Page 16-1
16 Managing Groups and Ports
In a traditional hub-based network, a broadcast domain is confined to a single network interface,
such as Ethernet or Token Ring, or even a specific physical location, such as a department
or building floor. In a switch-based network, such as one comprised on OmniAccess
512es, a broadcast domain—or
Group
— can span multiple physical switches and can include
ports using multiple network interfaces. For example, a single OmniAccess 512 Group could
span three different switches located in different buildings and include Ethernet, Token Ring,
ATM
and
WAN
physical ports.
An unconfigured OmniAccess 512 contains one Group, or broadcast domain. It also contains
one default Virtual Network, or
VLAN
, referred to as "default
VLAN
#1". The default Group,
Group #1, and its default VLAN contain all physical ports in the switch. When a switching
module is added to the switch all of these additional physical ports are also assigned to
Group #1,
VLAN
#1.
You can create Groups in addition to this default Group. When you add a new Group, you
give it a name and number, optionally configure a virtual router port for its default
VLAN
, and
then add switch ports to it. The switch ports you add to a new Group are moved from the
default Group #1 to this new Group. (For more information on how ports are assigned to
Groups, see
How Ports Are Assigned to Groups
on page 16-2.)
Up to 500 Groups can be configured on each OmniAccess 512. An entire OmniAccess 512
network can contain up to 65,535 Groups. Each Group is treated as a separate entity.
There are three main types of Groups:
1.
Mobile Groups. These groups allow ports to be dynamically assigned to the Group based
on AutoTracker polices. In contrast to non-mobile Groups, AutoTracker rules are assigned
directly to a mobile Group. No AutoTracker VLANs are contained within a mobile Group.
(However, mobile groups do contain a default VLAN 1 to which AutoTracker policies are
assigned; policies assigned to this default VLAN apply to the entire mobile group.) Any
AutoTracker policy may be used as criteria for membership in a mobile Group. Mobile
groups are described in more detail in
Mobile Groups
on page 16-5.
2.
Mobile Groups based on authentication. Authenticated Groups are a special form of
mobile Group. These Groups include devices that are dynamically assigned based on an
authentication criteria. Typically the user will have to log in with a valid password before
being included in an authenticated mobile Group. Group membership is based on users
proving their identity rather than the physical location of user devices. Authenticated
Groups are described in more detail in the
Switch Network Services User Manual
.
3.
Non-mobile Groups. These Groups are the original Group type used in previous releases.
They contain statically assigned ports and may contain AutoTracker or Multicast VLANs.
These VLANs within a non-mobile Group use AutoTracker policies to filter traffic.
AutoTracker rules are not assigned to non-mobile Groups, they are assigned to the VLANs
within the Group. Non-mobile groups are described in more detail in
Non-Mobile Groups
and AutoTracker VLANs
on page 16-15.
All three types of Groups may co-exist on the same switch. However, a switch port cannot
belong to a non-mobile group and a mobile group.
How Ports Are Assigned to Groups
Page 16-2
How Ports Are Assigned to Groups
There are two methods for assigning physical OmniAccess 512 ports to a Group. One method
is static and requires manual configuration by the network administrator; the other method is
dynamic and requires only the configuration of AutoTracker rules for port assignment to
occur. The two methods are described in this section.
Static Port Assignment
In the static method, the network administrator manually assigns a port to a Group through
the
crgp
and
addvp
commands. The static method can be restrictive because it limits the
mobility of users in a multi-Group network. Users can only move within their assigned
Group. In addition, customized access for individual users is limited by this method. You can
use the static method of port assignment with mobile and non-mobile groups. Static port
assignment can be combined with dynamic port assignment for mobile groups, while static
port assignment is the only method for assigning ports to non-mobile groups.
Dynamic Port Assignment (Group Mobility)
The dynamic method is available with the Group Mobility feature. Initially each port is part of
the default Group #1 (only ports in the default Group and ports in mobile Groups are candidates
for dynamic port assignment). Based on the nature of traffic and configured
AutoTracker policies, ports are dynamically assigned to the appropriate Group.
For example, if a device attached to a port transmits traffic from the 140.0.0.0 subnet,
AutoTracker will check to see if a policy exists for this IP address. If it does, then it will move
the port from the default Group to the first Group using this policy. If this device detaches
from the network the port will be re-assigned to a Group without intervention by the network
administrator.
A port can belong to multiple mobile groups (up to 16) as long as devices attached to that
port match policies of these mobile groups. However, an individual device, or MAC address,
can only belong to one mobile group per protocol.
The dynamic method of port-to-Group assignment still requires the creation of Groups
through the
crgp
command. The criteria for the dynamic assignment of ports to a Group are
determined by AutoTracker policies that you can configure during the
crgp
procedure.
Only Ethernet and Token Ring ports can be dynamically assigned to Groups.
If more than one Group has the same type of rule, then ports matching that policy will be
assigned to the first Group matching the policy. For example, if a device matched policies in
both Groups 2 and 5, the port would be assigned to Group 2. To make the most out of
Group Mobility it is best not to duplicate policies among Groups.
Configuring Dynamic Port Assignment
You can enable dynamic port assignment while creating a group through the
crgp
command.
During the
crgp
procedure, you will be prompted
Enable Group Mobility on the Group ? [y/n] (n):
Answer
Yes
to this question to give this Group the capability of having ports and devices
dynamically added to the Group. Port and devices will be dynamically assigned based on
AutoTracker rules you define.
Service Ports and Group Mobility
Dynamic port assignment (ports carrying Ethernet and Token Ring traffic only) to Groups can
also apply to LANE service ports configured for
ATM
access. These ports may be automatically
added to the mobile group during the
crgp
procedure or through the
cats
command.
How Ports Are Assigned to Groups
Page 16-3
How Dynamic Port Assignment Works
Initially each port is assigned to the default Group. In this example, all three ports have workstations
that belong to three different
IP
subnets (130.0.0.0, 138.0.0.0, and 140.0.0.0). All three
ports start out in the default Group.
Group Mobility examines traffic coming from OmniAccess 512 ports. Three mobile groups are
defined on the switch and each uses a different IP policy. Traffic that matches IP policies for a
Group will trigger the movement of the port to the matching Group.
Initial Configuration: All Ports in Default Group
As soon as the workstations start transmitting traffic, Group Mobility checks the source subnet
of the frames and looks for a match with any configured IP policies. If a match is found—and
in this example all three ports can be matched with a corresponding Group—the port is
moved to the matching Group.
Devices matching a policy trigger the assignment of a port to a mobile group. Therefore, the
device is moved to the mobile group at the same time as the port to which it is attached. If
more than one device comes in on a port, then that port can belong to more than one mobile
group. Similarly, if a device transmits more than one protocol—such as IP and IPX—then the
port to which it is attached can belong to more than one mobile group.
OmniAccess 512
12345678
123456
Port 2
Group 2
Group 1
Group 4
IP Network 130.0.0.0
Default Group
IP Network 140.0.0.0
Port 1
130.0.0.1 138.0.0.5 140.0.0.3
Group 3
IP Network 138.0.0.0
Port 3
How Ports Are Assigned to Groups
Page 16-4
As the illustration below shows, the three ports are each moved from the default Group to a
Group with a policy that matches the subnet address of the workstation attached to the port.
AutoTracker IP address policies have been set up in Groups 2, 3, and 4. The ports are moved
to the Group with policies matching the subnet of the workstation.
Ports Move to Groups With Matching Policies
OmniAccess 512
12345678
123456
Port 2
Group 2
Group 1
Group 4
IP Network 130.0.0.0
Default Group
IP Network 140.0.0.0
138.0.0.1 140.0.0.1
Group 3
IP Network 138.0.0.0
Port 3
130.0.0.1
Port 1
Mobile Groups
Page 16-5
Mobile Groups
Switch ports can be dynamically assigned to mobile groups through AutoTracker policies.
Support for dynamic port assignment is one of the main differences between mobile groups
and non-mobile groups. AutoTracker rules are assigned
directly
to a mobile group. In
contrast, AutoTracker rules are assigned to the VLANs
within
a non-mobile group. No
AutoTracker VLANs are contained within a mobile Group, and each mobile group constitutes
a single spanning tree.
A switch port can belong to multiple mobile groups, whereas a switch port can belong to
only one non-mobile group. However, a port can
not
belong to a mobile and a non-mobile
group at the same time.
Ports can be assigned to mobile groups either statically or dynamically. A port is
statically
assigned to a mobile group when one of the following occurs:
• Port by default assigned to default group 1
• Port assigned to a group through
crgp
or
addvp
commands
Although switch ports can belong to multiple mobile groups, it is not possible to assign a port
to two different groups using the
addvp
command. However, a switch port could be assigned
to one mobile group via the
addvp
command and then gain membership to another mobile
group by matching the policy criteria for that group.
A switch port is
dynamically
assigned to a mobile group after one of its attached devices
matches an AutoTracker policy for that mobile group. An overview of how ports and devices
are dynamically assigned to mobile Groups can be found in
How Ports Are Assigned to Groups
on page 16-2.
Authenticated Groups
Mobile groups provide the added flexibility of user-authentication policies. Using Authentication
Management Console (
AMC
) software, you can configure mobile groups to use log-in
procedures as a means of assigning group membership. Mobile groups that use authentication
are a special group type called an Authenticated Group. Authenticated Groups are
described in more detail in the
Switch Network Services User Manual
.
Configuring Mobile Groups
You configure mobile Groups through the
crgp
command. During the
crgp
procedure you
will receive a prompt asking if you want to create a mobile Group
Enable Group Mobility on this Group ? [y/n] (n):
You must answer
Yes
to this prompt to set up a mobile group. After this question, you will be
asked to configure virtual ports and AutoTracker policies for the Group. Documentation for
the full
crgp
procedure can be found in
Creating a New Group
on page 16-18.
Mobile Groups
Page 16-6
Turning Group Mobility On or Off
The
gmstat
command turns group mobility on or off for a Group that you specify. Essentially,
you can change a non-mobile group into a mobile group and a mobile group back into a
non-mobile group through
gmstat
. The group you specify must previously have been created
through the
crgp
command.
Use the following syntax for the gmstat command:
gmstat <group number>
For example, if you wanted to change the group mobility status of group 2, you would enter:
gmstat 2
Mobile Group to Non-Mobile Group
If this group is already a mobile group, the following would display:
Group Mobility is ON for Group 2
Change Group Mobility Status for Group 2 to OFF ? [y/n] (y):
If you wanted to change this mobile group back to a non-mobile group, you would press
<enter>
and the group would lose its mobile status. All AutoTracker policies you set up for
the Group would no longer be valid.
If you decided not to turn off group mobility, enter
n
and the following prompt displays:
Group Mobility Status unchanged
Non-Mobile Group to Mobile Group
If this group is currently a non-mobile group, the following would display:
Group Mobility is OFF for Group 8
Change Group Mobility Status for Group 8 to ON ? [y/n] (y):
If you wanted to turn on Group Mobility, you would press
<enter>
and would then be asked
if you want to configure AutoTracker policies. If you answer yes, then the AutoTracker policies
menu would display as follows:
Select rule type:
1. Port Rule
2. MAC Address Rule
21) MAC Address Range Rule
3. Protocol Rule
4. Network Address Rule
5. User Defined Rule
6. Binding Rule
7. DHCP PORT Rule
8. DHCP MAC Rule
81) DHCP MAC Range Rule
Enter rule type (1):
You define policies for a mobile Group. Non-mobile groups do not require policies.
However, mobile Groups use policies to define membership. Instructions for specifying
AutoTracker policies may be found in Chapter 17.
_
Note
_
As of the current release, the MAC Address Range Rule
and DHCP MAC Range are not supported for
AutoTracker VLANs
Mobile Groups
Page 16-7
If you decided not to turn group mobility on, you would enter
n
at the group mobility prompt
and the following message would display:
Group Mobility Status unchanged
Understanding Port Membership in Mobile Groups
Switch ports can belong to multiple mobile groups. A port becomes a member of a mobile
group as long as one of its attached devices matches the policy criteria for that group.
However, the movement of ports between groups and the status of port membership in
groups can be affected by more than just whether or not devices match policy criteria.
Group mobility uses three variables that can affect a port's default group and whether or not
a port ages out of a group. These variables are as follows: def_group, move_from_def, and
move_to_def. The def_group and move_to_def variables can be configured through the
gmcfg
command, which is described on page 16-12. The move_from_def variable is enabled by
default, but can be disabled by entering a statement in the
oa512.cmd
file. The effects of these
three variables are described through diagrams on the following pages.
From the perspective of a device or switch port, there are three types of mobile group—
default, primary, and secondary. Keep in mind that definitions of these three types are relative
and can change for each port and device depending on the settings of the group mobility
variables and traffic patterns of devices.
Default Group
The default group is the group a port or device is statically assigned to by "default." Typically,
a port's default group will be Group 1. A port can also be statically assigned to its
default group through the crgp or addvp commands. A port or device does not have to match
a policy to gain membership into its default group.
The default group for a port or device is stored in memory; it can only be manually changed
through the addvp or crgp commands. Depending on the settings of other group mobility variables
a device or port can age out of other mobile groups but still remain a member of its
default group.
Primary Group
The primary group is the group upon which Spanning Tree operations converge. The primary
group is similar to the default group. There are two main differences between a primary and
a default group.
1. A primary group only contains devices that have matched one of its AutoTracker policies.
In contrast, switch ports may end up in a default group without matching any policy.
2. It is possible for the primary group of a port or device to change through learning or
aging. For example, if the move_from_def variable is enabled and a device matches the
policies of a mobile group other than its default group, then this new mobile group
becomes the primary group for the device and the port to which the device is attached
(see diagram on page 16-10). In this case the default group and primary group will be
different.
If the move_from_def is disabled, the port always remains int he default group (which can
now also be the primary group).
In addition a port can age out of its primary group if the move_to_def variable is enabled
(see diagram on page 16-11). A port cannot age out of its default group.
Mobile Groups
Page 16-8
Secondary Group
Switch ports and devices may become members of multiple mobile groups. A switch port
starts in its default group, which initially is also it's primary group. The primary group may
change if the move_from_def variable is enabled. Any subsequent mobile groups to which a
port gains membership beyond the primary group are "secondary" mobile groups. A port can
age out of these secondary groups if the move_to_def variable is enabled (see diagram on
page 16-11).
Mobile Groups
Page 16-9
How a Device Is Dropped from the Default Mobile Group (def_group)
If def_group is enabled....
The device that does not
match any policies becomes a
member of the default group.
Default Group 1
Group 3
Why enable def_group?
• Ensure that all network devices will be a
member of at least one mobile group.
If def_group is disabled....
Default
All traffic from the device that
does not match any policies
is dropped. The device is not
a member of any mobile
group, including the default
mobile group.
Mobile Group 1
Secondary
Mobile Group 3
• Reduces traffic to and from devices that
do not satisfy any network policies.
Device sends traffic that is forwarded to the MPM for processing.
If the traffic matches the policies of an existing
mobile group, then it will become a member of that group.
