Lenovo Flex System Fabric CN4093 Application Manual Download Page 425

Page: 425 / 634

Chapter 25: Using IPsec with IPv6

425

Decide

whether

use

tunnel

transport

mode.

The

default

mode

transport.

describe

the

packets

which

this

policy

applies,

create

traffic

selector

using

the

following

commands:

where

the

following

parameters

are

used:



traffic

selector

number

integer

from

‐



permit|deny

whether

not

permit

IPsec

encryption

traffic

that

meets

the

criteria

specified

this

command



proto/any

apply

the

selector

any

type

traffic



proto/icmp

type

|any

only

apply

the

selector

only

ICMP

traffic

the

specified

type

(an

integer

from

‐

255)

any

ICMP

traffic



proto/tcp

only

apply

the

selector

TCP

traffic



source

address

|any

the

source

address

IPv6

format

“any”

source



destination

address

|any

the

destination

address

IPv6

format

“any”

destination



prefix

length

(Optional)

the

length

the

destination

IPv6

prefix;

integer

from

‐

128

Permitted

traffic

that

matches

the

policy

force

encrypted,

while

denied

traffic

that

matches

the

policy

force

dropped.

Traffic

that

does

not

match

the

policy

bypasses

IPsec

and

passes

through

clear

(unencrypted).

Choose

whether

use

manual

dynamic

policy.

CN 4093(config)#

ipsec transform-set tunnel

transport

CN 4093(config)#

ipsec traffic-selector

<traffic

selector

number>

{permit|deny}

{any|icmp {

<ICMPv6

type>

|any}|tcp}

{

<source

address>

any}

{

<destination

address>

|any}

[

<prefix

length>

]

Summary of Contents for Flex System Fabric CN4093

Page 1: ...Lenovo Flex System Fabric CN4093 10 Gb Converged Scalable Switch Application Guide For Lenovo Enterprise Network Operating System 8 4 ...

Page 2: ...ent that comes with the product Third Edition July 2017 Copyright Lenovo 2017 Portions Copyright IBM Corporation 2014 LIMITED AND RESTRICTED RIGHTS NOTICE If data or software is delivered pursuant a General Services Administration GSA contract use reproduction or disclosure is subject to restrictions set forth in Contract No GS 35F 05925 Lenovo and the Lenovo logo are trademarks of Lenovo in the U...

Page 3: ...er Based Interface 31 Establishing a Connection 32 Using the Chassis Management Module 32 Factory Default vs CMM Assigned IP Addresses 32 Using Telnet 33 Using Secure Shell 33 Using SSH with Password Authentication 35 Using SSH with Public Key Authentication 35 Using a Web Browser 36 Configuring HTTP Access to the BBI 36 Configuring HTTPS Access to the BBI 37 BBI Summary 38 Using Simple Network Ma...

Page 4: ... Gateways 68 IP Routing 69 Setup Part 5 Final Steps 70 Optional Setup for Telnet Support 71 Chapter 3 Switch Software Management 73 Loading New Software to Your Switch 74 Loading Software via the ISCLI 74 Loading Software via BBI 75 Updating Software on vLAG Switches 76 The Boot Management Menu 78 Boot Recovery Mode 79 Recover from a Failed Image Upgrade using TFTP 80 Recovering from a Failed Imag...

Page 5: ...ounts 94 Strong Passwords 94 User Access Control Menu 95 Setting Up User IDs 95 Defining a User s Access Level 95 Validating a User s Configuration 95 Enabling or Disabling a User 95 Locking Accounts 95 Re enabling Locked Accounts 96 Listing Current Users 96 Logging In to an End User Account 96 Protected Mode 97 Stacking Mode 97 Chapter 5 Authentication Authorization Protocols 99 RADIUS Authentica...

Page 6: ...5 ACL Metering and Re Marking 126 Metering 126 Re Marking 126 ACL Port Mirroring 127 Viewing ACL Statistics 127 ACL Logging 128 Enabling ACL Logging 128 Logged Information 128 Rate Limiting Behavior 129 Log Interval 129 ACL Logging Limitations 129 ACL Configuration Examples 130 ACL Example 1 130 ACL Example 2 130 ACL Example 3 131 VLAN Maps 132 VMap Example 133 Management ACLs 134 Part 3 Switch Ba...

Page 7: ...le LAG Hash Algorithm 165 Link Aggregation Control Protocol 167 LACP Modes 168 LACP individual 169 Configuring LACP 170 Chapter 10 Spanning Tree Protocols 171 Spanning Tree Protocol Modes 172 Global STP Control 172 PVRST Mode 173 Port States 173 Bridge Protocol Data Units 174 Determining the Path for Forwarding BPDUs 174 Bridge Priority 174 Port Priority 175 Root Guard 175 Loop Guard 175 Port Path...

Page 8: ...he VLAG 201 VLAG Configuration VLANs Mapped to MSTI 202 Configure the ISL 202 Configure the VLAG 203 Configuring Health Check 204 VLAGs with VRRP 205 Configure VLAG Peer 1 205 Configure VLAG Peer 2 208 Two tier vLAGs with VRRP 211 Configuring VLAGs in Multiple Layers 212 Configure Layer 2 3 Border Switches 212 Configure Switches in the Layer 2 Region 212 Chapter 12 Quality of Service 215 QoS Overv...

Page 9: ... Additional Master Configuration 244 Viewing Stack Connections 244 Binding Members to the Stack 245 Assigning a Stack Backup Switch 245 Managing a Stack 246 Connecting to Stack Switches via the Master 246 Rebooting Stacked Switches via the Master 246 Rebooting Stacked Switches using the ISCLI 246 Rebooting Stacked Switches using the BBI 247 Upgrading Software in a Stack 248 New Hybrid Stack 248 Co...

Page 10: ... VM Groups 281 VM Profiles 282 Initializing a Distributed VM Group 282 Assigning Members 283 Synchronizing the Configuration 283 Removing Member VEs 283 VMcheck 284 Basic Validation 284 Advanced Validation 285 Virtual Distributed Switch 286 Prerequisites 286 Guidelines 286 Migrating to vDS 287 Virtualization Management Servers 288 Assigning a vCenter 288 vCenter Scans 289 Deleting the vCenter 289 ...

Page 11: ... ACL Rules 308 FCoE VLANs 309 Viewing FIP Snooping Information 309 Operational Commands 310 FIP Snooping Configuration 310 Priority Based Flow Control 312 Global vs Port by Port PFC Configuration 313 PFC Configuration Example 314 Enhanced Transmission Selection 316 802 1p Priority Values 316 Priority Groups 317 PGID 317 Assigning Priority Values to a Priority Group 318 Deleting a Priority Group 31...

Page 12: ...y 344 Example 2 Full Fabric FC FCoE Switch 346 Fibre Channel Standard Protocols Supported 348 Chapter 19 Edge Virtual Bridging 349 EVB Operations Overview 350 VSIDB Synchronization 350 VLAN Behavior 351 Deleting a VLAN 351 Manual Reflective Relay 352 EVB Configuration 353 Configuring EVB in Stacking Mode 355 Limitations 356 Unsupported features 356 Chapter 20 Static Multicast ARP 357 Configuring S...

Page 13: ...tion 379 Example 9 8 vPorts with ETS bandwidth provisioning mode 380 Chapter 22 Switch Partition 383 SPAR Processing Modes 384 Local Domain Processing 384 Pass Through Domain Processing 385 Limitations 386 Unsupported Features 387 SPAR VLAN Management 388 Example Configurations 389 Pass Through Configuration 389 Local Domain Configuration 389 Part 5 IP Routing 391 Chapter 23 Basic IP Routing 393 I...

Page 14: ...20 Importing an IKEv2 Digital Certificate 421 Generating a Certificate Signing Request 421 Generating an IKEv2 Digital Certificate 423 Enabling IKEv2 Preshared Key Authentication 424 Setting Up a Key Policy 424 Using a Manual Key Policy 426 Using a Dynamic Key Policy 428 Chapter 26 Routing Information Protocol 429 Distance Vector Protocol 429 Stability 429 Routing Updates 430 RIPv1 430 RIPv2 430 R...

Page 15: ... Configuring MLD 451 Chapter 29 Border Gateway Protocol 453 Internal Routing Versus External Routing 454 Forming BGP Peer Routers 455 What is a Route Map 456 Incoming and Outgoing Route Maps 457 Precedence 457 Configuration Example 457 Aggregating Routes 459 Redistributing Routes 459 BGP Attributes 460 Local Preference Attribute 460 Metric Multi Exit Discriminator Attribute 460 Selecting Route Pat...

Page 16: ... Switch 1 485 Configuring OSPF for a Virtual Link on Switch 2 486 Other Virtual Link Options 488 Example 3 Summarizing Routes 488 Verifying OSPF Configuration 490 OSPFv3 Implementation in Enterprise NOS 491 OSPFv3 Differences from OSPFv2 491 OSPFv3 Requires IPv6 Interfaces 491 OSPFv3 Uses Independent Command Paths 491 OSPFv3 Identifies Neighbors by Router ID 491 Other Internal Improvements 492 OSP...

Page 17: ...toring LAG Links 516 VLAN Monitor 516 Auto Monitor Configurations 516 Setting the Failover Limit 518 Manually Monitoring Port Links 519 Monitor Port State 519 Control Port State 519 L2 Failover with Other Features 520 LACP 520 Spanning Tree Protocol 520 Configuration Guidelines 521 Auto Monitor Guidelines 521 Manual Monitor Guidelines 521 Configuring Layer 2 Failover 522 Auto Monitor Example 522 M...

Page 18: ...apter 35 Link Layer Discovery Protocol 541 LLDP Overview 542 LLDP Stacking Mode 542 Enabling or Disabling LLDP 543 Global LLDP Setting 543 Transmit and Receive Control 543 LLDP Transmit Features 544 Scheduled Interval 544 Minimum Interval 544 Time to Live for Transmitted Information 545 Trap Notifications 545 Changing the LLDP Transmit State 546 Types of Information Transmitted 547 LLDP Receive Fe...

Page 19: ...ial Keys 579 Flexible Port Mapping 580 Chapter 39 Secure Input Output Module 581 SIOM Overview 582 Switch Access in SIOM Mode 583 Using SIOM with Stacking 583 SIOM Feature Considerations 585 Creating a Policy Setting 586 Protocols Affected by the Policy Setting 586 Insecure Protocols 586 Secure Protocols 587 Insecure Protocols Unaffected by SIOM 587 Managing User Accounts 589 Using Centralized SNM...

Page 20: ...e Contamination 620 Telecommunication Regulatory Statement 621 Electronic Emission Notices 622 Federal Communications Commission FCC Statement 622 Industry Canada Class A Emission Compliance Statement 622 Avis de Conformité à la Réglementation dʹIndustrie Canada 622 Australia and New Zealand Class A Statement 622 European Union Compliance to the Electromagnetic Compatibility Directive 623 Germany ...

Page 21: ...al is intended to help those new to Enterprise NOS products with the basics of switch management This part includes the following chapters Chapter 1 Switch Administration describes how to access the CN4093 in order to configure the switch and view switch information and statistics This chapter discusses a variety of manual administration interfaces including local management via the switch console...

Page 22: ...Rapid Spanning Tree Protocol RSTP Per VLAN Rapid Spanning Tree Plus PVRST and Multiple Spanning Tree Protocol MSTP extensions to STP Chapter 11 Virtual Link Aggregation Groups describes using Virtual Link Aggregation Groups vLAG to form LAGs spanning multiple vLAG capable aggregator switches Chapter 12 Quality of Service discusses Quality of Service QoS features including IP filtering using Access...

Page 23: ...mmunications by authenticating and encrypting IP packets with emphasis on Internet Key Exchange version 2 and authentication confidentiality for OSPFv3 Chapter 26 Routing Information Protocol describes how the Enterprise NOS software implements standard Routing Information Protocol RIP for exchanging TCP IP route information with other routers Chapter 27 Internet Group Management Protocol describe...

Page 24: ...pter 38 System License Keys describes how to manage Features on Demand FoD licenses and how to allocate bandwidth between physical ports within the installed licenses limitations Part 8 Monitoring Chapter 40 Remote Monitoring describes how to configure the RMON agent on the switch so that the switch can exchange network monitoring data Chapter 41 sFLOW described how to use the embedded sFlow agent...

Page 25: ...ing the CN4093 is available in the following guides Lenovo Flex System Fabric CN4093 10 Gb Converged Scalable Switch Installation Guide Lenovo Flex System Fabric CN4093 10 Gb Converged Scalable Switch Command Reference for Lenovo Network Operating System 8 4 Lenovo Network Browser Based Interface Quick Guide ...

Page 26: ...ter placeholder Replace the indicated text with the appropriate real name or value when using the command Do not type the brackets To establish a Telnet session enter host telnet IP address This also shows book titles special terms or words to be emphasized Read your User s Guide thoroughly Command items shown inside brackets are optional and can be used or excluded as the situation demands Do not...

Page 27: ... Copyright Lenovo 2017 27 Part 1 Getting Started ...

Page 28: ...28 CN4093 Application Guide for N OS 8 4 ...

Page 29: ... advanced features however require some administrative configuration before they can be used effectively The extensive Enterprise NOS switching software included in the CN4093 provides a variety of options for accessing the switch to perform configuration and to view switch information and statistics This chapter discusses the various methods that can be used to administer the switch ...

Page 30: ...rned on see the Lenovo Flex System Fabric CN4093 10 Gb Converged Scalable Switch Installation Guide Chassis Management Module The CN4093 10 Gb Converged Scalable Switch is an integral subsystem within the overall Lenovo Flex System The Flex System chassis also includes a chassis management module CMM as the central element for overall chassis management and control Using the tools available throug...

Page 31: ...tration 31 Browser Based Interface The Browser based Interface BBI provides access to the common configuration management and operation features of the CN4093 through your Web browser For more information refer to the Enterprise NOS BBI Quick Guide ...

Page 32: ...g the Chassis Management Module The CN4093 is an integral subsystem within the overall Lenovo Flex System The Flex System chassis includes a chassis management module CMM as the central element for overall chassis management and control The CN4093 uses port 43 MGT1 to communicate with the chassis management module s Even when the CN4093 is in a factory default configuration you can use the 1Gb Eth...

Page 33: ...pt the Telnet client is disconnected via TCP session closure Using Secure Shell Although a remote network administrator can manage the configuration of a CN4093 via Telnet this method does not provide a secure connection The Secure Shell SSH protocol enables you to securely log into another device over a network to execute commands remotely As a secure alternative to using Telnet to manage switch ...

Page 34: ...sha256 rsa1024 sha1 diffie hellman group exchange sha256 diffie hellman group exchange sha1 diffie hellman group14 sha1 diffie hellman group1 sha1 Encryption aes128 ctr aes128 cbc rijndael128 cbc blowfish cbc 3des cbc arcfour256 arcfour128 arcfour MAC hmac sha1 hmac sha1 96 hmac md5 hmac md5 96 User Authentication Local password authentication RADIUS TACACS ...

Page 35: ...Login Levels on page 47 Using SSH with Public Key Authentication SSH can also be used for switch authentication based on asymmetric cryptography Public encryption keys can be uploaded on the switch and used to authenticate incoming login attempts based on the clients private encryption key pairs After a predefined number of failed public key login attempts the switch reverts to password based auth...

Page 36: ...ou first access the switch you must enter the default username and password USERID PASSW0RD with a zero You are required to change the password after first login Configuring HTTP Access to the BBI By default BBI access via HTTP is disabled on the switch To enable or disable HTTP access to the switch BBI use the following commands The default HTTP web server port to access the BBI is port 80 Howeve...

Page 37: ...icate is valid only until the switch is rebooted To save the certificate so that it is retained beyond reboot or power cycles use the following command When a client such as a web browser connects to the switch the client is asked to accept the certificate and verify that the fields match what is expected Once BBI access is granted to the client the BBI can be used as described in the Enterprise N...

Page 38: ...s window provides a menu list of switch features and functions System this folder provides access to the configuration elements for the entire switch Switch Ports Configure each of the physical ports on the switch Port Based Port Mirroring Configure port mirroring behavior Layer 2 Configure Layer 2 features for the switch RMON Menu Configure Remote Monitoring features for the switch Layer 3 Config...

Page 39: ...ngs on the switch can be changed using the following commands The SNMP manager should be able to reach any one of the IP interfaces on the switch For the SNMP manager to receive the SNMPv1 traps sent out by the SNMP agent on the switch configure the trap host on the switch with the following commands For more information on SNMP usage and configuration see Simple Network Management Protocol on pag...

Page 40: ...lient s VLAN or to the global BOOTP DHCP servers if no domain specific BOOTP DHCP servers are configured for the client s VLAN The servers respond to the switch with a Unicast reply that contains the IPv4 default gateway and the IPv4 address for the client The switch then forwards this reply back to the client DHCP is described in RFC 2131 and the DHCP relay agent supported on the CN4093 is descri...

Page 41: ...de the network or firewall A trusted interface receives packets only from within the network By default all DHCP ports are untrusted The DHCP snooping binding table contains the MAC address IP address lease time binding type VLAN number and port number that correspond to the local untrusted interface on the switch it does not contain information regarding hosts interconnected with a trusted interf...

Page 42: ...ning configuration will not be merged or appended to the EZC configuration For any custom settings that are not included in the predefined configuration sets the user has to do it manually Notes EZC is not available in stacking mode To support scripting the feature also has a single line format For more information please refer to Lenovo Networking ISCLI Reference Guide Note To support scripting t...

Page 43: ...r management gateway Current 10 241 13 1 Pending switch port configuration Hostname host Management interface IP 10 241 13 32 Netmask 255 255 255 128 Gateway 10 241 13 1 Confirm erasing current config to re configure Easy Connect yes no CN 4093 easyconnect Configure Basic system yes no y Please enter none for no hostname Enter hostname Default None Host Select management port number Default 1 Plea...

Page 44: ...id and you are guided to select other ports Server ports can have ports of different mode or speed selected at the same time You can either accept the static defaults or enter a different port list for uplink and or server ports CN 4093 easyconnect Configure Transparent mode yes no y Select Uplink Ports Static Defaults 17 24 The following Uplink ports will be enabled Uplink ports 1G 10G 17 24 Sele...

Page 45: ...Peer IP address for vLAG healthcheck Default 1 1 1 2 Warning vLAG healthcheck Peer IP is not reachable Do you want to select another Peer IP yes no y Select Peer IP address for vLAG healthcheck Default 1 1 1 2 Warning vLAG healthcheck Peer IP is not reachable Do you want to select another Peer IP yes no n The following Uplink ports will be enabled The following Downlink ports will be enabled Pleas...

Page 46: ...ifferent speed the selection is not valid and you are guided to either select other ports or change the speed of the ports All unused port are configured as shut down in the configuration dump You can either accept the static defaults or enter a different port list for ISL uplink and or downlink ports ...

Page 47: ...ons to configure and troubleshoot problems on the CN4093 Because administrators can also make temporary operator level changes as well they must be aware of the interactions between temporary and permanent changes Access to switch functions is controlled through the use of unique user names and passwords Once you are connected to the switch via console remote Telnet or SSH you are prompted to ente...

Page 48: ...n account can be disabled by setting the password to an empty value To disable admin account use the command CN 4093 config no access user administrator enable Admin account can be disabled only if there is at least one user account enabled and configured with administrator privilege ...

Page 49: ...for the configuration block enter f System Reset from boot iscli Disable the Transceivers Unmount the File System Unmounting filesystem Wait for umount to finish Done Waiting for I2C Transactions to Finish U Boot 2009 06 Aug 21 2015 12 35 27 MPC83XX Reset Status CPU e300c4 MPC8378A Rev 2 1 at 792 MHz CSB 396 MHz Board Networking OS RackSwitch G8052 I2C ready DRAM 1 GB Memory Test Boot Menu Mode Pl...

Page 50: ... Q Reboot E Exit Please choose your menu option q Resetting the board CN 4093 ena Enable privilege granted CN 4093 configure terminal Enter configuration commands one per line End with Ctrl Z CN 4093 config copy active config running config admin pw bypass Loading to current configuration CN 4093 config password Changing admin password validation required Enter current local admin password Enter n...

Page 51: ... openly over the network All file transfer commands include SFTP support along with FTP and TFTP support SFTP is available through the menu based CLI ISCLI BBI and SNMP The following examples illustrate SFTP support for ISCLI commands CN 4093 copy sftp image1 image2 boot image mgt port data port Copy software image from SFTP server to the switch CN 4093 copy sftp ca cert host cert host key mgt por...

Page 52: ...to and from the switch By default HTTP Telnet and SNMPv1 and SNMPv2 are disabled on the CN4093 Before enabling strict mode ensure the following The software version on all connected switches is Enterprise NOS 8 4 NIST Strict compliance is enabled on the Chassis Management Module The supported protocol versions and cryptographic cipher suites between clients and servers are compatible For example i...

Page 53: ...5 IKE Key Exchange DH Group 24 DH group 1 2 5 14 24 Encryption 3DES AES 128 CBC 3DES AES 128 CBC Integrity HMAC SHA1 HMAC SHA1 HMAC MD5 IPSec AH HMAC SHA1 HMAC SHA1 HMAC MD5 ESP 3DES AES 128 CBC HMAC SHA1 3DES AES 128 CBC HMAC SHA1 HMAC MD5 LDAP LDAP does not comply with NIST SP 800 131A specification When in strict mode LDAP is disabled However it can be enabled if required Acceptable OSPF OSPF d...

Page 54: ... ECDH SHA2 NISTP384 ECDH SHA2 NISTP256 ECDH SHA2 NISTP224 ECDH SHA2 NISTP192 RSA2048 SHA256 RSA1024 SHA1 DIFFIE HELL MAN GROUP EXCHANGE SHA 256 DIFFIE HELL MAN GROUP EXCHANGE SHA 1 DIFFIE HELL MAN GROUP14 SHA1 DIFFIE HELL MAN GROUP1 SHA1 Encryption AES128 CTR AES128 CBC 3DES CBC AES128 CTR AES128 CBC RIJNDAEL128 CBC BLOWFISH CBC 3DES CBC ARCFOUR256 ARCFOUR128 ARCFOUR MAC HMAC SHA1 HMAC SHA1 96 HMA...

Page 55: ..._128_CBC SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 0x0005 RSA RSA RC4 SHA1 SSL_RSA_WITH_RC4_128_SHA 0x000A RSA RSA 3DES SHA1 SSL_RSA_WITH_3DES_EDE_CBC_SHA 0x0033 DHE RSA AES 128_CBC SHA1 TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0067 DHE RSA AES_128_CBC SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0016 DHE RSA 3DES SHA1 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA Table 6 List of Acceptable Cipher Suites in Strict Mod...

Page 56: ...093 will not discover Platform agents Common agents that are not in strict mode Web browsers that do not use TLS 1 2 cannot be used Limited functions of the switch managing Windows will be available CN 4093 config no boot strict enable Warning security strict mode limits the cryptographic algorithms used by secure protocols on this switch Please see the documentation for full details and verify th...

Page 57: ...commands Note This command will disable CLI confirmation prompts for current and future sessions Note This command will disable CLI confirmation prompts for the current session only It also takes precedence over the prompting command any settings configured through the prompting command will be disregarded for the duration of the current session For more details see the Lenovo Flex System Fabric C...

Page 58: ...58 CN4093 Application Guide for N OS 8 4 ...

Page 59: ...ring your switch the Enterprise NOS software includes a Setup utility The Setup utility prompts you step by step to enter all the necessary information for basic configuration of the switch Setup can be activated manually from the command line interface any time after login CN 4093 config setup ...

Page 60: ...ional configuration for each port Speed duplex flow control and negotiation mode as appropriate Whether to use VLAN tagging or not as appropriate Optional configuration for each VLAN Name of VLAN Which ports are included in the VLAN Optional configuration of IP parameters IP address mask and VLAN for each IP interface IP addresses for default gateway Whether IP forwarding is enabled or not ...

Page 61: ...ith a zero as the default password 3 Enter the following command at the prompt Stopping Setup To abort the Setup utility press Ctrl C during any Setup question When you abort Setup the system will prompt Enter n to abort Setup or y to restart the Setup program at the beginning Restarting Setup You can restart the Setup utility manually at any time by entering the following command at the administr...

Page 62: ...te at the prompt Enter the month as a number from 1 to 12 To keep the current month press Enter 4 Enter the day of the current date at the prompt Enter the date as a number from 1 to 31 To keep the current day press Enter The system displays the date and time settings 5 Enter the hour of the current system time at the prompt Enter the hour as a number from 00 to 23 To keep the current hour press E...

Page 63: ... settings 8 Turn BOOTP on or off at the prompt Enter e to enable BOOTP or enter d to disable BOOTP 9 Turn Spanning Tree Protocol on or off at the prompt Enter y to turn off Spanning Tree or enter n to leave Spanning Tree on Enter seconds 37 System clock set to 8 55 36 Wed Jan 28 2012 BootP Option Current BOOTP disabled Enter new BOOTP d e Spanning Tree Current Spanning Tree Group 1 setting ON Turn...

Page 64: ...he number of the port you wish to configure To skip port configuration press Enter without specifying any port and go to Setup Part 3 VLANs on page 66 3 Configure Gigabit Ethernet port flow parameters The system prompts Enter rx to enable receive flow control tx for transmit flow control both to enable both or none to turn flow control off for the port To keep the current setting press Enter 4 Con...

Page 65: ...o enable VLAN tagging for the port To keep the current setting press Enter 6 The system prompts you to configure the next port When you are through configuring ports press Enter without specifying any port Otherwise repeat the steps in this section Port Tagging Trunk mode config Tagged Trunk mode port can be a member of multiple VLANs Current Tagging Trunk mode support disabled Enter new Tagging T...

Page 66: ...Enter 3 Enter the VLAN port numbers Enter each port by port number and confirm placement of the port into this VLAN When you are finished adding ports to this VLAN press Enter without specifying any port 4 Configure Spanning Tree Group membership for the VLAN 5 The system prompts you to configure the next VLAN Repeat the steps in this section until all VLANs have been configured When all VLANs hav...

Page 67: ... management 1 Select the IP interface to configure or skip interface configuration at the prompt If you wish to configure individual IP interfaces enter the number of the IP interface you wish to configure To skip IP interface configuration press Enter without typing an interface number and go to Default Gateways on page 68 2 For the specified IP interface enter the IP address in IPv4 dotted decim...

Page 68: ...t typing a gateway number and go to IP Routing on page 69 2 At the prompt enter the IPv4 address for the selected default gateway Enter the IPv4 address in dotted decimal notation or press Enter without specifying an address to accept the current setting 3 At the prompt enter y to enable the default gateway or n to leave it disabled 4 The system prompts you to configure another default gateway Rep...

Page 69: ...al router device Routing on more complex networks where subnets may not have a direct presence on the CN4093 can be accomplished through configuring static routes or by letting the switch learn routes dynamically This part of the Setup program prompts you to configure the various routing parameters At the prompt enable or disable forwarding for IP Routing Enter y to enable IP forwarding To disable...

Page 70: ...the changes or n to continue without applying Changes are normally applied 4 At the prompt decide whether to make the changes permanent Enter y to save the changes to flash Enter n to continue without saving the changes Changes are normally saved at this point 5 If you do not apply or save the changes the system prompts whether to abort them Enter y to discard the changes Enter n to return to the ...

Page 71: ...for Telnet Support Note This step is optional Perform this procedure only if you are planning on connecting to the CN4093 through a remote Telnet connection 1 Telnet is enabled by default To change the setting use the following command CN 4093 config no access telnet ...

Page 72: ...72 CN4093 Application Guide for N OS 8 4 ...

Page 73: ...onto an FTP SFTP or TFTP server on your network Transfer the new images to your switch Specify the new software image as the one which will be loaded into switch memory the next time a switch reset occurs Reset the switch For instructions on the typical upgrade process using the ENOS ISCLI or BBI see Loading New Software to Your Switch on page 74 CAUTION Although the typical upgrade process is all...

Page 74: ...ur switch you will need the following The image and boot software loaded on an FTP SFTP or TFTP server on your net work Note Be sure to download both the new boot file and the new image file The hostname or IP address of the FTP SFTP or TFTP server Note The DNS parameters must be configured if specifying hostnames The name of the new software image or boot file When the software requirements are m...

