L2 Abilities

ARP Table

ARP stands for Address Resolution Protocol, which is a protocol used to map a network layer address (such as an IP address) to a physical address (such as a MAC address) in a local network. It is necessary because data communication on a local network requires the physical address of a destination device to transmit data frames.

When a device needs to send data to another device on the same local network, it checks its ARP table (also called ARP cache) to see if it already has the MAC address of the destination device. If the MAC address is not found in the ARP table, the device sends an ARP request to ask for the MAC address of the destination device. The destination device responds to the ARP request with its MAC address, and the requesting device adds the MAC address to its ARP table for future use.

The ARP table is a table that stores the mapping between IP addresses and MAC addresses that have been learned by the device through ARP requests and responses. It is a crucial component of a device’s network stack as it enables efficient and accurate communication with other devices on the same local network.

Each ARP entry in an ARP table has four fields: L3 Address``( IP Address), ``L2 Address``( MAC Address), ``Interface, and State.

Entry States are:

  • Permanent: This entry never expires and doesn’t need verification.

  • Noarp: Normally expires but doesn’t need verification.

  • Reachable: Verified and will normally expire.

  • Stale: Still usable but needs verification.

  • Delay: ARP request is scheduled.

  • Probe: ARP request is sending.

  • Incomplete: First ARP request sent.

show ip arp [IFNAME]

The command is used to display the Address Resolution Protocol (ARP) cache or ARP table.

  • IFNAME: (Optional) specifies the name of the interface for which the ARP table is to be displayed. If this parameter is omitted, the command displays the ARP table for all interfaces.

Example:

In this example, the command displays the ARP table for all interfaces. The table shows that the IP address 200.1.2.2 has been learned and is associated with the MAC address 02:fe:6e:7f:c7:75 through interface ge0. The state column indicates that this entry is verified and reachable.

clear ip arp [IFNAME A.B.C.D]

The command is used to clear the ARP cache on the device.

  • interface: (Optional) Specifies the name of the interface. This option clears the ARP cache entries for the specified interface. If this option is not specified, the command clears the ARP cache for all interfaces.

  • address: (Optional) Specifies the IP address of the ARP entry to be cleared. If this option is not specified, the command clears all the entries in the ARP cache.

For example, to clear the ARP cache for interface ge0, the command would be:

soodar# clear ip arp ge0

To clear a specific ARP entry with IP address 192.168.1.1 on interface ge0, the command would be:

soodar# clear ip arp ge0 192.168.1.1

VLAN

VLAN stands for Virtual Local Area Network, and it is a technology used in computer networking that allows the creation of logical network segments within a single physical network. A VLAN essentially enables a network administrator to logically divide a single switch into multiple, independent switches.

VLANs have several benefits, including improved network performance and security. They can be used to reduce network congestion by isolating traffic to specific VLANs, improving overall network performance. VLANs can also help improve network security by enabling network administrators to implement different security policies for each VLAN, preventing unauthorized access to specific network resources.

Subinterfaces

A subinterface is a logical interface that is created on a physical interface of the device. It allows the physical interface to be divided into multiple logical interfaces, each with its unique network address and VLAN membership.

Once the subinterface is created, you can configure it with its IP address, subnet mask, and VLAN membership using the same commands as you would use for a regular interface. Additionally, you can configure access control lists (ACLs), and other network settings specific to the subinterface.

interface IFNAME.(0-4095)

Creates a subinterface.

  • IFNAME: Refers to the name of the physical interface on which the subinterface is being created.

  • (0-4095): Subinterface identifier.

Note

Subinterface identifier and VLAN identifier could be different. Although it is recommended that both be the same.

Example :

soodar(config)# interface ge1.100
encapsulation dot1q (1-4094) [exact] [second-dot1q (1-4094)]

This command is used to configure 802.1Q VLAN tagging on a subinterface. The options and their meanings are:

  • (1-4094): specifies the VLAN ID that is being configured. The VLAN ID can range from 1 to 4094.