If the device does not match the policies of any mobile
group, then the def_group variable determines whether
that device becomes a member of the default group.
Default Group 1
Group 3
Why disable move_from_def?
Mobile Groups
Page 16-10
How a Port's Primary Mobile Group Changes (move_from_def)
Default/Primary
Port assigned to default
group 1 or another group
through crgp or addvp.
Mobile Group 1
If move_from_def is enabled....
Device on port matches policy
in another mobile group
(3). Group 3 becomes primary
group.
Default Group 1
Primary Group 3
Helpful Hints:
• Reduces broadcasts to the default group.
• Best used when only one device is
attached to each port.
If move_from_def is disabled....
Default/Pri
Device on port matches policy
in another mobile group
(3). Group 1 remains primary
group. Group 3 is now a
"secondary" group for this
port.
Mobile Group 1
Secondary
Mobile Group 3
Why disable move_from_def?
• When multiple devices are attached to
the switch port, the port must support
multiple traffic in the default group as
well as traffic in the secondary mobile
groups.
Mobile Groups
Page 16-11
How a Port Ages Out of a Mobile Group (move_to_def)
If the port is in "optimized mode," then the MAC does not age out and the port would stay in
the mobile group even if move_to_def is enabled.
Default
Port assigned to default group.
Mobile Group
If move_to_def is enabled....
Why enable move_to_def?
• Security. Mobile groups only contain
devices and ports that have recently
matched policy criteria.
If move_to_def is disabled....
Why disable move_to_def?
• Switch ports retain group membership
even when idle for some time. May be
appropriate for silent devices, such as
printers.
Default
Port becomes a member of
other mobile groups when it
matches their policies. These
groups may be primary or
secondary groups.
Mobile Group
Primary
Group 2
Secondary
Group 3
Default
Port will be removed from
other groups when attached
devices age out of filtering
database.
Mobile Group
Primary
Group 2
Secondary
Group 3
Default
Port remains a member of all
mobile groups with which it
has satisfied a policy criteria
even if its devices age out of
the filtering database.
Mobile Group
Primary
Group 2
Secondary
Group 3
Mobile Groups
Page 16-12
Configuring Switch-Wide Group Mobility Variables
There are several switch-wide group mobility variables that you can configure through the
gmcfg command. These variables control the status of group mobility on all groups in a
switch as well as the use of the default group. These variables are illustrated through
diagrams on pages 16-9 to 16-11.
Follow these steps to use the gmcfg command:
1. Enter gmcfg. You do not need to specify a group number as this command applies to all
mobile groups in this switch.
2. The following prompt displays:
Group Mobility is Enabled. Disable Group Mobility ? [yes/no] (no) :
This prompt controls the status of group mobility in this switch. If you disable group
mobility here then mobile groups will not be supported in this switch even if they are
configured through the crgp command.
Default Group 1. When group mobility is enabled, default group 1 in the switch will be
treated as a mobile group and you will not be able to create AutoTracker VLANs within
this group. When group mobility is disabled, default Group 1 in the switch will be treated
as a non-mobile group in which AutoTracker VLANs could be created.
The default is to turn Group Mobility off. If you want to enable group mobility, then you
need to indicate that choice at this prompt. The prompt will always show the current
status of Group Mobility and then ask if you want to change that status. If you want to
change the current status, then enter a y at this prompt and press <enter>. To keep the
current status, simply press <enter>.
3. The following prompt displays:
move_to_def is set to Disabled. Set to Enable ? [yes/no] (no) :
The move_to_def variable determines what happens to a port once the devices on that
port age out of the filtering database. By default this variable is Disabled, which means
that a port will remain a member of a mobile group as long as its attached device satisfied
the criteria for membership in that mobile group at one point. If devices on a port
stop transmitting, the port will still retain all its mobile group memberships.
If the move_to_def variable is Enabled, then a port will lose its membership in a mobile
group if its devices age out of the filtering database for that mobile group (i.e., they stop
transmitting traffic that satisfies the criteria for membership in the mobile group). Once a
port loses membership in all criteria-based mobile groups, it will return to its default
group. The effect of this variable is illustrated on page 16-11.
By default, the move_to_def variable is Disabled. If you want to enable it (ports lose
mobile group membership when they age out), then you need to indicate that choice at
this prompt. The prompt will always show the current status of move_to_def and then ask
if you want to change that status. If you want to change the current status, then enter a y
at this prompt and press <enter>. To keep the current status, simply press <enter>.
4. The following prompt displays:
def_group is set to Enable. Set to Disable ? [yes/no] (no) :
The def_group variable determines what happens to devices that do not match any
mobile group policies. If def_group is Enabled (the default), then devices that do not
match any mobile group policies will be part of the default group for that port. If the
def_group variable is Disabled, then devices that do not match any mobile group policies
will be dropped from their default group and will not be part of any mobile group.
Mobile Groups
Page 16-13
By default the def_group variable is Enabled. If you want to disable it (devices that do not
meet criteria for mobile group membership will not be part of any mobile group), then
you need to indicate that choice at this prompt. The prompt will always show the current
status of def_group and then ask if you want to change that status. If you want to change
the current status, then enter a y at this prompt and press <enter>. To keep the current
status, simply press <enter>.
The move_from_def Variable
The move_from_def variable controls whether or not a port's primary group can differ
from the port's default mobile group. This variable is enabled by default, but can be
changed to disabled in the oa512.cmd file.
The original default group for a port is group 1 or the group to which the port is assigned
through the crgp or addvp commands. The primary group at this point is the same as the
default group. However, if the move_from_def variable is enabled, the primary group can
change as soon as a device on the port matches the policy criteria for another mobile
group.
For example, Port 5 may start out in Group 1, it's default group. The primary group in this
case will also be Group 1. If the move_from_def variable is enabled and Port 5 matches
AutoTracker polices for mobile group 3, then the new primary group for Port 5 will be
Group 3. All further Spanning Tree operations for the port will converge on group 3
rather than group 1. The effects of the move_from_def variable are further illustrated
though diagrams on page 16-10.
If you disable the move_from_def variable, then the primary group for a port will always
match the default group regardless of the number of other mobile groups to which it
gains membership. To disable the move_from_def variable, enter the following statement
in the oa512.cmd file
move_from_def=0
For this new setting to take place you need to reboot the switch.
Mobile Groups
Page 16-14
Viewing Ports in a Mobile Group
The vpl command lists all the Groups in the switch currently configured as mobile Groups
and the ports currently assigned to those Groups. Since ports are assigned to mobile groups
dynamically, this display is helpful to find out which ports the switch already sees in each
group. Ports will only display in this screen for secondary groups (i.e., not default or primary
groups). Enter vpl and a screen similar to the following displays:
================================================
Group ID Physical Port Virtual Port
================================================
Group ID: 2 4/2 4/3 4/4 4/5 12 13 14 15
Group ID: 3 3/1 5/2 8 20
Group ID: 6 NULL Port List
Group ID: 8 4/1 5/1 11 19
Group ID. The group number assigned to this mobile group during the crgp procedure.
Physical Port. The physical switch ports that have been dynamically assigned to this group
because they matched an AutoTracker policy. (Primary groups do not display in this screen.
For a display of port-to-primary group mappings, use the vi command) If this column reads
NULL Port List, then no physical ports have been assigned to the group yet.
Virtual Port. The virtual ports that are part of this mobile group. For Ethernet and Token Ring
switch ports, there is a one-to-one relationship between physical and virtual ports. For ATM
ports, multiple virtual ports may be associated with one physical port.
Viewing a Port's Mobile Group Affiliations
The vigl command lists all the ports in the switch that have been assigned to mobile Groups.
It is similar to the vpl command, but it lists ports first and then Groups. Since ports are
assigned to mobile groups dynamically, this display is helpful to find out which ports the
switch already sees in each group. Ports will only display in this screen for secondary groups
(i.e., not default or primary groups). Enter vigl and a screen similar to the following displays:
================================================
Virtual Port Physical Port Group ID
================================================
12 13 14 15 4/2 4/3 4/4 4/5 Group ID: 2
8 20 3/1 5/2 Group ID: 3
NULL Port List Group ID: 6
11 19 Physical Port Group ID
Virtual Port. The virtual ports in this mobile group. For Ethernet and Token Ring switch ports,
there is a one-to-one relationship between physical and virtual ports. For ATM ports, multiple
virtual ports may be associated with one physical port.
Physical Port. The physical switch ports that have been dynamically assigned to this secondary
mobile group because they matched an AutoTracker policy. (Primary groups do not
display in this screen. For a display of port-to-primary group mappings, use the vi command)
If this column reads NULL Port List, then no physical ports have been assigned to the group
yet.
Group ID. The group number assigned to this mobile group during the crgp procedure.
Non-Mobile Groups and AutoTracker VLANs
Page 16-15
Non-Mobile Groups and AutoTracker VLANs
Non-mobile Groups are comprised of physical entities—switch ports. Groups can span multiple
switches, but they are still made up of physical ports that you can see and touch. But just
as physically-based broadcast domains are limited, entirely port-based Groups can also be
limiting. In a large, flat, switched network, broadcast traffic can overload the network. There
needs to be a method for subdividing traffic even further. That's where virtual networks, or
VLANs, come into play.
VLANs are created within a Group to subdivide network traffic based on specific criteria. The
criteria you use to define a VLAN are called AutoTracker™ policies. AutoTracker policies can
be defined by port, MAC address, protocol, network address, a user-defined policy, or a multicast
policy. VLANs are described in more detail in Chapter 19, "Managing AutoTracker VLANs"
and Chapter 20, "Multicast VLANs."
Routing in a Non-Mobile Group
Communication within a Group containing only the default VLAN is switched; the ports are in
the same broadcast domain and do not require routing to communicate. Communication
between VLANs in the same Group or to VLANs in other Groups requires routing. That's why
all VLANs—including the default VLAN within each Group—may contain their own virtual
router port. A virtual router port for each VLAN can be configured to support IP and/or IPX
routing. If you do not configure a virtual router port for a VLAN, the devices in that VLAN will
not be able to communicate with devices in other VLANs unless there is an external router
between the VLANs.
Each OmniAccess 512 supports up to 32 virtual router ports. A single router port, using one
MAC address, can support IP routing, IPX routing, or both types of routing. When you enable
a router port for a default VLAN, you are actually creating a static route to that VLAN. Routing
is covered in more detail in Chapters 22 and 24.
_ Note _
For mobile, non-mobile groups and AutoTracker
VLANs, the router port operational status is not active
unless an active switch port is a member of the group
or VLAN.
Non-Mobile Groups and AutoTracker VLANs
Page 16-16
Spanning Tree and Non-Mobile Groups
Each Group uses one Spanning Tree for bridging. The OmniAccess 512 supports both 802.1d
and IBM Spanning Tree protocols. The Spanning Tree state for the port is Forwarding. Ports
that are in Blocked state, or in another non-Forwarding state, will not receive frames from the
router port. The figure below illustrates this concept.
Spanning Tree State and Routed Frames
OmniAccess 512
12345678
123456
Group 2
Ports 1 and 2
Server
Port 1: Forwarding
State
VLAN 1
(default VLAN #1)
Virtual Router
Workstation
Port 2: Blocked
State
VLAN 2
Routed frames not
received because attached
port is in Blocking state.
Routed frames received
because attached port
is in Forwarding state.
Group and Port Software Commands
Page 16-17
Group and Port Software Commands
Group and Virtual Port commands are part of the VLAN menu within the User Interface. Entering
vlan at any prompt displays the following menu:
Command VLAN Management Menu
gp View the list of Groups currently defined
crgp Create a Group
modvl Modify a VLANs configuration/availability
rmgp Remove a Group
addqgp Add 802.1q group/s to a port
delqgp Delete 802.1q group/s from a port
viqgp Display 802.1q groups on port/s
via View ports assigned to the selected Group
vi View info on a specific virtual port
vs View statistics on a virtual port attachment
ve View errors on a virtual port attachment
addvp Add ports to a GROUP
modvp Modify existing VPORT configuration information
rmvp Remove ports from a Group
pmapcr Create a Port Map
pmapdel Delete a Port Map
pmapmod Modify a Port Map
pmapv View Port Mapping Configuration
br Enter the Bridge Configuration/Parameter sub-menu
prty_mod Modify the priority of a group
prty_disp Display the priority of a group
at Enter the AutoTracker sub-menu
Main File Summary VLAN Networking
Interface Security System Services Help
The VLAN menu commands are divided into four sets of commands. The first set, at the top of
the menu beginning with gp, contains commands that create, modify, delete, and view
Groups. The second set of commands, beginning with addqgp are obsolete and no longer
control 802.1Q implimentation. (See Chapter 13 for information on 802.1Q.) The third set,
beginning with addvp, contains commands for adding, modifying, and deleting virtual ports.
All of these commands are described in this chapter.
The final set of commands at the bottom of the menu, br and at, are actually entry points to
the Bridging and AutoTracker submenus, respectively. Commands for the Bridge Management
(br) sub-menu are documented in Chapter 14, "Configuring Bridging Parameters."
Commands for the AutoTracker (at) sub-menu are documented in this chapter and in Chapter
19, "Managing AutoTracker VLANs" and Chapter 20, "Multicast VLANs." Some commands in
the at sub-menu apply to mobile groups and authenticated groups; those commands are
described in this chapter.
The pmapcr, pmapdel, pmapmod, and pmapv commands allow you to create port mapping
configurations. The port mapping feature is documented in Port Mapping on page 16-64. The
prty_mod and prty_disp commands allow you to modify and view the priority of a selected
group. These commands are detailed in Priority VLANs on page 16-71.
Creating a New Group
Page 16-18
Creating a New Group
There are several steps involved in creating a new Group. Note that some steps apply only to
mobile groups. These steps are as follows:
1. Enter Basic Group Information, such as the Group number and type. This section starts on
page 16-19.
2. Configure the Virtual Router Port (Optional). This section starts on page 16-20.
3. Enable/disable Group Mobility and User Authentication. This section starts on page 16-26.
4. Configure Virtual Ports. This section starts on page 16-27.
5. Configure AutoTracker policies (for mobile groups only). This section starts on page 16-
33.
WAN Routing Groups follow a slightly different procedure for their creation. You will receive
prompts during the procedure asking whether you want to create one of these special
Groups.
Creating a New Group
Page 16-19
Step 1. Entering Basic Group Information
a. Type crgp at any prompt.
b. The following prompt displays:
GROUP Number (5):
By default the Group number you entered or the next available Group number is
displayed in parentheses. Enter the Group number or accept the number shown in parentheses.
Each Group must have a unique number, which may range from 2 to 65,535.
(Group 1 is the default switch Group. It does not need to be created and it cannot be
deleted.) Press <Enter> after entering the Group number.
c. The following prompt displays:
Description (no quotes) :
Enter a descriptive name for the new Group. Group names can consist of up to 30 alphanumeric
characters. Press <Enter> after entering the Group name.
d. The following prompt displays:
Enable WAN Routing? (n):
If you want to perform WAN Routing through this Group you must enter a y at this
prompt. If you do not need to support WAN Routing, then answer n at this prompt and
continue with Step e.
