Documente Academic
Documente Profesional
Documente Cultură
GPON TRAINING
Table of contents
www.dasannetwo
Introduction
Interface Configuration Mode
In
Interface
Configuration mode, you can
configure Ethernet interfaces.
www.dasannetwo
Security Level
It is possible to configure the security level from
0 to 15 for a system account. The level 15, as
the highest level, has a read-write authority.
The administrator can configure from level 0 to
level 14. The administrator decides which level
user uses which commands in which level. As the
basic right from level 0 to level 14, it is possible
to use exit and help command in Privileged
EXEC View mode and it is not possible to
access to Privileged EXEC Enable mode.
www.dasannetwo
www.dasannetwo
3. Auto Log-out
For security reasons of DASAN OLTs , if no command is entered within the configured inactivity time, the
user is automatically logged out of the system. Administrator can configure the inactive session timeout.
Configured interval is working only for actual active session.
On V5824G there is possible to configure
global configuration for auto log-out:
SWITCH(config)# global-timeout 50
www.dasannetwo
www.dasannetwo
www.dasannetwo
www.dasannetwo
www.dasannetwo
2. Assigning IP Address to Network Interface - to assign an IP address to a network interface, use the following
command:
3. After assigning an IP address to an interface, you need to enable the interface. If the interface is
not enabled, you cannot access it from a remote place, even though an IP address has been assigned.
www.dasannetwo
DHCP Client
An interface of the V5812G can be configured as a DHCP client, which can obtain an IP address from a DHCP server. The
configurable DHCP client functionality allows a DHCP client to use a user-specified client ID, class ID or suggested lease time
when requesting an IP address from a DHCP server. Once configured as a DHCP client, OLT cannot be configured as a
DHCP server or relay agent.
Before configuring DHCP client, server or relay agent, you need to use the service dhcp command first to activate the DHCP
function in the system:
SWITCH(config)# service dhcp
SWITCH(config)# interface 100
SWITCH(config-if[100])# ip address dhcp
SWITCH(config-if[100])# no shutdown
SWITCH(config-if[100])# exit
SWITCH(config)# show ip interface brief
www.dasannetwo
www.dasannetwo
Default Route
Default route configuration means that all traffic to the network to which there is no defined route on the routing table, will be
directed to the configured DEFAULT GATEWAY IP
SWITCH(config)# ip route default 192.168.33.1
SWITCH(config)# show ip route
www.dasannetwo
www.dasannetwo
The default scheduling mode is WRR. And it is possible to assign a different scheduling mode to each port.
You can simply manage more than 2 Flows through one Class. Flow or Class can be implemented by one policy. Both Flow
and Class cannot belong to one policy together. It means that one policy can include only one either Flow or Class.
However, a single flow or class can belong to multiple policies.
www.dasannetwo
www.dasannetwo
www.dasannetwo
4. Policy Action
To specify the rule action for the packets matching configured
classifying patterns, use the following command.
www.dasannetwo
EXAMPLE 1 overwriting higher CoS priority for IPTV VLAN 200 coming to any OLT port
SWITCH(config)# flow IPTV create
SWITCH(config-flow[IPTV])# ip any any
SWITCH(config-flow[IPTV])# apply
SWITCH(config-flow[IPTV])# exit
SWITCH(config)# policy IPTV create
SWITCH(config-policy[IPTV])# include-flow IPTV
SWITCH(config-policy[IPTV])# interface-binding vlan 200
SWITCH(config-policy[IPTV])# action match cos 6 overwrite
SWITCH(config-policy[IPTV])# apply
SWITCH(config-policy[IPTV])# exit
SWITCH(config)# qos scheduling-mode sp 1-12
www.dasannetwo
Because there is two policy for the same type of traffic (SNMP, to allow and
block) we need to define policy priority. Policy for PERMIT should have the
higher priority then for DENY.
www.dasannetwo
www.dasannetwo
EXAMPLE:
SWITCH(config)# ssh server enable
SWITCH(config)# show ssh
SWITCH(config)# ssh disconnect PID
www.dasannetwo
EXAMPLE:
SWITCH(config)# service port ssh
2222
SWITCH(config)# service port telnet
2323
www.dasannetwo
www.dasannetwo
www.dasannetwo
SNMP Version 2
For SNMP version 2 we need to configure SOMMUNITY.
Only an authorized person can access SNMP agent by
configuring SNMP community with a community name
and additional information.
