Académique Documents
Professionnel Documents
Culture Documents
IP Networking Portfolio I
Table of Contents
Disclaimer _____________________________________________________________________19 Trademark Text _________________________________________________________________19 Revision History ________________________________________________________________19 Alcatel-Lucent Company Background _______________________________________________20 About Boilerplate _______________________________________________________________21 About Alcatel-Lucent O/S (AOS) ___________________________________________________22 OmniSwitch 6850 Series / Marketing ________________________________________________23
Introduction _________________________________________________________________________ 23 The OmniSwitch 6850 Family __________________________________________________________ 24
Key Customer Benefits ________________________________________________________________________ 24 Power Supply Options _________________________________________________________________________ 32 Gigabit Ethernet at the Edge ____________________________________________________________________ 33 Intelligence at the Core ________________________________________________________________________ 33 Performance ________________________________________________________________________________ 33 10-Gigabit Ethernet Applications ________________________________________________________________ 33 Carrier-Class for the Enterprise __________________________________________________________________ 34 Secure Networking ___________________________________________________________________________ 34 Alcatel-Lucent Access Guardian and OmniVista 2770 Quarantine Manager _________________________ 35 High Availability _____________________________________________________________________________ 35 Advanced QoS_______________________________________________________________________________ 36 IPv6 Support ________________________________________________________________________________ 36 Compliancy _________________________________________________________________________________ 36 WebView ___________________________________________________________________________________ 36 CLI _______________________________________________________________________________________ 36 Simplified Manageability ______________________________________________________________________ 37 OneTouch Network Management ____________________________________________________________ 37
OmniSwitch 6850-48X Specifications ________________________________________________________ 58 OmniSwitch 6850-P24 ______________________________________________________________________ 59 OmniSwitch 6850-P24 Specifications _________________________________________________________ 60 OmniSwitch 6850-P48 ______________________________________________________________________ 61 OmniSwitch 6850-P48 Specifications _________________________________________________________ 62 OmniSwitch 6850-P24X ____________________________________________________________________ 63 OmniSwitch 6850-P24X Specifications _______________________________________________________ 64 OmniSwitch 6850-P48X ____________________________________________________________________ 65 OmniSwitch 6850-P48X Specifications _______________________________________________________ 66 OmniSwitch 6850-U24X ____________________________________________________________________ 67 OmniSwitch 6850-U24X Specifications _______________________________________________________ 68 OmniSwitch 6850-24L ______________________________________________________________________ 69 OmniSwitch 6850-24L Specifications_________________________________________________________ 70 OmniSwitch 6850-P24L ____________________________________________________________________ 71 OmniSwitch 6850-P24L Specifications _______________________________________________________ 72 OmniSwitch 6850-48L ______________________________________________________________________ 73 OmniSwitch 6850-48L Specifications_________________________________________________________ 74 OmniSwitch 6850-P48L ____________________________________________________________________ 75 OmniSwitch 6850-P48L Specifications _______________________________________________________ 76 Rear Panel _______________________________________________________________________________ 77 Status LEDs ______________________________________________________________________________ 78 10/100/1000 LEDs________________________________________________________________________ 79 1000 SFP LEDs __________________________________________________________________________ 79 10000 XFP LEDs ________________________________________________________________________ 79 Chassis Rear Panel ___________________________________________________________________________ 79 Architecture _________________________________________________________________________________ 80 The OmniSwitch 6850-48 & P48 Internal Architecture ___________________________________________ 80 The OmniSwitch 6850-48X & P48X Internal Architecture ________________________________________ 81 The OmniSwitch 6850-24 & P24 Internal Architecture ___________________________________________ 82 The OmniSwitch 6850-24X & P24X Internal Architecture ________________________________________ 83 OmniSwitch 6850 -- Fiber Optics Transceivers Technical Specifications Overview _________________________ 84 Small Form Factor Pluggable (SFP M SA) _____________________________________________________ 86 Handling Fiber and Fiber Optic Connectors ___________________________________________________ 87 Coarse Wave Division Multiplexing (CWDM) __________________________________________________ 98 10Gbps Small Form Factor Pluggable (XFPs) _________________________________________________ 102 Eye Safety _____________________________________________________________________________ 102 XFP-10G Specifications __________________________________________________________________ 103 Pin-Outs ___________________________________________________________________________________ 105 RJ-45 Console Port Connector Pinouts _____________________________________________________ 105 RJ-45 Console Port Connector Pinouts _____________________________________________________ 105 10/100M bps Ethernet Port RJ-45 Pinouts (Non-PoE) ___________________________________________ 105 Pow er over Ethernet Port RJ-45 Pinouts (with PoE) ___________________________________________ 105 1 Gigabit Ethernet Port RJ-45 Pinouts (Non-PoE)______________________________________________ 105 10/100/1000Mbps Power over Ethernet Port -RJ-45 Pinouts _____________________________________ 106 Console Port / Serial Connection Default Settings ______________________________________________ 106 OS6850 DB-25 POWER CONNECTOR PIN-OUT _____________________________________________ 107 Availability Feature __________________________________________________________________________ 108 Software Rollback ________________________________________________________________________ 108 Backup Power Supplies ____________________________________________________________________ 108 Hot Swapping ____________________________________________________________________________ 108 Hardware Monitoring _____________________________________________________________________ 109 Automatic Monitoring ____________________________________________________________________ 109 LEDs _________________________________________________________________________________ 109 User-Driven Monitoring __________________________________________________________________ 109 Auto negotiation Guidelines ___________________________________________________________________ 109 OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 2 Software & Hardware Release: AOSv6.3.1r01 Alcatel-Lucent-ESD Calabasas/CA./USA
Valid Port Settings on OmniSwitch 6850 Series Switches ____________________________________________ 109 10/100/1000 Crossover Supported ______________________________________________________________ 109 10/100 Crossover Supported ___________________________________________________________________ 109 The OmniSwitch 6850 Series Power Supply System ________________________________________________ 110 Pow er Supply Shelf _______________________________________________________________________ 111 Pow er Supply Redundancy _________________________________________________________________ 111 Monitoring Chassis Pow er _________________________________________________________________ 111 Pow er Supply Specifications ________________________________________________________________ 112 Pow er Supply Shelf _______________________________________________________________________ 115 PS-510W-AC Power Supply ________________________________________________________________ 115 PS-360W-AC Power Supply ________________________________________________________________ 116 PS-126W-AC Power Supply ________________________________________________________________ 117 PS-120W-DC Power Supply ________________________________________________________________ 117 Managing OmniSwitch 6850 Series Stacks ________________________________________________________ 118 OmniSwitch 6850 Series Stack Overview _____________________________________________________ 118 Roles w ithin the Stack _____________________________________________________________________ 118 Primary and Secondary Management ________________________________________________________ 118 Primary Management Module Selection ______________________________________________________ 118 Using the Chassis MAC Address ___________________________________________________________ 119 Using Saved Slot Information ______________________________________________________________ 119 Using Switch Uptime ____________________________________________________________________ 119 Secondary Management Module Selection ____________________________________________________ 119 Using the Stacking Connection to the Primary Switch ___________________________________________ 119 Using Saved Slot Information ______________________________________________________________ 119 Idle Module Role _________________________________________________________________________ 120 Pass-Through Mode ______________________________________________________________________ 120 Stack Cabling ____________________________________________________________________________ 121 Redundant Stacking Cable Connection _______________________________________________________ 122 Slot Numbering __________________________________________________________________________ 122 Dynamic Slot Number Assignment __________________________________________________________ 122 Manual Slot Number Assignment ___________________________________________________________ 122 Hot-Swapping Modules in a Stack ___________________________________________________________ 123 Removing Switches from an Existing Stack ___________________________________________________ 123 Inserting Sw itches into an Existing Stack _____________________________________________________ 123 M erging Stacks __________________________________________________________________________ 123 Reloading Switches _______________________________________________________________________ 124 Reloading the Primary Management Module __________________________________________________ 124 Reloading the Secondary Management Module ________________________________________________ 124 Reloading Switches with Idle Roles _________________________________________________________ 124 Reloading Switches in Pass-Through Mode ___________________________________________________ 124 Reloading All Switches in a Stack___________________________________________________________ 124 Software Synchronization During a Full Reload ________________________________________________ 124 Effects of Saved Slot Number Information on the Reload Process __________________________________ 125 Avoiding Split Stacks _____________________________________________________________________ 125 Changing the Secondary Module to Primary __________________________________________________ 126 Synchronizing Switches in a Stack ___________________________________________________________ 126 Automatic Synchronization during a Full Reload ______________________________________________ 126 Monitoring the Stack______________________________________________________________________ 126 Visually Monitoring the Stack______________________________________________________________ 126 Managing Power over Ethernet (PoE) ____________________________________________________________ 127 Pow er over Ethernet Specifications __________________________________________________________ 127 Pow er over Ethernet Defaults ______________________________________________________________ 128 Port Priority Levels _______________________________________________________________________ 128 Capacitor Detection Method________________________________________________________________ 128 Understanding Priority Disconnect __________________________________________________________ 128 OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 3 Software & Hardware Release: AOSv6.3.1r01 Alcatel-Lucent-ESD Calabasas/CA./USA
Monitoring Power over Ethernet via CLI _____________________________________________________ 129 Pow er Cords _____________________________________________________________________________ 130 Specifications __________________________________________________________________________ 130 Redundant AC Circuit Recommendation _____________________________________________________ 130 Grounding the Chassis ____________________________________________________________________ 130 Temperature Management _____________________________________________________________________ 130
MTBF Calculation Standards and Requirements _________________________________________ 131 MTBF Calculation Standards and Requirements _________________________________________ 131 Regulatory Compliance and Safety Information __________________________________________ 148
Declaration of Conformity: CE Mark ____________________________________________________________ 148 Waste Electrical and Electronic Equipment (WEEE) Statement ________________________________________ 148 Standards Compliance ________________________________________________________________________ 148 Safety Standards _________________________________________________________________________ 148 EMC Standards __________________________________________________________________________ 149 Safety and Environmental Standards ________________________________________________________ 149 FCC Class A, Part 15 _____________________________________________________________________ 149 Canada Class A Statement _________________________________________________________________ 150 JATE ___________________________________________________________________________________ 150 CISPR22 Class A Warning _________________________________________________________________ 150 VCCI ___________________________________________________________________________________ 150 Class A Warning for Taiwan and Other Chinese M arkets _______________________________________ 150
OmniSwitch 6850 Series Hardware & Software Features Overview Table ___________________ 153 Alcatel-Lucent AOS Release Briefs _____________________________________________________ 218
OVERVIEW _______________________________________________________________________________ 218 Whats New? ____________________________________________________________________________ 219 New Software Features (AOSv6.1.3r01) __________________________________________________________ 219 Feature Summary ________________________________________________________________________ 219 New Software Features (AOSv6.1.5r01) __________________________________________________________ 220 Feature Summary ________________________________________________________________________ 220 New Software Features (AOSv6.2.1r01) __________________________________________________________ 220 Feature Summary ________________________________________________________________________ 220 New Software Features (AOSv6.3.1r01) __________________________________________________________ 221 Feature Summary ________________________________________________________________________ 222 Software Supported __________________________________________________________________________ 223 Feature Summary ________________________________________________________________________ 223
OmniSwitch 6850 Series IETF / IEEE Standards ________________________________________ 315 OmniSwitch 6850 Series Typical RFP Questions & Answers Table _________________________ 320
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 4 Software & Hardware Release: AOSv6.3.1r01 Alcatel-Lucent-ESD Calabasas/CA./USA
What is the Internal Spanning Tree (IST) Instance _____________________________________________ 362 What is the Common and Internal Spanning Tree Instance ______________________________________ 362 Understanding Spanning Tree Modes ________________________________________________________ 362 M ST Interoperability and Migration_________________________________________________________ 362 M igrating from Flat Mode STP/RSTP to Flat Mode MSTP ______________________________________ 363 M igrating from 1x1 Mode to Flat Mode M STP ________________________________________________ 363 MAC Retention _____________________________________________________________________________ 364 M AC Retention Defaults ___________________________________________________________________ 364 M AC Retention Overview__________________________________________________________________ 364 How MAC Retention Works _______________________________________________________________ 366 M AC Retention After M ultiple Take-Overs ___________________________________________________ 366 M AC Retention Applications _______________________________________________________________ 367 Link Failure _____________________________________________________________________________ 368 Static (OmniChannel) Link Aggregation__________________________________________________________ 369 Static Link Aggregation Specifications _______________________________________________________ 369 Static Link Aggregation Defaults ____________________________________________________________ 369 Static Link Aggregation Overview ___________________________________________________________ 369 Static Link Aggregation Operation __________________________________________________________ 370 Relationship to Other Features _____________________________________________________________ 370 Dynamic (IEEE 802.3ad) Link Aggregation _______________________________________________________ 371 Dynamic Link Aggregation Specifications ____________________________________________________ 371 Dynamic Link Aggregation Default Values____________________________________________________ 372 Dynamic Link Aggregation Overview ________________________________________________________ 372 Dynamic Link Aggregation Operation _______________________________________________________ 373 Relationship to Other Features _____________________________________________________________ 373
IEEE 802.1X Defaults _____________________________________________________________________ 384 802.1X Overview _________________________________________________________________________ 385 802.1X Port Behavior ____________________________________________________________________ 385 802.1X Ports and DHCP __________________________________________________________________ 386 Re-authentication________________________________________________________________________ 386 802.1X Accounting ______________________________________________________________________ 386 Compared to Authenticated VLANs _________________________________________________________ 386 Port-Based Network Access Control _________________________________________________________ 386 802.1X on the OmniSwitch 6850 ____________________________________________________________ 387 Device Classification Policies ______________________________________________________________ 387 Port Mapping (AKA Private VLAN) ____________________________________________________________ 388 Port Mapping Specifications________________________________________________________________ 388 Port Mapping Defaults ____________________________________________________________________ 388 Example Port Mapping Overview ___________________________________________________________ 389 Access Control Lists -- ACLs __________________________________________________________________ 390 ACL Specifications _______________________________________________________________________ 390 ACL Defaults ____________________________________________________________________________ 390 ACL Overview ___________________________________________________________________________ 391 Rule Precedence ________________________________________________________________________ 391 How Precedence is Determined_____________________________________________________________ 392 Interaction With Other Features ____________________________________________________________ 392 Valid Combinations______________________________________________________________________ 392 ACL Configuration Overview ______________________________________________________________ 392 Policy Conditions For ACLs _______________________________________________________________ 393 Policy Actions For ACLs _________________________________________________________________ 393 Layer 2 ACLs __________________________________________________________________________ 394 Layer 3/4 ACLs _________________________________________________________________________ 394 Multicast Filtering ACLs__________________________________________________________________ 395 Using ACL Security Features ______________________________________________________________ 396 ACL Manager (ACLMAN) ____________________________________________________________________ 397 ACLMAN Defaults _______________________________________________________________________ 397 ACLMAN Overview ______________________________________________________________________ 397 ACLMAN Configuration File_______________________________________________________________ 397 ACL Text Files ___________________________________________________________________________ 398 ACL Precedence _________________________________________________________________________ 398 Interaction With the Alcatel-Lucent CLI _____________________________________________________ 398 Using the ACLMAN Shell__________________________________________________________________ 398 ACLMAN Modes and Commands ___________________________________________________________ 399 Supported Protocols and Services ___________________________________________________________ 399 Network Security ____________________________________________________________________________ 401 Network Security Specifications _____________________________________________________________ 401 Network Security Defaults _________________________________________________________________ 401 Network Security Overview ________________________________________________________________ 402 Anomalies _____________________________________________________________________________ 402 Monitoring Group _______________________________________________________________________ 403 Anomaly parameters Description ___________________________________________________________ 403
VLAN Router Interfaces ___________________________________________________________________ 408 Single M AC Router Mode _________________________________________________________________ 408 Defining V LAN Port Assignments ______________________________________________________________ 409 Port Assignment Specifications _____________________________________________________________ 409 Port Assignment Defaults __________________________________________________________________ 409 Statically Assigning Ports to VLANs _________________________________________________________ 410 Dynamically Assigning Ports to VLANs ______________________________________________________ 410 How Dynamic Port Assignment Works _______________________________________________________ 410 VLAN Mobile Tag Classification ____________________________________________________________ 410 VLAN Rule Classif ication __________________________________________________________________ 411 Ignoring B ridge Protocol Data Units (BPDU) __________________________________________________ 411 Understanding M obile Port Properties _______________________________________________________ 412 What is a Configured Default VLAN?________________________________________________________ 412 What is a Secondary VLAN? _______________________________________________________________ 412 Mobile Port Properties ____________________________________________________________________ 412 Defining V LAN Rules ________________________________________________________________________ 413 VLAN Rules Specifications _________________________________________________________________ 413 VLAN Rules Defaults _____________________________________________________________________ 413 VLAN Rules Overview ____________________________________________________________________ 413 VLAN Rule Types ________________________________________________________________________ 414 DHCP Rules ___________________________________________________________________________ 414 Binding Rules __________________________________________________________________________ 415 MAC Address & MAC Address Range Rules__________________________________________________ 415 Network Address Rules ___________________________________________________________________ 415 Protocol Rules __________________________________________________________________________ 416 Port Rules _____________________________________________________________________________ 416 Understanding VLAN Rule Precedence ______________________________________________________ 416 IEEE 802.1Q _______________________________________________________________________________ 417 802.1Q Specifications _____________________________________________________________________ 417 802.1Q Defaults __________________________________________________________________________ 417 802.1Q Overview _________________________________________________________________________ 417 Forcing a Sw itch Internal Tag ______________________________________________________________ 417 GVRP ____________________________________________________________________________________ 418 GVRP Specifications ______________________________________________________________________ 418 GVRP Defaults __________________________________________________________________________ 418 GARP Overview _________________________________________________________________________ 419 VLAN Stacking _____________________________________________________________________________ 422 VLAN Stacking Specifications ______________________________________________________________ 422 Service-Based VLAN Stacking Defaults ______________________________________________________ 423 Port-Based VLAN Stacking Defaults _________________________________________________________ 423 VLAN Stacking Overview _________________________________________________________________ 424 How VLAN Stacking Works _______________________________________________________________ 426 VLAN Stacking Modes ____________________________________________________________________ 426 Service Mode___________________________________________________________________________ 426 Legacy Mode ___________________________________________________________________________ 427 Interaction With Other Features ____________________________________________________________ 427 GARP VLAN Registration Protocol (GVRP) __________________________________________________ 427 IP Multicast VLANs _____________________________________________________________________ 427 Link Aggregation________________________________________________________________________ 428 Quality of Service (QoS) __________________________________________________________________ 428 Ring Rapid Spanning Tree Protocol (RRSTP) _________________________________________________ 428 Spanning Tree __________________________________________________________________________ 428 VLAN Stacking Application Examples _______________________________________________________ 429 Ethernet OAM ______________________________________________________________________________ 430 Ethernet OAM Specifications _______________________________________________________________ 430 OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 8 Software & Hardware Release: AOSv6.3.1r01 Alcatel-Lucent-ESD Calabasas/CA./USA
Ethernet OAM Def aults ___________________________________________________________________ 430 Ethernet OAM Overview __________________________________________________________________ 431 Connectivity Fault Management ____________________________________________________________ 431 Internet Protocol (IP) _________________________________________________________________________ 433 IP Specifications _________________________________________________________________________ 433 IP Defaults ______________________________________________________________________________ 433 IP Overview _____________________________________________________________________________ 433 IP Protocols ____________________________________________________________________________ 433 Transport Protocols ______________________________________________________________________ 434 Application-Layer Protocols _______________________________________________________________ 434 Additional IP Protocols ___________________________________________________________________ 434 IP Forwarding ___________________________________________________________________________ 435 Static Route _____________________________________________________________________________ 435 Default Route ____________________________________________________________________________ 435 Address Resolution Protocol (ARP) __________________________________________________________ 436 The Time-to-Live (TTL) Value _____________________________________________________________ 436 Local Proxy ARP _________________________________________________________________________ 436 ARP Filtering ____________________________________________________________________________ 436 IP-Directed Broadcasts ____________________________________________________________________ 437 Denial of Service (DoS) Filtering ____________________________________________________________ 437 IP Services ______________________________________________________________________________ 438 Managing IP_____________________________________________________________________________ 438 Internet Control Message Protocol (ICMP)____________________________________________________ 438 The Minimum Packet Gap_________________________________________________________________ 439 ICMP Control Table _____________________________________________________________________ 439 ICMP Statistics Table ____________________________________________________________________ 439 The Ping Command______________________________________________________________________ 439 Tracing an IP Route______________________________________________________________________ 439 Displaying TCP Information _______________________________________________________________ 439 Displaying UDP Information_______________________________________________________________ 439 Tunneling _______________________________________________________________________________ 440 Generic Routing Encapsulation _____________________________________________________________ 440 IP Encapsulation within IP ________________________________________________________________ 440 Tunneling operation______________________________________________________________________ 440 IPv6 ______________________________________________________________________________________ 441 IPv6 Specifications________________________________________________________________________ 441 IPv6 Defaults ____________________________________________________________________________ 441 IPv6 Overview ___________________________________________________________________________ 442 IPv6 Addressing __________________________________________________________________________ 442 IPv6 Address Notation ____________________________________________________________________ 443 IPv6 Address Prefix Notation _______________________________________________________________ 443 Auto-configuration of IPv6 Addresses ________________________________________________________ 443 Tunneling IPv6 over IPv4 __________________________________________________________________ 444 6to4 Tunnels _____________________________________________________________________________ 444 6to4 Site to 6to4 Site over IPv4 Domain ______________________________________________________ 445 6to4 Site to IPv6 Site over IPv4/IPv6 Domains _________________________________________________ 446 Configured Tunnels _______________________________________________________________________ 446 IPX ______________________________________________________________________________________ 447 IPX Specifications ________________________________________________________________________ 447 IPX Defaults _____________________________________________________________________________ 447 IPX Overview ____________________________________________________________________________ 447 IPX Routing _____________________________________________________________________________ 448 IPX Router Port Configuration Options ______________________________________________________ 448 Static Routes ____________________________________________________________________________ 449 Type-20 Packet Forwarding ________________________________________________________________ 449 OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 9 Software & Hardware Release: AOSv6.3.1r01 Alcatel-Lucent-ESD Calabasas/CA./USA
Extended RIP and SAP Packets _____________________________________________________________ 449 RIP and SAP Timers ______________________________________________________________________ 449 Using the PING Command _________________________________________________________________ 449 IPX RIP/SAP Filtering ____________________________________________________________________ 450 RIP Filters _____________________________________________________________________________ 450 SAP Filters ____________________________________________________________________________ 450 GNS Filters ____________________________________________________________________________ 450 RIP_______________________________________________________________________________________ 451 RIP Specifications ________________________________________________________________________ 451 RIP Defaults _____________________________________________________________________________ 451 RIP Overview ____________________________________________________________________________ 452 RIP Version 2 __________________________________________________________________________ 452 RIP Routing ____________________________________________________________________________ 453 The RIP Interface Metric __________________________________________________________________ 453 The RIP Forced Hold-down Interval _________________________________________________________ 454 RIP Redistribution _______________________________________________________________________ 454 Redistribution Metric_____________________________________________________________________ 454 RIP Redistribution Filter __________________________________________________________________ 454 RIP Security ___________________________________________________________________________ 454 OSPFv2 / OSPFv3 ___________________________________________________________________________ 455 OSPFv2 Specifications ____________________________________________________________________ 455 OSPFv2 Defaults _________________________________________________________________________ 456 OSPFv3 Specifications ____________________________________________________________________ 457 OSPFv3 Defaults _________________________________________________________________________ 457 OSPF Overview __________________________________________________________________________ 458 OSPF Areas ____________________________________________________________________________ 459 Classification of Routers __________________________________________________________________ 460 Virtual Links ___________________________________________________________________________ 460 Stub Areas _____________________________________________________________________________ 461 Not-So-Stubby-Areas ____________________________________________________________________ 461 Totally Stubby Areas ______________________________________________________________________ 462 Equal Cost Multi-Path (ECMP) Routing _____________________________________________________ 463 Non Broadcast OSPF Routing ______________________________________________________________ 463 Graceful Restart on Sw itches w ith Redundant Management _____________________________________ 464 Interface Authentication ___________________________________________________________________ 464 IS-IS _____________________________________________________________________________________ 465 IS-IS Specifications _______________________________________________________________________ 465 IS-IS Defualts Table ______________________________________________________________________ 465 IS-IS Overview ___________________________________________________________________________ 467 IS-IS Packet Types _______________________________________________________________________ 468 IS-IS Areas ______________________________________________________________________________ 469 Graceful Restart on Stacks with Redundant Sw itches ___________________________________________ 470 IS-IS Application Example _________________________________________________________________ 471 BGP ______________________________________________________________________________________ 472 BGP Specifications _______________________________________________________________________ 472 BGP Overview ___________________________________________________________________________ 473 Autonomous Systems (ASs) ________________________________________________________________ 474 Internal vs. External BGP _________________________________________________________________ 475 Communities ____________________________________________________________________________ 476 Route Reflectors _________________________________________________________________________ 477 BGP Confederations ______________________________________________________________________ 478 Policies _________________________________________________________________________________ 479 Regular Expressions ______________________________________________________________________ 480 The Route Selection Process ________________________________________________________________ 480 Route Dampening ________________________________________________________________________ 481 OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 10 Software & Hardware Release: AOSv6.3.1r01 Alcatel-Lucent-ESD Calabasas/CA./USA
CIDR Route Notation _____________________________________________________________________ 481 Synchronizing BGP and IGP Routes _________________________________________________________ 481 Controlling Route Flapping Through Route Dampening ________________________________________ 482 Example: Flapping Route Suppressed, then Unsuppressed ______________________________________ 482 Setting Up Route Reflection ________________________________________________________________ 483 Working with Communities ________________________________________________________________ 485 Routing Policies __________________________________________________________________________ 485 RDP ______________________________________________________________________________________ 486 RDP Specifications _______________________________________________________________________ 486 RDP Defaults ____________________________________________________________________________ 486 RDP Overview ___________________________________________________________________________ 487 RDP Interfaces__________________________________________________________________________ 488 Security Concerns _______________________________________________________________________ 488 Defining the Advertisement Interval _________________________________________________________ 488 DHCP Relay _______________________________________________________________________________ 489 DHCP Relay Specifications_________________________________________________________________ 489 DHCP Relay Defaults _____________________________________________________________________ 489 DHCP Relay Overview ____________________________________________________________________ 490 DHCP ________________________________________________________________________________ 490 DHCP and the OmniSwitch________________________________________________________________ 490 DHCP Relay and Authentication____________________________________________________________ 491 External DHCP Relay Application __________________________________________________________ 491 Internal DHCP Relay_____________________________________________________________________ 492 DHCP Relay Implementation ______________________________________________________________ 493 Per-VLAN DHCP _______________________________________________________________________ 493 Enabling BOOTP/DHCP Relay_____________________________________________________________ 493 Using Automatic IP Configuration __________________________________________________________ 493 UDP Port Relay __________________________________________________________________________ 494 Configuring DHCP Security Features ________________________________________________________ 494 Using the Relay Agent Information Option (Option-82)__________________________________________ 495 How the Relay Agent Processes DHCP Packets from the Client ___________________________________ 495 How the Relay Agent Processes DHCP Packets from the Server ___________________________________ 495 Using DHCP Snooping ___________________________________________________________________ 496 DHCP Snooping Configuration Guidelines____________________________________________________ 496 VRRP ____________________________________________________________________________________ 497 VRRP Specifications ______________________________________________________________________ 497 VRRP Defaults ___________________________________________________________________________ 497 VRRP Overview _________________________________________________________________________ 498 Why Use VRRP?________________________________________________________________________ 498 Definition of a Virtual Router ______________________________________________________________ 499 VRRP MAC Addresses ___________________________________________________________________ 499 ARP Requests __________________________________________________________________________ 499 ICMP Redirects _________________________________________________________________________ 499 VRRP Startup Delay _____________________________________________________________________ 500 VRRP Tracking _________________________________________________________________________ 500 Interaction With Other Features ____________________________________________________________ 500 Configuration Overview __________________________________________________________________ 500 Basic Virtual Router Configuration__________________________________________________________ 500 The Advertisement Interval ________________________________________________________________ 500 Virtual Router Priority____________________________________________________________________ 501 Preemption for Virtual Routers _____________________________________________________________ 501 VRRP Authentication ____________________________________________________________________ 501 VRRP Traps ___________________________________________________________________________ 502 VRRP Application Example _______________________________________________________________ 502 VRRP Tracking Example _________________________________________________________________ 503 OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 11 Software & Hardware Release: AOSv6.3.1r01 Alcatel-Lucent-ESD Calabasas/CA./USA
VRRP3 Application Example ______________________________________________________________ 504 VRRP3 Tracking Example ________________________________________________________________ 505 Quality Of Service (QoS) _____________________________________________________________________ 506 QoS Specifications ________________________________________________________________________ 506 QoS General Overview ____________________________________________________________________ 507 QoS Policy Overview ____________________________________________________________________ 507 How Policies Are Used ___________________________________________________________________ 508 Valid Policies __________________________________________________________________________ 508 Interaction With Other Features ____________________________________________________________ 508 Condition Combinations ___________________________________________________________________ 509 Action Combinations ______________________________________________________________________ 510 Condition and Action Combinations _________________________________________________________ 510 QoS Defaults ____________________________________________________________________________ 511 Global QoS Defaults _____________________________________________________________________ 511 QoS Port Defaults _______________________________________________________________________ 511 Policy Rule Defaults _____________________________________________________________________ 512 Policy Action Defaults ___________________________________________________________________ 512 Default (Built-in) Policies _________________________________________________________________ 512 QoS Configuration Overview _______________________________________________________________ 513 Automatic QoS Prioritization _______________________________________________________________ 513 Automatic Prioritization for NMS Traffic ____________________________________________________ 513 Automatic Prioritization for IP Phone Traffic _________________________________________________ 513 Using Quarantine M anager and Remediation _________________________________________________ 514 Using the QoS Log ________________________________________________________________________ 515 Forwarding Log Events to PolicyView / Console _______________________________________________ 515 Classifying Bridged Traffic as Layer 3 _______________________________________________________ 515 The Statistics Interval _____________________________________________________________________ 515 QoS Ports and Queues_____________________________________________________________________ 516 Shared Queues ___________________________________________________________________________ 516 Prioritizing and Queue Mapping ____________________________________________________________ 516 Priority to Queue Mapping Table ___________________________________________________________ 516 Queuing Schemes _________________________________________________________________________ 517 Trusted and Untrusted Ports _______________________________________________________________ 518 Policies _________________________________________________________________________________ 519 ASCII-File-Only Syntax ___________________________________________________________________ 519 Policy Conditions _________________________________________________________________________ 519 Policy Actions ____________________________________________________________________________ 520 Rule Precedence __________________________________________________________________________ 520 How Precedence is Determined_____________________________________________________________ 520 Rules with Compatible Actions _____________________________________________________________ 520 Rules with Conflicting Actions ______________________________________________________________ 520 Testing Conditions ________________________________________________________________________ 521 Using Condition Groups in Policies __________________________________________________________ 521 Using Network Groups ____________________________________________________________________ 521 Using Services & Service Groups ____________________________________________________________ 521 Using MAC Groups _______________________________________________________________________ 522 Using Port Groups ________________________________________________________________________ 522 Port Groups and Maximum Bandwidth ______________________________________________________ 522 Source Port Group Example _______________________________________________________________ 523 Destination Port Group Examples ___________________________________________________________ 523 Using Map Groups _______________________________________________________________________ 524 How Map Groups Work __________________________________________________________________ 524 Policy Applications _______________________________________________________________________ 525 Basic QoS Policies ________________________________________________________________________ 526 Basic Commands ________________________________________________________________________ 526 OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 12 Software & Hardware Release: AOSv6.3.1r01 Alcatel-Lucent-ESD Calabasas/CA./USA
Traffic Prioritization Example______________________________________________________________ 526 Bandwidth Shaping Example ______________________________________________________________ 526 Redirection Policies _______________________________________________________________________ 527 ICM P Policy Example _____________________________________________________________________ 528 802.1p and ToS/DSCP Marking and Mapping _________________________________________________ 529 Policy B ased Routing______________________________________________________________________ 530 Server Load Balancing (SLB) _______________________________________________________________ 531 Server Load Balancing Specifications ________________________________________________________ 531 Server Load Balancing Defaults _____________________________________________________________ 532 Server Load Balancing Overview ___________________________________________________________ 532 Server Load Balancing VIPs/Condition ______________________________________________________ 532 Server Load Balancing Example ____________________________________________________________ 533 Server Health M onitoring __________________________________________________________________ 534 IP Multicast Switching _______________________________________________________________________ 535 IPMS Specifications_______________________________________________________________________ 535 IPv6MS Specifications_____________________________________________________________________ 535 IPMS Default Values ______________________________________________________________________ 536 IPv6MS Default Values ____________________________________________________________________ 536 IPMS Overview __________________________________________________________________________ 537 IPMS Example _________________________________________________________________________ 537 Reserved M ulticast Addresses ______________________________________________________________ 538 IP M ulticast Routing ______________________________________________________________________ 538 PIM __________________________________________________________________________________ 538 DVMRP_______________________________________________________________________________ 538 IPMS and Link Aggregation _______________________________________________________________ 539 IGMP Version 3 __________________________________________________________________________ 539 MLD ___________________________________________________________________________________ 539 IPMS Application Example ________________________________________________________________ 540 Multicast Address Boundaries __________________________________________________________________ 541 M ulticast Boundary Specifications __________________________________________________________ 541 M ulticast Address Boundaries Overview _____________________________________________________ 541 Multicast Addresses and the IANA __________________________________________________________ 541 Administratively Scoped Multicast Addresses _________________________________________________ 541 Source-Specific Multicast Addresses ________________________________________________________ 541 Multicast Address Boundaries______________________________________________________________ 542 Concurrent Multicast Addresses ____________________________________________________________ 542 DVMRP___________________________________________________________________________________ 543 DVMRP Specifications ____________________________________________________________________ 543 DVMRP Defaults _________________________________________________________________________ 543 DVMRP Overview ________________________________________________________________________ 544 Reverse Path Multicasting _________________________________________________________________ 544 Neighbor Discovery _______________________________________________________________________ 545 M ulticast Source Location, Route Report M essages, and M etrics _________________________________ 545 Dependent Dow nstream Routers and Poison Reverse ___________________________________________ 546 Pruning Multicast Traffic Delivery __________________________________________________________ 546 Grafting B ranches Back onto the Multicast Delivery Tree _______________________________________ 546 DVMRP Tunnels _________________________________________________________________________ 547 PIM ______________________________________________________________________________________ 548 PIM Specifications ________________________________________________________________________ 548 PIM Defaults ____________________________________________________________________________ 548 PIM Overview ___________________________________________________________________________ 549 Rendezvous Points (RPs)__________________________________________________________________ 549 Candidate Rendezvous Points (C-RPs) _______________________________________________________ 549 Bootstrap Routers (BSRs) _________________________________________________________________ 549 Candidate Bootstrap Routers (C-BSRs) ______________________________________________________ 550 OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 13 Software & Hardware Release: AOSv6.3.1r01 Alcatel-Lucent-ESD Calabasas/CA./USA
Designated Routers (DRs)_________________________________________________________________ 550 Shared (or RP) Trees _____________________________________________________________________ 550 Avoiding Register Encapsulation ___________________________________________________________ 551 RP Initiation of (S, G) Source-Specific Join Message____________________________________________ 552 SPT Switchover _________________________________________________________________________ 553 PIM-SSM Support ________________________________________________________________________ 555 Source-Specific Multicast Addresses ________________________________________________________ 555 PIM-SSM Specification___________________________________________________________________ 555 IP Multicast VLAN __________________________________________________________________________ 556 IP M ulticast VLAN Specifications ___________________________________________________________ 556 IP M ulticast VLAN Defaults _______________________________________________________________ 556 IP M ulticast VLAN Overview ______________________________________________________________ 557 VLAN Stacking Mode _____________________________________________________________________ 557 IPMVLAN Lookup Mode __________________________________________________________________ 557 Enterprise Mode _________________________________________________________________________ 558 IPMV Packet Flows _______________________________________________________________________ 558 VLAN Stacking Mode _____________________________________________________________________ 558 Enterprise Mode _________________________________________________________________________ 560 IPMVLAN Application Example ____________________________________________________________ 561
Password Policies and Directory Servers _____________________________________________________ 575 Directory Server Schema for LDAP Authentication _____________________________________________ 575 LDAP Accounting Attributes ______________________________________________________________ 576 SSL for an LDAP Authentication Server _____________________________________________________ 576 Managing Policy Servers ______________________________________________________________________ 576 Policy Server Specifications ________________________________________________________________ 576 Policy Server Defaults _____________________________________________________________________ 576 Policy Server Overview ____________________________________________________________________ 577 Installing the LDAP Policy Server __________________________________________________________ 577 Secure Socket Layer for a Policy Server ______________________________________________________ 577 Interaction With CLI Policies ______________________________________________________________ 577 Diagnosing Switch Problems __________________________________________________________________ 578 UDLD ____________________________________________________________________________________ 578 UDLD Specifications ______________________________________________________________________ 578 UDLD Defaults __________________________________________________________________________ 578 UDLD Overview _________________________________________________________________________ 579 UDLD Operational Mode _________________________________________________________________ 579 Normal Mode __________________________________________________________________________ 579 Aggressive Mode________________________________________________________________________ 579 Mechanisms to Detect Unidirectional Links ___________________________________________________ 579 Neighbor database maintenance ____________________________________________________________ 579 Echo detection __________________________________________________________________________ 580 Port Mirroring ___________________________________________________________________________ 581 Port Mirroring Specifications ______________________________________________________________ 581 Port mirroring Defaults ___________________________________________________________________ 581 Using Port Mirroring with External RMON Probes _____________________________________________ 583 Remote Port M irroring ____________________________________________________________________ 584 Application Example _____________________________________________________________________ 584 Port Monitoring __________________________________________________________________________ 585 Port Monitoring Specifications _____________________________________________________________ 585 Port Monitoring Defaults__________________________________________________________________ 585 Remote Monitoring (RMON) _______________________________________________________________ 586 RMON Specifications ____________________________________________________________________ 586 RMON Probe Defaults ___________________________________________________________________ 586 Ethernet Statistics _______________________________________________________________________ 587 History (Control & Statistics) ______________________________________________________________ 587 Alarm_________________________________________________________________________________ 588 Event _________________________________________________________________________________ 588 Sw itch Health ____________________________________________________________________________ 589 Switch Health Specifications_______________________________________________________________ 589 Switch Health Defaults ___________________________________________________________________ 589 SFlow __________________________________________________________________________________ 591 Switch Logging _____________________________________________________________________________ 592 Sw itch Logging Specifications ______________________________________________________________ 592 Sw itch Logging Defaults ___________________________________________________________________ 592 Sw itch Logging Overview __________________________________________________________________ 593 Displaying Switch Logging Records _________________________________________________________ 594 Monitoring Memory _________________________________________________________________________ 595 M emory M onitoring Specifications __________________________________________________________ 595 M emory M onitoring Defaults _______________________________________________________________ 595 Debug Memory Commands Overview ________________________________________________________ 595 Logging into the Switch ______________________________________________________________________ 596 Logging Specifications_____________________________________________________________________ 596 Login Defaults ___________________________________________________________________________ 596 Overview of Switch Login Components ______________________________________________________ 597 OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 15 Software & Hardware Release: AOSv6.3.1r01 Alcatel-Lucent-ESD Calabasas/CA./USA
Management Interfaces____________________________________________________________________ 597 Logging Into the CLI_____________________________________________________________________ 597 Using the WebView Management Tool ______________________________________________________ 597 Using SNMP to Manage the Switch _________________________________________________________ 597 User Accounts __________________________________________________________________________ 597 Using Telnet _____________________________________________________________________________ 598 Using FTP_______________________________________________________________________________ 598 Using Secure Shell ________________________________________________________________________ 598 Secure Shell Components _________________________________________________________________ 598 Secure Shell Interface ____________________________________________________________________ 599 Secure Shell File Transfer Protocol __________________________________________________________ 599 Secure Shell Application Overview__________________________________________________________ 599 Secure Shell Authentication _______________________________________________________________ 599 Protocol Identification ____________________________________________________________________ 600 Algorithm and Key Exchange ______________________________________________________________ 600 The Login Banner ________________________________________________________________________ 600 The DNS Resolver ________________________________________________________________________ 600 Managing System Files _______________________________________________________________________ 601 File Management Specifications _____________________________________________________________ 601 Sw itch Administration Overview ____________________________________________________________ 601 File Transfer ____________________________________________________________________________ 601 Sw itch Directories ________________________________________________________________________ 602 File and Directory Management ____________________________________________________________ 602 Using Wildcards _________________________________________________________________________ 603 Directory Commands _____________________________________________________________________ 603 Loading Software onto the Switch ___________________________________________________________ 603 Using the Switch as an FTP Server __________________________________________________________ 603 Using the Switch as an FTP Client __________________________________________________________ 604 Using Zmodem _________________________________________________________________________ 604 Registering Software Image Files ____________________________________________________________ 605 Directories on the Switch __________________________________________________________________ 605 Available Image Files _____________________________________________________________________ 605 Setting the System Clock___________________________________________________________________ 606 Setting Date and Time _____________________________________________________________________ 606 Network Time Protocol (NTP) _________________________________________________________________ 607 NTP Specifications________________________________________________________________________ 607 NTP Defaults ____________________________________________________________________________ 607 NTP Overview ___________________________________________________________________________ 607 Stratum _________________________________________________________________________________ 608 Using NTP in a Network ___________________________________________________________________ 609 Authentication ___________________________________________________________________________ 610 Management Specifications ________________________________________________________________ 611 Management Files ________________________________________________________________________ 611 Management Software Directory Structure ___________________________________________________ 611 Where is the Switch Running From? _________________________________________________________ 612 Software Rollback Feature _________________________________________________________________ 612 Redundancy _____________________________________________________________________________ 612 Rebooting the Sw itch______________________________________________________________________ 613 Secondary Management unit Fail Over _______________________________________________________ 613 Other Stackable Units Behavior During Takeover _____________________________________________ 613 Copying the Running Configuration to the Working Directory ___________________________________ 614 Rebooting from the Working Directory ______________________________________________________ 615 Copying the Working Directory to the Certified Directory_______________________________________ 616 Using the CLI ______________________________________________________________________________ 617 CLI Specifications ________________________________________________________________________ 617 OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 16 Software & Hardware Release: AOSv6.3.1r01 Alcatel-Lucent-ESD Calabasas/CA./USA
CLI Overview ___________________________________________________________________________ 617 Online Configuration _____________________________________________________________________ 617 Offline Configuration Using Configuration Files _______________________________________________ 617 Command Entry Rules and Syntax __________________________________________________________ 618 Text Conventions _________________________________________________________________________ 618 Using Show Commands _________________________________________________________________ 618 Using the No Form______________________________________________________________________ 618 Using Alias Commands __________________________________________________________________ 618 Partial Keyword Completion _______________________________________________________________ 619 Command Help __________________________________________________________________________ 619 CLI Services _____________________________________________________________________________ 620 Command Line Editing ____________________________________________________________________ 620 Syntax Checking _________________________________________________________________________ 620 Prefix Recognition ________________________________________________________________________ 620 Command History ________________________________________________________________________ 620 Logging CLI Commands and Entry Results ___________________________________________________ 620 Customizing the Screen Display _____________________________________________________________ 621 Changing the CLI Prompt _________________________________________________________________ 621 M ultiple User Sessions ____________________________________________________________________ 621 Working With Configuration Files ______________________________________________________________ 621 Configuration File Specifications ____________________________________________________________ 621 Configuration Files Overview_______________________________________________________________ 621 Applying Configuration Files to the Switch ___________________________________________________ 621 Managing Switch User Accounts _______________________________________________________________ 622 User Database Specif ications _______________________________________________________________ 622 User Accounts Defaults ____________________________________________________________________ 622 Overview of User Accounts_________________________________________________________________ 622 Startup Defaults __________________________________________________________________________ 623 Default User Settings ______________________________________________________________________ 623 SNMP Access for a User Account ___________________________________________________________ 624 End-User Profiles ________________________________________________________________________ 624 Managing Switch Security ____________________________________________________________________ 625 Sw itch Security Specifications ______________________________________________________________ 625 Sw itch Security Defaults ___________________________________________________________________ 625 Sw itch Security Overview __________________________________________________________________ 625 Authenticated Sw itch Access _______________________________________________________________ 625 AAA ServersRADIUS or LDAP ___________________________________________________________ 626 Authentication-onlyACE/Server __________________________________________________________ 626 Interaction With the User Database _________________________________________________________ 627 ASA and Authenticated VLANs _____________________________________________________________ 627 Configuring Authenticated Switch Access ____________________________________________________ 627 Accounting for ASA ______________________________________________________________________ 627 Using WebView ____________________________________________________________________________ 628 WebView CLI Defaults ____________________________________________________________________ 628 WebView Overview _______________________________________________________________________ 628 WebView Page Layout ___________________________________________________________________ 628 Banner ________________________________________________________________________________ 629 Toolbar _______________________________________________________________________________ 629 Feature Options _________________________________________________________________________ 629 View/Configuration Area _________________________________________________________________ 629 WebView Help _________________________________________________________________________ 629 Using SNMP _______________________________________________________________________________ 630 SNMP Specifications ______________________________________________________________________ 630 SNMP Defaults __________________________________________________________________________ 630 SNMP Overview _________________________________________________________________________ 631 OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 17 Software & Hardware Release: AOSv6.3.1r01 Alcatel-Lucent-ESD Calabasas/CA./USA
SNMP Operations ________________________________________________________________________ 631 Using SNM P for Switch Management ________________________________________________________ 631 Setting Up an SNMP Management Station ____________________________________________________ 632 SNMP Versions __________________________________________________________________________ 632 SNMPv1 ______________________________________________________________________________ 632 SNMPv2 ______________________________________________________________________________ 632 SNMPv3 ______________________________________________________________________________ 632 Using SNM P For Switch Security ___________________________________________________________ 633 Community Strings (SNMPv1 and SNMPv2)__________________________________________________ 633 Encryption and Authentication (SNMPv3) ____________________________________________________ 633 Working with SNMP Traps ________________________________________________________________ 633 Trap Filtering___________________________________________________________________________ 633 Filtering by Trap Families _________________________________________________________________ 633 Filtering By Individual Trap _______________________________________________________________ 634 Authentication Trap______________________________________________________________________ 634 Trap Management ________________________________________________________________________ 634 Replaying Traps_________________________________________________________________________ 634 Absorbing Traps ________________________________________________________________________ 634 Sending Traps to WebView________________________________________________________________ 634 SNMP MIB Inf ormation ___________________________________________________________________ 635 MIB Tables ____________________________________________________________________________ 635 MIB Table Description ___________________________________________________________________ 635
Appendix #1___________________________________________________________________636
SNMP Trap Tables __________________________________________________________________ 636
Appendix #2___________________________________________________________________656
SNMP MIB Tables___________________________________________________________________ 656
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 18 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Disclaimer
The information contained in this document represents the features of the listed Alcatel-Lucent Products. Alcatel-Lucent makes no claims regarding the accuracy of this published information and specifically disclaims all liability for loss or damages of any kind resulting from discussions made or actions taken by any party based on this information. Product inf ormation contained in this document is subject to change and frequent updates without prior notice. Contact your local Alcatel-Lucent representative for the most current information. Copyright 2004 Alcatel-Lucent Internetworking, Inc. All rights reserved. This document will not be reproduced in whole or in part without the express written permission of Alcatel-Lucent Internetworking.
Trademark Text
To protect the Alcatel-Lucent trademark, the following legal text must be inserted in the body of all RFPs, RFIs, and quotations. Alcatel-Lucent is a registered trademark of Alcatel-Lucent, a society anonym organized under the laws of the Republic of France. The first use of Alcatel-Lucent in any documents must include a "" registered trademark symbol.
Revision History
Rev. Preliminary Rev. 1.0 Rev. 2.0 Date: April 2006 June 2006 July 2006 Revision Description Preliminary draft. The OmniSwitch Boilerplate document version 1.0 was published in June 2006. Official Hardware & Software Release: AOSv6.1.2.r03 The OmniSwitch Boilerplate document version 2.0 was published in July 2006. Official Hardware & Software Release: AOSv6.1.2.r03 The OS6850-U24X definition and MTBF values were updated. The OmniSwitch Boilerplate document version 3.0 was published in Feb. 2007. Official Hardware & Software Release: AOSv6.1.3.r01 The OmniSwitch Boilerplate document version 4.0 was published in Nov. 2007. Official Hardware & Software Release: AOSv6.1.5.r01 The OmniSwitch Boilerplate document version 5.0 was published in Nov. 2007. Official Hardware & Software Release: AOSv6.2.1r01 The OmniSwitch Boilerplate document version 6.0 was published in Feb. 2008. Official Hardware & Software Release: AOSv6.3.1r01 The OmniSwitch Boilerplate document version 6.1 was published in Sept. 2008. Modifications to the raw capacily and throughput numbers made to allogh with the calculations for OS6400 Corrections for NEBS complience Removed all references to ASIC , CPU , transceivers vendors
Rev. 3.0 Rev. 4.0 Rev. 5.0 Rev. 6.0 Rev. 6.1
Feb. 2007 Nov. 2007 Nov. 2007 Feb. 2008 Sept. 2008
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 19 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
About Boilerplate
It is highly recommended that this Boilerplate document be used along with other Related Documents to collectively gather the most up-to-date information required for responding to customers RFPs & RFIs proposals. This document will not contain detailed design/f unctional/configuration, and/or software/hardware architectural specifications. It will only provide an overview of such aforementioned specifications. Alcatel-Lucent Internetworking Boilerplate documents include the following series: AOS OmniSwitch 9000 Series AOS OmniSwitch 7000 Series AOS OmniSwitch 6850 Series AOS OmniSwitch 6800 Series AOS OmniSwitch 6600/6602 Series OmniStack LS 6200 Product Families OmniAccess Wireless LAN (WLAN) Product Families OmniVista Network Management System Alcatel-Lucent Internetworking Sw itching and Routing Product Families --MTBF Legacy Product Families: AOS OmniSw itch 8800 OmniStack 6024/6124/6148/8008 Product Families OmniStack 6300 Product Families XOS OmniAccess 512 Product Family OmniCore 5000 Series XOS Omni Switch/Router (OSR) XOS Product Family XOS OmniSw itch Product Family XOS OmniStack Product Family
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 21 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 22 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 23 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
There is a noticeable performance boost in triple-play networks from advanced services and at a great price allowing customers to buy tomorrows capabilities today.
Enhanced security that is adaptive to user mobility, is proactive and reactive at the edge, core, and throughout the network
Security domain VLAN classification helps to contain viruses and network attacks maintaining network uptime for critical operations. Security domains provide safe network connectivity for infected devices to be re-mediated. Reduces IT support requirements and man-hours by using network intelligence that automates otherwise manual intervention.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 24 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Simplified manageability
The Omni product families use the same Alcatel-Lucent Operating System as the other OmniSwitch products, reducing or eliminating the need to train existing users. The Omni product families models are fully manageable by Alcatel-Lucent Network Manager OmniVista. Managing Alcatels entire suite of solutions and equipment is OmniVista. OmniVista eases the management burden in many ways: First, by centralizing the management activities of device discovery, topology / health maps, traps and health statistics, the LAN manager can quickly ascertain the networks condition at a glance. Next, through streamlining bulk operations, the IT staff has a mechanism to push configurations, QoS, security, VLAN memberships, and image files to the devices in the network or to schedule after hours back up of the configurations and image files. Finally, OmniVista utilizes self-contained applications - like the Automated Quarantine Manager - to deliver value added services like malicious behavior containment, or the OneTouch QoS to deliver end-to-end QoS policy enforcement. From this single application, the IT staff can access secure telnet and https GUI sessions with the Alcatel devices, and discover 3rd party equipment through their MIB identity. OmniVista is the platform, which provides the enterprise with the ease of management necessary to grow securely. The Omni product families provide a superior architecture with no single point of failure in its stacked configuration. They offer: Redundancy - Replaceable and redundant power supplies Virtual chassis - Fault tolerant loop stacking - Automatic election of primary and secondary manager - Single IP address for management - Image roll back to automatically reload previous configurations Resiliency - Network uptime is maximized by the wide support of open advanced routing redundancy protocols and mechanisms for fast reconfiguration of links between switches, servers, and other network devices. The Omni product families family provide: IPv6 support with hardware-based forwarding for wire-speed classification and tunneling. Flexibility choice of deploying IPv4, IPv6, or IPv4/IPv6 without compromising switch performance. Hardware-based classification (access control lists (ACLs) and quality of service (QoS)), forwarding and management for IPv6. A transition from an existing IPv4 network by support of tunneling
By offering the same operating system, existing users are familiar with the product from the first day, reducing the cost of ownership by eliminating the need for training.
By providing true redundancy, an enterprise can provide a reliable network for triple play applications.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 25 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Evolution / Migration
Interoperability
Alcatel-Lucent is strongly and fully committed to evolve its full array of comprehensive products and solutions to meet the emerging requirements for the next generation technological advancements. To remain highly competitive in the market place, the Omni family of innovative Products & Solutions Technology will continue to evolve and develop to incorporate the most advanced feature set that meets the new emerging networking requirements. As a matter of fact, to remain highly competitive in the market place, the Omni family of innovative Products & Solutions & Technologies has continued to evolve and develop to incorporate the most advanced feature set that meets the new emerging networking requirements in the enterprise LAN, MAN edge/access and WAN access. We can definitely today, compete very well with Cisco, Nortel and other vendors as applicable in this space. The new resilient, continuous switching, and standards-based architecture design of the Omni family of innovative Products & Solutions is highly interoperable not only within the existing Alcatel-Lucents family of enterprise network switching and routing products, but also within other vendors similar enterprise-networking switching and routing products in the market place.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 26 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Value add with emphasis on the Wireless LAN & Wired LAN solutions
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 27 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Extensive Experience
With 23,000 technology patents and a history of more than 100 years in the communications field, AlcatelLucent has proven experience. Alcatel-Lucent serves more than 500,000 customers, including many of the Fortune 500 and leading companies in most sectors. Alcatel-Lucents century of innovation and engineering has allowed us to provide the enterprise network with solutions that span the entire IP communications house. This house has at its top story the productivity enhancing applications, which run on Alcatel-Lucents award winning IP telephony communication servers. Supporting these products is the IP networking data products - the foundation of the IP communications house. As you well know, any house is only as strong as its foundation. We understand that an enterprise network must be able to rely on its infrastructure to deliver the communications and applications necessary to conduct business and take care of users. The first requirement is availability- we expect the phone and applications that expand the value of voice communications or integrate voice and data communications to be available. Our experience tells us that these networks must also be secure, and easily managed, otherwise valuable capital is diverted from the business goals of the company, lessening the opportunity to react to market changes and opportunities. Alcatel-Lucent also knows that the value to the enterprise can be measured in multiple ways - from the solutions purchased to the solutions enabled via partnerships and adherence to industry standards. As you learn more about us and our business philosophy, you will come to know that our greatest benefit to you and your company is not just the industry leading solutions we provide, but the synergies we create with the other products and solutions already deployed in your network. You see, we believe a strong foundation is not just to support the existing building, but to also support future growth. High Availability Your business users demand much, but assume one thing above all: availability. Using a strong hardwaresoftware mix, Alcatel-Lucent IP infrastructure solutions create a single-entity network that is resistant to configuration errors and doesn't need resetting after changes. Together with highly affordable, redundant network management and continuous switching capabilities, Alcatel-Lucents IP infrastructure solutions ensure fail-safe and cost effective business operations. High Security With Alcatel-Lucent IP infrastructure solutions, your information assets are really protected, from the core to the edge. The same security features are embedded in all Alcatel-Lucent IP infrastructure components: you dont need to go through a programming nightmare when deploying your network security policy or adding a new switch to the system. Security problems can be isolated and contained; specific security tasks can be addressed. In a nutshell, with an Alcatel-Lucent IP infrastructure, gaps in the communication protection system are eliminated, including at the PBX level. Simplified Management Alcatel-Lucent IP infrastructure solutions leverage common components and feature sets, running on a single operating system for centralized management. This simplifies both deployment and day-to-day operations, while minimizing down time. As a result, total network running costs decrease, and you can easily anticipate or react to evolving business needs. Last but not least, your IT people will appreciate the one-touch graphical approach of fully featured yet easy-to-use network management applications, helping them work more easily and quickly. Managing Alcatel-Lucents entire suite of solutions and equipment is OmniVista. OmniVista eases the management burden in many ways: First, by centralizing the management activities of device discovery, topology / health maps, traps and health statistics, the LAN manager can quickly ascertain the networks condition at a glance. Next, through streamlining bulk operations, the IT staff has a mechanism to push configurations, QoS, security, VLAN memberships, and image files to the devices in the network or to schedule after hours back up of the configurations and image files. Finally, OmniVista utilizes self-contained applications - like the Automated Quarantine Manager - to deliver value added services like malicious behavior containment, or the OneTouch QoS to deliver end-toend QoS policy enforcement. From this single application, the IT staff can access secure telnet and https GUI sessions with the AlcatelLucent devices, and discover 3rd party equipment through their MIB identity. OmniVista is the platform, which provides the enterprise with the ease of management necessary to grow securely.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 28 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Product Portfolio
Escalation
The Alcatel-Lucent Internetworking product portfolio consists of a full range of Ethernet based switches that address the Enterprises entire networking needs. The family of Alcatel-Lucent Ethernet switches range from entry-level L2+ switches where price is the main concern all the way up to advanced L3 modular or fixed configuration chassis providing state-of-theart and standard-based features that meet the stringent requirements for an highly available, highly secure and highly manageable networking infrastructure. The LAN switches, which support your business communications, come in two sets - entry level, fixed configuration and AOS advanced featured core to wiring closet. The entry level, fixed configuration solutions are provided for those customers who do not need to provide the advance services and security features our AOS switches provide. Typically small businesses, these solutions do provide great price/performance value for 10/100 and 10/100/1000. Our AOS advanced services switches deliver on our promise to deliver the industrys best value. Our core offerings of the OmniSwitch 9000 and 7000 family provide features which are important to the enterprise core - native server load balancing, link aggregation, high density gigabit and 10 gigabit, as well as support for routing protocols and multicast, classic IP addressing as well as IPv6, hot swappable modules and full management and power supply redundancy to promote high availability. Our advanced stackable line runs the same OS, and can be managed just like a chassis - one IP address, with management module redundancy for high availability. Supporting PoE, standard routing protocols and multicast, classic and IPv6 addressing as well as a host of other features, our AOS switch line is the easiest to manage in the industry, with a price to performance relationship unmatched in the industry. Expanding the IP communications foundation, Alcatel-Lucents OmniAccess WLAN family provides the enterprise with the industrys most complete WLAN security, availability, and mobility solutions. Further, the OmniAccess Service Gateways products perform at wire speed even with small packet sizes or network services enabled and include a wide array of WAN integrated capabilities - eliminating the need to purchase extra equipment to support additional WAN services. Alcatel-Lucents enterprise SNMP manager, OmniVista, can manage the entire portfolio. Alcatel-Lucent is fully committed to providing a comprehensive range of services and programs in support of its vast array of products. Alcatel-Lucents ecosystem of more than 1,500 partners helps ensure that solutions will be installed, integrated, fully supported and maintained according to Alcatel-Lucents high standards, following global best practices. Alcatel-Lucents Accreditation Program ensures that its partners are fully trained on the latest technologies and techniques to meet and support customer requirements. Technical Support An Alcatel service agreement brings your company the assurance of 7x24 no-excuses technical support. Youll also receive regular software updates to maintain and maximize your Alcatel products features and functionality and on-site hardware replacement through our global network of highly qualified service delivery partners. Additionally, with 24-hour-a-day access to Alcatels Service and Support web page, youll be able to view and update any case (open or closed) that you have reported to Alcatels technical support, open a new case or access helpful release notes, technical bulletins, and manuals. SUPPORTbasic 7 X 24 Technical Response Center (7x24 phone support) Includes e-service web access, software releases and repair and return of hardware to be completed in 10 business days from receipt for same version only. Excludes NMS & Authentication Services software. SUPPORTplus hardware support Includes 7X24 phone support, software releases for same version only, e-service web access, advance shipment for next business day arrival of replacement hardware. Excludes NMS & Authentication Services software. SUPPORTtotal hardware support Includes 7X24 phone support, software releases for same version only, e-service web access, same day 4-hour hardware replacement (labor & parts) 7 days a week 24 hours a day. Allow 30 days lead time from receipt of sales order. Excludes NMS & Authentication Services software. Upon opening a case, customers will receive a case number and may review, update, or escalate support cases on-line. Escalation process is based on the severity level of the issue per the definitions below. Severity 1: Production network is down resulting in critical impact on businessno workaround Severity 2: Segment or Ring is down or intermittent loss of connectivity across network. Severity 3: Network performances are slow or impairedno loss of connectivity or data. Severity 4: Information or assistance on product feature, functionality, configuration, or installation.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 29 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Key Partners
Customer Training
Warranty Service & Support Programs & End Of Life Lifetime Support
Life Span
Customers can access customer support 24 x 7 x 365 via toll free number or Internet. Professional services can be contracted to perform a variety of functions, including customer network operations center management, network audits, security installation, network design, equipment staging, configuration and installation, resident engineering, proof of concept, solutions development and integration. Customers may take advantage of professional services with regard to customizing the network management system for optimal tuning in a multi-vendor environment. Professional Services also offers Customer Network Operations Center Service, which proactively monitors the customer network and responds to alarms and traps. Alcatel-Lucent has created a partnering program that enables it to work with a set of vendors in order to provide solutions that fall outside of its core competencies. Partnerships provide channels and customers a catalog of product solutions that are easy to find, evaluate, buy, install, and operate. Alcatel-Lucent offers instruction on its enterprise data products in a variety of modes instructor-led training (ILT), computer-based training (CBT), web-based training (WBT), and customized seminars/workshops/webinars. ILT is offered at several locations or on-site at customer locations. All instructors are Alcatel-Lucent Certified Switch Instructors (ACSIs). This means they have attended all of the courses, completed all of the certifications and attended the weeklong Train-the-Trainer program that includes a review of Alcatel-Lucent training policies, procedures, and practices to assure consistent delivery of information around the world. Standard Warranty Support All Alcatel-Lucent's products come with a standard one-year warranty on hardware and a three-month warranty on software. Hardware DOA Warranty If hardware fails within the first 30 days after delivery, call Alcatel-Lucent's Internetworking Division Customer Service by 2:00 p.m. (Pacific Standard Time) and they will send a replacement part overnight. One-year Hardware Warranty After the first 30 days, call Alcatel-Lucent's Internetworking Division Customer Service for a Return material Authorization (RMA) and ship the part back to them for factory repair. The repaired unit will be shipped back to you from our facility within 10 business days. Next day, advanced replacement is available for a small expedited fee. All-in-One Maintenance: All maintenance fix releases will be provided free of charge during the first 90 days. Service & Support Programs & End Of Life (EOL) In accordance with Alcatel-Lucents established Product Life Cycle policy, as well as its customer satisfaction policy, Alcatel-Lucent will honor its obligations to customers currently under warranty or with valid purchased service agreements relating to a product line for five (5) years (Software: three (3) years and Hardware: five (5) years) beyond the EOL (End Of Life) of a product line. Lifetime Support All versions of the stackaable product families come with a Limited Lifetime Hardware Warranty, limited to the original owner, and will be provided for up to five (5) years. Faulty parts will be replaced via a five (5) business days AVR (Advance Replacement) RMA. Limited Lifetime Warranty does not apply to SFPs. The Alcatel Product Life Span depends on many conditions in the market place and varies from platform to platform. Historically speaking, some platforms have been out in the market more than seven (7) years and still continue to exist on our product portfolio, while others may have experienced shorter life spans.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 30 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Lowering engineering and operational costs utilizing a common NMS (such as OmniVista & SAM management) Per port / feature / price ratio Pricing vs. the competition
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 31 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Alcatel-Lucent OmniSwitch 6850 Family The OS6850 family offers layer-3 PoE and non-PoE Gigabit Ethernet models as well as Fast Ethernet models upgradeable to Gigabit. All models in OmniSwitch family are stackable, fixed configuration chassis in a 1U form factor. They can be optionally equipped with pluggable SFP and XFP transceivers (depending on the model) that can support short, long and very long distances. The following chart indicates the differences in the OS6850 models.
Fixed-Chassis Types POE Ports Non-POE Ports 10 Gig. Stacking Ports 2 2 2 2 2 2 2 10 Gig. Uplinks 10/100/1000Mbps ,GigE, or 10/100Mbps Non-PoE Models N/A 20 10/100/1000 2 N/A 2 2 N/A N/A 20 10/100/1000 44 10/100/1000 48 10/100/1000 22 Gig SFP** 20 10/100*** 44 10/100*** Combo Ports* POE Power Budget Power Supplies supported
OS6850-24 /-24D OS6850-24X /-24XD OS6850-48 /-48D OS6850-48X /-48XD OS6850-U24X /-U24XD OS6850-24L /-24LD OS6850-48L /-48LD OS6850-P24 /-P24H OS6850-P24X /-P24XH OS6850-P48 /-P48H OS6850-P48X /-P48XH OS6850-P24L /-P24LH OS6850-P48L /-P48LH
24 24 48 48 24 24 48
4 4 4 N/A 2 4 4
126W AC-to-DC or 120W DC-to-DC 126W AC-to-DC or 120W DC-to-DC 126W AC-to-DC or 120W DC-to-DC 126W AC-to-DC or 120W DC-to-DC 126W AC-to-DC or 120W DC-to-DC 126W AC-to-DC or 120W DC-to-DC 126W AC-to-DC or 120W DC-to-DC Dual ext. 360W and/or 510W Dual ext. 360W and/or 510W Dual ext. 360W and/or 510W Dual ext. 360W and/or 510W Dual ext. 360W and/or 510W Dual ext. 360W and/or 510W
24 24 48 48 24 48
2 2 2 2 2 2
PoE Models**** N/A 20 10/100/1000 2 N/A 2 N/A N/A 20 10/100/1000 44 10/100/1000 48 10/100/1000 20 10/100*** 44 10/100***
4 4 4 N/A 4 4
240W / 390W 240W / 390W 240W / 390W 240W / 390W 240W / 390W 240W / 390W
*Combo ports are ports individually configurable to be 10/100/1000BaseT or 1000BaseX that can support SFP transceivers for short, long and very long distances. Combo Ports on the PoE Models: The Combo 10/100/1000BaseTcopper RJ-45 ports support PoE. The Combo 1000Base-X fiber SFP ports do not support PoE. ** Gig fiber interfaces support Gig SFP, dual-speed SFP or 100BaseX SFP optical transceivers. *** The 10/100 RJ-45 ports can be upgraded to 10/100/1000 speed by purchasing the OS6850-24L-UPGD or OS6850-48L-UPGD software license for 24-port and 48-port models respectively. **** The PoE Power Budget is subject to an extra overhead which has to be taken into account (please refer to the P/S Sec.)
Performance
The OS6850 family supports real-time voice, data, and video applications. The switches provide first packet wire-speed classification and processing for all packets in the data steam giving a noticeable performance boost to triple-play (voice, data and video) enterprise networks and at a great price allowing customers to buy tomorrows capabilities today. The OS6850s support advanced services such as 10GigE, PoE and IPv6, future proofing todays investment to support the demands of tomorrow.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 33 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Supprim :
Secure Networking
OmniSwitch 6850 can support a distributed security approach, enhance emerging security technologies, and help secure the LAN edge using proactive and reactive strategies. One proactive solution is to perform a host integrity check, which essentially ensures attached devices are running administrator defined credentials such as; operating system patch level, local firewall is activated, and that the anti-virus version is up to date prior to allowing network entry. Host integrity check solution is significantly enhanced by the OS6850 group mobility feature because it can automatically move hosts that pass inspection dynamically into their proper VLAN based on the user, regardless where they are physically or move them into a protected environment where they could maintain limited access to network resources for remediation. Since all security threats cannot be anticipated the enterprise also needs a reactive security solution that can respond quickly and effectively. When group mobility is combined with Alcatel-Lucents Quarantine Engine and supported Intrusion Detection Systems (IDS), the network can automatically detect attacks and take protective action such as writing a rule that drops the devices traffic, turning off the devices connectivity to the network or quarantine it to a protected environment. OmniSwitch 6850 series switches support additional security feature set to secure the LAN edge. Access control lists (ACLs) can filter out undesirable communication between hosts and can be a first line of defense against network attacks. In an Alcatel-Lucent OmniSwitch network, the authenticated VLAN feature provides the ability to authenticate by user with username and password and then dynamically place the user into the proper VLAN regardless of where they request access from. Other supported policy-based VLANs can do the same dynamic classification based on layer-2 and layer-3 packet information. IEEE 802.1x, a standards-based approach to network access, is an effective way of challenging a user by requesting a username and password before allowing access the network. Learned port security is a security feature that allows only pre-authorized network devices to communicate with each other. This provides protection against rogue devices such as WLAN access points, as well as unsecured and potentially virus infected laptops or PCs. Administration of the switch is secured by encrypting remote management with secure shell (SSH) for Telnet, Secure Socket Layer (SSL) for web-based management and SNMPv3 for network wide management systems such as Alcatel-Lucents OmniVista enterprise network management platform. Additionally all administrators are centrally authenticated through a RADIUS, LDAP or ACE server. A local database is also provided on every switch for administrator authentication.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 34 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
High Availability
The OmniSwitch 6850 stackable minimizes downtime, reduces operational complexity & cost and increases availability for mission-critical applications. The OmniSwitch 6850 supports the a wide range of availability features such as redundant management, redundant switching fabric/fault tolerant backplane, redundant power supplies, and link aggregation including 10Gigabit Ethernet that can be configured across physical switch boundaries. These attributes remove single points of failure. A very cost effective, highly available, scalable and re-configurable network can be achieved when the stackable-based chassis benefits of the OS6850 are deployed in conjunction with the OS9000 family. Additionally, standards-based features like per-VLAN spanning-tree 802.1s and rapid recovery spanning-tree 802.1w are used to provide added resiliency, fast fail-over to redundant links and layer-2 load sharing on otherwise unused network links (bandwidth capacity). Dynamic link aggregation 802.3ad provides inherent fail-over to remaining existing links in the aggregate should one or more links fail and automatically builds multi-gigabit capacity with other switches. By supporting the OS6850 backup power solution, customers have backup power for the OmniSwitch 6850s in case of any power supply failure. The OS6850s resiliency is provided through a superior architecture with no single point of failure in its stacked configuration. Resiliency is supported through physical and functional redundancy everywhere: Virtual chassis that provide management functionality and automatic election of primary and secondary managers Redundant subsystems in stacked configurations Redundant backup power supplies Fault tolerant loop stacking Virtual chassis that provides management functionality and automatic election of primary and secondary managers Hot swappable units and power supplies Image rollback to automatically re-load previous configurations and software versions Hitless loading of optional advanced routing software without re-booting
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 35 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Advanced QoS
Quality of service (QoS) addresses the need for mission critical applications to be always available by ensuring they receive expedited forwarding, reducing the chances of critical data flows getting interrupted or experiencing excessive delay. The OS6850 provides the necessary hardware queues, intelligence and granularity to properly identify (identification is based on layer-1 through layer-4 policy-based features), mark and prioritize data flows ensuring mission critical applications run smoothly.
IPv6 Support
Although there may not be an immediate need for IPv6 in an enterprise network, it should be included in upgrade plans to future proof the network and provide investment protection. Many leading industry analysts, such as Gartner Group and Burton, have indicated that it is not a matter of if, but when IPv6 will be a requirement for enterprise networks. By including it in current purchases, a network manager extends the life of existing equipment and prevents future expenses that would be required to upgrade to a switch that supports IPv6. The OS6850 family provides full IPv6 support with hardware-based forwarding for wire-rate speeds, classification and tunneling to address various corporate and U.S. federal government Department of Defense (DOD) requirements for IPv6. Flexibility is provided through a choice of deploying IPv4, IPv6, or IPv4/IPv6 without compromising switch performance. The OS6850s offer both native IPv6 routing and extensive support of IPv6 tunneling mechanisms, including configured, 6-in-4, and ISATAP tunneling.
Compliancy
1) RoHS-Alcatel's OmniSwitch 6850 family is among the first hardware to be in compliance with the new European Community's directive Restriction on Hazardous Substances in Electrical and Electronic Equipment (RoHS) 2) WEEE (Waste Electrical and Electronic Equipment) 3) NEBS Level 3 Certified All non-PoE models
WebView
Your IT person has long ago abandoned web management because it was too slow, inefficient and incapable. WebView updates happen instantly removing the biggest obstacle to simple fast management. Alcatel-Lucent WebView gives true real-world capabilities back to web browser element management and allows an IT staff of varying capabilities to quickly master and configure new features. The web interface provides point and click ease with quick access to help. WebView is full-featured and can configure and manage all switch features.
CLI
The AOS-based OS6850 uses an intuitive CLI that is common across the OmniSwitch line. A common and easy to use interface from the edge to the core can reduce total cost of ownership by reducing training costs, simplifying and speeding up deployment, and making troubleshooting efforts more routine.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 36 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Simplified Manageability
The group mobility feature inherent in the OS6850 also provides plug and play mobility for both wired and wireless users by removing physical limitations. The OS6850 can use device information, data traffic or user identity to automatically and dynamically keep the user connected to their resources seamlessly regardless of their location on the campus. Marketing, finance, operations and sales could all be in the same meeting at a common physical location, yet have secure and dynamic access to their respective network resources. Along with user benefits and greater user satisfaction, group mobility provides a kiosk hands-off operation to IT, reducing operational costs. Once initial rules for classification are defined further configuration or intervention is not necessary. The OS6850s design provides all the benefits of managing a truly chassis-based switch including: simple and quick software upgrades and switch configuration changes, single IP address for management, and a common look and feel with the rest of the OmniSwitch solutions. The AOS-based OS6850 uses an intuitive CLI that is common across the OmniSwitch line. A common and easy to use interface from the edge to the core can reduce total cost of ownership by reducing training costs, simplifying and speeding up deployment, and making troubleshooting efforts more routine. When the Alcatel-Lucent enterprise network management solution is used as the primary management tool, a very small IT staff can effectively and efficiently manage a large network of Alcatel-Lucent enterprise wired and wireless solutions, further reducing the man hours and support staff requirements. Because switches at the edge of the network are typically deployed in large numbers, it is essential that they are easy to install, configure, manage, and troubleshoot. The OmniSwitch 6850 uses an industry standard command line interface (CLI) to simplify configuration and reduce the total cost of ownership through reduced training costs. The OS6850 also includes a web based element manager with built-in help that provides point and click configuration for newer features reducing risk of misconfiguration and speeding up the introduction of new features. Every network connection begins at the physical layer where many network connectivity problems occur. Each 10/100/1000 switch port has the built-in capability, known as auto MDI/MDI-X, to determine if the cable attached is straight-thru or crossover and what network device (PC, switch, router) is on the other side of the cable to automatically create a link-up condition. Ports provide installation flexibility by supporting either copper or fiber link connectivity while reducing sparing costs by eliminating the need for separate Gigabit uplink modules.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 38 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 39 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Server Aggregation
The OmniSwitch 6850s small form factor, high performance and rich features set make it a great server aggregation switch, especially for space-constrained data centers where the switch can be installed in the same rack as the servers. Small Form Factor & High Performance fits well as rack mounted server aggregation (space constrained) o 10GigE connectivity-Server & redundant to Core o High-speed resilient stack ring o Multi-Channel Gig o Wire speed with full services implemented
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 40 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
L3 Aggregation/Distribution
The OmniSwitch 6850 placed in the distribution layer of three-tier networks provides high capacity wire speed L2 switching, L3 routing and intelligent services near the edge of the network. In addition, some models of the OmniSwitch 6850 family have four combo ports that are individually configurable to provide users the choice of copper or fiber. High Speed Distributed Processing Brings advanced services closer to edge
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 41 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 42 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 43 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Triple-Play Switching
The OmniSwitch 6850s are well suited for supporting, in real time, the triple-play applications of data, voice and video because of their resiliency and high performance. Other features that support triple play include: Wire-speed performance including the first packet giving a noticeable performance boost to triple play networks. Eight hardware-based quality of service (QoS) queues ensuring wire-speed packet classification and processing for all packets in a data steam
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 44 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 45 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 46 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850-P48XH
OS6850-24
OS6850-24D
OS6850-24X
OS6850-24XD
OS6850-48
OS6850-48D
OS6850-48X
OS6850-48XD
OS6850-U24X
OS6850-U24XD
OS6850-P48XH PoE chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 48 RJ-45 PoE ports individually configurable to 10/100/1000BaseT, two 10 Gigabit ports, and two dedicated stacking ports. The bundle includes a 510W AC PoE power supply with Power shelf and country specific power cord, user manuals access card, rack mounts, and RJ-45 to DB-9 adaptor. The 10 Gigabit optical transceivers (XFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OmniSwitch 6850 non-PoE Chassis Bundles OS6850-24 chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 20 RJ-45 ports individually configurable to 10/100/1000BaseT, 4 combo ports configurable to be 10/100/1000BaseT or 1000BaseX, and two dedicated stacking ports. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 126W AC power supply with Power shelf and country specific power cord; user manuals access card, rack mounts, and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies are can be ordered separately. OS6850-24D chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 20 RJ-45 ports individually configurable to 10/100/1000BaseT, 4 combo ports configurable to be 10/100/1000BaseT or 1000BaseX, and two dedicated stacking ports. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 120W DC power supply with Power shelf; user manuals access card, rack mounts, and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-24X chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 20 RJ-45 ports individually configurable to 10/100/1000BaseT, 4 combo ports configurable to be 10/100/1000BaseT or 1000BaseX, two 10 Gigabit ports, and two dedicated stacking ports. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 126W AC power supply with Power shelf and country specific power cord; user manuals access card, rack mounts, and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), 10 Gigabit optical transceivers (XFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-24XD chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 20 RJ-45 ports individually configurable to 10/100/1000BaseT, 4 combo ports configurable to be 10/100/1000BaseT or 1000BaseX, two 10 Gigabit ports, and two dedicated stacking ports. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 120W DC power supply with Power shelf, user manuals access card, rack mounts, and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), 10 Gigabit optical transceivers (XFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-48 chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 44 RJ-45 ports individually configurable to 10/100/1000BaseT, 4 combo ports configurable to be 10/100/1000BaseT or 1000BaseX, and two dedicated stacking ports. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 126W AC power supply with Power shelf and country specific power cord, user manuals access card, rack mounts, and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-48D chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 44 RJ-45 ports individually configurable to 10/100/1000BaseT, 4 combo ports configurable to be 10/100/1000BaseT or 1000BaseX, and two dedicated stacking ports. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 120W DC power supply with Power shelf, user manuals access card, rack mounts and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-48X chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 48 RJ-45 ports individually configurable to 10/100/1000BaseT, two 10 Gigabit ports, and two dedicated stacking ports. The bundle includes a 126W AC power supply with Power shelf and country specific power cord, user manuals access card, rack mounts and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), 10 Gigabit optical transceivers (XFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-48XD chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 48 RJ-45 ports individually configurable to 10/100/1000BaseT, two 10 Gigabit ports, and two dedicated stacking ports. The bundle includes a 120W DC power supply with Power shelf, user manuals access card, rack mounts and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), 10 Gigabit optical transceivers (XFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-U24X chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 22 1000 Base-X SFP ports, 2 combo ports configurable to be 10/100/1000BaseT or 1000BaseX, two 10 Gigabit ports, and two dedicated stacking ports. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 126W AC power supply with Power shelf and country specific power cord, user manuals access card, rack mounts and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), 10 Gigabit optical transceivers (XFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-U24XD chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 22 1000 Base-X ports, 2 combo ports configurable to be 10/100/1000BaseT or 1000BaseX, two 10 Gigabit ports, and two dedicated stacking ports. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 120W DC power supply with Power shelf, user manuals access card, rack mounts and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), 10 Gigabit optical transceivers (XFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 47 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850-P24L
OS6850-P24LH
OS6850-P48L
OS6850-P48LH
OS6850-24L
OS6850-24LD
OS6850-48L
OS6850-48LD
OmniSwitch 6850L PoE Chassis Bundles OS6850-P24L PoE chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992]. L3 Ethernet chassis in a 1U form factor with 20 RJ-45 PoE ports individually configurable to 10/100BaseT, 4 combo ports configurable to be 10/100/1000BaseT or 1000BaseX, and two dedicated stacking ports. The 20 10/100 PoE RJ-45 ports can also operate at Gigabit speed by purchasing the OS6850-24L-UPGD software license. On the combo ports, either copper or fiber can be used on a one for one basis. The bundle includes a 360W AC PoE power supply with Power shelf, country specific power cord, user manuals access card, rack mounts and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-P24LH PoE chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Ethernet chassis in a 1U form factor with 20 RJ-45 PoE ports individually configurable to 10/100BaseT, 4 combo ports configurable to be 10/100/1000BaseT or 1000BaseX, and two dedicated stacking ports. The 20 10/100 PoE RJ-45 ports can also operate at Gigabit speed by purchasing the OS6850-24L-UPGD software license. On the combo ports, either copper or fiber can be used on a one for one basis. The bundle includes a 510W AC PoE power supply with Power shelf, country specific power cord, user manuals access card, rack mounts and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-P48L PoE chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Ethernet chassis in a 1U form factor with 44 RJ-45 PoE ports individually configurable to 10/100BaseT, 4 combo ports configurable to be 10/100/1000BaseT or 1000BaseX, and two dedicated stacking ports. The 44 10/100 PoE RJ-45 ports can also operate at Gigabit speed by purchasing the OS6850-48L-UPGD software license. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 360W AC PoE power supply with Power shelf and country specific power cord, user manuals access card, rack mounts and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-P48LH PoE chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Ethernet chassis in a 1U form factor with 44 RJ-45 PoE ports individually configurable to 10/100BaseT, 4 combo ports configurable to be 10/100/1000BaseT or 1000BaseX, and two dedicated stacking ports. The 44 10/100 PoE RJ-45 ports can also operate at Gigabit speed by purchasing the OS6850-48L-UPGD software license. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 510W AC PoE power supply with Power shelf and country specific power cord, user manuals access card, rack mounts and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OmniSwitch 6850L non-PoE Chassis Bundles OS6850-24L chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Ethernet chassis in a 1U form factor with 20 RJ-45 ports individually configurable to 10/100BaseT, 4 combo ports configurable to be 10/100/1000BaseT or 1000BaseX, and two dedicated stacking ports. The 20 10/100 RJ-45 ports can also operate at Gigabit speed by purchasing the OS685024L-UPGD software license. On the combo ports, either copper or fiber can be used on a one for one basis. The bundle includes a 126W AC power supply with Power shelf and country specific power cord, user manuals access card, rack mounts, and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-24LD chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Ethernet chassis in a 1U form factor with 20 RJ-45 ports individually configurable to 10/100BaseT, 4 combo ports configurable to be 10/100/1000BaseT or 1000BaseX, and two dedicated stacking ports. The 20 10/100 RJ-45 ports can also operate at Gigabit speed by purchasing the OS685024L-UPGD software license. On the combo ports, either copper or fiber can be used on a one for one basis. The bundle includes a 120W DC power supply with Power shelf, user manuals access card, rack mounts, and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-48L chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Ethernet chassis in a 1U form factor with 44 RJ-45 ports individually configurable to 10/100BaseT, 4 combo ports configurable to be 10/100/1000BaseT or 1000BaseX, and two dedicated stacking ports. The 44 10/100 RJ-45 ports can also operate at Gigabit speed by purchasing the OS6850-48L-UPGD software license. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 126W AC power supply with Power shelf and country specific power cord; user manuals access card, rack mounts, and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-48LD chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Ethernet chassis in a 1U form factor with 44 RJ-45 ports individually configurable to 10/100BaseT, 4 combo ports configurable to be 10/100/1000BaseT or 1000BaseX, and two dedicated stacking ports. The 44 10/100 RJ-45 ports can also operate at Gigabit speed by purchasing the OS685048L-UPGD software license. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 120W DC power supply with Power shelf, user manuals access card, rack mounts and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 48 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850-SW-AR
OS-SW-SBR-N
OS-SW-SBR-S
OS6850-24L-UPGD OS6850-48L-UPGD
XFP-10G-ER40 XFP-10G-LR
XFP-10G-SR
XFP-10G-ZR80
SFP-GIG-47CWD60 SFP-GIG-49CWD60 SFP-GIG-51CWD60 SFP-GIG-53CWD60 SFP-GIG-55CWD60 SFP-GIG-57CWD60 SFP-GIG-59CWD60 SFP-GIG-61CWD60 SFP-GIG-BX-D SFP-GIG-BX-U SFP-GIG-EXTND
Backup Power Supplies OS6850-BP modular 126W AC backup power supply. Provides backup power to one non- PoE switch. Ships with chassis connection cable, country specific power cord, power shelf and connecting ears. OS6850-BP-D modular 120W DC backup power supply. Provides backup power to one non-PoE switch. Ships with chassis connection cable, power shelf and connecting ears. OS6850-BP-P modular 360W AC backup power supply. Provides backup power to one PoE switch. Ships with chassis connection cable, country specific power cord, power shelf and connecting ears. OS6850-BP-PH modular 510W AC backup power supply. Provides backup power to one PoE switch. Ships with chassis connection cable, country specific power cord, power shelf and connecting ears. Optional Advanced Routing Software OS6850 Advanced Routing software. Includes support for OSPFv2, BGPv4, PIM-SM/DM and DVMRP. Includes support for IPv6 Routing protocol OSPFv3. Optional Authenticated Services Software [ECCN 5D992] Authentication bundle for Windows w/MD5, RC4, MD4, DES. This bundle provides Funk Software's SteelBelted Radius Enterprise Edition for Microsoft Windows and includes a one-year maintenance contract (maintenance releases, 7X24 phone support and e-service web access). [ECCN 5D992] Authentication Bundle for Solaris w/MD5, RC4, MD4, DES. This bundle provides Funk Software's SteelBelted Radius Enterprise Edition for Sun Solaris and includes a one-year maintenance contract (maintenance releases, 7X24 phone support and e-service web access). Upgrade Software Software license that allows 10/100 RJ45 ports of OS6850-24L and OS6850-P24L chassis to operate also at Gigabit speed. Software license that allows 10/100 RJ45 ports of OS6850-48L and OS6850-P48L chassis to operate also at Gigabit speed. Transceivers 10-Gigabit Ethernet Transceivers (XFP MSA) 10 Gigabit Ethernet optical transceiver (XFP MSA). Supports single mode fiber over 1550nm wavelength (nominal) with an LC connector. Typical reach of 40 Km on 9/125 m SMF. 10 Gigabit Ethernet optical transceiver (XFP MSA). Supports single mode fiber over 1310nm wavelength (nominal) with an LC connector. Typical reach of 10 Km on 9/125 m SMF. [Formerly known as 10G-XFP-LR] 10 Gigabit Ethernet optical transceiver (XFP MSA). Supports multimode fiber over 850nm wavelength (nominal) with an LC connector. Typical reach of 300m on 50/125 m MMF. [Formerly known as 10G-XFP-SR] 10 Gigabit Ethernet optical transceiver (XFP MSA). Supports single mode fiber over 1550nm wavelength (nominal) with an LC connector. Typical reach of 80 Km on 9/125 m SMF. Gigabit Ethernet Transceivers (SFP MSA) CWDM Gigabit Ethernet optical transceiver (SFP MSA) w/ gray latch. Supports single mode fiber over 1470 nm wavelength (nominal) with an LC connector. Typical reach of 62 Km on 9/125 m SMF. CWDM Gigabit Ethernet optical transceiver (SFP MSA) w/ violet latch. Supports single mode fiber over 1490 nm wavelength (nominal) with an LC connector. Typical reach of 62 Km on 9/125 m SMF. CWDM Gigabit Ethernet optical transceiver (SFP MSA) w/ blue latch. Supports single mode fiber over 1510 nm wavelength (nominal) with an LC connector. Typical reach of 62 Km on 9/125 m SMF. CWDM Gigabit Ethernet optical transceiver (SFP MSA) w/ green latch. Supports single mode fiber over 1530 nm wavelength (nominal) with an LC connector. Typical reach of 62 Km on 9/125 m SMF. CWDM Gigabit Ethernet optical transceiver (SFP MSA) w/ yellow latch. Supports single mode fiber over 1550 nm wavelength (nominal) with an LC connector. Typical reach of 62 Km on 9/125 m SMF. CWDM Gigabit Ethernet optical transceiver (SFP MSA) w/ orange latch. Supports single mode fiber over 1570 nm wavelength (nominal) with an LC connector. Typical reach of 62 Km on 9/125 m SMF. CWDM Gigabit Ethernet optical transceiver (SFP MSA) w/ red latch. Supports single mode fiber over 1590 nm wavelength (nominal) with an LC connector. Typical reach of 62 Km on 9/125 m SMF. CWDM Gigabit Ethernet optical transceiver (SFP MSA) w/ red latch. Supports single mode fiber over 1590 nm wavelength (nominal) with an LC connector. Typical reach of 62 Km on 9/125 m SMF. 1000Base-BX SFP transceiver with an LC type of interface. This bi-directional transceiver is designed for use over single mode fiber optic on a single strand link up to 10 km. Transmits 1490 nm and receives 1310 nm optical signal. 1000Base-BX SFP transceiver with an LC type of interface. This bi-directional transceiver is designed for use over single mode fiber optic on a single strand link up to 10 km. Transmits 1310 nm and receives 1490 nm optical signal. Extended 1000Base-SX Gigabit Ethernet optical transceiver (SFP MSA). Supports multimode fiber over 850nm wavelength (nominal) with an LC connector. Reach of up to 2 km (based on grade and condition of fiber) on 62.5/125 m MMF or 550m on 62.5/125 m MMF. Requires SFP-GIG-EXTND or GBIC-GIG-EXTND at the remote termination. [Formerly known as GE-EXTND-SFP]
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 49 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
SFP-GIG-LH40 SFP-GIG-LH70
SFP-GIG-LX
SFP-GIG-SX
SFP-GIG-T
SFP-DUAL-MM
SFP-DUAL-SM10
SFP-100-BX20LT
SFP-100-BX20NU
1000Base-LH Gigabit Ethernet optical transceiver (SFP MSA). Supports single mode fiber over 1310 nm wavelength (nominal) with an LC connector. Typical reach of 40Km on 9/125 m SMF. 1000Base-LH Gigabit Ethernet optical transceiver (SFP MSA). Supports single mode fiber over 1550nm wavelength (nominal) with an LC connector. Typical reach of 70 Km on 9/125 m SMF. [Formerly known as MINIGBIC-LH-70] 1000Base-LX Gigabit Ethernet optical transceiver (SFP MSA). Supports single mode fiber over 1310nm wavelength (nominal) with an LC connector. Typical reach of 10 Km on 9/125 m SMF. [Formerly known as MINIGBIC-LX] 1000Base-SX Gigabit Ethernet optical transceiver (SFP MSA). Supports multimode fiber over 850nm wavelength (nominal) with an LC connector. Typical reach of 300m on 62.5/125 m MMF or 550m on 50/125 m MMF. [Formerly known as MINIGBIC-SX] 1000Base-T Gigabit Ethernet Transceiver (SFP MSA) - Supports category 5, 5E, and 6 copper cabling up to 100m. SFP only works in 1000 Mbps speed and full-duplex mode Dual Speed Ethernet Transceivers (SFP MSA) Dual Speed 100Base-FX or 1000Base-X Ethernet optical transceiver (SFP MSA). Supports multimode fiber over 1310nm wavelength (nominal) with an LC connector. Typical reach of 550m at Gigabit speed and 2km at 100Mbit speed. Note: - At 100Mbit speed, this SFP can interoperate with SFP-100-LC-MM or similar transceiver on the other end, - At Gigabit speed, this SFP cannot interoperate with SFP-GIG-SX or similar transceiver on the other end running over 850nm wavelength. - SFP supported on OS9-GNI-U24 Gigabit Ethernet Module and OS6850-U24X SFP ports (non combo) Dual Speed 100Base-FX or 1000Base-X Ethernet optical transceiver (SFP MSA). Supports single mode fiber over 1310nm wavelength (nominal) with an LC connector. Typical reach of 10km at Gigabit speed and 100Mbit speed. Note: - At 100Mbit speed, this SFP can interoperate with SFP-100-LC-SM15 or similar transceiver, - At Gigabit speed, this SFP can interoperate with SFP-GIG-LX or similar transceiver. - SFP supported on OS9-GNI-U24 Gigabit Ethernet Module and OS6850-U24X SFP ports (non combo) 100BASE-FX Ethernet Transceivers 100Base-BX SFP transceiver with an SC type interface. This bi-directional transceiver is designed for use over single mode fiber optic on a single strand link up to 20KM point-to-point. This transceiver is normally used in the central office (OLT) transmits 1550nm and receives 1310nm optical signal 100Base-BX SFP transceiver with an SC type interface. This bi-directional transceiver is designed for use over single mode fiber optic on a single strand link up to 20KM point-to-point. This transceiver is normally used in the client (ONU) transmits 1310nm and receives 1550nm optical signal 100Base-FX SFP transceiver with an LC type interface. This transceiver is designed for use over multimode fiber optic cable. 100Base-FX SFP transceiver with an LC type interface. This transceiver is designed for use over single mode fiber optic cable up to 15KM. 100Base-FX SFP transceiver with an LC type interface. This transceiver is designed for use over single mode fiber optic cable up to 40KM. Accessories OS6850 150 centimeters long stacking cable. OS6850 30 centimeters long stacking cable. OS6850 60 centimeters long stacking cable. Base/wall mounting kit for OS6850 models. Includes 4 brackets and screws.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 50 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OmniSwitch 6850-24
The OmniSwitch 6850-24 is a stackable edge/workgroup switch offering 20 unshared 10/100/1000Base-T ports, as well as four combo ports individually configurable to be 10/100/1000Base-T or 1000Base-X high speed connections. The front panel of the OS6850-24 chassis contains the following major components: System status and slot indicator LEDs (20) unshared 10/100/1000Base-T ports (4) shared combo 10/100/1000Base-T ports (4) Combo SFP slots for 1000Base-X connections Console port (RJ-45) USB port (USB 2.0) (Future Release)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 51 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Standards supported Data rate (RJ-45 Ports) Data rate (SFP ports) Maximum frame size Connections supported Cables supported
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 52 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OmniSwitch 6850-48
The OmniSwitch 6850-48 is a stackable edge/workgroup switch offering 44 unshared 10/100/1000Base-T ports, as well as four combo ports individually configurable to be 10/100/1000Base-T or 1000Base-X high speed connections. The front panel of the OS6850-48 chassis contains the following major components: System status and slot indicator LEDs (44) unshared 10/100/1000Base-T ports (4) shared combo 10/100/1000Base-T ports (4) Combo SFP slots for 1000Base-X connections Console port (RJ-45) USB port (USB 2.0) (Future Release)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 53 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Standards supported Data rate (RJ-45 Ports) Data rate (SFP ports) Maximum frame size Connections supported Cables supported
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 54 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OmniSwitch 6850-24X
The OmniSwitch 6850-24X is a stackable edge/workgroup switch offering 20 unshared 10/100/1000Base-T Power over ports, two (2) 10 Gigabit XFP slots, as well as four combo ports individually configurable to be 10/100/1000Base-T or 1000Base-X high speed connections. The front panel of the OS6850-24X chassis contains the following major components: System status and slot indicator LEDs (20) unshared 10/100/1000Base-T ports (4) shared combo 10/100/1000Base-T ports (4) Combo SFP slots for 1000Base-X connections (2) 10 Gigabit XFP slots Console port (RJ-45) USB port (USB 2.0) (Future Release)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 55 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Standards supported Data rate (RJ-45 Ports) Data rate (SFP ports) Data rate (XFP Ports) Maximum frame size Connections supported Cables supported
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 56 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OmniSwitch 6850-48X
The OmniSwitch 6850-48X is a stackable edge/workgroup switch offering 48 unshared 10/100/1000Base-T ports and two (2) 10 Gigabit XFP slots. The front panel of the OS6850-48X chassis contains the following major components: System status and slot indicator LEDs (48) unshared 10/100/1000Base-T ports (2) 10 Gigabit XFP slots Console port (RJ-45) USB port (USB 2.0) (Future Release)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 57 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Standards supported Data rate (RJ-45 Ports) Data rate (XFP Ports) Maximum frame size Connections supported Cables supported
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 58 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OmniSwitch 6850-P24
The OmniSwitch 6850-P24 is a stackable edge/workgroup switch offering 20 unshared 10/100/1000Base-T Power over Ethernet (PoE) ports, as well as four combo ports individually configurable to be 10/100/1000 Base-T PoE or 1000 Base-X high speed connections. The front panel of the OS6850-P24 chassis contains the following major components: System status and slot indicator LEDs (20) unshared 10/100/1000Base-T PoE ports (4) shared combo 10/100/1000Base-T PoE ports (4) Combo SFP slots for 1000Base-X connections Console port (RJ-45) USB port (USB 2.0) (Future Release)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 59 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Standards supported Data rate (RJ-45 Ports) Data rate (SFP ports) Maximum frame size Connections supported
Cables supported
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 60 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OmniSwitch 6850-P48
The OmniSwitch 6850-P48 is a stackable edge/workgroup switch offering 44 unshared 10/100/1000Base-T Power over Ethernet (PoE) ports, as well as four combo ports individually configurable to be10/100/1000Base-T PoE or 1000Base-X high speed connections. The front panel of the OS6850-P48 chassis contains the following major components: System status and slot indicator LEDs (44) unshared 10/100/1000Base-T PoE ports (4) shared combo 10/100/1000Base-T PoE ports (4) Combo SFP slots for 1000Base-X connections Console port (RJ-45) USB port (USB 2.0) (Future Release)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 61 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Standards supported Data rate (RJ-45 Ports) Data rate (SFP ports) Maximum frame size Connections supported
Cables supported
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 62 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OmniSwitch 6850-P24X
The OmniSwitch 6850-P24X is a stackable edge/workgroup switch offering 20 unshared 10/100/1000Base-T Power over Ethernet (PoE) ports, two (2) 10 Gigabit XFP slots, as well as four combo ports individually configurable to be 10/100/1000Base-T PoE or 1000Base-X high-speed connections. The front panel of the OS6850-P24X chassis contains the following major components: System status and slot indicator LEDs (20) unshared 10/100/1000Base-T PoE ports (4) shared combo 10/100/1000Base-T PoE ports (4) Combo SFP slots for 1000Base-X connections (2) 10 Gigabit XFP slots Console port (RJ-45) USB port (USB 2.0) (Future Release)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 63 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Standards supported Data rate (RJ-45 Ports) Data rate (SFP ports) Data rate (XFP Ports) Maximum frame size Connections supported
Cables supported
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 64 Software & Hardware Release: AOSv6.3.1r01
OmniSwitch 6850-P48X
The OmniSwitch 6850-P48X is a stackable edge/workgroup switch offering 48 unshared 10/100/1000Base-T Power over Ethernet (PoE) ports and two (2) 10 Gigabit XFP slots. The front panel of the OS6850-P48X chassis contains the following major components: System status and slot indicator LEDs (48) unshared 10/100/1000Base-T PoE ports (2) 10 Gigabit XFP slots Console port (RJ-45) USB port (USB 2.0) (Future Release)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 65 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Standards supported Data rate (RJ-45 Ports) Data rate (XFP ports) Maximum frame size Connections supported
Cables supported
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 66 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OmniSwitch 6850-U24X
The OmniSwitch 6850-U24X is an edge/workgroup switch offering 24 1000Base-X MiniGBIC SFP ports, two (2) 10 Gigabit XFP slots, as well as four combo ports individually configurable to 10/100/1000 Base-T ports. The front panel of the OS6850-U24X chassis contains the following major components: System status and slot indicator LEDs (22) unshared 1000Base-X MiniGBIC SFP ports (2) Shared combo 1000Base-X MiniGBIC SFP ports (2) Combo RJ-45 10/100/1000Base-T ports (2) 10 Gigabit XFP slots Console port (RJ-45) USB port (USB 2.0) Note. USB 2.0 is not supported in this release.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 67 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Standards supported Data rate (RJ-45 ports) Data rate (SFP Ports) Data rate (XFP Ports) Maximum frame size Connections supported Cable supported (RJ-45 ports)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 68 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OmniSwitch 6850-24L
The OmniSwitch 6850-24L is a stackable edge/workgroup switch offering 20 unshared 10/100Base-T ports, as well as four combo ports individually configurable to be 10/100/1000 Base-T or 1000 Base-X high speed connections. The front panel of the OS6850-24L chassis contains the following major components: System status and slot indicator LEDs (20) unshared 10/100Base-T ports (4) shared combo 10/100/1000Base-T ports (4) Combo SFP slots for 1000Base-X connections Console port (RJ-45) USB port (USB 2.0) Note. USB 2.0 will be supported in a future release. Note. The 20 (non combo ports) 10/100Base-T ports on the OmniSwitch 6850-24L can be upgraded to 10/100/1000Base-T ports.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 69 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
64 MB 256 MB SDRAM
19 inches, approx. 17.5 inches 1.5 inches 1 RU 10.5 inches without power supplies installed; 16.75 inches with power supplies installed 14 lbs. (6.24 Kg) without power supply 5% to 90% Relative Humidity (Operating) 0% to 95% Relative Humidity (Storage) 0 to 45 degrees, Celsius -20 to 70 degrees, Celsius Operating altitude: sea level at 40 degrees, Celsius and 10000 feet at 0 degrees, Celsius Storage altitude: sea level to 40000 feet 802.3z, 802.3ab, 1000Base-T, IEEE 802.3u 10 or 100 Mbps (full or half duplex) 1 Gigabit per second (full duplex) 1 Gigabit per second (full duplex) 9216 bytes 10/100/1000Base-T and 1000Base-X 10BaseT: unshielded twisted-pair (UTP) 100BaseTX: unshielded twisted-pair (UTP), Category 5, EIA/TIA 568 or shielded twisted-pair (STP), Category 5, 100 ohm 1000BaseT: unshielded twisted-pair (UTP), Category 5e 100 meters
Standards supported Data rate (RJ-45 Ports) Data rate (SFP Ports) Maximum frame size Connections supported Cable supported (RJ-45 ports)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 70 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OmniSwitch 6850-P24L
The OmniSwitch 6850-P24L is a stackable edge/workgroup switch offering 20 unshared 10/100Base-T Power over Ethernet (PoE) ports, as well as four combo ports individually configurable to be 10/100/1000Base-T PoE or 1000 Base-X high speed connections. The front panel of the OS6850-P24L chassis contains the following major components: System status and slot indicator LEDs (20) unshared 10/100Base-T PoE ports (4) shared combo 10/100/1000Base-T PoE ports (4) Combo SFP slots for 1000Base-X connections Console port (RJ-45) USB port (USB 2.0) Note. USB 2.0 will be supported in a future release. Note. The 20 (non-combo ports) 10/100Base-T PoE ports on the OmniSwitch 6850-P24L can be upgraded to 10/100/1000Base-T PoE ports.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 71 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
64 MB 256 MB SDRAM
19 inches, approx. 17.5 inches 1.5 inches 1 RU 10.5 inches without power supplies installed; 16.75 inches with power supplies installed 14 lbs. (6.24 Kg) without power supply 5% to 90% Relative Humidity (Operating) 0% to 95% Relative Humidity (Storage) 0 to 45 degrees, Celsius -20 to 70 degrees, Celsius Operating altitude: sea level at 40 degrees, Celsius and 10000 feet at 0 degrees, Celsius Storage altitude: sea level to 40000 feet 802.3z, 802.3ab, 1000Base-T, IEEE 802.3u, IEEE 802.3af (DTE Power Via MDI MIB) ; IAB RFCs 826, 894 10 or 100 Mbps (full or half duplex) 1 Gigabit per second (full duplex) 1 Gigabit per second (full duplex) 9216 bytes IP phones, Bluetooth Access Points, Internet Cameras, and other devices requiring power over Ethernet 10BaseT: unshielded twisted-pair (UTP) 100BaseTX: unshielded twisted-pair (UTP), Category 5, EIA/TIA 568 or shielded twisted-pair (STP), Category 5, 100 ohm 1000BaseT: unshielded twisted-pair (UTP), Category 5e Default 15.4watts per port Configurable from 3watts to 15.4watts per port Using the 360watts P/S, the maximum available PoE power is 240 watts (less 1watt per port of overhead) per unit. Using the 510watts P/S, the maximum available PoE power is 390watts (less 1watt per port of overhead) per unit. Please refer to the Power Supply Specification Section for more details. 100 meters
Standards supported Data rate (RJ-45 Ports) Data rate (SFP Ports) Maximum frame size Connections supported Cable supported (RJ-45 ports)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 72 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OmniSwitch 6850-48L
The OmniSwitch 6850-48L is a stackable edge/workgroup switch offering 44 unshared 10/100Base-T ports, as well as four combo ports individually configurable to 10/100/1000Base-T or 1000Base-X high speed connections. The front panel of the OS6850-48L chassis contains the following major components: System status and slot indicator LEDs (44) unshared 10/100Base-T ports (4) shared combo 10/100/1000Base-T ports (4) Combo SFP slots for 1000Base-X connections Console port (RJ-45) USB port (USB 2.0) Note. USB 2.0 will be supported in a future release. Note. The 44 (non combo ports) 10/100Base-T ports on the OmniSwitch 6850-48L can be upgraded to 10/100/1000Base-T ports.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 73 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
64 MB 256 MB SDRAM
19 inches, approx. 17.5 inches 1.5 inches 1 RU 10.5 inches without power supplies installed; 16.75 inches with power supplies installed 14 lbs. (6.24 Kg) without power supply 5% to 90% Relative Humidity (Operating) 0% to 95% Relative Humidity (Storage) 0 to 45 degrees, Celsius -20 to 70 degrees, Celsius Operating altitude: sea level at 40 degrees, Celsius and 10000 feet at 0 degrees, Celsius Storage altitude: sea level to 40000 feet 802.3z, 802.3ab, 1000Base-T, IEEE 802.3u 10 or 100 Mbps (full or half duplex) 1 Gigabit per second (full duplex) 1 Gigabit per second (full duplex) 9216 bytes 10/100/1000Base-T and 1000Base-X 10BaseT: unshielded twisted-pair (UTP) 100BaseTX: unshielded twisted-pair (UTP), Category 5, EIA/TIA 568 or shielded twisted-pair (STP), Category 5, 100 ohm 1000BaseT: unshielded twisted-pair (UTP), Category 5e 100 meters
Standards supported Data rate (RJ-45 Ports) Data rate (SFP Ports) Maximum frame size Connections supported Cable supported (RJ-45 ports)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 74 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OmniSwitch 6850-P48L
The OmniSwitch 6850-P48L is a stackable edge/workgroup switch offering 44 unshared 10/100Base-T Power over Ethernet (PoE) ports, as well as four combo ports individually configurable to 10/100/1000Base-T PoE or 1000Base-X high speed connections. The front panel of the OS6850-P48L chassis contains the following major components: System status and slot indicator LEDs (44) unshared 10/100Base-T PoE ports (4) shared combo 10/100/1000Base-T PoE ports (4) Combo SFP slots for 1000Base-X connections Console port (RJ-45) USB port (USB 2.0) Note. USB 2.0 will be supported in a future release. Note. The 44 (non-combo ports) 10/100Base-T PoE ports on the OmniSwitch 6850-P48L can be upgraded to 10/100/1000Base-T PoE ports. Please contact your Alcatel representative for more information.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 75 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
64 MB 256 MB SDRAM
19 inches, approx. 17.5 inches 1.5 inches 1 RU 10.5 inches without power supplies installed; 16.75 inches with power supplies installed 14 lbs. (6.24 Kg) without power supply 5% to 90% Relative Humidity (Operating) 0% to 95% Relative Humidity (Storage) 0 to 45 degrees, Celsius -20 to 70 degrees, Celsius Operating altitude: sea level at 40 degrees, Celsius and 10000 feet at 0 degrees, Celsius Storage altitude: sea level to 40000 feet 802.3z, 802.3ab, 1000Base-T, IEEE 802.3u, IEEE 802.3af (DTE Power Via MDI MIB) ; IAB RFCs 826, 894 10 or 100 Mbps (full or half duplex) 1 Gigabit per second (full duplex) 1 Gigabit per second (full duplex) 9216 bytes IP phones, Bluetooth Access Points, Internet Cameras, and other devices requiring power over Ethernet 10BaseT: unshielded twisted-pair (UTP) 100BaseTX: unshielded twisted-pair (UTP), Category 5, EIA/TIA 568 or shielded twisted-pair (STP), Category 5, 100 ohm 1000BaseT: unshielded twisted-pair (UTP), Category 5e Default 15.4watts per port Configurable from 3watts to 15.4watts per port Using the 360watts P/S, the maximum available PoE power is 240 watts (less 1watt per port of overhead) per unit. Using the 510watts P/S, the maximum available PoE power is 390watts (less 1watt per port of overhead) per unit. Please refer to the Power Supply Specification Section for more details. 100 meters
Standards supported Data rate (RJ-45 Ports) Data rate (SFP Ports) Maximum frame size Connections supported Cable supported (RJ-45 ports)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 76 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Rear Panel
The rear panel of OmniSwitch 6850 Series switches contains the following major components: Two DB-25 connectors for the primary power supply, which can be used for a single 510 Watt supply or two 360, 126, Or 120 Watt power supplies One DB-25 connector for an optional redundant power supply. Two stacking ports (A and B) Grounding block for type LCD8-10A-L grounding lug Note. The figure shows a pre-production version of the chassis without product, safety, and compliance information labels. All production versions of the chassis have these labels. Note: please refer to the Pin-Outs section for the DB-25 pins arrangements.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 77 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Status LEDs
LEDs provide visual status information. These status lights are used to indicate conditions, such as hardware and software status, primary role status (stacked configurations), power supply status, primary and secondary status (stacked configurations), fan and temperature errors, 10 Gigabit uplink status (when applicable), slot number information, data speed, link integrity, and activity. Refer to the diagram below for detailed information on LED states.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 78 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
10/100/1000 LEDs
There is a single LED for each corresponding 10/100/1000 Mbps ports. Displays solid green for a valid link; displays blinking green when transmitting or receiving packets in a link up state for non-PoE. Displays solid amber for a valid link; displays blinking amber when transmitting or receiving packets in a link up state for PoE.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 79 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Architecture
The OmniSwitch 6850-48 & P48 Internal Architecture
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 80 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 81 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 82 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 83 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
XFP-10G-SR
XFP-10G-ZR80
SFP-GIG-47CWD60 SFP-GIG-49CWD60 SFP-GIG-51CWD60 SFP-GIG-53CWD60 SFP-GIG-55CWD60 SFP-GIG-57CWD60 SFP-GIG-59CWD60 SFP-GIG-61CWD60 SFP-GIG-BX-D SFP-GIG-BX-U SFP-GIG-EXTND
SFP-GIG-LH40 SFP-GIG-LH70
SFP-GIG-LX
SFP-GIG-SX
SFP-GIG-T
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 84 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
SFP-DUAL-MM
SFP-DUAL-SM10
Dual Speed Ethernet Transceivers (SFP MSA) Dual Speed 100Base-FX or 1000Base-X Ethernet optical transceiver (SFP MSA). Supports multimode fiber over 1310nm wavelength (nominal) with an LC connector. Typical reach of 550m at Gigabit speed and 2km at 100Mbps speed. Note: - At 100Mbit speed, this SFP can interoperate with SFP-100-LC-MM or similar transceiver on the other end, - At Gigabit speed, this SFP cannot interoperate with SFP-GIG-SX or similar transceiver on the other end running over 850nm wavelength. - SFP supported on OS9-GNI-U24 Gigabit Ethernet Module and OS6850-U24X SFP ports (non combo) Dual Speed 100Base-FX or 1000Base-X Ethernet optical transceiver (SFP MSA). Supports single mode fiber over 1310nm wavelength (nominal) with an LC connector. Typical reach of 10km at Gigabit speed and 100Mbps speed. Note: - At 100Mbit speed, this SFP can interoperate with SFP-100-LC-SM15 or similar transceiver, - At Gigabit speed, this SFP can interoperate with SFP-GIG-LX or similar transceiver. - SFP supported on OS9-GNI-U24 Gigabit Ethernet Module and OS6850-U24X SFP ports (non combo)
SFP-100-BX20LT
SFP-100-BX20NU
100BASE-FX Ethernet Transceivers 100Base-BX SFP trans. with an SC type interface. This bi-directional trans. is designed for use over single mode fiber optic on a single strand link up to 20KM point-to-point. This transceiver is normally used in the central office (OLT) transmits 1550nm and receives 1310nm optical signal 100Base-BX SFP trans. with an SC type interface. This bi-directional trans. is designed for use over single mode fiber optic on a single strand link up to 20KM point-to-point. This transceiver is normally used in the client (ONU) transmits 1310nm and receives 1550nm optical signal 100Base-FX SFP trans. with an LC type interface. This trans. is designed for use over multimode fiber optic cable. 100Base-FX SFP trans. with an LC type interface. This trans. is designed for use over single mode fiber optic cable up to 15KM. 100Base-FX SFP trans. with an LC type interface. This trans. is designed for use over single mode fiber optic cable up to 40KM.
Supported Configuration Matrix for New Ethernet Transceivers in Release 6.1.5r01 OS6800/OS6850 OS6800-U24 OS6850-U24X Combo Ports Non-Combo Ports SFP-GIG-T - 1000Base-T Gigabit Supported Supported Supported Ethernet Transceiver (SFP MSA). SFP-DUAL-MM - Dual Speed OS6800: Un-supported Un-supported Supported 100Base-FX or 1000Base-X Ethernet optical OS6850: Supported. transceiver. Release 6.3.1 provides support for this SFP on OS6850 combo ports. SFP-DUAL-SM10 - Dual Speed OS6800: Un-supported Un-supported Supported 100Base-FX or 1000Base-X Ethernet optical OS6850: Supported. transceiver (SFP MSA) Release 6.3.1 provides support for this SFP on OS6850 combo ports. SFP-100-BX20LT - 100Base-BX Un-supported Un-supported Supported SFP bi-directional transceiver. SFP-100-BX20NU - 100Base-BX Un-supported Un-supported Supported SFP bi-directional transceiver SFP-100-LC-MM - 100Base-FX Un-supported Un-supported Supported SFP transceiver. SFP-100-LC-SM15 - 100Base-FX Un-supported Un-supported Supported SFP transceiver. SFP-100-LC-SM40 - 100Base-FX Un-supported Un-supported Supported SFP transceiver. SFP
Supported
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 85 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
The maximum distance supported with fiber optics transceivers will be influenced by the following factors: o Specified fiber plants standards for cable wiring such as ISO/IEC-11801, TIA 568, IEEE 802.3u, o IEEE 802.3z/1000BASE-SX/LX/LHetc. o Modal Bandwidth (measured in MHZ*km: such as 200 MHZ*km, or 160 MHZ*kmetc) o Fiber quality o Attenuation or dB of loss per km (Attenuation is a measure of the loss of signal strength or light power that occurs as light pulses propagate through a run of multimode or single-mode fiber. Measurements are typically defined in terms of decibels or dB/km.). This loss could result from patch panels, splicing, optical connectors, optical jointsetc. o The Optical Power Budget (OPB) in dB allowance o The Optical Power Budget (in dB) provides the necessary optical signal range to establish a working fiber-optic link. The OPB is allocated for the fiber-optic cable. The OPB is the available optical power for a fiber optic link to accommodate fiber cable losses plus losses due to in-line connectors, splices, optical switches, and to provide margin for link aging and unplanned losses due to cable plant reconfiguration or repair. o The worst-case Optical Power Budget in dB for a fiber optic link is determined by: The difference between the minimum transmitters output optical power and the lowest receiver sensitivity. o The best way to determine the distance being supported is to take an OTDR (Optical Time Domain Reflecto-meter) measurement on the fiber cable plant. (These measurements must be made using the same wavelength of light as the transceiver that will be installed.) This will indicate the amount of loss per intended distance. If the loss is within the transceivers allowed power budget, the connection will work. Minimum distance requirements must be carefully considered. Alcatel-Lucent supports several alternate sources of fiber optics transceiver manufacturers for its switching and routing line of products. Alcatel-Lucent strongly recommends compliance with the original manufactures fiber optics specifications, and fiber optics design guidelines. Therefore, as a general rule, Alcatel-Lucent stays within the boundaries of the original manufacturers specifications. Any deviations from the norm require further evaluations and testing. The insertion loss parameter value for the MiniGBICs requires a very specific testing which is normally performed by the original manufacturer, but usually is not stated in their specification documents and the value may vary from one manufacturer to another. Here at Alcatel-Lucent, our engineering normally does not carry out such testing and therefore we rely on our approved manufacturer specifications data. Essentially, the original manufacturer upon request must supply this specific parameter value. It is not anywhere in their specification sheets. Here is what our Engineering suggests to do: Instead of relying on the manufacture's data for the insertion loss value, which also varies from one manufacturer to another, we suggest looking into the IEEE Standard Document. No matter what, all manufacturers must comply with the IEEE Standard. All of our MiniGBICs comply with the IEEE 802.3z. You can easily look up the insertion loss parameter and its value for our MiniGBICs in this document.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 86 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
SFP MSA Specifications SFP-MSA Connector: The SFP connector consists of a 20-pin receptacle and a SFP housing cage. The 20-pin connector provides the interface for the hot Pluggable SFP module. Each SFP module contains a serial interface to provide identification information that describes the SFP capabilities, standard interfaces, manufacturer and other information. LC Connector: The LC connector is a fiber-optic cable connector that uses one-half the size of current industry standards. It increases panel density and provides duplex connection in 50% less space with duplex fits of RJ-45 footprint. It is available in SM, MM versions with Super, Ultra and Angle (APC) polishing. It provides a user-friendly audible latch to indicate proper mating and supports pull proof.
