | <A.B.C.D> <A.B.C.D>}
Description: Set the subnet to be used in a DHCP server.
  <A.B.C.D/M>          Subnet IP range and subnet mask bit
  <A.B.C.D> <A.B.C.D>  Subnet IP range and subnet mask
  Note: To delete a subnet, run the command no network.

No. 3
Command: default-router <A.B.C.D>
Description: Set the default gateway of the subnet.
  <A.B.C.D>  IP address of the default gateway
  Note: To delete a default gateway, run the command no default-router <A.B.C.D>.

No. 4
Command: range <A.B.C.D> <A.B.C.D>
Description: Set the IP address range to be allocated to the DHCP client. You can set an IP address range
including up to 512 IP addresses for one IP pool.
  <A.B.C.D>  Starting IP address of the IP address range
  <A.B.C.D>  Ending IP address of the IP address range
  Note: To delete an IP address range, run the command no range [<A.B.C.D> <A.B.C.D>].

No. 5
Command: lease {<0-30> <0-24> <0-60> | infinite}
Description: Set the lease time of the IP address.
  <0-30> <0-24> <0-60>  Set the lease time in the order of days, hours, and minutes. Default value: 1 (day)
  infinite              No time limit
  Note: To change the IP address lease time to the default value, run the no lease command.

No. 6
Command: dns-server <A.B.C.D>
Description: Set the DNS server.
  <A.B.C.D>  DNS server IP address
  Note: To delete a DNS server, run the command no dns-server <A.B.C.D>.

No. 7
Command: domain-name <WORD>
Description: Set the domain name to be used in the IP pool.
  Note: To delete a domain name, run the command no domain-name.

No. 8
Command: fixedaddr <HOSTNAME> <HHHH.HHHH.HHHH> <A.B.C.D> (Optional)
Description: Allocate a fixed IP address to a specific client.
  <HOSTNAME>        Host name of the client
  <HHHH.HHHH.HHHH>  MAC address of the client
  <A.B.C.D>         Fixed IP to be allocated to the client
  Note: To cancel the fixed IP address, run the command no fixedaddr <HOSTNAME>.

Note: To delete an IP pool, run the command no ip dhcp pool <WORD> in <Configuration Mode>.

Note: If a DHCP relay agent is connected, you must additionally set an IP pool whose IP address range and subnet is the IP address and subnet of
the DHCP relay agent.

Interface Setting
You can set a VLAN interface to which the DHCP server function will be applied by using the following
commands in <Configuration Mode>.

Command: ip dhcp server-interface <IFNAME>
Description: Set the VLAN interface to which the DHCP server function will be applied.

Caution: You must specify the VLAN of the IP range that is identical to the subnet specified in the IP pool. If the IP range is different, the DHCP
server will not work normally.

Note: To delete the specified interface, run the command no dhcp server-interface <IFNAME> in <Configuration Mode>.

Enabling DHCP Server


You can enable the DHCP server function by using the following commands in <Configuration Mode>.

Command: service dhcp
Description: Enable the DHCP server function.

Note: You cannot enable the DHCP server function if an IP pool is not set.

Note: To disable the DHCP server function, run the command no service dhcp in <Configuration Mode>.

Resetting IP Address Allocation

To reset the IP address allocated for the DHCP client, run the following command in <User Mode> or
<Privileged Mode>.

Command: clear ip dhcp binding-list {<A.B.C.D> | all}
Description: Reset the IP address allocated to the DHCP client.
  <A.B.C.D>  IP address of the client to be reset
  all        The IP address allocations of all clients are reset.

DHCP Packet Statistics Setting


You can set the DHCP packet statistics function by using the following commands in <Configuration Mode>.

Command: ip dhcp statistics {enable | disable}
Description: Set the status of the DHCP packet statistics.

Checking the DHCP Server Information


To check the settings and status of the DHCP server, run the following command in <User Mode> or
<Privileged Mode>.

Command: show service dhcp
Description: Check the enabled status of the DHCP server function.

Command: show ip dhcp
Description: Check the enabled status of the DHCP server and the IP pool list.

Command: show ip dhcp pool [<WORD>]
Description: Check the settings of the IP pool.

Command: show ip dhcp pool binding
Description: Check the allocated IP address and the DHCP client information.

Command: show ip dhcp pool usage
Description: Check the usage of the IP pool.

Command: show ip fixed-ip host
Description: Check the fixed IP address allocation settings.


Checking the DHCP Packet Statistics Information


To check the statistics of DHCP packets, run the following command in <User Mode> or <Privileged Mode>.

Command: show ip dhcp statistics
Description: Check the DHCP packet statistics information.

Note: To reset the DHCP packet statistics, run the command clear ip dhcp statistics in <Configuration Mode>.

DHCP Relay Agent Setting


As the DHCP messages between the DHCP server and client are broadcast, the DHCP server and client must
be located in the same subnet. This is irrelevant if a single subnet is used, but in a network environment
using multiple subnets, each subnet needs its own DHCP server.
To address this problem, TiFRONT provides the DHCP relay agent function. With the DHCP relay agent
function, TiFRONT relays DHCP messages and allows DHCP servers and clients that are in different subnets to
exchange DHCP messages.

DHCP Relay Agent Setting


To use the DHCP relay agent, you must set the DHCP server information and the DHCP message receiving
interface. You can set the DHCP relay agent by using the following commands in <Configuration Mode>.

No. 1
Command: ip dhcp-relay
Description: Enter the <DHCP relay configuration mode>.

No. 2
Command: server-list ip <A.B.C.D>
Description: Set the DHCP servers. You can set up to 8 DHCP servers.
  <A.B.C.D>  IP address of the DHCP server
  Note: To delete a DHCP server, run the command no server-list ip <A.B.C.D>.

No. 3
Command: interface-list <IFNAME>
Description: Set the VLAN interface to receive DHCP messages. You must set the VLAN to which the client
belongs and the VLAN to which the server belongs.
  Note: To delete a DHCP message reception interface, run the command no interface-list <IFNAME>.

DHCP Option-82 Setting

DHCP Option-82 is a function of the DHCP relay agent which forwards DHCP request messages together with
the port number on which the message was received and its own MAC address. The DHCP server authenticates
the client and determines whether or not to allocate an IP address using this information. You can set the
DHCP Option-82 function by using the following commands in <Configuration Mode>.

No. 1
Command: ip dhcp-relay
Description: Enter the <DHCP relay configuration mode>.

No. 2
Command: option82 {append | forward | replace}
Description: Enable Option-82 and specify the processing method. If the DHCP request message from the
client does not contain the Option-82 information, the Option-82 is added and sent to the DHCP server for
all three methods. When a DHCP request message containing the Option-82 information is received, the relay
agent works as follows depending on the specified processing method.
  append:   The received Option-82 information is maintained and its own Option-82 information is
            additionally sent.
  forward:  The received Option-82 information is sent as it is.
  replace:  The received Option-82 information is deleted and its own Option-82 information is sent.
  Note: To disable the Option-82 function, run the command no option82.
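The three processing methods differ only in what happens to Option-82 information that a request already carries, which matters because the DHCP server uses that information to decide on the client. The Python model below is an added example, not PIOLINK code: it encodes the receiving port number as the circuit-ID sub-option and the relay's MAC as the remote-ID sub-option (the page does not specify the sub-option layout, so this is an assumption), and the sample messages and addresses are constructed.

```python
from __future__ import annotations
import struct

OPTION_MESSAGE_TYPE = 53
OPTION_AGENT_INFO = 82       # DHCP Relay Agent Information option (Option-82)
OPTION_END = 255
OPTION_PAD = 0
SUBOPT_CIRCUIT_ID = 1        # carries the port the request arrived on (assumed layout)
SUBOPT_REMOTE_ID = 2         # carries the relay agent's own MAC address (assumed layout)
MODES = ("append", "forward", "replace")


def parse_options(data: bytes) -> list[tuple[int, bytes]]:
    """Decode a DHCP options field (code, length, value ...) up to the END option."""
    opts, i = [], 0
    while i < len(data):
        code = data[i]
        if code == OPTION_END:
            break
        if code == OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated DHCP option")
        length = data[i + 1]
        opts.append((code, bytes(data[i + 2:i + 2 + length])))
        i += 2 + length
    return opts


def build_options(opts) -> bytes:
    return b"".join(bytes([code, len(value)]) + value for code, value in opts) + bytes([OPTION_END])


def own_agent_info(port_number: int, relay_mac: bytes) -> bytes:
    """Option-82 value this relay would insert: circuit ID = port, remote ID = relay MAC."""
    circuit = struct.pack("!H", port_number)
    return (bytes([SUBOPT_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUBOPT_REMOTE_ID, len(relay_mac)]) + relay_mac)


def relay_request(options: bytes, mode: str, port_number: int, relay_mac: bytes) -> bytes:
    """Apply the configured option82 processing method to a client request's options."""
    if mode not in MODES:
        raise ValueError(f"option82 mode must be one of {MODES}")
    own = own_agent_info(port_number, relay_mac)
    opts = parse_options(options)
    received = [v for c, v in opts if c == OPTION_AGENT_INFO]
    others = [(c, v) for c, v in opts if c != OPTION_AGENT_INFO]
    if not received:
        agent = own                        # no Option-82 yet: every mode adds its own
    elif mode == "forward":
        agent = b"".join(received)         # pass the received information through unchanged
    elif mode == "append":
        agent = b"".join(received) + own   # keep what was received and add own sub-options
    else:
        agent = own                        # replace: drop the received information
    return build_options(others + [(OPTION_AGENT_INFO, agent)])


def agent_sub_options(options: bytes) -> dict[int, list[bytes]]:
    """What the DHCP server sees: Option-82 sub-option values keyed by sub-option code."""
    found: dict[int, list[bytes]] = {}
    for code, value in parse_options(options):
        if code != OPTION_AGENT_INFO:
            continue
        for sub, val in parse_options(value + bytes([OPTION_END])):
            found.setdefault(sub, []).append(val)
    return found


# Constructed sample messages (DHCPDISCOVER = message type 1). The relay MAC is the
# vlan1 address from the show interface output earlier in this chapter.
RELAY_MAC = bytes.fromhex("0006c4720203")
PLAIN_REQUEST = build_options([(OPTION_MESSAGE_TYPE, b"\x01")])
UPSTREAM_INFO = own_agent_info(7, bytes.fromhex("001e8c8fb333"))   # inserted by another relay
TAGGED_REQUEST = build_options([(OPTION_MESSAGE_TYPE, b"\x01"), (OPTION_AGENT_INFO, UPSTREAM_INFO)])


if __name__ == "__main__":
    for mode in MODES:
        out = relay_request(TAGGED_REQUEST, mode, 4, RELAY_MAC)
        print(f"{mode:8s} circuit IDs seen by server: {agent_sub_options(out)[SUBOPT_CIRCUIT_ID]}")
```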

Enabling DHCP Relay Agent


You can enable the DHCP relay agent function by using the following commands in <Configuration Mode>.

Command: service dhcp-relay
Description: Enable the DHCP relay agent function.

Note: You cannot enable the DHCP relay agent function if the DHCP server function is enabled.

Note: To disable the DHCP relay agent function, run the command no service dhcp-relay in <Configuration Mode>.

Checking the DHCP Relay Agent Settings

To check the DHCP relay agent settings, run the command show ip dhcp-relay in <User Mode> or
<Privileged Mode>.

Configuration examples
In this example, the IP pool and interface of the DHCP server function were set as shown in the following
table. Then, the settings were queried.

IP Pool Setting
Configuration item         Set value
Name                       pool1
Subnet                     192.168.200.0/24
Default gateway            192.168.1.1
IP address range           192.168.200.10 ~ 192.168.200.250
Usage time of IP address   10 hours
DNS server                 192.168.1.3
Domain name                tifront

Interface Setting
Configuration item   Set value
Interface            vlan10

(config)# ip dhcp pool pool1                           Create an IP pool and enter the <DHCP server configuration mode>.
(dhcp-config)# network 192.168.200.0/24                Set the subnet
(dhcp-config)# default-route 192.168.1.1               Set the default gateway
(dhcp-config)# range 192.168.200.10 192.168.200.250    Set the IP address range
(dhcp-config)# lease 0 10 0                            Set the usage time of the IP address
(dhcp-config)# dns-server 192.168.1.3                  Set the DNS server
(dhcp-config)# domain-name tifront                     Set the domain name
(dhcp-config)# exit
(config)# ip dhcp server-interface vlan10              Set the interface
(config)# service dhcp                                 Enable the DHCP server
(config)# end
# show service dhcp                                    Show the enabled state of the DHCP server
service dhcp enabled
# show ip dhcp pool                                    Show the IP pool settings
Pool pool1 :
network: 192.168.200.0/24
address range(s):
add: 192.168.200.10 to 192.168.200.250
lease <days:hours:minutes> <0:10:0>
domain: tifront
dns-server(s): 192.168.1.3
default-router(s): 192.168.1.1
no fixed address

In the next example, the DHCP relay agent function was set as shown in the following table, and then the
settings were queried.

Configuration item   Set value
DHCP Server          192.168.1.5
Interface            vlan10, vlan20
Option-82            forward

(config)# ip dhcp-relay                       Enter the <DHCP relay configuration mode>.
(dhcp-relay)# server-list ip 192.168.1.5      Set the DHCP server
(dhcp-relay)# interface-list vlan10           Set the interface
(dhcp-relay)# interface-list vlan20           Set the interface
(dhcp-relay)# option82 forward                Set the Option-82
(dhcp-relay)# exit
(config)# service dhcp-relay                  Enable the DHCP relay agent
# show ip dhcp-relay                          Show the DHCP relay agent settings
dhcp-relay enabled.
option82 status forward
dhcp-relay listen interface:
vlan10 vlan20
dhcp-server ip:
192.168.1.5


NetBIOS Filtering
In a LAN (Local Area Network), PCs use NetBIOS to communicate with each other. However, NetBIOS has
known security weaknesses. With the NetBIOS filtering function provided by TiFRONT, you can block NetBIOS
traffic on a port and so prevent personal information from being shared over NetBIOS, protecting privacy.
You can set the NetBIOS filtering function by running the following command in <Interface Configuration
Mode>.
Command
filter netbios

Description
Set the NetBIOS filtering function.

Checking the NetBIOS Filtering Settings
To check the NetBIOS filtering settings, run the command show filter netbios in <User Mode>, <Privileged
Mode>, or <Configuration Mode>.

DHCP Filtering
DHCP (Dynamic Host Configuration Protocol) is a protocol that automatically allocates IP addresses to DHCP
clients and manages them.
However, if a device that can itself act as a DHCP server, such as an IP sharer (home router), is connected on
the client side, DHCP communication may be disrupted. In this case, you can use the DHCP filtering function to
prevent the request and reply packets from being sent to such a device so that the DHCP service is provided normally.
You can set the DHCP filtering function by running the following command in <Interface Configuration
Mode>.
Command
filter dhcp {request | reply}

Description
Set the DHCP filtering function.

Caution: The DHCP server and the DHCP relay agent functions do not work if the DHCP filtering is set for a port.

Checking the DHCP Filtering Settings


To check the DHCP filtering settings, run the command show filter dhcp in <User Mode>, <Privileged
Mode>, or <Configuration Mode>.
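The filter works per port and per packet kind (request or reply). The following Python is an added example, not code from the TiFRONT guide or from PIOLINK: it parses constructed DHCP packets (BOOTP header plus option 53, and option 82 as a relay agent such as the one configured above would insert it) and applies a per-port policy. It assumes that "filter dhcp reply" on a port drops reply packets seen on that port, which is how a rogue DHCP server on a client port is stopped; the port names and packet bytes are constructed for the example.

```python
import struct

# BOOTP op codes and the DHCP message types carried in option 53 (RFC 2131/2132).
BOOTREQUEST, BOOTREPLY = 1, 2
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 7: "RELEASE"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed 236-byte BOOTP header plus the DHCP options that matter here."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops = struct.unpack("!4B", payload[:4])
    xid = struct.unpack("!I", payload[4:8])[0]
    chaddr = payload[28:28 + hlen].hex(":")
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                 # end option
            break
        if code == 0:                   # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options.get(53, b"\x00")[0]
    return {"op": op, "xid": xid, "chaddr": chaddr,
            "type": MSG_TYPES.get(msg_type, f"type{msg_type}"),
            "relay_info": options.get(82)}   # option 82 as inserted by a relay agent


def direction(msg: dict) -> str:
    """Clients send BOOTREQUEST ('request' packets); servers send BOOTREPLY ('reply' packets)."""
    return "request" if msg["op"] == BOOTREQUEST else "reply"


def filter_decision(port_filters: dict, port: str, payload: bytes) -> str:
    """Apply the port's 'filter dhcp {request | reply}' setting (assumed here to drop
    packets of that kind seen on the port) and return 'drop' or 'forward'."""
    return "drop" if direction(parse_dhcp(payload)) in port_filters.get(port, set()) else "forward"


def build_dhcp(op: int, msg_type: int, xid: int, mac: bytes, extra_options: bytes = b"") -> bytes:
    """Construct a minimal DHCP message for the example (not a real capture)."""
    header = struct.pack("!4BIHH4I", op, 1, 6, 0, xid, 0, 0, 0, 0, 0, 0)  # op .. giaddr
    header += mac + b"\x00" * 10        # chaddr is 16 bytes
    header += b"\x00" * 192             # sname (64) + file (128)
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type]) + extra_options + b"\xff"


# Constructed scenario: access ports ge1/ge2 carry 'filter dhcp reply', so an OFFER
# arriving from a rogue server on those ports is dropped; the uplink ge24 is unfiltered.
PORT_FILTERS = {"ge1": {"reply"}, "ge2": {"reply"}, "ge24": set()}
CLIENT_MAC = bytes.fromhex("020000000001")
DISCOVER = build_dhcp(BOOTREQUEST, 1, 0x1234, CLIENT_MAC)
# Option 82 (relay agent information) with a circuit-id sub-option, as a relay would add it.
ROGUE_OFFER = build_dhcp(BOOTREPLY, 2, 0x1234, CLIENT_MAC,
                         extra_options=bytes([82, 4, 1, 2, 0x00, 0x0a]))

if __name__ == "__main__":
    for port in ("ge1", "ge24"):
        for name, pkt in (("DISCOVER", DISCOVER), ("OFFER", ROGUE_OFFER)):
            print(port, name, parse_dhcp(pkt)["type"], filter_decision(PORT_FILTERS, port, pkt))
```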

74
TiFRONT User Guide

Network Connection Check


After finishing the basic network configuration, you can perform the following tasks to check the network
connection:
Ping Connection test
Packet route tracking

Ping Connection Test


You can use the ping command to check the network connection of a remote host. The ping command sends
the ICMP (Internet Control Message Protocol) echo request packet to a specified destination and waits for a
response from it. When a response is received from the remote host, the time required for the requested
packet to arrive at the destination is given. You can use an IP address or host name as the destination
address of the ping command.
The types of responses to the ping command are as follows.
Normal response
The network connection to the host is normal.
Destination does not respond
The host does not respond.
Unknown host
The host does not exist.
Destination unreachable
The destination network specified by the gateway cannot be reached.
Network or host unreachable
The host or network does not exist in the routing table.
To run the network connection test for a specific host, run the following commands in <User Mode> or
<Privileged Mode>.
Command
ping

Description
Perform a network connection test for a host using the following options.
Protocol
IP address version to be used for the connection test. ip : IPv4, ipv6 : IPv6, Default value: ipv4
Target IP address
IP address of the host for the connection test
Repeat count
Packet transmission count. Default value: 5 (times)
Datagram size
Packet size. Setting range: 1 ~ 18024, Default value: 100 (bytes)
Timeout in seconds
Response waiting time. Default value: 2 (sec)
Extended commands
Use of additional options. n: Not used, y: Used, Default value: n
Source address or interface
Source IP address or interface
Type of service
Type of service field value of the IP header. (Default value: 0)
Set DF bit in IP header
DF bit value setting of the IP header. n: Not used, y: Used (Default value: n)
Data pattern
Data pattern used for the packet payload. (Default value: 0xABCD)

Command
ping <WORD> [src <WORD>]

Description
Perform a network connection test for a host.
<WORD>
IP address or domain name of the host for the network connection test
src <WORD>
Source IP address or domain name

Configuration examples
The following is an example of a ping connection test.
# ping 125.7.199.131
Ping connection test for 125.7.199.131 (www.piolink.com)
PING 125.7.199.131 (125.7.199.131) 56(84) bytes of data.
64 bytes from 125.7.199.131: icmp_seq=1 ttl=107 time=72.0 ms
64 bytes from 125.7.199.131: icmp_seq=2 ttl=107 time=70.9 ms
64 bytes from 125.7.199.131: icmp_seq=3 ttl=107 time=79.3 ms
64 bytes from 125.7.199.131: icmp_seq=4 ttl=107 time=74.4 ms
64 bytes from 125.7.199.131: icmp_seq=5 ttl=107 time=74.5 ms
64 bytes from 125.7.199.131: icmp_seq=6 ttl=107 time=59.1 ms
64 bytes from 125.7.199.131: icmp_seq=7 ttl=107 time=45.8 ms
64 bytes from 125.7.199.131: icmp_seq=8 ttl=107 time=68.5 ms
Press Ctrl+C on the keyboard to stop the ping connection test.
--- 125.7.199.131 ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 7003ms
rtt min/avg/max/mdev = 45.820/68.103/79.367/10.061 ms


Packet Route Tracking


Packet route tracking traces the route taken by packets sent to a remote host. To trace the packet route, run the
traceroute command. Packet route tracking uses the TTL (Time To Live) field in the IP header: a packet with a
chosen TTL value is sent, and the routers and the server that receive the packet are made to send a return
message.
The detailed process of packet route tracking is described below. It begins when a datagram with the TTL
field set to 1 is sent to the destination host over UDP (User Datagram Protocol). A router drops the datagram if
the TTL of the received packet is 1 or 0 and sends a time-exceeded message over ICMP (Internet Control
Message Protocol) to the sender. The sender then reads the source address field of the time-exceeded
message and so learns the IP address of the first hop.
To identify the next hop, the sender sends the UDP packet again with the TTL value set to 2. The first router
subtracts 1 from the TTL value and forwards the data to the next router. Finding that the TTL value is 1, the
second router discards the data and sends a time-exceeded message to the sender. This process continues
until the TTL value becomes large enough for the datagram to reach the destination host or the TTL reaches
the maximum. When the packet arrives at the final destination, an echo response message is sent through the
ICMP protocol instead of the time-exceeded message.
To detect that the datagram has arrived at the destination host, the traceroute command sets the UDP
destination port to a large value that the destination host is not likely to use. When a datagram arrives for a
port that is not in use, the host sends an ICMP port unreachable error message to the sender. This message
tells the tracing host that the destination has been reached.
To trace the route of the packets sent to a remote host, run the following command in <Privileged Mode>.
Command
traceroute

Description
Trace the route of the packets sent to the host using the following options.
Protocol
IP address version to be used for route tracking. ip : IPv4, ipv6 : IPv6, Default value: ip
Target IP address
IP address of the host for tracing the route
Source address
Source IP address
Numeric Display
Whether or not to show only the IP addresses of the route in the traceroute result.
n: IP address only, y: Host name and IP address, Default value: n
Timeout in seconds
Response waiting time. Default value: 2 (sec)
Probe count
Number of packets to be sent for each hop of the route. Default value: 3
Maximum time to live
Maximum TTL value of the route tracking packet. Default value: 30
Port Number
Number of the UDP destination port to be used for route tracking. Default value: 33434

Command
traceroute <WORD>

Description
Trace the route of the packets sent to the host.
<WORD>
IP address or domain name of the host for route tracking.

Configuration examples
The following is an example of packet route tracking.
# traceroute 125.7.199.131
Route tracking for 125.7.199.131(www.piolink.com)
traceroute to 125.7.199.131 (125.7.199.131), 30 hops max, 46 byte packets
1 192.168.201.1 (192.168.201.1) 16.289 ms 2.006 ms 1.725 ms
2 192.168.200.252 (192.168.200.252) 2.124 ms 3.519 ms 3.919 ms
3 172.16.1.11 (172.16.1.11) 3.922 ms 3.514 ms 3.916 ms
4 * * *
5 125.7.199.131 (125.7.199.131) 4.011 ms 3.501 ms 3.930 ms
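The exchange described above, as an added example that is not part of the TiFRONT guide: a small Python model of the traceroute probes and ICMP replies over a constructed path (the first three router addresses and the destination are taken from the output above; the fourth router is constructed). It reproduces the output shape, including a hop that prints * * * because it drops TTL-expired probes without answering, and shows why the probe port must be one the destination does not use: when that UDP port is open, no port-unreachable message comes back and the trace runs on to the maximum TTL.

```python
from dataclasses import dataclass


@dataclass
class Router:
    ip: str
    answers: bool = True   # False: drops TTL-expired probes silently (printed as "*")


@dataclass
class Host:
    ip: str
    open_udp_ports: frozenset = frozenset()   # ports with a listening application


def send_probe(path, dest, ttl, port):
    """One UDP probe with the given TTL. Every router decrements the TTL; the router
    that sees it reach 0 answers with ICMP time-exceeded (if it answers at all).
    A probe that survives all routers reaches the host, which answers ICMP
    port-unreachable only when nothing listens on the probed UDP port."""
    for router in path:
        ttl -= 1
        if ttl == 0:
            return ("time-exceeded", router.ip) if router.answers else None
    if port in dest.open_udp_ports:
        return None          # consumed by an application; no ICMP error is generated
    return ("port-unreachable", dest.ip)


def traceroute(path, dest, max_ttl=30, probes=3, port=33434):
    """Return [(ttl, answering_ip_or_'*'), ...]; stops once the destination answers."""
    rows = []
    for ttl in range(1, max_ttl + 1):
        replies = [send_probe(path, dest, ttl, port) for _ in range(probes)]
        answered = [r for r in replies if r is not None]
        rows.append((ttl, answered[0][1] if answered else "*"))
        if any(kind == "port-unreachable" for kind, _ in answered):
            break
    return rows


def render(rows, probes=3):
    """Format rows the way the traceroute output above looks (without timings)."""
    return "\n".join(f"{ttl:2d}  {ip}" if ip != "*" else f"{ttl:2d}  " + " ".join("*" * probes)
                     for ttl, ip in rows)


# Constructed path: three answering routers, one silent router, then the destination,
# which has a DNS listener on UDP 53 but nothing on the default traceroute port.
PATH = [Router("192.168.201.1"), Router("192.168.200.252"),
        Router("172.16.1.11"), Router("198.51.100.4", answers=False)]
DEST = Host("125.7.199.131", frozenset({53}))

if __name__ == "__main__":
    print(render(traceroute(PATH, DEST)))
```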


PoE Setting
Overview
PoE (Power over Ethernet) is a technology for simultaneously sending data and power through Ethernet cables.
It is also called Active Ethernet. PoE can be useful for supplying power to VoIP phones, wireless LAN APs, PTZ
cameras, and small devices such as embedded computers.
Most of the small devices connected to a PoE device receive power from a USB or AC power supply. When
using the USB, it is impossible to supply stable power when a large amount of power is needed because the
USB can only supply a maximum of 2.5W. Furthermore, USB has four types of connectors, and to connect
multiple devices, you must prepare a different connector for each device. However, PoE can supply power
more stably because it can supply 25.5W (IEEE 802.3at), which is larger than the power supply of USB. It is
also convenient because it only uses one type of connector, RJ-45 for network connection.
When power is supplied through an AC power supply, the outlet, plug, and voltage can differ by country.
Furthermore, a separate power adapter is needed to connect an AC power supply, which is inconvenient. On
the other hand, PoE does not require a separate power adapter, so it is easier to supply power.
PoE also has other advantages. It can automatically stop supplying power in the event of an overload or
underload, and the security supervisor can remotely stop or resupply power through the network. Moreover,
it cuts costs due to the reduction of UPS (Uninterrupted Power Supply) and outlet connection devices. It is
also convenient to install various devices connected to the network because the installation space and time
are reduced.
Note: PoE is only supported on TiFRONT-F26P/F26P(D)/G24P/G24P(D)/G48P/G48P(D). Also, it is only supported with copper ports, and not for
fiber ports.

PoE Operation Method
PoE largely consists of PSE (Power Sourcing Equipment) and PD (Powered Device). PSE refers to all devices that
supply power such as switches, hubs, or separate power supplies. PD refers to every device that receives
power from the PSE such as VoIP phones, wireless LAN APs, PTZ cameras, and embedded computers.
TiFRONT determines how much power to supply by detecting the PD. First, when a PD is connected through a
cable, TiFRONT checks whether it supports PoE. This identification uses the resistance value of the PD. If the
device does not support PoE, power is blocked. If it does support PoE, the PD is classified according to the
power it requires for normal operation.
In the classification process, a voltage is applied to the PD, and the measured current is compared with the
current range of each class. PoE uses the limited power efficiently by supplying a different amount of power to
each class. The classification process varies by the power mode set for each port of TiFRONT. There are two
power modes: Normal and High-power. In Normal mode, power is supplied in accordance with the 802.3af
standard, and the PDs are classified into classes 0 to 4 depending on the measured current. If the PD is
classified as class 4, the power corresponding to class 0 (16.2W) is supplied. In High-power mode, if the PD
is classified as class 4, the power specified in the 802.3at standard (31.2W) is supplied, and for the other
classes the same power as in Normal mode is supplied.
Once the classification is completed, power is supplied depending on the operation mode of the PoE function
set in TiFRONT. The operation mode of the PoE function determines how the total power consumption is
added up and the power supply sequence of the ports. The amount of power that can be supplied by the
PoE function of TiFRONT is limited. Therefore, when a power shortage is expected because many PDs are
connected, the operation mode should be set to take priority into account, and the power supply priorities
should be adjusted so that power is supplied to the devices that need it most.
The maximum power supplied for each class is shown below.
Class   Maximum Power (W)
0       16.2
1       4.2
2       7.4
3       16.2
4       16.2 (Normal mode)
        31.2 (High-power mode)

Note: The PoE function of TiFRONT provides power that is greater than the value stated in the product specification (IEEE 802.3af: 15.4W, IEEE
802.3at: 25.5W), considering the power loss in the cables.

PoE Setting
Operation Mode Setting
When using the PoE function of TiFRONT, you must set the operation mode so as to determine how to supply
power to each port. The power that can be provided by PoE cannot exceed the power budget. The current
available power can be determined by subtracting the total power consumption, which is the sum of power
consumption at each port, from the total power supply. If the total power consumption exceeds the total
power supply, the power of the port with a lower priority is blocked. By setting the operation mode, you can
select the calculation method for the total power consumption and the order that power will be supplied to
each port. You can set the operation mode by using the following command in <Configuration Mode>.
Command
poe pm-mode {dynamic | dynamicp | none | static | staticp}

Description
Set the operation mode of the PoE function.
dynamic: The actual power consumption at each port is added up to calculate the total power consumption,
and the power supply order is determined by the order of port number.
dynamicp: The actual power consumption at each port is added up to calculate the total power consumption,
and the power supply order is determined by the power supply priority set for each port.
none: No power is supplied to any port.
static: The maximum power required by the class of the device connected to each port is added up to
calculate the total power consumption, and the power supply order is determined by the order of port number.
staticp: The maximum power required by the class of the device connected to each port is added up to
calculate the total power consumption, and the power supply order is determined by the predefined power
supply priority.

Note: The maximum power of each port varies by the class of the PD connected to the port.


Note: When the priorities of each port are identical, the priority is determined by the order of port number. A lower port number has a higher
priority. In other words, ge1 port has a higher priority than ge2 port.
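To make the five operation modes concrete, the following Python is an added example, not code from the TiFRONT guide or from PIOLINK. It models the budget check described above with the per-class maximum powers from the table, ordering ports by number or by priority (lower port number first on ties) and charging either measured or class-maximum power. The port set and the 40 W budget are constructed; the assumption that a port which would exceed the budget, and every port after it in the supply order, is left unpowered is the example's own reading of "the power of the port with a lower priority is blocked".

```python
import re
from dataclasses import dataclass

# Maximum power per class from the table above; a class 4 PD gets 31.2 W only on a
# port in high-power mode (802.3at), 16.2 W in normal mode (802.3af).
CLASS_POWER_W = {0: 16.2, 1: 4.2, 2: 7.4, 3: 16.2, 4: 16.2}
CLASS4_HIGH_POWER_W = 31.2
PRIORITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class PoePort:
    name: str                   # e.g. "ge1"; the number breaks priority ties
    pd_class: int               # classification result for the connected PD
    actual_w: float             # measured consumption of the PD
    priority: str = "low"       # poe port-priority (default low)
    power_mode: str = "normal"  # poe power-mode: "normal" or "high-power"

    def class_max_w(self) -> float:
        if self.pd_class == 4 and self.power_mode == "high-power":
            return CLASS4_HIGH_POWER_W
        return CLASS_POWER_W[self.pd_class]

    def number(self) -> int:
        return int(re.sub(r"\D", "", self.name))


def allocate(ports, pm_mode: str, budget_w: float):
    """Return (names of powered ports in supply order, total power accounted for).

    dynamic/dynamicp charge the measured consumption; static/staticp charge the class
    maximum. The *p modes order by priority (critical > high > medium > low), lower
    port number first on ties; the others order by port number. Modelling assumption:
    the first port that would push the total past the budget, and all ports after it
    in the order, are left unpowered."""
    if pm_mode == "none":
        return [], 0.0
    cost = (lambda p: p.actual_w) if pm_mode.startswith("dynamic") else (lambda p: p.class_max_w())
    if pm_mode.endswith("p"):
        order = sorted(ports, key=lambda p: (PRIORITY_RANK[p.priority], p.number()))
    else:
        order = sorted(ports, key=lambda p: p.number())
    powered, total = [], 0.0
    for p in order:
        if total + cost(p) > budget_w:
            break
        powered.append(p.name)
        total += cost(p)
    return powered, round(total, 1)


# Constructed port set and a deliberately small budget so that the modes differ.
PORTS = [
    PoePort("ge1", pd_class=4, actual_w=5.8, priority="medium"),
    PoePort("ge2", pd_class=4, actual_w=5.9, priority="high", power_mode="high-power"),
    PoePort("ge3", pd_class=1, actual_w=3.0, priority="critical"),
    PoePort("ge4", pd_class=3, actual_w=12.0, priority="low"),
]
BUDGET_W = 40.0

if __name__ == "__main__":
    for mode in ("dynamic", "dynamicp", "static", "staticp", "none"):
        print(f"{mode:9s}", allocate(PORTS, mode, BUDGET_W))
```

Static accounting reserves the full class power, so the same four PDs that all fit under dynamic accounting leave ge2 (31.2 W reserved) unpowered in static mode, and only the priority variant gets the critical and high ports powered first.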

Note: The TiFRONT-F26P may not support the Operation Mode Setting depending on the hardware configuration. For detailed information on the
operation mode setting, please contact the product seller or PIOLINK Technical Assistance Team (TAC: +82-1544-9890).

Caution: If you use dual power for TiFRONT-F26P(D)/G24P(D)/G48P(D), you should not turn off one of the two power supplies while using the
device. If you do this, the services may not be provided normally.

Power Mode Setting


For the PoE function of TiFRONT, you can set the power mode to change the maximum power that can be
supplied to each port. To set the power mode, run the following command in <Interface Configuration
Mode> of the port.
Command
poe power-mode {high-power | normal}

Description
Set the power mode.
high-power: Power is supplied according to the class specified in the IEEE 802.3at standard.
normal: Power is supplied according to the class specified in the IEEE 802.3af standard. (Default)

Note: The TiFRONT-F26P may not support the Operation Mode Setting depending on the hardware configuration. For detailed information on the
operation mode setting, please contact the product seller or PIOLINK Technical Assistance Team (TAC: +82-1544-9890).

Note: If the port of Dual Power product is set to normal mode (IEEE 802.3af), you can use the PoE function for every port (TiFRONT-F26P(D):
ge1~ge2/fe1~fe24, TiFRONT-G24P(D): ge1~ge24, TiFRONT-G48P(D): ge1~ge48).

Maximum Power Supply Setting


For the PoE function of TiFRONT, you can limit the maximum power depending on the class of the PD
connected to the port. To limit the maximum power supply, run the following command in <Interface
Configuration Mode> of the port.
Command
poe power-threshold {class | none}

Description
Limit the maximum power supplied from the port.
class: Power is supplied based on the class of the PD, so that it does not exceed the class specification. The
power supply is interrupted if the power used by the PD exceeds the class power.
none: Power is supplied up to the maximum power specified in the IEEE 802.3af and IEEE 802.3at standards.
(Default)

Power Supply Priority Setting


You can set the power supply priority for each port with the PoE function of TiFRONT. If the power required by
the PDs connected to TiFRONT exceeds the power TiFRONT can supply, the power supply to ports with a low
priority can be blocked so that power to a device with a high priority is not cut off.
To set the power supply priority, run the following command in <Interface Configuration Mode> of the port.
Command
poe port-priority {critical | high | medium | low}

Description
Set the priority for supplying power to the port. The order of priorities is critical > high > medium > low.
(Default value: low)

Note: When you connect a new PD to TiFRONT that is using maximum power, the power to the port with the lowest priority is blocked. If the port
to which the new PD was connected has the lowest priority, no power is supplied to the PD.

Power Supply Time Setting


You can set the power supply time by port with the PoE function of TiFRONT. To set the power supply time,
run the following command in <Interface Configuration Mode> of the port.
Command
poe timer add <STIME> <ETIME>

Description
Set the power supply time.
<STIME>
Set the power supply start time as HH:MM. Setting range: HH 0 ~ 23, MM 0 ~ 59
<ETIME>
Set the power supply ending time as HH:MM. Setting range: HH 0 ~ 23, MM 0 ~ 59

Note: The power supply start time and ending time work once a day. For example, if the start time is 18:00 and the ending time is 09:00, power
supply begins at 6 pm and ends at 9 am the next morning.

Note: To delete the power supply time setting, run the command poe timer del in <Interface Configuration Mode>.

Enabling PoE
To enable the PoE function, run the following command in <Interface Configuration Mode> of the port.
Command
poe enable

Description
Enable the PoE function of a port. (Default value: disable)

Caution: If a PD that supports IEEE 802.3at is connected to a port set to normal mode, the PoE function may not work normally. Therefore, you
must enable PoE after checking the power mode setting.
Note: To disable the PoE function, run the command no poe in <Interface Configuration Mode> of the port. Disabling PoE resets all the existing
settings. If the status of PoE is Fault, you must disable PoE by running the command no poe and then reset it.

Checking the Settings


To check the PoE settings, run the command show poe-info [<IF-NAME>] in <User Mode>, <Privileged
Mode>, or <Configuration Mode>.

Configuration examples
In the following example, PoE is set for the ge1 and ge2 ports.
(config)# poe pm-mode dynamic
Set the Operation Mode to dynamic
(config)# interface ge1
Enter the <Interface Configuration Mode> of ge1 port.
(config-if-ge1)# poe power-mode normal
Set Power Mode to normal
(config-if-ge1)# poe port-priority medium
Set Power Supply Priority to medium
(config-if-ge1)# poe enable
Enable the PoE function of the ge1 port.
(config-if-ge1)# exit
(config)# interface ge2
Enter the <Interface Configuration Mode> of ge2 port.
(config-if-ge2)# poe power-mode high-power
Set Power Mode to high-power
(config-if-ge2)# poe port-priority high
Set Power Supply Priority to high
(config-if-ge2)# poe enable
Enable the PoE function of the ge2 port.
(config-if-ge2)# exit
(config)# show poe-info
Show the PoE settings.
----------------------------------------------
Port  | Oper | Status  | Priori | Class | Power
------+------+---------+--------+-------+------
ge1   | On   | Enable  | Medium |   4   | 5.8
ge2   | On   | Enable  | High   |   4   | 5.9
ge3   | Off  | Disable | Low    |  N/A  | 0.0
ge4   | Off  | Disable | Low    |  N/A  | 0.0
ge5   | Off  | Disable | Low    |  N/A  | 0.0
ge6   | Off  | Disable | Low    |  N/A  | 0.0
ge7   | Off  | Disable | Low    |  N/A  | 0.0
ge8   | Off  | Disable | Low    |  N/A  | 0.0
ge9   | Off  | Disable | Low    |  N/A  | 0.0
ge10  | Off  | Disable | Low    |  N/A  | 0.0
ge11  | Off  | Disable | Low    |  N/A  | 0.0
ge12  | Off  | Disable | Low    |  N/A  | 0.0
ge13  | Off  | Disable | Low    |  N/A  | 0.0
ge14  | Off  | Disable | Low    |  N/A  | 0.0
ge15  | Off  | Disable | Low    |  N/A  | 0.0
ge16  | Off  | Disable | Low    |  N/A  | 0.0
ge17  | Off  | Disable | Low    |  N/A  | 0.0
ge18  | Off  | Disable | Low    |  N/A  | 0.0
ge19  | Off  | Disable | Low    |  N/A  | 0.0
ge20  | Off  | Disable | Low    |  N/A  | 0.0
ge21  | Off  | Disable | Low    |  N/A  | 0.0
ge22  | Off  | Disable | Low    |  N/A  | 0.0
ge23  | Off  | Disable | Low    |  N/A  | 0.0
ge24  | Off  | Disable | Low    |  N/A  | 0.0
----------------------------------------------
Total Power Consumption : 10.7 W
(config)# show poe-info ge1
===========================================================
Interface Dependency Information
-----------------------------------------------------------
Interface Name : ge1
Interface name
Operation : On
Enabled state of PoE
Port Status : Enable
Power supply status
Priority : Medium
Power supply priority
Classification : 4
Class information
Voltage : 47.1 V
Present voltage
Current : 123 mA
Present current
Temperature : 32 C
PoE chip temperature
Power Consumption : 5.8 W
Current power consumption
Power Mode : Normal (802.3af)
Power mode
Power Threshold Type : None
Power threshold type
===========================================================
PoE Common Information
-----------------------------------------------------------
Power Management Mode : Dynamic Mode without priority
Management mode
Total Power Consumption : 11.3 W
Total power consumption (sum of the power supplied to each port)
Power Budget : 200.0 W
Total power that can be supplied by PoE


Packet Monitoring
Packet monitoring captures the packets with particular source/destination IP addresses and MAC addresses
that TiFRONT itself sends and receives through the STP, LLDP, IGMP Snooping, DHCP, and SNMP functions.
This function can be used as an analysis tool for finding the cause of trouble that occurs during operation.
To perform packet monitoring, run the following command in <User Mode> or <Privileged Mode>.
Command
tcpdump interface <IFNAME> [capture <1-60000>]

Description
Monitor the packets that are sent and received through a specific interface.
<IFNAME>
Set the interface for monitoring packets.

You can use the following options to monitor specific packets by the conditions of protocol, source/destination
MAC addresses, source/destination IP addresses, source/destination ports, etc.
tcpdump interface <IFNAME> arp [capture <1-60000>]
Monitor ARP packets.
tcpdump interface <IFNAME> bpdu [capture <1-60000>]
Monitor BPDU packets.
tcpdump interface <IFNAME> ether {broadcast | dst <HHHH.HHHH.HHHH> | multicast | src <HHHH.HHHH.HHHH>} [capture <1-60000>]
Monitor packets by the Ethernet frame type.
broadcast: Broadcast packets are monitored.
dst <HHHH.HHHH.HHHH>: Packets are monitored by the destination MAC address.
multicast: Multicast packets are monitored.
src <HHHH.HHHH.HHHH>: Packets are monitored by the source MAC address.
tcpdump interface <IFNAME> icmp [capture <1-60000>]
Monitor ICMP packets.
tcpdump interface <IFNAME> igmp [capture <1-60000>]
Monitor IGMP packets.
tcpdump interface <IFNAME> ip [capture <1-60000>]
tcpdump interface <IFNAME> ip {host <A.B.C.D> | net <A.B.C.D/M>} [capture <1-60000>]
tcpdump interface <IFNAME> ip {dst | src} {host <A.B.C.D> | net <A.B.C.D/M>} [capture <1-60000>]
Monitor IP packets.
host <A.B.C.D>: Packets are monitored by the IP address.
net <A.B.C.D/M>: Packets are monitored by the IP range.
tcpdump interface <IFNAME> pim [capture <1-60000>]
Monitor PIM (Protocol Independent Multicast) packets.
tcpdump interface <IFNAME> rarp [capture <1-60000>]
Monitor RARP (Reverse Address Resolution Protocol) packets.
tcpdump interface <IFNAME> tcp [capture <1-60000>]
tcpdump interface <IFNAME> tcp port <1-65535> [capture <1-60000>]
tcpdump interface <IFNAME> tcp {dst | src} port <1-65535> [capture <1-60000>]
Monitor TCP packets.
port <1-65535>: Packets are monitored by the port number.
tcpdump interface <IFNAME> udp [capture <1-60000>]
tcpdump interface <IFNAME> udp port <1-65535> [capture <1-60000>]
tcpdump interface <IFNAME> udp {dst | src} port <1-65535> [capture <1-60000>]
Monitor UDP packets.
port <1-65535>: Packets are monitored by the port number.
tcpdump capture-monitor [detail]
The packets that have been captured most recently are shown. The detail option additionally shows the
source/destination MAC addresses, ether type, and packet length.

Caution: When you specify the packets to be monitored/captured using the options excluding bpdu, you can only set a VLAN interface in
<IFNAME>.
Note: If you use the capture <1-60000> option, packets of the specified number are captured. You can see the captured packets by using the
command tcpdump capture-monitor [detail].

Note: TiFRONT saves only the packets captured recently. When new packets are captured, the packets captured before will be deleted.

Configuration examples
The following is an example of packet monitoring.
# tcpdump interface vlan2 tcp
Run TCP packet monitoring of the vlan2 interface
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan13, link-type EN10MB (Ethernet), capture size 96 bytes
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3755 > 133.115.188.103.445: S 1554706813:1554706813(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3710 > 210.111.198.110.445: S 3346811276:3346811276(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3715 > 195.93.83.111.445: S 2154567122:2154567122(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3707 > 62.30.62.27.445: S 1788392792:1788392792(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3708 > 52.83.156.84.445: S 1693753009:1693753009(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3713 > 120.74.76.105.445: S 677509890:677509890(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3712 > 117.19.182.33.445: S 2410200967:2410200967(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3714 > 100.32.135.78.445: S 2784612476:2784612476(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3766 > 80.46.52.11.445: S 1040422993:1040422993(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3767 > 149.84.141.125.445: S 3942230861:3942230861(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3768 > 71.77.205.108.445: S 2114061504:2114061504(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3769 > 165.92.129.70.445: S 996931326:996931326(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3770 > 53.116.249.47.445: S 2312396708:2312396708(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3771 > 33.105.207.25.445: S 3105073640:3105073640(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3772 > 97.68.27.19.445: S 1430269303:1430269303(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3706 > 188.90.33.73.445: S 3765558397:3765558397(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3709 > 107.93.222.83.445: S 2742585982:2742585982(0) win 65535 <mss 1460,nop,nop,sackOK>
00:15:17:ed:47:d1 > 00:06:c4:76:03:23, ethertype IPv4 (0x0800), length 66: 100.1.3.71.3711 > 105.119.245.30.445: S 225111700:225111700(0) win 65535 <mss 1460,nop,nop,sackOK>
Press Ctrl+C on the keyboard to stop the packet monitoring.
18 packets captured
36 packets received by filter
0 packets dropped by kernel

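The capture above shows one host opening connections to port 445 on many different hosts in quick succession, which is exactly the kind of pattern a review of the captured packets is meant to surface. The following Python is an added example, not code from the TiFRONT guide or from PIOLINK: it parses lines in the tcpdump output format shown above and flags any source that sends bare SYNs to many distinct hosts on one destination port. The sample lines are constructed with documentation addresses, and the threshold of five hosts is an example value.

```python
import re
from collections import defaultdict

# One tcpdump line in the format shown above: MACs, ethertype, length, then
# "src.port > dst.port: FLAGS ...". The flag field is "S" for a SYN, "S." for SYN-ACK.
LINE_RE = re.compile(
    r"^(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 \(0x0800\), "
    r"length (?P<length>\d+): (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPAUW.]+) "
)


def parse_line(line: str):
    """Return the packet fields as a dict, or None for lines that are not packets."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("length", "sport", "dport"):
        pkt[key] = int(pkt[key])
    return pkt


def find_scanners(lines, min_targets: int = 5):
    """Group bare SYNs by (source IP, destination port) and return (src, dport, n_hosts)
    for every source that tried at least min_targets distinct destination hosts.
    SYN-ACKs ("S.") are replies and are not counted."""
    targets = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if pkt and pkt["flags"] == "S":
            targets[(pkt["src"], pkt["dport"])].add(pkt["dst"])
    return sorted((src, port, len(hosts))
                  for (src, port), hosts in targets.items() if len(hosts) >= min_targets)


# Constructed sample in the output format above (RFC 5737 documentation addresses):
# six SYNs from one host to six different hosts on port 445, one SYN-ACK coming back,
# and one unrelated single connection attempt to a web server.
_SYN_FMT = ("02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 66: "
            "198.51.100.71.{sport} > 203.0.113.{host}.445: S {seq}:{seq}(0) win 65535 "
            "<mss 1460,nop,nop,sackOK>")
SAMPLE_LINES = [_SYN_FMT.format(sport=3700 + i, host=10 + i, seq=1000 * i + 1) for i in range(6)] + [
    "02:00:00:00:00:02 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 66: "
    "203.0.113.10.445 > 198.51.100.71.3700: S. 4000:4000(0) ack 2 win 5840 <mss 1460>",
    "02:00:00:00:00:03 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 62: "
    "198.51.100.20.51000 > 203.0.113.80.80: S 10:10(0) win 8192 <mss 1460>",
]

if __name__ == "__main__":
    for src, port, n in find_scanners(SAMPLE_LINES):
        print(f"{src} sent SYNs to {n} distinct hosts on port {port}")
```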
sFlow Setting
sFlow is a real-time packet sampling function that monitors network traffic and is defined in RFC 3176.
sFlow consists of an sFlow Agent that sends sampled packets and an sFlow Collector that collects and shows
sampled data. TiFRONT plays the role of sFlow Agent and provides the following two kinds of information.
sFlow flow sampling
Packets received through a specific interface are sampled by the flow (source/destination IP addresses, TCP, UDP).
sFlow counter sampling
Statistics of the packets received through a specific interface. (sent every 30 seconds)
Note: The sFlow Collector must be configured separately from TiFRONT. You can download it for free from the InMon Corporation website
(http://www.inmon.com/products/sFlowTrend.php).

sFlow Settings
sFlow Collector Setting
You can set the sFlow Collector by using the following command in <Configuration Mode>.
Command
sflow collector <A.B.C.D> [<0-65535>]

Description
Set sFlow Collector.
<A.B.C.D>
IP address of sFlow Collector
<0-65535>
Port number of sFlow Collector. Setting range: 0 ~ 65535. (Default value: 6343)

Note: To delete sFlow Collector, run the command no sflow collector in <Configuration Mode>.

sFlow Sampling Rate Setting


To send information through sFlow, you must set the sampling rate for each port. You can set the sFlow
sampling rate for a port by running the following command in <Interface Configuration Mode>.
Command

Description
Set the sFlow sampling rate of a port.

sflow sampling-rate <256-1677216>

<256-1677216>
Sampling rate. Setting range: 256 ~ 1677216.

Note: To delete the sFlow sampling rate for a port, run the command no sflow in <Interface Configuration Mode>. If you delete the sFlow
sampling rate, the sFlow information for the port will not be transmitted.

Checking the Settings


To check the sFlow settings, run the command show sflow in <User Mode> or <Privileged Mode>.


Configuration examples
In the following example, the sFlow Collector is specified and the sFlow sample rates are set for ge1 and ge2
ports.

(config)# sflow collector 192.168.200.10
Specify sFlow Collector.
(config)# interface range ge1-2
Enter the <Interface Configuration Mode> of ge1 and ge2 ports
(config-if-range)# sflow sampling-rate 1000
Set the sFlow sampling rate to 1000
(config-if-range)# exit
(config)# exit
# show sflow
Show the sFlow settings.
===============================
COLLECTOR IP : 192.168.200.10
COLLECTOR PORT : 6343
===============================
PORT | SAMPLING_RATE
------+-----------------------ge1 |
1000
ge2 |
1000
ge3 |
DISABLED
ge4 |
DISABLED
ge5 |
DISABLED
ge6 |
DISABLED
ge7 |
DISABLED
ge8 |
DISABLED
ge9 |
DISABLED
ge10 |
DISABLED
ge11 |
DISABLED
ge12 |
DISABLED
ge13 |
DISABLED
ge14 |
DISABLED
ge15 |
DISABLED
ge16 |
DISABLED
ge17 |
DISABLED
ge18 |
DISABLED
ge19 |
DISABLED
ge20 |
DISABLED
ge21 |
DISABLED
ge22 |
DISABLED
ge23 |
DISABLED
ge24 |
DISABLED
===============================
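The Collector side of the configuration above is where a practitioner verifies that samples actually arrive from the right switch at the configured rate. The following Python script is an added example, not PLOS or TiManager code: it decodes the standard sFlow v5 datagram header and flow-sample headers (the page does not state which sFlow version TiFRONT exports, so v5 is an assumption), then checks the agent address and the sampling rate. The agent address 192.168.200.20, the interface indexes 1 and 2 for ge1/ge2, and the datagram bytes are constructed for the example rather than captured from UDP port 6343.

```python
"""Collector-side check for the sFlow export configured above.
Added example, not PLOS or TiManager code.  It assumes the switch exports
standard sFlow v5 datagrams (the page does not name the version), that the
agent address is the switch's own IP (192.168.200.20 is assumed), and it
builds the datagram below by hand instead of reading UDP port 6343."""
import socket
import struct

SFLOW_VERSION = 5
FLOW_SAMPLE = 1                  # enterprise 0, format 1 = flow sample


def parse_sflow_datagram(data: bytes) -> dict:
    """Decode the v5 datagram header and the header of every flow sample.

    Counter samples and vendor-specific formats are skipped.  Raises
    ValueError for anything that is not a well-formed v5 datagram.
    """
    if len(data) < 8:
        raise ValueError("datagram too short")
    version, addr_type = struct.unpack_from(">II", data, 0)
    if version != SFLOW_VERSION:
        raise ValueError(f"unsupported sFlow version {version}")
    addr_len = {1: 4, 2: 16}.get(addr_type)          # 1 = IPv4 agent, 2 = IPv6 agent
    if addr_len is None:
        raise ValueError(f"unknown agent address type {addr_type}")
    if len(data) < 8 + addr_len + 16:
        raise ValueError("datagram too short")
    family = socket.AF_INET if addr_len == 4 else socket.AF_INET6
    agent = socket.inet_ntop(family, data[8:8 + addr_len])
    off = 8 + addr_len
    sub_agent, sequence, uptime_ms, n_samples = struct.unpack_from(">IIII", data, off)
    off += 16

    samples = []
    for _ in range(n_samples):
        if len(data) < off + 8:
            raise ValueError("truncated sample header")
        fmt, length = struct.unpack_from(">II", data, off)
        off += 8
        body = data[off:off + length]
        if len(body) != length:
            raise ValueError("truncated sample body")
        if (fmt >> 12) == 0 and (fmt & 0xFFF) == FLOW_SAMPLE and length >= 32:
            _seq, source_id, rate, pool, drops, _in, _out, _n = struct.unpack_from(">IIIIIIII", body, 0)
            samples.append({"source_index": source_id & 0xFFFFFF,   # low 24 bits = ifIndex
                            "sampling_rate": rate, "sample_pool": pool, "drops": drops})
        off += length
    return {"agent": agent, "sub_agent": sub_agent, "sequence": sequence,
            "uptime_ms": uptime_ms, "samples": samples}


def check_datagram(data: bytes, expected_agent: str, expected_rate: int) -> list:
    """List what a collector should complain about; an empty list means all good."""
    try:
        dg = parse_sflow_datagram(data)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    problems = []
    if dg["agent"] != expected_agent:
        problems.append(f"unexpected agent {dg['agent']}")   # spoofed or misconfigured source
    for s in dg["samples"]:
        if s["sampling_rate"] != expected_rate:
            problems.append(f"port index {s['source_index']}: rate {s['sampling_rate']}")
        if s["drops"]:
            problems.append(f"port index {s['source_index']}: {s['drops']} drops")
    return problems


def build_flow_sample(if_index: int, rate: int, pool: int, drops: int = 0) -> bytes:
    """Encode one flow sample with no flow records (enough for the header check)."""
    body = struct.pack(">IIIIIIII", 1, if_index, rate, pool, drops, if_index, 0, 0)
    return struct.pack(">II", FLOW_SAMPLE, len(body)) + body


def build_datagram(agent: str, samples: list, sequence: int = 1) -> bytes:
    head = struct.pack(">II", SFLOW_VERSION, 1) + socket.inet_aton(agent)
    return head + struct.pack(">IIII", 0, sequence, 123456, len(samples)) + b"".join(samples)


# Constructed datagram: ge1/ge2 (ifIndex 1 and 2 assumed) sampling at 1-in-1000.
SAMPLE_DATAGRAM = build_datagram("192.168.200.20", [build_flow_sample(1, 1000, 5000),
                                                    build_flow_sample(2, 1000, 7000, drops=3)])

if __name__ == "__main__":
    print(check_datagram(SAMPLE_DATAGRAM, "192.168.200.20", 1000))
```

The agent-address check matters because nothing in sFlow authenticates the sender: a datagram from any host on the path can be injected into the Collector. The drops counter is the switch telling you it could not sample at the configured rate; a rate of 1000 on a busy port that still reports drops is the signal to raise the rate rather than to trust the numbers.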


Chapter 4
System Management
This chapter explains the procedures for configuring essential management functions of the TiFRONT system.
This chapter is composed of the following contents:
System Verification
Port Monitoring
Basic System Management
Configuration Files
PLOS
User Account
User Account Authentication
Log Management
Self Loop Detection
LLDP Configuration
Stacking Configuration


System Verification
System Information Display
You can check the basic system information including device name, serial number, MAC address, software
version, as well as the CPU processing speed and memory capacity.
To check the basic system information, run the following command in <User Mode>, <Privileged Mode>, or
<Configuration Mode>.
Command: show system
Description: Check the basic system information.

PLOS Version Display


To check the PLOS version of TiFRONT, run the following command in <User Mode>, <Privileged Mode>, or
<Configuration Mode>.
Command: show version
Description: Check the PLOS version.

System Resource Status Display


To check the current status of the CPU and memory, run the following command in <User Mode>,
<Privileged Mode>, or <Configuration Mode>.
Command: show resource
Description: Check the current status of the CPU and memory.

Hardware Status Display


To check the current temperature, fan operation status, and power supply status of the system, run the
following command in <User Mode>, <Privileged Mode>, or <Configuration Mode>.
Command: show hardware-status
Description: Check the system hardware status information.

Configuration examples
The following examples sequentially show the system information, PLOS version, system resource status, and
hardware status.

> show system                              System information display
--------------------------------------------
system information
--------------------------------------------
Product Name     : TiFRONT V1.0 G24
Serial number    : R210T7200A02102
BL version       : boot-g24-v1.5
OS version       : PLOS-LS-V1.0.25
CPU clock        : 600Mhz
Number of core   : 2
Memory size      : 512MB
Mgmt MAC address : 00:06:c4:72:02:02
--------------------------------------------
> show version                             PLOS version display
PLOS-LS-V1.0.25
> show resource                            System resource status display
--------------------------------------------
CPU Usage    : 2 %
Total Memory : 497484 KB
Used Memory  : 144136 KB
Free Memory  : 353348 KB
Memory Usage : 28.97 %
--------------------------------------------
> show hardware-status                     Hardware status display
--------------------------------------------
Hardware status
--------------------------------------------
Temperature 42
--------------------------------------------
Fan 1 Status OK
Fan 2 Status OK
Fan 3 Status OK
--------------------------------------------
DC 1 [12 V] Status OK
DC 2 [12 V] Status OK
--------------------------------------------


Port Monitoring
TiFRONT provides a port monitoring function for displaying real-time traffic information of the ports. To
display the port monitoring information, run the command show port-monitoring in <User Mode>,

<Privileged Mode>, or <Configuration Mode>. With this command, you can check the traffic that has been
sent and received per second by each port.
The following example shows the output when you run the command show port-monitoring.
> show port-monitoring
Port Monitoring Table
---------------------------------------------------------------
Port  | RxRate(pps) | RxRate(bps) | TxRate(pps) | TxRate(bps)
------+-------------+-------------+-------------+-------------
ge1   |           3 |        2024 |           0 |           0
ge2   |           3 |        2024 |           0 |         616
ge3   |           4 |        2648 |           0 |           0
ge4   |           3 |        2024 |           5 |        3744
ge5   |           0 |           0 |           0 |           0
ge6   |           0 |           0 |           0 |           0
ge7   |           0 |           0 |           0 |           0
ge8   |           0 |           0 |           0 |           0
ge9   |           0 |           0 |           0 |           0
ge10  |           0 |           0 |           0 |           0
ge11  |          12 |        7408 |          20 |       10800
ge12  |           0 |           0 |           0 |           0
ge13  |           0 |           0 |           0 |           0
ge14  |           0 |           0 |           0 |           0
ge15  |           0 |           0 |           0 |           0
ge16  |           0 |           0 |           0 |           0
ge17  |           0 |           0 |           0 |           0
ge18  |           0 |           0 |           0 |           0
ge19  |           0 |           0 |           0 |           0
ge20  |           0 |           0 |           0 |           0
ge21  |           0 |           0 |           0 |           0
ge22  |           0 |           0 |           0 |           0
ge23  |           0 |           0 |           0 |           0
ge24  |           0 |           0 |           0 |           0
---------------------------------------------------------------

Each item displayed by the show port-monitoring command shows the following information.

Item          Description
Port          Port number
RxRate(pps)   Number of packets received per second by the port
RxRate(bps)   Number of bits received per second by the port
TxRate(pps)   Number of packets sent per second by the port
TxRate(bps)   Number of bits sent per second by the port


Basic System Management


System Name Setting
You can differentiate devices on a network by the name of TiFRONT. The TiFRONT name is shown at the head
of the CLI prompt. The default name of TiFRONT is 'TiFRONT'.
To change the TiFRONT name, run the following command in <Configuration Mode>.

Command: hostname <WORD>
Description: Change the TiFRONT name.
  <WORD>   A string of up to 30 characters consisting of letters and numbers. The first character must be a letter.

Note: After changing the system name, you must run the command write memory in <Privileged Mode> so that the change will be maintained
even after rebooting.

Console Connection Timeout Setting

For efficient use of the session resources in TiFRONT, you can set the connection timeout. If there is no
action in the connected session for the set time, TiFRONT terminates the session connection. To change the
console connection timeout, run the following commands in <Configuration Mode>.

No. 1  Command: line console <0-0>
       Description: Enter the <Config-line Configuration Mode>.
         <0-0>   Setting range: 0
No. 2  Command: exec-timeout <0-35791> [<0-2147483>]
       Description: Change the console connection timeout setting.
         <0-35791>     Setting range: 0 ~ 35791 (min). (Default value: 10 min)
         <0-2147483>   Setting range: 0 ~ 2147483 (sec). (Default value: 0 sec)

Terminal Session Count/Connection Timeout Settings

You can set the session count as well as connection timeout for terminal sessions such as SSH and Telnet. To
change the terminal session count and connection timeout settings, run the following commands in
<Configuration Mode>.

No. 1  Command: line vty <0-9> [<0-9>]
       Description: Set the terminal session count and enter the <Config-line Configuration Mode>.
         <0-9>   Start value of the session count range. (Setting range: 0 ~ 9)
         <0-9>   Last value of the session count range. (Setting range: 0 ~ 9)
       Note: For terminal sessions, five sessions from the index 0 to 4 are set by default.
No. 2  Command: exec-timeout <0-35791> [<0-2147483>]
       Description: Change the terminal connection timeout setting.
         <0-35791>     Setting range: 0 ~ 35791 (min). (Default value: 10 min)
         <0-2147483>   Setting range: 0 ~ 2147483 (sec)

Note: To delete the terminal sessions that have been set, run the command no line vty <1-9> [<1-9>]; however, you may not delete session
no. 0 which is the default value.

Note: If you don't want to set connection timeout, set the exec-timeout value to 0. An idle session then stays open until it is closed explicitly, so use this only for a console that is physically protected, not for SSH or Telnet sessions.

Checking Console & Terminal Session Count/Connection Timeout Settings

To check the console connection timeout, terminal session count and connection timeout settings, run the
command show exec-timeout in <User Mode>, <Privileged Mode>, <Configuration Mode>, or <Config-line Configuration Mode>.

Terminal Port Setting

When you boot TiFRONT, SSH and Telnet services are enabled to allow administrators to configure devices
through the CLI. By default, SSH uses the TCP port no.22 and Telnet uses the TCP port no.23, and you can
change them as needed. To change the SSH and Telnet service ports, run the following commands in
<Configuration Mode>.

Command: service-port ssh {<0-65535> | default}
Description: Change the SSH service port.
  <0-65535>   Setting range: 0 ~ 65535. (Default value: 22)
  default     Change the SSH service port to the default (22).
Command: service-port telnet {<0-65535> | default}
Description: Change the Telnet service port.
  <0-65535>   Setting range: 0 ~ 65535. (Default value: 23)
  default     Change the Telnet service port to the default (23).

Note: SSH and Telnet services cannot use the same port.

Note: When you change the SSH or Telnet service port, the current session is maintained as it is, and you can login to the changed port from the
next time.

Note: Telnet sends the login ID, the password and every command in cleartext, and moving the service to a non-default port does not change this. Use SSH for administration wherever possible and restrict which hosts may reach either port.

Terminal Type Setting

You can set the terminal type of the SSH and Telnet services in TiFRONT. The terminal type setting applies to
both SSH and Telnet services, and there is no default terminal type. To set the terminal type, run the
following command in <Configuration Mode>.

Command: terminal-type {ansi | linux | vt100 | vt102}
Description: Set the terminal type of SSH and Telnet services.

Note: If the terminal type is not set, SSH operates according to the terminal program of the client and Telnet operates in vt102.

Note: To delete the terminal type setting, run the command no terminal-type in <Configuration Mode>.

System Time/Date Setting

TiFRONT records the current time and date of the system whenever various events, troubles, and commands
run by users are logged. These logs are critical for solving any problems that may occur in the system and for
reconstructing what an administrator did and when, so it is very important to keep the system time accurate.
You can directly set the time of TiFRONT or use the NTP client function to automatically retrieve accurate time
from the NTP server after a set cycle.

Time Zone Setting

The time zone is the offset from UTC that TiFRONT applies when calibrating the system time. The time set by the NTP
client function is based on UTC. Therefore, this time may differ from the time zone of the place where the
TiFRONT is being used. In this case, you can set the time zone in TiFRONT to match that of your region.
To set the time zone in TiFRONT, run the following command in <Configuration Mode>.

Command: timezone {hkt | ict | jst | kst | utc}
Description: Set the time zone.
  hkt   Hong Kong standard time applicable to Beijing, Chongqing, Hong Kong, etc. (GMT+8)
  ict   Bangkok standard time applicable to Bangkok, Hanoi, Jakarta, etc. (GMT+7)
  jst   Japan standard time applicable to Osaka, Sapporo, Tokyo, etc. (GMT+9)
  kst   Korea standard time applicable to Seoul, etc. (GMT+9)
  utc   Universal time (Default)

Direct Setting of System Time/Date

To directly set the system time and date, run the following commands in <Configuration Mode>.

Command: clock <0-23> <0-59> <0-59>
Description: Set the system time.
  <0-23> <0-59> <0-59>   Enter the system time as hour, minute and second, with a space between them.
Command: date <2000-2099> <1-12> <1-31>
Description: Set the system date.
  <2000-2099> <1-12> <1-31>   Enter the system date as year, month and day, with a space between them.

Checking System Time/Date


To check the current system time and date, run the commands show clock and show date in <User Mode>,
<Privileged Mode>, or <Configuration Mode>.

NTP (Network Time Protocol) Client Setting

NTP (Network Time Protocol) is a protocol that synchronizes the clocks of devices connected to a network.
TiFRONT provides an NTP client function to set the system time. A device on which the NTP client
function is enabled requests time information from the NTP server, compares the time received
from the NTP server with its current time, and adjusts its time if there is a difference.
This process is repeated after a set cycle, so a device on which the NTP client function is enabled
keeps accurate system time.
The NTP client function is disabled by default and no NTP server is set in TiFRONT. The synchronization
cycle is set to 600 sec (10 min) by default.
The cycle for synchronizing with the time received from the NTP server is calculated by the following formula:
Time left until the next synchronization = Cycle - ((Current time - January 1, 1970 0 h 0 m 0 s) % Cycle)
In other words, synchronization happens on whole multiples of the cycle counted from January 1, 1970, not at
fixed offsets from the moment the client was enabled. If the cycle is set to 10 min and the NTP client function
is enabled at 9:05 am, you might expect that the time will be retrieved from the NTP server at 9:05, 9:15, 9:25,
etc. However, according to the above formula, TiFRONT retrieves the time from the NTP server at 9:05, 9:10,
9:20, etc. As another example, if you set the cycle to 12 min, TiFRONT retrieves the time from the NTP server
and synchronizes the system time at 9:05, 9:12, 9:24, etc.
To set the NTP client function in TiFRONT, run the following commands in <Configuration Mode>.

No. 1             Command: ntp server <A.B.C.D>
                  Description: Set the NTP server.
No. 2 (Optional)  Command: ntp interval <1-65535>
                  Description: Set the cycle for retrieving the time from the NTP server and synchronizing with the device time.
                    <1-65535>   Setting range: 1 ~ 65535. (Default value: 600 sec)
No. 3             Command: ntp enable
                  Description: Enable the NTP client function. (Default: disable)

Note: To disable the NTP client function, run the command no ntp enable in <Configuration Mode>.

Checking the NTP Settings


To check the NTP settings including the IP address of the NTP server, NTP synchronization cycle, and NTP
client status, run the command show ntp in <User Mode>, <Privileged Mode>, or <Configuration Mode>.
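The synchronization-cycle formula above, worked through in code so that the 9:05/9:10/9:20 and 9:05/9:12/9:24 sequences from the text can be reproduced for any cycle. This is an added example, not PLOS code; it assumes that "Current time" in the formula is a UTC timestamp counted from the Unix epoch and that the first request goes out at the moment ntp enable is issued, as the text describes. The helper names (utc, sync_schedule, hhmm) are this example's own.

```python
"""Work the synchronization-cycle formula above through a real clock.
Added example, not PLOS code.  It assumes 'Current time' in the formula is
a UTC timestamp counted from the Unix epoch and that the first request is
sent at the moment 'ntp enable' is issued, as the text describes."""
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
DEFAULT_INTERVAL = 600            # 'ntp interval' default: 600 s (10 min)


def utc(year: int, month: int, day: int, hour: int, minute: int) -> datetime:
    """Build an aware UTC timestamp (keeps the examples below short)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def seconds_until_next_sync(now: datetime, interval: int = DEFAULT_INTERVAL) -> int:
    """Time left = Cycle - ((Current time - 1970-01-01 00:00:00) % Cycle)."""
    if not 1 <= interval <= 65535:
        raise ValueError("ntp interval must be 1..65535 seconds")
    elapsed = int((now - EPOCH).total_seconds())
    return interval - (elapsed % interval)     # exactly on a boundary -> a full cycle


def sync_schedule(enabled_at: datetime, interval: int, count: int) -> list:
    """The first `count` times the client contacts the server after 'ntp enable'.

    The first request goes out immediately; the rest land on epoch-aligned
    multiples of the cycle, not at enabled_at + k * interval.
    """
    times = [enabled_at]
    while len(times) < count:
        times.append(times[-1] + timedelta(seconds=seconds_until_next_sync(times[-1], interval)))
    return times


def hhmm(times: list) -> list:
    """Format a schedule as HH:MM strings for comparison with the text."""
    return [t.strftime("%H:%M") for t in times]


if __name__ == "__main__":
    start = utc(2012, 12, 12, 9, 5)
    print(hhmm(sync_schedule(start, 600, 4)))   # cycle 10 min: 09:05, 09:10, 09:20, 09:30
    print(hhmm(sync_schedule(start, 720, 4)))   # cycle 12 min: 09:05, 09:12, 09:24, 09:36
    print(hhmm(sync_schedule(start, 420, 4)))   # cycle 7 min: 86400 % 420 != 0, so the date matters
```

A consequence worth knowing: because the boundaries are anchored to the epoch rather than to enable time, every switch configured with the same interval polls the server at the same instants. With many switches and a short interval that makes the server's load bursty; vary the interval per device rather than the time at which ntp enable is issued.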

Manual System Rebooting


If you have downloaded PLOS from the TFTP server to TiFRONT, you must reboot TiFRONT in order to apply
PLOS to the system. Furthermore, you may have to reboot the system when configuring and managing
TiFRONT using a terminal program. In these cases, you can manually reboot TiFRONT.
To manually reboot the system, use the following command in <Configuration Mode>.

Command: reload
Description: Reboot the system.

Note: When you run the reload command, the message reboot system? (y/n) : appears. Type 'y' and press the Enter key to reboot the system.

Remote Access
To remotely access another system, run the following command in <Privileged Mode>.

Command: telnet <WORD> [<PORT>]
Description: Remotely access another system.
  <WORD>   System IP address or host name
  <PORT>   TCP port number

Note: The connection is made with Telnet, so the credentials you type into the remote system cross the network in cleartext.

Login Banner Setting


The Login Banner setting of TiFRONT allows you to enter messages or warnings so that users can see them
on their login screen when accessing TiFRONT through the console terminal program, FTP or Telnet.
You can set the login banner by using the following command in <Configuration Mode>.

Command: banner login <LINE>
Description: Set the message displayed on the screen before user logs in to the system.
  <LINE>   Enter the banner message after typing '&' and a line feed. You can enter up to 4096 characters composed of alpha-numeric, Korean,
           and special characters. After entering the message, type a line feed and '&'. (The configuration example later in this section
           uses 'c' as the delimiter character in place of '&'.)
Command: banner motd {<LINE> | default}
Description: Set the message to be displayed on the screen after a user logs in to the system.
  <LINE>   You can enter up to 2048 characters composed of letters, numbers, and special characters.

Note: After changing the login banner, you must run the command write memory in <Privileged Mode> so that the changes will be applied.

Showing Used Commands History

The Used Commands History function displays the history of commands that have been run after logging in
to TiFRONT.
To display the used commands history, run the following commands in <Privileged Mode>.

Command: show history
Description: Show the history of commands that have been run after logging in to TiFRONT.
Command: show history record
Description: Show the history of commands run by all users and the history of all commands before rebooting. Running this command shows the
command date and time, accessed IP address, user ID, and the commands.

Note: The record stores each command line verbatim. A password set with the username ... password command therefore appears in cleartext in the
output of show history record, so treat that output as sensitive and do not paste it into tickets or mail.

Configuration examples
The following is an example of system name setting.

TiFRONT(config)# hostname TestName       System name changed to TestName
TestName(config)#                        The changed name is shown at the beginning of the prompt

The following shows examples of the console connection timeout setting and the terminal session
count/connection timeout setting.

(config)# show exec-timeout               Show the current settings.
-----------------------------
Type    | Index | Timeout
--------+-------+------------
vty     | 0     | 10.0
vty     | 1     | 10.0
vty     | 2     | 10.0
vty     | 3     | 10.0
vty     | 4     | 10.0
console | 0     | 10.0
-----------------------------
(config)# line console 0                  Enter the <config-line configuration mode> of the console
(config-line)# exec-timeout 0 0           Delete the console connection timeout setting.
(config-line)# show exec-timeout          Show the settings.
-----------------------------
Type    | Index | Timeout
--------+-------+------------
vty     | 0     | 10.0
vty     | 1     | 10.0
vty     | 2     | 10.0
vty     | 3     | 10.0
vty     | 4     | 10.0
console | 0     | Unlimit
-----------------------------
(config-line)# exit
(config)# line vty 7 8                    Create a terminal session and enter the <config-line configuration mode>
(config-line)# exec-timeout 5 30          Set the terminal connection timeout to 5 min 30 sec
(config-line)# show exec-timeout          Show the settings.
-----------------------------
Type    | Index | Timeout
--------+-------+------------
vty     | 0     | 10.0
vty     | 1     | 10.0
vty     | 2     | 10.0
vty     | 3     | 10.0
vty     | 4     | 10.0
vty     | 7     | 5.30
vty     | 8     | 5.30
console | 0     | Unlimit
-----------------------------

The following is an example of the system date and time setting.

(config)# date 2012 12 12                 Set the system date to December 12, 2012
(config)# show date                       Show the system date
Wed Dec 12 2012 (2012-12-12)
(config)# clock 12 12 12                  Set the system time to 12:12:12
(config)# show clock                      Show system time
12:12:15 UTC

In the following example, the NTP client function is set and the NTP settings are queried.

(config)# ntp server 211.115.194.21       NTP server setting
(config)# ntp interval 300                Synchronization cycle setting
(config)# show clock                      Show the current time
12:13:18 UTC
(config)# ntp enable                      Enable the NTP client function.
(config)# show clock                      Show the changed time after enabling the NTP function
06:21:33 UTC
(config)# show ntp                        Show the NTP settings
=============================
NTP client : Running
-----------------------------
Update Interval : 300 sec
NTP server : 211.115.194.21
=============================

The following is an example of manual system rebooting.

(config)# reload                          Enter the system rebooting command
reboot system? (y/n): y                   Run rebooting by entering "y."
TiFRONT shutdown processing....
Logging backup...
The system is going down NOW !!..
Sending SIGTERM to all processes.
...Done
% Connection is closed by administrator!
Sending SIGKILL to all processes.
Requesting system reboot.
Restarting system.
TiFRONT (PIOLINK Inc.)
Bootloader version : 1.2 (Build time: Jul 14 2010 - 09:33:44)
TiFRONT_LSG board revision serial #: R210T7200A03113
MAC address: 00:de:ad:10:ff:00
DRAM: 512 MB
Flash: 32 MB
Clearing DRAM....... done
Using default environment
PLOS-LS version: 1.1.0 (size: 32505856) is uploading....
Board: TiFRONT-G24
/sbin/rc starting
TiFRONT LSG INIT SCRIPT
Updating module dependencies
Setting up loopback
TiFRONT LSG running......
QC module loading

plos_info_proc_init!!
Starting syslogd
logfiler started.
Check PoE device
/sbin/rc: line 83: /bin/poe_init: No such file or directory
Starting snmpd
Switch Port Mapping TiFRONT LSG
<<XSWITCH INFO>>
SYSTEM PRODUCT ID : 0x1020000
SYSTEM PLATFORM ID: 1
SYSTEM BOARD ID : 2
SYSTEM REVISION : 0
SYSTEM FUNCTON : 0x0
26 User port
VLAN : 4096
L2table : 16 K
L3table : 0 K
User defined switch configuration is loaded
Starting switch IMISH
Staring Cron
Starting xinetd
Starting Health check
Switching port(ge1) link UP!!
Hardware Monitoring
watchdog enable ENABLE
Please, wait..
Switching port(ge2) link UP!!
TiFRONT login:

The following is an example of remote access.

# telnet 192.167.203.30 23                Remote access through the port 23 with the IP address 192.167.203.30
Entering character mode
Escape character is '^]'.
TiFRONT login: root
Password:
PLOS-LS PIOLINK Inc.
TiFRONT>

The following is an example of changing the login banner.

(config)# banner login c                  Change the banner before login
===================
Banner Login ....
===================
c
(config)# banner motd This is a banner test.    Change the banner after login
(config)# exit
# write memory                            Save the changes
[OK]
# logout                                  Log out to check the changed login banner
===================
Banner Login ....
===================
TiFRONT login:root
Password:
This is a banner test.


The following is an example of querying the commands history. Note that the record output reproduces the
username ... password command lines, including the passwords, exactly as they were typed.

# show history                            Show the history of commands that you have run after logging in.
1 en
2 configure terminal
3 sh system
4 sh ip route
5 exit
6 sh history
# show history record                     Show the history of commands that all users have run
[2011.10.29 07:52:14] console (root ): en
[2011.10.29 07:52:17] console (root ): show web-alert
[2011.10.29 07:52:20] console (root ): show log conf
[2011.10.29 07:52:51] console (root ): show hostacl config host
[2011.10.29 07:58:54] console (root ): conf
[2011.10.29 07:59:04] console (root ): no web-alert display-company
[2011.10.29 08:08:16] console (root ): access-group aaa interface ge1
[2011.10.29 08:08:42] console (root ): access-list 1 deny any any any
[2011.10.29 08:08:55] console (root ): access-group aaa access-list 1
[2011.11.03 09:51:58] 192.168.201.224 (root ): show user-list
[2011.11.03 09:52:02] 192.168.201.224 (root ): configure terminal force
[2011.11.03 09:52:10] 192.168.201.224 (root ): username kauri password !piolink
[2011.11.03 09:52:29] 192.168.201.224 (kauri ): en
[2011.11.03 09:52:30] 192.168.201.224 (kauri ): conf t
[2011.11.03 09:52:37] 192.168.201.224 (kauri ): username root password !piolink
[2011.11.03 09:52:46] 192.168.201.224 (kauri ): username root password !piolink
[2011.12.13 02:32:33] 192.168.201.185 (piolink ): show ip int b
[2011.12.13 02:32:33] 192.168.201.185 (piolink ): conf t
[2011.12.13 02:32:34] 192.168.201.185 (piolink ): end
[2011.12.13 04:05:33] 192.168.200.222 (piolink ): sh ip route
--More--
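The record above is the kind of log a reviewer wants to scan automatically: it shows who changed what, from where, and it happens to contain passwords. The following Python script is an added example, not PLOS or TiManager code. It assumes the record line format shown above, "[YYYY.MM.DD HH:MM:SS] <source> (<user> ): <command>", where <source> is either "console" or the client's IP address; the list of command prefixes it treats as configuration changes is this example's own choice, not a list from the product, and the sample lines are constructed in the page's format.

```python
"""Scan 'show history record' output for credential-bearing and
configuration-changing commands.  Added example, not PLOS code.  It assumes
the record format shown above, '[YYYY.MM.DD HH:MM:SS] <source> (<user> ): <command>',
where <source> is 'console' or the client's IP address; the command patterns
flagged below are this example's choice, not a list from the product."""
import re

RECORD_RE = re.compile(
    r"^\[(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2})\]\s+"
    r"(?P<source>\S+)\s+\(\s*(?P<user>[^\s)]+)\s*\):\s*(?P<cmd>.*)$")
CREDENTIAL_RE = re.compile(r"^username\s+\S+(?:\s+privilege\s+\d+)?\s+password\s+(\S+)")
CONFIG_RE = re.compile(r"^(?:no\s+)?(?:username|access-list|access-group|service-port|"
                       r"ntp|banner|reload|copy\s+factory-default|os\s+update|boot\s+update)\b")


def parse_record(line: str):
    """Split one record line into its fields, or return None for anything else."""
    m = RECORD_RE.match(line.strip())
    return m.groupdict() if m else None


def redact(cmd: str) -> str:
    """Mask the password argument so a finding can be shared without repeating the secret."""
    m = CREDENTIAL_RE.match(cmd)
    if not m:
        return cmd
    start, end = m.span(1)
    return cmd[:start] + "********" + cmd[end:]


def audit_history(lines, trusted_sources=("console",)):
    """Return one finding per suspicious record: (ts, source, user, reasons, redacted cmd)."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue                     # '--More--', prompts, blank lines
        reasons = []
        if CREDENTIAL_RE.match(rec["cmd"]):
            reasons.append("password recorded in cleartext")
        if CONFIG_RE.match(rec["cmd"]):
            reasons.append("configuration change")
        if reasons and rec["source"] not in trusted_sources:
            reasons.append(f"from remote host {rec['source']}")
        if reasons:
            findings.append((rec["ts"], rec["source"], rec["user"], tuple(reasons), redact(rec["cmd"])))
    return findings


# Constructed lines in the format of the page's 'show history record' output.
SAMPLE_HISTORY = """\
# show history record
[2011.10.29 07:52:14] console (root ): en
[2011.10.29 08:08:42] console (root ): access-list 1 deny any any any
[2011.11.03 09:52:10] 192.168.201.224 (root ): username kauri password !piolink
[2011.11.03 09:52:37] 192.168.201.224 (kauri ): username root password !piolink
[2011.12.13 02:32:33] 192.168.201.185 (piolink ): show ip int b
--More--
""".splitlines()

if __name__ == "__main__":
    for finding in audit_history(SAMPLE_HISTORY):
        print(*finding, sep=" | ")
```

The sequence in the sample is the one a reviewer should not miss: an account is created from a remote host, and a few seconds later that new account resets the root password. Redacting before the findings leave the box keeps the report from becoming a second copy of the credential.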


Configuration File
Overview
The configuration file contains the configuration information of TiFRONT. The configuration file that contains
the basic configuration information is stored in the flash memory when TiFRONT is shipped and can be
restored whenever necessary.
When the device boots up, the configuration file is loaded from the flash memory to SDRAM. The
configuration file that is stored in the flash memory and loaded when booting is called startup-config.
When TiFRONT is booted for the first time, the factory default configuration file (factory-default-config) is
used as the startup-config.
The content of the configuration file loaded to SDRAM is changed whenever a user changes the device
configuration. This configuration file is called running-config. The running-config file has the current
configuration information, but since it is in SDRAM, the content is erased when the device is rebooted.

Saving the Configuration File


To preserve the current configuration even after the device is rebooted, you must save running-config as
startup-config. To do this, run one of the following commands in <Privileged Mode>.

Command: copy running-config startup-config
Command: write memory
Description: Save running-config as startup-config.

Restoring Initial Configuration


To delete the current configuration on the device and restore the factory default configuration, run the
following command in <Configuration Mode>.
Command: copy factory-default startup-config
Description: Reset the configuration.

Caution: After running the above command, you must reboot TiFRONT to apply the initialized configuration to the system. To reboot TiFRONT, run
the command reload in <Configuration Mode>.

Showing the Content of Configuration File


To show the content of the running-config file, run the command show running-config in <Privileged
Mode> or <Configuration Mode>.


Configuration examples
The following is an example of restoring the system to its initial configuration.

# show running-config
Show the running-config to check the current configuration.
!
no service password-encryption
!
hostname TiFRONT
!
spanning-tree mst config
!
no ip forwarding
!
vlan 2 name v1
vlan 2 state enable
!
interface lo
ip address 127.0.0.1/8
no shutdown
!
interface mgmt0
ip address 10.1.1.1/24
no shutdown
!
interface eth0
shutdown
!
interface eth1
shutdown
!
interface ge1
switchport
switchport mode access
switchport access vlan 2
flowcontrol receive off
flowcontrol send off
auto-negotiation on
jumbo-frame off
no shutdown
!
interface ge2
switchport
switchport mode access
switchport access vlan 2
flowcontrol receive off
flowcontrol send off
auto-negotiation on
jumbo-frame off
no shutdown
!
--More
< Omitted>
# configure
Enter configuration commands, one per line. End with CNTL/Z.
(config)# copy factory-default startup-config    Enter the initial configuration restoring command
clear written configuration? (y/n): y     Run the command by entering "y"
[OK]
(config)# reload                          Enter the system rebooting command
reboot system? (y/n): y                   Run the command by entering "y"
TiFRONT shutdown processing....
Logging backup...
The system is going down NOW !!..
Sending SIGTERM to all processes.
...Done
% Connection is closed by administrator!
Sending SIGKILL to all processes.
Requesting system reboot.
Restarting system.
< Omitted>
(config)# show running-config             Show the running-config to check the restoration to initial configuration.
!
no service password-encryption
!
hostname TiFRONT

!
spanning-tree mst config
!
no ip forwarding
!
interface lo
ip address 127.0.0.1/8
no shutdown
!
interface mgmt0
no shutdown
!
interface eth0
shutdown
!
interface eth1
shutdown
!
interface ge1
switchport
switchport mode access
flowcontrol receive off
flowcontrol send off
auto-negotiation on
jumbo-frame off
no shutdown
!
interface ge2
switchport
switchport mode access
flowcontrol receive off
flowcontrol send off
auto-negotiation on
jumbo-frame off
no shutdown
!
--More


PLOS
PLOS is the PIOLINK operating system that is installed on TiFRONT when it is shipped. There are various
versions of TiFRONT PLOS and each version may provide different features. When necessary, you can update
the PLOS to higher or lower versions than the currently installed version. Also, there are multiple versions of
the boot loader which is necessary for normal booting of PLOS and it must be updated separately from PLOS.
You can update TiFRONT PLOS using one of the following three methods:
Update through the TFTP server
Update through the FTP server
Update through the USB memory (only available for TiFRONT-GX24/GX24P models)

PLOS Update
To update PLOS using CLI commands, perform the following steps in <Configuration Mode>.

No. 1-1  Command: os update [tftp] <A.B.C.D> <FILE>
         Description: Download PLOS from the TFTP server to TiFRONT.
           <A.B.C.D>    IP address of the TFTP server
           <FILE>       Path and name of the PLOS file
No. 1-2  Command: os update ftp <A.B.C.D> <ID> <PASSWORD> <FILE>
         Description: Download PLOS from the FTP server to TiFRONT.
           <A.B.C.D>    IP address of the FTP server
           <ID>         ID for logging in to the FTP server
           <PASSWORD>   Password of the ID that was entered before
           <FILE>       Path and name of the PLOS file
No. 1-3  Command: os update usb <FILE>
         Description: Download PLOS from a USB memory to TiFRONT.
           <FILE>       Path and name of the PLOS file
No. 2    Command: reload
         Description: Restart TiFRONT to apply the downloaded PLOS to the system.

Note: To update PLOS through the FTP server, the PLOS file must be in the home directory of the FTP server.

Note: If you use the Al FTP from East Soft as the FTP server program, the PLOS update cannot be done normally.

Note: TFTP and FTP transfer the image without integrity protection, and FTP also sends the login ID and password in cleartext; because the FTP
password is typed on the command line, it can be expected to appear in the command history record like any other command. Run updates from a
trusted management network, and confirm the reported PLOS size and the version shown by show system after the reboot.


Boot Loader Update

You can update the boot loader through the TFTP server and USB memory. To update the Boot Loader using
CLI commands, perform the following steps in <Configuration Mode>.

No. 1-1  Command: boot update <A.B.C.D> <FILE>
         Description: Download Boot Loader from the TFTP server to TiFRONT.
           <A.B.C.D>   IP address of the TFTP server
           <FILE>      Boot Loader file name
No. 1-2  Command: boot update usb <FILE>
         Description: Download Boot Loader from a USB memory to TiFRONT.
           <FILE>      Boot Loader file name
No. 2    Command: reload
         Description: Restart TiFRONT to apply the downloaded Boot Loader to the system.

Showing USB Memory Information


To check the file information of the USB memory connected to TiFRONT, run the following command in
<Configuration Mode>.
Command: show usb [<DIR>]
Description: Show the file contents of the USB memory.
  <DIR>   Name of the directory of which to show the file information

Showing PLOS and Boot Loader Information


To check the versions of PLOS and Boot Loader that are installed on TiFRONT, run the command show
system in <User Mode>, <Privileged Mode>, or <Configuration Mode>.


Configuration examples
The following is an example of a PLOS update.

>show system                              Show system information to check the PLOS version.
--------------------------------------------
system information
--------------------------------------------
Product Name     : TiFRONT V1.0 G24
Serial number    : R210T7200A02113
BL version       : boot-lsg-v1.8
OS version       : PLOS-LS-V1.0.25
CPU clock        : 600Mhz
Number of core   : 2
Memory size      : 512MB
Mgmt MAC address : 00:06:c4:72:02:02
--------------------------------------------
(config)# os update 192.168.201.236 PLOS-LS-V1.0.31    Update the PLOS to V1.0.31 through a TFTP server
Receiving file.
################################
Receiving OS data is Done
PLOS size : 25986519 bytes
Update OS to FLASH memory
................................................................................
................................................................................
.............................................................
PLOS update is completed successfully
(config)# reload                          Enter the system rebooting command
reboot system? (y/n): y                   Run rebooting by entering "y."
TiFRONT shutdown processing....
Logging backup...
The system is going down NOW !!..
Sending SIGTERM to all processes.
...Done
% Connection is closed by administrator!
Sending SIGKILL to all processes.
Requesting system reboot.
Restarting system.
(config)# boot update 192.168.201.236 plos/boot-lsg-v2.0    Update Boot Loader to v2.0
Receiving file.
#
Receiving Bootloader data is Done
Bootloader size : 316480 bytes
Update Bootloader to FLASH memory
....
Bootloader update is completed successfully
(config)# reload                          Enter the system rebooting command
reboot system? (y/n): y                   Run rebooting by entering "y."
TiFRONT shutdown processing....
Logging backup...
The system is going down NOW !!..
Sending SIGTERM to all processes.
...Done
% Connection is closed by administrator!
Sending SIGKILL to all processes.
Requesting system reboot.
Restarting system.
PLOS-LS PIOLINK Inc.
>show system                              Show system information to check the PLOS and Boot Loader versions
--------------------------------------------
system information
--------------------------------------------
Product Name     : TiFRONT V1.0 G24
Serial number    : R210T7200A02102
BL version       : boot-lsg-v2.0
OS version       : PLOS-LS-V1.0.31
CPU clock        : 600Mhz
Number of core   : 2
Memory size      : 512MB
Mgmt MAC address : 00:06:c4:72:02:02


User Account
Default User
TiFRONT provides basic security functions through the authentication of users who access TiFRONT via HTTP,
Telnet, console, SNMP, etc.
To manage TiFRONT through CLI or TiManager, you must log in to it with a registered user account. TiFRONT
has a default user account with administrator level rights (ID: root, password: admin). Because this ID and
password are the same on every unit as shipped, change the root password before the device is connected to a
production network.

User Level
In TiFRONT, you can add up to 8 users including the root user, who is the default user. There are user levels
1 to 15, and the commands available in CLI depend on the user level. The higher the level is (the greater the
number is), the more commands are available. The level of the default user, root, is 15.

User Account Settings


Setting User ID and Password Combination Rules
To set the user ID and password combination rules when adding a user account, run the following command
in <Configuration Mode>.
username combination {low | medium | high}
    Set the user ID combination rules.
    low: Any letters, numbers, or special characters (*~!@#$&%^_+=\\|{}[].,/) are acceptable.
    medium: Only a combination of two or more of letters, numbers, and special characters is acceptable (default).
    high: Only a combination of all three of letters, numbers, and special characters is acceptable.

username-password combination {low | medium | high}
    Set the user password combination rule.
    low: Any letters, numbers, or special characters (*~!@#$&%^_+=\\|{}[].,/) can be entered.
    medium: Only a combination of two or more of letters, numbers, and special characters is acceptable (default).
    high: Only a combination of all three of letters, numbers, and special characters is acceptable.


Setting Minimum Length for User ID and Password


To set the minimum length for a user ID and password, run the following commands in <Configuration
Mode>.
username min-length <4-64>
    Set the minimum length of a user ID.
    <4-64>: Setting range: 4 ~ 64. (Default value: 4 characters)

username-password min-length <5-24>
    Set the minimum length of a user password.
    <5-24>: Setting range: 5 ~ 24. (Default value: 5 characters)

Note: The default minimum lengths of a user ID and password are 4 and 5, respectively. If you change the minimum length of a user ID or
password, you must enter a value of the minimum length or a longer value when adding or changing a user ID or password.

Adding User Account


To add a new user account or change the level of an existing user account, run the following commands in
<Configuration Mode>.
username <WORD> [privilege <1-15>] password <LINE>
    Add a user.
    <WORD>: Set a user ID with a string of 4-64 characters consisting of letters, numbers, and special characters (*~!@#$&%^_-+=\\|{}[].,/).
    <1-15>: Set a user level. If this is not specified, it is set to 1.
    <LINE>: Set a password with a string of 5-24 characters consisting of letters, numbers, and special characters (*~!@#$&%^_-+=\\|{}[].,/).

username <WORD> desc <LINE> (Optional)
    Enter a description about the added user.
    <WORD>: User ID for which to enter a description
    <LINE>: Set a string of up to 20 characters consisting of letters and numbers. The first character must be a letter.

Note: To delete the content of description, run the command no username <WORD> desc in <Configuration Mode>.

Note: To delete a user account, run the command no username <WORD> in <Configuration Mode>. You cannot delete the root account which is
the default user of TiFRONT.

Note: To change the user level, run the command username <WORD> privilege <1-15> in <Configuration Mode>.


Changing Password
You can change the user password by using the following command in <Configuration Mode>.
username <WORD> password <LINE>
    Change the user password.

Note: You can set a password with a string of 5-25 characters consisting of letters, numbers, and special characters (*~!@#$&%^_-+=\\|{}[].,/). It
also must contain at least one number or one special character. It is recommended to create a password that contains uppercase and lower case
letters, and numbers and special characters.

Note: For security, you are advised to change the password after first logging in to the system with the root user account.
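The combination and minimum-length rules above, applied to a candidate user ID or password, as an added example (not PIOLINK code). It assumes the three character classes are letters, numbers and the listed special characters, that medium means two classes and high all three, and it uses the 4-64 and 5-24 ranges of the min-length commands; the 5-25 figure in the note above is not used.

```python
"""Checker for the TiFRONT user ID / password rules described above.
Added example, not PIOLINK code. Assumptions: the three character classes
are letters, numbers and the special characters the guide lists; 'medium'
means two classes present, 'high' all three; the ID range is 4-64 and the
password range 5-24 characters (the values of the min-length commands)."""

# Special characters the guide lists for user IDs and passwords.
SPECIALS = set(r"*~!@#$&%^_-+=\|{}[].,/")

# Number of distinct character classes each combination rule demands.
CLASSES_REQUIRED = {"low": 1, "medium": 2, "high": 3}

ID_MIN_DEFAULT, ID_MAX = 4, 64      # username min-length <4-64>
PW_MIN_DEFAULT, PW_MAX = 5, 24      # username-password min-length <5-24>


def char_classes(value):
    """Return the set of classes present in value, or None if a character
    outside letters, numbers and the permitted specials appears."""
    classes = set()
    for ch in value:
        if ch.isascii() and ch.isalpha():
            classes.add("letter")
        elif ch.isascii() and ch.isdigit():
            classes.add("number")
        elif ch in SPECIALS:
            classes.add("special")
        else:
            return None
    return classes


def check_value(value, combination, min_len, max_len):
    """Apply the length and combination rules; return (accepted, reason)."""
    if combination not in CLASSES_REQUIRED:
        raise ValueError("combination must be low, medium or high")
    if not min_len <= len(value) <= max_len:
        return False, f"length {len(value)} is outside {min_len}-{max_len}"
    classes = char_classes(value)
    if classes is None:
        return False, "contains a character that is not permitted"
    need = CLASSES_REQUIRED[combination]
    if len(classes) < need:
        return False, f"'{combination}' needs {need} character classes, found {len(classes)}"
    return True, "ok"


def check_user_id(user_id, combination="medium", min_len=ID_MIN_DEFAULT):
    """username combination / username min-length applied to a new user ID."""
    return check_value(user_id, combination, min_len, ID_MAX)


def check_password(password, combination="medium", min_len=PW_MIN_DEFAULT):
    """username-password combination / min-length applied to a new password."""
    return check_value(password, combination, min_len, PW_MAX)
```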

Password Reset
If you forget your password, you can reset the password of the default account (root). If you run the following
commands in <boot mode> of the Boot Loader, the password of the default account is changed to the
default value 'admin'.
1. setenv default_passwd yes
    Reset the password to 'admin'.
2. run bootcmd
    Apply the reset password to the system.

Caution: When you run the above steps, the login prompt for logging in to CLI appears. You must change the password after logging in to the root
account. To save the changed password in the system, run the command write memory in <Privileged Mode>.
Note: To use this feature, you must use the Boot Loader version LSF 1.7, LSG 1.5, or higher. For more details about the Boot Loader, see the User
Guide for the Boot Loader or contact our Technical Assistance Center (+82-1544-9890).

Setting Password Expiration Period


You can set the user password expiration period by using the following command in <Configuration Mode>.
password-expired-interval <1-365>
    Set the user password expiration period. There is no default value. Once you set this, the password expiration function is enabled.
    <1-365>: Setting range: 1 ~ 365 (day)

Note: When you set the password expiration period, it begins on the day it is set for existing user account. For newly added accounts, it begins on
the account creation date.

Note: To disable the password expiration period, run the command no password-expired-interval in <Configuration Mode>.


Note: When a user logs in after their password has expired, the following message appears and they are prompted to specify a new password.
Your pw is expired, so need to reset your password.
Enter new password: <new_password>
Retype new UNIX password: <new_password>
OK, save your new password to the startup config file.
Note: If 15 days or less remain until password expiration, the following message informs the user of the password expiration date after they log in.
#######################################################
Your password will be expired at 2013-Mar-30 13:58:34.
#######################################################
Caution: After changing the password, you must save the new password in the system by running the command write memory in <Privileged
Mode>. If the setting is not saved, the message prompting the user to reset their password will appear every time the system is rebooted.

User Level Command Setting


To set a command that is available to users by their user level, run the following command in <Configuration
Mode>.
privilege {class-map | configure | exec | interface | interface-range | key | line | mstp-cfg | policy-map | qos | route-map | router | timatrix} level <1-15> <LINE>
    Set the command mode, user level, and command.
    <1-15>: User level that can use the command
    <LINE>: Command to be used at the level

Caution: Higher level users can use the commands of the lower level users, but lower level users cannot use commands of the higher level users.
For example, level 8 users can use commands of levels 1-8.
Caution: If a command is set for two or more levels, the higher level will be applied to the command. For example, if the command ip route
is applied to levels '10' and '13', it will be considered a level 13 command.

User Level Password Setting


To allow a user to use a command by temporarily changing the user's level, run the following command in
<Configuration Mode>.
enable password level <1-15> <LINE>
    Set the level that the user can temporarily change to and the password.
    <1-15>: Level that the user can temporarily change to
    <LINE>: Password for changing the level


Temporary Change of User Level


To change the level of the user who has logged in now, run the following command in <User Mode>,
<Privileged Mode>, or <Configuration Mode>.
enable <1-15>
    User can temporarily change his/her level.
    <1-15>: Level that is temporarily changed to

Note: To temporarily change user level, a password for changing to that level must be entered.

Showing User Account Information


You can see the information of the added user name and level, the currently logged-in users, etc. by using
the command show user-list in <User Mode>, <Privileged Mode>, or <Configuration Mode>.

Password Expiration Information


You can see the password expiration period and time by user by using the command show password-expired in <User Mode>, <Privileged Mode>, or <Configuration Mode>.

Configuration examples
The following is an example of adding a user account.

(config)# username test privilege 8 password test1234        Add user account
(config)# username test desc Normal-user                     Add user description
(config)# show user-list                                     Show user account information
root : Privilege(15), password(d033e22ae348aeb5660fc2140aec35850c4da997)
test : Privilege(8), password(9bc34549d565d9505b287de0cd20ac77be1d3f2c)
       description(Normal-user)

In the following, you set the password expiration period and show expiration times by user.

(config)# password-expired-interval 60        Set password expiration period
(config)# show password-expired               Show password expiration period and time by user.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
CURRENT TIME     : 2011-Dec-12 07:58:26
EXPIRED INTV TIME: 365 (unit:day)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
USER    BASE TIME               EXPIRED TIME            EXPIRED
root    2011-Dec-12 07:58:23    2012-Dec-11 07:58:23    NO
test    2011-Dec-12 07:58:23    2012-Dec-11 07:58:23    NO
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The following is an example of setting a command that is available for a user level.
(config)# privilege exec level 3 configure terminal        Add command that is available for user level 3.

User Account Authentication


RADIUS
TiFRONT supports user authentication through a RADIUS (Remote Authentication Dial In User Service) server for
users who access it remotely through Telnet, the Web or a console. To enable this, you must set the TCP port to be
used for communication between the RADIUS server and TiFRONT, and the authentication key.
When TiFRONT receives an access request from an external user, TiFRONT sends the user information to the
RADIUS server. Then, the RADIUS server checks the secret key value and user information, and informs
TiFRONT whether or not to allow access. If authentication is successful, the user can access TiFRONT.
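The exchange described above, as an added example that is not part of the guide or of PIOLINK's code: a minimal RFC 2865 RADIUS client (the role TiFRONT plays) and toy server, showing how the shared secret (radius secret <WORD>) hides the password in transit and lets the client verify that a reply was produced by a holder of the same secret. The secret, user and password values are constructed.

```python
"""RFC 2865 Access-Request / Access-Accept exchange between a RADIUS client
(the role TiFRONT plays above) and a server. Added example, not PIOLINK code:
it shows how the shared secret (radius secret <WORD>) hides the User-Password
attribute in transit and lets the client verify that a reply really came from
a holder of the secret. Secret, user and password values are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_attrs(attrs):
    """Attributes are Type(1) Length(1) Value, the length counting the header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def hide_password(secret, req_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator in place of a previous block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(secret, req_auth, hidden):
    """Inverse of hide_password (server side)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, ident, username, password, req_auth):
    """Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes."""
    attrs = encode_attrs([(ATTR_USER_NAME, username),
                          (ATTR_USER_PASSWORD, hide_password(secret, req_auth, password))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_response(secret, code, ident, req_auth, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(secret, req_auth, response):
    """Client check: recompute the Response Authenticator with the local secret."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def server_handle(secret, users, request):
    """Toy server: decode the request, check the credential, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs, pos = request[4:20], {}, 20
    while pos < length:
        a_type, a_len = request[pos], request[pos + 1]
        attrs[a_type] = request[pos + 2:pos + a_len]
        pos += a_len
    password = reveal_password(secret, req_auth, attrs[ATTR_USER_PASSWORD])
    accepted = users.get(attrs[ATTR_USER_NAME]) == password
    return build_response(secret, ACCESS_ACCEPT if accepted else ACCESS_REJECT, ident, req_auth)


def exchange(client_secret, server_secret, users, username, password):
    """One round trip; returns (access granted, reply authenticated).
    Access is granted only for an Access-Accept whose authenticator verifies."""
    req_auth = os.urandom(16)
    request = build_access_request(client_secret, 7, username, password, req_auth)
    reply = server_handle(server_secret, users, request)
    verified = verify_response(client_secret, req_auth, reply)
    return reply[0] == ACCESS_ACCEPT and verified, verified
```

A mismatched secret on either side shows up as an unverifiable reply, which is the failure mode the radius timeout and retry settings cannot distinguish from a dead server.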

RADIUS Server Configuration


To configure the RADIUS server, perform the following steps in <Configuration Mode>.

1. radius enable
    To use the RADIUS server for user authentication, enable the RADIUS function. (Default: Disabled)
2. radius server <IPADDR> {primary | secondary} (Optional)
    Specify the RADIUS server. Use primary to specify the default RADIUS server, or secondary to specify the secondary RADIUS server that will be used when the default RADIUS server is not normal. Omitting this option specifies the default RADIUS server.
3. radius port <1-65535>
    Set the TCP port to be used for communication between the RADIUS server and TiFRONT.
    <1-65535>: Setting range: 1 ~ 65535. (Default value: 1812)
4. radius secret <WORD>
    Set the secret key for authentication between the RADIUS server and TiFRONT. To delete the secret key, run the command no radius secret.
    <WORD>: Enter the secret key for authentication. You can enter a string of up to 16 characters using letters, numbers, _, and -.
5. radius timeout <1-65535>
    Set the RADIUS server response timeout.
    <1-65535>: Setting range: 1 ~ 65535. (Default value: 3 sec)
6. radius retry <1-65535>
    Set the number of retries that users can perform when there is no response from the server.
    <1-65535>: Setting range: 1 ~ 65535. (Default value: 3)
7. radius dead-time <dead-time>
    Set the wait time before trying to access the secondary RADIUS server when the default RADIUS server does not respond for the set number of retries.
    <dead-time>: Setting range: 1 ~ 65535. (Default value: 5 sec)
8. radius telnet (Optional)
    Enable RADIUS server authentication for accessing TiFRONT through Telnet. To disable this function, run the command no radius telnet. (Default: disable)
9. radius console (Optional)
    Enable RADIUS server authentication for accessing TiFRONT through the console. To disable this function, run the command no radius console. (Default: Disabled)

Note: To disable the RADIUS function, run the command no radius enable in <Configuration Mode>.

Checking the Settings


To check the RADIUS server settings for the current TiFRONT session, run the command show radius in
<User Mode>, <Privileged Mode>, or <Configuration Mode>.

Configuration examples
In this example, you enable the RADIUS authentication function, set it as shown in the following table, and
query the settings.
Default RADIUS server: 192.168.203.30
Secondary RADIUS server: 192.168.203.31
Port number: 1645
Secret key: radius-1234
RADIUS server response timeout: 5 sec
Number of retries for accessing the RADIUS server: 5 times
Waiting time for accessing the secondary RADIUS server: 5 sec
Console authentication function: Enabled
Telnet authentication function: Enabled

(config)# radius enable                               Enable the RADIUS function
(config)# radius server 192.168.203.40 primary        Set the default RADIUS server
(config)# radius server 192.168.203.41 secondary      Set the secondary RADIUS server
(config)# radius port 1645                            Set the port number
(config)# radius secret radius_1234                   Set the secret key
(config)# radius timeout 5                            Set the RADIUS server response timeout
(config)# radius retry 5                              Set the number of retries for accessing the RADIUS server
(config)# radius dead-time 5                          Set the waiting time for accessing the secondary RADIUS server
(config)# radius telnet                               Enable Telnet authentication function
(config)# radius console                              Enable console authentication function

(config)# show radius                                 Show the settings.
RADIUS configuration
==================================
Status           : Enable
Telnet           : Enable
Console          : Enable
----------------------------------
Primary Server   : 192.168.203.40
Secondary Server : 192.168.203.41
Secret           : radius-1234
Port             : 1645
Retry count      : 5
Timeout          : 5 sec.
Dead Time        : 5 sec.
===================================


TACACS+
Besides RADIUS, TiFRONT can also use the TACACS+ (Terminal Access Controller Access Control System Plus)
protocol to authenticate users accessing remotely. When TiFRONT receives a request for remote access, it
performs authentication, as with the RADIUS server. Once authentication is successful and the user can
access TiFRONT, every command used by the user is checked for availability through the TACACS+ server
(Authorization). In this case, every command performed by the user can be sent to the TACACS+ server for
recording (Accounting).
Using the user authentication protocol, TACACS+, enhances the security of system and network management
because you must receive authentication through the server.
Note: The commands used by normal users who access in Privileged Mode are not recorded. Only the commands used by the administrator level
users (Super Users) are recorded.

TACACS+ Configuration
To configure TACACS+, perform the following steps in <Configuration Mode>.

1. tacacs-plus server <IPADDR>
    Set the TACACS+ server.
2. tacacs-plus secret <WORD>
    Set the secret key for authentication between the TACACS+ server and TiFRONT.
    <WORD>: Enter the secret key for authentication. You can enter a string of up to 16 characters using letters, numbers, _, and -.
3. tacacs-plus authentication (Optional)
    Enable login authentication. (Default: Disable)
4. tacacs-plus authorization (Optional)
    Enable authentication for every command run by user. (Default: disable)
5. tacacs-plus accounting (Optional)
    Send the commands run by user to the TACACS+ server. (Default: disable)
6. tacacs-plus log (Optional)
    Record logs in TiFRONT for every command run by user.

Note: To delete TACACS+ configuration information, run the command no tacacs-plus {secret | authentication | authorization |
accounting | log} in <Configuration Mode>.

Checking the Settings


To check the TACACS+ settings for the current TiFRONT, run the command show tacacs-plus in <User
Mode>, <Privileged Mode>, or <Configuration Mode>.


Configuration examples
In this example, the TACACS+ authentication function is set as shown in the following table, and then the
settings are queried.
TACACS+ server: 192.168.203.30
Secret key: tacacs-1234
authentication: Enabled
authorization: Enabled
accounting: Enabled
log: Enabled

(config)# tacacs-plus server 192.168.203.30        Set the TACACS+ server
(config)# tacacs-plus secret tacacs-1234           Set the secret key
(config)# tacacs-plus authentication               Enable authentication
(config)# tacacs-plus authorization                Enable authorization
(config)# tacacs-plus accounting                   Enable accounting
(config)# tacacs-plus log                          Enable log

(config)# show tacacs-plus
TACACS+ Configuration
============================================
Authentication Status : Enable
Authorization Status  : Enable
Accounting Status     : Enable
--------------------------------------------
Server : 192.168.203.30
Secret : tacacs-1234
Log    : Enable
============================================

Log Management
Overview
When any problem occurs in the device or events occur such as a change of settings, TiFRONT creates log
messages that contain the related information. The log messages are time-stamped and stored in the buffer,
and you can see them when necessary.

Log Buffer
Because the log buffer size is limited, you cannot store all log messages indefinitely. Thus, when the buffer is
full, the oldest log messages are deleted and new log messages are saved. To address the buffer size
problem, TiFRONT specifies the types and levels of events for creating log messages to reduce the number of
log messages.

Event Types and Levels


You can set the types and levels of events for creating log messages to save the logs for specific events or
only save the logs of a higher level than the specified level.
There are 13 event types for creating log messages in TiFRONT.
Event type: Description
auth: Security and authentication events
authpriv: Personal security and authentication events
cron: Clock and daemon (cron, at) events
ftp: FTP server events
daemon: Events related to general system daemons
kern: Kernel events
local0-7: Events related to areas reserved for local system use
lpr: Print events
mail: Mail events
news: News server events
syslog: Internal events created by syslog
user: General user level events
uucp: Events related to UNIX-to-UNIX Copy

Among these events, you can select which events for which log messages will be created. By default, every
event generates a log message.


TiFRONT events are divided into the following eight levels depending on their effect on the device.
Level name     Keyword   Description
Emergency      emerg     An event that is critical to the system
Alert          alert     An event that requires immediate action
Critical       crit      Critical event
Error          error     Error message
Warning        warn      Warning message
Notice         notice    An unimportant general event (default)
Information    info      An informational event
Debug          debug     A debugging event

The emergency level at the top is the most serious event and the lower the level is, the less serious the event
becomes. By default, TiFRONT generates log messages when notice level or higher events occur. You can set
the event level for generating log messages.

Sending Log Messages and Log Backup


Log messages play an important role in finding and solving problems on the device. Therefore, if the buffer
is full and log messages are deleted, you can lose important information. To prevent this problem, TiFRONT
has a function that periodically sends log messages to TiManager and the syslog server, as well as a log
backup function.

Log Settings
Setting Event Types and Levels
To set the event types and levels for creating log messages, run the following command in <Configuration
Mode>.
logging severity {alert | crit | debug | emerg | error | info | notice | warn} [<WORD>]
    Set the event level and type for generating log messages. (Default event level: notice)
    <WORD>: Specify the event type for saving logs (Event types that can be specified: auth, authpriv, cron, daemon, ftp, kern, local0~local7, lpr, mail, news, syslog, user, uucp, all) (Default value: all)

Note: If you specify an event level, logs are saved only for the levels equal to, or higher than the specified level. For example, if you specify the
Critical level, the logs of the Critical, Alert, and Emergency levels are saved in the buffer. If you specify the Debug level, all levels of logs are
saved in the buffer.


Sending Log Messages


Sending Log Messages to TiManager
You can send the log messages to TiManager by using the following command in <Configuration Mode>.
logging timanager <A.B.C.D>
    Send log messages to TiManager

Note: In TiFRONT, you can register 5 TiManagers to which log messages will be sent.

Note: A TiManager previously registered to receive log messages can be removed by using the command no logging timanager <A.B.C.D>
in <Configuration Mode>.

Sending Log Messages to Syslog Server


You can send the log messages to the Syslog server by using the following command in <Configuration
Mode>.
logging host <A.B.C.D> {default | <WORD>} {alert | crit | debug | emerg | error | info | notice | warn} [<WORD>]
    Set the syslog server for sending log messages as well as the event level and type for generating log messages.
    <A.B.C.D>: IP address of the syslog server
    default: Default port number 514
    <WORD>: Port number of the syslog server
    {alert | crit | debug | emerg | error | info | notice | warn}: Event level. Default event level for saving logs: information
    <WORD>: Specify the event type for saving logs (Event types that can be specified: auth, authpriv, cron, daemon, ftp, kern, local0-7, lpr, mail, news, syslog, user, uucp, all) Default value: all

Note: In TiFRONT, you can register 5 syslog servers to which log messages will be sent.

Note: You can delete a syslog server by using the command no logging host <A.B.C.D> {default | <WORD>} {default | <WORD>}
{alert | crit | debug | emerg | error | info | notice | warn} [<WORD>]. If you use this command, all the syslog servers having
the same IP address will be deleted.

Checking the Log Settings


To check the log settings of the current system, run the command show logging in <User Mode>,
<Privileged Mode>, or <Configuration Mode>.


Showing Logs
To check the detailed information about log messages, run the following commands in <User Mode>,
<Privileged Mode>, or <Configuration Mode>.
show log config [all | <1-65535>]
    Show the log messages for security and user settings.
    <1-65535>: Number of lines in the displayed log messages. Setting range: 1 ~ 65535

show log security [all | <1-65535>]
    Show log messages about security.
    <1-65535>: Number of lines in the displayed log messages. Setting range: 1 ~ 65535

show log system [all | <1-65535>]
    Show log messages about system status.
    <1-65535>: Number of lines in the displayed log messages. Setting range: 1 ~ 65535

show log user [all | <1-65535>]
    Show log messages about user access.
    <1-65535>: Number of lines in the displayed log messages. Setting range: 1 ~ 65535

show log etc [all | <1-65535>]
    Show all the other log messages except the above four types of log messages.
    <1-65535>: Number of lines in the displayed log messages. Setting range: 1 ~ 65535

show log all [all | <1-65535>]
    Show all log messages.
    <1-65535>: Number of lines in the displayed log messages. Setting range: 1 ~ 65535

Configuration examples
In the following example, the log settings are changed and the log messages are sent to the syslog server
and TiManager.

> show logging                                           Show the log settings.
Logging Configuration Informations
==============================================
Facility : All
Severity : Notice
----------------------------------------------
Logging Host : (None)
==============================================
(config)# logging severity debug syslog                  Change event level to Debug and event type to syslog
(config)# show logging
Logging Configuration Informations
==============================================
Facility : syslog
Severity : Debug
----------------------------------------------
Logging Host : (None)
==============================================
(config)# logging host 192.167.203.230 514 alert all     Set the syslog server
(config)# logging timanager 192.168.200.245              Set TiManager
(config)# show logging                                   Show the log settings.
Logging Configuration Informations
==============================================
Facility : syslog
Severity : Debug
----------------------------------------------
Logging Host :
Address                Severity     Facility
-------------------- ----------- ---------
192.167.203.230:514    Alert        all
----------------------------------------------
TiMANAGER
192.168.200.245
==============================================

The following is an example of the log display command.

> show log config                                    Show log messages for configuration
Jul 7 07:06:43 [LSG/CONF:SEC] Adding Permit IP Address (ether_type="ip",proto="ip",src_ip="210.168.127.129/24",dst_ip="any",sport="any",dport="any",user="root",by="cli")
Jul 7 07:05:56 [LSG/CONF:SEC] Arp Spoofing (status="2",user="root",by="cli")
Jul 7 06:30:49 [LSG/CONF:SEC] DoS/DDoS (status="2",user="root",by="cli")
> show log security                                  Show security log messages
Jul 7 06:22:06 KST [LSG/SEC:DETECT] ARP Spoofing Dest (id="3305",num="1",mac="00:06:c4:11:33:45")
Jul 7 06:22:06 KST [LSG/SEC:DETECT] ARP Spoofing Dest (id="3305",num="2",mac="40:61:86:b4:0c:94")
Jul 7 06:22:06 KST [LSG/SEC:DETECT] ARP Spoofing Host (id="3305",mac="00:06:c4:11:33:45",src="192.168.203.78",dest="172.31.2.15",time="6582031652",num_dest="2",weight="2")
> show log system                                    Show log messages about system status.
Jul 7 06:23:06 [LSG/SYS:HISTORY] Xinetd Debug (msg="Started working with 2 available services")
Jul 7 06:23:06 [LSG/SYS:HISTORY] Xinetd Debug (msg="Reading included configuration file: /etc/xinetd.d/telnet")
Jul 7 06:23:06 [LSG/SYS:HISTORY] Xinetd Debug (msg="Reading included configuration file: /etc/xinetd.d/sshd")
Jul 7 06:23:04 [LSG/SYS:HISTORY] Logfiler Message (msg="log filer started")
Jul 7 06:23:04 [LSG/SYS:HISTORY] Logfiler Running (cmd="start")
> show log user                                      Show log messages about user access.
Jul 7 06:50:16 [LSG/USER:HISTORY] Log In (user="root", from="console")
Jul 7 06:46:50 [LSG/USER:HISTORY] Log In (user="root", from="pts/0")
Jul 7 06:23:29 [LSG/USER:HISTORY] Log In (user="root", from="console")
> show log etc                                       Show other log messages except the above four types of log messages
Jul 7 06:23:13 Switching port(ge2) link UP!!
Jul 7 06:23:13 Switching port(ge1) link UP!!
Jul 7 06:23:13 L3table : 0 K
Jul 7 06:23:13 L2table : 16 K
Jul 7 06:23:13 VLAN : 4096
Jul 7 06:23:13 28 User port
Jul 7 06:23:13 <<XSWITCH INFO>>
Jul 7 06:23:13 linux_kernel_bde: module license 'Proprietary' taints kernel.
Jul 7 06:23:13 Mem Handler loading success!!
Jul 7 06:23:13 mdio Handler loading success!!
Jul 7 06:23:13 i2c Handler loading success!!
Jul 7 06:23:13 cf: Compact flash interface not present.
Jul 7 06:23:13 cf: Octeon bootbus compact flash driver version 2.0
Jul 7 06:23:13 0x05f00000-0x08000000 : "Reserved"
Jul 7 06:23:13 0x05d00000-0x05f00000 : "Backup Configuration"
Jul 7 06:23:13 0x04000000-0x05d00000 : "Backup OS"
Jul 7 06:23:13 0x00000000-0x04000000 : "log"
Jul 7 06:23:13 Creating 4 MTD partitions on "onenand":
Jul 7 06:23:13 cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.

> show log all                                       Show all log messages
Jul 7 06:50:16 [LSG/USER:HISTORY] Log In (user="root", from="console")
Jul 7 06:46:50 [LSG/USER:HISTORY] Log In (user="root", from="pts/0")
Jul 7 06:30:49 [LSG/CONF:SEC] DoS/DDoS (status="2",user="root",by="cli")
Jul 7 06:26:03 [LSG/CONF:SEC] DoS/DDoS (status="1",user="root",by="cli")
Jul 7 06:23:29 [LSG/USER:HISTORY] Log In (user="root", from="console")
Jul 7 06:23:13 Switching port(ge2) link UP!!
Jul 7 06:23:13 Switching port(ge1) link UP!!
Jul 7 06:23:13 L3table : 0 K
Jul 7 06:23:13 L2table : 16 K
Jul 7 06:23:13 VLAN : 4096
Jul 7 06:23:13 28 User port
Jul 7 06:23:13 <<XSWITCH INFO>>
Jul 7 06:23:13 linux_kernel_bde: module license 'Proprietary' taints kernel.
Jul 7 06:23:13 Mem Handler loading success!!
Jul 7 06:23:13 mdio Handler loading success!!
Jul 7 06:23:13 i2c Handler loading success!!
Jul 7 06:23:13 cf: Compact flash interface not present.
Jul 7 06:23:13 cf: Octeon bootbus compact flash driver version 2.0
Jul 7 06:23:13 0x05f00000-0x08000000 : "Reserved"
Jul 7 06:23:13 0x05d00000-0x05f00000 : "Backup Configuration"
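A parser for the log line format shown in the show log output above, as an added example (not PIOLINK code). It reads the 'Mon D HH:MM:SS [TZ] [LSG/<SUBSYS>:<KIND>] Event (key="value",...)' records, keeps untagged lines as raw text the way show log etc does, rejoins lines that the display wrapped, and pulls the counts a defender would want from the security and user logs; the sample lines are constructed after the guide's output and the subsystem-to-category mapping is an assumption.

```python
"""Parser for the log line format shown in the show log output above:
'Mon D HH:MM:SS [TZ] [LSG/<SUBSYS>:<KIND>] Event Name (key="value",...)', with
untagged lines (the show log etc output) kept as raw text. Added example, not
PIOLINK code; the sample lines are constructed after the guide's output and the
mapping from subsystem tag to show log category is an assumption."""
import re
from collections import Counter

# Timestamp, optional zone (only recognised directly before a [..] tag), rest of line.
HEAD_RE = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)"
                     r"(?:\s+([A-Z]{2,4})(?=\s+\[))?\s+(.*)$")
# [SYS/SUBSYS:KIND] Event Name (key="value",key="value")
TAG_RE = re.compile(r'^\[([A-Z]+)/([A-Z]+):([A-Z]+)\]\s+(.+?)\s*\((.*)\)\s*$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Which show log <category> bucket a subsystem tag belongs to (assumed mapping).
CATEGORY = {"CONF": "config", "SEC": "security", "SYS": "system", "USER": "user"}


def parse_line(line):
    """Parse one (unwrapped) log line into a record, or None if it has no timestamp."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    mon, day, hms, tz, rest = m.groups()
    rec = {"timestamp": f"{mon} {day} {hms}", "tz": tz, "raw": line}
    t = TAG_RE.match(rest)
    if t:
        _, subsys, kind, event, fields = t.groups()
        rec.update(category=CATEGORY.get(subsys, "etc"), kind=kind,
                   event=event, fields=dict(FIELD_RE.findall(fields)))
    else:
        rec.update(category="etc", kind=None, event=rest.strip(), fields={})
    return rec


def parse_log(text):
    """Parse show log output. A line that does not start with a timestamp is a
    wrapped continuation of the previous line, as in the guide's output."""
    joined = []
    for line in text.splitlines():
        if HEAD_RE.match(line) or not joined:
            joined.append(line)
        else:
            joined[-1] += line
    return [r for r in map(parse_line, joined) if r]


def show_log(records, category="all"):
    """Filter like show log {config | security | system | user | etc | all}."""
    return [r for r in records if category == "all" or r["category"] == category]


def security_summary(records):
    """Counts a defender would pull from the security and user logs: which hosts
    were reported as ARP spoofing sources and where logins came from."""
    spoof = Counter(r["fields"].get("src") for r in show_log(records, "security")
                    if r["event"] == "ARP Spoofing Host")
    logins = Counter((r["fields"].get("user"), r["fields"].get("from"))
                     for r in show_log(records, "user") if r["event"] == "Log In")
    return {"arp_spoof_sources": spoof, "logins": logins}


# Constructed sample modelled on the guide's output (the first record is wrapped as there).
SAMPLE = """\
Jul 7 07:06:43 [LSG/CONF:SEC] Adding Permit IP Address (ether_type="ip",proto="ip",
src_ip="210.168.127.129/24",dst_ip="any",sport="any",dport="any",user="root",by="cli")
Jul 7 06:22:06 KST [LSG/SEC:DETECT] ARP Spoofing Host (id="3305",mac="00:06:c4:11:33:45",src="192.168.203.78",dest="172.31.2.15",num_dest="2",weight="2")
Jul 7 06:23:04 [LSG/SYS:HISTORY] Logfiler Running (cmd="start")
Jul 7 06:50:16 [LSG/USER:HISTORY] Log In (user="root", from="console")
Jul 7 06:46:50 [LSG/USER:HISTORY] Log In (user="root", from="pts/0")
Jul 7 06:23:13 Switching port(ge2) link UP!!
Jul 7 06:23:13 VLAN : 4096
"""
```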

Self Loop Detection


Even if there aren't two or more routes between two nodes on a network, loops may occur depending on the
network environment or the cables connected to the devices. To prevent loops, TiFRONT utilizes a Self Loop
Detection function.
Using the Self Loop Detection function, TiFRONT periodically sends self loop detection packets to check for
any loops in the network. When the packets are received by the same device, the port that sent the packets is
blocked to prevent a loop.

Self Loop Detection Setting


You can set the self loop detection function by using the following commands in <Configuration Mode>. The
self loop detection function is disabled by default.
self-loop enable [block]
    Enable the Self Loop Detection function.

self-loop disable
    Disable the Self Loop Detection function.

You can set the transmission period for the self loop detection packets by using the following command in
<Configuration Mode>.
self-loop interval <1-10>
    Set the transmission period for self loop detection packets.
    <1-10>: Setting range: 1 ~ 10. (Default value: 1 sec)

You can set the time required for releasing the port blocking and enabling the port by using the following
command in <Configuration Mode>.
self-loop aging-time <0-3600>
    Set the time required for re-enabling the blocked port.
    <0-3600>: Setting range: 0 ~ 3,600. (Default value: 90 sec)

The enabled self loop detection function is applied to all ports in the same way. When necessary, however, you can
disable the self loop detection of a specific port. To set the self loop detection function of specific ports, run the
following commands in <Configuration Mode>. The self loop detection function is enabled for every port by default.
self-loop detect
    Disable the Self Loop Detection function for the port.

no self-loop detect
    Enable the Self Loop Detection function for the port.

Note: Even if you enable the self loop detection function of a port, it does not work unless you enable the self loop detection function in
<Configuration Mode>.

Checking the Settings


To see the self loop detection settings for the current TiFRONT, run the command show self-loop detect-list
in <User Mode>, <Privileged Mode>, or <Configuration Mode>.


LLDP Configuration
LLDP (Link Layer Discovery Protocol) is a protocol that periodically sends and receives system information for
network management between devices in a LAN to identify the physical network configuration and status
information.
LLDP is defined by the IEEE 802.1ab standard and sends information through TLV (Type-Length-Value). TLVs
are divided into mandatory TLVs that must be included in LLDP frames and option TLVs that can be selected
by users.
TLV                   Type
Chassis ID            Mandatory
Port ID               Mandatory
TTL (Time-to-Live)    Mandatory
Port Description      Option
Power via MDI         Option
System Name           Option
System Description    Option
System Capabilities   Option
Management Address    Option

You can selectively include option TLVs in the LLDP frame. In addition, there are LLDP-MED (Media Endpoint
Discovery) TLVs to support the QoS of IP phones in VoIP environments.

LLDP Configuration
To configure LLDP, run the following command in <Configuration Mode>.
No.  Command / Description

1    Command: lldp ip address <A.B.C.D>
     Description: Set the value of Management Address TLV. For Management Address, specify the IP address of
     the VLAN interface or the management Ethernet port.

2    Command: lldp system-name <NAME>
     Description: Set the value of System Name TLV.

3    Command: lldp system-description <LINE>
     Description: Set the value of System Description TLV.

4    Command: interface <IFNAME>
     Description: Change to the <Interface Configuration Mode> of the port for which to set the LLDP.

5    Command: set lldp enable {rxonly | txonly | txrx}
     Description: Enable LLDP and set the operation mode.
       rxonly: Only receive LLDP frames.
       txonly: Only send LLDP frames.
       txrx: Send and receive LLDP frames.
     Note: To disable LLDP, run the command set lldp disable.

6    Command: set lldp timer reinitDelay <VALUE>
     Description: Set the time between the enabling of the LLDP function and the start of LLDP message
     transmission.
       <VALUE>: Setting range: 1 ~ 10. (Default value: 2 sec)

7    Command: set lldp chassis-id-tlv {ip-address | mac-address}
     Description: Set the type of Chassis ID TLV.

8    Command: set lldp management-address-tlv {ip-address | mac-address}
     Description: Set the type of Management Address TLV.

9    Command: set lldp locally-assigned <NAME>
     Description: Set the type of Port ID TLV.

10   Command: set lldp timer msg-tx-interval <5-32768>
     Description: Set the transmission period for LLDP messages.
       <5-32768>: Setting range: 5 ~ 32768. (Default value: 30 sec)

11   Command: set lldp msg-tx-hold <VALUE>
     Description: Set the number of transmissions for LLDP messages.
       <VALUE>: Setting range: 2 ~ 10. (Default value: 4)

12   Command: set lldp timer tx-delay <1-8192>
     Description: Set the transmission delay time for LLDP messages.
       <1-8192>: Setting range: 1 ~ 8192. (Default value: 2 sec)

13   Command: set lldp too-many-neighbors limit <1-65535> discard {existing-info <MAC> | received-info}
     timer <1-65535>
     Description: Set the number of neighbor devices for maintaining LLDP MIB information and the discarding
     period.
       <1-65535>: Limit of the number of neighbor devices. Setting range: 1 ~ 65535
       existing-info <MAC>: After the time limit, the information of the devices with the same MAC address is
       deleted.
       received-info: After the time limit, the information of the devices that have exceeded the limit is
       deleted.
       <1-65535>: Discarding period. Setting range: 1 ~ 65535 (sec)

14   Command: lldp tlv {chassis-id | ieee-8021-org-specific | ieee-8023-org-specific | management-address |
     port-description | port-id | power-via-mdi | system-capabilities | system-description | system-name |
     ttl | MED}
     Description: Set the TLV items to be included in the LLDP messages. You can specify multiple items
     simultaneously by additionally entering other items.
       MED: For VoIP environment, set the MED (Media Endpoint Discovery) TLV.

Showing the Information of Neighbor Devices


To see the LLDP information of neighbor devices received through the port, run the command show lldp
port <IFNAME> in <User Mode> or <Privileged Mode>.

Showing Statistics
To see the statistics of LLDP messages exchanged through the port, run the command show lldp port
<IFNAME> statistics in <User Mode> or <Privileged Mode>.


Configuration examples
In this example, the LLDP function is set as shown in the following table.
Configuration item                                    Set value
Management Address TLV                                192.168.206.5
System Name TLV                                       TiFRONT-G24
System Description TLV                                TD Team Switch
Interface                                             ge5
Operation mode                                        txrx
Transmission period                                   60
Number of transmissions                               2
Limit of the number of neighbor devices and period    Number: 1000, Period: 120
TLVs included in the LLDP message                     system-name, system-description, management-address

(config)# lldp ip address 192.168.206.5
  Set Management Address TLV
(config)# lldp system-name TiFRONT-G24
  Set System Name TLV
(config)# lldp system-description TD Team Switch
  Set System Description TLV
(config)# interface ge5
  Move to the port for using LLDP
(config-if-ge5)# set lldp enable txrx
  Enable LLDP and set the operation mode
(config-if-ge5)# set lldp management-address-tlv ip-address
  Set Management Address TLV type
(config-if-ge5)# set lldp timer msg-tx-interval 60
  Set the transmission period for LLDP messages.
(config-if-ge5)# set lldp msg-tx-hold 2
  Set the number of transmissions for LLDP messages.
(config-if-ge5)# set lldp too-many-neighbors limit 1000 discard received-info timer 120
  Limit of the number of neighbor devices and discarding period
(config-if-ge5)# lldp tlv system-name system-description management-address
  Set the TLV items to be included in the LLDP messages.
(config-if-ge5)# show running-config interface ge5
  Show the ge5 settings
!
interface ge5
no shutdown
switchport
switchport mode access
flowcontrol receive off
flowcontrol send off
jumbo-frame off
set lldp enable txrx
lldp tlv chassis-id port-id ttl system-name system-description management-address
set lldp msg-tx-hold 2
set lldp timer msg-tx-interval 60
set lldp management-address-tlv ip-address
set lldp too-many-neighbors limit 1000 discard received-info timer 120
!


Stacking Configuration
Stacking connects multiple switches and makes them work as one switch. Only the TiFRONT-GX24M/GX24P
models support stacking. Two 10 gigabit Ethernet fiber ports are provided as stacking ports for connection
between devices.
Caution: You can connect up to 8 TiFRONTs through stacking. However, it is recommended not to exceed 5 devices for smooth operation and stable
performance of the functions of TiFRONT.

Note: If you don't use stacking, the stacking ports can be used in the same way as general ports. Furthermore, you can only use one of the two
stacking ports for stacking and the other port as general port.

The following figure shows an example of connecting three TiFRONTs through stacking.

[Figure: three TiFRONTs connected through stacking. TiFRONT A (Master, Stacking ID: 1) is connected to the
router; TiFRONT B (Slave, Stacking ID: 2) and TiFRONT C (Slave, Stacking ID: 3) are linked to it over 10Gbps
stacking ports, and hosts are attached to each switch.]

In the above configuration, TiFRONT A operates as the master device and TiFRONTs B and C operate as slave
devices. Each TiFRONT is connected through a 10 gigabit Ethernet port, and the master device TiFRONT A is
connected to the router for communication with external networks. TiFRONTs A, B and C work as one switch
having 72 Ethernet ports and are managed through the master device TiFRONT A.
The ports of each device connected through stacking are divided into the following format:
<Interface Prefix><Stacking ID>.<Port Number>
For example, the ge10 port of the device whose stacking ID is 2 is "ge2.10". This port name is entered when
functions are set and displayed when the settings are shown.


Cautions for Using Stacking


The following cautions must be taken when stacking in TiFRONT.

You must directly set the master/slave devices. If a slave device has a problem, the master device
excludes the slave device from the stacking configuration. However, if the master device has a problem,
you must change the stacking configuration by setting another switch as the master device.

For connections between devices in the stacking configuration, you must use the 10 gigabit Ethernet fiber
ports (xg1, xg2).

When using the stacking function, you can use the spanning tree function in only two modes: STP and
PVST+.

You must reboot the slave devices after enabling the stacking function. When the slave device is rebooted,
the startup-config remains the same, and the configuration file sent from the master device is used as
running-config.

Every setting after enabling the stacking is performed and saved in the master device. In the slave device,
you can only set the stacking status, rebooting, and management Ethernet port (mgmt0).

To use the stacking function, each device must have the same version of PLOS on them.

Registering the Stacking License


To register the stacking license, run the following command in <Configuration Mode>.
Command: stacking license <LICENSE>
Description: Register the L3 license in the system.
  <LICENSE>: License received at the time of purchase

Note: You cannot use stacking unless the stacking license is registered. When you run the command for enabling this function, the following
message appears:
% This switch doesn't have a stacking License.

Note: For detailed information on the stacking license, please contact the product distributor or the PIOLINK Technical Assistance Team (+82-1544-9890).

Caution: As the stacking license key is generated using the device's serial number, the license cannot be registered for other devices.

Setting the Stacking Status


To use the stacking function, run the following command in <Configuration Mode>.
Command: stacking id <1-8>
Description: Set the stacking ID in the device and enable the stacking function.
  <1-8>: Enter the stacking ID. Setting range: 1 ~ 8 (1: master, 2-8: slave)

Note: To disable the stacking function, run the command no stacking in <Configuration Mode>.


Note: When you enable stacking, the 10 gigabit Ethernet fiber ports xg1 and xg2 work as the stacking ports. To use one of these two ports as
general port, run the command switchport in <Interface Configuration Mode> of the port to change the mode of the port. To change a general
port to a stacking port, run the command stacking-port in <Interface Configuration Mode>.

PLOS Update
To update PLOS for the stacking configuration, perform the following steps in <Configuration Mode> of the
master device.
No.  Command / Description

1-1  Command: os update [tftp] <A.B.C.D> <FILE> [stacking slave-id {all | <2-8>}]
     Description: Download PLOS from the TFTP server to TiFRONT.
       <A.B.C.D>: IP address of the TFTP server
       <FILE>: Path and name of the PLOS file
       all: Update PLOS in every slave device.
       <2-8>: Stacking ID of the slave device for which to update PLOS. Setting range: 2 ~ 8

1-2  Command: os update ftp <A.B.C.D> <ID> <PASSWORD> <FILE> [stacking slave-id {all | <2-8>}]
     Description: Download PLOS from the FTP server to TiFRONT.
       <A.B.C.D>: IP address of the FTP server
       <ID>: ID for logging in to the FTP server
       <PASSWORD>: Password of the ID that was entered before
       <FILE>: Path and name of the PLOS file
       all: Update PLOS on every slave device.
       <2-8>: Stacking ID of the slave device for which to update PLOS. Setting range: 2 ~ 8

1-3  Command: os update usb <FILE> [stacking slave-id {all | <2-8>}]
     Description: Download PLOS from a USB memory to TiFRONT.
       <FILE>: Path and name of the PLOS file
       all: Update PLOS on every slave device.
       <2-8>: Stacking ID of the slave device for which to update PLOS. Setting range: 2 ~ 8

2    Command: reload
     Description: Restart every TiFRONT in the stacking configuration to apply the downloaded PLOS to the
     system.


Rebooting the System

To reboot the devices in the stacking configuration, run the following command in <Configuration Mode> of
the master device.
Command: reload [stacking-id <1-8>]
Description: Reboot every device in the stacking configuration. To reboot only a specific device, enter the
stacking ID of the device to be rebooted using the stacking-id option.
  <1-8>: Enter the stacking ID of the device to reboot. Setting range: 1 ~ 8

Checking the Settings


To see the stacking settings, run the command show stacking in <User Mode> or <Privileged Mode>.
You can see the settings of slave devices in the master device. You can see the settings of a specific device
by adding the option stacking-id <1-8> when running the show command to check the settings or status
information. If you don't enter the stacking ID, only the master device information will be displayed.


Chapter 5
Link Aggregation Configuration
This chapter explains the concept of Link Aggregation and the procedure for setting port trunking and LACP
(Link Aggregation Control Protocol) in TiFRONT.
This chapter is composed of the following contents:
Link Aggregation Overview
Port Trunking Setting
LACP Setting


Link Aggregation Overview


Link Aggregation combines multiple ports into a group and uses that group as one logical port.
You can use Link Aggregation to group multiple fast Ethernet or gigabit Ethernet ports into a trunk group
and use this group as a port with a large bandwidth. Multiple ports work as if they are one port, and they are
managed as one port in VLAN, STP, and IGMP.
In addition to expanding the bandwidth, using Link Aggregation can improve the system stability because
even if some ports in a trunk group do not work normally due to a problem, the system can still
communicate with the other ports.
TiFRONT supports two types of Link Aggregation: port trunking and LACP.

Port Trunking
Port Trunking integrates two or more ports into one logical port so as to use a larger bandwidth. If you have
to connect with a different device in the network through a logical port with port trunking, you must
manually define the settings between the devices.

LACP
LACP (Link Aggregation Control Protocol), which is a general-purpose protocol, combines two or more ports
into one logical port so as to use a larger bandwidth.
One characteristic of LACP that is different from port trunking is that the integrated bandwidth is formed
automatically when you set the logical integrated port (aggregator) and the physical member ports to be
combined into the logical port. Therefore, it is easier to configure than port trunking and quickly responds to
environmental changes.

LACP Operation Mode


TiFRONT supports two LACP operation modes: Active and Passive. In passive mode, the port performs the
LACP operation only if the port of the other device is in active mode. Because the active mode port has a
higher priority than the passive mode port, it becomes the standard. Therefore, the port of the passive mode
follows the settings of the active mode port.

LACP Priority Setting


If the LACP operation mode of two connected devices is set to active mode, you need to set their priorities to
decide which device will be the standard. For this case, TiFRONT allows the priority setting of devices. When
two connected devices are set as Active and Passive modes, the device set as Active mode becomes the
standard. If both are set as Active mode, the device with a lower priority becomes the standard. If they have
the same priority, the device with a smaller MAC address is given higher priority.

Member Port Priority Setting


One integrated port (aggregator) can have up to eight member ports. If there are 10 member ports, the 8
ports are determined by their priorities (port IDs). However, if you have a port that you want to specify as a
member port regardless of priority, you can set a higher priority for the port.
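The three selection rules above (active/passive mode, device priority with the MAC tie-break, and member-port priority with the eight-port limit) as plain Python, added here as an example and not PIOLINK code. Priority values are compared as in IEEE 802.3ad, where a numerically lower value wins; the system and port names, MAC addresses and the default port priority of 32768 are constructed assumptions.

```python
"""Added example (not PIOLINK code): LACP partner and member-port selection
as described in this chapter.  Lower priority value = higher priority."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_MEMBERS = 8  # one aggregator holds at most eight member ports


@dataclass(frozen=True)
class System:
    name: str
    priority: int       # lacp system-priority <1-65535>
    mac: str            # chassis MAC such as "00:11:22:33:44:55" (constructed)
    mode: str           # "active" or "passive"

    def system_id(self) -> Tuple[int, bytes]:
        """802.3ad System ID: (priority, MAC).  Tuples compare priority first,
        then the MAC bytes, which is exactly the tie-break rule above."""
        return (self.priority, bytes.fromhex(self.mac.replace(":", "")))


@dataclass(frozen=True)
class MemberPort:
    name: str               # e.g. "ge1"
    port_id: int            # port number, used as the tie-breaker
    priority: int = 32768   # lacp port-priority <1-65535>; default assumed here


def lacp_runs(a: System, b: System) -> bool:
    """Two passive ports never start LACP; at least one side must be active."""
    return "active" in (a.mode, b.mode)


def standard_system(a: System, b: System) -> Optional[System]:
    """Which side's settings the link follows (None if LACP does not run).

    Active beats passive; between two active systems the lower System ID
    (lower priority value, then smaller MAC address) becomes the standard.
    """
    if not lacp_runs(a, b):
        return None
    if a.mode != b.mode:
        return a if a.mode == "active" else b
    return min((a, b), key=System.system_id)


def select_members(ports: List[MemberPort]) -> List[MemberPort]:
    """Ports that join the aggregator: best (priority, port_id) first, at most
    MAX_MEMBERS.  Setting a port's priority to 1 forces it in ahead of the
    others, which is the use case described above."""
    ranked = sorted(ports, key=lambda p: (p.priority, p.port_id))
    return ranked[:MAX_MEMBERS]


if __name__ == "__main__":
    local = System("TiFRONT", priority=1, mac="00:11:22:33:44:55", mode="active")
    peer = System("peer", priority=1, mac="00:11:22:33:44:66", mode="active")
    print("standard:", standard_system(local, peer).name)  # equal priority, smaller MAC wins
    # ten candidate ports; ge10 is forced in with lacp port-priority 1
    ports = [MemberPort(f"ge{i}", i) for i in range(1, 10)] + [MemberPort("ge10", 10, priority=1)]
    print("members:", [p.name for p in select_members(ports)])
```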


Load Balance Algorithm Setting


The packets passing through the aggregator are distributed to the member ports according to the given
criteria. This prevents traffic congestion in specific member ports and allows the aggregator to operate more
stably and efficiently.
You can specify the following load balance algorithms.
Load Balance Algorithm   Meaning
dst-ip                   Hash method based on the destination IP address
dst-mac                  Hash method based on the destination MAC address
src-dst-ip               Hash method using the XOR value of the destination and source IP addresses
src-dst-mac              Hash method using the XOR value of the destination and source MAC addresses
src-ip                   Hash method based on the source IP address
src-mac                  Hash method based on the source MAC address
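How each algorithm in the table maps a packet to a member port, written as an added example (not PIOLINK code). The guide only names the fields each algorithm hashes; folding the key bytes with XOR and taking the result modulo the member count is an assumption standing in for the hardware hash, and the traffic sample is constructed. It also shows the caveat a practitioner hits in the field: when every host on one side sits behind the same router, a MAC-based or destination-only key puts all traffic on one member port.

```python
"""Added example (not PIOLINK code): member-port selection for the six load
balance algorithms.  XOR-fold-then-modulo is an assumed stand-in hash."""
from collections import Counter
from typing import Dict, List

ALGORITHMS = ("dst-ip", "dst-mac", "src-dst-ip", "src-dst-mac", "src-ip", "src-mac")


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hash_key(algorithm: str, pkt: Dict[str, str]) -> bytes:
    """The bytes the algorithm hashes, following the table above."""
    if algorithm == "dst-ip":
        return _ip_bytes(pkt["dst_ip"])
    if algorithm == "src-ip":
        return _ip_bytes(pkt["src_ip"])
    if algorithm == "src-dst-ip":
        return _xor(_ip_bytes(pkt["src_ip"]), _ip_bytes(pkt["dst_ip"]))
    if algorithm == "dst-mac":
        return _mac_bytes(pkt["dst_mac"])
    if algorithm == "src-mac":
        return _mac_bytes(pkt["src_mac"])
    if algorithm == "src-dst-mac":
        return _xor(_mac_bytes(pkt["src_mac"]), _mac_bytes(pkt["dst_mac"]))
    raise ValueError(f"unknown algorithm {algorithm}")


def member_port(algorithm: str, pkt: Dict[str, str], members: List[str]) -> str:
    """Fold the key bytes with XOR and pick a member port modulo the group size.
    The same key always yields the same port, so a flow never reorders."""
    folded = 0
    for b in hash_key(algorithm, pkt):
        folded ^= b
    return members[folded % len(members)]


def distribution(algorithm: str, pkts: List[Dict[str, str]], members: List[str]) -> Dict[str, int]:
    """Packets per member port for one algorithm."""
    return dict(Counter(member_port(algorithm, p, members) for p in pkts))


# Constructed traffic: eight hosts all talking to one server through the
# same router, so every frame carries the router's MAC as destination.
ROUTER_MAC = "00:00:5e:00:01:01"
SAMPLE = [
    {"src_ip": f"10.0.0.{i}", "dst_ip": "192.168.1.10",
     "src_mac": f"00:11:22:33:44:{i:02x}", "dst_mac": ROUTER_MAC}
    for i in range(1, 9)
]
MEMBERS = ["ge1", "ge2", "ge3"]   # a three-port trunk group (constructed)

if __name__ == "__main__":
    for alg in ALGORITHMS:
        print(f"{alg:<12}", distribution(alg, SAMPLE, MEMBERS))
```

With this sample, dst-ip and dst-mac land all eight packets on a single port, while the source-based keys spread them over all three members.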

Cautions for Link Aggregation Setting


You must use caution regarding the following when setting port trunking and LACP in TiFRONT.

In TiFRONT, you can set up to 8 trunk groups, and each trunk group can contain up to 8 ports.

Every port in a trunk group must have the same speed and the transmission mode must be full duplex.

One port cannot belong to two or more trunk groups simultaneously. Each port must belong to only one trunk
group.

The ports of a trunk group must be in the same VLAN.

If you set IGMP snooping for a port that belongs to a trunk group, the IGMP snooping may malfunction.
Therefore, you must not set IGMP snooping to these ports.

Note: You cannot create eight trunk groups separately for port trunking and LACP. The sum of the trunk groups for port trunking and LACP must be
eight.


Port Trunking Setting


The procedure for setting the port trunking function is described below.

Trunking Group Setting


To set a trunk group, run the following command in <Interface Configuration Mode> of the port. In TiFRONT,
you can set up to 8 trunk groups.
Command: static-channel-group <1-8>
Description: Set the port trunking.
  <1-8>: Trunk group ID. Setting range: 1 ~ 8

Note: To delete the port trunking setting, run the command no static-channel-group in <Interface Configuration Mode>.

Load Balance Algorithm Setting


To set the load balance algorithm, run the following command in <Interface Configuration Mode> of the
trunk group.
Command: port-channel load-balance {dst-ip | dst-mac | src-dst-ip | src-dst-mac | src-ip | src-mac}
Description: Specify the load balance algorithm. (Default: src-dst-mac)

Note: To enter <Interface Configuration Mode> of the trunk group, run the command interface <channel-group-name> in <Configuration
Mode>. For channel-group-name, enter agg and then enter the ID (channel-group-number) of the trunk group with no space between them. For
example, if the trunk group ID is 1, you can enter the <Interface Configuration Mode> by using the following command.
(config)# interface agg1
Note: To delete the load balance algorithm, run the command no port-channel load-balance in <Interface Configuration Mode> of the
trunk group.

Caution: You cannot assign the same ID for the trunk group ID of port trunking and the aggregator ID of LACP.

Checking the Settings


To check the port trunking settings, run the command show etherchannel in <User Mode> or <Privileged
Mode>.

Configuration Example
In the following example, ge1 to ge3 ports are set as a trunk group.

(config)# interface ge1
  Enter the <Interface Configuration Mode> of ge1 port.
(config-if-ge1)# static-channel-group 1
  Set port trunking
(config-if-ge1)# exit
(config)# interface ge2
  Enter the <Interface Configuration Mode> of ge2 port.
(config-if-ge2)# static-channel-group 1
  Set port trunking
(config-if-ge2)# exit
(config)# interface ge3
  Enter the <Interface Configuration Mode> of ge3 port.
(config-if-ge3)# static-channel-group 1
  Set port trunking
(config-if-ge3)# exit
(config)# interface agg1
  Enter the <Interface Configuration Mode> of the trunk group.
(config-if-agg1)# port-channel load-balance dst-ip
  Set the load balance algorithm
(config-if-agg1)# end
# show etherchannel
  Show the settings
----------------------------------------------------------------------
Admin Group for    | ge
LACP/STATIC TRUNK  |                   1 1 1 1 1 1 1 1 1 1 2 2 2 2 2
                   | 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4
-------------------+--------------------------------------------------
agg1 (STATIC)      | o o o . . . . . . . . . . . . . . . . . . . . .
agg2 (NO EXIST)    | . . . . . . . . . . . . . . . . . . . . . . . .
agg3 (NO EXIST)    | . . . . . . . . . . . . . . . . . . . . . . . .
agg4 (NO EXIST)    | . . . . . . . . . . . . . . . . . . . . . . . .
agg5 (NO EXIST)    | . . . . . . . . . . . . . . . . . . . . . . . .
agg6 (NO EXIST)    | . . . . . . . . . . . . . . . . . . . . . . . .
agg7 (NO EXIST)    | . . . . . . . . . . . . . . . . . . . . . . . .
agg8 (NO EXIST)    | . . . . . . . . . . . . . . . . . . . . . . . .
----------------------------------------------------------------------


LACP Setting
The procedure for setting LACP is described below.

Aggregator/LACP Operation Mode Setting


To set the aggregator and LACP operation mode, run the following command in <Interface Configuration
Mode> of the port.
Command: channel-group <1-8> mode {active | passive}
Description: Set the aggregator/LACP operation mode.
  <1-8>: Aggregator ID. Setting range: 1 ~ 8.

Note: To delete the aggregator setting, run the command no channel-group in <Interface Configuration Mode> of the port.

Caution: You cannot assign the same ID for the trunk group ID of port trunking and the aggregator ID of LACP.

LACP Device Priority Setting


To set LACP device priority, run the following command in <Configuration Mode>.
Command: lacp system-priority <1-65535>
Description: Set the device priority.
  <1-65535>: Setting range: 1 ~ 65535

Note: To delete the device priority setting, run the command no lacp system-priority in <Configuration Mode>.

Member Port Priority Setting


To set a member port priority, run the following command in <Interface Configuration Mode>.
Command: lacp port-priority <1-65535>
Description: Set the member port priority.
  <1-65535>: Setting range: 1 ~ 65535

Note: To delete the member port priority setting, run the command no lacp port-priority in <Configuration Mode>.


Load Balance Algorithm Setting


To set the load balance algorithm, run the following command in <Interface Configuration Mode> of the
aggregator.
Command: port-channel load-balance {dst-ip | dst-mac | src-dst-ip | src-dst-mac | src-ip | src-mac}
Description: Specify the load balance algorithm. (Default: src-dst-mac)

Note: To enter <Interface Configuration Mode> of an aggregator, run the command interface <channel-group-name> in <Configuration
Mode>. Enter agg for channel-group-name and then enter the ID (channel-group-number) of the aggregator with no space between them. For
example, if the aggregator ID is 1, you can enter the <Interface Configuration Mode> by using the following command:
(config)# interface agg1

Note: To delete the load balance algorithm setting, run the command no port-channel load-balance in <Interface Configuration Mode>.

Checking the Settings


Showing the LACP PDU Transmission Count
The port for which LACP is enabled exchanges LACP PDU (Protocol Data Unit) messages with the other device
at the opposite end of the link to configure a port and trunk group. To check the transmission count of LACP
PDU, run the command show lacp-counter [<1-8>] in <User Mode> or <Privileged Mode>.
Note: To reset the transmission count of LACP PDU, run the command clear lacp <1-8> counters in <User Mode> or <Privileged Mode>.

Showing LACP Statistics


To check the LACP-related statistics, run the command show lacp statistic in <User Mode> or
<Privileged Mode>.

Note: To delete the LACP-related statistics, run the command clear lacp {<1-8> statistics | counters | statistics}.

Showing LACP Port Information


To check detailed information about the aggregator, run the command show etherchannel [<1-8>

admin-key-list-details | detail | load-balance | summary] in <User Mode> or <Privileged Mode>.

Showing Device Information


To check information about the devices for which LACP is set, run the command show lacp sys-id in
<User Mode> or <Privileged Mode>.


Configuration Example
In the following example, LACP is set for the ge1 and ge2 ports.

(config)# interface ge1
  Enter the ge1 port
(config-if-ge1)# channel-group 1 mode active
  Set LACP as active mode
(config-if-ge1)# lacp port-priority 1
  Set the port priority to 1.
(config-if-ge1)# exit
(config)# interface ge2
  Enter the ge2 port
(config-if-ge2)# channel-group 1 mode active
  Set LACP as active mode
(config-if-ge2)# lacp port-priority 1
  Set the port priority to 1.
(config-if-ge2)# exit
(config)# lacp system-priority 1
  Set the device priority to 1.
(config)# interface agg1
  Enter the <Interface Configuration Mode> of the aggregator.
(config-if-agg1)# port-channel load-balance src-mac
  Set the load balance algorithm
(config-if-agg1)# exit
(config)# exit
# show etherchannel
----------------------------------------------------------------------
Admin Group for    | ge
LACP/STATIC TRUNK  |                   1 1 1 1 1 1 1 1 1 1 2 2 2 2 2
                   | 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4
-------------------+--------------------------------------------------
agg1 (LACP)        | o o . . . . . . . . . . . . . . . . . . . . . .
agg2 (NO EXIST)    | . . . . . . . . . . . . . . . . . . . . . . . .
agg3 (NO EXIST)    | . . . . . . . . . . . . . . . . . . . . . . . .
agg4 (NO EXIST)    | . . . . . . . . . . . . . . . . . . . . . . . .
agg5 (NO EXIST)    | . . . . . . . . . . . . . . . . . . . . . . . .
agg6 (NO EXIST)    | . . . . . . . . . . . . . . . . . . . . . . . .
agg7 (NO EXIST)    | . . . . . . . . . . . . . . . . . . . . . . . .
agg8 (NO EXIST)    | . . . . . . . . . . . . . . . . . . . . . . . .
----------------------------------------------------------------------

In the following example, the LACP settings are queried.

# show lacp-counter
  Show LACP PDU transmission count
% Traffic statistics
Port        LACPDUs           Marker            Pckt err
            Sent    Recv      Sent    Recv      Sent    Recv
% Aggregator agg1 42
ge1         121     120       0       0         0       0
ge2         121     122       0       0         0       0
# show lacp statistics
  Show LACP statistics
------------------------------------------------------------------------------
AGGREGATOR TRAFFIC STATISTICS
------------------------------------------------------------------------------
      |            # OF PACKETs             |       DROPPED       |  ERROR   |
PORT  |-------------------------------------+---------------------+----------|
      |       Rx               Tx           |    Rx        Tx     |  Rx  Tx  |
------+-------------------------------------+---------------------+----------|
agg1  | 209881230 --     209832637 --       |  317276      0      |  0   0   |
ge1   | 107581069(51%)   102301636(48%)     |  215589      0      |  0   0   |
ge2   | 102300161(48%)   107531001(51%)     |  101687      0      |  0   0   |
------------------------------------------------------------------------------
# show etherchannel 1
  Show LACP port information
% Aggregator agg1 42 Admin Key: 0001 - Oper Key 0001 Partner LAG: 0x8000,00-06-c4-72-02-28 Partner Oper Key 0001
% Link: ge1 (5) sync: 1
% Link: ge2 (6) sync: 1


Chapter 6
SNMP Configuration
This chapter introduces SNMP (Simple Network Management Protocol) and the procedure for setting SNMP in
TiFRONT.
This chapter is composed of the following contents:
SNMP Overview
SNMP Configuration


SNMP Overview
SNMP is a standard protocol used to communicate management information between the Network
Management System (NMS) and the network devices. SNMP belongs to the L7 application layer which is the
highest layer of the OSI model. Network administrators can perform the following tasks remotely through
SNMP.
Network Configuration Management
Configure or check the structure of the entire network.
Performance Management
You can get statistics required for performance analysis such as network usage between network segments,
error occurrences, processing speed, and response time.
Device Management
You can get information about a devices operation status, status of modules including port, power, and
cooling fan, and system information such as CPU and memory. This information greatly helps you to solve
device problems on the network.
Security Management
SNMP provides security features for controlling and protecting the MIB information of devices. In particular,
the latest version SNMP v3 has greatly strengthened the security function.

Components of SNMP
SNMP largely consists of the following three components:
SNMP Manager
SNMP Agent
MIB (Management Information Base)
Each of the above components is described in detail below.

SNMP Manager
SNMP Manager acts as an interface for users to see the status of the entire network. Through communication
with SNMP Agent, SNMP Manager can get information about devices in the MIB and monitor them, and send
action requests to SNMP Agent to change device settings.

SNMP Agent
SNMP Agent is a software module embedded in network devices such as the switch, router, UNIX workstation,
and printer. When it receives an information request from SNMP Manager, SNMP Agent collects the
information from the MIB and sends it to SNMP Manager. When it receives a request for changing settings,
SNMP Agent changes the corresponding MIB values. Furthermore, even if it does not receive a request from
SNMP Manager, when important events occur such as a user authentication error, system restart, or
disconnection between neighbor devices, SNMP generates a trap and sends it to SNMP Manager.


SNMP MIB
SNMP MIB is a database that contains information for managing network devices such as system information,
network usage, and network interface information. Each data in the MIB is called an object. For each
management, the objects of MIB have a hierarchical tree structure as shown in the following figure.

In the hierarchical structure of MIB, the top part represents the network broadcast information. The lower
objects are more concrete than the higher objects. The number beside each object in MIB is the OID number
used to get desired data. For example, the OID of enterprise is 1.3.6.1.4.1.
The MIB is expandable because of its hierarchical structure. You need to add private MIBs to use within your
company or monitor network status of a limited network area. You can define these private MIBs in the
enterprises (1) of private (4).
There are two versions of MIB: MIB-I and MIB-II. MIB-II is an extended version of MIB-I. It includes about 171
objects in addition to all the objects of MIB-I.

Note: There are standard MIBs provided by TiFRONT: MIB-II and UCD-SNMP.

Note: The MIB-II supported by TiFRONT contains system information and interface information (32 bit type, 64 bit type). The UCD-SNMP contains
CPU and memory information.


Communication between SNMP Manager and Agent


Authentication
When SNMP Manager accesses SNMP Agent to retrieve MIB information or change MIB values, it must pass an
authentication process. For the authentication process, SNMP v1 and v2 use a community, whereas SNMP v3
uses a user ID, an MD5 password, and a DES password. TiFRONT has a public community with read and write
permissions by default. Users for SNMP v3 are not defined.

Communication Command
Communication between SNMP Manager and Agent consists of information request messages and response
messages by default. The following figure illustrates the communication between SNMP Manager and Agent.
[Figure: SNMP Manager exchanging request and response messages with SNMP Agent (TiFRONT).]

The following commands are used for communication between SNMP Manager and Agent.

Get
The Get command is used by SNMP Manager to request information from SNMP Agent. When it receives an
information request from SNMP Manager, SNMP Agent collects the information from the MIB and sends it to
SNMP Manager.

Get Next
The Get Next command is used by SNMP Manager to request information from SNMP Agent, just like the Get
command. However, when you use the Get Next command, you can get the information of the next OID item,
rather than only the requested information as with the Get command.

Set
The Set command is used by SNMP Manager to request SNMP Agent to set a specific value for an MIB object.
When it receives a request for changing settings, SNMP Agent changes the corresponding MIB values.

Trap
Even if no request is received from SNMP Manager, when important events occur such as a user authentication
error, system restart, or disconnection between neighbor devices, SNMP Agent generates a trap and sends it to
SNMP Manager. The trap message is sent only when each trap is enabled and the corresponding event occurs. If
you specify a specific trap host, SNMP Agent only sends trap messages to the specified trap host.
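The agent side of the Get, Get Next and Set exchange above, modelled as an added example (not PIOLINK code): the community string is checked first, as in SNMP v1/v2, then the request is answered from a MIB keyed by OID. The MIB values and the two community strings are constructed; the OIDs are standard MIB-II system-group and ifDescr objects. Get Next has to order OIDs arc by arc as numbers, which is the detail most hand-rolled walkers get wrong, so the sample includes ifDescr.5 and ifDescr.10 to show it.

```python
"""Added example (not PIOLINK code): a minimal SNMP v1/v2c agent model with
community-based authentication and Get / GetNext / Set over a small MIB."""
from bisect import bisect_right
from typing import Dict, Optional, Tuple

OID = Tuple[int, ...]


def parse_oid(text: str) -> OID:
    """'1.3.6.1.2.1.1.5.0' -> (1, 3, 6, 1, 2, 1, 1, 5, 0).  Tuples compare arc
    by arc as integers, which is the order GetNext walks; comparing the
    dotted strings would wrongly put '...2.10' before '...2.5'."""
    return tuple(int(arc) for arc in text.split("."))


class Agent:
    def __init__(self, mib: Dict[str, object], communities: Dict[str, str]):
        self.mib = {parse_oid(k): v for k, v in mib.items()}
        self.sorted_oids = sorted(self.mib)
        self.communities = communities   # community string -> "ro" or "rw"

    def _authorize(self, community: str, need_write: bool) -> None:
        """v1/v2c authentication: the community must match; Set also needs rw.
        A real agent silently drops a request with a bad community."""
        perm = self.communities.get(community)
        if perm is None:
            raise PermissionError("bad community")
        if need_write and perm != "rw":
            raise PermissionError("community is read-only")

    def get(self, community: str, oid: str) -> object:
        """Get: the value of exactly the requested OID (None models noSuchName)."""
        self._authorize(community, need_write=False)
        return self.mib.get(parse_oid(oid))

    def get_next(self, community: str, oid: str) -> Optional[Tuple[str, object]]:
        """Get Next: the first (oid, value) strictly after the requested OID,
        which lets a manager walk a subtree without knowing its leaves."""
        self._authorize(community, need_write=False)
        i = bisect_right(self.sorted_oids, parse_oid(oid))
        if i == len(self.sorted_oids):
            return None                      # end of the MIB
        nxt = self.sorted_oids[i]
        return ".".join(map(str, nxt)), self.mib[nxt]

    def set(self, community: str, oid: str, value: object) -> None:
        """Set: change an existing object's value; requires an rw community."""
        self._authorize(community, need_write=True)
        key = parse_oid(oid)
        if key not in self.mib:
            raise KeyError("noSuchName")
        self.mib[key] = value


def walk(agent: Agent, community: str, subtree: str) -> list:
    """Repeated Get Next over one subtree (the usual snmpwalk pattern)."""
    out, cur = [], subtree
    while True:
        step = agent.get_next(community, cur)
        if step is None or not step[0].startswith(subtree + "."):
            return out
        out.append(step)
        cur = step[0]


# Constructed MIB-II values: system group (sysDescr, sysUpTime, sysContact,
# sysName, sysLocation) and two ifDescr entries (1.3.6.1.2.1.2.2.1.2.<ifIndex>).
SAMPLE_MIB = {
    "1.3.6.1.2.1.1.1.0": "TiFRONT (constructed sysDescr)",
    "1.3.6.1.2.1.1.3.0": 12345,
    "1.3.6.1.2.1.1.4.0": "netops (constructed)",
    "1.3.6.1.2.1.1.5.0": "TiFRONT-G24",
    "1.3.6.1.2.1.1.6.0": "server room",
    "1.3.6.1.2.1.2.2.1.2.5": "ge5",
    "1.3.6.1.2.1.2.2.1.2.10": "ge10",
}
COMMUNITIES = {"public": "ro", "n3tops-rw": "rw"}   # constructed strings

if __name__ == "__main__":
    agent = Agent(SAMPLE_MIB, COMMUNITIES)
    for oid, value in walk(agent, "public", "1.3.6.1.2.1.1"):
        print(oid, value)
    print(agent.get_next("public", "1.3.6.1.2.1.2.2.1.2.5"))   # ifDescr.10, not .5 again
```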


SNMP Versions
TiFRONT supports the following SNMP versions.

SNMP v1
SNMP v1 is defined in RFC 1157. SNMP v1 briefly defines the basic MIB-I and MIB-II and contains information
about systems, networks, applications, services, etc. SNMP v1 supports community-based security functions.
The communication between SNMP Manager and Agent is possible only if the community names of SNMP
Manager and Agent match.

SNMP v2
SNMP v2 is defined in RFC 1902. In addition to containing the content of SNMP v1, SNMP v2 has reinforced
security and access control features by adding data types, counter sizes, and protocol operations. As with v1,
SNMP v2 supports community-based security functions.

SNMP v3
SNMP v3 is the latest version and is defined in RFC 2571-2575. SNMP v3 has greatly reinforced security
functions by enforcing user authentication with a secret key before allowing access to devices and encrypting
data.

Note: The versions of SNMP Manager and Agent must be identical for them to communicate with each other. Therefore, you must set the version of
SNMP Manager according to the SNMP Agent version. TiFRONT acts as SNMP Agent and can enable all three versions of SNMP simultaneously. Therefore,
if there are multiple SNMP Managers set to different SNMP versions, each of them can only communicate with the SNMP Agent using the same
version.

SNMP Configuration
SNMP Configuration Items
You can set the following items to use SNMP in TiFRONT.

SNMP Community
SNMP User
SNMP Trap Host
SNMP Trap
Device information (name, contact, location)

Default Setting
The default settings of SNMP items are shown below.
Item                  Default Setting
SNMP status           Disabled
Community             public (read permission)
User                  None
Device information    None
Trap                  Disabled
Trap host             None

Chapter 6 SNMP Configuration

SNMP Community Setting

The SNMP community is a string that acts as a password for checking access and read/write permissions, etc.
when accessing SNMP Agent. The default community is public. Because public is a generally used community,
you are advised to change it to a different value for security.
To set an SNMP community to be used for authentication in SNMP v1 and v2, run the following command in
<Configuration Mode>.
Command: snmp-server community <WORD> {ro | rw}
Description: Set an SNMP community.
  <WORD>: SNMP community name. A string of 2-32 characters consisting of letters, numbers, -, and _. The
  first character must be a letter.

Note: You can delete an SNMP community by using the command no snmp-server community <WORD> in <Configuration Mode>.

Note: Community implies the meaning of a general password as we know it. Users type the desired password in the parameter <WORD>. Based on
this password, you can limit the access rights to SNMP Agent to read-only or grant both read and write permissions. ro and rw at the end of the
command stand for read-only and read/write, respectively.

SNMP User Setting

To set an SNMP user to be used for authentication in SNMP v3, run the following command in <Configuration
Mode>.
Command: snmp-server user <WORD> md5 <WORD> des <WORD> {ro | rw}
Description: Set an SNMP user.
  <WORD> (after user): User ID. A string of 1-12 characters consisting of letters, numbers, -, and _. The
  first character must be a letter.
  md5 <WORD>: MD5 password. A string of 8-10 characters that combines letters and numbers.
  des <WORD>: DES password. A string of 8-10 characters that combines letters and numbers.

Note: You can delete an SNMP user by using the command no snmp-server user <WORD> in <Configuration Mode>.
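The following checker, added here as an example and not part of TiFRONT or PLOS, applies the syntax rules for community names, user IDs and passwords given above to a set of snmp-server lines and reports the settings the text advises against (the default community public, communities granted rw, and a trap community that reuses a read/write community). The configuration lines, names and addresses in it are constructed.

```python
"""Checker for TiFRONT-style snmp-server configuration lines (added example, not TiFRONT code)."""
import re
from typing import List, Tuple

# Community name: 2-32 characters, letters/numbers/-/_, first character a letter
COMMUNITY_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{1,31}$")
# User ID: 1-12 characters, same alphabet, first character a letter
USER_ID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{0,11}$")

Finding = Tuple[str, str, str]  # (severity, code, message)


def check_snmp_config(lines: List[str]) -> List[Finding]:
    """Validate snmp-server lines and return findings; an empty list means clean."""
    findings: List[Finding] = []
    rw_communities = set()
    trap_communities: List[str] = []
    users = 0
    for raw in lines:
        parts = raw.strip().split()
        if len(parts) < 3 or parts[0] != "snmp-server":
            continue
        if parts[1] == "community" and len(parts) == 4:
            name, perm = parts[2], parts[3]
            if not COMMUNITY_RE.match(name):
                findings.append(("error", "BAD_COMMUNITY_NAME",
                                 f"community '{name}': 2-32 chars, letters/numbers/-/_, letter first"))
            if perm not in ("ro", "rw"):
                findings.append(("error", "BAD_PERMISSION",
                                 f"community '{name}': permission must be ro or rw"))
            if name == "public":
                findings.append(("warning", "DEFAULT_COMMUNITY",
                                 "default community 'public' is still configured"))
            if perm == "rw":
                rw_communities.add(name)
                findings.append(("warning", "RW_COMMUNITY",
                                 f"community '{name}' grants read/write access"))
        elif parts[1] == "user" and len(parts) == 8 and parts[3] == "md5" and parts[5] == "des":
            users += 1
            uid, md5_pw, des_pw, perm = parts[2], parts[4], parts[6], parts[7]
            if not USER_ID_RE.match(uid):
                findings.append(("error", "BAD_USER_ID", f"user '{uid}': 1-12 chars, letter first"))
            for label, pw in (("MD5", md5_pw), ("DES", des_pw)):
                if not 8 <= len(pw) <= 10:
                    findings.append(("error", "BAD_PASSWORD_LENGTH",
                                     f"user '{uid}': {label} password must be 8-10 characters"))
            if perm not in ("ro", "rw"):
                findings.append(("error", "BAD_PERMISSION", f"user '{uid}': permission must be ro or rw"))
        elif parts[1] == "trap-community" and len(parts) == 3:
            trap_communities.append(parts[2])
    # A trap community is sent in clear text in v1/v2 traps; reusing an rw community exposes it
    for name in trap_communities:
        if name in rw_communities:
            findings.append(("warning", "TRAP_COMMUNITY_RW",
                             f"trap community '{name}' reuses a read/write community"))
    if users == 0:
        findings.append(("info", "NO_V3_USER",
                         "no SNMP v3 user configured; only community-based v1/v2 access is possible"))
    return findings


# Constructed configuration, in the format of the chapter's configuration example
SAMPLE_CONFIG = [
    "snmp-server community public ro",
    "snmp-server community netmon-rw rw",
    "snmp-server community 1bad ro",
    "snmp-server user nms01 md5 Md5pass01 des Despass01 ro",
    "snmp-server trap host 192.0.2.10 netmon-rw",
    "snmp-server trap-community netmon-rw",
    "snmp-server trap auth",
]

if __name__ == "__main__":
    for severity, code, message in check_snmp_config(SAMPLE_CONFIG):
        print(f"{severity:7} {code:22} {message}")
```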

SNMP Trap Host Setting

To set an SNMP trap host, run the following command in <Configuration Mode>.
Command: snmp-server trap host {<A.B.C.D> | <WORD>} [<WORD>]
Description: Set an SNMP trap host.
  <A.B.C.D>: IP address of the SNMP trap host
  <WORD>: Name of the SNMP trap host
  [<WORD>]: SNMP community used for trap transmission
Note: You can delete an SNMP trap host by using the command no snmp-server trap host {<A.B.C.D> | <WORD>} [<WORD>] in
<Configuration Mode>.

SNMP Trap Host Community Setting

To set an SNMP trap host community, run the following command in <Configuration Mode>.
Command: snmp-server trap-community <WORD>
Description: Enable an SNMP trap host community.
  <WORD>: SNMP community used for trap transmission

SNMP Trap Setting

To enable an SNMP trap, run the following command in <Configuration Mode>.
Command: snmp-server trap {auth | port {<WORD> | all}}
Description: Enable SNMP trap.
  auth: Trap is generated when an SNMP action is attempted with an invalid community.
  port: Trap is generated when the interface link is up or down.
  <WORD>: Port number to be monitored for link status.

Note: You can disable the SNMP trap by using the command no snmp-server trap {auth | port {<WORD> | all}} in <Configuration Mode>.

Setting Device Information (name, contact, location)


TiFRONT allows you to set the device name, contact information for enquiring about the device and the
device location in each device. If you accurately set this information, it is convenient when remotely
managing TiFRONT through TiManager because you can easily find out where and for which purpose the
device is being used and who the administrator is. By default, the device name, location, and contact are not
set in TiFRONT. The procedure for setting this information is described below.

Device Name Setting

To set a device name, run the following command in <Configuration Mode>.
Command: snmp-server name <WORD>
Description: Set the device name. Use a string that suggests which kind of device it is and the purpose for
which it is used.


Device Contact Setting

To set contact information for a device, run the following command in <Configuration Mode>.
Command: snmp-server contact <WORD>
Description: Set contact information for a device. The e-mail address or telephone number of the
administrator is mainly used.
  <WORD>: The contact information can be composed of up to 128 characters of letters, numbers, and special
  characters except quotation marks (").

Device Location Setting

To set a device location, run the following command in <Configuration Mode>.
Command: snmp-server location <WORD>
Description: Set the device location. The address where the device is installed is often used for the
location.
  <WORD>: The location can be composed of up to 128 characters of letters, numbers, and special characters
  except quotation marks (").

Enabling SNMP Trap

To enable the SNMP trap, run the following command in <Configuration Mode>.
Command: snmp-server enable trap
Description: Enable SNMP trap.

Note: To disable the SNMP trap, run the command no snmp-server enable trap in <Configuration Mode>.

Applying SNMP Settings

To save SNMP settings and apply them to the system, run the following command in <Configuration Mode>.
Command: snmp-server apply
Description: Apply the changed SNMP settings to the system.

Checking the SNMP Settings

To see the current SNMP settings and status, run the command show snmp-server in <User Mode>,
<Privileged Mode>, or <Configuration Mode>.

Configuration Example
The following is an example of the SNMP community, user, trap host, trap, and device information settings.

(config)# snmp-server community testsnmp rw
    Set SNMP community
(config)# snmp-server user testsnmp md5 pass-md5 des pass-des rw
    Set an SNMP user
(config)# snmp-server trap host 192.168.203.236 testsnmp
    Set SNMP trap host
(config)# snmp-server trap-community testsnmp
    Set SNMP trap host community
(config)# snmp-server trap auth
    Set SNMP trap
(config)# snmp-server name PIOLINK
    Set device name
(config)# snmp-server contact 02-2025-6969
    Set the device contact
(config)# snmp-server location Gasan-dong,Geumchen-gu,Seoul,Kerea
    Set the device location
(config)# show snmp-server
    Show the SNMP settings.
SNMP service information
================================================
Community : public     : Read-Only
            testsnmp   : Read-Write
------------------------------------------------
User :
Name       MD5        DES        priv.
------------------------------------------------
testsnmp   pass-md5   pass-des   ro
------------------------------------------------
TRAP service : Running
------------------------------------------------
TRAP configurations :
Community      : testsnmp
Authentication : Enable
Host           : 192.168.201.236 testsnmp
Port           : (None)
------------------------------------------------
Name     : PIOLINK
Contact  : 02-2025-6969
Location : Gasan-dong,Geumchen-gu,Seoul,Kerea
================================================


Chapter 7
RMON Configuration
This chapter introduces RMON (Remote Monitoring) and the procedure for setting RMON for TiFRONT.
This chapter is composed of the following contents:
RMON Overview
RMON Configuration


RMON Overview
RMON (Remote MONitoring) is a traffic monitoring feature for LAN environments that uses the SNMP
transmission structure and commands. In SNMP, the Agent monitors information about the one node on which it
is operating. RMON, in contrast, monitors traffic information such as the number of collisions in a LAN segment,
packet size distribution, and the volume of data exchanged between terminals connected to the LAN.
RMON also offers alert and event functions. It predicts potential problems based on monitored traffic
information and alerts users. This alert and event function of RMON reports a state in which a problem may
occur (exceeding a specified threshold, etc.) so that problems in a network can be easily detected and
addressed before they become serious.
There are 9 RMON MIB groups (1. Statistics 2. History 3. Alarm 4. Host 5. Host Top N 6. Matrix 7. Filter 8.
Packet Capture 9. Event). TiFRONT supports the following four groups which are the most basic among them.

Statistics Group (RMON Group 1)


The RMON Statistics Group continuously collects and accumulates data including the total number of packets
sent or received through the Ethernet port, broadcast packet count, multicast packet count, collision count,
and error count. The data types collected by the Statistics Group are predefined and cannot be changed by the
user. Users can specify the Ethernet port from which to collect data.

History Group (RMON Group 2)


Whereas the RMON Statistics Group continuously accumulates data from the time the RMON Agent started, the
RMON History Group collects data only for a period set by the user. The data types provided by the History
Group are identical to those provided by the Statistics Group.

Alarm Group (RMON Group 3)


The RMON Alarm Group sets the threshold and monitoring period for MIB to maintain normal network status
and defines the relationship with events so that the related events will occur when the MIB values deviate
from the threshold. There are two thresholds: rising and falling thresholds. Furthermore, there are two
comparison methods: absolute and delta.

Rising threshold
An alarm goes off if the value is greater than the threshold.

Falling threshold
An alarm goes off if the value is smaller than the threshold.

Absolute comparison
An alarm goes off after comparing the continuously accumulated value with the threshold.

Delta comparison
An alarm goes off after comparing the value accumulated for the specified time with the threshold.

The RMON alarm group is linked to the events defined in the RMON event group. An event defines the action
to be performed when the value exceeds the threshold. For the event that will be activated when there is a
RMON alarm, you must specify one of the entries of the RMON event table and it must be predefined.


Event Group (RMON Group 9)


The RMON Event Group specifies the actions to be performed when the alarm conditions in the RMON Alarm
Group are met. There are two actions that can be specified in the Event Group: "Send SNMP trap" and "Save
log message with alarm content".


RMON Setting
This section describes the procedure for performing RMON setting tasks in the CLI.

RMON Statistics Group Setting

To set data collection for a specific port in the RMON Statistics Group, run the following command in
<Interface Configuration Mode> of the port.
Command: rmon collection stats <1-65535> [owner <WORD>]
Description: Set data collection for a port in the RMON Statistics Group.
  <1-65535>: RMON Statistics Group ID. Setting range: 1 ~ 65535
  owner <WORD>: Name of the entity that uses the RMON Statistics Group information. A string of up to 15
  characters consisting of letters, numbers, and special characters.

Caution: To set RMON Statistics Groups for multiple ports, the RMON Statistics Group ID must be different for each port. If you set the same RMON
Statistics Group ID for two or more ports, only the data for the port that was set last are collected in the RMON Statistics Group.
Note: To disable statistics data collection for a specific port, run the command no rmon collection stats <1-65535> in <Interface
Configuration Mode>.

Showing RMON Statistics Group Information


To check the RMON Statistics Group settings, run the command show rmon statistics in <User Mode> or
<Privileged Mode>.

RMON History Group Setting

To set data collection for a specific port in the RMON History Group, run the following command in the
<Interface Configuration Mode> of the port.
Command: rmon collection history <1-65535> [buckets <1-65535>] [interval <1-3600>] [owner <WORD>]
Description: Set data collection for a port in the RMON History Group.
  <1-65535>: RMON History Group ID. Setting range: 1 ~ 65535
  buckets <1-65535>: Number of tables to be recorded in the sampling period. Setting range: 1 ~ 65535.
  (Default value: 50 (pieces))
  interval <1-3600>: Sampling period for data collection. Setting range: 1 ~ 3600. (Default value: 1800 (sec))
  owner <WORD>: Name of the entity using the information related to the RMON History Group. A string of up to
  15 characters consisting of letters, numbers, and special characters.


Caution: To set RMON History Groups for multiple ports, the RMON History Group IDs of the ports must be different from one another. If you set the
same RMON History Group ID for two or more ports, the data for the port that was set last will be collected in the RMON History Group.
Note: To disable history data collection for a specific port, run the command no rmon collection history <1-65535> in <Interface
Configuration Mode>.

Showing RMON History Group Information

To check the RMON history group settings, run the command show rmon history in <User Mode> or
<Privileged Mode>.

RMON Event Group Setting

To define events in the RMON Event Group, run the following command in <Configuration Mode>.
Command: rmon event <1-65535> [log | log trap <WORD> | trap <WORD>] [description <WORD>] [owner <WORD>]
Description: Set the RMON Event Group.
  <1-65535>: RMON Event Group ID. Setting range: 1 ~ 65535
  log: Save alarm information in the log table.
  log trap <WORD>: Perform log saving and trap generation simultaneously. <WORD> is the name of the
  community sent with the SNMP trap.
  trap <WORD>: Generate an SNMP trap. <WORD> is the name of the community sent with the SNMP trap.
  description <WORD>: Description of the event group.
  owner <WORD>: Name of the entity using the information about the RMON Event Group. A string of up to 15
  characters consisting of letters, numbers, and special characters.

Note: To delete the RMON Event Group setting, run the command no rmon event <1-65535> in <Interface Configuration Mode>.

Showing RMON Event Group Information


To see the RMON event group settings, run the command show rmon event in <User Mode> or <Privileged
Mode>.


RMON Alarm Group Setting

To add RMON alarms to the RMON alarm group using the CLI, run the following command in <Configuration
Mode>.
Command: rmon alarm <1-65535> <WORD> interval <1-65535> {absolute | delta} rising-threshold <RISING_THRES>
event <1-65535> falling-threshold <FALL_THRES> event <1-65535> [owner <WORD>]
Description: Save and apply the RMON alarm setting to the system.
  <1-65535>: RMON Alarm Group ID. Setting range: 1 ~ 65535
  <WORD>: OID name or number of the MIB object in the RMON MIB to be monitored in the RMON alarm group.
  interval <1-65535>: RMON MIB value monitoring cycle. Setting range: 1 ~ 65535 (sec)
  absolute: The cumulative value of the monitored MIB object is compared with the threshold.
  delta: The MIB values monitored during the specified period are compared with the threshold.
  <RISING_THRES>: Rising threshold to be compared with the monitored value of the RMON MIB. Setting range:
  1 ~ 65535
  event <1-65535> (after rising-threshold): ID of the RMON Event Group to be run when an alarm is generated
  because the value exceeds the rising threshold.
  <FALL_THRES>: Falling threshold to be compared with the monitored RMON MIB value. Setting range: 1 ~ 65535
  event <1-65535> (after falling-threshold): ID of the RMON Event Group to be run when an alarm is generated
  by comparison with the falling threshold.
  owner <WORD>: Name of the entity using the RMON alarm group information. A string of up to 15 characters
  consisting of letters, numbers, and special characters.

Note: To add an RMON alarm, you must enable the RMON Event Group.

Note: In the RMON alarm group, you can monitor the following statistics objects under etherStatsEntry(1.3.6.1.2.1.16.1.1.1):

etherStatsDropEvents(1.3.6.1.2.1.16.1.1.1.3)
etherStatsOctets(1.3.6.1.2.1.16.1.1.1.4)
etherStatsPkts(1.3.6.1.2.1.16.1.1.1.5)
etherStatsBroadcastPkts(1.3.6.1.2.1.16.1.1.1.6)
etherStatsMulticastPkts(1.3.6.1.2.1.16.1.1.1.7)
etherStatsCRCAlignErrors(1.3.6.1.2.1.16.1.1.1.8)
etherStatsUndersizePkts(1.3.6.1.2.1.16.1.1.1.9)
etherStatsOversizePkts(1.3.6.1.2.1.16.1.1.1.10)
etherStatsFragments(1.3.6.1.2.1.16.1.1.1.11)
etherStatsJabbers(1.3.6.1.2.1.16.1.1.1.12)
etherStatsCollisions(1.3.6.1.2.1.16.1.1.1.13)
etherStatsPkts64Octets(1.3.6.1.2.1.16.1.1.1.14)
etherStatsPkts65to127Octets(1.3.6.1.2.1.16.1.1.1.15)
etherStatsPkts128to255Octets(1.3.6.1.2.1.16.1.1.1.16)
etherStatsPkts256to511Octets(1.3.6.1.2.1.16.1.1.1.17)
etherStatsPkts512to1023Octets(1.3.6.1.2.1.16.1.1.1.18)
etherStatsPkts1024to1518Octets(1.3.6.1.2.1.16.1.1.1.19)

When setting the RMON alarm group, you can enter the MIB OID in the format <OID name or number>.<RMON statistics group ID> or
etherStatsEntry.<3-19>.<RMON statistics group ID>.
The following is an example of setting etherStatsDropEvents where the RMON statistics group ID is 5. (The three lines denote the same object.)
etherStatsDropEvents.5
1.3.6.1.2.1.16.1.1.1.3.5
etherStatsEntry.3.5
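The following simulation, added here as an example and not part of TiFRONT or PLOS, works through the RMON alarm and event group behaviour described above: the rising and falling thresholds, the absolute and delta comparison methods, and the event actions linked to the alarm. It follows the hysteresis rule of the RMON MIB (RFC 2819), under which a rising alarm is not repeated until a falling alarm has fired and vice versa; the alarm and event settings mirror the chapter's configuration example, and the counter readings are constructed.

```python
"""Simulation of an RMON alarm entry linked to an RMON event entry (added example, not TiFRONT code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RmonEvent:
    """One RMON event table entry: rmon event <id> [log | log trap <community> | trap <community>]."""
    index: int
    log: bool = False
    trap_community: Optional[str] = None

    def actions(self) -> List[str]:
        acts = []
        if self.log:
            acts.append("log")
        if self.trap_community is not None:
            acts.append(f"trap:{self.trap_community}")
        return acts


@dataclass
class RmonAlarm:
    """One RMON alarm table entry: rmon alarm <id> <oid> interval <sec> {absolute | delta} ..."""
    index: int
    variable: str           # monitored MIB object, e.g. etherStatsPkts.1
    interval: int           # sampling period in seconds
    sample_type: str        # "absolute" or "delta"
    rising_threshold: int
    rising_event: int       # RMON event group ID run on a rising alarm
    falling_threshold: int
    falling_event: int      # RMON event group ID run on a falling alarm

    def __post_init__(self) -> None:
        if self.sample_type not in ("absolute", "delta"):
            raise ValueError("sample type must be absolute or delta")
        if self.rising_threshold < self.falling_threshold:
            raise ValueError("rising threshold must not be below the falling threshold")


def run_alarm(alarm: RmonAlarm, readings: List[int], events: Dict[int, RmonEvent]) -> List[dict]:
    """Feed successive readings of the monitored object (one per interval) through the alarm.

    Returns one dict per alarm generated: reading index, elapsed seconds, the
    compared value, the direction and the actions of the linked event entry.
    """
    generated: List[dict] = []
    previous: Optional[int] = None
    last_direction: Optional[str] = None      # hysteresis state: "rising", "falling" or None
    for i, reading in enumerate(readings):
        if alarm.sample_type == "delta":
            if previous is None:              # a delta needs two readings
                previous = reading
                continue
            value, previous = reading - previous, reading
        else:                                 # absolute: the accumulated value itself
            value = reading
        if value >= alarm.rising_threshold and last_direction != "rising":
            direction, event_id = "rising", alarm.rising_event
        elif value <= alarm.falling_threshold and last_direction != "falling":
            direction, event_id = "falling", alarm.falling_event
        else:
            continue
        # The linked event entry must already exist (rmon event ... before rmon alarm ...)
        if event_id not in events:
            raise KeyError(f"alarm {alarm.index} refers to undefined RMON event {event_id}")
        last_direction = direction
        generated.append({
            "reading": i, "elapsed": i * alarm.interval, "variable": alarm.variable,
            "value": value, "direction": direction, "event": event_id,
            "actions": events[event_id].actions(),
        })
    return generated


# Settings from the chapter's example: rmon event 1 log trap public, and
# rmon alarm 1 ... interval 50 delta rising-threshold 600 event 1 falling-threshold 400 event 1
EVENTS = {1: RmonEvent(index=1, log=True, trap_community="public")}
ALARM = RmonAlarm(index=1, variable="etherStatsPkts.1", interval=50, sample_type="delta",
                  rising_threshold=600, rising_event=1, falling_threshold=400, falling_event=1)
# Constructed cumulative etherStatsPkts readings, one every 50 seconds
READINGS = [0, 700, 1000, 1900, 2100, 2200, 3000]

if __name__ == "__main__":
    for g in run_alarm(ALARM, READINGS, EVENTS):
        print(f"t={g['elapsed']:4}s {g['variable']} delta={g['value']:4} -> "
              f"{g['direction']} alarm, event {g['event']}: {g['actions']}")
```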

Showing RMON Alarm Group Information

To see the RMON alarm group settings, use the command show rmon alarm event in <User Mode> or
<Privileged Mode>.

Configuration Example
The following is an example of RMON statistics group, history group, alarm group, and event group settings.

(config)# interface ge1
    Go to the Interface Configuration Mode of the ge1 port
(config-if-ge1)# rmon collection stats 1
    Collect data about the ge1 port in the RMON statistics group whose ID is 1.
(config-if-ge1)# rmon collection history 1 buckets 500 interval 600
    Collect data about the ge1 port in the RMON history group whose ID is 1.
(config-if-ge1)# exit
    Go to Configuration mode.
(config)# rmon event 1 log trap public
    Set the RMON event group whose ID is 1.
(config)# rmon alarm 1 etherStatsEntry.1.1 interval 50 delta rising-threshold 600 event 1 falling-threshold 400 event 1
    Set the RMON alarm group whose ID is 1.
(config)# exit
    Go to Privileged mode.
# show rmon statistics
    Show RMON statistics group settings.
rmon collection index 1
stats->ifindex = 16(ge1) -> snmp-ifindex(101)
stats->owner = RMON_SNMP
stats->status = valid_status
------------------------------------------------------------------------
EtherStats : 0 octets
             0 packets
             0 broadcast packets
             0 multicast packets
             0 undersized packets
             0 oversized packets
             0 fragments packets
             0 jabbers packets
             0 CRC alignment errors
             0 collisions
# of dropped packet events (due to lack of resources) -> 0
# of packets received of length (in octets):
    64 -> 0
    65-127 -> 0
    128-255 -> 0
    256-511 -> 0
    512-1023 -> 0
    1024-1518 -> 0
=========================================================================
# show rmon history
    Show RMON history group settings.
history index = 1
data source ifindex = 16(snmp-ifindex = 101)
buckets requested = 500
buckets granted = 500
Interval = 600
Owner RMON_SNMP
# show rmon event
    Show RMON event group settings.
event Index = 1
Description RMON_SNMP
Event type Log & Trap
Event community name public
Last Time Sent = 00:00:00
Owner RMON_SNMP
# show rmon alarm
    Show RMON alarm group settings.
alarm Index = 1
alarm status = VALID
alarm Interval = 50
alarm Type is Delta
alarm Value = 0
alarm Rising Threshold = 600
alarm Rising Event = 1
alarm Falling Threshold = 400
alarm Falling Event = 1
alarm Owner is RMON_SNMP


Chapter 8
STP Configuration
This chapter introduces STP (Spanning Tree Protocol), RSTP (Rapid Spanning-Tree Protocol), PVST+ (Per VLAN
Spanning Tree Plus), RPVST+ (Rapid Per VLAN Spanning Tree Plus), and MSTP (Multiple Spanning Tree
Protocol), and describes the procedure for setting STP in TiFRONT.
This chapter is composed of the following sections:
STP
RSTP
PVST+/RPVST+/MSTP
Spanning Tree Setting


STP
One problem of a network connected via switches is that there must be only one route between any two
nodes. If there are two or more routes between two nodes, packets will be transmitted twice or an infinite
loop will be created on the network. A loop generates a flood of network traffic which makes the network
unstable.
In the network illustrated below, there are two routes from switch A to switch C: path 2, which is a direct
route, and the indirect route through switch B that uses paths 1 and 3. A loop is generated in a network like
this where there are two or more routes to a destination. For example, when switch A broadcasts a packet in
this example, switch C broadcasts the packet received through path 2 to switch B through path 3, and switch
B sends the packet received through path 3 to switch A through path 1. Thus, a loop is generated.
Conversely, the loop A->B->C->A is also generated.
[Figure A network structure that generates a loop: Switch A, Switch B, and Switch C connected by Path 1, Path 2, and Path 3]

STP (Spanning Tree Protocol) is a protocol that prevents loops from occurring when there are two or more
routes to the destination and is stated in the IEEE 802.1D standard. If there are two or more routes at one
node in a spanning tree, the optimum route is selected considering the priority. Furthermore, other routes
than this route are changed into blocked status (frames are not sent) and excluded from the spanning tree.
Therefore, when traffic is processed, packets are transmitted through the optimum route only.
In the above network, if path 3 is turned into blocking state, there is only one route from switch A to switch C
(path 2), thereby preventing the loop.
[Figure A network structure that prevents loop: Path 1 (Forwarding), Path 2 (Forwarding), and Path 3 (Blocking) between Switch A, Switch B, and Switch C]


When a problem occurs on the single remaining route in STP, the route that has been blocked is changed to
the (traffic) forwarding state to improve network availability.

BPDU (Bridge Protocol Data Unit)


BPDU is a transmission message used in a LAN to set and maintain STP/RSTP/MSTP. A spanning tree consists
of a root switch, a designated switch, a root port, and a designated port. A root switch is a switch that
becomes the root of a spanning tree. In other words, the spanning tree is created from the root switch as its
base. The designated switch is used when packets are forwarded from each LAN segment to the root switch.
The root port is used when packets are forwarded from the designated switch to the root switch. The
designated port is directly connected to the subordinate LAN among the ports of the designated switch.
[Figure Components of STP: Root Switch, Designated Switches with their Root Ports toward the root, and a Designated Port toward the subordinate LAN]

In the above figure, the switches exchange BPDU to determine the switches and ports to be included in the
spanning tree. The BPDU contains the following information:

Route cost to the root switch
Bridge ID of the root switch
Bridge ID of the switch that forwards BPDU
Aging time of BPDU
Interface ID that forwards BPDU
Timer values of spanning tree (Hello, Forward delay, Max-age)

Bridge ID is a value that is used when electing the root switch, which is the central switch in a spanning tree.
A Bridge ID consists of a switch's priority (top 2 bytes) and MAC address, and the switch having the highest
priority is elected as the root switch. A lower priority number means a higher priority. If every switch has the
same priority, the switch having the lowest MAC address is selected as the root switch.
Root cost is a value used when selecting the root port and the designated switch. The port that provides the
best route (lowest cost) when a switch sends packets to the root switch, in other words, the port having the
lowest route cost to the root switch, becomes the root port. Furthermore, the switch that has the lowest route
cost when packets are forwarded from the LAN to the root switch becomes the designated switch. The port
that is directly connected to the LAN among the ports of the designated switch becomes the designated port.
Ports other than the root port and the designated port are blocked from communication and are called
blocked ports. When the route cost is identical, the switch whose bridge ID has the lowest priority value is
selected as the designated switch.

BPDU contains three timer values (Hello, Forward delay, Max age). These timers influence the performance of
the entire spanning tree and perform the following functions.
Timer: Hello time
Description: This is the hello message sending period. This time value determines how often the root switch
will broadcast the BPDU message to other switches.
Timer: Forward delay time
Description: This time value determines how long the listening state and the learning state are maintained.
The listening state changes to the learning state when the forward delay time passes, and the learning state
changes to the forwarding state when the forward delay time passes again. This time prevents the port from
entering the forwarding state before the changed topology information has spread sufficiently through the
spanning tree, which would create a loop.
Timer: Max age time
Description: This is the aging time (effective time) of a BPDU. This time determines for how long the switch
will keep a BPDU. The BPDU is discarded when the max age time has passed.

Port States
STP sets a port on a network to one of the following five states:
Blocking state: No frame is sent. This is the default state of a port at which STP is enabled.
Listening state: This is the first state that is passed when moving from the blocking to the forwarding state.
Learning state: This is the state in which frame transmission is prepared.
Forwarding state: This is the state in which traffic is sent.
Disabled state: This is the state in which STP is disabled or frame transmission is impossible.

The process of a port undergoing these five states is illustrated below.

[Figure Change of states of an STP enabled port: Blocking State, Listening State, Learning State, Forwarding State, and Disabled State]

The port at which STP is enabled always starts in the blocking state. The STP enabled switch assumes that it
is the root switch when it is initialized and sends BPDU to devices connected through every port. The port in
the blocking state discards all frames except BPDU. The ports receiving BPDU change to the listening state.

Ports in the listening state exchange BPDUs with other devices to determine the root switch and perform other
tasks. They change to the learning state when the forward delay time passes.
The port in the learning state learns the MAC address to send frames. Then, it changes to the forwarding
state when the forward delay time passes. The frames received up until the port changes to the forwarding
state are all discarded, and the frames received after the change are sent through the port.
Disabled ports do not participate in the spanning tree; the ports do not work, their links are not connected,
and the STP is disabled. Ports in this state do not send or receive BPDU, and also do not send frames.

Selecting Route
STP uses the spanning tree algorithm when deciding on which switch to use to send packets. The spanning
tree algorithm calculates the best route that does not generate a loop through the network based on the port
role on an actual topology.
In case two interfaces of a switch form a loop, it determines which interface will be in the forwarding state
and which interfaces will be in the blocking state depending on port priority and route cost. The port priority
indicates the location of the interface on the network (how easy the location is for traffic forwarding), and the
route cost indicates the media speed of the interface.
The spanning tree turns the extra routes that are not used into standby, or blocking states. When a specific
network segment of a spanning tree does not work (disconnected link), or there is an extra route, the
spanning tree algorithm recalculates the spanning tree topology and changes the extra route from a blocking
state to a forwarding state.
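The following computation, added here as an example and not part of TiFRONT or PLOS, works through the BPDU rules and the route selection described above for the three-switch figure: the Bridge ID (priority, then MAC address) elects the root switch, the lowest route cost to the root selects each switch's root port, the lower-cost end of each segment (ties broken by Bridge ID) becomes its designated port, and every remaining port is blocked. Switch names, MAC addresses and link costs are constructed.

```python
"""Spanning-tree root election and port-role computation (added example, not TiFRONT code)."""
from typing import Dict, List, Tuple

BridgeId = Tuple[int, str]                 # (priority, MAC address); the lower value wins
Link = Tuple[str, str, str, int]           # (link name, switch X, switch Y, route cost)


def bridge_id(switches: Dict[str, BridgeId], name: str) -> BridgeId:
    priority, mac = switches[name]
    return (priority, mac.lower())


def elect_root(switches: Dict[str, BridgeId]) -> str:
    """Lowest priority value wins; on equal priority the lowest MAC address wins."""
    return min(switches, key=lambda n: bridge_id(switches, n))


def compute_spanning_tree(switches: Dict[str, BridgeId], links: List[Link]):
    """Return (root switch, root path cost per switch, port roles).

    Port roles are keyed by (switch, link name) and are "root", "designated" or "blocked".
    """
    root = elect_root(switches)
    adjacent: Dict[str, List[Tuple[str, str, int]]] = {n: [] for n in switches}
    for name, x, y, cost in links:
        adjacent[x].append((y, name, cost))
        adjacent[y].append((x, name, cost))

    # Best route to the root per switch: (route cost, neighbour Bridge ID, link).
    # Ties on cost go to the neighbour with the lower Bridge ID, as in BPDU comparison.
    best: Dict[str, Tuple[int, BridgeId, str]] = {root: (0, bridge_id(switches, root), "")}
    changed = True
    while changed:                      # relax until every switch has its best route
        changed = False
        for n in switches:
            if n == root:
                continue
            candidates = [(best[nbr][0] + cost, bridge_id(switches, nbr), link)
                          for nbr, link, cost in adjacent[n] if nbr in best]
            if candidates and (n not in best or min(candidates) < best[n]):
                best[n] = min(candidates)
                changed = True
    missing = [n for n in switches if n not in best]
    if missing:
        raise ValueError(f"no route to the root switch from {missing}")

    roles: Dict[Tuple[str, str], str] = {}
    for n in switches:
        if n != root:
            roles[(n, best[n][2])] = "root"           # root port: lowest route cost to the root
    for name, x, y, _cost in links:
        # Designated switch for this segment: lowest route cost, then lowest Bridge ID
        key_x = (best[x][0], bridge_id(switches, x))
        key_y = (best[y][0], bridge_id(switches, y))
        designated, other = (x, y) if key_x <= key_y else (y, x)
        roles.setdefault((designated, name), "designated")
        roles.setdefault((other, name), "blocked")    # unless it is already the root port
    return root, {n: best[n][0] for n in switches}, roles


# Constructed topology matching the figure: path 1 A-B, path 2 A-C, path 3 B-C, equal costs
SWITCHES: Dict[str, BridgeId] = {
    "A": (32768, "00:00:5e:00:53:01"),
    "B": (32768, "00:00:5e:00:53:02"),
    "C": (32768, "00:00:5e:00:53:03"),
}
LINKS: List[Link] = [("path1", "A", "B", 4), ("path2", "A", "C", 4), ("path3", "B", "C", 4)]

if __name__ == "__main__":
    root, costs, roles = compute_spanning_tree(SWITCHES, LINKS)
    print(f"root switch: {root}, route costs: {costs}")
    for (switch, link), role in sorted(roles.items()):
        print(f"  {switch} {link}: {role}")
```

With equal priorities and costs, switch A wins on MAC address and path 3 ends up blocked on switch C, as in the figure; giving switch C a lower priority value moves the root and the blocked port.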


RSTP
While STP is enabled and BPDUs are sent to the network, the topology changes continuously in other parts of
the network. It takes much time for the frequently changed topology to converge into the spanning tree. RSTP
(Rapid Spanning-Tree Protocol), which is defined in the IEEE 802.1w standard, has improved this shortcoming
of the conventional STP and allows for faster convergence.
Because RSTP (802.1w) uses the terminology and most parameters of STP (802.1D) as they are, you can
quickly and easily set up the new protocol. It is also compatible with STP, as it contains STP.
The biggest difference between STP and RSTP is the change of port states. STP changes to a forwarding state
in which it can send traffic only after passing through the whole process of Blocking->Listening->Learning.
RSTP, on the other hand, changes directly from a blocking state to a forwarding state. In this way, RSTP can
instantly apply the changed topology to the spanning tree.

Port States
RSTP 802.1w defines three port states: discarding, learning, and forwarding. Learning and forwarding states
are identical to those of STP, and the discarding state includes all the three states of STP: disabled, blocking,
and listening.
RSTP sets the root and designated ports to the forwarding state, and the alternate and backup ports to the
discarding state. An alternate port is a port that has been blocked by receiving a BPDU of a higher priority
from another device. A backup port is a port that has been blocked by receiving a BPDU of a higher
priority from another port of the same device. BPDU transmission only occurs at the root port and the
designated port.
The following figure illustrates the alternate port and backup port.
[Figure Alternate port and backup port: Root switch with designated ports toward Switch B and Switch C; Switch C designated port; Switch D with an alternate port and a backup port; arrows show the flow of BPDUs]

Changing BPDU Policy


In STP, only the root switch sends BPDUs according to the hello time, and other switches, except the root
switch, send their BPDUs only when they receive BPDUs from the root switch. In RSTP, however, all switches
except the root switch send BPDUs according to the hello time. BPDUs change more frequently than the time
interval for exchanging with the root switch, but the RSTP function allows you to respond faster to the
changing network environment.

Shortening Network Convergence Time


In the case of STP, convergence occurs as shown in the figure below when the link topology is changed. In
the figure, it is assumed that there is a new link between switch A and the root switch. The root switch and
switch A were not directly connected before, but indirectly through switch D. When switch A and the root
switch are initially connected, the two switches are in the listening state and cannot exchange packets
through the port, so no loop is generated. In this state, when the root switch sends BPDUs to switch A, switch
A sends new BPDUs to switches B and C, and switch C also sends a new BPDU to switch D. Upon receiving a
BPDU from switch C, switch D turns the port connected to switch C into the blocking state to prevent the
generation of a loop by the new link.
[Figure - Network convergence of STP. A new link is connected between the root switch and switch A; switch A sends BPDUs in the listening state to switches B and C; switch D blocks its port toward switch C to prevent a loop. Arrows show the flow of BPDUs.]

This prevents loops reliably, but switch D cannot block its port toward switch C until the forward delay time has
elapsed, and communication is interrupted in the meantime.
RSTP shortens this interruption with the following process. A new link is made between switch A and the root
switch. As soon as they are connected, switch A and the root switch can exchange BPDUs even though they cannot
yet exchange data frames.
[Figure - Network convergence of RSTP (1). A new link is connected between the root switch and switch A; switch A and the root switch negotiate through BPDUs while traffic on switch A's other links is blocked; switches B, C, and D are connected below switch A.]

TiFRONT User Guide

The root switch and switch A negotiate through BPDUs. To bring the link between the root switch and switch A to
the forwarding state, the non-edge designated ports of switch A are first changed to the blocking state. Although
switch A is now connected to the root switch, no loop is created, because its connections to switches B and C are
blocked.
In this state, as shown in the following figure, the root switch's BPDUs reach switches B and C through switch A.
To bring the ports of switch A toward switches B and C to the forwarding state, switch A negotiates with switch B
and with switch C in the same way.
[Figure - Network convergence of RSTP (2). The link between the root switch and switch A is forwarding; switch A negotiates with switch B and with switch C while traffic toward them is blocked; switch D is connected to switch C.]

Switch B has only an edge designated port. Because an edge designated port cannot create a loop, RSTP can move it
to the forwarding state at once, so switch B has no port that needs to be blocked before its link to switch A can
forward.
Switch C, however, has a port connected to switch D, and that port must be blocked before the link between
switch A and switch C can be changed to the forwarding state.
[Figure - Network convergence of RSTP (3). The links from switch A to the root switch, switch B, and switch C are forwarding; switch C blocks its port toward switch D so that the link to switch A can be turned to the forwarding state.]


The result is the same as when STP blocks the connection between switches D and C. However, RSTP does not wait
for any of the user-set timers (hello time, forward delay time, max aging time) while negotiating with its
neighbors to bring a port to the forwarding state, and a port does not pass through the listening and learning
states on its way to forwarding. The network convergence time is therefore dramatically shorter.

PVST+/RPVST+/MSTP
TiFRONT supports PVST+ (Per VLAN Spanning Tree Plus), RPVST+ (Rapid Per VLAN Spanning Tree Plus), and
MSTP (Multiple Spanning Tree Protocol). These allow a spanning tree to be configured per VLAN or per VLAN group,
using the VLAN as a logical division of the LAN domain, for more efficient network operation.
Whereas the original STP prevents loops in a single LAN domain, PVST+ extends it so that a spanning tree can be
configured for each VLAN and paths can be chosen to suit the VLAN layout. In PVST+, each instance holds exactly
one VLAN and runs one spanning tree. If a network has six VLANs, with the VLAN IDs 10, 20, 30, 40, 50, and 60,
there are six spanning trees, one per VLAN.
The weakness of PVST+ is that convergence is slow and the load on the switch grows with the number of VLANs.
RPVST+ and MSTP were introduced to address this.
RPVST+ combines the strengths of PVST+ and RSTP: there is still one spanning tree per VLAN, but with rapid
convergence. As with PVST+, however, the load grows with the number of VLANs.
MSTP provides the same rapid convergence as RSTP. It reduces the number of spanning trees compared with PVST+,
because several VLANs can be assigned to one instance and one spanning tree runs per instance. MSTP instances are
grouped into a region. There is no limit to the number of regions in a network, and up to 64 instances can be
defined in one region.
The regions used by MSTP are called MST regions, and VLANs are grouped by the configuration ID. The configuration
ID consists of the region name, the revision, and the VLAN map, so all three values must match for two
configuration IDs to be identical.
The spanning tree that runs inside a region is called the IST (Internal Spanning Tree), and the spanning tree that
results when the regions are interconnected is called the CST (Common Spanning Tree). The IST and CST together
are called the CIST (Common and Internal Spanning Tree). The following figure illustrates the relationships among
the IST, CST, and CIST.


[Figure - Relationships among IST, CST, and CIST (CIST = IST + CST). Each MST region runs its own IST; the CST connects the regions to each other through their boundary ports.]

An MST region contains an IST instance and MSTIs (Multiple Spanning Tree Instances). The IST instance is the
spanning tree instance that every MST region has by default; it is also called MSTI0 because it is assigned the
ID 0. Any further instance assigned to an MST region is called an MSTI, and each MSTI must contain at least one
VLAN.
The spanning tree inside an MST region operates in the same way as RSTP. In the figure below there are six VLANs
with the VLAN IDs 10, 20, 30, 40, 50, and 60; VLANs 10, 20, and 30 are assigned to MSTI 1 and VLANs 40, 50, and
60 to MSTI 2, and the spanning tree inside the MST region works as follows.
First, the switch with the lowest bridge ID becomes the IST root switch. Unless the priority is adjusted, every
MSTI uses the same root as the IST by default. Each MSTI can be given a different root, however, by adjusting the
MSTI priority on the individual switches, as shown below.

[Figure - Operation of spanning tree in MST region. Left: Switch A is the IST root switch; MSTI 1 = VLAN 10, 20, 30 and MSTI 2 = VLAN 40, 50, 60; with MSTI1 and MSTI2 priority 8 on switches A, B, and C, switch A is also the root of both MSTIs. Right: with the MSTI1 priority lowered to 0 on switch B and the MSTI2 priority lowered to 1 on switch C (all other priorities 8), switch B becomes the MSTI1 root switch and switch C becomes the MSTI2 root switch.]

One CIST root switch exists in the whole CIST, and one IST root switch exists in each MST region. The switch with
the lowest bridge ID among all switches is selected as the CIST root switch, and in each MST region the boundary
switch with the lowest route cost to the CIST root switch is selected as the IST root switch. A boundary switch
is a switch that receives BPDUs from outside its MST region, and a boundary port is the port that receives them.
All boundary ports of the MST region that contains the CIST root switch become designated ports and go to the
forwarding state. In that region the IST root switch is the CIST root switch itself.
On the boundary switch selected as IST root switch, one boundary port is selected as the root port and the other
boundary ports are changed to the blocking state. The boundary ports of all other switches in the region are
selected as designated or alternate ports.

[Figure - Selection of CIST root switch and port blocking. Switches 1 through 9 are spread over MST Region 1, Region 2, and Region 3; route costs of 10 and 20 are marked on the links between regions; switch 1 is the CIST root, and switches 4 and 7 are marked as IST root switches of their regions.]

If the route costs are as shown in the figure above and switch 1 has the lowest bridge ID (the lower the number
of a switch, the lower its bridge ID), the root switch selection and the port state changes proceed as follows:
1. Switch 1 is selected as the root switch of the CIST and of MST Region 1, and every boundary port of MST
   Region 1 goes to the forwarding state.
2. Switches 4 and 7, which have the lowest bridge ID in their MST regions, are selected as the IST root switches
   of MST Region 2 and MST Region 3, respectively. Once the IST root switch of a region is selected, the
   non-designated port of the switch with the highest bridge ID in that region goes to the blocking state, as in
   STP.
3. Lastly, among the boundary ports of each IST root switch, the port with the lowest route cost to the CIST root
   switch is selected as the root port, and all other boundary ports are changed to the blocking state.


Spanning Tree Setting

Spanning Tree Mode Setting
To set the spanning tree mode, run the following command in <Configuration Mode>.
Command: spanning-tree mode {mstp | pvst+ | rpvst+ | rstp | stp}
Description: Set the spanning tree mode.

Enabling Spanning Tree

To enable spanning tree on a TiFRONT, run the following command in <Configuration Mode>.
Command: spanning-tree {enable | disable}
Description: Enable or disable spanning tree.

Root Switch Setting

Before running STP/RSTP/PVST+/RPVST+/MSTP you must decide which switch is to be the root switch; in STP/RSTP
it becomes the root switch, and in MSTP it becomes the IST root switch. The root is elected by bridge ID, which
is made up of the bridge priority and the switch's MAC address, and the switch with the lowest bridge ID wins. To
make a TiFRONT the root switch, give it a lower priority value than the other switches (a lower value means a
higher priority). The spanning tree then recalculates the topology and the TiFRONT with the highest priority
(lowest value) becomes the root switch.
To set the bridge priority, run the following command in <Configuration Mode>.
Command: spanning-tree priority <0-61440>
Description: Set the bridge priority of the TiFRONT.
  <0-61440>  Setting range: 0 ~ 61440 (default: 32768).

Note: The bridge priority must be one of the following values (multiples of 4096):
0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440

Route Cost Setting

You can steer traffic toward the root bridge by setting the route cost (path cost) of each port. In general, a
low cost is assigned to a port with high bandwidth and a high cost to a port with low bandwidth. The cost can be
set in the range 1 ~ 200,000,000. The following route costs are applied by default, depending on the spanning
tree mode and the port speed.


Speed        Default route cost
             STP/PVST+    RSTP/RPVST+/MSTP
10 Mbps      100          2,000,000
100 Mbps     19           200,000
1000 Mbps                 20,000
[Table - Default route cost by port speed]

To set the route cost of a port, run the following command in <Interface Configuration Mode>.
Command: spanning-tree path-cost <1-200000000>
Description: Set the route cost of the port.
  <1-200000000>  Setting range: 1 ~ 200,000,000.

Port Priority Setting

When a switch has more than one port with the same cost toward the same neighbor, the port with the lowest
priority value wins and forwards frames, and the others are blocked. You can change the port priority by running
the following command in <Interface Configuration Mode>.
Command: spanning-tree priority <0-240>
Description: Set the priority of the port.
  <0-240>  Setting range: 0 ~ 240 (default: 128).

Note: The port priority must be one of the following values (multiples of 16):
0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, 240
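The bridge ID and port ID fields that the show spanning-tree output later in this chapter prints (for example 8000-0006c4720229 and portid 8005) are built directly from the priorities set in the Root Switch Setting and Port Priority Setting sections above. The following Python is an added example, not code from the TiFRONT guide or from PLOS: it encodes both identifiers as IEEE 802.1D/802.1Q define them, rejects priority values that are not on the allowed steps, and elects the root from a set of bridge IDs. The MAC addresses are the ones shown in the guide's output; the switch names are constructed for the example. The same comparison is why a rogue device advertising priority 0 and a low MAC address wins a plain election, which is what the Root Guard setting described later in this chapter defends against.

```python
"""Added example (not code from the TiFRONT guide or PLOS): bridge ID and
port ID encoding per IEEE 802.1D/802.1Q and root election by lowest bridge ID.
Switch names are constructed for the example; MAC addresses are taken from
the guide's show output."""

BRIDGE_PRIORITY_STEP = 4096   # bridge priority uses the top 4 bits of a 16-bit field
PORT_PRIORITY_STEP = 16       # port priority uses the top 4 bits of an 8-bit field


def bridge_id(priority: int, mac: str, sys_id_ext: int = 0) -> str:
    """Return the bridge ID as `show spanning-tree` prints it, e.g. 8000-0006c4720229.

    The 16-bit prefix is priority + system ID extension. In PVST+ the extension
    is the VLAN ID, which is why the guide's PVST+ output shows 8001-... for the
    default instance (VLAN 1) and 8002... for the VLAN 2 instance."""
    if priority % BRIDGE_PRIORITY_STEP or not 0 <= priority <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 in 0..61440")
    if not 0 <= sys_id_ext < BRIDGE_PRIORITY_STEP:
        raise ValueError("system ID extension must fit in 12 bits")
    mac_hex = mac.replace(":", "").replace("-", "").lower()
    if len(mac_hex) != 12 or any(c not in "0123456789abcdef" for c in mac_hex):
        raise ValueError("MAC address must be 6 bytes")
    return f"{priority + sys_id_ext:04x}-{mac_hex}"


def port_id(priority: int, port_number: int) -> int:
    """Return the 16-bit port ID: priority in the high byte, port number below.

    With the default priority 128 a port numbered 5 prints as portid 8005;
    after `spanning-tree priority 0` a port numbered 6 prints as 6 (0x0006)."""
    if priority % PORT_PRIORITY_STEP or not 0 <= priority <= 240:
        raise ValueError("port priority must be a multiple of 16 in 0..240")
    if not 1 <= port_number <= 4095:
        raise ValueError("port number must fit in 12 bits")
    return (priority << 8) | port_number


def elect_root(bridges: dict) -> str:
    """Return the name of the bridge with the numerically lowest bridge ID.

    Comparing the whole 64-bit value compares priority first and the MAC
    address as tie-breaker, so a priority of 0 beats every other bridge."""
    return min(bridges, key=lambda name: int(bridges[name].replace("-", ""), 16))


# Constructed sample: the two switches seen in the guide's STP example, both
# at the default priority; the lower MAC address (...0203) wins the election.
SAMPLE = {
    "switch-1": bridge_id(32768, "00:06:c4:72:02:29"),
    "switch-2": bridge_id(32768, "00:06:c4:72:02:03"),
}

# After `spanning-tree priority 0` on switch-1 it becomes root, as in the guide.
AFTER_PRIORITY_0 = dict(SAMPLE, **{"switch-1": bridge_id(0, "00:06:c4:72:02:29")})
```

elect_root(SAMPLE) returns "switch-2" and elect_root(AFTER_PRIORITY_0) returns "switch-1", matching the root id lines in the configuration example at the end of this chapter.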

Edge Port Setting

STP does not need to run on a port whose neighbor is not a bridge but an end station (an ordinary host). Such a
port is called an edge port. When you set a port as an edge port, it goes straight to the forwarding state without
passing through listening and learning. A port stops behaving as an edge port as soon as it receives a BPDU; in
that case you must set it as an edge port again.
To set a port as an edge port, run the following command in <Interface Configuration Mode>.
Command: spanning-tree portfast
Description: Set the port as an edge port.

Caution: Take care when doing this, because a loop can be created if a port that actually leads to another switch is set as an
edge port. Combine edge ports with BPDU Guard (described later in this chapter) so that a switch plugged into such a port is shut
out instead of joining the topology.

Note: To remove the edge port setting, run the command no spanning-tree portfast in <Interface Configuration Mode>.


BPDU Filter Setting

The BPDU filter stops BPDUs from being exchanged through a specific port, so that no resources are spent on them.
A port with the BPDU filter enabled behaves as if STP were disabled on it: it neither processes received BPDUs
nor sends any. Because such a port ignores BPDUs, a loop through it cannot be detected by spanning tree; enable
the filter only on ports that can never be connected to another bridge.
To enable the BPDU filter by default on edge ports, run the following command in <Configuration Mode>.
Command: spanning-tree portfast bpdu-filter
Description: Set the default state of the BPDU filter to enabled. The initial default is disabled.

Note: To set the default state of the BPDU filter back to disabled, run the command no spanning-tree portfast bpdu-filter in
<Configuration Mode>.

To set the BPDU filter state of an individual port, run the following command in <Interface Configuration Mode>.
Command: spanning-tree bpdu-filter {default | disable | enable}
Description: Set the BPDU filter state of the port (default: default).
  default  Use the default state. The default is applied only when the port is an edge port.
  disable  Disable the BPDU filter on the port.
  enable   Enable the BPDU filter on the port.

Note: The default state applies only to edge ports. On a port that is not an edge port, the BPDU filter stays disabled even
if the default is set to enabled.

BPDU Guard Setting

BPDU Guard blocks the unauthorized connection of network devices such as switches or hubs, as well as STP-related
attacks. When BPDU Guard is enabled, a port that receives a BPDU is shut down (its link is brought down), so the
device behind it cannot change the STP topology.
To enable BPDU Guard by default on edge ports, run the following command in <Configuration Mode>.
Command: spanning-tree portfast bpdu-guard
Description: Set the default state of BPDU Guard to enabled. The initial default is disabled.

Note: To set the default state of BPDU Guard back to disabled, run the command no spanning-tree portfast bpdu-guard in
<Configuration Mode>.


To set the BPDU Guard state of an individual port, run the following command in <Interface Configuration Mode>.
Command: spanning-tree bpdu-guard {default | disable | enable}
Description: Set the BPDU Guard state of the port (default: default).
  default  Use the default state.
  disable  Disable BPDU Guard on the port.
  enable   Enable BPDU Guard on the port.

Note: The default state applies only to edge ports. On a port that is not an edge port, BPDU Guard stays disabled even if
the default is set to enabled.

Root Guard Setting

Root Guard prevents an unintended change of the root switch. When Root Guard is enabled on a port and the port
receives a BPDU that advertises a root with a lower bridge ID than the current root switch (a superior BPDU), the
port is put into the blocking state instead of accepting the new root. If no superior BPDU is received for the
forward delay time, the port returns to its normal state. Typically it is enabled on the ports that face switches
which must never become root.
To enable Root Guard, run the following command in <Interface Configuration Mode>.
Command: spanning-tree guard root
Description: Enable the Root Guard function (default: disabled).

Note: To disable Root Guard, run the command no spanning-tree guard root in <Interface Configuration Mode>.
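Both BPDU Guard and Root Guard act on received BPDUs: BPDU Guard on the mere arrival of one at a guarded edge port, Root Guard on whether the advertised root is superior to the current root. The Python below is an added example, not code from the TiFRONT guide or from PLOS: it decodes an IEEE 802.1D configuration BPDU (the 35-byte body that follows the LLC header) and returns the action the two guards would take on a port. The BPDU layout is the one from 802.1D; the sample frames, the current_root value and the port flags are constructed for the example.

```python
"""Added example, not code from the TiFRONT guide or PLOS: parse an IEEE
802.1D configuration BPDU and apply the decisions that BPDU Guard and Root
Guard make when such a frame arrives on a port. Frame layout per 802.1D; the
sample frames and port settings below are constructed for the example."""
import struct
from dataclasses import dataclass

# 35-byte configuration BPDU body: protocol ID, version, type, flags, root ID,
# root path cost, bridge ID, port ID, message age, max age, hello, fwd delay.
CONFIG_BPDU = struct.Struct(">HBBB8sI8sHHHHH")
TCN_TYPE = 0x80


@dataclass(frozen=True)
class Bpdu:
    version: int            # 0 = STP, 2 = RSTP, 3 = MSTP
    bpdu_type: int          # 0x00 configuration, 0x02 RST
    root_id: bytes          # 2-byte priority + 6-byte MAC; big-endian, so raw bytes compare correctly
    root_path_cost: int
    bridge_id: bytes        # sender's bridge ID
    port_id: int
    message_age: float      # seconds (wire unit is 1/256 s)
    max_age: float
    hello_time: float
    forward_delay: float


def parse_bpdu(payload: bytes) -> Bpdu:
    """Decode the BPDU body. An RST BPDU carries one extra trailing byte
    (version 1 length) that is simply ignored here."""
    if len(payload) >= 4 and payload[3] == TCN_TYPE:
        raise ValueError("TCN BPDU carries no root information to evaluate")
    if len(payload) < CONFIG_BPDU.size:
        raise ValueError("truncated BPDU")
    (proto, version, btype, _flags, root, cost, bridge, pid,
     age, max_age, hello, fwd) = CONFIG_BPDU.unpack_from(payload)
    if proto != 0:
        raise ValueError("not a spanning tree BPDU")
    return Bpdu(version, btype, root, cost, bridge, pid,
                age / 256, max_age / 256, hello / 256, fwd / 256)


def bridge_id_bytes(priority: int, mac: str) -> bytes:
    """8-byte bridge ID (priority, then MAC) for the constructed samples."""
    return priority.to_bytes(2, "big") + bytes.fromhex(mac.replace(":", ""))


def port_decision(bpdu: Bpdu, edge_port: bool, bpdu_guard: bool,
                  root_guard: bool, current_root: bytes) -> str:
    """What the receiving port does, in the order the guards apply:
    - BPDU Guard: any BPDU on a guarded edge port shuts the port down.
    - Root Guard: a BPDU whose root ID is lower than the current root (a
      superior BPDU) moves the port to blocking instead of accepting it.
    - Otherwise the BPDU is processed normally."""
    if edge_port and bpdu_guard:
        return "shutdown"
    if root_guard and bpdu.root_id < current_root:
        return "blocking"
    return "accept"


def build_config_bpdu(root: bytes, cost: int, bridge: bytes, port: int) -> bytes:
    """Encoder for the constructed samples (default timers 2/20/15 s)."""
    return CONFIG_BPDU.pack(0, 0, 0, 0, root, cost, bridge, port,
                            0, 20 * 256, 2 * 256, 15 * 256)


# Constructed samples. CURRENT_ROOT uses the root ID from the guide's STP
# example; ROGUE claims root with priority 0, which wins a plain election.
CURRENT_ROOT = bridge_id_bytes(32768, "00:06:c4:72:02:03")
LEGIT = build_config_bpdu(CURRENT_ROOT, 200000, CURRENT_ROOT, 0x8005)
ROGUE_ID = bridge_id_bytes(0, "00:00:00:00:00:01")
ROGUE = build_config_bpdu(ROGUE_ID, 0, ROGUE_ID, 0x8001)
```

Without Root Guard the rogue frame is accepted and the sender becomes root; with it the port goes to blocking, and with BPDU Guard on an edge port even the legitimate frame shuts the port down, which is the intended reaction to a switch appearing where only hosts belong.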

Hello Time Setting

The hello time is the interval at which a TiFRONT sends hello BPDUs to its neighbors. To change it, run the
following command in <Configuration Mode>.
Command: spanning-tree hello-time <1-10>
Description: Set the hello time.
  <1-10>  Setting range: 1 ~ 10 (sec); default: 2 sec.

Note: To restore the default hello time, run the command no spanning-tree hello-time in <Configuration Mode>.


Forward Delay Time Setting

The forward delay time is the time a port on which STP is enabled spends in each intermediate state (listening,
then learning) before moving on; for example, with a forward delay time of 10 sec, each state change takes 10 sec.
To change the forward delay time, run the following command in <Configuration Mode>.
Command: spanning-tree forward-time <4-30>
Description: Set the forward delay time.
  <4-30>  Setting range: 4 ~ 30 (sec); default: 15 sec.

Note: To restore the default forward delay time, run the command no spanning-tree forward-time in <Configuration Mode>.

Maximum Aging Time Setting

The maximum aging time is how long the information from a received BPDU stays valid. Information learned from a
BPDU is discarded once the maximum aging time has passed without a refresh. To change the maximum aging time, run
the following command in <Configuration Mode>.
Command: spanning-tree max-age <6-40>
Description: Set the maximum aging time of BPDU packets.
  <6-40>  Setting range: 6 ~ 40 (sec); default: 20 sec.

Note: To restore the default maximum aging time, run the command no spanning-tree max-age in <Configuration Mode>.

Note: The maximum aging time, hello time, and forward delay time must satisfy both of the following relations:
  Maximum aging time >= (Hello time + 1) * 2
  Maximum aging time <= (Forward delay time - 1) * 2
For example, if the maximum aging time is 6, the hello time can only be 1 or 2. If the maximum aging time is 10, the forward
delay time must be 6 or higher.
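Because the switch checks the two relations in the note above against the values in force at the moment each command is entered, the order in which the three timer commands are typed matters. The Python below is an added example, not code from the TiFRONT guide or from PLOS: timer_violations checks a set of timers against the ranges and relations given in this chapter, and plan_timer_changes finds an order for the spanning-tree hello-time, spanning-tree forward-time and spanning-tree max-age commands that keeps every intermediate state valid. The target values are constructed for the example.

```python
"""Added example (not code from the TiFRONT guide or PLOS): check the relation
the guide requires between hello time, forward delay and maximum aging time,
and order the timer commands so that no intermediate state violates it.
Target values below are constructed for the example."""
from itertools import permutations

RANGES = {"hello": (1, 10), "forward": (4, 30), "max_age": (6, 40)}
COMMANDS = {"hello": "spanning-tree hello-time",
            "forward": "spanning-tree forward-time",
            "max_age": "spanning-tree max-age"}
DEFAULTS = {"hello": 2, "forward": 15, "max_age": 20}


def timer_violations(timers: dict) -> list:
    """Return the constraints the timers violate (empty list = consistent).

    2*(hello+1) <= max_age: a BPDU relayed every hello interval must arrive
    before the previous one ages out, or the tree flaps on a lost BPDU.
    max_age <= 2*(forward-1): stale topology information must not outlive
    the listening+learning wait, or a loop can form during convergence."""
    problems = []
    for name, (lo, hi) in RANGES.items():
        if not lo <= timers[name] <= hi:
            problems.append(f"{name}={timers[name]} outside {lo}..{hi}")
    hello, fwd, max_age = timers["hello"], timers["forward"], timers["max_age"]
    if max_age < 2 * (hello + 1):
        problems.append(f"max_age {max_age} < 2*(hello+1)={2 * (hello + 1)}")
    if max_age > 2 * (fwd - 1):
        problems.append(f"max_age {max_age} > 2*(forward-1)={2 * (fwd - 1)}")
    return problems


def plan_timer_changes(current: dict, target: dict):
    """Return the CLI commands that move `current` to `target`, in an order
    whose every intermediate state is valid; None if the target itself is
    invalid or no order works (the switch would reject a command mid-way)."""
    if timer_violations(target):
        return None
    for order in permutations(("hello", "forward", "max_age")):
        state, cmds = dict(current), []
        for name in order:
            if state[name] != target[name]:
                state[name] = target[name]
                cmds.append(f"{COMMANDS[name]} {target[name]}")
            if timer_violations(state):
                break
        else:
            return cmds
    return None
```

For the target (hello 2, forward 8, max-age 12) starting from the defaults, entering spanning-tree forward-time 8 first would leave max-age 20 above 2*(8-1) = 14, so the planner emits spanning-tree max-age 12 before spanning-tree forward-time 8.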

BPDU Hop Setting

In MSTP, you can limit how many hops a BPDU travels inside the region. Each switch that forwards the BPDU
decrements the remaining hop count, and the BPDU is discarded when it reaches zero. To set the hop count, run the
following command in <Configuration Mode>.
Command: spanning-tree max-hops <1-40>
Description: Set the maximum hop count of BPDUs in MSTP.
  <1-40>  Setting range: 1 ~ 40; default: 20.

Note: To restore the default hop count, run the command no spanning-tree max-hops in <Configuration Mode>.


MST Region Setting

To use MSTP on a TiFRONT, you must set the MST configuration ID, which determines the MST region the device
belongs to. The configuration ID consists of the region name, the revision, and the VLAN map. To set the
configuration ID, run the following commands in <Configuration Mode>.
No.  Command                          Description
1    spanning-tree mst configuration  Enter <MSTP configuration mode> from <Configuration mode>.
2    region <REGION_NAME>             Specify the region name.
3    revision <0-65535>               Specify the revision number. All switches in the same MST region must use
                                      the same revision number. Setting range: 0 ~ 65535.

Note: To delete the MST region, run the no region command in <MSTP Configuration Mode>.
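The configuration ID above is what decides whether two switches treat each other as members of one MST region. The VLAN map, built with the instance <1-63> vlan <VLANID> command described in the next section, is not carried in full in BPDUs but as a digest, so two switches agree on the region only if every VLAN is mapped to the same instance on both. The Python below is an added example, not code from the TiFRONT guide or from PLOS: it builds the MST configuration identifier (format selector, name, revision and the HMAC-MD5 digest of the VLAN-to-instance table under the key published in IEEE 802.1Q-2005 clause 13.7) and compares two switches. The region name, revision and VLAN assignments mirror the MSTP example at the end of this chapter; the switch labels are constructed.

```python
"""Added example, not code from the TiFRONT guide or PLOS: build the MST
configuration ID (region name, revision, VLAN-to-instance map) as IEEE
802.1Q-2005 13.7 defines it and check whether two switches share a region.
Region name, revision and VLAN assignments mirror the guide's MSTP example;
the switch labels are constructed."""
import hashlib
import hmac

# Signature key from IEEE 802.1Q-2005 clause 13.7; every switch uses this key,
# so the digest is a canonical hash of the VLAN map, not a secret.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def vlan_map_digest(vlan_to_instance: dict) -> bytes:
    """HMAC-MD5 over the MST configuration table: 4096 big-endian 16-bit
    entries, entry n = MSTI of VLAN n; VLANs not assigned stay in the IST (0)."""
    table = bytearray(4096 * 2)
    for vlan, instance in vlan_to_instance.items():
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN {vlan} outside 1..4094")
        if not 1 <= instance <= 63:
            raise ValueError(f"instance {instance} outside 1..63")
        table[2 * vlan:2 * vlan + 2] = instance.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).digest()


def configuration_id(region: str, revision: int, vlan_to_instance: dict) -> bytes:
    """Encode the MST Configuration Identifier as carried in MST BPDUs:
    format selector (0), 32-byte zero-padded name, 16-bit revision, 16-byte digest."""
    name = region.encode("ascii")
    if len(name) > 32:
        raise ValueError("region name is at most 32 characters")
    if not 0 <= revision <= 65535:
        raise ValueError("revision outside 0..65535")
    return (b"\x00" + name.ljust(32, b"\x00") + revision.to_bytes(2, "big")
            + vlan_map_digest(vlan_to_instance))


def same_region(a: tuple, b: tuple) -> bool:
    """Two switches are in one MST region only if all three values match."""
    return configuration_id(*a) == configuration_id(*b)


# Constructed samples mirroring the guide's MSTP example: region mst-exam,
# revision 1, VLANs 2 and 3 in instance 1.
SWITCH_A = ("mst-exam", 1, {2: 1, 3: 1})
SWITCH_B = ("mst-exam", 1, {3: 1, 2: 1})     # same map entered in another order
SWITCH_C = ("mst-exam", 1, {2: 1, 3: 2})     # VLAN 3 moved to instance 2
SWITCH_D = ("mst-exam", 2, {2: 1, 3: 1})     # revision bumped, map unchanged
```

A mismatch in any of the three fields, including a single VLAN that one switch left in the IST, makes the two ports boundary ports of different regions and silently degrades MSTP between them to CST behaviour; comparing the digests is the quickest way to find such drift. With an empty map (every VLAN in the IST) the digest is the well-known default value AC36177F50283CD4B83821D8AB26DE62 that other MSTP implementations print for an unconfigured region.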

Instance Setting
To use PVST+/RPVST+/MSTP on a TiFRONT, you must first assign a VLAN to an instance.

MSTP Instance Setting

To build the VLAN map by assigning a VLAN to an MSTP instance, run the following command in <MSTP configuration
mode>.
Command: instance <1-63> vlan <VLANID>
Description: Add a VLAN to an instance (build the VLAN map).
  <1-63>    Instance ID. Setting range: 1 ~ 63.
  <VLANID>  ID of the VLAN to be included in the instance. Setting range: 1 ~ 4094.

After assigning the VLAN to an MSTP instance, you must also add the ports that belong to that VLAN to the
instance. To add a port to an MSTP instance, run the following commands in <Interface Configuration Mode>.
No.  Command                                                Description
1    spanning-tree instance <1-63>                          Add the port to an instance.
                                                            <1-63>  Instance ID. Setting range: 1 ~ 63.
2    spanning-tree instance <1-63> path-cost <1-200000000>  (Optional) Set the route cost of the port in the instance.
                                                            <1-200000000>  Setting range: 1 ~ 200,000,000.
3    spanning-tree instance <1-63> priority <0-240>         (Optional) Set the priority of the port in the instance.
                                                            <0-240>  Setting range: 0 ~ 240 (default: 128).

Note: The port priority must be one of the following values:
0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, 240

To set the priority of an MSTP instance, run the following command in <Configuration Mode>.
Command: spanning-tree instance <1-63> priority <0-61440>
Description: Set the bridge priority of this switch in the instance.
  <1-63>     Instance ID. Setting range: 1 ~ 63.
  <0-61440>  Instance priority. Setting range: 0 ~ 61440 (default: 32768).

Note: The instance priority must be one of the following values:
0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440

PVST+/RPVST+ Instance Setting

To create a PVST+/RPVST+ instance, run the following command in <Configuration Mode>.
Command: spanning-tree vlan <2-4094>
Description: Create an instance and set the VLAN to be included in it.
  <2-4094>  VLAN ID. Setting range: 2 ~ 4094.

To set the priority of a PVST+/RPVST+ instance, run the following command in <Configuration Mode>.
Command: spanning-tree vlan <2-4094> priority <0-61440>
Description: Set the bridge priority of this switch in the instance.
  <0-61440>  Instance priority. Setting range: 0 ~ 61440 (default: 32768).

Note: The instance priority must be one of the following values:
0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440

After assigning the VLAN to an instance, you must also add the ports that belong to that VLAN to the PVST+/RPVST+
instance. To add a port to a PVST+/RPVST+ instance, run the following commands in <Interface Configuration Mode>.
No.  Command                                              Description
1    spanning-tree vlan <2-4094>                          Add the port to the instance.
2    spanning-tree vlan <2-4094> path-cost <1-200000000>  (Optional) Set the route cost of the port in the instance.
                                                          <1-200000000>  Setting range: 1 ~ 200,000,000.
3    spanning-tree vlan <2-4094> priority <0-240>         (Optional) Set the priority of the port in the instance.
                                                          <0-240>  Setting range: 0 ~ 240 (default: 128).

Note: The port priority must be one of the following values:
0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, 240

Operation Mode Setting

To change the spanning tree operation mode of a port, run the following command in the port's <Interface
Configuration Mode>.
Command: spanning-tree force-version <0-3>
Description: Change the spanning tree operation mode of the port.
  <0-3>  Setting range: 0 ~ 3 (0: STP, 1: not set, 2: RSTP, 3: MSTP).

Note: Depending on the current mode, the modes that can be changed to are limited as follows:
- STP: cannot be changed to RSTP or MSTP
- RSTP: cannot be changed to MSTP
- MSTP: no limit

Checking the Settings


Showing the Spanning Tree Setting
To check the spanning tree settings, run the command show spanning-tree in <User Mode>, <Privileged
Mode>, or <Configuration Mode>. To check the details of spanning tree settings, run the command show
spanning-tree detail [interface <IFNAME>] in <User Mode> or <Privileged Mode>.

Showing the Instance Settings


To check the instance settings, run the command show spanning-tree instance <1-63> [interface
<IFNAME>] in <User Mode> or <Privileged Mode>.

Showing the Interface Settings


To check the spanning tree settings of an interface, run the command show spanning-tree interface
<IFNAME> in <User Mode> or <Privileged Mode>.

Showing the VLAN settings


To check the spanning tree settings of a VLAN, run the command show spanning-tree vlan <1-4094>
[interface <IFNAME>] in <User Mode> or <Privileged Mode>.

Showing the RPVST+/MSTP Settings


To check the RPVST+/MSTP settings, run the command show spanning-tree {rpvst+ | mst} config in
<User Mode> or <Privileged Mode>.


Configuration Example
In this example, STP is enabled and the bridge priority of the device is changed. As the priority is lowered to
0, the switch becomes the root switch and the port states change accordingly.

(config)# spanning-tree mode stp            Set spanning tree mode
(config)# spanning-tree enable              Enable spanning tree
(config)# show spanning-tree                Show the settings
spanning-tree: STP enable
instance name : default instance(0)
protocol(1d) : enabled
ageing time : 300 (sec)
bridge id : 8000-0006c4720229 ( priority : 32768 )
root id : 8000-0006c4720203
root port ge1 / path cost 200000
forward delay 15 (sec) / bridge forward delay 15 (sec)
hello time 2 (sec) / bridge hello time 2 (sec)
max age 20 (sec) / bridge max age 20 (sec)
current hello timer remaining - 0 (sec)
current tcn timer remaining - 0 (sec)
current topology change timer remaining - 0 (sec)
ge1: portid 8005 - path cost 200000 - desig-path cost 0 - forwarding
ge2: portid 8006 - path cost 200000 - desig-path cost 0 - blocked
(config)# spanning-tree priority 0          Set the priority
(config)# show spanning-tree                Show the settings
spanning-tree: STP enable
instance name : default instance(0)
protocol(1d) : enabled
ageing time : 300 (sec)
bridge id : 0000-0006c4720229 ( priority : 0 )
root id : 0000-0006c4720229
root port --/ path cost 0
forward delay 15 (sec) / bridge forward delay 15 (sec)
hello time 2 (sec) / bridge hello time 2 (sec)
max age 20 (sec) / bridge max age 20 (sec)
current hello timer remaining - 1 (sec)
current tcn timer remaining - 0 (sec)
current topology change timer remaining - 0 (sec)
ge1: portid 8005 - path cost 200000 - desig-path cost 0 - forwarding
ge2: portid 8006 - path cost 200000 - desig-path cost 0 - forwarding
In the following example, the port priority is changed and the settings are queried.

(config)# show spanning-tree                Show the settings
spanning-tree: STP enable
instance name : default instance(0)
protocol(1d) : enabled
ageing time : 300 (sec)
bridge id : 8000-0006c4720203 ( priority : 32768 )
root id : 8000-0006c4720203
root port --/ path cost 0
forward delay 15 (sec) / bridge forward delay 15 (sec)
hello time 2 (sec) / bridge hello time 2 (sec)
max age 20 (sec) / bridge max age 20 (sec)
current hello timer remaining - 0 (sec)
current tcn timer remaining - 0 (sec)
current topology change timer remaining - 25 (sec)
ge1: portid 8005 - path cost 200000 - desig-path cost 0 - forwarding
ge2: portid 8006 - path cost 200000 - desig-path cost 0 - forwarding
(config)# interface ge2                     Enter the <Interface configuration mode> of the port
(config-if-ge2)# spanning-tree priority 0   Change the port priority to 0
(config-if-ge2)# exit
(config)# show spanning-tree                Show the settings
spanning-tree: STP enable
instance name : default instance(0)
protocol(1d) : enabled
ageing time : 300 (sec)
bridge id : 8000-0006c4720203 ( priority : 32768 )
root id : 8000-0006c4720203
root port --/ path cost 0
forward delay 15 (sec) / bridge forward delay 15 (sec)
hello time 2 (sec) / bridge hello time 2 (sec)
max age 20 (sec) / bridge max age 20 (sec)
current hello timer remaining - 1 (sec)
current tcn timer remaining - 0 (sec)
current topology change timer remaining - 0 (sec)
ge1: portid 8005 - path cost 200000 - desig-path cost 0 - forwarding
ge2: portid 6 - path cost 200000 - desig-path cost 0 - forwarding

In the following example, the route cost is changed and the settings are queried.

(config)# show spanning-tree                Show the settings
spanning-tree: STP enable
instance name : default instance(0)
protocol(1d) : enabled
ageing time : 15 (sec)
bridge id : 8000-0006c4720229 ( priority : 32768 )
root id : 8000-0006c4720203
root port ge2 / path cost 200000
forward delay 15 (sec) / bridge forward delay 15 (sec)
hello time 2 (sec) / bridge hello time 2 (sec)
max age 20 (sec) / bridge max age 20 (sec)
current hello timer remaining - 0 (sec)
current tcn timer remaining - 0 (sec)
current topology change timer remaining - 0 (sec)
ge1: portid 8005 - path cost 200000 - desig-path cost 0 - blocked
ge2: portid 8006 - path cost 200000 - desig-path cost 0 - forwarding
(config)# interface ge1
(config-if-ge1)# spanning-tree path-cost 2000   Change the route cost
(config-if-ge1)# exit
(config)# show spanning-tree                Show the settings
spanning-tree: STP enable
instance name : default instance(0)
protocol(1d) : enabled
ageing time : 15 (sec)
bridge id : 8000-0006c4720229 ( priority : 32768 )
root id : 8000-0006c4720203
root port ge1 / path cost 2000
forward delay 15 (sec) / bridge forward delay 15 (sec)
hello time 2 (sec) / bridge hello time 2 (sec)
max age 20 (sec) / bridge max age 20 (sec)
current hello timer remaining - 0 (sec)
current tcn timer remaining - 0 (sec)
current topology change timer remaining - 0 (sec)
ge1: portid 8005 - path cost 2000 - desig-path cost 0 - forwarding
ge2: portid 8006 - path cost 200000 - desig-path cost 0 - blocked

In the following example, the hello time, forward delay time, and maximum aging time are set.

(config)# show spanning-tree                Show the settings
spanning-tree: STP enable
instance name : default instance(0)
protocol(1d) : enabled
ageing time : 15 (sec)
bridge id : 8000-0006c4720203 ( priority : 32768 )
root id : 8000-0006c4720203
root port --/ path cost 0
forward delay 15 (sec) / bridge forward delay 15 (sec)
hello time 2 (sec) / bridge hello time 2 (sec)
max age 20 (sec) / bridge max age 20 (sec)
current hello timer remaining - 0 (sec)
current tcn timer remaining - 0 (sec)
current topology change timer remaining - 0 (sec)
ge1: portid 8005 - path cost 200000 - desig-path cost 0 - forwarding
ge2: portid 6 - path cost 200000 - desig-path cost 0 - forwarding
(config)# spanning-tree hello-time 1        Change the hello time to 1
(config)# spanning-tree forward-time 20     Change the forward delay time to 20
(config)# spanning-tree max-age 10          Change the maximum aging time to 10
(config)# show spanning-tree                Show the settings
spanning-tree: STP enable
instance name : default instance(0)
protocol(1d) : enabled
ageing time : 15 (sec)
bridge id : 8000-0006c4720203 ( priority : 32768 )
root id : 8000-0006c4720203
root port --/ path cost 0
forward delay 20 (sec) / bridge forward delay 20 (sec)
hello time 1 (sec) / bridge hello time 1 (sec)
max age 10 (sec) / bridge max age 10 (sec)
current hello timer remaining - 0 (sec)
current tcn timer remaining - 0 (sec)
current topology change timer remaining - 0 (sec)
ge1: portid 8005 - path cost 200000 - desig-path cost 0 - forwarding
ge2: portid 6 - path cost 200000 - desig-path cost 0 - forwarding

The following is an example of PVST+ setting.

(config)# vlan 2 name v1                    Create a VLAN
(config)# interface ge1
(config-if-ge1)# switchport access vlan 2
(config-if-ge1)# exit
(config)# interface ge2
(config-if-ge2)# switchport access vlan 2
(config-if-ge2)# exit
(config)# spanning-tree mode pvstp          Set the spanning tree mode
(config)# spanning-tree enable              Enable spanning tree
(config)# show spanning-tree                Show the settings
spanning-tree: PVST+ enable
instance name : default instance(0)
protocol(1d) : enabled
bridge id : 8001-0006c4440207 ( priority : 32768 )
root id : 8001-0006c4440207
root port --/ path cost 0
forward delay 15 (sec) / bridge forward delay 15 (sec)
hello time 2 (sec) / bridge hello time 2 (sec)
max age 20 (sec) / bridge max age 20 (sec)
current tcn timer remaining - 0 (sec)
current topology change timer remaining - 0 (sec)
(config)# spanning-tree vlan 2              Create an instance and specify a VLAN
(config)# interface ge1
(config-if-ge1)# spanning-tree vlan 2       Include the port in the instance
(config-if-ge1)# exit
(config)# interface ge2
(config-if-ge2)# spanning-tree vlan 2       Include the port in the instance
(config-if-ge2)# exit
(config)# show spanning-tree                Show the settings
spanning-tree: PVST+ enable
instance name : default instance(0)
protocol(1d) : enabled
bridge id : 8001-0006c4440207 ( priority : 32768 )
root id : 8001-0006c4440207
root port --/ path cost 0
forward delay 15 (sec) / bridge forward delay 15 (sec)
hello time 2 (sec) / bridge hello time 2 (sec)
max age 20 (sec) / bridge max age 20 (sec)
current tcn timer remaining - 0 (sec)
current topology change timer remaining - 0 (sec)
Instance 1: Vlans: 2
Root Path Cost 0 - Root Port (0) - Bridge Priority 32768
Root Id 80020006c4440207
Bridge Id 80020006c4440207

Chapter 8 STP Configuration

The following is an example of MSTP setting.

(config)# vlan 2 name v1                               Set a VLAN
(config)# vlan 3 name v2
(config)# interface ge1
(config-if-ge1)# switchport access vlan 2
(config-if-ge1)# exit
(config)# interface ge2
(config-if-ge2)# switchport access vlan 2
(config-if-ge2)# exit
(config)# interface ge3
(config-if-ge3)# switchport access vlan 3
(config-if-ge3)# exit
(config)# interface ge4
(config-if-ge4)# switchport access vlan 3
(config-if-ge4)# exit
(config)# spanning-tree mode mstp                      Set the spanning tree mode
(config)# spanning-tree enable                         Enable spanning tree
(config)# show spanning-tree                           Show the settings
spanning-tree: MSTP enable
name : CIST
protocol(1s) : enabled
cist bridge id : 8000-0006c4440207 ( priority : 32768 )
region root id : 8000-0006c4440207
cist root id : 8000-0006c4440207
cist root port --/ external path cost 0
forward delay 15 (sec) / bridge forward delay 15 (sec)
hello time 2 (sec) / bridge hello time 2 (sec)
max age 20 (sec) / bridge max age 20 (sec)
max hops 20
(config)# spanning-tree mst configuration              Enter <MSTP configuration mode>
(config-mst)# region mst-exam                          Set the region name
(config-mst)# revision 1                               Set the revision number to 1
(config-mst)# instance 1 vlan 2                        Add the VLAN with ID 2 to instance 1
(config-mst)# instance 1 vlan 3                        Add the VLAN with ID 3 to instance 1
(config-mst)# exit
TiFRONT(config)# interface ge1
TiFRONT(config-if-ge1)# spanning-tree instance 1      Add port ge1 to instance 1
TiFRONT(config-if-ge1)# exit
TiFRONT(config)# interface ge2
TiFRONT(config-if-ge2)# spanning-tree instance 1      Add port ge2 to instance 1
TiFRONT(config-if-ge2)# exit
TiFRONT(config)# interface ge3
TiFRONT(config-if-ge3)# spanning-tree instance 1      Add port ge3 to instance 1
TiFRONT(config-if-ge3)# exit
TiFRONT(config)# interface ge4
TiFRONT(config-if-ge4)# spanning-tree instance 1      Add port ge4 to instance 1
TiFRONT(config-if-ge4)# exit
(config)# spanning-tree instance 1 priority 0          Set the priority to 0
(config)# show spanning-tree                           Show the settings
spanning-tree: MSTP enable
name : CIST
protocol(1s) : enabled
cist bridge id : 8000-0006c4440207 ( priority : 32768 )
region root id : 8000-0006c4440207
cist root id : 8000-0006c4440207
cist root port --/ external path cost 0
forward delay 15 (sec) / bridge forward delay 15 (sec)
hello time 2 (sec) / bridge hello time 2 (sec)
max age 20 (sec) / bridge max age 20 (sec)
max hops 20
Instance 1: Vlans: 2-3
MSTI Root Path Cost 0 - MSTI Root Port (0) - MSTI Bridge Priority 0
MSTI Root Id 00010006c4440207
MSTI Bridge Id 00010006c4440207
TiFRONT User Guide

Chapter 9
Routing Protocol Configuration
This chapter introduces the routing protocols RIP (Routing Information Protocol), OSPF (Open Shortest Path
First), and BGP (Border Gateway Protocol), and describes the procedure for setting each routing protocol for
TiFRONT.
This chapter is composed of the following contents:
L3 License Registration
Filter Setting
Route Map Setting
RIP Overview and Setting
OSPF Overview and Setting
BGP Overview and Setting

Note: The routing protocol is supported only for the TiFRONT-G24/G24P/GX24M/GX24P models.


L3 License Registration
This section describes the procedures for registering a license to use the routing protocol function in CLI and
for enabling the dynamic routing function.

Registering the License


To register the L3 license, run the following command in <Configuration Mode>.

layer3 license <LICENSE>
  Register the L3 license in the system.
  <LICENSE>: License received at the time of purchase

Note: You cannot use the routing protocol unless the L3 license is registered. When you run the command for enabling this function, the following
message appears:
% This switch doesn't have the layer 3 License.

Note: The L3 license is available only for the TiFRONT-G24/G24P/GX24M/GX24P models that support the routing protocol.

Note: For detailed information on the issuance of an L3 license, please contact the product seller or the PIOLINK Technical Assistance Team (+82-15449890).

Caution: As the L3 license key is generated using the device's serial number, the license cannot be registered for other devices.

Setting the State of Routing Function


To use the routing protocol, you must first enable the routing function. You can enable the routing function
by running the following command in <Configuration mode>.

ip forwarding
  Enable the routing function.

Note: To disable the routing function, run the command no ip forwarding in <Configuration Mode>.

Note: If you disable the routing function, the static routing function through a fixed route setting is disabled as well.

Note: If you run the command for enabling the routing protocol without enabling the routing function, the following message will appear:
% Should be set "ip forwarding" for using L3-related CLI commands.


Filter Setting
The routing protocol uses access lists and prefix lists to block unnecessary routing information. The access
list uses the protocol, source/destination IP addresses, and source/destination port numbers as conditions
for comparing packets. The prefix list uses only IP address and subnet mask as the conditions for comparing
packets. This section describes the procedures for setting the prefix list. For information about the access
list setting, see [Chapter 12 Security Settings ACL (Access Control List) - ACL Setting - Access List Setting]
in this Guide.

Prefix List Setting


To set a prefix list, run the following commands in <Configuration Mode>. The prefix list rules are
inspected in ascending order of sequence number.

ip prefix-list <WORD> [seq <1-4294967295>] {deny | permit} {<A.B.C.D/M> [ge <0-32> | le <0-32>] | any}
  Add a prefix list.
  <WORD>: Specify the name of the prefix list.
  <1-4294967295>: Sequence number of the rule. If not specified, it starts from 5 and increases by 5 in
    the order in which the rules are set. Setting range: 1 ~ 4294967295
  deny | permit: Specify the policy. deny: blocked, permit: allowed
  <A.B.C.D/M>: Network address for comparing packets
  ge <0-32>: The rule applies if the subnet mask length in a network address is greater than the
    specified value. Setting range: 0 ~ 32
  le <0-32>: The rule applies if the subnet mask length in a network address is equal to or smaller
    than the specified value. Setting range: 0 ~ 32
  any: The rule applies to all packets.

ip prefix-list <WORD> description <LINE> (Optional)
  Enter a description of the prefix list.
  <WORD>: Name of the prefix list for which to enter a description.
  <LINE>: You can enter up to 80 characters composed of letters, numbers, and special characters.

Note: To delete a prefix list, run the command no ip prefix-list <WORD> [seq <1-4294967295>] {deny | permit} {<A.B.C.D/M> [ge
<0-32> | le <0-32>] | any} in <Configuration mode>.


Route Map Setting


A route map defines the routing information transmission and reception policy of the routing protocol. It is
used to apply the routing protocol for specific routing information or to set the properties of the routing
information. This section describes the procedure for setting a route map.

Creating a Route Map


To create a route map, run the following command in <Configuration Mode>.

route-map <WORD> {deny | permit} <1-65535>
  Create a route map and enter <Route map configuration mode>.
  <WORD>: Specify the name of the route map.
  deny | permit: Specify the policy of the route map rule. deny: blocked, permit: allowed
  <1-65535>: Sequence number of the route map rule. The route map rules are inspected in ascending
    order of sequence number. Setting range: 1 ~ 65535

Note: To delete the route map, run the command no route-map <WORD> [{deny | permit} <1-65535>] in <Configuration Mode>.

Setting the Conditions for Comparing Routing Information


To set the conditions for comparing the routing information, run the following commands in <Route map
configuration mode>.

match as-path <WORD>
  Set the AS path as a comparing condition.
  <WORD>: Name of the as-path list for which the AS path is set.

match community {<1-99> <100-199> <WORD>} [exact-match]
  Set the BGP community list as a comparing condition.
  <1-99>: Standard community list number. Setting range: 1 ~ 99
  <100-199>: Extended community list number. Setting range: 100 ~ 199
  <WORD>: Name of the community list.
  exact-match: Only communities that match exactly

match extcommunity {<1-99> <100-199> <WORD>} [exact-match]
  Set the BGP extended community as a comparing condition.
  <1-99>: Standard community list number. Setting range: 1 ~ 99
  <100-199>: Extended community list number. Setting range: 100 ~ 199
  <WORD>: Name of the community list.
  exact-match: Only communities that match exactly

match interface <IFNAME>
  Set a specific interface as a comparing condition.
  <IFNAME>: Name of the interface

match ip address {<1-199> <1300-2699> <WORD> | prefix-list <WORD>}
  Set a specific IP address as a comparing condition. To use this command, the access list or prefix
  list for the IP address must be defined.
  <1-199>: Access list number. Setting range: 1 ~ 199
  <1300-2699>: Extended access list number. Setting range: 1300 ~ 2699
  <WORD>: Access list name.
  prefix-list <WORD>: Prefix list name.

match ip next-hop {<1-199> <1300-2699> <WORD> | prefix-list <WORD>}
  Set the IP address of a specific next hop as a comparing condition. To use this command, the access
  list or prefix list for the IP address of the next hop must be defined.
  <1-199>: Access list number. Setting range: 1 ~ 199
  <1300-2699>: Extended access list number. Setting range: 1300 ~ 2699
  <WORD>: Access list name.
  prefix-list <WORD>: Prefix list name.

match ip peer {<1-199> <1300-2699> <WORD>}
  Set the IP address of a BGP peer (neighbor) as a comparing condition. To use this command, the
  access list for the IP address of the BGP peer must be defined.
  <1-199>: Access list number. Setting range: 1 ~ 199
  <1300-2699>: Extended access list number. Setting range: 1300 ~ 2699
  <WORD>: Access list name.

match metric <0-4294967295>
  Set a specific metric as a comparing condition.
  <0-4294967295>: Metric. Setting range: 0 ~ 4294967295

match origin {egp | igp | incomplete}
  Set the BGP origin attribute as a comparing condition.
  egp: BGP information created from an external routing protocol
  igp: BGP information created from an internal routing protocol
  incomplete: BGP information that is neither EGP nor IGP

match route-type external {type-1 | type-2}
  Set the route cost calculation method as a comparing condition.
  type-1: The sum of the external and internal costs is used as the route cost.
  type-2: Only the external cost is used as the route cost.

match tag <0-4294967295>
  Set the tag of specific routing information as a comparing condition.
  <0-4294967295>: Tag number. Setting range: 0 ~ 4294967295

Note: Each comparing condition can be deleted by running the no <command for comparing the condition to be deleted> in <Route
Map setting mode>.

Setting the Routing Information Attributes


To set the attributes of the routing information through a route map, run the following commands in <Route
map configuration mode>.

set aggregator as <1-4294967295> <A.B.C.D>
  Set the AS number for a BGP router ID.
  <1-4294967295>: Set an AS number.
  <A.B.C.D>: Router ID for which to set the AS number

set as-path prepend <1-4294967295>
  Add an AS to the AS path.
  <1-4294967295>: Set the AS number to add.

set atomic-aggregate
  Set the atomic-aggregate attribute. This attribute indicates that AS path information may have been
  removed due to route summarization.

set comm-list {<1-99> <100-199> <WORD>} delete
  Delete a community list.
  <1-99>: Standard community list number. Setting range: 1 ~ 99
  <100-199>: Extended community list number. Setting range: 100 ~ 199
  <WORD>: Community name

set community {<1-65535> <AA:NN> internet | local-AS | no-advertise | no-export} [additive]
  Set a community value.
  <1-65535>: Set the community value as a decimal number. Setting range: 1 ~ 65535
  <AA:NN>: Specify the community value as AS number:arbitrary number.
  internet: Set the community value to internet.
  local-AS: Do not send the routing information to another sub-AS in the confederation.
  no-advertise: Do not send the routing information to any BGP neighbor.
  no-export: Do not send the routing information to another AS.
  additive: Add the new value to the existing community value.

set dampening [<1-45> [<1-20000> <1-20000> <1-255> [<1-45>]]]
  A penalty is given when the path to the network goes down. If the penalty exceeds the threshold, the
  transmission of the routing information for the network is blocked.
  <1-45>: Half-life of the penalty for a reachable network. Setting range: 1 ~ 45 (Default value: 15 min)
  <1-20000>: Blocking release value. Setting range: 1 ~ 20000 (Default value: 750)
  <1-20000>: Blocking start value. Setting range: 1 ~ 20000 (Default value: 2000)
  <1-255>: Maximum blocking time. Setting range: 1 ~ 255 (Default value: 60 min)
  <1-45>: Half-life of the penalty for an unreachable network. Setting range: 1 ~ 45
    (Default value: 15 min)

set extcommunity {rt | soo} <AA:NN>
  Set an extended community value.
  rt: Specify the RT (Route Target) for differentiating VPNs.
  soo: Specify the SOO (Site of Origin) to prevent routing loops.
  <AA:NN>: Specify the community value as AS number:arbitrary number.

set ip next-hop <A.B.C.D> [interface <IFNAME>] [primary | secondary]
  Set the next hop.
  <A.B.C.D>: IP address of the next hop
  <IFNAME>: Name of the interface connected to the next hop
  primary: Specify the next hop as the primary next hop.
  secondary: Specify the next hop as the secondary next hop.

set local-preference <0-4294967295>
  Set the BGP local preference value.
  <0-4294967295>: Setting range: 0 ~ 4294967295

set metric <+/-><0-4294967295>
  Change the metric.
  <+/-><0-4294967295>: Indicate an increase or decrease of the metric with + or - and enter the
    amount by which to increase or decrease it. Setting range: 0 ~ 4294967295

set origin {egp | igp | incomplete}
  Set the BGP origin attribute.
  egp: BGP information created from an external routing protocol
  igp: BGP information created from an internal routing protocol
  incomplete: BGP information that is neither EGP nor IGP

set originator-id <A.B.C.D>
  Set the router ID that is included in the BGP routing information.
  <A.B.C.D>: Set the router ID in IP address format.

set tag <0-4294967295>
  Set a tag for the routing information.
  <0-4294967295>: Setting range: 0 ~ 4294967295

set weight <0-4294967295>
  Set the weight of the route information. This weight is used only on the corresponding router.
  <0-4294967295>: Setting range: 0 ~ 4294967295

Note: Each attribute described above can be deleted by running the no <command for setting the attribute to be deleted> in
<Route Map setting mode>.
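As an added illustration of the prefix-list rules from Filter Setting and the route-map match/set clauses of this section (example code, not TiFRONT or PIOLINK code), the following Python evaluates a prefix list in sequence order with ge/le and then runs a route through route-map entries. It assumes the first matching rule decides, a route matching no rule is denied, and "ge" means strictly greater than, following the guide's wording.

```python
"""Prefix-list and route-map evaluation (added example, not TiFRONT code).
Assumptions: rules are checked in ascending sequence order, the first matching
rule decides, a route that matches no rule is denied, and "ge" means strictly
greater than, following the guide's wording."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PrefixRule:
    seq: int
    action: str                        # "permit" or "deny"
    prefix: Optional[str]              # "A.B.C.D/M", or None for "any"
    ge: Optional[int] = None           # applies if mask length > ge
    le: Optional[int] = None           # applies if mask length <= le

    def matches(self, net: ipaddress.IPv4Network) -> bool:
        if self.prefix is None:                     # "any": every route matches
            return True
        rule_net = ipaddress.ip_network(self.prefix, strict=False)
        if not net.subnet_of(rule_net):
            return False
        if self.ge is None and self.le is None:     # no ge/le: exact mask length only
            return net.prefixlen == rule_net.prefixlen
        if self.ge is not None and net.prefixlen <= self.ge:
            return False
        return self.le is None or net.prefixlen <= self.le


class PrefixList:
    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: List[PrefixRule] = []

    def add(self, action: str, prefix: Optional[str] = None, seq: Optional[int] = None,
            ge: Optional[int] = None, le: Optional[int] = None) -> int:
        if seq is None:   # like the CLI: numbering starts at 5 and grows by 5
            seq = (max(r.seq for r in self.rules) // 5 + 1) * 5 if self.rules else 5
        self.rules.append(PrefixRule(seq, action, prefix, ge, le))
        return seq

    def evaluate(self, prefix: str) -> str:
        """Return "permit" or "deny" for a route prefix such as "10.1.5.0/24"."""
        net = ipaddress.ip_network(prefix, strict=False)
        for rule in sorted(self.rules, key=lambda r: r.seq):
            if rule.matches(net):
                return rule.action
        return "deny"                               # assumed implicit deny


@dataclass
class RouteMapEntry:
    seq: int
    action: str                                     # "permit" or "deny"
    match_prefix_list: Optional[PrefixList] = None  # match ip address prefix-list <WORD>
    match_metric: Optional[int] = None              # match metric <0-4294967295>
    set_metric: Optional[str] = None                # set metric <+/-><0-4294967295>
    set_local_pref: Optional[int] = None            # set local-preference <0-4294967295>
    set_tag: Optional[int] = None                   # set tag <0-4294967295>

    def matches(self, route: Dict) -> bool:
        pl = self.match_prefix_list
        if pl is not None and pl.evaluate(route["prefix"]) != "permit":
            return False
        return self.match_metric is None or route.get("metric") == self.match_metric


def apply_route_map(entries: List[RouteMapEntry], route: Dict) -> Optional[Dict]:
    """Return the (possibly modified) route if the map permits it, None if denied."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if not entry.matches(route):
            continue
        if entry.action == "deny":
            return None
        out = dict(route)
        if entry.set_metric is not None:
            if entry.set_metric[0] in "+-":          # relative change, floored at 0
                out["metric"] = max(0, out["metric"] + int(entry.set_metric))
            else:
                out["metric"] = int(entry.set_metric)
        if entry.set_local_pref is not None:
            out["local_pref"] = entry.set_local_pref
        if entry.set_tag is not None:
            out["tag"] = entry.set_tag
        return out
    return None                                     # no entry matched: denied


def demo() -> Dict[str, Optional[Dict]]:
    # Constructed policy: prefer customer routes inside 10.1.0.0/16 no longer than /24,
    # refuse one subnet of it, drop anything advertised with metric 16, tag the rest.
    cust = PrefixList("CUST-IN")
    cust.add("deny", "10.1.99.0/24")                # seq 5
    cust.add("permit", "10.1.0.0/16", le=24)        # seq 10
    rmap = [
        RouteMapEntry(10, "permit", match_prefix_list=cust, set_local_pref=200, set_metric="+5"),
        RouteMapEntry(20, "deny", match_metric=16),
        RouteMapEntry(30, "permit", set_tag=99),
    ]
    routes = [{"prefix": "10.1.5.0/24", "metric": 3}, {"prefix": "10.1.99.0/24", "metric": 3},
              {"prefix": "10.1.5.0/28", "metric": 3}, {"prefix": "172.16.0.0/12", "metric": 16}]
    return {r["prefix"]: apply_route_map(rmap, r) for r in routes}
```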


RIP Overview and Setting


This section introduces the basic concepts about RIP (Routing Information Protocol), and describes the
procedures for setting RIP in TiFRONT through CLI commands.

RIP Overview
RIP is an internal gateway protocol (IGP) designed to be used in a small-scale network. The IGP is a dynamic
routing protocol that exchanges routing information in an autonomous system (AS). An AS is a group of
networks to which the same routing and administration policies are applied. A corporate intranet consisting
of multiple networks to which the same policies apply is an example of AS. External gateway protocols for
exchanging routing information between ASs include BGP.
RIP selects the shortest route using the distance-vector algorithm when there are multiple routes to the
destination in the routing table. The distance-vector algorithm selects the route that has the shortest
distance (or cost) to the next hop and the final destination as the optimum route. This method is
advantageous because it is easy to configure and uses a small amount of memory.

Routing Update Message


The dynamic routing protocol reflects the changed network state in the routing table by exchanging
information between routers when the network state changes due to a topology change or an error. RIP
periodically sends its routing information (routing update messages) to every connected neighbor router
over UDP port 520.
Upon receiving a routing update message from a neighbor router, the router updates its routing table to
reflect this information. At this time, the router increases the metric of the route by 1 when calculating
the route and records the source IP address of the routing update message as the next hop.

Metric
In RIP, the number of hops to the destination is regarded as the path distance and is expressed in metric. In
the route, the metric is set to 1 by default. The network administrator can change the metric by referring to
the route state, physical speed, etc. RIP selects the route that has the smallest metric when choosing the best
route to a destination. Therefore, a lower metric value must be set for a route that has a better state or faster
speed.

Restriction of Metric
RIP restricts the metric value to 15 or lower and regards a path with a metric of 16 as unreachable.
When the metric becomes 16, RIP determines that the route can no longer be used, and the route is not
sent to other routers. Because of this restriction of the metric, RIP is mainly used within a single AS.


RIP Timers
RIP uses the following timers to periodically send routing update packets and identify invalid routing
information.
Update timer
  This timer determines when the router sends its routing update packets. Whenever the time set in
  this timer passes, a routing update packet is sent to the neighbor routers. (Default: 30 sec)
Timeout timer
  This timer determines whether or not a neighbor router is still valid. If no routing update packet is
  received from a neighbor router for the time set in this timer, that router is regarded as abnormal
  and the routing information received from it is treated as invalid (its metric is changed to 16).
  (Default: 180 sec)
Collect timer
  This timer determines when invalid routing information is deleted. Until the time set in this timer
  has passed, even invalid routing information is sent to the neighbor routers in routing update
  packets. After the time set in this timer passes, the invalid routing information is removed from the
  routing table. (Default: 120 sec)

Routing Loop and Split Horizon


The greatest shortcoming of routing protocols that determine the route by using the distance vector
algorithm such as RIP is the possibility of a routing loop. Routing loop refers to the phenomenon that routers
keep exchanging routing information, thinking that they can reach the route through each other.

Consider the example network illustrated above, in which router A is directly connected to the network
10.1.1.0. Router B reaches the network 10.1.1.0 through router A, and router C reaches the network
10.1.1.0 through router B and router A.
Now assume that the link connecting router A and network 10.1.1.0 is disconnected. Upon detecting the
disconnection, router A removes network 10.1.1.0 from its routing table because it can no longer reach
the network through the direct route. However, router B does not know this yet and sends its routing table
to router A in a routing update message. Router A, which no longer has an entry for 10.1.1.0 in its routing
table, increases the metric of the 10.1.1.0 route entry received from router B and adds it to its routing
table. Then router B also increases the metric of the 10.1.1.0 route entry received from router C, adds it to
its routing table, and sends it to router A again. If this continues, even though network 10.1.1.0 is
actually unreachable, the route entry for this network keeps being updated in the routing table of each
router while its metric value increases. In the end, the metric value of the route entry for network 10.1.1.0
keeps increasing until it reaches 16, at which point the entry becomes invalid and the destination is
treated as unreachable.
This phenomenon is called a routing loop, and it is resolved only when the metric value of the route entry
reaches 16. Split horizon, however, is a method that resolves the routing loop without waiting for the
metric value to reach 16. With split horizon, a router does not send a route back to the router from which
it learned that route. Applied to the above network, because the information about network 10.1.1.0 was
sent to router B by router A, router B excludes the route entry for network 10.1.1.0 from the information
that it sends to router A.
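The count-to-infinity behaviour described above, and how split horizon stops it, simulated in Python (added example, not from the guide). It assumes synchronous full-table exchanges between A, B and C, and treats a route whose next hop has stopped advertising it as timed out (metric 16) in the same round.

```python
"""Simulation of the routing loop and split horizon discussed above (added
example, not TiFRONT code). Topology from the guide: A -- B -- C, router A
directly attached to network 10.1.1.0. Simplifications (assumed): routers
exchange full tables in synchronous rounds, and a route whose next hop stops
advertising it is treated as timed out (metric 16) immediately."""
from typing import Dict, List, Optional, Tuple

NET = "10.1.1.0"
INFINITY = 16            # RIP: metric 16 means unreachable
NEIGHBORS = {"A": ["B"], "B": ["A", "C"], "C": ["B"]}

# dest -> (metric, next hop); next hop None = directly connected
Table = Dict[str, Tuple[int, Optional[str]]]


def receive(table: Table, sender: str, adv: Dict[str, int]) -> None:
    """Apply one routing update message from `sender` to `table` in place."""
    for dest, metric in adv.items():
        new_metric = min(metric + 1, INFINITY)    # the metric grows by 1 per hop
        cur = table.get(dest)
        if cur is None:
            if new_metric < INFINITY:             # never install an unreachable route
                table[dest] = (new_metric, sender)
        elif cur[1] == sender or new_metric < cur[0]:
            table[dest] = (new_metric, sender)    # update from current next hop, or better route
    for dest, (metric, next_hop) in list(table.items()):
        if next_hop == sender and dest not in adv:
            table[dest] = (INFINITY, next_hop)    # next hop no longer advertises dest: invalid


def simulate(split_horizon: bool, max_rounds: int = 50) -> List[Dict[str, Optional[int]]]:
    """Return, per round, the metric each router holds for NET (None = no entry)."""
    tables: Dict[str, Table] = {          # converged state before the failure
        "A": {NET: (1, None)},
        "B": {NET: (2, "A")},
        "C": {NET: (3, "B")},
    }
    del tables["A"][NET]                  # the link between A and 10.1.1.0 goes down
    history = []
    for _ in range(max_rounds):
        updates = {}
        for router, nbrs in NEIGHBORS.items():
            for nbr in nbrs:
                # split horizon: never send a route back to the router it was learned from
                updates[(router, nbr)] = {
                    dest: metric for dest, (metric, next_hop) in tables[router].items()
                    if not (split_horizon and next_hop == nbr)
                }
        new_tables = {r: dict(t) for r, t in tables.items()}
        for (sender, receiver), adv in updates.items():
            receive(new_tables[receiver], sender, adv)
        changed = new_tables != tables
        tables = new_tables
        history.append({r: (t[NET][0] if NET in t else None) for r, t in tables.items()})
        if not changed:
            break
    return history
```

Without split horizon A immediately re-learns 10.1.1.0 from B and the three routers count the metric up to 16 over many rounds; with split horizon A never re-learns the route and the tables settle in a few rounds.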


RIP Versions
The RIP versions supported by TiFRONT are RIPv1 and RIPv2. The differences between these two versions are
shown below.
RFC
  RIPv1: RFC1923
  RIPv2: RFC2453
Subnet mask
  RIPv1: Only supports class A, B, C, and D.
  RIPv2: Supports CIDR by allowing the transmission of the subnet mask.
Authentication
  RIPv1: Does not support an authentication function.
  RIPv2: Supports the authentication of routing update messages.
Message format (RTE part)
  RIPv1: AFI(2) : Address Family Identifier
         IP address(4) : IP address of destination
         metric(4) : Metric value of route
         The remaining 10 bytes are filled with 0.
  RIPv2: AFI(2) : Address Family Identifier
         IP address(4) : IP address of destination
         subnet mask(4) : Subnet mask
         next hop(4) : IP address of the next hop
         metric(4) : Metric value of route
Routing update transmission method
  RIPv1: Broadcasts routing update messages to every neighbor router.
  RIPv2: Sends routing update messages to the multicast address 224.0.0.9 so that only the routers
         connected to the network can receive them.
When you enable RIP in TiFRONT, RIPv1 is used by default. Because RIPv1 does not support subnet mask,
route information containing a subnet mask cannot be sent through RIPv1. Therefore, you should enable
RIPv2 depending on your network environment.
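Added example (not TiFRONT code): encoding and parsing the RIPv1 and RIPv2 RTE layouts from the table above, rejecting metrics outside 1 to 16 and non-zero must-be-zero fields in RIPv1 entries. The 4-byte message header and the RIPv2 route tag field are taken from RFC 2453, not from the table.

```python
"""RIPv1/RIPv2 message encoding and parsing (added example, not TiFRONT code).
The RTE layouts follow the table above; the 4-byte header (command, version,
two zero bytes) and the RIPv2 route tag come from RFC 2453. Authentication
entries (AFI 0xFFFF) are rejected rather than parsed."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

RIP_PORT = 520
INFINITY = 16
RTE_LEN = 20


@dataclass
class RouteEntry:
    afi: int
    address: str
    metric: int
    subnet_mask: Optional[str] = None   # RIPv2 only
    next_hop: Optional[str] = None      # RIPv2 only; 0.0.0.0 means "use the sender"
    route_tag: int = 0                  # RIPv2 only


def build_rte(version: int, address: str, metric: int, mask: str = "0.0.0.0",
              next_hop: str = "0.0.0.0", route_tag: int = 0) -> bytes:
    """Encode one 20-byte RTE; for RIPv1 the 10 bytes after the address are zero."""
    addr = ipaddress.IPv4Address(address).packed
    if version == 1:
        return struct.pack("!HH4s8sI", 2, 0, addr, bytes(8), metric)
    return struct.pack("!HH4s4s4sI", 2, route_tag, addr,
                       ipaddress.IPv4Address(mask).packed,
                       ipaddress.IPv4Address(next_hop).packed, metric)


def build_message(command: int, version: int, rtes: List[bytes]) -> bytes:
    """command 1 = request, 2 = response (RFC 2453 header)."""
    return struct.pack("!BBH", command, version, 0) + b"".join(rtes)


def parse_rte(rte: bytes, version: int) -> RouteEntry:
    afi, tag = struct.unpack("!HH", rte[:4])
    metric = struct.unpack("!I", rte[16:20])[0]
    if afi == 0xFFFF:
        raise ValueError("authentication entry, not a route")
    if not 1 <= metric <= INFINITY:                  # RIP metrics are 1..16
        raise ValueError(f"invalid metric {metric}")
    if version == 1:
        # RIPv1: everything after AFI + IP address except the metric must be zero
        if tag != 0 or rte[8:16] != bytes(8):
            raise ValueError("non-zero must-be-zero field in RIPv1 RTE")
        return RouteEntry(afi, str(ipaddress.IPv4Address(rte[4:8])), metric)
    return RouteEntry(afi, str(ipaddress.IPv4Address(rte[4:8])), metric,
                      str(ipaddress.IPv4Address(rte[8:12])),
                      str(ipaddress.IPv4Address(rte[12:16])), tag)


def parse_message(data: bytes) -> Tuple[int, int, List[RouteEntry]]:
    """Return (command, version, entries) or raise ValueError on a malformed message."""
    if len(data) < 4 or (len(data) - 4) % RTE_LEN != 0:
        raise ValueError("bad RIP message length")
    command, version, zero = struct.unpack("!BBH", data[:4])
    if version not in (1, 2) or zero != 0:
        raise ValueError("unsupported version or non-zero header field")
    entries = [parse_rte(data[i:i + RTE_LEN], version)
               for i in range(4, len(data), RTE_LEN)]
    return command, version, entries
```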

RIP Settings
The RIP setting process in TiFRONT includes the following steps:

Enabling RIP (required)

RIP Timer Setting

RIP Version Setting

Route Redistribution Setting

Default Route Setting

Default Metric Setting

RIP Fixed Route Setting

Limiting the Number of RIP Routes

Neighbor Routers Setting

Authentication Key Chain Setting

Routing Information Filtering

Cisco Metric Update Status Setting

RIP Setting of Interface

Each setting step is described below.


Enabling RIP
To enable RIP in TiFRONT, run the following commands in <Configuration Mode>.

router rip
  Enable the RIP routing process and enter <RIP configuration mode>.

network {<A.B.C.D> | <IFNAME>}
  Specify a network for which to enable RIP. Enter the name of the VLAN interface to exchange routing
  update messages with neighbor routers only through a specific interface.

Note: To disable RIP for the specified network, run the command no router rip in <Configuration Mode>.

RIP Timer Setting


RIP uses the update, timeout, and collection timers to determine the routing update message transmission
period, whether a route entry is still valid, and when to delete an invalid route entry. You can set these
values by using the following command in <RIP Configuration Mode>.

timers basic <5-2147483647> <5-2147483647> <5-2147483647>
  Change the values of the RIP routing timers.
  <5-2147483647>: Update timer. Setting range: 5 ~ 2147483647, Default value: 30 (sec)
  <5-2147483647>: Timeout timer. Setting range: 5 ~ 2147483647, Default value: 180 (sec)
  <5-2147483647>: Collection timer. Setting range: 5 ~ 2147483647, Default value: 120 (sec)

Note: To delete the changed timer value and restore the default value, run the command no timers basic in <RIP Configuration Mode>.

In TiFRONT, you can change the timer values when necessary due to an adjustment of routing protocol
performance or a change of network environment. Take special care about the following points when
changing the timer values.
Update Timer
Special care must be taken because this timer value can have great influence on network traffic. If this timer
value is too small, the routing update messages can burden the network; if it is too large, accurate routing is
impossible because the reliability of the routing information that the routers have becomes low. You should
use the default value 30 if possible.
Timeout Timer
This timer value must be at least three times as large as the update timer value. In other words, the route entry
must be treated as valid even if it is not updated while routing update messages are sent three times.
Collection Timer
The collection timer value is the waiting time from the moment the timeout timer expires until the route is
deleted. Therefore, the duration from the moment when an invalid route is detected until it is deleted equals
timeout timer + collection timer.


RIP Version Setting


TiFRONT supports RIP version 1 (RIPv1) and RIP version 2 (RIPv2). When you enable RIP in TiFRONT, RIPv1 is
used by default. If a neighbor router is using RIP version 2, it cannot process the packets sent from TiFRONT.
Therefore, you must change it to RIPv2.
You can set the RIP version by using the following command in <RIP Configuration Mode>.

version <1-2>
  Set the RIP version. Enter 1 to set version 1 or 2 to set version 2.

Note: Instead of the RIP version set in <RIP Configuration Mode>, you can set the RIP version for each interface. To set the RIP version to be applied
to a specific interface, use the command ip rip send version and ip rip receive version in <Interface Configuration Mode>.

Route Redistribution Setting


To send neighbor routers the information about the routes that are directly connected to the router, the
user-defined static routes, and the route information learned from other routing protocols among the routes
in the RIP routing table, you must redistribute the routes. You can redistribute the routes by using the
following command in <RIP Configuration Mode>.

redistribute {bgp | connected | isis | kernel | ospf | static} [metric <0-16>] [route-map <WORD>]
  Send route information to the neighbor routers.
  bgp: Route learned by BGP
  connected: Directly connected route
  isis: Route learned by IS-IS
  kernel: Route that the kernel has
  ospf: Route learned by OSPF
  static: Static route
  <0-16>: Initial metric of the redistributed route. Setting range: 0 ~ 16
  <WORD>: Name of the route map applied to the redistributed routes.

Note: If you don't want to redistribute the routes, run the command no redistribute in <RIP Configuration Mode>. The RIP router does not
redistribute the routes by default.

Default Route Setting


To generate a default route in an AS boundary router and send it to the RIP network, run the following
command in <RIP Configuration Mode>.
default-information originate
  Generate a default route and send it to the other routers in the RIP network.

Note: To disable the default route setting, run the command no default-information originate in <RIP Configuration Mode>.


Default Metric Setting


You can set the default metric for distributing to other routers by using the following command in <RIP
Configuration Mode>.
default-metric <1-16>
  Set the default metric.
  <1-16>: Setting range: 1 ~ 16

Note: To delete the default metric setting, run the command no default-metric in <RIP Configuration Mode>.

RIP Fixed Route Setting


You can set a fixed route to be used only in a RIP network by using the following command in <RIP
Configuration Mode>.
route <A.B.C.D/M>
  Set a fixed RIP route.
  <A.B.C.D/M>: IP address and net mask bits of the fixed route

Note: To delete the RIP fixed route setting, run the command no route <A.B.C.D/M> in <RIP Configuration Mode>.

Limiting the Number of RIP Routes


You can limit the number of RIP routes in a routing table by using the following command in <RIP
Configuration Mode>.
maximum-prefix <1-65535> [<1-100>]
  Limit the number of RIP routes.
  <1-65535>: Maximum number of RIP routes. Setting range: 1 ~ 65535
  <1-100>: Warning rate of the maximum number of RIP routes. Setting range: 1 ~ 100

Note: To delete the limitation setting on the number of RIP routes, run the command no maximum-prefix in <RIP Configuration Mode>.


Neighbor Router Setting


To send RIP routing information to a router to which the RIP routing information is not broadcast, you must
set the router as a neighbor router. You can set a neighbor router by using the following command in <RIP
Configuration Mode>.
neighbor <A.B.C.D>
  Set a neighbor router.
  <A.B.C.D>: IP address of the neighbor router

Note: To delete the neighbor router setting, run the command no neighbor <A.B.C.D> in <RIP Configuration Mode>.

Authentication Key Chain Setting


When using RIPv2, you can use an authentication key for security between devices that exchange routing
information. You can set the use of the authentication key differently for each interface. If you set the
authentication key mode to MD5, the secret key chain set in <Configuration Mode> is used as the
authentication key. To set the authentication key chain, perform the following steps in <Configuration
Mode>.
key chain <WORD>
  Create an authentication key chain and enter <Key Chain Configuration Mode>.
  <WORD>: Name of the authentication key chain

key <0-2147483647>
  Set an authentication key ID and enter <Key Configuration Mode>. The key ID must be identical on
  every connected device.
  <0-2147483647>: Authentication key ID. Setting range: 1 ~ 2147483647

key-string <LINE>
  Set the authentication key value. The authentication key value must be identical on every connected
  device.
  <LINE>: String to be used as the key value

accept-lifetime <HH:MM:SS> <1-31> <MONTH> <1993-2035> {<HH:MM:SS> <1-31> <MONTH> <1993-2035> | duration <1-2147483646> | infinite} (Optional)
  Set the effective period of the received authentication key. Enter the starting date and time of the
  effective period, and then the expiration date and time, a duration, or infinite.
  <HH:MM:SS>: Enter the hour, minute, and second.
  <1-31>: Enter the day of the month.
  <MONTH>: Enter the month.
  <1993-2035>: Enter the year.
  <1-2147483646>: Enter the effective period of the authentication key. Setting range: 1 ~ 2147483646 (sec)
  infinite: Use the authentication key with no period limitation.

send-lifetime <HH:MM:SS> <1-31> <MONTH> <1993-2035> {<HH:MM:SS> <1-31> <MONTH> <1993-2035> | duration <1-2147483646> | infinite} (Optional)
  Set the effective period of the sent authentication key. The parameters are the same as for
  accept-lifetime.

Caution: For RIP to work normally, the authentication key IDs and strings of the connected devices must be identical.

Note: To delete an authentication key chain, run the command no key chain <WORD> in <Configuration Mode>.

Note: To delete an authentication key, run the command no key <0-2147483647> in <Key Chain Configuration Mode>.

Note: To delete a key string, run the command no key-string in <Key Configuration Mode>.

Note: To delete an effective period of the accept key, run the command no accept-lifetime in <Key Configuration Mode>.

Note: To delete an effective period of the send key, run the command no send-lifetime in <Key Configuration Mode>.
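Added example (not TiFRONT code) of how accept-lifetime and send-lifetime interact during a key rollover on the key chain described above. It assumes a lifetime covers start <= t < end, that the lowest key ID with an active send-lifetime is used for sending, and that a received key is accepted only when its ID, key string and accept-lifetime all check out; the key names, strings and dates are constructed.

```python
"""Key chain lifetime handling (added example, not TiFRONT code). Assumed rules:
a lifetime covers start <= t < end, the key used for sending is the lowest key
ID whose send-lifetime contains the current time, and a received key is
accepted when its ID and string match and its accept-lifetime contains the
current time."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Union


@dataclass
class Lifetime:
    start: datetime
    end: Optional[datetime]           # None = infinite

    @classmethod
    def from_cli(cls, start: datetime, end: Union[datetime, int, str]) -> "Lifetime":
        """end: an explicit datetime, a duration in seconds, or the keyword "infinite"."""
        if end == "infinite":
            return cls(start, None)
        if isinstance(end, int):      # duration <1-2147483646>
            return cls(start, start + timedelta(seconds=end))
        return cls(start, end)

    def active(self, at: datetime) -> bool:
        return self.start <= at and (self.end is None or at < self.end)


@dataclass
class Key:
    key_id: int
    key_string: str
    accept: Lifetime
    send: Lifetime


class KeyChain:
    def __init__(self, name: str) -> None:
        self.name = name
        self.keys: Dict[int, Key] = {}

    def add(self, key: Key) -> None:
        self.keys[key.key_id] = key

    def send_key(self, at: datetime) -> Optional[Key]:
        """Lowest key ID whose send-lifetime is active, or None if no key is valid now."""
        for key_id in sorted(self.keys):
            if self.keys[key_id].send.active(at):
                return self.keys[key_id]
        return None

    def accepts(self, key_id: int, key_string: str, at: datetime) -> bool:
        key = self.keys.get(key_id)
        return key is not None and key.key_string == key_string and key.accept.active(at)


def rollover_chain() -> KeyChain:
    # Constructed example: key 1 is replaced by key 2 at 2014-06-01 00:00:00; key 1 stays
    # acceptable one day longer so a peer whose configuration lags does not lose its routes.
    chain = KeyChain("rip-keys")
    cutover = datetime(2014, 6, 1, 0, 0, 0)
    chain.add(Key(1, "spring-2014",
                  accept=Lifetime.from_cli(datetime(2014, 1, 1), cutover + timedelta(days=1)),
                  send=Lifetime.from_cli(datetime(2014, 1, 1), cutover)))
    chain.add(Key(2, "summer-2014",
                  accept=Lifetime.from_cli(cutover, "infinite"),
                  send=Lifetime.from_cli(cutover, 90 * 24 * 3600)))   # duration form
    return chain
```

Overlapping accept-lifetimes are what make a rollover safe: if the old key's accept-lifetime ended at the cutover, updates from a peer that switches a minute late would be rejected and its routes would time out.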

Routing Information Filtering

To control the reception and transmission of unnecessary routing information, TiFRONT filters routing
information in the following ways:
The reception and transmission of routing information satisfying specific conditions is blocked.
The transmission of routing information through a specific interface is blocked.
The use of routing information is prevented by increasing the metric when sending and receiving routing
information that satisfies specific conditions.
To set the routing information filtering, run the following commands in <RIP Configuration Mode>.

distribute-list {<WORD> | prefix <WORD>} {in | out} [<IFNAME>]
    The reception and transmission of RIP routing information satisfying specific conditions is blocked.
    <WORD>: Name of access list to be used as filtering condition
    prefix <WORD>: Name of prefix-list to be used as filtering condition
    in: Incoming routing information is blocked.
    out: Outgoing routing information is blocked.
    <IFNAME>: Name of interface to apply the filtering rule

passive-interface <IFNAME>
    The transmission of RIP routing information at a specific interface is blocked.
    <IFNAME>: Name of interface to be blocked from transmission of routing information

offset-list <WORD> {in | out} <0-16> [<IFNAME>]
    The metric of RIP routing information satisfying specific conditions is increased.
    <WORD>: Name of access list to be used as filtering condition
    in: The metric of the incoming routing information is increased.
    out: The metric of the outgoing routing information is increased.
    <0-16>: Metric to be increased. Setting range: 0 ~ 16
    <IFNAME>: Name of interface to apply the filtering rule

Note: Before you can set the routing information transmission/reception blocking rules using specific conditions, the access list and prefix list,
which are the filtering conditions, must be defined. For information about the access list setting, see [Chapter 12 Security Settings ACL (Access
Control List) - ACL Setting - Access List Setting] in this guide. For information about the prefix list setting, see [Filter Setting - Prefix List
Setting] section in this chapter.
Note: To delete the routing information exchange blocking rule through specific conditions, run the command no distribute-list {<WORD> |
prefix <WORD>} {in | out} [<IFNAME>] in <RIP Configuration Mode>.
Note: To delete the routing information transmission blocking rule of a specific interface, run the command no passive-interface <IFNAME>
in <Configuration Mode>.
Note: To delete the routing information metric increasing rule, run the command no offset-list <WORD> {in | out} <0-16> [<IFNAME>]
in <RIP Configuration Mode>.

TiFRONT User Guide
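As an added illustration (not TiFRONT code), the Python script below replays the effect of an inbound distribute-list and offset-list on a constructed RIP update. The access-list names RIP-DENY and RIP-SLOW are hypothetical, and each list is represented directly as the prefixes it matches. It shows the property the third filtering method relies on: a RIP metric saturates at 16, which means unreachable, so an offset that pushes a route to 16 removes it from use without the update being dropped.

```python
# Added example (not TiFRONT code): replay what 'distribute-list ... in' and
# 'offset-list ... in <0-16>' do to a constructed inbound RIP update.
import ipaddress
from typing import Dict, List, Tuple

RIP_INFINITY = 16  # a RIP metric of 16 means "unreachable"
Update = List[Tuple[str, int]]  # (prefix, metric as received)


def _matches(prefix: str, acl: List[str]) -> bool:
    """True when the prefix falls inside any entry of the (permit) access list."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(ipaddress.ip_network(entry)) for entry in acl)


def apply_inbound_filters(update: Update, deny_acl: List[str],
                          offset_acl: List[str], offset: int) -> Dict[str, dict]:
    """deny_acl: prefixes matched by the access list given to
    'distribute-list <WORD> in' (those routes are blocked);
    offset_acl / offset: prefixes matched by the access list given to
    'offset-list <WORD> in <0-16>' and the metric increase.
    The usual per-hop +1 of RIP is left out to isolate the filter effect."""
    if not 0 <= offset <= RIP_INFINITY:
        raise ValueError("offset out of range 0 ~ 16")
    result: Dict[str, dict] = {}
    for prefix, metric in update:
        if _matches(prefix, deny_acl):
            result[prefix] = {"action": "dropped", "metric": None}
            continue
        new_metric = metric
        if _matches(prefix, offset_acl):
            new_metric = min(metric + offset, RIP_INFINITY)  # saturates at 16
        action = "installed" if new_metric < RIP_INFINITY else "unreachable"
        result[prefix] = {"action": action, "metric": new_metric}
    return result


# Constructed inbound update and filter lists (hypothetical ACL names RIP-DENY
# and RIP-SLOW, corresponding to 'distribute-list RIP-DENY in' and
# 'offset-list RIP-SLOW in 3').
SAMPLE_UPDATE: Update = [
    ("10.1.0.0/16", 2),
    ("10.2.0.0/16", 3),
    ("192.168.5.0/24", 14),
    ("172.16.0.0/12", 1),
]
RIP_DENY = ["10.2.0.0/16"]
RIP_SLOW = ["192.168.0.0/16", "172.16.0.0/12"]

if __name__ == "__main__":
    for prefix, info in apply_inbound_filters(SAMPLE_UPDATE, RIP_DENY, RIP_SLOW, 3).items():
        print(prefix, info)
```

The 192.168.5.0/24 route arrives with metric 14; an offset of 3 takes it to 16 and it is marked unreachable, whereas 172.16.0.0/12 survives with metric 4 and 10.2.0.0/16 never reaches the routing table at all.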

Deleting RIP Routing Information

You can delete specific routing information from a routing table by using the following command in
<Privileged Mode>.

clear ip rip route {<A.B.C.D/M> | all | bgp | connected | isis | kernel | ospf | rip | static}
    Delete routing information from a RIP routing table.
    <A.B.C.D/M>: Enter the IP address of the routing information to be deleted.
    all: All routes of the routing table
    bgp: Route learned by BGP
    connected: Directly connected route
    isis: Route learned by IS-IS
    kernel: Route that the kernel has
    ospf: Route learned by OSPF
    rip: Route learned by RIP
    static: Static route

Cisco Metric Update Support Setting

To support a metric update in the same way as CISCO devices, run the following command in <RIP Configuration Mode>.

cisco-metric-behavior enable
    Update the metric in the same way as CISCO.

Note: To disable the CISCO metric update support setting, run the command cisco-metric-behavior disable or no cisco-metric-behavior in <RIP Configuration Mode>.

RIP Setting of Interface


The RIP settings (timer setting, RIP version setting, etc.) made in <RIP Configuration Mode> are commonly
applied to all interfaces of the network for which RIP is enabled. Of the RIP settings, you can set the RIP
version differently for each interface, and you can enable/disable the Split Horizon function, the use of
authentication key, and the transmission/reception of RIP packets. In this section, you will learn the
procedures for setting the RIP version at each interface, Split Horizon function, authentication key, and the
transmission and reception of RIP packets.

IP Address Setting for Interface

To set the RIP version to send and receive packets at an interface, perform the following procedure in
<Interface Configuration Mode>.

ip rip send version {1 | 1-compatible | 2 | 1 2}
    Set the RIP version to use for sending packets.
    1: Use RIP version 1.
    1-compatible: Use RIP version 1 compatible packets at a RIP version 2 interface.
    2: Use RIP version 2.
    1 2: Use both RIP versions 1 and 2.

ip rip receive version {1 | 2 | 1 2}
    Set the RIP version to use for receiving packets.
    1: Use RIP version 1.
    2: Use RIP version 2.
    1 2: Use both RIP versions 1 and 2.

Note: To use the RIP version set in <RIP Configuration Mode> instead of the RIP version specified at the interface, run the commands no ip rip
send version and no ip rip receive version.

Enabling/Disabling Split Horizon

To enable the Split Horizon function that prevents a routing loop, run the following command in <Interface
Configuration Mode>.

ip rip split-horizon [poisoned]
    Enable the Split Horizon function.
    poisoned: Advertise an unreachable path.

Note: To disable Split Horizon, run the command no ip rip split-horizon in <Interface Configuration Mode>.

Setting Authentication Key

When using RIPv2, you can use an authentication key for security between devices that exchange routing
information.
You can set an authentication key by using the following commands in <Interface Configuration Mode>.

ip rip authentication mode {md5 | text}
    Set the RIP authentication mode.
    md5: Encrypt the key with the MD5 algorithm.
    text: Use general text as authentication key.

ip rip authentication key-chain <LINE>
    Specify the key chain if the authentication mode is MD5.
    Note: You must specify a key chain that has been created. For the procedure for setting a key chain, see the
    [RIP Overview and Setting - RIP Setting - Key Chain Setting] section of this chapter.

ip rip authentication string <LINE>
    Enter a string to be used as a key if you have set the authentication mode to Text.

Note: To disable RIP authentication, run the command no ip rip authentication key-chain in <Interface Configuration Mode>.

Note: To delete the authentication key string, run the command no ip rip authentication string in <Interface Configuration Mode>.

Setting RIP Packet Sending/Receiving

To set whether to send or receive RIP packets at an interface, run the following commands in <Interface Configuration Mode>.

ip rip send-packet
    Send RIP packets at the interface.

ip rip receive-packet
    Receive RIP packets at the interface.

Note: To disable the sending and receiving of RIP packets at an interface, run the commands no ip rip send-packet and no ip
rip receive-packet in <Interface Configuration Mode>.

Checking the RIP Settings


To check the RIP settings, run the command show ip protocols rip in <User Mode> or <Privileged
Mode>.

Checking the RIP Routing Table

To show the entries in the RIP routing table, run the command show ip rip in <User Mode> or <Privileged
Mode>.

OSPF Overview and Setting


This section introduces the basic concepts about OSPF (Open Shortest Path First) and describes the
procedures for setting OSPF in TiFRONT through CLI commands.

OSPF Overview
As with RIP, OSPF is an internal gateway protocol for exchanging routing information in AS. The routing
information exchanged between routers in OSPF is called LSA (Link State Advertisement). OSPF selects the
shortest route to a destination through the Link State Algorithm. The Link State Algorithm checks the
network interface state and the network connected to the interface, and calculates the route cost used in an
interface. Then it selects the route with the smallest cost as the best route.
Unlike RIP, which periodically sends routing information even when there is no change in the network, OSPF
sends routing information only when the network is changed, thus preventing unnecessary traffic.
Every OSPF router in AS maintains routing information in the Link State Database. The Link State contains the
router's IP address, subnet mask, relation with neighbor routers, and the Link State Database is a set of such
link states. Because every OSPF router has a link state database that contains all information of the network,
complex and elaborate network control is possible.
OSPF can be configured in such a way that a network is divided into multiple parts and the link state
information is exchanged only in a limited part. In OSPF, this limited part is called "area." You can maintain
the optimum link state database by limiting the number of routers in this area.

OSPF Routing Topology


OSPF has a hierarchical topology which applies the routing algorithm. The following figure shows a typical
network structure according to the OSPF topology.

[Figure: OSPF routing topology with AS 10 and AS 20. Labels: Backbone Area 0.0.0.0, Area 1.1.1.1, Stub Area 1.1.1.2,
RIP, ASBR1, ASBR2, ASBR3, ABR1, ABR2, Internal Router]

The OSPF topology consists of the following entries.

AS (Autonomous System)
AS is the largest topology, and a set of networks managed by one management system while sharing a
common routing policy. AS is also called "routing domain." In this OSPF topology, there are two AS's: AS 10
and AS 20. AS consists of multiple areas.

Area
Area is a part of AS and a set of neighboring networks and the hosts that belong to the networks. In the area
network topology, you cannot see routers that belong to an external area. The OSPF routing inside the area is
called intra-area routing. In this OSPF topology, AS 10 consists of three areas (0.0.0.0, 1.1.1.1, 1.1.1.2).

Backbone Area
The Backbone Area distributes the routing information between an area and AS. The Backbone Area is at the
center of OSPF areas and is physically connected with every area. The ID of the Backbone Area must be set to
0.0.0.0.

Stub Area
Stub area is the area that does not receive external routing information. In the stub area, there is only one
router that is connected to another AS. The router in the stub area uses the paths inside as well as outside AS
to send packets to the destination. For the area specified as stub area, you can decrease the topology
database size and the memory size required to save the database. In the above figure, Area 1.1.1.2 is the
stub area and can be connected to an external AS only through ABR 2.

ABR (Area Border Routers)

ABR is a router that is connected to multiple areas and has multiple interfaces. ABR maintains a separate
topology database for each area. Furthermore, ABR summarizes the route information for the connected area
and sends it to the backbone area. The backbone area distributes the information received from the ABR to
other OSPF areas in the AS. In the figure, ABR 1 connects the backbone area with area 1.1.1.1, and ABR 2
connects the backbone area with the stub area, which is area 1.1.1.2.

ASBR (Autonomous System Border Routers)

ASBR is a router that exchanges route information with routers that belong to another AS or use a different
routing protocol, such as RIP, BGP, or static routes.

OSPF Operation Method


When the OSPF router is booted, it selects the designated router using the hello packet in order to recognize
neighboring routers. Among the many routers connected to a network, the designated router creates and
distributes the route information for networks on behalf of the network. Furthermore, they exchange routing
information with newly recognized routers to maintain the same routing information between them.
The OSPF router sends LSA, which contains information about its route table, when the router state changes,
and this LSA is known to every router in the area. Through this process, every router that belongs to one area
shares the same information.
For information sharing between areas, ABR exchanges summary information about areas with other ABRs.
Upon getting information about the topology and other areas of AS through this process, it can calculate the
routes for every destination that does not belong to its area and sends it to the internal router. Then the
internal router determines whether or not to send packets through ABR when sending packets to a
destination that belongs to a different area.
The ASBR that knows the external route information for other AS can send information through AS. This
external route information in ASBR is sent to the internal router as area summary by every ABR except the
stub area. Therefore, the location of ASBR is known to every router except the routers that belong to the stub
area and information can be sent to outside the AS through this.
In this way, the OSPF router gets information about the paths in and outside the area as well as outside the
AS and builds a topology database. The link state algorithm is applied to such a topology database, and the
router calculates the SPTs (shortest path trees) from itself to every route and maintains them in the route
table while performing packet relay.


OSPF Settings
To use OSPF as the routing protocol for TiFRONT, you must perform the following configuration tasks.

Setting OSPF Router ID

Restarting OSPF Routing Process

Area Setting (required)

Area Authentication Setting

Stub Area Setting

NSSA Setting

Routing Information Filtering

Route Summarization Setting

RFC 1583 Support Setting

Virtual Route Setting

Route Redistribution Setting

Reference Bandwidth Setting

Default Route Setting

OSPF Interface Attribute Setting

Each setting step is described below.

OSPF Router ID Setting

The router ID is used to differentiate OSPF routers in an AS. To set the router ID of TiFRONT, perform the
following procedure in <Configuration Mode>.

router ospf [<1-65535>]
    Enter <OSPF Configuration Mode>.
    <1-65535>: OSPF Routing Process ID. Setting range: 1 ~ 65535

router-id <A.B.C.D>
    Set the router ID. This must be a unique value that is not used by any other router. If the router ID is not
    set, the largest IP address of the interfaces defined in TiFRONT is used as the router ID by default.
    <A.B.C.D>: Enter the OSPF router ID in IP address format.

When the router ID is changed, the OSPF router sends every LSA to neighboring routers. If a fixed router ID is
assigned to TiFRONT using the router-id command, the router ID is not changed even if every interface is
down.

Note: To delete the router ID set in TiFRONT, run the command no router-id <A.B.C.D> in <OSPF Configuration Mode>.

Restarting OSPF Routing Process

To add a new OSPF router ID and apply it to the OSPF routing process, or to restart an OSPF routing process
that is currently running, run the following command in <Privileged Mode>.

clear ip ospf [<1-65535>] process
    Restart the OSPF routing process. If you enter an OSPF routing process ID, only that process is restarted.
    If you don't enter it, every process is restarted.
    <1-65535>: OSPF Routing Process ID. Setting range: 1 ~ 65535

Area Setting
To specify a network for running OSPF and an area to which the interface connected to the network belongs,
run the following command in <OSPF Configuration Mode>.

network {<A.B.C.D> <A.B.C.D> | <A.B.C.D/M>} area {<0-4294967295> | <A.B.C.D>}
    Specify the area to which the interface connected to the network will belong.
    <A.B.C.D> <A.B.C.D>: IP address range and subnet mask of the OSPF network
    <A.B.C.D/M>: IP address range and mask bit of the OSPF network
    <0-4294967295>: Enter the OSPF area ID. Setting range: 0 ~ 4294967295
    <A.B.C.D>: Enter the OSPF area ID in IP address format.

[Figure: Vlan1 (192.213.1.1) and Vlan2 (192.213.20.2) in Area 0.0.0.1; Vlan3 (128.213.10.1) in Area 20]

As shown in the above figure, you can set the network 192.213.0.0/24 to which the Vlan1 and Vlan2
interfaces belong so that it will be in the area whose ID is 0.0.0.1, and the network 128.213.10.1/32 to which
the Vlan3 interface belongs so that it will be in the area whose ID is 20, as follows:
(config-ospf)# network 192.213.0.0/24 area 0.0.0.1
(config-ospf)# network 128.213.10.1/32 area 20
Note: To disable OSPF in the specified network, run the command no network {<A.B.C.D> <A.B.C.D> | <A.B.C.D/M>} area {<1-4294967295> |
<A.B.C.D>} in <OSPF Configuration Mode>.

Area Authentication Setting

You can use the area authentication function for the security of router information that is exchanged among
routers that belong to an area. To use the area authentication function, you must enable area authentication
in <OSPF Configuration Mode> and set an authentication key in <Interface Configuration Mode> of the
interface that belongs to the area.
To enable area authentication, run the following command in <OSPF Configuration Mode>.

area {<0-4294967295> | <A.B.C.D>} authentication [message-digest]
    Enable the area authentication function.
    <0-4294967295>: Enter the area ID for which to enable authentication. Setting range: 0 ~ 4294967295
    <A.B.C.D>: Enter the area ID for which to enable authentication in IP address format.
    message-digest: Encrypt the key with the MD5 algorithm. The key will not be encrypted if you don't specify
    this option.

Note: To disable area authentication, run the command no area {<0-4294967295> | <A.B.C.D>} authentication in <OSPF Configuration
Mode>.

Stub Area Setting

Stub area is an area that does not receive LSAs that provide information about an external network. Through
the stub area, traffic to an external network is sent through the interface that has been specified as the
default route. Because the stub area maintains only a small amount of information, the internal area topology
database size as well as the memory size required for database storage can be reduced.
Usually, the area that has only one ABR, that is, only one point of connection with an external network, is
specified as stub area. There are two types of stub areas. One, a stub area, receives everything except the
external network information that is transmitted by ASBR; the other, a totally stubby area, does not receive
the routing information (summary LSA) between different areas that is transmitted by ABR either.
To set an area as a stub area, run the following command in <OSPF Configuration Mode>.

area {<0-4294967295> | <A.B.C.D>} stub [no-summary]
    Set an area as stub area.
    <0-4294967295>: Enter the area ID to be set as stub area. Setting range: 0 ~ 4294967295
    <A.B.C.D>: Enter the area ID to be set as stub area in IP address format.
    no-summary: Set the area as a totally stubby area (the ABR sends no summary LSAs into it).

Note: To release the specified area from being a stub area, run the command no area {<0-4294967295> | <A.B.C.D>} stub [no-summary]
in <OSPF Configuration Mode>.

NSSA (Not-So-Stubby-Area) Setting

NSSA is a stub area that receives LSAs in a limited way and sends them to the corresponding area. NSSA is used
in ASBR to transmit the stub area or the area of another routing protocol. You can set the following options
when setting NSSA.
Default-information-originate
Permit the default route of LSA type-7 in NSSA. This option can be used only for ABR routers.
No-redistribution
Do not perform route redistribution in the NSSA.
No-summary
Do not send route information between OSPF areas in NSSA.
Translator
Specify the method of handling the NSSA LSA information.
To set an area as NSSA, run the following command in <OSPF Configuration Mode>.

area {<0-4294967295> | <A.B.C.D>} nssa [default-information-originate [metric <0-16777214> | metric-type <1-2>] |
no-redistribution | no-summary | translator-role {always | never | candidate}]
    Set an area as NSSA.
    <0-4294967295>: Enter the area ID to be set as a NSSA. Setting range: 0 ~ 4294967295
    <A.B.C.D>: Enter the area ID to be set as a NSSA in IP address format.
    <0-16777214>: Specify the metric. Setting range: 0 ~ 16777214
    <1-2>: Specify the external route type.
        1: Use the sum of external and internal costs as the route cost.
        2: Use the external cost as the route cost.
    always: Convert every NSSA LSA to Type 5.
    never: Never convert NSSA LSAs to Type 5.
    candidate: If selected as translator, convert NSSA LSAs to Type 5.

Note: To release the specified area from being an NSSA, run the command no area {<0-4294967295> | <A.B.C.D>} nssa [default-information-originate [metric <0-16777214> | metric-type <1-2>] | no-redistribution | no-summary | translator-role {always | never | candidate}] in <OSPF Configuration Mode>.

Routing Information Filtering

If the TiFRONT session is ABR, you can set it so that specific route information will not be sent to or received
from another area. To block route information exchanges between areas, you must first define the route
information to block as an access list or prefix list, and then run the following command in <OSPF Configuration
Mode> to apply it to the area.

area {<0-4294967295> | <A.B.C.D>} filter-list {access | prefix} <WORD> {in | out}
    Specify the filter to block the exchange of route information between areas.
    <0-4294967295>: Enter the OSPF area ID. Setting range: 0 ~ 4294967295
    <A.B.C.D>: Enter the OSPF area ID in IP address format.
    access: Block the route information by using an access list.
    prefix: Block the route information by using a prefix list.
    <WORD>: Access list or prefix list name
    in: Incoming route information is blocked.
    out: Outgoing route information is blocked.

Note: To delete the specified route information filter, run the command no area {<0-4294967295> | <A.B.C.D>} filter-list
{access | prefix} <WORD> {in | out} in <OSPF Configuration Mode>.
Note: Before you can set the route information filter, the access list and prefix list which contain the filtering conditions must be defined. For
information about the access list setting, see [Chapter 12 Security Settings ACL (Access Control List) - ACL Setting - Access List Setting] in this
guide. For information about the prefix list setting, see [Filter Setting - Prefix List Setting] section in this chapter.

To filter the transmission and reception of specific route information in the routes that are directly connected
to a router, user-defined static routes, and the route information learned from other routing protocols, run
the following command in <OSPF Configuration Mode>.

distribute-list <WORD> {in | out {bgp | connected | isis | kernel | ospf | rip | static}}
    Filter the transmission and reception of specific route information.
    <WORD>: Name of access list in which the route information is specified
    in: Incoming route information is filtered.
    out: Outgoing route information is filtered.
    bgp: Route learned by BGP
    connected: Directly connected route
    isis: Route learned by IS-IS
    kernel: Route that the kernel has
    ospf: Route learned by OSPF
    rip: Route learned by RIP
    static: Static route

Note: To delete the specified route information filter, run the command no distribute-list <WORD> {in | out {bgp |
connected | isis | kernel | ospf | rip | static}} in <OSPF Configuration Mode>.
Note: Before you can set the route information filter, the access list which contains the filtering conditions must be defined. For information about
the access list setting, see [Chapter 12 Security Settings ACL (Access Control List) - ACL Setting - Access List Setting] in this Guide.

Note: When filtering incoming route information, you cannot set the bgp, connected, isis, kernel, ospf, rip and static options.

Route Summarization Setting

If the TiFRONT is ABR, you can use the summary LSA when informing another area of the route information of a
network that belongs to one area. The summary LSA is the integrated information of multiple paths that belong
to a network. One summary LSA is created for each network and it is sent to other areas by ABR.
If the addresses of the networks that belong to an area are assigned sequentially, you can summarize the
information of these networks with one summary LSA. ABR sends this summary LSA as if it were information for
one network. This is called route summarization, and it reduces the amount of routing information to be
sent by ABR and the size of the routing table.
To use route summarization in a TiFRONT session which is ABR, specify a range of networks whose routes
will be integrated by running the following command in <OSPF Configuration Mode>.

area {<0-4294967295> | <A.B.C.D>} range <A.B.C.D/M> [advertise | not-advertise]
    Specify a range of networks whose routes will be integrated.
    <0-4294967295>: Enter the OSPF area ID. Setting range: 0 ~ 4294967295
    <A.B.C.D>: Enter the OSPF area ID in IP address format.
    <A.B.C.D/M>: Network address of the route to be summarized
    advertise: Send the summarized route information to the outside (default).
    not-advertise: Do not send the summarized route information to the outside.

The following is an example of summarizing and sending the routes of area 10 that belong to the address
range 192.168.0.0~192.168.255.255 (the 192.168.0.0/16 network):
(config-ospf)# area 10 range 192.168.0.0/16
Note: To disable route summarization in a specified network, run the command no area {<0-4294967295> | <A.B.C.D>} range
<A.B.C.D/M> in <OSPF Configuration Mode>.
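The range must cover the area's networks, and it should not claim much more than they use: a summary that is too wide draws traffic for addresses nobody in the area owns and can overlap prefixes that belong to other areas. The Python script below is an added example (not TiFRONT code) that, given the prefixes of an area and the range entered with area ... range, reports the smallest prefix that would suffice, any area prefix the range misses, any prefix of other areas the range overlaps, and the unused address space the range advertises. The area contents are constructed; the range 192.168.0.0/16 is the one from the example above.

```python
# Added example (not TiFRONT code): audit an 'area <id> range <A.B.C.D/M>'
# summary against the prefixes the area actually contains.
import ipaddress
from typing import Dict, List

Net = ipaddress.IPv4Network


def minimal_summary(prefixes: List[str]) -> Net:
    """Smallest single prefix that covers every given prefix."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()  # widen by one bit until all fit
    return summary


def _unassigned(summary: Net, owned: List[Net]) -> List[Net]:
    """Parts of the summary not covered by any owned prefix."""
    remaining = [summary]
    for n in owned:
        nxt: List[Net] = []
        for r in remaining:
            if r.subnet_of(n):
                continue                      # fully covered by the owned prefix
            if n.subnet_of(r):
                nxt.extend(r.address_exclude(n))
            else:
                nxt.append(r)
        remaining = nxt
    return sorted(remaining)


def audit_area_range(area_prefixes: List[str], advertised_range: str,
                     other_area_prefixes: List[str]) -> Dict[str, object]:
    summary = ipaddress.ip_network(advertised_range)
    area = [ipaddress.ip_network(p) for p in area_prefixes]
    others = [ipaddress.ip_network(p) for p in other_area_prefixes]
    unassigned = _unassigned(summary, [n for n in area if n.subnet_of(summary)])
    return {
        "minimal": str(minimal_summary(area_prefixes)),
        # area prefixes the range does not cover: they keep being advertised individually
        "not_covered": [str(n) for n in area if not n.subnet_of(summary)],
        # prefixes of other areas that the summary would also claim
        "overlaps_other_areas": [str(n) for n in others
                                 if n.subnet_of(summary) or summary.subnet_of(n)],
        # address space the summary claims although no network in the area uses it
        "unassigned_blocks": [str(n) for n in unassigned],
        "unassigned_addresses": sum(n.num_addresses for n in unassigned),
    }


# Constructed: area 10 holds four consecutive /24s; another area owns 192.168.200.0/24.
AREA_10 = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
OTHER_AREAS = ["192.168.200.0/24", "10.20.0.0/16"]

if __name__ == "__main__":
    for rng in ("192.168.0.0/16", "192.168.0.0/22"):
        print(rng, audit_area_range(AREA_10, rng, OTHER_AREAS))
```

With the four /24s the /16 from the example advertises 64512 addresses the area does not use and also covers the other area's 192.168.200.0/24; the audit's "minimal" entry shows that 192.168.0.0/22 would summarize the same networks without either side effect.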

If the TiFRONT session is ASBR, specify a range of networks whose routes will be integrated by running the
following command in <OSPF Configuration Mode>.

summary-address <A.B.C.D/M> [not-advertise | tag <0-4294967295>]
    Specify a range of networks whose routes will be integrated.
    <A.B.C.D/M>: Network address of the route to be summarized
    not-advertise: Do not send the summarized route information to the outside.
    tag <0-4294967295>: Specify a tag number for the summarized route information. Setting range: 0 ~ 4294967295.
    (Default value: 0)

Note: To disable route summarization, run the command no summary-address <A.B.C.D/M> [not-advertise | tag <0-4294967295>]
in <OSPF Configuration Mode>.

RFC 1583 Support Setting

There are two standards for calculating the OSPF route summarization: RFC 1583 and RFC 2328. RFC 1583
had been used before RFC 2328, and TiFRONT supports RFC 2328 by default. However, you can set it to
support RFC 1583 for compatibility with other devices that use the older standard RFC 1583.
To set it to support the RFC 1583 standard, run the following command in <OSPF Configuration Mode>.

compatible rfc1583
    Support RFC 1583 when calculating route summarization.

Note: To disable RFC 1583 support, run the command no compatible rfc1583 in <OSPF Configuration Mode>.

Virtual Route Setting

In an OSPF network, every area must be connected with the backbone area. For the areas that are not
directly connected to the backbone area, you can set a virtual route and connect the areas with the backbone
area through the virtual route.
You can set the following options when setting a virtual route:
Authentication
Use authentication for security of the exchanged routing information.
Dead-interval
Set the waiting time for judging that an OSPF router that does not send the hello packet is dead. You can set
a value between 1 and 65535 (sec). The default is 40 (sec).
hello-interval
Set the transmission interval of the hello packet that is sent to inform one's own status between OSPF routers.
You can set a value between 1 and 65535 (sec). The default is 10 (sec).
retransmit-interval
Set the retransmission interval for LSA information if no acknowledgement has been received for the transmitted
LSA information. You can set a value between 1 and 3600 (sec). The default is 5 (sec).
transmit-delay
Set the transmission delay to other routers for LSA information. You can set a value between 1 and 3600
(sec). The default is 1 (sec).
To set a virtual route, run the following command in <OSPF Configuration Mode>.

area {<0-4294967295> | <A.B.C.D>} virtual-link <A.B.C.D>
    Set the virtual route for connecting to the backbone area.
    <0-4294967295>: Enter the area ID for the virtual route setting. Setting range: 0 ~ 4294967295
    <A.B.C.D>: Enter the area ID for the virtual route setting in IP address format.
    virtual-link <A.B.C.D>: The router ID of the other ABR to be used as virtual route.

Note: To delete the specified virtual route, run the command no area {<0-4294967295> | <A.B.C.D>} virtual-link <A.B.C.D> in
<OSPF Configuration Mode>.

Authentication Key Setting

To use authentication for a virtual route, enable the authentication option by performing the following
procedure and entering the key value.

area {<0-4294967295> | <A.B.C.D>} virtual-link <A.B.C.D> authentication [message-digest | null]
    Enable authentication and select whether or not to encrypt the authentication key.
    message-digest: Encrypt the key with the MD5 algorithm.
    null: Do not use the authentication.

area {<0-4294967295> | <A.B.C.D>} virtual-link <A.B.C.D> message-digest-key <1-255> md5 <LINE>
    To encrypt the key with MD5, specify the key ID and value.
    <1-255>: Authentication key ID. Setting range: 1 ~ 255
    <LINE>: Authentication key value. Specify a string of up to 16 characters.

area {<0-4294967295> | <A.B.C.D>} virtual-link <A.B.C.D> authentication-key <LINE>
    Enter a string to be used as key if you have set the authentication mode to Text.
    <LINE>: Authentication key value. Specify a string of up to 8 characters.

Note: To disable the authentication option for virtual routes, run the command no area {<0-4294967295> | <A.B.C.D>} virtual-link
<A.B.C.D> authentication [message-digest] in <OSPF Configuration Mode>.
Note: To delete the authentication key for virtual routes, run the command no area {<0-4294967295> | <A.B.C.D>} virtual-link
<A.B.C.D> message-digest-key <1-255> md5 <LINE> or no area {<0-4294967295> | <A.B.C.D>} virtual-link <A.B.C.D>
authentication-key <LINE> in <OSPF Configuration Mode>.

Transmission Period Setting

For a virtual route, you can set the transmission period of the hello packet, which is sent to analyze the
router state, the waiting time for judging if the other device is alive, the transmission period for LSA
information to other routers, and the retransmission period for LSA information. To set each period, run the
following commands in <OSPF Configuration Mode>.

area {<0-4294967295> | <A.B.C.D>} virtual-link <A.B.C.D> hello-interval <1-65535>
    Set the transmission period for the hello packet.
    <1-65535>: Setting range: 1 ~ 65535(sec). (Default value: 10 sec)

area {<0-4294967295> | <A.B.C.D>} virtual-link <A.B.C.D> dead-interval <1-65535>
    Set the waiting time for judging that the OSPF router is dead.
    <1-65535>: Setting range: 1 ~ 65535(sec). (Default value: 40 sec)

area {<0-4294967295> | <A.B.C.D>} virtual-link <A.B.C.D> transmit-interval <1-3600>
    Set the transmission period for LSA information.
    <1-3600>: Setting range: 1 ~ 3600(sec). (Default value: 1 sec)

area {<0-4294967295> | <A.B.C.D>} virtual-link <A.B.C.D> retransmit-interval <1-3600>
    Set the retransmission period for LSA information.
    <1-3600>: Setting range: 1 ~ 3600(sec). (Default value: 5 sec)

Route Redistribution Setting

To send neighbor routers information about the routes that are directly connected to routers, user-defined
static routes, and the route information learned from other routing protocols among the routes in the OSPF
routing table, you must redistribute the routes. When the routes are redistributed, the metric of the route is
changed to the default metric. The default metric is 20. You can change this value by using the following
default-metric command in <OSPF Configuration Mode>.

Command: default-metric <1-16777214>
Description: Change the default metric.
    <1-16777214>  Enter the value to be used as the default metric. Setting range: 1 ~ 16777214. (Default value: 20)

Note: To return to the default metric of 20, run the command no default-metric.


To select which routes to redistribute, run the following command in <OSPF Configuration Mode>.

Command: redistribute {bgp | connected | isis | kernel | ospf | rip | static} [metric <0-16777214> | metric-type {1 | 2} | route-map <WORD> | tag <0-4294967295>]
Description: Specify the routes to be redistributed.
    bgp  Route learned by BGP
    connected  Directly connected route
    isis  Route learned by IS-IS
    kernel  Route that the kernel has
    ospf  Route learned by OSPF
    rip  Route learned by RIP
    static  Static route
    <0-16777214>  Enter the metric of the default route. Setting range: 1 ~ 16777214
    <WORD>  Name of the route map to be used for handling routes
    <0-4294967295>  Tag number of the route map. Setting range: 1 ~ 4294967295

If the redistributed route is an external route that is outside the AS, you can set the type of external route by
using the metric-type option. Enter metric-type 1 to specify an external route of type 1, which uses the sum
of the external route cost and the internal cost (the cost used to reach the router inside an area) as the route cost.
Enter metric-type 2 to specify an external route of type 2, which uses the external cost as the route cost. If you don't
specify the type of external route, it is set as type 2 by default.

Reference Bandwidth Setting

OSPF uses the reference bandwidth divided by the bandwidth of the interface as the cost. When the cost is
calculated, the value below the decimal point is discarded, and if the calculation result is less than 1, the cost
is determined to be 1. If the reference bandwidth is small, the cost calculation result of interfaces having
different bandwidths can be less than 1 and every cost will be 1 in this case. Thus, you should set an
appropriate reference bandwidth according to the network environment.
To set the reference bandwidth to be used in cost calculation, run the following command in <OSPF
Configuration Mode>.

Command: auto-cost reference-bandwidth <1-4294967>
Description: Set the reference bandwidth.
    <1-4294967>  Setting range: 1 ~ 4294967 (Mbps). (Default value: 100 Mbps)

Note: To delete the reference bandwidth, run the command no auto-cost reference-bandwidth.
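The cost rules above, together with the metric-type 1 and 2 rule from the Route Redistribution section, worked through in Python as an added example that is not part of the TiFRONT guide; the interface names and speeds are constructed sample values.

```python
"""OSPF cost arithmetic as described in the guide (added example, not TiFRONT code).

Interface cost = reference bandwidth / interface bandwidth, fraction discarded,
and any result below 1 is raised to 1.  External route cost follows the
metric-type rule: type 1 adds the internal cost to reach the ASBR, type 2
(the default) uses the external cost alone.
"""
from typing import Dict

DEFAULT_REFERENCE_BW_MBPS = 100      # auto-cost reference-bandwidth default (Mbps)
MAX_REFERENCE_BW_MBPS = 4294967      # upper end of the command's setting range

# Constructed sample: interface speeds in Mbps on a hypothetical switch.
SAMPLE_INTERFACES: Dict[str, int] = {"fe1": 100, "ge1": 1000, "ge2": 1000, "xe1": 10000}


def ospf_interface_cost(interface_bw_mbps: int,
                        reference_bw_mbps: int = DEFAULT_REFERENCE_BW_MBPS) -> int:
    """Cost of one interface: truncated quotient, clamped to a minimum of 1."""
    if interface_bw_mbps <= 0 or reference_bw_mbps <= 0:
        raise ValueError("bandwidths must be positive")
    return max(1, reference_bw_mbps // interface_bw_mbps)


def cost_table(interfaces: Dict[str, int], reference_bw_mbps: int) -> Dict[str, int]:
    """Cost of every interface under one reference bandwidth."""
    return {name: ospf_interface_cost(bw, reference_bw_mbps)
            for name, bw in interfaces.items()}


def costs_distinguish_speeds(interfaces: Dict[str, int], reference_bw_mbps: int) -> bool:
    """True when every distinct interface speed maps to a distinct cost.

    With the 100 Mbps default, 100M, 1G and 10G links all get cost 1 and OSPF
    can no longer prefer the faster link; this is the situation the guide
    warns about when it says the reference bandwidth must suit the network.
    """
    costs = cost_table(interfaces, reference_bw_mbps)
    return len(set(costs.values())) == len(set(interfaces.values()))


def smallest_sufficient_reference_bw(interfaces: Dict[str, int]) -> int:
    """Smallest power-of-ten reference bandwidth (Mbps) giving distinct costs.

    Raises ValueError if no value inside the command's range is sufficient.
    """
    ref = 1
    while not costs_distinguish_speeds(interfaces, ref):
        ref *= 10
        if ref > MAX_REFERENCE_BW_MBPS:
            raise ValueError("no reference bandwidth in range separates these speeds")
    return ref


def external_route_cost(external_cost: int, internal_cost: int, metric_type: int = 2) -> int:
    """Total cost of a redistributed external route as seen by an internal router."""
    if metric_type == 1:
        return external_cost + internal_cost   # type 1: external + path to the ASBR
    if metric_type == 2:
        return external_cost                   # type 2: external cost only (default)
    raise ValueError("metric-type must be 1 or 2")


if __name__ == "__main__":
    for ref in (DEFAULT_REFERENCE_BW_MBPS, 10000):
        print(f"reference {ref} Mbps: {cost_table(SAMPLE_INTERFACES, ref)}")
    print("smallest distinguishing reference:",
          smallest_sufficient_reference_bw(SAMPLE_INTERFACES))
```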


Default Route Setting

To generate a default route and send it to the OSPF network when TiFRONT is an ASBR, run the following
command in <OSPF Configuration Mode>.

Command: default-information originate [always | metric <0-16777214> | metric-type {1 | 2} | routemap <WORD>]
Description: Generate a default route and send it to other routers in the OSPF network.
    always  Send the default route to other routers in the OSPF network.
    metric <0-16777214>  Set the metric of the default route. Setting range: 0 ~ 16777214
    metric-type  Set the cost calculation method of the default route.
        1: Internal and external route costs are added up.
        2: Only the external route cost is calculated.
    routemap <WORD>  Apply the specified route map when sending the default route.

Note: To disable the default route setting, run the command no default-information originate [always | metric <0-16777214> |
metric-type {1 | 2} | routemap <WORD>] in <OSPF Configuration Mode>.

Note: You can set the options multiple times regardless of the sequence when setting the default route.

OSPF Interface Attribute Setting


For OSPF interfaces, you can set route cost, transmission period of routing information, etc. This section
describes the procedure for setting the following attributes of the OSPF interface.

Cost of Interface

Hello Interval

Dead Interval

Authentication Key Setting

Priority

MTU Setting

OSPF Network Type Setting

Cost Setting
The cost of the OSPF interface is the overhead required when packets are transmitted through an interface.
OSPF refers to the cost of the interface which a route passes through when selecting the optimum route. By
default, the cost of an OSPF interface is set to 10. You should set a low cost if the interface bandwidth is high or
the link's state is not good, and a high cost in the opposite case, so that routes that pass through a preferred
interface are chosen where possible.


To set the cost of a specific interface, perform the following procedure in <Configuration Mode>. You must
enter the <Interface Configuration Mode> in which you can set the interface.

No. 1
Command: interface <IF-NAME>
Description: Enter the <Interface Configuration Mode>.

No. 2
Command: ip ospf cost <1-65535>
Description: Enter a cost to be assigned to the interface.
    <1-65535>  Setting range: 1 ~ 65535. (Default value: 10)

Note: To use the default value instead of the cost set in the OSPF interface, run the command no ip ospf cost in <Interface Configuration
Mode>.

Hello Interval Setting

The OSPF interface periodically sends the hello packet to introduce itself to neighbor routers or maintain
communication with them. The hello interval is the period of sending the hello packet, and every OSPF router
in a network must have the same hello interval. By default, the OSPF interface sends a hello packet every 10
seconds.
You can change the hello interval of the OSPF interface by running the following command in <Interface
Configuration Mode>.

Command: ip ospf hello-interval <1-65535>
Description: Change the hello interval of the OSPF interface.
    <1-65535>  Setting range: 1 ~ 65535. (Default: 10 sec)

Note: To use the default value instead of the hello interval set in the OSPF interface, run the command no ip ospf hello-interval in
<Interface Configuration Mode>.

Dead Interval Setting

The dead interval is used to determine the state of a neighbor router. If no hello packet is received from a
neighbor router before the dead interval has passed, the interface regards the neighbor router as being down
and deletes all the routing information received from that router. All OSPF routers in the same network must
have the same dead interval. By default, the dead interval of an OSPF interface is set to 40 sec.
You can change the dead interval of the OSPF interface by running the following command in <Interface
Configuration Mode>.

Command: ip ospf dead-interval <1-65535>
Description: Change the dead interval of the OSPF interface.
    <1-65535>  Setting range: 1 ~ 65535. (Default value: 40 sec)

Note: To use the default value instead of the dead interval set in the OSPF interface, run the command no ip ospf dead-interval in
<Interface Configuration Mode>.


Authentication Key Setting

To enable the authentication function for the security of the routing information that is exchanged between
OSPF routers, perform the following procedure in <Interface Configuration Mode>.

No. 1
Command: ip ospf [<A.B.C.D>] authentication [message-digest | null]
Description: Enable authentication and select whether or not to encrypt the authentication key.
    <A.B.C.D>  IP Address of the interface
    message-digest  Encrypt the key with the MD5 algorithm.
    null  Do not use the authentication function

No. 2
Command: ip ospf [<A.B.C.D>] message-digest-key <1-255> md5 <LINE>
Description: To encrypt the key with MD5, specify the key ID and value.
    <1-255>  Authentication key ID. Setting range: 1 ~ 255
    <LINE>  Authentication key value. Specify a string of up to 16 characters.

No. 3
Command: ip ospf [<A.B.C.D>] authentication-key <LINE>
Description: Enter a string to be used as the key if the key is not encrypted.
    <LINE>  Authentication key value. Specify a string of up to 8 characters.

Note: To disable the authentication function, run the command no ip ospf authentication in <Interface Configuration Mode>.

Note: To delete the authentication key, run the command no ip ospf authentication-key in <Interface Configuration Mode>.
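The key handling behind the three commands above, worked through as an added example that is not TiFRONT code: the message-digest key padded to 16 bytes, the key ID and sequence number carried in the packet's authentication field, and the checks a receiving router performs, following RFC 2328 Appendix D (assumed here to be what the device implements, since the guide only names MD5). Packet contents, keys and addresses are constructed.

```python
"""OSPF cryptographic (MD5) authentication as exchanged between OSPF routers.

Added example, not TiFRONT code.  Follows RFC 2328 Appendix D: the key set with
"message-digest-key <1-255> md5 <LINE>" is zero-padded to 16 bytes, appended to
the packet, hashed with MD5, and the digest travels after the packet.  The 8-byte
authentication field carries the key ID and a cryptographic sequence number
that protects against replayed packets.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

OSPF_VERSION = 2
AUTYPE_SIMPLE = 1            # "authentication-key <LINE>": 8-byte key sent in clear
AUTYPE_CRYPTO = 2            # "authentication message-digest"
HEADER_FMT = "!BBHIIHH"      # version, type, length, router ID, area ID, checksum, AuType
AUTH_FMT = "!HBBI"           # reserved (0), key ID, auth data length, sequence number
HEADER_LEN = 24              # 16 bytes of fields + 8-byte authentication field
MD5_LEN = 16


def pad_key(key: str) -> bytes:
    """Zero-pad the message-digest key (up to 16 characters) to 16 bytes."""
    raw = key.encode()
    if len(raw) > MD5_LEN:
        raise ValueError("message-digest key is limited to 16 characters")
    return raw.ljust(MD5_LEN, b"\x00")


def simple_password_field(key: str) -> bytes:
    """Authentication field for AuType 1: the 8-character key itself, unencrypted.

    Anyone who captures the packet reads this key directly, which is why the
    guide distinguishes the clear key from the MD5 message digest.
    """
    raw = key.encode()
    if len(raw) > 8:
        raise ValueError("authentication-key is limited to 8 characters")
    return raw.ljust(8, b"\x00")


def build_md5_packet(pkt_type: int, router_id: int, area_id: int, body: bytes,
                     key_id: int, key: str, seq: int) -> bytes:
    """Build an OSPF packet protected by cryptographic authentication."""
    length = HEADER_LEN + len(body)          # the digest is not counted in the length field
    header = struct.pack(HEADER_FMT, OSPF_VERSION, pkt_type, length,
                         router_id, area_id, 0, AUTYPE_CRYPTO)  # checksum unused with MD5
    auth = struct.pack(AUTH_FMT, 0, key_id, MD5_LEN, seq)
    packet = header + auth + body
    digest = hashlib.md5(packet + pad_key(key)).digest()
    return packet + digest


def verify_md5_packet(data: bytes, keys: Dict[int, str],
                      last_seq: Optional[int]) -> Tuple[bool, str, Optional[int]]:
    """Check a received packet; keys maps key ID -> key, as configured on the interface.

    Returns (accepted, reason, sequence number to remember for this neighbor).
    """
    if len(data) < HEADER_LEN + MD5_LEN:
        return False, "truncated", last_seq
    _, _, length, _, _, _, autype = struct.unpack(HEADER_FMT, data[:16])
    if autype != AUTYPE_CRYPTO:
        return False, "autype mismatch", last_seq
    _, key_id, auth_len, seq = struct.unpack(AUTH_FMT, data[16:HEADER_LEN])
    if auth_len != MD5_LEN or length + MD5_LEN != len(data):
        return False, "bad length", last_seq
    if key_id not in keys:
        return False, "unknown key id", last_seq   # key IDs must match on both routers
    packet, received = data[:length], data[length:length + MD5_LEN]
    expected = hashlib.md5(packet + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, received):
        return False, "digest mismatch", last_seq   # wrong key or modified packet
    if last_seq is not None and seq < last_seq:
        return False, "replayed sequence", last_seq  # RFC 2328: must be non-decreasing
    return True, "ok", seq
```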

Priority Setting
OSPF elects the designated router (DR) representing a network to prevent the transmission of routing
information from every router. The designated router creates and distributes route information of a network.
Furthermore, when a new router is detected, it is synchronized by exchanging route information with the
designated router.
When the designated router is elected, the priority set in each interface is used. The interface with the
highest priority becomes the designated router of the network. By default, the priority of every OSPF
interface is set to 1.
You can set the priority of an OSPF interface by running the following command in <Interface Configuration
Mode>.

Command: ip ospf priority <0-255>
Description: Set the priority of the OSPF interface. Set the priority to 0 for the interface of a
router that must not be elected as designated router.
    <0-255>  Setting range: 0 ~ 255. (Default value: 1)

Note: To reset the priority of an OSPF interface to 1, run the command no ip ospf priority in <Interface Configuration Mode>.

MTU Setting
The MTU sizes of neighbor routers in an OSPF network must be identical. By default, it is impossible to
configure an OSPF network with routers having different MTU sizes. If you set to ignore the MTU size,
however, routers can be included in an OSPF network regardless of their MTU size.
To set the MTU size of the OSPF interface, run the following command in <Interface Configuration Mode>.

Command: ip ospf mtu <576-65535>
Description: Set the MTU size of the OSPF interface.
    <576-65535>  Setting range: 576 ~ 65535. (Default value: 1500)

Note: To reset the MTU size of an OSPF interface to 1500, run the command no ip ospf mtu in <Interface Configuration Mode>.

To ignore the MTU size of the OSPF interface, run the following command in <Interface Configuration Mode>.

Command: ip ospf [<A.B.C.D>] mtu-ignore
Description: The MTU size of the OSPF interface is ignored.
    <A.B.C.D>  IP Address of the interface

Note: To stop ignoring the MTU size of an OSPF interface, run the command no ip ospf mtu-ignore in <Interface Configuration Mode>.

OSPF Network Type Setting

OSPF networks are classified into the following four types. By default, the OSPF network type is
automatically determined by the interface type.
Broadcast: These networks support both broadcasting and multi-access and include Ethernet, token-ring, and FDDI.
NBMA (Non-Broadcast Multi-Access): These networks support multi-access but do not support broadcasting and include frame relay, ATM, and X.25.
Point-to-multipoint: This is a private network with multiple devices connected to one interface.
Point-to-point: This type of network has only one device connected to one interface.


The OSPF network type can be set directly by the user depending on the network configuration. To set the type
of OSPF network, run the following command in <Interface Configuration Mode>. TiFRONT is set as a
broadcast network by default.

Command: ip ospf network {broadcast | non-broadcast | point-to-multipoint | point-to-point}
Description: Set the network type of the OSPF interface.
    broadcast  Set as broadcast network (default)
    non-broadcast  Set as NBMA network.
    point-to-multipoint  Set as point-to-multipoint network.
    point-to-point  Set as point-to-point network.

Note: To reset the network type of an OSPF interface to the default broadcast network, run the command no ip ospf network in <Interface
Configuration Mode>.

Checking OSPF Information


This section describes the procedures for checking the following OSPF information:

OSPF routing table

OSPF configuration

OSPF neighbor router information

ABR/ASBR router information of OSPF instance

Virtual route information

OSPF interface information

OSPF database information

Checking the OSPF Routing Table


To show the entries of the OSPF routing table, run the command show ip ospf [<0-65535>] route in
<User Mode> or <Privileged Mode>. If you enter a specific OSPF routing process ID, only the routing table
for the corresponding OSPF routing process is displayed.

Checking OSPF Configuration Information

To show the OSPF configuration information, run the command show ip ospf in <User Mode> or
<Privileged Mode>.

Checking OSPF Neighbor Router Information

To show the information about the OSPF neighbor routers of TiFRONT, run the command show ip ospf
neighbor [<A.B.C.D> [detail] | all | detail [all] | interface <A.B.C.D>] in <User Mode> or
<Privileged Mode>. You can enter the options to show only the information of a specific neighbor router or
the information of neighbor routers connected to a specific interface.

ABR/ASBR Router Information of OSPF Instance

To show the ABR router and ASBR router information of an OSPF instance, run the command show ip ospf
[<0-65535>] border-routers in <User Mode> or <Privileged Mode>. To show only the information of a
specific instance, enter the process ID of the instance.

Checking Virtual Route Information


To show the virtual route information of OSPF, run the command show ip ospf virtual-links in <User
Mode> or <Privileged Mode>.

Checking OSPF Interface Information


To show the OSPF interface state information, run the command show ip ospf interface [<IFNAME>] in
<User Mode> or <Privileged Mode>. If you enter the name of an interface, only the information about that
interface will be displayed.

Checking OSPF Database Information

To show the OSPF database summary, run the command show ip ospf database in <User Mode> or
<Privileged Mode>. You can enter the following options when running this command to show detailed
database information.
    adv-router  LSA information received from a specific router
    asbr-summary  Summary LSA information of an ASBR router
    external  External LSA information
    max-age  LSA information of MaxAge list
    network  Network LSA information
    nssa-external  External LSA information of NSSA
    opaque-area  Type-10 LSA information
    opaque-as  Type-11 LSA information
    opaque-link  Type-9 LSA information
    router  LSA information of router
    summary  Summary information of LSA


BGP Overview and Setting


This section introduces the basic concepts about BGP (Border Gateway Protocol), and describes the
procedures for setting BGP in TiFRONT through CLI commands.

BGP Overview
BGP is a routing protocol for exchanging routing information between ASs. In one AS, you can use an interior
gateway protocol (IGP) such as RIP or OSPF to exchange routing information. However, in order to exchange
routing information with other ASs such as ISPs (Information Service Providers), you must use an exterior
gateway protocol (EGP) such as BGP.
The following figure is a simple example showing two ASs to which BGP was applied. Each AS contains three
routers. Every router that belongs to the same AS exchanges BGP information through iBGP (Internal BGP),
and they exchange BGP information with routers that belong to another AS through eBGP (external BGP).
Furthermore, each router runs iBGP. The routers that belong to AS1 are OSPF routers and the routers that
belong to AS2 are RIP routers. The routing information can be redistributed between BGP and RIP and
between BGP and OSPF, and the static routes of other routing protocols can be redistributed as well.

[Figure: two ASs, AS1 and AS2, each with three routers, connected through BGP]

Once a TCP connection with a neighbor is established, the BGP router exchanges its BGP routing table
information with its neighbors. After this initial information exchange process is finished, they do not
regularly send update messages containing routing information, unlike RIP, but they only send the update
messages to neighbors when their own BGP routing table is changed (added routes, changed routes, invalid
routes, etc.).


Selecting BGP Route


When there are multiple routes to one destination, you must select the best route and send packets through
that route. The criterion for selecting the best route is metric, and this value is different for each routing
protocol. OSPF uses the route bandwidth as the metric (a higher bandwidth has a higher priority), RIP uses
the hop count of the route (a lower hop count has a higher priority). BGP uses various BGP attributes such as
the following as metrics:

Weight

Local preference

AS path

MED (Multi-Exit Discriminator)

Community

In BGP, you can apply these attributes when sending information to or receiving information from BGP
neighbors. Because you can directly set the BGP attributes, they can be used to adjust the traffic direction by
reflecting the network policy or network status. For details about each BGP attribute, see the [BGP
Settings - BGP Attribute Setting] section in this chapter.

The procedure for selecting the best route by using these attributes in BGP is as follows:
1. First, select a route that has the highest weight.
2. If the weights of two routes are identical, select the route that has the highest local preference.
3. If the local preferences are identical, select the route that originated in the local BGP router.
4. If there is no route that originated in the local BGP router, select the route that has the shortest AS
path.
5. If the lengths of the AS paths are identical, select the route that has the lowest MED (Multi-Exit
Discriminator).
6. If the MEDs are identical, select the route that was learned through eBGP rather than iBGP.
7. If the routes were learned through the same type of session (iBGP or eBGP), select the route that has the
nearest IGP neighbor.

In general, BGP routes have the same weight and local preference, so in many cases the factor that has the
greatest effect on route selection is the length of the AS path.
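The seven selection steps above implemented in Python as an added example that is not part of the TiFRONT guide; the routes, attribute values and next-hop addresses are constructed sample data, and the handling of a tie that survives step 7 is an assumption, since the guide lists no further tie-breaker.

```python
"""BGP best-route selection in the order the guide lists (added example, not
TiFRONT code).  Each step keeps only the routes that are best on that
attribute; the first step that leaves a single route decides the outcome.
Routes and addresses below are constructed sample data."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class BgpRoute:
    next_hop: str
    weight: int = 0               # local to this router, never advertised
    local_pref: int = 100
    locally_originated: bool = False
    as_path: Tuple[int, ...] = ()
    med: int = 0
    learned_via: str = "ebgp"     # "ebgp" or "ibgp"
    igp_cost: int = 0             # IGP distance to the BGP next hop


# (step name, attribute extractor, function choosing the preferred value)
SELECTION_STEPS: Sequence[Tuple[str, Callable[[BgpRoute], int], Callable]] = (
    ("weight", lambda r: r.weight, max),                              # 1. highest weight
    ("local_pref", lambda r: r.local_pref, max),                      # 2. highest local preference
    ("locally_originated", lambda r: int(r.locally_originated), max), # 3. originated locally
    ("as_path_length", lambda r: len(r.as_path), min),                # 4. shortest AS path
    ("med", lambda r: r.med, min),                                    # 5. lowest MED
    ("ebgp_over_ibgp", lambda r: int(r.learned_via == "ebgp"), max),  # 6. eBGP before iBGP
    ("igp_cost", lambda r: r.igp_cost, min),                          # 7. nearest IGP neighbor
)


def explain_selection(routes: List[BgpRoute]) -> Tuple[Optional[BgpRoute], str]:
    """Return the best route and the name of the step that decided it."""
    candidates = list(routes)
    if not candidates:
        return None, "no routes"
    for name, attr, pick in SELECTION_STEPS:
        best_value = pick(attr(r) for r in candidates)
        candidates = [r for r in candidates if attr(r) == best_value]
        if len(candidates) == 1:
            return candidates[0], name
    # Still tied after all seven steps: the guide defines no further tie-breaker
    # (assumption), so keep the first candidate and report the tie.
    return candidates[0], "tie"


def select_best_route(routes: List[BgpRoute]) -> Optional[BgpRoute]:
    """Best route only, without the explanation."""
    return explain_selection(routes)[0]


# Constructed sample: three paths to one prefix as learned by a router in AS 65000.
SAMPLE_ROUTES = [
    BgpRoute("192.0.2.1", as_path=(65001, 65002), med=10, igp_cost=5),
    BgpRoute("192.0.2.2", as_path=(65003,), med=50, igp_cost=20),
    BgpRoute("10.0.0.3", local_pref=200, as_path=(65001, 65002, 65004),
             learned_via="ibgp", igp_cost=1),
]

if __name__ == "__main__":
    best, step = explain_selection(SAMPLE_ROUTES)
    print(f"best route via {best.next_hop}, decided by step '{step}'")
```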


BGP Timers
BGP uses the following four types of timers to maintain connections with neighbors and send routing
information.

Timer: Keepalive
Function: Period of sending KEEPALIVE messages to inform BGP neighbors of one's own state and get the
operation states of neighbors (0 - 65535 sec).
Default: 60 sec

Timer: Holdtime
Function: Waiting time after receiving the KEEPALIVE message from a BGP neighbor until the next message is
received (3 - 65535 sec). If the KEEPALIVE message is not received within this time, the BGP neighbor is
regarded as dead, the TCP connection is stopped, and all the routing information received from that
neighbor is deleted.
Default: 180 sec

Timer: Connect
Function: Waiting time after the connection with a BGP neighbor is stopped until the connection is tried again
(0 - 65535 sec).
Default: 60 sec

Timer: Update
Function: Minimum time after an update packet is sent to a BGP neighbor until a new update packet is sent.
Even if the routing information is changed, update packets are not sent until the minimum update timer has
expired (0 - 65535 sec).
Default: 30 sec (eBGP), 5 sec (iBGP)

Characteristics of BGP
BGP has the following characteristics, which differ from the IGPs RIP and OSPF:
BGP is neither purely a distance vector protocol nor a link state protocol.
Because BGP is an EGP, its goal is to exchange routing information between ASs.
Like a distance vector protocol, BGP provides the next hop information to each destination.
Unlike a distance vector routing protocol that only sends its own routing table, BGP can apply the routing policy
defined by the network administrator.
Unlike other routing protocols, BGP uses TCP communication when sending routing information.
BGP provides not only the next hop information for the destination, but also the route information for the ASs that
the update message has passed through.
BGP reduces the bandwidth consumed by regular transmission of update messages by sending update
messages only when something has changed, except for sending the entire routing table information when it
first establishes a relationship with a BGP neighbor.
BGP supports CIDR (Classless Inter-Domain Routing).
BGP supports route aggregation, which integrates multiple routes into one route. Route aggregation reduces the use
of network bandwidth by BGP.


BGP Settings
The BGP configuration process in TiFRONT includes the following steps:

Enabling BGP (required)

Peer Group Setting

BGP Neighbor Setting (required)

Network Setting for Sending Information to BGP Neighbor

Route Redistribution Setting

Default Route Setting

Route Reflector Setting

Setting the Removal of Private AS Numbers

BGP Attribute Setting

Route Aggregation Setting

BGP Timer Setting

Fast External Failover Setting

Neighbor State Change Log Setting

Validity Check Period Setting for BGP Routing Information

Nexthop Address Tracking Setting

eBGP Multihop Setting

Enforce Multihop Setting

Maximum Prefix Setting

Next Hop Self Setting

RFC 1771 Support Setting

Loopback Interface Setting

Routing Information Filtering

Each setting step is described below.


Enabling BGP
To enable BGP in TiFRONT, run the following commands in <Configuration Mode>.

No. 1
Command: router bgp <1-4294967295>
Description: Enable the BGP routing process and enter <BGP Configuration Mode>.
    <1-4294967295>  Number of the AS to which TiFRONT belongs. Setting range: 1 ~ 4294967295

No. 2
Command: bgp router-id <A.B.C.D>
Description: Set the BGP router ID. This must be a unique value that is not used by
any other routers. If the router ID is not set, the largest IP address of the
interfaces defined in TiFRONT is used as the router ID by default.
    <A.B.C.D>  Enter the BGP router ID in IP address format.

Note: To delete the BGP router ID, run the command no bgp router-id <A.B.C.D> in <BGP Configuration Mode>.

Note: To disable the BGP routing process, run the command no router bgp <1-4294967295> in <Configuration Mode>.

Peer Group Setting

All BGP routers in one AS must form neighbor router relationships with other BGP routers. If there are many
BGP neighbors, it is cumbersome to set each and every neighbor. In this case, you can specify BGP neighbors
as a peer group for efficient management. When you specify a peer group as a target when setting BGP
neighbors, the same setting will be applied to all the neighbors of the group.
In order to use a peer group, you must first create a peer group, and then specify the neighbors to be included in that
group.
To create a peer group, run the following command in <BGP Configuration Mode>.

Command: neighbor <WORD> peer-group
Description: Create a peer group.
    <WORD>  Peer group name

Note: To delete a peer group, run the command no neighbor <WORD> peer-group in <BGP Configuration Mode>.


To specify routers to be included in a peer group, run the following command in <BGP Configuration Mode>.

Command: neighbor {<A.B.C.D> | <X:X::X:X>} peer-group <WORD>
Description: Add a router to the peer group.
    <A.B.C.D>  IPv4 address of the router to be included in the peer group
    <X:X::X:X>  IPv6 address of the router to be included in the peer group
    <WORD>  Peer group name

Note: To delete a router from a peer group, run the command no neighbor {<A.B.C.D> | <X:X::X:X>} peer-group <WORD> in <BGP
Configuration Mode>.

BGP Neighbor Setting


Two routers that form a TCP connection to exchange BGP routing information are called BGP neighbors.
Because BGP does not automatically search neighbors that can exchange routing information, you must
directly specify the IP address of a neighbor and the AS number that the neighbor belongs to.
If the AS number used to specify a BGP neighbor is identical to the AS number to which one belongs (the AS
number entered when the router bgp command was run), that BGP neighbor is an internal neighbor that
belongs to a local network. Therefore, it is connected through iBGP. If the AS numbers differ, it is an external
neighbor that is connected through eBGP. The external neighbor connected through eBGP must be directly
connected. However, the internal neighbor connected through iBGP just needs to be a router that can be
reached through IGP.
In the following figure, Routers B and D are BGP routers that belong to the same AS (AS 200), so they are
connected through iBGP. Furthermore, Routers A and B, and Routers D and E, are connected through eBGP
because they belong to different ASs.

[Figure: Router A (AS 100), Routers B and D (AS 200) with Router C between them, and Router E (AS 300).
Addresses shown: 129.213.1.1 and 129.213.1.2 on the Router A - Router B link, 10.0.0.1 and 10.0.0.2 and
20.0.0.1 and 20.0.0.2 on the links through Router C, 30.0.0.1 and 30.0.0.2 on the Router D - Router E link.]

To specify a BGP neighbor, run the following command in <BGP Configuration Mode>.

Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} remote-as <1-4294967295>
Description: Specify a BGP neighbor.
    <A.B.C.D>  IPv4 address of the other device to become a BGP neighbor
    <WORD>  Peer group name. If a peer group is specified, every device of the group becomes a BGP neighbor.
    <X:X::X:X>  IPv6 address of the other device to become a BGP neighbor
    <1-4294967295>  Number of the AS to which the other device belongs. Setting range: 1 ~ 4294967295

Note: To release the BGP neighbor relationship, run the command no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} remote-as <1-4294967295> in <Configuration Mode>.

The procedures for specifying a BGP neighbor in each router in the figure are as follows:
[Router A]
(config)# router bgp 100
(config-router)# neighbor 129.213.1.2 remote-as 200
[Router B]
(config)# router bgp 200
(config-router)# neighbor 129.213.1.1 remote-as 100
(config-router)# neighbor 20.0.0.2 remote-as 200
[Router D]
(config)# router bgp 200
(config-router)# neighbor 10.0.0.2 remote-as 200
(config-router)# neighbor 30.0.0.1 remote-as 300
[Router E]
(config)# router bgp 300
(config-router)# neighbor 30.0.0.2 remote-as 200

To release only the TCP connection with a neighbor while maintaining the BGP neighbor relationship, run the
following command in <BGP Configuration Mode>.

Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} shutdown
Description: Release only the TCP connection with the neighbor.
    <A.B.C.D>  IPv4 address of the other device with which to release only the TCP connection
    <WORD>  Name of a peer group with which to release only the TCP connection
    <X:X::X:X>  IPv6 address of the other device with which to release only the TCP connection

Note: To make a TCP connection again after disconnecting the TCP connection with a neighbor, run the command no neighbor {<A.B.C.D> |
<WORD> | <X:X::X:X>} shutdown in <BGP Configuration Mode>.

Network Setting for Sending Information to BGP Neighbor

To send routing information to a BGP neighbor, you must specify the network of the routing information to
send. The specified network must be directly connected so that it is reachable from TiFRONT, or added to the
routing table as a static or dynamic route. To specify the network of the routing information to send, run the
following command in <BGP Configuration Mode>.

Command: network {<A.B.C.D> [mask <A.B.C.D>] | <A.B.C.D/M>} [backdoor] [route-map <WORD>]
Description: Specify the network of the routing information to send to a BGP neighbor.
    <A.B.C.D>  Network address of the routing information
    mask <A.B.C.D>  Subnet mask
    <A.B.C.D/M>  Network address and netmask bits of the routing information
    <WORD>  Name of the route map to be applied when sending the routing information
    backdoor  The AD value of the route is changed to 200.

Note: If you don't want to send the routing information of the specified network to BGP neighbors, run the command no network <ipaddress>/<mask> in <BGP Configuration Mode>.

Route Redistribution Setting

To send neighbor routers the information about the routes that are directly connected to routers through
BGP, user-defined static routes, and the route information learned from other routing protocols, you must
redistribute the routes. To send the routing information to neighbors, run the following command in <BGP
Configuration Mode>.

Command: redistribute {connected | isis | kernel | ospf | rip | static} [route-map <WORD>]
Description: Specify the routes to be redistributed.
    connected  Directly connected route
    isis  Route learned by IS-IS
    kernel  Route that the kernel has
    ospf  Route learned by OSPF
    rip  Route learned by RIP
    static  Static route
    <WORD>  Name of the route map to be applied when redistributing the routes

Note: If you don't want to redistribute the routes, run the command no redistribute {connected | isis | kernel |
ospf | rip | static} [route-map <WORD>] in <BGP Configuration Mode>.


Default Route Setting

To send routing information to a specific neighbor router or peer group so that they use TiFRONT as their
default route, run the following command in <BGP Configuration Mode>.

Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} default-originate [route-map <WORD>]
Description: Specify a neighbor router or peer group to which to send the default route.
    <A.B.C.D>  IPv4 address of the neighbor router to which to send the default route
    <WORD>  Name of a peer group to which to send the default route
    <X:X::X:X>  IPv6 address of the neighbor router to which to send the default route
    route-map <WORD>  Name of the route map to be applied when sending the default route

Note: To delete the default route setting, run the command no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} default-originate
[route-map <WORD>] in <BGP Configuration Mode>.

Route Reflector Setting

To prevent a loop of routing information, BGP does not send information received from an iBGP router to
another iBGP router. Due to this characteristic, the iBGP routers in one AS must be connected as a full mesh.
However, the full mesh configuration is complex due to the connections between all iBGP routers, and the
volume of routing information exchanged increases greatly. The route reflector is designed to resolve the problem
of the full mesh configuration. When you specify a route reflector, it delivers the information received from an iBGP
router to another iBGP router (route reflector client). The route reflector function is used by specifying the
route reflector clients on the route reflector that sends the routing information. To specify a Route Reflector
Client in TiFRONT, run the following command in <BGP Configuration Mode>.

Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} route-reflector-client
Description: Specify a Route Reflector Client.
    <A.B.C.D>  IPv4 address of the Route Reflector Client.
    <WORD>  Peer group name of the Route Reflector Client.
    <X:X::X:X>  IPv6 address of the Route Reflector Client.

Note: To delete the Route Reflector Client, run the command no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} route-reflector-client in <BGP Configuration Mode>.

A route reflector together with its route reflector clients is called a cluster. You can set multiple route reflectors
in one AS. In this case, you set a cluster ID on each route reflector to differentiate the clusters. To set a cluster
ID, run the following command in <BGP Configuration Mode>.

Command: bgp cluster-id {<1-4294967295> | <A.B.C.D>}
Description: Specify a cluster ID.
    <1-4294967295>  Specify a cluster ID. Setting range: 1 ~ 4294967295
    <A.B.C.D>  Specify the cluster ID in IP address format.

Note: To delete the cluster ID, run the command no bgp cluster-id in <BGP Configuration Mode>.

Setting the Removal of Private AS Numbers

When private AS numbers are used in addition to sub-AS numbers in the configuration, you must remove the
private AS numbers from the routing information sent outside the AS.
To remove the private AS numbers from the routing information sent outside, run the following
command in <BGP Configuration Mode>.

Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} remove-private-AS
Description: Remove the private AS number from the routing information.
    <A.B.C.D>  IPv4 address of the neighbor
    <WORD>  Peer group name.
    <X:X::X:X>  IPv6 address of the neighbor

Note: To cancel the private AS number removal, run the command no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} remove-private-AS in <BGP Configuration Mode>.

BGP Attribute Setting


When there are multiple routes to the same destination in the BGP routing table, BGP selects the optimum
route based on BGP attributes. This section describes the types of BGP attributes and the procedure for
setting them.

Weight Attribute Setting


Weight is the first attribute BGP uses when selecting the optimum route among multiple routes to the
same destination; the route with the highest weight is selected. Weight is set on routes received from a
BGP neighbor and is local to this router: it is not propagated to other routers. By default, the weight of a
route received from a BGP neighbor in a different AS is 0, and the weight of a route received from a BGP
neighbor in the same AS is 32768.
You can set the weight value directly for each BGP neighbor. With a weight value you can have the routes
received from a specific BGP neighbor preferred over others, or avoided where possible.


To specify a weight value of the route received from the specified BGP neighbor, run the following command
in <BGP Configuration Mode>.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} weight <0-65535>
Description: Specify the weight value of the routes received from a BGP neighbor.
  <A.B.C.D>    IPv4 address of the neighbor.
  <WORD>       Peer group name.
  <X:X::X:X>   IPv6 address of the neighbor.
  <0-65535>    Weight for the routes received from the neighbor. Setting range: 0 ~ 65535

Note: To ignore the weight set by the user and use the default value, run the command no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} weight in <BGP Configuration Mode>.

Local Preference Attribute Setting


If several routers (exit points) in the same AS can reach a network that belongs to another AS, BGP must
select only one of them. The attribute used to select the exit point from the local AS to the network of
another AS is local preference.
Local preference is set per router, and the same value is applied to every route received by that router.
The routers that are candidate exit points for the same network exchange and compare their local
preference values, and the router with the larger local preference value becomes the exit point. Therefore,
unlike the weight attribute, which is not propagated to other routers, local preference values are exchanged
between the routers inside the local AS so that they can be compared. The default local preference value is
100. Because a greater local preference value has higher priority, set a higher local preference on the router
that you want selected as the exit point.
To set a local preference value, run the following command in <BGP Configuration Mode>.
Command: bgp default local-preference <0-4294967295>
Description: Change the local preference value.
  <0-4294967295>   Local preference value. Setting range: 0 ~ 4294967295 (Default value: 100)

Note: To return the local preference value to the default 100, run the command no bgp default local-preference in <BGP Configuration Mode>.

AS Path Attribute Setting


The AS path attribute is the list of AS numbers included in a route; in other words, it indicates the ASs
through which the route passes. BGP adds the AS path attribute value when sending routing information
to BGP neighbors. When BGP receives routes for the same destination from different neighbors, it chooses the
one with the shortest AS path.

As with the local preference of a route, you must use a route map to change the AS path. The set
command of the route map used to change the AS path is set as-path prepend. For details about the
types of set commands and the route map, see the route map setting section.

To define a route map and change the AS path of a route, perform the following procedure in
<Configuration Mode>.
Step 1
Command: route-map <WORD> permit <1-65535>
Description: Define a route map and enter <Route map configuration mode>. The sequence number determines
the order in which the entries are applied when a route map of the same name is already defined.
  <WORD>       Name of the route map.
  <1-65535>    Sequence number of the route map rule. Setting range: 1 ~ 65535
Step 2
Command: set as-path prepend <1-4294967295>
Description: Change the AS path of the route.
  <1-4294967295>   AS number to be added to the current AS path. Setting range: 1 ~ 4294967295
Step 3
Command: exit
Description: Exit to <Configuration mode> from <Route map configuration mode>.
Step 4
Command: router bgp <1-4294967295>
Description: Enter <BGP Configuration Mode>.
Step 5
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} route-map <WORD> out
Description: Apply the route map defined in steps 1 and 2 to the routing information sent to the specified neighbor.
  <A.B.C.D>    IPv4 address of the neighbor to which the route map will be applied.
  <WORD>       Name of a peer group to which the route map will be applied.
  <X:X::X:X>   IPv6 address of the neighbor to which the route map will be applied.
  <WORD>       Name of the route map.

In the following example, a route map named aspath that prepends AS 500 is defined, and the route map is
applied to the routing information sent to the BGP neighbor with the IP address 200.1.1.2.
(config)# route-map aspath permit 10
(config-route-map)# set as-path prepend 500
(config-route-map)# exit
(config)# router bgp 100
(config-router)# neighbor 200.1.1.2 route-map aspath out
(config-router)#

With the above settings, when TiFRONT sends routing information to the neighbor with the IP address
200.1.1.2, the AS number 500 set in the route map is added to the AS path attribute.

MED (Multi-Exit Discriminator) Attribute Setting


The MED attribute is a metric that is added when BGP sends routing information. When routing
information for the same destination is received from different neighbors, BGP selects the one with the
lower metric value.
By default, MED compares the metric values only of routing information received from routers that belong
to the same AS. If you want to compare the metric values of routing information received from different
ASs, run the following command in <BGP Configuration Mode>.
Command: bgp always-compare-med
Description: Enable the comparison of the metric values of routing information received from different ASs.

Note: To return to comparing the metric values only of routing information received from the same AS, run the command no
bgp always-compare-med in <BGP Configuration Mode>.

To set the metric value yourself, you must use a route map. The set command of the route map used to
change the metric value is set metric. For details about the types of set commands and the route map, see
the route map setting section.

To define a route map and change the metric value of a route, perform the following procedure in
<Configuration Mode>.
Step 1
Command: route-map <WORD> permit <1-65535>
Description: Define a route map and enter <Route map configuration mode>. The sequence number determines
the order in which the entries are applied when a route map of the same name is already defined.
  <WORD>       Name of the route map.
  <1-65535>    Sequence number of the route map rule. Setting range: 1 ~ 65535
Step 2
Command: set metric <+/-><0-4294967295>
Description: Change the metric value of a route.
  <+/-><0-4294967295>   Use + or - to increase or decrease the metric by the given amount; without a sign
                        the metric is set to the value. Setting range: 0 ~ 4294967295
Step 3
Command: exit
Description: Exit to <Configuration mode> from <Route map configuration mode>.
Step 4
Command: router bgp <1-4294967295>
Description: Enter <BGP Configuration Mode>.
Step 5
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} route-map <WORD> out
Description: Apply the route map defined in steps 1 and 2 to the routing information sent to the specified neighbor.
  <A.B.C.D>    IPv4 address of the neighbor to which the route map will be applied.
  <WORD>       Name of a peer group to which the route map will be applied.
  <X:X::X:X>   IPv6 address of the neighbor to which the route map will be applied.
  <WORD>       Name of the route map.

In the following example, the med route map, which sets the metric value of the route to 15, is defined, and
this route map is applied to the route for sending to a BGP neighbor with the IP address 200.1.1.2.
(config)# route-map med permit 1
(config-route-map)# set metric 15
(config-route-map)# exit
(config)# router bgp 100
(config-router)# neighbor 200.1.1.2 route-map med out
(config-router)#

With the above settings, the route information with the metric value 15 will be sent to the neighbor 200.1.1.2.
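To make the order of the attribute comparisons described in the Weight, Local Preference, AS Path and MED sections concrete, here is an added Python model (not TiFRONT code; the neighbor addresses, AS numbers, AS paths and MED values are constructed for the example) that selects the best of several candidate routes in that order, including the same-AS restriction on MED comparison that bgp always-compare-med lifts:

```python
from dataclasses import dataclass
from typing import List, Optional

LOCAL_AS = 100  # constructed: AS number of this router (router bgp 100 in the guide's examples)


@dataclass
class BgpRoute:
    """One path to a destination as learned from a BGP neighbor (constructed model)."""
    neighbor: str
    neighbor_as: int
    as_path: List[int]
    med: int = 0
    local_pref: int = 100          # guide default for local preference
    weight: Optional[int] = None   # None: use the default weight described in the guide

    def effective_weight(self) -> int:
        if self.weight is not None:
            return self.weight
        # Guide: 32768 for a route from a neighbor in the same AS, 0 for another AS
        return 32768 if self.neighbor_as == LOCAL_AS else 0


def better(a: BgpRoute, b: BgpRoute, always_compare_med: bool = False) -> bool:
    """True when route a is preferred over route b, in the attribute order the guide describes."""
    # 1. Weight: highest wins (local to this router, never advertised)
    if a.effective_weight() != b.effective_weight():
        return a.effective_weight() > b.effective_weight()
    # 2. Local preference: highest wins
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref
    # 3. AS path: shortest wins
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) < len(b.as_path)
    # 4. MED: lowest wins, but only compared between routes received from the same AS
    #    unless 'bgp always-compare-med' is configured
    if (a.neighbor_as == b.neighbor_as or always_compare_med) and a.med != b.med:
        return a.med < b.med
    return False   # tie on everything modelled here: the route already selected is kept


def select_best(routes: List[BgpRoute], always_compare_med: bool = False) -> Optional[BgpRoute]:
    """Pick the best route for one destination from the candidate list."""
    best: Optional[BgpRoute] = None
    for r in routes:
        if best is None or better(r, best, always_compare_med):
            best = r
    return best


if __name__ == "__main__":
    candidates = [
        BgpRoute("200.1.1.2", 200, [200, 300], med=10),
        BgpRoute("200.1.1.3", 200, [200, 300], med=5),      # wins on MED against the first
        BgpRoute("10.0.0.2", 100, [400, 300, 500]),         # iBGP: default weight 32768
    ]
    print(select_best(candidates).neighbor)   # the iBGP route wins on weight
```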

Community Attribute
The community attribute indicates the processing method for routing information to neighbors. Depending
on the community attribute setting, the neighbor receiving the routing information determines whether to
send the routing information to external ASs or only to the local AS. There are three types of communities:

local-AS
The routing information is sent only to the local AS and not to other eBGP neighbors.

no-advertise
The routing information is not sent to other BGP neighbors (cannot send to both local and external ASs).

no-export
The routing information is sent only to the local AS to which the neighbor belongs and not outside the AS.

To send the community attribute to neighbors, run the following command in <BGP Configuration Mode>.
Command: neighbor <ip-address> send-community
Description: Send the community attribute to the neighbor.

Note: To stop sending community attributes to a neighbor, run the command no neighbor <ip-address> send-community in <BGP Configuration Mode>.


You can set the community attribute to send to neighbors through a route map. The set command of the
route map used to set the community attribute is set community. For details about the types of set commands
and the route map, see the route map settings section. To define a route map and set the community
attribute of a route, perform the following procedure in <Configuration Mode>.
Step 1
Command: route-map <WORD> permit <1-65535>
Description: Define a route map and enter <Route map configuration mode>. The sequence number determines
the order in which the entries are applied when a route map of the same name is already defined.
  <WORD>       Name of the route map.
  <1-65535>    Sequence number of the route map rule. Setting range: 1 ~ 65535
Step 2
Command: set community {local-AS | no-advertise | no-export}
Description: Change the community attribute.
  local-AS       Send the routing information only to the local AS.
  no-advertise   The routing information cannot be sent to other BGP neighbors.
  no-export      Send the routing information only to the local AS to which the neighbor belongs.
Step 3
Command: exit
Description: Exit to <Configuration mode> from <Route map configuration mode>.
Step 4
Command: router bgp <1-4294967295>
Description: Enter <BGP Configuration Mode>.
Step 5
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} route-map <WORD> out
Description: Apply the route map defined in steps 1 and 2 to the routing information sent to the specified neighbor.
  <A.B.C.D>    IPv4 address of the neighbor to which the route map will be applied.
  <WORD>       Name of a peer group to which the route map will be applied.
  <X:X::X:X>   IPv6 address of the neighbor to which the route map will be applied.
  <WORD>       Name of the route map.

In the following example, a route map named comm, which sets the community attribute to no-export, is
defined, and this community is sent to the BGP neighbor with the IP address 200.1.1.2.
(config)# route-map comm permit 10
(config-route-map)# set community no-export
(config-route-map)# exit
(config)# router bgp 100
(config-router)# neighbor 200.1.1.2 send-community
(config-router)# neighbor 200.1.1.2 route-map comm out
(config-router)#

With the above settings, neighbor 200.1.1.2 may pass this routing information on to other neighbors inside
its own AS, but not to other ASs.
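The three route-map examples above (set as-path prepend, set metric and set community, together with send-community) can be checked against this added Python model of outbound policy. It is not TiFRONT code; the route, route-map names and neighbor settings are constructed, the implicit deny at the end of a route map is an assumption the guide does not state, and the local AS that BGP itself adds to the path on eBGP sessions is not modelled:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Route:
    """Routing information for one prefix (constructed model)."""
    prefix: str
    as_path: List[int]
    med: int = 0
    community: Optional[str] = None   # "local-AS", "no-advertise", "no-export" or None


@dataclass
class RouteMapEntry:
    """One 'route-map <name> permit|deny <seq>' entry with its set clauses."""
    seq: int
    action: str                                # "permit" or "deny"
    match_prefixes: Optional[Set[str]] = None  # None: no match clause, matches every route
    sets: Dict[str, str] = field(default_factory=dict)

    def matches(self, route: Route) -> bool:
        return self.match_prefixes is None or route.prefix in self.match_prefixes


@dataclass
class Neighbor:
    """Per-neighbor settings made in <BGP Configuration Mode>."""
    address: str
    route_map_out: Optional[str] = None   # neighbor <addr> route-map <WORD> out
    send_community: bool = False          # neighbor <addr> send-community


def apply_metric(current: int, spec: str) -> int:
    """set metric <+/-><n>: '+n' adds, '-n' subtracts (not below 0), 'n' alone replaces."""
    if spec.startswith("+"):
        return current + int(spec[1:])
    if spec.startswith("-"):
        return max(0, current - int(spec[1:]))
    return int(spec)


def apply_route_map(entries: List[RouteMapEntry], route: Route) -> Optional[Route]:
    """Evaluate the entries in sequence order; the first matching entry decides.
    Returns the modified route, or None when the route is denied."""
    for e in sorted(entries, key=lambda entry: entry.seq):
        if not e.matches(route):
            continue
        if e.action == "deny":
            return None
        out = Route(route.prefix, list(route.as_path), route.med, route.community)
        if "as-path prepend" in e.sets:          # set as-path prepend <AS>
            out.as_path.insert(0, int(e.sets["as-path prepend"]))
        if "metric" in e.sets:                   # set metric <+/-><n>
            out.med = apply_metric(out.med, e.sets["metric"])
        if "community" in e.sets:                # set community {local-AS|no-advertise|no-export}
            out.community = e.sets["community"]
        return out
    return None   # assumption: a route matching no entry is denied


def advertise(route: Route, neighbor: Neighbor,
              route_maps: Dict[str, List[RouteMapEntry]]) -> Optional[Route]:
    """Attributes as sent to one neighbor: outbound route map first, then the send-community check."""
    if neighbor.route_map_out is not None:
        out = apply_route_map(route_maps[neighbor.route_map_out], route)
        if out is None:
            return None
    else:
        out = Route(route.prefix, list(route.as_path), route.med, route.community)
    if not neighbor.send_community:
        out.community = None   # without send-community the attribute is not sent at all
    return out


def may_readvertise(community: Optional[str], to_ebgp: bool) -> bool:
    """What the receiving neighbor may do with the route, according to the community it carries."""
    if community == "no-advertise":
        return False            # not sent to any BGP neighbor
    if community in ("no-export", "local-AS"):
        return not to_ebgp      # stays inside the receiving neighbor's AS
    return True


if __name__ == "__main__":
    maps = {"aspath": [RouteMapEntry(10, "permit", sets={"as-path prepend": "500"})],
            "med": [RouteMapEntry(1, "permit", sets={"metric": "15"})],
            "comm": [RouteMapEntry(10, "permit", sets={"community": "no-export"})]}
    route = Route("10.1.0.0/16", [300], med=4)   # constructed route learned from AS 300
    for name in maps:
        print(name, advertise(route, Neighbor("200.1.1.2", name, send_community=True), maps))
```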

Route Aggregation Setting


In BGP, you can combine multiple routes into one route; this is called aggregation. Aggregation reduces
routing traffic and the routing table size by advertising a single summary route instead of each individual
route.
To specify the network to be advertised as an aggregate route, run the following command in <BGP
Configuration Mode>.
Command: aggregate-address <A.B.C.D/M> [as-set] [summary-only]
Description: Specify a network to be advertised as an aggregate route. You can use the as-set and
summary-only options together, in either order.
  <A.B.C.D/M>    Network address of the aggregate route.
  as-set         The information about every AS that belongs to the aggregated networks is kept.
  summary-only   Only the routing information about the aggregate network is sent to other routers.

Note: To delete the route aggregation setting, run the command no aggregate-address <A.B.C.D/M> [as-set] [summary-only] in <BGP
Configuration Mode>.

Timer Settings
BGP uses four types of timers to maintain connections with neighbors and send routing information: keepalive,
holdtime, connect, and update. By default, the keepalive, holdtime, and connect timers are set to 60 sec, 180 sec,
and 60 sec, respectively, and the update timer is set to 5 sec for iBGP and 30 sec for eBGP. You can change each
timer from its default as described below.

Keepalive and Holdtime Timer Settings


The keepalive and holdtime timers are used to maintain the TCP connection with neighbors. You can set
common values for all BGP neighbors or separate values for specific neighbors.
To set the keepalive and holdtime timer values that apply to all BGP neighbors, use the following command
in <BGP Configuration Mode>.
Command: timers bgp <0-65535> <0-65535>
Description: Change the keepalive timer and holdtime timer settings.
  <0-65535>   Keepalive timer. Setting range: 0 ~ 65535 (Default value: 60 sec)
  <0-65535>   Holdtime timer. Setting range: 0 ~ 65535 (Default value: 180 sec)

Note: To delete the keepalive and holdtime timer values and return to the defaults, run the command no timers bgp.

The timer values set by the timers bgp command described above are commonly used for all BGP neighbors.
You can use the following command in <BGP Configuration Mode> to set the keepalive and holdtime timer
values to be applied to specific neighbors only.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} timers <0-65535> <0-65535>
Description: Set the keepalive and holdtime timer values applied to the specified neighbor only.
  <A.B.C.D>    IPv4 address of the neighbor.
  <WORD>       Peer group name.
  <X:X::X:X>   IPv6 address of the neighbor.
  <0-65535>    Keepalive timer. Setting range: 0 ~ 65535 (Default value: 60 sec)
  <0-65535>    Holdtime timer. Setting range: 0 ~ 65535 (Default value: 180 sec)

Note: To delete the keepalive and holdtime timer values set for the specified neighbor and use the values set by the timers bgp command instead,
run the command no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} timers.

Connect Timer Setting


The connect timer is the interval at which the TCP connection to the specified BGP neighbor is retried after it
is lost. The connect timer is set to 60 seconds by default; you can change this value by using the following
command in <BGP Configuration Mode>.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} timers connect <1-65535>
Description: Set the connect timer value applied to the specified neighbor only.
  <A.B.C.D>    IPv4 address of the neighbor.
  <WORD>       Peer group name.
  <X:X::X:X>   IPv6 address of the neighbor.
  <1-65535>    Connect timer. Setting range: 1 ~ 65535 (Default value: 60 sec)

Note: To delete the connect timer value and use the default value 60 sec again, run the command no neighbor {<A.B.C.D> | <WORD> |
<X:X::X:X>} timers connect.

Update Timer Setting


The update timer is the minimum interval between routing information update packets sent to the specified
BGP neighbor. The update timer is set to 5 sec for iBGP and 30 sec for eBGP by default. You can change this
value by using the following command in <BGP Configuration Mode>.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} advertisement-interval <0-600>
Description: Set the update timer value applied to the specified neighbor only. If you set this to 0, the update
packet is sent to the neighbor immediately whenever the routing information changes.
  <A.B.C.D>    IPv4 address of the neighbor.
  <WORD>       Peer group name.
  <X:X::X:X>   IPv6 address of the neighbor.
  <0-600>      Update timer. Setting range: 0 ~ 600 (Default value: iBGP 5 sec, eBGP 30 sec)

Note: To delete the update timer value and use the default value again, run the command no neighbor {<A.B.C.D> | <WORD> |
<X:X::X:X>} advertisement-interval.

Fast External Failover Setting


Fast External Failover re-establishes a BGP session immediately when the interface used for the BGP connection
goes down. Fast External Failover is enabled by default.
To enable the Fast External Failover function, run the following command in <BGP Configuration Mode>.
Command: bgp fast-external-failover
Description: Enable Fast External Failover.

Note: To disable the Fast External Failover function, run the command no bgp fast-external-failover in <BGP Configuration Mode>.

Neighbor State Change Log Setting


To record logs for the state change events of a BGP neighbor, run the following command in <BGP Configuration
Mode>. The neighbor state change log is not recorded by default.
Command: bgp log-neighbor-changes
Description: Record the state change logs of BGP neighbors.

Note: To disable the recording of state change logs of a BGP neighbor, run the command no bgp log-neighbor-changes in <BGP
Configuration Mode>.


Validity Check Period Setting for BGP Routing Information


BGP periodically checks the validity of the routing information in the BGP routing table. The checking period is
60 sec by default, and you can change this period by running the following command in <BGP Configuration Mode>.
Command: bgp scan-time <0-60>
Description: Set the validity check period for BGP routing information. If you set this to 0, the routing
information validity check is not performed.
  <0-60>   Validity check period. Setting range: 0 ~ 60 (Default value: 60 sec)

Note: To reset the validity check period to the default value, run the command no bgp scan-time in <BGP Configuration Mode>.

Nexthop Address Tracking Setting


Nexthop address tracking monitors the state of the routes in the RIB (Routing Information Base) and reflects
changes in the state of the nexthop in the BGP process.
To enable the nexthop address tracking function, perform the following procedure in <Configuration
Mode>.
Step 1
Command: bgp nexthop-trigger delay <1-100>
Description: Set the waiting time until a nexthop state change is reflected in the BGP process.
  <1-100>   Waiting time in seconds. Setting range: 1 ~ 100 (Default value: 5 sec)
Step 2
Command: bgp nexthop-trigger enable
Description: Enable the nexthop address tracking function.

Note: To return the delay to the default setting, run the command no bgp nexthop-trigger delay in <Configuration Mode>.

Note: To disable the nexthop address tracking function, run the command no bgp nexthop-trigger enable in <Configuration Mode>.


eBGP Multihop Setting


If an eBGP neighbor is not directly connected, you must specify the hop count to the neighbor. When specifying
the eBGP multihop, the hop count counts every router on the path, including the neighbor routers at both
ends. To specify a hop count for a neighbor, run the following command in <BGP Configuration Mode>.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} ebgp-multihop <1-255>
Description: Specify the hop count for an eBGP neighbor.
  <A.B.C.D>    IPv4 address of the neighbor.
  <WORD>       Peer group name.
  <X:X::X:X>   IPv6 address of the neighbor.
  <1-255>      Hop count to the neighbor. Setting range: 1 ~ 255

Note: To delete the hop count setting for a neighbor, run the command no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} ebgp-multihop [<1-255>] in <BGP Configuration Mode>.

Enforce Multihop Setting


The Enforce Multihop function enforces a specific neighbor as an eBGP neighbor that is not directly
connected. To enable enforce multihop for a specific neighbor, run the following command in <BGP
Configuration Mode>.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} enforce-multihop
Description: Set the specified neighbor as an eBGP neighbor that is not directly connected.
  <A.B.C.D>    IPv4 address of the neighbor.
  <WORD>       Peer group name.
  <X:X::X:X>   IPv6 address of the neighbor.

Note: To disable the enforce multihop function for a neighbor, run the command no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>}
enforce-multihop in <BGP Configuration Mode>.


Maximum Prefix Setting


The maximum prefix function prevents the memory exhaustion that may occur when a BGP router receives too
much routing information. To limit the amount of routing information received from a neighbor or a peer group,
run the following command in <BGP Configuration Mode>.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} maximum-prefix <1-4294967295> [<1-100>] [warning-only]
Description: Limit the amount of routing information received from a neighbor or peer group.
  <A.B.C.D>        IPv4 address of the neighbor.
  <WORD>           Peer group name.
  <X:X::X:X>       IPv6 address of the neighbor.
  <1-4294967295>   Maximum routing information count that can be received. Setting range: 1 ~ 4294967295
  <1-100>          Threshold, as a percentage of the maximum, at which a warning about the routing
                   information count is given. Setting range: 1 ~ 100 (%)
  warning-only     The routing information count is not limited; only a warning message is displayed.

Note: To delete the maximum prefix setting for a neighbor, run the command no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>}
maximum-prefix [<1-4294967295> [warning-only]] in <BGP Configuration Mode>.
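To show how the maximum, the percentage threshold and warning-only interact as prefixes arrive and are withdrawn, here is an added Python model (not TiFRONT code). The neighbor address, the limit of 4 prefixes and the 75% threshold are constructed for the example, and tearing the session down when the maximum is exceeded without warning-only is an assumption the guide does not spell out:

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Set


@dataclass
class MaxPrefixPolicy:
    """neighbor <addr> maximum-prefix <maximum> [<threshold>] [warning-only]"""
    maximum: int            # <1-4294967295>: routing information count that may be received
    threshold_pct: int      # <1-100>: percentage of the maximum at which a warning is logged
    warning_only: bool = False


@dataclass
class NeighborPrefixState:
    """Prefixes currently held from one neighbor, with the policy applied to them."""
    neighbor: str
    policy: MaxPrefixPolicy
    prefixes: Set[str] = field(default_factory=set)
    session_up: bool = True
    log: List[str] = field(default_factory=list)

    def receive_update(self, announced: Iterable[str], withdrawn: Iterable[str] = ()) -> bool:
        """Apply one UPDATE from the neighbor and enforce the policy on the resulting count.
        Returns True while the session stays up."""
        if not self.session_up:
            return False
        for p in withdrawn:
            self.prefixes.discard(p)
        for p in announced:
            self.prefixes.add(p)
        count, limit = len(self.prefixes), self.policy.maximum
        if count > limit:
            if self.policy.warning_only:
                # count is not limited: the routes are kept and only a warning is logged
                self.log.append(f"{self.neighbor}: {count} prefixes exceed maximum {limit} (warning-only)")
            else:
                # limit enforced (assumption): drop the neighbor's routes and take the session down
                self.log.append(f"{self.neighbor}: {count} prefixes exceed maximum {limit}, session reset")
                self.prefixes.clear()
                self.session_up = False
        elif count * 100 >= limit * self.policy.threshold_pct:
            self.log.append(f"{self.neighbor}: {count} prefixes, "
                            f"{self.policy.threshold_pct}% of maximum {limit} reached")
        return self.session_up


if __name__ == "__main__":
    # constructed: neighbor 200.1.1.2 maximum-prefix 4 75
    state = NeighborPrefixState("200.1.1.2", MaxPrefixPolicy(maximum=4, threshold_pct=75))
    state.receive_update(["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"])   # 3 of 4: threshold warning
    state.receive_update(["10.0.3.0/24", "10.0.4.0/24"], withdrawn=["10.0.0.0/24"])  # still 4: warning
    state.receive_update(["10.0.5.0/24"])                                  # 5 > 4: session reset
    print("\n".join(state.log), state.session_up)
```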

Next Hop Self Setting


The next hop self function makes an eBGP router that is connected to another AS rewrite the next hop of the
routing information learned for that AS's networks to its own IP address before sending it to its iBGP
neighbors. To enable the next hop self function for a specific neighbor, run the following command in <BGP
Configuration Mode>.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} next-hop-self
Description: Enable the next hop self function for the specified neighbor.
  <A.B.C.D>    IPv4 address of the neighbor.
  <WORD>       Peer group name.
  <X:X::X:X>   IPv6 address of the neighbor.

Note: To disable the next hop self function for a neighbor, run the command no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} next-hop-self in <BGP Configuration Mode>.


RFC 1771 Support Setting


There are two standards for selecting the BGP route: RFC 1771 and RFC 4271. RFC 1771 had been used
before RFC 4271, and TiFRONT supports RFC 4271 by default. However, you can set it to support RFC 1771
for compatibility with other devices that use the older standard RFC 1771.
To set the support for the RFC 1771 standard, run the following command in <Configuration Mode>.
Command: bgp rfc1771-path-select
Description: Support RFC 1771 as a method for selecting a BGP route.

Note: To disable RFC 1771 support, run the command no bgp rfc1771-path-select in <Configuration Mode>.

To set the support for the RFC 1771 standard as the only BGP route selection method, run the following
command in <Configuration Mode>.
Command: bgp rfc1771-strict
Description: Set RFC 1771 as the only method for selecting a BGP route.

Note: To cancel the exclusive use of RFC 1771, run the command no bgp rfc1771-strict in <Configuration Mode>.

Loopback Interface Setting


A loopback interface is a virtual interface with its own IP address that can be used for the TCP session with
a BGP neighbor. Using the loopback interface prevents the TCP session with a BGP neighbor from being
disconnected because of a problem with a physical interface.
To set an IP address for the loopback interface and use it for session connections with neighbors, perform
the following procedure in <Configuration Mode>.
Step 1
Command: interface lo
Description: Enter <Interface Configuration Mode> for the loopback interface.
Step 2
Command: ip address <A.B.C.D/M>
Description: Set the IP address of the loopback interface.
  <A.B.C.D/M>   IP address of the loopback interface.
Step 3
Command: exit
Description: Exit to <Configuration mode> from <Interface configuration mode>.
Step 4
Command: router bgp <1-4294967295>
Description: Enter <BGP Configuration Mode>.
Step 5
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} update-source lo
Description: Use the loopback interface for the connection with the specified neighbor.
  <A.B.C.D>    IPv4 address of the neighbor.
  <WORD>       Peer group name.
  <X:X::X:X>   IPv6 address of the neighbor.

Note: To delete the loopback interface setting, run the command no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} update-source in
<BGP Configuration Mode>.


BGP Session Reset


If the routing policy of the BGP router is changed, you must reset the sessions with neighbors to apply the
updated policy.
To reset BGP sessions, run the following commands in <Privileged Mode>.
Command: clear ip bgp {* | <A.B.C.D> | <X:X::X:X> | <1-4294967295> | peer-group <WORD>}
Description: Reset BGP sessions.
  *                Reset the sessions with all neighbors.
  <A.B.C.D>        IPv4 address of the neighbor whose session will be reset.
  <X:X::X:X>       IPv6 address of the neighbor whose session will be reset.
  <1-4294967295>   AS number whose sessions will be reset. The sessions with all neighbors that belong to this AS are reset.
  <WORD>           Name of the peer group whose sessions will be reset.

Routing Information Filtering


BGP allows the routing information exchanged with specific neighbors to be filtered by one of the following
four methods:

Distribute list
Filter the routing information by using an access list.

Prefix list
Filter the routing information by using a prefix list.

AS path access list
Filter the routing information by using an AS path access list.

Route map
Filter the routing information by using a route map.

To filter routing information, you must first set the conditions and policies for comparing routing information
in the access list, prefix list, AS path access list, or route map depending on the filtering method.
Note: For information about the access list setting, see [Chapter 12 Security Settings ACL (Access Control List) - ACL Setting - Access List
Setting] in this guide.

Note: For information about the prefix list setting, see [Filter Settings Prefix List Setting] in this chapter.

Note: For information about the route map setting, see [Route Map Setting] in this chapter.


To set an AS path access list, run the following command in <Configuration Mode>.
Command: ip as-path access-list <WORD> {deny | permit} <LINE>
Description: Create an AS path access list.
  <WORD>   Name of the AS path access list.
  deny     Discard routing information that meets the condition.
  permit   Permit routing information that meets the condition.
  <LINE>   Condition to compare with the AS path, entered as a regular expression.

Note: An AS path access list uses the AS path as the comparison condition. The condition is entered as a regular expression using the
following symbols.
Symbol   Description
^        Beginning of a line or string
$        End of a line or string
.        Any single character
*        The character right before it appears zero or more times
+        The character right before it appears at least once
?        The character right before it appears zero or one time
_        The start or end of a string, or a space
[]       A set or range of characters. - between two characters indicates a range. ^ inside [ ] means not.
-        Any single character within a range

Note: To delete the AS path access list, run the command no ip as-path access-list <WORD> {deny | permit} <LINE> in
<Configuration Mode>.

To filter routing information exchanged with a specific neighbor through each method, run the following
command in <BGP Configuration Mode>.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} distribute-list {<1-199> | <1300-2699> | <WORD>} {in | out}
Description: Filter the routing information by using an access list.
  <A.B.C.D>     IPv4 address of the neighbor whose routing information is filtered.
  <WORD>        Name of the peer group whose routing information is filtered.
  <X:X::X:X>    IPv6 address of the neighbor whose routing information is filtered.
  <1-199>       Number of the access list in which the filtering policy has been set. Setting range: 1 ~ 199
  <1300-2699>   Number of the extended access list in which the filtering policy has been set. Setting range: 1300 ~ 2699
  <WORD>        Name of the access list in which the filtering policy has been set.
  in            Incoming routing information is filtered.
  out           Outgoing routing information is filtered.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} prefix-list <WORD> {in | out}
Description: Filter the routing information by using a prefix list.
  <WORD>        Name of the prefix list in which the filtering policy has been set.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} filter-list <WORD> {in | out}
Description: Filter the routing information by using an AS path access list.
  <WORD>        Name of the AS path access list in which the filtering policy has been set.
Command: neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} route-map <WORD> {in | out}
Description: Filter the routing information by using a route map.
  <WORD>        Name of the route map in which the filtering policy has been set.

Note: To delete a routing information filtering setting, run the corresponding command in <BGP Configuration Mode>.
no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} distribute-list {<1-199> | <1300-2699> | <WORD>} {in | out}
no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} prefix-list <WORD> {in | out}
no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} filter-list <WORD> {in | out}
no neighbor {<A.B.C.D> | <WORD> | <X:X::X:X>} route-map <WORD> {in | out}
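The following added Python example (not TiFRONT code) evaluates an AS path access list of the kind defined with ip as-path access-list and applied to a neighbor with filter-list: it translates the _ symbol from the symbol table above into a Python regular expression and applies the deny/permit entries in order. The sample entries, which deny paths containing a 16-bit private AS number and permit only paths that start with customer AS 200, and the implicit deny when nothing matches are constructed assumptions for the example:

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class AsPathRule:
    """One 'ip as-path access-list <WORD> {deny | permit} <LINE>' entry."""
    action: str   # "permit" or "deny"
    line: str     # regular expression in the notation of the symbol table


def to_python_regex(line: str) -> str:
    """Translate the access-list notation to a Python regular expression.
    Only '_' needs translating (start or end of the string, or a space); the other
    symbols in the table mean the same in Python. Assumes '_' is not used inside [ ]."""
    return line.replace("_", r"(?:^|$|\s)")


def as_path_permitted(rules: List[AsPathRule], as_path: List[int]) -> bool:
    """Evaluate the rules in order against the AS path written as 'AS AS AS ...'.
    The first matching rule decides; a path matching no rule is denied (assumption:
    the guide does not state what happens when nothing matches)."""
    text = " ".join(str(asn) for asn in as_path)
    for rule in rules:
        if re.search(to_python_regex(rule.line), text):
            return rule.action == "permit"
    return False


# Constructed inbound policy for a customer neighbor in AS 200:
# 1. deny any path containing a 16-bit private AS number (64512-65535; the last
#    alternative also covers 65536-65599, acceptable for this example),
# 2. permit only paths whose first AS is the customer's own AS 200.
# Compare the '^200_' rule with a plain '^200': without '_' it would also match AS 2000.
CUSTOMER_FILTER = [
    AsPathRule("deny", "_(6451[2-9]|645[2-9][0-9]|64[6-9][0-9][0-9]|65[0-5][0-9][0-9])_"),
    AsPathRule("permit", "^200_"),
]


if __name__ == "__main__":
    for path in ([200, 300], [200, 65001, 300], [300, 200], [2000, 300]):
        print(path, "permit" if as_path_permitted(CUSTOMER_FILTER, path) else "deny")
```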


Checking the BGP Information


This section describes the procedures for checking the following BGP information:

BGP routing table

BGP Neighbor Information

BGP Connection Information

Showing the BGP Routing Table


Showing all entries
To show the entries of the BGP routing table, run the command show ip bgp.

Showing specific entries


To see the details about a specific entry in the BGP routing table, enter the network address of the entry in
the show ip bgp command. Then, only the detailed information about the route entry related to the entered
network will be displayed among the entries of the BGP routing table.

Showing BGP Neighbor Information


To show the BGP neighbor information, run the command show ip bgp neighbors.

Showing BGP Connection Information


You can see the connection information of each BGP neighbor by using the command show ip bgp summary.


Chapter 10
Failover Configuration
This chapter introduces the VRRP (Virtual Router Redundancy Protocol) for failover and the procedure for
setting the VRRP to configure failover in TiFRONT.
This chapter is composed of the following contents:
VRRP Overview
VRRP Configuration


VRRP Overview
There are two routing methods for determining the route used to send data from a host to a destination:
dynamic routing and static routing. Dynamic routing determines the best route between networks through
routing protocols such as RIP and OSPF and maintains the routing table. If a route in the routing table becomes
invalid because a device is down or for a similar reason, another route is searched for automatically. Dynamic
routing is convenient because you do not have to configure routes individually, but it may place a large load
on the network because of the time required to search for routes and the amount of traffic generated.
For static routing, you must configure the routing table by specifying a fixed route for each destination.
Because there is no need to search for routes, static routing places a small load on the network. However,
communication problems may occur when a route in the routing table becomes invalid, because an alternative
route is not set automatically. In the worst case, when the device set as the default gateway is down,
communication with external networks becomes impossible. In static routing, a route such as the default
gateway whose failure causes loss of communication is called the 'single point of failure.'
VRRP adds redundancy to static routing with a master router and one or more backup routers: a backup
router takes over the master role when the master router goes down. This master/backup redundancy allows
uninterrupted service even when the master router is down. Using VRRP therefore avoids the route search
load of dynamic routing and also prevents the single point of failure, which is the greatest problem of static
routing.
The following figure illustrates the single point of failure that may occur in a network that does not use
VRRP.
The following figure illustrates the single point of failure that may occur in a network that does not use the
VRRP.
[Figure - Single point of failure in a network that does not use VRRP: Router A (IP address 10.0.0.1, the single point of failure) and Router B; Host 1 with default gateway 10.0.0.1]

In the above figure, host 1 uses router A with the IP address 10.0.0.1 as its default gateway. If router A goes
down, host 1 cannot communicate with other networks. In this case, router A, whose failure cut off host 1's
communication, is the single point of failure.
Now, let us examine the case where the same network is configured with VRRP, with router A set as master
and router B as backup.
[Figure - A network using VRRP: Router A (Master) and Router B (Backup) sharing IP address 10.0.0.1; Host 1 with default gateway 10.0.0.1]


In the VRRP configuration, even when router A, which is the default gateway of host 1, goes down, host 1 can
still communicate with external networks through router B, the backup (using the route marked by a dotted
line). Therefore, the communication failure caused by a single point of failure is prevented.

VRRP Group
In the VRRP, a group of one master router and multiple backup routers is called a VRRP group. A VRRP group
is also referred to as virtual router because multiple routers work like one router. The following figure shows
a VRRP group consisting of router A and router B.
[Figure - A VRRP group: Router A (Master) and Router B (Backup) forming one VRRP group with VRID=1, Virtual IP=10.1.1.1]

A VRRP group has a unique VRID, virtual IP address, and a virtual MAC address. Routers that belong to a VRRP
group are called 'VRRP routers.'

Master Router
A master router is the VRRP router in a VRRP group that uses the virtual IP address of the group as its
interface address. Data sent to the VRRP group through the virtual IP address is actually delivered to the
master router, which holds that address on its interface, and the master router forwards the data to its
destination. ARP requests for the virtual IP address are also answered by the master router.
The master router periodically sends its information, including its state and priority, to the other VRRP
routers in the VRRP group. This information sent by the master router is called an advertisement. A backup
router learns the state and priority of the master router from the received advertisements and decides
whether or not a new master must be selected.

Backup Router
Backup routers are the remaining VRRP routers excluding one master router in a VRRP group. Backup routers
have nothing to do except receive advertisements while the master router is working normally. If no
advertisement is received from the master router within the specified time, the backup router determines
that the master router is not working normally and the backup router that has the highest priority takes over
the role of master router.

Virtual IP Address
The virtual IP address is the IP address of the VRRP group that the master router uses as its interface address.
The master router replies to ARP requests for a virtual IP address.

Priority of the VRRP Router


The priority of a VRRP router is the value referenced when the master router is elected among the backup
routers of a VRRP group. You can directly specify a value between 1 and 255 for the VRRP router priority. The
higher this value is, the higher the priority. When the master router has a problem, the router that has the
highest priority among the backup routers is elected as master router.
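The advertisement, priority, preempt and master-election behaviour described above, modelled in Python. This is an added example, not code from the TiFRONT guide or from PIOLINK: the packet layout and the master-down interval (3 × advertisement interval + skew time) follow RFC 3768 rather than anything stated on this page, and the router names, priorities and times are constructed.

```python
"""Added example: VRRPv2 advertisement encoding/decoding (RFC 3768 layout)
and a router's master-election logic. Not TiFRONT code; values are constructed."""
import struct
from dataclasses import dataclass
from typing import List

VRRP_VERSION = 2
VRRP_TYPE_ADVERTISEMENT = 1


def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid: int, priority: int, adver_int: int,
                        virtual_ips: List[str]) -> bytes:
    """Encode: version/type, VRID, priority, address count, auth type (0),
    advertisement interval (seconds), checksum, virtual IPs, 8 unused auth bytes."""
    head = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | VRRP_TYPE_ADVERTISEMENT,
                       vrid, priority, len(virtual_ips), 0, adver_int, 0)
    body = b"".join(bytes(int(o) for o in ip.split(".")) for ip in virtual_ips)
    pkt = head + body + b"\x00" * 8
    return pkt[:6] + struct.pack("!H", inet_checksum(pkt)) + pkt[8:]


@dataclass
class Advertisement:
    vrid: int
    priority: int
    adver_int: int
    virtual_ips: List[str]


def parse_advertisement(pkt: bytes) -> Advertisement:
    """Decode an advertisement, rejecting a wrong version/type, a truncated
    packet or a bad checksum so a router never acts on a corrupt one."""
    if len(pkt) < 8:
        raise ValueError("truncated VRRP header")
    vt, vrid, prio, count, _auth, interval, _csum = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != VRRP_VERSION or vt & 0x0F != VRRP_TYPE_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    if len(pkt) < 8 + 4 * count + 8:
        raise ValueError("truncated VRRP packet")
    if inet_checksum(pkt) != 0:            # a valid packet checksums to zero
        raise ValueError("bad VRRP checksum")
    ips = [".".join(str(b) for b in pkt[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return Advertisement(vrid, prio, interval, ips)


@dataclass
class VrrpRouter:
    """One VRRP router. 'priority' and 'preempt' correspond to the TiFRONT
    commands of the same name; adver_int is the master's interval in seconds."""
    vrid: int
    priority: int
    preempt: bool = True
    adver_int: int = 1
    state: str = "backup"
    last_adv_time: float = 0.0

    def master_down_interval(self) -> float:
        # RFC 3768: Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time
        return 3 * self.adver_int + (256 - self.priority) / 256

    def on_advertisement(self, pkt: bytes, now: float) -> str:
        """Process one received advertisement and return the resulting state."""
        adv = parse_advertisement(pkt)
        if adv.vrid != self.vrid:
            return self.state                  # another group: ignore
        if self.state == "master":
            if adv.priority > self.priority:
                self.state = "backup"          # a higher-priority master is alive: step down
                self.last_adv_time = now
            return self.state
        self.adver_int = adv.adver_int
        self.last_adv_time = now
        if self.preempt and adv.priority < self.priority:
            self.state = "master"              # preempt true: the higher priority takes over
        return self.state

    def on_timer(self, now: float) -> str:
        """Called periodically; a backup that hears nothing from the master for
        Master_Down_Interval assumes the master is down and becomes master."""
        if self.state == "backup" and now - self.last_adv_time > self.master_down_interval():
            self.state = "master"
        return self.state


if __name__ == "__main__":
    adv = build_advertisement(vrid=1, priority=100, adver_int=1, virtual_ips=["10.1.1.1"])
    no_preempt = VrrpRouter(vrid=1, priority=200, preempt=False)
    print(no_preempt.on_advertisement(adv, now=0.0))   # backup: waits for the master to fail
    print(no_preempt.on_timer(now=4.0))                # master: 3 s + skew time elapsed
```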

VRRP Setting
This section describes the procedure for setting the VRRP in TiFRONT.

VRRP Setting Items


To configure failover in TiFRONT, you must first create a VRRP group and set the following items in the VRRP
group.

Virtual IP Address

Priority

Advertisement Period

Preempt Function

Creating VRRP Group


To create a VRRP group, run the following commands in <Configuration Mode>.
Command                           Description
router vrrp <1-255> <IFNAME>      Create a VRRP group and enter the <VRRP configuration mode>.
                                  <1-255>: VRRP group ID. Setting range: 1 ~ 255
                                  <IFNAME>: VLAN interface to belong to a virtual switch.

Note: To delete a VRRP group, run the command no router vrrp <1-255> <IFNAME> in <Configuration Mode>.

Virtual IP Address Setting


To set a virtual IP address of a VRRP group, run the following command in <VRRP Configuration Mode>.
Command                           Description
virtual-ip <A.B.C.D>              Set a virtual IP address.
                                  <A.B.C.D>: Virtual IP address of a VRRP group

Note: To delete a virtual IP address, run the command no virtual-ip in <VRRP Configuration Mode>.


Priority Setting
To set a priority, run the following command in <VRRP Configuration Mode>.
Command                           Description
priority <1-254>                  Set a priority. A higher value has a higher priority.
                                  <1-254>: Setting range: 1 ~ 254. (Default value: 100)

Note: To change the priority to the default value, run the command no priority in <VRRP Configuration Mode>.

Advertisement Transmission Period Setting


To set the period at which the master router sends advertisements to the other routers in a VRRP group, run
the following command in <VRRP Configuration Mode>.
Command                           Description
advertisement-interval <1-10>     Set the advertisement transmission period.
                                  <1-10>: Setting range: 1 ~ 10. (Default: 1 sec)

Note: To change the advertisement transmission period to the default value, run the command no advertisement-interval in <VRRP
Configuration Mode>.

Preempt Function Setting


The preempt function elects a backup router as the master router when the priority of the backup router in a
VRRP group is higher than that of the master router. A backup router for which the preempt function is
disabled is not elected as master router even if its priority is higher than that of the master router; it is
elected as master router only when the master router is down.
To set the preempt function, run the following command in <VRRP Configuration Mode>.
Command                           Description
preempt {false | true}            Set the preempt function of the switch. The preempt function is enabled by default.
                                  false: Disable the preempt function
                                  true: Enable the preempt function

Checking VRRP Settings


To check the current VRRP group setting, run the command show vrrp [<1-255> <IFNAME>] in <User Mode> or
<Privileged Mode>.


Configuration Example
The following is an example of VRRP group setting.

(config)# router vrrp 10 vlan2                  Create a VRRP group and specify a VLAN interface
(config-router)# virtual-ip 192.168.200.10      Set a virtual IP address
(config-router)# priority 200                   Set a priority
(config-router)# advertisement-interval 2       Set the advertisement transmission period
(config-router)# preempt-mode false             Disable the preempt function
(config-router)# exit
(config)# exit
# show router vrrp                              Show the VRRP settings.
Address family IPv4
VRRP Id: 10 on interface: vlan2
State: AdminUp - Init (interface is down or not running)
Virtual IP address: 192.168.200.10
Priority is 200
Advertisement interval: 2 sec
Preempt mode: FALSE
Multicast membership on IPv4 interface vlan2: LEFT


Chapter 11
QoS Configuration
This chapter describes the QoS (Quality of Service) feature of TiFRONT and the procedure for setting QoS for
TiFRONT.
This chapter is composed of the following sections.
Understanding QoS
QoS Configuration


Understanding QoS
Overview
TiFRONT supports the QoS (Quality of Service) feature, which allows you to set different bandwidths by type of
traffic. With QoS in TiFRONT, you can limit the bandwidth of specific traffic or ports to a specified value.
If QoS is not used, TiFRONT sends traffic in the order it was received. In other words, the traffic that arrived
first is sent first. If the bandwidth is insufficient, traffic that arrives later waits until there is enough
bandwidth, and when bandwidth becomes available, the packet that has waited longest is sent. However, the
following problems may occur if traffic is sent in the order it was received:

Important traffic may be sent later or not sent at all because the characteristics of traffic are not
considered.

Because the bandwidth of specific traffic cannot be restricted, when the bandwidth is fully occupied by
specific traffic, other traffic cannot be sent at all.

These problems can be solved by the QoS feature. To prevent using too much bandwidth on specific traffic,
you have to classify the traffic by such conditions as source/destination IP addresses, source/destination
MAC addresses, source/destination port numbers, DSCP, Ethernet type, protocol, interface, and assign the
maximum bandwidth (peak rate) to this class.

Class
A class is used to check whether packets satisfy specific conditions. Therefore, a class consists of various
conditions against which packets are compared. You can use the following conditions in a class. Of the
following eleven items, select only those that you need and use them as the class conditions.

Item                          Description
Source IP address             Packets are classified by source IP address or IP address range.
Source MAC address            Packets are classified by source MAC address.
Source port number            Packets are classified by source port number.
Destination IP address        Packets are classified by destination IP address or IP address range.
Destination MAC address       Packets are classified by destination MAC address.
Destination port number       Packets are classified by destination port number.
DSCP                          Packets are classified by the DSCP (Differentiated Services Code Point) value in
                              the IP header.
Ethernet type                 Packets are classified by the Ethernet type.
Protocol                      Packets are classified by the IP protocol.
Received interface (port)     Packets are classified by the interface (port) on which they were received.
VLAN                          Packets are classified by the VLAN to which the packet belongs.


Policy
Policy is used to define the bandwidth policy to be applied to a specific class. A policy consists of a class, the
maximum bandwidth to be assigned to the traffic of that class, and a priority.

Item                     Description
Class                    The traffic condition for applying the policy. You can set multiple classes for one
                         policy, or a different class for each policy.
Priority                 The class priority. It is used when multiple classes are defined for one policy and
                         the remaining bandwidth is allocated after the minimum bandwidth has been allocated
                         to each class.
Maximum bandwidth        The maximum bandwidth that the traffic of a class can use. It restricts the
(peak rate)              transmission of the class's traffic to the specified bandwidth: even if there is
                         spare bandwidth because traffic is low, the traffic of the class can use only up to
                         the maximum bandwidth. If the transmitted traffic exceeds the maximum bandwidth of
                         the class, it is shaped through buffering so that it does not exceed the maximum
                         bandwidth. Traffic shaping is a transmission method that stores traffic exceeding
                         the specified bandwidth (maximum bandwidth) in a buffer and sends it when bandwidth
                         becomes available.

Queue Scheduling
The output ports have a defined method of deciding on which packet will be processed first when there are
more packets in the queue than can be transmitted. This is called queue scheduling. In TiFRONT, you can use
the following methods of queue scheduling.
SPQ (Strict Priority Queuing)
A priority is set for each queue, and after all the packets in a queue of a higher priority are processed, the
packets of a queue of the next priority are processed.
RR (Round Robin)
Queues are selected sequentially.
WRR (Weighted Round Robin)
The amount of data to be processed is set differently for each queue using weights, and the queues are
served sequentially, each for its specified weight.
DRR (Deficit Round Robin)
A quantum (the size of the largest packet that can be processed) and a deficit counter are defined for each
queue, and packets from the queue are processed up to the size of the deficit counter. The deficit counter
starts at zero and is increased by the quantum value at the moment the queue is serviced. After packets are
processed, the deficit counter decreases by the size of the processed packets.
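A simulation of the DRR scheduling described above, written in Python as an added example that is not from the TiFRONT guide. The quanta and packet sizes are constructed sample values; the rule that a queue which drains completely keeps no leftover credit is standard DRR rather than a statement of this page.

```python
"""Added example: a simulation of Deficit Round Robin as described above.
Not TiFRONT code; quanta and packet sizes are constructed sample values."""
from collections import deque
from typing import Deque, Dict, List, Tuple


class DrrScheduler:
    """Each queue has a quantum (bytes of credit added per visit) and a deficit
    counter that starts at zero. A packet is sent only when its size fits in
    the deficit counter, which then decreases by the bytes sent."""

    def __init__(self, quanta: Dict[int, int]):
        self.quanta = quanta                                    # queue -> quantum (bytes)
        self.deficit: Dict[int, int] = {q: 0 for q in quanta}   # zero by default
        self.queues: Dict[int, Deque[int]] = {q: deque() for q in quanta}

    def enqueue(self, queue: int, size: int) -> None:
        self.queues[queue].append(size)

    def service_round(self) -> List[Tuple[int, int]]:
        """Visit each queue once in order; return (queue, size) in send order."""
        sent: List[Tuple[int, int]] = []
        for q in sorted(self.queues):
            pkts = self.queues[q]
            if not pkts:
                continue                           # an empty queue earns no credit
            self.deficit[q] += self.quanta[q]      # credit the quantum on service
            while pkts and pkts[0] <= self.deficit[q]:
                size = pkts.popleft()
                self.deficit[q] -= size
                sent.append((q, size))
            if not pkts:
                self.deficit[q] = 0                # standard DRR: a drained queue keeps no credit
        return sent

    def run(self, max_rounds: int = 1000) -> List[Tuple[int, int]]:
        """Service rounds until every queue is empty; return the full send order."""
        order: List[Tuple[int, int]] = []
        for _ in range(max_rounds):
            if not any(self.queues.values()):
                break
            order.extend(self.service_round())
        return order


def bytes_per_queue(order: List[Tuple[int, int]]) -> Dict[int, int]:
    """Total bytes sent per queue, to compare against the quantum ratio."""
    totals: Dict[int, int] = {}
    for q, size in order:
        totals[q] = totals.get(q, 0) + size
    return totals


if __name__ == "__main__":
    # Constructed load: queue 0 has a large quantum, queues 1 and 2 small ones;
    # queue 2 holds a packet larger than its quantum and must wait for credit.
    sched = DrrScheduler({0: 1500, 1: 500, 2: 500})
    for size in (1500, 1500):
        sched.enqueue(0, size)
    for size in (300, 300, 300):
        sched.enqueue(1, size)
    sched.enqueue(2, 1200)
    print(sched.run())
```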


Bandwidth Limit (Rate Limit)


TiFRONT can limit the bandwidth that can be used in a specific traffic flow. You can restrict only the
bandwidth of traffic that belongs to a specific class or the bandwidth of all ports.

QoS Configuration
In TiFRONT, you can set QoS by using a class map (classifier) for packet classification and policy map (QoS
action) to be applied to the classified packets. The QoS configuration process in TiFRONT includes the
following steps:
1. Set a class map
The packets received by TiFRONT are classified into specific classes using the criteria defined in each class. The
information in the packet is compared with the criteria defined in the class, and if they match, the packet is
classified as a packet of that class.
2. Set a policy map
The QoS action to be applied to the packet classified into a specific traffic class through the class map is defined.
3. Apply the policy map (service map)
Specify the policy map to be applied to TiFRONT among the defined policy maps.
4. Send traffic by applying the QoS policy
Send the packets of each class according to the defined policy (bandwidth allocation method).

The class is used when classifying the received traffic and the policy is used when sending the traffic.
The QoS class is added to the QoS policy and the policy is applied to the class. Furthermore, the QoS policy is
included in the QoS interface and applied to the traffic sent through the interface.

Class Map Setting


The class map defines the criteria for differentiating specific kinds of traffic. When you create a class map,
TiFRONT checks if the packets of the inbound interface belong to the class according to the classification
criteria defined in the class map. If the packets are classified into a class, the QoS action defined in the policy
map to which the class belongs is applied to the packets.
To create a class map and define the criteria for traffic classification in TiFRONT, run the following command
in <Configuration Mode>.
Command                                    Description
qos                                        Enter the <QoS configuration mode>.
class-map <WORD>                           Define a class map and enter the <Class map configuration mode>.
                                           <WORD>: Class map name
match <criterion>                          Define the criterion for classifying classes. The classification
                                           criteria that come after the match command are as follows:
  destination-ip-address <A.B.C.D/M>       Packets are classified by destination IP address (IPv4).
  destination-ipv6-address <X:X::X:X/M>    Packets are classified by destination IP address (IPv6).
  destination-mac-address <MAC>            Packets are classified by destination MAC address.
  dscp <0-63>                              Packets are classified by the DSCP value. (Setting range: 0 ~ 63)
  ethertype <HEX>                          Packets are classified by the Ethernet type field value.
  input-interface <IFNAME>                 Packets are classified by the input interface.
  ip-destination-port <0-65535>            Packets are classified by the destination port number.
                                           (Setting range: 0 ~ 65535)
  ip-protocol <0-255>                      Packets are classified by the protocol. (Setting range: 0 ~ 255)
  ip-source-port <0-65535>                 Packets are classified by source port number.
                                           (Setting range: 0 ~ 65535)
  source-ip-address <A.B.C.D/M>            Packets are classified by source IP address (IPv4).
  source-ipv6-address <X:X::X:X/M>         Packets are classified by source IP address (IPv6).
  source-mac-address <MAC>                 Packets are classified by source MAC address.
  vlan-id <1-4094>                         Packets are classified by the VLAN ID to which they belong.
                                           (Setting range: 1 ~ 4094)

Note: To delete a class map, run the command no class-map <WORD> in <QoS Configuration Mode>.

Note: To delete the classification criterion for classes, run the command no match with the classification criterion in <QoS Configuration Mode>.

Policy Map Setting


The policy map defines the policy (QoS action) to be applied to traffic classified through a class map. The QoS
action to be applied to the packet classified into a specific traffic class is defined in the policy map. A policy
map can include multiple classes having different classification criteria and QoS actions to be applied to the
classes. Furthermore, you can add multiple QoS actions to a policy map so that they can be applied to one
class.
To define a policy map, specify a class map to which to apply the policy, and configure QoS actions for the
class, run the following commands in <Configuration Mode>.
Command                                    Description
qos                                        Enter the <QoS configuration mode>.
policy-map <WORD>                          Define a policy map and enter the <Policy map configuration mode>.
                                           <WORD>: Policy map name
class <WORD> [<1-12>]                      Specify a class map to which to apply a policy and enter the
                                           <Policy-map-class configuration mode>.
                                           <WORD>: Class map name to which to apply the policy
                                           <1-12>: Priority of the class map. Setting range: 1 ~ 12
confirm-action {deny | drop-precedence |   Set the QoS action to apply to the defined class map.
  insert-dscp <0-63> |                     deny: Block the classified packet.
  insert-priority <0-7> |                  drop-precedence: Block the classified packet before others.
  insert-top <0-7> | permit |              insert-dscp <0-63>: Insert a DSCP value in the classified packet.
  priority-to-tos | tos-to-priority}         (Setting range: 0 ~ 63)
                                           insert-priority <0-7>: Set a priority for the classified packet.
                                             (Setting range: 0 ~ 7)
                                           insert-top <0-7>: Insert a Top value in the classified packet.
                                             (Setting range: 0 ~ 7)
                                           permit: Permit the classified packet.
                                           priority-to-tos: Use the ToS value as the priority of the classified packet.
                                           tos-to-priority: Use the ToS value of the classified packet as the priority.
                                           Caution: For TiFRONT-G48/G48P, you cannot set the QoS action to
                                           insert-top, priority-to-tos, or tos-to-priority.
rate-limit <1-1000000> <1-16000>           Limit the bandwidth of traffic that belongs to a specific class.
                                           <1-1000000>: Maximum bandwidth to be guaranteed for the traffic of
                                             the class. Setting range: 1 ~ 1,000,000 (unit: kbps)
                                           <1-16000>: Maximum burst that can be used by the traffic of the
                                             class. Setting range: 1 ~ 16,000 (unit: kbps)

Note: To delete a policy map, run the command no policy-map <WORD> in <QoS Configuration Mode>.

Note: To delete a QoS action, run the command no confirm-action with the QoS action in <Policy-map-class Configuration Mode>.

Note: To delete a bandwidth limit setting, run the command no rate-limit in <Policy-map-class Configuration Mode>.

Service Policy Setting


The service policy specifies which policy map to actually apply among the policy maps that have been defined.
To define a class map and a policy map is a process of making rules for QoS and to define a service policy is
a process of selecting which rules to use for which port. To set a service policy in TiFRONT, run the following
command in <QoS Configuration Mode>.
Command                                    Description
service-policy <PNAME>                     Apply a service policy to TiFRONT.

Note: In TiFRONT, you can apply only one policy map as service policy.

Note: To delete a service policy that has been defined, run the command no service-policy in <QoS Configuration Mode>.
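A software model of the four-step process described above (class map, policy map, service policy, then sending traffic under the policy), written in Python as an added example that is not TiFRONT code. The class names mirror the guide's testmap-c / testmap-p example, the rate-limit action is modelled as a token-bucket policer that drops non-conforming packets (a shaper would queue them instead), the rule that a lower class precedence value is evaluated first is an assumption, and the deny class for TCP port 23 and all packets are constructed for illustration.

```python
"""Added example: a software model of TiFRONT's class map -> policy map ->
service policy chain, with rate-limit modelled as a token-bucket policer.
Not TiFRONT code; class names and packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    time: float                      # arrival time in seconds
    size: int                        # bytes
    vlan_id: int
    dscp: int
    protocol: int                    # IP protocol number, 6 = TCP
    src_ip: str
    dst_port: int
    priority: Optional[int] = None   # written by confirm-action insert-priority


@dataclass
class ClassMap:
    """Match criteria as given with 'match ...'; every configured criterion must hold."""
    name: str
    vlan_id: Optional[int] = None
    dscp: Optional[int] = None
    ip_protocol: Optional[int] = None
    source_ip_address: Optional[str] = None     # A.B.C.D/M
    ip_destination_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all([
            self.vlan_id is None or p.vlan_id == self.vlan_id,
            self.dscp is None or p.dscp == self.dscp,
            self.ip_protocol is None or p.protocol == self.ip_protocol,
            self.ip_destination_port is None or p.dst_port == self.ip_destination_port,
            self.source_ip_address is None
            or ipaddress.ip_address(p.src_ip)
            in ipaddress.ip_network(self.source_ip_address, strict=False),
        ])


class TokenBucket:
    """rate-limit <rate> <burst>: rate in kbps, burst in kbit (the page's units);
    the bucket holds bytes and refills continuously at the configured rate."""

    def __init__(self, rate_kbps: int, burst_kbit: int):
        self.rate = rate_kbps * 1000 / 8           # bytes per second
        self.capacity = burst_kbit * 1000 / 8      # bucket depth in bytes
        self.tokens = self.capacity
        self.last = 0.0

    def conforms(self, p: Packet) -> bool:
        self.tokens = min(self.capacity, self.tokens + (p.time - self.last) * self.rate)
        self.last = p.time
        if p.size <= self.tokens:
            self.tokens -= p.size
            return True
        return False                                # exceeds the limit: the policer drops it


@dataclass
class PolicyClass:
    """'class <WORD> [<1-12>]' with its confirm-action and rate-limit settings.
    Assumption: a lower precedence value is evaluated first."""
    cmap: ClassMap
    precedence: int
    action: str = "permit"           # permit | deny
    insert_priority: Optional[int] = None
    limiter: Optional[TokenBucket] = None


class ServicePolicy:
    """The one policy map applied with 'service-policy'."""

    def __init__(self, classes: List[PolicyClass]):
        self.classes = sorted(classes, key=lambda c: c.precedence)

    def apply(self, p: Packet) -> str:
        """Return 'deny:<class>', 'exceed:<class>' or 'permit:<class>'."""
        for cls in self.classes:
            if not cls.cmap.matches(p):
                continue
            if cls.action == "deny":
                return "deny:" + cls.cmap.name
            if cls.limiter is not None and not cls.limiter.conforms(p):
                return "exceed:" + cls.cmap.name
            if cls.insert_priority is not None:
                p.priority = cls.insert_priority
            return "permit:" + cls.cmap.name
        return "permit:default"                     # unclassified traffic is sent unchanged


def build_example_policy() -> ServicePolicy:
    """Mirrors the guide's example (testmap-c: VLAN 2 / TCP, insert-priority 1,
    rate-limit 10000 16000) plus a constructed deny class for TCP port 23."""
    return ServicePolicy([
        PolicyClass(ClassMap("block-telnet", ip_protocol=6, ip_destination_port=23),
                    precedence=1, action="deny"),
        PolicyClass(ClassMap("testmap-c", vlan_id=2, ip_protocol=6), precedence=6,
                    insert_priority=1, limiter=TokenBucket(10000, 16000)),
    ])
```

With a 16,000 kbit burst the bucket holds 2,000,000 bytes, so a burst of 1,500-byte packets at one instant passes 1,333 of them before the policer starts reporting exceed; one second later 1,250,000 bytes of credit (10,000 kbps) have been refilled.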

Queue Scheduling Method Setting


There are eight transmission queues for each output port of TiFRONT. To set a queue scheduling method in
TiFRONT, run the following command in <QoS Configuration Mode>.
Command                                             Description
service-queue output <IFNAME> schedule mode         Set the queue scheduling method to apply. If you select drr or
  {drr <0-15> | rr | spq | wrr <0-15>}              wrr, you must set the CoS value within the range of 0-15 for
                                                    each queue.

To set the transmission queue to be processed by the priority of the CoS field, run the following command in
<QoS Configuration Mode>.
Command                                             Description
service-queue input <IFNAME> cos-map                Set the queue processing method by the priority of the CoS field.
  {default | prio <0-7> | queue <0-7>}              <0-7> (prio): Priority of the CoS field. Setting range: 0~7
                                                    <0-7> (queue): Queue number. Setting range: 0~7
                                                    If you set this to default, the queue numbers that are assigned
                                                    by default by the priority of the CoS field are shown below.

Priority            Queue number

Bandwidth Limit Setting


To limit the bandwidth of the traffic received or sent through a port, run the following command in <QoS
Configuration Mode>.
Command                                             Description
service-queue output <IFNAME> rate-limit            Limit the bandwidth of the traffic that is sent through the
  {<1-1000000> <1-128000> | none}                   specified output port.
                                                    <1-1000000>: Maximum bandwidth to be guaranteed for the port.
                                                      Setting range: 1 ~ 1,000,000 (kbps)
                                                    <1-128000>: Maximum burst to be permitted for the port.
                                                      Setting range: 1 ~ 128,000 (kbps)
                                                    none: Bandwidth is not limited.

To set a bandwidth limit for the defined queue, run the following command in <QoS Configuration Mode>.
Command                                             Description
service-queue output <IFNAME> cos-rate-limit        Set a bandwidth limit for the defined queue.
  queue <0-7> {<1-1000000> <1-1000000> | none}      <0-7>: Queue number. Setting range: 0 ~ 7
                                                    <1-1000000>: Minimum bandwidth. Setting range: 1 ~ 1,000,000 (kbps)
                                                    <1-1000000>: Maximum bandwidth. Setting range: 1 ~ 1,000,000 (kbps)
                                                    none: Bandwidth is not limited.

Checking the Settings


Checking the QoS setting
To check the current QoS setting, run the command show qos install in <User Mode>, <Privileged
Mode>, or <QoS Configuration Mode>.

Checking the class map setting


To check the current class map, run the command show class-map in <User Mode>, <Privileged Mode>, or
<QoS Configuration Mode>. To check the detailed settings for a class map, run the command
show class-map [<WORD>].

Checking the policy map setting


To check the current policy map, run the command show policy-map in <User Mode>, <Privileged Mode>,
or <QoS Configuration Mode>. To check the detailed settings for a class policy, run the command show
policy-map [<WORD>].

Checking the service policy setting


To check the current service policy, run the command show service-policy in <User Mode>, <Privileged
Mode>, or <QoS Configuration Mode>.

Checking the queue scheduling setting


To check the current queue scheduling method, run the command show service-queue {input | output}
in <User Mode>, <Privileged Mode>, or <QoS Configuration Mode>. To check the detailed settings for an
interface, run the command show service-queue {input | output} [<IFNAME>].


Configuration Example
The following is an example of QoS setting.

(config)# qos                                                     Enter the <QoS configuration mode>.
(config-qos)# class-map testmap-c                                 Define a class map and enter the <Class map configuration mode>.
(config-qos-cmap)# match vlan-id 2                                Classify packets by VLAN ID
(config-qos-cmap)# exit
(config-qos)# policy-map testmap-p                                Define a policy map and enter the <Policy-map-class configuration mode>.
(config-qos-pmap)# class testmap-c                                Specify a class map to which to apply the policy
(config-qos-pmap-class)# confirm-action insert-priority 1         Set QoS action
(config-qos-pmap-class)# rate-limit 10000 16000                   Set a bandwidth limit
(config-qos-pmap-class)# exit
(config-qos-pmap)# exit
(config-qos)# service-policy testmap-p                            Apply the service policy
(config-qos)# service-queue out ge1 schedule mode rr              Set the scheduling method
(config-qos)# service-queue input ge1 cos-map default             Set the queue processing method
(config-qos)# service-queue output ge1 rate-limit 100000 128000   Set the bandwidth limit of the ge1 port
(config-qos)# service-queue output ge1 cos-rate-limit queue 0 10000 20000   Set the queue bandwidth limit
(config-qos)# show qos install                                    Show the QoS settings.
SERVICE POLICY : testmap-p
CLASS-MAP : testmap-c precedence 6
match :
vlan id : 2
protocol : 6
action :
commit info :
insert priority : 1
limit info :
rate limit
rate value: 10000
burst value: 16000
(config-qos)# show class-map                                      Show the class map setting
CLASS-MAP: testmap-c
vlan id : 2
protocol : 6
(config-qos)# show policy-map                                     Show the policy map setting
POLICY-MAP : testmap-p
CLASS-MAP : testmap-c precedence 6
commit info :
insert priority : 1
limit info :
rate limit
rate value: 10000
burst value: 16000
(config-qos)# show service-policy                                 Show the service policy setting
-----------------------------
SERVICE POLICY : testmap-p
------------------------------
(config-qos)# show service-queue output ge1                       Show the queue scheduling setting
Service Queue Egress Setting...
Interface: ge1
SCHEDULE MODE: ROUND-ROBIN
CoSq Rate Limit:
-----------------------------------------
CoS Q  | min-rate(kbps)  | max-rate(kbps)
-------+-----------------+---------------
   0   |     10048       |     20032
   1   |    no-limit     |    no-limit
   2   |    no-limit     |    no-limit
   3   |    no-limit     |    no-limit
   4   |    no-limit     |    no-limit
   5   |    no-limit     |    no-limit
   6   |    no-limit     |    no-limit
   7   |    no-limit     |    no-limit
-----------------------------------------
Egress Rate Limit:
Min-rate(kbps): 100032, Max-rate(kbps): 128024


Chapter 12
IGMP Snooping Configuration
This chapter describes the concept of IGMP Snooping and the procedure for setting IGMP Snooping.
This chapter is composed of the following sections:
IGMP Snooping Overview
IGMP Snooping Configuration


IGMP Snooping Overview


IGMP snooping lets a device learn the membership status of each multicast group by sending query messages
to every port on the local network, and relay report messages for each multicast group by referring to the
membership status it has learned, instead of broadcasting the IGMP query messages sent by a router. With
IGMP snooping, you can forward multicast packets based on the MAC information managed at each port and
prevent wasted bandwidth by avoiding the flooding of multicast traffic.

IGMP Snooping Configuration


The process of setting the IGMP snooping function in TiFRONT is described below.

Enabling IGMP Snooping


To enable the IGMP snooping function, run the following commands in <Configuration Mode>.
Command                                    Description
ip igmp snooping                           Enable IGMP snooping.

Note: To disable the IGMP snooping function, run the command no ip igmp snooping in <Configuration Mode>.

IGMP Snooping Version Setting


TiFRONT can specify the IGMP snooping version of each VLAN interface, and each VLAN interface sends
report messages only with the version specified for the multicast router.
To specify the IGMP snooping version, run the following commands in <Interface Configuration Mode>.
Command                                    Description
ip igmp version <1-3>                      Specify the IGMP snooping version of the VLAN interface.
                                           <1-3>: IGMP Snooping version. Setting range: 1 ~ 3. (Default value: 2)

Note: To change the IGMP snooping version set in the VLAN interface to the default value, run the command no ip igmp version in <Interface
Configuration Mode>.


IGMPv2 Snooping Configuration


The process of configuring the IGMPv2 snooping function in TiFRONT is described below.

IGMP Snooping Querier Setting


The IGMP Snooping Querier periodically sends membership query messages to connected hosts. Upon
receiving membership query messages from IGMP Snooping Querier, the hosts in the multicast group send a
response message. The IGMP Snooping Querier checks the response messages from the hosts and
determines whether each host belongs to the multicast group.
To enable the IGMP Snooping Querier, run the following command in <Interface Configuration Mode>.
Command                                    Description
ip igmp snooping querier                   Enable the IGMP Snooping Querier at the VLAN interface.

Note: To disable the IGMP Snooping Querier set in the VLAN interface, run the command no ip igmp snooping querier in <Interface
Configuration Mode>.

IGMP Snooping Query Transmission Period Setting


To set the membership query message transmission period from the IGMP Snooping Querier, run the
following command in <Interface Configuration Mode>.
Command                                    Description
ip igmp query-interval <1-18000>           Set the transmission period of the IGMP snooping membership query
                                           messages of the VLAN interface.
                                           <1-18000>: Setting range: 1 ~ 18000. (Default value: 125 sec)

Note: To change the membership query message transmission period set in the VLAN interface to the default value, run the command no ip
igmp query-interval in <Interface Configuration Mode>.

IGMP Snooping Query Response Time Limit Setting


To set the response time limit of the host to the membership query message, run the following command in
<Interface Configuration Mode>.
Command                                    Description
ip igmp query-max-response-time <1-240>    Set the response time limit of the host to the membership query message.
                                           <1-240>: Setting range: 1 ~ 240. (Default value: 10 sec)

Note: To change the response time limit of the host to the membership query message to the default value, run the command no ip igmp
query-max-response-time in <Interface Configuration Mode>.


IGMP Startup Query Transmission Period Setting


To set the transmission period of startup query messages sent by the IGMP Snooping Querier to get multicast
membership information, run the following command in <Interface Configuration Mode>.
Command                                    Description
ip igmp startup-query-interval <1-18000>   Set the transmission period of IGMP snooping startup query messages
                                           of the VLAN interface.
                                           <1-18000>: Setting range: 1 ~ 18000. (Default value: 31 sec)

Note: To change the startup query message transmission period set in the VLAN interface to the default value, run the command no ip igmp
startup-query-interval in <Interface Configuration Mode>.

IGMP Startup Query Transmission Count Setting


To set the startup query message transmission count, run the following command in <Interface
Configuration Mode>.
Command                                    Description
ip igmp startup-query-count <2-10>         Set the transmission count of IGMP snooping startup query messages
                                           of the VLAN interface.
                                           <2-10>: Setting range: 2 ~ 10. (Default value: 2)

Note: To change the startup query message transmission count set in the VLAN interface to the default value, run the command no ip igmp
startup-query-count in <Interface Configuration Mode>.

IGMP Robustness Variable Setting


The IGMP Robustness Variable is included in the query message sent by the IGMP Snooping Querier and is
used to prevent the loss of a host's response on an unstable network. A host that receives the query message
sends its response message to the IGMP Snooping Querier as many times as the value of the robustness
variable, and if any one of those response messages is received, the host is considered to have responded
normally. To set the robustness variable, run the following command in <Interface Configuration Mode>.
Command                                    Description
ip igmp robustness-variable <2-7>          Set a value for the robustness variable.
                                           <2-7>: Setting range: 2 ~ 10. (Default value: 2)

Note: To change the robustness variable set in the VLAN interface to the default value, run the command no ip igmp robustness-variable
in <Interface Configuration Mode>.

261
Chapter 12 IGMP Snooping Configuration

Transmission Period Setting for IGMP Snooping Last Member Query


When TiFRONT, with the IGMP snooping function enabled, receives a leave message (sent by a host when it leaves
a multicast group) from a host of the multicast group, it sends a group-specific query message to check whether
any members of the group remain. If no response to this message is received, TiFRONT determines that no host
remains in the multicast group and deletes the multicast group.
To set the group-specific query message transmission period, run the following command in <Interface
Configuration Mode>.
Command: ip igmp last-member-query-interval <1000-25500>
Description: Set the transmission period of query messages for checking if the last host in the VLAN interface has left.
  <1000-25500>  Setting range: 1000 ~ 25500. (Default value: 1000 ms)
Note: To change the group-specific query message transmission period set in the VLAN interface to the default value, run the command no ip
igmp last-member-query-interval in <Interface Configuration Mode>.

Transmission Count Setting for IGMP Snooping Last Member Query


To set the group-specific query message transmission count, run the following command in <Interface
Configuration Mode>.
Command: ip igmp last-member-query-count <2-7>
Description: Set the transmission count of query messages for checking if the last host in the VLAN interface has left.
  <2-7>  Setting range: 2 ~ 7. (Default value: 2)

Note: To change the transmission count of the group-specific query messages to the default, run the command no ip igmp last-member-query-count in <Interface Configuration Mode>.

IGMP Fast-Leave Setting


The IGMP Fast-Leave function immediately deletes a host from the multicast group with no separate
verification process when the IGMPv2 leave message is received.
To set the IGMP fast-leave function in a VLAN interface of TiFRONT, run the following command in <Interface
Configuration Mode>.
Command: ip igmp snooping fast-leave
Description: Set the IGMP Fast-Leave function at the VLAN interface.

Note: To cancel the IGMP fast-leave function, run the command no ip igmp snooping fast-leave in <Interface Configuration Mode>.


Multicast Router Port Setting


When IGMP Snooping is enabled in TiFRONT, IGMP query messages are sent to the connected hosts to
investigate the state of the members of the multicast group. According to the rules of IGMP, when there are
two or more IGMP Queriers in one LAN, the one with the smaller IP address acts as the IGMP Querier. If there
are two or more multicast routers in one LAN, they receive the same multicast traffic from the outside and
forward it to the inside of the LAN. Thus, the same data are received by the two routers.
However, if the IP address of the TiFRONT system that provides IGMP snooping is smaller than the IP address of
the multicast router, the multicast router that receives the IGMP query message from TiFRONT may recognize
TiFRONT as a multicast router and stop acting as the IGMP Querier. When this happens, the multicast traffic
sent from the outside is no longer forwarded to the LAN by the multicast router. Therefore, TiFRONT must be
prevented from sending IGMP query messages through the port connected to a multicast router. To do this, set
the port connected with the multicast router as a multicast router port.
Caution: When TiFRONT sends IGMP query messages to a multicast router, it is possible that the multicast router will not work normally.

To directly set a multicast router port in TiFRONT, run the following command in <Interface Configuration
Mode>.
Command: ip igmp snooping mrouter interface <IFNAME>
Description: Set a multicast router port in a VLAN interface.

Note: To delete the multicast router port set in the VLAN interface, run the command no ip igmp snooping mrouter interface
<IFNAME> in <Interface Configuration Mode>.

IGMP Multicast Filter Setting


The IGMP multicast filter sets whether or not to send multicast traffic depending on the multicast group
membership. To set the IGMP multicast filter function, run the following command in <Configuration Mode>.
Command: multicast-filter mode {multicast-flood-all | multicast-flood-none | multicast-flood-unknown} vlan <1-4094>
Description: Set the IGMP multicast filter function.
  multicast-flood-all      Send multicast traffic to every port regardless of multicast group membership.
  multicast-flood-none     Send multicast traffic only to the port that has a host that has joined a multicast group,
                           and do not send multicast traffic if there is no such host.
  multicast-flood-unknown  Send multicast traffic only to the port that has a host that has joined a multicast group,
                           and send multicast traffic to every port if there is no such host (default).
  <1-4094>                 Setting range: 1 ~ 4094


IGMP Snooping Proxy Setting


The IGMP Snooping Proxy allows TiFRONT to send and receive IGMP messages to/from multicast routers
instead of the multicast group.
To set the IGMP snooping proxy function, run the following command in <Configuration Mode>.
Command: ip igmp snooping proxy
Description: Enable IGMP snooping proxy.

Note: To disable the IGMP snooping proxy, run the command no ip igmp snooping proxy in <Configuration Mode>.

Checking IGMP snooping settings


To check the settings for IGMP snooping, run the following command in <User Mode> or <Privileged Mode>.
Command: show ip igmp interface [<IFNAME>]
Description: Check the IGMP snooping settings.

Command: show ip igmp groups [<IFNAME> | <A.B.C.D>] [detail]
Description: Check the IGMP snooping membership group information.

Command: show ip igmp snooping mrouter [<IFNAME>]
Description: Check the multicast router port setting.

Configuration Example
In the following example, IGMP snooping is set and the settings are queried.
(config)# vlan 2 name v1                                      Create a VLAN to set IGMP snooping for.
(config)# interface ge1
(config-if-ge1)# switchport access vlan 2
(config-if-ge1)# exit
(config)# interface ge2
(config-if-ge2)# switchport access vlan 2
(config-if-ge2)# exit
(config)# ip igmp snooping                                    Enable IGMP Snooping
(config)# interface vlan2
(config-if-vlan2)# ip igmp snooping querier                   Enable Querier
(config-if-vlan2)# ip igmp query-interval 300                 Set the query transmission period
(config-if-vlan2)# ip igmp query-max-response-time 20         Set query response time limit
(config-if-vlan2)# ip igmp startup-query-interval 60          Set the startup query transmission period
(config-if-vlan2)# ip igmp startup-query-count 3              Set the startup query transmission count
(config-if-vlan2)# ip igmp robustness-variable 3              Set the robustness variable
(config-if-vlan2)# ip igmp last-member-query-interval 2000    Set the transmission period for last member query
(config-if-vlan2)# ip igmp last-member-query-count 3          Set the transmission count for last member query
(config-if-vlan2)# ip igmp snooping fast-leave                Set the Fast-Leave function
(config-if-vlan2)# ip igmp snooping mrouter interface ge1     Set the multicast router port
(config-if-vlan2)# end
# show ip igmp interface vlan 2                               Show the IGMP snooping settings
Interface vlan2 (Index 35)
IGMP Enabled, Inactive, Version 2 (default)
IGMP interface has 0 group-record states
IGMP activity: 0 joins, 0 leaves
IGMP query interval is 300 seconds
IGMP Startup query interval is 60 seconds
IGMP Startup query count is 3
IGMP querier timeout is 910 seconds
IGMP max query response time is 20 seconds
Group Membership interval is 920 seconds
IGMP Last member query count is 3
Last member query response interval is 2000 milliseconds
IGMP Snooping is globally enabled
IGMP Snooping fast-leave is enabled
IGMP Snooping querier is enabled
IGMP Snooping report suppression is enabled
# show ip igmp snooping mrouter interface vlan2               Show multicast router port setting
VLAN  Interface
1     ge1
# show ip igmp group vlan2                                    Show the IGMP snooping membership group information.
IGMP Connected Group Membership
Group Address  Interface  Uptime    Expires   Last Reporter
239.0.0.1      vlan2      00:01:30  00:02:58  10.10.10.9
239.0.0.2      vlan2      00:01:30  00:02:58  10.10.10.9
239.0.0.3      vlan2      00:01:30  00:02:58  10.10.10.9
239.0.0.4      vlan2      00:01:30  00:02:58  10.10.10.9
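The querier timeout (910 s) and group membership interval (920 s) shown above are not configured directly; they follow from the query interval, the maximum response time and the robustness variable. The added Python script below (not part of the guide) derives them with the RFC 2236 formulas and checks them against a constructed excerpt of the show output, which is a quick way to confirm how long a segment runs without a querier, or keeps a stale group entry, after a host or the upstream querier goes quiet.

```python
"""Derive the IGMP timers that 'show ip igmp interface' reports from the values
configured on vlan2 in the example above, and check the two agree.

Added example, not part of the TiFRONT guide. The formulas are the ones RFC 2236
(IGMPv2, section 8) defines; the show output below is a constructed excerpt of the
guide's example so that the script runs offline.
"""
import re

# Values configured on vlan2 in the guide's example (seconds unless noted).
CONFIG = {
    "query_interval": 300,
    "max_response_time": 20,
    "robustness": 3,
    "startup_query_interval": 60,
    "startup_query_count": 3,
    "last_member_query_count": 3,
    "last_member_query_interval_ms": 2000,
}

# Constructed excerpt of the guide's "show ip igmp interface vlan 2" output.
SHOW_OUTPUT = """\
Interface vlan2 (Index 35)
IGMP Enabled, Inactive, Version 2 (default)
IGMP query interval is 300 seconds
IGMP Startup query interval is 60 seconds
IGMP Startup query count is 3
IGMP querier timeout is 910 seconds
IGMP max query response time is 20 seconds
Group Membership interval is 920 seconds
IGMP Last member query count is 3
Last member query response interval is 2000 milliseconds
"""

PATTERNS = {
    "query_interval": r"IGMP query interval is (\d+) seconds",
    "max_response_time": r"IGMP max query response time is (\d+) seconds",
    "querier_timeout": r"IGMP querier timeout is (\d+) seconds",
    "group_membership_interval": r"Group Membership interval is (\d+) seconds",
    "startup_query_interval": r"Startup query interval is (\d+) seconds",
    "startup_query_count": r"Startup query count is (\d+)",
    "last_member_query_count": r"Last member query count is (\d+)",
    "last_member_query_interval_ms": r"Last member query response interval is (\d+) milliseconds",
}


def derived_timers(query_interval, max_response_time, robustness):
    """The two reported timers that depend on the robustness variable (RFC 2236 s.8)."""
    return {
        # Other Querier Present Interval: a non-querier waits this long before it
        # takes over as querier. Integer division keeps whole seconds.
        "querier_timeout": robustness * query_interval + max_response_time // 2,
        # Group Membership Interval: a group entry survives this long after its last report.
        "group_membership_interval": robustness * query_interval + max_response_time,
    }


def parse_show_output(text):
    """Pull the numeric timers out of the 'show ip igmp interface' text."""
    found = {}
    for key, pattern in PATTERNS.items():
        match = re.search(pattern, text)
        if match:
            found[key] = int(match.group(1))
    return found


def check_consistency(config, show_text):
    """List (name, expected, reported) for every value the switch does not report as expected."""
    expected = {k: v for k, v in config.items() if k != "robustness"}  # robustness is not printed
    expected.update(derived_timers(config["query_interval"],
                                   config["max_response_time"], config["robustness"]))
    reported = parse_show_output(show_text)
    return [(k, v, reported.get(k)) for k, v in expected.items() if reported.get(k) != v]


if __name__ == "__main__":
    print(derived_timers(300, 20, 3))
    print("mismatches:", check_consistency(CONFIG, SHOW_OUTPUT))
```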


Chapter 13
Security Configuration
This chapter introduces the security features of TiFRONT and the procedures for using each security feature.
This chapter is composed of the following sections:
TiMatrix Setting
ACL (Access Control List)
System Access Control
Integrated Authentication
IP Management Setting
Web Alert Setting


TiMatrix Setting
TiMatrix is a security engine that has important security functions provided by TiFRONT.
The security functions of TiMatrix are as follows:

DoS/DDoS Blocking

Protocol Anomaly Blocking

Static Host Blocking

Each function and the procedure for setting them up are described below.

DoS/DDoS Blocking
DoS (Denial of Service) is an attack that tries to monopolize or destroy system resources so that other
processes of the system cannot provide services properly. In particular, DoS attacks spread through the
network, paralyzing networks and system services, thereby causing considerable inconvenience and
enormous damage to users. TiFRONT can block such DoS attacks and protect the internal network from them.

Note: DDoS (Distributed Denial of Service) is a DoS attack carried out simultaneously from multiple distributed attackers.

TiFRONT blocks the following DoS attacks.


Attack Type / Description

SYN flooding
  Sends large volumes of SYN data for TCP connections to a target system to paralyze the services and
  systems that receive the connection requests.
UDP flooding
  Sends large volumes of UDP packets with forged source IPs or MAC addresses to a target system to
  paralyze the network.
ICMP unreachable flooding
  Broadcasts unreachable ICMP packets to exhaust the network resources.
ICMP echo request flooding
  Continuously sends ICMP echo request messages to prevent the target host from requesting other
  services. For example, if the maximum number of "ping target.com" messages are sent, the target host
  (target.com) has to continuously send responses to the ICMP requests, which prevents the host from
  sending other service requests and slows down the network speed.
MAC flooding
  This attack is usually targeted at network devices such as switches. It sends large volumes of packets
  with forged MAC addresses to saturate the MAC address table of the target system, thus preventing the
  system from providing normal services.
Port scanning
  The attacker's collection of information about the target is called a 'scan.' The attacker uses port
  scanning tools such as Nmap to collect information about the ports used by a specific host.
Host scanning
  Collects the IP and MAC addresses of hosts on a network through ICMPv6 Neighbor Discovery.
IP spoofing
  Intentionally changes the source IP addresses of packets to meaningless IP addresses or IP addresses of
  other hosts. This attack makes use of the vulnerability of a system that authenticates based on IP
  addresses. It bypasses the authentication process by using a system IP address that has been
  authenticated through the IP address authentication process. Furthermore, this has the effect of
  concealing the attacker's IP address.
ARP spoofing
  The attacker sends a fabricated ARP reply or ARP request to the target host on the same network to
  change the ARP cache. If this attack is successful, all packets are sent to the device set by the
  attacker, resulting in disabled communication or the communication of unwanted information.
NS/NA spoofing
  This is similar to ARP spoofing. This attack manipulates the NDP (Neighbor Discovery Protocol) packets
  used in the IPv6 network to disable communication or snatch traffic.
IGMP DoS
  Sends large volumes of abnormal IGMP packets to prevent the target from handling the packets and
  providing normal services.
MLD DoS
  This is similar to IGMP DoS. This attack sends large volumes of MLD packets used in IPv6 networks to
  prevent the target from handling the packets and providing normal services.
DAD
  This attack interferes with duplicate IP address checks when a new host is connected to the IPv6
  network, to prevent it from connecting to the network.

Setting the DoS/DDoS Blocking Function


You can set the DoS/DDoS blocking function in <TiMatrix Configuration Mode>. You can enter the <TiMatrix
Configuration Mode> as follows:
(config)# timatrix
(config-timatrix)#

To set the DoS/DDoS blocking function, perform the following steps in <TiMatrix Configuration Mode>.
No. 1
Command: dos-ddos [detect | block]
Description: Enable the DoS/DDoS blocking function. If you omit the mode, the block mode will be set.
  detect  Packets are not blocked and only logs are recorded.
  block   Packets are blocked and logs are recorded.
  Note: To disable the DoS/DDoS blocking function, run the command no dos-ddos in <TiMatrix Configuration Mode>.

No. 2
Command: arp-spoof [detect | block]
Description: Enable the ARP spoofing blocking function. If you omit the mode, the block mode will be set.
  You must enable the ARP spoofing blocking function separately from the DoS/DDoS blocking function.
  detect  Packets are not blocked and only logs are recorded.
  block   Packets are blocked and logs are recorded.
  Note: To disable the ARP spoofing blocking function, run the command no arp-spoof in <TiMatrix Configuration Mode>.

No. 3
Command: mac-flooding
Description: Enable the MAC flooding blocking function. You must enable the MAC flooding blocking function
  separately from the DoS/DDoS blocking function.
  Note: To disable the MAC flooding blocking function, run the command no mac-flooding in <TiMatrix Configuration Mode>.

No. 4 (Optional)
Command: mac-flooding limit <WORD> <1-500>
Description: Set the number of MAC addresses that is the criterion for a MAC flooding attack. If the number of
  MAC addresses registered in the MAC address table of a port is greater than this number, the packets from
  unregistered MAC addresses are blocked.
  <WORD>   Enter the port name. To enter more than one port, separate the ports with "," and for continuous ports, use "-".
  <1-500>  Number of permitted MAC addresses. Setting range: 1 ~ 500. (Default value: 500)
  Note: To change the number of MAC addresses to the default value, run the command no mac-flooding limit <WORD>
  in <TiMatrix Configuration Mode>.

No. 5
Command: timatrix-ipv6
Description: Enable the IPv6 security function. You must enable the IPv6 security function with this command so
  as to enable the NS/NA spoofing blocking, DAD attack blocking, and host scan blocking functions. The IPv6
  security function is enabled by default.
  Note: To disable the IPv6 security function, run the command no timatrix-ipv6 in <TiMatrix Configuration Mode>.

No. 6
Command: neighbor-spoof [detect | block]
Description: Enable the NS/NA spoofing blocking function. If you omit the mode, the block mode will be set.
  You must enable NS/NA spoofing blocking separately from the DoS blocking function. The block mode is set by default.
  detect  Packets are not blocked and only logs are recorded.
  block   Packets are blocked and logs are recorded.
  Note: To disable the NS/NA spoofing blocking function, run the command no neighbor-spoof in <TiMatrix Configuration Mode>.

No. 7
Command: dad-attack [detect | block]
Description: Enable the DAD attack blocking function. If you omit the mode, the block mode will be set.
  You must enable the DAD attack blocking separately from the DoS blocking function. The block mode is set by default.
  detect  Packets are not blocked and only logs are recorded.
  block   Packets are blocked and logs are recorded.
  Note: To disable the DAD attack blocking function, run the command no dad-attack in <TiMatrix Configuration Mode>.

No. 8
Command: host-scan [detect | block]
Description: Enable the IPv6 host scan blocking function. If you omit the mode, the block mode will be set.
  You must enable host scan blocking separately from the DoS blocking function. The block mode is set by default.
  detect  Packets are not blocked and only logs are recorded.
  block   Packets are blocked and logs are recorded.
  Note: To disable the host scan blocking function, run the command no host-scan in <TiMatrix Configuration Mode>.

No. 9
Command: secure-port <WORD>
Description: Specify the secure port to which the security functions set in steps 1 to 8 are applied.
  <WORD>  Enter the port name. To enter more than one port, separate the ports with "," and for continuous ports, use "-".
  Note: To cancel the security port setting, run the command no secure-port <WORD> in <QoS Configuration Mode>.

No. 10 (Optional)
Command: uplink-port <WORD>
Description: Specify an uplink port connected to an external network.
  <WORD>  Enter the port name. To enter more than one port, separate the ports with "," and for continuous ports, use "-".
  Note: To cancel the uplink port setting, run the command no uplink-port <WORD> in <QoS Configuration Mode>.

Note: When you run the timatrix-all command in <TiMatrix Configuration Mode>, the DoS/DDoS blocking, ARP spoofing blocking, NS/NA
spoofing blocking, DAD attack blocking, and host scan blocking functions are set in block mode, and the MAC flooding blocking and the Protocol
Anomaly blocking functions are enabled.
Note: When you run the no timatrix-all command in <TiMatrix Configuration Mode>, the DoS/DDoS blocking, ARP spoofing blocking, NS/NA
spoofing blocking, DAD attack blocking, and host scan blocking functions are set in block mode, whereas the MAC flooding blocking and the Protocol
Anomaly blocking functions are disabled.
Note: The security functions of TiFRONT detect attacks at the access level by default, thus preventing the spread of the attack. When traffic
coming from external networks is inspected, the device performance may drop. Therefore, it is recommended to set the port connected to an
external network as the uplink port so that the DoS/DDoS blocking will not be applied.


Caution: If you set the MAC address count limit by using the mac-address limit command for a port, the MAC flooding blocking function does
not work at the port.

Permit List Setting


You can exclude packets from DoS/DDoS blocking inspections with the Permit List. You can set a Permit List
by protocol, source/destination IP addresses, source/destination port numbers, source/destination MAC
addresses, or ARP sender/target MAC addresses of the packets. These packets are passed regardless of the
DoS/DDoS blocking function.
To set a permit list, run the following command in <TiMatrix Configuration Mode>. In TiFRONT, you can set
up to 128 permit lists.
Command: permit-list ip {any | <A.B.C.D/M>} {any | <A.B.C.D/M>} {<0-255> | tcp | udp}
         {any | eq <1-65535> | range <1-65534> <2-65535>} {any | eq <1-65535> | range <1-65534> <2-65535>}
Description: Specify a permit list by the protocol, source/destination IPv4 addresses, and the
  source/destination port numbers of the packets.
  any | <A.B.C.D/M>                                Source IPv4 address and net mask bit of the packets
  any | <A.B.C.D/M>                                Destination IPv4 address and net mask bit of the packets
  <0-255> | tcp | udp                              Specify a protocol number or name.
  any | eq <1-65535> | range <1-65534> <2-65535>   Source port number or range of the packets
  any | eq <1-65535> | range <1-65534> <2-65535>   Destination port number or range of the packets

Command: permit-list ipv6 {any | <X:X::X:X/M>} {any | <X:X::X:X/M>} {<0-255> | tcp | udp}
         {any | eq <1-65535> | range <1-65534> <2-65535>} {any | eq <1-65535> | range <1-65534> <2-65535>}
Description: Specify a permit list by the protocol, source/destination IPv6 addresses, and the
  source/destination port numbers of the packets.
  any | <X:X::X:X/M>                               Source IPv6 address and net mask bit of the packets
  any | <X:X::X:X/M>                               Destination IPv6 address and net mask bit of the packets
  <0-255> | tcp | udp                              Specify a protocol number or name.
  any | eq <1-65535> | range <1-65534> <2-65535>   Source port number or range of the packets
  any | eq <1-65535> | range <1-65534> <2-65535>   Destination port number or range of the packets

Command: permit-list {any | <HHHH.HHHH.HHHH>} {any | <HHHH.HHHH.HHHH>}
Description: Specify a permit list by the source/destination MAC addresses of the packets regardless of the protocol.
  any | <HHHH.HHHH.HHHH>   Source MAC address of the packets. You can specify a range by using the wildcard
                           character (*) for the characters at the back.
  any | <HHHH.HHHH.HHHH>   Destination MAC address of the packets. You can specify a range by using the wildcard
                           character (*) for the characters at the back.

Command: permit-list arp {any | <HHHH.HHHH.HHHH>} {any | <HHHH.HHHH.HHHH>}
Description: Specify a permit list by the ARP sender/target MAC addresses.
  any | <HHHH.HHHH.HHHH>   MAC address of the ARP sender. You can specify a range by using the wildcard
                           character (*) for the characters at the back.
  any | <HHHH.HHHH.HHHH>   MAC address of the ARP target. You can specify a range by using the wildcard
                           character (*) for the characters at the back.

Note: To delete a permit list, run the command no permit-list {ip | ipv6 | tcp | udp} <OPTION> in <TiMatrix Configuration Mode>.

Note: For the packets in the permit list of TiMatrix, the ACL, IP management, QoS, DHCP server, and DHCP relay agent functions may not apply.
Therefore, you must set the rule by accurately specifying the protocol, source/destination IP addresses, and the source/destination port numbers
when specifying a permit list.

Checking the Settings


To check the DoS/DDoS blocking settings, run the command show timatrix in <User Mode>, <Privileged
Mode>, or <TiMatrix Configuration Mode>.

Showing Statistics
To check the statistics about the packets detected by the DoS/DDoS blocking function, run the command
show timatrix statistics in <User Mode>, <Privileged Mode>, or <TiMatrix Configuration Mode>.

Showing Filter Information


When attacks are detected, the DoS/DDoS blocking function automatically generates a filter to block attacks.
This filter is maintained for 100 sec. To check this filter, run the command show timatrix filter in <User
Mode>, <Privileged Mode>, or <TiMatrix Configuration Mode>.

Deleting Filters
To delete TiMatrix filters regardless of the hold time, run the following command in <TiMatrix Configuration
Mode>.
Command: clear timatrix-filter {<WORD> | all}
Description: Delete a TiMatrix filter.
  <WORD>  Filter ID to delete.
  all     Delete all TiMatrix filters.


Showing the MAC flooding blocking list


To check the hosts blocked by the MAC flooding blocking function, run the command show timatrix
mac-flooding-list <WORD> in <User Mode>, <Privileged Mode>, or <TiMatrix Configuration Mode>. Up to 100
MAC flooding blocking lists are displayed.

Configuration Example
The following example shows the settings of the DoS/DDoS blocking function and a permit list.

(config)# timatrix                                    Enter the <TiMatrix configuration mode>.
(config-timatrix)# dos-ddos block                     Enable the DoS/DDoS blocking function in block mode
(config-timatrix)# arp-spoof block                    Enable the ARP poisoning blocking function in block mode
(config-timatrix)# mac-flooding                       Enable the MAC flooding blocking function.
(config-timatrix)# secure-port ge1-10                 Specify the port to which the DoS/DDoS blocking function will be applied.
(config-timatrix)# uplink-port ge11,ge21
(config-timatrix)# permit-list tcp 192.168.201.231/24 192.168.202.232/24 eq 1850 eq 21    Set a permit list
(config-timatrix)# show timatrix                      Show the settings.
TiMatrix Information
-------------------------------------------------------
security-level : 3
Secure Port List
ge1, ge2, ge3, ge4, ge5, ge6, ge7, ge8,
ge9, ge10
Uplink Port List
ge11, ge21
Protocol Anomaly Detection : Disable
DoS/DDoS Detection         : Block mode
ARP-Spoof Detection        : Block mode
MAC-Flooding Detection     : Enable
Permit List
--------------------------------------------
#1
Ethertype      : ip
IP Protocol    : tcp
Src IP address : 192.168.201.231/24
Dst IP address : 192.168.202.232/24
Src port       : 1850
Dst port       : 21
--------------------------------------------
Static Host List
None
-------------------------------------------------------
(config-timatrix)# show timatrix statistics           Show the statistics
Protocol Anomaly
--------------------------------------------
TCP Fragments                 : 0
ICMP Fragments                : 0
Land                          : 0
Equal-ports, Invalid TCP Flag : 0
--------------------------------------------
Permit / DoS-DDoS / ARP-Spoof
-----------------------------------------------------
Permit       : 0 | IP Spoofing  : 0
Flooding     : 1 | DoS          : 0
Port Scan    : 0 | ARP Spoofing : 0
MAC Flooding : 0
-----------------------------------------------------
(config-timatrix)# show timatrix filter               Show the filter information.
TiMATRIX Filter Information
---------------------------------------------------------------------------
id | type      |port |proto  | src mac/ip        | dst ip          |time|action
---+-----------+-----+-------+-------------------+-----------------+----+-------
2  | flooding  |ge2  |arp    | 100.1.1.1         | any             |10  |block
---------------------------------------------------------------------------


Protocol Anomaly Blocking


Protocol Anomaly is an attack that generates abnormal traffic which violates the standard protocols such as
TCP, UDP, and ICMP. TiFRONT can block the following types of protocol anomaly attacks.
Attack Type / Description

Land
  When sending packets to a target host, the attacker sets both the source and destination IP addresses to
  the IP address of the target host. Upon receiving the packets, the target host continuously sends packets
  to itself, thus causing system overload.
Invalid TCP flag
  Abnormally manipulates the TCP flags such as SYN, FIN, URG, and PSH so as to cause an overload or
  malfunction because the target host cannot handle the abnormal TCP flags.
TCP fragments
  Divides TCP headers into small fragments to hide the destination port so as to bypass intrusion detection
  systems or packet filtering systems. Packet filtering systems and intrusion detection systems generally
  check port numbers to determine filtering, and they pass the first fragment that is too small to include
  the port number. After this, they pass the second fragment that actually includes the port number without
  inspecting it.
ICMP fragments
  Sends large ICMP packets over the length specified in the standard so as to cause system overload because
  the target host cannot handle the packets.
Smurf
  This attack uses the vulnerability of the ICMP protocol. When ICMP echo messages are broadcast to a
  network address with the destination IP address of the message disguised, all the hosts in the network
  that receive the broadcast message send response packets to the disguised source IP address, which
  paralyzes the target network and the hosts having the disguised source IP address.
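To make the five anomaly types above concrete, the added Python classifier below (not TiFRONT's code, and its flag rules and size limits are this script's own assumptions) checks constructed packets for each condition: same source and destination address, an illegal TCP flag combination, a first fragment too short to carry the TCP ports, a fragmented or over-sized ICMP datagram, and an echo request aimed at the segment's broadcast address. The "equal-ports" check is included because the statistics output groups it with Land.

```python
"""Classify packets against the protocol anomaly types that TiFRONT's proto-anomaly
blocking lists: Land, invalid TCP flag, TCP fragments, ICMP fragments and Smurf.

Added example, not the TiFRONT implementation: the flag rule set, the size limits
and every packet below are this script's own constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

MIN_TCP_HEADER = 20      # bytes a first fragment needs to carry the complete TCP header
MAX_IP_DATAGRAM = 65535  # largest reassembled datagram RFC 791 allows


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN", "ACK"}
    frag_offset: int = 0             # fragment offset in 8-byte units, as in the IP header
    more_fragments: bool = False
    payload_len: int = 0             # bytes following the IP header
    icmp_type: int = -1              # 8 = echo request


def invalid_tcp_flags(flags):
    """Assumed rule set: null scan, SYN with FIN or RST, and FIN/PSH/URG without ACK."""
    if not flags:
        return True
    if "SYN" in flags and flags & {"FIN", "RST"}:
        return True
    if "ACK" not in flags and flags & {"FIN", "PSH", "URG"}:
        return True
    return False


def classify(pkt, lan):
    """Return the anomaly names the packet matches; an empty list means clean."""
    hits = []
    if pkt.src == pkt.dst:
        hits.append("land")
    first_fragment = pkt.frag_offset == 0
    if pkt.proto in ("tcp", "udp") and first_fragment and pkt.sport and pkt.sport == pkt.dport:
        hits.append("equal-ports")  # counted together with Land in 'show timatrix statistics'
    if pkt.proto == "tcp":
        if first_fragment and not pkt.more_fragments and invalid_tcp_flags(pkt.flags):
            hits.append("invalid-tcp-flag")
        # RFC 1858 style checks: a first fragment too short to hold the TCP header,
        # or a fragment at offset 1 that would overwrite the port fields on reassembly.
        if (first_fragment and pkt.more_fragments and pkt.payload_len < MIN_TCP_HEADER) \
                or pkt.frag_offset == 1:
            hits.append("tcp-fragments")
    if pkt.proto == "icmp":
        if pkt.more_fragments or not first_fragment:
            hits.append("icmp-fragments")
        if pkt.frag_offset * 8 + pkt.payload_len > MAX_IP_DATAGRAM:
            hits.append("icmp-oversize")  # reassembled size exceeds the IP limit
        if pkt.icmp_type == 8 and ipaddress.ip_address(pkt.dst) == lan.broadcast_address:
            hits.append("smurf")          # echo request aimed at the directed broadcast
    return hits


LAN = ipaddress.ip_network("192.168.10.0/24")  # constructed: the segment being protected

# Constructed packets: one clean packet and one per anomaly type.
SAMPLES = {
    "clean": Packet("tcp", "192.168.10.5", "192.168.10.20", 40000, 443, frozenset({"SYN"})),
    "land": Packet("tcp", "192.168.10.20", "192.168.10.20", 139, 139, frozenset({"SYN"})),
    "xmas": Packet("tcp", "192.168.10.5", "192.168.10.20", 40001, 22, frozenset({"FIN", "PSH", "URG"})),
    "tiny": Packet("tcp", "192.168.10.5", "192.168.10.20", more_fragments=True, payload_len=8),
    "pod": Packet("icmp", "192.168.10.5", "192.168.10.20", frag_offset=8189, payload_len=1480, icmp_type=8),
    "smurf": Packet("icmp", "192.168.10.20", "192.168.10.255", icmp_type=8, payload_len=56),
}


def scan(samples, lan):
    """Classify every sample; the result is what a detect-mode log would record."""
    return {name: classify(pkt, lan) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hits in scan(SAMPLES, LAN).items():
        print(f"{name:6s} -> {hits or ['clean']}")
```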

Setting the Protocol Anomaly Blocking Function


You can set the Protocol Anomaly blocking function in <TiMatrix Configuration Mode>. You can enter the
<TiMatrix Configuration Mode> as follows:
(config)# timatrix
(config-timatrix)#

To enable the Protocol Anomaly blocking function, run the following command in <TiMatrix Configuration
Mode>.
Command: proto-anomaly
Description: Enable the protocol anomaly blocking function.

Note: To disable the protocol anomaly blocking function, run the command no proto-anomaly in <TiMatrix Configuration Mode>.

Note: When you run the timatrix-all command in <TiMatrix Configuration Mode>, the DoS/DDoS blocking and ARP spoofing blocking functions
are set in block mode, and the MAC flooding and the Protocol Anomaly blocking functions are enabled.
Note: When you run the no timatrix-all command in <TiMatrix Configuration Mode>, the DoS/DDoS, ARP spoofing, MAC flooding, and protocol
anomaly blocking functions are all disabled.


Checking the Settings


To check the Protocol Anomaly blocking settings, run the command show timatrix in <User Mode>,
<Privileged Mode>, or <TiMatrix Configuration Mode>.

Configuration Example
In the following example, the protocol anomaly blocking function is enabled.

(config)# timatrix                        Enter the <TiMatrix configuration mode>.
(config-timatrix)# proto-anomaly          Enable the Protocol Anomaly Blocking function.
(config-timatrix)# show timatrix          Show the settings.
TiMatrix Information
-------------------------------------------------------
security-level : 3
Secure Port List
None
Uplink Port List
None
Protocol Anomaly Detection : Enable
DoS/DDoS Detection         : Disable
ARP-Spoof Detection        : Disable
MAC-Flooding Detection     : Disable
Permit List
None
Static Host List
None
-------------------------------------------------------
(config-timatrix)# no proto-anomaly       Disable the Protocol Anomaly Blocking function.
(config-timatrix)# show timatrix          Show the settings.
TiMatrix Information
-------------------------------------------------------
security-level : 3
Secure Port List
None
Uplink Port List
None
Protocol Anomaly Detection : Disable
DoS/DDoS Detection         : Disable
ARP-Spoof Detection        : Disable
MAC-Flooding Detection     : Disable
Permit List
None
Static Host List
None
-------------------------------------------------------


Static Host Setting


A host that is set to receive an IP address that is always the same (fixed IP address) is called a static host. If
you set the IP and MAC addresses of a host using the static host feature, when a host having a different MAC
address sends ARP packets to the IP address, it is regarded as an ARP spoofing attack and is blocked.
To set a static host that receives a fixed IP address in TiFRONT, run the following command in <TiMatrix
Configuration Mode>.
Command: static-host <A.B.C.D> <MAC> [notice]
Description: Set a static host.
  notice  When an ARP spoofing attack is detected, the MAC address table of every host connected to the TiFRONT is updated.

Checking the Settings


To check the static host setting, run the command show timatrix in <User Mode>, <Privileged Mode>, or
<TiMatrix Configuration Mode>.

Security Level Setting


Security levels are five-step threshold values that are used as the criteria for detecting attacks by each
security function of TiMatrix. You can use security levels to adjust how aggressively the TiMatrix
security functions are applied. You can set a security level between 1 and 5. A higher level (smaller number)
means stronger application of TiMatrix's security functions.
To set a security level, run the following command in <TiMatrix Configuration Mode>.
Command: security-level <1-5>
Description: Set the level of TiMatrix's security function.
  <1-5>  Setting range: 1 ~ 5. (Default value: 3)

Checking the Settings


To check the security level setting, run the command show timatrix in <User Mode>, <Privileged Mode>,
or <TiMatrix Configuration Mode>.

Checking User IP Address


To check the IP address and MAC address of each host connected to TiFRONT, run the command show
timatrix iplist [<WORD>] in <User Mode>, <Privileged Mode>, or <TiMatrix Configuration Mode>. If
you enter the port name (<WORD>), only the information of the hosts connected to that port is displayed.
Note: To use this function, the ARP spoofing blocking function of TiMatrix must be enabled and the port must be specified as secure port.


ACL (Access Control List)


ACL filters packets by inspecting the source IP address, the destination IP address, the source port number,
the destination port number, and the protocol. ACL allows you to improve security by blocking
unauthorized network or user packets and intercepting unnecessary traffic, thus enhancing network
availability.
When packets are received through a port or VLAN for which ACL is enabled, they are sequentially compared
with the Access List. If there is a matching condition, the packet is permitted or denied. The sequence
(priority) of the rules in the Access List is very important because once a matching condition is found, no
more comparisons are performed.
When using multiple access lists, you can define an access group to easily manage access lists.

ACL Setting
Access List Setting
To set an access list, perform the following steps in <Configuration Mode>. In TiFRONT, you can define up to
1000 access lists for each ID type (number, string) (2000 in total), and up to 50 rules for one access list. To
set multiple access lists or set rules, repeat the following steps.

No. 1
Command: access-list {<1-1000> | <WORD>} [<1-1000>] {deny | permit} {<0-255> | any | tcp | udp} {<A.B.C.D/M> | <X:X::X:X/M> | any} {<A.B.C.D/M> | <X:X::X:X/M> | any} {any | eq <1-65535> | range <1-65534> <2-65535>} {any | eq <1-65535> | range <1-65534> <2-65535>}
Description: Add an access list.
    <1-1000> | <WORD>
        Set the access list ID with a number or string.
        Number setting range: 1 ~ 1000
        String setting range: 1-10 characters (combination of letters, numbers, and special characters)
    [<1-1000>]
        Priority of the rule. If this is omitted, the lowest priority will be set. Setting range: 1 ~ 1000
        If there are rules having the same priority, a newly added rule has that priority and the priority of
        the existing rules becomes one step lower. The lower the number, the higher the priority.
    deny | permit
        Specify the policy. deny: blocked, permit: allowed
    <0-255> | any | tcp | udp
        Specify a protocol by using a protocol number or name.
    <A.B.C.D/M> | <X:X::X:X/M> | any
        Source IP address of the packets. (both IPv4 and IPv6 are supported)
    <A.B.C.D/M> | <X:X::X:X/M> | any
        Destination IP address of the packets. (both IPv4 and IPv6 are supported)
    any | eq <1-65535> | range <1-65534> <2-65535>
        Source port number of the packets
    any | eq <1-65535> | range <1-65534> <2-65535>
        Destination port number of the packets
277
Chapter 13 Security Configuration

No. 2
Command: access-list {<1-1000> | <WORD>} interface <IFNAME>
Description: Specify the interface to which to apply the access list.
    <1-1000> | <WORD>
        Access list ID.
    <IFNAME>
        Port or VLAN name

Caution: When you apply an access list to an interface, a rule that blocks all packets except the ARP packets will be added as the last rule.

Note: To delete an access list, run the command no access-list {<1-1000> | <WORD>} in <Configuration Mode>. You cannot delete an
access list that has been applied to an interface and access group.
Note: To delete the rules of an access list, run the command no access-list {<1-1000> | <WORD>} [<1-1000>] { | {deny |
permit} {<0-255> | any | tcp | udp} {<A.B.C.D/M> | <X:X::X:X/M> | any} {<A.B.C.D/M> | <X:X::X:X/M> | any} {any
| eq <1-65535> | range <1-65534> <2-65535>} {any | eq <1-65535> | range <1-65534> <2-65535>} in <Configuration
Mode>. When you add or delete an access list, it is immediately applied to the access group and interface for which the access list has been
applied.
Note: To cancel an access list that has been applied to an interface, run the command no access-list interface <IFNAME> in
<Configuration Mode>.

Note: Only one access list or access group can be specified for one interface.

Note: If access lists are set for a port and the VLAN to which the port belongs, the access list set for the port will be applied first.

Checking the Access List Settings


To check the rules set in an access list, run the command show access-list [<1-1000> | <WORD>] in
<User Mode>, <Privileged Mode>, or <Configuration Mode>.

To check the access list information set in an interface, run the command show access-list interface in
<User Mode>, <Privileged Mode>, or <Configuration Mode>.

Access Group Setting

To set an access group, perform the following steps in <Configuration Mode>. You can define up to 100
access groups in TiFRONT, and you can repeat this process to set multiple access groups. In one access
group, you can set up to 10 access lists.

No. 1
Command: access-group <WORD> access-list [<1-1000> | <WORD>]
Description: Add an access group.
    <WORD>
        Specify the access group ID with a string.
        Setting range: 1-10 characters. (combination of letters, numbers, and special characters)
    <1-1000> | <WORD>
        ID of the access list to be included in the access group

No. 2
Command: access-group <WORD> interface <IFNAME>
Description: Specify the port to which to apply the access group.
    <WORD>
        Access group ID.
    <IFNAME>
        Port or VLAN name

Note: To delete an access group, run the command no access-group {<1-1000> | <WORD>} in <Configuration Mode>. You cannot delete an
access group that has been applied to an interface.

Note: To delete an access group rule, run the command no access-group <WORD> access-list {<1-1000> | <WORD>} in <Configuration
Mode>. When you add or delete an access list in an access group, it is immediately applied to the interface for which the access group has been
applied.

Note: To cancel an access group that has been applied to an interface, run the command no access-group interface <IFNAME> in
<Configuration Mode>.

Note: Only one access list or access group can be specified for one interface.

Note: If access groups are set for a port and the VLAN to which the port belongs, the access group set for the port will be applied first.

Checking the Access Group Settings


To check the access lists set in an access group, run the command show access-group [<WORD>] in <User
Mode>, <Privileged Mode>, or <Configuration Mode>.

To check the access group information set in an interface, run the command show access-group
interface in <User Mode>, <Privileged Mode>, or <Configuration Mode>.

Time-based ACL Setting

TiFRONT provides a time-based ACL function that applies access lists and access groups only at the specified
time. To set the time-based ACL, perform the following steps in <Configuration Mode>.

No. 1
Command: access-list mode time-based
Description: Enable the time-based ACL function.

No. 2
Command: access-list {<1-1000> | <WORD>} time {any | <TIMEMAP>}
Description: Specify the time at which to apply the access list.
    <1-1000> | <WORD>
        Access list ID for which to specify the applied time
    any
        The access list is applied regardless of the time (default).
    <TIMEMAP>
        Specify the applied time in the format 'start time-end time' within the range of 0-24. To specify
        multiple time blocks, separate them by using ','.
        Note: The start time must not be greater than the end time. For example, if you want to set 24-1, you
        must change 24 to 0.

No. 3 (Optional)
Command: access-group <WORD> time {any | <TIMEMAP>}
Description: Specify the time at which to apply the access group.
    <WORD>
        Access group name for which to specify the applied time
    any
        The access group is applied regardless of the time (default).
    <TIMEMAP>
        Specify the applied time in the format 'start time-end time'. To specify multiple time blocks,
        separate them by using ','. Setting range: 0 ~ 24

Note: To set time-based ACL, you must first define the access list and access group.

Note: When you set the applied time to an access group, it will be applied to all the access lists in that group regardless of the applied time set in
the access lists.

Note: To disable the time-based ACL function, run the command no access-list mode time-based in <Configuration Mode>.
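The following Python helper, added here as an example and not part of TiFRONT or PIOLINK's code, checks a TIMEMAP string against the rules the table above states (blocks of the form 'start-end' with hours in 0-24, separated by ',', start not greater than end) and shows how a block that spans midnight has to be written. The guide does not say whether the end hour is inclusive; the helper treats it as exclusive, which is an assumption.

```python
"""Validator for the TIMEMAP argument of 'access-list ... time' and
'access-group ... time'.

Added example, not PIOLINK code.  It implements only what the guide states:
a TIMEMAP is one or more 'start-end' blocks separated by ',', hours lie in
0 ~ 24, and start must not be greater than end (so a block across midnight,
e.g. 22-2, has to be written as 22-24,0-2).  Whether the end hour is
inclusive is not stated; this code treats it as exclusive (assumption).
"""
from typing import List, Optional, Tuple


def timemap_error(timemap: str) -> Optional[str]:
    """Return None if TIMEMAP is valid, otherwise a message saying why not."""
    if timemap.strip() == "any":
        return None
    for raw in timemap.split(","):
        block = raw.strip()
        parts = block.split("-")
        if len(parts) != 2 or not all(p.isdigit() for p in parts):
            return f"block {block!r}: expected 'start-end' with whole hours"
        start, end = int(parts[0]), int(parts[1])
        if not (0 <= start <= 24 and 0 <= end <= 24):
            return f"block {block!r}: hours must be within 0 ~ 24"
        if start > end:
            return (f"block {block!r}: start time must not be greater than end time "
                    "(write 24 as 0, or split the block at midnight)")
    return None


def parse_timemap(timemap: str) -> List[Tuple[int, int]]:
    """Return the (start, end) hour blocks of a valid TIMEMAP; 'any' is 0-24."""
    err = timemap_error(timemap)
    if err:
        raise ValueError(err)
    if timemap.strip() == "any":
        return [(0, 24)]
    blocks = []
    for raw in timemap.split(","):
        start_s, end_s = raw.strip().split("-")
        blocks.append((int(start_s), int(end_s)))
    return blocks


def is_active(timemap: str, hour: int) -> bool:
    """True if a list or group with this TIMEMAP is in force at hour (0-23).
    End hour exclusive (assumption), so '9-18' covers 09:00 up to 17:59."""
    if not 0 <= hour <= 23:
        raise ValueError("hour must be 0-23")
    return any(start <= hour < end for start, end in parse_timemap(timemap))


def midnight_block(start: int, end: int) -> str:
    """Write a block that may cross midnight in the form the CLI accepts:
    24 as a start hour becomes 0, and a wrapping block is split in two."""
    start = 0 if start == 24 else start
    if start <= end:
        return f"{start}-{end}"
    return f"{start}-24,0-{end}"


if __name__ == "__main__":
    for candidate in ("9-18", "0-6,22-24", "24-1", "9-25", "9"):
        print(f"{candidate:12} -> {timemap_error(candidate) or 'valid'}")
    print("22-2 must be written as", midnight_block(22, 2))
```

Run the module to see which sample strings the CLI would reject and why; use is_active() when auditing whether a rule set is actually in force at a given hour.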

Configuration Example
In this example, two access lists are set as shown in the following table, and then the settings are queried.

Configuration item       | Set value (acl-01)   | Set value (acl-02)
-------------------------+----------------------+---------------------
ID                       | acl-01               | acl-02
Policy                   | permit               | deny
Protocol                 | TCP                  | UDP
Source IP address        | 192.168.201.231/24   | 192.168.203.233/24
Destination IP address   | 192.168.202.232/24   | 192.168.204.234/24
Source port number       | any                  | any
Destination port number  | any                  | any
(config)# access-list acl-01 permit tcp 192.168.201.231/24 192.168.202.232/24 any any    <- Set an access list
(config)# access-list acl-02 deny udp 192.168.203.233/24 192.168.204.234/24 any any    <- Set an access list
(config)# show access-list    <- Show the settings
-------------------------------------------
Access List acl-01
  1  Action         : Permit
     IP Protocol    : 6
     Src IP address : 192.168.201.231/24
     Dst IP address : 192.168.202.232/24
Access List acl-02
  1  Action         : Deny
     IP Protocol    : 17
     Src IP address : 192.168.203.233/24
     Dst IP address : 192.168.204.234/24
-------------------------------------------
(config)# access-list acl-01 interface ge1    <- Apply acl-01 to ge1 port
(config)# access-list acl-02 interface ge2    <- Apply acl-02 to ge2 port
(config)# show access-list interface
--------------------------
Interface   | Access-list
------------+-------------
ge1         | acl-01
ge2         | acl-02
ge3         | None
ge4         | None
ge5         | None
ge6         | None
ge7         | None
ge8         | None
ge9         | None
ge10        | None
ge11        | None
ge12        | None
ge13        | None
ge14        | None
ge15        | None
ge16        | None
ge17        | None
ge18        | None
ge19        | None
ge20        | None
ge21        | None
ge22        | None
ge23        | None
ge24        | None
vlan1       | None
vlan2       | None
---------------------------

The following is an example of setting an access group.

(config)# access-group acg-01 access-list acl-01    <- Add an access list to an access group
(config)# access-group acg-01 access-list acl-02    <- Add another access list to the access group
(config)# show access-group    <- Show the access group settings
-------------------------------------------
Access Group acg-01
  Access-list acl-01
  Access-list acl-02
-------------------------------------------
(config)# access-group acg-01 interface ge3    <- Apply the access group to ge3 port
(config)# access-group acg-01 interface vlan2    <- Apply the access group to VLAN 2 (vlan2)
(config)# show access-group interface
---------------------------
Interface   | Access-group
------------+--------------
ge1         | None
ge2         | None
ge3         | acg-01
ge4         | None
ge5         | None
ge6         | None
ge7         | None
ge8         | None
ge9         | None
ge10        | None
ge11        | None
ge12        | None
ge13        | None
ge14        | None
ge15        | None
ge16        | None
ge17        | None
ge18        | None
ge19        | None
ge20        | None
ge21        | None
ge22        | None
ge23        | None
ge24        | None
vlan1       | None
vlan2       | acg-01
----------------------------

System Access Control


The system access control function allows only specific packets to be received by TiFRONT in order to protect
the system. It can prevent unauthorized users from accessing TiFRONT to see information or arbitrarily
change the settings.
The system access control function also reduces the exposure of the user authentication process. In order
to monitor or manage systems by accessing TiFRONT through Telnet, SSH, or SNMP, you must pass the user
authentication process of checking the login ID and password. If the login ID and password are exposed,
however, host access can no longer be controlled through authentication alone. If you instead specify the
conditions of the hosts that are allowed access through access rules, the hosts are filtered before the
authentication process, so systems are protected from unauthorized hosts even if the authentication
information is exposed.
The system access control function specifies permitted and denied packets by using access rules. An access
rule consists of conditions for packets and the handling method (permit or deny) for the packets satisfying
the conditions. You can specify the packet conditions through a combination of protocol, source/destination
IP addresses, and the source/destination port numbers of the packets.

Priority of Access Rules


When there are multiple access rules, TiFRONT applies the access rule having the highest priority first.
Priorities are automatically specified by the setting order of access rules, and the access rule that is set
earlier has a higher priority. During the comparison of access rules and packets, if a packet satisfies the
access rule condition, the packet is handled according to the policy of the access rule.
One packet may satisfy multiple access rules simultaneously. In this case, the packet handling will vary by
which access rule is applied first. Therefore, you must define the access rules in such a way that the packets
will be handled as you intended them.
In general, when multiple access rules are satisfied simultaneously, the access rule having more concrete
conditions is set first. For example, if you have to define an access rule (rule 1) having the condition that the
source is 192.168.10.0/24 and another access rule (rule 2) having the condition that the source is
192.168.10.0/28 and the protocol is TCP, you should define rule 2 first because it has more concrete
conditions.


Operation Process of System Access Control Functions


The following figure illustrates the process of denying and permitting packets by the system access control
function.

[Figure - System access control process of TiFRONT]
(Flowchart: Defined access rule? -> Satisfy access rule with highest priority? -> if not, Last access rule? /
Satisfy access rule of the next priority? -> on permit: Permit packet; on deny: Deny packet)

When a host sends packets to access TiFRONT, TiFRONT compares the packets with the access rules, starting
from the access rule that was set first, in order to find an access rule that the packets satisfy. If there is an
access rule that is satisfied by the packet, the packet is permitted or denied by the policy of the access rule.
If there is no access rule that is satisfied by the packet or no access rule is defined, the packet is permitted.
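As an added illustration (not PIOLINK code and not TiFRONT's implementation), the following Python models the first-match evaluation just described, for the system access rules here and equally for the rules of an access list in the ACL section above: rules are tried in priority order (here, list order, earliest first), the first satisfied rule decides, and a packet that no rule matches is permitted. The rule actions for the 192.168.10.0/24 and 192.168.10.0/28 pair from "Priority of Access Rules" are assumed (permit and deny), since the guide gives only their conditions; the second rule set reuses the addresses of the system access control configuration example in this section. All packets are constructed samples.

```python
"""First-match evaluation of access rules, as the guide describes it for the
system access control function (and for the rules inside one access list).

Added example, not PIOLINK's implementation.  It models three points the
guide makes: rules are checked in priority order (earliest set = highest
priority), the first satisfied rule decides, and a packet that satisfies no
rule, or an empty rule set, falls through to the default ("permit" for
system access control; an access list applied to an interface instead ends
with an implicit block-all rule, so pass default="deny" for that case).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PortSpec = Optional[Tuple[int, int]]   # (low, high) inclusive; None means 'any'


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str = "any"     # any | icmp | tcp | udp
    src: str = "any"       # A.B.C.D/M, X:X::X:X/M or any
    dst: str = "any"
    sport: PortSpec = None
    dport: PortSpec = None


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _ip_match(spec: str, addr: str) -> bool:
    # ip_network/ip_address handle both IPv4 and IPv6; a v4 address is never
    # inside a v6 network and vice versa.
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _port_match(spec: PortSpec, port: int) -> bool:
    return spec is None or spec[0] <= port <= spec[1]


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does the packet satisfy every condition of the rule?"""
    return (rule.proto in ("any", pkt.proto)
            and _ip_match(rule.src, pkt.src)
            and _ip_match(rule.dst, pkt.dst)
            and _port_match(rule.sport, pkt.sport)
            and _port_match(rule.dport, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "permit") -> Tuple[str, Optional[int]]:
    """Return (decision, index of the deciding rule); index None means the
    default applied because no rule matched (or none was defined)."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, index
    return default, None


def unreached_rules(rules: List[Rule], probes: List[Packet]) -> List[int]:
    """Indexes of rules that none of the probe packets reaches because an
    earlier rule already matched.  A cheap way to notice the ordering mistake
    the guide warns about: a broad rule placed before the more concrete one."""
    reached = set()
    for pkt in probes:
        _, index = evaluate(rules, pkt)
        if index is not None:
            reached.add(index)
    return [i for i in range(len(rules)) if i not in reached]


if __name__ == "__main__":
    broad = Rule("permit", src="192.168.10.0/24")                 # "rule 1" of the guide (action assumed)
    concrete = Rule("deny", proto="tcp", src="192.168.10.0/28")   # "rule 2" of the guide (action assumed)
    pkt = Packet("tcp", "192.168.10.5", "192.168.1.1", 40000, 23)
    print("broad first   :", evaluate([broad, concrete], pkt))    # concrete rule never consulted
    print("concrete first:", evaluate([concrete, broad], pkt))
    print("shadowed      :", unreached_rules([broad, concrete], [pkt]))
```

The two orderings of the same pair of rules give opposite decisions for the same packet, which is the point of the priority discussion above; unreached_rules() over a representative set of probe packets is a quick audit for a rule that can never fire.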

System Access Control Setting


To set the system access control functions, run the following command in <Configuration Mode>. You can
define up to 100 system access control rules in TiFRONT, and you can repeat this command to set multiple
access control rules.
Caution: A system access control rule is applied immediately when it is set. If you set a deny rule without a matching permit rule, that rule
may block your own access to TiFRONT. In this case, you must log in to the console and change the system access control rule.


Command: system-access {deny | permit} {any | icmp | tcp | udp} {<A.B.C.D/M> | any} {<A.B.C.D/M> | any} {any | eq <1-65535> | range <1-65534> <2-65535>} {any | eq <1-65535> | range <1-65534> <2-65535>}
Description: Add a system access control rule.
    deny | permit
        Enter a policy. deny: blocked, permit: allowed
    any | icmp | tcp | udp
        Specify the protocol.
    <A.B.C.D/M> | any
        Source IP address of the packets.
    <A.B.C.D/M> | any
        Destination IP address of the packets.
    any | eq <1-65535> | range <1-65534> <2-65535>
        Source port number of the packets
    any | eq <1-65535> | range <1-65534> <2-65535>
        Destination port number of the packets

Note: To delete an access rule, run the command no system-access {deny | permit} {any | icmp | tcp | udp} {<A.B.C.D/M> |
any} {<A.B.C.D/M> | any} {any | eq <1-65535> | range <1-65534> <2-65535>} {any | eq <1-65535> | range <1-65534>
<2-65535>} in <Configuration Mode>.

Checking the System Access Control Settings


To check the system access control settings, run the command show system-access in <User Mode>,
<Privileged Mode>, or <Configuration Mode>.

Configuration Example
The following is an example of system access control setting.

(config)# system-access permit tcp 192.168.230.250/24 192.168.224.243/24 range 1024 5000 range 1024 5000    <- Set a rule that permits system access
(config)# system-access deny tcp 192.168.230.250/24 192.168.224.243/24 any any    <- Set a rule that denies system access
(config)# show system-access    <- Show the system access control settings
System Access List
-------------------------------------------------------
#1  Action         : Permit
    IP Protocol    : TCP
    Src IP address : 192.168.230.250/24
    Dst IP address : 192.168.224.243/24
    Src port       : 1024-5000
    Dst port       : 1024-5000
#2  Action         : Deny
    IP Protocol    : TCP
    Src IP address : 192.168.230.250/24
    Dst IP address : 192.168.224.243/24
    Src port       : ANY
    Dst port       : ANY
-------------------------------------------------------


Integrated Authentication
TiFRONT provides the following three types of authentication for network access control of the connected
hosts:
- 802.1x Authentication
- MAC Authentication
- Web Authentication

The integrated authentication feature of TiFRONT allows the use of only one authentication function or a
combination of different authentication functions through the following methods:
- Stand-alone authentication method
  Only one of 802.1x, MAC, and Web authentication is used.
- Multi-step authentication method
  Two authentication functions, user terminal authentication (802.1x or MAC authentication) and user
  authentication (802.1x or Web authentication), are performed step by step.
- Fall-back authentication method
  The 802.1x authentication is performed first, and if it fails or there is no response, the MAC or Web
  authentication is performed.

When the multi-step authentication method is used, both authentication functions must be passed
successfully before network access to the host is permitted. The multi-step authentication method combines
the following authentication functions:

User Terminal Authentication | User Authentication
-----------------------------+----------------------
MAC authentication           | 802.1x authentication
MAC authentication           | Web authentication
802.1x authentication        | Web authentication

For the fall-back authentication method, if the 802.1x authentication fails, the other authentication functions
are performed sequentially, and if one authentication is successful, network access is permitted. If all
authentications fail, the authentication process must be restarted from 802.1x authentication. The fall-back
authentication method can use the following combinations:

1st authentication    | 2nd authentication  | 3rd authentication
----------------------+---------------------+--------------------
802.1x authentication | MAC authentication  |
802.1x authentication | Web authentication  |
802.1x authentication | MAC authentication  | Web authentication

Each authentication function determines approval through the RADIUS server and can be set by each port. If
you set the authentication function, authentication mode, and authentication method to use by considering
the characteristics of the host connected to each port, you can shorten the time required for the
authentication process and use the integrated authentication function more efficiently.
TiFRONT supports the VLAN Assignment function, which means that if the authentication is successful, the
VLAN of the port to which the host is connected is changed to a VLAN set in the RADIUS server. VLAN
Assignment is enabled by default without a separate setting. If the VLAN ID is not registered in the RADIUS

server or the VLAN ID does not exist in TiFRONT, the current VLAN is maintained. If the port authentication
mode is host mode, it is set to the VLAN of the host that succeeded in authentication for the first time
through the port.
Each of the authentication functions provided by TiFRONT is described in detail below.

802.1x Authentication
802.1x is an IEEE standard related to port-based network access control. TiFRONT provides the
authentication function that authenticates a host and gives access permission based on IEEE 802.1x. Setting
the 802.1x authentication policy can raise network security because only the hosts having the access
permission can access the network.
The following shows the 802.1x authentication process.

[Figure - 802.1x Authentication Process]
(Message sequence between the Host (Supplicant), TiFRONT (Authenticator) and the RADIUS server
(Authentication Server): EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, Radius-Access-Request,
Radius-Access-Challenge, EAP-Request, EAP-Response, Radius-Access-Request, Radius-Access-Accept, EAP-Success)

1. EAPOL-Start
When accessing the network first, the host (supplicant) requests network access by sending the EAPOL-Start
packet to the TiFRONT (Authenticator).
2. EAP-Request/Identity
TiFRONT sends the EAP-Request/Identity packet requesting identification of the host.
3. EAP-Response/Identity
The host sends the EAP-Response/Identity packet containing the identity information to TiFRONT.
4. Radius-Access-Request
TiFRONT sends the Radius-Access-Request packet containing identity information to the RADIUS server.
5. Radius-Access-Challenge
The RADIUS server sends the Radius-Access-Challenge packet requesting a certificate or password to TiFRONT.
6. EAP-Request
TiFRONT sends the EAP-Request packet requesting a certificate or password to the host.
7. EAP-Response
The host sends the EAP-Response packet containing a certificate or password to TiFRONT.
8. Radius-Access-Request
TiFRONT sends the Radius-Access-Request packet containing a certificate or password to the RADIUS server.


9. Radius-Access-Accept
The RADIUS server notifies successful authentication by sending the Radius-Access-Accept packet to TiFRONT.
10. EAP-Success
TiFRONT notifies of successful authentication by sending the EAP-Success packet to the host.
Note: The 802.1x authentication process generally starts by the host sending the EAPOL-Start packet. If TiFRONT starts authentication first,
however, the authentication process begins from the part where the EAP-Request/Identity packet is sent.

Note: The authentication information of the host that is used in the 802.1x authentication process is saved in the RADIUS server and not in
TiFRONT.
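To make steps 1-3 and 10 concrete, the Python below encodes and parses the EAPOL and EAP frames exchanged between the host and TiFRONT on the wire and shows what an authenticator does with each frame it receives from the supplicant. It is an added example, not PIOLINK's code: the frame layouts come from IEEE 802.1X (EAPOL) and RFC 3748 (EAP); the RADIUS leg (steps 4-9) and the credential exchange inside steps 6-7 are not modelled; EAPOL version 2 and the identity "host01" are assumptions and constructed sample values.

```python
"""EAPOL/EAP frames for steps 1-3 and 10 of the 802.1x sequence above, and
the authenticator's handling of frames from the supplicant.

Added example, not PIOLINK code.  Frame layouts follow IEEE 802.1X (EAPOL:
1-byte version, 1-byte packet type, 2-byte body length) and RFC 3748 (EAP:
code, identifier, 2-byte length, then type and type-data for Request and
Response).  The RADIUS leg is not modelled.  EAPOL version 2 is an
assumption; the sample identity "host01" is constructed.
"""
import struct
from typing import Optional, Tuple

EAPOL_VERSION = 2
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def eapol_frame(packet_type: int, body: bytes = b"") -> bytes:
    """EAPOL header followed by the body (empty for EAPOL-Start/Logoff)."""
    return struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body


def eap_packet(code: int, identifier: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """EAP packet; Success and Failure carry no type field, only the 4-byte header."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def eapol_start() -> bytes:                                    # step 1, supplicant -> authenticator
    return eapol_frame(EAPOL_START)


def eap_request_identity(identifier: int) -> bytes:            # step 2, authenticator -> supplicant
    return eapol_frame(EAPOL_EAP_PACKET, eap_packet(EAP_REQUEST, identifier, EAP_TYPE_IDENTITY))


def eap_response_identity(identifier: int, identity: bytes) -> bytes:   # step 3
    return eapol_frame(EAPOL_EAP_PACKET, eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_IDENTITY, identity))


def eap_success(identifier: int) -> bytes:                     # step 10
    return eapol_frame(EAPOL_EAP_PACKET, eap_packet(EAP_SUCCESS, identifier))


def parse_eapol(frame: bytes) -> Tuple[int, int, bytes]:
    """Return (version, packet_type, body); Ethernet padding after the declared
    length is dropped and a body shorter than declared is rejected."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, packet_type, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL body shorter than declared length")
    return version, packet_type, body


def parse_eap(body: bytes) -> Tuple[int, int, Optional[int], bytes]:
    """Return (code, identifier, type or None, data), checking the length field."""
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP length field inconsistent with body")
    body = body[:length]
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, identifier, None, b""
    if length < 5:
        raise ValueError("EAP Request/Response without type field")
    return code, identifier, body[4], body[5:]


def authenticator_handle(frame: bytes, expected_id: int):
    """What the authenticator does with one frame from the supplicant:
    EAPOL-Start -> answer with EAP-Request/Identity (step 2);
    EAP-Response/Identity carrying the identifier it is waiting for -> hand
    the identity to the RADIUS client (start of step 4); anything else,
    including a response with a stale identifier, is dropped."""
    _, packet_type, body = parse_eapol(frame)
    if packet_type == EAPOL_START:
        return "send", eap_request_identity(expected_id)
    if packet_type == EAPOL_EAP_PACKET:
        code, identifier, eap_type, data = parse_eap(body)
        if code == EAP_RESPONSE and identifier == expected_id and eap_type == EAP_TYPE_IDENTITY:
            return "to-radius", data.decode("utf-8", errors="replace")
    return "drop", None


if __name__ == "__main__":
    action, reply = authenticator_handle(eapol_start(), expected_id=1)   # steps 1 and 2
    print(action, reply.hex())
    print(authenticator_handle(eap_response_identity(1, b"host01"), 1))  # step 3
    print(eap_success(1).hex())                                           # step 10
```

The identifier check in authenticator_handle() is what ties a Response to the Request it answers; a response whose identifier does not match the outstanding request is discarded rather than forwarded to the RADIUS server.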

TiFRONT provides the Guest VLAN function, which allows devices that do not support 802.1x to access the
network normally regardless of the 802.1x authentication. When a device that does not support 802.1x is
connected to an authentication port for which a Guest VLAN is set, the VLAN of that port is changed to the Guest
VLAN and communication proceeds normally. However, even if the Guest VLAN function is enabled,
devices that fail authentication are blocked.

MAC Authentication
MAC authentication supports authentication for such hosts as printers and VoIP phones that do not support
the IEEE 802.1x standard or which cannot accept IDs and passwords. It controls network access through the
MAC address of hosts.
For MAC authentication, the MAC address is acquired from the ARP packet or DHCP discover packet that the
host sends to TiFRONT, and this MAC address is used as the ID for authentication. Therefore, in order to use
the MAC authentication function, the MAC address of the host that will be permitted to access the network
must be registered in the RADIUS server.
The following shows the MAC authentication process.

[Figure - MAC Authentication Process]
(Message sequence between the Host (Supplicant), TiFRONT (Authenticator) and the RADIUS server
(Authentication Server): ARP/DHCP discover, Radius-Access-Request, Radius-Access-Accept)

1. ARP/DHCP discover
The host sends an ARP packet or a DHCP discover packet containing its MAC address to TiFRONT.
2. Radius-Access-Request
TiFRONT sends the Radius-Access-Request packet containing the MAC address and password of the host to the
RADIUS server.
3. Radius-Access-Accept
The RADIUS server notifies of successful authentication by sending the Radius-Access-Accept packet to TiFRONT,
and TiFRONT permits the network access of the host.
Note: For the password used in the MAC authentication process, a password that is commonly applied to all hosts must be set. If the MAC
authentication password is not set, the MAC address of the host is used for MAC authentication.

Web Authentication
Web authentication controls network access by sending an authentication page from TiFRONT and accepting
the ID and password when a host tries to access the network through a Web browser.
In order to use the Web authentication function, the ID and password of the host that will be permitted to
access the network must be registered in the RADIUS server. Furthermore, Web authentication can be used
only in an environment where the fixed IP address is used for HTTP communication between TiFRONT and
host.
When a host tries to access through the Web, the following authentication page appears.

The success/failure of authentication is informed to the host by showing the following Web page, and the
host is permitted to access the network only if authentication is successful.

Caution: Before Web authentication is successful, TiFRONT responds with its IP address to the ARP Request and DNS Query sent by the host.
Therefore, after Web authentication is complete, the Web browser must be restarted to update the network access information. In this process,
the network access of host can be delayed a little.


The Web authentication process is described below.

[Figure - Web Authentication Process]
(Message sequence between the Host (Supplicant), TiFRONT (Authenticator) and the RADIUS server
(Authentication Server): HTTP Request, HTTP Login Page, HTTP Get, Radius-Access-Request,
Radius-Access-Accept, HTTP Response)

1. HTTP Request
The host sends the HTTP Request packet to TiFRONT.
2. HTTP Login Page
TiFRONT sends a login page, displayed in the browser, where the ID and password for Web authentication are entered.
3. HTTP Get
The host enters an ID and password on the login page and sends the HTTP Get packet.
4. Radius-Access-Request
TiFRONT sends the Radius-Access-Request packet containing the ID and password of the host to the RADIUS
server.
5. Radius-Access-Accept
The RADIUS server notifies of successful authentication by sending the Radius-Access-Accept packet to TiFRONT,
and TiFRONT permits network access of the host.
6. HTTP Response
TiFRONT responds with a Web page that informs of successful authentication.
Note: The authentication information of the host that is used in the Web authentication process is saved in the RADIUS server and not in TiFRONT.


Authentication Mode
TiFRONT supports the following two authentication modes:
Port Mode
Authentication is performed based on the port. When authentication is successful, the port passing the
authentication is changed from a Blocked to a Forwarding state and is allowed to access the network.
Host Mode
Authentication is performed based on the MAC address of the host. When authentication is successful, the MAC
address of the host passing the authentication is registered in the MAC address table and the host is permitted to
access the network.

TiFRONT performs authentication based on the port by default. When authentication is performed based on
the port, there is no problem if one host is connected to one port, but when multiple hosts are connected to
one port through a hub, etc., unauthorized hosts can access the network. In this case, you must use the host
mode so that only the hosts that pass authentication can access the network.
The following shows the port mode authentication process.

[Figure - Port Mode Authentication Process]
(TiFRONT port changing from Blocked to Forwarding, with hosts no. 1, 2 and 3 connected through a hub)

As shown in the above figure for the port-based method, when host no. 1 succeeds in authentication, all
hosts connected to the port through a hub can access the network. Therefore, even hosts no. 2 and 3, which
have not been authenticated, can access the network. On the other hand, if host no. 1 fails authentication,
hosts no. 2 and 3 cannot access the network, either.
The following figure shows the host mode authentication process.

[Figure - Host Mode Authentication Process]
(TiFRONT port with hosts no. 1, 2 and 3 connected through a hub; only the authenticated host can access the network)

As shown in the above figure, the host mode allows you to block network access of each host. In other words,
unlike the port mode, even if host no. 1 passes authentication, hosts no. 2 and 3 cannot access the network.


Integrated Authentication Setting


Cautions for Integrated Authentication Setting
Before setting the integrated authentication, you must create the following VLANs.
- Guest VLAN for communication with the authentication server (when using 802.1x authentication).
- VLAN to which the port will belong after successful authentication (when VLAN assignment is used).
You must set the mode of the port to which you will apply the integrated authentication to Access.
The integrated authentication function is not applied to hosts whose MAC address is registered as a static
MAC address in the MAC address table.

Authentication Server Setting

To configure the RADIUS server to be used as an authentication server, perform the following steps in
<Configuration Mode>.

Command: dot1x radius-server host <HOSTNAME> [<PORT>]
Description: Register the RADIUS server.
    <HOSTNAME>
        IP address or host name of the RADIUS server.
    <PORT>
        Port number of the RADIUS server. Setting range: 1 ~ 65535. (Default value: 1812)

Command: dot1x radius-server key <KEY>
Description: Enter the encryption key (the secret shared with the RADIUS server).
    <KEY>
        Setting range: 1-64 characters (combination of letters, numbers, and special characters)

Command: dot1x radius-client host <HOSTNAME> <PORT>
Description: Set the IP address or host name of the RADIUS client and the port.
    <HOSTNAME>
        IP address or host name of the device
    <PORT>
        Port number of the device. Setting range: 1 ~ 65535
Note: To delete the RADIUS server, run the command no dot1x radius-server host in <Configuration Mode>.

Note: To delete the encryption key, run the command no dot1x radius-server key in <Configuration Mode>.

Note: To delete the RADIUS client setting, run the command no dot1x radius-client host in <Configuration Mode>.

Enabling Integrated Authentication

To enable the integrated authentication function, run the following command in <Configuration Mode>.

Command: dot1x system-auth-ctrl
Description: Enable Integrated Authentication


Note: To disable the integrated authentication function, run the command no dot1x system-auth-ctrl in <Configuration Mode>.

MAC Authentication Setting

To set the common password and MAC address format to be used for MAC authentication, perform the
following steps in <Configuration Mode>.

Command: dot1x mac-auth password <WORD>
Description: Set the password to be used for MAC authentication.
    <WORD>
        Setting range: 1-20 characters (combination of letters, numbers, and special characters)

Command: dot1x mac-auth addr-format {no-delimiter | multi-dash | multi-colon}
Description: Set the format of the MAC address to be sent to the authentication server. As MAC
authentication uses the MAC address of the host as the ID, it must be specified in the same format as the ID
saved in the RADIUS server.
    no-delimiter
        Specify as HHHHHHHHHHHH format
    multi-dash
        Specify as HH-HH-HH-HH-HH-HH format
    multi-colon
        Specify as HH:HH:HH:HH:HH:HH format (default)

Note: To delete the password for MAC authentication, run the command no dot1x mac-auth password in <Configuration Mode>.

Note: To change the MAC address format to the default format, run the command no dot1x mac-auth addr-format in <Configuration Mode>.
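Because MAC authentication compares the exact string TiFRONT sends as the ID against the ID stored in the RADIUS server, a format mismatch fails authentication for every host without any configuration error being reported. The Python below, an added example and not PIOLINK's code, renders a MAC in each of the three addr-format variants above and checks a RADIUS user list offline against the configured format. The guide does not state the letter case of the hex digits, so case is a parameter and the comparison is exact (an assumption); the addresses and user list are constructed samples.

```python
"""Checking that the ID a switch sends for MAC authentication matches the
ID stored in the RADIUS server.

Added example, not PIOLINK code.  It covers the three formats selectable
with 'dot1x mac-auth addr-format'.  The guide says nothing about letter
case, so the case of the hex digits is a parameter and the comparison below
is an exact string match (assumption).  All addresses are constructed.
"""
import re
from typing import Iterable, List

_HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")
ADDR_FORMATS = ("no-delimiter", "multi-dash", "multi-colon")


def canonical_mac(mac: str) -> str:
    """Accept any of the three formats and return the 12 hex digits, upper-cased."""
    digits = re.sub(r"[:-]", "", mac.strip())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address in a supported format: {mac!r}")
    return digits.upper()


def format_mac(mac: str, addr_format: str = "multi-colon", lowercase: bool = False) -> str:
    """Render a MAC the way the switch would send it as the authentication ID."""
    if addr_format not in ADDR_FORMATS:
        raise ValueError(f"unknown addr-format {addr_format!r}")
    digits = canonical_mac(mac)
    if lowercase:
        digits = digits.lower()
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    if addr_format == "no-delimiter":
        return digits
    if addr_format == "multi-dash":
        return "-".join(pairs)
    return ":".join(pairs)


def will_authenticate(host_mac: str, radius_ids: Iterable[str],
                      addr_format: str = "multi-colon", lowercase: bool = False) -> bool:
    """True if the ID the switch would send equals one of the IDs stored in RADIUS."""
    return format_mac(host_mac, addr_format, lowercase) in set(radius_ids)


def mismatched_ids(radius_ids: Iterable[str], addr_format: str = "multi-colon",
                   lowercase: bool = False) -> List[str]:
    """RADIUS entries that can never match a host because they are not written
    in the switch's configured format (dashes stored while the switch sends
    colons, wrong case, or not a MAC address at all)."""
    out = []
    for rid in radius_ids:
        try:
            if format_mac(rid, addr_format, lowercase) != rid:
                out.append(rid)
        except ValueError:
            out.append(rid)
    return out


if __name__ == "__main__":
    # Constructed sample: one printer MAC and a RADIUS user list with mixed formats.
    printer = "00:1a:2b:3c:4d:5e"
    users = ["00:1A:2B:3C:4D:5E", "00-1A-2B-3C-4D-5E", "001a2b3c4d5e", "printer1"]
    for fmt in ADDR_FORMATS:
        print(f"{fmt:13} sends {format_mac(printer, fmt)!r}; "
              f"entries that cannot match: {mismatched_ids(users, fmt)}")
```

Running the module with a copy of the RADIUS user list shows, per addr-format, which entries would have to be rewritten before the switch setting is changed.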

Authentication Port Setting

Enabling Integrated Authentication
To enable the integrated authentication function for a port, run the following command in <Interface
Configuration Mode>.

Command: dot1x port-control auto
Description: Enable the integrated authentication function for the port.

Note: If you enable the integrated authentication function, 802.1x authentication is also enabled.

Note: To disable the integrated authentication function, run the command no dot1x port-control in <Configuration Mode>.


802.1x Authentication Setting

To set 802.1x authentication-related options for a port, perform the following steps in <Interface
Configuration Mode> of the port.

Command: dot1x reauthMax <1-10>
Description: Set the transmission count for EAP-Request/Identity packets to the host.
    <1-10>
        Setting range: 1 ~ 10. (Default value: 2)

Command: dot1x max-req <1-10>
Description: Set the transmission count for EAP-Request packets to the host.
    <1-10>
        Setting range: 1 ~ 10. (Default value: 2)

Command: dot1x timeout quiet-period <1-65535>
Description: Set the retransmission period for EAP-Request/Identity packets after failed authentication.
    <1-65535>
        Setting range: 1 ~ 65,535 (sec). (Default value: 60 sec)

Command: dot1x timeout supp-timeout <1-65535>
Description: Set the retransmission period for EAP-Request packets when there is no response from the host
after a certificate or password request.
    <1-65535>
        Setting range: 1 ~ 65,535 (sec). (Default value: 30 sec)

Command: dot1x timeout tx-period <1-65535>
Description: Set the retransmission period for EAP-Request/Identity packets when there is no response from
the host after an identity request.
    <1-65535>
        Setting range: 1 ~ 65,535 (sec). (Default value: 30 sec)

Command: dot1x guest-vlan <2-4093>
Description: In port mode, when a device that does not support 802.1x is connected to the port, the Guest
VLAN is set to allow the device to communicate. This works only when the integrated authentication method
is stand-alone.
    <2-4093>
        ID of the VLAN to be used as the guest VLAN.

Note: In the following cases, a port that was moved to the Guest VLAN is restored to its previous VLAN, that is, the VLAN it
belonged to right before it was moved to the Guest VLAN. If that previous VLAN has been deleted, the port is placed in the default VLAN.
- The port goes down.
- The integrated authentication function is disabled (no dot1x system-auth-ctrl).
- The 802.1x function is disabled for the port (no dot1x port-control).
- The authentication mode is changed to host mode.

Caution: While a port belongs to the Guest VLAN because the device connected to TiFRONT does not support 802.1x, saving the
configuration file with the command write memory records the port as a member of the Guest VLAN instead of its previous VLAN. After the
system is rebooted, the port is then not restored to the previous VLAN but stays in the Guest VLAN. Therefore, save the configuration
file only after the port has been restored to its previous VLAN.

Note: To delete the Guest VLAN setting, run the command no dot1x guest-vlan in <Interface Configuration Mode>.


MAC Authentication Setting


To enable the MAC authentication function for a port, run the following command in <Interface Configuration
Mode> of the port.

Command: dot1x mac-auth
Description: Enable MAC authentication.

Note: To disable the MAC authentication function, run the command no dot1x mac-auth in <Interface Configuration Mode>.

Note: MAC authentication identifies a device only by its source MAC address, which the connected host can set to any value. Treat it as a
weaker control than 802.1x and use it only for devices that cannot run an 802.1x supplicant.

Web Authentication Setting


To enable the Web authentication function for a port, run the following command in <Interface Configuration
Mode> of the port.

Command: dot1x web-auth
Description: Enable Web authentication.

Note: To disable the Web authentication function, run the command no dot1x web-auth in <Interface Configuration Mode>.

Setting the Integrated Authentication Method and Authentication Mode


To set the integrated authentication method and the authentication mode, run the following commands in
<Interface Configuration Mode>.

1. dot1x auth-mode {host | port}
   Select the authentication mode of the port. When the integrated authentication function is enabled, the
   authentication mode is port mode by default.
   host: Select host mode as the authentication mode.
   port: Select port mode as the authentication mode (default).

2. dot1x mode {fall-back | multi-step | stand-alone}
   Select the integrated authentication method of the port. Integrated authentication works in stand-alone
   mode by default.
   fall-back: In the fall-back method, 802.1x authentication is performed first; if it fails, a different
   authentication is performed.
   multi-step: In the multi-step method, user terminal authentication and user authentication are performed
   step by step.
   stand-alone: In the stand-alone method, only one authentication function is used (default).

3. dot1x multi-step terminal-dot1x
   The multi-step method performs only MAC authentication for user terminal authentication by default. Run
   this command if you want 802.1x to be supported for user terminal authentication as well.
   Note: To perform user terminal authentication only with MAC authentication, run the command
   no dot1x multi-step terminal-dot1x in <Interface Configuration Mode>.

Setting Authentication Options


To set options that are commonly applied to each authentication function, run the following commands in
<Interface Configuration Mode> of the port.

1. dot1x port-control dir {both | in}
   Set the direction of the packets to be blocked when authentication fails.
   both: Block all packets sent from and received by the port.
   in: Block only the packets received by the port (default).
   Note: With the default setting (in), frames are still sent out of the port to an unauthenticated host, so
   that host can observe broadcast and flooded traffic on the port. Use both if the host must not see any
   traffic before it has authenticated.

2. dot1x timeout server-timeout <1-65535>
   Set the time to wait for a response from the RADIUS server. If the RADIUS server does not respond within
   this time, an authentication failure message is sent to the host.
   <1-65535>: Setting range: 1 ~ 65,535 (sec). (Default value: 30 sec)

3. dot1x reauthentication
   Enable the reauthentication function. (Default: Disabled)
   Note: In host mode, if the reauthentication function is disabled, hosts that are newly connected to or
   disconnected from the port cannot be detected. Therefore, you must enable the reauthentication function
   in host mode.

4. dot1x timeout reauth-period <1-4294967295>
   Set the reauthentication period for renewing authentication.
   <1-4294967295>: Setting range: 1 ~ 4,294,967,295 (sec). (Default value: 3,600 sec)

5. dot1x port-control {force-authorized | force-unauthorized}
   Force the authentication state of the port.
   force-authorized: Every authentication is regarded as successful. This bypasses authentication on the
   port entirely, so use it only for trusted devices that cannot authenticate.
   force-unauthorized: Every authentication is regarded as failed, so no host on the port gains access.

Note: If you have not enabled the integrated authentication function, you cannot set the authentication port. Therefore, before setting an
authentication port, you must enable the integrated authentication function by using the command dot1x system-auth-ctrl in
<Configuration Mode>.

Caution: You must not set a MAC filter for ports for which integrated authentication has been set. If both integrated authentication and a MAC
filter are set for one port, both functions may malfunction.

Note: To reset the integrated authentication settings, run the command dot1x default-configuration in <Configuration Mode>.

Note: To disable the reauthentication function in port mode, run the command no dot1x reauthentication in <Interface Configuration
Mode>.

If Web authentication is used with the integrated authentication method (dot1x mode) set to fall-back, you can
set the options for Web authentication by running the following commands in <Interface Configuration Mode>.

1. dot1x web-auth state-timer <1-300>
   Specify the time to wait for the ID and password of Web authentication to be entered. If they are not
   entered within this time, the authentication is regarded as failed.
   <1-300>: Setting range: 1 ~ 300 (sec). (Default value: 60 sec)

2. dot1x web-auth login-attempt-max <1-5>
   Specify the maximum failure count for Web authentication. If Web authentication fails the specified
   number of times, the authentication process must be restarted from 802.1x authentication.
   <1-5>: Setting range: 1 ~ 5. (Default value: 1)

Note: To change the waiting time for Web authentication to the default, run the command no dot1x web-auth state-timer in <Interface
Configuration Mode>.
Note: To change the maximum failure count for Web authentication to the default, run the command no dot1x web-auth login-attempt-max in <Interface Configuration Mode>.

Initializing Port Authentication State


To initialize the authentication state of the host connected to a port regardless of the current authentication
state, perform the following steps in <Configuration Mode>.

1. interface <IFNAME>
   Specify the port whose authentication state will be initialized and enter <Interface Configuration Mode>.
   <IFNAME>: Number of the port whose authentication state will be initialized.

2. dot1x initialize
   Initialize the authentication state of the port.

Checking the Integrated Authentication Setting


To check the ports for which integrated authentication is set, run the command show dot1x [{all |
interface <IFNAME>}] in <User Mode> or <Privileged Mode>. To check the authentication setting of a
specific port, use the interface <IFNAME> option.


Checking the 802.1x Authentication Statistics


To see the statistics of 802.1x authentication packets exchanged through the authentication port, run the
command show dot1x statistics interface <IFNAME> in <User Mode> or <Privileged Mode>.

Setting EAPOL Packet Forwarding


If 802.1x authentication is not enabled, TiFRONT discards received EAPOL packets by default. However, in an
environment where 802.1x authentication is performed by another network device, the EAPOL packets must be
forwarded through TiFRONT to reach that authenticator. To enable the forwarding of EAPOL packets, run the
following command in <Configuration Mode>.

Command: dot1x system-auth-ctrl eapol-forwarding
Description: Forward received EAPOL packets instead of discarding them.

Note: To disable the forwarding of EAPOL packets, run the command no dot1x system-auth-ctrl eapol-forwarding in <Configuration Mode>.

Configuration Example
In this example, the RADIUS server for integrated authentication is set as shown in the following table, and
the settings are queried.

Item                                  Settings
RADIUS server IP address              192.167.201.237
Encryption key (RADIUS shared secret) radius-key01
RADIUS client IP address              192.168.203.236
RADIUS client port number             49153

# show dot1x                                               Show the 802.1x authentication settings
802.1X Port-Based Authentication Disabled
RADIUS server address: not configured
RADIUS client address: not configured
Next radius message id: 0
# configure
(config)# dot1x system-auth-ctrl                           Enable the 802.1x authentication function
(config)# dot1x radius-server host 192.167.201.237         Set the RADIUS server
(config)# dot1x radius-server key radius-key01             Set the encryption key (shared secret)
(config)# dot1x radius-client host 192.168.203.236 49153   Set the RADIUS client
(config)# exit
# show dot1x                                               Show the 802.1x authentication settings
802.1X Port-Based Authentication Enabled
RADIUS server address: 192.167.201.237:1812
RADIUS client address: 192.168.203.236:49153
Next radius message id: 0


In the next example, the integrated authentication function is enabled, and integrated authentication is set
for the ge1 port as shown below.

Item                               Settings
Authentication Mode                Port Mode
Integrated Authentication Method   Multi-step
User Terminal Authentication       MAC Authentication
User Authentication                802.1x Authentication

(config)# dot1x system-auth-ctrl                 Enable integrated authentication
(config)# interface ge1
(config-if-ge1)# dot1x port-control auto         Enable the integrated authentication function for the port
(config-if-ge1)# dot1x auth-mode port            Select port mode as the authentication mode
(config-if-ge1)# dot1x mode multi-step           Set multi-step as the integrated authentication method
(config-if-ge1)# dot1x mac-auth                  Enable MAC authentication
(config-if-ge1)# end
# show dot1x interface ge1                       Show the integrated authentication settings of the ge1 port
Authentication Mechanism: multi-step / terminal-dot1x option: disabled
802.1X info for interface ge1
Authentication Mode : Port
portEnabled: true - portControl: Auto
portStatus: Unauthorized - currentId: 1
reAuthenticate: disabled
reAuthPeriod: 3600
abort:F fail:F start:F timeout:F success:F
PAE: state: Connected - portMode: Auto
PAE: reAuthCount: 0 - rxRespId: 0
PAE: quietPeriod: 60 - reauthMax: 2 - txPeriod: 30
BE: state: Idle - reqCount: 0 - idFromServer: 0
BE: suppTimeout: 30 - serverTimeout: 30 - maxReq: 2
CD: adminControlledDirections: in - operControlledDirections: both
CD: bridgeDetected: false
KR: rxKey: false
KT: keyAvailable: false - keyTxEnabled: false
Guest-VLAN: N/A

In the following example, the 802.1x authentication statistics are queried.

# show dot1x statistics interface ge1
802.1X statistics for interface ge1
EAPOL Frames Rx: 4 - EAPOL Frames Tx: 0
EAPOL Start Frames Rx: 0 - EAPOL Logoff Frames Rx: 0
EAP Rsp/Id Frames Rx: 2 - EAP Response Frames Rx: 2
EAP Req/Id Frames Tx: 2 - EAP Request Frames Tx: 2
Invalid EAPOL Frames Rx: 0 - EAP Length Error Frames Rx: 0
EAPOL Last Frame Version Rx: 1 - EAPOL Last Frame Src: 001e.8c8f.b333
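The caveats in this section (reauthentication must be on in host mode, the Guest VLAN only works with the stand-alone method, force-authorized bypasses authentication, the default controlled direction in blocks only inbound frames) can be checked from the show dot1x interface output above. The following Python script is an added example and is not part of the TiFRONT guide or of PIOLINK's software; it parses that output and reports the settings an auditor would flag. The sample output is constructed from the ge1 example above with the authentication mode changed to Host so that the reauthentication check has something to report. Field names are taken from that output; the only assumption is that a forced port state shows as a portControl value other than Auto.

```python
import re

# Sample output, constructed from the "show dot1x interface ge1" example on
# this page with "Authentication Mode" changed to Host so that the
# reauthentication check below has something to report.
SAMPLE_SHOW_DOT1X = """\
Authentication Mechanism: multi-step / terminal-dot1x option: disabled
802.1X info for interface ge1
Authentication Mode : Host
portEnabled: true - portControl: Auto
portStatus: Unauthorized - currentId: 1
reAuthenticate: disabled
reAuthPeriod: 3600
abort:F fail:F start:F timeout:F success:F
PAE: state: Connected - portMode: Auto
PAE: reAuthCount: 0 - rxRespId: 0
PAE: quietPeriod: 60 - reauthMax: 2 - txPeriod: 30
BE: state: Idle - reqCount: 0 - idFromServer: 0
BE: suppTimeout: 30 - serverTimeout: 30 - maxReq: 2
CD: adminControlledDirections: in - operControlledDirections: both
CD: bridgeDetected: false
KR: rxKey: false
KT: keyAvailable: false - keyTxEnabled: false
Guest-VLAN: N/A
"""


def parse_show_dot1x(text):
    """Flatten 'show dot1x interface <IFNAME>' output into a {field: value} dict.

    A line may carry several 'key: value' pairs separated by ' - '; the
    'PAE:', 'BE:', 'CD:', 'KR:' and 'KT:' state-machine prefixes are dropped
    so that keys are the bare field names printed by the switch.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"Authentication Mechanism:\s*(\S+)", line)
        if m:
            fields["mechanism"] = m.group(1)
            continue
        line = re.sub(r"^(PAE|BE|CD|KR|KT):\s*", "", line)
        for pair in line.split(" - "):
            key, sep, value = pair.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
    return fields


def audit_dot1x(fields):
    """Return the findings a reviewer would raise, based on this chapter's own caveats."""
    findings = []
    control = fields.get("portControl", "Auto")
    # Assumption: force-authorized / force-unauthorized show as a value other than Auto.
    if control != "Auto":
        findings.append("port-control is %s, not Auto: 802.1x is not actually enforced on this port" % control)
    if fields.get("Authentication Mode", "").lower() == "host" and fields.get("reAuthenticate") == "disabled":
        findings.append("host mode with reauthentication disabled: hosts joining or leaving the port are not detected")
    guest = fields.get("Guest-VLAN", "N/A")
    if guest != "N/A" and fields.get("mechanism") != "stand-alone":
        findings.append("Guest-VLAN %s is set but only takes effect with the stand-alone method (current: %s)"
                        % (guest, fields.get("mechanism")))
    if fields.get("adminControlledDirections") == "in":
        findings.append("controlled direction is 'in': frames sent out of the port still reach an unauthenticated host")
    return findings


if __name__ == "__main__":
    for finding in audit_dot1x(parse_show_dot1x(SAMPLE_SHOW_DOT1X)):
        print("WARNING:", finding)
```

Run it against the captured output of every authentication port (for example the output of show dot1x all split per interface) after a configuration change; a port that reports a force-authorized state or a Guest VLAN under the multi-step or fall-back method is misconfigured rather than merely lenient.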


IP Management Setting
IP Management controls the access of hosts to the network through TiFRONT. With the IP management function,
you can permit or deny the traffic of hosts identified by IP address, MAC address, and port.

Setting the State of IP Management Function


To set the state of the IP management function, run the following command in <Configuration Mode>.

Command: hostacl mode {disable | filter {black | white} | learning}
Description: Set the state of the IP management function.
   disable: Disable the IP management function. (Default)
   filter black: Permit network access for every host by default; only the hosts specified as management
   hosts (with the block option) are blocked from accessing the network.
   filter white: Block network access for every host by default; only the hosts specified as management
   hosts are permitted to access the network. This is the default-deny mode.
   learning: Learn the IP address/MAC address/port information of the hosts.

Management Host Setting


To set a host whose network access is controlled, run the following command in <Configuration Mode>.

Command: hostacl <A.B.C.D> <XX:XX:XX:XX:XX:XX> [port <PORT>] [time <TIMEMAP>] [block]
Description: Enter the IP address and MAC address of the host whose network access is controlled. The rule
identifies the host by the combination of IP address and MAC address.
   port: Only access through the specified port is permitted/denied according to the filter mode. If you
   omit this, access through every port is permitted/denied.
   time: Set the time during which network access is controlled. If you omit this, network access of the
   host is controlled for all 24 hours.
   <TIMEMAP>: Specify the start and end hours for the control using '-' in the range 0-24. To specify
   multiple time ranges, separate them with ','.
   Note: The start time must not be greater than the end time. For example, a range that starts at 24
   (midnight) must be written with 0, so 24-1 becomes 0-1.
   block: Enter this if the filter mode is 'black'. The host is not blocked if you do not specify this option.


Note: To delete a specific management host, use the command no hostacl <A.B.C.D> <XX:XX:XX:XX:XX:XX> [block] [port <PORT>]
[time <TIMEMAP>]. To delete all management hosts that have been set so far, run the command no hostacl all.
Note: The IP management function has a higher priority than the ACL function. Therefore, the packets of a host set as a management host of the
IP management function are not blocked by the ACL function. Conversely, packets permitted by an ACL may still be blocked, depending on the
IP management settings. Review both rule sets together, because an IP management entry overrides the ACL result either way.
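Because the outcome for a frame depends on the filter mode, the block keyword, the port and time qualifiers, the uplink and protocol exemptions, and the IP/MAC format used, it is worth modelling a rule set before committing it to the switch. The following Python is an added example, not part of the TiFRONT guide or of PIOLINK's software: it reproduces the decision described in the hostacl mode and management host tables above, normalizes MAC addresses written in the colon, hyphen or dotted form (the configuration example in this section enters 0006.c473.f28d), and validates <TIMEMAP> as the Note requires. Assumptions, marked in the code: the management Ethernet port is named mgmt, a rule in filter white mode that carries block is treated as blocking, and a range that crosses midnight is expected to be split into two ranges.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set


def normalize_mac(mac: str) -> str:
    """Return a MAC address as lowercase HH:HH:HH:HH:HH:HH, accepting the
    colon, hyphen and dotted (HHHH.HHHH.HHHH) spellings seen in this chapter."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("bad MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_timemap(timemap: str):
    """Parse a <TIMEMAP> such as '9-12,13-18' into [(9, 12), (13, 18)].
    Hours run 0-24 and a range's start must not exceed its end (write 0 instead
    of 24, as the Note above says). Assumption: a range that crosses midnight is
    split by the operator into two ranges, e.g. 23-24,0-1."""
    ranges = []
    for part in timemap.split(","):
        start, sep, end = part.strip().partition("-")
        if not sep or not start.isdigit() or not end.isdigit():
            raise ValueError("malformed time range: %r" % part)
        lo, hi = int(start), int(end)
        if not (0 <= lo <= 24 and 0 <= hi <= 24):
            raise ValueError("hours must lie within 0-24: %r" % part)
        if lo > hi:
            raise ValueError("start after end in %r: write 0 for 24 and split ranges that cross midnight" % part)
        ranges.append((lo, hi))
    return ranges


@dataclass
class Rule:
    """One 'hostacl <A.B.C.D> <MAC> [port <PORT>] [time <TIMEMAP>] [block]' entry."""
    ip: str
    mac: str
    port: Optional[str] = None      # None: applies to every port
    timemap: Optional[str] = None   # None: applies for all 24 hours
    block: bool = False             # the 'block' keyword, meaningful in filter black mode

    def matches(self, ip: str, mac: str, port: str, hour: int) -> bool:
        if ip != self.ip or normalize_mac(mac) != normalize_mac(self.mac):
            return False
        if self.port is not None and port != self.port:
            return False
        if self.timemap is None:
            return True
        return any(lo <= hour < hi for lo, hi in parse_timemap(self.timemap))


@dataclass
class HostAcl:
    mode: str = "disable"                            # disable | black | white | learning
    rules: List[Rule] = field(default_factory=list)
    uplinks: Set[str] = field(default_factory=set)   # hostacl uplink <PORT>
    protos: Set[str] = field(default_factory=set)    # hostacl proto {dhcp | dns}
    mgmt_port: str = "mgmt"                          # assumed name of the management Ethernet port

    def decide(self, ip: str, mac: str, port: str, hour: int, proto: Optional[str] = None) -> str:
        """Return 'permit' or 'block' for one frame."""
        if self.mode in ("disable", "learning") or port in self.uplinks:
            return "permit"        # function off, learning only, or uplink port: not filtered
        if proto in self.protos and port != self.mgmt_port:
            return "permit"        # DHCP/DNS exemption from 'hostacl proto'
        hit = next((r for r in self.rules if r.matches(ip, mac, port, hour)), None)
        if self.mode == "black":   # default permit; only rules carrying 'block' deny
            return "block" if hit is not None and hit.block else "permit"
        # filter white: default deny; a matching rule permits unless it carries
        # 'block' (assumption: such a rule is treated as blocking)
        return "permit" if hit is not None and not hit.block else "block"


# Constructed rule set reproducing this section's configuration example:
#   hostacl mode filter white
#   hostacl 192.168.201.236 0006.c473.f28d port fe11
EXAMPLE_ACL = HostAcl(mode="white",
                      rules=[Rule("192.168.201.236", "0006.c473.f28d", port="fe11")])
```

The model makes two properties of the function visible: in filter white mode a host with the right IP and MAC is still blocked on any port other than the one named in its rule, and the proto exemption applies to blocked hosts as well, so enabling hostacl proto dns opens a channel to any reachable DNS server for every host the white list denies.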

Permission Protocol Setting


To permit the packets of hosts using the DHCP or DNS protocol on every port except the management Ethernet
port, regardless of the filter mode, run the following command in <Configuration Mode>. This lets a host
that is otherwise blocked still obtain an address by DHCP or resolve names.

Command: hostacl proto {dhcp | dns}
Description: Permit the DHCP or DNS protocol.

Note: To delete the permission protocol setting, run the command no hostacl proto {dhcp | dns}.

Note: Permitting DNS means a blocked host can still exchange data with any DNS server it can reach, so enable it only when it is actually needed.

Uplink Port Setting


To set an uplink port so that the permitted hosts can communicate with external networks, run the following
command in <Configuration Mode>.
Command: hostacl uplink <PORT>
Description: Set an uplink port connected to an external network.

Note: To delete the uplink port setting, run the command no hostacl uplink <PORT>.

Note: The IP management function controls network access of hosts in the internal network. Because the IP management function does not need to
be applied to the ports connected to an external network, you can specify them as uplink ports to prevent the lowering of device performance by
unnecessary inspections.

TiManager Connection Setting


To use the IP management function together with TiManager, run the following command in <Configuration
Mode> to set the connection with TiManager.

Command: logging hostacl <A.B.C.D> <1-65535>
Description: Set the connection with TiManager for IP management.
   <A.B.C.D>: IP address of TiManager
   <1-65535>: Port number of TiManager. Setting range: 1 ~ 65535

Note: To delete the connection setting with TiManager, run the command no logging hostacl in <Configuration Mode>.


Checking the Settings


To check the IP management settings, run the command show hostacl in <Privileged Mode> or
<Configuration Mode>.

To check the hosts that have been denied, permitted, or learned by the IP management function, run the
command show hostacl iplist [block | permit | learnt] in <Privileged Mode> or <Configuration Mode>.

To check the IP address and MAC address of the hosts whose network access is controlled, run the command
show hostacl rulelist in <Privileged Mode> or <Configuration Mode>.

To check the connection settings with TiManager, run the command show logging hostacl in <Privileged
Mode> or <Configuration Mode>.

Configuration Example
In this example, the IP management function is configured so that the host with the IP address and MAC
address shown in the following table can access the network through the specified port, and the settings
are queried.

Configuration item              Set value
Access permitted IP address     192.168.201.236
Access permitted MAC address    0006.c473.f28d
Access permitted port number    fe11

(config)# hostacl mode filter white                            Enable IP management (default deny)
(config)# hostacl 192.168.201.236 0006.c473.f28d port fe11     Set the IP address, MAC address, and port
(config)# show hostacl iplist permit                           Show the permitted hosts

IP address        MAC address      PORT Name   Action   Status   Since
--------------------------------------------------------------------------------
192.168.201.236   0006.c473.f28d   fe11        permit   Off      12/13 04:26:19
(config)#


Web Alert Setting


Web Alert Setting for Hazardous Traffic
The Web Alert function for hazardous traffic informs a host when TiManager's security functions have detected
a security issue with it. When the host that sent the hazardous traffic next accesses the Internet through a
Web browser, a warning page reporting the hazardous traffic is shown, carrying the company name, administrator
e-mail address, and phone number set below.

To enable Web Alert for hazardous traffic, run the following commands in <Configuration Mode>.

1. web-alert display-company <WORD>
   Set the company name to be displayed on the screen.
   <WORD>: Enter up to 64 characters composed of letters, numbers, and special characters.

2. web-alert display-mail <WORD>
   Set the e-mail address of the administrator to be displayed on the screen.
   <WORD>: Enter up to 64 characters composed of letters, numbers, and special characters.

3. web-alert display-phone <WORD>
   Set the phone number of the administrator to be displayed on the screen.
   <WORD>: Enter a four-digit number.

4. web-alert timatrix alert-type {pop-up | web-page}
   Set the warning page display method.
   pop-up: Show the warning in a pop-up window. (default)
   web-page: Show the warning on a Web browser screen.

5. web-alert timatrix enable
   Enable Web Alert for hazardous traffic.

Note: To disable Web Alert for hazardous traffic, run the command no web-alert timatrix enable in <Configuration Mode>.

Note: The company name, e-mail address, and phone number are applied to the Web Alert for IP Management in the same way.


Web Alert Setting for IP Management


The Web Alert for IP Management redirects the Web requests (protocol: TCP, port: 80) sent by a host that has
been blocked by the IP management function to a separate Web server. If no Web server for the redirect has
been set, TiFRONT itself responds with a warning page that notifies the user that the packets were filtered
by the IP management function. Only HTTP requests on TCP port 80 are redirected; other traffic from the
blocked host, including HTTPS, is not.

To set the Web Alert for IP management in TiFRONT, run the following commands in <Configuration Mode>.

1. web-alert hostacl server-ip <A.B.C.D> <1-65535>
   Set the IP address and port of the Web server to which the Web requests of blocked users are redirected.
   <A.B.C.D>: IP address of the Web server
   <1-65535>: Port number of the Web server

2. web-alert hostacl alert-interval {alert-per-block | alert-per-day | alert-per-time <TIMEMAP>,[<TIMEMAP>] | no-alert}
   Set the warning page sending period.
   alert-per-block: Send whenever a packet is blocked.
   alert-per-day: Send once a day to each blocked host.
   alert-per-time: Send only during the set time.
   <TIMEMAP>: Specify the start and end hours for sending the warning page using '-' in the range 0-24. To
   specify multiple time ranges, separate them with ','.
   Note: The start time must not be greater than the end time. For example, a range that starts at 24
   (midnight) must be written with 0, so 24-1 becomes 0-1.
   no-alert: No warning page response is given. (default)

3. web-alert display-company <WORD>
   Set the company name to be displayed on the screen.
   <WORD>: Enter up to 64 characters composed of letters, numbers, and special characters.

4. web-alert display-mail <WORD>
   Set the e-mail address of the administrator to be displayed on the screen.
   <WORD>: Enter up to 64 characters composed of letters, numbers, and special characters.

5. web-alert display-phone <WORD>
   Set the phone number of the administrator to be displayed on the screen.
   <WORD>: Enter a four-digit number.

6. web-alert hostacl alert-type {pop-up | web-page}
   Set the warning page display method.
   pop-up: Show the warning in a pop-up window. (Default)
   web-page: Show the warning on a Web browser screen.

7. web-alert hostacl enable
   Enable Web Alert for IP management.

Note: To disable Web Alert for IP management, run the command no web-alert hostacl enable in <Configuration Mode>.

Note: The company name, e-mail address, and phone number are applied to the Web Alert for hazardous traffic in the same way.

Checking the Settings


To check the Web Alert settings, run the command show web-alert in <Privileged Mode> or <Configuration
Mode>.

To check the hosts handled by the Web Alert for IP Management function, run the command show hostacl
web-alert list in <Privileged Mode> or <Configuration Mode>.

Configuration Example
In this example, the Web Alert for hazardous traffic and the Web Alert for IP management are set as shown in
the following table, and the settings are queried.

Configuration item                                               Set value
Company name                                                     PIOLINK
Administrator e-mail                                             admin@piolink.com
Administrator phone number                                       9876
Warning page output method                                       web-page
Transmission period for warning page (IP management Web Alert)   alert-per-block
Redirect server IP address and port (IP management Web Alert)    192.168.200.50/8080

(config)# web-alert display-company PIOLINK                  Set the company name to be displayed on the warning page
(config)# web-alert display-mail admin@piolink.com           Set the administrator e-mail to be displayed on the warning page
(config)# web-alert display-phone 9876                       Set the administrator phone number to be displayed on the warning page
(config)# web-alert timatrix alert-type web-page             Set the display method of the Web Alert for hazardous traffic
(config)# web-alert hostacl alert-type web-page              Set the display method of the Web Alert for IP management
(config)# web-alert hostacl alert-interval alert-per-block   Set the transmission period of the Web Alert for IP management
(config)# web-alert hostacl server-ip 192.168.200.50 8080    Set the redirect Web server for the Web Alert for IP management
(config)# web-alert timatrix enable                          Enable Web Alert for hazardous traffic
(config)# web-alert hostacl enable                           Enable Web Alert for IP management
(config)# show web-alert                                     Show the Web Alert settings

Web-Alert Configuration
---------------------------------------------------------
TiMatrix Web-Alert Status: Enable
TiMatrix Web-Alert Type: Web-page
Hostacl Web-Alert Status: Enable
Hostacl Web-Alert Type: Web-page
Hostacl Web-Alert External Server IP: 192.168.200.50(port : 8080)
Hostacl Web-Alert Interval: alert-per-block
Alert Display Mail: admin@piolink.com
Alert Display Company: PIOLINK
Alert Display Phone: 9876
(config)#