Page 75: ...g onto the BBI perform the following steps to load a software image 1 Click the Configure context tab in the toolbar 2 In the Navigation Window select System Config Image Control The Switch Image and Configuration Management page appears 3 If you are loading software from your computer HTTP client skip this step and go to the next Otherwise if you are loading software from an FTP SFTP or TFTP serv...

Page 76: ...nd vLAG mismatch will happen with vLAG ports down since it is still Secondary The traffic will still be forwarding via Switch 1 the original Primary switch 3 On Switch 1 the original Primary switch shut down all links ISL vLAG links and vLAG HC This is equivalent to powering off Switch 1 the original Primary switch All the traffic will failover to Switch 2 which will assume the vLAG operation role...

Page 77: ... 77 Switch 1 will reassume the vLAG Primary role and Switch 2 will reassume the vLAG Secondary role 6 Make sure that Switch 1 is now the vLAG primary switch and Switch 2 is now the vLAG secondary switch using the following command CN 4093 show vlag information ...

Page 78: ...form the following actions The Boot Management menu allows you to perform the following actions To change the booting image press I and follow the screen prompts To change the configuration block press C and follow the screen prompts To boot in recovery mode press R For more details see Boot Recovery Mode on page 79 To restart the boot process from the beginning press Q To exit the Boot Management...

Page 79: ...m a Failed Image Upgrade using TFTP on page 80 To recover from a failed software or boot image upgrade using XModem download press X and follow the screen prompts For more details see Recovering from a Failed Image Upgrade using XModem Download on page 82 To enable the loading of an unofficial image press P and follow the screen prompts For more details see Physical Presence on page 84 To restart ...

Page 80: ...ss and the dots are being displayed 4 Enter Boot Recovery Mode by pressing R The Recovery Mode menu will appear 5 To start the recovery process using TFTP press T The following message will appear 6 Enter the IP address of the management port 7 Enter the network mask of the management port 8 Enter the gateway of the management port 9 Enter the IP address of the TFTP server 10 Enter the filename of...

Page 81: ...10 72 97 135 Image Filename CN4093 8 3 1 0_OS img Netmask 255 255 255 128 Gateway 10 241 6 66 Configuring management port Installing image CN4093 8 3 1 0_OS img from TFTP server 10 72 97 135 Extracting images Do NOT power cycle the switch Installing Application Image signature verified Install image as image 1 or 2 hit return to just boot image 2 Installing image as image2 100 Image2 updated succe...

Page 82: ... Xmodem download You will see the following display 6 When you see the following message change the Serial Port speed to 115200 bps 7 Press Enter to set the system into download accept mode When the readiness meter displays a series of C characters start Xmodem on your terminal emulator You will see a display similar to the following 8 Select the image to download Xmodem initiates the file transfe...

Page 83: ...alling Root Filesystem Image signature verified 100 Installing Kernel Image signature verified 100 Installing Device Tree Image signature verified 100 Installing Boot Loader 100 Updating install log File image installed from xmodem at 18 06 02 on 13 3 2015 Please select one of the following options T Configure networking and tftp download an image X Use xmodem 1K to serial download an image P Phys...

Page 84: ...ity test will be performed The system location blue LED will blink a number of times between 1 and 12 Enter that number 8 After entering the correct number the Recovery Mode menu will re appear To install an unofficial image use one of the following procedures TFTP for details see page 80 XModem Download for details see page 82 Note You have three attempts to successfully complete the security tes...

Page 85: ... Copyright Lenovo 2017 85 Part 2 Securing the Switch ...

Page 86: ...86 CN4093 Application Guide for N OS 8 4 ...

Page 87: ...ter discusses different methods of securing local and remote administration on the CN4093 10 Gb Converged Scalable Switch CN4093 Changing the Switch Passwords on page 88 Secure Shell and Secure Copy on page 89 End User Access Control on page 94 Protected Mode on page 97 ...

Page 88: ...oth the user and administrator passwords The default administrator account is USERID The default password for the administrator account is PASSW0RD with a zero To change the administrator password use the following procedure 1 Connect to the switch and log in as the administrator 2 Use the following command to change the administrator password Changing the Default User Password The user login has ...

Page 89: ...ecure channels Although SSH and SCP are disabled by default enabling and using these features provides the following benefits Identifying the administrator using Name Password Authentication of remote administrators Authorization of remote administrators Determining the permitted actions and customizing service for individual administrators Encryption of management messages Encrypting messages bet...

Page 90: ...SSH and SCP Client Commands This section shows the format for using some common client commands To Log In to the Switch from the Client Syntax Note The 4 option the default specifies that an IPv4 switch address will be used The 6 option specifies IPv6 Example CN 4093 config ssh enable Turn SSH on CN 4093 config no ssh enable Turn SSH off CN 4093 config no ssh scp enable CN 4093 config no ssh scp p...

Page 91: ...en the new and the current configurations putcfg_apply runs the apply command after the putcfg is done putcfg_apply_save saves the new configuration to the flash after putcfg_apply is done The putcfg_apply and putcfg_apply_save commands are provided because extra apply and save commands are usually required after a putcfg however an SCP session is not in an interactive mode scp 4 6 username switch...

Page 92: ...ss getimg1 local filename scp 4 6 username switch IP address getimg2 local filename scp 4 6 username switch IP address getboot local filename scp scpadmin 205 178 15 157 getimg1 6 1 0_os img scp 4 6 local filename username switch IP address putimg1 scp 4 6 local filename username switch IP address putimg2 scp 4 6 local filename username switch IP address putboot scp 6 1 0_os img scpadmin 205 178 1...

Page 93: ...mand to generate it manually When the switch reboots it will retrieve the host key from the FLASH memory Note The switch will perform only one session of key cipher generation at a time Thus an SSH SCP client will not be able to log in if the switch is performing key generation at that time Also key generation will fail if an SSH SCP client is logging in at that time SSH SCP Integration with RADIU...

Page 94: ...n the switch and has no effect on the user password on the Radius server Radius authentication and user password cannot be used concurrently to access the switch Passwords can be up to 64 characters in length for Telnet SSH Console and Web access Strong Passwords The administrator can require use of Strong Passwords for users to access the CN4093 Strong Passwords enhance security because they make...

Page 95: ...onfiguration Enabling or Disabling a User An end user account must be enabled before the switch recognizes and permits login under the account Once enabled the switch requires any user to enter both username and password Locking Accounts To protect the switch from unauthorized access the account lockout feature can be enabled By default account lockout is disabled To enable this feature ensure the...

Page 96: ...to an End User Account Once an end user account is configured and enabled the user can login to the switch using the username password combination The level of switch access is determined by the Class of Service established for the end user account CN 4093 config access user strong password clear local user lockout username user name CN 4093 config access user strong password clear local user lock...

Page 97: ...net access to one of the switch s IP interfaces is enabled Use the following command to turn Protected Mode on CN 4093 config protected mode enable If you lose access to the switch through the external ports use the console port to connect directly to the switch and configure an IP interface with Telnet access Stacking Mode When the switch is in stacking mode Protected Mode is automatically enable...

Page 98: ...98 CN4093 Application Guide for N OS 8 4 ...

Page 99: ...gnificant management functions across the Internet The following are some of the functions for secured IPv4 management and device access RADIUS Authentication and Authorization on page 100 TACACS Authentication on page 104 LDAP Authentication and Authorization on page 110 Note Enterprise NOS 8 4 does not support IPv6 for RADIUS TACACS or LDAP ...

Page 100: ...nformation A client in this case the switch The CN4093 acting as the RADIUS client communicates to the RADIUS server to authenticate and authorize a remote administrator using the protocol definitions specified in RFC 2138 and 2866 Transactions between the client and the RADIUS server are authenticated using a shared key that is not sent over the network In addition the remote administrator passwo...

Page 101: ... supports the following RADIUS authentication features Supports RADIUS client on the switch based on the protocol definitions in RFC 2138 and RFC 2866 Allows a RADIUS secret password of up to 32 characters Supports secondary authentication server so that when the primary authentication server is unreachable the switch can send client authentication requests to the secondary authentication server U...

Page 102: ... Accounts The user accounts listed in Table 7 can be defined in the RADIUS server dictionary file Table 7 User Access Levels User Account Description and Tasks Performed Password User The User has no direct responsibility for switch management He she can view all switch status information and statistics but cannot make any configuration changes to the switch user Operator In addition to User capab...

Page 103: ...via the console port by using noradius as radius username You can then enter the username and password configured on the switch If you are trying to connect via SSH Telnet HTTP HTTPS there are two possibilities Backdoor is enabled The switch acts like it is connecting via console Secure backdoor is enabled You must enter the username noradius The switch checks if RADIUS server is reachable If it i...

Page 104: ...mit attempts and time outs to compensate for best effort transport but it lacks the level of built in support that a TCP transport offers TACACS offers full packet encryption whereas RADIUS offers password only encryption in authentication requests TACACS separates authentication authorization and accounting How TACACS Authentication Works TACACS works much in the same way as RADIUS authentication...

Page 105: ...s table must be defined on the TACACS server Alternate mapping between TACACS authorization levels and Enterprise NOS management access levels is shown in Table 10 Use the following command to use the alternate TACACS authorization levels You can customize the mapping between TACACS privilege levels and CN4093 management access levels Use the following command to manually map each TACACS privilege...

Page 106: ...ities on the device for the purposes of billing and or security It follows the authentication and authorization actions If the authentication and authorization is not performed via TACACS there are no TACACS accounting messages sent out You can use TACACS to record and track software login access configuration changes and interactive commands The CN4093 supports the following TACACS accounting att...

Page 107: ... or sync are not sent Only leaf level commands are sent for authorization and logging For example is not sent but the following command is sent The full path of each command is sent for authorization and logging For example Command arguments are not sent for authorization Only executed commands are logged Invalid commands are checked by Enterprise NOS and are not sent for authori zation or logging...

Page 108: ...on is performed on each leaf level command separately If the user issues multiple commands at once each command is sent separately as a full path Only the following global commands are sent for authorization and logging diff ping revert telnet traceroute ...

Page 109: ...r of retry attempts and the timeout period 5 Configure custom privilege level mapping optional CN 4093 config no tacacs server password change CN 4093 config tacacs server chpassp Change primary TACACS password CN 4093 config tacacs server chpasss Change secondary TACACS password Enter primary server IPv4 address CN 4093 config tacacs server primary host 10 10 1 1 CN 4093 config tacacs server prim...

Page 110: ...ion A client in this case the switch Each entry in the LDAP server is referenced by its Distinguished Name DN The DN consists of the user account name concatenated with the LDAP domain name If the user account name is John the following is an example DN uid John ou people dc domain dc com Configuring the LDAP Server CN4093 user groups and user accounts must reside within the same domain On the LDA...

Page 111: ...he timeout period 5 You may change the default LDAP attribute uid or add a custom attribute For instance Microsoft s Active Directory requires the cn common name attribute CN 4093 config ldap server enable CN 4093 config ldap server primary host 10 10 1 1 CN 4093 config ldap server secondary host 10 10 1 2 CN 4093 config ldap server domain ou people dc my domain dc com CN 4093 config ldap server p...

Page 112: ...112 CN4093 Application Guide for N OS 8 4 ...

Page 113: ...ess to ports that fail authentication and authorization This feature provides security to ports of the CN4093 10 Gb Converged Scalable Switch CN4093 that connect to blade servers The following topics are discussed in this section Extensible Authentication Protocol over LAN on page 114 EAPoL Authentication Process on page 115 EAPoL Port States on page 116 Guest VLAN on page 117 Supported RADIUS Att...

Page 114: ...cator The Authenticator enforces authentication and controls access to the network The Authenticator grants network access based on the information provided by the Supplicant and the response from the Authentication Server The Authenticator acts as an intermediary between the Supplicant and the Authentication Server requesting identity information from the client forwarding that information to the...

Page 115: ...n method over Ethernet frames called EAP over LAN EAPOL Figure 1 shows a typical message exchange initiated by the client Figure 1 Authenticating a Port Using EAPoL 802 1x Client RADIUS Server Radius Access Request Radius Access Challenge Radius Access Request Radius Access Accept EAP Request Credentials EAP Response Credentials EAP Success EAP Request Credentials EAP Response Credentials EAPOL St...

Page 116: ...rolled port When the client later sends an EAPOL Logoff message to the CN4093 authenticator the port transitions from authorized to unauthorized state If a client that does not support 802 1X connects to an 802 1X controlled port the CN4093 authenticator requests the clientʹs identity when it detects a change in the operational state of the port The client does not respond to the request and the p...

Page 117: ...received an EAPOL response are placed into the Guest VLAN if one is configured on the switch Once the port is authenticated it is moved from the Guest VLAN to its configured VLAN When Guest VLAN enabled the following considerations apply while a port is in the unauthenticated state The port is placed in the guest VLAN The Port VLAN ID PVID is changed to the Guest VLAN ID Port tagging is disabled o...

Page 118: ...of the authenticator used for Radius communication 1 0 0 0 5 NAS Port Port number of the authenticator port to which the supplicant is attached 1 0 0 0 24 State Server specific value This is sent unmodified back to the server in an Access Request that is in response to an Access Challenge 0 1 0 1 0 1 0 30 Called Station ID The MAC address of the authenticator encoded as an ASCII string in canonica...

Page 119: ...enticator relays the decoded packet to both devices 1 1 1 1 80 Message Authenticator Always present whenever an EAP Message attribute is also included Used to integrity protect a packet 1 1 1 1 87 NAS Port ID Name assigned to the authenticator port e g Server1_Port3 1 0 0 0 Legend RADIUS Packet Types A R Access Request A A Access Accept A C Access Challenge A R Access Reject RADIUS Attribute Suppo...

Page 120: ...802 1X supplicant capability is not supported Therefore none of its ports can successfully connect to an 802 1X enabled port of another device such as another switch that acts as an authenticator unless access control on the remote port is disabled or is configured in forced authorized mode For example if a CN4093 is connected to another CN4093 and if 802 1X is enabled on both switches the two con...

Page 121: ...v4 ACLs are configured using the following CLI menu IPv6 ACLs Up to 128 ACLs are supported for networks that use IPv6 addressing IPv6 ACLs are configured using the following CLI menu Management ACLs Up to 128 MACLs are supported ACLs for the different types of management protocols Telnet HTTPS etc provide greater granularity for securing management traffic Management ACLs are configured using the ...

Page 122: ...ou to classify packets based on the following packet attributes Ethernet header options for regular ACLs and VMaps only Source MAC address Destination MAC address VLAN number and mask Ethernet type ARP IPv4 MPLS RARP etc Ethernet Priority the IEEE 802 1p Priority IPv4 header options for regular ACLs and VMaps only Source IPv4 address and subnet mask Destination IPv4 address and subnet mask Type of...

Page 123: ...Egress port packets for all ACLs Table 13 Well Known Application Ports Port TCP UDP Application Port TCP UDP Application Port TCP UDP Application 20 21 22 23 25 37 42 43 53 69 70 ftp data ftp ssh telnet smtp time name whois domain tftp gopher 79 80 109 110 111 119 123 143 144 161 162 finger http pop2 pop3 sunrpc nntp ntp imap news snmp snmptrap 179 194 220 389 443 520 554 1645 1812 1813 1985 bgp i...

Page 124: ... over lower priority ACLs ACL order of precedence is discussed in the next section To create and assign ACLs in groups see ACL Groups on page 125 ACL Order of Precedence When multiple ACLs are assigned to a port they are evaluated in numeric sequence based on the ACL number Lower numbered ACLs take precedence over higher numbered ACLs For example ACL 1 if assigned to the port is evaluated first an...

Page 125: ...p ACL Group is a collection of ACLs For example ACL Groups organize ACLs into traffic profiles that can be more easily assigned to ports The CN4093 supports up to 256 ACL Groups Note ACL Groups are used for convenience in assigning multiple ACLs to ports ACL Groups have no effect on the order in which ACLs are applied see ACL Order of Precedence on page 124 All ACLs assigned to the port whether in...

Page 126: ... ACL as follows In Profile If there is no meter configured or if the packet conforms to the meter the packet is classified as In Profile Out of Profile If a meter is configured and the packet does not conform to the meter exceeds the committed rate or maximum burst rate of the meter the packet is classified as Out of Profile Using meters you set a Committed Rate in Kbps 1000 bits per second in eac...

Page 127: ...he following commands to add mirroring to an ACL For regular ACLs The ACL must be also assigned to it target ports as usual see Assigning Individual ACLs to a Port on page 124 or Assigning ACL Groups to a Port on page 125 For VMaps see VLAN Maps on page 132 Viewing ACL Statistics ACL statistics display how many packets have hit matched each ACL Use ACL statistics to check filter performance or to ...

Page 128: ...mation When ACL logging is enabled on any particular ACL the switch will collect information about packets that match the ACL The information collected depends on the ACL type For IP based ACLs information is collected regarding Source IP address Destination IP address TCP UDP port number ACL action Number of packets logged For example Sep 27 4 20 28 DUT3 NOTICE ACL LOG IP ACCESS LOG list ACL IP 1...

Page 129: ...val value can be changed as follows Where the interval rate is specified in seconds In any given interval packets that have identical log information are condensed into a single message However the packet count shown in the ACL log message represents only the logged messages which due to rate limiting may be significantly less than the number of packets actually matched by the ACL Also the switch ...

Page 130: ...from class 100 10 1 0 24 and destination IP 200 20 2 2 is denied 1 Configure an Access Control List 2 Add ACL 2 to port EXT2 CN 4093 config access control list 1 ipv4 destination ip address 100 10 1 1 CN 4093 config access control list 1 action deny CN 4093 config interface port EXT1 CN 4093 config if access control list 1 CN 4093 config if exit CN 4093 config access control list 2 ipv4 source ip ...

Page 131: ...m the network 100 10 1 0 24 and is destined for port 3 is denied 1 Configure an Access Control List 2 Add ACL 4 to port EXT1 CN 4093 config access control list 4 ipv4 source ip address 100 10 1 0 255 255 255 0 CN 4093 config access control list 4 egress port 3 CN 4093 config access control list 4 action deny CN 4093 config interface port EXT1 CN 4093 config if access control list 4 CN 4093 config ...

Page 132: ...ned to it When the optional intports or extports parameter is specified the action to add or remove the vMAP is applies for either the internal downlink ports or external uplink ports only If omitted the operation will be applied to all ports in the associated VLAN or VM group Note VMAPs have a lower priority than port based ACLs If both an ACL and a VMAP match a particular packet both filter acti...

Page 133: ...ic from VLAN 3 server ports is mirrored to a network monitor on port 4 CN 4093 config access control vmap 21 packet format ethernet ethernet type2 CN 4093 config access control vmap 21 mirror port 4 CN 4093 config access control vmap 21 action permit CN 4093 config vlan 3 CN 4093 config vlan vmap 21 intports ...

Page 134: ... MACL configuration based on a destination IP address and a TCP UDP destination port Use the following command to view the MACL configuration CN 4093 config access control macl 1 ipv4 destination ip address 1 1 1 1 255 255 255 0 CN 4093 config access control macl 1 tcp udp destination port 111 0xffff CN 4093 config access control macl 1 statistics CN 4093 config access control macl 1 action permit...

Page 135: ...135 Part 3 Switch Basics This section discusses basic switching functions VLANs Port Aggregation Spanning Tree Protocols Spanning Tree Groups Rapid Spanning Tree Protocol and Multiple Spanning Tree Protocol Quality of Service ...

Page 136: ...136 CN4093 Application Guide for N OS 8 4 ...

Page 137: ...topics are discussed in this chapter VLANs and Port VLAN ID Numbers on page 139 VLAN Tagging Trunk Mode on page 142 VLAN Topologies and Design Considerations on page 147 Protocol Based VLANs on page 150 Private VLANs on page 153 Note Basic VLANs can be configured during initial switch configuration see Using the Setup Utility in the CN4093 Enterprise NOS 8 4 Command Reference More comprehensive VL...

Page 138: ...multicast broadcast and unknown unicast frames are flooded only to ports in the same VLAN The CN4093 automatically supports jumbo frames This default cannot be manually configured or disabled The CN4093 10 Gb Converged Scalable Switch CN4093 supports jumbo frames with a Maximum Transmission Unit MTU of 9 216 bytes Within each frame 18 bytes are reserved for the Ethernet header and CRC trailer The ...

Page 139: ...AN SoL management a feature available on certain server blades Management functions can also be assigned to other VLANs using the following command Use the following command to view VLAN information Note The sample screens that appear in this document might differ slightly from the screens displayed by your system Screen content varies based on the type of blade chassis unit that you are using and...

Page 140: ...2 1 INTA3 3 n Internal d e e 1 INTA3 1 INTA4 4 n Internal d e e 1 INTA4 1 INTA5 5 n Internal d e e 1 INTA5 1 INTA6 6 n Internal d e e 1 INTA6 1 INTA7 7 n Internal d e e 1 INTA7 1 INTA8 8 n Internal d e e 1 INTA8 1 INTA9 9 n Internal d e e 1 INTA9 1 INTC13 41 n Internal d e e 1 INTC13 1 INTC14 42 n Internal d e e 1 INTC14 1 EXT1 43 n External d e e 1 EXT1 1 EXT2 44 n External d d d 1 EXT2 1 EXT3 45...

Page 141: ...AN can have any number of switch ports in its membership Any port that belongs to multiple VLANs however must have VLAN tagging enabled see VLAN Tagging Trunk Mode on page 142 CN 4093 config interface port port number CN 4093 config if switchport access vlan VLAN ID CN 4093 config interface port port number CN 4093 config if switchport trunk native vlan VLAN ID ...

Page 142: ...ed frames received by the switch are classified with the PVID of the receiving port Tagged frame a frame that carries VLAN tagging information in the header This VLAN tagging information is a 32 bit field VLAN tag in the frame header that identifies the frame as belonging to a specific VLAN Untagged frames are marked tagged with this classification as they leave the switch through a port that is c...

Page 143: ... generic examples of VLAN tagging In Figure 3 untagged incoming packets are assigned directly to VLAN 2 PVID 2 Port 5 is configured as a tagged member of VLAN 2 and port 7 is configured as an untagged member of VLAN 2 Note The port assignments in the following figures are general examples and are not meant to match any specific CN4093 Figure 3 Port based VLAN assignment Port 1 DA SA Data CRC Incom...

Page 144: ...e packet Port 5 is configured as a tagged member of VLAN 2 and port 7 is configured as an untagged member of VLAN 2 Figure 5 802 1Q tag assignment BS45012A Port 6 Port 7 Port 8 Port 1 Port 4 Port 5 Port 2 Port 3 802 1Q Switch Key Priority CFI VID User_priority Canonical format indicator VLAN identifier PVID 2 Tagged member of VLAN 2 Untagged memeber of VLAN 2 After DA SA Data CRC Recalculated Outg...

Page 145: ...tagging after 802 1Q tag assignment Note Setting the configuration to factory default CN 4093 config boot configuration block factory will reset all non management ports to VLAN 1 BS45014A Port 6 Port 7 Port 8 Port 1 Port 4 Port 5 Port 2 Port 3 802 1Q Switch Key Priority CFI VID User_priority Canonical format indicator VLAN identifier PVID 2 Tagged member of VLAN 2 Untagged member of VLAN 2 After ...

Page 146: ... port the outer tag of the packet is removed when it leaves the egress port Figure 7 802 1Q tagging after ingress tagging assignment By default ingress tagging is disabled To enable ingress tagging on a port use the following commands Limitations Ingress tagging cannot be configured with the following features configurations vNIC ports VMready ports UFP ports Management ports CN 4093 config interf...

Page 147: ...P mode STG 1 to 32 can include multiple VLANs VLAN Configuration Rules VLANs operate according to specific configuration rules When creating VLANs consider the following rules that determine how the configured VLAN reacts in any network topology All ports involved in aggregation and port mirroring must have the same VLAN configuration If a port is on a LAG with a mirroring port the VLAN configura ...

Page 148: ...urned on The adapter is attached to one of the internal switch ports that is a member of VLANs 1 2 and 3 and has tagging enabled Because of the VLAN tagging capabilities of both the adapter and the switch the server is able to communicate on all three IP subnets in this network Broadcast separation between all three VLANs and subnets however is maintained PCs 1 and 2 These PCs are attached to a sh...

Page 149: ... of VLAN 3 this PC can only communicate with Server 1 and Server 2 The associated external switch port has tagging disabled PC 5 A member of both VLAN 1 and VLAN 2 this PC has a VLAN tagging Gigabit Ethernet adapter installed It can communicate with Server 2 and PC 3 via VLAN 1 and to Server 2 PC 1 and PC 2 via VLAN 2 The associated external switch port is a member of VLAN 1 and VLAN 2 and has tag...

Page 150: ...egment IPv4 traffic To define a PVLAN on a VLAN configure a PVLAN number 1 8 and specify the frame type and the Ethernet type of the PVLAN protocol You must assign at least one port to the PVLAN before it can function Define the PVLAN frame type and Ethernet type as follows Frame type consists of one of the following values Ether2 Ethernet II SNAP Subnetwork Access Protocol LLC Logical Link Contro...

Page 151: ...LAN tagging has higher precedence than port based tagging If a port is tag enabled and the port is a member of a PVLAN the PVLAN tags egress frames that match the PVLAN protocol Use the tag pvlan command vlan x protocol vlan x tag pvlan x to define the complete list of tag enabled ports in the PVLAN Note that all ports not included in the PVLAN tag list will have PVLAN tagging disabled PVLAN Confi...

Page 152: ...the current VLAN 5 Enable the PVLAN 6 Verify PVLAN operation CN 4093 config interface port 1 2 CN 4093 config if switchport mode trunk CN 4093 config if exit CN 4093 config vlan 2 CN 4093 config vlan protocol vlan 1 frame type ether2 0800 CN 4093 config vlan protocol vlan 1 priority 2 CN 4093 config vlan protocol vlan 1 member 1 2 CN 4093 config vlan protocol vlan 1 enable CN 4093 config vlan exit...

Page 153: ... community and to ports in the primary VLAN Each Private VLAN can contain multiple community VLANs After you define the primary VLAN and one or more secondary VLANs you map the secondary VLAN s to the primary VLAN Private VLAN Ports Private VLAN ports are defined as follows Promiscuous A promiscuous port is a port that belongs to the primary VLAN The promiscuous port can communicate with all the i...

Page 154: ...lect a VLAN and define the Private VLAN type as primary 2 Configure a promiscuous port for VLAN 700 3 Configure two secondary VLANs isolated VLAN and community VLAN 4 Map secondary VLANs to primary VLAN CN 4093 config vlan 700 CN 4093 config vlan private vlan primary CN 4093 config vlan exit CN 4093 config interface port 1 CN 4093 config if switchport mode private vlan CN 4093 config if switchport...

Page 155: ...private vlan CN 4093 config if switchport private vlan host association 700 701 CN 4093 config if exit CN 4093 config interface port 3 CN 4093 config if switchport mode private vlan CN 4093 config if switchport private vlan host association 700 702 CN 4093 config if exit CN 4093 config show vlan private vlan Primary Secondary Type Ports 700 701 isolated 1 2 700 702 community 1 3 ...

Page 156: ...156 CN4093 Application Guide for N OS 8 4 ...

Page 157: ...is a group of ports that act together combining their bandwidth to create a single larger virtual link This chapter provides configuration background and examples for aggregating multiple ports together Configuring Port Modes on page 158 Configuring QSFP Ports on page 160 Aggregation Overview on page 161 Static LAGs on page 162 Configurable LAG Hash Algorithm on page 165 Link Aggregation Control P...

Page 158: ... the port mode you must obtain a software license key The following command sequence is an example of how to upgrade the port mode e g switch SN Y010CM2CN058 Note Upgrade 1 and Upgrade 2 can be independently installed in any order You can choose to install any one upgrade or both CN 4093 software key Enter hostname or IP address of SFTP TFTP server 9 44 143 105 Enter name of file on SFTP TFTP serv...

