OfficeServ Data Server Enterprise IP Solutions L2 Protocol Mar, 2006 OfficeServ Lab1 Samsung Electronics Co., Ltd.
1/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved Contents STP / RSTP Port Trunking IGMP Snooping VLAN L2 QoS Security Mirroring Authentication
2/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved STP/RSTP
3/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved Rapid Spanning Tree Protocol Bridge Parameter –Bridge Priority : Decides the priority of Bridges –Hello Time : Sets the transmission cycle of BPDU –Max Age Time : Sets the Message Age Time –Forward Time : The time that the state of each port is changed by level Port Parameter –Priority : Standard to select the port to be blocked when the switch loop is established –Force Version : Communication is progressed via the switch connected to the corresponding port and the BP 여 that a user specifies. –Path Cost : The path cost according to the bandwidth when the connection with the opponent is established –Portfast –Link Type : The link is connected as point-to- point in RSTP
4/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved Rapid Spanning Tree Protocol ① ① Designated Bridge Identifier The upper 4 digits represent the bridge priority and the remaining lower digits are expressed as the system MAC address ② Root Bridge Identifier Among the connected switched, it indicates the identifier of the switch equipment selected as the root bridge. Therefore, if there is no connection between switched, the Root Bridge Identifier displays the same information as the Designated Bridge Identifier. ③ Root Path Cost When the root bridge is decided, it displays the calculated cost for the path to the root switch ④ Root Port If the current equipment is not the root switch, it indicates the ID of the port corresponding to the root port. ⑤ Last Topology changed ② ③ ④ ⑤
5/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved Rapid Spanning Tree Protocol 0x8002 The role of the port that selected via the BDPU exchange between switches. Disable, Alternative, Backup, Designated, Root If a switch connected to the corresponding port is more close to the root switch, the Designated Root shows the Bridge identifier of the connected switch. Otherwise, Designated Root shows its own Bridge identifier Port priorityPort Index Discarding, Learning, Forwarding, Blocking
6/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved Port Trunking
7/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved Port Trunking - GPLIM The packet is transferred to a port among members included to the trunk group. Select an algorithm to select a port for transfer. Up to 8 groups can be generated, and up to 4 ports can be included to a group as members. In addition, a member included to a group cannot be included anther group simultaneously. Displayed when selecting the trunk configuration as ‘LACP’. –For the Active, a LACP packet is transferred to the opposite party first, based on the system. –For the Passive, it is responded only when receiving a packet from the opposite system. –If the user system and opposite system are all set up as Active, a system that has higher priority is used as a reference.
8/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved Port Trunking - GSIM LACP is distinguished with Static Trunking in that the configuration as the LACP port automatically forms bandwidth The LACP Configuration window can configure trunk groups and add or delete members The selection of the algorithm to select the port to sent out the packets. Select [Port Trunking] [Status] menu to specify the configuration related to Port Trunking GSIM
9/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved IGMP Snooping
10/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved IGMP Snooping According to VLANs, the IGMP Snooping can be operated respectively
11/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved IGMP Snooping Select the VLAN and the Category to configure, enter the time and click the [OK] button to store the configuration Group Membership The time to exit from the multicast forwarding database list when new report does not exist Last Member Query Timeout The time to wait a response report after sending a query to check if the host is the last host when multicast router receives a leave message from a host. If the report is not replied until the time is elapsed, the host is deleted from the group. Max Response The maximum time until its response when IGMP Snooping query is received Other Query The time until the operation as a querier starts when a query from the multicast router doest not exist
12/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved IGMP Snooping Querier and Immediate Leave can be set of each VLAN, but Cross VLAN and Flood DPM can be set on a bridge basis. Querier The operation as IGMP querier when the multicast router does not exist. Immediate Leave Deletes a host from the group immediately when receiving the Leave Message. Cross VLAN Forwards multicast packets to all ports regardless of VLAN. Flood DPM If no member exists in the IGMP group, sets whether to forward multicast packets. In GSIM board, it is supported using [IGMP snooping] -> [Multicast Filter] menu.
13/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved IGMP Snooping In GSIM board, it is supported Cross VLAN and Flood DPM function in GPLIM board as shown in the figure below: Forward group Always forwards multicast packets Filter unregistered group Drops multicast packets when any member pertaining to IGMP group doesn’t exit Forward unregistered group Forwards multicast packets when any member pertaining to IGMP group doesn’t exit GSIM
14/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved IGMP Snooping Display the information on the members registered in IGMP Group. Click the [Refresh] button to update the information displayed on the web screen into the latest information.
15/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved Virtual LAN (VLAN) -Port based VLAN -MAC based VLAN Q Tag based VLAN -Protocol based VLAN -IP-subnet based VLAN
16/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved VLAN GPLIM –256 VLANs –Mode MAC based VLAN Port based VLAN 802.1Q Tag based VLAN GSIM –1024 VLANs –Mode Port based VLAN MAC based VLAN IP based VLAN Protocol based VLAN
17/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved VLAN - GPLIM(1) MAC based VLAN : VLAN is configured for each MAC address –A MAC based VLAN does not basically contain port information. –The port serves as a VLAN member by receiving packets. –The ARP packet must be transmitted to the switch to enable members of a VLAN to exchange packets.