  • exact: (Optional) Specifies that input packets must have the same number of VLAN tags as the configuration.

  • second-dot1q (1-4094): (optional) specifies a second VLAN ID to be used for the inner tag in a QinQ configuration. This is only used when the interface is configured for QinQ encapsulation.

Note

Although we can add two tags, it’s a good practice to use dot1ad encapsulation for this purpose since dot1q was designed for one tag, and adding two tags, heavily depends on router implementation and its configuration.

Note

A subinterface before this command is not ready to use and can’t be added to bridges.

encapsulation dot1ad (1-4094) dot1q (1-4094)

This command is used in devices to configure a double VLAN tagging protocol, also known as QinQ. QinQ is used to allow service providers to extend VLANs across their network while maintaining the customers’ VLAN IDs.

The command has the following parameters:

  • dot1ad (1-4094): This specifies the outer VLAN ID and is also known as the Service VLAN ID (S-VID). The range of valid VLAN IDs is from 1 to 4094.

  • dot1q (1-4094): This specifies the inner VLAN ID and is also known as the Customer VLAN ID (C-VID). The range of valid VLAN IDs is from 1 to 4094.

This command can be used in interfaces that support QinQ. When an interface is configured with this command, it will add two tags to the Ethernet frame, with the outer tag representing the service provider’s VLAN ID and the inner tag representing the customer’s VLAN ID.

encapsulation default

All packets with VLAN IDs not matched to other subinterfaces are sent to this subinterface

Example :

soodar(config)# interface ge1.100
soodar(config-if)# encapsulation dot1q 100
soodar(config-if)# ip address 200.1.2.20/24
soodar(config-if)# interface ge1.200
soodar(config-if)# encapsulation default

Tag rewrite

An interface can be set up to add or remove( and in the future, translate) VLAN tags.

rewrite tag push <1|2> <dot1q|dot1ad> (0-4095) [(0-4095)]

Push 1 or 2 tags to ingress traffic. The no form negates all changes caused by this command.

Note

if dot1ad is used, only the first tag is dot1ad and the second tag is dot1q

rewrite tag pop <1|2>

Pop 1 or 2 tags from ingress traffic. The no form negates all changes caused by this command.

Example :

soodar(config)# int ge2
soodar(config-if)# rewrite tag push 1 dot1q 300

Bridge

A bridge is a networking device that connects multiple network segments together and forwards traffic between them. Bridges operate at the Data Link Layer (Layer 2) of the OSI model and are used to divide large networks into smaller, more manageable subnetworks.

Add an interface to a bridge

bridge-group (1-65535) [split-horizon group (0-255)]

Add an interface to a bridge-group. The bridge-group is identified by a number. When a new packet arrives at the interface, if the destination MAC address is not available in the bridge-group MAC table, the packet is flooded to all interfaces in the same bridge-group( except the one from which it was received and the ones who share the same split-horizon group with interface).

A split-horizon group of 0 means the interface is not in any split-horizon group and is the default value for SHG.

  • (1-65535): specifies the bridge group number to which the interface is assigned. The range is from 1 to 65535.

  • (0-255): (optional) enables the split horizon feature for the specified bridge group number. Split horizon is a technique used in bridged networks to prevent loops by not advertising routes back out the interface on which they were learned. The range is from 0 to 255.

Example : .. code-block:: frr

n1(config-if)# bridge-group 600 split-horizon group 2

Debugging bridge

show bridge (1-65535)

Example :

n1(config)# do sh bridge 600
 |--------------------------------------------------|
 | Domain | Interface   | Split-Horizon Group | BVI |
 |--------+-------------+---------------------+-----|
 | 600    | loopback4   | 0                   | *   |
 |--------+-------------+---------------------+-----|
 |        | ge1         | 0                   | -   |
 |--------------------------------------------------|

Monitoring traffic

To monitor incoming/outgoing traffics of the device interfaces, SoodarOS provides 2 tools:

  • SPAN

  • Trace

SPAN

SPAN stands for Switched Port Analyzer, which is a feature that allows network administrators to monitor network traffic passing through the device. SPAN enables the administrator to copy or mirror network traffic from one or more source ports to a destination port. This can be useful for network troubleshooting, security analysis, and performance monitoring. With SPAN, administrators can capture and analyze traffic without disrupting the normal operation of the network.