Notes:
*The worst-case Optical Power Budget in dB for a fiber optic link is determined by: The difference between the minimum transmitters output optical power and the lowest receiver sensitivity. Alcatel-Lucent switching & routing platforms support alternate sources of fiber-optics vendors, which are subject to change from time to time. Please be sure to contact Alcatel-Lucent Internetworking Product Marketing for a complete list of approved vendors. The following fiber optics transceivers specifications have been taken from Alcatel-Lucent IP Networking approved vendors original Specification Sheets. SFP-GIG-SX Technical Specifications Features Dual data-rate of 1.25Gbps/1.0625Gbps operation 850nm VCSEL laser and PIN photo detector 550m transmission with 50/125m MMF 275m transmission with 62.5/125m MMF Standard serial ID information Compatible with SFP MSA SFP MSA package with duplex LC connector With Spring-Latch for high density application Very low EMI and excellent ESD protection +3.3V single power supply Operating case temperature: 0 to +70C Connector Type The transceiver support LC connectors and are hot swappable Supports the ability to mix and match SFPs on the same unit Supports operation for layer-2, and layer-3 forwarding Standards supported IEEE 802.3z, and 1000BASE-SX (The IEEE 802.3z standard describes the specifications for the 1000BASE-X fiber optic GigE) Compatible with SFP MSA Compatible with IEEE 802.3z Compatible with ANSI specifications for Fiber Channel Compatible with FCC 47 CFR Part 15,Class B Connections supported 1000BASE-SX connections to backbone or server Fiber optic cable supported Multimode (MMF) with 62.5/125 m & 50/125 m Wavelength 850nm (typical) Transmitter Average Output Optical Power Min: -9.5 dBm and Max: -4 dBm Receiver Sensitivity Min: 0 dBm and Max: -17 dBm Power Budget* 7.5 dBm (17 9.5 = 7.5 dBm) Cable distances Supports 62.5/125 m MMF up to a maximum distance of 220 m to 300m or 50.0/125 m up to a maximum distance of 550m.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 88 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Features
Connector Type
Standards supported
Wavelength Transmitter Average Output Optical Power Receiver Sensitivity Power Budget* Cable distances
SFP-GIG-LX Technical Specifications Dual data-rate of 1.25Gbps/1.0625Gbps operation 1310nm FP laser and PIN photo detector 550m transmission with MMF 10km ~ 20km transmission with SMF Standard serial ID information compatible with SFP MSA SFP MSA package with duplex LC connector With Spring-Latch for high density application Very low EMI and excellent ESD protection +3.3V single power supply Operating case temperature: Standard: 0 to +70C Industrial: -40 to +85C The transceiver support LC connectors and are hot swappable Supports the ability to mix and match SFPs on the same unit Supports operation for layer-2, and layer-3 forwarding IEEE 802.3z, 1000BASE-LX (The IEEE 802.3z standard describes the specifications for the 1000BASE-X fiber optic Gig Eth.) Compatible with SFP MSA Compatible with IEEE 802.3z Compatible with ANSI specifications for Fiber Channel Compatible with FCC 47 CFR Part 15, Class B Compatible with FDA 21 CFR 1040.10 and 1040.11, Class I Compatible with Telcordia GR-468-CORE RoHS compliance 1000BASE-LX connections to backbone or server Single mode (SMF) with 9/125 m Note: This transceiver also supports 50/125 m & 62.5/125 m Multimode (MMF) with a maximum distance of up to 700m (typical 550m). This special mode of operation will require single-mode fiber offset-launch mode-conditioning patch cord and be sure to review the IEEE 802.3 2002 clauses 38.11.1 through 38.11.4. The third party fiber optics distance extender devices will provide the capabilities of supporting much further distances than the typical 550m. 1310nm (typical) Min: -9.5 dBm and Max: -3 dBm Min: 0 dBm and Max: -20 dBm 10.5dBm (20 9.5 = 10.5 dBm) 10km on SMF and 700m (typical 550m) on MMF
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 89 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Features
Connector Type
Standards supported
Connections supported Fiber optic cable supported Wavelength Transmitter Output Optical Power Receiver Sensitivity Power Budget* Cable distances
SFP-GIG-LH70 Technical Specifications Up to 1.25Gbps bi-directional data links 80km transmission distance with SMF 1550nm DFB laser transmitter SFP MSA package with LC optical receptacle With lever latch for high density application Single +3.3V power supply Hot-pluggable capability Low power dissipation Very low EMI and excellent ESD protection Class I laser product Monitoring interface compliant with SFF-8472 Operation case temperature: 0 to +70C The transceiver support LC connectors and are hot swappable Supports the ability to mix and match SFPs on the same unit Supports operation for layer-2, and layer-3 forwarding. IEEE 802.3z, 1000BASE-LH70 (The IEEE 802.3z standard describes the specifications for the 1000BASE-X fiber optic Gigabit Eth.) Compliant with SFP MSA Compliant with SFF 8472 Compliant with IEEE 802.3z Compliant with ANSI INCITS Fiber Channel FC-PI Rev13 Compliant with FCC 47 CFR Part 15, Class B Compliant with FDA 21 CFR 1040.10 and 1040.11, Class I 1000BASE-LH70 connections to backbone or server Single mode (SMF) with 9/125 m 1550nm (typical) Min: 0 dBm and Max: 5 dBm Min: 0 dBm and Max: -22 dBm 22 dBm (22 0 = 22 dBm) Long reach SMF 70km
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 90 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Features
Connector Type
Standards supported
Connections supported Fiber optic cable supported Wavelength Transmitter Average Output Optical Power Receiver Sensitivity Power Budget* Cable distances
SFP-GIG-LH40 Technical Specifications Dual data-rate of 1.25Gbps/1.0625Gbps 40km transmission distance with 9/125 m SMF 1310nm uncooled DFB laser PIN photodiode receiver Class I laser product Digital diagnostic monitor interface Compatible with SFF-8472 SFP MSA package with duplex LC receptacle With lever latch for high density application Very low EMI and excellent ESD protection Single 3.3V power supply Operating case temperature: 0 to +70C The transceiver support LC connectors and are hot swappable Supports the ability to mix and match SFPs on the same unit Supports operation for layer-2, and layer-3 forwarding IEEE 802.3z, 1000BASE-LH40 Compatible with SFP MSA Compatible with SFF-8472 Compatible with IEEE 802.3z Compatible with IEEE 802.3ah Compatible with ANSI INCITS Fiber Channel FC-PI Rev13 Compatible with FCC 47 CFR Part 15, Class B Compatible with FDA 21 CFR 1040.10 and 1040.11, Class I RoHS compliant 1000BASE-LH40 connections to backbone or server Single mode (SMF) 1310nm (typical) Min: -2 dBm and Max: 3 dBm Min: 0 dBm and Max: -22 dBm 20 dBm ( 22 2 = 20 dBm) Long reach SMF 40km
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 91 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Overview
Features
Function Connector Type Standards supported Connections supported Fiber optic cable supported Wavelength Transmitter Output Optical Power Receiver Sensitivity Power Budget* Cable distances
SFP-GIG-EXTND Technical Specifications The Fiber Driver SFP Multimode Extender increases the reach of Gigabit Ethernet and Fiber Channel data links to distances that far exceed the defined standard. This technology allows multimode (MM) fiber previously used for FDDI, Fast Ethernet and other legacy protocols to now be used for creating high-speed communication backbones. Since first appearing in the Fiber Driver Gigabit Multimode Extender module, the performance and reliability of the Multimode Extender (MMX) technology has been proven in installations throughout the world. Typically, Gigabit Ethernet and Fiber Channel transmissions distances over MM fiber are limited to 550 meters or less, far shorter than the 2-kilometer standard for when multimode fiber is used to transmit FDDI or Fast Ethernet. This fact has left IT managers needing to implement gigabit-speed protocols with little choice but to abandon their existing multimode fiber plant and install new single mode fiber. Extended 1000Base-SX Gigabit Ethernet optical transceiver (SFP MSA). Supports multimode fiber over 850nm wavelength (nominal) with an LC connector. Reach of up to 2 km (based on grade and condition of fiber) on 62.5/125 m MMF or 550m on 50.0/125 m MMF. Requires SFP-GIG-EXTND or GBIC-GIG-EXTND at the remote termination. Supply Voltage: 3.3V Transmits Gigabit Ethernet (IEEE 802.3) or Fiber Channel (ANSI X3.230-1994) up to 4 km (2 km guaranteed. Maximum range depends upon grade and condition of fiber plant used) over 62.5m and 50m dual fiber multimode links SFP MSA SFF-8074i compliant Bellcore GR-468 compliant Multimode DSC adapter Plug-n-play, hot swappable functionality Low EMI metal enclosure Operating temperature: 0 to +70C SFP Extended Multimode 7 SFP Extended Multimode with ROHS Compliance LC IEEE 802.3z 1000BASE-SX connections to backbone or server Multimode (MMF) 850nm (typical) Min: N/A and Max: N/A Min: N/A and Max: N/A N/A 2km on 62.5/125 m MMF or 550m on 50.0/125 m MMF
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 92 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Features
Connector Type Standards supported Connections supported Copper Cables supported Cable distances Features
Connector Type
Standards supported
Connections supported Fiber optic cable supported Wavelength Transmitter Average Output Optical Power Receiver Sensitivity Power Budget* Transmitter Average Output Optical Power Receiver Sensitivity Power Budget* Cable distances SFP compatibility notes
SFP-GIG-T Technical Specifications Up to 1.25Gb/s bi-directional data links Hot-pluggable SFP footprint Extended case temperature range (0C to +85C ) Fully metallic enclosure for low EMI Low power dissipation (1.2 W typical) Compact RJ-45 connector assembly Access to physical layer IC via 2-wire serial bus 10/100/1000 BASE-T operation in host systems with SGMII interface RJ-45 IEEE 802.3z, and 1000BASE-T 1000BASE-T connections to backbone or server CAT5, CAT5e, and CAT6 100m at 1000Mbps and full-duplex mode SFP-DUAL-MM Technical Specifications Build-in PHY supporting SGMII Interface Dual data-rate of 100BASE-FX/1000BASE-LX operation 1310nm FP laser and PIN photo-detector 0.5m~2km transmission with MMF at 125Mbps 0.5m~550m transmission with MMF at 1.25Gbps Standard serial ID information compliable with SFP MSA SFP MSA package with duplex LC connector With Spring-Latch for high density application Very low EMI and excellent ESD protection +3.3V single power supply Operating case temperature: 0 to +70C The transceiver support LC connectors and are hot swappable Supports the ability to mix and match SFPs on the same unit Supports operation for layer-2, and layer-3 forwarding 802.3z, and 100BASE-FX Compliable with SFP MSA Compliable with IEEE 802.3-2002 Compliable with IEEE 802.3ah-2004 Compliable with FCC 47 CFR Part 15, Class B Compliable with FDA 21 CFR 1040.10 and 1040.11, Class I Compliable with Telcordia GR-468-CORE RoHS compliance 1000BASE-LX or 100BASE-FX connections to backbone or server Multimode (MMF) 1310nm (typical) 1000BASE-LX Min: -11.5 dBm and Max: -3 dBm Min: 0 and Max: -22 dBm 10.5 dBm ( 22 11.5 = 10.5 dBm) 100BASE-FX Min: -20.0 dBm and Max: -14.0 dBm Min: 0 and Max: -28 dBm 8 dBm ( 28 20 = 8 dBm) 550m at 1000Mbps and 2km at 100Mbps This SFP is not supported on OmniSwitch 6850 combo ports with the exception of the OmniSwitch 6850-U24X combo ports.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 93 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Features
Connector Type
Standards supported
Connections supported Fiber optic cable supported Wavelength Transmitter Average Output Optical Power Receiver Sensitivity Power Budget* Transmitter Average Output Optical Power Receiver Sensitivity Power Budget* Cable distances SFP compatibility notes
SFP-DUAL-SM10 Technical Specifications Build-in PHY supporting SGMII Interface Dual data-rate of 100BASE-LX/1000BASE-LX operation 1310nm FP laser and PIN photo-detector 0.5m~10km transmission with SMF Standard serial ID information compliable with SFP MSA SFP MSA package with duplex LC connector With Spring-Latch for high density application Very low EMI and excellent ESD protection +3.3V single power supply Operating case temperature: 0 to +70C The transceiver support LC connectors and are hot swappable Supports the ability to mix and match SFPs on the same unit Supports operation for layer-2, and layer-3 forwarding IEEE 802.3z, 100BASE-FX, and 1000BASE-X Compliable with SFP MSA Compliable with IEEE 802.3-2002 Compliable with IEEE 802.3ah-2004 Compliable with FCC 47 CFR Part 15, Class B Compliable with FDA 21 CFR 1040.10 and 1040.11, Class I Compliable with Telcordia GR-468-CORE RoHS compliance 100BASE-LX or 1000BASE-X connections to backbone or server Single mode (SMF) 1310nm (typical) 1000BASE-LX Min: -9.5 dBm and Max: -3 dBm Min: 0 and Max: -22 dBm 12.5 dBm ( 22 9.5 = 12.5 dBm) 100BASE-LX Min: -15 dBm and Max: -8 dBm Min: 0 and Max: -28 dBm 13 dBm ( 28 15 = 13 dBm) 0.5m ~ 10km transmission with SMF This SFP is not supported on OmniSwitch 6850 combo ports with the exception of the OmniSwitch 6850-U24X combo ports.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 94 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Features
Connector Type
Standards supported
Connections supported Fiber optic cable supported Wavelength Transmitter Output Optical Power Receiver Sensitivity Power Budget* Cable distances SFP compatibility notes
Features
Connector Type
Standards supported
Connections supported Fiber optic cable supported Wavelength Transmitter Average Output Optical Power Receiver Sensitivity Power Budget* Cable distances SFP compatibility notes
SFP-100-BX20LT Technical Specifications 1310nm/1550nm single fiber bi-directional transmission technology SFP Multi-Source package with SC receptacle 100~155.520Mbps data links Very low EMI and certified ESD Protection Class I laser product Single +3.3V power supply Hot-pluggable capability Low power dissipation Industrial operating temperature -40C to +85C The transceiver support SC connectors and are hot swappable Supports the ability to mix and match SFPs on the same unit Supports bi-directional operation for layer-2, and layer-3 forwarding 802.3z, and 1000BASE-BX Compliant With Industrial Standard SFP MSA Compliant With ITU-T G.985 Compliant With FCC 47 CFR Part 15, Class B Compliant With FDA 21 CFR 1040.10 and 1040.11, Class I 1000BASE-BX connections to backbone or server Single Mode (SMF) 1310/1550nm (typical) Min: -14 dBm and Max: -8 dBm Min: 0 and Max: -32 dBm 18 dBm ( 32 14 = 18 dBm) 20km This SFP is not supported on OmniSwitch 6850 combo ports with the exception of the OmniSwitch 6850-U24X combo ports. SFP-100-BX20NU Technical Specifications 100~155Mbps data links 20km point-point transmission 1310nm FP Tx/1550nm 1550nm FP Tx/1310nm Class I laser product Low EMI and excellent ESD protection SFP MSA package with SC receptacle Operation case temperature:-40 to +85C The transceiver support SC connectors and are hot swappable Supports the ability to mix and match SFPs on the same unit Supports bi-directional operation for layer-2, and layer-3 forwarding IEEE 802.3z, and 1000BASE-BX Compatible with SFP MSA Compatible with ITU-T G.983 Compatible with IEEE 802.3ah Compliant with RoHS 1000BASE-BX connections to backbone or server Single mode (SMF) 1310nm/1550nm (typical) Min: -14 dBm and Max: -8 dBm Min: 0 and Max: -32 dBm 18 dBm ( 32 14 = 18 dBm) 20km This SFP is not supported on OmniSwitch 6850 combo ports with the exception of the OmniSwitch 6850-U24X combo ports.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 95 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Features
Connector Type
Standards supported Connections supported Fiber optic cable supported Wavelength Transmitter Output Optical Power for 62.5/125m Transmitter Output Optical Power for 50/125m Receiver Input Optical Power Power Budgets* Cable distances SFP compatibility notes
SFP-100-LC-MM Technical Specifications Full compliance with ATM Forum UNI SONET OC-3 multimode fiber physical layer specification Full compliance with the optical performance requirements of the FDDI PMD Standard Full compliance with the optical performance requirements of 100Base-FX version of IEEE802.3u Industry standard Small Form Pluggable (SFP) package LC duplex connector optical interface Operates with 62.5/125m and 50/125m multimode fiber Single +3.3 V power supply +3.3 V TTL LOS output Manufactured in an ISO 9001 certified facility Temperature range: 0 C to +70 C Bail de-latch option The transceiver support LC connectors and are hot swappable Supports the ability to mix and match SFPs on the same unit Supports operation for layer-2, and layer-3 forwarding IEEE 802.3z, and 100BASE-FX 100BASE-FX connections to backbone or server Multimode (MMF) 1310nm (typical) Min: -20 dBm and Max: -14 dBm Min: -23.5 dBm and Max: -14 dBm Min: -14 and Max: -31 dBm 11 dBm ( 31 20 = 11 dBm) for 62.5/125m 7.5 dBm ( 31 23.5 = 7.5 dBm for 50/125m 2km This SFP is not supported on OmniSwitch 6850 combo ports with the exception of the OmniSwitch 6850-U24X combo ports.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 96 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Features
Connector Type
Standards supported
Connections supported Fiber optic cable supported Wavelength Transmitter Average Output Optical Power Receiver Sensitivity Power Budget* Cable distances SFP compatibility notes
SFP-100-LC-SM15 Technical Specifications 100~155.52Mbps bi-directional data links 1310nm FP laser transmitter Multi-source package with LC optical interface Optional spring latch for high density application Class 1 laser product Very low jitter 15km transmission distance with SMF Low EMI and excellent ESD protection Single +3.3V power supply Hot-pluggable capability Temperature range: 0 C to +70 C The transceiver support LC connectors and are hot swappable Supports the ability to mix and match SFPs on the same unit Supports operation for layer-2, and layer-3 forwarding IEEE 802.3z, and 100BASE-FX Compliant with SFP MSA Compliant with FCC 47 CFR Part 15, Class B Compliant with FDA 21 CFR 1040.10 and 1040.11, Class I Compliant with ITU-T G.957 and G.958 Compliant with Telcordia GR-253-CORE 100BASE-FX connections to backbone or server Single mode (SMF) 1310nm (typical) Min: -15 dBm and Max: -8 dBm Min: 0 and Max: -36 dBm 21 dBm ( 36 15 = 21 dBm) 15km This SFP is not supported on OmniSwitch 6850 combo ports with the exception of the OmniSwitch 6850-U24X combo ports. SFP-100-LC-SM40 Technical Specifications 100~155.52Mbps bi-directional data links 1310nm FP laser transmitter Multi-source package with LC optical interface Optional spring latch for high density application Class 1 laser product Very low jitter 40km transmission distance with SMF Low EMI and excellent ESD protection Single +3.3V power supply Hot-pluggable capability Temperature range: 0 C to +70 C The transceiver support LC connectors and are hot swappable Supports the ability to mix and match SFPs on the same unit Supports operation for layer-2, and layer-3 forwarding IEEE 802.3z, and 100BASE-FX Compliant with SFP MSA Compliant with FCC 47 CFR Part 15, Class B Compliant with FDA 21 CFR 1040.10 and 1040.11, Class I Compliant with ITU-T G.957 and G.958 Compliant with Telcordia GR-253-CORE 100BASE-FX connections to backbone or server Single mode (SMF) 1310nm (typical) Min: -5 dBm and Max: 0 dBm Min: 0 and Max: -36 dBm 31 dBm ( 36 5 = 31 dBm) 40km This SFP is not supported on OmniSwitch 6850 combo ports with the exception of the OmniSwitch 6850-U24X combo ports.
Features
Connector Type
Standards supported
Connections supported Fiber optic cable supported Wavelength Transmitter Average Output Optical Power Receiver Sensitivity Power Budget* Cable distances SFP compatibility notes
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 97 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Connector Type
Standards supported Connections supported Fiber optic cable supported Wavelength Transmitter Output Optical Power Input Optical Power Power Budget* Cable distances Features
Connector Type
Standards supported Connections supported Fiber optic cable supported Wavelength Transmitter Output Optical Power Input Optical Power Power Budget* Cable distances
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 98 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Features
Connector Type
Standards supported Connections supported Fiber optic cable supported Wavelength Transmitter Output Optical Power Input Optical Power Power Budget* Cable distances Features
Connector Type
Standards supported Connections supported Fiber optic cable supported Wavelength Transmitter Output Optical Power Input Optical Power Power Budget* Cable distances
SFP-GIG-51CWD60 Technical Specifications Eight (8) Wavelength CWDM Transceivers Compliant with SFP MSA Compatible with IEEE 802.3z Gigabit Ethernet 1000BASE-LX PMD Specifications Compatible with 1.062GBd Fiber Channel 100-SM-LC-L FC-PI Standards Minimum Optical Link Power Budgets of 22dB and 24dB to support 62km and 70km Eye Safe (Class I Laser Safety per FDA/CDRH & Class 1M per IEC-825) Duplex LC Optical Interface Loss of Signal Output & TX Disable Input Hot-pluggable Single +3.3V Power Supply CWDM Gigabit Ethernet optical transceiver (SFP MSA) w/ blue latch. Supports single mode fiber over 1511nm wavelength (nominal) with an LC connector. Typical reach of 62 Km on 9/125 m SMF. The transceiver support LC connectors and are hot swappable Supports the ability to mix and match CWDMs on the same unit Supports operation for layer-2, and layer-3 forwarding IEEE 802.3z, and 1000BASE-LX 1000BASE-CWDM connections to backbone or server Single mode (SMF) & 9/125 m 1511nm (nominal) Min: -2 dBm and Max: +3 dBm Min: -24 and Max: -3 dBm 22 dBm ( 24 2 = 22 dBm) Long reach single mode (SMF) 62km SFP-GIG-53CWD60 Technical Specifications Eight (8) Wavelength CWDM Transceivers Compliant with SFP MSA Compatible with IEEE 802.3z Gigabit Ethernet 1000BASE-LX PMD Specifications Compatible with 1.062GBd Fiber Channel 100-SM-LC-L FC-PI Standards Minimum Optical Link Power Budgets of 22dB and 24dB to support 62km and 70km Eye Safe (Class I Laser Safety per FDA/CDRH & Class 1M per IEC-825) Duplex LC Optical Interface Loss of Signal Output & TX Disable Input Hot-pluggable Single +3.3V Power Supply CWDM Gigabit Ethernet optical transceiver (SFP MSA) w/ green latch. Supports single mode fiber over 1531nm wavelength (nominal) with an LC connector. Typical reach of 62 Km on 9/125 m SMF. The transceiver support LC connectors and are hot swappable Supports the ability to mix and match CWDMs on the same unit Supports operation for layer-2, and layer-3 forwarding IEEE 802.3z, and 1000BASE-LX 1000BASE-CWDM connections to backbone or server Single mode (SMF) & 9/125 m 1531nm (nominal) Min: -2 dBm and Max: +3 dBm Min: -24 and Max: -3 dBm 22 dBm ( 24 2 = 22 dBm) Long reach single mode (SMF) 62km
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 99 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Features
Connector Type
Standards supported Connections supported Fiber optic cable supported Wavelength Transmitter Output Optical Power Input Optical Power Power Budget* Cable distances Features
Connector Type
Standards supported Connections supported Fiber optic cable supported Wavelength Transmitter Output Optical Power Input Optical Power Power Budget* Cable distances
SFP-GIG-55CWD60 Technical Specifications Eight (8) Wavelength CWDM Transceivers Compliant with SFP MSA Compatible with IEEE 802.3z Gigabit Ethernet 1000BASE-LX PMD Specifications Compatible with 1.062GBd Fiber Channel 100-SM-LC-L FC-PI Standards Minimum Optical Link Power Budgets of 22dB and 24dB to support 62km and 70km Eye Safe (Class I Laser Safety per FDA/CDRH & Class 1M per IEC-825) Duplex LC Optical Interface Loss of Signal Output & TX Disable Input Hot-pluggable Single +3.3V Power Supply CWDM Gigabit Ethernet optical transceiver (SFP MSA) w/ yellow latch. Supports single mode fiber over 1551nm wavelength (nominal) with an LC connector. Typical reach of 62 Km on 9/125 m SMF. The transceiver support LC connectors and are hot swappable Supports the ability to mix and match CWDMs on the same unit Supports operation for layer-2, and layer-3 forwarding IEEE 802.3z, and 1000BASE-LX 1000BASE-CWDM connections to backbone or server Single mode (SMF) & 9/125 m 1551nm (nominal) Min: -2 dBm and Max: +3 dBm Min: -24 and Max: -3 dBm 22 dBm ( 24 2 = 22 dBm) Long reach single mode (SMF) 62km SFP-GIG-57CWD60 Technical Specifications Eight (8) Wavelength CWDM Transceivers Compliant with SFP MSA Compatible with IEEE 802.3z Gigabit Ethernet 1000BASE-LX PMD Specifications Compatible with 1.062GBd Fiber Channel 100-SM-LC-L FC-PI Standards Minimum Optical Link Power Budgets of 22dB and 24dB to support 62km and 70km Eye Safe (Class I Laser Safety per FDA/CDRH & Class 1M per IEC-825) Duplex LC Optical Interface Loss of Signal Output & TX Disable Input Hot-pluggable Single +3.3V Power Supply CWDM Gigabit Ethernet optical transceiver (SFP MSA) w/ orange latch. Supports single mode fiber over 1571nm wavelength (nominal) with an LC connector. Typical reach of 62 Km on 9/125 m SMF. The transceiver support LC connectors and are hot swappable Supports the ability to mix and match CWDMs on the same unit Supports operation for layer-2, and layer-3 forwarding IEEE 802.3z, and 1000BASE-LX 1000BASE-CWDM connections to backbone or server Single mode (SMF) & 9/125 m 1571nm (nominal) Min: -2 dBm and Max: +3 dBm Min: -24 and Max: -3 dBm 22 dBm ( 24 2 = 22 dBm) Long reach single mode (SMF) 62km
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 100 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Features
Connector Type
Standards supported Connections supported Fiber optic cable supported Wavelength Transmitter Output Optical Power Input Optical Power Power Budget* Cable distances Features
Connector Type
Standards supported Connections supported Fiber optic cable supported Wavelength Transmitter Output Optical Power Input Optical Power Power Budget* Cable distances
SFP-GIG-59CWD60 Technical Specifications Eight (8) Wavelength CWDM Transceivers Compliant with SFP MSA Compatible with IEEE 802.3z Gigabit Ethernet 1000BASE-LX PMD Specifications Compatible with 1.062GBd Fiber Channel 100-SM-LC-L FC-PI Standards Minimum Optical Link Power Budgets of 22dB and 24dB to support 62km and 70km Eye Safe (Class I Laser Safety per FDA/CDRH & Class 1M per IEC-825) Duplex LC Optical Interface Loss of Signal Output & TX Disable Input Hot-pluggable Single +3.3V Power Supply CWDM Gigabit Ethernet optical transceiver (SFP MSA) w/ red latch. Supports single mode fiber over 1591nm wavelength (nominal) with an LC connector. Typical reach of 62 Km on 9/125 m SMF. The transceiver support LC connectors and are hot swappable Supports the ability to mix and match CWDMs on the same unit Supports operation for layer-2, and layer-3 forwarding IEEE 802.3z, and 1000BASE-LX 1000BASE-CWDM connections to backbone or server Single mode (SMF) & 9/125 m 1591nm (nominal) Min: -2 dBm and Max: +3 dBm Min: -24 and Max: -3 dBm 22 dBm ( 24 2 = 22 dBm) Long reach single mode (SMF) 62km SFP-GIG-61CWD60 Technical Specifications Eight (8) Wavelength CWDM Transceivers Compliant with SFP MSA Compatible with IEEE 802.3z Gigabit Ethernet 1000BASE-LX PMD Specifications Compatible with 1.062GBd Fiber Channel 100-SM-LC-L FC-PI Standards Minimum Optical Link Power Budgets of 22dB and 24dB to support 62km and 70km Eye Safe (Class I Laser Safety per FDA/CDRH & Class 1M per IEC-825) Duplex LC Optical Interface Loss of Signal Output & TX Disable Input Hot-pluggable Single +3.3V Power Supply CWDM Gigabit Ethernet optical transceiver (SFP MSA) w/ brown latch. Supports single mode fiber over 1611nm wavelength (nominal) with an LC connector. Typical reach of 62 Km on 9/125 m SMF. The transceiver support LC connectors and are hot swappable Supports the ability to mix and match CWDMs on the same unit Supports operation for layer-2, and layer-3 forwarding IEEE 802.3z, and 1000BASE-LX 1000BASE-CWDM connections to backbone or server Single mode (SMF) & 9/125 m 1611nm (nominal) Min: -2 dBm and Max: +3 dBm Min: -24 and Max: -3 dBm 22 dBm ( 24 2 = 22 dBm) Long reach single mode (SMF) 62km
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 101 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Eye Safety
XFP transceivers are international Class 1 laser products and are eye-safe devices when operated within the limits of manufacturers specifications. Operating XFP transceivers in a manner inconsistent with intended usage and specification might result in hazardous radiation exposure.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 102 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
XFP-10G Specifications
XFP-10G-LR Technical Specifications Compact form factor according to 10 Gigabit Small Form Factor Pluggable (XFP) Multi Source Agreement, Release 3.1 Multiple rate and multiple protocol support SMF: 10GE / 10GFC / SONET / SDH MMF: 10GE / 10GFC XFP MSA compliant management and diagnostic interface Z-Axis hot-plug capability XFI serial data Interface via 30-Pin, XFP connector Support link spans up to 10km with single mode fiber and 300m with multimode fiber IEEE 802.3ae 2002 compliant 10GBASE-LR and 10GBASE-SR 10GFC draft 3.0 compliant 1200-SM-LL-L and 1200-MX-SN-I OC-192 SR-1/STM I64.1 Standards Supported IEEE 802.3ae & 10GBASE-LR Connector Type The transceiver support LC connectors and are hot swappable Supports the ability to mix and match XFPs on the same unit Supports operation for layer-2, and layer-3 forwarding Cable Supported Single mode; Full Duplex only Source Type Supports 10 m & 1310nm with a serial transceiver Cable Distances up to 10km Power Consumption 2.5watts Operating Temperature -5 to 70C Transmitter Average Output (launch) optical power Min: -5.2dBm & Max: 0.5dBm Receiver Sensitivity Min: -12.6dBm & Max: 0dBm Power Budget* 7.4dBm (12.6 5.2 = 7.4dBm) XFP-10G-SR Technical Specifications Features Compact form factor according to 10 Gigabit Small Form Factor Pluggable (XFP) Multi Source Agreement, Release 3.1 Multiple rate and multiple protocol support SMF: 10GE / 10GFC / SONET / SDH MMF: 10GE / 10GFC XFP MSA compliant management and diagnostic interface Z-Axis hot-plug capability XFI serial data Interface via 30-Pin, XFP connector Support link spans up to 10km with single mode fiber and 300m with multimode fiber IEEE 802.3ae 2002 compliant 10GBASE-LR and 10GBASE-SR 10GFC draft 3.0 compliant 1200-SM-LL-L and 1200-MX-SN-I OC-192 SR-1/STM I64.1 Standards Supported IEEE 802.3ae & 10GBASE-SR Connector Type The transceiver support LC connectors and are hot swappable Supports the ability to mix and match XFPs on the same unit Supports operation for layer-2, and layer-3 forwarding Cable Supported Multi mode; Full Duplex only Source Type Supports 50/125 m & 62.5/125 m & 850nm with a serial transceiver Cable Distances up to 300m (based on 50/125 m MMF and a Modal bandwidth of 2000MHz*km) Power Consumption 2.5watts Operating Temperature -5 to 70C Transmitter Average Output (launch) optical power Min: -7.3dBm & Max: -1.0dBm Receiver Sensitivity Min: 0dBm & Max: -11.1dBm Power Budget* 3.8dBm (11.1 7.3 = 3.8dBm) Features
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 103 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
XFP-10G-ER40 Technical Specifications Supports 9.95Gb/s to 10.7Gb/s bit rates Hot-pluggable XFP footprint Maximum link length of 40km Temperature-stabilized EML transmitter Duplex LC connector Power dissipation <3.5W Built-in digital diagnostic functions Temperature range: -5C to 70C Standards Supported IEEE 802.3ae & 10GBASE-ER Connector Type The transceiver support LC connectors and are hot swappable Supports the ability to mix and match XFPs on the same unit Supports operation for layer-2, and layer-3 forwarding Cable Supported Single mode; Full Duplex only Source Type supports 10 m & 1550nm Cable Distances up to 40km Power Consumption 3.5watts Operating Temperature -5 to 70C Transmitter Average Output (launch) optical power Min: -1.0dBm& Max: +2.0dBm Receiver Sensitivity @9.95Gbps to 11.1Gbps Min: 0dBm & Max: -16dBm Power Budget* 15dBm (16 1.0 = 15dBm) XFP-10G-ZR80 Technical Specifications Features Supports 9.95Gb/s to 10.7Gb/s bit rates Hot-pluggable XFP footprint Maximum link length of 80km Temperature-stabilized EML transmitter Duplex LC connector Power dissipation <3.5W Built-in digital diagnostic functions Temperature range: -5C to 70C Standards Supported IEEE 802.3ae & 10GBASE-ZR Connector Type The transceiver support LC connectors and are hot swappable Supports the ability to mix and match XFPs on the same unit Supports operation for layer-2, and layer-3 forwarding Cable Supported Single Mode; Full Duplex only Source Type Supports 10 m & 1550nm Cable Distances up to 80km Power Consumption 3.5 watts Operating Temperature -5 to 70C Transmitter Average Output (launch) optical power Min: 0dBm & Max: +4.0dBm Receiver Sensitivity @9.95Gbps Min: 0dBm & Max: -24dBm Power Budget* 24dBm (24 0 = 24dBm) Features
Notes: *The worst-case Optical Power Budget in dB for a fiber optic link is determined by: The difference between the minimum transmitters output optical power and the lowest receiver sensitivity.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 104 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Pin-Outs
RJ-45 Console Port Connector Pinouts
Pin Number 1 2 3 4 5 6 7 8 Shell Description (Signals as DCE Console Port) CTS NC RXD Ground Ground TXD NC RTS (Request to Send) Chassis Ground
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 105 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 106 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
PIN 14
Pin Number Description OS6850 PoE Models 1 -50V 2 -50V 3 -50VRTN 4 -50VRTN 5 N/C 6 +12V 7 +12V 8 +12V 9 GND 10 GND 11 PS_ALTER 12 PS_GOOD 13 PS_PRESENT 14 -50V 15 -50V 16 -50VRTN 17 -50VRTN 18 N/C 19 +12V 20 +12V 21 GND 22 GND 23 GND 24 PS_TYPE0 25 PS_TYPE1
PIN 25
Pin Number Description OS6850 Non-PoE Models 1 N/C 2 N/C 3 N/C 4 N/C 5 N/C 6 +12V 7 +12V 8 +12V 9 GND 10 GND 11 PS_ALTER 12 PS_GOOD 13 PS_PRESENT 14 N/C 15 N/C 16 N/C 17 N/C 18 N/C 19 +12V 20 +12V 21 GND 22 GND 23 GND 24 PS_TYPE0 25 PS_TYPE1
Note: This the pin-outs for the external power supplies DB-25 connectors as located on the rear panel of OmniSwitch 6850 platforms (as applicable). There are three DB-25 connectors. These connectors are used for connecting the appropriate power supply (s) to the OmniSwitch 6850 unit.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 107 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Availability Feature
The switch provides a broad variety of availability features. Availability features are hardware- and software-based safeguards that help to prevent the loss of data flow in the unlikely event of a subsystem failure. In addition, some availability features allow users to maintain or replace hardware components without powering off the switch or interrupting switch operations. Combined, these features provide added resiliency and help to ensure that the switch or virtual chassis is consistently available for day-to-day network operations. Hardware-related availability features include: Software Rollback Backup Power Supplies Hot Swapping Hardware Monitoring
Software Rollback
Software rollback (also referred to as image rollback) essentially allows the OmniSwitch 6850 Series switches to return to a prior last known good version of software in the event of a system software problem. The switch controls software rollback through its resilient directory structure design (i.e., /flash/ working and /flash/certified).
Hot Swapping
Hot swapping refers to the action of adding, removing, or replacing components without powering off switches or disrupting other components. This feature facilitates hardware upgrades and maintenance and allows users to easily replace components in the unlikely event of hardware failure. The following hardware components can be hot swapped: Backup power supply Backup power supply connector cables SFPs
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 108 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Hardware Monitoring
Automatic Monitoring
Automatic monitoring refers to the switchs built-in sensors that automatically monitor operations. If an error is detected (e.g., over-threshold temperature), the switch immediately sends a trap to the user. The trap is displayed on the console in the form of a text error message. (In the case of an over-threshold temperature condition, the chassis displays an amber TMP LED in addition to sending a trap.)
LEDs
LEDs, which provide visual status information, are provided on the chassis front panel. LEDs are used to indicate conditions such as hardware and software status, temperature errors, link integrity, data flow, etc.
User-Driven Monitoring
User-driven hardware monitoring refers to CLI commands that are entered by the user in order to access the current status of hardware components. The user enters show commands that output information to the console.
360W
360W
Valid
360W
510W
Not valid
510W
360W
Not valid
510W
126W
Not valid
510W
120W
Not valid
360W
126W
Not valid
360W
120W
Not valid
126W (AC)
None
Not valid
120W (DC)
None
Not valid
126W (AC)
126W (AC)
Valid
120W (DC)
120W (DC)
Valid
126W (AC)
120W (DC)
Valid
120W (DC)
126W (AC)
Valid
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 110 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850-48, OS6850-48X, OS6850-24, OS6850-24X, OS6850-U24X, OS6850-24L, OS6850-48L OS6850-48, OS6850-48X, OS6850-24, OS6850-24X, OS6850-U24X, OS6850-24L, OS6850-48L OS6850-48, OS6850-48X, OS6850-24, OS6850-24X, OS6850-U24X, OS6850-24L, OS6850-48L OS6850-48, OS6850-48X, OS6850-24, OS6850-24X, OS6850-U24X, OS6850-24L, OS6850-48L
126W (AC)
510W
Not valid
120W (DC)
360W
Not valid
510W
None
Not valid
360W
None
Not valid
The power supplies can also be connected using a cable, in case there is a need for a less deep chassis. In this case, the same power shelf can be mounted in the rack using the mounting ears (removable in case the power supply needs to be plugged into the rear of the chassis).
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 111 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 112 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 113 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Output voltage: -50 VDC maximum rated Output current: 4.8 Amps DC maximum rated The 510WAC-to-DC High PoE P/S The 510W AC-to-DC Power Supply is used on the following Models: OS6850-P24H & OS6850-P24LH & OS6850-P24XH & OS6850-P48H & OS6850-P48LH & OS6850-P48XH This specification covers the 510W switching power supply requirements for Ethernet switches with 390W (50V @ 7.8W/port) for PoE power and 120W (12V @ 10.0A) for system power operation. The 510W P/S provides the following outputs: The power supply provides dual outputs; -50V and +12V. P/S Input Parameters: Input Power: 637.5 watts AC (based on an efficiency of 80%) Input Voltage range: 85 to 264VAC (Universal input voltage) Input Voltage range: 100 to 240VAC (Nominal Input Voltage or Agency approved unit) Nominal input is expected to be 115VAC (rms) at 60Hz or 230VAC (rms) at 50Hz. Input current: 5.54 Amps AC@115VAC or 2.77 Amps AC@230VAC Input current: 7.08 Amps AC@90VAC Input current will be less than 10A (rms) at 115VAC (rms) and 60Hz. Input current will be less than 5A (rms) at 230VAC (rms) and 50Hz. Input Frequency: 47 to 63 Hz (3%) The power supply efficiency will be greater than 75%. The input fuse value shall be less than 12 Amps AC The power supply shall provide the following required output voltages & output currents for the main chassis and the PoE. Maximum continuous output power will be 510W. The Main Chassis P/S Output Parameters: Output Power: 120 watts DC rated Output voltage: 12 VDC rated Output current: 10.0 Amps DC maximum rated The PoE P/S Output Parameters: The estimated available P/S PoE power budget is 390watts: Output Power: 390 watts DC maximum rated Output voltage: -50 VDC maximum rated Output current: 7.8 Amps DC maximum rated Note: Switching DC/DC or linear regulators on the PCB further breaks down the +12VDC to generate the required 5V, 3.3V, 2.5V, 1.8V, 1.25V, 1.2V and 2V. The 360W AC-to-DC Power Supply is used on the following PoE Models: OS6850-P24 & OS6850-P24L & OS6850-P24X & OS6850-P48 & OS6850-P48L & OS6850-P48X: The 360W power supply provides: 240W (-50V @ 4.8A) for in-line power and 120W (12V @ 10.0A) for system power operation. PoE Power Budget for the 24-port Models: 216watts [240watts (PoE power) 24watts (the overhead (power consumed by the PoE daughter card which is 1watt per port))]. PoE Power Budget for the 48-port Models: 192watts [240watts (PoE power) 48watts (the overhead (power consumed by the PoE daughter card which is 1watt per port))]. The 510W AC-to-DC Power Supply is used on the following PoE Models: OS6850-P24H & OS6850-P24LH & OS6850-P24XH & OS6850-P48H & OS6850-P48LH & OS6850-P48XH: The 510W power supply provides: 390W (50V @ 7.8W/port) for in-line power and 120W (12V @ 10.0A) for system power operation. The available PoE Power Budget for the 24-port Models: 366watts [390watts (PoE power) 24watts (the overhead (power consumed by the PoE daughter card which is 1watt per port))]. The available PoE Power Budget for the 48-port Models: 342watts [390watts (PoE power) 48watts (the overhead (power consumed by the PoE daughter card which is 1watt per port))]. Note: Power for all POE ports is defaulted to 15.4 watts per port and each port is configurable between 3watts to 15.4watts (Port setting is in Milliwatts (3000 to 15400)). Please note that the available PoE power budget must not be exceeded.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 114 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 115 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 116 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 117 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 118 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 119 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Pass-Through Mode
The pass-through mode is a state in which a switch has attempted to join a stack but has been denied primary, secondary, and idle status. When a switch is in the pass-through mode, its Ethernet ports are brought down (i.e., they cannot pass traffic). Its stacking cable connections remain fully functional and can pass traffic through to other switches in the stack. In this way, the pass-through mode provides a mechanism to prevent the stack ring from being broken. However, note that when a switch comes up in Pass-through mode, it should not be left unresolved. Pass-through mode is essentially an error state that should be corrected immediately by the user. Conditions that can trigger a switch to enter pass-through mode include: Duplicate slot numbers have been assigned within the stack The user has manually forced the switch into pass-through mode Note. If a switch is forced into pass-through mode, the rest of the stack will not be disrupted. Any elements in the stack not operating in pass-through mode continue to operate normally. The most common reason for one or more switches to enter pass-through is duplicate slot number assignments within the stack. So, in order to avoid pass-through mode, it is useful to keep track of the current saved slot numbers on all elements in the stack. Slot number assignments are stored in the boot.slot.cfg file in the /flash directory of each switch. If the stack is booted and the same slot number is discovered on two or more switches, the switch with the lowest MAC address is allowed to come up and operate normally. Meanwhile, switches with the duplicate slot number and a higher MAC address come up in pass-through mode.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 120 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Stack Cabling
Switches in a stack are connected to each other by stacking cables. The valid cable lengths are 1.5m (4.9 feet), 60cm (23.6 inches), and 30cm (11.8 inches). These stacking cables provide high-speed, dual-redundant links between switches in a stack. Stacking cables for OmniSwitch 6850 Series switches can be connected in any pattern. In other words, the cable connected to stacking port A of one switch can be connected to either stacking port A or stacking port B of the adjacent switch. However, it is strongly recommended that the cabling pattern remains consistent across the stack. In addition, for a stack to have effective redundancy a redundant stacking cable must be installed between the upper-most and bottom-most switch at all times. This provides effective failover in the event of a stacking link or module failure within the stack. Note. When planning the stack-cabling configuration, keep in mind that the switch connected to stacking port A of the primary switch will be assigned the secondary management role by default.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 121 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Slot Numbering
For a stack of OmniSwitch 6850 Series switches to operate as a virtual chassis, each module in the stack must be assigned a unique slot number. To view the current slot assignments for a stack, use the show Ni or show module commands. The LED located on the left side of the chassis also displays the slot number on the front panel of each switch. There are two ways stacking modules are assigned slot numbers: Dynamic slot number assignment by the system software Manual slot number assignment by the user
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 122 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Merging Stacks
Merging stacks involves connecting two or more operational stacks and attempting to reboot them as a single virtual chassis. In most cases, errors will result. To merge stacks without causing errors, select one stack that is to remain up and running and then add modules from the other stack(s) by following the steps below: 1 Make sure all switches are running the same software version. 2 Clear the saved slot information from all incoming modules. This will ensure that they are each assigned unique slot numbers when they join the stack. 3 After clearing the saved slot information, power off all incoming modules. 4 Connect the stacking cables for all incoming modules to the existing, operational stack as required. Be sure to provide stacking cable redundancy. 5 Power on all incoming modules. Note. No more than eight switches can operate in a single stacked configuration at any time.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 123 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Reloading Switches
Reloading is essentially a soft boot of a switch. Users can reload stacked modules operating in any role i.e., primary, secondary, idle, and pass-through. Refer to the sections below for more information.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 124 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 125 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Be Sure a Redundant Stacking Cable is installed at All Times Another important guideline for avoiding split stacks involves the redundant stacking cable. In order to avoid isolated modules within the virtual chassis, simply make sure that a redundant stacking cable connection exists between the topmost and bottom-most switches at all times.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 126 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 127 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Power Priority level for a port The capacitor detection method Priority discount status
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 128 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Priority Disconnect is enabled; same Priority Level on All PD Ports Reminder. Priority disconnect examples are applicable only when there is inadequate power remaining to power an incoming device. When a PD is being connected to a port with the same priority level as all other ports in the slot, the physical port number is used to determine whether the incoming PD will be granted or denied power. Lower numbered ports receive higher priority than higher-numbered ports. In other words, a PD connected to Port 1 will have a higher power priority than a PD connected to Port 2; a PD connected to Port 23 will have a higher power priority than a PD connected to Port 24. In order to avoid a power budget deficit, another port in the slot is disconnected. In determining which port to power off, the system software disconnects the port with the highest physical port number. Priority Disconnect is enabled; Incoming PD Port has Highest Priority Level Reminder. Priority disconnect examples are applicable only when there is inadequate power remaining to power an incoming device. When a PD is being connected to a port with a higher priority level than all other ports in the slot, the incoming PD will automatically be granted power over the other devices, regardless of its physical port number. In order to avoid a power budget deficit, another port in the slot is disconnected. In determining which port to power off, the system software first selects the port with the lowest configured priority level. For example, if a critical priority device is being added to a slot in which five existing devices are attached to high priority ports and one device is attached to a low priority port, the low priority port is automatically disconnected, regardless of its physical port number. If all existing devices are attached to ports with the same lower priority level, the system software disconnects the port with both the lowest priority level and the highest physical port number. For example, if a critical priority device is being added to a slot in which six existing devices are attached to high priority ports, the high priority port with the highest physical port number is automatically disconnected. Priority Disconnect is enabled; Incoming PD Port has Lowest Priority Level Reminder. Priority disconnect examples are applicable only when there is inadequate power remaining to power an incoming device. When a PD is being connected to a port with a lower priority level than all other ports in the slot, the incoming PD will be denied power, regardless of its physical port number. Devices connected to other higher-priority ports will continue operating without interruption. Priority Disconnect is disabled Reminder. Priority disconnect examples are applicable only when there is inadequate power remaining to power an incoming device. When priority disconnect is disabled, power will be denied to any incoming PD, regardless of its port priority status (i.e., low, high, and critical) or physical port number (i.e., 124).
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 129 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Power Cords
Because the power cord is the power supplys main disconnect device, it should be plugged into an easily accessible outlet. In the event that your power cord is lost or damaged, refer to the specifications below.
Specifications
The power cord to be used with 115-Volt configuration is a minimum type SJT (SVT) 18/3, rated at 250Volts AC, 10 Amps with a maximum length of 15 feet. One end terminates in an IEC 320 attachment plug and the other end terminates in a NEMA 5-15P plugs. The power cord to be used with 230-Volt configuration is minimum type SJT (SVT) 18/3, rated 250 Volts AC, 10 Amps with a maximum length of 15 feet. One end terminates in an IEC 320 attachment plug and the other end terminates as required by the country where it will be installed. European cords must be Harmonized (HAR) type. DC-to-DC Power Cords For DC-to-DC connections please refer to the Hardware Users Manuals for additional guidelines and information. Refer to the information below for power plug types by region: Power Cord Types NEMA 5-15-P (US), C22.2, No. 42 (Canada) BS 1,363 CEE 7/7 JIS 8,303 AS 3,112 BS 546 CIE 2,316 SEV 1011 SRAF 1,962 / D816 / 87 AR1-10P
North America United Kingdom / Ireland Europe Japan Australia India Italy Switzerland / Liechtenstein Denmark / Greenland Argentina
Temperature Management
The operating temperature of your switch is an important factor in its overall operability. In order to avoid a temperaturerelated system failure, your switch must always run at an operating temperature between 0 and 45 C (32 to 113 F). To avoid chassis over-temperature conditions, follow these important guidelines: Be sure that your switch is installed in a well-ventilated environment. To ensure adequate airflow, allow at least six inches of clearance at the front and back of the chassis. In addition, leave at least two inches of clearance at the left and right sides. Be sure that blank cover panels are installed at empty slot positions at all times. Blank cover panels help regulate airflow and thus regulate the overall operating temperature in the switch. To check the switchs current temperature status, use the show temperature command.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 130 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 131 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
5. MTBF CALCULATION REQUIREMENTS 5.1 Bill of Materials The Bill of Materials (BOMs) is normally used to calculate the MTBFs of all the NIBU products. 5.2 MTBF Calculations MTBF is a basic measure of reliability for repairable items. It can be described as the number of hours that pass before a component, assembly, or system fails. It is a commonly-used variable in reliability and maintainability analyses. MTBF can be calculated as the inverse of the failure rate for constant failure rate systems. For Example: If a component has a failure rate of 2 failures per million hours, the MTBF would be the inverse of that failure rate: MTBF = (1,000,000 hours) / (2 failures/million hours) = 500,000 hours Thus, for an assembly with multiple components, the MTBF is calculated as the inverse of all the failure rates, as follows: MTBF = 1 / (sum of all the part failure rates); or: MTBF = 1 / (FR1 + FR2 + FR3 + ............ FRn) Note: FR = Failure Rate For a combination of multiple assemblies in Serial M ode: MTBF (Combined) = 1 (1/MTBF1 + 1/MTBF2 + 1/MTBF3 + ..+1/MTBFn) To ease the complexity of the MTBF calculations, a reliability prediction program called RelCalc for Windows, Version 5.0BELL7 (Release 2004.1), produced by T-Cubed Systems, Inc. (http://www.t-cubed.com/), is used to calculate the MTBFs of all the NIBU products, with Telcordia SR-332, Issue 1, Method I (Parts Count), Case 3, Environment GB (Ground Benign), Correction Factor 1, 100% Duty Cycle, components Quality Level II and under an ambient temperature of 25C. 5.3 Minimum MTBF Expectation The minimum MTBF value for all NIBU products, including any module, unit or system is expected to be 43,800 hours (5 years). Thus: The minimum Mission Success Rate for 1 year (M.S.R. 1) = exp (-8760/43800) = 81.87% The minimum Mission Success Rate for 5 years (M.S.R. 5) = exp (-43800/43800) = 36.79% 5.4 MTBF Calculation Results A so called MTBF table is used to summarize the MTBF calculation results of all products. The MTBF table is periodically updated to include the additional MTBF calculation results of new products. After each update, it will be sent out to interested parties such as Engineering, Quality Assurance, Marketing and Sales departments. Beside the MTBF calculation results of each product, the MTBF table also displays other results such as backplanes, fans, power supplies, PCBAs, fiber optic transceivers, products with and without power supplies, products with and without fiber optic transceivers. 6. Additional Information 6.1 The History of the MTBF Standards For electronic components, the two most popular and widely accepted reliability prediction handbooks are MIL-HDBK-217 and Telcordia (Bellcore). These handbooks offer procedures for predicting electronic product reliability, providing a standard basis for comparing reliability numbers. 6.2 MIL-HDBK-217 The original reliability prediction handbook was MIL-HDBK-217, the Military Handbook for Reliability Prediction of Electronic Equipment. MIL-HDBK-217 (commonly referred to as 217) is published by the Department of Defense, based on work done by the Reliability Analysis Center and Rome Laboratory at Griffiss AFB, NY. The 217 handbook contains failure rate models for the various part types used in electronic systems, such as ICs, transistors, diodes, resistors, capacitors, relays, switches and connectors. These failure rate models are based on the best field data that could be obtained for a wide variety of parts and systems; this data is then analyzed and massaged, with many simplifying assumptions thrown in, to create usable models. The latest version of 217 is MIL-HDBK-217F, Notice 2 (217F2). A copy of MIL-HDBK-217F-2 can be obtained from any source that provides Mil Specs, Mil Standards, Mil Handbooks, etc.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 132 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
6.3 Telcordia (Bellcore) Bellcore was purchased by SAIC in 1997. The purchase agreement required Bellcore to change its name: Bellcore became Telcordia Technologies in 1999. However, people still continue to use the Bellcore name in their documentation. Note that Bellcore (Bell Communications Research, a spin-off of AT&T Bell Labs) was the research arm of the Bell Operating Companies. Bellcore previously used MIL-HDBK-217 for their reliability predictions, but found that 217 gave pessimistic numbers for its commercial quality products. A few years ago, Bellcore used 217 as a starting point, modified (and simplified) the models to better reflect their field experience, and developed the Bellcore reliability prediction procedure, which is applicable to commercial electronic products. A copy of the Telcordia document Reliability Prediction Procedure for Electronic Equipment (document number SR-332, Issue 1) can be obtained directly from Telcordia Customer Service in New Jersey. Many commercial electronic product companies, making products such as computers, telecommunications systems, medical systems, and power supplies, are now choosing to use the Bellcore handbook for their reliability predictions. 6.4 Failure Rate Unit Conversions Failure rate numbers can be expressed in many different units as shown in the following conversion equations. Note that the FITs (Failures In Time) unit is failures per billion hours, and that the MTBF is in hours. (Failures/million hours) = (1,000,000) / (MTBF) (Failures/million hours) = (0.001) * (FITs) (Failures/million hours) = (1000) * (failures/1000 hours) (Failures/million hours) = (10) * (%failures/1000 hours) (Failures/million hours) = (114.2) * (failures/year) (Failures/million hours) = (1.142) * (%failures/year) (FITs) = (1,000,000,000) / (MTBF) (FITs) = (1000) * (failures/million hours) (FITs) = (1,000,000) * (failures/1000 hours) (FITs) = (10,000) * (%failures/1000 hours) (FITs) = (114,200) * (failures/year) (FITs) = (1142) * (%failures/year) (MTBF) = (1,000,000) / (failures/million hours) (MTBF) = (1,000,000,000) / (FITs) 6.5 MTBF Mission Success Rate The Mission Success Rate (M.S.R.) is the probability that the circuit, including redundancy, will operate without failure for the mission time. For example, if the Mission Success Rate = 0.999405, then the circuit has a probability of 99.94% of working without a failure for the mission time duration. Assuming that failures occur randomly during the useful life of a product, they can be described as an exponential distribution. So the probability that a product will work for some time T without failure is given by: R (T) = exp (-T/MTBF) Thus, for a product with an MTBF of 250,000 hours, and an operating time of interest of 5 years (43,800 hours): R = exp (-43800/250000) = 0.839289 = 83.93% (Mission Success Rate for 5 years = 83.93%) This means that there is an 83.93% probability that the product will operate for the 5 years without a failure, or that 83.93% of the units in the field will still be working at the 5 year point. 6.6 Serial and Parallel Mode MTBF Calculations The following two typical model types are used to calculate the MTBFs of all the NIBU products: Serial Mode MTBF Calculation Parallel Mode MTBF Calculation
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 133 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
6.6.1 Serial Mode MTBF Calculation The MTBF calculation under serial mode requires all of the parts in the circuit to function for success. In other words, the whole assembly will be considered failed if only one single component failed. Under serial mode MTBF calculation, the MTBF calculation result usually goes lower with additional components. The serial mode is normally used to calculate the MTBFs of all the modules and systems, except redundancy configurations, with the following formula: MTBF (Combined) = 1 (1/MTBF1 + 1/MTBF2 + 1/MTBF3 ++ 1/MTBFn) 6.6.2 Parallel Mode MTBF Calculation The MTBF calculation under parallel mode requires only 1 of the parts in the circuit to function for success. The parallel mode is usually used to calculate the MTBFs of the units in redundancy mode, such as redundant power supplies or redundant chassis management modules (CMMs). Under parallel mode MTBF calculation, the MTBF calculation result usually goes higher with additional redundant units. There is no simple formula to calculate the MTBFs of the redundant modules or systems under parallel mode. A reliability prediction program such as RelCalc for Windows is used instead to perform the MTBF calculations under parallel mode. 6.7 MTBF and Other Related Terms 6.7.1 MTTF MTTF (Mean Time to Failures) is a basic measure of reliability for non-repairable systems items (such as fans). It is the mean time expected until the first failure of a piece of equipment. MTTF is a statistical value and is meant to be the mean over a long period of time and a large number of units. For constant failure rate systems, MTTF is the inverse of the failure rate. If the failure rate is in failures/millions of failure hours, MTTF = 1,000,000/Failure Rate for components with exponential distributions. Technically, MTBF should be used only in reference to repairable items, while MTTF should be used for non-repairable items. However, MTBF is commonly used for both repairable and non-repairable items. The MTBF figures can be used for this purpose. MTTF = 1 / (sum of all the part failure rates); or: MTTF = 1 / (FR1 + FR2 + FR3 + ............ FRn) Note: FR = Failure Rate MTTF = (1,000,000) / (failures/million hours) 6.7.2 MTTR (Mean Time to Repairs) for our systems depends on the failure. Our systems are designed to recover from simple failures, but our systems engineers can help our customers develop a fault tolerant network that would use a combination of local spares, distributed inventories and advanced replacements to optimize the availability rating.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 134 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
6.7.3 Availability Calculations Availability (Ai) is the probability that the system will be available when required, or the proportion of total time that the system is available for use. If the repair time is very small compared to the MTBF time, then the availability of the system can approach to 100%. Availability is typically specified in nines notation. For example: 3-nines availability corresponds to 99.9% availability. 5-nines availability corresponds to 99.999% availability. The following table shows the relationship of the availability and the corresponding percentage and downtime: Availability 1-nine 2-nines 3-nines 4-nines 5-nines 6-nines Availability Percentage 90% 99% 99.9% 99.99% 99.999% 99.9999% Down Time per Year 36.5 days/year 3.65 days/year 8.76 hours/year 52.56 minutes/year 5.26 minutes/year 31.54 seconds/year
The Availability can be calculated as: Ai = MTBF / (MTBF + MTTR) MTTR = Mean Time To Repair (average service or repair time in hours) Example: With MTBF = 100,000 hours and MTTR = 4 hours Ai = 100000 / (100000 + 4) = 0.999960001 99.99% (4-nines availability) With MTBF = 500,000 hours and MTTR = 4 hours Ai = 500000 / (500000 + 4) = 0.999992 99.999% (5-nines availability) Availability is calculated as: MTTF / (MTTF + MTTR) or MTBF / (MTBF + MTTR) Comment on 4 x 9s availability or 99.99% uptime carrier grade availability (Availability in % (ex: 100.00%)): To achieve the highest levels of availability there must be cooperative efforts between Alcatel-Lucent and the customer, this requires that in addition to device and network level capabilities, operational processes must also be in place across the many facets of the network hardware, software, applications, security, networking, backup systems, local spares and server farms. Network management must be designed to maintain availability with automated features to prevent and resolve problems, and incorporate security with ease of use to reduce human error and the associated downtime. 6.7.4 Spare Units Calculations The Mission Success Rate (M.S.R.) calculation should be used to determine the spare units that a customer should acquire: M.S.R (T) = exp (-T/MTBF) Example: With 100 units that had an MTBF = 100,000 hours M.S.R. for 1 year (8,760 hours) = exp (-8760/100000) = 91.61% 92% M.S.R. for 5 years (43,800 hours) = exp (-43800/100000) = 64.53% 65% This means that at the end of the first year, there is a probability that 92 units are still running with 8 units failed. Thus, the customer needs to acquire about 8 spare units for the first year. At the end of the 5th year, there is a probability that 65 units are still running with 35 units failed. Thus, the customer needs to get about 35 units for their replacement. However, some people prefer to use the following simpler method to calculate the spare units as an estimation figure: Spare units in a period = (number of units) * (period in hours) / (MTBF in hours) Example: With 100 units that had an MTBF = 100,000 hours Spare units in 1 year (8760 hours) = (100 units) * (8760 hours) / 100000 hours = 8.76 units 9 units Spare units in 5 years (43,800 hours) = (100 units) * (43800 hours) / 100000 hours = 43.80 units 44 units OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 135 Software & Hardware Release: AOSv6.3.1r01 Alcatel-Lucent-ESD Calabasas/CA./USA
Family
OS6850-24 OS6850-24D OS6850-24L OS6850-24LD
Module Name
OS6850-24-Fans PS-126W-AC (126W AC Pwr Supply) PS-120W-DC (120W DC Pwr Supply) OS6850-24-LED-USB-PCBA OS6850-24-4SFP-PCBA OS6850-24-Main-PCBA OS6850-24 (No PS. No MiniGBIC) OS6850-24+PS-126W-AC (No MiniGBIC) OS6850-24+2(PS-126W-AC)(No MiniGBIC) OS6850-24+PS-120W-DC (No MiniGBIC) OS6850-24+2(PS-120W-DC)(No MiniGBIC) OS6850-24+PS-126W-AC +PS-120W-DC (No MiniGBIC) MiniGBIC-SX (Multimode Trans.) MiniGBIC-LX (Single mode Trans.) MiniGBIC-LH-70 (Long Reach Trans.) OS6850-24+PS-126W-AC+4(MiniGBIC-SX) OS6850-24+PS-126W-AC+4(MiniGBIC-LX) OS6850-24+PS-126W-AC+4(MiniGBIC-LH-70) OS6850-24+2(PS-126W-AC)+4(MiniGBIC-SX) OS6850-24+2(PS-126W-AC)+4(MiniGBIC-LX) OS6850-24+2(PS-126W-AC)+4(MiniGBIC-LH-70) OS6850-24+PS-120W-DC+4(MiniGBIC-SX) OS6850-24+PS-120W-DC+4(MiniGBIC-LX) OS6850-24+PS-120W-DC+4(MiniGBIC-LH-70) OS6850-24+2(PS-120W-DC)+4(MiniGBIC-SX) OS6850-24+2(PS-120W-DC)+4(MiniGBIC-LX) OS6850-24+2(PS-120W-DC)+4(MiniGBIC-LH-70) OS6850-24+PS-126W-AC+ PS-120W-DC +4(MiniGBIC-SX) OS6850-24+PS-126W-AC+ PS-120W-DC +4(MiniGBIC-LX) OS6850-24+PS-126W-AC+ PS-120W-DC +4(MiniGBIC-LH-70)
MTBF-Hr.
603,696 1,259,604 1,501,224 36,813,836 39,939,134 402,101 238,345 200,421 227,923 205,688 230,468 229,285 5,780,347 6,578,947 2,857,143 176,010 178,651 156,507 197,584 200,836 173,799 180,059 182,825 159,700 199,338 202,668 175,050 198,525 201,819 174,472
MTBF-Yr.
68.92 143.79 171.37 4,202.49 4,559.26 45.90 27.21 22.88 26.02 23.48 26.31 26.17 659.86 751.02 326.16 20.09 20.39 17.87 22.56 22.93 19.84 20.55 20.87 18.23 22.76 23.14 19.98 22.66 23.04 19.92
M.S.R.5
M.S.R.1
FTRJ-8519-7D (Finisar) FTRJ-1319-7D (Finisar) A10P-8063-STA-H (Avrio) 78% 95% 78% 95% 76% 95% 81% 96% 81% 96% 78% 95% 78% 95% 79% 95% 76% 95% 81% 96% 81% 96% 78% 95% 81% 96% 81% 78% 96% 95%
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 136 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Family
OS6850-24X OS6850-24XD
Module Name
OS6850-24X-Fans PS-126W-AC (126W AC Pwr Supply) PS-120W-DC (120W DC Pwr Supply) OS6850-24X-LED-USB-PCBA OS6850-24X-4SFP-PCBA OS6850-24X-Main-PCBA OS6850-24X (No PS. No MiniGBIC) OS6850-24X+PS-126W-AC (No MiniGBIC) OS6850-24X+2(PS-126W-AC)(No MiniGBIC) OS6850-24X+PS-120W-DC (No MiniGBIC) OS6850-24X+2(PS-120W-DC)(No MiniGBIC) OS6850-24X+PS-126W-AC +PS-120W-DC (No MiniGBIC) MiniGBIC-SX (Multimode Trans.) MiniGBIC-LX (Single mode Trans.) MiniGBIC-LH-70 (Long Reach Trans.) 10G-XFP-SR (Multimode XFP Trans.) 10G-XFP-LR (Single mode XFP Trans.) OS6850-24X+PS-126W-AC+4(MiniGBIC-SX) +2(10G-XFP-SR) OS6850-24X+PS-126W-AC+4(MiniGBIC-LX) +2(10G-XFP-SR) OS6850-24X+PS-126W-AC+4(MiniGBIC-LH-70) +2(10G-XFP-SR) OS6850-24X+PS-126W-AC+4(MiniGBIC-SX) +2(10G-XFP-LR) OS6850-24X+PS-126W-AC+4(MiniGBIC-LX) +2(10G-XFP-LR) OS6850-24X+PS-126W-AC+4(MiniGBIC-LH-70) +2(10G-XFP-LR) OS6850-24X+2(PS-126W-AC)+4(MiniGBIC-SX) +2(10G-XFP-SR) OS6850-24X+2(PS-126W-AC)+4(MiniGBIC-LX) +2(10G-XFP-SR) OS6850-24X+2(PS-126W-AC) +4(MiniGBIC-LH-70) +2(10G-XFP-SR) OS6850-24X+2(PS-126W-AC)+4(MiniGBIC-SX) +2(10G-XFP-LR) OS6850-24X+2(PS-126W-AC)+4(MiniGBIC-LX) +2(10G-XFP-LR) OS6850-24X+2(PS-126W-AC) +4(MiniGBIC-LH-70) +2(10G-XFP-LR) OS6850-24X+PS-120W-DC+4(MiniGBIC-SX) +2(10G-XFP-SR) OS6850-24X+PS-120W-DC+4(MiniGBIC-LX) +2(10G-XFP-SR) OS6850-24X+PS-120W-DC+4(MiniGBIC-LH-70) +2(10G-XFP-SR) OS6850-24X+PS-120W-DC+4(MiniGBIC-SX) +2(10G-XFP-LR) OS6850-24X+PS-120W-DC+4(MiniGBIC-LX) +2(10G-XFP-LR) OS6850-24X+PS-120W-DC+4(MiniGBIC-LH-70) +2(10G-XFP-LR) OS6850-24X+2(PS-120W-DC)+4(MiniGBIC-SX) +2(10G-XFP-SR) OS6850-24X+2(PS-120W-DC)+4(MiniGBIC-LX) +2(10G-XFP-SR)
MTBF-Hr.
603,696 1,259,604 1,501,224 36,813,836 38,764,649 368,556 226,105 191,695 217,007 196,509 219,248 218,209 5,780,347 6,578,947 2,857,143 6,427,590 4,944,180 160,778 162,979 144,347 158,400 160,536 142,427 178,972 181,646 159,184
MTBF-Yr.
68.92 143.79 171.37 4,202.49 4,425.19 42.07 25.81 21.88 24.77 22.43 25.03 24.91 659.86 751.02 326.16 733.74 564.40 18.35 18.60 16.48 18.08 18.33 16.26 20.43 20.74 18.17
M.S.R.5
M.S.R.1
FTRJ-8519-7D (Finisar) FTRJ-1319-7D (Finisar) A10P-8063-STA-H (Avrio) TXN181070850X17 (Intel) TXN181072013X58 (Intel) 76% 95% 76% 74% 76% 76% 74% 79% 79% 76% 95% 94% 95% 95% 94% 95% 95% 95%
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 137 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850-24X+2(PS-120W-DC) +4(MiniGBIC-LH-70) +2(10G-XFP-SR) OS6850-24X+2(PS-120W-DC)+4(MiniGBIC-SX) +2(10G-XFP-LR) OS6850-24X+2(PS-120W-DC)+4(MiniGBIC-LX) +2(10G-XFP-LR) OS6850-24X+2(PS-120W-DC) +4(MiniGBIC-LH-70) +2(10G-XFP-LR) OS6850-24X+PS-126W-AC+ PS-120W-DC +4(MiniGBIC-SX) +2(10G-XFP-SR) OS6850-24X+PS-126W-AC+ PS-120W-DC +4(MiniGBIC-LX) +2(10G-XFP-SR) OS6850-24X+PS-126W-AC+ PS-120W-DC +4(MiniGBIC-LH-70) +2(10G-XFP-SR) OS6850-24X+PS-126W-AC+ PS-120W-DC +4(MiniGBIC-SX) +2(10G-XFP-LR) OS6850-24X+PS-126W-AC+ PS-120W-DC +4(MiniGBIC-LX) +2(10G-XFP-LR) OS6850-24X+PS-126W-AC+ PS-120W-DC +4(MiniGBIC-LH-70) +2(10G-XFP-LR)
160,175
18.28
76%
95%
179,699
20.51
79%
95%
182,401
20.82
79%
95%
159,715
18.23
76%
95%
176,786
20.18
78%
95%
179,403
20.48
79%
95%
157,404
17.97
76%
95%
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 138 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Family
OS6850-P24 OS6850-P24H OS6850-P24L OS6850-P24LH
Module Name
OS6850-P24-Fans PS-510W-AC (510W AC Pwr Supply) PS-360W-AC (360W AC Pwr Supply) OS6850-P24-LED-USB-PCBA OS6850-P24-4SFP-PCBA OS6850-P24-POE-PCBA OS6850-P24-Main-PCBA OS6850-P24 (No PS. No MiniGBIC) OS6850-P24+PS-510W-AC (No MiniGBIC) OS6850-P24+2(PS-510W-AC)(No MiniGBIC) OS6850-P24+PS-360W-AC (No MiniGBIC) OS6850-P24+2(PS-360W-AC)(No MiniGBIC) MiniGBIC-SX (Multimode Trans.) MiniGBIC-LX (Single mode Trans.) MiniGBIC-LH-70 (Long Reach Trans.) OS6850-P24+PS-510W-AC+4(MiniGBIC-SX) OS6850-P24+PS-510W-AC+4(MiniGBIC-LX) OS6850-P24+PS-510W-AC+4(MiniGBIC-LH-70) OS6850-P24+2(PS-510W-AC)+4(MiniGBIC-SX) OS6850-P24+2(PS-510W-AC)+4(MiniGBIC-LX) OS6850-P24+2(PS-510W-AC)+ 4(MiniGBIC-LH-70) OS6850-P24+PS-360W-AC+4(MiniGBIC-SX) OS6850-P24+PS-360W-AC+4(MiniGBIC-LX) OS6850-P24+PS-360W-AC+4(MiniGBIC-LH-70) OS6850-P24+2(PS-360W-AC)+4(MiniGBIC-SX) OS6850-P24+2(PS-360W-AC)+4(MiniGBIC-LX) OS6850-P24+2(PS-360W-AC)+ 4(MiniGBIC-LH-70)
MTBF-Hr.
603,696 406,835 504,490 36,813,836 39,939,134 2,967,641 402,101 220,625 143,050 180,201 153,497 189,262 5,780,347 6,578,947 2,857,143 130,165 131,604 119,181 161,673 163,725 146,154 138,758 140,395 126,346 168,661 170,929 151,630
MTBF-Yr.
68.92 46.44 57.59 4,202.49 4,559.26 338.77 45.90 25.19 16.33 20.57 17.52 21.61 659.86 751.02 326.16 14.86 15.02 13.61 18.46 18.69 16.68 15.84 16.03 14.42 19.25 19.51 17.31
M.S.R.5
M.S.R.1
FFB0412VHN-F00 (Delta) YM-2511BA (3Y Pwr Tec) YM-2361BA (3Y Pwr Tec)
74% 94% 81% 96% 75% 94% 81% 96% FTRJ-8519-7D (Finisar) FTRJ-1319-7D (Finisar) A10P-8063-STA-H (Avrio) 71% 93% 72% 94% 69% 93% 79% 95% 79% 96% 76% 95% 73% 73% 71% 79% 79% 77% 94% 94% 93% 95% 96% 95%
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 139 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Family
OS6850-P24X OS6850-P24XH
Module Name
OS6850-P24X-Fans PS-510W-AC (510W AC Pwr Supply) PS-360W-AC (360W AC Pwr Supply) OS6850-P24X-LED-USB-PCBA OS6850-P24X-4SFP-PCBA OS6850-P24X-POE-PCBA OS6850-P24X-Main-PCBA OS6850-P24X (No PS. No MiniGBIC) OS6850-P24X+PS-510W-AC (No MiniGBIC) OS6850-P24X+2(PS-510W-AC)(No MiniGBIC) OS6850-P24X+PS-360W-AC (No MiniGBIC) OS6850-P24X+2(PS-360W-AC)(No MiniGBIC) MiniGBIC-SX (Multimode Trans.) MiniGBIC-LX (Single mode Trans.) MiniGBIC-LH-70 (Long Reach Trans.) 10G-XFP-SR (Multimode XFP Trans.) 10G-XFP-LR (Single mode XFP Trans.) OS6850-P24X+PS-510W-AC+4(MiniGBIC-SX) +2(10G-XFP-SR) OS6850-P24X+PS-510W-AC+4(MiniGBIC-LX) +2(10G-XFP-SR) OS6850-P24X+PS-510W-AC+4(MiniGBIC-LH-70) +2(10G-XFP-SR) OS6850-P24X+PS-510W-AC+4(MiniGBIC-SX) +2(10G-XFP-LR) OS6850-P24X+PS-510W-AC+4(MiniGBIC-LX) +2(10G-XFP-LR) OS6850-P24X+PS-510W-AC+4(MiniGBIC-LH-70) +2(10G-XFP-LR) OS6850-P24X+2(PS-510W-AC)+4(MiniGBIC-SX) +2(10G-XFP-SR) OS6850-P24X+2(PS-510W-AC)+4(MiniGBIC-LX) +2(10G-XFP-SR) OS6850-P24X+2(PS-510W-AC)+ 4(MiniGBIC-LH-70) +2(10G-XFP-SR) OS6850-P24X+2(PS-510W-AC)+4(MiniGBIC-SX) +2(10G-XFP-LR) OS6850-P24X+2(PS-510W-AC)+4(MiniGBIC-LX) +2(10G-XFP-LR) OS6850-P24X+2(PS-510W-AC)+ 4(MiniGBIC-LH-70) +2(10G-XFP-LR) OS6850-P24X+PS-360W-AC+4(MiniGBIC-SX) +2(10G-XFP-SR) OS6850-P24X+PS-360W-AC+4(MiniGBIC-LX) +2(10G-XFP-SR) OS6850-P24X+PS-360W-AC+4(MiniGBIC-LH-70) +2(10G-XFP-SR) OS6850-P24X+PS-360W-AC+4(MiniGBIC-SX) +2(10G-XFP-LR) OS6850-P24X+PS-360W-AC+4(MiniGBIC-LX) +2(10G-XFP-LR) OS6850-P24X+PS-360W-AC+4(MiniGBIC-LH-70) +2(10G-XFP-LR)
MTBF-Hr.
603,696 406,835 504,490 36,813,836 38,764,649 3,228,883 368,556 211,308 139,074 174,448 148,929 182,834 5,780,347 6,578,947 2,857,143 6,427,590 4,944,180 122,047 123,311 112,340 120,672 121,908 111,174 150,178 151,958 136,624
MTBF-Yr.
68.92 46.44 57.59 4,202.49 4,425.19 368.59 42.07 24.12 15.88 19.91 17.00 20.87 659.86 751.02 326.16 733.74 564.40 13.93 14.08 12.82 13.78 13.92 12.69 17.14 17.35 15.60
M.S.R.5
M.S.R.1
FFB0412VHN-F00 (Delta) YM-2511BA (3Y Pwr Tec) YM-2361BA (3Y Pwr Tec)
73% 94% 80% 96% 75% 94% 81% 96% FTRJ-8519-7D (Finisar) FTRJ-1319-7D (Finisar) A10P-8063-STA-H (Avrio) TXN181070850X17 (Intel) TXN181072013X58 (Intel) 70% 93% 70% 68% 70% 70% 67% 77% 77% 75% 93% 92% 93% 93% 92% 95% 95% 94%
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 140 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850-P24X+2(PS-360W-AC)+4(MiniGBIC-SX) +2(10G-XFP-SR) OS6850-P24X+2(PS-360W-AC)+4(MiniGBIC-LX) +2(10G-XFP-SR) OS6850-P24X+2(PS-360W-AC)+ 4(MiniGBIC-LH-70) +2(10G-XFP-SR) OS6850-P24X+2(PS-360W-AC)+4(MiniGBIC-SX) +2(10G-XFP-LR) OS6850-P24X+2(PS-360W-AC)+4(MiniGBIC-LX) +2(10G-XFP-LR) OS6850-P24X+2(PS-360W-AC)+ 4(MiniGBIC-LH-70) +2(10G-XFP-LR)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 141 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Family
OS6850-48 OS6850-48D OS6850-48L OS6850-48LD
Module Name
OS6850-48-Fans PS-126W-AC (126W AC Pwr Supply) PS-120W-DC (120W DC Pwr Supply) OS6850-48-LED-USB-PCBA OS6850-48-4SFP-PCBA OS6850-48-Main-PCBA OS6850-48 (No PS. No MiniGBIC) OS6850-48+PS-126W-AC (No MiniGBIC) OS6850-48+2(PS-126W-AC)(No MiniGBIC) OS6850-48+PS-120W-DC (No MiniGBIC) OS6850-48+2(PS-120W-DC)(No MiniGBIC) OS6850-48+PS-126W-AC +PS-120W-DC (No MiniGBIC) MiniGBIC-SX (Multimode Trans.) MiniGBIC-LX (Single mode Trans.) MiniGBIC-LH-70 (Long Reach Trans.) OS6850-48+PS-126W-AC+4(MiniGBIC-SX) OS6850-48+PS-126W-AC+4(MiniGBIC-LX) OS6850-48+PS-126W-AC+4(MiniGBIC-LH-70) OS6850-48+2(PS-126W-AC)+4(MiniGBIC-SX) OS6850-48+2(PS-126W-AC)+4(MiniGBIC-LX) OS6850-48+2(PS-126W-AC)+4(MiniGBIC-LH-70) OS6850-48+PS-120W-DC+4(MiniGBIC-SX) OS6850-48+PS-120W-DC+4(MiniGBIC-LX) OS6850-48+PS-120W-DC+4(MiniGBIC-LH-70) OS6850-48+2(PS-120W-DC)+4(MiniGBIC-SX) OS6850-48+2(PS-120W-DC)+4(MiniGBIC-LX) OS6850-48+2(PS-120W-DC)+4(MiniGBIC-LH-70) OS6850-48+PS-126W-AC+ PS-120W-DC +4(MiniGBIC-SX) OS6850-48+PS-126W-AC+ PS-120W-DC +4(MiniGBIC-LX) OS6850-48+PS-126W-AC+ PS-120W-DC +4(MiniGBIC-LH-70)
MTBF-Hr.
603,696 1,259,604 1,501,224 17,928,344 39,939,134 275,125 187,022 162,844 181,482 166,304 182,886 182,236 5,780,347 6,578,947 2,857,143 146,352 148,173 132,611 161,582 163,765 145,238 149,141 151,033 134,897 162,614 164,834 146,016 162,137 164,340 145,656
MTBF-Yr.
68.92 143.79 171.37 2,046.61 4,559.26 31.41 21.35 18.59 20.72 18.98 20.88 20.80 659.86 751.02 326.16 16.71 16.91 15.14 18.45 18.69 16.58 17.03 17.24 15.40 18.56 18.82 16.67 18.51 18.76 16.63
M.S.R.5
M.S.R.1
FTRJ-8519-7D (Finisar) FTRJ-1319-7D (Finisar) A10P-8063-STA-H (Avrio) 74% 94% 74% 94% 72% 94% 77% 95% 77% 95% 74% 94% 75% 94% 75% 94% 72% 94% 77% 95% 77% 95% 74% 94% 77% 95% 77% 74% 95% 94%
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 142 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Family
OS6850-48X OS6850-48XD
Module Name
OS6850-48X-Fans PS-126W-AC (126W AC Pwr Supply) PS-120W-DC (120W DC Pwr Supply) OS6850-48X-LED-USB-PCBA OS6850-48X-Main-PCBA OS6850-48X (No PS. No XFP) OS6850-48X+PS-126W-AC (No XFP) OS6850-48X+2(PS-126W-AC)(No XFP) OS6850-48X+PS-120W-DC (No XFP) OS6850-48X+2(PS-120W-DC)(No XFP) OS6850-48X+PS-126W-AC +PS-120W-DC (No XFP) 10G-XFP-SR (Multimode XFP Trans.) 10G-XFP-LR (Single mode XFP Trans.) OS6850-48X+PS-126W-AC+2(10G-XFP-SR) OS6850-48X+PS-126W-AC+2(10G-XFP-LR) OS6850-48X+2(PS-126W-AC)+ 2(10G-XFP-SR) OS6850-48X+2(PS-126W-AC)+ 2(10G-XFP-LR) OS6850-48X+PS-120W-DC+2(10G-XFP-SR) OS6850-48X+PS-120W-DC+2(10G-XFP-LR) OS6850-48X+2(PS-120W-DC)+ 2(10G-XFP-SR) OS6850-48X+2(PS-120W-DC)+ 2(10G-XFP-LR) OS6850-48X+PS-126W-AC+ PS-120W-DC +2(10G-XFP-SR) OS6850-48X+PS-126W-AC+ PS-120W-DC +2(10G-XFP-LR)
MTBF-Hr.
603,696 1,259,604 1,501,224 36,813,836 237,720 169,772 149,608 165,487 152,523 166,585 166,078 6,427,590 4,944,180 142,953 141,070 157,519 155,275 145,613 143,660 158,483 156,203 158,036 155,772
MTBF-Yr.
68.92 143.79 171.37 4,202.49 27.14 19.38 17.08 18.89 17.41 19.02 18.96 733.74 564.40 16.32 16.10 17.98 17.73 16.62 16.40 18.09 17.83 18.04 17.78
M.S.R.5
M.S.R.1
TXN181070850X17 (Intel) TXN181072013X58 (Intel) 74% 94% 73% 94% 76% 95% 76% 95% 74% 94% 74% 94% 76% 95% 76% 95% 76% 95% 76% 95%
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 143 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Family
OS6850-P48 OS6850-P48H OS6850-P48L OS6850-P48LH
Module Name
OS6850-P48-Fans PS-510W-AC (510W AC Pwr Supply) PS-360W-AC (360W AC Pwr Supply) OS6850-P48-LED-USB-PCBA OS6850-P48-POE-PCBA OS6850-P48-Main-PCBA OS6850-P48 (No PS. No MiniGBIC) OS6850-P48+PS-510W-AC (No MiniGBIC) OS6850-P48+2(PS-510W-AC)(No MiniGBIC) OS6850-P48+PS-360W-AC (No MiniGBIC) OS6850-P48+2(PS-360W-AC)(No MiniGBIC) MiniGBIC-SX (Multimode Trans.) MiniGBIC-LX (Single mode Trans.) MiniGBIC-LH-70 (Long Reach Trans.) OS6850-P48+PS-510W-AC+4(MiniGBIC-SX) OS6850-P48+PS-510W-AC+4(MiniGBIC-LX) OS6850-P48+PS-510W-AC+4(MiniGBIC-LH-70) OS6850-P48+2(PS-510W-AC)+4(MiniGBIC-SX) OS6850-P48+2(PS-510W-AC)+4(MiniGBIC-LX) OS6850-P48+2(PS-510W-AC)+ 4(MiniGBIC-LH-70) OS6850-P48+PS-360W-AC+4(MiniGBIC-SX) OS6850-P48+PS-360W-AC+4(MiniGBIC-LX) OS6850-P48+PS-360W-AC+4(MiniGBIC-LH-70) OS6850-P48+2(PS-360W-AC)+4(MiniGBIC-SX) OS6850-P48+2(PS-360W-AC)+4(MiniGBIC-LX) OS6850-P48+2(PS-360W-AC)+ 4(MiniGBIC-LH-70)
MTBF-Hr.
603,696 406,835 504,490 17,928,344 2,175,812 275,125 172,219 120,999 148,704 128,390 154,414 5,780,347 6,578,947 2,857,143 111,650 112,707 103,471 135,669 137,133 124,433 117,914 119,094 108,829 140,236 141,822 128,127
MTBF-Yr.
68.92 46.44 57.59 2,046.61 248.38 31.41 19.66 13.81 16.98 14.66 17.63 659.86 751.02 326.16 12.75 12.87 11.81 15.49 15.65 14.20 13.46 13.60 12.42 16.01 16.19 14.63
M.S.R.5
M.S.R.1
FFB0412VHN-F00 (Delta) YM-2511BA (3Y Pwr Tec) YM-2361BA (3Y Pwr Tec)
70% 93% 77% 95% 71% 93% 77% 95% FTRJ-8519-7D (Finisar) FTRJ-1319-7D (Finisar) A10P-8063-STA-H (Avrio) 68% 92% 68% 93% 65% 92% 74% 94% 75% 94% 72% 94% 69% 69% 67% 75% 75% 72% 93% 93% 92% 94% 95% 94%
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 144 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Family
OS6850-P48X OS6850-P48XH
Module Name
OS6850-P48X-Fans PS-510W-AC (510W AC Pwr Supply) PS-360W-AC (360W AC Pwr Supply) OS6850-P48X-LED-USB-PCBA OS6850-P48X-POE-PCBA OS6850-P48X-Main-PCBA OS6850-P48X (No PS. No XFP) OS6850-P48X+PS-510W-AC (No XFP) OS6850-P48X+2(PS-510W-AC)(No XFP) OS6850-P48X+PS-360W-AC (No XFP) OS6850-P48X+2(PS-360W-AC)(No XFP) 10G-XFP-SR (Multimode XFP Trans.) 10G-XFP-LR (Single mode XFP Trans.) OS6850-P48X+PS-510W-AC+2(10G-XFP-SR) OS6850-P48X+PS-510W-AC+2(10G-XFP-LR) OS6850-P48X+2(PS-510W-AC)+ 2(10G-XFP-SR) OS6850-P48X+2(PS-510W-AC)+ 2(10G-XFP-LR) OS6850-P48X+PS-360W-AC+2(10G-XFP-SR) OS6850-P48X+PS-360W-AC+2(10G-XFP-LR) OS6850-P48X+2(PS-360W-AC)+ 2(10G-XFP-SR) OS6850-P48X+2(PS-360W-AC)+ 2(10G-XFP-LR)
MTBF-Hr.
603,696 406,835 504,490 36,813,836 2,090,730 237,720 157,021 113,294 137,947 119,750 142,704 6,427,590 4,944,180 109,437 108,330 132,612 131,088 115,448 114,217 136,932 135,287
MTBF-Yr.
68.92 46.44 57.59 4,202.49 238.67 27.14 17.92 12.93 15.75 13.67 16.29 733.74 564.40 12.49 12.37 15.14 14.96 13.18 13.04 15.63 15.44
M.S.R.5
M.S.R.1
FFB0412VHN-F00 (Delta) YM-2511BA (3Y Pwr Tec) YM-2361BA (3Y Pwr Tec)
68% 93% 75% 95% 69% 93% 75% 95% TXN181070850X17 (Intel) TXN181072013X58 (Intel) 67% 92% 67% 92% 74% 94% 74% 94% 68% 93% 68% 93% 74% 94% 74% 94%
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 145 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Family
OS6850-U24X OS6850-U24XD
Module Name
OS6850-U24X-Fans PS-126W-AC (126W AC Pwr Supply) PS-120W-DC (120W DC Pwr Supply) OS6850-U24X-Daughter-PCBA OS6850-U24X-Main-PCBA OS6850-U24X (No Power Supply, No MiniGBIC, No XFP) OS6850-U24X+PS-126W-AC (No MiniGBIC, No XFP) OS6850-U24X+2(PS-126W-AC) (No MiniGBIC, No XFP) OS6850-U24X+PS-120W-DC (No MiniGBIC, No XFP) OS6850-U24X+2 (PS-120W-DC (No MiniGBIC, No XFP) OS6850-U24X+PS-126W-AC +PS-120W-DC (No MiniGBIC, No XFP) MiniGBIC-SX (Multimode Trans.) MiniGBIC-LX (Single mode Trans.) MiniGBIC-LH-70 (Long Reach Trans.) 10G-XFP-SR (Multimode XFP Trans.) 10G-XFP-LR (Single mode XFP Trans.) OS6850-U24X+PS-126W-AC+24(MiniGBIC-SX) (No XFP) OS6850-U24X+PS-126W-AC+24(MiniGBIC-LX) (No XFP) OS6850-U24X+PS-126W-AC+ 24(MiniGBIC-LH-70) (No XFP) OS6850-U24X+PS-126W-AC+24(MiniGBIC-SX) +2(10G-XFP-SR) OS6850-U24X+PS-126W-AC+24(MiniGBIC-SX) +2(10G-XFP-LR) OS6850-U24X+PS-126W-AC+24(MiniGBIC-LX) +2(10G-XFP-SR) OS6850-U24X+PS-126W-AC+24(MiniGBIC-LX) +2(10G-XFP-LR) OS6850-U24X+PS-126W-AC+ 24(MiniGBIC-LH-70) +2(10G-XFP-SR) OS6850-U24X+PS-126W-AC+ 24(MiniGBIC-LH-70) +2(10G-XFP-LR) OS6850-U24X+2(PS-126W-AC)+ 24(MiniGBIC-SX) (No XFP) OS6850-U24X+2(PS-126W-AC)+ 24(MiniGBIC-LX) (No XFP) OS6850-U24X+2(PS-126W-AC)+ 24(MiniGBIC-LH-70) (No XFP) OS6850-U24X+2(PS-126W-AC)+ 24(MiniGBIC-SX)+2(10G-XFP-SR) OS6850-U24X+2(PS-126W-AC)+ 24(MiniGBIC-SX)+2(10G-XFP-LR) OS6850-U24X+2(PS-126W-AC)+ 24(MiniGBIC-LX)+2(10G-XFP-SR) OS6850-U24X+2(PS-126W-AC)+ 24(MiniGBIC-LX)+2(10G-XFP-LR) OS6850-U24X+2(PS-126W-AC)+ 24(MiniGBIC-LH-70)+2(10G-XFP-SR)
MTBF-Hr.
603,696 1,259,604 1,501,224 30,986,420 426,686 247,993 207,199 236,457 212,834 239,255 237,953 5,780,347 6,578,947 2,857,143 6,427,590 4,944,180 111,380 118,004 75,607 107,649 106,578 113,825 112,628 73,869 73,363 120,426 128,109 79,889 116,123 114,890 123,255 121,869 77,962
MTBF-Yr.
68.92 143.79 171.37 3,537.26 48.71 28.31 23.65 26.99 24.3 27.31 27.16 659.86 751.02 326.16 733.74 564.40 12.71 13.47 8.63 12.29 12.17 12.99 12.86 8.43 8.37 13.75 14.62 9.12 13.26 13.12 14.07 13.91 8.90
M.S.R.5
M.S.R.1
FTRJ-8519-7D (Finisar) FTRJ-1319-7D (Finisar) A10P-8063-STA-H (Avrio) TXN181070850X17 (Intel) TXN181072013X58 (Intel) 67% 92% 69% 56% 675% 66% 68% 68% 55% 55% 70% 71% 58% 69% 69% 70% 70% 57% 93% 89% 92% 92% 93% 93% 89% 89% 93% 93% 90% 93% 93% 93% 93% 89%
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 146 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850-U24X+2(PS-126W-AC)+24(MiniGBIC-LH-70)+ 2(10G-XFP-LR) OS6850-U24X+PS-120W-DC+24(MiniGBIC-SX)(No XFP) OS6850-U24X+PS-120W-DC+24(MiniGBIC-LX)(No XFP) OS6850-U24X+PS-120W-DC+24(MiniGBIC-LH-70)(No XFP) OS6850-U24X+PS-120W-DC+24(MiniGBIC-SX)+ 2(10G-XFP-SR) OS6850-U24X+PS-120W-DC+24(MiniGBIC-SX)+ 2(10G-XFP-LR) OS6850-U24X+PS-120W-DC+24(MiniGBIC-LX)+ 2(10G-XFP-SR) OS6850-U24X+PS-120W-DC+24(MiniGBIC-LX)+ 2(10G-XFP-LR) OS6850-U24X+PS-120W-DC+24(MiniGBIC-LH-70)+ 2(10G-XFP-SR) OS6850-U24X+PS-120W-DC+24(MiniGBIC-LH-70)+ 2(10G-XFP-LR) OS6850-U24X+2(PS-120W-DC)+24(MiniGBIC-SX) (No XFP) OS6850-U24X+2(PS-120W-DC)+24(MiniGBIC-LX) (No XFP) OS6850-U24X+2(PS-120W-DC)+24(MiniGBIC-LH-70) (No XFP) OS6850-U24X+2(PS-120W-DC)+24(MiniGBIC-SX) + 2(10G-XFP-SR) OS6850-U24X+2(PS-120W-DC)+24(MiniGBIC-SX) + 2(10G-XFP-LR) OS6850-U24X+2(PS-120W-DC)+24(MiniGBIC-LX) + 2(10G-XFP-SR) OS6850-U24X+2(PS-120W-DC)+24(MiniGBIC-LX) + 2(10G-XFP-LR) OS6850-U24X+2(PS-120W-DC)+24(MiniGBIC-LH-70) + 2(10G-XFP-SR) OS6850-U24X+2(PS-120W-DC)+24(MiniGBIC-LH-70) + 2(10G-XFP-LR) OS6850-U24X+PS-126W-AC+ PS-120W-DC+ 24(MiniGBIC-SX) (No XFP) OS6850-U24X+PS-126W-AC+ PS-120W-DC+ 24(MiniGBIC-LX) (No XFP) OS6850-U24X+PS-126W-AC+ PS-120W-DC+ 24(MiniGBIC-LH-70) (No XFP) OS6850-U24X+PS-126W-AC+ PS-120W-DC+ 24(MiniGBIC-SX) +2(10G-XFP-SR) OS6850-U24X+PS-126W-AC+ PS-120W-DC+ 24(MiniGBIC-SX) +2(10G-XFP-LR) OS6850-U24X+PS-126W-AC+ PS-120W-DC+ 24(MiniGBIC-LX) +2(10G-XFP-SR) OS6850-U24X+PS-126W-AC+ PS-120W-DC+ 24(MiniGBIC-LX) +2(10G-XFP-LR) OS6850-U24X+PS-126W-AC+ PS-120W-DC+ 24(MiniGBIC-LH-70) +2(10G-XFP-SR) OS6850-U24X+PS-126W-AC+ PS-120W-DC+ 24(MiniGBIC-LH-70) +2(10G-XFP-LR)
77,401 112,988 119,811 76,345 109,151 108,049 115,505 114,272 74,573 74,058 120,895 128,664 80,040 116,548 115,303 123,755 122,354 78,103 77,540 120,679 128,408 79,970 116,352 115,113 123,525 122,131 78,038 77,476
8.84 12.90 13.68 8.72 12.46 12.33 13.19 13.04 8.51 8.45 13.80 14.69 9.14 13.30 13.16 14.13 13.97 8.92 8.85 13.78 14.66 9.13 13.28 13.14 14.10 13.94 8.91 8.84
57% 68% 69% 56% 67% 67% 68% 68% 56% 55% 70% 71% 58% 69% 69% 70% 70% 57% 57% 70% 71% 58% 69% 69% 70% 70% 57% 57%
89% 93% 93% 89% 92% 92% 93% 93% 89% 89% 935 93% 90% 93% 93% 93% 93% 89% 89% 93% 93% 90% 93% 93% 93% 93% 89% 89%
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 147 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Standards Compliance
The product bears the CE mark. In addition it is in compliance with the following other safety and EMC standards. Note: EN = European Norm, IEC = International Electro-technical Commission All hardware-switching platforms comply with Class A standards for digital devices per AS/NZS 3548, CISPR 22, EN55022, the FCC Part 15, ICES-003, and VCCI standards..
Safety Standards
Australia: c-Tick for Australia AS/NZS TS-001 and 60950; 2000, Australia Canada: CAN/CSA-C22.2 No. 60950-00 CB Certification PBR IEC 950 CB Certification (per IEC 60950) CB per EN 60825-1 & EN 60825-2 (Safety Laser Evaluation) CDRH for UL (Safety Laser Evaluation) China: China CCC C-Tick for Australia EN60950-1; 2001; all national deviations EN60950-1; 2001; all deviations EN60825-1 Laser EN60825-2 Laser Germany: TUV, UL-GS Mark for Germany IEC 60950-1; 2001; all national deviations NOM-019 SCFI, Mexico TS 001 UL-AR (Argentina) US: UL 60950
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 148 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
EMC Standards
AS/NZS 3548 Class A BSMI Class A CCC (China) Class A CE marking for European countries Class A CISPR 22 Class A EN 55022 Class A EN 55024: 1998 (Immunity Standard) EN 50082-1 EN 61000-3-2: 2000 EN 61000-3-3:1995 EN 61000-4-2: 1995 EN 61000-4-3: 1995 EN 61000-4-4: 1995 EN 61000-4-5: 1995 (Surge Level 4) EN 61000-4-6: 1996 EN 61000-4-8: 1993 ENC 1000-4-11: 1994 FCC Part 15 Class A ICES-003 Class A IEEE 802.3: Hi-Pot Test (1,500V or 2,250VDC on all Ethernet ports) VCCI Class A
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 149 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
JATE
This equipment meets the requirements of the Japan Approvals Institute of Telecommunications Equipment (JATE).
VCCI
This is a Class A product based on the standard of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If this equipment is used in a domestic environment, radio disturbance may arise. When such trouble occurs, the user may be required to take corrective actions.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 150 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Installation Warning
Only personnel knowledgeable in basic electrical and mechanical procedures should install or maintain this equipment.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 151 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 152 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 153 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Notes -- PoE Models: The power consumption measurements were obtained under fully loaded conditions. In case of the PoE Models with a 360W power supply, the maximum PoE power budget is 240watts and therefore the PoE load cannot exceed 240watts. In case of the PoE Models with a 510W power supply the maximum PoE power budget is 390watts and therefore the PoE load cannot exceed 390watts. Power consumption calculations are based on total power drawn from the AC line, in other words, the Input Power = Output Power / Power Supply efficiency. Chassis Pwr Consumption = Chassis Pwr / PS efficiency + Available PoE Pwr / PoE PS efficiency The AC 110V power transfer efficiency is determined to be @88.9%. or 89% Maximum Power Consumption for the PoE Models with 360W P/S: OS6850-P24 & OS6850-P24L: 48.66watts / 89% + 240watts / 89% 324W OS6850-P24X: 51.36watts / 89% + 240watts / 89% 327W OS6850-P48 & OS6850-P48L: 86.73watts / 89% + 240watts / 89% 367W OS6850-P48X: 104.33watts / 89% + 240watts / 89% 387W Maximum Power Consumption for the PoE Models with 510W P/S: OS6850-P24H & OS6850-P24LH: 48.66watts / 89% + 390watts / 89% 493W OS6850-P24XH: 51.36watts / 89% + 390watts / 89% 496W OS6850-P48H & OS6850-P48LH: 86.73watts / 89% + 390watts / 89% 536W OS6850-P48XH: 104.33watts / 89% + 390watts / 89% 555W Notes Non-PoE Models: The power consumption measurements were obtained under fully loaded conditions. Power consumption calculations are based on total power drawn from the AC line, in other words, the Input Power = Output Power / Power Supply efficiency. Chassis Pwr Consumption = Chassis Pwr / PS efficiency The AC 110V power transfer efficiency is determined to be @88.9%. or 89% Maximum Power Consumption for the Non-POE Models: OS6850-24 & OS6850-24L & OS6850-24D & OS6850-24LD: 48.66watts / 89% 55W OS6850-24X & OS6850-24XD: 51.36watts / 89% 58W OS6850-48 & OS6850-48L & OS6850-48D & OS6850-48LD: 86.73watts / 89% 97W OS6850-48X & OS6850-48XD: 104.33watts / 89% 117W OS6850-U24X & OS6850-U24XD: 106watts / 89% 119W Power Consumption for the 1000BASE-X SFP MiniGBICs: SFP-GIG-SX transceiver = 0.75W SFP-GIG-LX transceiver = 0.9W SFP-GIG-LH transceiver = 1.0W 1-watt 3.41214 BTU/hr. Note: To calculate the heat dissipation for the PoE Models the following formula has been used: Heat Dissipation = (Chassis Power Consumption / PS efficiency + Estimated power required to power the PoE daughter card / PS efficiency) x 3.41214BTU/hr. The reason that the PoE power budget has not been fully taken into account here, is that the heat is dissipated on the PoE devices and not on the OmniSwitch 6850 chassis. Therefore, we only account for the heat dissipated on the OmniSwitch 6850 chassis plus the heat dissipated on the PoE daughter card inside the chassis including the P/S efficiency. Maximum Heat Dissipation for the PoE Models with 360W P/S or 510W P/S: OS6850-P24 & OS6850-P24L & OS6850-P24H & OS6850-P24LH: (48.66watts / 89% + 24watts / 89%) x 3.41214 279 BTU/hr. OS6850-P24X & OS6850-P24XH: (51.36watts / 89% + 24watts / 89%) x 3.41214 289 BTU/hr. OS6850-P48 & OS6850-P48L & OS6850-P48H & OS6850-P48LH: (86.73watts / 89% + 48watts / 89%) x 3.41214 517 BTU/hr. OS6850-P48X & OS6850-P48XH: (104.33watts / 89% + 48watts / 89%) x 3.41214 584 BTU/hr. Note: To calculate the heat dissipation for the non-PoE Models the following formula has been used: Heat Dissipation = Chassis Power Consumption x 3.41214BTU/hr. Maximum Heat Dissipation for the Non-POE Models: OS6850-24 & OS6850-24L & OS6850-24D & OS6850-24LD: 55watts x 3.41214 188 BTU/hr. OS6850-24X & OS6850-24XD: 58watts x 3.41214 198 BTU/hr. OS6850-48 & OS6850-48L & OS6850-48D & OS6850-48LD: 97watts x 3.41214 331 BTU/hr. OS6850-48X & OS6850-48XD: 117watts x 3.41214 399 BTU/hr. OS6850-U24X & OS6850-U24XD: 119watts x 3.41214 406 BTU/hr.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 154 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 155 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 156 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
The 510W AC-to-DC High PoE P/S The 510W AC-to-DC Power Supply is used on the following Models: OS6850-P24H & OS6850-P24LH & OS6850-P24XH & OS6850-P48H & OS6850-P48LH & OS6850-P48XH This specification covers the 510W switching power supply requirements for Ethernet switches with 390W (50V @ 7.8W/port) for PoE power and 120W (12V @ 10.0A) for system power operation. The 510W P/S provides the following outputs: dual outputs; -50V and +12V. P/S Input Parameters: Input Power: 637.5 watts AC (based on an efficiency of 80%) Input Voltage range: 85 to 264VAC (Universal input voltage) Input Voltage range: 100 to 240VAC (Nominal Input Voltage or Agency approved unit) Nominal input is expected to be 115VAC (rms) at 60Hz or 230VAC (rms) at 50Hz. Input current: 5.54 Amps AC@115VAC or 2.77 Amps AC@230VAC Input current: 7.08 Amps AC@90VAC Input current will be less than 10A (rms) at 115VAC (rms) and 60Hz. Input current will be less than 5A (rms) at 230VAC (rms) and 50Hz. Input Frequency: 47 to 63 Hz (3%) The power supply efficiency will be greater than 75%. The input fuse value shall be less than 12 Amps AC The power supply shall provide the following required output voltages & output currents for the main chassis and the PoE. Maximum continuous output power will be 510W. The Main Chassis P/S Output Parameters: Output Power: 120 watts DC rated Output voltage: 12 VDC rated Output current: 10.0 Amps DC maximum rated The PoE P/S Output Parameters: The estimated available P/S PoE power budget is 390watts: Output Power: 390 watts DC maximum rated Output voltage: -50 VDC maximum rated Output current: 7.8 Amps DC maximum rated Note: Switching DC/DC or linear regulators on the PCB further breaks down the +12VDC to generate the required 5V, 3.3V, 2.5V, 1.8V, 1.25V, 1.2V and 2V. The 360W AC-to-DC Power Supply is used on the following PoE Models: OS6850-P24 & OS6850-P24L & OS6850-P24X & OS6850-P48 & OS6850-P48L & OS6850-P48X: The 360W power supply provides: 240W (-50V @ 4.8A) for in-line power and 120W (12V @ 10.0A) for system power operation. PoE Power Budget for the 24-port Models: 216watts [240watts (PoE power) 24watts (the overhead (power consumed by the PoE daughter card which is 1watt per port))]. PoE Power Budget for the 48-port Models: 192watts [240watts (PoE power) 48watts (the overhead (power consumed by the PoE daughter card which is 1watt per port))]. The 510W AC-to-DC Power Supply is used on the following PoE Models: OS6850-P24H & OS6850-P24LH & OS6850-P24XH & OS6850-P48H & OS6850-P48LH & OS6850-P48XH: The 510W power supply provides: 390W (50V @ 7.8W/port) for in-line power and 120W (12V @ 10.0A) for system power operation. The available PoE Power Budget for the 24-port Models: 366watts [390watts (PoE power) 24watts (the overhead (power consumed by the PoE daughter card which is 1watt per port))]. The available PoE Power Budget for the 48-port Models: 342watts [390watts (PoE power) 48watts (the overhead (power consumed by the PoE daughter card which is 1watt per port))]. Note: Power for all POE ports is defaulted to 15.4 watts per port and each port is configurable between 3watts to 15.4watts (Port setting is in Milliwatts (3000 to 15400)). Please note that the available PoE power budget must not be exceeded.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 157 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Electrical Requirements
Name Plates
Fans: 3 fans for the chassis. Additional fans built in the power supplies. Redundant fans support (1:N redundancy) Chassis Airflow: The fans pull air from the air intake vent located on the left-hand side of the chassis. The air is directed horizontally through the chassis and past the circuit board. Airflow is then exhausted through the fan vents at the right-hand side of the chassis. Important. Maintain a clearance of at least two inches at the left and right sides. Otherwise, airflow can become restricted. Restricted airflow can cause your switch to overheat; overheating can lead to switch failure. North America: NEMA 5-15-P (US), C22.2, No. 42 (Canada) United Kingdom / Ireland: BS 1,363, Europe: CEE 7/7 Japan: JIS 8,303, Australia: AS 3,112, India: BS 546, Italy: CIE 2,316 Switzerland / Liechtenstein: SEV 1011 Denmark / Greenland: SRAF 1,962 / D816 / 87, Argentina: AR1-10P OmniSwitch 6850 switches have the following general electrical requirements: Each switch requires one grounded electrical outlet for each power supply installed in the. OmniSwitch 6850 switches offer both AC and DC power supply support. Refer to the Hardware Users Guide for more information. For switches using AC power connections, each supplied AC power cord is 2 meters (approximately 6. 5 feet) long. Do not use extension cords. Redundant AC Power: If possible, it is recommended that each AC outlet reside on a separate circuit. With redundant AC, if a single circuit fails, the switchs remaining power supplies (on separate circuits) will likely be unaffected and can therefore continue operating. For switches using DC power, the user must assemble the DC power cord. Refer to the Hardware Users Guide for more information. A nameplate in the front of the chassis will identify the product model name & number and the vendor (in this case Alcatel-Lucent). A nameplate in the back will clearly identify the following: Model #, Assembly # with BAR CODE, and FCC statements Electric Ratings and U.S. Patent information along with their respective symbols. PoE Models: OS6850-P24/-P24L & OS6850-P24H/-P24LH: under 44dBa OS6850-P24X & OS6850-P24XH: under 44dBa OS6850-P48/-P48L & OS6850-P48H/-P48LH: under 48dBa OS6850-P48X & OS6850-P48XH: under 48dBa Non-POE Models: OS6850-24/-24D & OS6850-24L/-24LD: under 44dBa OS6850-24X & OS6850-24XD: under 44dBa OS6850-48/-48D & OS6850-48L/-48LD: under 48dBa OS6850-48X & OS6850-48X: under 48dBa OS6850-U24X & OS6850-U24XD: under 44dBa
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 158 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Safety Compliance All hardware-switching platforms comply with Class A standards for digital devices per AS/NZS 3548, CISPR 22, EN 55022, the FCC Part 15, ICES-003, and VCCI standards. Modules with copper connectors meet Class A requirements using unshielded (UTP) cables.
AS/NZS 3548 (Class A limits. Note: Class A with UTP cables) / EN55022 (Australia Emissions) Class A; CE Marking per EMC Directive; CE Markings for European countries (Class A. Note: Class A with UTP cables) CISPR22: 1997 Class A (International Emissions); CNS 13438:1997 Class A (Taiwan Emissions); FCC CFR Title 47, Subpart B, (Class A limits. Note: Class A with UTP cables) 89/336/EEC EMC Directive (European Requirements); EN50082-1; EN55022: 1998 w/A1 & A2 Emissions Standards including the European Emissions; EN55024: 1998 +A1 :2001+A2 :2003 ;includes EN61000-4-2, 3, 4, 5, 6, 7, 11 (European Immunity); EN60555-2; EN61000-3-2 (European Harmonics & Flicker); 2000 EN61000-3-3 (European Harmonics & Flicker); 1995+A1:2001 EN61000-4-2; 1995 + A1: 1998 EN61000-4-3; 1996 + A1: 1998 EN61000-4-4; 1995 EN61000-4-5; 1995 EN61000-4-6; 1996 EN61000-4-8; 1994 EN61000-4-11; 1994 ICES-003 Class A; IEC 1000-3-2; IEC 60950-1; 2001;all national deviations MIC Mark (Korean Emissions & Immunity Approval); NOM/NYCE (Mexican Product Safety & EMC Authorities) NOM-019-SCFI 1994 & NOM-019-SCFI-1998, Mexico; VCCI Class A (Japan Emissions); VCCI-V3/97.04, Class A limits. Note: Class A with UTP cables) IEEE 802.3:Hi-Pot Test (2250 VDC on all Ethernet ports) EN = European Norm, IEC = International Electro-technical Commission AS/NZS 3260 /TS-001and 60950-2000 (Australia Safety Standard); CAN/CSA-C22.2 No. 60950-1-03; CB Report and Cert. (International safety of ITE) with all national deviations (IEC 950); CE Marking per Low Voltage Directive (LVD) (European Safety Directive); CDRH Letter of Approval (US FDA Approval); 21 CFR 1040 (part of Laser Certification per EN 60825-1 & EN 60825-2); China CCC EN60825-1 (Laser Evaluation) &EN60825-2 (Laser Evaluation): 1994, A11: 1996 (European Safety of Lasers Products); IEC 60950-1; 2001; all national deviations EN60950-1: 2001 a11deviations + Deviations (European Safety of ITE); ETS 300 019 Storage Class 1.1/ Transportation Class 2.3/Stationary Use Class 3.1 FCC 21 CFR Subpart J (US Safety of Laser Products); GOST (Russian Federation Certificate) NOM-019 SCFI, Mexico TS 001; UL-GS Mark / TUV GS Mark (German Notified Body) EN 60950; UL-AR: Argentina Certification & S Mark (Argentina Safety Approval); UL 60950
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 159 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Alcatel-Lucent is pleased to announce that both the Alcatel-Lucent OmniSwitch 6850 Stackable LAN switch and the Alcatel-Lucent OmniSwitch 9000 Chassis LAN switch are now Metro Ethernet Forum (MEF) 9 and 14 certified. MEF benefits for Alcatel-Lucent MEF certification strengthens LAN product positioning in Metro Access deployments for residential and business Ethernet services where the OmniSwitch 6850 and OmniSwitch 9000 switches are used as customer premises equipment (CPE) in single or multi-tenant unit (STU/MTU) installations. With this certification, Alcatel-Lucent now offers a fully MEF compliant end-to-end solution for Ethernet services based on LAN OmniSwitch switches and MPLS Service Routers (7710, 7750, 7450). What is MEF and what does it mean to be MEF certified? The Metro Ethernet Forum (MEF) is a global industry alliance comprising more than 120 organizations whose mission is to accelerate the worldwide adoption of carrier-class Ethernet networks and services. The alliance members develop technical specifications and implementation agreements to promote interoperability and deployment of carrier Ethernet worldwide. Test certifications obtained while running on the Alcatel-Lucent Operating System (AOS) version 6.3.1.R01 were: 1. MEF 9 for equipment vendors Ethernet services at the user network interface (UNI) 2. MEF 14 for equipment vendors focused on traffic management, service performance, and quality of service (QoS) Certifications tests indicate that the OmniSwitch 6850 and 9000 meet the carrier-class standard for Ethernet Private Line (EPL), Ethernet Virtual Private Line (EVPL), and Ethernet LAN (E-LAN) services at the UNI. Service providers benefit from this certification because it: Provides immediate assurance that the vendors equipment complies with MEF specifications Saves money and time on complex testing between vendors, especially on global accounts Establishes a solid foundation for carrier Ethernet ubiquity and interoperability This equipment meets the requirements of the Japan Approvals Institute of Telecommunications Equipment (JATE). The OmniSwitch 6850 Series has been rigorously tested for: Temperature Humidity Vibrations Acoustic Noise Altitude Drop Shock Bench Handling Please contact Alcatel-Lucent Internetworking Product Marketing and/or other Alcatel-Lucent authorized representatives to obtain further data and/or a full test report. 1) RoHS-Alcatel's OmniSwitch 6850 family is among the first hardware to be in compliance with the new European Community's directive Restriction on Hazardous Substances in Electrical and Electronic Equipment (RoHS) 2) WEEE (Waste Electrical and Electronic Equipment) 3) NEBS Level 3 Certified All of the non-PoE models
Compliancy
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 160 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
RoHS Requirements
NEBS-Level-3 Electrical Compliance Electrostatic Discharge (ESD) ISO-9001:2000 DNV Certification Capability Maturity Model (CMM) Mean Time Between Failure (MTBF) Standard
It is Alcatel-Lucent's position to be in compliance with the European R.O.H.S Directive 2002/95/EC by the end of 2005. In doing so, all component selection decisions shall be influenced by offerings that are a) ROHS compliant today or b) have planned date of cutover to ROHS compliance without impacting the design (i.e. causing a redesign). It is Alcatel-Lucent's intention to choose environmentally friendly component finishes that are today solder-able with SN63/Pb37 solders (through late 2005), but can move to SnAgCu chemistries in Jan2006. Compliance with Environmental procedure 020499-00, primarily focused on Restriction of Hazardous Substances (ROHS Directive 2002/95/EC) and Waste Electrical and Electronic Equipment (WEEE Directive 2002/96/EC). Thus, all assemblies built after Dec. 31, 2005 shall be compliant with hazardous materials requirements as defined in 020499-00. Upon request, documentation shall be provided certifying compliance. First Green switch in the Market RoHS compliancy With the OmniSwitch 6850 family, Alcatel-Lucent will be the first switch manufacturer to be in compliance with the new European Communitys directive Restriction on Hazardous Substances in Electrical and Electronics Equipment (RoHS) which requires electric equipment to be free of six hazardous substances by July 2006. Although, only required for European Union countries, the rest of the World will benefit from these green switches by lessening the amount of hazardous substances that find its way into the environment. Compliance with regulation given in: http://europa.eu.int/ISPO/infosoc/legreg/docs/8795eec.html The product at end of life is subject to separate collection and treatment in the EU Member States, Norway and Switzerland. Treatment applied at end of life of the product in these countries shall comply with the applicable national laws implementing directive 2002/96EC on waste electrical and electronic equipment (WEEE). NEBS Level-3 Certified All of the non-PoE models of OmniSwitch 6850 family supports NEBS Level-3. The Electrical Compliance requirements are met through the EMC Compliance Standards and the Safety Compliance Standards as indicated above. The chassis has been thoroughly tested to withstand ESD test voltage conditions at any point on the enclosure using the test setups and conditions in accordance with IEC 61000-4-2 (EN61000-4-2). The OmniSwitch 6850 is compliant with the ISO-9001: 2000 DNV Alcatel-Lucent's Software Engineering Institute (SEI) Capability Maturity Model (CMM) rating for software processes meets the Level-2 (CMM-level-2) requirements. All AOS OmniSwitches support a commercial equivalent of MIL-HDBK-217F-2: MTBF Predictions are based on Telcordia (Bellcore Handbook Technical Reference) SR-332, Issue 1.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 161 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
MTBF Please note, that MTBF values are Configuration-specific and different configurations shall yield different MTBF values.
Please refer to the MTBF Section for other configuration details. PoE Models: OS6850-P24/-P24L: 170,929 MTBF-Hrs [OS6850-P24/-P24L + 2 (PS-360W-AC) + 4 (SFP-GIG-LX)] OS6850-P24H/-P24LH: 131,604 MTBF-Hrs [OS6850-P24H/-P24LH + PS-510W-AC + 4 (SFP-GIG-LX)] OS6850-P24X: 157,976 MTBF-Hrs [OS6850-P24X + 2 (PS-360W-AC) + 4 (SFP-GIG-LX) + 2 (10G-XFP-SR)] OS6850-P24XH: 151,958 MTBF-Hrs [OS6850-P24XH + 2 (PS-510W-AC) + 4 (SFP-GIG-LX) + 2 (10G-XFP-SR)]
OS6850-P48/-P48L: 141,822 MTBF-Hrs [OS6850-P48/-P48L + 2 (PS-360W-AC) + 4 (SFP-GIG-LX)] OS6850-P48H/-P48LH: 137,133 MTBF-Hrs [OS6850-P48H/-P48LH + 2 (PS-510W-AC) + 4 (SFP-GIG-LX)]
OS6850-P48X: 136,932 MTBF-Hrs [OS6850-P48X + 2 (PS-360W-AC) + 2 (10G-XFP-SR)] OS6850-P48XH: 132,612 MTBF-Hrs [OS6850-P48XH + 2 (PS-510W-AC) + 2 (10G-XFP-SR)] Non-PoE Models: OS6850-24/-24L: 200,836 MTBF-Hrs [OS6850-24/-24L+ 2 (PS-126W-AC) + 4 (SFP-GIG--LX)] OS6850-24D/-24LD: 202,668 MTBF-Hrs [OS6850-24D/-24LD + 2 (PS-120W-DC) + 4 (SFP-GIG--LX)] OS6850-24X: 181,646 MTBF-Hrs [OS6850-24X+2 (PS-126W-AC) + 4 (SFP-GIG-LX) + 2 (10G-XFP-SR)] OS6850-24XD: 166,445 MTBF-Hrs [OS6850-24XD + 2 (PS-120W-DC) + 4 (SFP-GIG-LX) + 2 (10G-XFP-SR)] OS6850-48/-48L: 163,765 MTBF-Hrs [OS6850-48/-48L + 2 (PS-126W-AC) + 4 (SFP-GIG-LX)] OS6850-48D/-48LD: 164,834 MTBF-Hrs [OS6850-48D/-48LD + 2 (PS-120W-DC) + 4 (SFP-GIG-LX)] OS6850-48X: 157,519 MTBF-Hrs [OS6850-48X + 2 (PS-126W-AC) + 2 (10G-XFP-SR)] OS6850-48XD: 158,483 MTBF-Hrs [OS6850-48XD + 2 (PS-120W-DC) + 2 (10G-XFP-SR)]
OS6850-U24X: 121,869 MTBF-Hrs [OS6850-U24X + 2 (PS-126W-AC) + 24 (SFP-GIG-LX) + 2 (10G-XFP-LR)] OS6850-U24XD: 122,354 MTBF-Hrs [OS6850-U24XD + 2 (PS-120W-DC) + 24 (SFP-GIG-LX) + 2 (10G-XFP-LR)]
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 162 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
It is the policy of Alcatel-Lucent USA to satisfy the Quality expectations of our customers both internal and external. Total Quality performance means understanding who the customer is, what the customer expectations are, and meeting those expectations without error, on time, every time. Total Quality is doing the right things right today and better tomorrow. As part of Alcatels overall Quality Assurance process Alcatels Cross-functional team continuously evaluates Cost, Time to Market, Communication, Customer satisfaction and Process improvements. Necessary and appropriate actions are subsequently taken as required. Alcatel-Lucent's Enterprise Solutions Division adheres to the ISO 9001 certification program. It measures Customer Satisfaction and Key Process Indicators that are reviewed on regular intervals with the Executive Management Team.
OS6850 chassis Temperature Requirements Note: the switch must be operated normally at Operating temperature: 0 C to 45 C
The installation site must maintain a temperature between 0 and 45 C (32 and 113 F) and not exceed 95 percent maximum humidity (non-condensing) at any time. Standard ambient (outside environment or outside the chassis) operating temperature: 0 C to 45 C Storage Temperature: 14 F to 158 F (-10C to 70C) The Show Temperature command displays the current operating chassis ambient temperature, as well as current temperature threshold settings for each of the modules in the stack. In over-threshold temperature situations, the switch immediately sends a trap to the user. Temperature errors LED is also provided in the front panel. Temperature Sensor National Semi-Conductor LM77 The so-called brownout/blackout tolerance is what we call Power Supply Holdup Time: The Holdup time across all switching and routing platforms power supplies is guaranteed to be: 20ms per each P/S at 100% load. Depending on the load and the input voltage, the holdup time can be as high as 120ms to 280ms. For RFP purposes please provide the Heat Dissipation (BTUs), Temperature, Fans and Chassis Air Flow information as described elsewhere in this table. Operating: 5% to 90% Relative Humidity (Non-condensing) Storage: 0% to 95% Relative Humidity (Non-condensing) Operating altitude: sea level at 40 degrees Celsius and 10000 feet at 0 degrees Celsius Storage altitude: sea level at 40000 feet Packed drop test: per MIL-STD-810 method 516.3 procedure IV from height of 30", one drop on each side, no drop test at 4 corners is required; Unpacked: 30G, 1/2 Sine, 11ms, 3 shocks in each direction along the 3 mutually perpendicular axes (18 shocks total); Unpacked bench handling: per MIL-STD-810 method 516.3 IV. Using one edge as pivot, lift the opposite edge until one of the following occurs: a) Chassis forms 45 angle with horizontal bench top. b) Lifted edge is raised 4" above horizontal bench top. c) Lifted edge is just below point of perfect balance. Let chassis drop freely. Repeat using other practical edges of same horizontal face as pivot points for a total of 4 drops. Repeat on other faces for a total of 4 times on each face, which the chassis could be placed on practically during servicing.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 163 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
0.25G, Sine, 5-500-5 Hz, maximum displacement of 0.060 inches, 1 octave/minute in its 3 mutually perpendicular axes. Testing shall be repeated 4 times for each axis. Packed: 1.6G, Sine, 5-500-5 Hz, maximum displacement of 0.060 inches, 1 octave/minute in its 3 mutually perpendicular axes. Testing shall be repeated 4 times for each axis; Packed random: per Mil-Std-810, Category 1, Basic Transportation, 60 min. duration with vibration level based on Fig. 514.3-1 through Fig. 514.3-3 in its 3 mutually perpendicular axes.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 164 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 165 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850-24D
OS6850-24X 24 RJ-45 10/100/1000Base-T 2 build-in 10 Gig ports 4 combo ports (ports 21-24) 2 stacking ports
OS6850-24XD
OS6850-P24H
OS6850-P24X 24 PoE ports 2 build-in 10 Gig ports 4 combo ports (ports 21 - 24) 2 stacking ports
OS6850-P24XH
OS6850-24 chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 20 RJ-45 ports individually configurable to 10/100/1000 BaseT, 4 combo ports configurable to be 10/100/1000 BaseT or 1000BaseX, and two dedicated stacking ports. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 126W AC power supply with Power shelf and country specific power cord, user manuals access card, rack mounts, and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies are can be ordered separately. OS6850-24D chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 20 RJ-45 ports individually configurable to 10/100/1000 BaseT, 4 combo ports configurable to be 10/100/1000BaseT or 1000BaseX, and two dedicated stacking ports. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 120W DC power supply with Power shelf; user manuals access card, rack mounts, and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-24X chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 20 RJ-45 ports individually configurable to 10/100/1000 BaseT, 4 combo ports configurable to be 10/100/1000 BaseT or 1000BaseX, two 10 Gigabit ports, and two dedicated stacking ports. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 126W AC power supply with Power shelf and country specific power cord; user manuals access card, rack mounts, and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), 10 Gigabit optical transceivers (XFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-24XD chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 20 RJ-45 ports individually configurable to 10/100/1000 BaseT, 4 combo ports configurable to be 10/100/1000 BaseT or 1000BaseX, two 10 Gigabit ports, and two dedicated stacking ports. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 120W DC power supply with Power shelf; user manuals access card, rack mounts, and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), 10 Gigabit optical transceivers (XFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-P24 PoE chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992]. L3 Gigabit Ethernet chassis in a 1U form factor with 20 RJ-45 PoE ports individually configurable to 10/100/1000 BaseT, 4 combo ports configurable to be 10/100/1000 BaseT or 1000BaseX, and two dedicated stacking ports. On the combo ports, either copper or fiber can be used on a one for one basis. The bundle includes a 360W AC PoE power supply with Power shelf, country specific power cord, user manuals access card, rack mounts and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-P24H PoE chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 20 RJ-45 PoE ports individually configurable to 10/100/1000 BaseT, 4 combo ports configurable to be 10/100/1000 BaseT or 1000BaseX, and two dedicated stacking ports. On the combo ports, either copper or fiber can be used on a one for one basis. The bundle includes a 510W AC PoE power supply with Power shelf, country specific power cord, user manuals access card, rack mounts and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-P24X PoE chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 20 RJ-45 PoE ports individually configurable to 10/100/1000 BaseT, 4 combo ports configurable to be 10/100/1000 BaseT or 1000BaseX, two 10 Gigabit ports, and two dedicated stacking ports. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 360W AC PoE power supply with Power shelf, and country specific power cord, user manuals access card, rack mounts and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), 10 Gigabit optical transceivers (XFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-P24XH PoE chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 20 RJ-45 PoE ports individually configurable to 10/100/1000 BaseT, 4 combo ports configurable to be 10/100/1000BaseT or 1000BaseX, two 10 Gigabit ports, and two dedicated stacking ports. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 510W AC PoE power supply with Power shelf and country specific power cord, user manuals access card, rack mounts and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), 10 Gigabit optical transceivers (XFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 166 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850-48D
OS6850-48X 48 RJ-45 10/100/1000Base-T 2 build-in 10 Gig ports 2 stacking ports No combo ports
OS6850-48 chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 44 RJ-45 ports individually configurable to 10/100/1000 BaseT, 4 combo ports configurable to be 10/100/1000 BaseT or 1000BaseX, and two dedicated stacking ports. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 126W AC power supply with Power shelf and country specific power cord; user manuals access card, rack mounts, and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-48D chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 44 RJ-45 ports individually configurable to 10/100/1000 BaseT, 4 combo ports configurable to be 10/100/1000 BaseT or 1000BaseX, and two dedicated stacking ports. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 120W DC power supply with Power shelf; user manuals access card, rack mounts and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-48X chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 48 RJ-45 ports individually configurable to 10/100/1000BaseT, two 10 Gigabit ports, and two dedicated stacking ports. The bundle includes a 126W AC power supply with Power shelf and country specific power cord; user manuals access card, rack mounts and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), 10 Gigabit optical transceivers (XFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-48XD chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 48 RJ-45 ports individually configurable to 10/100/1000BaseT, two 10 Gigabit ports, and two dedicated stacking ports. The bundle includes a 120W DC power supply with Power shelf; user manuals access card, rack mounts and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), 10 Gigabit optical transceivers (XFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-P48 PoE chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 44 RJ-45 PoE ports individually configurable to 10/100/1000 BaseT, 4 combo ports configurable to be 10/100/1000 BaseT or 1000BaseX, and two dedicated stacking ports. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 360W AC PoE power supply with Power shelf and country specific power cord, user manuals access card, rack mounts and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-P48H PoE chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 44 RJ-45 PoE ports individually configurable to 10/100/1000 BaseT, 4 combo ports configurable to be 10/100/1000 BaseT or 1000BaseX, and two dedicated stacking ports. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 510W AC PoE power supply with Power shelf and country specific power cord, user manuals access card, rack mounts and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-P48X PoE chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 48 RJ-45 PoE ports individually configurable to 10/100/1000 BaseT, two 10 Gigabit ports, and two dedicated stacking ports. The bundle includes a 360W AC PoE power supply with Power shelf and country specific power cord, user manuals access card, rack mounts, and RJ-45 to DB-9 adaptor. The 10 Gigabit optical transceivers (XFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-P48XH PoE chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 48 RJ-45 PoE ports individually configurable to 10/100/1000BaseT, two 10 Gigabit ports, and two dedicated stacking ports. The bundle includes a 510W AC PoE power supply with Power shelf and country specific power cord, user manuals access card, rack mounts, and RJ-45 to DB-9 adaptor. The 10 Gigabit optical transceivers (XFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately.