SNMP Version 3
For SNMP version 3, You need to create user with
authentication key, group, view and access record.
www.dasannetwo
You can easily implement DASAN OLTs with Your own Management System using SNMP protocol. All setting
which You can set on CLI and read on CLI, You can also read/set using SNMP protocol.
www.dasannetwo
www.dasannetwo
13. Syslog
Syslog
The syslog is a function that allows the network element to generate the event notification and forward it to the event
message collector like a syslog server. This function is enabled as default, so even though you disable this function
manually, the syslog will be enabled again.
The order of priority is emergency > alert > critical > error > warning > notice > info > debug. If you set a specific
level of syslog output, you will receive only a syslog message for selected level or higher. If you want receive a syslog
message for all the levels, you need to set the level to debug.
www.dasannetwo
www.dasannetwo
www.dasannetwo
www.dasannetwo
Port
1
2
2
1
2
1
2
Ver
v2
v2
v2
v2
v2
v2
v2
Mode
EX,ALLOW
EX,ALLOW
EX,ALLOW
EX,ALLOW
EX,ALLOW
EX,ALLOW
EX,ALLOW
Last Reporter
10.201.32.34
10.201.32.40
10.201.32.40
10.201.32.34
10.201.32.40
10.210.160.46
10.210.160.18
Expire
00:03:53
00:03:55
00:03:49
00:03:52
00:03:53
00:03:57
00:03:52
The 32:1 address mapping ambiguity can lead to over subscription problem at hosts. You must consider it when you
allocate IP multicast addresses for network applications to prevent unexpected behavior.
www.dasannetwo
DHCP Subnet
To specify a subnet of the DHCP pool, use the following
command:
Range of IP Address
To specify a range of IP addresses that will be assigned
to DHCP clients, use the following command. You can also
specify several inconsecutive ranges of IP addresses in a
single DHCP pool, e.g. 100.1.1.1 to 100.1.1.62 and
100.1.1.129 to 100.1.1.190. When specifying a range of IP
address, the start IP address must be prior to the end IP
address.
Default Gateway
To specify a default gateway of the DHCP pool, use the
following command
www.dasannetwo
DNS Server
To specify a DNS server to inform DHCP clients, use the
following command.
Manual Binding
To manually assign a static IP address to a DHCP
client who has a specified MAC address, use the
following command.
Domain Name
To set a domain name, use the following command.
www.dasannetwo
EXAMPLE:
SWITCH# configure terminal
SWITCH(config)# service dhcp
SWITCH(config)# bridge
SWITCH(bridge)# vlan create 100,200
SWITCH(bridge)# vlan add 100 1-4 tagged
SWITCH(bridge)# vlan add 200 10 tagged
SWITCH(bridge)# exit
SWITCH(config)# interface 200
SWITCH(config-if[200])# ip address 172.16.16.1/24
SWITCH(config-if[200])# no shutdown
SWITCH(config-if[200])# exit
SWITCH(config)# interface 100
SWITCH(config-if[100])# ip address 192.168.15.2/24
SWITCH(config-if[100])# no shutdown
SWITCH(config-if[100])# exit
SWITCH(config)# ip route default 172.16.16.2
SWITCH(config)# ip dhcp pool DHCP-SERVER-VLAN100
SWITCH(config-dhcp[DHCP-SERVER-VLAN100])# network 192.168.15.0/24
SWITCH(config-dhcp[DHCP-SERVER-VLAN100])# default-router 192.168.15.2
SWITCH(config-dhcp[DHCP-SERVER-VLAN100])# range 192.168.15.100 192.168.15.240
SWITCH(config-dhcp[DHCP-SERVER-VLAN100])# dns-server 172.16.16.240 8.8.8.8
SWITCH(config-dhcp[DHCP-SERVER-VLAN100])# fixed-address 192.168.15.11 00:d0:cb:d8:ad:61
SWITCH(config-dhcp[DHCP-SERVER-VLAN100])# exit
www.dasannetwo
EXAMPLE:
SWITCH# configure terminal
SWITCH(config)# service dhcp
SWITCH(config)# bridge
SWITCH(bridge)# vlan create 100
SWITCH(bridge)# vlan add 100 1-4,10 tagged
SWITCH(bridge)# exit
SWITCH(config)# interface 100
SWITCH(config-if[100])# ip address 192.168.15.2/24
SWITCH(config-if[100])# no shutdown
SWITCH(config-if[100])# exit
SWITCH(config)# ip dhcp pool DHCP-SERVER-VLAN100
SWITCH(config-dhcp[DHCP-SERVER-VLAN100])# network 192.168.15.0/24
SWITCH(config-dhcp[DHCP-SERVER-VLAN100])# default-router 192.168.15.1
SWITCH(config-dhcp[DHCP-SERVER-VLAN100])# range 192.168.15.100 192.168.15.240
SWITCH(config-dhcp[DHCP-SERVER-VLAN100])# dns-server 172.16.16.240 8.8.8.8
SWITCH(config-dhcp[DHCP-SERVER-VLAN100])# fixed-address 192.168.15.11 00:d0:cb:d8:ad:61
SWITCH(config-dhcp[DHCP-SERVER-VLAN100])# exit
www.dasannetwo
www.dasannetwo
service dhcp
ip dhcp snooping
ip dhcp snooping vlan 100,200
ip dhcp snooping trust 10-12
www.dasannetwo
17. DHCP Snooping and ARP Inspection blocking static IPs (1)
1. FIRST configure DHCP Snooping as in previous
slide
2. ARP Access List
You can exclude a given range of IP addresses from
the ARP inspection using ARP access lists. ARP access lists
are created by the arp access-list command on the Global
Configuration mode. ARP access list permits or denies the
ARP packets of a given range of IP addresses.