_ Note _
You do not need to create a special WAN Routing
Group to bridge or trunk traffic over a WAN connection.
A WAN Routing Group is different from other Groups; it must contain only WAN ports. In
addition, the virtual router and virtual ports are configured differently. Please skip ahead
to Creating a WAN Routing Group on page 16-34 to continue setting up this WAN Routing
Group.
Creating a New Group
Page 16-20
Step 2. Configuring the Virtual Router Port (Optional)
You can now optionally configure the virtual router port that the default VLAN in this Group
will use to communicate with other VLANs. When you define a virtual router, a virtual router
port for the default VLAN in the Group is created. If you do not define a virtual router, no
virtual router port is created and the default VLAN in the new Group will be "firewalled,"
unable to communicate with other VLANs.
_ Important Note _
Use caution when setting up routing on the default
VLAN for a Group. In some configurations enabling
routing on the default VLAN may not be necessary or
desirable. You can always enable routing on other,
non-default VLANs, within this Group. Refer to
AutoTracker Application Example 4 in Chapter 21 for
more information.
You will have the choice of configuring IP, IPX, or both IP and IPX routing. Continue with the
steps below:
a. The following prompt displays:
Enable IP (y):
Press <Enter> if you want to enable IP Routing on this virtual router port. If you do not
enable IP, then the default VLAN in this Group will not be able to route IP data. If you
don't want to set up an IP router, enter n, press <Enter> and skip to Step j.
_ Note _
You may enable routing of both IP and IPX traffic on
this router port. If you set up dual-protocol routing, you
must fill out information for both IP and IPX parameters.
b. The following prompt displays:
IP Address:
Enter the IP address for this virtual router port in dotted decimal notation (e.g.,
198.206.181.10). This IP address is assigned to the virtual router port of the default VLAN
within this Group. After you enter the address, press <Enter>.
c. The following prompt displays:
IP Subnet Mask (0xffffff00):
The default IP subnet mask (in parentheses) is automatically derived from the default
VLAN IP address class. Press <Enter> to select the default subnet mask or enter a new
subnet mask in dotted decimal notation or hexadecimal notation and press <Enter>.
d. The following prompt displays:
IP Broadcast Address (198.200.10.255):
The default IP broadcast address (in parentheses) is automatically derived from the default
VLAN IP address class. Press <Enter> to select the default address or enter a new address in
dotted decimal notation and press <Enter>.
Creating a New Group
Page 16-21
e. The following prompt displays:
Description (30 chars max):
Enter a useful description for this virtual IP router port using alphanumeric characters. The
description may be up to 30 characters long. Press <Enter>.
f. The following prompt displays:
Disable routing? (n) :
Indicate whether you want to disable routing in the group. You can enable routing later
through the modvl command.
g. The following prompt displays:
IP RIP Mode {Deaf (d),
Silent (s),
Active (a),
Inactive (i)} (s):
Define the RIP mode in which the virtual router port will operate. RIP (Router Information
Protocol) is a network-layer protocol that enables the default VLAN in this Group to learn
and advertise routes. The RIP mode can be set to one of the following:
Silent. The default setting shown in parentheses. RIP is active and receives routing information
from other VLANs, but does not send out RIP updates. Other VLANs will not receive
routing information concerning the default VLAN in this Group and will not include the
VLAN in their routing tables. Simply press <Enter> to select Silent mode.
Deaf. RIP is active and sends routing information to other VLANs, but does not receive RIP
updates from other VLANs. The default VLAN in this Group will not receive routing information
from other VLANs and will not include other VLANs in its routing table. Enter d and
press <Enter> to select Deaf mode.
Active. RIP is active and both sends and receives RIP updates. The default VLAN in this
Group will receive routing information from other VLANs and will be included in the routing
tables of other VLANs. Enter a and press <Enter> to select Active mode.
Inactive. RIP is inactive and neither sends nor receives RIP updates. The default VLAN in
this Group will neither send nor receive routing information to/from other VLANs. Enter i
and press <Enter> to select Inactive mode.
h. If routing domains are not configured on the switch, go to the next step. If routing
domains are configured on the switch, the following prompt displays:
Apply to Routing Domain ID (none) :
Enter a routing domain in which this group should be included, or press Enter. A routing
domain is a grouping of IP router interfaces that can forward packets only within the
domain. Routing domains are part of Advanced Routing software and are not part of the
base code. For more information about routing domains, see Chapter 14, "Routing
Domains," in the Advanced Routing User Manual.
i. After you enter the RIP mode, or after you enter a routing domain ID, the following
prompt displays:
Default framing type [Ethernet II(e),
fddi (f),
token ring (t),
Ethernet 802.3 SNAP (8),
source route token ring(s)} (e):
Creating a New Group
Page 16-22
Select the default framing type for the frames that will be generated by this router port
and propagated over the default VLAN to the outbound ports. Set the framing type to the
encapsulation type that is most prevalent in the default VLAN. If the default VLAN contains
devices using encapsulation types other than those defined here, the switching modules
must translate those frames, which slows throughput. The figure on the next page illustrates
the Default Framing Type and its relation to Virtual Router Port communications.
Default Framing Type and the Virtual Router Port
j. You can now configure IPX routing on this port. The following message displays:
Enable IPX? (y) :
Press <Enter> if you want to enable IPX Routing on this virtual router port. If you do not
enable IPX, then the default VLAN in this Group will not be able to route IPX data. You
can set up a virtual router port to route both IP and IPX traffic.
If you don't want to set up an IPX router for the default VLAN in this Group, enter n, press
<Enter>, and skip ahead to step p below. You can always set up IPX routing for other
VLANs within this Group.
OmniAccess 512
12345678
123456
Group
Virtual Router Port
VLAN 1
(default VLAN #1)
Virtual Router
The Default Router
Framing Type determines
the type of
frame transmitted
through the Virtual
Router Port to the
default VLAN.
SNMP AGENT RIP
Workstation A Workstation B
Creating a New Group
Page 16-23
k. After selecting to enable IPX, the following prompt displays:
IPX Network:
Enter the IPX network address. IPX addresses consist of eight hex digits and you can enter
a minimum of one hex digit in this field. If you enter less than eight hex digits, the system
prefixes your entry with zeros to create eight digits.
l. The following prompt displays:
Description (30 chars max):
Enter a useful description for this virtual IPX router port using alphanumeric characters.
The description may be up to 30 characters long. Press <Enter>.
m. The following prompt displays:
IPX Delay in ticks (0):
Enter the number of ticks you want for the IPX network. A tick is about 1/18th of a
second. The default is 0.
n. The following prompt displays:
IPX RIP and SAP mode {RIP and SAP active (a)
RIP only active (r)
RIP and SAP inactive (i)} (a):
Select how you want the IPX protocols, RIP (router information protocol) and SAP (service
access protocol), to be configured for the default VLAN in this Group. RIP is a networklayer
protocol that enables this VLAN to learn routes. SAP is also a network-layer protocol
that allows network services, such as print and files services, to advertise themselves. The
choices are:
RIP and SAP active. The default setting. The default VLAN to which this IPX router port is
attached participates in both RIP and SAP updates. RIP and SAP updates are sent and
received through this router port. Simply press <Enter> to select RIP and SAP active.
RIP only active. The default VLAN to which this IPX router port is attached participates in
RIP updates only. RIP updates are sent and received through this router port. Enter an r
and press <Enter> to select RIP only active.
RIP and SAP inactive. The IPX router port is active, but the default VLAN to which it is
attached does not participate in either RIP nor SAP updates. Enter an i and press <Enter> to
select RIP and SAP inactive.
Creating a New Group
Page 16-24
o. After selecting the RIP and SAP configuration, the following prompt displays the default
router framing type options:
Default router framing type for : {
Ethernet Media:
Ethernet II (0),
Ethernet 802.3 LLC (1),
Ethernet 802.3 SNAP (2),
Novell Ethernet 802.3 raw (3),
Select the default framing type for the frames that will be generated by this router port
and propagated over the default VLAN to the outbound ports. Set the framing type to the
encapsulation type that is most prevalent in the default VLAN. If the default VLAN contains
devices using encapsulation types other than those defined here, the switching modules
must translate those frames, which slows throughput. See the figure, Default Framing
Type and the Virtual Router Port on page 16-22 for an illustration of the Default Framing
Type and its relation to Virtual Router Port communications.
_ Note _
The .cmd file contains a command called hreXnative
that by default is set to 1. If physical ports in an end
station are using a different encapsulation than the
virtual router ports (for example, the modvl command
shows router ports set to Ethernet II IPX, but the swch
command shows that physical ports are using SNAP)
then the hreXnative command must be set to 0. See
Chapter 6, "Switch Wide Parameters," for more information
about the .cmd file.
p. If you chose a Source Routing frame format in the last step (options 5, 7, 9, or b), an additional
prompt displays:
Default source routing broadcast type : {
ARE broadcasts(a), STE broadcasts(s)} (a) :
Select how broadcasts will be handled for Source Routing. The choices are:
ARE broadcasts. All Routes Explorer, the default setting. Broadcasts are transmitted over
every possible path on inter-connected source-routed rings. This setting maximizes the
generality of the broadcast. Simply press <Enter> to select All Routes Explorer.
STE broadcasts. Spanning Tree Explorer. Broadcasts are transmitted only over Spanning
Tree paths on inter-connected source-routed rings. This setting maximizes the efficiency
of the broadcast. Enter an s and press <Enter> to select Spanning Tree Explorer.
Creating a New Group
Page 16-25
q. The following prompt displays:
Enter a priority level (0...7)(0):
Prioritizing VLANs allows to you set a value for traffic based on the destination VLAN of
packets. Traffic with the higher priority destination will be delivered first. VLAN priority
can be set from 0 to 7, with 7 being the level with the most priority.
Modifying and displaying a group's priority is described in Priority VLANs on page 16-71.
You have now completed the configuration of the virtual router port for this group. At
this point, you will be asked whether you want to enable group mobility. The following
prompt will display:
Enable Group Mobility on the Group ? [y/n] (n):
Mobile groups are discussed in detail in Mobile Groups on page 16-5. If you want to
enable group mobility answer Y to this prompt, press <enter>, and go on to Step 3. Set Up
Group Mobility and User Authentication on page 16-26.
If you do not want to configure group mobility answer N at the prompt, press <enter>,
and go on to Step 4. Configuring Virtual Ports on page 16-27 for further instructions.
Creating a New Group
Page 16-26
Step 3. Set Up Group Mobility and User Authentication
A mobile group offers more flexibility than a non-mobile group. With a mobile group, ports
are assigned dynamically to the group based on AutoTracker policies that you configure. In a
non-mobile group, ports are statically defined and AutoTracker policies are assigned to individual
VLANs within the Group. In most cases, you will want to set up a mobile group. The
following steps show you how.
a. After configuring the virtual router port, you will receive the following prompt:
Enable Group Mobility on the Group ? [y/n] (n):
To create a mobile group, enter a Y as this prompt, press <enter>, and continue with step
b. If you want to configure a non-mobile Group, enter N, press <enter>, and you will see
the following prompt:
This Group will not participate in Group Mobility
If you are not creating a mobile group, go on to Step 4. Configuring Virtual Ports on page
16-27.
b. The following prompt displays:
Enable User Authentication on the Group ? [y/n] (n):
An authenticated group is a special type of mobile group. It uses an authentication
process as it criteria for group membership. Typically, users will be prompted for an id
and password before gaining membership to an authenticated group. Authenticated
groups require additional Windows NT server software. More detailed information on
these groups can be found in the Switch Network Services User Manual. If you are not sure
whether this is an authenticated group, simply press <enter> at this prompt.
c. The following prompt displays:
Enable spanning tree for this group [y/n] (y):
Spanning Tree prevents broadcast storms by limiting logical loops in the network. For
more information on Spanning Tree, see Chapter 14, titled "Configuring Bridging Parameters."
If you wish to enable Spanning Tree, enter y and press <enter>. Otherwise, enter n.
d. The following prompt displays:
Do you wish to configure the interface group for this Virtual LAN at this time? (y)
You can assign physical ports to the new Group at this time. To begin assigning ports to
the new Group, press <Enter> and go to Step 4.
To assign ports to the Group later, type n and <Enter>. The new Group is configured but
does not yet contain any ports. You can use the addvp command later to assign ports to
the Group (see Adding Virtual Ports on page 16-43). A message similar to the following
displays confirming the creation of the new Group.
GROUP 6 has been added to the system.
You may add interfaces to this group using the addvp command at a later date.
For now, the GROUP is inactive until you add interfaces.
Creating a New Group
Page 16-27
Step 4. Configuring Virtual Ports
You can now enter configuration parameters for each switch port to be included in this
Group. These configuration parameters include the bridging mode, output format type, and
administrative state. In addition, if the port you are configuring is Ethernet (10/100 Mbps) or
Token Ring, you can also configure port mirroring.
Prompts for configuring virtual ports follow directly after Group Mobility prompts. You can
choose to add ports now or add them later through the addvp command. Follow these steps:
a. After you have stepped through the Routing and/or Group Mobility prompts, the following
message displays:
Do you wish to configure the interface group for this Virtual LAN at this time? (y)
You can assign physical ports to the new Group at this time. To begin assigning ports to
the new Group, press <Enter> and go to Step b.
To assign ports to the Group later, type n and <Enter>. The new Group is configured but
does not yet contain any ports. You can use the addvp command later to assign ports to
the Group (see Adding Virtual Ports on page 16-43). A message similar to the following
displays confirming the creation of the new Group.
GROUP 6 has been added to the system.
You may add interfaces to this group using the addvp command at a later date.
For now, the GROUP is inactive until you add interfaces.
b. After indicating that you want to set up ports, the following prompt displays:
Initial Vports (Slot/Phys Intf. Range) - For example, first I/O Module
(slot 2), second interface would be 2/2. Specify a range of interfaces
and/or a list as in: 2/1-3, 3/3, 3/5, 4/6-8
Enter the port or ports that you want to include in this new Group. The notation for
adding a port to a group is
<slot number of module>/<port number on the module>
Omni-9 slots are numbered 1-9, left to right. Port numbers are labelled on the front panel
of switching modules.
You may enter multiple ports from multiple switching modules. For example, to add ports
1 through 3 on the module in slot 2, specify 2/1-3. To additionally add the third and fifth
port on the module in the third slot, specify 3/3, 3/5. The complete slot port specification
would be:
2/1-3, 3/3, 3/5
c. If you enter a port that is already assigned to another Group, then you will be prompted
on whether or not you want to change its assignment. A message similar to the following
displays for each port that you enter:
Initial Slot/Interface Assignments: 2/8
2/8 - This interface has already been assigned to GROUP 1 -
(Default GROUP #1).
Do you wish to remove it from that GROUP and assign it (with
new configuration values) to this GROUP (n)?