OS6850-48XD
OS6850-P48H
OS6850-P48X 48 PoE ports 2 build-in 10 Gig ports 2 stacking ports No combo ports
OS6850-P48XH
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 167 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850-U24X
OS6850-U24XD
OS6850-P24L
OS6850-P24LH
OS6850-P48L
OS6850-P48LH
OS6850-U24X chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 22 1000 Base-X SFP ports, 2 combo ports configurable to be 10/100/1000 BaseT or 1000BaseX, two 10 Gigabit ports, and two dedicated stacking ports. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 126W AC power supply with Power shelf and country specific power cord, user manuals access card, rack mounts and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), 10 Gigabit optical transceivers (XFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-U24XD chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Gigabit Ethernet chassis in a 1U form factor with 22 1000 Base-X ports, 2 combo ports configurable to be 10/100/1000 BaseT or 1000BaseX, two 10 Gigabit ports, and two dedicated stacking ports. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 120W DC power supply with Power shelf; user manuals access card, rack mounts and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), 10 Gigabit optical transceivers (XFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-P24L PoE chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992]. L3 Ethernet chassis in a 1U form factor with 20 RJ-45 PoE ports individually configurable to 10/100BaseT, 4 combo ports configurable to be 10/100/1000BaseT or 1000BaseX, and two dedicated stacking ports. The 20 10/100 PoE RJ-45 ports can also operate at Gigabit speed by purchasing the OS6850-24L-UPGD software license. On the combo ports, either copper or fiber can be used on a one for one basis. The bundle includes a 360W AC PoE power supply with Power shelf, country specific power cord, user manuals access card, rack mounts and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-P24LH PoE chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Ethernet chassis in a 1U form factor with 20 RJ-45 PoE ports individually configurable to 10/100 BaseT, 4 combo ports configurable to be 10/100/1000 BaseT or 1000BaseX, and two dedicated stacking ports. The 20 10/100 PoE RJ-45 ports can also operate at Gigabit speed by purchasing the OS6850-24L-UPGD software license. On the combo ports, either copper or fiber can be used on a one for one basis. The bundle includes a 510W AC PoE power supply with Power shelf, country specific power cord, user manuals access card, rack mounts and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-P48L PoE chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Ethernet chassis in a 1U form factor with 44 RJ-45 PoE ports individually configurable to 10/100BaseT, 4 combo ports configurable to be 10/100/1000BaseT or 1000BaseX, and two dedicated stacking ports. The 44 10/100 PoE RJ-45 ports can also operate at Gigabit speed by purchasing the OS6850-48L-UPGD software license. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 360W AC PoE power supply with Power shelf and country specific power cord, user manuals access card, rack mounts and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-P48LH PoE chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Ethernet chassis in a 1U form factor with 44 RJ-45 PoE ports individually configurable to 10/100 BaseT, 4 combo ports configurable to be 10/100/1000 BaseT or 1000BaseX, and two dedicated stacking ports. The 44 10/100 PoE RJ-45 ports can also operate at Gigabit speed by purchasing the OS6850-48L-UPGD software license. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 510W AC PoE power supply with Power shelf and country specific power cord, user manuals access card, rack mounts and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 168 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850-24L
OS6850-24LD
OS6850-48L
OS6850-48LD
OS-SW-SBR-N
OS-SW-SBR-S
OS6850-24L-UPGD OS6850-48L-UPGD
OS6850-24L chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Ethernet chassis in a 1U form factor with 20 RJ-45 ports individually configurable to 10/100BaseT, 4 combo ports configurable to be 10/100/1000 BaseT or 1000BaseX, and two dedicated stacking ports. The 20 10/100 RJ-45 ports can also operate at Gigabit speed by purchasing the OS6850-24L-UPGD software license. On the combo ports, either copper or fiber can be used on a one for one basis. The bundle includes a 126W AC power supply with Power shelf and country specific power cord; user manuals access card, rack mounts, and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-24LD chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Ethernet chassis in a 1U form factor with 20 RJ-45 ports individually configurable to 10/100BaseT, 4 combo ports configurable to be 10/100/1000 BaseT or 1000BaseX, and two dedicated stacking ports. The 20 10/100 RJ-45 ports can also operate at Gigabit speed by purchasing the OS6850-24L-UPGD software license. On the combo ports, either copper or fiber can be used on a one for one basis. The bundle includes a 120W DC power supply with Power shelf; user manuals access card, rack mounts, and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-48L chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Ethernet chassis in a 1U form factor with 44 RJ-45 ports individually configurable to 10/100BaseT, 4 combo ports configurable to be 10/100/1000 BaseT or 1000BaseX, and two dedicated stacking ports. The 44 10/100 RJ-45 ports can also operate at Gigabit speed by purchasing the OS6850-48L-UPGD software license. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 126W AC power supply with Power shelf and country specific power cord; user manuals access card, rack mounts, and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. OS6850-48LD chassis w/SSL (DES, 3DES, RC2, RC4) [ECCN 5A992] L3 Ethernet chassis in a 1U form factor with 44 RJ-45 ports individually configurable to 10/100BaseT, 4 combo ports configurable to be 10/100/1000 BaseT or 1000BaseX, and two dedicated stacking ports. The 44 10/100 RJ-45 ports can also operate at Gigabit speed by purchasing the OS6850-48L-UPGD software license. On the combo ports either copper or fiber can be used on a one for one basis. The bundle includes a 120W DC power supply with Power shelf, user manuals access card, rack mounts and RJ-45 to DB-9 adaptor. Ethernet optical transceivers (SFP), stacking cable, advanced routing software, and backup power supplies can be ordered separately. Backup Power Supplies OS6850-BP-P modular 360W AC backup power supply. Provides backup power to one PoE switch. Ships with chassis connection cable, country specific power cord, power shelf and connecting ears. OS6850-BP-PH modular 510W AC backup power supply. Provides backup power to one PoE switch. Ships with chassis connection cable, country specific power cord, power shelf and connecting ears. OS6850-BP modular 126W AC backup power supply. Provides backup power to one non-PoE switch. Ships with chassis connection cable, country specific power cord, power shelf and connecting ears. OS6850-BP-D modular 120W DC backup power supply. Provides backup power to one non-PoE switch. Ships with chassis connection cable, power shelf and connecting ears. Accessories OS6850 30 centimeters long stacking cable OS6850 60 centimeters long stacking cable OS6850 150 centimeters long stacking cable Base/wall mounting kit for OS6850 models. Includes 4 brackets and screws. Advanced Routing Software OS6850 Advanced Routing software. Includes support for IPv4 Routing protocols OSPFv2, BGPv4, PIM-SM/DM and DVMRP. Includes support for IPv6 Routing protocol OSPFv3. Authenticated Services Software [ECCN 5D992] Authentication bundle for Windows w/MD5, RC4, MD4, DES. This bundle provides Funk Software's Steel-Belted Radius Enterprise Edition for Microsoft Windows and includes an oneyear maintenance contract (maintenance releases, 7X24 phone support and e-service web access). [ECCN 5D992] Authentication Bundle for Solaris w/MD5, RC4, MD4, DES. This bundle provides Funk Software's Steel-Belted Radius Enterprise Edition for Sun Solaris and includes a one-year maintenance contract (maintenance releases, 7X24 phone support and e-service web access). Upgrade Software Software license that allows 10/100 RJ45 ports of OS6850-24L and OS6850-P24L chassis to operate also at Gigabit speed. Software license that allows 10/100 RJ45 ports of OS6850-48L and OS6850-P48L chassis to operate also at Gigabit speed.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 169 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
XFP-10G-ER40
XFP-10G-LR
XFP-10G-SR
XFP-10G-ZR80
SFP-GIG-BX-U
SFP-GIG-EXTND
SFP-GIG-LH40 SFP-GIG-LH70
SFP-GIG-LX
Transceivers 10 Gigabit Ethernet Transceivers (XFP MSA) 2 x XFP 10-GigEth ports Each 10 GigEth port supports industry standard XFP based 10GigE SMF 10GBASE-LR, MMF 10GBASE-SR, SMF 10GBASE-ER, and SMF 10GBASE-ZR optical transceivers. The applicable models provide 2 XFP slots. These slots support the following XFP types: XFP-10G-ER4010GBASE-ER Single mode fiber, supports distances up to 40km; uses LC connectors. XFP-10G-LR10GBASE-LR Single mode fiber, supports distances up to 10km; uses LC connectors. XFP-10G-SR10GBASE-SR Multimode fiber, supports distances up to 300m; uses LC connectors. XFP-10G-ZR8010GBASE-ZR Single mode fiber, supports distances up to 80km; uses LC connectors. The two-port XFP 10 Gigabit slots can mix and match different 10-Gigabit XFP transceiver types and is supported on applicable models with an X designation. Note. Compatibility with the OmniSwitch 6800 & OmniSwitch 9000 10-Gigabit Ethernet is supported. 10 Gigabit Ethernet optical transceiver (XFP MSA): Supports single mode fiber over 1550nm wavelength (nominal) with an LC connector. Typical reach of 40 Km on 9/125 m SMF. 10 Gigabit Ethernet optical transceiver (XFP MSA): Supports single mode fiber over 1310nm wavelength (nominal) with an LC connector. Typical reach of 10 Km on 9/125m SMF. [Formerly known as 10G-XFP-LR] 10 Gigabit Ethernet optical transceiver (XFP MSA): Supports multimode fiber over 850nm wavelength (nominal) with an LC connector. Typical reach of 300m on 50/125m MMF. [Formerly known as 10G-XFP-SR] 10 Gigabit Ethernet optical transceiver (XFP MSA): Supports single mode fiber over 1550nm wavelength (nominal) with an LC connector. Typical reach of 80 Km on 9/125m SMF. Gigabit Ethernet Transceivers (SFP MSA) CWDM Gigabit Ethernet optical transceiver (SFP MSA) w/ gray latch. Supports single mode fiber over 1470 nm wavelength (nominal) with an LC connector. Typical reach of 62Km on 9/125m SMF. CWDM Gigabit Ethernet optical transceiver (SFP MSA) w/ violet latch. Supports single mode fiber over 1490 nm wavelength (nominal) with an LC connector. Typical reach of 62 Km on 9/125m SMF. CWDM Gigabit Ethernet optical transceiver (SFP MSA) w/ blue latch. Supports single mode fiber over 1510 nm wavelength (nominal) with an LC connector. Typical reach of 62 Km on 9/125m SMF. CWDM Gigabit Ethernet optical transceiver (SFP MSA) w/ green latch. Supports single mode fiber over 1530 nm wavelength (nominal) with an LC connector. Typical reach of 62 Km on 9/125m SMF. CWDM Gigabit Ethernet optical transceiver (SFP MSA) w/ yellow latch. Supports single mode fiber over 1550 nm wavelength (nominal) with an LC connector. Typical reach of 62 Km on 9/125m SMF. CWDM Gigabit Ethernet optical transceiver (SFP MSA) w/ orange latch. Supports single mode fiber over 1570 nm wavelength (nominal) with an LC connector. Typical reach of 62 Km on 9/125m SMF. CWDM Gigabit Ethernet optical transceiver (SFP MSA) w/ red latch. Supports single mode fiber over 1590 nm wavelength (nominal) with an LC connector. Typical reach of 62 Km on 9/125m SMF. CWDM Gigabit Ethernet optical transceiver (SFP MSA) w/ red latch. Supports single mode fiber over 1590 nm wavelength (nominal) with an LC connector. Typical reach of 62 Km on 9/125m SMF. 1000Base-BX SFP transceiver with an LC type of interface. This bi-directional transceiver is designed for use over single mode fiber optic on a single strand link up to 10 km. Transmits 1490 nm and receives 1310 nm optical signal. 1000Base-BX SFP transceiver with an LC type of interface. This bi-directional transceiver is designed for use over single mode fiber optic on a single strand link up to 10 km. Transmits 1310 nm and receives 1490 nm optical signal. Extended 1000Base-SX Gigabit Ethernet optical transceiver (SFP MSA): Supports multimode fiber over 850nm wavelength (nominal) with an LC connector. Reach of up to 2 km on 62.5/125m MMF and 50/125m MMF. Requires SFP-GIG-EXTND or GBIC-GIG-EXTND at the remote termination. [Formerly known as GE-EXTND-SFP] 1000Base-LH Gigabit Ethernet optical transceiver (SFP MSA). Supports single mode fiber over 1310 nm wavelength (nominal) with an LC connector. Typical reach of 40Km on 9/125m SMF. 1000Base-LH Gigabit Ethernet optical transceiver (SFP MSA). Supports single mode fiber over 1550nm wavelength (nominal) with an LC connector. Typical reach of 70 Km on 9/125m SMF. [Formerly known as MINIGBIC-LH-70] 1000Base-LX Gigabit Ethernet optical transceiver (SFP MSA). Supports single mode fiber over 1310nm wavelength (nominal) with an LC connector. Typical reach of 10 Km on 9/125m SMF. [Formerly known as MINIGBIC-LX]
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 170 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
SFP-GIG-SX
SFP-GIG-T
SFP-DUAL-MM
SFP-DUAL-SM10
SFP-100-BX20LT
SFP-100-BX20NU
1000Base-SX Gigabit Ethernet optical transceiver (SFP MSA): Supports multimode fiber over 850nm wavelength (nominal) with an LC connector. Typical reach of 300m on 62.5/125m MMF or 550m on 50/125m MMF. [Formerly known as MINIGBIC-SX] 1000Base-T Gigabit Ethernet Transceiver (SFP MSA) - Supports category 5, 5E, and 6 copper cabling up to 100m. SFP only works in 1000 Mbps speed and full-duplex mode. Dual Speed Ethernet Transceivers (SFP MSA) Dual Speed 100Base-FX or 1000Base-X Ethernet optical transceiver (SFP MSA). Supports multimode fiber over 1310nm wavelength (nominal) with an LC connector. Typical reach of 550m at Gigabit speed and 2km at 100Mbit speed. - At 100Mbit speed, this SFP can interoperate with SFP-100-LC-MM or similar transceiver on the other end - At Gigabit speed, this SFP cannot interoperate with SFP-GIG-SX or similar transceiver on the other end running over 850nm wavelength. - SFP supported on OS9-GNI-U24 Gigabit Ethernet Module and OS6850-U24X SFP ports (non combo) Dual Speed 100Base-FX or 1000Base-X Ethernet optical transceiver (SFP MSA). Supports single mode fiber over 1310nm wavelength (nominal) with an LC connector. Typical reach of 10km at Gigabit speed and 100Mbit speed. - At 100Mbit speed, this SFP can interoperate with SFP-100-LC-SM15 or similar transceiver - At Gigabit speed, this SFP can interoperate with SFP-GIG-LX or similar transceiver. - SFP supported on OS9-GNI-U24 Gigabit Ethernet Module and OS6850-U24X SFP ports (non combo) 100BASE-FX Ethernet Transceivers 100Base-BX SFP transceiver with an SC type interface. This bi-directional transceiver is designed for use over single mode fiber optic on a single strand link up to 20km point-to-point. This transceiver is normally used in the central office (OLT) transmits 1550nm and receives 1310nm optical signal 100Base-BX SFP transceiver with an SC type interface. This bi-directional transceiver is designed for use over single mode fiber optic on a single strand link up to 20km point-to-point. This transceiver is normally used in the client (ONU) transmits 1310nm and receives 1550nm optical signal 100Base-FX SFP transceiver with an LC type interface. This transceiver is designed for use over multimode fiber optic cable. 100Base-FX SFP transceiver with an LC type interface. This transceiver is designed for use over single mode fiber optic cable up to 15km. 100Base-FX SFP transceiver with an LC type interface. This transceiver is designed for use over single mode fiber optic cable up to 40km.
Supported Configuration Matrix for New Ethernet Transceivers in Release 6.1.5r01 OS6800/OS6850 Combo OS6800-U24 OS6850-U24X Ports Non-Combo Ports SFP-GIG-T - 1000Base-T Gigabit Supported Supported Supported Ethernet Transceiver (SFP MSA). SFP-DUAL-MM - Dual Speed OS6800: Un-supported Un-supported Supported 100Base-FX or 1000Base-X Ethernet optical OS6850: Supported. transceiver. Release 6.3.1 provides support for this SFP on OS6850 combo ports. SFP-DUAL-SM10 - Dual Speed OS6800: Un-supported Un-supported Supported 100Base-FX or 1000Base-X Ethernet optical OS6850: Supported. transceiver (SFP MSA) Release 6.3.1 provides support for this SFP on OS6850 combo ports. SFP-100-BX20LT - 100Base-BX Un-supported Un-supported Supported SFP bi-directional transceiver. SFP-100-BX20NU - 100Base-BX Un-supported Un-supported Supported SFP bi-directional transceiver. SFP-100-LC-MM - 100Base-FX Un-supported Un-supported Supported SFP transceiver. SFP-100-LC-SM15 - 100Base-FX Un-supported Un-supported Supported SFP transceiver. SFP-100-LC-SM40 - 100Base-FX Un-supported Un-supported Supported SFP transceiver. SFP
Supported
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 171 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
MAC Address Table (L2 Unicast MAC addresses) Learned Port Security What is the maximum number of MAC addresses a port can learn? IP Address Table Routes (RIB) L3 IPv4 Host Entries (FIB) L3 IPv4 LPM Routes (FIB) L3 IPv6 Host Entries (FIB) L3 IPv6 LPM Routes (FIB) Hardware Tunnels/Trunks Flows/ACLs Meters Counters Packet Buffer Size per system
Hardware Architecture Up to 16 K (16,384) MAC Addresses is supported per system. For the OmniSwitch 6850 family, the learned port security feature of the Alcatel-Lucent Operating System allows up to 100 MAC addresses per port to be learned and acted upon, with up to 8,192 per switch. The maximum number of MAC addresses the switch can learn for Layer 2 forwarding is 16,384 simultaneous MAC addresses. 48K routing table 8K 12K 4K 6K 128 2K 2K 2K 2MB of buffering available per system Each port type regardless of port speed is assigned a minimum and a maximum threshold buffer space. Buffering is supported per port and there is a shared pool of up to 2MB available per system that is based on an optimization algorithm that monitors buffer allocation per port. The buffering algorithm could be optimized to allocate the unused buffering space for the inactive ports to the active ports. In other words, inactive ports buffer space can be used by those ports that are active and require more buffering space if need be. * 2,097,152 bytes of buffering available per system. * Two buffer allocation thresholds: LwmCosSetLimit and DynCellLimit. There is one of each type of threshold per queue. Each queue is defined by a {port, COS} combination. There are 8 COS in our system, the highest COS is reserved for internal traffic while the user can assign the other 7. * LwmCosSetLimit is the Low Water Mark for buffer allocation per queue. Beyond this mark a queue will tap into a dynamically shared buffer pool. * DynCellLimit is the stop threshold for a queue to acquire more buffer from the pool. Both of the above thresholds have been pre-determined and calculated for optimal performance under our benchmark. The default will automatically tap into shared buffer resources whenever the situation demands it. If the users wish to customize the buffer sizes, we are usually able to accommodate the request by analyzing their traffic pattern. Free-scale MPC8248 processor (400MHZ) Hi-Gig (Hi-Gig+ capable) & 32-bit 66MHZ PCI BUS & I2C BUS 256MB of SDRAM SO-DIMM is default (upgradeable to 512MB) Boot Flash: default 8MB upgradeable to 32MB File System Flash: default 64MB of Compact FLASH for O/S storage Philips ISP1761 USB2.0 port on the front panel OS6850-48 & P48: BCM56504 XGS Switch & BCM56502 XGS Switch OS6850-48X & P48X: BCM56504 XGS Switch & BCM56504 XGS Switch OS6850-24 & P24: BCM56502 XGS Switch OS6850-24X & P24X: BCM56504 XGS Switch 10-Gigabit Ethernet XAUI interface (as applicable) : BCM8704 5464SR & 5464R XFP, SFP, and RJ45 connectors Supports up to 8 unit stacking topology Two built-in stacking ports to provide fault tolerant looped stacking configuration 10 Gbps full-duplex bandwidth per stacking port RS-232 Console Port (RJ-45 connector). The console-protecting chip SEMTEC LCDA15C-6 is used along with the RJ45 connector. OS6850-24, -24X, -P24, -P24X, - 48, -P48: four Gigabit Ethernet SFP combo ports OS6850-24L, -P24L, - 48L, -P48L: four Gigabit Ethernet SFP combo ports OS6850-U24X: two Gigabit Ethernet SFP combo ports OS6850-24X, -P24X, -48X, -P48X and -U24X Two built-in XFP ports that support industry standard XFP-based 10GigE optical transceivers
CPU BUS Memory Flash USB Port (Future Release) Main Switching Fabric ASIC
10GigE Uplinks
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 172 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
POE /(Power over Ethernet) In-line Power EEPROM Front Panel LED Temperature Sensor Thermal detection & Shutdown Clock Power Supply
Fans LEDS
The OmniSwitch 6850 Series platforms are 1U (Rack Unit) high 19" Rack-Mountable The OmniSwitch 6850 Series platforms are No more than 16.73 deep (including the power supplies) Dynamic and automatic module ID selection All models conform to Alcatel-Lucent coloring and labeling scheme Switch Faade for Alcatel-Lucent label 100BASE-FX 1000BASE-T SFP 1000BASE-SX SFP 1000BASE-LX SFP 1000BASE-LH (70Km) SFP 1000BASE-CWDM (CWDM Wavelength grid)) SFP 10GBASE-SR in XFP MSA form factor 10GBASE-LR in XFP MSA form factor 10GBASE-ER40 in XFP MSA form factor 10GBASE-ZR80 in XFP MSA form factor Grounding lugs Mounting holes on the side, near the front and back of the chassis RS-232 connector for console connection on the front pane USB port on the front panel (Version 2.0 full speed min.) 7 segment LED stack# display on the front panel Port LED Standard OK1 & OK2 LEDs Port Numbering scheme with first port in the upper left hand corner Power Supply Failure LED
Support POE with full compliance of IEEE 802.3af Board ID EEPROM Atmel 24C02 (on based-board) Front Panel 7-segment LED display for stack ID Temperature Sensor National Semi-Conductor LM77 is supported Thermal detection and shutdown is supported. Real Time Clock chip M41T11 Main and backup power supplies are external either directly connected to the rear of the unit or remotely mounted. Supports redundant dual hot swappable power supplies (Redundant Power Supply (RPS) AC-to-DC and DC-to-DC N+1 redundant P/Ss are supported) Power shelf that holds one 510W AC or two 360W AC, 126W AC or 120W DC power supplies (Out of box SPS with selection for Mono 510W or dual 360W and RUP is supported) 3 fans for the chassis with FAN failure detection. Additional fans built in the power supplies. Per port Link/Activity/PoE monitoring LED support System Power, BPS, and Diagnostic LED support LEDS: LED Status on Front Panel o OK (Diag/OK/Fan fail/Temp fail) o PRI (Primary/Secondary) o PWR (Main Power Supply Status) o RPS (Redundant Power Supply Status) Single LED with dual color is used for each Gig Ethernet Port (link/activity/POE) Single LED is used for each 10Gig Ethernet Port Single LED is used for the fiber SFP ports. Hardware Device Level features supported Supported. Supported. Supported. Supported Supported Supported The 100BASE-FX will be supported on the OS6850-U24X & OS6850-U24XD only on 20 fiber ports, and not on 4 combo ports Supported. Supported Supported Supported 1000BASE-CWDM (CWDM Wavelength grid)) SFP is supported. Supported Supported Supported. Supported. Supported Supported Supported Supported (Future Release) Supported Supported Supported Supported Indicating which PS has failed: Supported
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 173 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Temperature Threshold Exceeded LED FAN failure LED Primary unit LED (designate the master unit in a stack configuration) Secondary unit LED (designate the master unit in a stack configuration) LED for BPS status AC and DC power supplies AC Power Supply: power source 115-200 V AC, 50-60 Hz DC power supply: 36 72 V DC (input) 360W AC-to-DC Power Supply 510W AC-to-DC Power Supply 126W AC-to-DC Power Supply 120W DC-to-DC Power Supply Single main power supply to provide power for chassis and POE POE back up power POE interface compatible with PowerDsine Ron chip Low POE power (24 ports) 10watts/port Low POE power (48 ports) 5watts/port High POE power (24 ports)-16.25watts/port High POE power (48 ports) 8.125watts/port Redundant dual hot swappable Power Supplies. Integrated in OS6850 Series units. Power supplies are able to attach to the rear of the unit Insertion or removal of redundant power supply Remote mounting of both primary and backup power supplies Single BPS for chassis and POE Modular 510W BPS for POE that fits in the OS6850 BPS shelf. BPS Power Supply bundle (2.5U power shelf for BPS, power cord, BPS, chassis connection cable) Circuit breaker protected OS6850 units Redundant Fans support Noise level Operating Temperature Storage Temperature Operating Humidity Storage Humidity Loop protection against loop back Cisco-like Proprietary UDLD Support Cat 5, 5e, 6, and 6e Capability to disable transmit function (or reset) of each PHY individually Capability to control the transmit function of the SFP and XFP ports Compatible stacking connectors and cables with OS6800 Series platforms (30 cm, 60 cm and 1m)
Supported Supported Supported Supported Supported Supported Supported Supported Supported for: OS6850-P24 & OS6850-P24L & OS6850-P24X & OS6850-P48 & OS6850-P48L & OS6850-P48X Supported for: OS6850-P24H & OS6850-P24LH & OS6850-P24XH & OS6850-P48H & OS6850-P48LH & OS6850-P48XH Supported for: OS6850-24 & OS6850-24L & OS6850-24X & OS6850-48 & OS6850-48L & OS6850-48X & OS6850-U24X Supported for: OS6850-24D & OS6850-24LD & OS6850-24XD & OS6850-48D & OS6850-48LD & OS6850-48XD & OS6850-U24XD Supported Supported Supported Supported Supported Supported Supported 360W BPS is attached to the rear of the chassis. 510W RPS is external in 2U configuration Supported Insertion or removal of redundant power supply does not cause any power or service disruption to the switch Supported Supported Supported Power supply bundle is 1U 360W or 510W + shelf_cable+19 Rack mounts ears .BPS can be either connected at the back of the unit (360W) or on top of the unit (510W). Supported 1:N redundancy All OmniSwitch 6850 platforms: < 50dBa 0 C to 45 C (32 to 112 F) 10 C to 70 C (14 to 158 F) 5% to 95% (non-condensing) 5% to 95% (non-condensing) Supported UDLD is supported. support for monitoring the physical configuration of cables and detect unidirectional links Supported Supported Supported Supported
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 174 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Stacking Guidelines
Stacking Redundancy
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 175 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Data Plane
IEEE 802.3z & 802.3ab & 802.3u & 802.3 Auto-Detect on both Copper and Fiber Simultaneous detection configuration priority Media failure failover capability 802.3af on POE Models Hot Swappable Auto-negotiation/Auto sensing 10/100/1000 Auto-Detect the insertion and removal of the SFP Hardware to operate at HiGig and HiGig+ speeds UNH (or equivalent) operation standards Connectors/ Cabling Supported Supported Supported Supported Supported: Power over Ethernet is supported on 10/100/1000BASE-T ports only SFP and XFP optical transceivers are hot swappable Supported Supported Supported (currently the HiGig operation is implemented, but the hardware is HiGig+ capable) Supported
Ethernet Specifications
Management: 1 RJ-45 console interface configured as DCE/DTE for operation, diagnostics, status, and configuration information. Ship kit includes RJ-45 to DB-9 connector adaptor AC power connector 10/1000/1000BASE-T copper ports: RJ-45 10/100/1000BASE-T copper ports with PoE: RJ-45 1000BASE-X SFP ports: LC with Removable/Pluggable transceiver SFP-MSA 10GBASE-X XFP ports: LC with Removable/Pluggable XFP-MSA transceiver 24 & 48 x 10/1000/1000BASE-T copper ports: RJ-45 24 & 48 x 10/100/1000BASE-T copper ports with PoE: RJ-45 24 & 48 x 1000BASE-X SFP ports: LC with Removable/Pluggable transceiver SFP-MSA 10GBASE-X XFP ports: LC with Removable/Pluggable XFP-MSA transceiver 10BASE-T hub or device; 100BASE-TX hub or device; 1000BASE-T hub or device 1000BASE-X hub or device, and 10GBASE-X hub or device 10BASE-T: unshielded twisted-pair (UTP) 100BASE-TX: unshielded twisted-pair (UTP), Category 5, EIA/TIA 568 or shielded twisted-pair (STP), Category 5, 100 ohm 1000BASE-T: unshielded twisted-pair (UTP), Category 5, EIA/TIA 568 or shielded twisted-pair (STP), Category 5, 100 ohm Note: Category 6 cabling is also supported on the 10/100/1000BASE-T connections. On 10/100/1000Mbps triple speed ports: 10Mbps speed: 100 meters on copper 100Mbps speed: 100 meters on copper 1000Mbps speed: 100 meters on copper On GigE. Fiber: SFP-GIG-LH70: up to 70km SFP-GIG-LX: up to 10km SFP-GIG-SX: up to 550m CWDM: up to 62km On 10GigE. Fiber: XFP-10G-ZR80 10 Gigabit Ethernet optical transceiver (XFP MSA): Supports single mode fiber over 1550nm wavelength (nominal) with an LC connector. Typical reach of 80 Km on 9/125m SMF. XFP-10G-ER40 10 Gigabit Ethernet optical transceiver (XFP MSA): Supports single mode fiber over 1550nm wavelength (nominal) with an LC connector. Typical reach of 40 Km on 9/125 m SMF. XFP-10G-SR: 300 m (high modal bandwidth fiber is required to reach 300 meters) 10 Gigabit Ethernet optical transceiver (XFP MSA): Supports multimode fiber over 850nm wavelength (nominal) with an LC connector. Typical reach of 300m on 50/125m MMF. XFP-10G-LR: 10 km 10 Gigabit Ethernet optical transceiver (XFP MSA): Supports single mode fiber over 1310nm wavelength (nominal) with an LC connector. Typical reach of 10 Km on 9/125m SMF.
Connector type
Connectivity
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 176 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Ports Supported
Switching/Routing Support Backbone Support Port Mirroring Support 802.1Q Hardware Tagging Maximum Transfer Unit -- MTU
Inter-Frame Gap
802.3 Carrier Sense Multiple Access with Collision Detection (CSMA/CD) 10/100/1000Mbps triple speed o 10Mbps o 100Mbps o 1000Mbps (Gigabit Ethernet) Gigabit Ethernet 10000Mbps (10-Gigabit Ethernet) Triple Speed ports is supported and includes: o Ethernet (10 Mbps) o Fast Ethernet (100 Mbps) o 1000Mbps Ethernet (Gigabit Ethernet) Gigabit Ethernet 10-Gigabit Ethernet Layer 2 Switching/Layer 3 Routing 10/100/1000Mbps, Gigabit Ethernet ports, and 10-Gigabit Ethernet ports 10/100/1000Mbps, Gigabit Ethernet ports, and 10-Gigabit Ethernet ports 10/100/1000Mbps, Gigabit Ethernet ports, and 10-Gigabit Ethernet ports MTU parameter for Routers is not configurable. The ASIC does not include the notion of an MTU that applies to an IP interface. Instead, it uses the physical long-frame-size of the egress port as the MTU. When the ASIC attempts to forward a packet, it tests the size of the packet against the physical long-frame-size of the egress port, if the packet is too large, it forwards the packet to the CPU for fragmentation (or ICMP processing in the case of a packet with Don't Fragment set). 10/100 ports are set with a long-frame-size of 1553 bytes. GigE/10GigE ports are set with a long-frame-size of 9216 bytes (jumbo frames). Packets larger than the long-frame-size are dropped at ingress. The above (& default) values are the maximum configurable values. Packets that are forwarded from a 10/100 to a 10/100 port cannot ever be reported as too big via ICMP because anything larger than 1553 would not be accepted. The same holds true for packets forwarded between two GigE/10GigE ports and from a 10/100 port to a GigE/10GigE. Layer-2 Ethernet Frame Size: Untagged: 1,518 Bytes without IEEE 802.1Q tags Tagged: 1,522 Bytes with IEEE 802.1Q tags Long Frame Size (enabled by default): 1553 Bytes (IEEE 8021.Q tagged or untagged) Frame Type: Type2, LLC, SNAP, RAW 802.3 The maximum frame size on the Gigabit Ethernet interfaces range from 1,518 to 9,216 Bytes Jumbo frames up to 9K Bytes (9,216 Bytes) are supported on GigE/10GigE interfaces. Untagged (without IEEE 802.1Q tags) Ethernet Packets: 1,518 Bytes Tagged (with IEEE 802.1Q tags) Ethernet Packets: 1,522 Bytes 12 Bytes (by default) Inter-frame gap is a measure of the minimum idle time between the end of one frame transmission and the beginning of another. By default, the inter-frame gap is 12 bytes. Through the use of this feature, the inter-frame gap value (in bytes) on a specific port, a range of ports, or all ports on a switch (slot) can be configured. Values for this command range from 9 to 12 bytes. Note. This command is only valid on Gigabit ports. Supported (none configured by default): Through the use of this feature an alias (i.e., description) for a single port can be configured. (You cannot configure an entire switch or a range of ports.) The text description can be up to 40 characters long. By default: 42Mbps (Fast Ethernet) 496Mbps (Gigabit Ethernet) 997Mbps (10-Gigabit Ethernet) By default, the flood rate is 42 Mbps on 10/100/1000 ports and 496 Mbps on Gigabit ports. Through the use of this feature, the peak ingress flood rate value on a specific port, a range of ports, or all ports on a switch (slot) in megabits per second can be configured. Note. The user can configure a flood rate equal to the line rate, but it is not recommended. AlcatelLucent recommends that you always configure the flood rate to be less than the line speed.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 177 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Flow Control
Per port rate limiting Per-port L2/L3 multicast & broadcast flood limit is supported. Re-settable Statistics Counters Duplex Mode support
Auto-negotiation Crossover
Diagnostics
The flow command can be used to enable (the default) or disable flow control on a specific port, a range of ports, or all ports on an entire switch (slot). When the buffers on a receiving device are full, flow control transmits pause frames to the remote link partner to delay transmission. IEEE 802.3x (programmable threshold) flow control. Note: the switch does not support honoring the incoming (RX) IEEE 802.3x pause frames, but it does support generating outgoing (TX) IEEE 802.3x pause frames Supported (disabled by default) This feature can be enabled or disabled (the default) on a specific port, a range of ports, or all ports on a switch (slot). When enabled, a trap message will be displayed on a Network Management Station (NMS) whenever the port state has changed. Per-port multicast / broadcast / flood limit is supported. The ASIC provides a per port configuration on the incoming and/or outgoing port basis that allows broadcast and/or multicast storm control. The CPU can program a threshold value per port that indicates the number of broadcast and/or multicast packets/bytes that are allowed in a given time interval. Supported The duplex mode feature is supported on a specific port, a range of ports, or all ports on a switch (slot). It can be set to full (full duplex mode, which is the default on fiber ports), half (half duplex mode), and auto (auto-negotiation, which is the default on copper ports). The Auto option causes the switch to advertise all available duplex modes (half/full/both) for the port during auto-negotiation. In full duplex mode, the interface transmits and receives data simultaneously. In half duplex mode, the interface can only transmit or receive data at a given time. Auto-negotiation is supported (enabled by default). It can be enabled or disabled on a single port, a range of ports, or an entire slot. Crossover can be configured on a single port, a range of ports, or an entire slot. If auto negotiation is disabled, auto MDIX, flow control, auto speed, and auto duplex are not accepted. Setting the crossover configuration to auto will configure the interface or interfaces to automatically detect crossover settings. Setting crossover configuration to mdix will configure the interface or interfaces for MDIX (Media Dependent Interface with Crossover), which is the standard for hubs and switches. Setting crossover to mdi will configure the interface or interfaces for MDI (Media Dependent Interface), which is the standard for end stations. And setting the crossover configuration to disable will disable crossover configuration on an interface or interfaces. To display information about Ethernet port configuration settings, use the show commands. These commands can be quite useful in troubleshooting and resolving potential configuration issues or problems on your switch. For more information about the resulting displays from these commands, see the OmniSwitch CLI Reference Guide. Off-line Diagnostics for manufacturing OmniSwitch 6850 Series supports the capability to reboot to support Diagnostics Mode for Customers for hardware only troubleshooting Not to require external PCs or test equipment for running diagnostics
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 178 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Perfformance Pe rf ormanc e r
Raw Fabric Capacity OS6850-48/-48D/-48L/-48LD: 96Gbps Full Duplex or 192Gbps aggregate OS6850-48X/-48XD: 120Gbps Full Duplex or 240Gbps aggregate OS6850-P48/-P48H/-P48L/-P48LH: 96Gbps Full Duplex or 192Gbps aggregate OS6850-P48X/-P48XH: 120Gbps Full Duplex or 240Gbps aggregate OS6850-24/-24D/-24L/-24LD: 48Gbps Full Duplex or 96Gbps aggregate OS6850-24X/-24XD: 72Gbps Full Duplex or 144Gbps aggregate OS6850-P24/-P24H/-P24L/-P24LH: 48Gbps Full Duplex or 96Gbps aggregate OS6850-P24X/-P24XH: 72Gbps Full Duplex or 144Gbps aggregate OS6850-U24X/U24XD: 72Gbps Full Duplex or 144Gbps aggregate Raw Capacity: 24Gbps FD (12Gbps FD Stack-A and 12Gbps FD Stack-B) Throughput: The Stacking (Stack A & Stack B run at 10G) supports 2 x 10-Gigabit Eth ports at wire-speed: 2 * 14,880,952.3 pps = 29,761,904.6pps (approx: 29.8Mpps) Theoretical packet per second (pps) rates for Ethernet packets is normally calculated by adding 20 bytes to each packet size to account for the 0.096 microseconds inter frame gap (equivalent to 12 bytes) and the preamble (eight bytes). Thus, the theoretical 10 Mbps, 100 Mbps, Gigabit and 10-Gigabit Ethernet packet rate in packets per second (pps) for a packet of X bytes is defined by the following formulas. Throughput calculations assume 64 byte packets and the throughput rate is calculated per-port. (10 Gbps) / ((8 bits/ byte) * (X+20)) = 14,880,952.3 pps (1 Gbps) / ((8 bits/ byte) * (X+20)) = 1,488,095.23 pps (100 Mbps) / ((8 bits/ byte) * (X+20)) = 148,809.52 pps (10 Mbps) / ((8 bits/ byte) * (X+20)) = 14,880.95 pps Since the primary benefit of any switch is speed, the most appropriate performance metric is throughput, which is typically expressed in millions of packets per second (Mpps). Throughput measures the number of packets per second (measured in millions) that a switch can process for outbound (egress direction only) transmission to another device. Throughput (at Layer-2 or Layer-3) = wire-speed Eth. ports * throughput rate per port Note: The following assumes that all traffic is forwarded through the Main Switch Fabric ASIC. The Stacking (Stack A & Stack B) supports 2 x 10-Gigabit Eth ports at wire-speed: 2 * 14,880,952.3 pps = 29,761,904.6pps (approx: 29.8Mpps) The 2-port 10-Gigabit Eth uplink supports 2 x 10-Gigabit Eth ports at wire-speed: 2 * 14,880,952.3 pps = 29,761,904.6pps (approx: 29.8Mpps) The 24 Gigabit Eth ports throughput at wire-speeds: 24 * 1,488,095.23 pps = 35,714,285.52pps (approx: 35.7Mpps) The 48 Gigabit Eth ports throughput at wire-speeds: 48 * 1,488,095.23 pps = 71,428,571.04pps (approx: 71.4Mpps) The 20 x 10/100Mbps Eth ports throughput at wire-speeds: 20 * 148,809.52 pps = 2,976,190.4pps (approx: 2.97Mpps) The 44 x 10/100Mbps Eth ports throughput at wire-speeds: 44 * 148,809.52 pps = 6,547,618.88pps (approx: 6.54Mpps) The 4 Gigabit Eth ports throughput at wire-speeds: 4 * 1,488,095.23 pps = 5,952,380.92pps (approx: 5.95Mpps) Throughput numbers per models ( in stacked configuration): OS6850-48/-48D/-P48/-P48H (48 GE ports + 2 10G stacking): 101.2Mpps OS6850-48X/-48XD/-P48X/-P48XH (48 GE ports + 2 10G uplinks + 2 10G stacking): 131Mpps OS6850-24/-24D/-P24/-P24H (24 GE ports + 2 10G stacking): 65.5Mpps OS6850-24X/-24XD/-P24X/-P24XH (24 GE ports + 2 10G uplinks + 2 10G stacking): 95.3Mpps OS6850-U24X/-U24XD (24 GE ports + 2 10G uplinks + 2 10G stacking): = 95.3Mpps OS6850-24L/-24LD/-P24L/-P24LH ( 20 10/100Mbps ports + 4 GE combo ports + 2 10G stacking): 38.72Mpps OS6850-48L/-48LD/-P48L/-P48LH (44 10/100Mbps ports + 4 GE combo ports + 210G stacking): 42.29Mpps Note: the following throughput calculations assumes that the L Series have been upgraded with the OS6850-24L-UPGD* and OS6850-48L-UPGD* Software Packages in other words the throughput calculations are based on 10/100/1000Mbps forwarding rates:
@64Byte Packets
Assuming: All traffic is forwarded through The Switch Fabric ASIC And where applicable: o Including the 2-port 10GigE uplink module throughput
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 179 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850-48L/-48LD/-P48L/-P48LH (48 GE ports + 2 10G stacking) : 101.2Mpps OS6850-24L/-24LD/-P24L/-P24LH (24 GE ports + 2 10G stacking): 65.5Mpps Notes: For stand-alone configuration throughput numbers on all models please subtract 29.8Mpps Throughput Performance Or Forwarding Rate Per Stacked Switch Theoretical packet per second (pps) rates for Ethernet packets is normally calculated by adding 20 bytes to each packet size to account for the 0.096 microseconds inter frame gap (equivalent to 12 bytes) and the preamble (eight bytes). Thus, the theoretical 10 Mbps, 100 Mbps, Gigabit and 10-Gigabit Ethernet packet rate in packets per second (pps) for a packet of X bytes is defined by the following formulas. Throughput calculations assume 1518 byte packets and the throughput rate is calculated per-port. (10Gbps) / ((8 bits/ byte) * (X+20)) = 812,743.82 pps (1Gbps) / ((8 bits/ byte) * (X+20)) = 81,274.38 pps (100 Mbps) / ((8 bits/ byte) * (X+20)) = 8,127.43 pps (10 Mbps) / ((8 bits/ byte) * (X+20)) = 812.74 pps Since the primary benefit of any switch is speed, the most appropriate performance metric is throughput, which is typically expressed in millions of packets per second (Mpps). Throughput measures the number of packets per second (measured in millions) that a switch can process for outbound (egress direction only) transmission to another device. Throughput (at Layer-2 or Layer-3) = wire-speed Eth. ports * throughput rate per port Note: The following assumes that all traffic is forwarded through the Main Switch Fabric ASIC. The Stacking (Stack A & Stack B) supports 2 x 10-Gigabit Eth ports at wire-speed: 2 * 812,743.82 pps = 1,625,487.64pps (approx: 1.62Mpps) The 2-port 10-Gigabit Eth uplink supports 2 x 10-Gigabit Eth ports at wire-speed: 2 * 812,743.82 pps = 1,625,487.64pps (approx: 1.62Mpps) The 24 Gigabit Eth ports throughput at wire-speeds: 24 * 81,274.38 pps = 1,950,585.12pps (approx: 1.95Mpps) The 48 Gigabit Eth ports throughput at wire-speeds: 48 * 81,274.38 pps = 3,901,170.24pps (approx: 3.9Mpps) The 20 x 10/100Mbps Eth ports throughput at wire-speeds: 20 * 8,127.43 pps = 162,548.6pps (approx: 162.5Kpps) The 44 x 10/100Mbps Eth ports throughput at wire-speeds: 44 * 8,127.43 pps = 357,606.92pps (approx: 357.6Kpps) The 4 Gigabit Eth ports throughput at wire-speeds: 4 * 81,274.38 pps = 325,097.52pps (approx: 325.09Kpps) OS6850-48/-48D/-P48/-P48H (48 GE ports + 2 10G stacking): 5.52Mpps OS6850-48X/-48XD/-P48X/-P48XH (48 GE ports + 2 10G uplinks + 2 10G stacking): 7.14Mpps OS6850-24/-24D/-P24/-P24H (24 GE ports + 2 10G stacking): 3.57Mpps OS6850-24X/-24XD/-P24X/-P24XH (24 GE ports + 2 10G uplinks + 2 10G stacking): 5.19Mpps OS6850-U24X/-U24XD (24 GE ports + 2 10G uplinks + 2 10G stacking): = 5.19Mpps OS6850-24L/-24LD/-P24L/-P24LH ( 20 10/100Mbps ports + 4 GE combo ports + 2 10G stacking): 2.18Mpps OS6850-48L/-48LD/-P48L/-P48LH (44 10/100Mbps ports + 4 GE combo ports + 210G stacking): 2.3Mpps Note: the following throughput calculations assumes that the L Series have been upgraded with the OS6850-24L-UPGD* and OS6850-48L-UPGD* Software Packages in other words the throughput calculations are based on 10/100/1000Mbps forwarding rates: The OS6850-48L/-48LD/-P48L/-P48LH supports up to 48 GigE ports at wire-speeds: 5.52Mpps The OS6850-24L/-24LD/-P24L/-P24LH supports up to 24 GigE ports at wire-speeds: 3.57Mpps Notes: For stand-alone configuration throughput numbers on all models please subtract 1.62Mpps Layer-2 & Layer-3 Forwarding Rate Per port Wire-speed on 10Mbps port 14,880 pps with 64 Byte packets Wire-speed on 100Mbps port 148,809 pps with 64 Byte packets Wire-speed on Gigabit Ethernet port 1,488,095 pps with 64 Byte packets Wire-speed on 10-Gigabit Ethernet port 14,880,952 pps with 64 Byte packets The 2-port 10-Gigabit Ethernet uplink supports 2 x 10-Gigabit Eth. ports at wire-speed. The Stacking (Stack A & Stack B) supports 2 x 10-Gigabit Eth ports at wire-speed.
@1518Byte Packets
Assuming: All traffic is forwarded through The Switch Fabric ASIC And where applicable: o Including the 2-port 10GigE uplink module throughput o Stacking (Stack A & Stack B) throughput
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 180 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Latency
Notes for latency: Latency test results generated by IXIA Device Version 3.65.284 SW Version: AOSv6.1.1r01 GA Release RFC 2544 Latency Test Latency Measurement Type: First bit In to First bit Out ----- FIFO Protocol: the Layer-2 & Layer-3 Frame Rate: 100%
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 181 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 182 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
System
Boot time Cold boot time in a stand-alone configuration when the switch can join the network and start passing traffic: approximately 115 sec. Cold boot time in a stackable configuration of up to 8 units when the switch(s) can join the network and start passing traffic: approximately 115 sec. Warm re-boot time in a stand-alone configuration when the switch can join the network and start passing traffic: approximately 115 sec. Warm re-boot time in a stackable configuration of up to 8 units when the switch(s) can join the network and start passing traffic: approximately 115 sec. The Fail-over time (Primary switch to Secondary switch in a stacked configuration) is: Layer-2: 20 seconds maximum Layer-3: 30 seconds maximum Trap is sent (to the management station for the failure of the primary management) and log event is logged upon primary management failure and after the redundant management unit takes over. Approximately 65 sec Alcatel-Lucent OmniSwitch 6850 switches are designed in such a way that is highly reliable under extreme stress conditions. The OmniSwitch 6850 switches are rigorously tested to ensure that the system is able to sustain heavy loads and allow for continued availability of all system resources. The typical test setups involve: Running in normal operational mode where system is running under the specified CPU threshold values. Running above the CPU threshold values all the time.
Management fail-over
Interfaces
Power over Ethernet Stacking ports IEEE 802.3af (supported on all POE type chassis) Two built-in stacking ports 10 Gbps full-duplex bandwidth per stacking port Fault tolerant looped stacking configuration OS6850-24/-24D/-24X/-24XD/-48/-48D/-24L/-24LD/-48L/-48LD/-P24/-P24H/-P24X/-P24XH/-P48/ -P48H/-P24L/-P24LH/-P48L/-P48LH = 4 x Combo ports which can be individually configured to be 10/100/1000BaseT or 1000BaseX and that can support SFP transceivers. OS6850-48X/-48XD/-P48X/-P48XH = N/A (no combo ports) OS6850-U24X/-U24XD = 2 x Combo ports which can be individually configured to be 10/100/1000BaseT or 1000BaseX and that can support SFP transceivers. Notes: The Combo 10/100/1000BaseTcopper RJ-45 ports support PoE. The Combo 1000Base-X fiber SFP ports do not support PoE OS6850-24X, -24XD, -P24X, -P24XH, -U24X, -U24XD, -48X, -48XD, -P48X, -P48XH Built-in two-port 10 GigE ports Supports industry standard XFP-based 10GigE optical transceivers 64 Bytes 1000Mbps (GigE) and 10,000Mbps (10GigE); 9,216 Bytes (Jumbo frames) 10/100Mbps Eth IP packet max transmission unit; 1553 Bytes You can rate limit the flooding traffic. Flood control is done on ingress and the rate is shared for all interfaces on that switch. By default flood control only applies for flooding with broadcast (ff:ff:ff:ff:ff:ff) and unknown destination Mac address. You can enable flood control for multicast Mac as well. Default settings: Flood multicast disable Flood rate set to 997 Mbps on 10Gig port Flood rate set to 496 Mbps on 1G port Flood rate set to 49Mbps on 100M ports Flood rate set to 4Mbps on 10M ports Note: The above rates are met with packet size of 512 bytes. Different packet size will give different flood rate. The theoretical flood rate (the maximum TX rate at a given packet size you can send before you reach the flood control rate limiting) is obtained with: Theoretical Flood Rate = Interface Flood Rate * (Packet Size + 20) / 512 Flood rate limiting does not give a steady rate at the theoretical flood rate. It gives a sporadic/bursty profile where the average rate is the theoretical flood rate.
Combo ports
10GigE uplinks
Ethernet minimum size packet Ethernet IP packet maximum transmission _ MTU Flood Control
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 183 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Configuration Limitations The maximum number of units possible in the stackable system is 8. The stack may contain any combination of OS6850 Series platforms. Please see the table below: Fixed-Chassis POE Non-POE 10 Gig. 10 Gig. 10/100/1000Mbps Types Ports Ports Stacking Uplinks ,GigE, or Ports 10/100Mbps Non-PoE Models OS6850-24 N/A 24 2 N/A 20 10/100/1000 /-24D OS6850-24X N/A 24 2 2 20 10/100/1000 /-24XD OS6850-48 N/A 48 2 N/A 44 10/100/1000 /-48D OS6850-48X N/A 48 2 2 48 10/100/1000 /-48XD OS6850-U24X N/A 24 2 2 22 Gig SFP** /-U24XD OS6850-24L N/A 24 2 N/A 20 10/100*** /-24LD OS6850-48L N/A 48 2 N/A 44 10/100*** /-48LD PoE Models**** OS6850-P24 24 N/A 2 N/A 20 10/100/1000 /-P24H OS6850-P24X 24 N/A 2 2 20 10/100/1000 /-P24XH OS6850-P48 48 N/A 2 N/A 44 10/100/1000 /-P48H OS6850-P48X 48 N/A 2 2 48 10/100/1000 /-P48XH OS6850-P24L 24 N/A 2 N/A 20 10/100*** /-P24LH OS6850-P48L 48 N/A 2 N/A 44 10/100*** /-P48LH
Combo Ports*
4 4 4 N/A 2 4 4
126W AC-to-DC or 120W DC-to-DC 126W AC-to-DC or 120W DC-to-DC 126W AC-to-DC or 120W DC-to-DC 126W AC-to-DC or 120W DC-to-DC 126W AC-to-DC or 120W DC-to-DC 126W AC-to-DC or 120W DC-to-DC 126W AC-to-DC or 120W DC-to-DC Dual ext. 360W and/or 510W Dual ext. 360W and/or 510W Dual ext. 360W and/or 510W Dual ext. 360W and/or 510W Dual ext. 360W and/or 510W Dual ext. 360W and/or 510W
4 4 4 N/A 4 4
240W / 390W 240W / 390W 240W / 390W 240W / 390W 240W / 390W 240W / 390W
*Combo ports are ports individually configurable to be 10/100/1000BaseT or 1000BaseX that can support SFP transceivers for short, long and very long distances. Combo Ports on the PoE Models: The Combo 10/100/1000BaseTcopper RJ-45 ports support PoE. The Combo 1000Base-X fiber SFP ports do not support PoE. ** Gig fiber interfaces support Gig SFP, dual-speed SFP or 100BaseX SFP optical transceivers. *** The 10/100 RJ-45 ports can be upgraded to 10/100/1000 speed by purchasing the OS6850-24L-UPGD or OS6850-48L-UPGD software license for 24-port and 48-port models respectively. **** The PoE Power Budget is subject to an extra overhead which has to be taken into account (please refer to the P/S Sec.)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 184 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Layer-2/Layer-3 Switching
Root bridge priority / path cost: Default spanning tree mode is RSTP (IEEE 802.1w) The bridge priority can be any value between 0 and 65535 for STP and RSTP protocol in the 16-bit mode. By default spanning tree follows the 16-bit path cost. The bridge priority can only be in multiples of 4096 in the 32-bit mode or in MSTP mode. MSTP can only operate in 32-bit mode. Port MAC MAC range Mobile-Tag Protocol IP IPX DHCP port DHCP MAC DHCP MAC Range DHCP Generic Port-Protocol Binding rule MAC-Port Binding rule MAC-IP-Port Binding rule Mobile Tag DHCP Mac DHCP Mac Range DHCP Port DHCP Generic Mac-Port-IP Binding Mac-Port Binding Port-Protocol Binding Mac Mac Range Network Rule Protocol 253 supported per system VLAN Range Support Up to 4094 VLANs for Flat Spanning Tree mode/MSTP and 253 VLANs for 1x1 Spanning Tree mode are supported. In addition, it is now possible on the OmniSwitch 6800/6850/9000 to specify a range of VLAN IDs when creating or deleting VLANs and/or configuring VLAN parameters, such as Spanning Tree bridge values. Note: Although, up to 4094 VLANs has been configured and tested, we still recommend configuring up to 1K (1,024) in a flat STP mode. Is the native (untagged) VLAN required to be a specific VLAN? Alcatel-Lucent Response: No. Note: Alcatel-Lucent AOS OmniSwitch product family software refers to a native VLAN (a Cisco term) as a default VLAN. Therefore, our default VLAN functionality is similar to that of native VLAN as discussed here. Is the management VLAN required to be a specific VLAN? Alcatel-Lucent Response: No. Can the management VLAN be tagged or untagged? Alcatel-Lucent Response: YES. Can the Native VLAN be excluded from an 802.1Q link (i.e., the ability to send only tagged traffic over an 802.1Q link)? Alcatel-Lucent Response: YES. How many VLAN IDs does this device support? Alcatel-Lucent Response: Comply with up to 4093. Maximum Number of Tagged VLANs per Port: 4093
Rule Precedence:
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 185 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Maximum number of BPDUs the switch can handle MAC Address Table IP Address Table Routes Layer-2 Table Hashing
Maximum frame size With the insertion of a 4-byte svlan tag by VLAN Stacking, the maximum frame size that can be accommodated is jumbo frame size less 4 bytes = 9216 4 = 9212 bytes. Maximum number of SVLANs: For port level VLAN Stacking: 4093 (VLAN 2 through 4094). For port / vlan level VLAN Stacking: 768 (can use any number from 2 through 4094 inclusive). Approximately 800 BPDUs per second Up to 16 K (16,384) MAC Addresses is supported per system. 1K (authenticated / mobile users) per module 48K routing table 12K forwarding LPM entries, 8K hosts entries per module The L2 Table size is 16K entries. This is organized as 2K buckets with each bucket having 8 entries. The search key for the L2 Table is the 60 bit (i.e. 48-bit DA MAC address + 12 bit VLAN-ID) in the Ethernet MAC header in the incoming flow. The key is hashed into a 11-bit value used to select the bucket in the table using a CRC32 lower 11-bits algorithm. Each entry in the selected bucket is compared with the key. The match must be an exact match since if it does, it must be a host MAC address entry. If the key matches an entry in the bucket, then the information in the entry is used in the ingress logic for the destination port Link Fail-over: 459ms Link Fail-over Reverse: 240ms Port Fail-over: 220ms Port Fail-over Reverse: 140ms AGG Links Fail-over: 958ms AGG Links Fail-over Reverse: 260ms AGG Fail-over: 219ms AGG Fail-over Reverse: 280ms 1 K (1,024) with support of full 4K IEEE 802.1Q VLAN Spectrum. Port based (w / IEEE 802.1Q) VLANs. Maximum number of Avlan authenticated user per system: 1024. The system supports up to 1024 authenticated/mobile Mac-addresses AVLAN supports RADIUS or LDAP as authentication servers. By configuring multiple servers, user can gain server failover in case of server outage. Supported rules for AVLAN. MAC-Port Binding rule MAC-IP-Port Binding rule MAC range (used for IP phone OUI Mac-addresses for instance) MAC-Port Binding rule MAC-IP-Port Binding rule MAC range (used for IP phone OUI Mac-addresses for instance) 4K (4,094) The switch has indeed been tested with up to 4,094 active VLANs, but this is really based on switch configuration and available resources. Note: since configuring 4K VLANs consumes a lot of resources, the more practical, or more realistic and/or recommended figure is the 1,024 active VLANs. In the STP flat Mode: 4K VLANs are supported over 802.1Q or over a trunk. In the STP 1x1 Mode: 253 VLANs are supported over 802.1Q or over a trunk. In the STP Multiple Mode (IEEE 802.1s): 4K VLANs amongst 16 Multiple STP Instances (MSTPI). 8 K (8,192)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 186 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Max Types of Protocols Rules supported Max number of DHCP rules per system Max number of Binding Rules
Max number of 802.1Q tags per port Max number of Authenticated Users
Max number of STP instances per system Max number of 802.1s STP instances per system Max number of Link Aggregate
The following limitations are imposed by the NI hardware table sizes. Since the tables are always synchronized between NI, the following numbers are the chassis limitations: 1024 VLAN-MAC rules: A vlan Mac rule consists in MAC, MAC range, MAC-Port-IP binding, MAC-Port binding, MAC-PortProtocol binding, MAC-IP binding and IPX Network rules. Since hardware does not support IPX network rules, the system internally uses a vlan Mac rule to map the Mac address matching the given IPX network to that vlan. The VLAN-MAC table is also shared with authenticated Mac-addresses (AVLAN, 802.1x) 256 VLAN-SUBNET rules A vlan subnet rule consists in IP network and Port-IP binding rules 16 VLAN-PROTOCOL rules A vlan protocol rule consists in Protocol and Port-Protocol binding rules. For IP protocol (ip-e2 or ip-snap), 2 rules are needed: 1 for ip packets and 1 for arp packets. Notes: Dual protocols Mac-address is supported. The same Mac with both IP protocol (ip-e2) and IPX protocol (ipx-e2) can be classified into 2 different VLANs. Duplicate Mac on different mobile vlan is only supported for IP network rules or protocol rules. For rules falling into the VLAN MAC table, only one Mac/vlan is supported. For instance, the same Mac with 2 IPX networks 0x111 and 0x222 cannot be classified into 2 VLANs. Tagged packets on mobile ports are first classified by their VLAN-ID. If you do not have mobile-tag enabled for that vlan or a mobile rule to classify that packet to that vlan, the packet is dropped. 1 K (1,024) Note: Maximum number of MAC rules, Authenticated VLAN Users, Binding Rules, and 802.1x Users all share the 1,024 MAC Rules 256 (Maximum of 256 IP Subnet rules are supported.) 16 + 1 per port Maximum of 16 rules of combining Protocol & Port-Protocol rules are supported (If IP-E2 is used, total of 14 rules are supported) 6 (Note: Support for IP, IPX, DECNet, AppleTalk, SNAP, and Ethertype) 64 1 K (1,024) Note: Maximum number of MAC rules, Authenticated VLAN Users, Binding Rules, and 802.1x Users all share the 1,024 MAC Rules Maximum of 1024 rules of combining MAC-Port-IP binding, MAC-Port binging, MAC, MAC Range, and IPX Network rules (The available MAC rule pool is also shared by AVLAN and 802.1x) 4K 1 K (1,024) Note: Maximum number of MAC rules, Authenticated VLAN Users, Binding Rules, and 802.1x Users all share the 1,024 MAC Rules Maximum number of 802.1x authenticated user per system: 1 K (1,024) Maximum number of 802.1x authenticated user per port: 253 The system supports up to 1024 authenticated/mobile mac-addresses. Note: Maximum number of MAC rules, Authenticated VLAN Users, Binding Rules, and 802.1x Users all share the 1,024 Mac Rules 253 253 32 aggregates of up to 8 ports each, per stand-alone switch and/or across units Support for static aggregate (aka OmniChannel) Support for dynamic aggregate (IEEE 802.3ad) LOAD BALANCE ALGORITHM The load balance is the same for static and LACP link aggregation. The load balance takes the 3 last bits of the source address and the 3 last bits of the destination address and does an XOR. That gives a number between 0 and 7 Note that Link1 is the lowest port number, then Link2 is next port number On the 6850's, the multiple ports must be on the same "Stack" of 6850's. They can be on separate 6850's but those 6850's must be cabled together with a Stacking cable and it must be functioning as a stack.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 187 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Spanning Tree
When you want to flood a routed unicast packet to ALL ports of the egress vlan, which can be achieved by creating a static ARP with a multicast Mac address. The flooding is done in hardware (wire speed). Using a policy rule, you can rate limit the flooding to a specific rate. That feature is not supported on 10Gig (Ingress). However, flooding on egress 10Gig is supported. The UDP Relay will verify that the forward delay (elapsed boot time specified by the user) has been met before Relaying the UDP packet. If the relay is configured with multiple Next Hop addresses, then the packet will be sent to all next-hop destinations. The UDP Relay shall also verify that the maximum hop count (also set by the user) has not been exceeded. If either of these conditions is not meet, the UDP Relay will discard the BOOTP/DHCP packet. In Release 6.1.3.r01 the NBNS/NBDD and generic service has been added to the UDP port relay. As indicated in the table for NBNS and NBDD user can specify which vlan the packets are forwarded to. User can not specify the next hop IP address or the next hop address type. For all other generic services, user is able to configure which vlan (up to 10 VLANs) the UDP packet is to be forwarded to. User cannot specify the next hop IP address or the next hop IP address type. Service UDP Port Number Configurable Options BOOTP/DHCP 67/68 (Request / 1. Next Hop Address (Bootstrap Protocol/ Response) 2. Forward delay Dynamic Host 3. Maximum hops Configuration Protocol) NBNS/NBDD 137/138 1. VLANs to forward to Generic services Any number 1. VLANs to forward to Speed (10, 100, 1000Mbps) and duplex mode (half or full) IEEE 802.3x Note: the switch does not support honoring the incoming (RX) IEEE 802.3x pause frames, but it does support generating outgoing (TX) IEEE 802.3x pause frames IEEE 802.1D Standard Spanning Tree Algorithm and Protocol (STP) IEEE 802.1w Rapid Spanning Tree Algorithm and Protocol (RSTP) IEEE 802.1s / IEEE 802.1Q 2005 Multiple Spanning Tree Protocol (MSTP) Ring Rapid Spanning Tree Protocol (RRSTP) PVST+ Support of single and multiple instances for STP & RSTP BPDU Watch Guard How many Multiple Spanning Tree Groups are supported? 253 Is one Spanning Tree per Group supported? Yes only in a STP 1x1 mode Is one Spanning Tree per port supported? Yes Is Single Instance Spanning Tree supported? Yes only in a STP flat mode Does this device support any spanning tree enhancements (e.g., Root Guard, BPDU Guard, BPDU Filtering, PortFast, etc.)? Alcatel-Lucent Response: YES. Note: Alcatel-Lucent AOS OmniSwitch product family software refers to Root Guard as Restricted Role which is supported. Note: Alcatel-Lucent AOS OmniSwitch product family software refers to BPDU Guard as BPDU Shutdown Ports which is supported. BPDU Filtering is supported. Note: Alcatel-Lucent AOS OmniSwitch product family software refers to PortFast as EdgePort which is supported. Does this device support an instance of spanning tree per 802.1Q VLAN (commonly referred to as PVST+)? Alcatel-Lucent Response: Comply. a) Flat Mode: STP 1 Instance RSTP 1 Instance MSTP 1 CIST and 16 MST Instances b) 1x1 Mode: STP 253 Instances RSTP 253 Instances
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 188 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
a) Default spanning tree mode is RSTP (IEEE 802.1w) b) The bridge priority can be any value between 0 and 65535 for STP and RSTP protocol in the 16 bit mode. By default, spanning tree follows the 16 bit path cost. c) The bridge priority can only be in multiples of 4096 in the 32 bit mode or in MSTP mode. d) MSTP can support 32 bit mode per standard. e) Changing STP protocol to MSTP will reset all priority and path cost of a bridge to default The default port path costs are: (IEEE Std 802.1D-1998- 16 Bit) Port Speed Path cost 10M 100 100M 19 1000 M 4 10000 M 3 The default port path costs are: ( IEEE Std. 802.1Q-2005 32 Bit) Port Speed Path cost 10M 2000000 100M 200000 1000 M 20000 10000 M 2000 The default link aggregation path costs are (16 Bit): Linkagg speed Linkagg size Path cost 2 60 10M 4 40 8 30 2 12 100M 4 9 8 7 1000M N/A 3 10000M N/A 2 The default link aggregation path costs are (32 Bit): LinkAgg speed LinkAgg size Path cost 2 1200000 10M 4 800000 8 600000 2 120000 100M 4 80000 8 60000 1000M 2 12000 4 8 10000M 2 4 8 8000 6000 1200 800 600
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 189 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Port Monitoring
Port Mapping
STP convergence time (flat, 1x1, 802.1s) 802.1w rapid reconfiguration Learned MAC addresses per port Learned MAC addresses per system Layer-2 forwarding on Ethernet ports Layer-2 forwarding GigE, known MAC Broadcast per Ingress port Loopback Interface
The same unit cannot support both mirroring and monitoring configuration i.e. a user cannot have a port monitoring and a port mirroring session on the same unit. Only one monitoring session at a time across the entire system Only the first 64 bytes of the packet can be monitored. Due to the port monitoring file size, the system can only store the first 2K packets (i.e. 140K/64 = 2187) The port monitoring is not supported on the linkagg ports. Enabling the monitoring function affects the performance. Consequently, Port Monitoring performance is not at wire-rate. The N-to-1 port mirroring allows the user to specify multiple numbers of ports, range of ports as mirrored source in a single command. Maximum number of mirror source ports could be set to 128. Aggregate ports are allowed to be mirrored on the physical ports. Mirroring on the logical LinkAgg port ID is not supported. Mirroring Sessions Supported: One session supported per standalone switch Port mapping feature is supported on OS6800/6850/9000. Following are the limitations for the feature. 8 sessions supported per standalone switch and stack An aggregable port of a link aggregation group cannot be a mapped port and vice versa A mirrored port cannot be a mapped port and vice versa A mobile port cannot be configured as a network port of a mapping session 30 sec Less than 1 sec Up to 16 K (16,384) MAC Addresses is supported Up to 16 K (16,384) MAC Addresses is supported Wire-speed (64 Bytes packets) Wire-speed (64 Bytes packets) Programmable The loop-back interface allows you to uniquely identify a router in the network with one IP address. The advantage of the loop-back interface is to be independent of the physical ip interfaces. In a redundant routing network, the loop-back interface is always accessible when routing topology changes or ip interfaces go down. The main advantage of Loop-back interface is a more reliable Network Management path through OmniVista or an NMS station. Also, you can use the loop-back interface to uniquely identify the router within OSPF and BGP if you set the router-id to the same as the loop-back address. The loop-back can also be used for the RP (Rendezvous Point) in PIM-SM. The loop-back address is also used for the sFlow Agent IP address. The Loopback address is used for source IP of RADIUS authentication. Loopback0 is the name assigned to an IP interface to identify a consistent address for network management purposes. The Loopback0 interface is not bound to any VLAN; therefore it always remains operationally active. This differs from other IP interfaces, such that if there are no active ports in the VLAN, all IP interfaces associated with that VLAN are not active. In addition, the Loopback0 interface provides a unique IP address for the switch that is easily identifiable to network management applications. There are 2 kind of server clusters: -Server Farm: The traffic is truly destined to the Server Farm and the destination IP is the Virtual IP of the Server Farm. Each server is also configured with a Loopback Interface for the Virtual IP -Firewall Cluster: the traffic is not destined to the server, the server simply inspects the packet and sends it back if accepted by the Firewall policies Current limit of servers (on a per cluster basis) is 16. Current limit of cluster (on a per switch basis) is 16. 20 Probes Sever Load Balancing (SLB) Health monitoring is performed by the CPU of the Primary Management. LOAD BALANCING HASHING In both VIP and Condition SLB, the traffic is balanced among the servers using an hash algorithm based on IPSA and IPDA. Internally, each active server is seen as a host ECMP route to reach the cluster. Therefore, the load balancing is the same than the ECMP load balancing.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 190 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
A server is detached from the cluster when: -Disconnected, server goes to Link Down state -Fails to respond to the probe, server goes to No Answer state The default probe is a simple ping with 3 configurable parameters: -period (sec) -retry -timeout (ms) The switch sends a ping/probe to a server every period sec. If the server does not respond within timeout for retry time, the server goes No Answer With the default values (period =60 retry=3 timeout=3000), the switch can take up to 60+3*3=69 seconds to detect of server out of service SLB Probes In addition to Ping , the following probes are available: -FTP: the probe checks the server runs a ftp server -IMAP: the probe checks the server runs a mail server imap -IMAPS: the probe checks the server runs a ssl mail server imap -POP: the probe checks the server runs a mail server pop3 -POPS: the probe checks the server runs a ssl mail server pop3 -SMTP: the probe checks the server runs a smtp server -NNTP: the probe checks the server runs a network news server -HTTP: the probe checks the server runs a http server -HTTPS: the probe checks the server runs a ssl http server -UDP: the probe checks the server responds to a given udp port application -TCP: the probe checks the server responds to a given tcp port application COMMON PROBE PARAMETERS Like ping, a probe is configured with a period, a retry and a timeout. If the server does not respond to the probe, the server is detached from the cluster. According to the period/retry/timeout, the switch will probe each server to make sure the server is still running the appropriate application. For instance, with ftp probe, the switch verifies the server is able to accept a ftp session. PROBE PORT NUMBER A tcp/udp port number is mandatory for TCP and UDP probes. It specifies on which port the server must be listening for opening sessions. For other probes, the port is optional (default port number is 0); the probes uses the well known TCP/UDP ports: -FTP: port 21 -IMAP: port 143 -IMAPS: port 993 -POP: port 110 -POPS: port 995 -SMTP: port 25 -NNTP: port 119 -HTTP: port 80 -HTTPS: port 443 TCP/UDP PROBES These probes check the server can open a udp/tcp sessions on the given port Optional parameters can be given: -SSL : to use a secure socket layer application instead of basis tcp/ip layer -Send/Expect : to verify the server response (expect) upon a given message (send) HTTP/HTTPS PROBES These probes try to load a page from the server. The mandatory parameters are: -url : the page the probe is trying to load -status: the status of the page expected to be received (200 for OK, 400 for url not found ..). Default is 200. Optional parameters can be given: -expect: a string expected to be seen in the content of the page -username/password: the username/password to use when the web server requires an http authentication
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 191 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Maximum number of IP route entries (Layer-3 Routing Table Size) (Maximum Routing Information Base RIB) Max number of IP Router interfaces per system Single mode Max number of IP routes Max number of IP static routes RIPv1&v2
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 192 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OSPFv2 Specifications
ECMP
ARP Table: Max number of ARP entries per system Layer-3 forwarding, known IP@64 bytes pkt Layer-3 forwarding, known IP@1518 bytes pkt Layer-3 forwarding, known IP@ Jumbo pkt Trunking 2 VLANs, 64 Bytes pkt Trunking 2 VLANs, 1518 Bytes pkt RIP Learning Rate OSPF Learning Rate
The following values are the maximum limits enforced by the code. Maximum number of Areas (per router): 32 Maximum number of Interfaces (per area): 100 Maximum number of Interfaces (per router): 32 x 100 (Limited only by max. num of IPv4 interfaces = 4096) Maximum number of Link State Database entries (per router): 96K Maximum number of neighbors/adjacencies (per router): 254 Maximum number of neighbors/adjacencies (per area): 128 Maximum number of routes (per router): 96K Maximum number of OSPFv2- ECMP gateways (per destination): 4 Max number of OSPFv2 Sessions: 1 The following values are the tested limits with functionally verified (stress test). On OS6850 ABR routers: Max number of IP Routes on OS6850 router: 12K Max number of OSPFv2 Routes on OS6850 router: 12K Max number of OSPFv2 Interfaces on OS6850 ABR: 48 Max number of OSPFv2 Areas on OS6850 ABR: 6 Max number of OSPFv2 Adjacencies on OS6850 ABR: 48 Max number of LSAs on OS6850 ABR: 12K Tested number of OSPFv2- ECMP gateways (per destination): 4 Max number of OSPFv2 Sessions: 1 On OS6850 non-ABR routers: Max number of IP Routes on OS6850 router: 96K Max number of OSPFv2 Routes on OS6850 router: 96K Max number of OSPFv2 Interfaces on OS6850 non-ABR: 27 Max number of OSPFv2 Areas on OS6850 non-ABR: 6 Max number of OSPFv2 Adjacencies on OS6850 non-ABR: 27 Max number of LSAs on OS6850 non-ABR: 24K Tested number of OSPFv2- ECMP gateways (per destination): 4 Max number of OSPFv2 Sessions: 1 Notes: Please note that, the above OSPFv2 specifications may vary depending on the available system resources, and/or customer specific networking requirements & configurations. Please also note that, depending on the number of Areas, Interfaces, Adjacencies, and Neighbors configured, the maximum number of routes may vary. Please contact our customer Service & Support team, should your required specifications fall between "the limits as enforced by the code" and "the limits as functionally tested". Only 512 networks can be programmed in the ECMP table, so that the flows can be load balanced among the different paths. When having more than 512 ECMP routes on the show ip route, only the last (highest) 512 routes are programmed in the ECMP table. Only 512 networks can be load balanced over ECMP links The other ECMP networks will always be routed on the same link. Maximum BGP Peers per Router: 8 Maximum number of routes supported: 30,000 Range for AS Numbers 1 to 65535 Range of Local Preference Values 0 to 4294967295 Range for Confederation IDs 0 to 65535 Range for MED Attribute 0 to 4294967295 Up to 8K (8,192) L3 ARP entries are supported. Wire-speed Wire-speed Wire-speed Wire-speed Wire-speed 500 / sec 500 / sec
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 193 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
1.2 sec Supported platform: OS6800, OS6850, and OS9000 IPv4 Redistribution instances use route-maps to redistribute routes from a source protocol RIB to a destination protocol RIB. The source protocol can be BGP, RIP, OSPF, Local or Static. The destination protocol can be BGP, RIP or OSPF. Maximum number of route-maps that can be created on router: 200 Maximum number of route-map sequences that can be created on router: 400 Maximum number of IPv4 access-lists that can be configured on router: 200 Maximum number of OSPFv2 routes that can be redistributed into RIPv2: 6.5K Maximum number of RIPv2 routes that can be redistributed into OSPFv2: 6.5K Below table is high light of routing limitation in 6.1.3.R01 release. OS6850 OSPFv2 ABR LSA#/Routes# OSPFV2 non-ABR LSA#/Routes# RIPv2 IPv4 Redistribution RIPv2 into OSPFv2 IPv4 Redistribution OSPFv2 into RIPv2 OSPFv3 ABR LSA#/Routes# OSPFv3 non-ABR LSA#/Routes# RIPng IPv6 Redistribution RIPng into OSPFv3 IPv6 Redistribution OSPFv3 into RIPng OS9000
6.5K
8K
1K
1K
1K
1K
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 194 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Multicast support
Flow Table VLAN Replication Max number of DVMRP Interfaces Max number of DVMRP Neighbors Max number of DVMRP Tunnels Max number of PIM-SM Interfaces PIM-DM (IPv4)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 195 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Zapping
L2 static multicast Multicast without 8021.Q on 10/100Mbps interfaces Multicast without 8021.Q on 1000Mbps interfaces Multicast with 8021.Q, 0 copies, 1518Bytes pkt on 10/100/1000Mbps ports and/or GigE ports Multicast with 8021.Q, 1 copies, 1518Bytes pkt on 10/100/1000Mbps ports and/or GigE ports Multicast with 8021.Q, 2 copies, 1518Bytes pkt on 10/100/1000Mbps ports and/or GigE ports Network Protocols
The system can process 1000 IGMP per second. However, the performance can drop to 128 when IGMP are received too fast. Burst of 1000 IGMP reports at 1000 packet/sec: all 1000 groups are learnt Burst of 1000 IGMP reports at 1Gbps: only 128 groups are learnt You can configure ip multicast zapping to optimize channel surfing. That will instantly stop forwarding multicast to a client when that client sent an IGMP Leave. The zapping time can be measured by the leave message received by the switch and the last packet received by the client. This is usually in milliseconds. The feature is well suited for Multicast Switching and zapping only works well when ip multicast querying is disabled. 1022 static multicast MACs are supported on OS6850 and OS9000. The L2 Multicast table can have 1024 entries but 2 are reserved for other applications. Wire-speed Wire-speed Wire-speed Wire-speed Wire-speed DHCP Relay (including generic UDP Relay) TCP/IP Stack NDP ARP
Resilience
VRRPv3 Virtual Router Redundancy Protocol, VRRPv3, is designed to eliminate the single point of failure existing in a static default routed IPv6 environment. The loss of the default router isolates all systems not able to detect an alternate path. VRRPv3 provides the capability for assigning the responsibility of a virtual router to one of the IPv6 VRRPv3 routers on a LAN. A total of 255 VRRP3 instances can be configured if only IPv6 instances are configured. The total of 255 instances on a box is the maximum number of VRRP instances (VRRP2 + VRRP3) that can be configured on a box.. As an example if a user configures 200 VRRP2 instances, then only 55 VRRP3 instances can be configured. If a user configures 255 VRRP2 instances then no VRRP3 instances can be configured and vice versa.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 196 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Maximum number of IP route entries (Layer-3 Routing Table Size) (Maximum Routing Information Base RIB) Max number of IP Router interfaces per system Single mode IPv6 routes Max number of IPv6 static routes IPv6 interfaces IPv6 prefixes per interface IPv6 global unicast addresses per interface A 6to4 tunnel
RIPng
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 197 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OSPFv3 Specifications
IPv6 REDISTRIBUTION
Layer-3 forwarding, known IP@64 bytes pkt Layer-3 forwarding, known IP@1518 bytes pkt Layer-3 forwarding, known IP@ Jumbo pkt Trunking 2 VLANs, 64 Bytes pkt Trunking 2 VLANs, 1518 Bytes pkt RIP Learning Rate OSPF Learning Rate Route Convergence for OSPF
The following values are the maximum limits enforced by the code. Maximum number of Areas (per router): 32 Maximum number of Interfaces (per router): Unlimited (Limited only by max. num of IPv4 interfaces = 4096) Maximum number of Interfaces (per area): 100 Maximum number of Link State Database entries (per router): Unlimited Maximum number of adjacencies (per router): adjacency is no different from neighbor, below. Maximum number of OSPF- ECMP gateways (per destination): 4 Maximum number of neighbors (per router); 254 Maximum number of neighbors (per area); 64 Maximum number of routes (per router): Unlimited (Future Release) (Depending on the number of Areas, Interfaces, Adjacencies, and Neighbors configured, the maximum number of routes may vary.) Max number of OSPF Sessions: 1 The following values are the tested limits functionally verified. The following configuration is used as a stress test: On an OS6850 non-ABR Routers: (a) Min. usable Hello Interval with 20 Interfaces in 5 Areas with 4 Interfaces in each Area: 5 sec (b) Min. usable Router Dead Interval with 20 Neighbors, 4 each in 1 Area for a total of 5 Areas: 20 sec (c) Max. usable number of LSAs that the OS6850 router can stably hold: 5K (d) Max. usable number of Ospfv3 Routes that the OS6850 router can stably hold in this scenario: 5K (e) Max. number of usable Ospfv3 Interfaces between any two OS6850 or OS6850/OS9000 routers: 4 (f) Max number of IP Routes on OS6850 router: 5K (g) Max number of OSPFv3 Routes on OS6850 router: 5K On an OS6850 ABR: (a) Min. usable Hello Interval with 20 Interfaces in 5 Areas with 4 Interfaces in each Area: 5 sec (b) Min. usable Router Dead Interval with 20 Neighbors, 4 each in 1 Area for a total of 5 Areas: 20 sec (c) Max. usable number of LSAs that the OS6850 router can stably hold: 5K (d) Max. usable number of Ospfv3 Routes that the OS6850 router can stably hold in this scenario: 5K (e) Max. number of usable Ospfv3 Interfaces in 5 areas with 5K LSAs: 20 (f) Max. number of usable Ospfv3 Neighbors in 5 areas with 5K LSAs: 20 (g) Max. number of usable Ospfv3 Interfaces between any two OS6850 routers: 4 (l) Max. number of usable Ospfv3 Areas on an OS6850 ABR: 5 Notes: Please note that, the above OSPFv3 specifications may vary depending on the available system resources, and/or customer specific networking requirements & configurations. Please also note that, depending on the number of Areas, Interfaces, Adjacencies, and Neighbors configured, the maximum number of routes may vary. Please contact our customer Service & Support team, should your required specifications fall between "the limits as enforced by the code" and "the limits as functionally tested". (a) Maximum number of route-maps that can be created on an OS6850 router: 200 (b) Maximum number of route-map sequences that can be created on an OS6850 router: 400 (c) Maximum number of IPv6 access-lists that can be configured on an OS6850 router: 200 (d) Maximum number of OSPFv3 routes that can be redistributed into RIPng: 1K (e) Maximum number of RIPng routes that can be redistributed into OSPFv3: 1K Wire-speed Wire-speed Wire-speed Wire-speed Wire-speed 500 / sec 500 / sec 1.2 sec
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 198 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Multinetting
Multinetting This feature allows IP traffic from multiple subnets to coexist on the same VLAN. A network is said to be multinetted when multiple IP subnets are brought together within a single broadcast domain (VLAN). It is possible to assign up to eight different IP interfaces per VLAN. Each interface is configured with a different subnet. A network is said to be multinetted when multiple IP subnets are brought together within a single VLAN. For example, one may configure the subnet 192.168.1.0/24 and 194.2.10.0/24 to run on the same switch interface. In other words, traffic from the 192.168.1.0 subnet and traffic from the 194.2.10.0 subnet would coexist on the same physical VLAN. Within a Layer 2 environment, the traffic is broadcast between all subnets configured in the same VLAN. Layer-3 traffic is routed between the configured subnets in the same VLAN. Possible uses for Multinetting: Subnet renumbering used during transition from one addressing scheme to another to maintain connectivity. Ability to support more hosts on one physical link used to add more hosts to a broadcast domain than the addressing scheme allows. Supporting multiple subnets on one interface where configurations do not allow complete separation of subnet traffic. For example, a college campus may have departments where users are connected to a switch via hubs. Connected to each of the hubs are users configured to be in different subnets. The hubs are connected to the switches using portbased vlan configuration. Network administrators use Multinetting so they do not have to worry about re-cabling or reconfiguring ports for users in different subnets. Up to 8 subnets per VLAN All existing dynamic routing protocols, routing between each of the multinetted subnets in one VLAN and routing between each of the multinetted subnets and other VLANs VRRP DHCP is only supported on the primary interface of the multinetted vlan. All devices are assigned to the same scope (the one for the primary interface) With VRRP and Multinetting, you can still configure multiple instances to load balance the master role among the sub-netted interfaces. Routing protocols (RIP, OSPF, BGP) are supported in a multinetted environment. The routing interfaces are now based on ip interfaces, instead of the VLANs. Therefore, routing protocols are totally independent of VLANs and their data structures are maintained as part of an array indexed by ip interface only. There is no difference between running a routing protocol on an interface part of a multinetted vlan or a regular interface. Each subnet (interface) on the multinetted vlan can run its own routing protocol. The multicast routing protocols will be supported on one interface per VLAN. One interface designated the primary interface, will be used for the multicast routing protocols. The multicast routing protocols will not allow configuration on any non-primary interfaces. By default the first interface is the primary interface. DVMRP and PIM-SM will only allow configuration on the primary interface of a VLAN. This is to ensure consistency between the multicast routing protocols (DVMRP, PIM-SM, IPMRM), IPMS and IGMP.
Supported features:
Routing In Multinetting
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 199 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Policy/QoS
QoS / ACLs Features summary: 802.1p classification TOS/DSCP classification Ethertype classification IP protocol classification ICMP type and code classification TCP Flag classification and established for implicit reflexive tcp flows qos apply will not impact existing flows Port disable rules to shutdown a port when incoming packets matches a rule Rule logging Port redirect action to force a packet to be sent out on a given port User port profiles to filter and shutdown ports for BPDUs, IP spoofing and routing protocols (rip, ospf, bgp) DropServices to drop tcp/udp ports IGMP ACLs L2/L3/L4 QoS fully supports IP multicast traffic (priority, bandwidth shaping..) 8 hardware queues per port Traffic prioritization: Flow-based QoS with internal and external (a.k.a., remarking) prioritization Bandwidth management: flow based bandwidth management, ingress policing/egress shaping and port based egress shaping Queue management: Random Early Detect/Discard (RED), configurable de-queuing algorithm; Strict Priority, Weighted and Deficit Round Robin. Power-over-Ethernet: IEEE 802.3af maximum total power of 380W for PoE The following types of conditions are available: L1 conditions: source port, destination port, source port group, destination port group L2 conditions: source mac, source mac group, destination mac, destination mac group, 802.1p, ethertype, and source vlan (Destination vlan is not supported). L3 conditions: ip protocol, source ip, source network group, destination ip, destination network group, TOS, DSCP, ICMP type, ICMP code. L4 conditions: source TCP/UDP port, source TCP/UDP port range, destination TCP/UDP port, destination TCP/UDP port range, service, service group, tcp flags IP multicast condition: An ip multicast condition is used for IGMP ACLs. The multicast ip is actually the multicast group address used in the IGMP report packet. IP multicast can be combined with destination port, destination vlan, destination Mac, destination ip, that are the port/vlan/mac/ip of the device that sent the IGMP report The following actions are available: ACL (disposition drop/accept default is accept) Priority 802.1p/TOS/DSCP Stamping 802.1p/TOS/DSCP Mapping Maximum bandwidth Redirect Port Note: Condition combinations and Action combinations are also supported. Eight hardware based queues per port Flow based QoS Internal & External (aka remarking) prioritization Flow Based bandwidth management, 64kbps granularity Port based egress shaping, 1Mbps granularity Configurable de-queuing algorithm Strict Priority Weighted Round Robin DRR (Deficit Round Robin). This mode is quite similar as WRR In the Strict Priority mode, a port has 8 strict priority queues (SPQ) and all the queues on the port are serviced strictly by priority. In the WRR or DRR, queues are serviced on a round robin based on their weight. The higher the queue weight, the higher is the throughput for that queue. Any queue can be configured with a weight of 0 to make that queue strict priority. The weight ordering does not need to follow the queue order.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 200 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Power over Ethernet Max number of Rules Max number of Actions Max number of Conditions Max number of Policy Services Max number of Policy Groups Max number of Queues Filtering or ACL Throughput Configurable policies
OS6850 has 8 queues per egress port OS6850 has 3 Queuing schemes per egress port: Strict-Priority (default mode) WRR (Weighted Round Robin) DRR (Deficit Round Robin). This mode is quite similar as WRR In the Strict Priority mode, a port has 8 strict priority queues (SPQ) and all the queues on the port are serviced strictly by priority. In the WRR or DRR, queues are serviced on a round robin based on their weight. The higher the queue weight, the higher is the throughput for that queue. Any queue can be configured with a weight of 0 to make that queue strict priority. The weight ordering does not need to follow the queue order. Queue Mapping Table 802.1p TOS / DSCP Priority Rule Egress Queue 0 0 / 0-7 0 0 1 1 / 8-15 1 1 2 2 / 16-23 2 2 3 3 / 24-31 3 3 4 4 / 32-39 4 4 5 5 / 40-47 5 5 6 6 / 48-55 6 6 7 7 / 56-63 7 7 (*) SPQ Strict Priority Queue or Weighted Fair Queue if configured with a weight > 0 IEEE 802.3af (requires OS9-GNI-P24 & IP-Shelf) 128 per port; 2048 policy rules per chassis OS6850: 2048 rules per slice (2048 on a OS6850-24 chassis and 2*2048 on a OS6850-48 chassis) 128 per port; 2048 policy actions per chassis 128 per port; 2048 policy Conditions per chassis 256 1024 512 entries per policy group 8 / port Wire-speed OS6850-24 Models port unit (1 TCAM) Max available HW rules per slot: 1664 Max available tcp/udp port ranges per slot: 16 Max available bandwidth shaping rules per slot: 832 OS6850-48 Models port unit (2 TCAMs) Max available HW rules per slot: 3328 Max available tcp/udp port ranges per slot: 32 Max available bandwidth shaping rules per slot: 1664 OS6850 can log the packets matching a policy rule. The most common use of that feature is to log packet matching an ACL drop policy. To enable logging configure the policy rule with log [log interval x] The log interval is optional and the default interval is 30 sec. You can configure a log interval between 1 and 3600 sec. Depending on the configured log interval, the system periodically set the hardware to send copy of the packet matching the rule to CPU. As soon as the CPU receives a packet matching the rule, the system reset the hardware to no longer send copy to CPU until the next interval, to keep CPU low. The first packet is always logged. If one packet matching the rule is seen during the log interval time, it will be logged. Limitation: More than one packet can be logged depending on the rate of the traffic (because of time required by the CPU to stop the sampling). Log interval less than 5 seconds will be accepted by CLI , but logging will be done every 5 sec Logging does not lot all matching packets (not an IDS) Note: CPU stays low with rule logging enable. We tested a logging drop rule with 10 Gbps of incoming traffic and CPU stays low.
Servicing (*) SPQ or WFQ SPQ or WFQ SPQ or WFQ SPQ or WFQ SPQ or WFQ SPQ or WFQ SPQ or WFQ SPQ or WFQ
Rule logging
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 201 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Port shaping Shaping limits the bandwidth on the egress port. Shaping implies that the shaping function controls the rate at which the egress port sends the packets, regardless of egress queues. The granularity is 64Kbps. Queue shaping You can also configure maximum and minimum bandwidth on a per egress queue basis. Configuring an egress queue max bandwidth will shape priority traffic mapped to that queue. Configuring an egress queue min bandwidth will guarantee that bandwidth for priority traffic mapped to that queue. When a queue has a minimum bandwidth configured, traffic within that bandwidth has the HIGHEST priority, regardless the servicing mode or the priority of that queue. Limitation: The egress bandwidth shaping is only on a per port basis; the system cannot do a per flow basis egress bandwidth shaping. Using policy rule with maximum bandwidth action, you can limit the bandwidth on the ingress. Policing implies dropping the traffic when the programmed rate is exceeded. Policing is on a per flow basis. The granularity is 64kpbs. You can do the following: Ingress port rate limiting by configure a policy using a source port Ingress flow based rate limiting by configure a policy defining that flow Mixed of ingress and flow based rate limiting Limitations: Ingress rate limiting is done at the ingress NI. Policies spread out on multiple NIs will make the total egressing rate to be higher than the configured value (up to the N time the limit where N is the number of NI being spread) Show active policy rule will count the packets that exceed the rate limiting, not the packets that matches the rule On untrusted ports the priority/queue of the incoming packet is based on the port default 802.1p value. By default, the port default 802.1p value is 0 making traffic to be mapped to Q0 (best effort). Also, regardless or bridging or routing: 802.1p within the packets is set to the port default 802.1p DSCP within the packets is set to the port default dscp Changing the port default 802.1p will: Change the priority of all traffic from that port. That is like a port priority Set the 802.1p value in the packet to that port default 802.1p Changing the port default DSCP will: NOT change the internal priority Set the DSCP value in the packet to that of the port default DSCP Notes: On untrusted port, the default 802.1p defines the default internal priority for all packets. Untagged packets on untrusted ports get an 802.1p value from the port default 802.1p (if going out on tagged interface). Limitation: On untrusted ports, if the packet matches a policy rule, the DSCP in the packet is unchanged; it is not set to the port default dscp On trusted ports the priority/queue of the incoming packet is based on the ingress packet 802.1p or ToS/DSCP value. Non IP packets are prioritized based on the packet 802.1p value IP packets are prioritized based on the packet TOS/DSCP value Port default 802.1p or DSCP has no effect on trusted ports. Notes: On IP packets, the 802.1p is set to match the packet ToS value. Untagged non-IP packets always get an 802.1p of 0 and priority 0 (if going out on tagged interface). The port default 802.1p is not applied.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 202 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Regardless the condition or classification, the following stamping/mapping actions are allowed Stamp 802.1p Stamp TOS (precedence) Stamp DSCP Stamp 802.1p and TOS/DSCP Map 802.1p to 802.1p Map 802.1p to TOS Map 802.1p to DSCP Map ToS to 802.1p Map ToS to TOS Map ToS to DSCP Map DSCP to 802.1p Map DSCP to TOS Map DSCP to DSCP Stamping/mapping policies change the internal priority of the packets: Internal Priority is always based on the new 802.1p or TOS/DSCP being stamped/mapped Stamp/map TOS/DSCP also gives internal priority for non IP packets matching the rule Mapping rules takes one TCAM rule entry for each entry in the map group If both 802.1p and TOS/DSCP are stamped in a policy rule, priority is based on the stamped 802.1p value Notes: On trusted ports, stamping/mapping a tos/dscp also change the 802.1p value in the packet to the packet ToS value. If the policy rule has both a 802.1p stamp/map action and a priority action, the packet priority comes from the stamped/mapped 802.1p value, not the priority action. Policy Based Routing (PBR) allows a network administrator to define QoS policies that will override the normal routing mechanism for traffic matching the policy condition. Note. When a PBR QoS rule is applied to the configuration, it is applied to the entire switch, unless you specify a built-in port group in the policy condition. Policy Based Routing may be used to redirect traffic to a particular gateway based on source or destination IP address, source or destination network group, source or destination TCP/UDP port, a service or service group, IP protocol, or built-in source port group. Traffic may be redirected to a particular gateway regardless of what routes are listed in the routing table. Note that the gateway address does not have to be on a directly connected VLAN; the address may be on any network that is learned by the switch. Note. If the routing table has a default route of 0.0.0.0, traffic matching a PBR policy will be redirected to the route specified in the policy. Policy Based Routing may be used to redirect untrusted traffic to a firewall. In this case, note that reply packets will be not be allowed back through the firewall. Policy Based Routing may be used to redirect traffic to a particular gateway based on source or destination IP address, source or destination network group, source or destination TCP/UDP port, a service or service group, IP protocol, or built-in source port group. Traffic may be redirected to a particular gateway regardless of what routes are listed in the routing table. Note that the gateway address does not have to be on a directly connected VLAN; the address may be on any network that is learned by the switch. Multiple policy actions can be combined together within a single rule. The policy actions that can be combined in the same rule are: Priority Stamping/mapping Max BW Redirect Port A flow can match multiple rules but ONLY the action for the highest precedence-matching rule is then enforced. When rule are configured without precedence (default precedence is 0), the first created rule has the highest precedence.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 203 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IPv6 Actions
Port Disable
Classification & Combinations The following classification criteria are available (in Release 6.1.3.r01) for ipv6 packets source ipv6 address destination ipv6 address Next header. Policies specifying the NH parameter, classify based on the first NH value present in the V6 header of the IPV6 packet Flow label TCP Flags/Established. Policies specifying established or tcpflags, expect the first NH value present in the V6 header to be 6 ToS/DSCP source vlan 802.1p source Mac destination Mac source port destination port (only for bridged traffic) Multicast ipv6 for MLD report filtering (similar to IGMP filtering) Actions All actions are available for Ipv6 policies ACL (disposition drop/accept default is accept) Priority 802.1p/TOS/DSCP Stamping 802.1p/TOS/DSCP Mapping Maximum bandwidth/depth Redirect Port / Link aggregation Instead of filtering packets, you can configure a user-port profile to administratively disable an interface upon reception of spoof/bpdu/rip/ospf/bgp packets. To make the interface operational again, the port must be unplugged/plugged back or disabled/enabled using interfaces s/p admin down and interfaces s/p admin up. Also, a SNMP trap will be sent when an interface goes down because of the user-port shutdown profile. You can configure a Port Disable rule to administratively disable an interface when matching a policy rule. To make the interface operational again, the port must be unplugged/plugged back or disabled/enabled using interfaces s/p admin down and interfaces s/p admin up. Also, a SNMP trap will be sent when an interface goes down when matching a port disable rule This feature is supported on OS6850/9000 in 6.1.3.R01. Policy routing allows the user to specify gateways to be used for routed data flows based on various criteria. IP Protocol (i.e. ICMP, TCP, ICMP) Source IP address (or network group) Destination IP address (or network group) Source TCP/UDP port Destination TCP/UDP port Souce TCP/UDP service Destination TCP/UDP service Source TCP/UDP service group Destination TCP/UDP service group TOS, DSCP Source vlan Source slot/port Source slot/port group The action that can be specified is a gateway to be used overriding the routing database. Permanent gateway is supported in 6.1.1.R02, alternate gateway is not supported. Permanent gateway can be set to local next hop IP or remote hop IP. PBR is done in hardware. Note regarding bridged data flows PBR is also supported on bridged packets if a static ARP is configured for the permanent gateway. That way you can force bridged packets to be routed to that permanent gateway.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 204 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
High Availability
High Availability The switch provides a broad variety of availability features. Availability features are hardware- and software-based safeguards that help to prevent the loss of data flow in the unlikely event of a subsystem failure. In addition, some availability features allow users to maintain or replace hardware components without powering off the switch or interrupting switch operations. Combined, these features provide added resiliency and help to ensure that the switch or virtual chassis is consistently available for day-to-day network operations. Smart Continuous Switching: Hot Swap, Management Module Fail-over, Power Monitoring, Redundant subsystems in stacked configurations, and Stackability Virtual chassis design that provide management functionality and automatic election of primary and secondary managers Redundant Management & Switch Fabric (stacking configuration) o Virtual chassis that provides management functionality and automatic election of primary and secondary managers Fault tolerant loop stacking (Redundant Stacking link) Hot swappable components & hot insertable support: switch modules, SFPs/XFPs o Hot swappable switch units and power supplies Redundant (Backup) Power Supplies (Redundant 1:1 power provided by the OS6850-BPS) Redundant 1: 1 PoE power provided by the PoE Power Supplies Spanning Tree robustness (Single or Multiple STP options): IEEE 802.1D (STP) (802.1D spanning tree for loop free topology and link redundancy) and IEEE 802.1w-Rapid Reconfiguration of Spanning Tree (allows sub-second failover to redundant link) o Ring Rapid Spanning Tree optimized for ring topology to provide less than 100ms convergence time o IEEE 802.1s multiple spanning tree and Alcatel per-VLAN spanning tree (1x1) o PVST+ Fast forwarding mode on user ports to bypass 30-second delay for spanning tree Prevents unauthorized spanning-tree enabled attached bridges from operating. BPDU blocking automatically shuts down switch ports being used as user ports if a spanning tree BPDU packet is seen. Prevents unauthorized spanning-tree enabled attached bridges from operating. Priority queues: eight hardware-based queues per port VRRP (Virtual Router Redundancy Protocol), and OSPF ECMP (Equal Cost Multipath Protocol) Dynamic link aggregation IEEE 802.3ad (that supports automatic configuration of link aggregates with other switches) with resilient uplink capabilities Static link aggregation with OmniChannel (that supports automatic configuration of link aggregates with other switches) IEEE 802.1s: MISTP (802.1s) is an IEEE standard which allows several VLANs to be mapped to a reduced number of spanning-tree instances. This is possible since most networks do not need more than a few logical topologies. Each instance handles multiple VLANs that have the same Layer 2 topology. Software Resiliency: The AOS OmniSwitch product family provides fully redundant and resilient system components to insure continuous, non-stop operation. This includes redundant subsystems, hot swappable modules, load-sharing components, hitless software loading, downloadable bootstrap, and image rollback which allows the system to automatically re-load previous configurations and software versions. o Software image and configuration recovery (Software Rollback) Image rollback to automatically re-load previous configurations and software versions o Image and configuration synchronization for Management Modules o Hitless loading of optional advanced routing software without re-booting Broadcast storm control Downloadable bootstrap Chassis thermal protection/shutdown Hardware monitoring, temperature monitoring, and power monitoring & management Short cold and warm boot times Built-in security and device hardening Network and Link Resiliency: Network and link resiliency are important parts of network availability, and the AOS OmniSwitch product family supports advanced routing, load sharing, and mechanisms for fast reconfiguration of links between switches, servers, and other network devices. These include: o VRRP (Virtual Router Redundancy Protocol), and OSPF Equal Cost Multipath Protocol Topological Network Redundancy: In order to provide the highest levels of availability throughout an enterprise, it is important to build redundancy and resiliency into the topology at the network level to insure that links have backups and traffic is always flowing. This includes: o Physical redundancy o Layer 2 and layer 3 redundancies
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 205 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Security
Advanced Security The following is only a highlight of the advanced security features supported: Partitioned Management PM: Protected multiple user access control (i.e. the switch provides a full suite of commands that allow the user to create and modify User IDs and Passwords (multiple administrative profiles) for access to switch management). The PM feature utilizes an on-board database, or RADIUS, LDAP authentication servers (user profiles are stored within these servers). Authenticated Switch Access (ASA): the ASA feature (user access control or device access control) with Secure Access Logging (AAA service) utilizes an on-board database, RADIUS, LDAP, or ACE authentication servers Automatic Log-out based on a pre-configured timer Denial of Service Attack Defense (DOS protection) IEEE 802.1x industry standard port based authentication challenges users with a password before allowing network access o IEEE 802.1x multi-client, multi-VLAN support for per-client authentication and VLAN assignment IEEE 802.1x with group mobility IEEE 802.1x with MAC based authentication, group mobility or guest VLAN support MAC-based authentication for non-802.1x host Alcatel-Lucent Access Guardian support Port Mapping (Private VLANs) Port Binding Authenticated VLAN that challenges users with username and password and supports dynamic VLAN access based on user Support for host integrity check and remediation VLAN Security through the implementation of OmniVista Quarantine Manager (OV2770-QM) and quarantine VLAN, with OneTouch Security automation PKI authentication for SSH access Learned Port Security or MAC address lockdown allows only known devices to have network access preventing unauthorized network device access RADIUS and LDAP admin authentication prevents unauthorized switch management TACACS+ client allows for authentication-authorization and accounting with a remote TACACS+ server Secure Shell (SSH), Secure Socket Layer (SSL) for HTTPS and SNMPv3 for encrypted remote management communication Access Control Lists (ACLs) to filter out unwanted traffic including denial of service attacks; Access control lists (ACLs) are per port, MAC SA/DA, IP SA/DA, TCP/ UDP port; Flow based filtering in hardware (L1-L4) Support for Access Control List Manager (ACLMAN) Supports Microsoft Network Access Policy (NAP) protocol Switch protocol security o MD5 for RIPv2, OSPFv2 and SNMPv3 o SSHv2 for secure CLI session with PKI support o SSLv3 for secure HTTP session DHCP Snooping, DHCP-option 82, and DHCP IP Spoof protection
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 206 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IP security enhancement
802.1X/Device Authentication
The following type of packets are processed in software and will increase the CPU usage: Unresolved L3 packet: unknown destination IP on a local subnet Broadcast L2 packet (including ARP requests): IP multicast packet on range 224.0.0.0-224.0.0.255: that includes routing protocol packets such as OSPF, RIPv2 and VRRP packets All IP packets going to a switch ip interfaces: ping, telnet, http Under normal conditions, the protocol packets are always prioritized in order to maintain the network topology. The following protocol packets are by default prioritized: BPDUs OSPF, RIPv2 VRRP IP multicast protocol (IGMP...) ARP (both request and reply) ARP To prevent an ARP attack, the system limits at 500 pps the number of arp packets sent to CPU (flooding of arp on the network is not limited). Also, there is an early arp discard mechanism to prevent the CPU from processing arp request not destined to a switch ip address. However, under attacks towards the switch, the CPU usage could rise dramatically and makes the switch unreachable for management (WebView, OmniVista or Telnet). In order to keep the switch reachable under attacks, some policies can be created to protect the management access. Supported platform: OS6800, OS6850, and OS9000 Detect ARP Flood Detect packets received with invalid Source IP addresses Detect packets received with invalid Destination IP addresses Detect multicast packets with a source MAC that is multicast Detect multicast packets with mismatching destination IP and MAC address Detect multicast packets with a Unicast destination IP and Multicast destination MAC address Detect ping overload Detect packets with Loopback source IP address Supported platform: OS6800, OS6850, and OS9000 There are 4 levels of 802.1x/device classification: -Basic 802.1x port. Only successful authenticated 802.1x devices are allowed in the network -Basic 802.1x port + fail authentication policies. Only 802.1x capable devices are allowed in the network. These policies allow the failed authenticated 802.1x devices to access non-secured (or non authenticated) VLANs -802.1x + non supplicant policies without Mac authentication. Non 802.1x devices are allowed on nonsecured VLANs according to the non-supplicant policies. -802.1x + non supplicant policies with Mac authentication. In this mode, the non 802.1x devices will follow either the non-supplicant authentication pass policies when the Mac authentication is successful or the non-supplicant authentication fail policies when the Mac authentication failed The open-unique and open-global options are no longer applicable. Device Authentication: Maximum number of supplicants / non-supplicant users per system: 1024 Maximum number of non-supplicant users per port: 1024 Maximum number of supplicant users per port: 253 Maximum combined number of supplicant and non-supplicant users per port: 1024 The system supports up to 1024 authenticated/mobile Mac-addresses. Supported/non-supported mobile rule on device authentication: 1. Support rule per tagged/untagged packet type. Mac rule apply on UNTAGGED packet IP subnet rule apply on UNTAGGED packet Protocol rule apply on UNTAGGED packet Port-protocol binding rule apply on UNTAGGED packet Mac-port binding rule apply on UNTAGGED packet Mac-IP-port binding rule apply on UNTAGGED packet Mobile-tag apply on TAGGED packet * Mobile tag only apply on tagged packets, all other rules apply on untagged packet. 2. DHCP related mobile rules are not supported with device authentication (i.e. supplicant/nonsupplicant cases) DHCP generic rule DHCP port rule DHCP Mac / Mac range rule Device authentication with Alcatel-Lucent IP phone:
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 207 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
ACLMAN
Port Disable
Alcatel-Lucent Dynamic IP phone has 3 modes: 1.Untagged dynamic Packet is always untagged. 2.Tagged dynamic Packet is always tagged based on administrator config on phone. 3.Alcatel-Lucent dynamic First packet is untagged, second packet onward is tagged. ACLMAN is a function of the QoS subsystem in AOS. ACLMAN allows a network administrator to manage ACLs using default industry standard syntax on Alcatel-Lucent switches. To enforce the ACLs, ACLMAN translates default industry standard syntax into Alcatel-Lucent QoS filtering policies in a manner transparent to the ACLMAN user. ACLMAN provides the following: The ability to import text files from flash containing default industry standard ACL syntax An interactive shell emulating the default industry standard CLI ACL command syntax ACLMAN supports the following default industry standard ACL types: Standard ACLs Extended ACLs Numbered ACLs Named ACLs These are the limitations for the 6.1.2.R03 release. - Only supported on the OS6850 Series - No stacking support - ACLMAN is restricted by the same number of rule limitations that QoS supports - ACL names are limited to 16 characters Number of DHCP Bindings per ASIC: 126 Number of DHCP Bindings per port: 126 Flow based filtering in hardware (L1-L4) IEEE 802.1x, with Group Mobility & Guest VLAN support MAC based Authentication for non-802.1x host Authenticated VLAN (web & telnet based authentication) MD5 for RIPv2, OSPFv2 and SNMPv3 SSH for secure CLI session and SSL for secure HTTP session Local authentication database Remote authentication RADIUS, LDAP & ACE servers Instead of filtering packets, you can configure a user-port profile to administratively disable an interface upon reception of spoof/BPDUs/rip/ospf/bgp packets. To make the interface operational again, the port must be unplugged/plugged back or disabled/enabled using interfaces s/p admin down and interfaces s/p admin up. Also, a SNMP trap will be sent when an interface goes down because of the user-port shutdown profile. You can configure a Port Disable rule to administratively disable an interface when matching a policy rule. To make the interface operational again, the port must be unplugged/plugged back or disabled/enabled using interfaces s/p admin down and interfaces s/p admin up. Also, a SNMP trap will be sent when an interface goes down when matching a port disable rule
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 208 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
The system sustained Denial of Services attacks from Nessus and no switch anomalies (crash or service interruptions) were observed while running the attacks. Nessus has reported the following vulnerabilities: alya.cgi (Backdoors) AnalogX denial of service (Denial of Service) cisco http DoS (Denial of Service) AnalogX denial of service by long CGI name (Denial of Service) Jigsaw webserver MS/DOS device DoS (Denial of Service) Trend Micro OfficeScan Denial of service (Denial of Service) BadBlue invalid GET DoS (Denial of Service) DCShop exposes sensitive files (General) OpenSSH < 3.0.1 (Gain a shell remotely) Quicktime/Darwin Remote Admin Exploit (Gain a shell remotely) OpenSSL overflow via invalid certificate passing (Gain a shell remotely) TESO in.telnetd buffer overflow (Gain root remotely) OpenSSH AFS/Kerberos ticket/token passing (Gain root remotely) OpenSSH <= 3.3 (Gain root remotely) OpenSSH < 3.7.1 (Gain root remotely) Oracle Application Server Overflow (Gain Root Remotely) AliBaba path climbing (Remote file access) Note: The Nessus suite was tested under the following platform. The following are the versions of Nessus and the Linux platform used. Nessus version: 2.2.0 Linux OS: Fedora Core Release 1 The reported failures are not a threat but a check against the switch which the test Nessus suite reported as vulnerable. For example, when running port scan Nessus will report failures against ports that should not respond or be open but are internal ports leveraged by the subsystem. As the report stated there is no anomalies detected or crashes from the scan.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 209 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Management
Simplified Manageability The following is only a highlight of the advanced network and switch management features supported by the OmniSwitch 6850 Series: OmniVista NMS: Alcatel-Lucents Single voice, data and services network management including OneTouch QoS and SecureView. Carrier-Class Dynamic Mobility Through the application of a comprehensive QoS feature set, the AOS OmniSwitch product family is capable of supporting converged applications such as the VoIP Diagnosing Switch problems: o Port Mirroring; Port based, port mirroring for troubleshooting, supports one session with multiple sources-to-one destination configuration o Port monitoring feature that allows capture of Ethernet packets to a file, or for on-screen display to assist in troubleshooting o SFlow v5 support to monitor and effectively control and manage the network usage o RMON: Supports RFC 2819 RMON group (1-Statistics, 2-History, 3-Alarm, and 9-Events) o Switch Health o Monitoring Memory Tools & Switch Configuration o Switch Logging Local (on the flash) and remote logging (Syslog) Logging into the Switch through Telnet, FTP, HTTP, SSH, SSL, and SNMPv1&v2&v3 o Remote telnet management or secure shell access using SSH o Secured file upload using SFTP, or SCP o SNMPv1/v2/v3 Authentication or AAA Servers Policy Servers; Authentication Servers such as RADIUS, LDAP, and ACE servers Policy-Based Management with LDAP Directory Services System File Management Dual image and dual configuration file storage provides backup Intuitive Alcatel-Lucent CLI for familiar interface and reduced training costs WebView Element Mgmt: Easy to use point & click web based element manager with built-in help for easy configuration of new technology features Remote telnet management or secure shell Secured file upload using SFTP, or SCP Port based, port mirroring for troubleshooting, supports four sessions with four source to one destination configuration. Human readable ASCII based config files for offline editing and bulk configuration Managing Switch Users Accounts & Partitioned Management feature Managing Switch Security IGMPv1/v2/v3 snooping to optimize multicast traffic BootP/DHCP client allows auto-config of switch IP information to simplify deployment Auto-negotiating 10/100/1000 ports automatically configure port speed and duplex setting Auto MDI/MDIX automatically configures transmit and receive signals to support straight thru and crossover cabling DHCP relay to forward client requests to a DHCP server DHCP Option-82 & DHCP Snooping Integration with SNMP manager OmniVista for network wide management System event log Network Time Protocol (NTP) for network wide time synchronization Alcatel-Lucent Interswitch Protocols (AIP) o AMAP: Alcatel-Lucent Mapping Adjacency Protocol (AMAP) for building topology maps within OmniVista o 802.1AB with MED Extensions / LLDP-MED GVRP for 802.1Q-compliant VLAN pruning and dynamic VLAN creation Command Line Interface (CLI), Telnet/SSH for remote CLI access, Web-based (HTTP/HTTPS) and SNMPv1/v2c/v3 for complete NMS integration Serial Console port for local & remote (modem dial up) access (RJ45) Console Port / Serial Connection: The console port, located on the chassis front panel, provides a console connection to the switch and is required when logging into the switch for the first time. By default, this RJ-45 connector provides a DTE console connection. In-band Ethernet access
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 210 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
System Maintenance
System file Transfer Max number of users in local database Max number of users in LDAP/RADIUS/ACE Server database (depends on server capabilities) Max number of SNMP users (login) Max number of simultaneous SNMPv3 requests Max number of simultaneous HTTP sessions Max number of simultaneous Telnet sessions Max number of simultaneous FTP sessions Max number of simultaneous Syslog servers Max number of simultaneous SSH Telnet / FTP sessions Max number of simultaneous User Login sessions Max number of simultaneous Authentications sessions (A-VLAN, A-ACL with RADIUS) Max number of authenticated ports Port Disable
Port Mirroring (one-to-one, many-to-one) RMON (Remote Monitoring): Statistics, History, Alarm & Events, and sFlow Local & Remote logging (Syslog) Detailed Statistics / Alarm / Debug information per process L3 OAM (ICMP Ping and Traceroute) NTP (Network Time Protocol) Internal flash (Compact Flash) to feature: Working Directory Certified Directory XModem and FTP (File Transfer Protocol) / SFTP (Secure FTP) / SCP 65 Greater than 1000 50 50 4 4 4 4 concurrent sessions Syslog to Multiple Hosts: You can send Syslog files to multiple hosts, up to a maximum of 4 servers. 8 13 30 48 You can configure a Port Disable rule to administratively disable an interface when matching a policy rule. To make the interface operational again, the port must be unplugged/plugged back or disabled/enabled using interfaces s/p admin down and interfaces s/p admin up. Also, a SNMP trap will be sent when an interface goes down when matching a port disable rule. A pktDrop SNMP trap will be sent out to the SNMP station when a port goes down because of a user-port shutdown profile or a port disable rule. The same unit cannot support both mirroring and monitoring configuration i.e. a user cannot have a port monitoring and a port mirroring session on the same unit Only one monitoring session at a time across the entire system Only the first 64 bytes of the packet can be monitored. Due to the port monitoring file size, the system can only store the first 2K packets (i.e. 140K/64 = 2187) Enabling the monitoring function affects the performance. As every single monitored packet is enqueued to the CPU, the Q-Dispatcher has to de-queue and look at each and every packet to determine if the destination is PMM (port monitoring module). The performance will be limited by the efficiency of Q-Dispatcher de-queuing speed and also the speed at which PMM can get the packets from Q-Dispatcher through IPC. Due to the performance limitations, monitoring wire rate traffic is not possible at this time. The packets coming to CPU are always tagged and undergo the same FFP modifications as mirroring Port Monitoring not supported on Link Aggregation The N-to-1 port mirroring allows the user to specify multiple numbers of ports, range of ports as mirrored source in a single command. However the maximum number of mirror source ports could be set to 128 for the current release. A user can mirror multiple 10GigE towards 1 port GigE. Of course if more than 1 GigE of traffic we don't expect one to mirror more that the port can deliver Aggregate ports are allowed to be mirrored on the physical ports. Mirroring on the logical link aggregated port ID is not supported. In mirroring, the packet coming out of mirroring port may be different from the ingress packet, based on the type of switching. For all types of mirroring, the mirrored packet carries the FFP (Fast Filtering Processor) modification, mirrored packet may get modified. To mirror port 1/1 to port 1/4, you can choose the following options: In-port Out-port Bi-directional
Port Mirroring
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 211 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Port Mapping (AKA Private VLAN) Allows traffic segregation at L2 User ports in the same session cannot talk to each other Note: this feature is part of Residential bridging features
SFLOW
Port Mapping is a security feature that controls peer users from communicating with each other. A Port Mapping session comprises a session ID and a set of user ports and/or a set of network ports. User ports within a session cannot communicate with each other and can only communicate via network ports. In a Port Mapping session with user port set A and network port set B, ports in set A can only communicate with ports in set B. If set B is empty, ports in set A can communicate with rest of the ports in the system. A port mapping session can be configured in unidirectional or bidirectional mode. In the unidirectional mode, the network ports can communicate with each other within the same session. In the bidirectional mode, the network ports cannot communicate with each other. Network ports of a unidirectional port mapping session can be shared with other unidirectional sessions, but cannot be shared with any sessions configured in bidirectional mode. Network Ports of different sessions can communicate with each other. Port Mapping Specifications: Ports Supported: Ethernet (10 Mbps)/Fast Ethernet (100 Mbps)/Gigabit Ethernet (1 Gb/1000 Mbps) /10 Gigabit Ethernet (10 Gb/10000 Mbps). Mapping Sessions: Eight sessions supported per standalone switch and stack. Port Mapping Defaults: Mapping Session: Creation: No mapping sessions Mapping Status configuration: Disabled Port Mapping Direction: Bi-directional SCP command can be used to get/put the file from/to the server. The scp CLI command is available for copying files in a secure manner between hosts on the network. The scp utility performs encrypted data transfers using the Secure Shell (SSH) protocol. In addition, scp uses available SSH authentication and security features, such as prompting for a password if one is required. Since OS6800/OS6850 does not have any SCP-daemon running on the switch, therefore this feature only works when OS6800/OS6850 works as a client instead of the server. This feature has been validated with SSH 4.0 on Solaris and Linux platforms. Since SSH 4.0 contains SCP, SFTP and SSH features, therefore the system allows the network administrator to create the local user database to specify all domain or family of features (i.e. the family of feature that a user can have access). When a user is being created, all allowed access need to be defined. SFlow is a network monitoring technology that gives visibility to the activity of the network, by providing network usage information. It provides the data required to effectively control and manage the network usage. SFlow is a sampling technology that meets the requirements for a network traffic monitoring solution. SFlow is a sampling technology embedded within switches/routers defined in RFC 3176. It provides the ability to monitor the traffic flows. It requires an sFlow Agent running in the Switch/Router and a sFlow collector which receives and analyses the monitored data. SFlow agent running on the OS6850, combines interface counters and traffic flow (packet) samples on all the configured interfaces into sFlow Datagrams that are sent across the network to an sFlow collector (3rd Party software). Packet sampling is done in hardware and is non-CPU intensive. Current release (6.1.3r01) will not support IPv6 as Collector. The switch sends the first 128 bytes of the sampled packet from which the entire layer 2/3/4 information can be extracted by the receiver. This could include: - Source/Destination Mac address - Source IP/ Destination IP - Source/Destination TCP/UDP/ICMP port - Source/Destination Physical port (Gigabit Port) - IPv4/IPv6 - RIP/OSPF/BGP/PIM-SM/DM (OK, but if this info. falls within the first 128Bytes of the packet) - VLAN - QoS 802.1Q, ToS and DiffServ (DSCP) - Data Payload (OK, but if this information falls within the first 128 Bytes of the packet) - Others (If this information falls within the first 128 Bytes of the packet) Given an IP Address the SFLOW sampling information can be sent to a Collector such as the InMon and/or the Crannog.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 212 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Since the CPU of switch is involved in the datagram processing, there is a built in back-off algorithm which will automatically adjust the sampling rate in the case of CPU congestion on switch. This back-off mechanism is not user-configurable in Release 6.1.3r01. If CPU is congested it automatically continues to double the sampling rate, and will continue to do so up to a very low rate of 1 sample in 2147483647 (2exp31)-1. For a 1Gig interface, the bit rate is 1,000,000,000 bits per second. The back-off algorithm is designed to take effect when the sample rate exceeds 10 samples per second on any interface. Since each sample is configured by default for 128bytes this is 10x128x8 or 10 samples/sec x 1024 bits/sample or 10x1024 bps 1Gbps / 10x1024 bps = 97656 sampling rate. Sampling with all available slot/ports at 10G wire-rates on OS9000 and all ports at 1G on the OS6850 keep backing-off up to 2,147,483,647 and stay fixed at this value until the traffic generation is halted or reduced. That is even running only one 1G interface at wire rate on the OS6850 will back-off to 2147483647 and stay at this (maximum, safe) sampling rate. Recommended sampling rates for various speeds at various load: Sampling Rates Medium Heavy Light Load Load Load 256 512 1024 512 1024 2048 8192* 65536* Max*
TACACS+
10Gb/s 2048 4096 Max* *8192 is the empirical value found in the lab for 10Mbs, 65536 for 100 Mbps *Max: because the OS6850 always backs-off to a max sampling rate of 2147483647 for wire rate at these rates. All other values are those recommended by Inmon. Whatever the configured sampling rate, the back-off mechanism will set the meanskipcount higher or lower depending on what is the unaffecting sampling rate for the CPU. Supported platform: OS6800, OS6850, and OS9000 Release 6.1.3.R01 is the first release to support TACACS+ AAA. AOS implementation is based on the Tacacs+ Protocol: draft-grant-tacacs-02.txt, January 1997. Overview: ASA or Authenticated Switch Access to AOS OmniSwitch running 6.1.3.R01 can be configured to add servers and forward AAA requests to TACACS+. TACACS+ servers are configured similar to RADIUS or LDAP servers; however, (MD5) encryption key is optional. AAA authentication and accounting services must be configured to point to the desired TACACS+ server. It is possible to set authentication and authorization to one TACACS+ server and accounting requests to a different server. The number of configurable servers and fail over to second server is uniform across all AAA server types: Up to 4 servers can be configured and all queries will be sent to the 1st server only. If 1st server is online and user exists on 2nd server, the result will be failed authentication. If the 1st server is down, authentication and authorization requests will only be sent to next available server. If all servers are down, all logins will fail. Different AAA services can be configured to query different authentication servers. All services may use a common authentication protocol or mix of supported protocols: Telnet service may be configured to query RADIUS while http/ftp may be configured to query TACACS+. Or all may query RADIUS. Or all may query TACACS+. In all cases accounting server protocol must match authentication/authorization server protocol. AOS TACACS+ does not support authentication for network or windows domain access. Only AOS switch access with Partition Management type domain family attribute/value pairs is supported. This to say different users or groups of users may be assigned various levels of AOS switch management privileges. The TACACS+ servers run as an external server on Unix or Windows. We have tested with CISCO TACACS+ freeware for Unix and Ciscos Secure ACSv4.0 TACACS+ uses TCP instead of UDP. Each login and supported command is queried back to the server for authorization. TACACS+ configuration is fully supported with AOS WebView. Notes: Tacacs+ supports Authenticated Switch Access and cannot be used for user authentication. Authentication and Authorization operations are combined together and cannot be performed independently. This implies that when Tacacs+ authentication is enabled, Tacacs+ authorization is also enabled. Disabling Tacacs+ authentication automatically disables authorization. A maximum of 50 simultaneous Tacacs+ sessions can be supported, when no other authentication mechanism is activated. This is a limit enforced by the AAA application.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 213 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
The Standard in brief In IEEE 802.3af standard, POE transmits power over the same pair as the data. This method is called the resistive detection method. In non-802.3af or pre-802.3af standard, POE transmits power over a spare pair (not the same pair as the data). This method is called the capacitor detection method. Max power per port The max power per port is 16 watts (15.4watts by default) for OS6850 P Series. Using 350 milliamps in the standard to calculate max power, this is based on loose tolerances (3) for OS6850 POE power supply (Vmain) at 49 volts. Max power per unit OS6850 P Series can support either a 510W or 360W power supply that can be used for either a 24-port or a 48-port chassis. A 510W power supply provides 390W max per P/S for lanpower and 360W power supply gives 240W max per P/S for lanpower. IF another power supply is inserted for redundancy purposes, do not mix unlike power supply. If unlike power supplies are mixed or if an unsupported power supply (such as a 120W power supply) is used, undefined operation will result. Note that a DB25 female-male power cable is needed in order to connect between the chassis and the power supply. Note, that due to some overhead, there will less PoE power available for the end-use. Please see the P/S Specification section for more details. Lanpower Priority For port-priority, the OS6850 is set to low by default in all the ports. Therefore the lowered-numbered ports always have a higher-precedence of retaining lanpower when there is insufficient power for all the ports. In order for higher-numbered ports to have a higher priority, use the CLI command to set the port priority higher lanpower <slot/port> priority <low/high/critical>.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 214 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Source Learning
Source Learning Transparent bridging relies on a process referred to as source learning to handle traffic flow. Network devices communicate by sending and receiving data packets that each contains a source MAC address and a destination MAC address. When packets are received on switch network interface (NI) module ports, source learning examines each packet and compares the source MAC address to entries in a MAC address database table. If the table does not contain an entry for the source address, then a new record is created associating the address with the port it was learned on. If an entry for the source address already exists in the table, a new one is not created. Packets are also filtered to determine if the source and destination address are on the same LAN segment. If the destination address is not found in the MAC address table, then the packet is forwarded to all other switches that are connected to the same LAN. If the MAC address table does contain a matching entry for the destination address, then there is no need to forward the packet to the rest of the network. Source learning builds and maintains the MAC address table on each switch. New MAC address table entries are created in one of two ways: they are dynamically learned or statically assigned. Dynamically learned MAC addresses are those that are obtained by the switch when source learning examines data packets and records the source address and the port and VLAN it was learned on. Static MAC addresses are user-defined addresses that are statically assigned to a port and VLAN. Accessing MAC Address Table entries is useful for managing traffic flow and troubleshooting network device connectivity problems. For example, if a workstation connected to the switch is unable to communicate with another workstation connected to the same switch, the MAC address table might show that one of these devices was learned on a port that belonged to a different VLAN or the source MAC address of one of the devices may not appear at all in the address table. The ASIC is capable of Hardware Learning where the unknown source address of a packet could be learned by the ASIC without software intervention. The advantage of Hardware Learning is to eliminate excessive flooding problem due to the slow learning rate of Software Learning. OS6850 supports both hardware and software source learning modes. Default Chassis source learning mode is Hardware Learning. Default Chassis source learning mode is Hardware Learning. New CLI commands are available to allow user a choice of switching back to Software Learning mode. Mode will also change when the user configures to be mobile, authentication, and/or LPS port.
