Alcatel Carrier Internetworking Solutions 6600 instruction

Configuring High Availability VLANs

Application Example 1: Firewall Cluster

This section describes how to configure the traditional firewall implementation, which uses a third-party high availability firewall cluster, described in “Traditional Firewall Implementation” on page 3-7. As shown in the figure on page 3-7, traffic from the Internet comes into the switch through high availability VLAN 10 ingress ports. This VLAN has three egress ports (2/9, 2/10, and 3/5) that connect to the third- party high availability firewall cluster. The firewall cluster is connected to three ports (4/1, 5/3, 7/6) that belong to standard VLAN 20. This VLAN connects to devices within a private network.

Follow the steps below to configure the necessary high availability VLAN on an OmniSwitch.

1Create a default VLAN for HA VLAN 10 ports with the vlan command as shown below:

-> vlan 5

2Assign ports to the new default VLAN with the vlan port default command as shown below:

-> vlan 5 port default 1/1 2/9 2/10 3/5

3Configure VLAN 10, which will have the ingress ports, with the vlan command as shown below:

-> vlan 10

4Assign the ingress port 1/1 to VLAN 10 with the vlan port-macingress-portcommand as shown below:

-> vlan 10 port-mac ingress-port 1/1

5Assign the egress ports 2/9, 2/10, and 3/5 to VLAN 10 with the vlan port-macegress-portcommand as shown below:

-> vlan 10 port-mac egress-port 2/9-10 3/5

6Configure standard VLAN 20, which will carry authorized traffic to the private network, with the vlan command as shown below:

-> vlan 20

7Assign destination MAC addresses to VLAN 10 with the mac-address-tableport-mac vlan mac command as shown below:

-> mac-address-table port-mac vlan 10 mac 00:95:2A:01:3C:10

page 3-16

Release 5.1.6.R02 User Guide Supplement June 2005

Image 126

Alcatel Carrier Internetworking Solutions 6600 manual Application Example 1 Firewall Cluster