Simply enter a y at each port prompt to change its Group assignment and begin setting
port parameters. You could also enter a c at this prompt to accept all default port parameters
and skip port configuration prompts. If you enter a c, all remaining ports are automatically
added to the Group with default settings, and your work is complete.
Creating a New Group
Page 16-28
d. The virtual port configuration menu displays:
Modify Ether/8 Vport 2/8 Configuration
1) Vport : 9
2) Description :
3) Bridge Mode : Auto-Switched
31) Switch Timer : 60
4) Flood Limit : 192000
5) Output Format Type : Default (IP-Eth II, IPX-802.3)
6) Ethernet 802.2 Pass Through : Yes
7) Admin, Operational Status : Enabled, inactive
8) Mirrored Port Status : Disabled, available
9) MAC address : 000000:000000
Command {Item=Value/?/Help/Quit/Redraw/Next/Previous/Save} (Redraw) :
Descriptions for each of the fields in this display follow. To change any default value,
enter the line number for item, an equal sign (=), and then the value for the parameter.
Enter save to save all configured settings and move onto the next step in the group
creation process.
1) Vport
The virtual port number for this port. The next virtual port number available in the switch
is shown by default in this field.
2) Description
Enter a useful description for this virtual port using alphanumeric characters. The description
may be up to 30 characters long.
3) Bridge Mode
Select the bridge mode used by this port. The choices are:
Spanning Tree Bridge. The default setting for all non-Ethernet ports. This mode is appropriate
for backbone and hub connections. The port acts as a standard 802.1d bridge port. It
forwards BPDU frames out the port. When frames are received, Spanning Tree BPDUs are
processed, and Spanning Tree dynamically controls the forwarding state. If flooding
occurs, all frames destined for unknown MAC addresses, broadcast addresses, or multicast
addresses will be sent to all ports in the same Group. Enter 3=b and press <Enter> to
select Spanning Tree Bridge mode.
Optimized Device Switching. This mode is appropriate for dedicated connections to a single
workstation or server. Spanning Tree is turned off. No Spanning Tree BPDUs will be sent
and the port will always be in the forwarding state. The port will stay in this mode even if
a Spanning Tree BPDU is detected. In addition, all MACs learned will not be aged out
(regardless of the Bridge Aging Timer setting) until the port is disconnected or configured
to be administratively down. No flooding of packets with an unknown destination address
is allowed after at least one MAC address has been learned. (An exception to this rule
occurs on newer Mammoth-generation Ethernet modules, such as the ESM-100C-12, ESM-
100F-8, and ESM-C-32. When these ports are in optimized mode, packets with unknown
destination addresses will be flooded.) Packets with a broadcast or multicast destination
will always be allowed. Enter 3=o and press <Enter> to select Optimized Device Switching
mode.
Creating a New Group
Page 16-29
Auto-Switch. The default setting for all Ethernet ports. This mode is appropriate for dedicated
connections requiring a switch-over to bridge mode when multiple devices are
detected. A port in Auto-Switch mode will start in Optimized Device Switching mode (see
description above). The port will remain in Optimized Device Switching mode until a
Spanning Tree BPDU is detected or more than one MAC address transmits data. Once
either of these conditions is met, the port will switch to Spanning Tree Bridge mode and
Spanning Tree will start (if configured in the switch).
An Auto-Switch port will remain in Spanning Tree Bridge mode as long as there are
BPDUs and multiple MACs. However, the port can revert back to Optimized Device
Switching Mode if the time specified in the next field (Switch Timer) transpires without
BPDUs and multiple MACs. Also, if the port is disconnected or configured to be administratively
down, then an Auto-Switch port will revert back to Optimized Device Switching
mode when it becomes operational again. Enter 3=a and press <Enter> to select Auto-
Switch mode.
How Auto-Switch Bridge Mode Works
31) Switch Timer
If you selected the Auto-Switch bridge mode, then you can configure this field. Enter the
time-out period, in seconds, for an Auto-Switch port that has turned to Spanning Tree
Bridge mode port to revert back to Optimized Switching mode. When in Auto-Switch
mode, a port switches to Spanning Tree Bridge mode as soon as it detects a BPDU or
more than one MAC address. The port will switch back to Optimized Switching mode after
the time-out value you define here.
Optimized
Device
Switching
Mode
Greater
Than 1
MAC?
No
BPDUs
Detected?
No
Yes
Spanning
Tree
Bridge
Mode
Yes
Switch
Timer Period
Elapsed?
BPDU
Detected?
Only 1
MAC Address
Detected?
No
Yes No
Yes
No
Yes
Creating a New Group
Page 16-30
4) Flood Limit
The flood limit allows you to tune a virtual port to limit the flooding of broadcast, multicast,
and unknown destination packets. This feature is useful for controlling broadcast
storms on your network. While each network is different, in general the amount of
flooded traffic represents a relatively small percentage of network traffic.
The flood limit is actually a "transmit credit" that is issued every five (5) seconds. When a
packet is flooded on this port, the size of the packet, in bytes, is decremented from the
current credit value. The credit value is the value you enter in this field multiplied by five.
An additional credit, in the amount of the value you enter here multiplied by five, is allocated
to each virtual port every five (5) seconds. If the credit value ever falls below zero,
then all flooded packets are discarded until another credit is allocated. Flood limit checking
is disabled if you enter a flood limit of zero (0). The flood limit default is 192,000
bytes per second, which equates to a transmit credit of 960,000 bytes every five seconds.
5) Output Format Type
The options will be different for Ethernet, Token Ring, and FDDI ports.
The output format setting determines the kind of frame that will be sent out this physical
port. If translation is necessary, then incoming frames will be translated to this format
before being sent out this port. For example, on an Ethernet port incoming FDDI frames
need to be translated to Ethernet. However, there are four types of Ethernet frames—
Ethernet II, IPX 802.3, SNAP, and LLC. The format type you select here would determine
the frame format to which non-Ethernet frames would be translated. The following figure
illustrates how a port's framing type affects communication with attached devices.
_ Note _
This parameter differs from the router framing type
selected during the configuration of the virtual router
port. The router framing type is the encapsulation done
on a router port, whereas this output format type
applies only to translations on this virtual port.
Creating a New Group
Page 16-31
Output Framing Type on Physical Ports
Note that for Ethernet, the default output format option is Ethernet II for IP frames and
802.3 for IPX frames. On Token-Ring and FDDI, only SNAP and LLC are available as output
format choices; FDDI ports may be configured to output 802.3 frames (i.e., "FDDI raw"),
but that must be configured through the Switch menu.
You can customize your frame translation settings even further through the Switch menu.
The Switch menu allows you to set translations at the frame format level (i.e., incoming
SNAP frames could be translated one way, while incoming LLC frames could be translated
another way) based on protocol type (IP or IPX). The Switch menu is explained in Chapter
15, "Configuring LAN Switch Translations."
6) Ethernet 802.2 Pass Through
For Ethernet ports only. If you answer Yes to this prompt, then frames received in the
IEEE 802.2 format will not be translated according the Output Format Type chosen in line
5; they will be sent as is in their native IEEE 802.2 format. If you answer No, then 802.2
frames will be subject to the Output Format Type chosen in line 5.
OmniAccess 512
12345678
123456
Group 2
Ports 1 and 2
Server
Receives frames in
Ethernet II format.
Ethernet Port 1:
Format set to
Ethernet II
VLAN 1
(default VLAN #1)
Virtual Router
Workstation
Receives frames in SNAP
format.
Ethernet Port 2:
Format set to
SNAP
The Output Format Type
you set for each port determines
the type of frames
that devices attached to
that port receive.
Creating a New Group
Page 16-32
7) Admin, Operational Status
Select whether to administratively enable or disable this port. When you enable the port,
the port can transmit and receive data as long as a cable is connected and no physical or
operational problems exist. When you disable a port, the port will not transmit or receive
data even if a cable is connected and the physical connection is operational. If you
disable the port at this point, you can enable it later through the modvp command (see
Modifying a Virtual Port on page 16-44).
8) Mirrored Port Status
If the port you are configuring is Ethernet (10 or 10/100 Mbps) or Token Ring, you can set
up port mirroring. You can mirror traffic on this port to another like port. Port mirroring is
a useful feature for monitoring traffic on particular ports. It is discussed in more detail
later in this chapter in Port Mirroring on page 16-55.
If you want to mirror this port, enter a 8=e, press <Enter> and you will be prompted for
the slot and port number of the "mirroring" port (i.e., the port that can "see" all traffic for
this port):
Mirroring vport slot/port ? ( ) :
Enter the mirroring port's slot and port number and press <Enter>.
If port mirroring is not supported on this port, then the following prompt will display:
mirroring not supported on this port type
9) MAC address
Enter the MAC address for this virtual port if it is known.
After the MAC address prompt, the switch confirms the addition of the port to the group
with a message similar to the following:
Adding port 2/8 to Group 6. . .
Make configuration changes to the port until you are satisfied. If you have completed the
final virtual port, then your work is complete. You can always alter Group parameters
(including virtual router parameters for the default VLAN) later through the modvl
command (see Modifying a Group or VLAN on page 16-39) and modify virtual port parameters
through the modvp command (see Modifying a Virtual Port on page 16-44).
Creating a New Group
Page 16-33
Step 5. Configuring AutoTracker Policies (Mobile Groups Only)
When you have completed configuring mobile group and auto-activated LANE services, you
can begin configuring AutoTracker policies for this mobile group. Instructions for configuring
these rules can be found in Chapter 17, "Configuring Group and VLAN Policies." Please refer
to that chapter for instructions on configuring each policy type. After you configure
AutoTracker policies, you are done configuring this mobile group and a prompt similar to the
following displays:
VLAN 9: 1 created successfully
You can configure rules for this group later through the modatvl command. This command
also works with mobile groups as long as you indicate you want to alter VLAN 1 in the
mobile group (i.e., the command line would read modatvl 3:1 to modify mobile group 3).
_ Note _
If the mobile group is initially created without rules, the
modatvl command cannot be used to add them later.
You must turn off group mobility and then reinstate it
to add the rules.
Creating a WAN Routing Group
Page 16-34
Creating a WAN Routing Group
After entering basic Group information as described in Step 1. Entering Basic Group Information
on page 16-19, you should have answered Yes to the following prompt:
Enable WAN Routing? (n):
if you want to enable WAN Routing. WAN Routing Groups are treated differently than other
Groups, as described earlier. The following steps complete the configuration of the WAN
Routing Group.
a. After answering y to the Enable WAN Routing? prompt, the following prompt displays:
Enable IP (y):
Press <Enter> if you want to enable IP Routing on the virtual router port for this Group. If
you do not enable IP, then this WAN Group will not be able to route IP data. If you don't
want to set up IP routing, enter n, press <Enter> and skip to Step g.
_ Note _
You may enable routing of both IP and IPX traffic over
a WAN connection. If you set up dual-protocol routing,
you must fill out information for both IP and IPX
parameters.
b. The following prompt displays:
IP Address:
Enter the IP address for this virtual router port in dotted decimal notation or hexadecimal
notation (e.g., 198.206.181.10). This IP address is assigned to the virtual router port of the
default VLAN within this Group. After you enter the address, press <Enter>.
c. The following prompt displays:
IP Subnet Mask (0xffffff00):
The default IP subnet mask (in parentheses) is automatically derived from the default
VLAN IP address class. Press <Enter> to select the default subnet mask or enter a new
subnet mask in dotted decimal notation or hexadecimal notation and press <Enter>.
d. The following prompt displays:
IP Broadcast Address (198.200.10.255):
The default IP broadcast address (in parentheses) is automatically derived from the default
VLAN IP address class. Press <Enter> to select the default IP broadcast address or enter a
new broadcast address in dotted decimal notation or hexadecimal notation and press
<Enter>.
e. The following prompt displays:
Description (30 chars max):
Enter a useful description for this virtual IP router port using alphanumeric characters. The
description may be up to 30 characters long. Press <Enter>.
Creating a WAN Routing Group
Page 16-35
f. The following prompt displays:
IP RIP Mode {Deaf (d),
Silent (s),
Active (a),
Inactive (i)} (s):
Define the RIP mode in which the virtual router port will operate. RIP (Router Information
Protocol) is a network-layer protocol that enables the default VLAN in this Group to learn
and advertise routes. The RIP mode can be set to one of the following:
Silent. The default setting shown in parentheses. RIP is active and receives routing information
from other VLANs, but does not send out RIP updates. Other VLANs will not receive
routing information concerning the default VLAN in this Group and will not include the
VLAN in their routing tables. Simply press <Enter> to select Silent mode.
Deaf. RIP is active and sends routing information to other VLANs, but does not receive RIP
updates from other VLANs. The default VLAN in this Group will not receive routing information
from other VLANs and will not include other VLANs in its routing table. Enter d and
press <Enter> to select Deaf mode.
Active. RIP is active and both sends and receives RIP updates. The default VLAN in this
Group will receive routing information from other VLANs and will be included in the routing
tables of other VLANs. Enter a and press <Enter> to select Active mode.
Inactive. RIP is inactive and neither sends nor receives RIP updates. The default VLAN in
this Group will neither send nor receive routing information to/from other VLANs. Enter i
and press <Enter> to select Inactive mode.
g. You can now configure IPX routing on this port. The following message displays:
Enable IPX? (y) :
Press <Enter> if you want to enable IPX Routing on this virtual router port. If you do not
enable IPX, then the default VLAN in this WAN Group will not be able to route IPX data.
You can set up a virtual router port to route both IP and IPX traffic.
If you don't want to enable IPX routing for the default VLAN in this Group, enter n and
press <Enter>. You can always set up IPX routing for other VLANs within this Group.
You are done configuring this WAN Routing Group. See the appropriate WAN interface
chapter for further information on configuring this Routing service.
h. After selecting to enable IPX, the following prompt displays:
IPX Network:
Enter the IPX network address. IPX addresses consist of eight hex digits and you can enter
a minimum of one hex digits in this field. If you enter less than eight hex digits, the
system prefixes your entry with zeros to create eight digits.
i. The following prompt displays:
Description (30 chars max):
Enter a useful description for this virtual IPX router port using alphanumeric characters.
The description may be up to 30 characters long. Press <Enter>.
j. The following prompt displays:
IPX Delay in ticks (0):
Enter the number of ticks you want for the IPX network. A tick is about 1/18th of a
second. The default is 0.
Creating a WAN Routing Group
Page 16-36
k. After entering a description, the following prompt displays:
IPX RIP and SAP mode {RIP and SAP active (a)
RIP only active (r)
RIP and SAP inactive (i)}
RIP and SAP triggered (t)} (a):
Select how you want the IPX protocols, RIP (router internet protocol) and SAP (service
access protocol), to be configured for the default VLAN in this Group. RIP is a networklayer
protocol that enables this VLAN to learn routes. SAP is also a network-layer protocol
that allows network services, such as print and files services, to advertise themselves. The
choices are:
RIP and SAP active. The default setting. The default VLAN to which this IPX router port is
attached participates in both RIP and SAP updates. RIP and SAP updates are sent and
received through this router port. Simply press <Enter> to select RIP and SAP active.