Page 159: ...T2 44 n External d e e 1 EXT2 1 EXT3 45 n External d e e 1 EXT3 1 EXT4 46 n External d e e 1 EXT4 1 EXT5 47 n External d e e 1 EXT5 1 EXT6 48 n External d e e 1 EXT6 1 EXT7 49 n External d e e 1 EXT7 1 EXT8 50 n External d e e 1 EXT8 1 EXT9 51 n External d e e 1 EXT9 1 EXT10 52 n External d e e 1 EXT10 1 EXT11 53 n External d e e 1 EXT11 1 EXT12 54 n External d e e 1 EXT12 1 EXT13 55 n External d ...

Page 160: ...ode to reset the ports to 10GbE mode Physical Port Number 40GbE mode 10GbE mode Port EXT3 Port EXT3 Ports EXT3 EXT6 Port EXT7 Port EXT7 Ports EXT7 EXT10 CN 4093 show boot qsfp port modes QSFP ports booted configuration Port EXT3 EXT4 EXT5 EXT6 10G Mode Port EXT7 EXT8 EXT9 EXT10 10G Mode QSFP ports saved configuration Port EXT3 EXT4 EXT5 EXT6 10G Mode Port EXT7 EXT8 EXT9 EXT10 10G Mode CN 4093 conf...

Page 161: ...gation Group LAG LAGs are also useful for connecting a CN4093 to third party devices that support link aggregation such as Cisco routers and switches with EtherChannel technology not ISL aggregation technology and Sunʹs Quad Fast Ethernet Adapter Static LAG technology is compatible with these devices when they are configured manually LAG traffic is statistically distributed among the ports in a LA...

Page 162: ...AGs consider the following rules that determine how a LAG reacts in any network topology All LAGs must originate from one network entity a single device or multiple devices acting in a stack and lead to one destination entity For example you cannot combine links from two different servers into one LAG Any physical switch port can belong to only one LAG Depending on port availability the switch sup...

Page 163: ... however LAG members can be monitored All ports in static LAGs must have the same link configuration speed duplex flow control Configuring a Static LAG In the following example three ports are aggregated between two switches Figure 10 LAG Configuration Example Prior to configuring each switch in the preceding example you must connect to the appropriate switch s Command Line Interface CLI as the ad...

Page 164: ...on problems could arise when using automatic LAG negotiation on the third party device 4 Examine the aggregation information on each switch Information about each port in each configured LAG is displayed Make sure that LAGs consist of the expected ports and that each port is in the expected state The following restrictions apply Any physical switch port can belong to only one LAG Up to 24 ports ca...

Page 165: ...tions may be applied Source MAC address smac Destination MAC address dmac Both source and destination MAC address enabled by default Note At least one Layer 2 option must always be enabled The smac and dmac options may not both be disabled at the same time For Layer 3 IPv4 IPv6 traffic one of the following are permitted Source IP address sip Destination IP address dip Both source and destination I...

Page 166: ...ion is enabled Note For MPLS packets Layer 4 port information is excluded from the hash calculation Instead other IP fields are used along with the first two MPLS labels The CN4093 supports the following FCoE hashing options CN 4093 config portchannel thash ingress CN 4093 config portchannel thash l4port CN 4093 config portchannel thash fcoe cntag id CN 4093 config portchannel thash fcoe destinati...

Page 167: ...rt can be aggregated The Link Aggregation ID LAG ID is constructed mainly from the system ID and the port s admin key as follows System ID an integer value based on the switch s MAC address and the system priority assigned in the CLI Admin key a port s admin key is an integer value 1 65535 that you can configure in the CLI Each CN4093 port that participates in the same LACP LAG must have the same ...

Page 168: ...ink aggregation LACP Modes Each port in the CN4093 can have one of the following LACP modes off default The user can configure this port in to a regular static LAG active The port is capable of forming a LACP LAG This port sends LACPDU packets to partner system ports passive The port is capable of forming a LACP LAG This port only responds to the LACPDU packets sent from a LACP active port Each ac...

Page 169: ...ted ports to be treated as normal link up ports which may forward data traffic according to STP Hot Links or other applications if they do not receive any LACPDUs To configure the LACP individual setting for all the ports in a static LACP LAG use the following commands Note By default ports are configured as below external ports with lacp suspend individual internal ports with no lacp suspend indi...

Page 170: ...e and define the admin key Only ports with the same admin key can form a LACP LAG 3 Set the LACP mode 4 Optionally allow member ports to individually participate in normal data traffic if no LACPDUs are received 5 Set the link aggregation as static by associating it with LAG ID 65 CN 4093 config interface port 7 9 CN 4093 config if lacp key 100 CN 4093 config if lacp mode active CN 4093 config if ...

Page 171: ...event broadcast loops and ensure that the CN4093 10 Gb Converged Scalable Switch CN4093 uses only the most efficient network path This chapter covers the following topics Spanning Tree Protocol Modes on page 172 Global STP Control on page 172 PVRST Mode on page 173 Rapid Spanning Tree Protocol on page 185 Multiple Spanning Tree Protocol on page 187 Port Type and Link Type on page 191 ...

Page 172: ... based on RSTP to provide rapid Spanning Tree convergence but supports instances of Spanning Tree allowing one STG per VLAN PVRST mode is compatible with Cisco R PVST R PVST mode PVRST is the default Spanning Tree mode on the CN4093 See PVRST Mode on page 173 for details Multiple Spanning Tree Protocol MSTP IEEE 802 1Q 2003 MSTP provides both rapid convergence and load balancing in a VLAN environm...

Page 173: ...available STGs with each STG acting as an independent simultaneous instance of STP PVRST uses IEEE 802 1Q tagging to differentiate STP BPDUs and is compatible with Cisco R PVST R PVST modes The relationship between ports LAGs VLANs and Spanning Trees is shown in Table 17 Port States The port state controls the forwarding and learning processes of Spanning Tree In PVRST the port state has been cons...

Page 174: ...er than its own priority it will replace its BPDU with the received BPDU Then the switch adds its own bridge ID number and increments the path cost of the BPDU The switch uses this information to block any necessary ports Note If STP is globally disabled BPDUs from external devices will transit the switch transparently If STP is globally enabled for ports where STP is turned off inbound BPDUs will...

Page 175: ...rcing STP re convergence If a root guard enabled port detects a root device that port will be placed in a blocked state You can configure the root guard at the port level using the following commands The default state is none disabled Loop Guard In general STP resolves redundant network topologies into loop free topologies The loop guard feature performs additional checking to detect loops that mi...

Page 176: ...e of 0 the default indicates that the default cost will be computed for an auto negotiated link or LAG speed Use the following command to modify the port path cost The port path cost can be a value from 1 to 200000000 Specify 0 for automatic path cost Simple STP Configuration Figure 11 depicts a simple topology using a switch to switch link between two switches via either external ports or interna...

Page 177: ...link on the other CN4093 as shown in Figure 12 Figure 12 Spanning Tree Restoring the Switch to Switch Link In this example port 10 on each switch is used for the switch to switch link To ensure that the CN4093 switch to switch link is blocked during normal operation the port path cost is set to a higher value than other paths in the network To configure the port path cost on the switch to switch l...

Page 178: ...igure two ports on a CN4093 are connected to two ports on an application switch Each of the links is configured for a different VLAN preventing a network loop However in the first network since a single instance of Spanning Tree is running on all the ports of the CN4093 a physical loop is assumed to exist and one of the VLANs is blocked impacting connectivity even though no actual loop exists Figu...

Page 179: ... when a VLAN is deleted if its STG is not associated with any other VLAN the STG is returned to the available pool The specific STG number to which the VLAN is assigned is based on the VLAN number itself For low VLAN numbers 1 through 127 the switch will attempt to assign the VLAN to its matching STG number For higher numbered VLANs the STG assignment is based on a simple modulus calculation the a...

Page 180: ... a different STG see Manually Assigning STGs on page 180 The VLAN is automatically removed from its old STG before being placed into the new STG Each VLANs must be contained within a single STG a VLAN cannot span multiple STGs By confining VLANs within a single STG you avoid problems with Spanning Tree blocking ports and causing a loss of connectivity within the VLAN When a VLAN spans multiple swi...

Page 181: ...the PVID from 3 to 1 When you remove a port from VLAN that belongs to an STG that port will also be removed from the STG However if that port belongs to another VLAN in the same STG the port remains in the STG As an example assume that port 2 belongs to only VLAN 2 and that VLAN 2 belongs to STG 2 When you remove port 2 from VLAN 2 the port is moved to default VLAN 1 and is removed from STG 2 Howe...

Page 182: ...on port 2 and Switch D receives the BPDU on port 1 Because there is a network loop between the switches in VLAN 1 either Switch D will block port 8 or Switch C will block port 1 depending on the information provided in the BPDU VLAN 2 Participation Switch B the root bridge generates a BPDU for STG 2 from port 8 Switch A receives this BPDU on port 17 which is assigned to VLAN 2 STG 2 Because switch...

Page 183: ... 3 VLAN 2 and VLAN 3 are removed from STG 1 Note In PVRST mode each instance of STG is enabled by default 3 Configure the following on Switch B Add port 8 to VLAN 2 Ports 1 and 2 are by default in VLAN 1 assigned to STG 1 CN 4093 config spanning tree mode pvrst CN 4093 config vlan 2 CN 4093 config vlan exit CN 4093 config vlan 3 CN 4093 config vlan exit If VASA is disabled enter the following comm...

Page 184: ... VLAN 3 is automatically removed from STG 1 By default VLAN 1 remains in STG 1 Switch D does not require any special configuration for multiple Spanning Trees Switch D uses default STG 1 only CN 4093 config vlan 3 CN 4093 config vlan stg 3 CN 4093 config vlan exit CN 4093 config interface port 8 CN 4093 config if switchport mode trunk CN 4093 config if exit If VASA is disabled enter the following ...

Page 185: ...h devices that run IEEE 802 1D 1998 Spanning Tree Protocol If the switch detects IEEE 802 1D 1998 BPDUs it responds with IEEE 802 1D 1998 compatible data units RSTP is not compatible with Per VLAN Rapid Spanning Tree PVRST protocol Note In RSTP mode Spanning Tree for the management ports is turned off by default Port States RSTP port state controls are the same as for PVRST discarding learning and...

Page 186: ...ing tree mode rstp CN 4093 config spanning tree stp 1 bridge priority 8192 CN 4093 config spanning tree stp 1 bridge hello time 5 CN 4093 config spanning tree stp 1 bridge forward delay 20 CN 4093 config spanning tree stp 1 bridge maximum age 30 CN 4093 config no spanning tree stp 1 enable CN 4093 config interface port 3 CN 4093 config if spanning tree stp 1 priority 240 CN 4093 config if spanning...

Page 187: ... Type on page 191 bypass the Discarding and Learning states and enter directly into the Forwarding state Note In MSTP mode Spanning Tree for the management ports is turned off by default MSTP Region A group of interconnected bridges that share the same attributes is called an MST region Each bridge within the region must share the following attributes Alphanumeric name Revision number VLAN to STG ...

Page 188: ...umber and VLAN mapping MSTP Configuration Examples MSTP Configuration Example 1 This section provides steps to configure MSTP on the CN4093 1 Configure port and VLAN membership on the switch 2 Configure Multiple Spanning Tree region parameters and set the mode to MSTP 3 Map VLANs to MSTP instances CN 4093 config spanning tree mst configuration Enter MST configuration mode CN 4093 config mst name n...

Page 189: ...t backing up the other 1 Configure port membership and define the STGs for VLAN 1 Enable tagging on uplink ports that share VLANs Port 19 and port 20 connect to the Enterprise Routing switches 2 Configure MSTP Spanning Tree mode region name and version Enterprise Routing Switch MSTP Group 1 Root Enterprise Routing Switch MSTP Group 2 Root Server 1 VLAN 1 Server 2 VLAN 1 Server 3 VLAN 2 Server 4 VL...

Page 190: ...ts 3 4 and 5 to VLAN 2 Add uplink ports 19 and 20 to VLAN 2 Assign VLAN 2 to STG 2 Note Each STG is enabled by default CN 4093 config spanning tree mst configuration CN 4093 config mst instance 1 vlan 1 CN 4093 config mst instance 2 vlan 2 CN 4093 config interface port 3 4 5 19 20 CN 4093 config if switchport access vlan 2 CN 4093 config if exit ...

Page 191: ...ine or clear a port as an edge port Link Type The link type determines how the port behaves in regard to Rapid Spanning Tree Use the following commands to define the link type for the port where type corresponds to the duplex mode of the port as follows p2p A full duplex link to another device point to point shared A half duplex link is a shared segment and can contain more than one device auto Th...

Page 192: ...192 CN4093 Application Guide for N OS 8 4 ...

Page 193: ... uplinks remain active utilizing all available bandwidth Two switches are paired into VLAG peers and act as a single virtual entity for the purpose of establishing a multi port aggregation Ports from both peers can be grouped into a VLAG and connected to the same LAG capable target device From the perspective of the target device the ports connected to the VLAG peers appear to be a single LAG conn...

Page 194: ...C switches Other devices connecting to the VLAG peers are configured using regular static or dynamic LAGs Note Do not configure a VLAG for connecting only one switch in the peer set to another device or peer set For instance in VLAG Peer C a regular LAG is employed for the downlink connection to VLAG Peer B because only one of the VLAG Peer C switches is involved ISL VLAG 3 VLAG 3 VLAG 5 VLAG 6 LA...

Page 195: ...dition when used with VRRP VLAGs can provide seamless active active failover for network links For example Figure 18 VLAG Application with VRRP Note VLAG is not compatible with UFP vPorts on the same ports ISL VLAG Server VRRP Master VRRP Backup VLAG Peers Active Traffic Flows ...

Page 196: ...tatic LAG portchannel or dynamic LACP LAG and consumes one slot from the overall port LAG capacity pool The type of aggregation must match that used on VLAG client devices Additional configuration is then required to implement the VLAG on both VLAG peer switches You may configure up to 52 LAGs on the switch with all types regular or VLAG static or LACP sharing the same pool The maximum number of c...

Page 197: ...ated inter switch link ISL for synchronization The ports used to create the ISL must have the following properties ISL ports must have VLAN tagging turned on ISL ports must be configured for all VLAG VLANs ISL ports must be placed into a regular port LAG dynamic or static A minimum of two ports on each switch are recommended for ISL use Dynamic routing protocols such as OSPF cannot terminate on VL...

Page 198: ...er and manually enable the ISL If you have enabled VLAG on the switch and you need to change the STP mode ensure that you first disable VLAG and then change the STP mode When VLAG is enabled you may see two root ports on the secondary VLAG switch One of these will be the actual root port for the secondary VLAG switch and the other will be a root port synced with the primary VLAG switch The LACP ke...

Page 199: ...mic LACP port LAG The VLAG peer switches share a dedicated ISL for synchronizing VLAG information On the individual VLAG peers each port leading to a specific client switch and part of the client switch s port LAG is configured as a VLAG In the following example configuration only the configuration for VLAG 1 on VLAG Peer 1 is shown VLAG Peer 2 and all other VLAGs are configured in a similar fashi...

Page 200: ...VLAG ports must be members of the same VLANs 3 Configure VLAG Tier ID This is used to identify the VLAG switch in a multi tier environment 4 Configure the ISL for the VLAG peer Make sure you configure the VLAG peer VLAG Peer 2 using the same ISL aggregation type dynamic or static the same VLAN and the same STP mode and tier ID used on VLAG Peer 1 CN 4093 config spanning tree mode pvrst CN 4093 con...

Page 201: ...figuration for VLAG Peer 2 For each corresponding VLAG on the peer the port LAG type dynamic or static the port s VLAN and STP mode and ID must be the same as on VLAG Peer 1 5 Enable VLAG globally 6 Verify the completed configuration CN 4093 config vlan 100 CN 4093 config vlan exit CN 4093 config interface port 8 CN 4093 config if switchport mode trunk CN 4093 config if exit CN 4093 config interfa...

Page 202: ...is case a dynamic LAG is shown A static LAG portchannel could be configured instead b ISL ports and VLAG ports must be members of the same VLANs 3 Configure VLAG Tier ID This is used to identify the VLAG switch in a multi tier environment 4 Configure the ISL for the VLAG peer Make sure you configure the VLAG peer VLAG Peer 2 using the same ISL aggregation type dynamic or static the same VLAN for v...

Page 203: ... each corresponding VLAG on the peer the port LAG type dynamic or static the port s VLAN and STP mode and ID must be the same as on VLAG Peer 1 6 Verify the completed configuration CN 4093 config vlan 100 CN 4093 config vlan exit CN 4093 config interface port 8 CN 4093 config if switchport mode trunk CN 4093 config if exit CN 4093 config spanning tree mst configuration CN 4093 config mst instance ...

Page 204: ... does not have a dedicated management interface configure a VLAN for the health check interface The health check interface can be configured with an IPv4 or IPv6 address Note Configure a similar interface on VLAG Peer 2 For example use IP address 10 10 10 2 2 Specify the IPv4 or IPv6 address of the VLAG Peer Note For VLAG Peer 2 the management interface would be configured as 10 10 10 2 and the he...

Page 205: ...routing Although OSPF is used in this example static routing could also be deployed For more information see OSPF on page 467 or Basic IP Routing on page 393 3 Configure a server facing interface Internet 10 0 1 1 10 0 1 2 10 0 1 3 Layer 3 Router Layer 3 Router 1 2 4 5 4 5 1 2 Server 1 Server 2 Server 3 VLAG Peer 1 ISL VLAG 1 VLAG 2 VLAG 3 VRRP Master VRRP Backup Network 10 0 1 0 24 VIR 10 0 1 100...

Page 206: ... 100 CN 4093 config vrrp virtual router 1 enable CN 4093 config vrrp virtual router 1 priority 101 CN 4093 config vrrp exit CN 4093 config interface port 4 5 CN 4093 config if switchport mode trunk CN 4093 config if lacp mode active CN 4093 config if lacp key 2000 CN 4093 config if exit CN 4093 config interface port 1 CN 4093 config if switchport access vlan 10 CN 4093 config if exit CN 4093 confi...

Page 207: ...ig ip if ip address 172 1 1 10 255 255 255 0 CN 4093 config ip if vlan 10 CN 4093 config ip if enable CN 4093 config ip if ip ospf area 1 CN 4093 config ip if ip ospf enable CN 4093 config ip if exit CN 4093 config interface ip 2 CN 4093 config ip if ip address 172 1 3 10 255 255 255 0 CN 4093 config ip if vlan 20 CN 4093 config ip if enable CN 4093 config ip if ip ospf area 1 CN 4093 config ip if...

Page 208: ...id 10 CN 4093 config vlag enable CN 4093 config router ospf CN 4093 config router ospf area 1 area id 0 0 0 1 CN 4093 config router ospf enable CN 4093 config router ospf exit CN 4093 config interface ip 3 CN 4093 config ip if ip address 10 0 1 11 255 255 255 0 CN 4093 config ip if vlan 100 CN 4093 config ip if exit CN 4093 config router vrrp CN 4093 config vrrp enable CN 4093 config vrrp virtual ...

Page 209: ... trunk CN 4093 config if exit CN 4093 config vlan 40 CN 4093 config vlan exit CN 4093 config interface port 2 CN 4093 config if switchport mode trunk CN 4093 config if exit CN 4093 config vlan 100 CN 4093 config vlan exit CN 4093 config interface port 4 5 10 12 CN 4093 config if switchport mode trunk CN 4093 config if exit CN 4093 config interface ip 1 CN 4093 config ip if ip address 172 1 2 11 25...

Page 210: ...fig if lacp key 1000 CN 4093 config if exit CN 4093 config interface port 11 CN 4093 config if lacp mode active CN 4093 config if lacp key 1100 CN 4093 config if exit CN 4093 config interface port 12 CN 4093 config if lacp mode active CN 4093 config if lacp key 1200 CN 4093 config if exit CN 4093 config vlag adminkey 1000 enable CN 4093 config vlag adminkey 1100 enable CN 4093 config vlag adminkey...

Page 211: ...ve mode In active mode Layer 3 traffic is forwarded in all vLAG related VRRP domains To enable vLAG VRRP active mode on a switch use the following command Note This is the default vLAG VRRP mode 2 vLAG VRRP Passive Half Active Active mode In passive mode Layer 3 traffic is forwarded in a vLAG related VRRP domain only if either the switch or its peer virtual router is the VRRP master To enable vLAG...

Page 212: ... and B ports 1 2 Ports connecting to Layer 2 3 ports 5 6 Ports on switches A and B connecting to switches C and D ports 10 11 Ports on switch B connecting to switch E ports 15 16 Ports on switch B connecting to switch F ports 17 18 ISL VLAG 3 VLAG 5 VLAG 6 LAG LAG VLAG 2 LAG ISL ISL Layer 2 3 Border Layer 2 Region with multiple levels Servers VLAG Peers C VLAG Peers B VLAG Peers A VLAG 1 LAG LAG V...

Page 213: ...onfig if exit CN 4093 config vlag isl adminkey 200 CN 4093 config vlan exit CN 4093 config vlan 10 VLAN number 10 with name VLAN 10 created VLAN 10 was assigned to STG 10 CN 4093 config vlan exit CN 4093 config interface port 1 2 5 CN 4093 config if switchport mode trunk CN 4093 config if exit CN 4093 config interface port 5 CN 4093 config if lacp key 400 CN 4093 config if lacp mode active CN 4093...

Page 214: ...and F as shown in Step 1 8 Configure the Switch G as shown in Step 2 CN 4093 config vlan 20 CN 4093 config vlan exit CN 4093 config interface port 10 11 CN 4093 config if switchport mode trunk CN 4093 config if lacp key 600 CN 4093 config if lacp mode active CN 4093 config if exit CN 4093 config vlag adminkey 600 enable CN 4093 config vlan 30 CN 4093 config vlan exit CN 4093 config interface port ...

Page 215: ...ecessary Also you can put a high priority on applications that are sensitive to timing out or those that cannot tolerate delay assigning that traffic to a high priority queue By assigning QoS levels to traffic flows on your network you can ensure that network resources are allocated where they are needed most QoS features allow you to prioritize network traffic thereby providing better service for...

Page 216: ...packets are assigned to different Class of Service COS queues and scheduled for transmission The basic CN4093 QoS model works as follows Classify traffic Read DSCP Read 802 1p Priority Match ACL filter parameters Meter traffic Define bandwidth and burst parameters Select actions to perform on in profile and out of profile traffic Perform actions Drop packets Pass packets Mark DSCP or 802 1p Priori...

Page 217: ... destination port TCP flag Packet format Ethernet format tagging format IPv4 IPv6 Egress port For ACL details see Access Control Lists on page 121 Summary of ACL Actions Actions determine how the traffic is treated The CN4093 QoS actions include the following Pass or Drop the packet Re mark the packet with a new DiffServ Code Point DSCP Re mark the 802 1p field Set the COS queue ACL Metering and R...

Page 218: ...v6 ACLs All traffic matching an IPv6 ACL is considered in profile for re marking purposes Using meters you set a Committed Rate in Kbps 1000 bits per second in each Kbps All traffic within this Committed Rate is In Profile Additionally you can set a Maximum Burst Size that specifies an allowed data burst larger than the Committed Rate for a brief period These parameters define the In Profile traff...

Page 219: ...sified by their DSCP value The Differentiated Services DS field in the IP header is an octet and the first six bits called the DS Code Point DSCP can provide QoS functions Each packet carries its own QoS state in the DSCP There are 64 possible DSCP values 0 63 Figure 23 Layer 3 IPv4 Packet The CN4093 can perform the following actions to the DSCP Read the DSCP value of ingress packets Re mark the D...

Page 220: ...cribed in RFC 2598 Assured Forwarding AF This PHB contains four service levels each with a different drop precedence as shown below Routers use drop precedence to determine which packets to discard last when the network becomes congested AF PHB is described in RFC 2597 Class Selector CS This PHB has eight priority classes with CS7 representing the highest priority and CS0 representing the lowest p...

Page 221: ...you must enable DSCP re marking on any port that you wish to perform this function Note If an ACL meter is configured for DSCP re marking the meter function takes precedence over QoS re marking Table 18 Default QoS Service Levels Service Level Default PHB 802 1p Priority Critical CS7 7 Network Control CS6 6 Premium EF CS5 5 Platinum AF41 AF42 AF43 CS4 4 Gold AF31 AF32 AF33 CS3 3 Silver AF21 AF22 A...

Page 222: ...SCP value 0 63 new value CN 4093 config qos dscp dot1p mapping DSCP value 0 63 802 1p value CN 4093 config interface port 1 CN 4093 config if qos dscp re marking CN 4093 config if exit CN 4093 config access control list 2 tcp udp source port 5060 0xffff CN 4093 config access control list 2 meter committed rate 10000000 CN 4093 config access control list 2 meter enable CN 4093 config access control...

Page 223: ...ict priority to VoIP COS queue 7 Map priority value to COS queue for non VoIP traffic 8 Assign weight to the non VoIP COS queue CN 4093 config qos transmit queue weight cos 7 0 CN 4093 config qos transmit queue mapping 1 1 CN 4093 config qos transmit queue weight cos 1 2 ...

Page 224: ...zero indicates a best effort traffic prioritization and this is the default when traffic priority has not been configured on your network The CN4093 can filter packets based on the 802 1p values and it can assign or overwrite the 802 1p value in the packet Figure 24 Layer 2 802 1q 802 1p VLAN Tagged Packet Ingress packets receive a priority value as follows Tagged packets CN4093 reads the 802 1p p...

Page 225: ...th the highest weight values For distribution purposes each packet is counted the same regardless of the packet s size A scheduling weight of 0 zero indicates strict priority Traffic in strict priority queue has precedence over other all queues If more than one queue is assigned a weight of 0 the strict queue with highest queue number will be served first Once all traffic in strict queues is deliv...

Page 226: ...anneled through a common packet queue However one protocol cannot be channeled through multiple packet queues These packet queues are applicable only to the packets received by the software and does not impact the regular switching or routing traffic Packet queue with a higher number has higher priority You can configure the bandwidth for each packet queue Protocols that share a packet queue will ...

Page 227: ...following command Setting the logging interval to 0 will log packet drops immediately with up to 1 second delay and will ignore further drops on the same queue during the next 2 minutes Setting the logging interval to a greater value 1 30 minutes regularly displays packet drop information at the designated time intervals Once the packet drops stop or if new packet drops are encountered only within...

Page 228: ...228 CN4093 Application Guide for N OS 8 4 ...

Page 229: ... Copyright Lenovo 2017 229 Part 4 Advanced Switching Features ...

Page 230: ...230 CN4093 Application Guide for N OS 8 4 ...

Page 231: ...em Fabric CN4093 10 Gb Converged Scalable Switch The following concepts are covered Stacking Overview on page 232 Stack Membership on page 235 Configuring a Stack on page 240 Managing a Stack on page 246 Upgrading Software in a Stack on page 248 Replacing or Removing Stacked Switches on page 249 ISCLI Stacking Commands on page 258 ...

Page 232: ...v4 addresses The CLI for Individual Member switches is available via the Master switch serial console or using remote Telnet SSH access to the Master Once the stacking links have been established see the next section the number of ports available in a stack equals the total number of remaining ports of all the switches that are part of the stack The number of available IP interfaces VLANs LAGs LAG...

Page 233: ...lows Stack of two units Maximum of two 10Gb ports or two 40 Gb ports Omni ports cannot be used as stack LAG links You cannot combine 10Gb ports with 40Gb ports in the stack LAGs An LACP port cannot be a stack LAG member If you need to use the port in the stack LAG you must first set the LACP port mode to off CN 4093 config if lacp mode off The cables used for connecting the switches in a stack car...

Page 234: ...d blocking Protocol based VLANs Router IDs Route maps Routing Information Protocol RIP sFlow port monitoring Spanning Tree Protocol STP Root Guard and Loop Guard Static MAC address adding Static Multicast Routes Storm control Switch Partition SPAR Uni Directional Link Detection UDLD Virtual Link Aggregation Groups VLAG Virtual Router Redundancy Protocol VRRP Note In stacking mode switch menus and ...

Page 235: ...ember switch can be designated as a Backup to the Master The Backup takes over control of the stack if the Master fails Configuration information and run time data are synchronized with the Master The Master Switch An operational stack can have only one active Master at any given time In a normal stack configuration one switch is configured as a Master and all others are configured as Members When...

Page 236: ...en the merger occurs the original Master will reassert its role as active Master for the entire stack If any configuration elements were changed and applied on the Backup during the time it acted as Master and forwarded to its connected Members the Backup and its affected Members will reboot and will be reconfigured by the returning Master before resuming their regular roles Note When the Backup b...

