IBM RackSwitch G8000 Application Manual Download Page 205 | Manualshive

Page: 205 / 362

background image

© Copyright IBM Corp. 2011

Chapter 17. IPsec with IPv6

203

Chapter 17. IPsec with IPv6

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol

(IP) communications by authenticating and encrypting each IP packet of a

communication session. IPsec also includes protocols for establishing mutual

authentication between agents at the beginning of the session and negotiation of

cryptographic keys to be used during the session.

Since IPsec was implemented in conjunction with IPv6, all implementations of IPv6

must contain IPsec. To support the National Institute of Standards and Technology

(NIST) recommendations for IPv6 implementations, IBM Networking OS IPv6

feature compliance has been extended to include the following IETF RFCs, with an

emphasis on IP Security (IPsec) and Internet Key Exchange version 2, and

authentication/confidentiality for OSPFv3:
•

RFC 4301 for IPv6 security

•

RFC 4302 for the IPv6 Authentication Header

•

RFCs 2404, 2410, 2451, 3602, and 4303 for IPv6 Encapsulating Security
Payload (ESP), including NULL encryption, CBC-mode 3DES and AES ciphers,
and HMAC-SHA-1-96.

•

RFCs 4306, 4307, 4718, and 4835 for IKEv2 and cryptography

•

RFC 4552 for OSPFv3 IPv6 authentication

•

RFC 5114 for Diffie-Hellman groups

Note:

This implementation of IPsec supports DH groups 1, 2, 5, 14, and 24.

The following topics are discussed in this chapter:
•

“IPsec Protocols” on page 203

•

“Using IPsec with the RackSwitch G8000” on page 204

IPsec Protocols

The IBM N/OS implementation of IPsec supports the following protocols:
•

Authentication Header (AH)
AHs provide connectionless integrity outand data origin authentication for IP
packets, and provide protection against replay attacks. In IPv6, the AH protects
the AH itself, the Destination Options extension header after the AH, and the IP
payload. It also protects the fixed IPv6 header and all extension headers before
the AH, except for the mutable fields DSCP, ECN, Flow Label, and Hop Limit. AH
is defined in RFC 4302.

•

Encapsulating Security Payload (ESP)
ESPs provide confidentiality, data origin authentication, integrity, an anti-replay
service (a form of partial sequence integrity), and some traffic flow confidentiality.
ESPs may be applied alone or in combination with an AH. ESP is defined in RFC
4303.

•

Internet Key Exchange Version 2 (IKEv2)
IKEv2 is used for mutual authentication between two network elements. An IKE
establishes a security association (SA) that includes shared secret information to
efficiently establish SAs for ESPs and AHs, and a set of cryptographic algorithms
to be used by the SAs to protect the associated traffic. IKEv2 is defined in RFC
4306.

Using IKEv2 as the foundation, IPsec supports ESP for encryption and/or

authentication, and/or AH for authentication of the remote partner.

«
...
203
204
205
206
207
...
»

Summary of Contents for RackSwitch G8000

Page 1: ...RackSwitch G8000 Application Guide...

Page 2: ......

Page 3: ...RackSwitch G8000 Application Guide...

Page 4: ...Environmental Notices and User Guide documents on the IBM Documentation CD and the Warranty Information document that comes with the product First Edition November 2011 Copyright IBM Corporation 2011...

Page 5: ...nfiguration 31 Domain Specific BOOTP Relay Agent Configuration 32 Switch Login Levels 33 Setup vs the Command Line 34 Chapter 2 Initial Setup 35 Information Needed for Setup 35 Default Setup Options 3...

Page 6: ...61 Logging into an End User Account 62 Chapter 5 Authentication Authorization Protocols 63 RADIUS Authentication and Authorization 63 How RADIUS Authentication Works 63 Configuring RADIUS on the Switc...

Page 7: ...VLAN Topologies and Design Considerations 99 Multiple VLANs with Tagging Adapters 99 VLAN Configuration Example 101 Protocol Based VLANs 102 Port Based vs Protocol Based VLANs 103 PVLAN Priority Leve...

Page 8: ...126 Port States 126 RSTP Configuration Guidelines 126 RSTP Configuration Example 126 Multiple Spanning Tree Protocol 127 MSTP Region 127 Common Internal Spanning Tree 127 MSTP Configuration Guidelines...

Page 9: ...n an Existing Stack 159 Replacing or Removing Stacked Switches 161 Removing a Switch from the Stack 161 Installing the New Switch or Healing the Topology 161 Binding the New Switch to the Stack 162 IS...

Page 10: ...tion 195 IPv6 Interfaces 196 Neighbor Discovery 197 Supported Applications 199 Configuration Guidelines 201 IPv6 Configuration Examples 202 Chapter 17 IPsec with IPv6 203 IPsec Protocols 203 Using IPs...

Page 11: ...figuration 231 Troubleshooting 234 Additional IGMP Features 236 FastLeave 236 IGMP Filtering 236 Static Multicast Router 238 Chapter 20 Multicast Listener Discovery 239 MLD Terms 240 How MLD Works 241...

Page 12: ...ords 267 Configuring MD5 Authentication 268 Host Routes for Load Balancing 269 Loopback Interfaces in OSPF 269 OSPF Features Not Supported in This Release 270 OSPFv2 Configuration Examples 270 Example...

Page 13: ...00 Active Active Redundancy 301 Virtual Router Group 301 IBM N OS Extensions to VRRP 302 Virtual Router Deployment Considerations 303 High Availability Configurations 304 VRRP High Availability Using...

Page 14: ...ion 328 Saving the Switch Configuration 328 Saving a Switch Dump 329 Part 8 Monitoring 331 Chapter 28 Remote Monitoring 333 RMON Overview 333 RMON Group 1 Statistics 333 RMON Group 2 History 334 Histo...

Page 15: ...Documentation format 351 Electronic emission notices 352 Federal Communications Commission FCC statement 352 Industry Canada Class A emission compliance statement 352 Avis de conformit la r glementat...

Page 16: ...16 RackSwitch G8000 Application Guide...

Page 17: ...ation and statistics This chapter discusses a variety of manual administration interfaces including local management via the switch console and remote administration via Telnet a web browser or via SN...

Page 18: ...single aggregate switch entity Chapter 14 VMready discusses virtual machine VM support on the G8000 Part 5 IP Routing Chapter 15 Basic IP Routing describes how to configure the G8000 for IP routing us...

Page 19: ...anagement Protocol describes how to configure the switch for management through an SNMP client Part 8 Monitoring Chapter 28 Remote Monitoring describes how to configure the RMON agent on the switch so...

Page 20: ...r placeholder Replace the indicated text with the appropriate real name or value when using the command Do not type the brackets To establish a Telnet session enter host telnet IP address This also sh...

Page 21: ...with your product provides details for contacting a customer support representative If you are unable to locate this information please contact your reseller Before you call prepare the following inf...

Page 22: ...20 RackSwitch G8000 Application Guide...

Page 23: ...Copyright IBM Corp 2011 21 Part 1 Getting Started...

Page 24: ...22 RackSwitch G8000 Application Guide...

Page 25: ...on or an optional Telnet or SSH session The built in Browser Based Interface BBI available using a standard web browser SNMP support for access through network management software such as IBM Director...

Page 26: ...an IPv6 address can be obtained using IPv6 stateless address configuration Note Throughout this manual IP address is used in places where either an IPv4 or IPv6 address is allowed IPv4 addresses are e...

Page 27: ...ork management system or a Web browser For more information see the documents listed in Additional References on page 17 Using Telnet A Telnet connection offers the convenience of accessing the switch...

Page 28: ...on at that time Similarly the system will fail to do the key generation if a SSH SCP client is logging in at that time The supported SSH encryption and authentication methods are Server Host Authentic...

Page 29: ...access the BBI is port 80 However you can change the default Web server port with the following command To access the BBI from a workstation open a Web browser window and type in the URL using the IP...

Page 30: ...n a client such as a web browser connects to the switch the client is asked to accept the certificate and verify that the fields match what is expected Once BBI access is granted to the client the BBI...

Page 31: ...avigation Window This window provides a menu list of switch features and functions System this folder provides access to the configuration elements for the entire switch Switch Ports Configure each of...

Page 32: ...the switch The default read community string on the switch is public and the default write community string is private The read and write community strings on the switch can be changed using the follo...

Page 33: ...lient The request is forwarded as a UDP Unicast MAC layer message to the BOOTP DHCP servers configured for the client s VLAN or to the global BOOTP DHCP servers if no domain specific BOOTP DHCP server...

Page 34: ...is using the following commands Domain Specific BOOTP Relay Agent Configuration Use the following commands to configure up to five domain specific BOOTP relay agents for each of up to 10 VLANs As with...