SPAN is also known as port mirroring or port monitoring.

Configuration

Each monitor session can have multiple source interfaces. But only one destination interface.

monitor session (1-66) source interface INTERFACE [both|rx|tx]

The command is used to specify the source of the SPAN session, which can be an interface or VLAN

  • (1-66): is the number assigned to the SPAN session. Valid values are from 1 to 66.

  • INTERFACE is the interface or VLAN to be monitored. This can be a physical or logical interface.

  • both: specifies that both ingress and egress traffic on the interface will be monitored.

  • rx: specifies that only ingress traffic on the interface will be monitored.

  • tx: rx specifies that only egress traffic on the interface will be monitored.

Note

A session is not established unless a valid destination is available.

Note

By default both ingress and egress traffic will be monitored.

monitor session (1-66) destination interface INTERFACE

The destination interface option is used to specify the interface where the copied traffic will be sent to for analysis. This command can be used in conjunction with the source interface option to define the source ports for the SPAN session.

  • (1-66): Specifies the session number for the SPAN session. This number can range from 1 to 66.

  • INTERFACE: Specifies the interface that will be used as the destination for the copied traffic. This can be a physical interface or a VLAN interface.

Example :

soodar(config)# monitor session 12 source interface ge0
soodar(config)# monitor session 12 destination interface ge3
soodar(config)# interface ge3
soodar(config-if)# no shutdown

The commands configure a :abbr:`SPAN (Switched Port Analyzer)` session with session number 12. The SPAN session copies traffic from the source interface ge0 and sends it to the destination interface ge3.

The last command no shutdown enables the interface ge3.

Note

Since the exact packet is mirrored on port( without changing anything), the interface on the receiver side must be in promiscuous mode

Trace

A capturing tool to save traffics as pcap and export them for further analyzes.

monitor capture start

Start capturing traffic. User can provide the interface to be captured( default all interfaces traffics are captured), the direction of traffic to be captured(in, out or both) and limit the number of captured packets( default is 100).

monitor capture stop

Stop the current capturing process and save captured pcap.

Note

Currently only one capture is stored in memory. So starting a new capture will overwrite the previous one.

monitor capture export scp:

Export the stored capture pcap to a remote server.

Note

scp URI is: scp:[user]:[password]@[host]:[address]

monitor dispatch-trace start

Start capturing traffic with Dataplane debugging info( viewable by wireshark). The only parameters settable by admin is the limit of captured packets

Note

Each incoming/outgoing packet could produce 2 or more dispatch-trace packets. This is because each step is individually stored in pcap.

Warning

Generated pcaps in this way could become very huge in size( hundereds of megabytes and more).

Warning

Using this trace could cause performance degradation( and in rare cases instability of system).

monitor dispatch-trace stop

Stop current dispatch tracing process and save resulst as a pcap file.

monitor dispatch-trace export scp:

Export the stored dispatch trace pcap to a remote server.

Logging

Debugging logs can be set in case of need.

debug vlan event

log data plane installation processes and results

debug bridge event

log data plane installation processes and results

debug span event

log data plane installation processes and results

LACP

LACP stands for Link Aggregation Control Protocol. It is a protocol used in computer networking to bundle multiple physical links into a single logical link to increase bandwidth and provide redundancy. LACP is used in conjunction with the Link Aggregation Group (LAG) to automatically detect and configure the bundled links between switches, routers, or servers. LACP allows the end devices to exchange information about the physical links and decide which ones should be bundled together to form the logical link.

LACP provides several benefits, including:

  • Increased bandwidth: By bundling multiple physical links, the logical link can provide higher bandwidth than a single link.