Contents

Release 5.1.6.R02 Release 5.1.6.R02 User Guide Supplement June Contents Contents Deleting a Vlan Contents OmniSwitch CLI Reference Guide IPv6 CommandsHigh Availability Vlan Commands Following new command should be included in this chapter Mac-address-table port-mac vlan mac Vlan port-mac bandwidth Vlan vid port-mac bandwidth mbps Bandwidth 802.1X Commands 802.1x slot/port guest-vlan vid disable 802.1x guest-vlan AlaDot1xGuestVlanConfTable AlaDot1xGuestVlanNumber 802.1x supp-polling retry 802.1x slot/port supp-polling retry retries 802.1x guest-vlan Show 802.1x non-supp Show 802.1x non-supp slot/port Configuring IP OmniSwitch 7700/7800/8800 Network Configuration GuideIP Commands Configuring a Loopback0 Interface Configuring Quick Steps for Configuring Show 802.1x users Slot Configuring a Guest Vlan Guest VLANs for Non-802.1x Supplicants Configuring High Availability VLANs Configuring BGPConfiguring a BGP Peer with the Loopback0 Interface OmniSwitch 6600 Family Network Configuration Guide Supp command Configuring a Guest Vlan User Documentation Addendum Show 802.1x non-supp IPv6 Commands Summary of the IPv6 commands is listed here Ipv6 interface Ra-max-interval interval Enable disable Example Parameterdefault Ipv6 address Displays IPv6 Interface Table Ipv6 interface tunnel source destination Ifname ipv4source ipv4destination Related Commands MIB Objects Ipv6 dad-check Ipv6 hop-limit Ipv6 hop-limit value No ipv6 hop-limit Ipv6 pmtu-lifetime Ipv6 pmtu-lifetime time Ipv6 host Ipv6 neighbor Ipv6 prefix Valid-lifetime time Displays IPv6 prefixes used in router advertisements Ipv6 route Ping6 To a specified destination Traceroute6 Used to test whether an IPv6 destination can be reached from Debug ipv6 packet File filename write debug information to the specified file Raw bytes Related Commands Debug ipv6 trace-category Configures the display of IPv6 debug messages Name Show ipv6 hostsShow ipv6 hosts substring IPv6 Address Show ipv6 icmp statistics Show ipv6 icmp statistics ifname Parameter Problems ErrorsAdministratively Prohibited Total MIB Objects IPv6 Address/Prefix Length Show ipv6 interfaceShow ipv6 interface ifname loopback Status Show ipv6 interface v6if-6to4-137 Administrative status IPv6 interface indexOperational status RA retransmit timer ms RA managed config flagRA other config flag RA default lifetime ms Show ipv6 interface Destination Address Show ipv6 pmtu tableShow ipv6 pmtu table Expires Path MTU Table Clear ipv6 pmtu table Clear ipv6 pmtu table Show ipv6 neighbors Configures a static entry in the IPv6 Neighbor Table Clear ipv6 neighbors Clear ipv6 neighbors Valid Lifetime Show ipv6 prefixesShow ipv6 prefixes Preferred Lifetime Prefixes for router advertisements Show ipv6 routes AgeProtocol Protocol by which the route was learned Configures a static entry in the IPv6 route Local Address Show ipv6 tcp portsShow ipv6 tcp ports Remote Address Displays the UDP Over IPv6 Listener Table Show ipv6 traffic Reassembly needed Header errorsAddress errors Reassembly failed Show ipv6 icmp statistics Displays IPv6 Icmp statistics Clear ipv6 traffic Clear ipv6 traffic Show ipv6 tunnel Show ipv6 tunnel Ipv6 interface tunnel source Show ipv6 udp ports Show ipv6 udp ports Show ipv6 udp ports Ipv6 load rip Ipv6 load rip Ipv6 rip status enable disable Parameterdefault Enable disableIpv6 rip status Ipv6 rip invalid-timer Ipv6 rip invalid-timer seconds Ipv6 rip garbage-timer Ipv6 rip garbage-timer seconds Ipv6 rip holddown-timer Ipv6 rip holddown-timer seconds Ipv6 rip jitter Ipv6 rip jitter value Ipv6 rip route-tag Ipv6 rip route-tag value Ipv6 rip update-interval Ipv6 rip update-interval seconds None RIPng routes are not added to triggered updates Ipv6 rip triggered-sends all updated-only noneUpdate packets Parameterdefault All updated-only none Updated-only Ipv6 rip interface Ipv6 rip interface ifname No ipv6 rip interface ifname Is set to enable, packets can be received on this interface Ipv6 rip interface metric Ipv6 rip interface ifname metric value Ipv6 rip interface ifname recv-status enable disable Ipv6 rip interface recv-status Ipv6 rip interface ifname send-status enable disable Ipv6 rip interface send-status Parameterdefault None split-only poison Poison Ipv6 rip interface horizonIpv6 rip interface ifname horizon none split-only poison Ipv6 rip debug-level Ipv6 rip debug-type Configures the RIPng debug level Show ipv6 rip Interval Show ipv6 rip interface Interface namePackets Recvd Metric Next updateHorizon mode Interface status MIB Objects Show ipv6 rip peer Show ipv6 rip peer ipv6addresss Show ipv6 rip peer Show ipv6 rip routes DestGateway Show ipv6 rip routes detail 9900/100 MIB Objects Show ipv6 rip debug Show ipv6 rip debug Debug Level Debug Type Status on/off Configuring High Availability VLANs This Chapter High Availability VLANs Specifications High Availability Default Values Quick Steps for Creating High Availability VLANs Configuring High Availability VLANs High Availability Vlan Overview Ingress and Egress Traffic Flows High Availability Firewall ClustersIngress to Egress Port Flow Traditional Firewall Implementation Firewall and High Availability Cluster Configuring High Availability VLANs on a Switch Creating and Deleting VLANs Creating a Vlan Assigning and Removing Ingress Ports Deleting a VlanAssigning Ingress Ports Removing Ingress Ports Assigning and Removing Egress Ports Assigning Egress PortsRemoving Egress Ports Assigning and Removing MAC Addresses Assigning MAC Addresses Configuring Inter-switch Ports for HA VLANs Removing MAC Addresses Configuring the Flood Queue Bandwidth Application Example 1 Firewall Cluster Application Example 2 Inter-Switch HA VLANs HA Vlan Inter-Switch ConfigurationIngress Traffic Flow Vlan 2 port default 1/1-3 5/4 Displaying High Availability Vlan Status and Statistics Show vlan Screen similar to the following will be displayed