The Switch configuration is based on a set of rules for the switching groups:
- A unique numeric identifier (1-4999) for each group
- Two or more local network interfaces (ethX, rfX, tunX, etc.) and a set of rules (filters) that allow placing different types of traffic into different switching groups
- Each node can have several switching groups. The same interfaces or group of interfaces can be used in several groups simultaneously
- Switching groups are activated on different nodes of the MINT network. The nodes that have the same switching group identifier in their configurations represent a "switching zone"
- "Switching zone" exists only within the MINT network segment.
The MINT network can be viewed as one virtual distributed layer-3 switch, where border nodes act as external ports of the virtual switch. The virtual switch task is to transport frames from one external port to another. It is important to understand that switching groups should be created only on the nodes where frames enter from or leave to the "outside" network ("outside" relative to MINT). On the repeater nodes (in mesh topology) there is no need to create switching groups.
In order to put an incoming frame into one of the switching groups, a set of flexible rules is used, which allows sorting frames by various criteria, such as:
- VLAN tag
- Protocol type
- Addresses (MAC/IP)
- Any PCAP expressions.
A Trunk group is a switching group in "Trunk" mode.
The input flow from the wired segment into a Trunk group is divided into separate sub-groups (switching groups within the Trunk group) depending on the VLAN tag of the packet. The number of the switching group within the Trunk group is equal to the VLAN number of the packets switched to it.
Trunk groups are used for ease of configuration when VLAN flows are transmitted to several subscribers.
If you enable a trunk group on the BS side to transmit several VLAN flows in several directions, then on the CPE side you should use the "In-Trunk" option to specify the number of the trunk group that includes the required switching group.
During data transmission towards a wired switch, the group number is automatically converted to the 802.1q VLAN tag, and vice versa: when a packet is received from the wired switch, the VLAN tag is converted to the corresponding group number.
Trunk groups may also be used to solve the task of connecting several VLAN segments.
Special rules on interfaces allow flexible manipulations with VLAN ID tags: deleting, assigning and re-assigning (please consult the information provided in WANFleX OS User Manual).
Management connection to the unit
For management purposes, you can create a dedicated Switch Group for all units in the MINT network, attached to the Switch Virtual Interface (SVI). Assign the IP addresses directly to the SVI interface for native management. All packets sent via the SVI interface are distributed only within the assigned switch group.
The universal way to configure Management VLAN via dedicated switch group is presented in the figure below (for more information see section "Remote management of the R5000 units").
You have to assign the management IP addresses to the "sviM" interface, which is the management interface of Group M and includes "vlanX" (with parent interface "eth0") and the "rf5.0" interface:
Switch Group rules
Once assigned to one of the switching groups, a frame never leaves it until it reaches one of the external ports. Switching group rules are applied only when the frame enters the MINT network through one of its external ports. When leaving the network, no rules are required, as the frame already belongs to one of the switching groups and is automatically forwarded to the external port(s) that belong to the corresponding switching group.
Frames originated by MINT network nodes (for example, RIP/OSPF or ping packets) do not belong to any of the switching groups. Therefore, they cannot leave the MINT network by switching through any of the external ports.
Rules are used for the following purposes:
- Selecting an appropriate switching group when a packet is received through an "ethX" interface. The packet is switched by the group whose rules it fully satisfies.
  A packet that cannot be associated with any switching group is not switched by the device: if there is no group with appropriate rules for the packet, it is discarded.
- Once the packet is assigned to a switching group, the group decides whether to send the packet through one of the interfaces or to discard it. The packet is only sent if it satisfies the rules of that interface.
Rules consist of a "rules list" and a decision (deny/permit). While parsing the list, the switch checks the rules one at a time to see whether the packet matches. If it matches a rule, the decision set for that rule is applied to the packet; otherwise the next rule in the list is examined. If a packet does not match any rule, the default decision for this group or interface is taken.
The expression selects which packets will fit into the group. Only the packets for which the expression is “true” will be matched to the group. The expression consists of one or more primitives. Primitives usually consist of an id (name or number) preceded by one or more qualifiers.
Example packet filter rules:
Single IP subnet:
Several IP subnets:
Several IP subnets with exceptions:
Several IP subnets inside VLAN:
which is a synonym for:
Disable IP multicast and broadcast:
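The rule-list semantics described above (rules taken one at a time, first match decides, otherwise the group default applies) and the Trunk-group behaviour from the "Trunk group" paragraphs, as an added example that is not Infinet code: it assumes a hypothetical frame model (a dict of VLAN tag, destination MAC and IP addresses) and expresses filter primitives as Python predicates rather than PCAP text.

```python
import ipaddress

# Hypothetical frame model for this example: a dict of the header fields a
# switch rule inspects (VLAN tag, destination MAC, source/destination IP).
def vlan(tag):  return lambda f: f.get("vlan") == tag
def tagged(f):  return f.get("vlan") is not None
def multicast(f):  # I/G bit of the destination MAC: multicast and broadcast
    return f["dst_mac"][0] & 1 == 1
def net(cidr):
    n = ipaddress.ip_network(cidr)
    return lambda f: any(ipaddress.ip_address(a) in n
                         for a in (f.get("src_ip"), f.get("dst_ip")) if a)
def not_(p):   return lambda f: not p(f)
def and_(*ps): return lambda f: all(p(f) for p in ps)
def or_(*ps):  return lambda f: any(p(f) for p in ps)

def evaluate(rules, frame, default):
    """Rules are (predicate, decision) pairs taken one at a time: the first
    match decides, otherwise the group's default decision applies."""
    for predicate, decision in rules:
        if predicate(frame):
            return decision
    return default

def classify(groups, frame):
    """Ingress: the frame joins the first group whose rules permit it; in a
    Trunk group the sub-group number is the frame's VLAN number. A frame that
    no group accepts is discarded (None)."""
    for g in groups:
        if evaluate(g["rules"], frame, g["default"]) == "permit":
            return (g["id"], frame["vlan"] if g["trunk"] else None)
    return None

# Constructed configuration: group 10 takes two subnets inside VLAN 100 but
# drops multicast/broadcast; group 20 is a Trunk group for any tagged frame.
GROUPS = [
    {"id": 10, "trunk": False, "default": "deny", "rules": [
        (multicast, "deny"),
        (and_(vlan(100), or_(net("192.168.1.0/24"), net("10.0.0.0/8"))), "permit")]},
    {"id": 20, "trunk": True, "default": "permit", "rules": [(not_(tagged), "deny")]},
]

UNI, BCAST = bytes.fromhex("001122334455"), bytes.fromhex("ffffffffffff")
FRAMES = {  # constructed sample frames
    "v100_unicast":   {"vlan": 100, "dst_mac": UNI, "src_ip": "192.168.1.5", "dst_ip": "10.1.2.3"},
    "v100_broadcast": {"vlan": 100, "dst_mac": BCAST, "src_ip": "192.168.1.5", "dst_ip": "192.168.1.255"},
    "v300_other":     {"vlan": 300, "dst_mac": UNI, "src_ip": "172.16.0.1", "dst_ip": "172.16.0.2"},
    "untagged":       {"vlan": None, "dst_mac": UNI, "src_ip": "172.16.0.1", "dst_ip": "172.16.0.2"},
}
```

Note how the broadcast frame is denied by group 10's first rule and then falls through to the Trunk group, while the untagged frame matches no permitting group and is discarded.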
Detailed filter expression syntax description
The filter expression determines which packets are selected by the filter for further processing. If no expression is given, all the packets on the net are selected. Otherwise, only the packets for which the expression is “true” are selected.
There are three different kinds of qualifier:
More complex filter expressions are built up by using the words “and”, “or” and “not” to combine primitives. For example: “host foo and not port ftp and not port ftp-data”. To save typing time, identical qualifier lists can be omitted. For example: “tcp dst port ftp or ftp-data or domain” is exactly the same as “tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain”.
Allowable primitives are:
- dst host host
- src host host
- ether dst ehost
- ether src ehost
- ether host ehost
- dst net net
- src net net
- net net mask netmask
- dst port port
- src port port
- dst portrange port1-port2
- src portrange port1-port2
- ip proto protocol
- ip protochain protocol
- ether proto protocol
- ip, arp, rarp, atalk, aarp, iso, stp, ipx, netbeui
- tcp, udp, icmp
- iso proto protocol
- clnp, esis, isis
- expr relop expr
Primitives may be combined using:
- A parenthesized group of primitives and operators (parentheses are special to the Shell and must be escaped)
- Negation (“!” or “not”)
- Concatenation (“&&” or “and”)
- Alternation (“||” or “or”).
Negation has the highest precedence. Alternation and concatenation have equal precedence and associate left to right. Note that explicit “and” tokens, not juxtaposition, are now required for concatenation. If an identifier is given without a keyword, the most recent keyword is assumed. For example, “not host 18.104.22.168 and 22.214.171.124” is short for “not host 18.104.22.168 and host 22.214.171.124” and should not be confused with “not (host 18.104.22.168 or 22.214.171.124)”.
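The precedence and implicit-qualifier rules just described, as an added example that is not part of the WANFleX documentation: a small parser that rewrites an expression with every omitted qualifier list and every grouping decision made explicit. The qualifier and keyword sets are an assumed subset of the primitives listed above, and identifiers are treated as opaque tokens.

```python
# Assumed subset of the filter grammar on this page: qualifiers precede a
# keyword, a keyword precedes an id, and operators combine primitives.
QUALS = {"src", "dst", "ether", "ip", "tcp", "udp", "iso"}
KEYWORDS = {"host", "net", "port", "portrange", "proto", "protochain"}
OPS = {"and": "and", "&&": "and", "or": "or", "||": "or", "not": "not", "!": "not"}

def tokenize(expr):
    return expr.replace("(", " ( ").replace(")", " ) ").split()

class Parser:
    def __init__(self, tokens):
        self.toks, self.i, self.last = tokens, 0, []   # last = most recent qualifiers
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        tok = self.toks[self.i]
        self.i += 1
        return tok
    def expr(self):
        # "and" and "or" share one precedence level and associate left to right
        left = self.term()
        while self.peek() in ("and", "&&", "or", "||"):
            op = OPS[self.take()]
            left = f"({left} {op} {self.term()})"
        return left
    def term(self):
        # negation binds tightest; parentheses override everything
        if self.peek() in ("not", "!"):
            self.take()
            return f"(not {self.term()})"
        if self.peek() == "(":
            self.take()
            inner = self.expr()
            assert self.take() == ")", "unbalanced parenthesis"
            return inner
        return self.primitive()
    def primitive(self):
        quals = []
        while self.peek() in QUALS or self.peek() in KEYWORDS:
            quals.append(self.take())
        if self.peek() in (None, "(", ")") or self.peek() in OPS:
            return " ".join(quals)        # keyword-only primitive such as "tcp" or "ip"
        if quals:
            self.last = quals             # explicit qualifiers set the context
        return " ".join(self.last + [self.take()])  # a bare id reuses the most recent ones

def normalize(expr):
    """Return expr with implicit qualifiers expanded and grouping made explicit."""
    return Parser(tokenize(expr)).expr()
```

Running normalize on the two expressions from the paragraph above shows why they differ: the first becomes “((not host A) and host B)”, the second “(not (host A or host B))”.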
MAC Switch Group parameters
In the "MAC Switch Group parameters" section, you can view the Switch Groups and Rules that are already created, including the management switch group; you can change the parameters for these Switch Groups, delete them by clicking the «Remove Group» button or create new ones by clicking the «Create Switch Group» button. The same operations are available for the switching rules: add a new rule within a switch group by clicking the «Add Rule» button (located within sub-menu "Rules" of this group) or delete an existing rule by clicking the «Remove Rule» button.
General options in this section:
- Enable Switch - enables/disables global switch operation
- Max Sources - sets the maximum allowed number of records in the switch MAC address table. The default number of records is 5000.
- STP MINT mode - enables/disables the STP MINT mode. STP MINT mode is used to exclude the influence of wired switches with the STP protocol enabled on the network operation. The mode blocks the BPDU frames of the STP protocol configured on the wired switches, so that a wired switch cannot detect a loop and block its ports. STP MINT mode, in conjunction with the RSTP protocol enabled on the Infinet devices, makes it possible to break the loop and supports the functioning of the PRF protocol that operates through the wired segment.
Disabling the switch without routing settings in place can stop packet transmission through the device.
- Remove L3 Management - by clicking this button you can delete the "sviX" interface, which is present in the default configuration for unit management
- Create L3 Management - by clicking this button you can add an "sviX" interface for the unit management via Web interface (please consult the configuration examples presented in chapter "Configuration scenarios").
"Switch Group configuration" section parameters:
- Default QM Channel
You can change the list order of the switch group using the "up/down" arrows.
A set of rules is applied to all packets within a switch group. You can create several switch rules within a switch group. The following parameters are available for switch rules:
- Packet capture filter
In all three types of filters: Switching, IP Firewall and Traffic Shaping, there is the same syntax called “PCAP expression” for setting a rule. It is a universal tool for creating filters.
In this section you can set the IGMP parameters for the groups for which IGMP snooping support is enabled (the IGMP check box is marked for these groups in the "MAC Switch" section).
IGMP Snooping is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups. By listening to and analyzing IGMP messages, the device running IGMP Snooping establishes mappings between ports and multicast MAC addresses and forwards multicast data based on these mappings.
In order for IGMP snooping to function, a multicast router must exist on the network and generate IGMP queries. The tables created for snooping (holding the member ports for each multicast group) are associated with the multicast router. Without a multicast router, the tables are not created and snooping does not work. Furthermore, IGMP general queries must be unconditionally forwarded by all switches involved in IGMP snooping.
The following IGMP Snooping parameters can be set within the "MAC Switch" section:
- Router Port Forwarding
- Flood IGMP Reports
- Permit Zero IP Querier
- Replace Source IP
- Last Member Query Timeout (LMQT)
- Group Membership Interval (GMI)
- Multicast Group Limit
Read the section "Apply, Try and Preview buttons for the configuration" to find out the effect of the «Apply», «Test» and «Preview» buttons on the new configuration.