Page 1: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Technical Knowledge Transfer
John Mead & Tam Nguyen

cnMatrix

Page 2

cnMatrix Features

L2 Switching Features

2017 Copyright Cambium Networks, Ltd. All Rights Reserved

• 802.1Q VLAN and Trunking Support
• 802.1d STP, 802.1w RSTP, 802.1s MST
• PVRST (Per VLAN RSTP)
• STP Enhancements: BPDU Guard, BPDU Edge, Root Guard
• ACL QoS: Mapping/Marking ToS/DSCP, 802.1p, Priority Queue
• Inbound Traffic Policing and Outbound Traffic Shaping
• Storm Control
• Flow Control Per Port
• 802.1ab Link Layer Discovery Protocol (LLDP, LLDP-MED)
• 802.3ad Link Aggregation
• Policy Based Automation
• IGMP Snooping v1/v2/v3 (v3*)
• IGMP Proxy
• Private VLAN Edge
• 802.3af/at PoE
• Mirroring: Port-based, ACL-based
• SNTP
• Port Statistics
• RMON
• Dynamic Voice VLAN assignment*
• RSPAN**
• sFlow**

* Available in 2.1 Release
** Available in Future Release

Page 3

cnMatrix Features

L3 Switching Features

• Routing Between Directly Connected Subnets
• Routed Interfaces
• IPv4 and IPv6* static routes
• Host routes
• DHCP Relay
• RIP v1/v2*
• OSPF v2*
• Route Policy and Redistribution*
• ECMP**
• VRRP**
• Policy Based Routing**
• Layer 3/Layer 4 ACLs**

* Available in 2.1 Release
** Available in Future Release

Page 4

cnMatrix Features

Management Features
• cnMaestro Cloud-based Management
• Industry-standard Command Line Interface (CLI)
• Web Management
• IPv6 Host
• Zero Touch
  • Initial Deployment with cnMaestro
  • Dynamic configuration with Policy Based Automation
• SNMPv1/v2c/v3
• Telnet Client/Server
• Out-of-band Ethernet Management
• SSH/SSH v2
• DHCP Client, Server
• USB File Management and Storage*
• Local/Remote Syslog
• System Resource Monitoring

Security Features
• 802.1X Authentication
• RADIUS/TACACS+
• DHCP Snooping
• MAC-Based and IP-Based ACLs
• Static MAC
• IGMP Filtering
• Local Management User Name/Password
• Dynamic ARP Inspection*
• Protection against Denial of Service (DoS) Attacks**
• Black-hole Routing**
• Neighbor Discovery (ND) Inspection**

* Available in 2.1 Release
** Available in Future Release

Page 5

Getting Started cnMatrix

Page 6

cnMatrix - Getting Connected

Access via Console
• Connect the RJ-45 serial cable to the cnMatrix console port and the PC
• Terminal settings on the PC: Speed = 115200, Data bits = 8, Stop bits = 1, Parity = None, Flow Control = XON/XOFF
• cnMatrix login: admin/admin

Access via SSH
• Connect an RJ-45 Ethernet cable between the cnMatrix OOB port and the PC
• Set the PC's IP address to 192.168.0.10/24
• From the PC, SSH to 192.168.0.1
• cnMatrix login: admin/admin

Access via Web Browser
• Connect an RJ-45 Ethernet cable between the cnMatrix OOB port and the PC
• Set the PC's IP address to 192.168.0.10/24
• From the PC, launch IE/Chrome/Netscape and enter https://192.168.0.1
• cnMatrix login: admin/admin

Note: admin/admin is the factory default credential. Change it before the switch carries production traffic, and manage the switch over SSH/HTTPS rather than the Telnet server listed under Management Features, since Telnet sends the credentials in cleartext.

Page 7

cnMatrix – Initial IP Address

• OOB/MGMT port
  • IP address is 192.168.0.1 (factory default)
  • DHCP is disabled (factory default)
• In-band network ports
  • There is no default IP address (on default VLAN 1)
  • DHCP is enabled by default

Page 8

Essential Operations

Image Download from TFTP Server
cnMatrix# download agent tftp://192.168.0.10/uImage_agent

Save Configuration
• Save in Flash memory
cnMatrix# write startup-config
• Save on TFTP server
cnMatrix# copy startup-config tftp://192.168.0.10/cnMatrix.conf

Boot and Boot Default
cnMatrix# boot –yes
cnMatrix# boot default

Configure IP Address on VLAN 1
cnMatrix(config)# interface vlan 1
cnMatrix(config-if)# ip address 10.10.10.1 255.255.255.0
cnMatrix(config-if)# no shut

Configure VLAN 1 to obtain IP Address from DHCP
cnMatrix(config)# interface vlan 1
cnMatrix(config-if)# ip address dhcp

Note: TFTP has no authentication or encryption, and the saved startup-config carries configured secrets such as RADIUS keys. Run these transfers only over the isolated OOB segment, never across the production network.

Page 9

Trouble Shooting cnMatrix

Page 10

LED Indicators

cnMatrix Logo (Power) LED
• BLINKING – Switch is initializing
• SOLID BLUE – Switch is operational

cnMaestro (Cloud) LED
• OFF – Cloud Management is disabled
• BLINKING – Discovering cnMaestro in the cloud
• SOLID GREEN – Onboarded

Data Port LED – Link Activity (Copper, SFP)
• SOLID GREEN – Link up
• BLINKING – Traffic activity

Data Port LED – Link Activity (SFP+)
• GREEN (LEFT SIDE) – Link up at 10 Gbps
• AMBER (RIGHT SIDE) – Link up at 1 Gbps
• BLINKING – Traffic activity

Data Port LED – PoE Status (Copper)
• OFF – No PoE load
• SOLID AMBER – Active PoE with load

Page 11

Useful CLI ‘show’ Commands

Display system info such as software version, system description etc.
cnMatrix# show system information

Display system resource utilization: CPU, RAM, Flash
cnMatrix# show env all

Display base MAC address, default IP address, IP address config mode etc.
cnMatrix# show nvram

Display a port's MAC address, speed, Rx/Tx counters, link status, statistics
cnMatrix# show interfaces
cnMatrix# show interface status
cnMatrix# show interface description
cnMatrix# show interface counters

Display the current configuration on cnMatrix
cnMatrix# show running-config

Display the MAC address table
cnMatrix# show mac-address-table

Page 12

Useful CLI ‘show’ Commands (Cont’d)

Display VLAN information, VLAN port membership, PVID etc.
cnMatrix# show vlan
cnMatrix# show vlan port gigabitethernet 0/2

Display spanning tree information
cnMatrix# show spanning-tree

Display port channel information
cnMatrix# show etherchannel
cnMatrix# show etherchannel 10 detail

Display PoE information
cnMatrix# show power inline
cnMatrix# show power inline gigabitethernet 0/1

Display LLDP info, neighbors, counters
cnMatrix# show lldp
cnMatrix# show lldp neighbors
cnMatrix# show lldp traffic

Display local IP interfaces, ARP table
cnMatrix# show ip interface
cnMatrix# show ip arp

Page 13

cnMatrix – Trouble Shooting

• Trace Route
• Ping
• Port Mirroring
• Statistics
• RMON
• SNMP Traps
• More to come!!!

Page 14

Typical Switch Deployment

Technical Knowledge Transfer

cnMatrix

Page 15

cnMatrix – Typical Switch Deployment

• Plug in switch
• Get connectivity
  • OOB – default IP
  • In-band – DHCP
• Update to latest image
• Initial configuration
  • Port channel – 802.3ad
  • Port type – Trunk, Hybrid, Access
  • VLANs
  • Port membership
  • 802.1X
  • RADIUS server
  • Create policies (Policy Based Automation)
  • Static routes
• Web GUI

Page 16

cnMatrix – Typical Switch Deployment (cont)

• Port channel configuration
cnMatrix(config)# load-balance src-dest-ip
cnMatrix(config)# interface port-channel 10
cnMatrix(config-if)# no shut
cnMatrix(config-if)# switchport mode trunk
cnMatrix(config)# interface range extreme-ethernet 0/1-4
cnMatrix(config-if-range)# channel-group 10 mode active

• VLAN configuration
cnMatrix(config)# vlan 2
cnMatrix(config-vlan)# ports add gigabitethernet 0/10 untagged gigabitethernet 0/10
cnMatrix(config)# interface gigabitethernet 0/10
cnMatrix(config-if)# switchport pvid 2

Page 17

cnMatrix – Typical Switch Deployment (cont)

• 802.1X configuration
cnMatrix(config)# aaa authentication dot1x default group radius
cnMatrix(config)# radius-server host 10.100.200.10 key my_key_9745
cnMatrix(config)# dot1x system-auth-control
cnMatrix(config)# interface gigabitethernet 0/10
cnMatrix(config-if)# dot1x port-control auto
cnMatrix(config-if)# dot1x host-mode multi-host

Note: the RADIUS key above is a slide placeholder. Use a long random shared secret per switch and keep it out of shared documents; it is the only thing that authenticates the RADIUS server's Access-Accept to the switch. With host-mode multi-host, one successful authentication opens the port for every MAC address behind it (for example a hub or an unmanaged switch), so use it only where that is intended.

• Static route configuration
cnMatrix(config)# interface vlan 2
cnMatrix(config-if)# ip address 10.10.10.2 255.255.255.0
cnMatrix(config-if)# no shut
cnMatrix(config)# ip route 0.0.0.0 0.0.0.0 10.10.10.3
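Added example, not from the Cambium deck and not the switch's own code: a Python model of what the shared secret on the radius-server line actually protects. It builds the Access-Request the switch (NAS) sends for an 802.1X client, then a genuine Access-Accept, a forged one produced without the secret, and a tampered one, and runs the two checks a NAS must perform before honouring a reply: the RFC 2865 Response Authenticator and the RFC 3579 Message-Authenticator that is mandatory when EAP-Message is carried. The secret my_key_9745 from the slide is reused as the constructed secret; the Request Authenticator, user name and EAP payloads are constructed, and a real NAS draws the authenticator from a CSPRNG.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 2869 / RFC 3579)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
HEADER = struct.Struct("!BBH")   # code, identifier, length; a 16-byte authenticator follows


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(raw):
    attrs, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed attribute")
        attrs.append((raw[i], raw[i + 2:i + raw[i + 1]]))
        i += raw[i + 1]
    return attrs


def message_authenticator(secret, code, ident, request_auth, attrs):
    """RFC 3579 section 3.2: HMAC-MD5 over the packet with this attribute zeroed.
    For responses the Access-Request's authenticator is placed in the header."""
    zeroed = [(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    body = encode_attrs(zeroed)
    pkt = HEADER.pack(code, ident, HEADER.size + 16 + len(body)) + request_auth + body
    return hmac.new(secret, pkt, hashlib.md5).digest()


def build_packet(secret, code, ident, request_auth, attrs):
    """Assemble a request or response, adding Message-Authenticator and, for
    responses, the RFC 2865 Response Authenticator in the header."""
    attrs = [(t, v) for t, v in attrs if t != ATTR_MESSAGE_AUTHENTICATOR]
    attrs.append((ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR,
                 message_authenticator(secret, code, ident, request_auth, attrs))
    body = encode_attrs(attrs)
    header = HEADER.pack(code, ident, HEADER.size + 16 + len(body))
    if code == ACCESS_REQUEST:
        return header + request_auth + body
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response(secret, response, request_auth):
    """The checks the switch (NAS) must pass before honouring an Access-Accept."""
    if len(response) < 20:
        return False
    code, ident, length = HEADER.unpack_from(response)
    if code == ACCESS_REQUEST or length != len(response):
        return False
    body = response[20:]
    expected = hashlib.md5(response[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(response[4:20], expected):
        return False                      # wrong secret or tampered packet
    try:
        attrs = decode_attrs(body)
    except ValueError:
        return False
    ma = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(ma) != 1:
        return False                      # mandatory when EAP-Message is carried
    return hmac.compare_digest(ma[0], message_authenticator(secret, code, ident, request_auth, attrs))


def demo(secret=b"my_key_9745", attacker_secret=b"guess"):
    """Constructed exchange: request from the switch, then genuine / forged / tampered replies."""
    request_auth = bytes(range(16))       # constructed; a real NAS uses 16 random bytes per request
    eap_response = b"\x02\x01\x00\x0a\x01alice"   # EAP Response/Identity "alice"
    request = build_packet(secret, ACCESS_REQUEST, 7, request_auth,
                           [(ATTR_USER_NAME, b"alice"), (ATTR_EAP_MESSAGE, eap_response)])
    eap_success = b"\x03\x01\x00\x04"
    genuine = build_packet(secret, ACCESS_ACCEPT, 7, request_auth, [(ATTR_EAP_MESSAGE, eap_success)])
    forged = build_packet(attacker_secret, ACCESS_ACCEPT, 7, request_auth, [(ATTR_EAP_MESSAGE, eap_success)])
    tampered = genuine[:-1] + bytes([genuine[-1] ^ 0x01])
    return {"request_len": len(request),
            "genuine": verify_response(secret, genuine, request_auth),
            "forged": verify_response(secret, forged, request_auth),
            "tampered": verify_response(secret, tampered, request_auth)}
```

The forged reply fails because the attacker cannot compute either MD5-based check without the secret, which is why the secret on the radius-server line must be strong and private: RADIUS over UDP has no other protection, and an attacker who learns it can authorize any port on the switch.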

Page 18

Detailed Feature Description

Technical Knowledge Transfer

cnMatrix

Page 19

cnMatrix – Detailed Feature Description Contents

• Section 1 – L2
• Section 2 – L3
• Section 3 – Management
• Section 4 – Security

Page 20

Detailed Feature Description -L2 Features

Technical Knowledge Transfer

cnMatrix

Page 21

cnMatrix – L2 Features covered in this section

L2 Switching Features

• 802.1Q VLAN and Trunking Support
• 802.1d STP, 802.1w RSTP, 802.1s MST
• PVRST (Per VLAN RSTP)
• STP Enhancements: BPDU Guard, BPDU Edge, Root Guard
• QoS: Priority Maps, Metering, Policing, Shaper, Scheduler, Rate Limiting, ACL
• Storm Control
• Flow Control
• Jumbo Frames
• 802.1ab Link Layer Discovery Protocol (LLDP, LLDP-MED)
• 802.3ad Link Aggregation
• Auto-Attach – Policy Based Automation
• IGMP Snooping/IGMP Proxy
• Private VLAN Edge
• PoE – 802.3af/at
• Mirroring: Port-based, ACL-based
• SNTP
• Port Statistics
• RMON

Page 22

VLAN – IEEE 802.1Q

• IEEE 802.1Q, often referred to as Dot1q, is the networking standard that supports virtual LANs (VLANs) on an IEEE 802.3 Ethernet network.
• The standard defines a system of VLAN tagging for Ethernet frames and the accompanying procedures to be used by bridges and switches in handling such frames.
• VLANs define broadcast domains in a Layer 2 network. A broadcast domain is the set of all devices that will receive broadcast frames originating from any device within the set. The Cambium Networks VLAN component supports the creation of 4066 VLANs on the EX-2028 series and 4084 VLANs on the EX-2010 series.
• VLAN configuration can be done from the CLI, SNMP or the web GUI.
• The VLAN application supports the following types of VLANs:
  1. Port-based VLAN
  2. Port and Protocol-based VLAN

1. Port-based VLAN
• In a port-based VLAN, frames are processed based on the PVID assigned to a port, i.e., the VLAN that port was mapped to. If an untagged frame (no 802.1Q tag present) ingresses a port, the frame is automatically tagged with a VLAN ID equal to the PVID configured on the ingress port. The VLAN tag is kept or stripped at egress depending on whether the egress port is configured as tagged or untagged for that VLAN.

Page 23

VLAN – IEEE 802.1Q

• A port can be set to three different modes of operation: access, trunk and hybrid. The mode defines how the port handles traffic for its VLANs.
  • access – The access port accepts and sends only untagged frames. This kind of port is added as a member of a single VLAN and carries traffic only for the VLAN to which it is assigned.
  • trunk – The trunk port accepts and sends only tagged frames. This kind of port is automatically added as a member of all existing VLANs and of any VLAN created later, and carries traffic for all VLANs. The trunk port accepts untagged frames too if the acceptable frame type is set to all.
  • hybrid – The hybrid port accepts and sends both tagged and untagged frames.

Because a trunk port joins every VLAN automatically, a device plugged into a trunk port can send tagged frames into any VLAN on the switch. Use trunk mode only on links to other switches, and put end devices on access or hybrid ports with an explicit VLAN membership.

2. Port and Protocol-based VLAN
• A protocol-based VLAN processes traffic based on protocol groups created on the switch. A protocol group represents a mapping between a specific protocol and an encapsulation frame type. The protocol group can then be bound to multiple VLAN/port pairs to achieve port- and protocol-based VLAN classification in the switch.
• The protocols that can be configured are: IP, Novell, or other manually configured protocols.
• The encapsulation frame types that can be mapped to the above protocols are: Enet-v2, SNAP, LLCother.

Page 24

VLAN – IEEE 802.1Q – Port-based VLAN configuration and troubleshooting

1. Scenario: three interfaces (Gi 0/1, Gi 0/2 and Gi 0/3) in three different operation modes: Gi 0/1 an access port, Gi 0/2 a trunk port and Gi 0/3 a hybrid port. Also configure three different VLANs, with VIDs 1, 2 and 3.

2. Configuration

Port creation:
cnMatrix(config)# interface gigabitethernet 0/1
cnMatrix(config-if)# switchport acceptable-frame-type untaggedAndPrioritytagged – the acceptable frame type has to be set to untaggedAndPrioritytagged before the port can be made an access port
cnMatrix(config-if)# switchport mode access
cnMatrix(config)# interface gigabitethernet 0/2
cnMatrix(config-if)# switchport mode trunk – the port is automatically added to existing and newly created VLANs
cnMatrix(config)# interface gigabitethernet 0/3
cnMatrix(config-if)# switchport mode hybrid
cnMatrix(config-if)# switchport pvid 3 – set the PVID of the hybrid port to 3, the VLAN to which it will belong

VLAN creation and port assignment:
cnMatrix(config)# vlan 1 – create VLAN 1 and make it active
cnMatrix(config-vlan)# ports add gigabitethernet 0/1 untagged gigabitethernet 0/1 – assign port Gi 0/1 to VLAN 1
cnMatrix(config)# vlan 3 – create VLAN 3 and make it active
cnMatrix(config-vlan)# ports add gigabitethernet 0/3 untagged gigabitethernet 0/3 – assign port Gi 0/3 to VLAN 3
cnMatrix(config)# vlan 2 – create VLAN 2 and make it active (the trunk port Gi 0/2 joins it automatically)

3. Troubleshooting
cnMatrix# show vlan brief – check the VLANs created and the ports' membership
cnMatrix# show vlan port gigabitethernet 0/2 – check the operation mode of an interface
cnMatrix# show interface status – check the interface status
cnMatrix# show interface counters – check ingress/egress counters on each interface

Page 25

VLAN – IEEE 802.1Q – Port and Protocol-based VLAN configuration and troubleshooting

1. Scenario: a single hybrid interface (Gigabitethernet 0/2, PVID 1) assigned to two different VLANs (VLAN 1 and 10). Create a protocol group (IP over Ethernet-v2) and map it to VLAN 10 on interface Gigabitethernet 0/2.

2. Configuration
cnMatrix(config)# protocol-vlan – enable protocol-based VLAN classification globally
cnMatrix(config)# interface gigabitethernet 0/2
cnMatrix(config-if)# port protocol-vlan – enable protocol-based VLAN classification on interface Gi 0/2
cnMatrix(config)# map protocol ip enet-v2 protocol-group 1 – create protocol group 1 with IP as protocol and Ethernet-v2 as encapsulation frame type
cnMatrix(config)# interface gigabitethernet 0/2
cnMatrix(config-if)# switchport map protocol-group 1 vlan 10 – map protocol group 1 to VLAN 10 on interface Gi 0/2

3. Results
• Frames received on interface Gi 0/2 that match the protocol and encapsulation type of protocol group 1 are assigned to VLAN 10 for forwarding.
• Frames received on interface Gi 0/2 that do NOT match protocol group 1 are assigned to VLAN 1 (the PVID) for forwarding.

4. Troubleshooting
cnMatrix# show vlan brief – check the VLANs created and the ports' membership
cnMatrix# show vlan port gigabitethernet 0/2 – check the protocol-based VLAN status on a particular interface
cnMatrix# show vlan protocols-group – check the protocol group table containing the created protocol groups
cnMatrix# show protocol-vlan – check the interface / protocol group / VLAN mapping
cnMatrix# show interface status – check the interface status
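Added example, not from the Cambium deck and not the switch's own code: a Python model of the 802.1Q ingress and egress rules described on the last four slides, covering both the port-based scenario (access, trunk and hybrid ports with their acceptable-frame-type settings) and the protocol-based scenario (IP over Ethernet-II classified into VLAN 10, everything else to the PVID). It parses real 802.1Q tags (TPID 0x8100, PCP and VID in the TCI) from constructed frames, so you can see which frames each port mode drops, which VLAN they land in and whether they leave tagged. Port names, the per-mode default acceptable frame types and the constructed MAC addresses are assumptions for the simulation.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


class Port:
    """One switch port with the 802.1Q settings the slides configure."""

    def __init__(self, name, mode, pvid=1, acceptable=None,
                 vlans=(), untagged=(), protocol_map=None):
        self.name = name
        self.mode = mode                          # "access" | "trunk" | "hybrid"
        self.pvid = pvid
        # assumed per-mode defaults: access = untaggedAndPrioritytagged, trunk = tagged, hybrid = all
        self.acceptable = acceptable or {"access": "untaggedAndPrioritytagged",
                                         "trunk": "tagged", "hybrid": "all"}[mode]
        self.vlans = set(vlans) | {pvid}          # member VLANs (a trunk is in every VLAN)
        self.untagged = set(untagged) | ({pvid} if mode != "trunk" else set())
        self.protocol_map = dict(protocol_map or {})  # {(ethertype, encapsulation): vid}


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    header = struct.pack("!6s6s", dst, src)
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid or None, pcp, ethertype, payload)."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype == TPID_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, tci >> 13, inner, frame[18:]
    return dst, src, None, 0, etype, frame[14:]


def classify_ingress(port, frame, existing_vlans):
    """VLAN the frame is forwarded in, or None when the ingress port drops it."""
    _, _, vid, _, etype, _ = parse_frame(frame)
    tagged = vid not in (None, 0)                 # VID 0 is priority-tagged, treated as untagged
    if tagged and port.acceptable == "untaggedAndPrioritytagged":
        return None
    if not tagged and port.acceptable == "tagged":
        return None
    if tagged:
        if port.mode == "access":
            return None
        member = port.mode == "trunk" or vid in port.vlans
        return vid if member and vid in existing_vlans else None
    # untagged: a protocol-group match wins over the PVID
    encapsulation = "enet-v2" if etype >= 0x0600 else "llc"
    target = port.protocol_map.get((etype, encapsulation), port.pvid)
    return target if target in existing_vlans else None


def egress_frame(port, frame, vid):
    """Frame as sent on `port` in VLAN `vid`, or None if the port is not a member."""
    dst, src, _, pcp, etype, payload = parse_frame(frame)
    if port.mode != "trunk" and vid not in port.vlans:
        return None
    if vid in port.untagged:
        return build_frame(dst, src, etype, payload)
    return build_frame(dst, src, etype, payload, vid=vid, pcp=pcp)


def forward(ingress, frame, ports, existing_vlans):
    """Flood one frame: {port name: egress frame} for every other member port."""
    vid = classify_ingress(ingress, frame, existing_vlans)
    if vid is None:
        return {}
    out = {}
    for port in ports:
        if port is ingress:
            continue
        sent = egress_frame(port, frame, vid)
        if sent is not None:
            out[port.name] = sent
    return out


# Constructed topology: slide 24 ports plus the slide 25 protocol-VLAN port.
VLANS = {1, 2, 3, 10}
GI01 = Port("gi0/1", "access", pvid=1)
GI02 = Port("gi0/2", "trunk")
GI03 = Port("gi0/3", "hybrid", pvid=3)
GI04 = Port("gi0/4", "hybrid", pvid=1, vlans=(10,),
            protocol_map={(ETHERTYPE_IPV4, "enet-v2"): 10})
PORTS = [GI01, GI02, GI03, GI04]
MAC_A, MAC_B = bytes.fromhex("aabbccddeeff"), bytes.fromhex("001122334455")
```

Note what the model makes visible: a tagged frame arriving on the access port is dropped by the acceptable-frame-type check before any VLAN lookup, an untagged frame on the trunk is dropped unless the acceptable frame type is all, and the hybrid port with a protocol group sends IPv4 into VLAN 10 while ARP from the same host stays in VLAN 1.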

Page 26

Spanning-Tree Protocol

• Spanning-Tree Protocol is a mechanism used by switches to prevent Layer 2 loops by disabling one or more links, leaving a single active path between two or more switches.
• STP is defined in the IEEE 802.1D standard.
• cnMatrix supports the legacy Spanning-Tree Protocol only in compatibility mode, which allows it to interoperate with legacy bridges that run it.
• Spanning Tree operation:
  1. Determine the root bridge – the switch advertising the lowest bridge ID (priority first, then MAC address as tie-breaker) becomes the root
  2. Select the root port – each switch selects its single port facing the root (lowest path cost to the root)
  3. Select designated ports – one designated port is selected per segment
  4. Block ports with loops – all ports that are neither root nor designated are blocked

Page 27

Spanning-Tree Protocol – Port States

• Blocking – A port that would cause a switching loop if it were active. No user data is sent or received over a blocking port, but it may go into forwarding mode if the other links in use fail and the spanning tree algorithm determines the port may transition to the forwarding state. BPDUs are still received in the blocking state. Prevents the use of looped paths.
• Listening – Processes BPDUs and awaits possible new information that would cause it to return to the blocking state. It does not populate the MAC address table and it does not forward frames.
• Learning – Still does not forward frames, but populates the MAC address table from received frames so that forwarding can start without flooding (the 802.1D state between Listening and Forwarding).
• Forwarding – A port receiving and sending data in Ethernet frames, normal operation. The forwarding port monitors incoming BPDUs that would indicate it should return to the blocking state to prevent a loop.

Page 28

Spanning-Tree Protocol – Port Roles

• Root Port – Each non-root switch selects this role for its port towards the root.
• Designated Port – The root has all its ports in this role. It is also the forwarding port for every LAN segment.
• Blocking Port – A backup/redundant path to a segment where another switch port already connects.
• Disabled Port – A port has this role if spanning tree is not running on that port.

Page 29

Spanning-Tree Protocol – BPDU Guard

• BPDU Guard protects edge ports from rogue BPDUs.
• On an edge port, BPDUs should never be received: receiving one indicates that another switch (or a host impersonating one) is connected to the port, which can cause a spanning tree loop or an STP topology change.
• When it is enabled, BPDU Guard puts the port in an error-disabled state upon receipt of a BPDU.
• To re-enable the port, the user must remove the source of the BPDUs ingressing the port and then shutdown / no shutdown the port.
• BPDU Filtering, by contrast, disables sending and receiving BPDUs on the port altogether. Loops may occur if the unit is linked to another unit in an STP loop topology, so prefer BPDU Guard on ports that face end devices.

Page 30

Spanning-Tree Protocol – Root Guard

• The Root Guard feature provides a way to enforce the root bridge placement in the network.
• If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root-guard-enabled port, Root Guard moves this port to a root-inconsistent STP state (listening state).
• No traffic is forwarded across this port. In this way, Root Guard enforces the position of the root bridge.

Page 31

Spanning-Tree Protocol – Edge Port

• An edge port connects directly to an end device; therefore, the switch assumes that no other switch is connected to it.
• Edge ports transition immediately to the forwarding state. Edge ports do not generate topology changes.
• An edge port that receives a BPDU immediately loses its edge port status and becomes a normal spanning tree port.
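Added example, not from the Cambium deck and not the switch's own code: a Python model of the BPDU Guard, Root Guard and edge-port rules on the three slides above, together with the root election step from the STP overview. It parses an IEEE 802.1D configuration BPDU from constructed bytes (the same leading layout is used by RSTP BPDUs) and shows how the same rogue BPDU, claiming a better root, is handled by a port with BPDU Guard, a port with Root Guard, and an unprotected edge port. Port names, the state labels and the bridge IDs are constructed for the simulation.

```python
import struct

# IEEE 802.1D configuration BPDU body, after the LLC header (DSAP/SSAP 0x42, ctrl 0x03):
# protocol id, version, type, flags, root id, root path cost, bridge id, port id,
# message age, max age, hello time, forward delay (timers in 1/256 s units).
CONFIG_BPDU = struct.Struct("!HBBB8sI8sHHHHH")
LLC_STP = b"\x42\x42\x03"


def bridge_id(priority, mac):
    """Bridge ID as a comparable tuple; the lowest value wins every STP comparison."""
    return (priority, bytes(mac))


def pack_bridge_id(bid):
    return struct.pack("!H6s", bid[0], bid[1])


def unpack_bridge_id(raw):
    priority, mac = struct.unpack("!H6s", raw)
    return (priority, mac)


def build_config_bpdu(root, root_cost, sender, port_id=0x8001):
    """Constructed BPDU bytes (LLC header + body) for the simulation."""
    return LLC_STP + CONFIG_BPDU.pack(0, 0, 0, 0, pack_bridge_id(root), root_cost,
                                      pack_bridge_id(sender), port_id,
                                      0, 20 * 256, 2 * 256, 15 * 256)


def parse_bpdu(payload):
    """Fields the guards need, or None if this is not an STP/RSTP configuration BPDU."""
    if not payload.startswith(LLC_STP) or len(payload) < len(LLC_STP) + CONFIG_BPDU.size:
        return None
    fields = CONFIG_BPDU.unpack_from(payload, len(LLC_STP))
    proto, _version, btype, flags, root, cost, sender, port_id = fields[:8]
    if proto != 0 or btype not in (0x00, 0x02):       # 0x00 = STP config, 0x02 = RSTP
        return None
    return {"root": unpack_bridge_id(root), "cost": cost,
            "sender": unpack_bridge_id(sender), "port_id": port_id, "flags": flags}


def elect_root(bridge_ids):
    """Step 1 of the STP overview: the lowest (priority, MAC) bridge ID becomes the root."""
    return min(bridge_ids)


class StpPort:
    def __init__(self, name, edge=False, bpduguard=False, rootguard=False):
        self.name, self.edge = name, edge
        self.bpduguard, self.rootguard = bpduguard, rootguard
        # an edge port goes straight to forwarding; other ports start blocking
        self.state = "forwarding" if edge else "blocking"


def receive_bpdu(bridge, port, payload):
    """Apply the edge / BPDU Guard / Root Guard rules from the slides to one received BPDU.

    `bridge` is {"id": bridge_id, "root": bridge_id, "root_port": name or None}
    and is updated in place when a superior root claim is accepted. Only the
    guard decisions are modelled, not the full 802.1D state machine."""
    bpdu = parse_bpdu(payload)
    if bpdu is None:
        return "ignored"
    if port.bpduguard:
        port.state = "error-disabled"      # recover with shutdown / no shutdown
        return "bpduguard"
    if port.edge:
        port.edge = False                  # loses edge status, back to a normal STP port
        port.state = "listening"
    superior = bpdu["root"] < bridge["root"]
    if port.rootguard and superior:
        port.state = "root-inconsistent"   # no traffic forwarded while the superior BPDUs persist
        return "rootguard"
    if superior:
        bridge["root"], bridge["root_port"] = bpdu["root"], port.name
        return "root-changed"
    return "accepted"
```

The unprotected edge port is the case to notice: it silently stops being an edge port and the rogue device becomes the root, which is exactly the topology takeover that BPDU Guard (for host-facing ports) and Root Guard (for ports that should never lead to the root) exist to prevent.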

Page 32

Spanning-Tree Protocol – Configuration and Troubleshooting

• Useful commands for STP:
  • spanning-tree priority – sets the bridge priority
  • spanning-tree hello-time – sets the interval (in seconds) between the transmission of BPDUs
  • spanning-tree disable – disables spanning tree on a particular port
• Useful commands for troubleshooting STP:
  • show spanning-tree
  • show spanning-tree detail
  • show spanning-tree root
  • show spanning-tree interface
  • show spanning-tree vlan

Page 33

Rapid Spanning-Tree

• Rapid Spanning-Tree Protocol (RSTP – 802.1w) is used to guarantee a loop-free network topology.
• It offers a significantly improved convergence time over the standard Spanning-Tree Protocol (STP – 802.1D).
• RST is the default STP operating mode.
• Default values for timers are:
  • Hello – 2 sec
  • Max Age – 20 sec
  • Forward Delay – 15 sec
• Commonly used options:
  • Portfast – configurable per port. Automatically puts the port in forwarding mode. Used for edge ports which are expected to have directly connected end devices.
  • BpduGuard – configurable per port. Automatically puts the port in a disabled state (error-disabled) if BPDUs are received on that port. Used for edge ports which are expected to have directly connected end devices.
  • BpduFilter – configurable per port. Filters all BPDUs on that port, both sent and received.

Page 34

Rapid Spanning-Tree – Config examples

• Change spanning-tree operation mode
cnMatrix(config)# spanning-tree mode { mst | pvrst | rst }

• Configure portfast on an interface
cnMatrix(config)# interface gigabitethernet 0/1
cnMatrix(config-if)# spanning-tree portfast

• Configure BPDU guard on an interface
cnMatrix(config)# interface gigabitethernet 0/1
cnMatrix(config-if)# spanning-tree bpduguard enable

• Configure BPDU filter on an interface
cnMatrix(config)# interface gigabitethernet 0/1
cnMatrix(config-if)# spanning-tree bpdufilter enable

• Show spanning-tree global info
cnMatrix# show spanning-tree

• Show spanning-tree per-port info
cnMatrix# show spanning-tree interface gigabitethernet 0/1

• Show spanning-tree summary
cnMatrix# show spanning-tree summary

Page 35

Multiple Spanning-Tree Protocol

• Multiple Spanning-Tree Protocol is an STP mode which uses BPDUs to exchange information between spanning-tree compatible devices in order to prevent loops in each MSTI (Multiple Spanning Tree Instance) and in the CIST (Common and Internal Spanning Tree), by selecting active and blocked paths.
• MSTP is defined in the IEEE 802.1s standard.
• MSTP uses the Rapid Spanning-Tree algorithm.
• Default timers are:
  • Hello – 2 sec
  • Forward Delay – 15 sec
  • Max Age – 20 sec

Page 36

Multiple Spanning-Tree Protocol

• MSTP works in close association with VLANs. The bridges in the topology can be configured to support different VLANs and these VLANs are in turn mapped to different spanning tree instances. Based on VLAN membership, a port on a bridge may be part of more than one spanning tree.
• When MSTP operates, the port role and port state are calculated for the Common and Internal Spanning Tree context and also separately for each instance of which the port is a member.

Page 37

Multiple Spanning-Tree Protocol

• As MSTP groups and maps VLANs into different spanning tree instances, there is a need to identify the set of VLANs that all use the same spanning tree; this set is what is known as an MSTI.
• Each instance defines a single forwarding topology for an exclusive set of VLANs. By contrast, STP or RSTP networks contain only a single spanning tree instance for the entire network, which covers all VLANs. A region can include:
  • Internal Spanning-Tree Instance (IST): the default spanning tree instance in any MST region. All VLANs in the IST form a single spanning tree topology, allowing only one forwarding path between any two nodes. It also provides the root switch for any VLANs that are not specifically assigned to an MSTI.
  • Multiple Spanning Tree Instance (MSTI): unlike the IST, this kind of instance comprises all static VLANs specifically assigned to it, and must include at least one VLAN.
• While each MSTI can have multiple VLANs, each VLAN can be associated with only one MSTI.

Page 38

Multiple Spanning-Tree Protocol

MSTP port roles:
• Root – provides the minimum cost path from the bridge to the MSTI Regional Root.
• Designated – provides the least cost path from the attached LANs through the bridge to the Regional Root.
• Master – provides connectivity from the region to a CIST Root that lies outside the region. The bridge port that is the CIST Root Port for the CIST Regional Root is the Master port for all MSTIs.
• Alternate or Backup – provides connectivity if other bridges, bridge ports or LANs fail or are removed.

Page 39

Multiple Spanning-Tree Protocol – Configuration and Troubleshooting

• Useful commands for MSTP:
  • spanning-tree mode mst – sets the spanning tree operating mode to Multiple Spanning-Tree Protocol
  • spanning-tree mst configuration – enters the MSTP configuration submode
  • instance 5 vlan 10 – maps VLAN 10 to MSTP instance 5
• Useful commands for troubleshooting MSTP:
  • show spanning-tree mst – displays multiple spanning tree information
  • show spanning-tree mst detail
  • show spanning-tree mst interface

Page 40

Per VLAN Spanning-Tree

• PVRST runs a separate instance of STP on each VLAN.
• This way, ports can have different states for different VLANs, i.e., a port can be blocking in one VLAN and forwarding in another VLAN.
• PVRST supports a maximum of 32 instances, i.e., it can run independently on a maximum of 32 VLANs.
• PVRST is NOT the default STP operating mode.

• Enable PVRST mode
cnMatrix(config)# spanning-tree mode pvrst

• Show spanning-tree per-VLAN info
cnMatrix# show spanning-tree vlan 1

• Show spanning-tree per-port per-VLAN info
cnMatrix# show spanning-tree vlan 1 interface gigabitethernet 0/1

Page 41

Quality of Service (QoS)

• QoS provides the means of doing the following:
  • Traffic policing on ingress and egress
  • Priority remarking – either direct (based on the initial priority) or via traffic policers
  • Class-based queueing and scheduling
  • Traffic shaping
• Although implemented in different hardware functional blocks, QoS works in tight conjunction with the ACL module, which provides a way for the user to classify traffic using custom parameters and feed it to the QoS module.

Page 42

QoS – priority maps

• A “Priority Map” allows the user to remap an incoming priority (802.1p or DSCP) to a new “regenerated” value.

cnMatrix(config)# priority-map 11
cnMatrix(config-pri-map)# map in-priority-type vlanPri in-priority 2 regen-priority 4

cnMatrix(config)# class-map 10
cnMatrix(config-cls-map)# match access-group priority-map 11
cnMatrix(config-cls-map)# set class 10

cnMatrix(config)# policy-map 11
cnMatrix(config-ply-map)# set policy class 10 default-priority-type none
cnMatrix(config-ply-map)# exit
cnMatrix(config)#

Page 43

QoS – queue maps

• The default queue assignment can be changed using the queue-map command.

Example: packets with User Priority 3 are mapped to queue 5
cnMatrix(config)# priority-map 11
cnMatrix(config-pri-map)# map in-priority-type vlanPri in-priority 3 regen-priority 3

cnMatrix(config)# class-map 10
cnMatrix(config-cls-map)# match access-group priority-map 11
cnMatrix(config-cls-map)# set class 10

cnMatrix(config)# queue-map CLASS 10 queue-id 5

cnMatrix(config)# policy-map 11
cnMatrix(config-ply-map)# set policy class 10 default-priority-type none

Page 44

QoS – metering

• Policers work in conjunction with metering and color marking to increase granularity. Metering measures the traffic arrival rate and assigns a color to the traffic according to that rate.
• Two types of meter are supported: srTCM (single-rate three-color marker, RFC 2697) and trTCM (two-rate three-color marker, RFC 2698). The conform, exceed and violate actions of a policy correspond to the meter's green, yellow and red colors.

cnMatrix(config)# meter 1
cnMatrix(config-meter)# meter-type srTCM cir 100000 cbs 1024 ebs 2048
cnMatrix(config)# meter 2
cnMatrix(config-meter)# meter-type trTCM cir 200000 cbs 2048 ebs 4096 eir 220000

cnMatrix(config)# class-map 10
cnMatrix(config-cls-map)# match access-group mac-access-list 12
cnMatrix(config-cls-map)# set class 10

cnMatrix(config)# policy-map 11
cnMatrix(config-ply-map)# set policy class 10 default-priority-type none
cnMatrix(config-ply-map)# set meter 1 conform-action cos-transmit-set 2 exceed-action cos-transmit-set 0 violate-action drop
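Added example, not from the Cambium deck and not the switch's own code: a Python implementation of the two meter types on this slide, srTCM per RFC 2697 (one rate, two buckets filled in sequence) and trTCM per RFC 2698 (separate committed and peak buckets), with the slide's policy actions applied to the resulting colors. It goes slightly beyond the slide by running a constructed burst through meter 1 so the green-to-yellow-to-red transitions and the refill after a pause are visible. The slide's cir/cbs/ebs values are read as bytes per second and bytes, which is an assumption (the CLI's units are not stated), and the trTCM uses RFC 2698's pir/pbs naming rather than the slide's eir/ebs, whose mapping to a peak rate the slide does not give.

```python
class SrTCM:
    """RFC 2697 single-rate three-color marker, color-blind mode."""

    def __init__(self, cir, cbs, ebs, now=0.0):
        self.cir, self.cbs, self.ebs = float(cir), float(cbs), float(ebs)
        self.tc, self.te = self.cbs, self.ebs   # both buckets start full
        self.last = now

    def _refill(self, now):
        tokens = max(0.0, now - self.last) * self.cir
        self.last = now
        to_c = min(tokens, self.cbs - self.tc)  # the committed bucket is filled first
        self.tc += to_c
        self.te = min(self.ebs, self.te + tokens - to_c)  # only the overflow reaches E

    def mark(self, size, now):
        self._refill(now)
        if size <= self.tc:
            self.tc -= size
            return "green"
        if size <= self.te:
            self.te -= size
            return "yellow"
        return "red"


class TrTCM:
    """RFC 2698 two-rate three-color marker: a peak rate/burst on top of the committed pair."""

    def __init__(self, cir, cbs, pir, pbs, now=0.0):
        self.cir, self.cbs = float(cir), float(cbs)
        self.pir, self.pbs = float(pir), float(pbs)
        self.tc, self.tp = self.cbs, self.pbs
        self.last = now

    def _refill(self, now):
        dt = max(0.0, now - self.last)
        self.last = now
        self.tc = min(self.cbs, self.tc + dt * self.cir)
        self.tp = min(self.pbs, self.tp + dt * self.pir)

    def mark(self, size, now):
        self._refill(now)
        if size > self.tp:
            return "red"
        if size > self.tc:
            self.tp -= size
            return "yellow"
        self.tc -= size
        self.tp -= size
        return "green"


# The policy-map on the slide, expressed as color -> action
POLICY_ACTIONS = {"green": "cos-transmit-set 2",    # conform-action
                  "yellow": "cos-transmit-set 0",   # exceed-action
                  "red": "drop"}                    # violate-action


def police(meter, packets, actions=POLICY_ACTIONS):
    """Run (timestamp_s, size_bytes) packets through a meter; return (color, action) pairs."""
    result = []
    for t, size in packets:
        color = meter.mark(size, t)
        result.append((color, actions[color]))
    return result


def demo():
    """Constructed burst through the slide's meter 1 (cir 100000, cbs 1024, ebs 2048,
    assumed to be bytes/s and bytes): seven 512-byte packets at t=0, two more 10 ms later."""
    meter = SrTCM(cir=100000, cbs=1024, ebs=2048)
    burst = [(0.0, 512)] * 7 + [(0.01, 512), (0.01, 512)]
    return [color for color, _ in police(meter, burst)]
```

The burst shows the srTCM shape: the first cbs bytes are green, the next ebs bytes yellow, everything after that red until time passes, and after a 10 ms pause only the committed bucket has refilled (1000 bytes), so one more packet conforms and the next is dropped.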

Page 45

QoS – Policing

• Policers can be used to remark traffic for a specific flow (VLAN priority or IP DSCP).

cnMatrix(config)# class-map 10
cnMatrix(config-cls-map)# match access-group ip-access-list 1
cnMatrix(config-cls-map)# set class 10

cnMatrix(config)# policy-map 11
cnMatrix(config-ply-map)# set policy class 10 default-priority-type ipDscp 20
cnMatrix(config-ply-map)# exit
cnMatrix(config)#

Page 46

QoS – Shaper

• Shapers support only the cir and cbs parameters.

cnMatrix(config)# shape-template 1 cir 100000 cbs 1024
cnMatrix(config)# queue 1 interface gi 0/1 shaper 1

Page 47: cnMatrix – Enterprise Switches Gate 7 Checkpoint

QoS – Scheduler

• 4 types of scheduling algorithms are supported: strict-priority, round robin, weighted round robin, strict-wrr

• Default algorithm is strict-priority cnMatrix(config)# scheduler 1 interface gi 0/1 sched-algo rrcnMatrix(config)# scheduler 2 interface gi 0/2 sched-algo wrrcnMatrix(config)# scheduler 3 interface gi 0/3 sched-algo strict-prioritycnMatrix(config)# scheduler 4 interface gi 0/4 sched-algo strict-wrr

• Configure weight for a queue

cnMatrix(config)# queue 2 interface gi 0/2 weight 40
cnMatrix(config)# queue 8 interface gi 0/4 weight 0

A weight of 0 means strict priority. Modifying the queue weight applies to all ports where the scheduler is mapped.


Page 48: cnMatrix – Enterprise Switches Gate 7 Checkpoint

QoS – Verification

cnMatrix# show priority-map
cnMatrix# show class-map
cnMatrix# show policy-map
cnMatrix# show queue-map
cnMatrix# show qos queue-stats
cnMatrix# show qos queue-stats interface gi 0/1
cnMatrix# show meter
cnMatrix# show meter 1
cnMatrix# show shape-template
cnMatrix# show shape-template 1
cnMatrix# show scheduler
cnMatrix# show scheduler interface gi 0/2
cnMatrix# show queue
cnMatrix# show queue interface gi 0/3


Page 49: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Rate Limiting

• Rate limiting controls the rate of traffic sent or received by a network interface controller and is used to prevent denial of service (DoS) attacks

• Benefits:
  • You implement rate limiting primarily to prevent a denial of service (intentional or otherwise)
  • To limit the impact (or potential) of cascading failure
  • To restrict or meter resource usage

Note: Rate-limiting is not supported on the port-channel interface.


Page 50: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Access Control Lists (ACL)

• The ACL feature provides the means for the user to create rules that match specific traffic based on the information in the packets. The packets matched by the rules can then be dropped, allowed or redirected, or they can be fed to the QoS engine to be policed. Matched packets can also be mirrored to a specific interface so that a network administrator can analyze them.

• An ACL consists of three parts:
  • The rule – a set of fields from the packet, and a set of values that the selected fields have to match
  • The action – what to do with the packets that match the rule (permit, deny, redirect)
  • The interface on which the rule is applied (in the ingress or egress direction)

• There are three types of ACLs:
  • IP ACLs – the rule can consist of the source IP and the destination IP
  • MAC ACLs – the rule can consist of the source and destination MAC addresses, Ethernet type and the VLAN information
  • IP extended ACLs – the rule can consist of the source IP and the destination IP, as well as Layer-4 information for protocols such as UDP (source/destination ports), TCP (ports, TCP flags), ICMP (message code, message type) or any IP type, specified by the IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA).


Page 51: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Access Control Lists (ACL)

• To configure an ACL rule, first decide the type of ACL needed, based on the fields that need to be matched. This example illustrates a rule to block pings coming from port 0/5.

Set the access-list type and ID:

cnMatrix(config)# ip access-list extended 1001

The action is deny, the protocol is ICMP, and the message type and message code are those of ICMP echo request packets. The rule matches any IP source and any IP destination.

cnMatrix(config-ext-nacl)# deny icmp any any message-type 0 message-code 8

cnMatrix(config-ext-nacl)# exit

Go to the target interface:

cnMatrix(config)# interface gigabitethernet 0/5

Bind the ACL to the interface's ingress:

cnMatrix(config-if)# ip access-group 1001 in


Page 52: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Access Control Lists (ACL)

There are two modes of configuring the ACL feature:
• Consolidated – the user configures the entire set of rules, then commits them to the hardware.
• Immediate – the user configures the rules, and they are committed to hardware one by one, as the user enters them.

In immediate mode, the priorities assigned by the user are ignored by the switch and are assigned in the order in which the rules are configured. This mode is not recommended for scenarios with complex rules, in which priorities are relevant.

Let's modify the previous example to make it a little more complex:
• ping requests coming in on port 0/5 are blocked
• ping requests are however permitted to the subnet's gateway

We will accomplish this by using prioritized rules in the ACL. We will create a rule that will drop all ping packets coming in on port 0/5, but we will also create a higher priority rule that will allow ping packets going to a specific IP.


Page 53: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Access Control Lists (ACL)

Set the provisioning mode to consolidated. In this mode, all rules are committed to the hardware at the end.

cnMatrix(config)# access-list provision mode consolidated
cnMatrix(config)# ip access-list extended 1002

Create a rule that will drop ICMP requests:

cnMatrix(config-ext-nacl)# deny icmp any any message-type 0 message-code 8 priority 2

Create a higher priority rule that allows pings to the gateway:

cnMatrix(config-ext-nacl)# permit icmp any host 192.168.0.1 message-type 0 message-code 8 priority 1

cnMatrix(config-ext-nacl)# exit
cnMatrix(config)# interface gigabitethernet 0/5

Bind the ACL to the ingress of port 0/5 and commit the rules to hardware:

cnMatrix(config-if)# ip access-group 1002 in
cnMatrix(config-if)# access-list commit
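The two provisioning modes and the prioritized rules of ACL 1002 above, as an added example that is not Cambium code: a Python model that orders the two rules the way each mode does and evaluates constructed sample packets arriving on port 0/5. Assumptions: a lower priority number wins in consolidated mode (the permit at priority 1 overrides the deny at priority 2, as the slide intends), immediate mode keeps the order in which the rules were entered, and a packet matching no rule is permitted.

```python
"""Added example (not Cambium code): ordering of ACL 1002's rules under the
consolidated and immediate provisioning modes described on the slides.
Packets below are constructed samples, not captures."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ECHO_REQUEST = (8, 0)   # ICMP echo request: type 8, code 0 (RFC 792)


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "icmp", "tcp", "udp" or "any"
    dst: str                         # "any" or one host address
    icmp: Optional[Tuple[int, int]]  # (type, code) to match, or None
    priority: int                    # the "priority N" keyword on the slide
    seq: int                         # order in which the rule was entered

    def matches(self, pkt: Dict[str, object]) -> bool:
        if self.proto != "any" and pkt["proto"] != self.proto:
            return False
        if self.dst != "any" and pkt["dst"] != self.dst:
            return False
        if self.icmp is not None and pkt.get("icmp") != self.icmp:
            return False
        return True


# ACL 1002 as typed on the slide: the deny is entered first (seq 0) with
# priority 2, the gateway permit second (seq 1) with priority 1.
ACL_1002: List[Rule] = [
    Rule("deny",   "icmp", "any",         ECHO_REQUEST, priority=2, seq=0),
    Rule("permit", "icmp", "192.168.0.1", ECHO_REQUEST, priority=1, seq=1),
]


def ordered(rules: List[Rule], mode: str) -> List[Rule]:
    """Consolidated: sort by configured priority (ties keep entry order).
    Immediate: priorities are ignored, entry order is the effective order."""
    if mode == "consolidated":
        return sorted(rules, key=lambda r: (r.priority, r.seq))
    if mode == "immediate":
        return sorted(rules, key=lambda r: r.seq)
    raise ValueError(f"unknown provisioning mode: {mode}")


def evaluate(rules: List[Rule], mode: str, pkt: Dict[str, object]) -> str:
    """First matching rule in effective order decides; no match -> permit (assumed)."""
    for rule in ordered(rules, mode):
        if rule.matches(pkt):
            return rule.action
    return "permit"


# Constructed sample packets arriving on port 0/5
PING_GATEWAY = {"proto": "icmp", "src": "192.168.0.77", "dst": "192.168.0.1",  "icmp": ECHO_REQUEST}
PING_PEER    = {"proto": "icmp", "src": "192.168.0.77", "dst": "192.168.0.50", "icmp": ECHO_REQUEST}
SSH_GATEWAY  = {"proto": "tcp",  "src": "192.168.0.77", "dst": "192.168.0.1",  "dport": 22}

if __name__ == "__main__":
    for mode in ("consolidated", "immediate"):
        print(mode, "ping gateway:", evaluate(ACL_1002, mode, PING_GATEWAY),
              "ping peer:", evaluate(ACL_1002, mode, PING_PEER))
```

In immediate mode the deny, entered first, shadows the gateway permit, which is exactly the case the slide warns about.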


Page 54: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Access Control Lists (ACL)

• MAC access lists can help secure the environment by restricting the access of certain devices to the network, or by restricting obsolete or unwanted L2 protocols

cnMatrix(config)# mac access-list extended 1
cnMatrix(config-ext-macl)# deny any any netbios
cnMatrix(config-ext-macl)# exit
cnMatrix(config)# mac access-list extended 2
cnMatrix(config-ext-macl)# deny host 00:00:00:01:02:03 any
cnMatrix(config-ext-macl)# exit
cnMatrix(config)# interface gigabitethernet 0/1
cnMatrix(config-if)# mac access-group 1 in

• Note: MAC access lists only work when they are applied to the ingress of a port.

Page 55: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Access Control Lists (ACL)

• Note 1: If it is necessary to configure multiple ACL types on the same port, note that their priorities will not be respected in this case. Priorities only assign higher or lower precedence of rules of the same type.

• Note 2: The maximum number of ACLs that can be configured on a system is 128 extended and 128 standard. Also, take into consideration that applying one ACL to 2 ports uses 2 entries.

• Note 3: For an example that uses ACLs to classify traffic into flows to be fed to the QoS engine, please refer to the QoS slides.


Page 56: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Rate Limiting – Config Example

Interface commands:

Configure the rate limiting setting:

Rate-value varies depending on port type:

For 1Gb/s ports, the value is 1,000,000 Kbps.
For 10Gb/s ports, the value is 10,000,000 Kbps.
Burst size value is in multiples of 4096 KBytes and can be configured from 0 to 4095.

cnMatrix(config)# interface gigabitethernet 0/1
cnMatrix(config-if)# rate-limit output rate-value (1-10000000) burst-value (0-4095)

cnMatrix(config)# interface extreme-ethernet 0/1
cnMatrix(config-if)# rate-limit output rate-value (1-10000000) burst-value (0-4095)

Reset the rate limiting setting:

cnMatrix(config)# interface gigabitethernet 0/1
cnMatrix(config-if)# no rate-limit output

cnMatrix(config)# interface extreme-ethernet 0/1
cnMatrix(config-if)# no rate-limit output


Page 57: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Rate Limiting - Verification

• cnMatrix# show interfaces gigabitethernet 0/1 rate-limit
• cnMatrix# show interfaces extreme-ethernet 0/1 rate-limit
• cnMatrix# show interfaces rate-limit


Page 58: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Storm Control

• The Storm Control feature protects the switch from packet flooding by malicious users. Traffic that exceeds the configured threshold rate is dropped.

• Storm control can be applied on unknown Unicast, Multicast (both registered and unregistered) and Broadcast traffic.

• A separate Storm Control rate value cannot be configured for different types of traffic on a port. The value configured on a port applies to all types of traffic for which Storm Control is enabled.

• Storm Control can be applied on physical interfaces and on port-channels.
• Threshold level is counted in pkts/s, and depends on the speed of the link:
  - 10M: effective rate will be the highest multiple of 64 pkts/s lower than the configured level
  - 100M: effective rate will be the highest multiple of 640 pkts/s lower than the configured level
  - 1G: effective rate will be the highest multiple of 6400 pkts/s lower than the configured level
  - 10G: effective rate will be the highest multiple of 64000 pkts/s lower than the configured level

• Example for a 1G port:
  • Any configured level between 0-6399 will not have any impact; traffic will not be limited.
  • For any configured level between 6400-12799, the effective rate will be 6400 pkts/s
  • For any configured level between 12800-19199, the effective rate will be 12800 pkts/s


Page 59: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Storm Control – Config Example

Interface commands:

Configure the storm-control settings:

cnMatrix(config)# interface gigabitethernet 0/1
cnMatrix(config-if)# storm-control dlf level (1-262143)

cnMatrix(config)# interface extreme-ethernet 0/1
cnMatrix(config-if)# storm-control broadcast level (1-262143)

cnMatrix(config)# interface port-channel 1
cnMatrix(config-if)# storm-control multicast level (1-262143)

Reset the storm-control settings:

cnMatrix(config)# interface gigabitethernet 0/1
cnMatrix(config-if)# no storm-control broadcast level
cnMatrix(config-if)# no storm-control dlf level
cnMatrix(config-if)# no storm-control multicast level


Page 60: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Storm Control- Verification

• cnMatrix# show interfaces gigabitethernet 0/1 storm-control
• cnMatrix# show interfaces extreme-ethernet 0/1 storm-control
• cnMatrix# show interfaces storm-control


Page 61: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Flow Control

• Flow Control is a per-port feature that detects packet congestion at its end and notifies the link partner by sending a pause frame.

• By enabling Flow Control, both the Tx (sending of pause frames) and Rx (receiving and obeying pause frames originating from a partner) are enabled.

• To enable Flow Control on an interface:
  • cnMatrix(config-if)# flowcontrol { on | off }

• Note 1: This feature requires that the port is down while the setting is changed.
• Note 2: This feature only works in full-duplex mode.
• Example:


Page 62: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Jumbo Frames

• Jumbo frames improve data transmission efficiency by sending a bigger frame of data instead of the standard one.

• The standard data frame has an MTU of 1500 bytes; a jumbo frame is typically set to an MTU of 9000 bytes when enabled.

• Jumbo frames improve data transmission in two ways:
  • More data is sent out without increasing the overhead
  • Fewer frames mean fewer interrupts, which reduces CPU usage

• Jumbo frames can be configured via CLI, SNMP, WEB (future release), and cnMaestro (future)


Page 63: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Jumbo frames- Configuration and Troubleshooting

• To configure jumbo frames for all interfaces, use the "system mtu" command
  • Example: cnMatrix(config)# system mtu 9000

• To configure jumbo frames on a VLAN or on a single port, enter that interface and use the "mtu" command

• Example:
  cnMatrix(config-if)# shut
  cnMatrix(config-if)# mtu 9000
  cnMatrix(config-if)# no shut

• Every single node within a jumbo-frame-enabled network needs to support jumbo frames; otherwise there is no performance increase

• For information on jumbo frame status, use the following command:
  • cnMatrix# show interfaces mtu


Page 64: cnMatrix – Enterprise Switches Gate 7 Checkpoint

LLDP

• LLDP (Link Layer Discovery Protocol) is a link-layer protocol used by devices to advertise their identity and capabilities to their neighbors on a LAN.

• The communication is done through LLDP Data Units which contain three or more TLVs (type-length-value structures).

• LLDPDUs are consumed by the network device that receives them, i.e. frames received by a switch are not bridged to other devices.

• The TLVs advertised by the switch are configurable by the user on a per-port basis.
• The values advertised in the TLVs are also configurable.
• The transmission timers for LLDPDUs can be finely tuned.
• The switch maintains a table with all the information advertised by the neighbors.
• The configuration and the neighbors table are accessible via CLI, SNMP and WebUI.
• The default LLDP version is v2.

• The protocol is standardized as IEEE 802.1ab and IEEE 802.3-2012 section 6 clause 79.
• A maximum number of 256 neighbors are supported in this release.
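The LLDPDU and TLV structure described above, as an added example that is not Cambium code: a minimal IEEE 802.1AB parser in Python that turns the mandatory and basic TLVs into one neighbor-table entry and rejects truncated or incomplete PDUs. The sample frame is constructed (made-up MAC address and names), not a capture from a cnMatrix switch.

```python
"""Added example (not Cambium code): parse an LLDPDU into a neighbor-table
entry. The sample PDU at the bottom is constructed, not captured."""
import struct
from typing import Any, Dict

# TLV type codes (IEEE 802.1AB)
END_OF_LLDPDU, CHASSIS_ID, PORT_ID, TTL = 0, 1, 2, 3
PORT_DESCR, SYS_NAME, SYS_DESCR, SYS_CAPAB = 4, 5, 6, 7
CHASSIS_SUBTYPE_MAC, PORT_SUBTYPE_MAC = 4, 3
# System capability bits used below (bridge, WLAN access point, router)
CAP_BRIDGE, CAP_WLAN_AP, CAP_ROUTER = 0x04, 0x08, 0x10


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type and 9-bit length in a 16-bit header, then the value."""
    if not (0 <= tlv_type < 128 and len(value) < 512):
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_lldpdu(data: bytes) -> Dict[str, Any]:
    """Walk the TLV chain up to End-of-LLDPDU; raise ValueError on a TLV that
    runs past the PDU or when a mandatory TLV is missing."""
    entry: Dict[str, Any] = {}
    off = 0
    while off + 2 <= len(data):
        (hdr,) = struct.unpack_from("!H", data, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(data):
            raise ValueError(f"TLV type {tlv_type} claims {length} bytes past end of PDU")
        value = data[off:off + length]
        off += length
        if tlv_type == END_OF_LLDPDU:
            break
        if tlv_type in (CHASSIS_ID, PORT_ID):
            if not value:
                raise ValueError("empty Chassis ID / Port ID TLV")
            subtype, ident = value[0], value[1:]
            mac_subtype = CHASSIS_SUBTYPE_MAC if tlv_type == CHASSIS_ID else PORT_SUBTYPE_MAC
            text = _mac(ident) if subtype == mac_subtype else ident.decode("utf-8", "replace")
            entry["chassis_id" if tlv_type == CHASSIS_ID else "port_id"] = text
        elif tlv_type == TTL:
            if length != 2:
                raise ValueError("TTL TLV must be 2 bytes")
            entry["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == PORT_DESCR:
            entry["port_descr"] = value.decode("utf-8", "replace")
        elif tlv_type == SYS_NAME:
            entry["sys_name"] = value.decode("utf-8", "replace")
        elif tlv_type == SYS_DESCR:
            entry["sys_descr"] = value.decode("utf-8", "replace")
        elif tlv_type == SYS_CAPAB:
            if length != 4:
                raise ValueError("System Capabilities TLV must be 4 bytes")
            _supported, enabled = struct.unpack("!HH", value)
            entry["enabled_caps"] = [
                name for bit, name in ((CAP_BRIDGE, "bridge"), (CAP_WLAN_AP, "wlan-ap"), (CAP_ROUTER, "router"))
                if enabled & bit
            ]
        # organizationally specific and other optional TLVs are skipped here
    for key in ("chassis_id", "port_id", "ttl"):
        if key not in entry:
            raise ValueError(f"mandatory TLV missing: {key}")
    return entry


# Constructed sample: what an access point might advertise on one switch port
SAMPLE_LLDPDU = (
    tlv(CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + bytes.fromhex("020000000001"))
    + tlv(PORT_ID, b"\x05eth0")                     # subtype 5 = interface name
    + tlv(TTL, struct.pack("!H", 120))
    + tlv(SYS_NAME, b"ap-lobby-1")
    + tlv(SYS_DESCR, b"cnPilot E430W")
    + tlv(SYS_CAPAB, struct.pack("!HH", CAP_BRIDGE | CAP_WLAN_AP, CAP_WLAN_AP))
    + tlv(END_OF_LLDPDU, b"")
)

if __name__ == "__main__":
    print(parse_lldpdu(SAMPLE_LLDPDU))
```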


Page 65: cnMatrix – Enterprise Switches Gate 7 Checkpoint

LLDP-Configuration

• To enable LLDP on the switch:
  • For the basic functionality, no user configuration is necessary
  • The protocol is enabled by default, however it can be enabled and disabled globally with the following command:
    • cnMatrix(config)# set lldp {enable | disable}
  • The protocol can also be enabled on a per-port basis:
    • cnMatrix(config)# lldp {transmit | receive}

• To set local LLDP information (what is advertised to other devices):

• cnMatrix(config-if)# lldp port-id-subtype { if-alias | port-comp <string(255)> | mac-addr | if-name | local <string(255)> } to configure how the port is identified to other devices (by its management interface, its MAC address, or a locally assigned name)

• cnMatrix(config)# lldp chassis-id-subtype { chassis-comp <string(255)> | if-alias | port-comp <string(255)> | mac-addr | nw-addr | if-name | local <string(255)> } to configure how the chassis is identified to other devices (by its management interface, its MAC address, or a locally assigned name)

• To set advertised TLVs:
  • cnMatrix(config-if)# lldp tlv-select basic-tlv { port-descr | sys-name | sys-descr | sys-capab | mgmt-addr {all | ipv4 <ucast_addr> | ipv6 <ipv6_addr>}}
  • cnMatrix(config-if)# lldp tlv-select dot1tlv {port-vlan-id | protocol-vlan-id {all | <vlan-id>} | vlan-name {all | <vlan-id>} | vid-usage-digest | mgmt-vid | link-aggregation} [mac-address <mac_addr>]
  • cnMatrix(config-if)# lldp tlv-select dot3tlv {macphy-config | link-aggregation | max-framesize}
  • By default, port description, system name, system description and system capabilities are enabled on all ports.


Page 66: cnMatrix – Enterprise Switches Gate 7 Checkpoint

LLDP-Configuration (Continued)

• To fine-tune the LLDP transmission timers:
  • cnMatrix(config)# lldp transmit-interval <seconds(5-32768)>
  • cnMatrix(config)# lldp holdtime-multiplier <value(2-10)>
  • cnMatrix(config)# lldp reinitialization-delay <seconds(1-10)>
  • cnMatrix(config)# lldp tx-delay <seconds(1-8192)>
  • cnMatrix(config)# lldp txCreditMax <value (1-10)>
  • cnMatrix(config)# lldp MessageFastTx <seconds(1-3600)>

• To display the LLDP status and configuration:
  • cnMatrix# show running-config lldp
  • cnMatrix# show lldp
  • cnMatrix# show lldp interface


Page 67: cnMatrix – Enterprise Switches Gate 7 Checkpoint

LLDP – Neighbors

• To display LLDP neighbors:
  • cnMatrix# show lldp neighbors

• TIP: To display all the available information about the neighbors, add the "detail" token to the command


Page 68: cnMatrix – Enterprise Switches Gate 7 Checkpoint

LLDP - peers

• To display specific LLDP peers:

• cnMatrix# show lldp peers [chassis-id <string(255)> port-id <string(255)>] <interface-type> <interface-id>[[mac-address <mac_addr>] [detail]]

• This command allows the user to display only certain peers, filtered by the interface they were learned on, or just a specific peer identified by a chassis-id. The "detail" token can also be added to show complete information.


Page 69: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Port Channel


• Port Channel or Link Aggregation Group (LAG) is a way of bundling multiple Ethernet links together so they act like a single logical link.

• Benefits:
  • Increased reliability and availability – traffic is reassigned to other links when one link goes down
  • Traffic can be load-balanced across the physical links
  • Delivers higher bandwidth than an individual link

• Link Aggregation Control Protocol (802.3ad LACP) – allows the switch to negotiate an automatic bundle by periodically sending LACP packets to the peer.

Page 70: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Port Channel


• Number of port-channels: 8
• Number of links per port-channel: configurable per port-channel (8 max.)
• Port-channel modes: Dynamic (Passive/Active) and Static (On)
• Load-balancing:
  • Hash function based on Src MAC, Dest MAC, Src IP, Dest IP, Src-Dest MAC (default), Src-Dest IP
  • Setting applied to all port-channels

Page 71: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Port Channel – Config Example


cnMatrix(config)# load-balance src-dest-ip
cnMatrix(config)# interface port-channel 10
cnMatrix(config-if)# no shut
cnMatrix(config-if)# max-ports 4 (default = 8)

cnMatrix(config)# interface range extreme-ethernet 0/1-4
cnMatrix(config-if-range)# channel-group 10 mode active

cnMatrix(config)# vlan 2
cnMatrix(config-vlan)# port add port-channel 10

cnMatrix(config)# interface port-channel 10
cnMatrix(config-if)# switchport pvid 2

cnMatrix(config)# interface range gigabitethernet 0/1-4
cnMatrix(config-if-range)# lacp port-priority 10

Page 72: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Port Channel - Troubleshooting


• Link members must be the same speed or autonegotiate.
• Link members must be full duplex.
• Long and short timers must be the same among the peer connections.

• cnMatrix# show etherchannel 10 detail
• cnMatrix# show LACP counters
• cnMatrix# show LACP neighbors
• cnMatrix# show running-config la
• cnMatrix# show interface description
• cnMatrix# show vlan brief
• cnMatrix# show interface descriptor
• cnMatrix# show interface status

Page 73: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Auto-Attach

• Auto-Attach (AA) supports automatic switch configuration based on discovery of connected devices

• Dynamically configures commonly updated port settings (e.g., VLAN membership, default VLAN) when a device is discovered

• Existing port settings (e.g., QoS, VLAN membership) remain unchanged
• Device discovery is port-independent (automates moves, adds and changes)
• Minimal administrator configuration required
• Leverages standard Link Layer Discovery Protocol (802.1ab LLDP) data for device discovery/identification/status

• Dynamic settings cleared and previous settings restored following device disconnect (expiration, link down) and system reset

• Auto-Attach controlled through CLI for first release


Page 74: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Auto-Attach

• Global and per-port control of Auto-Attach operation
• Enabled by default globally and on all access ports

• Administrator identifies device detection data and settings to be updated upon device discovery using AA policies, rules and actions

• Device detection data: LLDP fields to examine, device identification string data
• Dynamic settings to be updated on the port on which the device is detected:
  • VLAN membership (up to 20 VLANs). VLANs are dynamically created if necessary
  • Native VLAN (for received untagged traffic)
  • Port mode (Hybrid, Access, Trunk)

• Detection policy supports precedence and enable/disable for precise administrator control

• Initial support for 50 administrator-defined AA policies, rules and actions
• Precedence range 1..100 (default precedence 50), with policies at the same precedence level evaluated "simultaneously"


Page 75: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Auto-Attach – Configuration Example

cnMatrix(config)# auto-attach policy cnPilot match LLDP-ANY cnPilot set vlan 10,20,30 pvid 30
cnMatrix(config)# auto-attach policy wlan match LLDP-CAP wlan set vlan 100,200 prec 50

cnMatrix(config)# auto-attach rule cnPilotDetect LLDP-SYS-DESC "cnPilot E430W"
cnMatrix(config)# auto-attach rule "All WLANs" LLDP-CAP wlan
cnMatrix(config)# auto-attach action cnPilotVlans vlan 10,20,30 pvid 30
cnMatrix(config)# auto-attach action lowPriorityVlans vlan 100,200 pvid 100
cnMatrix(config)# auto-attach policy cnPilot match rule cnPilotDetect action cnPilotVlans precedence 10
cnMatrix(config)# auto-attach policy "All WLANs" match rule "All WLANs" action lowPriorityVlans precedence 20

cnMatrix(config)# no auto-attach
cnMatrix(config-if)# no auto-attach


Page 76: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Auto-Attach - Troubleshooting

• Verify feature operation is enabled globally and on access ports:
  • cnMatrix# show auto-attach global
  • cnMatrix# show auto-attach interface

• Verify local LLDP and connected device LLDP status:
  • cnMatrix# show lldp
  • cnMatrix# show lldp traffic
  • cnMatrix# show lldp neighbor detail

• Verify device detection and action criteria:
  • cnMatrix# show auto-attach rule
  • cnMatrix# show auto-attach action
  • cnMatrix# show auto-attach policy

• Clear current settings to start fresh (global or port-based):
  • cnMatrix(config)# no auto-attach
  • cnMatrix(config)# auto-attach
  • cnMatrix(config-if)# no auto-attach
  • cnMatrix(config-if)# auto-attach


Page 77: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Internet Group Management Protocol (IGMP)

• Internet Group Management Protocol is a protocol used by hosts and adjacent routers on IPv4 networks to establish multicast group membership. It can be used for one-to-many networking applications.

• Various IGMP modes are supported:
  • IGMP Snooping
  • Timing: Query Interval, Init Value
  • Querier, Query Interval, Send Query
  • Proxy Reporting, Report-Suppression-Interval, Proxy
  • Filter – Profile
  • Fast Leave
  • mRouter
  • Display Commands

• IGMP modes are configurable via CLI, WEB, cnMaestro (future)
• IGMP must be enabled globally prior to mode configuration


Page 78: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Internet Group Management Protocol (IGMP)

• IGMP Snooping:
  • Enable the IGMP Snooping feature globally on the switch with the following command:
    • cnMatrix(config)# ip igmp snooping enable

  • To enable IGMP Snooping only on a desired VLAN, use the following command:
    • cnMatrix(config)# ip igmp snooping vlan 10

  • Disable the IGMP Snooping feature globally:
    • cnMatrix(config)# no ip igmp snooping

  • Disable IGMP Snooping on a specific VLAN:
    • cnMatrix(config)# no ip igmp snooping vlan 1


Page 79: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Internet Group Management Protocol (IGMP)

• Init Value:
  • Startup-query-count: the initial value startup-query-count sets the number of query messages to be sent when the switch boots up configured as a querier. The value you can choose is between 2 and 5. The following commands do that:
    • cnMatrix(config)# vlan 1
    • cnMatrix(config-vlan)# ip igmp snooping startup-query-count 5
  • Startup-query-interval: the initial value startup-query-interval sets the time period in which the general queries are sent by the switch when it boots up configured as a querier. The interval is between 15 and 150 and it must be less than the query interval divided by 4.
    • cnMatrix(config)# vlan 2
    • cnMatrix(config-vlan)# ip igmp snooping startup-query-interval 30


Page 80: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Internet Group Management Protocol (IGMP)

• Querier
  • If the switch is configured as a querier, it will send IGMP query messages. It will send general query messages with the chosen IP, the switch IP or the VLAN IP.
    • cnMatrix(config)# vlan 1
  • Unicast IP:
    • cnMatrix(config-vlan)# ip igmp snooping querier 1.1.1.1
  • VLAN interface IP:
    • cnMatrix(config-vlan)# ip igmp snooping querier address
  • Switch IP:
    • cnMatrix(config-vlan)# ip igmp snooping querier

• Query Interval:
  • This option tunes the query interval so that the network is not flooded with discovery query messages. The value is between 60 and 600.
    • cnMatrix(config)# vlan 1
    • cnMatrix(config-vlan)# ip igmp snooping query-interval 125

• Send Query:
  • With this feature enabled, the switch is able to generate IGMP general query messages to relearn the topology if the hosts have changed, using the following command:
    • cnMatrix(config)# ip igmp snooping send-query enable

Page 81: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Internet Group Management Protocol (IGMP)

• IGMP Proxy-Reporting is mutually exclusive with Report-Suppression-Interval, so it must be enabled together in order to work.

• With proxy-reporting enabled, the switch helps the multicast router learn the host information of the multicast group. It forwards the packets based on group information.

  • cnMatrix(config)# ip igmp snooping proxy-reporting

• Report-Suppression-Interval: the switch will forward IGMP report messages to the multicast group. A timer starts immediately after forwarding the report. In this interval the switch will not forward another IGMP report message to the same multicast group. The interval is between 1 and 25.
  • cnMatrix(config)# ip igmp report-suppression-interval 10

• Proxy:
  • This feature is used for learning group membership information from hosts on the downstream interface, then forwarding the multicast packets with the substituted information to the upstream interfaces. The switch sends a general query to all downstream interfaces at the query interval and collects information about the member ports.
    • cnMatrix(config)# ip igmp snooping proxy


Page 82: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Internet Group Management Protocol (IGMP)

• IGMP Filter
  • Enable:
    • The following command enables the IGMP filter feature on the switch:
      • cnMatrix(config)# ip igmp snooping filter

  • Max-Groups:
    • Set the maximum number of multicast groups to be learned on the interface:
      • cnMatrix(config)# interface gigabitethernet 0/2
      • cnMatrix(config-if)# ip igmp max-groups 5

  • Enter a profile:
    • With the following command you can enter a filtering profile to modify its parameters:
      • cnMatrix(config)# ip igmp profile 10

  • Range:
    • A range is used to filter the traffic; the following commands make the switch permit / deny (allow / drop packets) in the specified range:
      • cnMatrix(config)# ip igmp profile 10
      • cnMatrix(config-profile)# range 226.0.1.2 227.3.3.4


Page 83: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Internet Group Management Protocol (IGMP)

• Permit profile
  • The following command permits (allows) multicast traffic (packets) to go through the switch:
    • cnMatrix(config-profile)# permit

• Deny profile
  • The following command denies (drops) multicast traffic (packets) going through the switch:
    • cnMatrix(config-profile)# deny

• Activate profile
  • The following command activates the profile; if edited, a profile must be re-activated to take effect:
    • cnMatrix(config-profile)# profile active

• Add interface to filter:
  • With the following commands you can add a multicast profile to an interface:
    • cnMatrix(config)# interface gigabitethernet 0/2
    • cnMatrix(config-if)# ip igmp filter 10


Page 84: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Internet Group Management Protocol (IGMP)

• Fast Leave
  • The following commands process leave messages using the Fast Leave mechanism:
    • cnMatrix(config)# interface gigabitethernet 0/4
    • cnMatrix(config-if)# ip igmp snooping leavemode fastLeave

• mRouter:
  • Configures a list of multicast router ports for a desired VLAN when IGMP snooping is globally enabled. This can be done with the following commands:
    • cnMatrix(config)# vlan 10
    • cnMatrix(config-vlan)# ip igmp snooping mrouter gigabitethernet 0/1


Page 85: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Internet Group Management Protocol (IGMP)

• Display IGMP snooping global information:
  • cnMatrix# show ip igmp snooping globals

• Display IGMP snooping information:
  • cnMatrix# show ip igmp snooping


• Display IGMP snooping statistics:
  • cnMatrix# show ip igmp snooping statistics

• Display IGMP snooping group information:
  • cnMatrix# show ip igmp snooping groups

• Display IGMP snooping forwarding database information:
  • cnMatrix# show ip igmp snooping forwarding-database


Page 86: cnMatrix – Enterprise Switches Gate 7 Checkpoint

PVLAN-Edge

• PVLAN-edge is used to better control the flow of L2 traffic on the switch.

• When a port has protected status it no longer forwards any traffic (unicast, multicast, broadcast) to any other port that is also protected and on the same switch.

• The feature only has local significance; there is no isolation between ports on different switches.

• Between two protected ports only L2 traffic is restricted.


Page 87: cnMatrix – Enterprise Switches Gate 7 Checkpoint

PVLAN-Edge – Config Example

• Configuring ports as protected:
  • cnMatrix(config)# interface range Gigabitethernet 0/1-24
  • cnMatrix(config-if)# switchport protected

• Disabling protected status:
  • cnMatrix(config)# interface range Gigabitethernet 0/1-24
  • cnMatrix(config-if)# no switchport protected


Page 88: cnMatrix – Enterprise Switches Gate 7 Checkpoint

PVLAN-Edge – Show command

• Show port protected status:
  • cnMatrix# show vlan port gig 0/1

Vlan Port configuration table
--------------------------------------------------------------
Port Gi0/1
Port Vlan ID                    : 1
Port Acceptable Frame Type      : Admit All
Port Mac Learning Status        : Enabled
Port Ingress Filtering          : Enabled
Port Mode                       : Hybrid
Port-and-Protocol Based Support : Enabled
Default Priority                : 0
Port Protected Status           : Enabled
Ingress EtherType               : 0x8100
Egress EtherType                : 0x8100
---------------------------------------------------------------


Page 89: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Power Over Ethernet

• PoE (Power over Ethernet) is used to power devices connected directly to the switch's copper ports (such as wireless access points, IP cameras and VoIP phones) over standard CAT5 or CAT6 Ethernet cables.

• It supports the 802.3af and 802.3at standards, so it can deliver up to 30W per port.

• The PoE power budget, or available power, depends on the switch model:
  • 400W for EX2028-P
  • 100W for EX2010-P

• PoE is enabled by default, both globally and per port.

• Devices are powered regardless of the administrative state of the port, i.e. PoE works even if the port is in shutdown state.

• PoE can be configured only from the CLI for the moment.

• PoE priority can be configured on a per-port basis. The available options are critical, high and low; low is the default.

• When the power budget is exceeded, ports are denied power based on their priority. If the decision has to be made between ports with equal priority, the port with the biggest port number is denied power.
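As an added illustration (not Cambium code), the following Python models the admission rule above for the two budgets listed: it gives the order in which ports lose power and which ports stay powered once the budget is exceeded. The port draws are constructed, and the way power is shed (drop ports in denial order until the total fits) is an assumption; only the priority/port-number rule and the budgets come from the slide.

```python
from dataclasses import dataclass

# Priority order used when power must be denied: "low" ports lose power
# first, "critical" ports last (rank 0 is the most protected).
PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}
MAX_PORT_W = 30.0                                     # 802.3at per-port limit
BUDGET_W = {"EX2028-P": 400.0, "EX2010-P": 100.0}    # budgets from the slide


@dataclass
class PoePort:
    number: int              # 1 for gigabitethernet 0/1, and so on
    draw_w: float            # power the attached device needs, in watts (constructed)
    priority: str = "low"    # cnMatrix default is "low"
    enabled: bool = True     # False models "power inline never"


def denial_order(ports):
    """Port numbers in the order they lose power: lowest priority first and,
    among equal priority, the biggest port number first (the slide's rule)."""
    active = [p for p in ports if p.enabled]
    ranked = sorted(active, key=lambda p: (-PRIORITY_RANK[p.priority], -p.number))
    return [p.number for p in ranked]


def allocate_poe(ports, budget_w):
    """Return (powered, denied) lists of port numbers for one budget.

    Assumption: when the summed draw exceeds the budget, ports are shed in
    denial_order() until the remaining draw fits. Ports with PoE disabled
    never count against the budget.
    """
    active = {p.number: p for p in ports if p.enabled}
    for p in active.values():
        if p.draw_w > MAX_PORT_W:
            raise ValueError(f"port {p.number}: {p.draw_w} W exceeds the 802.3at limit")
    total = sum(p.draw_w for p in active.values())
    denied = []
    for number in denial_order(ports):
        if total <= budget_w:
            break
        total -= active[number].draw_w
        denied.append(number)
    powered = [n for n in active if n not in denied]
    return sorted(powered), sorted(denied)


if __name__ == "__main__":
    # Constructed deployment: four 30 W devices plus a small one on an EX2010-P.
    demo = [PoePort(1, 30.0, "critical"), PoePort(2, 30.0, "high"),
            PoePort(3, 30.0), PoePort(4, 30.0), PoePort(5, 8.0),
            PoePort(6, 15.5, enabled=False)]
    print("denial order:", denial_order(demo))
    print("EX2010-P:", allocate_poe(demo, BUDGET_W["EX2010-P"]))
```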


Page 90: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Power Over Ethernet – Config Examples

• Modify priority on a port:
  cnMatrix(config)#interface gigabitethernet 0/1
  cnMatrix(config-if)#power inline priority critical

• Disable PoE on a port:
  cnMatrix(config)#interface gigabitethernet 0/1
  cnMatrix(config-if)#power inline never

• Enable PoE on a port:
  cnMatrix(config)#interface gigabitethernet 0/1
  cnMatrix(config-if)#power inline auto

• Display PoE per-port info:
  cnMatrix(config)#show power inline

• Display PoE global details:
  cnMatrix#show power detail

• Display PoE per-port measurements info:
  cnMatrix#show power inline measurements


Page 91: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Port Mirroring

• Port mirroring is used on the switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port.

• Various mirroring modes are supported:
  • Port Based Mirroring, RX/TX or Both
  • Many To One Mirroring, RX/TX or Both
  • VLAN – Source VLAN, Destination Port
  • Src/Dest MAC Mirroring through use of ACL
  • Src/Dest IP Mirroring through use of ACL

• Number of monitor sessions: 7 (only one session can use an ACL)
• Monitor sessions are configurable via CLI, WEB (future), cnMaestro (future)
• Mirroring must be enabled globally prior to mode configuration
• A port-channel can NOT be the source or destination in a monitor session
• Only one ACL based mirroring session is supported


Page 92: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Port Mirroring – Config Examples

• Enable mirroring on the switch:
  cnMatrix(config)# set mirroring enable

• Port Based:
  cnMatrix(config)# monitor session 1 source interface gigabitethernet 0/3 tx (rx, both)
  cnMatrix(config)# monitor session 1 destination interface gigabitethernet 0/4

• Many-To-One:
  cnMatrix(config)# monitor session 2 source interface gigabitethernet 0/1 both
  cnMatrix(config)# monitor session 2 source interface gigabitethernet 0/2 both
  cnMatrix(config)# monitor session 2 source interface gigabitethernet 0/3 both
  cnMatrix(config)# monitor session 2 source interface gigabitethernet 0/4 both
  cnMatrix(config)# monitor session 2 source interface gigabitethernet 0/5 both
  cnMatrix(config)# monitor session 2 source interface gigabitethernet 0/6 both
  cnMatrix(config)# monitor session 2 destination interface gigabitethernet 0/10

• VLAN Based:
  cnMatrix(config)# monitor session 1 source vlan 2 rx (tx, both)
  cnMatrix(config)# monitor session 1 destination interface gigabitethernet 0/2


Page 93: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Port Mirroring – Config Examples

• Src/Dest MAC address through use of ACL example:
  • Configure a MAC based ACL to permit unicast traffic from a host with a source MAC address of 00:00:00:00:00:10 to a host with a destination MAC address of 00:00:00:00:00:20:
    cnMatrix(config)# mac access-list extended 1
    cnMatrix(config-ext-macl)# permit host 00:00:00:00:00:10 host 00:00:00:00:00:20 priority 1
    cnMatrix(config)# interface Gigabitethernet 0/6
    cnMatrix(config-if)# mac access-group 1 in

• Create the monitoring configuration:
  cnMatrix(config)#monitor session 3 source mac-acl 1
  cnMatrix(config)#monitor session 3 destination interface gigabitethernet 0/5

• Src/Dest IP through use of ACL example:
  • Configure an IP based ACL to permit unicast traffic from a host with a source IP address of 10.0.0.1 to a host with a destination IP address of 10.0.0.2:
    cnMatrix(config)#ip access-list standard 1
    cnMatrix(config-ext-macl)# permit host 10.0.0.1 host 10.0.0.2 priority 1
    cnMatrix(config)# interface Gigabitethernet 0/6
    cnMatrix(config)# ip access-group 1 in

• Create the monitoring configuration:
  cnMatrix(config)#monitor session 1 source ip-acl 1
  cnMatrix(config)#monitor session 1 destination interface gigabitethernet 0/2

• Display all monitor sessions:
  cnMatrix# show monitor session all


Page 94: cnMatrix – Enterprise Switches Gate 7 Checkpoint

SNTP client

• SNTP (Simple Network Time Protocol) is a simplified version, or subset, of the NTP protocol. It is used to synchronize the time and date on cnMatrix by contacting an SNTP server. The administrator can choose whether to set the system clock manually or to enable SNTP. If SNTP is enabled, the SNTP implementation discovers the SNTP server and gets the time from it.

• cnMatrix has only the SNTP client feature.

• SNTP operates in any of the following modes:
  • Unicast addressing mode - the SNTP client sends unicast SNTP requests and synchronizes the clock with the response received from the SNTP server.
  • Broadcast addressing mode - the SNTP client does not send any SNTP request. It waits for SNTP response messages from broadcast servers and synchronizes the clock from the response received from one of them.
  • Manycast addressing mode - the SNTP client first sends an SNTP request to the configured broadcast/multicast address, then synchronizes the clock from the first response received. Once the response is received, the operation of manycast addressing mode is the same as unicast addressing mode.
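Added example, not part of the cnMatrix software: a minimal RFC 4330 unicast client in Python that builds the request and validates the reply before trusting it, including the originate-timestamp match that keeps a unicast-mode client from accepting stray or replayed replies. The server side is a constructed test double; no network I/O is performed.

```python
import struct

NTP_EPOCH_OFFSET = 2_208_988_800          # seconds from 1900-01-01 to 1970-01-01
SNTP_PACKET = struct.Struct("!BBBb11I")   # 48-byte SNTP message (RFC 4330)
MODE_CLIENT, MODE_SERVER = 3, 4


def to_ntp_ts(unix_time):
    """Unix seconds (float) -> (NTP seconds, 32-bit fraction)."""
    whole = int(unix_time)
    return whole + NTP_EPOCH_OFFSET, int((unix_time - whole) * 2**32) & 0xFFFFFFFF


def from_ntp_ts(secs, frac):
    return (secs - NTP_EPOCH_OFFSET) + frac / 2**32


def build_request(send_time):
    """Unicast request: LI=0, VN=4, mode=3, only the transmit timestamp set.
    Returns (packet, transmit timestamp) so the reply can be matched later."""
    xmit = to_ntp_ts(send_time)
    flags = (0 << 6) | (4 << 3) | MODE_CLIENT
    fields = [flags, 0, 0, 0] + [0] * 9 + list(xmit)
    return SNTP_PACKET.pack(*fields), xmit


def parse_response(pkt, sent_xmit, recv_time):
    """Validate a unicast reply and compute clock offset and round-trip delay.
    Raises ValueError for anything a client must not synchronize to."""
    if len(pkt) < SNTP_PACKET.size:
        raise ValueError("short SNTP packet")
    f = SNTP_PACKET.unpack_from(pkt)
    mode, stratum = f[0] & 0x07, f[1]
    orig, recv, xmit = (f[9], f[10]), (f[11], f[12]), (f[13], f[14])
    if mode != MODE_SERVER:
        raise ValueError(f"unexpected mode {mode}")
    if stratum == 0:
        raise ValueError("kiss-o'-death reply; stop polling this server")
    if stratum > 15:
        raise ValueError(f"invalid stratum {stratum}")
    if orig != sent_xmit:
        # The server must echo our transmit timestamp; a mismatch means a
        # stale, duplicated or unsolicited reply, which is discarded.
        raise ValueError("originate timestamp does not match our request")
    if xmit == (0, 0):
        raise ValueError("server transmit timestamp is zero")
    t1, t2, t3 = from_ntp_ts(*orig), from_ntp_ts(*recv), from_ntp_ts(*xmit)
    t4 = recv_time
    return {"stratum": stratum,
            "offset": ((t2 - t1) + (t3 - t4)) / 2,   # RFC 4330 section 5
            "delay": (t4 - t1) - (t3 - t2)}


def fake_server_response(request, recv_time, xmit_time, stratum=2):
    """Constructed stand-in for the SNTP server (test double, not a server)."""
    req = SNTP_PACKET.unpack_from(request)
    flags = (0 << 6) | (4 << 3) | MODE_SERVER
    fields = ([flags, stratum, req[2], -20, 0, 0, 0x4C4F434C]  # refid "LOCL"
              + list(to_ntp_ts(recv_time))      # reference timestamp
              + [req[13], req[14]]              # originate = client transmit
              + list(to_ntp_ts(recv_time))      # receive timestamp
              + list(to_ntp_ts(xmit_time)))     # transmit timestamp
    return SNTP_PACKET.pack(*fields)


if __name__ == "__main__":
    # Constructed exchange: client sends at T1=1000.0, server stamps 1001.0,
    # client receives at T4=1001.0 -> offset +0.5 s, delay 1.0 s.
    req, xmit = build_request(1000.0)
    print(parse_response(fake_server_response(req, 1001.0, 1001.0), xmit, 1001.0))
```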


Page 95: cnMatrix – Enterprise Switches Gate 7 Checkpoint

SNTP client – Config Examples

• SNTP is not enabled by default. To enable and use the SNTP client, the following steps must be taken:
  • Step 1: Set the client addressing mode. The recommended setting is unicast mode because of its better security. To use unicast addressing mode, the following steps must be taken:
    • Step 1.1: Set a unicast server:
      Example: cnMatrix(config-sntp)# set sntp unicast-server ipv4 20.0.0.1
    • Step 1.2: Set the SNTP client addressing mode to unicast:
      cnMatrix(config-sntp)# set sntp client addressing-mode unicast
  • Step 2: Enable the SNTP client:
    cnMatrix(config-sntp)# set sntp client enabled
  • Step 3: Set NTP as the source for the system clock:
    cnMatrix(config)# clock time source ntp


Page 96: cnMatrix – Enterprise Switches Gate 7 Checkpoint

SNTP client – Troubleshooting

• To view the clock, call:
  cnMatrix# show clock
  or
  cnMatrix# show sntp clock

• For information regarding SNTP packets, issue the following command:
  cnMatrix# show sntp statistics

• For information regarding the SNTP client status, issue the following command:
  cnMatrix# show sntp status

• For information regarding the SNTP client unicast addressing mode, call:
  cnMatrix# show sntp unicast-mode status


Page 97: cnMatrix – Enterprise Switches Gate 7 Checkpoint

RMON

• Remote monitoring (RMON) provides the summary information on the network traffic, including error statistics and performance statistics

• RMON operates in a client/server model.

• RMON probes support the following RMON groups:
  • Ethernet Statistics Group
  • Ethernet History Group
  • Alarm Group
  • Event Group

• The feature is supported in CLI and Web.


Page 98: cnMatrix – Enterprise Switches Gate 7 Checkpoint

RMON – Config Examples

• Configure the device to log an event when the alarm monitoring ifInUcastPkts exceeds an absolute value of 1000000:
  cnMatrix(config)# rmon enable
  cnMatrix(config)# rmon event 2 description "High Ucast Packets" log owner user1
  cnMatrix(config)# rmon alarm 1 1.3.6.1.2.1.2.2.1.11.1 60 absolute rising-threshold 1000000 falling-threshold 900000
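Added example (not cnMatrix code): a Python model of the alarm configured above, polling ifInUcastPkts with absolute samples, rising threshold 1000000 and falling threshold 900000, both bound to event 1 as in the show rmon alarms output on the next slide. The hysteresis and startup semantics follow RFC 2819, and the delta sample type is included as a generalization; the sample values fed in are constructed.

```python
RISING, FALLING = "rising", "falling"


class RmonAlarm:
    """RFC 2819 style alarm: poll one MIB object and fire an event on each
    threshold crossing, with hysteresis (no second rising event until the
    falling threshold has been crossed, and vice versa)."""

    def __init__(self, oid, interval, sample_type, rising, falling,
                 rising_event, falling_event, startup="risingOrFalling"):
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if falling >= rising:
            raise ValueError("falling threshold must be below rising threshold")
        if startup not in ("rising", "falling", "risingOrFalling"):
            raise ValueError("bad startup alarm type")
        self.oid, self.interval, self.sample_type = oid, interval, sample_type
        self.rising, self.falling = rising, falling
        self.rising_event, self.falling_event = rising_event, falling_event
        self.startup = startup
        self.last_raw = None      # previous counter reading (delta sampling)
        self.last_value = None    # previous sampled value (after delta)
        self.armed = {RISING: True, FALLING: True}   # hysteresis state
        self.log = []             # (timestamp, direction, value, event id)

    def sample(self, raw, timestamp):
        """Feed one polled value; return (event id, direction) or None."""
        if self.sample_type == "delta":
            if self.last_raw is None:
                self.last_raw = raw
                return None       # two readings are needed to form a delta
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw
        first = self.last_value is None
        fired = None
        if value >= self.rising and self.armed[RISING]:
            # A crossing is either the very first sample (when the startup
            # setting allows a rising alarm) or a step from below the threshold.
            if (first and self.startup != "falling") or \
               (not first and self.last_value < self.rising):
                fired = self._fire(RISING, value, timestamp)
        elif value <= self.falling and self.armed[FALLING]:
            if (first and self.startup != "rising") or \
               (not first and self.last_value > self.falling):
                fired = self._fire(FALLING, value, timestamp)
        self.last_value = value
        return fired

    def _fire(self, direction, value, timestamp):
        event = self.rising_event if direction == RISING else self.falling_event
        self.armed[direction] = False                          # wait for the other crossing
        self.armed[FALLING if direction == RISING else RISING] = True
        self.log.append((timestamp, direction, value, event))
        return event, direction


# The alarm from the slide: ifInUcastPkts.1, every 60 s, absolute samples.
def slide_alarm():
    return RmonAlarm("1.3.6.1.2.1.2.2.1.11.1", 60, "absolute",
                     rising=1000000, falling=900000,
                     rising_event=1, falling_event=1)


if __name__ == "__main__":
    alarm = slide_alarm()
    # Constructed counter readings, one per 60 s poll.
    for t, v in enumerate([950000, 1000000, 999000, 1000001, 900000, 1000000]):
        print(t * 60, v, alarm.sample(v, t * 60))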


Page 99: cnMatrix – Enterprise Switches Gate 7 Checkpoint

RMON – Config Examples

• Show commands:
  cnMatrix# show rmon events

Event 1 is active, owned by user1
Description is High Ucast Packets
Event firing causes log,
Time last sent is Mar 25 00:12:00 2018

  cnMatrix# show rmon alarms

RMON is enabled
Alarm 1 is active, owned by
Monitors 1.3.6.1.2.1.2.2.1.11.1 every 60 second(s)
Taking absolute samples, last value was 0
Rising threshold is 1000000, assigned to event 1
Falling threshold is 900000, assigned to event 1
On startup enable rising or falling alarm
Logging Event With Description : High Ucast Packets


Page 100: cnMatrix – Enterprise Switches Gate 7 Checkpoint

RMON – Config Examples

• Configure statistics monitoring on an interface:
  cnMatrix(config-if)# rmon collection stats 1 owner user 1
  cnMatrix# show rmon statistics 1

RMON is enabled
Collection 1 on Gi0/1 is active, and owned by user1,
Monitors by Gi0/1 interface which has
Received 111331701 octets, 1739527 packets,
8 broadcast and 11 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 0 collisions.
0 out FCS errors and 0 Drop events,
# of packets received of length (in octets):
64: 1739603, 65-127: 7, 128-255: 17,
256-511: 1, 512-1023: 0, 1024-1518: 0,
1519-1522: 0


Page 101: cnMatrix – Enterprise Switches Gate 7 Checkpoint

RMON – Config Examples

• Configure history collection on an interface:
  cnMatrix(config-if)# rmon collection history 1 interval 10 owner user1
  cnMatrix# show rmon history overview

RMON is enabled
Entry 1 is active, and owned by user1
Monitors ifEntry.1.1 every 10 second(s)
Requested # of time intervals, ie buckets, is 50,
Granted # of time intervals, ie buckets, is 50,
Number of history collection on interface: 1


Page 102: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Detailed Feature Description - L3 Features

Technical Knowledge Transfer

cnMatrix

Page 103: cnMatrix – Enterprise Switches Gate 7 Checkpoint

cnMatrix – L3 Features covered in this section

L3 Switching Features


• Routing Between Directly Connected Subnets
• Routed Interfaces
• IPv4 static routes
• DHCP Relay

Page 104: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Inter-Vlan Routing

• Inter-VLAN routing is a feature that allows traffic to move from one network segment to another based on a Layer 3 process that can be implemented either with a router or with a Layer 3 switch interface.

• Benefits:
  • The use of Inter-VLAN routing (a layer 3 device) provides a method for controlling the flow of traffic between network segments, including network segments created by VLANs.

• Inter-VLAN routing features:
  • Routing - the process of selecting a path for traffic in a network, or between or across multiple networks.
  • IP echo-reply - operates by sending Internet Control Message Protocol (ICMP) echo request packets to the target host and waiting for an ICMP echo reply.
  • IP redirects - used by routers to notify the hosts on the same Ethernet segment that a better route is available for a particular destination.


Page 105: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Inter-Vlan Routing

• IP directed broadcast - This command enables forwarding of directed broadcasts. The IP directed broadcast is an IP packet whose destination is a valid IP subnet address, but the source is from a node outside the destination subnet.

• IP mask-reply - This command enables sending ICMP Mask Reply messages. The IP mask reply is an ICMP message sent by the router to the host informing the subnet mask of the network. This reply is in correspondence to a request sent by the host seeking the subnet mask of the network.

• IP unreachables - This command enables the router to send an ICMP unreachable message to the source if the router receives a packet that has an unrecognized protocol or no route to the destination address. ICMP provides a mechanism that enables a router or destination host to report an error in data traffic processing to the original source of the packet. This informs the source that the packet is dropped.


Page 106: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Inter-Vlan Routing – Config Example

cnMatrix# configure terminal
cnMatrix(config)# vlan 20
cnMatrix(config-vlan)# name VLAN_IT
cnMatrix(config-vlan)# exit
cnMatrix(config)# vlan 30
cnMatrix(config-vlan)# name VLAN_Accounting
cnMatrix(config-vlan)# exit
cnMatrix(config)# interface vlan 20
cnMatrix(config-if)# ip address 20.20.20.1 255.255.255.0
cnMatrix(config-if)# no shutdown
cnMatrix(config-if)# exit
cnMatrix(config)# interface vlan 30
cnMatrix(config-if)# ip address 30.30.30.1 255.255.255.0
cnMatrix(config-if)# no shutdown


Page 107: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Inter-Vlan Routing – Config Example

cnMatrix(config-if)# exit
cnMatrix(config)# ip echo-reply
cnMatrix(config)# ip routing
cnMatrix(config)# ip mask-reply
cnMatrix(config)# ip redirects
cnMatrix(config)# ip unreachables
cnMatrix(config)# interface vlan 200
cnMatrix(config-if)# ip directed-broadcast

Reset the settings:

cnMatrix(config)# no ip echo-reply
cnMatrix(config)# no ip routing
cnMatrix(config)# no ip mask-reply
cnMatrix(config)# no ip redirects
cnMatrix(config)# no ip unreachables
cnMatrix(config)# interface vlan 200
cnMatrix(config-if)# no ip directed-broadcast
cnMatrix(config-if)# no ip address 20.20.20.1 255.255.255.0
cnMatrix(config)#no interface vlan 20


Page 108: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Inter-Vlan Routing - Troubleshooting

• cnMatrix# show running-config
• cnMatrix# show ip route
• cnMatrix# show ip route connected
• cnMatrix# show ip route static
• cnMatrix# show ip interface
• cnMatrix# show ip interface Extreme-Ethernet
• cnMatrix# show ip interface Gigabitethernet
• cnMatrix# show ip interface vlan
• cnMatrix# show vlan brief
• cnMatrix# show vlan ascending


Page 109: cnMatrix – Enterprise Switches Gate 7 Checkpoint

ARP

• The Address Resolution Protocol is used to dynamically discover and maintain the mapping between a layer 3 (protocol) address and a layer 2 (hardware) address.

• ARP entries are cached in the ARP table.

• The switch is able to learn ARP entries from ARP requests for its own IP addresses, and also from ARP replies received in response to its own ARP requests.

• Static ARP entries are also configurable.


Page 110: cnMatrix – Enterprise Switches Gate 7 Checkpoint

ARP – Config Example

• Maximum number of ARP request retries:
  cnMatrix(config)# ip arp max-retries (2-10)

• ARP cache timeout:
  cnMatrix(config)# arp timeout (30-86400)

• Configure a static ARP entry on an SVI:
  cnMatrix(config)# arp 1.1.1.1 00:00:01:02:03:04 vlan 1

• Configure a static ARP entry on a routed port:
  cnMatrix(config)# arp 2.2.2.2 00:00:11:22:33:44 gigabitethernet 0/2

• Delete a static ARP entry:
  cnMatrix(config)# no arp 1.1.1.1

• Clear the ARP table:
  cnMatrix(config)# clear ip arp


Page 111: cnMatrix – Enterprise Switches Gate 7 Checkpoint

ARP - Verification

• cnMatrix# show ip arp
• cnMatrix# show ip arp summary
• cnMatrix# show ip arp information
• cnMatrix# show ip arp vlan 1
• cnMatrix# show ip arp gigabitethernet 0/2
• cnMatrix# show ip arp 00:00:11:22:33:44
• cnMatrix# show ip arp statistics


Page 112: cnMatrix – Enterprise Switches Gate 7 Checkpoint

ARP Proxy

• The Proxy ARP capability makes the router answer ARP requests intended for another node in the network. By faking its identity, the router accepts responsibility for routing packets to the real destination. Proxy ARP helps machines on a subnet reach remote subnets without the need to configure routing or a default gateway.

• The router acts as a proxy for ARP requests to target IP addresses whose network address is the same as that of any of the IP addresses configured on its interfaces.

• Proxy ARP can be enabled or disabled per IP interface. By default, Proxy ARP is disabled on all interfaces.

• On any interface, the router does not send a reply and silently ignores ARP requests for any IP addresses other than its own when Proxy ARP is disabled on the receiving interface or on the interface on which the target IP address lies.
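Added example, not cnMatrix code: a Python function that applies the decision rules above to an ARP request received on one interface, returning whether the switch answers for itself, answers as a proxy, or stays silent, and why. Interface names, addresses and MACs are constructed; the rule that the router does not proxy for targets on the requester's own segment is an assumption beyond the slide (it is how proxy ARP is normally implemented).

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface


@dataclass
class L3Interface:
    name: str               # "vlan20" (SVI) or "gi0/2" (routed port); constructed
    address: str            # e.g. "20.20.20.1/24"
    mac: str                # MAC the switch answers ARP with on this interface
    proxy_arp: bool = False  # cnMatrix default: disabled

    @property
    def iface(self):
        return IPv4Interface(self.address)


def arp_decision(interfaces, in_if_name, target_ip):
    """Decide how the router handles an ARP request for target_ip that
    arrived on in_if_name.

    Returns (action, detail): action is "reply-own", "proxy-reply" or
    "silent"; detail is the MAC used in the reply or the reason for silence.
    """
    target = IPv4Address(target_ip)
    by_name = {i.name: i for i in interfaces}
    in_if = by_name[in_if_name]

    # A request for one of the router's own addresses is ordinary ARP, not proxy.
    if any(i.iface.ip == target for i in interfaces):
        return "reply-own", in_if.mac

    # The interface "on which the target IP address lies" (slide wording):
    # the target shares a network with one of the configured addresses.
    target_if = next((i for i in interfaces if target in i.iface.network), None)
    if target_if is None:
        return "silent", "target is not in any connected subnet"
    if target_if.name == in_if.name:
        # Assumption beyond the slide: hosts on the requester's own segment
        # answer for themselves, so the router never proxies for them.
        return "silent", "target is on the requesting segment"
    if not in_if.proxy_arp:
        return "silent", f"proxy ARP disabled on receiving interface {in_if.name}"
    if not target_if.proxy_arp:
        return "silent", f"proxy ARP disabled on {target_if.name} where the target lies"
    return "proxy-reply", in_if.mac


# Constructed router: two SVIs with proxy ARP on, one routed port left at default.
IFS = [L3Interface("vlan20", "20.20.20.1/24", "00:00:00:00:00:20", proxy_arp=True),
       L3Interface("vlan30", "30.30.30.1/24", "00:00:00:00:00:30", proxy_arp=True),
       L3Interface("gi0/2", "2.2.2.1/24", "00:00:00:00:00:02")]

if __name__ == "__main__":
    for in_if, tgt in [("vlan20", "30.30.30.5"), ("vlan20", "2.2.2.9"),
                       ("gi0/2", "30.30.30.5"), ("vlan20", "20.20.20.1")]:
        print(in_if, tgt, arp_decision(IFS, in_if, tgt))
```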


Page 113: cnMatrix – Enterprise Switches Gate 7 Checkpoint

ARP Proxy – Config Example

• Enable proxy ARP on an SVI:
  cnMatrix(config)# interface vlan 1
  cnMatrix(config-if)# ip proxy-arp

• Enable proxy ARP on a routed port:
  cnMatrix(config)# interface gigabitethernet 0/2
  cnMatrix(config-if)# ip proxy-arp

• Disable proxy ARP:
  cnMatrix(config-if)# no ip proxy-arp


Page 114: cnMatrix – Enterprise Switches Gate 7 Checkpoint

ARP Proxy - Verification

• cnMatrix# show ip proxy-arp


Page 115: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Static Routes – Config Example

• To route IP traffic destined for the network 10.10.20.0/24 via the next hop 192.168.1.1, the following command can be used:

cnMatrix(config)#ip route 10.10.20.0 255.255.255.0 192.168.1.1

• Static routes can also be added using an already configured SVI or a routed port as the next hop:

cnMatrix(config)# ip route 10.10.20.0 255.255.255.0 Vlan20

cnMatrix(config)# ip route 10.10.20.0 255.255.255.0 Gigabitethernet 0/1

• Static routes configured with an administrative distance:

cnMatrix(config)#ip route 10.10.20.0 255.255.255.0 192.168.1.1 10
cnMatrix(config)#ip route 10.10.20.0 255.255.255.0 192.168.2.1 15


Page 116: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Static Routes - Verification

• cnMatrix# show ip route
• cnMatrix# show ip route static
• cnMatrix# show ip route details
• cnMatrix# show ip route connected
• cnMatrix# show ip route summary


Page 117: cnMatrix – Enterprise Switches Gate 7 Checkpoint

DHCP Relay

• DHCP relay allows the DHCP client and DHCP server in different subnets to communicate with each other, so that the DHCP client can obtain its configuration information.

• The relay agent receives packets from the client, inserts information such as network details, and forwards the modified packets to the server. The server identifies the client’s network from the received packets, allocates the IP address accordingly, and sends reply to the relay. The relay strips the information inserted by the server and broadcasts the packets to the client’s network.


Page 118: cnMatrix – Enterprise Switches Gate 7 Checkpoint

DHCP Relay – Configuration

• Enable DHCP Relay
  • First make sure the DHCP Server service is disabled:
    cnMatrix# show ip dhcp relay information
    cnMatrix(config)# no service dhcp-server

• Start the DHCP Relay service and verify the status:
  cnMatrix(config)# service dhcp-relay
  cnMatrix# show ip dhcp relay information

• Configure the DHCP Server address:
  cnMatrix(config)# ip dhcp server 10.100.200.10

• Configure the circuit-id and remote-id options:
  cnMatrix(config)# ip dhcp relay information option
  cnMatrix(config)# ip dhcp relay circuit-id option vlanid
  cnMatrix(config-if)# ip dhcp relay remote-id "vlan50_clients"
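Added example, not the switch's implementation: Python that performs the two relay steps described on the previous slide on a constructed DHCPDISCOVER, filling giaddr, appending option 82 with a circuit-id carrying the VLAN id and the remote-id string "vlan50_clients" from the configuration above, and stripping option 82 from the server's reply before it goes back to the client. The 2-byte circuit-id encoding, the relay address 10.0.50.1 and the policy of dropping requests that already carry option 82 are assumptions.

```python
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie after the BOOTP header
FIXED_LEN = 236                      # BOOTP fixed header length
OPT_PAD, OPT_RELAY_AGENT, OPT_END = 0, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
BOOTREQUEST, BOOTREPLY = 1, 2
MAX_HOPS = 16                        # RFC 1542: discard when hops exceeds 16


def parse_options(data):
    """Decode the TLV option area into a list of (code, value) pairs."""
    opts, i = [], 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = data[i + 1]
        opts.append((code, bytes(data[i + 2:i + 2 + length])))
        i += 2 + length
    return opts


def encode_options(opts):
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])


def build_option82(vlan_id, remote_id):
    """Relay agent information: circuit-id carries the VLAN id (assumed 2-byte
    big-endian encoding), remote-id the configured string."""
    circuit, remote = struct.pack("!H", vlan_id), remote_id.encode()
    return (bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUB_REMOTE_ID, len(remote)]) + remote)


def _split(pkt):
    if len(pkt) < FIXED_LEN + 4 or pkt[FIXED_LEN:FIXED_LEN + 4] != MAGIC:
        raise ValueError("not a DHCP packet")
    return bytearray(pkt[:FIXED_LEN]), parse_options(pkt[FIXED_LEN + 4:])


def relay_to_server(pkt, relay_ip, vlan_id, remote_id):
    """Client -> server direction: count the hop, fill giaddr, add option 82."""
    hdr, opts = _split(pkt)
    if hdr[0] != BOOTREQUEST:
        raise ValueError("relay_to_server expects a BOOTREQUEST")
    if any(code == OPT_RELAY_AGENT for code, _ in opts):
        # Policy assumption: a client-side request already carrying option 82
        # is not trusted and is dropped rather than forwarded.
        raise ValueError("request already carries option 82; dropped")
    hdr[3] += 1                                   # hops
    if hdr[3] > MAX_HOPS:
        raise ValueError("hop count exceeded; dropped")
    if hdr[24:28] == b"\0\0\0\0":                 # giaddr is set only by the first relay
        hdr[24:28] = IPv4Address(relay_ip).packed
    opts.append((OPT_RELAY_AGENT, build_option82(vlan_id, remote_id)))
    return bytes(hdr) + MAGIC + encode_options(opts)


def relay_to_client(pkt):
    """Server -> client direction: strip option 82 before forwarding the reply."""
    hdr, opts = _split(pkt)
    if hdr[0] != BOOTREPLY:
        raise ValueError("relay_to_client expects a BOOTREPLY")
    opts = [(c, v) for c, v in opts if c != OPT_RELAY_AGENT]
    return bytes(hdr) + MAGIC + encode_options(opts)


def make_discover(xid, client_mac):
    """Constructed DHCPDISCOVER (broadcast flag set, option 53 = 1) for testing."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", BOOTREQUEST, 1, 6, 0, xid, 0,
                      0x8000, b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + encode_options([(53, b"\x01")])


if __name__ == "__main__":
    disc = make_discover(0x12345678, bytes.fromhex("001122334455"))
    fwd = relay_to_server(disc, "10.0.50.1", 50, "vlan50_clients")
    print("to server:", parse_options(fwd[FIXED_LEN + 4:]))
    reply = bytes([BOOTREPLY]) + fwd[1:]          # constructed server echo
    print("to client:", parse_options(relay_to_client(reply)[FIXED_LEN + 4:]))
```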


Page 119: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Detailed Feature Description - Management Features

Technical Knowledge Transfer

cnMatrix

Page 120: cnMatrix – Enterprise Switches Gate 7 Checkpoint

cnMatrix – Management Features covered in this section

Management Features


• Image Download
• Config Save/Restore/Download
• HTTPS/SSL
• Out-of-band Ethernet Management
• SSH/SSH v2
• DHCP Client, Server
• Local/Remote Syslog
• System Resource Monitoring

Page 121: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Image download

• Image download is a feature created for the purpose of cnMatrix upgrade.

• Image download obtains the agent from a remote source and burns it into the switch flash, so that at the next system reboot the image becomes active.

• Image download offers the capability to obtain the agent from a TFTP server, an SFTP server and cnMaestro. In the next release, download will be available from a USB device as well.

• Image download can be called from CLI, SNMP, Web and cnMaestro.


Page 122: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Image download – Usage and Troubleshooting

• To download an agent from a TFTP server, issue the “download agent” command with the tftp option:
  • Example: cnMatrix# download agent tftp://20.0.0.1/cnMatrix.img

• To download an agent from an SFTP server, issue the “download agent” command with the sftp option:
  • Example: cnMatrix# download agent sftp://John:[email protected]/cnMatrix.img

• SFTP offers secure file transmission compared to TFTP, but as a tradeoff it takes a little longer to complete.

• Downloading from a remote server with TFTP needs the TFTP server service to be running on that remote server, and the agent needs to be in the server's tftp directory with third-party read permission.

• Downloading from a remote server with SFTP needs the SFTP server service to be running on that remote server, the agent path to be accessible from the user directory, and the agent needs to have read permission for that user.


Page 123: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Config save/restore/download

• To preserve cnMatrix configurations after the system resets, its settings have to be saved in a file on the flash. This file is referred to as a configuration file, or config file for short.

• Config save is a feature that assures the preservation of configurations by writing them either locally on the flash or on a remote host. These remote hosts can be either a TFTP server or an SFTP server. In the next release, config save will also be able to write to a USB device.

• Config restore handles the restoration of the settings found in the config file at system start-up.

• Config download offers the capability of retrieving a config file from an external source. These sources can be either a TFTP server or an SFTP server. In the next release, config download will also be able to retrieve a file from a USB device.

• All config related operations are accessible from CLI, SNMP and Web.


Page 124: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Config save – Usage Examples

• To request a local config save, one of the following commands has to be called:
  • cnMatrix# write startup-config
  or
  • cnMatrix# copy running-config startup-config

• To request a remote config save to a TFTP server without saving the config locally as well, issue the “write” command with the tftp option:
  • Example: cnMatrix# write tftp://20.0.0.1/config.conf

• To request a remote config save to an SFTP server without saving the config locally as well, issue the “write” command with the sftp option:
  • Example: cnMatrix# write sftp://John:[email protected]/config.conf


Page 125: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Config save – Usage Examples

• To save a copy of the locally saved config on a TFTP server, issue a local config save by calling “write startup-config” or “copy running-config startup-config” and then the “copy startup-config tftp” command:
  • Example:
    cnMatrix# write startup-config
    cnMatrix# copy startup-config tftp://20.0.0.1/config.conf

• To save a copy of the locally saved config on an SFTP server, issue a local config save by calling “write startup-config” or “copy running-config startup-config” and then the “copy startup-config sftp” command:
  • Example:
    cnMatrix# write startup-config
    cnMatrix# copy startup-config sftp://John:[email protected]/config.conf


Page 126: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Config save - Troubleshooting

• SFTP offers secure file transmission compared to TFTP, but as a tradeoff it takes a little longer to complete.

• Config save to a remote server with TFTP needs the TFTP server service to be running on that remote server, and the server's tftp directory needs to have third-party write permission. If the file already exists on the server, it has to have third-party write permission.

• Config save to a remote server with SFTP needs the SFTP server service to be running on that remote server, and the config path needs to be accessible from the user directory and have write permission for that user. If the file already exists on the server, it has to have write permission for that user.


Page 127: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Autosave

• Autosave is a subfeature of config save. Its purpose is to ensure a local config save takes place every time a change in the settings occurs, so all config modifications are preserved without the user having to call a manual save.

• Autosave is not enabled by default. To enable it, the following commands have to be called:
  • cnMatrix(config)# incremental-save enable
  • cnMatrix(config)# auto-save trigger enable
  and then the system must be reset so that they take effect.

• Incremental save makes sure that only the config changes are written into the config file.

• Auto-save trigger enables the autosave task. Autosave needs incremental save because of its triggering mechanism, which determines when a configuration change has happened.

• To see the autosave status, issue the “show nvram” command:
  • Example: cnMatrix# show nvram
  :
  Auto Save : Enable
  Incremental Save : Enable
  :


Page 128: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Config download – Usage Examples

• To trigger a config download from a remote TFTP server, the “copy tftp startup-config” command needs to be called:
  • Example: cnMatrix# copy tftp://20.0.0.1/config.conf startup-config

• To trigger a config download from a remote SFTP server, the “copy sftp startup-config” command needs to be called:
  • Example: cnMatrix# copy sftp://John:[email protected]/config.conf startup-config

• Downloaded configs take effect after a system restart.


Page 129: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Config download - Troubleshooting

• SFTP offers secure file transmission compared to TFTP, but as a tradeoff it takes a little longer to complete.

• Config download from a remote server with TFTP needs the TFTP server service to be running on that remote server, and the requested file has to have third-party read permission.

• Config download from a remote server with SFTP needs the SFTP server service to be working on that remote server, and the requested file has to have write permission for that user.


Page 130: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Config restore

• Config restore is not enabled by default. For it to work, it needs a config file to be present at system boot-up.

• Config restore reads every MIB-value pair found in the config file and applies it at system start-up.

• To enable config restore, a local config save or a config download has to be issued.

• To disable config restore, issue the following command:
  • cnMatrix# config-restore norestore

• To see the config restore status, issue the “show nvram” command:
  • cnMatrix# show nvram
  :
  Config Restore Option : Restore
  :


Page 131: cnMatrix – Enterprise Switches Gate 7 Checkpoint

HTTPS/SSL server

• SSL (Secure Sockets Layer) is a protocol developed for transmitting private information over an Internet connection. It uses a public/private key mechanism to encrypt and decrypt the data transferred over the connection.

• HTTPS (Hypertext Transfer Protocol Secure) is an extension of HTTP for secure communication over an encrypted SSL/TLS connection.

• cnMatrix offers capabilities for SSLv3 and TLS1.0.

• The HTTPS/SSL server can be configured via CLI, SNMP, WEB and cnMaestro (future).


Page 132: cnMatrix – Enterprise Switches Gate 7 Checkpoint

HTTPS/SSL server – Configuration Examples

• The HTTPS/SSL server is not enabled by default. To enable it, the following steps must be taken:

• Step 1: Create an RSA key pair:
  • cnMatrix(config)# ip http secure crypto key rsa 1024

• Step 2: Generate a certificate request with the key from Step 1:
  • cnMatrix# ssl gen cert-req algo rsa sn JohnCert

-----BEGIN CERTIFICATE REQUEST-----


-----END CERTIFICATE REQUEST-----

• Step 3: Take the certificate request obtained at Step 2 and give it to a CA to sign.


Page 133: cnMatrix – Enterprise Switches Gate 7 Checkpoint

HTTPS/SSL server – Configuration Examples

• Step 4: Get the certificate from the CA and give it to cnMatrix (there is no need to copy the ---BEGIN CERTIFICATE--- / ---END CERTIFICATE--- lines, and make sure that you do not copy any new lines):
  • cnMatrix# ssl server-cert
    Enter Cert: [certificate body as issued by the CA]

• Step 5: Enable the HTTPS/SSL server on cnMatrix:
  • cnMatrix(config)# ip http secure server

• To check the server, open a web browser and enter the cnMatrix IP with HTTPS (for example https://20.0.0.1).

• To change the cipher suites used when establishing an SSL connection, issue the following command:
  • cnMatrix(config)# ip http secure ciphersuite

2017 Copyright Cambium Networks, Ltd. All Rights Reserved133

Page 134: cnMatrix – Enterprise Switches Gate 7 Checkpoint

HTTPS/SSL -Troubleshooting

• For an SSL connection to be established, the remote client and the cnMatrix SSL server must have a cipher suite in common, and the client must be TLS1.0 or SSLv3 compatible
• For information regarding the certificate, issue the command:
cnMatrix# show ssl server-cert
• For information regarding the HTTPS/SSL server, issue the command:
cnMatrix# show ip http secure server status

Page 135: cnMatrix – Enterprise Switches Gate 7 Checkpoint

SSH

• SSH (Secure Shell) is a protocol for secure remote login and other secure network services over an insecure network. It consists of three major components:

• The Transport Layer Protocol, which provides server authentication, confidentiality and integrity.
• The User Authentication Protocol, which authenticates the client-side user to the server. It runs over the transport layer protocol.
• The Connection Protocol, which multiplexes the encrypted tunnel into several logical channels. It runs over the user authentication protocol.

• The client sends a service request once a secure transport layer connection has been established. A second service request is sent after user authentication is complete.

• cnMatrix offers both SSH client and SSH server capabilities
• SSH client and server can be configured via CLI, SNMP, WEB, and CnMaestro (future)

Page 136: cnMatrix – Enterprise Switches Gate 7 Checkpoint

OOB

• The Out Of Band (OOB) dedicated port provides management connectivity isolated from user (data plane) traffic.

• Benefits:
• Separating user and management traffic provides extra security and reliability for the management traffic
• Offers redundancy in management connectivity (dedicated network resources)
• Prevents data plane misconfiguration from impacting management connectivity

• Disadvantages of using OOB rather than in-band ports for management:
• Extra cost and effort are required for maintaining a separate network for management purposes only.
• IPv6 is not supported yet on the OOB port.

Page 137: cnMatrix – Enterprise Switches Gate 7 Checkpoint

OOB

• A few examples of operations available via the OOB port:
• SSH access to CLI
• Web UI access
• SNMP management
• Software image download
• TFTP/SFTP file transfer (configuration/logs)
• SNTP synchronization
• Device authentication via Radius
• Remote syslog

Page 138: cnMatrix – Enterprise Switches Gate 7 Checkpoint

OOB

Configuration commands applicable to the OOB interface:

• Enable OOB interface
cnMatrix(config)# interface mgmt0
cnMatrix(config-if)# no shut
cnMatrix(config-if)# end

• Disable OOB interface
cnMatrix(config)# interface mgmt0
cnMatrix(config-if)# shut
cnMatrix(config-if)# end

• Configure static IP address
cnMatrix(config)# interface mgmt0
cnMatrix(config-if)# ip address 192.168.1.1 255.255.0.0
cnMatrix(config-if)# end

• Configure as DHCP client
cnMatrix(config)# interface mgmt0
cnMatrix(config-if)# ip address dhcp
cnMatrix(config-if)# end

Page 139: cnMatrix – Enterprise Switches Gate 7 Checkpoint

OOB

Commands for troubleshooting the operation of the OOB interface:
• cnMatrix# show interface status
• cnMatrix# show interface mgmt0
• cnMatrix# show ip interface
• cnMatrix# show ip dhcp client stats
• cnMatrix# show ip route

Default IP address on OOB port is 192.168.0.1.


Page 141: cnMatrix – Enterprise Switches Gate 7 Checkpoint

SSH client – Configuration and usage examples

• The SSH client needs no configuration. It is enabled by default.
• Example: cnMatrix# ssh 20.0.0.1
• Options available with the ssh command:
-1 Forces ssh to try protocol version 1 only
-2 Forces ssh to try protocol version 2 only
-4 Forces ssh to use IPv4 addresses only
-6 Forces ssh to use IPv6 addresses only
-A Enables forwarding of the authentication agent connection
-C Requests compression of all data
-N Do not execute a remote command
-T Disables pseudo-tty allocation
-V Print version information and exit
-a Disables forwarding of the authentication agent connection
-l Specify login name
-s The subsystem is specified as the remote command (SSH-2 only)
-t Forces pseudo-tty allocation
-v Show verbose messages
<CR> Establish SSH client session
<string> Remote command to be executed. If it is more than one argument, use double quotes

• Example of establishing an SSH client connection with default options:
cnMatrix# ssh 20.0.0.1

• To disable the SSH client, issue the following command:
cnMatrix# set ssh-client disable

Page 142: cnMatrix – Enterprise Switches Gate 7 Checkpoint

SSH server – Configuration and usage examples

• The SSH server is enabled by default
• To disable it, issue the following command:
cnMatrix(config)# ssh disable
• To change the SSH server address or the port it listens on, issue the "ssh server-address" command:
• Example: cnMatrix(config)# ssh server-address 20.0.0.2 port 22
• To change SSH server parameters, issue the "ip ssh" command. This command can:
• Change the public key authentication mechanism. By default it is hmac-sha1
• Change the ciphers used in encryption. By default the ciphers used are: 3DES-CBC, DES-CBC, AES128-CBC, AES256-CBC
• Change the maximum bytes allowed in an SSH transport connection. By default it is 32768
• Make the server compatible with older versions. By default it is only version 2 compatible
• Example of an SSH connection from a remote host to cnMatrix: ssh [email protected]

Page 143: cnMatrix – Enterprise Switches Gate 7 Checkpoint

SSH - Troubleshooting

• The ciphers and public key mechanism used by the remote host must be among the ones used by cnMatrix
• For the SSH server, make sure that the remote client connects to the port cnMatrix has set
• For SSH client information the following command exists:
cnMatrix# show ssh-client
• For SSH server information the following commands exist:
cnMatrix# show ip ssh
cnMatrix# show ssh-configurations

Page 144: cnMatrix – Enterprise Switches Gate 7 Checkpoint

DHCP Client

The DHCP Client uses DHCP to temporarily obtain a unique IP address for the switch from the DHCP server. It also receives other network configuration information, such as the default gateway, from the DHCP server.

DHCP Client configuration
cnMatrix(config)# interface vlan 1
cnMatrix(config-if)# ip address dhcp
cnMatrix(config-if)# no shutdown

DHCP Client renew address
cnMatrix# renew dhcp vlan 1

DHCP Client release address
cnMatrix# release dhcp vlan 1

DHCP Client show commands
cnMatrix# show ip dhcp client stats
cnMatrix# show ip dhcp client option

Page 145: cnMatrix – Enterprise Switches Gate 7 Checkpoint

DHCP Server

The DHCP server is responsible for dynamically assigning a unique IP address and other configuration parameters, such as the gateway, to the interfaces of a DHCP client.

The IP address is leased to the interface only for the time period stated in the DHCP lease. The interface should renew the DHCP lease once it expires.

The DHCP server contains a pool of IP addresses from which one address is assigned to the interface. The following options can be configured for each pool of IP addresses:
• Default router
• DNS server
• Domain name
• Lease time
• NTP server
• Custom options

Page 146: cnMatrix – Enterprise Switches Gate 7 Checkpoint

DHCP Server – Config Examples

Assign IP address to L3 interface
cnMatrix(config)# interface vlan 1
cnMatrix(config-if)# ip address 10.100.200.60 255.255.255.0
cnMatrix(config-if)# no shutdown

Enable DHCP Server
cnMatrix(config)# service dhcp-server

Configure DHCP pool
cnMatrix(config)# ip dhcp pool 1 lan1
cnMatrix(dhcp-config)# network 10.100.200.100 255.255.255.0 10.100.200.199
cnMatrix(dhcp-config)# default-router 10.100.200.1
cnMatrix(dhcp-config)# lease 100
cnMatrix(dhcp-config)# dns-server 10.100.200.60
cnMatrix(dhcp-config)# ntp-server 10.100.200.60

Page 147: cnMatrix – Enterprise Switches Gate 7 Checkpoint

DHCP Server – Show commands

Display DHCP Server bindings
cnMatrix# show ip dhcp server binding

Display DHCP Server statistics
cnMatrix# show ip dhcp server statistics

Display DHCP Server general information
cnMatrix# show ip dhcp server information

Display DHCP Server pools
cnMatrix# show ip dhcp server pools

Page 148: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Syslog

• Syslog offers a way for network devices to send event messages to a logging server.
• Syslog messages include information such as: IP address, timestamp and the actual log message.
• The source of messages can be identified by configuring the local facilities (local0…local7).
• Local0 is the default facility.
• 8 severity levels are available:
• debugging: Debugging messages
• informational: Information messages
• notification: Normal but significant messages
• warnings: Warning conditions
• errors: Error conditions
• alerts: Immediate action needed
• critical: Critical conditions
• emergencies: System is unusable
• Only the UDP protocol is supported for sending messages

Page 149: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Syslog – Config example

• Enable logging:
cnMatrix(config)# logging on

• Choose facility to configure:
cnMatrix(config)# logging facility local0

• Configure logging for facility local0:
cnMatrix(config)# logging 128 ipv4 10.0.0.1 port 514
cnMatrix(config)# logging 129 ipv4 10.0.0.1 port 514
cnMatrix(config)# logging 130 ipv4 10.0.0.1 port 514
cnMatrix(config)# logging 131 ipv4 10.0.0.1 port 514
cnMatrix(config)# logging 132 ipv4 10.0.0.1 port 514
cnMatrix(config)# logging 133 ipv4 10.0.0.1 port 514
cnMatrix(config)# logging 134 ipv4 10.0.0.1 port 514
cnMatrix(config)# logging severity debugging

• Local buffer size can be changed if desired:
cnMatrix(config)# logging buffered 100

Page 150: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Syslog – Show commands

• Show logging info:
cnMatrix# show logging
System Log Information
-------------------------------------
Syslog logging : enabled(Number of messages 0)
Console logging : enabled(Number of messages 4)
TimeStamp option : enabled
Severity logging : Debugging
Facility : Default (local0)
Buffered size : 100 Entries

cnMatrix# show syslog information
System Log Information
----------------------
Syslog Localstorage : Disabled
Syslog Port : 514
Syslog Role : Device

Page 151: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Syslog – Show commands

• Show logging server info:
cnMatrix# show logging-server
Syslog Forward Table Information
--------------------------------
Priority Address-Type IpAddress Port Trans-Type
-------- ------------ --------- ---- ----------
128 ipv4 10.0.0.1 514 udp
129 ipv4 10.0.0.1 514 udp
130 ipv4 10.0.0.1 514 udp
131 ipv4 10.0.0.1 514 udp
132 ipv4 10.0.0.1 514 udp
133 ipv4 10.0.0.1 514 udp
134 ipv4 10.0.0.1 514 udp
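The numbers 128 to 134 in the "logging <n>" commands and in the Priority column above line up with the standard syslog PRI encoding (facility * 8 + severity, local0 being facility 16). The following added example, not Cambium code, decodes the forward table under that assumption and reports which local0 severities have no forwarding entry at all.

```python
"""Decode the cnMatrix syslog forward table (added example, not Cambium code).

Assumption: the number in 'logging <n> ipv4 ...' and in the Priority column
of 'show logging-server' is the syslog PRI value, facility * 8 + severity
(RFC 5424 section 6.2.1). local0 is facility 16, so its eight severities
occupy PRI 128..135.
"""
from __future__ import annotations

from dataclasses import dataclass

# Severity keywords as the 'logging severity' command names them, in
# numeric order 0..7 (emergencies = 0, debugging = 7).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notification", "informational", "debugging"]
# local0..local7 are facilities 16..23.
FACILITIES = {16 + i: f"local{i}" for i in range(8)}


def decode_pri(pri: int) -> tuple[str, str]:
    """Split a PRI into (facility name, severity name).

    Only the local facilities are accepted, since those are the ones the
    switch lets you pick with 'logging facility'.
    """
    facility, severity = divmod(pri, 8)
    if facility not in FACILITIES:
        raise ValueError(f"PRI {pri}: facility {facility} is not local0..local7")
    return FACILITIES[facility], SEVERITIES[severity]


def encode_pri(facility: str, severity: str) -> int:
    """Inverse of decode_pri: the number to pass to 'logging <n> ...'."""
    fac_num = {name: num for num, name in FACILITIES.items()}[facility]
    return fac_num * 8 + SEVERITIES.index(severity)


@dataclass(frozen=True)
class ForwardEntry:
    priority: int
    addr_type: str
    address: str
    port: int
    transport: str


def parse_forward_table(text: str) -> list[ForwardEntry]:
    """Parse the rows of 'show logging-server'; title, header and rule lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        entries.append(ForwardEntry(int(parts[0]), parts[1], parts[2],
                                    int(parts[3]), parts[4]))
    return entries


def missing_severities(entries: list[ForwardEntry], facility: str = "local0") -> list[str]:
    """Severities of `facility` that no forward entry covers.

    'logging severity debugging' only sets what the switch generates; a
    severity without a forward entry never reaches the collector.
    """
    forwarded = set()
    for e in entries:
        fac, sev = decode_pri(e.priority)
        if fac == facility:
            forwarded.add(sev)
    return [s for s in SEVERITIES if s not in forwarded]


# Copied from the 'show logging-server' output on the slide.
SAMPLE_OUTPUT = """\
Syslog Forward Table Information
--------------------------------
Priority Address-Type IpAddress Port Trans-Type
-------- ------------ --------- ---- ----------
128 ipv4 10.0.0.1 514 udp
129 ipv4 10.0.0.1 514 udp
130 ipv4 10.0.0.1 514 udp
131 ipv4 10.0.0.1 514 udp
132 ipv4 10.0.0.1 514 udp
133 ipv4 10.0.0.1 514 udp
134 ipv4 10.0.0.1 514 udp
"""

if __name__ == "__main__":
    table = parse_forward_table(SAMPLE_OUTPUT)
    for entry in table:
        print(entry.priority, *decode_pri(entry.priority), entry.address, entry.transport)
    print("local0 severities with no forward entry:", missing_severities(table))
```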

Page 152: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Environmentals

• Offers users the ability to monitor the device's general status.
• Available information:
• Maximum CPU threshold
• Current CPU usage
• Maximum RAM threshold
• Current RAM usage
• Maximum flash threshold
• Current flash usage
• Maximum temperature threshold
• Minimum temperature threshold
• Current temperature value
• Fan status
• Status for routing on mgmt port
• Information is available in CLI and WEB.
• Only EX2028-P is equipped with fans

Page 153: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Environmentals – Config example

• Configure maximum threshold for CPU, RAM and flash:
cnMatrix(config)# set switch maximum CPU threshold 40
cnMatrix(config)# set switch maximum RAM threshold 80
cnMatrix(config)# set switch maximum flash threshold 80

• Show command:
cnMatrix(config)# show env all
Current RAM Usage : 36%
Current CPU Usage : 0%
Fan Status 1 : Operational
Fan Status 2 : Operational
Current Temperature : 26C
Current Flash Usage : 0%
Mgmt Port Routing : Disabled

Page 154: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Detailed Feature Description -Security Features

Technical Knowledge Transfer

cnMatrix

Page 155: cnMatrix – Enterprise Switches Gate 7 Checkpoint

cnMatrix – Security Features covered in this section

Security Features

• 802.1x Authentication
• Radius
• TACACS+
• DHCP Snooping
• Static MAC
• Local Management User Name Password

* Available in Future Release

Page 156: cnMatrix – Enterprise Switches Gate 7 Checkpoint

802.1X

Configure RADIUS based authentication
cnMatrix(config)# aaa authentication dot1x default group radius
cnMatrix(config)# radius-server host 10.100.200.10 key my_key_9745

Enable 802.1X globally
cnMatrix(config)# dot1x system-auth-control

Enable 802.1X per interface
cnMatrix(config-if)# dot1x port-control auto
cnMatrix(config-if)# dot1x host-mode single-host
or
cnMatrix(config-if)# dot1x host-mode multi-host

Display 802.1X information
cnMatrix# show dot1x
cnMatrix# show dot1x interface gigabitethernet 0/2
cnMatrix# show dot1x statistics interface gi 0/2

Page 157: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Radius client

• Radius (Remote Authentication Dial-In User Service) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service

• Radius client is a security feature that offers the ability for a remote access server(cnMatrix in our case) to communicate with a Radius central server for the purpose of authenticating users and authorizing their access to the system or a specific service.

• The Radius client is used with the login and PNAC features.
• The Radius client can be configured via CLI, SNMP, WEB (future release), and CnMaestro (future)

Page 158: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Radius client – Config Examples

• Configuring the Radius client on the switch means populating the local database with RADIUS server credentials:
• Example: cnMatrix(config)# radius-server host 20.0.0.1 auth-port 1812 timeout 2 retransmit 3 key cnKey primary
• host: specifies the RADIUS server IPv4 address, IPv6 address or DNS host name
• auth-port: specifies the authentication port on which the server listens for requests. By default it is 1812
• timeout: specifies the time period in seconds for which a client waits for a response from the server before re-transmitting the request. By default it is 3
• retransmit: specifies the maximum number of attempts to be tried by a client to get a response from the server for a request. By default it is 10
• key: configures the per-server encryption key, which specifies the authentication and encryption key for all RADIUS communications between the authenticator and the RADIUS server
• primary: configures this server to be the primary one used in RADIUS authentication. At most 5 RADIUS servers can have their credentials stored locally at a time

Page 159: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Radius client – Config Examples

• Example of configuring a Radius server with the default options:
cnMatrix(config)# radius-server host 20.0.0.1 key cnKey

• Configuring the user LOGIN feature to use RADIUS:
cnMatrix(config)# login authentication radius

• Configuring the user LOGIN feature to use RADIUS, but use the local database in case of RADIUS failure:
cnMatrix(config)# login authentication radius local

• Configuring the PNAC feature to use RADIUS:
cnMatrix(config)# aaa authentication dot1x default group radius

Page 160: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Radius server – Config Examples

• For the Radius feature to work properly, the unit must be identified as a client on the server side, and the user must be added to the server database

• Example:
• Adding the switch as a client in clients.conf
client cnMatrix {
    ipaddr = 20.0.0.2
    secret = cnKey
}

• Adding user bob with administrative credentials in users
bob Cleartext-Password := "Boby"
    Service-Type = Administrative-User

Page 161: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Radius client –Troubleshooting

• The key set must be the one the server has for this Radius client
• The server must be accessible and must have the RADIUS server service turned on
• The clients and their passwords must be present in the RADIUS server database

• For Radius information the following commands exist:
cnMatrix# show radius server
cnMatrix# show radius statistics
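The first troubleshooting point above (the key on the switch must match the one the server holds) follows from how the RADIUS Access-Request is built. The added example below, not Cambium or FreeRADIUS code, runs one PAP round trip in-process with the slides' bob / Boby / cnKey values: the client hides the password with its key, the server unhides it with its own key, and the client checks the Response Authenticator, so a key mismatch shows up as a reject plus a reply the client cannot validate.

```python
"""Why the RADIUS shared key has to match: a PAP Access-Request round trip.

Added example, not Cambium or FreeRADIUS code. It builds the Access-Request
a client like cnMatrix sends (RFC 2865), lets an in-process server check the
password with its own copy of the key, and verifies the Response
Authenticator on the client side. Values (bob / Boby / cnKey) are the ones
used on the slides.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6
ADMINISTRATIVE_USER = 6


def attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict[int, bytes]:
    out, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        out[atype] = data[i + 2:i + alen]
        i += alen
    return out


def hide_password(password: str, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(plain), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(plain[i:i + 16], pad))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; a wrong secret yields garbage bytes."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, request_auth) -> bytes:
    attrs = attr(USER_NAME, username.encode())
    attrs += attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, ident, request_auth, attrs, secret) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(packet, request_auth, secret) -> bool:
    head, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def exchange(username, password, client_key, server_key, user_db, request_auth=None):
    """One round trip. Returns (server decision code, client accepted the reply)."""
    request_auth = request_auth or os.urandom(16)
    req = build_access_request(7, username, password, client_key, request_auth)
    attrs = parse_attrs(req[20:])
    # The server unhides the password with ITS key; with a mismatched key the
    # bytes never equal the stored password, so the user is rejected.
    seen = reveal_password(attrs[USER_PASSWORD], server_key, request_auth)
    ok = user_db.get(attrs[USER_NAME].decode()) == seen
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_attrs = attr(SERVICE_TYPE, struct.pack("!I", ADMINISTRATIVE_USER)) if ok else b""
    resp = build_response(code, 7, request_auth, resp_attrs, server_key)
    return code, verify_response(resp, request_auth, client_key)


USERS = {"bob": b"Boby"}  # the 'users' entry from the slide, as the server stores it
```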

Page 162: cnMatrix – Enterprise Switches Gate 7 Checkpoint

TACACS+ client

• TACACS (Terminal Access Controller Access-Control System) is a protocol used in handling remote authentication and other related services for network access control through a centralized server.

• TACACS+ client is a security feature that offers the ability for a remote access server, cnMatrix in our case, to communicate with a TACACS+ central server for the purpose of authenticating users.

• TACACS+ uses TCP for transport to ensure reliable delivery
• The TACACS+ client is used with the login feature.
• The TACACS+ client can be configured via CLI, SNMP, WEB (future release), and CnMaestro (future)

Page 163: cnMatrix – Enterprise Switches Gate 7 Checkpoint

TACACS+ client - Config Examples

• Configuring the TACACS+ client on the switch means populating the local database with TACACS+ server credentials:
• Example: cnMatrix(config)# tacacs-server host 20.0.0.1 single-connection port 49 timeout 2 key cnKey
• host: specifies the TACACS+ server IPv4 address, IPv6 address or DNS host name
• single-connection: allows multiple sessions to be established over a single TCP connection
• port: specifies the TCP port number on which the multiple sessions are established. By default it is 49
• timeout: specifies the time period (in seconds) for which a client waits for a response from the server before closing the TCP connection. By default it is 5
• key: specifies the authentication and encryption key for all TACACS communications between the authenticator and the TACACS+ server

• Example of configuring a TACACS+ server with the default options:
cnMatrix(config)# tacacs-server host 20.0.0.1 key cnKey

Page 164: cnMatrix – Enterprise Switches Gate 7 Checkpoint

TACACS+ client - Config Examples

• cnMatrix can hold up to 5 TACACS+ server credentials in its local database. To select the server used in all TACACS related communication, issue the "tacacs use-server" command:
• Example: cnMatrix(config)# tacacs use-server address 20.0.0.1

• Configuring the user LOGIN feature to use TACACS:
cnMatrix(config)# login authentication tacacs

• Configuring the user LOGIN feature to use TACACS, but use the local database in case of TACACS failure:
cnMatrix(config)# login authentication tacacs local

• A TACACS user is given root privilege by default, or the local user's privilege if the user exists in the local database

Page 165: cnMatrix – Enterprise Switches Gate 7 Checkpoint

TACACS+ server - Config Examples

• For the TACACS feature to work properly, the user must be added to the server database

• Example:
• Adding the switch as a client in tac_plus.conf
key = "cnKey"
user = John {
    pap = cleartext "JohnPassword"
}

• The TACACS client uses PAP (Password Authentication Protocol) for user authentication

Page 166: cnMatrix – Enterprise Switches Gate 7 Checkpoint

TACACS+ client –Troubleshooting

• The key set on the switch must be the one the server uses
• The server must be accessible and must have the TACACS+ server service turned on
• The clients and their passwords must be present in the TACACS+ server database

• For TACACS information the following commands exist:
cnMatrix# show tacacs server
cnMatrix# show tacacs statistics

Page 167: cnMatrix – Enterprise Switches Gate 7 Checkpoint

DHCP snooping

• DHCP snooping is a feature that filters untrusted DHCP messages and builds a DHCP snooping binding database. It acts as a firewall between untrusted hosts and DHCP servers. These untrusted messages are sent from devices outside the network and are a usual source of attack traffic.

• DHCP snooping intercepts all DHCP packets from untrusted ports and, after inserting the port-specific information (option 82), forwards the DHCP client-side packets on trusted ports. Option 82 is then used to redirect the DHCP responses from the server to the appropriate untrusted port.

• The DHCP snooping binding database maintains a table which contains the MAC address, IP address, lease time, binding type, VLAN number and interface information of the local untrusted interfaces of the switch. This table is updated when a valid IP address is allocated to a host.

Page 168: cnMatrix – Enterprise Switches Gate 7 Checkpoint

DHCP snooping – Config Examples

• DHCP snooping is not enabled by default. To enable it, the following steps need to be taken:

• Step 1: Set the ports connected to trusted DHCP servers as trusted
• Example:
cnMatrix(config)# int gigabitethernet 0/1
cnMatrix(config-if)# ip dhcp snooping trust
By default all ports are set as untrusted

• Step 2: Enable DHCP snooping globally
cnMatrix(config)# ip dhcp snooping

• Step 3: Enable DHCP snooping on the desired VLAN.
• Example: cnMatrix(config)# ip dhcp snooping vlan 1

Page 169: cnMatrix – Enterprise Switches Gate 7 Checkpoint

DHCP snooping – Troubleshooting

• To be sure that the DHCP snooping feature works, check the binding table:
cnMatrix# show ip binding dhcp
Host Binding Information
------------------------
1 00:01:0a:c8:e0:07 20.0.0.183 Gi0/23 20.0.0.1 dhcp

The entry above states that host 00:01:0a:c8:e0:07, connected to VLAN 1 on untrusted port gi0/23, was issued IP 20.0.0.183 by a trusted DHCP server.

• For information regarding packet statistics, issue the command "show ip dhcp snooping" for the desired VLAN
• Example: cnMatrix# show ip dhcp snooping vlan 1
• For information regarding port trust/untrust status, issue the following command:
cnMatrix# show ip dhcp snooping port-security-state
• For DHCP snooping status, issue the following command:
cnMatrix# show ip dhcp snooping globals
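Reading the binding table by eye works for one host; for a whole switch it helps to check every row against the intended setup (which server may hand out leases, which ports are trusted, which VLANs have snooping). The added example below, not Cambium code, does that for the output format shown above. It assumes the columns are VLAN, host MAC, host IP, port, DHCP server address and binding type; the slide explains all but the fifth, which is taken here to be the server that issued the lease. Rows 2 and 3 of the sample are constructed to trigger findings.

```python
"""Parse and sanity-check the cnMatrix 'show ip binding dhcp' table.

Added example, not Cambium code. Column assumption: VLAN, host MAC, host
IP, switch port, DHCP server address, binding type; the slide explains
the first four and the last, the fifth is taken to be the server that
issued the lease.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass(frozen=True)
class Binding:
    vlan: int
    mac: str
    ip: str
    port: str
    server: str
    kind: str


def parse_bindings(text: str) -> list[Binding]:
    """Return the rows of the binding table; the title and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[0].isdigit():
            continue
        rows.append(Binding(int(parts[0]), parts[1].lower(), parts[2],
                            parts[3].lower(), parts[4], parts[5]))
    return rows


def audit_bindings(bindings, trusted_servers, trusted_ports, snooping_vlans) -> list[str]:
    """Flag bindings that contradict the intended snooping setup.

    A binding is only expected on an untrusted port of a snooping VLAN and
    only from a server behind a trusted port; anything else points at a
    wrongly trusted port, an unexpected server, or a VLAN without snooping.
    """
    findings = []
    trusted_ports = {p.lower() for p in trusted_ports}
    for b in bindings:
        where = f"{b.mac} on {b.port} vlan {b.vlan}"
        if not MAC_RE.match(b.mac):
            findings.append(f"{where}: malformed MAC")
        try:
            ipaddress.ip_address(b.ip)
        except ValueError:
            findings.append(f"{where}: malformed IP {b.ip}")
        if b.server not in trusted_servers:
            findings.append(f"{where}: lease from unexpected server {b.server}")
        if b.port in trusted_ports:
            findings.append(f"{where}: binding learned on a trusted port")
        if b.vlan not in snooping_vlans:
            findings.append(f"{where}: VLAN {b.vlan} has no snooping enabled")
    return findings


# Row 1 is copied from the slide; rows 2 and 3 are constructed to exercise the checks.
SAMPLE_OUTPUT = """\
Host Binding Information
------------------------
1 00:01:0a:c8:e0:07 20.0.0.183 Gi0/23 20.0.0.1 dhcp
1 00:01:0a:c8:e0:08 20.0.0.184 Gi0/24 20.0.0.99 dhcp
2 00:01:0a:c8:e0:09 20.0.0.185 Gi0/1 20.0.0.1 dhcp
"""

# Intended setup, matching the configuration slide: Gi0/1 trusted, snooping on VLAN 1,
# and (assumed) 20.0.0.1 as the only legitimate DHCP server.
TRUSTED_SERVERS = {"20.0.0.1"}
TRUSTED_PORTS = {"gi0/1"}
SNOOPING_VLANS = {1}

if __name__ == "__main__":
    table = parse_bindings(SAMPLE_OUTPUT)
    for finding in audit_bindings(table, TRUSTED_SERVERS, TRUSTED_PORTS, SNOOPING_VLANS):
        print(finding)
```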

Page 170: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Static MAC Address table

• The static MAC address table is a 256-entry table of unicast MAC entries, each entry being manually added by the user. A static entry maps a MAC address to a particular Port-VLAN pair. The statically created entries can reside in the static MAC address table for a limited amount of time, until the switch is rebooted, or they can persist even after the switch reboots.

• A dynamic entry having the same MAC address and belonging to the same VLAN as an already existing statically added entry, but received on a different port from the one on which the static entry was configured, will not be learned by the switch. For this reason the static MAC address table is also a security feature, since an intruder cannot spoof the exact MAC address of a statically added entry from another port.

Page 171: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Static MAC address table – Configuration and troubleshooting

1. Scenario: Create 3 static entries on 3 different ports in VLAN 1 with three different states.

2. Configuration:
• cnMatrix(config)# mac-address-table static unicast 00:00:00:00:00:01 vlan 1 interface gi 0/1 status permanent – the entry will remain in the MAC address table even after the switch is rebooted;
• cnMatrix(config)# mac-address-table static unicast 00:00:00:00:00:02 vlan 1 interface gi 0/2 status deleteOnReset – the entry will remain in the MAC address table until the switch is rebooted;
• cnMatrix(config)# mac-address-table static unicast 00:00:00:00:00:03 vlan 1 interface gi 0/3 status deleteOnTimeout – the entry will remain in the MAC address table until the configured aging time is reached on the switch;

3. Troubleshooting:
• cnMatrix# show vlan brief – check the VLAN created and ports' membership;
• cnMatrix# show vlan port Gigabitethernet 0/1 – check the status on a particular interface;
• cnMatrix# show mac-address-table static unicast – check the static MAC address table;
• cnMatrix# show mac-address-table aging time – check the configured aging time relevant for the "deleteOnTimeout" static entries;

Page 172: cnMatrix – Enterprise Switches Gate 7 Checkpoint

Local Users and Passwords

Create user with RW rights
cnMatrix(config)# username RW_user password PA$$word1234 privilege 15

Create user with RO rights
cnMatrix(config)# username RO_user password PA$$word1234 privilege 1

Change password for default admin user
cnMatrix(config)# username admin password PA$$word1234 privilege 15

Display local users
cnMatrix# listuser
USER     MODE  PRIVILEGE
admin    /     15
guest    /     1
RO_user  /     1
RW_user  /     15

Display logged in users
cnMatrix# show users
Line   User     Peer-Address
0 con  admin    Local Peer
1 ssh  RW_user  10.110.200.12

Page 173: cnMatrix – Enterprise Switches Gate 7 Checkpoint