Page 35: ...gure and troubleshoot problems on the G8000 Because administrators can also make temporary operator level changes as well they must be aware of the interactions between temporary and permanent changes...

Page 36: ...plete access to the switch If the switch is still set to its factory default configuration the system will ask whether you wish to run Setup see Initial Setup on page 35 a utility designed to help you...

Page 37: ...Whether to use VLAN tagging or not as appropriate Optional configuration for each VLAN Name of VLAN Which ports are included in the VLAN Optional configuration of IP parameters IP address mask and VLA...

Page 38: ...Basic System Configuration When Setup is started the system prompts 1 Enter y if you will be configuring VLANs Otherwise enter n If you decide not to configure VLANs during this session you can config...

Page 39: ...second press Enter The system then displays the date and time settings 8 Turn Spanning Tree Protocol on or off at the prompt Enter y to turn off Spanning Tree or enter n to leave Spanning Tree on Setu...

Page 40: ...iation mode If you selected a port that has a Gigabit Ethernet connector the system prompts Enter on to enable port autonegotiation off to disable it or press Enter to keep the current setting 5 If co...

Page 41: ...this VLAN When you are finished adding ports to this VLAN press Enter without specifying any port 4 Configure Spanning Tree Group membership for the VLAN 5 The system prompts you to configure the next...

Page 42: ...nterface enter the IP address in IPv4 dotted decimal notation To keep the current setting press Enter 3 At the prompt enter the IPv4 subnet mask in dotted decimal notation To keep the current setting...

Page 43: ...s are currently supported They can be configured using the following commands Using Loopback Interfaces for Source IP Addresses The switch can use loopback interfaces to set the source IP addresses fo...

Page 44: ...ed When all default gateways have been configured press Enter without specifying any number IP Routing When IP interfaces are configured for the various IP subnets attached to your switch IP routing b...

Page 45: ...at the prompt Enter y to apply the changes or n to continue without applying Changes are normally applied 4 At the prompt decide whether to make the changes permanent Enter y to save the changes to fl...

Page 46: ...p is optional Perform this procedure only if you are planning on connecting to the G8000 through a remote Telnet connection 1 Telnet is enabled by default To change the setting use the following comma...

Page 47: ...ON Although the typical upgrade process is all that is necessary in most cases upgrading from or reverting to some versions of IBM Networking OS requires special steps prior to or after the software i...

Page 48: ...is normally relative to the FTP or TFTP directory usually tftpboot 5 Enter your username for the server if applicable If entering an FTP server username you will also be prompted for the password The...

Page 49: ...onfiguration mode to select which software image image1 or image2 you want to run in switch memory for the next reboot The system will then verify which image is set to be loaded at the next reset 7 R...

Page 50: ...Management Menu The Boot Management menu allows you to switch the software image reset the switch to factory defaults or to recover from a failed software download You can interrupt the boot process a...

Page 51: ...t characteristics Speed 9600 bps Data Bits 8 Stop Bits 1 Parity None Flow Control None 3 Boot the switch and access the Boot Management menu by pressing Shift B while the Memory Test is in progress an...

Page 52: ...see the following message change the Serial Port characteristics to 115200 bps 10 Press Enter to continue the download yzModem CRC mode 62494 SOH 0 STX 0 CAN packets 6 retries Extracting images Do NO...

Page 53: ...following is displayed 13 When you see the following message change the Serial Port characteristics to 9600 bps 14 Press the Escape key Esc to re display the Boot Management menu 15 Select 4 to exit a...

Page 54: ...52 RackSwitch G8000 Application Guide...

Page 55: ...Copyright IBM Corp 2011 53 Part 2 Securing the Switch...

Page 56: ...54 RackSwitch G8000 Application Guide...

Page 57: ...s between a remote administrator and the switch SSH is a protocol that enables remote administrators to log securely into the G8000 over a network to execute management commands SCP is typically used...

Page 58: ...rd is admin Using SSH and SCP Client Commands This section shows the format for using some client commands The following examples use 205 178 15 157 as the IP address of a sample switch To Log In to t...

Page 59: ...he new and the current configurations putcfg_apply runs the apply command after the putcfg is done putcfg_apply_save saves the new configuration to the flash after putcfg_apply is done The putcfg_appl...

Page 60: ...e G8000 through the console port commands are not available via external Telnet connection and enter the following command to generate it manually When the switch reboots it will retrieve the host key...

Page 61: ...ername ace to bypass the SSH authentication After an SSH connection is established you are prompted to enter the username and password the SecurID authentication is being performed now Provide your us...

Page 62: ...e user password on the Radius server Radius authentication and user password cannot be used concurrently to access the switch Passwords for end users can be up to 128 characters in length for TACACS R...

Page 63: ...abled before the switch recognizes and permits login under the account Once enabled the switch requires any user to enter both username and password Listing Current Users The following command display...

Page 64: ...ing into an End User Account Once an end user account is configured and enabled the user can login to the switch using the username password combination The level of switch access is determined by the...

Page 65: ...cation consists of the following components A protocol with a frame format that utilizes UDP over IP based on RFC 2138 and 2866 A centralized server that stores all the user authorization information...

Page 66: ...RFC 2138 and RFC 2866 Allows RADIUS secret password up to 32 bytes and less than 16 octets Supports secondary authentication server so that when the primary authentication server is unreachable the sw...

Page 67: ...on server the switch will verify the privileges of the remote user and authorize the appropriate access The administrator has an option to allow secure backdoor access via Telnet SSH BBI Secure backdo...

Page 68: ...quires additional programmable variables such as re transmit attempts and time outs to compensate for best effort transport but it lacks the level of built in support that a TCP transport offers TACAC...

Page 69: ...etween TACACS authorization levels and N OS management access levels is shown in Table 6 Use the following command to set the alternate TACACS authorization levels If the remote user is successfully a...

Page 70: ...Command Authorization When TACACS Command Logging is enabled N OS configuration commands are logged on the TACACS server Use the following command to enable TACACS Command Logging The following exampl...

Page 71: ...this case the switch Each entry in the LDAP server is referenced by its Distinguished Name DN The DN consists of the user account name concatenated with the LDAP domain name If the user account name i...

Page 72: ...You may change the default TCP port number used to listen to LDAP optional The well known port for LDAP is 389 4 Configure the number of retry attempts for contacting the LDAP server and the timeout...

Page 73: ...t prevents access to ports that fail authentication and authorization This feature provides security to ports of the RackSwitch G8000 G8000 that connect to blade servers The following topics are discu...

Page 74: ...ator The Authenticator enforces authentication and controls access to the network The Authenticator grants network access based on the information provided by the Supplicant and the response from the...

Page 75: ...anged between the G8000 authenticator and the RADIUS server Authentication is initiated by one of the following methods The G8000 authenticator sends an EAP Request Identity packet to the client The c...

Page 76: ...off message to the G8000 authenticator the port transitions from authorized to unauthorized state If a client that does not support 802 1X connects to an 802 1X controlled port the G8000 authenticator...

Page 77: ...ll access to the port Use the 802 1X global configuration commands dot1x to configure 802 1X authentication for all ports in the switch Use the 802 1X port commands to configure a single port Guest VL...

Page 78: ...of the authenticator used for Radius communication 1 0 0 0 5 NAS Port Port number of the authenticator port to which the supplicant is attached 1 0 0 0 24 State Server specific value This is sent unm...

Page 79: ...e authenticator relays the decoded packet to both devices 1 1 1 1 80 Message Authenticator Always present whenever an EAP Message attribute is also included Used to integrity protect a packet 1 1 1 1...

Page 80: ...2 1X supplicant capability is not supported Therefore none of its ports can successfully connect to an 802 1X enabled port of another device such as another switch that acts as an authenticator unless...

Page 81: ...ACLs are configured using the following ISCLI command path VLAN Maps VMaps Up to 128 VLAN Maps are supported for attaching filters to VLANs rather than ports See VLAN Maps on page 88 for details Summa...

Page 82: ...ubnet mask Type of Service value IP protocol number or name as shown in Table 8 IPv6 header options for IPv6 ACLs only Source IPv6 address and prefix length Destination IPv6 address and prefix length...

Page 83: ...the switch treats packets that match the classifiers assigned to the ACL G8000 ACL actions include the following Pass or Drop the packet Re mark the packet with a new DiffServ Code Point DSCP Re mark...

Page 84: ...also matched And whether the ACL action is compatible with preceding ACLs ACLs are automatically divided into precedence groups as follows Precedence Group 1 includes ACL 1 128 Precedence Group 2 incl...

Page 85: ...edundant entries are ignored Individual ACLs The G8000 supports up to 512 ACLs Each ACL defines one filter rule for matching traffic criteria Each filter rule can also include an action permit or deny...