Hardware Learning
Maximum number of learned MAC addresses per switch (distributed MAC mode disabled) Maximum number of learned MAC addresses total for a stack of up to 8 switches
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 215 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Static MAC addresses are configured using the Mac-address-table command. These addresses direct network traffic to a specific port and VLAN. They are particularly useful when dealing with silent network devices. These types of devices do not send packets, so their source MAC address is never learned and recorded in the MAC address table. Assigning a MAC address to the silent devices port creates a record in the MAC address table and ensures that packets destined for the silent device are forwarded out that port. When defining a static MAC address for a particular slot/port and VLAN, consider the following: Configuring static MAC addresses is only supported on non-mobile ports. The specified slot/port must already belong to the specified VLAN. Use the vlan port default command to assign a port to a VLAN before you configure the static MAC address. Only traffic from other ports associated with the same VLAN is directed to the static MAC address slot/port. Static MAC addresses are permanent addresses. This means that a static MAC address remains in use even if the MAC ages out or the switch is rebooted. There are two types of static MAC address behavior supported: bridging (default) or filtering. Enter filtering to set up a denial of service to block potential hostile attacks. Traffic sent to or from a filtered MAC addr. is dropped. Enter bridging for regular traffic flow to or from the MAC addr. If a packet received on a port associated with the same VLAN contains a source address that matches a static MAC address, the packet is discarded. The same source address on different ports within the same VLAN is not supported. If a static MAC address is configured on a port link that is down or disabled, an asterisk appears to the right of the MAC address in the show Mac-address-table command display. The asterisk indicates that this is an invalid MAC address. When the port link comes up, however, the MAC address is then considered valid and the asterisk no longer appears next to the address in the display. Source learning also tracks MAC address age and removes addresses from the MAC address table that have aged beyond the aging timer value. When a device stops sending packets, source learning keeps track of how much time has passed since the last packet was received on the devices switch port. When this amount of time exceeds the aging time value, the MAC is aged out of the MAC address table. Source learning always starts tracking MAC address age from the time since the last packet was received. By default, the aging time is set to 300 seconds (5 min) and is configured on a global basis. Note. The MAC address table aging time is also used as the timeout value for the Address Resolution Protocol (ARP) table. This timeout value determines how long the switch retains dynamically learned ARP table entries. There are two types of source learning modes currently available: software and hardware. The software mode performs all source learning using switch software. The hardware mode takes advantage of hardware resources that are now available to perform source-learning tasks. At the present time, it is possible to select which mode is active for the chassis and/or a given set of ports. By default, hardware source learning mode is active for the switch. The exception to this is that hardware source learning is not supported on mobile or Learned Port Security (LPS) ports. As a result, only software source learning is performed on these types of ports. Using static multicast MAC addresses allows you to send traffic intended for a single destination multicast MAC address to selected switch ports within a given VLAN. To specify which ports will receive the multicast traffic, a static multicast address is assigned to each selected port for a given VLAN. The ports associated with the multicast address are then identified as egress ports. When traffic received on ports within the same VLAN is destined for the multicast address, the traffic is forwarded only on the egress ports that are associated with the multicast address. When defining a static multicast MAC address for a particular port and VLAN, consider the following: A MAC address is considered a multicast MAC address if the least significant bit of the most significant octet of the address is enabled. For example, MAC addresses with a prefix of 01, 03, 05, 13, etc., are multicast MAC addresses. If a multicast prefix value is not present, then the address is treated as a regular MAC address and not allowed when using the Mac-address-table static-multicast command. Multicast addresses within the following ranges are not supported: 01:00:5E:00:00:00 to 01:00:5E:7F:FF:FF & 01:80:C2:XX.XX.XX & 33:33:XX:XX:XX:XX Configuring static multicast addresses is only supported on non-mobile ports. In addition to configuring the same static multicast address for multiple ports within a given VLAN, it is also possible to use the same multicast address across multiple VLANs. The specified port or link aggregate ID must already belong to the specified VLAN. Use the vlan port default command to assign a port or link aggregate to a VLAN before you configure the static multicast address.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 216 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Software
Third Party Licenses and Notices The licenses and notices related only to such third party software are set forth below: Booting and Debugging Non-Proprietary Software The OpenLDAP Public License: Version 2.4, 8 December 2000 Linux GNU GENERAL PUBLIC LICENSE: Version 2, June 1991 University of California Carnegie-Mellon University Random.c Apptitude, Inc. Agranat RSA Security Inc. Sun Microsystems, Inc. Wind River Systems, Inc. Network Time Protocol Version 4 Alcatel-Lucent's Software Engineering Institute (SEI) Capability Maturity Model (CMM) rating for software processes meets the Level-2 (CMM-level-2) requirements. The Ethernet software is responsible for a variety of functions that support the Ethernet, Gigabit Ethernet and 10Gigabit Ethernet ports on OmniSwitch 6850 Series switches. These functions include diagnostics, software loading, initialization, and configuration of line parameters, gathering statistics, and responding to administrative requests from SNMP or CLI.
Operating Systems
Wind Rivers VxWorks multi-tasking O/S version 5.4 with a Kernel version 2.5. Alcatel-Lucent O/S AOS (Alcatel-Lucents Operating Systems). O/S: AOS (Alcatel-Lucent Operating Systems) based common to OS9000, OS8800, OS7000, OS6800 The AOS is uploaded onto the Flash memory. The advantage of this switch running the AOS is that it is managed using the same interface as with the rest of the Alcatel-Lucent AOS switching & routing platforms. The AOS on the OS6850 platforms provides support for the majority of the features of the larger modular platforms including layer-3 unicast routing using RIPv1&v2, VRRP, or OSPFv2. Group mobility and authenticated VLANs as well as QoS and ACL functionality are supported making the OS6850 a highly functional solution for the core of the network. The O/S supports the ability to detect operating system or other software errors, and report them to an EMS, independently of CPU hardware failures. The operating system is set to detect software exceptions, software trouble reports, and monitor registered software tasks. Depending on the severity of the problem detected the system may reboot; otherwise it just reports the problem and takes corrective action as necessary. In either case, it does communicate the problem, to the NMS in the form of an SNMP trap. Software Each OmniSwitch 6850 Chassis is shipped with base software. All advanced features (with the exception of Advanced Routing Software) are also included in the base software. Authenticated Services Software "[ECCN 5D992] Authentication bundle for Windows w/MD5, RC4, MD4, DES. This bundle provides Funk Software's Steel-Belted OS-SW-SBR-N Radius Enterprise Edition for Microsoft Windows and includes an one-year maintenance contract (maintenance releases, 7X24 phone support and e-service web access)." "[ECCN 5D992] Authentication Bundle for Solaris w/MD5, RC4, MD4, DES. This bundle provides Funk Software's Steel-Belted OS-SW-SBR-S Radius Enterprise Edition for Sun Solaris and includes an one-year maintenance contract (maintenance releases, 7X24 phone support and e-service web access)." Advanced Routing Software OS6850 Advanced Routing software. Includes support for OSPF, BGP, PIM-SM and DVMRP. OS6850-SW-AR
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 217 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 218 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Whats New?
New AOS Release 6.1.2r03 sof tware features for the OS6850 Series:
Alcatel-Lucent Access Guardian/Device Authentication support (set of enhanced security features for IEEE 802.1X) Residential bridging features (DHCP Option-82, DHCP Snooping, and Port Mapping) ACLMAN (OS6850 only) IPv6 Multicast support Hardware based IPv6 (OS6850 only) SFLOW PoE SCP to server for secure upload/download SSH w ith PKI Single entry ACL and ACL extensions VLAN range in CLI and WebView f or easier configuration QoS feature enhancements f or the OS6850s BGPv4 New Transceivers o SFP Gig LH-40km, CWDM, XFP 10Gig ER 40km , XFP 10Gig ZR 80km
Feature Summary
Platforms Feature
802.1Q 2005 (MSTP) 802.1W (RSTP) Spanning Tree (Default) 802.1x Device Classification (Access Guardian) Access Control Lists (ACLs) for IPv6 ACL Manager (ACLMAN) Authenticated Switch Access TACACS+ BGP Graceful Restart DHCP Option-82 DHCP Snooping Generic UDP Relay IP DOS Enhancements IP Multicast Switching (IPMS) - Proxying IPv6 Multicast Switching (IPMS) - Proxying IP Route Map Redistribution L2 DHCP Snooping L2 Static Multicast Addresses L2 MAC Address Table Size Enhancements OSPFv3 PIM and PIM-SSM (Source-Specific Multicast) Policy-Based Routing (Permanent Mode) Port Mapping Port Mirroring (1:128) Power over Ethernet (PoE) Redirection Policies (Port and Link Aggregation) Secure Copy (SCP) Server Load Balancing (SLB) SSH Public Key Authentication Syslog to Multiple Hosts VLAN Range Support VLAN Stacking and Translation VRRPv3 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS9000 OS6850/OS9000 OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS9000 OS9000 OS6800/OS6850/OS9000 OS6850/OS9000 OS6800/OS6850/OS9000 OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS9000 OS6850/OS9000 OS6800/OS6850/OS9000 OS6850 OS9000 OS6850/OS9000 OS9000 OS6850 OS9000 OS6850/OS9000 OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6850/OS9000 OS6850/OS9000
Software Package
Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base Advanced Routing/Base Advanced Routing/Base Base Base Base Base Base Base Base Base Base Base Base Base
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 219 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Feature Summary
Platforms Feature
Increased Number of Authenticated Users IPv6 Extensions for BGP L2 DHCP Snooping Enhancements Learned Port Security Enhancements RIP Timer Configuration Server Load Balancing (SLB) Extended Conditions and Statistics OS6800/OS6850/OS9000 OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6850/OS9000 Base Base Base Base Base Base
Software Package
Feature Summary
Platforms Feature
Ethernet OAM GVRP IP Multicast VLAN IS-IS MAC Retention Ring Rapid Spanning Tree Protocol (RRSTP) OS6850 OS6850 OS6850 OS6850 OS6850 OS6850
Software Package
Base Base Base Advanced Routing Software Base Base
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 220 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 221 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
The following software features are supported with the Release AOSv6.3.1.r01 subject to the terms & conditions as described in the AOSv6.3.1.r01 Official Release Notes.
Feature Summary
Platforms Feature
31-bit Network Mask Support 802.1ab Account & Password Policies Quarantine Manager and Remediation ARP Defense Optimization ARP Poisoning Detect Auto-Qos Prioritization of IP Phone Traffic Auto-Qos Prioritization of NMS Traffic AVLAN support for IE7/Windows Vista DHCP Snooping Option-82 Data Insertion Format DSCP Range Condition ECMP RIP Support Ethernet OAM Generic Routing Encapsulation GVRP IP-IP Tunneling IP MC VLAN Support for multiple sender ports IPv6 Client and/or Server Support IPv6 Multicast Routing IS-IS Learned MAC Address Notification L4 ACLs over IPv6 Mac Authentication for Supplicant/non- Supplicant MAC Retention Traffic Anomaly Detection (Network Security) Policy Based Mirroring Port-based Ingress Limiting PVST+ Remote Port Mirroring RRSTP UDLD User Network Profiles VRRP Global Commands VLAN Stacking Eservices WebView/SNMP support for BGP IPv6 Extensions Windows Vista for WebView OS6850/OS9000 OS6800/OS6850/OS9000 OS6850/OS9000 OS6800/OS6850 OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6850/OS9000 OS6800/OS6850/OS9000 OS6850/OS9000 OS6850/OS9000 OS6850/OS9000 OS6850/OS9000 OS6850/OS9000 OS6850/OS9000 OS6850/OS9000 OS6850/OS9000 OS6800/OS6850/OS9000 OS6850/OS9000 OS6850/OS9000 OS6850 OS6850/OS9000 OS6850/OS9000 OS6850/OS9000 OS6850/OS9000 OS6850/OS9000 OS9000 OS6850/OS9000 OS6800/OS6850/OS9000 OS6850/OS9000 OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000
Software Package
Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base OS6850: Advanced Routing OS9000: Base OS6850: Advanced Routing OS9000: Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base OS6800/OS6850: Advanced Routing OS9000: Base Base
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 222 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Software Supported
In addition to the new software features introduced with the AOSv6.3.1.r01 release, the following software features are also supported, subject to the terms & conditions as described in the AOSv6.3.1.r01 Official Release Notes.
Feature Summary
Platforms Feature
802.1Q 802.1Q 2005 (MSTP) 802.1D/1W Spanning Tree 802.1s Multiple Spanning tree 802.1x with Multiple Client Support 802.1x Device Classification (Access Guardian) Access Control Lists (ACLs) Access Control Lists (ACLs) for IPv6 ACL & Layer-3 Security ACL Manager (ACLMAN) Authenticated Switch Access Authenticated VLANs Automatic VLAN Containment (AVC) Basic IPv4 Routing Basic IPv6 Routing (static, RIPng) IP DoS Filtering BGPv4 BGP Graceful Restart BPDU Shutdown Ports Command Line Interface (CLI) DHCP Relay DHCP Option-82 DHCP Snooping DNS Client Dynamic VLAN Assignment (Mobility) DVMRP End User Partitioning Ethernet Interfaces Flood/Storm Control Health Statistics HTTP/HTTPS Port Configuration Interswitch Protocols (AMAP) IP DOS Filtering IPv4 Multicast Switching (IPMS) & Routing (IPMR) IPv6 Routing IPv6 Multicast Switching (MLD) IPv4 Multicast Switching (Proxying) IPv6 Multicast Switching (Proxying) IPv6 (NDP) IPv4 & IPX Routing Learned Port Security (LPS) Link Aggregation (static & 802.3ad) MAC Address Mode Local Proxy ARP Multicast Routing IP Multinetting IP Route Map Redistribution L2 DHCP Snooping L2 Static Multicast Address NTP Client OSPFv2 OSPFv3 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6850/OS9000 OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6850/OS9000 OS6800/OS6850/OS9000 OS6850/OS9000 OS6850/OS9000 OS6800/OS6850/OS9000 OS6850/OS9000 OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6850/OS9000
Software Package
Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base Advanced Routing on the OS6800/OS6850 & Base Advanced Routing on the OS6800/OS6850 & Base Base Base Base Base Base Base Base Advanced Routing on the OS6800/OS6850 & Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base Advanced Routing on the OS6800/OS6850 & Base Advanced Routing on the OS6850 & Base
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 223 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Partitioned Switch Management Per-VLAN DHCP Relay PIM & PIM-SSM (Source-Specific Multicast) Policy Server Management Policy-Based Routing (Permanent Mode) Port Mapping Port Mirroring (1:24) Port Mirroring (1:128) Port Monitoring Power over Ethernet (PoE) Quality of Service (QoS) / ACL & Layer-3 Security Enhancements Quality of Service (QoS) Redirection Policies (port and Link Aggregates) RIPv1 & RIPv2 RIPng RMON-I Router Discovery Protocol (RDP) Routing Protocol Preference Secure Copy (SCP) Secure Shell (SSHv2) SSH Public Key Authentication Server Load Balancing SFlow Smart Continuous Switching: Hot Swap Management Module Fail over Power Monitoring Redundancy SNMP Source Learning Software Rollback Spanning Tree Syslog to Multiple Hosts Switch Diagnostics Switch Logging Text File Configuration User Definable Loop-back Interface UDP Relay VLANs VLAN Stacking and Translation VRRPv2 VRRPv3 Web-Based Management (WebView)
OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6850/OS9000 OS6800/OS6850/OS9000 OS6800 OS6850/OS9000 OS6800/OS6850/OS9000 OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6850/OS9000 OS6800/OS6850/OS9000 OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6850/OS9000 OS6850/OS9000 OS6800/OS6850/OS9000
Base Base Advanced Routing on the OS6800/OS6850 & Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base
OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6800/OS6850/OS9000 OS6850/OS9000 OS6800/OS6850/OS9000 OS6850/OS9000 OS6800/OS6850/OS9000
Base Base Base Base Base Base Base Base Base Base Base Base Base Base Base
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 224 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Alcatel-Lucent Value Propositions: Value High Availability Embedded Security Distributed Intelligence Simplified Manageability Alcatel-Lucents fixed & stackable configuration switches (including the OmniSwitch 6850 Series) are part of the larger Alcatel-Lucent LAN enterprise switching & routing portfolio that includes the modular-based OmniSwitch 7700, 7800, 8800, and 9000 series of switches. Together, this portfolio offers a complete core solution with high availability, intelligent performance, and enhanced security in an easy to manage, flexible and scalable package.
Vallue Va ue V
Alcatel-Lucents enterprise networking mission is to provide its customers with the industry's best value in highly available, secure and easy-to-manage network solutions. The industrys best value means having leading features for availability, security and manageability and simultaneously reducing the total cost of network ownership. In short, the best network at the best total cost. With up to 384Gbps FD switching capacity, the OS6850 can be a very cost-effective distribution layer, server aggregation, or core switch. The OS6850 value offers the enterprise the opportunity to invest in the future at prices they can afford today. Key Customers: specific names of key customers will be provided upon a successful bid and/or NDA. Alcatel-Lucent provides communications solutions to telecommunication carriers, Internet service providers and enterprises for delivery of voice, data and video applications to their customers or to their employees. Alcatel-Lucent leverages its leading position in fixed and mobile broadband networks, applications and services to bring value to its customers in the framework of a broadband world. As the largest supplier of telecommunications equipment to carriers in the world, Alcatel-Lucent possesses vast experience in providing carrier class Internet routing and fiber optic solutions, including SONET multiplexing, IP and ATM switching, and wave division multiplexing equipment. For example, our 7750 routing platform is extensively used by carriers and by municipalities as a high-end routing platform with integral MPLS and VPN services. Similarly, we provide a significant portion of the electronics that ties together both the terrestrial and the undersea fiber optic infrastructure throughout the world. With sales of EURO 12.5 billion in 2003, Alcatel-Lucent operates in more than 130 countries. For more information, visit Alcatel-Lucent on the Internet: http://www.Alcatel-Lucent.com About Alcatel-Lucent Enterprise Networking Solutions Alcatel-Lucent delivers standards-based IP communications solutions to a global customer base of over 500,000 small, medium and large enterprises, government agencies, healthcare facilities, and educational institutions. Alcatel-Lucent's award-winning Omni family of IP Communications solutions consists of an extensive portfolio of network switching infrastructure products and IP telephony products built to provide long-term value. Key Partners: A longer list of Alcatel-Lucents Partners with specific Marketing relationships will be provided upon a successful bid and/or NDA. Alcatel-Lucent has created a partnering program that enables it to work with a limited set of vendors in order to provide solutions that fall outside of its core competencies. Partnerships provide channels and customers a catalog of product solutions that are easy to find, evaluate, buy, install, and operate. Some of the security partnerships Alcatel-Lucent has established include: Fortinet Security Technology Vendor: Resale, Service & Support Sygate Security Technology Vendor: Resale, Service & Support TruSecure: Professional Services Aruba Corporation (Wireless LAN products): Resale, Service & Support Funk Software Corporation: RADIUS InterLink Networks RAD: RADIUS RSA: SSL implementation and ACE Server Open SSH: SSH RSA, VASCO, ActivCard, CRYPTO Card, Secure Computing: Security Token StoneSoft: High-Availability VLANs
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 225 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
High Availability
The Alcatel-Lucent AOS OmniSwitch product family has been designed from its inception to provide carrier-class availability to meet the needs of missioncritical, IP Communications, and converged network environments. With the increasing importance of networks carrying voice and real-time applications, there is an increased need for availability that reaches across the network links and end user devices. Additionally, there is also the need for high availability in the areas of security and manageability, with intelligence and performance as integral parts of the network infrastructure to enable enterprises to achieve their availability goals. A very cost effective, highly available, highly scalable and highly re-configurable network will be achieved when the OS6850 is deployed in your LAN enterprise network. The following is only a highlight of the availability features supported by the OmniSwitch 6850 Series: Smart Continuous Switching: Hot Swap, Management Module Fail-over, Power Monitoring, Redundancy, and Stack ability Redundant Management & Switch Fabric (stacking configuration) Redundant Stacking link Hot swappable components & hot insertable support: switch modules, SFPs/XFPs Redundant Power Supplies (Redundant 1:1 power provided by the OS6850-BPS) Redundant 1: 1 PoE power provided by the PoE Power Supplies Spanning Tree robustness (Single or Multiple STP options): IEEE 802.1D (STP) (802.1D spanning tree for loop free topology and link redundancy) and IEEE 802.1w-Rapid Reconfiguration of Spanning Tree (allows sub-second failover to redundant link) o Ring Rapid Spanning Tree optimized for ring topology to provide less than 100ms convergence time o IEEE 802.1s multiple spanning tree and Alcatel per-VLAN spanning tree (1x1) o PVST+ Fast forwarding mode on user ports to bypass 30-second delay for spanning tree Prevents unauthorized spanning-tree enabled attached bridges from operating. BPDU blocking automatically shuts down switch ports being used as user ports if a spanning tree BPDU packet is seen. Prevents unauthorized spanning-tree enabled attached bridges from operating. Priority queues: eight hardware-based queues per port VRRP (Virtual Router Redundancy Protocol), and OSPF ECMP (Equal Cost Multipath Protocol) Dynamic link aggregation IEEE 802.3ad (that supports automatic configuration of link aggregates with other switches) with resilient uplink capabilities Static link aggregation with OmniChannel (that supports automatic configuration of link aggregates with other switches) IEEE 802.1s: MISTP (802.1s) is an IEEE standard which allows several VLANs to be mapped to a reduced number of spanning-tree instances. This is possible since most networks do not need more than a few logical topologies. Each instance handles multiple VLANs that have the same Layer 2 topology. Software Resiliency: The AOS OmniSwitch product family provides fully redundant and resilient system components to insure continuous, non-stop operation. This includes redundant subsystems, hot swappable modules, load-sharing components, hitless software loading, downloadable bootstrap, and image rollback which allows the system to automatically re-load previous configurations and software versions. o Software image and configuration recovery o Image and configuration synchronization for Management Modules Broadcast storm control Downloadable bootstrap Chassis thermal protection/shutdown Hardware monitoring, temperature monitoring, and power monitoring & management Short cold and warm boot times Built-in security and device hardening Network and Link Resiliency: Network and link resiliency are important parts of network availability, and the AOS OmniSwitch product family supports advanced routing, load sharing, and mechanisms for fast reconfiguration of links between switches, servers, and other network devices. These include: o VRRP (Virtual Router Redundancy Protocol), and OSPF Equal Cost Multipath Protocol Topological Network Redundancy: In order to provide the highest levels of availability throughout an enterprise, it is important to build redundancy and resiliency into the topology at the network level to insure that links have backups and traffic is always flowing. This includes: o Physical redundancy o Layer 2 and layer 3 redundancies
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 226 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
The Spanning Tree Algorithm and Protocol (STP) is a self-configuring algorithm that maintains a loop-free topology while providing data path redundancy and network scalability. Based on the IEEE 802.1D standard, the Alcatel.Lucent STP implementation distributes the Spanning Tree load between the primary management switch in the stack and the other switches in the stack. This ensures a Spanning Tree that continues to respond to STP Bridge Protocol Data Units (BPDU) received on switch ports and port link up and down states in the event of a management fail over to a backup management switch. In addition, the Alcatel.Lucent distributed implementation incorporates the following Spanning Tree features: Configures a physical topology into a single STP to ensure that there is only one data path between any two switches. Supports fault tolerance within the network topology. The Spanning Tree is reconfigured in the event of a data path or bridge failure or when a new switch is added to the topology. Supports two Spanning Tree operating modes; flat (single STP instance per switch) and 1x1 (single STP instance per VLAN). 1x1 mode can be configured to interoperate with Ciscos proprietary Per VLAN Spanning Tree instance (PVST+). Supports four Spanning Tree Algorithms; 802.1D (STP), 802.1w (RSTP), 802.1Q 2005 (MSTP), and RRSTP. Allows 802.1Q tagged ports and link aggregate logical ports to participate in the calculation of the STP topology. The Distributed Spanning Tree software is active on all switches by default. As a result, a loop-free network topology is automatically calculated based on default Spanning Tree switch, VLAN, and port parameter values. It is only necessary to configure Spanning Tree parameters to change how the topology is calculated and maintained. Spanning Tree Overview Alcatel-Lucent switches support the use of the 802.1D Spanning Tree Algorithm and Protocol (STP), the 802.1w Rapid Spanning Tree Algorithm and Protocol (RSTP), the 802.1Q 2005 Multiple Spanning Tree Protocol (MSTP), and the Ring Rapid Spanning Tree Protocol (RRSTP). RSTP expedites topology changes by allowing blocked ports to transition directly into a forwarding state, bypassing listening and learning states. This provides rapid reconfiguration of the Spanning Tree in the event of a network path or device failure. The 802.1w standard is an amendment to the 802.1D document, thus RSTP is based on STP. Regardless of which one of these two protocols a switch or VLAN is running, it can successfully interoperate with other switches or VLANs. 802.1Q 2005 is a new version of MSTP that combines the 802.1D 2004 and 802.1S protocols. This implementation of 802.1Q 2005 also includes improvements to edge port configuration and provides administrative control to restrict port role assignment and the propagation of topology change information through bridge ports. MSTP is an enhancement to the 802.1Q Common Spanning Tree (CST), which is provided when an Alcatel-Lucent switch is running in the flat Spanning Tree operating mode. The flat mode applies a single spanning tree instance across all VLAN port connections on a switch. MSTP allows the configuration of Multiple Spanning Tree Instances (MSTIs) in addition to the CST instance. Each MSTI is mapped to a set of VLANs. As a result, flat mode can now support the forwarding of VLAN traffic over separate data paths. RRSTP is faster than MSTP. It is used in a ring topology where bridges are connected in a point to point manner. This protocol identifies the bridge hosting the alternate (ALT) port in lesser convergence time. This ALT port is changed to the forwarding state immediately without altering the MSTP state to enable the data path. The RRSTP frame travels from the point of failure to the bridge hosting the ALT port in both the directions. The MAC addresses matching the ports in the ring are flushed to make the data path convergence much faster than normal MSTP.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 227 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Spanning Tree Specifications & Defualts Maximum number of Spanning Tree instances per stand-alone or per stack: 252
IEEE Standards supported 802.1DMedia Access Control (MAC) Bridges 802.1wRapid Reconfiguration (802.1D Amendment 2) 802.1Q 2005Virtual Bridged Local Area Networks 802.1Q 2005Multiple Spanning Trees (MSTP) Spanning Tree Operating Modes supported: Flat mode - one spanning tree instance per switch 1x1 mode - one spanning tree instance per VLAN Spanning Tree Protocols supported: 802.1D Standard Spanning Tree Algorithm and Protocol (STP) 802.1w Rapid Spanning Tree Algorithm and Protocol (RSTP) 802.1Q 2005 Multiple Spanning Tree Protocol (MSTP) Ring Rapid Spanning Tree Protocol (RRSTP) Spanning Tree port eligibility: Fixed ports (non-mobile) 802.1Q tagged ports Link aggregate of ports Number of 1x1 Spanning Tree instances: 252 Number of Multiple Spanning Tree Instances (MSTI) supported: 16 MSTI, in addition to the Common and Internal Spanning Tree instance (also referred to as MSTI 0). Number of Ring Rapid Spanning Tree rings (RRSTP) supported: 128 CLI Command Prefix Recognition: All Spanning Tree commands support prefix recognition. Spanning Tree Bridge Parameter Defaults Spanning Tree operating mode: 1x1 (a separate Spanning Tree instance for each VLAN) Spanning Tree protocol: RSTP (802.1w) BPDU switching status: Disabled Spanning Tree priority level for the bridge (VLAN): 32768 Hello time interval between each BPDU transmission.: 2 seconds Maximum aging time allowed for Spanning Tree information learned from the network: 20 seconds Spanning Tree port state transition time: 15 seconds Automatic VLAN Containment: Disabled Capability of 1X1 mode to interoperate with Ciscos PVST+ mode: Disabled Spanning Tree Port Parameter Defaults Spanning Tree port administrative state: Enabled Spanning Tree port priority value:7 Spanning Tree port path cost: 0 (cost is based on port speed) Path cost mode: Auto (16-bit in 1x1 mode and STP or RSTP flat mode, 32-bit in MSTP flat mode) Port state management mode: Dynamic (Spanning Tree Algorithm determines port state) Type of port connection: auto point to point Type of BPDU to be used on a port when the 1X1 mode is configured to interoperate with Ciscos PVST+ mode: Auto Multiple Spanning Tree (MST) Region Defaults The MST Region Name: Blank The revision level for the MST region: 0 The maximum number of hops authorized for the region: 20 The number of Multiple Spanning Tree Instances (MSTI): 1 (flat mode instance) The VLAN to MSTI mapping: All VLANs are mapped to the Common Internal Spanning Tree (CIST) instance Ring Rapid Spanning Tree (RRSTP) Defaults The following parameter value is specific to RRSTP and is only configurable when the flat mode is active on the switch. Ring status: Disabled
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 228 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IEEE 802.1W (RSTP) Default IEEE 802.1s Multiple Spanning Tree Protocol (MSTP)
The Rapid Spanning Tree Protocol (RSTP) is the default Spanning Tree protocol for the OmniSwitch 6800/6850/9000 regardless of which mode (flat or 1x1) is active. The Alcatel-Lucent Multiple Spanning Tree (MST) implementation provides support for the IEEE 802.1s Multiple Spanning Tree Protocol (MSTP). In addition to the 802.1D Spanning Tree Algorithm and Protocol (STP) and the 802.1w Rapid Spanning Tree Algorithm and Protocol (RSTP), MSTP also ensures that there is always only one data path between any two switches for a given Spanning Tree instance to prevent network loops. MSTP is an enhancement to the 802.1Q Common Spanning Tree (CST), which is provided when an Alcatel-Lucent switch is running in the flat Spanning Tree operating mode. The flat mode applies a single spanning tree instance across all VLAN port connections on a switch. MSTP allows the configuration of Multiple Spanning Tree Instances (MSTIs) in addition to the CST instance. Each MSTI is mapped to a set of VLANs. As a result, flat mode can support the forwarding of VLAN traffic over separate data paths. In addition to 802.1s MSTP support, the 802.1D STP and 802.1w RSTP are still available in either the flat or 1x1 mode. However, if using 802.1D or 802.1w in the flat mode, the single spanning tree instance per switch algorithm applies. MST Specifications: IEEE Standards supported: 802.1DMedia Access Control (MAC) Bridges 802.1wRapid Reconfiguration (802.1D Amendment 2) 802.1QVirtual Bridged Local Area Networks 802.1sMultiple Spanning Trees (802.1Q Amendment 3) Spanning Tree Operating Modes supported: Flat mode - one spanning tree instance per switch 1x1 mode - one spanning tree instance per VLAN Spanning Tree Protocols supported: 802.1D Standard Spanning Tree Algorithm and Protocol (STP) 802.1w Rapid Spanning Tree Algorithm and Protocol (RSTP) 802.1s Multiple Spanning Tree Algorithm and Protocol (MSTP) Ring Rapid Spanning Tree Protocol (RRSTP) Spanning Tree Port Eligibility: Fixed ports (non-mobile) 802.1Q tagged ports Link aggregate of ports Number of 1x1 Spanning Tree instances supported: 253 Number of Multiple Spanning Tree Instances (MSTI) supported: 16 MSTI in addition to the Common and Internal Spanning Tree instance (also referred to as MSTI 0). CLI Command Prefix Recognition: All Spanning Tree commands support prefix recognition.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 229 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
RRSTP Alcatel-Lucent switches support the use of the 802.1D Spanning Tree Algorithm and Protocol (STP), the 802.1w Rapid Spanning Tree Algorithm and Protocol (RSTP), the 802.1Q 2005 Multiple Spanning Tree Protocol (MSTP), and the Ring Rapid Spanning Tree Protocol (RRSTP). RRSTP is faster than MSTP. It is used in a ring topology where bridges are connected in a point to point manner. This protocol identifies the bridge hosting the alternate (ALT) port in lesser convergence time. This ALT port is changed to the forwarding state immediately without altering the MSTP state to enable the data path. The RRSTP frame travels from the point of failure to the bridge hosting the ALT port in both the directions. The MAC addresses matching the ports in the ring are flushed to make the data path convergence much faster than normal MSTP. The max number of nodes in a ring running RRSTP is 40.
PVST+ Interoperability
Ring Rapid Spanning Tree Protocol (RRSTP) is complimentary to the Multiple Spanning Tree Protocol (MSTP) but is designed to provide a faster convergence time than MSTP. Note that RRSTP is supported only in a ring topology where switches are connected point to point. In addition, there can be no alternate connections for the same instance between any two switches within a ring topology. RRSTP reduces convergence time by finding the bridge that hosts the alternate (ALT) port and immediately changing the ALT port state to forwarding without altering the MSTP port state. This process quickly enables the data path. The RRSTP frame travels from the point of failure to the ALT port in both directions. The MAC addresses corresponding to the ports in the ring are flushed to make the data path convergence time much faster than the normal MSTP. While RRSTP is already reacting to the loss of connectivity, the standard MSTP BPDU carrying the information about the link failure is processed in normal fashion at each hop. When this MSTP BPDU reaches the bridge whose ALT port is now in the "ALT FWD" state, due to RRSTP frame processing, it updates the MSTP state of the two ports in the ring as per the MSTP standard. RRSTP is only supported when the switch is configured in Flat mode (RRSTP or MSTP). Release 6.3.1 adds support for the OS9000 and VLAN Stacking. Ring Rapid Spanning Tree Defaults The following parameter value is specific to RRSTP and is only configurable when the flat mode is active on the switch. Ring status: Disabled by default The following limitations should be noted when using RRSTP: A port on a bridge can only be part of one RRSTP ring at any given instance. All bridges, which need to be made part of a ring, can be configured only statically. Fast convergence will not occur if an RRSTP frame is lost. However, MSTP convergence will still take place at a later time because there is no way of knowing about the RRSTP frame loss. RRSTP convergence may not happen when changes in configuration result in an unstable topology. If either of the two ports of the RRSTP ring on a bridge goes down or if one of the bridges in the ring goes down, the RRSTP convergence may not happen. However, MSTP convergence will continue without interruption. Maximum of 128 rings can participate on a switch. The current Alcatel-Lucent 1x1 Spanning Tree mode has been extended to allow all user ports on an OmniSwitch to transmit and receive either the standard IEEE BPDUs or proprietary PVST+ BPDUs. An OmniSwitch can have ports running in either 1x1 mode when connecting to another OmniSwitch, or PVST+ mode simultaneously. It is mandatory that all the Cisco switches have the Mac Reduction Mode feature enabled. Priority values can only be assigned in multiples of 4096 to be compatible with the Cisco MAC Reduction mode. In a mixed OmniSwitch and Cisco environment, it is highly recommended to enable PVST+ mode on all OmniSwitches in order to maintain the same root bridge for the topology. Alcatel-Lucents PVST+ interoperability mode is not compatible with a switch running in PVST mode. The same default path cost mode, long or short, must be configured the same way on all switches.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 230 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Alcatel-Lucents link aggregation software allows you to configure the following two different types of link aggregation groups: Static (OmniChannel) link aggregate groups IEEE 802.3ad Dynamic link aggregate groups Static Link aggregation allows you to combine 2, 4, or 8, physical connections into large virtual connections known as link aggregation groups. You can create up to 32 link aggregation groups on a standalone switch. You can create Virtual LANs (VLANs), configure Quality of Service (QoS) conditions, 802.1Q framing, and other networking features on link aggregation groups because the switchs software treats these Virtual links just like physical links. Load balancing for Layer 2 non-IP packets is on a MAC address basis and for IP packets the balancing algorithm uses IP address as well. Ports must be the same speed within the same link aggregate group. Using link aggregation can provide the following benefits: Scalability: You can configure up to 32 link aggregation groups that can consist of 2, 4, or 8 10Mbps, 100Mbps, 1Gbps, or 10Gbps Ethernet links in the switch. Reliability: If one of the physical links in a link aggregate group goes down (unless it is the last one) the link aggregate group can still operate. Ease of Migration: Link aggregation can ease the transition from a 100 Mbps Ethernet backbones to Gigabit Ethernet backbones. Interoperability with Legacy Switches. Static link aggregation can interoperate with OmniChannel on legacy switches. Static Link Aggregation Specifications: Maximum number of link aggregation groups per switch: 32 Number of Links per group supported: 2,4, or 8 Range for optional group name: 1 to 225 characters Note: Link aggregation traps include one that will send a trap when a single link in the aggregate group is down or cannot join the aggregate group. On the 6850's, the multiple ports must be on the same "Stack" of 6850's. They can be on separate 6850's but those 6850's must be cabled together with a Stacking cable and it must be functioning as a stack.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 231 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Automatic Monitoring
User-Driven Monitoring
Alcatel-Lucents link aggregation software allows you to configure two different types of link aggregation groups: Static link aggregate (OmniChannel) groups Dynamic link aggregate groups Dynamic Link aggregation allows you to combine 2, 4, or 8 physical connections into large virtual connections known as link aggregation groups. You can create up to 32 link aggregation groups on a standalone switch. You can create Virtual LANs (VLANs), configure Quality of Service (QoS) conditions, 802.1Q framing, and other networking features on link aggregation groups because switch software treats these virtual links just like physical links. Link aggregation groups are identified by unique MAC addresses, which are created by the switch but can be modified by the user at any time. Load balancing for Layer 2 non-IP packets is on a MAC address basis and for IP packets the balancing algorithm uses IP address as well. Ports must be the same speed within the same aggregate group. Using link aggregation can provide the following benefits: Scalability: On OmniSwitch 6850 switches, you can configure up to 32 link-aggregation groups that can consist of 2, 4, or 8 10-Mbps, 100-Mbps, 1-Gbps, or 10-Gbps Ethernet links. Reliability: If one of the physical links in a link aggregate group goes down (unless it is the last one) the link aggregate group can still operate. Ease of Migration: Link aggregation can ease the transition from a 100 Mbps Ethernet backbones to Gigabit Ethernet backbones. Dynamic (IEEE 802.3ad) Link Aggregation Specifications: IEEE Specification supported: IEEE 802.3ad Aggregation of Multiple Link Segments Maximum number of link aggregation groups per stand-alone OmniSwitch 6850 Series switches: 32 Number of Links per group supported: 2,4, or 8 Range for optional group name: 1 to 225 characters Group actor admin key: 0 to 65535 Group actor system priority: 0 to 65535 Group partner system priority: 0 to 65535 Group partner admin key: 0 to 65535 Port actor admin key: 0 to 65535 Port actor system priority: 0 to 255 Port partner admin key: 0 to 65535 Port partner admin system priority: 0 to 255 Port actor port: 0 to 65535 Port actor priority: 0 to 255 Port partner admin port: 0 to 65535 Port partner admin port priority: 0 to 255 CLI Command Prefix Recognition: All dynamic link aggregation configuration commands support prefix recognition. Note: Link aggregation traps include one that will send a trap when a single link in the aggregate group is down or cannot join the aggregate group. On the 6850's, the multiple ports must be on the same "Stack" of 6850's. They can be on separate 6850's but those 6850's must be cabled together with a Stacking cable and it must be functioning as a stack. Automatic monitoring refers to the switchs built-in sensors that automatically monitor operations. If an error is detected (e.g., over-threshold temperature), the switch immediately sends a trap to the user. The trap is displayed on the console in the form of a text error message. (In the case of an overthreshold temperature condition, the chassis displays an amber TEMP LED in addition to sending a trap.) OmniSwitch 6850 Series switches can be monitored and managed via the console port using Command Line Interface (CLI) commands. The switches can also be monitored and managed via the Ethernet ports using CLI commands, WebView (Alcatel-Lucent AOS web-based Element Manager), SNMPv3, and Alcatel-Lucent OmniVista NMS. The front panel of OS6850 switches and NI Modules provides status LEDs that are useful in visually monitoring the status of NI modules. Front panel LEDs include: Ethernet Port LEDs, and Slot Indicator LED System Status LEDs User-driven hardware monitoring refers to CLI commands that are entered by the user in order to access the current status of hardware components. The user enters show commands that output information to the console. Monitoring information for chassis components such as the optional back up power supply, chassis temperature sensor, chassis fansetc.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 232 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Software Rollback The directory structure inherent in the Management software allows for a switch to return to a previous, more reliable version of image or configuration files.
MAC Retention
The directory structure inherent in an OmniSwitch switch allows for a switch to return to a previous, more reliable version of image or configuration files. Changes made to the configuration file may alter switch functionality. These changes are not saved unless explicitly done so by the user. If the switch reboots before the configuration file is saved, changes made to the configuration file prior to the reboot are lost. Likewise, new image files should be placed in the working (non-certified) directory first. New image or configuration files can be tested to decide whether they are reliable. Should the configuration or images files prove to be less reliable than their older counterparts in the certified directory, then the switch can be rebooted from the certified directory, and rolled back to an earlier version. Once the contents of the working directory are established as good files, then these files can be saved to the certified directory and used as the most reliable software to which the switch can be rolled back to in an emergency situation. The MAC Retention functionality is implemented to support Smart Continuous Switching (SCS) for stackable products by retaining the base MAC address during takeover. As a result, both L2 and L3 traffic as well as the associated control protocols (e.g. routing protocols, spanning tree) shall no longer be affected during takeover. Release 6.3.1 added enhancements for avoiding duplicate MAC scenarios. If the primary element is not returned to the stack after a preset time, a trap will be generated indicating the possibility of a duplicate MAC. A duplicate MAC scenario would occur if the primary element was put back into the network since the stack has retained the primary elements MAC address. MAC Retention allows a system of stackable switches to retain the MAC address of the primary switch for a fixed or indefinite time, even after multiple takeovers. This minimizes the recalculation of protocols, such as Spanning Tree and Link Aggregation. It also minimizes the updation of tables, such as the Address Resolution Protocol (ARP) table for IPv4 routing and the Neighbor Discovery table for IPv6 routing. MAC Retention Defaults The following lists the defaults for MAC Retention configuration: MAC Address Retention status: Disabled Status of duplicate MAC Address trap: Disabled MAC Retention Overview A stack element or simply element is a switch that has designated stacking ports. The switches are operatively interconnected via these ports to form a virtual chassis referred to as a stack. Each element in a stack can be elected as the primary or the secondary element. The primary element is elected based on the highest uptime or the lowest slot number or the lowest base MAC address. The secondary element is elected based on the lowest slot number or the lowest base MAC address of the remaining elements in the stack.The system of stackable switches is generally coupled in a series and the topology of the system is generally characterized by a closed loop called a ring. A stackable switch is adapted to perform switching between its own data ports and between the data ports of other stackable switches by transmitting packets via the stacking ports. Each stack element has a unique base MAC address. Generally, the stack address is the MAC address of the current primary element. When a primary element fails, a secondary element starts functioning as the new primary element. This is known as takeover. During takeover, the stack address is also accordingly changed to reflect the base MAC address of the new primary element. Whenever a takeover occurs, it impacts not only the stack, but also the devices that communicate with that stack.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 233 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Stacking
Stackability support Users can configure up to eight (8) OmniSwitch 6850 Series switches, in any combination of OS6850-24 and OS6850-48 chassis types, into a single virtual chassis known as a stack. With stacks, simply adding additional switches to the stack can easily expand switching capacity. For example, a user can start with a stack composed of two switches and add up to six additional switches to that stack as network demands increase over time. Stacks also provide enhanced resiliency and redundancy features. If a switch in a stack goes down or is taken offline, the other elements in the stack will continue to operate without disruption. In addition, when a switch auto-synchronizes at boot-up, or if the user manually synchronizes the switches operating software and configuration parameters are backed up on all switches in the stack. As a result, the original operating software and configuration parameters can be easily recovered if corrupted or otherwise lost. In order to operate as a virtual chassis, switches within an OmniSwitch 6850 Series stack are assigned specific roles. These roles include primary and secondary management roles, idle status, and pass-through. When OmniSwitch 6850 Series switches operate in a stack, one switch in the stack always assumes the primary management role. This primary element is responsible for functions, such as software and configuration management, web-based management (i.e., WebView), SNMP management, switch diagnostics, and software rollback. One additional switch in the stack operates in a secondary management role. This switch serves as a backup, and is always ready to assume the primary management role in the stack if the switch with the primary role fails or is taken offline for any reason. Since the secondary module quickly and automatically assumes management responsibilities, switches operating in idle mode elsewhere in the stack continue to pass traffic without disruption. This redundancy provides effective safeguards for mission-critical network traffic and is one of the stacks most important failover features. In stacked configurations, one OmniSwitch 6850 switch is designated as the primary management module for the stack. Because the stack can be thought of as a virtual chassis, the role of this primary management switch is to monitor and manage the functions of the entire stack. Similar to chassis-based switches, the stack also includes a secondary, or backup, management module. A stacks secondary switch immediately takes over management functions in the event of a primary switch failure. All switches in the stack besides the primary and secondary switch are considered idle or in pass-through. Idle switches act like Ethernet Network Interface (ENI) modules chassis-based switches in that they provide mainly Ethernet connectivity for 10/100/1000 traffic. The stack provides support for all idle switches during primary switch fail-over. In other words, if the primary switch in the stack fails or goes offline for any reason; all idle switches will continue data transmission during the secondary switchs takeover process. This availability feature is referred to as Smart Continuous Switching. Complete hot stand-by (not load sharing), hot-swappable and redundant Management. In a stacking configuration, one switch is elected to provide the primary management functions while another switch is elected to provide redundancy in case of management failure. When OmniSwitch 6850 Series switches operate in a stack, one switch in the stack always assumes the primary management role. This primary element is responsible for functions such as software and configuration management, web-based management (i.e., WebView), SNMP management, switch diagnostics, and software rollback. One additional switch in the stack operates in a secondary management role. This switch serves as a backup, and is always ready to assume the primary management role in the stack if the switch with the primary role fails or is taken offline for any reason. Because the secondary module quickly and automatically assumes management responsibilities, switches operating in idle mode elsewhere in the stack continue to pass traffic without disruption. This redundancy provides effective safeguards for mission-critical network traffic and is one of the stacks most important fail-over features. Switches in a stack are connected to each other by stacking cables. The valid cable lengths are 1.5m (4.9 feet), 60cm (23.6 inches), and 30cm (11.8 inches). These stacking cables provide high-speed, dual-redundant links between switches in a stack. Stacking cables for OmniSwitch 6850 Series switches can be connected in any pattern. In other words, the cable connected to stacking port A of one switch can be connected to either stacking port A or stacking port B of the adjacent switch. However, it is strongly recommended that the cabling pattern remains consistent across the stack. In addition, for a stack to have effective redundancy a redundant stacking cable must be installed between the upper-most and bottom-most switch at all times. This provides effective failover in the event of a stacking link or module failure within the stack.
Smart Continuous Switching Hot Swap Management Module Fail-over Power Monitoring Redundancy
Fault-tolerant Management
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 234 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Hot-Swapping Modules In a Stack is supported Removing Switches from an Existing Stack is supported
OmniSwitch 6850 Series switches allow redundant stacking cable connections between the top-most and bottom-most switches in a stack. Important. For a stacked configuration to have effective redundancy a redundant stacking cable must be installed between the upper-most and bottom-most switch in the chassis at all times. Redundant stacking cables provide a form of dual redundancy. The redundant cable allows traffic to flow in the event of a stacking link failure. The redundant cable also provides failover if a switch goes down within the stack. Traffic continues to flow between the modules that remain operational. Units within an OmniSwitch 6850 Series virtual chassis are hot swappable. Units are essentially those modules operating in the stack in idle mode. These units can be removed from, or added to, an existing stack without disrupting other modules in the stack. When removing switches from an existing stack, observe the following important guidelines: Do not attempt to hot-swap modules operating in primary or secondary management roles Be sure the stacking cables and stacking cable redundancy are not disrupted Hot swapping is intended for switches in idle and, if applicable, pass-through status only. Removing primary or secondary management modules from a stack will trigger a failover sequence, i.e., one or more additional modules within the stack must reload in order to reassign the management roles. Whenever possible, avoid removing a switch that is operating as a primary or secondary management module. Also, removing a switch from a stacked configuration can disrupt stack cabling at the rear of the stack. When removing a module, be sure that stacking link integrity, including important stacking cable redundancy, is maintained between all remaining modules. When inserting switches into an existing stack, observe the following important guidelines: Avoid duplicate saved slot numbers Never attempt to operate more than eight switches in a single stack Make sure all switches are running the same software version. Reloading is essentially a soft boot of a switch. Users can reload stacked modules operating in any role i.e., primary, secondary, idle, and pass-through. OmniSwitch 6850 Series stacks allow users to manually force the secondary switch to assume the primary management role. This is referred to as takeover. The behavior of a takeover is similar to that of reloading the primary management module. Whenever a takeover is initiated, the switch with the secondary role automatically takes over primary management functions. The primary switch is automatically reloaded and any traffic being passed on the primary switchs Ethernet ports is interrupted. Meanwhile, the idle switch with the next-lowest slot number automatically assumes the secondary role. When the former primary module comes back up, it assumes an idle role within the stack. Management module synchronization refers to the process of copying all files in the /flash/working and /flash/certified directories of the primary management module to the /flash/working and /flash/certified directories of all the other switches in the stack. The system and configuration software on the non-primary switchesi.e., the secondary management module and any modules operating in idleis overwritten. The synchronization process ensures that the contents of these directories match exactly for all switches across the stack. This can be especially useful after new software has been loaded to the primary management module. Monitoring the current status and operation of all elements in a stack can help users avoid unexpected stack conditions. The show CLI commands are useful in monitoring stack conditions. Visually Monitoring the Stack: Users can also monitor many stack operations by viewing the front panel LEDs on all elements in the stack.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 235 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
PoE Feature
Power over Ethernet (PoE) support The Power over Ethernet (PoE) software is supported on the OS6850-P24, OS6850-P24X, OS6850-P48, and OS6850-P48X stackable switches and the OS9-GNI-P24 module. PoE provides inline power directly from the switchs Ethernet ports. From these RJ-45 ports the devices receive both electrical power and data flow. PoE detects power based on PSE devices and not on class. PoE supports both IEEE 802.3af and non-IEEE 802.3af standards. The default inline power allotted for each port is 15400 Milliwatts. The minimum inline power allotted for a port is 3000 Milliwatts and the maximum is 16000 Milliwatts (OS6850) and 18000 Milliwatts (OS9000). The maximum PoE power that a 510w power-supply (OS6850/OS9600) can provide is approximately 390 watts. A 360w power-supply (OS6850/OS9600) can provide approximately 240 watts of PoE power. The OS-IP-Shelf power supplies (OS9000) can provide approximately 600 watts of PoE power. The OS-IP- Shelf supports up to four power supplies, so a total of approximately 2400 watts is possible. The redundant power supply for PoE is only for backup. If the primary power supply fails, then PoE can switch over seamlessly to the backup power supply. Power over Ethernet (PoE) is supported on OmniSwitch 6850 Series switches and provides inline power directly from the switchs Ethernet ports. Powered Devices (PDs) such as IP phones, wireless LAN stations, Ethernet hubs, and other access points can be plugged directly into the Ethernet ports. From these RJ-45 ports the devices receive both electrical power and data flow. As the feature reduces devices dependence on conventional power sources, PoE eliminates many restrictions that traditional electrical considerations have imposed on networks. In a PoE configuration, Power Source Equipment (PSE) detects the presence of a PD and provides an electrical current that is conducted along the data cable. The PD operates using the power received via the Ethernet data cable; no connection to an additional power source (e.g., an AC wall socket) is required. As the OmniSwitch 6850 Series switches fully support 10/100/1000 Ethernet connectivity, you may also attach non-PD equipment, such as computer workstations, printers, servers, etc. to the PoE ports. Important. Alcatel-Lucent recommends that PoE-enabled switches with attached IP telephones should have operational power supply redundancy at all times for 911 emergency requirements. In addition, both the switch and the power supply should be plugged into an Uninterruptible Power Source (UPS). Note. You can also monitor all chassis components and manage many chassis features, including Power over Ethernet, with WebView; Alcatel-Lucents embedded web-based device management application. WebView is an interactive and easy-to-use GUI that can be launched from the OmniVista or a web browser. The Power over Ethernet (PoE) software is supported on the OS6850 P Series of stackable switches. PoE provides inline power directly from the switchs Ethernet ports. From these RJ-45 ports the devices receive both electrical power and data flow. PoE detects power based on PSE devices and not on class. PoE supports both IEEE 802.3af and non-IEEE 802.3af standards. The default inline power allotted for each port is 15400 Milliwatts. The minimum inline power allotted for a port is 3000 Milliwatts and the maximum is 15400 Milliwatts (OS6850). The maximum PoE power that a 510w power-supply can provide is approximately 390 watts. A 360w power-supply can provide approximately 240 watts of PoE power. The redundant power supply for PoE is only for backup. If the primary power supply fails, then PoE can switch over seamlessly to the backup power supply. Note: Please note that due to some overhead, there would be less PoE power available to the end-user. Please refer to the Power Supply Specification section for more details.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 236 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IEEE Standards supported Default PoE administrative status Default PoE operational status OmniSwitch 6850 Series platforms supporting PoE Cable distances supported Total number of PoE-capable ports per switch Default amount of inline power allocated for each port Range of inline power allowed for each port PoE Power availability
PoE operational status Total power allocated to a port Power Priority level for a port The capacitor detection method Priority discount status Port Priority Levels
PoE Specifications IEEE 802.3af DTE Power via MDI Enabled Disabled (PoE must be activated on a switch-by-switch basis). OmniSwitch 6850 Models designated with the letter P 100 meters Up to 48 15,400 Milliwatts 3,000-15,400 Milliwatts The 360W AC-to-DC Power Supply is used on the following PoE Models: OS6850-P24 & OS6850-P24L & OS6850-P24X & OS6850-P48 & OS6850-P48L & OS6850-P48X: The 360W power supply provides: 240W (-50V @ 4.8A) for in-line power and 120W (12V @ 10.0A) for system power. PoE Power Budget for the 24-port Models: 216watts [240watts (PoE power) 24watts (the overhead (power consumed by the PoE daughter card which is 1watt per port))]. PoE Power Budget for the 48-port Models: 192watts [240watts (PoE power) 48watts (the overhead (power consumed by the PoE daughter card which is 1watt per port))]. The 510W AC-to-DC Power Supply is used on the following PoE Models: OS6850-P24H & OS6850-P24LH & OS6850-P24XH & OS6850-P48H & OS6850-P48LH & OS6850-P48XH: The 510W power supply provides: 390W (50V@7.8W/port) for PoE power and 120W (12V@10.0A) for system power. The available PoE Power Budget for the 24-port Models: 366watts [390watts (PoE power) 24watts (the overhead (power consumed by the PoE daughter card which is 1watt per port))]. The available PoE Power Budget for the 48-port Models: 342watts [390watts (PoE power) 48watts (the overhead (power consumed by the PoE daughter card which is 1watt per port))]. Note: Power for all POE ports is defaulted to 15.4 watts per port and each port is configurable between 3watts to 15.4watts (Port setting is in Milliwatts (3000 to 15400)). Please note that the available PoE power budget must not be exceeded. PoE Defaults Disabled 15.4watts Low Disabled Enabled As not all Powered Devices (PDs) connected to the switch have the same priority within a customer network setting, the OmniSwitch 6850 Series switches allow the user to specify priority levels on a port-by-port basis. Priority levels include low, high, and critical. The default priority level for a port is low. Low. This default value is used for port(s) that have low-priority devices attached. In the event of a power management issue, inline power to low-priority ports is interrupted first (i.e., before critical and high-priority ports). High. This value is used for port(s) that have important, but not mission-critical, devices attached. If other ports in the chassis have been configured as critical, inline power to high-priority ports is given second priority. Critical. This value is used for port(s) that have mission-critical devices attached, and therefore require top (i.e., critical) priority. In the event of a power management issue, inline power to critical ports is maintained as long as possible. The capacitive detection method should only be enabled to support legacy IP phones. This feature is not compatible with IEEE specification 802.3af. Please contact your Alcatel-Lucent sales engineer or Customer Support representative to find out which Alcatel-Lucent IP phones models need capacitive detection enabled.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 237 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Priority Disconnect
The priority disconnect function differs from the port priority function in that it applies only to the addition of powered devices (PDs) in tight power budget conditions. Priority disconnect is used by the system software in determining whether an incoming PD will be granted or denied power when there are too few watts remaining in the PoE power budget for an additional device To monitor current PoE statistics and settings, use the show lanpower command. The command output displays a list of all current PoE-capable ports, along with the following information for each port: Maximum power allocated to the port, in Milliwatts Actual power used by the port Current port status Power priority status Power on/off status Aggregate slot and chassis management information is also displayed. This information includes: Maximum watts allocated to the corresponding slot Amount of power budget remaining that can be allocated for PoE modules Total amount of power remaining that can be allocated for additional switch functions
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 238 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 239 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
User Network Profiles This feature provides the capability to have "Roles" assigned to users during authentication. The 6.3.1 release allows for a VLAN to be associated to a role, users matching the role will automatically be assigned to that VLAN. The role should be configured to match the Filter-ID attribute being returned by the RADIUS server.
Security Servers supported Learned Port Security (LPS) LPS has the following limitations: You cannot configure LPS on 10 Gigabit ports. You cannot configure LPS on link aggregate ports.
IP directed broadcast
The User Network Profile feature provides the capability to have users assigned to user roles during authentication. It works only with a RADIUS authentication server. The user role is returned from the RADIUS server through the Filter-ID attributes. A mapping table is provided to look up the VLAN ID based on the user role returned from the authentication server. AAA uses the Filter-ID attribute value returned by the RADIUS server to lookup the corresponding profile name and assigns the user to the associated VLAN. The role name is a case-sensitive ASCII string. If both a VLAN ID and a role name are returned by the RADIUS server, the VLAN associated with the role name takes precedence. Multiple names can be mapped to the same VLAN. The user network profile table can have a maximum of 4096 entries and contains the following two elements: Name VLAN ID LDAP, RADIUS, and ACE Server Learned Port Security (LPS) provides a mechanism for authorizing source learning of MAC addresses on 10/100/1000 and Gigabit Ethernet ports. The only types of Ethernet ports that LPS does not support are link aggregate and tagged (trunked) link aggregate ports. Using LPS to control source MAC address learning provides the following benefits: A configurable source learning time limit that applies to all LPS ports. A configurable limit on the number of MAC addresses allowed on an LPS port. Dynamic configuration of a list of authorized source MAC addresses. Static configuration of a list of authorized source MAC addresses. Two methods for handling unauthorized traffic: stopping all traffic on the port or only blocking traffic that violates LPS criteria. A configurable limit to the number of filtered MAC addresses allowed on an LPS port. Conversion of dynamically learned MAC addresses to static MAC address entries. Support for all authentication methods and LPS on the same switch port. Configurable LPS parameters allow the user to restrict the source learning of host MAC addresses to: A specific amount of time in which the switch allows source learning to occur on all LPS ports A maximum number of learned MAC addresses allowed on the port. A list of configured authorized source MAC addresses allowed on the port. Additional LPS functionality allows the user to specify how the LPS port handles unauthorized traffic. The following two options are available for this purpose: Block only traffic that violates LPS port restrictions; authorized traffic is forwarded on the port. Disable the LPS port when unauthorized traffic is received; all traffic is stopped and a port reset is required to return the port to normal operation. LPS functionality is supported on the following 10/100/1000 and Gigabit Ethernet port types: Fixed (non-mobile) Mobile 802.1Q tagged Authenticated LPS has the following limitations: You cannot configure 802.1x and LPS on the same ports. You cannot configure LPS on 10 Gigabit ports. You cannot configure LPS on link aggregate and 802.1Q tagged ports. Learned Port Security Specifications: Ports eligible for LPS: 10/100 and Gigabit Ethernet ports (fixed, mobile, 802.1Q tagged, and authenticated ports) Ports not eligible for LPS: Link aggregated ports and 802.1Q (trunked) link aggregated ports Minimum number of learned MAC addresses allowed per port: 1 Maximum number of learned MAC addresses allowed per port: 100 Maximum number of configurable MAC address ranges per LPS port: 1 Max number of learned MAC addresses per OS6850 switch (applies to all ports on the switch): 8K An IP directed broadcast is an IP datagram that has all zeroes or all 1s in the host portion of the destination IP address. The packet is sent to the broadcast address of a subnet to which the sender is not directly attached. Directed broadcasts are used in denial-of-service smurf attacks. In a smurf attack, a continuous stream of ping requests is sent from a falsified source address to a directed broadcast address, resulting in a large stream of replies, which can overload the host of the source address. By default, the switch drops directed broadcasts. Typically, directed broadcasts should not be enabled.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 240 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
By default, the switch filters denial of service (DoS) attacks, which are security attacks aimed at devices that are available on a private network or the Internet. Some of these attacks aim at system bugs or vulnerability (for example, teardrop attacks), while other types of these types of attacks involve generating large volumes of traffic so that network service will be denied to legitimate network users (such as Pepsi attacks). These attacks include the following: ICMP Ping of DeathPing packets that exceed the largest IP datagram size (65535 bytes) are sent to a host and hang or crash the system. SYN AttackFloods a system with a series of TCP SYN packets, resulting in the host issuing SYN-ACK responses. The half open TCP connections can exhaust TCP resources, such that no other TCP connections are accepted. Land AttackSpoofed packets are sent with the SYN flag set to a host on any open port that is listening. The machine may hang or reboot in an attempt to respond. Teardrop/Bonk/Boink attacksBonk / Boink / teardrop attacks generate IP fragments in a special way to exploit IP stack vulnerabilities. If the fragments overlap the way those attacks generate packets, an attack is recorded. Since teardrop, bonk and Boink all use the same IP fragmentation mechanism to attack, these are no distinction between detection of these attacks. The old IP fragments in the fragmentation queue are also reaped once the reassemble queue goes above certain size. Pepsi AttackThe most common form of UDP flooding directed at harming networks. A Pepsi attack is an attack consisting of a large number of spoofed UDP packets aimed at diagnostic ports on network devices. This can cause network devices to use up a large amount of CPU time responding to these packets. The switch can be set to detect various types of port scans by monitoring for TCP or UDP packets sent to open or closed ports. Monitoring is done in the following manner: Packet penalty values set: TCP and UDP packets destined for open or closed ports are assigned a penalty value. Each time a packet of this type is received, its assigned penalty value is added to a running total. This total is cumulative and includes all TCP and UDP packets destined for open or closed ports. Port scan penalty value threshold: The switch is given a port scan penalty value threshold. This number is the maximum value the running penalty total can achieve before triggering an SNMP trap. Decay value: A decay value is set. The running penalty total is divided by the decay value every minute. Trap generation: If the total penalty value exceeds the set port scan penalty value threshold, a trap is generated to alert the administrator that a port scan may be in progress. By default, the switch filters the following denial of service (DoS) attacks, which are security attacks aimed at devices that are available on a private network or the Internet: ARP Flood Attack - OS6800/OS6850/OS9000 Invalid IP Attack - OS6850/OS9000 Multicast IP and MAC Address Mismatch - OS6850/OS9000 Ping Overload - OS6850/OS9000 Packets with loop back source IP address - OS6850/OS9000
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 241 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Traffic Anomaly Detection (TAD) (aka Etherbreaker or Network Security) Network Security Overview Network Security detects the anomalies in the network traffic by monitoring the difference in the rate of ingress and egress packets on a port, matching a specific traffic pattern. The Network Security software monitors these packets at configured intervals, counts the packets matching certain patterns, and applies anomaly detection rules. If anomalies are detected, then it is reported through a Syslog and/or an SNMP trap and/or the anomalous port is shut down.
The Traffic Anomaly Detection (TAD) feature, also referred to as Network Security, is used to detect anomalies through statistical analysis of network traffic. It can be used to detect network attacks by observing the patterns of a port through ingress and egress packets. Anomalies occur in network traffic when the traffic patterns in a network do not meet the expectations. Such anomalies are detected in real time network traffic and can be logged, generate SNMP traps, or result in disabling the anomalous port automatically. Network Security provides the following capabilities: Real time network traffic monitoring. Dynamic anomaly detection. Dynamic anomalous port quarantining. Network Security (also known as Alcatel-Lucents Traffic Anomaly Detection (TAD) feature or Etherbreaker) is a network monitoring feature that aims to detect the anomalies in the network by analyzing the patterns of ingress and egress packets on a port. These anomalies occur when the traffic patterns of a port do not meet the expectations. The detection of anomalies results in logging, SNMP trap generation, and shutting down of the anomalous port. This feature is mainly used in the Layer2 domain. Note. The Network Security feature is supported only on OmniSwitch 6850 and 9000 Series switches in Release 6.3.1. Network Security Specifications RFCs supported: Not applicable at this time. IEEE Standards supported: Not applicable at this time. Maximum number of monitoring- groups: 32 Time duration to observe traffic pattern: 5 to 3600 in seconds Minimum traffic to activate anomaly detection: 1 to 100,000 Anomaly sensitivity to deviation: 1 to 100 Network Security Defaults Status of anomaly detection: Disabled Log status: Disabled Trap status : Disabled Quarantine status: Disabled Time duration to observe traffic pattern: 30 seconds Anomaly sensitivity to deviation: 50 Anomalies A network traffic anomaly refers to deviations in the rates of a user-ports ingress and egress packets from expectations. The anomalies are monitored in the network by observing the networks traffic for a configurable time period. During this period, the Network Security counts relevant packets on a port. Anomalies may occur in scenarios, such as the following: When a high number of TCP SYN packets are not expected from a user-port in a short period. When more than one ARP response is received for every ARP request. When a high number of TCP RST packets are not expected in a network in a short period. The above listed scenarios occur in a network due to malicious systems in the network, or when a network is attacked or mis-configured. Network Security detects the following anomalies: Anomaly Description ARP Address Scan Occurs when a host sends a burst of ARP requests for multiple IP addresses. ARP Flood Occurs when a host receives a burst of ARP request packets. ARP Failure Occurs when ARP queries do not elicit ARP responses. ICMP Address Scan Occurs when multiple hosts receive ICMP echo request packets at the same time. ICMP Flood Occurs when a host receives a burst of ICMP echo request packets. ICMP Unreachable Occurs when a host receives a flood of ICMP Unreachable packets. TCP Port Scan Occurs when a host receives a burst of TCP SYN packets for multiple TCP ports. TCP Address Scan Occurs when multiple hosts receive TCP SYN packets at the same time. SYN Flood Occurs when a host receives a burst of TCP SYN packets on the same TCP port. SYN Failure Occurs when a host receives fewer SYNACKs than SYNs it sent out. SYN-ACK Scan Occurs when a host receives more SYNACKs than SYNs it sent out. Fin Scan Occurs when a host receives a burst of FIN packets. Fin-Ack Diff Occurs when a host sees more or fewer FINACK packets than it sent. Rst Count Occurs when a host receives a flood of RST packets.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 242 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Security through the implementation of OmniVista Quarantine Manager (OV2770-QM) With OneTouch Security automation
Automatic log-out
The CrystalSec Security Framework has been expanded with the addition of two solutions - Host Integrity Check and Attack Containment - and two partnerships - Sygate and Fortinet. The Quarantine Manager Application enables the Network Administrator to quarantine devices to protect the network from attacks. When blocking any network traffic such as in Denial Of Service (DOS) attacks, the application works with an external Intrusion Prevention System (IPS) such as Fortinet, to send Syslog messages to the Quarantine Manager, and/or Alcatel-Lucent AOS switches to send SNMP traps to the Quarantine Manager. The information includes the address that was blocked. Quarantine Manager then sends this information to the rest of the network by placing the address into to a "Quarantined" VLAN. Depending on the rule that is written for the event, the address can be immediately quarantined or placed into a Candidate List that can be reviewed by the Network Administrator. Quarantine Manager and Remediation (QMR) is a switch-based application that interacts with the OmniVista Quarantine Manager (OVQM) application to restrict the network access of quarantined clients and provide a remediation path for such clients to regain their network access. This functionality is driven by OVQM, but the following QMR components are configured through QoS CLI commands: Quarantined MAC address group. This is a reserved QoS MAC address group that contains the MAC addresses of clients that OVQM has quarantined and that are candidates for remediation. Remediation server and exception subnet group. This is a reserved QoS network group, called alaExceptionSubnet, that is configured with the IP address of a remediation server and any subnets to which a quarantined client is allowed access. The quarantined client is redirected to the remediation server to obtain updates and correct its quarantined state. Remediation server URL. This is the URL for the remediation server. Note that this done in addition to specifying the server IP address in the alaExceptionSubnet network group. Quarantined Page. When a client is quarantined and a remediation server URL is not configured, QMR can send a Quarantine Page to notify the client of its quarantined state. HTTP proxy port group. This is a known QoS service group, called alaHTTPProxy, that specifies the HTTP port to which quarantined client traffic is redirected for remediation. The default HTTP port used is TCP 80 and TCP 8080. Note that configuring QMR and QoS inner VLAN or inner 802.1p policies is mutually exclusive. QMR overlays the inner VLAN tag, thus creating a conflict with related QoS policies. This is also true with QMR and VLAN Stacking services. QMR is activated when OVQM populates the MAC address group on the LDAP server with quarantined MAC addresses. If VLAN Stacking services or QoS inner VLAN/802.1p policies are configured on the switch, QMR will not activate. NOTE: This feature is designed to work in conjunction with OmniVistas Quarantine Manager application. Refer to the OmniVista documentation for a detailed overview of the Quarantine Manager application. Within OmniVistas Quarantine Manager application, if a MAC is added or removed from the quarantined group, or when an IP address is added or removed from the IP DA remediation, OmniVista will trigger the configured switches to perform a recache action. The switches will then query OmniVistas LDAP database and pull the addresses from the database, these addresses will then be added or removed from the switchs quarantined or remediation group. Automatic log-out based on a pre-configured timer is supported: The switch supports the capability of configuring the inactivity timer for a CLI, HTTP (including WebView), or FTP interface. When the switch detects no user activity for this period of time, the user is logged off the switch.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 243 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Authenticated VLANs control user access to network resources based on VLAN assignment and a user login process; the process is sometimes called user authentication or Layer 2 Authentication. (Another type of security is device authentication, which is set up through the use of port-binding VLAN policies or static port assignment. The total number of possible AVLAN users is 2K per system, not to exceed 1K per module or stackable unit. This number is a total number of users that applies to all authenticated clients, such as AVLAN and 802.1X supplicants or non-supplicants. The Omniswitch supports the use of all authentication methods and Learned Port Security (LPS) on the same port. The terms authenticated VLANs (A-VLANs) and Layer 2 Authentication is synonymous. Layer 2 Authentication is different from another feature in the switch called Authenticated Switch Access, which is used to grant individual users access to manage the switch. An authenticated network requires several components: Authentication serversA RADIUS or LDAP server must be configured in the network. The server contains a database of user information that the switch checks whenever a user tries to authenticate through the switch. (Note that the local user database on the switch may not be used for Layer 2 authentication.). Backup servers may be configured for the authentication server. RADIUS or LDAP server: Follow the manufacturers instructions for your particular server. The external server may also be used for Authenticated Switch Access. RADIUS or LDAP client in the switch: The switch must be set up to communicate with the RADIUS or LDAP server. Authentication clientsAuthentication clients login through the switch to get access to A-VLANs. There are three types of clients: AV-Client. This is an Alcatel-Lucent-proprietary authentication client. The AV-Client does not require an IP address prior to authentication. The client software must be installed on the users end station. Telnet client: Any standard Telnet client can be used. An IP address is required prior to authentication. Web browser client: Any standard Web browser can be used (Netscape or Internet Explorer). An IP address is required prior to authentication. Authenticated VLANsAt least one authenticated VLAN must be configured. Authentication portAt least one mobile port must be configured on the switch as an authentication port. This is the physical port through which authentication clients are attached to the switch. DHCP ServerA DHCP server can provide IP addresses to clients prior to authentication. After authentication, any client can obtain an IP address in an authenticated VLAN to which the client is allowed access. A relay to the server must be set up on the switch. Authentication agent in the switchAuthentication is enabled when the server(s) and the server authority mode is specified on the switch. Note: AVLAN Web Authentication: The Mac OS X 10.3.x is supported for AVLAN web authentication using JVM-v1.4.2. The maximum number of possible A-VLAN users support is 2,048. Release 6.3.1 added AVLAN support for IE7 and Windows Vista. An Alcatel-Lucent certificate is required to provide this support. Please contact your customer support representative to obtain this certificate.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 244 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IEEE 802.1X Note: there is no switch based local database for IEEE 802.1x authentication. Here are the limits: Maximum number of supplicants / non-supplicant users per system: 1024 Maximum number of non-supplicant users per port: 1024 Maximum number of supplicant users per port: 253 Maximum combined number of supplicant and non-supplicant users per port: 1024 The system supports up to 1024 authenticated/mobile mac-addresses. The system can roughly processes ~200 mac per seconds.
802.1X enhancements on the OmniSwitch 6850 (Synonymous with the feature titled Alcatel.Lucent Access Guardian support)
Physical devices attached to a LAN port on the switch through a point-to-point LAN connection may be authenticated through the switch through port-based network access control. This control is available through the IEEE 802.1X standard implemented on the switch. In addition, Interoperability between Alcatel-Lucent 802.1x and Sygate Management Server (SMS) and Sygate Enforcer is also supported. The identity field in Alcatel-Lucent 802.1x authentication works with all applications that send more than 32 bytes (e.g., Sygate). IEEE 802.1X Specifications: RFCs Supported: RFC 2284PPP Extensible Authentication Protocol (EAP) RFC 2865Remote Authentication Dial In User Service (RADIUS) RFC 2866RADIUS Accounting RFC 2867RADIUS Accounting Modifications for Tunnel Protocol Support RFC 2868RADIUS Attributes for Tunnel Protocol Sup-port RFC 2869RADIUS Extensions IEEE Standards Supported: IEEE 802.1X-2001Standard for Port-based Network Access Control 802.1X RADIUS Usage Guidelines The 802.1X standard defines port-based network access controls, and provides the structure for authenticating physical devices attached to a LAN. It uses the Extensible Authentication Protocol over LAN (EAPOL). There are three components for 802.1X: The SupplicantThis is the device connected to the switch. The device may be connected directly to the switch or via a point-to-point LAN segment. Typically the supplicant is a PC. The Authenticator Port Access Entity (PAE)This entity requires authentication from the supplicant. The authenticator is connected to the supplicant directly or via a point-to-point LAN segment. The OmniSwitch acts as the authenticator. The Authentication ServerThis component provides the authentication service and verifies the credentials (username, password, challenge, etc.) of the supplicant. On the OmniSwitch, only RADIUS servers are currently supported for 802.1X authentication. Note: IEEE 802.1x Multi-client and Multi-VLAN feature provides the capability to force every user behind a given port to authenticate and be placed into their own applicable VLAN and allows multiple VLANs to be properly established on a single port. In other words, multiple supplicants can be authenticated on a given 802.1x port Note: the implementation of 802.1x on the OmniSwitch 6850 as described below is also synonymous with the feature titled Alcatel.Lucent Access Guardian support: In addition to the authentication and VLAN classification of 802.1x clients (supplicants), this implementation of 802.1x secure port access extends this type of functionality to non-802.1x clients (non-supplicants). To this end device classification policies are introduced to handle both supplicant and non-supplicant access to 802.1x ports. Supplicant policies use 802.1 x authentications via a remote RADIUS server and provide alternative methods for classifying supplicants if the authentication process either fails or does not return a VLAN ID. Non-supplicant policies use MAC authentication via a remote RADIUS server or can bypass authentication and only allow strict assignment to specific VLANs. MAC authentication verifies the source MAC address of a non-supplicant device via a remote RADIUS server. Similar to 802.1 x authentications, the switch sends RADIUS frames to the server with the source MAC address embedded in the username and password attributes. The 6.3.1 release increases the number of possible 802.1X users to 2K per system, not to exceed 1K per module or stackable unit. This number is a total number of users that applies to all authenticated clients, such as AVLAN and 802.1X supplicants or non-supplicants. In addition, the 6.3.1 release also supports the use of all authentication methods and Learned Port Security (LPS) on the same port. Release 6.3.1 added the capability to classify both supplicant and non-supplicant devices using nonsupplicant device classification policies. As a result, MAC authentication is now applicable to both supplicant and non-supplicant devices. By default non-supplicant devices are automatically blocked on 802.1x-enabled ports. In some cases, however, it is desirable to allow non-supplicant access on these ports. For example, using device policies a non-supplicant may gain access to a pre-determined VLAN. Such a VLAN might serve as a guest VLAN for such devices requiring restricted access to the switch. Supplicant devices are initially processed using 802.1 x authentications via a remote RADIUS server. If authentication is successful and returns a VLAN ID, the supplicant is assigned to that VLAN. If not, then any configured device classification policies for the port are applied to determine VLAN assignment for the supplicant. If there are no policies, then the default port behavior for 802.1x ports is in affect. The following types of device classification policies are available: 1. 802.1 x authenticationsperform 802.1 x authentications via a remote RADIUS server. 2. MAC authenticationsperforms MAC based authentication via a remote RADIUS server. 3. Group Mobility rulesuses GM rules to determine the VLAN assignment for a device 4. Strict Group Mobility rulesuses Group Mobility rules to determine the VLAN assignment for a device; does not allow assignment to authenticated VLANs.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 245 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Port Mapping (AKA Private VLAN) Allows traffic segregation at L2 User ports in the same session cannot talk to each other Note: this feature is part of Residential bridging features
VLAN IDassigns the device to the specified VLAN. Strict VLAN IDassigns the device to the specified VLAN; does not allow assignment to authenticated VLANs. 7. Default VLANassigns a device to the default VLAN for the 802.1x port. 8. Strict Default VLANassigns a device to the default VLAN for the 802.1x port; does not allow assignment to authenticated VLANs. 9. Blockblocks a device from accessing the 802.1x port. Alcatel-Lucent Access Guardian Support entails a set of security features that provide: o Automatic detection of 802.1x and non-802.1x devices o Flexible per port configuration of securities policies o 802.1x is used for user authentication, MAC-based authentication can be used for non-802.1x clients o Supported policies: Group Mobility rules Guest VLANs Default VLAN Block o Centralized location for user/device authentication-using RADIUS o Separate security policies can be configured for supplicants and non-supplicants Benefits: o Allows for flexible networks configuration which strengthens the security o Centralized management of users and devices reduces the administration cost All known users and devices are authenticated using RADIUS Change in one place only, takes effect everywhere in the network A mobile user will authenticate the same way a "wired" user o Guest users are placed in guest VLAN Applications: o Educational sector Port Mapping is a security feature, which controls communication between peer users. Each session comprises a session ID, a set of user ports, and/or a set of network ports. The user ports within a session cannot communicate with each other and can only communicate via network ports. In a port mapping session with user port set A and network port set B, the ports in set A can only communicate with the ports in set B. If set B is empty, the ports in set A can communicate with rest of the ports in the system. A port mapping session can be configured in the unidirectional or bi-directional mode. In the unidirectional mode, the network ports can communicate with each other within the session. In the bi-directional mode, the network ports cannot communicate with each other. Network ports of a unidirectional port mapping session can be shared with other unidirectional sessions, but cannot be shared with any sessions configured in the bi-directional mode. Network ports of different sessions can communicate with each other. Port Mapping Specifications: Ports Supported: Ethernet (10 Mbps)/Fast Ethernet (100 Mbps)/Gigabit Ethernet (1 Gb/1000 Mbps) /10 Gigabit Ethernet (10 Gb/10000 Mbps). Mapping Sessions: Eight sessions supported per standalone switch and stack. Port Mapping Defaults: Mapping Session: Creation: No mapping sessions Mapping Status configuration: Disabled Port Mapping Direction: Bi-directional
5. 6.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 246 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Access Control Lists (ACLs) Performance: Wire-speed ACLs are sometimes referred to as filtering lists.
Access Control Lists are Quality of Service policies used to control whether or not packets are allowed or denied at the switch or router interface. ACLs are distinguished by the kind of traffic they filter. In a QoS policy rule, the type of traffic is specified in the policy condition. The policy action determines whether the traffic is allowed or denied. In general, the types of ACLs include: Layer 2 ACLsfor filtering traffic at the MAC layer. Usually uses MAC addresses or MAC groups for filtering. Layer 2 filtering filters traffic at the MAC layer. Layer 2 filtering may be done for both bridged and routed packets. As MAC addresses are learned on the switch, QoS classifies the traffic based on: MAC address or MAC group Source VLAN Physical slot/port or port group The switch classifies the MAC address as both source and destination. Layer 3/4 ACLsfor filtering traffic at the network layer. Typically uses IP addresses or IP ports for filtering. The QoS software in the switch filters routed and bridged traffic at Layer 3. For Layer 3/4 filtering, the QoS software in the switch classifies traffic based on: Source IP address or source network group Destination IP address or destination network group IP protocol (note IPX filtering is not supported.) Source TCP/UDP port Destination TCP/UDP port or service or service group Destination slot/port or destination port group Multicast ACLsfor filtering IGMP traffic Multicast filtering may be set up to filter clients requesting group membership via the Internet Group Management Protocol (IGMP). IGMP is used to track multicast group membership. The IP Multicast Switching (IPMS) function in the switch optimizes the delivery of IP multicast traffic by sending packets only to those stations that request it. Potential multicast group members may be filtered out so that IPMS does not send multicast packets to those stations. Multicast traffic has its own global disposition. By default, the global disposition is accept. For multicast filtering, the switch classifies traffic based on the multicast IP address or multicast network group and any destination parameters. ACL Specifications: Maximum number of policy rules: 1024 Maximum number of policy rules per Ethernet port: 101 Maximum number of policy rules per 10-Gigabit Ethernet port: 997 Maximum number of policy conditions: 2048 Maximum number of policy actions: 2048 Maximum number of policy services: 256 Maximum number of groups (Network, MAC, service, port): 1024 Maximum number of group entries: 512 per group The following additional ACL features are available for improving network security and preventing malicious activity on the network: UserPortsA port group that identifies its members as user ports to prevent spoofed IP traffic. When a port is configured as a member of this group, packets received on the port are dropped if they Contain a source IP network address that does not match the IP subnet for the port. DropServicesA service group that improves the performance of ACLs that are intended to deny packets destined for specific TCP/UDP ports. Using the DropServices group for this function minimizes processing overhead, which otherwise could lead to a DoS condition for other applications trying to use the switch. ICMP drop rulesAllows condition combinations in policies that will prevent user pings, Thus reducing DoS exposure from pings. Two condition parameters are also available to provide more granular filtering of ICMP packets: icmptype and icmpcode. See Configuring ICMP Drop Rules in the network configuration Guide. BPDUShutdownPorts (Close user ports upon receipt of BPDU)A port group that identifies its members as ports that should not receive BPDUs. If a BPDU is received on one of these ports, The port is administratively disabled. In other words, this allows network administrators to prevent the connection of devices that can support bridging functionality to ports designated as user ports. TCP connection rulesAllows the determination of an established TCP connection by examining TCP flags found in the TCP header of the packet. Two condition parameters are available for defining a TCP connection ACL: established and tcpflags. Early ARP discardARP packets destined for other hosts are discarded to reduce processing overhead and exposure to ARP DoS attacks. No configuration is required to use this feature; It is always available and active on the switch. Note that ARPs intended for use by a local subnet, AVLAN, VRRP, and Local Proxy ARP are not discarded.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 247 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
BPDU Shutdown Ports BPDUShutdownPortsA port group that identifies its members as ports that should not receive BPDUs. If a BPDU is received on one of these ports, the port is administratively disabled.
The BPDUShutdownPorts group is a special QoS port group that identifies its members as ports that should not receive BPDUs. If a BPDU is received on one of these ports, the port is administratively disabled. Note that the BPDUShutdownPorts group is not supported on the OmniSwitch 6850 Series or the OmniSwitch 9000 Series. On these switches, it is possible to configure a global UserPorts profile, as described in ACL & Layer 3 Security, to monitor BPDU on user ports. Such a profile also determines whether user ports will filter BPDU or will administratively shutdown when BPDU are received on the port. Note that this functionality only applies to ports that are designated as members of the UserPorts port group. A port configured to administratively shutdown when BPDU are detected will generate an inferior BPDU every 5 seconds. This will prevent loops in the network if two BPDU shutdown ports are accidentally bridged together either through an external loop or through a hub, since both ports would be receiving inferior BPDUs. Support for IPv6 ACLs on the OmniSwitch 6850 Series and OmniSwitch 9000 Series is available. The following QoS policy conditions are now available for configuring ACLs to filter IPv6 traffic: source ipv6 destination ipv6 ipv6 nh (next header) flow-label source tcp port destination tcp port source udp port destination udp port Note the following when using IPv6 ACLs: Trusted/untrusted behavior is the same for IPv6 traffic as it is for IPv4 traffic. IPv6 policies do not support the use of network groups, service groups, map groups, or MAC groups. IPv6 multicast policies are not supported. Anti-spoofing and other UserPorts profiles/filters do not support IPv6. The default (built-in) network group, Switch, only applies to IPv4 interfaces. There is no such group for IPv6 interfaces. Note. IPv6 ACLs are not supported on A1 NI modules. Use the show ni command to verify the version of the NI module. Contact your Alcatel-Lucent support representative if you are using A1 boards. The following additional ACL features are available for improving network security and preventing malicious activity on the network: ICMP drop rulesAllows condition combinations in policies that will prevent user pings, thus reducing DoS exposure from pings. Two condition parameters are also available to provide more granular filtering of ICMP packets: icmptype and icmpcode. TCP connection rulesAllows the determination of an established TCP connection by examining TCP flags found in the TCP header of the packet. Two condition parameters are available for defining a TCP connection ACL: established and tcpflags. Early ARP discardARP packets destined for other hosts are discarded to reduce processing overhead and exposure to ARP DoS attacks. No configuration is required to use this feature, it is always available and active on the switch. Note that ARPs intended for use by a local subnet, AVLAN, and VRRP are not discarded. UserPortsA port group that identifies its members as user ports to prevent spoofed IP traffic. When a port is configured as a member of this group, packets received on the port are dropped if they contain a source IP network address that does not match the IP subnet for the port. UserPorts ProfileIn addition to spoofed traffic, it is also possible to configure a global UserPorts profile to specify additional types of traffic, such as BPDU, RIP, OSPF, and/or BGP, to monitor on user ports. The UserPorts profile also determines whether user ports will filter the unwanted traffic or will administratively shutdown when the traffic is received. Note that this profile only applies to those ports that are designated as members of the UserPorts port group. DropServicesA service group that improves the performance of ACLs that are intended to deny packets destined for specific TCP/UDP ports. This group only applies to ports that are members of the UserPorts group. Using the DropServices group for this function minimizes processing overhead, which otherwise could lead to a DoS condition for other applications trying to use the switch.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 248 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Access Control List Manager (ACLMAN) is a function of the Quality of Service (QoS) application that provides an interactive shell for using common industry syntax to create ACLs. Commands entered using the ACLMAN shell are interpreted and converted to Alcatel-Lucent CLI syntax that is used for creating QoS filtering policies. This implementation of ACLMAN also provides the following features: Importing of text files that contain common industry ACL syntax Support for both standard and extended ACLs Creating ACLs on a single command line The ability to assign a name, instead of a number, to an ACL or a group of ACL entries Sequence numbers for named ACL statements Modifying specific ACL entries without having to enter the entire ACL each time to make a change The ability to add and display ACL comments ACL logging extensions to display Layer 2 through 4 packet information associated with an ACL ACLMAN Overview: ACLMAN is a function of the Alcatel-Lucent QoS system that allows network administrators to configure and manage ACLs using common industry syntax. ACLs configured using ACLMAN are transparently converted into Alcatel-Lucent QoS filtering policies and applied to the switch. An ACLMAN interactive shell provides an ACL command line interface that is similar to command interfaces that are available on other industry platforms. This shell serves as a configuration tool for creating ACLs using common industry syntax commands and/or importing industry syntax from text files. The following industry ACL types and features are supported with this implementation of ACLMAN: Standard ACL. This type of ACL compares the source address of a packet to the source address specified in the ACL. Extended ACL. This type of ACL compares the source and destination address of a packet to the source and destination address specified in the ACL. Also provides additional criteria for filtering packets. Numbered ACL. This type of ACL refers to standard or extended ACLs that are assigned a number for identification. Named ACL. This type of ACL refers to standard or extended ACLs that are assigned a name for identification. The following industry ACL types are currently not supported: Reflexive ACLs Context-Based Access Control Authentication Proxy Lock and Key (Dynamic ACLs) ACMAN Defaults: ACLMAN Defaults: ACL Disposition: Deny Logging rate time interval: 30 seconds
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 249 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Network Admission (Access) Control (aka NAC): Security Outline: - Of the switch - To the switch - Through the switch (NAC) - Proactive (Access Guardian) - Authentication - Client integrity - ACL and firewall policies - Reactive (Quarantine Manager) - Monitoring - Intrusion detection - Quarantining
Protecting the enterprise network takes more than just focusing on specific threats and adding specialized appliances. To defend against todays threats, the focus has changed from securing the perimeter to a pervasive layered, network-wide strategy where security functions are now embedded in the switches, providing a proactive, network defense. To meet this challenge Alcatel-Lucent has identified and implemented security services at every switch port making the network infrastructure an integral part of the security solution. With Alcatel-Lucents Network Access Control (NAC) technology, every port is capable of immediately detecting and neutralizing network attacks without sacrificing manageability, mobility, availability, or performance. Alcatel-Lucents LAN switches have embedded security features that not only respond to AlcatelLucent security applications, but also interoperate with standards-based security systems from the industries leading security software and security appliance vendors. Alcatel-Lucents NAC solution combines several services including: port control (Alcatel-Lucent Access Guardian), user policy violations (Alcatel-Lucent OmniVista 2770 Quarantine Manager) and the ability to monitor user end points (Client Integrity Checking) Alcatel-Lucent has three main approaches to security: securing the infrastructure itself, securing the access to the infrastructure, and securing the access provided by the infrastructure. Securing access provided by the switch, also knows as Network Access Control (NAC) relies on the combination of various security features embedded in our switches and enabled by partnerships with leading security software and security appliance vendors. These features utilize proactive processes that identify and authenticate the users, provide means of enforcing device policies and determine what resources the end user may access. These methods together are known as Alcatel-Lucent Access Guardian. To identify and authenticate users and devices, Alcatel-Lucent has implemented a powerful and flexible authentication mechanism that combines well-known authentication methods such as 802.1x and MAC authentication with unique classification methods. The network automatically senses the authentication method a device uses and adapts to provide the appropriate access to the resources a user needs. As part of this process, Alcatel-Lucent's network also interoperates with client-based security software to verify the compliance of a device. In addition to proactive methods, the Alcatel-Lucent Quarantine Manager makes use of reactive methods to monitor, detect intrusions, and quarantine end user devices. It interoperates with a wide range of security appliances to provide comprehensive enforcement of quarantining policies at the very edge of the network.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 250 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Distributed Intelligence
The AOS OmniSwitch product family has been designed to bring intelligence to an Enterprise network by implementing a host of intelligent features and services. Carrier-class intelligence insures that users and applications receive the priority and performance they need with ease-of-use management that extends across the entire enterprise. The OS6850 provides the necessary hardware queues, intelligence and granularity to properly identify, mark and prioritize data flows ensuring mission critical applications running smoothly. The following is only a highlight of the state-of-the-art intelligent features supported by the OmniSwitch 6850 Series: VLAN Support: o Up to 4,094 VLANs (1024 VLANs recommended), and 4,094 VLAN tags value support o Per port, 802.1Q and policy based VLAN including authentication VLAN (A-VLAN) Residential bridging features: DHCP option-82, DHCP-Snooping and Port Mapping Triple Play features: Rapid Spanning Tree, IP Multicast VLANs, Mac Retention, Eth. Operations Admin. & Maintenance (OAM), IS-IS and GVRP Quality of Service o IEEE 802.1p, ToS, DSCP marking o QoS mapping: 802.1p to 802.1p & ToS & DSCP, ToS to ToS & 802.1p & DSCP, DSCP to DSCP & 802.1p & ToS o Classification per port, 802.1p (CoS) value, MAC SA/DA, TOS precedence, DSCP value, IP SA/DA, TCP/UDP port range o 8 egress queues per port to support strict and hybrid queuing (strict + weighted round robin queuing algorithm). o Ingress bandwidth rate limiting per port/flow in 64k increments o Egress bandwidth rate limiting per port in 1Mbps increments Routing Protocols: IPv4 & IPv6, RIPv1/v2 & OSPF & OSPF-ECMP & BGP & VRRP & PIM-SMv2 & & PIM-SSM & DVMRPv3 VLANs One of the main benefits of using VLANs to segment network traffic, is that VLAN configuration and port assignment is handled through switch software. This eliminates the need to physically change a network device connection or location when adding or removing devices from the VLAN broadcast domain. The VLAN management software handles the following VLAN configuration tasks: Creating or modifying VLANs. Assigning or changing default VLAN port associations (VPAs). Enabling or disabling VLAN participation in the current Spanning Tree algorithm. Enabling or disabling classification of mobile port traffic by 802.1Q tagged VLAN ID. Enabling or disabling VLAN authentication. Defining VLAN IPX router interfaces to enable routing of VLAN IPX traffic. Enabling or disabling unique MAC address assignments for each router VLAN defined. Displaying VLAN configuration information. Up to 4094 VLANs for Flat Spanning Tree mode and 252 VLANs for 1x1 Spanning Tree mode are supported. In addition, it is also possible to specify a range of VLAN IDs when creating or deleting VLANs and/or configuring VLAN parameters, such as Spanning Tree bridge values. In a flat-bridged network, a broadcast domain is confined to a single LAN segment or even a specific physical location, such as a department or building floor. In a switch-based network, such as one comprised of Alcatel-Lucent switching systems, a broadcast domainor VLAN can span multiple physical switches and can include ports from a variety of media types. For example, a single VLAN could span three different switches located in different buildings and include 10/100 Ethernet, Gigabit Ethernet, 802.1q tagged ports and/or a link aggregate of ports. Initially all switch ports are non-mobile and are assigned to VLAN 1. When additional VLANs are created on the switch, ports are assigned to the VLANs so that traffic from devices connected to these ports is bridged within the VLAN domain. Switch ports are either statically or dynamically assigned to VLANs. Static port assignment applies to both mobile and non-mobile (fixed) ports. Fixed ports are also statically assigned to secondary VLANs by defining 802.1Q tagged VLANs for the port. In addition, ports can belong to a link aggregate of ports. Dynamic assignment applies only to mobile ports and requires the additional configuration of VLAN rules. When traffic is received on a mobile port, the packets are examined to determine if their content matches any VLAN rules configured on the switch. Rules are defined by specifying a port, MAC address, protocol, network address, binding, or DHCP criteria to capture certain types of network device traffic. It is also possible to define multiple rules for the same VLAN. A mobile port is assigned to a VLAN if its traffic matches any one VLAN rule. VLAN Specifications: RFCs supported: 2674 Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering and Virtual LAN Extensions. IEEE Standards supported: 802.1Q and 802.1D Maximum VLANs: 1024 (including VLAN#1) Maximum VLAN port associations: 32,768 Maximum IP router port VLANs: 1024 Maximum IPX router port VLANs: 1024 Maximum Spanning Tree VLANs: 253 Maximum Authenticated VLANs: 128 Maximum Router Mode Supported: Single The following provides a list of various types of VLAN rules supported. Rule Types: DHCP
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 251 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Rule Precedence
o DHCP MAC & DHCP MAC Range o DHCP Port o DHCP Generic Binding o MAC + IP+ Port o MAC + Port o Port + Protocol MAC o MAC address & MAC Address Range Mobile Tag Network address o IP (IP Subnet) & IPX (IPX Network) Protocol [including IP, IPv6, ARP, RARP, IPX (0x8137, 0xFFFF, 0xE0E0), AppleTalk (0x809b, 0x80F3) and DECNet] Port DHCP Mac & DHCP Mac Range DHCP Port DHCP Generic Mac-Port-IP Binding Mac-Port Binding Port-Protocol Binding Mac & Mac Range IP Subnet IPX Network Protocol (Group Mobility classifies IPv6 frames) Every switch port, mobile or non-mobile, has a configured default VLAN. Initially, this is VLAN 1 for all ports, but is configurable using the vlan port default command. All mobile ports start out with a configured default VLAN assignment. When mobile port traffic matches VLAN criteria, the port is assigned to that VLAN. Secondary VLANs are any VLAN a port is subsequently assigned to that is not the configured default VLAN for that port. A mobile port can obtain more than one secondary VLAN assignment under the following conditions: Mobile port receives untagged frames that contain information that matches rules on more than one VLAN. For example, if a mobile port receives IP and IPX frames and their is an IP protocol rule on VLAN 10 and an IPX protocol rule on VLAN 20, the mobile port is dynamically assigned to both VLANs. VLANs 10 and 20 become secondary VLAN assignments for the mobile port. Mobile port receives 802.1Q tagged frames that contain a VLAN ID that matches a VLAN that has VLAN mobile tagging enabled. For example, if a mobile port receives frames tagged for VLAN 10, 20 and 30 and these VLANs have mobile tagging enabled, the mobile port is dynamically assigned to all three VLANs. VLANs 10, 20, and 30 become secondary VLAN assignments for the mobile port. Dynamic assignment applies only to mobile ports and requires the additional configuration of VLAN rules. When traffic is received on a mobile port, the packets are examined to determine if their content matches any VLAN rules configured on the switch. Rules are defined by specifying a port, MAC address, protocol, network address, binding, or DHCP criteria to capture certain types of network device traffic. It is also possible to define multiple rules for the same VLAN. A mobile port is assigned to a VLAN if its traffic matches any one VLAN rule. When enabled, AVC prevents a port that has no VLANs mapped to an 802.1S Multiple Spanning Tree Instance (MSTI) from becoming the root port for that instance. Such ports are automatically assigned an infinite path cost value to make them an inferior choice for root port. In an 802.1s Multiple Spanning Tree (MST) configuration, it is possible for a port that belongs to a VLAN, which is not a member of an instance, to become the root port for that instance. This can cause a topology change that could lead to a loss of connectivity between VLANs/switches. Enabling Automatic VLAN Containment (AVC) helps to prevent this from happening by making such a port an undesirable choice for the root. When AVC is enabled, it identifies undesirable ports and automatically configures them with an infinite path cost value. Balancing VLANs across links according to their Multiple Spanning Tree Instance (MSTI) grouping is highly recommended to ensure that there is not a loss of connectivity during any possible topology changes. Enabling AVC on the switch is another way to prevent undesirable ports from becoming the root for an MSTI. Up to 4094 VLANs for Flat Spanning Tree mode and 252 VLANs for 1x1 Spanning Tree mode are supported. In addition, it is now possible to specify a range of VLAN IDs when creating or deleting VLANs and/or configuring VLAN parameters, such as Spanning Tree bridge values.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 252 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IEEE 802.1Q
A VLAN is available for routing traffic when a virtual router port is defined for that VLAN and at least one active port has joined the VLAN. If a VLAN does not have a router defined, its ports are in essence fire walled from other VLANs. Each VLAN supports one IP virtual router port and a maximum of 1024 IP router port VLANs are allowed per switch. The OmniSwitch 6850 operates only in single MAC router mode. In this mode, each router port VLAN is assigned the same MAC address, which is the base chassis MAC address for the switch. As a result, up to 1024 IP router port VLANs are supported per single switch. This also eliminates the need to allocate additional MAC addresses if more than 32 router port VLANs are defined. Alcatel-Lucents 802.1Q is an IEEE standard for sending frames through the network tagged with VLAN identification. 802.1Q tagging can be configured and monitored on a single port in a switch or a link aggregation group in a switch. 802.1Q tagging is the IEEE version of VLANs. It is a method for segregating areas of a network into distinct VLANs. By attaching a label, or tag, to a packet, the packet can be identified as being from a specific area or identified as being destined for a specific area. When a port is enabled to accept tagged traffic, by default both 802.1Q tagged and untagged traffic is automatically accepted on the port. Configuring the port to accept only tagged traffic is also supported. When enabling a tagged port, you will also need to specify whether only 802.1Q tagged traffic is allowed on the port, or whether the port accepts both tagged and untagged traffic. Tagged refers to four bytes of reserved space in the header of the packet. The four bytes of tagging are broken down as follows: the first two bytes indicate whether the packet is an 802.1Q packet, and the next two bytes carry the VLAN identification (VID) and priority. On the ingress side, packets are classified in a VLAN. After classifying a packet, the switch adds an 802.1Q header to the packet. Egress processing of packets is done by the switch hardware. Packets have an 802.1Q tag, which may be stripped off based on 802.1Q tagging/stripping rules. If a port is configured to be a tagged port, then all the untagged traffic (including priority tagged, or VLAN 0 traffic) received on the port will be dropped. You do not need to reboot the switch after changing the configuration parameters. Priority tagged traffic, or traffic from VLAN 0, is used for Quality of Service (QoS) functionality. 802.1Q views priority tagged traffic as untagged traffic. Mobile ports can be configured to accept 802.1Q traffic by enabling the VLAN mobile tagging feature. The port can be assigned to as many 802.1Q VLANs as necessary, up to 4093 per port or 32768 VLAN port associations. For the purposes of Quality of Service (QoS), 802.1Q ports are always considered to be trusted ports. 802.1Q tagging is done at wire speed, providing high-performance throughput of tagged frames. IEEE 802.1Q Specifications: IEEE Specification: Draft Standard P802.1Q/D11 IEEE Standards for Local And Metropolitan Area Network: Virtual Bridged Local Area Networks, July 30, 1998 Maximum Number of Tagged VLANs per Port: 4093 Maximum Number of Untagged VLANs per Port: one untagged VLAN per port Maximum Number of VLAN Port Associations: 32768 What type of frames accepted: Both tagged and untagged frames are accepted IEEE 802.1Q 2005 (Q2005) is a new version of Multiple Spanning Tree Protocol (MSTP) that is a combination of the 802.1D 2004 and 802.1S protocols. This implementation of Q2005 also includes improvements to edge port configuration and provides administrative control to restrict port role assignment and the propagation of topology change information through bridge ports.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 253 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
VLAN Stacking provides a mechanism to tunnel multiple customer VLANs (CVLAN) through a service provider network using one or more service provider VLANs (SVLAN) by way of 802.1Q double-tagging or VLAN Translation. This feature enables service providers to offer their customers Transparent LAN Services (TLS). This service is multipoint in nature so as to support multiple customer sites or networks distributed over the edges of a service provider network. The VLAN Stacking application operates in one of two modes: legacy and service. The two modes basically differ in how VLAN Stacking is configured, with the service mode offering the following additional enhancements that are not available in the legacy mode: Ethernet service-based approach that is similar to configuring a virtual private LAN service (VPLS). Ingress bandwidth sharing across User Network Interface (UNI) ports. Ingress bandwidth rate limiting on a per UNI port, per CVLAN, or CVLAN per UNI port basis. CVLAN (inner) tag 802.1p-bit mapping to SVLAN (outer) tag 802.1p bit. CVLAN (inner) tag DSCP mapping to SVLAN (outer) tag 802.1p bit. Profiles for saving and applying traffic engineering parameter values. Configuring VLAN Stacking in the legacy mode consists of using a port or port-VLAN level approach to tunneling customer traffic. Configuring VLAN Stacking in the service mode consists of using an approach based on defining an Ethernet service to tunnel customer traffic. Both modes are exclusive in that the switch can only operate in one mode or the other. In addition, each mode has its own unique CLI command syntax. Throughout this section, the term port-based VLAN Stacking refers to functionality available in the legacy mode and the term service-based VLAN Stacking refers to functionality available in the service mode. Note. You can also configure and monitor VLAN Stacking with WebView; Alcatel.Lucents embedded web based device management application. WebView is an interactive and easy-to-use GUI that can be launched from OmniVista or a web browser. VLAN Stacking Specifications IEEE Standards Supported: IEEE 802.1Q, 2003 Edition, IEEE Standards for Local and metropolitan area networksVirtual Bridged Local Area Networks P802.1ad/D6.0 (C/LM) Standard for Local and Metropolitan Area Networks - Virtual Bridged Local Area Networks - Amendment 4: Provider Bridges Maximum number of SVLANs for port-based VLAN Stacking: Port level VLAN Stacking-4093 (VLAN 2 through 4094) port/VLAN level VLAN Stacking: 768 (VLAN 2 through 4094 inclusive) Maximum number of SVLANs for service-based VLAN Stacking: 4093 (VLAN 2 through 4094) Features not supported on VLAN Stacking ports : Group Mobility, Authentication and L3 Routing Service-Based VLAN Stacking Defaults VLAN Stacking mode: legacy VLAN Stacking (vstk) SVLAN administrative and Spanning Tree status: Enabled IPMVLAN administrative and Spanning Tree status: Enabled Vendor TPID and legacy BPDU support for STP or GVRP on a VLAN Stacking network port: Legacy STP BPDU = dropped. Legacy GVRP BPDU = dropped. Acceptable frame types on a VLAN Stacking user port: None Traffic engineering profile attributes for a VLAN Stacking Service Access Point (SAP): ingress bandwidth = shared ingress bandwidth bps = 0 CVLAN tag is preserved. SVLAN priority mapping = 0 Treatment of customer STP and GVRP frames ingressing on a VLAN Stacking user port: STP frames are tunneled. GVRP frames are tunneled. Port-Based VLAN Stacking Defaults VLAN Stacking mode: legacy VLAN Stacking (vstk) Carries customer or provider traffic: Customer Traffic SVLAN administrative Status: Enabled Internal prioritization value and egress shaping for the SVLAN: 0 Vlan Stacking port type: User-customer-port Vendor TPID for VLAN Stacking network port: 0x88a8 Treatment of customer STP and GVRP frames ingressing on VLAN Stacking user-customer and userprovider ports: Flooded Acceptable frame types on user-customer and user-provider ports:Tagged and untagged Treatment of tagged packets upon an SVLAN lookup miss: Drop Legacy BPDU support for STP or GVRP on VLAN Stacking network ports Binding mode of VLAN Stacking port to an SVLAN: Double-tag
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 254 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
VLAN Stacking provides a mechanism for defining a transparent bridging configuration through a service provider network. This type of configuration is achieved using one of two methods: servicebased VLAN Stacking or port-based VLAN Stacking. The service-based approach provides the ability to configure Ethernet services to provide VLAN Stacking functionality. The port-based approach requires configuring VLAN Stacking functionality on a port level or port-VLAN level. See VLAN Stacking Modes on page 7-8 for more information. The major components of VLAN Stacking that provide this type of functionality are described as follows: Provider Edge (PE) BridgeAn Ethernet switch that resides on the edge of the service provider network. The PE Bridge interconnects customer network space with service provider network space. A switch is considered a PE bridge if it transports packets between a customer-facing port and a network port or between two customer-facing ports. Transit BridgeAn Ethernet switch that resides inside the service provider network and provides a connection between multiple provider networks. It employs the same SVLAN on two or more network ports. This SVLAN does not terminate on the switch itself; traffic ingressing on a network port is switched to other network ports. It is also possible for the same switch to function as a both a PE Bridge and a Transit Bridge. Tunnel (SVLAN)A tunnel, also referred to as an SVLAN, is a logical entity that connects customer networks by transparently bridging customer traffic through a service provider network. The tunnel is defined by an SVLAN tag that is appended to all customer traffic. This implementation provides the following three types of SVLANs, which are both defined by the type of traffic that they carry: an SVLAN that carries customer traffic an SVLAN that carries provider management traffic an IP Multicast VLAN (IPMVLAN) that distributes multicast traffic Note that port-based VLAN Stacking does not support two or more customers sharing the same tunnel Network Network Interface (NNI)An NNI is a port that resides on either a PE Bridge or a Transit Bridge and connects to a service provider network. Traffic ingressing on a network port is considered SVLAN traffic and is switched to a customer-facing port or to another network port. User Network Interface (UNI)A UNI is a port that resides on a PE bridge that connects to a customer network and carries customer traffic. The UNI may consist of a single port or an aggregate of ports and can accept tagged or untagged traffic. Note that port-based VLAN Stacking provides two types of UNI ports: user-customer port and userprovider port. A user-customer port connects to a customer network and carries customer traffic; a user-provider port carries provider management traffic.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 255 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IPv4 Routing
IPv6 Routing
Internet Protocol (IP) is a network-layer (Layer 3) protocol that contains addressing and control information that allow packets to be forwarded on a network. IP is the primary network-layer protocol in the Internet protocol suite. Along with the Transmission Control Protocol (TCP), IP represents the heart of the Internet protocols. IP is associated with several Layer 3 and Layer 4 protocols. These protocols are built into the base code loaded on the switch and they include: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) Bootstrap Protocol (BOOTP)/Dynamic Host Configuration Protocol (DHCP) Simple Network Management Protocol (SNMP) Telnet and File Transfer Protocol (FTP) Address Resolution Protocol (ARP) Internet Control Message Protocol (ICMP) RIPv1 & RIPv2 and Static Routes The base IP software allows one to configure an IP router port, static routes, a default route, the Address Resolution Protocol (ARP), the router primary address, the router ID, the Time-to-Live (TTL) Value, IP-directed broadcasts, and the Internet Control Message Protocol (ICMP). In addition, this software allows one to trace IP route, display Transmission Control Protocol (TCP) information, and display User Data-gram Protocol (UDP) information. OmniSwitch 6850/OS9000 supports hardware routing/flooding to static arp with multicast MAC address. Note. The switch operates only in single MAC router mode. In this mode, each router VLAN is assigned the same MAC address, which is the base chassis MAC address for the switch. IPv6 (documented in RFC 2460) is designed as a successor to IPv4 and is supported on the OmniSwitch 6850 and 9000. The changes from IPv4 to IPv6 fall primarily into the following categories: Address size increased from 32 bits (IPv4) to 128 bits (IPv6) Dual Stack IPv4/IPv6 ICMPv6 Neighbor Discovery Stateless Auto-configuration OSPFv3 RIPng Static Routes Tunneling: Configured and 6-to-4 dynamic tunneling Ping, trace-route DNS client using Authority records Telnetv6 - Client and server File Transfer Protocol (FTPv6) Client and server SSHv6 Client and Server OmniSwitch 6850 and 9000 switches support hardware-based IPv6 routing. Note. The switch operates only in single MAC router mode. In this mode, each router VLAN is assigned the same MAC address, which is the base chassis MAC address for the switch Route map redistribution provides the ability to control which routes from a source protocol are learned and distributed into the network of a destination protocol. A route map consists of one or more user-defined statements that can determine which routes are allowed or denied access to the network. In addition, a route map may also contain statements that modify route parameters before they are redistributed. Redistribution is configured by specifying a source and destination protocol and the name of an existing route map. Criteria specified in the route map are applied to routes received from the source protocol.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 256 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Tunneling
Routing Protocols
Tunneling is a mechanism that can encapsulate a wide variety of protocol packet types and route them through the configured tunnels. Tunneling is used to create a virtual point-to-point link between routers at remote points in a network. This feature supports the creation, administration, and deletion of IP interfaces whose underlying virtual device is a tunnel. The Alcatel-Lucent implementation provides support for two tunneling protocols: Generic Routing Encapsulation (GRE) and IP encapsulation within IP (IPIP). Note. The tunneling feature is supported by OmniSwitch 6850 and OmniSwitch 9000. Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels. GRE is used to create a virtual point-to-point link between routers at remote points in a network. This feature supports the creation, administration, and deletion of IP interfaces whose underlying virtual device is a GRE tunnel. Generic Routing Encapsulation overview GRE encapsulates a packet that needs to be carried over the GRE tunnel with a GRE header. The resulting packet is then encapsulated with an outer header by the delivery protocol and forwarded to the other end of the GRE tunnel. The destination IP address field in the outer header of the GRE packet contains the IP address of the router at the remote end of the tunnel. The router at the receiving end of the GRE tunnel extracts the original payload and routes it to the destination address specified in the payloads IP header. Consider the following when configuring the GRE tunnel interfaces: A switch can support up to 8 GRE tunnel interfaces. The features such as Multinetting, Egress ACL, NAT, QoS, and VRRP are not supported on the GRE tunnel interfaces. IPIP tunneling is a method by which an IP packet is encapsulated within another IP packet. The Source Address and Destination Address of the outer IP header identifies the endpoints of tunnel. Whereas Source Address and Destination Address of the inner IP header identifies the original sender and recipient of the packet, respectively. The IP/IP tunneling feature allows IP traffic to be tunneled through an IP network. This feature can be used to establish connectivity between remote IP networks using an intermediate IP network such as the Internet. Consider the following when configuring the IPIP tunnel interfaces: A switch can support up to 127 IPIP tunnel interfaces. IPIP tunnel interfaces are included in the maximum number of IP interfaces that are supported on the switch. IP is a network-layer (Layer 3) protocol that contains addressing information and some control information that enables packets to be forwarded. IP is documented in RFC 791 and is the primary network-layer protocol in the Internet protocol suite. Along with the Transmission Control Protocol (TCP), IP represents the heart of the Internet protocols. IP is enabled on the switch by default. Static IP Routing is supported. Dynamic IP Routing support: VRRPv2&v3, RIPv1, RIPv2, and OSPFv2&v3 Router Discover Protocol (RDP): The Router Discovery Protocol (RDP) is an extension of ICMP that allows end hosts to discover routers on their networks. This implementation of RDP supports the router requirements as defined in RFC 1256. L3 Routing Protocols (IPv4) IP Routing Static routing RIP v1 & v2 OSPF v2 BGP v4 Multicast IGMP v1, v2 & v3 snooping PIM-SM PIM-DM DVMRP Network Protocol TCP/IP stack ARP DHCP relay Generic UDP relay per VLAN Resilience VRRP v2 L3 Routing Protocols (IPv6) IP Routing Static routing RIPng OSPF v3 Multicast MLD snooping
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 257 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
PIM-SM PIM-DM Network Protocol TCP/IP stack DHCP relay (including generic UDP relay) ARP Resilience VRRPv3 Layer-3 Routing (IPX) IPX Routing Static routing RIP/SAP Examples of Routed protocols which is supported in OmniSwitch-6850: TCP/UDP, Telnet, and FTP OmniSwitch 6850 switches support provide configurable weight for each routing protocol (including static routes) to control which entry to prefer when two entries exist from different sources. By default, local routes always have precedence. In the CLI use the ip route-pref command to configure the routing preference. Internet Protocol (IP) is primarily a network-layer (Layer 3) protocol that contains addressing and control information that enables packets to be forwarded. Along with Transmission Control Protocol (TCP), IP represents the heart of the Internet protocols. IP has two primary responsibilities: providing connection-less, best-effort delivery of Datagrams through an Internetwork; and providing fragmentation and reassembly of Datagrams to support data links with different Maximum Transmission Unit (MTU) sizes. IP is enabled on the switch by default and there are few options that can, or need to be, configured. Note. IP routing (Layer 3) can be accomplished by using static routes or by using one of the IP routing protocols such as Routing Information Protocol (RIP), or Open Shortest Path First (OSPFv2). There are two versions of Internet Protocol supported, IPv4 and IPv6. IP Specifications: RFCs Supported RFC 791Internet Protocol RFC 792Internet Control Message Protocol RFC 826An Ethernet Address Resolution Protocol 2784Generic Routing Encapsulation (GRE) 2890Key and Sequence Number Extensions to GRE (extensions defined are not supported) 1701Generic Routing Encapsulation (GRE) 1702Generic Routing Encapsulation over IPV4 Networks 2003-IP Encapsulation within IP. Maximum VLANs per switch: 4094 (including default VLAN 1) Maximum router VLANs per switch: 4094 IP and 256 IPX (single MAC router mode) Maximum IP interfaces per VLAN: 8 Maximum number of GRE tunnel interfaces:8 Maximum IP interfaces per switch: 4096 Maximum number of IPIP tunnel interfaces: 127 Routing protocols supported over the tunnel Interfaces: RIP, OSPF, and BGP Maximum ARP filters per switch :200 IP Forwarding: IP is enabled by default. Using IP, devices connected to ports on the same VLAN are able to communicate. However, to forward packets to a different VLAN, you must create a router port on each VLAN. Adds support for a 31-bit net mask to allow for a point-to-point Ethernet network between two routers.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 258 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Internet Protocol version 6 (IPv6) is the next generation of Internet Protocol version 4 (IPv4). Both versions are supported along with the ability to tunnel IPv6 traffic over IPv4. Implementing IPv6 solves the limited address problem currently facing IPv4, which provides a 32-bit address space. IPv6 increases the address space available to 128 bits. IPv6 Overview: IPv6 provides the basic functionality that is offered with IPv4 but includes the following enhancements and features not available with IPv4: Increased IP address sizeIPv6 uses a 128-bit address, a substantial increase over the 32-bit IPv4 address size. Providing a larger address size also significantly increases the address space available, thus eliminating the concern over running out of IP addresses. Auto-configuration of addressesWhen an IPv6 interface is created or a device is connected to the switch, an IPv6 link-local address is automatically assigned for the interface and/or device. Anycast addressesA new type of address. Packets sent to an Anycast address are delivered to one member of the Anycast group. Simplified header formatA simpler IPv6 header format is used to keep the processing and bandwidth cost of IPv6 packets as low as possible. As a result, the IPv6 header is only twice the size of the IPv4 header despite the significant increase in address size. Improved support for header optionsImproved header option encoding allows more efficient forwarding, fewer restrictions on the length of options, and greater flexibility to introduce new options. Security improvementsExtension definitions provide support for authentication, data integrity, and confidentiality. Neighbor Discovery protocolA protocol defined for IPv6 that detects neighboring devices on the same link and the availability of those devices. Additional information that is useful for facilitating the interaction between devices on the same link is also detected (e.g., neighboring address prefixes, address resolution, duplicate address detection, link MTU, and hop limit values, etc.). This implementation of IPv6 also provides the following mechanisms to maintain compatibility between IPv4 and IPv6: Dual-stack support for both IPv4 and IPv6 on the same switch Configuration of IPv6 and IPv4 interfaces on the same VLAN. Tunneling of IPv6 traffic over an IPv4 network infrastructure Embedded IPv4 addresses in the four lower-order bits of the IPv6 address. The remainder of this section provides a brief overview of the new IPv6 address notation, autoconfiguration of addresses, and tunneling of IPv6 over IPv4.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 259 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IPv6 Specifications Note: RFC 2893 has been obsoleted by RFC4213. RFC4213 is now supported, but it does not include Automatic tunnels. Therefore, the main difference is that the new RFC4213 does not contain an automatic tunneling capability.