RIP only active. The default VLAN to which this IPX router port is attached participates in
RIP updates only. RIP updates are sent and received through this router port. Enter an r
and press <Enter> to select RIP only active.
RIP and SAP inactive. The IPX router port is active, but the default VLAN to which it is
attached does not participate in either RIP nor SAP updates. Enter an i and press <Enter> to
select RIP and SAP inactive.
RIP and SAP triggered. The IPX router port is active, but RIP and SAP information will be
sent out on the port only when a network change has occurred. This option is more cost
effective for WAN links and is best suited for smaller network environments that don't
change often. Enter a t and press <Enter> to select RIP and SAP triggered.
When you are done entering Router parameters, a message similar to the following
displays:
GROUP 5 has been added to the system
You should now follow the instructions for configuring a WAN Routing Service described
in the appropriate WAN interface chapter.
Viewing Current Groups
Page 16-37
Viewing Current Groups
The gp command provides information on all currently defined Groups in a switch including
Group number, network address, protocol type, and encapsulation type. You can obtain
information on all groups in a switch by entering:
gp
A screen similar to the following displays:
Group Network Address Proto/
ID Group Description (IP Subnet Mask) Encaps
(:VLAN ID) or (IPX Node Addr)
===== =========================== =============== ========
1 Default GROUP (#1) 198.206.182.115 IP /
(ff.ff.ff.00) ETH2
2 New GROUP (#2) 198.206.101.12 IP /
(ff.ff.ff.00) SNAP
3 New GROUP (#3) 198.206.181.10 IP/
(ff.ff.ff.00) 1490
4 New Group (#4) 198.206.183.44 IP /
(ff.ff.ff.00) ETH2
12314526 IPX /
(0020da:020484) 8023
5 New GROUP 198.206.143.11 CIP /
(ff.ff.ff.00) 1483
You can also get information on a specific Group by entering gp followed by the Group
number. For example,
gp 3
displays information just on Group 3:
Group Network Address Proto/
ID Group Description (IP Subnet Mask) Encaps
(:VLAN ID) or (IPX Node Addr)
===== =========================== =============== ========
3 New GROUP (#3) 198.206.181.10 IP /
(ff.ff.ff.00) 1490
The following sections describe the columns in this table:
Group ID (:VLAN ID). The identification number assigned to this Group when it was created
through the crgp command. The Group identifier is typically consistent network-wide (i.e.,
Group 3 in this switch should be the same Group as Group 3 configured in all other Omni-
Access 512es in the network). If this Group contains any VLANs, then they will be listed
below the Group number. If the default VLAN in the Group supports both IP and IPX routing,
then information on both (network address, etc) will display. Group 4 in the screen
sample above shows a case where both IP and IPX routing are supported.
Group Description. The textual description of this Group that was entered when the Group was
created or modified. This description is limited to 30 characters.
Network Address (IP Subnet Mask) or (IPX Node Addr). For each virtual router port configured,
two addresses are listed. Both of these addresses were configured when the Group was
created or modified through crgp or modvl. The first address is the Network Address, which is
the address of the virtual router port for the default VLAN (VLAN #1) in this Group. For an IP
virtual router port, this address is the IP address, which is shown in dotted decimal format.
For an IPX virtual router port, this address is the IPX network address, which is shown as
eight hex characters.
Viewing Current Groups
Page 16-38
A second address is displayed below the Network address. For IP, this address is the IP
Subnet Mask, which is normally derived from the default VLAN IP address class. For IPX, this
address is the IPX Node Address.
Proto/Encaps. For each Group or VLAN listed, the top field is the Protocol supported by this
virtual router port. Possible values in the field are: IP (IP router), IPX (IPX router), and CIP
(Classical IP Group with CIP router). If you configured an IP and an IPX router port, then two
router entries will be listed—one with a Protocol of IP and the other with a Protocol of IPX.
The bottom field is the encapsulation used for outgoing frames on the router port. This
encapsulation was configured when the router port was configured. Possible values for this
field depend on the Protocol and type of Group.
Frame Relay WAN Groups will always display 1490 to indicate RFC 1490 encapsulation is
performed on frames. ATM Classical IP (CIP) Groups will display 1483 to indicate RFC 1483
encapsulation is performed on frames.
IP and IPX routers have additional possible encapsulation types. For IP virtual router ports,
the possible encapsulation types are as follows:
• ETH2 Ethernet II
• SNAP Ethernet 802.3 SNAP
For IPX virtual router ports, the possible encapsulation types are as follows:
• ETH2 Ethernet II
• LLC Ethernet 802.3 LLC
• SNAP Ethernet 802.3 SNAP
• 8023 Ethernet 802.3 (Novell raw)
Modifying a Group or VLAN
Page 16-39
Modifying a Group or VLAN
After creating a Group (through crgp) or VLAN (through cratvl, see Chapters 16 and 18), you
can change any of their parameters through the modvl command. In addition, if you did not
set up a virtual router port (IP or IPX) during the initial Group or VLAN configuration, you can
set one up with modvl. To use this command, enter modvl followed by the Group number and
VLAN number to change. For example, to modify parameters in Group 2, VLAN 1, enter:
modvl 2
Note that you do not need to specify a VLAN number to modify the default VLAN within a
Group. To modify parameters in Group 2, VLAN 2, you would enter:
modvl 2:2
A screen similar to the following displays.
Current values associated with GROUP 2.1 are as follows:
1) GROUP Number - 2:1
2) Description - New GROUP (#2)
IP Parameters:
3) IP enabled - Y
4) IP Network Address - 198.206.101.12
5) IP Subnet Mask - 255.255.255.0
6) IP Broadcast Address - 198.206.101.255
7) Router Description - Router Port #2
8) RIP Mode - Silent
{Active (a), Inactive (i), Deaf (d), Silent (s)}
9) Routing disabled - N
11) Default Framing - Ethernet II
{Ethernet II(e), Ethernet 802.3 (8), fddi (f),
token ring (t), source route token ring (s)}
IPX parameters:
12) IPX enabled - N
(save/quit/cancel)
:
The Group number at the top of this sample screen is followed by the number 1 (GROUP 2.1),
meaning that the information applies to default VLAN #1 in this Group. If this screen displayed
information on Group 2, VLAN 2, then this field would read GROUP 2:2.
The colon prompt (:) at the bottom of the screen is used to prompt for user input. To change
a value, type the line number of the item you want to change, followed by an equal sign (=)
and the new value. For example, to set a new description you could enter:
2=Engineering
All of the modvl parameters are described in the section for creating a new Group, Creating a
New Group on page 16-18.
_ Note _
Line numbering for the modvl command will vary
depending on whether you have an IP or IPX router
configured. Each type of router contains several parameters
that require extra line numbers.
Modifying a Group or VLAN
Page 16-40
Viewing Your Changes
When you enter a change at the colon prompt, the modvl screen does not normally refresh. If
you want to see the current Group or VLAN settings, including any changes you made, enter a
question mark (?) at the colon prompt. The modvl screen will refresh.
Saving Your Changes
Once you have entered all your modifications and you want to save them, type save at the
colon prompt. You will exit the modvl command and your changes will take effect.
Canceling Your Changes
You can also exit the modvl command without saving any changes you made in the current
session. Simply enter cancel at the colon prompt or enter <Ctrl>-d. The modvl command will
end and none of the changes you made will be saved.
Changing the IP Address
Changing the IP address can also affect the Subnet Mask and the Broadcast Address. The new
IP address means that the Subnet Mask and Broadcast Address must be re-generated and the
following message displays:
New IP address generates new subnet and broadcast address
Enter '?' to view the changes
The system automatically creates new Subnet Mask and Broadcast addresses based on the
new IP address. If you enter a question mark (?) at this point you could view these changes.
If you remove the last IP address in the system, you will see a warning message that SNMP
(and other applications) are now inoperational.
Changing the IP Subnet Mask
Changing the IP Subnet Mask can also affect the IP Broadcast Address. The new Subnet Mask
means that the Broadcast Address must be re-generated and the following message displays:
New mask caused change in broadcast address
The system automatically created a new Broadcast address based on the new Subnet Mask. If
you entered a question mark (?) at this point you could view these changes.
Modifying a Group or VLAN
Page 16-41
Enabling IP or IPX Routing
If you enable IP or IPX routing by setting the corresponding modvl lines from N to Y, then the
screen automatically refreshes with additional lines for the new router port parameters. All
lines are set to router defaults. The router defaults are as follows:
IP Router
IP Network Address 0.0.0.0
IP Subnet Mask 0.0.0.0
IP Broadcast Address 0.0.0.0
Router Description (no description shown for default)
Routing Disabled No
RIP Mode Silent
Default Framing Type Ethernet II
IPX Router
IPX Network Address 0x0
Router Description (no description shown for default)
Delay in Ticks 0
RIP/SAP Mode RIP and SAP are active
Default Framing Type Ethernet II
You can change any of these defaults as you would any other modvl parameters: enter the
line number, followed by an equal sign (=) and the new parameter.
_ Note _
You must at least enter a Network Address for a new
router or you will not be able to save the configuration.
Deleting a Group
Page 16-42
Deleting a Group
You can delete a Group as long as it does not contain any virtual ports. The default Group,
Group #1, cannot be deleted. To delete a Group, enter rmgp followed by the Group number
you want to delete. For example, if you wanted to delete Group 5, you would enter:
rmgp 5
If the Group does not contain any virtual ports, then a confirmation message displays:
GROUP 5 removed.
If the Group still contains virtual ports, then a message similar to the following displays:
GROUP 5 has active entries, you must remove
these prior to removing the GROUP (use rmvp for this).
You must first remove the Group's virtual ports before the Group can be removed. The rmvp
command allows you to remove virtual ports. See Deleting a Virtual Port on page 16-45 for
information on using this command.
_ Note _
Some commands in the Bridge Management menu
(described in Chapter 14, "Configuring Bridging Parameters")
require you to select a Group before making
configuration changes. If you delete the currently
selected Group with rmgp, then the new currently
selected Group reverts to the default Group, Group #1.
Adding Virtual Ports
Page 16-43
Adding Virtual Ports
You can add virtual ports to a Group at any time after the Group is created. The addvp
command allows you to add one or more ports to a Group you specify. If you have used the
crgp command to add virtual ports, then you will find the addvp command fields very familiar.
To use addvp, enter the command followed by the Group number to which you want to add
the port. Next, specify the port or ports you want to add.
addvp <Group Number for port> <Module Slot>/<Port Number>
For example, if you wanted to add ports 4 through 6 on the module in slot 4 to Group #5,
then you would specify:
addvp 5 4/4-6
The procedure for using addvp is as follows:
1. Enter addvp followed by the Group number where you want this port to reside, followed
by the physical slot and port numbers you want to configure.
2. If you enter a port that is already assigned to another Group, then you will be prompted
on whether or not you want to change its assignment. A message similar to the following
displays for each port that you enter:
4/4 - This interface has already been assigned to GROUP 1 -
(Default GROUP #1).
Do you wish to remove it from that GROUP and assign it (with
new configuration values) to this GROUP (n)?
Simply enter a y at each port prompt to change its Group assignment and begin setting
port parameters. You could also enter a c at this prompt to accept all default port parameters
and skip port configuration questions. If you enter a c, all remaining ports are automatically
added to the Group with default settings, and your work is complete.
3. The virtual port configuration menu displays:
Modify Ether/8 Vport 4/4 Configuration
1) Vport : 9
2) Description :
3) Bridge Mode : Auto-Switched
31) Switch Timer : 60
4) Flood Limit : 192000
5) Output Format Type : Default (IP-Eth II, IPX-802.3)
6) Ethernet 802.2 Pass Through : Yes
7) Admin, Operational Status : Enabled, inactive
8) Mirrored Port Status : Disabled, available
9) MAC Address : 000000:000000
Command {Item=Value/?/Help/Quit/Redraw/Next/Previous/Save} (Redraw) :
Descriptions for each of the fields in this display begin on page 16-28. To change any
default value, enter the line number for the item, an equal sign (=), and then the value for
the parameter. When you have completed the configuration for this port, enter save to
save all configured settings.
Modifying a Virtual Port
Page 16-44
Modifying a Virtual Port
You can modify a virtual port through the modvp command. The modvp command is very
similar to the addvp command and the port configuration phase of the crgp command. To use
modvp, enter the command, followed by the Group number for the port, and the physical slot
and port number for the port:
modvp <Group Number for port> <Module Slot>/<Port Number>
You can specify only one port at a time. For example, if you wanted to modify the parameters
for Port 7 on the module in Slot 4, and the Port currently resides in Group 6, then you
would enter:
modvp 6 4/7
The procedure for using modvp is as follows:
1. Enter modvp followed by the Group number where the port currently resides, the physical
slot and port number.
2. A prompt displays requesting your confirmation:
Modify local port 7 (Virtual port (#14)) ? (y) :
Simply press <Enter> if this is the correct virtual port. The Virtual Port number in parentheses
(Virtual Port #14 in this case) is the virtual port number within this entire OmniAccess
512 or PizzaSwitch. Virtual ports are numbered sequentially within the switch, not within
a Group or VLAN.
3. The virtual port configuration menu displays:
Modify Ether/8 Vport 4/7 Configuration
1) Vport : 9
2) Description :
3) Bridge Mode : Auto-Switched
31) Switch Timer : 60
4) Flood Limit : 192000
5) Output Format Type : Default (IP-Eth II, IPX-802.3)
6) Ethernet 802.2 Pass Through : Yes
7) Admin, Operational Status : Enabled, inactive
8) Mirrored Port Status : Disabled, available
9) MAC Address : 000000:000000
Command {Item=Value/?/Help/Quit/Redraw/Next/Previous/Save} (Redraw) :
Descriptions for each of the fields in this display begin on page 16-28. To change any
default value, enter the line number for the item, an equal sign (=), and then the value for
the parameter. When you have completed the configuration for this port, enter save to
save all configured settings.
Deleting a Virtual Port
Page 16-45
Deleting a Virtual Port
You can delete a virtual port from its existing Group by using the rmvp command. When you
remove a virtual port, the port is moved to the default switch Group, Group #1, and all port
parameters are reset to defaults except for the port name. For example, if you configured a
port with a special flood limit and customized translation settings and you then removed the
port, you would lose those port settings.
To remove a port, enter the rmvp command, followed by the Group number where the port
currently resides and the physical slot and port number for the port:
rmvp <Group number> <Module Slot>/<Port Number>
For example, to delete Port 7 on the module in Slot 4, and the Port currently resides in Group
6, you would enter:
rmvp 6 4/7
A prompt displays requesting that you confirm the deletion:
Local port 7 (Virtual po...) is attached to this slot/interface - remove? (n):
Enter a y and press <Enter> to remove the port. Another message displays confirming the
deletion:
BRIDGE port on 4/7 moved to GROUP 1.
If the port you specified did not exist in the Group you specified in the rmvp command, then
a message similar to the following would display:
Specified port(s) not found on GROUP 6.