Page 237: ...al stack participants by any operational Master switches they are not brought into operation within the stack until explicitly assigned or bound to a specific Master switch Consider two independent stacks Stack A and Stack B which are merged into one stacking topology The stacks will behave independently until the switches in Stack B are bound to Master A or vice versa In this example once the Sta...

Page 238: ...the configured switch is attached the command will take effect and the switch will become the Backup A new Master assumes operation as active Master in the stack and uses its own configured Backup settings The active Master is rebooted with the boot configuration set to factory defaults clearing the Backup setting Master Failover When the Master switch is present it controls the operation of the s...

Page 239: ...n Each switch in the stack has two numeric identifiers as follows Attached Switch Number asnum An asnum is automatically assigned by the Master switch based on each Member switch s physical connection in relation to the Master The asnum is mainly used as an internal ID by the Master switch and is not user configurable Configured Switch Number csnum The csnum is the logical switch ID assigned by th...

Page 240: ...ck Configure the desired stacking interlinks Reboot the stack switches Configure the stack after the reboot Bind Member switches to the Master Assign a Backup switch These tasks are covered in detail in the following sections Best Configuration Practices The following are guidelines for building an effective switch stack Always connect the stack switches in a complete ring topology see Figure 25 o...

Page 241: ...e internal management IP interface for each switch assigned by the management system and use the ISCLI to perform the following steps Note IPv6 is not supported in stacking mode IP interfaces must use IPv4 addressing for proper stack configuration 1 On each switch enable stacking 2 On each switch set the stacking membership mode By default each switch is set to Member mode However one switch must ...

Page 242: ...tch To complete the ring connect the last Member switch back to the Master Figure 25 Example of Stacking Connections Note The stacking feature is designed such that the stacking links in a ring topology do not result in broadcast loops The stacking ring is thus valid no stacking links are blocked even when Spanning Tree protocol is enabled Once the stack LAGs are connected the switches will perfor...

Page 243: ...gement IP address will be used by the backup switch when taking over management from the failed master node To configure the floating Management IP address use the following command Note The Management IP and floating Management IP addresses on the master switch as well as the Management IP address on the backup switch must be in the same subnet Note In case of a stack split the floating IP cannot...

Page 244: ...8d 00 UUID 534c8ca1605846299148305adc9a1f6d Bay Number 4 Configured Switches csnum UUID Bay MAC asnum C1 534c8ca1605846299148305adc9a1f6d 4 74 99 75 21 8d 00 A5 C2 98c587636548429aba5010f8c62d4e27 3 74 99 75 21 8c 00 A1 C3 534c8ca1605846299148305adc9a1f6d 1 00 00 00 00 00 00 C4 25b884f3c75341e7a0a6417d8602180b 4 08 17 f4 84 34 00 A2 C5 98c587636548429aba5010f8c62d4e27 4 34 40 b5 73 8a 00 A3 C6 534...

Page 245: ... switches in the stack that do not yet have a number assigned Assigning a Stack Backup Switch To define a Member switch as a Backup optional which will assume the Master role if the Master switch fails execute the following command CN 4093 config stack switch number csnum universal unic id chassis UUID CN 4093 config stack switch number csnum bay bay number 1 4 or CN 4093 config stack switch numbe...

Page 246: ...f any IP interface that is member of the VLAN Connecting to Stack Switches via the Master From the Master switch you can connect to any other switch in the stack directly from the ISCLI using the following command Rebooting Stacked Switches via the Master Rebooting Stacked Switches using the ISCLI The administrator can reboot individual switches in the stack or the entire stack using the following...

Page 247: ...t on the Master For example if the new image is loaded into image 1 on the Master switch the Master will push the same firmware to image 1 on each Member switch Table 19 Stacking Boot Management buttons Field Description Reboot Stack Performs a software reboot reset of all switches in the stack The software image specified in the Image To Boot drop down list becomes the active image Reboot Master ...

Page 248: ... of EN4093R switches that will be combined with CN4093 switches to form a hybrid stack up to two CN4093 and up to six EN4093R switches 1 Install ENOS version 8 4 on the Master EN4093R switch 2 Install ENOS version 8 4 on each CN4093 switch 3 Reload the switches 4 Configure stacking on the CN4093 switch es The CN4093 must be configured as the Master of the hybrid stack Reload the switch es to estab...

Page 249: ...the stacking links in a ring topology removing a stack switch from the interior of the chain can divide the chain and cause serious disruption to the stack operation 2 If removing a Master switch make sure that a Backup switch exists in the stack then turn off the Master switch This will force the Backup switch to assume Master operations for the stack 3 Remove the stack link cables from the old s...

Page 250: ...mended that the default VLAN 4090 be reserved for stacking as shown in the following command 7 Designate the stacking links Use the following command to specify the links to be used in the stacking LAG 8 Attach the required stack link cables to the designated stack links on the new switch 9 Attach the desired network cables to the new switch 10 Reboot the new switch When the new switch boots it wi...

Page 251: ...e newly installed Master 2 From the stack interface assign the csnum for the new switch You can bind Member switches to a stack csnum using either the new switch s asnum or MAC address Note If replacing the Master switch the Master will not assume control from the Backup unless the Backup is rebooted or fails CN 4093 config stack switch number csnum universal unic id uuid bay Slot ID or CN 4093 co...

Page 252: ...ous connectivity to the upstream network From the point of view of the stack it is as though a series of switch and uplink failures are occurring When the design is cabled and configured properly the environment redirects traffic For detailed instructions on upgrading and rebooting see Chapter 3 Switch Software Management Starting a Rolling Reload To start a rolling reload use the command where de...

Page 253: ...the boot image with a non staggered copy 2 Load the firmware image with a staggered copy CN 4093 config copy tftp ftp sftp boot image address IP address filename image filename CN 4093 config copy tftp ftp sftp image1 image2 address IP address filename image filename staggered upgrade delay 2 20 minutes ...

Page 254: ...formation to an external host using the specified protocol SFTP or TFTP In case the feature of saving log to flash is disabled this command must be rejected To copy syslog content to an external host using SFTP or TFTP use the command where CN 4093 config no logging log stacking CN 4093 config show logging swn configured switch number messages reverse severity 0 7 configured switch number The conf...

Page 255: ...ogs from clients on the master CN 4093 config copy log swn 3 tftp 10 10 10 1 Copy logs from stack member 3 CN 4093 config logging host host instance address IPv4 address address6 IPv6 address facility facility 0 7 severity severity 0 7 host instance The host instance either 1 or 2 IPv4 address The IPv4 address of the host being logged IPv6 address The IPv6 address of the host being logged facility...

Page 256: ... associated with flexible port mapping can only be run from the master switch in the stack and can have an additional parameter no boot port map csnum port number or range Adds or removes ports of a stack switch to from the port map by specifying the switch s configured number and port number or range of ports For example default boot port map csnum Resets the port map configuration to the default...

Page 257: ...57 1 58 1 59 1 60 1 61 1 62 1 63 1 64 Unmapped ports Switch 2 Maximum bandwidth 640G Used bandwidth 640G Mapped ports 2 1 2 2 2 3 2 4 2 5 2 6 2 7 2 8 2 9 2 10 2 11 2 12 2 13 2 14 2 15 2 16 2 17 2 18 2 19 2 20 2 21 2 22 2 23 2 24 2 25 2 26 2 27 2 28 2 29 2 30 2 31 2 32 2 33 2 34 2 35 2 36 2 37 2 38 2 39 2 40 2 41 2 42 2 43 2 44 2 45 2 46 2 47 2 48 2 49 2 50 2 51 2 52 2 53 2 54 2 55 2 56 2 57 2 61 U...

Page 258: ...facility 0 7 severity severity 0 7 no logging log stacking no stack backup csnum stack bind no stack name 1 63 characters no stack switch number csnum description show boot stack asnum master backup all show logging swn csnum messages reverse severity severity 0 7 show interface link switch csnum type stacking non stacking show interface link type stacking non stacking show interface link port ali...

Page 259: ...e server s OS or hypervisor Each vNIC appears as a regular independent NIC with some portion of the physical NIC s overall bandwidth ENOS 8 4 supports up to four vNICs over each internal switch port For details on this feature see Virtual NICs on page 261 Virtual Link Aggregation Groups VLAGs With VLAGs two switches can act as a single logical device for the purpose of establishing port LAGs Activ...

Page 260: ... physical link connecting to a server NIC or to a Converged Network Adapter CNA UFP provides a switch fabric component to control the NIC For details on this feature see Unified Fabric Port on page 361 Enterprise NOS virtualization features provide a highly flexible framework for allocating and managing switch resources ...

Page 261: ...ex Virtual Fabric Adapter Fabric Mezz for Lenovo Flex System to provide the following vNIC features Up to four vNICs are supported on each internal switch port Each vNIC can accommodate one of the following traffic types regular Ethernet iSCSI or Fibre Channel over Ethernet FCoE vNICs with traffic of the same type can be grouped together along with regular internal ports external uplink ports and ...

Page 262: ...Switch Enterprise NOS 8 4 supports up to four vNICs attached to each internal switch port Each vNIC is provided its own independent virtual pipe on the port On stand alone non stacked switches each vNIC is identified by port and vNIC number port number or alias vNIC pipe number 1 4 For example INTA1 1 INTA1 2 INTA1 3 and INTA1 4 represent the vNICs on port INTA1 INTA2 1 INTA2 2 INTA2 3 and INTA2 4...

Page 263: ...x Virtual Fabric Adapter 2 port 10Gb LOM For Emulex Virtual Fabric Adapter Fabric Mezz when replacing the LOM card Table 20 vNIC ID Correlation PCIe Function ID NIC Port Switch Slot vNIC Pipe vNIC ID 0 0 Bay 1 1 INTAx 1 2 0 Bay 1 2 INTAx 2 4 0 Bay 1 3 INTAx 3 6 0 Bay 1 4 INTAx 4 1 1 Bay 2 1 INTAx 1 3 1 Bay 2 2 INTAx 2 5 1 Bay 2 3 INTAx 3 7 1 Bay 2 4 INTAx 4 Table 21 vNIC ID Correlation PCIe Functi...

Page 264: ...x 4 1 4 Bay 2 1 INTBx 1 3 4 Bay 2 2 INTBx 2 5 4 Bay 2 3 INTBx 3 7 4 Bay 2 4 INTBx 4 Table 23 vNIC ID Correlation PCIe Function ID NIC Port Switch Slot vNIC Pipe vNIC ID First ASIC 0 1 Bay 3 1 INTAx 1 2 1 Bay 3 2 INTAx 2 4 1 Bay 3 3 INTAx 3 6 1 Bay 3 4 INTAx 4 1 2 Bay 4 1 INTAx 1 3 2 Bay 4 2 INTAx 2 5 2 Bay 4 3 INTAx 3 7 2 Bay 4 4 INTAx 4 Table 24 vNIC ID Correlation PCIe Function ID NIC Port Switc...

Page 265: ...and its corresponding server node of the vNIC pipe Each physical NIC port is connected to a different switch bay in the blade chassis 6 3 Bay 3 4 INTBx 4 1 4 Bay 4 1 INTBx 1 3 4 Bay 4 2 INTBx 2 5 4 Bay 4 3 INTBx 3 7 4 Bay 4 4 INTBx 4 Table 24 vNIC ID Correlation PCIe Function ID NIC Port Switch Slot vNIC Pipe vNIC ID ...

Page 266: ...signed to an uplink port This port can be a regular port or a LAG port The vNIC groups share the uplink You may assign a few vNIC groups to share an uplink and the other vNIC groups to have a single uplink each In either case the switch still operates in shared mode As in the dedicated mode the NIC places an outer tag on the vNIC group packets This outer tag contains the vNIC group VLAN The uplink...

Page 267: ...lete the port from the vNIC group VLAN and add it back to the default VLAN 1 when the vNIC group is disabled deleted or when the vNIC feature is globally disabled Remove the port from a vNIC group VLAN when the vNIC group is dis abled deleted When the vNIC feature is globally disabled or the port is not added in any vNIC group remove the port from all vNIC group VLANs and add it back to default VL...

Page 268: ...ed a bandwidth value of 0 A combined maximum of 100 units can be allocated among vNIC pipes enabled for any specific port bandwidth values for disabled pipes are not counted If more than 100 units are assigned to enabled pipes an error will be reported when attempting to apply the configuration The bandwidth metering configuration is automatically synchronized between the switch and vNICs for regu...

Page 269: ...Traffic of different types may not be mixed within any vNIC group External ports that are part of a LAG may not be individually added to a vNIC group Only one individual external port one static LAG or one dynamic LAG consisting of multiple external ports may be added to any given vNIC group In dedicated mode for any internal ports external port or port LAG group connected to regular non vNIC devi...

Page 270: ...gned by the network server or hypervisor The outer vNIC group VLAN is used only between the CN4093 and the NIC Figure 27 Outer and Inner VLAN Tags Within the CN4093 all Layer 2 switching for packets within a vNIC group is based on the outer vNIC group VLAN The CN4093 does not consider the regular inner VLAN ID if any for any VLAN specific operation The outer vNIC group VLAN is removed by the NIC b...

Page 271: ...er VLAN Following is an use case An ESX server is presented with eight vNICs four from bay 7 and four from bay 9 used with four virtual switches of the ESX host and with no tagged port groups A pair of odd even vNICs is placed within each virtual switch On the CN4093 four vNIC groups are created and the desired VLAN for each vNIC group is configured For example if vNIC group 1 on the CN4093 has fo...

Page 272: ...ave not lost their external uplinks ENOS 8 4 and the Emulex Virtual Fabric Adapter for Lenovo Flex System provide vNIC aware failover In the dedicated mode when a vNIC group s external uplink ports fail the switch cooperates with the affected NIC to prompt failover only on the appropriate vNICs This allows the vNICs that are not affected by the failure to continue without disruption see Figure 30 ...

Page 273: ...N 4093 config vnic vnicgroup group number CN 4093 vnic group config failover Hypervisor NIC VNIC VNIC VNIC VNIC VNIC VNIC VNIC VNIC vSwitch VM 3 VM 4 Hypervisor NIC VNIC VNIC VNIC VNIC VNIC VNIC VNIC VNIC vSwitch VM 1 VM 2 Lenovo Servers EXT1 EXT2 INTA1 INTA2 VNIC Group 1 VNIC Group 2 X Primary Lenovo Switch To Backup Switch Virtual Pipes X X Upon EXT1 link failure the switch informs the server hy...

Page 274: ...T3 and EXT4 vNIC failover is enabled for both vNIC groups vNIC bandwidth on port INTA1 is set to 60 for vNIC 1 and 40 for vNIC 2 Other enabled vNICs INTA2 1 INTA2 2 and INTA3 2 are permitted the default bandwidth of 25 2 5Gbsp on their respective ports All remaining vNICs are disabled by default and are automatically allocated 0 bandwidth OS or Hypervisor VNIC VNIC VNIC VNIC VNIC VNIC VNIC VNIC OS...

Page 275: ...eady CN 4093 config portchannel 1 port EXT3 EXT4 enable CN 4093 config vnic enable CN 4093 config vnic port INTA1 index 1 Select vNIC 1 on the port CN 4093 vnic config enable Enable the vNIC pipe CN 4093 vnic config bandwidth 60 Allow 60 egress bandwidth CN 4093 vnic config exit CN 4093 config vnic port INTA1 index 2 Select vNIC 2 on the port CN 4093 vnic config enable Enable the vNIC pipe CN 4093...

Page 276: ... 4093 vnic group config port INTA4 Add non vNIC port to the group CN 4093 vnic group config port EXT1 Add uplink port to the group CN 4093 vnic group config failover Enable vNIC failover for the group CN 4093 vnic group config enable Enable the vNIC group CN 4093 vnic group config exit CN 4093 config vnic vnicgroup 2 CN 4093 vnic group config vlan 1774 CN 4093 vnic group config member INTA1 2 CN 4...

Page 277: ...ot supported simultaneously on the same switch ports as VMready 3 Add ports and virtual pipes to a vNIC group CN 4093 vnic enable CN 4093 config vnic port INTA1 index 2 Select vNIC 2 on the server port CN 4093 vnic_config enable Enable the vNIC pipe CN 4093 vnic_config exit CN 4093 config vnic port INTA2 index 2 Select vNIC 2 on the server port CN 4093 vnic_config enable Enable the vNIC pipe CN 40...

Page 278: ...igure the FCoE ports and VLAN enable VLAN tagging on all FCoE ports and place FCoE ports into a supported VLAN When CEE is turned on and the regular FCoE configuration is complete FCoE traffic will be automatically assigned to PFC priority 3 and be initially allocated 50 of port bandwidth via ETS The following steps are specific to vNIC configuration 2 On the NIC ensure that FCoE traffic occurs on...

Page 279: ...ettings such as virtualization policies and ACLs The administrator can also pre provision VEs by adding their MAC addresses or their IPv4 address or VM name in a VMware environment to a VM group When a VE with a pre provisioned MAC address becomes connected to the switch the switch will automatically apply the appropriate group membership configuration The CN4093 with VMready also detects the migr...

Page 280: ...ports or pre provisioned on the switch Local VM groups support limited VE migration as VMs and other VEs move to different hypervisors connected to different ports on the switch the configuration of their group identity and features moves with them However VE migration to and from more distant hypervisors those not connected to the CN4093 may require manual configuration when using local VM groups...

Page 281: ...d for local VM groups If one is not explicitly configured the switch will automatically assign the next unconfigured VLAN when a VE or port is added to the VM group vmap Each VM group may optionally be assigned a VLAN based ACL see VLAN Maps on page 291 vm Add VMs VMs and other VEs are primarily specified by MAC address They can also be specified by UUID or by the index number as shown in various ...

Page 282: ... set bandwidth policies for individual VEs see VM Policy Bandwidth Control on page 292 Once configured the VM profile may be assigned to a distributed VM group as shown in the following section Initializing a Distributed VM Group Note A VM profile is required before a distributed VM group may be configured See VM Profiles on page 282 for details Once a VM profile is available a distributed VM grou...

Page 283: ... fashion can be identified in the virtual management server by the name of the VM profile formatted as follows Lenovo_ VM profile name or Lenovo_ VM profile name _ index number for vDS profiles Using the VM Group command path CN 4093 config virt vmgroup x vm to add a server host interface to a distributed VM group does not create a new port group on the virtual switch or move the host Instead beca...

Page 284: ...ode or to disable validation Basic Validation This mode provides port based validation by identifying the port used by a hypervisor It is suitable for environments in which MAC reassignment or duplication cannot occur The switch using the hello message information identifies a hypervisor port If the hypervisor port is found in the hello message information it is deemed to be a trusted port Basic v...

Page 285: ...CLs to be used for dropping traffic Use the following command to set the action to be performed if the switch is unable to validate the VM MAC address Following are the other VMcheck commands CN 4093 config virt vmcheck acls max 1 640 CN 4093 config virt vmcheck action advanced log link acl Table 26 VMcheck Commands Command Description CN 4093 config virt vmware hello ena hport port number haddr h...

Page 286: ... the following VMware vCenter is fully installed and configured and includes a bladevm administration account and a valid SSL certificate A virtual distributed switch instance has been created on the vCenter The vDS version must be higher or the same as the hypervisor version on the hosts At least two hypervisors are configured Guidelines Before migrating VMs to a vDS consider the following At any...

Page 287: ...ort group operations CN 4093 virt vmware dvswitch add Add a dvSwitch to a DataCenter addhost Add a host to a dvSwitch adduplnk Add a physical NIC to dvSwitch uplink ports del Remove a dvSwitch from a DataCenter remhost Remove a host from a dvSwitch remuplnk Remove a physical NIC from dvSwitch uplink ports CN 4093 virt vmware dpg add Add a port group to a dvSwitch del Delete a port group from a dvS...

Page 288: ...o provide access for the switch The account must have at a minimum the following vCenter user privileges Network Host Network Configuration Virtual Machine Modify Device Settings Once vCenter requirements are met the following configuration command can be used on the CN4093 to associate the vCenter with the switch This command specifies the IPv4 address and account username that the switch will us...

Page 289: ...group on the switch will affect only switch operation changes on the switch will not be reflected in the vCenter or on the VEs Likewise any changes made to VE configuration on the vCenter will no longer be reflected on the switch Exporting Profiles VM profiles for discovered VEs in distributed VM groups are automatically synchronized with the virtual management server and the appropriate hyperviso...

Page 290: ...ed EXEC commands Pre Provisioning VEs VEs may be manually added to VM groups in advance of being detected on the switch ports By pre provisioning the MAC address of VEs that are not yet active the switch will be able to later recognize the VE when it becomes active on a switch port and immediately assign the proper VM group properties without further configuration Undiscovered VEs are added to or ...

Page 291: ...AN or VM group However each VLAN or VM group may have multiple VMAPs assigned to it The optional intports or extports parameter can be specified to apply the action to add or remove the VMAP for either the internal ports or external ports only If omitted the operation will be applied to all ports in the associated VLAN or VM group Note VMAPs have a lower priority than port based ACLs If both an AC...

Page 292: ...rom the perspective of the VE the switch command for TX Rate Control txrate sets the data rate to be sent from the VM to the switch and the RX Rate Control rxrate sets the data rate to be received by the VM from the switch The committed rate is specified in multiples of 64 kbps from 64 to 40 000 000 The maximum burst rate is specified as 32 64 128 256 1024 2048 or 4096 kb If both the committed rat...

Page 293: ...h Bandwidth shaping and bandwidth policies can be used separately or in concert VMready Information Displays The CN4093 can be used to display a variety of VMready information Note Some displays depict information collected from scans of a VMware vCenter and may not be available without a valid vCenter If a vCenter is assigned see Assigning a vCenter on page 288 scan information might not be avail...

Page 294: ...72 16 46 50 3 vSwitch0 172 16 46 51 0 VMkernel 2 00 50 56 4f f2 85 172 16 46 10 4 vSwitch0 172 16 46 10 0 Mgmt 3 00 50 56 7c 1c ca 172 16 46 10 4 vSwitch0 172 16 46 11 0 VMkernel 4 00 50 56 4e 62 f5 172 16 46 50 3 vSwitch0 172 16 46 50 0 Mgmt 5 00 50 56 9c 00 c8 quark 4 vSwitch0 172 16 46 25 172 16 46 10 0 Corp 6 00 50 56 9c 29 29 particle 3 vSwitch0 172 16 46 35 172 16 46 50 0 VM Network 7 00 50 ...

Page 295: ...Virtual Machine VM vCenter Name halibut VM OS hostname localhost localdomain VM IP Address 172 16 46 15 VM UUID 001c41f3 ccd8 94bb 1b94 6b94b03b9200 Current VM Host 172 16 46 10 Vswitch vSwitch0 Port Group BNT_Default VLAN ID 0 CN 4093 show virt vmware vms UUID Name s IP Address 001cdf1d 863a fa5e 58c0 d197ed3e3300 30vm1 001c1fba 5483 863f de04 4953b5caa700 VM90 001c0441 c9ed 184c 7030 d6a6bc9b4d0...

Page 296: ...tion about a specific VE CN 4093 show virt vmware showvm VM UUID VM IPv4 address VM name MAC Address 00 50 56 9c 21 2f Port 4 Type Virtual Machine VM vCenter Name halibut VM OS hostname localhost localdomain VM IP Address 172 16 46 15 VM UUID 001c41f3 ccd8 94bb 1b94 6b94b03b9200 Current VM Host 172 16 46 10 Vswitch vSwitch0 Port Group BNT_Default VLAN ID 0 ...

Page 297: ... the vCenter 3 Create the VM profile 4 Define the VM group When VMs are added the internal server ports on which they appear are automatically added to the VM group In this example there is no need to manually add ports EXT1 and EXT2 5 If necessary enable VLAN tagging for the VM group Note If the VM group contains ports which also exist in other VM groups tagging should be enabled in both VM group...

Page 298: ...298 CN4093 Application Guide for N OS 8 4 ...

Page 299: ...to carry converged LAN SAN IPC traffic on a single physical link CEE features can also be utilized in traditional LAN non FCoE networks to provide lossless guarantees on a per priority basis and to provide efficient bandwidth allocation Priority Based Flow Control on page 312 Priority Based Flow Control PFC extends 802 3x standard flow control to allow the switch to pause traffic based on the 802 ...

Page 300: ...ght Omni ports belonging to a single VLAN connected to the FCF bridge The FCoE Topology In an end to end Fibre Channel network switches and end devices generally establish trusted point to point links Fibre Channel switches validate end devices enforce zoning configurations and device addressing and prevent certain types of errors and attacks on the network In a converged multi hop FCoE network wh...

Page 301: ...formation about connected FCoE devices This information is used to automatically determine the appropriate ACLs required to block certain types of undesired or unvalidated FCoE traffic Automatic FCoE related ACLs are independent from ACLs used for typical Ethernet purposes FCoE Requirements The following are required for implementing FCoE using the Lenovo Flex System Fabric CN4093 10 Gb Converged ...

Page 302: ...networks to provide lossless guarantees on a per priority basis and to provide efficient bandwidth allocation based on application needs Turning CEE On or Off By default on the CN4093 CEE is turned off To turn CEE on or off use the following ISCLI configuration mode commands CAUTION Turning CEE on will automatically change some 802 1p QoS and 802 3x standard flow control settings on the CN4093 Rea...

Page 303: ... PGIDs as shown in Table 27 When CEE is on the default ETS configuration also allocates a portion of link bandwidth to each PGID as shown in Table 28 If the prior non CEE configuration used 802 1p priority values for different purposes or does not expect bandwidth allocation as shown in Table 28 on page 303 when CEE is turned on the administrator should reconfigure ETS settings as appropriate Each...

Page 304: ... for 802 1p priority value 3 This default is chosen because priority value 3 is commonly used to identify FCoE traffic in a CEE environment and must be guaranteed lossless behavior PFC is disabled for all other priority values It is recommend that a configuration backup be made prior to turning CEE on or off Viewing the configuration file will allow the administrator to manually re create the equi...

Page 305: ... FIP snooping bridge feature The CN4093 must be connected to the Fibre Channel network through a FCF such as a Lenovo Rackswitch G8264CS another Lenovo CN4093 10Gb Converged Scalable Switch or a Cisco Nexus 5000 Series Switch For each CN4093 switch port participating in FCoE the connected server must use a FCoE licensed Converged Network Adapter CNA and must have the FCoE license enabled if applic...

Page 306: ... Global FIP Snooping Settings By default the FIP snooping feature is turned off for the CN4093 The following commands are used to turn the feature on or off Note FIP snooping requires CEE to be turned on see Turning CEE On or Off on page 302 When FIP snooping is on port participation may be configured on a port by port basis see below When FIP snooping is off all FCoE related ACLs generated by the...

Page 307: ...and not any other port Thus FCoE traffic then strictly transmits across only the assigned port within the LAG for each Enode Similarly any VN Port MACs are pinned on a port by port basis within a LAG Regular non FCoE Ethernet traffic will continue to operate across the LAG normally using any of the links based on balancing algorithm This feature is automatically activated upon server port LAG mode...

Page 308: ...s that are configured to have FIP snooping disabled will not have any FIP or FCoE related ACLs installed Prevent transmission of all FCoE frames from an ENode prior to its successful completion of login FLOGI to the FCF After successful completion of FLOGI ensure that the ENode uses only those FCoE source addresses assigned to it by the FCF After successful completion of FLOGI ensure that all ENod...

Page 309: ...ed to identify traffic on a FCoE VLAN The valid FC Map values are from 0xefcf00 to 0x0efcff and are configured automatically for each FCoE vlan If you need to manually configure the FC MAP use values in the range 0xefcf00 to 0x0efcf4 The other FC Map values are reserved Viewing FIP Snooping Information ACLs automatically generated under FIP snooping are independent of regular manually configure AC...

Page 310: ...lacing ports into the VLAN after tagging is enabled helps to ensure that their port VLAN ID PVID is not accidentally changed 3 Turn CEE on Note Turning CEE on will automatically change some 802 1p QoS and 802 3x standard flow control settings and menus see Turning CEE On or Off on page 302 4 Turn global FIP snooping on 5 Disable FIP snooping on all non FCoE external ports CN 4093 no fcoe fips fcf ...