Page 86: ...r if the packet conforms to the meter the packet is classified as In Profile Out of Profile If a meter is configured and the packet does not conform to the meter exceeds the committed rate or maximum...

Page 87: ...mirroring to an ACL For IPv4 ACLs The ACL must be also assigned to it target ports as usual see Assigning Individual ACLs to a Port on page 82 or Assigning ACL Groups to a Port on page 84 For VMaps s...

Page 88: ...2 with source IP from class 2001 0 0 5 0 0 0 2 128 is denied 1 Configure an Access Control List 2 Add ACL 2 to port 2 RS G8000 config access control list 1 ipv4 destination ip address 100 10 1 1 RS G...

Page 89: ...l list 2 ethernet ethernet type arp RS G8000 config access control list 2 action deny RS G8000 config interface port 2 RS G8000 config if access control list 2 RS G8000 config if exit RS G8000 config...

Page 90: ...ypes on page 166 use the global configuration mode Note Each VMap can be assigned to only one VLAN or VM group However each VLAN or VM group may have multiple VMaps assigned to it When the optional se...

Page 91: ...it like a broadcast packet and floods it to all other ports in the VLAN broadcast domain A high rate of unknown unicast traffic can have the same negative effects as a broadcast storm Configuring Stor...

Page 92: ...90 RackSwitch G8000 Application Guide...

Page 93: ...ch Basics This section discusses basic switching functions VLANs Port Trunking Spanning Tree Protocols Spanning Tree Groups Rapid Spanning Tree Protocol and Multiple Spanning Tree Protocol Virtual Lin...

Page 94: ...92 RackSwitch G8000 Application Guide...

Page 95: ...verview Setting up virtual LANs VLANs is a way to segment networks to increase network flexibility without changing the physical network topology With network segmentation each switch port connects to...

Page 96: ...an be configured to any VLAN number between 1 and 4094 Use the following command to view PVIDs Use the following command to set the port PVID Each port on the switch can belong to one or more VLANs an...

Page 97: ...e that carries VLAN tagging information in the header This VLAN tagging information is a 32 bit field VLAN tag in the frame header that identifies the frame as belonging to a specific VLAN Untagged fr...

Page 98: ...entifier PVID 1 Figure 3 through Figure 6 illustrate generic examples of VLAN tagging In Figure 3 untagged incoming packets are assigned directly to VLAN 2 PVID 2 Port 5 is configured as a tagged memb...

Page 99: ...ment As shown in Figure 6 the tagged packet remains unchanged as it leaves the switch through port 5 which is configured as a tagged member of VLAN 2 However the tagged packet is stripped untagged as...

Page 100: ...Port 4 Port 5 Port 2 Port 3 802 1Q Switch Key Priority CFI VID User_priority Canonical format indicator VLAN identifier PVID 2 Tagged member of VLAN 2 Untagged member of VLAN 2 After DA SA Data CRC Re...

Page 101: ...32 can include multiple VLANs All ports involved in both trunking and port mirroring must have the same VLAN configuration If a port is on a trunk with a mirroring port the VLAN configuration cannot b...

Page 102: ...of VLAN 1 so tagging is disabled Server 2 This server is a member of VLAN 1 and has presence in only one IP subnet The associated switch port is only a member of VLAN 1 so tagging is disabled Server 3...

Page 103: ...ports that belong to other VLANs RS G8000 config interface port 5 RS G8000 config if tagging RS G8000 config if exit RS G8000 config interface port 19 RS G8000 config if tagging RS G8000 config if ex...

Page 104: ...tagged frame arrives the VLAN ID in the frame s tag is used Each VLAN can contain up to eight different PVLANs You can configure separate PVLANs on different VLANs with each PVLAN segmenting traffic...

Page 105: ...ports of a PVLAN have the same PVLAN priority level PVLAN Tagging When PVLAN tagging is enabled the switch tags frames that match the PVLAN protocol For more information about tagging see VLAN Taggin...

Page 106: ...in the example 5 Enable the PVLAN 6 Verify PVLAN operation RS G8000 config interface port 1 2 RS G8000 config if tagging RS G8000 config if exit RS G8000 config vlan 2 RS G8000 config vlan enable Curr...

Page 107: ...N ports are defined as follows Promiscuous A promiscuous port is a port that belongs to the primary VLAN The promiscuous port can communicate with all the interfaces including ports in the secondary V...

Page 108: ...fig vlan member 2 RS G8000 config vlan private vlan type primary RS G8000 config vlan private vlan enable RS G8000 config vlan exit RS G8000 config vlan 110 RS G8000 config vlan enable RS G8000 config...

Page 109: ...and alone non stacking mode or 64 trunks in stacking mode Two trunk types are available static trunk groups portchannel and dynamic LACP trunk groups Each type can contain up to 8 member ports dependi...

Page 110: ...h multiple links However in some networks a single logical device may include multiple physical devices such as when switches are configured in a stack or when using VLAGs see Virtual Link Aggregation...

Page 111: ...n the other switch 3 Connect the switch ports that will be members in the trunk group Trunk group 3 on the G8000 is now connected to trunk group 1 on the other switch Note In this example two G8000 sw...

Page 112: ...pected state The following restrictions apply Any physical switch port can belong to only one trunk group Up to 8 ports can belong to the same trunk group All ports in static trunks must be have the s...

Page 113: ...port can be aggregated The Link Aggregation ID LAG ID is constructed mainly from the system ID and the port s admin key as follows System ID an integer value based on the switch s MAC address and the...

Page 114: ...s association with the LACP trunk group is lost When the system is initialized all ports by default are in LACP off mode and are assigned unique admin keys To make a group of ports aggregatable you as...

Page 115: ...range of potential LACP trunk IDs is 53 104 When an LACP trunk forms the trunk ID is determined by the lowest port number in the trunk For example if the lowest port number is 1 then the LACP trunk I...

Page 116: ...mbinations is required Source MAC address smac Destination MAC address dmac Both source and destination MAC address IPv4 IPv6 source IP address sip IPv4 IPv6 destination IP address dip Both source and...

Page 117: ...configures the network so that only the most efficient path is used If that path fails STP automatically configures the best alternative active path on the network to sustain network operations RSTP i...

Page 118: ...ree automatically sets up another active path on the network to sustain network operations N OS PVRST mode is based on IEEE 802 1w RSTP Like RSTP PVRST mode provides rapid Spanning Tree convergence Ho...

Page 119: ...rity and path cost If the ports are tagged each port sends out a special BPDU containing the tagged information The generic action of a switch on receiving a BPDU is to compare the received BPDU to it...

Page 120: ...visible by 16 the value will be automatically rounded down to the nearest valid increment whenever manually changed in the configuration or whenever a configuration file from a release prior to N OS 6...

Page 121: ...one of the links between them In this case it is desired that STP block the link between the BLADE switches and not one of the G8000 uplinks or the Enterprise switch trunk During operation if one G800...

Page 122: ...ing normal operation the port path cost is set to a higher value than other paths in the network To configure the port path cost on the switch to switch links in this example use the following command...

Page 123: ...tance of Spanning Tree is running on all the ports of the G8000 a physical loop is assumed to exist and one of the VLANs is blocked impacting connectivity even though no actual loop exists Figure 12 U...

Page 124: ...ult STG 1 If ports are tagged each tagged port sends out a special BPDU containing the tagged information Also when a tagged port belongs to more than one STG the egress BPDUs are tagged to distinguis...

Page 125: ...pply when you add ports to or remove ports from STGs When you add a port to a VLAN that belongs to an STG the port is also added to that STG However if the port you are adding is an untagged port and...

Page 126: ...rt 2 and Switch D receives the BPDU on port 1 Because there is a network loop between the switches in VLAN 1 either Switch D will block port 8 or Switch C will block port 1 depending on the informatio...

Page 127: ...d by default 3 Configure the following on Switch B Add port 8 to VLAN 2 and define STG 2 for VLAN 2 VLAN 2 is automatically removed from STG 1 By default VLAN 1 remains in STG 1 4 Configure the follow...

Page 128: ...02 1D 1998 compatible data units RSTP is not compatible with Per VLAN Rapid Spanning Tree PVRST protocol Port States RSTP port state controls are the same as for PVRST discarding learning and forwardi...

Page 129: ...up of interconnected bridges that share the same attributes is called an MST region Each bridge within the region must share the following attributes Alphanumeric name Revision number VLAN to STG mapp...

Page 130: ...in Figure 13 Figure 14 Implementing Multiple Spanning Tree Groups This example shows how multiple Spanning Trees can provide redundancy without wasting any uplink ports In this example the server port...

Page 131: ...es such as directly to hosts or servers they are placed in the forwarding state as soon as the link is up Edge ports send BPDUs to upstream STP devices like normal STP ports but do not receive BPDUs I...