Viewing Information on Ports in a Group
Page 16-46
Viewing Information on Ports in a Group
The via command allows you to view port attachments associated with a specified Group or
all Groups in a switch. Entering
via
displays summary information for all virtual ports in the switch. You can also display virtual
interface attachments for a specific Group by specifying the Group ID after the via command.
For example, to view ports for Group 2, you would enter
via 2
The same type of information is displayed for a single Group as is displayed for all Groups.
The following screen shows a sample from the via command when specified without a Group
ID.
GROUP Interface Attachments For All Interfaces
GROUP: Service/ Admin
Slot/Intf Description Instance Protocol Status
======= ============================= ========== ========= =======
1.1 : * GROUP #1.0 IP router vport Rtr / 1 IP Enabled
2.1 : * for group 2 Rtr / 2 IP Enabled
1:2/1 Virtual port (#2) Brg / 1 Tns Enabled
1:2/2 Virtual port (#3) Brg / 1 Tns Enabled
1:2/3 Virtual port (#4) Brg / 1 Tns Enabled
2:2/4 finance server Brg / 1 Tns Enabled
1:2/5 Virtual port (#6) Brg / 1 Tns Enabled
1:2/6 Virtual port (#7) Brg / 1 Tns Enabled
1:2/7 Virtual port (#8) Brg / 1 Tns Enabled
1:2/8 Virtual port (#9) Brg / 1 Tns Enabled
1:3/1 Virtual port (#1) Brg / 1 Tns Enabled
1:4/1 Virtual port (#10) Brg / 1 Tns Enabled
1:4/2 Virtual port (#11) Brg / 1 Tns Enabled
1:4/3 Virtual port (#12) Brg / 1 Tns Enabled
1:4/4 Virtual port (#13) Brg / 1 Tns Enabled
1:4/5 Virtual port (#14) Brg / 1 Tns Enabled
1:4/6 Virtual port (#15) Brg / 1 Tns Enabled
GROUP: Slot/Intf. GROUP is the group number to which this port is assigned. When the Group
displays as a Group number followed by a decimal and a 1 (1.1 and 2.1 in the above sample),
it represents the router port on the default VLAN within that Group. Slot is the position in the
chassis of the switching module where this port is located. Intf (Interface) is the physical port
on the switching module. When the Slot and Interface are shown as an asterisk (*)—as the
top two entries in the above table display—it represents as virtual router port that does not
have a corresponding physical interface.
Description. The textual description entered for either the virtual router port or the virtual
switch port. This description was entered through crgp or modvl for virtual router ports, or
through crgp, addvp, or modvp for virtual switch ports.
Service/Instance. Service is the service type configured for this port. Instance is an identifier of
this service type within the switch. For example, multiple virtual router ports within the
switch will be labelled consecutively (1, 2, 3, etc.), and will each have a different Instance
number.
Viewing Information on Ports in a Group
Page 16-47
Values for the service type are as follows:
• Rtr Virtual router port
• Brg Virtual bridge port
• Tnk Virtual trunk port (used for WAN)
• FRT Frame Relay trunk port
• Lne LAN Emulation service port
• CIP Classical IP service port
• Vlc VLAN Clusters (X-LANE) service port
Protocol. The bridging protocol for virtual ports and services or the routing protocol for virtual
router ports. Possible values are:
• Tns Transparent bridge. Bridges maintain a dynamic table of known MAC
addresses on connected segments. The table is used to make forwarding decisions.
When a frame is received that contains a destination address that
matches an address in the table, it is forwarded to designated bridge ports
that are in forwarding state.
• SR IPIP Routing Protocol. Routing Information Protocol (RIP) used to learn routes
from neighboring routers. You configure an IP router through the crgp or
modvl commands. Other IP routing parameters can be set through the
Networking menu commands, which are described in Chapter 22, "IP Routing."
• IPX IPX Routing Protocol. Uses RIP to learn routes from neighboring routers and
the Service Advertising Protocol (SAP) to maintain a database of network
services for requesting workstations. Other IPX routing parameters can be set
through the Networking menu commands, which are described in Chapter 24,
"IPX Routing."
• CIP Classical IP Routing (RFC 1577). Classical IP is necessary when an ATM
network contains devices that support only CIP. This type of routing is
configured when you initially create a Group through the crgp command.
• FR Frame Relay IP Routing. WAN Routing Groups are configured slightly different
from other Groups. Frame Relay IP Routing is IP Routing with some
enhancements to account for the Frame Relay network.
Admin Status. Indicates whether the port is administratively Enabled or Disabled. When Enabled,
the port can transmit and receive data as long as a cable is connected and no physical or
operational problems exist. When Disabled, the port will not transmit or receive data even if a
cable is connected and the physical connection is operational. You can set the Admin Status
during port configuration phase of the crgp, addvp, or modvp commands.
Viewing Detailed Information on Ports
Page 16-48
Viewing Detailed Information on Ports
The vi command displays detailed information about virtual ports. Entering
vi
displays information for all virtual ports in the switch. You can also display information for
only ports in a specific Group by specifying the Group ID after the vi command. For example,
to view information only for ports in Group 6, you would enter
vi 6
The same type of information is displayed for a single Group as is displayed for all Groups.
The following screen shows a sample from the vi command when specified without a Group
ID.
Virtual Interface Summary Information- For All Interfaces
Status
Slot/ Type/ ------------------------------------
Group Intf Inst/Srvc MAC Address Prt Encp Admin Oper Spn Tr Mode
===== === =========== ============= === ==== ====== ===== ====== ======
1 All Rtr/ 1 0020da:020d40 IP ETH2 Enabld Active N/A N/A
2 All Rtr/ 2 0020da:020d43 IP ETH2 Enabld Active N/A N/A
2 All Rtr/ 3 0020da:020d44 IP ETH2 Enabld Active N/A N/A
1 3/1 Brg/ 1/ 1 0020da:048730 Tns DFLT Enabld Inactv Disabl Bridged
1 4/1 Brg/ 1/ na 0020da:030990 Tns DFLT Enabld Active Fwdng Bridged
1 4/2 Brg/ 1/ na 0020da:030991 Tns DFLT Enabld Inactv Disabl Bridged
1 4/3 Brg/ 1/ na 0020da:030992 Tns DFLT Enabld Inactv Disabl Bridged
1 4/4 Brg/ 1/ na 0020da:030993 Tns DFLT Enabld Inactv Disabl Bridged
1 4/5 Brg/ 1/ na 0020da:030994 Tns DFLT Enabld Inactv Disabl Bridged
1 4/6 Brg/ 1/ na 0020da:030995 Tns DFLT Enabld Inactv Disabl Bridged
1 4/7 Brg/ 1/ na 0020da:030996 Tns DFLT Enabld Inactv Disabl Bridged
2 4/8 Brg/ 1/ na 0020da:030997 Tns DFLT Enabld Inactv Disabl Bridged
1 5/1 Brg/ 1/ na 0020da:022860 Tns DFLT Enabld Inactv Disabl Bridged
Group. The Group number to which this port is currently assigned.
Slot/Intf. The slot (Slot) is the position in the chassis of the switching module where this port
is located. The interface (Intf) is the physical port on the switching module. If this column
reads All, then this port is a router port that supports all virtual ports in the Group.
Type/Inst/Srvc. The Service Type (Type), Instance (Inst) of this Service Type in the switch, and
service number (Srvc) for this virtual port. Service Type values are as follows:
• Rtr Virtual router port
• Brg Virtual bridge port
• Tnk Virtual trunk port (used for WAN)
• FRT Frame Relay trunk port
• Lne LAN Emulation service port
• Vlc VLAN clusters (X-LANE) service port
• CIP Classical IP service port
Viewing Detailed Information on Ports
Page 16-49
The Instance (Inst) is an identifier of this type of service within the switch. For example, if
more than one virtual router port is configured in the switch, then each "instance" of a router
will be given a different number. The service number (Srvc) is port-specific. If a port has
more than one service configured on it, then each service will be identified by a different
service number.
MAC Address. The MAC address for this virtual port. Each virtual port is allocated a MAC
address.
Prt. The bridging or routing protocol supported by this virtual port. Descriptions of these
protocol types are provided on page 16-47. Possible values are:
• Tns Transparent Bridge
• IP IP Routing Protocol
• IPX IPX Routing Protocol
• CIP Classical IP Routing (RFC 1577)
• FR Frame Relay IP Routing
Encp. Encapsulation used for outgoing packets on this virtual router or switch port. Possible
encapsulation values are:
• DFLT Default format for this switch port (differs for each interface type)
• SWCH Frame translations have been customized through the Switch menu
• ETH2 Ethernet II
• ESNP Ethernet 802.3 SNAP (virtual router ports)
• ELLC Ethernet 802.3 LLC (IPX router ports only)
• 8023 Ethernet 802.3, Novell Raw (IPX router ports only)
• 1490 Frame Relay Routing (RFC 1490)
• 1483 Classical IP Routing (RFC 1483)
• SNAP SNAP (switch ports only)
• LLC LLC (switch ports only)
Admin. Indicates whether the port is administratively Enabled or Disabled. When Enabld, the
port can transmit and receive data as long as a cable is connected and no physical or operational
problems exist. When Disabld, the port will not transmit or receive data even if a cable
is connected and the physical connection is operational. You can set the Administrative Status
during the port configuration phase of the crgp command, the addvp command, or the modvp
command. A port can have an Administrative Status of Enabled, but still be operationally
Inactive. See the description of the Oper column below.
Oper. Indicates the current Operational Status of the port. The port will be Active (Active) or
Inactive (Inactv). If the port is Active, then the port can pass data and has a good physical
connection. If it is Inactive, then it may not have a good physical connection and it is not
capable of passing data at this time.
Spn Tr. The port's current state as defined by the Spanning Tree Protocol. The possible Spanning
Tree States are: Disabled, Blocking, Listening, Learning, and Forwarding. This state
controls the action a port takes when it receives and transmits a frame. For ports which are
Administratively disabled or Operationally Inactive, this state will be Disabled (Disabl), meaning
the Spanning Tree algorithm is not active on this port. If the state is Blocking, then only
BPDUs will be transmitted and received. If the state is Forwarding, then both data and BPDU
frames will be transmitted and received. This Spanning Tree Protocol state is not applicable to
virtual router ports and will read N/A for those ports.
Viewing Detailed Information on Ports
Page 16-50
Mode. The Bridge Mode currently in use on this port. This mode is chosen during the port
configuration phase of the crgp command, through the addvp command, or through the
modvp command. It is not applicable to virtual router ports and will read N/A for those ports.
Possible values are:
• Bridged Spanning Tree Bridge.
• AutoSw Auto Switch.
• Optimzd Optimized Device Switching.
See page 16-28 for a description of these bridge modes.
Viewing Port Statistics
Page 16-51
Viewing Port Statistics
The vs command displays transmit and receive statistics for ports in the switch. Entering
vs
displays statistics for all virtual ports in the switch. You can also display statistics for only
ports in a specific Group by specifying the Group ID after the vs command. For example, to
view statistics only for ports in Group 6, you would enter
vs 6
You can also display statistics for a specific port by entering the slot and port number after
the vs command. For example, to view statistics only for Port 1 on the module in Slot 4, you
would enter
vs 4/1
The same type of information is displayed for a single Group or port as is displayed for all
ports in a switch. The following screen shows a sample from the vs command when specified
without any Group or port parameters.
Virtual Interface Statistical Information- For All Interfaces
Frames Octets UcastPkts NUcastPkts
Slot/ Service/ In In In In
Group Intf Instance Out Out Out Out
===== === =========== =========== =========== ============ =============
1 All Rtr/ 1
2 All Rtr/ 2
3 All Rtr/ 3
1 3/1 Tnk/ 1 0 0 0 0
0 0 0 0
1 4/1 Brg/ 1 17774 1739560 1707 16067
684 103048 681 3
1 4/2 Brg/ 1 0 0 0 0
0 0 0 0
1 4/3 Brg/ 1 0 0 0 0
0 0 0 0
1 4/4 Brg/ 1 0 0 0 0
0 0 0 0
1 4/5 Brg/ 1 0 0 0 0
0 0 0 0
1 4/6 Brg/ 1 0 0 0 0
0 0 0 0
1 4/7 Brg/ 1 0 0 0 0
0 0 0 0
1 4/8 Brg/ 1 0 0 0 0
0 0 0 0
1 5/1 Brg/ 1 0 0 0 0
0 0 0 0
Group, Slot/Intf. These columns are described for the vi command on page 16-48.
Service/Instance. The Service Type (Service) and Instance (Instance) of this Service Type in the
switch.
Viewing Port Statistics
Page 16-52
Service Type values are as follows:
• Rtr Virtual router port
• Brg Virtual bridge port
• Tnk Virtual trunk port (used for WAN)
• FRT Frame Relay trunk port
• Lne LAN Emulation service port
• Vlc VLAN clusters (X-LANE) service port
• CIP Classical IP service port
The Instance (Inst) is an identifier of this type of service within the switch. For example, if
more than one virtual router port is configured in the switch, then each "instance" of a router
will be given a different number.
Frames In/Out. The number of frames received or sent from this port. The top number for each
port row is the number of frames received, and the bottom number is the number of frames
sent. Statistics are not provided for virtual router ports in this display, but they are provided
through Networking menu commands. See Chapters 22 and 24 for further information on
router port statistics.
Octets In/Out. The number of octets, or bytes, received or sent from this port. The top number
for each port row is the number of octets received, and the bottom number is the number of
octets sent. Statistics are not provided for virtual router ports, but they are provided through
Networking menu commands. See Chapters 22 and 24 for further information on router port
statistics.
Ucast Pkts In/Out. The total number of unicast packets received or sent from this port. The top
number for each port row is the number of unicast packets received, and the bottom number
is the number of unicast packets sent. Statistics are not provided for virtual router ports, but
they are provided through Networking menu commands. See Chapters 22 and 24 for further
information on router port statistics.
Non Ucast Pkts In/Out. The total number of non-unicast packets received or sent from this port.
Non-unicast frames include multicast and broadcast frames. The top number for each port
row is the number of non-unicast packets received, and the bottom number is the number of
non-unicast packets sent. Statistics are not provided for virtual router ports, but they are
provided through Networking menu commands. See Chapters 22 and 24 for further information
on router port statistics.
Viewing Port Errors
Page 16-53
Viewing Port Errors
The ve command displays port error statistics for ports in the switch. Entering
ve
displays error statistics for all virtual ports in the switch. You can also display errors statistics
for only ports in a specific Group by specifying the Group ID after the ve command. For
example, to view errors only for ports in Group 6, you would enter
ve 6
You can also display error statistics for a specific port by entering the slot and port number
after the ve command. For example, to view errors only for Port 1 on the module in Slot 4,
you would enter
ve 4/1
The same type of information is displayed for a single Group or port as is displayed for all
ports in a switch. The following screen shows a sample from the ve command when specified
without any Group or port parameters.