Page 311: ...utomatic detection The configuration in this step is unnecessary if default settings have not been changed and is shown merely as a manual configuration example 7 Save the configuration CN 4093 config fcoe fips port INTA1 enable Enable FIPS on FCoE ports CN 4093 config fcoe fips port INTA1 fcf mode off Set as ENode connection CN 4093 config fcoe fips port EXT22 fcf mode on Set as FCF connection ...

Page 312: ...C is useful for a variety of applications it is required for FCoE implementation where storage SAN and networking LAN traffic are converged on the same Ethernet links Typical LAN traffic tolerates Ethernet packet loss that can occur from congestion or other factors but SAN traffic must be lossless and requires flow control For FCoE standard flow control would pause both SAN and LAN traffic during ...

Page 313: ...y on ports connected to CEE devices and not on any ports connected to non CEE devices In such cases PFC can be configured globally on specific priority values even though not all ports make use them PFC is not restricted to CEE and FCoE networks In any LAN where traffic is separated into different priorities PFC can be enabled on priority values for loss sensitive traffic If all ports have the sam...

Page 314: ...E on will automatically change some 802 1p QoS and 802 3x standard flow control settings and menus see Turning CEE On or Off on page 302 2 Enable PFC for the FCoE traffic Note PFC is enabled on priority 3 by default If using the defaults the manual configuration commands shown in this step are not necessary Table 29 Port Based PFC Configuration Switch Port 802 1p Priority Usage PFC Setting EXT1 0 ...

Page 315: ...ication 4 Save the configuration CN 4093 config cee port INTA2 pfc priority 4 enable LAN priority CN 4093 config cee port INTA2 pfc priority 4 description Critical LAN CN 4093 config cee port EXT1 pfc priority 4 enable LAN priority CN 4093 config cee port EXT1 pfc priority 4 description Critical LAN ...

Page 316: ...le priority values with values numbered 0 through 7 which can be placed in the priority field of the 802 1Q VLAN tag Servers and other network devices may be configured to assign different priority values to packets belonging to different traffic types such as SAN and LAN ETS uses the assigned 802 1p priority values to identify different traffic types The various priority values are assigned to pr...

Page 317: ...on page 302 for the ETS feature to function A priority group must be assigned a priority group ID PGID one or more 802 1p priority values and allocated link bandwidth greater than 0 PGID Each priority group is identified with number 0 through 7 and 15 known as the PGID PGID 0 through 7 may each be assigned a portion of the switch s available bandwidth PGID 8 through 14 are reserved as per the 802 ...

Page 318: ... or unassigned To remove a priority value from a PGID it must be moved to another PGID For PGIDs 0 through 7 bandwidth allocation can also be configured through the ETS Priority Group menu See for Allocating Bandwidth on page 319 for details Note In a stacking setup when there are multiple priorities assigned to the same low bandwidth PG and the PG traffic is composed of various packet sizes a mar...

Page 319: ...cing the bandwidth allocation of any PGID also requires adjusting the allocation of other PGIDs to compensate If these conditions are not met the switch will report an error when applying the configuration Note Actual bandwidth used by any specific PGID may vary from configured values by up to 10 of the available bandwidth in accordance with 802 1Qaz ETS standard For example a setting of 10 may be...

Page 320: ...anagement traffic has been assigned Finally the bandwidth allocation for priority groups 1 2 and 3 are revised Note DCBX may be configured to permit sharing or learning PFC configuration with or from external devices This example assumes that PFC configuration is being performed manually See Data Center Bridging Capability Exchange on page 322 for more information on DCBX Table 30 ETS Configuratio...

Page 321: ...N 4093 config cee global ets priority group pgid 0 description Regular LAN Set a group description optional CN 4093 config cee global ets priority group pgid 1 priority 3 Select a group for SAN traffic and set for 802 1p priority 3 CN 4093 config cee global ets priority group pgid 1 description SAN Set a group description optional CN 4093 config cee global ets priority group pgid 2 priority 4 Sele...

Page 322: ...purpose of automatically configuring advanced CEE features such as PFC ETS and for some CNAs FIP The administrator can determine which CEE feature settings on the switch are communicated to and matched by CEE neighbors and also which CEE feature settings on the switch may be configured by neighbor requirements The DCBX feature requires CEE to be turned on see Turning CEE On or Off on page 302 DCBX...

Page 323: ...emote CEE peer If the peer is capable of the feature and willing to accept the CN4093 settings it will be automatically reconfigured to match the switch The willing flag Set this flag when required by the remote CEE peer for a particular feature as part of DCBX signaling and support Although some devices may also expect this flag to indicate that the switch will accept overrides on feature setting...

Page 324: ...oE related ports will be configured for advertising CEE capabilities but not to accept external configuration Other LAN ports that use CEE features will also be configured to advertise feature settings to remote peers but not to accept external configuration DCBX will be disabled on all non CEE ports This example can be configured using the following commands 1 Turn CEE on Note Turning CEE on will...

Page 325: ...cbx enable CN 4093 config cee port INTA2 dcbx app_proto advertise CN 4093 config cee port INTA2 dcbx ets advertise CN 4093 config cee port INTA2 dcbx pfc advertise CN 4093 config cee port EXT1 dcbx enable CN 4093 config cee port EXT1 dcbx app_proto advertise CN 4093 config cee port EXT1 dcbx ets advertise CN 4093 config cee port EXT1 dcbx pfc advertise CN 4093 config no cee port INTA3 INTC14 EXT2 ...

Page 326: ...ble FIP snooping on all non FCoE external ports 5 Enable FIP snooping on FCoE ports and set the desired FCF mode Note By default FIP snooping is enabled on all ports and the FCF mode set for automatic detection The configuration in this step is unnecessary if default settings have not been changed and is shown merely as a manual configuration example Switch Servers Lenovo Chassis EXT1 EXT22 INTA1 ...

Page 327: ...EXT1 pfc priority 4 description Critical LAN CN 4093 config cee global ets priority group pgid 0 priority 0 1 2 Select a group for regular LAN and set for 802 1p priorities 0 1 and 2 CN 4093 config cee global ets priority group pgid 0 description Regular LAN Set a group description optional CN 4093 config cee global ets priority group pgid 1 priority 3 Select a group for SAN traffic and set for 80...

Page 328: ...cbx app_proto advertise CN 4093 config cee port INTA1 dcbx ets advertise CN 4093 config cee port INTA1 dcbx pfc advertise CN 4093 config cee port INTA2 dcbx enable CN 4093 config cee port INTA2 dcbx app_proto advertise CN 4093 config cee port INTA2 dcbx ets advertise CN 4093 config cee port INTA2 dcbx pfc advertise CN 4093 config cee port EXT1 dcbx enable CN 4093 config cee port EXT1 dcbx app_prot...

Page 329: ... Copyright Lenovo 2017 329 Chapter 18 Fibre Channel This chapter describes how to configure the CN4093 for use with Fibre Channel networks ...

Page 330: ...t and dynamic scalability In Fibre Channel networks the connecting ports must be fully authorized to communicate with their well defined neighbors Bandwidth for properly connected devices is tuned to avoid loss due to congestion Also routes for traffic are converged in advance ensuring that only one route is used by any given traffic stream so that packets arrive in their expected sequence Etherne...

Page 331: ...ll fabric switch performing stateless FC FCoE encapsulation and decapsulation This helps resolve a typical problem in Fibre Channel networks where port density is low on Director Class SAN switches or considered too valuable to relegate to individual nodes As an NPV gateway the CN4093 acts as a proxy to the upstream full fabric switch on behalf of the connected nodes The CN4093 supports standard N...

Page 332: ...hanges When acting as a full fabric switch the CN4093 can be connected to NPV gateways or directly to Fibre Channel nodes In full fabric mode the CN4093 can be connected directly to another full fabric CN4093 or a Lenovo RackSwitch G8264CS through Fibre Channel ISL For further details see E Ports on page 341 Limitations In Enterprise NOS 8 4 CN4093 does not support the following Fibre Channel port...

Page 333: ...external connectors High Capacity Ethernet Ports External EXT3 EXT10 ports 45 52 These 40Gb QSFP Ethernet ports can be configured as either two 40Gb Ethernet ports EXT3 and EXT7 or as four 10Gb Ethernet ports EXT3 EXT6 EXT7 EXT10 Omni Ports External EXT11 EXT22 ports 53 64 These 10Gb SFP hybrid ports can be configured to operate either in Ethernet mode the default or in Fibre Channel mode for dire...

Page 334: ...nt VLAN for FCoE be sure that any connected servers and FCoE bridge will support your selection This command initiates VLAN configuration mode All VLAN related Fibre Channel configuration is performed in this mode Enable or disable the VLAN Exit VLAN configuration mode Port Membership As with typical VLAN configuration each VLAN used with a Fibre Channel network must include a description of its p...

Page 335: ...ing modes NPV mode to uplink one or more nodes to a full fabric switch Full fabric mode The CN4093 supports up to 12 Fibre Channel VLANs at any given time Only one mode can be active on any specific VLAN at a given time and only one VLAN can operate in full fabric mode From within VLAN configuration mode the following commands are used to specify the Fibre Channel mode To enable or disable NPV mod...

Page 336: ...se CEE and FCoE see FCoE and CEE on page 299 is permitted with no additional configuration Ethernet Traffic on regular non FCoE Ethernet ports will be blocked on Fibre Channel VLANs NPV Disruptive Load Balancing Every server connected to the NPV gateway logs into an upstream FC switch through a NP uplink If multiple NP uplinks are available in a NPV VLAN the logins are evenly distributed over the ...

Page 337: ...tomated option will only take care of the imbalances caused by Fibre Channel uplinks flapping not Enodes flapping In the later case manual load balance command should be used Note To check which VLANs are have automated disruptive load balancing enabled use the following command The load balancing is disruptive in nature as few devices are forced to logout and initiate a re login The switch attemp...

Page 338: ...ers and one or more storage devices Ports and devices in a zone are called zone members A zone contains one or more zone members A device can belong to one or more zones End nodes that are members of a zone can communicate with each other but they are isolated from nodes in other zones of which they are not a member Note Only use the default zoneset with a limited number of FCoE connections or for...

Page 339: ...oneset no zonesets are active until you activate another zoneset If you activate one zoneset while another zoneset is active the currently active zoneset is deactivated When you activate a zoneset the new zoneset access policies are applied Up to four zonesets can be configurated on the switch at any given time though only one can be active Traffic flow between end devices is restricted by default...

Page 340: ...ve until explicitly activated by the administrator When activated the new zoneset will be synchronized throughout the Fibre Channel fabric for each modified zone Fibre Channel traffic will be temporarily disrupted in modified zones as changes to the fabric are recognized by the connected devices Until activation the previously established zoneset will remain in effect The basic zoneset commands ar...

Page 341: ... individual switch was active The following table lists the zone merge rules E ports cannot be used to form stack LAG links CN 4093 config system port port range type fc CN 4093 config interface fc port range CN 4093 config if type e CN 4093 config show interface fc information Table 31 Zone merge rules Adjacent Zoning Configuration Local Zoning Configuration Result in Local Switch Zone Set State ...

Page 342: ... achieve low latency if the Zone check is done on Ethernet switch module for FCoE FCoE traffic Optimized feature is enabled by default in Full fabric mode and is not applicable to NPV mode Note FCoE FC and FC FC traffic is not optimized If needed the administrator can disable optimized forwarding feature Prior to that disable FIP snooping Use the following commands To re enable optimized forwardin...

Page 343: ...ollback Zoning updates Create and destroy zone set zone and zone alias Add Remove zone to zone set zone alias or port WWN to zone and port WWN to zone alias Activate and deactivate zoneset The IBM Director includes Tivoli Storage Productivity Center TPC is used to configure and administer the fibre channel fabric Connection with the SMI S agent can be established via IPv4 or IPv6 management interf...

Page 344: ...er devices However when an FC alias is used only 10 devices can be members of a zone In a stack setup the full fabric mode or NPV gateway mode is bound to a single switch as determined by the external FC ports in the VLAN All FC ports belonging to a Fibre Channel VLAN must be part of the same switch Both full fabric mode and NPV mode can be configured on the Master as well as the Backup switch For...

Page 345: ...is example depicts two Fibre Channel ports connected to the upstream device this is done for the sake of network redundancy Only one Fibre Channel port is actually required 7 Remove unused ports ports that are not part of the uplink to the Fibre Channel fabric from the NPV VLAN CN 4093 config system port ext11 ext12 type fc CN 4093 config interface port inta1 inta4 CN 4093 config if switchport mod...

Page 346: ...ed only to Omni Ports Omni Ports connected to FCoE devices are considered part of the Ethernet network and should be left to operate in Ethernet mode 2 Enable tagging trunk mode for internal ports participating in FCoE 3 Specify all member ports for the VLAN Note At least one Fibre Channel port must be included 4 Specify a VLAN for the this Fibre Channel network FCoE FCoE FCoE FCoE Zone1 Zone1 Zon...

Page 347: ...onfig zone member pwwn 20 34 00 80 e5 28 31 13 CN 4093 config zone member pwwn 20 34 00 80 e5 28 31 14 CN 4093 config zone exit CN 4093 config zone name Zone2 CN 4093 config zone member pwwn 20 34 00 80 e5 28 43 57 CN 4093 config zone member pwwn 20 34 00 80 e5 18 b3 58 CN 4093 config zone member pwwn 20 34 00 80 e5 28 31 13 CN 4093 config zone exit CN 4093 config zoneset name City1 CN 4093 config...

Page 348: ... INCITS 230 1994 AM2 1999 FC PH 2 Revision 7 4 ANSI INCITS 297 1997 FC PH 3 Revision 9 4 ANSI INCITS 303 1998 FC PI Revision 13 ANSI INCITS 352 2002 FC PI 2 Revision 10 ANSI INCITS 404 2006 FC PI 4 Revision 7 0 FC FS Revision 1 9 ANSI INCITS 373 2003 FC FS 2 Revision 0 91 FC_FS_3 Revision 1 11 FC LS Revision 1 2 FC SW 2 Revision 5 3 ANSI INCITS 355 2001 FC SW 3 Revision 6 6 ANSI INCITS 384 2004 FC...

Page 349: ...idging VEB and Virtual Ethernet Port Aggregator VEPA VEB and VEPA are mechanisms for switching between VMs on the same hypervisor VEB enables switching with the server either in the software vSwitch or in the hardware using single root I O virtualization capable NICs VEPA requires the edge switch to support Reflective Relay an operation where the switch forwards a frame back to the port on which i...

Page 350: ...em Networking Distributed Switch 5000V guide for details on how to specify the VSI type The hypervisor sends a VSI ASSOCIATE which contains the VSI type ID to the switch port after the VM is started The switch updates its configuration based on the requested VSI type The switch configures the per VM bandwidth using the VMpolicy The Enterprise NOS supports the following policies for VMs ACLs Bandwi...

Page 351: ...the switch port if the VLAN does not already exist VLANs that are dynamically created will be automatically removed from the switch port when there are no VMs using that VLAN on the port Dynamic VLAN information will not be displayed in the running configuration However the VLAN port and STP commands display the dynamic VLAN information with a If you configure any Layer 2 Layer 3 features on dynam...

Page 352: ...pability exchange with the peer using the IEEE802 1QBG protocol This is the usual mode of operation When the switch interoperates with devices that do not support IEEE 802 1QBG protocols RR can be manually configured using the following command Manual RR and EVB profile cannot be configured on a port at the same time Note If a port is a member of an isolated VLAN the manual reflective relay will n...

Page 353: ...om 1 16 CN 4093 conf evbprof reflective relay CN 4093 conf evbprof vsi discovery CN 4093 conf evbprof exit CN 4093 config interface port 1 CN 4093 config if evb profile 1 Enter EVB profile ID CN 4093 config if exit CN 4093 config ecp retransmit interval 8000 Enter retransmission interval in milliseconds 100 9000 CN 4093 config virt evb vsidb 1 CN 4093 conf vsidb protocol http https Select VSI data...

Page 354: ...onnect to a SNSC VSIDB the port docpath configuration is as follows HTTP Port 40080 Docpath snsc rest vsitypes HTTPS Port 40443 Docpath snsc rest vsitypes When you connect to a 5000v VSIDB the port docpath configuration is as follows Port 80 Docpath vsitypes ...

Page 355: ...ive configuration changes run time information and software updates from the Master Backup One member switch can be designated as a Backup to the Master The Backup takes over control of the stack if the Master fails Configuration information and run time data are synchronized with the Master For details on implementing the stacking feature see Stacking on page 231 EVB can be configured on any port...

Page 356: ... bandwidth metering ACLs based on a source MAC or VLAN must match the source MAC and VLAN of the VM If not the policy will be ignored and you will see the following warning message Unsupported features The following features are not supported on ports configured with EVB LAG VLAG vNIC VMready vm VSI Type ID 100 Associated mac 00 50 56 b6 c0 ff on port 6 ignore 1 mismatched ACL ...

Page 357: ...way or Layer 2 Layer 3 node With these configurations a packet with a unicast IPv4 destination address and multicast MAC address can be sent out as per the multicast MAC address configuration NLB maps the unicast IP address and multicast MAC address as follows Cluster multicast MAC address 03 BF W X Y Z where W X Y Z is the cluster unicast IP address You must configure the static multicast ARP ent...

Page 358: ...ample Consider the following example Cluster unicast IP address 10 10 10 42 Cluster multicast MAC address 03 bf 0a 0a 0a 2a Cluster VLAN 42 List of individual or port LAGs to which traffic should be forwarded 54 and 56 Following are the steps to configure the static multicast ARP based on the given example 1 Configure the static multicast FDB entry 2 Configure the static multicast ARP entry You ca...

Page 359: ...ort 10 241 38 1 00 11 25 c3 70 0a 4095 1 MGT1 10 241 38 101 00 11 25 c3 70 0a 4095 2 MGT1 10 241 38 102 P 74 99 75 08 9b ef 4095 MGT1 Data ARP entries Current ARP configuration rearp 5 Current static ARP IP address MAC address Port VLAN 10 10 10 42 03 bf 0a 0a 0a 2a 42 Total number of arp entries 2 IP address Flags MAC address VLAN Age Port 10 10 10 1 P fc cf 62 9d 74 00 42 10 10 10 42 P 03 bf 0a ...

Page 360: ...warded to all the ports as specified in the Multicast MAC address configuration If VLAN membership changes for the ports you must update this static multicast MAC entry If not the ports whose membership has changed will report discards ACLs take precedence over static multicast ARP If an ACL is configured to match and permit ingress of unicast traffic the traffic will be forwarded based on the ACL...

Page 361: ...e channel as defined in the channel profile The channels share the high speed physical link bandwidth For each channel the vNIC on the server side communicates with virtual port on the switch side Any 10 Gbps internal server port can be configured as a UFP port Figure 37 UFP vPorts The UFP protocol has the following operation categories Channel Initialization The server NIC and the switch port neg...

Page 362: ...vPort which is configured in auto VLAN mode VMready and EVB cannot be configured on the same physical port UFP vPorts support up to 1024 VLANs in trunk and auto mode on the switch in standalone mode Stacking switches have a limitation of 256 VLANs in both auto and trunk mode When CEE is turned on FCoE vPort must be used for lossless priority traffic For loss tolerant priority traffic a non FCoE UF...

Page 363: ...this S tag to indicate the vPort or vNIC to which the packet is being transmitted No VLAN mapping is required Such packets can be single tagged or double tagged with S tag vPort VLAN Mapping In local domain data path type the switch and server identify the vPort and vNIC by the port and VLAN tag in the incoming and outgoing packets Because no two vPorts carry traffic for the same VLAN the port and...

Page 364: ...Trunk Mode In trunk mode a vPort can carry packets that have inner tags that belong to up to 1024 VLANs When UFP is enabled the following 9 VLANs are reserved for UFP operation 1 and 4002 4009 Each VLAN in the inner tag requires a VLAN translation entry Note Two vPorts operating in trunk mode on the same physical port cannot carry the same set of VLANs in the inner tag Figure 39 Packet passing thr...

Page 365: ... mode can only be attached to a Fibre Channel FC VLAN A vPort in FCoE mode operates as a local domain data path type with packets being single tagged Auto VLAN Mode When a vPort is configured in auto VLAN mode the vPort participates in VM discovery using VMready or 802 1Qbg VLANs are dynamically provisioned based on VMready discovery or 802 1Qbg VM association When a vPort operates in auto VLAN mo...

Page 366: ...gate the configured parameters for the vPort to apply appropriate traffic coloring and shaping at the source When operating in this mode traffic scheduling and bandwidth allocation behavior on switch egress is driven by the ETS class of traffic When two vPorts use the same traffic class configuration the order in which switch schedules traffic at egress depends on the order the traffic arrives at ...

Page 367: ...switch provides a no drop packet forwarding behavior which improves end to end TCP throughput performance Note If a vPort is configured with low upper limit it might lead to head of line congestion on the egress port ETS mode is disabled when strict bandwidth provisioning mode is enabled By default uplink ports have a separate traffic class for storage traffic with guaranteed bandwidth The rest of...

Page 368: ...4 VLANs on the switch in standalone mode For more information on VLAN configuration see VLANs on page 137 Private VLANs It supports the following Private VLAN modes in UFP vPorts Disabled Trunk Promiscuous Host The following are the criteria of these Private VLAN modes Private VLAN mode is disabled Allows only non private domain Private VLAN mode is trunk Allows both primary and secondary VLAN whi...

Page 369: ... same private VLAN domain vPorts cannot be configured with a primary VLAN as a default VLAN only with secondary VLANs UFP ports cannot have switchport mode private VLAN enabled on them Private VLAN is supported only on vPorts configured with trunk or access mode UFP cannot be configured on promiscuous ports For more information on private VLANs see Private VLANs on page 153 VMReady Configuring wit...

Page 370: ...e VLAN for external port 1 CN4093 config ufp enable CN4093 config ufp port INTA1 enable Warning Tagging Trunk mode is enabled on UFP port INTA1 CN4093 config ufp port INTA1 vport 1 CN4093 config_ufp_vport network mode access CN4093 config_ufp_vport network default vlan 100 CN4093 config_ufp_vport qos bandwidth min 30 in percentage CN4093 config_ufp_vport qos bandwidth max 90 in percentage CN4093 c...

Page 371: ...rt trunk mode CN 4093 config ufp enable CN4093 config ufp port INTA1 enable Warning Tagging Trunk mode is enabled on UFP port INTA1 CN4093 config ufp port INTA1 vport 1 CN4093 config_ufp_vport network mode trunk CN4093 config_ufp_vport network default vlan 100 CN4093 config_ufp_vport qos bandwidth min 15 in percentage CN4093 config_ufp_vport qos bandwidth max 80 in percentage CN4093 config_ufp_vpo...

Page 372: ...nfig_ufp_vport qos bandwidth min 15 in percentage CN4093 config_ufp_vport qos bandwidth max 95 in percentage CN4093 config_ufp_vport enable CN4093 config_ufp_vport exit CN4093 config interface port EXT1 CN4093 config if switchport mode trunk CN4093 config if switchport trunk native vlan 100 CN4093 config if switchport trunk allowed vlan add 200 300 CN4093 config if exit CN4093 config vlan 200 CN40...

Page 373: ...Trunk mode is enabled on UFP port INTA1 CN4093 config ufp port INTA1 vport 1 CN4093 config_ufp_vport network default vlan 100 CN4093 config_ufp_vport network mode auto CN4093 config_ufp_vport qos bandwidth min 20 in percentage CN4093 config_ufp_vport qos bandwidth max 90 in percentage CN4093 config_ufp_vport enable CN4093 config_ufp_vport exit CN4093 config virt enable CN4093 config virt vmware vc...

Page 374: ...nel mode Note VLAN is dynamically added by 802 1Qbg 6 Configure the EVG profile for the vPort 7 Specify QoS parameters for the vPort CN4093 config show virt vm CN4093 config virt vmgroup 1 vm 1 CN4093 config show virt vm CN 4093 config ufp enable CN4093 config ufp port INTA1 enable Warning Tagging Trunk mode is enabled on UFP port INTA1 CN4093 config_ufp_vport ufp port INTA1 vport 1 CN4093 config_...

Page 375: ... vPort CN4093 config_ufp_vport enable CN4093 config_ufp_vport exit CN4093 config virt evb profile 1 CN4093 conf evbprof reflective relay CN4093 conf evbprof vsi discovery CN4093 conf evbprof exit CN4093 config virt evb vsidb 1 CN4093 conf vsidb host 10 100 48 20 CN4093 conf vsidb filepath vsitypes CN4093 conf vsidb exit CN 4093 config ufp enable CN4093 config ufp port INTA1 enable Warning Tagging ...

Page 376: ...rt 6 Configure vPort FCoE mode 7 Configure vPort default VLAN CN4093 config_ufp_vport enable CN4093 config_ufp_vport exit CN4093 config interface port EXT1 CN4093 config if tagpvid ingress CN4093 config if no vlan dot1q tag native CN4093 config if switchport access vlan 4000 CN4093 config if exit CN4093 config cee enable CN4093 config fcoe fips enable CN 4093 config ufp enable CN4093 config ufp po...

Page 377: ...port EXT4 CN4093 config if switchport mode trunk CN4093 config if switchport trunk native vlan 1 CN4093 config if switchport trunk allowed vlan add 1 1002 CN4093 config if exit CN 4093 config vlan 700 CN 4093 config private vlan primary CN 4093 config exit CN4093 config interface port INTA10 CN4093 config if switchport mode private vlan CN4093 config if switchport private vlan mapping 700 CN4093 c...

Page 378: ...work mode trunk CN4093 config ufp vport enable CN4093 config ufp vport exit CN4093 config ufp port INTA3 enable CN4093 config ufp port INTA3 vport 1 CN4093 config ufp vport network private vlan host CN4093 config ufp vport network default vlan 300 CN4093 config ufp vport network mode trunk CN4093 config ufp vport enable CN4093 config ufp vport exit CN4093 config vlan 700 CN4093 config vlan vmember...

Page 379: ...Mode on page 370 for steps to configure a vPort in access mode Follow the steps below for configuring the failover trigger 1 Enable failover globally 2 Configure trigger 1 and add monitor and control ports Note If you try to add a physical port that has vPorts configured as a member of a trigger you may see the following error message when you enable the trigger CN4093 config failover trigger 1 en...

Page 380: ...3 config ufp port INTA10 vport 4 CN4093 config_ufp_vport network mode trunk CN4093 config_ufp_vport network default vlan 400 CN4093 config_ufp_vport qos ets priority 2 CN4093 config_ufp_vport enable CN4093 config_ufp_vport exit CN4093 config ufp port INTA10 vport 5 CN4093 config_ufp_vport network mode trunk CN4093 config_ufp_vport network default vlan 43 CN4093 config_ufp_vport qos ets priority 4 ...

Page 381: ...TS mode as the UFP QoS mode for port INTA10 3 Enable UFP on port INTA10 4 Globally enable Converged Enhanced Ethernet CEE 5 Globally enable UFP CN4093 config ufp port INTA10 qos mode ets CN4093 config ufp port INTA10 enable CN4093 config cee enable CN4093 config ufp enable ...

Page 382: ...382 CN4093 Application Guide for N OS 8 4 ...

Page 383: ...ed switch traffic from one SPAR is never delivered to another SPAR Traffic from one SPAR can however be delivered to another SPAR by traversing an upstream link and switch Each individual SPAR requires exactly one uplink which can be a port a port channel or an LACP group Limiting SPAR connectivity to one external uplink prevents the creation of loops SPAR operates as a Layer 2 broadcast network H...

Page 384: ...onfigured as a 802 1Q trunk port so it can process multiple VLAN traffic from a SPAR The SPAR domain uses a single uplink port or LAG shared among all the VLANs For link redundancy or greater bandwidth the uplinks can be grouped as static or LACP LAG If a VLAN is defined on multiple SPARs the egress port mask is used to prevent communication between the SPARs in the same local domain VLAN Since po...

Page 385: ... S VLAN service VLAN associated with the SPAR Although the uplink can be shared by multiple networks using the pass through domain SPAR will not be server VLAN aware Hence multiple VLAN traffic will be mixed together in a single broadcast domain that is broadcast traffic on different VLANs from the upstream network will reach all servers attached to the SPAR pass through domain The servers drop th...