Page 132: ...other device point to point shared A half duplex link is a shared segment and can contain more than one device auto The switch dynamically configures the link type Note Any STP port in full duplex mod...

Page 133: ...ications and limit bandwidth for less critical applications Applications such as video and voice must have a certain amount of bandwidth to work correctly using QoS you can provide that bandwidth when...

Page 134: ...rameters Select actions to perform on in profile and out of profile traffic Deny packets Permit packets Mark DSCP or 802 1p Priority Set COS queue with or without re marking Queue and schedule traffic...

Page 135: ...6 8 supports up to 512 ACLs The G8000 allows you to classify packets based on various parameters For example Ethernet source MAC destination MAC VLAN number mask Ethernet type priority IPv4 Source IP...

Page 136: ...bps multiples of 64 Mbps All traffic within this Committed Rate is In Profile Additionally you set a Maximum Burst Size that specifies an allowed data burst larger than the Committed Rate for a brief...

Page 137: ...f the traffic for example its source destination and protocol and performs a controlling action on the traffic when certain characteristics are matched Trusted Untrusted Ports By default all ports on...

Page 138: ...2474 QoS Levels Table 14 shows the default service levels provided by the switch listed from highest to lowest importance Drop Precedence Class 1 Class 2 Class 3 Class 4 Low AF11 DSCP 10 AF21 DSCP 18...

Page 139: ...arking globally Then you must enable DSCP re marking on any port that you wish to perform this function Interface Port mode Note If an ACL meter is configured for DSCP re marking the meter function ta...

Page 140: ...ig qos dscp dscp mapping DSCP value 0 63 new value RS G8000 config qos dscp dot1p mapping DSCP value 0 63 802 1p value RS G8000 config interface port 1 RS G8000 config if qos dscp re marking RS G8000...

Page 141: ...t priority to VoIP COS queue 7 Map priority value to COS queue for non VoIP traffic 8 Assign weight to the non VoIP COS queue RS G8000 config qos transmit queue weight cos 7 0 RS G8000 config qos tran...

Page 142: ...assigned to standard applications A value of 0 zero indicates a best effort traffic prioritization and this is the default when traffic priority has not been configured on your network The switch can...

Page 143: ...m 0 to 15 Weight values from 1 to 15 set the queue to use weighted round robin WRR scheduling which distributes larger numbers of packets to queues with the highest weight values For distribution purp...

Page 144: ...142 RackSwitch G8000 Application Guide...

Page 145: ...Copyright IBM Corp 2011 143 Part 4 Advanced Switch ing Features...

Page 146: ...144 RackSwitch G8000 Application Guide...

Page 147: ...k Aggregation VLAGs With VLAGs two switches can act as a single logical device for the purpose of establishing port trunking Active trunk links from one device can lead to both VLAG peer switches prov...

Page 148: ...146 RackSwitch G8000 Application Guide...

Page 149: ...he RackSwitch G8000 The following concepts are covered Stacking Overview on page 148 Stack Membership on page 149 Configuring a Stack on page 153 Managing a Stack on page 157 Upgrading Software in an...

Page 150: ...k as a whole are the same as for any single switch configured in stand alone mode Stacking Requirements Before IBM N OS switches can form a stack they must meet the following requirements All switches...

Page 151: ...Virtual Router Redundancy Protocol VRRP Note In stacking mode switch menus and command for unsupported features may be unavailable or may have no effect on switch operation Stack Membership A stack c...

Page 152: ...ink or Member failures will continue to operate as part of their active stack If multiple stack links or stack Member switches fail thereby separating the Master and Backup into separate sub stacks th...

Page 153: ...configuration is eligible to take over current stack control when the Master is rebooted or fails The Master automatically synchronizes configuration settings with the specified Backup to facilitate t...

Page 154: ...ports of these Member switches are placed into operator disabled state Without the Master a stack cannot respond correctly to networking events Stack Member Identification Each switch in the stack ha...

Page 155: ...creating port trunks include ports from different stack members in the trunks Avoid altering the stack asnum and csnum definitions unnecessarily while the stack is in operation When in stacking mode...

Page 156: ...e stack trunks To create the recommended topology attach the two designated stacking links in a bidirectional ring As shown in Figure 18 connect each switch in turn to the next starting with the Maste...

Page 157: ...N using the IPv4 address of the configured IP interface In the event that the Master switch fails if a Backup switch is configured see Assigning a Stack Backup Switch on page 156 the external IP inter...

Page 158: ...tch Stack name Local switch is the master Local switch csnum 1 MAC 00 00 00 00 01 00 Switch Type 9 Chassis Type 99 Switch Mode cfg Master Priority 225 Stack MAC 00 00 00 00 01 1f Master switch csnum 1...

Page 159: ...LAN reserved for internal traffic on stacking ports Note Do not use VLAN 4090 for any purpose other than internal stacking traffic Rebooting Stacked Switches using the ISCLI The administrator can rebo...

Page 160: ...ed into image 1 on the Master switch the Master will push the same firmware to image 1 on each Member switch Reboot Master Performs a software reboot reset of the Master switch The software image spec...

Page 161: ...king Push Status and view the Image Push Status Information or From the ISCLI use following command to verify the software push 3 Reboot all switches in the stack Use either the ISCLI or the BBI From...

Page 162: ...shboard Stacking Stack Switches and view the Switch Firmware Versions Information from the Attached Switches in Stack From the ISCLI use the following command RS G8000 config show stack version Switch...

Page 163: ...f the stacking links in a ring topology removing a stack switch from the interior of the chain can divide the chain and cause serious disruption to the stack operation 2 If removing a Master switch ma...

Page 164: ...ng command to specify the links to be used in the stacking trunk 8 Attach the required stack link cables to the designated stack links on the new switch 9 Attach the desired network cables to the new...

Page 165: ...t IBM Corp 2011 Chapter 13 Stacking 163 3 Apply and save your configuration changes Note If replacing the Master switch the Master will not assume control from the Backup unless the Backup is rebooted...

Page 166: ...k vlan VLAN asnum master backup all default boot stack asnum master backup all no logging log stacking no stack backup no stack name no stack switch number csnum show boot stack asnum master backup al...

Page 167: ...evel settings such as virtualization policies and ACLs The administrator can also pre provision VEs by adding their MAC addresses or their IPv4 address or VM name in a VMware environment to a VM group...

Page 168: ...VM Groups The configuration for local VM groups is maintained on the switch locally and is not directly synchronized with hypervisors Local VM groups may include only local elements local switch port...

Page 169: ...will automatically assign the next unconfigured VLAN when a VE or port is added to the VM group vmap Each VM group may optionally be assigned a VLAN based ACL see VLAN Maps on page 173 vm Add VMs VMs...

Page 170: ...e settings to the virtualization management server which in turn distributes them to the appropriate hypervisors for VE members associated with the group Creating VM profiles is a two part process Fir...

Page 171: ...then distributes changes to the appropriate hypervisors For VM membership changes hypervisors modify their internal virtual switch port groups adding or removing server port memberships to enforce th...

Page 172: ...cifies the IPv4 address and account username that the switch will use for vCenter access Once entered the administrator will be prompted to enter the password for the specified vCenter account The noa...

Page 173: ...ncludes all the virtual switch port groups to which the VM connects on the source hypervisor The VM profile export feature can be used to distribute the associated port groups to all the potential hos...

Page 174: ...becomes active on a switch port and immediately assign the proper VM group properties without further configuration Undiscovered VEs are added to or removed from VM groups using the following configur...

Page 175: ...VLAN or VM group may have multiple VMAPs assigned to it The optional serverports or non serverports parameter can be specified to apply the action to add or remove the VMAP for either the switch serve...

Page 176: ...nternal use with bandwidth control Optionally if automatic ACL selection is not desired a specific ACL may be selected If there are no unassigned ACLs available txrate cannot be configured Bandwidth P...

Page 177: ...vCenter scan see vCenter Scans on page 170 Local VE Information A concise list of local VEs and pre provisioned VEs is available with the following ISCLI privileged EXEC command Note The Index number...

Page 178: ...172 16 46 50 3 vSwitch0 172 16 46 51 0 VMkernel 2 00 50 56 4f f2 85 172 16 46 10 4 vSwitch0 172 16 46 10 0 Mgmt 3 00 50 56 7c 1c ca 172 16 46 10 4 vSwitch0 172 16 46 11 0 VMkernel 4 00 50 56 4e 62 f5...

Page 179: ...Virtual Machine VM vCenter Name halibut VM OS hostname localhost localdomain VM IP Address 172 16 46 15 VM UUID 001c41f3 ccd8 94bb 1b94 6b94b03b9200 Current VM Host 172 16 46 10 Vswitch vSwitch0 Port...