18/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved VLAN - GPLIM(2) MAC based VLAN (cont’d) –Select ‘MAC’ from VLAN Operation Mode –Select the corresponding VLAN and enter VLAN Name and VLAN ID –Enter the MAC address into [Classification] menu
19/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved VLAN - GPLIM(3) Port Based VLAN –A single port can be assigned to multiple VLANs. –Broadcast packets transmitted by the port is transmitted to all VLANs containing the port. –Ports not assigned to any VLANs serve as a single VLAN.
20/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved VLAN - GPLIM(4) Port based VLAN (cont’d) –Select ‘Port’ from VLAN Operation Mode –Select the corresponding VLAN and enter VLAN Name and VLAN ID
21/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved VLAN - GPLIM(5) 802.1Q (IVL/SVL) –1. Member set –2. Untagged set –3. PVID (Port VLAN ID) (Note) If you change the VLAN operation mode, the previous VLAN setting is cleared.
22/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved VLAN - GPLIM(6) In the [Port]->[VLAN]->[Port VID] menu, set the operation method when an untagged frame is received Send a frame to VLAN registered in the Port VID ‘1’ is a default VLAN that includes all ports Set drop/pass when an untagged frame is delivered. For drop, tick off the checkbox
23/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved VLAN - GPLIM(7) 802.1Q (IVL/SVL) (cont’d) –IVL (Independent VLAN Learning) One FDB per each VLAN ID if individual MAC address learned in one VLAN, learned information NOT used in forwarding decisions relative to all other VLANs –SVL(Shared VLAN Learning) One single FDB if individual MAC address learned in one VLAN, learned information used in forwarding decisions relative to all other VLANs –IVL vs SVLIVL vs SVL
24/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved VLAN - GPLIM(8) Classification –If the VLAN mode is ‘802.1Q’, VLAN ID is decided depending on the protocol of the packet received. –Classification Mode In case of MAC based VLAN, ‘MAC’ is selected. In case of 802.1Q based VLAN, ‘proto’ is selected.
25/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved VLAN – GSIM (1) Port based VLAN –VLAN Create –VLAN Edit Add/Delete members Egress-Tagged Egress-Tagged The packet that sends out to the outside via a port is sent out as Tagged-Packet
26/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved VLAN – GSIM (2) The trunk port is set (Static Trunk) –The member port of each group should have always the same VLAN characteristics. –The ports with the different VLAN characteristics cannot be involved in the trunk group. –In case of LACP, if the link of its member port is not connected, the trunk device (po1, po2, …) is hidden.
27/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved VLAN – GSIM (3) Port Setup –Set Port ID –Ingress-Filter For Security The type of packets coming from the port can be limited via the Frame-Type. –Frame Type Configure Ingress Packet (All-Packet/Tagged-Packet)
28/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved VLAN – GSIM (4) VLAN Classification –MAC-based VLAN Configuration in accordance with the source MAC address of the Untagged packet arriving to the port –IP-based VLAN Configure VLAN depending on the IP subnet of the Untagged packet coming in the port –Protocol-based VLAN Configure VLAN depending on the protocol type of the Untagged packet coming in the corresponding port selected If the port is set as the trunk group, the same setting is to be made in all number ports of the trunk group
29/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved VLAN Cli command If you can’t connect to a GPLIM/GSIM board because of VLAN configuration, you have to configure using cli command. 1. Enter “show vlan all bridge 1” command Display current configurations of VLAN.
30/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved VLAN Cli command 2. Enter “configure terminal” command 3. Enter “vlan database” command to configure vlan database 4. Enter “no vlan 2 bridge 1” command to clear information about VLAN 2 5. Return ‘enable mode’ 6. Enter “show vlan all bridge 1” command to display current configurations of VLAN
31/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved L2 QoS -Port based L2 QoS p Tag based L2 QoS
32/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved p tag based L2 QoS Assumption for configuration Example –Set L2 QoS for MP, MGI, and IP Phone (ITP). –MP and MGI are not provided with 802.1p and connected to P1, P7, respectively. –If the IP Phone is connected to P3, P4, P5, and P6, the 802.1p Tag priority function is provided. –The IP Phone connected to P3, P4 is provided with 802.1p, and a tag value is set to 7. The IP Phone connected to P5, P6 is also provided with 802.1p, and a tag value is set to 1.