Page 386: ...d A monitor port is used as a filtering criteria and the monitor port does not belong to the same SPAR as the mirrored port and is not defined on the global switch These ACL restrictions apply to all ACLs defined in an ACL group Port mirroring can be configured on SPAR ports but the monitor port must either belong to the same SPAR as the mirrored port or must be defined on the global switch Layer ...

Page 387: ...ures The following features are not supported when SPAR is configured 802 1x Edge Virtual Bridging Fibre Channel over Ethernet FCoE Hotlinks IGMP Layer 3 Configuration Management VLAN Private VLAN Protocol VLAN sFlow Stacking STP RSTP MRSTP PVST UFP vLAG VMAP VMready VNIC ...

Page 388: ...s on the switch The VLAN ID can be in the range of 2 4094 VLAN 1 and the management VLAN 4095 are reserved for the global switch context A VLAN assigned to a SPAR cannot be used for any other switch application Similarly VLAN used by any other switch application cannot be assigned to a SPAR SPAR member ports cannot be members of any other VLAN ...

Page 389: ...Set the mode of the SPAR to passthrough 4 Configure SPAR VLAN to 4081 5 Add ports INTA5 through INTA10 to SPAR 1 6 Enable SPAR 1 Local Domain Configuration This example demonstrates how to create a SPAR in local domain mode consisting of internal server ports INTA11 INTA14 and a single uplink port EXT 2 1 Create SPAR 2 2 Add uplink port EXT 2 to SPAR 2 CN 4093 config spar 1 CN 4093 config spar upl...

Page 390: ...bers of the that VLAN 9 Create local domain 3 assign VLAN 30 and specify the SPAR ports that are members of the that VLAN 10 Enable SPAR 2 CN 4093 config spar domain mode local CN 4093 config spar domain default vlan 4082 CN 4093 config spar domain default member INTA11 INTA14 CN 4093 config spar domain local 1 vlan 10 CN 4093 config spar domain local 1 member INTA11 INTA14 CN 4093 config spar dom...

Page 391: ...to switching traffic at near line rates the application switch can perform multi protocol routing This section discusses basic routing and advanced routing protocols Basic Routing Routing Information Protocol RIP Internet Group Management Protocol IGMP Border Gateway Protocol BGP Open Shortest Path First OSPF ...

Page 392: ...392 CN4093 Application Guide for N OS 8 4 ...

Page 393: ...bination of faster routing and switching in a single device provides another service it allows you to build versatile topologies that account for legacy configurations Consider an example in which a corporate campus has migrated from a router centric topology to a faster more powerful switch based topology As is often the case the legacy of network growth and redesign has left the system with a mi...

Page 394: ...ateway in this case the router for the next level of routing intelligence The router fills in the necessary address information and sends the data back to the switch which then relays the packet to the proper destination subnet using Layer 2 switching With Layer 3 IP routing in place on the CN4093 routing between different IP subnets can be accomplished entirely within the switch This leaves the r...

Page 395: ...uters 205 21 17 1 and 205 21 17 2 2 First Floor Client Workstations 100 20 10 2 254 3 Second Floor Client Workstations 131 15 15 2 254 4 Common Servers 206 30 15 2 254 Table 34 Subnet Routing Example IP Interface Assignments Interface Devices IP Interface Address IF 1 Primary and Secondary Default Routers 205 21 17 3 IF 2 First Floor Client Workstations 100 20 10 1 IF 3 Second Floor Client Worksta...

Page 396: ...e the default gateways to the routers addresses Configuring the default gateways allows the switch to send outbound traffic to the routers 5 Verify the configuration Examine the resulting information If any settings are incorrect make the appropriate changes CN 4093 config ip gateway 1 address 205 21 17 1 enable CN 4093 config ip gateway 2 address 205 21 17 2 enable CN 4093 config show interface i...

Page 397: ...g Example Optional VLAN Ports VLAN Devices IP Interface Switch Port VLAN 1 First Floor Client Workstations 2 EXT1 1 Second Floor Client Workstations 3 EXT2 1 2 Primary Default Router 1 EXT3 2 Secondary Default Router 1 EXT4 2 3 Common Servers 1 4 INT5A 3 Common Servers 2 4 INT6A 3 CN 4093 config vlan 1 CN 4093 config vlan exit CN 4093 config interface port ext1 ext2 Add ports to VLAN 1 CN 4093 con...

Page 398: ... the appropriate changes Port 4 is an untagged port and its current PVID is 1 Confirm changing PVID from 1 to 2 y n CN 4093 config interface ip 1 Select IP interface 1 CN 4093 config ip if vlan 2 Add VLAN 2 CN 4093 config vlan exit CN 4093 config interface ip 2 Select IP interface 2 CN 4093 config ip if vlan 1 Add VLAN 1 CN 4093 config ip if exit CN 4093 config interface ip 3 Select IP interface 3...

Page 399: ...ailover redundancy The client request is forwarded to both BOOTP servers configured on the switch However no health checking is supported BOOTP Relay Agent Configuration To enable the CN4093 to be the BOOTP forwarder you need to configure the BOOTP server IP addresses on the switch and enable BOOTP relay on the interface s on which the BOOTP requests are received Generally you should configure the...

Page 400: ...OTP relay agents for each of up to 10 VLANs As with global relay agent servers domain specific BOOTP DHCP functionality may be assigned on a per interface basis CN 4093 config ip bootp relay bcast domain 1 10 vlan VLAN number CN 4093 config ip bootp relay bcast domain 1 10 server 1 5 address IPv4 address CN 4093 config ip bootp relay bcast domain 1 10 enable ...

Page 401: ... Without the DHCP relay agent there must be at least one DHCP server deployed at each subnet that has hosts needing to perform the DHCP request Note The switch accepts gateway configuration parameters if they were not configured manually The switch ignores DHCP gateway parameters if the gateway is configured DHCP Relay Agent DHCP is described in RFC 2131 and the DHCP relay agent supported on CN409...

Page 402: ...Relay Agent Configuration In CN4093 implementation there is no need for primary or secondary servers The client request is forwarded to the BOOTP servers configured on the switch The use of two servers provide failover redundancy However no health checking is supported Use the following commands to configure the switch as a DHCP relay agent Additionally DHCP Relay functionality can be assigned on ...

Page 403: ...Cs for IPv6 related features This chapter describes the basic configuration of IPv6 addresses and how to manage the switch via IPv6 host management RFC 1981 RFC 2404 RFC 2410 RFC 2451 RFC 2460 RFC 2461 RFC 2462 RFC 2474 RFC 2526 RFC 2711 RFC 2740 RFC 3289 RFC 3306 RFC 3307 RFC 3411 RFC 3412 RFC 3413 RFC 3414 RFC 3484 RFC 3602 RFC 3810 RFC 3879 RFC 4007 RFC 4213 RFC 4291 RFC 4293 RFC 4293 RFC 4301 ...

Page 404: ...atures permit IP addresses to be configured using either IPv4 or IPv6 address formats However the following switch features support IPv4 only Default switch management IP address Bootstrap Protocol BOOTP and DHCP RADIUS TACACS and LDAP QoS metering and re marking ACLs for out profile traffic VMware Virtual Center vCenter for VMready Routing Information Protocol RIP Internet Group Management Protoc...

Page 405: ...FF FA 4CA2 Unlike IPv4 a subnet mask is not used for IPv6 addresses IPv6 uses the subnet prefix as the network identifier The prefix is the part of the address that indicates the bits that have fixed values or are the bits of the subnet prefix An IPv6 prefix is written in address prefix length notation For example in the following address 64 is the network prefix 21DA D300 0000 2F3C 64 IPv6 addres...

Page 406: ... interface ID must be unique within the same subnet Link local unicast address An address used to communicate with a neighbor on the same link Link local addresses use the format FE80 EUI Link local addresses are designed to be used for addressing on a single link for purposes such as automatic address configuration neighbor discovery or when no routers are present Routers must not forward any pac...

Page 407: ...ingle sender and a list of addresses Anycast addresses are allocated from the unicast address space using any of the defined unicast address formats Thus anycast addresses are syntactically indistinguishable from unicast addresses When a unicast address is assigned to more than one interface thus turning it into an anycast address the nodes to which the address is assigned must be explicitly confi...

Page 408: ...address configuration Address configuration is based on the receipt of Router Advertisement messages that contain one or more Prefix Information options Enterprise NOS 8 4 supports stateless address configuration Stateless address configuration allows hosts on a link to configure themselves with link local addresses and with addresses derived from prefixes advertised by local routers Even if no ro...

Page 409: ...cannot configure an IPv4 address on an IPv6 management interface Each interface can be configured with only one address type either IPv4 or IPv6 but not both When changing between IPv4 and IPv6 address formats the prior address settings for the interface are discarded Each IPv6 interface can belong to only one VLAN Each VLAN can support only one IPv6 interface Each VLAN can support multiple IPv4 i...

Page 410: ...e sender s role on the network IPv6 hosts use Router Solicitations to discover IPv6 routers When a router receives a Router Solicitation it responds immediately to the host Routers uses Router Advertisements to announce its presence on the network and to provide its address prefix to neighbor devices IPv6 hosts listen for Router Advertisements and uses the information to build a list of default ro...

Page 411: ...erfaces configured on the switch can forward packets You can configure each IPv6 interface as either a host node or a router node You can manually assign an IPv6 address to an interface in host mode or the interface can be assigned an IPv6 address by an upstream router using information from router advertisements to perform stateless auto configuration To set an interface to host mode use the foll...

Page 412: ...o an IPv6 address traceroute host name IPv6 address max hops 1 32 msec delay 1 4294967295 Telnet server The telnet command supports IPv6 addresses but not link local addresses Use the following format to Telnet into an IPv6 interface on the switch telnet host name IPv6 address port Telnet client The telnet command supports IPv6 addresses but not link local addresses Use the following format to Tel...

Page 413: ... first to resolve the hostname with an IPv4 address If no A record is found for that hostname no IPv4 address for that hostname an AAAA query is sent to resolve the hostname with a IPv6 address If you set the request version to ipv6 the DNS application sends an AAAA query first to resolve the hostname with an IPv6 address If no AAAA record is found for that hostname no IPv6 address for that hostna...

Page 414: ... IPv6 gateways IPv6 interfaces support Path MTU Discovery The CPU s MTU is fixed at 1500 bytes Support for jumbo frames 1 500 to 9 216 byte MTUs is limited Any jumbo frames intended for the CPU must be fragmented by the remote node The switch can re assemble fragmented packets up to 9k It can also fragment and transmit jumbo packets received from higher layers IPv6 Configuration Examples IPv6 Conf...

Page 415: ...rtisements for the interface optional 4 Verify the configuration CN 4093 config interface ip 3 CN 4093 config ip if ipv6 address 2001 BA98 7654 BA98 FEDC 1234 ABCD 5214 CN 4093 config ip if ipv6 prefixlen 64 CN 4093 config ip if ipv6 seccaddr6 2003 1 32 CN 4093 config ip if vlan 2 CN 4093 config ip if enable CN 4093 config ip if exit CN 4093 config ip gateway6 1 address 2001 BA98 7654 BA98 FEDC 12...

Page 416: ...416 CN4093 Application Guide for N OS 8 4 ...

Page 417: ...commendations for IPv6 implementations Enterprise NOS IPv6 feature compliance has been extended to include the following IETF RFCs with an emphasis on IP Security IPsec and Internet Key Exchange version 2 and authentication confidentiality for OSPFv3 RFC 4301 for IPv6 security RFC 4302 for the IPv6 Authentication Header RFCs 2404 2410 2451 3602 and 4303 for IPv6 Encapsulating Security Payload ESP ...

Page 418: ...an anti replay service a form of partial sequence integrity and some traffic flow confidentiality ESPs may be applied alone or in combination with an AH ESP is defined in RFC 4303 Internet Key Exchange Version 2 IKEv2 IKEv2 is used for mutual authentication between two network elements An IKE establishes a security association SA that includes shared secret information to efficiently establish SAs...

Page 419: ...outgoing IPv6 packet is checked against the IPsec policies in force For each outbound packet after the packet is encrypted the software compares the packet size with the MTU size that it either obtains from the default minimum maximum transmission unit MTU size 1500 or from path MTU discovery If the packet size is larger than the MTU size the receiver drops the packet and sends a message containin...

Page 420: ...al certificate signed by a trusted Certificate Authority and the private key for that digital certificate The side performing the authentication only needs a copy of the trusted certificate authorities digital certificate During IKEv2 authentication the side being validated sends a copy of the digital certificate and a hash value signed using the private key The certificate can be either generated...

Page 421: ...e The CSR can then be exported to a remote device to be signed by a CA 1 Create an HTTPS CSR defining the information you want to be used in the various fields CN 4093 config copy tftp ca cert address hostname or IPv4 address Source file name path and filename of CA certificate file Port type DATA MGT Confirm download operation y n y CN 4093 config copy tftp host key address hostname or IPv4 addre...

Page 422: ...bd 17 3f 11 f2 85 4b d6 b4 1d 3f 70 1f 13 bb 5e 2e 4c a8 ad 6a 7f 11 36 97 a6 25 0a 87 66 31 c9 92 59 03 31 5d ff df c6 aa 93 7c 51 9f 8e 1b 6f 2a be c4 4c 66 d6 2c 4b 6d e6 ae 4e 02 82 fc fa a1 de 3b c9 24 25 d5 6e 15 15 18 ce 9b a6 98 ad 0c 32 1f 94 01 Exponent 65537 0x10001 Attributes a0 00 Signature Algorithm sha256WithRSAEncryption 24 26 dd 96 49 47 9d 78 74 48 9b 63 4c 32 f0 78 da 7d 82 c9 1...

Page 423: ...ZvbJo V4qq pgQOt9ZJOMDrGQ0YmO1p84 GdxXVwGePCOvCRLESsq5rQb3zPSVvWnTsq0G gURvbV VQN9dI9lANZGZJi6BRNIRdBen dH0KRcCAwEAAaAAMA0GCSqGSIb3DQEB BQUAA4IBAQCSLDOrOnl7kaZri2OjDpzgiiG 9Skde3MehaklddfZnCkT1ALL3ZXY xWwYnvF5jAgnHhxRJbPOzwHNDWMtZiiNOTHyzHVptsyRBv70Kb8odJmuyKWDqunJ Ho1hHe63a7MRLFkQ 6io3kGrmq1bdM5U6xvvS 0ZXXUaiK1p lNLOrsYk45D01Az YHhcdRQtFUbQxqbirpi0jLsi82X7JCNQ2XCP6dhphkWKI6wsCvmlJdazW V gH X wqMk...

Page 424: ...tication algo rithms are used Create a traffic selector This describes the packets to which the policy applies Establish an IPsec policy Apply the policy 1 To define which encryption and authentication algorithms are used create a transform set where the following parameters are used transform ID A number from 1 10 encryption method One of the following esp des esp 3des esp aes cbc esp null integr...

Page 425: ... or to any ICMP traffic proto tcp only apply the selector to TCP traffic source IP address any the source IP address in IPv6 format or any source destination IP address any the destination IP address in IPv6 format or any destination prefix length Optional the length of the destination IPv6 prefix an integer from 1 128 Permitted traffic that matches the policy in force is encrypted while denied tr...

Page 426: ...ound ESP authenticator key The inbound ESP authenticator key code in hexadecimal outbound AH IPsec key The outbound AH key code in hexadecimal outbound AH IPsec SPI A number from 256 4294967295 outbound ESP cipher key The outbound ESP key code in hexadecimal outbound ESP SPI A number from 256 4294967295 CN 4093 config ipsec manual policy policy number CN 4093 config ipsec manual peer peer s IPv6 a...

Page 427: ...onfigure the IPSec policy you need to apply it to the interface to enforce the security policies on that interface and save it to keep it in place after a reboot To accomplish this enter CN 4093 config ip interface ip IP interface number 1 128 CN 4093 config ip if address IPv6 address CN 4093 config ip if ipsec manual policy policy index 1 10 CN 4093 config ip if enable enable the IP interface CN ...

Page 428: ...e Whether to enable or disable the perfect forward security feature The default is disable Note In a dynamic policy the AH and ESP keys are created by IKEv2 3 After you configure the IPSec policy you need to apply it to the interface to enforce the security policies on that interface and save it to keep it in place after a reboot To accomplish this enter CN 4093 config ipsec dynamic policy policy ...

Page 429: ...ally is 1 When a switch receives a routing update that contains a new or changed destination network entry the switch adds 1 to the metric value indicated in the update and enters the network in the routing table The IPv4 address of the sender is used as the next hop Stability RIP includes a number of other stability features that are common to many routing protocols For example RIP implements the...

Page 430: ... routing updates do not carry subnet mask information Hence the router cannot determine whether the route is a subnet route or a host route It is of limited usage after the introduction of RIPv2 For more information about RIPv1 and RIPv2 refer to RFC 1058 and RFC 2453 RIPv2 RIPv2 is the most popular and preferred configuration for most networks RIPv2 expands the amount of useful information carrie...

Page 431: ...without waiting for the regular update interval It is recommended to enable Triggered Updates Multicast RIPv2 messages use IPv4 multicast address 224 0 0 9 for periodic updates Multicast RIPv2 updates are not processed by RIPv1 routers IGMP is not needed since these are inter router messages which are not forwarded To configure RIPv2 in RIPv1 compatibility mode set multicast to disable and set ver...

Page 432: ...hen RIPv1 and unauthenticated RIPv2 messages are accepted authenticated RIPv2 messages are discarded If the router is configured to authenticate RIPv2 messages then RIPv1 and RIPv2 messages which pass authentication testing are accepted unauthenticated and failed authentication RIPv2 messages are discarded For maximum security RIPv1 messages are ignored when authentication is enabled interface ip ...

Page 433: ...D is 1 Confirm changing PVID from 1 to 2 y n y CN 4093 config vlan 3 CN 4093 config vlan exit CN 4093 config interface port 3 CN 4093 config if switchport mode trunk CN 4093 config if switchport trunk allowed vlan add 3 CN 4093 config if exit Port 3 is an UNTAGGED port and its current PVID is 1 Confirm changing PVID from 1 to 3 y n y CN 4093 config interface ip 2 CN 4093 config ip if enable CN 409...

Page 434: ...the routing table of the switch For those RIP learnt routes within the garbage collection period that are routes phasing out of the routing table with metric 16 use the following command Locally configured static routes do not appear in the RIP Routes table CN 4093 show ip route CN 4093 show ip rip routes ...

Page 435: ...istening for IPv4 hosts reporting their host group memberships This process is used to set up a client server relationship between an IPv4 Multicast source that provides the data streams and the clients that want to receive the data The CN4093 10 Gb Converged Scalable Switch CN4093 can perform IGMP Snooping or act as an IGMP Relay proxy device Note Enterprise NOS 8 4 does not support IPv6 for IGMP...

Page 436: ...set up as follows An IPv4 Multicast Router Mrouter sends Membership Queries to the switch which forwards them to all ports in a given VLAN Hosts that want to receive the multicast data stream send Membership Reports to the switch which sends a proxy Membership Report to the Mrouter The switch sets up a path between the Mrouter and the host and blocks all other ports from receiving the multicast Pe...

Page 437: ...om specific source addresses or from all but specific source addresses The CN4093 supports the following IGMPv3 filter modes INCLUDE mode The host requests membership to a multicast group and provides a list of IPv4 addresses from which it wants to receive traffic EXCLUDE mode The host requests membership to a multicast group and provides a list of IPv4 addresses from which it does not want to rec...

Page 438: ... relevant for v2 entries CN 4093 config ip igmp snoop vlan 1 CN 4093 config ip igmp snoop enable CN 4093 config ip igmp snoop igmpv3 enable CN 4093 config ip igmp enable Turn on IGMP CN 4093 show ip igmp groups Total entries 5 Total IGMP groups 2 Note The Total IGMP groups number is computed as the number of unique Group Vlan entries Note Local groups 224 0 0 x are not snooped relayed and will not...

Page 439: ...hen static Mrouters are used the switch will continue learning dynamic Mrouters via IGMP snooping However dynamic Mrouters may not replace static Mrouters If a dynamic Mrouter has the same port and VLAN combination as a static Mrouter the dynamic Mrouter will not be learned Following is an example of configuring a static multicast router 1 For each Mrouter configure a port VLAN and IGMP version of...

Page 440: ...ed join messages from its attached hosts IGMP Relay also forwards multicast traffic between the Mrouter and end stations similar to IGMP Snooping You can configure up to two Mrouters to use with IGMP Relay One Mrouter acts as the primary Mrouter and one is the backup Mrouter The CN4093 uses ICMP health checks to determine if the primary and backup mrouters are reachable Configuration Guidelines Co...

Page 441: ...g ip if ip address 10 10 1 1 255 255 255 0 enable CN 4093 config ip if vlan 2 CN 4093 config ip if exit CN 4093 config interface ip 3 CN 4093 config ip if ip address 10 10 2 1 255 255 255 0 enable CN 4093 config ip if vlan 3 CN 4093 config ip if exit CN 4093 config ip igmp enable CN 4093 config ip igmp relay mrouter 1 address 100 0 1 2 CN 4093 config ip igmp relay mrouter 1 enable CN 4093 config i...

Page 442: ...n be based on IPv4 address or MAC address Note When IGMP Querier is enabled on a VLAN the switch performs the role of IGMP querier only if it meets the IGMP querier election criteria IGMP Querier Configuration Example Follow this procedure to configure IGMP Querier 1 Enable IGMP and configure the source IPv4 address for IGMP Querier on a VLAN 2 Enable IGMP Querier on the VLAN 3 Configure the queri...

Page 443: ...ved unless a multicast router was learned on the port Enable FastLeave only on VLANs that have only one host connected to each physical port IGMP Filtering With IGMP Filtering you can allow or deny a port to learn certain IGMP or IPMC groups This allows you to restrict users from receiving certain multicast traffic If access to a multicast group is denied IGMP Membership Reports from the port are ...

Page 444: ... addresses within a larger range that a primary filter is configured to deny The two filters work together to allow IPv4 multicasts to a small subset of addresses within the larger range of addresses Note Lower numbered filters take precedence over higher number filters For example the action defined for IGMP Filter 1 supersedes the action defined for IGMP Filter 2 IGMP Filtering Configuration Exa...

Page 445: ...roup Management Protocol version 2 IGMPv2 and MLDv2 is derived from IGMPv3 MLD uses ICMPv6 IP Protocol 58 message types See RFC 2710 and RFC 3810 for details MLDv2 protocol when compared to MLDv1 adds support for source filtering the ability for a node to report interest in listening to packets only from specific source addresses or from all but specific source addresses sent to a particular multi...

Page 446: ...e Specific Query Sent to learn if for a specified multicast address there are nodes still listening to a specific set of sources Supported only in MLDv2 Note Multicast Address Specific Queries and Multicast Address and Source Specific Queries are sent only in response to State Change Reports and never in response to Current State Reports Multicast Listener Report Sent by a host when it joins a mul...

Page 447: ... host immediately reports these changes through a State Change Report message The Querier sends a Multicast Address Specific Query to verify if hosts are listening to a specified multicast address or not Similarly if MLDv2 is configured the Querier sends a Multicast Address and Source Specific Query to verify for a specified multicast address if hosts are listening to a specific set of sources or ...

Page 448: ...er An Mrouter acts as a Querier and periodically at short query intervals sends query messages in the subnet If there are multiple Mrouters in the subnet only one can be the Querier All Mrouters on the subnet listen to the messages sent by the multicast address listeners and maintain the same multicast listening information state All MLDv2 queries are sent with the FE80 64 link local source addres...

Page 449: ...ters on the ingress VLANs of the MLD enabled interface All report or done messages are forwarded to these Mrouters By default the option of dynamically learning Mrouters is disabled To enable it use the following command CN 4093 config interface ip interface number CN 4093 config ip if ipv6 mld dmrtr enable ...

Page 450: ...le RV 2 Query Interval QI 125 seconds Query Response Interval QRI 10 seconds Multicast Address Listeners Interval MALI 260 seconds derived RV QI QRI Other Querier Present Interval OQPT 255 seconds derived RV QI QRI Start up Query Interval SQI 31 25 seconds derived QI Startup Query Count SQC 2 derived RV Last Listener Query Interval LLQI 1 second Last Listener Query Count LLQC 2 derived RV Last Lis...

Page 451: ...listener query interval CN 4093 config ipv6 mld CN 4093 config router mld enable CN 4093 config router mld exit CN 4093 config interface ip 2 CN 4093 config ip if enable CN 4093 config ip if ipv6 address 2002 1 0 0 0 0 0 3 CN 4093 config ip if ipv6 prefixlen 64 CN 4093 config ip if ipv6 mld enable CN 4093 config ip if ipv6 mld version 1 2 MLD version CN 4093 config ip if ipv6 mld robust 1 10 Robus...

Page 452: ...452 CN4093 Application Guide for N OS 8 4 ...

Page 453: ...ovider s BGP is defined in RFC 1771 CN4093 10 Gb Converged Scalable Switches CN4093s can advertise their IP interfaces and IPv4 addresses using BGP and take BGP feeds from as many as BGP router peers This allows more resilience and flexibility in balancing traffic from the Internet Note Enterprise NOS 8 4 does not support IPv6 for BGP The following topics are discussed in this section Internal Rou...

Page 454: ...ame autonomous system An iBGP is a type of internal routing protocol you can use to do active routing inside your network It also carries AS path information which is important when you are an ISP or doing BGP transit The iBGP peers have to maintain reciprocal sessions to every other iBGP router in the same AS in a full mesh manner in order to propagate route information throughout the AS If the i...

Page 455: ... containing the new route For each route removed from the route table if the route has already been sent to a peer an update message containing the route to withdraw is sent to that peer For each Internet host you must be able to send a packet to that host and that host has to have a path back to you This means that whoever provides Internet connectivity to that host must have a path to you Ultima...

Page 456: ...s and AS number It also allows users to overwrite the local preference metric and to append the AS number in the AS route See BGP Failover Configuration on page 462 Enterprise NOS allows you to configure 32 route maps Each route map can have up to eight access lists Each access list consists of a network filter A network filter defines an IPv4 address and subnet mask of the network that you want t...

Page 457: ...ifying a precedence value with the following commands The smaller the value the higher the precedence If two route maps have the same precedence value the smaller number has higher precedence Configuration Example To configure route maps you need to do the following 1 Define network filter Enter a filter number from 1 to 256 Specify the IPv4 address and subnet mask of the network that you want to ...

Page 458: ...reference for the matched route Specify the metric Multi Exit Discriminator MED for the matched route 5 Enable the route map 6 Turn BGP on 7 Assign the route map to a peer router Select the peer router and then add the route map to the incoming route map list or to the outgoing route map list 8 Exit Router BGP mode CN 4093 config route map as path list 1 as 1 CN 4093 config route map as path list ...

Page 459: ...of routes between routing domains by defining a method known as route maps between the two domains For more information on route maps see What is a Route Map on page 456 Redistributing routes is another way of providing policy control over whether to export OSPF routes fixed routes and static routes For an example configuration see Default Redistribution and Route Aggregation Example on page 464 D...

Page 460: ...it Discriminator Attribute This attribute is a hint to external neighbors about the preferred path into an AS when there are multiple entry points A lower metric value is preferred over a higher metric value The default value of the metric attribute is 0 Unlike local preference the metric attribute is exchanged between ASs however a metric attribute that comes into an AS does not leave the AS When...

Page 461: ...tes with higher local preference values are selected 3 In the case of multiple routes of equal preference the route with lower AS path weight is selected AS path weight 128 x AS path length number of autonomous systems traversed 4 In the case of equal weight and routes learned from peers that reside in the same AS the lower metric is selected Note A route with a metric is preferred over a route wi...

Page 462: ...ng to the switch to be three router hops away 1 Define the VLANs For simplicity both default gateways are configured in the same VLAN in this example The gateways could be in the same VLAN or different VLANs 2 Define the IP interfaces with IPv4 addresses The switch will need an IP interface for each default gateway to which it will be connected Each interface must be placed in the appropriate VLAN...

