User Manual6610

The SURPASS hiD 6610 S311 user manual provides essential safety information, emphasizing that only trained personnel should handle the equipment due to elevated voltages and temperatures. It includes details on the product's compliance with safety standards, licensing for Open Source Software, and instructions for system configuration and management. The document also outlines the structure of the manual, covering various operational modes, system connections, authentication methods, and configuration management.
User Manual

SURPASS hiD 6610 S311 R1.0

UMN : CLI

DDJ:A-M-5524B5-01

Important Notice on Product Safety


Elevated voltages are inevitably present at specific points in this electrical equipment. Some of the parts may also have elevated operating temperatures.

Non-observance of these conditions and the safety instructions can result in personal injury or in property damage.

Therefore, only trained and qualified personnel may install and maintain the system.

The system complies with the standard EN 60950 / IEC 60950. All equipment connected has to comply with the applicable safety standards.

Trademarks:

All designations used in this document can be trademarks, the use of which by third parties for their own purposes could violate the rights of their owners.

Copyright (C) Siemens AG 2005.

Issued by Communications Group


Hofmannstraße 51
D-81359 München

Technical modifications are possible.


Technical specifications and features are binding only insofar as
they are specifically and expressly agreed upon in a written contract.

This Siemens product, SURPASS hiD 6610, contains both proprietary software and "Open Source Software". The Open Source Software is licensed to you at no charge under the GNU General Public License (GPL) and the GNU Lesser General Public License (LGPL). This Open Source Software was written by third parties and enjoys copyright protection. You are entitled to use this Open Source Software under the conditions set out in the GPL and LGPL licenses indicated above. In the event of conflicts between Siemens' license conditions and the GPL or LGPL license conditions, the GPL and LGPL conditions shall prevail with respect to the Open Source portions of the software.

The GPL can be found under the following URL:

http://www.gnu.org/copyleft/gpl.html

The LGPL can be found under the following URL:

http://www.gnu.org/copyleft/lgpl.html

The Open Source Software's source code, including related copyright notices, can be found under the following URL:

http://now-portal.c-lab.de/projects/………….

In addition, if the source code to the Open Source Software has not been delivered with this product, you may obtain the source code (including the related copyright notices) by sending your request to the following address/fax number: +82-2-3484-6551

You will, however, be required to reimburse Siemens for its costs of postage and copying. Any source code request made by you must be sent within 3 years of your purchase of the product. Please include a copy of your sales receipt when submitting your request. Also please include the exact name and number of the device and the version number of the installed software.

The use of Open Source Software contained in this product in any manner other than the simple running of the program occurs at your own risk, that is, without any warranty claims against Siemens. For more information about the warranties provided by the authors of the Open Source Software contained in this product, please consult the GPL and LGPL.

You have no warranty claims against Siemens when a defect in the product is or could have been caused by changes made by you in any part of the software or its configuration. In addition, you have no warranty claims against Siemens when the Open Source Software infringes the intellectual property rights of a third party.

Siemens provides no technical support for either the software or the Open Source Software contained therein if either has been changed. You will find the GPL and LGPL license texts on the SW CDR which is delivered with the product SURPASS hiD 6610.

Release for Update


Summary: Initial release

Details:

Chapter/Section    Reasons for update
All                Initial release

Version history

Status    Date of release    Reasons for change
1         2005/03/31         Initial release

Contents

1. Preface
1.1 Document Organization
1.2 Document Convention
1.3 Document Notation
2. Product Introduction
2.2 Features
3. Using Command
3.1 Command Mode
3.1.1 Privilege Exec View Mode
3.1.2 Privilege Exec Enable Mode
3.1.3 Global Configuration Mode
3.1.4 Rule Configuration Mode
3.1.5 DHCP Configuration Mode
3.1.6 DHCP Option-82 Configuration Mode
3.1.7 Rmon Configuration Mode
3.1.8 PIM Configuration Mode
3.1.9 VRRP Configuration Mode
3.1.10 Bridge Configuration Mode
3.1.11 Interface Configuration Mode
3.1.12 Router Configuration Mode
3.1.13 Route-Map Configuration Mode
3.2 Useful Tips
3.2.1 Listing Available Command
3.2.2 Calling Command History
3.2.3 Using Abbreviation
3.2.4 Using Privilege Exec Enable Mode Command
3.2.5 Moving to the Other Mode
4. System Connection and IP Address
4.1 System Connection
4.1.1 System Login
4.1.2 Changing Login Password
4.1.3 Configuring password for Privilege Exec Enable Mode
4.1.4 Configuring Auto-logout Function
4.1.5 Managing the user’s account
(1) Adding the user’s account
(2) Configuring the user’s right
(3) Sample Configuration
4.1.6 Limiting the number of users
4.1.7 Telnet Access
4.1.8 Disconnecting Telnet Access
4.1.9 System Rebooting
(1) Passive System Rebooting
(2) Auto System Rebooting
4.1.10 System Logout
4.2 Assigning IP Address
4.2.1 Enabling Interface
(1) On Global Configuration Mode
(2) On Interface Configuration Mode
4.2.2 Disabling Interface
(1) On Global Configuration Mode
(2) On Interface Configuration Mode
4.2.3 Assigning IP Address to Network Interface
4.2.4 Configuring Static Route and Default Gateway
4.2.5 Sample Configuration
4.3 SSH
4.3.1 Operating SSH Server
(1) Enabling SSH Server
(2) Viewing On-line Clients
(3) Disconnecting Clients
(4) Checking Connection History of Client
4.3.2 Using Client
(1) Login to SSH Server
(2) File Copy
(3) Configuring Authentication Key
(4) Connecting to FTP
4.3.3 Sample Configuration
4.4 Port-Based Authentication (802.1x)
4.4.1 Configuring Authentication Port
4.4.2 Configuration of Port-Control
4.4.3 Confirming Configuration of 802.1x Port-Based Authentication
4.4.4 802.1x Reauthentication
4.4.5 Configuring Port-based 802.1x Authentication
(1) Configuring Authentication Port
(2) Configuring RADIUS Server
(3) Configuring the Priority for RADIUS server
(4) Configuring reattempt interval for requesting identity
(5) Configuring the Number of Request for Authentication
(6) Configuring reattempt interval of Authentication request
(7) Configuring Timeout for RADIUS server
(8) Configuring a term of re-authentication
(9) Immediate Implementing Reauthentication
(10) Initiating the authentication
4.4.6 Client Authentication through MAC address
4.4.7 Confirming and deleting 802.1x user authentication statistics
4.4.8 Releasing 802.1x user authentication
4.4.9 Sample Configuration
4.5 System Authentication
4.5.1 Configuring Authorization Method
4.5.2 Designating Authentication Interface
4.5.3 Configuring Priority of Authorization Method
4.5.4 Checking Configured Priority of Authorization Method
4.5.5 Configuring RADIUS
(1) Configuring RADIUS Server
(2) Configuring the Priority for RADIUS server
(3) Configuring Frequency of Retransmit
(4) Configuring Timeout of Response
4.5.6 Configuring TACACS+
(1) Configuring TACACS Server
(2) Configuring the Priority for TACACS server
(3) Selecting Authorization Type
(4) Configuring Timeout of Response
(5) Configuring Client Priority
4.5.7 Recording User’s Configuration
4.5.8 Sample Configuration
5. Port Basic Configuration
5.1 Port Basic Configuration
5.1.1 Activating Port
5.1.2 Configuring Auto-nego
5.1.3 Port Transmit Rate
5.1.4 Duplex Mode
5.1.5 Configuring Flow Control
5.1.6 Description of port
5.1.7 Viewing Port Statistics
5.1.8 Initializing Port Statistics
5.2 Port Mirroring
5.2.1 Assigning Monitor Port and Mirrored Port
5.2.2 Enabling Port Mirroring
5.2.3 Confirming Configuration of Port Mirroring
5.2.4 Sample Configuration
6. System Environment
6.1 Environment Configuration
6.1.1 Host Name
6.1.2 Date and Time
6.1.3 Time-zone
6.1.4 NTP
6.1.5 SNTP
6.1.6 Output Condition of Terminal Screen
6.1.7 DNS Server
6.1.8 Login Banner
6.1.9 Fan Operation
6.2 Configuration Management
6.2.1 Checking Switch Configuration
6.2.2 Saving Configuration
6.2.3 Auto-Saving
6.2.4 Reloading
6.2.5 Configuration Backup
6.3 System Check
6.3.1 Checking Network Connection
6.3.2 IP ICMP Source-routing Function
6.3.3 Tracing Packet Route
6.3.4 Checking Accessed User through Telnet
6.3.5 Confirming MAC table
6.3.6 Configuring Ageing time
6.3.7 Viewing Running Time of Switch
6.3.8 Confirming System Information
6.3.9 Checking Average of CPU Utilization
6.3.10 Checking CPU Process
6.3.11 Viewing Utilization of Memory
6.3.12 Viewing Version of System Image
6.3.13 Viewing Size of System Image File
6.3.14 Checking Installed OS
6.3.15 Configuring Default OS (※Supporting certain products)
6.3.16 Checking Switch Status
6.3.17 Checking Tech-support
7. Network Management
7.1 SNMP
7.1.1 Configuring SNMP v1 Community
7.1.2 Configuring Accessed Person and Location of SNMP Agent
7.1.3 Configuring SNMP v2c Com2sec
7.1.4 Configuring Group
7.1.5 Limiting Open Range of OID
7.1.6 Access Right for Limited OID
7.1.7 Configuring SNMP v3 User
7.1.8 Configuring SNMP Trap
(1) Configuring SNMP Trap-host
(2) Configuring SNMP Trap
7.1.9 Configuring Type of Alarm Notifications
(1) Enabling Alarm Notification
(2) Configuring General Alarm Notification
(3) Configuring Alarm Notification with the Severity
7.1.10 Configuring IP Address of SNMP Agent
7.1.10 Checking SNMP Configuration
7.1.11 Disable SNMP
7.2 Configuring OAM
7.2.1 Configuring OAM Loopback
(1) OAM Loopback
(2) Configuring Local OAM Mode
(3) Configuring Unidirection
7.2.2 Configuring Remote OAM
7.2.4 Showing OAM Configuration
7.3 Configuring LLDP

7.3.1 How to operate LLDP .................................................................................................................. 158

(1) LLDP operation ............................................................................................................................... 158

7.3.2 Configuring LLDP ........................................................................................................................ 158

(1) Configuring LLDP............................................................................................................................ 158

(2) How to LLDP operation ................................................................................................................... 159

(3) Configuring Basic TLV..................................................................................................................... 159

(4) Receiving LLDP message............................................................................................................... 160

(5) Configuring Reinitdelay ................................................................................................................... 160

(6) Configuring Delay time of transmitting LLDP frame ........................................................................ 161

(7) Showing LLDP configuration........................................................................................................... 161

(8) Showing LLDP statistics.................................................................................................................. 162

(9) Showing the statistics of Remote entry ........................................................................................... 162

7.3.3 Sample Configuration.................................................................................................................. 163

7.4 RMON ............................................................................................................................................ 167

7.4.1 Configuring RMON History .......................................................................................................... 167

(1) Assigning Source Port of Statistical Data ........................................................................................ 169

(2) Identifying Subject of RMON History............................................................................................... 169

(3) Configuring Number of Sample Data .............................................................................................. 170

(4) Configuring Interval of Sample Inquiry ............................................................................................ 170

(5) Activating RMON History ................................................................................................................ 171

(6) Deleting and Changing Configuration of RMON History ................................................................. 172

7.4.2 Configuring RMON Alarm ............................................................................................................ 172

(1) Identifying Subject of RMON Alarm................................................................................................. 174


(2) Configuring Object of Sample Inquiry ............................................................................................. 175

(3) Configuring Absolute Comparison and Delta Comparison. ............................................................. 175

(4) Configuring Upper Bound of Threshold........................................................................................... 176

(5) Configuring Lower Bound of Threshold........................................................................................... 177

(6) Configuring Standard of the First Alarm .......................................................................................... 178

(7) Configuring Interval of Sample Inquiry ............................................................................................ 179

(8) Activating RMON Alarm .................................................................................................................. 179

(9) Deleting RMON Alarm and Changing Configuration ....................................................................... 180

7.4.3 Configuring RMON Event ............................................................................................................ 180

(1) Configuring Event Community ........................................................................................................ 181

(2) Event Description............................................................................................................................ 182

(3) Identifying Subject of Event ............................................................................................................ 182

(4) Configuring Event Type................................................................................................................... 183

(5) Activating Event .............................................................................................................................. 183


(6) Deleting RMON Event and Changing Configuration ....................................................................... 184

7.5 Syslog ............................................................................................................................................ 185

7.5.1 Configuring Level of Syslog Message ......................................................................................... 185

7.5.2 Configuring Syslog Message Priority........................................................................................... 187

7.5.3 Configuring Local-code ............................................................................................................... 188

7.5.4 Disabling Syslog.......................................................................................................................... 189

7.5.5 Showing Syslog configuration ..................................................................................................... 189

7.5.6 Designating IP Address of Syslog Message ................................................................................ 190

7.5.7 Checking Debug Message from Remote..................................................................................... 191

7.5.8 Configuring Threshold of CPU Utilization .................................................................................... 191

7.5.9 Configuring Threshold of Port Traffic ........................................................................................... 192

7.5.10 Configuration Threshold of Temperature ................................................................................... 194

7.6 Configuring Rule and QoS ............................................................................................................. 195

7.6.1 How to Operate Rule and QoS .................................................................................................... 195

(1) Creating Rule .................................................................................................................................. 196

(2) Configuring the priority.................................................................................................................... 197

(3) Configuring the condition for the packets ........................................................................................ 197

(4) Configuring Rule Operation ............................................................................................................ 199

(5) Configuring CoS value and ToS value.............................................................................................. 201

(6) Packet Counter ............................................................................................................................... 202

(7) Saving Rule..................................................................................................................................... 203

(8) Checking Rule Profile ..................................................................................................................... 203

(9) Modifying Rule ................................................................................................................................ 204


(10) Deleting Rule ................................................................................................................................ 204

7.6.2 Configuring QoS.......................................................................................................................... 204

(1) Configuring QoS map ..................................................................................................................... 205

(2) Configuring Scheduling Method ...................................................................................................... 206

(3) Setting Weight................................................................................................................................. 208

(4) Configuring Min-bandwidth ............................................................................................................. 208

(5) Limiting Max-bandwidth .................................................................................................................. 209

(6) User-defined Setting for CPU Packet.............................................................................................. 210

(7) RED (Random Early Detection) Setting .......................................................................................... 211

(8) Displaying QoS Setting ................................................................................................................... 212

7.6.3 Admin access rule ....................................................................................................................... 213

(1) Creating Admin access rule ............................................................................................................ 213

(2) Configuring the priority.................................................................................................................... 214

(3) Configuring the condition for the packet.......................................................................................... 214


(4) Configuring the operation of Admin access rule.............................................................................. 215

(5) Saving Admin access rule............................................................................................................... 216

(6) Checking Admin access rule Profile................................................................................................ 217

(7) Modifying Admin-access-rule .......................................................................................................... 217

(8) Deleting Admin access rule............................................................................................................. 217

7.6.4 Sample Configuration.................................................................................................................. 217

7.7 NetBIOS Filtering ........................................................................................................................... 224

7.8 DHCP Server Packet Filtering ........................................................................................................ 225

7.9 Martian Filtering.............................................................................................................................. 227

7.10 MAC Filtering................................................................................................................................ 228

7.10.1 Configuring Default Policy of MAC Filtering .............................................................................. 228

7.10.2 Adding Policy of MAC Filter ....................................................................................................... 229

7.10.3 Deleting MAC Filtering Policy .................................................................................................... 231

7.10.4 Listing of MAC Filtering Policy................................................................................................... 231

7.11 Configuring Max Host ................................................................................................................... 231

7.11.1 Configuring Max-hosts............................................................................................................... 231

7.11.2 Configuring Max-new-hosts ....................................................................................................... 233

7.12 Managing MAC Table ................................................................................................................... 235

7.13 Configuring ARP Table ................................................................................................................. 236

7.14 ARP-Alias ..................................................................................................................................... 237

7.15 Proxy-ARP.................................................................................................................................... 238

7.16 Configuring Gratuitous ARP ......................................................................................................... 240

7.17 Packet Routing ............................................................................................................................. 241


7.18 ICMP Message Control ................................................................................................................ 242

7.18.1 Blocking Echo Reply Message .................................................................................................. 243

7.18.2 Configuring Interval to Transmit ICMP Message ....................................................................... 243

7.18.3 Transmitting ICMP Redirect Message ....................................................................................... 247

7.19 IP TCP flag control ....................................................................................................................... 248

7.19.1 RST Configuration ..................................................................................................................... 249

7.19.2 SYN Configuration..................................................................................................................... 249

8. System Main Function...................................................................................................................... 251

8.1 VLAN(Virtual Local Area Network) ................................................................................................. 251

8.1.1 Default VLAN............................................................................................................................... 254

8.1.2 Configuring VLAN based on the port........................................................................................... 255

(1) Making VLAN .................................................................................................................................. 255

(2) Specifying PVID .............................................................................................................................. 256

(3) Assigning and deleting port ............................................................................................................. 256


(4) Describing VLAN............................................................................................................................. 257

(5) Releasing VLAN function ................................................................................................................ 257

8.1.3 Configuring VLAN based on protocol .......................................................................................... 258

8.1.4 Configuring QinQ......................................................................................................................... 258

(1) Configuring QinQ ............................................................................................................................ 260

(2) Configuring the kind of TPID ........................................................................................................... 260

(3) Releasing QinQ............................................................................................................................... 261

8.1.5 Configuring Shared-VLAN in Layer 2 dedicated switch............................................................... 261

8.1.6 Showing the configuration for VLAN............................................................................................ 265

8.1.7 Sample Configuration.................................................................................................................. 266

8.2 Link aggregation............................................................................................................................. 271

8.2.1 Port trunk..................................................................................................................................... 272

(1) Configuring Port Trunk .................................................................................................................... 273

(2) Releasing Port Trunking.................................................................................................................. 274

(3) Confirming Port Trunk Configuration............................................................................................... 274

8.2.2 Configuring LACP........................................................................................................................ 275

(1) Enabling LACP................................................................................................................................ 276

(2) Configuring Packet Route ............................................................................................................... 276

(3) Configuring Member Port ................................................................................................................ 277

(4) Configuring Operating Mode of Member Port ................................................................................. 277

(5) Configuring the priority of the switch ............................................................................................... 278

(6) Deciding if LACP of member port is aggregated ............................................................................. 279

(7) Configuring BPDU Transmission Rate ............................................................................................ 280


(8) Configuring Key of Member Port..................................................................................................... 280

(9) Configuring Port Priority.................................................................................................................. 282

(10) Confirming LACP Configuration .................................................................................................... 283

8.2.3 Sample Configuration.................................................................................................................. 284

8.3 Configuring STP ............................................................................................................................. 289

8.3.1 STP Operation............................................................................................................................. 290

8.3.2 RSTP Operation .......................................................................................................................... 294

(1) Port States ...................................................................................................................................... 294

(2) BPDU Policy ................................................................................................................................... 295

(3) Rapid Network Convergence .......................................................................................................... 296

(4) Comparability with 802.1d............................................................................................................... 299

8.3.3 PVSTP and MSTP....................................................................................................................... 300

(1) Operation ........................................................................................................................................ 300

(2) MSTP.............................................................................................................................................. 302


8.3.4 Configuring STP/RSTP/MSTP/PVSTP/PVRSTP mode............................................................... 304

8.3.5 Configuring STP/RSTP/MSTP..................................................................................................... 304

(1) Activating STP/RSTP/MSTP ........................................................................................................... 304

(2) Configuring Root ............................................................................................................................. 305

(3) Configuring Path-cost ..................................................................................................................... 305

(4) Configuring Port-priority .................................................................................................................. 307

(5) Configuring MST Region................................................................................................................. 308

(6) Showing the configuration............................................................................................................... 309

8.3.6 Configuring PVSTP/PVRSTP ...................................................................................................... 310

(1) Activating PVST/PVRSTP............................................................................................................... 310

(2) Configuring Root ............................................................................................................................. 311

(3) Configuring Path-cost ..................................................................................................................... 312

(4) Configuring Port-priority .................................................................................................................. 312

8.3.7 BPDU Configuration .................................................................................................................... 313

(1) Hello time ........................................................................................................................................ 313

(2) Forward Delay................................................................................................................................. 314

(3) Max age .......................................................................................................................................... 315

(4) BPDU Hop ...................................................................................................................................... 315

(5) Confirming BPDU configuration ...................................................................................................... 316

8.3.8 Self Loop detection...................................................................................................................... 316

8.3.9 Sample Configuration.................................................................................................................. 317

8.5 Configuring ERP............................................................................................................................. 320

8.5.1 ERP Operation ............................................................................................................................ 320


8.5.2 LOTP........................................................................................................................................... 322

8.5.3 Configuring ERP.......................................................................................................................... 323

(1) Configuring ERP Domain ................................................................................................................ 323

(2) Configuring RM Node ..................................................................................................................... 323

(3) Configuring Port .............................................................................................................................. 324

(4) Configuring Protected VLAN ........................................................................................................... 324

(5) Configuring Protected Activation ..................................................................................................... 324

(6) Configuring Manual Switch to Secondary ....................................................................................... 325

(7) Configuring Wait-to-Restore Time ................................................................................................... 325

(8) Configuring Learning Disable Time ................................................................................................. 326

(9) Configuring Test Packet Interval ..................................................................................................... 326

(10) Checking ERP Configuration ........................................................................................................ 326

8.6 Stacking.......................................................................................................................................... 331

8.6.1 Configuring switch group............................................................................................................. 332


8.6.2 Designating Master switch .......................................................................................................... 332

8.6.3 Designating Slave Switch............................................................................................................ 332

8.6.4 Releasing Stacking...................................................................................................................... 333

8.6.5 Confirming Stacking Configuration .............................................................................................. 333

8.6.6 Accessing to Slave switch from Master switch ............................................................................ 333

8.6.7 Sample Configuration ............................................................................................................... 334

8.7 Rate Limit ....................................................................................................................................... 336

8.7.1 Configuring Rate Limit................................................................................................................. 336

8.7.2 Sample Configuration.................................................................................................................. 337

8.8 Flood-Guard ................................................................................................................................... 338

8.8.1 Configuring Flood-Guard............................................................................................................. 338

8.8.2 Sample Configuration.................................................................................................................. 339

8.9 IP IGMP(Internet Group Management Protocol) ............................................................................ 339

8.9.1 IGMP Snooping ........................................................................................................................... 341

8.9.2 IGMP Snooping Querier .............................................................................................................. 342

8.9.3 Fast-leave.................................................................................................................................... 342

8.9.4 Time to Register in Multicast Group ............................................................................................ 343

8.9.5 Configuring Multicast Router Path............................................................................................... 344

8.9.6 Multicast Packet Filtering ............................................................................................................ 345

8.9.7 Registering in Multicast Group .................................................................................................... 347

8.10 PIM-SM (Protocol Independent Multicast – Sparse Mode) ........................................................... 348

8.10.1 Enabling PIM-SM ...................................................................................................................... 350

8.10.2 Deciding RP .............................................................................................................................. 352


8.10.3 Configuring Static RP ................................................................................................................ 352

8.10.4 Configuring BSR........................................................................................................................ 353

(1) Candidate-BSR IP Address............................................................................................................. 353

(2) Candidate-BSR Priority................................................................................................................... 354

(3) Candidate-BSR Hash-mask ............................................................................................................ 354

8.10.5 Configuring RP Information ....................................................................................................... 355

(1) Candidate-RP IP Address ............................................................................................................... 356

(2) Registering Multicast Group of Candidate-RP ................................................................................ 356

(3) Candidate-RP Priority ..................................................................................................................... 357

(4) Interval of Candidate-RP Information Transmit ............................................................................... 357

(5) Blocking Candidate-RP Message of Another Member .................................................................... 358

8.10.6 Configuring Assert Message Information................................................................................... 359

(1) Configuring Metric........................................................................................................................... 361

(2) Configuring Preference ................................................................................................................... 361

8.10.7 Whole-packet-checksum ........................................................................................................... 362

8.10.8 Configuring Interval of Cache-check ......................................................................................... 363

8.10.9 Configuring Multicast Routing Table .......................................................................................... 364

8.10.10 Configuring PIM-SM on Ethernet Interface.............................................................................. 365

(1) Activating PIM-SM on Ethernet Interface ........................................................................................ 365

(2) Blocking Multicast packet................................................................................................................ 366

(3) Prohibiting Bootstrap Message ....................................................................................................... 367

(4) Configuring Assert Message Information ........................................................................................ 368

(5) Deleting IP PIM Statistic.................................................................................................................. 369

(6) Showing IP PIM Statistic ................................................................................................................. 370

8.10.11 Viewing PIM-SM Information ................................................................................................... 370

(1) Multicast Routing Table ................................................................................................................... 370

(2) Checking PIM Neighbor Router ...................................................................................................... 370

(3) RP Table ......................................................................................................................................... 371

(4) PIM-SM on Ethernet Interface......................................................................................................... 371

(4) Static IP Multicast Routing Table ..................................................................................................... 371

8.11 VRRP (Virtual Router Redundancy Protocol) ............................................................................... 371

8.11.1 Configuring VRRP ..................................................................................................................... 372

(1) Assigning Associated IP Address .................................................................................................... 373

(2) Configuring Master Router and Backup Router .............................................................................. 374

8.11.2 Configuring VRRP Track function .............................................................................................. 377

8.11.2 Configuring Authentication Password ........................................................................................ 378

8.11.3 Configuring Preempt.................................................................................................................. 379


8.11.4 Configuring Advertisement Time................................................................................................ 380

8.11.5 Viewing VRRP Statistics ............................................................................................................ 381

8.11.6 Clearing VRRP Statistics ........................................................................................................... 382

8.12 Bandwidth..................................................................................................................................... 382

8.13 DHCP ........................................................................................................................................... 383

8.13.1 Activating DHCP server ............................................................................................................. 384

8.13.2 IP Pool....................................................................................................................................... 385

(1) Making IP Pool................................................................................................................................ 385

(2) Configuring DHCP Subnet .............................................................................................................. 385

(3) Configuring Subnet Default Gateway.............................................................................................. 386

(4) Configuring IP Address Range........................................................................................................ 386

(5) Configuring the Available Time to Use IP address .......................................................................... 387

(6) Registering DNS Server.................................................................................................................. 388

(7) Assigning IP address manually ....................................................................................................... 388

(8) Checking Lease Data...................................................................................................................... 389

(9) Checking IP Pool Configuration ...................................................................................................... 389

(10) Checking Lease Data of each IP Pool........................................................................................... 390

8.13.3 Blocking the Fixed IP .............................................................................................................. 390

8.13.4 DHCP Packet Filtering............................................................................................................... 391

8.13.5 Registering DNS Server that is common to all IP Pools ............................................................ 392

8.13.6 Configuring IP Available Time that is common to all IP Pools.................................................... 393

8.13.7 Configuring DHCP Relay Agent................................................................................................. 393

(1) Registering DHCP server................................................................................................................ 394

8.13.8 DHCP Option-82 ....................................................................................................................... 395

(1) Enabling DHCP Option-82 .............................................................................................................. 396

(2) Configuring Option-82 Packet Policy .............................................................................................. 397

(3) Configuring Remote-ID and the Number of Assigning IP Address .................................................. 398

(4) Configuring Remote-ID and Pool .................................................................................................... 398

(5) Remote-ID, Circuit-ID and the Number of Assigning IP Address..................................................... 399

(6) Remote-ID, Circuit-ID and Pool....................................................................................................... 400

(7) Configuring System Remote-ID ...................................................................................................... 401

8.13.9 Back-up DHCP lease database................................................................................................. 402

8.14 Broadcast Storm Control .............................................................................................................. 402

8.15 Jumbo-frame Capacity ................................................................................................................. 403

8.16 Blocking Direct Broadcast ............................................................................................................ 405

9. IP Routing Protocol .......................................................................................................................... 406

9.1 BGP Routing Protocol .................................................................................................................... 406


9.1.1 Basic Configuration ..................................................................................................................... 406

(1) BGP Routing ................................................................................................................................... 407

(2) Configuring BGP Neighbor Router.................................................................................................. 407

(3) Changing Routing Policy................................................................................................................. 408

(4) Configuring BGP Weights ............................................................................................................... 410

(5) Aborting AS Route........................................................................................................................... 411

(6) BGP Route Filtering ........................................................................................................................ 411

(7) AS Route Filtering ........................................................................................................................... 411

(8) BGP Filtering through Prefix Lists ................................................................................................... 412

(9) Blocking information Transmission to Next Destination .................................................................. 415

(10) Configuring BGP Version .............................................................................................................. 416

9.1.2 Advanced Configuration .............................................................................................................. 416

(1) Changing Route through Route Map .............................................................................................. 417

(2) Configuring Aggregate Address ...................................................................................................... 417

(3) Configuring BGP Community Filtering ............................................................................................ 418

(4) Assigning ID Number for Router ..................................................................................................... 419

(5) Distributing Route to BGP............................................................................................................... 419

(6) Configuring Confederation of Routing Domain ............................................................................... 419

(7) Configuring Route Reflector............................................................................................................ 420

(8) Configurations through Neighbor .................................................................................................... 420

(9) Deactivating Neighbor Router ......................................................................................................... 422

(10) Configuring Backdoor Route ......................................................................................................... 422

(11) Deciding NLRI Type ...................................................................................................................... 423

(12) Configuring Distance Value........................................................................................................... 423

(13) Configuring BGP Timer ................................................................................................................. 423

(14) Checking Import Network.............................................................................................................. 424

(15) Configuring the First AS ................................................................................................................ 424

(16) Changing Priority of Local Network............................................................................................... 425

(17) Deciding Route based on Router ID ............................................................................................. 425

(18) Considering Route without MED as the Worst Route ................................................................... 425

(19) Deciding AS Route based on MED from ASs................................................................................ 425

(20) Deciding Confederation Route based on MED ............................................................................. 426

(21) Deciding Route in Confederation based on MED.......................................................................... 426

(22) Restoring Reflected Route ............................................................................................................ 426

(23) Route Dampening ......................................................................................................................... 426

(24) Checking and Managing BGP....................................................................................................... 428

9.2 OSPF Protocol ............................................................................................................................... 429


9.2.1 Enabling OSPF............................................................................................................................ 430

9.2.2 Configuring ABR Type ................................................................................................................. 431

9.2.3 Configuring Compatibility............................................................................................................. 431

9.2.4 Configuring OSPF Interface ........................................................................................................ 431

9.2.5 Configuring Network OSPF Type ................................................................................................ 432

9.2.6 Configuring Non-broadcast Network ........................................................................................... 433

9.2.7 Configuring Area ......................................................................................................................... 434

9.2.8 Configuring Representative Route between OSPF Areas ........................................................... 434

9.2.9 Configuring Virtual Link ............................................................................................................... 435

9.2.10 Configuring Default Metric ......................................................................................................... 435

9.2.11 Configuring Interval to Calculate Route ..................................................................................... 436

9.2.12 Configuring Route Transmit Interval .......................................................................................... 436

9.2.13 Route Transmit to OSPF Network ............................................................................................. 436

9.2.14 Configuring Default Route ......................................................................................................... 437

9.2.15 Configuring OSPF Distance ...................................................................................................... 437

9.2.16 Blocking Information Transmit ................................................................................................... 438

9.2.17 Blocking Renewed Information.................................................................................................. 438

9.2.18 OSPF Monitoring and Management .......................................................................................... 438

9.3 RIP Protocol ................................................................................................................................... 440

9.3.1 Enabling RIP ............................................................................................................................... 440

9.3.2 Configuring RIP Neighbor Router................................................................................................ 441

9.3.3 Configuring RIP Version .............................................................................................................. 442

9.3.4 Creating Static Route available only for RIP................................................................................ 442

9.3.5 Transmitting Routing Information................................................................................................. 443

9.3.6 Configuring Metrics for Redistributed Routes .............................................................................. 444

9.3.7 Configuring Administrative Distance............................................................................................ 444

9.3.8 Creating Default Route................................................................................................................ 445

9.3.9 Routing Information Filtering ....................................................................................................... 445

(1) Blocking Outgoing Routing Information to Interface........................................................................ 445

(2) Configuring Offset List .................................................................................................................... 446

9.3.10 Configuring Time ....................................................................................................................... 446

9.3.11 Activating and Deactivating Split-horizon ................................................................................... 447

9.3.12 Managing Authentication Key .................................................................................................... 447

9.3.13 Monitoring and Managing RIP ................................................................................................... 448

Illustrations

【 Figure 2-1 】Network Structure with SURPASS hiD 6610 ................................................................. 6

【 Figure 3-1 】 Configuring SURPASS hiD 6610 ............................................................................... 12

【 Figure 4-1 】Process of 802.1x Port-Based Authentication ............................................................. 61

【 Figure 4-2 】Multi Authentication Server.......................................................................................... 65

【 Figure 4-3 】Example of the Switch not supported 802.1x .............................................................. 71

【 Figure 4-4 】Process of System Authentication ............................................................................... 75

【 Figure 5-1 】Port Mirroring .............................................................................................................. 95

【 Figure 6-1 】Domain Name Server................................................................................................ 107

【 Figure 6-2 】Ping test for Network connection............................................................................... 120

【 Figure 6-3 】IP Source Routing ..................................................................................................... 120

【 Figure 7-1 】Organization of SNMP............................................................................................... 131

【 Figure 7-2 】Open Range of OID................................................................................................... 136

【 Figure 7-3 】Agent address ........................................................................................................... 152

【 Figure 7-4 】 User-defined Setting for CPU Packet ...................................................................... 206

【 Figure 7-5 】 Packet Process in WRR .......................................................................................... 207

【 Figure 7-6 】 The packet process in WFQ .................................................................................... 207

【 Figure 7-7 】 Min-bandwidth and Max-bandwidth in WFQ ............................................................ 209

【 Figure 7-8 】 The Principle of RED Function ................................................................................ 211

【 Figure 7-9 】 Necessity of NetBIOS Filtering ................................................................................ 224

【 Figure 7-10 】 DHCP Filtering....................................................................................................... 226


【 Figure 7-11 】ARP-Alias ................................................................................................................ 237

【 Figure 7-12 】Proxy-ARP .............................................................................................................. 239

【 Figure 7-13 】 ICMP Message ...................................................................................................... 242

【 Figure 8-1 】 VLAN structure based on the port in Layer 2 environment ...................................... 252

【 Figure 8-2 】The process of deciding packet route based on VLAN.............................................. 253

【 Figure 8-3 】The network construction of QinQ configuration ....................................................... 259

【 Figure 8-4 】In case the packets going outside in Layer 2 environment ........................................ 262

【 Figure 8-5 】In case external packets enter under Layer 2 environment ①.................................. 263

【 Figure 8-6 】In case external packet enter in Layer 2 environment② ........................................... 264

【 Figure 8-7 】Link aggregation........................................................................................................ 271

【 Figure 8-8 】The constitution example of Link aggregation ①...................................................... 272

【 Figure 8-9 】 Example of LACP Construction ①.......................................................................... 281

【 Figure 8-10 】 Example of LACP Construction ②........................................................................ 282

【 Figure 8-11 】 Example of Loop.................................................................................................... 289

【 Figure 8-12】 Example of the running STP ................................................................................... 289

【 Figure 8-13 】Root Switch ............................................................................................................. 291

【 Figure 8-14 】 Deciding Designated Switch .................................................................................. 292

【 Figure 8-15 】 Designated Switch and Designated Port ............................................................... 293

【 Figure 8-16 】 Example of Using Port priority ............................................................................... 294

【 Figure 8-17 】 Alternate Port and Backup Port ............................................................................. 295

【 Figure 8-18 】 In case of Receiving Low BPDU............................................................................ 296

【 Figure 8-19 】 Convergence of 802.1d Network ........................................................................... 296

【 Figure 8-20 】 Network convergence of 802.1w ① ...................................................................... 297

【 Figure 8-21 】 Network convergence of 802.1w ② ...................................................................... 298

【 Figure 8-22 】 Network convergence of 802.1w ③ ...................................................................... 298

【 Figure 8-23 】 Comparability with 802.1d ① ................................................................................ 299

【 Figure 8-24 】 Comparability with 802.1d ② ................................................................................ 299

【 Figure 8-25 】 STP ....................................................................................................................... 300

【 Figure 8-26 】PVSTP .................................................................................................................... 301

【 Figure 8-27 】MSTP ...................................................................................................................... 301

【 Figure 8-28 】 CST and IST① of MSTP....................................................................................... 302

【 Figure 8-29 】 CST and IST② of MSTP....................................................................................... 303

【 Figure 8-30 】 Ethernet ring operation in failure state .................................................................. 321

【 Figure 8-31 】Ring Protection........................................................................................................ 321

【 Figure 8-32 】Link Failure Recovery.............................................................................................. 322

【 Figure 8-33 】Ring Recovery......................................................................................................... 322

【 Figure 8-34 】The example of configuring stacking ....................................................................... 331


【 Figure 8-35 】 Rate Limit and Flood Guard .................................................................................. 338

【 Figure 8-36 】 IP Multicasting ①.................................................................................................. 340

【 Figure 8-37 】 IP Multicasting ②.................................................................................................. 340

【 Figure 8-38 】 Example ① The Multicast packet registered in the IGMP group.......................... 346

【 Figure 8-39 】 Example ② The unregistered Multicast packet.................................................... 346

【 Figure 8-40 】 RPT of PIM-SM ..................................................................................................... 349

【 Figure 8-41 】 STP of PIM-SM...................................................................................................... 350

【 Figure 8-42 】 Network which needs Assert ................................................................................. 360

【 Figure 8-43 】 Network that multicast source are not directly connected to multicast group ........ 362

【 Figure 8-44 】 RPF ....................................................................................................................... 364

【 Figure 8-45 】 Network in case of Prohibiting transmitting Bootstrap Message ............................ 367

【 Figure 8-46 】 VRRP Operation.................................................................................................... 372

【 Figure 8-47 】 VRRP Track........................................................................................................... 377

【 Figure 8-48 】 DHCP Service Construction .................................................................................. 383

【 Figure 8-49 】 An example of the Relay agent.............................................................................. 394

【 Figure 8-50 】 Packet Flow in case of Using DHCP Option-82..................................................... 396

【 Figure 8-51 】Packet flow in case of DHCP Option-82 .................................................................... 397

Table

【 Table 3-1 】Main Commands of Privilege Exec View Mode............................................................. 13

【 Table 3-2 】 Main commands of Privilege Exec Enable Mode ........................................................ 14

【 Table 3-3 】 Main Commands of Global Configuration Mode.......................................................... 15

【 Table 3-4 】The main commands of Rule Configuration Mode ........................................................ 16

【 Table 3-5 】Main Commands of DHCP Configuration Mode............................................................ 17

【 Table 3-6 】Main Commands of DHCP Option-82 Configuration Mode ........................................... 17

【 Table 3-7 】Main Common Commands of RMON Configuration Mode ........................................... 18

【 Table 3-8 】Main Commands of PIM Configuration Mode ............................................................... 18

【 Table 3-9 】Main Commands of VRRP Configuration Mode............................................................ 19

【 Table 3-10 】Main Commands of Bridge Configuration Mode ......................................................... 20

【 Table 3-11 】Main Commands of Interface Configuration Mode ...................................................... 21

【 Table 3-12 】Common Commands of Router Configuration Mode .................................................. 22

【 Table 3-13 】Main Commands of Route-Map Configuration Mode .................................................. 22

【 Table 5-1 】 GMT Time ................................................................................................................. 101

【 Table 6-1 】The basic information to operate ping test .................................................................. 117

【 Table 7-1 】Basic QoS map ........................................................................................................... 205

【 Table 7-2 】The value of ICMP Message....................................................................................... 244

【 Table 7-3 】The calculation for Default mask................................................................................. 245

1. Preface

This manual provides information and instructions on how to configure the SURPASS hiD 6610. All users should read this guide carefully before handling the product and follow all instructions. To aid comprehension, it contains detailed descriptions and practical examples of product configuration.

This guide is designed for network administrators who will be installing and maintaining the SURPASS hiD 6610. The system administrator should be familiar with the fundamentals of LANs and have technical networking experience and professional knowledge of network equipment.

1.1 Document Organization

This manual is organized into the following chapters.

▣ Product Introduction : Introduces the functions of SURPASS hiD 6610.

▣ Using CLI : Explains the CLI command modes and how to use them.

▣ System Connection and IP Address : Provides information on system connection and explains how to assign the IP address to be used for network communication.

▣ Port Basic Configuration : Provides instructions on how to configure the default parameters of Ethernet ports and port mirroring.

▣ System Environment : Explains how to configure the basic system environment, manage the configuration, and check the system.

▣ Network Management : Provides instructions on how to configure SNMP, Syslog, and packet filtering.

▣ System Main Function : Describes functions such as VLAN, STP (Spanning Tree Protocol), and IP multicasting.

▣ IP Routing Protocol : Explains how to configure the routing protocols BGP, OSPF, and RIP.


1.2 Document Convention

This guide uses the following conventions to convey instructions and information.

Information

This information symbol provides useful information when using commands to configure.

Note

This note symbol means the reader should take note. Notes contain helpful suggestions or references.

Warning

This warning symbol means danger. You are in a situation that could cause bodily injury or damage the equipment. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents by making a quick guide based on this guide.

1.3 Document Notation

◈ Notation of Console Terminal

The following table shows the notation used for commands in the console terminal of SURPASS hiD 6610. Please be aware of each notation so that you use the commands correctly.

【 Table 1 】Command Notation of Console Terminal

Notation Description

a Commands you should use as is.

A Variables for which you supply values.

[ ] Commands or variables that appear within square brackets [ ] are optional.

< > Range of number that you can use.

{ } A choice of required keywords appears in braces { }. You must select one.

| Vertical bars separate optional variables |.


◈ Notation of Guide

The following table shows the notation used for commands in this guidebook. Please be aware of each notation so that you use the commands correctly.

【 Table 2 】Command Notation of Guide Book

Notation Description

a,A Commands you should use as is.

a Variables for which you supply values.

[ ] Commands or variables that appear within square brackets [ ] are optional.

< > Range of number that you can use.

{ } A choice of required keywords appears in braces { }. You must select one.

| Vertical bars separate optional variables |.


2. Product Introduction

The SURPASS hiD 6610 L3 switch is a typical Layer 3 switch intended for building large-scale networks. It provides an aggregation function for an upgraded LAN made up of typical Ethernet switches. A Layer 3 switch can connect to a PC, web server, LAN equipment, backbone equipment, or another switch through various interfaces.

The SURPASS hiD 6610 L3 switch supports routing based on VLAN and IP multicasting, and provides Layer 3 switching services such as IP packet filtering and DHCP.

The following picture is an example of network construction using SURPASS hiD 6610.

[Figure: network diagram; labels: Internet, hiD 6610 L3 switch (two), Switch (three)]

【 Figure 2-1 】Network Structure with SURPASS hiD 6610


2.2 Features

SURPASS hiD 6610 L3 switch provides the following functions.

• QoS (Quality of Service)

In the SURPASS hiD 6610 L3 switch, QoS-based forwarding sorts traffic into a number of classes and marks the packets accordingly, so that a different quality of service is provided to each class of packets. The rich QoS capabilities enable network managers to protect mission-critical applications and support differentiated levels of bandwidth for managing traffic congestion. The SURPASS hiD 6610 L3 switch supports delay priority of packets based on the IEEE 802.1p class of service (CoS) standard.

• Multicast Communication

Since the SURPASS hiD 6610 L3 switch provides IGMP Snooping and IGMP Querier, you can use multicast communication. With multicast communication, packets are transmitted only to the hosts that need them, so that overloading can be prevented.

• SNMP (Simple Network Management Protocol)/RMON (Remote Monitoring)

A switch on which SNMP is mounted can be managed and monitored from a remote location. The SURPASS hiD 6610 L3 switch supports SNMP versions 1 and 2 and four RMON groups, so that the administrator can check statistical data at any time.

• IP Routing

Generally, switches operate at Layer 2 of the OSI layers. However, since the SURPASS hiD 6610 L3 switch is a Layer 3 switch, it provides the IP routing that routers have, so you can save the cost of installing an additional router.

• IP Packet Forwarding based on Network

The newly upgraded SURPASS hiD 6610 L3 switch can restore the way of IP packet forwarding in terms of network, so that the entry remembered in the switching chip is enlarged. A maximum of thirteen ways of IP packet forwarding based on network can be restored.


• DHCP Server and Relay

The SURPASS hiD 6610 L3 switch supports DHCP, which automatically assigns IP addresses to clients that access the network. You can use limited IP resources effectively and lower the cost of managing the network, because the DHCP server manages all IP addresses centrally.

• VLAN(Virtual Local Area Network)

A VLAN (Virtual Local Area Network) is made by dividing one network into several logical networks. Packets cannot be transmitted or received between different VLANs. This prevents needless packets from accumulating and strengthens the security of the VLAN. The SURPASS hiD 6610 L3 switch recognizes 802.1Q tagged frames and supports a maximum of 256 VLANs.

• ARP-alias

ARP-alias makes the concentrating switch respond to ARP requests from equipment without a registered IP address, so that clients can communicate.

• Proxy-ARP

Proxy-ARP responds to ARP requests from equipment in another subnet, so it enables communication between different subnets.

• Packet Filtering

IP packet filtering limits network users so that only specific equipment and users can access the network. With this function, the user can not only block unnecessary information and prevent the outflow of specific data, but also block unidentified users to strengthen network security. In addition, a Martian filter blocks outgoing packets that carry another source IP address, and when LAN service is provided in apartments or similar areas, NetBIOS filtering is also supported to protect clients’ private information.

• Stacking

In a switch group, a switch configured as master can configure, manage, and monitor the other switches, called slaves, with one IP address. Since one IP address can manage several switches, IP resources can be saved.


• Port Trunk

The SURPASS hiD 6610 L3 switch aggregates several physical interfaces into one logical port (aggregate port). Port trunk aggregates interfaces that have the same speed, the same duplex mode, and the same VLAN ID. According to IEEE 802.3ad, the SURPASS hiD 6610 L3 switch can configure a maximum of six aggregate ports, each of which can include a maximum of eight ports, to decrease traffic and improve fault recovery.

• LACP(Link Aggregation Control Protocol)

The SURPASS hiD 6610 L3 switch supports LACP, complying with IEEE 802.3ad, which aggregates multiple links between pieces of equipment to provide more bandwidth.

• Rate-limit

The SURPASS hiD 6610 L3 switch provides graded bandwidths on all ports. By providing bandwidths graded according to user configuration, an ISP can offer graded billing plans and manage lines efficiently and economically.

• Flood-Guard

Flood-guard limits the number of packets per second to the value the user configures, whereas Rate-limit controls the amount of packets by configuring port bandwidth.

• STP (Spanning Tree Protocol)

STP (Spanning Tree Protocol) enables switches that have a double path to use it without loops. That is, it activates only one path, the shortest among several paths, and blocks the others to prevent loops.

• PVST(Per VLAN Spanning Tree)

The SURPASS hiD 6610 L3 switch supports PVST (Per VLAN Spanning Tree), in which STP operates independently for each VLAN. PVST prevents the entire network from freezing because of a loop in one VLAN.


• RSTP(Rapid Spanning Tree Protocol) (802.1w)

A stable and flexible network can be built on a metro Ethernet ring or an existing P-to-P topology by supporting RSTP (Rapid Spanning Tree Protocol), which complies with IEEE 802.1w. RSTP is designed to greatly decrease STP reconvergence time. It greatly reduces failover time on a Layer 2 switch that has a redundant link.

• System Management Based on CLI


Users who administer the system through telnet or the console port can easily configure the functions for system operation through the CLI. Unlike Unix, the CLI makes it easy to configure the needed functions after looking up the available commands in the help menu.

• 802.1x Port based Authentication

The SURPASS hiD 6610 L3 switch restricts clients attempting to access a port through 802.1x port-based authentication, to enhance the security and portability of network management. When a client attempts to connect to a port on which 802.1x port-based authentication is enabled, the switch transfers the required information to a RADIUS server for authentication. Therefore, only an authorized client with access rights can connect to the port.

• RADIUS and TACACS+

The SURPASS hiD 6610 L3 switch supports the client authentication protocols RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access Control System+). Access requires not only the user IP and password registered in the switch but also authentication through the RADIUS server and TACACS+ server, so the security of the system and of network management is strengthened.

• SSH Server

By enabling the SSH (Secure Shell) server, the security of the telnet and ftp servers can be strengthened.


• Broadcast Storm Control

A broadcast storm is a situation in which too many broadcast packets are transmitted to the network and the network times out because the packets occupy most of the transmit capacity. The SURPASS hiD 6610 L3 switch supports storm control for broadcast, multicast, and flooding packets, which discards packets that exceed the limit during the time configured by the user.


3. Using Command

3.1 Command Mode

You can configure and manage the SURPASS hiD 6610 L3 switch from a console terminal installed on the user’s PC. When you configure and manage the SURPASS hiD 6610 L3 switch from the console terminal, you use CLI-based interface commands. Connect an RJ-45-to-DB-9 console cable to the SURPASS hiD 6610 L3 switch.

[Figure: a console terminal for configuration and management, installed in a PC, connected to the SURPASS hiD 6610 with an RJ-45-to-DB-9 console cable]

【 Figure 3-1 】 Configuring SURPASS hiD 6610

This chapter explains how the CLI command modes are organized, before you start installing. The CLI command modes are as follows:

□ Privilege Exec View Mode

□ Privilege Exec Enable Mode

□ Global Configuration Mode

□ Rule Configuration Mode

□ DHCP Configuration Mode

□ DHCP Option-82 Configuration Mode


□ RMON Configuration Mode

□ PIM Configuration Mode

□ VRRP Configuration Mode

□ Bridge Configuration Mode

□ Interface Configuration Mode

□ Router Configuration Mode

□ Route-Map Configuration Mode

3.1.1 Privilege Exec View Mode

When a user logs in successfully, the command mode is Privilege Exec View Mode. Privilege Exec View Mode is a read-only mode provided to all users accessing the switch. In Privilege Exec View Mode, it is possible to check the configuration of the switch.

【 Table 3-1 】shows the main commands used in Privilege Exec View Mode of the SURPASS hiD 6610.

【 Table 3-1 】Main Commands of Privilege Exec View Mode

Command Function

enable Enters into Privilege Exec Enable Mode.

exit Logs out of the system.

show Confirms the configuration of the switch.

3.1.2 Privilege Exec Enable Mode

To have not only read access but also the right to configure, you must enter Privilege Exec Enable Mode. You can enter Privilege Exec Enable Mode by using the “enable” command in Privilege Exec View Mode. After you enter Privilege Exec Enable Mode, the command prompt changes from SWITCH> to SWITCH#.

Command Mode Function

enable View Enters Privilege Exec Enable Mode from Privilege Exec View Mode.


To enhance security further, the administrator can designate a password for Privilege Exec Enable Mode. A user who logs in successfully enters Privilege Exec Enable Mode of the CLI.

The commands in Privilege Exec Enable Mode are used to check changes to the terminal configuration, network status, and system information.

【 Table 3-2 】shows the main commands of Privilege Exec Enable Mode in OS 3.02 of SURPASS hiD 6610.

【 Table 3-2 】 Main commands of Privilege Exec Enable Mode

Command Function

clock Inputs time and date in system

configure terminal Enters into Global Configuration mode.

exit Logs out of the system

reload Reboots the system.

telnet Connects to another device through telnet.

terminal line Configures the number of lines to be displayed in screen.

traceroute Traces transmission path of packet.

where Finds users accessed to system through telnet.

3.1.3 Global Configuration Mode

To enter Global Configuration Mode, input the command “configure terminal” in Privilege Exec Enable Mode. After you enter Global Configuration Mode, the system prompt changes from SWITCH# to SWITCH(config)#.

Command Mode Function

configure terminal Enable Enters into configuration mode from Enable mode.

Global Configuration Mode is used to configure functions for general system management and SNMP before configuring a specific protocol or function. From Global Configuration Mode, the user can also enter Bridge or Interface Configuration Mode.

【 Table 3-3 】shows main commands of Global Configuration Mode.


【 Table 3-3 】 Main Commands of Global Configuration Mode

Command Function

access-list Configures policy to limit routing information on the standard of AS.

arp Registers IP address and MAC address in ARP table.

bgp Enters into Bridge configuration mode.

bridge Releases the configured function.

copy Registers IP address and MAC address in ARP table.

debug Finds source of system problem.

disconnect Disconnects a user connected through telnet.

hostname Changes hostname of system prompt.

end Returns to Privilege Exec Enable Mode.

exec-timeout Configures auto-logout function.

exit Returns to the previous mode.

interface Enters into Interface configuration mode.

ip Configures various functions of interface such as DHCP server.

passwd Changes the password.

qos Configures QoS.

restore factory-defaults Initiates the configuration of switch.

route-map Enters into Route-map configuration mode.

router Enters into Router configuration mode.

snmp Configures SNMP.

syslog Configures Syslog.

time-zone Configures the time zone.

3.1.4 Rule Configuration Mode

You can enter Rule Configuration Mode by using the “rule name create” command in Global Configuration Mode. When you enter Rule Configuration Mode, the system prompt changes from SWITCH(config)# to SWITCH(config-rule[name])#.

Command Mode Function

rule name create Global Enters into Rule configuration mode from Configuration.


In Rule Configuration Mode, it is possible to configure the conditions and the operational method for the packets to which the rule function is applied.

【 Table 3-4 】shows the main commands of Rule Configuration Mode in OS 2.09 of SURPASS hiD 6610.

【 Table 3-4 】The main commands of Rule Configuration Mode

Command Function

apply Configures Rule configuration and applies it to the switch.

cos Configures CoS in appropriate Rule.

end Returns to Privilege Exec Enable Mode

ethtype Configures the packet condition with Ethernet type.

exit Returns to the previous mode.

ip Configures the packet condition by IP address.

length Configures the packet condition by packet length.

mac Configures the packet condition by MAC address.

match Configures operational condition which meets the packet condition.

no-match Configures the operational condition for the packet which doesn’t meet the packet condition.

port Configures the packet condition with port number.

priority Configures the priority for Rule.

3.1.5 DHCP Configuration Mode

To enter DHCP Configuration Mode, input the command “ip dhcp pool pool-name” in Global Configuration Mode as follows. The system prompt then changes from SWITCH(config)# to SWITCH(config-dhcp[pool-name])#.

Command Mode Function

ip dhcp pool pool-name Global Enters into DHCP Configuration Mode to configure DHCP.

DHCP Configuration Mode is used to configure the range of IP addresses used by the DHCP server, the group in a subnet, and the default gateway of the subnet.


【 Table 3-5 】shows main commands of DHCP Configuration Mode.

【 Table 3-5 】Main Commands of DHCP Configuration Mode

Command Function

default-gateway Configures default-gateway of subnet.

dns-server Configures DNS-server.

end Returns to Privilege Exec Enable Mode.

exit Returns to the previous mode.

range Configures range of IP address used in DHCP server.

3.1.6 DHCP Option-82 Configuration Mode

In Global Configuration Mode, when you use the “ip dhcp option82” command, the system prompt changes from SWITCH(config)# to SWITCH(config-opt82)# and the switch enters DHCP Option-82 Configuration Mode.

Command Mode Function

ip dhcp option82 Global Enters into DHCP Option-82 Configuration Mode for DHCP configuration.

In DHCP configuration mode, you configure the range of IP addresses used by the DHCP server, designate the group in a subnet, and configure the default gateway of the subnet. 【 Table 3-6 】shows the main commands of DHCP Option-82 Configuration Mode in OS 2.09 of SURPASS hiD 6610.

【 Table 3-6 】Main Commands of DHCP Option-82 Configuration Mode

Command Function

end Returns to Privilege Exec Enable Mode.

exit Returns to the previous mode.

lease Qualification of lease

policy Configures the rule for Option-82 packet

pool Qualification of lease IP pool

system-remote-id Configures remote-id of the system


3.1.7 Rmon Configuration Mode

To enter Rmon-alarm Configuration Mode, input “rmon-alarm <1-65534>”; to enter Rmon-event Configuration Mode, input “rmon-event <1-65534>”; and to enter Rmon-history Configuration Mode, input “rmon-history <1-65534>”. The system prompt changes to SWITCH(config-rmonalarm[n])# in Rmon-alarm Configuration Mode, to SWITCH(config-rmonevent[n])# in Rmon-event Configuration Mode, and to SWITCH(config-rmonhistory[n])# in Rmon-history Configuration Mode.

【 Table 3-7 】shows common commands of RMON Configuration Mode.

【 Table 3-7 】Main Common Commands of RMON Configuration Mode

Command Function

active Activates each Rmon.

end Returns to Privilege Exec Enable Mode.

exit Returns to the previous mode.

owner Shows the subject, which configures each Rmon and uses related information.

3.1.8 PIM Configuration Mode

To enter PIM Configuration Mode, use the following command. The system prompt changes from SWITCH(config)# to SWITCH (config_pim)#.

Command Mode Function

router pim Global Enters into PIM Configuration Mode from Global Configuration Mode.

On PIM Configuration Mode, you can configure PIM-SM to activate it.

【 Table 3-8 】shows main commands of PIM Configuration Mode.

【 Table 3-8 】Main Commands of PIM Configuration Mode


Command Function

cache-check Configures the interval that checks packet transmission result from source.

cand-bsr Configures information for candidate-BSR.

cand-rp Configures information for candidate-RP.

end Returns to Privilege Exec Enable Mode.

exit Returns to the previous mode.

metric Configures metric to decide Assert.

preference Configures preference to decide Assert.

static-rp Configures RP by user manually.

whole-packet-checksum Gives comparability with Cisco router when transmitting Register message.

3.1.9 VRRP Configuration Mode

To enter VRRP Configuration Mode, use the following command. The system prompt changes from SWITCH(config)# to SWITCH(config-vrrp)#.

Command Mode Function

router vrrp interface-name group-id Global Enters into VRRP Configuration Mode from Global Configuration Mode.

In VRRP Configuration Mode, you can configure VRRP and activate it. 【 Table 3-9 】shows the main commands of VRRP Configuration Mode.

【 Table 3-9 】Main Commands of VRRP Configuration Mode

Command Function

associate Configures Associated IP address same with Virtual Router.

authentication Configures password of Virtual Router group.

end Returns to Privilege Exec Enable Mode.

exit Returns to the previous mode.

preempt Activates/Deactivates Preempt.

vr_priority Assigns priority to Virtual Router.

vr_timers Configures Advertisement time, which means the interval at which the Master router distributes its information to another Virtual Router.


3.1.10 Bridge Configuration Mode

When you input the command “bridge” in Global Configuration Mode as follows, the system prompt changes from SWITCH(config)# to SWITCH (bridge)#.

Command Mode Function

bridge Global Enters into Bridge configuration mode from configuration mode.

Bridge mode is used to manage MAC addresses and to configure Layer 2 switch functions such as VLAN, mirroring, and STP.

【 Table 3-10 】shows main commands of Bridge configuration mode.

【 Table 3-10 】Main Commands of Bridge Configuration Mode

Command Function

end Returns to Privilege Exec Enable Mode.

exit Returns to the previous mode.

lacp Configures LACP function.

mac-flood-guard Configures Mac-flood-guard.

mirror Configures Mirroring function.

rate Configures Rate-limit function.

trunk Configures Trunk function.

vlan Configures VLAN function.

3.1.11 Interface Configuration Mode

To enter Interface configuration mode, input the command “interface interface-name” in Global Configuration Mode. When you enter Interface configuration mode, the system prompt changes from SWITCH(config)# to SWITCH(config-if)#.

Command Mode Function

interface interface-name Global Enters into Interface configuration mode from configuration mode.


Interface configuration mode is used to assign an IP address to an Ethernet interface and to activate or deactivate the interface.

【 Table 3-11 】shows main commands of Interface configuration mode.

【 Table 3-11 】Main Commands of Interface Configuration Mode

Command Function

bandwidth Configures bandwidth used to make routing information.

description Makes description of interface.

end Returns to Privilege Exec Enable Mode.

exit Returns to the previous mode.

ip Assigns IP address.

shutdown Deactivates interface.

mtu Sets the MTU value of the interface.

3.1.12 Router Configuration Mode

To enter Router Configuration Mode, use the following command. The system prompt changes from SWITCH(config)# to SWITCH(config-router)#.

Command Mode Function

router ip-protocol Global Enters into Router Configuration Mode.

Depending on the routing protocol, Router Configuration Mode is divided into BGP, RIP, and OSPF. They are used to configure each IP routing protocol.

【 Table 3-12 】shows common commands of Router Configuration Mode.


【 Table 3-12 】Common Commands of Router Configuration Mode

Command Function

distance Configures distance value to find better route.

end Returns to Privilege Exec Enable Mode.

exit Returns to the previous mode.

neighbor Configures Neighbor router.

network Configures network to operate each routing protocol.

redistribute Registers transmitted routing information to another router’s table.

3.1.13 Route-Map Configuration Mode

To enter Route-Map Configuration Mode, use the following command. The system prompt changes from SWITCH(config)# to SWITCH(config-route-map)#.

Command Mode Function

route-map name {permit|deny} <1-65535> Global Enters into Route-Map Configuration Mode from Global Configuration Mode.

In Route-Map Configuration Mode, you can configure where information in the routing table comes from and where it is sent.

【 Table 3-13 】shows main commands of Route-Map Configuration Mode.

【 Table 3-13 】Main Commands of Route-Map Configuration Mode

Command Function

end Returns to Privilege Exec Enable Mode.

exit Returns to the previous mode.

match Transmits routing information to specified place.

set Configures router address and distance.


3.2 Useful Tips

This section describes functions that make DSH commands more convenient to use. They are as follows.

□ Listing Available Commands

□ Calling Command History

□ Using Abbreviation

□ Using Privilege Exec Enable Mode Command

□ Moving to the other mode

3.2.1 Listing Available Command

To find out the available commands, input a question mark (?). When you input the question mark (?) in a command mode, you can see the commands available in that mode and the variables that follow them. The following shows the commands available in Privilege Exec Enable Mode of hiD 6610.

SWITCH# ?
Exec commands:
clear Reset functions
clock Manually set the system clock
configure Enter configuration mode
copy Copy from one file to another
debug Debugging functions (see also 'undebug')
default-os Select default OS
enable Turn on privileged mode command
exit End current mode and down to previous mode
help Description of the interactive help system
no Negate a command or set its defaults
ping Send echo messages
quote Execute external command
reload Reload the system
show Show running system information
ssh Configure secure shell
tech-support Technical Supporting Function for Diagnosis System
telnet Open a telnet connection
terminal Set terminal line parameters
traceroute Trace route to destination
where List active user connections
write Write running configuration to memory, network, or terminal

SWITCH#


Note

The question mark (?) is not shown on the screen, and you do not need to press the Enter key to display the command list. This guide is designed for the standard OS V3.02. The displayed contents may vary depending on the OS version.

On a SURPASS hiD 6610 with the CLI installed, you can find the commands that start with a specific letter. Input the first letter and a question mark without a space. The following is an example of finding the commands starting with s in Privilege Exec Enable Mode of SURPASS hiD 6610.

SWITCH# s?
show Show running system information
ssh Configure secure shell

SWITCH# s

It is also possible to view the variables you should input after a command. After inputting the command you need, type one space and then a question mark. The following is an example of viewing the variables after the command write. Please note that you must make one space after inputting

SWITCH# write ?
file Write to file
memory Write to NV memory
terminal Write to terminal

SWITCH# write

If you need the list of available commands in each mode and their variables in more detail, use the command show list. The following is an example of displaying the list of available commands in Privilege Exec Enable Mode and their variables by using the command show list.

SWITCH# show list


clear ip bgp *
clear ip bgp * in
clear ip bgp * in prefix-filter
clear ip bgp * ipv4 (unicast|multicast) in
clear ip bgp * ipv4 (unicast|multicast) in prefix-filter
clear ip bgp * ipv4 (unicast|multicast) out
clear ip bgp * ipv4 (unicast|multicast) soft
clear ip bgp * ipv4 (unicast|multicast) soft in
clear ip bgp * ipv4 (unicast|multicast) soft out
-- more --


Press any key to move to the next part of the list while “more” is displayed.

Note

This guide is designed for the standard OS V3.02. The displayed contents may vary depending on OS

version.

3.2.2 Calling Command History

With DSH, you do not have to retype a command you have already used. To recall the command history, use the up arrow key (↑). Each time you press the arrow key, the commands you used are displayed one by one, starting from the latest.

The following is an example of recalling the command history after using several commands. After using these commands in order: show clock→configure terminal→interface 1→exit, press the arrow key (↑) and you will see the commands starting from the latest one: exit→interface 1→configure terminal→show clock.

SWITCH# show clock


Tue Nov 30 03:27:07 1999
SWITCH# configure terminal
SWITCH(config)# interface 1
SWITCH(config-if)# exit
SWITCH(config)# exit
SWITCH# (press the arrow key,↑)

SWITCH# exit(arrow key,↑)
SWITCH# interface 1(arrow key,↑)
SWITCH# configure terminal(arrow key,↑)
SWITCH# show clock(arrow key,↑)

Each time you press the arrow key, only the command is changed on the same line.

3.2.3 Using Abbreviation

Most commands can also be used in abbreviated form.


The following table shows some examples of abbreviated commands.

Command Abbreviation

clock cl

configure terminal con te

show sh

syslog sys

3.2.4 Using Privilege Exec Enable Mode Command

In SURPASS hiD 6610, the user can use the commands of Privilege Exec Enable Mode in the other modes.

To use the commands of Privilege Exec Enable Mode in another mode, use the following command.

Command Mode Function

do command Global/RMON/DHCP/Option-82/Bridge/Interface/Rule/PIM/VRRP/Router/Route-map It is possible to use Privilege Exec Enable Commands in another mode.

3.2.5 Moving to the Other Mode

In SURPASS hiD 6610, it is possible to return to the previous mode or to move to Privilege Exec Enable Mode. On the other hand, returning to a previous mode is not possible in Privilege Exec View Mode and Privilege Exec Enable Mode, but it is possible to log out of the system in those modes.

To return to the previous mode or to Privilege Exec Enable Mode, use the following commands.

Command Mode Function

exit Global/RMON/DHCP/Option-82/Bridge/Interface/Rule/PIM/VRRP/Router/Route-map Returns to the previous mode.

end Global/RMON/DHCP/Option-82/Bridge/Interface/Rule/PIM/VRRP/Router/Route-map Returns to Privilege Exec Enable Mode.


Note

The same command is used to log out of the system in Privilege Exec View mode and Privilege Exec Enable mode.

To log out of the system in Privilege Exec View mode and Privilege Exec Enable mode, use the following command.

Command Mode Function

exit View/Enable Logs out of the system.


4. System Connection and IP Address

4.1 System Connection

After installing the switch, each port of SURPASS hiD 6610 should be checked to confirm that it is correctly connected to the network and the management PC. The user then connects to the system to configure and manage SURPASS hiD 6610.

This section describes how to change the password for system connection and how to connect to the system through telnet, in the following order.

□ System Login

□ Changing Login Password

□ Configuring password for Privilege Exec Enable Mode

□ Configuring Auto-logout function

□ Managing the user’s account

□ Limiting the number of users

□ Telnet Access

□ Disconnecting Telnet Access

□ System Reboot

□ System Logout

4.1.1 System Login

After installing SURPASS hiD 6610, make sure once more that each port is correctly connected to the PC for network and management. Then turn on the power and boot the system as follows.

Step 1 When you turn on the switch, booting starts automatically and the login prompt is displayed.


************************************************************
* *
* Boot Loader Version 4.59 *
* Siemens AG *
* *
************************************************************
Press 's' key to go to Boot Mode: 0
Load Address: 0x01000000
Image Size: 0x0095b000
Start Address: 0x01000000

console=ttyS0,9600 root=/dev/ram rw
NOS version 3.02 #3020
CPU : Motorola [rev=1014]
Total Memory Size : 128 MB
Calibrating delay loop... 175.71 BogoMIPS
Switch init...
system_probe : Finding model.....V5524EL
INIT: version 2.85 booting
Extracting configuration
Wed, 30 Mar 2005 14:34:55 +0000
INIT: Entering runlevel: 3
SWITCH login:

Step 2 When you enter the login ID at the login prompt, the password prompt is displayed. Enter the password to move into Privilege Exec View mode. By default, the login ID is configured as “admin” and it is possible to access without a password.

SWITCH login: admin
Password:
SWITCH>

Step 3 In Privilege Exec View Mode, you can only check the configuration of the switch. To configure and manage the switch, you should enter Privilege Exec Enable Mode. The following is an example of entering Privilege Exec Enable Mode.

SWITCH> enable
SWITCH#


4.1.2 Changing Login Password

An administrator who manages and configures the switch can change the system login password. For thorough security, you had better change the password whenever necessary.

To change the system password, use the following command in Global configuration mode.

Command Mode Function

passwd Global Changes Login password.

Information

You can make a password of at least five and up to eight characters. Please avoid one that is similar to the login ID.

To change the login password of an added user with reading right, use the following command.

Command Mode Function

passwd user-name Global Changes the Login password of added user with reading right.

[ Sample Configuration 1 ]

The following is an example of changing password to “networks”.

SWITCH(config)# passwd
Changing password for admin
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password: networks
Re-enter new password: networks
Password changed.
SWITCH(config)#

Note

The password you enter is not shown on the screen, so please be careful. You need to enter the password twice to avoid a mistake.


4.1.3 Configuring password for Privilege Exec Enable Mode

You can configure a password to enhance security when you change the mode from Privilege Exec View Mode to Privilege Exec Enable Mode. To configure the password for changing the mode, use the following command.

Command   Mode   Function
passwd enable password   Global   Configures the password to access Privilege Exec Enable Mode.

The password that you have configured is displayed in configuration mode by the show running-config command. For security reasons, you can configure the switch not to display it with the show running-config command. The password is then displayed encrypted by show running-config so that the user cannot recognize it.

Command Mode Function

service password-encryption Global Encrypt system passwords.

To disable the password encryption, use the following command.

Command Mode Function

no service password-encryption Global Disable password encryption.

However, even though you configure the encrypted password with the service password-encryption command, another user can check the password by disabling this command. To enhance the security of the password, you can configure the password so that it is shown encrypted without the service password-encryption command. However, in order to use it, the user should input the character string of the encrypted password.

To configure the password with the character string of the encrypted password so that the password is not shown, use the following command.

Command   Mode   Function
passwd enable 8 encrypted-password   Global   Configures the password with the character string for encrypted password.


Information

If you want to check the character string for the encrypted password, first configure the password using the passwd enable password command, then enable service password-encryption, and then check the password with show running-config.

Information

With the passwd enable 8 encrypted-password command, the encrypted password is displayed without enabling service password-encryption.

To disable the configured password, use the following command.

Command Mode Function

no passwd enable Global Deletes the configured password to enter into Privilege Exec Enable

[ Sample Configuration 1 ]

The following is an example of configuring “networks” as the password for entering Privilege Exec Enable Mode.

SWITCH# configure terminal
SWITCH(config)# passwd enable networks
SWITCH(config)# show running-config
!
hostname SWITCH
!
passwd enable networks
!
exec-timeout 0 0
(Omitted)
SWITCH(config)#

The following is to access after configuring the password as the above.

SWITCH login: admin
Password:
SWITCH > enable
Password: networks
SWITCH #


The following is to check the password by enabling service password-encryption.

SWITCH(config)# show running-config
!
hostname SWITCH
!
passwd enable 8 bJ6fclPZlAIRk
!
service password-encryption
exec-timeout 0 0
!
(Omitted)
SWITCH(config)#

[ Sample Configuration 2 ]

The following is an example of configuring the password as “networks” using the character string for the encrypted password and then logging in.

Information

You can check the character string for the encrypted password as in [ Sample Configuration 1 ]. Configure the password with the passwd enable password command, enable service password-encryption, and then check the password with the show running-config command.

SWITCH# configure terminal
SWITCH(config)# passwd enable 8 bJ6fclPZlAIRk
SWITCH(config)# exit
SWITCH# exit

SWITCH login: admin
Password:
SWITCH > enable
Password: networks
SWITCH #

4.1.4 Configuring Auto-logout Function

For the security of SURPASS hiD 6610, if no command is entered within the configured inactivity time, the user is automatically logged out of the system. The administrator can configure the inactivity timer.


To configure the inactivity timer, use the following command.

Command   Mode   Function
exec-timeout 0   Global   Releases auto-logout function.
exec-timeout <1-35791> <0-59>   Global   If no command is entered within the configured inactivity time, the user is automatically logged out of the system.

Information

By default setting, auto-logout function is configured as 10 minutes.

Information

The time unit for <1-35791> is minute and the time unit for < 0-59 > is second.

To view configuration of auto-logout function, use the following command.

Command Mode Function

show exec-timeout Enable/Global Shows configured inactivity timer.

The following is an example of configuring auto-logout function as 60 seconds and viewing the configuration.

SWITCH(config)# exec-timeout 60
SWITCH(config)# show exec-timeout
Log-out time : 60 seconds
SWITCH(config)#
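
The settings from 4.1.3 and 4.1.4 can be checked in a saved copy of show running-config. The following is an added example, not part of the manual or of the switch software: the function names and finding codes are hypothetical, the two inputs are constructed from the configuration lines shown in the samples above, and it assumes the dump contains exactly the line forms those samples show.

```python
# Constructed inputs, assembled from the running-config lines shown in the
# manual's samples (these are not captures from a real device).
WEAK_CONFIG = """\
!
hostname SWITCH
!
passwd enable networks
!
exec-timeout 0 0
"""

HARDENED_CONFIG = """\
!
hostname SWITCH
!
passwd enable 8 bJ6fclPZlAIRk
!
service password-encryption
exec-timeout 10 0
!
"""


def audit_running_config(text):
    """Return findings as (code, line_number, detail) tuples for one config dump.

    line_number is 0 for findings about a line that is missing altogether.
    """
    findings = []
    enable_password_seen = False
    encryption_service_seen = False

    for number, raw in enumerate(text.splitlines(), start=1):
        words = raw.split()
        if not words or words[0] == "!":
            continue  # blank line or section separator

        if words[:2] == ["passwd", "enable"] and len(words) >= 3:
            enable_password_seen = True
            # `passwd enable 8 <string>` stores the encrypted string; any other
            # form leaves the password readable in the configuration.
            if not (len(words) == 4 and words[2] == "8"):
                findings.append(("ENABLE_PASSWORD_CLEARTEXT", number,
                                 "enable password is readable in the dump"))

        elif words == ["service", "password-encryption"]:
            encryption_service_seen = True

        elif words[0] == "exec-timeout":
            values = words[1:]
            if not values or len(values) > 2 or not all(v.isdigit() for v in values):
                findings.append(("EXEC_TIMEOUT_UNPARSED", number, raw.strip()))
                continue
            minutes = int(values[0])
            seconds = int(values[1]) if len(values) == 2 else 0
            # A zero timer releases the auto-logout function.
            if minutes == 0 and seconds == 0:
                findings.append(("AUTO_LOGOUT_DISABLED", number,
                                 "idle sessions are never logged out"))

    if not enable_password_seen:
        findings.append(("NO_ENABLE_PASSWORD", 0,
                         "no password is set for Privilege Exec Enable Mode"))
    if not encryption_service_seen:
        findings.append(("PASSWORD_ENCRYPTION_OFF", 0,
                         "service password-encryption is not set"))
    return findings


def finding_codes(text):
    """Sorted finding codes only, convenient for comparing two dumps."""
    return sorted(code for code, _, _ in audit_running_config(text))


if __name__ == "__main__":
    for name, config in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, finding_codes(config))
```
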

4.1.5 Managing the user’s account

In SURPASS hiD 6610, the administrator can add other users’ accounts. It is also possible to designate the level from Level 0 to Level 5 to enhance the security of the switch.

The following describes how to manage users’ accounts, such as adding a user and configuring the user’s right.


(1) Adding the user’s account

In SURPASS hiD 6610, the administrator can add other users’ accounts. When you add a user’s account, it is possible to designate the user’s right at the same time. If the user’s right is not designated, the right of Level 0 is configured by default. To add a user’s account, use the following command.

Command   Mode   Function
user add name description   Global   Adds the user’s account having the right of Level 1.
user add-admin name description   Global   Adds the user’s account having the right of Level 15.
user add name level <0-15> description   Global   Adds the user’s account with the designated user’s right.

Information

An account of Level 0 to Level 14 with nothing further configured can use exit and help in Privilege Exec View Mode and cannot access Privilege Exec Enable Mode. The account with the highest level, Level 15, is admin and has Read-Write right.

In order to delete the added account, use the following command.

Command Mode Function

user del name Global Deletes the added account.

In order to show the added user’s account, use the following command.

Command Mode Function

show user Enable/Global Shows the added user’s account.

(2) Configuring the user’s right

In SURPASS hiD 6610, it is possible to configure the Level of the user’s right from 0 to 15. Level 15, as the highest level, has Read-Write right. The administrator can configure Level 0 to Level 14. The administrator decides which commands the users of each Level can use in which mode. As the basic right, Level 0 to Level 14 can use the exit and help commands in Privilege Exec View Mode and cannot access Privilege Exec Enable Mode. The following commands configure the user’s right according to the user’s Level.


Command   Mode   Function
privilege bgp level <0-15> {command | all}   Global   Uses the specific command of BGP configuration mode in the Level.
privilege bridge level <0-15> {command | all}   Global   Uses the specific command of Bridge mode in the Level.
privilege configure level <0-15> {command | all}   Global   Uses the specific command of Global mode in the Level.
privilege dhcp-option82 level <0-15> {command | all}   Global   Uses the specific command of DHCP-option82 mode in the Level.
privilege dhcp-pool level <0-15> {command | all}   Global   Uses the specific command of DHCP configuration mode in the Level.
privilege enable level <0-15> {command | all}   Global   Uses the specific command of Privilege Exec Enable mode in the Level.
privilege interface level <0-15> {command | all}   Global   Uses the specific command of Interface Configuration mode in the Level.
privilege ospf level <0-15> {command | all}   Global   Uses the specific command of OSPF mode in the Level.
privilege pim level <0-15> {command | all}   Global   Uses the specific command of PIM mode in the Level.
privilege rip level <0-15> {command | all}   Global   Uses the specific command of RIP mode in the Level.
privilege rmon-alarm level <0-15> {command | all}   Global   Uses the specific command of RMON mode in the Level.
privilege rmon-event level <0-15> {command | all}   Global   Uses the specific command of RMON mode in the Level.
privilege rmon-history level <0-15> {command | all}   Global   Uses the specific command of RMON mode in the Level.
privilege route-map level <0-15> {command | all}   Global   Uses the specific command of Route-map mode in the Level.
privilege rule level <0-15> {command | all}   Global   Uses the specific command of Rule mode in the Level.
privilege view level <0-15> {command | all}   Global   Uses the specific command of Privilege Exec View mode in the Level.
privilege vrrp level <0-15> {command | all}   Global   Uses the specific command of VRRP mode in the Level.


Note

Commands that can be used at a low Level can also be used at the higher Levels. For example, a command of Level 0 can be used from Level 0 to Level 14.

Note

The commands should be input exactly as they are displayed by show list. Therefore, it is not possible to input the commands in the brackets separately.

SWITCH# show list
clear ip bgp *
clear ip bgp * in
clear ip bgp * in prefix-filter
clear ip bgp * ipv4 (unicast|multicast) in
clear ip bgp * ipv4 (unicast|multicast) in prefix-filter
clear ip bgp * ipv4 (unicast|multicast) out
(Omitted)

It is not possible to configure clear ip bgp * ipv4 unicast in. You should configure it like clear ip bgp * ipv4 {unicast | multicast} in.

Information

Commands starting with the same word are all applied by inputting only the starting command. For example, if you input show, all the commands starting with show are applied.


To delete the configuration for user’s right, use the following command.

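Command   Mode   Function
no privilege   Global   Deletes all the configurations by user’s right.
no privilege bgp level <0-15> {command | all}   Global   Deletes the configuration by user’s right for each mode.
no privilege bridge level <0-15> {command | all}   Global   Deletes the configuration by user’s right for each mode.
no privilege configure level <0-15> {command | all}   Global   Deletes the configuration by user’s right for each mode.
no privilege dhcp-option82 level <0-15> {command | all}   Global   Deletes the configuration by user’s right for each mode.
no privilege dhcp-pool level <0-15> {command | all}   Global   Deletes the configuration by user’s right for each mode.
no privilege enable level <0-15> {command | all}   Global   Deletes the configuration by user’s right for each mode.
no privilege interface level <0-15> {command | all}   Global   Deletes the configuration by user’s right for each mode.
no privilege ospf level <0-15> {command | all}   Global   Deletes the configuration by user’s right for each mode.
no privilege pim level <0-15> {command | all}   Global   Deletes the configuration by user’s right for each mode.
no privilege rip level <0-15> {command | all}   Global   Deletes the configuration by user’s right for each mode.
no privilege rmon-alarm level <0-15> {command | all}   Global   Deletes the configuration by user’s right for each mode.
no privilege rmon-event level <0-15> {command | all}   Global   Deletes the configuration by user’s right for each mode.
no privilege rmon-history level <0-15> {command | all}   Global   Deletes the configuration by user’s right for each mode.
no privilege route-map level <0-15> {command | all}   Global   Deletes the configuration by user’s right for each mode.
no privilege rule level <0-15> {command | all}   Global   Deletes the configuration by user’s right for each mode.
no privilege view level <0-15> {command | all}   Global   Deletes the configuration by user’s right for each mode.
no privilege vrrp level <0-15> {command | all}   Global   Deletes the configuration by user’s right for each mode.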

To show the right for the Level configured by administrator, use the following command.

Command   Mode   Function
show privilege   Global   Shows the right for Level configured by administrator.
show privilege now   Global   Checks the Level of the current access.
show privilege with-user   Global   Shows the right according to Level configured by administrator and added user list.


(3) Sample Configuration

[Sample Configuration 1 ]

The following is to add test0 having the right as Level10 and test15 having the right as Level15.

SWITCH# configure terminal
SWITCH(config)# user add test0 test0
Changing password for test0
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password:
Bad password: too short.

Warning: weak password (continuing).


Re-enter new password:
Password changed.
SWITCH(config)# user add-admin test15 test15
Changing password for test15
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password:
Bad password: too short.

Warning: weak password (continuing).


Re-enter new password:
Password changed.
SWITCH(config)# show privilege with-user

User Privilege Level Configuration


--------------------------------------------
User Level

admin 15

tset0 0

test15 15

3 user(s) found.

(Omitted)

SWITCH(config)#


[Sample Configuration 2 ]

The following is to add test0 having the right as Level10 and test1 having the right as Level1 without

password.

SWITCH# configure terminal
SWITCH(config)# user add test0 level 0 level0user
Changing password for test0
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password:(Enter)
Bad password: too short.

Warning: weak password (continuing).


Re-enter new password: (Enter)
Password changed.
SWITCH(config)# user add test1 level 1 level1user
Changing password for test1
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password: (Enter)
Bad password: too short.

Warning: weak password (continuing).


Re-enter new password: (Enter)
Password changed.
SWITCH(config)# show user

====================================================

User name Description

====================================================

test0 level0user

test1 level1user

SWITCH(config)#


The following is to configure the right level of Level 0 and Level 1.

SWITCH# configure terminal
SWITCH(config)# privilege view level 0 enable
SWITCH(config)# privilege enable level 0 show
SWITCH(config)# privilege enable level 1 clock
SWITCH(config)# privilege enable level 1 configure terminal
SWITCH(config)# show privilege

Command Privilege Level Configuration


-----------------------------------------------
Node All Level Command

EXEC(ENABLE) 1 clock
EXEC(ENABLE) 1 configure terminal
EXEC(VIEW) 0 enable
EXEC(ENABLE) 0 show

4 entry(s) found.

SWITCH(config)#

With the above configuration, Level 0 can use only the show command in Privilege Exec Enable mode, whereas Level 1 can use not only the commands in Level 1 but also the time configuration commands in Privilege Exec Enable mode and the command for accessing Global configuration mode.
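
The level rules above (lower-Level commands are inherited by higher Levels, and a rule applies to every command that starts with it) can be modelled to review what a set of privilege lines actually grants. The following is an added example, not part of the manual or of the switch software: the function names are hypothetical, the rules are the four privilege lines from the sample above, and it assumes that the all keyword covers every command of the mode and that commands are typed in full rather than abbreviated.

```python
ADMIN_LEVEL = 15
# Per the manual, Level 0-14 accounts can use these in Privilege Exec View
# mode before any privilege rule is configured.
DEFAULT_VIEW_COMMANDS = ("exit", "help")

# The four rules configured in the sample above.
SAMPLE_RULES = """\
privilege view level 0 enable
privilege enable level 0 show
privilege enable level 1 clock
privilege enable level 1 configure terminal
"""


def parse_privilege_rules(text):
    """Parse `privilege <mode> level <0-15> <command ...>` lines.

    Returns a list of (mode, level, command_words) tuples; other lines are skipped.
    """
    rules = []
    for raw in text.splitlines():
        words = raw.split()
        if len(words) < 5 or words[0] != "privilege" or words[2] != "level":
            continue
        if not words[3].isdigit() or not 0 <= int(words[3]) <= 15:
            continue
        rules.append((words[1], int(words[3]), tuple(words[4:])))
    return rules


def is_allowed(rules, user_level, mode, command):
    """Decide whether a user of user_level may run `command` in `mode`."""
    if user_level >= ADMIN_LEVEL:
        return True  # Level 15 has Read-Write right
    typed = tuple(command.split())
    if not typed:
        return False
    if mode == "view" and typed[0] in DEFAULT_VIEW_COMMANDS:
        return True
    for rule_mode, rule_level, rule_words in rules:
        # A rule applies to its own Level and to every higher Level.
        if rule_mode != mode or rule_level > user_level:
            continue
        # Assumption: `all` covers every command of the mode. Otherwise the
        # rule covers every command that starts with the configured words.
        if rule_words == ("all",) or typed[:len(rule_words)] == rule_words:
            return True
    return False


def exposure(rules, user_level, mode, sensitive_commands):
    """Return the commands from sensitive_commands that the Level can run."""
    return [c for c in sensitive_commands
            if is_allowed(rules, user_level, mode, c)]


if __name__ == "__main__":
    rules = parse_privilege_rules(SAMPLE_RULES)
    watched = ["show running-config", "reload", "write memory"]
    for level in (0, 1, 15):
        print(level, exposure(rules, level, "enable", watched))
```

With the sample rules, granting show at Level 0 also grants show running-config, which displays the enable password unless it is stored in encrypted form.
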

4.1.6 Limiting the number of users

In SURPASS hiD 6610, you can limit the number of users accessing the switch. Here, users means those who access the switch through both the console port and remote connections. If the switch is configured as RADIUS server or TACACS+ server, the users accessing the server are included in that number.

To limit the number of users accessing to the switch, use the following command.

Command Mode Function

login connect <1-8> Global Limits the number of users accessing to the switch.


Information

By default, SURPASS hiD 6610 limits the number of users to 8.

4.1.7 Telnet Access

To connect to a system by telnet from a remote place, use the following commands.

Command   Mode   Function
telnet destination   Enable   Connects with IP address or hostname of another system.
telnet destination port-number   Enable   Connects with the specified port of another system.

Note

When you save the configuration over a telnet connection, you should wait for the [OK] message. Otherwise, all new configurations will be deleted when the telnet session is disconnected. Please wait for the [OK] message and then disconnect.

SWITCH# write memory
Building configuration...
[OK]
SWITCH#

4.1.8 Disconnecting Telnet Access

The administrator of SURPASS hiD 6610 can check the users connected from a remote place and disconnect some of them as needed. To view the tty of users connected from a remote place before disconnecting a user, use the following command.

Command Mode Function

where Enable/Global Shows users connected through telnet.

To disconnect a user connected from a remote place by using this information, use the following command.

Command Mode Function

disconnect tty Global Disconnects a user connected from remote place.


The following is an example of checking the remote users and disconnecting the remote user “ttyp1”. The name at the start of each line is the user’s ID.

SWITCH(config)# where
admin at ttyS0 from console for 23 hours 50 minutes 17.27 seconds
admin at ttyp0 from 172.16.30.2:3246 for 4 hours 31 minutes 46.65 seconds
hyun at ttyp1 from 172.16.119.201:2633 for 2 hours 31 minutes 51.61 seconds
SWITCH(config)# disconnect ttyp1
SWITCH(config)#

4.1.9 System Rebooting

(1) Passive System Rebooting

After downloading a new system image from a TFTP/FTP server, reboot the system. In other cases when rebooting is needed while installing and managing the switch through a terminal program, input the reload command in Privilege Exec Enable Mode to reboot.

Command Mode Function

reload Enable Reboots system.

On the other hand, SURPASS hiD 6610 can support Dual-OS depending on the configured Flash Memory. Single-OS is provided when Flash Memory is 8M+16M and Dual-OS is provided when Flash Memory is 8M+32M. It is possible to check Flash Memory with the show system command. To reboot in Dual-OS, use the following command.

Command   Mode   Function
reload {os1 | os2}   Enable   Reboots system by selecting NOS.

If you reboot the system without saving a new configuration, the new configuration will be deleted. So, you have to save the configuration before rebooting. To prevent that mistake, SURPASS hiD 6610 prints the following message asking whether the user really wants to reboot without saving the configuration.

If you want to continue to reboot, press the “y” key; if you want to save the new configuration, press the “n” key.

SWITCH# reload
Warning : Changed configuration was not saved to flash memory.
Do you still want to reload the system?[y|N]


(2) Auto System Rebooting

SURPASS hiD 6610 reboots the system according to the user’s configuration. There are two bases for system rebooting: CPU and Memory. On the CPU basis, the system is rebooted when CPU Load or Interrupt Load continues for the configured time. On the Memory basis, the system is automatically rebooted when Memory low occurs the configured number of times.

The following is to configure system rebooting function.

Command   Mode   Function
auto-reset cpu cpu-load-average interrupt-load-average time   Bridge   Configures to reboot automatically in case cpu-load-average or interrupt-load-average persists for the configured time.
auto-reset memory time-threshold-of-memory-low count-of-memory-low   Bridge   Configures to reboot automatically in case Memory low occurs as count-of-memory-low for time-threshold-of-memory-low.
no auto-reset {cpu | memory}   Bridge   Deletes auto system rebooting.

Information

The configurable range for cpu-load-average is from 50 to 100 and for interrupt-load-average is from 1 to 100.

Information

The configurable range for time-threshold-of-memory-low is from 1 to 120 and for count-of-memory-low is from 1 to 10.

Information

The default for Time threshold of memory low is 10 minutes and the default for count of memory low is 5 times.

To show auto system rebooting, use the following command.

Command Mode Function

show auto-reset {cpuㅣmemory} Enable/Global/Bridge Shows auto system rebooting.


[ Sample Configuration 1 ]

The following is to configure to reboot automatically in case CPU Load continues as 70% and Interrupt Load as 70% for a minute.

SWITCH(bridge)# auto-reset cpu 70 70 1
SWITCH(bridge)# show auto-reset cpu
------------------------------
Auto-Reset Configuration(CPU)
------------------------------
auto-reset: on
cpu load: 70
interrupt load: 70
continuation time: 1

SWITCH(bridge)#

[ Sample Configuration 2 ]

The following is to configure to reboot automatically in case Memory low occurs 3 times in 10 minutes.

SWITCH(bridge)# auto-reset memory 10 3
SWITCH(bridge)# show auto-reset memory
---------------------------------
Auto-Reset Configuration(Memory)
---------------------------------
auto-reset : enabled
time threshold : 10
admin reboot count : 3

SWITCH(bridge)#

4.1.10 System Logout

It is possible to log out of the system in Privilege Exec View mode or Privilege Exec Enable mode. Therefore, if you are configuring in another mode, you should return to Privilege Exec Enable mode to log out. To log out of the system, use the following command.

Command Mode Function

exit View/Enable Logs out of the system.


4.2 Assigning IP Address

The switch uses only the data’s MAC address to determine where traffic comes from and which ports should receive the data. Switches do not need IP addresses to transmit packets. However, if you want to access SURPASS hiD 6610 from a remote place with TCP/IP through SNMP or telnet, it requires an IP address.

Information

By default, SURPASS hiD 6610 is configured with virtual interface 1 and all of the ports are member ports of virtual interface 1.

You can enable an interface to communicate with the switch interface on the network and assign an IP address in the following order.

□ Enabling Interface

□ Disabling Interface

□ Assigning IP Address to Network Interface

□ Configuring Static Route and Default Gateway

4.2.1 Enabling Interface

Before you assign an IP address to a network interface, you need to verify that the interface used for communication is enabled. Unless the interface is enabled, you cannot communicate even if you assign an IP address. To check whether the interface is enabled, use the command “show running-config”.

The following is an example of checking if interface is enabled.

SWITCH# show running-config
Building configuration...
(omitted)
interface noshutdown lo
!
interface noshutdown default
(omitted)
SWITCH#


Information

The VLAN name of interface 1 is default.

There are two ways to enable an interface: in Global Configuration Mode and in Interface Configuration Mode.

(1) On Global Configuration Mode

To enable interface on Global Configuration Mode, use the following command.

Command Mode Function

interface noshutdown interface-name Global Enables specified interface.

Information

For plural interfaces, use “-“ or “, ” at “interface-name”.

(2) On Interface Configuration Mode

You can also enable an interface in Interface configuration mode. Before enabling the interface in Interface Configuration Mode, you should enter the mode. To enter Interface Configuration Mode of the interface you are about to enable, use the following command.

Command Mode Function

interface interface-name Global Enters into Interface configuration mode of specified interface.

And, enable the interface by using the following command.

Command Mode Function

no shutdown Interface Enables interface.

4.2.2 Disabling Interface

To disable interface, use the following commands on each mode.


(1) On Global Configuration Mode

To disable interface on Global configuration mode, use the following command.

Command Mode Function

interface shutdown interface-name Global Disables specified interface.

Information

For plural interfaces, use “-“ or “, ” at “interface-name”.

(2) On Interface Configuration Mode

You can also disable an interface in Interface configuration mode. Before disabling the interface in Interface configuration mode, you should enter the mode.

To enter Interface configuration mode of the interface you are about to disable, use the following command.

Command Mode Function

interface interface-name Global Enters into Interface configuration mode of specified interface.

And, to disable the interface, use the following command.

Command Mode Function

shutdown Interface Disables interface.


4.2.3 Assigning IP Address to Network Interface

After enabling the interface, assign an IP address. To assign an IP address to a network interface, use the following commands.

Command   Mode   Function
ip address address/M   Interface   Sets IP address of an Interface.
ip address address/M scope {host | link}   Interface   Sets link/host IP address. Link means IP address only for the appropriate network and Host means IP address only for the appropriate equipment.
ip address address/M secondary   Interface   Sets secondary IP address of an Interface.

To verify assigned IP address, use the following command.

Command Mode Function

show ip Interface Shows assigned IP address in interface.

To disable the assigned IP address, use the following commands.

Command   Mode   Function
no ip address   Interface   Clears all of IP address of an Interface.
no ip address address/M   Interface   Clears designated IP address of an Interface.
no ip address address/M secondary   Interface   Assigns secondary IP address.

4.2.4 Configuring Static Route and Default Gateway

It is possible to configure a static route in SURPASS hiD 6610. A static route is a route that the user configures. Packets are transmitted to the destination through the static route. A static route includes the destination address, the neighbor router that receives the packet, and the number of routes that packets have to go through.


To configure static route, use the following commands.

Command   Mode   Function
ip route ip-address prefix-mask {ip-gateway-address | null} [1-255]   Global   Configures static route.
ip route ip-address/m {ip-gateway-address | null} [<1-255>]   Global   Configures static route.
ip route ip-address/m {ip-gateway-address | null} src ip-address   Global   Configures static route.

To configure default gateway, use the following command in Configuration mode.

Command Mode Function

ip route default { ip-address |interface-name} [<1-255>] Global Configures default gateway.

To view configured static route, use the following command.

Command   Mode   Function
show ip route [bgp | connected | kernel | ospf | rip | static | ip-address | ip-address/m | summary]   Enable/Global   Shows configured static route.

To delete configured static route, use the following commands.

Command   Mode   Function
no ip route ip-address ip-address {ip-address | interface-name} [1-255]   Global   Deletes configured static route.
no ip route ip-address/m {ip-address | interface-name} [1-255]   Global   Deletes configured static route.

To delete configured default gateway, use the following commands.

Command Mode Function

no ip route default { ip-address |interface-name} [<1-255>] Global Deletes default gateway.

You can configure the maximum number of paths when there are multiple paths. To configure the maximum number of paths, use the following command.

Command   Mode   Function
ip maximum-paths <1-8>   Global   Designates the maximum number of paths.


4.2.5 Sample Configuration

[ Sample Configuration 1 ]

The following are examples of enabling interface 1 in two ways.

① On Configuration Mode

SWITCH# configure terminal
SWITCH(config)# interface noshutdown 1
SWITCH(config)#

② On Interface Configuration Mode

SWITCH# configure terminal
SWITCH(config)# interface 1
SWITCH(config-if)# no shutdown
SWITCH(config-if)#

[ Sample Configuration 2 ]

The following is an example of assigning IP address 192.168.1.10 to interface 1.

SWITCH(config-if)# ip address 192.168.1.10/16
SWITCH(config-if)# show ip
IP-Address Scope Status
-------------------------------------
192.168.1.10/16 global

SWITCH(config-if)#

[ Sample Configuration 3 ]

The following is an example of configuring default gateway.

SWITCH# configure terminal
SWITCH(config)# ip route default 192.168.1.254
SWITCH(config)#


4.3 SSH

Network security is becoming more and more important as network use becomes widespread among users. However, typical FTP and telnet services have serious security weaknesses. SSH (Secure Shell) is a secure shell for login. Through SSH, all data is encrypted and traffic is compressed, so the transmission rate becomes faster, and tunneling is supported for existing services such as FTP and POP, which are not secure.

4.3.1 Operating SSH Server

SURPASS hiD 6610 can be operated as an SSH server. You can configure the following on SURPASS hiD 6610 as an SSH server.

□ Enabling SSH Server

□ Viewing on-line Clients

□ Disconnecting Clients

□ Viewing Connection History of Clients

(1) Enabling SSH Server

To enable SSH server, use the following command.

Command Mode Function

ssh server enable Global Enables SSH server.

To disable SSH server, use the following command.

Command Mode Function

ssh server disable Global Disables SSH server.


(2) Viewing On-line Clients

It is possible to view the clients that are connected to the SSH server, SURPASS hiD 6610. To view on-line clients, use the following command.

Command Mode Function

show ssh Enable/Global Shows clients who are connected to SSH server.

The following is an example of viewing clients who are connected to SSH server.

SWITCH# show ssh
connected clients : 001
num pid ppid srv_usr remote_ip Start_Time SPrevileged_Time
001 731 96 root 100.10.14.20 Fri Mar 7 04:23:51 1980 --------
SWITCH#

(3) Disconnecting Clients

It is possible to disconnect clients that are connected to the SSH server. To disconnect a client, use the following command.

Command Mode Function

ssh disconnect pid Global Disconnects clients who are connected to SSH server.

Information

“pid” is SSH client’s number. It can be displayed by using the command, “show ssh”.

(4) Checking Connection History of Client

It is possible to view the connection history of clients that have connected to the SSH server since SURPASS hiD 6610 started operating as the server. To view the connection history of clients, use the following command.

Command Mode Function

ssh debug Global Shows connection history of clients who are connected to SSH server up to now.


Information

When you use the command “ssh debug” to view connection history, you can view the history of only disconnected clients. To view the clients connected at present, use the command “show ssh”.

4.3.2 Using Client

SURPASS hiD 6610 can be used in the following ways as a client of an SSH server.

□ Login to SSH Server

□ File Copy

□ Configuring Authentication Key

□ Connecting to FTP

(1) Login to SSH Server

To log in to SSH server after configuring SURPASS hiD 6610 as SSH client, use the following command.

Command Mode Function

ssh login destination Global Accesses to SSH server.

Information

You can input IP address or 「 ID@IP address or host domain name(ex : [email protected]) 」 at “destination”.

(2) File Copy

It is possible to copy a file to the server, or open a file on it, through SSH after SURPASS hiD 6610 is configured as a client. To copy a file through SSH, use the following command.

Command Mode Function

ssh copy source destination Global Connects to file through SSH. “source” is source file and “destination” is file to be copied.


Information

You need to input 「ID@host:file name」 at “source” or “destination”. But if the IP address of the user’s switch is the host of “source” or “destination”, you can input only the file name.

The following is an example of copying the file named “etc/startup.post” to the SSH server, 172.16.209.10, under the file name “startup.post”.

Information

User should know the password of ID, “root”.

SWITCH(config)# ssh copy /etc/startup.post [email protected]:startup.post
[email protected]'s password:
startup.post 100% |*****************************| 782 00:00
SWITCH(config)#

(3) Configuring Authentication Key

An SSH client can access the server through an authentication key after configuring the authentication key and informing the server of it. It is safer to use an authentication key than to input a password every time for login, and it is also possible to connect to many SSH servers using one authentication key. To configure an authentication key in SURPASS hiD 6610, use the following command.

Command Mode Function

ssh keygen {dsa | rsa | rsa1} Global Configures authentication key.

Information

“rsa1” is the authentication method supported in ssh1, and “rsa” and “dsa” are the authentication methods supported in ssh2.

To configure an authentication key and connect to the server with the authentication key, perform the following steps.

Step 1 Configure the authentication key in the user’s switch.


The following is an example of configuring the passphrase “networks” for an authentication key of the dsa type on SWITCH A.

SWITCH_A(config)# ssh keygen dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/etc/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):networks
Enter same passphrase again:networks
Your identification has been saved in /etc/.ssh/id_dsa.
Your public key has been saved in /etc/.ssh/id_dsa.pub.
The key fingerprint is:
d9:26:8e:3d:fa:06:31:95:f8:fe:f6:59:24:42:47:7e root@hiD6610
SWITCH_A(config)#

(/etc/.ssh/id_dsa.pub: stored directory and file name)

Step 2 Copy the file in which the authentication key is stored to SWITCH B, which is the SSH server. You must connect to SWITCH B to copy it, so you have to input the password of ID “root”. Here, the IP address of SWITCH B is 172.16.209.10.

SWITCH_A(config)# ssh copy /etc/.ssh/id_dsa.pub [email protected]:/etc/.ssh/authorized_keys
The authenticity of host '172.16.209.10 (172.16.209.10)' can't be established.
RSA key fingerprint is ea:af:c8:e9:3f:4f:22:1c:61:2e:2b:9d:0a:f6:2b:7e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.209.10' (RSA) to the list of known hosts.
[email protected]'s password:
id_dsa.pub 100% |***********************************************| 600 00:00
SWITCH_A(config)#

Step 3 Connect to SSH server with authentication key.

SWITCH_A(config)# ssh login 172.16.209.10
Enter passphrase for key '/etc/.ssh/id_dsa': networks
SWITCH_B#

(4) Connecting to FTP

Typical FTP service has weak points in security. With SSH, however, it is possible to use FTP safely. To connect to FTP using SSH, use the following command.

Command Mode Function

ssh ftp destination Global Connects to FTP using SSH.


Information

You can input IP address or 「 ID@IP address or host domain name(ex : [email protected]) 」 at “destination”.

4.3.3 Sample Configuration

[ Sample Configuration 1 ] Enabling SSH Server

The following is an example of confirming the configuration after enabling SSH server.

SWTICH(config)# ssh server enable
Generating SSH public/private RSA1 key ...
Generating SSH public/private RSA key ...
Generating SSH public/private DSA key ...
SSH Server start!
SWTICH(config)# show ssh
connected clients : 000
num pid ppid srv_usr remote_ip Start_Time SPrevileged_Time

SWTICH(config)#

[ Sample Configuration 2 ] Disconnecting the clients

The following is an example of viewing client’s number and having the clients disconnected.

SWITCH# show ssh
connected clients : 001
num pid ppid srv_usr remote_ip Start_Time SPrevileged_Time
001 150 96 root 203.236.124.89 Wed Mar 5 15:40:55 1980 ---------
SWITCH# config terminal
SWITCH(config)# ssh disconnect 150
SWITCH(config)# show ssh
connected clients : 000
num pid ppid srv_usr remote_ip Start_Time SPrevileged_Time
SWITCH(config)#


[ Sample Configuration 3 ] Viewing connection History of clients

The following is an example of viewing connection history of clients.

SWITCH(config)# ssh debug
history clients : 015
num pid ppid srv_usr remote_ip Start_Time SPrevileged_Time
001 235 96 admin 202.26.10.29 Thu Mar 6 09:54:15 1980 Thu Mar 6 09:55:47 1980
002 269 96 admin 172.16.10.1 Thu Mar 6 09:58:30 1980 Thu Mar 6 10:00:00 1980
003 297 96 admin 172.16.10.1 Thu Mar 6 10:00:46 1980 Thu Mar 6 10:28:39 1980
004 441 96 admin 172.16.10.1 Thu Mar 6 10:46:44 1980 Thu Mar 6 10:46:46 1980
005 487 96 admin 172.16.20.10 Thu Mar 6 11:42:13 1980 Thu Mar 6 11:47:56 1980
006 500 96 admin 172.16.20.10 Thu Mar 6 11:59:06 1980 Thu Mar 6 12:00:32 1980
007 511 96 admin 172.16.9.10 Thu Mar 6 12:03:42 1980 Thu Mar 6 12:03:43 1980
008 258 96 admin 202.6.14.20 Thu Mar 6 09:56:17 1980 Thu Mar 6 12:07:52 1980
009 640 96 admin 172.16.21.55 Thu Mar 6 16:31:02 1980 Thu Mar 6 16:31:02 1980
010 646 96 admin 10.10.21.61 Thu Mar 6 16:34:27 1980 Thu Mar 6 16:35:49 1980
011 656 96 admin 100.16.21.61 Thu Mar 6 16:39:37 1980 Thu Mar 6 16:39:37 1980
012 660 96 admin 172.16.21.61 Thu Mar 6 16:39:59 1980 Thu Mar 6 16:40:06 1980
013 669 96 admin 172.16.21.61 Thu Mar 6 16:41:45 1980 Thu Mar 6 16:41:45 1980
014 673 96 admin 172.16.21.61 Thu Mar 6 16:42:05 1980 Thu Mar 6 16:55:13 1980
015 731 96 admin 202.2.24.19 Fri Mar 7 04:23:51 1980 Fri Mar 7 04:33:23 1980
SWITCH(config)#
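
An added example (not from the manual) of reviewing saved “ssh debug” and “show ssh” output offline: it parses the rows shown in the samples above, computes session length, and flags sources outside a management range and sessions that closed almost immediately. The 172.16.0.0/16 range, the 2-second threshold, the function names, and reading the second timestamp as the time the session ended are assumptions; the manual does not define that column.

```python
import ipaddress
from datetime import datetime

MONTHS = {name: i for i, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Rows copied from the "ssh debug" and "show ssh" samples in this manual.
# The last row is a still-connected client ("show ssh" prints dashes).
SAMPLE = """\
history clients : 015
num pid ppid srv_usr remote_ip Start_Time SPrevileged_Time

001 235 96 admin 202.26.10.29 Thu Mar 6 09:54:15 1980 Thu Mar 6 09:55:47 1980
003 297 96 admin 172.16.10.1 Thu Mar 6 10:00:46 1980 Thu Mar 6 10:28:39 1980
004 441 96 admin 172.16.10.1 Thu Mar 6 10:46:44 1980 Thu Mar 6 10:46:46 1980
009 640 96 admin 172.16.21.55 Thu Mar 6 16:31:02 1980 Thu Mar 6 16:31:02 1980
011 656 96 admin 100.16.21.61 Thu Mar 6 16:39:37 1980 Thu Mar 6 16:39:37 1980
001 731 96 root 100.10.14.20 Fri Mar 7 04:23:51 1980 --------
"""


def _timestamp(tok):
    """Parse ['Thu', 'Mar', '6', '09:54:15', '1980'] without locale-dependent strptime."""
    hour, minute, second = (int(x) for x in tok[3].split(":"))
    return datetime(int(tok[4]), MONTHS[tok[1]], int(tok[2]), hour, minute, second)


def parse_sessions(text):
    """Turn the table rows into dicts; header, blank and damaged lines are skipped."""
    sessions = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 10 or not tok[0].isdigit():
            continue
        try:
            session = {
                "pid": int(tok[1]),
                "user": tok[3],
                "src": ipaddress.ip_address(tok[4]),
                "start": _timestamp(tok[5:10]),
                # Assumption: the second timestamp is when the session ended.
                "end": _timestamp(tok[10:15]) if len(tok) >= 15 else None,
            }
        except (KeyError, ValueError):
            continue  # row damaged in transit, e.g. a truncated timestamp
        sessions.append(session)
    return sessions


def duration_seconds(session):
    """Session length in seconds, or None while the client is still connected."""
    if session["end"] is None:
        return None
    return int((session["end"] - session["start"]).total_seconds())


def review(sessions, mgmt_networks, short_seconds=2):
    """Return (pid, reason) pairs that deserve a second look."""
    nets = [ipaddress.ip_network(n) for n in mgmt_networks]
    findings = []
    for s in sessions:
        if not any(s["src"] in net for net in nets):
            findings.append((s["pid"], "source outside management networks"))
        secs = duration_seconds(s)
        if secs is not None and secs <= short_seconds:
            findings.append((s["pid"], "session closed within %d s" % short_seconds))
    return findings


if __name__ == "__main__":
    for pid, reason in review(parse_sessions(SAMPLE), ["172.16.0.0/16"]):
        print(pid, reason)
```

Because “ssh debug” lists only disconnected clients, feed the output of both commands to the parser to cover current sessions as well.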

[ Sample Configuration 4 ] Connecting to the server as a client

The following is an example of connecting to SSH server, 172.16.209.10. When you use the command below, a message asking whether or not to connect is displayed.

SWITCH(config)# ssh login 172.16.209.10
The authenticity of host '172.16.209.10 (172.16.209.10)' can't be established.
RSA key fingerprint is ea:af:c8:e9:3f:4f:22:1c:61:2e:2b:9d:0a:f6:2b:7e.
Are you sure you want to continue connecting (yes/no)?


In this case, if you want to connect to the server, type “yes”. Then a message asking for the password is displayed. Input “root” to connect.

SWITCH(config)# ssh login 172.16.209.10
The authenticity of host '172.16.209.10 (172.16.209.10)' can't be established.
RSA key fingerprint is ea:af:c8:e9:3f:4f:22:1c:61:2e:2b:9d:0a:f6:2b:7e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.209.10' (RSA) to the list of known hosts.
[email protected]'s password:
SWITCH(config)#

All the above messages are displayed only for the first connection. After the first connection, known-host is created. Then you can connect to the server with only the password.

The following is an example of connecting to a server for which known-host has been created.

SWITCH(config)# ssh login 172.16.209.10
[email protected]'s password:
SWITCH(config)#

[ Sample Configuration 5 ] Copying the file

The following is an example of storing “etc/startup.post” on the SSH server whose IP address is 172.16.209.10 as “startup.post”.

Information

The user should know the password of “admin”.

SWITCH(config)# ssh copy /etc/startup.post [email protected]:startup.post
[email protected]'s password:
startup.post 100% |*****************************| 782 00:00
SWITCH(config)#


[ Sample Configuration 6 ] Accessing to FTP

The following is an example of connecting to FTP server, 172.16.100.10, using SSH. When you use the command below, a message asking whether or not to connect is displayed.

SWITCH(config)# ssh ftp 172.16.100.10
Connecting to 172.16.100.10...
The authenticity of host '172.16.100.10 (172.16.100.10)' can't be established.
RSA key fingerprint is f0:e6:76:8f:39:79:25:16:cb:8e:b6:84:24:f7:ec:10.
Are you sure you want to continue connecting (yes/no)?

In this case, type “yes” to connect to the server. Then a message asking for the password is displayed. You need to input the password of the FTP server to connect to the server.

SWITCH(config)# ssh ftp 172.16.100.10
Connecting to 172.16.100.10...
The authenticity of host '172.16.100.10 (172.16.100.10)' can't be established.
RSA key fingerprint is f0:e6:76:8f:39:79:25:16:cb:8e:b6:84:24:f7:ec:10.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 172.16.100.10' (RSA) to the list of known hosts.
[email protected]'s password:
sftp>

All the above messages are displayed only for the first connection. After the first connection, known-host is created. Then you can connect to the server with only the password.

The following is an example of connecting to a server for which known-host has been created.

SWITCH(config)# ssh ftp 172.16.100.10
Connecting to 172.16.100.10...
[email protected]'s password:
sftp>

4.4 Port-Based Authentication (802.1x)

SURPASS hiD 6610 restricts clients attempting to access a port by 802.1x port-based authentication to enhance security and portability of network management. When a client attempts to connect to a port on which 802.1x port-based authentication is enabled, the switch transfers the required information to the RADIUS server for authentication. The RADIUS server retains a database of authorized clients who can access the port.


The switch acts as an intermediary between the client and the authentication server, requesting identity information from the client, verifying that information with the authentication server, and relaying a response to the client. Therefore, only an authorized client who has the access right can connect to the port.

The picture below briefly shows the process of port-based authentication.

PC [ Supplicant ] --- EAPOL (EAP over LAN) --- Switch [ Authenticator ] --- EAP over RADIUS --- RADIUS Server [ Authentication Server ]

Supplicant / Authenticator      Authenticator / Authentication Server
EAPOL-Start
EAP-Request/Identity
EAP-Response/Identity           Radius-Access-Request
EAP-Request                     Radius-Access-Challenge
EAP-Response                    Radius-Access-Request
EAP-Success                     Radius-Access-Accept

【 Figure 4-1 】Process of 802.1x Port-Based Authentication

To enable 802.1x port-based authentication on a port of SURPASS hiD 6610, you must be able to perform the following tasks.

□ Configuring Authentication Port

□ Configuration of Port-Control

□ Confirming Configuration of 802.1x Port-Based Authentication

□ 802.1x Reauthentication

□ Configuring Port-based 802.1x Authentication


□ Client Authentication through MAC address

□ Confirming and deleting 802.1x user authentication statistics

□ Releasing 802.1x Port-Based Authentication

□ Sample Configuration

4.4.1 Configuring Authentication Port

User should configure which port to be used for 802.1x Port-Based Authentication.

To do it, use the following command.

Command Mode Function

dot1x system-auth-control Global Configures port of 802.1x port-based authentication.

4.4.2 Configuration of Port-Control

In SURPASS hiD 6610, you can permit users requesting access regardless of the authentication result from the RADIUS server. For example, even though a client is authenticated by the server, it is possible to configure the port so that the client is not authenticated.

To manage the approval for the designated port, use the following command.

Command Mode Function

dot1x port-control {auto | force-authorized | force-unauthorized} port-number Global Configures the authentication for the port.

“auto” means to follow the authentication of the RADIUS server. “force-authorized” gives the permit to a client even though the RADIUS server did not approve it. “force-unauthorized” does not authenticate a client even though the RADIUS server authenticates it.

Information

Default is “auto”.


To delete the configuration for port-control, use the following command.

Command Mode Function

no dot1x port-control port-number Global Releases the configuration for port-control.

4.4.3 Confirming Configuration of 802.1x Port-Based Authentication

After configuring 802.1x port-based authentication as explained above, the user can confirm the contents. To confirm the configuration of 802.1x, use the following command.

Command Mode Function

show dot1x port-number Enable/Global Shows configuration of 802.1x.

4.4.4 802.1x Reauthentication

In case the configuration for authentication does not operate well, the administrator can restart the authentication on the port without rebooting. To reauthenticate on the port, use the following command.

Command Mode Function

dot1x initialize port-number Global Starts 802.1x Reauthentication.

4.4.5 Configuring Port-based 802.1x Authentication

Port-based 802.1x authentication authenticates the port itself regardless of the number of clients.

After enabling the 802.1x daemon, configure port-based authentication as follows.

□ Configuring authentication port

□ Configuring RADIUS server

□ Configuring reattempt interval of Authentication request

□ Configuring a term of re-authentication

□ Immediate Implementing Reauthentication

□ Initiating the authentication


(1) Configuring Authentication Port

After enabling the 802.1x daemon, the user should configure which port is to be used for 802.1x Port-Based Authentication. To do it, use the following command.

Command Mode Function

dot1x nas-port port-number Global Configures port of 802.1x port-based authentication.

Information

It is possible to configure more than one port-number by using “,” or “-”.

Ex) dot1x nas-port 1,3,4 or dot1x nas-port 2-6

To release configured port of 802.1x port-based authentication, use the following command in Configuration mode.

Command Mode Function

no dot1x nas-port port-number Global Releases configured port of 802.1x port-based authentication.

(2) Configuring RADIUS Server

After enabling 802.1x port-based authentication on a port of SURPASS hiD 6610, there must be a RADIUS server that retains data about authorized clients who have the access right. After configuring the port for 802.1x port-based authentication, the user has to configure the IP address of the RADIUS server to be used for the user’s device and the key value.

To configure IP address of RADIUS server and key value, use the following command.

Command Mode Function

dot1x radius-server host {ip-address | name} auth-port <0-65535> key key Global Registers RADIUS server with key value and UDP port of RADIUS server.

dot1x radius-server host {ip-address | name} key key Global Configures IP address of RADIUS server and key value.


Information

<0-65535> is the value for UDP port.

Information

In SURPASS hiD 6610, the authentication port number is configured as 1812 by default.

Just as the RADIUS server is registered in the Authenticator, the Authenticator can also be registered in the RADIUS server. Besides registering each other’s IP address, the Authenticator and the RADIUS server need extra data to authenticate each other. This data is the Key, and it must be the same value on both sides. Any kind of character can be used for the Key value except the space or special characters. If you register several servers, the authentication request starts from the RADIUS server registered first, and then goes to the second RADIUS server in case there’s no response. The authentication request is tried in the order of registration, and the server which responds to it becomes the Default server from the point of response time. After the Default server is designated, all requests start from that RADIUS server. If there’s no response from the Default server again, the authentication request is tried with the RADIUS server designated as the next one.

PC [ Supplicant ] --- SURPASS hiD 6610 [ Authenticator ] --- RADIUS server [ Authentication server ]

RADIUS servers (in the order of registration); authentication requests follow this order:
A : 10.1.1.1
B : 20.1.1.1
C : 30.1.1.1
:
J : 100.1.1.1

The RADIUS server that sends a response is configured as the Default RADIUS server.
【 Figure 4-2 】Multi Authentication Server
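
An added example (not the switch's own code) that models the two points above together: a reply only counts if its RADIUS Response Authenticator verifies under the shared Key (RFC 2865), and requests walk the registered servers until one answers and becomes the Default server. The server objects and keys are constructed; trying each server once, wrapping from the last registered server back to the first, and treating a reply signed with a different Key as no response are assumptions about hiD 6610 behaviour.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code, RFC 2865


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


class FakeServer:
    """Constructed stand-in for a RADIUS server; it always answers Access-Accept."""

    def __init__(self, secret, up=True):
        self.secret, self.up = secret, up

    def handle(self, ident, request_auth):
        if not self.up:
            return None  # the request times out
        attrs = b""
        auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, self.secret)
        return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


class Authenticator:
    """Switch-side model: registration order, Default server, reply check."""

    def __init__(self, registered):
        self.registered = list(registered)  # [(ip, key), ...] in registration order
        self.default = 0                    # index where requests start
        self.ident = 0

    def _valid(self, reply, ident, request_auth, key):
        if reply is None or len(reply) < 20:
            return False
        code, rid, length = struct.unpack("!BBH", reply[:4])
        if rid != ident or length != len(reply):
            return False
        expected = response_authenticator(code, rid, reply[20:], request_auth, key)
        return hmac.compare_digest(expected, reply[4:20])

    def request(self, network):
        """Try servers from the Default one onward; return (answering_ip, tried)."""
        tried = []
        for step in range(len(self.registered)):
            idx = (self.default + step) % len(self.registered)  # assumption: wraps
            ip, key = self.registered[idx]
            tried.append(ip)
            self.ident = (self.ident + 1) % 256
            request_auth = os.urandom(16)  # fresh random value per request
            reply = network[ip].handle(self.ident, request_auth)
            if self._valid(reply, self.ident, request_auth, key):
                self.default = idx  # the responder becomes the Default server
                return ip, tried
        return None, tried


def demo():
    """Servers A, B, C from Figure 4-2 with constructed keys and states."""
    key = b"constructed-shared-key"
    switch = Authenticator([("10.1.1.1", key), ("20.1.1.1", key), ("30.1.1.1", key)])
    network = {
        "10.1.1.1": FakeServer(key, up=False),     # A: down
        "20.1.1.1": FakeServer(b"different-key"),  # B: Key mismatch
        "30.1.1.1": FakeServer(key),               # C: healthy
    }
    first = switch.request(network)   # walks A, B, C; C becomes Default
    second = switch.request(network)  # starts at C
    network["30.1.1.1"].up = False
    network["10.1.1.1"].up = True
    third = switch.request(network)   # C is silent, so the next server is tried
    return first, second, third


if __name__ == "__main__":
    for answered, tried in demo():
        print("answered by", answered, "after trying", tried)
```

Server B is reachable the whole time, yet it is skipped exactly like a server that is down, which is how a Key mismatch shows up in practice.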


To delete the registered RADIUS server, use the following command.

Command Mode Function

no dot1x radius-server host ip-address Global Deletes the registered RADIUS server.

(3) Configuring the Priority for RADIUS server

In hiD 6610, you can configure the priority of the RADIUS servers that the user has configured.

Command Mode Function

dot1x radius-server move ip-address priority priority Global Configures the priority for the configured server.

(4) Configuring reattempt interval for requesting identity

In SURPASS hiD 6610, it is possible to specify how long the device waits for a client to send back a response/identity packet after the device has sent a request/identity packet. If the client does not send back a response/identity packet during this time, the device retransmits the request/identity packet.

To configure the number of seconds that the switch waits for a response to a request/identity packet, use the following command.

Command Mode Function

dot1x timeout tx-period <1-65535> port-number Global Sets reattempt interval for requesting request/identity packet.

To disable the interval for requesting identity, use the following command.

Command Mode Function

no dot1x timeout tx-period port-number Global Disables the interval for requesting identity.


Information

The default time is 30 seconds.

(5) Configuring the Number of Request for Authentication

After 802.1x port-based authentication is configured as explained above, when a user tries to connect to the port, the authentication process takes place among the user’s PC, the equipment acting as Authenticator, and the RADIUS server. It is possible to configure how many times the device acting as authenticator requests authentication from the RADIUS server.

Information

Authentication request means “Radius-Access-Request” in 【 authentication process for 802.1x user 】.

To configure the number of authentication requests in SURPASS hiD 6610, use the following command in Global mode.

Command Mode Function

dot1x radius-server retries number Global Configures the number of authentication requests to RADIUS server.

Information

In SURPASS hiD 6610, the authentication request is configured as three times by default.

(6) Configuring reattempt interval of Authentication request

In case there’s no response after SURPASS hiD 6610 requests authentication from the RADIUS server, the authentication request is reattempted as many times as configured above. However, the administrator needs to set the waiting period before the authentication request is reattempted.

For example, suppose the reattempt interval of authentication request is configured as 1000ms (1sec) and there’s no response for 1000ms; the authentication request will then be reattempted.


Information

Authentication request corresponds to “Radius-Access-Request” in 【 authentication process for 802.1x user 】.

Information

Reattempt interval of authentication request becomes effective only in case there’s no response to the request. For example, if the RADIUS server is down and there’s a response from other packets, the reattempt interval of authentication request is not supposed to take effect.

To configure reattempt interval of authentication request, use the following command in Global Configuration Mode.

Command Mode Function

dot1x timeout quiet-period <1-65535> port-number Global Configures reattempt interval of authentication request to RADIUS server.

Information

Unit of time interval is second.

Information

In SURPASS hiD 6610, reattempt interval of authentication request is configured as 60s by default.

Note

If the server is far away and the reattempt interval of authentication request is configured too short for the time a request packet takes to reach the server, authentication might not occur. Therefore, configure the reattempt interval of authentication request considering the distance to the server. If authentication often fails after configuration, check the reattempt interval of authentication request and configure enough time.

To release configured quiet-period, use the following command.

Command Mode Function

no dot1x timeout quiet-period port-number Global Release the configuration of configured quiet-period.


(7) Configuring Timeout for RADIUS server

In SURPASS hiD 6610, it is possible to set the time for the retransmission of packets to check the RADIUS server. If the RADIUS server is down and there’s a response from other packets, the switch waits for a response from the RADIUS server during the configured time before resending the request.

Command Mode Function

dot1x radius-server timeout seconds Global Sets the time for the retransmission of packets to RADIUS server.

(8) Configuring a term of re-authentication

The RADIUS server contains the database of users who have the access right. The database is updated in real time, so a user can lose the access right through an updated database even though he was once authenticated. In this case, even though the user can access the network, he should be authenticated again so that the changed database is applied. Besides, for various reasons in managing the RADIUS server and the 802.1x authentication port, the user is supposed to be re-authenticated at regular intervals. The administrator of SURPASS hiD 6610 can configure a term of re-authentication.

Information

Re-authentication is applied to EAPOL-start in 【 authentication process for 802.1x user 】.

To configure a term of re-authentication, use the following command in configuration mode.

Command Mode Function

dot1x timeout reauth-period <1-4294967295> port-number Global Sets the period between reauthentication attempts.

Information

The unit for the term of re-authentication is sec.


To disable a term of re-authentication, use the following command in configuration mode.

Command Mode Function

no dot1x timeout reauth-period port-number Global Deletes the period between reauthentication attempts

Information

In SURPASS hiD 6610, a term of re-authentication is configured as 1 hour (3600 sec) by default.

After configuring a term of re-authentication, use the following command to have clients authenticated periodically.

Command Mode Function

dot1x reauth-enable port-number Global Enables periodic 802.1x authentication.

To disable periodic re-authentication, use the following command in configuration mode.

Command Mode Function

no dot1x reauth-enable port-number Global Disables periodic 802.1x authentication

(9) Immediate Implementing Reauthentication

As described in (8) Configuring a term of re-authentication, even though the user can access the network, he should be authenticated again so that the changed database is applied. Besides, for various reasons in managing the RADIUS server and the 802.1x authentication port, the user is supposed to be re-authenticated at regular intervals.

However, there are some cases that call for immediate reauthentication. In SURPASS hiD 6610, it is possible to implement reauthentication immediately regardless of the configured time interval.

Command Mode Function

dot1x reauthenticate port-number Global Implements reauthentication regardless of the configured time interval.


(10) Initiating the authentication

The user can delete the configuration about the authentication one by one and initialize all the configuration to the default status. To initialize the configuration, use the following command in configuration mode.

Command Mode Function

dot1x default port-number Global Initializes all the configuration for authentication.

4.4.6 Client Authentication through MAC address

Suppose there’s a switch or a hub which is connected to SURPASS hiD 6610 and 802.1x user authentication is not supported for the equipment. If many clients are connected to the equipment and one client is authenticated by SURPASS hiD 6610, all clients which are connected to the authenticated equipment will automatically have the access authority.

In the following picture, SURPASS hiD 6610 is connected to SWITCH A, which is linked with Clients A, B, C and D, and 802.1x user authentication is not supported for SWITCH A. If Client A is authenticated through SWITCH A to get the access right, all clients which are connected to SWITCH A will have the right to access like Client A. Therefore, to authenticate only Client A, access by Clients B, C and D should be blocked. In this case, if SURPASS hiD 6610 allows the access right through MAC address, it is possible to authenticate only Client A.

RADIUS server --- SURPASS hiD 6610 --- SWITCH A --- Client A, Client B, Client C, Client D

SWITCH A: 802.1x user authentication is not supported for the switch.
Allowing 802.1X user authentication through SWITCH A (Client A): all clients can access SURPASS hiD 6610.

【 Figure 4-3 】Example of the Switch not supported 802.1x


Information

If a client is connected to the equipment and 802.1x user authentication is supported for the equipment, it is unnecessary to use MAC address to allow user authentication.

To give the access right for clients using MAC address, use the following command.

Command Mode Function

dot1x auth-mode mac-base port-number Global Configures to give the access right for clients using MAC address.

To stop giving the access right using MAC address, use the following command.

Command Mode Function

no dot1x auth-mode mac-base port-number Global Disables to give the access right using MAC address.

To show the authenticated MAC addresses on specific port, use the following command.

Command Mode Function

show dot1x mac_authed port-number Global Shows the authenticated MAC addresses.

4.4.7 Confirming and deleting 802.1x user authentication statistics

It is possible for the user to confirm the statistics of 802.1x user authentication and to reset them by deleting them. To confirm the statistics about the process of 802.1x user authentication, use the following command.

Command Mode Function

show dot1x statistics port-number Global Confirms the statistics of 802.1x user authentication on the port

To make reset state by deleting the statistics of 802.1x user authentication, use the following command.

Command Mode Function

dot1x clear statistic port-number Global Make Reset state by deleting the statistics of 802.1x on the port.


4.4.8 Releasing 802.1x user authentication

To release 802.1x user authentication and delete all configurations connected with user authentication, use the following command.

Command Mode Function

no dot1x system-auth-control Control Releases 802.1x user authentication configuration and deletes all configurations connected with user authentication.

Note

All the configuration connected to 802.1x is deleted by releasing the 802.1x function using the above command.

4.4.9 Sample Configuration

[Sample Configuration 1] Configuring port based authentication

The following is an example of confirming the configuration after configuring port number 4 as the authentication port and registering IP address of authentication port and information of RADIUS server.

SWTICH(config)# dot1x system-auth-control
SWTICH(config)# dot1x nas-port 4
SWTICH(config)# dot1x port-control force-authorized 4
SWTICH(config)# radius host 10.1.1.1 auth-port 4 key test
SWTICH(config)# show dot1x
802.1x authentication is enabled.

RADIUS Server : 10.1.1.1 (Auth key : test)

-------------------------------------------------------
           |         1         2         3         4
802.1x     |123456789012345678901234567890123456789012
-------------------------------------------------------
PortEnable |...p......................................
PortAuthed |...u......................................
MacEnable  |..........................................
MacAuthed  |..........................................
-------------------------------------------------------
p = port-based, m = mac-based, a = authenticated, u = unauthenticated
SWTICH(config)#


[Sample Configuration 2]

The following configures the reauthentication period as 1800 sec. and the quiet period as 1000 sec. on port 4.

SWITCH(config)# dot1x timeout quiet-period 1000 4
SWITCH(config)# dot1x timeout reauth-period 1800 4
SWITCH(config)# dot1x reauth-enable 4
SWITCH(config)# show dot1x 4
Port 4
SystemAuthControl : Enabled
ProtocolVersion : 0
PortControl : Force-Authorized
PortStatus : Unauthorized
ReauthEnabled : True
QuietPeriod : 1000
ReauthPeriod : 1800
SWITCH(config)#

[Sample Configuration 3]

The following is an example of confirming the configuration after configuring the authentication based

on MAC address.

SWITCH(config)# dot1x auth-mode mac-base 4
SWITCH(config)# show dot1x
802.1x authentication is enabled.

RADIUS Server : 10.1.1.1 (Auth key : test)

-------------------------------------------------------
           |         1         2         3         4
802.1x     |123456789012345678901234567890123456789012
-------------------------------------------------------
PortEnable |..........................................
PortAuthed |..........................................
MacEnable  |...m......................................
MacAuthed  |...u......................................
-------------------------------------------------------
p = port-based, m = mac-based, a = authenticated, u = unauthenticated

SWITCH(config)#
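The port map printed by show dot1x in Sample Configurations 1 and 3 can be decoded mechanically to check which access ports 802.1x actually covers. The following is an added example, not part of the manual or the switch software; the function names, the access_ports argument and the sample text are assumptions constructed for illustration.

```python
"""Decode the port map printed by "show dot1x" and audit 802.1x coverage."""

ROWS = ("PortEnable", "PortAuthed", "MacEnable", "MacAuthed")
AUTH_FLAG = {"a": True, "u": False}   # legend printed under the grid


def _row(label, marks, width=42):
    """Build one grid row for the constructed sample (port numbers are 1-based)."""
    cells = ["."] * width
    for port, flag in marks.items():
        cells[port - 1] = flag
    return f"{label:<11}|{''.join(cells)}"


# Constructed sample in the layout of the manual's output: port 4 is
# port-based and unauthenticated, port 6 is MAC-based and authenticated.
SAMPLE_SHOW_DOT1X = "\n".join([
    "802.1x authentication is enabled.",
    "-" * 55,
    "           |         1         2         3         4",
    "802.1x     |123456789012345678901234567890123456789012",
    "-" * 55,
    _row("PortEnable", {4: "p"}),
    _row("PortAuthed", {4: "u"}),
    _row("MacEnable", {6: "m"}),
    _row("MacAuthed", {6: "a"}),
    "-" * 55,
    "p = port-based, m = mac-based, a = authenticated, u = unauthenticated",
])


def parse_dot1x_grid(text):
    """Return {port: {"mode": "port" | "mac" | None, "authenticated": bool | None}}."""
    cells = {}
    for line in text.splitlines():
        label, sep, flags = line.partition("|")
        label = label.strip()
        if sep and label in ROWS:          # skips the ruler rows and the legend
            cells[label] = flags.strip()
    missing = [row for row in ROWS if row not in cells]
    if missing:
        raise ValueError("grid rows missing: " + ", ".join(missing))
    width = len(cells["PortEnable"])
    if any(len(flags) != width for flags in cells.values()):
        raise ValueError("grid rows have different widths (truncated capture?)")

    ports = {}
    for i in range(width):
        if cells["PortEnable"][i] == "p":
            mode, auth = "port", cells["PortAuthed"][i]
        elif cells["MacEnable"][i] == "m":
            mode, auth = "mac", cells["MacAuthed"][i]
        else:
            mode, auth = None, "."
        ports[i + 1] = {"mode": mode, "authenticated": AUTH_FLAG.get(auth)}
    return ports


def audit(ports, access_ports):
    """Split access_ports into (not covered by 802.1x, covered but unauthenticated)."""
    uncovered = [p for p in access_ports if ports.get(p, {}).get("mode") is None]
    pending = [p for p in access_ports
               if ports.get(p, {}).get("authenticated") is False]
    return uncovered, pending


if __name__ == "__main__":
    uncovered, pending = audit(parse_dot1x_grid(SAMPLE_SHOW_DOT1X), [1, 4, 6])
    print("no 802.1x on ports:", uncovered)
    print("enabled but unauthenticated:", pending)
```
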


4.5 System Authentication

SURPASS hiD 6610 provides enhanced security for client authentication, and the user can configure the authorization method in diverse ways.

Usually, the ID/password registered in the switch is used, but if you use RADIUS (Remote Authentication Dial-In User Service), which is a client authentication protocol, and TACACS+ (Terminal Access Controller Access Control System+), only clients recorded in each server can connect to the system.

【 Figure 4-4 】Process of System Authentication (diagram: a client connects to the SURPASS hiD 6610 through console or telnet; with RADIUS or TACACS+ configured, the switch sends the client information to the RADIUS server or the TACACS server for authorization; the server takes the authorization process according to configuration and sends the result)

You need to configure the following for system authentication in SURPASS hiD 6610.

Configuring Authorization Method

Designating Authentication Interface


Configuring Priority of Authorization Method

Checking Configured Priority of Authorization Method

Configuring RADIUS

Configuring TACACS+

Recording User’s Configuration

Sample Configuration

Note

To enable RADIUS or TACACS+, add a user with read rights named「user」by using the command “user add”. Otherwise, all users connecting through the authentication protocol receive「root」rights. Refer to「4.1.5 Managing the user’s account」for instructions on adding a user with read rights.

4.5.1 Configuring Authorization Method

You can authorize clients attempting to access SURPASS hiD 6610 by using the registered ID/password, RADIUS and TACACS+. You can enable all three or select one of them.

To configure authorization method, use the following commands.

Command Mode Function

login local {radius | tacacs | host | all} enable Global Configures authorization method for clients connecting through console.

login remote {radius | tacacs | host | all} enable Global Configures authorization method for clients connecting through telnet.

Information

“host” is authentication by using ID/password registered in switch. It is configured in SURPASS hiD 6610 by default.


To release a configured authorization method, use the following commands.

Command Mode Function

login local {radius | tacacs | host | all} disable Global Releases authorization method for clients connecting through console.

login remote {radius | tacacs | host | all} disable Global Releases authorization method for clients connecting through telnet.

4.5.2 Designating Authentication Interface

In a SURPASS hiD 6610 where over 2 interfaces or IP addresses are configured, when RADIUS or TACACS is used for authentication, the user can designate a specific interface or IP address as the packet destination.

To designate the authentication interface, use the following command.

Command Mode Function

login {radius | tacacs} interface interface-name [ip-address] Global Designates user authentication interface or IP address.

4.5.3 Configuring Priority of Authorization Method

After configuring authorization in diverse ways, you can configure the priority of the authorization methods, that is, which method is tried first, second or last.

To configure priority of authorization method, use the following commands.

Command Mode Function

login local {radius | tacacs | host} primary Global Configures priority of authorization method for clients connecting through console.

login remote {radius | tacacs | host} primary Global Configures priority of authorization method for clients connecting through telnet.


Information

By default, priority of SURPASS hiD 6610 authentication is set to “host → radius → tacacs” in order.

4.5.4 Checking Configured Priority of Authorization Method

User is able to check configured priority of authorization method. To do it, use the following command.

Command Mode Function

show login Enable/Global Shows configuration about authorization method.

4.5.5 Configuring RADIUS

(1) Configuring RADIUS Server

After configuring RADIUS for client authentication, you need to configure RADIUS server to be used in

switch. To configure RADIUS server, use the following command.

Command Mode Function

login radius server add ip-address key Global Registers IP address and key value of RADIUS server to be used in switch.

login radius server add ip-address key auth_port port-number acct_port port-number Global Configures RADIUS server with the authenticated port and Accounting port.

Information

“port-number” is to input port of RADIUS server connected to switch.

Information

You can configure maximum 5 RADIUS servers in SURPASS hiD 6610.


To delete registered RADIUS server, use the following command.

Command Mode Function

login radius server del ip-address Global Deletes registered RADIUS server

(2) Configuring the Priority for RADIUS server

It is possible to configure up to 5 RADIUS servers in hiD 6610. In the case of multiple RADIUS servers, you can give a priority to the servers. The server with the higher priority is used first. The smaller the number, the higher the priority.

Command Mode Function

login radius server move priority Global Gives the priority for configured RADIUS server.

Information

The priority is configured from 1 to 5.

(3) Configuring Frequency of Retransmit

When SURPASS hiD 6610 cannot get any response from RADIUS server, it is supposed to retransmit

request. By default, frequency of retransmit is three times, but user can configure the number of the

times. To configure frequency of retransmit, use the following command.

Command Mode Function

login radius retransmit count Global Configures the number of times to retransmit information to RADIUS server.

Information

You can configure the retransmit times from 1 to 10.


Information

The default is 3 times in SURPASS hiD 6610.

(4) Configuring Timeout of Response

In SURPASS hiD 6610, the number of seconds that the switch waits for a response from RADIUS

server is configured. User can configure it for convenience. To configure timeout of response, use the

following command.

Command Mode Function

login radius timeout time Global Configures the number of seconds that the switch waits for a response from RADIUS server.

Information

It is possible to configure the response time from 1 to 100 seconds.

Information

The default is 3 seconds in SURPASS hiD 6610.

4.5.6 Configuring TACACS+

(1) Configuring TACACS Server

After configuring TACACS+ for client authentication, you need to configure TACACS server to be used

in switch. To configure TACACS server, use the following command.

Command Mode Function

login tacacs server add ip-address key Global Registers IP address and key value of TACACS server to be used in switch.


And then, you should register interface of TACACS server connected to user’s switch. Use the following

command.

Command Mode Function

login tacacs interface interface-name [ip-address] Global Registers interface of TACACS server connected to user’s switch.

Information

“port-number” is to input interface of TACACS server connected to user’s switch. Please check

interface of TACACS server connected to user’s switch before inputting it.

Information

You can register maximum five TACACS servers in SURPASS hiD 6610.

To register port of TACACS server connected to user’s switch, use the following command.

Command Mode Function

login tacacs socket-port port-number Global Registers port of TACACS server connected to user’s switch.

To delete registered TACACS server, use the following command.

Command Mode Function

login tacacs server del ip-address Global Deletes registered TACACS server.

(2) Configuring the Priority for TACACS server

It is possible to configure up to 5 TACACS servers in hiD 6610. In the case of multiple TACACS servers, you can give a priority to the servers. The server with the higher priority is used first. The smaller the number, the higher the priority.

Command Mode Function

login tacacs server move ip-address priority Global Gives the priority for configured TACACS server.


Information

The priority is configured from 1 to 5.

(3) Selecting Authorization Type

When you configure TACACS+ for authentication, you need to select authorization type of TACACS+.

To select authorization type of TACACS+, use the following command.

Command Mode Function

login tacacs auth-type {ascii | pap | chap} Global Selects authorization type of TACACS+.

pap stands for Password Authentication Protocol and chap stands for Challenge Handshake

Authentication Protocol.

Information

The default is “ascii” type of TACACS+ in SURPASS hiD 6610.

(4) Configuring Timeout of Response

In SURPASS hiD 6610, the number of seconds that the switch waits for a response from TACACS

server is configured. User can configure it for convenience. To configure timeout of response, use the
following command.

Command Mode Function

login tacacs timeout time Global Configures the number of seconds that the switch waits for a response from TACACS server.

Information

It is possible to configure the response time from 1 to 100 seconds.

Information

The default is five seconds.


(5) Configuring Client Priority

It is possible to configure the priority of a client’s right to use the server according to the configuration of the TACACS server authorization method. This priority is not used in SURPASS hiD 6610 itself but in the TACACS server the user connects to. To configure the priority of a client’s right to use the server, use the following command.

Command Mode Function

login tacacs priority-level {max | min | root | user} Global Configures priority of client’s right to use TACACS server.

Comparatively speaking, the priority is “max = root >user >min” in order.

4.5.7 Recording User’s Configuration

When user configures RADIUS or TACACS+ for system authentication, the system records specific

services user has taken. Through this function, it is possible to apply billing policy to specific service.

To enable this function, use the following command.

Command Mode Function

login accounting-mode {none | start | stop | both} Global Applies billing policy to switch.

Information

“start” sets the standard on user’s login and “stop” sets the standard on user’s logout. “both” takes

both of them and “none” releases applied billing policy.

4.5.8 Sample Configuration

[Sample Configuration 1] Configuring RADIUS server

The following is an example of configuring the authorization method in SURPASS hiD 6610. RADIUS is added to the default method for clients connecting through console and telnet. Priority is given to RADIUS for clients connecting through console and to the default method for clients connecting through telnet. The example also registers a RADIUS server and then configures the frequency of retransmit and the timeout of response. Finally, the configuration is confirmed.


SWITCH(config)# user add user test1
Changing password for user
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password:vertex
Re-enter new password:vertex
Password changed.
SWITCH(config)# login local radius enable
SWITCH(config)# login remote radius enable
SWITCH(config)# login local radius primary
SWITCH(config)# login remote host primary
SWITCH(config)# login radius server add 100.1.1.1 1
SWITCH(config)# login radius retransmit 5
SWITCH(config)# login radius timeout 10
SWITCH(config)# show login
[AUTHEN]
Local login : radius host
Displayed according to priority.
Remote login : host radius
Accounting mode : both
------------------------------------
[HOST]
maximum_login_counts : 8

------------------------------------
[RADIUS]
<Radius Servers & Key>
100.1.1.1 1

Radius Retries : 5
Radius Timeout : 10
Radius Interface : default
------------------------------------
[TACACS]
<Tacacs Servers & Key>

Tacacs Timeout : 3
Tacacs Socket Port : 49
Tacacs Interface : default
Tacacs PPP Id : 1
Tacacs Authen Type : ASCII
Tacacs Priority Level : MIN
SWITCH(config)#

[Sample Configuration 2] Configuring TACACS+ server


The following is an example of configuring authorization method as TACACS+.

SWITCH(config)# user add user test1
Changing password for user
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password:vertex
Re-enter new password:vertex
Password changed.
SWITCH(config)# login local tacacs enable
SWITCH(config)# login remote tacacs enable
SWITCH(config)# login local tacacs primary
SWITCH(config)# login remote tacacs primary
SWITCH(config)# login tacacs server add 200.1.1.1 1
SWITCH(config)# login tacacs interface br1
SWITCH(config)# login tacacs socket-port 1
SWITCH(config)# login tacacs auth-type pap
SWITCH(config)# login tacacs timeout 10
SWITCH(config)# login tacacs priority-level root
SWITCH(config)# show login
[AUTHEN]
Local login : tacacs host
Displayed according to the priority
Remote login : tacacs host
Accounting mode : both
------------------------------------
[HOST]
maximum_login_counts : 8

------------------------------------
[RADIUS]
<Radius Servers & Key>

Radius Retries : 3
Radius Timeout : 3
Radius Interface : default
------------------------------------
[TACACS]
<Tacacs Servers & Key>
200.1.1.1 1

Tacacs Timeout : 10
Tacacs Socket Port : 1
Tacacs Interface : default
Tacacs PPP Id : 1
Tacacs Authen Type : PAP
Tacacs Priority Level : MAX(ROOT)
SWITCH(config)#
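The show login output above lists every registered server together with its key, so a saved capture can be reviewed offline against a local policy. The following is an added example, not part of the manual or the switch software; the function names and the minimum key length are assumptions, and the value 49 is the Tacacs Socket Port printed in Sample Configuration 1.

```python
import re

MIN_SECRET_LEN = 16         # assumption: local policy value, not taken from the manual
TACACS_DEFAULT_PORT = "49"  # "Tacacs Socket Port" printed in Sample Configuration 1

# The "show login" output of Sample Configuration 2, without the callout line.
SAMPLE_SHOW_LOGIN = """\
[AUTHEN]
Local login : tacacs host
Remote login : tacacs host
Accounting mode : both
------------------------------------
[HOST]
maximum_login_counts : 8

------------------------------------
[RADIUS]
<Radius Servers & Key>

Radius Retries : 3
Radius Timeout : 3
Radius Interface : default
------------------------------------
[TACACS]
<Tacacs Servers & Key>
200.1.1.1 1

Tacacs Timeout : 10
Tacacs Socket Port : 1
Tacacs Interface : default
Tacacs PPP Id : 1
Tacacs Authen Type : PAP
Tacacs Priority Level : MAX(ROOT)
"""


def parse_show_login(text):
    """Return {"settings": {name: value}, "servers": {"RADIUS": [...], "TACACS": [...]}}."""
    cfg = {"settings": {}, "servers": {"RADIUS": [], "TACACS": []}}
    section, in_servers = None, False
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, in_servers = header.group(1), False
        elif line.startswith("<") and line.endswith(">"):
            in_servers = True            # "<Radius Servers & Key>" opens the server list
        elif " : " in line:
            name, _, value = line.partition(" : ")
            cfg["settings"][name.strip()] = value.strip()
            in_servers = False
        elif in_servers and line and not line.startswith("-") and section in cfg["servers"]:
            address, _, secret = line.partition(" ")
            cfg["servers"][section].append((address, secret.strip()))
    return cfg


def audit_login(cfg):
    """Return findings as strings; shared keys are never echoed, only their length."""
    settings, servers = cfg["settings"], cfg["servers"]
    findings = []
    for path in ("Local login", "Remote login"):
        for method in settings.get(path, "").split():
            if method.upper() in servers and not servers[method.upper()]:
                findings.append(f"{path}: {method} is enabled but no server is registered")
    for kind, entries in servers.items():
        for address, secret in entries:
            if len(secret) < MIN_SECRET_LEN:
                findings.append(f"{kind} server {address}: shared key has "
                                f"{len(secret)} character(s), policy minimum {MIN_SECRET_LEN}")
    port = settings.get("Tacacs Socket Port")
    if servers["TACACS"] and port != TACACS_DEFAULT_PORT:
        findings.append(f"TACACS socket port is {port}, not {TACACS_DEFAULT_PORT}: "
                        "confirm the server listens on it")
    if settings.get("Accounting mode") == "none":
        findings.append("Accounting mode is none: no login/logout accounting is applied")
    return findings


if __name__ == "__main__":
    for finding in audit_login(parse_show_login(SAMPLE_SHOW_LOGIN)):
        print("-", finding)
```
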


5. Port Basic Configuration

You can configure the basic environment of a SURPASS hiD 6610 port, such as auto-negotiation, transmit rate and flow control. This chapter also includes instructions on how to configure port mirroring and the basic settings of a port.

5.1 Port Basic Configuration

It is possible to configure the default environment of a port, such as port state and speed. To configure a port, you need to enter Bridge configuration mode by using the bridge command in configuration mode.

When you enter Bridge configuration mode, the system prompt changes from SWITCH(config)# to SWITCH(bridge)#.

Command Mode Function

bridge Global Enters into Bridge configuration mode.

The following is an example of entering into Bridge configuration mode.

SWITCH(config)# bridge
SWITCH(bridge)#

◆ SURPASS hiD 6610 Port Default Configuration

Detail Default Configuration

Port State Available

Auto-negotiate On( except 100BASE-FX )

Duplex mode Full duplex mode

Flow Control Off

STP For VLAN 1

VLAN default


To view the configuration of user’s switch port, use the following command.

Command Mode Function

show port port-number Enable/Global/Bridge Shows port configuration.

When you use the show port command, if you input letters at port-number, the message “%Invalid port: port” will be displayed, and if you input a wrong number, the message “%Invalid range: 100 [1-32]” will be displayed.

SWITCH(bridge)# show port port
%Invalid port: port
SWITCH(bridge)# show port 100
%Invalid range: 100 [1-32]
SWITCH(bridge)#

Information

On CLI command mode, you can use “,” and “-” at port-number to choose several ports.

You can configure the below functions about port basic configuration.

□ Activating Port

□ Auto negotiation

□ Port Transmit Rate

□ Duplex Mode

□ Flow Control

□ Description of Port

□ Viewing Port Statistics

□ Initializing Port Statistics

5.1.1 Activating Port

To activate port or deactivate port, use the following commands.

Command Mode Function

port enable port-number Bridge Activates port.

port disable port-number Bridge Deactivates port.


Information

By default, all ports are logically activated.

The following is an example of deactivating Ethernet port 1 and confirming it.

SWITCH(bridge)# show port 1
-------------------------------------------------------------------
NO TYPE PVID STATUS MODE FLOWCTRL INSTALLED
(ADMIN/OPER)
-------------------------------------------------------------------
1: Ethernet 1 Up/Up Auto/Full/100 Off Y
SWITCH(bridge)# port disable 1
SWITCH(bridge)# show port 1
-------------------------------------------------------------------
NO TYPE PVID STATUS MODE FLOWCTRL INSTALLED
(ADMIN/OPER)
-------------------------------------------------------------------
1: Ethernet 1 Down/Down Auto/Full/100 Off Y
SWITCH(bridge)#

5.1.2 Configuring Auto-nego

You can configure auto-negotiation for a port so that it automatically matches the transmission speed and the duplex mode of the attached device.

To set whether the speed and duplex mode are auto-negotiated, use the following commands in Bridge configuration mode.

Command Mode Function

port nego port-number on Bridge Sets the port to auto-negotiate.

port nego port-number off Bridge Deletes auto-negotiate.

Information

By default, auto-nego is activated.


The following is an example of deleting auto-negotiate of port 1 and 2 and confirming it.

SWITCH(bridge)# show port 1-2
-------------------------------------------------------------------
NO TYPE PVID STATUS MODE FLOWCTRL INSTALLED
(ADMIN/OPER)
-------------------------------------------------------------------
1: Ethernet 1 Up/Down Auto/Half/100 Off Y
2: Ethernet 1 Up/Down Auto/Half/100 Off Y
SWITCH(bridge)# port nego 1-2 off
SWITCH(bridge)# show port 1-2
-------------------------------------------------------------------
NO TYPE PVID STATUS MODE FLOWCTRL INSTALLED
(ADMIN/OPER)
-------------------------------------------------------------------
1: Ethernet 1 Up/Down Force/Half/100 Off Y
2: Ethernet 1 Up/Down Force/Half/100 Off Y
SWITCH(bridge)#

Note

In case of FX port module, you don’t have to use Auto-nego function.

Note

To support Auto MDIX, you need to configure auto-nego as “on.”

5.1.3 Port Transmit Rate

It is possible to configure transmit rate of each port. To configure transmit rate of port, use the following

command.

Command Mode Function

port speed port-number {10 | 100 | 1000} Bridge Configure transmit rate of port as 10, 100, or 1000Mbps.


The following is an example of configuring transmit rate of port 1 as 10Mbps and confirming it.

SWITCH(bridge)# show port 1
-------------------------------------------------------------------
NO TYPE PVID STATUS MODE FLOWCTRL INSTALLED
(ADMIN/OPER)
-------------------------------------------------------------------
1: Ethernet 1 Up/Up Force/Half/100 Off Y
SWITCH(bridge)# port speed 1 10
SWITCH(bridge)# show port 1
-------------------------------------------------------------------
NO TYPE PVID STATUS MODE FLOWCTRL INSTALLED
(ADMIN/OPER)
-------------------------------------------------------------------
1: Ethernet 1 Up/Up Force/Half/10 Off Y
SWITCH(bridge)#

Note

It is impossible to configure transmit rate of 1000BASE-X Gigabit port.

5.1.4 Duplex Mode

In half duplex mode, communication is possible in only one direction at a time, while full duplex mode allows bi-directional communication, transmitting packets both ways. By transmitting packets both ways, Ethernet bandwidth is doubled: 10Mbps to 20Mbps, 100Mbps to 200Mbps.

To configure duplex mode of 10/100BaseTx Ethernet port, use the following command.

Command Mode Function

port duplex port-number {full | half} Bridge Configures duplex mode of port.

Note

When auto-nego is activated, it is impossible to change transmit rate.


The following is an example of configuring duplex mode of port 2 as half mode and confirming it.

SWITCH(bridge)# show port 1
-------------------------------------------------------------------
NO TYPE PVID STATUS MODE FLOWCTRL INSTALLED
(ADMIN/OPER)
-------------------------------------------------------------------
1: Ethernet 1 Up/Up Force/Full/100 Off Y
SWITCH(bridge)# port duplex 1 half
SWITCH(bridge)# show port 1
-------------------------------------------------------------------
NO TYPE PVID STATUS MODE FLOWCTRL INSTALLED
(ADMIN/OPER)
-------------------------------------------------------------------
1: Ethernet 1 Up/Up Force/Half/100 Off Y
SWITCH(bridge)#

Information

Before connecting the link, the port of hiD 6610 is basically configured as 「Half duplex mode」.

Note

100BASE-FX Ethernet and 1000BASE-X Gigabit Ethernet can be configured as full duplex. User of

100BASE-FX Ethernet and 1000BASE-X Gigabit Ethernet cannot change the mode.

5.1.5 Configuring Flow Control

Ethernet ports on the switches use flow control to restrain the transmission of packets to the port for a

period of time. Typically, if the receive buffer becomes full, the port transmits a "pause" packet that tells

remote ports to delay sending more packets for a specified period of time. In addition, the Ethernet ports

can receive and act upon "pause" packets from other devices. To configure flow control on the Ethernet

port, use the following command.

Command Mode Function

port flow-control port-number {on | off} Bridge Configures flow control.

Information

By default, Flow-control is set to “off”.


The following is an example of configuring flow control to port 1.

SWITCH(bridge)# port flow-control 1 off
SWITCH(bridge)# show port 1
-------------------------------------------------------------------
NO TYPE PVID STATUS MODE FLOWCTRL INSTALLED
(ADMIN/OPER)
-------------------------------------------------------------------
1: Ethernet 1 Up/Down Auto/Full/1000 Off Y
SWITCH(bridge)#

5.1.6 Description of port

For user’s reference, you can make description for each port.

To write port description, use the following command.

Command Mode Function

port description port-number description Bridge Makes description of each port.

To view description of port, use the following command.

Command Mode Function

show port description [port_number] Enable/Global/Bridge/Interface Shows description of one port or more.

The following is an example of making description of port 1 and viewing it.

SWITCH(bridge)# port description 1 test1
SWITCH(bridge)# show port description 1
------------------------------------------------------------
NO TYPE STATE LINK DESCRIPTION
(ADM/OPR)
------------------------------------------------------------
1 Unknown Up/Down 0HDX test1
SWITCH(bridge)#


To delete port description, use the following command.

Command Mode Function

no port description port-number Bridge Deletes description of specified port.

5.1.7 Viewing Port Statistics

To display traffic average of each port or interface MIB, RMON MIB data defined in SNMP MIB, use the

following commands.

Command Mode Function

show port statistics avg-pkt [port-number] Enable/Global Shows traffic average of specified port.

show port statistics interface [port-number] Enable/Global Shows MIB data of specified port.

show port statistics rmon [port-number] Enable/Global Shows RMON MIB data of specified port.

The following is an example of viewing traffic average of port 13.

SWITCH# show port statistics avg-pkt 13
=============================================================================
Port | Tx | Rx
-----------------------------------------------------------------------------
Time | pkts/s | bytes/s | bits/s | pkts/s | bytes/s | bits/s
=============================================================================
port 13 ---------------------------------------------------------------------
5 sec: 0 0 0 10 1926 15,408
1 min: 0 0 0 8 2094 16,752
10 min: 0 0 0 9 2037 16,296
SWITCH#


The following is an example of viewing interface MIB data of port 13.

SWITCH(config)# show port statistics interface 13
ifDescr port 13-TX-10/100
ifType 6
ifMtu 1500
ifPhysAddress 00:d0:cb:0d:00:12
UP
ifAdminStatus UP
ifOperStatus 341089087
ifInOctets 5246410
ifInUcastPkts 19472
ifInNUcastPkts 0
ifInDiscards 0
ifInErrors 0
ifInUnknownProtos 0
ifOutOctets 0
ifOutUcastPkts 0
ifOutNUcastPkts 0
ifOutDiscards 0
ifOutErrors 0
ifSpecific
SWITCH(config)#

The following is an example of viewing RMON MIB data of port 13.

SWITCH(config)# show port statistics rmon 13
Port 13 ethernet
etherStatsDropEvents 172
etherStatsOctets 6479316
etherStatsPkts 63187
etherStatsBroadcastPkts 56513
etherStatsMulticastPkts 5479
etherStatsCRCAlignErrors 0
etherStatsUndersizePkts 0
etherStatsOversizePkts 0
etherStatsFragments 0
etherStatsJabbers 0
etherStatsCollisions 0
etherStatsPkts64Octets 44362
etherStatsPkts65to127Octets 6024
etherStatsPkts128to255Octets 12315
etherStatsPkts256to511Octets 468
etherStatsPkts512to1023Octets 19
etherStatsPkts1024to1518Octets 0
SWITCH(config)#


5.1.8 Initializing Port Statistics

To clear all recorded statistics of a port and initialize them, use the following command. You can initialize the statistics of all ports or of specific ports.

Command Mode Function

clear port statistics {port-number | all} Global Initializes port statistics. It is possible to select several ports.

5.2 Port Mirroring

Port mirroring is the function of monitoring a designated port. Here, the port that monitors is called the “monitor port” and a port to be monitored is called a “mirrored port”. Traffic transmitted from a mirrored port is copied and sent to the monitor port so that the user can monitor network traffic.

The following is a network structure for analyzing traffic by configuring port mirroring. Traffic on the switch and the network status are analyzed by configuring the Mirrored port and Monitor port and connecting a computer on which the watch program is installed to the port configured as Monitor port.

【 Figure 5-1 】Port Mirroring (diagram: traffic transmitted from Mirrored ports 1, 2 and 3 of the SURPASS hiD 6610 is copied for monitoring)


To configure port mirroring in hiD 6610, designate the Mirrored port and the Monitor port and enable the port mirroring function. The Monitor port should be connected to a PC on which the Watch program is installed. You can designate only one Monitor port but many Mirrored ports for one switch.

5.2.1 Assigning Monitor Port and Mirrored Port

You should assign monitor port and mirrored port, and then you can configure Port-mirroring. To assign

monitor port and mirrored port, use the following command.

Command Mode Function

mirror add port-number [ingress | egress] Bridge Configures mirrored port.

mirror monitor {port-number | cpu} Bridge Configures monitor port or CPU.

Information

To configure over 2 Mirrored ports, you can input the port-number using 「,」or「-」.

Ex) SWITCH(bridge)# mirror add 1,2,3 or SWITCH(bridge)# mirror add 1-3

Note

If CPU is monitoring the traffic on Mirrored port, it can cause CPU overloads.

To delete mirroring group, use the following command.

Command Mode Function

mirror del port-number [ingress | egress] Bridge Deletes mirrored port.

5.2.2 Enabling Port Mirroring

To use port mirroring function, you should enable port mirroring first. To enable port mirroring, use the

following command.

Command Mode Function

mirror enable Bridge Enables port mirroring.


Also, you have to disable port mirroring to release it. To do it, use the following command.

Command Mode Function

mirror disable Bridge Disables port mirroring.

Note

You should delete the Mirrored port or disable port mirroring after analyzing the data. Using the mirroring function for too long can cause CPU overload, so that packet processing is delayed.

5.2.3 Confirming Configuration of Port Mirroring

To check the configuration of port mirroring, use the following command.

Command Mode Function

show mirror Enable/Global/Bridge Shows configuration of port mirroring.

5.2.4 Sample Configuration

[Sample Configuration 1] Configuring monitoring through port

The following is to configure to monitor 2,3,4,5 ports from port number 1.

Step 1 Connect the PC on which the Watch program is installed to port number 1, which will be the Monitor port.

Step 2 Configure port number 1 as Monitor port and port number 2,3,4,5 as Mirroring ports.

SWITCH(bridge)# mirror monitor 1
SWITCH(bridge)# mirror add 2
SWITCH(bridge)# mirror add 3-5
SWITCH(bridge)#

Step 3 Enable Mirroring function.

SWITCH(bridge)# mirror enable
SWITCH(bridge)#


Step 4 Check port mirroring configuration.

SWITCH(bridge)# show mirror
Mirroring enabled
Monitor port = 1

Ingress mirrored ports


-- 02 03 04 05 -- -- -- -- -- -- -- -- -- -- -- -- --

Egress mirrored ports


-- 02 03 04 05 -- -- -- -- -- -- -- -- -- -- -- -- --

SWITCH(bridge)#

[Sample Configuration 2] Configuring monitoring through CPU

The following configures the CPU to monitor ports 2, 3, 4, and 5.

Step 1 Configure ports 2, 3, 4, and 5 as Mirroring ports and monitor them by CPU.

SWITCH(bridge)# mirror monitor cpu
SWITCH(bridge)# mirror add 2-5
SWITCH(bridge)#

Step 2 Enable mirroring function.

SWITCH(bridge)# mirror enable
SWITCH(bridge)#

Step 3 Check the port mirroring configuration.

SWITCH(bridge)# show mirror
Mirroring enabled
Monitor port = cpu

Ingress mirrored ports
-- 02 03 04 05 -- -- -- -- -- -- -- -- -- -- -- -- --

Egress mirrored ports
-- 02 03 04 05 -- -- -- -- -- -- -- -- -- -- -- -- --

SWITCH(bridge)#
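
The Note in 5.2.2 asks for mirrored ports to be deleted or mirroring to be disabled once analysis is finished. The following Python code is an added example, not part of the original manual or the switch software: it parses "show mirror" output in the format shown in the sample configurations, reports a mirroring session that is still open, and lists the "mirror del" and "mirror disable" commands that close it. The function names, the treatment of any status other than "Mirroring enabled" as off, and the assumption that "mirror del" without a direction removes both directions are assumptions of this example.

```python
# Added example: audit `show mirror` output and build the cleanup commands.

# The `show mirror` output from Sample Configuration 2, embedded as test input.
SAMPLE_SHOW_MIRROR = """\
SWITCH(bridge)# show mirror
Mirroring enabled
Monitor port = cpu

Ingress mirrored ports

-- 02 03 04 05 -- -- -- -- -- -- -- -- -- -- -- -- --

Egress mirrored ports

-- 02 03 04 05 -- -- -- -- -- -- -- -- -- -- -- -- --

SWITCH(bridge)#
"""


def parse_show_mirror(text):
    """Parse `show mirror` output into a dict of state.

    Assumption: any status line other than "Mirroring enabled" means mirroring
    is off, because the manual only shows the enabled form.
    """
    state = {"enabled": False, "monitor": None, "ingress": [], "egress": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        low = line.lower()
        if not line or "#" in line:            # blank line or CLI prompt/echo
            continue
        if low.startswith("mirroring"):
            state["enabled"] = (low == "mirroring enabled")
        elif low.startswith("monitor port"):
            state["monitor"] = line.partition("=")[2].strip() or None
        elif low.startswith("ingress mirrored"):
            section = "ingress"
        elif low.startswith("egress mirrored"):
            section = "egress"
        elif section and all(t == "--" or t.isdigit() for t in line.split()):
            # Port map row: "--" is an unmirrored slot, digits are a mirrored port.
            state[section] += [int(t) for t in line.split() if t.isdigit()]
    return state


def audit(state):
    """Return findings for a switch that should have no capture session open."""
    findings = []
    ports = sorted(set(state["ingress"]) | set(state["egress"]))
    if state["enabled"] and ports:
        findings.append("mirroring is enabled for ports %s; monitor port = %s"
                        % (",".join(map(str, ports)), state["monitor"]))
    elif ports:
        findings.append("mirroring is disabled but ports %s are still registered"
                        % ",".join(map(str, ports)))
    if state["enabled"] and state["monitor"] == "cpu":
        findings.append("mirrored traffic is delivered to the switch CPU")
    return findings


def cleanup_commands(state):
    """Commands (Bridge mode) that remove every mirrored port, then disable.

    Assumption: `mirror del <port>` without ingress/egress removes the port in
    both directions.
    """
    ports = sorted(set(state["ingress"]) | set(state["egress"]))
    cmds = ["mirror del %d" % p for p in ports]
    if state["enabled"]:
        cmds.append("mirror disable")
    return cmds


if __name__ == "__main__":
    st = parse_show_mirror(SAMPLE_SHOW_MIRROR)
    for finding in audit(st):
        print("FINDING:", finding)
    for cmd in cleanup_commands(st):
        print("SWITCH(bridge)#", cmd)
```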


6. System Environment

This chapter explains how to configure the host name and time of the system and how to manage the system.

It contains the following sections.

■ Environment Configuration

■ Configuration Management

■ System Check

6.1 Environment Configuration

User must configure the following items.

□ Host name
□ Date and Time

□ Time-zone

□ NTP

□ SNTP

□ Output Condition of Terminal Screen

□ DNS Server

□ Log-in Banner

□ Fan Operation

6.1.1 Host Name

The host name displayed in the prompt is necessary to distinguish each device connected to the network. To configure or change the host name of the switch, use the “hostname” command in Global configuration mode.

Command Mode Function

hostname name Global Configures host name of switch with new name user assigns.


Information

The variable “name” that follows the command is the new switch name the user assigns. The default is “SWITCH”.

The following is an example of changing hostname to “hiD6610”.

SWITCH(config)# hostname hiD6610
hiD6610(config)#

To delete the hostname, use the following command.

Command Mode Function

no hostname name Global Deletes the configured host name.

6.1.2 Date and Time

To configure or change the time and date of the switch, use the “clock” command in Privilege Exec Enable Mode.

Command Mode Function

clock MMDDhhmmYYYY Enable/Global Configures or changes the time and date of the switch.

The variable “MMDDhhmmYYYY” that you enter after the command means “Month-Day-Hour-Minute-Year”.

The following is an example of setting the clock to December 13, 2002, 04:14 PM.

SWITCH# clock 121316142002
Fri Dec 13 16:14:00 UTC 2002
SWITCH#

To view configured date and time, use the following command.

Command Mode Function

show clock Enable/Global Shows configured date and time.


6.1.3 Time-zone

You can configure the Time-zone of the SURPASS hiD 6610 with the following command. Time-zones are classified as GMT, UCT, and UTC.

To see which Time-zones you can configure, use the “show time-zone” command. The Time-zone is predefined as UTC (Universal Coordinated Time) in the factory configuration.

Command Mode Function

show time-zone Enable/Global Shows the kinds of Time-zone.

Information

The command “show time-zone” only displays the kinds of Time-zone. To verify the configured Time-zone, use the command “show clock”.

The following table shows the Time-zones that can be configured on the switch and the main countries or areas that belong to each Time-zone.

【 Table 5-1 】 GMT Time

Time-zone  Country            Time-zone  Country          Time-zone  Country
GMT-12     Eniwetok           GMT-3      Rio De Janeiro   GMT+6      Rangoon
GMT-11     Samoa              GMT-2      Maryland         GMT+7      Bangkok, Singapore
GMT-10     Hawaii, Honolulu   GMT-1      Azores           GMT+8      Hong Kong, Peking
GMT-9      Alaska             GMT+0      London, Lisbon   GMT+9      Seoul, Tokyo
GMT-8      LA, Seattle        GMT+1      Berlin, Rome     GMT+10     Sydney, Melbourne
GMT-7      Denver             GMT+2      Cairo, Athens    GMT+11     Okhotsk
GMT-6      Chicago, Dallas    GMT+3      Moscow           GMT+12     Wellington
GMT-5      New York, Miami    GMT+4      Teheran
GMT-4      George Town        GMT+5      New Delhi


To configure time-zone, use the following command.

Command Mode Function

time-zone time-zone Global Configures or modifies the current Time-zone on the Switch.

Information

The default is UCT(Universal Coordinated Time).

To verify configuration about Time-zone, use the following command.

Command Mode Function

show clock Enable/Global Shows user’s configuration about date/time and Time-zone.

The following is an example of configuring Time-zone as Seoul and viewing the configuration.

SWITCH(config)# time-zone GMT+9
SWITCH(config)# clock 121316142002
Fri, 13 Dec 2002 16:14:10 GMT+0900
SWITCH(config)# show clock
Fri, 13 Dec 2002 16:14:10 GMT+0900
SWITCH(config)#

6.1.4 NTP

NTP (Network Time Protocol) can be used to set the switch clock to within 1/1000 of a second to guarantee exact time on the network. The switch and the NTP server constantly exchange messages to converge on the correct time. It is very important to configure the exact time on the switch so that the switch operates properly. Details about NTP are given in STD and RFC 1119. To configure NTP on the switch, use the following commands.

Command Mode Function

ntp server 1 [server 2] [server 3] Global Specifies the IP address of the NTP server. Up to three servers can be specified.

ntp start Global Runs NTP.


Both public and private NTP servers can be used, and the NTP server can be entered as a domain name or an IP address. In Korea, 「time.nuri.net」 is used; its IP address is 「203.255.112.96」.

To release NTP function, use the following command.

Command Mode Function

no ntp Global Releases NTP function.

To verify the NTP function, use the following command.

Command Mode Function

show ntp Enable/Global Verifies NTP function.

The following is an example of configuring 203.255.112.96 as NTP server, running it and confirming it.

SWITCH(config)# ntp 203.255.112.96
SWITCH(config)# ntp start
SWITCH(config)# show ntp
ntp started
ntp server 203.255.112.96
SWITCH(config)#

The following is an example of releasing NTP and confirming it.

SWITCH(config)# no ntp
SWITCH(config)# show ntp
ntp stoped
SWITCH(config)#

6.1.5 SNTP

NTP (Network Time Protocol) and SNTP (Simple Network Time Protocol) are the same TCP/IP protocol in that both use the same UDP time packet from the Ethernet Time Server to compute accurate time. The basic difference between the two protocols is the algorithm used by the client in the client/server relationship.


The NTP algorithm is much more complicated than the SNTP algorithm. NTP normally uses multiple time servers to verify the time and then controls the rate of adjustment, or slew rate, of the PC, which provides a very high degree of accuracy. The algorithm determines whether the values are accurate by identifying time servers that don't agree with the other time servers. It then speeds up or slows down the PC's drift rate so that the PC's time is always correct and there won't be any subsequent time jumps after the initial correction. Unlike NTP, SNTP usually uses just one Ethernet Time Server to calculate the time and then "jumps" the system time to the calculated time. It can, however, have back-up Ethernet Time Servers in case one is not available.
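
The difference described above can be shown with the timestamp arithmetic that both protocols share. The following Python code is an added example, not taken from the manual or the switch software: it computes the clock offset from the four timestamps of a time exchange, then contrasts an SNTP-style client, which jumps to the first server that answers, with an NTP-style client, which discards the server that disagrees with the others and absorbs the offset by slewing. The server addresses, the timestamps, the 50 ms agreement tolerance, the 500 ppm slew limit, and the median test (a simplified stand-in for NTP's real selection algorithm) are assumptions of this example.

```python
from statistics import median

# Constructed sample exchanges, in seconds. Each tuple holds the four timestamps
# of one request/reply: t1 client transmit, t2 server receive, t3 server
# transmit, t4 client receive. Addresses are documentation addresses (RFC 5737),
# not real time servers. A value of None models a server that did not answer.
SAMPLES = [
    ("192.0.2.10", (1000.000, 1005.005, 1005.006, 1000.011)),  # clock 5 s off
    ("192.0.2.11", (1000.000, 1000.130, 1000.131, 1000.021)),
    ("192.0.2.12", (1000.000, 1000.144, 1000.145, 1000.041)),
]


def offset_and_delay(t1, t2, t3, t4):
    """Clock offset (server minus client) and round-trip delay of one exchange."""
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def sntp_step(samples):
    """SNTP-style: trust the first server that answered and jump by its offset.

    Later entries act only as backups when an earlier server is unavailable.
    """
    for server, stamps in samples:
        if stamps is not None:
            offset, _ = offset_and_delay(*stamps)
            return server, offset
    return None, 0.0


def ntp_select(samples, tolerance=0.050):
    """NTP-style (simplified): drop servers that disagree with the others.

    Real NTP uses interval intersection and clustering; the median test and the
    50 ms tolerance are stand-ins chosen for this example.
    Returns (chosen_server, offset, rejected_servers).
    """
    measured = [(srv, *offset_and_delay(*st)) for srv, st in samples if st is not None]
    if len(measured) < 3:
        # With fewer than three answers, no server can be outvoted.
        survivors, rejected = measured, []
    else:
        mid = median(off for _, off, _ in measured)
        survivors = [m for m in measured if abs(m[1] - mid) <= tolerance]
        rejected = [m[0] for m in measured if abs(m[1] - mid) > tolerance]
    if not survivors:
        # No agreement at all: leave the clock alone.
        return None, 0.0, rejected
    best = min(survivors, key=lambda m: m[2])   # lowest round-trip delay
    return best[0], best[1], rejected


def slew_seconds(offset, max_rate_ppm=500.0):
    """Time needed to absorb `offset` by adjusting the clock rate, with no jump.

    The 500 ppm rate limit is an assumption of this example.
    """
    return abs(offset) / (max_rate_ppm * 1e-6)


if __name__ == "__main__":
    server, jump = sntp_step(SAMPLES)
    print("SNTP-style: step clock by %+.3f s using %s" % (jump, server))
    server, offset, rejected = ntp_select(SAMPLES)
    print("NTP-style: rejected %s, slew %+.3f s over %.0f s using %s"
          % (rejected, offset, slew_seconds(offset), server))
```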

To configure the switch in SNTP, use the following commands.

Command Mode Function

sntp server 1 [server 2] [server 3] Global Specifies the IP address of the SNTP server. Up to three servers can be specified.

sntp start Global Runs SNTP.

show sntp Enable/Global Shows SNTP configuration.

The following is to register SNTP server as 203.255.112.96 and enable it.

SWITCH(config)# sntp 203.255.112.96
SWITCH(config)# sntp start
SWITCH(config)# show sntp
==========================
sntpd is running.
==========================
Time Servers
--------------------------
1st : 203.255.112.96
==========================
SWITCH(config)#

Information

You can configure up to 3 servers so that the second and third servers serve as backups in case the first server is down.


In order to disable SNTP function, use the following command.

Command Mode Function

no sntp Global Disables SNTP function.

6.1.6 Output Condition of Terminal Screen

By default, SURPASS hiD 6610 is configured to display 24 lines of 80 characters each on the console terminal screen. The user can change the number of displayed lines by using the command, line. A maximum of 512 lines can be displayed.

To configure the number of displayed lines on the terminal screen, use the following command in Privilege Exec Enable Mode.

Command Mode Function

terminal length <0~512> View/Enable Configures the number of displayed lines on terminal screen.

Information

The maximum number of lines is 512.

The following is an example of configuring the number of displayed lines in terminal screen as 20 lines.

SWITCH# terminal line 20
SWITCH#

To disable the configuration for terminal length, use the following command.

Command Mode Function

no terminal length View/Enable Disables the configuration for the number of displayed lines on terminal screen.


6.1.7 DNS Server

In SURPASS hiD 6610, it is possible to use a hostname or URL instead of an IP address with the telnet, ftp, tftp, and ping commands. To do that, you should register a DNS server. To register a DNS server, use the following command.

Command Mode Function

dns server server-ip-address Global Registers DNS server in switch.

After you register the DNS server with the above command, the DNS server is connected to the network. Then you can use a hostname or URL instead of an IP address with commands such as telnet, ftp, tftp, and ping.

Note

To support this function, SURPASS hiD 6610 and DNS server should be connected to network.

To delete DNS server, use the following command.

Command Mode Function

no dns server server-ip-address Global Deletes DNS server in switch.

To view registered DNS server, use the following command.

Command Mode Function

show dns Enable/Global Shows registered DNS server in switch.

The following is an example of registering 168.126.63.1 as DNS server and checking it.

SWITCH(config)# dns server 168.126.63.1
SWITCH(config)# show dns
nameserver 168.126.63.1
SWITCH(config)#

Information

The above example is just for your reference. In a real configuration, you must input the DNS server you are going to use.


The following is an example of taking ping test with domain name after registering DNS server.

SWITCH# ping da-san.com
PING da-san.com (203.236.124.3) from 203.236.124.248 : 56(84) bytes of data.
64 bytes from 203.236.124.3: icmp_seq=0 ttl=254 time=0.4 ms
64 bytes from 203.236.124.3: icmp_seq=1 ttl=254 time=0.3 ms
64 bytes from 203.236.124.3: icmp_seq=2 ttl=254 time=0.3 ms
64 bytes from 203.236.124.3: icmp_seq=3 ttl=254 time=0.3 ms
64 bytes from 203.236.124.3: icmp_seq=4 ttl=254 time=0.3 ms
64 bytes from 203.236.124.3: icmp_seq=5 ttl=254 time=0.2 ms
64 bytes from 203.236.124.3: icmp_seq=6 ttl=254 time=0.3 ms

--- da-san.com ping statistics ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.3/0.4 ms
SWITCH#

In addition, when you register a specific domain name, you can use a hostname in that domain instead of an IP address with commands such as telnet, ftp, tftp, and ping.

[Figure labels: SURPASS hiD 6610; Domain name server; Domain name - A; Host A, Host B, Host C, Host D]

【 Figure 6-1 】Domain Name Server

In the above example, after domain name “A” is registered in hiD 6610, it is possible to use hostname
instead of IP address to use the commands such as telnet, ftp, tftp, and ping.


To register specific domain name in switch, use the following command.

Command Mode Function

dns search domain-name Global Registers specified domain name.

Note

To support this function, SURPASS hiD 6610 and DNS server should be connected to network.

The following is an example of inputting a hostname instead of an IP address for a ping test to host “B” after registering domain “A”.

SWITCH(config)# dns search A
SWITCH# ping B
PING B.A (192.168.218.10) from 192.168.218.248 : 56(84) bytes of data.
64 bytes from 192.168.218.10: icmp_seq=0 ttl=127 time=0.6 ms
64 bytes from 192.168.218.10: icmp_seq=1 ttl=127 time=0.3 ms
64 bytes from 192.168.218.10: icmp_seq=2 ttl=127 time=0.3 ms
64 bytes from 192.168.218.10: icmp_seq=3 ttl=127 time=0.3 ms
64 bytes from 192.168.218.10: icmp_seq=4 ttl=127 time=0.3 ms

--- B.A ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.4/0.6 ms
SWITCH#

In the above example, “A” and “B” are just examples. In a real configuration, you should input the actual domain name and hostname instead of A and B.

To delete registered DNS domain name, use the following command.

Command Mode Function

no dns search Global Deletes DNS domain name.

To delete registered DNS server and domain name, use the following command.

Command Mode Function

no dns Global Deletes DNS server and domain name.


6.1.8 Login Banner

It is possible to write a message on the system login page. Through this message, the administrator can leave a message for other users.

To write a message in system login page, use the following command.

Command Mode Function

banner Global Registers the message displayed before logging in to the system.

banner login Global Registers the message displayed after a successful login to the system.

banner login-fail Global Registers the message displayed when a login to the system fails.

To delete login banner in system login page, use the following command.

Command Mode Function

no banner Global Deletes the message displayed before logging in to the system.

no banner login Global Deletes the message displayed after a successful login to the system.

no banner login-fail Global Deletes the message displayed when a login to the system fails.

To view login banner, use the following command.

Command Mode Function

show banner Enable/Global Displays login banner user creates.

[ Sample Configuration 1 ]

The following generates a banner that is displayed before login.

When you use the above command, the following message will be displayed.

SWITCH(config)# banner
Save & Exit : CTRL-D

When you press the Ctrl+D key, you exit to the system prompt.


Write the message you need. When you finish the message, press the Ctrl+D key.

SWITCH(config)# banner
Save & Exit : CTRL-D
do not change the configuration
SWITCH(config)#

When you press the Ctrl+D key after writing a message, you exit to the system prompt.

Then, the banner will be shown before you log in.

SWITCH# exit

do not change the configuration

SWITCH login: admin
Password:
SWITCH>

6.1.9 Fan Operation

In hiD 6610, it is possible to configure fan operation. To configure fan operation, use the following command.

Command Mode Function

fan operation {on|off} Global Configures Fan operation.

In addition, if the fan is on, it is possible to start and stop fan operation at specific temperatures. To operate the fan by temperature, use the following command.

Command Mode Function

threshold fan start-temperature stop-temperature Global Configures the starting and stopping temperature for fan operation.

Information

By default, the starting temperature is 30℃ and stopping temperature is 0℃.

Information

It is possible to configure up to 100℃ for starting temperature and -30℃ for stopping temperature.


Information

The starting temperature should be higher than the stopping temperature.

To check Fan status and the temperature for Fan operation, use the following command.

Command Mode Function

show status fan Enable/Global Checks the Fan status and the temperature for the fan operation.

The following configures the starting temperature as 25℃ and the stopping temperature as 5℃ for fan operation.

SWITCH(config)# threshold fan 25 5
SWITCH(config)# show status fan

Fan A : None
Fan B : None
Fan A-1 : None
Fan A-2 : None
Fan A-3 : None
Fan B-1 : None
Fan B-2 : None
Fan B-3 : None
Fan operation : ON
Fan threshold : Run 25 C / Stop 5 C

SWITCH(config)#

6.2 Configuration Management

The user can check whether the configuration is correct and save it in the system. This section contains the following functions.

□ Checking Switch Configuration

□ Saving Configuration

□ Auto-Saving

□ Reloading

□ Configuration Backup


6.2.1 Checking Switch Configuration

User can view switch configuration. To do it, use the following command.

Command Mode Function

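show running-config Enable/Global/Bridge/Interface/DHCP/DHCP-option82/…etc Shows switch configuration.

show running-config { admin-rule | arp | bridge | dns | full | hostname | login | pm | qos | rmon-alarm | rmon-event | rmon-history | rule | snmp | syslog | time-zone | time_out } Enable/Global/Bridge/Interface/DHCP/DHCP-option82/…etc Shows only the configuration that corresponds to each option.

show running-config interface interface-name Enable/Global/Bridge/Interface/DHCP/DHCP-option82/…etc Shows only the configuration that corresponds to each option.

show running-config router {bgp | ospf | pim | rip | vrrp} Enable/Global/Bridge/Interface/DHCP/DHCP-option82/…etc Shows only the configuration that corresponds to each option.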

The following is to show Syslog configuration.

SWITCH# show running-config syslog
syslog start
syslog output info local volatile
syslog output info local non-volatile
!
SWITCH#

6.2.2 Saving Configuration

After you download a new system image to SURPASS hiD 6610 from a TFTP/FTP server, if the configuration files have changed, you must save the changed file in the flash memory. If you do not save the changed file, the configuration file will be deleted when the switch reboots. To save the configuration files in the flash memory, use the following command.

Command Mode Function

write memory Enable/Global/Bridge/Interface/DHCP/…etc Saves changed configuration in the flash memory.

The following is an example of saving configuration.

SWITCH# write memory
[OK]
SWITCH#


Note

When you store the configuration with this command, wait for the [OK] message without pressing any key.

6.2.3 Auto-Saving

In hiD 6610, it is possible to save the configuration automatically. To save the configuration periodically, use the following command.

Command Mode Function

write interval <0-1440> Global Configures periodic auto-saving of the configuration.

Information

The unit for auto-saving <0-1440> is 10 minutes.

6.2.4 Reloading

The user can delete individual configurations one by one, or reload the switch with the default settings. To reload the switch, use the following command in configuration mode.

Command Mode Function

restore factory-defaults Global Resets to factory defaults.

restore layer2-defaults Global Resets to L2 defaults.

restore layer3-defaults Global Resets to L3 defaults.

Note

After reloading with the command “restore factory-defaults”, you have to reboot the switch to initialize it.

The following is an example of reloading switch.

SWITCH(config)# restore factory-defaults
You have to restart the system to apply the changes
SWITCH(config)#


6.2.5 Configuration Backup

It is possible to save the user’s configuration and use it for data recovery or system operation. To back up the user’s configuration or to use a backup file, use the following commands. The variable “name” is a file name that can be configured by the user.

Command Mode Function

copy running-config {file-name|startup-config} Enable/Global Copies the current configuration with a name configured by user or startup configuration.

copy startup-config file-name Enable/Global Copies startup configuration with a name configured by user.

copy file-name1 file-name2 Enable/Global Copies backup file with another name.

To use back up file using ftp or tftp server, use the following commands.

Command Mode Function

copy {ftp|tftp} config upload {file-name|startup-config} Enable/Global Uploads a file to ftp or tftp server with a name configured by user.

copy {ftp|tftp} config download {file-name|startup-config} Enable/Global Downloads a file from ftp or tftp server with a name configured by user.

copy {ftp|tftp} os upload {os1|os2} Enable/Global Uploads a file to ftp or tftp server with a name of os1 or os2.

copy {ftp|tftp} os download {os1|os2} Enable/Global Downloads a file from ftp or tftp server with a name of os1 or os2.

Note

To access FTP to back up the configuration or use the backup file, you must know the FTP user ID and password.

Information

To back up the configuration or use the file through FTP, you can check the transmission rate of file

because hash on function is automatically


To use backup file, use the following command.

Command Mode Function

copy file-name startup-config Enable/Global Opens backup file named name to use as startup configuration.

Note

To apply back up file to switch, you should reboot the system.

To check starting-up config, use the following command.

Command Mode Function

show startup-config Enable Checks the contents of startup-configuration.

To list backup files, use the following command.

Command Mode Function

show config-list Global Lists backup files.

The following is an example of copying the current configuration with a name and confirming it.

SWITCH(config)# copy running-config SURPASShiD6610
SWITCH(config)# show config-list
=========================
CONFIG-LIST
=========================
SURPASShiD6610
SWITCH(config)#

To delete backup file, use the following command.

Command Mode Function

erase filename Global Deletes backup file.


6.3 System Check

When there is a problem in the switch, the user must find what the problem is and its solution. The user should also always check the switch to prevent trouble. Therefore the user should not only be aware of the switch status but also check whether configurations have been changed correctly.

This section includes the following functions with CLI command.

□ Checking Network Connection

□ IP Source-routing Function

□ Tracing Packet Route

□ Checking Accessed User through Telnet

□ Confirming MAC table

□ Configuring Ageing Time

□ Viewing Running Time of Switch

□ Confirming System Information

□ Checking Average of CPU Utilization

□ Checking CPU Process

□ Viewing Utilization of Memory

□ Viewing Version of System Image

□ Viewing Size of System Image File

□ Checking Installed OS

□ Configuring Default OS

□ Checking Switch Status

□ Checking Tech-support

6.3.1 Checking Network Connection

To check whether the switch is correctly connected to the network, use the ping command. In an IP network, the ping command transmits an ICMP (Internet Control Message Protocol) echo message. ICMP is an internet protocol that notifies fault situations and provides information on the location where an IP packet is received. When the ICMP echo message is received at that location, a reply message is returned to the place it came from.


To operate Ping test to check network status, use the following commands in privileged mode.

Command Mode Function

ping [word] Enable Operate Ping test to check network status.

The following is the basic information needed to operate a Ping test. Input the following items after starting the Ping test in Privilege Exec Enable Mode.

【 Table 6-1 】The basic information to operate ping test

Contents Basic Configuration

Protocol [ip] Supports Ping test. Default is IP.

Target IP address Sends ICMP echo message to the IP address or hostname of the destination in order to check the network status with the destination.

Repeat count [5] Sends ICMP echo message as many times as the count. Default is 5.

Datagram size [100] Ping packet size. Default is 100 bytes.

Timeout in seconds [2] The Ping test is considered successful if the reply returns within the configured time interval. Default is 2 seconds.

Extended commands [n] Shows the additional commands. Default is no.

When a number of IP addresses are configured on the switch, you sometimes need to check the connection between a specific IP address and the network.

To run the Sping test, follow the same process as the Ping test and then input the following items after ‘Extended commands’. This makes it possible to check the connection between a specific IP address and the network.

The following is the information needed to use the Sping test.


Contents Basic Configuration

Source address or interface: Designates the source IP address to which the remote device should respond.

Type of service [0]: The service field of QoS (Quality of Service) in Layer 3 application. It is possible to designate the priority for IP packets.

Set DF bit in IP header? [no] Decides whether the Don’t Fragment (DF) bit is applied to the Ping packet or not. Default is no. If the user chooses ‘yes’, the packet is prevented from being fragmented when it passes through a segment that uses a smaller data unit. Therefore there could be an error message.

Data pattern [0xABCD] Configures data pattern. Default is 0xABCD.

Note

Use “sping” in the case there are a number of IP addresses in user’s switch. It is not necessary for the
switch having only one IP address.

[ Sample configuration 1 ]

The following is an example of Ping test 5 times to check network status with IP address 172.16.1.254.

SWITCH# ping
Protocol [ip]: ip
Target IP address: 172.16.1.254
Repeat count [5]: 5
Datagram size [100]: 100
Timeout in seconds [2]: 2
Extended commands [n]: n
PING 172.16.1.254 (172.16.1.254) 100(128) bytes of data.
Warning: time of day goes back (-394us), taking countermeasures.
108 bytes from 172.16.1.254: icmp_seq=1 ttl=255 time=0.058 ms
108 bytes from 172.16.1.254: icmp_seq=2 ttl=255 time=0.400 ms
108 bytes from 172.16.1.254: icmp_seq=3 ttl=255 time=0.403 ms
108 bytes from 172.16.1.254: icmp_seq=4 ttl=255 time=1.63 ms
108 bytes from 172.16.1.254: icmp_seq=5 ttl=255 time=0.414 ms

--- 172.16.1.254 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 8008ms
rtt min/avg/max/mdev = 0.058/0.581/1.632/0.542 ms
SWITCH#


[ Sample configuration 2 ]

In case the switch is configured with several IP addresses, you sometimes need to check the network connection between a specific IP address and its partner.

The following checks the network status between 172.16.157.100 and 172.16.1.254 when the IP address of the switch is configured as 172.16.157.100. Input y at “Extended commands” to operate “sping”.

SWITCH# ping
Protocol [ip]:
Target IP address: 172.16.1.254
Repeat count [5]: 5
Datagram size [100]:100
Timeout in seconds [2]:2
Extended commands [n]: y
Source address or interface: 172.16.157.100
Type of service [0]:0
Set DF bit in IP header? [no]:no
Data pattern [0xABCD]:
PATTERN: 0xabcd
PING 172.16.1.254 (172.16.1.254) from 172.16.157.100 : 100(128) bytes of data.
108 bytes from 172.16.1.254: icmp_seq=1 ttl=255 time=30.4 ms
108 bytes from 172.16.1.254: icmp_seq=2 ttl=255 time=11.9 ms
108 bytes from 172.16.1.254: icmp_seq=3 ttl=255 time=21.9 ms
108 bytes from 172.16.1.254: icmp_seq=4 ttl=255 time=11.9 ms
108 bytes from 172.16.1.254: icmp_seq=5 ttl=255 time=30.1 ms

--- 172.16.1.254 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 8050ms
rtt min/avg/max/mdev = 11.972/21.301/30.411/8.200 ms
SWITCH#

6.3.2 IP ICMP Source-routing Function

If you run a PING test to check the status of a network connection, the ICMP request reaches the final destination by the closest route according to routing theory.


[Figure labels: PC; A (SURPASS hiD 6610), B, E; Request, Reply; PING test for C; The route of general PING test]

【 Figure 6-2 】Ping test for Network connection

In the above figure, if you run a PING test from the PC to C, it goes through the route 「A→B→C」. This is the general case. With SURPASS hiD 6610, however, it is possible to run the PING test from the PC along the route 「A→E→D→C」.

[Figure labels: PC; A (SURPASS hiD 6610), B; Request, Reply; PING test for C]

【 Figure 6-3 】IP Source Routing


To run a PING test along the route that the manager designates, use the following steps.

Step 1 Enable the IP source-routing function on the equipment connected to the PC from which the PING test is going to be run.

To enable IP source-routing in SURPASS hiD 6610, use the following command.

Command Mode Function

ip icmp source-route Global Enables IP source-routing function.

no ip icmp source-route Global Disables IP source-routing function.

Step 2 Run the PING test from the PC along the designated route with the 「ping –k ip-address ip-address…」 command.

6.3.3 Tracing Packet Route

In hiD 6610, the user can trace the route a packet takes to its destination. The traceroute command sends test packets and displays the return time for every hop along the route. If there is no response within the return time, (*) is displayed.

To trace the packet route, use the following command in Privilege Exec Enable mode.

Command Mode Function

traceroute [word] Enable Traces the packet transmission route to the IP address or hostname of the destination.

traceroute ip [word] Enable Traces the packet transmission route to the IP address or hostname of the destination.


Contents Basic Configuration

Source address or interface: Designates the source IP address to which the remote device should respond.

Type of service [0]: The service field of QoS (Quality of Service) in Layer 3 application. It is possible to designate the priority for IP packets.

Set DF bit in IP header? [no] Decides whether the Don’t Fragment (DF) bit is applied to the Ping packet or not. Default is no. If the user chooses ‘yes’, the packet is prevented from being fragmented when it passes through a segment that uses a smaller data unit. Therefore there could be an error message.

Data pattern [0xABCD] Configures data pattern. Default is 0xABCD.

The following checks the route of a packet transmitted to 192.168.1.10.

SWITCH# traceroute 192.168.1.10
traceroute to 192.168.1.10 (192.168.1.10), 30 hops max, 38 byte packets
1 hmt.da-san.com (203.236.124.252) 0.528 ms 0.450 ms 0.719 ms
2 172.16.147.49 (172.16.147.49) 141.994 ms 125.313 ms 13.171 ms
3 168.126.228.101 (168.126.228.101) 13.600 ms 6.597 ms 6.591 ms
4 211.193.39.1 (211.193.39.1) 6.848 ms 6.884 ms 6.691 ms
5 211.196.155.2 (211.196.155.2) 7.215 ms 7.023 ms 6.995 ms
6 hh-k5-ge3.kornet.net (211.192.47.15) 7.749 ms 11.795 ms 50.576 ms
7 128.134.40.182 (128.134.40.182) 8.389 ms 34.922 ms 13.549 ms
8 211.39.255.229 (211.39.255.229) 134.076 ms 12.646 ms 7.442 ms
9 211.45.90.253 (211.45.90.253) 8.134 ms 13.891 ms 7.714 ms
10 * * *
11 * * *
12 * * *
SWITCH#

6.3.4 Checking Accessed User through Telnet

To check accessed user through telnet, use the following command.

Command Mode Function

where Enable/Global Checks accessed user from remote place.

The following is an example of checking if there is any accessed user from remote place.

SWITCH# where
admin at ttyS0 from console for 4 hours 6 minutes 21.57 seconds
SWITCH#


6.3.5 Confirming MAC table

To display MAC table recorded in specific port, use the following command.

Command Mode Function

show mac bridge-name [port-number] Enable/Global/Bridge Shows MAC table.

The following is an example of displaying MAC table recorded in br1.

SWITCH(config)# show mac 1
==================================================================
port mac addr permission in use
==================================================================
eth01 00:00:00:00:00:28 OK 23.29
eth01 00:00:00:00:00:25 OK 23.35
SWITCH(config)#

Information

The above message may vary according to product codes.

Information

The MAC table can hold more than about a thousand MAC addresses, so it is difficult to find the information you need at a glance. The system therefore shows a certain number of addresses and then displays 「-more-」 and waits. Press any key to see more. After you find the information, you can go back to the system prompt without displaying the rest of the table by pressing “q”.

6.3.6 Configuring Ageing time

SURPASS hiD 6610 records the MAC table to prevent broadcast packets from being transmitted. An unnecessary MAC address that does not respond during a specified time is deleted from the MAC table automatically. The specified time is called Ageing time.

To specify the Ageing time, use the following command.

Command Mode Function

mac aging-time <10-2147483647> Bridge Specifies the Ageing time.

Information

Default is 300 seconds.

6.3.7 Viewing Running Time of Switch

User can view how long the switch has been running since booting.

To view running time of user’s switch, use the following command.

Command Mode Function

show uptime Enable/Global Shows running time of user’s switch after power on.

6.3.8 Confirming System Information

To view system information such as product model, memory size, hardware specification, and OS

version, use the following command.

Command Mode Function

show system Enable/Global Shows system information.

6.3.9 Checking Average of CPU Utilization

It is possible to check average of CPU utilization. To do it, use the following command.

Command Mode Function

show cpuload Enable/Global Shows threshold of CPU utilization and average of CPU utilization.

6.3.10 Checking CPU Process

It is possible to check the CPU load classified by each process. Through this function, user can see which daemon uses the most CPU, whether there is any unnecessary daemon, and the operating process of a troubled daemon. This information is useful for solving problems.

To check CPU process, use the following command.

Command Mode Function

show process Enable/Global Checks CPU loading process

6.3.11 Viewing Utilization of Memory

To view utilization of memory, use the following command.

Command Mode Function

show memory Enable/Global Shows utilization of switch memory.

show memory {bgp | dhcp | imi | lib | nam | ospf | pim | rip} Enable/Global Shows utilization of Memory for specific function.

6.3.12 Viewing Version of System Image

User can view current system image version of SURPASS hiD 6610. To view the current system image

version, use the following command.

Command Mode Function

show version Enable/Global Shows version of system image.

6.3.13 Viewing Size of System Image File

User can verify the size of the current system image file of SURPASS hiD 6610. To do this, use the

following command.

Command Mode Function

show os-size Enable/Global Shows size of system image.

6.3.14 Checking Installed OS

It is possible to view utilization of flash memory. To do it, use the following command.

Command Mode Function

show flash Enable/Global Shows utilization of flash memory.

Note

In SURPASS hiD 6610, Dual-OS can be provided depending on the Flash Memory installed in the switch. Single-OS is provided in the case Flash Memory is 8M+16M and Dual-OS is provided in the case Flash Memory is 8M+32M.

It is possible to check Flash Memory with show system command.

The following is the system information of a switch providing Dual-OS.

SWITCH(config)# show system


SysInfo(System Information)
Model Name : hiD 6610 (type code:S311)
Main Memory Size : 128 MB
Flash Memory Size : 8 MB(INTEL 28F640J3), 32 MB(INTEL 28F256J3)
S/W Compatibility : 3, 7
H/W Revision : DS-T2-07K-A1
NOS Version : 3.02
B/L Version : 4.59
H/W Address : 00:d0:cb:00:05:ff

SWITCH#

The following is to show NOS installed in the switch that supports Dual-OS.

SWITCH# show flash

Flash Information(Bytes)

Area total used free


--------------------------------------------------------------
OS1(default)(running) 16777216 9801760 6975456 3.02-7 #3021
OS2 16777216 9613344 7163872 2.09-01 #3006
CONFIG 4194304 663552 3530752
--------------------------------------------------------------
Total 37748736 20078656 17670080
SWITCH#

Note

The above information can be different according to the product.

6.3.15 Configuring Default OS(※Supporting certain products)

In SURPASS hiD 6610, Dual-OS can be supported depending on the configured Flash Memory. Single-OS is provided in the case Flash Memory is 8M+16M and Dual-OS is provided in the case Flash Memory is 8M+32M. You can confirm the Flash Memory by using show system command.

When there are two system images installed, user can configure either of the two as Default OS in SURPASS hiD 6610.

Note

In SURPASS hiD 6610, a system image saved in os1 is configured as Default OS by default.

User can configure the default OS used when booting or rebooting the system. To do this, use the following command.

Command Mode Function

default-os {os1 | os2} Enable Configures default OS of switch.

The following is an example of configuring OS2 as default OS.

SWITCH# default-os os2


SWITCH#

To confirm the configured Default OS, view the system images installed in flash memory by using the command show flash. The following is an example of changing the Default OS of SURPASS hiD 6610 from os1 to os2.

SWITCH# show flash

Flash Information(Bytes)
Area total used free
----------------------------------------------------
OS1(default) 7864320 5367868 2234398 2.09 #4121
OS2 7864320 5115586 2748734 7.83 #4435
Config 524284 92160 432124
----------------------------------------------------
Total 167252924 10575614 5415256
SWITCH# default-os os2
SWITCH# show flash
Flash Information(Bytes)
Area total used free
----------------------------------------------------
OS1 7864320 5367868 2234398 2.09 #4121
OS2 (default) 7864320 5115586 2748734 7.83 #4435
Config 524284 92160 432124
----------------------------------------------------
Total 167252924 10575614 5415256
SWITCH#

6.3.16 Checking Switch Status

You can check temperature of switch, power status, and fan status. To do it, use the following commands.

Command Mode Function

show status fan Enable/Global/Bridge Shows fan status of switch.

show status power Enable/Global/Bridge Shows power status.

show status temp Enable/Global/Bridge Shows temperature of switch.

6.3.17 Checking Tech-support

In SURPASS hiD 6610, you can check the configuration and configuration file, log information, register, memory, and debugging information using the following commands. By checking Tech-support, you can check system errors and use the information for solving the problem.

Command Mode Function

tech-support {all | crash-info} console View/Enable Checks Tech-support on console.

tech-support {all | crash-info} remote ip-address file-name {ftp | tftp} View/Enable Saves the contents of Tech-support in the designated address.

Information

If you choose all among the options, you can check all of the Tech-support information, and if you choose crash-info, you can check [SYSTEM], [SYSINFO], [VERSION], [TAG], [SHOW RUNNING-CONFIG], [VOLATILE SYSLOG], [NON-VOLATILE SYSLOG], [SWITCHING ASIC INFO], [UPTIME INFO], [FLASHINFO].

Information

Tech-support contents displayed on console are shown at once regardless of the number of display lines of terminal screen.

7. Network Management

This chapter provides guidelines for managing SURPASS hiD 6610 and the network to which it belongs. It contains the following sections.

■ SNMP

■ RMON

■ Syslog

■ QoS and Packet Filtering

■ MAC Filtering

■ Configuring Max Host

■ Managing MAC Table

■ Configuring ARP Table

■ ARP-Alias

■ Proxy-ARP

■ Configuring Gratuitous ARP

7.1 SNMP

An SNMP (Simple Network Management Protocol) system consists of three parts: SNMP manager, a managed device and SNMP agent. SNMP is an application-layer protocol that allows SNMP manager and agent stations to communicate with each other. SNMP provides a message format for sending information between SNMP manager and SNMP agent. The agent and MIB reside on the switch. In configuring SNMP on the switch, you define the relationship between the manager and the agent. According to community, you can give the right only to read or the right both to read and to write. The SNMP agent has MIB variables to reply to requests from the SNMP administrator. The SNMP administrator can obtain data from the agent and save data in the agent. The SNMP agent gets data from the MIB, which saves information on system and network.

The SNMP agent sends a trap to the administrator in some cases. A trap is a warning message that alerts the SNMP administrator to network status. Traps report improper user authentication, rebooting, connection status (activate or deactivate), closing of a TCP connection, and disconnection from a neighbor switch.

【 Figure 7-1 】Organization of SNMP (the SNMP Manager, using an NMS (Network Management System), sends a request for information to the SNMP Agent included in each Managed Device; the requested information is transferred to the SNMP manager)

SURPASS hiD 6610 supports SNMP v1, v2c, and v3. SURPASS hiD 6610 strengthens access management of the SNMP agent and limits the range of OID opened to agents. The following is how to configure SNMP in SURPASS hiD 6610.

□ Configuring SNMP v1 Community

□ Configuring Accessed Person and Location of SNMP Agent

□ Configuring SNMP v2c Com2sec

□ Configuring Group

□ Limiting the open range of OID

□ Access right for limited OID

□ Configuring SNMP v3 User

□ Configuring SNMP Trap


□ Configuring IP Address of SNMP Agent

□ Checking SNMP Configuration

□ Deleting SNMP function

7.1.1 Configuring SNMP v1 Community

Only an authorized person can access the SNMP agent installed in the switch when a password, called a community, is configured.

To configure the community in SNMP v1, use the following command on Global configuration mode.

Command Mode Function

snmp community {ro | rw} community [ip-address] [oid] Global Configures community to allow authorized person to access.

Information

It is possible to configure up to three SNMP communities for each of the reading right and the writing right in SURPASS hiD 6610.

Community means password as it is usually known. You can configure the community by entering the password you want at community. It is possible to give access right only to read or both to read and to write according to the configured password.

In the command, ro stands for read-only and rw stands for read/write. They are the keywords that distinguish the access right.

To delete configured community, use the following command.

Command Mode Function

no snmp community {ro | rw} community Global Deletes community.

To check configured community, use the following command.

Command Mode Function

show snmp community Enable/Global Checks Community.

[Sample Configuration 1]

The following are two examples: giving access right both to read and write by configuring the password as public, and giving access right only to read by configuring the password as private.

SWITCH(config)# snmp community rw public


SWITCH(config)# snmp community ro private
SWITCH(config)# show snmp community

Community List
Community Source OID
--------------------------------------------
community rw public
community ro private

SWITCH(config)#
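
The check below is an added example, not part of the manual: it parses show snmp community output in the layout of Sample Configuration 1 and flags well-known community strings and entries with no source address, since the community string is the only credential SNMP v1 and v2c have and it travels unencrypted. The third sample row, the position of the source column after the community name, and the word list are assumptions.

```python
import re

# Constructed sample in the layout of the "show snmp community" output above.
# Assumption: a configured source address is printed after the community name.
SAMPLE_OUTPUT = """\
Community List
Community Source OID
--------------------------------------------
community rw public
community ro private
community ro n0c-Mon1tor 10.1.1.3
"""

# Strings commonly left at vendor defaults; an assumed starter list, extend locally.
WELL_KNOWN = {"public", "private", "admin", "snmp", "community"}

# One row: community {ro|rw} name [source] [oid]. The header rows start with a
# capital "Community" and therefore do not match.
ROW = re.compile(r"^\s*community\s+(ro|rw)\s+(\S+)(?:\s+(\S+))?(?:\s+(\S+))?\s*$")


def parse_communities(text):
    """Turn each community row of the listing into a dict."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            access, name, source, oid = m.groups()
            entries.append({"access": access, "name": name,
                            "source": source, "oid": oid})
    return entries


def audit(entries):
    """Return (community, finding) pairs for entries that weaken access control."""
    findings = []
    for e in entries:
        if e["name"].lower() in WELL_KNOWN:
            findings.append((e["name"], "well-known community string"))
        if e["source"] is None:
            scope = "read/write" if e["access"] == "rw" else "read-only"
            findings.append((e["name"], f"{scope} access from any source address"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_communities(SAMPLE_OUTPUT)):
        print(f"{name}: {finding}")
```
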

7.1.2 Configuring Accessed Person and Location of SNMP Agent

You can configure accessed person and location of the SNMP agent so that these descriptions can be saved in the SNMP configuration file. To configure accessed person and location of the SNMP agent, use the following commands.

Command Mode Function

snmp contact name Global Enters name of accessed person.

snmp location name Global Enters location of SNMP agent.

To delete accessed person and location of the SNMP agent, use the following command.

Command Mode Function

no snmp contact Global Deletes the name of accessed person.

no snmp location Global Deletes location of SNMP agent.

To check accessed person and location of the SNMP agent, use the following command.

Command Mode Function

show snmp contact Enable/Global Shows the name of accessed person.

show snmp location Enable/Global Shows location of SNMP agent.

[Sample Configuration 2]

The following is to configure the information about system administrator of SNMP agent as dasan<02.3484.6500> and the location of the switch where SNMP agent is configured as Seoul,Korea.

SWITCH(config)# snmp contact dasan<02.3484.6500>


SWITCH(config)# show snmp contact

contact dasan<02.3484.6500>

SWITCH(config)# snmp location Seoul,Korea


SWITCH(config)# show snmp location

location Seoul,Korea

SWITCH(config)#

7.1.3 Configuring SNMP v2c Com2sec

SNMP v2 authorizes the host to access the agent according to the identity of the host and the Community name. The command com2sec specifies the mapping from the identity of the host and Community name to a Security name. To create a Security name, use the following command.

Command Mode Function

snmp com2sec security-name {ip-address | ip-address/m} community Global Specifies the mapping from the identity of the host and Community name to Security name.

To delete the registered Security name, use the following command.

Command Mode Function

no snmp com2sec security-name Global Deletes the registered Security name.

To check registered Security name, use the following command.

Command Mode Function

show snmp com2sec Enable/Global Checks the registered Security name.

[Sample Configuration 3]

The following is an example of configuring com2sec and checking it.

SWITCH(config)# snmp com2sec test 100.1.1.1 public


SWITCH(config)# show snmp com2sec

com2sec list
---------------------------------------
com2sec test 100.1.1.1 public

SWITCH(config)#

7.1.4 Configuring Group

User can make an SNMP manager that can access the SNMP agent, and its Community, belong to a group.

To create SNMP group, use the following command.

Command Mode Function

snmp group group-name {v1 | v2c | v3} user-name Global Creates SNMP group.

User can choose the security type from {v1 | v2c | v3}. security-name takes the one created from the command, com2sec. However, security-name is a part of the basic SNMP protocol in SNMP v3, so user also can specify this without com2sec configuration.

To delete SNMP group, use the following command.

Command Mode Function

no snmp group group-name [v1 | v2c | v3] Global Deletes SNMP group.

To check the registered group, use the following command.

Command Mode Function

show snmp group Enable/Global Checks the registered group.

7.1.5 Limiting Open Range of OID

SNMP v2c and v3 can restrict the user to access to a limited OID only. The OID range that limits what is open is called a “view”.

【 Figure 7-2 】Open Range of OID (View A, View B)

To configure View in SURPASS hiD 6610, use the following command.

Command Mode Function

snmp view view included oid [mask] Global Configures OID which contains Sub-tree as “view”.

snmp view view excluded oid [mask] Global Configures OID which doesn’t contain Sub-tree to be designated as “view”.

To delete configured View, use the following command.

Command Mode Function

no snmp view view Global Deletes View of the name “view”.

To show configured View, use the following command.

Command Mode Function

show snmp view Enable/Global Checks configured View.

[Sample Configuration 4]

The following is an example of registering View and checking it.

SWITCH(config)# snmp view TEST included 410


SWITCH(config)# show snmp view

View list
-------------------------------------------
view TEST included 410

SWITCH(config)#

7.1.6 Access Right for Limited OID

In SURPASS hiD 6610, the manager can configure a particular Group to look at limited OID (=View) only.

To permit the particular group to access limited OID, use the following command.

Command Mode Function

snmp access group-name {v1 | v2c} read-view write-view notify-view Global Configures View to permit for appropriate group in SNMP v1 and SNMP v2c.

snmp access group-name v3 {noauth | auth | priv} read-view write-view notify-view Global Configures View to permit for appropriate group in SNMP v3.

To release the configuration for accessing to limited OID, use the following command.

Command Mode Function

no snmp access group-name Global Releases the Group which gets the permission for limited OID.

To check the group which gets the permission for limited OID, use the following command.

Command Mode Function

show snmp access Enable/Global Shows the group which gets the permission for limited OID.
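
How the commands of sections 7.1.3 to 7.1.6 chain together, as an added example that is not part of the manual: a request's source address and community resolve through com2sec, group and access to a view, and the view's included and excluded subtrees decide whether the OID is visible. It assumes the switch follows the standard view-based access control rule (the longest matching subtree wins); masks and SNMP v3 security levels are left out, and every name, address, OID choice and community string is constructed.

```python
import ipaddress

# All values below are constructed for illustration; each table mirrors one command.
# snmp com2sec security-name {ip-address | ip-address/m} community
COM2SEC = [("nms_ro", "100.1.1.0/24", "n0c-Mon1tor")]
# snmp group group-name {v1 | v2c | v3} security-name (shown as user-name in the table)
GROUPS = [("monitors", "v2c", "nms_ro")]
# snmp view view {included | excluded} oid
VIEWS = [
    ("sysonly", "included", "1.3.6.1.2.1.1"),    # the MIB-II system group
    ("sysonly", "excluded", "1.3.6.1.2.1.1.4"),  # hide sysContact inside it
]
# snmp access group-name {v1 | v2c} read-view write-view notify-view
# "none" is a view name with no subtrees, so it exposes nothing (assumption).
ACCESS = [("monitors", "v2c", "sysonly", "none", "none")]


def oid_tuple(oid):
    """'1.3.6.1' -> (1, 3, 6, 1) so that subtrees compare as prefixes."""
    return tuple(int(part) for part in oid.strip(".").split("."))


def in_view(view, oid):
    """True if the longest subtree of this view that contains oid is 'included'."""
    target = oid_tuple(oid)
    best = None  # (subtree length, kind) of the most specific match so far
    for name, kind, subtree in VIEWS:
        prefix = oid_tuple(subtree)
        if name == view and target[:len(prefix)] == prefix:
            if best is None or len(prefix) > best[0]:
                best = (len(prefix), kind)
    return best is not None and best[1] == "included"


def resolve(src_ip, community, model, op, oid):
    """Decide a request; op is 'read', 'write' or 'notify'."""
    addr = ipaddress.ip_address(src_ip)
    # Step 1, com2sec: (source address, community) -> security name
    sec = next((s for s, net, c in COM2SEC
                if c == community
                and addr in ipaddress.ip_network(net, strict=False)), None)
    if sec is None:
        return False
    # Step 2, group: (security model, security name) -> group
    grp = next((g for g, m, s in GROUPS if m == model and s == sec), None)
    if grp is None:
        return False
    # Step 3, access: (group, security model) -> read, write and notify views
    row = next((a for a in ACCESS if a[0] == grp and a[1] == model), None)
    if row is None:
        return False
    # Step 4, view: is the OID inside the view chosen for this operation?
    view = row[2 + ("read", "write", "notify").index(op)]
    return in_view(view, oid)


if __name__ == "__main__":
    checks = [
        ("100.1.1.7", "n0c-Mon1tor", "read", "1.3.6.1.2.1.1.5.0"),   # sysName.0
        ("100.1.1.7", "n0c-Mon1tor", "read", "1.3.6.1.2.1.1.4.0"),   # sysContact.0
        ("100.1.1.7", "n0c-Mon1tor", "write", "1.3.6.1.2.1.1.5.0"),
        ("10.9.9.9", "n0c-Mon1tor", "read", "1.3.6.1.2.1.1.5.0"),
    ]
    for src, comm, op, oid in checks:
        print(src, op, oid, "->", resolve(src, comm, "v2c", op, oid))
```
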

7.1.7 Configuring SNMP v3 User

In SNMP v3, register the agent as user. If you register User, you should configure it with the authentication key. To configure SNMP v3, use the following command.

Command Mode Function

snmp user user-name {md5 | sha} auth-key [des] [private_key] Global Configures user of SNMP v3.

To delete registered user, use the following command.

Command Mode Function

no snmp user user-name Global Deletes User.

To check registered user, use the following command.

Command Mode Function

show snmp user Enable/Global Checks registered user.

7.1.8 Configuring SNMP Trap

SNMP trap is an alert message with which the SNMP agent notifies the SNMP manager about certain problems. If you configure SNMP trap, the switch transmits pertinent information to the network management program. In this case, trap message receivers are called trap-hosts.

(1) Configuring SNMP Trap-host

To configure the trap-host that receives trap messages, use the following command. In this case, you should input the IP address of the trap-host that is supposed to receive the trap. For example, if SNMP manager is trap-host, you should input IP address of SNMP manager.

In hiD 6610, it is possible to configure trap-host of SNMP v1 and SNMP v2c and SNMP v3 inform-trap-host.

Command Mode Function

snmp trap-host ip-address [community] Global Configures SNMP version 1 trap host.

snmp trap2-host ip-address [community] Global Configures SNMP version 2 trap host.

snmp inform-trap-host ip-address [community] Global Configures SNMP v3 inform trap host.

Information

SNMP Trap starts to be transmitted by configuring Trap-host.

To disable the configuration of transmitting Trap messages to the appropriate IP address, use the following command.

Command Mode Function

no snmp trap-host ip-address [community] Global Disables the configuration of transmitting Trap message to appropriate IP address.

no snmp trap2-host ip-address [community] Global Disables the configuration of transmitting SNMP v2c Trap message to appropriate IP address.

no snmp inform-trap-host ip-address Global Disables the configuration of transmitting SNMP v3 inform Trap message to appropriate IP address.

To check configured SNMP trap-host, use the following command.

Command Mode Function

show snmp trap Global Checks configured SNMP trap-host and SNMP trap.

Information

It is possible to configure up to 16 SNMP trap-hosts in SURPASS hiD 6610.

When you configure more than one trap-host, you can configure it by inputting IP address one by one or inputting the IP addresses at once.

[ Sample Configuration 5 ]

The following is an example of configuring IP address 10.1.1.3, 20.1.1.5, and 30.1.1.2 as trap-host in two ways.

SWITCH(config)# snmp trap-host 10.1.1.3


SWITCH(config)# snmp trap-host 20.1.1.5
SWITCH(config)# snmp trap-host 30.1.1.2
SWITCH(config)#

SWITCH(config)# snmp trap-host 10.1.1.3 20.1.1.5 30.1.1.2


SWITCH(config)#

[ Sample Configuration 6 ]

The following is an example of configuring IP address 10.1.1.1 as trap-host, 20.1.1.1 as trap2-host and 30.1.1.1 as inform-trap-host.

SWITCH(config)# snmp trap-host 10.1.1.1


SWITCH(config)# snmp trap2-host 20.1.1.1
SWITCH(config)# snmp inform-trap-host 30.1.1.1
SWITCH(config)# show snmp trap

Trap-Host List
Host Community
------------------------------------------
inform-trap-host 30.1.1.1
trap2-host 20.1.1.1
trap-host 10.1.1.1

Trap List
Trap-type Status
--------------------------
auth-fail enable
cold-start enable
cpu-threshold enable
port-threshold enable
dhcp-lease enable
power enable
module enable
fan enable
temp-threshold enable

SWITCH(config)#

(2) Configuring SNMP Trap

There are nine kinds of SNMP trap messages provided by SNMP – authentication-failure, cold-start, link-Up/Down, CPU-threshold, port-threshold, temp-threshold, DHCP-lease, fan, module, power.

Each trap message is shown in the following cases.

(1) authentication-failure is shown when a user trying to access SNMP inputs a wrong community.

(2) cold-start is shown when SNMP agent is turned off and rebooted again.

(3) link-up/down is shown when network of port specified by user is disconnected, or when the network is connected again.

(4) cpu-threshold is shown when CPU utilization rises above the threshold configured by user as described in 「6.3.3 Configuring Threshold of CPU Utilization」. Also, when CPU utilization falls below the threshold, a trap message will be shown to notify it.

(5) dhcp-lease is shown when there is no more IP address that can be assigned in a subnet of the DHCP server. When there are several subnets, this trap message will be seen even if only one subnet has no IP address left to assign.

(6) port-threshold is shown when the port traffic rises above the threshold configured by user as described in 「7.3.4 Configuring Threshold of Port Traffic」. Also, when port traffic falls below the threshold, port-threshold will be shown.

(7) fan/module/power is shown when there is any problem in Fan, Module, and Power.

(8) temp-threshold is shown when temperature rises above the threshold configured by user as described in Configuring Threshold of Temperature.

Information

SNMP Trap messages provided by each switch can be different. Each switch that supports SNMP function can use all or a part of the following commands when you configure the switch. To check the commands provided by each switch, use snmp trap ? in Global Configuration Mode.

However, the switch may work inefficiently if all these trap messages are sent too frequently. Therefore, user can select the types of trap sent to trap-host.

To configure kinds of trap messages that user wants to receive, use the following commands.

Command Mode Function

snmp trap auth-fail Global Configures Authentication-failure trap message to be sent.

snmp trap cold-start Global Configures Cold-start trap message to be sent.

snmp trap link-down port-number [node-number] Global Configures Link-down message to be sent when network of port specified by user is disconnected.

snmp trap link-up port-number [node-number] Global Configures Link-up message to be sent when network of port specified by user is connected.

snmp trap cpu-threshold Global Configures CPU-threshold trap message to be sent when CPU utilization rises above the threshold and falls down below the threshold.

snmp trap port-threshold Global Configures port-threshold trap message to be sent when the port traffic rises above the threshold and falls down below the threshold.

snmp trap temp-threshold Global Configures temp-threshold trap message to be sent when the temperature rises above the threshold and falls down below the threshold.

snmp trap dhcp-lease Global Configures DHCP-lease trap message to be sent when there is no more IP address that can be assigned in subnet of DHCP server.

snmp trap fan Global Sends trap message when there is any problem in fan.

snmp trap module Global Sends trap message when there is any problem in module.

snmp trap power Global Sends trap message when there is any problem in power.

Information

By default, all kinds of trap messages are configured to send.

To block each message to trap-host, use the following commands.

Command Mode Function

no snmp trap auth-fail Global Blocks authentication failure trap message.

no snmp trap cold-start Global Blocks cold-start trap message.

no snmp trap link-down port-number [node-number] Global Blocks link-down trap message.

no snmp trap link-up port-number [node-number] Global Blocks link-up trap message.

no snmp trap cpu-threshold Global Blocks cpu-threshold trap message.

no snmp trap dhcp-lease Global Blocks dhcp-lease trap message.

no snmp trap port-threshold Global Blocks port threshold trap message.

no snmp trap temp-threshold Global Blocks temp threshold trap message.

no snmp trap fan Global Blocks fan trap message.

no snmp trap module Global Blocks module trap message.

no snmp trap power Global Blocks power trap message.

To check the configured trap messages, use the following commands.

Command Mode Function

show snmp trap Global Checks configured SNMP trap-host and SNMP trap.

[ Sample Configuration 6 ]

The following is an example of blocking authentication failure trap message.

SWITCH(config)# no snmp trap auth-fail


SWITCH(config)# show snmp trap

Trap-Host List
Host Community
------------------------------------------
inform-trap-host 30.1.1.1
trap2-host 20.1.1.1
trap-host 10.1.1.1

Trap List
Trap-type Status
--------------------------
auth-fail disable
cold-start enable
cpu-threshold enable
port-threshold enable
dhcp-lease enable
power enable
module enable
fan enable
temp-threshold enable

SWITCH(config)#
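
With auth-fail disabled as in the sample above, the switch no longer reports wrong-community attempts to any trap-host. The following added example, not part of the manual, parses show snmp trap output and reports trap types that a monitoring policy expects to stay enabled; the list of required traps and the assumption that inform-trap-host delivers acknowledged informs (as informs are in standard SNMP) are the example's own.

```python
# "show snmp trap" output copied from the sample above, prompt lines left out.
SAMPLE_OUTPUT = """\
Trap-Host List
Host Community
------------------------------------------
inform-trap-host 30.1.1.1
trap2-host 20.1.1.1
trap-host 10.1.1.1

Trap List
Trap-type Status
--------------------------
auth-fail disable
cold-start enable
cpu-threshold enable
port-threshold enable
dhcp-lease enable
power enable
module enable
fan enable
temp-threshold enable
"""

HOST_KINDS = ("trap-host", "trap2-host", "inform-trap-host")
# Traps this check insists on; the selection is an assumption, set it from local policy.
REQUIRED_TRAPS = ("auth-fail", "cold-start")


def parse_show_snmp_trap(text):
    """Return (hosts, traps): a list of host dicts and {trap-type: enabled?}."""
    hosts, traps, section = [], {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if parts == ["Trap-Host", "List"]:
            section = "hosts"
        elif parts == ["Trap", "List"]:
            section = "traps"
        elif section == "hosts" and len(parts) >= 2 and parts[0] in HOST_KINDS:
            hosts.append({"kind": parts[0], "ip": parts[1],
                          "community": parts[2] if len(parts) > 2 else None})
        elif (section == "traps" and len(parts) == 2
              and parts[1] in ("enable", "disable")):
            traps[parts[0]] = parts[1] == "enable"
        # Column headers, rulers, blank lines and prompts fall through untouched.
    return hosts, traps


def check(hosts, traps):
    """List the gaps between the parsed configuration and the policy above."""
    problems = []
    if not hosts:
        problems.append("no trap host configured, so no trap leaves the switch")
    elif not any(h["kind"] == "inform-trap-host" for h in hosts):
        # Assumes inform-trap-host receivers acknowledge what they get.
        problems.append("no inform-trap-host: all receivers get unacknowledged traps")
    for name in REQUIRED_TRAPS:
        if not traps.get(name, False):
            problems.append(f"{name} trap is not enabled")
    return problems


if __name__ == "__main__":
    for problem in check(*parse_show_snmp_trap(SAMPLE_OUTPUT)):
        print(problem)
```
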

7.1.9 Configuring Type of Alarm Notifications

In this mode, you can configure the Alarm notification. The notification will be sent to a configured trap host whenever the configuration change occurs through CLI and ACI-E. This enhanced alarm notification allows the network administrator to customize the severity on each alarm.

(1) Enabling Alarm Notification

To enable general alarm notifications, use the following command.

Command Mode Function

snmp notify-activity {enable | disable} Global Enables the activity for the general notification processed through CLI or ACI-E.

Information

This is disabled by default.

(2) Configuring General Alarm Notification

To configure the severity for general alarm notifications, use the following command.

Command Mode Function

snmp alarm-severity default {critical | major | minor | warning | intermediate} Global Configures the severity for alarm notifications.

Information

The default severity is “minor”.

If the severity is not configured for an alarm notification, the general alarm notification is applied to it. The default value is configured as minor and it can be changed by the network administrator’s configuration. If the user changes the severity of the general alarm notification, another alarm notification will be sent to inform of the change. To configure the severity of the alarm notification that informs of changes to or configuration of the general alarm notification, use the following command.

Command Mode Function

snmp alarm-severity criteria {critical | major | minor | warning | intermediate} Global Configures the severity for the changes on “general alarm notification alarm”.

Information

The default severity is “warning”.

(3) Configuring Alarm Notification with the Severity

To configure the severity for alarms, use the following commands.

Command Mode Function

snmp alarm-severity fan-fail {critical | major | minor | warning | intermediate} Global Sends alarm notification with the severity when there’s a problem on the fan.

snmp alarm-severity cold-start {critical | major | minor | warning | intermediate} Global Sends alarm notification with the severity when SNMP agent is turned off and rebooted again.

snmp alarm-severity broadcast-over {critical | major | minor | warning | intermediate} Global Sends alarm notification with the severity when broadcast traffic is overloaded.

snmp alarm-severity cpu-load-over {critical | major | minor | warning | intermediate} Global Sends alarm notification with the severity in the case of cpu overload.

snmp alarm-severity dhcp-lease {critical | major | minor | warning | intermediate} Global Sends alarm notification with the severity when there is no more IP address that can be assigned in subnet of DHCP server.

snmp alarm-severity dhcp-illegal {critical | major | minor | warning | intermediate} Global Sends alarm notification with the severity when there’s ip address illegally assigned.

snmp alarm-severity fan-remove {critical | major | minor | warning | intermediate} Global Sends alarm notification with the severity when the fan is removed from the switch.

snmp alarm-severity ipconflict {critical | major | minor | warning | intermediate} Global Sends alarm notification with the severity when IP address conflict happens.

snmp alarm-severity memory-over {critical | major | minor | warning | intermediate} Global Sends alarm notification with the severity in the case of memory overload.

snmp alarm-severity mfgd-block {critical | major | minor | warning | intermediate} Global Sends alarm notification with the severity when MAC flood guard function is configured.

snmp alarm-severity port-link-down {critical | major | minor | warning | intermediate} Global Sends alarm notification with the severity when network of port specified by user is disconnected.

snmp alarm-severity port-remove {critical | major | minor | warning | intermediate} Global Sends alarm notification with the severity when the port is removed.

snmp alarm-severity port-thread-over {critical | major | minor | warning | intermediate} Global Sends alarm notification with the severity when port traffic is over the threshold.

snmp alarm-severity power-fail {critical | major | minor | warning | intermediate} Global Sends alarm notification with the severity when there’s any problem on the power.

snmp alarm-severity power-remove {critical | major | minor | warning | intermediate} Global Sends alarm notification with the severity when the power is removed.

snmp alarm-severity rmon-alarm-rising {critical | major | minor | warning | intermediate} Global Sends alarm notification with the severity when traffic is rising over rmon alarm threshold.

snmp alarm-severity rmon-alarm-falling {critical | major | minor | warning | intermediate} Global Sends alarm notification with the severity when traffic is falling over rmon alarm threshold.

snmp alarm-severity system-restart {critical | major | minor | warning | intermediate} Global Sends alarm notification with the severity when system is turned off and rebooted.

snmp alarm-severity module-remove {critical | major | minor | warning | intermediate} Global Sends alarm notification with the severity when the module is removed from the switch.

snmp alarm-severity temperature-high {critical | major | minor | warning | intermediate} Global Sends alarm notification with the severity when there is any problem in temperature.

To disable the user's configuration, use the following commands.

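Command Mode Function

no snmp alarm-severity fan-fail   Global   Disables the user's configuration.

no snmp alarm-severity cold-start   Global   Disables the user's configuration.

no snmp alarm-severity broadcast-over   Global   Disables the user's configuration.

no snmp alarm-severity cpu-load-over   Global   Disables the user's configuration.

no snmp alarm-severity dhcp-lease   Global   Disables the user's configuration.

no snmp alarm-severity dhcp-illegal   Global   Disables the user's configuration.

no snmp alarm-severity fan-remove   Global   Disables the user's configuration.

no snmp alarm-severity ipconflict   Global   Disables the user's configuration.

no snmp alarm-severity memory-over   Global   Disables the user's configuration.

no snmp alarm-severity mfgd-block   Global   Disables the user's configuration.

no snmp alarm-severity port-link-down   Global   Disables the user's configuration.

no snmp alarm-severity port-remove   Global   Disables the user's configuration.

no snmp alarm-severity port-thread-over   Global   Disables the user's configuration.

no snmp alarm-severity power-fail   Global   Disables the user's configuration.

no snmp alarm-severity power-remove   Global   Disables the user's configuration.

no snmp alarm-severity rmon-alarm-rising   Global   Disables the user's configuration.

no snmp alarm-severity rmon-alarm-falling   Global   Disables the user's configuration.

no snmp alarm-severity system-restart   Global   Disables the user's configuration.

no snmp alarm-severity module-remove   Global   Disables the user's configuration.

no snmp alarm-severity temperature-high   Global   Disables the user's configuration.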

To configure the severity of alarms for ADVA status, use the following commands.

Command Mode Function

snmp alarm-severity adva-fan-fail {critical|major|minor|warning|intermediate}   Global   Sends alarm notification with the severity when ADVA reports fan-fail.

snmp alarm-severity adva-if-misconfig {critical|major|minor|warning|intermediate}   Global   Sends alarm notification with the severity when ADVA reports any mis-configuration.

snmp alarm-severity adva-if-opt-thres {critical|major|minor|warning|intermediate}   Global   Sends alarm notification with the severity when ADVA reports that traffic is over threshold on optical interface.

snmp alarm-severity adva-if-rcv-fail {critical|major|minor|warning|intermediate}   Global   Sends alarm notification with the severity when ADVA reports a failure to receive the packets.

snmp alarm-severity adva-if-sfp-mismatch {critical|major|minor|warning|intermediate}   Global   Sends alarm notification with the severity when ADVA reports that SFP module is mismatched.

snmp alarm-severity adva-if-trans-fault {critical|major|minor|warning|intermediate}   Global   Sends alarm notification with the severity when ADVA reports a failure to transmit the packets.

snmp alarm-severity adva-psu-fail {critical|major|minor|warning|intermediate}   Global   Sends alarm notification with the severity when ADVA reports any problem on the power.

snmp alarm-severity adva-temperature {critical|major|minor|warning|intermediate}   Global   Sends alarm notification with the severity when ADVA reports any problem in temperature.

snmp alarm-severity adva-voltage-high {critical|major|minor|warning|intermediate}   Global   Sends alarm notification with the severity when ADVA reports that the voltage is high.

snmp alarm-severity adva-voltage-low {critical|major|minor|warning|intermediate}   Global   Sends alarm notification with the severity when ADVA reports that the voltage is low.


To disable the user's configuration, use the following commands.

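Command Mode Function

no snmp alarm-severity adva-fan-fail   Global   Disables the user's configuration.

no snmp alarm-severity adva-if-misconfig   Global   Disables the user's configuration.

no snmp alarm-severity adva-if-opt-thres   Global   Disables the user's configuration.

no snmp alarm-severity adva-if-rcv-fail   Global   Disables the user's configuration.

no snmp alarm-severity adva-if-sfp-mismatch   Global   Disables the user's configuration.

no snmp alarm-severity adva-if-trans-fault   Global   Disables the user's configuration.

no snmp alarm-severity adva-psu-fail   Global   Disables the user's configuration.

no snmp alarm-severity adva-temperature   Global   Disables the user's configuration.

no snmp alarm-severity adva-voltage-high   Global   Disables the user's configuration.

no snmp alarm-severity adva-voltage-low   Global   Disables the user's configuration.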

To configure the severity of alarms for ERP status, use the following commands.

Command Mode Function

snmp alarm-severity erp-domain-lotp {critical|major|minor|warning|intermediate}   Global   Sends alarm notification with the severity when no test packet has been received within 3 test packet intervals in ERP mechanism.

snmp alarm-severity erp-domain-multi-rm {critical|major|minor|warning|intermediate}   Global   Sends alarm notification with the severity when a Multiple RM node is created.

snmp alarm-severity erp-domain-ulotp {critical|major|minor|warning|intermediate}   Global   Sends alarm notification with the severity when no test packet has been received within 3 test packet intervals in one ERP port while test packets are received in the other port with ERP state.

To disable the user's configuration, use the following commands.

Command Mode Function

no snmp alarm-severity erp-domain-lotp   Global   Disables the user's configuration.

no snmp alarm-severity erp-domain-multi-rm   Global   Disables the user's configuration.

no snmp alarm-severity erp-domain-ulotp   Global   Disables the user's configuration.


To check the severity of alarms that the user configured, use the following command.

Command Mode Function

show snmp alarm-severity   Enable/Global   Shows the severity of alarms that the user configured.

[ Sample Configuration 8 ]

The following is to configure alarm-severity.

SWITCH(config)# snmp notify-activity enable
SWITCH(config)# snmp alarm-severity criteria critical
SWITCH(config)# snmp alarm-severity cpu-load-over warning
SWITCH(config)# show snmp alarm-severity
notify activity : enable
default severity : minor
severity criteria : critical
cpu-load-over : warning
SWITCH(config)#

To show what kind of alarm has been transmitted, use the following command.

Command Mode Function

show snmp alarm-history Enable/Global Shows what kind of alarm has been transmitted.

To delete the recorded alarms in the system, use the following command.

Command Mode Function

snmp clear alarm-history Enable/Global Deletes the recorded alarm in the system.

The following is to show the transmitted alarm and delete the records.

SWITCH(config)# show snmp alarm-history
cold-start minor Fri Mar 25 15:30:56 2005 System booted.
SWITCH(config)# snmp clear alarm-history
SWITCH(config)# show snmp alarm-history
SWITCH(config)#


7.1.10 Configuring IP Address of SNMP Agent

When the SNMP agent has several IP addresses, SNMP transmits information through the best route when the SNMP manager requests information. Therefore, the reply to the manager's request may be transmitted with an IP address different from the one the manager referred to.

Refer to the below picture.

[Figure labels: IP 10.1.1.1, IP 20.1.1.1 (contain SNMP agent), IP 30.1.1.1, IP 40.1.1.1, SNMP manager]

Ex) Even though the SNMP manager requests information through IP address 10.1.1.1, if SNMP decides that 40.1.1.1 is the best route, the information is transmitted through IP address 40.1.1.1.

【 Figure 7-3 】Agent address

In SURPASS hiD 6610, the user can designate the IP address of the SNMP agent so that the information is received through that address when the administrator requests it. As in the above picture, if the SNMP manager configures the IP address as 10.1.1.1, SNMP information is transmitted through IP address 10.1.1.1. To configure the IP address of the SNMP agent, use the following command.

Command Mode Function

snmp agent-address ip-address   Global   Configures IP address of SNMP agent.

no snmp agent-address ip-address   Global   Deletes IP address of SNMP agent.

Note

If the designated IP address of SNMP agent is deleted from the switch, SNMP may not respond.


If you try to delete from the device the IP address designated as the IP address of the SNMP agent, the switch informs you that SNMP may not respond, as follows.

SWITCH(config)# snmp agent-address 10.1.1.1
SWITCH(config)# interface br1
SWITCH(config-if)# no ip address 10.1.1.1/8
Warning : 172.16.209.100/16 is specified to the SNMP agent address.
SNMP agent may not reply.
SWITCH(config-if)#

To check IP address of SNMP agent, use the following command.

Command Mode Function

show snmp agent-address Enable/Global Shows the IP address of SNMP agent

7.1.10 Checking SNMP Configuration

To check SNMP configuration, use the following command.

Command Mode Function

show snmp Enable/Global/Bridge/Interface Shows the configuration of the switch.

7.1.11 Disable SNMP

To disable SNMP, use the following command.

Command Mode Function

no snmp Global Disables SNMP.

Note

When you use the above command, all configurations concerned with SNMP will be deleted.


7.2 Configuring OAM

OAM (Operations, Administration, Maintenance) is a useful function for watching the link operation. It lets the network administrator watch the network and quickly locate where an error happens. OAM shows the network status by using the Loopback function. It also helps to recognize the status of an ADVA switch by receiving SNMP information of ADVA.

7.2.1 Configuring OAM Loopback

(1) OAM Loopback

For the OAM Loopback function, both the user’s switch and the host connected to the user’s device must support the OAM function. The OAM Loopback function enables, from the user’s device, the Loopback function of the host connected to the user’s device and operates it.

To enable Local OAM, use the following command.

Command Mode Function

oam local admin enable port-number Bridge Enables Local OAM.

To disable Local OAM, use the following command.

Command Mode Function

oam local admin disable port-number Bridge Disables Local OAM.

To enable Loopback function of the host connected to the user’s switch, use the following command.

Command Mode Function

oam remote loopback enable port-number Bridge Enables Loopback function of Peer device.

To disable Loopback function of peer device, use the following command.

Command Mode Function

oam remote loopback disable port-number Bridge Disables Loopback function of Peer device.


To operate Loopback, use the following command.

Command Mode Function

oam remote loopback start port-number Bridge Operates Loopback.

(2) Configuring Local OAM Mode

To configure Local OAM, use the following command.

Command Mode Function

oam local mode {active|passive} port-number   Bridge   Configures the mode of Local OAM.

Both Request and Loopback are possible in Local OAM active mode.

In Local OAM passive mode, however, neither Request nor Loopback is possible.

(3) Configuring Unidirection

When RX is impossible in Local OAM, it is possible to send the information by using TX.

To enable the function, use the following command.

Command Mode Function

oam local unidirection enable port-number   Bridge   Sends the information by using TX.

To disable transmitting the information by using TX, use the following command.

Command Mode Function

oam local unidirection disable port-number   Bridge   Disables transmitting the information by using TX.

7.2.2 Configuring Remote OAM

To enable Remote OAM, use the following command.


Command Mode Function

oam remote oam admin <1-2> enable port-number Bridge Enables Remote OAM.

To disable Remote OAM, use the following command.

Command Mode Function

oam remote oam admin <1-2> disable port-number Bridge Disables Remote OAM.

To configure the mode of Remote OAM, use the following command.

Command Mode Function

oam remote oam mode <1-2> {active|passive} port-number   Bridge   Configures the mode of Remote OAM.

Both Request and Loopback are possible for Remote OAM active. Whereas, Request or Loopback is

impossible in Remote OAM passive.

To check the information of peer host using OAM function, use the following command.

Command Mode Function

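oam remote alarm optical <1-3> <0-65535> port-number   Bridge   Checks the information of peer host using OAM function.

oam remote alarm temperature <1-3> <0-255> port-number   Bridge   Checks the information of peer host using OAM function.

oam remote alarm voltage {min|max} <0-65535> port-number   Bridge   Checks the information of peer host using OAM function.

oam remote alarm electrical mode {full|half} port-number   Bridge   Checks the information of peer host using OAM function.

oam remote alarm general autoneg <1-4> {enable|disable} port-number   Bridge   Checks the information of peer host using OAM function.

oam remote alarm general forwarding <3-4> {enable|disable} port-number   Bridge   Checks the information of peer host using OAM function.

oam remote alarm general speed <1-4> <0-4294967295> port-number   Bridge   Checks the information of peer host using OAM function.

oam remote alarm general user <1-4> string port-number   Bridge   Checks the information of peer host using OAM function.

oam remote system interface {unforced|forceA|forceB} port-number   Bridge   Checks the information of peer host using OAM function.

oam remote system interval <0-255> port-number   Bridge   Checks the information of peer host using OAM function.

oam remote system mode {master|slave} port-number   Bridge   Checks the information of peer host using OAM function.

oam remote system reset {unforced|forceA|forceB} port-number   Bridge   Checks the information of peer host using OAM function.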


7.2.4 Showing OAM Configuration

To check OAM configuration, use the following command.

Command Mode Function

show oam   Enable/Global/Bridge   Shows OAM configuration.

show oam local [port-number]   Enable/Global/Bridge   Shows Local OAM configuration.

show oam remote [port-number]   Enable/Global/Bridge   Shows Remote OAM configuration.

The following example enables the OAM Loopback function on port 25 of the user’s switch and operates it once.

SWITCH(bridge)# oam local admin enable 25
SWITCH(bridge)# oam remote loopback enable 25
SWITCH(bridge)# show oam local 25
LOCAL PORT[25]
-------------------------------------------
item | value
-------------------------------------------
admin | ENABLE
mode | ACTIVE
mux action | FORWARD
par action | DISCARD
variable | UNSUPPORT
link event | UNSUPPORT
loopback | SUPPORT(disable)
uni-direction | UNSUPPORT(disable)
-------------------------------------------
SWITCH(bridge)# show oam remote 25
REMOTE PORT[25]
-------------------------------------------
item | value
-------------------------------------------
mode | ACTIVE
MAC address | 00:d0:cb:27:00:94
variable | UNSUPPORT
link event | UNSUPPORT
loopback | SUPPORT(enable)
uni-direction | UNSUPPORT
-------------------------------------------
SWITCH(bridge)# oam remote loopback start 25
PORT[25]: The remote DTE loopback is success.
SWITCH(bridge)#


7.3 Configuring LLDP

LLDP (Link Layer Discovery Protocol) is a function for transmitting network management data between the switches connected in a LAN, according to the IEEE 802.1AB standard.

LLDP is described as follows.

7.3.1 How to operate LLDP

A hiD 6610 supporting LLDP transmits management information between neighboring switches. This management information identifies the switches and their functions. The information is then saved in the internal MIB (Management Information Base).

(1) LLDP operation

When LLDP starts to operate, the switches send their information to neighboring switches. If the local status changes, the switch sends the changed information to the neighboring switches to inform them of the change. For example, if the port status is changed to disabled, it informs the neighboring switches that the port is disabled. On the other hand, the switch that receives the information from neighboring switches processes the LLDP frame and saves the information of the other switches. The information received from other switches is subject to ageing.

7.3.2 Configuring LLDP

How to configure LLDP is as follows.

(1) Configuring LLDP

To operate LLDP, LLDP should be enabled first. To enable LLDP, use the following command.

Command Mode Function

lldp enable port-number   Bridge   Enables LLDP on the port.

lldp enable port-number mgmtaddr mgmt-ip-address   Bridge   Enables LLDP on the port and configures the IP assigned to LLDP.


Information

mgmt-ip-address is IP address for transmitting LLDP frame.

To disable LLDP, use the following command.

Command Mode Function

lldp disable port-number   Bridge   Disables LLDP on the port.

lldp disable port-number mgmtaddr ip-address   Bridge   Disables LLDP on the port.

(2) How to operate LLDP

If LLDP is enabled on the port, then you should configure how to operate LLDP.

Information

In hiD 6610, LLDP operation is configured not to process the frames.

To configure how to operate LLDP, use the following command.

Command Mode Function

lldp adminstatus port-number {both|tx_only|rx_only}   Bridge   Configures how to operate LLDP.

Tx-only is to receive LLDP frame and rx-only is to send LLDP frame. Both is to receive and send LLDP

frame. To configure not to process LLDP operation, use the following command.

Command Mode Function

lldp adminstatus port-number disable Bridge Not to process LLDP frame.

(3) Configuring Basic TLV

LLDP is transmitted through TLVs. There are Mandatory TLVs and Optional TLVs. Optional TLVs comprise Basic TLVs and organizationally specific TLVs. Basic TLVs must be in the switch where LLDP is implemented; specific TLVs can be added according to the features of the switch.


In hiD 6610, the administrator can enable and disable Basic TLV by selecting it.

To enable Basic TLV by selecting it, use the following command.

Command Mode Function

lldp enable port-number {portdescription|sysname|sysdescription|syscap}   Bridge   Selects the Basic TLV that is sent in the port.

To disable Basic TLV configured to be sent, use the following command.

Command Mode Function

lldp disable port-number {portdescription|sysname|sysdescription|syscap}   Bridge   Disables the Basic TLV configured to be sent in the port.

(4) Receiving LLDP message

In hiD 6610, it is possible to configure the interval time and times of sending LLDP message. To

configure the interval time and times of LLDP message, use the following command.

Command Mode Function

lldp msg txinterval <5-32768>   Bridge   Configures the interval of sending LLDP message. The unit is second.

lldp msg txhold <2-10>   Bridge   Configures the periodic times of LLDP message.

Information

Default for sending LLDP message is 4 times in every 30 seconds.

(5) Configuring Reinitdelay

In hiD 6610, the administrator can configure the interval time of enabling LLDP frame after

configuring not to process it.


To configure the interval time of enabling LLDP frame after configuring not to process it, use the

following command.

Command Mode Function

lldp reinitdelay <1-10>   Bridge   Configures the interval time of enabling LLDP frame from the time of configuring not to process LLDP frame.

Information

Default for interval time is 2 seconds.

(6) Configuring Delay time of transmitting LLDP frame

In hiD 6610, the administrator can configure the delay time of transmitting LLDP frames. To configure the delay time of transmitting LLDP frames, use the following command.

Command Mode Function

lldp txdelay <1-8192>   Bridge   Configures the delay time of transmitting LLDP frames.

Information

In hiD 6610, Delay time for transmitting LLDP frame is 2 seconds.

(7) Showing LLDP configuration

To show LLDP configuration, use the following command.

Command Mode Function

show lldp config port-number   Enable/Global/Bridge   Shows LLDP configuration.

show lldp remote port-number   Enable/Global/Bridge   Shows statistics for Remote entries.


(8) Showing LLDP statistics

To show LLDP operation and statistics, use the following command.

Command Mode Function

show lldp statistics port-number Enable/Global/Bridge Shows LLDP operation and statistics.

To initialize the accumulated statistics on the port, use the following command.

Command Mode Function

clear lldp statistics port-number Bridge Initializes the accumulated statistics on the port

(9) Showing the statistics of Remote entry

To show the statistics of Remote entry, use the following command.

Command Mode Function

show lldp remote port-number Enable/Global/Bridge Shows the statistics of Remote entry.


7.3.3 Sample Configuration

[ Sample Configuration 1 ]

The following is to enable LLDP on the port 25,26 and show it.

SWITCH(bridge)# lldp enable 25-26
SWITCH(bridge)# show running-config
!
hostname SWITCH
!
exec-timeout 0 0
!
syslog start
syslog output info local volatile
syslog output info local non-volatile
syslog output info console
!
bridge
vlan create 101,201-300
!
vlan fid 201-300 1000
!
vlan add default 7-42 untagged
vlan add br101 1-2,5-6 tagged
vlan add 201-300 1-2,5-6 tagged
!
vlan pvid 1-42 1
!
lldp enable 25-26
!
erp domain 101
erp protections 101 201-300
erp port 101 primary 1 secondary 2
erp activation 101
!
interface noshutdown lo
!
end
SWITCH(bridge)#


[ Sample Configuration 2 ]

The following is to show Statistics of LLDP Remote entries.

SWITCH(bridge)# show lldp remote
Port 25:
MSAP-Identifier: 00 d0 cb 27 00 88 65 74 68 32 35
ChassisType : macAddress(4)
ChassisID : 00 d0 cb 27 00 88
PortType : interfaceAlias(1)
PortID : 'eth25'
PortDescription: 'port25-TX-10/100/1000'
SystemName : 'EL2'
SystemDescript.: 'hiD6610 NOS 3.02/DS-QA-07D-B0'
SysCapabilities: [0x16] repeater(0x02), bridge(0x04), router(0x10),
SysCapEnabled : [0x04] bridge(0x04),
Mgmt: ifType ifId ifAddress |OID

Port 26:
MSAP-Identifier: 00 d0 cb 27 00 8d 65 74 68 32 36
ChassisType : macAddress(4)
ChassisID : 00 d0 cb 27 00 8d
PortType : interfaceAlias(1)
PortID : 'eth26'
PortDescription: 'port26-TX-10/100/1000'
SystemName : 'EL3'
SystemDescript.: 'hiD6610 NOS 3.02/DS-QA-07D-B0'
SysCapabilities: [0x16] repeater(0x02), bridge(0x04), router(0x10),
SysCapEnabled : [0x04] bridge(0x04),
Mgmt: ifType ifId ifAddress |OID

SWITCH(bridge)#
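The neighbour table above can be checked mechanically. The following is an added example, not part of the manual: it parses the show lldp remote output of Sample Configuration 2, confirms that each MSAP identifier is the ChassisID followed by the PortID, decodes the capability bitmaps, and compares the neighbours with an expected inventory. The function names and the EXPECTED inventory are assumptions made for the illustration.

```python
import re

# `show lldp remote` output as printed in Sample Configuration 2 of this manual.
SAMPLE = """\
Port 25:
MSAP-Identifier: 00 d0 cb 27 00 88 65 74 68 32 35
ChassisType : macAddress(4)
ChassisID : 00 d0 cb 27 00 88
PortType : interfaceAlias(1)
PortID : 'eth25'
PortDescription: 'port25-TX-10/100/1000'
SystemName : 'EL2'
SystemDescript.: 'hiD6610 NOS 3.02/DS-QA-07D-B0'
SysCapabilities: [0x16] repeater(0x02), bridge(0x04), router(0x10),
SysCapEnabled : [0x04] bridge(0x04),
Mgmt: ifType ifId ifAddress |OID

Port 26:
MSAP-Identifier: 00 d0 cb 27 00 8d 65 74 68 32 36
ChassisType : macAddress(4)
ChassisID : 00 d0 cb 27 00 8d
PortType : interfaceAlias(1)
PortID : 'eth26'
PortDescription: 'port26-TX-10/100/1000'
SystemName : 'EL3'
SystemDescript.: 'hiD6610 NOS 3.02/DS-QA-07D-B0'
SysCapabilities: [0x16] repeater(0x02), bridge(0x04), router(0x10),
SysCapEnabled : [0x04] bridge(0x04),
Mgmt: ifType ifId ifAddress |OID
"""

# System capability bits defined by IEEE 802.1AB (list index = bit number).
CAP_BITS = ["other", "repeater", "bridge", "wlan-ap", "router",
            "telephone", "docsis", "station-only"]

# Hypothetical inventory of the neighbours the operator expects (constructed).
EXPECTED = {25: ("00:d0:cb:27:00:88", "EL2"), 26: ("00:d0:cb:27:00:8d", "EL3")}


def parse_lldp_remote(text):
    """Return {local_port: {field: value}} from `show lldp remote` output."""
    neighbours, port = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"Port (\d+):", line)
        if m:
            port = int(m.group(1))
            neighbours[port] = {}
        elif port is not None and ":" in line:
            key, _, value = line.partition(":")
            neighbours[port][key.strip().rstrip(".")] = value.strip().strip("'")
    return neighbours


def hex_field(value):
    """Convert space-separated hex octets to bytes."""
    return bytes.fromhex(value.replace(" ", ""))


def decode_caps(field):
    """'[0x16] repeater(0x02), ...' -> names of the bits set in the mask."""
    mask = int(re.match(r"\[(0x[0-9a-fA-F]+)\]", field).group(1), 16)
    return [name for bit, name in enumerate(CAP_BITS) if mask & (1 << bit)]


def audit(neighbours, expected):
    """Compare learned neighbours with the expected inventory; return findings."""
    findings = []
    for port, n in sorted(neighbours.items()):
        chassis = hex_field(n["ChassisID"])
        # The MSAP identifier is the chassis ID followed by the port ID.
        if hex_field(n["MSAP-Identifier"]) != chassis + n["PortID"].encode("ascii"):
            findings.append(f"port {port}: MSAP identifier does not match ChassisID+PortID")
        mac = ":".join(f"{b:02x}" for b in chassis)
        if expected.get(port) != (mac, n["SystemName"]):
            findings.append(f"port {port}: unexpected neighbour {mac} ({n['SystemName']})")
        enabled = set(decode_caps(n["SysCapEnabled"]))
        if not enabled <= set(decode_caps(n["SysCapabilities"])):
            findings.append(f"port {port}: enabled capabilities exceed advertised ones")
    for port in sorted(set(expected) - set(neighbours)):
        findings.append(f"port {port}: expected neighbour missing")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_lldp_remote(SAMPLE), EXPECTED) or ["no findings"]:
        print(finding)
```

LLDP frames are not authenticated, so a mismatch reported here is a prompt to inspect the port, and a match is not proof of the neighbour's identity.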


[ Sample Configuration 3 ]

The following is to show LLDP statistics.

SWITCH(bridge)# show lldp statistics
GLOBL:
RemTabInserts = 4 RemTabAgeouts = 0
RemTabDeletes = 0 RemTabDrops = 0

TX | RX TLV Drop CurrentRem


PORTS Frames | Frames Drop Error Disc Unknown Ageouts Burst Count
1: 0 | 0 0 0 0 0 0 0 0
2: 0 | 0 0 0 0 0 0 0 0
3: 0 | 0 0 0 0 0 0 0 0
4: 0 | 0 0 0 0 0 0 0 0
5: 0 | 0 0 0 0 0 0 0 0
6: 0 | 0 0 0 0 0 0 0 0
7: 0 | 0 0 0 0 0 0 0 0
8: 0 | 0 0 0 0 0 0 0 0
9: 0 | 0 0 0 0 0 0 0 0
10: 0 | 0 0 0 0 0 0 0 0
11: 0 | 0 0 0 0 0 0 0 0
12: 0 | 0 0 0 0 0 0 0 0
13: 0 | 0 0 0 0 0 0 0 0
14: 0 | 0 0 0 0 0 0 0 0
15: 0 | 0 0 0 0 0 0 0 0
16: 0 | 0 0 0 0 0 0 0 0
17: 0 | 0 0 0 0 0 0 0 0
18: 0 | 0 0 0 0 0 0 0 0
19: 0 | 0 0 0 0 0 0 0 0
20: 0 | 0 0 0 0 0 0 0 0
21: 0 | 0 0 0 0 0 0 0 0
22: 0 | 0 0 0 0 0 0 0 0
23: 0 | 0 0 0 0 0 0 0 0
24: 0 | 0 0 0 0 0 0 0 0
25: 4 | 4 0 0 0 0 0 0 1
26: 6 | 7 0 0 0 0 0 0 1
27: 0 | 0 0 0 0 0 0 0 0
28: 0 | 0 0 0 0 0 0 0 0
SWITCH(bridge)#


[ Sample Configuration 4 ]

The following is to initialize the statistics.

SWITCH(bridge)# clear lldp statistics
SWITCH(bridge)# show lldp statistics
GLOBL:
RemTabInserts = 4 RemTabAgeouts = 0
RemTabDeletes = 0 RemTabDrops = 0

TX | RX TLV Drop CurrentRem


PORTS Frames | Frames Drop Error Disc Unknown Ageouts Burst Count
1: 0 | 0 0 0 0 0 0 0 0
2: 0 | 0 0 0 0 0 0 0 0
3: 0 | 0 0 0 0 0 0 0 0
4: 0 | 0 0 0 0 0 0 0 0
5: 0 | 0 0 0 0 0 0 0 0
6: 0 | 0 0 0 0 0 0 0 0
7: 0 | 0 0 0 0 0 0 0 0
8: 0 | 0 0 0 0 0 0 0 0
9: 0 | 0 0 0 0 0 0 0 0
10: 0 | 0 0 0 0 0 0 0 0
11: 0 | 0 0 0 0 0 0 0 0
12: 0 | 0 0 0 0 0 0 0 0
13: 0 | 0 0 0 0 0 0 0 0
14: 0 | 0 0 0 0 0 0 0 0
15: 0 | 0 0 0 0 0 0 0 0
16: 0 | 0 0 0 0 0 0 0 0
17: 0 | 0 0 0 0 0 0 0 0
18: 0 | 0 0 0 0 0 0 0 0
19: 0 | 0 0 0 0 0 0 0 0
20: 0 | 0 0 0 0 0 0 0 0
21: 0 | 0 0 0 0 0 0 0 0
22: 0 | 0 0 0 0 0 0 0 0
23: 0 | 0 0 0 0 0 0 0 0
24: 0 | 0 0 0 0 0 0 0 0
25: 0 | 0 0 0 0 0 0 0 0
26: 0 | 0 0 0 0 0 0 0 0
27: 0 | 0 0 0 0 0 0 0 0
28: 0 | 0 0 0 0 0 0 0 0
SWITCH(bridge)#


7.4 RMON

RMON (Remote Monitoring) is a function to monitor, from a remote place, the communication status of devices connected to Ethernet. While SNMP can give information only about the device on which the SNMP agent is mounted, RMON gives information about overall segments including devices. Thus, the user can manage the network more effectively. For instance, with SNMP it is possible to be informed of the traffic on certain ports, but through RMON you can monitor the traffic occurring in the overall network, the traffic of each host connected to a segment and the current status of traffic between hosts.

Since RMON processes a large amount of data, its processor share is very high. Therefore, the administrator should take care to prevent performance degradation and not to overload network transmission because of RMON. There are nine RMON MIB groups defined in RFC 1757: Statistics, History, Alarm, Host, Host Top N, Matrix, Filter, Packet Capture and Event. SURPASS hiD 6610 supports the three most basic of these MIB groups: History, Alarm and Event.

7.4.1 Configuring RMON History

RMON History is a periodic sampling of statistical data about the traffic occurring on each Ethernet port. Statistical data of all ports are pre-configured to be monitored at 30-minute interval, and 50 statistical data are stored for one port. It also allows you to configure the time interval at which samples are taken and the number of samples you want to save.

The following is an example of viewing the default configuration of History.

SWITCH(config)# show running-config
(omitted)
!
rmon-history 1
owner monitor
data-source ifIndex.n1/port1
interval 30
requested-buckets 50
!
(omitted)
SWITCH(config)#


You need to enter History configuration mode first to configure RMON History. To enter History configuration mode, use the following command. After entering History configuration mode, the system prompt changes from SWITCH(config)# to SWITCH(config-rmonhistory[n])#. The variable “n” is the number configured to distinguish each History.

Command Mode Function

rmon-history <1-65534>   Global   Configures a number to distinguish RMON History. It can be configured from 1 to 65,534.

The following is an example of entering into History Configuration mode to configure History 5.

SWITCH(config)# rmon-history 5
SWITCH(config-rmonhistory[5])#

Input a question mark(?) at the system prompt on History configuration mode if you want to list available

commands.

The following is an example of listing available commands on History configuration mode.

SWITCH(config-rmonhistory[1])# ?
RMON history configuration commands:
active Activate the history
data-source Set data source name for the ethernet port
do To run exec commands in config mode
exit End current mode and down to previous mode
help Description of the interactive help system
interval Define the time interval for the history
owner Assign the owner who define and is using the history resources
requested-buckets Define the bucket count for the interval
show Show running system information

SWITCH(config-rmonhistory[1])#

Information

The question mark(?) you enter will not be seen. Right after entering the question mark, the commands

will be displayed.


To return into configuration mode, or to enter into Privilege Exec Enable Mode, use the following

commands.

Command Mode Function

exit   RMON   Returns to Global Configuration Mode.

end   RMON   Goes back right to Privilege Exec Enable Mode.

The following are examples of returning to Global Configuration Mode and going back to Privilege Exec Enable Mode from RMON-History Configuration Mode.

SWITCH(config-rmonhistory[5])# exit
SWITCH(config)#

SWITCH(config-rmonhistory[5])# end
SWITCH#

(1) Assigning Source Port of Statistical Data

When you configure RMON History, you have to assign the source port of statistical data. To sample statistical data from a certain port, assign the port by using the following command.

Command Mode Function

data-source data-object-id   RMON   Assigns a source port of statistical data. The variable object should be formed as “ifIndex.number”.

The following is an example of assigning port 1 as source port.

SWITCH(config-rmonhistory[5])# data-source ifindex.br1
SWITCH(config-rmonhistory[5])#

(2) Identifying Subject of RMON History

User can configure RMON History and identify subject using many kinds of data from History.


To identify subject using History, use the following command.

Command Mode Function

owner name RMON Configures History and identifies subject using related data.

The following is an example of configuring subject of History as “Siemens”.

SWITCH(config-rmonhistory[5])# owner siemens
SWITCH(config-rmonhistory[5])#

Information

When you configure subject of RMON History, it is possible to input maximum 32 letters. If you input

more than 32 letters, the error message, “%Too long owner name” will be displayed.

(3) Configuring Number of Sample Data

User can configure the number of sample data in RMON History.

To do that, use the following command.

Command Mode Function

requested-buckets count RMON Configures the number of sample data.

The following is an example of configuring the number of sample data as 25 in History.

SWITCH(config-rmonhistory[5])# requested-buckets 25
SWITCH(config-rmonhistory[5])#

Information

You can configure the number of sample data 1-100.

(4) Configuring Interval of Sample Inquiry

User can configure the interval of sample inquiry in terms of second.


To do it, use the following command.

Command Mode Function

interval time RMON Configures the interval of sample inquiry. The default setting is 30 seconds.

The following is an example of configuring the interval of sample inquiry as 60 seconds.

SWITCH(config-rmonhistory[5])# interval 60
SWITCH(config-rmonhistory[5])#

Information

You can configure the interval of sample inquiry as maximum 3,600 seconds.

(5) Activating RMON History

After finishing all configurations, you need to activate RMON History. To activate RMON History, use the

following command.

Command Mode Function

active RMON Activates RMON History.

The following is an example of activating RMON History and viewing the configuration

SWITCH(config-rmonhistory[5])# active
SWITCH(config-rmonhistory[5])# show running-config
Building configuration...
(Omitted)
rmon-history 5
owner test
data-source ifindex.hdlc1
interval 60
requested-buckets 25
active

(Omitted)
SWITCH(config-rmonhistory[5])#


Information

Before activating RMON History, check if user’s configuration is correct. After RMON History is

activated, you cannot change its configuration. If you need to change configuration, you have to delete

RMON History and configure it again.

(6) Deleting and Changing Configuration of RMON History

When you need to change configuration of RMON History, you should delete RMON History of the

number and change the configuration again.

To delete RMON History, use the following command.

Command Mode Function

no rmon-history number Global Deletes RMON History of specified number.

The following is an example of deleting RMON History 5.

SWITCH(config)# no rmon-history 5
SWITCH(config)#

7.4.2 Configuring RMON Alarm

RMON Alarm examines sample data at the interval the user configured and raises an alarm when the data is not within the configured threshold.

There are two ways to compare with the threshold: Absolute comparison and Delta comparison.

■ Absolute Comparison : The sample data is compared with the threshold at the configured interval; if the data is more than the threshold or less than the threshold, an alarm occurs.

■ Delta Comparison : The difference between the current data and the previously sampled data is compared with the threshold; if the difference is more than the threshold or less than the threshold, an alarm occurs.
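The two comparison methods can be tried on sample readings. The following is an added example, not code from the manual or the switch: the function name, its parameters and the readings are constructed, and the rule that a rising event is not repeated until a falling event has occurred follows the alarm group definition in RFC 1757 and is assumed to apply to this switch.

```python
# Constructed readings: a cumulative octet counter and a CPU-load gauge,
# one value per sampling interval.
OCTET_COUNTER = [1000, 1500, 2100, 9000, 9400, 9700, 17000, 17200]
CPU_LOAD = [40, 85, 78, 83, 79, 86, 30, 90]


def rmon_alarm_events(readings, rising, falling,
                      sample_type="absolute", counter_bits=None):
    """Return [(sample_index, "rising" | "falling", compared_value), ...].

    sample_type "absolute" compares each reading with the thresholds;
    "delta" compares the difference from the previous reading.
    counter_bits (e.g. 32) makes the delta wrap-safe for SNMP counters.
    """
    if falling > rising:
        raise ValueError("falling threshold must not exceed rising threshold")
    if sample_type not in ("absolute", "delta"):
        raise ValueError("sample_type must be 'absolute' or 'delta'")
    events, last_event, previous = [], None, None
    for index, reading in enumerate(readings):
        if sample_type == "delta":
            if previous is None:          # first reading only primes the delta
                previous = reading
                continue
            value = reading - previous
            if counter_bits is not None:  # counter rolled over its maximum
                value %= 1 << counter_bits
            previous = reading
        else:
            value = reading
        # Hysteresis: after a rising event no further rising event is raised
        # until a falling event has occurred, and vice versa.
        if value >= rising and last_event != "rising":
            last_event = "rising"
            events.append((index, last_event, value))
        elif value <= falling and last_event != "falling":
            last_event = "falling"
            events.append((index, last_event, value))
    return events


if __name__ == "__main__":
    # Absolute comparison on a counter fires once and then stays silent,
    # because the counter never falls back below the thresholds.
    print(rmon_alarm_events(OCTET_COUNTER, rising=5000, falling=1000))
    # Delta comparison on the same counter reports both traffic bursts.
    print(rmon_alarm_events(OCTET_COUNTER, 5000, 1000, sample_type="delta"))
    # A gauge hovering around the rising threshold raises a single alarm.
    print(rmon_alarm_events(CPU_LOAD, rising=80, falling=50))
```

For monitoring a counter such as interface octets, delta comparison is the one that reports repeated bursts; absolute comparison suits gauges such as load or temperature.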

You need to enter into RMON Alarm configuration mode first to configure RMON Alarm.


To enter RMON Alarm configuration mode, use the following command. After entering RMON Alarm configuration mode, the system prompt changes from SWITCH(config)# to SWITCH(config-rmonalarm[n])#. The variable “n” is the number configured to distinguish each RMON Alarm.

Command Mode Function

rmon-alarm <1-65534> Global Enters into RMON Alarm configuration mode.

The following is an example of entering into Alarm configuration mode to configure RMON Alarm 1.

SWITCH(config)# rmon-alarm 1
SWITCH(config-rmonalarm[1])#

To list the available commands, input a question mark(?) at the system prompt in Alarm configuration mode.

The following is an example of listing available commands on Alarm configuration mode.

SWITCH(config-rmonalarm[1])# ?
RMON alarm configuration commands:
active Activate the event
do To run exec commands in config mode
exit End current mode and down to previous mode
falling-event Associate the falling threshold with an existing RMON event
falling-threshold Define the falling threshold
help Description of the interactive help system
owner Assign the owner who define and is using the history resources
rising-event Associate the rising threshold with an existing RMON event
rising-threshold Define the rising threshold
sample-interval Specify the sampling interval for RMON alarm
sample-type Define the sampling type
sample-variable Define the MIB Object for sample variable
show Show running system information
startup-type Define startup alarm type

SWITCH(config-rmonalarm[1])#

Information

The question mark(?) you enter will not be seen. Right after entering the question mark, the commands will be displayed.

To return to configuration mode, or to enter into Privilege Exec Enable Mode, use the following commands.

Command Mode Function

exit RMON Returns to Configuration mode.

end RMON Goes back right to Privilege Exec Enable Mode.

The following are examples of returning to Configuration mode and going back to Privilege Exec Enable Mode from Alarm configuration mode.

SWITCH(config-rmonalarm[1])# exit
SWITCH(config)#

SWITCH(config-rmonalarm[1])# end
SWITCH#

(1) Identifying Subject of RMON Alarm

User needs to configure RMON Alarm and identify subject using many kinds of data from Alarm. To identify subject using Alarm, use the following command.

Command Mode Function

owner name RMON Configures RMON Alarm and identifies subject using many kinds of data from Alarm.

The following is an example of configuring subject of Alarm as “Test”.

SWITCH(config-rmonalarm[1])# owner test


SWITCH(config-rmonalarm[1])#

Information

When you identify subject of RMON Alarm, you can input a maximum of 32 letters. If you input more than 32 letters, the error message “%Too long owner name” will be displayed.

(2) Configuring Object of Sample Inquiry

The user needs an object value for sample inquiry to provide RMON Alarm. The following are the rules for the object used for sample inquiry.

― svcExt.mib prescribes object used as sample.

― CntExt.mib prescribes notation of object value.

To assign object used for sample inquiry, use the following command.

Command Mode Function

sample-variable mib-object RMON Assigns MIB object used for sample inquiry.

The following is an example of configuring MIB object apSvcConnections used for sample inquiry.

SWITCH(config-rmonalarm[1])# sample-variable apSvcConnections


SWITCH(config-rmonalarm[1])#

(3) Configuring Absolute Comparison and Delta Comparison.

When configuring RMON Alarm, you can select how to compare the MIB object used for sample inquiry. Absolute comparison directly compares the object selected as sample with the threshold. For instance, when you want to know the point of 30,000 times of sample inquiry, if you configure apSvcConnections as 30,000, it is for Absolute comparison.

To compare object selected as sample with the threshold, use the following command.

Command Mode Function

sample-type absolute RMON Compares object with the threshold directly.

Delta comparison compares the difference between the current data and the latest data with the threshold. For instance, in order to know the point of variable notation rule 100,000 more than the former rule, configure apCntHits as Delta comparison.

To configure Delta comparison, use the following command.

Command Mode Function

sample-type delta RMON Compares difference between current data and the latest data with the threshold.

(4) Configuring Upper Bound of Threshold

If you need an Alarm to occur when the object used for sample inquiry is more than the upper bound of threshold, you have to configure the upper bound of threshold.

To configure upper bound of threshold, use the following command.

Command Mode Function

rising-threshold number RMON Configures upper bound of threshold.

The following is an example of configuring upper bound of threshold as 100.

SWITCH(config-rmonalarm[1])# rising-threshold 100


SWITCH(config-rmonalarm[1])#

Information

You can configure the upper bound of threshold up to a maximum of 2,147,483,647. If you configure it as 0, then there will not be Alarm.

After configuring the upper bound of threshold, configure an RMON Event to occur when the object is more than the configured threshold. Use the following command.

Command Mode Function

rising-event <0-65535> RMON Configures to occur RMON Event when object is more than configured threshold.

The following is an example of configuring RMON Event 1 to occur when the object is more than the configured threshold.

SWITCH(config-rmonalarm[1])# rising-event 1
SWITCH(config-rmonalarm[1])#

Information

If you configure the upper bound of threshold as 0, there will not be Event.

(5) Configuring Lower Bound of Threshold

If you need an Alarm to occur when the object used for sample inquiry is less than the lower bound of threshold, you should configure the lower bound of threshold. To configure the lower bound of threshold, use the following command.

Command Mode Function

falling-threshold number RMON Configures lower bound of threshold.

The following is an example of configuring lower bound of threshold as 90.

SWITCH(config-rmonalarm[1])# falling-threshold 90
SWITCH(config-rmonalarm[1])#

Information

You can configure the lower bound of threshold up to a maximum of 2,147,483,647. If you configure it as 0, there will not be Alarm.

After configuring the lower bound of threshold, configure an RMON Event to occur when the object is less than the configured threshold. Use the following command.

Command Mode Function

falling-event <0-65535> RMON Configures to occur RMON Alarm when object is less than configured threshold.

The following is an example of configuring an RMON Event to occur when the object is less than the configured threshold.

SWITCH(config-rmonalarm[1])# falling-event 2
SWITCH(config-rmonalarm[1])#

Information

If you configure lower bound of threshold as 0, there will not be Event.

(6) Configuring Standard of the First Alarm

Users can configure the standard for when an Alarm first occurs. The user can select the first point when the object is more than the threshold, the first point when the object is less than the threshold, or the first point when the object is either more than the threshold or less than the threshold. To configure the first RMON Alarm to occur when the object is first less than the lower bound of threshold, use the following command.

Command Mode Function

startup-type falling RMON Configures the first RMON Alarm to occur when object is less than lower bound of threshold first.

To configure the first Alarm to occur when the object is first more than the upper bound of threshold, use the following command.

Command Mode Function

startup-type rising RMON Configures the first Alarm to occur when object is firstly more than upper bound of threshold.

To configure the first Alarm to occur when the object is first more than the threshold or less than the threshold, use the following command.

Command Mode Function

startup-type rising-and-falling RMON Configures the first Alarm to occur when object is firstly more than threshold or less than threshold.

(7) Configuring Interval of Sample Inquiry

The interval of sample inquiry is the time interval, in seconds, at which the selected sample data is compared with the upper bound or lower bound of threshold. To configure the interval of sample inquiry for RMON Alarm, use the following command.

Command Mode Function

sample-interval <0-65535> RMON Configures interval of sample inquiry.

The following is an example of configuring interval of sample inquiry as 60 seconds.

SWITCH(config-rmonalarm[1])# sample-interval 60
SWITCH(config-rmonalarm[1])#

(8) Activating RMON Alarm

After finishing all configurations, you need to activate RMON Alarm. To activate RMON Alarm, use the

following command.

Command Mode Function

active RMON Activates RMON Alarm.

The following is an example of activating RMON Alarm and viewing the configuration.

SWITCH(config-rmonalarm[1])# active
SWITCH(config-rmonalarm[1])# show running-config
Building configuration...
(Omitted)
rmon-alarm 1
owner test
sample-variable apSvcConnections
sample-type absolute
startup-type rising
rising-threshold 100
falling-threshold 90
rising-event 1
falling-event 2
sample-interval 60
active
(Omitted)
SWITCH(config-rmonalarm[1])#

Information

You should make sure that all configurations are correct before activating RMON Alarm. After activating RMON Alarm, you cannot change configuration. If you need to change configuration, you have to delete RMON Alarm and configure it again.

(9) Deleting RMON Alarm and Changing Configuration

To change the configuration of RMON Alarm, delete the RMON Alarm of that number and configure it again. To delete RMON Alarm, use the following command.

Command Mode Function

no rmon-alarm number<1-65534> Global Deletes RMON Alarm of specified number.

The following is an example of deleting RMON Alarm 1.

SWITCH(config)# no rmon-alarm 1
SWITCH(config)#
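
The threshold logic configured in steps (3) to (6), modeled in Python as an added example (it is not code from the manual or from the switch). It assumes the standard RMON alarm behaviour of RFC 2819: comparisons are >= and <=, and after a rising alarm no further rising alarm fires until the falling threshold has been crossed. The class and function names and the sample readings are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Event = Tuple[str, int]  # (direction, RMON event index)


@dataclass
class RmonAlarm:
    """One rmon-alarm entry; field names mirror the CLI keywords."""
    sample_type: str          # "absolute" or "delta"
    rising_threshold: int
    falling_threshold: int
    rising_event: int
    falling_event: int
    startup_type: str = "rising-and-falling"  # or "rising" / "falling"
    _prev_raw: Optional[int] = field(default=None, init=False, repr=False)
    _seen_first: bool = field(default=False, init=False, repr=False)
    _rising_armed: bool = field(default=True, init=False, repr=False)
    _falling_armed: bool = field(default=True, init=False, repr=False)

    def _value(self, raw: int) -> Optional[int]:
        """Return the number that is compared with the thresholds."""
        if self.sample_type == "absolute":
            return raw
        prev, self._prev_raw = self._prev_raw, raw
        return None if prev is None else raw - prev  # delta needs two readings

    def sample(self, raw: int) -> Optional[Event]:
        """Feed one reading taken at sample-interval; return the event fired."""
        value = self._value(raw)
        if value is None:
            return None
        first, self._seen_first = not self._seen_first, True
        fired = None
        if value >= self.rising_threshold:
            # startup-type only gates the very first valid sample.
            if self._rising_armed and not (first and self.startup_type == "falling"):
                fired = ("rising", self.rising_event)
            # Hysteresis: rising is disarmed until the falling threshold is hit.
            self._rising_armed, self._falling_armed = False, True
        elif value <= self.falling_threshold:
            if self._falling_armed and not (first and self.startup_type == "rising"):
                fired = ("falling", self.falling_event)
            self._falling_armed, self._rising_armed = False, True
        return fired


def run(alarm: RmonAlarm, readings: List[int]) -> List[Tuple[int, Event]]:
    """Return (sample index, event) for every reading that fired an event."""
    out = []
    for i, raw in enumerate(readings):
        ev = alarm.sample(raw)
        if ev:
            out.append((i, ev))
    return out


def manual_alarm() -> RmonAlarm:
    """The rmon-alarm 1 entry from the show running-config output above."""
    return RmonAlarm("absolute", 100, 90, rising_event=1, falling_event=2,
                     startup_type="rising")


if __name__ == "__main__":
    # Constructed apSvcConnections readings, one per 60-second interval.
    print(run(manual_alarm(), [95, 101, 120, 99, 104, 90, 85, 100]))
    # Constructed counter readings for a delta alarm (thresholds 100 / 20).
    delta = RmonAlarm("delta", 100, 20, rising_event=1, falling_event=2)
    print(run(delta, [1000, 1050, 1200, 1210, 1400]))
```

With rising-threshold 100 and falling-threshold 90, the readings 120 and 104 do not raise a second rising event, because the value has not yet dropped to 90 in between.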

7.4.3 Configuring RMON Event

RMON Event identifies all operations such as RMON Alarm in switch. User can configure Event message or Trap message to be sent to SNMP management server when sending RMON Alarm. You need to enter into Event configuration mode to configure RMON Event. When you enter into Event configuration mode by using the following command, the system prompt is changed from SWITCH(config)# to SWITCH(config-rmonevent[n])#. The variable “n” is a number to distinguish each different Event.

Command Mode Function

rmon-event <1~65534> Global Enters into RMON Event configuration mode.

The following is an example of entering into Event configuration mode to configure Rmon Event 1.

SWITCH(config)# rmon-event 1
SWITCH(config-rmonevent[1])#

To list available commands for RMON Event, input the question mark(?) at the system prompt on Event

configuration mode.

The following is an example of listing available commands on Event configuration mode.

SWITCH(config-rmonevent[1])# ?
RMON event configuration commands:
active Activate the event
community Define a community to an unactivated event
description Define description of RMON event
do To run exec commands in config mode
exit End current mode and down to previous mode
help Description of the interactive help system
owner Assign the owner who define and is using the history resources
show Show running system information
type Define the event type determines where send the event notification

SWITCH(config-rmonevent[1])#

Note

The question mark(?) you enter will not be seen. Right after entering the question mark, the commands will be displayed.

To return to configuration mode, or to enter into Privilege Exec Enable Mode, use the following commands.

Command Mode Function

exit RMON Returns to Global Configuration Mode.

end RMON Goes back right to Privilege Exec Enable Mode.

The following are examples of returning to configuration mode and going back to Privilege Exec Enable Mode from Event configuration mode.

SWITCH(config-rmonevent[1])# exit
SWITCH(config)#
SWITCH(config-rmonevent[1])# end
SWITCH#

(1) Configuring Event Community

When an RMON Event occurs, you need to input a community to transmit the SNMP trap message to the host. Community means a password that gives the right to transmit messages.

To configure community for trap message transmission, use the following command.

Command Mode Function

community password RMON Configures password for trap message transmission right.

The following is an example of configuring community of RMON Event as “password”.

SWITCH(config-rmonevent[1])# community password


SWITCH(config-rmonevent[1])#

(2) Event Description

It is possible to describe an Event briefly when the Event occurs. However, the description is not made automatically, so the administrator should write it. To make a description of an Event, use the following command.

Command Mode Function

description description RMON Describes Event.

The following is an example of describing Event.

SWITCH(config-rmonevent[1])# description This event ..


SWITCH(config-rmonevent[1])#

Information

The maximum description of Event is 126 characters.

(3) Identifying Subject of Event

User should configure Event and identify subject using various data from Event. To identify subject of Event, use the following command.

Command Mode Function

owner name RMON Identifies subject of Event. You can use maximum 126 characters and this subject should be same with the subject of Alarm.

The following is an example of identifying subject of Event as “test”.

SWITCH(config-rmonevent[1])# owner test


SWITCH(config-rmonevent[1])#

Information

When you identify subject of RMON Event, you can input a maximum of 32 letters. If you input more than 32 letters, the error message “%Too long owner name” will be displayed.

(4) Configuring Event Type

When an RMON Event occurs, you need to configure the Event type to determine where the Event is sent.

To configure Event type, use the following commands.

Command Mode Function

type log RMON Configures Event type as log type. Event of log type is sent to the place where the log file is made.

type trap RMON Configures Event type as trap type. Event of trap type is sent to SNMP administrator and PC.

type log-and-trap RMON Configures Event type as both log type and trap type.

(5) Activating Event

After finishing all configurations, you should activate RMON Event. To activate RMON Event, use the

following command.

Command Mode Function

active RMON Activates Event.

The following is an example of activating RMON Event and viewing the above configuration.

SWITCH(config-rmonevent[1])# active
SWITCH(config-rmonevent[1])# show running-config
Building configuration...
(omitted)
!
rmon-event 1
owner test
community password
description This event ...
type log-and-trap
active

(omitted)
SWITCH(config-rmonevent[1])#

Information

You should make sure that all configurations are correct before activating RMON Event. After activating RMON Event, you cannot change configuration. If you need to change configuration, you have to delete RMON Event and configure it again.

(6) Deleting RMON Event and Changing Configuration

Before changing the configuration of RMON Event, you should delete the RMON Event of that number and configure it again.

To delete RMON Event, use the following command.

Command Mode Function

no rmon-event number Global Deletes RMON Event of specified number.

The following is an example of deleting RMON Event 1.

SWITCH(config)# no rmon-event 1
SWITCH(config)#

7.5 Syslog

The function of syslog message is to inform the network manager of troubles that occurred in the user’s switch. By default, system logger is activated in SURPASS hiD 6610. Therefore, even if you delete this function, it will be activated again.

Information

By default, system logger is activated in SURPASS hiD 6610.

This section contains the following functions.

□ Configuring Level of Syslog Message

□ Configuring Syslog Message Priority

□ Configuring Local-code

□ Disabling Syslog

□ Checking Syslog Configuration

□ Designating IP Address of Syslog Message

□ Checking Debug message from remote


□ Configuring Threshold of CPU Utilization

□ Configuring Threshold of Port Traffic

□ Configuration Threshold of Temperature

7.5.1 Configuring Level of Syslog Message

In hiD 6610, Syslog message is transmitted with Level and Priority. To mark the level for all Syslog messages regardless of Priority, use the following command. Here, it is also possible to configure the destination of syslog message.

To configure level of syslog message and place to transmit, use the following commands.

Command Mode Function

syslog output {emerg|alert|crit|err|warning|notice|info|debug} console Global Transmits syslog message of configured level to console.

syslog output {emerg|alert|crit|err|warning|notice|info|debug} local {volatile|non-volatile} Global Transmits syslog message of configured level to inside of system.

syslog output {emerg|alert|crit|err|warning|notice|info|debug} remote ip-address Global Transmits syslog message of configured level to remote host.

There are seven levels of syslog message according to importance: emergency, alert, critical, error, warning, notice, info. Emergency is the highest level and info is the lowest level in importance. The user can configure the level of syslog, but cannot receive messages of lower levels than the configured level. That means, in order to receive all messages, the user has to configure the level as info. When the user configures the syslog level as error, the user can receive messages of higher level than error.

If you want to receive syslog message through console on user’s PC, enter console; if you want to receive it within the system, enter local; and if you want to receive it on a remote host, enter remote.

To release configuration of syslog message, use the following commands.

Command Mode Function

no syslog output {emerg|alert|crit|err|warning|notice|info|debug} console Global Releases syslog level and place to transmit configured by user.

no syslog output {emerg|alert|crit|err|warning|notice|info|debug} local {volatile|non-volatile} Global Releases syslog level and place to transmit configured by user.

no syslog output {emerg|alert|crit|err|warning|notice|info|debug} remote ip-address Global Releases syslog level and place to transmit configured by user.

7.5.2 Configuring Syslog Message Priority

In hiD 6610, it is possible to configure the Priority for Syslog Message. It is possible to transmit specific syslog message that is selected by user. Here, Level and the destination should be configured at once.

Command Mode Function

syslog output priority {auth|authpriv|cron|deamon|kern|lpr|mail|news|syslog|user|uucp} {emerg|alert|crit|err|warning|notice|info|debug} console Global Transmits specific message of configured priority and level to console.

syslog output priority {auth|authpriv|cron|deamon|kern|lpr|mail|news|syslog|user|uucp} {emerg|alert|crit|err|warning|notice|info|debug} local {volatile|non-volatile} Global Transmits specific message of configured priority and level to within the system.

syslog output priority {auth|authpriv|cron|deamon|kern|lpr|mail|news|syslog|user|uucp} {emerg|alert|crit|err|warning|notice|info|debug} remote ip-address Global Transmits specific message of configured priority and level to remote host.

You can choose auth, authpriv, cron, deamon, kern, lpr, mail, news, syslog, user, uucp as the priority in hiD 6610. As the priority, you can also configure from local0 to local7. This is used to sort out Syslog message of each host when Syslog server receives Syslog message from many hosts. To transmit Syslog message by configuring Priority, use the following command.

Command Mode Function

syslog output priority {local0|local1|local2|local3|local4|local5|local6|local7} {emerg|alert|crit|err|warning|notice|info|debug} console Global Transmit Syslog message by configuring the Priority.

syslog output priority {local0|local1|local2|local3|local4|local5|local6|local7} {emerg|alert|crit|err|warning|notice|info|debug} local {volatile|non-volatile} Global Transmit Syslog message by configuring the Priority.

syslog output priority {local0|local1|local2|local3|local4|local5|local6|local7} {emerg|alert|crit|err|warning|notice|info|debug} remote ip-address Global Transmit Syslog message by configuring the Priority.

7.5.3 Configuring Local-code

In hiD 6610, it is possible to transmit all syslog messages to remote by changing the priority. As the priority of syslog message that is transmitted to remote, Local-code can be configured from local0 to local7.

To configure Local-code, use the following command.

Command Mode Function

syslog local-code <0-7> Global Changes the Priority of all syslog into local-code.

Note

The above command is applicable only to Syslog messages that are transmitted to remote. You don’t have to use the command if there’s no configuration for syslog messages to remote.

[ Sample Configuration 1 ]

The following is an example of configuring syslog message to send all logs higher than notice to external host 10.1.1.1 and configuring local1.info to transmit to console.

SWITCH(config)# syslog output notice remote 10.1.1.1


SWITCH(config)# syslog output priority local1 info console
SWITCH(config)# show syslog
System logger on running!

info local volatile


info local non-volatile
notice remote 10.1.1.1
local1.info console
SWITCH(config)#

[ Sample Configuration 2 ]

The following is to configure the Priority of all Syslog messages that are transmitted to remote as local0.

SWITCH(config)# syslog output err remote 10.1.1.1


SWITCH(config)# syslog local-code 0
SWITCH(config)# show syslog
System logger on running!

info local volatile


info local non-volatile
err remote 10.1.1.1
local_code 0
SWITCH(config)#
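
How the rules shown by show syslog in Sample Configuration 1 and the local-code setting of Sample Configuration 2 decide where a message ends up, as an added Python example (not code from the manual or the switch). It assumes a facility-qualified rule such as local1.info also means "this level and more important", takes the numeric facility and severity codes and the PRI formula (facility * 8 + severity) from the BSD syslog convention of RFC 3164, and uses function names constructed for illustration.

```python
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
# Facility codes per RFC 3164. The manual calls the facility "priority"
# and spells the daemon keyword "deamon".
FACILITY = {"kern": 0, "user": 1, "mail": 2, "deamon": 3, "auth": 4,
            "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
            "authpriv": 10}
FACILITY.update({f"local{n}": 16 + n for n in range(8)})

# Rule lines of the `show syslog` output in Sample Configuration 1.
SAMPLE_1 = """\
System logger on running!
info local volatile
info local non-volatile
notice remote 10.1.1.1
local1.info console
"""


def parse_rules(show_syslog):
    """Parse `show syslog` rule lines into (facility, level, destination)."""
    rules = []
    for line in show_syslog.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        facility, _, level = parts[0].rpartition(".")
        if level not in SEVERITY:
            continue  # banner, local_code line or prompt
        if facility and facility not in FACILITY:
            continue
        rules.append((facility or None, level, " ".join(parts[1:])))
    return rules


def destinations(rules, facility, level):
    """Destinations that receive a message of this facility and level."""
    sev = SEVERITY[level]
    return [dest for fac, lvl, dest in rules
            if sev <= SEVERITY[lvl] and fac in (None, facility)]


def unforwarded_levels(rules, facility):
    """Levels of this facility that never reach a remote host."""
    return [lvl for lvl in SEVERITY
            if not any(d.startswith("remote")
                       for d in destinations(rules, facility, lvl))]


def remote_pri(facility, level, local_code=None):
    """PRI value sent to the remote host; local-code replaces the facility."""
    fac = FACILITY[facility] if local_code is None else 16 + local_code
    return fac * 8 + SEVERITY[level]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_1)
    print(destinations(rules, "auth", "warning"))
    print(destinations(rules, "local1", "info"))
    print(unforwarded_levels(rules, "auth"))
    print(remote_pri("auth", "warning"), remote_pri("auth", "warning", 0))
```

Under Sample Configuration 1, info and debug messages stay on the switch, so a collector at 10.1.1.1 never sees them unless the remote level is lowered.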

7.5.4 Disabling Syslog

To disable Syslog, use the following command.

Command Mode Function

no syslog Global Disables Syslog.

To recover syslog after deleting it by “no syslog”, use the following command. Since syslog logger is activated when booting, this command is not necessary when syslog is activated.

Command Mode Function

syslog start Global Restart the syslog logger.

7.5.5 Showing Syslog configuration

To show the configuration of the syslog message, use the following “show” commands. Note that the configuration of the syslog cannot be shown by using the “show running-config” command.

Command Mode Function

show syslog Enable/Global Show the configuration of the syslog.

show syslog local {volatile|non-volatile} Enable/Global Show the syslog message.

show syslog local {volatile|non-volatile} number Enable/Global Show the newest messages, as many as the number entered. For example, if you enter “2”, the two newest messages are shown.

show syslog {volatile|non-volatile} information Enable/Global Show the syslog status.

Information

It is impossible to view syslog configuration with the command, “show running-config”.

The following shows a configuration in which Emergency messages are output to the console, and messages of Info level and higher are saved in the volatile file.

SWITCH(config)# show syslog


System logger on running!

info local volatile


emerg console
SWITCH(config)#

If you need to delete the log messages that are saved in the syslog file, use the following command.

Command Mode Function

clear syslog local {volatile|non-volatile} Global Deletes the log messages in the Syslog file.

7.5.6 Designating IP Address of Syslog Message

The user can designate which IP address is assigned to syslog messages forwarded remotely. To designate the IP address, use the following command.

Command Mode Function

syslog bind-address ip-address Global Designates IP address for syslog message forwarded remotely.

7.5.7 Checking Debug Message from Remote

For the user who accesses from remote, it is possible to check Syslog message through the server by sending syslog message to the server. In hiD 6610, it is possible to check Debug message in user’s own Console window even from remote.

To check Debug message in remote user’s Console window, use the following command.

Command Mode Function

terminal monitor Enable Check Debug message in remote user’s own Console window.

The following is to check Debug message in remote user’s own Console window.

SWITCH# terminal monitor


SWITCH# show syslog
System logger on running!

info local volatile


info local non-volatile
user.debug /dev/ttyP1 the user who accesses through telnet.
SWITCH#

To disable terminal monitor in remote user’s own Console window, use the following command.

Command Mode Function

no terminal monitor Enable Disables terminal monitor in remote user’s own Console window.

7.5.8 Configuring Threshold of CPU Utilization

SURPASS hiD 6610 has a function that sends a syslog message when CPU utilization exceeds the configured threshold or is less than the threshold. To configure threshold of CPU utilization, use the following command.

Command Mode Function

threshold cpu <20-100> {5|60|600} Global Configures threshold of CPU utilization. The unit is “%” and it is possible to configure from 20% to 100%.

Information

The default is 50% and you can configure 5, 60, or 600 seconds as the time interval.

To view configured threshold of CPU, use the following command.

Command Mode Function

show cpuload Enable/Global Shows configured threshold of CPU utilization and average of CPU utilization.

The following is an example of configuring threshold of CPU utilization as 70% and checking it.

SWITCH(config)# threshold cpu 70 60


SWITCH(config)# show cpuload
----------------
Average CPU load
----------------
5 sec: 12.26(11.87) %
1 min: 12.35(11.90) %
10 min: 12.42(11.90) %

cpuload threshold : 70
timer interval : 60 seconds
SWITCH(config)#

After you configure as above, the following message will be displayed when CPU utilization exceeds 70%.

Oct 18 17:37:24 zebra[80]: CPU Overload Warning : Threshold [70] < CPU Load [86]

And the following message will be displayed when the CPU utilization goes down below 70%.

Oct 18 17:37:29 zebra[80]: CPU Overload Cleared : Threshold [70] > CPU Load [39]

In the above message, the number in [ ] means loading rate.
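
For log review, the two message formats above can be paired into overload episodes. The following Python is an added example (not code from the manual or the switch); the first two log lines are the manual's own, the others are constructed, and the year is passed in because the timestamp in these messages carries none.

```python
import re
from datetime import datetime

# Matches the "CPU Overload Warning / Cleared" messages shown above.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+: CPU Overload "
    r"(?P<kind>Warning|Cleared) : Threshold \[(?P<thr>\d+)\] [<>] "
    r"CPU Load \[(?P<load>\d+)\]")

SAMPLE_LOG = [
    # The two messages printed in the manual:
    "Oct 18 17:37:24 zebra[80]: CPU Overload Warning : Threshold [70] < CPU Load [86]",
    "Oct 18 17:37:29 zebra[80]: CPU Overload Cleared : Threshold [70] > CPU Load [39]",
    # Constructed lines: an unrelated message and a warning never cleared.
    "Oct 18 17:40:02 zebra[80]: unrelated message (constructed)",
    "Oct 18 17:52:10 zebra[80]: CPU Overload Warning : Threshold [70] < CPU Load [91]",
]


def overload_episodes(lines, year):
    """Pair Warning/Cleared messages.

    Returns (closed, still_open): closed is a list of dicts with start,
    end, seconds, threshold and peak load; still_open is the episode that
    has a Warning but no Cleared yet, or None.
    """
    closed, open_ep = [], None
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a CPU threshold message
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        load, thr = int(m["load"]), int(m["thr"])
        if m["kind"] == "Warning":
            if open_ep is None:
                open_ep = {"start": when, "threshold": thr, "peak": load}
            else:
                # Repeated warning inside one episode: keep the highest load.
                open_ep["peak"] = max(open_ep["peak"], load)
        elif open_ep is not None:
            open_ep["end"] = when
            open_ep["seconds"] = int((when - open_ep["start"]).total_seconds())
            closed.append(open_ep)
            open_ep = None
        # A Cleared message with no earlier Warning is ignored.
    return closed, open_ep


if __name__ == "__main__":
    done, pending = overload_episodes(SAMPLE_LOG, year=2000)
    for ep in done:
        print(f"{ep['start']} overload for {ep['seconds']} s, peak {ep['peak']} %")
    if pending:
        print(f"{pending['start']} overload still open, peak {pending['peak']} %")
```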

7.5.9 Configuring Threshold of Port Traffic

SURPASS hiD 6610 has a function that sends a syslog message when port traffic exceeds the configured threshold or is less than the threshold.

To configure threshold of port traffic, use the following command.

Command Mode Function

threshold port port-number range {5|60|600} {rx|tx} Global Configures threshold of port traffic. The unit is “kbps”.

Information

By default, the port threshold is configured as the maximum rate value: 1000000kbps for a Giga port and 100000kbps for a 100M port.

Information

You can configure 5, 60, or 600 seconds as the time interval.

To disable threshold of port traffic, use the following command.

Command Mode Function

threshold port disable port-number {rx|tx} Global Disables threshold of port traffic.

To show configured threshold of port traffic, use the following command.

Command Mode Function

show port threshold Enable/Global Shows configured threshold of port traffic.

The following is an example of configuring threshold of port 1 traffic as 500Mbps and checking it.

SWITCH(config)# threshold port 1 500 5 rx


SWITCH(config)#

Note

The contents for show status fan can be different according to the product.

7.5.10 Configuration Threshold of Temperature

In hiD 6610, if the user configures the threshold for the switch temperature, the system informs by syslog message when the temperature reaches the threshold and when it goes down under the threshold.

To configure the threshold for the temperature of the switch, use the following command in Global configuration mode.

Command Mode Function

threshold temp <-40-100> Global Configures the threshold for the temperature of the switch.

Information

The default temperature is 80℃.

To show the temperature status and the threshold for the switch, use the following command.

Command Mode Function

show status temp Enable/Global Informs the temperature status and threshold value for the user’s switch.

The following is an example of configuring the threshold of the temperature as 45℃ and checking it.

SWITCH(config)# threshold temp 45


SWITCH(config)# show status temp

Temperature 1 current : 57 C
Temperature 2 current : 48 C
Temp Threshold : 45 C

SWITCH(config)#

Note

The contents for show status fan can be different according to the product.

7.6 Configuring Rule and QoS

SURPASS hiD 6610 provides Rule and QoS functions for traffic management. The Rule function analyzes the transmitted packets, classifies them according to the designated policy, and decides packet forwarding. MAC address, VLAN ID, and IP address are used to distinguish the packets when configuring the policy of the Rule function, and the classified packets are handled as the user has configured. Through the Rule function, the user can configure the policy to block unnecessary data and keep important data.

QoS(Quality of Service) is one of the useful functions for providing more convenient network traffic service to users. By giving priority to traffic, it helps prevent overloading, delay, and failure in sending traffic. However, you need to be careful that other traffic does not fail because of the traffic the user configured with priority. QoS can give priority to specific traffic either by offering the priority to that traffic or by limiting the others.

Data is usually processed in time order, first in, first out. This way, which does not process specific data first, might lose all data when traffic is overloaded.

However, when traffic is overloaded, QoS can apply a processing order to traffic by reorganizing priorities according to importance. With QoS, the user can predict network performance in advance and manage bandwidth more effectively.

7.6.1 How to Operate Rule and Qos

In SURPASS hiD 6610, Rule and Qos operate as follows.

◆ Rule Creation

To classify the packets according to a specific basis, first configure the policies for them. The basis used to classify the packets is IP address, TCP/UDP, Port number, and Protocol.

◆ Rule Action

Configure the policy classifying the packets, and Precedence, DiffServ, and Cos to designate the priority for the classified packets.

Prescribe Rule action for the classified packets according to the user’s requirements.

● “Permit” operates for the traffic meeting the requirements.

● “Deny” operates for the traffic which does not meet the requirements.

● “Mirror” transmits the classified traffic to monitor port.

● “Redirect” re-transmits the appropriate traffic.

◆ Scheduling

To handle overloading of traffics, you need to configure differently processing orders of graphic by using

scheduling algorithm.

SURPASS hiD 6610 provides Strict Priority Queuing, WRR(Weighted Round Robin), WFQ(Weighted

Fair Queuing).Configure Rule is as follows.

□ Creating Rule

□ Configuring the priority

□ Configuring the condition for the packets

□ Configuring Rule Operation

□ Configuring CoS value and ToS value

□ Packet Counter
□ Saving Rule

□ Checking Rule Profile

□ Modifying Rule contents

□ Deleting Rule

(1) Creating Rule

To create a rule in SURPASS hiD 6610, first enter Rule configuration mode. To enter Rule configuration mode, use the following command.

| Command | Mode | Function |
|---|---|---|
| rule name create | Global | To create a new Rule, enter Rule configuration mode. |


After entering Rule creation mode, the prompt changes from SWITCH(config)# to SWITCH(config-rule[name])#.

The following enters Rule creation mode to create a new Rule named “TEST”.

SWITCH(config)# rule TEST create
SWITCH(config-rule[TEST])#

Information

It is possible to create a number of policies in a Rule.

After entering Rule configuration mode, configure the Rule as required: set the packet condition and how to process the packets.

(2) Configuring the priority

To configure the priority for the Rule, use the following command. The higher the priority of a Rule, the faster it is processed.

| Command | Mode | Function |
|---|---|---|
| priority {lowㅣmediumㅣhighㅣhighest} | Rule | Configure the priority for the new Rule. |

Information

The priority of every rule is configured as “low” by default.

(3) Configuring the condition for the packets

In a Rule, configure the condition for the packets and how to process the packets. The condition can be configured on various bases.

To configure the Rule, use the following commands.


| Command | Mode | Function |
|---|---|---|
| mac {src-mac-addressㅣany} {dst-mac-addressㅣany} | Rule | Configure the Rule based on Source MAC address and Destination MAC address. |
| ip {src-ip-addressㅣsrc-ip-address/mㅣany} {dst-ip-addressㅣdst-ip-address/mㅣany} | Rule | Configure the Rule based on Source IP address and Destination IP address. |
| ip {src-ip-addressㅣsrc-ip-address/mㅣany} {dst-ip-addressㅣdst-ip-address/mㅣany} <0-255> | Rule | Configure the Rule based on Source IP address and Destination IP address. |
| ip {src-ip-addressㅣsrc-ip-address/mㅣany} {dst-ip-addressㅣdst-ip-address/mㅣany} {icmpㅣtcpㅣudp} | Rule | Configure the Rule based on Source IP address, Destination IP address, and protocol. |
| ip {src-ip-addressㅣsrc-ip-address/mㅣany} {dst-ip-addressㅣdst-ip-address/mㅣany} icmp {<0-255>ㅣany} {<0-255>ㅣany} | Rule | Configure Message type and Code value of ICMP. |
| ip {src-ip-addressㅣsrc-ip-address/mㅣany} {dst-ip-addressㅣdst-ip-address/mㅣany} tcp {<1-65535>ㅣany} {<1-65535>ㅣany} [tcp-flagㅣany] | Rule | Configure based on TCP Source port and Destination port. |
| ip {src-ip-addressㅣsrc-ip-address/mㅣany} {dst-ip-addressㅣdst-ip-address/mㅣany} udp {<1-65535>ㅣany} {<1-65535>ㅣany} | Rule | Configure the rule based on UDP Source port and Destination port. |
| ip-prec {<0-7>ㅣany} | Rule | Configure the rule based on IP TOS precedence. |
| port {src-port-numberㅣany} {dst-port-numberㅣcpuㅣany} | Rule | Configure the rule based on the port. |
| cos {<0-7>ㅣany} | Rule | Configure the rule with CoS value. |
| tos {<0-255>ㅣany} | Rule | Configure the rule with ToS value. |
| dscp {<0-63>ㅣany} | Rule | Configure the rule based on DSCP value in ToS area of packets. |
| ethtype {ethertypeㅣarpㅣany} | Rule | Configure the rule based on Ethtype. |
| vlan {<1-4094>ㅣany} | Rule | Configure the rule based on VLAN ID. |
| length {<21-65535>ㅣany} | Rule | Configure the rule based on the packet length. |

Information

It is possible to configure a number of rules in a Rule.


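To delete the configured Rule, use the following commands.

| Command | Mode | Function |
|---|---|---|
| no cos | Rule | To delete the configured Rule. |
| no ethtype | Rule | To delete the configured Rule. |
| no ip | Rule | To delete the configured Rule. |
| no length | Rule | To delete the configured Rule. |
| no mac | Rule | To delete the configured Rule. |
| no tos | Rule | To delete the configured Rule. |
| no vlan | Rule | To delete the configured Rule. |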

(4) Configuring Rule Operation

After configuring the packet condition for the Rule, configure how to process the packets. To configure the Rule operation, use the following command.

| Command | Mode | Function |
|---|---|---|
| match bandwidth bandwidth | Rule | Configure the maximum bandwidth used for packet transmission. The unit for bandwidth is Mbps. |
| match copy-to-cpu | Rule | Sends the packets that correspond to the Rule to the CPU. |
| match deny | Rule | Denies the packets that correspond to the Rule. |
| match dmac dst-mac-address | Rule | Designates the MAC address of the packets that correspond to the Rule. |
| match dscp <0-63> | Rule | Designates the DSCP value in the ToS area of the packets that correspond to the Rule. |
| match egress filter port-number | Rule | Excludes specific ports from the matched packet's egress ports. |
| match egress port port-number | Rule | Replaces the matched packet's egress ports. |
| match mirror | Rule | Transmits a copy of the packets that correspond to the Rule to the mirroring port. |
| match permit | Rule | Permits the packets that correspond to the Rule. |
| match redirect port-number | Rule | Sends the packets that correspond to the Rule to the designated port. |
| match vlan <1-4094> | Rule | Designates the VID for the packets that correspond to the Rule. |


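To disable the above configuration, use the following command.

| Command | Mode | Function |
|---|---|---|
| no match bandwidth | Rule | Release the configuration for processing the packets that correspond to the Rule. |
| no match copy-to-cpu | Rule | Release the configuration for processing the packets that correspond to the Rule. |
| no match deny | Rule | Release the configuration for processing the packets that correspond to the Rule. |
| no match dmac | Rule | Release the configuration for processing the packets that correspond to the Rule. |
| no match dscp | Rule | Release the configuration for processing the packets that correspond to the Rule. |
| no match egress | Rule | Release the configuration for processing the packets that correspond to the Rule. |
| no match mirror | Rule | Release the configuration for processing the packets that correspond to the Rule. |
| no match permit | Rule | Release the configuration for processing the packets that correspond to the Rule. |
| no match redirect | Rule | Release the configuration for processing the packets that correspond to the Rule. |
| no match vlan | Rule | Release the configuration for processing the packets that correspond to the Rule. |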

To process the packets that don’t correspond to the Rule, use the following command.

| Command | Mode | Function |
|---|---|---|
| no-match copy-to-cpu | Rule | Sends the packets that don’t correspond to the Rule to the CPU. |
| no-match deny | Rule | Denies the packets that don’t correspond to the Rule. |
| no-match dscp <0-63> | Rule | Designates the DSCP value in the ToS area of the packets that don’t correspond to the Rule. |
| no-match mirror | Rule | Sends a copy of the packets that don’t correspond to the Rule to the mirroring port. |
| no-match redirect port-number | Rule | Sends the packets that don’t correspond to the Rule to the designated port. |

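To release the above configuration, use the following command.

| Command | Mode | Function |
|---|---|---|
| no no-match copy-to-cpu | Rule | Release the process for the packets that don’t correspond to Rule. |
| no no-match deny | Rule | Release the process for the packets that don’t correspond to Rule. |
| no no-match dscp | Rule | Release the process for the packets that don’t correspond to Rule. |
| no no-match mirror | Rule | Release the process for the packets that don’t correspond to Rule. |
| no no-match redirect | Rule | Release the process for the packets that don’t correspond to Rule. |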


(5) Configuring CoS value and ToS value

To apply a scheduling value using the configured Rule, first assign each rule a class to which the scheduling value applies. The CoS value is divided into 8 classes. The “overwrite” variable decides whether the packets are processed with the CoS class only inside the switch or are also transmitted to the external network with the designated CoS value. If the command contains “overwrite”, the CoS value is applied to the packets when they communicate with the external network; if it is not contained in the command, the CoS value is used only inside the switch.

To apply the class to the packets that correspond to the Rule, use the following command.

| Command | Mode | Function |
|---|---|---|
| match cos <0-7> [overwrite] | Rule | Give CoS value to the packets that correspond to Rule. |
| match cos same-as-tos overwrite | Rule | Designate CoS value for the packets that correspond to Rule as IP ToS precedence value. |
| match ip-prec <0-7> | Rule | Designate IP ToS precedence for the packets that correspond to Rule. |
| match ip-prec same-as-cos | Rule | Designate IP ToS precedence value for the packets that correspond to Rule as CoS value. |

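To release the above configuration, use the following command.

| Command | Mode | Function |
|---|---|---|
| no match cos | Rule | Disable the CoS or IP ToS precedence value configured for the packets that correspond to the Rule. |
| no match ip-prec | Rule | Disable the CoS or IP ToS precedence value configured for the packets that correspond to the Rule. |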


To apply the class to the packets that don’t correspond to the Rule, use the following command.

| Command | Mode | Function |
|---|---|---|
| no-match cos <0-7> [overwrite] | Rule | Give CoS value to the packets that don’t correspond to Rule. |
| no-match cos same-as-tos overwrite | Rule | Designate CoS value for the packets that don’t correspond to Rule as IP ToS precedence value. |
| no-match ip-prec <0-7> | Rule | Designate IP ToS precedence for the packets that don’t correspond to Rule. |
| no-match ip-prec same-as-cos | Rule | Designate IP ToS precedence value for the packets that don’t correspond to Rule as CoS value. |

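To release the above configuration, use the following command.

| Command | Mode | Function |
|---|---|---|
| no no-match cos | Rule | Disable the CoS or IP ToS precedence value configured for the packets that don’t correspond to the Rule. |
| no no-match ip-prec | Rule | Disable the CoS or IP ToS precedence value configured for the packets that don’t correspond to the Rule. |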

(6) Packet Counter

When packets defined in a rule arrive, the QoS policy is applied. However, suppose that a packet defined to be discarded arrives. In that case, it is discarded without any notice or record. It is better for administrators to know that such a packet is being transmitted, even though it is unnecessary and harmful.

In SURPASS hiD 6610, it is possible to know how many times packets defined in a specified rule have arrived. To check this, use the following command.

| Command | Mode | Function |
|---|---|---|
| match counter | Rule | Check how many times packets defined in the specified rule have arrived. |


To release the configuration that counts how many times packets defined in the specified rule have arrived, use the following command.

| Command | Mode | Function |
|---|---|---|
| no match counter | Rule | Release the configuration that counts how many times packets defined in the specified rule have arrived. |

(7) Saving Rule

After configuring the rule using the above commands, apply it to the switch by saving. If you don’t save and apply the rule to the switch, all configurations are deleted.

To save and apply the rule, use the following command.

| Command | Mode | Function |
|---|---|---|
| apply | Rule | Save rule and apply it to the switch. |

Note

After configuring the rule, it should be applied to the switch.

(8) Checking Rule Profile

To check the configured rule Profile, use the following command.

| Command | Mode | Function |
|---|---|---|
| show rule-profile | Rule | Check the Profile of the appropriate rule. |
| show rule | View/Enable/Global | Check the profile of all rules. |
| show rule name | View/Enable/Global | Check the profile of the designated Rule. |
| show rule all | View/Enable/Global | Check all Rule and all Admin access rule Profile. |
| show rule stat | View/Enable/Global | Check amount of Rule. |


(9) Modifying Rule

It is possible to modify the Rule configuration. To modify it, use the following command.

| Command | Mode | Function |
|---|---|---|
| rule name modify | Global | To modify the Rule named “name”, enter Rule configuration mode. |

(10) Deleting Rule

To delete the Rule, use the following command.

| Command | Mode | Function |
|---|---|---|
| no rule name | Global | Deletes the appropriate Rule. |
| no rule all | Global | Deletes all Rule and all Admin access rule. |

7.6.2 Configuring QoS

In SURPASS hiD 6610, it is possible to use RED, Strict Priority Queuing, WFQ (Weighted Fair Queuing), and WRR (Weighted Round Robin) for QoS.

The following topics explain how to configure QoS.

□ Configuring QoS map

□ Configuring Scheduling Method

□ Setting Weight

□ Configuring Min-bandwidth

□ Limiting Max-bandwidth

□ User-defined Setting for CPU Packet

□ RED Setting

□ Displaying QoS Setting


(1) Configuring QoS map

In SURPASS hiD 6610, it is possible to map the CoS configured for packets to a Que. By default, they are mapped as below.

【 Table 7-1 】Basic QoS map

| CoS | Que number | CoS | Que number |
|---|---|---|---|
| 0 | 0 | 4 | 4 |
| 1 | 1 | 5 | 5 |
| 2 | 2 | 6 | 6 |
| 3 | 3 | 7 | 7 |

To create a QoS map that classifies a rule having a class to a Que, use the following command in Global Configuration Mode.

| Command | Mode | Function |
|---|---|---|
| qos map <0-7> <0-7> | Global | Classify the rule to Que. CoS number is 0~7, queue number is 0~7. |

Note

In SURPASS hiD 6610, it is possible to use all 8 of Ques.

Information

CoS number is from 0 to 7. Que number is from 0 to 7.

To return to Basic QoS map, use the following command in Global Configuration Mode.

| Command | Mode | Function |
|---|---|---|
| qos map default | Global | Returns to Basic QoS map. |


(2) Configuring Scheduling Method

To process the Ques, it is possible to use the Strict Priority Queuing, WFQ, or WRR method.

• Strict Priority Queuing

Strict Priority Queuing processes more important data before the rest. Since all data are processed according to their priorities, data with high priority are processed quickly, but data with low priority might be delayed and pile up. The strong point of this method is that it provides differentiated service in a simple way. However, whenever packets with higher priority enter, packets with lower priority are not processed.

The following shows the processing order in Strict Priority Queuing when packets with the following Que numbers enter.

7 1 3 4 6 7 7 7

【 Figure 7-4 】 User-defined Setting for CPU Packet

• WRR (Weighted Round Robin)

WRR processes as many packets as the Weight. Packets with higher priority are processed first, in the same way as in Strict Priority Queuing. However, after processing as many packets as the configured Weight, it passes to the next stage, so packet processing can be configured not to be partial to the packets with higher priority. However, there is a limit to the differentiated service it can provide compared with the existing service.


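The following shows the processing in WRR when packets with the following Que numbers enter.

| Que | W |
|---|---|
| 0 | 1 |
| 1 | 1 |
| 2 | 1 |
| 3 | 1 |
| 4 | 1 |
| 5 | 1 |
| 6 | 1 |
| 7 | 2 |

Packet sequence shown in the figure: 7 6 7 1 3 6 7 7

【 Figure 7-5 】 Packet Process in WRR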

• WFQ (Weighted Fair Queuing)

WFQ has only the good points of Strict Priority Queuing and WRR. If bandwidth is configured for all Ques, the packets of each Que can be processed within the assigned bandwidth.

The following shows the processing in WFQ when packets with the following Que numbers enter.

[Figure: Que (0 to 7) and BW columns; the BW values shown are 50Mbps]

【 Figure 7-6 】 The packet process in WFQ


To select one of the three scheduling methods, use the following command.

| Command | Mode | Function |
|---|---|---|
| qos scheduling-mode {spㅣwrrㅣwfq} | Global | Decide the scheduling method. |

Information

In SURPASS hiD 6610, default is “WRR”.
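
The Strict Priority and WRR behaviour described above, as an added Python model (not code from the manual or from the switch): `simulate`, its one-packet-per-tick link and the traffic loads are assumptions made for illustration, and the weights follow Figure 7-5 (Que 7 has weight 2, all others 1). It shows the starvation that the Strict Priority description warns about and how a WRR weight bounds it.

```python
from collections import Counter

QUEUES = list(range(7, -1, -1))   # Que 7 is served first, Que 0 last

# Weights as listed in Figure 7-5: every Que has weight 1 except Que 7.
FIGURE_WEIGHTS = {q: 1 for q in QUEUES}
FIGURE_WEIGHTS[7] = 2


def simulate(mode, weights, backlog, arrivals, ticks):
    """Return the Que served in each tick (None when the link is idle).

    mode      "sp" or "wrr", the keywords of qos scheduling-mode
    weights   Que -> WRR weight (not used in "sp" mode)
    backlog   Que -> packets already waiting before the first tick
    arrivals  Que -> packets that arrive at the start of every tick
    The modelled link sends exactly one packet per tick (assumption).
    """
    depth = {q: backlog.get(q, 0) for q in QUEUES}
    credit = dict(weights)            # packets each Que may still send this round
    served = []
    for _ in range(ticks):
        for q, n in arrivals.items():
            depth[q] += n
        waiting = [q for q in QUEUES if depth[q] > 0]
        if mode == "wrr":
            ready = [q for q in waiting if credit[q] > 0]
            if not ready:             # every waiting Que used its weight: new round
                credit = dict(weights)
                ready = waiting
        elif mode == "sp":
            ready = waiting           # weight is ignored, priority alone decides
        else:
            raise ValueError(f"unknown scheduling mode: {mode!r}")
        if not ready:
            served.append(None)
            continue
        q = ready[0]                  # highest-numbered eligible Que
        depth[q] -= 1
        if mode == "wrr":
            credit[q] -= 1
        served.append(q)
    return served


def share(served):
    """Packets sent per Que over the run (idle ticks ignored)."""
    return Counter(q for q in served if q is not None)


# Constructed load: Que 7 receives one new packet every tick (a sustained
# high-priority stream) while three packets wait in Que 1.
FLOOD = dict(backlog={1: 3}, arrivals={7: 1}, ticks=10)

if __name__ == "__main__":
    for mode in ("sp", "wrr"):
        order = simulate(mode, FIGURE_WEIGHTS, **FLOOD)
        print(mode, order, dict(share(order)))
```

Under Strict Priority the Que 1 packets are never sent while the Que 7 stream continues; under WRR each round sends at most two Que 7 packets before Que 1 gets its turn.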

(3) Setting Weight

In WRR, the packets are processed by Weight. The user can configure the weight value.

Information

The default for weight is “1”.

To set the weight, use the following command.

| Command | Mode | Function |
|---|---|---|
| qos weight port-number <0-7> <1-15> | Global | Set Weight. |
| qos weight port-number <0-7> unlimited | Global | Process QoS with Strict Priority Queuing. |

Information

It is not possible to configure Weight in WFQ.

(4) Configuring Min-bandwidth

WFQ restricts the traffic of each Que by bandwidth. Therefore, in order to use WFQ, you should configure the assured bandwidth for every Que. This assured bandwidth is Min-bandwidth.

Information

In SURPASS hiD 6610, the minimum of the assured bandwidth is configured as “0”.


To configure the assured bandwidth, use the following command.

| Command | Mode | Function |
|---|---|---|
| qos min-bandwidth port-number <0-7> <1-100> | Global | Configure the assured bandwidth. |
| qos min-bandwidth port-number <0-7> unlimited | Global | Don’t restrict the assured bandwidth. |

Information

It is not possible to configure the assured bandwidth under WRR.

(5) Limiting Max-bandwidth

When scheduling with Strict Priority Queuing, processing can concentrate on the packets of one class. To prevent this, it is possible to limit the bandwidth. It is also possible to configure additional bandwidth for the packets that exceed the assured bandwidth. This function is Max-bandwidth.

Max-bandwidth is used to restrict the bandwidth for processing the packets of the appropriate Que in Strict Priority Queuing, and to provide the additional bandwidth in the WFQ method.

For example, in WFQ, if Min-bandwidth is configured as 10Mbps for a specific Que and Max-bandwidth is configured as 15Mbps, up to 10Mbps is unconditionally guaranteed and up to 15Mbps can be provided.

[Figure labels: Packet; Min-bandwidth (Guarantee); Max-bandwidth (Possibility)]

【 Figure 7-7 】 Min-bandwidth and Max-bandwidth in WFQ


To configure the maximum bandwidth used for the appropriate Que, use the following command.

| Command | Mode | Function |
|---|---|---|
| qos max-bandwidth port-number <0-7> <1-100> | Global | Configure the maximum bandwidth. |
| qos max-bandwidth port-number <0-7> unlimited | Global | Don’t limit the maximum bandwidth. |

Information

In SURPASS hiD 6610, there is no limitation on available bandwidth by default.

(6) User-defined Setting for CPU Packet

Queue processing for CPU packets can be set up by the user with one of two scheduling methods: Strict Priority Queuing or WRR (Weighted Round Robin).

To select one of the two scheduling methods, use the following command.

| Command | Mode | Function |
|---|---|---|
| qos cpu scheduling-mode {spㅣwrr} | Global | Selects scheduling method for CPU packet. |

Information

Default scheduling method for CPU packet is “WRR”.

The WRR method processes packets according to the weight value. The weight value can be designated by the user.

Information

Default weight value for all queues is “1”.

To designate the weight value for WRR, use the following command.

| Command | Mode | Function |
|---|---|---|
| qos cpu weight <0-7> <1-15> | Global | Assigns weight value from “1” to “15”. |
| qos cpu weight <0-7> unlimited | Global | Handles designated queue with Strict Priority Queuing. |


(7) RED (Random Early Detection) Setting

RED, which utilizes the end-to-end flow control of TCP, is a function that randomly drops packets when traffic reaches the user-designated threshold, even before it reaches the maximum buffer size. If traffic usage reaches the maximum buffer size, all packets can be dropped, which causes packet loss. Therefore, in order to prevent packet loss or unstable traffic transmission, the user can restrict excessive traffic over the buffer size by setting up a threshold. With the RED function, packet loss can be reduced and stable packet transmission can be achieved. To apply the RED function, it needs to be enabled.

| Command | Mode | Function |
|---|---|---|
| qos red enable | Global | Enables RED function. |

To utilize the RED function, a start queue length value and a drop probability are necessary. The start queue length represents the starting point of random packet dropping, and the drop probability indicates the percentage of packets dropped from the starting point of random packet dropping to the point of complete dropping.

If the probability is large, a large amount of packets is dropped, and therefore the complete dropping point is reached slowly. On the other hand, if the probability is small, a small amount of packets is dropped, and therefore the complete dropping point is reached quickly. If the probability value is 1, no packets are dropped, and if the value is 15, all packets are dropped from the point where the start queue length value is reached. The following figure shows the principle of the RED function.

[Figure axes: Drop Probability (up to 100%) against Queue Length, with the points S and X marked on the Queue Length axis]

【 Figure 7-8 】 The Principle of RED Function

In the above figure, “S” indicates the start queue length value and “X” is the point of complete dropping. If the queue length reaches “S”, packets are randomly dropped, and if it reaches “X”, packets are completely dropped. The probability shows how many packets are dropped as the queue length moves from “S” toward “X”.


To set up the RED function by designating the start threshold and probability, use the following command.

| Command | Mode | Function |
|---|---|---|
| qos red <0-7> start <0-127> probability <1-15> | Global | Designates start threshold and probability for CPU. |

To clear the RED setup, use the following command.

| Command | Mode | Function |
|---|---|---|
| no qos red <0-7> | Global | Clears RED function setup. |

Information

If the user-designated value is cleared, the setting returns to default automatically.

To disable the RED function, use the following command.

| Command | Mode | Function |
|---|---|---|
| qos red disable | Global | Disables RED function. |

Information

The above command only disables the RED function and does not influence the setting value.

(8) Displaying QoS Setting

To show the QoS setting, use the following command.

| Command | Mode | Function |
|---|---|---|
| show qos | Enable/Global | Displays set-up for QoS scheduling. |
| show qos port-number | Enable/Global | Displays set-up for QoS scheduling per each port. |
| show qos cpu | Enable/Global | Displays set-up for QoS scheduling of CPU packet. |
| show qos red | Enable/Global | Displays set-up for RED. |


7.6.3 Admin access rule

In SURPASS hiD 6610, it is possible to block access to the switch by services such as telnet, ftp, icmp, and snmp. To block such services from entering the switch, use the Admin access rule.

The following topics explain the Admin access rule.

□ Creating Admin access rule

□ Configuring the priority

□ Configuring the condition for the packet

□ Configuring the operation of Admin access rule

□ Saving Admin access rule

□ Checking Admin access rule Profile

□ Deleting Admin access rule

(1) Creating Admin access rule

To create an Admin access rule in SURPASS hiD 6610, first enter Admin access rule configuration mode. To enter Admin access rule configuration mode, use the following command.

| Command | Mode | Function |
|---|---|---|
| rule name create admin | Global | To create Admin access Rule, enter Admin access Rule mode. |

After entering Admin access rule mode, the prompt changes from SWITCH(config)# to SWITCH(config-admin-rule[name])#.

The following enters Admin access rule mode to create a new Admin access rule named “TEST”.

SWITCH(config)# rule TEST create admin
SWITCH(config-admin-rule[TEST])#


Information

It is possible to create a number of policies in a Rule.

After entering Admin access rule configuration mode, configure the Admin access rule as required: set the packet condition and how to process the packets.

(2) Configuring the priority

To configure the priority for the Rule, use the following command. The higher the priority of a Rule, the faster it is processed.

| Command | Mode | Function |
|---|---|---|
| priority {lowㅣmediumㅣhighㅣhighest} | Admin access rule | Configure the priority for the new Admin Access Rule. |

Information

The priority of every rule is configured as “low” by default.

(3) Configuring the condition for the packet

In Admin access rule, you can configure the condition for the packet and how to process the packets

that correspond to the condition. Configure Admin access rule with various conditions.


To configure Admin access rule, use the following command.

| Command | Mode | Function |
|---|---|---|
| ip {src-ip-addressㅣsrc-ip-address/mㅣany} {dst-ip-addressㅣdst-ip-address/mㅣany} | Admin access rule | Configure a rule based on Source IP address and Destination IP address. |
| ip {src-ip-addressㅣsrc-ip-address/mㅣany} {dst-ip-addressㅣdst-ip-address/mㅣany} <0-255> | Admin access rule | Configure a rule based on Source IP address and Destination IP address. |
| ip {src-ip-addressㅣsrc-ip-address/mㅣany} {dst-ip-addressㅣdst-ip-address/mㅣany} {icmpㅣtcpㅣudp} | Admin access rule | Configure the rule based on Source IP address, Destination IP address and protocol. |
| ip {src-ip-addressㅣsrc-ip-address/mㅣany} {dst-ip-addressㅣdst-ip-address/mㅣany} icmp {<0-255>ㅣany} {<0-255>ㅣany} | Admin access rule | Configure Message type and Code value of ICMP. |
| ip {src-ip-addressㅣsrc-ip-address/mㅣany} {dst-ip-addressㅣdst-ip-address/mㅣany} tcp {<1-65535>ㅣany} {<1-65535>ㅣany} [tcp-flagㅣany] | Admin access rule | Configure the rule based on TCP Source port and Destination port. |
| ip {src-ip-addressㅣsrc-ip-address/mㅣany} {dst-ip-addressㅣdst-ip-address/mㅣany} udp {<1-65535>ㅣany} {<1-65535>ㅣany} | Admin access rule | Configure the rule based on UDP Source port and Destination port. |

Information

It is possible to configure a number of policies in one Admin access rule

(4) Configuring the operation of Admin access rule

After configuring the condition of packets for the Admin access rule, configure how to process the packets. To configure the Rule operation, use the following command.

| Command | Mode | Function |
|---|---|---|
| match deny | Admin access rule | Denies the packets of Admin access rule. |
| match permit | Admin access rule | Permits the packets of Admin access rule. |


To disable the above configuration, use the following command.

| Command | Mode | Function |
|---|---|---|
| no match deny | Admin access rule | Disable the configuration for the packet process of Admin access rule. |
| no match permit | Admin access rule | Disable the configuration for the packet process of Admin access rule. |

To process the packets that don’t correspond to the Rule, use the following command.

| Command | Mode | Function |
|---|---|---|
| no-match deny | Admin access rule | Deny the packets that don’t correspond to Admin access rule. |
| no-match permit | Admin access rule | Permit the packets that don’t correspond to Admin access rule. |

To release the above configuration, use the following command.

| Command | Mode | Function |
|---|---|---|
| no no-match deny | Admin access rule | Release the configuration for the process of packets which don’t correspond to Admin access rule. |
| no no-match permit | Admin access rule | Release the configuration for the process of packets which don’t correspond to Admin access rule. |

(5) Saving Admin access rule

After configuring the Admin access rule using the above commands, apply it to the switch by saving. If you don’t save and apply the Admin access rule to the switch, all configurations are deleted.

To save and apply Admin access rule, use the following command.

| Command | Mode | Function |
|---|---|---|
| apply | Admin access rule | Save Admin access rule and apply it to the switch. |

Note

After configuring Admin access rule, it should be applied to the switch.


(6) Checking Admin access rule Profile

To check the configured Admin access rule Profile, use the following command.

| Command | Mode | Function |
|---|---|---|
| show rule-profile | Admin access rule | Check the Profile of the appropriate Admin access rule. |
| show rule admin | View/Enable/Global | Check the profile of all Admin access rules. |
| show rule all | View/Enable/Global | Check all Rule and all Admin access rule Profile. |

(7) Modifying Admin-access-rule

It is possible to modify the Admin-access-rule configuration. To modify it, use the following command.

| Command | Mode | Function |
|---|---|---|
| rule name modify admin | Global | To modify the Admin-access-rule named “name”, enter Rule configuration mode. |

(8) Deleting Admin access rule

To delete the configured Admin access rule, use the following command.

| Command | Mode | Function |
|---|---|---|
| no rule admin | Global | Delete all of Admin access rule. |
| no rule all | Global | Delete all of Rule and all of Admin access rule. |

7.6.4 Sample Configuration


[ Sample Configuration 1 ] Rule Configuration

The following is an example of configuring Rule as “TEST” and applying it to the system.

SWITCH> enable
SWITCH# configure terminal
SWITCH(config)# rule TEST create
SWITCH(config-rule[TEST])# priority high
SWITCH(config-rule[TEST])# ip 10.1.1.1 20.1.1.1 tcp 22 any
SWITCH(config-rule[TEST])# cos 0
SWITCH(config-rule[TEST])# match deny
SWITCH(config-rule[TEST])# show rule-profile
rule TEST
priority high
ip 10.1.1.1/32 20.1.1.1/32 tcp 22 any
match deny
SWITCH(config-rule[TEST])# apply          (You should apply it to the system.)
SWITCH(config-rule[TEST])# exit
SWITCH(config)# show rule
rule TEST
priority high
cos 0
ip 10.1.1.1/32 20.1.1.1/32 tcp 22 any
match deny
SWITCH(config)#

If you don’t apply it to the system and change to another configuration, all the configuration is deleted, as follows.

SWITCH> enable
SWITCH# configure terminal
SWITCH(config)# rule TEST create
SWITCH(config-rule[TEST])# priority high
SWITCH(config-rule[TEST])# ip 10.1.1.1 20.1.1.1 tcp 22 any
SWITCH(config-rule[TEST])# cos 0
SWITCH(config-rule[TEST])# match deny
SWITCH(config-rule[TEST])# show rule-profile
rule TEST
priority high
cos 0
ip 10.1.1.1/32 20.1.1.1/32 tcp 22 any
match deny
SWITCH(config-rule[TEST])# exit
SWITCH(config)# show rule
There’s no configured rule.
SWITCH(config)#
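
A model of how the `ip ... tcp` condition from Sample Configuration 1 is evaluated, added here as a Python example (not the switch's implementation and not code from the manual): `parse_ip_condition`, `profile`, `matches`, `decide` and the sample packets are constructed for illustration, and only the `ip SRC DST` and `ip SRC DST {tcp|udp} SPORT DPORT` forms are handled. It reads the two port fields in the order the syntax table names them (source, then destination), so `tcp 22 any` matches traffic sent from port 22, not traffic addressed to port 22.

```python
import ipaddress


def _net(token):
    # "any" is a wildcard; a bare address becomes a /32 network, which is how
    # show rule-profile prints it in the sample output.
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def _port(token):
    if token == "any":
        return None
    port = int(token)
    if not 1 <= port <= 65535:
        raise ValueError(f"port outside <1-65535>: {token}")
    return port


def parse_ip_condition(line):
    """Parse 'ip SRC DST' or 'ip SRC DST {tcp|udp} SPORT DPORT' (model only)."""
    tok = line.split()
    if not tok or tok[0] != "ip" or len(tok) not in (3, 6):
        raise ValueError(f"unsupported condition: {line!r}")
    cond = {"src": _net(tok[1]), "dst": _net(tok[2]),
            "proto": None, "sport": None, "dport": None}
    if len(tok) == 6:
        if tok[3] not in ("tcp", "udp"):
            raise ValueError(f"only tcp and udp are modelled: {tok[3]!r}")
        cond["proto"] = tok[3]
        # Field order taken from the syntax table: source port, then destination port.
        cond["sport"], cond["dport"] = _port(tok[4]), _port(tok[5])
    return cond


def profile(cond):
    """Render the condition the way the sample show rule-profile output lists it."""
    def show(value):
        return "any" if value is None else str(value)
    parts = ["ip", show(cond["src"]), show(cond["dst"])]
    if cond["proto"]:
        parts += [cond["proto"], show(cond["sport"]), show(cond["dport"])]
    return " ".join(parts)


def matches(cond, pkt):
    """True when the packet satisfies every field of the condition."""
    if cond["src"] is not None and ipaddress.ip_address(pkt["src"]) not in cond["src"]:
        return False
    if cond["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in cond["dst"]:
        return False
    if cond["proto"] is not None:
        if pkt["proto"] != cond["proto"]:
            return False
        if cond["sport"] is not None and pkt["sport"] != cond["sport"]:
            return False
        if cond["dport"] is not None and pkt["dport"] != cond["dport"]:
            return False
    return True


def decide(cond, match_action, no_match_action, pkt):
    """Action for a packet: the 'match ...' action if it corresponds to the
    condition, otherwise the 'no-match ...' action (None = none configured)."""
    return match_action if matches(cond, pkt) else no_match_action


# Constructed packets between the two hosts of Sample Configuration 1.
FROM_PORT_22 = {"src": "10.1.1.1", "dst": "20.1.1.1", "proto": "tcp",
                "sport": 22, "dport": 40000}
TO_PORT_22 = {"src": "10.1.1.1", "dst": "20.1.1.1", "proto": "tcp",
              "sport": 40000, "dport": 22}

if __name__ == "__main__":
    sample = parse_ip_condition("ip 10.1.1.1 20.1.1.1 tcp 22 any")
    print(profile(sample))
    print("from port 22:", decide(sample, "deny", None, FROM_PORT_22))
    print("to port 22:  ", decide(sample, "deny", None, TO_PORT_22))
```

To cover connections addressed to port 22, the same model needs the condition written as `tcp any 22`; checking a rule against a few constructed packets like this before `apply` catches a swapped port field.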


[ Sample Configuration 2 ] Modifying Rule

The following is an example of modifying the Rule named TEST.

SWITCH> enable
SWITCH# configure terminal
SWITCH(config)# rule TEST modify
SWITCH(config-rule[TEST])# show rule-profile
rule TEST
priority high
cos 0
ip 10.1.1.1/32 20.1.1.1/32 tcp 22 any
match deny
SWITCH(config-rule[TEST])# match permit
SWITCH(config-rule[TEST])# show rule-profile
rule TEST
priority high
cos 0
ip 10.1.1.1/32 20.1.1.1/32 tcp 22 any
match permit
SWITCH(config-rule[TEST])# apply
SWITCH(config-rule[TEST])# exit
SWITCH(config)#


[ Sample Configuration 3 ] Configuring Strict Priority Queuing

The following is how to configure Strict Priority Queuing on SURPASS hiD 6610.

SWITCH# configure terminal
SWITCH(config)# qos scheduling-mode sp
SWITCH(config)# qos max-bandwidth 1-5 7 50
SWITCH(config)# show qos
cpu-rx-cos : enabled
cpu-tx-cos : 7

Scheduling mode : SP (Strict Priority Queuing)

CoS-Queue Map : cos 0 1 2 3 4 5 6 7
-----------------------
queue 0 1 2 3 4 5 6 7

PORT Q0 Q1 Q2 Q3 Q4 Q5 Q6 Q7
-------------------------------------
1 UN UN UN UN UN UN UN 50
2 UN UN UN UN UN UN UN 50
3 UN UN UN UN UN UN UN 50
4 UN UN UN UN UN UN UN 50
5 UN UN UN UN UN UN UN 50
6 UN UN UN UN UN UN UN UN
7 UN UN UN UN UN UN UN UN
8 UN UN UN UN UN UN UN UN
9 UN UN UN UN UN UN UN UN
10 UN UN UN UN UN UN UN UN
11 UN UN UN UN UN UN UN UN
12 UN UN UN UN UN UN UN UN
13 UN UN UN UN UN UN UN UN
14 UN UN UN UN UN UN UN UN
15 UN UN UN UN UN UN UN UN
16 UN UN UN UN UN UN UN UN
17 UN UN UN UN UN UN UN UN
18 UN UN UN UN UN UN UN UN
19 UN UN UN UN UN UN UN UN
20 UN UN UN UN UN UN UN UN
21 UN UN UN UN UN UN UN UN
22 UN UN UN UN UN UN UN UN
23 UN UN UN UN UN UN UN UN
24 UN UN UN UN UN UN UN UN
25 UN UN UN UN UN UN UN UN
26 UN UN UN UN UN UN UN UN
SWITCH(config)#


[ Sample Configuration 4 ] Configuring WRR Scheduling

The following is how to configure WRR scheduling in SURPASS hiD 6610.

SWITCH# configure terminal
SWITCH(config)# qos scheduling-mode wrr
SWITCH(config)# qos weight 1-10 7 5
SWITCH(config)# qos weight 11-15 6 4
SWITCH(config)# qos weight 16-20 5 3
SWITCH(config)# show qos
cpu-rx-cos : enabled
cpu-tx-cos : 7

Scheduling mode : WRR (Weighted Round Robin)

CoS-Queue Map : cos 0 1 2 3 4 5 6 7
-----------------------
queue 0 1 2 3 4 5 6 7

PORT Q0 Q1 Q2 Q3 Q4 Q5 Q6 Q7
-------------------------------------------------------------
1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/5
2 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/5
3 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/5
4 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/5
5 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/5
6 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/5
7 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/5
8 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/5
9 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/5
10 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/5
11 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/4 UN/1
12 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/4 UN/1
13 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/4 UN/1
14 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/4 UN/1
15 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/4 UN/1
16 UN/1 UN/1 UN/1 UN/1 UN/1 UN/3 UN/1 UN/1
17 UN/1 UN/1 UN/1 UN/1 UN/1 UN/3 UN/1 UN/1
18 UN/1 UN/1 UN/1 UN/1 UN/1 UN/3 UN/1 UN/1
19 UN/1 UN/1 UN/1 UN/1 UN/1 UN/3 UN/1 UN/1
20 UN/1 UN/1 UN/1 UN/1 UN/1 UN/3 UN/1 UN/1
21 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1
22 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1
23 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1
24 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1
25 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1
26 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1 UN/1
SWITCH(config)#


[ Sample Configuration 6-4-5 ] Configuring WFQ Scheduling

The following shows how to configure WFQ scheduling on the SURPASS hiD 6610.

SWITCH# configure terminal


SWITCH(config)# qos scheduling-mode wfq
SWITCH(config)# qos min-bandwidth 1-10 7 30
SWITCH(config)# qos min-bandwidth 1-10 6 20
SWITCH(config)# qos max-bandwidth 1-10 7 35
SWITCH(config)# qos max-bandwidth 1-10 6 25
SWITCH(config)# show qos
cpu-rx-cos : enabled
cpu-tx-cos : 7

Scheduling mode : WFQ (Weighted Fair Queuing)

CoS-Queue Map : cos 0 1 2 3 4 5 6 7


-----------------------
queue 0 1 2 3 4 5 6 7

PORT Q0 Q1 Q2 Q3 Q4 Q5 Q6 Q7
---------------------------------------------------------------------
1 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 25/20 35/30
2 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 25/20 35/30
3 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 25/20 35/30
4 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 25/20 35/30
5 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 25/20 35/30
6 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 25/20 35/30
7 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 25/20 35/30
8 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 25/20 35/30
9 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 25/20 35/30
10 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 25/20 35/30
11 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0
12 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0
13 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0
14 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0
15 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0
16 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0
17 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0
18 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0
19 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0
20 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0
21 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0
22 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0
23 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0
24 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0
25 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0
26 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0 UN/0
SWITCH(config)#


[ Sample Configuration 6-4-5 ] Configuring RED

The following shows how to configure RED on the SURPASS hiD 6610.

SWITCH# configure terminal


SWITCH(config)# qos red enable
SWITCH(config)# qos red 7 start 60 probability 7
SWITCH(config)# show qos red
WRED enabled
-----------------------------------------------
queue | start TH | Queue Length | probability
-----------------------------------------------
0 96 128 5
1 96 128 5
2 96 128 5
3 96 128 5
4 96 128 5
5 96 128 5
6 96 128 5
7 60 128 7

SWITCH(config)#

[Sample Configuration 6-4-6 ] Configuring Admin-access-rule

The following is an example of configuring a rule that denies all Telnet access to the switch.

SWITCH> enable
SWITCH# configure terminal
SWITCH(config)# rule TEST create admin
SWITCH(config-admin-rule[TEST])# priority high
SWITCH(config-admin-rule[TEST])# ip 10.1.1.1 20.1.1.1 tcp 22 any
SWITCH(config-admin-rule[TEST])# cos 0
SWITCH(config-admin-rule[TEST])# match deny
SWITCH(config-admin-rule[TEST])# apply
SWITCH(config-admin-rule[TEST])# exit
SWITCH(config)#

If you save the configured Admin access rule and leave Admin access rule configuration mode without applying it to the switch, the entire configuration is deleted.


7.7 NetBIOS Filtering

NetBIOS is used in a LAN (Local Area Network) environment, where computers have to share information with each other in order to communicate. However, when an ISP (Internet Service Provider) provides Internet access through a LAN service to a specific area such as an apartment complex, each customer's information must be kept private.

[Figure: "Cyber Apt." LAN environment for Internet service. Information is shared between units; sharing information between units needs to be prevented.]

【 Figure 7-9 】 Necessity of NetBIOS Filtering

In this case, without NetBIOS filtering, customers' data may be exposed to each other even though it should be kept private. NetBIOS filtering is necessary to protect customers' information and to prevent it from being shared in the case above.

Command Mode Function

netbios-filter port-number Bridge Configures NetBIOS filtering in specified port.

To release NetBIOS filtering according to user’s request, use the following command.

Command Mode Function

no netbios-filter port-number Bridge Releases NetBIOS filtering from specific port.


To view configuration of NetBIOS filtering, use the following command.

Command Mode Function

show netbios-filter Enable/Global/Bridge Shows configuration of NetBIOS filtering.

The following is an example of configuring NetBIOS filtering in port 1~5 and confirming it.

SWITCH(bridge)# netbios-filter 1-5


SWITCH(bridge)# show netbios-filter
o:enable .:disable
--------------------------
1 2
12345678901234567890123456
--------------------------
ooooo.....................
--------------------------
SWITCH(bridge)#

7.8 DHCP Server Packet Filtering

DHCP (Dynamic Host Configuration Protocol) lets a DHCP server assign IP addresses to DHCP clients automatically and manage those addresses. Most ISP operators provide their service this way. If a DHCP client is then connected to equipment that can itself act as a DHCP server, such as an Internet access gateway router, communication failures may occur.

DHCP filtering keeps the DHCP service working by blocking Requests that enter through a subscriber's port and go out to the uplink port or to another subscriber's port, and Replies that enter through the subscriber's port.

In the example below, server A has the IP address range from 192.168.10.1 to 192.168.10.10. Suppose a user connects Client 3, which can act as a DHCP server, to A in order to share the IP addresses from 10.1.1.1 to 10.1.1.10.


[Figure: DHCP Server A (192.168.10.1~192.168.10.10) and Client 3, equipment which can be a DHCP server (10.1.1.1~10.1.1.10), are connected to the SURPASS hiD 6610 together with Client 1 and Client 2. The IP assignment requests of Client 1 and Client 2 are transmitted to Client 3, so IP addresses are assigned not from DHCP Server A but from Client 3. To prevent IP addresses from being assigned from Client 3, DHCP filtering is needed for the port.]

【 Figure 7-10 】 DHCP Filtering

Here, if Client 1 and Client 2 are not isolated from Client 3, which acts as a DHCP server, they will request and receive IP addresses from Client 3, and communication will be blocked.

Therefore, the filtering function should be configured between Client 1 and Client 3, and between Client 2 and Client 3, so that Client 1 and Client 2 receive their IP addresses from DHCP server A without difficulty.

To configure DHCP filtering on a particular port, enable the filtering function and then designate the port that needs DHCP filtering by using the following command.

Command                             Mode                   Function
dhcp-server-filter port-number      Bridge                 Configures DHCP server packet filtering.
no dhcp-server-filter port-number   Bridge                 Releases DHCP server packet filtering.
show dhcp-server-filter             Enable/Global/Bridge   Checks DHCP server packet filtering.


The following is an example of configuring DHCP filtering on ports 1 to 5 and checking it.

SWITCH(bridge)# dhcp-server-filter 1-5


SWITCH(bridge)# show dhcp-server-filter
o:enable .:disable
--------------------------
1 2
12345678901234567890123456
--------------------------
ooooo.....................
--------------------------
SWITCH(bridge)#
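The "o"/"." status row printed by show netbios-filter and show dhcp-server-filter can be checked against an intended port plan automatically. The following is an added example, not part of the manual: the port roles (1-24 subscriber, 25-26 uplink) are hypothetical, the sample output is constructed in the layout shown above, and treating a filter on an uplink port as a finding is an assumption based on the description that filtering is applied to subscriber ports.

```python
import re

# Constructed sample: `show dhcp-server-filter` output in the layout the manual
# prints after `dhcp-server-filter 1-5` (26 ports, 'o' = enabled, '.' = disabled).
SAMPLE_OUTPUT = "\n".join([
    "o:enable .:disable",
    "-" * 26,
    "         1         2",
    "12345678901234567890123456",
    "-" * 26,
    "o" * 5 + "." * 21,
    "-" * 26,
]) + "\n"


def parse_filter_bitmap(text):
    """Return the set of port numbers marked 'o' in the single status row."""
    rows = [line.strip() for line in text.splitlines()]
    status = [r for r in rows if re.fullmatch(r"[o.]+", r)]
    if len(status) != 1:
        raise ValueError("expected one o/. status row, found %d" % len(status))
    ruler = [r for r in rows if re.fullmatch(r"\d{10,}", r)]
    if ruler and len(ruler[0]) != len(status[0]):
        raise ValueError("status row and port ruler differ in width")
    return {pos + 1 for pos, mark in enumerate(status[0]) if mark == "o"}


def to_ranges(ports):
    """Collapse port numbers into the 'a-b' range form the CLI examples use."""
    runs, run = [], []
    for p in sorted(set(ports)):
        if run and p != run[-1] + 1:
            runs.append(run)
            run = []
        run.append(p)
    if run:
        runs.append(run)
    return [str(r[0]) if len(r) == 1 else "%d-%d" % (r[0], r[-1]) for r in runs]


def audit(text, subscriber_ports, uplink_ports, command="dhcp-server-filter"):
    """Compare the filter state on the switch with the intended port roles."""
    enabled = parse_filter_bitmap(text)
    missing = set(subscriber_ports) - enabled      # subscriber ports left open
    on_uplink = set(uplink_ports) & enabled        # filter set on an uplink
    fixes = ["%s %s" % (command, r) for r in to_ranges(missing)]
    fixes += ["no %s %s" % (command, r) for r in to_ranges(on_uplink)]
    return {"enabled": sorted(enabled), "missing": sorted(missing),
            "on_uplink": sorted(on_uplink), "fixes": fixes}


if __name__ == "__main__":
    # Hypothetical port plan: 1-24 face subscribers, 25-26 are uplinks.
    report = audit(SAMPLE_OUTPUT, range(1, 25), [25, 26])
    print("unfiltered subscriber ports:", to_ranges(report["missing"]))
    for line in report["fixes"]:
        print(line)
```

Passing command="netbios-filter" produces the corresponding commands for the NetBIOS filter, whose show output has the same layout.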

7.9 Martian Filtering

Packets that try to leave a network carrying a source IP address that differs from that network's addresses can be blocked. If a packet carries an IP address other than its own source IP address, it is impossible to tell where it came from when it causes trouble. Therefore, you should prevent this kind of packet from leaving your network. This function is called Martian-filter.

To block packets that try to leave the same network with a different source IP address, use the following command.

Command                            Mode     Function
ip martian-filter interface-name   Global   Blocks packets which bring a different source IP address from the specified interface.

Note

It is not possible to configure both QoS and Martian filtering at the same time.

To release the above configuration, use the following command.

Command                               Mode     Function
no ip martian-filter interface-name   Global   Releases blocked packets which bring a different source IP address from the specified interface.


To view configuration of Martian-filter, use the following command.

Command Mode Function

show running-config Enable/Global/Bridge/Interface Shows switch configurations.

The following is an example of configuring Martian-filter on br1 and checking it.

SWITCH(config)# ip martian-filter br1


SWITCH(config)# show running-config
Building configuration...
(omitted)
!
!

ip martian-filter br1
(omitted)
SWITCH(config)#

7.10 MAC Filtering

Frames can be forwarded according to their destination MAC address. A maximum of 4,096 MAC addresses can be registered without noticeable performance degradation.

7.10.1 Configuring Default Policy of MAC Filtering

By default, the system's basic filtering policy allows all packets on each port. However, the basic policy can be changed on the user's request.

After configuring the basic filtering policy for all packets, use the following command in Bridge mode to confirm the configuration.

Command                                                  Mode                   Function
mac-filter default-policy {deny | permit} port-number    Bridge                 Configures basic policy of MAC Filtering in specified port.
show mac-filter default-policy                           Enable/Global/Bridge   Shows the basic policy.


Information

By default, basic filtering policy provided by system is configured to permit all packets in each port.

[ Sample Configuration 1 ]

This is an example of blocking all packets in port 1~3 and port 7.

SWITCH(bridge)# mac-filter default-policy deny 1-3
SWITCH(bridge)# mac-filter default-policy deny 7
SWITCH(bridge)# show mac-filter default-policy
-------------------------
PORT POLICY | PORT POLICY
------------+------------
1 DENY | 17 PERMIT
2 DENY | 18 PERMIT
3 DENY | 19 PERMIT
4 PERMIT | 20 PERMIT
5 PERMIT | 21 PERMIT
6 PERMIT | 22 PERMIT
7 DENY | 23 PERMIT
8 PERMIT | 24 PERMIT
9 PERMIT | 25 PERMIT
10 PERMIT | 26 PERMIT
11 PERMIT | 27 PERMIT
12 PERMIT | 28 PERMIT
13 PERMIT | 29 PERMIT
14 PERMIT | 30 PERMIT
15 PERMIT | 31 PERMIT
16 PERMIT | 32 PERMIT
SWITCH(bridge)#

7.10.2 Adding Policy of MAC Filter

After configuring the basic policy of MAC filtering, you can add a policy that blocks or allows packets of a specific address. To add such a policy, use the following command in Bridge mode.

Command                                        Mode     Function
mac-filter add mac-address {deny | permit}     Bridge   Allows or blocks packets which bring the configured MAC address to the specified port.


Information

The variable mac-address consists of twelve hexadecimal digits. You can check it by using the command show mac. 00:d0:cb:06:01:32 is an example of a MAC address.

To confirm user’s configuration about MAC filter policy, use the following commands.

Command                             Mode                   Function
show mac-filter                     Enable/Global/Bridge   Shows MAC filter policy.
show mac-filter count               Enable/Global/Bridge   Shows MAC filter policy as many as user configures.
show mac-filter count mac-address   Enable/Global/Bridge   Shows filter policy concerned with specified MAC address as many as user configures.

[ Sample Configuration 2 ]

The latest policy is recorded as number 1. The following is an example of permitting MAC address

00:02:a5:74:9b:17 and 00:01:a7:70:01:d2 and confirming table of filter policy.

SWITCH(bridge)# mac-filter add 00:02:a5:74:9b:17 permit


SWITCH(bridge)# mac-filter add 00:01:a7:70:01:d2 permit
SWITCH(bridge)# show mac-filter
=================================
ID | MAC | ACTION
=================================
1 00:01:a7:70:01:d2 PERMIT
2 00:02:a5:74:9b:17 PERMIT
SWITCH(bridge)#

The following is an example of viewing one configuration.

SWITCH(bridge)# show mac-filter 1


=================================
ID | MAC | ACTION
=================================
1 00:01:a7:70:01:d2 PERMIT
SWITCH(bridge)#


7.10.3 Deleting MAC Filtering Policy

To delete MAC filtering policy, use the following command.

Command                             Mode     Function
mac-filter del source-mac-address   Bridge   Deletes filtering policy for specified MAC address.

To delete MAC filtering function, use the following command.

Command Mode Function

no mac-filter Bridge Deletes all MAC filtering functions.

7.10.4 Listing of MAC Filtering Policy

When you need to create many MAC filtering policies at once, entering the commands one by one is laborious. In that case, it is more convenient to save the MAC filtering policies in "/etc/mfdb.conf" and display the list of MAC filtering policies. To view the list of MAC filtering policies in /etc/mfdb.conf, use the following command.

Command Mode Function

mac-filter list Bridge Shows the list of MAC filtering policy at /etc/mfdb.conf.

7.11 Configuring Max Host

7.11.1 Configuring Max-hosts

You can limit the number of users by configuring the maximum number of users, also called Max host, for each port. When doing so, consider not only the number of PCs in the network but also devices such as switches in the network.

For the SURPASS hiD 6610, you have to lock the port, as with MAC filtering, before configuring Max Host. ISPs can use this configuration to arrange a billing plan for each user.


To configure Max host, use the following command.

Command                                 Mode     Function
max-hosts port-number max-mac-number    Bridge   Limits the number of connections to a port by setting the maximum host.

Information

When Max host is configured as “0”, no one can connect to the port.

The following is an example of allowing two MAC addresses on port 1, five addresses each on ports 2 and 3, and ten addresses on port 4.

SWITCH(bridge)# max-hosts 1 2
SWITCH(bridge)# max-hosts 2 5
SWITCH(bridge)# max-hosts 3 5
SWITCH(bridge)# max-hosts 4 10
SWITCH(bridge)#

To delete max host, use the following command.

Command Mode Function

no max-hosts port-number Bridge Deletes configured max-host.

To check configured max host, use the following command.

Command Mode Function

show max-hosts Enable/Global/Bridge Shows configured max host.

The following is an example of viewing configured max hosts.

SWITCH(bridge)# show max-hosts


port 1 : 0/2 (current/max)
port 2 : 0/5 (current/max)
port 3 : 0/5 (current/max)
port 4 : 0/10 (current/max)
port 5 : 0/Unlimited (current/max)
(omitted)
SWITCH(bridge)#


7.11.2 Configuring Max-new-hosts

Max-new-hosts limits the number of users by configuring the number of MAC addresses that can be learned per second on the system and on a port. The number of MAC addresses that can be learned on the system has priority. To configure Max-new-hosts, use the following command.

Command                                            Mode     Function
max-new-hosts port-number max-mac-number           Bridge   Sets the number of MAC addresses that can be learned on the port per second.
max-new-hosts system port-number max-mac-number    Bridge   Sets the number of MAC addresses that can be learned on the system per second.

To delete the configured Max-new-hosts, use the following command.

Command                        Mode     Function
no max-new-hosts port-number   Bridge   Deletes the number of MAC addresses that can be learned on the port.
no max-new-hosts system        Bridge   Deletes the number of MAC addresses that can be learned on the system.

To check the configured Max-new-hosts, use the following command.

Command Mode Function

show max-new-hosts Enable/Global/Bridge Shows the configured Max-new-hosts.

Note

If a MAC address that has already been counted disappears before 1 second has passed and is then learned again, it is not counted again.

Note

If the same MAC address changes port, it is not counted again. For example, if a MAC address learned on port 1 is then learned on port 2, it is treated as having moved to another port. It is deleted from port 1 and learned on port 2, but it is not counted.


[ Sample Configuration 1 ]

The following limits the number of MAC addresses that can be learned on the system per second to 10 and the number of MAC addresses that can be learned on ports 1-10 per second to 3.

SWITCH(bridge)# max-new-hosts system 10


SWITCH(bridge)# max-new-hosts 1-10 3
SWITCH(bridge)# show max-new-hosts
System : 10

port 1 : 3
port 2 : 3
port 3 : 3
port 4 : 3
port 5 : 3
port 6 : 3
port 7 : 3
port 8 : 3
port 9 : 3
port 10 : 3
port 11 : Unlimited
port 12 : Unlimited
port 13 : Unlimited
port 14 : Unlimited
port 15 : Unlimited
port 16 : Unlimited
port 17 : Unlimited
port 18 : Unlimited
port 19 : Unlimited
port 20 : Unlimited
port 21 : Unlimited
--More--
SWITCH(bridge)#

In the above configuration, once MAC addresses have been learned on ports 1-10, an 11th MAC address that starts being learned is limited, because the number of MAC addresses that can be learned on the system per second has already been exceeded.
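The interaction between the system limit, the port limit and the two notes above is easier to see in a small simulation. This is an added example, not the switch's firmware or code from the manual: the class, the fixed one-second counting window and the MAC addresses are assumptions made for illustration.

```python
class MaxNewHostsModel:
    """Toy model of per-second MAC learning limits (not the switch's code)."""

    def __init__(self, system_limit=None, port_limits=None):
        self.system_limit = system_limit            # None means Unlimited
        self.port_limits = dict(port_limits or {})  # port -> limit per second
        self.table = {}                             # learned MAC -> port
        self.second = None
        self.reset_window()

    def reset_window(self):
        self.system_count = 0
        self.port_count = {}
        self.counted = set()   # MACs already counted in the current second

    def age_out(self, mac):
        """Remove a dynamic entry, as happens when a station disappears."""
        self.table.pop(mac, None)

    def learn(self, now, mac, port):
        """Process one candidate (mac, port) seen at time `now` in seconds."""
        if int(now) != self.second:                 # assumed fixed 1 s window
            self.second = int(now)
            self.reset_window()
        if self.table.get(mac) == port:
            return "known"
        if mac in self.table:                       # port move: not counted again
            self.table[mac] = port
            return "moved"
        if mac in self.counted:                     # relearned within the second
            self.table[mac] = port
            return "relearned"
        if self.system_limit is not None and self.system_count >= self.system_limit:
            return "limited-by-system"              # the system limit has priority
        limit = self.port_limits.get(port)
        if limit is not None and self.port_count.get(port, 0) >= limit:
            return "limited-by-port"
        self.system_count += 1
        self.port_count[port] = self.port_count.get(port, 0) + 1
        self.counted.add(mac)
        self.table[mac] = port
        return "learned"


def mac(n):
    """Constructed test address, not taken from the manual."""
    return "02:00:00:00:00:%02x" % n


def manual_scenario():
    """`max-new-hosts system 10` plus `max-new-hosts 1-10 3`, as in the sample."""
    sw = MaxNewHostsModel(system_limit=10,
                          port_limits={p: 3 for p in range(1, 11)})
    results = [sw.learn(0.1, mac(p), p) for p in range(1, 11)]  # one MAC per port
    results.append(sw.learn(0.5, mac(11), 1))  # 11th MAC; port 1 is below its limit
    results.append(sw.learn(1.2, mac(11), 1))  # next second: counters restart
    return results


if __name__ == "__main__":
    for step, outcome in enumerate(manual_scenario(), start=1):
        print(step, outcome)
```

In the scenario the 11th address is refused although port 1 has learned only one address, which is the system-limit priority described above.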


7.12 Managing MAC Table

Two types of addresses are registered in the MAC table: dynamic addresses and static addresses. A dynamic address is deleted if it is not used after the switch registers it in the MAC table. A static address is configured by the user and remains even after rebooting. To register a static address in the MAC table, use the following command in Bridge configuration mode.

Command                                    Mode                   Function
mac bridge-name port-number mac-address    Bridge                 Registers Static address in MAC table with MAC address, bridge name and port number.
show mac bridge-name [port-number]         Enable/Global/Bridge   Shows MAC address user configured.

The following is an example of registering MAC address 00:01:02:9a:61:17 for port 13 in the MAC table of 1.

SWITCH(bridge)# mac 1 13 00:01:02:9a:61:17


SWITCH(bridge)#

The following is an example of showing MAC address of destination, the specified port number, VLAN

ID, and time registered in table.

SWITCH(bridge)# show mac 1 24


==================================================================
port mac addr permission in use
==================================================================
eth24(24) 00:01:02:9a:61:1a static 0.00
eth24(24) 00:10:5a:84:46:76 OK 0.01
eth24(24) 00:e0:4c:1a:37:17 OK 0.07
eth24(24) 00:d0:cb:0a:a0:b7 OK 0.15
eth24(24) 00:c0:ca:33:5b:90 OK 0.18
eth24(24) 00:03:47:70:e3:30 OK 0.50
(omitted)
SWITCH(bridge)#

To delete Static address in MAC table, use the following commands on Bridge configuration mode.

Command                                             Mode     Function
no mac [bridge-name] [port-number] [mac-address]    Bridge   Deletes specified MAC address registered in specified port.


7.13 Configuring ARP Table

Devices connected to an IP network have two addresses: a LAN address and a network address. The LAN address is sometimes called the data link address because it is used at Layer 2, but it is more commonly known as the MAC address. A switch on Ethernet needs the 48-bit MAC address to transmit packets. The process of finding the proper MAC address from an IP address is called address resolution. Conversely, the process of finding the proper IP address from a MAC address is called reverse address resolution. Siemens switches find the MAC address from the IP address through the Address Resolution Protocol (ARP). ARP saves these addresses in the ARP table for quick lookup. A packet carrying an IP address is transmitted to the network by referring to that IP address in the ARP table. When configuring the ARP table, it is possible to configure it only for specific interfaces.

To match a specific IP address and MAC address, use the following command on configuration mode.

Command                                         Mode     Function
arp ip-address mac-address [interface-name]     Global   Saves IP address and MAC address in ARP table. Also possible to configure a specific interface.

To view ARP table, use the following command on Privilege Exec Enable Mode or configuration mode.

Command Mode Function

show arp [interface-name | ip-address]   Enable/Global   Shows registered ARP table.

To release ARP function about IP address and MAC address, use the following command on

configuration mode.

Command                                  Mode     Function
no arp [ip-address] [interface-name]     Global   Releases ARP function about IP address and MAC address.


The following is an example of saving IP address 10.1.1.1 with MAC address 00:d0:cb:00:00:01 in the ARP table.

SWITCH(config)# arp 10.1.1.1 00:d0:cb:00:00:01


SWITCH(config)#

The following is an example of viewing ARP table.

SWITCH(config)# show arp


Address HWtype HWaddress Flags Mask Iface
172.16.1.254 ether 00:D0:CB:06:01:32 C 1

7.14 ARP-Alias

Even when clients are connected to the same client switch, they may be prevented from communicating with each other for their private security. When you need them to communicate with each other, the SURPASS hiD 6610 supports ARP-alias, which answers ARP requests from the client net through the concentrating switch. In the figure below, the clients 10.1.1.2~10.1.1.5 cannot communicate with each other. In this case, you can configure ARP-alias to answer ARP requests from the clients 10.1.1.2~10.1.1.5. After ARP-Alias is configured, they can communicate through the concentrating switch.

[Figure: the Internet, a concentrating switch, a client switch and a client net with the hosts 10.1.1.2, 10.1.1.3, 10.1.1.4 and 10.1.1.5. For private security it is impossible to communicate between clients, so there is no ARP between clients. ① 10.1.1.2~10.1.1.5 are registered in ARP-Alias. ② The ARP requests of 10.1.1.2~10.1.1.5 are sent to the concentrating switch. ③ The concentrating switch responds to ARP requests from 10.1.1.2~10.1.1.5.]

【 Figure 7-11 】ARP-Alias


To register address of client net range in ARP-Alias, use the following command.

Command                                                    Mode     Function
arp-alias start-ip-address end-ip-address [mac-address]    Global   Registers IP address range and MAC address in ARP-Alias to make user's equipment respond to ARP requests.

Information

If you do not enter a MAC address, the MAC address of the user's equipment is used for the ARP response.

To delete registered IP address range of ARP-Alias, use the following command.

Command                                         Mode     Function
no arp-alias start-ip-address end-ip-address    Global   Deletes registered IP address range of ARP-Alias.

To view ARP-Alias, use the following command.

Command Mode Function

show arp-alias Enable/Global Shows registered ARP-Alias.

【 Sample Configuration 1 】

The following is an example of configuring ARP-Alias by registering IP address from 10.1.1.2 to 10.1.1.5.

SWITCH(config)# arp-alias 10.1.1.2 10.1.1.5


SWITCH(config)#

If you do not enter a MAC address, as in the above example, the MAC address of the hiD 6610 is used.

7.15 Proxy-ARP

The SURPASS hiD 6610 supports Proxy-ARP, which answers ARP requests on behalf of other equipment. In the figure below, Host A has the IP address 172.16.10.100 and its subnet mask is set to /16, so it considers itself connected to network 172.16.0.0.


When Host A needs to send a packet to Host D, it sends an ARP request, assuming that Host D is on the same network. Since ARP requests are transferred by broadcast, the ARP request from Host A is sent not to Host D but to interface 1 and the nodes that belong to subnet A.

[Figure: Host A (172.16.10.100/16) and Host B (172.16.10.200/24) are on subnet A, attached to br1 (172.16.10.99/24) of the SURPASS hiD 6610. Host C (172.16.20.100/24) and Host D (172.16.20.200/24) are on subnet B, attached to br2 (172.16.20.99/24).]

【 Figure 7-12 】Proxy-ARP

However, the SURPASS hiD 6610 knows that Host D belongs to another subnet and is able to transmit packets to Host D. It therefore answers the ARP request from Host A with its own MAC address. In this way, all ARP requests from subnet A to subnet B are answered with the MAC address of the SURPASS hiD 6610, and packets that should be transmitted from Host A to Host D are delivered through the SURPASS hiD 6610.

To configure Proxy-ARP, enter into Interface configuration mode of specific interface and use the

following command.

Command Mode Function

ip proxy-arp Interface Configures Proxy-ARP in specific interface.

To disable Proxy-ARP, use the following command.

Command Mode Function

no ip proxy-arp Interface Disables Proxy-ARP.


【 Sample Configuration 1 】

The following is an example of configuring Proxy-ARP on interface 1.

SWITCH# configure terminal


SWITCH(config)# interface 1
SWITCH(config-if)# ip proxy-arp
SWITCH(config-if)# show running-config
Building configuration...
(omitted)
interface 1
no shutdown
ip proxy-arp
ip address 172.16.209.50/16
!
ip route 0.0.0.0/0 172.16.1.254
!
no snmp
!
SWITCH(config-if)#
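The reasoning behind Figure 7-12 can be traced in code: Host A's /16 mask makes it ARP for Host D directly, and only Proxy-ARP on the ingress interface gets that request answered. This is an added example, not code from the manual; the function names are hypothetical, and the rule that the switch answers only for addresses on its other directly connected subnets is a simplifying assumption.

```python
import ipaddress

# Addresses from Figure 7-12 of the manual.
HOSTS = {
    "A": "172.16.10.100/16",   # mask is wider than the real subnet
    "B": "172.16.10.200/24",
    "C": "172.16.20.100/24",
    "D": "172.16.20.200/24",
}
SWITCH = {"br1": "172.16.10.99/24", "br2": "172.16.20.99/24"}


def host_ip(name):
    return ipaddress.ip_interface(HOSTS[name]).ip


def segment_of(ip):
    """Name of the switch interface whose subnet physically contains `ip`."""
    for name, cfg in SWITCH.items():
        if ip in ipaddress.ip_interface(cfg).network:
            return name
    return None


def host_arps_directly(src, dst):
    """A host ARPs for the destination itself when its own mask says on-link."""
    return host_ip(dst) in ipaddress.ip_interface(HOSTS[src]).network


def switch_proxies(ingress, target_ip, proxy_enabled):
    """Assumed decision: answer only for an address behind a different
    directly connected interface, and only if `ip proxy-arp` is set on ingress."""
    if ingress not in proxy_enabled:
        return False
    seg = segment_of(target_ip)
    return seg is not None and seg != ingress


def proxied_networks(ingress, proxy_enabled):
    """Subnets for which hosts on `ingress` will see the switch's MAC address."""
    if ingress not in proxy_enabled:
        return []
    return [str(ipaddress.ip_interface(cfg).network)
            for name, cfg in SWITCH.items() if name != ingress]


def resolve(src, dst, proxy_enabled=()):
    """Describe who answers when `src` wants to send a packet to `dst`."""
    if not host_arps_directly(src, dst):
        return "sent to default gateway"       # normal routed path
    src_seg, dst_seg = segment_of(host_ip(src)), segment_of(host_ip(dst))
    if src_seg == dst_seg:
        return "answered by %s" % dst          # genuinely on the same segment
    if switch_proxies(src_seg, host_ip(dst), proxy_enabled):
        return "answered by switch (proxy-ARP)"
    return "unanswered"                        # the broadcast never reaches dst


if __name__ == "__main__":
    print("A -> D, proxy off:", resolve("A", "D"))
    print("A -> D, proxy on br1:", resolve("A", "D", proxy_enabled=("br1",)))
    print("B -> D:", resolve("B", "D"))
    print("br1 answers for:", proxied_networks("br1", ("br1",)))
```

Host B, whose mask matches the real subnet, never depends on Proxy-ARP; only the host with the too-wide mask does.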

7.16 Configuring Gratuitous ARP

In SURPASS hiD 6610 3.02 NOS, broadcasting Gratuitous ARP that contains the IP address and MAC address of the gateway keeps the network accessible even when the IP address of a specific host's gateway is repeatedly assigned.

Configure the Gratuitous ARP interval and transmission count using the following commands. Configure the transmission delivery-start in order to transmit Gratuitous ARP after an ARP reply.

Gratuitous ARP is transmitted some time after the ARP reply is transmitted.

Command                                       Mode     Function
arp-patrol interval count {delivery-start}    Global   Configures Gratuitous ARP.
no arp-patrol                                 Global   Releases Gratuitous ARP.
show running-config                           Global   Confirms the configuration of Gratuitous ARP.


The following is an example of setting the transmission interval to 10 seconds and the transmission count to 4 and confirming it.

SWITCH(config)# arp-patrol 10 4
SWITCH(config)# show running-config
Building configuration...

Current configuration:
hostname SWITCH

(Omitted)

arp-patrol 10 4
!
no snmp
!
SWITCH(config)#

7.17 Packet Routing

The SURPASS hiD 6610 provides packet routing based on CPU, host, or network, which means that its capacity for packet routing methods is larger than before.

Information

You can configure a maximum of 13 network-based packet routing methods.

To configure a packet routing method based on CPU, host, or network, use the following command.

Command                      Mode     Function
ip switching-mode host       Global   Configures a packet routing way based on host.
ip switching-mode network    Global   Configures a packet routing way based on network.

Information

Even if you configure more than two routes for packets in the same network using network-based packet routing, only one route is available. If the first route cannot be used, packets are transmitted over the next route.


7.18 ICMP Message Control

ICMP stands for Internet Control Message Protocol. When data cannot be transmitted or a route for the data cannot be configured, ICMP sends an error message about it to the host.

The first 4 bytes of all ICMP messages are the same, but the remaining parts differ according to the type field value and the code field value.

There are fifteen type field values that distinguish the different ICMP messages, and the code field value helps to distinguish each type in more detail.

The following shows simple ICMP message construction.

Bits 0-7: 8-bit type
Bits 8-15: 8-bit code
Bits 16-31: 16-bit checksum
(contents depend on type and code)

【 Figure 7-13 】 ICMP Message

The following table shows explanations for fifteen values of ICMP message type.

Type   Explanation               Type   Explanation
0      echo reply                12     parameter problem
3      destination unreachable   13     timestamp request
4      source quench             14     timestamp reply
5      redirect                  15     information request
8      echo request              16     information reply
9      router advertisement      17     address mask request
10     router solicitation       18     address mask reply
11     time exceeded

ICMP messages can be controlled through configuration. You can configure the device not to send echo reply messages to a partner that is running a ping test against it, and you can configure the interval for transmitting ICMP messages.

You can configure the following to control ICMP messages.


□ Blocking Echo Reply Message

□ Configuring Interval to Transmit ICMP Message

□ Transmitting ICMP Redirect Message

7.18.1 Blocking Echo Reply Message

You can configure the device not to send echo reply messages to a partner that is running a ping test against it. To block echo reply messages, use the following commands.

Command                          Mode     Function
ip icmp ignore echo all          Global   Blocks echo reply message to all partners who are taking ping test to device.
ip icmp ignore echo broadcast    Global   Blocks echo reply message to partner who is taking broadcast ping test to device.

To release blocked echo reply message, use the following commands.

Command                             Mode     Function
no ip icmp ignore echo all          Global   Releases blocked echo reply message to all partners who are taking ping test to device.
no ip icmp ignore echo broadcast    Global   Releases blocked echo reply message to partner who is taking broadcast ping test to device.

7.18.2 Configuring Interval to Transmit ICMP Message

You can configure the interval for transmitting ICMP messages. After you configure the interval, no ICMP message is sent until the configured time has elapsed since the last message. For example, if you configure the interval as 1 second, no ICMP message is sent within 1 second after the last message has been sent.

To configure the interval for transmitting ICMP messages, the administrator should configure the type of message and the interval time.


To configure the interval to transmit ICMP message, use the following command.

Command Mode Function

ip icmp interval rate-mask mask Global Configures the interval to transmit ICMP message

Information

mask should be input as hexadecimal number.

Each ICMP message has the value as follows.

【 Table 7-2 】The value of ICMP Message

TYPE VALUE TYPE VALUE

ICMP_ECHOREPLY 0 ICMP_DEST_UNREACH 3

ICMP_SOURCE_QUENCH 4 ICMP_REDIRECT 5

ICMP_ECHO 8 ICMP_TIME_EXCEEDED 11

ICMP_PARAMETERPROB 12 ICMP_TIMESTAMP 13

ICMP_TIMESTAMPREPLY 14 ICMP_INFO_REQUEST 15

ICMP_INFO_REPLY 16 ICMP_ADDRESS 17

ICMP_ADDRESSREPLY 18

The mask is calculated as follows. When the mask, which is entered as a hexadecimal number, is written as a binary number, "1" means "Status ON" and "0" means "Status OFF". If the position of a digit shown as "1" in the binary number matches the value of an ICMP message, that ICMP message is selected as "Status ON".

Note

Digit positions in the binary number start from 0.

For example, the hexadecimal number "8" is "1000" as a binary number. In 1000, digit 0 is "0", digit 1 is "0", digit 2 is "0" and digit 3 is "1". The digit shown as "1" is digit "3", and ICMP_DEST_UNREACH is the message whose ICMP value is "3". So ICMP_DEST_UNREACH is chosen as the message whose transmission time is limited.


Information

Default for mask is 0x1818.

Information

Maximum mask value is 0xFFFFFFFF.

The default is 0x1818. The hexadecimal number 1818 is 1100000011000 as a binary number. Counting from digit 0, digits 3, 4, 11 and 12 are "1", which means "STATUS ON". Therefore, the messages that correspond to 3, 4, 11 and 12 are chosen as the messages whose transmission rate is limited.

The following shows the result of mask calculation of Default.

【 Table 7-3 】The calculation for Default mask

TYPE STATUS

ICMP_ECHOREPLY(0) OFF

ICMP_DEST_UNREACH(3) ON

ICMP_SOURCE_QUENCH(4) ON

ICMP_REDIRECT(5) OFF

ICMP_ECHO(8) OFF

ICMP_TIME_EXCEEDED(11) ON

ICMP_PARAMETERPROB(12) ON

ICMP_TIMESTAMP(13) OFF

ICMP_TIMESTAMPREPLY(14) OFF

ICMP_INFO_REQUEST(15) OFF

ICMP_INFO_REPLY(16) OFF

ICMP_ADDRESS(17) OFF

ICMP_ADDRESSREPLY(18) OFF


To configure the interval by which ICMP message transmission is limited, use the following command.

Command Mode Function

ip icmp interval rate-limit interval Global Configures how much time ICMP transmission time is limited

Information

The unit for “interval” is 10㎳ (1/100 s).

Information

The default transmission time is 1 second (100㎳).

Information

If 0 is input in “interval”, the message is sent without limiting interval.

To return to default configuration, use the following command.

Command Mode Function

ip icmp interval default Global Returns to default configuration


[Sample Configuration 1]

The following limits the transmission rate of the ICMP_ECHO, ICMP_INFO_REQUEST and ICMP_INFO_REPLY messages.

ICMP_ECHO is 8, ICMP_INFO_REQUEST is 15 and ICMP_INFO_REPLY is 16, so the mask is the binary number in which digits 8, 15 and 16 are “1”, converted into a hexadecimal number. As a binary number it is 11000000100000000, and as a hexadecimal number it is 18100.

SWITCH(config)# ip icmp interval rate-mask 0x18100
SWITCH(config)# show ip icmp interval
----------------------------------------
RATE-LIMIT : 100 (default:100)
----------------------------------------
RATE-MASK : 0x18100 (default:0x1818)
----------------------------------------
TYPE | STATUS
----------------------------------------
ICMP_ECHOREPLY(0) | OFF
ICMP_DEST_UNREACH(3) | OFF
ICMP_SOURCE_QUENCH(4) | OFF
ICMP_REDIRECT(5) | OFF
ICMP_ECHO(8) | ON
ICMP_TIME_EXCEEDED(11) | OFF
ICMP_PARAMETERPROB(12) | OFF
ICMP_TIMESTAMP(13) | OFF
ICMP_TIMESTAMPREPLY(14)| OFF
ICMP_INFO_REQUEST(15) | ON
ICMP_INFO_REPLY(16) | ON
ICMP_ADDRESS(17) | OFF
ICMP_ADDRESSREPLY(18) | OFF
----------------------------------------
SWITCH(config)#
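The mask arithmetic described above, as an added example that is not part of the manual: it builds a rate-mask from message names, decodes a mask back into the ON/OFF status, and reports what changes when one mask replaces another. The ICMP values come from Table 7-2; the function names are assumptions of this example.

```python
# ICMP message values from Table 7-2 of this manual.
ICMP_TYPES = {
    "ICMP_ECHOREPLY": 0, "ICMP_DEST_UNREACH": 3, "ICMP_SOURCE_QUENCH": 4,
    "ICMP_REDIRECT": 5, "ICMP_ECHO": 8, "ICMP_TIME_EXCEEDED": 11,
    "ICMP_PARAMETERPROB": 12, "ICMP_TIMESTAMP": 13, "ICMP_TIMESTAMPREPLY": 14,
    "ICMP_INFO_REQUEST": 15, "ICMP_INFO_REPLY": 16, "ICMP_ADDRESS": 17,
    "ICMP_ADDRESSREPLY": 18,
}
MAX_MASK = 0xFFFFFFFF   # maximum mask value stated in the manual
DEFAULT_MASK = 0x1818   # default mask stated in the manual
KNOWN_BITS = sum(1 << bit for bit in ICMP_TYPES.values())


def encode_mask(names):
    """Build the mask: set the digit whose position equals each ICMP value."""
    mask = 0
    for name in names:
        if name not in ICMP_TYPES:
            raise ValueError("unknown ICMP message: %s" % name)
        mask |= 1 << ICMP_TYPES[name]
    return mask


def parse_mask(text):
    """Parse a mask as typed on the CLI (hexadecimal, with or without 0x)."""
    value = int(text, 16)
    if not 0 <= value <= MAX_MASK:
        raise ValueError("mask must be between 0x0 and 0xFFFFFFFF")
    return value


def decode_mask(mask):
    """Return ({name: True if ON}, [set digits that have no name in Table 7-2])."""
    status = {name: bool((mask >> bit) & 1) for name, bit in ICMP_TYPES.items()}
    unnamed = [bit for bit in range(32) if ((mask & ~KNOWN_BITS) >> bit) & 1]
    return status, unnamed


def limited(mask):
    """Names of the messages a mask selects, in ICMP value order."""
    status, _ = decode_mask(mask)
    return [name for name in ICMP_TYPES if status[name]]


def mask_change(old, new):
    """Return (newly selected, no longer selected) when `new` replaces `old`."""
    before, after = set(limited(old)), set(limited(new))
    return sorted(after - before), sorted(before - after)


def rate_mask_command(names):
    """Format the command line for the given message names."""
    return "ip icmp interval rate-mask 0x%X" % encode_mask(names)


if __name__ == "__main__":
    wanted = ["ICMP_ECHO", "ICMP_INFO_REQUEST", "ICMP_INFO_REPLY"]
    print(rate_mask_command(wanted))
    added, dropped = mask_change(DEFAULT_MASK, encode_mask(wanted))
    print("newly limited:", added)
    print("no longer limited:", dropped)
```

As in the show output of the sample configuration, a new mask replaces the default selection rather than adding to it, which is what mask_change reports.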

7.18.3 Transmitting ICMP Redirect Message

The user can configure the switch to transmit ICMP Redirect Messages. Transmitting ICMP Redirect Messages is one of the ways of preventing DoS (Denial of Service), and it lets the switch provide constant service to the hosts. SURPASS hiD 6610 transmits to the host a more optimized route than the present route between the host connected to the switch and the specific destination.


To activate the function transmitting ICMP Redirect Message, use the following command.

Command Mode Function

ip redirects Global Activates the function transmitting ICMP Redirect Message.

no ip redirects Global Deactivates the function transmitting ICMP Redirect Message.

show running-config Enable/Global Checks the present configuration.

The following is an example for configuring ICMP Redirect Message and checking the configuration.

SWITCH(config)# show running-config

(omitted)

interface 1
ip address 222.121.68.247/24
!
!
!
SWITCH(config)# ip redirects
SWITCH(config)# show running-config

(omitted)

interface 1
ip address 222.121.68.247/24
!!
ip redirects
!
!
SWITCH(config)#

7.19 IP TCP flag control

The TCP (Transmission Control Protocol) header includes six kinds of flags: URG, ACK, PSH, RST, SYN, and FIN. In SURPASS hiD 6610, you can configure RST and SYN as described below.

□ RST Configuration

□ SYN Configuration


7.19.1 RST Configuration

RST sends a message to the party trying to make a TCP connection that the connection cannot be made. However, it is also possible to configure the switch not to send this message. This function helps prevent hackers from finding out which connections are impossible.

To configure the switch not to send the message that informs that a TCP connection cannot be made, use the following command.

Command Mode Function

ip tcp ignore rst-unknown Global Configures not to send the message that informs TCP connection cannot be done.

Information

By default, RST is enabled.

To enable RST, use the following command.

Command Mode Function

no ip tcp ignore rst-unknown Global Enables RST.

7.19.2 SYN Configuration

SYN sets up a TCP connection. SURPASS hiD 6610 transmits cookies with SYN to the party trying to make a TCP connection, and the TCP connection is permitted only when the transmitted cookies are returned. This function prevents connections from being crowded out by users who have connected but are not using the service, and helps the other users use the service.

To permit a connection only when the transmitted cookies are returned after sending cookies with SYN, use the following command.

Command Mode Function

ip tcp syncookies Global Permits only when transmitted cookies are returned after sending cookies with SYN.


To disable the above configuration, use the following command.

Command Mode Function

no ip tcp syncookies Global Disables the configuration that permits only when transmitted cookies are returned after sending cookies with SYN.

[Sample Configuration 1]

The following is an example of disabling RST and permitting a connection only when transmitted cookies are returned after sending cookies with SYN.

SWITCH(config)# ip tcp ignore rst-unknown
SWITCH(config)# ip tcp syncookies
SWITCH(config)# show running-config
Building configuration...
(omitted)
ip tcp ignore rst-unknown
ip tcp syncookies
!
ip route 0.0.0.0/0 172.16.254.1
!
dot1x address 172.16.209.5
dot1x port enable 1
!
no snmp
!
SWITCH(config)#


8. System Main Function

This chapter describes main functions of this switch such as VLAN, Port trunking, and STP. It contains

the following sections.

■ VLAN

■ Port Trunking

■ LACP Configuration

■ STP and RSTP, PVST and MSTP

■ Stacking

■ Configuring Port Bandwidth

■ Flood-Guard

■ Configuring Bandwidth-share-group

■ IP IGMP

■ PIM-SM

■ VRRP

■ Bandwidth

■ DHCP

■ Broadcast Storm Control

■ Blocking Direct Broadcast

8.1 VLAN(Virtual Local Area Network)

Every node in the same LAN can receive information from another node by Broadcast. However, this has the inconvenience of delivering unnecessary Broadcast information. If you divide the LAN again into logical LANs, only the nodes on the same logical LAN receive the Broadcast information.

A LAN separated in this way is called a VLAN (Virtual LAN). It is a network logically separated according to the user’s needs, and a VLAN contains many ports. A network composed of VLANs can transmit packets only within the same VLAN if there is no routing function.

The following is an example of construction based on the port in Layer 2 environment.


【 Figure 8-1 】 VLAN structure based on the port in Layer 2 environment (Figure: SURPASS hiD 6610 with VLANs br 1, br 2 and br 3.)

In the above figure, br1, br2 and br3, configured as VLANs, are logically configured virtual networks. When the switch operates as Layer 2, communication is possible within the same virtual network but impossible with another virtual network. SURPASS hiD 6610 provides a Layer 3 switching function so that ports in different VLANs can communicate with each other.

VLAN decreases Ethernet traffic to improve the transmission rate and strengthens security by transmitting per VLAN. You can construct a VLAN based on port, MAC address, or protocol. A port-based VLAN designates the VLAN by ports, and a port can belong to several VLANs. A MAC-address-based VLAN configures the VLAN by MAC addresses; even if the administrator changes the connection port, the VLAN does not change because it uses the MAC address itself. A protocol-based VLAN structures the VLAN by protocol. SURPASS hiD 6610 supports VLANs based on the port and on the protocol. The number of VLANs that can be generated is 4096, and up to 8 protocol-based VLANs can be generated.

To decide the packet path, the protocol-based VLAN is used first. When a packet is transmitted, it is forwarded to the VLAN the user configured. However, if the user did not configure a VLAN for the packet, the packet path is decided according to the port.


In accordance with the IEEE 802.1q standard, SURPASS hiD 6610 already has a VLAN ID (PVID) on all ports. A packet entering a Tagged port keeps its VLAN ID, and a packet transmitted to an Untagged port receives the PVID that the system configured. In other words, the ports of SURPASS hiD 6610 that make up a VLAN network can transmit packets to a VLAN by PVID.

The following is how to decide packet route by VLAN configured in SURPASS hiD 6610 S.

Check protocol
  → There’s VLAN constructing with the appropriate protocol. → Transmit to VLAN
  → There’s no appropriate protocol. → Check the port of packets
      → Tagged port → Transmits according to Tag
      → Untagged port → Transmits packets by giving PVID on them

【 Figure 8-2 】The process of deciding packet route based on VLAN

VLAN has the following features.

◆ Enlarged Network Bandwidth

Users belonging to different VLANs can use more bandwidth than in a network without VLANs because they do not receive unnecessary Broadcast information.

◆ Cost-Effective Way

When you use VLAN to prevent unnecessary traffic load caused by broadcast, you get a cost-effective network composition since a switch is not needed.

◆ Strengthened Security

Nodes usually share broadcast information, but in some cases authorization is required for the information. VLAN makes it possible for a VLAN to consist only of authorized users, so that network security is strengthened.


VLAN configuration is described in the following order.

□ Default VLAN

□ Configuring VLAN based on the port

□ Configuring VLAN based on the protocol

□ Configuring QinQ

□ Configuring FID

□ Confirming the configuration related to VLAN

8.1.1 Default VLAN

In SURPASS hiD 6610, all ports are initially configured in the Default VLAN. The Default VLAN has PVID 1 and cannot be deleted. To put ports in a newly generated VLAN without duplication, the user should delete the ports from the Default VLAN. Ports deleted from another VLAN are automatically placed in the Default VLAN. Likewise, ports that were once member ports of a Trunk port and were then released are placed in the Default VLAN.

The following is an example of deleting port number 3 from br2 and showing that it returns to the Default VLAN.

SWITCH(bridge)# vlan create br2
SWITCH(bridge)# vlan del default 3,4
SWITCH(bridge)# vlan add br2 3,4 untagged
SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
-----------------------------------------------------------------
| 1 2 3 4
Name( VID| FID) |123456789012345678901234567890123456789012
-----------------------------------------------------------------
default( 1| 1) |uu..uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu
br2( 2| 2) |..uu......................................
SWITCH(bridge)# vlan del br2 3
SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
-----------------------------------------------------------------
| 1 2 3 4
Name( VID| FID) |123456789012345678901234567890123456789012
-----------------------------------------------------------------
default( 1| 1) |uuu.uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu
br2( 2| 2) |...u......................................
SWITCH(bridge)#


8.1.2 Configuring VLAN based on the port

To configure a port-based VLAN in SURPASS hiD 6610, first make a new VLAN, then designate its member ports and assign a PVID to them. VLAN configuration is described in the following order.

□ Making VLAN

□ Specifying PVID

□ Assigning Port in VLAN

□ Releasing VLAN

(1) Making VLAN

In SURPASS hiD 6610, make the vlan-name in the form “brN” (N = integer) to make a VLAN. The VID of each VLAN is automatically configured as “N”. In other words, the VID of br2 is 2 and the VID of br100 is 100. The Default VLAN is the VLAN that has VID 1.

Therefore the user cannot make a VLAN named br1.

To configure a new VLAN in the user’s network, use the following command.

Command Mode Function

vlan create vlan-name Bridge By designating VLAN name, make new VLAN.

Information

Make the vlan-name in the form “brN” (N = integer) or “N”. If you input a name that is not in the form brN, the following message is displayed.

SWITCH(bridge)# vlan create A
%invalid input parameter: A
SWITCH(bridge)#

Information

When vlan-name is given in the form “N”, you can enter a range using “-” and list several values using “,”. In the form “brN”, you must configure VLANs one by one.


(2) Specifying PVID

In SURPASS hiD 6610, the “N” of vlan-name is automatically configured as the VID. For example, if vlan-name is configured as “br2” or “2”, the VID will also be “2”.

The user can designate the PVID. To designate the PVID on a port, use the following command.

Command Mode Function

vlan pvid port-number <1-4094> Bridge The user can configure PVID as desired. It is possible to configure PVID from 1 to 4094.

(3) Assigning and deleting port

After making a new VLAN, you should assign ports to it. In SURPASS hiD 6610, because all ports initially belong to the interface “default”, you should delete the ports from “default” in order to assign them to another VLAN without duplication.

Information

In SURPASS hiD 6610, all ports initially belong to “default”. To assign them to a VLAN without duplication, first delete the ports from “default”.

The following commands delete ports from and assign ports to a VLAN.

Command Mode Function

vlan add vlan-name port-number {tagged | untagged} Bridge Designate the VLAN the port belongs to and configure the port as tagged or untagged.

vlan del vlan-name port-number Bridge Delete the port in VLAN.

Information

When you designate several ports in a VLAN, enter the port numbers separated by “,” without spaces. To designate a continuous range of ports, enter them using “-”.


(4) Describing VLAN

After making a VLAN, you can add a description for a specific VLAN.

The following command adds a description for a specific VLAN.

Command Mode Function

vlan description vlan-name description Bridge Describes for specific VLAN.

(5) Releasing VLAN function

To delete a VLAN configured in SURPASS hiD 6610, first delete all ports in that VLAN. Then disable the VLAN interface and delete the VLAN.

The following is an example of deleting the designated VLAN.

Step 1 In bridge mode, delete all ports in VLAN by using the commands.

Command Mode Function

vlan del vlan-name port-number Bridge Delete all ports in VLAN.

Step 2 Enter interface mode from configuration mode in order to disable virtual interface.

Command Mode Function

interface interface-name Global Input the name of VLAN which is going to be deleted and enter into interface mode.

shutdown Interface Disable virtual interface.

Step 3 Delete VLAN using the following command in bridge mode.

Command Mode Function

no vlan vlan-name Bridge Deletes VLAN.


Note

If you delete a VLAN, all ports in that VLAN are disabled. These ports stay disabled until they are assigned to a new VLAN.

8.1.3 Configuring VLAN based on protocol

To configure a protocol-based VLAN, designate the port, protocol and PVID. If an entering packet corresponds to the protocol of which the VLAN is composed, it is transmitted to the VLAN according to the configured PVID.

To configure a protocol-based VLAN, use the following command.

Command Mode Function

vlan pvid port-number ethertype ethertype <1-4094> Bridge Configure VLAN based on protocol by designating packet type.

In order to clear VLAN based on protocol, use the following command.

Command Mode Function

no vlan pvid port-number ethertype [ethertype] Bridge Clears configured VLAN based on protocol.

8.1.4 Configuring QinQ

In a QinQ environment, networks where different VLANs are configured can communicate by using one VLAN.

It is also called Double Q-tag because another Tag is attached in order to send a packet.

In an existing network environment, suppose that there are two switches composed of different VLANs. On all switches connecting those two switches, the VLANs would have to be configured identically. However, with the QinQ function of SURPASS hiD 6610 you do not need to configure a number of VLANs.


【 Figure 8-3 】The network construction of QinQ configuration

(Figure: Network A-1 and Network A-2 each communicate with PVID 10 and are connected through SWITCH 1 and SWITCH 2; the other VLAN network connecting Network A-1 and Network A-2 is configured with PVID 3. Callouts: If you configure QinQ on the port connected to Network A-1, the designated PVID is attached to the current PVID; here, configure the PVID connecting SWITCH 1 and SWITCH 2. If you configure QinQ on the port connected to Network A-2, the original PVID shows by taking off the covered PVID.)

In the above figure, when Network A-1 sends packets to Network A-2, the packets are transmitted to the QinQ port of SWITCH 1 and are then sent to Network A-2 through SWITCH 2, where QinQ has been configured.

If you configure QinQ on the port connected to Network A-2, the original PVID shows by taking off the covered PVID.

When packets are sent to SWITCH 1 from Network A-1, another Tag is attached to the packets going out from the QinQ port. This Tag is used to transmit packets from a network where a number of VLANs are configured. When the packets are transmitted to Network A-2 through the QinQ port of SWITCH 2, the Tag attached on the QinQ port is removed and the packet is transmitted with its original Tag.

Note

Configure the ports other than the QinQ port as Tagged ports.

Because the ports other than the QinQ port must transmit Tagged packets, they should be configured as Tagged ports.
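The tag handling described in this section, as an added example that is not part of the manual: it models the route decision of Figure 8-2 (protocol-based VLAN first, then the tag or the PVID) and the attaching and removing of the outer Tag on a QinQ port as in Figure 8-3. All function names and the constructed frames are assumptions; the example also assumes that an untagged frame on a Tagged port falls back to the PVID and that a QinQ port removes only an outer Tag matching its own PVID.

```python
import struct

TPID_8021Q = 0x8100   # Tag Protocol Id shown by `show vlan dot1q-tunnel`
DEFAULT_PVID = 1      # PVID of the Default VLAN


def build_tag(vid, tpid=TPID_8021Q):
    """Return a 4-byte tag: TPID, then a TCI whose low 12 bits are the VLAN ID."""
    if not 1 <= vid <= 4094:
        raise ValueError("PVID must be in the range 1-4094")
    return struct.pack("!HH", tpid, vid)


def read_tags(frame, tpid=TPID_8021Q):
    """Return ([VLAN IDs, outermost first], EtherType of the payload)."""
    vids, offset = [], 12              # tags start after the two MAC addresses
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (tpid, TPID_8021Q):
            return vids, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)
        offset += 4


def classify_vlan(frame, port, pvid, protocol_vlans, tagged_ports):
    """Figure 8-2: protocol-based VLAN first, then Tagged port, then PVID."""
    vids, ethertype = read_tags(frame)
    if (port, ethertype) in protocol_vlans:
        return protocol_vlans[(port, ethertype)]
    if port in tagged_ports and vids:
        return vids[0]
    return pvid.get(port, DEFAULT_PVID)


def qinq_ingress(frame, port_pvid, tpid=TPID_8021Q):
    """Frame entering a QinQ port: attach the port PVID in front of any Tag."""
    return frame[:12] + build_tag(port_pvid, tpid) + frame[12:]


def qinq_egress(frame, port_pvid, tpid=TPID_8021Q):
    """Frame leaving through a QinQ port: remove the outer Tag, keep the original."""
    vids, _ = read_tags(frame, tpid)
    if not vids or vids[0] != port_pvid:
        raise ValueError("outer Tag does not carry PVID %d" % port_pvid)
    return frame[:12] + frame[16:]


# Constructed sample frames: destination MAC, source MAC, optional Tag, EtherType.
MACS = bytes.fromhex("020000000002" + "020000000001")
CUSTOMER_FRAME = MACS + build_tag(10) + struct.pack("!H", 0x0800) + b"payload"
UNTAGGED_FRAME = MACS + struct.pack("!H", 0x0800) + b"payload"

if __name__ == "__main__":
    tunneled = qinq_ingress(CUSTOMER_FRAME, 3)        # SWITCH 1, PVID 3 as in Figure 8-3
    print("tags inside the tunnel:", read_tags(tunneled)[0])
    print("restored:", qinq_egress(tunneled, 3) == CUSTOMER_FRAME)
```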


(1) Configuring QinQ

To configure QinQ, configure as QinQ the port where the other VLAN is configured, and configure on that port the PVID used for the other VLAN’s network. In the case of 【 Figure 7-1-3 】The construction example of QinQ configuration, configure the PVID as “3”.

The following is the order of configuring QinQ.

Step 1 In order to configure the port where QinQ is configured, follow below order.

Command Mode Function

vlan dot1q-tunnel enable port-number Bridge Configure QinQ on the designated port.

Information

The port where QinQ is configured does not operate as a member of VLAN.

Step 2 Configure the same PVID with network communicating to other VLAN on the port where
QinQ is configured.

Command Mode Function

vlan pvid port-number <1-4094> Bridge Configure PVID from 1 to 4094.

(2) Configuring the kind of TPID

TPID (Tag Protocol Identifier) indicates the kind of Tag protocol and the protocol currently used. The user can change the TPID.

Information

In TPID, the port configuring 802.1q(0x8100) does not operate as the member of VLAN.

To configure the TPID of a QinQ port, use the following command.

Command Mode Function

vlan dot1q-tunnel tpid tpid Bridge Configure TPID of QinQ port.


(3) Releasing QinQ

In order to release the configuration of QinQ, use the following command.

Command Mode Function

vlan dot1q-tunnel disable port-number Bridge Release the configuration as QinQ port.

8.1.5 Configuring Shared-VLAN in Layer 2 dedicated switch

Note

This configuration applies only if SURPASS hiD 6610 is used as an L2 dedicated switch.

SURPASS hiD 6610 is actually a Layer 3 switch, but it can be used as a Layer 2 dedicated switch. When it is used as a Layer 2 switch, there is no routing function, so communication between VLANs is not possible. In particular, the port designated as the Uplink port should receive packets from all VLANs. When the switch is used as a Layer 2 switch, if the user does not configure the Uplink port in all VLANs, it cannot receive the packets.


Therefore, to configure VLANs in a Layer 2 switch, you should configure the Uplink port to belong to all VLANs as below.

SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
-----------------------------------------------------------------
| 1 2 3 4
Name( VID| FID) |123456789012345678901234567890123456789012
-----------------------------------------------------------------
default( 1| 1) |u...uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu
br2( 2| 2) |.u.....................u..................
br3( 3| 3) |..u....................u..................
br4( 4| 4) |...u...................u..................
SWITCH(bridge)#

【 Figure 8-4 】In case the packets going outside in Layer 2 environment

(Figure: default, br2, br3 and br4 connected to the External Network through the Uplink Port. Callout: By configuring the Uplink port as a member of all VLANs, packets going out from each VLAN are transmitted through the Uplink port.)

In the above configuration, when an Untagged packet enters port number 1, the PVID attaches tag 1. Because Uplink port 24 belongs to VLAN 1, the packet can be transmitted to port number 24.

The problem is an Untagged packet entering the Uplink port. It is hard to know to which port, and with which PVID, an Untagged packet coming down through the Uplink port should be transmitted.


SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
-----------------------------------------------------------------
| 1 2 3 4
Name( VID| FID) |123456789012345678901234567890123456789012
-----------------------------------------------------------------
default( 1| 1) |u...uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu
br2( 2| 2) |.u.....................u..................
br3( 3| 3) |..u....................u..................
br4( 4| 4) |...u...................u..................
SWITCH(bridge)#

【 Figure 8-5 】In case external packets enter under Layer 2 environment ①

(Figure: default, br2, br3 and br4 connected to the External Network through the Uplink Port. Callout: When untagged packets should be transmitted to br3 through the Uplink port, it is impossible to know what kind of PVID should be attached.)

To transmit untagged packets from the Uplink port to the other ports, you should create a VLAN that has all ports, including the Uplink port, as members.

With this configuration, the Uplink port recognizes all ports. What helps packet transmission here is the FID. The FID is used to control the MAC table, and VLANs with the same FID are managed with the same MAC table, so the switch knows how to process the packet. If you do not configure the same FID, packets are flooded because the switch cannot find the information in the MAC table.


SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
-----------------------------------------------------------------
| 1 2 3 4
Name( VID| FID) |123456789012345678901234567890123456789012
-----------------------------------------------------------------
default( 1| 5) |u...uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu
br2( 2| 5) |.u.....................u..................
br3( 3| 5) |..u....................u..................
br4( 4| 5) |...u...................u..................
br4( 5| 5) |uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu

SWITCH(bridge)#

【 Figure 8-6 】In case external packet enter in Layer 2 environment②

(Figure: default, br2, br3 and br4 connected to the External Network through the Uplink Port; br5 contains all ports, and the same FID is configured for all ports. Callout: Packet transmission to br3 is possible since a connection is established among them.)

Therefore, for L2 exclusive use, add the Uplink port to all VLANs as a member, create one more VLAN that has all ports as members, and configure the same FID for communication between the VLANs. To configure the FID, use the following command.

Command Mode Function

vlan fid vlan-name fid Bridge FID value is from 1 to 4094.
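One way to check the three Shared-VLAN conditions of this section against `show vlan` output, as an added example that is not part of the manual: the Uplink port is a member of every VLAN, one VLAN contains all ports, and every VLAN has the same FID. The function names are assumptions, and the two sample outputs are constructed after the `show vlan` listings in this manual (42 ports, Uplink port 24).

```python
import re

# One row of `show vlan`, for example "br2( 2| 5) |..uu......" (u/t/. per port).
ROW = re.compile(r"^\s*(\S+?)\(\s*(\d+)\s*\|\s*(\d+)\s*\)\s*\|([ut.]+)\s*$")


def parse_show_vlan(text):
    """Return {vlan name: {"vid", "fid", "ports": {port number: "u" or "t"}}}."""
    vlans = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if match is None:
            continue                   # prompt, legend, ruler and header lines
        name, vid, fid, columns = match.groups()
        ports = {n: flag for n, flag in enumerate(columns, start=1) if flag != "."}
        vlans[name] = {"vid": int(vid), "fid": int(fid), "ports": ports}
    return vlans


def check_shared_vlan(vlans, uplink):
    """Return a list of findings; an empty list means all three conditions hold."""
    findings = []
    all_ports = set().union(*(v["ports"] for v in vlans.values()))
    for name, vlan in vlans.items():
        if uplink not in vlan["ports"]:
            findings.append("%s: Uplink port %d is not a member" % (name, uplink))
    if not any(set(v["ports"]) == all_ports for v in vlans.values()):
        findings.append("no VLAN contains all ports")
    fids = sorted({v["fid"] for v in vlans.values()})
    if len(fids) > 1:
        findings.append("VLANs use different FID values: %s" % fids)
    return findings


# Constructed sample: Uplink port 24 in every VLAN, but separate FIDs and no br5.
BEFORE = "\n".join([
    "SWITCH(bridge)# show vlan",
    "u: untagged port, t: tagged port",
    "Name( VID| FID) |" + "1234567890" * 4 + "12",
    "default( 1| 1) |" + "u..." + "u" * 38,
    "br2( 2| 2) |" + ".u" + "." * 21 + "u" + "." * 18,
    "br3( 3| 3) |" + "..u" + "." * 20 + "u" + "." * 18,
    "br4( 4| 4) |" + "...u" + "." * 19 + "u" + "." * 18,
])

# Constructed sample: br5 holds all ports and every VLAN uses FID 5.
AFTER = "\n".join([
    "SWITCH(bridge)# show vlan",
    "default( 1| 5) |" + "uu" + "." * 6 + "u" * 34,
    "br2( 2| 5) |" + "..uu" + "." * 19 + "u" + "." * 18,
    "br3( 3| 5) |" + "...." + "uu" + "." * 17 + "u" + "." * 18,
    "br4( 4| 5) |" + "." * 6 + "uu" + "." * 15 + "u" + "." * 18,
    "br5( 5| 5) |" + "u" * 42,
])

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_shared_vlan(parse_show_vlan(text), uplink=24))
```

Because VLANs with the same FID are managed with the same MAC table, a result with no findings also means the VLANs no longer keep separate MAC tables.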


8.1.6 Showing the configuration for VLAN

In SURPASS hiD 6610, you can confirm the configuration of port-based VLAN, protocol-based VLAN and QinQ. The configuration is confirmed as follows.

Command Mode Function

show vlan Enable/Global/Bridge Shows all VLAN configuration.

show vlan vlan-name Enable/Global/Bridge Shows the configuration for specific VLAN.

show vlan description Enable/Global/Bridge Shows the description for specific VLAN.

show vlan dot1q-tunnel Enable/Global/Bridge Shows QinQ configuration.

show vlan protocol Enable/Global/Bridge Shows VLAN based on protocol.


8.1.7 Sample Configuration

[ Sample Configuration 1 ] Configuring port based VLAN

The following assigns port 2, port 3 and port 4 to br2, br3 and br4.

SWITCH(bridge)# vlan create br2
SWITCH(bridge)# vlan create br3
SWITCH(bridge)# vlan create br4
SWITCH(bridge)# vlan del default 2-4
SWITCH(bridge)# vlan add br2 2 untagged
SWITCH(bridge)# vlan add br3 3 untagged
SWITCH(bridge)# vlan add br4 4 untagged
SWITCH(bridge)# vlan pvid 2 2
SWITCH(bridge)# vlan pvid 3 3
SWITCH(bridge)# vlan pvid 4 4
SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
-----------------------------------------------------------------
| 1 2 3 4
Name( VID| FID) |123456789012345678901234567890123456789012
-----------------------------------------------------------------
default( 1| 1) |u...uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu
br2( 2| 2) |.u........................................
br3( 3| 3) |..u.......................................
br4( 4| 4) |...u......................................
SWITCH(bridge)#


[ Sample Configuration 2 ] Deleting port based VLAN

The following deletes br3 from the configured VLANs.

SWITCH(bridge)# vlan del br3 3
SWITCH(bridge)# exit
SWITCH(config)# interface br3
SWITCH(interface)# shutdown
SWITCH(interface)# exit
SWITCH(config)# bridge
SWITCH(bridge)# no vlan br3
SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
-----------------------------------------------------------------
| 1 2 3 4
Name( VID| FID) |123456789012345678901234567890123456789012
-----------------------------------------------------------------
default( 1| 1) |u...uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu
br2( 2| 2) |.u........................................
br4( 4| 4) |...u......................................
SWITCH(bridge)#


[Sample Configuration 3 ] Configuring protocol based VLAN

The following configures protocol-based VLAN on port number 2 and port number 4.

(Figure: Default, br2, br3, br4. Callouts: 0x800 packet among the packets entering to Port 2; 0x900 packet among the packets entering to Port 4.)

SWITCH(bridge)# vlan pvid 2 ethertype 0x800 5
SWITCH(bridge)# vlan pvid 4 ethertype 0x900 6
SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
-----------------------------------------------------------------
| 1 2 3 4
Name( VID| FID) |123456789012345678901234567890123456789012
-----------------------------------------------------------------
default( 1| 1) |u...uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu
br2( 2| 2) |.u........................................
br3( 3| 3) |..u.......................................
br4( 4| 4) |...u......................................
SWITCH(bridge)# show vlan protocol
---------------------------------------------------------------
| 1 2 3 4
Ethertype | VID |123456789012345678901234567890123456789012
---------------------------------------------------------------
0x0800 2 .p........................................
0x0900 4 ...p......................................
SWITCH(bridge)#

With the above configuration, the route of packets from port number 2 and 4 is decided according to the kind of protocol. If the protocol does not match, the route is decided according to the port-based VLAN.

[Sample Configuration 4 ] Configuring QinQ


Port 10 of SWITCH 1 and port 11 of SWITCH 2 are connected to a network where a different VLAN is configured. To communicate without changing the VLAN configuration of SWITCH 1 and SWITCH 2, which communicate with PVID 10, configure them as follows.

Note

You should configure the ports connected to the network communicating with PVID 11 as Tagged VLAN ports.

(Figure: SWITCH 1 and SWITCH 2, each communicating with PVID 10, are connected through the network communicating with PVID 11. Labels: Connecting to port number 10 of SWITCH 1; Connecting to port number 11 of SWITCH 1.)

< SWITCH 1 >


SWITCH(bridge)# vlan dot1q-tunnel enable 10
SWITCH(bridge)# vlan pvid 10 11
SWITCH(bridge)# show vlan dot1q-tunnel
Tag Protocol Id : 0x8100 (d: double-tagging port)
----------------------------------------------------
| 1 2 3 4
Port |123456789012345678901234567890123456789012
----------------------------------------------------
dtag .........d................................
SWITCH(bridge)#

< SWITCH 2 >


SWITCH(bridge)# vlan dot1q-tunnel enable 11
SWITCH(bridge)# vlan pvid 11 11
SWITCH(bridge)# show vlan dot1q-tunnel
Tag Protocol Id : 0x8100 (d: double-tagging port)
----------------------------------------------------
| 1 2 3 4
Port |123456789012345678901234567890123456789012
----------------------------------------------------
dtag ..........d...............................
SWITCH(bridge)#


[Sample Configuration 5 ] Configuring Shared-VLAN using FID

br2, br3 and br4 are configured in a SURPASS hiD 6610 used in a Layer 2 environment, and port 24 is configured as the Uplink port. To transmit Untagged packets through the Uplink port correctly, use the configuration below.

(Figure: default, br2, br3 and br4 connected to the External Network through the Uplink Port.)

SWITCH(bridge)# vlan create br2
SWITCH(bridge)# vlan create br3
SWITCH(bridge)# vlan create br4
SWITCH(bridge)# vlan del default 3-8
SWITCH(bridge)# vlan add br2 3,4 untagged
SWITCH(bridge)# vlan add br3 5,6 untagged
SWITCH(bridge)# vlan add br4 7,8 untagged
SWITCH(bridge)# vlan add br2 24 untagged
SWITCH(bridge)# vlan add br3 24 untagged
SWITCH(bridge)# vlan add br4 24 untagged
SWITCH(bridge)# vlan create br5
SWITCH(bridge)# vlan add br5 1-42 untagged
SWITCH(bridge)# vlan fid 1-5 5
SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
-----------------------------------------------------------------
| 1 2 3 4
Name( VID| FID) |123456789012345678901234567890123456789012
-----------------------------------------------------------------
default( 1| 5) |uu......uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu
br2( 2| 5) |..uu...................u..................
br3( 3| 5) |....uu.................u..................
br4( 4| 5) |......uu...............u..................
br5( 5| 5) |uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu
SWITCH(bridge)#


8.2 Link aggregation

LACP (Link Aggregation Control Protocol), complying with IEEE 802.3ad, bundles several physical ports together to form one logical port so that the user gets enlarged bandwidth.

【 Figure 8-7 】Link aggregation

(Figure: the bandwidth from one port compared with a logical port made by aggregating a number of ports; using a number of ports gives the effect of a wide bandwidth.)

Information

In SURPASS hiD 6610, up to 14 logical ports can be configured with Link aggregation, and each logical port can contain up to 8 physical ports.

SURPASS hiD 6610 supports two kinds of Link aggregation: port trunk and LACP. There is a slight difference between the two.

With Port Trunking, it is quite troublesome to set the configuration manually, and it is hard to adjust to changes in the network environment when switches are connected through a logical port. With LACP, however, if the user configures in each switch the physical ports to be aggregated into the logical port, the switches are connected according to that configuration. It is therefore easier to configure than port trunk and can respond quickly to environmental changes.


[Figure: SWITCH A is connected to SWITCH C through 3 ports and to SWITCH B through 2 ports]

【 Figure 8-8 】The constitution example of Link aggregation ①

SWITCH A is aggregated with SWITCH B as a logical port by connecting 2 physical ports, and it is aggregated with SWITCH C as a logical port by connecting 3 physical ports.

The Link aggregation function should be used for the above configuration. If port trunk is used, the user should first configure in SWITCH A one logical port aggregating 3 physical ports and one logical port aggregating 2 physical ports. Then configure a logical port aggregating 2 physical ports in SWITCH B, and configure a logical port aggregating 3 physical ports in SWITCH C. When the user connects the ports with cables, they operate in Link aggregation status.

However, using LACP makes the configuration easier. The link is generated automatically once the logical port and the physical ports to be aggregated into it are configured.

For SWITCH A, after making two logical ports, designate the 5 physical ports which will be contained in the logical ports. Then, without the configuration described above, the ports operate in Link aggregation status once the cables are connected. The following is how to configure port trunk and LACP.

8.2.1 Port trunk

Port trunking enables you to dynamically group similarly configured interfaces into a single logical link (aggregate port) to increase bandwidth, while reducing the traffic congestion.


□ Configuring port trunk

□ Releasing port trunk

□ Checking port trunk

(1) Configuring Port Trunk

In order to make a logical port by aggregating ports, use the following command.

Command    Mode    Function

trunk add group-id port-number {dstip|dstmac|srcdstip|srcdstmac|srcip|srcmac}    Bridge    Designate physical port as logical port and decide which packets are transmitted to the aggregated port.

Information

Group-id can be set from “0” to “13” because SURPASS hiD 6610 supports 14 logical ports.

Note

The same number cannot be configured as both a Group-id of port trunk and an Aggregator-number of LACP.

If packets enter a logical port that aggregates several ports and there is no way to decide the packet route, the packets may be gathered on a particular member port, so that the logical port cannot be used effectively. Therefore SURPASS hiD 6610 decides the packet route so that incoming packets are divided across the member ports effectively. The route is decided with the Source IP address, Destination IP address, Source MAC address or Destination MAC address, and the user selects which packet information decides the packet route. dstip is the Destination IP address and dstmac is the Destination MAC address. srcdstip is the Source Destination IP address and srcdstmac is the Source Destination MAC address. srcip is the Source IP address and srcmac is the Source MAC address.

Information

In SURPASS hiD 6610, Source Destination MAC address is used by default to decide packet route.

A port designated as a member port of a port trunk is automatically deleted from its existing VLAN, as in the following example. Therefore, if the member ports and the aggregated port are in different VLANs, the VLAN configuration should be changed for the aggregated port.


Note

If the member ports and the aggregated port are in different VLANs, the VLAN configuration for the aggregated port should be changed.

SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
-----------------------------------------------------------------
| 1 2 3 4
Name( VID| FID) |123456789012345678901234567890123456789012
-----------------------------------------------------------------
default( 1| 1) |uuu.uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu
br2( 2| 2) |...u......................................
SWITCH(bridge)# trunk add 0 10-17 srcmac
SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
-----------------------------------------------------------------
| 1 2 3 4
Name( VID| FID) |1234567890123456789012345678901234567890
-----------------------------------------------------------------
default( 1| 1) |uuu.uuuuu........uuuuuuuuuuuuuuuuuuuuuuu
br2( 2| 2) |...u....................................
SWITCH(bridge)#

(2) Releasing Port Trunking

In order to release the configured port trunk, use the following command.

Command    Mode    Function

trunk del group-id port-number    Bridge    Release the configured trunk port.

If the user deletes a member port from the logical port or releases the port trunk, the ports are automatically placed in the Default VLAN.

(3) Confirming Port Trunk Configuration

In order to confirm the configuration of port trunk, use the following command.

Command    Mode    Function

show trunk    Enable/Global/Bridge    Shows the configuration for trunk.


8.2.2 Configuring LACP

LACP (Link Aggregation Control Protocol) is the function of using wider bandwidth by aggregating more than two ports as a logical port, like the port trunk function described previously. What is different from port trunk is that the aggregated bandwidth is made automatically once the logical Aggregator that aggregates the ports and the physical member ports to be aggregated into the logical port are configured.

If the integrated port configured by port trunk is in a VLAN different from the VLAN its member ports originally belonged to, it should be moved to the VLAN the member ports belonged to. However, the integrated port configured by LACP is automatically added to the appropriate VLAN.

Information

LACP supports up to 14 integrated ports, so Aggregator-number can be set from “0” to “13”.

Note

The same number cannot be configured as both a Group-id of port trunk and an Aggregator-number of LACP.

The following explains how to configure LACP.

□ Enabling LACP

□ Configuring packet route

□ Configuring member port

□ Configuring operation mode of member port

□ Configuring the priority of the switch

□ Deciding if LACP of member port is aggregated

□ Configuring the cycle of BPDU transmission

□ Configuring Key value of member port

□ Configuring port priority

□ Confirming LACP configuration


(1) Enabling LACP

In order to configure the LACP function in SURPASS hiD 6610, first enable the LACP function. In order to enable LACP, use the following command in Bridge configuration mode.

Command    Mode    Function

lacp aggregator aggregator-number    Bridge    Enable LACP of designated Aggregator-number. Valid aggregator-number is from 0 to 13.

On the other hand, in order to release LACP and delete the configuration of LACP, use the following command.

Command    Mode    Function

no lacp aggregator aggregator-number    Bridge    Release LACP for designated Aggregator-number.

(2) Configuring Packet Route

When packets enter a logical port that integrates several ports and there is no process to decide the packet route, the packets may be gathered on a particular member port, so that the logical port cannot be used effectively.

Therefore SURPASS hiD 6610 decides the packet route so that incoming packets are divided across the member ports effectively. The route is decided with the Source IP address, Destination IP address, Source MAC address or Destination MAC address, and the user selects which packet information decides the packet route. dstip is the Destination IP address and dstmac is the Destination MAC address. srcdstip is the Source Destination IP address and srcdstmac is the Source Destination MAC address. srcip is the Source IP address and srcmac is the Source MAC address.

Information

In SURPASS hiD 6610, Source Destination MAC address is used by default to decide packet route.


After configuring the aggregator, configure which packet information decides how packets are transmitted through the aggregator port. The following is the command for this configuration.

Command    Mode    Function

lacp aggregator distmode aggregator-number {dstip|dstmac|srcdstip|srcdstmac|srcip|srcmac}    Bridge    Defines packets transmitted by way of aggregator which is a logical aggregated port.
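The effect of the distribution mode on member-port load, for both `trunk add` and `lacp aggregator distmode`, shown as an added sketch that is not code from the manual. The manual does not document the hash the hiD 6610 uses, so the XOR-fold-modulo selection, the function names and the sample frames below are assumptions constructed for illustration.

```python
"""Model of how a distribution mode maps frames onto trunk/aggregator member ports."""
import ipaddress

# Header fields each mode feeds into the selection (keys are the CLI keywords).
MODE_FIELDS = {
    "srcmac": ("src_mac",),
    "dstmac": ("dst_mac",),
    "srcdstmac": ("src_mac", "dst_mac"),
    "srcip": ("src_ip",),
    "dstip": ("dst_ip",),
    "srcdstip": ("src_ip", "dst_ip"),
}


def _as_int(frame, field):
    """Convert a MAC or IPv4 string from the frame into an integer."""
    if field.endswith("_mac"):
        return int(frame[field].replace(":", ""), 16)
    return int(ipaddress.IPv4Address(frame[field]))


def select_member(frame, mode, members):
    """Pick the member port that carries one frame.

    ASSUMPTION: XOR the selected fields, XOR-fold the result to one byte and
    take it modulo the member count. The real hardware hash is not documented.
    """
    value = 0
    for field in MODE_FIELDS[mode]:
        value ^= _as_int(frame, field)
    folded = 0
    while value:
        folded ^= value & 0xFF
        value >>= 8
    return members[folded % len(members)]


def distribution(frames, mode, members):
    """Count frames per member port for the given mode."""
    counts = {port: 0 for port in members}
    for frame in frames:
        counts[select_member(frame, mode, members)] += 1
    return counts


def busiest_share(counts):
    """Fraction of all frames carried by the most loaded member port."""
    total = sum(counts.values())
    return max(counts.values()) / total if total else 0.0


# Constructed sample traffic: 16 hosts all sending to one gateway.
MEMBERS = list(range(10, 18))  # ports 10-17, as in "trunk add 0 10-17"
FRAMES = [
    {
        "src_mac": f"00:00:5e:00:53:{i:02x}",
        "dst_mac": "00:00:5e:00:53:fe",
        "src_ip": f"192.0.2.{10 + i}",
        "dst_ip": "192.0.2.254",
    }
    for i in range(16)
]

if __name__ == "__main__":
    for mode in MODE_FIELDS:
        counts = distribution(FRAMES, mode, MEMBERS)
        print(f"{mode:10s} busiest={busiest_share(counts):.0%} {counts}")
```

With this traffic every frame shares one destination, so the dstmac and dstip modes put all 16 frames on a single member port, while the modes that include the source address spread them evenly.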

(3) Configuring Member Port

After configuring the Aggregator, configure the physical ports that are members of the aggregated port. In order to configure a member port of the aggregated port, use the following command in Bridge mode.

Command    Mode    Function

lacp port port-number    Bridge    Configure physical port that is member port of Aggregator.

Information

Several port numbers can be configured at once using “,” or “-”.

In order to release a member port, use the following command.

Command    Mode    Function

no lacp port port-number    Bridge    Release member port of Aggregator.

(4) Configuring Operating Mode of Member Port

After configuring the member port, configure the mode of the member port. A member port has two kinds of mode, “Active mode” and “Passive mode”. A port in Passive mode starts LACP when the port of the opposite switch is in Active mode. The priority of Active mode is higher than that of Passive mode, so the port in Passive mode follows the port in Active mode.


Note

If the member ports of the connected switches are configured as “active mode” on one side and “passive mode” on the other, the “active mode” side is the reference. If both switches are configured as “passive mode”, no link is formed between the member ports of the two switches.

In order to configure the mode of member port, use the following command in Bridge mode.

Command    Mode    Function

lacp port activity port-number {active|passive}    Bridge    Configure the mode of member port.

Information

The operating mode of a member port is configured as “active mode” by default.

In order to release the operating mode of configured member port, use the following command.

Command    Mode    Function

no lacp port activity port-number    Bridge    Release operation mode of configured member port.

Information

After releasing the operating mode of a configured member port, the configuration returns to default.

(5) Configuring the priority of the switch

In case the member ports of the connected switches are all configured as Active mode, it is required to configure which switch is the reference. For this case, the user can configure the priority of the switch. The following is the command for configuring the priority of the switch in the LACP function.

Command    Mode    Function

lacp system priority <1-65535>    Bridge    Sets the priority of the switch in LACP function.

Information

In SURPASS hiD 6610, the priority of the system is configured as “32768(=0x8000)” by default.


Note

If the member ports of the connected switches are configured as “active mode” on one side and “passive mode” on the other, the “active mode” side is the reference. If all of them are configured as “active mode”, the switch having higher priority is the reference.

In order to release the priority of configured switch, use the following command.

Command    Mode    Function

no lacp system priority    Bridge    Clears the priority of the configured switch.

Information

After clearing operating mode of configured member port, the configuration returns to default.

(6) Deciding if LACP of member port is aggregated

A port configured as a member port is by default configured to be aggregated to LACP. However, even while its configuration as a member port is not released, it can operate as an independent port without being aggregated to LACP. Such independent ports cannot be configured as trunk ports, because they are still configured as member ports and are only excluded from being aggregated to LACP. In order to configure whether a member port is aggregated to LACP, use the following command.

Command    Mode    Function

lacp port aggregation port-number {aggregatable|individual}    Bridge    Designate whether a member port is included in LACP or not.

Information

In SURPASS hiD 6610, the member port is configured to be aggregated to LACP by default.

In order to clear the LACP aggregation setting of a configured member port, use the following command.

Command    Mode    Function

no lacp port aggregation port-number    Bridge    Clears the configured member in LACP.


Information

If you clear the user-configuration of aggregating to LACP, it returns to default configuration.

(7) Configuring BPDU Transmission Rate

A member port transmits BPDUs containing its information. In SURPASS hiD 6610, it is possible to configure the BPDU transmission rate. To do so, use the following command.

Command    Mode    Function

lacp port timeout port-number {long|short}    Bridge    Configure BPDU transmission rate.

Information

In SURPASS hiD 6610, BPDU transmission rate of member port is configured as “long” by default.

Information

The transmission rate of “long” is 30 sec and that of “short” is 1 sec.

In order to clear BPDU transmission rate, use the following command.

Command    Mode    Function

no lacp port timeout port-number    Bridge    Clears BPDU transmission rate of configured member port.

(8) Configuring Key of Member Port

Each member port of LACP has a key value. All member ports in one aggregator have the same key value. To make an aggregator consist of specific member ports, give those ports a key value different from the key value of the other ports.

Command    Mode    Function

lacp port admin-key port-number <1-15>    Bridge    Configure Key value of member port.

Information

In hiD 6610, the key value of all ports is configured as “1” by default.


For example, switch A and switch B are linked with switch C in the below picture. Two aggregators are configured in switch A and ports 7 ~ 10 are configured as member ports. One aggregator is configured in switch B and ports 7 ~ 8 are configured as member ports. And one aggregator is configured in switch C and ports 9 ~ 10 are configured as member ports. After these configurations, when ports 7~8 of switch A and B are linked and ports 9~10 of switch A and C are linked, switch A is linked with switch B and C through aggregators.

[Figure: SWITCH A, connected to the Internet, is linked to SWITCH C through an aggregator on ports 9, 10 and to SWITCH B through an aggregator on ports 7, 8]

【 Figure 8-9 】 Example of LACP Construction ①

Meanwhile, switch A is linked with switch B in the below picture. Two aggregators are configured in both switch A and B, and ports 7~10 are configured as member ports. With this configuration, if ports 7~10 are connected through cables, one aggregator including all of the ports is made. However, if the key values of ports 7~10 are configured differently, two aggregators are made.


[Figure: SWITCH A, connected to the Internet, and SWITCH B; aggregators of switch A and B are linked through port 7, 8 and through port 9, 10]

【 Figure 8-10 】 Example of LACP Construction ②

In order to delete key value of configured member port, use the following command.

Command    Mode    Function

no lacp port admin-key port-number    Bridge    Delete key value of member port.

Information

If you delete Key value of configured member port, it returns to default configuration.

(9) Configuring Port Priority

One aggregator can include a maximum of eight ports. When there are ten ports configured, the ports with higher priorities are selected. However, the user can configure the priority when a specific port should become a member port regardless of its priority. In order to configure the priority of an LACP member port, use the following command.

Command    Mode    Function

lacp port priority port-number <1-65535>    Bridge    Sets the LACP priority of member port.


Information

In SURPASS hiD 6610, the LACP priority of a member port is configured as “32768(=0x8000)” by default.

In order to clear port priority of configured member port, use the following command.

Command    Mode    Function

no lacp port priority port-number    Bridge    Clears port priority of member port.

Information

After releasing the configured priority of a member port, it returns to default configuration.

(10) Confirming LACP Configuration

In SURPASS hiD 6610, the user can confirm LACP configuration.

In order to confirm LACP configuration, use the following command.

Command    Mode    Function

show lacp aggregator    Enable/Global/Bridge    Shows the information of aggregated port.

show lacp aggregator aggregator-number    Enable/Global/Bridge    Shows the information of appropriate aggregated port.

show lacp port    Enable/Global/Bridge    Shows the information of member port.

show lacp port port-number    Enable/Global/Bridge    Shows the information of appropriated member port.


8.2.3 Sample Configuration

[ Sample Configuration 1 ] Configuring port trunk①

The following is configuring port number 10-17 as trunk 0 and confirming the configuration.

SWITCH(bridge)# trunk add 0 10-17 srcmac
SWITCH(bridge)# show trunk
Trunk Group 0 : SRC__MAC : 10(x) 11(x) 12(x) 13(x) 14(x) 15(x) 16(x) 17(x)
Trunk Group 1 : Inactive
Trunk Group 2 : Inactive
Trunk Group 3 : Inactive
Trunk Group 4 : Inactive
Trunk Group 5 : Inactive
Trunk Group 6 : Inactive
Trunk Group 7 : Inactive
Trunk Group 8 : Inactive
Trunk Group 9 : Inactive
Trunk Group 10 : Inactive
Trunk Group 11 : Inactive
Trunk Group 12 : Inactive
Trunk Group 13 : Inactive

SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
-----------------------------------------------------------------
| 1 2 3 4
Name( VID| FID) |123456789012345678901234567890123456789012
-----------------------------------------------------------------
default( 1| 1) |uuu.uuuuu........uuuuuuuuuuuuuuuuuuuuuuuuu
br2( 2| 2) |...u......................................
SWITCH(bridge)#


[ Sample Configuration 2 ] Configuring Port Trunk②

The following configures ports 10-17, which are in br2, as trunk 0, which belongs to the default VLAN.

In order to give ports 10-17 the same VLAN status they had before the trunk configuration, you must configure the integrated port to belong to br2.

SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
---------------------------------------------------------------
| 1 2 3 4
Name( VID| FID) |1234567890123456789012345678901234567890
---------------------------------------------------------------
default( 1| 1) |uuuuuuuuu........uuuuuuuuuuuuuuuuuuuuuuu
br2( 2| 2) |.........uuuuuuuu.......................
SWITCH(bridge)# trunk add 0 10-17 srcdstmac
SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
---------------------------------------------------------------
| 1 2 3 4
Name( VID| FID) |1234567890123456789012345678901234567890
---------------------------------------------------------------
default( 1| 1) |uuuuuuuuu........uuuuuuuuuuuuuuuuuuuuuuu
br2( 2| 2) |........................................
SWITCH(bridge)# vlan del default 27
SWITCH(bridge)# vlan add br2 27 untagged
SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
---------------------------------------------------------------
| 1 2 3 4
Name( VID| FID) |1234567890123456789012345678901234567890
---------------------------------------------------------------
default( 1| 1) |uuuuuuuuu........uuuuuuuuu.uuuuuuuuuuuuu
br2( 2| 2) |..........................u.............
SWITCH(bridge)#

[Sample Configuration 3] Configuring LACP

The following is an example of configuring Aggregator 0 in SWITCH A and SWITCH B with port numbers 2, 3 as the member ports. Here, in order to make SWITCH A the reference, configure the operating mode of the member ports of SWITCH B as “Passive mode”. If there’s no configuration on it, the reference is automatically displayed.


[Figure: SWITCH A connected to SWITCH B]

< Configuration in SWITCH A>

SWITCH_A(bridge)# lacp aggregator 0
SWITCH_A(bridge)# lacp aggregator distmode 0 srcdstmac
SWITCH_A(bridge)# lacp port 1-3
SWITCH_A(bridge)# show lacp aggregator
AGGR ACTOR SYSTEM PARTNER SYSTEM MEMBER
---- ------------- -------------- ------
0 8000.000000-000000 0000.000000-000000 2(o)-3(o)
[Callout on the output above: It is shown when Link is formed between the member ports.]
SWITCH_A(bridge)# show lacp port
PORT AGGR (A) KEY (P) PORT (P) KEY (A)-(P) ACTIVITY
---- ---- ------- -------- ------- ----------------
01 - 1000 000000-000000(P 1) 1000 ACTIVE - PASSIVE
02 - 1000 000000-000000(P 2) 1000 ACTIVE - PASSIVE
03 - 1000 000000-000000(P 3) 1000 ACTIVE - PASSIVE

SWITCH_A(bridge)#

< Configuration in SWITCH B>

SWITCH_B(bridge)# lacp aggregator 0
SWITCH_B(bridge)# lacp aggregator distmode 0 srcdstmac
SWITCH_B(bridge)# lacp port 1-3
SWITCH_B(bridge)# lacp port activity 1-3 passive
SWITCH_A(bridge)# show lacp aggregator
AGGR ACTOR SYSTEM PARTNER SYSTEM MEMBER
---- ------------- -------------- ------
0 8000.000000-000000 0000.000000-000000 2(o)-3(o)
[Callout on the output above: It is shown when Link is formed between the member ports.]
SWITCH_A(bridge)# show lacp port
PORT AGGR (A) KEY (P) PORT (P) KEY (A)-(P) ACTIVITY
---- ---- ------- -------- ------- ----------------
01 - 1000 000000-000000(P 1) 1000 PASSIVE - ACTIVE
02 - 1000 000000-000000(P 2) 1000 PASSIVE - ACTIVE
03 - 1000 000000-000000(P 3) 1000 PASSIVE - ACTIVE

SWITCH_A(bridge)#


Information

The “AGGR” column shown by the “show lacp port” command is the ID of the Aggregator. It is different from Aggregator-number.

[Sample Configuration 4] Configuring Admin-key

[Figure: SWITCH A, connected to the Internet, and SWITCH B; the integrated ports of SWITCH A and SWITCH B are connected through port number 7,8 and through port number 9,10]

The following example configures two integrated ports and ports 7-10 as member ports in SWITCH A and SWITCH B without changing the Key value.

<SWITCH A>

SWITCH_A(bridge)# lacp aggregator 0
SWITCH_A(bridge)# lacp aggregator 1
SWITCH_A(bridge)# lacp aggregator distmode 0 srcdstmac
SWITCH_A(bridge)# lacp port 7-10
SWITCH_A(bridge)# show lacp aggregator
AGGR PRIORITY PARTNER MEMBER
---- ------------------- ------------ ------
0 0x8000.00D0CB0A01B3 00D0CB0AA790 eth07(o)-eth08(o)-eth09(o)-eth10(o)
1 0x8000.000000000000

SWITCH_A(bridge)#


<SWITCH B>

SWITCH_B(bridge)# lacp aggregator 0
SWITCH_B(bridge)# lacp aggregator 1
SWITCH_B(bridge)# lacp aggregator distmode 0 srcdstmac
SWITCH_B(bridge)# lacp port 7-10
SWITCH_B(bridge)# lacp port activity 7-10 passive
SWITCH_A(bridge)# show lacp aggregator
SWITCH_B(bridge)# show lacp aggregator
AGGR PRIORITY PARTNER MEMBER
---- ------------------- ------------ ------
0 0x8000.00D0CB0A01B3 00D0CB0AA790 eth07(o)-eth08(o)-eth09(o)-eth10(o)
1 0x8000.000000000000

SWITCH_B(bridge)#

The above configuration shows the 4 integrated ports integrated into one port. However, you can make 2 integrated ports by configuring the key value of ports 7,8 and 9,10 in SWITCH A and SWITCH B.

<SWITCH A>

SWITCH_A(bridge)# lacp port admin-key 9-10 2
SWITCH_A(bridge)# show lacp aggregator
AGGR PRIORITY PARTNER MEMBER
---- ------------------- ------------ ------
0 0x8000.00D0CB0A01B3 00D0CB0AA790 eth07(o)-eth08(o)
1 0x8000.000000000000 00D0CB0AA790 eth09(o)-eth10(o)

SWITCH_A(bridge)#

<SWITCH B>

SWITCH_B(bridge)# lacp port admin-key 9-10 2
SWITCH_B(bridge)# show lacp aggregator
AGGR PRIORITY PARTNER MEMBER
---- ------------------- ------------ ------
0 0x8000.00D0CB0A01B3 00D0CB0AA46C eth07(o)-eth08(o)
1 0x8000.000000000000 00D0CB0AA46C eth09(o)-eth10(o)

SWITCH_B(bridge)#
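The outcome of Sample Configuration 4, the passive/passive Note in step (4) and the eight-port limit in step (9), modelled as an added example that is not the switch's own logic. It assumes a single partner switch and takes the local switch's view; the function names are hypothetical, and "lower priority value wins, then lower port number" is the IEEE 802.3ad ordering rather than a statement from this manual.

```python
"""Model of which LACP aggregators form from admin-key, activity and port priority."""

MAX_PORTS_PER_AGGREGATOR = 8   # limit stated in the manual
DEFAULT_KEY = 1                # default admin-key stated in the manual
DEFAULT_PRIORITY = 32768       # default port priority stated in the manual


def port(key=DEFAULT_KEY, activity="active", priority=DEFAULT_PRIORITY):
    """Settings of one LACP member port."""
    return {"key": key, "activity": activity, "priority": priority}


def negotiate(local, partner, cables):
    """Return {(local_key, partner_key): [local ports]} for the links that form.

    local / partner: {port_number: port(...)} for each switch.
    cables: [(local_port, partner_port)] physical connections.
    """
    groups = {}
    for local_port, partner_port in cables:
        a, b = local[local_port], partner[partner_port]
        # A passive port only answers, so two passive ends never start LACP.
        if a["activity"] == "passive" and b["activity"] == "passive":
            continue
        # Ports bundle together only when both the local and partner keys match.
        groups.setdefault((a["key"], b["key"]), []).append(local_port)
    result = {}
    for keys, ports in groups.items():
        # Lower priority value wins, then lower port number (IEEE 802.3ad).
        ranked = sorted(ports, key=lambda p: (local[p]["priority"], p))
        result[keys] = sorted(ranked[:MAX_PORTS_PER_AGGREGATOR])
    return result


def sample_configuration_4(split_keys=False, a_activity="active", b_activity="passive"):
    """Ports 7-10 cabled straight through between SWITCH A and SWITCH B."""
    a = {p: port(activity=a_activity) for p in range(7, 11)}
    b = {p: port(activity=b_activity) for p in range(7, 11)}
    if split_keys:                      # "lacp port admin-key 9-10 2" on both
        for p in (9, 10):
            a[p]["key"] = 2
            b[p]["key"] = 2
    return negotiate(a, b, [(p, p) for p in range(7, 11)])


def ten_port_bundle():
    """Ten candidate ports with one key; ports 9 and 10 get priority 100 (constructed)."""
    a = {p: port() for p in range(1, 11)}
    b = {p: port() for p in range(1, 11)}
    a[9]["priority"] = 100
    a[10]["priority"] = 100
    return negotiate(a, b, [(p, p) for p in range(1, 11)])


if __name__ == "__main__":
    print("default keys :", sample_configuration_4())
    print("keys split   :", sample_configuration_4(split_keys=True))
    print("both passive :", sample_configuration_4(a_activity="passive"))
    print("ten ports    :", ten_port_bundle())
```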


8.3 Configuring STP

A LAN composed of double paths, like token ring, has the advantage that access is still possible when one path is disconnected. However, there is another problem, named Loop, when the double paths are always in use. A Loop occurs when there are more than two paths between switches, as between SWITCH A and SWITCH B in the below figure: PC A sends a packet through broadcast or multicast and the packet then keeps rotating. It causes superfluous data transmission and network faults.

[Figure: SWITCH A and SWITCH B, with PC A and PC B]

【 Figure 8-11 】 Example of Loop

STP (Spanning-Tree Protocol) is the function that prevents Loops in a LAN with more than two paths and utilizes the double paths efficiently. It is specified in IEEE 802.1d. When STP is configured, there is no Loop, since it chooses the more effective of the paths and closes the other path. In other words, when SWITCH C in the below figure sends packet to SWITCH C, path 1 is chosen and path 2 is closed.

[Figure: SWITCH A, SWITCH B, SWITCH C, SWITCH D and SWITCH E, with Path 1 and Path 2]

【 Figure 8-12】 Example of the running STP


Meanwhile, RSTP (Rapid Spanning-Tree Protocol), defined in IEEE 802.1w, innovatively reduces the network convergence time of STP. Because it uses the same terminology and configuration parameters as 802.1d, the new protocol is easy and fast to configure.

Also, 802.1w includes 802.1d, so it provides compatibility with 802.1d. For a more detailed description of STP and RSTP, refer to the following.

□ STP operation

□ RSTP operation

□ Configuring STP/RSTP/MSTP/PVSTP/PVRSTP mode

□ Configuring STP/RSTP/MSTP

□ Configuring PVSTP/PVRSTP

□ BPDU(Bridge Protocol Data Unit) configuration

8.3.1 STP Operation

The 802.1d STP defines the port states Blocking, Listening, Learning, and Forwarding. When STP is configured in a LAN with double paths, switches exchange their information, including the Bridge ID.

This information is named BPDU (Bridge Protocol Data Unit). Switches decide port states based on the exchanged BPDUs and automatically decide the optimized path to communicate with the Root switch, which is the reference of the Spanning-Tree.

◆ Root Switch

The critical information to decide the Root switch is the Bridge ID. The Bridge ID is composed of a 2-byte Priority and a 6-byte MAC address. The switch with the lowest Bridge ID becomes the Root switch.


[Figure: SWITCH A (Priority : 8, ROOT), SWITCH B (Priority : 9), SWITCH C (Priority : 10) and SWITCH D]

【 Figure 8-13 】Root Switch

For example, suppose there are three linked switches as in the picture. After configuring STP, the switches exchange their information. The Priority of SWITCH A is 8, the Priority of SWITCH B is 9 and the Priority of SWITCH C is 10. In this case, SWITCH A is automatically configured as Root switch.

◆ Designated Switch

After deciding the Root switch, when SWITCH A transmits a packet to SWITCH C, SWITCH A compares the exchanged BPDUs to decide the path. The critical information to decide the path is path-cost. Path-cost depends on the transmit rate of the LAN interface, and the path with the lower path-cost is selected.

The criterion for deciding the designated switch is the total Root path-cost, which is the sum of the path-costs to the Root. Path-cost depends on the transmit rate of the switch LAN interface, and the switch with the lower path-cost is selected to be the designated switch.


[Figure: SWITCH A (Priority : 8, ROOT) connects to SWITCH B (Priority : 9, Designated SWITCH) with path-cost 50 and to SWITCH C (Priority : 10) with path-cost 100; SWITCH B and SWITCH C each connect to SWITCH D with path-cost 100. PATH 1 runs through SWITCH B and PATH 2 through SWITCH C.]

(PATH 1=50+100=150, PATH 2=100+100=200, PATH 1< PATH 2, ∴ PATH 1 selected)

【 Figure 8-14 】 Deciding Designated Switch

In the case of the above picture, where SWITCH C sends a packet, the path-cost of PATH 1 is 150 and the path-cost of PATH 2 is 200 in total (100 + 100 ; path-cost of SWITCH C to B + path-cost of SWITCH B to C). Therefore PATH 1, with the lower path-cost, is chosen. In this case, the port connected to the Root switch is named the Root port. In the above picture, the port of SWITCH C connected to SWITCH A, the Root switch, is the Root port.

There can be only one Root port in one equipment.

Information

The criterion for deciding the designated switch is the total Root path-cost, which is the sum of the path-costs to the Root. The switch with the lower path-cost is selected to be the designated switch. When Root path-costs are the same, the bridge IDs are compared.

◆ Designated Port and Root Port

Also, the switch selected for communication in a segment is named the Designated switch. In the below picture, suppose that a packet is transmitted from the Root switch to SWITCH D. SWITCH B and SWITCH C can both be selected.


However, since a Loop would be created when transmitting packets to SWITCH D, one of the two must be selected by comparing the information in the BPDUs. As a result, if PATH 1 is selected, the Designated switch for the segment leading to SWITCH D is SWITCH B.

In each switch, apart from the Root port, a port selected to communicate is a Designated port. The other ports, which are neither Root port nor Designated port, are named Blocked ports.

[Figure: SWITCH A (ROOT) with a Designated Port; SWITCH B (Designated SWITCH) with a Root Port and a Designated Port; SWITCH C; PATH 1 and PATH 2 lead to SWITCH D]

【 Figure 8-15 】 Designated Switch and Designated Port

◆ Port-priority

Meanwhile, when the path-costs of two paths are the same, the port-priorities are compared. As in the below picture, suppose that two switches are connected.

Since the path-costs of the two paths are both 100, their port-priorities are compared and the port with the smaller port-priority is selected to transmit packets.


[Figure: ROOT connected to a switch by two paths. PATH 1: Port 1, Port priority 7, Path-cost 100. PATH 2: Port 2, Port priority 8, Path-cost 100.]

( path-cost of PATH 1 = path-cost of PATH 2 = 100 ∴ unable to compare

PATH 1 port priority = 7, PATH 2 port priority = 8, PATH 1< PATH 2, ∴ PATH 1 is chosen )

【 Figure 8-16 】 Example of Using Port priority

All these functions are performed automatically through BPDUs, which carry the information of the switches. It is also possible to configure BPDU parameters to change the Root switch or the path manually. Refer to ‘8.4.4 Configuring BPDU (Bridge Protocol Data Unit) Transmission’.
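The selection rules of section 8.3.1 (lowest Bridge ID becomes Root, lowest total Root path-cost wins, then Bridge ID, then port priority) worked through on the values of Figures 8-14 and 8-16, as an added example that is not code from the manual. The MAC addresses, the priority of SWITCH D, the port numbers on Figure 8-14 links and the function names are assumptions constructed for illustration.

```python
"""STP root election and root-port choice following the rules of section 8.3.1."""
import heapq


def bridge_id(priority, mac):
    """8-byte Bridge ID as an integer: 2-byte priority followed by 6-byte MAC."""
    return (priority << 48) | int(mac.replace(":", ""), 16)


def elect_root(bridges):
    """bridges: {name: (priority, mac)} -> name of the switch with the lowest Bridge ID."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_path_costs(root, links):
    """Lowest total path-cost from every reachable switch to the Root (Dijkstra)."""
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for a, b, cost, _prio, _port in links:
            if node in (a, b) and a != b:
                other = b if node == a else a
                if d + cost < dist.get(other, float("inf")):
                    dist[other] = d + cost
                    heapq.heappush(heap, (d + cost, other))
    return dist


def spanning_tree(bridges, links):
    """links: [(switch_a, switch_b, path_cost, port_priority, port_number)].

    Returns (root, {switch: {"cost", "via", "port"}}) for every non-root switch.
    Tie-break order: Root path-cost, neighbour Bridge ID, port priority, port number.
    """
    root = elect_root(bridges)
    dist = root_path_costs(root, links)
    tree = {}
    for name in bridges:
        if name == root:
            continue
        candidates = []
        for a, b, cost, prio, port in links:
            if name in (a, b) and a != b:
                neighbour = b if name == a else a
                if neighbour in dist:
                    candidates.append((dist[neighbour] + cost,
                                       bridge_id(*bridges[neighbour]),
                                       prio, port, neighbour))
        if candidates:
            cost, _bid, _prio, port, via = min(candidates)
            tree[name] = {"cost": cost, "via": via, "port": port}
    return root, tree


# Figure 8-14 values; MACs, D's priority and port numbers are constructed.
BRIDGES = {
    "A": (8, "00:00:5e:00:53:0a"),
    "B": (9, "00:00:5e:00:53:0b"),
    "C": (10, "00:00:5e:00:53:0c"),
    "D": (11, "00:00:5e:00:53:0d"),
}
FIG_8_14 = [("A", "B", 50, 128, 1), ("A", "C", 100, 128, 1),
            ("B", "D", 100, 128, 1), ("C", "D", 100, 128, 2)]

# Figure 8-16: two parallel paths of equal cost, port priorities 7 and 8.
PAIR = {"ROOT": (8, "00:00:5e:00:53:0a"), "S": (9, "00:00:5e:00:53:0b")}
FIG_8_16 = [("ROOT", "S", 100, 7, 1), ("ROOT", "S", 100, 8, 2)]

if __name__ == "__main__":
    print(spanning_tree(BRIDGES, FIG_8_14))
    print(spanning_tree(PAIR, FIG_8_16))
```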

8.3.2 RSTP Operation

When STP or RSTP is configured on a network where a Loop can be created, the resulting final topology is the same. However, RSTP progresses more rapidly than STP in reaching the final topology. This section describes how RSTP, which improves on STP, works. It contains the below sections.

□ Port States

□ BPDU Policy

□ Rapid Network Convergence

□ Comparability with 802.1d

(1) Port States

RSTP defines the port states Discarding, Learning, and Forwarding. Blocking and Listening of 802.1d are combined into Discarding. As in STP, Root port and Designated port are decided by port state. But the existing Blocked port is divided into Alternate port and Backup port.


An Alternate port is a port blocked by receiving a BPDU with a priority of high numerical value from another equipment, and a Backup port is a port blocked by receiving a BPDU with a priority of high numerical value from another port of the same equipment. The below picture shows an Alternate port and a Backup port.

[Figure: SWITCH A (ROOT) above SWITCH B and SWITCH C, with SWITCH D below them on PATH 1 and PATH 2; the ports are labelled Alternate Port, Designated Port and Backup Port.]

【 Figure 8-17 】 Alternate Port and Backup Port

The difference between Alternate port and Backup port is that an Alternate port can provide an alternate path for packets when there is a problem between the Root switch and SWITCH C, but a Backup port cannot provide a stable connection in that case.

(2) BPDU Policy

In 802.1d, the Root switch forwards BPDU at the Hello-time configured on it, and every switch other than the Root switch forwards its own BPDU only when it receives a BPDU from the Root switch. In 802.1w, however, not only the Root switch but also all the other switches forward BPDU following Hello-time. BPDUs are therefore exchanged more frequently than at the interval the Root switch uses, but with 802.1w the network becomes faster at handling a changing situation.

When a low BPDU is received from the Root switch or a Designated switch, it is accepted immediately. For example, suppose that the Root switch is disconnected from SWITCH B. SWITCH B is then considered to be Root because of the disconnection and forwards BPDU.

However, SWITCH C recognizes that the Root still exists, so it transmits a BPDU including the Root information to SWITCH B. Thus, SWITCH B configures the port connected to SWITCH C as its new Root port.

[Figure: SWITCH A (ROOT), SWITCH B and SWITCH C. Labels: Low BPDU, BPDU including Root information, New ROOT PORT.]

【 Figure 8-18 】 In case of Receiving Low BPDU

(3) Rapid Network Convergence

[Figure: ROOT and SWITCH A to SWITCH D. ① New link created. ② Transmit BPDU at Listen state. ③ Blocking to prevent Loop. Arrows: BPDU flowing.]

【 Figure 8-19 】 Convergence of 802.1d Network

As in the picture above, suppose that a new link is connected between SWITCH A and Root. Root and SWITCH A were not directly connected, but indirectly through SWITCH D. After SWITCH A is newly connected to Root, packets cannot be transmitted between the ports because the state of the two switches becomes Listening, so no Loop is created.

In this state, if Root transmits BPDU to SWITCH A, SWITCH A transmits new BPDU to SWITCH B and SWITCH C, and SWITCH C transmits new BPDU to SWITCH D. SWITCH D, which received BPDU from SWITCH C, puts the port connected to SWITCH C into the Blocking state to prevent a Loop after the new link.

This is a groundbreaking way of preventing Loop, but the problem is that communication is disconnected for twice the BPDU Forward-delay until the port connecting SWITCH D and SWITCH C is blocked.

The picture below shows how 802.1w proceeds to save this disconnection time. There is a new link between SWITCH A and Root. Right after the connection, BPDU can be transmitted, although packets cannot be transmitted between SWITCH A and Root.

[Figure: ROOT and SWITCH A to SWITCH D. ① New link created. ② Negotiate between SWITCH A and Root (Traffic Blocking).]

【 Figure 8-20 】 Network convergence of 802.1w ①

SWITCH A negotiates with Root through BPDU. To establish the link between SWITCH A and Root, the port state of the non-edge designated ports of SWITCH A is changed to Blocking. Although SWITCH A is connected to Root, no Loop is created because SWITCH A is blocked toward SWITCH B and C. In this state, BPDU from Root is transmitted to SWITCH B and C through SWITCH A. To reach the Forwarding state, SWITCH A negotiates with SWITCH B and with SWITCH C.

[Figure: ROOT and SWITCH A to SWITCH D. ③ Forwarding state between ROOT and SWITCH A. ③ Negotiate between SWITCH A and SWITCH B (Traffic Blocking). ③ Negotiate between SWITCH A and SWITCH C (Traffic Blocking).]

【 Figure 8-21 】 Network convergence of 802.1w ②

SWITCH B has only edge designated ports. An edge designated port does not cause a Loop, so 802.1w defines that it changes to the Forwarding state. Therefore, SWITCH B does not need to block any specific port for SWITCH A to reach the Forwarding state. However, since SWITCH C has a port connected to SWITCH D, that port must be put into the Blocking state.

[Figure: ROOT and SWITCH A to SWITCH D. ④ Forwarding state between SWITCH A and SWITCH B and between SWITCH A and SWITCH C. ④ Blocking toward SWITCH D to make Forwarding state of SWITCH A.]

【 Figure 8-22 】 Network convergence of 802.1w ③

Blocking the connection between SWITCH D and SWITCH C is the same as in 802.1d. However, 802.1w does not need any configured time for the switches to negotiate the Forwarding state of a specific port, so it proceeds very fast. While a port moves to the Forwarding state, Listening and Learning are not needed. These negotiations use BPDU.

(4) Comparability with 802.1d

RSTP internally includes STP, so it is compatible with 802.1d. Therefore, RSTP can recognize the BPDU of STP, but STP cannot recognize the BPDU of RSTP. For example, assume that SWITCH A and SWITCH B operate as RSTP and SWITCH A is connected to SWITCH C as Designated switch. Since SWITCH C, which is 802.1d, ignores RSTP BPDU, it is interpreted that SWITCH C is not connected to any switch or segment.

[Figure: SWITCH A (802.1w), SWITCH B (802.1w) and SWITCH C (802.1d). Labels: RSTP BPDU, STP BPDU.]

【 Figure 8-23 】 Comparability with 802.1d ①

However, SWITCH A converts the port that received the BPDU into RSTP of 802.1d because it can read the BPDU of SWITCH C. Then SWITCH C can read the BPDU of SWITCH A and accepts SWITCH A as Designated switch.

[Figure: SWITCH A (802.1w), SWITCH B (802.1w) and SWITCH C (802.1d). Label: STP BPDU.]

【 Figure 8-24 】 Comparability with 802.1d ②

8.3.3 PVSTP and MSTP

In order to operate the network more effectively, SURPASS hiD 6610 uses PVSTP (Per VLAN Spanning Tree Protocol) or MSTP (Multiple Spanning Tree Protocol). It constitutes the network with VLANs that logically subdivide the existing LAN domain, and configures the route per VLAN or VLAN group instead of using an existing routing protocol.

Using PVMSTP, it is possible to minimize tree reconstruction time when the topology changes, without establishing RSTP.

(1) Operation

This section explains how STP, PVSTP and MSTP operate differently on the LAN. Suppose that 100 VLANs are configured from Switch A to B and C.

In case of STP/RSTP, there is only one STP for all VLANs, and it does not provide multiple Instances.

[Figure: SWITCH A (Root) sends BPDU to SWITCH B and SWITCH C.]

【 Figure 8-25 】 STP

The existing STP is a protocol to prevent Loop in a LAN domain, whereas PVSTP (Per VLAN Spanning Tree Protocol) establishes STP per VLAN in order to realize Routing suitable to a VLAN environment.

In case of PVSTP/PVRSTP, an STP can be supported for each VLAN. In this case, 100 STPs must be calculated for 100 VLANs, which has the drawback of burdening the switch.

[Figure: SWITCH A connected to SWITCH B and to SWITCH C; each connection carries VLAN 1-50 and VLAN 51-100.]

【 Figure 8-26 】PVSTP

In IEEE 802.1s MSTP, which uses RSTP for rapid convergence, several VLANs can be classified into an Instance unit. Each Instance operates with a different Spanning Tree topology.

It is not necessary to calculate an STP for each of the VLANs, so traffic overload can be reduced. By reducing unnecessary overload and providing multiple transmission routes for data forwarding, it realizes load balancing and supports many VLANs through Instances.

[Figure: SWITCH A connected to SWITCH B and to SWITCH C; each connection carries Instance 1 and Instance 2. SWITCH B is Root of Instance 1 and SWITCH C is Root of Instance 2.]

【 Figure 8-27 】MSTP

(2) MSTP

In MSTP, VLANs are classified into groups with the same Configuration ID. Configuration ID is composed of Region name, Revision and VLAN map. Therefore, in order to have the same Configuration ID, all three of these conditions must be the same. VLANs classified with the same Configuration ID are called an MST Region. In a Region there is only one STP, so it is possible to reduce the number of STPs compared to PVSTP.

There is no limitation on the number of Regions in a network environment, but Instances can be generated only up to 64. Therefore Instances can be generated from 1 to 64. The Spanning-Tree which operates in each Region is IST (Internal Spanning-Tree). CST is applied by connecting the Spanning-Trees of the Regions. Instance 0 means that no Instance has been generated from grouping VLANs, that is, it does not operate as MSTP. Therefore Instance 0 exists on all the ports of the equipment. After MSTP starts, all the switches in CST exchange BPDU, and CST Root is decided by comparing their BPDU. Here, the switches that do not operate with MSTP have Instance 0, so they can also join the BPDU exchange.

The operation of deciding CST Root is CIST (Common & Internal Spanning-Tree).

[Figure: CST containing Legacy 802.1d switches, Region A (IST) and Region B (IST). Labels: CST Root & IST Root, IST Root, switches *B, *C, *D and *E, Instance 1 and Instance 2.]

【 Figure 8-28 】 CST and IST① of MSTP

In CST, A and B are the switches operating with STP, and C, D and E are those operating with MSTP.

First, in CST, CIST is established to decide CST Root. After CST Root is decided, the switch closest to CST Root is decided as IST Root of the Region. Here, CST Root in IST is IST Root.

[Figure: CST containing a Legacy 802.1d switch, Region A (IST), Region B (IST) and Region C (IST). Labels: CST Root & IST Root, IST Root, switches *B, *C, *D and *E, Instance 1 and Instance 2.]

【 Figure 8-29 】 CST and IST② of MSTP

In the above situation, if B operates with MSTP, B will send its BPDU to CST Root and IST Root in order to request to be CST Root itself. However, if any BPDU having higher priority than that of B is sent, B cannot be CST Root.

In SURPASS hiD 6610, the commands configuring MSTP are also used to configure STP and RSTP. The commands configuring PVST are used to configure PVRSTP.

8.3.4 Configuring STP/RSTP/MSTP/PVSTP/PVRSTP mode

In SURPASS hiD 6610, in order to configure STP, first of all configure Force-version to decide the mode. In order to decide Force-version, use the following command.

Command                                                  Mode     Function
stp force-version {stp | rstp | mstp | pvstp | pvrstp}   Bridge   Configures Force-version in the bridge.

In order to clear STP configuration from the switch, use the following command.

Command                Mode     Function
no stp force-version   Bridge   Clears STP configuration.

8.3.5 Configuring STP/RSTP/MSTP

(1) Activating STP/RSTP/MSTP

In order to enable STP, RSTP or MSTP as selected in Force-version, use the following command in Bridge configuration mode.

Command          Mode     Function
stp mst enable   Bridge   Enables STP, RSTP or MSTP function.

Information

With the above command, STP, RSTP or MSTP is enabled according to the configuration.

Even when the STP function is not operating, a loop does not occur on a switch that belongs to a LAN environment without dual paths.

In order to disable configured STP, RSTP, or MSTP, use the following command.

Command           Mode     Function
stp mst disable   Bridge   Disables STP, RSTP, or MSTP in VLAN.

(2) Configuring Root

In order to establish the STP, RSTP, or MSTP function, the Root switch must be decided first. In STP or RSTP it is the Root switch, and in MSTP it is the IST Root switch. Each switch has its own Bridge ID, and the Root switch on the same LAN is decided by comparing the Bridge IDs. However, the user can change the Root switch by configuring a Priority for it. The switch having the lowest priority is decided as Root switch.

In order to change the Root switch by configuring a Priority for it, use the following command.

Command                                  Mode     Function
stp mst priority mstid_range <0-61440>   Bridge   Configures the Priority of the switch.
no stp mst priority mstid_range          Bridge   Clears the Priority of the switch.

Information

You should input Instance number for mstid_range. It is from 0 to 64.

Note

In case of configuring the priority of STP and RSTP, mstid_range is 「0」.

Note

You should input the Priority as a multiple of 4096.

Information

In SURPASS hiD 6610, the default Priority is 32768.

(3) Configuring Path-cost

After deciding the Root switch, you need to decide along which route packets are forwarded. The criterion for this is path-cost.

Generally, path-cost depends on the transmission speed of the LAN interface in the switch. The following tables show path-cost according to the transmit rate of the LAN interface.

Note

You can use the same commands to configure STP and RSTP, but their path-costs are totally different. Be careful not to confuse them.

Transmit Rate   Path-cost
4M              250
10M             100
100M            19
1G              4
10G             2

【 Table 7‐1 】 STP path‐cost

Transmit Rate   Path-cost
4M              20,000,000
10M             2,000,000
100M            200,000
1G              20,000
10G             2,000

【 Table 7‐2 】 RSTP path‐cost

When the route decided by path-cost becomes overloaded, it is better to take another route. For such situations, it is possible to configure the path-cost of the Root port so that the user can configure the route manually.

In order to configure path-cost, use the following command.

Command                                                   Mode     Function
stp mst path-cost mstid_range port-number <1-200000000>   Bridge   Configures path-cost to configure route on user’s own.
no stp mst path-cost mstid_range port-number              Bridge   Clears the configured path-cost.

Information

You should input Instance number for mstid_range. It is from 0 to 64.

Note

In case of configuring the priority of STP and RSTP, mstid_range is 「0」.

(4) Configuring Port-priority

When all conditions of two routes are the same, the last criterion to decide the route is port-priority. It is also possible to configure port-priority so that the user can configure the route manually.

In order to configure port-priority, use the following command.

Command                                                 Mode     Function
stp mst port-priority mstid_range port-number <0-240>   Bridge   Configures port-priority.
no stp mst port-priority mstid_range port-number        Bridge   Clears the configured port-priority.

Information

You should input Instance number for mstid_range. It is from 0 to 64.

Note

In case of configuring the priority of STP and RSTP, mstid_range is 「0」.

Note

You should input Priority as a multiple of 16.

Information

In SURPASS hiD 6610, default Priority is 128.
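The selection order described in (2) to (4) above (Root by lowest Priority, route by lowest path-cost, then lowest port-priority) can be traced with the Python model below. It is an added illustration, not code from the manual or the switch; the three-switch topology, the MAC addresses and the final tie-break on port number are assumptions made for the example.

```python
from dataclasses import dataclass, replace

# Default path-costs from Table 7-1 (STP) and Table 7-2 (RSTP) of the manual.
STP_COST = {"4M": 250, "10M": 100, "100M": 19, "1G": 4, "10G": 2}
RSTP_COST = {"4M": 20_000_000, "10M": 2_000_000, "100M": 200_000,
             "1G": 20_000, "10G": 2_000}

# Constructed bridges, name -> (Priority, MAC). A is set to 4096 so it wins.
BRIDGES = {
    "A": (4096, "00:00:00:00:00:0a"),
    "B": (32768, "00:00:00:00:00:0b"),
    "C": (32768, "00:00:00:00:00:0c"),
}


@dataclass(frozen=True)
class Port:
    switch: str          # switch that owns the port
    number: int
    peer: str            # switch at the other end of the link
    path_cost: int
    priority: int = 128  # manual default; 0-240 in multiples of 16


def build_ports(costs):
    """Constructed topology: B has two parallel 100M links to A and a 1G
    link to C; C has a 1G link to B and a 100M link to A."""
    return [
        Port("B", 1, "A", costs["100M"]),
        Port("B", 2, "A", costs["100M"]),
        Port("B", 3, "C", costs["1G"]),
        Port("C", 1, "B", costs["1G"]),
        Port("C", 2, "A", costs["100M"]),
    ]


def elect_root(bridges):
    """The switch with the lowest (Priority, MAC) pair becomes Root."""
    return min(bridges, key=lambda name: bridges[name])


def root_path_costs(ports, root):
    """Cheapest cumulative path-cost from every switch to the Root."""
    cost = {root: 0}
    changed = True
    while changed:  # relax until no total improves
        changed = False
        for p in ports:
            if p.switch == root or p.peer not in cost:
                continue
            total = p.path_cost + cost[p.peer]
            if total < cost.get(p.switch, float("inf")):
                cost[p.switch] = total
                changed = True
    return cost


def select_root_ports(ports, root):
    """Per switch: lowest total path-cost, then lowest port-priority.
    The last tie-break on port number is an assumption of this example."""
    cost = root_path_costs(ports, root)
    best = {}
    for p in ports:
        if p.switch == root or p.peer not in cost:
            continue
        key = (p.path_cost + cost[p.peer], p.priority, p.number)
        if p.switch not in best or key < best[p.switch][0]:
            best[p.switch] = (key, p.number)
    return {switch: number for switch, (_, number) in best.items()}


def override(ports, switch, number, **changes):
    """Return a copy of the port list with one port reconfigured."""
    return [replace(p, **changes) if (p.switch, p.number) == (switch, number)
            else p for p in ports]


if __name__ == "__main__":
    root = elect_root(BRIDGES)
    ports = build_ports(STP_COST)
    print("root:", root)
    print("defaults:", select_root_ports(ports, root))
    print("B port 2 with port-priority 112:",
          select_root_ports(override(ports, "B", 2, priority=112), root))
    print("C port 2 with path-cost 100:",
          select_root_ports(override(ports, "C", 2, path_cost=100), root))
```

Raising the path-cost of C's direct port to 100 moves C's Root port to the 1G link through B, which is the manual route change that (3) describes.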

(5) Configuring MST Region

If MSTP is established in SURPASS hiD 6610, decide which MST Region the switch is going to belong to by configuring the MST Configuration ID. Configuration ID contains Region name, Revision and VLAN map.

In order to set Configuration ID, use the following command.

Command                                   Mode     Function
stp mst config-id name name               Bridge   Designates the name for the Region.
stp mst config-id map <1-64> vlan-range   Bridge   Configures the range of VLANs to be grouped as a region.
stp mst config-id revision <0-65535>      Bridge   Configures the switches in the same MST boundary with the same number.

Information

There is no limitation on the number of MST Regions in a network environment, but it is possible to generate only up to 64 instances.

Information

In case of configuring STP and RSTP, you do not need to configure Configuration ID. If it is configured, an error message is displayed.

In order to delete Configuration ID, use the following command.

Command                                        Mode     Function
no stp mst config-id                           Bridge   Deletes all of the configured Configuration ID.
no stp mst config-id name                      Bridge   Deletes the name of Region.
no stp mst config-id map <1-64> [vlan-range]   Bridge   Deletes entire VLAN-map or part of it.
no stp mst config-id revision                  Bridge   Deletes the configured revision number.

After configuring Configuration ID in SURPASS hiD 6610, you should apply the configuration to the switch. After changing or deleting the configuration, you must also apply it to the switch. If not, it is not applied to the switch.

In order to apply the configuration to the switch after configuring Configuration ID, use the following command.

Command                    Mode     Function
stp mst config-id commit   Bridge   Commits the configuration of the Region.

Note

After deleting the configured Configuration ID, apply it to the switch using the above command.

(6) Showing the configuration

In order to confirm the configuration after configuring STP, RSTP, MSTP, use the following command.

Command                                         Mode                   Function
show stp                                        Enable/Global/Bridge   Shows the configuration of STP/RSTP/MSTP.
show stp mst                                    Enable/Global/Bridge   Shows the configuration when it is configured as MSTP.
show stp mst mstid_range                        Enable/Global/Bridge   Shows the configuration of specific Instance.
show stp mst mstid_range all [detail]           Enable/Global/Bridge   Shows the configuration of the specific Instance for all the ports.
show stp mst mstid_range port-number [detail]   Enable/Global/Bridge   Shows the configuration of specific Instance for specific port.

Information

With the 「show stp」 command, it is possible to confirm the information for STP/RSTP/MSTP. To distinguish them, check which one is shown for 「mode」.

Note

In case STP or RSTP is configured in SURPASS hiD 6610, you should configure mstid_range as

「0」.

When MSTP is configured in the switch, use the following command to show Configuration ID.

Command                          Mode            Function
show stp mst config-id currnet   Enable/Bridge   Shows the current Configuration ID.
show stp mst config-id pending   Enable/Bridge   Shows Configuration ID that is the most recently configured.

For example, after the user configures Configuration ID and applies it to the switch with the stp mst config-id commit command, Configuration ID can be checked with both the show stp mst config-id currnet command and the show stp mst config-id pending command.

However, if the user did not use the stp mst config-id commit command to apply the configuration to the switch, the new configuration can be confirmed with the show stp mst config-id pending command, and the show stp mst config-id currnet command shows the Configuration ID currently applied to the switch.
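The pending/current behaviour and the three-part Configuration ID can be modelled as follows. This Python code is an added example, not the switch's implementation; the empty default name and default revision 0 are assumptions, and the 1-4094 VLAN universe follows the CIST line of the show stp mst output in 8.3.9.

```python
import copy

ALL_VLANS = range(1, 4095)  # VLAN 1-4094


def parse_vlan_range(text):
    """'7' or '1-50' -> set of VLAN IDs."""
    first, _, last = text.partition("-")
    low, high = int(first), int(last or first)
    if not 1 <= low <= high <= 4094:
        raise ValueError(f"bad vlan-range {text!r}")
    return set(range(low, high + 1))


def to_ranges(vlans):
    """{1, 2, 3, 7} -> '1-3,7'."""
    spans = []
    for vlan in sorted(vlans):
        if spans and vlan == spans[-1][1] + 1:
            spans[-1][1] = vlan
        else:
            spans.append([vlan, vlan])
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in spans)


class MstSwitch:
    def __init__(self):
        # Assumed defaults for this example: empty name, revision 0, no map.
        self.pending = {"name": "", "revision": 0, "map": {}}
        self.current = copy.deepcopy(self.pending)

    def config_id_name(self, name):
        self.pending["name"] = name

    def config_id_revision(self, revision):
        if not 0 <= revision <= 65535:
            raise ValueError("revision must be 0-65535")
        self.pending["revision"] = revision

    def config_id_map(self, instance, vlan_range):
        if not 1 <= instance <= 64:
            raise ValueError("instance must be 1-64")
        for vlan in parse_vlan_range(vlan_range):
            self.pending["map"][vlan] = instance

    def config_id_commit(self):
        """Only now does the edited Configuration ID take effect."""
        self.current = copy.deepcopy(self.pending)

    def config_id(self, which="current"):
        cfg = getattr(self, which)
        return cfg["name"], cfg["revision"], tuple(sorted(cfg["map"].items()))

    def instance_table(self, which="current"):
        """Rows like the 'instance / vlans' table; unmapped VLANs stay in CIST."""
        vlan_map = getattr(self, which)["map"]
        rows = [("CIST", to_ranges(v for v in ALL_VLANS if v not in vlan_map))]
        for instance in sorted(set(vlan_map.values())):
            members = (v for v, i in vlan_map.items() if i == instance)
            rows.append((str(instance), to_ranges(members)))
        return rows


def same_region(a, b):
    """Same MST Region only if name, revision and VLAN map all match."""
    return a.config_id("current") == b.config_id("current")


if __name__ == "__main__":
    sw1, sw2 = MstSwitch(), MstSwitch()
    for sw in (sw1, sw2):
        sw.config_id_map(2, "1-50")
        sw.config_id_name("TEST")
        sw.config_id_revision(1)
    sw1.config_id_commit()  # sw2 is configured but not committed
    print("sw1 current:", sw1.instance_table("current"))
    print("sw2 pending:", sw2.instance_table("pending"))
    print("sw2 current:", sw2.instance_table("current"))
    print("same region before sw2 commit:", same_region(sw1, sw2))
    sw2.config_id_commit()
    print("same region after sw2 commit:", same_region(sw1, sw2))
```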

8.3.6 Configuring PVSTP/PVRSTP

(1) Activating PVST/PVRSTP

In SURPASS hiD 6610, in order to configure PVSTP or PVRSTP, first of all configure Force-version to decide the mode. In order to decide Force-version, use the following command.

Command                      Mode     Function
stp pvst enable vlan-range   Bridge   Activates PVSTP or PVRSTP function.

Information

PVSTP is activated after selecting PVSTP in Force-version using the above command and PVRSTP is activated after selecting PVRSTP using the above commands.

Information

vlan-range can be entered as a VLAN name or an integer. A range of integers can be entered using 「-」.

Information

In PVSTP and PVRSTP, only VLANs that currently exist can be configured. If you enter a VLAN that does not exist, an error message is displayed.

For the switches in a LAN where no dual path exists, a Loop is not generated even though the STP function is not configured. In order to release configured PVSTP or PVRSTP, use the following command.

Command            Mode     Function
stp pvst disable   Bridge   Deactivates PVSTP or PVRSTP in VLAN.

(2) Configuring Root

In order to establish the STP, RSTP, or MSTP function, the Root switch must be decided first. Each switch has its own Bridge ID, and the Root switch on the same LAN is decided by comparing the Bridge IDs. However, the user can change the Root switch by configuring a Priority for it. The switch having the lowest priority is decided as Root switch.

In order to change the Root switch by configuring a Priority for it, use the following command.

Command                                  Mode     Function
stp pvst priority vlan_range <0-61440>   Bridge   Configures Priority of the switch.

Information

You should input VID for vlan_range.

Note

You should input the Priority as a multiple of 4096.

Information

In SURPASS hiD 6610, the default Priority is 32768.

(3) Configuring Path-cost

After deciding the Root switch, you need to decide along which route packets are forwarded. The criterion for this is path-cost. Generally, path-cost depends on the transmission speed of the LAN interface in the switch.

When the route decided by Path-cost is overloaded, it is better to take another route.

For such situations, in SURPASS hiD 6610 the user can configure the Path-cost of the Root port in order to designate the route manually. In order to configure Path-cost, use the following command.

Command                                                   Mode     Function
stp pvst path-cost vlan_range port-number <1-200000000>   Bridge   Configures path-cost to configure route on user’s own.

Information

You should input VID for vlan_range.

(4) Configuring Port-priority

When all conditions of two routes are the same, the last criterion to decide the route is port-priority. It is also possible to configure port-priority so that the user can configure the route manually. In order to configure port-priority, use the following command.

Command                                                 Mode     Function
stp pvst port-priority vlan_range port-number <0-240>   Bridge   Configures port-priority.

Information

You should input VID for vlan_range.

Note

You should input Priority as a multiple of 16.

Information

In SURPASS hiD 6610, Priority is configured as 128.

8.3.7 BPDU Configuration

BPDU is a message transmitted in the LAN in order to configure and maintain the configuration for STP/RSTP/MSTP. Switches in which STP is installed exchange their information in BPDU to find the best path. For STP, the user can configure the following. MSTP BPDU is a general STP BPDU with additional MST data at its end. The MSTP part of the BPDU does not remain when it leaves the Region.

◆ Hello time

Hello time decides an interval time when a switch transmits BPDU. It can be configured from 1 to 10

seconds. The default is 2 seconds.

◆ Max Age

The Root switch transmits new information every time, based on information from the other switches. However, if there are many switches on the network, it takes a lot of time to transmit BPDU. And if the network status changes while BPDU is being transmitted, this information is useless. To get rid of useless information, Max Age is specified in each piece of information.

◆ Forward Delay

Switches find the location of the other switches connected to the LAN through received BPDU and then transmit packets. Since it takes a certain time to receive BPDU and find the location before transmitting packets, switches send packets at a regular interval. This interval time is named Forward Delay.

Information

The configuration for BPDU is applied as selected in Force-version. The same commands are used for

STP, RSTP and MSTP and the same commands are used for PVSTP and PVRSTP.

(1) Hello time

Hello time decides an interval time when a switch transmits BPDU.

In order to configure Hello Time, use the following command.

Command                                 Mode     Function
stp mst hello-time <1-10>               Bridge   Configures Hello time to transmit the message in STP, RSTP, MSTP. The default setting of the system is 2 seconds.
stp pvst hello-time vlan-range <1-10>   Bridge   Configures Hello time to transmit the message in PVST, PVRST. The default setting of the system is 2 seconds.

Information

The default setting of the system is 2 seconds.

In order to clear configured hello-time, use the following command.

Command                             Mode     Function
no stp mst hello-time               Bridge   Clears the time configuration that is set up to transmit route message.
no stp pvst hello-time vlan-range   Bridge   Clears the time configuration that is set up to transmit route message.

(2) Forward Delay

It is possible to configure Forward delay, which is the time it takes for the port status to go from Listening to Forwarding. In order to configure Forward delay, use the following command.

Command                                    Mode     Function
stp mst forward-delay <4-30>               Bridge   Designates Forward-delay in STP, RSTP or MSTP.
stp pvst forward-delay vlan-range <4-30>   Bridge   Designates Forward-delay in PVSTP or PVRSTP.

Information

The default is 15 seconds.

In order to release the configured forward-delay, use the following command.

Command                                Mode     Function
no stp mst forward-delay               Bridge   Clears the configured Forward-delay.
no stp pvst forward-delay vlan-range   Bridge   Clears the configured Forward-delay.

(3) Max age

Max Age shows how long a path message is valid. In order to configure Max Age to delete useless messages, use the following command.

Command                              Mode     Function
stp mst max-age <6-40>               Bridge   Configures Max age of route message in STP, RSTP or MSTP.
stp pvst max-age vlan-range <6-40>   Bridge   Configures Max age in PVST or PVRST.

Information

The default is 20 seconds.

Note

It is recommended that Max Age be configured to less than twice the Forward Delay and more than twice the Hello Time.

In order to release the configured Max age, use the following command.

Command                          Mode     Function
no stp mst max-age               Bridge   Releases Max age of configured route message.
no stp pvst max-age vlan-range   Bridge   Releases Max age of configured route message.

(4) BPDU Hop

In MSTP, it is possible to configure the number of Hops in order to prevent BPDU from wandering. With this function, a BPDU passes through only as many switches as the configured number of Hops.

In order to configure the number of Hop of BPDU in MSTP, use the following command.

Command                   Mode     Function
stp mst max-hops <1-40>   Bridge   Configures the number of Hop for BPDU.

In order to delete the configured number of Hop for BPDU, use the following command.

Command               Mode     Function
no stp mst max-hops   Bridge   Deletes the number of Hop for BPDU in MSTP.

(5) Confirming BPDU configuration

In order to confirm the configuration for BPDU, use the following command.

Command                                                 Mode                   Function
show stp mst                                            Enable/Global/Bridge   In STP, RSTP or MSTP, it is possible to check the configuration for BPDU.
show stp pvst vlan-range [all | port_number] [detail]   Enable/Global/Bridge   In PVSTP, PVRST, it is possible to check the configuration for BPDU.
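As a check before a command list is entered on the switch, the value ranges from 8.3.5 and 8.3.7 and the Max Age recommendation above can be linted offline. The following Python script is an added example, not a vendor tool; it covers only the stp mst commands listed in this manual, and accepting a-b for mstid_range is an assumption.

```python
import re

# keyword: (arguments before the value, minimum, maximum, required multiple),
# taken from the command tables and notes in 8.3.5 and 8.3.7.
RULES = {
    "priority":      (1, 0, 61440, 4096),
    "path-cost":     (2, 1, 200_000_000, 1),
    "port-priority": (2, 0, 240, 16),
    "hello-time":    (0, 1, 10, 1),
    "forward-delay": (0, 4, 30, 1),
    "max-age":       (0, 6, 40, 1),
    "max-hops":      (0, 1, 40, 1),
}
DEFAULT_TIMERS = {"hello-time": 2, "forward-delay": 15, "max-age": 20}
PROMPT = re.compile(r"^\S+\(bridge\)#\s*")

# Commands of [Sample Configuration 4] in the manual.
SAMPLE_4 = """\
SWITCH(bridge)# stp mst hello-time 3
SWITCH(bridge)# stp mst forward-delay 15
SWITCH(bridge)# stp mst max-age 20
"""

# Constructed input with deliberate mistakes.
CONSTRUCTED = """\
SWITCH(bridge)# stp mst priority 0 4096
SWITCH(bridge)# stp mst priority 2 5000
SWITCH(bridge)# stp mst port-priority 0 1 100
SWITCH(bridge)# stp mst hello-time 3
SWITCH(bridge)# stp mst forward-delay 4
SWITCH(bridge)# stp mst max-age 20
SWITCH(bridge)# stp mst max-hops 41
"""


def check_instance(token):
    """mstid_range must lie in 0-64; 'a-b' is accepted as a range (assumption)."""
    parts = token.split("-")
    if not (1 <= len(parts) <= 2 and all(p.isdecimal() for p in parts)):
        return f"instance '{token}' is not a number or range"
    low, high = int(parts[0]), int(parts[-1])
    if low > high or high > 64:
        return f"instance '{token}' is outside 0-64"
    return None


def lint(text):
    """Return [(line number, message)]; line 0 is the timer cross-check."""
    findings = []
    timers = dict(DEFAULT_TIMERS)
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = PROMPT.sub("", raw.strip()).split()
        if len(tokens) < 3 or tokens[:2] != ["stp", "mst"] or tokens[2] not in RULES:
            continue  # not one of the commands this example checks
        keyword, args = tokens[2], tokens[3:]
        before, low, high, multiple = RULES[keyword]
        if len(args) != before + 1 or not args[-1].isdecimal():
            findings.append((lineno, f"{keyword}: expected {before} argument(s) and a number"))
            continue
        problem = check_instance(args[0]) if before else None
        if problem:
            findings.append((lineno, f"{keyword}: {problem}"))
        value = int(args[-1])
        if not low <= value <= high:
            findings.append((lineno, f"{keyword}: {value} is outside {low}-{high}"))
        elif value % multiple:
            findings.append((lineno, f"{keyword}: {value} is not a multiple of {multiple}"))
        elif keyword in timers:
            timers[keyword] = value
    hello, delay, age = (timers[k] for k in ("hello-time", "forward-delay", "max-age"))
    if not 2 * hello < age < 2 * delay:
        findings.append((0, f"max-age {age} should be more than {2 * hello} "
                            f"(2 x hello-time) and less than {2 * delay} (2 x forward-delay)"))
    return findings


if __name__ == "__main__":
    for name, text in (("SAMPLE_4", SAMPLE_4), ("CONSTRUCTED", CONSTRUCTED)):
        print(name, lint(text) or "no findings")
```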

8.3.8 Self Loop detection

Although there is no double path in the user’s equipment, a Loop can be caused by the network environment and the condition of the cable connected to the equipment. To prevent this, SURPASS hiD 6610 has Self Loop detection, which perceives that an outgoing packet has come back. With Self Loop detection, the switch blocks the port, which prevents the packet from coming back. In order to enable Self Loop detection, use the following command.

Command                       Mode     Function
stp self-loop-detect enable   Bridge   Enables Self Loop detection function.

In order to disable Self Loop detection, use the following command.

Command                        Mode     Function
stp self-loop-detect disable   Bridge   Disables Self Loop detection.

In order to check Self Loop detection or the port where Loop occurred, use the following command.

Command                                         Mode     Function
show stp self-loop-detect                       Bridge   Shows status of Self Loop detection and a port where Loop has happened.
show stp self-loop-detect {port-number | all}   Bridge   Shows Self Loop detection status and Loop on specific port or all the ports.

8.3.9 Sample Configuration

[Sample Configuration 1] MSTP Configuration

The following is an example of configuring MSTP in the switch.

SWITCH(bridge)# stp force-version mstp


SWITCH(bridge)# stp mst enable
SWITCH(bridge)# stp mst config-id map 2 1-50
SWITCH(bridge)# stp mst config-id name 1
SWITCH(bridge)# stp mst config-id revision 1
SWITCH(bridge)# stp mst config-id commit
SWITCH(bridge)# show stp mst
Status enabled
bridge id 8000.00d0cb000183
designated root 8000.00d0cb000183
root port 0 path cost 0
max age 20.00 bridge max age 20.00
hello time 2.00 bridge hello time 2.00
forward delay 15.00 bridge forward delay 15.00
CIST regional root 8000.00d0cb000183 CIST path cost 0
max hops 20
name TEST
revision 1
instance vlans
-------------------------------------------------------------------
CIST 51-4094
2 1-50
-------------------------------------------------------------------
SWITCH(bridge)#

[Sample Configuration 2 ] PVSTP Configuration

The following is an example of configuring PVSTP when Default, br2 and br3 are configured as VLANs.

SWITCH(bridge)# stp force-version pvst


SWITCH(bridge)# stp pvst enable 1-3
SWITCH(bridge)# show stp
Spanning tree operation mode is PVSTP
self-loop-detect is disabled
-----------------------------------------------
bridge id (VID) status
-----------------------------------------------
8001.00d0cb000183 ( 1) enabled
8002.00d0cb000183 ( 2) enabled
8003.00d0cb000183 ( 3) enabled
SWITCH(bridge)#

[ Sample Configuration 3 ] Changing Path-cost

The following is an example of changing Path-cost into 100 on the port number 1 in PVSTP and

confirming the configuration.

SWITCH(bridge)# show stp pvst 1 1 detail


(Omitted)
port01
port id 8001
state forwarding role designated
designated root 8000.00d0cb036023 path cost 19
designated bridge 8001.00d0cb000183 message age timer 0.00
designated port 8001 forward delay timer 0.00
designated cost 38
flags STP P2P Boundary

SWITCH(bridge)# stp pvst path-cost 1 1 100


SWITCH(bridge)# show stp pvst 1 1 detail
(Omitted )
port01
port id 8001
state forwarding role designated
designated root 8000.00d0cb036023 path cost 100
designated bridge 8001.00d0cb000183 message age timer 0.00
designated port 8001 forward delay timer 0.00
designated cost 38
flags STP P2P Boundary

SWITCH(bridge)#

[ Sample Configuration 4 ] Changing BPDU Configuration

The following is an example of configuring Hello time as 3 sec, Forward-delay as 15 sec and Max-age as 20 sec in MSTP.

SWITCH(bridge)# stp mst hello-time 3


SWITCH(bridge)# stp mst forward-delay 15
SWITCH(bridge)# stp mst max-age 20
SWITCH(bridge)# show stp mst
Status disabled
bridge id 8000.00d0cb000183
designated root 0000.000000000000
root port 0 path cost 0
max age 0.00 bridge max age 30.00
hello time 0.00 bridge hello time 3.00

forward delay 0.00 bridge forward delay 15.00


CIST regional root 0000.000000000000 CIST path cost 0
max hops 20

name TEST
revision 1
instance vlans
-------------------------------------------------------------------
CIST 51-4094
2 1-50
-------------------------------------------------------------------

SWITCH(bridge)#

[ Sample Configuration 5 ] Configuring Self Loop

The following is an example of confirming the configuration after enabling Self Loop Detection.

SWITCH(bridge)# stp self-loop-detect enable


SWITCH(bridge)# show stp self-loop-detect
self-loop-detect is enabled
SWITCH(bridge)# show stp self-loop-detect 1
self-loop-detect is enabled
-----------------------------------------------
PORT Self-Loop-Detected
-----------------------------------------------
01 no No Loop on the port number 1
SWITCH(bridge)#

8.5 Configuring ERP

ERP (Ethernet Ring Protection) is a protocol to prevent Loop in a Metro Ethernet network. It provides fast failure detection and recovery, so realizing ERP in hiD 6610 decreases the time needed to prevent Loop to under 50ms.

Note

ERP and STP cannot be used at the same time.

The description for ERP is as follows.

8.5.1 ERP Operation

Ethernet Ring Protection (ERP) is a concept and protocol optimized for fast failure detection and

recovery on Ethernet ring topologies. The Protection of fast failure detection and recovery occurs on

RM Node.

An Ethernet ring consists of two or more switches. One of the nodes on the ring is designated

as redundancy manager (RM) and the two ring ports on the RM node are configured as primary

port and secondary port respectively.

The RM blocks the secondary port for all non-control traffic belonging to this ERP domain. If a link failure occurs, the nodes detecting the Link Failure transmit a Link Down message, and the Link Failure port goes into Blocking status.

When the RM node receives this link-down message, it immediately declares the failed state and opens the logically blocked protected VLANs on the secondary port. The Ethernet Ring then resumes communication.

The following is ERP operation when Link Failure occurs.


[Figure: ring of Normal Nodes and the RM node with its primary port (P). ① Secondary Port of RM node is Blocking status in Normal state. ② Link failure. ③ Nodes detecting Link Failure transmit Link Down message.]

【 Figure 8-30 】 Ethernet ring operation in failure state

[Figure: ring of Normal Nodes and the RM node with its primary port (P). ① Secondary port of RM Node is changed as unblocking state. ② Sends Link Down Message.]

【 Figure 8-31 】Ring Protection

When a Link Failure is recovered, a temporary loop may occur. To rectify this condition, ERP sends a “link up” message to the RM. The RM will logically block the protected VLANs on its secondary port and generate an “RM link up” packet to make sure that all transit nodes are properly reconfigured. This completes fault restoration and the ring is back in normal state.


[Figure: ring of Normal Nodes and the RM node with its primary (P) and secondary (S) ports. ① Link Failure Recover. ② The Nodes detecting Link Failure send Link Up message. Blocks the port recovered from Link Failure.]

【 Figure 8-32 】Link Failure Recovery

[Figure: ring of Normal Nodes and the RM node with its primary (P) and secondary (S) ports. ① Blocks the Secondary Port of the RM Node. ② Sends RM Link Up message. ③ Unblocks the port recovered from Link Failure.]

【 Figure 8-33 】Ring Recovery

8.5.2 LOTP

ERP recognizes a Link Failure using LOTP (Loss of Test Packet). The RM Node regularly sends an RM Test Packet message. If the message does not return to the RM Node through the Ethernet Ring, it means that no Loop occurs. Therefore, the RM Node unblocks the Secondary port. The condition in which the RM Test Packet sent by the RM Node does not return is the LOTP state.


On the other hand, if the RM Test Packet returns to the RM Node through the Ethernet Ring, a Loop may occur. In this condition the RM Node blocks the Secondary port.
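The following Python model is an added example, not part of the manual or of the switch software. It replays the Link Down, Link Up / RM Link Up and LOTP sequences of 8.5.1 and 8.5.2 on a three-switch ring and records after every step whether the protected VLANs form a loop. The class, its method names and the hold_recovered_ports switch are assumptions made for illustration.

```python
class ErpRing:
    """One ERP domain on a ring. Link i joins nodes[i] and nodes[(i + 1) % n];
    a port is the pair (node index, link index)."""

    def __init__(self, nodes, rm):
        if len(nodes) < 2:
            raise ValueError("an Ethernet ring consists of two or more switches")
        self.nodes = list(nodes)
        self.n = len(self.nodes)
        rm_idx = self.nodes.index(rm)
        self.primary_port = (rm_idx, rm_idx)
        self.secondary_port = (rm_idx, (rm_idx - 1) % self.n)
        self.failed = set()                   # physically failed links
        self.blocked = {self.secondary_port}  # ports blocked for protected VLANs
        self.state = "Idle"
        self.history = []                     # (event, loop?, every node reachable?)
        self._record("normal state")

    def _ends(self, link):
        return {(link, link), ((link + 1) % self.n, link)}

    def _forwarding(self, link):
        return link not in self.failed and not (self._ends(link) & self.blocked)

    def has_loop(self):
        # Protected-VLAN traffic loops only if every link of the ring forwards.
        return all(self._forwarding(link) for link in range(self.n))

    def all_reachable(self):
        # A ring stays connected as long as at most one link is not forwarding.
        return sum(not self._forwarding(link) for link in range(self.n)) <= 1

    def _record(self, event):
        self.history.append((event, self.has_loop(), self.all_reachable()))

    def link_down(self, link):
        """Detecting nodes block the failed port and send Link Down to the RM."""
        self.failed.add(link)
        self.blocked |= self._ends(link)
        self._record(f"link {link} down, Link Down sent")
        self.state = "Failed"                       # RM declares failed state
        self.blocked.discard(self.secondary_port)   # and opens its secondary port
        self._record("RM unblocked secondary port")

    def link_up(self, link, hold_recovered_ports=True):
        """Recovery. hold_recovered_ports=False models forwarding at once (no ERP)."""
        self.failed.discard(link)
        if hold_recovered_ports:
            self.blocked |= self._ends(link)        # stay blocked until RM Link Up
        else:
            self.blocked -= self._ends(link)
        self._record(f"link {link} up, Link Up sent")
        if self.failed:                             # other links still down: not
            return                                  # covered by the manual
        self.blocked.add(self.secondary_port)
        self.state = "Idle"
        self._record("RM blocked secondary port, RM Link Up sent")
        self.blocked -= self._ends(link) - {self.secondary_port}
        self._record("transit nodes unblocked recovered ports")

    def silent_failure(self, link):
        """Constructed case: the link is lost but no Link Down reaches the RM."""
        self.failed.add(link)
        self._record(f"link {link} lost without Link Down")

    def poll_test_packet(self):
        """RM Test Packet: passes logically blocked ports, not failed links."""
        returned = not self.failed
        if returned:
            self.blocked.add(self.secondary_port)
            self.state = "Idle"
        else:                                       # LOTP state
            self.blocked.discard(self.secondary_port)
            self.state = "Failed"
        self._record("RM Test Packet returned" if returned else "LOTP")
        return returned


if __name__ == "__main__":
    ring = ErpRing(["SWITCH_A", "SWITCH_B", "SWITCH_C"], rm="SWITCH_C")
    ring.link_down(0)
    ring.link_up(0)
    for event, loop, reachable in ring.history:
        print(f"{event:45} loop={loop!s:5} reachable={reachable}")
```

With hold_recovered_ports=False the history contains a step with loop=True, which is the temporary loop the Link Up / RM Link Up exchange exists to avoid.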

8.5.3 Configuring ERP

The following describes how to configure ERP.

(1) Configuring ERP Domain

To use ERP, you should first configure a domain for ERP. To configure the domain, use the following command.

Command Mode Function

erp domain domain-id Bridge Creates ERP Domain.

Information

domain-id is the Control VLAN ID of the Domain; its range is 1-4094.

To delete the configured domain, use the following command.

Command Mode Function

no erp domain {all|domain-id} Bridge Deletes ERP Domain.

To add the description for configured domain, use the following command.

Command Mode Function

erp description domain-id description Bridge Configures Description for Domain.

(2) Configuring RM Node

To configure RM Node, use the following command.

Command Mode Function

erp rmnode domain-id Bridge Configures RM Node of ERP Node Mode.


To change an RM Node back to a Normal Node, use the following command.

Command Mode Function

no erp rmnode domain-id Bridge Configures ERP Node Mode as Normal Node.

(3) Configuring Port

To configure Primary Port and Secondary port of RM Node, use the following command.

Command Mode Function

erp port domain-id primary port-number secondary port-number Bridge Configures Port of ERP Domain.

Note

Primary port and secondary port should be different.

(4) Configuring Protected VLAN

To configure Protected VLAN of ERP domain, use the following command.

Command Mode Function

erp protections domain-id vid Bridge Configures Protected VLAN of ERP Domain.

To delete the configured Protected VLAN, use the following command.

Command Mode Function

no erp protections vid Bridge Deletes Protected VLAN of ERP Domain.

(5) Configuring Protected Activation

To configure ERP Protected Activation, use the following command.

Command Mode Function

erp activation domain-id Bridge Configures ERP Protected Activation.


To disable ERP Protected Activation, use the following command.

Command Mode Function

no erp activation domain-id Bridge Disables ERP Protected Activation.

(6) Configuring Manual Switch to Secondary

To configure Manual Switch to Secondary, use the following command.

Command Mode Function

erp ms-s domain-id Bridge Configures ERP Manual Switch to Secondary.

To disable Manual Switch to Secondary, use the following command.

Command Mode Function

no erp ms-s domain-id Bridge Disables ERP Manual Switch to Secondary.

(7) Configuring Wait-to-Restore Time

To configure Wait-to-Restore Time, use the following command.

Command Mode Function

erp wait-to-restore domain-id <1-720> Bridge Configures ERP Wait-to-Restore Time.

To return the configured Wait-to-Restore Time as Default, use the following command.

Command Mode Function

no erp wait-to-restore domain-id Bridge Configures ERP Wait-to-Restore Time as default.


(8) Configuring Learning Disable Time

To configure ERP Learning Disable Time, use the following command.

Command Mode Function

erp learn-dis-time domain-id <0-500> Bridge Configures ERP Learning Disable Time.

To return the configured Learning Disable Time as Default, use the following command.

Command Mode Function

no erp learn-dis-time domain-id Bridge Configures ERP Learning Disable Time as default.

(9) Configuring Test Packet Interval

To configure ERP Test Packet Interval, use the following command.

Command Mode Function

erp test-packet-interval domain-id <10-500> Bridge Configures ERP Test Packet Interval.

To return ERP Test Packet Interval as Default, use the following command.

Command Mode Function

no erp test-packet-interval domain-id Bridge Configures ERP Test Packet Interval as default.

(10) Checking ERP Configuration

To check the configuration for ERP, use the following command.

Command Mode Function

show erp configuration {all|domain-id} Enable/Global/Bridge Shows the information for ERP.

[ Sample Configuration 1 ]

The following is an example of configuring port number 1 as the primary port, port number 2 as the secondary port, and VLANs 201-300 as protected VLANs in a Domain when three switches are connected.


[Figure: SWITCH A, SWITCH B and SWITCH C (RM Node). Port number 1: Primary Port. Port number 2: Secondary Port.]

Here, a VLAN whose VID is the same as the Domain ID should be configured before configuring the ERP domain, and the ports used as Primary port and Secondary port should be configured as Tagged in the VLANs, as follows.

SWITCH(bridge)# show vlan


u: untagged port, t: tagged port
-------------------------------------------------------------------
| 1 2 3 4
Name( VID| FID) |123456789012345678901234567890123456789012
-------------------------------------------------------------------
default( 1| 1) |......uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu
br101( 101| 101) |tt..tt....................................
br201( 201| 201) |tt..tt....................................
br202( 202| 202) |tt..tt....................................
br203( 203| 203) |tt..tt....................................
br204( 204| 204) |tt..tt....................................
br205( 205| 205) |tt..tt....................................
br206( 206| 206) |tt..tt....................................
br207( 207| 207) |tt..tt....................................
br208( 208| 208) |tt..tt....................................
br209( 209| 209) |tt..tt....................................
br210( 210| 210) |tt..tt....................................
br211( 211| 211) |tt..tt....................................
br212( 212| 212) |tt..tt....................................
br213( 213| 213) |tt..tt....................................
br214( 214| 214) |tt..tt....................................
br215( 215| 215) |tt..tt....................................
br216( 216| 216) |tt..tt....................................

SWITCH(bridge)#


The following is the configuration on each switch.

< SWITCH A>

SWITCH_A(bridge)# erp domain 101


SWITCH_A(bridge)# erp protections 101 201-300
SWITCH_A(bridge)# erp port 101 primary 1 secondary 2
SWITCH_A(bridge)# erp activation 101
SWITCH_A(bridge)# show running-config
!
hostname SWITCH_A
!
exec-timeout 0 0
!
syslog start
syslog output info local volatile
syslog output info local non-volatile
syslog output info console
!
bridge
vlan create 101,201-300
!
vlan add default 7-42 untagged
vlan add br101 1-2,5-6 tagged
vlan add 201-300 1-2,5-6 tagged
!
vlan pvid 1-42 1
!
erp domain 101
erp protections 101 201-300
erp port 101 primary 1 secondary 2
erp activation 101
!
interface noshutdown lo
!
end
SWITCH_A(bridge)# show erp
-------------------------------------------------------------------
Domainid Primary Port Secondary Port Protected Vlans
-------------------------------------------------------------------
101 (O) 1:Forwarding 2:Forwarding 201-300
SWITCH_A(bridge)#

< SWITCH B>


SWITCH_B(bridge)# erp domain 101


SWITCH_B(bridge)# erp protections 101 201-300
SWITCH_B(bridge)# erp port 101 primary 1 secondary 2
SWITCH_B(bridge)# erp activation 101
SWITCH_B(bridge)# show running-config
!
hostname SWITCH_B
!
exec-timeout 0 0
!
syslog start
syslog output info local volatile
syslog output info local non-volatile
syslog output info console
!
bridge
vlan create 101,201-300
!
vlan add default 7-42 untagged
vlan add br101 1-2,5-6 tagged
vlan add 201-300 1-2,5-6 tagged
!
vlan pvid 1-42 1
!
erp domain 101
erp protections 101 201-300
erp port 101 primary 1 secondary 2
erp activation 101
!
interface noshutdown lo
!
end
SWITCH_B(bridge)# show erp
-------------------------------------------------------------------
Domainid Primary Port Secondary Port Protected Vlans
-------------------------------------------------------------------
101 (O) 1:Forwarding 2:Forwarding 201-300
SWITCH_B(bridge)# show erp all
Domainid: 101 DomainName: erp_domain0101
Description:
Protected Vlans: 201-300
-----------------------------------------------------------------------------
Primary Port: 1 Secondary Port: 2 Domain Activated: Yes
Wait-to-Restore: 1(s) Test Packet: 10(ms) Learning Disable: 50(ms)
Bridge Role: Normal Node Operate Request: Clear Multiple RM: No
Erp State: Idle LOTP(Multiple Fail) State: No
-----------------------------------------------------------------------------

SWITCH_B(bridge)#


< SWITCH C >

SWITCH_C(bridge)# erp domain 101


SWITCH_C(bridge)# erp protections 101 201-300
SWITCH_C(bridge)# erp port 101 primary 1 secondary 2
SWITCH_C(bridge)# erp rm-node 101
SWITCH_C(bridge)# erp activation 101
SWITCH_C(bridge)# show running-config
(Omitted)
!
hostname SWITCH_C
(Omitted)
!
bridge
vlan create 101,201-300
!
vlan add default 7-42 untagged
vlan add br101 1-2,5-6 tagged
vlan add 201-300 1-2,5-6 tagged
!
vlan pvid 1-42 1
!
erp domain 101
erp protections 101 201-300
erp port 101 primary 1 secondary 2
erp activation 101
erp rmnode 101
!
interface noshutdown lo
!
end
SWITCH_C(bridge)# show erp
-------------------------------------------------------------------
Domainid Primary Port Secondary Port Protected Vlans
-------------------------------------------------------------------
101 (O) 1:Forwarding 2:Blocking 201-300
SWITCH_C(bridge)# show erp all
Domainid: 101 DomainName: erp_domain0101
Description:
Protected Vlans: 201-300
-----------------------------------------------------------------------------
Primary Port: 1 Secondary Port: 2 Domain Activated: Yes
Wait-to-Restore: 1(s) Test Packet: 10(ms) Learning Disable: 50(ms)
Bridge Role: RM Node Operate Request: Clear Multiple RM: No
Erp State: Idle RM LOTP(Multiple Fail) State: No
-----------------------------------------------------------------------------

SWITCH_C(bridge)#
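An added example, not from the manual: an offline audit that parses the bridge section of the running-config shown above and checks the conditions this section states for ERP (control VLAN created, different primary and secondary ports, ring ports tagged in the control and protected VLANs, domain activated, one RM node on the ring). The function names and finding texts are assumptions; the brNNN-to-VID mapping follows the show vlan output above, and the broken configurations in demo() are constructed.

```python
import re

# Bridge section of the running-config shown above; {name} and {extra} vary per switch.
PAGE_CONFIG = """\
hostname {name}
bridge
 vlan create 101,201-300
 vlan add default 7-42 untagged
 vlan add br101 1-2,5-6 tagged
 vlan add 201-300 1-2,5-6 tagged
 vlan pvid 1-42 1
 erp domain 101
 erp protections 101 201-300
 erp port 101 primary 1 secondary 2
 erp activation 101
{extra}
"""


def expand(spec):
    """'1-2,5-6' -> {1, 2, 5, 6}"""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def vlan_ids(token):
    """VLAN argument of 'vlan add': 'default', 'brNNN' or a numeric range (assumption)."""
    if token == "default":
        return {1}
    named = re.fullmatch(r"br(\d+)", token)
    return {int(named.group(1))} if named else expand(token)


def parse(config):
    sw = {"hostname": "?", "vlans": {1}, "tagged": {}, "erp": {}}

    def dom(domain_id):
        return sw["erp"].setdefault(int(domain_id), {
            "protected": set(), "primary": None, "secondary": None,
            "active": False, "rm": False})

    for line in config.splitlines():
        w = line.split()
        if len(w) < 2:
            continue
        if w[0] == "hostname":
            sw["hostname"] = w[1]
        elif w[:2] == ["vlan", "create"]:
            sw["vlans"] |= expand(w[2])
        elif w[:2] == ["vlan", "add"] and w[-1] == "tagged":
            for vid in vlan_ids(w[2]):
                sw["tagged"].setdefault(vid, set()).update(expand(w[3]))
        elif w[0] == "erp" and len(w) >= 3:
            if w[1] == "domain":
                dom(w[2])
            elif w[1] == "protections":
                dom(w[2])["protected"] |= expand(w[3])
            elif w[1] == "port":
                dom(w[2]).update(primary=int(w[4]), secondary=int(w[6]))
            elif w[1] == "activation":
                dom(w[2])["active"] = True
            elif w[1] == "rmnode":
                dom(w[2])["rm"] = True
    return sw


def audit_switch(sw):
    findings = []
    for did, d in sorted(sw["erp"].items()):
        where = f'{sw["hostname"]} domain {did}'
        if did not in sw["vlans"]:
            findings.append(f"{where}: control VLAN {did} not created")
        ports = {d["primary"], d["secondary"]}
        if None in ports:
            findings.append(f"{where}: primary/secondary port not configured")
        else:
            if d["primary"] == d["secondary"]:
                findings.append(f"{where}: primary and secondary port are the same")
            missing = sorted(v for v in {did} | d["protected"]
                             if not ports <= sw["tagged"].get(v, set()))
            if missing:
                findings.append(f"{where}: ring ports not tagged in "
                                f"{len(missing)} VLAN(s), first {missing[0]}")
        if not d["active"]:
            findings.append(f"{where}: domain not activated")
    return findings


def audit_ring(switches):
    findings = [f for sw in switches for f in audit_switch(sw)]
    for did in sorted({d for sw in switches for d in sw["erp"]}):
        rms = [sw["hostname"] for sw in switches if sw["erp"].get(did, {}).get("rm")]
        if len(rms) != 1:
            findings.append(f"domain {did}: expected exactly one RM node, found {len(rms)}")
    return findings


def demo():
    """Constructed broken ring: SWITCH_C lost 'erp rmnode' and port 2 is untagged."""
    a = parse(PAGE_CONFIG.format(name="SWITCH_A", extra=""))
    b = parse(PAGE_CONFIG.format(name="SWITCH_B", extra=""))
    c = parse(PAGE_CONFIG.format(name="SWITCH_C", extra="").replace(
        "vlan add 201-300 1-2,5-6 tagged", "vlan add 201-300 1,5-6 tagged"))
    return audit_ring([a, b, c])
```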


8.6 Stacking

Stacking makes it possible to manage several switches with one IP address. If the number of IP addresses you can use is limited and there are too many switches to manage, you can manage a number of switches with a single IP address using this stacking function.

It is named One IP Management because you can easily manage various switches and the subscribers connected to them with this stacking function. SURPASS hiD 6610 provides this function.

Information

The stacking function can be configured for 2 to 16 switches.

The following is an example of the network where stacking is configured.

[Figure: SWITCH A (Master switch), connected to the Internet, with SWITCH B (Slave switch) and SWITCH C (Slave switch). Manage with the same IP.]

【 Figure 8-34 】The example of configuring stacking

The switch that manages the other switches in the stack is named the Master switch, and the switches managed by the Master switch are named Slave switches. Regardless of where they are installed or their connection state, the Master switch can check and manage all Slave switches.


The below steps are provided to configure stacking.

8.6.1 Configuring switch group

You should configure all the switches that use the stacking function to be in the same VLAN. In order to configure the switches as a switch group which belongs to the same VLAN, use the following command.

Command Mode Function

stack device bridge-name Global Configures all switches that use the stacking function as the same switch group.

Information

To manage the stacking function, the ports connecting the Master switch and the Slave switch must be in the same VLAN.

8.6.2 Designating Master switch

Designate the Master switch using the following command.

Command Mode Function

stack master Global Configure Master switch.

8.6.3 Designating Slave Switch

After designating Master switch, register Slave switch for Master switch.

In order to register Slave switch or delete the registered Slave switch, use the following command.

Command Mode Function

stack add mac-address [description] Global Registers Slave switch.
stack del mac-address Global Deletes Slave switch.


Information

To make stacking operate well, it is required to enable the interface of Slave switch.

Information

The switches in different VLAN cannot be added to the same switch group.

You should designate the switch registered in the Master switch as a Slave switch. In order to designate a Slave switch, use the following command.

Command Mode Function

stack slave Global Designate as Slave switch.

8.6.4 Releasing Stacking

In order to release stacking, use the following command.

Command Mode Function

no stack Global Releasing Stacking.

8.6.5 Confirming Stacking Configuration

In order to confirm the configuration for stacking, use the following command.

Command Mode Function

show stack Enable/Global/Bridge Confirms the configuration for stacking.

8.6.6 Accessing to Slave switch from Master switch

After completing the stacking configuration, you can configure and manage a Slave switch by accessing it from the Master switch.


In order to access a Slave switch from the Master switch, use the following command in Bridge configuration mode.

Command Mode Function

rcommand node-number Global Access to slave switch.

node-number means the “node ID” assigned to the Slave switch when stacking was configured. If you input the above command on the Master switch, a Telnet session to the Slave switch is displayed and it is possible to configure the Slave switch using DSH commands. If you use the “exit” command in the Telnet session, the connection to the Slave switch is closed.

8.6.7 Sample Configuration

[ Sample Configuration 1 ] Configuring stacking

The following is a stacking configuration by designating SWITCH A as a master and SWITCH B as a

slave.

[Figure: SWITCH A (Master switch) and SWITCH B (Slave switch). Manage switches using an IP.]

Step 1 Assign an IP address in Interface configuration mode of the switch and enable the interface using the “no shutdown” command. In order to enter Interface configuration mode, you should enter the Interface configuration mode of the VLAN to register as a switch group for stacking.

The following is an example of configuring Interface of switch group as 1.

SWITCH_A# configure terminal


SWITCH_A(config)# interface 1
SWITCH_A(Interface)# ip address 192.168.10.1/16
SWITCH_A(Interface)# no shutdown
SWITCH_A(Interface)#


Information

If there are several switches, the rest of them are managed through the IP address of the Master switch. Therefore, you don’t need to configure an IP address on the Slave switch.

Step 2 Configure Switch A as Master switch. Configure the VLAN to belong to the same switch group and, after registering the Slave switch, configure Switch A as the Master switch.

<Switch A – Master Switch>

SWITCH_A(config)# stack device br1


SWITCH_A(config)# stack add 00:d0:cb:22:00:11
SWITCH_A(config)# stack master

Step 3 On Switch B, which is registered in the Master switch as a Slave switch, configure the VLAN so that it belongs to the same switch group and configure the switch as a Slave switch.

<Switch B – Slave Switch>

SWITCH_B(config)# stack slave


SWITCH_B(config)# stack device br1

Step 4 Confirm the configuration. The information you can check on the Master switch and on the Slave switch is different, as shown below.

<Switch A – Master Switch>

SWITCH_A(config)# show stack


device : br1
node ID : 1
node MAC address status type name port
1 00:d0:cb:0a:00:aa active SURPASS hiD 6610 SWITCH_A 24
2 00:d0:cb:22:00:11 active SURPASS hiD 6610 SWITCH_B 24
SWITCH_A(config)#

<Switch B – Slave Switch>

SWITCH_B(config)# show stack


device : br1
node ID : 2
SWITCH_B(config)#


[ Sample Configuration 2 ] Accessing from Master switch to Slave switch

The following is an example of accessing the Slave switch from the Master switch configured in [ Sample Configuration 1 ]. If you check the configuration of the Slave switch in [ Sample Configuration 1 ], you can see that its node-number is 2.

SWITCH(bridge)# rcommand 2
Trying 127.1.0.1(23)...
Connected to 127.1.0.1.
Escape character is '^]'.
SWITCH login: root
Password: vertex25

SWITCH#

In order to disconnect, input the following.

SWITCH# exit
Connection closed by foreign host.
SWITCH(bridge)#

8.7 Rate Limit

You can customize port bandwidth according to your environment. Through this configuration, you can prevent a certain port from monopolizing the whole bandwidth so that all ports can use bandwidth equally. Egress and ingress can be configured either to the same value or to different values.

8.7.1 Configuring Rate Limit

In order to set port bandwidth, use the following command.

Command Mode Function

rate port-number rate [egress|ingress] Bridge Sets port bandwidth. If you input egress or ingress, you can configure outgoing packet or incoming packet. The unit is Mbps.

If you input neither egress nor ingress, both are configured to the same value. For the switch, egress is incoming packet, so it is upload for the PC user. When packets exceeding the configured bandwidth enter, Rate limit has so far dropped the packets unconditionally.


However, the newly upgraded SURPASS hiD 6610 sends a pause packet first and then, if the packets continue to be transmitted, drops them. To configure Rate limit on ingress with this method, use the following command.

Command Mode Function

rate port-number rate ingress enhanced Bridge Configures the use of pause packets on Ingress.

In order to check the configured bandwidth, use the following command.

Command Mode Function

show rate Enable/Global/Bridge Shows the configured bandwidth.

In order to clear the configured bandwidth, use the following command in Bridge configuration mode.

Command Mode Function

no rate port-number [egress|ingress] Bridge Clears the configured bandwidth on a port.

8.7.2 Sample Configuration

[ Sample Configuration 1 ] Configuring Rate Limit

The following is an example of the configuration after setting the bandwidth of port number 1 as 64Mbps

and the bandwidth of port number 2 as 52Mbps.

SWITCH(bridge)# rate 1 64
SWITCH(bridge)# rate 2 52
SWITCH(bridge)# show rate
----------------------------------------------------------------
Port Ingress Egress | Port Ingress Egress
--------------------------------+-------------------------------
1 64( 64.000) 64( 64.000) | 2 52( 52.000) 52( 52.000)
3 N/A N/A | 4 N/A N/A
5 N/A N/A | 6 N/A N/A
(Omitted)
SWITCH(bridge)#


8.8 Flood-Guard

Flood-guard limits the number of packets that can be transmitted within the configured bandwidth, whereas Rate limit, described in 「8.5 Configuring Rate Limit」, controls packets by configuring the width of the bandwidth through which packets pass. This function prevents the port from receiving more packets than the configured amount without enlarging the bandwidth.

[Figure: <Rate Limit> Configure Rate Limit in port on SURPASS hiD 6610: control bandwidth. <Flood Guard> Configure Flood-guard on SURPASS hiD 6610 to allow packets as many as ‘n’ per a second: ‘n’ packets allowed for a second; packets over n (n+1, n+2, ...) are thrown away.]

【 Figure 8-35 】 Rate Limit and Flood Guard

8.8.1 Configuring Flood-Guard

In order to limit the number of packets which can be transmitted in a second, use the following

command.

Command Mode Function

mac-flood-guard port-number <1-2000000> Bridge Limits the number of packets which can be transmitted to the port for 1 second.


In order to clear the configured Flood Guard, use the following command.

Command Mode Function

no mac-flood-guard port-number Bridge Clears the configured Flood Guard.

In order to check the configuration of Flood Guard, use the following command.

Command Mode Function

show mac-flood-guard [mac-address] Enable/Global/Bridge Shows the configured Flood Guard.

8.8.2 Sample Configuration

[ Sample Configuration 1 ] Configuring Flood-Guard

The following is an example of confirming the configuration after limiting the number of packets

transmitted to the port number 1 as 10,000.

SWITCH(bridge)# mac-flood-guard 1 10000


SWITCH(bridge)# show mac-flood-guard
---------------------------------
Port Rate(fps) | Port Rate(fps)
----------------+----------------
1 10000 | 2 Unlimited
3 Unlimited | 4 Unlimited
5 Unlimited | 6 Unlimited
7 Unlimited | 8 Unlimited
9 Unlimited | 10 Unlimited
11 Unlimited | 12 Unlimited
13 Unlimited | 14 Unlimited
15 Unlimited | 16 Unlimited
17 Unlimited | 18 Unlimited
(Omitted)
SWITCH(bridge)#
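The difference between the two limits, as an added Python example that is not part of the manual: the same constructed traffic is passed through a bandwidth policer set to the 64 Mbps of the Rate Limit sample and through a frame counter set to the 10000 frames per second configured above. Fixed one-second windows, 1 Mbps = 1,000,000 bit/s and all function names are assumptions; the manual does not describe how the switch measures either limit.

```python
RATE_MBPS = 64            # "rate 1 64" from the Rate Limit sample
FLOOD_GUARD_FPS = 10000   # "mac-flood-guard 1 10000" from the sample above


def stream(fps, size_bytes, seconds=1):
    """Constructed traffic: `fps` equal-sized frames in each one-second window."""
    return [(second, size_bytes) for second in range(seconds) for _ in range(fps)]


def police(frames, mbps=None, fps=None):
    """frames: (second, size_bytes) in arrival order.
    Returns {second: frames forwarded}; frames over a limit are dropped."""
    forwarded = {}
    window, bits, count = None, 0, 0
    for second, size in frames:
        if second != window:                      # new one-second window
            window, bits, count = second, 0, 0
        over_rate = mbps is not None and bits + size * 8 > mbps * 1_000_000
        over_fps = fps is not None and count + 1 > fps
        if not (over_rate or over_fps):
            bits += size * 8
            count += 1
            forwarded[second] = forwarded.get(second, 0) + 1
    return forwarded


def compare(fps, size_bytes):
    """Frames forwarded in one second under each limit for the same offered load."""
    frames = stream(fps, size_bytes)
    return {
        "offered_mbps": fps * size_bytes * 8 / 1_000_000,
        "rate_limit": police(frames, mbps=RATE_MBPS).get(0, 0),
        "flood_guard": police(frames, fps=FLOOD_GUARD_FPS).get(0, 0),
    }


if __name__ == "__main__":
    # Many small frames stay under 64 Mbps, so only the frame counter limits them.
    print("64-byte frames, 100000 fps:", compare(100000, 64))
    # Few large frames exceed 64 Mbps but stay under 10000 frames per second.
    print("1500-byte frames, 8000 fps:", compare(8000, 1500))
```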

8.9 IP IGMP(Internet Group Management Protocol)

A Multicast packet is transmitted only to the part of the group that requests the Multicast packet. IGMP (Internet Group Management Protocol) is the internet protocol that helps to inform the Multicast router of Multicast groups. In the Multicast Network, when a Multicast packet is transmitted, the Multicast router sends only an IGMP Query message that asks whether to receive the Multicast packet.


If a switch sends the join message to the Multicast router, the Multicast router transmits the Multicast packet only to that switch.

[Figure: Multicast Packet arrives at the Multicast Router. No packet transmission before join message. Sends IGMP Query Message.]

【 Figure 8-36 】 IP Multicasting ①

[Figure: Multicast Packet arrives at the Multicast Router. 1. Requesting the Multicast packet (Multicast Join request). 2. Transmitting the Multicast packet to the port that sent the join message.]

【 Figure 8-37 】 IP Multicasting ②

IGMP Snooping is a function that finds the port that sends a 「Join message」 to join a specific multicast group and receive multicast packets, or a 「leave message」 to leave the multicast group because it no longer needs the packets.


IGMP Snooping can be enabled only when the switch is connected to a multicast router.

8.9.1 IGMP Snooping

In order to enable IGMP Snooping, use the following command.

Command Mode Function

ip igmp snooping Global Enables IGMP Snooping.
ip igmp snooping vlan <1-4094> Global Configures IGMP snooping in VLAN.

On the other hand, in order to release IGMP snooping, use the following command in Global Configuration Mode.

Command Mode Function

no ip igmp snooping Global Releases IGMP snooping function.
no ip igmp snooping vlan <1-4094> Global Releases IGMP snooping in VLAN.

Note

Since PIM-SM includes IGMP Snooping, both IGMP Snooping and PIM-SM can be enabled at the

same time.

In order to show IGMP snooping configuration, use the following command.

Command Mode Function

show ip igmp snooping Enable/Global Shows IGMP Snooping.
show ip igmp snooping vlan <1-4094> Enable/Global Shows IGMP Snooping.


8.9.2 IGMP Snooping Querier

To enable Querier in configured IGMP Snooping, use the following command.

Command Mode Function

ip igmp snooping querier Global Enables Querier in the configured IGMP Snooping.
ip igmp snooping querier vlan <1-4094> Global Enables Querier in IGMP Snooping configured in VLAN.

To disable Querier in IGMP Snooping, use the following command.

Command Mode Function

no ip igmp snooping querier Global Disables Querier in IGMP Snooping.
no ip igmp snooping querier vlan <1-4094> Global Disables Querier in IGMP Snooping configured in VLAN.

To show Querier enabled in IGMP Snooping, use the following command.

Command Mode Function

show ip igmp snooping querier Global Shows Querier operated in IGMP Snooping.
show ip igmp snooping querier vlan <1-4094> Global Shows Querier in IGMP Snooping configured in VLAN.

8.9.3 Fast-leave

If a Multicast client sends the leave message to leave the Multicast group, the Multicast router sends an IGMP Query message to the client again and, when the client does not respond, deletes the client from the Multicast group.

Therefore, it takes time for the Multicast router to delete the client. However, by using the following command you can configure the function so that the Multicast router deletes the client from the Multicast group as soon as the client has sent the leave message. This function is called fast-leave.


Command Mode Function

ip igmp snooping fast-leave Global Configures the fast-leave.
ip igmp snooping fast-leave vlan <1-4094> Global Configures the fast-leave in VLAN.

To remove fast-leave from the SURPASS hiD 6610, use the following command.

Command Mode Function

no ip igmp snooping fast-leave Global Deletes the fast-leave.
no ip igmp snooping fast-leave vlan <1-4094> Global Deletes the fast-leave in VLAN.

In order to view the IGMP snooping fast-leave configuration, use the following command.

Command Mode Function

show ip igmp snooping fast-leave Enable/Global Shows IGMP Snooping fast-leave.
show ip igmp snooping fast-leave vlan <1-4094> Enable/Global Shows IGMP Snooping fast-leave.

8.9.4 Time to Register in Multicast Group

If a client in a multicast group sends a leave message in order to leave the multicast group, the multicast router sends an IGMP Query message again. If there is no response to the message, it deletes the host from the multicast group, which takes some time.

In order to configure the response time after sending the IGMP Query message, use the following command.

Command Mode Function

ip igmp snooping last-member-query-interval <100-900> Global Configure the time of registering in multicast group after sending Join message.
ip igmp snooping last-member-query-interval <100-900> vlan <1-4094> Global Configure the time of registering in multicast group after sending Join message from VLAN.

Information

The time unit for <100-900> is ms.


Information

In SURPASS hiD 6610, the response waiting time is configured as 1000ms by default.

Information

If you configure ip igmp snooping fast-leave, configuring the time of registering in the multicast group is meaningless.

In order to release the waiting time for a response after sending the IGMP Query message, use the following command.

Command Mode Function

no ip igmp snooping last-member-query-interval Global Release the time of registering Join message in multicast group after sending it.
no ip igmp snooping last-member-query-interval vlan <1-4094> Global Release the time of registering Join message after sending it in VLAN.

In order to view the IGMP snooping last-member-query-interval configuration, use the following

command.

Command Mode Function

show ip igmp snooping last-member-query-interval Enable/Global Show IGMP snooping last-member-query-interval configuration.
show ip igmp snooping last-member-query-interval vlan <1-4094> Enable/Global Show IGMP snooping last-member-query-interval configuration.

8.9.5 Configuring Multicast Router Path

In SURPASS hiD 6610, it is possible to designate the port to which the multicast router is connected. If you designate where the multicast router is connected, it is possible to transmit multicast packets or messages only to that port.


To designate the port connected to multicast router, use the following command.

Command Mode Function

ip igmp snooping mrouter port port-number Global Designate the port where multicast router is connected to.
ip igmp snooping mrouter port port-number vlan <1-4094> Global In VLAN, designate the port where multicast router is connected to.

In order to release the port where multicast router is connected, use the following command.

Command Mode Function

no ip igmp snooping mrouter port port-number Global Release the port where multicast router is connected.
no ip igmp snooping mrouter port port-number vlan <1-4094> Global Release the port where multicast router is connected in VLAN.

In order to view IGMP snooping mrouter configuration, use the following command.

Command Mode Function

show ip igmp snooping mrouter Enable/Global Show IGMP snooping mrouter configuration.
show ip igmp snooping mrouter vlan <1-4094> Enable/Global Show IGMP snooping mrouter configuration.

8.9.6 Multicast Packet Filtering

When a Multicast packet is transmitted to the switch, the switch forwards it according to the IGMP table. A packet that is registered in an IGMP group is transmitted to the interfaces of the same group.

However, an unregistered Multicast packet can also be transmitted from a device connected to your switch. If an unregistered Multicast packet is transmitted to the switch, the switch will drop or flood it according to your decision. Therefore, you have to decide how to handle unregistered packets.


[Figure: Multicast Packet of Group A arrives at a switch with interfaces a, b, c, d, e. Current IGMP Table: interface b, e; group A. Transmit to the b and c registered in the IGMP table.]

【 Figure 8-38 】 Example ① The Multicast packet registered in the IGMP group

[Figure: Multicast Packet of Group B arrives at a switch with interfaces a, b, c, d, e. Current IGMP Table: interface b, e; group A. Drop or flood as user’s decision because of unregistered packet.]

【 Figure 8-39 】 Example ② The unregistered Multicast packet

In order to filter all multicast packets that are not registered in the IGMP table, use the following command.

Command Mode Function

ip igmp multicast-filter Global Enables Multicast packet filter.

The following is an example of enabling Multicast packet filtering.

SWITCH(config)# ip igmp multicast-filter


SWITCH(config)#


In order to disable Multicast packet filtering, use the following command.

Command Mode Function

no ip igmp multicast-filter Global Disables Multicast packet filtering.

The following is an example of disabling Multicast packet filtering.

SWITCH(config)# no ip igmp multicast-filter
SWITCH(config)#

8.9.7 Registering in Multicast Group

In a Multicast network, it takes time for a Multicast client to send the join message and receive the Multicast packet. However, SURPASS hiD 6610 can transmit the Multicast packet promptly when the client requests it, because it receives Multicast packets in advance and keeps them.

If you want to keep the transmitted Multicast packets in order to do Multicasting quickly, register your switch in the Multicast group by using the following command.

Command Mode Function

ip igmp snooping static-group bridge-name ip-address port-number Global Adds to specified multicast group.

After using the above command, you need to verify that SURPASS hiD 6610 has joined the multicast group through the multicast router. To do so, use the following command.

Command Mode Function

show igmp snooping static-group Enable/Global Shows multicast group registration.

Information

The above example is a case when there is no registration. It may vary according to registered

information.


In order to delete switch from multicast group, use the following command.

Command Mode Function

no ip igmp snooping static-group bridge-name ip-address port-number Global Deletes switch from multicast group.

8.10 PIM-SM (Protocol Independent Multicast – Sparse Mode)

IGMP is the protocol for multicast communication between switch and host, and PIM is the protocol for multicast communication between router and router. There are two kinds of PIM: PIM-DM (Protocol Independent Multicast – Dense Mode) and PIM-SM (Protocol Independent Multicast – Sparse Mode). SURPASS hiD 6610 supports PIM-SM.

A dense mode protocol can send data packets and member information to interfaces that are not connected to a multicast source or receiver, and the multicast router saves connection state for all the nodes. When most hosts belong to the multicast group and there is enough bandwidth to support the flow of control messages between constituent members, these overheads are acceptable, but in other cases dense mode is inefficient.

Contrary to dense mode, PIM-SM receives multicast packets only when a request comes from a specific host in the multicast group. Therefore PIM-SM is appropriate when the constituent members of a group are dispersed over a wide area or the bandwidth used for the whole is small. Sparse mode is most useful on WAN and can also be used on LAN. For the standard of PIM-SM, refer to RFC 2362.

Information

For using PIM-SM, you need a router which supports PIM-SM.

◆ RPT and SPT

RP (Rendezvous Point) plays the central role in PIM-SM. In the chart below, the multicast packet is transmitted from A, the source, through B and C to D, the RP. D (RP) then transmits the multicast packet after receiving a join message from E or F. That is, all multicast packets are transmitted by passing through the RP (Rendezvous Point). For instance, even though F needs the multicast packet, the packet passes through 『A → B → C → D → C → F』, not 『A → B → C → F』.


A route built around the RP like this is called RPT (Rendezvous Point Tree) or shared tree. There is only one RP in one multicast group. RPT has a (*, G) entry because a receiver can send a message to the RP without knowing the source. “G” means multicast group.

【 Figure 8-40 】 RPT of PIM-SM (diagram steps: 1. multicast packet is transmitted from the Source to the RP (Rendezvous Point); 2. receivers ask the RP for the multicast packet; 3. the RP transmits the multicast packet for the request)

Also, routers on the packet route automatically optimize the route by deleting the unnecessary part when traffic exceeds a certain limit. After the route to the source and the multicast group connected to the source are established, all sources have a route to connect to the receiver directly.

In the example in the picture below, packets are usually transmitted through 『A → B → C → D』, but they are transmitted through the faster route 『A → C → F』 when traffic increases. SPT (Shortest-Path Tree) selects the shortest route between source and receiver regardless of the RP; it is also called source based tree or short path tree. SPT has an (S, G) entry; “S” means source address and “G” means multicast group.


【 Figure 8-41 】 SPT of PIM-SM (diagram steps: 1. multicast packet is transmitted from the Source to the RP (Rendezvous Point); 2. the receiver requests the multicast packet from the RP; 3. the RP transmits the multicast packet for the request; 4. the route is optimized by deleting the unnecessary part when traffic exceeds a certain limit)

In order to configure PIM-SM in SURPASS hiD 6610, you should refer to the following sections.

Enabling PIM-SM

Deciding RP

Configuring Static RP

Configuring BSR

Configuring RP Information

Configuring Assert message Information

Whole-packet-checksum

Configuring Interval of Cache-check

Configuring Multicast Routing Table

Configuring Multicast Routing vid

Configuring PIM-SM on Ethernet Interface

Viewing PIM-SM Information

8.10.1 Enabling PIM-SM

Before configuring PIM-SM in the switch, you should enable PIM-SM. In order to enable PIM-SM, use the following command. When you enable PIM-SM by using the following command, the system enters PIM configuration mode, and the system prompt changes from SWITCH(config)# to SWITCH(config_pim)#.


Command Mode Function

router pim Global Enables PIM-SM and enters into PIM configuration mode.

Information

PIM-SM supports both IGMP Querier and IGMP Snooping, therefore you cannot configure them at the

same time.

Note

The commands, “ip igmp static” and “ip igmp fast-leave” can be used when IGMP and PIM-SM are
enabled at same time.

In order to disable PIM configuration mode, use the following command.

Command Mode Function

no router pim Global Disables PIM-SM.

[Sample Configuration 1]

The following is an example of enabling PIM-SM and entering into PIM configuration mode from

configuration mode.

SWITCH(config)# router pim
SWITCH(config_pim)#

Use “exit” command to go back to configuration mode. And use “end” command to enter into Privilege
Exec Enable Mode.

SWITCH(config_pim)# exit
SWITCH(config)#
SWITCH(config_pim)# end
SWITCH#


8.10.2 Deciding RP

There are two ways to decide the RP, the center of PIM-SM, on a multicast network. One is that the network administrator decides the RP manually; the other is that the RP is decided automatically by exchanging information between the multicast routers installed on the network. The information transmitted between multicast routers in the automatic way is called the Bootstrap message, and the router that sends this Bootstrap message is called BSR (Bootstrap Router). All PIM routers on the multicast network can be BSR.

Routers that want to be BSR are named candidate-BSR, and the one with the highest priority among them becomes BSR. If routers have the same priority, the one with the highest IP address becomes BSR. The Bootstrap message includes the priority used to decide the BSR, the Hash-mask to be used in Hash, and RP information. After the BSR is decided, routers that support RP transmit a candidate-RP message to the BSR. The candidate-RP message includes priority, IP address, and multicast group. The BSR then adds the candidate-RP message to the Bootstrap message and transmits it to the other PIM routers. Through this transmitted Bootstrap message, the RP of the multicast group is decided.

The user’s equipment belonging to a PIM-SM network can be candidate-BSR, and the BSR is decided among the candidates. A candidate-BSR transmits the Bootstrap message to decide the BSR. In SURPASS hiD 6610, you can configure the priority used to decide the BSR and the Hash-mask carried in Bootstrap messages.

8.10.3 Configuring Static RP

In order to configure RP manually by administrator, use the following command.

Command Mode Function

static-rp group-address/M rp-ip-address PIM Configures RP of multicast group.

In order to delete RP configured by network administrator, use the following command.

Command Mode Function

no static-rp group-address/M rp-ip-address PIM Deletes RP configured by network administrator.


The following is an example of configuring the router with the address 200.1.1.1 as RP of the multicast group with the network address 224.0.0.0/8.

SWITCH(config_pim)# static-rp 224.0.0.0/8 200.1.1.1
SWITCH(config_pim)#

8.10.4 Configuring BSR

The information transmitted between multicast routers in the automatic way is called the Bootstrap message, and the router that sends this Bootstrap message is called BSR (Bootstrap Router). All PIM routers on the multicast network can be BSR. Routers that want to be BSR are named candidate-BSR, and the one with the highest priority among them becomes BSR. If routers have the same priority, the one with the highest IP address becomes BSR.

It is possible to configure the following information, which is included in the candidate-BSR message.

□ Candidate-BSR IP Address

□ Candidate-BSR Priority

□ Candidate-BSR Hash-mask

(1) Candidate-BSR IP Address

Since it is possible to assign several IP addresses in SURPASS hiD 6610, the switch may have several
IP addresses assigned. User can select one IP address among several IP addresses to be used in

switch as candidate-BSR. In order to select IP address to be used in candidate-BSR, use the following

command.

Command Mode Function

cand-bsr address ip-address PIM Selects IP address to be used in candidate-BSR

In order to delete assigned IP address in candidate-BSR, use the following command.

Command Mode Function

no cand-bsr address PIM Deletes assigned IP address in candidate-BSR.


(2) Candidate-BSR Priority

When the BSR is decided among candidate-BSRs, the priority in the Bootstrap message is compared. The candidate-BSR with the highest priority becomes BSR. In order to configure the priority of the Bootstrap message, use the following command.

Command Mode Function

cand-bsr priority <0-255> PIM Configures priority of Bootstrap message.

Information

The default is “0”.

Information

The highest priority of candidate-BSR becomes BSR.

In order to delete priority of Bootstrap message, use the following command.

Command Mode Function

no cand-bsr priority PIM Deletes priority of Bootstrap message.

(3) Candidate-BSR Hash-mask

When candidate-BSRs have the same priority, their IP addresses are compared through Hash. You can configure the Hash-mask used to apply the Hash.

In order to configure Hash-mask included in Bootstrap message when SURPASS hiD 6610 is

candidate-BSR, use the following command.

Command Mode Function

cand-bsr hash-mask <0-32> PIM Configures Hash-mask in Bootstrap message.


In order to delete Hash-mask in Bootstrap message, use the following command.

Command Mode Function

no cand-bsr hash-mask PIM Deletes Hash-mask in Bootstrap message.

Information

The default is “30”.

[Sample Configuration 2]

The following is an example of configuring IP address, priority, Hash-mask of candidate-BSR and

confirming it.

SWITCH(config_pim)# cand-bsr address 10.1.1.1
SWITCH(config_pim)# cand-bsr hash-mask 30
SWITCH(config_pim)# cand-bsr priority 5
SWITCH(config_pim)# show running-config
(omitted)
router pim
cand-bsr address 10.1.1.1
cand-bsr priority 5
cand-bsr hash-mask 30
!
ip route 0.0.0.0/0 172.16.1.254
!
no snmp
!
SWITCH(config_pim)#
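
The BSR election rule from 8.10.2 and 8.10.4, applied to running-config stanzas so that the outcome of a set of priorities can be checked before deployment. This is an added example, not part of the manual; the router names and the three stanzas are constructed, while the defaults and value ranges are the ones this manual gives.

```python
import ipaddress
import re

# Constructed sample: the "router pim" stanza of three candidate-BSRs, in the
# form "show running-config" prints it. Router names and addresses are made up.
CONFIGS = {
    "switch-a": "router pim\n cand-bsr address 10.1.1.1\n cand-bsr priority 5\n"
                " cand-bsr hash-mask 30\n!\n",
    "switch-b": "router pim\n cand-bsr address 10.1.1.9\n cand-bsr priority 5\n!\n",
    "switch-c": "router pim\n cand-bsr address 10.1.1.200\n!\n",
}

DEFAULT_PRIORITY = 0    # default stated in this manual
DEFAULT_HASH_MASK = 30  # default stated in this manual
LIMITS = {"priority": (0, 255), "hash-mask": (0, 32)}  # CLI ranges from the manual

CAND_BSR_RE = re.compile(r"cand-bsr (address|priority|hash-mask) (\S+)")


def parse_cand_bsr(config_text):
    """Return the candidate-BSR settings of one router, or None if no address is set."""
    cfg = {"address": None, "priority": DEFAULT_PRIORITY, "hash-mask": DEFAULT_HASH_MASK}
    in_pim = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "router pim":
            in_pim = True
            continue
        if line == "!":
            in_pim = False
            continue
        match = CAND_BSR_RE.fullmatch(line) if in_pim else None
        if not match:
            continue
        key, value = match.groups()
        if key == "address":
            cfg["address"] = ipaddress.IPv4Address(value)
        else:
            low, high = LIMITS[key]
            number = int(value)
            if not low <= number <= high:
                raise ValueError(f"cand-bsr {key} {number} is outside {low}-{high}")
            cfg[key] = number
    return cfg if cfg["address"] is not None else None


def elect_bsr(configs):
    """Manual's rule: highest priority wins, ties go to the highest IP address."""
    candidates = {}
    for name, text in configs.items():
        cfg = parse_cand_bsr(text)
        if cfg:
            candidates[name] = cfg
    if not candidates:
        return None
    ranked = sorted(
        candidates,
        reverse=True,
        key=lambda n: (candidates[n]["priority"], int(candidates[n]["address"])),
    )
    winner = ranked[0]
    top_priority = candidates[winner]["priority"]
    tied = [n for n in ranked if candidates[n]["priority"] == top_priority]
    return {
        "bsr": winner,
        "address": str(candidates[winner]["address"]),
        # Tells the operator whether the result depends only on addressing.
        "decided_by": "ip-address" if len(tied) > 1 else "priority",
        "ranking": ranked,
    }


if __name__ == "__main__":
    print(elect_bsr(CONFIGS))
```

A result with `decided_by` equal to `ip-address` means the intended BSR holds its role only through its address, so giving it a distinct higher priority makes the outcome explicit.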

8.10.5 Configuring RP Information

After the BSR is decided on the multicast network, candidate-RP routers send a candidate-RP message to the BSR. The candidate-RP message includes priority, IP address, and multicast group. Then the BSR adds the received candidate-RP information to the Bootstrap message and transmits it to the other PIM routers. Through this Bootstrap message, the RP of the multicast group is decided. All routers belonging to the multicast network can become candidate-RP, and the routers configured as candidate-BSR are generally also configured as candidate-RP. It is possible to configure the following information, which is included in the candidate-RP message.


□ Candidate-RP IP Address

□ Multicast Group of Candidate-RP

□ Candidate-RP Priority

□ Interval of Candidate-RP Information Transmit

□ Blocking Candidate-RP of Another Member

(1) Candidate-RP IP Address

It is possible to configure several IP addresses in SURPASS hiD 6610 router. Therefore, you need to

configure IP address to be used in SURPASS hiD 6610 as candidate-RP. In order to configure IP

address to be used in candidate-RP, use the following command.

Command Mode Function

cand-rp address ip-address PIM Configures IP address to be used in candidate-RP.

In order to delete configured IP address, use the following command.

Command Mode Function

no cand-rp address PIM Deletes configured IP address.

(2) Registering Multicast Group of Candidate-RP

You should register address of multicast group as well as IP address in candidate-RP message for

service. In order to register address of multicast group in candidate-RP message, use the following

command.

Command Mode Function

cand-rp group group-address/M PIM Registers address of multicast group in candidate-RP message.

In order to delete registered multicast group, use the following command.

Command Mode Function

no cand-rp group group-address/M PIM Deletes registered multicast group.


(3) Candidate-RP Priority

When BSR decides RP, priority of candidate-RP is compared. In order to configure this priority, use the

following command.

Command Mode Function

cand-rp priority <0-255> PIM Configures priority of candidate-RP.

Information

Candidate-RP with higher priority is decided as RP.

Information

The default is “0”.

In order to delete configured priority of candidate-RP, use the following command.

Command Mode Function

no cand-rp priority PIM Deletes configured priority of candidate-RP.

(4) Interval of Candidate-RP Information Transmit

Candidate-RP transmits candidate-RP message to BSR at regular interval. User can configure the

interval to transmit candidate-RP message when SURPASS hiD 6610 is candidate-RP.

In order to configure interval to transmit candidate-RP message, use the following command.

Command Mode Function

cand-rp interval <1-65535> PIM Configures interval to transmit candidate-RP message.

Information

The default is “60 seconds”.


In order to delete interval to transmit candidate-RP message, use the following command.

Command Mode Function

no cand-rp interval PIM Deletes interval to transmit candidate-RP message.

[Sample Configuration 3]

The following is an example of configuring candidate-RP message information and confirming it.

SWITCH(config_pim)# cand-rp address 20.1.1.1
SWITCH(config_pim)# cand-rp group 224.0.0.0/8
SWITCH(config_pim)# cand-rp interval 10
SWITCH(config_pim)# cand-rp priority 3
SWITCH(config_pim)# show running-config
(omitted)
router pim
cand-bsr address 100.1.1.1
cand-bsr priority 5
cand-bsr hash-mask 32
cand-rp address 20.1.1.1
cand-rp priority 3
cand-rp interval 10
cand-rp group 224.0.0.0/8
(omitted)
SWITCH(config_pim)#

(5) Blocking Candidate-RP Message of Another Member

One network may include different multicast groups as well as routers that are not members of a multicast group. It can therefore happen that routers that are members of another network, or not members of the multicast group, apply for RP and transmit candidate-RP messages.

To prevent this, you can block the candidate-RP messages of other routers so that only the candidate-RPs in the multicast group communicate. In order to block candidate-RP messages from routers that are not members, perform the tasks below.

Step 1 Block all packets transmitted on network.

Command Mode Function

cand-rp access deny network-address PIM Blocks all packets transmitted on specified network.


Step 2 Allow only packets transmitted by routers that will exchange candidate-RP message.

Command Mode Function

cand-rp access permit ip-address/M PIM Allows only packets transmitted by routers that will exchange candidate-RP.

In order to release the above configuration, use the following commands.

Command Mode Function

no cand-rp access deny network-address PIM Releases blocked packet.

no cand-rp access permit ip-address/M PIM Releases allowed packet.

[Sample Configuration 4]

The following is an example of allowing only packets transmitted by routers that will exchange

candidate-RP message and confirming it.

SWITCH(config_pim)# cand-rp access deny 172.16.209.0/24
SWITCH(config_pim)# cand-rp access permit 172.16.209.5/32
SWITCH(config_pim)# cand-rp access permit 172.16.209.10/32
SWITCH(config_pim)# show running-config
Building configuration...
(omitted)
cand-rp access deny 172.16.209.0/24
cand-rp access permit 172.16.209.5/32
cand-rp access permit 172.16.209.10/32
!
ip route 0.0.0.0/0 172.16.1.254
!
SWITCH(config_pim)#
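
A way to check offline which candidate-RP senders the filter from Sample Configuration 4 would accept, as an added example that is not part of the manual. The matching semantics are an assumption (the most specific matching entry decides, and an address matched by no entry is not filtered), since the manual does not state them; the sender addresses are constructed.

```python
import ipaddress
import re

# Running-config lines as shown in Sample Configuration 4.
RUNNING_CONFIG = """\
cand-rp access deny 172.16.209.0/24
cand-rp access permit 172.16.209.5/32
cand-rp access permit 172.16.209.10/32
!
ip route 0.0.0.0/0 172.16.1.254
!
"""

# Constructed sample: source addresses of received candidate-RP messages.
SENDERS = ["172.16.209.5", "172.16.209.10", "172.16.209.77", "10.9.9.9"]

RULE_RE = re.compile(r"cand-rp access (deny|permit) (\S+)")


def parse_rules(config_text):
    """Extract (action, network) pairs; lines starting with "no" do not match."""
    rules = []
    for raw in config_text.splitlines():
        match = RULE_RE.fullmatch(raw.strip())
        if match:
            action, prefix = match.groups()
            rules.append((action, ipaddress.ip_network(prefix, strict=False)))
    return rules


def decide(rules, sender):
    """Assumed semantics: the most specific matching entry decides; deny wins a tie."""
    address = ipaddress.ip_address(sender)
    matches = [
        (net.prefixlen, action == "deny", action)
        for action, net in rules
        if address in net
    ]
    if not matches:
        return "unfiltered"
    return max(matches)[2]


def audit(rules):
    """Report entries that do not restrict anything under the assumed semantics."""
    denies = [net for action, net in rules if action == "deny"]
    findings = []
    if not denies:
        findings.append("no deny entry: candidate-RP messages are not filtered at all")
    for action, net in rules:
        if action == "permit" and not any(net.subnet_of(d) for d in denies):
            findings.append(f"permit {net} lies outside every deny range and has no effect")
    return findings


def classify(config_text, senders):
    """Map each sender address to permit, deny or unfiltered."""
    rules = parse_rules(config_text)
    return {sender: decide(rules, sender) for sender in senders}


if __name__ == "__main__":
    for sender, verdict in classify(RUNNING_CONFIG, SENDERS).items():
        print(f"{sender:15} {verdict}")
    for finding in audit(parse_rules(RUNNING_CONFIG)):
        print("finding:", finding)
```

The `unfiltered` verdict for 10.9.9.9 shows that, under these assumptions, the deny entry protects only the network it names; candidate-RP messages from other networks need their own deny entry.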

8.10.6 Configuring Assert Message Information

When there are several PIM-SM routers on the same LAN, they may exchange packets that are not needed. To prevent this problem, you need to assign one PIM-SM router to transmit the multicast packet. The assigned router is named Assert.


In the example below, routers B and C can both transmit the multicast packet when they receive a Join message from a receiver. D and E, which send Join messages, cannot decide which router to receive from, and C may transmit the same packet to B, which belongs to the multicast group. If Assert is decided, the multicast group is well organized because D and E transmit Join messages only to Assert.

【 Figure 8-42 】 Network which needs Assert (diagram labels: Multicast packet from Source; RP; routers A, B and C; unnecessary same packet sent; Join Message from D and from E)

When Assert is decided, Metric and Preference in Assert message are compared. Lower Metric has

priority and higher Preference has priority.

□ Configuring Metric

□ Configuring Preference


(1) Configuring Metric

In order to configure Metric of Assert message, use the following command.

Command Mode Function

metric <1-2,147,483,647> PIM Configures Metric of Assert message.

Information

Lower Metric has priority.

In order to delete configured Metric of Assert message, use the following command.

Command Mode Function

no metric PIM Deletes configured Metric of Assert message.

(2) Configuring Preference

In order to configure Preference of Assert message, use the following command.

Command Mode Function

preference <1-2,147,483,647> PIM Configures Preference of Assert message.

Information

Higher Preference has priority.

In order to delete configured Preference of Assert message, use the following command.

Command Mode Function

no preference PIM Deletes configured Preference of Assert message.


[Sample Configuration 5]

SWITCH(config_pim)# metric 1
SWITCH(config_pim)# preference 1
SWITCH(config_pim)# show running-config
Building configuration...
(Omitted)
router pim
preference 1
metric 1
(Omitted)
SWITCH(config_pim)#

8.10.7 Whole-packet-checksum

Multicast communication is possible even when the multicast source is not connected to the multicast group. In the picture below, the First-Hop router directly connected to the source can receive a packet from the source without an (S,G) entry for the source. The First-Hop router encapsulates the packet in a Register message and unicasts it to the RP of the multicast group. The RP decapsulates the Register message and transmits the packet to the members of the multicast group.

【 Figure 8-43 】 Network that multicast source are not directly connected to multicast group (diagram labels: Source; Multicast Packet; First-Hop Router, which encapsulates the packet in Register message and unicasts; RP, which decapsulates capsule of Register message and transmits it)


When the Register message is transmitted, the Checksum range in the header covers only the header part according to the RFC standard, but Cisco routers include the whole packet in the Checksum range. For compatibility with Cisco routers, you should configure the Checksum range of the Register message as the whole packet.

In order to configure the Checksum range of the Register message as the whole packet for compatibility with Cisco routers, use the following command.

Command Mode Function

whole-packet-checksum PIM Configures range of Checksum of Register message as whole packet for compatibility with Cisco router.

In order to follow the RFC standard by deleting compatibility with Cisco router, use the following command.

Command Mode Function

no whole-packet-checksum PIM Deletes compatibility with Cisco router and follows RFC standard.

Information

The default has no compatibility with Cisco router.
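
How the two Checksum ranges differ on the wire, and why a sender and receiver that disagree on the range reject each other's Register messages. This is an added example, not part of the manual; it assumes the header range is the first 8 bytes of the Register message (PIM header plus the Register flags word), as RFC 4601 states it, and the encapsulated packet is a constructed stand-in.

```python
import struct

PIM_VERSION = 2
PIM_TYPE_REGISTER = 1
HEADER_LEN = 8  # assumption: 4-byte PIM header plus 4-byte Register flags word

# Constructed stand-in for the encapsulated multicast data packet: an
# IPv4/UDP-shaped header from 192.0.2.1 to group 239.1.1.1 and 12 zero bytes.
INNER_PACKET = bytes.fromhex("45000020 00000000 40110000 c0000201 ef010101") + bytes(12)


def internet_checksum(data):
    """16-bit one's complement of the one's complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_register(inner, whole_packet):
    """Build a Register message; whole_packet selects the Checksum range."""
    first_byte = (PIM_VERSION << 4) | PIM_TYPE_REGISTER
    # Version/type, reserved, checksum (zero while computing), flags word.
    header = struct.pack("!BBHI", first_byte, 0, 0, 0)
    covered = header + inner if whole_packet else header
    checksum = internet_checksum(covered)
    return header[:2] + struct.pack("!H", checksum) + header[4:] + inner


def verify_register(packet, whole_packet):
    """Verify as a receiver would: the sum over the covered range must be zero."""
    if len(packet) < HEADER_LEN:
        return False
    if packet[0] != (PIM_VERSION << 4) | PIM_TYPE_REGISTER:
        return False
    covered = packet if whole_packet else packet[:HEADER_LEN]
    return internet_checksum(covered) == 0


def checksum_field(packet):
    """Return the Checksum field of a Register message as an integer."""
    return struct.unpack("!H", packet[2:4])[0]


def interop_matrix(inner=INNER_PACKET):
    """Result of every sender/receiver combination of the two Checksum ranges."""
    modes = {"header-only": False, "whole-packet": True}
    return {
        (sender, receiver): verify_register(build_register(inner, s_mode), r_mode)
        for sender, s_mode in modes.items()
        for receiver, r_mode in modes.items()
    }


if __name__ == "__main__":
    for (sender, receiver), accepted in interop_matrix().items():
        print(f"sender {sender:12} receiver {receiver:12} accepted={accepted}")
```

With the header-only range the Checksum field is the same for every Register message, so it says nothing about the integrity of the encapsulated packet; only the whole-packet range changes with the payload.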

8.10.8 Configuring Interval of Cache-check

The RP receives packets from the multicast source and transmits them to the receiver. However, if no packet is received from the source for a certain period, it is not necessary to keep the multicast item. Therefore, the RP checks at regular intervals whether packets are received from the source; this function is named Cache-check. In order to configure the interval of Cache-check, use the following command.

Command Mode Function

cache-check interval <1-128> PIM Configures interval of Cache-check.


In order to delete configured interval of Cache-check, use the following command.

Command Mode Function

no cache-check interval PIM Deletes configured interval of Cache-check.

Information

The default is “20 seconds”.

8.10.9 Configuring Multicast Routing Table

There is an RPF (Reverse Path Forwarding) on the route that transmits a multicast packet. RPF is the preceding router that transmits the multicast packet. In the picture below, ROUTER B is RPT of ROUTER E and ROUTER C is RPF of ROUTER E.

【 Figure 8-44 】 RPF (diagram labels: Source; B(RP); A; C; SPT; RPT)


However, user can configure ROUTER D as RPF by configuring multicast routing table manually. It is

possible for users to configure router as RPF by configuring multicast routing table manually.

In order to configure multicast routing table manually to configure RPF, use the following command.

Command Mode Function

mroute multicast group-address/M ip-address PIM Configures RPF about packet of specified multicast group.

In order to delete configured multicast routing table, use the following command.

Command Mode Function

no mroute multicast group-address/M [ip-address] PIM Deletes configured multicast routing table.

no mroute all PIM Deletes all configured multicast routing table.

8.10.10 Configuring PIM-SM on Ethernet Interface

It is possible to configure PIM-SM on Ethernet interface. To do so, you need to be able to perform the following tasks.

□ Activating PIM-SM on Ethernet Interface

□ Blocking Multicast Packet

□ Prohibiting Bootstrap Message


□ Configuring Assert Message Information

□ Clearing PIM statistics

□ Showing IP PIM statistics

(1) Activating PIM-SM on Ethernet Interface

You need to enter into Interface configuration mode of specified interface for activating PIM-SM on

Ethernet Interface. In order to enter into Interface configuration mode, use the following command.

Command Mode Function

interface interface-name Global Enters into Interface configuration mode of specified interface.


In order to release Interface configuration mode, use the following command.

Command Mode Function

no interface interface-name Global Releases Interface configuration mode of specified interface.

In order to activate PIM-SM after entering into the Interface configuration mode, use the following

command.

Command Mode Function

ip pim sparse-mode [passive] Interface Activates PIM-SM on specified interface.

In order to release PIM-SM, use the following command.

Command Mode Function

no ip pim sparse-mode Interface Releases PIM-SM from specified interface.

(2) Blocking Multicast packet

It may happen that some of receivers in multicast group cannot receive packet because of not satisfying

terms to receive multicast packet. It is possible to configure not to receive multicast packets that cannot

be sent to receiver.

In order to block transmitting packet to specified multicast group, use the following command.

Command Mode Function

ip pim access-list group-address-prefix Interface Blocks transmitting packet to specified multicast group.

In order to release blocked multicast group, use the following command.

Command Mode Function

no ip pim access-list group-address/M Interface Releases blocked multicast group.


(3) Prohibiting Bootstrap Message

When all equipment configured with PIM is considered as one big PIM domain, unnecessary Bootstrap messages may be transmitted between group members that are operated as different services, which causes confusion in deciding the RP.

To prevent this problem, you can prohibit transmitting Bootstrap messages between multicast groups that are operated as different services.

【 Figure 8-45 】 Network in case of Prohibiting transmitting Bootstrap Message (diagram labels: Source A; Source B; Multicast Packet; Multicast Domain A; Bootstrap Message blocked)

In order to prohibit transmitting Bootstrap message between multicast groups, which are operated as

different service, use the following command.

Command Mode Function

ip pim border Interface Blocks Bootstrap message transmitted.

In order to release blocked Bootstrap message, use the following command.

Command Mode Function

no ip pim border Interface Releases blocked Bootstrap message.


(4) Configuring Assert Message Information

As explained in “8.10.6 Configuring Assert Message Information”, in a network environment that needs Assert, Assert messages are compared to decide Assert. It is possible to configure Assert message information that applies only to an Ethernet interface on which PIM-SM is configured.

Information

Unless you configure Assert message information on the Ethernet interface, the value configured in “8.10.6 Configuring Assert Message Information” is used on all interfaces.

In order to configure Assert message information on Ethernet interface, use the following commands.

Command Mode Function

ip pim metric <1-127> Interface Configures metric of Assert message of specific interface.

ip pim preference <1-255> Interface Configures preference of Assert message of specific interface.

ip pim threshold <1-255> Interface Configures threshold of Assert message of specific interface.

Information

Lower Metric has priority and higher Preference has priority.

In order to delete configured Assert message information on Ethernet interface, use the following

commands.

Command Mode Function

no ip pim metric Interface Deletes configured metric of Assert message of specific interface.

no ip pim preference Interface Deletes configured preference of Assert message of specific interface.

no ip pim threshold Interface Deletes configured threshold of Assert message of specific interface.


[Sample Configuration 6]

The following is an example of configuring PIM-SM and showing it.

SWITCH(config)# interface 1
SWITCH(config-if)# ip pim sparse-mode
SWITCH(config-if)# ip pim border
SWITCH(config-if)# ip pim metric 5
SWITCH(config-if)# ip pim preference 10
SWITCH(config-if)# ip pim threshold 100
SWITCH(config-if)# show running-config
Building configuration...
(omitted)
interface 1
no shutdown
ip address 172.16.209.1/16
ip pim sparse-mode
ip pim threshold 100
ip pim preference 10
ip pim metric 5
ip pim border

!
router pim
preference 1
metric 1
!
ip route 0.0.0.0/0 172.16.1.254
(omitted)
!

no snmp
!
SWITCH(config-if)#

(5) Deleting IP PIM Statistic

In order to delete IP PIM packet statistic, use the following command.

Command Mode Function

clear pim statistics PIM Clears PIM packet statistic.


(6) Showing IP PIM Statistic

In order to show IP PIM packet statistic, use the following command.

Command Mode Function

show ip pim statistics PIM Shows IP PIM packet statistic.

8.10.11 Viewing PIM-SM Information

It is possible to view the following PIM-SM information of the user’s switch.

□ Multicast Routing Table

□ Checking PIM Neighbor Router

□ RP Table

□ PIM-SM on Ethernet Interface

□ Static IP Multicast Routing Table

(1) Multicast Routing Table

In order to view multicast routing table, use the following commands.

Command Mode Function

show ip pim mrt detail Enable/Global Shows multicast routing table in detail.

show ip pim mrt group group-address Enable/Global Shows routing table of specific multicast group.

show ip pim mrt summary Enable/Global Shows summary of multicast routing table.

(2) Checking PIM Neighbor Router

In order to check PIM neighbor router, use the following command.

Command Mode Function

show ip pim neighbor Enable/Global Checks PIM neighbor router.


(3) RP Table

In order to view RP table recorded in switch, use the following command.

Command Mode Function

show ip pim rp group ip-address Enable/Global Shows RP table recorded in switch.

(4) PIM-SM on Ethernet Interface

In order to view PIM-SM configured on Ethernet interface, use the following command.

Command Mode Function

show ip pim interface Enable/Global Shows PIM-SM information configured on Ethernet interface.

(5) Static IP Multicast Routing Table

In order to view static IP multicast routing table, use the following command.

Command Mode Function

show ip pim mroute Enable/Global Shows static IP multicast routing table

8.11 VRRP (Virtual Router Redundancy Protocol)

VRRP (Virtual Router Redundancy Protocol) configures a Virtual Router (VRRP Group) consisting of VRRP routers to prevent network failure caused by one dedicated router. You can configure a maximum of 255 VRRP routers in a VRRP group of SURPASS hiD 6610. First of all, decide which router plays the role of Master Virtual Router. The other routers will be Backup Virtual Routers. After you give priorities to these backup routers, a backup router serves as Master Virtual Router when there is a problem in the Master Virtual Router. When you configure VRRP, configure all routers in VRRP with the same Group Id and assign the same Associated IP to them. After that, decide the Master Virtual Router and the Backup Virtual Routers. The router with the highest priority becomes Master, and the Backup Virtual Routers are also ordered by priority.


【 Figure 8-46 】 VRRP Operation (diagram: Internet; Virtual Router with Associate IP 10.0.0.5/24; Backup Router 1 with IP 10.0.0.1/24; Backup Router 2 with IP 10.0.0.2/24; Master Router with IP 10.0.0.3/24; Default Gateway 10.0.0.5/24)

If routers have the same priority, the router with the lower IP address takes precedence. Figure 8-46 shows an example in which three routers with the IP addresses 10.0.0.1/24, 10.0.0.2/24 and 10.0.0.3/24 are configured as one Virtual Router with the Associated IP 10.0.0.5/24. If these three routers have the same Priority, the router with the smallest IP address, 10.0.0.1/24, is decided to be Master Router. Also, switches and PCs connected to the Virtual Router use the IP address of the Virtual Router, 10.0.0.5/24, as their default gateway.

8.11.1 Configuring VRRP

In order to configure SURPASS hiD 6610 as a device in a Virtual Router, use the following command in configuration mode. You can then configure VRRP by entering VRRP configuration mode.

Command Mode Function

router vrrp interface-name group-id Global Configures Virtual Router(VRRP Group).


Information

group-id can be configured between 1 and 255.

The following is an example of entering VRRP configuration mode by using the above command. When you enter VRRP configuration mode, the system prompt changes from SWITCH(config)# to SWITCH(config-vrrp)#.

SWITCH(config)# router vrrp 1 1


SWITCH(config-vrrp)#

In order to view the configuration of VRRP, use the following command.

Command Mode Function

show vrrp Enable/Global Shows current configuration of VRRP.

show vrrp interface interface-name Enable/Global Shows current configuration of specified interface VRRP.

show running-config Enable/Global/Bridge/Interface/VRRP Shows switch’s configuration.

In order to return to configuration mode, or to enter Privilege Exec Enable Mode, use the following commands.

Command Mode Function

exit Interface Returns to Global Configuration Mode.

end Interface Goes back right to Privilege Exec Enable Mode.

(1) Assigning Associated IP Address

After configuring Virtual Router, you need to assign Associated IP address in Virtual Router. Assign

unified IP address to routers in one Group.

In order to assign Associate IP address to routers in Virtual Router or delete configured Associate IP

address, use the following command.


Command Mode Function

associate ip-address VRRP Assigns Associated IP address to Virtual Router.

no associate ip-address VRRP Deletes the Associated IP address assigned to Virtual Router.

The following is an example of assigning IP address, 10.0.0.5 to Virtual Router of SURPASS hiD 6610.

SWITCH(config-vrrp)# associate 10.0.0.5


SWITCH(config-vrrp)#

(2) Configuring Master Router and Backup Router

Siemens, Inc. products decide Master Router and Backup Router by comparing the Priority and IP address of the devices in the Virtual Router. Priority is compared first: the device with the higher Priority has higher precedence. When devices have the same Priority, IP addresses are compared: the device with the lower IP address has higher precedence. If the Master Router has trouble and there are more than two routers, one of them is selected according to their precedence.

In order to configure Priority of Virtual Router or delete the configuration, use the following commands.

Command Mode Function

vr-priority priority VRRP Configures Priority of Virtual Router.

no vr-priority VRRP Deletes configured Priority of Virtual Router.

In order to set VRRP timers or delete the configuration, use the following commands.

Command Mode Function

vr-timer advertisement <1-10> VRRP Sets VRRP timers.

no vr-timer advertisement <1-10> VRRP Clears the configured VRRP time.

Note

By default, Priority of SURPASS hiD 6610 is configured as “100”.


Note

Priority of Virtual Backup Router can be configured from 1 to 254.

The following is an example of configuring Master Router and Backup Router by comparing their

Priorities: Virtual Routers, Layer 3 SWITCH 1 – 101 and Layer 3 SWITCH 2 – 102. Then, regardless of

IP addresses, one that has higher Priority, Layer 3 SWITCH 2 becomes Master Router.

<Layer 3 SWITCH1 : IP Address - 10.0.0.1/24>

SWITCH1(config)# router vrrp br1 1
SWITCH1(config-vrrp)# associate 10.0.0.5
SWITCH1(config-vrrp)# vr_priority 101
SWITCH1(config-vrrp)# exit
SWITCH1(config)# show vrrp

br1 - virtual router 1


----------------------------------------------
state backup
virtual mac address 00:00:5E:00:01:01
advertisement interval 1 sec
preemption enabled
priority 101
master down interval 3.624 sec
[1] associate address : 10.0.0.5

<Layer 3 SWITCH 2 : IP Address - 10.0.0.2/24>


Layer 3 SWITCH 2 with higher Priority is configured as Master.

SWITCH2(config)# router vrrp br1 1
SWITCH2(config-vrrp)# associate 10.0.0.5
SWITCH2(config-vrrp)# vr_priority 102
SWITCH2(config-vrrp)# exit
SWITCH2(config)# show vrrp

br1 - virtual router 1


----------------------------------------------
state master
virtual mac address 00:00:5E:00:01:01
advertisement interval 1 sec
preemption enabled
priority 102
master down interval 3.620 sec
[1] associate address : 10.0.0.5


By default, the Priority of SURPASS hiD 6610 is configured as “100”. So, unless you configure a specific Priority, this switch becomes Master Router because a device with a lower IP address has higher precedence.

Also, when there are more than two Backup Routers, IP addresses are compared to decide their order. The following is an example of configuring Master Router and Backup Router by comparing IP addresses: Virtual Routers, Layer 3 SWITCH 1 – 10.0.0.1 and Layer 3 SWITCH 2 – 10.0.0.2.

<Layer 3 SWITCH1 : IP address - 10.0.0.1/24>

SWITCH1(config)# router vrrp br1 1
SWITCH1(config-vrrp)# associate 10.0.0.5
SWITCH1(config-vrrp)# exit
SWITCH1(config)# show vrrp

br1 - virtual router 1


----------------------------------------------
state master
virtual mac address 00:00:5E:00:01:01
advertisement interval 1 sec
preemption enabled
priority 100
master down interval 3.624 sec
[1] associate address : 10.0.0.5

<Layer 3 SWITCH 2 : IP Address - 10.0.0.2/24>


In case of same Priorities, Layer 3 SWITCH 1 with lower IP address is configured as Master.

SWITCH2(config)# router vrrp br1 1
SWITCH2(config-vrrp)# associate 10.0.0.5
SWITCH2(config-vrrp)# exit
SWITCH2(config)# show vrrp

br1 - virtual router 1


----------------------------------------------
state backup
virtual mac address 00:00:5E:00:01:01
advertisement interval 1 sec
preemption enabled
priority 100
master down interval 3.620 sec
[1] associate address : 10.0.0.5


8.11.2 Configuring VRRP Track function

When the link connected to the Master Router of VRRP goes down, as in the figure below, and the link-down state of the Master Router is not recognized, the users on the interface cannot communicate, because the interface cannot reach the Master Router.

In SURPASS hiD 6610, you can configure the Master Router to be changed by giving a lower Priority to the Master Router when the link of the Master Router is disconnected. This function is VRRP Track.

【 Figure 8-47 】 VRRP Track (diagram: a Virtual Router with Associate IP 10.0.0.5/24 sits between the Internet and the hosts, which use Default Gateway 10.0.0.5/24. It consists of Master Router, IP 10.0.0.3/24; Backup Router 1, IP 10.0.0.2/24; and Backup Router 2, IP 10.0.0.1/24. ① Link down. ② If the interface does not recognize the link down, the Master Router is inaccessible, so the users on the interface are not able to communicate. ③ Countermeasure: if link down happens, a low priority is given automatically to the Master Router, so the Master Router is changed at the same time as the link down.)


In order to configure VRRP Track in SURPASS hiD 6610, use the following command.

Command Mode Function

track interface interface-name priority <1-254> VRRP Configures VRRP Track. The Priority becomes lower as the configured value.

Information

If the user configures priority value as less than 1, the priority will be 1.

Information

If you configure the VIP as the router's own IP address, so that the priority becomes 255, the Track function does not lower the priority.

In order to release VRRP Track configuration, use the following command.

Command Mode Function

no track interface interface-name VRRP Releases VRRP Track configuration.
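The election rule and the Track function described in this section, modelled together as an added example (not code from this manual or from the device). It assumes that "becomes lower as the configured value" means the configured value is subtracted from the Priority, and the names VrrpRouter, rank and elect_master are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

DEFAULT_PRIORITY = 100  # manual: default Priority is 100
OWNER_PRIORITY = 255    # manual: Priority when the VIP is the router's own IP


@dataclass
class VrrpRouter:
    name: str
    ip: str
    priority: int = DEFAULT_PRIORITY
    track_decrement: int = 0      # value of "track interface ... priority <1-254>"
    tracked_link_up: bool = True  # state of the tracked interface
    alive: bool = True

    def effective_priority(self) -> int:
        """Priority after Track: floor of 1, and 255 is never lowered."""
        if self.priority == OWNER_PRIORITY or self.tracked_link_up:
            return self.priority
        # Assumption: Track subtracts the configured value from the Priority.
        return max(1, self.priority - self.track_decrement)


def precedence_key(router):
    # Higher Priority first; on a tie the LOWER IP address wins (as this manual states).
    return (-router.effective_priority(), int(ipaddress.IPv4Address(router.ip)))


def rank(routers):
    """Live routers ordered from Master candidate down to the last Backup."""
    return sorted((r for r in routers if r.alive), key=precedence_key)


def elect_master(routers, current_master=None, preempt=True):
    """Return the router that holds the Master role after an election round."""
    order = rank(routers)
    if not order:
        return None
    # With Preempt disabled, a live Master is not replaced by a newly added
    # device that has a higher Priority.
    if not preempt and current_master is not None and current_master.alive:
        return current_master
    return order[0]


if __name__ == "__main__":
    # Constructed topology matching Figure 8-47.
    master = VrrpRouter("Master", "10.0.0.3", priority=120, track_decrement=30)
    backup1 = VrrpRouter("Backup1", "10.0.0.2")
    backup2 = VrrpRouter("Backup2", "10.0.0.1")
    group = [master, backup1, backup2]
    print("before link down:", elect_master(group).name)
    master.tracked_link_up = False
    print("after link down: ", elect_master(group, current_master=master).name)
```

A Track value that leaves the Master's Priority above every Backup's Priority does not move the Master role, so check the result against the Priorities actually configured in the group.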

8.11.2 Configuring Authentication Password

After a Virtual Router is configured, anyone who knows its Group ID and Associated IP address can configure another device as part of that Virtual Router. To prevent this, configure a password, called the authentication password, that can be used only in the Virtual Router you configured. In order to configure an authentication password for the security of the Virtual Router, use the following command in VRRP configuration mode.

Command Mode Function

authentication clear_text password VRRP Configures an authentication password.

no authentication VRRP Deletes a configured authentication password.

Note

Authentication password can be configured with maximum 7 digits.


The following is an example of configuring the Authentication password of a Virtual Router as “network” and confirming it.

SWITCH(config-vrrp)# authentication clear_text network


SWITCH(config-vrrp)# show running-config
Building configuration...
(Omitted)
vrrp br1 1
authentication clear_text network
associate 10.0.0.5
no snmp
SWITCH(config-vrrp)#
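As the output above shows, a clear_text password is stored readably in the running configuration, so saved configurations are worth auditing. The following added example (not part of this manual) scans saved `show running-config` text for VRRP groups without authentication, with a clear-text password, or sharing a password with another group. The sample configuration is constructed, and the parser assumes the block layout shown in the example above.

```python
import re

# Sub-commands that this manual shows inside a "vrrp <interface> <group-id>" block.
VRRP_SUBCOMMANDS = {"authentication", "associate", "vr_priority", "vr-priority",
                    "vr_timers", "vr-timer", "preempt", "track", "snmp"}

# Constructed sample in the layout of the show running-config output above.
SAMPLE_CONFIG = """\
Building configuration...
vrrp br1 1
authentication clear_text network
associate 10.0.0.5
no snmp
!
vrrp br2 7
associate 10.0.1.5
vr_priority 101
!
vrrp br3 9
authentication clear_text network
associate 10.0.2.5
!
"""


def parse_vrrp_groups(config_text):
    """Return one dict per VRRP block found in the configuration text."""
    groups, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"vrrp\s+(\S+)\s+(\d+)", line)
        if header:
            current = {"interface": header.group(1), "group_id": int(header.group(2)),
                       "auth_type": None, "password": None, "associate": []}
            groups.append(current)
            continue
        words = line.split()
        if not words:
            continue  # blank lines do not end a block
        key = words[1] if words[0] == "no" and len(words) > 1 else words[0]
        if current is None or key not in VRRP_SUBCOMMANDS:
            current = None  # "!" or any other command closes the block
            continue
        if words[0] == "no":
            continue
        if key == "authentication" and len(words) >= 3:
            current["auth_type"], current["password"] = words[1], words[2]
        elif key == "associate" and len(words) >= 2:
            current["associate"].append(words[1])
    return groups


def audit_vrrp_auth(config_text):
    """Return (group, finding) tuples; passwords never appear in the result."""
    findings, first_use = [], {}
    for group in parse_vrrp_groups(config_text):
        where = "%s group %d" % (group["interface"], group["group_id"])
        if group["auth_type"] is None:
            findings.append((where, "no-authentication"))
            continue
        if group["auth_type"] == "clear_text":
            findings.append((where, "clear-text-password-in-config"))
        if group["password"] in first_use:
            findings.append((where, "password-shared-with " + first_use[group["password"]]))
        else:
            first_use[group["password"]] = where
    return findings


if __name__ == "__main__":
    for where, finding in audit_vrrp_auth(SAMPLE_CONFIG):
        print("%-14s %s" % (where, finding))
```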

8.11.3 Configuring Preempt

Preempt is a function by which a device that is added after the Virtual Router is configured, and that has been given the highest Priority, automatically becomes Master Router without rebooting or any specific configuration. In order to configure Preempt, use the following command in VRRP configuration mode.

Command Mode Function

preempt {enable | disable} VRRP Enables or disables Preempt.

The following is an example of disabling Preempt.

SWITCH(config-vrrp)# preempt disable


SWITCH(config-vrrp)# exit
SWITCH(config)# show vrrp

br1 - virtual router 1


----------------------------------------------
state master
virtual mac address 00:00:5E:00:01:01
advertisement interval 1 sec
preemption disabled
priority 100
master down interval 3.624 sec
[1] associate address : 10.0.0.5

SWITCH(config)#


Also, in order to make Preempt “enable” as default setting, use the following command on VRRP

configuration mode.

Command Mode Function

no preempt VRRP Deletes the former configuration of Preempt to enable it.

Note

By default, Preempt is configured as “enable” in SURPASS hiD 6610.

8.11.4 Configuring Advertisement Time

Master Router in Virtual Router transmits its data to the other routers in VRRP group at regular interval.

The interval is named as Advertisement Time. User can configure Advertisement Time in SURPASS hiD

6610. In order to configure Advertisement Time, use the following command on VRRP configuration

mode.

Command Mode Function

vr_timers advertisement time VRRP Configures Advertisement Time.

The following is an example of configuring Advertisement Time as 10 seconds and confirming it.

SWITCH(config-vrrp)# vr_timers advertisement 10


SWITCH(config-vrrp)# exit
SWITCH(config)# show vrrp

br1 - virtual router 1


----------------------------------------------
state master
virtual mac address 00:00:5E:00:01:01
advertisement interval 10 sec
preemption disabled
priority 100
master down interval 30.624 sec
[1] associate address : 10.0.0.5

SWITCH(config)#


In order to delete configured Advertisement Time for default setting, use the following command.

Command Mode Function

no vr_timers advertisement VRRP Deletes configured Advertisement time to return default setting.

Note

By default, Advertisement Time is configured as 1 second in SURPASS hiD 6610.

Note

For SURPASS hiD 6610, Advertisement Time can be configured for 1 second to 10 seconds.

8.11.5 Viewing VRRP Statistics

In order to view statistics of packets that have been sent and received, use the following command.

Command Mode Function

show vrrp stat Enable/Global Shows statistics of packets in Virtual Router Group.

The following is an example of viewing statistics of packets in Virtual Router Group.

SWITCH(config)# show vrrp stat


VRRP statistics :
VRRP packets rcvd with invalid TTL 0
VRRP packets rcvd with invalid version 0
VRRP packets rcvd with invalid VRID 0
VRRP packets rcvd with invalid size 0
VRRP packets rcvd with invalid checksum 0
VRRP packets rcvd with invalid auth-type 0
VRRP packets rcvd with interval mismatch 0

SWITCH(config)#


8.11.6 Clearing VRRP Statistics

In order to clear statistics of packets that have been sent and received, use the following command.

Command Mode Function

clear vrrp stat Global/VRRP Clears statistics of packets in Virtual Router Group.

8.12 Bandwidth

Routing protocol uses bandwidth information to measure routing distance value. In order to configure

bandwidth of interface, use the following command.

Command Mode Function

bandwidth kilobits Interface Configures bandwidth of interface.

Note

The bandwidth can be from 1 to 10,000,000Kbits. This bandwidth is used for routing information and does not concern the physical bandwidth.

The following is an example of configuring bandwidth as 1000Kbits and confirming it.

SWITCH(config-if)# bandwidth 1000


SWITCH(config-if)# show running-config
(omitted)
interface br1
no shutdown
bandwidth 1000
(omitted)

In order to delete configured bandwidth, use the following command.

Command Mode Function

no bandwidth [kilobits] Interface Deletes configured bandwidth of interface.


8.13 DHCP

DHCP (Dynamic Host Configuration Protocol) lets a DHCP server assign IP addresses to DHCP clients automatically and manage those IP addresses. In an environment where not all PCs are connected to the network at the same time, they do not all need to have IP addresses. When some of them need an IP address, it can be assigned automatically. In this case, the DHCP server is the one that assigns IP addresses automatically, and the DHCP clients are the PCs. DHCP provides the following benefits.

◆ Saving COST

With limited IP resources, many users can connect to the Internet. So, it saves IP resources and cost.

◆ Effective Network Management

Anyone can configure the DHCP server, and DHCP clients that belong to the network managed by the DHCP server can access the network without professional knowledge such as configuring TCP/IP for the network environment.

【 Figure 8-48 】 DHCP Service Construction (diagram: the PCs in the subnet are DHCP clients; they send an IP Request (Broadcast) to the DHCP Server, which answers with a DHCP Pack (Unicast).)

SURPASS hiD 6610 can be the DHCP server or the DHCP Relay agent according to the user’s configuration. The DHCP Relay agent’s function is to connect the DHCP server to the DHCP client. You need to know the following functions.

Activating DHCP Server

IP Pool


Blocking the Fixed IP

DHCP Packet Filtering

Registering DNS Server that is common to all IP Pools

Configuring IP Available Time that is common to all IP Pools

Configuring DHCP Relay Agent

DHCP Option-82

Showing DHCP Configuration

8.13.1 Activating DHCP server

In order to provide the DHCP server function to DHCP clients, configure the switch in DHCP server mode.

In order to configure the user’s switch as DHCP server, use the following command in Configuration mode.

Command Mode Function

ip dhcp active server Global Configures the user’s switch as DHCP server.

Meanwhile, SURPASS hiD 6610 supports a special function that prohibits assigning plural IP addresses to one MAC address. Usually, SURPASS hiD 6610 assigns an IP address to equipment that already has an assigned IP address, because the equipment may need more than one IP address.

However, a personal computer gets plural IP addresses although it does not need them. This function prevents that case. In other words, SURPASS hiD 6610 can both assign plural IP addresses to equipment and prohibit assigning plural IP addresses to one MAC address. In order to prohibit assigning plural IP addresses to one MAC address, use the following command.

Command Mode Function

ip dhcp database-key {client-id | hardware-address} Global Prohibits assigning plural IP address to one equipment. Recognizes a client by its client ID or hardware address.

Information

When you do not need the function to prohibit assigning IP address to one MAC address, activate

DHCP server with the command, “ip dhcp server”.


In order to disable the DHCP server, use the following command.

Command Mode Function

no ip dhcp active server Global Disable the user’s switch as DHCP server.

8.13.2 IP Pool

(1) Making IP Pool

The set of IP addresses that the DHCP server assigns to clients is called an IP Pool. The manager can configure a name for each IP Pool. When you configure the name of an IP Pool, you enter DHCP IP Pool configuration mode, and the system prompt changes from SWITCH(config)# to SWITCH(config-dhcp[pool-name])#. Use the following command to enter IP Pool configuration mode by configuring the name of a DHCP IP Pool.

Command Mode Function

ip dhcp pool pool-name Global Enters into IP Pool configuration by configuring the name of DHCP IP Pool.

The following is an example of making IP Pool as the name TEST.

SWITCH(config)# ip dhcp pool TEST


SWITCH(config-dhcp[TEST])#

In IP Pool configuration mode, you can configure the subnet, the range of IP addresses and the default gateway of the subnet. To return from IP Pool configuration mode to configuration mode, input the command “exit”; to enter Privilege Exec Enable Mode immediately, input the “end” command. In order to delete a configured IP Pool, use the following command in Global Configuration Mode.

Command Mode Function

no ip dhcp pool pool-name Global Deletes IP Pool.

(2) Configuring DHCP Subnet

After making IP Pool, designate subnet in IP Pool.


In order to designate the subnet, use the following command in IP Pool configuration mode.

Command Mode Function

subnet ip-address/m IP Pool Designate subnet in IP Pool.

In SURPASS hiD 6610, it is possible to designate several subnets in an IP Pool.

In order to delete a subnet, use the following command.

Command Mode Function

no subnet ip-address/m IP Pool Deletes the subnet.

Information

Subnet mask should be configured as network ID.

(3) Configuring Subnet Default Gateway

You have to configure a default gateway through which all IP addresses are allowed, so that the DHCP server can communicate with unspecified IP addresses. In order to configure the default gateway of a subnet, use the following command.

Command Mode Function

default-gateway gateway-address IP Pool Configures default gateway of subnet.

In order to delete the configured default-gateway, use the following command.

Command Mode Function

no default-gateway gateway-address IP Pool Deletes default-gateway of subnet.

no default-gateway all IP Pool Deletes all the configured default-gateway.

(4) Configuring IP Address Range

After configuring DHCP subnet, you need to configure IP address range used in the subnet.


In order to configure IP address range, use the following command.

Command Mode Function

range start-address end-address IP Pool Configures IP address range.

It is possible to configure inconsecutive subnets in the same IP address range. For example, you can configure subnets from 192.168.1.10 to 192.168.1.20 and from 192.168.1.30 to 192.168.1.40 in the IP address range 192.168.1.0/24.

In order to delete the configured IP address range, use the following command.

Command Mode Function

no range start-address end-address IP Pool Deletes the configured IP address range.

(5) Configuring the Available Time to Use IP address

DHCP server administrator can configure the available time to use IP address assigned to DHCP client.

This time is named IP address lease time. The default is one-hour and the system asks if DHCP client

wants to extend it by the end of the time. In order to configure IP address lease time, use the following

command.

Command Mode Function

lease-time default <120-2147483637> IP Pool Configures default IP address lease time in seconds.

lease-time max <120-2147483637> IP Pool Configures maximum IP address lease time in seconds.

Information

The default is one hour(3600 seconds), and the maximum is two hours.

In order to release the configured time, use the following command.

Command Mode Function

no lease-time {default | max} IP Pool Deletes the configured using time.


Information

In SURPASS hiD 6610, the default time is 1 hour (3600 sec).

Information

The information is applicable only to appropriate IP Pool.

(6) Registering DNS Server

When a DHCP client connects, the DHCP server basically informs it of the IP address, default gateway, IP address lease time, and available DNS server. Therefore, you should register the DNS server that can be used in the DHCP server. You can register up to two servers.

In order to register DNS server, use the following command.

Command Mode Function

dns-server ip-address 1 [ip-address 2] [ip-address 3] IP Pool Registers DNS server.

Information

The information is applicable only to appropriate IP Pool.

In order to delete the configured DNS server, use the following command.

Command Mode Function

no dns server {ip-address | all} IP Pool Deletes the configured DNS server.

(7) Assigning IP address manually

In SURPASS hiD 6610, the administrator can configure IP addresses manually, that is, assign an IP address to the DHCP client that has a specific MAC address. In order to assign an IP address manually, use the following command.

Command Mode Function

fixed-address ip-address mac-address IP Pool Assign the IP address to DHCP client who has the designated MAC address.


In order to release the fixed-address, use the following command.

Command Mode Function

no fixed-address ip-address IP Pool Release the fixed-address.

(8) Checking Lease Data

In order to check lease data of IP address which is assigned to the IP Pool, use the following command.

Command Mode Function

show ip dhcp lease {all | bound | abandon | offer | fixed | free} pool-name Global Check the list of assigned IP address.

show ip dhcp lease detail [ip-address] Global Check the list of assigned IP address.

fixed shows fixed IP addresses. bound shows IP addresses assigned by the server through Discover-Offer-Request-Ack when a client requests an IP address from the server. offer shows IP addresses that the server presented to the client in the offer stage. free shows the addresses that clients can currently use. abandon shows IP addresses that have been requested by clients even though the server did not present them. You can check all of the IP addresses with all.

(9) Checking IP Pool Configuration

In order to check IP Pool configuration, use the following command.

Command Mode Function

show ip dhcp pool pool-name IP Pool Check IP Pool configuration.

[Sample Configuration 1]

The following is an example of configuring DHCP server: network range 192.168.1.0/24 as subnet and 192.168.1.10 ~ 192.168.1.20 and 192.168.1.30 ~ 192.168.1.40 as IP address range.


The default gateway of subnet is configured as 192.168.1.254 and DHCP server is activated.

SWITCH(config)# ip dhcp pool test5


SWITCH(config-dhcp[test5])# subnet 192.168.1.0/24
SWITCH(config-dhcp[test5])# range 192.168.1.50 192.168.1.70
SWITCH(config-dhcp[test5])# default-gateway 192.168.1.254
SWITCH(config-dhcp[test5])# exit
SWITCH(config)# show ip dhcp pool test5
show dhcp pool start3j.
POOL : test5

SUBNET 192.168.1.0/24 from 192.168.1.50 to 192.168.1.70


Total Leases 21
Allocated 0 (0.00% used)
- Fixed 0
- Offered 0
- Bound 0
- Abandoned 0
Available 21 (100.00% free)

Supported informations:
Lease time (default) 3600
Lease time (Maximum) 3600
Default gateway
192.168.1.254
SWITCH(config)#

(10) Checking Lease Data of each IP Pool

In order to check the assigned IP addresses of each IP Pool, use the following command.

Command Mode Function

show ip dhcp pool summary pool-name Global Check the IP addresses assigned from DHCP.

8.13.3 Blocking the Fixed IP

In SURPASS hiD 6610, it is possible to block a user from using IP Pool resources as fixed addresses, that is, from continuing to use assigned IP addresses without renewing them.


The following commands block a user who uses an IP address as fixed.

Command Mode Function

ip dhcp authorized-arp {default-lease-time | half-lease-time | max-lease-time} Global Use IP address for lease-time. Block the fixed IP.

no ip dhcp authorized-arp Global Release to block the fixed IP.

After enabling the “blocking the fixed IP” function, you can check the information of valid IP and invalid IP using the following commands.

Command Mode Function

show ip dhcp authorized-arp valid IP Pool Shows the assigned IP addresses through the proper process.

show ip dhcp authorized-arp illegal {ip | mac | time} IP Pool Shows MAC address using the fixed IP and the used IP address and the time of blocking IP address.

In order to delete the data of fixed IP, use the following command.

Command Mode Function

clear ip dhcp authorized-arp illegal Global Deletes the data of fixed IP.

8.13.4 DHCP Packet Filtering

In SURPASS hiD 6610, it is possible to block a specific client by MAC address. If a MAC address blocked by an administrator requests an IP address, the server does not assign one. This function strengthens the security of the DHCP server.

The following command blocks IP address assignment on a port.

Command Mode Function

ip dhcp filter-port port-number Global Configure the port in order not to assign IP.


In order to release DHCP packet filtering, use the following command.

Command Mode Function

no ip dhcp filter-port port-number Global Release DHCP packet filtering.

The following command designates a MAC address to which no IP address is assigned.

Command Mode Function

ip dhcp filter-address mac-address Global Block MAC-address in case of requesting IP address.

In order to release DHCP mac-filtering, use the following command.

Command Mode Function

no ip dhcp filter-address mac-address Global Release DHCP mac-filtering.

8.13.5 Registering DNS Server that is common to all IP Pools

When a DHCP client connects, the DHCP server basically informs it of the IP address, default gateway, IP address lease time, and available DNS server. Therefore, you should register the DNS server that can be used in the DHCP server. You can register up to two servers. This server is applied to all IP Pools if you don’t configure a DNS server for the IP Pools separately.

In order to register a DNS server that is common to all IP Pools, use the following command in IP Pool mode.

Command Mode Function

ip dhcp default-config dns-server ip-address 1 [ip-address 2] [ip-address 3] IP Pool Register DNS server that is common to all of IP Pools.

In order to delete the registered DNS server, use the following command.

Command Mode Function

no ip dhcp default-config dns-server ip-address Global Delete DNS server.

no ip dhcp default-config dns-server Global Delete all registered DNS server.


8.13.6 Configuring IP Available Time that is common to all IP Pools

DHCP server administrator can configure an IP available time that is common to all IP Pools. This time is applied to all IP Pools if you don’t configure DNS server for IP Pools separately. The default time is an hour, and the server sends a Request Packet to ask whether the DHCP client prolongs the time of using the IP.

To configure the available time of using IP, use the following command in Global Configuration Mode.

Command Mode Function

ip dhcp default-config lease-time default <120-2147483637> Global Configure default time of using IP. The time unit is second.

ip dhcp default-config lease-time max <120-2147483637> Global Configure maximum time of using IP. The time unit is second.

Information

In SURPASS hiD 6610, the default time for using IP address is 1 hour (3600 sec).

In order to release the configured time, use the following command.

Command Mode Function

no ip dhcp default-config lease-time default Global Release default attributes of pool.

no ip dhcp default-config lease-time max Global maximum time of using IP.

8.13.7 Configuring DHCP Relay Agent

In hiD 6610, you can configure the system to forward IP address requests from DHCP clients. This is called the DHCP Relay agent. The DHCP Relay agent is useful for managing a wide DHCP subnet.


【 Figure 8-49 】 An example of the Relay agent (diagram: one DHCP Server is connected to Relay agent 1 and Relay agent 2; the PCs (DHCP clients) of Subnet 1 and Subnet 2 sit behind the two Relay agents.)

The following is how to configure SURPASS hiD 6610 as DHCP Relay agent.

Registering DHCP server

(1) Registering DHCP server

After configuring SURPASS hiD 6610 as Relay agent, register DHCP server. In order to register DHCP

server, use the following command in Global Configuration Mode.

Command Mode Function

ip dhcp active relay server-address [server-address 2] [server-address 3] Global Register DHCP server and configure the user’s switch as Relay agent.

The following commands delete the registered DHCP server and release the Relay agent configuration of the user’s switch.

Command Mode Function

no ip dhcp active relay server-address Global Release the registered DHCP server and Relay agent.

no ip dhcp active relay all Global Release all of the registered DHCP server and Relay agent.


Up to 3 DHCP servers can be registered. A DHCP client can select an IP address among the IP addresses assigned from each server.

[ Sample Configuration 1 ]

The following is an example of configuring DHCP Relay and register DHCP server.

SWITCH(config)# ip dhcp mode relay 172.16.100.10


SWITCH(config)# show running-config
(Omitted)
ip dhcp mode relay 172.16.100.10
ip dhcp default-config dns-server 200.1.1.1
ip dhcp pool test

!
SWITCH(config)#

8.13.8 DHCP Option-82

As the subscriber network grows, the DHCP server has to assign IP addresses to many subscribers. You can manage subscribers efficiently using DHCP Option-82. With DHCP Option-82, the DHCP Relay sends DHCP Request packets with Option-82 information attached, and the subscriber is authenticated through this information. Through Option-82, DHCP not only assigns IP addresses but also restricts access to the server. Moreover, it provides differentiated service and enhances security.

hiD 6610 transmits the port number and Remote ID with Option-82 to the DHCP server. The priority of the port number is higher than that of the Remote ID. When it receives a Request packet without Option-82 information, it attaches its own information. If the Remote ID recorded in Option-82 is the same as the MAC address of its own system, it transmits the packets through the designated port number after removing Option-82.


The following shows the packet flow.

【 Figure 8-50 】 Packet Flow in case of Using DHCP Option-82
(Figure elements: DHCP Server; DHCP Relay Agent (Option-82); ① DHCP Request; ② DHCP Request+Option-82; ④ DHCP Respond+Option-82; ⑤ DHCP Respond.)

(1) Enabling DHCP Option-82

In order to enable DHCP Option-82 in hiD 6610, use the following command.

Command Mode Function

ip dhcp option82 Global Enables DHCP Option-82 function.

In order to disable DHCP Option-82, use the following command.

Command Mode Function

no ip dhcp option82 Global Disables DHCP Option-82 function.

To return to Configuration mode, or to go to Privilege Exec Enable Mode, use the following commands.

Command Mode Function

exit Option-82 Returns to Configuration mode.

end Option-82 Goes back right to Privilege Exec Enable Mode.


(2) Configuring Option-82 Packet Policy

The user can configure how packets are processed when DHCP Option-82 packets arrive at the DHCP server or DHCP relay agent.

In order to configure the policy for Option-82 packet, use the following command in Option-82

configuration mode.

Command Mode Function

policy {drop | keep | replace} Option-82 Configures the policy for Option-82 packet.

“drop” means to discard the Option-82 packet. “keep” means that the Relay agent transmits the packet preserving the Option-82 information already in the packet. “replace” means that the Relay agent transmits the packet after changing the Option-82 information into its own.

【 Figure 8-51 】 Packet flow in case of DHCP Option-82
(Figure elements: DHCP Server; DHCP Relay Agent (Option-82); ① DHCP Request; ② DHCP Request+Option-82; ④ DHCP Respond+Option-82; ⑤ DHCP Respond.)

It is possible to configure the rule for Option-82 packets when hiD 6610 is DHCP server or DHCP Relay

agent.


Information

By default, the rule for Option-82 packets is configured as “keep”.
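The following Python example is added here and is not code from the manual or the switch firmware. It shows what a relay forwards to the DHCP server under each policy value described above, including that a request arriving with Option-82 already present keeps the sender's Circuit-ID and Remote-ID under “keep”. Sub-option codes 1 (Circuit-ID) and 2 (Remote-ID) follow RFC 3046; the MAC address, the port number and its 2-byte encoding are constructed assumptions.

```python
from typing import Dict, List, Optional, Tuple

OPT_PAD, OPT_END, OPT_RELAY_INFO = 0, 255, 82   # DHCP option codes (RFC 2132, RFC 3046)
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2            # Option-82 sub-option codes (RFC 3046)

# Constructed sample values (assumptions, not taken from the manual).
RELAY_REMOTE_ID = bytes.fromhex("001122334455")   # relay's own MAC address
RELAY_CIRCUIT_ID = (5).to_bytes(2, "big")         # port 5; 2-byte encoding is assumed
PLAIN_REQUEST = bytes([53, 1, 1, OPT_END])        # options field: message type only
TAGGED_REQUEST = bytes([53, 1, 1,                 # same request, Option-82 already present
                        OPT_RELAY_INFO, 12,
                        SUB_CIRCUIT_ID, 2, 0, 9,
                        SUB_REMOTE_ID, 6, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
                        OPT_END])

TLV = Tuple[int, bytes]


def parse_tlvs(raw: bytes, dhcp_level: bool) -> List[TLV]:
    """Split code/length/value bytes into (code, value) pairs.

    With dhcp_level=True, PAD (0) is skipped and END (255) stops parsing, as in
    the options field of a DHCP message. Truncated input raises ValueError.
    """
    out, i = [], 0
    while i < len(raw):
        code = raw[i]
        if dhcp_level and code == OPT_PAD:
            i += 1
            continue
        if dhcp_level and code == OPT_END:
            break
        if i + 2 > len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option value runs past end of buffer")
        out.append((code, value))
        i += 2 + length
    return out


def build_tlvs(items: List[TLV], dhcp_level: bool) -> bytes:
    """Inverse of parse_tlvs; appends END when building a DHCP options field."""
    body = b"".join(bytes([code, len(value)]) + value for code, value in items)
    return body + bytes([OPT_END]) if dhcp_level else body


def option82_fields(options: bytes) -> Optional[Dict[int, bytes]]:
    """Return {sub-option code: value} for Option-82, or None if it is absent."""
    for code, value in parse_tlvs(options, dhcp_level=True):
        if code == OPT_RELAY_INFO:
            return dict(parse_tlvs(value, dhcp_level=False))
    return None


def apply_policy(options: bytes, policy: str,
                 circuit_id: bytes, remote_id: bytes) -> Optional[bytes]:
    """Return the options field the relay forwards, or None when it drops."""
    if policy not in ("drop", "keep", "replace"):
        raise ValueError("policy must be drop, keep or replace")
    opts = parse_tlvs(options, dhcp_level=True)
    own = (OPT_RELAY_INFO, build_tlvs([(SUB_CIRCUIT_ID, circuit_id),
                                       (SUB_REMOTE_ID, remote_id)], False))
    if all(code != OPT_RELAY_INFO for code, _ in opts):
        return build_tlvs(opts + [own], True)      # no Option-82 yet: attach own
    if policy == "drop":
        return None                                # discard the packet
    if policy == "keep":
        return build_tlvs(opts, True)              # forward existing Option-82 as is
    others = [o for o in opts if o[0] != OPT_RELAY_INFO]
    return build_tlvs(others + [own], True)        # replace with the relay's own


if __name__ == "__main__":
    for name in ("drop", "keep", "replace"):
        out = apply_policy(TAGGED_REQUEST, name, RELAY_CIRCUIT_ID, RELAY_REMOTE_ID)
        print(name, None if out is None else option82_fields(out))
```

Under “keep” the server receives whatever Circuit-ID and Remote-ID arrived with the request, so per-subscriber limits keyed on those values depend on where the Option-82 information was attached.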

(3) Configuring Remote-ID and the Number of Assigning IP Address

To configure a remote-ID and set the number of IP addresses that can be assigned to that remote-ID, use the following commands. The remote-ID can be an IP address or a MAC address.

Command Mode Function

remote-id ip ip-address lease-limit <0-2147483637> Option-82 Configures remote-ID and the number of assigning IP address.

remote-id binary binary-format lease-limit <0-2147483637> Option-82 Configures remote-ID and the number of assigning IP address.

remote-id text circuit-id lease-limit <0-2147483637> Option-82 Configures remote-ID and the number of assigning IP address.

To delete a remote-ID and the number of IP addresses assigned to that remote-ID, use the following commands.

Command Mode Function

no remote-id ip ip-address lease-limit Option-82 Deletes remote-ID and the number of assigning IP address.

no remote-id binary binary-format lease-limit Option-82 Deletes remote-ID and the number of assigning IP address.

no remote-id text circuit-id lease-limit Option-82 Deletes remote-ID and the number of assigning IP address.

(4) Configuring Remote-ID and Pool

When configuring the remote-ID, the administrator can also configure the pool from which IP addresses are assigned. To configure Remote-ID and IP Pool, use the following commands.

Command Mode Function

remote-id ip ip-address pool pool-name

remote-id binary binary-format pool pool-name Option-82 Configures remote-ID and pool.

remote-id text remote-id pool pool-name


To delete Remote-ID and IP Pool, use the following commands.

Command Mode Function

no remote-id ip ip-address pool pool-name

no remote-id binary binary-format pool pool-name Option-82 Deletes remote-ID and pool.

no remote-id text remote-id pool pool-name

(5) Remote-ID, Circuit-ID and the Number of Assigning IP Address

In SURPASS hiD 6610, you can assign IP addresses by Remote-ID and Circuit-ID. If you configure Remote-ID and Circuit-ID, the server assigns IP addresses for the packets having the designated Remote-ID and Circuit-ID. You can also limit the number of IP addresses assigned in this configuration. To assign IP addresses by Remote-ID and Circuit-ID and limit the number of IP addresses, use the following commands.

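Command Mode Function

remote-id ip ip address circuit-id binary binary-format lease-limit <0-2147483637> Option-82 Assigns IP address with Remote-ID and Circuit-ID and limits the number of IP address

remote-id ip ip address circuit-id text circuit-id lease-limit <0-2147483637> Option-82 Assigns IP address with Remote-ID and Circuit-ID and limits the number of IP address

remote-id ip ip address circuit-id index <0-65535> lease-limit <0-2147483637> Option-82 Assigns IP address with Remote-ID and Circuit-ID and limits the number of IP address

remote-id binary binary-format circuit-id binary binary-format lease-limit <0-2147483637> Option-82 Assigns IP address with Remote-ID and Circuit-ID and limits the number of IP address

remote-id binary binary-format circuit-id text circuit-id lease-limit <0-2147483637> Option-82 Assigns IP address with Remote-ID and Circuit-ID and limits the number of IP address

remote-id binary binary-format circuit-id index <0-65535> lease-limit <0-2147483637> Option-82 Assigns IP address with Remote-ID and Circuit-ID and limits the number of IP address

remote-id text remote-id circuit-id binary binary-format lease-limit <0-2147483637> Option-82 Assigns IP address with Remote-ID and Circuit-ID and limits the number of IP address

remote-id text remote-id circuit-id text circuit-id lease-limit <0-2147483637> Option-82 Assigns IP address with Remote-ID and Circuit-ID and limits the number of IP address

remote-id text remote-id circuit-id index <0-65535> lease-limit <0-2147483637> Option-82 Assigns IP address with Remote-ID and Circuit-ID and limits the number of IP address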


To delete Remote-ID and Circuit-ID and the number of IP address, use the following commands.

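Command Mode Function

no remote-id ip ip address circuit-id binary binary-format lease-limit Option-82 Assigns IP address with Remote-ID and Circuit-ID and limits the number of IP address

no remote-id ip ip address circuit-id text circuit-id lease-limit Option-82 Assigns IP address with Remote-ID and Circuit-ID and limits the number of IP address

no remote-id ip ip address circuit-id index <0-65535> lease-limit Option-82 Assigns IP address with Remote-ID and Circuit-ID and limits the number of IP address

no remote-id binary binary-format circuit-id binary binary-format lease-limit Option-82 Assigns IP address with Remote-ID and Circuit-ID and limits the number of IP address

no remote-id binary binary-format circuit-id text circuit-id lease-limit Option-82 Assigns IP address with Remote-ID and Circuit-ID and limits the number of IP address

no remote-id binary binary-format circuit-id index <0-65535> lease-limit Option-82 Assigns IP address with Remote-ID and Circuit-ID and limits the number of IP address

no remote-id text remote-id circuit-id binary binary-format lease-limit Option-82 Assigns IP address with Remote-ID and Circuit-ID and limits the number of IP address

no remote-id text remote-id circuit-id text circuit-id lease-limit Option-82 Assigns IP address with Remote-ID and Circuit-ID and limits the number of IP address

no remote-id text remote-id circuit-id index <0-65535> lease-limit Option-82 Assigns IP address with Remote-ID and Circuit-ID and limits the number of IP address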

(6) Remote-ID, Circuit-ID and Pool

In SURPASS hiD 6610, you can assign IP addresses by Remote-ID and Circuit-ID. If you configure

Remote-ID and Circuit-ID, the server assigns IP addresses for the packets having the designated

Remote-ID and Circuit-ID. And you can also configure IP Pool in this configuration.

To assign IP address with Remote-ID and Circuit-ID and configure IP Pool, use the following commands.

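Command Mode Function

remote-id ip ip address circuit-id binary binary-format pool pool-name Option-82 Assigns IP address with Remote-ID and Circuit-ID and configure IP Pool

remote-id ip ip address circuit-id text circuit-id pool pool-name Option-82 Assigns IP address with Remote-ID and Circuit-ID and configure IP Pool

remote-id ip ip address circuit-id index <0-65535> pool pool-name Option-82 Assigns IP address with Remote-ID and Circuit-ID and configure IP Pool

remote-id binary binary-format circuit-id binary binary-format pool pool-name Option-82 Assigns IP address with Remote-ID and Circuit-ID and configure IP Pool

remote-id binary binary-format circuit-id text circuit-id pool pool-name Option-82 Assigns IP address with Remote-ID and Circuit-ID and configure IP Pool

remote-id binary binary-format circuit-id index <0-65535> pool pool-name Option-82 Assigns IP address with Remote-ID and Circuit-ID and configure IP Pool

remote-id text remote-id circuit-id binary binary-format pool pool-name Option-82 Assigns IP address with Remote-ID and Circuit-ID and configure IP Pool

remote-id text remote-id circuit-id text circuit-id pool pool-name Option-82 Assigns IP address with Remote-ID and Circuit-ID and configure IP Pool

remote-id text remote-id circuit-id index <0-65535> pool pool-name Option-82 Assigns IP address with Remote-ID and Circuit-ID and configure IP Pool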


To delete Remote-ID and Circuit-ID and IP Pool, use the following commands.

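Command Mode Function

no remote-id ip ip address circuit-id binary binary-format pool Option-82 Assigns IP address with Remote-ID and Circuit-ID and configure IP Pool

no remote-id ip ip address circuit-id text circuit-id pool Option-82 Assigns IP address with Remote-ID and Circuit-ID and configure IP Pool

no remote-id ip ip address circuit-id index <0-65535> pool Option-82 Assigns IP address with Remote-ID and Circuit-ID and configure IP Pool

no remote-id binary binary-format circuit-id binary binary-format pool Option-82 Assigns IP address with Remote-ID and Circuit-ID and configure IP Pool

no remote-id binary binary-format circuit-id text circuit-id pool Option-82 Assigns IP address with Remote-ID and Circuit-ID and configure IP Pool

no remote-id binary binary-format circuit-id index <0-65535> pool Option-82 Assigns IP address with Remote-ID and Circuit-ID and configure IP Pool

no remote-id text remote-id circuit-id binary binary-format pool Option-82 Assigns IP address with Remote-ID and Circuit-ID and configure IP Pool

no remote-id text remote-id circuit-id text circuit-id pool Option-82 Assigns IP address with Remote-ID and Circuit-ID and configure IP Pool

no remote-id text remote-id circuit-id index <0-65535> pool Option-82 Assigns IP address with Remote-ID and Circuit-ID and configure IP Pool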

(7) Configuring System Remote-ID

In an Option-82 environment, packets from the switch are transmitted with a remote ID or circuit ID. In SURPASS hiD 6610, the remote ID is the MAC address by default and the circuit ID is the port number by default. The form of the switch’s remote ID and circuit ID can be changed to one that is easier to recognize.

To change the form of Remote ID of the switch, use the following commands.

Command Mode Function

system-remote-id binary binary-format

system-remote-id ip ip-address Option-82 Configures remote-ID.

system-remote-id text remote-id

To change the form of Circuit ID of the switch, use the following command.

Command Mode Function

system-circuit-id port-number binary binary-format

system-circuit-id port-number index <0-65535> Option-82 Configures circuit-ID.

system-circuit-id port-number text remote-id


To cancel the change of form of Remote ID and Circuit ID, use the following commands.

Command Mode Function

no system-remote-id port-number Option-82 Configures remote-ID.

no system-circuit-id Option-82 Configures remote-ID.

8.13.9 Back-up DHCP lease database

In hiD 6610, it is possible to save the DHCP lease database. To back up the DHCP lease database, use the following command.

Command Mode Function

ip dhcp leasedb backup ip-address <1-2147483637> Global Back-up DHCP lease database and configure the interval.

no ip dhcp leasedb backup ip-address Global Deletes Back up lease database.

8.14 Broadcast Storm Control

SURPASS hiD 6610 supports Broadcast Storm Control for broadcast packets. A broadcast storm is an overload situation in which broadcast packets take up a major part of the transmit capacity. Broadcast storms often occur because of version differences. For example, a storm may occur when 4.3 BSD and 4.2 BSD are mixed, or when Appletalk Phase I and Phase II are mixed in TCP/IP.

A broadcast storm may also occur when routing protocol information regularly transmitted from a router is wrongly recognized by a system that does not support the protocol.

Broadcast Storm Control works as follows: the system counts how many broadcast packets there are per second, and packets over the configured limit are discarded.

SURPASS hiD 6610 provides control of not only broadcast storms but also multicast and DLF (Destination Lookup Fail) storms. To use multicast and DLF storm control, use the following commands. All Broadcast storm control configurations are then applied equally to all VLANs.


To enable multicast storm control and DLF storm control, use the following commands.

Command Mode Function

storm-control {broadcast | multicast | dlf} rate [port-number] Bridge Enables broadcast, multicast, or dlf storm control respectively in a port with a user defined rate. Rate value is from 1 to 262142 for FE, and from 1 to 2097150 for GE

Information

By default, DLF storm control is enabled and multicast storm control is disabled.

In order to disable multicast storm control and DLF storm control, use the following commands.

Command Mode Function

no storm-control {broadcast | multicast | dlf} rate [port_number] Bridge Disables broadcast, multicast, or dlf storm control respectively.

In order to confirm Storm Control configuration, use the following command.

Command Mode Function

show storm-control Enable/Bridge Shows Storm Control configuration.

8.15 Jumbo-frame Capacity

The acceptable packet size ranges from 64 bytes to 1,518 bytes, so packets outside this range are not accepted. However, SURPASS hiD 6610 can accept Jumbo-frames larger than 1,518 bytes through user’s configuration.

In order to configure to accept Jumbo-frame larger than 1,518 bytes, use the following command.

Command Mode Function

jumbo-frame port-number <1518-9000> Bridge Configures to accept Jumbo-frame between specified range.


Information

The maximum range is up to 10,000 bytes.

In order to disable configuration to accept Jumbo-frame, use the following command.

Command Mode Function

no jumbo-frame port-number Bridge Disables configuration to accept Jumbo-frame in specified port.

In order to view configuration of Jumbo-frame, use the following command.

Command Mode Function

show jumbo-frame Enable/Global/Bridge Shows configuration of Jumbo-frame.

[Sample Configuration 1]

The following is an example of configuration to accept Jumbo-frame under 2500 bytes in port 1~10.

SWITCH# configure terminal


SWITCH(config)# bridge
SWITCH(bridge)# jumbo-frame 1-10 2500
SWITCH(bridge)# show jumbo-frame
port 1 : 2500 / 1522 (current/default)
port 2 : 2500 / 1522 (current/default)
port 3 : 2500 / 1522 (current/default)
port 4 : 2500 / 1522 (current/default)
port 5 : 2500 / 1522 (current/default)
port 6 : 2500 / 1522 (current/default)
port 7 : 2500 / 1522 (current/default)
port 8 : 2500 / 1522 (current/default)
port 9 : 2500 / 1522 (current/default)
port 10 : 2500 / 1522 (current/default)
port 11 : 1522 / 1522 (current/default)
port 12 : 1522 / 1522 (current/default)
port 13 : 1522 / 1522 (current/default)
port 14 : 1522 / 1522 (current/default)
port 15 : 1522 / 1522 (current/default)
port 16 : 1522 / 1522 (current/default)
(Omitted)
SWITCH(bridge)#


8.16 Blocking Direct Broadcast

RFC 2644 recommends that a system block broadcast packets in the same network range as an interface of the equipment, namely Direct broadcast packets. Accordingly, SURPASS hiD 6610 is set to block Direct broadcast packets by default. However, you can enable or disable this in SURPASS hiD 6610.

In order to block Direct broadcast packet, use the following command.

Command Mode Function

no ip forward direct-broadcast Global Enables blocking Direct broadcast packet.

Information

The default is enabled.

In order to disable blocking Direct broadcast packet, use the following command.

Command Mode Function

ip forward direct-broadcast Global Disables blocking Direct broadcast packet.

In order to view configuration about blocking Direct broadcast packet, use the following command.

Command Mode Function

show running-config Enable/Global/Bridge/Interface Shows switch configuration.

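The following is an example of entering ip forward direct-broadcast, which according to the table above disables blocking of Direct broadcast packets, and confirming it in the running configuration.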

SWITCH(config)# ip forward direct-broadcast


SWITCH(config)# show running-config
Building configuration...
(omitted)
!
ip forward direct-broadcast
!
no snmp
!
SWITCH(config)#


9. IP Routing Protocol

This chapter describes layer 3 switching and how to configure the switch for the supported IP routing protocols. It is intended to provide enough information for a network administrator to get the protocols up and running.

9.1 BGP Routing Protocol

BGP (Border Gateway Protocol), as defined in RFC 1163 and 1267, is an EGP (Exterior Gateway Protocol) used to connect to exterior networks. BGP manages routing information in the network so that an AS (Autonomous System) can transmit and receive routing information. BGP routing information consists of the network numbers that a packet passes through and the autonomous system numbers.

SURPASS hiD 6610 supports BGP version 4 defined in RFC 1771. BGP version 4 provides aggregate routes by using CIDR (classless interdomain routing) to reduce the size of the routing table. CIDR provides an IP prefix, which is a network address, instead of an IP address on the BGP network. OSPF and RIP can also transmit CIDR paths.

A switch running the BGP protocol exchanges AS (autonomous system) information and the paths for reaching each AS with other BGP equipment. By doing so, the user can prevent routing loops and obtain the most effective AS information.

The user can configure MED (Multi Exit Discriminator) by using a route map. When new routing information is transmitted to a BGP neighbor, the MED is passed without any change. Thus, BGP routers located in the same AS can select paths by the same standard.

9.1.1 Basic Configuration

BGP configuration is roughly divided into basic configuration and advanced configuration. Basic

configuration includes the following.

□ Activating BGP

□ Configuring BGP Neighbor Router

□ Changing Routing Policy

□ Configuring BGP Weights


□ BGP Route Filtering

□ AS Route Filtering

□ BGP Route Filtering through Prefix Lists

□ Blocking information Transmission to Next Destination

□ Configuring BGP Version

(1) BGP Routing

In order to activate BGP, perform the following steps.

Step 1 Enter into BGP router configuration mode by using the following command. Then BGP will be
activated.

Command Mode Function

router bgp <1-65535> BGP Config Assigns AS number to configure BGP routing.

The AS number identifies the autonomous system and is used for detecting the BGP connection. The AS number is a number between 1 and 65535. AS numbers 65512 through 65535 are defined as private AS numbers. Private AS numbers cannot be advertised on the Internet.

Step 2 Configure BGP network and register it in BGP routing table by using the following commands.

Command Mode Function

network prefix backdoor Router Configures backdoor route to reach to border router, which receives BGP information.

network prefix nlri [multicast | unicast] Router Decides where to send routing information.

(2) Configuring BGP Neighbor Router

An EGP has to know its neighbor routers. Therefore BGP, as an EGP, requires neighbor routers to be configured. BGP neighbor routers include internal neighbor routers, which are located in the same AS, and external neighbor routers, which are located in a different AS. Usually, internal neighbor routers in the same AS are not directly connected, but external neighbor routers are directly connected and share a sub network with their partner.


In order to configure BGP neighbor router, use the following command.

Command Mode Function

neighbor ip-address remote-as number Router Configures BGP Neighbor router.

(3) Changing Routing Policy

Routing policy decides, through route-map, distribute-list and prefix-list, which information to receive and which information to provide when exchanging routing information with a neighbor router. When you change the routing policy, you should modify the routing information to follow the new policy by deleting the routing information of the old policy or resetting the default route.

To receive routing information under the new policy, you need to configure an inbound reset, and to provide the information, you need to configure an outbound reset. When a BGP router provides routing information under the new policy, neighbor routers are supposed to receive the information.

If both the BGP router and the neighbor router support route refresh capability, it is possible to renew routing information by using inbound reset. This method has the following advantages.

● No optional configuration of administrator

● No additional memory for changing routing information

In order to check if neighbor router supports route refresh capability, use the following command.

Command Mode Function

neighbor {ip-address | neighbor-tag} capability route-refresh Router Informs whether neighbor router supports route refresh capability. If neighbor router supports the function, “Received route refresh capability from peer.” will be displayed.

If all BGP routers support route refresh capability, user can receive route information by using soft reset.


In order to configure routing information to follow new policy, use the following command.

Command Mode Function

clear ip bgp [* | AS | address ] soft in Enable Receives routing information of new policy. You can configure network address to receive the information or AS. When you select asterisk(*), the routing information will be received from all addresses.

No previous configuration is required for outbound reset. Routing information is resent by using

command, soft.

In order to provide routing information again, use the following command.

Command Mode Function

clear ip bgp [* | AS | address] soft out Enable Operates route refresh capability in where routing information is provided. You can configure network address or AS to send the information. When you select asterisk(*), the routing information will be sent to all addresses.

When the administrator restores the default routing policy from a configured one, route refresh capability is used. With this function, you do not have to delete the configured policies one by one.

Meanwhile, if a router does not support route refresh capability, you should delete old routing information by using “neighbor soft-reconfiguration”. However, you should use another method where possible because it may cause network problems.

If you do not want to reconfigure BGP information but create new information, you have to save all information coming into the BGP network in the BGP router without processing the routing information in order. Please note that this may overload memory, so it is better to avoid it. On the other hand, no memory is required to provide changed information. After the BGP router transmits new information, the neighbor router receives the information.


In order to change BGP configuration through saved routing policy, follow the below steps.

Step 1 After reconfiguring BGP router, configure to save received information from neighbor router.
And then, all incoming information to BGP router will be saved.

Command Mode Function

neighbor ip-address soft-reconfiguration inbound Router After reconfiguring BGP router, saves all information from neighbor router.

Step 2 Register new information in table by using saved information.

Command Mode Function

clear ip bgp [* | as-address] soft in Enable Registers new information in table by using saved information. You can configure network address, AS, or all(*) for where to receive the information.

In order to check if routing information is correctly changed through routing table and BGP neighbor router, use the following command.

Command Mode Function

show ip bgp neighbors ip-address [advertised-routes | received-routes | routes] Enable/Global Shows information to transmit to neighbor router or to receive from neighbor router.

(4) Configuring BGP Weights

Weight is a number assigned to a route and used to decide the route. It ranges from 0 to 65534 and is available only in BGP. If you want to give priority to information from a specific router, assign a higher weight to that information. In order to configure BGP weight, use the following command.

Command Mode Function

neighbor ip-address weight <0-65534> Router Assigns weight to information from neighbor router.


(5) Aborting AS Route

By default setting, SURPASS hiD 6610 uses AS to decide route. However, you can change it to decide

route as IETF.

In order to disregard length required to reach to AS in case of deciding route, use the following

command.

Command Mode Function

bgp bestpath as-path ignore Router Disregards length required to reach to AS in case of deciding route

(6) BGP Route Filtering

If you want to block specific routing information in the system, you can selectively receive the information that is transmitted to and received from a neighbor router. In this case, the user should configure an access list and a prefix list. Routing information is then filtered by the configured criteria.

In order to filter BGP routing information, use the following command.

Command Mode Function

neighbor ip-address distribute-list access-list-name {in | out} Router Filters incoming or outgoing information through specific network by using Access list.

Information

Distribute list can be used on only BGP internal network.

(7) AS Route Filtering

Just as information can be filtered by network address on a BGP network, information passing through an AS can also be filtered. The policies applied to decide the route are registered in an access list. To filter routing information by AS, configure the filtering policy in an access list and apply the policy to the neighbor router.


The following steps are instruction to filter routes in AS.

Step 1 Define specific AS in access list.

Command Mode Function

ip as-path access-list access-list-number {permit | deny} expression Global Defines specific AS in access list.

Step 2 Enter into Router configuration mode.

Step 3 Apply defined access list to filter routing information, which AS transmits or receives.

Command Mode Function

neighbor ip-address filter-list access-list-number {in | out} Router Applies defined access list to filter routing information, which AS transmits or receives.


(8) BGP Filtering through Prefix Lists

When restricting BGP routes, a prefix list is preferred to an access list for the following reasons:

● saves time to search and apply data in case of massive filter lists.

● unlimited registration in filter lists.

● easy to use

Before applying prefix list, user should configure prefix list. User can assign number to each policy

registered in prefix list.

◆ Traffic Filtering Operation through Prefix Lists


Filtering through a prefix list processes routing information in a specific order by applying the policies defined in the filter list. It is similar to an access list, but there are more detailed rules, as follows:

● Allows all network information if there is no defined policy in prefix list.

● Rejects specified network information unless policy applied to network is defined in prefix list.

● Distinguishes each policy with the assigned number and applies policy which has the lowest number when there are more than one policy applied to one network.

Routers search the policies in a prefix list in order from the top. When they find the required policy, they stop searching. For faster operation, the user can place a quick search list at the top of the list by using seq provided by ip prefix-list. To view the number assigned to a policy, use the command show ip prefix-list. Policies configured by the user are automatically assigned a number. If you do not configure it, you should assign a number to each policy by using the command ip prefix-list SEQ-VALUE.

◆ Making Prefix List

In order to create prefix list, use the following commands.

Command Mode Function

ip prefix-list name {deny|permit} [description description] [seq value] prefix [ge value] [le value] Global Configures list name when creating prefix list.

ip prefix-list name {deny|permit} [description description] [seq value] any Global Creates prefix list to be applied to all networks.

ip prefix-list name description description Global Makes additional description to prefix list.

Information

To create a prefix list, you should select permit or deny.


◆ Creating Prefix List Policy

You can add policy to prefix list one by one. Use the following command.

Command Mode Function

ip prefix-list name seq value {deny|permit} {any | prefix [ge value] [le value]} Global Configures policy of prefix list and assigns number to the policy.

You can input ge and le optionally; they are used when you configure more than one network. If you use neither ge nor le, the network range is more clearly configured. When only the ge attribute is configured, the network range is configured from ge-value, and when only the le attribute is configured, the network range is configured from the netmask to le-value.
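The following Python example is added here and is not the switch's implementation. It evaluates a route against a prefix list using the rules described above: lowest seq first, stop at the first match, reject when nothing matches, allow everything when the list is empty. The sample entries are constructed, and two details are assumptions taken from common prefix-list behaviour: an entry with neither ge nor le matches only the exact prefix length, and a ge-only entry extends to /32.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Entry(NamedTuple):
    """One policy line: ip prefix-list NAME seq SEQ ACTION PREFIX [ge N] [le N]."""
    seq: int
    action: str                  # "permit" or "deny"
    prefix: str                  # IPv4 network, e.g. "10.0.0.0/8"
    ge: Optional[int] = None
    le: Optional[int] = None

    def length_range(self) -> Tuple[int, int]:
        """Prefix lengths this entry accepts, as (lowest, highest)."""
        base = ipaddress.ip_network(self.prefix).prefixlen
        if self.ge is None and self.le is None:
            lo, hi = base, base                      # exact length only (assumed)
        else:
            lo = base if self.ge is None else self.ge    # le only: from the netmask
            hi = 32 if self.le is None else self.le      # ge only: up to /32 (assumed)
        if not base <= lo <= hi <= 32:
            raise ValueError("seq %d: inconsistent ge/le values" % self.seq)
        return lo, hi

    def matches(self, route: str) -> bool:
        """True if route lies inside the prefix and its length is in range."""
        candidate = ipaddress.ip_network(route)
        lo, hi = self.length_range()
        inside = candidate.subnet_of(ipaddress.ip_network(self.prefix))
        return inside and lo <= candidate.prefixlen <= hi


def first_match(entries: List[Entry], route: str) -> Optional[Entry]:
    """Search in ascending seq order and stop at the first matching policy."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(route):
            return entry
    return None


def evaluate(entries: List[Entry], route: str) -> str:
    """Apply the list to one route and return "permit" or "deny"."""
    if not entries:
        return "permit"          # no policy defined: all network information allowed
    hit = first_match(entries, route)
    return hit.action if hit else "deny"     # nothing matched: rejected


# Constructed sample list, deliberately stored out of seq order.
SAMPLE_LIST = [
    Entry(10, "permit", "10.0.0.0/8", ge=16, le=24),
    Entry(15, "permit", "192.0.2.0/24"),
    Entry(5, "deny", "10.1.0.0/16", le=32),
]

if __name__ == "__main__":
    for route in ("10.1.2.0/24", "10.2.0.0/16", "10.2.3.128/25", "192.0.2.0/24"):
        hit = first_match(SAMPLE_LIST, route)
        print(route, evaluate(SAMPLE_LIST, route), "seq", hit.seq if hit else None)
```

The route 10.1.2.0/24 matches both seq 5 and seq 10, and the lower number decides; 10.2.3.128/25 matches no entry because its length exceeds le 24, so it is rejected.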

◆ Viewing Prefix List Policy

In order to view information about prefix table, use the following command.

Command Mode Function

show ip prefix-list [detail | summary] Enable/Global Shows prefix lists in detail or briefly.

show ip prefix-list [detail|summary] name Enable/Global Shows prefix list of specified name.

show ip prefix-list name [seq number] Enable/Global Shows policy of specified number.

show ip prefix-list name [prefix] Enable/Global Shows policy applied to specified network.

show ip prefix-list name [prefix] longer Enable/Global Shows all policies of prefix list applied to specified network.

show ip prefix-list name [prefix] first-match Enable/Global Shows policy first applied to specified network.

◆ Deleting Number of Inquiring Prefix List

By default, the system records the number of times a prefix list is inquired. In order to delete the number, use the following command.


Command Mode Function

clear ip prefix-list name [prefix] Enable Deletes the number how many times prefix list is inquired.

(9) Blocking information Transmission to Next Destination

It is possible to block new routing information from being transmitted to the next destination. This function is useful when the system is not connected to the same IP network, as with Frame Relay. There are two ways to block new routing information from being transmitted to the next destination, as follows:

□ Configures another address instead of neighbor router address

□ Receives information from neighbor through route map and local BGP router distributes information

◆ Blocking Routing Information through Another Address

In order to block routing information transmitting to next destination by configuring another address

instead of destination address, use the following command.

Command Mode Function

neighbor ip-address next-hop-self Router Blocks routing information transmitting to next destination.

This command advertises the router’s own address instead of the neighbor router’s address and makes BGP routers transmit information to that address. It is more effective than assigning a specific address at which to receive routing information.

◆ Blocking Routing Information through Routing Map

To make the next destination of BGP be neighbor router, use the command, set ip next-hop. In order to
configure neighbor router as the next destination of BGP, use the following command.


Command Mode Function

set ip next-hop ip-address Route-map Specifies user’s BGP router connected neighbor router as the next destination of BGP and configure neighbor router address as the next destination.

(10) Configuring BGP Version

By default, system supports BGP version 4. It is also possible to change the version as user needs.

In order to make a connection to neighbor router with specified BGP version, use the following

command.

Command Mode Function

neighbor ip-address version {4 | 4-} Router Configures BGP version to be used when communicating with neighbor router.

9.1.2 Advanced Configuration

After finishing basic configuration, it is possible to do advanced configuration. It contains the following

sections.

□ Changing Route through Route Map

□ Configuring Aggregate Address

□ Configuring BGP Community Filtering

□ Assigning ID Number for Router

□ Distributing Route to BGP

□ Configuring Confederation of Routing Domain

□ Configuring Route Reflector

□ Configuration through Neighbor Commands

□ Deactivating Neighbor Router

□ Configuring Backdoor Route

□ Deciding NLRI Type

□ Configuring Distance Value

□ Configuring BGP Timer


□ Checking Import Network

□ Configuring the First AS

□ Changing Priority of Local Network

□ Deciding Route based on Router ID

□ Considering Route without MED as the Worst Route

□ Deciding AS Route based on MED from ASs

□ Deciding Confederation Route based on MED

□ Deciding Route in Confederation based on MED

□ Restoring Reflected Route

□ Route Dampening

□ Checking and Managing BGP

(1) Changing Route through Route Map

You can process routes in a specific order or change various attributes through a route map. A route map can be applied to both received and distributed information.

Once a route map is defined, only the routes that match the route map are received or distributed.

Routing information is processed in order: AS route first, then community, and network number last. To define the matching terms, the AS route uses as-path access-list, the community uses community-list, and the network uses ip access-list. In order to define a route map, use the following command.

Command Mode Function

neighbor ip-address route-map route-map-name {in | out} Router Applies route map to routes to be received or distributed.

(2) Configuring Aggregate Address

CIDR (Classless Interdomain Routing) lets the user create an aggregate route, or supernet, to minimize the size of the routing table. The user can transmit an aggregate route to a BGP router or configure an aggregate route by using the aggregate function. When there is more than one route in the BGP table, the aggregate address is added to the BGP table.


In order to configure aggregate address to routing table, use the following commands.

Command Mode Function

aggregate-address prefix Router Creates aggregate address in BGP routing table.

aggregate-address prefix summary-only Router Distributes only aggregated address.

(3) Configuring BGP Community Filtering

BGP supports a transmit policy for distributing routing information. Routing information is distributed based not only on the community list but also on IP address and AS route. A community list groups destinations into communities, and routing policy is applied on a per-community basis. This helps configure a BGP speaker that distributes routing information.

A community is a group of destinations that share some common attributes. One destination can belong to more than one community. The administrator can configure which community a destination belongs to. By default, all destinations are configured to be in the internet community.

The other defined and well-known communities are as follows.

● no-export: Do not distribute this route to exterior BGP neighbor routers.

● no-advertise: Do not distribute this route to any neighbor router (either exterior or interior).

● local-as: Distribute this route to neighbor routers in the lower-level ASs of a BGP confederation. Do not distribute it to exterior routers.

In order to create community list, use the following command.

Command Mode Function

ip community-list name {permit | deny} {community | local-AS | no-advertise | no-export} Global Creates community list.

“community” is written in the form AA:NN as defined in the RFC, where AA is the AS number and NN is a 2-byte number. In order to transmit the community name to the IP address of a neighbor router, use the following command.


Command Mode Function

neighbor ip-address send-community [extended] Router Transmits community name to IP address of neighbor router, which has specified IP address or specified neighbor-tag.

(4) Assigning ID Number for Router

The user can assign a router ID number to the BGP router that transmits BGP routes. To remove this setting and return to the default ID number, use the “no” form of the command.

Command Mode Function

bgp router-id address Router Assigns ID number for BGP router.

(5) Distributing Route to BGP

It is possible to register routes created elsewhere in the BGP routing table. For instance, it is possible to transmit connected routes, kernel routes, static routes and routes created by other routing protocols to BGP. This function applies to all IP routing protocols.

In order to distribute routes created elsewhere to BGP, use the following command.

Command Mode Function

redistribute {connected | kernel | static | ospf | rip} [route-map TAG] Router Distributes routing information to BGP table.

(6) Configuring Confederation of Routing Domain

One way to reduce the complexity of multiple connections in a BGP network is to divide one AS into several small ASs and to group them into one confederation. To the outside, the confederation looks like a single AS. All systems within each AS are connected to each other, but not all of them are directly connected to the other ASs in the same confederation. In this case, communicating with a neighbor router in another AS of the confederation is treated as communicating with an interior BGP router. In particular, the next destination, MED, and priority values are applied as they are. In order to configure a BGP confederation, you should configure an ID number for the confederation. To the outside, the group of ASs looks like a single AS identified by the confederation number.


In order to configure BGP confederation, use the following command.

Command Mode Function

bgp confederation identifier as Router Configures BGP confederation.

In order to configure neighbor AS in confederation, use the following command.

Command Mode Function

bgp confederation peers as [as...] Router Configures neighbor AS in confederation.

(7) Configuring Route Reflector

BGP requires that all speaker routers in the network be connected to each other. However, this is impossible when there are many speaker routers.

Instead of configuring a confederation, another way to reduce the complexity of multiple connections in a BGP network is to configure a route reflector.

With a route reflector, BGP speaker routers do not all need to be fully connected to each other, because the received routes can be distributed to neighbor routers. The interior neighbor router distributes the route to the next destination.

In order to configure the route reflector and the client router that receives the route, use the following command.

Command Mode Function

neighbor ip-address route-reflector-client Router Configures local router as BGP route reflector and neighbor router as client router.

(8) Configurations through Neighbor

To provide BGP routing information to a large number of neighbors, you can configure BGP to receive information from neighbors by using an access list. In order to configure BGP routes per neighbor, use the following commands.


Command Mode Function

neighbor ip-address ebgp-multihop Router Allows BGP communication although neighbor router is not connected to BGP network.

neighbor ip-address maximum-prefix maximum Router Configures how many BGP networks can be connected to neighbor router.

neighbor ip-address weight weight Router Configures each weight of all routes.

neighbor ip-address distribute-list access-list-name {in | out} Router Assorts information exchanged to neighbor router according to policy defined in access list.

neighbor ip-address filter-list access-list-name {in | out} Router Configures BGP filter.

neighbor ip-address next-hop-self Router Blocks BGP information to the next destination.

neighbor ip-address version VALUE Router Configures BGP version to communicate with neighbor router.

neighbor ip-address route-map name {in | out} Router Applies route map to transmitted information.

neighbor ip-address soft-reconfiguration inbound Router Saves received information.

neighbor ip-address dont-capability-negotiate Router Configures peer not to reflect changed route.

neighbor ip-address strict-capability-match Router Forces to configure route refresh capability, if neighbor router does not have it. When user configures override capability, it is impossible to use strict capability match.

neighbor ip-address transparent-as Router Does not configure AS number of neighbor router although the neighbor router is external BGP network.

neighbor ip-address transparent-nexthop Router Configures not to display the next hop although peer is external BGP network.

neighbor ip-address override-capability Router Makes peer to override another route on received route.

neighbor ip-address port Router Assigns TCP port number to BGP network.

neighbor ip-address interface interface-name Router Configures interface of neighbor router.

neighbor ip-address route-server-client Router Configures neighbor router as route server.

neighbor ip-address activate Router Enables the exchange of information with BGP neighbor router.

neighbor ip-address remote-as NUMBER passive Router Blocks routing information from specified neighbor router.

neighbor ip-address description text Router Describes relation of neighbor router.

neighbor ip-address default-originate Router Forwards default route 0.0.0.0 from BGP router to neighbor router.

neighbor ip-address send-community Router Sends community attribute to specified neighbor router.

neighbor ip-address update-source interface Router Forwards internal BGP information to interface, which is able to do TCP communication.

(9) Deactivating Neighbor Router

In order to deactivate BGP neighbor router, use the following command.

Command Mode Function

neighbor ip-address shutdown Router Deactivates BGP neighbor router.

In order to activate BGP neighbor router again, use the following command.

Command Mode Function

no neighbor ip-address shutdown Router Activates BGP neighbor router.

(10) Configuring Backdoor Route

You can configure which networks are reachable by using a backdoor route that the border router should use. In order to configure border router, use the following command.

Command Mode Function

network ip-address backdoor Router Configures network available to be connected through backdoor route.


(11) Deciding NLRI Type

In order to decide type of route for sending to neighbor router, use the following command.

Command Mode Function

network ip-address /m nlri [ multicast | unicast multicast ] Router Decides type of route to send to neighbor router.

(12) Configuring Distance Value

Administrative distance is a measure of the priority of each routing protocol. BGP uses three kinds of administrative distance: external, internal and local.

Routes through exterior BGP are given the exterior distance, routes through interior BGP are given the interior distance, and routes through local BGP are given the local distance.

In order to configure BGP distance, use the following commands.

Command Mode Function

distance bgp external internal local Router Configures BGP distance value.

Since it may be risky to change BGP distance, it is not recommended. The exterior distance should be lower than any other routing protocol, and the interior distance and local distances should be higher than any other dynamic routing protocol.

(13) Configuring BGP Timer

You need to configure the BGP timers so that BGP can transmit keepalive messages at a regular interval and react when there is no response from its destination. The keepalive timer configured by the BGP system is 60 seconds and the holdtimer is 180 seconds. It is possible to configure the monitoring timer for all neighbor routers.


In order to configure BGP timer for all neighbor routers, use the following command.

Command Mode Function

bgp scan-time seconds Router Configures time to check BGP router in regular interval for saving time to transmit routing information.

In order to adjust BGP timer for specified neighbor router, use the following command.

Command Mode Function

neighbor ip-address timers keepalive holdtimer Router Configures keepalive timer and holdtimer for specific peer.

neighbor ip-address timers connect time Router Configures connection timer with neighbor router.

To delete time value configured in BGP neighbor router, use no neighbor timers command.

(14) Checking Import Network

In order to check imported information from remote network, use the following command.

Command Mode Function

bgp network import-check Router Checks imported information from remote network on BGP network.

(15) Configuring the First AS

In order to configure neighbor router as the first AS, use the following command.

Command Mode Function

bgp enforce-first-as number Router Assigns number of the first AS to neighbor router. Checks imported information from remote network on BGP network.


(16) Changing Priority of Local Network

It is possible to turn a high preference into a low preference by changing the priority of the local network. The default priority is 100. In order to change the priority of the local network, use the following command.

Command Mode Function

bgp default local-preference value Router Changes default priority of local network.

(17) Deciding Route based on Router ID

In order to select the route with the lowest router ID number as the best route among similar routes from exterior BGP routers, use the following command. To restore the default setting, use the “no” form of the command.

Command Mode Function

bgp bestpath compare-routerid Router Compares router ID numbers for AS to select the proper route among routes imported from neighbor routers.

(18) Considering Route without MED as the Worst Route

In order to configure route without MED attribute as the worst route, use the following command.

Command Mode Function

bgp bestpath med missing-as-worst Router Configures the router to consider a missing MED as having a value of infinity, choosing a path among confederation paths.

(19) Deciding AS Route based on MED from ASs

MED is one of the parameters considered when deciding the best route among many alternative routes. A route with a lower MED is preferred over a route with a higher MED. By default, MED is compared only among routes from the same AS to decide the best route. To compare MED among routes from other ASs as well, use the following command.

Command Mode Function

bgp always-compare-med Router Compares MED from other ASs.
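How the options in (17) to (19) change the selected route, as an added Python example (not code from the manual or the device). It assumes a simplified decision order (local preference, AS path length, MED, router ID), that a missing MED counts as 0 unless missing-as-worst is set, and that the older route wins a tie; the routes, AS numbers and router IDs are constructed.

```python
"""Pairwise BGP best-path comparison showing the effect of the MED options."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    name: str
    neighbor_as: int           # AS the route was learned from
    as_path_len: int
    med: Optional[int]         # None means the route carries no MED
    router_id: str
    local_pref: int = 100      # default priority stated in this section


def effective_med(route, missing_as_worst):
    """MED used for comparison; a missing MED is 0, or infinity if configured."""
    if route.med is not None:
        return route.med
    return float("inf") if missing_as_worst else 0


def prefer(new, best, always_compare_med=False, missing_as_worst=False,
           compare_routerid=False):
    """Return the better of two routes; `best` is the older, current choice."""
    if new.local_pref != best.local_pref:
        return new if new.local_pref > best.local_pref else best
    if new.as_path_len != best.as_path_len:
        return new if new.as_path_len < best.as_path_len else best
    # MED is only comparable within one neighbor AS unless always-compare-med.
    if always_compare_med or new.neighbor_as == best.neighbor_as:
        m_new = effective_med(new, missing_as_worst)
        m_best = effective_med(best, missing_as_worst)
        if m_new != m_best:
            return new if m_new < m_best else best
    if compare_routerid:
        id_new = ipaddress.ip_address(new.router_id)
        id_best = ipaddress.ip_address(best.router_id)
        if id_new != id_best:
            return new if id_new < id_best else best
    return best                # assumption: the older route wins a tie


def best_path(routes, **options):
    """Fold the candidates in arrival order, as a router compares new paths."""
    best = routes[0]
    for candidate in routes[1:]:
        best = prefer(candidate, best, **options)
    return best


# Constructed candidates for one prefix, listed in arrival order.
ROUTES = [
    Route("A", neighbor_as=65001, as_path_len=2, med=50, router_id="10.0.0.3"),
    Route("B", neighbor_as=65002, as_path_len=2, med=10, router_id="10.0.0.2"),
    Route("C", neighbor_as=65001, as_path_len=2, med=None, router_id="10.0.0.1"),
]

if __name__ == "__main__":
    cases = {
        "defaults": {},
        "missing-as-worst": {"missing_as_worst": True},
        "always-compare-med": {"always_compare_med": True},
        "always-compare-med + missing-as-worst":
            {"always_compare_med": True, "missing_as_worst": True},
        "compare-routerid": {"compare_routerid": True},
    }
    for label, options in cases.items():
        print(f"{label:40s} -> route {best_path(ROUTES, **options).name}")
```

With the defaults, route C wins because its missing MED is treated as the lowest possible value; that is the case missing-as-worst is meant to change.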


(20) Deciding Confederation Route based on MED

To configure router to consider MED value when deciding route, use the following command.

Command Mode Function

bgp bestpath med confed Router Compares MED to decide the best route among routes from different confederations.

(21) Deciding Route in Confederation based on MED

In order to configure router to use MED to decide the best route among routes distributed by a single

sub-AS in a confederation, use the following command.

Command Mode Function

bgp deterministic-med Router Compares MED to decide the best route among routes from ASs in confederation.

(22) Restoring Reflected Route

In order to save route reflection from BGP route reflector to clients, use the following command.

Command Mode Function

bgp client-to-client reflection Router Saves route reflection from BGP route reflector to clients.

(23) Route Dampening

Route dampening is designed to avoid distributing routes that repeatedly become available and unavailable. A route is considered to be flapping when it is repeatedly available, then unavailable, then available, then unavailable, and so on.

1) Syntax Description of Route Dampening

The following descriptions are syntax descriptions of route dampening.


● Flap — A route repeatedly becomes available and unavailable.

● History state — Whenever a route flaps, it is assigned a penalty and placed in the "history state," meaning the router does not have the best path, based on historical information.

● Penalty — Each time a route flaps, the router configured for route dampening in another AS assigns the route a penalty of 1000. Penalties are cumulative. The penalty for the route is stored in the BGP routing table until the penalty exceeds the suppress limit. At that point, the route state changes from "history" to "damp."

● Damp state — In this state, the route has flapped so often that the router will not advertise this route to BGP neighbors.

● Suppress limit — A route is suppressed when its penalty exceeds this limit. The default value is 2000.

● Half-life — Once the route has been assigned a penalty, the penalty is decreased by half after the half-life time, which is 15 minutes by default. The penalty is reduced at 5-second intervals.

● Reuse limit — As the penalty for a flapping route decreases and falls below this reuse limit, the route is unsuppressed. That is, the route is added back to the BGP table and once again used for forwarding. The default reuse limit is 750. The process of unsuppressing routes occurs at 10-second increments. Every 10 seconds, the router finds out which routes are now unsuppressed and advertises them to the world.

● Maximum suppress limit — This value is the maximum amount of time a route can be suppressed. The default value is 4 times the half-life.
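The timeline these values produce, as an added Python example (not code from the manual or the device). It uses the defaults listed above and assumes that a route is released when the maximum suppress time expires even if its penalty is still high; the flap times are constructed.

```python
"""Timeline of BGP route-flap dampening with the default values from this section."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DampeningParams:
    flap_penalty: float = 1000.0    # penalty added on each flap
    suppress_limit: float = 2000.0  # route is damped when the penalty exceeds this
    reuse_limit: float = 750.0      # route is reused when the penalty falls below this
    half_life_s: int = 15 * 60      # penalty halves over this many seconds
    decay_tick_s: int = 5           # penalty is reduced every 5 seconds
    reuse_tick_s: int = 10          # suppressed routes are re-checked every 10 seconds
    max_suppress_factor: int = 4    # maximum suppress time = 4 x half-life


def simulate(flap_times_s, duration_s, params=DampeningParams()):
    """Return [(time_s, event, penalty)], event in {"history", "damp", "reuse"}.

    Assumption of this example: when the maximum suppress time expires the
    route is released even if its penalty is still above the reuse limit.
    """
    flaps = set(flap_times_s)
    per_tick = 0.5 ** (params.decay_tick_s / params.half_life_s)
    max_suppress_s = params.max_suppress_factor * params.half_life_s
    penalty, state, damped_at = 0.0, "stable", None
    events = []
    for t in range(duration_s + 1):
        if t > 0 and t % params.decay_tick_s == 0:
            penalty *= per_tick                  # exponential decay step
        if t in flaps:
            penalty += params.flap_penalty       # penalties are cumulative
            if state == "stable":
                state = "history"
                events.append((t, "history", penalty))
            if state == "history" and penalty > params.suppress_limit:
                state, damped_at = "damp", t
                events.append((t, "damp", penalty))
        elif state == "damp" and t % params.reuse_tick_s == 0:
            timed_out = t - damped_at >= max_suppress_s
            if penalty < params.reuse_limit or timed_out:
                state = "history"
                events.append((t, "reuse", penalty))
    return events


def timeline(events):
    """Drop the penalty column: [(time_s, event)]."""
    return [(t, event) for t, event, _ in events]


if __name__ == "__main__":
    scenarios = {
        "two flaps, one minute apart": [0, 60],
        "three flaps, one minute apart": [0, 60, 120],
        "flap every minute for an hour": range(0, 3601, 60),
    }
    for label, flaps in scenarios.items():
        print(label)
        for t, event, penalty in simulate(flaps, 2 * 3600):
            print(f"  t={t:5d}s  {event:8s} penalty={penalty:8.1f}")
```

Two flaps stay below the suppress limit because the first penalty has already decayed; the third flap damps the route for about 29 minutes.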

2) Configuring Route Dampening

In order to configure BGP route dampening, use the following command.

Command Mode Function

bgp dampening Router Activates BGP route dampening.

In order to change the default values of various dampening factors, use the following command.

Command Mode Function

bgp dampening half-life-time [reuse-limit-value] Router Configures various factors for route dampening. Half-life time can be from 1 second to 45 seconds. And, reuse limit can be from 1 to 2,000.


(24) Checking and Managing BGP

The user can delete all entries of a cache, table or database. It is also possible to display specific statistics.

1) Deleting Cache, Table and Database

You can delete all contents of a specific cache, table, or database when some entries are invalid or unreliable. In order to delete a cache, table or database, use the following commands.

Command Mode Function

clear ip bgp {* | ip-address | as-number} [in | out | soft [in | out]] Enable Reconfigures information about BGP neighbor router, AS group, all(*) BGP connections.

2) Displaying System and Network Statistics

You can display specific statistics such as contents of BGP routing table, cache, and database. Information provided can be used to determine resource utilization and solve network problems. You can also display information about node reachability and discover the routing path your device's packets are taking through the network. In order to display various routing statistics, use the following commands.

Command Mode Function

show ip bgp prefix-list name Enable/Global Shows peers to which the prefix has been advertised.

show ip bgp cidr-only Enable/Global Displays all BGP routes including subnetwork and upper network.

show ip bgp community [number | local-AS | no-advertise | no-export] Enable/Global Displays routes belonging to a specific community. Community number is formed as AA:NN.

show ip bgp community-list community-list-name [exact-match] Enable/Global Shows all routes that are permitted by the community list.

show ip bgp community-info Enable/Global Displays all information of BGP community.

show ip bgp filter-list access-list-name Enable/Global Shows routes that are matched by the specified autonomous system route in access list.

show ip bgp regexp regular-expression Enable/Global Shows routes that match the specified regular expression entered on the command line.

show ip bgp attribute-info Enable/Global Shows all information of BGP attributes.

show ip bgp network Enable/Global Shows BGP routing table.

show ip bgp [network] [network -mask [longer-prefix]] Enable/Global Shows BGP routing table. longer-prefix presents more detailed routes.

show ip bgp neighbors [ip-address] Enable/Global Shows detailed information on TCP and BGP connections to individual neighbors.

show ip bgp neighbors ip-address [advertised-routes | received-routes | routes] Enable/Global Shows information about the TCP and BGP connections to neighbors. The advertised-routes option displays all the routes the router has advertised to the neighbor. The received-routes option displays all received routes (both accepted and rejected) from the specified neighbor. The routes option displays all routes that are received and accepted.

show ip bgp paths Enable/Global Shows all BGP routes in database.

show ip bgp summary Enable/Global Shows all BGP connections.

9.2 OSPF Protocol

OSPF (Open Shortest Path First) is an interior gateway protocol developed by the OSPF working group of the IETF (Internet Engineering Task Force). Designed for IP networks, OSPF supports IP subnetting and tagging of information from exterior networks.

Moreover, it supports packet authentication and transmits and receives routing information through IP multicast. It is most convenient to operate OSPF on a layered network.

The first thing you should do on an OSPF network is to configure the border router and the AS boundary router. Then you need to configure the basic settings to operate the OSPF router and the interfaces in each area.

When you customize the OSPF router for the user’s environment, you have to confirm that all configurations are the same in each router.


9.2.1 Enabling OSPF

In order to configure a routing protocol in the router, you need to enter Router configuration mode by taking the following steps.

Step 1 Enter into Router configuration mode.

Command Mode Function

router ospf Global Enters into Router configuration mode.

Step 2 Configure network ID of OSPF. Network ID decides IPv4 address of this network.

Command Mode Function

router-id router-id Router Configures network ID of OSPF.

Step 3 Configure an interface on which OSPF runs and specify the area ID or IP address for that interface.

Command Mode Function

network ip-address /m area {<0-4294967295> | ip-address} Router Configures OSPF area ID. OSPF area ID can be configured from 0 to 4294967295 or as one of the IPv4 addresses.

After enabling OSPF, you can select the following items to configure.

□ Configuring ABR Type

□ Configuring Compatibility

□ Configuring OSPF Interface

□ Configuring OSPF Network Type

□ Configuring Non-broadcast Network

□ Configuring Areas

□ Configuring Representative Route between OSPF Areas

□ Configuring Virtual Link

□ Configuring Default Metric


□ Configuring Interval to Calculate Route

□ Configuring Interval to Transmit Route

□ Route Transmit to OSPF Network

□ Configuring Default Route

□ Configuring OSPF Distance Value

□ Blocking Information Transmit

□ Blocking Renewed Information

□ OSPF Monitoring and Management

9.2.2 Configuring ABR Type

As there are various OSPF versions, OSPF configuration varies from one piece of equipment to another. In order to configure the OSPF protocol of the equipment, configure the equipment type, named ABR, by using the following command. Please note that SURPASS hiD 6610 complies with RFC 2328.

Command Mode Function

abr-type {cisco | ibm | shortcut | standard} Router Configures ABR type.

9.2.3 Configuring Compatibility

Compatibility configuration enables the switch to be compatible with a variety of RFCs that deal with OSPF. Perform the following task to support many different features within the OSPF protocol.

Command Mode Function

compatible rfc1583 Router Supports function defined in RFC 1583.

9.2.4 Configuring OSPF Interface

You can alter certain interface-specific OSPF parameters as needed. You are not required to alter any of these parameters, but some interface parameters must be consistent across all routers in an attached network.

Those parameters are controlled by the “ip ospf hello-interval”, “ip ospf dead-interval”, and “ip ospf authentication-key” commands.

Therefore, if you configure any of these parameters, be sure that the configurations for all routers on your network have compatible values.

Use the following commands to configure user’s environment.

Command Mode Function

ip ospf cost cost Interface Configures cost to transmit packets on OSPF interface. It is recorded as the metric value of the LSA and used to calculate SPF.

ip ospf retransmit-interval second Interface Configures time to transmit route information to router connected to OSPF interface. The default is 5 seconds.

ip ospf transmit-delay second Interface Configures time to provide route information from OSPF interface. Max-age of LSA, meaning available time, increases in proportion to the time to transmit information. The default is 1 second.

ip ospf priority number Interface Configures priority of OSPF router. When high priority is configured, the router becomes the designated router of the network. The default is 1.

ip ospf hello-interval second Interface Configures interval to transmit hello packet from OSPF interface. All routers on same network should have same interval value. The default is 10 seconds.

ip ospf dead-count count Interface Configures the number of hello packets that must be missed before neighbor routers consider the OSPF router to be frozen. All routers on same network should have same value. The default is 4.

ip ospf authentication-key key Interface Configures password for OSPF routers’ authentication on same networks. It can be configured up to 8 alphabet letters.

ip ospf message-digest-key keyed md5 key Interface Configures password to be encrypted to MD5 by OSPF routers. It can be configured up to sixteen characters.

9.2.5 Configuring Network OSPF Type

OSPF networks are divided into three types as follows.

□ Broadcast Network

□ NBMA(Nonbroadcast multi-access) Network

□ Point-to-point Network


It is possible to configure an OSPF network as broadcast type or non-broadcast type. For example, if the user’s network does not support multicasting, it is possible to configure a broadcast network as non-broadcast type. Conversely, it is also possible to configure an NBMA network such as frame relay as broadcast type. To operate a network as NBMA type, all routers should be connected through virtual circuits. However, with the point-to-multipoint function it is possible to connect only some parts of the OSPF network through virtual circuits, so that network management cost can be saved. Two routers that are not directly connected transmit and receive routing information through an intermediate router, so you do not have to configure neighbor routers anymore.

The following are the features of the OSPF point-to-multipoint type.

● IP resources are economized because you do not have to assign neighbor routers and there is no additional process to configure a designated router.

● Management cost is saved because not every router on the network needs to be linked to every other like a spider's thread.

● It can provide more stable network service since it can communicate even when a virtual circuit is disconnected.

In order to configure OSPF network type, use the following command.

Command Mode Function

ip ospf network {broadcast | non-broadcast | (point-to-multipoint | point-to-point)} Interface Configures OSPF network type in OSPF interface.

9.2.6 Configuring Non-broadcast Network

As there might be many routers attached to an OSPF network, a designated router is selected for the network. It is necessary to select the designated router to transmit routing information if broadcast capability is not configured. To configure a router that communicates in non-broadcast type, use the following command.

Command Mode Function

neighbor ip-address [priority <0-255> | poll-interval <1-65535>] Router Configures router communicated by non-broadcast type.


9.2.7 Configuring Area

You can configure several area parameters including authentication, defining stub areas, and assigning specific costs to the default route. Authentication allows password-based protection against unauthorized access to an area. Stub areas are areas into which information on external routes is not sent. Instead, there is a default external route generated by the area border router, into the stub area for destinations outside the autonomous system. To further reduce the number of link state advertisements sent into a stub area, “no-summary” configuration on the ABR is allowed to prevent it from sending summary link advertisement into the stub area.

Use the following commands as you need. The parameter, “area-id” can be formed as IP address or from 0 to 4,294,967,295.

Command Mode Function

area area-id authentication Router Enables authentication for an OSPF area.

area area-id authentication message-digest Router Enables MD5 authentication for an OSPF area.

area area-id stub [no-summary] Router Defines an area to be a stub area.

area area-id default-cost cost Router Assigns a specific cost to the default summary route used for the stub area.

area area-id export-list access-list Router Configures which policy will be transmitted to another area.

area area-id import-list access-list Router Configures a policy used in the other area to be received.

area area-id shortcut {default | disable | enable} Router Configures the shortest route to go through specified area.

9.2.8 Configuring Representative Route between OSPF Areas

Through route summarization, you can configure the ABR to transmit a single summarized route to other areas. In OSPF, the ABR transmits network information of an area to other areas. When the networks’ addresses are in a consecutive range, you can configure a representative address that includes each network as the network route.

In order to configure network’s address, use the following commands.

Command Mode Function

area area-id range {ip-address | ip-address/m} not-advertised Router Configures network range that can be advertised as a representative route. area-id can be from 0 to 4,294,967,295.

area area-id range ip-address {suppress | substitute ip-address} Router Configures network range that does not transmit route information.

9.2.9 Configuring Virtual Link

In OSPF, all areas must be connected to a backbone area. If there is a break in backbone continuity, or the backbone is purposefully partitioned, you can establish a virtual link.

The virtual link must be configured in both routers. The configuration information in each router consists of the other virtual endpoint, and the nonbackbone area that the two routers have in common (called the transit area). Note that a virtual link cannot be configured through stub areas.

In order to create a virtual link, perform the following task in router configuration mode. The parameter, “area-id” can be formed as IP address or from 0 to 4,294,967,295.

Command Mode Function

area area-id virtual-link router-id-address hello-interval time retransmit-interval time transmit-delay time dead-interval time Router Creates virtual link. hello-interval can be configured from 1 to 65535 seconds, retransmit-interval is from 3 to 65535 seconds, transmit-delay is from 1 to 65535 seconds, and dead-interval is from 1 to 255 seconds.

9.2.10 Configuring Default Metric

OSPF calculates the metric based on interface bandwidth. For example, the default metric of a T1 link is 64, but the default metric of a 64K line is 1562.

If there are several lines in the same bandwidth, you can distinguish the cost of using each line by assigning a metric to each line. In order to classify the costs of using a line, use the following command.

Command Mode Function

auto-cost reference-bandwidth reference-bandwidth Router Classifies bandwidth provided by each line. It can be configured from 1Mbit/s to 4,294,967Mbit/s.

9.2.11 Configuring Interval to Calculate Route

After notice of OSPF network organization changed, you can configure interval to calculate route, which

starts calculating ‘the shortest path first’. In order to configure the interval, use the following command.

Command Mode Function

timers spf spf-delay spf-hold Router Configures interval to calculate route. Delay Time and Hold Time can be configured from 0 to 4294967295.

9.2.12 Configuring Route Transmit Interval

The originating router keeps track of its LSAs and refreshes them when the refresh timer is reached. You can configure the refresh time at which OSPF LSAs get refreshed and sent out. In order to do this, use the following command.

Command Mode Function

refresh timer <10-1800> Router Configures interval to renew routing information.

9.2.13 Route Transmit to OSPF Network

Redistributing routes into OSPF from other routing protocols, static, kernel or from connected devices will cause these routes to become OSPF external routes.

In order to redistribute routes into OSPF, use the following tasks associated with route redistribution.

Command Mode Function

redistribute {kernel | connected | static | rip | bgp} [metric value] [metric-type (1|2)] [route-map tag] Router Transmits external route to OSPF network.

default-metric number Router Configures the same metric, from 0 to 16777214, for all external routes transmitted to OSPF.

9.2.14 Configuring Default Route

You can configure an Autonomous System Boundary router to transmit a default route to the OSPF network. An Autonomous System Boundary router transmits routes created externally to the OSPF network. However, it does not create a system default route.

In order to have the Autonomous System Boundary router create a system default route, use the following command.

Command Mode Function

default-information originate [metric value] [metric-type (1|2)] Router Makes Autonomous System Boundary router create system default route in OSPF.

9.2.15 Configuring OSPF Distance

An administrative distance is a rating of the trustworthiness of a routing information source, such as an individual router or a group of routers. Numerically, an administrative distance is an integer between 0 and 255. In general, the higher the value is, the lower the trust rating is. An administrative distance of 255 means the routing information source cannot be trusted at all and should be ignored.

OSPF uses three different administrative distances: intra-area, inter-area, and external. Routes learned through another domain are external, routes to another area in the OSPF domain are inter-area, and routes inside an area are intra-area. The default distance for each type of route is 110.

In order to change any of the OSPF distance values, use the following commands.

Command Mode Function

distance ospf {external distance 1 | inter-area distance 2 | intra-area distance 2} Router Changes OSPF distance value.

9.2.16 Blocking Information Transmit

An interface configured as passive in an OSPF network operates like a stub network. Therefore, OSPF routing information can be neither transmitted nor received on a passive interface. In order to block routing information on an interface, use the following command.

Command Mode Function

passive-interface interface-name Router Configures not to transmit routing information in specified interface.

9.2.17 Blocking Renewed Information

To block OSPF routing information from reaching other routers, configure blocking of renewed routing information. Please note that this function can be configured only for external routes.

In order to block renewed routing information, use the following command.

Command Mode Function

distribute-list name out {bgp | connected | kernel | rip | static} Router Distributes or blocks renewed routing information according to policy configured in Access list.

9.2.18 OSPF Monitoring and Management

You can view all kinds of statistics and databases recorded in the IP routing table. This information can be used to enhance system utility and solve problems in case of trouble.

You can also check the network connection and the routes that data went through when it was transmitted. In order to view routing statistics, use the following commands.

Command Mode Function

show ip ospf Enable/Global Shows overall information about OSPF routing operation.

show ip ospf database option Enable/Global Shows information about OSPF database.

show ip ospf border-routers Enable/Global Shows OSPF routing information to ABR (Area Border Router) and ASBR (Autonomous System Boundary Router).

show ip ospf route Enable/Global Shows routing information recorded in OSPF routing table.

show ip ospf interface interface-name Enable/Global Shows OSPF interface information.

show ip ospf neighbor [neighbor id | interface-name] Enable/Global Shows information of neighbor router communicated with OSPF router.

When network trouble occurs, you can find the cause by using the debugging commands. In order to view OSPF information, use the following commands.

Command Mode Function

debug ospf packet {hello | dd | ls-ack | ls-request | ls-update | all} [send | recv [detail]] Global Shows information of each packet. The information includes OSPF packet and the data.

debug ospf event Global Shows information about OSPF operation such as OSPF neighbor router, transmitted information, deciding destination router, calculating the shortest route, and so on.

debug ospf ism [events | status | timers] Global Shows information transmitted in OSPF internal area and the shortest route.

debug ospf lsa [flooding | generate | refresh] Global Shows information transmitted by OSPF and calculating the shortest route.

debug ospf nsm [events | status | timers] Global Shows information about OSPF neighbor router.

debug ospf nssa Global Shows OSPF NSSA information.

show debugging ospf Global Shows debugging message about OSPF.

9.3 RIP Protocol

RIP (Routing Information Protocol) is a relatively old, but still commonly used, IGP (Interior Gateway Protocol) created for use in small, homogeneous networks. It is a classical distance-vector routing protocol that uses hop count. RIP is documented in RFC 1058.

RIP uses broadcast UDP (User Datagram Protocol) data packets to exchange routing information. The OS software sends routing information updates every 30 seconds. This process is termed advertising. If a router does not receive an update from another router for 180 seconds or more, it marks the routes served by the nonupdating router as being unusable. If there is still no update after 120 seconds, the router removes all routing table entries for the nonupdating router.

The metric that RIP uses to rate the value of different routes is hop count. The hop count is the number of routers that can be traversed in a route. A directly connected network has a metric of zero; an unreachable network has a metric of 16. This small range of metrics makes RIP an unsuitable routing protocol for large networks.

A router that is running RIP can receive a default network via an update from another router that is running RIP, or the router can source (generate) the default network itself with RIP. In both cases, the default network is advertised through RIP to other RIP neighbors.

RIP sends updates to the interfaces in the specified networks. If an interface's network is not specified, it will not be advertised in any RIP update. The system supports RIP version 1 and 2.

9.3.1 Enabling RIP

To use RIP protocol, you should enable RIP.

Step 1 Enter into Router configuration mode by using the following command.

Command Mode Function

router rip Global Enters into Router configuration mode and operates RIP routing protocol.

Step 2 Configure network to operate as RIP.

Command Mode Function

network {ip-address | interface-name} Router Configures network to operate as RIP.

The command “network ip-address” enables RIP on the interfaces whose addresses fall within the specified network address. For example, if the network 10.0.0.0/24 is RIP enabled, all the addresses from 10.0.0.0 to 10.0.0.255 are enabled for RIP. RIP packets are transmitted to the port specified with the command “network interface-name”.

□ Configuring RIP Neighbor Router

□ Configuring RIP Version

□ Creating Static Route available only for RIP

□ Transmitting Routing Information

□ Configuring Metrics for Redistributed Routes

□ Configuring Administrative Distance

□ Configuring Default Route

□ Routing Information Filtering

□ Configuring Time

□ Activating and Deactivating Split-horizon

□ Managing Authentication Key

□ Monitoring and Managing RIP

9.3.2 Configuring RIP Neighbor Router

Since RIP is a broadcast protocol, routers must be connected explicitly in order to transmit RIP routing information to a non-broadcast network. In order to configure a neighbor router to which RIP information is transmitted, use the following command.

Command Mode Function

neighbor ip-address Router Configures neighbor router to transmit routing information.

You can block routing information to specific interface by using passive-interface command.

9.3.3 Configuring RIP Version

Siemens’ routers basically support RIP version 1 and 2. However, you can configure them to receive only version 1 type packets or only version 2 type packets. In order to configure the RIP version, use the following command.

Command Mode Function

version {1 | 2} Router Configures version to transmit one of RIP 1 type packet and RIP 2 type packet.

The preceding task controls default RIP version settings. You can override the router's RIP version by configuring a particular interface to behave differently. To control which RIP version an interface sends, perform one of the following tasks after entering into RIP interface configuration mode.

Command Mode Function

ip rip send version 1 Interface Transmits only RIP version 1 type packet in the interface.

ip rip send version 2 Interface Transmits RIP version 2 type packet on the interface.

ip rip send version 1 2 Interface Transmits RIP version 1 and 2 type packets.

Similarly, to control how packets received from an interface are processed, perform one of the following tasks.

Command Mode Function

ip rip receive version 1 Interface Receives only RIP version 1 type packet in the interface.

ip rip receive version 2 Interface Receives only RIP version 2 type packet on the interface.

ip rip receive version 1 2 Interface Receives RIP version 1 and 2 type packets.

9.3.4 Creating Static Route available only for RIP

This feature is provided only by Siemens. The route command creates a static route available only for RIP. If you are not familiar with the RIP protocol, you had better use the redistribute static command.

Command Mode Function

route ip-address/m Router Creates static route available only for RIP.

9.3.5 Transmitting Routing Information

SURPASS hiD 6610 can redistribute routing information from a source route entry into the RIP tables. For example, you can instruct the router to re-advertise connected, kernel, or static routes as well as routing protocol-derived routes. This capability applies to all the IP-based routing protocols.

In order to redistribute routing information from a source route entry into the RIP table, use the following command.

Command Mode Function

redistribute {connected | kernel | static | ospf | bgp} [metric value | route-map tag] Router Registers transmitted routing information in another router’s RIP table.

You may also conditionally control the redistribution of routes between the two domains using the “route-map” command. In order to define a route map for redistribution, use the following command.

Command Mode Function

route-map tag {deny | permit} sequence-number Global Creates route map.

One or more match and set commands typically follow a route-map command. If there are no match commands, then everything matches. If there are no set commands, nothing is done. Therefore, you need at least one match or set command. To define conditions for redistributing routes from a source route entry into the RIP tables, perform at least one of the following tasks in route-map configuration mode.

Command Mode Function

match interface interface-name Route-map Transmits information to only specified interface.

match ip address {access-list-name | prefix-list ip-address-name} Route-map Transmits information matched with access-list or prefix-list.

match ip next-hop {access-list-name | prefix-list ip-address-name} Route-map Transmits information to only neighbor router in access-list or prefix-list.

match metric metric-value Route-map Transmits information matched with specified metric.

ip next-hop ip-address Route-map Configures Neighbor router address.

metric <1-2147483647> Route-map Configures metric value.

9.3.6 Configuring Metrics for Redistributed Routes

The metrics of one routing protocol do not necessarily translate into the metrics of another. For example, the RIP metric is a hop count and the OSPF metric is a combination of five quantities. In such situations, an artificial metric is assigned to the redistributed route. Because of this unavoidable tampering with dynamic information, carelessly exchanging routing information between different routing protocols can create routing loops, which can seriously degrade network operation.

In order to set metrics for redistributed routes, use the following command.

Command Mode Function

default-metric value Router Configures same metric for all route transmitted by routing protocol.

Information

The metric of every protocol can be configured from 0 to 4294967295. For RIP, it can be configured from 1 to 16.

9.3.7 Configuring Administrative Distance

The distance value represents the trustworthiness of routing information created by a router. In a large-scale network, some routing protocols or routing information may be more trustworthy than other protocols or routers. Therefore, even when a router runs many routing protocols, it can take routing information from the most trustworthy route. When the user configures the distance value, the router can tell where routing information was created. The router always selects the route created by the routing protocol with the smallest distance value. Each network has its own features, so there is no general rule for distance configuration. You should consider the overall network when configuring the distance value.

In order to configure distance value, use the following command.

Command Mode Function

distance value [ip-address/M [access-list-name]] Router Configures distance value.

9.3.8 Creating Default Route

You can force an autonomous system boundary router to generate a default route into an RIP routing domain. Whenever you specifically configure redistribution of routes into an RIP routing domain, the router automatically becomes an autonomous system boundary router. However, an autonomous system boundary router does not, by default, generate a default route into the RIP routing domain.

In order to force the autonomous system boundary router to generate a default route, use the following command.

Command Mode Function

default-information originate Router Forces the autonomous system boundary router to generate a default route into the RIP routing domain.

9.3.9 Routing Information Filtering

You can filter routing protocol information by performing the following tasks.

● Suppress sending of routing updates on a particular router interface. This is done to prevent other systems on an interface from learning about routes dynamically.

● Apply an offset to routing metrics. This is done to provide a local mechanism for increasing the value of routing metrics.

(1) Blocking Outgoing Routing Information to Interface

To prevent other routers on a local network from learning about routes dynamically, you can keep routing update messages from being sent through a router interface. This feature applies to all IP-based routing protocols except BGP.

Command Mode Function

passive-interface interface-name Router Blocks routing information from interface of router.

(2) Configuring Offset List

An offset list is the mechanism for increasing incoming and outgoing metrics to routes learned via RIP. You can limit the offset list with an access list.

In order to increase the value of routing metrics, use the following command.

Command Mode Function

offset-list access-list-name {in | out} metric [interface] Router Applies an offset to routing metrics.

9.3.10 Configuring Time

Routing protocols use several timers that determine such variables as the frequency of routing updates, the length of time before a route becomes invalid, and other parameters. You can adjust these timers to tune routing protocol performance to better suit your internet needs. The default settings for the timers are as follows.

● The update timer is 30 seconds. Every update timer seconds, the RIP process is awakened to send an unsolicited response message containing the complete routing table to all neighboring RIP routers.

● The timeout timer is 180 seconds. Upon expiration of the timeout, the route is no longer valid; however, it is retained in the routing table for a short time so that neighbors can be notified that the route has been dropped.

● The garbage collect timer is 120 seconds. Upon expiration of the garbage-collection timer, the route is finally removed from the routing table.

In order to adjust the timers, use the following command.

Command Mode Function

timers basic update timeout garbage Router Adjusts routing protocol timers.

9.3.11 Activating and Deactivating Split-horizon

Normally, routers that are connected to broadcast-type IP networks and that use distance-vector routing protocols employ the split horizon mechanism to reduce the possibility of routing loops. Split horizon blocks information about routes from being advertised by a router out any interface from which that information originated. This behavior usually optimizes communications among multiple routers, particularly when links are broken. However, with nonbroadcast networks, such as Frame Relay, situations can arise for which this behavior is less than ideal. For these situations, you might want to disable split horizon.

If an interface is configured with secondary IP addresses and split horizon is enabled, updates might not be sourced by every secondary address. One routing update is sourced per network number unless split horizon is disabled.

In order to activate or deactivate split horizon, perform the following tasks in interface configuration mode.

Command Mode Function

ip split-horizon Interface Activates Split horizon.

no ip split-horizon Interface Deactivates Split horizon.

9.3.12 Managing Authentication Key

RIP Version 1 does not support authentication. If you are sending and receiving RIP Version 2 packets, you can enable RIP authentication on an interface.

The key chain determines the set of keys that can be used on the interface. If a key chain is not configured, plain text authentication can be performed using string command.

We support two modes of authentication on an interface for which RIP authentication is enabled: plain text authentication and MD5 authentication. The default authentication in every RIP Version 2 packet is plain text authentication.

Note

Do not use plain text authentication in RIP packets for security purposes, because the unencrypted authentication key is sent in every RIP Version 2 packet. Use plain text authentication when security is not an issue, for example, to ensure that misconfigured hosts do not participate in routing.

In order to configure RIP authentication, use the following commands.

Command Mode Function

ip rip authentication key-chain name Interface Activates RIP authentication.

ip rip authentication mode {text | md5} Interface Configures the interface to use MD5 digest authentication or let it default to simple password authentication.

ip rip authentication string string Interface Configures the interface with plain text authentication. The string must be shorter than 16 characters.
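
The two authentication modes above can be told apart on the wire by the authentication entry at the start of each RIP Version 2 packet. The following Python sketch is an added example, not code from this manual or from the vendor: it classifies RIP payloads using the entry layouts of RFC 2453 (simple password) and RFC 2082 (keyed MD5) and flags unauthenticated updates, plain text keys, and MD5 sequence numbers that go backwards. The function names, addresses, key and packets are constructed for illustration.

```python
import struct

AFI_AUTH = 0xFFFF            # address family that marks an authentication entry
AUTH_TEXT, AUTH_MD5 = 2, 3   # RFC 2453 simple password, RFC 2082 keyed MD5

def classify_rip_auth(payload: bytes) -> dict:
    """Classify the authentication carried by one RIP UDP payload."""
    # 4-byte header followed by 20-byte entries; anything else is malformed.
    if len(payload) < 4 or (len(payload) - 4) % 20:
        return {"auth": "malformed"}
    version = payload[1]
    if version < 2 or len(payload) < 24:
        return {"auth": "none", "version": version}   # RIPv1 cannot authenticate
    afi, auth_type = struct.unpack_from("!HH", payload, 4)
    if afi != AFI_AUTH:
        return {"auth": "none", "version": version}
    if auth_type == AUTH_TEXT:
        # The 16-byte field is the key itself, zero padded, readable by any
        # host on the segment. Only its length is reported here.
        return {"auth": "text", "version": version,
                "key_len": len(payload[8:24].rstrip(b"\x00"))}
    if auth_type == AUTH_MD5:
        _len, key_id, _dlen, seq = struct.unpack_from("!HBBI", payload, 8)
        return {"auth": "md5", "version": version, "key_id": key_id, "seq": seq}
    return {"auth": "unknown", "version": version}

def audit(packets):
    """packets: iterable of (source, payload). Returns [(source, finding)]."""
    findings, last_seq = [], {}
    for src, payload in packets:
        info = classify_rip_auth(payload)
        if info["auth"] in ("malformed", "unknown"):
            findings.append((src, info["auth"] + " RIP payload"))
        elif info["auth"] == "none":
            findings.append((src, "unauthenticated RIPv%d update" % info["version"]))
        elif info["auth"] == "text":
            findings.append((src, "plain text key (%d bytes) on the wire" % info["key_len"]))
        else:
            # RFC 2082: sequence numbers from one sender and key must not decrease.
            key = (src, info["key_id"])
            if info["seq"] < last_seq.get(key, 0):
                findings.append((src, "MD5 sequence number decreased"))
            last_seq[key] = max(info["seq"], last_seq.get(key, 0))
    return findings

# --- constructed sample traffic (documentation addresses, made-up key) ---
def route(metric):
    # AFI 2 (IP), tag 0, 198.51.100.0/24, next hop 0.0.0.0
    return struct.pack("!HH4s4s4sI", 2, 0, bytes([198, 51, 100, 0]),
                       bytes([255, 255, 255, 0]), bytes(4), metric)

def md5_packet(seq, key_id=1):
    auth = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_MD5, 44, key_id, 16, seq)
    trailer = struct.pack("!HH16s", AFI_AUTH, 1, bytes(16))  # digest placeholder, not verified
    return bytes([2, 2, 0, 0]) + auth + route(1) + trailer

V1 = bytes([2, 1, 0, 0]) + route(1)
V2_OPEN = bytes([2, 2, 0, 0]) + route(1)
V2_TEXT = bytes([2, 2, 0, 0]) + struct.pack("!HH16s", AFI_AUTH, AUTH_TEXT, b"labkey") + route(1)
SAMPLE = [("192.0.2.1", V1), ("192.0.2.2", V2_TEXT), ("192.0.2.3", md5_packet(100)),
          ("192.0.2.3", md5_packet(101)), ("192.0.2.3", md5_packet(90)),
          ("192.0.2.4", V2_OPEN)]

if __name__ == "__main__":
    for source, finding in audit(SAMPLE):
        print(source, finding)
```

The classifier does not check the MD5 digest, which requires the shared key; it only reports which scheme each neighbor is using so that interfaces still on plain text or no authentication can be found.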

9.3.13 Monitoring and Managing RIP

You can display specific router statistics such as the contents of IP routing tables, and databases. Information provided can be used to determine resource utilization and solve network problems. You can also discover the routing path your router’s packets are taking through the network.

In order to display various router statistics, use the following commands.

Command Mode Function

show ip rip Enable/Global Shows RIP information being used in router.

show ip route rip Enable/Global Shows routing table information concerned with RIP.

show ip protocols Enable/Global Shows current status of using RIP protocol and the information.

To diagnose problems quickly, the debugging commands are meaningful and useful to customers. Use the following commands to display information on RIP routing transactions.

Command Mode Function

debug rip events Global Shows RIP event such as packet transmit and sending and changed RIP information.

debug rip packet [recv | send] Global Shows more detail information about RIP packet. The information includes address of packet transmission and port number.

debug rip packet [recv | send] detail Global Shows more detail information about RIP packet. The information includes address of packet transmission and port number.

show debugging rip Global Shows all information configured for RIP debugging.
