Chapter 1 Network design concepts
Layer 2 network design concepts
1.1.1 VLAN
In a layer 2 network, the destination is determined by MAC address. A layer 2 network can be divided into logical networks called VLANs. A VLAN can make one logical network out of multiple physical networks, or multiple logical networks out of one physical network.
1.1.2 Link aggregation
Link aggregation is a technology that bundles several physical circuits and treats them as one logical circuit. When the bandwidth of one physical circuit is insufficient, a wider bandwidth is secured by bundling multiple circuits. Moreover, when one of the physical circuits in the link aggregation cannot communicate because of a failure or similar cause, communication continues over the other physical circuits, so the function also provides a redundant configuration.
Chapter 2 Outline of functions
Auto negotiation function
The auto negotiation function is a protocol between two devices defined by IEEE802.3u. It sets the transmission speed and the communication mode (full duplex/half duplex) automatically according to a priority order.
Flow control function
This device supports flow control using Pause frames based on IEEE802.3x. The operation of each port according to the flow control setting is shown below.
Points to be noted: When flow control is applied, the connected device might not be able to transmit frames to the corresponding port of this device.
Forwarding mode change function
On this device, cut-through mode or store-and-forward mode can be selected as the switching method.
Cut-through mode: as soon as the top portion of the packet has been input to this device, the packet is forwarded from the destination port.
MAC address learning / MAC forwarding function
This device supports the following MAC address learning functions.
MAC address learning basic function: dynamically learns the source MAC address of each received packet and registers it in the FDB (Forwarding Database).
VLAN function
The VLAN function divides a physical LAN into multiple virtual LANs, grouping by port, MAC address, protocol, etc.
[Figure: switching HUB supporting VLAN, with virtual interfaces VLAN1, VLAN2 and VLAN3 inside the device]
VLAN defines a communication method that uses a VLAN group identification method called tagging.
VLAN type
In the VLAN function supported by this device, VLANs can be divided in the following 2 units.
• Port VLAN: groups in port units. Addresses for all network protocols can be given.
• Protocol VLAN: groups ports on the basis of specific protocols.
Mixed VLAN on the same port
The combinations of VLAN types that can be used on the same port are shown below. ○: can be mixed, ×: cannot be mixed
[Table: VLAN type / Port VLAN (untagged) / Protocol VLAN (untagged) / Tag VLAN (tagged); only the fragment "○ ○ Port VLAN(untagged) × ○ ○ ○" was recovered] ...
VLAN trunk function
The VLAN trunk function is used for communication between VLANs, assigning and deleting the VLAN tag so that switching is possible. To route traffic from a port that belongs to multiple VLANs, the traffic is relayed to another layer 3 switch.
Link aggregation function
The link aggregation function multiplexes multiple ports and handles them as one high-speed link (Trunk Group). Using this function improves link redundancy: when one of the multiplexed links (member ports) fails, its traffic is distributed to the other ports. Link aggregation is also called multi-link Ethernet or port trunking.
2.6.1 LACP Function
The LACP function is link aggregation using IEEE802.3-compliant LACP. The largest feasible link aggregation is maintained continuously between systems that run LACP. Using LACP improves the confirmation of link aggregation consistency, the confirmation of link consistency, and the accuracy of fault detection.
Back-up port function
The back-up port function groups two ports, manages one as the master port (priority port) and the other as the back-up port (standby port), and decides which of the two is activated. If an error occurs on the active port during operation, the other port immediately switches over to become the active port, so the effect of the network error can be kept small.
STP Function
The STP function connects different LANs and broadcasts MAC frames. This device supports the following functions.
2.8.1 STP
This is IEEE 802.1D Spanning Tree Protocol (STP). The spanning tree prevents loops when multiple paths are connected.
Procedures to decide root port / representative port / blocking port
The procedure for deciding the various ports is as follows.
[Flowchart: START → decision of root bridge → ...]
A bridge priority is assigned to each bridge; the bridge with the smallest bridge priority becomes the root bridge. The path cost is determined for each port (it can be set per port; usually AUTO is selected) (※1)...
Network settings using the spanning tree function
Parameters in spanning tree: In spanning tree, several parameters are set on each bridge in order to realize the designed tree structure and tree performance; the tree structure and tree performance are determined by these parameters.
<Parameters that determine the tree structure>...
2.8.2 RSTP
A problem of STP is that communication may be disconnected for up to 50 seconds. RSTP (Rapid Spanning Tree Protocol) was developed to overcome this problem. With RSTP the spanning tree is recalculated within 1 second, so change-over at the level of an instantaneous interruption becomes possible. RSTP is standardized as IEEE802.1w and is compatible with conventional STP (IEEE802.1d); therefore a mixed environment with STP operates without trouble.
2.8.3 MSTP
Depending on the VLAN configuration, there may be no loop even though the physical network looks as if it contains one. In that case STP still treats the network as looped, but MSTP does not, because it can handle the network per VLAN. Therefore MSTP can forward network data more efficiently than STP.
LLDP function
LLDP (Link Layer Discovery Protocol) is a neighbour discovery protocol: by advertising the device's own information it lets adjacent devices be identified and the connection state be confirmed. LLDP information is delivered only to devices connected to the same physical LAN; it does not cross a router.
2.10 MAC filtering function
The MAC filtering function improves network security and reduces network load by controlling the packets that pass through this device according to combinations of MAC address, packet format, VLAN ID, CoS value, IP address, port number, etc.
... "lan ip filter", "qos aclmap", "vlan qos aclmap", "lan ip dscp", "ip6filter", "vlan ip6filter", "lan ip6 filter", "ip6qos aclmap", "vlan ip6qos aclmap", "lan ip6 dscp" commands.
- Between ether ports, the smaller the ether port number, the higher the priority.
- Between VLANs, the smaller the VLAN ID, the higher the priority.
... aclmap”, “lan ip dscp”, “ip6qos aclmap”, “vlan ip6qos aclmap”, “lan ip6 dscp” commands.
- Within an ether port, the smaller the ether port number, the higher the priority.
- Between VLANs, the smaller the VLAN ID, the higher the priority.
One action is consumed when the following commands are set, and only one action is consumed irrespective of the number of command specifications.
2.11 QoS function
The QoS function secures communication quality by priority control and by rewriting priority-control information. The priority control of this device has a function that does not use ACL and a function that uses ACL.
Relation between user priority value and priority
The recommended settings of user priority value and queue at initial setting, and the priority control of this device, are shown below.
[Table: User priority value / Initial setting of queue (recommended) / Traffic type; the rows were not recovered]
Process method for priority control
Strict, WRR or WDRR is set as the priority control process.
• Strict: frames of the queue with the highest priority are processed first.
• WRR: a fixed value (output ratio) is set for each queue and relative priority control is executed. For example, when 10 is set for queue 3 and 1 is set for queue 0, queue 3 and queue 0 are processed at a rate of 10:1.
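A small scheduler simulation of the two methods just described, added here as an example (not code from the manual; queue numbers, weights and the constructed backlogs are illustrative): under WRR with weight 10 on queue 3 and weight 1 on queue 0, the transmitted frames come out in the 10:1 ratio the text gives, while under Strict the lower queue is served only once every higher queue is empty, which is the starvation behaviour to keep in mind when choosing the method.

```python
from collections import deque


def make_queues(backlog):
    """Build output queues with a constructed backlog: {queue number: frame count}."""
    return {q: deque(f"q{q}-{i}" for i in range(n)) for q, n in backlog.items()}


def strict_schedule(queues, n_frames):
    """Strict: always serve the highest-numbered non-empty queue first."""
    out = []
    while len(out) < n_frames:
        for q in sorted(queues, reverse=True):
            if queues[q]:
                out.append(queues[q].popleft())
                break
        else:
            break  # every queue is empty
    return out


def wrr_schedule(queues, weights, n_rounds):
    """WRR: in each round every queue may send up to its weight (output ratio) in frames."""
    out = []
    for _ in range(n_rounds):
        for q in sorted(queues, reverse=True):
            for _ in range(weights.get(q, 1)):
                if not queues[q]:
                    break
                out.append(queues[q].popleft())
    return out


def served_counts(transmitted):
    """Count transmitted frames per queue from the constructed frame labels."""
    counts = {}
    for frame in transmitted:
        q = int(frame.split("-")[0][1:])
        counts[q] = counts.get(q, 0) + 1
    return counts


if __name__ == "__main__":
    print("WRR 10:1 ->", served_counts(wrr_schedule(make_queues({3: 100, 0: 100}), {3: 10, 0: 1}, 5)))
    print("Strict   ->", served_counts(strict_schedule(make_queues({3: 100, 0: 100}), 50)))
```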
2.11.2 Priority control function in which ACL is used
This device can control priority by using ACL. When ACL is used, the allocation to the output port queue is decided from combinations of the MAC address, packet format, VLAN ID, CoS value, IP address, port number, etc. of the packet passing through this device, and priority control information such as DSCP can be rewritten.
... aclmap”, “lan ip6 dscp” commands consume are as follows, depending on the applied ACL. When multiple ACLs are applied, the total is the sum of each, and the total for each combination is as follows.
[Table: Number of masks consumed / Condition of applied ACL / In case of acl mac definition / In case of acl vlan definition; the rows were not recovered]...
One action is consumed when the following commands are set, and only one action is consumed irrespective of the number of command specifications.
- vlan <vid> protocol ipv4
- vlan <vid> protocol ipv6
When the following commands are set, one action is consumed. When <tos_value>, <dscp_value>...
2.12 IGMP snoop function
The IGMP snoop function inspects the IGMP packets sent by a source and forwards multicast packets only to the ports where a receiver exists.
▪ Source: a terminal or multicast router connected to this device
▪ Port where a receiver exists: a port where a listener of the multicast group address exists, or a port to which a multicast router is connected
With this function, terminals do not receive unexpected multicast packets, so the load on the terminals can be reduced.
Points to be noted
Communication may not be possible when multicast communication is performed without using IGMP. Set the port connected to the device on which IGMP snoop is enabled as a multicast router port in the configuration definition. When 2 or more multicast routers are connected, set the multicast router port in the configuration ...
2.13 MLD Snoop Function
The MLD snoop function inspects the MLD packets sent by a source and forwards IPv6 multicast packets only to the ports where a receiver exists.
▪ Source: a terminal or multicast router connected to this device
▪ Port where a receiver exists: a port where a listener of the multicast group address exists, or a port to which a multicast router is connected
With this function, terminals do not receive unexpected IPv6 multicast packets, so the load on the terminals can be reduced.
Points to be noted
When IPv6 multicast communication is performed without using MLD, communication may not be possible.
• The port connected to the device on which MLD snoop is enabled is set as a multicast router port in the configuration definition.
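The forwarding decision behind both the IGMP snoop (2.12) and MLD snoop (2.13) sections, as an added example that is not the manual's code: a snooping table records which ports reported membership in which group, router ports are learned from queries or set by configuration (the "Points to be noted" case), and a multicast packet is sent only to listener ports plus router ports. Group addresses and port numbers below are constructed; the same logic applies to IGMP (IPv4) and MLD (IPv6) groups.

```python
class MulticastSnooper:
    """Snooping table shared by the IGMP and MLD snoop functions (constructed example)."""

    def __init__(self, router_ports=()):
        self.groups = {}                      # group address -> set of listener ports
        self.router_ports = set(router_ports)  # multicast router ports set by configuration

    def on_report(self, group, port):
        """Membership report (IGMP) or listener report (MLD) seen on a port."""
        self.groups.setdefault(group, set()).add(port)

    def on_leave(self, group, port):
        """Leave (IGMP) or done (MLD) message: drop the port from the group."""
        ports = self.groups.get(group)
        if ports:
            ports.discard(port)
            if not ports:
                del self.groups[group]

    def on_query(self, port):
        """A general query arrives from a multicast router, so learn its port."""
        self.router_ports.add(port)

    def egress_ports(self, group, ingress_port):
        """Ports a multicast data packet for `group` is forwarded to.

        Listener ports plus router ports, never the port it came in on. An
        unknown group therefore only reaches the router ports, so terminals
        do not receive multicast traffic they never asked for.
        """
        ports = self.groups.get(group, set()) | self.router_ports
        return sorted(ports - {ingress_port})


if __name__ == "__main__":
    snoop = MulticastSnooper(router_ports={1})   # port 1 configured as router port
    snoop.on_report("239.1.1.1", 5)
    snoop.on_report("239.1.1.1", 6)
    snoop.on_report("ff15::1234", 7)             # an MLD listener on the IPv6 side
    print(snoop.egress_ports("239.1.1.1", 1))    # [5, 6]
    print(snoop.egress_ports("239.9.9.9", 1))    # [] : no listeners, router is the source
    print(snoop.egress_ports("ff15::1234", 1))   # [7]
```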
2.14 EHM Function
In End-Host-Mode (EHM), frame loops are prevented without using a protocol such as STP, by not transmitting frames among the uplink ports. Common switch mode and End-Host-Mode are switched by restarting after specifying the mode with the boot-system mode command.
When no VLAN ID is notified by the RADIUS server, the VID set by the “ether dot1x vid” command is assigned. The RADIUS server whose operation has been verified with this device is the Fujitsu “Safeauthor V3.5”. This device can authenticate multiple terminals on one physical port: a switching HUB or similar is connected to the physical port of this device, multiple terminals are connected to it, and each terminal is authenticated individually.
The authentication methods and the characteristics of each EAP method are shown below.
[Table: Authentication method / Characteristics]
• EAP-MD5: an authentication standard based on ID and password. Users can change their own password etc., which reduces the load on the administrator.
• ... : authentication can be done according to the information (Subject) given in the certificate. ...
EAP-MD5 Authentication
EAP-MD5 authentication is a method that authenticates with a password shared between the user terminal and the RADIUS server. A challenge and a response are exchanged, the response being computed with the MD5 hash function, and the user is authenticated by the RADIUS server. For local authentication, the "AAA function" takes the place of the "RADIUS server"...
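The challenge/response computation described above, as an added example that is not the manual's code: the response value is MD5(Identifier || password || Challenge) as defined in RFC 3748 section 5.4, the server side issues a fresh random challenge per attempt and compares the returned value in constant time. The password, identifier and fixed challenge used below are constructed test values.

```python
import hashlib
import hmac
import os


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response value: MD5(Identifier || password || Challenge), RFC 3748 5.4."""
    if not 0 <= identifier <= 255:
        raise ValueError("the EAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def new_challenge(length: int = 16) -> bytes:
    """Authentication server side: an unpredictable challenge, new for every attempt,
    so that a captured response cannot be replayed against a later challenge."""
    return os.urandom(length)


def server_verify(identifier: int, password: bytes, challenge: bytes, response: bytes) -> bool:
    """Server recomputes the expected response and compares it in constant time."""
    expected = eap_md5_response(identifier, password, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(password_on_terminal: bytes, password_on_server: bytes,
                 identifier: int = 1, challenge: bytes = None) -> bool:
    """Whole exchange: server issues the challenge, the terminal answers, the server checks.

    `challenge` may be fixed for a reproducible demonstration; in operation it is
    always generated with new_challenge().
    """
    if challenge is None:
        challenge = new_challenge()
    response = eap_md5_response(identifier, password_on_terminal, challenge)
    return server_verify(identifier, password_on_server, challenge, response)


if __name__ == "__main__":
    print("matching password:", run_exchange(b"s3cret", b"s3cret"))   # True
    print("wrong password:   ", run_exchange(b"s3cret", b"guess"))    # False
```

Because the response is a plain hash over the shared password, the exchange only proves knowledge of the password to whoever saw the challenge; this is why the manual's other methods (EAP-TLS, PEAP) wrap the exchange in a certificate-authenticated TLS tunnel.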
EAP-TLS Authentication
EAP-TLS is an authentication method in which a certificate is assigned to both the user terminal and the RADIUS server. The sequence of EAP-TLS authentication in the IEEE802.1X function is shown below. ...
PEAP Authentication (EAP-TTLS authentication is similar)
PEAP is an authentication method in which a certificate is assigned only to the RADIUS server. The sequence of PEAP authentication in the IEEE802.1X function is shown below. ...
2.16 Guest VLAN function
The Guest VLAN function permits connection to a specific VLAN (Guest VLAN) when a terminal that is not permitted by authentication is detected. With this function, such a terminal is not simply refused connection but is moved to another VLAN, so its use of the network can be controlled.
2.17 Broadcast / Multicast storm control function
The broadcast / multicast storm control function limits broadcast / multicast packets so that they do not obstruct the communication of other packets when a large amount of them flows into the network because of an error.
2.18 Port mirroring function
Port mirroring is a function that monitors the received traffic or the transmitted traffic of a specified source port from a specified target port. A target port for reception mirroring, which monitors the received traffic of the source port, and a target port for transmission mirroring, which monitors the transmitted traffic of the source port, can be specified.
▪ The packets output to the target port are as follows.
- When transmitted packets are mirrored, the output is as shown in the table below.
[Table: Tag setting of the source port / Contents of the mirrored packet; first row: "set with tag" → "tagged"]
2.19 Ether L3 Monitoring Function
Ether L3 monitoring confirms the existence of specified nodes (devices) by sending and receiving ICMP ECHO packets to them. When the monitored device is reached through one or more other devices, a failure on that route can be detected and the monitoring port can be blocked.
2.20 Output rate control function
Output rate control stops a large quantity of traffic from flowing into the succeeding network by limiting the amount of traffic on the output port.
[Figure: bandwidth limitation of traffic between networks]
Set the output control value per port of this device to limit the bandwidth.
2.21 Port block function
The port block function keeps a physical port in the link-down state (port block) until the operator issues the online command. Depending on the cause of an error, link-up / link-down of a physical port may occur repeatedly. If a redundant path exists, keeping the port in link-down purposely (port block function) at that time makes it possible to secure stable communication. Transition to the port block state is controlled as follows.
2.22 IP route control function
IP route information is managed in the routing table and used to decide the forwarding destination of IP packets. IP route information is controlled by the following functions.
▪ Function that controls routes by fault detection on an interface ▪ ...
2.22.2 Management of IP Route Information
IP route information is managed in the route table of the routing protocol and in the routing table. The 2 tables are explained below.
Routing table: The routing table is built from the priority routes (best paths) selected from the IP route information. Moreover, of the IP route information managed by the routing table, the information from which interface routes are excluded...
2.23 IPv6 Function
IPv6 is the next-generation Internet protocol intended to replace the IP (IPv4) that is used primarily at present. This device can operate as a host for IPv6 packets. The IPv6 host functions supported by this device are as follows. ...
IPv6 address system
Just as an IPv4 address is separated into a network part and a host part, an IPv6 address is separated into a prefix and an interface ID. Generally a prefix length of 64 bits is used. When an address is written together with its prefix length, “/” is placed after the address and the prefix length is specified.
Auto settings of address by Router Advertisement message reception
This device supports reception of Router Advertisement messages. The prefix information used on the network is included in the Router Advertisement message. When prefix information is received, a prefix list that manages the valid period is generated and an IPv6 address consisting of the prefix and the interface ID is set automatically.
Auto selection of source address
In IPv6 it is common for multiple IPv6 addresses to be allocated to an interface. When communication is started from this device and the application does not specify an explicit source address, the address is selected from the multiple IPv6 addresses according to a fixed rule.
2.24 IP Filtering function
The security of the network around this device can be improved by using the IP filtering function together with passwords and similar settings. The IP filtering function improves network security by controlling the packets transmitted and received via this device according to IP address, port number, etc.
2.25 DSCP Value Rewrite Function
DSCP value rewrite is a function that rewrites the DSCP value of specified IP packets. Delay within an IP-VPN network can be reduced if the DSCP value of data requested by voice and its response over the IP-VPN network is changed before the data is sent.
... after rewrite. The output queue for the DSCP value after rewrite is the queue whose user priority is the upper 3 bits of that DSCP. The priority control to be applied to the traffic whose DSCP is rewritten can be set by specifying the priority control algorithm and the priority for the output queue.
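The rewrite on the wire, as an added example that is not the manual's code: a minimal IPv4 header is built, its DSCP (the upper 6 bits of the TOS byte, leaving the 2 ECN bits untouched) is replaced, the header checksum is recomputed, and the output queue is derived from the upper 3 bits of the new DSCP as the text states. The addresses and the choice of DSCP 46 for voice are constructed values, and the single-queue-per-3-bits mapping is taken directly from the sentence above.

```python
import struct


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement sum over 16-bit words of the header."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, dscp: int, ecn: int = 0, total_length: int = 20, proto: int = 17) -> bytes:
    """20-byte IPv4 header (no options) with a valid checksum; constructed for the example."""
    tos = (dscp << 2) | (ecn & 0x03)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_length, 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def get_dscp(hdr: bytes) -> int:
    return hdr[1] >> 2


def rewrite_dscp(hdr: bytes, new_dscp: int) -> bytes:
    """Replace the 6 DSCP bits, keep the 2 ECN bits, and recompute the header checksum."""
    if not 0 <= new_dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    tos = (new_dscp << 2) | (hdr[1] & 0x03)
    zeroed = hdr[:1] + bytes([tos]) + hdr[2:10] + b"\x00\x00" + hdr[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]


def header_valid(hdr: bytes) -> bool:
    """A header whose checksum field is correct sums to zero."""
    return ipv4_checksum(hdr) == 0


def output_queue(dscp: int) -> int:
    """The manual: the upper 3 bits of the DSCP are treated as the user priority (queue)."""
    return dscp >> 3


if __name__ == "__main__":
    original = build_ipv4_header("192.0.2.10", "198.51.100.20", dscp=0, ecn=1)
    rewritten = rewrite_dscp(original, 46)      # e.g. mark voice as EF (46)
    print(get_dscp(rewritten), header_valid(rewritten), output_queue(46))  # 46 True 5
```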
2.26 RADIUS function
The RADIUS function manages AAA (Authentication, Authorization, Accounting) information using an external server (RADIUS server). When the same AAA information is needed on multiple devices, or when a large amount of user information is to be managed, the authentication information, user configuration information and connection time of each user can be managed centrally.
Points to be noted
▪ Because of a restriction of the RADIUS protocol, the number of authentications and accountings that can be carried out at the same time is 256. When 257 or more authentications and accountings are carried out at the same time, both fail.
The network is managed by the SNMP function using these two functions, by transmitting and receiving the parameters defined in the MIB between the SNMP manager and the SNMP agent. This device supports SNMPv1, SNMPv2c and SNMPv3, and supports both the standard MIB and the Fujitsu extended MIB.
2.27.1 RMON Function
RMON (Remote Network Monitoring) is a standard specification for network monitoring. It monitors the communication state of the LAN, such as traffic and errors, from a remote location. The RMON function is an extension of the SNMP function and stores LAN statistics on the SNMP agent side.
2.28 SSH server function
The SSH server function provides a remote login function (ssh server) similar to the TELNET server function and a remote file transfer function (sftp server) similar to the FTP server function. With the TELNET server function and the FTP server function, the content of the communication is sent as plain text and may be intercepted.
The differences between an sftp connection and an ftp connection are as follows.
Items | sftp connection | ftp connection
User ID specification | Specified before connection (specified on the sftp client when starting the connection) | Specified after connection (specified on the client before the connection)
Binary mode specification | Binary mode specification ...
2.28.1 SSH client software
With the SSH server function of this device, use SSH client software (ssh client software and sftp client software) that supports SSH protocol version 2, because the device supports SSH protocol version 2 only.
2.29 Application Filter Function
The application filter function controls access to each server function operated on this device. Accordingly, the terminals that can perform maintenance of this device or use its server functions are restricted, and security is increased.
2.30 TACACS+ Function
The TACACS+ function manages AAA (Authentication, Authorization, Accounting) information using an external server (TACACS+ server). When the same AAA information is required on multiple devices, or when a large amount of user information is managed, the Authentication, Authorization and Accounting information can be consolidated and managed centrally.
2.31 LDAP Function
The LDAP function manages AAA (Authentication, Authorization, Accounting) information using an external server (LDAP server). When the same AAA information is required on many devices, or when a large amount of user information is to be managed, the authentication information is consolidated and managed centrally. Of the LDAP client function, this device supports the user authentication function.
2.32 IEEE802.1Q Tunneling Function
The IEEE802.1Q tunneling function is designed for service providers. With IEEE802.1Q tunneling, a customer's VLAN traffic can be carried across the service provider network without affecting other VLAN traffic. In the following figure, packets sent from the customer's 802.1Q tag port to the service provider's tunnel port carry an 802.1Q tag.
When used together with the protocol VLAN function, a frame recognized as protocol VLAN that is received on an IEEE802.1Q tunnel port has the protocol VLAN applied, and the IEEE802.1Q tunneling function is disabled for that frame.
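The tagging described in the VLAN function section and the tunnel behaviour described here, shown on the wire as an added example (not the manual's code): a customer frame carrying its own 802.1Q tag enters the provider's tunnel port, an outer tag is pushed in front of it, and the outer tag is popped again on the way out so the customer tag arrives untouched. The frames, VLAN IDs and MAC addresses are constructed, and the use of the IEEE 802.1ad TPID 0x88A8 for the outer tag is an assumption; the manual does not say which TPID the tunnel port uses.

```python
import struct

TPID_CTAG = 0x8100   # IEEE 802.1Q customer tag
TPID_STAG = 0x88A8   # IEEE 802.1ad service tag; assumed here for the provider's outer tag
TAG_TPIDS = {TPID_CTAG, TPID_STAG}


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, tags=()) -> bytes:
    """Ethernet frame with zero or more VLAN tags given as (tpid, pcp, vid), outermost first."""
    frame = mac(dst) + mac(src)
    for tpid, pcp, vid in tags:
        frame += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes):
    """Return (tags, ethertype, payload); tags is a list of (tpid, pcp, vid), outermost first."""
    offset, tags = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in TAG_TPIDS:
            return tags, etype, frame[offset + 2:]
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((etype, tci >> 13, tci & 0x0FFF))
        offset += 4


def push_tag(frame: bytes, vid: int, pcp: int = 0, tpid: int = TPID_STAG) -> bytes:
    """Tunnel port ingress: add an outer (provider) tag; the customer tag stays inside."""
    return frame[:12] + struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF)) + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    """Tunnel port egress: remove the outermost tag if there is one."""
    (etype,) = struct.unpack_from("!H", frame, 12)
    return frame[:12] + frame[16:] if etype in TAG_TPIDS else frame


if __name__ == "__main__":
    # Constructed customer frame: tagged with customer VLAN 100, carrying an IPv4 payload.
    customer = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0800,
                           b"\x45" + bytes(19), tags=[(TPID_CTAG, 0, 100)])
    in_provider = push_tag(customer, vid=2000, pcp=3)  # provider assigns S-VLAN 2000
    print(parse_frame(in_provider)[0])   # [(0x88A8, 3, 2000), (0x8100, 0, 100)]
    print(pop_tag(in_provider) == customer)  # True: the customer tag is untouched
```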
2.33 CEE Function
[Figure: Fibre Channel, FCoE-enabled switch, DCBX / FCoE between the switch and a server with a CNA expansion board]
The CEE (Converged Enhanced Ethernet) function adds to Ethernet the extensions required to integrate different kinds of conventional communication, such as LAN, IPC and SAN, into one network.
... IEEE802.1Q tunneling function. When the CEE function is enabled on a port, the same port cannot be used for it. When the CEE function is enabled on a port, the queue specification and queue change settings by ACL for that ETHER port become disabled. When the CEE function is enabled on a port, the priority control function using WRR and WDRR, the settings of queue ...
2.34 Edge virtual switch function
The edge virtual switch (Edge Virtual Bridging) function is needed on the adjacent switch connected to a server in a server virtualization environment. In such an environment a virtual switch runs on the server virtualization software and switches the communication between virtual machines; therefore the adjacent switch needs processing that matches the form of that virtual switch.