Page 463: ...ity for a Denial of Service DoS attack the forwarding of directed broadcasts is disabled by default 4 Configure BGP peer router 1 and 2 CN 4093 config ip routing Enable IP forwarding CN 4093 config router bgp CN 4093 config router bgp ip router id 8 8 8 8 CN 4093 config router bgp as 816 CN 4093 config router bgp neighbor 1 remote address 200 200 200 2 CN 4093 config router bgp neighbor 1 remote a...

Page 464: ...figure internal peer router 1 and external peer router 2 4 Configure redistribution for Peer 1 GbE Switch Module 10 1 1 135 Aggregate routes 135 0 0 0 8 traversing from AS 135 to AS 200 0 0 0 0 0 Default routes towards internal peer router AS 135 AS 200 Internal peer router 1 10 1 1 4 135 110 0 0 16 135 120 0 0 16 20 20 20 135 External peer router 2 20 20 20 2 CN 4093 config router bgp CN 4093 con...

Page 465: ...9 Border Gateway Protocol 465 5 Configure aggregation policy control Configure the routes that you want aggregated CN 4093 config router bgp aggregate address 1 135 0 0 0 255 0 0 0 CN 4093 config router bgp aggregate address 1 enable ...

Page 466: ...466 CN4093 Application Guide for N OS 8 4 ...

Page 467: ...parameters electing the designated router summarizing routes defining route maps and so forth OSPFv2 Configuration Examples on page 483 This section provides step by step instructions on configuring different OSPFv2 examples Creating a simple OSPF domain Creating virtual links Summarizing routes OSPFv3 Implementation in Enterprise NOS on page 491 This section describes differences and additional f...

Page 468: ... stub areas Not So Stubby Area NSSA similar to a stub area with additional capabilities Routes originating from within the NSSA can be propagated to adjacent transit and backbone areas External routes from outside the AS can be advertised within the NSSA but can be configured to not be distributed into other areas Transit Area an area that carries data traffic which neither originates nor terminat...

Page 469: ... Border Router ABR a router that has interfaces in multiple areas ABRs maintain one LSDB for each connected area and disseminate routing information between areas Autonomous System Boundary Router ASBR a router that acts as a gateway between the OSPF domain and non OSPF domains such as RIP BGP and static routes Figure 48 OSPF Domain and an Autonomous System Backbone Area 0 Area 3 Area 2 Area 1 Int...

Page 470: ...information to the other neighbors The Link State Database OSPF is a link state routing protocol A link represents an interface or routable path from the routing device By establishing an adjacency with the DR each routing device in an OSPF area maintains an identical Link State Database LSDB describing the network topology for its area Each routing device transmits a Link State Advertisement LSA ...

Page 471: ...an be done with static routes or using active internal routing protocols such as OSPF RIP or RIPv2 It is also useful to tell routers outside your network upstream providers or peers about the routes you have access to in your network Sharing of routing information between autonomous systems is known as external routing Typically an AS will have one or more border routers peer routers that exchange...

Page 472: ...intervals retransmission interval and interface transmit delay In addition to the preceding parameters you can specify the following Shortest Path First SPF interval Time interval between successive calculations of the shortest path tree using the Dijkstra s algorithm Stub area metric A stub area can be configured to send a numeric metric value such that all routes received via that stub area carr...

Page 473: ... area are as follows Note The aindex option above is an arbitrary index used only on the switch and does not represent the actual OSPF area number The actual OSPF area number is defined in the areaid portion of the command as explained in the following sections Assigning the Area Index The aindex area index option is actually just an arbitrary index 0 2 used only by the CN4093 This index does not ...

Page 474: ...rmats are supported be sure that the area IDs are in the same format throughout an area Attaching an Area to a Network Once an OSPF area has been defined it must be associated with a network To attach the area to a network you must assign the OSPF area index to an IP interface that participates in the area The commands are as follows For example the following commands could be used to configure IP...

Page 475: ...router ID wins Interfaces configured as passive do not participate in the DR or BDR election process Summarizing Routes Route summarization condenses routing information Without summarization each routing device in an OSPF network would retain a route to every subnet in the network With summarization routing devices can reduce some sets of routes to a single advertisement reducing both the load on...

Page 476: ...configured default gateway it can inject a default route into rest of the OSPF domain Use the following command to configure the switch to inject OSPF default routes In the command above metric value sets the priority for choosing this switch for default route The value none sets no default and 1 sets the highest priority for default route Metric type determines the method for influencing routing ...

Page 477: ...ther direction To provide the CN4093 with a router ID see the following section Router ID For a detailed configuration example on Virtual Links see Example 2 Virtual Links on page 485 Router ID Routing devices in OSPF areas are identified by a router ID expressed in IP address format The router ID is not required to be part of any IP interface range or in any OSPF area and may even use the CN4093 ...

Page 478: ...passwords and MD5 cryptographic authentication This type of authentication allows a password to be configured per area We strongly recommend that you implement MD5 cryptographic authentication as a best practice Figure shows authentication configured for area 0 with the password test Simple authentication is also configured for the virtual link between area 2 and area 0 Area 1 is not configured fo...

Page 479: ...t password up to eight characters for the virtual link between Area 2 and Area 0 on switches 2 and 4 CN 4093 config router ospf area 0 authentication type password CN 4093 config router ospf exit CN 4093 config interface ip 1 CN 4093 config ip if ip ospf key test CN 4093 config ip if exit CN 4093 config interface ip 2 CN 4093 config ip if ip ospf key test CN 4093 config ip if exit CN 4093 config i...

Page 480: ...k on switches 2 and 4 CN 4093 config router ospf area 0 authentication type md5 CN 4093 config router ospf message digest key 1 md5 key test CN 4093 config router ospf exit CN 4093 config interface ip 1 CN 4093 config ip if ip ospf message digest key 1 CN 4093 config ip if exit CN 4093 config interface ip 2 CN 4093 config ip if ip ospf message digest key 1 CN 4093 config ip if exit CN 4093 config ...

Page 481: ... towards any given destination ECMP allows separate routes to be calculated for each IP Type of Service All paths of equal cost to a given destination are calculated and the next hops for all equal cost paths are inserted into the routing table If redundant routes via multiple routing processes such as OSPF RIP BGP or static routes exist on your network the switch defaults to the OSPF derived rout...

Page 482: ...es Not Supported The following OSPF features are not supported in this release Summarizing external routes Filtering OSPF routes Using OSPF to forward multicast routes Configuring OSPF on non broadcast multi access networks such as frame relay X 25 or ATM ...

Page 483: ...re used for attaching networks to the various areas 6 Optional Configure route summarization between OSPF areas 7 Optional Configure virtual links 8 Optional Configure host routes Example 1 Simple OSPF Domain In this example two OSPF areas are defined one area is the backbone and the other is a stub area A stub area does not allow advertisements of external routes thus reducing the size of the dat...

Page 484: ...he stub area CN 4093 config interface ip 1 CN 4093 config ip if ip address 10 10 7 1 255 255 255 0 enable CN 4093 config ip if exit CN 4093 config interface ip 2 CN 4093 config ip if ip address 10 10 12 1 255 255 255 0 enable CN 4093 config ip if exit CN 4093 config router ospf CN 4093 config router ospf enable CN 4093 config router ospf area 0 area id 0 0 0 0 CN 4093 config router ospf area 0 typ...

Page 485: ...en configuring virtual links Later when configuring the other end of the virtual link on Switch 2 the router ID specified here will be used as the target virtual neighbor nbr address 3 Enable OSPF 4 Define the backbone BladeCenter IF 1 10 10 7 1 IF 2 10 10 12 1 IF 1 10 10 12 2 IF 1 10 10 24 1 Backbone Transit Area Stub Area Application Switch 1 Switch 2 Area 0 0 0 0 0 Area 1 0 0 0 1 Area 2 0 0 0 2...

Page 486: ... 24 0 24 CN 4093 config router ospf area 1 area id 0 0 0 1 CN 4093 config router ospf area 1 type transit CN 4093 config router ospf area 1 enable CN 4093 config router ospf exit CN 4093 config interface ip 1 CN 4093 config ip if ip ospf area 0 CN 4093 config ip if ip ospf enable CN 4093 config ip if exit CN 4093 config interface ip 2 CN 4093 config ip if ip ospf area 1 CN 4093 config ip if ip osp...

Page 487: ...rea CN 4093 config ip router id 10 10 14 1 CN 4093 config router ospf CN 4093 config router ospf enable CN 4093 config router ospf area 0 area id 0 0 0 0 CN 4093 config router ospf area 0 enable CN 4093 config router ospf area 1 area id 0 0 0 1 CN 4093 config router ospf area 1 type transit CN 4093 config router ospf area 1 enable CN 4093 config router ospf area 2 area id 0 0 0 2 CN 4093 config ro...

Page 488: ...mmary route that includes all the individual IP addresses within the area The following example shows one summary route from area 1 stub area injected into area 0 the backbone The summary route consists of all IP addresses from 36 128 192 0 through 36 128 254 255 except for the routes in the range 36 128 200 0 through 36 128 200 255 Note OSPFv2 supports IPv4 only IPv6 is supported in OSPFv3 see OS...

Page 489: ...ble CN 4093 config ip if exit CN 4093 config router ospf CN 4093 config router ospf enable CN 4093 config router ospf area 0 area id 0 0 0 0 CN 4093 config router ospf area 0 type transit CN 4093 config router ospf area 0 enable CN 4093 config router ospf area 1 area id 0 0 0 1 CN 4093 config router ospf area 1 type stub CN 4093 config router ospf area 1 enable CN 4093 config router ospf exit CN 4...

Page 490: ...n your switch show ip ospf show ip ospf neighbor show ip ospf database database summary show ip ospf routes Refer to the Enterprise NOS Command Reference for information on the preceding commands CN 4093 config router ospf CN 4093 config router ospf area range 2 address 36 128 200 0 255 255 255 0 CN 4093 config router ospf area range 2 area 1 CN 4093 config router ospf area range 2 hide CN 4093 co...

Page 491: ...nd assigned to OSPF areas in much the same way IPv4 interfaces are assigned to areas in OSPFv2 This is the primary configuration difference between OSPFv3 and OSPFv2 See Internet Protocol Version 6 on page 403 for configuring IPv6 interfaces OSPFv3 Uses Independent Command Paths Though OSPFv3 and OSPFv2 are very similar they are configured independently OSPFv3 command paths are located as follows ...

Page 492: ... so link LSA is not originated for the interface Use the command CN 4093 config ip if ipv6 ospf linklsasuppress OSPFv3 Limitations Enterprise NOS 8 4 does not currently support the following OSPFv3 features Multiple instances of OSPFv3 on one IPv6 link OSPFv3 Configuration Example The following example depicts the OSPFv3 equivalent configuration of Example 3 Summarizing Routes on page 488 for OSPF...

Page 493: ...e ip 3 CN 4093 config ip if ipv6 address 10 0 0 0 0 0 0 1 CN 4093 config ip if ipv6 prefixlen 56 CN 4093 config ip if enable CN 4093 config ip if exit CN 4093 config interface ip 4 CN 4093 config ip if ip address 36 0 0 0 0 0 1 CN 4093 config ip if ipv6 prefixlen 56 CN 4093 config ip if enable CN 4093 config ip if exit CN 4093 config ipv6 router ospf CN 4093 config router ospf3 enable CN 4093 conf...

Page 494: ...es from advertising to the backbone This differs from OSPFv2 only in that the OSPFv3 command path is used and the address and prefix are specified in IPv6 format CN 4093 config ipv6 router ospf CN 4093 config router ospf3 area range 1 address 36 0 0 0 0 0 0 0 32 CN 4093 config router ospf3 area range 1 area 0 CN 4093 config router ospf3 area range 1 enable CN 4093 config router ospf area range 2 a...

Page 495: ...onfig ip if ipv6 ospf dead interval 40 CN 4093 config ip if ipv6 ospf network point to multipoint CN 4093 config ip if ipv6 ospf poll interval 120 CN 4093 config ip if ipv6 ospf enable CN 4093 config ip if exit CN 4093 config ipv6 router ospf CN 4093 config router ospf3 router id 12 12 12 12 CN 4093 config router ospf3 enable CN 4093 config router ospf3 area 0 area id 0 0 0 0 CN 4093 config router...

Page 496: ...496 CN4093 Application Guide for N OS 8 4 ...

Page 497: ...des multiple receivers or when it reaches a necessary bifurcation point leading to different receiver domains PIM is used by multicast source stations client receivers and intermediary routers and switches to build and maintain efficient multicast routing trees PIM is protocol independent It collects routing information using the existing unicast routing functions underlying the IPv4 network but d...

Page 498: ...M DM PIM SM is used in networks where multicast senders and receivers comprise a relatively small sparse portion of the overall network PIM SM uses a more complex process than PIM DM for collecting and optimizing multicast routes but minimizes impact on other IP services and is more commonly used PIM DM is used where multicast devices are a relatively large dense portion of the network with very f...

Page 499: ... default PIM is disabled on the switch PIM can be globally enabled or disabled using the following ISCLI commands Defining a PIM Network Component The CN4093 can be attached to a maximum of two independent PIM network components Each component represents a different PIM network and can be defined for either PIM SM or PIM DM operation Basic PIM component configuration is performed using the followi...

Page 500: ...Filters The CN4093 accepts connection to up to 24 PIM interfaces By default the switch accepts all PIM neighbors attached to the PIM enabled interfaces up to the maximum number 72 neighbors Once the maximum is reached the switch will deny further PIM neighbors To ensure that only the appropriate PIM neighbors are accepted by the switch the administrator can use PIM neighbor filters to specify whic...

Page 501: ...ng command You can view configured PIM neighbor filters globally or for a specific IP interface using the following commands CN 4093 config ip if ip pim neighbor addr neighbor IPv4 address deny CN 4093 config ip if exit CN 4093 config show ip pim neighbor filters CN 4093 config show ip pim interface Interface number neighbor filters ...

Page 502: ... Router Selection Using PIM SM All PIM enabled IP interfaces are considered as potential Designate Routers DR for their domain By default the interface with the highest IP address on the domain is selected However if an interface is configured with a DR priority value it overrides the IP address selection process If more than one interface on a domain is configured with a DR priority the one with ...

Page 503: ...date routers For each PIM enabled IP interface the administrator can set the preference level for which the local interface becomes the BSR A value of 255 highly prefers the local interface as a BSR A value of 1 indicates that the PIM CBSR preference is not configured on the local interface CN 4093 config interface ip Interface number CN 4093 config ip if ip pim cbsr preference 0 to 255 CN 4093 co...

Page 504: ...an be configured with a PIM SM or PIM DM multicast group IPv4 address Using the ISCLI IGMP Query is disabled by default If IGMP Querier is needed with PIM be sure to enable the IGMP Query feature globally as well as on each VLAN where it is needed If the switch is connected to multicast receivers and or hosts be sure to enable IGMP snooping globally as well as on each VLAN where PIM receivers are ...

Page 505: ...resents the PIM network being connected to the switch The IPv4 addresses in the defined range must not be included in another IP interface on the switch under a different VLAN 4 Enable PIM on the IP interface and assign the PIM component Note Because PIM component 1 is assigned to the interface by default the component id command is needed only if the setting has been previously changed 5 Set the ...

Page 506: ...are configured on a different PIM component as shown in Figure 55 Note In the following example since the receivers and sources are connected in different areas the border router must be configured for the IPMC traffic to be forwarded Enterprise NOS supports only partial configuration of PIM border router Figure 55 Network with both PIM DM and PIM SM Components CN 4093 config ip pim static rp enab...

Page 507: ...ode the DR RP and BSR settings do not apply CN 4093 config ip pim enable CN 4093 config ip pim component 2 CN 4093 config ip pim comp mode dense CN 4093 config ip pim comp exit CN 4093 config interface ip 22 CN 4093 config ip if ip address 10 10 1 2 255 255 255 255 CN 4093 config ip if vlan 102 CN 4093 config ip if enable CN 4093 config ip if ip pim enable CN 4093 config ip if ip pim component id ...

Page 508: ...508 CN4093 Application Guide for N OS 8 4 ...

Page 509: ...ic consists of myriad services and applications which use the Internet Protocol IP for data delivery However IP is not optimized for all the various applications High Availability goes beyond IP and makes intelligent switching decisions to provide redundant network configurations ...

Page 510: ...510 CN4093 Application Guide for N OS 8 4 ...

Page 511: ...s inherently fault tolerant As long as one connection between the switches is available the LAG remains active In Figure 56 four ports are aggregated together between the switch and the enterprise routing device Connectivity is maintained as long as one of the links remains active The links to the server are also aggregated allowing the secondary NIC to take over in the event that the primary NIC ...

Page 512: ...tion occurs the interface must maintain a stable link for the duration of the Forward Delay interval For example if you set the Forward delay timer to 10 seconds using the command the switch will select an interface to become active only if a link remained stable for the duration of the Forward Delay period If the link is unstable the Forward Delay period starts again Preemption You can configure ...

Page 513: ...nterface A port that is a member of one Hot Links trigger cannot be a member of another Hot Links trigger An individual port that is configured as a Hot Link interface cannot be a member of a LAG Configuring Hot Links Use the following commands to configure Hot Links CN 4093 config hotlinks trigger 1 enable Enable Hot Links Trigger 1 CN 4093 config hotlinks trigger 1 master port 38 Add port to Mas...

Page 514: ...514 CN4093 Application Guide for N OS 8 4 ...

Page 515: ...Cs on each server share the same IP address and are configured into a team One NIC is the primary link and the other is a standby link For more details refer to the documentation for your Ethernet adapter Note Only two links per server blade can be used for Layer 2 LAG Failover one primary and one backup Network Adapter Teaming allows only one backup NIC for each server blade ...

Page 516: ...r The VLAN Monitor allows Layer 2 Failover to discern different VLANs With VLAN Monitor turned on If enough links in a trigger fail see Setting the Failover Limit on page 518 the switch disables all internal ports that reside in the same VLAN membership as the LAG s in the trigger When enough links in the trigger return to service the switch enables the internal ports that reside in the same VLAN ...

Page 517: ... Figure 58 Two LAGs each in a different Failover Trigger Figure 59 shows a configuration with two LAGs VLAN Monitor is turned off so only one Failover Trigger is configured on each switch Switch 1 is the primary switch for Server 1 and Server 2 Switch 2 is the primary switch for Server 3 and Server 4 STP is turned off If all links in trigger 1 go down switch 1 disables all internal links to server...

Page 518: ... the trigger initiates a failover event For example if the limit is two a failover event occurs when the number of operational links in the trigger is two or fewer When you set the limit to zero the switch triggers a failover event only when no links in the trigger are operational Trigger 1 Trigger 1 VLAN 1 VLAN 2 VLAN Monitor Off Routing Switch Enterprise Internet Server 1 Server 3 Server 2 Serve...

Page 519: ...operational as long as the following conditions are true The port must be in the Link Up state If STP is enabled the port must be in the Forwarding state If the port is part of an LACP LAG the port must be in the Aggregated state If any of the above conditions is false the monitor port is considered to have failed Control Port State A control port is considered Operational if the monitor trigger i...

Page 520: ...ber of the trigger Note If you change the LACP system priority on an LACP aggregation the failover trigger goes down Spanning Tree Protocol If Spanning Tree Protocol STP is enabled on the ports in a failover trigger the switch monitors the port STP state rather than the link state A port failure results when STP is not in a Forwarding state such as Learning Discarding or No Link The switch automat...

Page 521: ...xternal ports in all static or LACP LAGs added to a specific failover trigger must belong to the same VLAN and have the same PVID Different triggers are not permitted to operate on the same VLAN Different triggers are not permitted to operate on the same internal port For each port in each LAG in a specific failover trigger the trigger will monitor the STP state on only the default PVID Manual Mon...

Page 522: ...ks to disable when the failover limit is reached 4 Configure general Layer 2 Failover parameters 5 Enable failover globally 6 Verify the configuration CN 4093 config portchannel 1 port EXT1 EXT2 EXT3 enable CN 4093 config failover trigger 1 enable CN 4093 config failover trigger 1 limit 0 1024 CN 4093 config failover trigger 1 amon portchannel 1 CN 4093 config show failover trigger 1 information C...

Page 523: ...ge 535 VRRP Overview In a high availability network topology no device can create a single point of failure for the network or force a single point of failure to any other part of the network This means that your network will remain in service despite the failure of any single device To achieve this usually requires redundancy for all vital network components VRRP enables redundant router configur...

Page 524: ...P pings TCP connections and so on There is no requirement for any VRRP router to be the IPv4 address owner Most VRRP installations choose not to implement an IPv4 address owner For the purposes of this chapter VRRP routers that are not the IPv4 address owner are called renters Master and Backup Virtual Router Within each virtual router one VRRP router is selected to be the virtual router master Se...

Page 525: ...master periodically sends advertisements to an IPv4 multicast address As long as the backups receive these advertisements they remain in the backup state If a backup does not receive an advertisement for three advertisement intervals it initiates a bidding process to determine which VRRP router has the highest priority and takes over as master In addition to the three advertisement intervals a man...

Page 526: ...n inefficient use of network resources because one functional application switch sits by idly until a failure calls it into action Service providers now demand that vendorsʹ equipment support redundant configurations where all devices can process traffic when they are healthy increasing site throughput and decreasing user response times when no device has failed Enterprise NOS high availability co...

Page 527: ...primary application for VRRP based hot standby is to support Server Load Balancing when you have configured Network Adapter Teaming on your server blades With Network Adapter Teaming the NICs on each server share the same IPv4 address and are configured into a team One NIC is the primary link and the others are backup links For more details refer to the relevant network adapter documentation The h...

Page 528: ...nfigurations or any other configuration that require shared interfaces A VRRP group has the following characteristics When enabled all virtual routers behave as one entity and all group settings override any individual virtual router settings All individual virtual routers once the VRRP group is enabled assume the group s tracking and priority When one member of a VRRP group fails the priority of ...

Page 529: ...urrent master then the standby can assume the role of the master See Configuring the Switch for Tracking on page 530 for an example on how to configure the switch for tracking VRRP priority Table 38 VRRP Tracking Parameters Parameter Description Number of IP interfaces on the switch that are active up tracking priority increment interfaces Helps elect the virtual routers with the most available ro...

Page 530: ... is less disruptive than bringing a new master online and severing all active connections in the process If switch 1 is the master and it has two or more active servers fewer than switch 2 then switch 2 becomes the master If switch 2 is the master it remains the master even if servers are restored on switch 1 such that it has one fewer or an equal number of servers If switch 2 is the master and it...

Page 531: ...ous Switches in a virtual router need not be identically configured In the scenario illustrated in Figure 63 traffic destined for IPv4 address 10 0 1 1 is forwarded through the Layer 2 switch at the top of the drawing and ingresses CN4093 1 on port EXT1 Return traffic uses default gateway 1 192 168 1 1 If the link between CN4093 1 and the Layer 2 switch fails CN4093 2 becomes the Master because it...

Page 532: ...nfig ip if enable CN 4093 config ip if exit CN 4093 config interface ip 4 CN 4093 config ip if ip address 10 0 2 101 255 255 255 0 CN 4093 config ip if enable CN 4093 config ip if exit CN 4093 config ip gateway 1 address 192 168 1 1 CN 4093 config ip gateway 1 enable CN 4093 config ip gateway 2 address 192 168 2 1 CN 4093 config ip gateway 2 enable CN 4093 config router vrrp CN 4093 config vrrp en...

Page 533: ... 20 CN 4093 config if exit CN 4093 config no spanning tree stp 1 CN 4093 config interface ip 1 CN 4093 config ip if ip address 192 168 1 101 255 255 255 0 CN 4093 config ip if vlan 10 CN 4093 config ip if enable CN 4093 config ip if exit CN 4093 config interface ip 2 CN 4093 config ip if ip address 192 168 2 100 255 255 255 0 CN 4093 config ip if vlan 20 CN 4093 config ip if enable CN 4093 config ...

Page 534: ...uter id 2 CN 4093 config vrrp virtual router 2 interface 2 CN 4093 config vrrp virtual router 2 address 192 168 2 200 CN 4093 config vrrp virtual router 2 enable CN 4093 config vrrp virtual router 1 track ports CN 4093 config vrrp virtual router 2 track ports CN 4093 config vrrp virtual router 2 priority 101 CN 4093 config vrrp exit CN 4093 config vlan 10 CN 4093 config vlan exit CN 4093 config in...

Page 535: ... peer switches should have an equal number of connected ports If hot standby is implemented in a looped environment the hot standby feature automatically disables the hot standby ports on the VRRP Standby If the Master switch should failover to the Standby switch it would change the hot standby ports from disabled to forwarding without relying on Spanning Tree or manual intervention Therefore Span...

Page 536: ...it CN 4093 config router vrrp CN 4093 config vrrp enable CN 4093 config vrrp virtual router 1 virtual router id 1 CN 4093 config vrrp virtual router 1 interface 1 CN 4093 config vrrp virtual router 1 address 174 14 20 100 CN 4093 config vrrp virtual router 1 enable CN 4093 config vrrp virtual router 2 virtual router id 2 CN 4093 config vrrp virtual router 2 interface 2 CN 4093 config vrrp virtual ...

Page 537: ...rface 2 CN 4093 config ip if enable CN 4093 config ip if exit CN 4093 config router vrrp CN 4093 config vrrp enable CN 4093 config vrrp virtual router 1 virtual router id 1 CN 4093 config vrrp virtual router 1 interface 1 CN 4093 config vrrp virtual router 1 address 174 14 20 100 CN 4093 config vrrp virtual router 1 enable CN 4093 config vrrp virtual router 2 virtual router id 2 CN 4093 config vrr...

Page 538: ...538 CN4093 Application Guide for N OS 8 4 ...

Page 540: ...540 CN4093 Application Guide for N OS 8 4 ...

Page 541: ...tware support Link Layer Discovery Protocol LLDP This chapter discusses the use and configuration of LLDP on the switch LLDP Overview on page 542 Enabling or Disabling LLDP on page 543 LLDP Transmit Features on page 544 LLDP Receive Features on page 549 LLDP Example Configuration on page 553 ...

Page 542: ...ort aggregation membership The LLDP transmit function and receive function can be independently configured on a per port basis The administrator can allow any given port to transmit only receive only or both transmit and receive LLDP information The LLDP information to be distributed by the CN4093 ports and that which has been collected from other LLDP stations is stored in the switch s Management...

Page 543: ...nge the LLDP transmit and receive state the following commands are available To view the LLDP transmit and receive status use the following commands CN 4093 config no lldp enable Turn LLDP on or off globally CN 4093 config interface port x Select a switch port CN 4093 config if lldp admin status tx_rx Transmit and receive LLDP CN 4093 config if lldp admin status tx_only Only transmit LLDP CN 4093 ...

Page 544: ...e global transmit interval can be configured using the following command where interval is the number of seconds between LLDP transmissions The range is 5 to 32768 The default is 30 seconds Minimum Interval In addition to sending LLDP information at scheduled intervals LLDP information is also sent when the CN4093 detects relevant changes to its configuration or status such as when ports are enabl...

Page 545: ... sent when the CN4093 detects relevant changes to its configuration or status such as when ports are enabled or disabled To prevent the CN4093 from sending multiple trap notifications in rapid succession when port status is in flux a global trap delay timer can be configured The trap delay timer represents the minimum time permitted between successive trap notifications on any port Any interval dr...

Page 546: ...LDP information associated with the CN4093 port from their MIB In addition if LLDP is fully disabled on a port using admstat disabled and later re enabled the CN4093 will temporarily delay resuming LLDP transmissions on the port in order to allow the port LLDP information to stabilize The reinitialization delay interval can be globally configured for all ports using the following command where int...

Page 547: ...ptional Information Types Type Description Default portdesc Port Description Enabled sysname System Name Enabled sysdescr System Description Enabled syscap System Capabilities Enabled mgmtaddr Management Address Enabled portvid IEEE 802 1 Port VLAN ID Disabled portprot IEEE 802 1 Port and Protocol VLAN ID Disabled vlanname IEEE 802 1 VLAN Name Disabled protid IEEE 802 1 Protocol Identity Disabled ...

Page 548: ... 8 4 dcbx Data Center Bridging Capability Exchange Protocol DCBX for the port Enabled all Select all optional LLDP information for inclusion or exclusion Disabled Table 39 LLDP Optional Information Types continued Type Description Default ...