33/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved p tag based L2 QoS MP MGI IP Phone with 7 value of 802.1p tag field IP Phone with 1 value of 802.1p tag field Cannot support the 802.1p function GPLIM
34/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved p tag based L2 QoS Process 3 packets with a high priority and then one packet with a low priority If QoS Mode is set to ‘All High before Low’, set the maximum time when a packet with a low priority is not processed If the set time is reached, packets are first processed Set this value to high priority 1. From the [Port]->[QoS] menu, select the QoS mode as ‘Weight Round Robin’ or ‘All High before Low’. 2. Since the Tag information with a high priority is 1 and 7, tick off Level1 and 7. GPLIM
35/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved p tag based L2 QoS Always, set a high priority for MP and MGI for which 802.1p is not provided 3. From the [Port]->[Config] menu, set the priority of a port to which MP and MGI are connected as High. If set as High, set to ensure that a port with a high priority can be operated even if there is no value in the Tag field. GPLIM
36/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved Port based L2 QoS Assumption for configuration Example –Set L2 QoS for MP, MGI and IP Phone (ITP). –MP and MGI are not provided with 802.1p, and connected to P1, P7, respectively. –The IP Phone (ITP) is connected to P3, P4, P5, and P p is not supported
37/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved Port based L2 QoS ITP(IP Phone) Without the 802.1p Function MP MGI GPLIM
38/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved Port based L2 QoS 1. To use the Priority function in the [Port]->[QoS] menu, the QoS mode should be set to ‘Weighted Round Robin’ or ‘All High before Low’. Thus, set the QoS mode as shown in the figure below: GPLIM
39/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved Port based L2 QoS 2. In the [Port]->[Config] menu, set the priority of the port to which MP, MGI and IP Phone are connected as High. GPLIM
40/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved Security
41/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved MAC Authentication Assumption for Configuration Example 1.Four PCs has the following MAC addresses: PC#1 : F PC#2 : F0-AB-CD-EF PC#3 : F A PC#4 : F PC#1 is used to connect to P7 only. PC#2 is used to connect to P5 only. PC#3 is used to connect to P12 only. PC#4 is not available.
42/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved MAC Authentication MP MGI GPLIM PC#2 × ○ × ○ PC#1 is used to connect to P7 only PC#4 is not authorized PC#2 and PC#3 are authorized. PC#4 PC#3 PC#1
43/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved MAC Authentication 1. In the [Port]->[Config] menu, tick off the “Security” of a port whose security is requested. Disable MAC learning GPLIM
44/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved MAC Authentication 2. In the [Port]->[MAC]->[Static Address] menu, enter a MAC address of PC and information on the port. MAC address of PC#1, #2, and #3 port 4 port 3 port 6 GPLIM
45/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved Mirroring
46/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved Port Mirroring Assumption for Configuration Example 1.Capture the IP packet information in the Management PC connected to P10. 2.Capture all Tx/Rx data generated from MP. 3.An address of the MP network is /24. 4.Check and store the capture information using the Ethereal program in PC. (Refer to )
47/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved Port Mirroring MP MGI GPLIM MP IP : /24 MGI IP : /24 Management PC MP MGI Data Traffic Data Traffic Mirrored From P1 to P10
48/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved Port Mirroring 1. From the [Port]->[MISC] menu, select information on Mode, Monitoring Port, Monitored Port. > Monitoring Port: A port to which a PC terminal for viewing data to be captured is connected. > Monitored Port: A port to which a terminal sends/ receives data to be captured is connected. Port to which MP is connected Information on a port to which PC is connected Ingress: Select packet information only received from the Monitored Port to the selected port Egress: Select packet information only transmitted from the Monitored Port to the selected port Both: Select packet information only transmitted/received from the Monitored Port to the selected port
49/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved Port Mirroring GSIM Select [Port] [Mirror Config] menu to perform the port mirroring. To apply the configurations specified to the system, Port to which MP is connected Information on a port to which PC is connected
50/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved Port Mirroring 2. Start the Ethereal program in the PC connected to the Monitoring Port. 3. Enter ‘ip host ’ in the Filter field. Then, MP IP is If you enter as shown below and press OK, only packets with an MP IP are captured, among data monitored from the port to which MP is connected.
51/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved Authentication
52/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved Authentication (802.1x) Select [Authentication] [Management] to activate/deactivate the authentication of system. When executing [Run] of Action if Activity is set to Stop, items of [Authentication] [Configuration] can be set. The host IP address, host, and key should be registered of the Radius server to be used. The default of the Radius Host Port is 1812 port. Click the [OK] button after the setting. Then, the setting is applied.
53/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved Authentication (802.1x) Re-authentication setting and the cycle setting are applied only when setting is changed because there is default value Control None : Authentication is not performed for the port Force-Authorized : Admits the port forcibly Force-Unauthorized : Block the port forcibly. Auto : Allows the port through authentication from the Radius server and blocks the port
54/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved Why IVL? (1) SVL would not work! (A learned from both port 1 and 4) no STP in the example
55/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved Why IVL? (2) SVL would not work! (A learned from both port 1 and 3) STP enabled, VLAN-aware connector
56/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved Why SVL?
57/57 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved Thank you !