Page 180: ...trunk previously configured that includes switch uplink ports 3 and 4 1 Define the server ports 2 Enable the VMready feature 3 Specify the VMware vCenter IPv4 address When prompted enter the user pass...

Page 181: ...oup contains ports that also exist in other VM groups make sure tagging is enabled in both VM groups In this example configuration no ports exist in more than one VM group 7 Save the configuration RS...

Page 182: ...180 RackSwitch G8000 Application Guide...

Page 183: ...g traffic at near line rates the application switch can perform multi protocol routing This section discusses basic routing and advanced routing protocols Basic Routing IPv6 Host Management Routing In...

Page 184: ...182 RackSwitch G8000 Application Guide...

Page 185: ...eed The combination of faster routing and switching in a single device allows you to build versatile topologies that account for legacy configurations For example consider a corporate campus that has...

Page 186: ...t communication is relayed to the default gateway in this case the router for the next level of routing intelligence The router fills in the necessary address information and sends the data back to th...

Page 187: ...mine which switch ports and IP interfaces belong to which VLANs The following table adds port and VLAN information Note To perform this configuration you must be connected to the switch Command Line I...

Page 188: ...RS G8000 config vlan enable RS G8000 config vlan exit Port 4 is an untagged port and its PVID is changed from 1 to 3 RS G8000 config interface ip 1 Select IP interface 1 RS G8000 config ip if ip addr...

Page 189: ...teway fails it is removed from the routing table and an SNMP trap is sent OSPF Integration When a dynamic route is added through Open Shortest Path First OSPF the switch checks the route s gateway aga...

Page 190: ...d up to five 5 gateways for each static route Use the following command to check the status of ECMP static routes RS G8000 config ip route 10 10 1 1 255 255 255 255 100 10 1 1 1 RS G8000 config ip rou...

Page 191: ...on a switch interface use the following command DHCP Relay Agent DHCP is described in RFC 2131 and the DHCP relay agent supported on the G8000 is described in RFC 1542 DHCP uses UDP as its transport...

Page 192: ...ary or secondary servers The client request is forwarded to the BOOTP servers configured on the switch The use of two servers provide failover redundancy However no health checking is supported Use th...

Page 193: ...Cs for IPv6 related features This chapter describes the basic configuration of IPv6 addresses and how to manage the switch via IPv6 host management RFC 1981 RFC 2404 RFC 2410 RFC 2451 RFC 2460 RFC 246...

Page 194: ...es to be configured using either IPv4 or IPv6 address formats However the following switch features support IPv4 only Default switch management IP address SNMP trap host destination IP address Bootstr...

Page 195: ...AA FF FA 4CA2 Unlike IPv4 a subnet mask is not used for IPv6 addresses IPv6 uses the subnet prefix as the network identifier The prefix is the part of the address that indicates the bits that have fix...

Page 196: ...onfiguration neighbor discovery or when no routers are present Routers must not forward any packets with link local source or destination addresses to other links Multicast Multicast is communication...

Page 197: ...tions Stateless address configuration Address configuration is based on the receipt of Router Advertisement messages that contain one or more Prefix Information options N OS 6 8 supports stateless add...

Page 198: ...onfigure an IPv4 address on an IPv6 management interface Each interface can be configured with only one address type either IPv4 or IPv6 but not both When changing between IPv4 and IPv6 address format...

Page 199: ...itations to discover IPv6 routers When a router receives a Router Solicitation it responds immediately to the host Routers uses Router Advertisements to announce its presence on the network and to pro...

Page 200: ...ding is turned on all IPv6 interfaces configured on the switch can forward packets You can configure each IPv6 interface as either a host node or a router node You can manually assign an IPv6 address...

Page 201: ...ollowing format to perform a traceroute to an IPv6 address traceroute host name IPv6 address max hops 1 32 msec delay 1 4294967295 Telnet server The telnet command supports IPv6 addresses Use the foll...

Page 202: ...ve the hostname with an IPv4 address If no A record is found for that hostname no IPv4 address for that hostname an AAAA query is sent to resolve the hostname with a IPv6 address If you set the reques...

Page 203: ...ses A single interface can accept only one IPv4 address If you change the IPv6 address of a configured interface to an IPv4 address all IPv6 settings are deleted A single VLAN can support only one IPv...

Page 204: ...ghbor Discovery advertisements for the interface optional 4 Verify the configuration RS G8000 config interface ip 2 RS G8000 config ip if ip6host RS G8000 config ip if enable RS G8000 config ip if exi...

Page 205: ...rts DH groups 1 2 5 14 and 24 The following topics are discussed in this chapter IPsec Protocols on page 203 Using IPsec with the RackSwitch G8000 on page 204 IPsec Protocols The IBM N OS implementati...

Page 206: ...o the following IKEv2 SAs 5 IPsec SAs 10 5 SAs in each direction SPDs 20 10 policies in each direction IPsec is implemented as a software cryptography engine designed for handling control traffic such...

Page 207: ...le 3 Import the host certificate file RS G8000 config ikev2 proposal RS G8000 config ikev2 prop encryption 3des aes cbc des default 3des RS G8000 config ikev2 prop integrity md5 sha1 default sha1 RS G...

Page 208: ...tion type by entering one of the following commands To disable IKEv2 RSA signature authentication method and enable preshared key authentication enter RS G8000 config access https generate certificate...

Page 209: ...arameters are used traffic selector numberan integer from 1 10 permit denywhether or not to permit IPsec encryption of traffic that meets the criteria specified in this command anyapply the selector t...

Page 210: ...ator key code in hexadecimal outbound AH IPsec key The outbound AH key code in hexadecimal outbound AH IPsec SPI A number from 256 4294967295 outbound ESP cipher key The outbound ESP key code in hexad...

Page 211: ...ble disable Whether to enable or disable the perfect forward security feature The default is disable Note In a dynamic policy the AH and ESP keys are created by IKEv2 3 After you configure the IPSec p...

Page 212: ...210 RackSwitch G8000 Application Guide...

Page 213: ...nts routing loops from continuing indefinitely by implementing a limit on the number of hops allowed in a path from the source to a destination The maximum number of hops in a path is 15 The network d...

Page 214: ...you to configure RIPv2 in RIPv1compatibility mode for using both RIPv2 and RIPv1 routers within a network In this mode the regular routing updates use broadcast UDP data packet to allow RIPv1 routers...

Page 215: ...the interface The metric value typically indicates the total number of hops to the destination The metric value of 16 represents an unreachable destination Authentication RIPv2 authentication uses pla...

Page 216: ...phasing out of the routing table with metric 16 use the following command Locally configured static routes do not appear in the RIP Routes table vlan 2 config vlan enable config vlan member 2 Port 2...

Page 217: ...ussed in this chapter IGMP Terms on page 215 How IGMP Works on page 216 IGMP Capacity and Default Values on page 217 IGMP Snooping on page 218 IGMP Relay on page 228 Additional IGMP Features on page 2...

Page 218: ...er periodically sends Membership Queries to ensure that a host wants to continue receiving multicast traffic If a host does not respond the IGMP Snooper stops sending traffic to the host The host can...

Page 219: ...c Mrouters 128 Number of IGMP Filters 16 IPMC Groups IGMP Relay 1000 Table 20 IGMP Default Configuration Settings Field Default Value Global IGMP State Disabled IGMP Querier Disabled IGMP Snooping Dis...

Page 220: ...the same IGMP group using the same VLAN only a single IGMP entry is used IGMPv3 Snooping IGMPv3 includes new Membership Report messages that extend IGMP functionality The switch provides snooping capa...

Page 221: ...it sees Query messages The switch then floods the IGMP queries on all other ports including a Trunk Group if any Multicast hosts send IGMP Reports as a reply to the IGMP Queries sent by the Mrouter Th...

Page 222: ...rned by the switch RS G8000 config ip igmp snoop vlan 1 RS G8000 config ip igmp snoop enable RS G8000 config ip igmp snoop igmpv3 enable RS G8000 config ip igmp enable RS G8000 show ip igmp groups Not...

Page 223: ...30 0 2 1 230 0 2 2 Source 22 10 0 1 VLAN 3 230 0 2 3 230 0 2 5 Source 22 10 0 3 The Mrouter sends IGMP Query packets in VLAN 2 and VLAN 3 The Mrouter s IP address is 10 10 10 10 The multicast hosts se...

Page 224: ...n Figure 20 Switch A Configuration 1 Configure VLANs and tagging 2 Configure an IP interface with IPv4 address and assign a VLAN 3 Configure STP Assign a bridge priority lower than the default bridge...

Page 225: ...0 config interface port 4 RS G8000 config if lacp key 200 RS G8000 config if lacp mode active RS G8000 config interface port 1 4 6 RS G8000 config if tagging RS G8000 config if exit RS G8000 config vl...

