Common configuration tasks
This section describes common configuration tasks.
Configuring ports
*A:7210SAS_duth>config>port# info detail
----------------------------------------------
description "10/100/Gig Ethernet TX"
access
egress
pool default
resv-cbs default
slope-policy "default"
exit
exit
exit
network
egress
pool default
no amber-alarm-threshold
no red-alarm-threshold
resv-cbs default
slope-policy "default"
exit
exit
exit
----------------------------------------------
*A:7210_SAS_duth>config>port#
Configuring Ethernet port parameters
This section describes Ethernet port configuration.
Ethernet network port
A network port is network-facing and participates in the service provider transport or infrastructure network processes.
The following is a sample network port configuration output.
A:ALA-B>config>port# info
----------------------------------------------
description "Ethernet network port"
ethernet
mode network
exit
no shutdown
----------------------------------------------
A:ALA-B>config>port#
Ethernet access-uplink port
Access-uplink ports are network-facing and transport customer services. Only QinQ encapsulation can be used.
The following is a sample access-uplink port configuration output.
A:ALA-B>config>port# info
----------------------------------------------
description "Ethernet network port"
ethernet
mode access uplink
exit
no shutdown
----------------------------------------------
A:ALA-B>config>port#
Ethernet access port
Services are configured on access ports used for customer-facing traffic. If a SAP is to be configured on a port, it must be configured in access mode. When a port is configured for access mode, the appropriate encapsulation type can be specified to distinguish the services on the port. When a port has been configured for access mode, multiple services may be configured on the port.
The following is a sample Ethernet access port configuration output.
*A:7210-SAS>config>port# info
----------------------------------------------
ethernet
mode access
access
egress
exit
ingress
exit
exit
encap-type dot1q
mtu 9212
exit
no shutdown
----------------------------------------------
*A:7210-SAS>
Configuring 802.1x authentication port parameters
The following is a sample 802.1x port configuration output.
A:ALA-A>config>port>ethernet>dot1x# info detail
----------------------------------------------
port-control auto
radius-plcy dot1xpolicy
re-authentication
re-auth-period 3600
max-auth-req 2
transmit-period 30
quiet-period 60
supplicant-timeout 30
server-timeout 30
----------------------------------------------
Configuring MAC authentication port parameters
MAC authentication is only supported on 7210 SAS-Mxp, 7210 SAS-R6, 7210 SAS-Sx/S 1/10GE, and 7210 SAS-T.
The 7210 SAS supports a fallback MAC authentication mechanism for client devices (for example, PCs and cameras) on an Ethernet network that do not support 802.1x EAP.
MAC authentication provides protection against unauthorized access by forcing the device connected to the 7210 SAS to have its MAC address authenticated by a RADIUS server before the device is able to transmit packets through the 7210 SAS.
Use the following CLI syntax to configure MAC authentication for an Ethernet port.
port port-id ethernet
dot1x
mac-auth
mac-auth-wait seconds
port-control auto
quiet-period seconds
radius-plcy name
The following example shows the command usage to configure MAC authentication for an Ethernet port.
config# port 1/1/2 ethernet dot1x
config>port>ethernet>dot1x# mac-auth
config>port>ethernet>dot1x# mac-auth-wait 20
config>port>ethernet>dot1x# port-control auto
config>port>ethernet>dot1x# quiet-period 60
config>port>ethernet>dot1x# radius-plcy dot1xpolicy
Port configuration output
Use the info detail command to display port configuration information.
SAS-T>config>port>ethernet>dot1x# info detail
----------------------------------------------
port-control auto
radius-plcy dot1xpolicy
re-authentication
re-auth-period 3600
max-auth-req 2
transmit-period 30
quiet-period 60
supplicant-timeout 30
server-timeout 30
mac-auth
mac-auth-wait 20
----------------------------------------------
SAS-T>config>port>ethernet>dot1x#
Configuring VLAN authentication port parameters
VLAN authentication is only supported on 7210 SAS-Mxp, 7210 SAS-R6, 7210 SAS-Sx/S 1/10GE, and 7210 SAS-T.
The 7210 SAS supports VLAN authentication for client devices (for example, PCs and STBs) on an Ethernet network.
VLAN authentication provides protection against unauthorized access by forcing the device connected to the 7210 SAS to be authenticated by a RADIUS server before the device is able to transmit packets through the 7210 SAS.
Use the following CLI syntax to configure VLAN authentication for an Ethernet port.
port port-id ethernet
dot1x
vlan-auth
port-control auto
quiet-period seconds
radius-plcy name
The following example shows the command usage to configure VLAN authentication for an Ethernet port.
config# port 1/1/2 ethernet dot1x
config>port>ethernet>dot1x# vlan-auth
config>port>ethernet>dot1x# port-control auto
config>port>ethernet>dot1x# quiet-period 60
config>port>ethernet>dot1x# radius-plcy dot1xpolicy
Port configuration output
Use the info detail command to display port configuration information.
SAS-T>config>port>ethernet>dot1x# info detail
----------------------------------------------
port-control auto
radius-plcy dot1xpolicy
re-authentication
re-auth-period 3600
max-auth-req 2
transmit-period 30
quiet-period 60
supplicant-timeout 30
server-timeout 30
vlan-auth
----------------------------------------------
SAS-T>config>port>ethernet>dot1x#
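A configuration audit for the MAC authentication and VLAN authentication listings above, as an added example that is not part of the Nokia documentation. The function names, the finding texts, and the second listing are constructed for illustration; the first listing is abridged from the MAC authentication output on this page.

```python
import re

# Matches CLI prompt lines such as "SAS-T>config>port>ethernet>dot1x# info detail".
PROMPT = re.compile(r"^\*?[\w:.-]+(>[\w-]+)*#")

# Abridged from the MAC authentication "info detail" output shown on this page.
PAGE_SAMPLE = """\
SAS-T>config>port>ethernet>dot1x# info detail
----------------------------------------------
port-control auto
radius-plcy dot1xpolicy
re-authentication
re-auth-period 3600
quiet-period 60
mac-auth
mac-auth-wait 20
----------------------------------------------
SAS-T>config>port>ethernet>dot1x#
"""

# Constructed listing (not from the page) holding the settings the audit flags.
WEAK_SAMPLE = "port-control force-auth\nno radius-plcy\nno re-authentication\nmac-auth\n"

def parse_dot1x(text):
    """Turn a flat dot1x 'info detail' listing into {keyword: value}."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) == {"-"} or PROMPT.match(line):
            continue                      # skip blanks, rulers and prompts
        words = line.split()
        if words[0] == "no" and len(words) > 1:
            settings[words[1]] = False    # "no re-authentication" -> disabled
        else:
            settings[words[0]] = " ".join(words[1:]) or True
    return settings

def audit_dot1x(settings):
    """Return findings for a port that should authenticate clients via RADIUS."""
    findings = []
    fallback = [k for k in ("mac-auth", "vlan-auth") if settings.get(k)]
    if settings.get("port-control") != "auto":
        findings.append("port-control is not auto: RADIUS authentication is not performed")
    if not settings.get("radius-plcy"):
        extra = f" although {', '.join(fallback)} is enabled" if fallback else ""
        findings.append("no radius-plcy is assigned" + extra)
    if not settings.get("re-authentication"):
        findings.append("re-authentication is off: sessions are never re-checked")
    return findings
```
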
Configuring LAG parameters
The following guidelines and restrictions apply for LAG configurations:
LAG configurations must include at least two ports.
Up to eight ports can be included in a LAG, depending on the platform. All ports in the LAG must share the same characteristics (speed, duplex, hold-timer, and so on). The port characteristics are inherited from the primary port.
Autonegotiation must be disabled or set to limited mode for ports that are part of a LAG to guarantee a specific port speed.
Ports in a LAG must be configured as full duplex.
The 7210 SAS-Mxp, 7210 SAS-R6, and 7210 SAS-R12 support IP DSCP table-based classification for LAG. See "Service Ingress QoS Policies" in the 7210 SAS-Mxp, R6, R12, S, Sx, T Quality of Service Guide for more information.
LAG configuration output
*A:7210SAS>config>lag# info detail
----------------------------------------------
no mac
mode hybrid
encap-type dot1q
no enable-dei
no enable-table-classification
port 6/1/1 priority 32768 sub-group 1
no dynamic-cost
lacp active administrative-key 32770
port-threshold 0 action down
lacp-xmit-interval fast
lacp-xmit-stdby
no selection-criteria
no hold-time
standby-signaling lacp
no shutdown
----------------------------------------------
*A:7210SAS>config>lag#
Configuring BFD Over LAG links
After the LAG and associated links are configured, you can configure BFD in the LAG context to create and establish the micro-BFD session per link. Before micro-BFD can be established, an IP interface must be associated with the LAG or a VLAN within the LAG, if dot1q encapsulation is used.
Perform the following to enable and configure BFD over individual LAG links.
Within the lag context, enter the bfd context and enable BFD.
Configure the address family for the micro-BFD sessions. Only one address family per LAG can be configured. On the 7210 SAS-T, 7210 SAS-R6, and 7210 SAS-R12, only the IPv4 address family can be configured.
Configure the local IP address for the BFD sessions.
Configure the remote IP address for the BFD sessions.
When configuring the local and remote IP addresses for the BFD over LAG link sessions, ensure that the local-ip parameter always matches an IP address associated with the IP interface to which the LAG is bound. In addition, the remote-ip parameter must match an IP address on the remote system and should also be in the same subnet as the local-ip address. If the LAG bundle is reassociated with a different IP interface, modify the local-ip and remote-ip parameters to match the new IP subnet. The local-ip and remote-ip values do not have to match a configured interface in the case of tagged LAG or ports.
The following optional parameters can be configured for BFD over LAG links:
transmit interval
receive interval
multiplier
max-wait-for-up-time — This parameter controls how long a link will remain active if BFD is enabled after the LAG and associated links are active and in a forwarding state.
max-time-admin-down — This parameter controls how long the system will wait before bringing the associated link out of service if an admin down message is received from the far end.
The following is a sample configuration output.
*A:Dut-C>config>lag# info
----------------------------------------------
bfd
family ipv4
local-ip-address 10.120.1.2
receive-interval 1000
remote-ip-address 10.120.1.1
transmit-interval 1000
no shutdown
exit
exit
no shutdown
Configuring access egress queue overrides
Queue override support on an access port in the egress direction allows users to override queue parameters such as adaptation rule, percent CIR and PIR rates, queue management policy, queue mode, CIR and PIR rates, and queue weight.
When the queue override feature is not used, queue parameters for the port are taken from the access egress QoS policy assigned to the port.
The following is a sample queue override configuration output.
*A:dut-g>config>port>ethernet>access>egr>queue-override# info
----------------------------------------------
queue "1" create
queue-mgmt default
queue-mode strict
weight 7
rate cir 3000 pir 90000
adaptation-rule cir min pir max
exit
queue "5" create
queue-mgmt 200
queue-mode weighted
weight 1
percent-rate cir 5.00 pir 10.00
adaptation-rule cir min pir closest
exit
queue "8" create
exit
----------------------------------------------
*A:dut-g>config>port>ethernet>access>egr>queue-override#
CRC error monitoring
This feature allows the user to track CRC (cyclic redundancy check) errors received on a specific port. The detection mechanism is based around a configurable threshold specified by the administrator. Two thresholds are configurable, one for CRC degrade and one for CRC signal fail. The first threshold crossing generates an alarm, log entry, and trap, but does not bring the physical port down, while the second (signal fail) threshold crossing logs an alarm, generates a trap, and brings the port operationally down.
The thresholds are configurable with the CLI command config>port>ethernet crc-monitor.
This behavior is enabled on a per-port basis. By default, the command and functionality are disabled for signal degrade and signal fail.
The user can configure different values for the sf-threshold and the sd-threshold. However, the sf-threshold value must be less than or equal to the sd-threshold value.
The values provided by the user for threshold and multiplier are used to compute the error ratio as multiplier * 10^-(threshold value). Port statistics are collected once per second and accumulated over the configured window size. Each second, the oldest sample is discarded and the new sample is added to a running total. If the error ratio exceeds the configured threshold (as computed previously) over the window size for 2 consecutive seconds, appropriate actions are taken as follows.
If the number of CRC errors exceeds the signal degrade threshold value, a log warning message, syslog event, and SNMP trap with the message "CRC errors in excess of the configured degrade threshold <M>*10e-<N> Set" are raised.
If the CRC error rate increases further and exceeds the configured signal fail threshold value, an alarm log message, syslog event, and SNMP trap are raised, and the port is brought operationally down.
When the condition is cleared, an SNMP trap message to clear the event is generated.
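The sliding-window evaluation described above, replayed over per-second counters, as an added example that is not Nokia code. The page does not define the denominator of the error ratio or the exact clearing rule, so this sketch assumes CRC errors divided by frames received within the window and clears the degrade condition on the first second the ratio falls back under the threshold; all names and the sample traffic are constructed.

```python
from collections import deque

def error_ratio(multiplier, threshold):
    """multiplier * 10^-(threshold), the formula given in the text."""
    return multiplier * 10.0 ** -threshold

def crc_monitor(samples, window, sd=(1, 6), sf=(1, 3)):
    """Replay per-second (crc_errors, frames) samples; return [(second, event)].

    sd and sf are (multiplier, threshold) pairs. ASSUMPTIONS: the ratio is CRC
    errors / frames received inside the window, and the degrade condition
    clears on the first second the ratio is back under the threshold.
    """
    if sf[1] > sd[1]:
        raise ValueError("sf-threshold must be <= sd-threshold")
    sd_ratio, sf_ratio = error_ratio(*sd), error_ratio(*sf)
    win = deque(maxlen=window)       # per-second samples, oldest first
    errs = frames = 0                # running totals over the window
    sd_secs = sf_secs = 0            # consecutive seconds above each ratio
    sd_active, events = False, []
    for sec, (e, f) in enumerate(samples, start=1):
        if len(win) == window:       # discard the oldest sample
            errs -= win[0][0]
            frames -= win[0][1]
        win.append((e, f))
        errs += e
        frames += f
        ratio = errs / frames if frames else 0.0
        sd_secs = sd_secs + 1 if ratio > sd_ratio else 0
        sf_secs = sf_secs + 1 if ratio > sf_ratio else 0
        if sf_secs >= 2:             # signal fail: port goes operationally down
            events.append((sec, "sf-port-down"))
            break
        if sd_secs >= 2 and not sd_active:
            sd_active = True
            events.append((sec, "sd-raise"))     # alarm only, port stays up
        elif sd_active and sd_secs == 0:
            sd_active = False
            events.append((sec, "sd-clear"))
    return events

# Constructed traffic: 1,000,000 frames per second, errors rising over time.
SAMPLES = [(0, 10**6), (0, 10**6), (10, 10**6), (10, 10**6), (0, 10**6),
           (5000, 10**6), (5000, 10**6)]

if __name__ == "__main__":
    print(crc_monitor(SAMPLES, window=5))
```
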