Virtual Interface Error Information- For All Interfaces
Slot/ Service/ Buffer Discards Error Discards
Group Intf Instance In Out In Out
===== === =========== =========== =========== ============ =============
2 All Rtr/ 1
3 All Rtr/ 2
1 All Rtr/ 1
1 3/1 Tnk/ 1 0 0 0 0
1 4/1 Brg/ 1 0 0 0 0
1 4/2 Brg/ 1 0 0 0 0
1 4/3 Brg/ 1 0 0 0 0
1 4/4 Brg/ 1 0 0 0 0
1 4/5 Brg/ 1 0 0 0 0
1 4/6 Brg/ 1 0 0 0 0
1 4/7 Brg/ 1 0 0 0 0
1 4/8 Brg/ 1 0 0 0 0
1 5/1 Brg/ 1 0 0 0 0
Group, Slot/Intf. These columns are described for the vi command on page 16-48.
Service/Instance. The Service Type (Service) and Instance (Instance) of this Service Type in the
switch. Service Type values are as follows:
• Rtr Virtual router port
• Brg Virtual bridge port
• Tnk Virtual trunk port (used for WAN)
• FRT Frame Relay trunk port
• Lne LAN Emulation service port
• Vlc VLAN clusters (X-LANE) service port
• CIP Classical IP service port
Viewing Port Errors
Page 16-54
The Instance (Inst) is an identifier of this type of service within the switch. For example, if
more than one virtual router port is configured in the switch, then each "instance" of a router
will be given a different number.
Buffer Discards In/Out. For transmit (Out) and receive (In), the number of frames discarded due
to a lack of buffer space. Buffer discard information is not provided for virtual router ports.
Error Discards In/Out. For transmit (Out) and receive (In), the number of frames discarded due
to errors. Error discard information is not provided for virtual router ports.
Port Mirroring
Page 16-55
Port Mirroring
You can set up Port Mirroring for any pair of Ethernet (10 or 10/100 Mbps) ports within the
same switch. When you enable port mirroring, the active, or "mirrored," port transmits and
receives network traffic normally, and the "mirroring" port receives a copy of all transmit and
receive traffic to the active port. You can connect an RMON probe or network analysis device
to the mirroring port to see an exact duplication of traffic on the mirrored port without
disrupting network traffic to and from the mirrored port.
Port mirroring is supported on OmniAccess 512 switches for Ethernet (10 or 10/100 Mbps)
ports only. An Ethernet port can only be mirrored by one other Ethernet port. A mirroring
port can only mirror one port at a time. Up to five (5) mirroring sessions (mirrored-mirroring
port pairs) are supported in a single switch. The mirrored and mirroring ports can be in different
Groups and different VLANs.
How Port Mirroring Works
When a frame is received on a Mirrored Port it is copied and sent to the Mirroring Port. The
received frame is actually transmitted twice across the switch backplane—once for normal
bridging and then again to the Mirroring Port.
When a frame is transmitted by the mirrored port, a copy of the frame is made, tagged with
the mirroring port as the destination, and sent back over the switch backplane to the mirroring
port. The following diagram illustrates the data flow for a Mirrored-Mirroring port pair.
Relationship Between Mirrored and Mirroring Port
When port mirroring is enabled, there may be some performance degradation since all frames
received and transmitted by the Mirrored port need to be copied and sent to the Mirroring
port.
What Happens to the Mirroring Port
Once you set up port mirroring and attach cables to the Mirrored and Mirroring ports, the
Mirroring port is administratively disabled and no longer a part of the Bridging Spanning Tree.
The Mirroring port does not transmit or receive any traffic on its own. In addition, the Admin
Status of the mirroring port displays in switch software commands, such as vi, as
M <slot> <port>
where <slot> is the slot number of the module containing the mirrored port, and <port> is the
port number of the mirrored port. For example, if the Admin Status of a port displayed as
M 2 02
then you would know this port is mirroring traffic for Port 2 in Slot 2.
Mirrored Port Mirroring Port
Incoming
Frames
Outgoing
Frames
Copied Incoming Frames
Copied Outgoing Frames
Incoming and outgoing
frames on the Mirrored port
are copied and transmitted
to the Mirroring Port.
Port Mirroring
Page 16-56
If a cable is not attached to the Mirrored port, port mirroring will not take place. In this case,
the Mirroring Port reverts back to its normally operational state and will bridge frames as if
port mirroring were disabled.
Using Port Mirroring With External RMON Probes
Port mirroring is a helpful monitoring tool when used in conjunction with an external RMON
probe. Once you set up port mirroring, the probe can collect all relevant RMON statistics for
traffic on the mirrored port. You can also move the Mirrored Port so that the Mirroring Port
receives data from different ports. In this way, you can roam the switch and monitor traffic at
various ports.
If you attach an external RMON probe to a mirroring port, that probe must have an IP address
that places it in the same VLAN as the mirrored port. In addition if you change the mirrored
port, then you must again make sure that the RMON probe is in the same VLAN as that new
mirrored port.
Mirrored and Mirroring Ports in Same VLAN
Frames received from an RMON probe attached to the Mirroring Port can be seen as being
received by the Mirrored Port. These frames from the Mirroring Port are marked as if they are
received on the Mirrored Port before being sent over the switch backplane to an NMS station.
Therefore, management frames from an NMS station that are destined for the RMON probe are
first forwarded out the Mirrored Port. After being received on the Mirrored Port, copies of the
frames are mirrored out the Mirroring Port—the probe attached to the Mirroring Port receives
the management frames. The illustration on the following page shows this data flow.
Mirrored Port Mirroring Port
RMON Probe
Must be in same VLAN.
Port Mirroring
Page 16-57
Port Mirroring Using an External RMON Probe
_ Important Note _
The Mirroring Port is not accessible from the NMS
device. From the NMS station, the Mirroring Port will
appear disabled or down.
Mirrored Port Mirroring Port
RMON probe frames from
the Mirroring Port appear to
come from the Mirrored Port
when the NMS workstation
receives them.
RMON Probe
_
NMS
Workstation
RMON probe frames sent
from the Mirroring Port.
_
Mirrored Port Mirroring Port
RMON Probe
NMS
Workstation
Management frames from the
NMS workstation are sent to
the Mirrored Port.
_
Port mirroring sends copies
of management frames
to the Mirroring Port.
_
Port Mirroring
Page 16-58
Setting Up Port Mirroring
You set up port mirroring when you add or modify a port through the addvp or modvp
commands. The switch software senses the type of port you are configuring, so it will only
prompt you for port mirroring when configuring an Ethernet port. Follow the steps below to
set up port mirroring.
1. Start the addvp or modvp command for the virtual port that you want to mirror.
2. At the Command prompt enter 8=e, press <Enter> and you will be prompted for the slot
and port number of the "mirroring" port (i.e., the port that can "see" all traffic for this
port):
Mirroring vport slot/port ? ( ) :
3. Enter the mirroring port's slot, a slash (/), the port number, and then press <Enter>. The
port that you indicate here will be disabled and only capable of receiving duplicate traffic
from the mirrored port. If port mirroring is not supported on this port, then the following
prompt will display:
mirroring not supported on this port type
After entering the Mirroring slot and port number, the addvp or modvp screen of options
re-displays with the changes you entered. If you are done modifying or adding the port,
enter save at the Command prompt. If using the addvp command a message indicating that
you have successfully set up the port displays. Port mirroring takes place immediately, so
you could now connect a probe or network analyzer to the Mirroring port.
Disabling Port Mirroring
You can disable port mirroring through the modvp command. Follow these steps to disable
port mirroring.
1. Start the modvp command for the virtual port on which you want to disable port mirroring.
2. At the Command prompt enter 8=d, press <Enter>. The modvp screen re-displays. The
Mirrored Port Status field should read Disabled, available.
Port Monitoring
Page 16-59
Port Monitoring
An essential tool of the network engineer is a network packet capture device. A packet
capture device is usually a PC-based computer, such as the Sniffer®, that provides a means for
understanding and measuring data traffic of a network. Understanding data flow in a VLANbased
switch presents unique challenges primarily because traffic takes place inside the
switch, especially on dedicated devices.
The port monitoring feature built into OmniAccess 512 software allows the network engineer
to examine packets to and from a specific Ethernet port. Port monitoring has the following
features:
• Software commands to enable and display captured port data.
• Captures data in Network General® file format.
• Limited protocol parsing (basic IP protocols and IPX) in console dump display.
• Data packets time stamped.
• One port monitored at a time.
• RAM-based file system.
• Memory buffer space from 1 MB to 8 MB.
• Statistics gathering and display
• Monitors only Ethernet ports
• Filtering limited to basic packet type—broadcast, multicast or unicast.
You can select to dump real-time packets to the terminal screen, or send captured data to a
file. Once a file is captured, you can FTP it to a Sniffer for viewing.
Port Mirroring
An alternate method of monitoring ports is Port Mirroring, which allows a network engineer
to attach a Sniffer to one Ethernet port and mirror traffic to and from any other Ethernet port.
Port mirroring is described in Port Mirroring on page 16-55.
Port Monitoring Menu
The port monitoring commands are contained on the port monitoring menu, which is a submenu
of the Networking menu. The port monitoring menu displays as follows:
Command Port Monitoring Menu
pmon Port monitor utility
pmcfg Configure port monitor parameters
pmstat View port monitor statistics
pmd Port monitor disable
pmp Port monitor pause
Main File Summary VLAN Networking
Interface Security System Services Help
/Networking/Monitor %
The commands in this menu are described in the following sections.
Port Monitoring
Page 16-60
RAM Disk System for Data Capture Files
Port monitoring uses a RAM disk for fast temporary storage of data capture files. The RAM disk
has a separate directory designation of /ram. RAM-based files are created in DOS-FAT format
and they are displayed in UPPERCASE.
You can copy files between the /ram disk system and the standard /flash file system. In addition,
files in the RAM disk system are retrievable via FTP. Both the /ram file system and the
/flash file system are accessible by using the UNIX/DOS-style change directory (cd) command.
_ Note _
The RAM drive is part of DRAM memory. If you power
off or reboot the switch, any files saved in the RAM
drive will be lost.
Configuring RAM Drive Resources (pmcfg)
The pmcfg command allows you to select the size of the RAM disk file system or to delete the
RAM disk. In addition, it allows you to configure the amount of data collected for each packet
capture. To begin configuring RAM drive resources, enter
pmcfg
A screen similar to the following displays:
RAM disk size : 1000 Kilobytes
Lines displayed: 1
Change any of the above (y/n)? (n)
To change one of the settings, enter a Y and press <enter>. You will be prompted for a new
RAM drive size. Select a size in kilobytes between 1000 and 8000. You can also delete the
RAM drive by entering a size of zero (0). Changing the RAM disk size also requires that you
reboot the system.
The Lines displayed controls the amount of data displayed to the terminal when you choose to
dump session data to the computer screen. You can specify the number of lines to display
while viewing port monitor data on the screen.
Changing the Default System Directory (cd)
After a port monitoring session is enabled the default directory is the RAM disk system (/ram).
To switch back to the standard default flash file system (/flash) use the cd command. To
switch back to the default directory, enter
cd /flash
To switch back to the RAM disk directory, enter
cd /ram
Port Monitoring
Page 16-61
Starting a Port Monitoring Session (pmon)
You enable a port monitoring session through the pmon command. To start a session, enter
pmon followed by the slot and port number that you want to monitor. For example, to monitor
a port that is the first port in the second slot of the switch, you would enter
pmon 2/1
You can only monitor Ethernet ports. If a port is already being mirrored (enabled through the
addvp or modvp command) you cannot monitor it. Also, you cannot set up more than one
monitoring session on the same port.
If the port is currently being monitored, or mirrored, the following message displays:
Port 2/1 is being monitored.
Disable monitoring? (y)
If the port is not being monitored, or mirrored, the following message displays:
Port 2/1 is not being monitored, or mirrored.
Enable monitoring? (y)
Enter a Y and press <enter> at this prompt. The following screen of options displays:
Slot/Port : 2/1
RAM disk size 1000 Kilobytes
Capture to filename : y
Capture filename : PMONITOR.ENC
Dump to screen : y
Broadcast frames : y
Multicast frames : y
Unicast frames : y
Change any of the above (y/n)? (n) :
If you want to change any of the values, enter a Y and press <enter>. You will be prompted
for all of the values in the screen except the RAM disk size, which you must change through
the pmcfg command before starting the session. The information selected in this screen will
be saved in flash configuration memory.
Enter any new values as prompted. The above screen re-displays to show the new values.
Press <enter> to accept the updated values. Messages similar to the following display:
1048576 byte RAM drive /ram already initialized.
Bytes remaining on RAM disk = 1040384
The port monitoring session has begun. What happens at this point depends on whether you
chose the Dump to screen option. The sections below describe what happens in each case.
_ Important Note _
If you change the capture filename from the default,
you must specify /ram. Otherwise, the file will be saved
in the flash directory.
Port Monitoring
Page 16-62
If You Chose Dump to Screen
If you selected the Dump to screen option, then a real-time synopsis of the session displays on
your terminal screen. The following shows an example of this data
Enter 'p' to pause, 'q' to quit.
Destination | Source | Type | Data
--------------------------------------------------------------------------------------------------------------
00:20:DA:04:01:02 | 00:20:DA:04:01:01 | ICMP | 01:02:03:04:05:06:07:08
00:20:DA:04:01:02 | 00:20:DA:04:01:01 | ICMP | 01:02:03:04:05:06:07:08
FF:FF:FF:FF:FF:FF | 00:20:DA:02:10:E3 | ARP-C | 08:06:00:01:08:00:06:04
FF:FF:FF:FF:FF:FF | 00:20:DA:6F:97:A3 | RIP | 08:00:45:00:00:34:22:30
Each line in the display represents a packet. The destination MAC address, source MAC
address, protocol type and actual packet data are shown. The amount of data shown is
configured through the pmcfg command. The above sample shows 16 bytes of data per
packet. You can stop the data dump to the screen at anytime by pressing q to quit. You can
also pause the data dump by pressing p to pause.
If You Did Not Choose Dump to Screen
If you did not select the Dump to screen option, then the system prompt will return and port
monitoring occurs in the background. You can continue using other UI commands. The port
monitoring session data is saved in the file you indicated through the pmon screen. You can
monitor the session at anytime by using the pmstats command. You can also end or pause an
in-progress session using the pmdelete or pmpause commands, respectively. The following
sections describes pmdelete and pmpause.
Ending a Port Monitoring Session (pmdelete)
The pmdelete command ends a port monitoring data capture session that is being saved to file
but not being dumped to the console screen. To end the session, enter:
pmd
A message similar to the following displays:
Port monitoring session terminated, data file is xxxxx.ENC.
If a port monitoring session was not in progress then the following message displays:
No ports being monitored.
Pausing a Port Monitoring Session (pmpause)
The pmpause command pauses a port monitoring data capture session that is being saved to
file but not being dumped to the console screen. To pause the session, enter:
pmp
The following message displays
Pausing monitor data capture/display.