  • Redundancy: In the event that one of the physical links fails, traffic can be automatically rerouted through the remaining links.

  • Load balancing: LACP can distribute traffic across the bundled links to optimize network performance.

LACP is defined in the IEEE 802.3ad standard and is supported by many networking devices, Soodar.

Bundle interface

A bundle interface refers to a logical interface that combines multiple physical interfaces into a single logical interface for increased bandwidth and redundancy. This is also known as link aggregation or port-channeling.

When multiple physical interfaces are combined into a bundle interface, they appear as a single logical interface to the network. This logical interface can then be configured with an IP address and other network settings, just like a physical interface.

interface bundle-ether (1-65535)

creates a bundle interface that can be used to bundle multiple physical interfaces into a single logical interface.

  • (1-65535): is the number of the bundle interface, from 1 to 65535.

set mode <rr|xor|active-backup|broadcast|lacp> <l2|l23|l34>

Enslave an interface

bundle id (1-65535)

Enslave an interface to the bundle interface with the given ID. The no form detaches an interface from the bundle.

Note

Slave interface should be up.

Note

Slave interfaces should not have any valid IPs any subinterface and should not be in a bridge group.

Note

Subinterfaces should be created on bundle-ether interfaces.

Example :

soodar(config)# interface ge0
soodar(config-if)# bridge-group 100
soodar(config-if)# quit
soodar(config)# interface ge1
soodar(config-if)# ip address 10.0.0.1/16
soodar(config-if)# quit
soodar(config)# interface bundle-ether 55
soodar(config-if)# set mode lacp l23
soodar(config-if)# ip address 192.168.1.22/24
soodar(config-if)# quit
soodar(config)# interface ge0
soodar(config-if)# no shutdown
soodar(config-if)# no bridge-group 100
soodar(config-if)# bundle id 55
soodar(config-if)# quit
soodar(config)# interface ge0
soodar(config-if)# no ip address 10.0.0.1/16
soodar(config-if)# bundle id 55

Logging

Debugging logs can be set in case of need.

debug bond event

log data plane installation processes and results

Port Security

Port security is a feature that provides Layer 2 security by allowing the switch to restrict input to an interface by limiting and identifying MAC addresses of the devices that are allowed to connect to the interface. Port security helps prevent unauthorized access to a network by controlling the number of allowed devices and limiting their location to specific switch ports. This feature can also be configured to dynamically learn and store MAC addresses and limit the number of MAC addresses per port.

Commands

port-security mac-address sticky X:X:X:X:X:X

The command is used to configure port security with sticky MAC addresses. When this command is executed, the router dynamically learns the MAC address and adds it to the running configuration as a sticky MAC address. This ensures that only the specific devices with the sticky MAC addresses are allowed to connect to the port. Sticky MAC addresses are saved in the configuration file and retained across router reboots. When a device is connected to a switch port with port security enabled, the MAC address of that device is dynamically learned and stored in the secure address table( if the maximum address configuration is met). Subsequent traffic from that MAC address is allowed on the port, while traffic from any other MAC address is blocked.

  • X:X:X:X:X:X: is the MAC address that you want to configure as a sticky MAC address. It should be in the format of six groups of two hexadecimal digits separated by colons.

port-security maximum (1-100)

The command is used to set the maximum number of learned secure MAC addresses allowed on a port. When this limit is reached, the switch will restrict the port.

  • (1-100): is the maximum number of secure MAC addresses allowed on the port. The value can range from 1 to 100.

show port-security address [IFNAME]

The command can be used to view the learned MAC addresses, and the total secure MAC addresses allowed on the interface.

Note

this command only displays the secure MAC addresses and does not display any other MAC addresses learned by the switch. To see all MAC addresses learned by the device, use the show ip arp command.

show port-security interface [IFNAME]

The command displays the port security settings and status for a specific interface. It provides information about the number of secure MAC addresses that have been configured on the interface and the current secure MAC addresses.

  • IFNAME: is the name of the interface that you want to view the port security configuration and status for.