RFCs Supported: 2460Internet Protocol, Version 6 (IPv6) Specification 2461Neighbor Discovery for IP Version 6 (IPv6) 2462IPv6 Stateless Address Auto-configuration 2463Internet Control Message Protocol (ICMPv6) for the IPv6 Specification 2464Transmission of IPv6 Packets Over Ethernet Networks 2893Transition Mechanisms for IPv6 Hosts and Routers 3513Internet Protocol Version 6 (IPv6) Addressing Architecture 3056Connection of IPv6 Domains via IPv4 Clouds Maximum VLANs per switch: 4094 (including default VLAN 1) Maximum IPv6 router VLANs per switch: 4094 IP and 256 IPX (single MAC router mode) Maximum IPv4 router VLANs per switch: 4094 IP and 256 IPX (single MAC router mode) Maximum IPv4interfcase per VLAN: 1 Maximum ARP entries per system: 4K Maximum IPv6 interfaces per tunnel: 1 Maximum IPv6 static routes: 1,000 routes Maximum RIPng routes: 5K Maximum RIPng interfaces: 100 Maximum OSPFv3 routes: 10K Maximum OSPFv3 interfaces: 10 Maximum OSPFv3 adjacencies: 10 Maximum OSPFv3 areas: 5 Maximum OSPFv3 sessions: 1 OSPF ECMP Gateways per destination: 4 Maximum BGP routes: None Maximum IP route entries (RIB): 10K Maximum route entries per FIB: None Maximum BGP peers per system: None OSPF LSDB size: 2000 Maximum IPv6 router interfaces per system -multiple router MAC mode: 256 Maximum 6to4 tunnels per switch: 1 Maximum configured tunnels per switch: 255 IPv6 (documented in RFC 2460) is designed as a successor to IPv4. The changes from IPv4 to IPv6 fall primarily into the following categories: Address size increased from 32 bits (IPv4) to 128 bits (IPv6) Dual Stack IPv4/IPv6 ICMPv6 Neighbor Discovery Stateless Auto configuration RIPng Static Routes Tunneling: Configured and 6-to-4 dynamic tunneling Ping, trace-route FTP and Telnet servers DNS client using Authority records OmniSwitch 6850 & 9000 switches support hardware-based IPv6 routing. Note. The switch operates only in single MAC router mode. In this mode, each router VLAN is assigned the same MAC address, which is the base chassis MAC address for the switch
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 260 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
The Internet Packet Exchange (IPX) protocol, developed by Novell for NetWare, is a Layer 3 protocol used to route packets through IPX networks. (NetWare is Novells network server operating system.). IPX specifies a connectionless datagram similar to the IP packet of TCP/IP networks. An IPX network address consists of two parts: a network number and a node number. The network administrator assigns the IPX network number. The node number is the Media Access Control (MAC) address for a network interface in the end node. Note. IPX routing is software-based only on OmniSwitch 6850 Series switches. This feature supports IPX routing, and fine-tuning IPX using optional IPX configuration parameters (e.g., IPX packet extension, type-20 propagation). It also supports IPX filtering, which is used to control the operation of the IPX RIP/SAP protocols. IPX Specifications: IPX RIP and Service Advertising Protocol (SAP) router specification; version 1.30; May 23, 1996 Part No. 107-000029-001 IPX is associated with additional protocols built into the switch software. The switch supports the following IPX protocols: IPX RIPLayer 3 protocol used by NetWare routers to exchange IPX routing information. IPX RIP and IP RIP functions are similar. IPX RIP uses two metrics to calculate the best route: hop count and ticks. An IPX router periodically transmits packets containing the information currently in its own routing table to neighboring IPX RIP routers to advertise the best route to an IPX destination. SAPLayer 3 protocol used by NetWare routers to exchange IPX routing information. SAP is similar in concept to IPX RIP. Just as RIP enables NetWare routers to exchange information about routes, SAP enables NetWare devices to exchange information about available network services. NetWare workstations use SAP to obtain the network addresses of NetWare servers. IPX routers use SAP to gather service information and then share it with other IPX routers. Sequenced Packet Exchange (SPX)Transport-layer protocol that provides a reliable end-to-end communications link by managing packet sequencing and delivery. SPX does not play a direct role in IPX routing; it simply guarantees the delivery of routed packets. IP is both connectionless (it forwards each datagram separately) and unreliable (it does not guarantee delivery of Datagrams). This means that a datagram may be damaged in transit, or thrown away by a busy switch, or simply never make it to its destination. The resolution of these transit problems is to use a Layer 4 transport protocol, such as: TCPA major data transport mechanism that provides reliable, connection-oriented, full-duplex data streams. While the role of TCP is to add reliability to IP, TCP relies upon IP to do the actual delivering of Datagrams. UDPA secondary transport-layer protocol that uses IP for delivery. UDP is not connection-oriented and does not provide reliable end-to-end delivery of Datagrams. But some applications can safely use UDP to send Datagrams that do not require the extra overhead added by TCP. Application-layer protocols are used for switch configuration and management: Bootstrap Protocol (BOOTP)/Dynamic Host Configuration Protocol (DHCP)May be used by an end station to obtain an IP address. The switch provides a DHCP Relay that allows BOOTP requests/replies to cross-different networks. Simple Network Management Protocol (SNMP)Allows communication between SNMP managers and SNMP agents on an IP network. Network administrators use SNMP to monitor network performance and manage network resources. TelnetUsed for remote connections to a device. You can telnet to a switch and configure the switch and the network using the CLI. File Transfer Protocol (FTP)Enables the transfer of files between hosts. This protocol is used to load new images onto the switch. There are several additional IP-related protocols that may be used with IP forwarding. These protocols are included as part of the base code. Address Resolution Protocol (ARP)Used to match the IP address of a device with its physical (MAC) address. Internet Control Message Protocol (ICMP)Specifies the generation of error messages, test packets, and informational messages related to IP. ICMP supports the ping command used to determine if hosts are online. Router Discovery Protocol (RDP)Used to advertise and discover routers on the LAN. Multicast ServicesIncludes IP multicast switching (IPMS)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 261 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IP Services
ICMP support
Routing Information Protocol (RIP) RIPv1&2 is supported Maximum number of IP Routes: 48K Maximum number of RIPv2 Interfaces per Router: 6 Maximum number of RIPv2 Peers per Router, one per interface: 6 Maximum number of RIPv2 routes: 8K
RIPng
Static routes are user-defined routes that allow you to define, or customize, an explicit path to an IP network segment, which is then added to the IP Forwarding table. Static routes can be created between VLANs to enable devices on these VLANs to communicate. When you create a static route, the default metric value of 1 is used. However, you can change the priority of the route by increasing its metric value. The lower the metric value, the higher the priority. This metric is added to the metric cost of the route. The metric range is 1 to 15. Static routes do not age out of the IP Forwarding table; you must delete them from the table. Note. A static route is not active unless the gateway it is using is active. A default route can be configured for packets destined for networks that are unknown to the switch. To send packets on a locally connected network, the switch uses ARP to match the IP address of a device with its physical (MAC) address. To send a data packet to a device with which it has not previously communicated, the switch first broadcasts an ARP request packet. The ARP request packet requests the Ethernet hardware address corresponding to an Internet address. All hosts on the receiving Ethernet receive the ARP request, but only the host with the specified IP address responds. If present and functioning, the host with the specified IP address responds with an ARP reply packet containing its hardware address. The switch receives the ARP reply packet, stores the hardware address in its ARP cache for future use, and begins exchanging packets with the receiving device. Note: Local Proxy ARP is also supported. This feature enhances how the OmniSwitch can respond to an ARP DoS attack by not adding entries to the forwarding table until the net hop ARP entry can be resolved. This feature detects the presence of an ARP-Poisoning host on the network using configured restricted IP addresses for which the switch, on sending an ARP request, should not get back an ARP response. If an ARP response is received, the event is logged and the user is alerted using an SNMP trap. By default ARP requests are not added to the ARP cache. Only router solicited ARP requests will be added to the cache. The TTL value is the default value inserted into the TTL field of the IP header of Datagrams originating from the switch whenever a TTL value is not supplied by the transport layer protocol. The value is measured in hops. The default hop count is 64. The valid range is 1 to 255. When a switch initially boots up, all supported TCP/UDP well-known service ports are enabled (open). Although these ports provide access for essential switch management services, such as telnet, ftp, snmp, etc., they also are vulnerable to DoS attacks. It is possible to scan open service ports and launch such attacks based on well-known port information. The ip service command allows you to selectively disable (close) TCP/UDP well-known service ports and enable them when necessary. This command only operates on TCP/UDP ports that are opened by default. It has no affect on ports that are opened by loading applications, such as RIP etc. In addition, the ip service command allows you to designate which port to enable or disable by specifying the name of a service or the well-known port number associated with that service. ICMP is a network layer protocol within the IP protocol suite that provides message packets to report errors and other IP packet processing information back to the source. ICMP generates several kinds of useful messages, including Destination Unreachable, Echo Request and Reply, Redirect, Time Exceeded, and Router Advertisement and Solicitation. Routing Information Protocol (RIP) is a widely used Interior Gateway Protocol (IGP) that uses hop count as its routing metric. RIP-enabled routers update neighboring routers by transmitting a copy of their own routing table. The RIP routing table uses the most efficient route to a destination that is, the route with the fewest hops and longest matching prefix. The switch supports RIP version 1 (RIPv1), RIP version 2 (RIPv2), and RIPv2 that is compatible with RIPv1. It also supports text key and MD5 authentication, on an interface basis, for RIPv2. Release 6.3.1 added ECMP capability for up to 4 paths. RIP Specifications: RFC 1058RIP v1 RFC 2453RIP v2 RFC 1722RIP v2 Protocol Applicability Statement RFC 1724RIP v2 MIB Extension The OmniSwitch 6850/9000 switches support Routing Information Protocol next generation (RIPng) for IPv6 networks. RIPng is based on RIPv1/RIPv2 and is an Interior Gateway Protocol (IGP) best suited for moderate sized networks. The 6.1.5 release provides the ability to configure the following key RIP timer values: Update The time interval between advertisement intervals. InvalidThe amount of time before an active route expires and transitions to the garbage state. GarbageThe amount of time an expired route remains in the garbage state before it is removed from the RIB. HolddownThe amount of time during which a route remains in the hold-down state.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 262 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OSPFv2 Specifications
The following values are the maximum limits enforced by the code. Maximum number of Areas (per router): 32 Maximum number of Interfaces (per area): 100 Maximum number of Interfaces (per router): 32 x 100 (Limited only by max. num of IPv4 interfaces = 4096) Maximum number of Link State Database entries (per router): 96K Maximum number of neighbors/adjacencies (per router): 254 Maximum number of neighbors/adjacencies (per area): 128 Maximum number of routes (per router): 96K Maximum number of OSPFv2- ECMP gateways (per destination): 4 Max number of OSPFv2 Sessions: 1 The following values are the tested limits with functionally verified (stress test). On OS6850 ABR routers: Max number of IP Routes on OS6850 router: 12K Max number of OSPFv2 Routes on OS6850 router: 12K Max number of OSPFv2 Interfaces on OS6850 ABR: 48 Max number of OSPFv2 Areas on OS6850 ABR: 6 Max number of OSPFv2 Adjacencies on OS6850 ABR: 48 Max number of LSAs on OS6850 ABR: 12K Tested number of OSPFv2- ECMP gateways (per destination): 4 Max number of OSPFv2 Sessions: 1 On OS6850 non-ABR routers: Max number of IP Routes on OS6850 router: 96K Max number of OSPFv2 Routes on OS6850 router: 96K Max number of OSPFv2 Interfaces on OS6850 non-ABR: 27 Max number of OSPFv2 Areas on OS6850 non-ABR: 6 Max number of OSPFv2 Adjacencies on OS6850 non-ABR: 27 Max number of LSAs on OS6850 non-ABR: 24K Tested number of OSPFv2- ECMP gateways (per destination): 4 Max number of OSPFv2 Sessions: 1 Notes: Please note that, the above OSPFv2 specifications may vary depending on the available system resources, and/or customer specific networking requirements & configurations. Please also note that, depending on the number of Areas, Interfaces, Adjacencies, and Neighbors configured, the maximum number of routes may vary. Please contact our customer Service & Support team, should your required specifications fall between "the limits as enforced by the code" and "the limits as functionally tested".
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 263 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Open Shortest Path First routing (OSPF) support OSPFv2 & OSPFv3 are supported Open Shortest Path First version 3 (OSPFv3) is available. OSPFv3 is an extension of OSPF version 2 (OSPFv2) that provides support for networks using the IPv6 protocol. OSPFv2 is for IPv4 networks. Both versions of OSPF are shortest path first (SPF), or link-state, protocols for IP networks. Also considered interior gateway protocols (IGP), both versions distribute routing information between routers in a single Autonomous System (AS). OSPF chooses the least-cost path as the best path. OSPF is suitable for complex networks with a large number of routers by providing faster convergence, loop free routing, and equal-cost multi-path routing where packets to a single destination can be sent to more than one interface simultaneously. OSPF adjacencies over non-broadcast links are also supported. In addition, OSPFv2 supports graceful (hitless) support during failover, which is the time period between the restart and the reestablishment of adjacencies after a planned (e.g., the users performs the takeover) or unplanned (e.g., the primary management module unexpectedly fails) failover. Note that OSPFv3 does not support graceful restart.
Open Shortest Path First routing (OSPF) is a shortest path first (SPF), or link state, protocol. OSPF is an interior gateway protocol (IGP) that distributes routing information between routers in a single Autonomous System (AS). OSPF chooses the least-cost path as the best path. OSPF is suitable for complex networks with large numbers of routers since it provides faster convergence where multiple flows to a single destination can be forwarded on one or more interfaces simultaneously. The following features are also supported: Graceful (Hitless) Support During Fail-over, which is the time period between the restart and the reestablishment of adjacencies after a planned (e.g., the users performs the takeover) or unplanned (e.g., the primary management module unexpectedly fails) fail-over. OSPF adjacencies over non-broadcast links. Continuous forwarding during a graceful restart depends on several factors. If the secondary module has a different router MAC than the primary module, or if one or more ports of a VLAN belonged to the primary module, spanning tree re-convergence might disrupt the forwarding state, even though OSPF performs a graceful restart. OSPFv2 Specifications: RFCs Supported: 1370Applicability Statement for OSPF 1850OSPF Version 2 Management Information Base 2328OSPF Version 2 2370The OSPF Opaque LSA Option 3101The OSPF Not-So-Stubby Area (NSSA) Option 3623Graceful OSPF Restart The following values are the maximum limits enforced by the code. Maximum number of Areas (per router): 32 Maximum number of Interfaces (per area): 100 Maximum number of Interfaces (per router): 32 x 100 (Limited only by max. num of IPv4 interfaces = 4096) Maximum number of Link State Database entries (per router): 96K Maximum number of neighbors/adjacencies (per router): 254 Maximum number of neighbors/adjacencies (per area): 128 Maximum number of routes (per router): 96K Maximum number of OSPFv2- ECMP gateways (per destination): 4 Max number of OSPFv2 Sessions: 1 The following values are the tested limits with functionally verified (stress test). On OS6850 ABR routers: Max number of IP Routes on OS6850 router: 12K Max number of OSPFv2 Routes on OS6850 router: 12K Max number of OSPFv2 Interfaces on OS6850 ABR: 48 Max number of OSPFv2 Areas on OS6850 ABR: 6 Max number of OSPFv2 Adjacencies on OS6850 ABR: 48 Max number of LSAs on OS6850 ABR: 12K Tested number of OSPFv2- ECMP gateways (per destination): 4 Max number of OSPFv2 Sessions: 1 On OS6850 non-ABR routers: Max number of IP Routes on OS6850 router: 96K Max number of OSPFv2 Routes on OS6850 router: 96K Max number of OSPFv2 Interfaces on OS6850 non-ABR: 27 Max number of OSPFv2 Areas on OS6850 non-ABR: 6 Max number of OSPFv2 Adjacencies on OS6850 non-ABR: 27 Max number of LSAs on OS6850 non-ABR: 24K Tested number of OSPFv2- ECMP gateways (per destination): 4 Max number of OSPFv2 Sessions: 1 OSPFv3 Specifications: RFCs supported: 2740 -OSPF for IPv6 1826 - IP Authentication Header 1827 - IP Encapsulating Security Payload 2553 - Basic Socket Interface Extensions for IPv6 2373 - IPv6 Addressing Architecture 2374 - An IPv6 Aggregatable Global Unicast Address Format 2460 - IPv6 base specification Internet Drafts Supported: draft-ietf-ospf-ospfv3-graceful-restart-xx.txtOSPFv3 Graceful Restart draft-ietf-ospf-ospfv3-mibxx.txtManagement Information Base for OSPFv3 draft-ietf-ospf-ospfv3-update-00.txtOSPF for IPv6 draft-ietf-ospf-ospfv3-auth-05.txtAuthentication/ Confidentiality for OSPFv3
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 264 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Route Redistribution
IS-IS
draft-ietf-ospf-ospfv3-mib-08.txtMIB Maximum number of Areas (per router): TBS Maximum number of Interfaces (per router): TBS Maximum number of Link State Database entries (per router): TBS Maximum number of adjacencies (per router): TBS Maximum number of ECMP gateways (per destination): TBS Maximum number of neighbors (per router); TBS Maximum number of routes (per router): TBS Notes: Please note that, the above OSPF specifications may vary depending on the available system resources, and/or customer specific networking requirements & configurations. Please also note that, depending on the number of Areas, Interfaces, Adjacencies, and Neighbors configured, the maximum number of routes may vary. Please contact our customer Service & Support team, should your required specifications fall between "the limits as enforced by the code" and "the limits as functionally tested". Using information from its continuously updated databases, OSPF calculates the shortest path to a given destination. Shortest path is determined from metric values at each hop along a path. At times, two or more paths to the same destination will have the same metric cost. OSPF allows for the use of authentication on configured interfaces. When authentication is enabled, only neighbors using the same type of authentication and the matching passwords or keys can communicate. There are two types of authentication: simple and MD5. Simple authentication requires only a text string as a password, while MD5 is a form of encrypted authentication that requires a key and a password. Both types of authentication require the use of more than one command. Redistribution provides a way to exchange routing information between RIP networks and OSPF networks; and also redistributes local and static routes. For example, redistribution makes a non-RIP route look like a RIP route. Route redistribution between RIPv1/v2, and OSPF is supported. It also has filtering capabilities. Intermediate System-to-Intermediate System (IS-IS) is an International Organization for Standardization (ISO) dynamic routing specification. IS-IS is a shortest path first (SPF), or link state protocol. It is an interior gateway protocol (IGP) that distributes routing information between routers in a single Autonomous System (AS) in IP as well as in OSI environments. IS-IS chooses the least-cost path as the best path. IS-IS is suitable for complex networks with large number of routers since it provides faster convergence where multiple flows to a single destination can be forwarded through one or more interfaces simultaneously. IS-IS is also an ISO Connectionless Network Protocol (CLNP). It communicates with its peers using the Connectionless Mode Network Service (CLNS) PDU packets, which means that even in an IP-only environment the IS-IS router must have an ISO address. ISO network-layer addressing is done through Network Service Access Point (NSAP) addresses that identify any system in the OSI network. IS-IS Specifications: RFCs Supported: 1142-OSI IS-IS Intra-domain Routing Protocol 1195OSI IS-IS for Routing in TCP/IP and Dual Environments Maximum number of areas (per router): 3 Maximum number of L1 adjacencies per interface (per router): 70 Maximum number of L2 adjacencies per interface (per router): 70 Maximum number of IS-IS interfaces (per router): 70 Maximum number of Link State Packet entries (per adjacency): 255 Maximum number of IS-IS routes: 24000 Maximum number of IS-IS L1 routes: 12000 Maximum number of IS-IS L2 routes: 12000 Release 6.3.1 adds support for the OS-9000 as well as simple and MD5 authentication.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 265 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
The Border Gateway Protocol (BGP) is an exterior routing protocol that guarantees the loop-free exchange of routing information between autonomous systems. The Alcatel-Lucent implementation supports BGP version 4 as defined in RFC 1771. The Alcatel-Lucent implementation of BGP is designed for enterprise networks, specifically for border routers handling a public network connection, such as the organizations Internet Service Provider (ISP) link. Up to 65,000 route table entries and next hop routes can be supported by BGP. On OmniSwitch devices in a redundant stacking configuration, during a management takeover/failover, interdomain routing is disrupted. Alcatel.Lucent Operating System BGP needs to retain forwarding information, also help a peering router performing a BGP restart to support continuous forwarding for inter-domain traffic flows by following the BGP graceful restart mechanism. BGPv4 Specifications: RFCs Supported: 1771A Border Gateway Protocol 4 (BGP-4) 2385Protection of BGP Sessions via the TCP MD5 Signature Option 2439BGP Route Flap Damping 2842Capabilities Advertisement with BGP-4 2042Registering New BGP Attribute Types 1997BGP Communities Attribute 1998An Application of the BGP Community Attribute in Multi-Home Routing 1966BGP Route Reflection: An Alternative to Full Mesh IBGP 1965Autonomous System Confederations for BGP 1773Experience with BGP-4 Protocol 1774BGP-4 Protocol Analysis 1657Definitions of Managed Objects for the Fourth Version of the Border Gateway Protocol (BGP-4) Using SMIv2 BGP Attributes Supported: Origin, AS Path, Next Hop, MED, Local Preference, Atomic Aggregate, Aggregator, Community, Originator ID, Cluster List Maximum BGP Peers per Router: 8 Maximum number of routes supported: 30,000 Range for AS Numbers: 1 to 65535 Range of Local Preference Values: 0 to 4294967295 Range for Confederation Ids: 0 to 65535 Range for MED Attribute: 0 to 4294967295 The OmniSwitch provides IPv6 support for BGP using Multiprotocol Extensions. The same procedures used for IPv4 prefixes can be applied for IPv6 prefixes as well and the exchange of IPv4 prefixes will not be affected by this new feature. However, there are some attributes that are specific to IPv4, such as AGGREGATOR, NEXT_HOP and NLRI. Multiprotocol Extensions for BGP also supports backward compatibility for the routers that do not support this feature. This implementation supports Multiprotocol BGP as defined in the following RFCs: 4271, 2439, 3392, 2385, 1997, 4456, 3065, 4273, 4760, and 2545. Note that IPv6 extensions for BGP are only supported on the OmniSwitch 6850 and 9000. Release 6.3.1 adds WebView and SNMP support. BGP Graceful Restart is supported and is enabled by default. On OmniSwitch devices in a redundant stacking configuration, during a management takeover/failover, interdomain routing is disrupted. Alcatel-Lucent Operating System BGP needs to retain forwarding information and also help a peering router performing a BGP restart to support continuous forwarding for inter-domain traffic flows by following the BGP graceful restart mechanism. The Router Discovery Protocol (RDP) is an extension of ICMP that allows end hosts to discover routers on their networks. This implementation of RDP supports the router requirements as defined in RFC 1256. Using RDP, hosts attached to multicast or broadcast networks send solicitation messages when they start up. Routers respond to solicitation messages with an advertisement message that contains the router IP addresses. In addition, routers send advertisement messages when their RDP interface becomes active and then subsequently at random intervals. RDP Specifications: RFCs Supported: RFC 1256ICMP Router Discovery Messages Router advertisements: Supported Host solicitations: Only responses to solicitations supported in this release. Max no of RDP interfaces per switch: One for each available IP interface configured on the switch. Advertisement destination addresses: 224.0.0.1 (all systems multicast), 255.255.255.255 (broadcast)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 266 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
DHCP Relay
The User Datagram Protocol (UDP) is a connectionless transport protocol that runs on top of IP networks. UDP is used for applications that do not require the establishment of a session and end-toend error checking. Email and file transfer are two applications that could use UDP. UDP offers a direct way to send and receive data-grams over an IP network and is primarily used for broadcasting messages. The UDP Relay feature allows UDP broadcast packets to be forwarded across groups and VLANs that have IP routing enabled. UDP Relay ensures that the DHCP mechanism is operational and it allows you to use non-routable protocols in a routing environment. UDP Relay is configured using the ip helper set of commands. The DHCP Relay allows you to use non-routable protocols (such as UDP) in a routing environment. In addition to BOOTP/DHCP relay, generic UDP relay is available. Using generic UDP relay, traffic destined for well-known service ports (e.g., NBNS/NBDD, DNS, TFTP, and TACACS) or destined for a user-defined service port can be forwarded to a maximum of 256 VLANs on the switch. The DHCP Relay service, its corresponding port numbers, and configurable options are as follows: DHCP Relay Service: BOOTP/DHCP UDP Port Numbers 67/68 for Request/Response Configurable options: DHCP server IP address, Forward Delay, Maximum Hops, Forwarding Option, automatic switch IP configuration. DHCP Relay Specifications: RFCs Supported: 0951Bootstrap Protocol 1534Interoperation Between DHCP and BOOTP 1541Dynamic Host Configuration Protocol 1542Clarifications and Extensions for the Bootstrap Protocol 2132DHCP Options and BOOTP Vendor Extensions 3046-DHCP Relay Agent Information Option, 2001 DHCP Relay Implementation: Global DHCP Per-VLAN DHCP AVLAN DHCP DHCP Relay Service: BOOTP/DHCP (Bootstrap Protocol/Dynamic Host Configuration Protocol) UDP Port Numbers: 67 for Request, 68 for Response IP address allocation mechanisms: AutomaticDHCP assigns a permanent IP address to a host. DynamicDHCP assigns an IP address to a host for a limited period of time (or until the host explicitly relinquishes the address). ManualThe network administrator assigns a hosts IP address and the DHCP conveys the address assigned by the host. IP addresses supported for each Relay Service: Maximum of 256 IP addresses for each Relay Service. IP addresses supported for the Per-VLAN service: Maximum of 8 IP addresses for each VLAN relay service. Maximum of 256 VLAN relay services. Maximum number of UDP relay services allowed per switch: 3 Maximum number of VLANs to which forwarded UDP service port traffic is allowed: 256 Maximum number of DHCP Snooping VLANs: 64 DHCP Relay allows you to forward DHCP broadcast requests to configurable DHCP server IP address in a routing environment. DHCP Relay is configured using the IP helper set of commands. Pre-boot Execution Environment (PXE) support was enabled by default in previous releases. Note that in release 6.3.1r01, it is disabled by default and is now a user-configurable option using the ip helper pxe-support command. The OmniSwitch allows you to configure the UDP Relay feature based on the VLAN ID of the DHCP request. For the Per-VLAN service, you identify the number of the VLAN that makes the relay request. You may identify one or more server IP addresses to which DHCP packets will be sent from the specified VLAN. Both standard and per VLAN modes are supported. It is possible to configure multiple DHCP relay (ip helper) addresses on a per-vlan basis. For the Per-VLAN service, identify the number of the VLAN that makes the relay request. You may identify one or more server IP addresses to which DHCP packets will be sent from the specified VLAN. Both standard and per VLAN modes are supported.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 267 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
DHCP Security Features: DHCP Option-82 o Relay agent (switch) includes information about itself when forwarding client-originated DHCP packets to a DHCP server DHCP Snooping o Per Port/Per VLAN o Disabled by default o Binding database build: slot/port/MAC/IP IP spoof protection o Based on the information in the binding database ACL created Note: the DHCP Option-82 and DHCP Snooping are part of Residential bridging features DHCP Option-82 (Relay Agent Information Option)
There are two DHCP security features available: DHCP relay agent information option (Option-82) and DHCP Snooping. The DHCP Option-82 feature enables the relay agent to insert identifying information into client-originated DHCP packets before the packets are forwarded to the DHCP server. The DHCP Snooping feature filters DHCP packets between untrusted sources and a trusted DHCP server and builds a binding database to log DHCP client information. Although DHCP Option-82 is a subcomponent of DHCP Snooping, these two features are mutually exclusive. If the DHCP Option-82 feature is enabled for the switch, then DHCP Snooping is not available. The reverse is also true; if DHCP Snooping is enabled, then DHCP Option-82 is not available. In addition, the following differences exist between these two features: DHCP Snooping does require and use the Option-82 data insertion capability, but does not implement any other behaviors defined in RFC 3046. DHCP Snooping will automatically drop client DHCP packets that already have Option-82 information present. The DHCP Option-82 feature provides configurable options for dealing with such packets. DHCP Snooping is configurable at the switch level and on a per-VLAN basis, but DHCP Option-82 is only configurable at the switch level.
DHCP Snooping
The DHCP Option-82 feature enables the relay agent to insert identifying information into clientoriginated DHCP packets before the packets are forwarded to the DHCP server. The implementation of this feature is based on the functionality defined in RFC 3046. When DHCP Option-82 is enabled, communications between a DHCP client and a DHCP server are authenticated by the relay agent. To accomplish this task, the agent adds Option-82 data to the end of the options field in DHCP packets sent from a client to a DHCP server. If the relay agent receives a DHCP packet from a client that already contains Option-82 data, the packet is dropped by default. However, it is possible to configure a DHCP Option-82 policy that directs the relay agent to drop, keep, or replace the existing Option-82 data and then forward the packet to the server. DHCP Option-82 is supported on the OmniSwitch 6800 Series, OmniSwitch 6850 Series, and on the OmniSwitch 9000 Series. DHCP Snooping improves network security by filtering DHCP packets received from devices outside the network and building and maintaining a binding table (database) to log DHCP client access information. There are two levels of operation available for the DHCP Snooping feature: switch level or VLAN level. To identify DHCP traffic that originates from outside the network, DHCP Snooping categorizes ports as either trusted or untrusted. A port is trusted if it is connected to a device inside the network, such as a DHCP server. A port is untrusted if it is connected to a device outside the network, such as a customer switch or workstation. The port trust mode is also configurable through the CLI. Additional DHCP Snooping functionality includes the following: Layer 2 DHCP SnoopingApplies DHCP Snooping functionality to bridged DHCP client/server broadcasts without using the relay agent or requiring an IP interface on the client/server VLAN. Traffic SuppressionPrevents the flooding of DHCP packets on the default VLAN for a DHCP Snooping port. Note that enabling traffic suppression on a port will prevent DHCP traffic between a DHCP server and client that belong to the same VLAN domain. IP Source FilteringRestricts DHCP Snooping port traffic to only packets that contain the client source MAC address and IP address obtained from the DHCP lease information. The DHCP Snooping binding table is used to verify the client lease information for the port that is enabled for IP source filtering. Rate LimitingLimits the number of DHCP packets on a port. This functionality is provided using the QoS application to configure ACLs for the port. User-configurable Option 82 Sub-option FormatAllows the user to specify the type of information (switch base MAC address, system name, or user-defined string) that is inserted into the Circuit ID and Remote ID sub-options of the Option-82 field. This functionality only applies when DHCP Snooping Option-82 Data Insertion is enabled.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 268 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
L2 DHCP Snooping
GVRP
By default, DHCP broadcasts are flooded on the default VLAN for the client/server port. If the DHCP client and server are both members of the same VLAN domain, the broadcast packets from these sources are bridged as Layer 2 traffic and not processed by the relay agent. As a result, any active relay agent features (e.g., information Option-82, DHCP Snooping) are not applied to this type of DHCP traffic. The DHCP Relay application has a traffic suppression feature that suppresses the broadcast of DHCP packets and forwards these packets to the relay agent for processing. Enhancements to DHCP Snooping provided with the 6.1.5 release allow application of DHCP Snooping functionality to bridged DHCP client/server broadcasts without using the relay agent or requiring an IP interface on the client/server VLAN. When DHCP Snooping is enabled at the switch level or for an individual VLAN, DHCP Snooping functionality is automatically applied to Layer 2 traffic. When DHCP Snooping is disabled at the switch level or disabled on the last VLAN to have snooping enabled on the switch, DHCP Snooping functionality is no longer applied to Layer 2 or Layer 3 traffic. The GARP VLAN Registration Protocol (GVRP), a protocol compliant with 802.1Q, dynamically learns and further propagates VLAN membership information across a bridged network. GVRP dynamically maintains and updates the registration and de-registration of VLANs and prunes unnecessary broadcast and unicast traffic. Through propagation of GVRP information, a device is continuously able to update its knowledge of the set of VLANs that currently have active members and of the ports through which those members can be reached. With GVRP, a single switch is manually configured with all the desired VLANs for the network, and all other switches on the network dynamically learn those VLANs. An end station can be plugged into any switch and can be connected to its desired VLAN. However, for end stations to make use of GVRP, they need Network Interface Cards (NIC) aware of GVRP. Release 6.3.1 added the following: OS9000 Support Generate a trap if the number of dynamic VLANs exceeds the maximum threshold configured for GVRP. The GARP VLAN Registration Protocol (GVRP) facilitates in controlling virtual local area networks (VLANs) in a large network. It is an application of Generic Attribute Registration Protocol (GARP) and provides VLAN registration service. GVRP enables devices to dynamically learn their VLAN memberships. GVRP is compliant with 802.1Q standard. It dynamically learns and propagates VLAN membership information across a bridged network. GVRP dynamically maintains and updates the registration and de-registration of VLANs and prunes unnecessary broadcast and unicast traffic. Through the propagation of GVRP information, a device is continuously able to update its knowledge on the set of VLANs that currently have active nodes and on the ports through which those nodes can be reached. GVRP Specifications Below lists specifications for Alcatel-Lucents GVRP: IEEE Standards Supported: IEEE Std. 802.1D - 2004, Media Access Control (MAC) Bridges IEEE Draft Std. P802.1Q-REV/D5.0 Maximum GVRP VLANs: 4094
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 269 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Triple Play
The Alcatel-Lucent Omni Prodcut Families are advanced, L2-L3 switches that extend intelligence to the metro access edge of a triple-play service delivery architecture network. With a range of Fast Ethernet, Gigabit Ethernet, 10Gigabit Ethernet, DC power, and fiber configurations, the Omni Prodcut Families are suitable for use as a metro access switch for enterprise networks as well as in small , medium, and large-sized business markets.The Omni Prodcut Families are well suited for supporting Ethernet access services within the Alcatel-Lucent real-time triple-play service delivery architecture of data, voice and video. By offering Triple Play features that focus on strengthening the availability, manageability and performance of these devices for service provider networks that have higher network availability requirements, the Omni Products will be able to compete very well with the competion. The Omni Prodcut Families Triple Play offerings are extremely cost effective and highly manageable which together with the following unique standards-based features sets them apart from the competition: Omni Prodcut Families Convergence / Triple Play features in support of Residential Metro Triple-play Ethernet Access: o The Omni Prodcut families are designed for resiliency and exceptional network performance to support real-time triple-play applications such as voice-over-IP (VoIP), data, and video applications supported by: o High-port density o High-capacity switching and traffic aggregation for business network cores o Highly-available switching fabric with a unique load sharing capability By providing true redundancy, an enterprise can provide a reliable network for triple play applications. o Multi-layer security o Simplaified but yet powerful unified management o Extremly Cost effective Triple Play offerings from Alcatel_lucent o Wire-speed performance including the first packet giving a noticeable performance boost to triple play networks. o Wire speed packet classification o Traffic prioritization: Flow-based QoS with internal and external (a.k.a., remarking) prioritization o Eight hardware-based quality of service (QoS) queues ensuring wire-speed packet classification and processing for all packets in a data steam o Bandwidth management: flow based bandwidth management, ingress policing/egress shaping and port based egress shaping o Queue management: Random Early Detect/Discard (RED), configurable dequeuing algorithm; Strict Priority, Weighted and Deficit Round Robin. o Power-over-Ethernet: IEEE 802.3af for PoE o Residential bridging features: DHCP option-82 relay agent information, DHCP-Snooping and Port Mapping Support for CWDM fiber optics Q-in-Q (Vlan Stacking) / 802.1ad: VLAN Stacking provides a mechanism for tunneling multiple customers VLANs (CVLAN) through a service provider network over the Ethernet Metropolitan Area Network (EMAN). The following features are supported for the OS6850 Series in AOS Release 6.2 and will be supported for the OmniSwitch 9000 Series in AOS Release 6.3. Ethernet Operations Administration and Maintenance (OAM) support: The acceptance of Ethernet as a metropolitan and wide-area networking technology has accelerated the need for a new set of OAM protocols. Service provider networks are large and complex with a wide user base, and they often involve different operators that must work together to provide end-to-end services to enterprise customers. By adding a support for Ethernet OAM, as defined in IEEE 802.1ag (version 7.0), the OS6850s are capable of generating and sending OAM messages that are used by the network administrators and operation staff to detect, verify and isolate problems in the network. Rapid Ring Spanning Tree: A ring topology offers built-in redundancy and is often the most economical in terms of interconnection costs. The Rapid Ring STP implementation available in AOS 6.2.1 was built upon the Rapid Spanning Tree Protocol (RSTP) standard and is enhanced in two ways: o Improves the fault recovery time performance o Improved performance for large ring network topologies In certain configurations RRSTP provides fault recovery times of 10 times faster than the current implementation. In addition to that we have maintained compatibility with standard RSTP for interoperability with the rest of the switches.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 270 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IP Multicast VLANs: Many providers need to have a way of separating users using VLANs while still being able to distribute broadcast media via IP multicast across these VLANs without a router being present in the distribution L2 switch. With the AOS 6.2.1, implementation of IP Multicast VLANs, the OmniSwitch 6850 can be used as a distributor of multicast traffic from a multicast server to the attached subscribers, reducing the packet duplication across the network. Multicast traffic will only flow from the distribution VLAN to the customer and not vise-versa. MAC retention: With the support of this feature in release 6.2.1, the OmniSwitch 6850 is made even more resilient to failures of the current primary element in the stack, which translates into smart continuous switching for stack-based products. When enabled, the MAC retention feature allows a system of stackable switches to retain the MAC address of the primary switch for a fixed or indefinite time, even after takeover, which avoids the disruption of L2 or L3 services. Intermediate System-to-Intermediate System (IS-IS) Routing Protocol: In recent years, the IS-IS routing protocol has become increasingly popular, with widespread use among service providers. It is a link state protocol, which enables very fast convergence, supports much larger networks, reduces the control traffic, and provides greater flexibility when extending the network. GVRP: Generic Attribute Registration Protocol (GARP) VLAN Registration Protocol (GVRP) is an application defined in the IEEE 802.1Q standard that allows for dynamic control of VLANs, which offers easier configuration in larger networks with automatic optimization of data flows. GVRP is an industry-standard protocol designed to propagate VLAN information from device to device. With GVRP, a single switch is manually configured with all the desired VLANs for the network, and all other switches on the network learn those VLANs dynamically. The Virtual Router Redundancy Protocol (VRRPv2/VRRP3) is a standard router redundancy protocol supported in IPv4/IPv6. It is based on RFC 3768 and RFC 2787 and provides redundancy by eliminating the single point of failure inherent in a default route environment. The VRRP/VRRP3 router, which controls the IP/IPv6 address associated with a virtual router is called the master router, and it forwards the packets to that IP/IPv6 address. If the master router becomes unavailable, the highest priority backup router will transition to the master state. Note. RFC 3768, which obsoletes RFC 2338, does not include support for authentication types. As a result, configuring VRRP authentication is no longer supported in this release. In addition, VRRP Tracking is also supported. A virtual routers priority may be conditionally modified to prevent another router from taking over as master. Tracking policies are used to conditionally modify the priority setting whenever a VLAN, slot/port, and/or IP address associated with a virtual router goes down. VRRP Specifications: RFCs Supported: RFC 2787Definitions of Managed Objects for the Virtual Router Redundancy Protocol RFC 3768Virtual Router Redundancy Protocol Compatible with HSRP: No Maximum number of virtual router instances: 255 (A virtual router is defined by a virtual router identifier (VRID) and a set of associated IP addresses on the LAN) Maximum number of IP addresses: 1 for the IP address owner; more than 1 address may be configured if the router is a backup for a master router that supports multiple addresses Release 6.3.1 added the following capabilities for VRRP2 only: Globally enable or disable all or a range of VRRP instances. View or configure default values such as priority, preempt, or advertising interval on all or a group or VRRP instances.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 271 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
VRRPv3
This implementation is based on the latest Internet-Draft for VRRP for IPv6. VRRP version 2 (VRRPv2) is based on RFC 2338. Similar to VRRPv2, VRRPv3 is a standard router redundancy protocol that provides redundancy by eliminating the single point of failure inherent in a default route environment. The VRRPv3 router, Which controls the IPv6 address associated with a virtual router is called the master router, and is responsible for forwarding virtual router advertisements. If the master router becomes unavailable, the highest priority backup router will transition to the master state. Both versions of VRRP allow routers on a LAN to back up a static default route with a virtual router. VRRP dynamically assigns responsibility for a virtual router to a physical router (VRRP router) on the LAN. The virtual router is associated with an IP address (or set of IP addresses) on the LAN. A virtual router master is elected to forward packets for the virtual routers IP address. If the master router becomes unavailable, the highest priority backup router will transition to the master state. Authentication is not supported. In addition, both versions support VRRP Tracking. A virtual routers priority may be conditionally Modified to prevent another router from taking over as master. Tracking policies are used to Conditionally modify the priority setting whenever an ip interface, slot/port, and/or IP address associated with a virtual router goes down. Note that VRRPv3 is not available on the OmniSwitch 6800 Series. VRRPv2 is available on all supported OmniSwitch platforms.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 272 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 273 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Policy rule enabled or disabled: Enabled Determines the order (precedence) in which rules are searched: 0 Whether the rule is saved to flash immediately: Save option is enabled Whether messages about flows that match the rule are logged: No How often to check for matching flow messages: 60 seconds Whether to count bytes or packets that match the rule. (Only packets are counted on the OmniSwitch 6800.): packets are counted Whether to send a trap for the rule: enabled (trap sent only on port disable action or User-Port shutdown operation). Whether the flow matching the rule should be accepted or denied: Accept Automatic QoS prioritization refers to prioritizing certain subsets of switch traffic without having to configure a specific QoS policy to do the same for each type of traffic. This functionality is currently available for Network Management System (NMS) traffic and IP phone traffic. Note that automatic prioritization is not supported on the OmniSwitch 6800. The status of automatic NMS and IP phone prioritization for the switch is displayed through the show qos config command. This feature can be used to enable the automatic prioritization of NMS traffic that is destined for the switch. Prioritization maximizes access for NMS traffic and helps to reduce the potential for DoS attacks. Prioritizing NMS traffic destined for the switch helps to maximize NMS access to the switch and reduce the risk of DoS attacks. The following types of traffic are considered NMS traffic: SSH (TCP Port 22) Telnet (TCP Port 23) WebView (HTTP Port 80) SNMP (UDP port 161) Note: When automatic NMS prioritization is enabled, QoS policies that specify priority are not applied to the NMS traffic. Other QoS policies, however, are applied to this type of traffic as usual. If a policy specifies rate limiting, then the policy with the lowest rate limiting value is applied. This feature is used to automatically enable the prioritization of IP phone traffic. The traffic can be assigned a priority value or, if set to trusted mode, the IP phone packet is used to determine the priority. IP phone traffic is identified by examining the source MAC address of the packet received on the port. If the source MAC falls within one of the Alcatel-Lucent ranges below, the Auto-QoS feature automatically sets the priority. The switch automatically trusts the priority of IP phone traffic by default. This means that the priority value contained in packets originating from IP phones is used for the ingress priority. The default priority value configured for the QoS port receiving such traffic is used for the egress priority of the packet. IP phone traffic is detected by examining the source MAC address of the packet to determine if the address falls within the following ranges of IP phone MAC addresses: 00-80-9F-54-xx-xx to 00-80-9F-64-xx-xx 00-80-9F-66-xx-xx to 00-80-9F-6F-xx-xx Third-party devices can be added to this group as well. In addition to prioritizing IP phone traffic, it is also possible to automatically prioritize non-IP phone traffic. This is done by adding up to four MAC addresses or four ranges of MAC addresses to the predefined QoS alaPhone MAC address group. Note that when automatic prioritization of IP phone traffic is enabled, QoS policies that specify priority are not applied to the IP phone traffic. Other QoS policies, however, are applied to this type of traffic as usual. If a policy specifies rate limiting, then the policy with the lowest rate limiting value is applied. A policy (or a policy rule) is made up of a condition and an action. The condition specifies parameters that the switch will examine in incoming flows, such as destination address or Type of Service (ToS) bits. The action specifies what the switch will do with a flow that matches the condition; for example, it may queue the flow with a higher priority, or reset the ToS bits. Policies may be created directly on the switch through the CLI or WebView. Or policies may be created on an external LDAP server via the PolicyView application. The switch makes a distinction between policies created on the switch and policies created on an LDAP server. Note. Polices may be only be modified using the same source used to create them. Policies configured through PolicyView may only be edited through PolicyView. Policies created directly on the switch through the CLI or WebView may only be edited on the switch. Policies may be created through the CLI or WebView, however, to override policies created in PolicyView and vice versa.
QoS Policy All Policies are directly enforced in hardware at wire-rate without performance degradation or performance penalty.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 274 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Shared Queues
When a flow comes into the switch, the QoS software in the switch checks to see if there are any policies with conditions that match the flow. If there are no policies that match the flow, the flow is accepted or denied based on the global disposition set for the switch. By default, the disposition is accept. If the flow is accepted, it is placed in a default queue on the output port. If there is more than one policy that matches the flow, each policy is applied to the flow as long as there are no conflicts between the policies. If there is a conflict, then the policy with the highest precedence is applied to the flow. Flows must also match all parameters configured in a policy condition. A policy condition must have at least one classification parameter. Once the flow is classified and matched to a policy, the switch enforces the policy by mapping each packet of the flow to the appropriate queue and scheduling it on the output port. There are a total of eight queues per port (two are reserved for internal use only). Traffic is mapped to a queue based on policies, the ToS/ 802.1p value of the packet, and whether the port is trusted or untrusted. There are a total of eight queues per port. Queue parameters may be modified on a port basis. When a flow coming into the switch matches a policy, it is queued based on: Parameters given in the policy action (specified by the policy action command) with either of the following keywords: priority, minimum bandwidth, or maximum bandwidth. Port settings configured through the qos port command. Eight priority queues are available at startup for each port. Flows always share queues; however, when a shared action is specified in policies, the policies will use the same values to implement maximum and minimum bandwidth. Note that the OmniSwitch 6800 also has eight priority queues per port but that two of these queues are reserved for internal use and are not available. QoS prioritizes packets by placing them in a higher priority egress queue. As previously mentioned, there are eight egress queues available for each port. In addition, there are different queuing algorithms available for egressing packets of different priorities. The algorithm used is determined by which servicing mode is active for the egress port. The egress priority of a packet is determined using one of the following methods: 1. If a packet matches a QoS policy rule that sets a priority value, the egress priority for the packet is set using the value specified in the rule. 2. If a packet ingressing on a trusted port does not match any QoS policy rule that sets the priority, then the egress priority for the packet is set using the existing DSCP value (IP packets), the existing 802.1p value (non-IP packets), or the default classification priority value for the port. See Configuring Trusted Ports on page 30-28 for more information. 3. The egress priority for a packet ingressing on a VLAN Stacking port (a trusted port) is set using the existing 802.1p value or configured through an associated VLAN Stacking service. 4. If a packet ingressing on an untrusted port does not match any QoS rule that sets the priority, then the egress priority for the packet is set using the default 802.1p value configured for the port on which the packet was received. See Trusted and Untrusted Ports on page 30-27 for more information. 5. Note that the 802.1p bit for tagged packets ingressing on untrusted ports is set with the default 802.1p value, which is configured using the qos port default 802.1p command. If the packet is untagged, however, then the DSCP bit is set with the default DSCP value, which is configured using the qos port default dscp command. Use the following table to see how packets are directed to the appropriate queues: Priority to Queue Mapping Table: 802.1p/ToS/DSCP/Rule (action)/OS6850&OS9000 Queue/OS6800Queue 0 000xxx 0 0 0 1 001xxx 1 1 0 2 010xxx 2 2 2 3 011xxx 3 3 3 4 100xxx 4 4 4 5 101xxx 5 5 5 6 110xxx 6 6 6 7 111xxx 7 7 7
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 275 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Classification
Classifier Engine
Congestion avoidance
QoS Policy Conditions Mixing of Layer-2 & Layer-3 & Layer-4 parameters is supported
QoS policies may be an integral part of configuring other switch features, such as Link Aggregation. In addition, QoS settings may affect other features in the switch; or QoS settings may require that other switch features be configured in a particular way. A summary of related features is given here: Dynamic Link AggregatesPolicies may be used to prioritize dynamic link aggregation groups. 802.1QTagged ports are always trusted, regardless of QoS settings. Mobile PortsMobile ports are always trusted, regardless of QoS settings. LDAP Policy ManagementPolicies may also be configured through the PolicyView application and stored on an attached LDAP server. LDAP policies may only be modified through PolicyView. VLAN Stacking ServiceVLAN Stacking ports are always trusted and default classification is set to 802.1p. QoS policy conditions to match the inner VLAN tag and inner 802.1p tag are available for classifying customer information contained in VLAN Stacking frames. Quarantine Manager and Remediation (QMR)Configuring QMR and QoS inner VLAN or inner 802.1p policies is mutually exclusive. QMR overlays the inner VLAN tag, thus creating a conflict with related QoS policies. This is also true with QMR and VLAN Stacking services. 802.1p classification TOS classification DSCP classification Ethertype classification IP protocol classification ICMP type and code classification The classifier engine responsible for providing QoS is called FFP (Fast Filtering Processing). The FFP is part of the ASIC responsible for functionality of QoS and filtering on the OS6850/OS9000 platforms. There is an FFP per port. Each FFP has 128 entries. The FFP consists of two parts, a FFP mask table and a FFP rule table. There are 16 masks in the mask table. There are 128 rule entries in the rule table. The FFP mask is ANDed with the packet, and the resulting value is compared with the FFP rule value. If the values match, then rule has matched and the appropriate actions are taken on the packet. Total FFP masks: 16 per port Total FFP rules: 128 per port Total number of entries in a group: 128 The congestion avoidance mechanism that is currently supported is built-in the hardware ASIC and managed through our configurable queuing (through the implementation of a threshold-based mechanism per queue ) & de-queuing schemes. There are many options for configuring a condition. But, it all depends on how the user wants the switch to classify traffic for a given policy. The following conditions are supported and may be combined with other conditions and/or actions: IP MulticastAn IP multicast condition is used in IGMP ACLs. The multicast IP is the multicast group address used in the IGMP report packet. Layer-4: o Source TCP port & Destination TCP port o Source UDP port & Destination UDP port o Service & Service group o TCP flags (ECN and CWR are only supported on the OmniSwitch 6800) Layer-3: o IP protocol o Source IP Address & Destination IP Address o Source network group o Destination network group o TOS & DSCP o ICMP Type & ICMP Code o Source IPv6 & Destination IPv6 o Multicast IP & multicast network group o IPv6 traffic o IPv6 next header (NH), IPv6 flow label (FL) Layer-2: o 802.1p and inner 802.1p o Source MAC Address & Destination MAC Address o Source MAC group & Destination MAC group o Source VLAN & inner source VLAN o Ethertype o Destination VLAN (multicast policies only) Layer-1: o Source port & Source port group o Destination port & Destination port group
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 276 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Note. The group options refer to groups of addresses, services, or ports that you configure separately through policy group commands. Rather than creating a separate condition for each address, service, or port, use groups and attach the group to a single condition. More than one condition parameter may be specified. Some condition parameters though are mutually exclusive. Note the following: The 802.1p and source VLAN conditions are the only Layer 2 conditions allowed in combination with Layer 4 conditions. Source and destination parameters can be combined in Layer 2, Layer 3, and Layer 4 conditions. In a given rule, ToS or DSCP may be specified for a condition with priority specified for the action. The Layer 1 destination port condition only applies to bridged traffic, not routed traffic. This restriction does not apply to the OmniSwitch 6800. The IP multicast condition works in combination with Layer 1, Layer 2, and Layer 3 destination conditions only if these conditions specify the device that sends the IGMP report packet. All IPv6 conditions are not supported on OmniSwitch 6800. For more information about IPv6 policies Individual items and their corresponding groups cannot be combined in the same condition. For example, a source IP address cannot be included in a condition with a source IP network group. Layer 2 and Layer 3 rules are always effected on bridged and routed traffic. As a result, combining source or destination TCP/UDP port and IP protocol in a condition is allowed. The Quarantine Manager and Remediation (QMR) application and inner VLAN or inner 802.1p conditions are mutually exclusive. If one of these is active, the other one is not available. Use the policy condition combinations table as specified in the QoS when configuring policy conditions. *IP multicast traffic (not IGMP) is treated as regular traffic; QoS functionality works the same way with this type of traffic, with the exception that the destination port condition does not apply. The CLI prevents you from configuring invalid condition combinations that are never allowed; however, it does allow you to create combinations that are supported in some scenario. For example, you might configure source ip and a destination ip for the same condition. This is a valid combination, but will only be used to classify bridged traffic. A policy action should specify the way traffic should be treated. For example, it might specify a priority for the flow, a source address to rewrite in the IP header, or it may specify that the flow may simply be dropped. More than one action parameter may be specified. Some parameters may be mutually exclusive. In addition, some action parameters are only supported with particular condition parameters. The following actions are supported and may be combined with other actions: ACL (disposition drop) Priority 802.1p ToS/DCSP Stamping and Mapping Maximum Bandwidth Port Redirection (not supported on the OmniSwitch 6800) Link Aggregate Redirection (not supported on the OmniSwitch 6800 and 6850) Port Disable (not supported on the OmniSwitch 6800) Permanent Gateway IP (not supported on the OmniSwitch 6800 and 6850) Mirror (not supported on the OmniSwitch 6800) Use the policy action combinations table as specified in the QoS section when creating policy rules. Note. If you combine priority with 802.1p, dscp, tos, or map, in an action, the priority value is used to prioritize the flow. The CLI prevents you from configuring invalid action combinations that are never allowed; however, it does allow you to create combinations that are supported in some scenario. For example, an action specifying maximum bandwidth may be combined with an action specifying priority. Conditions and actions are combined in policy rules. The CLI prevents you from configuring invalid condition/action combinations that are never allowed. All rules that match a flow will be applied to the flow, unless one of the following rule conflicts occur: Actions specified by one or more rules are in conflict with each other. Conditions specified in one or more contiguous rules are the same. If any of the above items are true, then rule precedence is used to determine which rule to apply to the flow. Precedence is particularly important for Access Control Lists (ACLs).
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 277 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Redirect Policies (Port and Link Aggregate) Two policy action commands are available for configuring QoS redirection policies: policy action redirect port and policy action redirect linkagg. A redirection policy sends traffic that matches the policy to a specific port or link aggregate instead of the originally intended destination. This type of policy may use any condition; the policy action determines which port or link aggregate to which the traffic is sent.
QoS Logging
A redirection policy sends traffic that matches the policy to a specific port or link aggregate instead of the originally intended destination. This type of policy may use any condition; the policy action determines which port or link aggregate to which the traffic is sent. The following policy action commands are used for port and link aggregate redirection: policy action redirect port policy action redirect linkagg Note the following regarding the use and configuration of redirection policies: Redirection policies apply to both bridged and routed traffic. When redirecting routed traffic from VLAN A to VLAN B, the redirect port or link aggregate ID must belong to VLAN B (tagged or default VLAN). Routed packets (from VLAN A to VLAN B) are not modified after they are redirected; the source and MAC address remain the same. In addition, if the redirect port or link aggregate ID is tagged, the redirected packets will have a tag from the ingress VLAN A. If a route exists for the redirected flow, then redirected packets are the final post-routing packets. If a route does not exist for the redirected flow, the flow is not redirected to the specified port or link aggregate ID and is blackholed. As soon as a route is available, the flow is then redirected as specified in the policy. In most cases, a redirected flow will not trigger an update to the routing and ARP tables. When the ARP table is cleared or timed out, port/link aggregate redirection will cease until the ARP table is refreshed. If necessary, create a static route for the flow or assign the redirect port or link aggregate ID to the ingress VLAN (VLAN A) to send packets to the redirect port until a route is available. When redirecting bridged traffic on VLAN A, the redirect port or link aggregate ID must belong to VLAN A (tagged or default VLAN). In the following example, flows destined for UDP port 80 is redirected to switch port 3/2: -> policy condition L4PORTCOND destination udp port 80 -> policy action REDIRECTPORT redirect port 3/2 -> policy rule L4PORTRULE condition L4PORTCOND action REDIRECTPORT In the following example, flows destined for IP address 40.2.70.200 are redirected to link aggregate 10: -> policy condition L4LACOND destination IP 40.2.70.200 -> policy action REDIRECTLA redirect linkagg 10 -> policy rule L4LARULE condition L4LACOND action REDIRECTLA Note that in both examples above, the rules are not active on the switch until the qos apply command is entered on the command line. The switch includes some built-in policies, or default policies, for particular traffic types or situations where traffic does not match any policies. In all cases, the switch accepts the traffic and places it into default queues. Other trafficAny traffic that does not match a policy is accepted or denied based on the global disposition setting on the switch. The global disposition is by default accept. The switch network groupThe switch has a default network group, called switch, that includes all IP addresses configured for the switch itself. This default network group may be used in policies. Policy Port GroupsThe switch supports built-in policy port groups. The groups are called Slot01, Slot02, etc. The QoS software in the switch creates its own log for QoS-specific events. You may modify the number of lines in the log or change the level of detail given in the log. The PolicyView application, which is used to create QoS policies stored on an LDAP server, may query the switch for log events; or log events can be immediately available to the PolicyView application via a CLI command. Log events may also be forwarded to the console in real time. By default, only the most basic QoS information is logged. The type of information that may be logged includes rules, Layer 2 and Layer 3 information, etc. By default the QoS log displays a maximum of 256 lines. In some network configurations you may want to force the switch to classify bridged traffic as routed (Layer 3) traffic. Typically this option is used for QoS filtering. The Layer 3 classification of bridged traffic is no different from the classification of normal Layer 3 routed traffic. Note; that this implementation of QoS always performs Layer 3 classification of bridged traffic; it is not an option. As a result, Layer 3 ACLs are always effected on bridged traffic. The switch may bridge and route traffic to the same destination. Bridged IP packets are prioritized based on ToS, not 802.1p. Note that Layer 3 ACLs are affected on bridged IP traffic and Layer 2 ACLs are affected on routed traffic.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 278 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Using Quarantine Manager and Remediation (this features is only supported on the OS6850/9000)
QoS Queuing Schemes MIB Objects: alaQoSConfig alaQoSConfigServicingMode alaQoSConfigLowPriorityWeight alaQoSConfigMediumPriorityWeight alaQoSConfigHighPriorityWeight alaQoSConfigUrgentPriorityWeight
Quarantine Manager and Remediation (QMR) is a switch-based application that interacts with the OmniVista Quarantine Manager (OVQM) application to restrict the network access of quarantined clients and provide a remediation path for such clients to regain their network access. This functionality is driven by OVQM, but the following QMR components are configured through QoS CLI commands: Quarantined MAC address group. This is a reserved QoS MAC address group that contains the MAC addresses of clients that OVQM has quarantined and that are candidates for remediation. The default name of this group is Quarantined, but the user can specify a different name using the qos quarantine Mac-group command. Remediation server and exception subnet group. This is a reserved QoS network group, called alaExceptionSubnet, that is configured with the IP address of a remediation server and any subnets to which a quarantined client is allowed access. The quarantined client is redirected to the remediation server to obtain updates and correct its quarantined state. IP addresses are added to this group using the policy network group command. Remediation server URL. The qos quarantine path command is used to specify a URL for the remediation server. Note that this done in addition to specifying the server IP address in the alaException-Subnet network group. Quarantined Page. When a client is quarantined and a remediation server URL is not configured, QMR can send a Quarantine Page to notify the client of its quarantined state. To enable or disable the sending of a Quarantine Page, use the qos quarantine page command. HTTP proxy port group. This is a known QoS service group, called alaHTTPProxy, that specifies the HTTP port to which quarantined client traffic is redirected for remediation. The default HTTP port used is TCP 80 and TCP 8080. To specify a different HTTP port, use the policy service group command. There are four queuing schemes available for each switch port: one strict priority scheme and three weighted fair queuing (WFQ) schemes. By default the strict priority scheme is used and consists of eight priority queues (SPQ). All eight queues on the port are serviced strictly by priority. Lower priority traffic is dropped in the presence of higher priority traffic. The following WFQ schemes are available: WRRAll queues participate in a weighted round robin scheme. Traffic is serviced from each queue based on the weight of the queue. Note that the WRR scheme is not supported on the OmniSwitch6800, 9700, or 9800. Priority-WRRA type of WRR scheme that combines Strict-Priority queues (zero weight) and WRR queues (non-zero weight). Note that Priority-WRR is the only WFQ scheme supported on the OS6800. DRRAll queues participate in a deficit round robin scheme. Traffic is serviced from each queue based on the weight of the queue. The weight of each of the WRR/DRR queues is a configurable value. Note the following when configuring WRR/DRR queue weights: Weights are configured with a value between 0 and 15. The default weight for each WRR/DRR queue is set to one. Each queue can have a different weight value, and configuring these values in ascending or descending order is not required. When a queue is given a weight of 0, it is configured as a Strict-Priority queue. The CLI requires the user to enter eight queue weights on the OmniSwitch 6800, even though there are only six queues per port available on this switch. The last two weight values entered are ignored. A Priority-WRR scheme is configured by assigning a weight of zero to one or more WRR queues to make them Strict-Priority queues and a non-zero weight to the other WRR queues. Note that a PriorityWRR scheme is the only WFQ scheme that is supported on the OmniSwitch 6800. If there are multiple SPQs configured, the SPQs are scheduled according to their CoS queue number before any WFQs are scheduled. The weight assigned to a WRR queue designates the number of packets the queue sends out before the scheduler moves on to the next queue. For example, a queue weight of 10 sends out 10 packets at each interval. The weight assigned to a DRR queue determines the number of bytes that the queue will service. Each weight value is associated with the following number of bytes: 1=10K, 2=20K, 3=40K, 4=80K, 5=160K, 6=320K, 7=640K, 8=1280K, 9=2560K, 10=5120K, 11=10M, 12=20M, 13=40M, 14=80M, and 15=160M. For example, if the configured DRR queue weights are 1 1 2 2 3 3 4 4, queues 1/2 will service up to 10K each, queues 3/4 will service up to 20K each, queues 5/6 will service up to 40K each, and queues 7/8 will service up to 80K. The higher the queue weight assigned to a DRR queue, the higher the percentage of traffic that is serviced by that queue. For example, a queue with a weight of three will send four times as much traffic as a queue with a weight of one. The queuing scheme selected is the scheme that is used to shape traffic on destination (egress) ports and is referred to as the QoS servicing mode for the port. It is possible to configure a default servicing mode that will apply to all switch ports or configure the servicing mode on an individual port basis. Note that the QoS servicing mode only applies to destination ports because it is at this point where traffic shaping is effected on the flows. In addition, different ports can use different servicing modes.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 279 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
By default, all ports (except 802.1Q-tagged ports and mobile ports) are untrusted. The trust setting may be configured globally on the switch, or on a per-port basis. By default switch ports are not trusted; that is, they do not recognize 802.1p or ToS/DSCP settings in packets of incoming traffic. If a port is not trusted, the switch sets any 802.1p or ToS/DSCP contained in an incoming packet to the default 802.1p and DSCP values configured for the port. Fixed (non-mobile) ports that are configured for 802.1Q are always trusted, regardless of QoS settings. They cannot be configured as untrusted. Mobile ports are also always trusted; however, mobile ports may or may not accept Q-tagged traffic. Note: Mobile ports cannot be Q-tagged like fixed ports; however, a mobile port will join a tagged VLAN if tagged traffic for that VLAN comes in on the mobile port and the vlan mobile-tag command is enabled for that VLAN. Ports must be both trusted and configured for 802.1Q traffic in order to accept 802.1p traffic. The following applies to ports that are trusted (for 802.1p traffic, the ports must also be able to accept 802.1Q packets): The 802.1p or ToS/DSCP value is preserved. If the incoming 802.1p or ToS/DSCP flow does not match a policy, the switch places the flow into a default queue and prioritizes the flow based on the 802.1p or ToS/DSCP value in the flow. If the incoming 802.1p or ToS/DSCP flow matches a policy, the switch queues the flow based on the policy action. The switch may be set globally so that all ports are trusted. Individual ports may be configured to override the global setting. Whether or not the port is trusted is important if you want to classify traffic with 802.1p bits. If the policy condition specifies 802.1p, the switch must be able to recognize 802.1p bits. Note that the trusted port must also be 802.1Q-tagged. On untrusted ports the priority/queue of the incoming packet is based on the port default 802.1p or TOS/DSCP value. On an untrusted port, by default, all 802.1p, TOS/DSCP values map to queue 0 (if the default 802.1p or TOS/DSCP is 0) to give best effort for the incoming packet. Also, 802.1p and TOS within the packets are set to the port default 802.1p/TOS. Qos port default 802.1p or TOS/DSCP can be changed using CLI command: qos port <slot/port> default [802.1p | DSCP] num Changing the port default 802.1p or ToS/DSCP will impact the port priority: QoS port default 802.1p determines priority for non IP packets QoS port default TOS/DSCP determines priority for IP packets On trusted ports the priority/queue of the incoming packet is based on the ingress packet 802.1p or TOS/DSCP value. Non IP packets are prioritized based on the packet 802.1p value IP packets are prioritized based on the packet TOS/DSCP value Port default 802.1p or ToS/DSCP has no effect on trusted ports. However, an untagged packet will always get the port default 802.1p Maximum bandwidth policies are applied to source (ingress) ports and/or flows. If a port group condition is used in the policy, the bandwidth value specified is shared across all ports in the group. This also applies to flows that involve more than one port. For example, if a policy specifies a maximum bandwidth value of 10M for a port group containing 4 ports, the total bandwidth limit enforced is 10M for all 4 ports. Note the following when configuring ingress maximum bandwidth policies: On an OmniSwitch 6800 switch, bandwidth shaping is done on a per port basis and is not shared across multiple ports. If a policy condition applies to ports that are located on different slots, the maximum bandwidth limit specified is multiplied by the number of slots involved. For example, if a rule is configured to apply a maximum bandwidth limit of 10M to ports 1/1, 3/10, and 4/5, then the actual bandwidth limit enforced for all three ports is 30M. The maximum traffic received by a destination port is also dependant on how many slots are sending traffic to the destination port. However, each slot is restricted to sending only 10k. If a policy condition applies to ports that are all on the same slot, then the maximum bandwidth value specified in the rule is not increased. Ingress bandwidth limiting is done using a granularity of 64K bps. The show active policy rule command displays the number of packets that were dropped because they exceeded the ingress bandwidth limit applied by a maximum bandwidth policy. Although bandwidth policies are applied to ingress ports, it is possible to specify a destination port or destination port group in a bandwidth policy as well. Doing so will effect egress rate limiting/egress policing on the ingress port itself. The limitation of bridged port traffic only on destination ports applies in this case as well on the OmniSwitch 6850 and 9700. The following subsections provide examples of ingress maximum bandwidth policies using both source and destination port groups. Source Port Group Example
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 280 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Egress Bandwidth Shaping Egress bandwidth rate limiting per port in 1Mbps increments
In the following example, a port group (pgroup) is created with two ports and attached to a policy condition (Ports). A policy action with maximum bandwidth is created (MaxBw). The policy condition and policy action are combined in a policy rule called PortRule. -> Policy port group pgroup 1/1-2 -> Policy condition Ports source port group pgroup -> Policy action MaxBw maximum bandwidth 10k -> Policy rule Port Rule condition Ports action MaxBw In this example, if both ports 1 and 2 are active ports, the 10000 bps maximum bandwidth is shared by both ports. In other words, maximum bandwidth policies for port groups define a maximum bandwidth value that is a total bandwidth amount for all ports, not an amount for each port. Destination Port Group Example In the following example, a port group (pgroup2) is created with several ports and attached to a policy condition (Ports2). A policy action with maximum bandwidth is created (MaxBw). The policy condition and policy action are combined in a policy rule called PortRule2. -> Policy port group pgroup2 1/1 1/25 2/1 -> Policy condition Ports2 destination port group pgroup2 -> Policy action MaxBw maximum bandwidth 10k -> Policy rule PortRule2 condition Ports2 action MaxBw In this example, the specified ports for pgroup2 span across two slots. As a result, the maximum bandwidth limit specified by the policy action is increased to 20K for all of the ports. The bandwidth limit is increased by multiplying the number of slots by the specified bandwidth value. Traffic prioritization and bandwidth shaping are the most common types of QoS policies. For these policies, any condition may be created; the policy action indicates how the traffic should be prioritized or how the bandwidth should be shaped. QoS Traffic Prioritization Example: -> Policy condition ip_traffic source ip 10.10.4.0 mask 255.255.255.0 -> Policy action high priority 7 -> Policy rule rule1 condition ip_traffic action high The rule is not active on the switch until the qos apply command is entered on the command line. When the rule is activated, any flows coming into the switch from 10.10.4.0 will be given the highest priority. QoS Traffic Shaping Example: -> Policy condition ip_traffic2 source ip 10.10.5.3 -> Policy action flowShape maximum bandwidth 1k -> Policy rule rule2 condition traffic2 action flowShape Note that the bandwidth may be specified in abbreviated units, in this case, 1k. The rule is not active on the switch until the qos apply command is entered. When the rule is activated, any flows coming into the switch from source IP address 10.10.5.3 will be queued with no more than 1k of bandwidth. Bandwidth shaping is configured on a per port basis by specifying a maximum bandwidth value for ingress and egress ports. However, on the OmniSwitch 6850 and 9000 switches, configuring maximum egress bandwidth is supported on a per COS queue basis for each port. Also note that configuring the maximum bandwidth for ingress ports is not supported on the OmniSwitch 6800. Shaping limits the bandwidth on the egress. Shaping implies that the shaping function slows down the rate at which the egress port sends the packets. Egress shaping is on a per egress port basis, the granularity is 1Mbps. Egress Max Bandwidth is achieved by the CLI command: qos port <slot/port> Max bandwidth <num><num [num]><K (kilo)|M (mega)|G (giga)|T (tera)> This restricts the maximum bandwidth of the port at the egress. Limitation: The egress bandwidth shaping is only on a per port basis; the system cannot do a per flow basis egress bandwidth shaping. Configuring a minimum and maximum bandwidth value for each of the eight egress port queues is allowed on the OmniSwitch 6850 and 9000 but is not supported on the OmniSwitch 6800. By default the bandwidth values are set to zero, which means best effort for the minimum bandwidth and port speed for the maximum bandwidth. To configure the bandwidth values use the qos port q minbw maxbw command. For example, the following command sets the minimum and maximum bandwidth for queue 8 on port 2/10 to 2k and 10k: -> qos port 2/10 q8 minbw 2k q8 maxbw 10k Note that specifying both the minimum and maximum bandwidth value is allowed on the same command line. Configuring the bandwidth values for different queues requires a separate command for each queue.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 281 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Bandwidth Shaping
Ingress Max Bandwidth Policing Ingress bandwidth rate limiting per port/flow in 64k increments
Bandwidth shaping is configured on a per port basis. Bandwidth policing is applied using QoS policies. QoS supports configuring maximum bandwidth on ingress and egress ports. However, on the OmniSwitch 6850 and 9000 switches, configuring minimum and maximum egress bandwidth is supported on a per COS queue basis for each port. To limit the ingress or egress bandwidth for a QoS port, use the qos port maximum egress-bandwidth or qos port maximum ingress-bandwidth commands. For example, -> qos port 1/1 maximum egress-bandwidth 10M -> qos port 1/1 maximum ingress-bandwidth 5M Note the following when configuring the ingress or egress bandwidth limit for a port: Maximum bandwidth limiting is done using a granularity of 64K bps. Any value specified that is not a multiple of 64K is rounded up to the next highest multiple of 64K. The maximum bandwidth value cannot exceed the maximum bandwidth of the interface type associated with the port. Modifying the maximum bandwidth is most useful for low-bandwidth links. The bandwidth limit configured using the qos port maximum egress-bandwidth command takes precedence over an egress queue limit configured on the same port. Configuring the maximum ingress bandwidth value is not supported on an OmniSwitch 6800. Policing limits the bandwidth on the ingress. Policing implies dropping the traffic when the programmed rate is exceeded. Policing is on a per flow basis. The flow specification can specify a destination port, but the policing is done on a per ingress port basis. The granularity is 64kpbs. Ingress maximum bandwidth is achieved via policies specifying maximum bandwidth. The maximum bandwidth is on a per ingress port basis. Example: Ingress port rate limiting Policy condition c1 source port 1/1 Policy action a1 maximum bandwidth 10M Policy rule r1 condition c1 action a1 All traffic originating on port 1/1 are shaped to 10M A mirroring policy sends a copy of ingress, egress, or both ingress and egress packets that match the policy condition to a specific port. This type of policy may use any condition; the mirror policy action determines the type of traffic to mirror and the port on which the mirrored traffic is received. The policy action mirror command is used to configure mirror-to-port (MTP) action for the policy. For example, the following policy mirrors ingress packets to port 1/10: -> policy condition c1 source ip 192.168.20.1 -> policy action a1 mirror ingress 1/10 -> policy rule r1 condition c1 action a1 -> qos apply When the above rule is activated, any flows coming into the switch from source IP address 192.168.20.1 are mirrored to port 1/10. It is also possible to combine the MTP action with other actions. For example: -> policy condition c1 source ip 192.168.20.1 -> policy action a1 mirror ingress 1/10 disposition drop -> policy rule r1 condition c1 action a1 -> qos apply This policy rule example combines the MTP action with the drop action. As a result, this rule drops ingress traffic with a source IP of 192.168.20.1, but the mirrored traffic from this source is not dropped and is forwarded to port 1/10. Note the following regarding the use and configuration of mirroring policies: Only one policy-based MTP session is supported at any given time. As a result, all mirroring policies should specify the same destination port. In addition to one policy-based MTP session, the switch can support one port-based mirroring session, one remote port mirroring session, and one port monitoring session all running at the same time. Policy based mirroring and the port-based mirroring feature can run simultaneously on the same port. However, policy based mirroring is not supported on the OmniSwitch 6800. Rule precedence is applied to all mirroring policies that are configured for the same switch ASIC. If traffic matches a mirror rule on one ASIC with a lower precedence than a non-mirroring rule on a different ASIC, the traffic is mirrored in addition to the actions specified by the higher precedence rule.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 282 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
QoS Mapping Support QoS mapping: 802.1p to 802.1p & ToS & DSCP, ToS to ToS & 802.1p & DSCP, DSCP to DSCP & 802.1p & ToS
802.1p/TOS/DSCP Stamping/Mapping policies QoS mapping: 802.1p to 802.1p & ToS & DSCP, ToS to ToS & 802.1p & DSCP, DSCP to DSCP & 802.1p & ToS
Policies may be configured for ICMP on a global basis on the switch. ICMP policies may be used for security (for example, to drop traffic from the ICMP blaster virus). In the following example, a condition called icmpCondition is created with no other condition parameters: -> Policy condition icmpCondition ip protocol 1 -> Policy action icmpAction disposition deny -> Policy rule icmpRule condition icmpCondition action icmpAction This policy (icmpRule) drops all ICMP traffic. To limit the dropped traffic to ICMP echo requests (pings) and/or replies, use the policy condition icmptype to specify the appropriate condition. For example: -> Policy condition echo icmptype 8 -> Policy condition reply icmptype 0 Map groups are used to map 802.1p, ToS, or DSCP values to different values. The following mapping scenarios are supported: 802.1p to 802.1p, based on Layer 2, Layer 3, and Layer 4 parameters and source/destination slot/port. In addition, 802.1p classification can trigger this action. ToS or DSCP to 802.1p based on Layer 3 and Layer 4 parameters and source/destination slot/port. In addition ToS or DSCP classification can trigger this action. Note. Map groups are associated with a policy action. 802.1p values may be mapped to different 802.lp values on an individual basis or by using a map group. In addition, ToS or DSCP values may be mapped to 802.1p on a case-by-case basis or via a map group. (Note that any other mapping combination is not supported.) Note the following: Priority for the flow is based on the policy action. The value specified for 802.1p, ToS, DSCP, or the map group would determine how the flow is queued. The port on which the flow arrives (the ingress port) must be a trusted port. In this example, a policy rule (marking) is set up to mark flows from 10.10.3.0 with an 802.1p value of 5: -> Policy condition my_condition source ip 10.10.3.0 mask 255.255.255.0 -> Policy action my_action 802.1p 5 -> Policy rule marking condition my_condition action my_action In the next example, the policy map group command specifies a group of values that should be mapped; the policy action map command specifies what should be mapped (802.1p to 802.1p, ToS/DSCP to 802.1p) and the mapping group that should be used. Here, traffic from two different subnets must be mapped to 802.1p values in a network called Network C. A map group (tosGroup) is created with mapping values. -> Policy map group tos_group 1-4:4 5-7:7 -> Policy condition SubnetA source ip 10.10.5.0 mask 255.255.255.0 -> Policy condition SubnetB source ip 12.12.2.0 mask 255.255.255.0 -> Policy action map_action map tos to 802.1p using tos_group The map_action specifies that ToS values will be mapped to 802.1p with the values specified in tos_group. With these conditions and action set up, two policy rules can be configured for mapping Subnet A and Subnet B to the ToS network: -> Policy rule RuleA condition SubnetA action map_action -> Policy rule RuleB condition SubnetB action map_action Regardless of the condition or classification, the following stamping/mapping actions are allowed Stamp 802.1p Stamp TOS (precedence) Stamp DSCP Stamp 802.1p and TOS/DSCP Map 802.1p to 802.1p Map 802.1p to TOS Map 802.1p to DSCP Map ToS to 802.1p Map ToS to TOS Map ToS to DSCP Map DSCP to 802.1p Map DSCP to TOS Map DSCP to DSCP Stamping/mapping policies change the internal priority of the packets: Priority is always based on the new 802.1p or TOS/DSCP stamped/mapped value Stamp/map TOS/DSCP also gives priority for non IP packets matching the rule Mapping rules takes one FFP entry for each entry in the map group If both 802.1p and TOS/DSCP are stamped in a policy rule, priority is based on the stamped TOS/DSCP value
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 283 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
VoIP treatment
Policy Based Routing (PBR) allows a network administrator to define QoS policies that will override the normal routing mechanism for traffic matching the policy condition. Note. When a PBR QoS rule is applied to the configuration, it is applied to the entire switch, unless you specify a built-in port group in the policy condition. Policy Based Routing may be used to redirect traffic to a particular gateway based on source or destination IP address, source or destination network group, source or destination TCP/UDP port, a service or service group, IP protocol, or built-in source port group. Traffic may be redirected to a particular gateway regardless of what routes are listed in the routing table. Note that the gateway address does not have to be on a directly connected VLAN; the address may be on any network that is learned by the switch. Note. If the routing table has a default route of 0.0.0.0, traffic matching a PBR policy will be redirected to the route specified in the policy. Policy Based Routing may be used to redirect untrusted traffic to a firewall. In this case, note that reply packets will be not be allowed back through the firewall. Policy Based Routing may be used to redirect traffic to a particular gateway based on source or destination IP address, source or destination network group, source or destination TCP/UDP port, a service or service group, IP protocol, or built-in source port group. Traffic may be redirected to a particular gateway regardless of what routes are listed in the routing table. Note that the gateway address does not have to be on a directly connected VLAN; the address may be on any network that is learned by the switch. Today's business needs depend on network communications that allow the expansion of business options and facilities in the future. The groundbreaking OmniSwitch 9000 family and Alcatel.Lucent Enterprise OmniPCX & IP-Phone products target this future networking and business solution. Alcatel.Lucent recognized that the evolution of networking was at a turning point and focused on the concept of mission critical networking that could support the convergence technology emerging in its voice solutions to become, essentially, the central nervous system of your business. The OmniSwitch 9000 family is a new range of data infrastructure switches that spans the core, edge and desktop of networking. The design combines Alcatel.Lucent's experience and expertise building carrier and enterprise network equipment with all of the company's cutting-edge convergence technologies. It relates to Alcatel.Lucent's vision of future e-Business solutions: (1) availability, (2) security, (3) intelligence and (4) manageability. These values are both essential to successful modern business and fundamental to appropriate new technology. The OmniSwitch 9000 offers carrier-class availability throughout the network to deliver the infrastructure mandatory for IP telephony and mission-critical applications. A multi-layered approach to security is offered, securing traffic to, through and between switch nodes, ensuring violation of your business traffic and privacy is near impossible. Intelligence mandates that all switching decisions are distributed and performed at wire-rate. Alcatel.Lucent's implementation is wire-rate into, through the backplane, and out all network interfaces without performance bottlenecks. Manageability involves both networking features and management system features, thus features such as OneTouch mean that complex QoS policies are implemented consistently with a simple point-and-click interface. Using QoS, a network administrator can gain more control over networks where different types of traffic (or flows) are in use or where network congestion is high. Preferential treatment may be given to individual flows as required. Voice over IP (VoIP) traffic or mission-critical data may be marked as priority traffic and/or given more bandwidth on the link. QoS can also prevent large flows, such as a video stream, from consuming all the links bandwidth. Using QoS, a network administrator can decide which traffic needs preferential treatment, and which traffic can be adequately served with best effort. QoS is implemented on the switch through the use of user-defined policies. The proposed Alcatel.Lucent infrastructure can support standard-based IP-Phones and IP-telephony applications. The OS9000 platforms support 802.1Q/p. In a dedicated VLAN scenario VOIP traffic is separated from data traffic on the switch. However, traffic will need to be prioritized on trunk links. This can be accomplished by prioritizing traffic by source / destination mac address, source / destination IP, or protocol types. In a shared environment, traffic can be prioritized through the switch and through the network via TOS or DiffServ.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 284 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Alcatel-Lucents Server Load Balancing (SLB) software provides a method to logically manage a group of physical servers sharing the same content (known as a server farm) as one large virtual server (known as an SLB cluster). SLB clusters are identified and accessed at Layer 3 by the use of Virtual IP (VIP) addresses. OmniSwitch 6850/9000 switches operate at wire speed to process client requests addressed to the VIP of an SLB cluster and send them to the physical servers within the cluster. Using SLB clusters can provide cost savings (costly hardware upgrades can be delayed or avoided), scalability (as the demands on your server farm grow you can add additional physical servers), reliability (if one physical server goes down the remaining servers can handle the remaining workload), and flexibility (you can tailor workload requirements individually to servers within a cluster). Notes. SLB is supported on OmniSwitch 6850 and 9000 switches (Release 6.1.3r01) but not on OmniSwitch 6800 Series switches. You can also configure and monitor Server Load Balancing with WebView, AlcatelLucents embedded web-based device management application. WebView is an interactive and easy-to-use GUI that can be launched from OmniVista or a web browser. Server Load Balancing Specifications: Maximum number of clusters: 16 Maximum number of physical servers: 75 Layer-3 classification: Source IP address/Destination IP address pairs Server health checking: Ping, link checks High availability support: Hardware-based failover, VRRP, Chassis Management Module (CMM) redundancy Networking protocols supported: Virtual IP (VIP) addresses Ping period range: 0 to 3600 seconds Ping timeout range: 0 to 1000 times the value of the ping period Ping retries: 0 to 255 Maximum number of probes on a switch: 20 Probe timeout range: 1 to 3600000seconds Probe period range: 0 to 3600 Probe port range: 0 to 65535 Probe retry range: 0 to 255 Probe status range: 0 to 4294967295 Question: Can Server load balancing work across multiple switches; i.e., define a cluster so that it exists across multiple switches? Answer: 1) Can the servers be bridged across switches on the local vlan? The servers must be on a local vlan of the switch. This would mean that the packets can be bridged to other switches. Whatever the vlan encompasses. 2) The second question is more complicated: Can the cluster be configured on multiple switches and service the same servers in the same way? Theoretically, if all switches are configured the same in an SLB way (same clusters, servers, etc.), the hash for distributing the servers should be the same. Since the hashing algorithm is based on the addresses contained in the packet, they should map to the same servers. This would mean if packets for a flow arrive on different switches (i.e. ECMP connection) they would be forwarded to the same server. This configuration has not been verified, though, it seems like it would work.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 285 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IP Multicast Switching is a one-to-many communication technique employed by emerging applications such as video distribution, news feeds, conferencing, netcasting, and resource discovery (OSPF, RIP2, BOOTP). Unlike unicast, which sends one packet per destination, multicast sends one packet to all devices in any sub-network that has at least one device requesting the multicast traffic. Multicast switching also requires much less bandwidth than unicast techniques and broadcast techniques since the source hosts only send one data stream to the ports on which destination hosts that request it are attached. Destination hosts signal their intent to receive a specific multicast stream by sending a request to do so to a nearby switch using Internet Group Management Protocol (IGMP). The switch then learns on which ports multicast group subscribers are attached and can intelligently deliver traffic only to the respective ports. This mechanism is often referred to as IGMP snooping (or IGMP gleaning). Alcatel-Lucents implementation of IGMP snooping is called IP Multicast Switching (IPMS). IPMS allow OmniSwitch 6850 Series switches to efficiently deliver multicast traffic in hardware at wire speed. Both IGMP version 3 (IGMPv3), which handles forwarding by source IP address and IP multicast destination, and IGMP version 2 (IGMPv2), which handles forwarding by IP multicast destination address only, are supported. IPMS is supported on IPv4 and IPv6 (MLD) on the OmniSwitch 6850 Series and OmniSwitch 9000 Series. The OmniSwitch 6800 Series only supports IPMS for IPv4. Note. You can also configure and monitor IPMS with WebView, Alcatel-Lucents embedded webbased device management application. WebView is an interactive and easy-to-use GUI that can be launched from OmniVista or a web browser. Both IGMP version 3 (IGMPv3), which handles forwarding by source IP address and IP multicast destination, and IGMP version 2 (IGMPv2), which handles forwarding by IP multicast destination address only, are supported. IPMS Specifications: RFCs Supported: RFC 1112 Host Extensions for IP Multicasting RFC 2236 Internet Group Management Protocol, Version 2 RFC 2933 Internet Group Management Protocol MIB RFC 3376 Internet Group Management Protocol, Version 3 IETF Internet-Drafts Supported: Draft-ietf-magma-snoop Considerations for IGMP and MLD Snooping Switches IGMP Query Interval: 1 to 65535 seconds IGMP Router Timeout: 1 to 65535 seconds IGMP Source Timeout: 1 to 65535 seconds IGMP Query Response Interval: 1 to 65535 in tenths of seconds IGMP Last Member Query Interval: 1 to 65535 in tenths of seconds IPv6MS Specifications: RFCs Supported: RFC 2710 Multicast Listener Discovery for IPv6 RFC 3810 Multicast Listener Discovery Version 2 for IPv6 RFC 3019 IPv6 MIB for Multicast Listener Discovery Protocol IETF Internet-Drafts Supported: Draft-ietf-magma-snoop Considerations for IGMP and MLD Snooping Switches MLD Query Interval: 1 to 65535 seconds MLD Router Timeout: 1 to 65535 seconds MLD Source Timeout: 1 to 65535 seconds MLD Query Response Interval: 1 to 65535 in milliseconds MLD Last Member Query Interval: 1 to 65535 in milliseconds IP multicast Proxying and configuring the IGMP and MLD unsolicited report interval are now available with this implementation of IPMS. Proxying enables the aggregation of IGMP and MLD group membership information and the reduction in reporting queries. The unsolicited report interval refers to the time period in which to proxy any changed IGMP membership state. Static multicast MAC addresses are used to send traffic intended for a single destination multicast MAC address to multiple switch ports within a given VLAN. A static multicast address is assigned to one or more switch ports for a given VLAN. The ports associated with the multicast address are then identified as egress ports. When traffic received on ports within the same VLAN is destined for the multicast address, the traffic is forwarded on the egress ports that are associated with the multicast address. One of the benefits of using static multicast addresses is that multicast traffic is switched in hardware and no longer subject to flood limits on broadcast traffic.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 286 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
MLD
IGMP
IP Multicast VLAN
MLD is used by IPv6 systems (hosts and routers) to report their IPv6 multicast group memberships to any neighboring multicast routers. MLD Version 1 (MLDv1) handles forwarding by IPv6 multicast destination addresses only. MLD Version 2 (MLDv2) handles forwarding by source IPv6 addresses and IPv6 multicast destination addresses. The OmniSwitch 6850 switch supports MLDv1 and MLDv2. MLDv2 uses source filtering and reports multicast memberships to neighboring routers by sending membership reports. MLDv2 also supports Source Specific Multicast (SSM) by allowing hosts to report interest in receiving packets only from specific source addresses or from all but specific source addresses. IGMP is used by IPv4 systems (hosts and routers) to report their IP multicast group memberships to any neighboring multicast routers. IGMP version 2 (IGMPv2) handles forwarding by IP multicast destination address only. IGMP version 3 (IGMPv3) handles forwarding by source IP address and IP multicast destination address. OmniSwitch 6850 Series switches support IGMPv2 and IGMPv3. In IGMPv2, each membership report contains only one multicast group. In IGMPv3, membership reports contain many multicast groups up to the Maximum Transmission Unit (MTU) size of the interface. IGMPv3 uses source filtering and reports multicast memberships to neighboring routers by sending membership reports. IGMPv3 also supports Source Specific Multicast (SSM) by allowing hosts to report interest in receiving packets only from specific source addresses or from all but specific source addresses. Note. It should be noted that in the current release SSM packet forwarding is not done between ports in the same VLAN. However, SSM forwarding between different VLANs (routing) is supported. In addition, the current implementation of IGMPv3 and SSM only forwards packets to a list of included sources for a given multicast destination. Exclude list forwarding is not supported, as it is not a requirement for SSM, and specifically Protocol Independent MulticastSource Specific Multicast (PIM-SSM). IP multicast routing can be used for IP Multicast Switching and Routing (IPMSR). IP multicast routing is a way of controlling multicast traffic across networks. The IP multicast router discovers which networks want to receive multicast traffic by sending out Internet Group Management Protocol (IGMP) queries and receiving IGMP reports from attached networks. The IGMP reports signal that users want to join a multicast group. The IPv6 multicast router discovers multicast listeners by sending out Multicast Listener Discovery (MLD) Protocol queries and receiving MLD reports from attached networks. The MLD reports signal that users want to join a IPv6 multicast group. If there is more than one IP multicast router in the network, the router with the lowest IP address is elected as the querier router, which is responsible for querying the sub-network for group members. The IP multicast routing package provides the following two separate protocols: Protocol Independent Multicast Sparse Mode (PIM-SM) and Dense Mode (PIM-DM) Distance Vector Multicast Routing Protocol (DVMRP) The multicast routing protocols build and maintain a multicast routing database. The multicast routing protocols forward multicast traffic to networks that have requested group membership to a specific multicast group. IPMS uses decisions made by the routing protocols and forwards multicast traffic to ports that request group membership. Multicast boundaries confine scoped multicast addresses to a particular domain. Confining scoped addresses helps to ensure that multicast traffic passed within a multicast domain does not conflict with multicast users outside the domain. Multicast Boundary Specifications: RFCs Supported: 2365Administratively Scoped IP Multicast 2932IPv4 Multicast Routing MIB Maximum Multicast Flows per switch: 1,021 (with hardware routing; see note below) Up to 1,021 simultaneous multicast flows are supported. There is no hard limit on the number of static multicast groups that can be configured, but if you try to send traffic to the entire group at the same time the limit is still 1,021 hardware flows. A flow is defined as a source-group pair. In the case all hardware entries are exhausted, the IPMS will not perform software forwarding. IP multicast tunneling is performed in software. Valid Scoped Address Range: 239.0.0.0 to 239.255.255.255 IP Multicast VLAN involves the creation of separate, dedicated VLANs constructed specifically for multicast traffic distribution. These distribution VLANs connect to the nearest multicast router and support multicast traffic only. The IP Multicast feature works in both the enterprise environment and the VLAN Stacking environment. The ports are separately classified as VLAN stacking ports or as legacy ports (Fixed ports/Tagged Ports). To ascertain that data flow is limited to either the VLAN Stacking domain or the enterprise domain, VLAN Stacking ports must be members of only the VLAN Stacking VLANs, while the normal legacy ports must be members of only enterprise mode VLANs. Release 6.3.1 adds support for multiple sender ports.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 287 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Multicast Routing
DVMRP is a dense-mode multicast routing protocol DVMRPv3.255 is supported The DVMRP implementation is performed in Hardware. The DVMRP implementation over 802.1Q tagging link is supported and it is also performed in Hardware.
The IP Multicast VLAN (IPMV) feature helps service providers to create separate dedicated VLANs to distribute multicast traffic. Service providers have to separate users using these VLANs. This should be done along with the distribution of broadcast media through IP Multicast across these VLANs without a router in the distribution L2 switch. To achieve this, the distribution L2 switch needs to perform IGMP snooping (i.e., allow the switch to "listen in" on the IGMP conversation between hosts and routers) as well as distribute multicast traffic from one multicast distribution VLAN to many customer ports. A distribution multicast VLAN that switches into customer ports is invisible to the customer to avoid packet duplication across the trunk. Furthermore, some service providers use QinQ on the provider ports to tag the multicast distribution VLAN with a distinct outer VLAN tag. The customer ports can either be tagged or untagged. However, the multicast traffic always needs to be tagged. This process requires one or more separate multicast distribution VLANs. These distribution VLANs connect to the nearest multicast router and are used for multicast traffic only. The multicast traffic will only flow from the distribution VLAN to the customer VLAN. Customer-generated multicast traffic will flow only through the customer VLANs so that the multicast router can control the distribution of such traffic. The IPMV feature works in both the Enterprise and the VLAN Stacking environment. The ports are classified as VLAN Stacking ports and Legacy ports (fixed ports/tagged ports). To ascertain that data flow is limited to either the VLAN Stacking domain or the Enterprise domain, VLAN Stacking ports must be members of VLAN Stacking VLANs only, while the normal Legacy ports must be members of VLANs configured in the Enterprise mode only. It is not possible to change an IPMVLAN from one mode to another. An IPMVLAN configured in a specific mode must first be deleted, then re-created in the other mode. The following table lists IPMVLAN specifications. IEEE Standards Supported: 802.1ad/D6.0 Standard for Local and Metropolitan Area Networks Virtual Bridged Local Area Networks - Amendment 4: Provider Bridges Maximum Number of IP Multicast VLAN IDs: 256 (The valid range is 2 through 4094) VLAN Stacking Functionality Modes: VLAN Stacking mode Enterprise mode The following table lists IPMVLAN default values. Administrative Status: Enabled The OmniSwitch 6850 Series supports multicast routing and includes configuration options for multicast address boundaries, the Distance Vector Multicast Routing Protocol (DVMRP), and Protocol-Independent Multicast (PIM). Multicast traffic consists of a data stream that originates from a single source and is sent to hosts that have subscribed to that stream. Live video broadcasts; video conferencing, corporate communications, distance learning, and distribution of software, stock quotes, and news services are examples of multicast traffic. Multicast traffic is distinguished from unicast traffic and broadcast traffic. Multicast boundaries confine scoped multicast addresses to a particular domain. Confining scoped addresses helps to ensure that multicast traffic passed within a multicast domain does not conflict with multicast users outside the domain. Distance Vector Multicast Routing Protocol (DVMRP) is a dense-mode multicast routing protocol designed to assist routers in propagating IP multicast traffic through a network. DVMRP works by building per-source broadcast trees based on routing exchanges, then dynamically creating per-source, group multicast delivery trees by pruning the sources truncated broadcast tree. Distance Vector Multicast Routing Protocol (DVMRP) is a dense-mode multicast routing protocol. DVMRPwhich is essentially a broadcast and prune routing protocolis designed to assist routers in propagating IP multicast traffic through a network. DVMRP works by building per-source broadcast trees based on routing exchanges, then dynamically creating per-source, group multicast delivery trees by pruning the sources truncated broadcast tree. DVMRP Specifications: RFCs Supported: 2667IP Tunnel MIB IETF Internet-Drafts Supported: Distance-Vector Multicast Routing Protocol MIB draft-ietf-idmrdvmrp-v3-11.txt DVMRP Version Supported: DVMRPv3.255 DVMRP Attributes Supported: Reverse Path Multicasting, Neighbor Discovery, Multicast Source Location, Route Report Messages, Distance metrics, Dependent Downstream Routers, Poison Reverse, Pruning, Grafting, DVMRP Tunnels DVMRP Timers Supported: Flash update interval, Graft retransmissions, Neighbor probe interval, Neighbor timeout, Prune lifetime, Prune retransmission, Route report interval, Route holddown, Route expiration timeout Range for Interface Distance Metrics: 1 to 31 Range for Tunnel TTL Value: 0 to 255 Multicast Protocols per Interface: 1 (e.g., you cannot enable both PIM-SM and DVMRP on the same IP interface)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 288 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Protocol-Independent Multicast (PIM) PIM-SMv2 and PIM-DM are supported The PIM-SM implementation is performed in Hardware. The PIM-SM implementation over 802.1Q tagging link is supported and it is also performed in Hardware. The PIM-DM support
Protocol-Independent Multicast (PIM) is an IP multicast routing protocol that uses routing information provided by unicast routing protocols, such as RIP and OSPF. Sparse Mode PIM (PIM-SM) contrasts with flood-and-prune dense mode multicast protocols, such as DVMRP and PIM Dense Mode (PIMDM), in that multicast forwarding in PIM-SM is initiated only via specific requests. Downstream routers must explicitly join PIM-SM distribution trees in order to receive multicast streams on behalf of directly connected receivers or other downstream PIM-SM routers. This paradigm of receiverinitiated forwarding makes PIM-SM ideal for network environments where receiver groups are thinly populated and bandwidth conservation is a concern, such as in Wide Area Networks (WANs). PIMDM packets are transmitted on the same socket as PIM-SM packets as both use the same protocol and message format. Unlike PIM-SM, in PIM-DM there are no periodic joins transmitted; only explicitly triggered prunes and grafts. In PIM-DM, unlike PIM-SM, there is no Rendezvous Point (RP). PIM-SM Specifications: RFCs Supported: 2362Protocol Independent Multicast-Sparse Mode (PIM-SM) Protocol Specification 2934Protocol Independent Multicast MIB for Ipv4 2932Ipv4 Multicast Routing MIB 3973Protocol Independent Multicast-Dense Mode (PIM-DM) 3376Internet Group Management Protocol Internet Drafts Supported: Draft-ietf-pim-sm-v2-new-05.txtProtocol Independent Multicast Sparse Mode PIM-SM Draft-ietf-pim-mib-v2-00.txtProtocol Independent Multicast MIB Draft-ietf-pim-sm-bsr-02.txtBootstrap Router (BSR) Mechanism for PIM Sparse Mode PIM-SM Version Supported: PIM-SMv2 PIM-SM Attributes Supported: Shared trees (also referred to as RP trees), Designated Routers (DRs), Bootstrap Routers (BSRs), Candidate Bootstrap Routers (C-BSRs), Rendezvous Points (RPs), Candidate Rendezvous Points (C-RPs) PIM-SM Timers Supported: C-RP expiry, C-RP holdtime, C-RP advertisement, Join/Prune, Probe, Register suppression, Hello, Expiry, Assert, Neighbor liveness Maximum Rendezvous Point (RP) routers allowed in a PIM-SM domain: 100 (default value is 32) Maximum Bootstrap Routers (BSRs) allowed in a PIM-SM domain: 1 Multicast Protocols per Interface: 1 (e.g., you cannot enable both PIM-SM and DVMRP on the same IP interface)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 289 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Protocol Independent Multicast Source-Specific Multicast (PIM-SSM) is a highly efficient extension of PIM. SSM, using an explicit channel subscription model, allows receivers to receive multicast traffic directly from the source; an RP tree model is not used. In other words, a Shortest Path Tree (SPT) between the receiver and the source is created without the use of a Rendezvous Point (RP). By default, PIM-SM software supports Source-Specific Multicast. No additional user configuration is required. PIM-SSM is automatically enabled and operational as long as PIM-SM is loaded and IGMPv3 source-specific joins are received within the SSM address range. PIM-SSM Specifications: RFCs Supported: 3569An Overview of Source-Specific Multicast (SSM) Internet Drafts Supported: Draft-ietf-pim-sm-v2-new-05.txtProtocol Independent Multicast Sparse Mode (PIM-SM) Draft-ietf-ssm-arch-04.txtAn Overview of Source-Specific Multicast (SSM) Valid SSM Address Range: 232.0.0.0 to 232.255.255.255 PIM-SSM Protocol-Independent Multicast (PIM) is an IP multicast routing protocol that uses routing information provided by unicast routing protocols, such as RIP and OSPF. PIM is protocol-independent because it does not rely on any particular unicast routing protocol. Sparse mode PIM (PIM-SM) contrasts with flood-and-prune dense mode multicast protocols, such as DVMRP and PIM Dense Mode (PIM-DM) in that multicast forwarding in PIM-SM is initiated only via specific requests, referred to as Join messages. PIM-DM PIM-DM for IPv4 is now supported with the 6.1.3.R01 release. PIM-DM packets are transmitted on the same socket as PIM-SM packets, as both use the same protocol and message format. Unlike PIMSM, in PIM-DM there are no periodic joins transmitted; only explicitly triggered prunes and grafts. In addition, there is no Rendezvous Point (RP) in PIM-DM. Protocol Independent Multicast Source-Specific Multicast (PIM-SSM) is a highly-efficient extension of PIM. SSM, using an explicit channel subscription model, allows receivers to receive multicast traffic directly from the source; an RP tree model is not used. In other words, a Shortest Path Tree (SPT) between the receiver and the source is created without the use of a Rendezvous Point (RP). Note: Release 6.3.1 adds support for IPv6 via a new set of CLI commands and SNMP MIBs. Existing PIM configurations will be converted to the new CLI commands when a switch is upgraded to 6.3.1.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 290 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Simplified Manageability
Recognizing a great demand in the marketplace and customers expectation for a level of synergism in the network management, Alcatel-Lucent has developed a comprehensive, unified, and simplified network and switch management solutions for its full array of networking products including the AOS OmniSwitch product family. The OS6850 switch and network management industry proven features offers the network administrators ease-of-use and ease of management. The following is only a highlight of the advanced network and switch management features supported by the OmniSwitch 6850 Series: OmniVista NMS: Alcatel-Lucents Single voice, data and services network management including OneTouch QoS and SecureView. Carrier-Class Dynamic Mobility Through the application of a comprehensive QoS feature set, the AOS OmniSwitch product family is capable of supporting converged applications such as the VoIP Diagnosing Switch problems: o Port Mirroring; Port based, port mirroring for troubleshooting, supports four sessions with multiple sources-to-one destination configuration o Port monitoring feature that allows capture of Ethernet packets to a file, or for on-screen display to assist in troubleshooting o SFlow v5 support to monitor and effectively control and manage the network usage o RMON: Supports RFC 2819 RMON group (1-Statistics, 2-History, 3-Alarm, and 9-Events) o Switch Health o UDLD: support for monitoring the physical configuration of cables and detect unidirectional links o Monitoring Memory Tools & Switch Configuration o Switch Logging Local (on the flash) and remote logging (Syslog) Logging into the Switch through Telnet/STelnet, FTP/SFTP, HTTP/HTTPS, SSH, SSL, and SNMPv1&v2&v3 o Remote telnet management or secure shell access using SSH o Secured file upload using SFTP, or SCP o SNMPv1/v2/v3 Authentication or AAA Servers Policy Servers; Authentication Servers such as RADIUS, LDAP, and ACE servers Policy-Based Management with LDAP Directory Services System File Management Dual image and dual configuration file storage provides backup Intuitive Alcatel-Lucent CLI for familiar interface and reduced training costs WebView Element Mgmt: Easy to use point & click web based element manager with built-in help for easy configuration of new technology features Remote telnet management or secure shell Secured file upload using SFTP, or SCP Port based mirroring for troubleshooting supports 128 sources to one destination configuration. o Policy-based Mirroring & Remote-based Mirroring Human readable ASCII based config files for offline editing and bulk configuration Managing Switch Users Accounts & Partitioned Management feature Managing Switch Security IGMPv1/v2/v3 snooping to optimize multicast traffic BootP/DHCP client allows auto-config of switch IP information to simplify deployment Auto-negotiating 10/100/1000 ports automatically configure port speed and duplex setting Auto MDI/MDIX automatically configures transmit and receive signals to support straight thru and crossover cabling Etherbreaker DHCP relay to forward client requests to a DHCP server DHCP Option-82 & DHCP Snooping Integration with SNMP manager OmniVista for network wide management System event log Network Time Protocol (NTP) for network wide time synchronization Alcatel-Lucent Interswitch Protocols (AIP) o AMAP: Alcatel-Lucent Mapping Adjacency Protocol (AMAP) for building topology maps within OmniVista o IEEE 802.1AB with MED Extensions / LLDP-MED GVRP for 802.1Q-compliant VLAN pruning and dynamic VLAN creation Ethernet OAM
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 291 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Alcatel-Lucent Interswitch Protocols (AIP) is used to discover adjacent switches and retain mobile port information across switches. The following protocol is supported: Alcatel-Lucent Mapping Adjacency Protocol (AMAP), which is used to discover the topology of OmniSwitches. Alcatel-Lucent Interswitch Protocols (AIP) is used to discover adjacent switches and retain mobile port information across switches. By default, AMAP is not enabled. The Alcatel-Lucent Mapping Adjacency Protocol (AMAP) is used to discover the network topology of OmniSwitch (s) in a particular installation. Using this protocol, each switch determines which OmniSwitch; Omni S/R and/or OmniAccess switches are adjacent to it by sending and responding to Hello update packets. For the purposes of AMAP, adjacent switches are those that: Have a Spanning Tree path between them Do not have any switch between them on the Spanning Tree path that has AMAP enabled Link Layer Discovery Protocol (LLDP) is an emerging standard to provide a solution for the configuration issues caused by expanding networks. LLDP supports the network management software used for complete network management. LLDP is implemented as per the IEEE 802.1AB standard. LLDP specifically defines a standard method for Ethernet network devices to exchange information with its neighboring devices and maintain a database of the information. The exchanged information, passed as LLDPDU, is in TLV (Type, Length, and Value) format. The information available to the network management software must be as new as possible; hence, remote device information is periodically updated. IEEE 802.1AB (2005) is the latest version for the standards based connectivity discovery protocol. The purpose of the IEEE standard 802.1AB for Link Layer Discovery Protocol (LLDP), is to provide support for network management software dealing with topology discovery such as OmniVista. Switches that are compliant with 802.1AB exchange information with neighboring devices and maintain a database of the information exchanged. 802.1ab uses TLV (Time, Length, and Value) frames to exchange information with neighboring devices. The Link Layer Discovery Protocol-Media Endpoint Discover or LLDP-MED is designed to extend IEEE 802.1AB functionality to exchange information such as VLANs and power capabilities. 802.1AB Overview LLDP is a Layer 2 protocol for detecting adjacent devices in a network. Each device in a network sends and receives LLDPDUs through all its ports, when the protocol is enabled. If the protocol is disabled on a port or on a device, then LLDPDUs received on that port or device are dropped. The LLDPDUs are transmitted at a certain interval that can be configured. When an LLDPDU is received from a neighboring device, the LLDPDU software validates the frame and stores the information in its remote device Management Information Base (MIB). This information is aged periodically, if an LLDPDU is not received from the same device within the time mentioned in the TTL TLV of the LLDPDU. By exchanging information with all the neighbors, each device will know its neighbor on each port. The information within the LLDPDU is transmitted in TLV (Type, Length, Value) format and falls under two categories: Mandatory Optional Each LLDPDU contains all the four mandatory TLVs and optional TLVs. IEEE 802.1AB (LLDAP) Specifications IEEE Specification: IEEE 802.1AB-2005 Station and Media Access Control Connectivity Discovery Transmit time interval for LLDPDUs : 5 to 32768 in seconds Transmit hold multiplier value : 2 to 10 Transmit delay : 1 to 8192 in seconds Reinit delay : 1 to 10 in seconds Notification interval : 5 to 3600 in seconds IEEE 802.1AB (LLDP) Defaults The following table shows the default settings of the configurable 802.1AB parameters. Parameter Description Default Transmit time interval for LLDPDUs 30 seconds Transmit hold multiplier value 4 Transmit delay 2 seconds Reinit delay 2 seconds Notification interval 5 seconds LLDPDUs transmission Transmission and Reception Per port notification Disable Management TLV Disable 802.1 TLV Disable 802.3 TLV Disable LLDP Media Endpoint Device Disable
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 292 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Authentication Servers
This feature allows a switch administrator to configure password policies for password creation and management. The administrators can configure how often a password must be changed, lockout settings for failed attempts, password complexity, history, and age as well as other account management settings. Authentication servers are sometimes referred to as AAA servers (authentication, authorization, and accounting). These servers are used for storing information about users who want to manage the switch (Authenticated Switch Access) and users who need access to a particular VLAN(s) (Authenticated VLANs). RADIUS or LDAP servers may be used for Authenticated Switch Access and/or Authenticated VLANs. Another type of server, SecurIDs ACE/Server, may be used for authenticated switch access only; the ACE/Server is an authentication-only server (no authorization or accounting). Only RADIUS servers are supported for 802.1X Port-Based Network Access Control. Authentication Servers Specifications: RADIUS RFCs Supported: RFC 2865Remote Authentication Dial In User Service (RADIUS) RFC 2866RADIUS Accounting RFC 2867RADIUS Accounting Modifications for Tunnel Protocol Support RFC 2868RADIUS Attributes for Tunnel Protocol Support RFC 2809Implementation of L2TP Compulsory Tunneling via RADIUS RFC 2869RADIUS Extensions RFC 2548Microsoft Vendor-specific RADIUS Attributes RFC 2882Network Access Servers Requirements: Extended RADIUS Practices LDAP RFCs Supported: RFC 1789Connectionless Lightweight X.5000 Directory Access Protocol RFC 2247Using Domains in LDAP/X.500 Distinguished Names RFC 2251Lightweight Directory Access Protocol (v3) RFC 2252Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions RFC 2253Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names RFC 2254The String Representation of LDAP Search Filters RFC 2256A Summary of the X.500 (96) User Schema for Use with LDAPv3 Other RFCs: RFC 2574User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3) RFC 2924Accounting Attributes and Record Formats RFC 2975Introduction to Accounting Management RFC 2989Criteria for Evaluating AAA Protocols for Network Access Maximum number of authentication servers in single authority mode: 4 (not including any backup servers) Maximum number of authentication servers in multiple authority mode: 4 per VLAN (not including any backup servers) Maximum number of servers per Authenticated Switch Access type: 4 (not including any backup servers) CLI Command Prefix Recognition: The aaa radius-server and aaa ldap-server commands support prefix recognition.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 293 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
ACE/Server
RADIUS Servers
An external ACE/Server may be used for authenticated switch access. It cannot be used for Layer 2 authentication or for policy management. Attributes are not supported on ACE/Servers. These values must be configured on the switch through the user commands. Since an ACE/Server does not store or send user privilege information to the switch, the switch determines user privileges for Secur/ID logins. When a user attempts to log into the switch, the user ID and password is sent to the ACE/Server. The server determines whether the login is valid. If the login is valid, the user privileges must be determined. The switch checks its user database for the users privileges. If the user is not in the database, the switch uses the default privilege, which is determined by the default user account. There are no server-specific parameters that must be configured for the switch to communicate with an attached ACE/Server; however, you must FTP the sdconf.rec file from the server to the switchs/network directory. This file is required so that the switch will know the IP address of the ACE/Server. The ACE client in the switch is version 4.1; it does not support the replicating and locking feature of ACE 5.0, but it may be used with an ACE 5.0 server if a legacy configuration file is loaded on the server. The legacy configuration must specify authentication to two specific servers (master and slave). The ACE/Server generates secrets that it sends to clients for authentication. While you cannot configure the secret on the switch, you can clear it. The secret may need to be cleared because the server and the switch get out of synch. RADIUS is a standard authentication and accounting protocol defined in RFC 2865 and RFC 2866. A built-in RADIUS client is available in the switch. A RADIUS server that supports Vendor Specific Attributes (VSAs) is required. The Alcatel-Lucent attributes may include VLAN information, time-ofday, or slot/port restrictions. RADIUS Server Attributes: RADIUS servers and RADIUS accounting servers are configured with particular attributes defined in RFC 2138 and RFC 2139, respectively. These attributes carry specific authentication, authorization, and configuration details about RADIUS requests to and replies from the server. For a complete list of attributes (standard, and vendor-specific) and how to configure them on the server, please refer to the Users Manual. Lightweight Directory Access Protocol (LDAP) is a standard directory server protocol. The LDAP client in the switch is based on several RFCs: 1798, 2247, 2251, 2252, 2253, 2254, 2255, and 2256. The protocol was developed as a way to use directory services over TCP/IP and to simplify the directory access protocol (DAP) defined as part of the Open Systems Interconnection (OSI) effort. Originally it was a front-end for X.500 DAP. The protocol synchronizes and governs the communications between the LDAP client and the LDAP server. The protocol also dictates how its databases of information, which are normally stored in hierarchical form, are searched, from the root directory down to distinct entries. In addition, LDAP has its own format that permits LDAP-enabled Web browsers to perform directory searches over TCP/IP. For a complete list of attributes (vendor-specific) and how to configure them on the server, please refer to the Users Manual. Quality of Service (QoS) policies that are configured through Alcatel-Lucents PolicyView network management application are stored on a Lightweight Directory Access Protocol (LDAP) server. PolicyView is an OmniVista application that runs on an attached workstation. Policy Server Specifications: LDAP Policy Servers RFCs Supported: RFC 2251Lightweight Directory Access Protocol (v3) RFC 3060Policy Core Information ModelVersion 1 Specification Maximum number of policy servers (supported on the switch): 4 Maximum number of policy servers (supported by PolicyView): 1 Policy servers use the Lightweight Directory Access Protocol (LDAP) to store policies that are configured through Alcatel-Lucents PolicyView network management application. PolicyView is an OmniVista application that runs on an attached workstation. The Lightweight Directory Access Protocol (LDAP) is a standard directory server protocol. The LDAP policy server client in the switch is based on RFC 2251. Currently, only LDAP servers are supported for policy management. The switch communicates with the LDAP server to download and manage LDAP policies. When the policy server is connected to the switch, the switch is automatically configured to communicate with the server to download and manage policies created by the PolicyView application. There is no required user configuration. (Note that the LDAP policy server is automatically installed when the Policy-View application is installed.) Note. The switch has separate mechanisms for managing QoS policies stored on an LDAP server and QoS policies configured directly on the switch. Sending Syslog files to multiple hosts is allowed. It is possible to specify up to a maximum of four servers.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 294 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 295 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
duplication of traffic on the mirrored port without disrupting network traffic to and from the mirrored port. Port mirroring runs in the Chassis Management software and is supported for Ethernet (10 Mbps), Fast Ethernet (100 Mbps), Gigabit Ethernet (1000 Mbps), and 10 Gigabit Ethernet (10000 Mbps) ports. In addition, the switch supports N-to-1 port mirroring, where up to 24 (OS6800) or 128 (OS6850/OS9000) source ports can be mirrored to a single destination port. Note the following restriction when configuring a port mirroring session: One (1) port mirroring session is supported per standalone switch chassis, or in the case of OmniSwitch 6800 and 6850 switches, in a stack consisting of two or more switches. You cannot configure a port mirroring and a port monitoring session on the same NI module in an OmniSwitch 9000. You cannot configure port mirroring and monitoring on the same switching ASIC on OmniSwitch 6850 Series switches. Each switching ASIC controls 24 ports (e.g., ports 124, 2548, etc.). For example, if a port mirroring session is configured for ports 1/12 and 1/22, then configuring a port monitoring session for any of the ports between 1 and 24 is not allowed. You cannot configure port mirroring and monitoring on the same switching ASIC on OmniSwitch 6800 Series switches. Each switching ASIC controls 12 ports (e.g., ports 112, 1324, etc.). For example, if a port mirroring session is configured for ports 1/6 and 1/10, then configuring a port monitoring session for any of the ports between 1 and 12 is not allowed. If a port mirroring session is configured across two switching ASICs, then configuring a monitoring session is not allowed on any of the ports controlled by each of the ASICs involved. For example, if a port mirroring session is configured for ports 1/8 and 1/30 on a 48-port switch, then configuring a port monitoring session involving any of the ports between 1 and 48 is not allowed. By default, port-mirroring sessions are bi-directional. What Ports Can Be Mirrored? OmniSwitch 6800/6850/9000 Series switches support mirroring (where applicable) between any 10/100/1000 port to any other 10/100/1000 port and between any fiber MiniGBIC SFP to any other fiber MiniGBIC SFP port. When Port Mirroring is enabled, the active mirrored port transmits and receives network traffic normally, and the mirroring port receives a copy of all transmit and receive traffic to the active port. You can connect an RMON probe or network analysis device to the mirroring port to see an exact duplication of traffic on the mirrored port without disrupting network traffic to and from the mirrored port. Only one Port Mirroring session is supported. That session can be configured to a N-to-1 session where N can be a number from 1 to 24 (OS6800) or 1 to 128 (OS6850/OS9000) anywhere on the stack. In other words, you can configure up to 24 or 128 source ports for a single destination port in a session on a stack. You cannot configure port mirroring and port monitoring on the same NI module. This feature enhances the current port mirroring functionality on the OmniSwitch. It allows policies to be configured to determine when traffic should be mirrored based on policies rather than being restricted to a specified port. The following policies can be configured: Traffic between 2 ports Traffic from a source address Traffic to a destination address Traffic to/from an address Traffic between 2 addresses Traffic with a classification criterion based on packet contents other than addresses (for example , based on protocol, priority). VLAN-based mirroring - mirroring of packets entering a VLAN. Limitations The policy mirror action must specify the same analyzer port for all policies in which the action is used One policy-based mirroring session supported per switch. One port-based mirroring session supported per switch. Note that policy-based and port-base mirroring are both allowed on the same port at the same time. One remote port-based mirroring session supported per switch. One port-monitoring session supported per switch.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 296 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Remote Port Mirroring (802.1Q based) Remote port mirroring is supported only on OS6850 and OS9000 switches. This feature provides a remote port mirroring capability where traffic from a local port can be carried across the network to an egress port where a sniffer can be attached. This features makes use of an 802.1q tag to send the mirrored traffic over the network using tagged VLANs.
Remote Port Mirroring Overview: Remote Port Mirroring expands the port mirroring functionality by allowing mirrored traffic to be carried over the network to a remote switch. With Remote Port Mirroring the traffic is carried over the network using a dedicated Remote Port Mirroring VLAN, no other traffic is allowed on this VLAN. The mirrored traffic from the source switch is tagged with the VLAN ID of the Remote Port Mirroring VLAN and forwarded over the intermediate switch ports to the destination switch where an analyzer is attached. Note. Remote Port Mirroring is supported only on OS6850 and OS9000 Series switches. Since Remote Port Mirroring requires traffic to be carried over the network, the following exceptions to regular port mirroring exist: Spanning Tree must be disabled for the Remote Port Mirroring VLAN on all switches. There must not be any physical loop present in the Remote Port Mirroring VLAN. On the intermediate and destination switches, source learning must be disabled or overridden on the ports belonging to the Remote Port Mirroring VLAN. The QoS redirect feature can be used to override source learning on an OmniSwitch. BPDU mirroring will be disabled by default on all OS6850s. BPDU mirroring will be disabled by default on all OS9000s with B2 revision ASICs. (Contact Service and Support to enable) BPDU mirroring will be enabled by default on all OS9000s with A0/A1 revision ASICs. Source learning must be disabled or overridden on the ports belonging to the remote port mirroring VLAN on the intermediate and destination switches. On OS9000 and OS6850 switches the QoS redirect feature can be used to override source learning. The following types of traffic will not be mirrored: Link Aggregation Control Packets (LACP) 802.1AB (LLDP) 802.1x port authentication 802.3ag (OAM) Layer 3 control packets Generic Attribute Registration Protocol (GARP) BPDUs will not be mirrored on OS6850s but will be mirrored on OS9000s.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 297 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Port Monitoring
The Port Monitoring feature allows you to examine packets to and from a specific Ethernet port (either ingress or egress). You can select to dump captured data to a file, which can be up to 140K. Once a file is captured, you can FTP it to a Protocol Analyzer or PC for viewing. The OmniSwitch 9000 supports one session per switch. By default, the switch will create a data file called pmonitor.enc in flash memory. When the 140K limit is reached the switch will begin overwriting the data starting with the oldest captured data. However, you can configure the switch so it will not overwrite the data file. In addition, you can configure additional port monitoring files as long as you have enough room in flash memory. You cannot configure port mirroring and port monitoring on the same NI module. Port monitoring provides the ability to capture a packet trace locally for real time display or for replay later through a packet analyzer to determine network issues. It works like port mirroring but instead of sending the captured packets to another port, it stores these packets to a local file for later retrieval or display. Port Monitoring Specifications: Ports Supported: Ethernet (10 Mbps) / Fast Ethernet (100 Mbps) / Gigabit Ethernet Monitoring Sessions Supported: one per switch File Type Supported: ENC file format (Network General Sniffer Network Analyzer Format) By default, a port monitoring session will never be disabled. The length of time before a port monitoring session is disabled is from 0 (the default, where the session is permanent) to 2147483647 seconds. By default, a file called pmonitor.enc is created in the /flash directory when you configure and enable a port monitoring session. By default, port-monitoring sessions are bi-directional. The port-monitoring feature allows you to examine packets to and from a specific Ethernet port. Port monitoring has the following features: Software commands to enable and display captured port data. Captures data in Network General file format. Files called pmonitor.enc is created in /flash memory when you configure and enable a port monitoring session. Data packets time stamped. One port monitored at a time. RAM-based file system. Statistics gathering and display The port-monitoring feature also has the following restrictions: Estimated packet capture rate is around 500 packets/second The maximum number of monitoring session is limited one per chassis Link Aggregation ports can not be monitored If both mirroring and monitoring are enabled then packets will be either mirrored or monitored (i.e., sent to CPU), whichever comes first. You can select to dump real-time packets to a file. Once a file is captured, you can FTP it to a Sniffer or PC for viewing.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 298 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Remote Network Monitoring (RMON) is an SNMP protocol used to manage networks remotely. RMON probes can be used to collect, interpret, and forward statistical data about network traffic from designated active ports in a LAN segment to an NMS (Network Management System) application for monitoring and analysis without negatively impacting network performance. RMON software is fully integrated in the Chassis Management software and works with the Ethernet software to acquire statistical information. This feature supports basic RMON 4 group implementation in compliance with RFC 2819, including the Ethernet Statistics, History (Control & Statistics), Alarms and Events groups RMON Specifications; RFCs Supported: 2819 - Remote Network Monitoring Management Information Base RMON Functionality Supported: o Basic RMON 4 group implementation Ethernet Statistics group History (Control and Statistics) group Alarms group Events group RMON Functionality Not Supported: o RMON 10 group* o RMON2* o Host group o HostTopN group o Matrix group o Filter group o Packet Capture group o (*An external RMON probe that includes o RMON 10 group and RMON2 may be used where full RMON probe functionality is required.) Flavor (Probe Type): Ethernet/History/Alarm Status: Active/Creating/Inactive History Control Interval (seconds): 1 to 3600 History Sample Index Range: 1 to 65535 Alarm Interval (seconds): 1 to 2147483647 Alarm Startup Alarm: Rising Alarm/Falling Alarm/RisingOrFalling Alarm Alarm Sample Type: Delta Value/Absolute RMON Traps Supported: o RisingAlarm/FallingAlarm o These traps are generated whenever an Alarm entry crosses either its Rising Threshold or its Falling Threshold and generates an event con-figured for sending SNMP traps. The unidirectional link detection protocol is a protocol that can be used to detect and disable malfunctioning unidirectional Ethernet fiber or copper links. Errors due to improper installation of fiber strands, interface malfunctions, media converter faults, etc can be detected and the link can be disabled. It operates at Layer 2 in conjunction with IEEE 802.3's existing Layer 1 fault detection mechanisms. UDLD Uni Directional Link Detection (UDLD) is a protocol for detecting and disabling unidirectional Ethernet fiber or copper links caused by mis-wiring of fiber strands, interface malfunctions, media converter faults, etc. The UDLD operates at Layer 2 in conjunction with IEEE 802.3's existing Layer 1 fault detection mechanisms. UDLD is a lightweight protocol that can be used to detect and disable one-way connections before they create dangerous situations such as Spanning Tree loops or other protocol malfunctions. The protocol is mainly used to advertise the identities of all the UDLD-capable devices attached to the same LAN segment and to collect the information received on the ports of each device to determine whether the Layer 2 communication is functioning properly. All connected devices must support UDLD for the protocol to successfully identify and disable unidirectional links. When UDLD detects a unidirectional link, the protocol administratively shuts down the affected port and generates a trap to alert the user. UDLD Overview UDLD is a Layer 2 protocol used to examine the physical configuration connected through fiber-optic or twisted-pair Ethernet cables. UDLD detects and administratively shuts down the affected port, and alerts the user when a unidirectional link exists. Unidirectional links can create hazardous situations such as Spanning-Tree topology loops caused, for instance, by unwiring of fiber strands, interface malfunctions, media converters faults, etc. The UDLD feature is supported on the following port types: Copper ports Fiber ports
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 299 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
UDLD Specifications RFCs supported : Not applicable at this time IEEE Standards supported: Not applicable at this time Probe-message advertisement timer:7 to 90 in seconds Echo-based detection timer : 4 to 15 in seconds Maximum neighbors per UDLD port : 32 Maximum number of UDLD ports per system : 128 UDLD Defaults Description Default UDLD administrative state Disabled UDLD status of a port Disabled UDLD operational mode Normal Probe-message advertisement time 15 Seconds Echo-based detection timer 8 Seconds To monitor resource availability, the NMS (Network Management System) needs to collect significant amounts of data from each switch. As the number of ports per switch (and the number of switches) increases, the volume of data can become overwhelming. The Health Monitoring feature can identify and monitor a switchs resource utilization levels and thresholds, improving efficiency in data collection. Health Monitoring provides the following data to the NMS: Switch-level Input/Output, Memory and CPU Utilization Levels Module-level and Port-level Input/Output Utilization Levels Health monitoring software monitors threshold levels for the switchs consumable resources bandwidth, RAM memory, and CPU capacityas well as the ambient chassis temperature. When a threshold is exceeded, the Health Monitoring feature sends a trap to the Network Management Station (NMS). A trap is an alarm alerting the user to specific network events and, in the case of Health-related traps, indicates specifically which threshold has been crossed. Note. When a resource falls back below the configured threshold, an addition trap is sent to the user. This indicates that the resource is no longer operating beyond its configured threshold limit. For each monitored resource, the following variables are defined: Most recent utilization level (percentage) Average utilization level over the last minute (percentage) Average utilization level over the last hour (percentage) Maximum utilization level over the last hour (percentage) Threshold level Additionally, Health Monitoring provides the capacity to specify thresholds for the resource utilization levels it monitors, and generates traps based on the specified threshold criteria. Switch Health Specifications: Health Functionality Supported: o Switch level CPU Utilization Statistics (percentage); o Switch/module/port level Input Utilization o Statistics (percentage); o Switch/module/port level Input/Output o Utilization Statistics (percentage); o Switch level Memory Utilization Statistics (percentage); o Device level o Temperature Statistics (Celsius). Monitored Resource Utilization Levels: o Most recent utilization level; o Average utilization level during last minute; o Average utilization level during last hour; o Maximum utilization level during last hour. Resource Utilization Raw Sample Values: Saved for previous 60 seconds. Resource Utilization Current Sample Values: Stored. Resource Utilization Maximum Utilization Value: Calculated for previous 60 seconds and stored. Utilization Value = 0: Indicates that none of the resource was measured for the period. Utilization Value = 1: Indicates that a non-zero amount of the resource (less than 2%) was measured for the period. Percentage Utilization Values: Calculated based on Resource Measured During Period/Total Capacity. Resource Threshold Levels: Apply automatically across all levels of switch (switch/module/port). Rising Threshold Crossing: A Resource Threshold was exceeded by its corresponding utilization value in the current cycle. Falling Threshold Crossing: A Resource Threshold was exceeded by its corresponding utilization value in the previous cycle, but is not exceeded in the current cycle. Threshold Crossing Traps Supported: Device, module, port-level threshold crossings.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 300 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Monitoring Memory
SFlow Based on RFC 3176 sFlow SFlow is a sampling technology embedded within switches/routers defined in RFC 3176. It provides the ability to monitor the traffic flows. It requires an sFlow Agent running in the Switch/Router and a sFlow collector which receives and analyses the monitored data. The sFlow collector makes use of SNMP to communicate with an SFlow agent in order to configure sFlow monitoring on the device (switch). SFlow agent running on the OS6850, combines interface counters and traffic flow (packet) samples on all the configured interfaces into sFlow Datagrams which are sent across the network to an sFlow collector (3rd Party software). Packet sampling is done in Hardware and is non-CPU intensive.