www.dasannetwo
17. DHCP Snooping and ARP Inspection blocking static IPs (2)
4. Enabling ARP Inspection Filtering
To enable/disable the ARP inspection filtering of a certain
range of IP addresses from the ARP access list, use the
following command. ARP inspection actually runs in the
system after the configured ARP access list applies to
specific VLAN using the ip arp inspection filter command.
5. ARP Inspection
ARP provides IP communication by mapping an IP address to a MAC address. However, a malicious user can attack ARP
caches of systems by intercepting the traffic intended for other hosts on the subnet. For example, Host B generates a
broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP
address of Host A. If Host C responses with an IP address of Host A (or B) and a MAC address of Host C, Host A and Host B can
use Host C s MAC address as the destination MAC address for traffic intended for Host A and Host B. ARP Inspection is a
security feature that validates ARP packets in a network. It discards ARP packets with invalid IP-MAC address binding.
6. ARP Inspection Start Time
This function sets the time before ARP inspection starts to
run. Before setting this, ARP inspection should be turned on.
ARP inspect ion checks validity of incoming ARP packets by
using DHCP snooping binding table and denies the ARP
packets if they are not identified in the table. However,
the V5812G may be rebooted with any reason, then DHCP
snooping binding table entries, which are dynamically
learned from DHCP packets back and forth the V5812G ,
would be lost. Thus, ARP inspection should be delayed to
start during some time so that DHCP snooping table can
build entries. If no time given, ARP inspection sees
empty snooping table and drop every ARP packet.
If You are using arp inspection and want to enable communication (L2), between ONTs on the same GPON PORT,
You should to disable PORT-PORT BRIDGE feature and set ARP alias for IPs which should communicate each
other.
ARP Alias
Although clients are joined in the same client switch, it may be impossible to communicate between them for
security reasons. When you need to make them communicate each other, the V5812G supports ARP alias, which
responses the ARP request from client net through the concentrating switch.
www.dasannetwo
17. DHCP Snooping and ARP Inspection blocking static IPs (3)
DHCP Snooping Database Agent
When the DHCP snooping is enabled, the system uses the
DHCP snooping binding database to store information about
untrusted interfaces. Each database entry (binding) has an IP
address, associated MAC address, lease time, interface to
which the binding applies and VLAN to which the interface
belongs. You can save the current binding entries in a file
at a remote location (TFTP server). Upon reloading, the
switch can read the file to build the DHCP snooping database
for the binding. The system keeps the current file by writing to
the file as the database changes.