Page 226: ...p snoop igmpv3 enable RS G8000 config ip igmp snoop igmpv3 sources 64 RS G8000 config ip igmp snoop enable RS G8000 config vlan 2 RS G8000 config vlan no flood RS G8000 config vlan exit RS G8000 confi...

Page 227: ...edge RS G8000 config if shutdown RS G8000 config if no shutdown RS G8000 config if exit RS G8000 config interface port 1 2 RS G8000 config if lacp key 400 RS G8000 config if lacp mode active RS G8000...

Page 228: ...GMP groups are displayed in the table close the application that may be sending the IGMP Reports for these groups Identify the traffic source by using a sniffer on the hosts and reading the source IP...

Page 229: ...d C If it is not learned on switch B but is learned on switch C check the link state of the trunk group VLAN membership and STP convergence If it is not learned on any switch ensure the multicast appl...

Page 230: ...0 to participate in network multicasts with no configuration of the various multicast routing protocols so you can deploy it in the network with minimal effort To an IGMP host connected to the G8000 I...

Page 231: ...figure IP interfaces with IPv4 addresses and assign VLANs 2 Turn IGMP on 3 Enable IGMP Relay and add VLANs to the downstream network RS G8000 config ip igmp relay vlan VLAN number RS G8000 config vlan...

Page 232: ...10 0 11 225 10 0 15 The multicast hosts send the following IGMP Reports Host 1 225 10 0 11 225 10 0 12 VLAN 3 Host 2 225 10 0 12 225 10 0 13 VLAN 2 225 10 0 14 225 10 0 15 VLAN 3 Host 3 225 10 0 13 2...

Page 233: ...bridge priority lower than the default bridge priority to enable the switch to become the STP root in STG 2 and 3 4 Configure LACP dynamic trunk groups portchannels RS G8000 config vlan 2 RS G8000 con...

Page 234: ...RS G8000 config interface ip 2 RS G8000 config ip if ip address 2 2 2 20 enable RS G8000 config ip if vlan 2 RS G8000 config ip if exit RS G8000 config interface ip 3 RS G8000 config ip if ip address...

Page 235: ...config vlan 2 RS G8000 config vlan enable RS G8000 config vlan member 1 5 RS G8000 config vlan exit RS G8000 config vlan 5 RS G8000 config vlan enable RS G8000 config vlan member 6 7 RS G8000 config v...

Page 236: ...e To avoid such a scenario disable IPMC flooding for all VLANs enabled on the switches if this is an acceptable configuration RS G8000 config interface port 1 2 RS G8000 config if lacp key 400 RS G800...

Page 237: ...flapping disabling then re enabling the port Note To clear all IGMP groups use the following command RS G8000 config clear ip igmp groups However this will clear all the IGMP groups and will influenc...

Page 238: ...query response interval If no Mrouters have been learned on that port With FastLeave enabled on the VLAN a port can be removed immediately from the port list of the group entry when the IGMP Leave mes...

Page 239: ...ilter to deny IPv4 multicasts then IGMP Membership Reports from multicast groups within the range are dropped You can configure a secondary filter to allow IPv4 multicasts to a small range of addresse...

Page 240: ...an accept a static Mrouter When you configure a static Mrouter on a VLAN it replaces any dynamic Mrouters learned through IGMP Snooping Configure a Static Multicast Router 1 For each Mrouter configure...

Page 241: ...roup Management Protocol version 2 IGMPv2 and MLDv2 is derived from IGMPv3 MLD uses ICMPv6 IP Protocol 58 message types See RFC 2710 and RFC 3810 for details MLDv2 protocol when compared to MLDv1 adds...

Page 242: ...pecific Query Sent to learn if for a specified multicast address there are nodes still listening to a specific set of sources Supported only in MLDv2 Note Multicast Address Specific Queries and Multic...

Page 243: ...he host immediately reports these changes through a State Change Report message The Querier sends a Multicast Address Specific Query to verify if hosts are listening to a specified multicast address o...

Page 244: ...cts as a Querier and periodically at short query intervals sends query messages in the subnet If there are multiple Mrouters in the subnet only one can be the Querier All Mrouters on the subnet listen...

Page 245: ...able Table 21 G8000 Capacity Table Variable Maximum Value IPv6 Multicast Entries 256 IPv6 Interfaces for MLD 8 Table 22 MLD Timers and Default Values Field Default Value Robustness Variable RV 2 Query...

Page 246: ...l RS G8000 config ipv6 mld RS G8000 config router mld enable RS G8000 config router mld exit RS G8000 config interface ip 2 RS G8000 config ip if enable RS G8000 config ip if ipv6 address 2002 1 0 0 0...

Page 247: ...on on page 253 Default Redistribution and Route Aggregation Example on page 254 Internal Routing Versus External Routing To ensure effective processing of network traffic every router on your network...

Page 248: ...advertised For example if you advertise 192 204 4 0 24 you are declaring that if another router sends you data destined for any address in 192 204 4 0 24 you know how to carry that data to its destin...

Page 249: ...en injecting it in and out of BGP Route maps are used by OSPF only for redistributing routes For example a route map is used to set a preference value for a specific route from a peer router and anoth...

Page 250: ...n outgoing route map list behave similar to route maps in an incoming route map list If a route map is not configured in the outgoing route map list all routes are advertised or permitted If a route m...

Page 251: ...ps 3 Optional Configure the AS filter attributes 4 Set up the BGP attributes If you want to overwrite the attributes that the peer router is sending define the following BGP attributes Specify the AS...

Page 252: ...d then add the route map to the incoming route map list or to the outgoing route map list 8 Exit Router BGP mode RS G8000 config router bgp RS G8000 config router bgp enable RS G8000 config router bgp...

Page 253: ...port OSPF routes fixed routes and static routes For an example configuration see Default Redistribution and Route Aggregation Example on page 254 Default routes can be configured using the following m...

Page 254: ...the best path It does not rely on metric attributes to determine the best path When the same network is learned via more than one BGP peer BGP uses its policy for selecting the best route to that netw...

Page 255: ...to announce themselves as default gateways to the G8000 Figure 24 BGP Failover Configuration Example On the G8000 one peer router the secondary one is configured with a longer AS path than the other s...

Page 256: ...edistribution and Route Aggregation Example This example shows you how to configure the switch to redistribute information from one routing protocol to another and create an aggregate route entry in t...

Page 257: ...figure the IPv4 routes that you want aggregated router bgp config router bgp as 135 config router bgp exit ip router id 10 1 1 135 router bgp config router bgp neighbor 1 remote address 10 1 1 4 confi...

Page 258: ...256 RackSwitch G8000 Application Guide...

Page 259: ...routing devices maintain link information in their own Link State Database LSDB The LSDB for all routing devices within an area is identical but is not exchanged between different areas Only routing u...

Page 260: ...Autonomous System Boundary Router ASBR a router that acts as a gateway between the OSPF domain and non OSPF domains such as RIP BGP and static routes Figure 27 OSPF Domain and an Autonomous System Bac...

Page 261: ...information to the other neighbors The Link State Database OSPF is a link state routing protocol A link represents an interface or routable path from the routing device By establishing an adjacency wi...

Page 262: ...be done with static routes or using active internal routing protocols such as OSPF RIP or RIPv2 It is also useful to tell routers outside your network upstream providers or peers about the routes you...

Page 263: ...smission interval and interface transmit delay In addition to the preceding parameters you can specify the following Shortest Path First SPF interval Time interval between successive calculations of t...

Page 264: ...as follows Note The area option is an arbitrary index used only on the switch and does not represent the actual OSPF area number The actual OSPF area number is defined in the area portion of the comma...

Page 265: ...be sure that the area IDs are in the same format throughout an area Attaching an Area to a Network Once an OSPF area has been defined it must be associated with a network To attach the area to a netwo...

Page 266: ...a DR or BDR In case of a tie the routing device with the highest router ID wins Interfaces configured as passive do not participate in the DR or BDR election process Summarizing Routes Route summariza...

Page 267: ...as Figure 28 Injecting Default Routes If the switch is in a transit area and has a configured default gateway it can inject a default route into rest of the OSPF domain Use the following command to co...

Page 268: ...ID For a detailed configuration example on Virtual Links see Example 2 Virtual Links on page 273 Router ID Routing devices in OSPF areas are identified by a router ID The router ID is expressed in IP...

Page 269: ...r the virtual link between area 2 and area 0 Area 1 is not configured for OSPF authentication Figure 29 OSPF Authentication Configuring Plain Text OSPF Passwords To configure simple plain text OSPF pa...

Page 270: ...tween Area 2 and Area 0 on switches 2 and 4 RS G8000 config router ospf RS G8000 config router ospf area 2 authentication type password RS G8000 config router ospf area virtual link 1 key blade RS G80...