Debug memory monitor commands can monitor memory allocation and free memory (such as detection of invalid free addresses and maintenance of size statistics). These commands are useful for monitoring logging of events, leak detection, classification of memory allocations, detection of invalid free addresses, and maintenance of size statistics. Notes. System Debug (kTrace and sysTrace) commands is intended for use by qualified Alcatel-Lucent Customer Support personnel to assist customers in diagnosing or debugging system performance. For information about these commands, see the chapter titled, Memory Monitoring Commands in the OmniSwitch CLI Reference Guide. It is strongly recommended that you contact an Alcatel-Lucent Customer Service representative for assistance. The Switch Logging feature is a high-level event logging mechanism that can also be useful in maintaining and servicing the switch. The configuration snapshot command can be used to capture and save all kTrace, sysTrace, Memory Monitor, and Switch Logging configuration settings in a snapshot text file that can be viewed, edited, and used as a configuration file. Monitoring Memory Specifications: Functionality Supported: o Fence Post/ o Bad Address Detection/ o Leak Monitoring/ o Memory Classification/ o Global Statistical Gathering/ o Task Statistical Gathering/ o Size Statistical Gathering. Functionality Not Supported: Ownership Violations. Show Command Output Devices Supported: o Standard Out (console)/ o Switch Logging/ o sysTrace Buffer. SFlow is a network monitoring technology that gives visibility in to the activity of the network, by providing network usage information. It provides the data required to effectively control and manage the network usage. SFlow is a sampling technology that meets the requirements for a network traffic monitoring solution. SFlow provides a network-wide view of usage and active routes. It is used for measuring network traffic, collecting, storing, and analyzing the traffic data. As it is scalable, that doesnt add significant network load. sFlow is an industry standard with many vendors delivering products with this support. Some of the applications of the sFlow data include: Detecting, diagnosing, and fixing network problems Real-time congestion management Detecting unauthorized network activity Usage accounting and billing Understanding application mix Route profiling and peer optimization Capacity planning SFlow is a sampling technology embedded within switches/routers. It provides the ability to monitor the traffic flows. It requires a sFlow Agent software process running as part of the switch software and a sFlow collector which receives and analyses the monitored data. sFlow collector makes use of SNMP to communicate with a sFlow agent in order to configure sFlow monitoring on the device (switch). sFlow agent running on the switch/router, combines interface counters and traffic flow (packet) samples preferably on all the interfaces into sFlow Datagrams that are sent across the network to a sFlow collector. Packet sampling on the switch/router is typically performed by the switching/routing ASICs, providing wire-speed performance. In this case, sFlow agent does very little processing, by packaging data into sFlow Datagrams that are immediately sent on network. This minimizes the memory and CPU utilization by sFlow agent. MIB information for the sFlow commands is as follows: Filename: Alcatel-LucentIND1PortMirMon.MIB Module: Alcatel-Lucent-IND1-PORT-MIRRORING-MONITORING-MIB Filename: SFLOW_RFC3176.MIB Module: SFLOW-MIB
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 301 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Switch logging
The Switch Logging feature is designed to provide a high-level event logging mechanism that can be useful in maintaining and servicing the switch. Switch Logging uses a formatted string mechanism to process log requests from applications. When a log request is received, Switch Logging verifies whether the Severity Level included with the request is less than or equal to the Severity Level stored for the appropriate Application ID. If it is, a log message is generated using the formatting specified by the log request and placed on the Switch Log Queue, and Switch Logging returns control back to the calling application. Otherwise, the request is discarded. The default output device is the log file located in the Flash File System. Other output devices can be configured via the Command Line Interface. All log records generated are copied to all configured output devices for the switch. The Command Line Interface can be used to display and configure Switch Logging information. Log information can be helpful in resolving configuration or authentication issues, as well as general errors. Log records can be sent to a text file and written into the flash file system. The log records can also be scrolled to the switchs console or to a remote IP address. Switch logging information can be customized and configured through Command Line Interface (CLI) commands, WebView and SNMP. Log information can be helpful in resolving configuration or authentication issues, as well as general switch errors. Notes. Switch logging commands are not intended for use with low-level hardware and software debugging. It is strongly recommended that you contact an Alcatel-Lucent Customer Service representative for assistance with debugging functions. Switch Logging Specifications: Functionality Supported: High-level event logging mechanism that forwards requests from applications to enabled logging devices. Functionality Not Supported: Not intended for debugging individual hardware applications Logging Devices: Flash Memory/Console/IP Address Application ID Levels Supported: o IDLE (255), DIAG (0), IPC-DIAG (1), o QDRIVER (2), QDISPATCHER (3), IPC-LINK o (4), NI-SUPERVISION (5), INTERFACE (6), o 802.1Q (7), VLAN (8), GM (9), BRIDGE (10), o STP (11), LINKAGG (12), QOS (13), RSVP o (14), IP (15), IPMS (17), AMAP (18), GMAP o (19), AAA (20), IPC-MON (21), IP-HELPER o (22), PMM (23), MODULE (24), EIPC (26), o CHASSIS (64), PORT-MGR (65), CONFIG o (66), CLI (67), SNMP (68), WEB (69), MIPGW o (70), SESSION (71), TRAP (72), POLICY (73), o DRC (74), SYSTEM (75), HEALTH (76), o NAN-DRIVER (78), RMON (79), TELENET o (80), PSM (81), FTP (82), SNMI (83), DIS-TRIB o (84), EPIL0GUE (85), LDAP (86), NOS-NMP o (87), SSL (88), DBGGW (89), o LANPOWER (108) Severity Levels/Types Supported: o 2 (Alarm - highest severity), 3 (Error), o 4 (Alert), 5 (Warning) 6 (Info - default), o 7 (Debug 1), 8 (Debug 2), 9 (Debug 3 lowest severity) Logging into the switch may be done locally or remotely. Management tools include: the Command Line Interface (CLI), which may be accessed locally via the console port, or remotely via Telnet; WebView, which requires an HTTP client (browser) on a remote workstation; and SNMP, which requires an SNMP manager (such as Alcatel-Lucents OmniVista) on the remote workstation. Secure sessions are available using the Secure Shell interface. File transfers can be done via FTP or Secure Shell FTP. Login Specifications: Telnet clients supported: Any standard Telnet client. FTP clients supported: Any standard FTP client. HTTP (WebView) clients supported: Internet Explorer for Windows NT, Windows XP, and Windows 2000, version 6.0 Netscape for Windows NT, Windows XP, and Windows 2000, version 7.1 Netscape for Sun OS 2.8, version 4.79 Netscape for HP-UX 11.0, version 4.79. Secure Shell clients supported: Any standard Secure Shell client (Secure Shell Version 2). SNMP clients supported: Any standard SNMP manager.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 302 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Ethernet Interfaces
Ethernet OAM Complies with the IEEE 802.1ag draft 7.0 standards.
EUPM is used for customer login accounts that are configured with end-user profiles (rather than Functional privileges specified by partitioned management). Profiles specify command areas as well as VLAN and/or port ranges to which the user has access. These profiles are typically used for end users rather than network administrators. Ethernet and Gigabit Ethernet port software is responsible for a variety of functions that support Ethernet, Gigabit Ethernet and 10-Gigabit Ethernet ports. These functions include initialization of ports, notifying other software modules when a port goes down, configuration of basic line parameters, gathering of statistics for Ethernet and Gigabit Ethernet ports, and responding to administrative enable/disable requests. Configurable parameters include: auto negotiation (copper ports 10/100/1000), trap port link messages, flood control, line speed, duplex mode, inter-frame gap, resetting statistics counters, and maximum and peak flood rates. Flood control is configurable on ingress interfaces (flood rate and including/excluding multicast). Ethernet OAM (Operation, Administration, and Maintenance) provides service assurance over a converged Ethernet network. Ethernet OAM focuses on two main areas that are most in need by service providers and are rapidly evolving in the standards bodies: Service OAM and Link OAM. These two OAM protocols have unique objectives but are complementary to each other. Service OAM provides monitoring and troubleshooting of end-to-end Ethernet service instances, while Link OAM allows a provider to monitor and troubleshoot an individual Ethernet link. The end-to-end service management capability is the most important aspect of Ethernet OAM for service providers. This implementation of Service OAM: Complies with the IEEE 802.1ag draft 7.0 standards. Is only supported on a standalone OmniSwitch 6850. Support for this feature in a stacked environment (or multi-NI architecture) is planned for a future release. Does not support the optional MIP CCM database. As per section 19.4.4 of the IEEE 802.1ag 7.0 draft standard, LTM is forwarded on the basis of the source learning filtering database. Because the MIP CCM database is not supported in this release, MIPs will not forward LTM on blocked egress ports. Does not support Alarm Indication Signal (AIS) messages. Release 6.3.1 includes support for the IEEE 802.1ag draft 7.0 standards.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 303 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
The rise in the number of Ethernet service instances has resulted in service providers requiring a powerful and robust set of management tools to maintain Ethernet service networks. Service provider networks are large and intricate, often comprising of different operators that work together to provide the customers with end-to-end services. The challenge for the service providers is to provide a highly available convergent network to its customer base. Ethernet OAM (Operations, Administration, and Maintenance) provides the detection, resiliency, and monitoring capability for end-to-end service guarantee in an Ethernet network. Note. Ethernet OAM is only supported in Release 6.2.1 for the OmniSwitch 6850 Series. The following table shows Ethernet OAM specifications. Ethernet OAM IEEE Standards Supported: IEEE 802.1agConnectivity Fault Management IEEE 802.3ahCSMA/CD Access Method and Physical Layer Specifications Note: IEEE 802.3ah will be supported in a Future Release. IEEE 802.1DMedia Access Control (MAC) Bridges IEEE 802.1QVirtual Bridged Local Area Networks Maximum Maintenance Domains (MD) per Bridge: 8 Maximum Maintenance Associations (MA) per Bridge: 128 Maximum Maintenance End Points (MEP) per Bridge: 25 The following table shows Ethernet OAM default values. Continuity Check Message interval: intervalnone MHF value assigned to a default Ethernet OAM Maintenance Domain: None The priority value for CCMs and LTMs transmitted by the MEP: 7 Number of Loopback messages to be transmitted: 1 Data Type Length Value: 64 VLAN priority: 0 Whether or not Drop Enable bit is configured (true or false): True Hop count: 64 Etherrnet OAM Overview Ethernet OAM provides service assurance over a converged Ethernet network. It helps service providers to manage network operations efficiently and smoothly. Ethernet OAM provides effective monitoring capabilities by increasing visibility in the network. It detects failure and degradation by raising warnings and alarms; also provides diagnostic and troubleshooting tools to resolve problems. Ethernet OAM focuses on two main protocols that the service providers require the most and are rapidly evolving in the standards bodies: Service OAM and Link OAM. These OAM protocols are unique and complementary to each other. Service OAMfor monitoring and troubleshooting end-to-end Ethernet service instances Link OAMfor monitoring and troubleshooting an individual Ethernet link Ethernet OAM is not supported on mobile, mirrored, and aggregable ports (the physical port members of an aggregate). It is also not supported on dynamically learned VLANs. But, it can be implemented on any full-duplex point-to-point or emulated point-to-point Ethernet link. It need not be implemented systemwide. Management systems are important for configuring Ethernet OAM across the network. They also help to automate network monitoring and troubleshooting. Ethernet OAM can be configured in two phases, Network Configuration phase and Service Activation phase. The Network Configuration phase enables Connectivity Fault Management (CFM) on the switches. CFM allows service providers to manage customer service instances individually. This phase also helps set up the Maintenance Intermediate Points (MIP) and Maintenance End Points (MEP). Any port of a bridge is referred to as a Maintenance Point (MP). An MP can be either a MEP or MIP. A MEP resides at the edge of a Maintenance Domain (MD), while a MIP is located within a Maintenance Domain. A Maintenance Domain is an administrative domain for managing and administering a network. In the Service Activation phase, a new end point created on a VLAN needs to be configured as a MEP. This enables the configuration of continuity-check and cross-check functionalities. Console portA direct connection to the switch through the console port: The console port is always enabled for the default user account. TelnetAny standard Telnet client may be used for remote login to the switch. This method is not secure. FTPAny standard FTP client may be used for remote login to the switch. This method is not secure. Secure ShellAny standard Secure Shell client may be used for remote login to the switch. Telnet may be used to log into the switch from a remote station. All of the standard Telnet commands are supported by software in the switch. When Telnet is used to log in, the switch is acting as a Telnet server. A Telnet session may also be initiated from the switch itself during a login session. In this case, the switch is acting as a Telnet client. Note. A Telnet connection is not secure. Secure Shell is recommended instead of Telnet or FTP as a secure method of accessing the switch.. The OmniSwitch can function as an FTP server. Any standard FTP client may be used. Note. An FTP connection is not secure. Secure Shell is recommended instead of FTP or Telnet as a secure method of accessing the switch. Note. You must use the binary mode (bin) to transfer image files via FTP.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 304 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Secure Shell (SSHv2) SSHv2 for secure CLI session with PKI is also supported
SCP to server for secure upload/download is supported. Copies an existing file in a secure manner. The SCP command will prompt you to enter the admin password, and the names and the path of the files being copied will be displayed. A file may be copied to a new location; you are not required to copy a file to the same directory that contains the original. Be sure to separate path directories and file names with a slash (/). Refer to the examples below. Up to 255 characters may be used for a fully qualified path. A path can contain up to a maximum of seven (7) directories including /flash. As with files names, up to thirty-two (32) characters may be used for a directory name. File and directory names can include only the following character types: a-z, A-Z, 0-9, dashes (-), dots (.), and underscores (_). SSL is a protocol that establishes and maintains secure communication between SSL-enabled servers and clients across the Internet. It secures communications to or from the switch for WebView or LDAP (LDAP-Netscape). Alcatel-Lucents SSL implementation is based on RSAs BSAFE SSL-C product, version 2.0.1. The OmniSwitch 6850 Series supports the SSL client / server implementation with the following types of encryptions: DES, 3DES, RC2, and RC4. The OmniSwitch Secure Shell feature provides a secure mechanism that allows you to log in to a remote switch, to execute commands on a remote device, and to move files from one device to another. Secure Shell provides secure, encrypted communications even when your transmission is between two untrusted hosts or over an un-secure network. The OmniSwitch includes both client and server components of the Secure Shell interface and the Secure Shell FTP file transfer protocol. SFTP is a subsystem of the Secure Shell protocol. All Secure Shell FTP data are encrypted through a Secure Shell channel. Secure Shell protects against a variety of security risks including the following: IP spoofing IP source routing DNS spoofing Interception of clear-text passwords and other data by intermediate hosts Manipulation of data by users on intermediate hosts Note. The OmniSwitch supports Secure Shell Version 2 only. Algorithm and key Exchange: One or several host-specific DSA keys identify the OmniSwitch Secure Shell server. Both the client and server process the key exchange to choose a common algorithm for encryption, signature, and compression. This key exchange is included in the Secure Shell transport layer protocol. It uses a key agreement to produce a shared secret that cannot be determined by either the client or the server alone. The key exchange is combined with a signature and the host key to provide host authentication. Once the exchange is completed, the client and the server turn encryption on using the selected algorithm and key. The following elements are supported: Host key Type: DSA Cipher Algorithms; AES, Blowfish, Cast, 3DES, Arcfour, and Rijndael Signature Algorithms: MD5, and SHA1 Compression Algorithms: None-supported Key Exchange Algorithms: Diffie-hellman-group-exchange-shal Diffie-hellman-group1-shal When used as an SSH Server, the following SSH Software is supported: OpenSSH: Sun Solaris, Win NT + Cygwin, Mac OSX, Linux Red Hat F-Secure: Sun Solaris, Win 2000, Win NT, Win XP, Mac OS9 SSH-Communication: Sun Solaris, Win 2000, Win NT, Win XP, Linux Red Hat PuTTY: Win 2000, Win NT, Win XP, Mac OS9 MAC-SSH: Mac OS9, Mac OSX When used as an SSH Client, the following SSH Software is supported: OpenSSH: Sun Solaris, Win NT + Cygwin, Linux Red Hat, AOS F-Secure: Sun Solaris, Win 2000, Win NT SSH-Communication: Sun Solaris, Win 2000, Win NT, Win XP, Linux Red Hat DSA public key authentication is supported when using PuTTY SSH software to generate the private and public key for the client and to access the switch. It is now possible to enforce the use of public key authentication only on the switch. By default, both password and public key authentication are allowed. HTTPThe switch has a Web browser management interface for users logging in via HTTP. This management tool is called WebView. The default HTTP port and the default Secure HTTP (HTTPS) port can be configured for the embedded Web server in the switch. SNMPAny standard SNMP browser may be used for logging into the switch. SNMPv1&v2&v3 is supported.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 305 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
User Accounts
User accounts may be configured and stored directly on the switch, and user accounts may also be configured and stored on an external authentication server or servers. The accounts include a username and password. In addition, they also specify the users privileges or end-user profile, depending on the type of user account. In either case, the user is given read-only or read-write access to particular commands. Local User Database The user command creates accounts directly on the switch. External Authentication Servers The switch may be set up to communicate with external authentication servers that contain user information. The user information includes usernames and passwords; it may also include privilege information or reference an end-user profile name. The Login Banner feature allows you to change the banner that displays whenever someone logs into the switch. This feature can be used to display messages about user authorization and security. You can display the same banner for all login sessions or you can implement different banners for different login sessions. You can display a different banner for logins initiated by FTP sessions than for logins initiated by a direct console or a Telnet connection. The switch supports a default login message. A Domain Name System (DNS) resolver is an optional Internet service that translates host names into IP addresses. Every time you enter a host name when logging into the switch, a DNS service must look up the name on a server and resolve the name to an IP address. You can configure up to three domain name servers that will be queried in turn to resolve the host name. If all servers are queried and none can resolve the host name to an IP address, the DNS fails. If the DNS fails, you must either enter an IP address in place of the host name or specify the necessary lookup tables on one of the specified servers. Note. You do not need to enable the DNS resolver service unless you want to communicate with the switch by using a host name. If you use an IP address rather than a host name, the DNS resolver service is not needed. File Management Specifications: File Transfer Methods: FTP, Zmodem Switch Software Utility: OmniSwitch as an FTP Client Configuration Recovery: The /flash/certified directory holds configurations that are certified as the default start-up files for the switch. They will be used in the event of a non-specified reload. Switch /flash Directory: 64 MB flash memory available for switch files and directories Contains the /certified and /working directories File/Directory Name Metrics: 32 characters maximum for directory and file names 255 character maximum for a fully qualified path File/Directory Name Characters: Character types are limited to a-z, A-Z, 0-9, dashes (-), dots (.), and underlines (_) Maximum Number of Files/Directories: Maximum of 244 files and/or directories allowed in the root (flash) directory. Sub-Directories: Up to seven sub-directories allowed including /flash. Text Editing: Vi standard UNIX editor. The Ed standard UNIX editor is available in the debug mode. System Clock: Set local date, time and time zone, Universal Time Coordinate (UTC), Daylight Savings (DST or summertime). System Date Default Value: THU JAN 01 1970 (Thursday, January 1, 1970) A number of CLI commands allow you to manage files on your switch by grouping them into subdirectories within the switchs flash directory. These commands perform the same functions as file management software applications (such as Microsofts Explorer) perform on a workstation. For documentation purposes, we have categorized the commands into three groups. Directory commands allow you to create, copy, move, remove, rename, and display directories. File commands allow you copy, edit, rename, remove, change, and display file attributes. Utility commands display memory and system diagnostic information. There are three common methods for loading software to and from your switch. The method you use depends on your workstation software, your hardware configuration, and the location and condition of your switch. FTP ServerYou can use the switch as an FTP server. If you have FTP client software on your workstation, you can transfer a file to the switch via FTP. This is normally done to load or upgrade the switchs software or configurations. FTP ClientYou can use the switch as an FTP client by connecting a terminal to the switchs console port and using standard FTP commands. This feature is useful in cases where you do not have access to a workstation with an FTP client. ZmodemYou can load software directly through the serial port with any terminal emulator that supports the Zmodem protocol. Note that a Zmodem transfer of large files may take several minutes to complete.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 306 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
When you log into the switch, your current directory is the flash directory. For a factory default switch, the flash directory contains three sub-directories and several files. It is important to understand the relationship of these directories before you load software or edit any of the files. The three directories are described here: Certified directoryThis directory contains configuration files that are certified as the default startup files for the switch. These are the trusted configuration and binary image files. They will be used in the event of a non-specified reload. Do not attempt to edit these files. The path to this directory is /flash/certified. Working directoryThe working directory is a repository for configuration files that you are working on. If you are working on configuration files to develop a custom switch application, you may want to test them before certifying them as the switchs default. To do this, you can boot from the files in the working directory while preserving the files in the certified directory. When the files in the working directory are tested and working properly, you may certify them as the switchs default files. The files are then copied into the certified directory to replace the old ones. The path to this directory is /flash/working. Network directoryThis directory holds files that may be required by servers used for authentication. Other files can be put into this directory if desired. The path to this directory is /flash/network. Kadvrout.img: Optional Advanced Routing (Advanced Routing) Kbase.img: Base Software (Base Software) K2diag.img: Base Software (Diagnostics) Keni.img: Base Software (Ethernet Images) K2os.img: Base Software (Operating System) Ksecu.img: Optional Security (Security A-VLANs) Krelease.img: Base Software (Release Archive) The switch clock displays time using a 24-hour clock format. It can also be set for use in any time zone. Daylight Savings Time (DST) is supported for a number of standard time zones. DST parameters can be programmed to support non-standard time zones and time offset applications. All switch files and directories listed in the flash directory bear a time stamp. This feature is useful for file management purposes. You can set the local date, time zone, and time for the switch or you can also set the switch to run on Universal Time Coordinate (UTC or GMT). If applicable, you can also configure Daylight Savings Time (DST or Summertime) parameters. The Network Time Protocol (NTP) is used to synchronize the time of a computer client or server to another server or reference time source, such as a radio or satellite receiver. It provides client time accuracies within a millisecond on LANs, and up to a few tens of milliseconds on WANs relative to a primary server synchronized to Universal Coordinated Time (UTC) (via a Global Positioning Service receiver, for example). NTP Specifications: RFCs supported: 1305-Netwok Time Protocol Maximum number of NTP severs per client: 3 Note. The Alcatel-Lucent OmniSwitch 6600, 6800, 6850, 7700, 7800, 8800 and 9000 switches can only be NTP clients in an NTP network. They cannot act as NTP servers. Note. Alcatel-Lucents current implementation of NTP only allows the OmniSwitch to act as a passive client, not as a server. A passive client only receives NTP information and adjusts its time accordingly. NTP is designed to use MD5 encryption authentication to prevent outside influence upon NTP timestamp information. Using a key file does this. The key file is loaded into the switch memory, and consists of a text file that lists key identifiers that correspond to particular NTP entities. If authentication is enabled on an NTP switch, any NTP message sent to the switch must contain the correct key ID in the message packet to use in decryption. Likewise, any message sent from the authentication-enabled switch will not be readable unless the receiving NTP entity possesses the correct key ID. The key file is a text (.txt) file that contains a list of keys that are used to authenticate NTP servers. It should be located in the /networking directory of the switch. Key files are created by a system administrator independent of the NTP protocol, and then placed in the switch memory when the switch boots.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 307 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Management software
Software Rollback feature The directory structure inherent in the Management software allows for a switch to return to a previous, more reliable version of image or configuration files.
Chassis Management software runs the OmniSwitch Series. The directory structure of the software is designed to prevent corrupting or losing switch files. It also allows you to retrieve a previous version of the switch software. An OmniSwitch 6850 Series can provide redundancy; in a stacking configuration one switch is designated as the primary, and one is designated as the secondary. Specifications: Size of Flash Memory: 64MB Size of RAM Memory: 256MB Maximum Length of File Names: 32 Characters Maximum Length of Directory Names: 32 Characters Default Boot Directory: Certified Three types of files control the management of a single switch: Image files, which are proprietary code developed by Alcatel-Lucent to run the hardware. These files are not configurable by the user, but may be upgraded from one release to the next. These files are also known as archive files, as they are really the repositories of several smaller files grouped together under a common heading. A configuration file, named boot.cfg, which is an ASCII-based text file that sets and controls the configurable functions inherent in the image files provided with the switch. The user can modify this file. When the switch boots, it looks for the file called boot.cfg. It uses this file to set various switch parameters defined by the image files. A boot file, named boot.slot.cfg, which is an ASCII-based text file that numbers the NI Modules. Modifications to the switch parameters affect or change the configuration file. The image files are static for the purposes of running the switch (though they can be updated and revised with future releases or enhancements). Image and configuration files are stored in the Flash memory (which is equivalent to a hard drive memory) in specified directories. When the switch is running, it loads the image and configuration files from the Flash into the RAM. When changes are made to the configuration file, the changes are first stored in RAM. The directory structure that stores the image and configuration files is divided into two parts: The certified directory contains files that have been certified by an authorized user as the default files for the switch. Should the switch reboot; it would reload the files in the certified directory to reactivate its functionality. The working directory contains files that may or may not be altered from the certified directory. The working directory is a holding place for new files. Files in the working directory must be tested before committing them to the certified directory. You can save configuration changes to the working directory. You can reboot the switch from the working directory using the reload working commands. The running configuration is the current operating parameters of the switch, obtained from information from the image and configuration files. The running configuration is in the RAM memory. Initially, when normally booting the switch, the software is loaded from the certified directory. This is the repository for the most reliable software. When the switch is booted, the certified directory is loaded into the running configuration and used to manage switch functionality. The directory structure inherent in OmniSwitch 6850 Series switch management software allows for a switch to return to a previous, more reliable version of image or configuration files. Changes made to the configuration file may alter switch functionality. These changes are not saved unless explicitly done so by the user. If the switch reboots before the configuration file is saved, then the certified directory is re-loaded and changes made to the configuration file prior to the reboot are lost. Likewise, new image files should be placed in the working (non-certified) directory first. New image or configuration files can be tested to decide whether they are reliable. Should the configuration or images files prove to be less reliable than their older counterparts in the certified directory, then the switch can be rebooted from the certified directory, and rolled back to an earlier version. Once the contents of the working directory are established as good files, then these files can be saved to the certified directory and used as the most reliable software to which the switch can be rolled back to in an emergency situation. Note. It is not necessary to reboot an entire OS6850 switch for synchronization of the configuration. Software redundancy is one of the switchs most important fail over features. For software redundancy, at least two fully operational OmniSwitch 6850 Series switches must exist. In addition, the management software must be synchronized. When two switches are running in a stacked configuration, one unit has the primary role and the second unit has the secondary role at any given time. The primary unit manages the current switch operations while the secondary unit provides backup (also referred to as fail over).
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 308 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Alcatel-Lucents Command line interface (CLI) is a text-based configuration interface that allows you to configure switch applications and to view switch statistics. The CLI uses single-line text commands that are similar to other industry standard switch interfaces. However, the Alcatel-Lucent CLI is different from industry standard interfaces in that the AlcatelLucent uses a single level command hierarchy. Unlike other switch interfaces, the Alcatel-Lucent CLI has no concept of command modes. Other CLIs require you to step your way down a tree-type hierarchy to access commands. Once you enter a command mode, you must step your way back to the top of the hierarchy before you can enter a command in a different mode. The Alcatel-Lucent switch will answer any CLI command at any time because there is no hierarchy. CLI Specifications: Configuration Methods: Online configuration via real-time sessions using CLI commands. Offline configuration using text file holding CLI commands. Command Capture Feature: Snapshot feature captures switch configurations in a text file. User Service Features: Command Line Editing Command Prefix Recognition CLI Prompt Option Command Help Keyword Completion Command History (up to 30 commands) Command Logging (up to 100 commands; detailed information) Syntax Error Display Alias Command Option More Command Commands and settings needed for the OmniSwitch 6850 can be contained in an ASCII-based configuration text file. Configuration files can be created in several ways and are useful in network environments where multiple switches must be managed and monitored. Instead of using CLI commands entered at a workstation, you can configure the switch using an ASCII-based text file. You may type CLI commands directly into a text document to create a configuration file that will reside in your switchs /flash directory. Configuration files are created in the following ways: You may create, edit and view a file using a standard text editor (such as MS WordPad or Notepad) on a workstation. The file can then be uploaded to the switchs /flash file directory. You can invoke the switchs CLI configuration snapshot command to capture the switchs current configuration into a text file. This causes a configuration file to be created in the switchs /flash directory. You can use the switchs text editor to create or edit a configuration file located in the switchs /flash file directory. Once you have a configuration file located in the switchs file system you must load the file into running memory to make it run on the switch. You do this by using configuration apply command. You may apply configuration files to the switch immediately, or you can specify a timer session. In a timer session, you schedule a file to be applied in the future at a specific date and time or after a specific period of time has passed (like a countdown). Timer sessions are very useful for certain management tasks, especially synchronized batch updates. Configuration File Specifications: Creation Methods for Configuration Files: Create a text file on a word processor and upload it to the switch. Invoke the switchs snapshot feature to create a text file. Create a text file using one of the switchs text editors. Timer Functions: Files can be applied immediately or by setting a timer on the switch. Command Capture Feature: Snapshot feature captures switch configurations in a text file. Error Reporting: Snapshot feature includes error reporting in the text file. Text Editing on the Switch: Vi standard UNIX editor. The text file configuration feature allows you to configure the switch using an ASCII-based text file. You may type CLI commands directly into a text document to create a configuration file. This file resides in the switchs file system. You can create configuration files in the following ways. You may create, edit and view a file using a standard text editor (such as Microsoft Note Pad) on a workstation. The resulting configuration file is then uploaded to the switch. You can invoke the switchs CLI snapshot command to capture the switchs current configuration into a text file. You can use the switchs text editor to create or make changes to a configuration file.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 309 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Switch user accounts may be set up locally on the switch for users to log into and manage the switch. The accounts specify login information (combinations of usernames and passwords) and privilege or profile information depending on the type of user. The switch has several interfaces (console, Telnet, HTTP, FTP, Secure Shell, and SNMP) through which users may access the switch. The switch may be set up to allow or deny access through any of these interfaces. User information may also be configured on external servers in addition to, or instead of, user accounts configured locally on the switch (except end-user profiles, which may only be configured on the switch). User database Specifications: Maximum number of alphanumeric characters in a username: 31 Maximum number of alphanumeric characters in a user password: 47 Maximum number of alphanumeric characters in an end-user profile name: 32 Maximum number of user accounts: 64 Maximum number of end-user profiles: 128 A user account includes a login name, password, and user privileges. The account also includes privilege or profile information, depending on the type of user account. There are two types of accounts: network administrator accounts, and end-user or customer login accounts. Network administrator accounts are configured with user (sometimes called functional) privileges. These privileges determine whether the user has read or write access to the switch and which command domains and command families the user is authorized to execute on the switch. Customer login accounts are configured with end-user profiles rather than functional privileges. Profiles are configured separately and then attached to the user account. A profile specifies command areas to which a user has access as well as VLAN and/or port ranges to which the user has access. The designation of particular command families/domains or command families for user access is sometimes referred to as partitioned management. AAA servers are able to provide authorization for switch management users as well as authentication. (They also may be used for accounting.) User login information and user privileges may be stored on the servers. The following AAA servers are supported on the switch: Remote Authentication Dial-In User Service (RADIUS). Authentication using this type of server was certified with Funk/Juniper Steel Belted RADIUS server (any industry standard RADIUS server should work). Lightweight Directory Access Protocol (LDAP). Terminal Access Controller Access Control System (TACACS+). Authentication-only servers are able to authenticate users for switch management access, but authorization (or what privileges the user has after authenticating) is determined by the switch. Authentication- only servers cannot return user privileges to the switch. The authentication-only server supported by the switch is ACE/Server, which is a part of RSA Securitys SecurID product suite. RSA Securitys ACE/ Agent is embedded in the switch. By default, switch management users may be authenticated through the console port via the local user database. If external servers are configured for other management interfaces but the servers become unavailable, the switch will poll the local user database for login information if the switch is configured for local checking of the user database. The database includes information about whether or not a user is able to log into the switch and what kinds of privileges or rights the user has for managing the switch. The privileges and profiles are sometimes referred to as authorization. Users typically log into the switch through one of the following methods: Console portA direct connection to the switch through the console port. TelnetAny standard Telnet client may be used for logging into the switch. FTPAny standard FTP client may be used for logging into the switch. HTTPThe switch has a Web browser management interface for users logging in via HTTP. This management tool is called WebView. Secure ShellAny standard Secure Shell client may be used for logging into the switch. SNMPAny standard SNMP browser may be used for logging into the switch Available command domains and families are listed below: Domain-admin: file telnet dshell debug Domain-system: system aip snmp rmon web config Domain-physical: chassis module interface pmm health Domain-network: ip rip ospf vrrp ip-routing ipx ipmr ipms Domain-layer-2: 802.1q, vlan bridge stp, linkagg ip-helper Domain-service: dns Domain-policy: qos policy slb Domain-security: session avlan aaa
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 310 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
End-user profiles
By default, users can access the switch based on the SNMP setting specified for the default user account. The user command, however, may be used to configure SNMP access for a particular user. SNMP access may be configured without authentication and encryption required (supported by SNMPv1, SNMPv2, or SNMPv3). Or it may be configured with authentication or authentication/encryption required (SNMPv3 only). SNMP authentication specifies the algorithm that should be used for computing the SNMP authentication key. It may also specify DES encryption. The following options may be configured for a users SNMP access with authentication or authentication/encryption: SHAThe SHA authentication algorithm is used for authenticating SNMP PDU for the user. MD5The MD5 authentication algorithm is used for authenticating SNMP PDU for the user. SHA and DESThe SHA authentication algorithm and DES encryption standard is used for authenticating and encrypting SNMP PDU for the user. MD5 and DESThe MD5 authentication algorithm and the DES encryption standard is used for authenticating and encrypting SNMP PDU for the user. End-user profiles are designed for user accounts in the carrier market. With end-user profiles, a network administrator can configure customer login accounts that restrict users to particular command areas over particular ports and/or VLANs. End-user profiles are only managed and stored on the switch; profiles are not stored on external servers. Note. End-user profiles cannot be used in conjunction with user-partitioned management; the features are mutually exclusive. Switch security is provided on the switch for all available management interfaces (console, Telnet, HTTP, FTP, Secure Shell, and SNMP). The switch may be set up to allow or deny access through any of these interfaces. (Note that users attempting to access the switch must have a valid username and password.) A user login procedure requires that users be authenticated for switch access via an external authentication server or the local user database. Access to managing the switch is always available for the admin user through the console port, even if management access to the console port is disabled for other users. Switch Security Overview Switch security features increase the security of the basic switch login process by allowing management only through particular interfaces for users with particular privileges. Login information and privileges may be stored on the switch and/or an external server, depending on the type of external server you are using and how you configure switch access. An external RADIUS or LDAP server can supply both user login and authorization information. ACE/Server can provide login information; user authorization information is available through the switchs local user database. External servers may also be used for accounting, which includes logging statistics about user sessions. If an external server is not available or is not configured, user login information and user authorization may be provided through the local user database on the switch. Logging may also be accomplished directly on the switch. Switch Security Specifications: Telnet sessions allowed: 4 concurrent sessions FTP sessions allowed: 4 concurrent sessions HTTP (Web browser) sessions allowed: 4 concurrent sessions Secure Shell session (including SFTP) allowed: 8 concurrent sessions Total sessions (Telnet, FTP, HTTP, console): 13 concurrent sessions SNMP sessions allowed: 50 concurrent sessions Authenticated Switch Access (ASA) is a way of authenticating users who want to manage the switch. With authenticated access, all switch login attempts using the console or modem port, Telnet, FTP, SNMP, or HTTP require authentication via the local user database or via a third-party server. The type of server may be an authentication-only mechanism or an authentication, authorization, and accounting (AAA) mechanism. AAA servers are able to provide authorization for switch management users as well as authentication. (They also may be used for accounting.) User login information and user privileges may be stored on the servers. In addition to the Remote Authentication Dial-In User Service (RADIUS) and Lightweight Directory Access Protocol (LDAP) servers, using a Terminal Access Controller Access Control System (TACACS+) server is now supported with the 6.1.3.R01 release. Authentication-only servers are able to authenticate users for switch management access, but authorization (or what privileges the user has after authenticating) are determined by the switch. Authentication-only servers cannot return user privileges to the switch. The authentication-only server supported by the switch is ACE/Server, which is a part of RSA Securitys SecurID product suite. RSA Securitys ACE/Agent is embedded in the switch. By default, switch management users may be authenticated through the console port via the local user database. If external servers are configured for other management interfaces but the servers become unavailable, the switch will poll the local user database for login information if the switch is configured for local checking of the user database. The database includes information about whether or not a user is able to log into the switch and what kinds of privileges or rights the user has for managing the switch.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 311 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Authentication-only -----ACE/Servers
Alcatel-Lucents OmniVista
AAA servers are able to provide authorization for switch management users as well as authentication (they also may be used for accounting). The AAA servers supported on the switch are Remote Authentication Dial-In User Service (RADIUS) or Lightweight Directory Access Protocol (LDAP) servers. User login information and user privileges may be stored on the servers. Privileges are used for network administrator accounts. Instead of user privileges an end-user profile may be associated with a user for customer login accounts. User information configured on an external server may include a profile name attribute. The switch will attempt to match the profile name to a profile stored locally on the switch. Authentication-only servers are able to authenticate users for switch management access, but authorization (or what privileges the user has after authenticating) are determined by the switch. Authentication-only servers cannot return user privileges or end-user profiles to the switch. The authentication-only server supported by the switch is ACE/Server, which is a part of RSA Securitys SecurID product suite. RSA Securitys ACE/Agent is embedded in the switch. RADIUS: Telnet, FTP, HTTP, Secure Shell LDAP: Telnet, FTP, HTTP, Secure Shell, SNMP ACE/Server: Telnet, FTP, HTTP, Secure Shell Local: Console, FTP, HTTP, Secure Shell, SNMP OmniVista provides a single interface for voice and data. The Alcatel-Lucent OmniVista Network Management System provides network management layer functions across all Alcatel-Lucent enterprise switch products including OmniSwitch 6850 Series. OmniVista is a multi-user environment that is able to discover all Alcatel-Lucent enterprise switches in the network. It also allows multiple users to monitor network-wide activities while providing access to each switch. Please refer to the OmniVista Release 2.3 boilerplate document for a comprehensive coverage of the OmniVista features. The switch can be monitored and configured using WebView, Alcatel-Lucents web-based device management tool. The WebView application is embedded in the switch and is accessible via the following web browsers: Internet Explorer 6.0 and later for Windows NT, 2000, XP, 2003 Firefox 2.0 for Windows and Solaris SunOS 5.10 Windows Vista WebView contains modules for configuring all software features in the switch. Configuration and monitoring pages include context-sensitive on-line help. WebView CLI Defaults: Web Management Command Line Interface (CLI) commands allow you to enable/disable WebView, enable/disable Secure Socket Layer (SSL), and view basic WebView parameters. These configuration options are also available in WebView. Defaults for WebView Configuration through the http command: WebView Status: Enabled Force SSL: Disabled HTTPS port: 443 HTTP pot: 80 HTTP default port configuration This feature provides the user with the ability to specify an HTTP port number that is different than the default port 80 for web based authenticated VLAN feature.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 312 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
The Simple Network Management Protocol (SNMP) Network administrators use SNMP to monitor network performance and to manage network resources.
SNMPv1&v2&v3 is supported
SNMPv3
The Simple Network Management Protocol (SNMP) is an application-layer protocol that allows communication between SNMP managers and SNMP agents on an IP network. Network administrators use SNMP to monitor network performance and to solve network problems. SNMP provides an industry standard communications model used by network administrators to manage and monitor their network devices. OmniSwitch 6850 Series switches support SNMPv1, SNMPv2, and SNMPv3. SNMP Specifications: RFCs Supported for SNMPv2: o 1902 through 1907 - SNMPv2c Management Framework o 1908 - Coexistence and transitions relating to SNMPv1 and SNMPv2c RFCs Supported for SNMPv3: o 2570 Version 3 of the Internet Standard Network Management Framework o 2571 Architecture for Describing SNMP Management Frameworks o 2572 Message Processing and Dispatching for SNMP o 2573 SNMPv3 Applications o 2574 User-based Security Model (USM) for version 3 SNMP o 2575 View-based Access Control Model (VACM) for SNMP o 2576 Coexistence between SNMP versions SNMPv1, SNMPv2, SNMPv3: The SNMPv3 protocol is ascending compatible with SNMPv1 and v2 and supports all the SNMPv1 and SNMPv2 PDUs SNMPv1 and SNMPv2 Authentication: Community Strings SNMPv1, SNMPv2 Encryption: None SNMPv1 and SNMPv2 Security requests accepted by the switch: Sets and Gets SNMPv3 Authentication: SHA, MD5 SNMPv3 Encryption: DES SNMPv3 Security requests accepted by the switch: Non-authenticated Sets, Nonauthenticated Gets and Get-Nexts, Authenticated Sets, Authenticated Gets and Get-Nexts, Encrypted Sets, Encrypted Gets and Get-Nexts SNMP traps: For a list and description of traps, refer to the SNMP Traps Table in Appendix #1. SNMP MIBs: For a list and description of system MIBs, refer to Industry Standard MIBs and Enterprise (Proprietary) MIBs in Appendix #2. The SNMP agent in the OS6850 switch can communicate with multiple managers. You can configure the switch to communicate with different management stations using different versions of SNMP. The switch supports SNMPv1&v2&v3. SNMPv3 supports the View-Based Access Control Model (VACM) and User-Based Security Model (USM) security models along with these added security features: Message integrityEnsuring that a packet has not been tampered with in transit Time Frame ProtectionLimiting requests to specified time frames. The user can specify a time frame so that any PDU bearing an out of date timestamp will be ignored. EncryptionScrambling the contents of a packet to prevent it from being learned by an unauthorized source AuthenticationDetermining that the message is from a valid source holding the correct privileges. The switch supports the SNMPv1 and SNMPv2c community strings security standard. When a community string is carried over an incoming SNMP request, that community string must match up with a user account name as listed in the community string database on the switch. Otherwise, the SNMP agent in the switch will not process the SNMP request. Note. A community string inherits the security privileges of the user account that creates it. Two important processes are used to verify that the message contents have not been altered and that the source of the message is authentic. These processes are encryption and authentication. The switch uses the Data Encryption Standard (DES) encryption scheme in its SNMPv3 implementation. For DES, the data are encrypted in 64-bit blocks using a 56-bit key. The algorithm transforms 64-bit input into a 64-bit output. The same steps with the same key are used to reverse the encryption. The authentication process ensures that the switch receives accurate messages from authorized sources. Authentication is accomplished between the switch and the SNMP management station through the use of a username and password identified via the snmp station CLI syntax. The username & password are used by the SNMP management station along with an authentication algorithm (SHA or MD5) to compute a hash that is transmitted in the PDU. The switch receives the PDU and computes the hash to verify that the management station knows the password. The switch will also verify the checksum contained in the PDU. Authentication and encryption are combined when the PDU is first authenticated by either the SHA or MD5 method. Then the message is encrypted using the DES encryption scheme. The encryption key is derived from the authentication key, which is used to decrypt the PDU on the switchs side.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 313 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
SNMP Traps
SNMP MIBs
The SNMP agent in the switch has the ability to send traps to the management station. It is not required that the management station request them. Traps are messages alerting the SNMP manager to a condition on the network. A trap message is sent via a PDU issued from the switchs network management agent. It is sent to alert the management station to some event or condition on the switch. Traps can indicate improper user authentication, restarts, the loss of a connection, or other significant events. You can configure the switch so that traps are forwarded to or suppressed from transmission to the management station under different circumstances. SNMP traps: For a list and description of traps, refer to the SNMP Traps Table in Appendix #1. You can display MIB tables and their corresponding command families by using the show snmp mib family command. The MIB table identifies the MIP identification number, the MIB table name and the command family. If a command family is not valid for the entire MIB table, the command family will be displayed on a per-object basis. For a list and description of system MIBs, refer to Industry Standard MIBs and Enterprise (Proprietary) MIBs in Appendix #2. For a list and description of traps, refer to the SNMP Traps Table in Appendix #1.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 314 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IEEE 802.1ad/D6.0 (VLAN Stacking) IEEE 802.1ag IEEE 802.1D-1998 IEEE 802.1D for the GVRP support IEEE 802.1p IEEE 802.1Q
IEEE 802.1QinQ IEEE 802.1s IEEE 802.1x Extended 802.1x IEEE 802.1x MIB Port Access IEEE 802.1v IEEE 802.1w IEEE 802.3 IEEE 802.3i IEEE 802.3ab IEEE 802.3ac IEEE 802.3ad IEEE 802.3ae IEEE 802.3af IEEE 802.3x
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 315 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IETF -- RFCs
RFC 768 RFC 791 / 894 / 1024 /1349 RFC 792 RFC 793 / 1156 RFC 826 / 903 RFC 854 / RFC 855 RFC 855 RFC 894 RFC 896 RFC 903 RFC 919 / 922 RFC 922 RFC 925 / 1027 RFC 950 RFC 951 RFC 959 / 2640 RFC 1027 RFC 1058 RFC 1024 RFC 1075 RFC 1112 RFC 1122 RFC 1142 RFC 1151 RFC 1155 / 2578-2580 RFC 1156 RFC 1157 / 2271 RFC 1191 RFC 1195 RFC 1212 / 2737 RFC 1213 / 2011-2013 RFC 1215 RFC 1253 / 1850 / 2328 RFC 1256 RFC 1269 / 1657 RFC 1305 / 2030 RFC 1321 RFC 1349 RFC 1370 RFC 1403 / 1745 RFC 1493 RFC 1518 / 1519 RFC 1519 RFC 1534 RFC 1541 / 1542 / 2131 / 3396 / 3442 RFC 1542 RFC 1573 / RFC 2233 / RFC 2863 RFC 1587 / 3101 RFC 1643 / RFC 2665 RFC 1657 RFC 1701 & 1702 RFC 1722 / 1723 / 2453 / 1724 RFC 1724 RFC 1745 RFC 1757 / 2819 RFC 1765 RFC 1771-1774 / 2842 / 2918 / 3392 UDP IP & IP / Ethernet ICMP TCP / IP & MIB ARP & Reverse ARP Telnet & Telnet options Telnet & Telnet options IP & IP / Ethernet Congestion Control ARP & Reverse ARP Broadcasting Internet Datagram Broadcasting Internet Datagram Multi-LAN ARP / Proxy ARP; Statically configured ARP entries Subnetting Bootstrap Protocol (BootP) FTP Multi-LAN ARP / Proxy ARP; Statically configured ARP entries RIPv1 IP & IP / Ethernet DVMRPv2 IGMPv1 Internet Hosts OSI IS-IS Intra-domain Routing Protocol RDP SMIv1 & SMIv2 TCP / IP & MIB SNMPv1 Path MTU Discovery Use of OSI IS-IS for routing in TCP/IP & dual environments MIB & MIB-II SNMPv2 MIB Convention for SNMP Traps OSPFv2 & MIB ICMP Router Discovery Messages BGPv3&v4 MIB NTPv3 & Simple NTP MD5 IP & IP / Ethernet Applicability Statement for OSPF BGP / OSPF Interaction Bridge MIB CIDR CIDR Interoperation Between DHCP and BOOTP Dynamic Host Configuration Protocol (DHCP) Clarifications and Extensions for the Bootstrap Protocol Private Interface MIB OSPF NSSA Option Ethernet MIB BGPv3&v4 MIB 1701Generic Routing Encapsulation (GRE) 1702Generic Routing Encapsulation over IPV4 Networks RIPv2 Protocol Applicability Statement & MIB RIPv2 MIB Extension BGP / OSPF Interaction RMON & MIB OSPF Database Overflow is not currently supported. BGPv4
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 316 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
RFC 1789 RFC 1798 RFC 1812 / 2644 RFC 1850 RFC 1886 RFC 1901, 1902, 1903, 1904, 1905, 1906, 1907 RFC 1908 RFC 1965 RFC 1966 RFC 1997/1998 RFC 2003 RFC 2011 RFC 2012 RFC 2013 RFC 2030 RFC 2042 RFC 2080 RFC 2096 RFC 2104 RFC 2131 / 3046 RFC 2132 RFC 2138 / 2865 / 2868 / 3575 / 2618 RFC 2139 / 2866 / 2867 / 2620
Connectionless Lightweight X.5000 Directory Access Protocol IPv4 Router Requirements OSPF Version 2 MIB DNS for IPv6 -SNMPv2c Management Framework -Coexistence and transitions relating to SNMPv1 and SNMPv2c BGP AS Confederations BGP Route Reflection BGP Communities Attributes -IP Encapsulation within IP. SNMPv2 MIB SNMPv2 MIB SNMPv2 MIB NTPv3 & Simple NTP BGP New Attribute RIPng IP MIB HMAC Message Authentication Dynamic Host Configuration Control (relay) DHCP / BootP Relay DHCP Options and BOOTP Vendor Extensions RADIUS Authentication & Client MIB RADIUS Note on RFC 2620: We support this RFC 2620 through our own Proprietary Private MIB. Although, the mapping between the RFC 2620 and our own Private MIB is not one-to-one, we do support many common objects between the standard version and that of our own Private MIB. OSPF MD5 Signature SFTP Private Interface MIB IGMPv2 (Snooping for layer-2 multicast switching) & MIB Using Domains in LDAP/X.500 Distinguished Names Lightweight Directory Access Protocol (v3) Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names The String Representation of LDAP Search Filters A Summary of the X.500 (96) User Schema for Use with LDAPv3 SNMPv1 PPP Extensible Authentication Protocol (EAP) IPv6 OSPFv2 Virtual Router Redundancy Protocol (VRRP) & MIB PIM-SM Protocol Specifications Administratively Scoped IP Multicast The OSPF Opaque LSA Option BGP MD5 Signature BGP Route Flap Damping IPv6 TCP/UDP MIB RIPv2 NDP ICMPv6 & MIB IPv6 Note: RFC 2893 has been obsoleted by RFC4213. RFC4213 is now supported, but it does not include Automatic tunnels. Therefore, the main difference is that the new RFC4213 does not contain an automatic tunneling capability. DiffServ DiffServ Microsoft Vendor-specific RADIUS Attributes
RFC 2154 RFC 2228 RFC 2233 RFC 2236 / 2933 RFC 2247 RFC 2251 RFC 2252 RFC 2253 RFC 2254 RFC 2255 RFC 2256 RFC 2271 RFC 2284 RFC 2292 / 2373 / 2374 / 2460 / 2462 RFC 2328 RFC 2338 / 3768 / 2787 RFC 2362 RFC 2365 RFC 2370 / 3630 RFC 2385 RFC 2439 RFC 2452 / RFC 2454 RFC 2453 RFC 2461 RFC 2463 / 2466 RFC 2464 / 2553 / 2893 / 3493 / 3513
RFC 2474 / 2475 / 2597 / 3168 / 3246 RFC 2475 RFC 2548
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 317 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
RFC 2570 RFC 2571 RFC 2572 RFC 2573 RFC 2574 RFC 2575 RFC 2576 RFC 2578, RFC 2579, and RFC 2580 RFC 2597 RFC 2616 / RFC 2854 RFC 2618
RFC 2620
RFC 2640 RFC 2644 RFC 2665 RFC 2667 RFC 2668 / RFC 3636 RFC 2674 RFC 2715 / 2932 RFC 2727 RFC 2737 RFC 2740 RFC 2763 RFC 2784 RFC 2787 RFC 2796 RFC 2809 RFC 2819 RFC 2842 RFC 2863 RFC 2865 RFC 2866 RFC 2867 RFC 2868 RFC 2869/2869bits RFC 2882 RFC 2890 RFC 2893
Version 3 of the Internet Standard Network Management Framework Architecture for Describing SNMP Management Frameworks Message Processing and Dispatching for SNMP SNMPv3 Applications User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3) View-based Access Control Model (VACM) for SNMP Coexistence between SNMP versions SMIv1 & SMIv2 DiffServ HTTP & HTML RADIUS Authentication & Client MIB Note: We support this RFC 2618 through our own Proprietary Private MIB. Although, the mapping between the RFC 2618 and our own Private MIB is not one-to-one, we do support many common objects between the standard version and that of our own Private MIB. RADIUS Accounting & Client MIB Note: We support this RFC 2620 through our own Proprietary Private MIB. Although, the mapping between the RFC 2620 and our own Private MIB is not one-to-one, we do support many common objects between the standard version and that of our own Private MIB. FTP Changing the Default for Directed Broadcast in Routers (complements IP router requirements) Ethernet MIB IP Tunnel MIB IEEE 802.3 MAU MIB Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering and Virtual LAN Extensions / VLAN MIB Multicast Routing MIB MIB & MIB-II OSPFv3 for IPv6 Dynamic Hostname Exchange for IS-IS Generic Routing Encapsulation (GRE) Definitions of Managed Objects for the Virtual Router Redundancy Protocol BGP Route Reflection Implementation of L2TP Compulsory Tunneling via RADIUS Remote Network Monitoring Management Information Base BGPv4 Private Interface MIB Remote Authentication Dial In User Service (RADIUS) RADIUS Accounting & Client MIB RADIUS Accounting Modifications for Tunnel Protocol Support / Accounting & Client MIB RADIUS Attributes for Tunnel Protocol Support RADIUS Extensions Network Access Servers Requirements: Extended RADIUS Practices Key and Sequence Number Extensions to GRE (extensions defined are not supported) IPv6/IPv4 Dual Stacks Note: RFC 2893 has been obsoleted by RFC4213. RFC4213 is now supported, but it does not include Automatic tunnels. Therefore, the main difference is that the new RFC4213 does not contain an automatic tunneling capability. BGPv4 Accounting Attributes and Record Formats IPv4 Multicast Routing MIB IGMP MIB PIM MIB for IPv4 Introduction to Accounting Management Criteria for Evaluating AAA Protocols for Network Access Dynamic Host Configuration Control (relay) DHCP / BootP Relay IPv6 Tunneling Policy Core
RFC 2918 RFC 2924 RFC 2932 RFC 2933 RFC 2934 RFC 2975 RFC 2989 RFC 3046 RFC 3056 RFC 3060
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 318 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
RFC 3065 RFC 3101 RFC 3168 RFC 3176 RFC 3246 RFC 3289 RFC 3376 (IGMPv3) RFC 3392 RFC 3396 RFC 3411 RFC 3412 RFC 3413 RFC 3414 RFC 3415 RFC 3416, RFC 3417, and RFC 3418 RFC 3442 RFC 3542 / RFC 3587 RFC 3569 RFC 3575 RFC 3623 RFC 3635 RFC 3636 RFC 3768
BGP AS Confederations The OSPF Not-So-Stubby Area (NSSA) Option DiffServ RFC 3176 is for sFlow support DiffServ The RFC 3289 (DiffServ-MIB) IS NOT SUPPORTED. Snooping for layer-2 multicast switching BGPv4 Dynamic Host Configuration Protocol (DHCP) SNMPv3 SNMPv3 SNMPv3 SNMPv3 SNMPv3 SNMPv2c Dynamic Host Configuration Protocol (DHCP) IPv6 An Overview of Source-Specific Multicast (SSM) RADIUS Authentication & Client MIB Graceful OSPF Restart Pause Control IEEE 802.3 MAU MIB Virtual Router Redundancy Protocol (VRRP) & MIB
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 319 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Link Aggregation (IEEE 802.3ad) support and across switches? VLAN (IEEE 802.1Q) Software-Update without shutdown? Reboot necessary after update? Reboot necessary after changing the configuration? Port Mirroring support?
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 320 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Ability to deactivate a port based on a configurable number of error packets over time (as in, errors per minute)? Ability to deactivate a port based on a configurable number of broadcast packets over time (as in, broadcasts per second)? Link Aggregation? Is Link aggregation supported across stack? Does the switch support the ability to turn off SNMPTraps per port?
YES. The switch can be configured to limit broadcast on a per port basis and it is capable of automatically shutting down the port, if the limit is exceeded. The switch supports up to 32 link aggregation groups and up to 8 physical ports per link aggregation group. The Link aggregation is supported across stack. NO. The switch has the ability though to optionally enable and/or disable SNMP trap(s) and optionally sending them to designated destinations. But, there is no ability to control them at the switch and/or port level. Note: the port(s) optionally, but manually can be configured to be administratively "down" or "up" as required. Comply. NO. RMON-I RFC 2819 (with 4-groups) is supported only. NO. SNMPv1, SNMPv2, and SNMPv3 are supported. SNMPv3 RFCs 2570-2576 is supported only. The switch will support a maximum of 256 IP addresses for each Relay Service. Initially, the switch will support a maximum of 8 IP addresses for each VLAN Relay Service and a maximum of 256 VLAN Relay Services. YES. NO. SNMP can be used to restrict access and/or cut-off access to the switch, but it cannot be used to power-down the switch. NO. SNMP can be used to restrict access and/or cut-off access to the switch with time-delay, but it cannot be used to power-down the switch. Comply. Comply. Comply.
SNMP-authentication over RADIUS-Server? RMON (RFC 2021)? SNMPv3 (RFC 3411 to RFC 3418 (STD 0062)? DHCP-Forwarded/Relay Service capabilities? VLAN & DHCP-Forwarded/Relay Service capabilities? Is the data traffic on the backplane measurable? Could the switch be turned-off via SNMP? Could the switch be turned-off via SNMP with time-delay? Does the switch support the capability to turn-off all protocols except IP? IPv6? IGMPv1 (RFC 1112)? IGMPv2 (RFC 2236)? IGMPv3 (RFC 3376)? 802.1AB MAC address duplication what is the behavior of the network if duplicate MACs are discovered?
RADIUS interaction At what point is a RADIUS stop message sent to the RADIUS server? How does switch behave / handle a user's PC shutting down/unplugged from the port?
Comply. In a bridged environment? In a bridged environment (same VLAN), when an Alcatel-Lucent switch sees a local MAC address advertised via any port other than the port it was originally learned, the switch will flush that MAC from its table and begin forwarding traffic to that MAC via the port it was just advertised on. If the original MAC begins transmitting again, the switch will advertise that it now owns the MAC and the other switch will flush the MAC from its table. This will cause flapping for the traffic destined for the legitimate MAC address. One solution to this problem is to utilize IEEE 802.1x authentication for IEEE 802.1x devices, and MAC address port binding for network devices that dont support IEEE 802.1x. In a RADIUS environment - with MAC authentication and IEEE 802.1x: If a MAC address is found on another port, the initial MAC is logged off. If both devices continue to send, both will be disconnected from the network and the RADIUS server will see repeated logon attempts, which can be disabled (multiple logon restrictions). NOTE: In the event that a duplicate MAC is discovered on the network in the same VLAN, the switch CPU is not in danger of being subject to what would be a denial of service attack. Alcatel-Lucent would welcome a product enhancement request (PER) for the Alcatel-Lucent Operating System to handle this scenario without a RADIUS server. Possible solutions could include: shutdown the MACs after x flaps, hold the initial MAC address after a move, or send notifications to the network management software. In a routed environment? In a routed environment (separate VLAN), there will be no action taken by the Alcatel-Lucent switch since the MAC address is not appearing in the same broadcast domain. RADIUS stop/start - for both 802.1x and MAC Authentication a RADIUS start message is sent after authentication is completed. A RADIUS stop message is sent on a "logoff action", which include: Logoff of the client Port down (loss of link, unplugging of device) When the switch receives a stop message all traffic from that MAC will be disassociated from its authenticated VLAN. If the MAC begins transmitting again, the Alcatel-Lucent switch will begin the authentication / authorization process anew.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 321 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
How long after reboot before the switch can join the network and pass traffic?
Configuration via Web browser? DHCP auto-configuration of multiple switches via boot server? Auto-sensing on each 10/100 port Auto-negotiating on all ports- half- or full-duplex transmission mode Dynamic Trunking Protocol (DTP) across all switch ports Port Aggregation Protocol (PAgP) or like technology Link Aggregation Control Protocol (LACP) that conforms to IEEE 802.3ad DHCP Server DHCP Relay 802.3ab-1000BASE-SX, 1000BASE-LX, 1000BASE- BX10, SFP/GBIC 802.3u- 100BASE-FX, 100BASE-BX, and 100BASE-SX Default configuration stored in flash memory Automatic interface crossover (Auto-MDIX) Time-domain Reflectometry (TDR) to diagnose and resolve cabling problems on copper ports IEEE 802.1w Rapid Spanning Tree Protocol Per-VLAN Rapid Spanning Tree allows rapid spanning-tree re-convergence on a per-VLAN spanning-tree basis Command-switch redundancy Unidirectional Link Detection Protocol (UDLD) or like technology Switch port auto-recovery Redundant Power System Per-port broadcast, multicast, and uni-cast storm control IEEE 802.1 d Spanning Tree Protocol
Alcatel-Lucent switches will reboot for catastrophic Hardware & Software failures, which we call "Exceptions". Examples of Exceptions include: Unexpected Hardware failure such as: o Unexpected Memory failure o Unexpected Flash failure Unexpected Software corruption Generally speaking any "unexpected" catastrophic event will cause both chassis-based Models and/or stackable switch Models to reboot. Note: that in a stackable switch Model configuration, only the "failed" switch unit will reboot, while the traffic through the other switch units will be uninterrupted. Alcatel-Lucent switches do not need to reboot after software upgrades or configuration changes, including 802.1D, 802.1s, or 802.1w (Spanning Tree protocol standard, rapid, and per VLAN, respectively). OmniSwitch 9000 Series: OmniSwitch 9700 / 9600 30 to 45 seconds, depending on Network Interface modules and configuration. OmniSwitch 6850 Series: Stand-alone: Depending on the configuration, a switch can reload and begin passing traffic in as little as 30 seconds, to as long as 115 seconds. OmniSwitch 6850 stack of two to eight: 90 to 115 seconds Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant through Bootp/DHCP Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant through the implementation of GVRP which is a standards-based Protocol. Alcatel-Lucent Response: Compliant through the implementation of Static and Dynamic (IEEE 802.3ad) Link Aggregation Protocols. Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Non-Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Future Compliant (TDR will be supported in a Future Release) Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant
Alcatel-Lucent Response: Compliant through the implementation of VRRP which is a standards-based Protocol. Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Partial-Compliant Switch Port recovery from a disabled condition will require Manual Admin. Intervention. Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 322 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IEEE 802.1s Multiple Spanning Tree Protocol allows a spanning-tree instance per VLAN, enabling Layer 2 load sharing on redundant links IEEE 802.1Q VLAN Trunking Egress committed rate (ECR) Local Proxy Address Resolution Protocol (ARP) Internet Group Management Protocol (IGMP) version 3 snooping IGMP filtering Multicast VLAN registration (MVR) Standard 802.1 p CoS and DSCP field classification QoS ACLs on all ports Four egress queues per port Smoothed Round Robin (SRR) scheduling
Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant through the implementation of Egress Rate Shaping. Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Partial-Compliant through the implementation of: There are three queuing schemes available for each switch port: one strict priority scheme and two weighted fair queuing (WFQ) schemes. By default the strict priority scheme is used and consists of eight priority queues (SPQ). All eight queues on the port are serviced strictly by priority. Lower priority traffic is dropped in the presence of higher priority traffic. The following WFQ schemes are available: WRRAll queues participate in a weighted round robin scheme. Traffic is serviced from each queue based on the weight of the queue. DRRAll queues participate in a dynamic round robin scheme. Traffic is serviced from each queue based on the weight of the queue. Alcatel-Lucent Response: Compliant through the implementation of a threshold-based mechanism per queue. Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant
Weighted tail drop (WTD) for congestion avoidance Strict priority queuing guarantees Rate limiting based on source and destination IP address, source and destination MAC address, Layer 4 TCP and UDP information, or any combination of these fields, using QoS ACLs (IP ACLs or MAC ACLs), class maps, and policy maps Asynchronous data flow shaping Up to 64 aggregate or individual polices per port IEEE 802.1x port-based security and user authentication IEEE 802.1x with dynamic VLAN assignment IEEE 802.1x port IEEE 802.1x for Guest VLAN Port-based ACLs Uni-cast MAC filtering Unknown uni-cast and multicast port blocking SNMPv3 RADIUS and or TACACs authentication MAC address notification DHCP snooping DHCP Interface tracker MAC address aging Multilevel security on console access User-selectable address learning BPDU support Spanning-Tree Root Guard (STRG) support IGMP filtering
Alcatel-Lucent Response: If this is referring to ATM, then the answer is NO (Non-Compliant). Otherwise, single and/or multiple data-flow based shaping are supported (Compliant). Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant
Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response:
Compliant Compliant Compliant Compliant Compliant Compliant Compliant Compliant through the implementation of DHCP Option-82. Compliant
Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 323 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
VLAN trunks on any port (802.1 Q tagging) Up to 255 VLANs per switch Up to Four thousand VLAN IDs supported Remote SPAN (RSPAN) monitoring Embedded Remote Monitoring (RMON) software agent Layer-2 trace route Domain Name System (DNS)
Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Partial-Compliant. L1-L4 ACLs is supported. L1-L4 Access Control Lists (ACLs) to filter out unwanted traffic including denial of service attacks are supported; Access control lists (ACLs) are per port, MAC SA/DA, IP SA/DA, TCP/ UDP port; Flow based filtering in hardware (L1-L4). Support for Access Control List Manager (ACLMAN): ACLMAN is a function of the QoS subsystem in AOS. ACLMAN allows a network administrator to manage ACLs using default industry standard syntax on Alcatel-Lucent switches. To enforce the ACLs, ACLMAN translates default industry standard syntax into Alcatel-Lucent QoS filtering policies in a manner transparent to the ACLMAN user. Alcatel-Lucent Response: Compliant
Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant through the implementation of a layer-2 link trace capability as provided by the IEEE 802.1ag support. Alcatel-Lucent Response: Compliant through the implementation of a DNS Resolver feature: A Domain Name System (DNS) resolver is an optional Internet service that translates host names into IP addresses. Every time you enter a host name when logging into the switch, a DNS service must look up the name on a server and resolve the name to an IP address. You can configure up to three domain name servers that will be queried in turn to resolve the host name. If all servers are queried and none can resolve the host name to an IP address, the DNS fails. If the DNS fails, you must either enter an IP address in place of the host name or specify the necessary lookup tables on one of the specified servers. Note. You do not need to enable the DNS resolver service unless you want to communicate with the switch by using a host name. If you use an IP address rather than a host name, the DNS resolver service is not needed. Alcatel-Lucent Response: Partial-Compliant through the implementation of FTP which is supported. Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Non-Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant
Trivial File Transfer Protocol (TFTP) Network Timing Protocol (NTP) Multifunction LEDs per port for port status SNMPv1, v2c, and v3 and Telnet interface Power over Ethernet 802.3af, with port selectable capability Internal-Power-Supply Connector Internal auto-ranging power supply Support for input voltages between 100 and 240VAC Supplied AC power cord to connect the AC power connector to an AC power outlet Options for redundant power support Power over Ethernet support IEEE 802.3af (port switch selectable) 100BASE-TX ports: RJ-45 connectors, 2-pair Category 5,5e UTP cabling 1000BASE-T ports: RJ-45 connectors, 4-pair Category 5,5e,6 UTP cabling 1000BASE-T SFP-based ports: RJ-45 connectors, 4-pair Category 5, 5e, 6 UTP cabling 10GBASE-T ports: RJ-45 connectors, 4-pair Category 5, 5e, 6 UTP cabling 100BASE-SX, -BX, -FX: (single/multimode fiber) 1000BASE-SX, -LX,-BX (single/multimode fiber) 10GBASE-LR Dark fiber SMF/1310 nm 10 km 10GBASE-ER Dark fiber SMF/1550 nm 40 km 10GBASE-SR Dark fiber MMF/850 nm 65 meters 10/100/1000BASE-T copper SFP 10GBASE-R (64B/66B encoding) The device must switch and apply ACLs to IPv4 and IPv6 packets in hardware. IPv6 ACLs IPv4/IPv6 dual mode IP stack
Alcatel-Lucent Response: Partial-Compliant through the implementation of 10GBASE-CX4 Alcatel-Lucent Response: Compliant
Alcatel-Lucent Response: Non-Compliant (we currently comply with the 1000BASE-T copper SFP. To comply with the 10/100/1000BASE-T copper SFP will require further evaluation and testing. Alcatel-Lucent Response: Non-Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 324 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
RIPng RIP Next Generation, IPv6 enabled Multicast Listener Discovery (MLD) for IPv6 Path MTU Discovery for IPv6 IPv6 to IPv4 Translation IPv6 Tunnels ICMPv6 messaging, trace route, ping and SSHv2 Must support a minimum of 1000 centralized ACLs Dot1p IP Redundant Ring Capability using RFC 3619 Ethernet Automation Protection Switching (EAPS) and EAPSv2. IEEE 802.1ad Virtual MANs (vMANs) RFC 2474 DiffServ Precedence, including 8 queues/port RFC 2598 DiffServ Expedited Forwarding (EF) RFC 2597 DiffServ Assured Forwarding (AF) RFC 2475 DiffServ Core and Edge Router Functions PVST+, Per VLAN STP (802.1Q interoperable) 2K centralized ACL rules per switch and 4K VLANs (Port, Protocol, IEEE 802.1Q) Trivial File Transfer Protocol (TFTP) remote firmware upgrades Recovery Configurations Hot Lock ACLs L2 & L3 ACL on the same interface ACLs
Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Non-Compliant Alternative solution: Our own version of RRSTP with less than 50msec re-convergnece time. Alcatel-Lucent Response: Compliant (this is Q-in-Q or VLAN Stacking) Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Compliant Compliant Compliant Compliant Compliant
Alcatel-Lucent Response: Compliant with FTP and Secure FTP only. Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Non-Compliant Note: L2-L4 ACLs are supported. Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Note: L2-L4 ACLs are supported. Per switch: 2000 Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Non-Compliant Alcatel-Lucent Response: Partial-Compliant (software upgrades will require a brief re-boot) Alcatel-Lucent Response: Compliant: Non-stop, carrier class availability Alcatel-Lucent Response: Compliant: As required to support data links with different Maximum Transmission Unit (MTU) sizes. Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: N/A Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant with wire-rate. There are no oversubscriptions. Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Compliant Alcatel-Lucent Response: Non-Compliant Alcatel-Lucent Response: Non-Compliant Alcatel-Lucent Response: Compliant. Raw Fabric Capacity: Depending on the Model up to 224Gbps aggregate Throughput with 64Byte packets: Depending on the Model up to 101.2Mpps in a stand-alone config. Alcatel-Lucent Response: Compliant. Raw Fabric Capacity: Depending on the Model up to 224Gbps aggregate Throughput with 64Byte packets: Depending on the Model up to 101.2Mpps in a stand-alone config. Alcatel-Lucent Response: Compliant. Raw Fabric Capacity: Depending on the Model up to 224Gbps aggregate Throughput with 64Byte packets: Depending on the Model up to 101.2Mpps in a stand-alone config.
L2 Hitless Forwarding L3 Hitless Forwarding Integrated Cable Management Hitless Software Upgrades Track Record SAR OSPF/BGP Graceful Restart Hardware 19" mountable 240 V AC power input Modular switch type Stackable switch type Redundant power supply possible Redundant CPU Redundant Switching Engine 10 Gbps uplinks possible Upgradable to 4 x 1 Gbps uplink Oversubscritpion max. 4:1 Non-blocking PoE (802.3af) ports >= 500 Gbps L2 switching capacity >= 350 Mpps L3 switching capacity >= 90 Gbps L2 switching capacity
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 325 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Weight (kg)
Thermal rating (BTU/h) Bridging/Switching Ethernet 802.3 802.3ab (1000 Base-T) 802.3ae (10 Gbps) 802.3u (100Mbps) 802.3x (full duplex)
Alcatel-Lucent Response: Compliant. Raw Fabric Capacity: Depending on the Model up to 224Gbps aggregate Throughput with 64Byte packets: Depending on the Model up to 101.2Mpps in a stand-alone config. Alcatel-Lucent Response: Compliant. Raw Fabric Capacity: Depending on the Model up to 224Gbps aggregate Throughput with 64Byte packets: Depending on the Model up to 101.2Mpps in a stand-alone config. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. 0 to 45C Chassis size without P/S or P/S shelf 17.32 x 10.63 x 1.73 in (44.0 x 27.0 x 4.4 cm) Total size including P/S shelf and mounting ears 19.00 x 17.56 x 1.73 in (48.2 x 44.6 x 4.4 cm) Chassis size with mounting ears, without P/S or P/S shelf 19.00 x 10.63 x 1.73 in (48.2 x 27 x 4.4 cm) "PoE Models without the P/S: OS6850-P24/-P24H/-P24L/-P24LH: 3.91kg OS6850-P24X/-P24XH: 4.02 kg OS6850-P48/-P48H/-P48L/-P48LH: 4.26 kg OS6850-P48X/-P48XH: 4.35 kg Non-PoE Models without the P/S: OS6850-24/-24D/-24L/-24LD: 3.79 kg OS6850-24X/-24XD: 3.91kg OS6850-48/-48D/-48L/-48LD: 4.06 kg OS6850-48X/-48XD: 4.14 kg OS6850-U24X/-U24XD: 3.91kg Depending on the Model: From 198 to 584 BTU/hr. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant with eception: Note: the switch does not support honoring the incoming (RX) IEEE 802.3x pause frames, but it does support generating outgoing (TX) IEEE 802.3x pause frames Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Non-Compliant. Alcatel-Lucent Response: Compliant.
802.3z (1000Base-X) jumbo frames up to 9000 bytes VLANs more than 250 VLANs per switch and network at least 4000 VLAN ID's statically (manual) assigned VLAN on a port Dynamic VLANs based on - MAC address - Authentication (802.1x) - Private VLAN More than one Default Gateway per VLAN (Secondary addresses) Voice VLAN
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 326 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Automatically detect IP-phone 802.1q 802.1q, 250 VLANs on trunk 802.1q, Q-in-Q Trunking auto negotiation GVRP Spanning tree MISTP, 802.1s RSTP, 802.1w STP, 802.1d STP parameters configurable Link Aggregation Control Protocol LACP, 802.3ad possible for 10 Mb/s, 100Mb/s, 1Gb/s, 10 Gb/s Bundled links on different modules possible Max. number of bundled links per switch balancing based source and/or destination MAC-, IPaddress and port numbers possible Power over Ethernet 802.3af 50% of the ports can be fully powered automatically monitors power budget configurable per port Auto negotiation Speed Duplex Auto-MDXI automatic crossover on all Ethernet interfaces Layer 1 failure detection auto detect miswired links Traffic storm multicast/broadcast storm control configurable broadcast level Link Layer Discovery Protocol LLDP, 802.1ab can be enabled and disabled per interface System time can be set manually can be set automatically via NTP Bridging between VLANs Fail safe stacking Automatic configuration Automatic new unit configuration Support of Microsoft Load Balancing Protocol
Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. 32 aggregates of up to 8 ports each, per stand-alone switch and/or across units Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucents Server Load Balancing (SLB) is supported instead.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 327 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Security Authentication Login to device via password when logging in via - console port - telnet - SSH User group support one time authentication Security server. Which one? (Radius, Kerberos,..) - Accounting - Possible to record executed commands on the remote server - Redundancy possible TCP SYN flooding prevention Access Control Lists (ACL) Layer 3 Filter based on - Source address/network and/or - Destination address/network - Type of packet - TOS value - Upper layer protocol (at least Layer 4) - Any combination of these items ACL per interface possible inbound/outbound time range for access lists possible on any interface (physical and virtual) Logging possible Dynamic access lists Reflexive ACLs (automatically allow return traffic) ACLs have no impact on switching performance Layer 2 filter possible - Source MAC-address - Destination MAC-address - EtherType ACLs are possible for bridged traffic also Stateful packet inspection Intrusion detection Endpoint port security (Network access control) Devices fulfil all requirements for implementing Endpoint port security Denial of service (DoS) Rate limit traffic to processor in hardware 802.1x Redundant RADIUS servers possible Connection to Active Directory possible EAP authentication mechanisms - EAP-Message Digest 5 (MD5) - EAP-Transport Layer Security (TLS) - EAP-Tunnelled TLS (TTLS) - Protected Extensible Authentication Protocol (PEAPv0/EAP-MSCHAPv2) Static and dynamic VLAN assignment based on 802.1x authentication If authentication fails, there are the following configurable possibilities - port stays closed - port is assigned to a VLAN which can be configured on per port basis. - If authentication fails because backend server (RADIUS) is not available there should be the option to open the port anyway.
Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response:
Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Non-Compliant. Compliant. Compliant. Compliant. Non-Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Non-Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant.
Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 328 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Guest VLAN possible 802.1x behind telephone Multi Host Single Authentication Port security Limit port to definable MAC addresses Send notification when there is a violation Automatically convert MAC addresses into secure addresses DHCP snooping DHCP snooping configurable per port Routing and IP (L3 devices only) Loopback interface Loopback or virtual management interface configurable Classless routing CIDR supported ARP Proxy ARP Possible to turn proxy ARP on and off Configure ARP entries manually ARP inspection IP services ICMP Protocol Unreachable Messages (RFC792, RFC1122) ICMP Mask Reply Messages (RFC792, RFC1122) Set maximum MTU Packet Size per IP interface ICMP Redirect Messages (RFC792, RFC1122) Path MTU Discovery (RFC1191) IP Source Routing (RFC 791) ICMP Internet Router Discovery Protocol (IRDP) IRDP (RFC 1256) must be supported TCP parameter Setting the TCP Connection Attempt Time Enabling TCP Time Stamp (RFC 1323) Setting the TCP Outgoing Queue Size Enabling TCP Selective Acknowledgment (RFC2018) Setting the TCP Window Size Broadcast handling Forward broadcast via Layer 3 borders Routing redistribution Redistribution of routes between routing protocols possible Configurable metric/cost Filtering routes possible Configure sequence of routing protocols as routing information source Routing Information Protocol (RIP, RFC 1058) RIP v1 and RIP v2 supported Configurable metric/cost per route Possible to adjust RIP timers Summarization possible RIP v2 authentication Split horizon Open Shortest Path First (OSPF). OSPF supported Definition of areas Definition of stub areas Configurable routing interface parameters Not-so-stubby-areas (NSSAs) per RFC 1587 Plain text and MD5 authentication Virtual links ABR, ABSR possible More than one OSPF process Associate networks with OSPF process
Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response:
Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Non-Compliant. Non-Compliant. Non-Compliant. Non-Compliant. Non-Compliant. Compliant. Compliant. Compliant. Compliant.
Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 329 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Summarization possible Generate Default Route Prevent routing information and hello per interface Configurable OSPF timers Network address translation (NAT) NAT (RFC1631) supported Bidirectional translation Statical address mapping Dynamic address translation Port Address Translation (PAT) Address translation in application layer DHCP Server DHCP server functionality supported DHCP Relay Agent DHCP relay supported DNS Name resolution supported Mobile IP RFC 2002, IP Mobility Support RFC 2005, Applicability Statement for Mobile IP RFC 2003, IP Encapsulation within IP RFC 2006, The Definitions of Managed Objects for IP Mobility Support IP multicast PIM dense and sparse mode or DVMRP IGMP v1 (RFC 1112) IGMP v2 (RFC 2236) IGMP snooping (layer 2 devices) Multicast Source Discovery Protocol (MSDP, RFC 3618) Virtual Router Redundancy Protocol (VRRP, RFC 3768) VRRP is supported VRRP groups per VLAN VRRP priority configurable VRRP MD5 authentication IPv6 IPv6 in hardware Multiprotocol BGP for IPv6 VRRP in IPv6 Mobile IPv6 IPv6 Multicast IP Flow monitoring for IPv6 Policy-Based Routing for IPv6 RIP for IPv6 Traffic Filters and Firewalls for IPv6 Security DHCP for IPv6 IPSec in IPv6 IPv6 over MPLS NAT for IPv6 OSPF for IPv6 QoS for IPv6 Static Routes for IPv6 Tunneling for IPv6 Policy based routing Policy based routing supported
Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response:
Compliant. Compliant. Compliant. Compliant. Non-Compliant. Non-Compliant. Non-Compliant. Non-Compliant. Non-Compliant. Non-Compliant. Non-Compliant. Non-Compliant. Non-Compliant. Compliant. Compliant. Non-Compliant. Compliant. DNS Resolver is supported. Non-Compliant. Non-Compliant. Non-Compliant. Compliant. Non-Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Non-Compliant.
Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Compliant. Compliant. 255 Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Non-Compliant. Compliant. Non-Compliant. Compliant. This feature will be supported in a Future Release. Compliant. Compliant. Non-Compliant. Compliant. This feature will be supported in a Future Release. Compliant. This feature will be supported in a Future Release. Non-Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 330 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Routing criteria based on ACLs Multiprotocol Label Switching (MPLS) MPLS LSR and LER supported Layer 3 VPNs Layer 2 VPNs Multiprotocol Label Switching Quality of Service Multiprotocol Label Switching Traffic Engineering Quality of Service QoS configuration on virtual and physical interfaces Classification Classification of traffic based on: - IP ToS/DSCP and IEEE 802.1p CoS values - IP ACLs - MAC ACLs ToS to CoS rewrite possible QoS marking based on classification Policing and shaping Configurable ingress and egress queues Configurable queuing mechanism (please indicate which one) Priorization mechanism for real time traffic (e.g. voice) Mechanisms for congestion avoidance. (please indicate which one) Management Address assignment Address assignment statically Address assignment dynamically via DHCP Switch Cluster Up to 8 devices with one management address Backup possible Command Line Interface (CLI) CLI via console port CLI remotely via telnet and SSH up to 4 simultanous sessions Command history Help system Command logging Identical CLI as all other device types Graphical User Interface (GUI) GUI via http GUI via https (SSL) up to 4 simultaneous sessions Password protected access Restricted access via filter SNMP SNMPv1 (RFC 1157) SNMPv2C (RFCs 1901 to 1907) SNMPv3 (RFCs 2273 to 2275) SNMP traps configurable More than one trap receiver configurable Macros Macros (set of CLI commands) supported Port mirroring Port mirroring possible Multiple source ports to one destination port possible Multiple mirroring sessions at the same time Configuration via CLI and SNMP Remote Mirroring (Source and Destination ports are on different switches) possible
Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response:
Compliant. This feature will be supported in a Future Release. Compliant. This feature will be supported in a Future Release. Compliant. This feature will be supported in a Future Release. Compliant. This feature will be supported in a Future Release. Compliant. This feature will be supported in a Future Release. Compliant. This feature will be supported in a Future Release. Compliant. This feature will be supported in a Future Release.
Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Strict Priority, WRR, and DRR Alcatel-Lucent Response: Compliant. Alcatel-Lucent Response: Compliant. Congestion avoidance strategies and technologies are supported through the implementation of a threshold-based mechanism per queue. Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 331 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Remote Monitoring (RMON) RMON (RFC 1757) supported Statistics, History, Alarms and Events supported Syslog System messages can be logged locally (CLI) System messages can be logged on a syslog server (RFC 3164) Severity level of messages configurable More than one syslog servers configurable Messages can be time stamped Integrated Service Level Monitoring Integrated Service Level Monitoring supported It is possible to measure: - Delay (both round-trip and one-way) - Jitter (directional) - Packet loss (directional) - Packet sequencing (packet ordering) - Path (per hop) - Connectivity (directional) - Server or website download time - Voice quality scores Data accessible via SNMP Send notifications based on configurable thresholds Diagnostics Online diagnostics Diagnostics on demand via CLI Health monitoring Configurable health threshold with notification Troubleshooting Ping Traceroute Image and Configuration file Image and Configuration file are up- and downloadable via TFTP or FTP Configuration file is in text format Debugging Debugging for all features possible Debugging can be turned on and off per feature Debugging output via console or remote terminal
Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: FTP only. Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response: Alcatel-Lucent Response:
Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Non-Compliant. Non-Compliant. Non-Compliant. Non-Compliant. Non-Compliant. Non-Compliant. Non-Compliant. Non-Compliant. Non-Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant. Compliant.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 332 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Value
Alcatel-Lucents enterprise networking mission is to provide its customers with the industry's best value in highly available, secure and easy-to-manage network solutions. The industrys best value means having leading features for availability, security and manageability and simultaneously reducing the total cost of network ownership. In short, the best network at the best total cost. Alcatel-Lucent provides high availability solutions from the edge to the core of the IP network. Availability requires resiliency and smart use of redundancy. Alcatel-Lucent wired and wireless LAN products lead the industry in features that deliver high availability and have a price advantage in redundant configurations. Alcatel-Lucents CrystalSec security strategy provides in-depth defense. For the OmniSwitch, for example, this translates to embedded security capabilities on every port in the LAN network, which harden the switch, control user access, control network traffic, and monitor and automate the network response to anomalies. Alcatel-Lucents approach allows enterprise to deploy new services at reduced cost by providing easyto-manage and operate solutions. OmniVista NMS policy-based management tools and automation save time and improve accuracy. Alcatel-Lucent leads the industry with OneTouch tools that provide network-wide, policy-based management for QoS, SecureAccess, and VLAN management. Alcatel-Lucent saves you time by automating operations for recurring tasks, including configuration backup, software image distribution, and scripting. And Alcatel-Lucent offers the industrys strongest web interface and a clean, simple CLI. Vendor Experience and Vision: Evaluation of the vendor's experience in building intelligent network infrastructures and implementing Internet technologies. Alcatel-Lucent has a rich history providing intelligent network infrastructures in higher education. This success is due in large measure for our ability to provide convergence ready networks without limitations. We accomplish this by creating a strong IP/Ethernet foundation, where high availability, edge to core QoS, and support for wire-speed multicast applications and virus attack quarantine create a secure infrastructure which allows the university to confidently reach their vision for education. Our list of higher education customers include those who are utilizing our network equipment to run Voice over IP, IP TV, Video on Demand and Internet 2. In addition, many of our customers have leveraged our standards based capabilities to integrate our switches with other vendors equipment - providing a smooth transition to the latest Alcatel-Lucent technology, while extending the useful life of the existing network. Alcatel-Lucent's technology leadership does not stop at the enterprise. We are the #2 market share provider of high-end Internet routing products for carriers and ISPs. We have held the top worldwide DSL market share position for the past 6 years, as well as provide over 80% of the intercontinental submarine fiber optic network, which connects the Internet to the world. We once claimed that we are the architects of the Internet, but I believe that we are the engineers of the future.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 333 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Leading Edge Technology: The ability to incorporate future requirements and technological advances. The ability to incorporate future requirements and technological advances will be driven by the specific need. For requirements or advances that encompass bandwidth, our core offering to you is based on a chassis design. The OmniSwitch 9700 product family has a 960 Gbps backplane capacity, so as new bandwidth needs arise, this platform will be more than able to handle it with the addition of network line cards. At the edge of the network, there are several options for your review. Each of them has strengths for a specific direction that the college intends to head. One platform has the ability to connect to a 10 Gbps backbone. Both platforms can connect multiple GE uplinks via 802.3ad to create a multiple Gigabit backbone. What is more important than bandwidth? Intelligent use of the bandwidth This is where Alcatel-Lucent has a decided advantage in the marketplace. Leveraging our network management software package, we can provision edge to core QoS with one mouse click. We can integrate with third party IDS/IDP devices and quarantine misbehaving computers based upon the IDS/IDP communications. We can provide server load balancing at no extra cost - allowing the university to expand server performance without spending extra. We accomplish this through our high-end OmniSwitch operating system, which is identical from the core to the edge. This consistency allows the network management team to increase their productivity - since both OS are the same; there is no need to learn how to manage the core versus the edge. As previously mentioned, Alcatel-Lucent doggedly adheres to standards therefore, with this common code base, whenever there is a new IEEE specification, we support it in the code. When you update the OS you gain the new feature. This is how 802.1S, sFlow and multiple MAC 802.1x authentications became available to our customers. Performance and features help us deliver to our customers the best value in the industry.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 334 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
High Availability
There are many aspects to high availability and ways to define what it means in data networking environments. While most implementations focus on the device hardware only, Alcatel-Lucent has designed the AOS OmniSwitch products on the basis that availability also needs to be extended throughout the enterprise at both the device and network levels. This means that the traditional components of reliability, resiliency, and redundancy need to be designed into the network as well as the devices to ensure the continuous flow of information to users and resources. The Alcatel-Lucent AOS OmniSwitch product family has been designed from its inception to provide carrier-class availability to meet the needs of mission-critical, IP Communications, and converged network environments. With the increasing importance of networks carrying voice and real-time applications, there is an increased need for availability that reaches across the network links and end user devices. Additionally, there is also the need for high availability in the areas of security and manageability, with intelligence and performance as integral parts of the network infrastructure to enable enterprises to achieve their availability goals. An Overview of the Alcatel-Lucent AOS OmniSwitch 6850 Series High Availability feature: Redundant Management & Switch Fabric (stacking configuration) Redundant Stacking link Hot swappable components Redundant Power Supplies (Redundant 1:1 power provided by the OS6850-BPS) Spanning Tree robustness (Single or Multiple STP options): IEEE 802.1D (STP) (802.1D spanning tree for loop free topology and link redundancy) and IEEE 802.1w-Rapid Reconfiguration of Spanning Tree (allows subsecond failover to redundant link) o Ring Rapid Spanning Tree optimized for ring topology to provide less than 50ms convergence time o Alcatel.Lucent per-VLAN spanning tree (1x1) Fast forwarding mode on user ports to bypass 30-second delay for spanning tree BPDU blocking automatically shuts down switch ports being used as user ports if a spanning tree BPDU packet is seen. Prevents unauthorized spanning-tree enabled attached bridges from operating. Priority queues: eight hardware-based queues per port VRRP (Virtual Router Redundancy Protocol), and OSPF ECMP (Equal Cost Multipath Protocol) Dynamic link aggregation IEEE 802.3ad (that supports automatic configuration of link aggregates with other switches) with resilient uplink capabilities Static link aggregation with OmniChannel (that supports automatic configuration of link aggregates with other switches) IEEE 802.1s: MISTP (802.1s) is an IEEE standard which allows several VLANs to be mapped to a reduced number of spanning-tree instances. This is possible since most networks do not need more than a few logical topologies. Each instance handles multiple VLANs that have the same Layer 2 topology. Software Resiliency: The AOS OmniSwitch product family provides fully redundant and resilient system components to insure continuous, non-stop operation. This includes redundant subsystems, hot swappable modules, load-sharing components, hitless software loading, downloadable bootstrap, and image rollback which allows the system to automatically re-load previous configurations and software versions. o Software image and configuration recovery o Image and configuration synchronization for Management Modules Broadcast storm control Downloadable bootstrap Chassis thermal protection/shutdown Hardware monitoring, temperature monitoring, and power monitoring & management Short cold and warm boot times Built-in security and device hardening Network and Link Resiliency: Network and link resiliency are important parts of network availability, and the AOS OmniSwitch product family supports advanced routing, load sharing, and mechanisms for fast reconfiguration of links between switches, servers, and other network devices. These include: o VRRP (Virtual Router Redundancy Protocol), and OSPF Equal Cost Multipath Protocol Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 335 Software & Hardware Release: AOSv6.3.1r01
Topological Network Redundancy: In order to provide the highest levels of availability throughout an enterprise, it is important to build redundancy and resiliency into the topology at the network level to insure that links have backups and traffic is always flowing. This includes: o Physical redundancy o Layer 2 and layer 3 redundancies A host of other advanced featuresetc.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 336 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Number of 1x1 Spanning Tree instances Number of Multiple Spanning Tree Instances (MSTI) supported Number of Ring Rapid Spanning Tree rings (RRSTP) supported CLI Command Prefix Recognition
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 337 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 338 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
In addition, a root path cost value is associated with every bridge. This value is the sum of the path costs for the port that receives frames on the best path to the root (this value is zero for the root bridge). The bridge with the lowest root path cost becomes the designated bridge for the LAN, as it provides the shortest path to the root for all bridges connected to the LAN.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 339 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
During the process of calculating the Spanning Tree topology, each port on every bridge is assigned a port role based on how the port and/or its bridge will participate in the active Spanning Tree topology. The following table provides a list of port role types and the port and/or bridge properties that the Spanning Tree Algorithm examines to determine which role to assign to the port. Role Root Port Designated Port Backup Port Port/Bridge Properties Port connection that provides the shortest path (lowest path cost value) to the root. The root bridge does not have a root port. The designated bridge provides the LAN with the shortest path to the root. The designated port connects the LAN to this bridge. Any operational port on the designated bridges that is not a root or designated port. Provides a backup connection for the designated port. A backup port can only exist when there are redundant designated port connections to the LAN. Any operational port that is not the root port for its bridge and its bridge is not the designated bridge for the LAN. An alternate port offers an alternate path to the root bridge if the root port on its own bridge goes down. Port is not operational. If an active connection does come up on the port, it is assigned an appropriate role.
Alternate Port Disabled Port Note. The distinction between a backup port and an alternate port was introduced with the IEEE 802.1w standard to help define rapid transition of an alternate port to a root port. The role a port plays or may potentially play in the active Spanning Tree topology determines the ports operating state; discarding, learning or forwarding. The port state is also configurable in that it is possible to enable or disable a ports administrative status and/or specify forwarding or blocking state that is only changed through user intervention.
The Spanning Tree Algorithm only includes ports in its calculations that are operational (link is up) and have an enabled administrative status. The following table compares and defines 802.1D and 802.1w port states and their associated port roles: STP Port State Disabled Blocking RSTP Port State Discarding Discarding Port State Definition Port is down or administratively disabled and is not included in the topology. Frames are dropped; nothing is learned or forwarded on the port. Port is temporarily excluded from topology. Port is preparing to transmit data and is included in the active topology. Port is learning MAC addresses that are seen on the port and adding them to the bridge forwarding table, but not transmitting any data. Port is included in the active topology. Port is transmitting and receiving data and is included in the active topology. Port Role Disabled Alternate, Backup
Listening Learning
Discarding Learning
Forwarding
Forwarding
Root, Designated
Once the Spanning Tree is calculated, there is only one root bridge, one designated bridge for each LAN, and one root port on each bridge (except for the root bridge). Data travels back and forth between bridges over forwarding port connections that form the best, non-redundant path to the root. The active topology ensures that network loops do not exist.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 340 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Bridge ID
Port ID
The sending and receiving of Configuration BPDU between switches participating in the bridged network is how the root bridge is elected and the best path to the root is determined and then advertised to the rest of the network. BPDU provide enough information for the STP software running on each switch to deter-mine the following: Which bridge will serve as the root bridge The shortest path between each bridge and the root bridge Which bridge will serve as the designated bridge for the LAN Which port on each bridge will serve as the root port The port state (forwarding or discarding) for each bridge port based on the role the port will play in the active Spanning Tree topology The following events trigger the transmitting and/or processing of BPDU in order to discover and maintain the Spanning Tree topology. When a bridge first comes up, it assumes it is the root and starts transmitting Configuration BPDU on all its active ports advertising its own bridge ID as the root bridge ID. When a bridge receives BPDU on its root port that contains more attractive information (higher priority parameters and/or lower path costs), it forwards this information on to other LANs to which it is connected for consideration. When a bridge receives BPDU on its designated port that contains information that is less attractive (lower priority values and/or higher path costs), it forwards its own information to other LANs to which it is connected for consideration. STP evaluates BPDU parameter values to select the best BPDU based on the following order of precedence: 1. The lowest root bridge ID (lowest priority value, then lowest MAC address). 2. The best root path cost. 3. If root path costs are equal, the bridge ID of the bridge sending the BPDU. 4. If the previous three values tie, then the port ID (lowest priority value, then lowest port number) When a topology change occurs, such as when a link goes down or a switch is added to the network, the affected bridge sends Topology Change Notification (TCN) BPDU to the designated bridge for its LAN. The designated bridge will then forward the TCN to the root bridge. The root then sends out a Configuration BPDU and sets a Topology Change (TC) flag within the BPDU to notify other bridges that there is a change in the configuration information. Once this change is propagated throughout the Spanning Tree network, the root stops sending BPDU with the TC flag set and the Spanning Tree returns to an active, stable topology.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 341 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Topology Examples
The following diagram shows an example of a physical network topology that incorporates data path redundancy to ensure fault tolerance. These redundant paths, however, create loops in the network configuration. If a device connected to Switch A sends broadcast packets, Switch A will flood the packets out all of its active ports. The switches connected to Switch A will in turn flood the broadcast packets out their active ports, and Switch A will eventually receive the same packets back and the cycle will start over again. This causes severe congestion on the network, often referred to as a broadcast storm.
The Spanning Tree Algorithm prevents network loops by ensuring that there is always only one active link between any two switches. This is done by transitioning one of the redundant links into a blocking state, leaving only one link actively forwarding traffic. If the active link goes down, then Spanning Tree will transition one of the blocked links to the forwarding state to take over for the downed link. If a new switch is added to the network, the Spanning Tree topology is automatically recalculated to include the monitoring of links to the new switch.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 342 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
The following diagram shows the logical connectivity of the same physical topology as determined by the Spanning Tree Algorithm:
In the above active Spanning Tree topology example, the following configuration decisions were made as a result of calculations performed by the Spanning Tree Algorithm: Switch D is the root bridge because its bridge ID has a priority value of 10 (the lower the priority value, the higher the priority the bridge has in the Spanning Tree). If all four switches had the same priority, then the switch with the lowest MAC address in its bridge ID would become the root. Switch A is the designated bridge for Switch B, because it provides the best path for Switch B to the root bridge. Port 2/9 on Switch A is a designated port, because it connects the LAN from Switch B to Switch A. All ports on Switch D are designated ports, because Switch D is the root and each port connects to a LAN. Ports 2/10, 3/1, and 3/8 are the root ports for Switches A, B, and C, respectively, because they offer the shortest path towards the root bridge. The port 3/9 connection on Switch C to port 2/2 on Switch D is in a discarding (blocking) state, as the connection these ports provides is redundant (backup) and has a higher path cost value than the 2/3 to 3/8 connection between the same two switches. As a result, a network loop is avoided. The port 3/2 connection on Switch B to port 3/10 on Switch C is also in a discarding (blocking) state, as the connection these ports provides has a higher path cost to root Switch D than the path between Switch B and Switch A. As a result, a network loop is avoided.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 343 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
In the above example, if port 8/3 connects to another switch and port 10/5 connects to that same switch; the Spanning Tree Algorithm would detect a redundant path and transition one of the ports into a blocking state. The same holds true for the tagged ports.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 344 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
In the above example, STP2 is a single Spanning Tree instance since VLAN 5 contains only fixed ports. STP 3 and STP 4 are a combination of single and 802.1Q Spanning Tree instances because VLAN 2 contains both fixed and tagged ports. On ports where VLAN 2 is the default VLAN, BPDU are not tagged. On ports where VLAN 2 is a tagged VLAN, BPDU are also tagged.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 345 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Both Cisco and an OmniSwitch support two default path cost modes; long or short. It is recommended that the same default path cost mode be configured in the same way on all switches so that the path costs for similar interface types will be consistent when connecting ports between OmniSwitch and Cisco Switches. Dynamic aggregate link (LACP) functions properly between OmniSwitch and Cisco switches. The Cisco switches send the BPDUs only on one physical link of the aggregate, similar to the OmniSwitch Primary port functionality. The path cost assigned to the aggregate link is not the same between OmniSwitch and Cisco switches since vendor-specific formulas are used to derive the path cost. Manual configuration is recommended to match the Cisco path cost assignment for an aggregate link. The table below shows the default Spanning Tree values. Parameters OmniSwitch Cisco Disabled MAC Reduction Mode Enabled Bridge Priority 32768 32768 128 32 (cat OS)/128 (IOS) Port priority Port Path Cost IEEE port Speed Table IEEE port Speed Table Proprietary Table Avg. Path Cost/Num Ports Aggregate Path Cost Default Path Cost Short (16-bit) Short (16-bit) 20 20 Max Age Hello Time 2 2 15 15 Forward Delay Time Default Protocol RSTP (1w) Per VLAN PVST+ (1d) Per Switch
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 347 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Bridge Priority
A bridge is identified within the Spanning Tree by its bridge ID (an eight byte hex number). The first two bytes of the bridge ID contain a priority value and the remaining six bytes contain a bridge MAC address. The bridge priority is used to determine which bridge will serve as the root of the Spanning Tree. The lower the priority value, the higher the priority. If more than one bridge have the same priority, then the bridge with the lowest MAC address becomes the root. Note. Configuring a Spanning Tree bridge instance with a priority value that will cause the instance to become the root is recommended, instead of relying on the comparison of switch base MAC addresses to determine the root. If the switch is running in the 1x1 Spanning Tree mode, then a priority value is assigned to each VLAN instance. If the switch is running in the flat Spanning Tree mode, the priority is assigned to the flat mode instance or a 802.1s Multiple Spanning Tree Instance (MSTI). In both cases, the default priority value assigned is 32768. Note that priority values for an MSTI must be multiples of 4096.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 348 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 349 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
In the above diagram, port 4/2 is the Root port and port 5/1 is a designated port for MSTI 1. AVC is not enabled. If another link with the same speed and lower port numbers is added to default VLAN 1 on both switches, the new link becomes the root for MSTI 1 and the tagged link between VLAN 2 is blocked, as shown below:
If AVC was enabled in the above example, AVC would have assigned the new link an infinite path cost value that would make this link undesirable as the root for MSTI 1. Balancing VLANs across links according to their Multiple Spanning Tree Instance (MSTI) grouping is highly recommended to ensure that there is not a loss of connectivity during any possible topology changes. Enabling AVC on the switch is another way to prevent undesirable ports from becoming the root for an MSTI. By default AVC is disabled on the switch. Use the bridge auto-vlan-containment command to globally enable this feature for all MSTIs. Once AVC is globally enabled, then it is possible to disable AVC for individual MSTIs using the same command.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 350 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 351 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Is a 16-bit path cost value is in use and the path cost is set to zero, the following IEEE 802.1D recommended default path cost values based on link speed are used: Link Speed IEEE 802.1D Recommended Value 250 4Mbps 100 10Mbps 62 16Mbps 19 100Mbps 4 1Gbps 2 10Gbps By default, Spanning Tree is enabled on a port and the path cost is set to zero. If the switch is running in the 1x1 Spanning Tree mode, then the port path cost applies to the specified VLAN instance associated with the port. If the switch is running in the flat Spanning Tree mode, then the port path cost applies across all VLANs associated with the port. The flat mode instance is specified as the ports instance, even if the port is associated with other VLANs.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 352 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
100MB
1GB 10GB
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 353 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 354 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Using RRSTP
The Ring Rapid Spanning Tree Protocol (RRSTP) is complimentary to both the Spanning Tree Protocol (STP) as well as the Multiple Spanning Tree Protocol (MSTP). It is designed to provide faster convergence time when switches are connected point to point in a ring topology. RRSTP can only be configured on an OmniSwitch running in flat mode. RRSTP reduces convergence time by finding the bridge that hosts the alternate (ALT) port and immediately changing the ALT port state to forwarding without altering the MSTP port state. This process quickly enables the data path. The RRSTP frame travels from the point of failure to the ALT port in both directions. The MAC addresses corresponding to the ports in the ring are flushed to make the data path convergence time much faster than the normal MSTP. While RRSTP is already reacting to the loss of connectivity, the standard MSTP BPDU carrying the link down information is processed in normal fashion at each hop. When this MSTP BPDU reaches the bridge whose ALT port is now in the "ALT FWD" state, due to RRSTP frame processing, it updates the MSTP state of the two ports in the ring as per the MSTP standard. The following limitations should be noted when using RRSTP: A port on a bridge can only be part of one RRSTP ring at any given instance. All bridges, which need to be made part of a ring, can be configured only statically. Fast convergence will not occur if an RRSTP frame is lost. However, MSTP convergence will still take place at a later time because there is no way of knowing about the RRSTP frame loss. RRSTP convergence may not happen when changes in configuration result in an unstable topology. If either of the two ports of the RRSTP ring on a bridge goes down or if one of the bridges in the ring goes down, the RRSTP convergence may not happen. However, MSTP convergence will continue without interruption. Maximum of 128 rings can participate on a switch.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 355 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
In the above example topology: Each switch is operating in the 1x1 Spanning Tree mode by default. Each switch configuration has a VLAN 255 defined. The Spanning Tree administrative status for this VLAN was enabled by default when the VLAN was created. VLAN 255 on each switch is configured to use the 802.1w (rapid reconfiguration) Spanning Tree Algorithm and Protocol. Ports 2/1-3, 2/8-10, 3/1-3, and 3/8-10 provide connections to other switches and are all assigned to VLAN 255 on their respective switches. The Spanning Tree administrative status for each port is enabled by default. The path cost for each port connection defaults to a value based on the link speed. For example, the connection between Switch B and Switch C is a 100 Mbps link, which defaults to a path cost of 19. VLAN 255 on Switch D is configured with a Bridge ID priority value of 10, which is less than the same value for VLAN 255 configured on the other switches. As a result, VLAN 255 was elected the Spanning Tree root bridge for the VLAN 255 broadcast domain. A root port is identified for VLAN 255 on each switch, except the root VLAN 255 switch. The root port identifies the port that provides the best path to the root VLAN. VLAN 255 on Switch A was elected the designated bridge because it offers the best path cost for Switch B to the root VLAN 255 on Switch D. Port 2/9 on Switch A is the designated port for the Switch A to Switch B connection because Switch A is the designated bridge for Switch B. Redundant connections exist between Switch D and Switch C. Ports 2/2 and 3/9 are in a discarding (blocking) state because this connection has a higher path cost than the connection provided through ports 2/3 and 3/8. As a result, a network loop condition is avoided. Redundant connections also exist between Switch A and Switch B. Although the path cost value for both of these connections is the same, ports 2/8 and 3/3 are in a discarding state because their port priority values (not shown) are higher than the same values for ports 2/10 and 3/1. The ports that provide the connection between Switch B and Switch C are in a discarding (blocking) state, because this connection has a higher path cost than the other connections leading to the root VLAN 255 on Switch D. As a result, a network loop is avoided. OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 356 Software & Hardware Release: AOSv6.3.1r01 Alcatel-Lucent-ESD Calabasas/CA./USA
MST Specifications
IEEE Standards supported 802.1DMedia Access Control (MAC) Bridges 802.1wRapid Reconfiguration (802.1D Amendment 2) 802.1QVirtual Bridged Local Area Networks 802.1sMultiple Spanning Trees (802.1Q Amendment 3) Flat mode - one spanning tree instance per switch 1x1 mode - one spanning tree instance per VLAN 802.1D Standard Spanning Tree Algorithm and Protocol (STP) 802.1w Rapid Spanning Tree Algorithm and Protocol (RSTP) 802.1s Multiple Spanning Tree Algorithm and Protocol (MSTP) Fixed ports (non-mobile) 802.1Q tagged ports Link aggregate of ports 253 16 MSTI in addition to the Common and Internal Spanning Tree instance (also referred to as MSTI 0). All Spanning Tree commands support prefix recognition.
Number of 1x1 Spanning Tree instances Number of Multiple Spanning Tree Instances (MSTI) supported CLI Command Prefix Recognition
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 357 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 358 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
In the above 1x1 mode example: Both switches are running in the 1x1 mode (one Spanning Tree instance per VLAN). VLAN 100 and VLAN 200 are each associated with their own Spanning Tree instance. The connection between 3/1 and 2/1 is left in a forwarding state because it is part of the VLAN 100 Spanning Tree instance and is the only connection for that instance. Note that if additional switches containing a VLAN 100 were attached to the switches in this diagram, the 3/1 to 2/1 connection could also go into blocking if the VLAN 100 Spanning Tree instance determines it is necessary to avoid a network loop. The connections between 4/8 and 5/2 and 4/2 and 5/1 are seen as redundant because they are both controlled by the VLAN 200 Spanning Tree instance and connect to the same switches. The VLAN 200 Spanning Tree instance determines which connection provides the best data path and transitions the other connection to a blocking state.
In the above flat mode STP/RSTP example: Both switches are running in the flat mode. As a result, a single flat mode Spanning Tree instance applies to the entire switch and compares port connections across VLANs to determine which connection provides the best data path. The connection between 3/1 and 2/1 is left forwarding because the flat mode instance determined that this connection provides the best data path between the two switches. The 4/8 to 5/2 connection and the 4/2 to 5/1 connection are considered redundant connections so they are both blocked in favor of the 3/1 to 2/1 connection.
In the above flat mode MSTP example: Both switches are running in the flat mode and using MSTP. VLANs 100 and 150 are not associated with an MSTI. By default they are controlled by the CIST instance 0, which exists on every switch. OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 359 Software & Hardware Release: AOSv6.3.1r01 Alcatel-Lucent-ESD Calabasas/CA./USA
VLANs 200 and 250 are associated with MSTI 2 so their traffic can traverse a path different from that determined by the CIST. Ports are blocked the same way they were blocked in the flat mode STP/RSTP example; all port connections are compared to each other across VLANs to determine which connection provides the best path. However, because VLANs 200 and 250 are associated to MSTI 2, it is possible to change the port path cost for ports 2/12, 3/6, 4/8 and/or 5/2 so that they provide the best path for MSTI 2 VLANs, but do not carry CIST VLAN traffic or cause CIST ports to transition to a blocking state. Another alternative is to assign all VLANs to an MSTI, leaving no VLANs controlled by the CIST. As a result, the CIST BPDU will only contain MSTI information.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 360 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
In addition to the attributes described above, the MST maximum hops parameter defines the number of bridges authorized to propagate MST BPDU information. In essence this value defines the size of the region in that, once the maximum number of hops is reached, the BPDU is discarded. The maximum number of hops for the region is not one of the attributes that define membership in the region.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 361 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 363 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
MAC Retention
MAC Retention allows a system of stackable switches to retain the MAC address of the primary switch for a fixed or indefinite time, even after multiple takeovers. This minimizes the recalculation of protocols, such as Spanning Tree and Link Aggregation. It also minimizes the updation of tables, such as the Address Resolution Protocol (ARP) table for IPv4 routing and the Neighbor Discovery table for IPv6 routing.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 364 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
In the above diagram, Stack 1 has the stack address M1. When a takeover occurs, the secondary element starts functioning as the new primary element and the stack address is also changed, for example, to M2, the new primary elements MAC address. Stack 1 advertises its new stack address M2. Switch 1, which had previously associated Stack 1 with the stack address M1, now has to change its ARP tables to associate Stack 1 with the new stack address M2. Similarly, in IPv6 routing, Switch 1 has to change its Neighbor Discovery tables to associate Stack 1 with the new stack address M2. Another aspect that may be impacted is the recalculation of the Spanning Tree in accordance with the Spanning Tree Protocol (STP). If the stack address is changed due to the election of a new primary element, a new Spanning Tree has to be recalculated to account for this change. This becomes even more difficult when the newly elected primary element becomes the new root bridge. Link Aggregation Control Protocol (LACP) is another application that is influenced by the takeover. This application uses the base MAC address of the switch as the system ID while exchanging the LACP PDUs in the network. After takeover, the aggregate ports will administratively go down and then come up again due to the change in the system ID. Therefore, to avoid these recalculations, when a primary element fails in a stack, the secondary element, which takes over as the new primary element uses the MAC address of the former primary element.This feature of retaining the base MAC address of the former primary element for a fixed or indefinite period of time is called MAC Address Retention. In this way, recalculation of protocols, such as Spanning Tree and Link Aggregation and updation of tables, such as the Address Resolution Protocol (ARP) table for IPv4 routing and the Neighbor Discovery table for IPv6 routing is minimized. Note. The MAC Retention feature is only supported on the switch that operates in the single MAC mode.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 365 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 366 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
In the above diagram, when the primary element in Stack 1 fails, the secondary element becomes the new primary element and shares the MAC address of the former primary element of the stack. In this scenario, the decision to retain the base MAC address is acceptable. This feature also works well during the following failures: Power failure of the primary element Hardware failure of the primary element
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 367 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Link Failure
In the following diagram, even if both stack links "a" and "b" of the primary element of Stack 1 go down almost at the same time (removed by the user or actual link failures), the MAC Retention feature will remain enabled and the base MAC address will be retained during takeover.
In the above diagram, if the links between the primary and the secondary element and the primary and the idle element fail, the entire stack will split into two separate stacks. The primary element will become an independent stack, and the new primary element (after takeover) and the new secondary element will form another separate stack. Both the stacks will share the same base MAC address.This will lead to the duplication of MAC address because the software running on the elements will not be able to distinguish between a crash or two link failures. In the above scenario, although the duplication of MAC address cannot be prevented, the element can be configured to generate an SNMP trap. If an SNMP trap is generated, the administrator can release the base MAC address from the stack consisting of the new primary and secondary elements. This stack will use the base MAC address from the EEPROM of the new primary element of the stack.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 368 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 369 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 370 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 371 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 372 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Dynamic aggregate groups can be created between: Two OmniSwitch 6850/9000 switches An OmniSwitch 6850/9000 switch and an OmniSwitch 7700/7800 or OmniSwitch 8800 switch An OmniSwitch 6850/9000 switch and an OmniSwitch 6600 Family switch An OmniSwitch 6850/9000 switch and another vendors switch, if that vendor supports IEEE 802.3ad LACP
Embedded Security
The long-term success of world-class organizations is tied to how well they gather and utilize information. Though difficult to measure, an organizations information is arguably its most valuable asset and protecting it has become essential. Their prosperity depends on safeguarding the critical business information, identifying the proper users, providing the proper access and defending against hostile intrusion. Alcatel-Lucents AOS OmniSwitch product family provides organizations with easy, robust and optimal ways to control access to individual infrastructure components and to the individual resources resident on the network both internally and externally. Hence, information security for Internet, Intranet and Extranet applications will be supported through the incorporation of an advanced security feature set. An Overview of the Alcatel-Lucent AOS OmniSwitch 6850 Series Embedded Security features: The following is only a highlight of the advanced security features supported by the OmniSwitch 6850 Series: Partitioned Management PM: Protected multiple user access control (i.e. the switch provides a full suite of commands that allow the user to create and modify User IDs and Passwords (multiple administrative profiles) for access to switch management). The PM feature utilizes an on-board database, or RADIUS, LDAP authentication servers (user profiles are stored within these servers). Authenticated Switch Access (ASA): the ASA feature (user access control or device access control) with Secure Access Logging (AAA service) utilizes an on-board database, RADIUS, LDAP, or ACE authentication servers Automatic Log-out based on a pre-configured timer Denial of Service Attack Defense (DOS protection) IEEE 802.1x industry standard port based authentication challenges users with a password before allowing network access IEEE 802.1x multi-client, multi-VLAN support for per-client authentication and VLAN assignment o IEEE 802.1x with group mobility o IEEE 802.1x with MAC based authentication, group mobility or guest VLAN support o MAC-based authentication for non-802.1x host o Alcatel-Lucent Access Guardian support Port Mapping (Private VLANs) Port Binding Authenticated VLAN that challenges users with username and password and supports dynamic VLAN access based on user Support for host integrity check and remediation VLAN Security through the implementation of OmniVista Quarantine Manager (OV2770-QM) and quarantine VLAN, with OneTouch Security automation PKI authentication for SSH access Learned Port Security or MAC address lockdown allows only known devices to have network access preventing unauthorized network device access RADIUS and LDAP admin authentication prevents unauthorized switch management TACACS+ client allows for authentication-authorization and accounting with a remote TACACS+ server Secure Shell (SSHv2), Secure Socket Layer (SSLv3) for HTTPS and SNMPv3 for encrypted remote management communication Access Control Lists (ACLs) to filter out unwanted traffic including denial of service attacks; Access control lists (ACLs) are per port, MAC SA/DA, IP SA/DA, TCP/ UDP port; Flow based filtering in hardware (L1-L4) Support for Access Control List Manager (ACLMAN) Supports Microsoft Network Access Policy (NAP) protocol Switch protocol security o MD5 for RIPv2, OSPFv2 and SNMPv3 o SSHv2 for secure CLI session with PKI support o SSLv3 for secure HTTP session DHCP Snooping, DHCP IP Spoof protection
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 374 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 375 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 376 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IP-Directed Broadcasts
An IP directed broadcast is an IP datagram that has all zeroes or all 1s in the host portion of the destination IP address. The packet is sent to the broadcast address of a subnet to which the sender is not directly attached. Directed broadcasts are used in denial-of-service smurf attacks. In a smurf attack, a continuous stream of ping requests is sent from a falsified source address to a directed broadcast address, resulting in a large stream of replies, which can overload the host of the source address. By default, the switch drops directed broadcasts. Typically, directed broadcasts should not be enabled.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 378 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Authentication serversA RADIUS or LDAP server must be configured in the network. The server contains a database of user information that the switch checks whenever a user tries to authenticate through the switch. (Note that the local user database on the switch may not be used for Layer 2 authentication.) Backup servers may be configured for the authentication server. RADIUS or LDAP server: Follow the manufacturers instructions for your particular server. The external server may also be used for Authenticated Switch Access. RADIUS or LDAP client in the switch: The switch must be set up to communicate with the RADIUS or LDAP server. Authentication clientsAuthentication clients login through the switch to get access to authenticated VLANs. There are three types of clients: AV-Client. This is an Alcatel-Lucent-proprietary authentication client. The AV-Client does not require an IP address prior to authentication. The client software must be installed on the users end station. Telnet client: Any standard Telnet client may be used. An IP address is required prior to authentication. Web browser client: Any standard Web browser may be used (Netscape or Internet Explorer). An IP address is required prior to authentication. Authenticated VLANsAt least one authenticated VLAN must be configured. Authentication portAt least one mobile port must be configured on the switch as an authentication port. This is the physical port through which authentication clients are attached to the switch. DHCP ServerA DHCP server can provide IP addresses to clients prior to authentication. After authentication, any client can obtain an IP address in an authenticated VLAN to which the client is allowed access. A relay to the server must be set up on the switch. Authentication agent in the switchAuthentication is enabled when the server(s) and the server authority mode is specified on the switch.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 379 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Authentication Clients
The following describes the Telnet authentication client, Web browser authentication client, and Alcatel-Lucents proprietary AV-Client. An overview of authentication clients is given in the following table:
Type of Client AV-Client Telnet Secure No No Single Sign-on Yes No IP Address Required No Yes IP Release/ Renew Automatic Manual Platforms Supported Windows only (except ME) Windows Linux Mac OS 9.x (no Telnet by default) Mac OS X.1 Windows (IE version 4.72 and later; Netscape version 4.7 and later) Linux (Netscape version 4.75 and later) Mac OS 9.x (IE versions 5.5 and later, Including 5.0 and 5.14) Mac OS X.1 (IE versions between 5.0 And 5.5, except 5.0, 5.5, and 5.14)
Yes (SSL)
No
Yes
Automatic
Windows, Linux, and Mac OS 9 Clients If you are using the wv-cert.pem file or another self-signed certificate, the client will not recognize the certificate, and a warning message will display on the client; however, the client will be allowed to authenticate.
The AV-Client
The AV-Client is a proprietary Windows-based application that is installed on client end stations. The AV-Client does not require an IP address in order to authenticate; the client relies on the DLC protocol (rather than IP) to communicate with the authentication agent in the switch. After authentication, the client may issue a DHCP release/renew request to get an IP address; a utility in the client software may be used to configure this automatic request. The AV-Client software requires three main installation steps as listed here. These steps are slightly different depending on the version of Windows you are using. Load the Microsoft DLC protocol stack. Load the AV-Client software. Set the AV-Client as primary network login (Windows 95 and 98). Configure the AV-Client for DHCP (optional). The Microsoft DLC Protocol Stack and the AV-Client Software are supported on: Windows 2000 and Windows NT Windows 98 Windows 95
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 381 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Single Mode
This mode should be used when all authenticated VLANs on the switch are using a single authentication server (with optional backups) configured with VLAN information. When this mode is configured, a client is authenticated into a particular VLAN or VLANs. (For the client to be authenticated into multiple VLANs, each VLAN must be configured for a different protocol.) When a client first makes a connection to the switch, the agent in the switch polls the authentication server for a match with a clients user name and password. If the authentication server is down, the first backup server is polled. The switch uses the first available server to attempt to authenticate the user. (If a match is not found on that server, the authentication attempt fails. The switch does not try the next server in the list.) If a match is found on the first available server, the authentication server sends a message to the agent in the switch that includes the VLAN IDs to which the client is allowed access. The agent then moves the MAC address of the client out of the default VLAN and into the appropriate authenticated VLAN(s).
Multiple Mode
Multiple authority modes associate different servers with particular VLANs. This mode is typically used when one party is providing the network and another is providing the server. When this mode is configured, a client is first prompted to select a VLAN. After the VLAN is selected, the client then enters a user name and password. The server configured for that particular authenticated VLAN is polled for a match. (If the server is unavailable, the switch polls the first backup server, if one is configured.) If a match is not found on the first available server, the authentication attempt fails. If a match is found, the clients MAC address is moved into that VLAN. A server in multiple authority modes does not have to be configured with VLAN information. If the same server services more than one VLAN, the same user ID and password may be used to authenticate into one of several VLANs, depending on which VLAN the user selects at authentication. Clients are only able to authenticate into one VLAN at a time. (In single authority mode, clients can authenticate into more than one VLAN at a time if each VLAN is configured for a different protocol.)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 382 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 383 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IEEE 802.1X
Physical devices attached to a LAN port on the switch through a point-to-point LAN connection may be authenticated through the switch through port-based network access control. This control is available through the IEEE 802.1X standard implemented on the switch.
The following table shows the default for authenticating 802.1X ports through the aaa authentication 802.1x command:
Description Whether any traffic will be allowed or restricted after authenticating the 802.1X port Default Open-unique
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 384 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
802.1X Overview
The 802.1X standard defines port-based network access controls, and provides the structure for authenticating physical devices attached to a LAN. It uses the Extensible Authentication Protocol over LAN (EAPOL). There are three components for 802.1X: The SupplicantThis is the device connected to the switch. The device may be connected directly to the switch or via a point-to-point LAN segment. Typically the supplicant is a PC or laptop. The Authenticator Port Access Entity (PAE)This entity requires authentication from the supplicant. The authenticator is connected to the supplicant directly or via a point-to-point LAN segment. The OmniSwitch acts as the authenticator. The Authentication ServerThis component provides the authentication service and verifies the credentials (username, password, challenge, etc.) of the supplicant. On the OmniSwitch, only RADIUS servers are currently supported for 802.1X authentication. Note: there is no switch-based local database support for 802.1x authentication. On the OmniSwitch 6850, configurable device classification policies are available to handle access of non-supplicant devices on 802.1x ports.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 385 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Re-authentication
After a supplicant has successfully authenticated through an 802.1X port, the switch may be configured to periodically reauthenticate the supplicant (re-authentication is disabled by default). In addition, the supplicant may be manually re-authenticated. The re-authentication process is transparent to a user connected to the authorized port. The process is used for security and allows the authenticator (the OmniSwitch) to maintain the 802.1X connection. Note. If the MAC address of the supplicant has aged out during the authentication session, the 802.1X software in the switch will alert the source learning software in the switch to re-learn the address. 802.1X ports may also be initialized if there is a problem on the port. Initializing a port drops connectivity to the port and requires the port to be re-authenticated.
802.1X Accounting
802.1X authentication sessions may be logged if servers are set up for 802.1X accounting. Accounting may also be done through the local Switch Logging feature.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 386 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 387 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 388 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
In the above example topology: Ports 2/1 and 2/2 on Switch A do not interact with each other and do not interact with the ports on Switch B. Ports 2/1, 2/2, and 3/1 on Switch B interact with all the ports of the network except with ports 2/1 and 2/2 on Switch A Ports 2/1 and 2/2 on Switch D do not interact with each other but they interact with all the user ports on Switch A except 3/1, 3/2, and 3/3. They also interact with all the ports on Switch B and Switch C. Ports 3/1, 3/2, and 2/1 on Switch C can interact with all the user ports on the network except 3/1, 3/2, 3/3 on Switch A
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 389 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
ACL Specifications
These specifications are the same as those for QoS in general: Maximum number of policy rules Maximum number of policy rules per Ethernet port Maximum number of policy rules per 10Gigabit port Maximum number of policy conditions Maximum number of policy actions Maximum number of policy services Maximum number of groups (Network, MAC, service, port) Maximum number of group entries 1024 101 997 2048 2048 256 1024 512 per group
ACL Defaults
Parameter Default Accept Global bridged disposition Accept Global routed disposition Accept Global multicast disposition Accept Policy rule disposition 0 (lowest) Policy rule precedence Note that in the current software release, the deny and drop options produce the same effect; that is, that traffic is silently dropped.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 390 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
ACL Overview
ACLs provide moderate security between networks. The following illustration shows how ACLs may be used to filter subnetwork traffic through a private network, functioning like an internal firewall for LANs.
When traffic arrives on the switch, the switch checks its policy database to attempt to match Layer-2 or Layer3/4 information in the protocol header to a filtering policy rule. If a match is found, it applies the relevant disposition to the flow. Disposition determines whether a flow is allowed or denied. There is a global disposition (the default is accept), and individual rules may be set up with their own dispositions. Note. In some network situations, it is recommended that the global disposition be set to deny, and that rules be created to allow certain types of traffic through the switch. When multiple policy rules exist for a particular flow, each policy is applied to the flow as long as there are no conflicts between the policies. If there is a conflict, then the policy with the highest precedence is applied to the flow. Note. QoS policy rules may also be used for traffic prioritization and other network scenarios.