www.dasannetwo
17. DHCP Snooping and ARP Inspection blocking static IPs (4) - EXAMPLE
EXAMPLE TARGETs:
allow communication to the network for hosts which received IP addresses from DHCP servers connected
on ports 10-12 side,
blocking static IP addresses
allow communication on the same gpon ports for range: 172.16.16.30 ~ 172.16.16.90
SWITCH(config)# service dhcp
SWITCH(config)# ip dhcp snooping
SWITCH(config)# ip dhcp snooping vlan 100,200
SWITCH(config)# ip dhcp snooping trust 10-12
SWITCH(config)# arp access-list ACL
SWITCH(config-arp-acl[ACL])# permit dhcp-snoop-inspection
SWITCH(config-arp-acl[ACL])# exit
SWITCH(config)# ip arp inspection trust port 10-12
SWITCH(config)# ip arp inspection filter ACL vlan 100,200
SWITCH(config)# ip dhcp snooping arp-inspection start 3600
SWITCH(config)# ip arp inspection vlan 100,200
If You are using arp inspection and want to enable
communication (L2), between ONTs on the same
GPON PORT, You should disable PORT-PORT
BRIDGE feature and set ARP alias for IPs which
should communicate each other:
SWITCH(config)# bridge
SWITCH(bridge)# port port-bridge disable 1
SWITCH(bridge)# exit
SWITCH(config)#
arp
alias
172.16.16.30
172.16.16.90
IPs from this range can communicate each other
www.dasannetwo
www.dasannetwo
www.dasannetwo
www.dasannetwo
www.dasannetwo
www.dasannetwo
SWITCH(config)# ip dhcp option format circuit-gpon (used for Clients behind ONT)
SWITCH(dhcp-opt[circuit-gpon])# attr 1 type 1 length variable value string %MAC
SWITCH(dhcp-opt[circuit-gpon])# attr 2 type 2 length variable value string %VID
SWITCH(dhcp-opt[circuit-gpon])# attr 3 type 3 length variable value string %ONU-ID
SWITCH(dhcp-opt[circuit-gpon])# attr 4 type 4 length variable value string %ONU_SERIAL_NUM
SWITCH(dhcp-opt[circuit-gpon])# exit
SWITCH(config)# ip dhcp option format circuit-uplink (used for DHCP Clients connected to OLT uplink
ports)
SWITCH(dhcp-opt[circuit-uplink])# attr 1 type 1 length variable value string %MAC
SWITCH(dhcp-opt[circuit-uplink])# attr 2 type 2 length variable value string %VID
SWITCH(dhcp-opt[circuit-uplink])# exit
SWITCH(config)# ip dhcp option82
SWITCH(config-opt82)# trust default permit
SWITCH(config-opt82)# system-circuit-id port-type physical
SWITCH(config-opt82)# system-remote-id option format remote
SWITCH(config-opt82)# system-circuit-id 1-4 option format circuit-gpon
SWITCH(config-opt82)# system-circuit-id 5-8 option format circuit-uplink
www.dasannetwo
www.dasannetwo
SWITCH(config)# ip multicast-routing
SWITCH(bridge)# vlan create 100 - Subscriber VLAN
SWITCH(bridge)# vlan create 200 - Uplink VLAN
SWITCH(bridge)# vlan add 100 1 tagged
SWITCH(bridge)# vlan add 200 12 tagged
SWITCH(config)# interface 100
SWITCH(config-if[100])# ip address 10.1.1.254/24
SWITCH(config-if[100])# ip pim sparse-mode passive
SWITCH(config-if[100])# no shutdown
SWITCH(config-if[100])#
SWITCH(config)# interface 200
SWITCH(config-if[200])# ip address 100.1.1.254/24
SWITCH(config-if[200])# ip pim sparse-mode
SWITCH(config-if[200])# no shutdown
SWITCH(config-if[200])# exit
SWITCH(config)# ip pim rp-address 100.1.1.254
SWITCH(config)# ip igmp snooping vlan 100
SWITCH(config)# ip igmp snooping vlan 100 version 2
SWITCH(config)# ip igmp snooping vlan 100 immediate-leave
SWITCH(config)# show ip pim interface
SWITCH(config)# show ip pim mroute
SWITCH(config)# show ip pim local-members
www.dasannetwo
www.dasannetwo
EXAMPLE:
Enable OSPF routing:
SWITCH(config) # router OSPF 1
Router ID (IP address format):
SWITCHG(config-router)# router-id 1.1.1.1
Add network to the OSPF:
SWITCH(config-router)# network 10.10.10.0/24 area
0
SWITCH(config-router)# network 172.16.16.0/24
area 0
www.dasannetwo
EXAMPLE:
SWITCH(config)# ip igmp snooping vlan
200
SWITCH(config)# ip unknown-multicast
block
www.dasannetwo
STEP 2
To access web-based GUI, open a web browser and enter the
IP address of the V8240 on URL address bar:
http://A.B.C.D ip address of V8240
STEP 3
A new window is displayed on the screen as the following figure, it
will require you to set your login ID and password when you first
access the web interface. The default account is admin with no
password. Click on Send button.
www.dasannetwo
www.dasannetwo
THANK YOU
www.dasannetwo