Page 271: ...paths of equal cost to a given destination are calculated and the next hops for all equal cost paths are inserted into the routing table If redundant routes via multiple routing processes such as OSPF...

Page 272: ...e steps is covered in the following sections 1 Configure IP interfaces One IP interface is required for each desired network range of IP addresses being assigned to an OSPF area on the switch 2 Option...

Page 273: ...ed Interface 1 for the backbone network on 10 10 7 0 24 Interface 2 for the stub area network on 10 10 12 0 24 Note OSPFv2 supports IPv4 only IPv6 is supported in OSPFv3 see OSPFv3 Implementation in I...

Page 274: ...id 0 0 0 1 RS G8000 config router ospf area 1 type stub RS G8000 config router ospf area 1 enable RS G8000 config router ospf exit RS G8000 config interface ip 1 RS G8000 config ip if ip ospf area 0...

Page 275: ...on 10 10 12 0 24 2 Configure the router ID A router ID is required when configuring virtual links Later when configuring the other end of the virtual link on Switch 2 the router ID specified here wil...

Page 276: ...config router ospf area 1 type transit RS G8000 config router ospf area 1 enable RS G8000 config router ospf exit RS G8000 config interface ip 1 RS G8000 config ip if ip ospf area 0 RS G8000 config i...

Page 277: ...ig ip router id 10 10 14 1 RS G8000 config router ospf RS G8000 config router ospf enable RS G8000 config router ospf area 0 area id 0 0 0 0 RS G8000 config router ospf area 0 enable RS G8000 config r...

Page 278: ...dundant paths by configuring multiple virtual links Only the endpoints of the virtual link are configured The virtual link path may traverse multiple routers in an area as long as there is a routable...

Page 279: ...PFv3 Implementation in IBM N OS on page 279 Figure 32 Summarizing Routes Note You can specify a range of addresses to prevent advertising by using the hide option In this example routes in the range 3...

Page 280: ...ospf area 1 area id 0 0 0 1 RS G8000 config router ospf area 1 type stub RS G8000 config router ospf area 1 enable RS G8000 config router ospf exit RS G8000 config interface ip 1 RS G8000 config ip if...

Page 281: ...ne area 0 0 0 0 is created by default and is always active OSPFv3 Requires IPv6 Interfaces OSPFv3 is designed to support IPv6 addresses This requires IPv6 interfaces to be configured on the switch and...

Page 282: ...mple Addressing fields have been removed from Router and Network LSAs Link local flooding scope has been added along with a Link LSA This allows flooding information to relevant local neighbors withou...

Page 283: ...00 config ip if ipv6 address 10 0 0 0 0 0 0 1 RS G8000 config ip if ipv6 prefixlen 56 RS G8000 config ip if enable RS G8000 config ip if exit RS G8000 config interface ip 4 RS G8000 config ip if ip ad...

Page 284: ...m advertising to the backbone This differs from OSPFv2 only in that the OSPFv3 command path is used and the address and prefix are specified in IPv6 format RS G8000 config ipv6 router ospf RS G8000 co...

Page 285: ...ic consists of myriad services and applications which use the Internet Protocol IP for data delivery However IP is not optimized for all the various applications High Availability goes beyond IP and m...

Page 286: ...284 RackSwitch G8000 Application Guide...

Page 287: ...tive The links to the server are also trunked allowing the secondary NIC to take over in the event that the primary NIC link fails Figure 34 Trunking Ports for Link Redundancy For more information on...

Page 288: ...the duration of the Forward Delay period If the link is unstable the Forward Delay period starts again Preemption You can configure the Master interface to resume the active state whenever it becomes...

Page 289: ...nds to configure Hot Links RS G8000 config hotlinks trigger 1 enable Enable Hot Links Trigger 1 RS G8000 config hotlinks trigger 1 master port 1 Add port to Master interface RS G8000 config hotlinks t...

Page 290: ...th two aggregators supporting a number of AMP groups Figure 35 AMP Topology Each AMP group requires two links on each switch Each AMP link consists of a single port a static trunk group or an LACP tru...

Page 291: ...hat link FDB Flush When an AMP port trunk is the blocking state FDB flush is performed on that port trunk Any time there is a change in the data path for an AMP group the FDB entries associated with t...

Page 292: ...or one AMP group link connects to the other aggregator and one to the access switch Configuring an Access Switch Perform the following steps to configure AMP on an access switch 1 Turn off Spanning Tr...

Page 293: ...le stack using two switches provides full redundancy in the event that either switch were to fail As shown with the servers in the example stacking permits ports within different physical switches to...

Page 294: ...292 RackSwitch G8000 Application Guide...

Page 295: ...tch enables the control ports This causes the NIC team on the affected servers to fail back to the primary switch unless Auto Fallback is disabled on the NIC team The backup switch processes traffic u...

Page 296: ...f any of these conditions is false the monitor port is considered to have failed Control Port State A control port is considered Operational if the monitor trigger is up As long as the trigger is up t...

Page 297: ...elines This section provides important information about configuring Layer 2 Failover Any specific failover trigger can monitor ports only static trunks only or LACP trunks only The different types ca...

Page 298: ...296 RackSwitch G8000 Application Guide...

Page 299: ...VRRP Overview on page 298 This section discusses VRRP operation and IBM N OS redundancy configurations Failover Methods on page 300 This section describes the three modes of high availability IBM N OS...

Page 300: ...ide a single Destination IPv4 DIP address for upstream routers to reach various servers and provide a virtual default Gateway for the servers VRRP Components Each physical router running VRRP is known...

Page 301: ...ne of the virtual router backups becomes the master and assumes its responsibilities Virtual Interface Router At Layer 3 a Virtual Interface Router VIR allows two VRRP routers to share an IP interface...

Page 302: ...to send its own advertisements The current master sees that the backup has higher priority and will stop functioning as the master A backup router can stop receiving advertisements for one of two reas...

Page 303: ...a group all virtual routers on the switch and therefore the switch itself are in either a master or standby state A VRRP group has the following characteristics When enabled all virtual routers behave...

Page 304: ...the current master then the standby can assume the role of the master See Configuring the Switch for Tracking on page 303 for an example on how to configure the switch for tracking VRRP priority Tabl...

Page 305: ...running one server down is less disruptive than bringing a new master online and severing all active connections in the process If switch 1 is the master and it has two or more active servers fewer th...

Page 306: ...enario illustrated in Figure 39 traffic destined for IPv4 address 10 0 1 1 is forwarded through the Layer 2 switch at the top of the drawing and ingresses G8000 1 on port 1 Return traffic uses default...

Page 307: ...if ip address 10 0 1 100 255 255 255 0 RS G8000 config ip if enable RS G8000 config ip if exit RS G8000 config interface ip 4 RS G8000 config ip if ip address 10 0 2 101 255 255 255 0 RS G8000 config...

Page 308: ...0 RS G8000 config ip if vlan 20 RS G8000 config ip if enable RS G8000 config ip if exit RS G8000 config interface ip 3 RS G8000 config ip if ip address 10 0 1 101 255 255 255 0 RS G8000 config ip if e...

Page 309: ...example RS G8000 config vrrp virtual router 1 track ports RS G8000 config vrrp virtual router 2 track ports RS G8000 config vrrp virtual router 2 priority 101 RS G8000 config vrrp exit RS G8000 config...

Page 310: ...308 RackSwitch G8000 Application Guide...

Page 311: ...Copyright IBM Corp 2011 309 Part 7 Network Management...

Page 312: ...310 RackSwitch G8000 Application Guide...

Page 313: ...covery of network resources and notification of network changes LLDP can help administrators quickly recognize a variety of common network configuration problems such as unintended VLAN exclusions or...

Page 314: ...ver time though individual ports comply with the configured interval The global transmit interval can be configured using the following command where interval is the number of seconds between LLDP tra...

Page 315: ...s whenever LLDP transmissions are sent By default trap notification is disabled for each port The trap notification state can be changed using the following commands Interface Port mode In addition to...

Page 316: ...ion delay interval can be globally configured for all ports using the following command where interval is the number of seconds to wait before resuming LLDP transmissions The range is between 1 and 10...

Page 317: ...h will set a change flag within the MIB for convenient notification to SNMP based management systems Viewing Remote Device Information LLDP information collected from neighboring systems can be viewed...

Page 318: ...output RS G8000 config show lldp remote device index number RS G8000 config show lldp remote device LLDP Remote Devices Information LocalPort Index Remote Chassis ID Remote Port Remote System Name 3...

Page 319: ...log reporting 5 Verify the configuration settings 6 View remote device information as needed RS G8000 config lldp enable RS G8000 config lldp transmission delay 30 Transmit each 30 seconds RS G8000 co...

Page 320: ...318 RackSwitch G8000 Application Guide...