Rule Precedence
All rules that match a flow will be applied to the flow, unless one of the following rule conflicts occur: Actions specified by one or more rules are in conflict with each other. Conditions specified in one or more contiguous rules are the same. If any of the above items are true, then rule precedence is used to determine which rule to apply to the flow. (This functionality is different from the OmniSwitch 7700/7800/8800, which will always apply the rule with the highest precedence.) Rules With Compatible Actions: More than one rule may have the same condition. For example, two rules may have the same IP address condition but different actions. If the actions are compatible, both rules will be applied to the flow, regard-less of the precedence settings. Rules With Conflicting Actions: If the actions are in conflict, however, the switch will apply only the rule with the highest precedence.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 391 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Valid Combinations
There are limitations to the types of conditions that may be combined in a single rule. A brief overview of these limitations is listed here: Source and destination parameters can be combined in Layer 2, Layer 3, and Layer 4 conditions. Individual items and their corresponding groups cannot be combined in the same condition. For example, a source IP address cannot be included in a condition with a source IP network group.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 392 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 393 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Layer 2 ACLs
Layer 2 filtering filters traffic at the MAC layer. Layer 2 filtering may be done for both bridged and routed packets. As MAC addresses are learned on the switch, QoS classifies the traffic based on: MAC address or MAC group Source VLAN Physical slot/port or port group The switch classifies the MAC address as both source and destination. The following policy condition keywords are used for Layer 2 ACLs: Layer 2 ACL Condition Keywords Source mac Destination mac Source mac group Destination mac group Source vlan Destination port Source port Destination port group Source port group Ethertype A group and an individual item cannot be specified in the same condition. For example, a source MAC address and a source MAC group cannot be specified in the same condition. Note that combining Layer 2 and Layer 3 conditions in the same policy is supported.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 394 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 395 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 396 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
ACLMAN Defaults
Parameter ACL disposition Logging rate time interval Default Deny 30 seconds
ACLMAN Overview
ACLMAN is a function of the Alcatel-Lucent QoS system that allows network administrators to configure and manage ACLs using common industry syntax. ACLs configured using ACLMAN are transparently converted into Alcatel-Lucent QoS filtering policies and applied to the switch. An ACLMAN interactive shell provides an ACL command line interface that is similar to command interfaces that are available on other industry platforms. This shell serves as a configuration tool for creating ACLs using common industry syntax commands and/or importing industry syntax from text files. The following industry ACL types and features are supported with this implementation of ACLMAN: Standard ACL. This type of ACL compares the source address of a packet to the source address specified in the ACL. Extended ACL. This type of ACL compares the source and destination address of a packet to the source and destination address specified in the ACL. Also provides additional criteria for filtering packets. Numbered ACL. This type of ACL refers to standard or extended ACLs that are assigned a number for identification. Named ACL. This type of ACL refers to standard or extended ACLs that are assigned a name for identification. The following industry ACL types are currently not supported: Reflexive ACLs Context-Based Access Control Authentication Proxy Lock and Key (Dynamic ACLs)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 397 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
ACL Precedence
ACLMAN allows a user to apply common industry ACLs to an Alcatel-Lucent switch. When these ACLs are created using ACLMAN configuration tools, they are automatically assigned an Alcatel-Lucent QoS internal priority of 101. Alcatel-Lucent CLI/SNMP policies are assigned a priority of one by default. As a result, ACLMAN policies will take precedence over Alcatel-Lucent CLI/SNMP policies unless the Alcatel-Lucent policies are configured with a precedence value higher than 101. QoS policies configured through LDAP are given a value in the range 30000 to 65535. Therefore LDAP policies take precedence over ACLMAN policies.
Help is an available menu item in each of the shell command modes. In addition, help is also available by Entering a question mark (?) at the command prompt or after entering a command parameter. For example: Aclman (config)#? Access-list Add an access list entry End Return to privileged exec mode Exit Exit from configure mode Help Description of the interactive help system Interface Select an interface to configure Ip Global IP configuration subcommands No Negate a command or set its defaults Time-range Define time range entries Aclman (config)#access-list? <1-99> IP standard access list <100-199> IP extended access list <1300-1999> IP standard access list (expanded range) <2000-2699> IP extended access list (expanded range) Aclman (config) #access-list
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 399 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Supported TCP Service Parameters Bgp (179) Gopher (70) Pop3 (110) Chargen (19) Hostname (101) Smtp (25) Cmd (rcmd, 514) Ident (113) Sunrpc (111) Daytime (13) Irc (194) Syslog (514) Discard (9) Klogin (543) Tacacs (49) Domain (53) Kshell (544) Talk (517) Echo (7) Login (rlogin, 513) Telnet (23) Exec (rsh, 512) Lpd (515) Time (37) Finger (79) Nntp (119) Uucp (540) Ftp (21) Pim-auto-rp(496) Whois (43) Ftp-data (20) Pop2 (109) Www (HTTP, 80) When creating extended UDP ACLs, enter one of the following supported UDP service types for the required port parameter value. Note that using the port number to specify the service instead of the service name is also allowed. Supported UDP Service Parameters Biff (512) Nameserver (obsolete, 42) Snmptrap (162) Bootpc (BOOTP) client (68) netbios-dgm (138) Sunrpc (111) Bootps (BOOTP) server (67) Netbios-ns (137) Syslog (514) Discard (9) Netbios-ss (139) Tacacs (49) Dnsix (195) Non500-isakmp (4500) Talk (517) Domain (DNS, 53) Ntp (123) Tftp (69) Echo (7) Pim-auto-rp (496) Time (37) Isakmp (500) Rip (router, in.routed, 520) Who (rwho, 513) Mobile-ip (434) Snmp (161) Xdmcp (177)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 400 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Network Security
Network Security (also known as Alcatel-Lucents Traffic Anomaly Detection (TAD) feature or Etherbreaker) is a network monitoring feature that aims to detect the anomalies in the network by analyzing the patterns of ingress and egress packets on a port. These anomalies occur when the traffic patterns of a port do not meet the expectations. The detection of anomalies results in logging, SNMP trap generation, and shutting down of the anomalous port. This feature is mainly used in the Layer2 domain. Note. The Network Security feature is supported only on OmniSwitch 6850 and 9000 Series switches in Release 6.3.1.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 401 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Anomalies
A network traffic anomaly refers to deviations in the rates of a user-ports ingress and egress packets from expectations. The anomalies are monitored in the network by observing the networks traffic for a configurable time period. During this period, the Network Security counts relevant packets on a port. Anomalies may occur in scenarios, such as the following: When a high number of TCP SYN packets are not expected from a user-port in a short period. When more than one ARP response is received for every ARP request. When a high number of TCP RST packets are not expected in a network in a short period. The above listed scenarios occur in a network due to malicious systems in the network, or when a network is attacked or mis-configured. Network Security detects the following anomalies: Anomaly Description
ARP Address Scan ARP Flood ARP Failure ICMP Address Scan ICMP Flood ICMP Unreachable TCP Port Scan TCP Address Scan SYN Flood SYN Failure SYN-ACK Scan Fin Scan Fin-Ack Diff Rst Count Occurs when a host sends a burst of ARP requests for multiple IP addresses. Occurs when a host receives a burst of ARP request packets. Occurs when ARP queries do not elicit ARP responses. Occurs when multiple hosts receive ICMP echo request packets at the same time. Occurs when a host receives a burst of ICMP echo request packets. Occurs when a host receives a flood of ICMP Unreachable packets. Occurs when a host receives a burst of TCP SYN packets for multiple TCP ports. Occurs when multiple hosts receive TCP SYN packets at the same time. Occurs when a host receives a burst of TCP SYN packets on the same TCP port. Occurs when a host receives fewer SYNACKs than SYNs it sent out. Occurs when a host receives more SYNACKs than SYNs it sent out. Occurs when a host receives a burst of FIN packets. Occurs when a host sees more or fewer FINACK packets than it sent. Occurs when a host receives a flood of RST packets.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 402 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Monitoring Group
A monitoring-group is used by Network Security to configure the anomaly detection on sets of ports. A monitoring-group is identified by a name and has a set of ports as its members. A monitoring-group is created by adding a set of ports to the group or by configuring an anomaly parameter for the group. A monitoring-group exists as long as it has a member port or has at least one of its anomaly parameters configured. The network security configurations are applied according to the monitoring-groups. The anomaly detection parameters of monitoring-groups can be configured by the user. Also, the user can add or remove a port in the monitoring-group. A port can be moved from one monitoring-group to another, but it cannot exist in more than one monitoring-group at a time. Network security is disabled on a port that is not a member of a monitoring-group. Network Security changes an anomaly parameter configuration across all monitoring-groups in the following ways: Group-name all, overwrites the configuration for all the monitoring-groups. Anomaly all, overwrites the configuration for all the anomalies. Network Security has a predefined monitoring-group default, and allows a maximum of 32 monitoring groups including "default" at a time. Network Security applies the rules to match the specific packets when a port is in a monitoring-group. These rules exist as long as the port is a member of any monitoring group. The statistics for the packets are maintained on a per-port basis and are available when a port is a member of the monitoringgroup. When a port is removed from the monitoring-group, the statistics for the packets are cleared. If a monitoring port is moved from one monitoring-group to another, the statistics of the port do not get cleared. A port's anomaly statistics are tracked when that anomaly is configured to be monitored on that port, and are cleared when monitoring is stopped for that anomaly.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 403 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Distributed Intelligence
The AOS OmniSwitch product family has been designed to bring intelligence to an Enterprise network by implementing a host of intelligent features and services. Carrier-class intelligence insures that users and applications receive the priority and performance they need with ease-of-use management that extends across the entire enterprise. The AOS OmniSwitch product family features state-of-art ASIC-based technology, which includes intelligent layer-2/layer-3 switching & routing, extensive and robust QoS, ACLs, and a host of other advanced features. An Overview of the Alcatel-Lucent AOS Distributed Intelligence features: Distributed architecture with high performing switching fabric capacity State-of-the-art intelligent architecture support for flow-based, policy-based, rule-based layer-2/layer-3/layer-4 wire-speed QoS and traffic management features such as: o Traffic prioritization and layer-2/layer-3/layer-4 classification o Bandwidth management including rate limiting o QoS mapping, re-mapping, marking, re-marking o Advanced Buffering/Queue Algorithms The Quality of Service & Filtering Manager is responsible for managing traffic through user-configured policies. Traffic policies fall into the following categories: o Access Control Lists (or Filtering) o IPMS multicast filtering o Traffic Prioritization & Traffic Shaping o Trusted & Untrusted ports Wire-speed layer-2/layer-3 switching including IPv4 & IPv6 routing Static Routing support: Static routes are user-defined; they carry a higher priority than routes created by dynamic routing protocols. Dynamic Routing support: IP routing [RIPv1&v2, OSPFv2, OSPF-ECMP (including Static ECMP), BGPv4, and VRRP] RDP: Router Discovery Protocol IP Multicast switching with IGMPv1&v2&v3 and IP Multicast routing with DVMRPv3 & PIM-SMv2 IP Multicast Switching (IPMS) is a one-to-many communication technique employed by emerging applications such as video distribution, news feeds, conferencing, netcasting, and resource discovery (OSPF, RIP2, and BOOTP). Unlike unicast, which sends one packet per destination, multicast sends one packet to all devices in any sub-network that has at least one device requesting the multicast traffic. Alcatel-Lucents IPMS feature support is compatible with the following RFCs: o RFC 2236 Internet Group Management Protocol, Version 2 o RFC 2933 Internet Group Management Protocol MIB o RFC 3376 Internet Group Management Protocol, Version 3 IP multicast routing can be used for IP Multicast Switching and Routing (IPMSR). IP multicast routing is a way of controlling multicast traffic across networks. The multicast router discovers which networks want to receive multicast traffic by sending out Internet Group Management Protocol (IGMP) queries and receiving IGMP reports from attached networks. The IGMP reports signal that users want to join a multicast group. If there is more than one multicast router in the network, the router with the lowest IP address is elected the querier router, which is responsible for querying the sub-network for group members. o The IP multicast routing package offers the following two separate protocols (The AOS OmniSwitch 6850 platforms support DVMRPv3 (draft version 10), and PIM-SMv2): o Protocol Independent Multicast Sparse Mode (PIM-SM) RFCs Supported: 2362Protocol Independent Multicast-Sparse Mode (PIM-SM) Protocol Specification 2934Protocol Independent Multicast MIB for IPv4 2932IPv4 Multicast Routing MIB o Distance Vector Multicast Routing Protocol (DVMRP) RFCs Supported 2667IP Tunnel MIB IETF Internet-Drafts Supported: Distance-Vector Multicast Routing Protocol MIB Draft-ietf-idmr-dvmrp-v3-10.txt Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 404 Software & Hardware Release: AOSv6.3.1r01
Draft-ietf-idmr-dvmrp-mib-11.tx Policy based VLANs including IEEE 802.1Q VLAN Trunking: o A set of hosts defined by a set of ports o A set of MAC addresses o Sub-net based: Network address rule o Protocol policies o DHCP (MAC address and port DHCP rules) o Binding VLANs (based on port, MAC, IP and combinations) o IEEE 802.1Q VLANs o DHCP High port density NI modules, high speed (10/100/1000Mbps (triple speed), GigEth, and 10-GigEth) and flexible connectivity with copper and fiber (MiniGBICs) IEEE 802.3x Flow Control on all Network Interfaces Note: the switch does not support honoring the incoming (RX) IEEE 802.3x pause frames, but it does support generating outgoing (TX) IEEE 802.3x pause frames Per port Multicast and Broadcast flood limiting Layer-2/Layer-3 Jumbo frame support Alcatel-Lucent understands that enterprise networking traffic volume is increasing and ultra high-speed Gigabit Ethernet technology has emerged, conventional Ethernet's packaging of data into mini-chunks is inhibiting the ability of servers and applications to take full advantage of next-generation networks. The speed and capacity of today's Ethernets are pushing the processor limits of most installed servers, and more data is being transferred between servers. For these reasons, extending Ethernet's frame size to reduce server overhead and increase throughput has become an attractive and logical option. The use of Jumbo Frames can deliver an increase in throughput with a simultaneous decrease in CPU utilization. Applications optimized for large frame sizes can easily be integrated with existing Ethernet LANs without causing interoperability problems. The AOS OmniSwitch 6850 platforms support layer-2/layer-3 9K Byte (9216 Byte) jumbo frames on Gigabit Eth. ports. IP fragmentation for Gigabit Ethernet routed ports with per flow MTU is also supported Maximum Transfer Units (MTU): o Layer-2 Ethernet Frame Size: o Untagged: 1518 Bytes without IEEE 802.1Q tags o Tagged: 1522 Bytes with IEEE 802.1Q tags o Long Frame Size (enabled by default): 1553 Bytes (IEEE 8021.Q tagged or untagged) o Frame Type: Type2, LLC, SNAP, RAW 802.3 The maximum frame size on the Gigabit Ethernet interfaces are (range: 1518 to 9216 Bytes): o Gigabit Ethernet Packets: 9216 Bytes o Untagged (without IEEE 802.1Q tags) Ethernet Packets: 1518 Bytes o Tagged (with IEEE 802.1Q tags) Ethernet Packets: 1522 Bytes
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 405 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
VLANs
In a flat-bridged network, a broadcast domain is confined to a single LAN segment or even a specific physical location, such as a department or building floor. In a switch-based network, such as one comprised of Alcatel-Lucent switching systems, a broadcast domainor VLAN can span multiple physical switches and can include ports from a variety of media types. For example, a single VLAN could span three different switches located in different buildings and include 10/100 Ethernet, Gigabit Ethernet, 802.1q tagged ports and/or a link aggregate of ports.
VLAN Specifications
RFCs Supported 2674 - Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering and Virtual LAN Extensions 802.1Q - Virtual Bridged Local Area Networks 802.1D - Media Access Control Bridges 1024 (including the default VLAN#1) 32,768 1024 (single router MAC mode) 256 (single router MAC mode) 8 253 128 Single
IEEE Standards Supported Maximum VLANs per switch Maximum VLAN port associations per switch Maximum IP router port VLANs per switch Maximum IPX router port VLANs per switch Maximum IP router interfaces per VLAN Maximum Spanning Tree VLANs per switch Maximum authenticated VLANs per switch MAC Router Mode Supported
VLAN Defaults
Parameter Description VLAN identifier (VLAN ID) VLAN administrative state VLAN description VLAN Spanning Tree state VLAN mobile tag status VLAN IP router interfaces VLAN IPX router interface Switch MAC router mode VLAN authentication status VLAN port associations Default VLAN 1 predefined on each switch. Enabled VLAN identifier (VLAN ID) Enabled (Disabled if VLAN count exceeds 254) Disabled VLAN 1 router interface No router interface defined Single MAC router mode Disabled All ports initially associated with default VLAN 1.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 406 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Creating/Modifying VLANs
The initial configuration for all Alcatel-Lucent switches consists of a default VLAN 1 and all switch ports are initially assigned to this VLAN. When a switching module is added to the switch, the modules physical ports are also assigned to VLAN 1. If additional VLANs are not configured on the switch, then the entire switch is treated as one large broadcast domain. All ports will receive all traffic from all other ports. Up to 1024 VLANs are supported per switch, including default VLAN 1. In compliance with the IEEE 802.1Q standard, each VLAN is identified by a unique number, referred to as the VLAN ID. The user specifies a VLAN ID to create, modify or remove a VLAN and to assign switch ports to a VLAN. When a packet is received on a port, the ports VLAN ID is inserted into the packet. The packet is then bridged to other ports that are assigned to the same VLAN ID. In essence, the VLAN broadcast domain is defined by a collection of ports and packets assigned to its VLAN ID. The operational status of a VLAN remains inactive until at least one active switch port is assigned to the VLAN. This means that VLAN properties, such as Spanning Tree or router interfaces, also remain inactive. Ports are considered active if they are connected to an active network device. Non-active port assignments are allowed, but do not change the VLANs operational state. Ports are either statically or dynamically assigned to VLANs. When a port is assigned to a VLAN, a VLAN port association (VPA) is created and tracked by VLAN management switch software.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 407 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
VLAN Authentication
Layer-2 authentication uses VLAN membership to grant access to network resources. Authenticated VLANs control membership through a login process; this is sometimes called user authentication. A VLAN must have authentication enabled before it can participate in the Layer 2 authentication process. Once authentication is enabled on a VLAN, then only authenticated mobile port devices can join the VLAN after completing the appropriate login process.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 409 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 410 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 411 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 412 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Maximum VLANs Maximum number of rules per VLAN Maximum number of rules per switch Switch ports eligible for VLAN rule classification (dynamic VLAN assignment) Switch ports not eligible for VLAN rule classification
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 413 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
DHCP Rules
Dynamic Host Configuration Protocol (DHCP) frames are sent from client workstations to request an IP address from a DHCP server. The server responds with the same type of frames, which contain an IP address for the client. If clients are connected to mobile ports, DHCP rules are used to classify this type of traffic for the purposes of transmitting and receiving DHCP frames to and from the server. When a mobile port receives a DHCP frame that matches a DHCP rule, the port is temporarily assigned to the VLAN long enough to forward the DHCP requests within the VLAN broadcast domain. The source MAC address of the DHCP frame, however, is not learned for that VLAN port association. As a result, the show mac-address-table command output will not contain an entry for the DHCP source MAC address. The show vlan port command output, however, will contain an entry for the temporary VLAN port association that occurs during this process. Once a device connected to a mobile port receives an IP address from the DHCP server, the VLAN port assignment triggered by the devices DHCP frames matching a VLAN DHCP rule is dropped unless regular port traffic matches another rule on that same VLAN. If this match occurs, or the traffic matches a rule on another VLAN, then the source MAC address of the mobile ports frames is learned for that VLAN port association. DHCP rules are most often used in combination with IP network address rules. A DHCP client has an IP address of all zeros (0.0.0.0) until it receives an IP address from a DHCP server, so initially it would not match any IP network address rules. Binding rules, MAC address rules, and protocol rules also capture DHCP client traffic. The exception to this is binding rules that specify an IP address as part of the rule, similar to IP network address rule definitions. The following DHCP rule types are available: DHCP MAC Address: DHCP MAC address rules capture DHCP frames that contain a source MAC address that matches the MAC address specified in the rule. DHCP MAC Range: A DHCP MAC range rule is similar to a DHCP MAC address rule, but allows the user to specify a range of MAC addresses. This is useful when it is necessary to define rules for a large number of sequential MAC addresses. One DHCP MAC range rule could serve the same purpose as 10 or 20 DHCP MAC address rules, requiring less work to configure. DHCP frames that contain a source MAC address that matches the low or high end MAC or that falls within the range specified by the low and high end MAC trigger dynamic port assignment to the rules VLAN. DHCP Port: DHCP port rules capture DHCP frames that are received on a mobile port that matches the port specified in the rule. DHCP Generic: DHCP generic rules capture all DHCP traffic that does not match an existing DHCP MAC or DHCP port rule. If none of these other rules exist, then all DHCP frames are captured regardless of the port they came in on or the frames source MAC address. Only one rule of this type is allowed per switch. OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 414 Software & Hardware Release: AOSv6.3.1r01 Alcatel-Lucent-ESD Calabasas/CA./USA
Binding Rules
Binding rules restrict VLAN assignment to specific devices by requiring that device traffic match all criteria specified in the rule. As a result, a separate binding rule is required for each device. An unlimited number of such rules, however, is allowed per VLAN and up to 8129 of each rule type is allowed per switch. Although DHCP traffic is examined and processed first by switch software, binding rules take precedence over all other rules. The following binding rule types are available. The rule type name indicates the criteria the rule uses to determine if device traffic qualifies for VLAN assignment. For example, the MAC-Port-IP address-binding rule requires a matching source MAC and IP address in frames received from a device connected to the port specified in the rule. Binding rules require mobile port traffic to match all rule criteria. The criteria consists of one of three combinations, each of which is a specific binding rule type: MAC-Port-IP Address: The device must attach to a specific switch port and use a specific MAC address and use a specific IP network address (MAC-port-IP address binding rule). MAC-Port: The device must use a specific port and a specific source MAC address (MAC-port binding rule). Port-Protocol: The device must attach to a specific switch port and use a specific protocol (port-protocol binding rule). Note that MAC-port-IP and, MAC-port binding rules are also supported on Authenticated VLANs (A-VLANs).
Protocol Rules
Protocol rules determine VLAN assignment based on the protocol a device uses to communicate. When defining this type of rule, there are several generic protocol values to select from: IP, IPX, AppleTalk, or DECNet. If none of these are sufficient, it is possible to specify an Ethernet type, Destination and Source Service Access Protocol (DSAP/SSAP) header values, or a Sub-network Access Protocol (SNAP) type. Note that specifying a SNAP protocol type restricts classification of mobile port traffic to the ethertype value found in the IEEE 802.2 SNAP LLC frame header. IP protocol rules also capture DHCP traffic, if no other DHCP rule exists that would classify the DHCP traffic into another VLAN. Therefore, it is not necessary to combine DHCP rules with IP protocol rules for the same VLAN. Protocol rules capture frames that contain a protocol type that matches the protocol value specified in the rule. There are several generic protocol parameter values to select from; IP Ethernet-II, IP SNAP, IPX Ethernet II, IPX Novell (802.3), IPX LLC (802.2), IPX SNAP, DECNet, and Appletalk. If none of these are sufficient to capture the desired type of traffic, use the Ethertype, DSAP/SSAP, or SNAP parameters to define a more specific protocol type value.
Port Rules
Port rules are fundamentally different from all other supported rule types, in that traffic is not required to trigger dynamic assignment of the mobile port to a VLAN. As soon as this type of rule is created, the specified port is assigned to the VLAN only for the purpose of forwarding broadcast types of VLAN traffic to a device connected to that same port. Port rules are mostly used for silent devices, such as printers, that require VLAN membership to receive traffic forwarded from the VLAN. These devices usually dont send traffic, so they do not trigger dynamic assignment of their mobile ports to a VLAN. It is also possible to specify the same port in more than one port rule defined for different VLANs. The advantage to this is that traffic from multiple VLANs is forwarded out the one mobile port to the silent device. For example, if port 3 on slot 2 is specified in a port rule defined for VLANs 255, 355, and 755, then outgoing traffic from all three of these VLANs is forwarded on port 2/3. Port rules only apply to outgoing mobile port traffic and do not classify incoming traffic. If a mobile port is specified in a port rule, its incoming traffic is still classified for VLAN assignment in the same manner as all other mobile port traffic. VLAN assignments that are defined using port rules are exempt from the ports default VLAN restore status. Port rules do not require mobile port traffic to trigger dynamic assignment. When this type of rule is defined, the specified mobile port is immediately assigned to the specified VLAN. As a result, port rules are often used for silent network devices, which do not trigger dynamic assignment because they do not send traffic. Port rules only apply to outgoing mobile port broadcast types of traffic and do not classify incoming traffic. In addition, multiple VLANs can have the same port rule defined. The advantage to this is that broadcast traffic from multiple VLANs is forwarded out one physical mobile port. When a mobile port is specified in a port rule, however, its incoming traffic is still classified for VLAN assignment in the same manner as all other mobile port traffic.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 416 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IEEE 802.1Q
802.1Q is the IEEE standard for segmenting networks into VLANs. Adding a specific tag to a packet performs 802.1Q segmentation.
802.1Q Specifications
IEEE Specification Draft Standard P802.1Q/D11 IEEE Standards for Local And Metropolitan Area Network: Virtual Bridged Local Area Networks, July 30, 1998 Maximum Number of Tagged VLANs per Port 4093 Maximum Number of Untagged VLANs per Port One untagged VLAN per port. Maximum Number of VLAN Port Associations 32768 Note. Up to 4093 VLANs can be assigned to a tagged port or link aggregation group. However, each assignment counts as a single VLAN port association. Once the maximum number of VLAN port associations is reached, no more VLANs can be assigned to ports.
802.1Q Defaults
Parameter Description What type of frames accepted Which tag is enforced Default Both tagged and untagged frames are accepted On (OmniSwitch 6850)
802.1Q Overview
Alcatel-Lucents 802.1Q is an IEEE standard for sending frames through the network tagged with VLAN identification. 802.1Q tagging can be configured and monitored on a single port in a switch or a link aggregation group in a switch. 802.1Q tagging is the IEEE version of VLANs. It is a method for segregating areas of a network into distinct VLANs. By attaching a label, or tag, to a packet, the packet can be identified as being from a specific area or identified as being destined for a specific area. When enabling a tagged port, you will also need to specify whether only 802.1Q tagged traffic is allowed on the port, or whether the port accepts both tagged and untagged traffic. Tagged refers to four bytes of reserved space in the header of the packet. The four bytes of tagging are broken down as follows: the first two bytes indicate whether the packet is an 802.1Q packet, and the next two bytes carry the VLAN identification (VID) and priority. On the ingress side, packets are classified in a VLAN. After classifying a packet, the switch adds an 802.1Q header to the packet. Egress processing of packets is done by the switch hardware. Packets have an 802.1Q tag, which may be stripped off based on 802.1Q tagging/stripping rules. If a port is configured to be a tagged port, then all the untagged traffic (including priority tagged, or VLAN 0 traffic) received on the port will be dropped. You do not need to reboot the switch after changing the configuration parameters. Note. Priority tagged traffic, or traffic from VLAN 0, is used for Quality of Service (QoS) functionality. 802.1Q views priority tagged traffic as untagged traffic. Mobile ports can be configured to accept 802.1Q traffic by enabling the VLAN mobile tagging feature. The port can be assigned to as many 802.1Q VLANs as necessary, up to 4093 per port or 32768 VLAN port associations. For the purposes of Quality of Service (QoS), 802.1Q ports are always considered to be trusted ports. Alcatel-Lucents 802.1Q tagging is done at wire speed, providing high-performance throughput of tagged frames. Note. 802.1Q on the OmniSwitch 6850 supports the force tag internal feature.
GVRP
The GARP VLAN Registration Protocol (GVRP) facilitates in controlling virtual local area networks (VLANs) in a large network. It is an application of Generic Attribute Registration Protocol (GARP) and provides VLAN registration service. GVRP enables devices to dynamically learn their VLAN memberships. GVRP is compliant with 802.1Q standard. It dynamically learns and propagates VLAN membership information across a bridged network. GVRP dynamically maintains and updates the registration and de-registration of VLANs and prunes unnecessary broadcast and unicast traffic. Through the propagation of GVRP information, a device is continuously able to update its knowledge on the set of VLANs that currently have active nodes and on the ports through which those nodes can be reached. Note. GVRP is only supported in Release 6.2.1 for the OmniSwitch 6850 Series.
GVRP Specifications
The table below lists specifications for Alcatel-Lucents GVRP: IEEE Standards Supported IEEE Std. 802.1D - 2004, Media Access Control (MAC) Bridges IEEE Draft Std. P802.1Q-REV/D5.0 4094
GVRP Defaults
Parameter Description Global status of GVRP Status of GVRP on specified port Transparent switching Maximum number of VLANs Registration mode of the port Applicant mode of the port Timer value for Join timer, Leave timer, or LeaveAll timer Restrict dynamic VLAN registration Restrict VLAN advertisement Restrict static VLAN registration Maximum VLANs learned through GVRP Default Disabled Disabled Disabled 1024 Normal Participant Join timer value: 200 ms Leave timer value: 600 ms LeaveAll timer value: 10000 ms not restricted not restricted not restricted 256
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 418 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
GARP Overview
GARP was introduced to avoid manual configuration of devices and applications in a large network. It enables dynamic configuration of devices and applications in a network. It also provides a generic framework whereby devices in a bridged LAN can register and de-register attribute values, such as VLAN identifiers, with each other. These attributes are propagated through devices in the bridged LAN. GARP consists of: GARP Information Declaration (GID)The part of GARP that generates data from the switch. GARP Information Propagation (GIP)The part of GARP that distributes data to different switches. A GARP applicant may or may not choose to actively participate in declaring and registering an attribute value. By declaring an attribute, a GARP applicant indicates to other applicants that it is either associated with the attribute or it is interested to know about the other applicants associated with that attribute. A GARP applicant that declares attributes is referred to as an active member. A passive member is an applicant interested in an attribute but will not initiate GARP PDUs when it is aware that other applicants have also registered the attribute. The following messages are used in GARP: JoinIn and JoinEmptyUsed by an applicant (including itself) associated with an attribute. Receiving JoinIn messages from other applicants or transmitting JoinEmpty messages enables an applicant to register the attribute. LeaveIn and LeaveEmptyUsed by an applicant to withdraw its declaration when it is no more associated with an attribute. LeaveAllUsed for periodic declarations and registration maintenance. An applicant periodically sends LeaveAll messages, which enable other applicants to indicate their attributes registered states. These messages indicate the current state of the sender applicant device to other GARP applicant devices. With this information, these GARP applicant devices can modify their behavior associated with the attribute (declare and withdraw). GVRP, an application of GARP, is designed to propagate VLAN information from device to device. With GVRP, a single switch is manually configured with all the desired VLANs for the network, and all the other switches on the network learn those VLANs dynamically. An end station can be plugged into a switch and be connected to its desired VLAN. However, end stations need GVRP-aware Network Interface Cards (NIC) to make use of GVRP. GVRP sends information encapsulated in an Ethernet frame to a specific MAC address (01:80:C2:00:00:21). Based on the received registration information (Join message of GARP), VLAN information is learned on a system. GVRP enables new dynamic VLANs on a device or dynamically registers a port to an existing VLAN. In effect, based on the received registration information of a VLAN, the port becomes associated with that VLAN. Similarly, whenever de-registration information is received for a VLAN (Leave message of GARP) on a particular port, the association of that VLAN with the port may get deleted. A GVRP-enabled port sends GVRP PDUs advertising the VLAN. Other GVRP-aware ports receiving advertisements over a link can dynamically join the advertised VLAN. All ports of a dynamic VLAN operate as tagged ports for that VLAN. Also, a GVRP-enabled port can forward an advertisement for a VLAN it learned about from other ports on the same switch. However, that forwarding port does not join that VLAN until an advertisement for that VLAN is received on that port.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 419 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Switch A has 3 VLANs configured as static VLANs (10, 20, and 30). Other switches on the same network will learn these 3 VLANs as dynamic VLANs. Also, the end station connected on port 5 is statically configured for VLAN 50. Port 1 on Switch A is manually configured for VLANs 10, 20, and 30. Hence, as the diagram above shows, 1: Port 1 on Switch A advertises VLAN IDs (VIDs) 10, 20, and 30. 2: Port 2 on Switch B receives the advertisements. VLANs 10, 20, and 30 are created as dynamic VLANs on this switch and Port 2 becomes a member of VLANs 10, 20, and 30. 3: Port 3 on Switch B is triggered to advertise VLANs 10, 20, and 30, but does not become a member of these VLANs. 4: Port 4 on Switch C receives the advertisements. VLANs 10, 20, and 30 are created as dynamic VLANs on this switch and Port 4 becomes a member of VLANs 10, 20, and 30. 5: Port 5 advertises VLANs 10, 20, and 30, but this port is not a member of these VLANs. Note. Default VLAN (VLAN 1) exists on all switches, but it is not considered here. The above sequence of advertisements and registration of VLANs results in the following configuration:
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 420 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Here, the end station advertises itself as a member of VLAN 50. As the above diagram shows, 1: Port 5 receives the advertisement and Switch C creates VLAN 50 as a dynamic VLAN. Port 5 of Switch C becomes a member of VLAN 50. 2: Port 4 advertises VLAN 50, but is not a member of VLAN 50. 3: Port 3 of Switch B receives the advertisement, Switch B creates the dynamic VLAN 50, and Port 3 becomes a member of VLAN 50. 4: Port 2 advertises VLAN 50, but is not a member of this VLAN. 5: Port 1 on Switch A receives the advertisement, creates dynamic VLAN 50. Port 1 becomes a member of VLAN 50. The resulting configuration is depicted below:
Note. Every port on a switch is not a member of all the VLANs. Only those ports that receive the advertisement become members of the VLAN being advertised.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 421 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
VLAN Stacking
VLAN Stacking provides a mechanism to tunnel multiple customer VLANs (CVLAN) through a service provider network using one or more service provider VLANs (SVLAN) by way of 802.1Q double-tagging or VLAN Translation. This feature enables service providers to offer their customers Transparent LAN Services (TLS). This service is multipoint in nature so as to support multiple customer sites or networks distributed over the edges of a service provider network. The VLAN Stacking application operates in one of two modes: legacy and service. The two modes basically differ in how VLAN Stacking is configured, with the service mode offering the following additional enhancements that are not available in the legacy mode: Ethernet service-based approach that is similar to configuring a virtual private LAN service (VPLS). Ingress bandwidth sharing across User Network Interface (UNI) ports. Ingress bandwidth rate limiting on a per UNI port, per CVLAN, or CVLAN per UNI port basis. CVLAN (inner) tag 802.1p-bit mapping to SVLAN (outer) tag 802.1p bit. CVLAN (inner) tag DSCP mapping to SVLAN (outer) tag 802.1p bit. Profiles for saving and applying traffic engineering parameter values. Configuring VLAN Stacking in the legacy mode consists of using a port or port-VLAN level approach to tunneling customer traffic. Configuring VLAN Stacking in the service mode consists of using an approach based on defining an Ethernet service to tunnel customer traffic. Both modes are exclusive in that the switch can only operate in one mode or the other. In addition, each mode has its own unique CLI command syntax. Throughout this section, the term port-based VLAN Stacking refers to functionality available in the legacy mode and the term service-based VLAN Stacking refers to functionality available in the service mode. Note. You can also configure and monitor VLAN Stacking with WebView; Alcatel.Lucents embedded web based device management application. WebView is an interactive and easy-to-use GUI that can be launched from OmniVista or a web browser.
Maximum number of SVLANs for service-based VLAN Stacking Features not supported on VLAN Stacking ports
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 422 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Treatment of customer STP and GVRP frames ingressing on a VLAN Stacking user port.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 423 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 424 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 425 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Service Mode
Configuring VLAN Stacking in the service mode consists of using an Ethernet service based approach for tunneling customer traffic through a provider network. Service-based VLAN Stacking involves configuring the following components to define a tunneling service: VLAN Stacking Servicea service name that is associated with an SVLAN, NNI ports, and one or more VLAN Stacking service access points. The service identifies the customer traffic that the SVLAN will carry through the provider traffic. Service Access Point (SAP)A SAP is associated with a VLAN Stacking service name and a SAP profile. The SAP binds UNI ports and customer traffic received on those ports to the service. The profile specifies traffic engineering attribute values that are applied to the customer traffic received on the SAP UNI ports. Service Access Point (SAP) ProfileA SAP profile is associated with a SAP ID. Profile attributes define values for ingress bandwidth sharing, rate limiting, CVLAN tag processing (translate or preserve), and priority mapping (inner to outer tag or fixed value). UNI Port Profile this type of profile is associated with each UNI port and configures how Spanning Tree and GVRP control packets are processed on the UNI port. OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 426 Software & Hardware Release: AOSv6.3.1r01 Alcatel-Lucent-ESD Calabasas/CA./USA
Legacy Mode
Configuring VLAN Stacking in the legacy mode consists of using a port-based approach for tunneling customer traffic through a provider network. Port-based VLAN Stacking provides the following two methods for defining a VLAN Stacking configuration. Port level configurationAll traffic ingressing on a user port is assigned an SVLAN reserved for that port. Customer traffic (customer VLAN) is not used to classify which SVLAN to be assigned to the traffic. There is one and only one SVLAN per user port. Several user ports belonging to a customer may share an SVLAN. Port-VLAN level configurationAll traffic ingressing on a user port is assigned an SVLAN based on both the user port and the customer VLAN. Each customer VLAN may be assigned a unique SVLAN. Note that port-VLAN level is a super set of port level VLAN Stacking. Port level is basically portVLAN level with all customer VLANs associated to a single SVLAN.
IP Multicast VLANs
The IP Multicast VLANs (IPMV) application has the following interactions with service-based VLAN Stacking functionality and commands: Changing between VLAN Stacking legacy and VLAN Stacking service modes requires removal of any IPMV configuration before the mode is changed. IPMV operates in one of two modes: enterprise or VLAN Stacking. When the enterprise mode is active, IPMV uses sender and receiver ports for IP multicast traffic. When the IPMV VLAN Stacking mode is active, IPMV maps sender and receiver ports to VLAN Stacking NNI and UNI ports. If IPMV is operating in the enterprise mode, there are no CLI usage changes. If IPMV is operating in the VLAN Stacking mode, the following VLAN Stacking CLI commands are used to configure interoperability with IPMV depending on which VLAN Stacking mode is active (legacy or service):
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 427 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Link Aggregation
Both static and dynamic link aggregation are supported with service-based and port-based VLAN Stacking. The exception to this is that port-VLAN level VLAN Stacking on a static link aggregate of UNI ports is not supported. Note that in both VLAN Stacking modes, a link aggregate must consist of all UNI or all NNI ports. VLAN Stacking functionality is not supported on link aggregates that consist of a mixture of VLAN Stacking ports and conventional switch ports.
Spanning Tree
Spanning Tree is enabled by default for VLAN Stacking SVLANs. The Spanning Tree status for an SVLAN is configurable in both the service-based and port-based VLAN Stacking modes. Note that the SVLAN Spanning Tree status applies only to the service provider network topology. BPDU frames are tunneled by default. A back door link configuration is not supported. This occurs when there is a link between two customer sites that are both connected to a VLAN Stacking provider edge switch. A dual home configuration is not supported. This type of configuration consists of a single customer site connected to two different VLAN Stacking switches or two switches at a customer site connect to two different VLAN Stacking switches.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 428 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 429 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Ethernet OAM
The rise in the number of Ethernet service instances has resulted in service providers requiring a powerful and robust set of management tools to maintain Ethernet service networks. Service provider networks are large and intricate, often comprising of different operators that work together to provide the customers with end-to-end services. The challenge for the service providers is to provide a highly available convergent network to its customer base. Ethernet OAM (Operations, Administration, and Maintenance) provides the detection, resiliency, and monitoring capability for end-to-end service guarantee in an Ethernet network.
Maximum Maintenance Domains (MD) per Bridge Maximum Maintenance Associations (MA) per Bridge Maximum Maintenance End Points (MEP) per Bridge
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 430 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 431 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
CFM Monitoring Domains Ethernet OAM Connectivity Fault Management consists of four types of messages that help in monitoring and debugging Ethernet networks. These messages are described below: Continuity Check Messages (CCMs)these are multicast messages exchanged periodically between MEPs. They allow MEPs to detect loss of service connectivity amongst themselves and discover other MEPs within a domain. These messages also enable MIPs to discover MEPs. Linktrace Messages LTMs) these messages are transmitted by a MEP to trace the path to a destination MEP. They are requested by an administrator. Loopback Messages (LBMs) these messages are transmitted by a MEP to a specified MIP or MEP. They are requested by an administrator. Alarm Indication Signal (AIS) Messages these messages send alerts to other devices in the network to notify a fault in the network. Note. AIS messages are not supported in this release. MIP CCM Database Support Per section 19.4 of the IEEE 802.1ag 7.0 draft standard, an MHF may optionally maintain a MIP CCM database as it is not required for conformance to this standard. A MIP CCM database, if present, maintains the information received from the MEPs in the MD and can be used by the Linktrace Protocol. This implementation of Ethernet OAM does not support the optional MIP CCM database. As per section 19.4.4 of the IEEE 802.1ag 7.0 draft standard, LTM is forwarded on the basis of the source learning filtering database. Because the MIP CCM database is not supported in this release, MIPs will not forward LTM on blocked egress ports.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 432 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IP Specifications
RFCs Supported RFC 791Internet Protocol RFC 792Internet Control Message Protocol RFC 826An Ethernet Address Resolution Protocol 2784Generic Routing Encapsulation (GRE) 2890Key and Sequence Number Extensions to GRE (extensions defined are not supported) 1701Generic Routing Encapsulation (GRE) 1702Generic Routing Encapsulation over IPV4 Networks 2003-IP Encapsulation within IP. 4094 (including default VLAN 1) 4094 IP and 256 IPX (single MAC router mode) 8 8 4096 127 RIP, OSPF, and BGP 200
Maximum VLANs per switch Maximum router VLANs per switch Maximum IP interfaces per VLAN Maximum number of GRE tunnel interfaces Maximum IP interfaces per switch Maximum number of IPIP tunnel interfaces Routing protocols supported over the tunnel interfaces Maximum ARP filters per switch
IP Defaults
Description IP-Directed Broadcasts Time-to-Live Value IP interfaces ARP filters Default Off 64 Hops VLAN 1 interface 0
IP Overview
IP is a network-layer (Layer 3) protocol that contains addressing and control information that enables packets to be forwarded on a network. IP is the primary network-layer protocol in the Internet protocol suite. Along with TCP, IP represents the heart of the Internet protocols. IP is enabled on the switch by default and there are few options that can, or need to be, configured.
IP Protocols
IP is associated with several Layer 3 and Layer 4 protocols. These protocols are built into the base code loaded on the switch. A brief overview of supported IP protocols is included below.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 433 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Transport Protocols
IP is both connectionless (it forwards each datagram separately) and unreliable (it does not guarantee delivery of Datagrams). This means that a datagram may be damaged in transit, or thrown away by a busy switch, or simply never make it to its destination. The resolution of these transit problems is to use a Layer 4 transport protocol, such as: TCPA major data transport mechanism that provides reliable, connection-oriented, full-duplex data streams. While the role of TCP is to add reliability to IP, TCP relies upon IP to do the actual delivering of Datagrams. UDPA secondary transport-layer protocol that uses IP for delivery. UDP is not connection-oriented and does not provide reliable end-to-end delivery of Datagrams. But some applications can safely use UDP to send Datagrams that do not require the extra overhead added by TCP.
Application-Layer Protocols
Application-layer protocols are used for switch configuration and management: Bootstrap Protocol (BOOTP)/Dynamic Host Configuration Protocol (DHCP)May be used by an end station to obtain an IP address. The switch provides a DHCP Relay that allows BOOTP requests/replies to cross-different networks. Simple Network Management Protocol (SNMP)Allows communication between SNMP managers and SNMP agents on an IP network. Network administrators use SNMP to monitor network performance and manage network resources. TelnetUsed for remote connections to a device. You can telnet to a switch and configure the switch and the network using the CLI. File Transfer Protocol (FTP)Enables the transfer of files between hosts. This protocol is used to load new images onto the switch.
Additional IP Protocols
There are several additional IP-related protocols that may be used with IP forwarding. These protocols are included as part of the base code. Address Resolution Protocol (ARP)Used to match the IP address of a device with its physical (MAC) address. Virtual Router Redundancy Protocol (VRRP)Used to back up routers. Internet Control Message Protocol (ICMP)Specifies the generation of error messages, test packets, and informational messages related to IP. ICMP supports the ping command used to determine if hosts are online. Router Discovery Protocol (RDP)Used to advertise and discover routers on the LAN. Multicast ServicesIncludes IP multicast switching (IPMS)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 434 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IP Forwarding
Network device traffic is bridged (switched) at the Layer 2 level between ports that are assigned to the same VLAN. However, if a device needs to communicate with another device that belongs to a different VLAN, then Layer 3 routing is necessary to transmit traffic between the VLANs. Bridging makes the decision on where to forward packets based on the packets destination MAC address; routing makes the decision on where to forward packets based on the packets IP network address (e.g., IP - 21.0.0.10). Alcatel-Lucent switches support routing of IP traffic. A VLAN is available for routing when at least one router interface is defined for that VLAN and at least one active port is associated with the VLAN. If a VLAN does not have a router interface, the ports associated with that VLAN are in essence firewalled from other VLANs. IP Multinetting is also supported. A network is said to be multinetted when multiple IP subnets are brought together within a single broadcast domain. It is now possible to configure up to eight IP interfaces per VLAN and a maximum of 4096 interfaces per switch. Each interface is configured with a different subnet. As a result, traffic from each configured subnet can coexist on the same VLAN. In the illustration below, an IP router interface has been configured on each VLAN. Therefore, workstations connected to ports on VLAN 1 on Switch 1 can communicate with VLAN 2; and workstations connected to ports on VLAN 3 on Switch 2 can communicate with VLAN 2. Also, ports from both switches have been assigned to VLAN 2, and a physical connection has been made between the switches. Therefore, workstations connected to VLAN 1 on Switch 1 can communicate with workstations connected to VLAN 3 on Switch 2.
If the switch is running in single MAC router mode, a maximum of 4094 VLANs can have IP interfaces defined and a maximum of 256 VLANs can have IPX interfaces defined. In this mode, each router VLAN is assigned the same MAC address, which is the base chassis MAC address for the switch.
Static Route
Static routes are user-defined routes that allow you to define, or customize, an explicit path to an IP network segment, which is then added to the IP Forwarding table. Static routes can be created between VLANs to enable devices on these VLANs to communicate. When you create a static route, the default metric value of 1 is used. However, you can change the priority of the route by increasing its metric value. The lower the metric value, the higher the priority. This metric is added to the metric cost of the route. The metric range is 1 to 15. Static routes do not age out of the IP Forwarding table; you must delete them from the table. Note. A static route is not active unless the gateway it is using is active.
Default Route
A default route can be configured for packets destined for networks that are unknown to the switch. OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 435 Software & Hardware Release: AOSv6.3.1r01 Alcatel-Lucent-ESD Calabasas/CA./USA
ARP Filtering
ARP filtering is used to determine whether or not the switch responds to ARP requests that contain a specific IP address. This feature is generally used in conjunction with the Local Proxy ARP application; however, ARP filtering is available for use on its own and/or with other applications. By default, no ARP filters exist in the switch configuration. When there are no filters present, all ARP packets are processed, unless they are blocked or redirected by some other feature.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 436 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IP-Directed Broadcasts
An IP directed broadcast is an IP datagram that has all zeroes or all 1 in the host portion of the destination IP address. The packet is sent to the broadcast address of a subnet to which the sender is not directly attached. Directed broadcasts are used in denial-of-service smurf attacks. In a smurf attack, a continuous stream of ping requests is sent from a falsified source address to a directed broadcast address, resulting in a large stream of replies, which can overload the host of the source address. By default, the switch drops directed broadcasts. Typically, directed broadcasts should not be enabled.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 437 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IP Services
When a switch initially boots up, all supported TCP/UDP well-known service ports are enabled (open). Although these ports provide access for essential switch management services, such as telnet, ftp, snmp, etc., they also are vulnerable to DoS attacks. It is possible to scan open service ports and launch such attacks based on well-known port information. The ip service command allows you to selectively disable (close) TCP/UDP well-known service ports and enable them when necessary. This command only operates on TCP/UDP ports that are opened by default. It has no affect on ports that are opened by loading applications, such as RIP, etc. In addition, the ip service command allows you to designate which port to enable or disable by specifying the name of a service or the well-known port number associated with that service. The following table lists ip service command options for specifying TCP/UDP services and also includes the well-known port number associated with each service: Service Port 21 FTP 22 SSH 23 Telnet HTTP 80 443 Secure-HTTP A-VLAN-HTTP 260 261 AVLAN-Secure-HTTP A-VLAN-Telnet 259 67 UDP-Relay Network-Time 123 161 SNMP Proprietary 1024 1025 Proprietary
Managing IP
The following sections describe IP commands that can be used to monitor and troubleshoot IP forwarding on the switch.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 438 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Additional ICMP messages include: Echo-Request MessageGenerated by the ping command, the message is sent by any host to test node reach ability across an Internetwork. The ICMP echo-reply message indicates that the node can be successfully reached. Redirect MessageSent by the switch to the source host to stimulate more efficient routing. The switch still forwards the original packet to the destination. ICMP redirect messages allow host routing tables to remain small because it is necessary to know the address of only one switch, even if that switch does not provide the best path. Even after receiving an ICMP redirect message, some devices might continue using the less-efficient route. Time-Exceeded MessageSent by the switch if an IP packets TTL field reaches zero. The TTL field prevents packets from continuously circulating the Internetwork if the Internetwork contains a routing loop. Once a packets TTL field reaches 0, the switch discards the packet.
Tracing an IP Route
The traceroute command is used to find the path taken by an IP packet from the local switch to a specified destination. This command displays the individual hops to the destination as well as some timing information. When using this command, you must enter the name of the destination as part of the command line (either the IP address or host name). Use the optional max-hop parameter to set a maximum hop count to the destination. If the trace reaches this maximum hop count without reaching the destination, the trace stops.
Tunneling
Tunneling is a mechanism that can encapsulate a wide variety of protocol packet types and route them through the configured tunnels. Tunneling is used to create a virtual point-to-point link between routers at remote points in a network. This feature supports the creation, administration, and deletion of IP interfaces whose underlying virtual device is a tunnel. The Alcatel-Lucent implementation provides support for two tunneling protocols: Generic Routing Encapsulation (GRE) and IP encapsulation within IP (IPIP). Note. The tunneling feature is supported by OmniSwitch 6850 and OmniSwitch 9000.
IP Encapsulation within IP
IPIP tunneling is a method by which an IP packet is encapsulated within another IP packet. The Source Address and Destination Address of the outer IP header identifies the endpoints of tunnel. Whereas Source Address and Destination Address of the inner IP header identifies the original sender and recipient of the packet, respectively. Consider the following when configuring the IPIP tunnel interfaces: A switch can support up to 127 IPIP tunnel interfaces. IPIP tunnel interfaces are included in the maximum number of IP interfaces that are supported on the switch.
Tunneling operation
The diagram below illustrates how packets are forwarded over the tunnel. In the above diagram, IP packets flowing from the private IP network 50.0.0.0 to the private IP network 40.0.0.0 are encapsulated by the tunneling protocol at switch A and forwarded to switch B. Intermediate switches route the packets using addresses in the delivery protocol header. Switch B extracts the original payload and routes it to the appropriate destination in the 40.0.0.0 network. The tunnel interface is identified as being up when all of the following are satisfied: Both source and destination addresses are assigned. The source address of the tunnel is one of the switch's IP interface addresses that is either a VLAN or loopback0 interface. A route is available to reach the destination IP address. A route whose egress interface is a VLANbased interface is available for its destination IP address.The switch supports assigning an IP address as well as routes to a tunnel interface.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 440 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IPv6
Internet Protocol version 6 (IPv6) is the next generation of Internet Protocol version 4 (IPv4). Both versions are supported along with the ability to tunnel IPv6 traffic over IPv4. Implementing IPv6 solves the limited address problem currently facing IPv4, which provides a 32-bit address space. IPv6 increases the address space available to 128 bits.
IPv6 Specifications
RFCs Supported
Note: RFC 2893 has been obsoleted by RFC4213. RFC4213 is now supported, but it does not include Automatic tunnels. Therefore, the main difference is that the new RFC4213 does not contain an automatic tunneling capability.
Maximum VLANs per switch Maximum IPv6 router VLANs per switch Maximum IPv4 router VLANs per switch Maximum IPv4interfcase per VLAN Maximum ARP entries per system Maximum IPv6 interfaces per tunnel Maximum IPv6 static routes Maximum RIPng routes Maximum RIPng interfaces Maximum OSPFv3 routes Maximum OSPFv3 interfaces Maximum OSPFv3 adjacencies Maximum OSPFv3 areas Maximum OSPFv3 sessions OSPF ECMP Gateways per destination Maximum BGP routes Maximum IP route entries (RIB) Maximum route entries per FIB Maximum BGP peers per system OSPF LSDB size Maximum IPv6 router interfaces per system -multiple router MAC mode Maximum 6to4 tunnels per switch Maximum configured tunnels per switch
2460Internet Protocol, Version 6 (IPv6) Specification 2461Neighbor Discovery for IP Version 6 (IPv6) 2462IPv6 Stateless Address Auto-configuration 2463Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification 2464Transmission of IPv6 Packets Over Ethernet Networks 2893Transition Mechanisms for IPv6 Hosts and Routers 3513Internet Protocol Version 6 (IPv6) Addressing Architecture 3056Connection of IPv6 Domains via IPv4 Clouds 4094 (including default VLAN 1) 4094 IP and 256 IPX (single MAC router mode) 4094 IP and 256 IPX (single MAC router mode) 1 4K 1 1,000 5K 100 10K 10 10 5 1 4 None 10K None None 2000 256 1 255
IPv6 Defaults
Description Global status of IPv6 on the switch IPv6 interfaces Default Enabled None
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 441 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IPv6 Overview
IPv6 provides the basic functionality that is offered with IPv4 but includes the following enhancements and features not available with IPv4: Increased IP address sizeIPv6 uses a 128-bit address, a substantial increase over the 32-bit IPv4 address size. Providing a larger address size also significantly increases the address space available, thus eliminating the concern over running out of IP addresses. Auto-configuration of addressesWhen an IPv6 interface is created or a device is connected to the switch, an IPv6 linklocal address is automatically assigned for the interface and/or device. Anycast addressesA new type of address. Packets sent to an Anycast address are delivered to one member of the Anycast group. Simplified header formatA simpler IPv6 header format is used to keep the processing and bandwidth cost of IPv6 packets as low as possible. As a result, the IPv6 header is only twice the size of the IPv4 header despite the significant increase in address size. Improved support for header optionsImproved header option encoding allows more efficient forwarding, fewer restrictions on the length of options, and greater flexibility to introduce new options. Security improvementsExtension definitions provide support for authentication, data integrity, and confidentiality. Neighbor Discovery protocolA protocol defined for IPv6 that detects neighboring devices on the same link and the availability of those devices. Additional information that is useful for facilitating the interaction between devices on the same link is also detected (e.g., neighboring address prefixes, address resolution, duplicate address detection, link MTU, and hop limit values, etc.). This implementation of IPv6 also provides the following mechanisms to maintain compatibility between IPv4 and IPv6: Dual-stack support for both IPv4 and IPv6 on the same switch Configuration of IPv6 and IPv4 interfaces on the same VLAN. Tunneling of IPv6 traffic over an IPv4 network infrastructure Embedded IPv4 addresses in the four lower-order bits of the IPv6 address. The remainder of this section provides a brief overview of the new IPv6 address notation, auto-configuration of addresses, and tunneling of IPv6 over IPv4.
IPv6 Addressing
One of the main differences between IPv6 and IPv4 is that the address size has increased from 32 bits to 128 bits. Going to a 128-bit address also increases the size of the address space to the point where running out of IPv6 addresses is not a concern. The following types of IPv6 addresses are supported: UnicastStandard unicast addresses, similar to IPv4. MulticastAddresses that represent a group of devices. Traffic sent to a multicast address is delivered to all members of the multicast group. AnycastTraffic that is sent to this type of address is delivered to one member of the Anycast group. The device that receives the traffic is usually the one that is easiest to reach as determined by the active routing protocol. Note. IPv6 does not support the use of broadcast addresses. This functionality is replaced using improved multicast addressing capabilities. IPv6 address types are identified by the high-order bits of the address, as shown in the following table: Address Type Unspecified Loop back Multicast Link-local unicast Site-local unicast Global unicast Binary Prefix 000 (128 bits) 001 (128 bits) 11111111 1111111010 1111111011 Everything else IPv6 Notation ::/128 ::1/128 FF00::/8 FE90::/10 FEC0::/10
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 442 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 443 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Both stateless and Stateful auto-configuration is supported for devices, such as a workstation, when they are connected to the switch. When the stateless method is used in this instance, the device listens for router advertisements in order to obtain a subnet prefix. Combining the subnet prefix with the interface ID for that device then forms the unicast address for the device. Stateful auto-configuration refers to the use of an independent server, such as a DHCP server, to obtain an IPv6 unicast address and other related information. Of course, manual configuration of an IPv6 address is always available for devices as well. Regardless of how an IPv6 address is obtained, duplicate address detection (DAD) is performed before the address is assigned to an interface or device. If a duplicate is found, the address is not assigned. Note that DAD is not performed for Anycast addresses. Please refer to RFCs 2462, 2464, and 3513 for more technical information about auto-configuration and IPv6 address notation.
6to4 Tunnels
6to4 tunneling provides a mechanism for transporting IPv6 host traffic over an IPv4 network infrastructure to other IPv6 hosts and/or domains without having to configure explicit tunnel endpoints. Instead, an IPv6 6to4 tunnel interface is created at points in the network where IPv6 packets are encapsulated (IPv4 header added) prior to transmission over the IPv4 network or decapsulates (IPv4 header stripped) for transmission to an IPv6 destination. An IPv6 6to4 tunnel interface is identified by its assigned address, which is derived by combining a 6to4 well-known prefix (2002) with a globally unique IPv4 address and embedded as the first 48 bits of an IPv6 address. For example, 2002:d467:8a89::137/64, where D467:8A89 is the hex equivalent of the IPv4 address 212.103.138.137. 6to4 tunnel interfaces are configured on routers and identify a 6to4 site. Because 6to4 tunnels are point-to-multi-point in nature, any one 6to4 router can communicate with one or more other 6to4 routers across the IPv4 cloud. Two common scenarios for using 6to4 tunnels are described below.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 444 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
In the above diagram: 1 The 6to4 hosts receive 6to4 prefix from Router Advertisement. 2 The 6to4 host sends IPv6 packets to 6to4 border router. 3 The 6to4 border router encapsulates IPv6 packets with IPv4 headers and sends to the destination 6to4 border router over the IPv4 domain. 4 The destination 6to4 border router strips IPv4 header and forwards to 6to4 destination host.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 445 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
In the above diagram: 1 The 6to4 relay router advertises a route to 2002::/16 on its IPv6 router interface. 2 The IPv6 host traffic received by the relay router that has a next hop address that matches 2002::/16 is routed to the 6to4 tunnel interface configured on the relay router. 3 The traffic routed to the 6to4 tunnel interface is then encapsulated into IPv4 headers and sent to the destination 6to4 router over the IPv4 domain. 4 The destination 6to4 router strips the IPv4 header and forwards it to the IPv6 destination host.
Configured Tunnels
A configured tunnel is where the endpoint addresses are manually configured to create a point-to-point tunnel. This type of tunnel is similar to the 6to4 tunnel on which IPv6 packets are encapsulated in IPv4 headers to facilitate communication over an IPv4 network. The difference between the two types of tunnels is that configured tunnel endpoints require manual configuration, whereas 6to4 tunneling relies on an embedded IPv4 destination address to identify tunnel endpoints. Note that RFC 2893 also discusses automatic tunnels, which are not supported with this implementation of IPv6. Note: RFC 2893 has been obsoleted by RFC4213. RFC4213 is now supported, but it does not include automatic tunnels. Therefore, the main difference is that the new RFC4213 does not contain an automatic tunneling capability. OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 446 Software & Hardware Release: AOSv6.3.1r01 Alcatel-Lucent-ESD Calabasas/CA./USA
IPX
The Internet Packet Exchange (IPX) protocol, developed by Novell for NetWare, is a Layer 3 protocol used to route packets through IPX networks. (NetWare is Novells network server operating system.). This feature supports IPX routing, and fine-tuning IPX using optional IPX configuration parameters (e.g., IPX packet extension, type-20 propagation). It also supports IPX filtering, which is used to control the operation of the IPX RIP/SAP protocols.
IPX Specifications
Specifications Supported IPX RIP and Service Advertising Protocol (SAP) router specification; version 1.30; May 23, 1996 Part No. 107-000029-001
IPX Defaults
Description IPX Defaults Type-20 Packet Forwarding Extended RIP/SAP Packets RIP/SAP Timers Default Enabled Disabled Disabled 60 (seconds)
IPX Overview
IPX specifies a connectionless datagram similar to the IP packet of TCP/IP networks. An IPX network address consists of two parts: a network number and a node number. The network administrator assigns the IPX network number. The node number is the Media Access Control (MAC) address for a network interface in the end node. IPX exchanges information using its own version of RIP, which sends updates every 60 seconds. NetWare also supports SAP to allow network resources, including file and print servers, to advertise their network addresses and the services they provide. The user can also define routes. These routes, called static routes, have higher priority than routes learned through RIP. When IPX is enabled, devices connected to ports on the same VLAN are able to communicate. However, to route packets between VLANs, you must create an IPX router port on each VLAN. In the illustration below, a router port has been configured on each VLAN. Therefore, workstations connected to ports on VLAN 1 on Switch 1 can communicate with VLAN 2; and workstations connected to ports on VLAN 3 on Switch 2 can communicate with VLAN 2. Also, ports from both switches have been assigned to VLAN 2, and a physical connection has been made between the switches. Therefore, workstations connected to VLAN 1 on Switch 1 can communicate with workstations connected to VLAN 3 on Switch 2.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 447 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
In IPX routing, the switch builds routing tables to keep track of optimal destinations for traffic it receives that is destined for remote IPX networks. The switch sends and receives routing messages, or advertisements, to/from other switches in the network. When the switch receives an IPX packet, it looks up the destination network number in its routing table. If the network is directly connected to the switch, the switch also checks the destination node address. IPX is associated with additional protocols built into the switch software. The switch supports the following IPX protocols: IPX RIPLayer 3 protocol used by NetWare routers to exchange IPX routing information. IPX RIP and IP RIP functions are similar. IPX RIP uses two metrics to calculate the best route: hop count and ticks. An IPX router periodically transmits packets containing the information currently in its own routing table to neighboring IPX RIP routers to advertise the best route to an IPX destination. SAPLayer 3 protocol used by NetWare routers to exchange IPX routing information. SAP is similar in concept to IPX RIP. Just as RIP enables NetWare routers to exchange information about routes, SAP enables NetWare devices to exchange information about available network services. NetWare workstations use SAP to obtain the network addresses of NetWare servers. IPX routers use SAP to gather service information and then share it with other IPX routers. Sequenced Packet Exchange (SPX)Transport-layer protocol that provides a reliable end-to-end communications link by managing packet sequencing and delivery. SPX does not play a direct role in IPX routing; it simply guarantees the delivery of routed packets.
IPX Routing
When IPX is enabled, devices connected to ports on the same VLAN are able to communicate. However, to route packets to a device on a different VLAN, you must create an IPX router port on each VLAN. IPX is enabled by default. You must configure an IPX router port on a VLAN for devices on that VLAN to communicate with devices on other VLANs. You can only create one IPX router port per VLAN. VLAN router ports are not active until at least one active physical port is assigned to the VLAN. Up to 256 router ports are supported (including IP and IPX). You can configure an IP and IPX router port on the same VLAN. Both types of router ports will share the same MAC address for that VLAN. Note. Router port IPX addresses must be unique. You cannot have two router ports with the same IPX address.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 448 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Static Routes
A static route enables you to send traffic to a switch other than those learned through routing protocols. Static routes are user-defined and carry a higher priority than routes created by dynamic routing protocols. That is, if two routes have the same metric value, the static route has the higher priority. Static routes allow you to define, or customize, an explicit path to an IP network segment, which is then added to the IP forwarding table. Static routes can be created between VLANs to enable devices on these VLANs to communicate. Static routes do not age out of the routing tables; however, they can be deleted.
RIP Filters
IPX RIP filters allow you to minimize the number of entries put in the IPX RIP routing table. RIP input filters control which networks are allowed into the routing table when IPX RIP updates are received. RIP output filters control, which networks the switch, advertises in its IPX RIP updates. Note. RIP filters work only on switches running the RIP protocol. They do not work for switches running the NLSP protocol. Use RIP filters with care because they can partition a physical network into two or more segments.
SAP Filters
IPX SAP filters allow you to minimize the number of entries put in the SAP Bindery Table. SAP input filters control the SAP updates received by the switch prior to a switch accepting information about a service. The switch will filter all incoming service advertisements received before accepting information about a service. SAP output filters control which services are included in SAP updates sent by the switch.
GNS Filters
GNS output filters control which servers are included in the GNS responses sent by the switch. GNS supports output filters only.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 450 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
RIP
Routing Information Protocol (RIP) is a widely used Interior Gateway Protocol (IGP) that uses hop count as its routing metric. RIP-enabled routers update neighboring routers by transmitting a copy of their own routing table. The RIP routing table uses the most efficient route to a destination that is, the route with the fewest hops and longest matching prefix. The switch supports RIP version 1 (RIPv1), RIP version 2 (RIPv2), and RIPv2 that is compatible with RIPv1. It also supports text key and MD5 authentication, on an interface basis, for RIPv2.
RIP Specifications
RFCs supported RFC 1058RIP v1 RFC 2453RIP v2 RFC 1722RIP v2 Protocol Applicability Statement RFC 1724RIP v2 MIB Extension Maximum number of IP Routes: 48K Maximum number of RIPv2 interfaces per router: 6 Maximum number of RIPv2 peers per router, one per interface: 6 Maximum number of RIPv2 routes: 8K
RIP Defaults
Description RIP Status RIP Forced Hold-down Interval RIP Interface Metric RIP Interface Send Version RIP Interface Receive Version RIP Host Route RIP Route Tag Redistribution Status Redistribution Metric Redistribution Filter Effect Redistribution Filter Metric Redistribution Filter Control Redistribution Filter Route Tag RIP Interface Authentication Defaults Disable 0 1 V2 Both Enable 0 Disable 0 Permit 0 All-subnets 0 None
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 451 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
RIP Overview
In switching, traffic may be transmitted from one media type to another within the same VLAN. Switching happens at Layer 2, the link layer; routing happens at Layer 3, the network layer. In IP routing, traffic can be transmitted across VLANs. When IP routing is enabled, the switch uses routing protocols to build routing tables that keep track of stations in the network and decide the best path for forwarding data. When the switch receives a packet to be routed, it strips off the MAC header and examines the IP header. It looks up the source/destination address in the routing table, and then adds the appropriate MAC address to the packet. Calculating routing tables and stripping/adding MAC headers to packets is performed by switch software. IP is associated with several Layer 3 routing protocols. RIP is built into the base code loaded onto the switch. Others are part of Alcatel-Lucents optional Advanced Routing Software. IP supports the following IP routing protocols: RIP: An IGP that defines how routers exchange information. RIP makes routing decisions using a least-cost path method. RIPv1 and RIPv2 services allow the switch to learn routing information from neighboring RIP routers. Open Shortest Path First (OSPF): An IGP that provides a routing function similar to RIP but uses different techniques to determine the best route for a datagram. OSPF is part of Alcatel-Lucents optional Advanced Routing Software. When RIP is initially enabled on a switch, it issues a request for routing information, and listens for responses to the request. If a switch configured to supply RIP hears the request, it responds with a response packet based on information in its routing database. The response packet contains destination network addresses and the routing metric for each destination. When a RIP response packet is received, RIP takes the information and rebuilds the switchs routing database, adding new routes and better (lower metric) routes to destinations already listed in the database. RIP uses a hop count metric to measure the distance to a destination. In the RIP metric, a switch advertises directly connected networks at a metric of 1. Networks that are reachable through one other gateway are 2 hops; networks that are reachable through two gateways are 3 hops, etc. Thus, the number of hops (or hop count) along a path from a given source to a given destination refers to the number of networks that are traversed by a datagram along that path. When a switch receives a routing update that contains a new or changed destination network entry, the switch adds one to the metric value indicated in the update and enters the network in the routing table. After updating its routing table, the switch immediately begins transmitting routing updates to inform other network switches of the change. These updates are sent independently of the regularly scheduled updates. By default, RIP packets are broadcast every 30 seconds, even if no change has occurred anywhere in a route or service. RIP deletes routes from the database if the next switch to that destination says the route contains more than 15 hops. In addition, all routes through a gateway are deleted by RIP if no updates are received from that gateway for a specified time period. If a gateway is not heard from for 180 seconds, all routes from that gateway are placed in a hold-down state. If the hold-down timer value is exceeded, the routes are deleted from the routing database. These intervals also apply to deletion of specific routes.
RIP Version 2
RIP version 2 (RIPv2) adds additional capabilities to RIP. Not all RIPv2 enhancements are compatible with RIPv1. To avoid supplying information to RIPv1 routes that could be misinterpreted, RIPv2 can only use non-compatible features when its packets are multicast. RIPv1 does not support multicast. On inter-faces that are not compatible with IP multicast, the RIPv1compatible packets used do not contain potentially confusing information. RIPv2 enhancements are listed below. Next HopRIPv2 can advertise a next hop other than the switch supplying the routing update. This capability is useful when advertising a static route to a silent switch not using RIP, since packets passing through the silent switch do not have to cross the network twice. Network MaskRIPv1 assumes that all sub-networks of a given network have the same network mask. It uses this assumption to calculate the network masks for all routes received. This assumption prevents subnets with different net-masks from being included in RIP packets. RIPv2 adds the ability to specify the network mask with each network in a packet. Because RIPv1 switches ignore the network mask in RIPv2 packets, their calculation of the network mask could possibly be wrong. For this reason, RIPv1-compatible RIPv2 packets cannot contain networks that would be misinterpreted by RIPv1. These networks must only be provided in native RIPv2 packets that are multicast. AuthenticationRIPv2 packets can contain an authentication key that may be used to verify the validity of the supplied routing data. Authentication may be used in RIPv1-compatible RIPv2 packets, but RIPv1 switches will ignore authentication information. The authentication is a simple password in which an authentication key of up to 16 characters is included in the packet. If this key does not match the configured authentication key, the packet is discarded.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 452 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IP MulticastIP Multicast Switching (IPMS) is a one-to-many communication technique employed by emerging applications such as video distribution, news feeds, netcasting, and resource discovery. Unlike unicast, which sends one packet per destination, multicast sends one packet to all devices in any sub-network that has at least one device requesting the multicast traffic.
RIP Routing
IP routing requires IP router ports to be configured on VLANs and a routing protocol to be enabled and configured on the switch. RIP also requires a RIP interface to be created and enabled on the routing port. In the illustration below, a router port and RIP interface have been configured on each VLAN. Therefore, workstations connected to ports on VLAN 1 on Switch 1 can communicate with VLAN 2; and workstations connected to ports on VLAN 3 on Switch 2 can communicate with VLAN 2. Also, ports from both switches have been assigned to VLAN 2, and a physical connection has been made between the switches. Therefore, workstations connected to VLAN 1 on Switch 1 can communicate with workstations connected to VLAN 3 on Switch 2.
Note. In simple networks where only IP forwarding is required, you may not want to use RIP. If you are not using RIP, it is best not to load it to save switch resources. Note. You can create a RIP interface even if an IP router port has not been configured. However, RIP will not function unless a RIP interface is created and enabled on an IP router port.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 453 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
RIP Redistribution
Redistribution provides a way to exchange routing information between RIP networks and OSPF and BGP networks; and also redistributes local and static routes into RIP. Basically, redistribution makes a non-RIP route look like a RIP route. Configuring RIP redistribution consists of the following tasks: Enabling RIP Redistribution Configuring a RIP Redistribution Policy Configuring a RIP Redistribution Filter o Creating a Filter o Configuring a Redistribution Filter Action (optional) o Configuring a Redistribution Metric (optional)
Redistribution Metric
When redistributing routes into RIP, the metric for the redistributed route is calculated as a summation of the routes metric and the corresponding metric in the redistribution policy. This is the case when the matching filter metric is 0 (the default). However, if the matching redistribution filter metric is set to a non-zero value, the redistributed routes metric is set to the filter metric. This gives better control of the metric when redistributing non-RIP routes into RIP. Note that if the metric calculated for the redistributed route, as described above, is greater than 15 (RIP_UNREACHABLE) or greater than the metric of an existing pure RIP route, the new route is not redistributed.
RIP Security
By default, there is no authentication used for a RIP. However, you can configure a password for a RIP interface. To configure a password, you must first select the authentication type (simple or MD5), and then configure a password. If simple or MD5 password authentication is used, both switches on either end of a link must share the same password. If you configure simple or MD5 authentication you must configure a text string that will be used as the password for the RIP interface. If a password is used, all switches that are intended to communicate with each other must share the same password.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 454 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OSPFv2 / OSPFv3
Open Shortest Path First routing (OSPF) is a shortest path first (SPF), or link state, protocol. OSPF is an interior gateway protocol (IGP) that distributes routing information between routers in a single Autonomous System (AS). OSPF chooses the least-cost path as the best path. OSPF is suitable for complex networks with large numbers of routers since it provides faster convergence where multiple flows to a single destination can be forwarded on one or more interfaces simultaneously. On OmniSwitch 6850 switches only, OSPF version 3 for IPv6 is supported.
OSPFv2 Specifications
RFCs Supported 1370Applicability Statement for OSPF 1850OSPF Version 2 Management Information Base 2328OSPF Version 2 2370The OSPF Opaque LSA Option 3101The OSPF Not-So-Stubby Area (NSSA) Option 3623Graceful OSPF Restart The following values are the maximum limits enforced by the code. Maximum number of Areas (per router): 32 Maximum number of Interfaces (per area): 100 Maximum number of Interfaces (per router): 32 x 100 (Limited only by max. num of IPv4 interfaces = 4096) Maximum number of Link State Database entries (per router): 96K Maximum number of neighbors/adjacencies (per router): 254 Maximum number of neighbors/adjacencies (per area): 128 Maximum number of routes (per router): 96K Maximum number of OSPFv2- ECMP gateways (per destination): 4 Max number of OSPFv2 Sessions: 1 The following values are the tested limits with functionally verified (stress test). On OS6850 ABR routers: Max number of IP Routes on OS6850 router: 12K Max number of OSPFv2 Routes on OS6850 router: 12K Max number of OSPFv2 Interfaces on OS6850 ABR: 48 Max number of OSPFv2 Areas on OS6850 ABR: 6 Max number of OSPFv2 Adjacencies on OS6850 ABR: 48 Max number of LSAs on OS6850 ABR: 12K Tested number of OSPFv2- ECMP gateways (per destination): 4 Max number of OSPFv2 Sessions: 1 On OS6850 non-ABR routers: Max number of IP Routes on OS6850 router: 96K Max number of OSPFv2 Routes on OS6850 router: 96K Max number of OSPFv2 Interfaces on OS6850 non-ABR: 27 Max number of OSPFv2 Areas on OS6850 non-ABR: 6 Max number of OSPFv2 Adjacencies on OS6850 non-ABR: 27 Max number of LSAs on OS6850 non-ABR: 24K Tested number of OSPFv2- ECMP gateways (per destination): 4 Max number of OSPFv2 Sessions: 1 Notes: Please note that, the above OSPFv2 specifications may vary depending on the available system resources, and/or customer specific networking requirements & configurations. Please also note that, depending on the number of Areas, Interfaces, Adjacencies, and Neighbors configured, the maximum number of routes may vary. Please contact our customer Service & Support team, should your required specifications fall between "the limits as enforced by the code" and "the limits as functionally tested".
OSPFv2 Specifications
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 455 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OSPFv2 Defaults
Parameter Description Enables OSPF. Enables an area. Enables an interface. Enables OSPF redistribution. Sets the overflow interval value. Assigns a limit to the number of External Link-State Database (LSDB) entries. Configures timers for Shortest Path First (SPF) calculation. Creates or deletes an area default metric. Default Value/Comments Disabled Disabled Disabled Disabled 0 -1 Delay: 5 Hold: 10 ToS: 0 Type: OSPF Cost: 1 40 seconds (broadcast and point-to-point) 120 seconds (NBMA and point-to-multipoint) 10 seconds (broadcast and point-to-point) 30 seconds (NBMA and point-to-multipoint) 1 120 seconds 1 5 seconds 1 second Broadcast Disabled
Configures OSPF interface dead interval. Configures OSPF interface hello interval. Configures the OSPF interface cost. Configures the OSPF poll interval. Configures the OSPF interface priority. Configures OSPF interface retransmit interval. Configures the OSPF interface transit delay. Configures the OSPF interface type. Configures graceful restart on switches
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 456 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OSPFv3 Specifications
RFCs Supported 2740 -OSPF for IPv6 1826 - IP Authentication Header 1827 - IP Encapsulating Security Payload 2553 - Basic Socket Interface Extensions for IPv6 2373 - IPv6 Addressing Architecture 2374 - An IPv6 Aggregatable Global Unicast Address Format 2460 - IPv6 base specification draft-ietf-ospf-ospfv3-graceful-restart-xx.txt OSPFv3 Graceful Restart draft-ietf-ospf-ospfv3-mibxx.txtManagement Information Base for OSPFv3 draft-ietf-ospf-ospfv3-update-00.txtOSPF for IPv6 draft-ietf-ospf-ospfv3-auth-05.txtAuthentication/ Confidentiality for OSPFv3 draft-ietf-ospf-ospfv3-mib-08.txtMIB TBS TBS TBS TBS TBS TBS TBS
Maximum number of Areas (per router) Maximum number of Interfaces (per router) Maximum number of Link State Database entries (per router) Maximum number of adjacencies (per router) Maximum number of ECMP gateways (per destination) Maximum number of neighbors (per router) Maximum number of routes (per router) Notes: Please note that, the above OSPFv3 specifications may vary depending on the available system resources, and/or customer specific networking requirements & configurations. Please also note that, depending on the number of Areas, Interfaces, Adjacencies, and Neighbors configured, the maximum number of routes may vary. Please contact our customer Service & Support team, should your required specifications fall between "the limits as enforced by the code" and "the limits as functionally tested".
OSPFv3 Defaults
Parameter Description Enables OSPFv3 Configures timers for Shortest Path First (SPF) calculation. Creates or deletes an area default metric. Configures OSPF interface dead interval. Configures OSPF interface hello interval. Configures the OSPF interface cost. Configures the OSPF poll interval. Configures the OSPF interface priority. Configures OSPF interface retransmit interval. Configures the OSPF interface transit delay. Configures the OSPF interface type. Configures graceful restart on switches Default Value/Comments Enabled Delay: 5 Hold: 10 Enabled and type of area is normal TBS TBS TBS TBS TBS TBS TBS TBS Interval 120 Helper: enabled Helper-strict-lsa-checking: Enabled 0 Metric: 0
Controls the route-tag used for ASE routes Creates an OSPF routes for directly connected hosts
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 457 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OSPF Overview
Open Shortest Path First routing (OSPF) is a shortest path first (SPF), or link-state, protocol. OSPF is an interior gateway protocol (IGP) that distributes routing information between routers in a Single Autonomous System (AS). OSPF chooses the least-cost path as the best path. Each participating router distributes its local state (i.e., the routers usable interfaces, local networks, and reachable neighbors) throughout the AS by flooding. In a link-state protocol, each router maintains a database describing the entire topology. This database is built from the collected link state advertisements of all routers. Each multi-access network that has at least two attached routers has a designated router and a backup designated router. The designated router floods a link state advertisement for the multi-access network. When a router starts, it uses the OSPF Hello Protocol to discover neighbors. The router sends Hello packets to its neighbors, and in turn receives their Hello packets. On broadcast and point-to-point networks, the router dynamically detects its neighboring routers by sending Hello packets to a multicast address. On non-broadcast and point-to-multipoint networks, some configuration information is necessary in order to configure neighbors. On all networks (broadcast or nonbroadcast), the Hello Protocol also elects a designated router for the network.
The router will attempt to form full adjacencies with all of its newly acquired neighbors. Only some pairs, however, will be successful in forming full adjacencies. Topological databases are synchronized between pairs of fully adjacent routers. Adjacencies control the distribution of routing protocol packets. Routing protocol packets are sent and received only on adjacencies. In particular, distribution of topological database updates proceeds along adjacencies. Link state is also advertised when a routers state changes. A routers adjacencies are reflected in the contents of its link state advertisements. This relationship between adjacencies and link state allows the protocol to detect downed routers in a timely fashion. Link state advertisements are flooded throughout the AS. The flooding algorithm ensures that all routers have exactly the same topological database. This database consists of the collection of link state advertisements received from each router belonging to the area. From this database each router calculates a shortest-path tree, with itself as root. This shortest-path tree in turn yields a routing table for the protocol.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 458 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OSPF Areas
OSPF allows collections of contiguous networks and hosts to be grouped together as an area. Each area runs a separate copy of the basic link-state routing algorithm (usually called SPF). This means that each area has its own topological database.
An areas topology is visible only to the members of the area. Conversely, routers internal to a given area know nothing of the detailed topology external to the area. This isolation of knowledge enables the protocol to reduce routing traffic by concentrating on small areas of an AS, as compared to treating the entire AS as a single link-state domain. Areas cause routers to maintain a separate topological database for each area to which they are connected. (Routers connected to multiple areas are called area border routers). Two routers belonging to the same area have identical area topological databases. Different areas communicate with each other through a backbone. The backbone consists of routers with contacts between multiple areas. A backbone must be contiguous (i.e., it must be linked to all areas). The backbone is responsible for distributing routing information between areas. The backbone itself has all of the properties of an area. The topology of the backbone is invisible to each of the areas, while the backbone itself knows nothing of the topology of the areas. All routers in an area must agree on that areas parameters. Since a separate copy of the link-state algorithm is run in each area, most configuration parameters are defined on a per-router basis. All routers belonging to an area must agree on that areas configuration. Misconfiguration will keep neighbors from forming adjacencies between themselves, and OSPF will not function.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 459 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Classification of Routers
When an AS is split into OSPF areas, the routers are further divided according to function into the following four overlapping categories: Internal routers: A router with all directly connected networks belonging to the same area. These routers run a single copy of the SPF algorithm. Area border routers: A router that attaches to multiple areas. Area border routers run multiple copies of the SPF algorithm, one copy for each attached area. Area border routers condense the topological information of their attached areas for flooding to other areas. Backbone routers: A router that has an interface to the backbone. This includes all routers that inter-face to more than one area (i.e., area border routers). However, backbone routers do not have to be area border routers. Routers with all interfaces connected to the backbone are considered to be internal routers. AS boundary routers: A router that exchanges routing information with routers belonging to other Autonomous Systems. Such a router has AS external routes that are advertised throughout the Autonomous System. Every router in the AS knows the path to each AS boundary router. This classification is completely independent of the previous classifications (i.e., internal, area border, and backbone routers). AS boundary routers may be internal or area border routers, and may or may not participate in the backbone.
Virtual Links
It is possible to define areas in such a way that the backbone is no longer contiguous. (This is not an ideal OSPF configuration, and maximum effort should be made to avoid this situation.) In this case the system administrator must restore backbone connectivity by configuring virtual links. Virtual links can be configured between any two-backbone routers that have a connection to a common non-backbone area. The protocol treats two routers joined by a virtual link as if an unnumbered point-to-point network connected them. The routing protocol traffic that flows along the virtual link uses intra-area routing only. The physical connection between the two routers is not managed by the network administrator (i.e., there is no dedicated connection between the routers as there is with the OSPF backbone).
In the above diagram, Router A and Router B are connected via a virtual link in Area 1, which is known as a transit area.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 460 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Stub Areas
OSPF allows certain areas to be configured as stub areas. A stub area is an area with routers that have no AS external Link State Advertisements (LSAs). In order to take advantage of the OSPF stub area support, default routing must be used in the stub area. This is accomplished by configuring only one of the stub areas border routers to advertise a default route into the stub area. The default routes will match any destination that is not explicitly reachable by an intra-area or inter-area path (i.e., AS external destinations).
Area 1 and Area 3 could be configured as stub areas. The OSPF protocol ensures that all routers belonging to an area agree on whether the area has been configured as a stub. This guarantees that no confusion will arise in the flooding of AS external advertisements. Two restrictions on the use of stub areas are: Virtual links cannot be configured through stub areas. AS boundary routers cannot be placed internal to stub areas.
Not-So-Stubby-Areas
NSSA, or not-so-stubby area, is an extension to the base OSPF specification and is defined in RFC 1587. An NSSA is similar to a stub area in many ways: AS-external LSAs are not flooded into an NSSA and virtual links are not allowed in an NSSA. The primary difference is that selected external routing information can be imported into an NSSA and then redistributed into the rest of the OSPF routing domain. These routes are imported into the NSSA using a new LSA type: Type-7 LSA. Type-7 LSAs are flooded within the NSSA and are translated at the NSSA boundary into ASexternal LSAs so as to convey the external routing information to other areas. NSSAs enable routers with limited resources to participate in OSPF routing while also allowing the import of a selected number of external routes into the area. For example, an area, which connects to a small external routing domain running RIP, may be configured as an NSSA. This will allow the import of RIP routes into this area and the rest of the OSPF routing domain and at the same time, prevent the flooding of other external routing information (learned, for example, through RIP) into this area. All routers in an NSSA must have their OSPF area defined as an NSSA. To configure otherwise will ensure that the router will be unsuccessful in establishing an adjacent in the OSPF domain.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 461 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 462 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Delivery of packets along equal paths is based on flows rather than a round-robin scheme. Equal cost is determined based on standard routing metrics. However, other variables, such as line speed, are not considered. So it is possible for OSPF to decide two paths have an equal cost even though one may contain faster links than another.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 463 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
If the restarting router, Router X, was the Designated Router (DR) on network segment S when the helping relationship began, the helper neighbor, Router Y, maintains Router X as the DR until the helping relationship is terminated. If there are multiple adjacencies with the restarting Router X, Router Y will act as a helper on all other adjacencies. Note. OSPFv3 will implement OSPFv3 graceful restart both as a restarting system and as a helper.
Interface Authentication
OSPF allows for the use of authentication on configured interfaces. When authentication is enabled, only neighbors using the same type of authentication and the matching passwords or keys can communicate. There are two types of authentication: simple and MD5. Simple authentication requires only a text string as a password, while MD5 is a form of encrypted authentication that requires a key and a password. Both types of authentication require the use of more than one command.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 464 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IS-IS
Intermediate System-to-Intermediate System (IS-IS) is an International Organization for Standardization (ISO) dynamic routing specification. IS-IS is a shortest path first (SPF), or link state protocol. It is an interior gateway protocol (IGP) that distributes routing information between routers in a single Autonomous System (AS) in IP as well as in OSI environments. IS-IS chooses the least-cost path as the best path. IS-IS is suitable for complex networks with large number of routers since it provides faster convergence where multiple flows to a single destination can be forwarded through one or more interfaces simultaneously. IS-IS is also an ISO Connectionless Network Protocol (CLNP). It communicates with its peers using the Connectionless Mode Network Service (CLNS) PDU packets, which means that even in an IP-only environment the IS-IS router must have an ISO address. ISO network-layer addressing is done through Network Service Access Point (NSAP) addresses that identify any system in the OSI network.
IS-IS Specifications
RFCs Supported 1142-OSI IS-IS Intra-domain Routing Protocol 1195OSI IS-IS for Routing in TCP/IP and Dual Environments 3 70 70 70 255 24000 12000 12000
Maximum number of areas (per router) Maximum number of L1 adjacencies per interface (per router) Maximum number of L2 adjacencies per interface (per router) Maximum number of IS-IS interfaces (per router) Maximum number of Link State Packet entries (per adjacency) Maximum number of IS-IS routes Maximum number of IS-IS L1 routes Maximum number of IS-IS L2 routes
IS-IS Overload state IS-IS Overload state after bootup IS-IS graceful restart IS-IS graceful restart helper mode IS-IS system wait-time IS-IS adjacency check configuration Authentication type (per IS-IS level) Hello authentication (per IS-IS level)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 465 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
CSNP authentication (per IS-IS level) PSNP authentication (per IS-IS level) Wide metrics (per IS-IS level) IS-IS interface status IS-IS interface type Hello authentication (per interface) CSNP time interval (per interface) IS-IS level (per interface) LSP time interval (per interface) IS-IS passive interface Retransmission time of LSP on a point-to-point interface Hello authentication for the specified IS-IS level of an interface Hello time interval for the specified IS-IS level of an interface Number of missing Hello PDUs from a neighbor Metric value of the specified IS-IS level of the interface IS-IS passive interface (per IS-IS level) Interface level priority
Enabled Enabled Disabled Disabled Broadcast None 10 seconds (broadcast) 5 seconds (point-to-point) Level-1/2 100 milliseconds Disabled 5 Seconds None designated routers: 3 seconds non-designated routers: 9 seconds 3 10 Disabled 64
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 466 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IS-IS Overview
IS-IS is an SPF or link state protocol. IS-IS is also an IGP that distributes routing information between routers in a single AS. It supports pure IP and OSI environments, as well as dual environments (both IP and OSI). However, it is deployed extensively in IP-only environments. IS-IS uses a two-level hierarchy to support large routing domains. A large routing domain may be administratively divided into areas, with each router residing in exactly one area. Routing within an area is referred to as Level-1 routing. A Level-1 Intermediate System (IS) keeps track of routing within its own area. Routing between areas is referred to as Level-2 routing. A Level-2 IS keeps track of paths to destination areas. IS-IS identifies a device in the network by the NSAP address. NSAP address is a logical point between network and transport layers. It consists of the following three fields: NSEL fieldThe N-Selector (NSEL) field is the last byte and it must be specified as a single byte with two hex digits preceded by a period (.). Normally, the NSEL value is set to 00.The NSAP address with its NSEL set to 00 is called Network Entity Title (NET). A NET implies the network layer address of IS-IS. System ID This ID occupies the 6 bytes preceeding the NSEL field. It is customary to use either a MAC address from the router (for Integrated IS-IS) or an IP address (for example, the IP address of a loopback interface) as part of the system ID. Area IDThe area ID occupies the rest of NSAP address. When a router starts, it uses the IS-IS Hello protocol to discover neighbors and establish adjacencies. The router sends Hello packets through all IS-IS-enabled interfaces to its neighbors, and in turn receives Hello packets. In a broadcast network, the Hello protocol elects a Designated Intermediate System (DIS) for the network.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 467 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Separate DISs are elected for Level-1 and Level-2 routing. Election of the DIS is based on the highest interface priority, the default value of which is 64. Priority can also be manually configured, the range being 1127. In case of a tie, the router with the highest Subnetwork Point Of Attachment (SNPA) address (usually the MAC address) for that interface is elected as the DIS. Routers that share common data links will become IS-IS neighbors if their Hello packets contain data that meet the requirements for forming an adjacency. The requirements may differ slightly depending on the type of media being used, which is either pointto-point or broadcast. The primary criteria for forming adjacencies are authentication match, IS-type, and MTU size. Adjacencies control the distribution of routing protocol packets. Routing protocol packets are sent and received only on adjacencies. In particular, distribution of topological database updates proceeds along adjacencies. After establishing adjacencies, routers will build a link-state packet (LSP) based upon their local interfaces that are configured for IS-IS and prefixes learned from other adjacent routers. Routers flood LSPs to all adjacent neighbors except the neighbor from which they received the same LSP. Routers construct their link-state database from these packets. The link state is also advertised when a routers state changes. A routers adjacencies are reflected in the contents of its link state packets. This relationship between adjacencies and link state allows the protocol to detect downed routers in a timely fashion. Link state packets are flooded throughout the AS. The flooding algorithm ensures that all routers have exactly the same topological database. This database consists of a collection of link state packets received from each router belonging to the area. From this database, each router calculates the shortest-path tree, with itself as the root. This shortest-path tree, in turn, yields a routing table for the protocol.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 468 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IS-IS Areas
IS-IS allows collections of contiguous networks and hosts to be grouped together as an area. Each area runs a separate copy of the basic link state routing algorithm (usually called SPF). This means that each area has its own topological database as explained in the previous section.
An areas topology is visible only to the members of that area. Routers inside a given area do not know the detailed topology outside the area. This isolation of knowledge enables the protocol to reduce routing traffic by concentrating on small areas of an AS, as compared to treating the entire AS as a single link state domain. In IS-IS, the router belongs entirely to a single area. When an AS is split into IS-IS areas, the routers are classified into the following three categories: Level-1 routersThese are Intra-area routers and form relationship with other Level-1 or Level-1/2 routers within the same area. Level-1/2 routersThese routers form relationship with other Level-1, Level-2, or Level-1/2 routers. They are used to connect Inter-area routers with Intra-area routers. Level-2 routersThese are Inter-area routers and form relationship with other Level-2 or Level-1/2 routers These Level capabilities can be defined globally on a router or on specific interfaces. Since a separate copy of the link state algorithm is run in each area, most configuration parameters are defined on a perrouter basis. All routers belonging to an area must agree on that areas configuration. Misconfiguration will keep neighbors from forming adjacencies between themselves, and IS-IS will not function. OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 469 Software & Hardware Release: AOSv6.3.1r01 Alcatel-Lucent-ESD Calabasas/CA./USA
If the restarting router, Router X, is identified as the Designated Router (DIS) on the network segment S at the beginning of the helping relationship, the helper neighbor, Router Y, will maintain Router X as the DIS until the helping relationship is terminated. If there are multiple adjacencies with the restarting Router X, Router Y will act as a helper on all other adjacencies.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 470 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 471 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
BGP
The Border Gateway Protocol (BGP) is an exterior routing protocol that guarantees the loop-free exchange of routing information between autonomous systems. The Alcatel-Lucent implementation supports BGP version 4 as defined in RFC 1771. The Alcatel-Lucent implementation of BGP is designed for enterprise networks, specifically for border routers handling a public network connection, such as the organizations Internet Service Provider (ISP) link. Up to 65,000 route table entries and next hop routes can be supported by BGP. Note: The BGP terms peer and neighbor is used interchangeably. On OmniSwitch devices in a redundant CMM configuration, during a CMM takeover/failover, interdomain routing is disrupted. Alcatel-Lucent Operating System BGP needs to retain forwarding information, also help a peering router performing a BGP restart to support continuous forwarding for inter-domain traffic flows by following the BGP graceful restart mechanism. By default, BGP graceful restart is enabled.
BGP Specifications
RFCs Supported 1771A Border Gateway Protocol 4 (BGP-4) 2385Protection of BGP Sessions via the TCP MD5 Signature Option 2439BGP Route Flap Damping 2842Capabilities Advertisement with BGP-4 2042Registering New BGP Attribute Types 1997BGP Communities Attribute 1998An Application of the BGP Community Attribute in Multi-Home Routing 1966BGP Route Reflection: An Alternative to Full Mesh IBGP 1965Autonomous System Confederations for BGP 1773Experience with BGP-4 Protocol 1774BGP-4 Protocol Analysis 1657Definitions of Managed Objects for the Fourth Version of the Border Gateway Protocol (BGP-4) Using SMIv2 Origin, AS Path, Next Hop, MED, Local Preference, Atomic Aggregate, Aggregator, Community, Originator ID, Cluster List 8 30,000 1 to 65535 0 to 4294967295 0 to 65535 0 to 4294967295
Maximum BGP Peers per Router Maximum number of routes supported Range for AS Numbers Range of Local Preference Values Range for Confederation IDs Range for MED Attribute
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 472 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
BGP Overview
BGP (Border Gateway Protocol) is a protocol for exchanging routing information between gateway hosts in a network of autonomous systems. BGP is the most common protocol used between gateway hosts on the Internet. The routing table exchanged between hosts contains a list of known routers, the addresses they can reach, and attributes associated with the path. The OmniSwitch implementation supports BGP-4, the latest version of BGP, as defined in RFC 1771. BGP is a distance vector protocol, like the Routing Information Protocol (RIP). It does not require periodic refresh of its entire routing table, but messages are sent between BGP peers to ensure a connection is active. A BGP speaker must retain the current routing table of its peers during the life of a connection. Hosts using BGP communicate using the Transmission Control Protocol (TCP) on port 179. On connection start, BGP peers exchange complete copies of their routing tables, which can be quite large. However, only changes are exchanged after startup, which makes long running BGP sessions more efficient than shorter ones. BGP-4 lets administrators configure cost metrics based on policy statements. BGP communicates with other BGP routers in the local AS using Internal BGP (IBGP). BGP-4 makes it easy to use Classless Inter-Domain Routing (CIDR), which is a way to increase addresses within the network beyond the current Internet Protocol address assignment scheme. BGPs basic unit of routing information is the BGP path, which is a route to a certain set of CIDR prefixes. Paths are tagged with various path attributes, of which the most important are AS_PATH and NEXT_HOP. One of BGP-4s most important functions is loop detection at the autonomous system level, using the AS_PATH attribute. The AS_PATH attribute is a list of ASs being used for data transport. The syntax of this attribute is made more complex by its need to support path aggregation, when multiple paths are collapsed into one to simplify further route advertisements. A simplified view of AS_PATH is that it is the list of Autonomous Systems that a route goes through to reach its destination. Loops are detected and avoided by checking for your own AS number in AS_Paths received from neighboring Autonomous Systems. An OmniSwitch using BGP could be placed at the edge of an enterprise network to handle downstream Internet traffic. However, a router using BGP should not be placed on the public Internet to handle upstream traffic. The BGP implementation in an OmniSwitch can handle up to 32 peers, but ideally should be configured with 2 peers. An example of such a configuration would be two (2) paths to the Internet, or a dual-homed network.
BGP is intended for use in networks with multiple autonomous systems. It is not intended to be used as a LAN routing protocol, such as RIP or Open Shortest Path First (OSPF). In addition, when BGP is used as an internal routing protocol, it is best used in autonomous systems with multiple exit points as it includes features that help routers decide among multiple exit paths. BGP uses TCP as its transport protocol, eliminating the need for it to implement mechanisms for updating fragmentation, retransmission, acknowledgment, and sequencing information.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 473 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Each AS has a number assigned to it by an Internet Registry, much like an IP address. BGP is the standard Exterior Gateway Protocol (EGP) used for exchanging information between ASs. The main difference between routing within an AS (IGP) and routing outside of an AS (EGP) is that IGP polices tend to be set due to traffic concerns and technical demands, while EGP polices are set more on business relationships between corporate entities.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 474 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
In the above diagram, AS 100 and AS 200 can send and receive traffic via AS 300. AS 300 has become a transit AS using IBGP between Router B and Router C. Not all routers in an AS need to run BGP; in most cases, the internal routers use an IGP (such as RIP or OSPF) to manage internal AS routing. This alleviates the number of routes the internal non-transit routers must carry. In the above diagram, AS 100 and AS 200 can send and receive traffic via AS 300. AS 300 has become a transit AS using IBGP between Router B and Router C. Not all routers in an AS need to run BGP; in most cases, the internal routers use an IGP (such as RIP or OSPF) to manage internal AS routing. This alleviates the number of routes the internal non-transit routers must carry.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 475 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Communities
A community is a group of destinations that share some common property. A community is not restricted to one network or one autonomous system. Communities are used to simplify routing policies by identifying routes based on a logical property rather than an IP prefix or an AS number. A BGP speaker can use this attribute in conjunction with other attributes to control which routes to accept, prefer, and pass on to other BGP neighbors. Communities are not limited by physical boundaries, and routers in a community can belong to different ASs. For example, a community attribute of no export could be added to a route, preventing it from being exported, as shown:
In the above example, Route A is not propagated to AS 100 because it belongs to a community that is not to be exported by a speaker that learns it. A route can have more than community attribute. A BGP speaker that sees multiple community attributes in a route can act on one, several, or all of the attributes. Community attributes can be added or modified by a speaker before being passed on to other peers.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 476 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Route Reflectors
Route reflectors are useful if the internal BGP mesh becomes very large. A route reflector is a concentration router for other BGP peers in the local network, acting as a focal point for internal BGP sessions. Multiple client BGP routers peer with the central route server (the reflector). The router reflectors then peer with each other. Although BGP rules state that routes learned via one IBGP speaker cannot be advertised to another IBGP speaker, route reflection allows the router reflector servers to reflect routes, thereby relaxing the IBGP standards. Since the router clients in this scenario only peer with the router reflector, the session load per router is significantly reduced. The following picture demonstrates this concept:
In the diagram above, Clients 1, 2, and 3 peer with Reflector 1, and Clients 4, 5, and 6 peer with Reflector 2. Reflector 1 and 2 peer with each other. This allows each BGP speaker to maintain only one BGP session, rather than a possible seven sessions, as demonstrated below:
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 477 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
BGP Confederations
Confederations are another way of dealing with large networks with many BGP speakers. Like route reflectors, confederations are recommended when speakers are forced to handle large numbers of BGP sessions at the same time. Confederations are sub ASs within a larger AS. Inside each sub AS, all the rules of IBGP apply. Since each sub AS has its own AS number, EBGP must be used to communicate between sub ASs. The following example demonstrates a simple confederation set up:
AS 100 is now a confederation consisting of AS 1001 and AS 1002. Even though EBGP is used to communicate between AS 1001 and 1002, the entire confederation behaves as though it were using IBGP. When crossing the sub AS boundaries, the sub AS attributes are preserved.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 478 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Policies
Routing policies enable route classification for importing and exporting routes. The goal of routing policies is to control traffic flow. Policies can be applied to egress and ingress traffic. Policies act as filters to either permit or deny specified routes that are being learned or advertised from a peer. The following diagram demonstrates this concept:
AS 100 is learning routes from AS 200 and AS 300. However, there is an incoming AS Path policy at the edge of AS 100 that prevents routes that originate in AS 300 from being propagated throughout AS 100. There are four main policy types: AS Path: This policy filters routes based on AS path lists. An AS path list notes all of the ASs the route travels to reach its destination. Community Lists: Community list policies filter routes based on the community to which a route belongs. Communities can affect route behavior based on the definition of the community. Prefix Lists: Prefix list policies filter routes based on a specific network address, or a range of network addresses. Route Maps: Route map policies filter routes by amalgamating other policies into one policy. It is a way of combining many different filter options into one policy.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 479 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Regular Expressions
Regular expressions are used to identify AS paths for purposes of making routing decisions. In this context, an AS path is a list of one or more unsigned 16-bit AS numbers, in the range 1 through 65535. An ordinary pattern match string looks like: 100 200 Which matches any AS path containing the Autonomous System number 100 followed immediately by 200, anywhere within the AS path list. It would not match an AS path which was missing either number, or where the numbers did not occur in the correct order, or where the numbers were not adjacent to one another. Special pattern matching characters (sometimes called meta-characters) add the ability to specify that part of the pattern must match the beginning or end of the AS path list, or that some arbitrary number of AS numbers should match, etc. The following table defines the meta-characters used in the BGP implementation.
^ 123 . ? + * ( | ) [ ] $ ,Matches the beginning of the AS path list. Matches the AS number 123. Matches any single AS number. Matches zero or one occurrence of the previous token, which must be an AS number, a dot, an alternation, or a range. Matches one or more occurrences of the previous token, which must be an AS number, a dot, an alternation, or a range. Matches zero or more occurrences of the previous token, which must be an AS number, a dot, an alternation, or a range. Begins an alternation sequence of AS numbers. It matches any AS number listed in the alternation sequence. Separates AS numbers in an alternation sequence. Ends an alternation sequence of AS numbers. Begin a range pair consisting of two AS numbers separated by a dash. It matches any AS number within that inclusive range. Separates the endpoints of a range. Ends a range pair. Matches the end of the AS path list. Commas, underscores (_), and spaces are ignored.
The regular expressions configured in the router are compared against an incoming AS path list one at a time until a match is found, or until all patterns have been unsuccessfully matched. Unlike some implementations, which use a characterbased pattern matching logic, the BGP implementation treats AS numbers as single tokens, providing two benefits: It makes writing (and reading) policies much easier. It enables the router to begin using the policies more quickly after startup.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 480 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Route Dampening
Route dampening is a mechanism for controlling route instability. If a route is enabled and disabled frequently, it can cause an abundance of UPDATE and WITHDRAWN messages to expend speaker resources. Route dampening categorizes a route as either behaved or ill behaved. A well-behaved route shows a high degree of stability over an extended period of time, while an ill behaved route shows a high degree of instability over a short period of time. This instability is also known as flapping. Route dampening can suppress (not advertise) an ill behaved route until it has achieved a certain degree of stability. Route suppression is based on the number of times a route flaps over a period of time. The following diagram illustrates this concept:
Routes 1, 2, and 3 are entering AS 100, but Route 2 (because it is flapping) has exceeded the dampening threshold. It is therefore not propagated into the AS. The dampening threshold and suppression time of a route is determined by various factors.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 481 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 482 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
In the above example, Speakers B and C do not re-advertise the external route they each received from Speaker A. However, this fundamental routing rule is relaxed for BGP speakers that are route reflectors.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 483 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
This same configuration using a route reflector would not require that all BGP speakers be fully meshed. One of the speakers is configured to be a route reflector for the group. In this case, the route reflector is Speaker C. When the route reflector (Speaker C) receives route information from Speaker A it advertises the information to Speaker B. This set up eliminates the peer connection between Speakers A and B:
The internal peers of a route reflector are divided into two groups: client peers and non-client peers. The route reflector sits between these two groups and reflects routes between them. The route reflector, its clients, and non-clients are all in the same autonomous system. The route reflector and its clients form a cluster. The client peers do not need to be fully meshed (and therefore take full advantage of route reflection), but the non-client peers must be fully meshed. The following illustration shows a route reflector, its clients within a cluster, and its non-client speakers outside the cluster.
Note that the non-client BGP speakers are fully meshed with each other and that the client speakers in the cluster do not communicate with the non-client speakers.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 484 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
When a route reflector receives a route it, selects the best path based on its policy decision criteria. The internal peers to which the route reflector advertises depends on the source of the route. The table below shows the rules the reflector follows when advertising path information: Route received From Route Advertised To All Clients and Non-Clients External BGP Router All Clients Non-Client Peer All Clients and Non-Clients Client Peer
Routing Policies
BGP selects routes for subsequent advertisement by applying policies available in a pre-configured local Policy Information database. This support of policy-based routing provides flexibility by applying policies based on the path (i.e. AS path list), community attributes (i.e. community lists), specific destinations (i.e. prefix lists), etc. You could also configure route maps to include all of the above in a single policy. For BGP to do policy-based routing, each BGP peer needs to be tied to inbound and/or outbound policies (direction based on whether routes are being learned or advertised). Each one of the above policies can be assigned as an in-bound or outbound policy for a peer. First, you must create policies that match one of the specified criteria: AS Paths: An AS path list notes the entire ASs the route travels to reach its destination. Community List: Communities can affect route behavior based on the definition of the community. Prefix List: Prefix list policies filter routes based on a specific network address, or a range of network addresses. Route Map: Route map policies filter routes by amalgamating other policies into one policy. Then you must assign these policies to a peer. Policies can be assigned to affect routes learned from the peer, routes being advertised to the peer, or both.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 485 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
RDP
The Router Discovery Protocol (RDP) is an extension of ICMP that allows end hosts to discover routers on their networks. This implementation of RDP supports the router requirements as defined in RFC 1256.
RDP Specifications
RFCs Supported Router advertisements Host solicitations Maximum number of RDP interfaces per switch Advertisement destination addresses RFC 1256ICMP Router Discovery Messages Supported Only responses to solicitations supported in this release. One for each available IP interface configured on the switch. 224.0.0.1 (all systems multicast) 255.255.255.255 (broadcast)
RDP Defaults
Parameter Description RDP status for the switch RDP status for switch interfaces (router VLAN IP addresses) Advertisement destination address for an active RDP interface. Maximum time between advertisements sent from an active RDP inter-face Minimum time between advertisements sent from an active RDP inter-face Maximum time IP addresses contained in an advertisement packet are considered valid Preference level for IP addresses contained in an advertisement packet Default Value/Comments Disabled Disabled All systems multicast (224.0.0.1) 600 seconds 450 seconds (0.75 * maximum advertisement interval) 1800 seconds (3 * maximum advertisement interval) 0
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 486 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
RDP Overview
End hosts (clients) sending traffic to other networks need to forward their traffic to a router. In order to do this, hosts need to find out if one or more routers exist on their LAN and learn their IP addresses. One way to discover neighboring routers is to manually configure a list of router IP addresses that the host reads at startup. Another method available involves listening to routing protocol traffic to gather a list of router IP addresses. RDP provides an alternative method for hosts to discover routers on their network that involves the use of ICMP advertisement and solicitation messages. Using RDP, hosts attached to multicast or broadcast networks send solicitation messages when they start up. Routers respond to solicitation messages with an advertisement message that contains the router IP addresses. In addition, routers send advertisement messages when their RDP interface becomes active and then subsequently at random intervals. When a host receives a router advertisement message, it adds the IP addresses contained in the message to its list of default router gateways in the order of preference. As a result, the list of router IP addresses is dynamically created and maintained, eliminating the need for manual configuration of such a list. In addition, hosts do not have to recognize many different routing protocols to discover router IP addresses. The following diagram illustrates an example of using RDP in a typical network configuration:
When interfaces 2/3 and 2/4 on hosts H-1 and H-2, respectively, become active, they transmit router solicitation ICMP messages on Network 17.0.0.0. RDP enabled routers RS-1 and RS-2 pick up these packets on their RDP interfaces 1/1 and 1/2 and respond with router advertisement ICMP messages. RS-1 and RS-2 also periodically send out router advertisements on their RDP interfaces.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 487 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
RDP Interfaces
Enabling RDP on a VLAN router IP address creates an RDP interface. Once enabled, the RDP inter-face becomes active and joins the all-routers IP multicast group (224.0.0.2). The interface then transmits 3 initial router advertisement messages at random intervals that are no greater than 16 seconds apart. This process occurs upon activation to increase the likelihood that end hosts will quickly discover this router. After an RDP interface becomes active and transmits its initial advertisements, subsequent advertisements are transmitted at random intervals that fall between configurable ranges of time. This range of time is defined by specifying a maximum and minimum advertisement interval value. Because advertisements are transmitted at random intervals, the risk of system overload is reduced, as advertisements from other routers on the same link are not likely to transmit at the same time. It is important to note that advertisements are only transmitted on RDP interfaces if the following conditions are met: The RDP global status is enabled on the switch An IP interface exists and is in the enabled state An RDP interface exists and is in the enabled state Either VRRP is disabled or if VRRP is enabled, there is one or more Master IP addresses for the VLAN. If VRRP is enabled and if there are no Masters IP addresses, router advertisements are not sent on the VLAN. The router advertisement is a multicast packet sent to the all-systems IP multicast group (224.0.0.1) or the broadcast address. If VRRP is enabled, the message should be filled with IP addresses obtained from VRRP Master IP address list; otherwise the IP address of this VLAN is used. Note that RDP is not recommended for detecting neighboring router failures, referred to as black holes, in the network. However, it is possible to use RDP as a supplement for black hole detection by setting RDP interface advertisement interval and lifetime values to values lower than the default values for these parameters.
Security Concerns
ICMP RDP packets are not authenticated, which makes them vulnerable to the following attacks: Passive monitoringAttackers can use RDP to re-route traffic from vulnerable systems through the attackers system. This allows the attacker to monitor or record one side of the conversation. However, the attacker must reside on the same network as the victim for this scenario to work. Man in the middleAttacker modifies any of the outgoing traffic or plays man in the middle, acting as a proxy between the router and the end host. In this case, the victim thinks that it is communicating with an end host, not an attacker system. The end host thinks that is it communicating with a router because the attacker system is passing information through to the host from the router. If the victim is a secure web server that uses SSL, the attacker sitting in between the server and an end host could intercept unencrypted traffic. As is the case with passive monitoring, the attacker must reside on the same network as the victim for this scenario to work. Denial of service (DoS)Remote attackers can spoof these ICMP packets and remotely add bad default-route entries into a victims routing table. This would cause the victim to forward frames to the wrong address, thus making it impossible for the victims traffic to reach other networks. Because of the large number of vulnerable systems and the fact that this attack will penetrate firewalls that do not stop incoming ICMP packets, this DoS attack can become quite severe. Note. Security concerns associated with using RDP are generic to the feature as defined in RFC 1256 and not specific to this implementation.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 488 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
DHCP Relay
The User Datagram Protocol (UDP) is a connectionless transport protocol that runs on top of IP networks. The DHCP Relay allows you to use non-routable protocols (such as UDP) in a routing environment. UDP is used for applications that do not require the establishment of a session and end-to-end error checking. Email and file transfer are two applications that could use UDP. UDP offers a direct way to send and receive Datagrams over an IP network and is primarily used for broadcasting messages. This section describes the DHCP Relay feature. This feature allows UDP broadcast packets to be forwarded across VLANs that have IP routing enabled.
IP addresses supported for each Relay Service. IP addresses supported for the Per-VLAN service Maximum number of UDP relay services allowed per switch Maximum number of VLANs to which forwarded UDP service port traffic is allowed Maximum number of DHCP Snooping VLANs
256
64
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 489 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
DHCP
DHCP (Dynamic Host Configuration Protocol) provides a framework for passing configuration information to Internet hosts on a TCP/IP network. It is based on the Bootstrap Protocol (BOOTP), adding the ability to automatically allocate reusable network addresses and additional configuration options. DHCP consists of the following two components: A protocol for delivering host-specific configuration parameters from a DHCP server to a host. A mechanism for allocating network addresses to hosts. DHCP is built on a client-server model in which a designated DHCP server allocates network addresses and delivers configuration parameters to dynamically configured hosts. It supports the following three mechanisms for IP address allocation. AutomaticDHCP assigns a permanent IP address to a host. DynamicDHCP assigns an IP address to a host for a limited period of time (or until the host explicitly relinquishes the address). ManualThe network administrator assigns a hosts IP address and DHCP simply conveys the assigned address to the host.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 490 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 491 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
The external router inserts the subnet address of the first hop segment into the DHCP request frames from the DHCP clients. This subnet address allows the DHCP server to locate the segment on which the requesting client resides. In this example, all clients attached to the OmniSwitch are DHCP-ready and will have the same subnet address (130.0.0.0) inserted into each of the requests by the routers DHCP Relay function. The DHCP server will assign a different IP address to each of the clients. The switch does not need an IP address assigned and all DHCP clients will be members of either a default VLAN or an IP protocol VLAN.
During initialization, each network client forwards a DHCP request frame to the DHCP server using the local broadcast address. For those locally attached stations, the frame will simply be switched. In this case, the DHCP server and clients must be members of the same VLAN (they could also all be members of the default VLAN). One way to accomplish this is to use DHCP rules in combination with IP protocol rules to place all IP frames in the same VLAN. Because the clients in the application example are not members of the same VLAN as the DHCP server, they must request an IP address via the DHCP Relay routing entity in the switch. When a DHCP request frame is received by the DHCP Relay entity, it will be forwarded from VLAN 3 to VLAN 2. All the DHCP-ready clients in VLAN 3 must be members of the same VLAN, and the switch must have the DHCP Relay function configured.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 492 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
For the global DHCP service, you must identify an IP address for the DHCP server. The DHCP Relay forwards BOOTP/DHCP broadcasts to and from the specified address. If multiple DHCP servers are used, one IP address must be configured for each server. You can configure up to 256 addresses for each relay service.
Per-VLAN DHCP
For the Per-VLAN DHCP service, you must identify the number of the VLAN that makes the relay request. You may enter one or more server IP addresses to which packets will be sent from a specified VLAN.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 493 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 494 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
How the Relay Agent Processes DHCP Packets from the Client
The following table describes how the relay agent processes DHCP packets received from clients when the Option-82 feature is enabled for the switch: If the DHCP packet from the client ... The relay agent ... Inserts Option-82 with unique information to identify Contains a zero gateway IP address (0.0.0.0) and no Option-82 data. the client source. Drops the packet, keeps the Option-82 data and forwards Contains a zero gateway IP address (0.0.0.0) and Option-82 data. the packet, or replaces the Option-82 data with its own Option-82 data and forwards the packet. The action performed by the relay agent in this case is determined by the agent information policy that is configured through the ip helper agent-information policy command. By default, this type of DHCP packet is dropped by the agent. Forwards the packet without inserting Option-82 data. Contains a non-zero gateway IP address and no Option-82 data. Drops the packet if the gateway IP address matches a Contains a non-zero gateway IP address and Option-82 data. local subnet, otherwise the packet is forwarded without inserting Option-82 data.
How the Relay Agent Processes DHCP Packets from the Server
Note that if a DHCP server does not support Option-82, the server strips the option from the packet. If the server does support this option, the server will retain the Option-82 data received and send it back in a reply packet. When the relay agent receives a DHCP packet from the DHCP server and the Option-82 feature is enabled, the agent will: 1 Extract the VLAN ID from the Circuit ID sub-option field in the packet and compare the MAC address of the IP router interface for that VLAN to the MAC address contained in the Remote ID sub-option field in the same packet. 2 If the IP router interface MAC address and the Remote ID MAC address are not the same, then the agent will drop the packet. 3 If the two MAC addresses match, then a check is made to see if the slot/port value in the Circuit ID sub-option field in the packet matches a port that is associated with the VLAN also identified in the Circuit ID sub-option field. 4 If the slot/port information does not identify an actual port associated with the Circuit ID VLAN, then the agent will drop the packet. 5 If the slot/port information does identify an actual port associated with the Circuit ID VLAN, then the agent strips the Option-82 data from the packet and forwards the packet to the port identified in the Circuit ID sub-option.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 495 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 496 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
VRRP
The Virtual Router Redundancy Protocol (VRRP/VRRP3) is a standard router redundancy protocol supported in IPv4/IPv6. It is based on RFC 3768 and RFC 2787 and provides redundancy by eliminating the single point of failure inherent in a default route environment. The VRRP/VRRP3 router, which controls the IP/IPv6 address associated with a virtual router is called the master router, and it forwards the packets to that IP/IPv6 address. If the master router becomes unavailable, the highest priority backup router will transition to the master state. Note. RFC 3768, which obsoletes RFC 2338, does not include support for authentication types. As a result, configuring VRRP authentication is no longer supported in this release.
VRRP Specifications
RFCs Supported RFC 2338Virtual Router Redundancy Protocol RFC 2787Definitions of Managed Objects for the Virtual Router Redundancy Protocol No 255 (A virtual router is defined by a virtual router identifier (VRID) and a set of associated IP addresses on the LAN) 1 for the IP address owner; more than 1 address may be configured if the router is a backup for a master router that supports multiple addresses
Compatible with HSRP? Maximum number of virtual router instances Maximum number of IP addresses
VRRP Defaults
Description Virtual router enabled or disabled Priority Preempt mode Advertising interval VRRP authentication VRRP traps VRRP tracking VRRP delay Default Virtual routers are disabled (off). 100 Preempt mode is enabled. 1 second Authentication is not enabled. Disabled Enabled 45 seconds
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 497 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
VRRP Overview
VRRP allows routers on a LAN to back up a default route. VRRP dynamically assigns responsibility for a virtual router to a physical router (VRRP router) on the LAN. The virtual router is associated with an IP address (or set of IP addresses) on the LAN. A virtual router master is elected to forward packets for the virtual routers IP address. If the master router becomes unavailable, the highest priority backup router will transition to the master state. Note. The IP address that is backed up may be the IP address of a physical router, or it may be a virtual IP address. The example provided here is intended for understanding VRRP and does not show a configuration that would be used in an actual network.
In this example, each physical router is configured with a virtual router, VRID 1, which is associated with IP address A. OmniSwitch A is the master router because it contains the physical interface to which IP address A is assigned. OmniSwitch B is the backup router. The client is configured with a gateway address of IP A. When VRRP is configured on these switches, and both switches are available, OmniSwitch A will respond to ARP requests for IP address A using the virtual routers MAC address (00:00:5E:00:01:01) instead of the physical MAC address assigned to the interface. OmniSwitch A will accept packets sent to the virtual MAC address and forward them as appropriate; it will also accept packets addressed to IP address A (such as ICMP ping requests). OmniSwitch B will respond to ARP requests for IP address B using the interfaces physical MAC address. It will not respond to ARP requests for IP address A or to the virtual router MAC address. If OmniSwitch A becomes unavailable, OmniSwitch B becomes the master router. OmniSwitch B will then respond to ARP requests for IP address A using the virtual routers MAC address (00:00:5E:00:01:01). It will also forward packets for IP address B and respond to ARP requests for IP address B using the OmniSwitch physical MAC address. OmniSwitch B, however, cannot accept packets addressed to IP address A (such as ICMP ping requests). OmniSwitch B uses IP address B to access the LAN, but IP address B is not backed up. If OmniSwitch B becomes unavailable, IP address B is unavailable.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 498 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
ARP Requests
Each virtual router has a single well-known MAC address, which is used as the MAC address in ARP replies instead of a VRRP router's physical MAC address. When an end host sends an ARP request to the master routers IP address, the master router responds to the ARP request using the virtual router MAC address. If a backup router takes over for the master, and an end host sends an ARP request, the backup will reply to the request using the virtual router MAC address. Gratuitous ARP requests for the virtual router IP address or MAC address are broadcast when the OmniSwitch becomes the master router. For VRRP interfaces, gratuitous ARP requests/responses are delayed at system boot until both the IP address and the virtual router MAC address are configured. If a virtual router shares an interface IP address, the routing mechanism does not send a gratuitous ARP for the IP address (since the virtual router will send a gratuitous ARP). This prevents traffic from being forwarded to the router before its routing tables are stable.
ICMP Redirects
ICMP redirects are not sent out over VRRP interfaces.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 499 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
VRRP Tracking
A virtual routers priority may be conditionally modified to prevent another router from taking over as master. Tracking policies are used to conditionally modify the priority setting whenever a VLAN, slot/port, and or IP address associated with a virtual router goes down. A tracking policy consists of a tracking ID, the value amount used to decrease the priority value, and the VLAN ID, slot/port number, or IP address to be monitored by the policy. The policy is then associated with one or more virtual routers.
Configuration Overview
VRRP is part of the base software. At startup, VRRP is loaded onto the switch and is enabled. Virtual routers must first be configured and enabled as described in the sections. Since VRRP is implemented on multiple switches in the network, some VRRP parameters must be identical across switches: VRRP and ACLs If QoS filtering rules (Access Control Lists) are configured for Layer 3 traffic on a VRRP router, all of the VRRP routers on the LAN must be configured with the same filtering rules; otherwise the security of the network will be compromised. Conflicting VRRP Parameters Across Switches All virtual routers with the same VRID on the LAN should be configured with the same advertisement interval, IP addresses, and authentication password. If the virtual routers are configured differently, it may result in more than one virtual router acting as the master router. This in turn would result in duplicate IP and MAC address messages as well as multiple routers forwarding duplicate packets to the virtual router MAC address. Use the show vrrp statistics command to check for conflicting parameters.
VRRP Authentication
VRRP is designed for a range of internetworking environments that may employ different security policies. The protocol includes two authentication methods (simple clear text password and IP authentication with MD5 HMAC). In the current release, IP authentication with MD5 HMAC is not supported. By default, VRRP authentication is not enabled. VRRP includes a mechanism, however, independent of whether or not authentication is configured, that denies VRRP packets from remote networks. Whenever a VRRP router receives a packet, it sets the Time To Live (TTL) to 255. This prevents the local VRRP network from accepting VRRP packets from remote networks. When a VRRP interface receives a VRRP packet, it verifies that the TTL is 255, the VRRP version is correct, the checksum is correct, and the packet length is greater than or equal to the VRRP header. If the virtual router is configured for authentication, it will also authenticate the packet. (The authentication process is transparent to the user.) Note. The only scenario where authentication is not recommended is an environment with minimal security risk and little chance for configuration error (such as two VRRP routers on a LAN). Typically, simple text password authentication should be configured for VRRP. Simple text password authentication is similar to simple text authentication for the Open Shortest Path First (OSPF) routing protocol. Simple text authentication is recommended because it protects against accidental misconfiguration of routers on a LAN and inadvertently backing up another router. If authentication is used, all virtual routers on the LAN must be configured with the same password and the password must not be the same as any significant security password. This type of authentication is recommended when there is minimal risk of nodes on a LAN actively disrupting VRRP operation. If this type of authentication is used, the user should be aware that the clear text password is sent out frequently. It is possible for the password to be learned by a node snooping VRRP packets on the LAN; however, the simple text authentication combined with VRRP built-in TTL check make it difficult for a VRRP packet to be sent from a remote network to disrupt VRRP operation. Note. All VRRP routers on the same LAN should be configured with the same authentication setting. If authentication is enabled, all routers must have the same password.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 501 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
VRRP Traps
A VRRP router has the capability to generate VRRP SNMP traps for events defined in the VRRP SNMP MIB. By default traps are enabled. In order for VRRP traps to be generated correctly, traps in general must be enabled on the switch through the SNMP CLI.
Note. The same VRRP configuration must be set up on the OmniSwitch 6850. The VRRP router that contains, or owns, the IP address will automatically become the master for that virtual router. If the IP address is a virtual address, the virtual router with the highest priority will become the master router. In this scenario, the master of VRID 1 will respond to ARP requests for IP address A using the virtual router MAC address for VRID 1 (00:00:5E:00:01:01). OmniSwitch 1 is the master for VRID 1 since it contains the physical interface to which 10.10.2.3 is assigned. If OmniSwitch A should become unavailable, OmniSwitch B will become master for VRID 1. In the same way, the master of VRID 2 will respond to ARP requests for IP address B using the virtual router MAC address for VRID 2 (00:00:5E:00:01:02). OmniSwitch B is the master for VRID 2 since it contains the physical interface to which 10.10.2.245 is assigned. If OmniSwitch B should become unavailable, OmniSwitch A will become master for 10.10.2.245. This configuration provides uninterrupted service for the end hosts.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 502 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
If port 3/1 on VRRP router A goes down, the master for virtual router A is still functioning but workstation clients 1 and 2 will not be able to get to the Internet. With this tracking policy enabled, however, master router 1s priority will be temporarily decremented to 50, allowing backup router 1 to take over and provide connectivity for those workstations. When port 3/1 on VRRP router A comes back up, master 1 will take over again.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 503 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Note. The same VRRP3 configuration must be set up on each switch. The VRRP3 router that contains, or owns, the IPv6 address will automatically become the master for that virtual router. If the IPv6 address is a virtual address, the virtual router with the highest priority will become the master router. In this scenario, the master of VRID 1 will respond to ARP requests for IPv6 address A using the virtual router MAC address for VRID 1 (00:00:5E:00:01:01). OmniSwitch 1 is the master for VRID 1 since it contains the physical interface to which 213:100:1::56s assigned. If OmniSwitch A should become unavailable, OmniSwitch B will become master for VRID 1. In the same way, the master of VRID 2 will respond to ARP requests for IP address B using the virtual router MAC address for VRID 2 (00:00:5E:00:01:02). OmniSwitch B is the master for VRID 2 since it contains the physical interface to which 213:100:1::57 is assigned. If OmniSwitch B should become unavailable, OmniSwitch A will become master for 213:100:1::57. This configuration provides uninterrupted service for the end hosts.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 504 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 505 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
The following additional ACL features are available for improving network security and preventing malicious activity on the network: ICMP drop rulesAllows condition combinations in policies that will prevent user pings, thus reducing DoS exposure from pings. Two condition parameters are also available to provide more granular filtering of ICMP packets: icmptype and icmpcode. BPDUShutdownPortsA port group that identifies its members as ports that should not receive BPDUs. If a BPDU is received on one of these ports, the port is administratively disabled. TCP connection rulesAllows the determination of an established TCP connection by examining TCP flags found in the TCP header of the packet. Two condition parameters are available for defining a TCP connection ACL: established and tcpflags. Early ARP discardARP packets destined for other hosts are discarded to reduce processing overhead and exposure to ARP DoS attacks. No configuration is required to use this feature; it is always available and active on the switch. Note that ARPs intended for use by a local subnet, AVLAN, and VRRP are not discarded.
QoS Specifications
Maximum number of configurable policy rules per switch Maximum number of policy rules per Ethernet port Maximum number of policy rules per 10GB port Maximum number of policy conditions Maximum number of policy actions Maximum number of policy services Maximum number of groups (network, MAC, service, port) per stand-alone Maximum number of group entries Maximum number of rules per slot Maximum number of bandwidth shaping rules per slot Maximum number of priority queues per port 2048 101(OmniSwitch 6800 only) 997 (OmniSwitch 6800 only) 2048 2048 256 1024 1024 per group 1664 (OmniSwitch 6850 and 9000 only) 832 (OmniSwitch 6850 and 9000 CMM only) 8 (Note that two of the eight queues on OmniSwitch 6800 QoS ports are reserved for internal use only, so they are not available.) Some QoS commands support prefix recognition.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 506 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 507 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Valid Policies
The switch does not allow you to create invalid condition/action combinations; if you enter an invalid combination, an error message will display. It is possible to configure a valid QoS rule that is active on the switch, however the switch is not able to enforce the rule because some other switch function (for example, routing) is disabled.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 508 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Condition Combinations
The CLI prevents you from configuring invalid condition combinations that are never allowed; however, it does allow you to create combinations that are supported in some scenario. For example, you might configure source ip and a destination ip for the same condition. This is a valid combination, but will only be used to classify bridged traffic. The following conditions are supported and may be combined with other conditions and/or actions: Layer-1source port, source port group, destination port, destination port group Layer-2source MAC, source MAC group, destination MAC, destination MAC group, 802.1p, inner 802.1p, ether-type, source VLAN, inner source VLAN, destination VLAN (multicast policies only). Layer 3IP protocol, source IP, source IPv6, multicast IP, destination IP, destination IPv6, source network group, destination network group, multicast network group, IPv6 traffic, IPv6 next header (NH), IPv6 flow label (FL), ToS, DSCP, ICMP type, ICMP code. Layer-4source TCP/UDP port, destination TCP/UDP port, service, service group, TCP flags (ECN and CWR are only supported on the OmniSwitch 6800) IP MulticastAn IP multicast condition is used in IGMP ACLs. The multicast IP is the multicast group address used in the IGMP report packet. Note the following: The 802.1p and source VLAN conditions are the only Layer 2 conditions allowed in combination with Layer 4 conditions. Source and destination parameters can be combined in Layer 2, Layer 3, and Layer 4 conditions. In a given rule, ToS or DSCP may be specified for a condition with priority specified for the action. The Layer 1 destination port condition only applies to bridged traffic, not routed traffic. This restriction does not apply to the OmniSwitch 6800. The IP multicast condition works in combination with Layer 1, Layer 2, and Layer 3 destination conditions only if these conditions specify the device that sends the IGMP report packet. All IPv6 conditions are not supported on OmniSwitch 6800. For more information about IPv6 policies Individual items and their corresponding groups cannot be combined in the same condition. For example, a source IP address cannot be included in a condition with a source IP network group. Layer 2 and Layer 3 rules are always effected on bridged and routed traffic. As a result, combining source or destination TCP/UDP port and IP protocol in a condition is allowed. The Quarantine Manager and Remediation (QMR) application and inner VLAN or inner 802.1p conditions are mutually exclusive. If one of these is active, the other one is not available. Use the following policy condition combinations table as a guide when configuring policy conditions. *IP multicast traffic (not IGMP) is treated as regular traffic; QoS functionality works the same way with this type of traffic, with the exception that the destination port condition does not apply. Layer-1 Layer-2 Layer-3* Layer-4* IP Multicast (IGMP) All All All All Destination Layer-1 only All All All Source vlan Destination Layer-2 and 802.1p only only All All All All Destination Layer-3* only All Source All All None Layer-4* vlan and 802.1p only Destination Destination Destination None N/A IP Multicast only only only (IGMP)
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 509 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Action Combinations
The CLI prevents you from configuring invalid action combinations that are never allowed; however, it does allow you to create combinations that are supported in some scenarios. For example, an action specifying maximum bandwidth may be combined with an action specifying priority. The following actions are supported and may be combined with other actions: ACL (disposition drop) Priority 802.1p ToS/DCSP Stamping and Mapping Maximum Bandwidth Port Redirection (not supported on the OmniSwitch 6800) Link Aggregate Redirection (not supported on the OmniSwitch 6800 and 6850) Port Disable (not supported on the OmniSwitch 6800) Permanent Gateway IP (not supported on the OmniSwitch 6800 and 6850) Mirror (not supported on the OmniSwitch 6800) Use the following policy action combinations table as a guide when creating policy rules. Drop Priority Stamp/Map Max Redirect Redirect Port Permanent Mirror BW Port Linkagg Disable gateway IP N/A No No No No No No No Yes Drop No N/A Yes Yes Yes Yes No Yes Yes Priority Yes N/A Yes Yes Yes No Yes Yes Stamp/Map No No Yes Yes N/A Yes Yes No Yes Yes Max BW No Yes Yes Yes N/A No No Yes Yes Redirect Port No Yes Yes Yes No N/A No Yes Yes Redirect Linkagg No No No No No No N/A No No Port Disable Yes Yes Yes Yes Yes No N/A Yes Permanent No Gateway IP Yes Yes Yes Yes Yes Yes No Yes N/A Mirroring Note that the minimum bandwidth action is not included in the list of actions because it is no longer supported on the OmniSwitch 6800 and is not supported on the OmniSwitch 6850 or 9000.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 510 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
QoS Defaults
The following tables list the defaults for global QoS parameters, individual port settings, policy rules, and default policy rules. By default QoS is enabled on the switch. If QoS policies are configured and applied, the switch will attempt to classify traffic and apply relevant policy actions. By default, bridged, routed, and multicast flows that do not match any policies are accepted on the switch. To change the global default disposition (which determines whether the switch will accept, deny, or drop the flow), use the desired disposition setting.
802.1Q and mobile ports are always trusted; other ports are untrusted Port bandwidth Port bandwidth
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 511 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
enabled (trap sent only on port disable action or UserPort shutdown operation).
Note: policy rules configured with source and destination conditions and actions with disposition, priority, or 802.1P configured are automatically bi-directional.
Note that in the current software release the deny and drop options produce the same effect that is, the traffic is silently dropped. Note. There are no defaults for the policy condition.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 512 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 513 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 514 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 515 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Shared Queues
Eight priority queues are available at startup for each port. Flows always share queues; however, when a shared action is specified in policies, the policies will use the same values to implement maximum and minimum bandwidth. Note that the OmniSwitch 6800 also has eight priority queues per port but that two of these queues are reserved for internal use and are not available.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 516 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Queuing Schemes
There are four queuing schemes available for each switch port: one strict priority scheme and three weighted fair queuing (WFQ) schemes. By default the strict priority scheme is used and consists of eight priority queues (SPQ). All eight queues on the port are serviced strictly by priority. Lower priority traffic is dropped in the presence of higher priority traffic. The following WFQ schemes are available: WRRAll queues participate in a weighted round robin scheme. Traffic is serviced from each queue based on the weight of the queue. Note that the WRR scheme is not supported on the OmniSwitch6800, 9700, or 9800. Priority-WRRA type of WRR scheme that combines Strict-Priority queues (zero weight) and WRR queues (non-zero weight). Note that Priority-WRR is the only WFQ scheme supported on the OmniSwitch 6800. DRRAll queues participate in a deficit round robin scheme. Traffic is serviced from each queue based on the weight of the queue. The weight of each of the WRR/DRR queues is a configurable value. Note the following when configuring WRR/DRR queue weights: Weights are configured with a value between 0 and 15. The default weight for each WRR/DRR queue is set to one. Each queue can have a different weight value, and configuring these values in ascending or descending order is not required. When a queue is given a weight of 0, it is configured as a Strict-Priority queue. The CLI requires the user to enter eight queue weights on the OmniSwitch 6800, even though there are only six queues per port available on this switch. The last two weight values entered are ignored. A Priority-WRR scheme is configured by assigning a weight of zero to one or more WRR queues to make them StrictPriority queues and a non-zero weight to the other WRR queues. Note that a Priority-WRR scheme is the only WFQ scheme that is supported on the OmniSwitch 6800. If there are multiple SPQs configured, the SPQs are scheduled according to their CoS queue number before any WFQs are scheduled. The weight assigned to a WRR queue designates the number of packets the queue sends out before the scheduler moves on to the next queue. For example, a queue weight of 10 sends out 10 packets at each interval. The weight assigned to a DRR queue determines the number of bytes that the queue will service. Each weight value is associated with the following number of bytes: 1=10K, 2=20K, 3=40K, 4=80K, 5=160K, 6=320K, 7=640K, 8=1280K, 9=2560K, 10=5120K, 11=10M, 12=20M, 13=40M, 14=80M, and 15=160M. For example, if the configured DRR queue weights are 1 1 2 2 3 3 4 4, queues 1/2 will service up to 10K each, queues 3/4 will service up to 20K each, queues 5/6 will service up to 40K each, and queues 7/8 will service up to 80K. The higher the queue weight assigned to a DRR queue, the higher the percentage of traffic that is serviced by that queue. For example, a queue with a weight of three will send four times as much traffic as a queue with a weight of one. The queuing scheme selected is the scheme that is used to shape traffic on destination (egress) ports and is referred to as the QoS servicing mode for the port. It is possible to configure a default servicing mode that will apply to all switch ports or configure the servicing mode on an individual port basis. Note that the QoS servicing mode only applies to destination ports because it is at this point where traffic shaping is effected on the flows. In addition, different ports can use different servicing modes.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 517 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 518 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Policies
Basic commands for creating policies are as follows: Policy condition Policy action Policy rule Note. A policy rule may include a policy condition or a policy action that was created through PolicyView rather than the CLI. But a policy rule, policy action, or policy condition may only be modified through the source that created it. For example, if an action was created in PolicyView, it may be included in a policy rule configured through the CLI, but it cannot be modified through the CLI.
ASCII-File-Only Syntax
When the policy rule, policy condition, and policy action commands as well as any of the condition group commands are configured and saved in an ASCII file (typically through the snapshot command), the commands included in the file will include syntax indicating the commands origin. The origin specifies where the rule, condition, condition group, or action was created, either an LDAP server or the CLI (from ldap or from CLI).
Policy Conditions
There are many options for configuring a condition. But, it all depends on how the user wants the switch to classify traffic for a given policy. The following conditions are supported and may be combined with other conditions and/or actions: Layer-1source port, source port group, destination port, destination port group Layer-2source MAC, source MAC group, destination MAC, destination MAC group, 802.1p, inner 802.1p, ether-type, source VLAN, inner source VLAN, destination VLAN (multicast policies only). Layer 3IP protocol, source IP, source IPv6, multicast IP, destination IP, destination IPv6, source network group, destination network group, multicast network group, IPv6 traffic, IPv6 next header (NH), IPv6 flow label (FL), ToS, DSCP, ICMP type, ICMP code. Layer-4source TCP/UDP port, destination TCP/UDP port, service, service group, TCP flags (ECN and CWR are only supported on the OmniSwitch 6800) IP MulticastAn IP multicast condition is used in IGMP ACLs. The multicast IP is the multicast group address used in the IGMP report packet. Note. The group options refer to groups of addresses, services, or ports that you configure separately through policy group commands. Rather than creating a separate condition for each address, service, or port, use groups and attach the group to a single condition. More than one condition parameter may be specified. Some condition parameters though are mutually exclusive.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 519 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Policy Actions
A policy action should specify the way traffic should be treated. For example, it might specify a priority for the flow, a source address to rewrite in the IP header, or it may specify that the flow may simply be dropped. More than one action parameter may be specified. Some parameters may be mutually exclusive. In addition, some action parameters are only supported with particular condition parameters. Policy Actions that are supported: ACL (Disposition drop) Priority Maximum bandwidth 802.1p, ToS/DSCP Stamping and Mapping Port-disable (not supported on the OS6800) Redirect port (not supported on the OS6800) Redirect linkagg (not supported on the OS6800 & OS6850) Permanent Gateway IP (not supported on the OS6800 & OS6850) Mirror (not supported on the OS6800) Note. If you combine priority with 802.1p, dscp, tos, or map, in an action, the priority value is used to prioritize the flow.
Rule Precedence
The switch attempts to classify flows coming into the switch according to policy precedence. Only the rule with the highest precedence will be applied to the flow. This is true even if the flow matches more than one rule. Precedence is particularly important for Access Control Lists (ACLs).
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 520 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Testing Conditions
Before applying policies to the configuration through the qos apply command, you may want to see how the policies will be used to classify traffic. Or you may want to see how theoretical traffic would be classified by policies that are already applied on the switch. You can use the show policy classify commands to see how the switch will classify certain condition parameters. This command is used to examine the set of pending policies only. Use the applied keyword with the command to examine the applied set of policies only. The command includes a keyword (l2, l3, multicast) to indicate whether the Layer-2, Layer-3, or multicast classifier should be used to classify the traffic. The keywords used with these commands are similar to the keywords used for the policy condition command. The keyword should be relevant to the type of traffic as listed in the table here:
show policy classify l2 Source port Destination port Source mac Destination mac Source vlan show policy classify l3 Source port Destination port Source ip Destination ip Source & Destination IPv6 IP Protocol IPv6 Nh Flow-label Source ip port Destination ip port Tos Dscp Destination port Destination mac Destination vlan (multicast only) Destination ip
To test a theoretical condition against the set of pending policies, enter the command and the relevant keyword and value. The switch will display information about the potential traffic and attempt to match it to a policy (pending policies only).
Note. The policy service group can include only services with all source ports, all destination ports, or all source and destination ports. For example, the group cannot include a service that specifies a source port and another service that specifies a destination port.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 522 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 523 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 524 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Policy Applications
Policies are used to classify incoming flows and treat the relevant outgoing flows. There are many ways to classify the traffic and many ways to apply QoS parameters to the traffic. Classifying traffic may be as simple as identifying a Layer 2 or Layer 3 address of an incoming flow. Treating the traffic might involve prioritizing the traffic or rewriting an IP address. How the traffic is treated (the action in the policy rule) typically defines the type of policy: Type of Policy Description Action Parameters Used Basic QoS policies Prioritizes particular Maximum bandwidth flows, and/ or shapes the Priority bandwidth for the flow Redirects flows to a redirect port Redirection policies specific port redirect linkagg or link aggregate ID. Policy Based Mirroring Mirrors ingress and egress ingress mirror packets egress mirror to a specific port. ingress egress mirror Filters, prioritizes, and/or Disposition ICMP policies rate limits ICMP traffic Priority Maximum bandwidth Sets or resets the egress 802.1p 802.1p, ToS, and DSCP 802.1p, ToS, or DSCP TOS tagging or mapping policies values DSCP Map group Redirects routed traffic. permanent ip Policy Based Routing Note that PBR is not (PBR) supported on the OmniSwitch 6800 and 6850. Access Control Lists Groups of policies rules Disposition used for filtering traffic (ACLs) (allow/deny) Policies used for Layer 2 and Layer 3/4 filters, are commonly referred to as Access Control Lists (ACLs). Policies may also be used for prioritizing traffic in dynamic link aggregation groups.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 525 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Note. If multiple addresses, services, or ports should be given the same priority, use a policy condition group to specify the group and associate the group with the condition. Note that some condition parameters may be used in combination only under particular circumstances; also, there are restrictions on condition/action parameter combinations.
Basic Commands
The following policy action commands are used for traffic prioritization or shaping: Policy action priority Policy action maximum bandwidth
To create a policy rule to prioritize the traffic from Network 1, first create a condition for the traffic that you want to prioritize. In this example, the condition is called ip_traffic. Then create an action to prioritize the traffic as highest priority. In this example, the action is called high. Combine the condition and the action into a policy rule called rule1. -> Policy condition ip_traffic source ip 10.10.4.0 mask 255.255.255.0 -> Policy action high priority 7 -> Policy rule rule1 condition ip_traffic action high The rule is not active on the switch until the qos apply command is entered on the command line. When the rule is activated, any flows coming into the switch from 10.10.4.0 will be given the highest priority.
Redirection Policies
A redirection policy sends traffic that matches the policy to a specific port or link aggregate instead of the originally intended destination. This type of policy may use any condition; the policy action determines which port or link aggregate to which the traffic is sent. The following policy action commands are used for port and link aggregate redirection: policy action redirect port policy action redirect linkagg Note the following regarding the use and configuration of redirection policies: Redirection policies apply to both bridged and routed traffic. When redirecting routed traffic from VLAN A to VLAN B, the redirect port or link aggregate ID must belong to VLAN B (tagged or default VLAN). Routed packets (from VLAN A to VLAN B) are not modified after they are redirected; the source and MAC address remain the same. In addition, if the redirect port or link aggregate ID is tagged, the redirected packets will have a tag from the ingress VLAN A. If a route exists for the redirected flow, then redirected packets are the final post-routing packets. If a route does not exist for the redirected flow, the flow is not redirected to the specified port or link aggregate ID and is blackholed. As soon as a route is available, the flow is then redirected as specified in the policy. In most cases, a redirected flow will not trigger an update to the routing and ARP tables. When the ARP table is cleared or timed out, port/link aggregate redirection will cease until the ARP table is refreshed. If necessary, create a static route for the flow or assign the redirect port or link aggregate ID to the ingress VLAN (VLAN A) to send packets to the redirect port until a route is available. When redirecting bridged traffic on VLAN A, the redirect port or link aggregate ID must belong to VLAN A (tagged or default VLAN). In the following example, flows destined for UDP port 80 is redirected to switch port 3/2: -> policy condition L4PORTCOND destination udp port 80 -> policy action REDIRECTPORT redirect port 3/2 -> policy rule L4PORTRULE condition L4PORTCOND action REDIRECTPORT In the following example, flows destined for IP address 40.2.70.200 are redirected to link aggregate 10: -> policy condition L4LACOND destination IP 40.2.70.200 -> policy action REDIRECTLA redirect linkagg 10 -> policy rule L4LARULE condition L4LACOND action REDIRECTLA Note that in both examples above, the rules are not active on the switch until the qos apply command is entered on the command line.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 527 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 528 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 529 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
In this example, all traffic originating in the 10.3 network is routed through the firewall, regardless of whether or not a route exists. Note that the functionality of the firewall is important. In the example, the firewall is sending the traffic to be routed remotely. If you instead set up a firewall to send the traffic back to the switch to be routed, you should set up the policy condition with a built-in source port group so that traffic coming back from the firewall will not get looped and sent back out to the firewall.
In this scenario, traffic from the firewall is sent back to the switch to be re-routed. But because the traffic re-enters the switch through a port that is not in the Slot01 port group, the traffic does not match the Redirect. All policy and is routed normally through the switch. OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 530 Software & Hardware Release: AOSv6.3.1r01 Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 531 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 532 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 533 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 534 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IP Multicast Switching
IP Multicast Switching is a one-to-many communication technique employed by emerging applications such as video distribution, news feeds, conferencing, netcasting, and resource discovery (OSPF, RIP2, BOOTP). Unlike unicast, which sends one packet per destination, multicast sends one packet to all devices in any sub-network that has at least one device requesting the multicast traffic. Multicast switching also requires much less bandwidth than unicast techniques and broadcast techniques since the source hosts only send one data stream to the ports on which destination hosts that request it are attached. Destination hosts signal their intent to receive a specific multicast stream by sending a request to do so to a nearby switch using Internet Group Management Protocol (IGMP). The switch then learns on which ports multicast group subscribers are attached and can intelligently deliver traffic only to the respective ports. This mechanism is often referred to as IGMP snooping (or IGMP gleaning). Alcatel-Lucents implementation of IGMP snooping is called IP Multicast Switching (IPMS). IPMS allow OmniSwitch 6850 Series switches to efficiently deliver multicast traffic in hardware at wire speed. Note. You can also configure and monitor IPMS with WebView, Alcatel-Lucents embedded web-based device management application. WebView is an interactive and easy-to-use GUI that can be launched from OmniVista or a web browser.
IPMS Specifications
The table below lists specifications for Alcatel-Lucents IPMS software.
RFCs Supported RFC 1112 Host Extensions for IP Multicasting RFC 2236 Internet Group Management Protocol, Version 2 RFC 2933 Internet Group Management Protocol MIB RFC 3376 Internet Group Management Protocol, Version 3 Draft-ietf-magma-snoop Considerations for IGMP and MLD Snooping Switches 1 to 65535 seconds 1 to 65535 seconds 1 to 65535 seconds 1 to 65535 in tenths of seconds 1 to 65535 in tenths of seconds
IETF Internet-Drafts Supported IGMP Query Interval IGMP Router Timeout IGMP Source Timeout IGMP Query Response Interval IGMP Last Member Query Interval
IPv6MS Specifications
The table below lists specifications for Alcatel-Lucents IPv6MS software.
RFCs Supported RFC 2710 Multicast Listener Discovery for IPv6 RFC 3810 Multicast Listener Discovery Version 2 for IPv6 RFC 3019 IPv6 MIB for Multicast Listener Discovery Protocol Draft-ietf-magma-snoop Considerations for IGMP and MLD Snooping Switches 1 to 65535 seconds 1 to 65535 seconds 1 to 65535 seconds 1 to 65535 in milliseconds 1 to 65535 in milliseconds
IETF Internet-Drafts Supported MLD Query Interval MLD Router Timeout MLD Source Timeout MLD Query Response Interval MLD Last Member Query Interval
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 535 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 536 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IPMS Overview
A multicast group is defined by a multicast group address, which is a Class D IP address in the range 224.0.0.0 to 239.255.255.255. (Addresses in the range 239.0.0.0 to 239.255.255.255 are reserved for boundaries.) The multicast group address is indicated in the destination address field of the IP header. IPMS track the source VLAN on which the Internet Group Management Protocol (IGMP) requests are received. The network interfaces verify that a multicast packet is received by the switch on the source (or expected) port. Note. Jumbo multicast packets are not supported. The maximum MTU size supported by Alcatel-Lucents IPMS software is 1500.
IPMS Example
The following figure shows an IPMS network where video content can be provided to clients that request it. A server is attached to the switch that provides the source (i.e., multicast) IP addresses. Clients from two different attached networks send IGMP reports to the switch to receive the video content.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 537 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IP Multicast Routing
IP multicast routing can be used for IP Multicast Switching and Routing (IPMSR). IP multicast routing is a way of controlling multicast traffic across networks. The IP multicast router discovers which networks want to receive multicast traffic by sending out Internet Group Management Protocol (IGMP) queries and receiving IGMP reports from attached networks. The IGMP reports signal that users want to join a multicast group. The IPv6 multicast router discovers multicast listeners by sending out Multicast Listener Discovery (MLD) Protocol queries and receiving MLD reports from attached networks. The MLD reports signal that users want to join a IPv6 multicast group. If there is more than one IP multicast router in the network, the router with the lowest IP address is elected as the querier router, which is responsible for querying the sub-network for group members. The IP multicast routing package provides the following two separate protocols: Protocol Independent Multicast Sparse Mode (PIM-SM) and Dense Mode (PIM-DM) Distance Vector Multicast Routing Protocol (DVMRP) The multicast routing protocols build and maintain a multicast routing database. The multicast routing protocols forward multicast traffic to networks that have requested group membership to a specific multicast group. IPMS uses decisions made by the routing protocols and forwards multicast traffic to ports that request group membership.
PIM
Protocol-Independent Multicast (PIM) is an IP multicast routing protocol that uses routing information provided by unicast routing protocols, such as RIP and OSPF. Sparse Mode PIM (PIM-SM) contrasts with flood-and-prune dense mode multicast protocols, such as DVMRP and PIM Dense Mode (PIM-DM), in that multicast forwarding in PIM-SM is initiated only via specific requests. Downstream routers must explicitly join PIM-SM distribution trees in order to receive multicast streams on behalf of directly connected receivers or other downstream PIM-SM routers. This paradigm of receiver-initiated forwarding makes PIM-SM ideal for network environments where receiver groups are thinly populated and bandwidth conservation is a concern, such as in Wide Area Networks (WANs). PIM-DM packets are transmitted on the same socket as PIM-SM packets as both use the same protocol and message format. Unlike PIM-SM, in PIM-DM there are no periodic joins transmitted; only explicitly triggered prunes and grafts. In PIM-DM, unlike PIM-SM, there is no Rendezvous Point (RP).
DVMRP
Distance Vector Multicast Routing Protocol (DVMRP) is a distributed multicast routing protocol that dynamically generates per-source delivery trees based upon routing exchanges. When a multicast source begins to transmit, the multicast data is flooded down the delivery tree to all points in the network. DVMRP then prunes (i.e., removes branches from) the delivery tree where the traffic is unwanted. This is in contrast to PIM-SM, which uses receiver-initiated (i.e., forward path) multicasting.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 538 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IGMP Version 3
IGMP is used by IPv4 systems (hosts and routers) to report their IP multicast group memberships to any neighboring multicast routers. IGMP version 2 (IGMPv2) handles forwarding by IP multicast destination address only. IGMP version 3 (IGMPv3) handles forwarding by source IP address and IP multicast destination address. OmniSwitch 6850 Series switches support IGMPv2 and IGMPv3. In IGMPv2, each membership report contains only one multicast group. In IGMPv3, membership reports contain many multicast groups up to the Maximum Transmission Unit (MTU) size of the interface. IGMPv3 uses source filtering and reports multicast memberships to neighboring routers by sending membership reports. IGMPv3 also supports Source Specific Multicast (SSM) by allowing hosts to report interest in receiving packets only from specific source addresses or from all but specific source addresses. Note. It should be noted that in the current release SSM packet forwarding is not done between ports in the same VLAN. However, SSM forwarding between different VLANs (routing) is supported. In addition, the current implementation of IGMPv3 and SSM only forwards packets to a list of included sources for a given multicast destination. Exclude list forwarding is not supported, as it is not a requirement for SSM, and specifically Protocol Independent MulticastSource Specific Multicast (PIM-SSM).
MLD
MLD is used by IPv6 systems (hosts and routers) to report their IPv6 multicast group memberships to any neighboring multicast routers. MLD Version 1 (MLDv1) handles forwarding by IPv6 multicast destination addresses only. MLD Version 2 (MLDv2) handles forwarding by source IPv6 addresses and IPv6 multicast destination addresses. The OmniSwitch 6850 switch supports MLDv1 and MLDv2. MLDv2 uses source filtering and reports multicast memberships to neighboring routers by sending membership reports. MLDv2 also supports Source Specific Multicast (SSM) by allowing hosts to report interest in receiving packets only from specific source addresses or from all but specific source addresses.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 539 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 540 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Note. If software routing is used, the number of total flows supported is variable, depending on the number of flows and the number of routes per flow.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 541 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
A router port is configured on VLAN 2, with the IP address 172.22.2.44. The router port is also referred to as the router interface; the IP address serves as the identifier for the interface. In this example, the multicast address boundary has been defined as 239.140.120.0. The mask value of 255.255.255.0 is shown in Classless Inter-Domain Routing (CIDR) prefix format as /24. This specifies that no multicast traffic addressed to multicast addresses 239.140.120.0 through 239.140.120.255 will be forwarded on interface 172.22.2.44.
Although the same block of multicast addresses239.140.120.0 through 239.140.120.255is being used in two different domains at once, multicast traffic from one domain cannot conflict with multicast traffic in the other domain because they are effectively confined by boundaries on their corresponding interfaces. In this case, the boundary 239.140.120.0/24 has been configured on interfaces 172.22.2.120 and 178.14.1.43.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 542 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
DVMRP
This section includes descriptions for Distance Vector Multicast Routing Protocol (DVMRP). DVMRP is a dense-mode multicast routing protocol. DVMRPwhich is essentially a broadcast and prune routing protocolis designed to assist routers in propagating IP multicast traffic through a network.
DVMRP Specifications
RFCs Supported IETF Internet-Drafts Supported DVMRP Version Supported DVMRP Attributes Supported 2667IP Tunnel MIB Distance-Vector Multicast Routing Protocol MIB draft-ietf-idmr-dvmrp-v3-11.txt DVMRPv3.255 Reverse Path Multicasting, Neighbor Discovery, Multicast Source Location, Route Report Messages, Distance metrics, Dependent Downstream Routers, Poison Reverse, Pruning, Grafting, DVMRP Tunnels Flash update interval, Graft retransmissions, Neighbor probe interval, Neighbor timeout, Prune lifetime, Prune retransmission, Route report interval, Route holddown, Route expiration timeout 1 to 31 0 to 255 1 (e.g., you cannot enable both PIM-SM and DVMRP on the same IP interface)
Range for Interface Distance Metrics Range for Tunnel TTL Value Multicast Protocols per Interface
DVMRP Defaults
Parameter Description DVMRP load status DVMRP status DVMRP interface status Flash update interval Graft retransmission timeout Neighbor probe interval time Neighbor timeout Prune lifetime Prune retransmission timeout Route report interval Route holddown time Route expiration timeout Interface distance metric DVMRP tunnel status DVMRP tunnel TTL value Subordinate neighbor status Default Value/Comments Unloaded Disabled Disabled 5 seconds 5 seconds 10 seconds 35 seconds 7200 seconds 30 seconds 60 seconds 120 seconds 140 seconds 1 Disabled 255 True
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 543 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
DVMRP Overview
Distance Vector Multicast Routing Protocol (DVMRP) Version 3 is a multicast routing protocol that enables routers to efficiently propagate IP multicast traffic through a network. Multicast traffic consists of a data stream that originates from a single source and is sent to hosts that have subscribed to that stream. Live video broadcasts; video conferencing, corporate communications, distance learning, and distribution of software, stock quotes, and news services are examples of multicast traffic. Multicast traffic is distinguished from unicast traffic and broadcast traffic as follows: Unicast traffic is addressed to a single host. Broadcast traffic is transmitted to all hosts. Multicast traffic is transmitted to a subset of hosts (the hosts that have subscribed to the multicast data stream). DVMRP is a distributed multicast routing protocol that dynamically generates per-source delivery trees based upon routing exchanges, using a technique called Reverse Path Multicasting. When a multicast source begins to transmit, the multicast data is flooded down the delivery tree to all points in the network. DVMRP then prunes (i.e., removes branches from) the delivery tree where the traffic is unwanted. Pruning continues to occur as group membership changes or routers determine that no group members are present. This restricts the delivery trees to the minimum branches necessary to reach all group members, thus optimizing router performance. New branches can also be added to the delivery trees dynamically as new members join the multicast group. The addition of new branches is referred to as grafting.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 544 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Neighbor Discovery
DVMRP routers must maintain a database of DVMRP adjacencies with other DVMRP routers. A DVMRP router must be aware of its DVMRP neighbors on each interface. To gather this information, DVMRP routers use a neighbor discovery mechanism and periodically multicast DVMRP Probe messages to the All-DVMRP-Routers group address (224.0.0.4). Each Probe message includes Neighbor List of DVMRP routers known to the transmitting router. When a DVMRP router (lets call it router B) receives a Probe (lets say from router A), it adds the IP address of router A to its own internal list of DVMRP neighbors on that interface. It then sends a Probe of its own with the IP address of router A included in the Probes Neighbor List. When a DVMRP router receives a Probe with its own IP address included in the Neighbor List, the router knows that a two-way adjacency has been successfully formed between itself and the neighbor that sent the Probe. Probes effectively serve three main purposes: Probes provide a mechanism for DVMRP routers to locate each other as described above. Probes provide a way for DVMRP routers to determine each others capabilities. This is deduced from the major and minor version numbers in the Probe packet and directly from the capability flags in the Probe packet. Probes provide a keep-alive function in order to quickly detect neighbor loss. A DVMRP router sends periodic Route Report messages to its DVMRP neighbors (by default, every 60 seconds). A Route Report message contains the senders current routing table, which contains entries that advertise a source network (with a mask) and a hop-count that is used as the routing metric. This routing information is used to build source distribution trees and to perform multicast forwarding. The DVMRP neighbor that advertises the route with the lowest metric will be used for forwarding. (In case of a tie, the DVMRP neighbor with the lowest IP address will be used.) In DVMRPv3, a router will not accept a Route Report from another DVMRP router until it has established adjacency with that neighboring router. Note. Older versions of DVMRP use Route Report messages to perform neighbor discovery rather than the Probe messages used in DVMRP Version 3.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 545 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 546 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
DVMRP Tunnels
Because not all IP routers support native multicast routing, DVMRP includes direct support for tunneling IP multicast packets through routers. Tunnel interfaces are used when routers incapable of supporting multicast traffic exist between DVMRP neighbors. In tunnel interfaces, IP multicast packets are encapsulated in unicast IP packets and addressed directly to the routers that do not support native multicast routing. DVMRP protocol messages (such as Route Reports, Probes for neighbor discovery, etc.) and multicast traffic are sent between tunnel endpoints using unicast, rather than multicast, packets. Multicast data is encapsulated using a standard IP-IP encapsulation method. The unicast IP addresses of the tunnel endpoints are used as the source and destination IP addresses in the outer IP header. The inner IP header remains unchanged from the original multicast packet.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 547 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
PIM
Protocol-Independent Multicast (PIM) is an IP multicast routing protocol that uses routing information provided by unicast routing protocols such as RIP and OSPF. PIM is protocol-independent because it does not rely on any particular unicast routing protocol. Sparse mode PIM (PIM-SM) contrasts with flood and-prune dense mode multicast protocols, such as DVMRP and PIM Dense Mode (PIM-DM) in that multicast forwarding in PIM-SM is initiated only via specific requests, referred to as Join messages. PIMDM packets are transmitted on the same socket as PIM-SM packets, as both use the same protocol and message format. Unlike PIM-SM, in PIM-DM there are no periodic joins transmitted; only explicitly triggered prunes and grafts. Unlike PIM-SM, there is no Rendezvous Point (RP) in PIM-DM. Source-Specific Multicast (PIM-SSM). The current implementation of PIM includes support for Source- Specific Multicast (PIM-SSM).
PIM Specifications
RFCs Supported 2362Protocol Independent Multicast-Sparse Mode (PIM-SM) Protocol Specification 2934Protocol Independent Multicast MIB for Ipv4 2932Ipv4 Multicast Routing MIB 3973Protocol Independent Multicast-Dense Mode (PIM-DM) 3376Internet Group Management Protocol Draft-ietf-pim-sm-v2-new-05.txtProtocol Independent Multicast Sparse Mode PIM-SM Draft-ietf-pim-mib-v2-00.txtProtocol Independent Multicast MIB includes support for PIM-DM Draft-ietf-pim-sm-bsr-02.txtBootstrap Router (BSR) Mechanism for PIM Sparse Mode PIM-SMv2 Shared trees (also referred to as RP trees), Designated Routers (DRs), Bootstrap Routers (BSRs), Candidate Bootstrap Routers (C-BSRs), Rendezvous Points (RPs) (applicable only for PIM-SM), Candidate Rendezvous Points (C-RPs)) C-RP expiry, C-RP holdtime, C-RP advertisement, Join/Prune, Probe, Register suppression, Hello, Expiry, Assert, Neighbor liveness 100 (default value is 32) 1 1 (e.g., you cannot enable both PIM-SM and DVMRP on the same IP interface)
PIM Timers Supported Maximum Rendezvous Point (RP) routers allowed in a PIM-SM domain Maximum Bootstrap Routers (BSRs) allowed in a PIM domain Multicast Protocols per Interface
PIM Defaults
Parameter Description PIM status PIM load status sparse mode PIM load status dense mode C-BSR mask length Static RP configuration RP threshold C-RP expiry time C-RP holdtime C-RP advertisement interval C-RP priority Source, group data timeout Global Join/Prune interval Maximum RP routers allowed Probe timer Register checksum value Register suppression timer Switchover to Shortest Path Tree (SPT) PIM interface status Interface graft retry interval Interface max graft retries Interface sr ttl threshold Interface Hello message interval Default Value/Comments Disabled Disabled Disabled 30 bits Disabled 65536 300 seconds 150 seconds 60 seconds 0 210 seconds 60 seconds 32 5 seconds Header 60 seconds Enabled Disabled on all interfaces 3 seconds 2 0 30 seconds
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 548 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Interface Join/Prune interval Interface C-BSR preference Interface DR priority Interface LAN prune-delay status Interface LAN prune-delay Interface override interval Interface triggered hello time Interface hello hold time Interface generation ID status Interface Join/Prune hold time Source lifetime Successive state refresh interval State refresh message limit State refresh ttl
60 seconds; this value automatically matches the configured global Join/Prune interval. 0 1 Disabled 500 milliseconds 2500 milliseconds 5 seconds 105 seconds Enabled 210 seconds 210 seconds 60 seconds 0 16
PIM Overview
Protocol-Independent Multicast (PIM) is an IP multicast routing protocol that uses routing information provided by unicast routing protocols such as RIP and OSPF. Note that PIM is not dependent on any particular unicast routing protocol. Sparse mode PIM (PIM-SM) contrasts with flood-and-prune dense mode multicast protocols such as DVMRP in that multicast forwarding in PIM-SM is initiated only via specific requests, referred to as join messages. Downstream routers must explicitly join PIM-SM distribution trees in order to receive multicast streams on behalf of receivers or other downstream PIM-SM routers. This paradigm of receiver-initiated forwarding makes PIM-SM ideal for network environments where receiver groups are thinly populated and bandwidth conservation is a concern, such as in wide area networks (WANs). PIM-DM differs from PIM-SM in two essential ways: There are no periodic joins transmitted, only explicitly triggered prunes and grafts. There is no Rendezvous Point (RP). This is particularly important in networks that cannot tolerate a single point of failure. Note. OmniSwitch 6850 switches support PIM-DM, PIM-SMv2 and are not compatible with PIMSMv1. These components include: Rendezvous Points (RPs) and Candidate Rendezvous Points (C-RPs) Bootstrap Routers (BSRs) and Candidate Bootstrap Routers (C-BSRs) Designated Routers (DRs) Shared Trees, also referred to as Rendezvous Point Trees (RPTs) Avoiding Register Encapsulation
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 549 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Note. Depending on the network configuration, multiple routers may exist between the receivers DR and the RP router. In this case, the (*, G) Join message travels hop-by-hop toward the RP. In each router along the way, the multicast tree state for group G is instantiated. These Join messages converge on the RP to form a distribution tree for group G that is rooted at the RP. Sender 1 sends multicast data to its Designated Router (DR). The source DR then unicast-encapsulates the data into PIM-SM Register messages and sends it on to the RP.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 550 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Once the distribution tree for group G is learned at the RP, the encapsulated data being sent from the source DR is now un-encapsulated at the RP and forwarded natively to the Receiver.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 551 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
When the Senders DR receives the (S,G) Join, it sends data natively as well. When these data packets arrive natively at the RP, the RP will be receiving two copies of each of these packetsone natively and one encapsulated. The RP drops the register-encapsulated packets and forwards only the native packets.
A register-stop packet is sent back to the senders DR to prevent the DR from unnecessarily encapsulating the packets. Once the register-encapsulated packets are discontinued, the packets are flowing natively from the sender to the RP along the source-specific tree to the RP and, from there, along the shared tree to all receivers.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 552 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Because packets are still forwarded along the shared tree from the RP to all of the receivers, this does not constitute a true Shortest Path Tree (SPT). For many receivers, the route via the RP may involve a significant detour when compared with the shortest path from the source to the receivers.
SPT Switchover
It is the last hop Designated Router (DR) that initiates the switchover to a true Shortest Path Tree (SPT) once it receives the first multicast data packet. This method does not use any preconfigured thresholds, such as RP threshold (as described above). Instead, the switchover is initiated automatically, as long as the SPT status is enabled on the switch. Important. SPT status must be enabled for SPT switchover to occur. SPT status is enabled by default. If the SPT status is disabled, the SPT switchover will not occur. The SPT status is configured via the ip pimsm spt status command. To view the current SPT status, use the show ip pimsm command Upon receiving the first multicast data packet, the last hop DR issues a (S, G) source-specific Join message toward the source.
Once the Senders DR receives the (S,G) Join message, it sends the multicast packets natively along the Shortest Path Tree. At this point, Router X (the router shown between the Senders DR and the Receivers DR) will be receiving two copies of the multicast dataone from the SPT, and one from the RPT. This router drops the packets arriving via the RP tree and forwards only those packets arriving via the SPT.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 553 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
An (S, G, RPT) Prune message is sent toward the RP. As a result, traffic destined for this group from this particular source will no longer be forwarded along the RPT. The RP will still receive traffic from the Source. If there are no other routers wishing to receive data from the source, the RP will send an (S, G) Prune message toward the source to stop this unrequested traffic.
The Receiver is now receiving multicast traffic along the Shortest Path Tree between the Receiver and the Source.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 554 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
PIM-SSM Support
Protocol Independent Multicast Source-Specific Multicast (PIM-SSM) is a highly efficient extension of PIM. SSM, using an explicit channel subscription model, allows receivers to receive multicast traffic directly from the source; an RP tree model is not used. In other words, a Shortest Path Tree (SPT) between the receiver and the source is created without the use of a Rendezvous Point (RP). By default, PIM-SM software supports Source-Specific Multicast. No additional user configuration is required. PIM-SSM is automatically enabled and operational as long as PIM-SM is loaded and IGMPv3 source-specific joins are received within the SSM address range. For detailed information on PIM-SSM and Source-Specific Multicast, refer to the IETF Internet Drafts draft-ietf-pim-sm-v2-new-05.txt and draft-ietf-ssm-arch-04.txt, as well as RFC 3569, An Overview of Source-Specific Multicast (SSM). Note. For networks using IGMP proxy, be sure that the IGMP proxy version is set to Version 3. Otherwise, PIM-SSM will not function.
PIM-SSM Specification
RFCs Supported Internet Drafts Supported Valid SSM Address Range 3569An Overview of Source-Specific Multicast (SSM) Draft-ietf-pim-sm-v2-new-05.txtProtocol Independent Multicast Sparse Mode (PIM-SM) Draft-ietf-ssm-arch-04.txtAn Overview of Source-Specific Multicast (SSM) 232.0.0.0 to 232.255.255.255
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 555 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IP Multicast VLAN
Multicasting is a one-to-many transmission mode. It is similar to broadcasting, except that multicasting means sending to specific groups, whereas broadcasting implies sending to all. When sending voluminous data, multicast saves considerable bandwidth as the bulk of the data is transmitted only once from its source through major backbones and are distributed out at switching points closer to end users. IP Multicast VLAN (IPMV) is an innovative feature for service providers delivering residential voice and video services. It involves the creation of separate dedicated VLANs built specifically for multicast traffic distribution. These distribution VLANs connect to the nearest multicast router and support multicast traffic only. Note. IP Multicast VLAN is only supported in Release 6.2.1 for the OmniSwitch 6850 Series. Note. You can also configure and monitor IPMV through WebView, Alcatels embedded web-based device management application. WebView is an interactive and easy-to-use GUI that can be launched from OmniVista or a web browser. Please refer to WebViews online documentation for more information on configuring and monitoring IPMV through WebView.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 556 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 557 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
The following limitations should be noted in the c-tag translation mode: The translation rule applies only to double-tagged frames. IP address translation rule applies to untagged IGMP reports received from customer. The translation rule applies only to the VLAN Stacking IPMVLANs.
Enterprise Mode
IP Multicast VLANs in the Enterprise mode contain normal user ports (fixed/tagged) as their member ports.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 558 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
The paths taken by the packets are described in the following subsections: Untagged Control Packets Ingressing on the Receiver Port The following steps describe the path taken by untagged control packets ingressing on the receiver port: 1: Untagged IPMS join reports for the multicast group G1 are sent to the receiver port. 2: The IPMS reports sent to the CPU of the Ethernet switch are single-tagged with the default SVLAN tag (s-tag). 3: IPMS overwrites the SVLAN tag with the IPMV tag after IPMV table lookup. 4: A single IPMS report, single-tagged with IPMV, is sent to the multicast server for group G1. 5: The single multicast data packet, single-tagged with IPMV, is generated by the multicast server for group G1. 6: The generated multicast data packets are flooded on the receiver port. These data packets are untagged. C-Tag Translation Rule in the VLAN Stacking Mode The following steps describe how the c-tag translation rule works in the VLAN Stacking mode: 1: The IPMS join reports for multicast group G1, which are single-tagged with the CVLAN tag (c-tag) are sent to the receiver port. 2: SVLAN tags are attached before the CVLAN tags in all the IPMS reports going to the CPU of the Ethernet switch. 3: IPMS overwrites the SVLAN tags with the IPMV tags after IPMV table lookup for the inner c-tag. 4: A single IPMS double-tagged report with an IPMV outer tag and a CVLAN inner tag is sent to the multicast server for group G1. 5: The single multicast double-tagged data packets with an IPMV outer tag and a CVLAN inner tag are generated by the multicast server for group G1. 6: The VLAN Stacking egress logic removes the IPMV outer tag. The generated multicast data packets flooded on the receiver port are single-tagged with CVLAN. Single-Tagged Control Packets (with CVLAN) Ingressing on the Receiver Port in the VLAN Stacking Double-Tag Mode The following steps describe the path taken by single-tagged control packets ingressing on the receiver port in the VLAN Stacking double-tag mode: 1: The IPMS join reports for multicast group G1, single-tagged with the CVLAN tag (c-tag), are sent to the receiver. 2: SVLAN tags are attached after the CVLAN tags in all the IPMS reports going to the CPU of the Ethernet switch. 3: IPMS overwrites the SVLAN tags with the IPMV tags after IPMV table lookup for the inner c-tag. 4: A single IPMS double-tagged report with an IPMV outer tag and a CVLAN inner tag is sent to the multicast server for group G1.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 559 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
5: The single multicast double-tagged data packets with an IPMV outer tag and a CVLAN inner tag are generated by the multicast server for group G1. 6: The VLAN Stacking egress logic removes the IPMV outer tag. The generated multicast data packets flooded on the receiver port are single-tagged with CVLAN. Note. All the IPMS control traffic specified for a single multicast service should be tagged with the same CVLAN. Single-Tagged Control Packets (with CVLAN) Ingressing on the Receiver Port in the VLAN Stacking Translation Mode The following steps describe the path taken by single-tagged control packets ingressing on the receiver port in the VLAN Stacking translation mode: 1: The IPMS join reports for multicast group G1, which are single-tagged with the CVLAN tag (c-tag) are sent to the receiver port. 2: CVLAN tags are replaced by the SVLAN tags in all the IPMS reports going to the CPU of the Ethernet switch. 3: IPMS overwrites the SVLAN tags with the IPMV tags after IPMV table lookup. 4: A single IPMV-tagged IPMS report is sent to the multicast server for Group G1. 5: The single multicast packets single-tagged with IPMV are generated by the multicast server for group G1. 6: The VLAN Stacking egress logic replaces the IPMV tag with the CVLAN tag. The multicast data packets flooded on the receiver port are single-tagged with CVLAN. Note. All the IPMS control traffic specified for a single multicast service should be tagged with the same CVLAN.
Enterprise Mode
In the Enterprise mode, two types of control packets ingress on the receiver ports. The paths taken by the packets (as shown in the diagram on page 33-5) are described in the following subsections. Untagged Control Packets Ingressing on the Receiver Port The following steps describe the path taken by untagged control packets ingressing on the receiver port: 1: Untagged IPMS join reports for the multicast group G1 are sent to the receiver port. 2: The IPMS reports sent to the CPU of the Ethernet switch are single-tagged with the default VLAN. 3: IPMS overwrites the tag with the IPMV tag after IPMV table lookup. 4: A single IPMS report, single-tagged with IPMV, is sent to the multicast server for group G1. 5: The single multicast data packet, single-tagged with IPMV, is generated by the multicast server for group G1. 6: The generated multicast data packets are flooded on the receiver port. These data packets are untagged.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 560 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Tagged Control Packets Ingressing on the Receiver Port The following steps describe the path taken by tagged control packets ingressing on the receiver port: 1: The single-tagged IPMS join reports for the multicast group G1 are sent to the receiver port. 2: The IPMS reports are sent to the CPU of the Ethernet switch. 3: IPMS overwrites the tag with the IPMV tag after IPMV table lookup. 4: A single IPMS report, single-tagged with IPMV, is sent to the multicast server for group G1. 5: The single multicast data packet, single-tagged with IPMV, is generated by the multicast server for group G1. 6: The generated multicast data packets are flooded on the receiver port. These data packets are untagged.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 561 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Simplified Manageability
Recognizing a great demand in the marketplace and customers expectation for a level of synergism in the network management, Alcatel-Lucent has developed comprehensive and unified NMS solutions for its full array of networking products. Alcatel-Lucents OmniVista is the voice and data network management platform that features OneTouch Manageability, which allows network managers to quickly configure and manage the switches in the network. OneTouch QoS is a feature of the Alcatel-Lucent policy management software that allows network managers to quickly assign QoS priorities to network traffic based on the characteristics of different applications. OneTouch SecureView is a feature of the AlcatelLucent policy management software that allows network managers to quickly assign security policies to network traffic based on the characteristics of different applications. The AOS OmniSwitch product family offers service-level and policy based-configurations with support for LDAP directory services to enable flexible integration with existing platforms. AOS OmniSwitch product family further supports ease-of-use configuration choices for network administrators proactive network management using SNMPv3, four-groups of RMON-I (statistics, history, alarms, and events), and port mirroring to aid in troubleshooting the network. In addition, switch configuration and management can occur through the following mechanisms: SNMP, Telnet, FTP, Java-based GUI/WebView (standard Web-based Element Manager supporting HTTP/S-HTTP) with OmniVista management, a Command Line Interface (CLI), and fully editable ASCIIText-Based Configuration File. All switch management is completely tied to SNMPv3 since the switch uses public and private MIBs for management. An Overview of the Alcatel-Lucent AOS ease-of-Management features: Carrier-Class Dynamic Mobility This concept which allows user mobility with Voice-over-IP and data roaming across the global enterprise has evolved as an important product-differentiating feature. Users are becoming increasingly mobile, and this can create challenges for network administrators. The AOS OmniSwitch product family features Dynamic Mobility, which simplifies the task of managing remote and mobile users. This allows users to move anywhere in the network without reconfiguration hassle. Users can change locations, connect to a new network switch port, and have access to all their resources without the network administrator intervention. Dynamic mobility can be fully integrated with authentication and policy-based VLANs to provide secure mobility across an entire enterprise network. OmniVista NMS: Alcatel-Lucents Single voice, data and services network management including OneTouch QoS and SecureView. This NMS application encompasses the entire Alcatel-Lucent product family and switching and routing products including the standard-based Wireless LAN solution. o Integration with SNMP manager OmniVista for network wide management WebView Element Manager: Alcatel-Lucents AOS OmniSwitch product family Web-Based Element Manager o Easy to use, point-and-click web based element manager (WebView) with built-in help for easy configuration of new technology features IGMPv1/v2/v3 snooping to optimize multicast traffic BootP/DHCP client allows auto-config of switch IP information to simplify deployment o DHCP relay to forward client requests to a DHCP server Alcatel-Lucent Mapping Adjacency Protocol (AMAP) o Alcatel Mapping Adjacency Protocol (AMAP) for building topology maps within OmniVista Policy-Based Management with LDAP Directory Services, Authentication Servers such as RADIUS, LDAP, and ACE servers Monitoring Tools: Port Mirroring, Port Monitoring, Switch Health, sFlow, and RMON-I o Supports RFC 2819 RMON group (1-Statistics, 2-History, 3-Alarm & 9-Events) o SFlow v5 support to monitor and effectively control and manage the network usage o Port based, port mirroring for troubleshooting and lawful interception, supports four sessions with multiple sources-to-one destination configuration o Port monitoring feature that allows capture of Ethernet packets to a file, or for on-screen display to assist in troubleshooting Through the application of a comprehensive QoS feature set, the AOS OmniSwitch product family is capable of supporting converged applications such as the VoIP Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 562 Software & Hardware Release: AOSv6.3.1r01
Switch Logging, Memory Monitoring, and Switch Configuration Local (on the flash) and remote logging (Syslog) Logging into the Switch through Telnet, FTP, HTTP, SSH, SSL, and SNMPv1&v2&v3 o Remote telnet management or secure shell access using SSH o Secured file upload using SFTP, or SCP o SNMPv1/v2/v3 System File Management o Dual image and dual configuration file storage provides backup Intuitive Alcatel CLI with familiar interface reducing training costs Human readable ASCII based config files for offline editing and bulk configuration Managing Switch Users Accounts & Partitioned Management feature Managing Switch Security Auto-negotiating 10/100/1000 ports automatically configure port speed and duplex setting Auto MDI/MDIX automatically configures transmit and receive signals to support straight through and crossover cabling Network Time Protocol (NTP) for network wide time synchronization GVRP for 802.1Q-compliant VLAN pruning and dynamic VLAN creation
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 563 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Interswitch Protocols
Alcatel-Lucent Interswitch Protocols (AIP) is used to discover adjacent switches and retain mobile port information across switches. The following protocols are supported: Alcatel-Lucent Mapping Adjacency Protocol (AMAP), which is used to discover the topology of OmniSwitches.
AIP Specifications
Standards Maximum number of IP addresses propagated by AMAP Not applicable at this time. AMAP is an Alcatel-Lucent proprietary protocol. 255
AMAP Defaults
Parameter Description AMAP Status Discovery Time Interval Common Time Interval Default Enabled 30 seconds 300 seconds
AMAP Overview
The Alcatel-Lucent Mapping Adjacency Protocol (AMAP) is used to discover the topology of OmniSwitches or Omni S/R(s) in a particular installation. Using this protocol, each switch determines which OmniSwitches or Omni S/R(s) is adjacent to it by sending and responding to Hello update packets. For the purposes of AMAP, adjacent switches are those that: Have a Spanning Tree path between them Do not have any switch between them on the Spanning Tree path that has AMAP enabled AMAP switch ports are either in the discovery transmission state, common transmission state, or passive reception state. Ports transition to these states depending on whether or not they receive Hello responses from adjacent switches. Note. All Hello packet transmissions are sent to a well-known MAC address (0020da:007004).
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 564 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 565 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
IEEE 802.1AB
Link Layer Discovery Protocol (LLDP) is an emerging standard to provide a solution for the configuration issues caused by expanding networks. LLDP supports the network management software used for complete network management. LLDP is implemented as per the IEEE 802.1AB standard. LLDP specifically defines a standard method for Ethernet network devices to exchange information with its neighboring devices and maintain a database of the information. The exchanged information, passed as LLDPDU, is in TLV (Type, Length, and Value) format. The information available to the network management software must be as new as possible; hence, remote device information is periodically updated.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 566 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
802.1AB Overview
LLDP is a Layer 2 protocol for detecting adjacent devices in a network. Each device in a network sends and receives LLDPDUs through all its ports, when the protocol is enabled. If the protocol is disabled on a port or on a device, then LLDPDUs received on that port or device are dropped. The LLDPDUs are transmitted at a certain interval that can be configured. When an LLDPDU is received from a neighboring device, the LLDPDU software validates the frame and stores the information in its remote device Management Information Base (MIB). This information is aged periodically, if an LLDPDU is not received from the same device within the time mentioned in the TTL TLV of the LLDPDU. By exchanging information with all the neighbors, each device will know its neighbor on each port. The information within the LLDPDU is transmitted in TLV (Type, Length, Value) format and falls under two categories: Mandatory Optional Each LLDPDU contains all the four mandatory TLVs and optional TLVs. Mandatory TLVs The mandatory TLV's information contains the LAN device's MAC service access point (MSAP) identifier and the time period for the validity of the LAN device's associated information. The mandatory TLVs contained in a LLDPDU are listed below: Chassis ID TLV Port ID TLV Time to live TLV End of LLDPDU TLV Optional TLVs The optional TLVs defined as part of LLDP are grouped into the following sets listed below: Basic management TLV set Port Description TLV System Name TLV System Description TLV System capabilities TLV Management address TLV Note. This optional TLV set is required for all LLDP implementation. IEEE 802.1 organizationally specific TLV set Port VLAN ID TLV Port and Protocol VLAN ID TLV VLAN name TLV Protocol identity TLV Note. If one TLV from this set is included in the LLDPDU, then all TLVs need to be included. IEEE 802.3 organizationally specific TLV set MAC/PHY configuration/status TLV Power Via MDI TLV (In network connectivity TLV set, Extended Power-Via-MDI TLV is supported.) Link Aggregation TLV Maximum frame size TLV ANSI-TIA LLDP-MED TLV sets Network connectivity TLV set LLDP-MED capabilities TLV Network Policy TLV Location Identification TLV Extended Power-via-MDI TLV When an 802.1AB supporting system receives an LLDPDU containing MED capability TLV, then the remote device is identified as an edge device (IP phone, IP PBX, etc.). In such a case the Alcatel device will stop sending LLDPDU and start sending MED LLDPDU on the port connected to the edge device. OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 567 Software & Hardware Release: AOSv6.3.1r01 Alcatel-Lucent-ESD Calabasas/CA./USA
LLDP Agent Operation A network device that implements LLDP supports an LLDP agent. An LLDP agent operates in any one of the following three modes: Transmit-only mode: The agent can only transmit the information about the capabilities and the current status of the local system at regular intervals. Receive-only mode: The agent can only receive information about the capabilities and the current status of the remote systems. Transmit and receive mode: The agent can transmit the capabilities and status information of the local system and receive the capabilities and the status information of the remote system. LLDPDU Transmission and Reception LLDP operates in a one-way direction, so that the information in the LLDPDUs flows from one device to another. LLDPDUs are not exchanged as an information request by one device and a response sent by another device. The other devices do not acknowledge LLDP information received from a device. The transmission of LLDPDU is based on two factors: Transmit countdown timing counter. For example, whenever the counter expires, it will go through the entire database of ports that have links and send the LLDPDU if the current time has surpassed the retransmission time interval. If there is change in status of any of the ports. For example, a new port is attached or a new link has come up. Reception of LLDPDU is a two phase process: LLDPDU and TLV error handling as per the 802.1AB standard. LLDP remote system MIB update. Aging Time The remote system's LLDP specific information is stored in the LLDP MIB. The TTL TLV carries a positive value in seconds, and tells the other device as how long this information is valid. Once a remote device is learned on a local port, if the receiving device doesn't receive an LLDPDU from the same remote device and on the same local port within the TTL mentioned in the previous LLDPDU, then the local device discards that entry from its database. This is called the aging time and can be set by the user.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 568 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Other RFCs
Maximum number of authentication servers in single authority mode Maximum number of authentication servers in multiple authority mode Maximum number of servers per Authenticated Switch Access type CLI Command Prefix Recognition
Server Defaults
RADIUS Authentication Servers
Defaults for the aaa radius-server command are as follows:
Description Number of retries on the server before the switch tries a backup server Timeout for server replies to authentication requests UDP destination port for authentication UDP destination port for accounting Default 3 2 1645* 1646*
* The port defaults are based on the older RADIUS standards; some servers are set up with port numbers based on the newer standards (ports 1812 and 1813 respectively).
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 569 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Server Overview
Authentication servers are sometimes referred to as AAA servers (authentication, authorization, and accounting). These servers are used for storing information about users who want to manage the switch (Authenticated Switch Access) and users who need access to a particular VLAN or VLANs (Authenticated VLANs). RADIUS or LDAP servers may be used for Authenticated Switch Access and/or Authenticated VLANs. Another type of server, SecurIDs ACE/Server, may be used for authenticated switch access only; the ACE/Server is an authentication-only server (no authorization or accounting). Only RADIUS servers are supported for 802.1X Port-Based Network Access Control. The following table describes how each type of server may be used with the switch:
Server Type ACE/Server RADIUS LDAP Authenticated Switch Access Yes (except SNMP) Yes (except SNMP) Yes (including SNMP) Authenticated VLANs No Yes Yes 802.1X Port-Based Network Access Control No Yes No
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 570 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Authenticated VLANs
For authenticated VLANs, authentication servers contain a database of user names and passwords, challenges/ responses, and other authentication criteria such as time-of-day access. The Authenticated VLAN attribute is required on servers set up in multiple authority modes. Servers may be configured using one of two different modes, single authority mode or multiple authority modes. The mode specifies how the servers are set up for authentication: single authority mode uses a single list (an authentication server and any backups) to poll with authentication requests. Multiple authority modes use multiple lists, one list for each authenticated VLAN.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 571 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
ACE/Server
An external ACE/Server may be used for authenticated switch access. It cannot be used for Layer 2 authentication or for policy management. Attributes are not supported on ACE/Servers. These values must be configured on the switch through the user commands. Since an ACE/Server does not store or send user privilege information to the switch, the switch determines user privileges for Secur/ID logins. When a user attempts to log into the switch, the user ID and password is sent to the ACE/Server. The server determines whether the login is valid. If the login is valid, the user privileges must be determined. The switch checks its user database for the users privileges. If the user is not in the database, the switch uses the default privilege, which is determined by the default user account. There are no server-specific parameters that must be configured for the switch to communicate with an attached ACE/Server; however, you must FTP the sdconf.rec file from the server to the switchs/network directory. This file is required so that the switch will know the IP address of the ACE/Server. The ACE client in the switch is version 4.1; it does not support the replicating and locking feature of ACE 5.0, but it may be used with an ACE 5.0 server if a legacy configuration file is loaded on the server. The legacy configuration must specify authentication to two specific servers (master and slave). To display information about any servers configured for authentication, use the show aaa server command. Also, you may need to clear the ACE/Server secret occasionally because of misconfiguration or required changes in configuration. The ACE/Server generates secrets that it sends to clients for authentication. While you cannot configure the secret on the switch, you can clear it. The secret may need to be cleared because the server and the switch get out of synch.
RADIUS Servers
RADIUS is a standard authentication and accounting protocol defined in RFC 2865 and RFC 2866. A built-in RADIUS client is available in the switch. A RADIUS server that supports Vendor Specific Attributes (VSAs) is required. The Alcatel-Lucent attributes may include VLAN information, time-of-day, or slot/port restrictions.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 572 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
LDAP Servers
Lightweight Directory Access Protocol (LDAP) is a standard directory server protocol. The LDAP client in the switch is based on several RFCs: 1798, 2247, 2251, 2252, 2253, 2254, 2255, and 2256. The protocol was developed as a way to use directory services over TCP/IP and to simplify the directory access protocol (DAP) defined as part of the Open Systems Interconnection (OSI) effort. Originally it was a front-end for X.500 DAP. The protocol synchronizes and governs the communications between the LDAP client and the LDAP server. The protocol also dictates how its databases of information, which are normally stored in hierarchical form, are searched, from the root directory down to distinct entries. In addition, LDAP has its own format that permits LDAP-enabled Web browsers to perform directory searches over TCP/IP.
Directory Entries
Directory entries are used to store data in directory servers. LDAPenabled directory entries contain information about an object (person, place, or thing) in the form of a Distinguished Name (DN) that should be created in compliance with the LDAP protocol naming conventions. Distinguished names are constructed from Relative Distinguished Names (RDNs), related entries that share no more than one attribute value with a DN. RDNs are the components of DNs, and DNs are string representations of entry names in directory servers. Distinguished names typically consist of descriptive information about the entries they name, and frequently include the full names of individuals in a network, their email addresses, TCP/IP addresses, with related attributes such as a department name, used to further distinguish the DN. Entries include one or more object classes, and often a number of attributes that are defined by values. Object classes define all required and optional attributes (a set of object classes is referred to as a schema). As a minimum, every entry must include the DN and one defined object class, like the name of an organization. Attributes required by a particular object class must also be defined. Some commonly used attributes that comprise a DN include the following: Country (c), State or Province (st), Locality (l), Organization (o), Organization Unit (ou), and Common Name (cn) Although each attribute would necessarily have its own values, the attribute syntax determines what kind of values are allowed for a particular attribute, e.g., (c=US), where country is the attribute and US is the value. Extra consideration for attribute language codes will be necessary if entries are made in more than one language. Entries are usually based on physical locations and established policies in a Directory Information Tree (DIT); the DN locates an entry in the hierarchy of the tree. Alias entries pointing to other entries can also be used to circumvent the hierarchy during searches for entries. Once a directory is set up, DN attributes should thereafter be specified in the same order to keep the directory paths consistent. Commas as shown in this example separate DN attributes: cn=your name, ou=your function, o= your company, c=US As there are other conventions used, please refer to the appropriate RFC specification for further details.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 573 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
In addition to managing attributes in directory entries, LDAP makes the descriptive information stored in the entries accessible to other applications. The general structure of entries in a directory tree is shown in the following illustration. It also includes example entries at various branches in the tree.
Directory Searches
DNs are always the starting point for searches unless indicated otherwise in the directory schema. Searches involve the use of various criteria including scopes and filters, which must be predefined, and utility routines, such as Sort. Searches should be limited in scope to specific durations and areas of the directory. Some other parameters used to control LDAP searches include the size of the search and whether to include attributes associated with name searches. Base objects and scopes are specified in the searches, and indicate where to search in the directory. Filters are used to specify entries to select in a given scope. The filters are used to test the existence of object class attributes, and enable LDAP to emulate a read of entry listings during the searches. All search preferences are implemented by means of a filter in the search. Filtered searches are based on some component of the DN.
Directory Modifications
Modifications to directory entries contain changes to DN entry attribute values, and are submitted to the server by an LDAP client application. The LDAP-enabled directory server uses the DNs to find the entries to either add or modify their attribute values. Attributes are automatically created for requests to add values if the attributes are not already contained in the entries. All attributes are automatically deleted when requests to delete the last value of an attribute are submitted. Attributes can also be deleted by specifying delete value operations without attaching any values. Modified attribute values are replaced with other given values by submitting replace requests to the server, which then translates and performs the requests.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 574 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 575 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 576 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 577 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
UDLD
Uni Directional Link Detection (UDLD) is a protocol for detecting and disabling unidirectional Ethernet fiber or copper links caused by mis-wiring of fiber strands, interface malfunctions, media converter faults, etc. The UDLD operates at Layer 2 in conjunction with IEEE 802.3's existing Layer 1 fault detection mechanisms. UDLD is a lightweight protocol that can be used to detect and disable one-way connections before they create dangerous situations such as Spanning Tree loops or other protocol malfunctions. The protocol is mainly used to advertise the identities of all the UDLD-capable devices attached to the same LAN segment and to collect the information received on the ports of each device to determine whether the Layer 2 communication is functioning properly. All connected devices must support UDLD for the protocol to successfully identify and disable unidirectional links. When UDLD detects a unidirectional link, the protocol administratively shuts down the affected port and generates a trap to alert the user.
UDLD Specifications
The following table lists important information about UDLD Specifications:
RFCs supported IEEE Standards supported Probe-message advertisement timer Echo-based detection timer Maximum neighbors per UDLD port Maximum number of UDLD ports per system
Not applicable at this time Not applicable at this time 7 to 90 in seconds 4 to 15 in seconds 32 128
UDLD Defaults
Description UDLD administrative state UDLD status of a port UDLD operational mode Probe-message advertisement timer Echo-based detection timer Default Disabled Disabled Normal 15 Seconds 8 Seconds
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 578 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
UDLD Overview
UDLD is a Layer 2 protocol used to examine the physical configuration connected through fiber-optic or twisted-pair Ethernet cables. UDLD detects and administratively shuts down the affected port, and alerts the user when a unidirectional link exists. Unidirectional links can create hazardous situations such as Spanning-Tree topology loops caused, for instance, by unwiring of fiber strands, interface malfunctions, media converters faults, etc. The UDLD feature is supported on the following port types: Copper ports Fiber ports
Normal Mode
In this mode, the protocol depends on explicit information instead of implicit information. If the protocol is unable to retrieve any explicit information, the port is not put in the shutdown state; instead, it is marked as Undetermined. The port is put in the shutdown state only when it is explicitly determined that the link is defective when it is determined on the basis of UDLD-PDU processing that link has become unidirectional. In any such state transition, a trap is raised.
Aggressive Mode
In this mode, UDLD checks whether the connections are correct and the traffic is flowing bidirectionally between the respective neighbors. The loss of communication with the neighbor is considered an event to put the port in shutdown state. Thus, if the UDLD PDUs are not received before the expiry of a timer, the port is put in the UDLD-shutdown state. Since the lack of information is not always due to a defective link, this mode is optional and is recommended only for point-to-point links. UDLD shuts down the affected interface when one of these problems occurs: On fiber-optic or twisted-pair links, one of the interfaces cannot send or receive traffic. On fiber-optic or twisted-pair links, one of the interfaces is down while the other is up. One of the fiber strands in the cable is disconnected.
Echo detection
UDLD depends on an echo-detection mechanism. UDLD restarts the detection window on its side of the connection and sends echo messages in response to the request, whenever a UDLD device learns about a new neighbor or receives a resynchronization request from an out-of-sync neighbor. This behavior is the same on all UDLD neighbors because the sender of the echoes expects to receive an echo as a response. If the detection window ends and no valid response is received, the link will be shut down, depending on the UDLD mode. When UDLD is in normal mode, the link is considered to be undetermined and will not be shut down. When UDLD is in aggressive mode, the link is considered to be unidirectional, and the interface is shut down. In normal mode, if UDLD is in the advertisement or in the detection phase and all the neighbor cache entries are aged out, UDLD restarts the link-up sequence to re-synchronize with potentially out-of-sync neighbors. In aggressive mode, if UDLD is in the advertisement or in the detection phase and all the neighbors of a port are aged out, UDLD restarts the link-up sequence to re-synchronize with potentially out-of-sync neighbors. UDLD shuts down the port, after the continuous messages, if the link state is undetermined.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 580 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Port Mirroring
Port mirroring copies all incoming and outgoing traffic from a single mirrored Ethernet port to a second mirroring Ethernet port, where it can be monitored with a Remote Network Monitoring (RMON) probe or network analysis device without disrupting traffic flow on the mirrored port. Switch Health monitoring software checks previously configured threshold levels for the switchs consumable resources, and notifies the Network Monitoring Station (NMS) if those limits are violated.
On OmniSwitch 9000 switches, you can set up port mirroring between Ethernet ports within the same switch chassis, while on OmniSwitch 6800 and 6850 switches, you can set up port mirroring across switches within a stack. Ethernet ports supporting port mirroring include 10BaseT/100BaseTX/1000BaseT (RJ-45), 1000BaseSX/LX/LH, and 10GBaseS/L (LC) connectors. When port mirroring is enabled, the active mirrored port transmits and receives network traffic normally, and the mirroring port receives a copy of all transmit and receive traffic to the active port. You can connect an RMON probe or network analysis device to the mirroring port to see an exact duplication of traffic on the mirrored port without disrupting network traffic to and from the mirrored port. Port mirroring runs in the Chassis Management software and is supported for Ethernet (10 Mbps), Fast Ethernet (100 Mbps), Gigabit Ethernet (1000 Mbps), and 10 Gigabit Ethernet (10000 Mbps) ports. In addition, the switch supports N-to-1 port mirroring, where up to 24 (OS6800) or 128 (OS6850/OS9000) source ports can be mirrored to a single destination port. Note the following restriction when configuring a port mirroring session: One (1) port mirroring session is supported per standalone switch chassis, or in the case of OmniSwitch 6800 and 6850 switches, in a stack consisting of two or more switches. You cannot configure a port mirroring and a port monitoring session on the same NI module in an OmniSwitch 9000. You cannot configure port mirroring and monitoring on the same switching ASIC on OmniSwitch 6850 Series switches. Each switching ASIC controls 24 ports (e.g., ports 124, 2548, etc.). For example, if a port mirroring session is configured for ports 1/12 and 1/22, then configuring a port monitoring session for any of the ports between 1 and 24 is not allowed. You cannot configure port mirroring and monitoring on the same switching ASIC on OmniSwitch 6800 Series switches. Each switching ASIC controls 12 ports (e.g., ports 112, 1324, etc.). For example, if a port mirroring session is configured for ports 1/6 and 1/10, then configuring a port monitoring session for any of the ports between 1 and 12 is not allowed. If a port mirroring session is configured across two switching ASICs, then configuring a monitoring session is not allowed on any of the ports controlled by each of the ASICs involved. For example, if a port mirroring session is configured for ports 1/8 and 1/30 on a 48-port switch, then configuring a port monitoring session involving any of the ports between 1 and 48 is not allowed. OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 581 Software & Hardware Release: AOSv6.3.1r01 Alcatel-Lucent-ESD Calabasas/CA./USA
By default, port-mirroring sessions are bi-directional. What Ports Can Be Mirrored? OmniSwitch 6800/6850/9000 Series switches support mirroring (where applicable) between any 10/100/1000 port to any other 10/100/1000 port and between any fiber MiniGBIC SFP to any other fiber MiniGBIC SFP port. How Port Mirroring Works When a frame is received on a mirrored port, it is copied and sent to the mirroring port. The received frame is actually transmitted twice across the switch backplaneonce for normal bridging and then again to the mirroring port. When the mirrored port transmits a frame, a copy of the frame is made, tagged with the mirroring port as the destination, and sent back over the switch backplane to the mirroring port. The diagram below illustrates the data flow between the mirrored and mirroring ports. Note that when port mirroring is enabled, performance may be affected, since all frames received and transmitted by the mirrored port need to be copied and sent to the mirroring port.
What Happens to the Mirroring Port When you set up port mirroring and attach cables to the mirrored and mirroring ports, the mirroring port remains enabled and part of the Bridging Spanning Tree until you protect it from Spanning Tree updates by specifying an unblocked VLAN as part of the configuration command line. The mirroring port does not transmit or receive any traffic on its own. Mirroring on Multiple Ports If mirroring is enabled on multiple ports and the same traffic is passing through these ports, then only one copy of each packet is sent to the mirroring destination. When the packet is mirrored first time, the switching ASIC flags the packet as already mirrored If the packet goes through one more port where mirroring is enabled, that packet will not be mirrored again. If both mirroring and monitoring are enabled then the packet will be either mirrored or monitored (i.e., sent to CPU), whichever comes first. OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 582 Software & Hardware Release: AOSv6.3.1r01 Alcatel-Lucent-ESD Calabasas/CA./USA
Creating a Mirroring Session Before port mirroring can be used, it is necessary to create a port mirroring session. The port mirroring source destination CLI command can be used to create a mirroring session between a mirrored (active) port and a mirroring port. One (1) port mirroring session is supported in a standalone switch or in a stack consisting of two or more switches. In addition, N-to-1 port mirroring is supported; where up to 24 (OS6800) or 128 (OS6850/OS9000) source ports can be mirrored to a single destination port. Note. To prevent the mirroring (destination) port from being blocked due to Spanning Tree changes, be sure to specify the VLAN ID number (from 1 to 4094) for the port that will remain unblocked (protected from these changes while port mirroring is active). This parameter is optional; if it is not specified, changes resulting from Spanning Tree could cause the port to become blocked (default).
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 583 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Application Example
The following diagram shows an example of a Remote Port Mirroring Configuration.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 584 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Port Monitoring
Port Monitoring Specifications
Ports Supported Monitoring Sessions Supported File Type Supported Ethernet (10 Mbps)/Fast Ethernet (100 Mbps)/Gigabit Ethernet (1 Gb/1000 Mbps) /10 Gigabit Ethernet (10 Gb/10000 Mbps) One per switch. ENC file format (Network General Sniffer Network Analyzer Format)
An essential tool of the network engineer is a network packet capture device. A packet capture device is usually a PC-based computer, such as the Sniffer, that provides a means for understanding and measuring data traffic of a network. Understanding data flow in a VLAN-based switch presents unique challenges primarily because traffic takes place inside the switch, especially on dedicated devices. By default, a port monitoring session will never be disabled. The length of time before a port monitoring session is disabled is from 0 (the default, where the session is permanent) to 2147483647 seconds. By default, a file called pmonitor.enc is created in the /flash directory when you configure and enable a port monitoring session. By default, port-monitoring sessions are bi-directional. The port-monitoring feature allows you to examine packets to and from a specific Ethernet port. Port monitoring has the following features: Software commands to enable and display captured port data. Captures data in Network General file format. A file called pmonitor.enc is created in /flash memory when you configure and enable a port monitoring session. Data packets time stamped. One port monitored at a time. RAM-based file system. Statistics gathering and display The port-monitoring feature also has the following restrictions: Estimated packet capture rate is around 500 packets/second. The maximum number of monitoring session is limited one per switch Link Aggregation ports can not be monitored If both mirroring and monitoring are enabled then packets will be either mirrored or monitored (i.e., sent to CPU), whichever comes first. You can select to dump real-time packets to a file. Once a file is captured, you can FTP it to a Sniffer or PC for viewing. Note. Port monitoring requires Release 6.1.1.R01 or later.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 585 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Flavor (Probe Type) Status History Control Interval (seconds) History Sample Index Range Alarm Interval (seconds) Alarm Startup Alarm Alarm Sample Type RMON Traps Supported
Remote Network Monitoring (RMON) is an SNMP protocol used to manage networks remotely. RMON probes can be used to collect, interpret, and forward statistical data about network traffic from designated active ports in a LAN segment to an NMS (Network Management System) application for monitoring and analysis without negatively impacting network performance. RMON software is fully integrated in the Chassis Management software and works with the Ethernet software to acquire statistical information. The following diagram illustrates how an External RMON probe can be used with port mirroring to copy RMON probe frames and Management frames to and from the mirroring and mirrored ports. Frames received from an RMON probe attached to the mirroring port can be seen as being received by the mirrored port. These frames from the mirroring port are marked as if they are received on the mirrored port before being sent over the switch backplane to an NMS station. Therefore, management frames that are destined for the RMON probe are first forwarded out of the mirrored port. After being received on the mirrored port, copies of the frames are mirrored out of the mirroring portthe probe attached to the mirroring port receives the management frames.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 586 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
RMON probes can be enabled or disabled via CLI commands. Configuration of Alarm threshold values for RMON traps is a function reserved for RMON-monitoring NMS stations. This feature supports basic RMON 4 group implementation in compliance with RFC 2819, including the Ethernet Statistics, History (Control & Statistics), Alarms and Events groups (described below). Note. RMON 10 group and RMON2 are not implemented in the current release. An external RMON probe that includes RMON 10 group and RMON2 may be used where full RMON probe functionality is required.
Ethernet Statistics
Ethernet statistics probes are created whenever new ports are inserted and activated in the chassis. When a port is removed from the chassis or deactivated, the Ethernet statistics group entry associated with the physical port is invalidated and the probe is deleted. The Ethernet statistics group includes port utilization and error statistics measured by the RMON probe for each monitored Ethernet interface on the switch. Examples of these statistics include CRC (Cyclic Redundancy Check)/alignment, undersized/oversized packets, fragments, broadcast/multicast/unicast, and bandwidth utilization statistics.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 587 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Alarm
The Alarm group collects periodic statistical samples from variables in the probe and compares them to previously configured thresholds. If a sample crosses a previously configured threshold value, an Event is generated. Examples include Absolute or Relative Values, Rising or Falling Thresholds on the Utilization Frame Count and CRC Errors.
Event
The Event group controls generation and notification of events from the switch to NMS stations. For example, customized reports based on the type of Alarm can be generated, printed and/or logged. Notes. The following RMON groups are not implemented: Host, HostTopN, Matrix, Filter and Packet Capture. Network activity on sub-networks attached to an RMON probe can be monitored by Network Management Software (NMS) applications.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 588 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Switch Health
Switch Health Specifications
Health Functionality Supported Switch level CPU Utilization Statistics (percentage); Switch/module/port level Input Utilization Statistics (percentage); Switch/module/port level Input/Output Utilization Statistics (percentage); Switch level Memory Utilization Statistics (percentage); Device level Temperature Statistics (Celsius). Most recent utilization level; Average utilization level during last minute; Average utilization level during last hour; Maximum utilization level during last hour. Saved for previous 60 seconds. Stored. Calculated for previous 60 seconds and stored. Indicates that none of the resource was measured for the period. Indicates that a non-zero amount of the resource (less than 2%) was measured for the period. Calculated based on Resource Measured During Period/Total Capacity. Apply automatically across all levels of switch (switch/module/port). A Resource Threshold was exceeded by its corresponding utilization value in the current cycle. A Resource Threshold was exceeded by its corresponding utilization value in the previous cycle, but is not exceeded in the current cycle. Device, module, port-level threshold crossings.
Resource Utilization Raw Sample Values Resource Utilization Current Sample Values Resource Utilization Maximum Utilization Value Utilization Value = 0 Utilization Value = 1 Percentage Utilization Values Resource Threshold Levels Rising Threshold Crossing Falling Threshold Crossing Threshold Crossing Traps Supported
To monitor resource availability, the NMS (Network Management System) needs to collect significant amounts of data from each switch. As the number of ports per switch (and the number of switches) increases, the volume of data can become overwhelming. The Health Monitoring feature can identify and monitor a switchs resource utilization levels and thresholds, improving efficiency in data collection.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 589 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Health Monitoring provides the following data to the NMS: Switch-level Input/Output, Memory and CPU Utilization Levels Module-level and Port-level Input/Output Utilization Levels Health monitoring software monitors threshold levels for the switchs consumable resourcesbandwidth, RAM memory, and CPU capacityas well as the ambient chassis temperature. When a threshold is exceeded, the Health Monitoring feature sends a trap to the Network Management Station (NMS). A trap is an alarm alerting the user to specific network events and, in the case of Health-related traps, indicates specifically which threshold has been crossed. Note. When a resource falls back below the configured threshold, an addition trap is sent to the user. This indicates that the resource is no longer operating beyond its configured threshold limit. For each monitored resource, the following variables are defined: Most recent utilization level (percentage) Average utilization level over the last minute (percentage) Average utilization level over the last hour (percentage) Maximum utilization level over the last hour (percentage) Threshold level Additionally, Health Monitoring provides the capacity to specify thresholds for the resource utilization levels it monitors, and generates traps based on the specified threshold criteria. The CLI commands that can be used to configure resource parameters and monitor or reset statistics for switch resources include: Health thresholdConfigures threshold limits for input traffic (RX), output/input traffic (TX/RX), memory usage, CPU usage, and chassis temperature. Show health thresholdDisplays current health threshold settings. Health intervalConfigures sampling interval between health statistics checks. Show health intervalDisplays current health sampling interval, measured in seconds. Show health Displays health statistics for the switch, as percentages of total resource capacity. Health statistics resetResets health statistics for the switch.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 590 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
SFlow
SFlow is a network monitoring technology that gives visibility in to the activity of the network, by providing network usage information. It provides the data required to effectively control and manage the network usage. SFlow is a sampling technology that meets the requirements for a network traffic monitoring solution. SFlow provides a network-wide view of usage and active routes. It is used for measuring network traffic, collecting, storing, and analyzing the traffic data. As it is scalable, that doesnt add significant network load. SFlow is an industry standard with many vendors delivering products with this support. Some of the applications of the sFlow data include: Detecting, diagnosing, and fixing network problems Real-time congestion management Detecting unauthorized network activity Usage accounting and billing Understanding application mix Route profiling and peer optimization Capacity planning SFlow is a sampling technology embedded within switches/routers. It provides the ability to monitor the traffic flows. It requires a sFlow Agent software process running as part of the switch software and a sFlow collector which receives and analyses the monitored data. sFlow collector makes use of SNMP to communicate with a sFlow agent in order to configure sFlow monitoring on the device (switch). SFlow agent running on the switch/router, combines interface counters and traffic flow (packet) samples preferably on all the interfaces into sFlow Datagrams that are sent across the network to a sFlow collector. Packet sampling on the switch/router is typically performed by the switching/routing ASICs, providing wire-speed performance. In this case, sFlow agent does very little processing, by packaging data into sFlow Datagrams that are immediately sent on network. This minimizes the memory and CPU utilization by sFlow agent. MIB information for the sFlow commands is as follows: Filename: Alcatel-LucentIND1PortMirMon.MIB Module: Alcatel-Lucent-IND1-PORT-MIRRORING-MONITORING-MIB Filename: SFLOW_RFC3176.MIB Module: SFLOW-MIB
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 591 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Switch Logging
Switch logging is an event logging utility that is useful in maintaining and servicing the switch. Switch logging uses a formatted string mechanism to either record or discard event data from switch applications. The log records are copied to the output devices configured for the switch. Log records can be sent to a text file and written into the flash file system. The log records can also be scrolled to the switchs console or to a remote IP address. Switch logging information can be customized and configured through Command Line Interface (CLI) commands, WebView and SNMP. Log information can be helpful in resolving configuration or authentication issues, as well as general switch errors. Notes. Switch logging commands are not intended for use with low-level hardware and software debugging. It is strongly recommended that you contact an Alcatel-Lucent Customer Service representative for assistance with debugging functions.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 592 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 593 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
The fields in the above example are defined as follows: The FILE ID field specifies the File name (e.g., swlog1.log), endPtr Global Sequence ID reference number (e.g., 9968), Configuration Size (e.g., 10000), Current Size (e.g., 10000), and Mode (e.g., 2). The Timestamp field indicates when the swlog entry occurred (e.g., THU, NOV 12, 02:06:52 2001). The Application field specifies the application ID for which the stored swlog information is displayed (e.g., SYSTEM). The Level field specifies the severity level for which the stored information is displayed (e.g., Warning). The Log Message field specifies the condition recorded by the switch-logging feature. The information in this field usually wraps around to the next line of the screen display as shown in this example.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 594 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Monitoring Memory
Debug memory monitor commands can monitor memory allocation and free memory (such as detection of invalid free addresses and maintenance of size statistics). These commands are useful for monitoring logging of events, leak detection, classification of memory allocations, detection of invalid free addresses, and maintenance of size statistics. Notes. System Debug (kTrace and sysTrace) commands is intended for use by qualified Alcatel-Lucent Customer Support personnel to assist customers in diagnosing or debugging system performance. For information about these commands, see the chapter titled, Memory Monitoring Commands in the OmniSwitch CLI Reference Guide. It is strongly recommended that you contact an Alcatel-Lucent Customer Service representative for assistance. The Switch Logging feature is a high-level event logging mechanism that can also be useful in maintaining and servicing the switch. The configuration snapshot command can be used to capture and save all kTrace, sysTrace, Memory Monitor, and Switch Logging configuration settings in a snapshot text file that can be viewed, edited, and used as a configuration file.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 595 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Logging Specifications
Telnet clients supported FTP clients supported HTTP (WebView) clients supported Any standard Telnet client. Any standard FTP client. Internet Explorer for Windows NT, Windows XP, and Windows 2000, version 6.0 Netscape for Windows NT, Windows XP, and Windows 2000, version 7.1 Netscape for Sun OS 2.8, version 4.79 Netscape for HP-UX 11.0, version 4.79. Any standard Secure Shell client (Secure Shell Version 2). Any standard SNMP manager.
Login Defaults
Parameter Description Session login attempts allowed before the TCP connection is closed. Timeout period allowed for session login before the TCP connection is closed. Inactivity timeout period. The length of time the switch can remain idle during a login session before the switch will close the session. Default 3 attempts 55 seconds 4 minutes
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 596 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Management Interfaces
Logging into the switch may be done locally or remotely. Remote connections may be secure or insecure, depending on the method. Management interfaces are enabled using the aaa authentication command. This command also requires specifying the external servers and/or local user database that will be used to authenticate users. The process of authenticating users to manage the switch is called Authenticated Switch Access (ASA).
User Accounts
User accounts may be configured and stored directly on the switch, and user accounts may also be configured and stored on an external authentication server or servers. The accounts include a username and password. In addition, they also specify the users privileges or end-user profile, depending on the type of user account. In either case, the user is given read-only or read-write access to particular commands. Local User Database The user command creates accounts directly on the switch. External Authentication Servers The switch may be set up to communicate with external authentication servers that contain user information. The user information includes usernames and passwords; it may also include privilege information or reference an end-user profile name. OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 597 Software & Hardware Release: AOSv6.3.1r01 Alcatel-Lucent-ESD Calabasas/CA./USA
Using Telnet
Telnet may be used to log into the switch from a remote station. All of the standard Telnet commands are supported by software in the switch. When Telnet is used to log in, the switch is acting as a Telnet server. A Telnet session may also be initiated from the switch itself during a login session. In this case, the switch is acting as a Telnet client. Logging Into the Switch Via Telnet Before you can log into the OmniSwitch using a Telnet interface, the telnet option of the aaa authentication command must be enabled. Once enabled, any standard Telnet client may be used to log into the switch. To log into the switch, open your Telnet application and enter the switchs IP address (the IP address will typically be the same as the one configured for the EMP). The switchs welcome banner and login prompt display. Note. A Telnet connection is not secure. Secure Shell is recommended instead of Telnet or FTP as a secure method of accessing the switch.
Using FTP
The OmniSwitch can function as an FTP server. Any standard FTP client may be used. Note. An FTP connection is not secure. Secure Shell is recommended instead of FTP or Telnet as a secure method of accessing the switch. Using FTP to Log Into the Switch You can access the OmniSwitch with a standard FTP application. To login to the switch, start your FTP client. Where the FTP client asks for Name, enter the IP address of your switch. Where the FTP client tasks for User ID, enter the username of your login account on the switch. Where the FTP client asks for Password, enter your switch password. Note. If you are using Authenticated Switch Access (ASA), the port interface must be authenticated for FTP use and the username profile must have permission to use FTP. Otherwise the switch will not accept an FTP login. Note. You must use the binary mode (bin) to transfer image files via FTP.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 598 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
The drawing below shows a slightly different application. Here, a terminal connected to a single OmniSwitch acting as a Secure Shell client as an entry point into the network. In this scenario, the client portion of the Secure Shell software is used on the connecting OmniSwitch and the server portion of Secure Shell is used on the switches or servers being managed.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 599 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Protocol Identification
When the Secure Shell client in the OmniSwitch connects to a Secure Shell server, the server accepts the connection and responds by sending back an identification string. The client will parse the servers identification string and send an identification string of its own. The purpose of the identification strings is to validate that the attempted connection was made to the correct port number. The strings also declare the protocol and software version numbers. This information is needed on both the client and server sides for debugging purposes. At this point, the protocol identification strings are in human-readable form. Later in the authentication process, the client and the server switch to a packet-based binary protocol, which is machine-readable only.
Note. The OmniSwitch generates a 512-bit DSA host key at initial startup. The DSA key on the switch is made up of two files contained in the /flash/network directory; the public key is called ssh_host_dsa_key.pub, and the private key is called ssh_host_dsa_key. To generate a different DSA key, use the Secure Shell tools available on your Unix or Windows system and copy the files to the /flash/network directory on your switch. The new DSA key will take effect after the OmniSwitch is rebooted. Authentication Phase When the client tries to authenticate, the server determines the process used by telling the client which authentication methods can be used. The client has the freedom to attempt several methods listed by the server. The server will disconnect itself from the client if a certain number of failed authentications are attempted or if a timeout period expires. Authentication is performed independent of whether the Secure Shell interface or the SFTP file transfer protocol will be implemented. Connection Phase After successful authentication, both the client and the server process the Secure Shell connection protocol. The OS6850 supports one channel for each Secure Shell connection. This channel can be used for a Secure Shell session or a Secure Shell FTP session.
File Transfer
The switch can receive and send files using industry standard local and remote transfer methods. Because file transfers can involve logging onto the switch from a remote host, security factors, such as DNS resolver and Authenticated Switch Access requirements should be considered. It is not enough to simply transfer a file onto the switch. Once files are on the switch, they must be registered in order to become functional. The OmniSwitch has a directory structure that allows you to install new software while maintaining a backup copy of your old configuration.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 601 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Switch Directories
You can create your own directories in the switch flash directory. This allows you to organize your configuration and text files on the switch. You can also use the vi command to create files.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 602 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Using Wildcards
Wildcards allow you to substitute symbols (* or ?) for text patterns while using file and directory commands. The asterisk (*) takes the place of multiple characters and the question mark character (?) takes the place of single characters. More than one wildcard can be used within a single text string.
Directory Commands
The directory commands are applied to the switch file system and to files contained within the file system. When you first enter the flash directory, your login is located at the top of the directory tree. You may navigate within this directory by using the pwd and cd commands. The location of your login within the directory structure is called your current directory. You need to observe your login location because when you issue a command, that command applies only to directories and files in your current directory unless another path is specified. Note: Although, the following illustrates the OmniSwitch 6800 logical representation of the file directory, the OmniSwitch 6850 logical representation of the file directory is also very similar.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 603 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Using Zmodem
A Zmodem application is included in the switch software so that new programs and archives can be uploaded through the switchs serial console port. There are generally two situations that would require you to use the switchs console serial port to load software-using Zmodem. Your system is having problems and the FTP transfer method does not work. The switchs Ethernet Management port is either not functioning or not configured. To use Zmodem, you must have a terminal emulator that supports the Zmodem protocol. There are many Zmodem products available that operate differently.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 604 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 605 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 606 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
NTP Specifications
RFCs supported Maximum number of NTP servers per client 1305Network Time Protocol 3
NTP Defaults
Parameter Description Specifies an NTP server from which this switch will receive updates. Default Value/Comments Version: 4 Minpoll: 6 Prefer: no Key: 0 Disabled Disabled 4000 microseconds
Used to activate client Used to activate NTP client broad-cast mode Used to set the advertised broadcast delay, in microseconds.
NTP Overview
The Network Time Protocol (NTP) is used to synchronize the time of a computer client or server to another server or reference time source, such as a radio or satellite receiver. It provides client time accuracies within a millisecond on LANs, and up to a few tens of milliseconds on WANs relative to a primary server synchronized to Universal Coordinated Time (UTC) (via a Global Positioning Service receiver, for example). Typical NTP configurations utilize multiple redundant servers and diverse network paths in order to achieve high accuracy and reliability. Some configurations include cryptographic authentication to prevent accidental or malicious protocol attacks. It is important for networks to maintain accurate time synchronization between network nodes. The standard timescale used by most nations of the world is based on a combination of UTC (representing the Earths rotation about its axis), and the Gregorian Calendar (representing the Earths rotation about the Sun). The UTC timescale is disciplined with respect to International Atomic Time (TAI) by inserting leap seconds at intervals of about 18 months. UTC time is disseminated by various means, including radio and satellite navigation systems, telephone modems, and portable clocks. Special purpose receivers are available for many time-dissemination services, including the Global Position System (GPS) and other services operated by various national governments. For reasons of cost and convenience, it is not possible to equip every computer with one of these receivers. However, it is possible to equip some computers with these clocks, which then act as primary timeservers to synchronize a much larger number of secondary servers and clients connected by a common network. In order to do this, a distributed network clock synchronization protocol is required which can read a server clock, transmit the reading to one or more clients, and adjust each client clock as required. Protocols that do this include NTP. Note. The Alcatel-Lucent OmniSwitch 6600, 6800, 6850, 7700, 7800, 8800, and 9000 switches can only be NTP clients in an NTP network. They cannot act as NTP servers.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 607 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Stratum
Stratum is the term used to define the relative proximity of a node in a network to a time source (such as a radio clock). Stratum 1 is the server connected to the time source itself. (In most cases the time source and the stratum 1 server are in the same physical location.) An NTP client or server connected to a stratum 1 source would be stratum 2. A client or server connected to a stratum 2 machine would be stratum 3, and so on, as demonstrated in the diagram below.
The farther away from stratum 1 a device is, the more likely there will be discrepancies or errors in the time adjustments done by NTP. A list of stratum 1 and 2 sources available to the public can be found on the Internet. Note. It is not required that NTP be connected to an officially recognized time source (for example, a radio clock). NTP can use any time source to synchronize time in the network.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 608 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Servers 1a & 1b receive time information from, or synchronize with, a UTC time source such as a radio clock. (In most cases, these servers would not be connected to the same UTC source, though it is shown this way for simplicity.). Servers 1a and 1b become stratum 1 NTP servers and are peered with each other, allowing them to check UTC time information against each other. These machines support machines 2a and 2b as clients, and these clients are synchronized to the higher stratum Servers 1a & 1b. Clients 2a and 2b are also peered with each other for time checks, and become stratum 2 NTP servers for more clients (3a and 3b, which are also peered). In this hierarchy, the stratum 1 servers synchronize to the most accurate time source available, and then check the time information with peers at the same stratum. The stratum 2 machines synchronize to the stratum 1 servers, but do not send time information to the stratum 1 machines. Machines 2a and 2b in turn provide time information to the stratum 3 machines. It is important to consider the issue of robustness when selecting sources for time synchronization.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 609 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
It is suggested that at least three sources should be available, and at least one should be close to you in terms of network topology. It is also suggested that each NTP client is peered with at least three other same stratum clients, so that time information crosschecking will be performed. Note. Alcatel-Lucents current implementation of NTP only allows the OmniSwitch to act as a passive client, not as a server. A passive client only receives NTP information and adjusts its time accordingly. In the above example, an OmniSwitch could be either Server 3a or 3b. An OmniSwitch as Server 3a or 3b would also not be able to peer with other servers on the same stratum. When planning your network, it is helpful to use the following general rules: It is usually not a good idea to synchronize a local time server with a peer (in other words, a server at the same stratum), unless the latter is receiving time updates from a source that has a lower stratum than from where the former is receiving time updates. This minimizes common points of failure. Peer associations should only be configured between servers at the same stratum level. Higher Strata should configure lower Strata, not the reverse. It is inadvisable to configure time-servers in a domain to a single time source. Doing so invites common points of failure. Note. NTP does not support year date values greater than 2035 (the reasons are documented in RFC 1305 in the data format section). This should not be a problem (until the year 2035) as setting the date this far in advance runs counter to the administrative intention of running NTP.
Authentication
NTP is designed to use MD5 encryption authentication to prevent outside influence upon NTP timestamp information. Using a key file does this. The key file is loaded into the switch memory, and consists of a text file that lists key identifiers that correspond to particular NTP entities. If authentication is enabled on an NTP switch, any NTP message sent to the switch must contain the correct key ID in the message packet to use in decryption. Likewise, any message sent from the authentication-enabled switch will not be readable unless the receiving NTP entity possesses the correct key ID. The key file is a text (.txt) file that contains a list of keys that are used to authenticate NTP servers. It should be located in the /networking directory of the switch. Key files are created by a system administrator independent of the NTP protocol, and then placed in the switch memory when the switch boots. An example of a key file is show below:
2 14 M M RIrop8KPPvQvYotM Sundial # md5 key as an ASCII random string md5 key as an ASCII string
In a key file, the first token is the key number ID, the second is the key format, and the third is the key itself. (The text following a # is not counted as part of the key, and is used merely for description.) The key format indicates an MD5 key written as a 1 to 31 character ASCII string with each character standing for a key octet. The key file (with identical MD5 keys) must be located on both the local NTP client and the clients server.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 610 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Management Specifications
Size of Flash Memory Size of RAM Memory Maximum Length of File Names Maximum Length of Directory Names Default Boot Directory 64 MB 256 MB 32 Characters 32 Characters Certified
Management Files
Three types of files control the management of a single switch: Image files, which are proprietary code developed by Alcatel-Lucent to run the hardware. These files are not configurable by the user, but may be upgraded from one release to the next. These files are also known as archive files, as they are really the repositories of several smaller files grouped together under a common heading. A configuration file, named boot.cfg, which is an ASCII-based text file that sets and controls the configurable functions inherent in the image files provided with the switch. The user can modify this file. When the switch boots, it looks for the file called boot.cfg. It uses this file to set various switch parameters defined by the image files. A boot file in OmniSwitch 6850, is an ASCII-based text file that controls the console ports baud rate and displays directory loading information and is located in the Flash memory of the switch. Modifications to the switch parameters affect or change the configuration file. The image files are static for the purposes of running the switch (though they can be updated and revised with future releases or enhancements). Image and configuration files are stored in the Flash memory (which is equivalent to a hard drive memory) in specified directories. When the switch is running, it loads the image and configuration files from the Flash memory into the RAM. When changes are made to the configuration file, the changes are first stored in RAM.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 611 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Redundancy
Management software redundancy is one of the switchs most important fail over features. In OmniSwitch 68500 stackable configuration, two fully operational Management units must be present at all times. In addition, the Management software must be synchronized. When two Management units are running in an OmniSwitch 6850 stack, one Management unit has the primary role and the other has the secondary role at any given time. The primary Management unit manages the current switch operations while the secondary Management unit provides backup (also referred to as fail over).
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 612 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
The certified directory software should be the best, most reliable versions of both the image files and the boot.cfg file (configuration file). The switch will run from the certified directory after boot if the working and certified directories are not exactly the same. If they are the same, then the switch will run from the working directory, allowing changes made to the running configuration to be saved. If the switch is running from the certified directory, you cannot save any changes to the running configuration, or copy files between the directories. Note: It is possible to cause a reboot of the primary or secondary Management unit at a future time.
In this diagram: 1. The switch boots from the certified directory, and the software is loaded to the RAM memory to create a running configuration. 2. Changes are made in the running configuration and are saved to the working directory. Now the boot.cfg file in the running configuration and the boot.cfg file in the working directory are identical. Should the switch go down or reboot, the configuration changes made can be restored. Note. If the switch is rebooted at this point in the process, since the certified and working directory boot.cfg files are not the same, the switch will boot and run from the certified directory. The modifications made to the functionality of the switch are recorded in the running configuration, in RAM. These changes in RAM memory are only valid until the switch is rebooted. At that time, the switch reboots from the certified directory. If the running configuration is not saved to the working directory before a reboot, then the changes made in the running configuration are lost. To save these changes it is necessary to save the contents of the running configuration to the working directory.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 614 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
In the above diagram: 1. The certified directory is used to initially boot the switch. 2. Changes are made to the configuration file and are saved to the configuration file in the working directory using the copy running-config working command. 3. The switch is rebooted from the working directory using the reload working command. When a reload working command is entered, the switch prohibits a takeover from the secondary Management Unit. Switch functions will be suspended until the boot process is complete. If you decide against using the new software booted from the working directory, the switch can revert to the software stored in the certified directory by using the copy certified working command, or by using the reload command.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 615 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
In this diagram: 1. The switch boots from the certified directory and changes are made to the running configuration. 2. The changes are saved to the working directory as the boot.cfg file. 3. The contents of the working directory are saved to the certified directory. Once the working directory is copied to the certified directory, and the switch reboots, it will reboot from the certified directory but run from the working directory. When the switch runs in this fashion, changes made to the running configuration can be saved to the working directory. Note. Only software that has been thoroughly validated, as viable and reliant software should be copied to the certified directory. Once you copy software to the certified directory, you will not be able to recover a previous version of the image or configuration files. When the software on the working directory of a switch has proven to be effective and reliable, eventually the contents of the working directory should be copied into the certified directory. Note: It is also possible to copy the contents of the certified directory to the working directory.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 616 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
CLI Specifications
Configuration Methods Command Capture Feature User Service Features Online configuration via real-time sessions using CLI commands. Offline configuration using text file holding CLI commands. Snapshot feature captures switch configurations in a text file. Command Line Editing Command Prefix Recognition CLI Prompt Option Command Help Keyword Completion Command History (up to 30 commands) Command Logging (up to 100 commands; detailed information) Syntax Error Display Alias Command Option More Command
CLI Overview
The CLI uses single-line text commands that are similar to other industry standard switch interfaces. However, the Alcatel-Lucent CLI is different from industry standard interfaces in that the Alcatel-Lucent uses a single level command hierarchy. Unlike other switch interfaces, the Alcatel-Lucent CLI has no concept of command modes. Other CLIs require you to step your way down a tree-type hierarchy to access commands. Once you enter a command mode, you must step your way back to the top of the hierarchy before you can enter a command in a different mode. The Alcatel-Lucent switch will answer any CLI command at any time because there is no hierarchy.
Online Configuration
To configure parameters and view statistics you must connect the switch to a terminal, such as a PC or UNIX workstation, using terminal emulation software. This connection can be made directly to the switchs serial port, through a modem, or over a network via Telnet. Once you are logged in to the switch, you may configure the switch directly using CLI commands. Commands executed in this manner normally take effect immediately. The majority of CLI commands are independent, single-line commands and therefore can be entered in any order. However, some functions may require you to configure specific network information before other commands can be entered. For example, before you can assign a port to a VLAN, you must first create the VLAN.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 617 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Text Conventions
The following table contains text conventions and usage guidelines for CLI commands.
bold text (Quotation Marks) Indicates basic command and keyword syntax. Example: show snmp station Used to enclose text strings that contain spaces Example: vlan 2 name new test vlan
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 618 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Command Help
The CLI has an internal help feature you can invoke by using the question mark (?) character as a command. The CLI help feature provides progressive information on how to build your command syntax, one keyword at a time. If you do not know the first keyword of the command you need, you can use a question mark character at the CLI system prompt. The CLI responds by listing command keywords divided into command sets. You can find the first keyword for the command you need by referring to the list on your screen. The following is a partial display: ->? WHOAMI WHO VIEW VI USER TTY TELNET SYSTEM SWLOG SSH SHOW SFTP SESSION RZ RMDIR RM RENAME PWD PROMPT NTP NSLOOKUP NO NEWFS MV MOVE MORE MODIFY MKDIR LS KILL IP INSTALL HISTORY FTP FSCK FREESPACE EXIT DSHELL DIR DELETE DEBUG CP COMMAND-LOG CHMOD CD ATTRIB ALIAS (System Service & File Mgmt Command Set) (Additional output not shown) Note that the command keywords are shown in all capital letters. The name of the command set is listed parenthetically below the keywords in initial caps. The following table contains the first-level commands and their set names as they are listed on the display screen when you enter a single question mark and press Enter.
Command Set Name System Service & File Management Commands WHOAMI, WHO, VIEW, VI, VERBOSE, USER, UPDATE, TTY, TELNET, SYSTEM, SWLOG, SSH, SHOW, SFTP, SESSION, RZ, RMDIR, RM, RENAME, PWD, PROMPT, NTP, NSLOOKUP, NO, NEWFS, MV, MOVE, MORE, MODIFY, MKDIR, LS, KILL, IP, INSTALL, HISTORY, FTP, FSCK, FREESPACE, EXIT, DSHELL, DIR, DELETE, DEBUG, CP, COMMAND-LOG, CHMOD, CD, AUTO, ATTRIB, AL COPY, WRITE, POWER, TEMP-THRESHOLD, TAKEOVER, SYSTEM, SHOW, RRM, RPUT, RLS, RGET, RELOAD, RDF, RCP, NO, DEBUG, CONFIGURE SOURCE-LEARNING, SHOW, PORT-SECURITY, NO, MACADDRESS-TABLE, DEBUG SHOW, BRIDGE VLAN, SHOW, NO, MAC-ADDRESS-TABLE, DEBUG STATIC, SHOW, NO, LINKAGG, LACP HTTP, TRACEROUTE, SNMP, SHOW, RMON, PORT, POLICY, PING, NO, MACRANGE, MAC, LANPOWER, IP, IPV6, ICMP, HTTPS, HRE, HEALTH, GMAP, DEBUG, CLEAR, ARP, AMAP, 802.1X USER, SHOW, PASSWORD, NO, END-USER, DEBUG, CONFIGURATION, AVLAN, AAA TRAP, SHOW, NO, INTERFACES, FLOW, DEBUG, 10GIG DEBUG, VRRP3, VRRP, TRACEROUTE6, SHOW, PING6, NO, IPV6, IP, CLEAR SHOW, QOS, POLICY, NO, DEBUG UPDATE, SHOW, NO, DEBUG
Chassis Supervision Source Learning Spanning Tree VLAN Link Aggregation Miscellaneous
AAA & Configuration Manager Interface IP Routing & Multicast QoS Debug
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 619 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
CLI Services
There are several services built into the CLI that help you use the interface. The Command Line Editing service makes it easy for you to enter and edit repetitive commands. Other CLI services, such as syntax checking, command help, prefix prompt, and history assist you in selecting and using the correct command syntax for the task you are performing.
Syntax Checking
If you make a mistake while entering command syntax, the CLI gives you clues about how to correct your error. Whenever you enter an invalid command, two indicators are displayed. The Error message tells you what the error is. The caret (^) character tells you where the error is in your syntax.
Prefix Recognition
Prefix Recognition is a CLI feature that reduces redundant command line entry by storing prefix information for certain network commands. When you configure network services, you may have to enter the same command prefix multiple times. Entering the same prefix again and again can be cumbersome and prone to error. The prefix recognition feature addresses the problem of redundant command entry by allowing the CLI to store commonly used prefix information. This prefix information stored by the switch then becomes part of the next CLI command entered. The following command families support the prefix recognition feature. AAA Interface Link Aggregation QOS Spanning Tree VLAN Management When certain commands are entered from one of these families, the CLI will retain the prefix information in a memory buffer. Then, if a valid related command is entered next, the CLI will assume the stored prefix is part of the next command. In this case, you are only required to enter the suffix information for the next command.
Command History
The history command allows you to view commands you have recently issued to the switch. The switch has a history buffer that stores up to 30 of the most recently executed commands. Note. The command history feature differs from the command-logging feature in that command logging stores up to 100 of the most recent commands to a separate command.log file. Also, the command-logging feature includes additional information, such as full command syntax, login user name, entry date and time, session IP address, and entry results.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 621 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 622 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Users typically log into the switch through one of the following methods: Console portA direct connection to the switch through the console port. TelnetAny standard Telnet client may be used for logging into the switch. FTPAny standard FTP client may be used for logging into the switch. HTTPThe switch has a Web browser management interface for users logging in via HTTP. This management tool is called WebView. Secure ShellAny standard Secure Shell client may be used for logging into the switch. SNMPAny standard SNMP browser may be used for logging into the switch.
Startup Defaults
By default, a single user management account is available at the first boot up of the switch. This account has the following user name and password: User nameadmin Passwordswitch Initially, the admin user can only be authorized on the switch through the console port. Management access through any other interface is disabled. The Authenticated Switch Access commands may be used to enable access through other interfaces/services (Telnet, HTTP, etc.); however, SNMP access is not allowed for the admin user. Also, the admin user cannot be modified, except for the password. Password expiration for the admin user is disabled by default. In addition, another account, default, is available on the switch for default settings only; this account cannot be used to log into the switch. It is used to store and modify default settings for new users. Note. Up to 64 users may be configured in the local switch database. To set up a user account, use the user command, which specifies the following: PasswordThe password is required for new users or when modifying a users SNMP access. The password will not appear in an ASCII configuration file created via the snapshot command. PrivilegesThe users read and write access to command domains and families. SNMP accessWhether or not the user is permitted to manage the switch via SNMP. End-User ProfileThe users read and write access to command areas, port ranges, and VLAN ranges; used for customer login accounts. Typically, options for the user (privileges or end-user profile; SNMP access) are configured at the same time the user is created.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 623 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
End-User Profiles
End-user profiles are designed for user accounts in the carrier market. With end-user profiles, a network administrator can configure customer login accounts that restrict users to particular command areas over particular ports and/or VLANs. End-user profiles are only managed and stored on the switch; profiles are not stored on external servers. Note. End-user profiles cannot be used in conjunction with user-partitioned management; the features are mutually exclusive.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 624 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
An external RADIUS or LDAP server can supply both user login and authorization information. ACE/Server can provide login information; user authorization information is available through the switchs local user database. External servers may also be used for accounting, which includes logging statistics about user sessions. If an external server is not available or is not configured, user login information and user authorization may be provided through the local user database on the switch. Logging may also be accomplished directly on the switch.
Authentication-onlyACE/Server
Authentication-only servers are able to authenticate users for switch management access, but authorization (or what privileges the user has after authenticating) are determined by the switch. Authentication-only servers cannot return user privileges or end-user profiles to the switch. The authentication-only server supported by the switch is ACE/Server, which is a part of RSA Securitys SecurID product suite. RSA Securitys ACE/Agent is embedded in the switch. The following illustration shows the two different user types attempting to authenticate with an ACE/Server:
Note. A RADIUS server supporting the challenge and response mechanism as defined in RADIUS RFC 2865 may access an ACE/Server for authentication purposes. The ACE/Server is then used for user authentication, and the RADIUS server is used for user authorization.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 626 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Using WebView
The switch can be monitored and configured using WebView, Alcatel-Lucents web-based device management tool. The WebView application is embedded in the switch and is accessible via the following web browsers: Internet Explorer 6.0 and later for Windows NT, 2000, XP, 2003 Firefox 2.0 for Windows and Solaris SunOS 5.10 Windows Vista
WebView Overview
The following section provides an overview of WebView page layouts.
Toolbar is used to access WebView features. Feature Options is used to access specific configuration options for each feature (displayed in drop-down menus at the top of the page). View/Configuration Area is used to view/configure a feature.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 628 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Banner
The following features are available in the WebView Banner: OptionsBrings up the User Options Page, which is used to change the user login password. Save ConfigBrings up the Save Configuration Screen. Click Apply to save the switchs running configuration for the next startup. HelpBrings up general WebView Help. Specific help pages are also available on each configuration page. WebView Help: A general help page for using WebView is available from the banner at the top of the page. In addition, on-line help is available on every WebView page. Each help page provides a description of the page and specific instructions for each configurable field. AboutProvides basic WebView product information TelnetBrings up a Telnet session window, through which you can access the switch for CLI configuration. Log OutLogs the user out of the switch and ends the user session. After logout, the login screen appears. The user can log back into the switch or just close the login screen.
Toolbar
Switch configuration is divided into configuration groups in the toolbar (for example, Physical, Layer 2, etc.). Under each configuration group are switch features, identified by a name and an icon.
Feature Options
Feature configuration options are displayed as drop-down menus at the top of each feature page.
View/Configuration Area
The View/Configuration area is where switch configuration information is displayed and where configuration pages appear. After logging into WebView, a real-time graphical representation of the switch displays all of the switchs current components. The feature configuration options on this page are used to configure the switch.
WebView Help
A general help page for using WebView is available from the banner at the top of the page. In addition, on-line help is available on every WebView page. Each help page provides a description of the page and specific instructions for each configurable field.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 629 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Using SNMP
The Simple Network Management Protocol (SNMP) is an application-layer protocol that allows communication between SNMP managers and SNMP agents on an IP network. Network administrators use SNMP to monitor network performance and to manage network resources.
SNMP Specifications
RFCs Supported for SNMPv2 RFCs Supported for SNMPv3 1902 through 1907 - SNMPv2c Management Framework 1908 - Coexistence and transitions relating to SNMPv1 and SNMPv2c 2570 Version 3 of the Internet Standard Network Management Framework 2571 Architecture for Describing SNMP Management Frameworks 2572 Message Processing and Dispatching for SNMP 2573 SNMPv3 Applications 2574 User-based Security Model (USM) for version 3 SNMP 2575 View-based Access Control Model (VACM) for SNMP 2576 Coexistence between SNMP versions The SNMPv3 protocol is ascending compatible with SNMPv1 and v2 and supports all the SNMPv1 and SNMPv2 PDUs Community Strings None Sets and Gets SHA, MD5 DES Non-authenticated Sets, Non-authenticated Gets and Get-Nexts, Authenticated Sets, Authenticated Gets and Get-Nexts, Encrypted Sets, Encrypted Gets and Get-Nexts For a list and description of traps, refer to the SNMP Traps Table in Appendix #1. For a list and description of system MIBs, refer to Industry Standard MIBs and Enterprise (Proprietary) MIBs in Appendix #2.
SNMPv1, SNMPv2, SNMPv3 SNMPv1 and SNMPv2 Authentication SNMPv1, SNMPv2 Encryption SNMPv1 and SNMPv2 Security requests accepted by the switch SNMPv3 Authentication SNMPv3 Encryption SNMPv3 Security requests accepted by the switch SNMP traps SNMP MIBs
SNMP Defaults
Parameter Description SNMP Management Station Community Strings SNMP Security setting Trap filtering Trap Absorption Enables the forwarding of traps to WebView Enables or disables SNMP authentication failure trap forwarding Default Value/Comments UDP port 162, SNMPv3, Enabled Enabled Privacy all (highest) security Disabled Enabled Enabled Disabled
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 630 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
SNMP Overview
SNMP provides an industry standard communications model used by network administrators to manage and monitor their network devices. The SNMP model defines two components: the SNMP Manager and the SNMP Agent.
The SNMP Manager resides on a workstation hosting the management application. It can query agents using SNMP operations. An SNMP manager is commonly called a Network Management System (NMS). NMS refers to a system made up of a network device (such as a workstation) and the NMS software. It provides an interface that allows users to request data or see alarms resulting from traps or informs. It can also store data that can be used for network analysis. The SNMP Agent is the software entity that resides within the switch on the network. It maintains the management data about a particular network device and reports these data, as needed, to the managing systems. The agent also responds to requests for data from the SNMP Manager. Along with the SNMP agent, the switch also contains Management Information Bases (MIBs). MIBs are databases of managed objects, written in the SNMP module language that can be monitored by the NMS. The SNMP agent contains MIB variables, which have values the NMS can request or change using Get, GetNext, GetBulk, or Set operations. The agent can also send unsolicited messages (traps or informs) to the NMS to notify the manager of network conditions.
SNMP Operations
Devices on the network are managed through transactions between the NMS and the SNMP agent residing on the network device (i.e., switch). SNMP provides two kinds of management transactions: manager-request/agent-response and unsolicited notifications (traps or informs) from the agent to the manager. In a manager-request/agent-response transaction, the SNMP manager sends a request packet, referred to as a Protocol Data Unit (PDU), to the SNMP agent in the switch. The SNMP agent complies with the request and sends a response PDU to the manager. The types of management requests are Get, GetNext, and GetBulk requests. These transactions are used to request information from the switch (Get, GetNext, or GetBulk) or to change the value of an object instance on the switch (Set). In an unsolicited notification, the SNMP agent in the switch sends a trap PDU to the SNMP manager to inform it that an event has occurred. The SNMP manager normally does not send confirmation to the agent acknowledging receipt of a trap.
SNMP Versions
The SNMP agent in the switch can communicate with multiple managers. You can configure the switch to communicate with different management stations using different versions of SNMP. The switch supports three versions of SNMPv1&v2&v3.
SNMPv1
SNMPv1 is the original implementation of the SNMP protocol and network management model. It is characterized by the Get, Set, GetNext, and Trap protocol operations. SNMPv1 uses a rudimentary security system where each PDU contains information called a community string. The community string acts like a combination username and password. When you configure a device for SNMP management you normally specify one community string that provides read-write access to objects within the device and another community string that limits access to read-only. If the community string in a data unit matches one of these strings, the request is granted. If not, the request is denied. The community string security standard offers minimal security and is generally insufficient for networks where need for security is high. Although SNMPv1 lacks bulk message retrieval capabilities and security features, it is widely used and is a de facto standard in the Internet environment.
SNMPv2
SNMPv2 is a later version of the SNMP protocol. It uses the same Get, Set, GetNext, and Trap operations as SNMPv1 and supports the same community-based security standard. SNMPv1 is incompatible with SNMPv2 in certain applications due to the following enhancements. Management Information Structure SNMPv2 includes new macros for defining object groups, traps compliance characteristics, and capability characteristics. Protocol Operations SNMPv2 has two new PDUs not supported by SNMPv1. The GetBulkRequest PDU enables the manager to retrieve large blocks of data efficiently. In particular, it is well suited to retrieving multiple rows in a table. The InformRequest PDU enables one manager to send trap information to another manager.
SNMPv3
SNMPv3 supports the View-Based Access Control Model (VACM) and User-Based Security Model (USM) security models along with these added security features: Message integrityEnsuring that a packet has not been tampered with in transit Time Frame ProtectionLimiting requests to specified time frames. The user can specify a time frame so that any PDU bearing an out of date timestamp will be ignored. EncryptionScrambling the contents of a packet to prevent it from being learned by an unauthorized source AuthenticationDetermining that the message is from a valid source holding the correct privileges.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 632 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Trap Filtering
You can filter SNMP traps in at least two ways. You can filter traps by limiting user access to trap families or you can filter according to individual traps.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 633 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Authentication Trap
The authentication trap is sent when an SNMP authentication failure is detected. This trap is a signal to the management station that the switch received a message from an unauthorized protocol entity. This normally means that a network entity attempted an operation on the switch for which it had insufficient authorization. When the SNMP authentication trap is enabled, the switch will forward a trap to the management station. The trap will be suppressed if the SNMP authentication trap is disabled.
Trap Management
Several CLI commands allow you to control trap forwarding from the agent in the switch to the SNMP management station.
Replaying Traps
The switch normally stores all traps that have been sent out to the SNMP management stations. You can list the last stored traps by using the show snmp trap replay command. This command lists the traps along with their sequence number. The sequence number is a record of the order in which the traps were previously sent out. You may want to replay traps that have been stored on the switch for testing or troubleshooting purposes. This is useful in the event that any traps are lost in the network. To replay stored traps, use the snmp trap replay command followed by the IP address for an SNMP management station. This command replays (or re-sends) all stored traps from the switch to the specified management station on demand. If you do not want to replay all of the stored traps, you can specify the sequence number from which the trap replay will start. The switch will start the replay with a trap sequence number greater than or equal to the sequence number given in the CLI command. The number of traps replayed depends on the number of traps stored for this station.
Absorbing Traps
The switch may send the same traps to the management station many, many times. You can suppress the transmission of identical repetitive traps by issuing the snmp trap absorption command. When trap absorption is enabled, traps that are identical to traps previously sent will be suppressed and therefore not forwarded to the SNMP management station.
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 634 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 635 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Appendix #1
SNMP Trap Tables
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 636 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 637 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 638 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 639 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 640 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 641 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 642 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 643 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 644 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 645 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 646 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 647 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 648 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 649 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 650 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 651 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 652 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 653 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 654 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
Note: all refers to OS6800/OS6850/OS9000 platforms. OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 655 Software & Hardware Release: AOSv6.3.1r01 Alcatel-Lucent-ESD Calabasas/CA./USA
Appendix #2
SNMP MIB Tables
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 656 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 657 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 658 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 659 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 660 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 661 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 662 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 663 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 664 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA
OS6850 Series Boilerplate Doc. Rev.6.0 / Feb. 2008 Page 665 Software & Hardware Release: AOSv6.3.1r01
Alcatel-Lucent-ESD Calabasas/CA./USA