Common configuration tasks

This section describes common configuration tasks.

Configuring ports


*A:7210SAS_duth>config>port# info detail
----------------------------------------------
        description "10/100/Gig Ethernet TX"
        access
            egress
                pool default
                    resv-cbs default
                    slope-policy "default"
                exit
            exit
        exit
        network
            egress
                pool default
                    no amber-alarm-threshold
                    no red-alarm-threshold
                    resv-cbs default
                    slope-policy "default"
                exit
            exit
        exit
----------------------------------------------
*A:7210_SAS_duth>config>port#

Configuring Ethernet port parameters

This section describes Ethernet port configuration.

Ethernet network port

A network port is network-facing and participates in the service provider transport or infrastructure network processes.

The following is a sample network port configuration output.

A:ALA-B>config>port# info
----------------------------------------------
   description "Ethernet network port"
   ethernet
      mode network 
   exit
   no shutdown
----------------------------------------------
A:ALA-B>config>port#

Ethernet access-uplink port

Access-uplink ports are network-facing and transport customer services. Only QinQ encapsulation can be used.

The following is a sample access-uplink port configuration output.

A:ALA-B>config>port# info
----------------------------------------------
   description "Ethernet network port"
   ethernet
      mode access uplink 
   exit
   no shutdown
----------------------------------------------
A:ALA-B>config>port#

Ethernet access port

Services are configured on access ports used for customer-facing traffic. If a SAP is to be configured on a port, it must be configured in access mode. When a port is configured for access mode, the appropriate encapsulation type can be specified to distinguish the services on the port. When a port has been configured for access mode, multiple services may be configured on the port.

The following is a sample Ethernet access port configuration output.

*A:7210-SAS>config>port# info 
----------------------------------------------
        ethernet
            mode access 
            access
                egress
                exit
                ingress
                exit
            exit
            encap-type dot1q
            mtu 9212
        exit
        no shutdown
----------------------------------------------
*A:7210-SAS>

Configuring 802.1x authentication port parameters

The following is a sample 802.1x port configuration output.

A:ALA-A>config>port>ethernet>dot1x# info detail
----------------------------------------------
                port-control auto
                radius-plcy dot1xpolicy
                re-authentication
                re-auth-period 3600
                max-auth-req 2
                transmit-period 30
                quiet-period 60
                supplicant-timeout 30
                server-timeout 30 
----------------------------------------------

Configuring MAC authentication port parameters

Note:

MAC authentication is only supported on 7210 SAS-Mxp, 7210 SAS-R6, 7210 SAS-Sx/S 1/10GE (standalone), and 7210 SAS-T.

The 7210 SAS supports a fallback MAC authentication mechanism for client devices (for example, PCs and cameras) on an Ethernet network that do not support 802.1x EAP.

MAC authentication provides protection against unauthorized access by forcing the device connected to the 7210 SAS to have its MAC address authenticated by a RADIUS server before the device is able to transmit packets through the 7210 SAS.

Use the following CLI syntax to configure MAC authentication for an Ethernet port.

 port port-id ethernet
         dot1x
             mac-auth
             mac-auth-wait seconds
             port-control auto
             quiet-period seconds
             radius-plcy name

The following example shows the command usage to configure MAC authentication for an Ethernet port.

     config# port 1/1/2 ethernet dot1x
     config>port>ethernet>dot1x# mac-auth
     config>port>ethernet>dot1x# mac-auth-wait 20
     config>port>ethernet>dot1x# port-control auto
     config>port>ethernet>dot1x# quiet-period 60
     config>port>ethernet>dot1x# radius-plcy dot1xpolicy

Port configuration output

Use the info detail command to display port configuration information.

SAS-T>config>port>ethernet>dot1x# info detail
----------------------------------------------
             port-control auto
             radius-plcy dot1xpolicy
             re-authentication
             re-auth-period 3600
             max-auth-req 2
             transmit-period 30
             quiet-period 60
             supplicant-timeout 30
             server-timeout 30
             mac-auth
             mac-auth-wait 20
----------------------------------------------
SAS-T>config>port>ethernet>dot1x#

Configuring VLAN authentication port parameters

Note:

VLAN authentication is only supported on 7210 SAS-Mxp, 7210 SAS-R6, 7210 SAS-Sx/S 1/10GE (standalone), and 7210 SAS-T.

The 7210 SAS supports VLAN authentication for client devices (for example, PCs and STBs) on an Ethernet network.

VLAN authentication provides protection against unauthorized access by forcing the device connected to the 7210 SAS to be authenticated by a RADIUS server before the device is able to transmit packets through the 7210 SAS.

Use the following CLI syntax to configure VLAN authentication for an Ethernet port.

 port port-id ethernet
         dot1x
             vlan-auth
             port-control auto
             quiet-period seconds
             radius-plcy name

The following example shows the command usage to configure VLAN authentication for an Ethernet port.

     config# port 1/1/2 ethernet dot1x
     config>port>ethernet>dot1x# vlan-auth
     config>port>ethernet>dot1x# port-control auto
     config>port>ethernet>dot1x# quiet-period 60
     config>port>ethernet>dot1x# radius-plcy dot1xpolicy

Port configuration output

Use the info detail command to display port configuration information.

SAS-T>config>port>ethernet>dot1x# info detail
----------------------------------------------
             port-control auto
             radius-plcy dot1xpolicy
             re-authentication
             re-auth-period 3600
             max-auth-req 2
             transmit-period 30
             quiet-period 60
             supplicant-timeout 30
             server-timeout 30
             vlan-auth
----------------------------------------------
SAS-T>config>port>ethernet>dot1x#
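
The following added example (not part of the vendor documentation) audits dot1x info detail output of the kind shown in the 802.1x, MAC authentication, and VLAN authentication sections, and flags ports that do not enforce RADIUS-backed authentication. The sample text, the force-auth value, the finding names, and the 3600-second re-authentication limit are assumptions made for the example.

```python
# Constructed sample input in the page's "info detail" layout. GOOD is abridged
# from the MAC-auth output shown above; WEAK is a made-up variant ("force-auth"
# is an assumed port-control value that does not appear on this page).
GOOD = """SAS-T>config>port>ethernet>dot1x# info detail
----------------------------------------------
             port-control auto
             radius-plcy dot1xpolicy
             re-authentication
             re-auth-period 3600
             mac-auth
             mac-auth-wait 20
----------------------------------------------"""
WEAK = """             port-control force-auth
             no radius-plcy
             no re-authentication
             mac-auth"""

def parse_dot1x(text):
    """Map each keyword to its value; 'no x' maps x to None, bare flags to True."""
    cfg = {}
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].endswith("#") or set(tok[0]) == {"-"}:
            continue  # blank line, CLI prompt, or dashed separator
        if tok[0] == "no" and len(tok) > 1:
            cfg[tok[1]] = None
        else:
            cfg[tok[0]] = tok[1] if len(tok) > 1 else True
    return cfg

def audit_dot1x(cfg, max_reauth_s=3600):
    """Return finding codes for settings that leave the port unauthenticated."""
    findings = []
    if cfg.get("port-control") != "auto":
        findings.append("PORT_CONTROL_NOT_AUTO")
    if not cfg.get("radius-plcy"):
        findings.append("NO_RADIUS_POLICY")
    if not cfg.get("re-authentication"):
        findings.append("NO_REAUTHENTICATION")
    elif int(cfg.get("re-auth-period", max_reauth_s)) > max_reauth_s:
        findings.append("REAUTH_PERIOD_TOO_LONG")  # limit is an assumed policy
    fallback = cfg.get("mac-auth") or cfg.get("vlan-auth")
    if fallback and ("PORT_CONTROL_NOT_AUTO" in findings or "NO_RADIUS_POLICY" in findings):
        findings.append("FALLBACK_AUTH_WITHOUT_ENFORCEMENT")
    return findings

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_dot1x(parse_dot1x(text)) or "ok")
```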

Configuring LAG parameters

The following guidelines and restrictions apply for LAG configurations:

  • LAG configurations must include at least two ports.

  • Up to eight ports can be included in a LAG, depending on the platform. All ports in the LAG must share the same characteristics (speed, duplex, hold-timer, and so on). The port characteristics are inherited from the primary port.

  • Autonegotiation must be disabled or set to limited mode for ports that are part of a LAG to guarantee a specific port speed.

  • Ports in a LAG must be configured as full duplex.

  • The 7210 SAS-Mxp, 7210 SAS-R6, and 7210 SAS-R12 support IP DSCP table-based classification for LAG. See “Service Ingress QoS Policies” in the 7210 SAS-Mxp, R6, R12, S, Sx, T Quality of Service Guide for more information.

LAG configuration output

*A:7210SAS>config>lag# info detail
----------------------------------------------
        no mac
        mode hybrid
        encap-type dot1q
        no enable-dei
        no enable-table-classification
        port 6/1/1 priority 32768 sub-group 1
        no dynamic-cost
        lacp active administrative-key 32770
        port-threshold 0 action down
        lacp-xmit-interval fast
        lacp-xmit-stdby
        no selection-criteria
        no hold-time
        standby-signaling lacp
        no shutdown
----------------------------------------------
*A:7210SAS>config>lag#

Configuring BFD over LAG links

After the LAG and associated links are configured, you can configure BFD in the LAG context to create and establish the micro-BFD session per link. Before micro-BFD can be established, an IP interface must be associated with the LAG or a VLAN within the LAG, if dot1q encapsulation is used.

Perform the following to enable and configure BFD over individual LAG links.

  1. Within the lag context, enter the bfd context and enable BFD.

  2. Configure the address family for the micro-BFD sessions. Only one address family per LAG can be configured. On the 7210 SAS-T, 7210 SAS-R6, and 7210 SAS-R12, only the IPv4 address family can be configured.

  3. Configure the local IP address for the BFD sessions.

  4. Configure the remote IP address for the BFD sessions.

When configuring the local and remote IP addresses for the BFD over LAG link sessions, ensure that the local-ip parameter always matches an IP address associated with the IP interface to which the LAG is bound. In addition, the remote-ip parameter must match an IP address on the remote system and should also be in the same subnet as the local-ip address. If the LAG bundle is reassociated with a different IP interface, modify the local-ip and remote-ip parameters to match the new IP subnet. The local-ip and remote-ip values do not have to match a configured interface in the case of tagged LAG or ports.

The following optional parameters can be configured for BFD over LAG links:

  • transmit interval

  • receive interval

  • multiplier

  • max-wait-for-up-time — This parameter controls how long a link will remain active if BFD is enabled after the LAG and associated links are active and in a forwarding state.

  • max-time-admin-down — This parameter controls how long the system will wait before bringing the associated link out of service if an admin down message is received from the far end.

The following is a sample configuration output.

*A:Dut-C>config>lag# info 
----------------------------------------------
        bfd
            family ipv4
                local-ip-address 10.120.1.2
                receive-interval 1000
                remote-ip-address 10.120.1.1
                transmit-interval 1000
                no shutdown
            exit
        exit
        no shutdown

Configuring access egress queue overrides

Queue override support on an access port in the egress direction allows users to override queue parameters such as adaptation rule, percent CIR and PIR rates, queue management policy, queue mode, CIR and PIR rates, and queue weight.

When the queue override feature is not used, queue parameters for the port are taken from the access egress QoS policy assigned to the port.

The following is a sample queue override configuration output.

*A:dut-g>config>port>ethernet>access>egr>queue-override# info 
----------------------------------------------
     queue "1" create
        queue-mgmt default
        queue-mode strict
        weight 7
        rate cir 3000 pir 90000
        adaptation-rule cir min pir max
        exit
     queue "5" create
        queue-mgmt 200
        queue-mode weighted
        weight 1
        percent-rate cir 5.00 pir 10.00
        adaptation-rule cir min pir closest
        exit
     queue "8" create
     exit
----------------------------------------------
*A:dut-g>config>port>ethernet>access>egr>queue-override# 

CRC error monitoring

This feature allows the user to track CRC (cyclic redundancy check) errors received on a specific port. The detection mechanism is based around a configurable threshold specified by the administrator. Two thresholds are configurable, one for CRC degrade and one for CRC signal fail. The first threshold crossing generates an alarm, log entry, and trap, but does not bring the physical port down, while the second (signal fail) threshold crossing logs an alarm, generates a trap, and brings the port operationally down.

The thresholds are configurable with the CLI command config>port>ethernet crc-monitor.

Note:

This behavior is enabled on a per-port basis. By default, the command and functionality are disabled for signal degrade and signal fail.

The user can configure different values for the sf-threshold and the sd-threshold. However, the sf-threshold value must be less than or equal to the sd-threshold value.

The values provided by the user for threshold and multiplier are used to compute the error ratio as multiplier * 10^-(threshold value). Port statistics are collected once per second and accumulated over the configured window size. Each second, the oldest sample is discarded and the new sample is added to a running total. If the error ratio exceeds the configured threshold (as computed previously) over the window size for 2 consecutive seconds, appropriate actions are taken as follows.

  • If the number of CRC errors exceeds the signal degrade threshold value, a log warning message, syslog event, and SNMP trap with the message “CRC errors in excess of the configured degrade threshold <M>*10e-<N> Set” are raised.

  • If the CRC error rate increases further and exceeds the configured signal fail threshold value, an alarm log message, syslog event, and SNMP trap are raised, and the port is brought operationally down.

When the condition is cleared, an SNMP trap message to clear the event is generated.
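
The sliding-window evaluation described above, as an added example that is not vendor code. It assumes the measured error ratio is CRC errors divided by frames received over the window and that signal fail latches once raised; the class and function names and the sample counters are constructed.

```python
from collections import deque

def error_ratio(multiplier, threshold):
    """Configured ratio from the page's formula: multiplier * 10^-(threshold)."""
    return multiplier * 10.0 ** -threshold

class CrcMonitor:
    """Sliding-window CRC monitor fed one (crc_errors, frames) sample per second."""
    def __init__(self, sd_threshold, sf_threshold, window_size,
                 sd_multiplier=1, sf_multiplier=1):
        if sf_threshold > sd_threshold:
            raise ValueError("sf-threshold must be <= sd-threshold")
        self.sd = error_ratio(sd_multiplier, sd_threshold)
        self.sf = error_ratio(sf_multiplier, sf_threshold)
        self.window = deque(maxlen=window_size)
        self.errors = self.frames = 0     # running totals over the window
        self.sd_secs = self.sf_secs = 0   # consecutive seconds above each ratio
        self.state = "ok"

    def tick(self, crc_errors, frames):
        if len(self.window) == self.window.maxlen:
            old_errors, old_frames = self.window[0]   # oldest sample is discarded
            self.errors -= old_errors
            self.frames -= old_frames
        self.window.append((crc_errors, frames))
        self.errors += crc_errors
        self.frames += frames
        # Assumption: measured ratio = CRC errors / frames received in the window.
        ratio = self.errors / self.frames if self.frames else 0.0
        self.sd_secs = self.sd_secs + 1 if ratio > self.sd else 0
        self.sf_secs = self.sf_secs + 1 if ratio > self.sf else 0
        if self.sf_secs >= 2 or self.state == "signal-fail":
            self.state = "signal-fail"      # port operationally down (latched here)
        elif self.sd_secs >= 2:
            self.state = "signal-degrade"   # alarm, log entry, trap; port stays up
        elif self.sd_secs == 0:
            self.state = "ok"               # condition cleared
        return self.state

def replay(monitor, samples):
    """Feed per-second samples and return the state after each second."""
    return [monitor.tick(errors, frames) for errors, frames in samples]

# Constructed counters: 1,000,000 frames per second with a growing error count.
SAMPLES = [(0, 10**6), (0, 10**6), (100, 10**6), (100, 10**6), (20000, 10**6), (20000, 10**6)]

if __name__ == "__main__":
    print(replay(CrcMonitor(sd_threshold=5, sf_threshold=3, window_size=5), SAMPLES))
```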