Page 321: ...switch configure the trap host on the switch with the following command Note You can use a loopback interface to set the source IP address for SNMP traps Use the following command to apply a configur...

Page 322: ...iso the user type has access to all private and public MIBs RS G8000 config snmp server user 1 16 name 1 32 characters RS G8000 config snmp server user 1 16 authentication protocol md5 sha authenticat...

Page 323: ...Network Management Protocol 321 3 Assign the user to the user group Use the group table to link the user to a particular access group RS G8000 config snmp server group 5 user name admin RS G8000 conf...

Page 324: ...ring is used in the trap cfg sys ssnmp snmpv3 usm 10 name v1trap cfg sys ssnmp snmpv3 access user number c sys ssnmp snmpv3 access 10 Access group to view SNMPv1 traps name v1trap model snmpv1 nview i...

Page 325: ...00 config snmp server access 10 security snmpv2 RS G8000 config snmp server access 10 notify view iso RS G8000 config snmp server notify 10 name v2trap RS G8000 config snmp server notify 10 tag v2trap...

Page 326: ...S enterprise MIB document RS G8000 config snmp server access 1 32 level RS G8000 config snmp server target parameters 1 16 RS G8000 config snmp server user 11 name v3trap RS G8000 config snmp server u...

Page 327: ...d in RFC 1215 ColdStart WarmStart LinkDown LinkUp AuthenticationFailure The SNMP agent also supports two Spanning Tree traps as defined in RFC 1493 NewRoot TopologyChange The following are the enterpr...

Page 328: ...safety limits altSwStgNewRoot Signifies that the bridge has become the new root of the STG altSwStgTopologyChanged Signifies that there was a STG topology change altSwStgBlockingState An altSwStgBloc...

Page 329: ...erver Load a previously saved switch configuration from a FTP TFTP server Save the switch configuration to a FTP TFTP server Save a switch dump to a FTP TFTP server Table 26 MIBs for Switch Image and...

Page 330: ...uration with the name MyRunningConfig cfg into the switch follow these steps This example shows a TFTP server at IPv4 address 192 168 10 10 though IPv6 is also supported 1 Set the FTP TFTP server addr...

Page 331: ...a switch dump to a FTP TFTP server follow these steps This example shows an FTP TFTP server at 192 168 10 10 though IPv6 is also supported 1 Set the FTP TFTP server address where the configuration wi...

Page 332: ...330 RackSwitch G8000 Application Guide...

Page 333: ...onitoring The ability to monitor traffic passing through the G8000 can be invaluable for troubleshooting some types of networking problems This sections cover the following monitoring features Remote...

Page 334: ...332 RackSwitch G8000 Application Guide...

Page 335: ...itable for the management of Ethernet networks The RMON agent continuously collects statistics and proactively monitors switch performance RMON allows you to monitor traffic flowing through the switch...

Page 336: ...f buckets granted by the system based on the amount of system memory available The system grants a maximum of 50 buckets You can use an SNMP browser to view History samples History MIB Object ID The t...

Page 337: ...1 2 2 1 1 1 3 View RMON history for the port RS G8000 config interface port 1 RS G8000 config if rmon RS G8000 config if exit RS G8000 config rmon history 1 interface oid 1 3 6 1 2 1 2 2 1 1 x RS G800...

Page 338: ...p An example statistic follows 1 3 6 1 2 1 5 1 0 mgmt icmp icmpInMsgs 1 3 6 1 2 1 2 2 1 10 x ifInOctets The last digit x represents the interface on which to monitor which corresponds to the interface...

Page 339: ...ic exceeds 200 within a 60 second interval an alarm is generated that triggers event index 110 RS G8000 config rmon alarm 1 oid 1 3 6 1 2 1 5 8 0 RS G8000 config rmon alarm 1 alarm type rising RS G800...

Page 340: ...es a syslog host to send syslog messages Therefore an existing syslog host must be configured for event log notification to work properly Each log event generates a syslog of type RMON that correspond...

Page 341: ...ured sFlow analyzer For each port the sFlow sampling rate can be configured to occur once each 256 to 65536 packets or 0 to disable the default A sampling rate of 256 means that one sample will be tak...

Page 342: ...s or 0 to disable By default polling is 0 disabled for each port 3 On a per port basis define the data sampling rate Specify a sampling rate between 256 and 65536 packets or 0 to disable By default th...

Page 343: ...0 supports three monitor ports in stand alone non stacking mode Only one monitor port is supported in stacking mode Each monitor port can receive mirrored traffic from any number of target ports IBM N...

Page 344: ...000 Application Guide 3 View the current configuration RS G8000 show port mirroring Port Monitoring Enabled Monitoring Ports Mirrored Ports 1 none 2 none 3 1 in 2 both 4 none 5 none 6 none 7 none 8 no...

Page 345: ...Copyright IBM Corp 2011 343 Part 9 Appendices...

Page 346: ...344 RackSwitch G8000 Application Guide...

Page 347: ...r Virtual Router starts advertising with a higher priority Priority In VRRP the value given to a Virtual Router to determine its ranking with its peer s Minimum value is 1 and maximum value is 254 Def...

Page 348: ...efault gateway that is always available Two or more devices sharing an IP interface are either advertising or listening for advertisements These advertisements are sent via a broadcast message to an a...

Page 349: ...ms also describes the diagnostic tests that you can perform Most systems operating systems and programs come with documentation that contains troubleshooting procedures and explanations of error messa...

Page 350: ...w ibm com planetwide for support telephone numbers In the U S and Canada call 1 800 IBM SERV 1 800 426 7378 Hardware service and support You can receive hardware service through your IBM reseller or I...

Page 351: ...not allow disclaimer of express or implied warranties in certain transactions therefore this statement may not apply to you This information could include technical inaccuracies or typographical error...

Page 352: ...e speed is the variable read rate Actual speeds vary and are often less than the possible maximum When referring to processor storage real and virtual storage or channel volume KB stands for 1024 byte...

Page 353: ...lity Documentation format The publications for this product are in Adobe Portable Document Format PDF and should be compliant with accessibility standards If you experience difficulties when you use t...

Page 354: ...tions to this equipment Unauthorized changes or modifications could void the user s authority to operate the equipment This device complies with Part 15 of the FCC Rules Operation is subject to the fo...

Page 355: ...ohne Zustimmung der IBM ver ndert bzw wenn Erweiterungskomponenten von Fremdherstellern ohne Empfehlung der IBM gesteckt eingebaut werden EN 55022 Klasse A Ger te m ssen mit folgendem Warnhinweis ver...

Page 356: ...oduct based on the standard of the Voluntary Control Council for Interference VCCI If this equipment is used in a domestic environment radio interference may occur in which case the user may be requir...

Page 357: ...Copyright IBM Corp 2011 Appendix C Notices 355 Taiwan Class A compliance statement...

Page 358: ...356 RackSwitch G8000 Application Guide...

Page 359: ...roadcast storm control 89 Browser Based Interface 23 261 C Cisco EtherChannel 108 110 CIST 127 Class A electronic emission notice 352 Class of Service queueCOS queue 141 command conventions 18 Command...

Page 360: ...on via setup 39 IP interfaces 40 example configuration 185 186 IP routing 40 cross subnet example 183 default gateway configuration 187 IP interface configuration 185 186 IP subnets 183 subnet configu...

Page 361: ...131 Quality of Service 131 Querier IGMP 242 R RADIUS authentication 63 port 1812 and 1645 81 port 1813 81 SSH SCP 59 Rapid Spanning Tree Protocol RSTP 126 Rapid Spanning Tree Protocol RSTP RSTP 126 r...

Page 362: ...gged member 95 untagged frame 95 untagged member 95 VLAN identifier VID 95 telephone assistance 348 telephone numbers 348 Telnet support optional setup for Telnet support 44 text conventions 18 time s...

Reviews:

No comments

Related manuals for RackSwitch G8000

Brand: Campbell Pages: 42

Brand: Javad Pages: 35

Brand: Vivotek Pages: 136

ADSL 2/2+ Router with USB Port ADE-3410v2

Brand: Planet Pages: 62

Brand: TP-Link Pages: 3

Brand: Direct IP Pages: 76

HiGain HLU-231 List 8F

Brand: ADC Pages: 7

Brand: Lancom Pages: 25

IMACS Network Device

Brand: Zhone Pages: 114

ELITENAS EN104L+(B)

Brand: Sans Digital Pages: 9

Brand: iDirect Pages: 72

AlterPath Manager 2500

Brand: Cyclades Pages: 368

Brand: Keysight Technologies Pages: 106

Brand: E-TOP Pages: 90

Brand: Billion Pages: 8

GREENLEE SURE SIGNAL 46060

Brand: Greenlee Pages: 2

Brand: Tripp Lite Pages: 2

Brand: AVM Pages: 180

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands