OS6850E AOS 6.4.4 R01 Release Notes
OmniSwitch 6400/6850/6850E/6855/9000E
Release 6.4.4.R01
These release notes accompany release 6.4.4.R01 software for the OmniSwitch
6400/6850/6850E/6855/9000E hardware. They provide important information on individual software
features and hardware modules. Since much of the information in these release notes is not included in
the hardware and software user manuals, it is important that you read all sections of this document
before installing new hardware or loading new software.
Release Notes
Part Number 032726-10 Rev. A
Page 1 of 99
April 2011
Contents
Related Documentation
System Requirements
Memory Requirements
UBoot, FPGA, Miniboot, BootROM, Upgrade Requirements
Prerequisites: Upgrading to 6.4.4.R01
New Hardware Supported
Supported Hardware/Software Combinations
6.4.4 New Software Features and Enhancements
6.4.4 New Feature/Enhancement Summary
6.4.4 - New Feature/Enhancement Descriptions
Related Documentation
These release notes should be used in conjunction with the OmniSwitch 6400, 6850, 6850E, 6855, and
9000E. The following are the titles and descriptions of the user manuals that apply to this release.
User manuals can be downloaded at:
http://enterprise.alcatel-lucent.com/?dept=UserGuides&page=Portal
System Requirements
Memory Requirements
OmniSwitch 6400 Series Release 6.4.4.R01 requires 256 MB of SDRAM and 128 MB flash
memory. This is the standard configuration shipped.
OmniSwitch 6850 Series Release 6.4.4.R01 requires 256 MB of SDRAM and 64 MB of flash
memory. This is the standard configuration shipped.
OmniSwitch 6850E Series Release 6.4.4.R01 requires 512 MB of SDRAM and 128 MB of
flash memory. This is the standard configuration shipped.
OmniSwitch 6855 Series Release 6.4.4.R01 requires 256 MB of SDRAM and 128 MB flash
memory. This is the standard configuration shipped.
OmniSwitch 9000E Series Release 6.4.4.R01 requires 1GB of SDRAM and 256 MB of flash
memory for the Chassis Management Module (CMM). This is the standard configuration
shipped.
Configuration files and the compressed software images, including web management software
(WebView) images, are stored in the flash memory. Use the show hardware info command to determine
your SDRAM and flash memory.
OmniSwitch 9000E
Release: 6.4.4.R01
Miniboot.uboot CMM: 6.4.3.479.R01
UBoot CMM: 6.4.3.479.R01
UBoot NI: 6.4.3.479.R01
FPGA CMM: Major Revision: 2, Minor Revision: 25 (displays as 0x19; recommended)
OmniSwitch 6850
Release: 6.4.4.R01
Miniboot.uboot: 6.4.3.479.R01 (Minimum); 6.4.4.213.R01 (recommended for OS6850/OS6850E mixed stack)
UBoot: 6.4.3.479.R01 (Minimum); 6.4.4.213.R01 (recommended for OS6850/OS6850E mixed stack)
FPGA: No minimum requirement
OmniSwitch 6850E
Release: 6.4.4.R01
Miniboot.uboot: 6.4.4.213.R01
UBoot: 6.4.4.213.R01
CPLD: No minimum requirement
Miniboot.uboot: 6.4.3.479.R01
UBoot: 6.4.3.479.R01
FPGA: No minimum requirement
BootROM: 6.4.3.565.R01
FPGA: OS6400-C24/P24 (v16), OS6400-C48/P48 (v11), OS6400-U24 (v10)
OmniSwitch 6400
Release: 6.4.4.R01
Miniboot: 6.4.3.565.R01
In a mixed OS6850/OS6850E stacked environment you must first upgrade the existing OS6850
switches before adding the OS6850E to the stack. Additionally, it is recommended that the
OS6850 switches be upgraded to U-Boot/Miniboot version 6.4.4.213.R01 to match the OS6850E
switches.
In a mixed 6850/6850E stack environment never upgrade the FPGA for all the elements at
the same time by using the all parameter of the update command. This will cause all stack
elements to use the FPGA version of the Primary element which is not compatible with both
models.
If an OS6850/OS6850E is inserted into a stack with a mode different than the primary element, the
inserted switch will not join the stack and will be put into PASS-THROUGH mode. See
OmniSwitch 6850E Stacking Mode for additional information on the OmniSwitch 6850E modes.
OmniSwitch 6850E-24
The OmniSwitch 6850E-24 is a stackable edge/workgroup switch offering the following:
OmniSwitch 6850E-24X
The OmniSwitch 6850E-24X is a stackable edge/workgroup switch offering the following:
OmniSwitch 6850E-48
The OmniSwitch 6850E-48 is a stackable edge/workgroup switch offering the following:
OmniSwitch 6850E-48X
The OmniSwitch 6850E-48X is a stackable edge/workgroup switch offering the following:
OmniSwitch 6850E-U24X
The OmniSwitch 6850E-U24X is a stackable edge/workgroup switch offering the following:
OmniSwitch 6850E-P24
The OmniSwitch 6850E-P24 is a stackable edge/workgroup PoE switch offering the following:
OmniSwitch 6850E-P24X
The OmniSwitch 6850E-P24X is a stackable edge/workgroup PoE switch offering the following:
OmniSwitch 6850E-P48
The OmniSwitch 6850E-P48X is a stackable edge/workgroup PoE switch offering the following:
OmniSwitch 6850E-P48X
The OmniSwitch 6850E-P48X is a stackable edge/workgroup PoE switch offering the following:
OS6-XNI-U2
The OS6-XNI-U2 expansion module provides 2 SFP+ ports and plugs into the back of an OmniSwitch 6850E
chassis in place of the 2 CX4 stacking connectors.
OS9-GNI-P24E
The OS9-GNI-P24E provides 802.3at PoE capability for the OS9000E:
Model                Part No.  6.1.3.R01  6.1.5.R01  6.3.1.R01  6.3.2.R01  6.3.3.R01  6.3.4.R01  6.4.1.R01  6.4.2.R01  6.4.3.R01  6.4.4.R01
OS9700E/9702E-CMM    902668    no         no         no         no         no         no         supported  supported  supported  supported
OS9702E-CMM          902808    no         no         no         no         no         no         supported  supported  supported  supported
OS9702-CHASSIS       902727    no         no         no         no         no         supported  supported  supported  supported  supported
OS9-GNI-C24E         902669    no         no         no         no         no         no         supported  supported  supported  supported
OS9-GNI-U24E         902670    no         no         no         no         no         no         supported  supported  supported  supported
OS9-XNI-U2E          902671    no         no         no         no         no         no         supported  supported  supported  supported
OS9-XNI-U12E         902851    no         no         no         no         no         no         no         no         supported  supported
OS9-GNI-P24E         902927    no         no         no         no         no         no         no         no         no         supported
OS6855-14            902648    no         no         no         supported  no         supported  no         supported  supported  supported
OS6855-24            902664    no         no         no         supported  no         supported  no         supported  supported  supported
OS6855-U10           902647    no         no         no         supported  no         supported  no         supported  supported  supported
OS6855-U24           902555    no         no         no         supported  no         supported  no         supported  supported  supported
OS6855-U24X          902802    no         no         no         no         no         no         no         supported  supported  supported
OS6850-24            902457    supported  supported  supported  no         no         supported  no         supported  supported  supported
OS6850-48            902495    supported  supported  supported  no         no         supported  no         supported  supported  supported
OS6850-24X           902458    supported  supported  supported  no         no         supported  no         supported  supported  supported
OS6850-48X           902462    supported  supported  supported  no         no         supported  no         supported  supported  supported
OS6850-P24           902459    supported  supported  supported  no         no         supported  no         supported  supported  supported
OS6850-P48           902463    supported  supported  supported  no         no         supported  no         supported  supported  supported
OS6850-P24X          902460    supported  supported  supported  no         no         supported  no         supported  supported  supported
OS6850-P48X          902464    supported  supported  supported  no         no         supported  no         supported  supported  supported
OS6850-U24X          902418    supported  supported  supported  no         no         supported  no         supported  supported  supported
OS6850-24L           902487    supported  supported  supported  no         no         supported  no         supported  supported  supported
OS6850-48L           902489    supported  supported  supported  no         no         supported  no         supported  supported  supported
OS6850-P24L          902488    supported  supported  supported  no         no         supported  no         supported  supported  supported
OS6850-P48L          902490    supported  supported  supported  no         no         supported  no         supported  supported  supported
OS6850E-24           902936    no         no         no         no         no         no         no         no         no         supported
OS6850E-P24          902934    no         no         no         no         no         no         no         no         no         supported
OS6850E-24X          902937    no         no         no         no         no         no         no         no         no         supported
OS6850E-P24X         902935    no         no         no         no         no         no         no         no         no         supported
OS6850E-48           902938    no         no         no         no         no         no         no         no         no         supported
OS6850E-P48          902932    no         no         no         no         no         no         no         no         no         supported
OS6850E-48X          902939    no         no         no         no         no         no         no         no         no         supported
OS6850E-P48X         902933    no         no         no         no         no         no         no         no         no         supported
OS6850E-U24X         902940    no         no         no         no         no         no         no         no         no         supported
6400-24              902621    no         no         no         no         supported  supported  no         supported  supported  supported
6400-P24             902622    no         no         no         no         supported  supported  no         supported  supported  supported
6400-U24             902623    no         no         no         no         supported  supported  no         supported  supported  supported
6400-U24D            902624    no         no         no         no         supported  supported  no         supported  supported  supported
To determine the ASIC revision for a specific NI, use the show ni command. For example, the
following show ni output display shows an A revision level for NI 1:
DC-Core ->> show ni 1
Module in slot 1
  Model Name:                 OS9-GNI-C24E,
  Description:                10 1000 RJ45,
  Part Number:                902669-90,
  Hardware Revision:          F04,
  Serial Number:              J21Q0772,
  Manufacture Date:           MAY 03 2008,
  Firmware Version:           ,
  Admin Status:               POWER ON,
  Operational Status:         UP,
  Power Consumption:          51,
  Power Control Checksum:     0x872,
  CPU Model Type:             Motorola MPC8540 ADS,
  MAC Address:                00:d0:95:e6:54:80,
  ASIC - Physical 1:          BCM56620_A1
  FPGA - Physical 1:          0007/00
  UBOOT Version :             6.4.3.479.R01
  UBOOT-miniboot Version :    No Miniboot
  POE SW Version :            n/a
To determine the CMM board revision, use the show cmm command. For example, the following show
cmm output display shows a C revision level for the CMM board:
DC-Core ->> show cmm
Module in slot CMM-A-1
  Model Name:                 OS9802-CMM,
  Description:                CMM,
  Part Number:                902672-90,
  Hardware Revision:          B,
  Serial Number:              J23Q0128,
  Manufacture Date:           MAY 08 2008,
  Firmware Version:           2,
  Admin Status:               POWER ON,
  Operational Status:         UP,
  Power Consumption:          40,
  Power Control Checksum:     0x9214,
  CPU Model Type:             Motorola MPC8541 ADS,
  MAC Address:                00:d0:95:e0:6c:ac,
Platform
Software Package
all
all
all
all
all
secu
secu
secu
secu
secu
all
base
all
base
Dual-Home Links
- Dual-Home Link (DHL) Active-Active
all
base
Ethernet OAM
- Virtual MEP UNI Loopback
- Fault Propagation Enhancement
all
all
base
base
Link Monitoring/Diagnostics/Recovery
- Link Monitoring/Flapping Detection
- Link Fault Propagation
- Interface Violation Recovery
- Time Domain Reflectometry
all
all
all
all
base
base
base
base
all
base
Link Aggregation
- Minimum LAG size
all
base
LLDP
- Rogue Detection
all
base
6850E
base
Access Guardian
- Accounting for Non-supplicants
- Captive Portal Enhancements
- Control Over Access Guardian
- Dynamic User Network Profiles
- Host Integrity Check (HIC) Redundancy
Platform
Software Package
6850E/9000E
6850E/9000E
base
base
all
base
all
base
all
base
Feature
features as OS6850
In 6850E Mode Supports same software
features as 6855-U24X (VRF/egress
policies)
Custom Proxy Port - Allows an administrator to define a custom proxy port for users being
authenticated via Captive Portal.
Inactivity Logout Timer - When enabled, this feature will flush a user from the Captive
Portal user table if there is no activity for a set amount of time. The inactivity timer is equal to
the MAC aging timer.
Public Certificate Support - This feature allows the administrator to change the name of the
Captive Portal URL to match that of a public certificate on the switch. This allows PKA
authentication when using Captive Portal.
Hold - Hosts stay in their UNP and in a HIC in progress state and do not have network access.
Pass-through - Hosts stay in their UNP but are removed from the HIC in progress state. Hosts
have network access according to the policy list set for their UNP.
This feature adds the capability to add the CVLAN in ASCII format for both the Circuit ID and the Remote
ID.
Dual-Home Links
Dual-Home Link (DHL) Active-Active
Dual-Home Link (DHL) Active-Active is a high availability feature that provides fast failover between
core and edge switches without using Spanning Tree. To provide this functionality, DHL Active-Active
splits a number of VLANs between two active links. The forwarding status of each VLAN is modified
by DHL to prevent network loops and maintain connectivity to the core when one of the links fails.
This implementation of DHL Active-Active is provided in addition to the previously released LACP-based DHL Active-Standby solution. Both versions are supported. The DHL Active-Active feature,
however, is configurable on regular switch ports and on logical link aggregate ports (linkagg ID)
instead of just LACP aggregated ports. In addition, the two DHL links are both active, as opposed to the
active and standby mode used with LACP.
Ethernet OAM
Virtual UNI Loopback Virtual MEP
This feature provides support for the configuration of a virtual or loopback MEP that is not attached to a
physical switch interface. This eliminates the need to use a physical port for loopback CCM messages.
Fault Propagation Enhancement
This feature is used to propagate OAM Connectivity Fault Management (CFM) events into the interface
that is attached to a MEP. This can be used with a point-to-point Ethernet service between a local UP
MEP and a remote UP MEP to propagate a link down event.
Wait to Restore Time - Introduces a delay before the interface becomes operational,
allowing the network to converge more gracefully.
Interface errors monitoring - Physical errors such as CRC, Lost frames, Error frames and
Alignment errors are monitored. When excessive errors are detected, the interface will be
shut down.
Interface flapping - When excessive interface flapping is detected, the interface will be
shut down.
Permanent shutdown - When an interface has been shut down too many times it can be
placed in this mode, requiring it to be enabled administratively.
If all the source ports in the group go down, LFP waits a configured amount of time then
shuts down another set of interfaces (configured as destination ports) that are associated
with the same group.
When any one of the source ports comes back up, all of the destination ports are brought
back up and network connectivity is restored.
An automatic recovery timer that indicates how much time a port remains shut down before
the switch automatically brings the port back up
A maximum number of recovery attempts setting that specifies how many recoveries can occur
before a port is permanently shut down
A wait-to-restore timer that indicates the amount of time the switch waits to notify features that
the port is back up
An SNMP trap that is generated each time an interface is shut down by a feature. This can
occur even when the interface is already shut down by another feature. The trap also indicates
the reason for the violation.
An SNMP trap that is generated when a port is recovered. The trap also includes information
about how the port was recovered.
LPS now continues to learn filtering MAC addresses after the learning window has expired, but
only up to the configured filtering MAC address limit.
A new type of static MAC address (pseudo-static) is maintained. A pseudo-static MAC address is
not user-configured; it is a dynamically learned MAC address that is treated the same as a regular
static address (will not age out or be flushed during the learning window time period). However,
the pseudo-static MAC is not saved in the running configuration.
New parameter options for the LPS port-security shutdown CLI command.
1.
2.
3.
Learning Window Start at Boot-up. A new boot-up parameter specifies whether or not
LPS will start the learning window time when the switch boots up.
New admin-state parameter for the port-security CLI command. This parameter is used to enable,
disable, or lock an LPS port. In addition, the port-security command will now accept a range of
ports.
Creating a static MAC address on a port now automatically enables LPS on that port.
New brief parameter for the show port-security CLI command. This parameter is used to provide
a summary of the LPS status, configuration, and MACs learned on all the LPS ports.
The VLAN ID bound to an LPS static MAC address is automatically updated when the default
VLAN for the LPS port is changed.
Duplicate LPS static MAC addresses are now allowed on different ports within the same VLAN.
However, dynamic MAC addresses that match a configured static MAC address within the same
VLAN are not learned.
The Bridge MAC Learned and LPS Violation SNMP traps now have three fields of
information: port number, VLAN ID, and MAC address.
A new LPS shutdown violation mode, discard, is now supported. This mode administratively
disables the port, but the port remains physically up. The shutdown and restricted modes are
still supported.
Link Aggregation
Minimum Link Aggregation Size
Allows an administrator to configure a minimum number of ports to be active on a link aggregate.
When the number of attached ports is below the minimum size the aggregate is automatically
disabled.
When the number of attached ports returns above the minimum size the aggregate is automatically
re-enabled.
If no LLDPDU is received within 3 times the LLDP transmit interval (30 seconds) after link
activation on a port that has no trusted remote agent configured
If the same chassis ID and port ID of the remote agent already exists in the trusted remote agent
database but on a different port.
Mode
6850 (Default)
Capability
- Allows stacking with OS6850 using CX4 module.
- Allows stacking with OS6850E using CX4 or SFP+ module.
SW Features
Same as OS6850
6850E
Same as OS6855-U24X
(Including VRF and Egress
Policies)
Note: To support a mixed stack of OS6850s and OS6850Es, the OS6850s MUST first be upgraded to AOS
Release 6.4.4.R01. Refer to the 6.4.4.R01 prerequisites section and the Upgrade Instructions for more detailed
information.
Note: If an OS6850/OS6850E is inserted into a stack with a mode different than the primary element, the
inserted switch will not join the stack and will be put into PASS-THROUGH mode.
OS6400
780W
OS6850
480W
18W
No
18W
No
OS6855
80W (C24)
66W (C14)
20W
No
OS6850E
780W
OS9-GNI-P24E
720W
30W
Yes
30W
Yes
Spanning Tree
STP Loop Guard
This feature is intended to prevent loops in a spanning tree bridged network when a device is unable to
receive BPDUs on a non-designated port in a timely manner.
Loop formation can occur when a bridge hosting a blocking port transitions that port to forwarding
erroneously. This can lead to a temporary or even a permanent loop.
This feature can be enabled either on a port or link aggregate and can be configured for any spanning
tree mode (flat, 1x1, STP, RSTP, MST, PVST). Loopguard effectively protects each STP instance when
configured on a port that supports multiple spanning tree instances.
It allows the WCCP enabled router for transparent redirection to discover, verify, and advertise
connectivity to one or more cache servers. This would allow deploying cache servers without the
need to reconfigure the cache-server at the client location.
It allows the designated web-cache to dictate how the router distributes redirected traffic across the
cache server cluster.
Platform
Software Package
all
base
all
base
Access Guardian
- Javaless Captive Portal and MAC OS Support
all
encrypt
all
base
all
all
base
base
all
base
all
all
all
base
base
base
AAA/802.1x
- Service Type information in RADIUS Access
Request
- Capture Client IP in RADIUS Accounting Message
DHCP
- Internal DHCP Server
- DHCP Client with configurable option 60
- DHCP Option 82 ASCII support
Ethernet OAM
- IEEE 802.1ag Version 8.1
- ITU Y.1731
- Service Assurance Agent (SAA) for OAM and IP
SLA Measurements
Feature
Platform
Software Package
6400/6850/6855/9000
6400/6850/6855/9000
all
base
base
base
all
all
all
base
base
base
Link Aggregation
- Non-unicast Load Balancing on Link Aggregation
- Active-Standby Dual Home LinkAgg
all
all
base
base
all
all
all
base
base
base
all
base
all
base
6855-U24X/9000E
advanced routing
6400/6855-U24X/9000E
all
all
all
base
base
base
base
all
base
all
base
all
base
Security
- BPDU Shutdown Auto-Recovery Timer
- Admin User Remote Access Restriction Control
all
all
base
base
all
base
Ethernet Services
- L2 Control Protocol Tunneling (L2CP)
- Wire-Speed Ethernet Loopback
- SVLAN Routing
IP Enhancements
- Extended Ping & Traceroute
- Selectable IP Interface for Management Services
- IP Loopback0 Address In the Same Range of
Existing Subnet
Storm Control
- Extended Flood Control Metering for Unknown
Unicast, Multicast and Broadcast
Feature
USB Support
Platform
Software Package
all
base
Access Guardian
Captive Portal
MAC OS Support - Captive Portal is now supported on MAC OS using Safari version 4. The
table below provides all platform and browser support for Captive Portal.
Authentication Redirect URLs - Captive Portal provides the ability to redirect users to
different URLs based upon successful or failed authentication.
Configurable DNS dictionary - By default Captive Portal replies only to DNS packets that
contain one of the following pre-defined DNS strings: www, http, proxy, wpad, captive-portal,
go.microsoft, Mozilla. Starting in 6.4.3 these keywords can be replaced or augmented by the
network administrator.
Customizable Banner - A customizable banner image can be configured that Captive Portal
will display at the top of all pages.
Platform
Windows 2000, Windows XP,
and Windows Vista
Linux
Mac OS X 10.5 Leopard
3. Download an instruction file with information to obtain the configuration file, image files and/or script
files from given TFTP, FTP or SCP servers.
4. Download and apply the image and configuration file.
5. Automatically reboot with the upgraded image files and switch configuration file or, if no images or
boot configuration is downloaded, scripted instructions are executed on the fly and the switch is made
available remotely.
Note: New Default Switch Behavior in 6.4.3 due to Out of the Box Auto-Configuration feature.
Newly deployed or upgraded switches with no boot.cfg file running AOS 6.4.3 will automatically run the
Out of the Box Auto-Configuration feature. This causes the CMM OK/OK1 LED to blink amber while the
process is running. If the Auto-Configuration process is not successful the CMM OK/OK1 LED will
continue to blink amber as long as no boot.cfg file is on the switch; this is normal behavior in 6.4.3.
Additionally, the Auto-Configuration feature will automatically create a dhcp-client IP interface on
VLAN 1. This interface can be deleted using the no ip interface dhcp-client command if desired.
Once the Auto-Configuration process times out (approximately 30 seconds) the switch configuration can be
saved to the boot.cfg file using the write memory command. The CMM OK/OK1 LED will then turn
solid green as in previous releases.
To ensure the Auto-Configuration process is able to run properly so that the write memory command
can be entered, at least one NI MUST be inserted in the chassis-based OS9000 and OS9000E
switches. (PR 148181)
DHCP
Internal DHCP Server Functionality
The OmniSwitch now supports an internal DHCP Server compliant with RFC 2131 based on Vital QIP
5.6 release. This feature can be used to provide IP addresses for small offices, management network, or
local phone services including support for option 60 and option 43.
Note: For switches shipped with AOS release 6.4.3 the following two templates are pre-loaded on the
switch and can be used as examples. If upgrading to 6.4.3 the template files can be downloaded from
the Service & Support website:
dhcpd.conf.template
dhcpd.pcy.template
Release / Renew
Lease Time
Ethernet OAM
The OmniSwitch now supports Ethernet OAM 802.1ag Version 8.1 and ITU Y.1731.
ETH-LB/DMM
ETH-Loopback and ETH-DMM can be used to measure delay and jitter. ETH-DMM can measure by
sending out frames with DM information to the peer MEP and receiving frames with DM information
from the peer MEP. The ETH-LB test output was improved to look like standard ping providing on
demand information for round-trip delay and a summary of min/avg/max delay.
Service Assurance Agents (SAA)
The OmniSwitch's Service Assurance Agents (SAAs) give users the ability to verify service
guarantees, increase network reliability by validating network performance, and proactively identify
network issues. Service Assurance Agent uses active monitoring to generate traffic between MEPs in a
continuous, reliable, and predictable manner, thus enabling the measurement of network performance
and health.
The SAA agent is extended to support IP-SLA measurements using ICMP with plans to include UDP and
TCP support.
IP Enhancements
Extended Ping & Traceroute Functionality
Ping and Traceroute have been enhanced to allow for additional parameters to be specified.
Ping:
Set the Source IP
Set TOS value
Set DF bit in IP header
Set data pattern
Set sweep range
Traceroute:
Set the Source IP
Set Timeout in seconds
Set Probe count
Set Min and Max TTL
Set Port number
IP Managed Interfaces
Provides ability to configure a permanent source IP interface to be used when sending packets. The
source IP interface can be the Loopback0 address or an existing IP interface on the switch and can be
defined for the following applications:
DNS, FTP, LDAP-SERVER, NTP, RADIUS, SFLOW, SNMP, SSH, SYSLOG, TACACS,
TELNET, TFTP
Link Aggregation
Non-Unicast Load Balancing on Link Aggregation
The OmniSwitch now supports load balancing of non-unicast (broadcast, multicast, flood) traffic over Link
Aggregation. Hashing criteria is configurable.
By default the hashing keys are derived from the flow-based attributes listed below:
prevent users from communicating directly and ensuring that all communication happens via their default
gateway. In order to accomplish this, the OmniSwitch supports Dynamic Proxy ARP which combines the
functionality of port mapping and DHCP snooping to dynamically learn a router's addresses and act as a local ARP
proxy for the VLAN's router. Dynamic Proxy ARP - MAC Forced Forwarding uses the following features:
Port Mapping - Port Mapping forwards traffic from user-ports only to network-ports, preventing
communication between L2 clients in the same VLAN in the same switch. This prevents direct
communication between clients in the same VLAN forcing all traffic to be forwarded to the head end
router.
Dynamic Proxy ARP - All ARP requests received on port mapping user-ports are answered with the
MAC address of the head end router. Dynamic Proxy ARP dynamically learns the IP and MAC address
of a head end router and responds with that router's MAC address instead of flooding the ARP request.
DHCP Snooping - Snoops the DHCP packets between the server and clients. DHCP snooping is used
to dynamically learn the IP address of the head end router.
Note: Starting in 6.4.3 MVRP is the default mode for VLAN registration.
QOS
QoS Egress Policy Rules
OmniSwitch egress policy rules allow administrators to enforce traffic controls on the egress queues as a last
resort action. By default, QoS policy rules are applied to traffic ingressing the port. The QoS Policy List
feature includes an egress policy list option to create a list of rules that are applied to traffic egressing a
destination port(s). If a policy rule is not associated with an egress policy list, the rule will only apply to
ingress traffic.
Tri-Color Marking
Tri-Color Marking (TCM) provides a mechanism for policing network traffic by limiting the rate at which
traffic is sent or received on a switch interface. The TCM policer meters traffic based on user-configured
packet rates and burst sizes and then marks the metered packets as green, yellow, or red based on the
metering results.
TCM policer meters each packet and passes the metering result along with the packet to the Marker.
Depending upon the result sent by the Meter, the packet is then marked with either the green, yellow, or red
color. The marked packet stream is then transmitted on the egress based on the color-coded priority
assigned.
The TCM Meter operates in Color-Blind mode (the Color-Aware mode is not supported). In the Color-Blind mode, the Meter assumes that the incoming packet stream is uncolored. However, incoming packets
with the CFI/DEI bit set are automatically given an internal lower priority.
There are two types of TCM marking supported:
Single-Rate TCM (srTCM) according to RFC 2697 - Packets are marked based on a Committed
Information Rate (CIR) and two associated burst size values: Committed Burst Size (CBS) and Peak
Burst Size (PBS).
Two-Rate TCM (trTCM) according to RFC 2698 - Packets are marked based on a CIR value and a
Peak Information Rate (PIR) value and two associated burst size values: CBS and PBS.
Both srTCM and trTCM handle the burst in the same manner. The main difference between the two
types is that srTCM uses one rate limiting value (CIR) and trTCM uses two rate limiting values (CIR
and PIR) to determine packet marking.
IEEE 802.1q/ad CFI/DEI Bit Stamping
When the sr/trTCM ingress rate limiter is used, frames that are non-conforming to the SLA (yellow) might still
be delivered to the egress port when the port is not congested. By enabling CFI/DEI bit stamping on these
frames, a color-aware upstream switch would be able to treat these frames differently and drop them first
when the network is congested.
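The srTCM and trTCM metering and the CFI/DEI stamping of yellow frames described above, as an added example that is not part of the release notes and is not AOS code: color-blind meters following RFC 2697 and RFC 2698, run over the same constructed burst so the difference in marking is visible. Rates are in bytes per second and burst sizes in bytes; the class and function names and the sample traffic are hypothetical, and the srTCM second bucket keeps the PBS name used here (RFC 2697 calls it Excess Burst Size, EBS).

```python
"""Added example: color-blind srTCM (RFC 2697) and trTCM (RFC 2698) meters."""
from dataclasses import dataclass

GREEN, YELLOW, RED = "green", "yellow", "red"


@dataclass
class SrTcm:
    """Single-rate meter: CIR fills the committed bucket first, overflow fills the second."""
    cir: float  # committed information rate, bytes/second
    cbs: float  # committed burst size, bytes
    pbs: float  # second burst size, bytes (PBS in the notes, EBS in RFC 2697)

    def __post_init__(self):
        self.tc, self.te = self.cbs, self.pbs  # both buckets start full
        self.last = 0.0

    def meter(self, now, size):
        earned = self.cir * max(0.0, now - self.last)
        self.last = max(self.last, now)
        to_c = min(earned, self.cbs - self.tc)       # refill committed bucket first
        self.tc += to_c
        self.te = min(self.pbs, self.te + earned - to_c)  # remainder goes to second bucket
        if self.tc >= size:
            self.tc -= size
            return GREEN
        if self.te >= size:
            self.te -= size
            return YELLOW
        return RED


@dataclass
class TrTcm:
    """Two-rate meter: the peak bucket fills at PIR, the committed bucket at CIR."""
    cir: float  # committed information rate, bytes/second
    pir: float  # peak information rate, bytes/second
    cbs: float  # committed burst size, bytes
    pbs: float  # peak burst size, bytes

    def __post_init__(self):
        self.tc, self.tp = self.cbs, self.pbs  # both buckets start full
        self.last = 0.0

    def meter(self, now, size):
        dt = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.tc = min(self.cbs, self.tc + self.cir * dt)
        self.tp = min(self.pbs, self.tp + self.pir * dt)
        if self.tp < size:          # exceeds the peak rate
            return RED
        if self.tc < size:          # within peak, above committed
            self.tp -= size
            return YELLOW
        self.tp -= size             # conforming: charge both buckets
        self.tc -= size
        return GREEN


def mark(meter, packets, stamp_dei=True):
    """Return (color, dei_bit) per packet; DEI is stamped only on yellow frames."""
    marked = []
    for now, size in packets:
        color = meter.meter(now, size)
        marked.append((color, 1 if stamp_dei and color == YELLOW else 0))
    return marked


# Constructed traffic: six 1000-byte frames back to back at t=0 s, two more at t=1 s.
BURST = [(0.0, 1000)] * 6 + [(1.0, 1000)] * 2


def demo():
    """Meter the same burst with both algorithms (CIR 1000 B/s, CBS 2000 B, PBS 3000 B)."""
    return {
        "srTCM": mark(SrTcm(cir=1000, cbs=2000, pbs=3000), BURST),
        "trTCM": mark(TrTcm(cir=1000, pir=2000, cbs=2000, pbs=3000), BURST),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, [f"{color}/DEI={dei}" for color, dei in result])
```

With identical CIR, CBS and PBS, the single-rate meter lets the whole second bucket absorb the initial burst as yellow, while the two-rate meter turns the same frames red once the peak bucket is empty and recovers faster afterwards because that bucket refills at PIR.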
Specifying a range of 802.1p values for a policy condition is now supported. A range of values is
supported when configuring both inner and outer 802.1p policy conditions. A condition must use
either a single 802.1p value or a range of 802.1p values; both are not supported at the same time.
Map Several Inner DSCP/ToS Values to the Same Outer 802.1p Value
The ability to specify a range of 802.1p values is particularly useful when classifying Ethernet Services SAP
traffic. A new option in a SAP profile suspends the use of SAP bandwidth and priority actions. This allows
the use of QoS rules for advanced classification of SAP traffic, such as mapping several DSCP/ToS values
to the same outer 802.1p value.
QoS Statistics Enhancements
QoS statistics monitoring allows the gathering of egress CoS drop and transmit packet statistics for
individual ports. Enabling this type of monitoring also allows the user to display egress CoS queue
statistics on a per port basis using existing QoS show commands.
Tri-Color Marking (TCM) policy action now includes a counter color mode option. This option
determines which metered packets are counted based on the color the packet was marked by the
TCM policy. Enabling this option also allows the display of the counter color statistics using
existing QoS show commands.
QoS commands used to display traffic statistics and system resource usage now include statistics
for egress traffic. This applies to traffic classified using egress policy rules.
Security
Admin User
The OmniSwitch can be configured to allow the admin user to only have access to the switch via the
console port.
BPDU shutdown auto-recovery timer
Allows ports that are configured in the UserPorts port group and were shut down after receiving a
spanning tree BPDU to be automatically re-enabled.
Storm Control
The OmniSwitch flood control feature can limit broadcast, multicast, and unknown unicast traffic based
on bits per second, percentage of the port speed, or packets per second.
USB Support
The USB port can be used with an Alcatel-Lucent certified USB Flash drive to provide the following functions:
Disaster Recovery - The switch can boot from the USB drive if it is unable to load AOS from flash.
Note: Disaster Recovery requires a minimum 6.4.3 version miniboot/uboot revision to operate.
Upload / Download Image and Configuration Files - To create or restore backup files.
Upgrade Code - Upgrade code with the image files stored on the USB drive.
VRF
PIM-DM and PIM-SM are now VRF aware.
Platform
OS6855-U24X
all
all
Software Package
base
base
base
OS6400/OS6850/OS6855
base
OS6850/OS9000/OS9000E
base
all
OS6400/OS6855-U24X/OS9000E
OS6400/OS6850/OS6855
all
base
base
base
base
OS6850/OS9000/OS9000E
base
OS6400/OS6850/OS6855
base
OS9000E
OS9000E
OS9000E
OS9000E
OS9000E
mpls
mpls
mpls
mpls
mpls
all
OS6850/OS9000/OS9000E
base
base
OS6850/OS6855/OS9000/OS9000E
base
OS6400/OS6855-U24X/OS9000E
all
base
base
OS9000E/OS6855-U24X
OS9000E/OS6855-U24X
OS9000E/OS6855-U24X
OS9000E/OS6855-U24X
OS9000E/OS6855-U24X
OS9000E/OS6855-U24X
base
base
base
base
base
base
Feature                                     Platform   Software Package
- BFD                                       OS9000E    base
- Configure more than one sFlow receiver    OS9000E    base
- G.8032 Ethernet Ring Protection           OS9000E    base
- IPsec Support for IPv6                    OS9000E    base/encrypt
- IPsec Support for OSPF3                   OS9000E    base/encrypt
- IPsec Support for RIPng                   OS9000E    base/encrypt
- IPv6 Unique Local IPv6 Unicast            OS9000E    base
- IPv6 Scoped Multicast Addresses           OS9000E    base
- Pause Control                             OS9000E    base
Feature/Enhancement Summary
Feature
10Km Stacking
31-bit Network Mask Support
802.1AB MED Extensions
802.1Q
802.1Q 2005 (MSTP)
Access Guardian
- 802.1x Device Classification
- 802.1x RADIUS Failover
- Captive Portal
- Captive Portal Web Pages
- Host Integrity Check (HIC)
- User Network Profiles (UNP)
- QoS Policy Lists
Access Control Lists (ACLs)
- ACLs for IPv4
- ACLs for IPv6
- ACL & Layer 3 Security
- ACL Manager (ACLMAN)
Account & Password Policies
ARP Defense Optimization
ARP Poisoning Detect
Authenticated Switch Access
Authenticated VLANs
Automatic VLAN Containment (AVC)
Auto-QoS Prioritization of IP Phone Traffic
Auto-QoS Prioritization of NMS Traffic
Bi-Directional Forwarding Detection (BFD)
BGP Graceful Restart
BGP4
BPDU Shutdown Ports
Command Line Interface (CLI)
DDM
DHCP
- Option-82
- Option 82 Port-based format
- DHCP Relay
- DHCP Snooping
- DHCP Snooping Option-82 Data
Platform
OS6855-U24X
all
all
all
all
Software Package
base
base
base
base
base
base
all
all
all
all
6400/6850/6855
all
6400/6850/6855
all
all
all
all
all
all
all
all
all
OS6400/OS6850/OS6855/OS9000
all
all
all
OS6850/OS6855/OS9000/OS9000E
OS6850/OS6855/OS9000/9000E
OS6850/OS6855/OS9000/9000E
all
all
all
base
base
base
base
base
base
base
base
base
base
base
base
base
base
base
base
base
base
base
base
base
advanced routing
advanced routing
base
base
all
OS6400/OS6850/OS6855
all
all
all
base
base
base
base
base
Feature
Insertion Format
DNS Client
DSCP Range Condition
DVMRP
Dynamic VLAN Assignment (Mobility)
Ethernet Ring Protection (G.8032)
- Ethernet Ring Protection (ERP) - Shared
VLAN
Platform
Software Package
all
all
OS6850/OS6855/OS9000/OS9000E
all
all
all
base
base
advanced routing
base
base
base
Ethernet Services
- L2 Tunneling Enhancements
- Egress Rate Limiting
all
OS6400/OS6855-U24X/OS9000E
base
base
OS6850/OS6855/OS9000/9000E
OS6850/OS9000/OS9000E
base
base
all
all
base
base
Ethernet OAM
- Ethernet OAM 802.3ah EFM
all
all
base
base
Flood/Storm Control
Generic Routing Encapsulation (GRE)
GVRP
Hashing Control
Health Statistics
HTTP/HTTPS Port Configuration
IGMP Multicast Group Configuration Limit
IGMP Relay - Forward to Specific Host in
L3 Environment
Interface Admin Down Warning
Interswitch Protocols (AMAP)
all
all
all
OS6850/OS6855/OS9000/OS9000E
all
all
OS6400/OS6850/OS6855/OS9000
OS6850/OS9000/OS9000E
base
base
base
base
base
base
base
base
OS6400/OS6850/OS6855
All
base
base
all
OS6400/OS6850/OS6855
base
base
all
OS6850/OS6855/OS9000/OS9000E
OS6850/OS6855/OS9000/OS9000E
base
base / encrypt
base / encrypt
base / encrypt
IPv6
-Unique Local IPv6 Unicast Addresses
-IPv6 Scoped Multicast Addresses
-IPv6 Multicast Routing
-IPv6 Multicast Switching (MLD)
OS6850/OS6855/OS9000/OS9000E
OS6850/OS6855/OS9000/OS9000E
OS6850/OS6855/OS9000/OS9000E
all
advanced routing
advanced routing
advanced routing
base
OS6850/OS6855/OS9000/OS9000E
Feature
-IPv6 Multicast Switching (Proxying)
- IPv6 Client and/or Server Support
- IPv6 Routing
IP DoS Filtering
IP MC VLAN Support for multiple sender
ports
IP Multinetting
IP Route Map Redistribution
IP-IP Tunneling
IPv4 Multicast Switching (IPMS)
IPv4 Multicast Switching (Proxying)
IPv4 Routing
IS-IS
ISSU
L2 Static Multicast Address
L4 ACLs over IPv6
Learned MAC Address Notification
Learned Port Security (LPS)
Link Aggregation (static & 802.3ad)
MAC Address Mode
Mac Authentication for Supplicant/NonSupplicant
MAC Retention
Multiple Virtual Routing & Forwarding
(Multiple VRF)
MPLS
- VPLS Support
- MPLS Static Fast Re-Route
- MPLS License
- MPLS OAM-LSP Ping/Traceroute
- MPLS Traps
Network Time Protocol (NTP)
- Client
- Server
OSPFv2
OSPFv3
Pause Control/Flow Control
Port Mapping Unknown Unicast Flooding
Partitioned Switch Management
Pause Control/Flow Control
Per-VLAN DHCP Relay
PIM
Platform
Software Package
all
base
all
base
OS6850/OS6855/OS9000/OS9000E
base
all
all
base
base
all
all
all
all
all
all
OS6850/OS9000/OS9000E
OS9000E
all
all
all
all
all
OS9000/OS9000E
all
base
base
base
base
base
base
advanced routing
base
base
base
base
base
base
base
base
OS6400/OS6850/OS6855-U24X
OS9000E/OS6855U24X
base
base
OS9000E
OS9000E
OS9000E
OS9000E
OS9000E
mpls
mpls
mpls
mpls
mpls
all
all
base
base
OS6850/OS6855/OS9000/9000E
OS6850/OS6855/OS9000/9000E
all
all
all
all
all
OS6850/OS6855/OS9000/9000E
advanced routing
advanced routing
base
base
base
base
base
advanced routing
Feature
PIM-SSM (Source-Specific Multicast)
Policy Based Mirroring
Policy Based Routing (Permanent Mode)
Policy Server Management
Port Mapping
Port Mirroring (128:1)
Port Monitoring
Port-based Ingress Limiting
Power over Ethernet (PoE)
PVST+
Quality of Service (QoS)
Quarantine Manager and Remediation
Redirection Policies (Port and Link
Aggregate)
Remote Port Mirroring
RIPng
RIPv1/RIPv2
RMON
Router Discovery Protocol (RDP)
Routing Protocol Preference
RRSTP
Secure Copy (SCP)
Secure Shell (SSH)
Server Load Balancing
- WRR
sFlow
Smart Continuous Switching
Hot Swap
Management Module Failover
Power Monitoring
Redundancy
SNMP
Software Rollback
Source Learning
- Disable MAC learning per VLAN
- Disable MAC learning per port
Spanning Tree
SSH Public Key Authentication
Switch Logging
Syslog to Multiple Hosts
Text File Configuration
TFTP Client for IPv4
Traffic Anomaly Detection (Network
Platform
Software Package
all
all
all
all
all
all
all
OS6400/OS6850/OS6855/OS9000
all
all
all
all
base
base
base
base
base
base
base
base
base
base
base
base
all
OS6850/OS6855/OS9000/OS9000E
all
all
all
all
all
all
all
base
base
base
base
base
base
base
base
base
OS6400/OS6850/OS9000
OS6850/OS9000/OS9000E
base
base
all
all
base
base
all
all
base
base
all
OS6400/OS6855-U24X/OS9000E
all
base
base
base
all
all
all
all
all
all
OS6850/OS6855/OS9000/OS9000E
base
base
base
base
base
base
base
Feature
Security)
UDLD
User Definable Loopback Interface
User Network Profile (UNP)
VLAN Stacking and Translation
VLAN Stacking Eservices
VLANs
Platform
Software Package
all
all
all
all
all
all
base
base
base
base
base
base
OS9000E/OS6850-U24X
base
OS9000E/OS6855-U24X
OS9000E/OS6855-U24X
OS9000E/OS6855-U24X
OS9000E/OS6855-U24X
OS9000E/OS6855-U24X
base
base
base
base
base
OS6850/OS6855/OS9000/OS9000E
OS6850/OS6855/OS9000/OS9000E
OS6850/OS6855/OS9000/OS9000E
all
OS6850/OS6855/OS9000/OS9000E
base
base
base
base
advanced routing
all
base
Feature Descriptions
10Km Stacking
The OS6855-U24X supports stacking a maximum of four chassis into a virtual chassis using SFP+
fiber transceivers or directly attached copper SFP+ cables. A distance of up to 10Km is supported
using the iSFP-10G-LR fiber transceiver.
802.1Q
802.1Q is an IEEE standard for sending frames through the network tagged with VLAN identification.
802.1Q tagging is the IEEE version of VLANs. It is a method of segregating areas of a network into
distinct VLANs. By attaching a label, or tag, to a packet, it can be identified as being from a specific
area or identified as being destined for a specific area.
When a port is enabled to accept tagged traffic, by default both 802.1Q tagged and untagged traffic is
automatically accepted on the port. Configuring the port to accept only tagged traffic is also supported.
Access Guardian
802.1x Radius-down Fail-Open
Allows users to be moved to a specified profile when the RADIUS server is not available. This feature
is supported for 802.1x and MAC-based authentication, but not for users being authenticated by
captive-portal. Users classified through the auth-server-down policy are flagged for re-authentication
when the authentication server becomes reachable.
Captive Portal
Captive Portal authentication is a configurable option within Access Guardian that allows Web browser
clients to authenticate through the switch using 802.1x or MAC authentication via a RADIUS server.
When the Captive Portal option is invoked, a Web page is presented to the user device to prompt the
user to enter login credentials. If authentication returns a VLAN ID, the device is assigned to that
VLAN. If a VLAN ID is not returned or authentication fails, a separate Captive Portal policy then
determines the network access control for the supplicant or non-supplicant.
Captive Portal Web Pages
Customizing the following Captive Portal Web page components is allowed. These components are
incorporated and displayed when the Web-based login page is presented to the user.
Logo
Welcome text
Background image
Captive Portal checks the local switch for any customized files before presenting the login Web page to
the user. If any such files exist, they are incorporated into the Web page display. If no such files exist,
the default Web page components are used.
Captive Portal Browser Support
The Captive Portal authentication feature presents the user with a Web page for entering login
credentials. The following table provides the platforms and browser support information for Captive
Portal users.
Platforms Supported
Windows XP
Windows Vista
Linux
Java Version
Java 1.6 update 5 through 12
Platforms Supported
Windows Vista, XP, 2003, 2000
Linux (Red Hat and SUSE Dists.)
Compliance Agent
Web-based
Platforms Supported
Windows Vista, XP, 2003, 2000
Refer to the InfoExpress documentation for information about how to configure the CyberGatekeeper
server and other related products.
User Network Profile (UNP)
A User Network Profile (UNP) defines network access controls for one or more user devices. Each
device that is assigned to a specific profile is granted network access based on the profile criteria,
instead of on an individual MAC address, IP address, or port. Assigning users to a profile provides
greater flexibility and scalability across the network. Administrators can use profiles to group users
according to function. All users assigned to the same UNP become members of that profile group. The
UNP then determines what network access resources are available to a group of users, regardless of
source subnet, VLAN or other characteristics.
A UNP is a configurable option of Access Guardian device classification policies and consists of the
following attributes:
UNP Name. The UNP name is obtained from the RADIUS server and mapped to the same
profile name configured on the switch. The switch profile then identifies three attribute values:
VLAN ID, Host Integrity Check (HIC) status, and a QoS policy list name.
VLAN ID. All members of the profile group are assigned to the VLAN ID specified by the
profile.
Host Integrity Check (HIC). Enables or disables device integrity verification for all members
of the profile group.
QoS Policy List Name. Specifies the name of an existing list of QoS policy rules. The rules
within the list are applied to all members of the profile group to enforce access to network
resources. Only one policy list is allowed per profile, but multiple profiles may use the same
policy list.
A UNP is a configurable option of Access Guardian device classification policies. A policy may also
include 802.1X, MAC, or Captive Portal (Web-based) authentication to provide more granular control
of the profile.
One of the attributes of a User Network Profile (UNP) specifies the name of a list of QoS policy rules.
This list is applied to a user device when the device is assigned to the user profile. Using policy lists
allows the administrator to associate a group of users to a set of QoS policy rules.
A default policy list exists in the switch configuration. Rules are automatically added to this list when
the rule is created. A rule can belong to multiple policy lists. As a result, the rule remains a member
of the default list even when it is subsequently assigned to additional lists. The user does have the
option to exclude the rule from the default list to preserve system resources.
Up to 13 policy lists (including the default list) are supported per switch. Only one policy list per UNP
is allowed, but a policy list can be associated with multiple profiles.
traffic is specified in the policy condition. The policy action determines whether the traffic is allowed
or denied.
In general, the types of ACLs include:
Layer 2 ACLs - for filtering traffic at the MAC layer. Usually uses MAC addresses or MAC
groups for filtering.
Layer 3/4 ACLs - for filtering traffic at the network layer. Typically uses IP addresses or IP
ports for filtering; note that IPX filtering is not supported.
ICMP drop rules - Allows condition combinations in policies that will prevent user pings,
thus reducing DoS exposure from pings. Two condition parameters are also available to
provide more granular filtering of ICMP packets: icmptype and icmpcode.
Early ARP discard - ARP packets destined for other hosts are discarded to reduce processing
overhead and exposure to ARP DoS attacks. No configuration is required to use this feature; it
is always available and active on the switch. Note that ARPs intended for use by a local
subnet, AVLAN, and VRRP are not discarded.
UserPorts - A port group that identifies its members as user ports to prevent spoofed IP
traffic. When a port is configured as a member of this group, packets received on the port are
dropped if they contain a source IP network address that does not match the IP subnet for the
port.
DropServices - A service group that improves the performance of ACLs that are intended to
deny packets destined for specific TCP/UDP ports. This group only applies to ports that are
members of the UserPorts group. Using the DropServices group for this function minimizes
processing overhead, which otherwise could lead to a DoS condition for other applications
trying to use the switch.
Trusted/untrusted behavior is the same for IPv6 traffic as it is for IPv4 traffic.
IPv6 policies do not support the use of network groups, service groups, map groups, or MAC
groups.
The default (built-in) network group, Switch, only applies to IPv4 interfaces. There is no
such group for IPv6 interfaces.
IPv6 ACLs are not supported on A1 NI modules. Use the show ni command to verify the version of the
NI module. Contact your Alcatel-Lucent support representative if you are using A1 boards.
ACL Manager
The Access Control List Manager (ACLMAN) is a function of the Quality of Service (QoS)
application that provides an interactive shell for using common industry syntax to create ACLs.
Commands entered using the ACLMAN shell are interpreted and converted to Alcatel-Lucent CLI
syntax that is used for creating QoS filtering policies.
This implementation of ACLMAN also provides the following features:
The ability to assign a name, instead of a number, to an ACL or a group of ACL entries.
Modifying specific ACL entries without having to enter the entire ACL each time to make a
change.
ACL logging extensions to display Layer 2 through 4 packet information associated with an
ACL.
Remote Authentication Dial-In User Service (RADIUS). Authentication using this type of
server was certified with Funk/Juniper Steel Belted RADIUS server (any industry standard
RADIUS server should work).
Authentication-only servers are able to authenticate users for switch management access, but
authorization (or what privileges the user has after authenticating) is determined by the switch.
Authentication-only servers cannot return user privileges to the switch. The authentication-only
server supported by the switch is ACE/Server, which is a part of RSA Security's SecurID product
suite. RSA Security's ACE/Agent is embedded in the switch.
By default, switch management users may be authenticated through the console port via the local user
database. If external servers are configured for other management interfaces but the servers become
unavailable, the switch will poll the local user database for login information if the switch is configured
for local checking of the user database. The database includes information about whether or not a user
is able to log into the switch and what kinds of privileges or rights the user has for managing the
switch.
Authenticated VLANs
Authenticated VLANs control user access to network resources based on VLAN assignment and a user
log-in process; the process is sometimes called user authentication or Layer 2 Authentication. (Another
type of security is device authentication, which is set up through the use of port-binding VLAN
policies or static port assignment.)
The total number of possible AVLAN users is 2K per system, not to exceed 1K per module or
stackable unit. This number is a total number of users that applies to all authenticated clients, such as
AVLAN and 802.1X supplicants or non-supplicants. The OmniSwitch supports the use of all
authentication methods and Learned Port Security (LPS) on the same port.
Layer 2 Authentication is different from Authenticated Switch Access, which is used to grant
individual users access to manage the switch.
The following table provides the platforms and browser support information for AVLAN web
authentication:
Platforms Supported
Windows 2000
Windows XP
Windows Vista
Linux
MAC OS 10.5
Java Version
Java 1.6 update 5 through 12
Java 1.6 update 5 through 12
Java 1.6 update 5 through 12
-Java 12.0
a topology change that could lead to a loss of connectivity between VLANs/switches. Enabling
Automatic VLAN Containment (AVC) helps to prevent this from happening by making such a port an
undesirable choice for the root.
When AVC is enabled, it identifies undesirable ports and automatically configures them with an
infinite path cost value.
Balancing VLANs across links according to their Multiple Spanning Tree Instance (MSTI) grouping is
highly recommended to ensure that there is not a loss of connectivity during any possible topology
changes. Enabling AVC on the switch is another way to prevent undesirable ports from becoming the
root for an MSTI.
BGP4
The Border Gateway Protocol (BGP) is an exterior routing protocol that guarantees the loop-free
exchange of routing information between autonomous systems. The Alcatel-Lucent implementation
supports BGP version 4 as defined in RFCs 1771/4271, 2439, 3392, 2385, 1997, 4456, 3065, 4273 and
4486.
The Alcatel-Lucent implementation of BGP is designed for enterprise networks, specifically for border
routers handling a public network connection, such as the organization's Internet Service Provider
(ISP) link. Up to 65,000 route table entries and next hop routes can be supported by BGP.
Temperature
Supply Voltage
Current
Output Power
Input Power
Traps can be enabled if any of these above values crosses the pre-defined low or high thresholds of the
transceiver.
Note: Not all transceivers support DDM; refer to the Transceivers Guide for additional DDM
information.
DHCP Relay
DHCP Relay allows you to forward DHCP broadcast requests to a configurable DHCP server IP address
in a routing environment.
DHCP Relay is configured using the IP helper set of commands.
Preboot Execution Environment (PXE) support was enabled by default in previous releases. Note that
in this release, it is disabled by default and is now a user-configurable option using the
ip helper pxe-support command.
If the relay agent receives a DHCP packet from a client that already contains Option-82 data, the
packet is dropped by default. However, it is possible to configure a DHCP Option-82 policy that
directs the relay agent to drop, keep, or replace the existing Option-82 data and then forward the packet
to the server.
The OmniSwitch enhances the Option 82 capability by allowing the interface alias to be
inserted into the Circuit ID and Remote ID suboptions of the Option-82 field.
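The drop, keep and replace behaviour described above, as an added example (not Alcatel-Lucent code) that parses a DHCP options field and applies each policy to client-supplied Option-82 data. The function names, the sample options and the interface alias `uplink-1/1` are constructed for the illustration; inserting the relay's own Option-82 when the client sent none is an assumption.

```python
"""Relay-agent handling of client-supplied DHCP Option-82 (drop / keep / replace).

Illustration only: function names and the sample options are constructed.
"""
OPT_PAD, OPT_RELAY_AGENT_INFO, OPT_END = 0, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def parse_tlv(raw, dhcp_framing=True):
    """Split code/length/value records.

    PAD (0) and END (255) are honoured only for the DHCP options field,
    not inside the Option-82 suboption list.
    """
    items, i = [], 0
    while i < len(raw):
        code = raw[i]
        if dhcp_framing and code == OPT_PAD:
            i += 1
            continue
        if dhcp_framing and code == OPT_END:
            break
        if i + 2 > len(raw):
            raise ValueError("option %d has no length byte" % code)
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        items.append((code, bytes(value)))
        i += 2 + length
    return items


def build_tlv(items, dhcp_framing=True):
    out = bytearray()
    for code, value in items:
        if len(value) > 255:
            raise ValueError("option %d value is too long" % code)
        out += bytes([code, len(value)]) + value
    if dhcp_framing:
        out.append(OPT_END)
    return bytes(out)


def make_option82(interface_alias):
    """Option-82 value carrying the interface alias in Circuit ID and Remote ID."""
    alias = interface_alias.encode("ascii")
    return build_tlv([(SUB_CIRCUIT_ID, alias), (SUB_REMOTE_ID, alias)],
                     dhcp_framing=False)


def relay_options(client_options, policy, interface_alias):
    """Return the options field to forward to the server, or None to drop."""
    if policy not in ("drop", "keep", "replace"):
        raise ValueError("unknown Option-82 policy: %r" % policy)
    options = parse_tlv(client_options)
    has_opt82 = any(code == OPT_RELAY_AGENT_INFO for code, _ in options)
    if has_opt82 and policy == "drop":
        return None                      # default behaviour
    if has_opt82 and policy == "keep":
        return bytes(client_options)     # forward the client's data untouched
    # "replace", or no Option-82 present (assumption): strip any existing
    # Option-82 and append the relay's own as the last option.
    kept = [(c, v) for c, v in options if c != OPT_RELAY_AGENT_INFO]
    kept.append((OPT_RELAY_AGENT_INFO, make_option82(interface_alias)))
    return build_tlv(kept)


# Constructed input: DHCPDISCOVER (option 53 = 1) that already carries an
# Option-82 with a client-chosen Circuit ID.
SAMPLE_OPTIONS = (bytes([53, 1, 1])
                  + bytes([82, 9, SUB_CIRCUIT_ID, 7]) + b"spoofed"
                  + bytes([OPT_END]))

if __name__ == "__main__":
    for policy in ("drop", "keep", "replace"):
        result = relay_options(SAMPLE_OPTIONS, policy, "uplink-1/1")
        print(policy, "->", "packet dropped" if result is None else result.hex())
```
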
DHCP Snooping
DHCP Snooping improves network security by filtering DHCP packets received from devices outside
the network and building and maintaining a binding table (database) to log DHCP client access
information. There are two levels of operation available for the DHCP Snooping feature: switch level
or VLAN level.
To identify DHCP traffic that originates from outside the network, DHCP Snooping categorizes ports
as either trusted or untrusted. A port is trusted if it is connected to a device inside the network, such as
a DHCP server. A port is untrusted if it is connected to a device outside the network, such as a
customer switch or workstation. The port trust mode is also configurable through the CLI.
Additional DHCP Snooping functionality includes the following:
IP Source Filtering - Restricts DHCP Snooping port traffic to only packets that contain the
client source MAC address and IP address obtained from the DHCP lease information. The
DHCP Snooping binding table is used to verify the client lease information for the port that is
enabled for IP source filtering.
Rate Limiting - Limits the number of DHCP packets on a port. This functionality is provided
using the QoS application to configure ACLs for the port.
DNS Client
A Domain Name System (DNS) resolver is an internet service that translates host names into IP
addresses. Every time you enter a host name, a DNS service must look up the name on a server and
resolve the name to an IP address. You can configure up to three domain name servers that will be
queried in turn to resolve the host name. If all servers are queried and none can resolve the host name
to an IP address, the DNS fails. If the DNS fails, you must either enter an IP address in place of the
host name or specify the necessary lookup tables on one of the specified servers.
DVMRP
Distance Vector Multicast Routing Protocol (DVMRP) is a dense-mode multicast routing protocol.
DVMRP, which is essentially a broadcast and prune routing protocol, is designed to assist routers
in propagating IP multicast traffic through a network. DVMRP works by building per-source broadcast
trees based on routing exchanges, then dynamically creating per-source, group multicast delivery trees
by pruning the source's truncated broadcast tree.
Ethernet Interfaces
Ethernet and Gigabit Ethernet port software is responsible for a variety of functions that support
Ethernet, Gigabit, and 10 Gigabit Ethernet ports. These functions include initialization of ports,
notifying other software modules when a port goes down, configuration of basic line parameters,
gathering of statistics for Ethernet and Gigabit Ethernet ports, and responding to administrative
enable/disable requests.
Configurable parameters include: autonegotiation (copper ports 10/100/1000), trap port link messages,
flood control, line speed, duplex mode, inter-frame gap, resetting statistics counters, and maximum and
peak flood rates.
Flood control is configurable on ingress interfaces (flood rate and including/excluding multicast).
Ethernet OAM
Ethernet OAM (Operation, Administration, and Maintenance) provides service assurance over a
converged Ethernet network. Ethernet OAM focuses on two main areas that are most in need by
service providers and are rapidly evolving in the standards bodies: Service OAM and Link OAM.
These two OAM protocols have unique objectives but are complementary to each other. Service OAM
provides monitoring and troubleshooting of end-to-end Ethernet service instances, while Link OAM
allows a provider to monitor and troubleshoot an individual Ethernet link. The end-to-end service
management capability is the most important aspect of Ethernet OAM for service providers.
Ethernet First Mile (EFM)
IEEE 802.3ah defines Ethernet in the access networks that connect subscribers to their immediate
service provider. EFM, EFM-OAM and LINKOAM refer to the IEEE 802.3ah standard.
LINK OAM (operation, administration, and maintenance) is a tool which monitors Layer-2 link status
on the network by sending OAM protocol data units (OAMPDUs) between the network devices.
OAMPDUs contain control and status information used to monitor, test and troubleshoot
OAM-enabled links. By enabling LINK OAM on switch ports, network administrators can monitor the
link-related issues on the first mile. LINK OAM provides network administrators the ability to monitor link
performance, remote fault detection and remote loopback control.
This implementation of ERP is based on ITU-T G.8032 and uses the ring Automatic Protection
Switching (APS) protocol to coordinate the prevention of network loops within a bridged Ethernet ring.
Loop prevention is achieved by allowing the traffic to flow on all but one of the links within the
protected Ethernet ring. This link is blocked and is referred to as the Ring Protection Link (RPL).
When a ring failure condition occurs, the RPL is unblocked to allow the flow of traffic to continue
through the ring.
ERP Overlapping Protected VLANs on a Single Node
In a network where all connected nodes cannot belong to a single ERP ring, the OmniSwitch supports
multiple ERP rings. Each of the ERP rings has a different Service VLAN configured which allows the ERP
PDUs to be processed by the corresponding ERP ring nodes. The Service VLANs configured for each of the
ERP rings can be configured as a protected VLAN on the other ERP ring. The protected VLANs can be
shared across ERP rings.
Ethernet Services
Ethernet Services provides a mechanism for tunneling multiple customer VLANs (CVLAN) through a
service provider network over the Ethernet Metropolitan Area Network (EMAN). The service provider
network uses one or more service provider VLANs (SVLAN) by appending an 802.1Q double tag or
VLAN Translation on a customer port that contains the customer's assigned tunnel ID. This traffic is
then encapsulated into the tunnel and transmitted through the service provider network. It is received
on another Provider Edge (PE) that has the same tunnel ID.
This feature enables service providers to provide their customers with Transparent LAN Services
(TLS). This service is multipoint in nature so as to support multiple customer sites or networks
distributed over the edges of a service provider network. Ethernet Services provides the following:
Ethernet service-based approach that is similar to configuring a virtual private LAN service
(VPLS).
Ingress bandwidth rate limiting on a per UNI port, per CVLAN, or CVLAN per UNI port
basis.
CVLAN (inner) tag 802.1p-bit mapping to SVLAN (outer) tag 802.1p bit.
CVLAN (inner) tag DSCP mapping to SVLAN (outer) tag 802.1p bit.
This feature allows for egress rate limiting for traffic going out on UNI ports. When a SAP is
configured and bound to a SAP profile, the following information is used to provide egress rate
limiting on traffic going out on the UNI port
Enhances the User Network Interface (UNI) profile to allow the control packets for 802.1x, 802.1ab,
802.3ad, 802.3ah, GVRP, and AMAP to be tunneled, discarded, or peered on UNI ports.
Note: 802.3ad and 802.3ah packets use the same MAC address. Therefore, the configuration for
802.3ad also applies to 802.3ah control packets.
GVRP
The GARP VLAN Registration Protocol (GVRP), a protocol compliant with 802.1Q, dynamically
learns and further propagates VLAN membership information across a bridged network. GVRP
dynamically maintains and updates the registration and de-registration of VLANs and prunes
unnecessary broadcast and unicast traffic. Through propagation of GVRP information, a device is
continuously able to update its knowledge of the set of VLANs that currently have active members and
of the ports through which those members can be reached. With GVRP, a single switch is manually
configured with all the desired VLANs for the network, and all other switches on the network
dynamically learn those VLANs. An end station can be plugged into any switch and can be connected
to its desired VLAN. However, for end stations to make use of GVRP, they need Network Interface
Cards (NIC) aware of GVRP.
Hashing Control
Hashing helps in achieving better load balancing on the switch for features such as Link Aggregation,
ECMP and Server Load Balancing. Depending on the OmniSwitch configuration, this feature allows the
hashing mode to be configured to help improve switch load balancing performance.
Two hashing algorithms are available: Brief Mode and Extended Mode. In brief mode, UDP/TCP ports
are not included in the hashing algorithm; only source IP and destination IP addresses are
considered. Extended mode allows additional bits to be used in the hashing algorithm and
provides the option of including UDP/TCP ports in the hashing algorithm, resulting in more
efficient load balancing.
Changing the hash mode affects all features that rely on hashing, including Link Aggregation, ECMP
and Server Load Balancing. Changing the hash mode per feature is not supported.
Server Load Balancing uses dynamic port assignment; therefore, it is not recommended to enable the
TCP/UDP port hashing option with extended mode when SLB is configured on the switch.
The hash control mode also impacts the fabric load balancing for chassis-based products. It is not
recommended to set brief hashing mode on chassis-based products.
Health Statistics
To monitor resource availability, the NMS (Network Management System) needs to collect significant
amounts of data from each switch. As the number of ports per switch (and the number of switches)
increases, the volume of data can become overwhelming. The Health Monitoring feature can identify
and monitor a switch's resource utilization levels and thresholds, improving the efficiency in data
collection.
Health Monitoring provides the following data to the NMS:
Threshold level
Additionally, Health Monitoring provides the capacity to specify thresholds for the resource utilization
levels it monitors, and generates traps based on the specified threshold criteria.
Use the well-known prefix FC00::/7 to allow for easy filtering at site boundaries.
Allow sites to be combined or privately interconnected without creating any address conflicts
or requiring renumbering of interfaces that use these prefixes.
Internet Service Provider independent and can be used for communications inside of a site
without having any permanent or intermittent Internet connectivity.
If accidentally leaked outside of a site via routing or DNS, there is no conflict with any other
addresses.
In practice, applications may treat these addresses like global scoped addresses.
A 40-bit global identifier is used to make the local IPv6 address prefixes globally unique. This
global ID can either be explicitly configured, or created using the pseudo-algorithm
recommended in RFC 4193.
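The RFC 4193 pseudo-random Global ID procedure referred to above, worked through as an added example (it is not code from these release notes or from the OmniSwitch software). The MAC address, timestamp and addresses in it are constructed sample values, and the helper names are hypothetical.

```python
import hashlib
import ipaddress
import struct

# fc00::/7 is the well-known local-address prefix named in the text above.
ULA_RANGE = ipaddress.ip_network("fc00::/7")
NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 plus a 32-bit fraction."""
    seconds = (int(unix_time) + NTP_UNIX_OFFSET) & 0xFFFFFFFF
    fraction = int((unix_time % 1) * 2**32)
    return struct.pack("!II", seconds, fraction)


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: flip the U/L bit and insert ff:fe."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def global_id(unix_time: float, mac: str) -> int:
    """RFC 4193 section 3.2.2: SHA-1 over time||EUI-64, keep the low 40 bits."""
    key = ntp_timestamp(unix_time) + eui64_from_mac(mac)
    digest = hashlib.sha1(key).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_prefix(gid: int) -> ipaddress.IPv6Network:
    """FC00::/7 with the L bit set (first byte 0xFD) followed by the Global ID."""
    if not 0 <= gid < 2**40:
        raise ValueError("Global ID must fit in 40 bits")
    top48 = (0xFD << 40) | gid
    return ipaddress.IPv6Network((top48 << 80, 48))


def site_subnet(prefix: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Append a 16-bit Subnet ID to a /48 local prefix, giving a /64."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id < 2**16:
        raise ValueError("need a /48 prefix and a 16-bit subnet ID")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


def boundary_violations(addresses):
    """Addresses inside fc00::/7, i.e. ones a site-boundary filter should stop."""
    return [a for a in addresses if ipaddress.ip_address(a) in ULA_RANGE]


if __name__ == "__main__":
    # Constructed inputs: a sample MAC and a fixed timestamp so the run is repeatable.
    gid = global_id(1300000000.0, "00:11:22:33:44:55")
    prefix = ula_prefix(gid)
    print("Global ID :", format(gid, "010x"))
    print("Prefix    :", prefix)
    print("Subnet 1  :", site_subnet(prefix, 1))
    # Constructed sample of addresses seen at a site edge.
    seen = ["fd12:3456:789a:1::1", "2001:db8::1", "fe80::1", "fc00::5"]
    print("Filter    :", boundary_violations(seen))
```

Because the Global ID depends on the time and the generating system's identifier, two sites that each run the procedure are very unlikely to pick the same /48, which is what lets them be interconnected later without renumbering.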
IP/IP Tunneling
The IP/IP tunneling feature allows IP traffic to be tunneled through an IP network. This feature can be
used to establish connectivity between remote IP networks using an intermediate IP network such as the
Internet.
IP Multicast VLAN
IP Multicast VLAN involves the creation of separate, dedicated VLANs constructed specifically for
multicast traffic distribution. These distribution VLANs connect to the nearest multicast router and
support multicast traffic only. The IP Multicast feature works in both the enterprise environment and
the VLAN Stacking environment. The ports are separately classified as VLAN stacking ports or as
legacy ports (Fixed ports/Tagged Ports). To ascertain that data flow is limited to either the VLAN
Stacking domain or the enterprise domain, VLAN Stacking ports must be members of only the VLAN
Stacking VLANs, while the normal legacy ports must be members of only enterprise mode VLANs.
Includes support for multiple sender ports.
Do not have any switch between them on the Spanning Tree path that has AMAP enabled
IPv4 Support
Internet Protocol (IP) is a network-layer (Layer 3) protocol that contains addressing and control
information that allow packets to be forwarded on a network. IP is the primary network-layer protocol
in the Internet protocol suite. Along with the Transmission Control Protocol (TCP), IP represents the
heart of the Internet protocols. IP is associated with several Layer 3 and Layer 4 protocols. These
protocols are built into the base code loaded on the switch and they include:
RIP I / RIP II
Static Routes
The base IP software allows one to configure an IP router interface, static routes, a default route, the
Address Resolution Protocol (ARP), the router primary address, the router ID, the Time-to-Live (TTL)
Value, IP-directed broadcasts, and the Internet Control Message Protocol (ICMP). In addition, this
software allows one to trace an IP route, display Transmission Control Protocol (TCP) information,
and display User Datagram Protocol (UDP) information.
IPv6 Support
IPv6 (documented in RFC 2460) is designed as a successor to IPv4 and is supported on the
OmniSwitch 6850, 6855 and 9000/9000E. The changes from IPv4 to IPv6 fall primarily into the
following categories:
ICMPv6
Neighbor Discovery
Stateless Autoconfiguration
OSPFv3
RIPng
Static Routes
Ping, traceroute
IP DoS Filtering
By default, the switch filters the following denial of service (DoS) attacks, which are security attacks
aimed at devices that are available on a private network or the Internet:
Invalid IP Attack
Ping Overload
and BOOTP). Unlike unicast, which sends one packet per destination, multicast sends one packet to all
devices in any subnetwork that has at least one device requesting the multicast traffic. Multicast
switching also requires much less bandwidth than unicast techniques and broadcast techniques since
the source hosts only send one data stream to the ports on which destination hosts that request it are
attached.
Destination hosts signal their intent to receive a specific multicast stream by sending a request to do so
to a nearby switch using Internet Group Management Protocol (IGMP). The switch then learns on
which ports multicast group subscribers are attached and can intelligently deliver traffic only to the
respective ports. This mechanism is often referred to as IGMP snooping (or IGMP gleaning). Alcatel-Lucent's implementation of IGMP snooping is called IP Multicast Switching (IPMS). IPMS allows
switches to efficiently deliver multicast traffic in hardware at wire speed.
Both IGMP version 3 (IGMPv3), which handles forwarding by source IP address and IP multicast
destination, and IGMP version 2 (IGMPv2), which handles forwarding by IP multicast destination
address only, are supported.
IP Multinetting
IP multinetting allows multiple subnets to coexist within the same VLAN domain. This
implementation of the multinetting feature allows for the configuration of up to eight IP interfaces for
a single VLAN. Each interface is configured with a different subnet.
IS-IS
Intermediate System-to-Intermediate System (IS-IS) is an International Organization for
Standardization (ISO) dynamic routing specification. IS-IS is a shortest path first (SPF), or link state
protocol. Also considered an interior gateway protocol (IGP), IS-IS distributes routing information
between routers in a single Autonomous System (AS) in IP environments. IS-IS chooses the least-cost
path as the best path. It is suitable for complex networks with a large number of routers by providing
faster convergence where multiple flows to a single destination can be simultaneously forwarded
through one or more interfaces.
Switches running an R## build, such as 6.4.2.123.R01, do not support ISSU upgrades. The
switch must first be upgraded to an S## build such as 6.4.2.123.S01.
Periodic ISSU capable patches will be available on the Service & Support website. These patches
contain all CMM-only related fixes and will support the ISSU capability.
ISSU patches are only supported within the same S## branch. For example, if a switch is running
6.4.2.123.S01 then only 6.4.2.###.S01 images can be used to perform an ISSU patch. If a switch is
running 6.4.2.234.S02 then only 6.4.2.###.S02 images can be used to perform an ISSU patch.
Approximately every six months a new ISSU capable branch will be available from Service &
Support (i.e. S01, S02, S03, etc.). Each new branch will include all NI related fixes that were
not supported in the previous ISSU branch. Upgrading from one ISSU branch to another will
require a reboot and should be scheduled during a maintenance window.
If a critical NI related patch is required, it will be necessary to move to an R## related build.
Since R## related builds do not support the ISSU feature, a reboot will be required and should
be scheduled during a maintenance window.
The images which are ISSU capable are Jbase.img, Jsecu.img, Jadvrout.img and Jos.img.
A minimum of 25 MB flash space must be present in the switch to accommodate the image files
that are used to patch existing image files. This feature is only supported on the OmniSwitch
9000E.
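A pre-flight check for the ISSU constraints listed above, as an added example (not an Alcatel-Lucent tool and not part of these release notes). It assumes build strings follow the `6.4.2.123.S01` form quoted on this page; the function names and the sample inputs are constructed for illustration.

```python
import re
from typing import Iterable, List, NamedTuple

# Values taken from the list above.
ISSU_IMAGES = {"Jbase.img", "Jsecu.img", "Jadvrout.img", "Jos.img"}
MIN_FREE_FLASH_MB = 25

# Assumed layout: <release>.<build number>.<R|S><two-digit branch>
_BUILD_RE = re.compile(r"(\d+\.\d+\.\d+)\.(\d+)\.([RS])(\d{2})")


class Build(NamedTuple):
    release: str   # e.g. "6.4.2"
    number: int    # e.g. 123
    kind: str      # "R" or "S"
    branch: int    # e.g. 1 for S01


def parse_build(text: str) -> Build:
    """Parse a build string; reject anything that is not exactly in the assumed form."""
    m = _BUILD_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognized build string: {text!r}")
    return Build(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))


def issu_blockers(current: str, target: str, free_flash_mb: float,
                  images: Iterable[str]) -> List[str]:
    """Return the reasons an in-service patch is not possible (empty list = OK)."""
    cur, tgt = parse_build(current), parse_build(target)
    problems: List[str] = []
    if cur.kind != "S":
        problems.append(f"running build {current} is an R## build; "
                        "upgrade to an S## build first")
    if tgt.kind != "S":
        problems.append(f"target {target} is an R## build; "
                        "R## builds need a reboot in a maintenance window")
    if cur.kind == "S" and tgt.kind == "S":
        if cur.release != tgt.release:
            problems.append(f"release differs ({cur.release} vs {tgt.release})")
        if cur.branch != tgt.branch:
            problems.append(f"branch differs (S{cur.branch:02d} vs S{tgt.branch:02d}); "
                            "moving between ISSU branches needs a reboot")
    if free_flash_mb < MIN_FREE_FLASH_MB:
        problems.append(f"only {free_flash_mb} MB flash free; "
                        f"{MIN_FREE_FLASH_MB} MB required")
    not_capable = sorted(set(images) - ISSU_IMAGES)
    if not_capable:
        problems.append("not ISSU capable: " + ", ".join(not_capable))
    return problems


if __name__ == "__main__":
    # Constructed scenarios; "Example.img" is a placeholder file name.
    scenarios = [
        ("6.4.2.123.S01", "6.4.2.150.S01", 40, ["Jbase.img", "Jos.img"]),
        ("6.4.2.123.R01", "6.4.2.150.S01", 40, ["Jos.img"]),
        ("6.4.2.123.S01", "6.4.2.234.S02", 10, ["Example.img"]),
    ]
    for cur, tgt, flash, imgs in scenarios:
        found = issu_blockers(cur, tgt, flash, imgs)
        print(f"{cur} -> {tgt}:", "OK" if not found else "; ".join(found))
```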
A configurable source learning time limit that applies to all LPS ports.
Two methods for handling unauthorized traffic: Shutting down the port or only blocking
traffic that violates LPS criteria.
A configurable limit to the number of filtered MAC addresses allowed on an LPS port.
Conversion of dynamically learned MAC addresses to static MAC address entries.
Support for all authentication methods and LPS on the same switch port.
Scalability (OS6400/6850/6855). You can configure up to 32 link aggregation groups that can
consist of 2, 4, or 8 Ethernet ports.
Scalability (OS9000/OS9000E). You can configure up to 128 link aggregation groups that
can consist of 2, 4, or 8 Ethernet ports.
Reliability. If one of the physical links in a link aggregate group goes down, the link
aggregate group can still operate.
Ease of Migration. Link aggregation can ease the transition from a Gigabit Ethernet backbone
to a 10 Gigabit Ethernet backbone.
Interoperability with Legacy Switches. Static link aggregation can interoperate with
OmniChannel on legacy switches.
Alcatel-Lucent's link aggregation software allows you to configure the following two different types of
link aggregation groups:
2
4
8
128
64
32
This implementation of MPLS provides the network architecture that is needed to set up a Virtual
Private LAN Service (VPLS). VPLS allows multiple customer sites to transparently connect through a
single bridging domain over an IP/MPLS-based network.
The MPLS architecture provided is based on the Label Distribution Protocol (LDP). The LDP consists
of a set of procedures used by participating Label Switching Routers (LSRs) to define Label Switched
Paths (LSPs), also referred to as MPLS tunnels. These tunnels provide the foundation necessary to
provision VPLS.
MPLS Software Licensing Requirement. The MPLS feature, including the VPLS application,
requires the purchase of an Alcatel-Lucent software license. The licenses are available through the
Alcatel-Lucent Software License portal.
VPLS Support
A Virtual Private LAN Service (VPLS) is a Virtual Private Network (VPN) technology that allows
any-to-any (multipoint) connectivity. The provider network emulates a LAN by connecting all the
remote customer sites at the edge of the provider network to a single bridged LAN. A full mesh of
pseudo-wires (PW) is established to form a VPLS.
A VPLS-capable network consists of Customer Edges (CE), Provider Edges (PE), and a core MPLS
network. The IP/MPLS core network interconnects the PEs but does not participate in the VPN
functionality. Traffic is simply switched based on the MPLS labels.
This implementation of VPLS makes use of a service-based architecture that provides the following
logical entities that are required to provision a service:
Customers (subscribers). An account is created for each customer and assigned an ID. The
customer ID is required and associated with the service at the time the service is created.
Service Access Points (SAPs). Each subscriber service type is configured with at least one
SAP. A SAP identifies the point at which customer traffic enters the service.
Service Distribution Points (SDPs). An SDP provides a logical point at which customer
traffic is directed from one PE to another PE through a one-way service tunnel.
Static LSPs. A Static LSP specifies a statically defined path of LSRs. Configuration of label
mappings and MPLS actions is required on each router that will participate in the static path.
No signaling protocol, such as the Label Distribution Protocol (LDP), is required, and there is
no dependence on a gateway protocol topology or local forwarding table. Static LSPs are able
to cross an Autonomous System (AS) boundary.
Signaled LSP. The LSPs are set up using a signaling protocol, such as LDP. The signaling
protocol allows the automatic assignment of labels from an ingress router to the egress router.
Signaling is triggered by the ingress router, therefore configuration is only required on this
router. A signaled LSP is confined to one gateway protocol area and, therefore, cannot cross
an AS boundary.
In addition to static LSPs, a static Fast Reroute (FRR) feature is available that allows the configuration
of backup static LSP tunnels. FRR uses these backup tunnels to provide alternate routes in the event an
LSP goes down.
LSP Ping and Traceroute are used to verify that packets associated with a particular Forwarding
Equivalence Class (FEC) actually end their MPLS path on a Label Switching Router (LSR) that is an
Egress LSR for that FEC.
MPLS Traps
The OmniSwitch AOS implementation of MPLS generates the following SNMP traps:
mplsXCup
mplsXCdown
vRtrMplsStateChange
vRtrMplsIfStateChange
vRtrMplsLspUp
vRtrMplsLspDown
vRtrLdpInstanceStateChange
vRtrLdpGroupIdMismatch
svcStatusChanged
sapStatusChanged
sdpBindStatusChanged
sdpStatusChanged
sapPortStateChangeProcessed
sdpBindStateChangeProcessed
sdpKeepAliveProbeFailure
sdpKeepAliveStarted
sdpKeepAliveStopped
Multiple routing instances within the same physical switch. Each VRF instance is associated
with a set of IP interfaces and creates and maintains independent routing tables. Traffic
between IP interfaces is only routed and forwarded within those interfaces/routes that belong
to the same VRF instance.
Multiple instances of IP routing protocols, such as static, RIP, IPv4, BGPv4, and OSPFv2 on
the same physical switch. An instance of each type of protocol operates within its own VRF
instance.
The ability to use duplicate IP addresses across VRF instances. Each VRF instance maintains
its own IP address space to avoid any conflict with the service provider network or other
customer networks.
Separate IP routing domains for customer networks. VRF instances configured on the
Provider Edge (PE) are used to isolate and carry customer traffic through the shared provider
network.
The Multiple VRF feature uses a context-based command line interface (CLI). When the switch
boots up, a default VRF instance is automatically created and active. Any commands subsequently
entered apply to this default instance. If a different VRF instance is selected, then all subsequent
commands apply to that instance. The CLI command prompt indicates which instance is the active
VRF CLI context by adding the name of the VRF instance as a prefix to the command prompt (for
example, vrf1: ->).
VRF - QoS Enhancements
Enhances QoS policy configuration by adding a field in the policy condition to allow a VRF instance to
be specified. The VRF classification can be combined with any existing condition and allows for the
configuration of VRF aware policy rules.
VRF - Switch Authentication Enhancement
This feature allows a RADIUS server to be placed in a VRF other than the default VRF. This allows
for the creation of a Management VRF instance where all authentication servers can be placed.
Authentication servers may also be left in the non-default VRF instance.
VRF - Switch Access and Utilities
Enhances Telnet and SSH to make them VRF aware. This feature applies only to outgoing Telnet and
SSH connections from any VRF instance; incoming requests always go to the default VRF instance.
Additionally, the ping and traceroute utilities are also VRF aware.
VRF - VRRP
Enhances VRRP making it VRF aware. Allows for the configuration of independent VRRP instances
in multiple VRFs.
The existing VRRP commands and syntaxes (including show commands and outputs) are now
accessible in a VRF context.
VRRP instances can be configured independently of one another on as many VRFs as the
underlying platform supports.
Each VRRP/VRF instance receives, sends, and processes VRRP packets independently of VRRP
instances running in other VRFs.
VRF UDP/DHCP Relay
VRF support for UDP/DHCP Relay allows for the configuration and management of relay agents and
servers within the context of a VRF instance. However, the level of VRF support and functionality for
individual UDP/DHCP Relay commands falls into one of the following three categories:
VRF-Aware commands. These commands are allowed in any of the VRF instances configured
in the switch. The settings in one VRF are independent of the settings in another VRF.
Command parameters are visible and configurable within the context of any VRF.
Global commands. These commands are supported only in the default VRF, but are visible and
applied to all VRF instances configured in the switch. This command behavior is similar to
how command parameters are applied in the per-VLAN DHCP Relay mode. For example, the
maximum hops value configured in the default VRF is applied to all DHCP Relay agents
across all VRF instances. This value is not configurable in any other VRF instance.
Default VRF commands. These commands are supported only in the default VRF and are not
applied to any other VRF instance configured in the switch. For example, per-VLAN mode,
DHCP Snooping, and boot-up commands fall into this category.
Refer to the Configuring Multiple VRF chapter in the OmniSwitch AOS Release 6 Configuration
Guide for a list of UDP/DHCP Relay VRF related commands.
Note: Refer to the Configuring Multiple VRF chapter in the OmniSwitch AOS Release 6
Configuration Guide for a list of VRF supported features and commands.
Note: A switch running multiple VRF instances can only be managed with SNMPv3. A context
must be specified that matches the VRF instance to be managed.
NTP Client
The Network Time Protocol (NTP) is used to synchronize the time of a computer client or server to
another server or reference time source, such as a radio or satellite receiver. It provides client time
accuracies within half a second on LANs and WANs relative to a primary server synchronized to
Universal Coordinated Time (UTC) (via a Global Positioning Service receiver, for example).
NTP Server
Enhances the NTP functionality to allow the OmniSwitch to act as an NTP server. The OmniSwitch
software by default will be able to respond to NTP client requests, and establish a client/server peering
relationship. With the server CLI commands now enabled, the OmniSwitch can now also establish an
active peering relationship with another server, enable broadcast server functionality, disable a given IP
for NTP and employ MD5 authentication for clients and active peers.
OSPFv2/OSPFv3
Open Shortest Path First version 3 (OSPFv3) is available. OSPFv3 is an extension of OSPF version 2
(OSPFv2) that provides support for networks using the IPv6 protocol. OSPFv2 is for IPv4 networks.
Both versions of OSPF are shortest path first (SPF), or link-state, protocols for IP networks. Also
considered interior gateway protocols (IGP), both versions distribute routing information between
routers in a single Autonomous System (AS). OSPF chooses the least-cost path as the best path. OSPF
is suitable for complex networks with a large number of routers by providing faster convergence, loop
free routing, and equal-cost multi-path routing where packets to a single destination can be sent to
more than one interface simultaneously. OSPF adjacencies over non-broadcast links are also supported.
In addition, OSPFv2 supports graceful (hitless) restart during failover, which is the time period
between the restart and the reestablishment of adjacencies after a planned (e.g., the user performs the
takeover) or unplanned (e.g., the primary management module unexpectedly fails) failover. Note that
OSPFv3 does not support graceful restart.
PIM-SM/PIM-DM/PIM-SSM
Protocol-Independent Multicast (PIM) is an IP multicast routing protocol that uses routing information
provided by unicast routing protocols, such as RIP and OSPF. PIM is protocol-independent because
it does not rely on any particular unicast routing protocol. Sparse mode PIM (PIM-SM) contrasts with
flood-and-prune dense mode multicast protocols, such as DVMRP and PIM Dense Mode (PIM-DM) in
that multicast forwarding in PIM-SM is initiated only via specific requests, referred to as Join
messages.
PIM-DM for IPv4 is supported. PIM-DM packets are transmitted on the same socket as PIM-SM packets, as both use the same protocol and message format. Unlike PIM-SM, in PIM-DM there are no periodic joins transmitted; only explicitly triggered prunes and grafts. In addition, there is no Rendezvous
Point (RP) in PIM-DM.
Protocol Independent Multicast Source-Specific Multicast (PIM-SSM) is a highly-efficient extension
of PIM. SSM, using an explicit channel subscription model, allows receivers to receive multicast traffic
directly from the source; an RP tree model is not used. In other words, a Shortest Path Tree (SPT)
between the receiver and the source is created without the use of a Rendezvous Point (RP).
Port Monitoring
The Port Monitoring feature allows you to examine packets to and from a specific Ethernet port (either
ingress or egress). You can select to dump captured data to a file, which can be up to 140K. Once a file
is captured, you can FTP it to a Protocol Analyzer or PC for viewing. The OmniSwitch 9000/9000E
supports one session per switch.
By default, the switch will create a data file called pmonitor.enc in flash memory. When the 140K
limit is reached the switch will begin overwriting the data starting with the oldest captured data.
However, you can configure the switch so it will not overwrite the data file. In addition, you can
configure additional port monitoring files as long as you have enough room in flash memory. You
cannot configure port mirroring and port monitoring on the same NI module.
PVST+ Interoperability
The current Alcatel-Lucent 1x1 Spanning Tree mode has been extended to allow all user ports on an
OmniSwitch to transmit and receive either the standard IEEE BPDUs or proprietary PVST+ BPDUs.
An OmniSwitch can simultaneously have ports running in 1x1 mode, when connecting to another
OmniSwitch, and ports running in PVST+ mode.
It is mandatory that all the Cisco switches have the MAC Reduction Mode feature enabled.
Priority values can only be assigned in multiples of 4096 to be compatible with the Cisco
MAC Reduction mode.
The same default path cost mode, long or short, must be configured on all
switches.
Access Control Lists (ACLs). ACLs are a specific type of QoS policy used for Layer 2,
Layer 3/4, and multicast filtering.
Traffic with a classification criterion based on packet contents other than addresses (for
example, based on protocol, priority).
The policy mirror action must specify the same analyzer port for all policies in which the
action is used.
One port-based mirroring session is supported per switch. Note that policy-based and port-based
mirroring are both allowed on the same port at the same time.
Remediation server and exception subnet group. This is a reserved QoS network group,
called alaExceptionSubnet, that is configured with the IP address of a remediation server
and any subnets to which a quarantined client is allowed access. The quarantined client is
redirected to the remediation server to obtain updates and correct its quarantined state.
Remediation server URL. This is the URL for the remediation server. Note that this is done in
addition to specifying the server IP address in the alaExceptionSubnet network group.
Quarantined Page. When a client is quarantined and a remediation server URL is not
configured, QMR can send a Quarantine Page to notify the client of its quarantined state.
HTTP proxy port group. This is a known QoS service group, called alaHTTPProxy, that
specifies the HTTP port to which quarantined client traffic is redirected for remediation. The
default HTTP ports used are TCP 80 and TCP 8080.
Note: Configuring QMR and QoS inner VLAN or inner 802.1p policies is mutually exclusive.
QMR overlays the inner VLAN tag, thus creating a conflict with related QoS policies. This is
also true with QMR and VLAN Stacking services.
QMR is activated when OVQM populates the MAC address group on the LDAP server with quarantined MAC addresses. If VLAN Stacking services or QoS inner VLAN/802.1p policies are configured
on the switch, QMR will not activate.
Note: This feature is designed to work in conjunction with OmniVista's Quarantine Manager
application. Refer to the OmniVista documentation for a detailed overview of the Quarantine
Manager application.
Within OmniVista's Quarantine Manager application, if a MAC is added or removed from the
quarantined group, or when an IP address is added or removed from the IP DA remediation, OmniVista
will trigger the configured switches to perform a recache action. The switches will then query
OmniVista's LDAP database and pull the addresses from the database; these addresses will then be
added or removed from the switch's quarantined or remediation group.
There must not be any physical loop present in the remote port mirroring VLAN.
Spanning Tree must be disabled for the remote port mirroring VLAN.
BPDU mirroring will be disabled by default on all OS9000s with B2 revision ASICs. (Contact
Service and Support to enable)
BPDU mirroring will be enabled by default on all OS9000s with A0/A1 revision ASICs.
Source learning must be disabled or overridden on the ports belonging to the remote port
mirroring VLAN on the intermediate and destination switches.
RIPv1/RIPv2
Routing Information Protocol (RIP) is a widely used Interior Gateway Protocol (IGP) that uses hop
count as its routing metric. RIP-enabled routers update neighboring routers by transmitting a copy of
their own routing table. The RIP routing table uses the most efficient route to a destination, that is, the
route with the fewest hops and longest matching prefix.
The OmniSwitch supports RIP version 1 (RIPv1), RIP version 2 (RIPv2), and RIPv2 that is compatible
with RIPv1. In addition, text key and MD5 authentication, on an interface basis, for RIPv2 is also
supported as well as ECMP for up to 16 paths.
RIPng
The OmniSwitch supports Routing Information Protocol next generation (RIPng) for IPv6 networks.
RIPng is based on RIPv1/RIPv2 and is an Interior Gateway Protocol (IGP) best suited for moderate
sized networks.
Invalid. The amount of time before an active route expires and transitions to the garbage
state.
Garbage. The amount of time an expired route remains in the garbage state before it is
removed from the RIB.
Holddown. The amount of time during which a route remains in the hold-down state.
RMON
Remote Network Monitoring (RMON) is an SNMP protocol used to manage networks remotely.
RMON probes can be used to collect, interpret, and forward statistical data about network traffic from
designated active ports in a LAN segment to an NMS (Network Management System) application for
monitoring and analyzing without negatively impacting network performance. RMON software is fully
integrated in the software to acquire statistical information.
This feature supports basic RMON 4 group implementation in compliance with RFC 2819, including
the Ethernet Statistics, History (Control & Statistics), Alarms, and Events groups.
RRSTP
Ring Rapid Spanning Tree Protocol (RRSTP) is complementary to either the Rapid Spanning Tree
(RSTP) or the Multiple Spanning Tree Protocol (MSTP) but is designed to enhance convergence time
in a ring configuration when a link failure occurs. Note that RRSTP is supported only in a ring
topology where switches are connected point to point. In addition, there can be no alternate
connections for the same instance between any two switches within a ring topology.
RRSTP reduces convergence time by finding the bridge that hosts the alternate (ALT) port and
immediately changing the ALT port state to forwarding without altering the port state. This process
quickly enables the data path. The RRSTP frame travels from the point of failure to the ALT port in
both directions. The MAC addresses corresponding to the ports in the ring are flushed to make the data
path convergence time much faster. While RRSTP is already reacting to the loss of connectivity, the
standard BPDU carrying the information about the link failure is processed in normal fashion at each
hop. When this BPDU reaches the bridge whose ALT port is now in the "ALT FWD" state, due to
RRSTP frame processing, it updates the state of the two ports in the ring as per the STP standard.
RRSTP is only supported when the switch is configured in Flat mode (RRSTP or MSTP).
When used as an SSH Client, the following SSH Software is supported on the indicated operating
systems:
SSH Software
OpenSSH
F-Secure
SSH-Communication
reliability (if one physical server goes down the remaining servers can handle the remaining workload),
and flexibility (you can tailor workload requirements individually to servers within a cluster).
Server Load Balancing - WRR
Enhances the Server Load Balancing to allow for the configuration of a Weighted Round Robin
distribution algorithm. When configured, SLB will distribute traffic according to the relative weight
a server has within an SLB cluster.
sFlow
sFlow is a network monitoring technology that gives visibility to the activity of the network, by
providing network usage information. It provides the data required to effectively control and manage
the network usage. sFlow is a sampling technology that meets the requirements for a network traffic
monitoring solution.
sFlow is a sampling technology embedded within switches/routers. It provides the ability to monitor
the traffic flows. It requires an sFlow agent software process running as part of the switch software and
an sFlow collector, which receives and analyses the monitored data. The sFlow collector makes use of
SNMP to communicate with an sFlow agent in order to configure sFlow monitoring on the device
(switch).
Up to two sFlow receivers can be configured.
SNMP
The Simple Network Management Protocol (SNMP) is an application-layer protocol that allows
communication between SNMP managers and SNMP agents on an IP network. Network administrators
use SNMP to monitor network performance and to solve network problems. SNMP provides an
industry standard communications model used by network administrators to manage and monitor their
network devices. The OmniSwitch supports SNMPv1, SNMPv2, and SNMPv3.
Source Learning
Source Learning builds and maintains the MAC address table on each switch. New MAC address table
entries are created in one of two ways: they are dynamically learned or statically assigned.
Dynamically learned MAC addresses are those that are obtained by the switch when source learning
examines data packets and records the source address and the port and VLAN it was learned on. Static
MAC addresses are user defined addresses that are statically assigned to a port and VLAN.
In addition, Source Learning also tracks MAC address age and removes addresses from the MAC
address table that have aged beyond the configurable aging timer value.
Accessing MAC Address Table entries is useful for managing traffic flow and troubleshooting network
device connectivity problems.
Disable Learning on a per port basis
Provides the option to disable source learning on a per port basis. This feature is only supported on
hardware learning ports and is not supported on mobile ports, LPS ports or Access Guardian ports.
The feature is also supported for Link Aggregation where all ports in the aggregate are set to disable
source learning. Configuration of static MAC addresses on such ports is still allowed.
Disable MAC learning on a per VLAN basis
Provides the option to disable source learning for all the ports of a VLAN. This feature is meant to be
used on a ring topology where a VLAN only contains two ports.
It is recommended to have only 2 ports in a VLAN that has source learning disabled.
Software Rollback
The directory structure inherent in an OmniSwitch switch allows for a switch to return to a previous,
more reliable version of image or configuration files.
Changes made to the configuration file may alter switch functionality. These changes are not saved
unless explicitly done so by the user. If the switch reboots before the configuration file is saved,
changes made to the configuration file prior to the reboot are lost.
Likewise, new image files should be placed in the working (non-certified) directory first. New image
or configuration files can be tested to decide whether they are reliable. Should the configuration or
image files prove to be less reliable than their older counterparts in the certified directory, then the
switch can be rebooted from the certified directory, and rolled back to an earlier version.
Once the contents of the working directory are established as good files, then these files can be saved
to the certified directory and used as the most reliable software to which the switch can be rolled back
in an emergency situation.
Spanning Tree
In addition to the Q2005 version of MSTP, the Alcatel-Lucent Spanning Tree implementation also
provides support for the 802.1w Rapid Spanning Tree Algorithm and Protocol (RSTP) and the 802.1D
Spanning Tree Algorithm and Protocol (STP). All three supported protocols ensure that there is always
only one data path between any two switches for a given Spanning Tree instance to prevent network
loops.
Q2005 (MSTP) is only available when the flat mode is active for the switch. The flat mode applies a
single spanning tree instance across all VLAN port connections on a switch. MSTP allows the
configuration of Multiple Spanning Tree Instances (MSTIs) in addition to the CST instance. Each
MSTI is mapped to a set of VLANs. As a result, flat mode can now support the forwarding of VLAN
traffic over separate data paths.
802.1D STP and 802.1w RSTP are available in both the flat and 1x1 mode. However, when using
802.1D or 802.1w in the flat mode, the single spanning tree instance per switch algorithm applies. Note
that 802.1w is now the default Spanning Tree protocol for the switch regardless of which mode is
active. This default value will apply to future releases as well.
Switch Logging
The Switch Logging feature is designed to provide a high-level event logging mechanism that can be
useful in maintaining and servicing the switch. Switch Logging uses a formatted string mechanism to
process log requests from applications. When a log request is received, Switch Logging verifies
whether the Severity Level included with the request is less than or equal to the Severity Level stored
for the appropriate Application ID. If it is, a log message is generated using the formatting specified by
the log request and placed on the Switch Log Queue, and Switch Logging returns control back to the
calling application. Otherwise, the request is discarded. The default output device is the log file located
in the Flash File System. Other output devices can be configured via Command Line Interface. All log
records generated are copied to all configured output devices.
Command Line Interface can be used to display and configure Switch Logging information. Log
information can be helpful in resolving configuration or authentication issues, as well as general errors.
Text File Configuration
The text file configuration feature allows you to configure the switch using an ASCII-based text file.
You may type CLI commands directly into a text document to create a configuration file. This file
resides in the switch's file system. You can create configuration files in the following ways.
You may create, edit and view a file using a standard text editor (such as Microsoft NotePad)
on a workstation. The resulting configuration file is then uploaded to the switch.
You can invoke the switch's CLI snapshot command to capture the switch's current
configuration into a text file.
You can use the switch's text editor to create or make changes to a configuration file.
provides a unique IP address for the switch that is easily identifiable to network management
applications.
VLANs
One of the main benefits of using VLANs to segment network traffic is that VLAN configuration and
port assignment are handled through switch software. This eliminates the need to physically change a
network device connection or location when adding or removing devices from the VLAN broadcast
domain.
The VLAN management software handles the following VLAN configuration tasks:
Enabling or disabling classification of mobile port traffic by 802.1Q tagged VLAN ID.
Enabling or disabling unique MAC address assignments for each router VLAN defined.
Up to 4094 VLANs for Flat Spanning Tree mode and 252 VLANs for 1x1 Spanning Tree mode are
supported. In addition, it is also possible to specify a range of VLAN IDs when creating or deleting
VLANs and/or configuring VLAN parameters, such as Spanning Tree bridge values.
VRRPv2/VRRPv3
The Virtual Router Redundancy Protocol version 3 (VRRPv3) implementation is based on the latest
Internet-Draft for VRRP for IPv6. VRRP version 2 (VRRPv2) is based on RFC 2338.
Similar to VRRPv2, VRRPv3 is a standard router redundancy protocol that provides redundancy by
eliminating the single point of failure inherent in a default route environment. The VRRPv3 router,
which controls the IPv6 address associated with a virtual router is called the master router, and is
responsible for forwarding virtual router advertisements. If the master router becomes unavailable, the
highest priority backup router will transition to the master state.
Both versions of VRRP allow routers on a LAN to back up a static default route with a virtual router.
VRRP dynamically assigns responsibility for a virtual router to a physical router (VRRP router) on the
LAN. The virtual router is associated with an IP address (or set of IP addresses) on the LAN. A virtual
router master is elected to forward packets for the virtual router's IP address. If the master router
becomes unavailable, the highest priority backup router will transition to the master state.
Authentication is not supported.
In addition, both versions support VRRP Tracking. A virtual router's priority may be conditionally
modified to prevent another router from taking over as master. Tracking policies are used to
conditionally modify the priority setting whenever an IP interface, slot/port, and/or IP address
associated with a virtual router goes down.
VRRPv2 is available on all supported OmniSwitch platforms in this release.
Global VRRP Configuration
The following capabilities for VRRP2 were added:
View or configure default values such as priority, preempt, or advertising interval on all or a
group of VRRP instances.
IE6, IE7, Firefox 2, Firefox 3 for Windows NT, 2000, 2003, XP, Windows Vista
WebView contains modules for configuring all software features in the switch. Configuration and
monitoring pages include context-sensitive on-line help.
SNMP Traps
The following table provides a list of AOS Release 6.4.4.R01 SNMP traps managed by the switch.
No.
Trap Name
Platforms
Description
coldStart
all
warmStart
all
linkDown
all
linkUp
all
authenticationFailure
all
entConfigChange
all
aipAMAPStatusTrap
all
7
8
aipGMAPConflictTrap
policyEventNotification
all
chassisTrapsStr
all
10
chassisTrapsAlert
all
11
12
chassisTrapsStateChange
chassisTrapsMacOverlap
all
all
13
vrrpTrapNewMaster
all
14
15
16
17
18
vrrpTrapAuthFailure
healthMonDeviceTrap
healthMonModuleTrap
healthMonPortTrap
bgpEstablished
all
all
all
all
19
bgpBackwardTransition
all
20
esmDrvTrapDropsLink
all
21
pimNeighborLoss
all
22
dvmrpNeighborLoss
all
23
dvmrpNeighborNotPruning
all
24
risingAlarm
all
25
fallingAlarm
all
26
stpNewRoot
all
27
stpRootPortChange
all
28
29
mirrorConfigError
mirrorUnlikeNi
all
30
slPCAMStatusTrap
all
31
32
33
unused
unused
slbTrapOperStatus
34
ifMauJabberTrap
all
Description
neighbors on the same interface with a lower IP address than itself.
A 2-way adjacency relationship with a neighbor has been lost. This trap is generated when the neighbor state changes from active to one-way, ignoring or down. The trap is sent only when the switch has no other neighbors on the same interface with a lower IP address than itself.
A non-pruning neighbor has been detected in an implementation-dependent manner. This trap is generated at most once per generation ID of the neighbor. For example, it should be generated at the time a neighbor is first heard from if the prune bit is not set. It should also be generated if the local system has the ability to tell that a neighbor which sets the prune bit is not pruning any branches over an extended period of time. The trap should be generated if the router has no other neighbors on the same interface with a lower IP address than itself.
An Ethernet statistical variable has exceeded its rising threshold. The variable's rising threshold and whether it will issue an SNMP trap for this condition are configured by an NMS station running RMON.
An Ethernet statistical variable has dipped below its falling threshold. The variable's falling threshold and whether it will issue an SNMP trap for this condition are configured by an NMS station running RMON.
Sent by a bridge that became the new root of the spanning tree.
A root port has changed for a spanning tree bridge. The root port is the port that offers the lowest cost path from this bridge to the root bridge.
Unsupported.
The mirroring configuration is deleted due to the swapping of different NI board type. The Port Mirroring session which was active on a slot cannot continue with the insertion of different NI type in the same slot.
The trap status of the Layer 2 pseudoCAM for this NI.
No. | Trap Name | Platforms | Description
35 | sessionAuthenticationTrap | all | An authentication failure trap is sent each time a user authentication is refused.
36 | trapAbsorptionTrap | all | The absorption trap is sent when a trap has been absorbed at least once.
37 | alaStackMgrDuplicateSlotTrap | 6400, 6850, 6850E, 6855 | Two or more slots claim to have the same slot number.
38 | alaStackMgrNeighborChangeTrap | 6400, 6850, 6850E, 6855 |
39 | alaStackMgrRoleChangeTrap | 6400, 6850, 6850E, 6855 |
40 | lpsViolationTrap | all |
41 | alaDoSTrap | all |
42 | gmBindRuleViolation | all |
43 | unused | |
44 | unused | |
45 | unused | |
46 | unused | |
47 | pethPsePortOnOff | |
48 | pethPsePortPowerMaintenanceStatus | |
49 | pethMainPowerUsageOn | |
50 | pethMainPowerUsageOff | |
51 | ospfNbrStateChange | all |
52 | ospfVirtNbrStateChange | all |
53 | httpServerDoSAttackTrap | all |
54 | alaStackMgrDuplicateRoleTrap | 6400, 6850, 6850E, 6855 |
55 | alaStackMgrClearedSlotTrap | 6400, 6850, 6850E, 6855 | MgrSlotNINumber will enter the pass through mode because its operational slot was cleared with immediate effect.
56 | alaStackMgrOutOfSlotsTrap | 6400, 6850, 6850E, 6855 | One element of the stack will enter the pass through mode because there are no slot numbers available to be assigned to this element.
57 | alaStackMgrOutOfTokensTrap | 6400, 6850, 6850E, 6855 | The element identified by alaStackMgrSlotNINumber will enter the pass through mode because there are no tokens available to be assigned to this element.
58 | alaStackMgrOutOfPassThruSlotsTrap | 6400, 6850, 6850E, 6855 | There are no pass through slots available to be assigned to an element that is supposed to enter the pass through mode.
59 | gmHwVlanRuleTableOverloadAlert | all | An overload trap occurs whenever a new entry to the hardware VLAN rule table gets dropped due to the overload of the table.
60 | lnkaggAggUp | all | Indicates the link aggregate is active. This trap is sent when any one port of the link aggregate group goes into the attached state.
61 | lnkaggAggDown | all | Indicates the link aggregate is not active. This trap is sent when all ports of the link aggregate group are no longer in the attached state.
62 | lnkaggPortJoin | all | This trap is sent when any given port of the link aggregate group goes to the attached state.
63 | lnkaggPortLeave | all | This trap is sent when any given port detaches from the link aggregate group.
64 | lnkaggPortRemove | all | This trap is sent when any given port of the link aggregate group is removed due to an invalid configuration.
65 | pktDrop | all | The pktDrop trap indicates that the sending agent has dropped certain packets (to blocked IP ports, from spoofed addresses, etc.).
66 | monitorFileWritten | | A File Written Trap is sent when the amount of data requested by the user has been written by the port monitoring instance.
67 | alaVrrp3TrapProtoError | all | Indicates that a TTL, checksum, or version error was encountered upon receipt of a VRRP advertisement.
68 | alaVrrp3TrapNewMaster | all | The SNMP agent has transferred from the backup state to the master state.
69 | gmHwMixModeSubnetRuleTableOverloadAlert | all | A subnet overload trap occurs in mixed mode whenever a new entry to the HW subnet rule table gets dropped due to the overload of the table.
70 | pethPwrSupplyConflict | all | Power supply type conflict trap.
71 | pethPwrSupplyNotSupported | all | Power supply not supported trap.
72 | lpsPortUpAfterLearningWindowExpiredTrap | all | When an LPS port joins or is enabled after the Learning Window is expired, the MAC address learning on the port will be disabled, and this trap is generated as a notification.
73 | vRtrIsisDatabaseOverload | all | This notification is generated when the system enters or leaves the Overload state.
74 | vRtrIsisManualAddressDrops | all | Generated when one of the manual area addresses assigned to this system is ignored when computing routes.
75 | vRtrIsisCorruptedLSPDetected | all | This notification is generated when an LSP that was stored in memory has become corrupted.
76 | vRtrIsisMaxSeqExceedAttempt | all | Generated when the sequence number on an LSP wraps the 32 bit sequence counter.
77 | vRtrIsisIDLenMismatch | all | A notification sent when a PDU is received with a different value of the System ID Length.
78 | vRtrIsisMaxAreaAddrsMismatch | all | A notification sent when a PDU is received with a different value of the Maximum Area Addresses.
79 | vRtrIsisOwnLSPPurge | all | A notification sent when a PDU is received with an OmniSwitch systemID and zero age.
80 | vRtrIsisSequenceNumberSkip | all | When an LSP is received without a System ID and different contents.
81 | vRtrIsisAutTypeFail | all | A notification sent when a PDU is received with the wrong authentication type field.
82 | vRtrIsisAuthFail | all | A notification sent when a PDU is received with an incorrect authentication information field.
83 | vRtrIsisVersionSkew | all | A notification sent when a Hello PDU is received from an IS running a different version of the protocol.
84 | vRtrIsisAreaMismatch | all | A notification sent when a Hello PDU is received from an IS which does not share any area address.
85 | vRtrIsisRejectedAdjacency | all | A notification sent when a Hello PDU is received from an IS, but does not establish an adjacency due to a lack of resources.
86 | vRtrIsisLSPTooLargeToPropagate | all | A notification sent when an attempt is made to propagate an LSP which is larger than the dataLinkBlockSize for a circuit.
87 | vRtrIsisOrigLSPBufSizeMismatch | all | A notification sent when a Level 1 LSP or Level 2 LSP is received which is larger than the local value for the originatingL1LSPBufferSize or originatingL2LSPBufferSize respectively. Also when a Level 1 LSP or Level 2 LSP is received containing the originatingLSPBufferSize option and the value in the PDU option field does not match the local value for originatingL1LSPBufferSize or originatingL2LSPBufferSize respectively.
88 | vRtrIsisProtoSuppMismatch | all | A notification sent when a non-pseudonode segment 0 LSP is received that has no matching protocols supported.
89 | vRtrIsisAdjacencyChange | all | A notification sent when an adjacency changes state, entering or leaving state up. The first 6 bytes of the vRtrIsisTrapLSPID are the SystemID of the adjacent IS.
90 | vRtrIsisCircIdExhausted | all | A notification sent when ISIS cannot be started on a LAN interface because a unique circId could not be assigned due to the exhaustion of the circId space.
91 | vRtrIsisAdjRestartStatusChange | all | A notification sent when an adjacency's graceful restart status changes.
92 | dot1agCfmFaultAlarm | all | A MEP has lost contact with one or more MEPs. A notification (fault alarm) is sent to the management entity with the OID of the MEP that has detected the fault.
93 | Unused | all |
94 | lldpRemTablesChange | all | A lldpRemTablesChange notification is sent when the value of lldpStatsRemTableLastChangeTime changes.
95 | chassisTrapsPossibleDuplicateMac | 6400, 6850, 6850E, 6855 | The old PRIMARY element cannot be detected in the stack. There is a possibility of a duplicate MAC address in the network.
96 | unused | all |
97 | alaPimInvalidRegister | all | An alaPimInvalidRegister notification signifies that an invalid PIM Register message was received by this device.
98 | alaPimInvalidJoinPrune | all | An alaPimInvalidJoinPrune notification signifies that an invalid PIM Join/Prune message was received by this device.
99 | alaPimRPMappingChange | all | An alaPimRPMappingChange notification signifies a change to the active RP mapping on this device.
100 | alaPimInterfaceElection | all | An alaPimInterfaceElection notification signifies that a new DR or DR has been elected on a network.
101 | lpsLearnTrap | all | Generated when an LPS port learns a bridged MAC.
102 | gvrpVlanLimitReachedEvent | all | Generated when the number of VLANs learned dynamically by GVRP has reached a configured limit.
103 | alaNetSecPortTrapAnomaly | all | Trap for an anomaly detected on a port.
104 | alaNetSecPortTrapQuarantine | all | Trap for an anomalous port quarantine.
105 | udldStateChange | all | Generated when the state of the UDLD protocol changes.
106 | healthMonIpcTrap | all | This trap is sent when IPC Pools exceed usage.
107 | bcmHashCollisionTrap | all |
108 | healthMonCpuShutPortTrap | all | This trap is sent when port is shut down because of a CPU spike.
109 | arpMaxLimitReached | all | This IP Trap is sent when the hardware table has reached the maximum number of entries supported. The OS6400 will not generate new ARP request for new nexthops.
110 | ndpMaxLimitReached | all | This IPv6 Trap is sent when the hardware table has reached the maximum number of entries supported. The OS6400 will not generate new ARP request for new nexthops.
111 | ripRouteMaxLimitReached | all | This trap is sent when the RIP database reaches the supported maximum number of entries. When the maximum number is reached, RIP discards any new updates.
112 | ripngRouteMaxLimitReached | all | This trap is sent when the RIPng database reaches the supported maximum number of entries. When the maximum number is reached, RIPng discards any new updates.
113 | aaaHicServerTrap | all | This trap is sent when the HIC server is down.
114 | alaErpRingStateChanged | all | This trap is sent when the ERP Ring State has changed from Idle to Protection.
115 | alaErpRingMultipleRpl | all | This trap is sent when multiple RPLs are detected in the Ring.
116 | alaErpRingRemoved | all | This trap is sent when the Ring is removed dynamically.
117 | e2eGvrpVlanMatch | all | This trap is sent when GVRP receives a registration for a VLAN that is configured for End-to-End Flow Control.
118 | e2eStackTopoChange | all | This trap is sent when the stack topology changes.
119 | dot3OamThresholdEvent | all | This trap is sent when a local or remote threshold crossing event is detected. A local threshold crossing event is detected by the local entity, while a remote threshold crossing event is detected by the reception of an Ethernet OAM Event Notification OAMPDU that indicates a threshold event.
120 | dot3OamNonThresholdEvent | all | This trap is sent when a local or remote non-threshold crossing event is detected. A local event is detected by the local entity, while a remote event is detected by the reception of an Ethernet OAM Event Notification OAMPDU that indicates a non-threshold crossing event.
121 | alaDot3OamThresholdEventClear | all |
122 | alaDot3OamNonThresholdEventClear | all |
123 | ntpMaxAssociation | all |
124 | alaLicenseExpired | 9000E |
125 | vRtrLdpInstanceStateChange | all |
126 | vRtrLdpGroupIdMismatch | all |
127 | mplsXCup | 9000E |
128 | mplsXCdown | 9000E |
129 | vRtrMplsStateChange | 9000E |
130 | vRtrMplsIfStateChange | 9000E |
131 | vRtrMplsLspUp | 9000E |
132 | vRtrMplsLspDown | 9000E |
133 | svcStatusChanged | 9000E |
134 | sapStatusChanged | 9000E |
135 | sdpBindStatusChanged | 9000E |
136 | sdpStatusChanged | 9000E |
137 | sapPortStateChangeProcessed | 9000E |
138 | sdpBindSdpStateChangeProcessed | 9000E |
139 | unused | |
140 | unused | |
141 | unused | |
142 | ddmTemperatureThresholdViolated | all |
143 | ddmVoltageThresholdViolated | all |
144 | ddmCurrentThresholdViolated | all |
145 | ddmTxPowerThresholdViolated | all |
146 | ddmRxPowerThresholdViolated | all |
147 | halHashCollisionTrap | all |
148 | alaLbdStateChangeToShutdown | all |
149 | alaLbdStateChangeForClearViolationA | all |
150 | alaLbdStateChangeForAutoRecovery | all |
151 | pimBsrElectedBSRLostElection | all |
152 | pimBsrCandidateBSRWinElection | all |
153 | alaErpRingPortStatusChanged | all |
154 | lnkaggPortReserve | all |
155 | esmViolationRecoveryTimeout | all |
156 | alaMvrpVlanLimitReachedEvent | all |
157 | alaMvrpE2eVlanConflict | all |
158 | alaDhcpSrvLeaseUtilizationThreshold | all |
159 | alaDhcpClientAddressAddTrap | all |
160 | alaDhcpClientAddressExpiryTrap | all |
161 | alaDhcpClientAddressModifyTrap | all |
162 | alaDyingGaspTrap | all |
163 | alaTestOamTxDoneTrap | all |
164 | alaTestOamRxReadyTrap | all |
165 | alaTestOamTestAbortTrap | all |
166 | Reserved40 | |
167 | Reserved41 | |
168 | alaSaaIPIterationCompleteTrap | all | This trap is sent when an IP SAA iteration is completed.
169 | alaSaaEthIterationCompleteTrap | all | This trap is sent when a Eth-LB or Eth-DMM SAA iteration is completed.
170 | alaSaaMacIterationCompleteTrap | | -
171 | aaaHicServerChangeTrap | all |
172 | aaaHicServerUpTrap | all |
173 | alaLldpTrustViolation | all |
174 | alaStackMgrIncompatibleModeTrap | all |
175 | alaEsmDBChange | all |
176 | alaDHLVlanMoveTrap | all |
177 | esmPortViolation | all |
178 | stpLoopGuardError | all |
179 | stpLoopGuardRecovery | all |
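Several of the traps described above are useful security signals when correlated on the management station. The following added example (not part of the release notes) triages trap events by name, treating trapAbsorptionTrap as a sign that the observed count is only a lower bound. The log line format, switch names, category grouping, window and threshold are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Trap names and meanings come from the trap table in these release notes.
# The grouping, the 60 s window and the threshold of 3 are assumptions.
AUTH_TRAPS = {"sessionAuthenticationTrap", "vRtrIsisAuthFail", "vRtrIsisAutTypeFail"}
IMMEDIATE = {
    "pktDrop": "packets dropped (blocked IP ports, spoofed addresses)",
    "alaNetSecPortTrapAnomaly": "anomaly detected on a port",
    "alaNetSecPortTrapQuarantine": "anomalous port quarantined",
    "stpNewRoot": "a bridge became the new spanning tree root",
    "lpsPortUpAfterLearningWindowExpiredTrap": "LPS port up after learning window",
}
ABSORPTION = "trapAbsorptionTrap"

# Constructed sample input: "<ISO timestamp> <switch> <trap name>".
SAMPLE_LOG = """\
2011-04-12T10:00:01 sw-edge-1 sessionAuthenticationTrap
2011-04-12T10:00:09 sw-edge-1 sessionAuthenticationTrap
2011-04-12T10:00:20 sw-edge-1 sessionAuthenticationTrap
2011-04-12T10:02:00 sw-core-1 linkUp
2011-04-12T10:03:00 sw-core-1 stpNewRoot
2011-04-12T10:05:00 sw-edge-2 sessionAuthenticationTrap
2011-04-12T10:05:10 sw-edge-2 trapAbsorptionTrap
2011-04-12T10:05:30 sw-edge-2 sessionAuthenticationTrap
2011-04-12T10:20:00 sw-edge-3 sessionAuthenticationTrap
2011-04-12T10:30:00 sw-edge-3 sessionAuthenticationTrap
malformed line
"""


def parse_line(line):
    """Return (timestamp, switch, trap), or None if the line does not parse."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2]


def detect(log_text, window_s=60, threshold=3):
    """Return alerts as (timestamp, switch, rule) tuples in time order."""
    window = timedelta(seconds=window_s)
    events = sorted(e for e in map(parse_line, log_text.splitlines()) if e)
    failures = defaultdict(deque)   # switch -> recent auth-failure timestamps
    absorbed_at = {}                # switch -> time of last trapAbsorptionTrap
    alerts = []
    for ts, switch, trap in events:
        if trap == ABSORPTION:
            absorbed_at[switch] = ts
        elif trap in IMMEDIATE:
            # Single occurrences of these traps are worth a look on their own.
            alerts.append((ts.isoformat(), switch, trap))
        elif trap in AUTH_TRAPS:
            recent = failures[switch]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()
            # If the switch reported absorbed traps inside the window, some
            # events were suppressed, so alert one event earlier.
            last_abs = absorbed_at.get(switch)
            absorbed = last_abs is not None and ts - last_abs <= window
            needed = max(threshold - 1, 1) if absorbed else threshold
            if len(recent) >= needed:
                alerts.append((ts.isoformat(), switch, "auth-failure-burst"))
                recent.clear()  # start a fresh burst after alerting
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```
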
Platform
all
OS9000E
all
OS9000E
all
Software Package
base
base
base
base
base
BGP
BFD
Chassis Mac Server
Chassis Supervision
DHCP Relay
Ethernet Interfaces
Flow Control
Hot Swap
Source IP Management
NTP
PIM
Software Feature
QoS
RIP
System
VLANs
VRF
Tunneling L2 Protocols
Unsupported MIBs
The following MIBs are not supported in AOS Release 6.4.4.R01:
Feature | MIB
Quality of Service (QoS) | IETF_P_BRIDGE
Flow Control | AlcatelIND1Port
AlcatelIND1Dot1Q
AlcatelIND1GroupMobility
AlcatelIND1Health
AlcatelIND1Ipms
AlcatelIND1LAG
AlcatelIND1Pcam
MIB Name
AlcatelIND1Port
AlcatelIND1QoS
AlcatelIND1Slb
AlcatelIND1StackManager
AlcatelIND1SystemService
AlcatelIND1VlanManager
AlcatelIND1WebMgt
IEEE_802_1X
IETF_BGP4
IETF_BRIDGE
IETF_ENTITY
IETF_ETHERLIKE
IETF_IF
IETF_IP_FORWARD_MIB
IETF_IPMROUTE_STD
IETF_MAU (RFC 2668)
IETF_OSPF_TRAP
IETF-PIM
IETF_P_BRIDGE
IETF_RIPv2
IETF_RMON
IETF_SNMP_USER_BASED_SM (RFC 2574)
IETF_SNMP_VIEW_BASED_ACM (RFC 2575)
SWITCH MANAGEMENT
SNMP
PR | Description | Workaround
157020 | PoE connect and disconnect traps are received only on the initial disconnect. Subsequent disconnects do not generate a trap. | There is no known workaround at this time.
LAYER 2
Ethernet OAM
PR | Description | Workaround
156081 | efm-oam l1-ping does not work with dynamic link aggregation ports. | Configure static link aggregation ports.
152732
Description
If port 1/1 is configured as part of a Dual-Home Link
Aggregate (Active-Active), either as a physical port or part
of a link aggregate, the default VLAN cannot be changed on
any other port in the switch.
After removing VLANs using the 'no vlan' command the
VLANs are not removed from the Dual-home Link vlanmap.
Workaround
Do not configure port 1/1 as part of
a Dual-Home Link Aggregate
(Active-Active).
Manually remove the VLANs from
the DHL configuration
LLDP
PR | Description | Workaround
153023 | In some circumstances an LLDP port may be moved to the "violation" state before the default violation timer interval of (3 * LLDP transmit interval). | There is no known workaround at this time.
153696 | If a port is operationally down or LLDP trust-agent is disabled the state of the port displays as "TRUSTED". | There is no known workaround at this time.
Source Learning
PR
152080
152082
Description
Workaround
LAYER 3
BGP
PR | Description | Workaround
156500 | Unable to ping IPv6 neighbor after entering 'no ip bgp bestpath med missing-as-worst' command and resetting the ports. | There is no known workaround at this time.
Security
Access Guardian
PR
Description
157990
157480
157739
Workaround
Re-enter the command using the
new CLI parameter:
-> port-security <slot/port> admin-status enable
Port Mirroring/Monitoring
PR | Description | Workaround
151905 | On an OmniSwitch 9000E when port monitoring is configured on an egress port only the unmodified ingress BOOTP/DHCP unicast routed packets will be monitored if DHCP relay is not configured. | Use port mirroring.
111029
113928
138770
143071
Description
Temporary traffic loops could happen under the following
scenarios:
1. Reloading of a non root bridge. This happens when the
bridge is going down and is due to the sequential bringing
down of NIs during a reload process. It is purely temporary in
nature and stops when all the NIs eventually get powered off.
2. NI power down: When an NI power down command is
executed for an NI and if that NI has the Root port and
other NIs have Alternate ports, it is possible to see some traffic
looping back from the newly elected Root port. The traffic loop
back is temporary and will stop once the NI gets powered off.
3. New Root bridge selection: Temporary loops could occur
during the process of electing a new Root bridge, if this
election process is triggered by the assignment of a worse priority
for the existing root bridge or a root bridge failure. This
happens due to the inconsistent spanning tree topology during
the convergence and stops entirely once the network converges.
The 'show mac-address-table count' command may not display
the correct number of learned MAC entries for link aggregation
ports after an STP event.
After a MAC movement due to a new mobility rule match the
entry may still be displayed with the previous information.
In a stacked environment on a takeover where the NI is reset,
the polling frame from the switch does not reach the
supplicant.
Sometimes an AVLAN MAC address doesn't get removed
from the CLI display when using the 'show mac-address-table'
command.
145589
145667
Workaround
For items 1 and 2 above there is no workaround presently. For item 3 the following workaround could be
applied: 1. Tune the max age (and/or max hops in the case of MSTP) parameter to a lower value that is
optimal for the network. This will reduce the convergence time and thereby the duration of temporary
loops. 2. To select a new root bridge, consider assigning better priority for that bridge instead of
assigning worse priority for the existing root bridge.
Manual invocation of failover (by user command or Primary pull) should only be done during times
when traffic loads are minimal.
Hot standby redundancy or failover to a secondary CMM without significant loss of traffic is only
supported if the secondary is fully flash synchronized with the contents of the primary's flash.
Hot standby redundancy or failover to a secondary module without significant loss of traffic is only
supported if all the remaining units in the stack are fully flash synchronized with the contents of the
primary's flash.
Failover/Redundancy is not supported when the primary and secondary CMMs are not synchronized
(i.e., unsaved configs, different images etc.). In this case, upon failover, all the NIs will reset and might
go to "down" state; to recover, power down the switch and power it back up.
Primary and Redundant power supplies must be of the same type. For example, having a primary
510W power supply with a redundant 360W power supply is not supported.
Hot swap of NIs needs to be preceded by the removal of all cables connected to the NI.
The reload ni command is not supported. Please use no power ni/power ni as an alternative.
All insertions of NI modules cannot be followed by another hot swap activity until the OK2 LED on
the inserted NI blinks green.
When removing modules from the stack (powering off the module and/or pulling out its stacking
cables), the loop back stacking cable must be present at all times to guarantee redundancy. If a module
is removed from the stack, rearrange the stacking cables to establish the loopback before attempting to
remove a second unit.
When inserting a new module in the stack, the loop back has to be broken. Full redundancy is not guaranteed until the loop back is restored.
All removals of NI modules must have a 30 second interval before initiating another hot swap activity.
All insertions of NI modules must have a 3 minute interval before initiating another hot swap activity.
All hot swaps of CMM modules must have a 10 minute interval before initiating another hot swap,
reload or takeover activity.
All takeovers must have a 10 minute interval before following with another hot swap, reload or takeover activity.
All insertions of stack elements must be done one at a time and the inserted element must be fully
integrated and operational as part of the stack before inserting another element.
Technical Support
Alcatel-Lucent technical support is committed to resolving our customers' technical issues in a timely
manner. Customers with inquiries should contact us at:
Region | Phone Number
North America | 800-995-2696
Latin America | 877-919-9526
Europe | +33-38-855-6929
Asia Pacific | +65 6240 8484
Email: esd.support@alcatel-lucent.com
Web: service.esd.alcatel-lucent.com
Internet: Customers with Alcatel-Lucent service agreements may open cases 24 hours a day via
Alcatel-Lucent's support web page at: service.esd.alcatel-lucent.com.
Upon opening a case, customers will receive a case number and may review, update, or escalate
support cases on-line. Please specify the severity level of the issue per the definitions below. For fastest
resolution, please have telnet or dial-in access, hardware configuration (module type and revision by
slot), software revision, and configuration file available for each switch.
Severity 1: Production network is down resulting in critical impact on business; no workaround
available.
Severity 2: Segment or Ring is down or intermittent loss of connectivity across network.
Severity 3: Network performance is slow or impaired; no loss of connectivity or data.
Severity 4: Information or assistance on product feature, functionality, configuration, or installation.