Configuring the switch through command line interface (CLI)
The IP8800/S3640-48T2XW and IP8800/S3640-24T2XW are the two models of NEC switch that support OpenFlow. "Smart" switches like the IP8800 must be configured via a command line before they can be used.
As of now, this is just a conglomeration of facts and hints on how to configure the 48-port IP8800/S3640-48T2XW. Before we begin, here are the assumptions that are made throughout these pages:
- You are running/know how to get around Linux (We are, for the most part, using Ubuntu unless specified)
- You are using the NEC IP8800/S3640-48T2XW switch.
- You know network models (e.g. TCP/IP, OSI)
- The NEC manuals can be found here: http://www.nec.co.jp/ip88n/02.html#manual04
Section I: The Basics
If you are unfamiliar with "smart" switches or how to configure them, this is the place to start. This section covers the following:
- Using the serial connection to log in
- User modes and contexts
  - config modes and contexts defined
  - powering the switch off (properly)
  - available commands / help pages
  - switching contexts and autocompletion (a remark)
- Setting up Telnet
  - Using it
- VLANs and interface VLANs
  - VLANs and interface VLANs defined
  - steps - creating VLANs / interface VLANs
  - configuring trunking
- Ports as seen from the switch
  - setting port speed
These correspond very roughly to NEC Configuration Guide vol 1 : http://www.nec.co.jp/ip88n/s36_sw/html/cfguide/index.html
1. Using serial to log in (Logging into the switch for the first time.)
Out of the box, the switches are not configured for Telnet. In this case, you need to log into the switch using the serial port, which uses a standard RS-232 cable. You'll also need software on your PC to establish a serial connection. Kermit is the recommended choice; its default settings allow you to connect without changing anything.
- Name your switch. People names are easier to remember than IP addresses or machine-like names (e.g. as01-hh-alex), and are easier to use in discussion if everyone agrees on names. Note, the names Bob, Nancy, and Andy are already taken.
- Install kermit. If not already installed on your box, the Debian package for kermit is ckermit, and can be easily installed with apt-get.
- Establish a connection. Connect your PC to the port labeled "console" on the switch using the RS-232 cable, and issue the following commands as root:
$ kermit
C-Kermit>set line /dev/ttyS0
C-Kermit>set carrier-watch off
C-Kermit>connect
Or, you can use the shorthand one-liner:
kermit -l /dev/ttyS0 connect
You should then see something like below:
Connecting to /dev/ttyS0, speed 0
Escape character: Ctrl-\ (ASCII 28, FS): enabled
Type the escape character followed by C to get back,
or followed by ? to see other options.
----------------------------------------------------
login:
If the login prompt doesn't come up, hitting the enter key should bring it up. The default username is "operator", and the password is blank. Once logged in, you will be brought to the CLI (command line interface). Commands are entered at the ">" prompt.
login: operator
Copyright (c) 2005-2008 ALAXALA Networks Corporation. All rights reserved.
>
Ctrl-\ q ends the kermit session. The command "logout" will just log you out of the switch, but will not end the kermit session.
Troubleshooting serial connections
- Make sure you are root when you start up kermit.
- Kermit will balk if you try to log in while there is a session going on. Make sure that no one else is logged in via serial, and that you haven't forgotten to log out during a previous session.
- If you get a message like this with the one-liner kermit -l /dev/ttyS0:
?Carrier required but not detected.
***********************************
Hint: To CONNECT to a serial device that is not presenting the Carrier Detect signal, first tell C-Kermit to:
SET CARRIER-WATCH OFF
***********************************
then type the commands given above (in lowercase).
- If, for some reason, you can't use kermit or have to configure the settings for your serial connection, use the following settings:
  * speed: 9600
  * data bits: 8
  * stop bits: 1
  * flow control: none
  * parity: none
Note, we have found that minicom doesn't seem to work too well with the switches. If you get it to work, please note it!
2. User modes and contexts
Super user mode. As with Cisco switches, you must be in privileged mode to make any configuration changes on the switch (or see the full list of commands). The magic word is "enable".
> ena        <<--- whole command is 'enable'; the switch autocompletes commands
#
Configuration mode and contexts. All configurations, from port speed to the MoTD banner, are done from the configuration prompt. The command "configure" brings you to the prompt, which looks like this:
# config
(config)#
Here, typing different sets of commands brings you to different configuration modes specific to the feature you are trying to modify. The commands that bring you to the specialized modes are called "contexts," and typing them is called "entering a context." Some contexts we want to focus on are:
- vlan n - create/configure standard VLANs, n being the VLAN ID (some number)
- interface vlan n - create/configure a virtual interface with both Layer 2 and Layer 3 characteristics
- interface gigabitethernet 0/n - configure a specific port, n being a number between 1 and 48
- line <vty|console> <range> - configure telnet or console parameters, respectively (for vty, the range of virtual terminals to configure)
Don't worry if these don't make sense now; the meaning of each context will be explained as we introduce it.
As the example below shows, when you enter a context the prompt becomes "(config-if)#". Note, however, that this prompt doesn't indicate which context you are in (i.e. which port you are setting up, which VLAN, etc.); you just have to keep track of what you are doing.
(config)# interface vlan 8        <<--- start by entering the 'interface vlan' context
!(config-if)#
!(config-if)# interface gi 0/3    <<--- switch to the 'interface gigabitethernet' context
!(config-if)#                     <<--- note how the prompt still shows "config-if"
If you forget where you were in a context (i.e. which VLAN you were configuring, etc.), typing "show" will display all of the configuration saved for that specific context (hopefully giving you enough information to recall what you were trying to configure).
(config-if)# show
interface gigabitethernet 0/27
  switchport mode access
  switchport access vlan 4
!
When you make changes to the configuration (e.g. create VLAN interfaces as in this example), you will see a "!" before the prompt. This is there to remind you that you've made changes that must be saved if you want them to survive a reboot. The command "save" intuitively saves the settings.
Exiting / logging off.
The command "exit" lets you leave a context or enabled mode, or logs you out of the switch if you were in user mode.
!(config-if)# save
(config-if)# exit
(config)# exit
#
Shutting down the switch. Only shut the switch off after all users log off (shutting down the switch while someone's configuring it can break files). Use command "reload stop", then flip the power switch on the back of the device.
Finding help/ Some tips.
Using the built-in help functionalities.
Like with Cisco switches, typing "?" at the prompt will list the available commands along with a brief summary. If you are in a certain context, typing "?" will show you the configuration options available for that context.
switching contexts and autocompletion
From the initial configuration prompt, you can let the switch autocomplete contexts. For example:
sw-sb09(config)# int gi 0/34       <<-- instead of "interface gigabitethernet 0/34"
sw-sb09(config-if)#
However, if you are already in a context, and you want to switch to another context, you must type the first word in full, or else the switch will throw an error:
sw-sb09(config-if)# int gi 0/35
int gi 0/35
    ^
% illegal parameter at '^' marker
sw-sb09(config-if)# interface gi 0/35
sw-sb09(config-if)#
3. Setting up Telnet
Setting up telnet on the switch requires several steps that involve a few contexts. The steps can be outlined as the following:
- Create a VLAN for telnet via the "vlan" context. For clarity (and good practice), we name our VLAN "telnet" so we know what it's used for.
(config)# vlan 4
!(config-vlan)# name "telnet"
!(config-vlan)# exit
!(config)#
- Assign an IP address to the VLAN.
!(config)# interface vlan 4
!(config-if)# ip address 192.168.10.1 255.255.255.0
!(config-if)# exit
!(config)#
- Enable telnet logins to the switch. The "line vty" context allows you to do this. The numbers following the context denote the range of virtual terminals that the users have access to for telnet. Here, vty 0-2 can be used, meaning 3 users can simultaneously telnet into the switch.
!(config)# line vty 0 2
!(config-line)# exit
!(config)#
Once you've set up telnet on your switch, you can access the switch with the IP address you've assigned it during step 2 above. So for this switch you would issue the following command from your terminal:
$ telnet 192.168.10.1
The username and password at the telnet login prompt are the same as for the serial console.
4. Creating and configuring VLANs and interface VLANs
Here we cover the VLAN and interface VLAN in greater detail. You should be familiar with the following before going through this section or on to configuration:
- classic VLANs - http://en.wikipedia.org/wiki/Virtual_LAN
- tagging/trunking - http://en.wikipedia.org/wiki/IEEE_802.1Q
- native VLANs -
In the context of switching, VLANs tie Layer 1 with Layer 2 by assigning each port a VLAN. A host connected to a port assigned to VLAN n will become a member of that VLAN. The VLANs on a switch can be seen with the command "show vlan" under enabled (super user) mode:
sw-sb09# sh vlan
Date 2010/01/20 03:12:01 UTC
VLAN counts:6
VLAN tunneling enabled
VLAN ID:1  Type:Port based  Status:Up
  Learning:On  Tag-Translation:
  BPDU Forwarding:  EAPOL Forwarding:
  Router Interface Name:VLAN0001
  IP Address:172.16.19.253/16        <<--- IP address of VLAN interface
  Source MAC address: 0012.e2c8.1f9c(System)
  Description:Network
  Spanning Tree:
  AXRP RING ID:  AXRP VLAN group:
  GSRP ID:  GSRP VLAN group:
  L3:
  IGMP snooping:  MLD snooping:
  Untagged(10)  :0/39-48
VLAN ID:3  Type:Port based  Status:Up
...
In addition to the classic VLANs, the IP8800 also allows you to assign IP addresses and subnets to VLANs as if they are IP Layer constructs. These L2/L3 conglomerates are referred to as "interface VLANs", and give the switch extra functionality that would otherwise only be found in higher-layer devices.
Interface VLANs are also important because they provide a means to interact with a Layer 2 device (the switch) using Layer 3 means (IP). For example, the IP address used to uniquely identify each switch on the network is assigned to the switch via an interface VLAN.
Creating VLANs and Interface VLANs
The following steps outline the general configuration of VLANs and interface VLANs through the CLI.
- Creating VLANs. Entering the "vlan n" context creates a new VLAN when VLAN n doesn't exist already. Here we create VLAN 3, and name it "CM".
(config)# vlan 3
!(config-vlan)# name "CM"
!(config-vlan)# exit
Many VLANs can be created at once by denoting a range of VLANs when entering a context:
(config)# vlan 1-8        <<-- create 8 VLANs numbered 1 through 8
!(config-vlan)#
This cannot be done with interface VLANs (see step 3 for details and caveats)
- Associate ports. A VLAN is fairly useless without hosts. Hosts become part of a VLAN if they are connected to a port associated with it. By default, all ports on the IP8800 are associated with VLAN 1, so you must specify manually which ports are associated with which VLAN. Here we associate port 0/25 with the VLAN we just created.
(config)# int gi 0/25
(config-if)# switchport mode access
(config-if)# swi acc vlan 3        <<-- full command is "switchport access vlan 3"
(config-if)# exit
- "switchport mode access" means that the port only has access to the VLAN 3 that exists on the local switch (no trunking; see the next section)
- "switchport access vlan 3" means that this port has access to VLAN 3
As with the VLANs, we can configure more than one port at a time using the "interface range" context. For example, to configure ports 1-4 and 30 at once:
sw-sb09(config)# int range gigabitethernet 0/1-4, gigabitethernet 0/30
sw-sb09(config-if-range)#
Note how the prompt becomes "(config-if-range)" in this case. The exact same sets of commands apply to this context as for the single-port context.
- Configure the interface VLAN. If we need an IP address or some other higher-layer characteristic associated with our VLAN, we create an interface VLAN of the same VLAN ID (number) as the VLAN, and configure it. So, to assign an IP address to VLAN 3:
(config)# interface vlan 3
!(config-if)# ip address 172.16.100.10 255.255.255.0
!(config-if)# exit
!(config)#
When the "interface vlan" context is entered for a VLAN ID that the switch doesn't know about, a new interface VLAN and a VLAN of that ID are created automatically. But, as stated before, the "interface range vlan" context cannot be used to create multiple interface VLANs at once; it is used to configure multiple interface VLANs at once, provided that the range of VLAN IDs already exists on the switch. Hence, if we want to configure multiple interface VLANs at once, we must first create the VLANs using the "vlan <range>" context.
With the "access mode" ports in the previous section, VLANs on different but connected switches would be treated as different VLANs despite having the same VLAN ID. In order to allow the two same-ID VLANs to communicate with one another, we need to 1) set up trunking between the two switches, and 2) enable "dot1q tunneling" on the ports.
- Configure the trunk port. Say that ports 0/45-48 are trunk ports (Remember, if you are just configuring one port, you can always use the singular "interface gigabitethernet" context.):
!(config-if)# interface range gi 0/45-48
!(config-if-range)# switchport mode trunk
!(config-if-range)# switchport trunk allowed vlan 3,27,28
- "interface range gi 0/45-48" - configure all four ports at once with "interface range" context
- "switchport mode trunk" - make the ports trunk ports
- "switchport trunk allowed vlan 3,27,28" - allow the trunk to only carry frames from VLANs 3,27,or 28 (frames from these VLANs will get tagged)
Some extensions of the "switchport trunk allowed" context. Without these sub-contexts you'd have to redo the whole "switchport trunk allowed vlan" list each time you need to add or remove VLANs from the allowed list.
First off, as per the switch's help output:
sw-sb09(config-if-range)# switchport trunk allowed vlan ?
  <vlan id list>   <List style>. 1 to 4094. ex. "10-20", "30,40"
  add              add the VLANs to use this port
  remove           remove the VLANs to use these port
- "switchport trunk ... vlan add <VLAN IDs>" - add VLANs to your current list
- "switchport trunk ... vlan remove <VLAN IDs>" - remove VLANs from your current list
- Associate the trunk with a native VLAN. Native VLANs allow hosts that do not understand VLAN tagging to function on a network implementing trunking (IEEE 802.1Q). In the context of the switch, the native VLAN is much like a trunk-port version of an interface VLAN: it essentially assigns an IP address and VLAN to the switch's trunk port(s), and provides a means to transport untagged frames on the trunk.
!(config-if-range)# switchport trunk native vlan 1
- "switchport trunk native vlan 1" - make VLAN 1 the native VLAN for trunk port 0/48 (any frames from VLAN 1 will pass through the trunk untagged)
By the way, this is the configuration for interface VLAN 1, which should be done ahead of time:
(config-vlan)# interface vlan 1
(config-if)# ip address 172.16.19.253 255.255.0.0
…And that's it for the trunks. If you now go into a context for one of your trunk ports and do a "show", your configurations should look like this:
!(config-if-range)# interface gi 0/48
!(config-if)# show
interface gigabitethernet 0/48
  switchport mode trunk
  switchport trunk allowed vlan 1,3,27-28
  switchport trunk native vlan 1
- Configure the ports associated with the trunked VLANs. The steps are same as configuring the ports for regular VLANs, except instead of "switchport mode access" we specify "switchport mode dot1q-tunnel" in this case:
(config)# int ran gi 0/13-22
(config-if-range)# sw mo dot1q-tunnel
!(config-if-range)# sw acc vlan 3
!(config-if-range)# save        <<<----- VERY important if you want the configuration saved!
…error messages, undoing configs, etc. to come here
5. Port configurations
While we have been mentioning ports perpetually via contexts, this section covers them in deeper detail.
ports as seen by the switch
By configuring the ports, you can control physical layer properties of the switch e.g. port speed, whether it is full or half duplex, and whether the port is up or down.
There are 48 RJ-45 (Ethernet) 1 Gbps ports and two sockets for GBICs (10 Gbps fiber links) on the switch. The switch identifies the ports by giving them unique names based on their speed and location. RJ-45 ports are geth0/1 through geth0/48, and the GBICs are tengeth0/49 and 0/50.
The command "show port status" can be used to see this:
sw-sb09> sh po st
Date 2010/01/18 05:44:23 UTC
Port Counts: 50
Port  Name          Status  T/R  All packets  Multicast  Broadcast  Discard
0/ 1  geth0/1       up      Tx   950638       581        437112     0
                            Rx   83404        0          2376       0
0/ 2  geth0/2       up      Tx   948981       581        437196     0
                            Rx   81580        0          2292       0
0/ 3  geth0/3       up      Tx   948982       581        437194     0
                            Rx   81584        0          2294       2
...
0/47  geth0/47      down    Tx   0            0          0          0
                            Rx   0            0          0          0
0/48  geth0/48      up      Tx   281248       10         6975       0
                            Rx   4358554      3135424    481238     0
0/49  tengeth0/49   down    Tx   0            0          0          0
                            Rx   0            0          0          0
0/50  tengeth0/50   down    Tx   0            0          0          0
                            Rx   0            0          0          0
The ports are numbered beginning at the top left RJ-45 at 0/1 and ending at the lower right port at 0/48. If you look at the front of the switch you can see that they are labeled above the link lights of each pair of ports.
By default, the switch autonegotiates. You can change this by going into configuration mode for each port and changing the settings.
- Shut port(s) to configure down. Shutting the ports down before configuring them allows the changes to take immediate effect upon bringing them back up.
sw-sb09(config)# interface gi 0/13
sw-sb09(config-if)# shutdown
!sw-sb09(config-if)# 02/06 03:35:48 E3 PORT GigabitEthernet0/13 25011100 1350:000000000000 Port disabled administratively.
It is normal to see an output message when you take down ports.
- Set speed. The sub-context "speed" allows you to configure the port speed. The syntax is the following:
- speed auto [10|100|1000] - autonegotiate. If a speed is specified, the port will be shut down by the switch if the host refuses to negotiate to the set speed.
- speed [10|100|1000] - force the port to run at a specific speed, with no autonegotiation
where the numbers denote Mbps. Here, we configure the port to run at 1000 Mbps (1 Gbps), and bring it back up:
!sw-sb09(config-if)# speed auto 1000
!sw-sb09(config-if)# no shutdown
Section II: Access Lists and SNMP
Assuming you haven't broken your switch, now you are ready to do fancier things. This section will explain how to configure access control lists (ACLs) to secure your device, and determine who gets to use Simple Network Management Protocol (SNMP) to look up and change information on your switch.
ACLs (Access Control Lists)
ACLs keep your switch secure by setting permissions about who can access the CLI. These permissions are set based on IP addresses. The ACL is basically a list of IP address blocks paired with group names stating which IP address blocks are able to communicate with the switch. Access Lists are manipulated using the "access-list" context.
For an explanation of SNMP: http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
In the IP8800 guide: http://www.nec.co.jp/ip88n/s36_sw/html/cfguide2/index.html
MIB references: http://www.alvestrand.no/objectid/
Configuring the IP8800
SNMP (Simple Network Management Protocol) is not enabled by default; you must create an access list of the IP addresses that are allowed to query the switch as a manager device. In this case, an ACL is created for all the interfaces of SB9, eth1:
!sw-sb09(config)# access-list 1 permit 10.19.0.10 0.0.0.0
!sw-sb09(config)# access-list 1 permit 192.168.100.28 0.0.0.0
!sw-sb09(config)# access-list 1 permit 192.168.1.28 0.0.0.0
!sw-sb09(config)# access-list 1 permit 172.16.100.1 0.0.0.0
!sw-sb09(config)# sh access-list
access-list 1 10 permit host 10.19.0.10
access-list 1 20 permit host 192.168.100.28
access-list 1 30 permit host 192.168.1.28
access-list 1 40 permit host 172.16.100.1
To add a block of IP addresses to the ACL, you need the starting IP address and the wildcard mask (the range of host addresses covered) for that block. To add the Network VLAN subnet to the ACL:
access-list 1 50 permit 172.16.0.1 0.0.255.255
To include it in the SNMP access list, use the following command:
sw-sb09(config)# snmp-server community "NET" rw 1
where "NET" is the group name, "rw" - read/write, as opposed to "ro", read-only, and "1" is the access list allowed.
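Because the access list bound to an "rw" community decides who may change the switch's configuration over SNMP, it is worth checking offline exactly which source addresses the list admits before binding it. The following Python checker is an added example, not code from the guide or from NEC's firmware: it parses the two entry forms shown above (the "host" form and the address/wildcard form), applies wildcard-mask matching, and uses the first-match, implicit-deny rule assumed here.

```python
"""Offline evaluator for IP8800-style standard access-list entries.

Added example (not NEC code). Wildcard semantics: a 1 bit in the wildcard
means "don't care", so 0.0.0.0 matches one host and 0.0.255.255 a /16.
"""
import ipaddress
import re

# Constructed sample: the four entries from the guide's "sh access-list"
# output plus the Network VLAN subnet entry added afterwards.
SAMPLE_ACL = """\
access-list 1 10 permit host 10.19.0.10
access-list 1 20 permit host 192.168.100.28
access-list 1 30 permit host 192.168.1.28
access-list 1 40 permit host 172.16.100.1
access-list 1 50 permit 172.16.0.1 0.0.255.255
"""

ENTRY_RE = re.compile(
    r"^access-list\s+(?P<list>\d+)\s+(?:(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+"
    r"(?:host\s+(?P<host>\S+)|(?P<addr>\S+)\s+(?P<wild>\S+))\s*$"
)


def parse_acl(text):
    """Return (seq, action, base_int, wildcard_int) tuples in file order.

    Entries typed without a sequence number (as in the guide's input lines)
    are numbered 10, 20, ... in the order they appear, mirroring the output.
    """
    entries = []
    for n, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: unrecognised entry: {line!r}")
        if m.group("host"):
            base, wild = int(ipaddress.IPv4Address(m.group("host"))), 0
        else:
            base = int(ipaddress.IPv4Address(m.group("addr")))
            wild = int(ipaddress.IPv4Address(m.group("wild")))
        seq = int(m.group("seq")) if m.group("seq") else n * 10
        entries.append((seq, m.group("action"), base, wild))
    return entries


def matches(entry, addr):
    """True when addr agrees with the entry's base on every 'care' bit."""
    _, _, base, wild = entry
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def evaluate(entries, addr):
    """First matching entry (by sequence) decides; no match is a deny."""
    for entry in sorted(entries, key=lambda e: e[0]):
        if matches(entry, addr):
            return entry[1] == "permit", entry[0]
    return False, None


def covered_hosts(entry):
    """Number of addresses an entry admits: 2 ** popcount(wildcard)."""
    return 1 << bin(entry[3]).count("1")
```

Running evaluate() over the addresses you expect to be managers, and covered_hosts() over each entry, shows at a glance whether a wildcard such as 0.0.255.255 opens the community to far more hosts than intended.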
Accessing MIBs on the IP8800
Accessing it through the switch itself is easy enough:
sw-sb09# snmp walk 1.3.6.1.2.1.1
Name: sysDescr.0
Value: ALAXALA AX3640S AX-3640-48T2XW-L [AX3640S-48T2XW] Switching software Ver. 10.7 [OS-L3L]
Name: sysObjectID.0
Value: ax3640s
Name: sysUpTime.0
Value: 25724205
Name: sysContact.0
Value:
Name: sysName.0
Value: sw-sb09
Name: sysLocation.0
Value:
Name: sysServices.0
Value: 78