To resume the port monitoring session, enter pmp again. The following message displays:
Resuming monitor data capture.
If a port monitoring session was not in progress, then the following message would display:
No ports being monitored.
Port Monitoring
Page 16-63
Ending a Port Monitoring Session
After you quit a port monitoring session, the default directory changes to /ram and the current
files on the RAM drive are listed. The screen below shows an example of the display at the
completion of a monitoring session.
Port monitoring capture done. Current capture files listed:
Current working directory '/ram'.
PM0302.ENC 65536 10/20/96 12:12
PM0303.ENC 32768 10/20/96 11:15
950272 bytes free
Viewing Port Monitoring Statistics (pmstat)
The pmstat command displays the statistics gathered for the current or most recent port monitoring
session. If a port monitoring session is currently in progress, then it displays the results
of the in-progress session. If a port monitoring session is not in progress, then it displays
results of the most recently completed session. To view session statistics, enter
pmstat
A screen similar to the following displays:
Viewing capture statistics:
Percent RAM available: 96%
Frame type #Frames
------------------ --------------
Broadcast 108
Multicast 253
Unicast 301
The Percent RAM available indicates how much of the configured RAM disk has been used by
this port monitoring session. You can configure the size of the RAM disk through the pmcfg
command; the default size is 1 MB. The remaining items in the display show the number of
packets passed on the port broken down into broadcast, multicast, and unicast frames.
Port Mapping
Page 16-64
Port Mapping
The OmniAccess 512 began as an any-to-any switching device, connecting different LAN interfaces,
such as Ethernet, Token Ring, and FDDI. As networks grew and the traffic on them
increased, a need arose for controlling some traffic, such as broadcasts. Virtual LANs, or
VLANs, were introduced to segment traffic such that devices could only engage in switched
communication with other devices in the same VLAN.
Some applications today require a further degree of traffic segmentation than that provided by
VLANs. The port mapping feature allows you to further segment traffic within a VLAN or
group by isolating a set of ports.
Groups/VLANs and Port Mapping
Port mapping does not affect existing group or AutoTracker VLAN operations in a switch.
Group and VLAN membership are checked and applied before port mapping constraints are
applied. Therefore, any constraints applied by port mapping only limit traffic flow within a
group or VLAN; port mapping parameters do not provide any additional connectivity to a port.
So if you add a port to a port mapping set, that port will be first subject to the constraints of
its Group/VLAN and then the restrictions imposed by port mapping. Up to 128 port mapping
sets can be configured per switch.
The illustration below helps show how group and port mapping constraints interact. The
ports (2/1, 2/2, 2/7, and 2/8 are part of groups 3. By group membership, all of these ports
have switched communication with each other. Likewise, the ports 2/3, 2/4, 2/5, and 2/6 have
switched communication with each other as they all belong to group 2.
Groups and Port Mapping
Once a port mapping set is constructed, communication within each of the groups becomes
more restricted. A port mapping set consists of ingress and egress ports; ingress ports can only
send traffic to egress ports. In the above figure, all ports in subset A are ingress ports and
ports subset B are egress ports.
12345678
OmniAccess 512
Mobile Group 2
2/5 2/6 2/7 2/8
2/1 Mobile Group 3
2/3
2/4
2/2
Port Mapping Subset B
Port
Mapping
Subset A
Port Mapping
Page 16-65
Port communication is uni-directional. A mapping between an ingress port and an egress port
can only pass data from the ingress port to the egress port. To allow traffic to flow the from
the egress port to the ingress port, it is necessary to create a new mapping.
This configuration restricts each port to communication only with the other four ports in the
opposite port mapping subset within the same group. For example, port 2/1 can only send traffic
to ports 2/7 and 2/8. It can no longer communicate with port 2/2 even though it is part of
the same group. Port mapping restricts ports from communicating with other ports within the
same subset.
Port mapping does not affect other ports in the group that are not part of the port mapping
set.
The Details of Port Mapping
Port mapping can be thought of as special rule that is applied after standard group and VLAN
rules are applied. This rule statically assigns a port as either an ingress or egress port. Ingress
ports can only communicate with egress ports. In this sense, one subset of ports is "mapped"
to another subset of ports. Ports within the same subset can not communicate with each other
or with another switch port that is not a member of the opposite port mapping subset.
_ Note _
Port mapping restrictions are only applied to ports on
10/100 Ethernet ports.
As an illustration, see the diagram of an OmniAccess 512. The ports are in slot 2. The ports
that are circled are included in a port mapping subset. The first subset is port 2/1-4 and are
ingress ports. The second subset includes ports 2/9-12, and are egress ports in the port
mapping set.
Port Subsets in the Port Mapping Set
Other side of the
paired set. Ports
2/9-12 These ports
are subset B.
One side of the
paired set. Ports
2/1-4. This port is
subset A.
PS
TP CONSOLE
10/100
4 8
OmniAccess 1 5
512
OK2
OK1
12
9
1X 2X 3X 4X 5X 6X 7X 8X 9X 10X 11X 12X
S1
S4
S3/1 S3/2
Port Mapping
Page 16-66
Who Can Talk to Whom?
The following matrix outlines which ports can communicate with each other in the example
shown on the previous page assuming all ports are part of the same group or VLAN. A port
can only communicate with ports in the opposite subset within the port mapping set.
Port communication is uni-directional. A mapping between an ingress port and an egress port
can only pass data from the ingress port to the egress port. To allow traffic to flow the from
the egress port to the ingress port, it is necessary to create a new mapping.
It's important to remember that the port mapping configuration is affected by existing group/
VLAN rules. If the ports in the above example belonged to three groups based on IP network
rules, then they would be restricted by group membership and port mapping.
Port Mapping Limitations
The following are restrictions to the use of the port mapping feature:
• Port mapping cannot be used with ports assigned to an 802.1Q group.
• Port mapping cannot be used with an OmniChannel unless all ports in the OmniChannel
are included in the port mapping (on either the ingress or egress list). For example, if ports
3/1-3/4 are an OmniChannel, all four ports must be in the ingress or egress list. You could
not just map port 3/1.
Switch Ports That May Communicate*
2/1 2/2 2/3 2/4 2/9 2/10 2/11 2/11
2/1 N/A No No No Yes Yes Yes Yes
2/2 No N/A No No Yes Yes Yes Yes
2/3 No No N/A No Yes Yes Yes Yes
2/4 No No No N/A Yes Yes Yes Yes
2/9 Yes Yes No No N/A No No No
2/10 No No No No No N/A No No
2/11 No No No No No No N/A No
2/12 No No No No No No No N/A
* Read table from left to right.
Port Mapping
Page 16-67
Creating a Port Mapping Set
Use the pmapcr command to create a port mapping set. Follow these steps:
1. Enter pmapcr at a system prompt.
2. The following screen displays:
Port Map Configuration
1. Ingress List :
2. Egress List :
Enter the ingress ports and egress ports for this map set. This is done by entering the line
number, an equal sign, and the port (or ports) to be added. For example, if you want to
create a map set with and ingress port of 2/6 and an egress port of 2/8, you would enter
the following at the prompt:
1=2/6
2=2/8
This must be done in two separate operations, one for the ingress and one for the egress
lists. You can add more than one port to a list by using a comma (,) between slot/port
designations, or a dash (-) between port numbers. For example, if you wanted to make
ports 2/1, 2/6, 2/7, 2/8, and 2/9 egress ports for this map set, you would enter the following:
2=2/1, 2/6-9
A switch port in the ingress list can only communicate with switch ports in the egress list.
Switch ports in the same list cannot communicate with each other or any other ports in
the switch. For example, if you enter:
1=2/1, 2/2
2=2/3, 2/4
then you are creating a paired set of four ports. Port 2/1 can only communicate with ports
2/3 or 2/4. It cannot communicate with any other ports in the switch, including port 2/2.
Port 2/2 also can only communicate with ports 2/3 and 2/4, but no others.
Any port type may be added to a port mapping set. However, only Mammoth-generation
Ethernet ports will be restricted by port mapping limitations. For example, you could add
a non-Ethernet port to the set, but traffic from that port would not be restricted.
3. You will want to save your configuration, so enter an s at the port-mapping prompt. Your
configuration will be saved. A prompt similar to the following appears to confirm the
creation of the port map:
Port Map 7 created.
The port map number is used when modifying the map set.
It is important to remember that port communication is uni-directional. A mapping between
an ingress port and an egress port can only pass data from the ingress port to the egress port.
To allow traffic to flow the from the egress port to the ingress port, it is necessary to create a
new mapping.
Port Mapping
Page 16-68
Adding Ports to a Port Mapping Set
You can add ports to a port map set once it has been created using the pmapmod command.
Follow these steps:
1. Enter the pmapmod command at a system prompt, as shown:
pmapmod <pmap id>
where <pmap id> is the map set number shown when the map set was created. (To view a
list of all existing map sets, see Viewing a Port Mapping Set on page 16-70.) For example,
to modify map set 5, you would enter the following:
pmapmod 5
2. The following screen displays:
Port Mapping Configuration
=======================
Port Map Id Ingress Ports Egress Ports
----------------- ------------------- ------------------
5 2/1, 2/2, 2/3 2/1, 2/2, 2/3
Modify Port Map 5
1. Add Ports to Ingress List :
2. Add Ports to Egress List :
3. Delete Ports from Ingress List :
4. Delete Ports from Egress List :
5. View Port Map Configuration :
Note that the current ports in the port mapping set are displayed. Use this information to
make decisions on the ports you want to add or remove from the set.
Enter the line number for the operation you want to perform (a 1 for the ingress list or a 2
for the egress list), an equal sign (=), and the ports to be added. For example, add port 2/
2 to the ingress list and the egress list, enter the following (in two separate operations):
1=2/2
2=2/2
You can add more than one port to a list by using a comma (,) between slot/port designations,
or a dash (-) between port numbers. For example, if you wanted to make ports 2/1,
2/6, 2/7, 2/8, and 2/9 egress ports for this map set, you would enter the following:
2=2/1, 2/6-9
3. To view the changes, enter a 5 (View Port Map Configuration), and equal sign (=), and a y,
as shown:
5=y
This will refresh the Port Mapping Configuration screen and display any changes you
have made.
4. Quit the session by entering a q at the prompt.
Port Mapping
Page 16-69
Removing Ports from a Port Mapping Set
You can remove ports to a port map set once it has been created using the pmapmod
command. Follow these steps:
1. Enter the modpmap command at a system prompt, as shown:
pmapmod <pmap id>
where <pmap id> is the map set number shown when the map set was created. (To view a
list of all existing map sets, see Viewing a Port Mapping Set on page 16-70.) For example,
to modify map set 5, you would enter the following:
pmapmod 5
2. The Port Mapping Configuration screen displays (as shown above in Adding Ports to a
Port Mapping Set on page 16-68).
Enter the line number for the operation you want to perform (a 3 for the ingress list or a 4
for the egress list), an equal sign (=), and the ports to be added. For example, remove
port 2/2 to the ingress list and the egress list, enter the following (in two separate operations):
3=2/2
4=2/2
You can remove more than one port to a list by using a comma (,) between slot/port
designations, or a dash (-) between port numbers. For example, if you wanted to remove
ports 2/1, 2/6, 2/7, 2/8, and 2/9 from the egress list of this map set, you would enter the
following:
4=2/1, 2/6-9
3. To view the changes, enter a 5 (view port may configuration), and equal sign (=), and a y,
as shown:
5=y
This will refresh the Port Mapping Configuration screen and display any changes you
have made.
4. Quit the session by entering a q at the prompt.
Port Mapping
Page 16-70
Viewing a Port Mapping Set
You can view a port mapping set using the vpmap command. Enter the pmapv command as
shown:
pmapv <pmap id>
where <pmap id> is the map set number shown when the map set was created. For example,
to modify map set 5, you would enter the following:
pmapv 5
The following screen is shown:
Port Mapping Configuration
=======================
Port Map Id Ingress Ports Egress Ports
----------------- ------------------- ------------------
5 2/1, 2/2, 2/3 2/1, 2/2, 2/3
As a variation of this command, enter the vpmap command with no port map identification.
This will display all port mapping sets configured for this switch.
Port Map Id. An identification number for the port map set, generated when the set is created.
Ingress Ports. The switch ports designated as ingress ports for this port map set. Ingress ports
can only communicate with egress ports.
Egress Ports. The switch ports designated as egress ports for this port map set. Egress ports
can only communicate with ingress ports.
Deleting a Port Mapping Set
You can delete a port mapping set after it is created. Enter pmapdel at a prompt as shown:
pmapdel <pmap id>
where <pmap id> is the map set number shown when the map set was created. (To view a list
of all existing map sets, see Viewing a Port Mapping Set on page 16-70.) For example, to
modify map set 5, you would enter the following:
pmapdel 5
Priority VLANs
Page 16-71
Priority VLANs
Prioritizing VLANs allows to you set a value for traffic based on the destination VLAN of packets.
Traffic with the higher priority destination will be delivered first. VLAN priority can be set
from 0 to 7, with 7 being the level with the most priority.
The following diagram illustrates this idea:
In the above diagram, traffic from VLAN 1 to VLAN 4 would have priority over traffic from
VLAN 1 to VLAN 3. Conversely, traffic sent from VLAN 4 to VLAN 2 would have priority over
traffic from VLAN 4 to VLAN 1.
Group priority can be set when creating a group using the crgp command. For more information
on the crgp command, see Chapter 16, "Managing Groups and Ports."
Group priority can modified or viewed using the prty_mod and prty_disp commands, detailed
below.
_ Note _
Although the range of VLAN priority is 0-7, the current
implementation only supports two levels of priority. In
other words, 0-3 is one level and 4-7 is another. Future
releases will expand the number of priority levels.
Switch A Switch B
Client 1 Client 2
Client 3 Client 4
VLAN 1
VLAN 2
(Priority 0)
(Priority 7)
Priority VLANs
Page 16-72
Configuring VLAN Priority
To configure the priority of a VLAN:
1. Enter the prty_mod command at the system prompt, as shown:
prty_mod <groupId>
where <groupId> is the group number associated with the VLAN whose priority is being
set. For example, to modify the priority of the VLAN for Group 2, you would enter the
following:
prty_mod 2
The following prompt is shown:
Enter a priority value which is between 0 and 7: 0
2. Enter the number value that is to be the new priority level for this VLAN. The highest
(most important) value is 7.
3. Press <enter>. A message similar to the following is displayed:
Priority for VLAN 2 has been set as 7
Viewing VLAN Priority
The priority level for all configured VLANs can be viewed by using the prty_disp command.
Enter the prty_disp at the system prompt, as shown:
prty_disp <groupId>
where <groupId> is the group number associated with the VLAN whose priority is being
viewed. For example, to view the priority of the VLAN for Group 2, you would enter the
following:
prty_disp 2
A display similar to the following is shown:
The priority of group 2 is 7
As a variation of this command, you can enter prty_disp at the system prompt without a group
number. This will display the priority of all VLANs.
沒有留言:
張貼留言