Page 549: ... updates contain LLDP information changes to port state configuration LLDP MIB structures deletion the switch will set a change flag within the MIB for convenient notification to SNMP based management systems Note In stacking mode both the Master and the Backup receive LLDP information for all the ports in a stack and update the LLDP table The Master and Backup switches synchronize the LLDP tables...

Page 550: ...Bridge 01 80 C2 00 00 0E NnTB Nearest non TPMR Bridge 01 80 C2 00 00 03 NCB Nearest Customer Bridge 01 80 C2 00 00 00 Total number of current entries 1 LocalPort Index Remote Chassis ID Remote Port Remote System Name DMAC EXT3 1 00 18 b1 33 1d 00 23 C12 NB CN 4093 config show lldp remote device 1 Local Port Alias EXT3 Remote Device Index 1 Remote Device TTL 99 Remote Device RxChanges false Chassis...

Page 551: ...d bridge router System Capabilities Enabled bridge router Remote Management Address Subtype IPv4 Address 11 1 58 5 Interface Subtype ifIndex Interface Number 58 Object Identifier Local Port Alias EXT24 Remote Device Index 2 Remote Device TTL 108 Remote Device RxChanges false Chassis Type Mac Address Chassis Id 74 99 75 1c 71 00 Port Type Locally Assigned Port Id 56 Port Description EXT14 System Na...

Page 552: ...receive an LLDP update from the remote device before the time to live clock expires the switch will consider the remote information to be invalid and will remove all associated information from the MIB Remote devices can also intentionally set their LLDP time to live to 0 indicating to the switch that the LLDP information is invalid and should be immediately removed ...

Page 553: ...ig lldp holdtime multiplier 4 Remote hold 4 intervals CN 4093 config lldp reinit delay 2 Wait 2 sec after reinit CN 4093 config lldp trap notification interval 5 Minimum 5 sec between CN 4093 config interface port n Select a switch port CN 4093 config if lldp admin status tx_rx Transmit and receive LLDP CN 4093 config if lldp trap notification Enable SNMP trap notifications CN 4093 config if lldp ...

Page 554: ...554 CN4093 Application Guide for N OS 8 4 ...

Page 555: ... Chapter 36 Simple Network Management Protocol Enterprise NOS provides Simple Network Management Protocol SNMP version 1 version 2 and version 3 support for access through any network management software such as Lenovo Director ...

Page 556: ...For the SNMP manager to receive the SNMPv1 traps sent out by the SNMP agent on the switch configure the trap host on the switch with the following command Note You can use a loopback interface to set the source IP address for SNMP traps Use the following command to apply a configured loopback interface CN 4093 config snmp server trap source loopback 1 5 CN 4093 config snmp server read community 1 ...

Page 557: ...d5 The authentication used is MD5 the privacy protocol used is DES User 2 name is adminsha password adminsha The authentication used is SHA the privacy protocol used is DES User 3 name is mmv3_mgr password mmv3_mgr The authentication used is MD5 the privacy protocol used is DES User 3 with the default password is used for EHCM level 1 access For EHCM level 2 and level 3 access the CMM generates a ...

Page 558: ...protocol md5 sha authentication password or CN 4093 config snmp server user 1 17 authentication protocol none CN 4093 config snmp server user 5 name admin CN 4093 config snmp server user 5 authentication protocol md5 authentication password Changing authentication password validation required Enter current admin password admin password Enter new authentication password auth password Re enter new a...

Page 559: ...3 config snmp server group 3 group name usrgrp Create views for user CN 4093 config snmp server view 6 name usr CN 4093 config snmp server view 6 tree 1 3 6 1 4 1 1872 2 5 1 2 Agent information CN 4093 config snmp server view 7 name usr CN 4093 config snmp server view 7 tree 1 3 6 1 4 1 1872 2 5 1 3 L2 statistics CN 4093 config snmp server view 8 name usr CN 4093 config snmp server view 8 tree 1 3...

Page 560: ...nfig snmp server view 20 name oper CN 4093 config snmp server view 20 tree 1 3 6 1 4 1 1872 2 5 1 2 Agent information CN 4093 config snmp server view 21 name oper CN 4093 config snmp server view 21 tree 1 3 6 1 4 1 1872 2 5 1 3 L2 statistics CN 4093 config snmp server view 22 name oper CN 4093 config snmp server view 22 tree 1 3 6 1 4 1 1872 2 5 2 2 L2 information CN 4093 config snmp server view 2...

Page 561: ...orts both retrieving the logs via SNMP ʹGetʹ requests and the forwarding of event logs via SNMP traps Supported management tools are xHMC and other security and information event management SIEM tools like Qradar Security audit logging refers to the following event types NTP Server DHCP server configuration changes Switch management IP address changes OSPF BGP RIP authentication changes Software R...

Page 562: ... community string is used in the trap CN 4093 config snmp server user 10 name v1trap CN 4093 config snmp server access user number CN 4093 config snmp server access 10 Access group to view SNMPv1 traps name v1trap security snmpv1 notify view iso CN 4093 config snmp server group 10 Assign user to the access group security snmpv1 user name v1trap group name v1trap CN 4093 config snmp server notify 1...

Page 563: ...me v2trap CN 4093 config snmp server access 10 security snmpv2 CN 4093 config snmp server access 10 notify view iso CN 4093 config snmp server notify 10 name v2trap CN 4093 config snmp server notify 10 tag v2trap CN 4093 config snmp server target address 10 name v2trap address 100 10 2 1 CN 4093 config snmp server target address 10 taglist v2trap CN 4093 config snmp server target address 10 parame...

Page 564: ...tocol md5 authentication password Changing authentication password validation required Enter current admin password admin password Enter new authentication password auth password Re enter new authentication password auth password New authentication password accepted CN 4093 config snmp server access 11 notify view iso CN 4093 config snmp server access 11 level authnopriv CN 4093 config snmp server...

Page 565: ...definitions of the Enterprise NOS SNMP agent are contained in the following Enterprise NOS enterprise MIB document GbScSE 10G L2L3 mib The Enterprise NOS SNMP agent supports the following standard MIBs dot1x mib ieee8021ab mib ieee8023ad mib lldpxdcbx mib rfc1213 mib rfc1215 mib rfc1493 mib rfc1573 mib rfc1643 mib rfc1657 mib rfc1757 mib rfc1850 mib rfc1907 mib rfc2037 mib rfc2233 mib rfc2465 mib ...

Page 566: ...her the login attempt was from CONSOLE or TELNET In case of TELNET login it also specifies the IP address of the host from which the attempt was made altSwValidLogin Signifies that a user login has occurred altSwApplyComplete Signifies that new configuration has been applied altSwSaveComplete Signifies that new configuration has been saved altSwFwDownloadSucess Signifies that firmware has been dow...

Page 567: ...terface is active altSwHotlinksMasterDn Signifies that the Master interface is not active altSwHotlinksBackupUp Signifies that the Backup interface is active altSwHotlinksBackupDn Signifies that the Backup interface is not active altSwHotlinksNone Signifies that there are no active interfaces altSwStgBlockingState Signifies port state has changed to blocking state altSwTeamingCtrlUp Signifies that...

Page 568: ...G instance is down identified in the trap message altSwVlagIslUp Signifies that connection between VLAG switches is up altSwVlagIslDown Signifies that connection between VLAG switches is down altSwDefGwUp Signifies that the default gateway is alive ipCurCfgGwIndex is the index of the Gateway in ipCurCfgGwTable The range for ipCurCfgGwIndex is from 1 to ipGatewayTableMax ipCurCfgGwAddr is the IP ad...

Page 569: ...TableMax ipCurCfgGwAddr is the IP address of the default gateway altSwVrrpNewMaster Indicates that the sending agent has transitioned to Master state vrrpCurCfgVirtRtrIndx is the VRRP virtual router table index referenced in vrrpCurCfgVirtRtrTable The range is from 1 to vrrpVirtRtrTableMaxSize vrrpCurCfgVirtRtrAddr is the VRRP virtual router IP address altSwVrrpNewBackup Indicates that the sending...

Page 570: ...altSwECMPGatewayUp Signifies that the ECMP gateway is up altSwECMPGatewayDown Signifies that the ECMP gateway is down altSwOspfRouteUpdated Signifies that an OSPF route update message was received altSwTempExceedThreshold Signifies that the switch temperature has exceeded maximum safety limits altSwTempReturnThreshold Signifies that the switch temperature has returned to under maximum safety limit...

Page 571: ...attempted to join the stack altSwStackImageSlotMismatch Signifies that the slot of the boot image of a newly attached switch does not match that of the master altSwStackImageVersMismatch Signifies that the version of the boot image of a newly attached switch does not match that of the master altSwStackBootCfgMismatch Signifies that the booted config of a newly attached switch does not match that o...

Page 572: ... altVMGroupVMVlanChange Signifies that a virtual machine has entered a VLAN or changed the VLAN vmCheckSpoofedvm Signifies that a spoofed VM MAC was found Table 40 Enterprise NOS Supported Enterprise SNMP Traps continued Trap Name Description ...

Page 573: ... Load a previously saved switch configuration from a FTP TFTP SFTP server Save the switch configuration to a FTP TFTP SFTP server Save a switch dump to a FTP TFTP SFTP server Table 41 MIBs for Switch Image and Configuration Files MIB Name MIB OID agTransferServer 1 3 6 1 4 1872 2 5 1 1 7 1 0 agTransferImage 1 3 6 1 4 1872 2 5 1 1 7 2 0 agTransferImageFileName 1 3 6 1 4 1872 2 5 1 1 7 3 0 agTransfe...

Page 574: ...r a password Set agTransferPassword 0 MyPassword 6 Initiate the transfer To transfer a switch image enter 2 gtimg Set agTransferAction 0 2 Loading a Saved Switch Configuration To load a saved switch configuration with the name MyRunningConfig cfg into the switch follow the steps below This example shows a TFTP server at IPv4 address 192 168 10 10 though IPv6 is also supported 1 Set the FTP TFTP SF...

Page 575: ...using an SFTP FTP server enter a password Set agTransferPassword 0 MyPassword 5 Initiate the transfer To save a running configuration file enter 4 Set agTransferAction 0 4 Saving a Switch Dump To save a switch dump to a FTP TFTP SFTP server follow the steps below This example shows an FTP TFTP SFTP server at 192 168 10 10 though IPv6 is also supported 1 Set the FTP TFTP SFTP server address where t...

Page 576: ...576 CN4093 Application Guide for N OS 8 4 ...

Page 577: ... There can only be one Directory Agent present per given host The Directory Agent acts as an intermediate tier in the SLP architecture placed between the User Agents and the Service Agents so they communicate only with the Directory Agent instead of with each other This eliminates a large portion of the multicast request or reply traffic on the network and it protects the Service Agents from being...

Page 578: ...Code You will need to provide the unique ID UID of the specific CN4093 where the key will be installed The UID is the last 12 characters of the CN4093 serial number This serial number is located on the Part Number PN label and is also displayed during successful login to the device When available download the activation key file from the FoD site Installing Activation Keys Once FoD activation key ...

Page 579: ...Features on Demand FoD website http www ibm com systems x fod Trial keys expire after a predefined number of days 10 days before the expiration date the switch will begin to issue the following syslog messages When the trial license expires all features enabled by the key are disabled configuration files active and backup are deleted and the switch revert to the default port map To prevent this ei...

Page 580: ... internal and 2 external 10 Gbps ports To implement the above scenario follow these steps a Deactivate the ports required to clear the 80 Gbps required bandwidth b Activate the required ports c To verify the configuration run the following command Flexible Port Mapping is disabled if all available licenses are installed all physical ports are available Removing a license key reverts the port mappi...

Page 581: ...which protocols can be enabled The SIOM only allows secured traffic and secured authentication management The following topics are discussed in this chapter SIOM Overview on page 582 Creating a Policy Setting on page 586 Managing User Accounts on page 589 Implementing Secure LDAP LDAPS on page 591 SIOM Dependencies on page 594 ...

Page 582: ...hassis Management Module containing it must be running SIOM capable software and the IOM must have SIOM enabled In all other cases the IOM operates in LIOM mode When the IOM is in SIOM mode the security characteristics configured on the CMM are sent to the IOM These characteristics can be divided into the following categories Policy setting User Account Management Secure LDAP LDAPS authentication ...

Page 583: ...h local user accounts The switch may perform an additional reboot automatically after changing the SIOM state or upgrading the CMM software Using SIOM with Stacking In stacking mode configuring SIOM is only supported on the Master switch Hence the command is only supported on the Master switch On stack member switches SIOM is configured by the Master switch and the member switches automatically in...

Page 584: ...abled software to SIOM enabled software takes about 15 minutes If a staggered upgrade procedure is used this duration increases according to the number of switches in the stack If the Master switch gets rebooted the Backup switch becomes the Master operation called Master failover and it will be SIOM provisioned If the SIOM provisioning occurs for the first time on this switch it will also reboot ...

Page 585: ...switch in SIOM Switch boots up with all operational data ports disabled Although the management ports are enabled they canʹt be used by admin to set up the switch until the configuration is applied Internal management port is used by the CMM during the provisioning to exchange information with IOM At the end of provisioning when SIOM is enabled the rest of the operational ports come up and the swi...

Page 586: ...ls When you are in Secure Mode the following protocols are deemed insecure and are disabled HTTP LDAP Client SNMPv1 SNMPv2 Telnet server and client FTP server and client Radius client TFTP Server Except for the TFTP server these protocols cannot be enabled when the switch is operating in Secure Mode because the commands to enable or disable them are no longer enabled The following protocols althou...

Page 587: ...annot be disabled in any mode NTP Client v4 LDAPS Client The following protocols are also deemed secure on the CN4093 and can be enabled IKE IPSec The default state for these protocols in Secure Mode whether enabled or disabled is the same as in Legacy Mode The following protocols are deemed secure but are not currently supported by the CN4093 EAPoL SCP S MIME SNMPv3 Manager TCP command secure mod...

Page 588: ...588 CN4093 Application Guide for ENOS 8 4 SNMPv3 IPv6 bootp Notes Telnet IPv6 and TFTP IPv6 are disabled in Secure Mode TFTP IPv6 is allowed in Secure Mode for signed image transfers only ...

Page 589: ...3 will enable Node Accounts and will disable Local Accounts When the IOM runs as LIOM or the Centralized Flag is disabled SNMPv3 will use Local Accounts and disable Node Accounts Node Accounts represent accounts configured on the CMM while Local Accounts are accounts configured on the IOM Since there is no case where both the Node Account and Local Account are enabled the username of a Node Accoun...

Page 590: ...93 Application Guide for ENOS 8 4 For more information about these commands see the Lenovo ISCLI Industry Standard CLI Command Reference for the Lenovo Flex System Fabric CN4093 10 Gb Converged Scalable Switch ...

Page 591: ...OM is in SIOM mode all LDAP configurations are made from the CMM and pushed to the IOM When the IOM is in LIOM mode the CLI can be used to configure LDAP settings LDAPS is disabled by default To enable LDAPS 1 Turn LDAP authentication on 2 Enable LDAP Enhanced Mode This changes the ldap server subcommands to support LDAPS 3 Configure the IPv4 addresses of each LDAP server 4 You may change the defa...

Page 592: ...er attribute optional Note The group filter string must contain no whitespace If no group filter attribute is configured no groups will be filtered and all groups will be considered in any search 12 Enable DNS server verification Disabling LDAPS To disable LDAPS enter For information about using LDAP in Legacy Mode see LDAP Authentication and Authorization on page 110 CN 4093 config ldap server bi...

Page 593: ...ure Input Output Module 593 Syslogs and LDAPS Syslogs are displayed for the following error conditions Password change required on first login Password expired Username or password invalid Account temporarily locked Unknown no reason given ...

Page 594: ...n the settings on the CMM This is especially important for NTP and LDAP which ensure switch operability For example if the LDAP client is configured incorrectly the switch cannot be managed The Enhanced Configuration and Management EHCM module configures the NTP client Therefore the NTP client is dependent upon the ECHM module being enabled and functional Some protocols cannot be changed from enab...

Page 595: ...onitoring The ability to monitor traffic passing through the CN4093 can be invaluable for troubleshooting some types of networking problems This sections cover the following monitoring features Remote Monitoring RMON sFLOW Port Mirroring ...

Page 596: ...596 CN4093 Application Guide for N OS 8 4 ...

Page 597: ...rview The RMON MIB provides an interface between the RMON agent on the switch and an RMON management application The RMON MIB is described in RFC 1757 The RMON standard defines objects that are suitable for the management of Ethernet networks The RMON agent continuously collects statistics and proactively monitors switch performance RMON allows you to monitor traffic flowing through the switch The...

Page 598: ...MON statistics 2 View RMON statistics for the port CN 4093 config interface port 23 CN 4093 config if rmon CN 4093 config if show interface port 23 rmon counters RMON statistics for port 23 etherStatsDropEvents NA etherStatsOctets 7305626 etherStatsPkts 48686 etherStatsBroadcastPkts 4380 etherStatsMulticastPkts 6612 etherStatsCRCAlignErrors 22 etherStatsUndersizePkts 0 etherStatsOversizePkts 0 eth...

Page 599: ...dex object type as described in RFC1213 and RFC1573 The most common data type for the history sample is as follows 1 3 6 1 2 1 2 2 1 1 x mgmt interfaces ifTable ifIndex interface The last digit x represents the interface on which to monitor which corresponds to the switch port number History sampling is done per port by utilizing the interface number to specify the port number Configuring RMON His...

Page 600: ...on Guide for N OS 8 4 3 View RMON history for the port CN 4093 config show rmon history RMON History group configuration Index IFOID Interval Rbnum Gbnum 1 1 3 6 1 2 1 2 2 1 1 1 120 30 30 Index Owner 1 rmon port 1 history ...

Page 601: ... 6 1 2 1 5 1 x mgmt icmp icmpInMsgs where x represents the interface on which to monitor which corresponds to the switch interface number or port number as follows 1 through 128 Switch interface number 129 Switch port 1 130 Switch port 2 131 Switch port 3 and so on This value represents the alarmʹs MIB OID as a string Note that for non tables you must supply a 0 to specify an end node Configuring ...

Page 602: ...generated that triggers event index 5 Configure the RMON Alarm parameters to track ICMP messages CN 4093 config rmon alarm 1 oid 1 3 6 1 2 1 5 8 0 CN 4093 config rmon alarm 1 alarm type rising CN 4093 config rmon alarm 1 rising crossing index 110 CN 4093 config rmon alarm 1 interval time 60 CN 4093 config rmon alarm 1 rising limit 200 CN 4093 config rmon alarm 1 sample delta CN 4093 config rmon al...

Page 603: ...erly RMON uses a syslog host to send syslog messages Therefore an existing syslog host must be configured for event log notification to work properly Each log event generates a system log message of type RMON that corresponds to the event For example to configure the RMON event parameters This configuration creates an RMON event that sends a syslog message each time it is triggered by an alarm CN ...

Page 604: ...604 CN4093 Application Guide for N OS 8 4 ...

Page 605: ...sent to the configured sFlow analyzer For each port the sFlow sampling rate can be configured to occur once each 256 to 65536 packets or 0 to disable the default A sampling rate of 256 means that one sample will be taken for approximately every 256 packets received on the port The sampling rate is statistical however It is possible to have slightly more or fewer samples sent to the analyzer for an...

Page 606: ...en 5 and 60 seconds or 0 to disable By default polling is 0 disabled for each port 3 On a per port basis define the data sampling rate Specify a sampling rate between 256 and 65536 packets or 0 to disable By default the sampling rate is 0 disabled for each port 4 Save the configuration CN 4093 config sflow server IPv4 address sFlow server address CN 4093 config sflow port service port Set the opti...

Page 607: ...e the resulting mirrored traffic Figure 65 Mirroring Ports In standalone non stacking mode the CN4093 supports two monitor ports with two way mirroring or four monitor ports with one way mirroring In stacking mode one monitor port with two way mirroring or two monitor ports with one way mirroring is supported Each monitor port can receive mirrored traffic from any number of target ports Enterprise...

Page 608: ...e following procedure may be used to configure port mirroring for the example shown in Figure 65 on page 607 1 Specify the monitoring port the mirroring port s and the port mirror direction 2 Enable port mirroring 3 View the current configuration CN 4093 config port mirroring monitor port EXT3 mirroring port EXT1 in CN 4093 config port mirroring monitor port EXT3 mirroring port EXT2 both CN 4093 c...

Page 610: ...610 CN4093 Application Guide for N OS 8 4 ...

Page 611: ...value is 1 and maximum value is 254 Default is 100 A higher number will win out for master designation Proto Protocol The protocol of a frame Can be any value represented by a 8 bit value in the IP header adherent to the IP specification for example TCP UDP OSPF ICMP and so on SIP The source IP address of a frame SPort The source port application socket for example HTTP 80 HTTPS 443 DNS 53 Trackin...

Page 612: ...default gateway that is always available Two or more devices sharing an IP interface are either advertising or listening for advertisements These advertisements are sent via a broadcast message to an address such as 224 0 0 18 With VRRP one switch is considered the master and the other the backup The master is always advertising via the broadcasts The backup switch is always listening for the broa...

Page 613: ...rned on Check for updated software firmware and operating system device drivers for your Lenovo product The Lenovo Warranty terms and conditions state that you the owner of the Lenovo product are responsible for maintaining and updating all software and firmware for the product unless it is covered by an additional maintenance contract Your service technician will request that you upgrade your sof...

Page 614: ... You can solve many problems without outside assistance by following the troubleshooting procedures that Lenovo provides in the online help or in the Lenovo product documentation The Lenovo product documentation also describes the diagnostic tests that you can perform The documentation for most systems operating systems and programs contains troubleshooting procedures and explanations of error mes...

Page 615: ...ss or implied warranties in certain transactions therefore this statement may not apply to you This information could include technical inaccuracies or typographical errors Changes are periodically made to the information herein these changes will be incorporated in new editions of the publication Lenovo may make improvements and or changes in the product s and or the program s described in this p...

Page 616: ...ments may vary significantly Some measurements may have been made on development level systems and there is no guarantee that these measurements will be the same on generally available systems Furthermore some measurements may have been estimated through extrapolation Actual results may vary Users of this document should verify the applicable data for their specific environment ...

Page 617: ...he United States other countries or both Intel and Intel Xeon are trademarks of Intel Corporation in the United States other countries or both Internet Explorer Microsoft and Windows are trademarks of the Microsoft group of companies Linux is a registered trademark of Linus Torvalds Other company product or service names may be trademarks or service marks of others ...

Page 618: ...ith the largest currently supported drives that are available from Lenovo Maximum memory might require replacement of the standard memory with an optional memory module Each solid state memory cell has an intrinsic finite number of write cycles that the cell can incur Therefore a solid state device has a maximum number of write cycles that it can be subjected to expressed as total bytes written TB...

Page 619: ... of information technology IT equipment to responsibly recycle their equipment when it is no longer needed Lenovo offers a variety of programs and services to assist equipment owners in recycling their IT products For information on recycling Lenovo products go to http www lenovo com recycling ...

Page 620: ...Lenovo may condition provision of repair or replacement of devices or parts on implementation of appropriate remedial measures to mitigate such environmental contamination Implementation of such remedial measures is a customer responsibility Contaminant Limits Particulate The room air must be continuously filtered with 40 atmospheric dust spot efficiency MERV 9 according to ASHRAE Standard 52 21 A...

Page 621: ...t This product may not be certified in your country for connection by any means whatsoever to interfaces of public telecommunications networks Further certification may be required by law prior to making any such connection Contact a Lenovo representative or reseller for any questions ...

Page 622: ...own expense Properly shielded and grounded cables and connectors must be used to meet FCC emission limits Lenovo is not responsible for any radio or television interference caused by using other than recommended cables and connectors or by unauthorized changes or modifications to this equipment Unauthorized changes or modifications could void the user s authority to operate the equipment This devi...

Page 623: ...erence in which case the user may be required to take adequate measures Germany Class A Statement Deutschsprachiger EU Hinweis Hinweis für Geräte der Klasse A EU Richtlinie zur Elektromagnetischen Verträglichkeit Dieses Produkt entspricht den Schutzanforderungen der EU Richtlinie 2014 30 EU früher 2004 108 EC zur Angleichung der Rechtsvorschriften über die elektromagnetische Verträglichkeit in den...

Page 624: ...n in diesem Fall kann vom Betreiber verlangt werden angemessene Maßnahmen durchzuführen und dafür aufzukommen Nach dem EMVG Geräte dürfen an Orten für die sie nicht ausreichend entstört sind nur mit besonderer Genehmigung des Bundesministers für Post und Telekommunikation oder des Bundesamtes für Post und Telekommunikation betrieben werden Die Genehmigung wird erteilt wenn keine elektromagnetische...

Page 625: ...d Information Technology Industries Association JEITA Confirmed Harmonics Guidelines with Modifications products greater than 20 A per phase Korea Communications Commission KCC Statement This is electromagnetic wave compatibility equipment for business Type A Sellers and users need to pay attention to it This is for any areas other than home Russia Electromagnetic Interference EMI Class A statemen...

Page 626: ...626 CN4093 Application Guide for N OS 8 4 ...

Page 627: ... Bootstrap Router PIM 503 Border Gateway Protocol BGP 453 attributes 460 failover configuration 462 route aggregation 459 route maps 456 selecting route paths 461 bridge module 278 Bridge Protocol Data Unit BPDU 174 broadcast domains 137 397 Browser Based Interface 30 472 BSR PIM 503 C Canada Class A electronic emission statement 622 CEE 299 302 802 1p QoS 303 bandwidth allocation 303 DCBX 299 302...

Page 628: ... 318 European Union EMC Directive conformance statement 623 EVB 349 Extensible Authentication Protocol over LAN 114 external routing 454 471 F factory default configuration 61 failover 515 overview 526 FC BB 5 300 FCC Class A notice 622 FCC Class A 622 FCF 278 300 301 305 detection mode 307 FCoE 299 300 bridge module 278 CEE 301 302 CNA 301 ENodes 301 FCF 278 300 301 FIP snooping 299 301 305 FLOGI...

Page 629: ...ets 394 routing 393 394 VLANs 137 IPSec maximum traffic load 419 IPsec 417 key policy 424 IPv6 addressing 403 405 ISL Aggregation 161 Isolated VLAN 153 J Japan Class A electronic emission statement 624 Japan Electronics and Information Technology Indus tries Association statement 625 JEITA statement 625 jumbo frames 138 K Korea Class A electronic emission statement 625 L LACP 167 Layer 2 Failover ...

Page 630: ... 161 port flow control See flow control port mirroring 607 configuration rules 162 port modes 160 ports configuration 64 for services 123 monitoring 607 physical See switch ports preshared key 420 enabling 424 priority groups 317 priority value 802 1p 224 304 316 Priority based Flow Control See PFC Private VLANs 153 promiscuous port 153 Protocol Independant Multicast see PIM 497 protocol types 122...

Page 631: ...iguring 90 RSA host and server keys 93 stacking 232 355 starting switch setup 61 Static ARP 357 stopping switch setup 61 Storage Area Network See SAN subnet mask 67 subnets 67 summarizing routes 475 switch failover 526 switch ports VLANs membership 141 T TACACS 104 tagging See VLANs tagging Taiwan Class A electronic emission statement 625 TCP 122 technical assistance 613 technical terms port VLAN ...

Page 632: ...ultiple VLANs 142 name setup 66 port members 141 PVID 140 routing 397 security 137 setup 66 Spanning Tree Protocol 173 tagging 65 141 topologies 147 vNICs 261 VRRP Virtual Router Redundancy Protocol active active redundancy 527 hot standby redundancy 527 overview 523 virtual interface router 524 virtual router ID numbering 530 vrid 524 VSI 349 VSI Database See VSIDB VSI Discovery and Configuration...

Page 633: ......

Page 634: ...Part Number 00MY375 Printed in USA IP P N 00MY375 ...

Search results

Summary of Contents for Flex System Fabric CN4093

Reviews:

Related manuals for Flex System Fabric CN4093

Brands by name

Popular brands

Lenovo Flex System Fabric CN4093, Application Manual

Search results

Summary of Contents for Flex System Fabric CN4093

Reviews:

Related manuals for Flex System Fabric CN4093

Brands by name

Popular brands