Lenovo ThinkSystem NE2552E Application Manual Download Page 530

Page: 530 / 574

530

NE2552E Application Guide for ENOS 8.4

Implementing Secure LDAP (LDAPS)

Lightweight

Summary of Contents for ThinkSystem NE2552E

Page 1: ...Lenovo ThinkSystem NE2552E Flex Switch Application Guide For Lenovo Enterprise Network Operating System 8 4 ...

Page 2: ...nt that comes with the product Third Edition August 2018 Copyright Lenovo 2018 Portions Copyright IBM Corporation 2014 LIMITED AND RESTRICTED RIGHTS NOTICE If data or software is delivered pursuant a General Services Administration GSA contract use reproduction or disclosure is subject to restrictions set forth in Contract No GS 35F 05925 Lenovo and the Lenovo logo are trademarks of Lenovo in the ...

Page 3: ...er Based Interface 31 Establishing a Connection 32 Using the Chassis Management Module 32 Factory Default vs CMM Assigned IP Addresses 32 Using Telnet 33 Using Secure Shell 33 Using SSH with Password Authentication 34 Using SSH with Public Key Authentication 34 Using a Web Browser 35 Configuring HTTP Access to the BBI 35 Configuring HTTPS Access to the BBI 36 BBI Summary 37 Using Simple Network Ma...

Page 4: ... 66 IP Routing 67 Setup Part 5 Final Steps 68 Optional Setup for Telnet Support 69 Chapter 3 Switch Software Management 71 Loading New Software to Your Switch 72 Loading Software via the ISCLI 72 Loading Software via BBI 74 Updating Software on vLAG Switches 75 The Boot Management Menu 77 Boot Recovery Mode 78 Recover from a Failed Image Upgrade using TFTP 78 Recovering from a Failed Image Upgrade...

Page 5: ...Accounts 94 Strong Passwords 94 User Access Control Menu 95 Setting Up User IDs 95 Defining a User s Access Level 95 Validating a User s Configuration 95 Enabling or Disabling a User 95 Locking Accounts 95 Re enabling Locked Accounts 96 Listing Current Users 96 Logging In to an End User Account 96 Protected Mode 97 Maintenance Mode 98 Chapter 5 Authentication Authorization Protocols 99 RADIUS Auth...

Page 6: ...gning ACL Groups to a Port 125 ACL Metering and Re Marking 126 Metering 126 Re Marking 126 ACL Port Mirroring 127 Viewing ACL Statistics 127 ACL Logging 127 Enabling ACL Logging 127 Logged Information 128 Log Interval 128 ACL Logging Limitations 129 ACL Configuration Examples 130 ACL Example 1 130 ACL Example 2 130 ACL Example 3 131 Management ACLs 132 Part 3 Switch Basics 133 Chapter 8 VLANs 135 ...

Page 7: ...ion Rules 164 Configuring a Static LAG 165 Configurable LAG Hash Algorithm 167 Link Aggregation Control Protocol 169 LACP Modes 170 LACP individual 171 Configuring LACP 172 Chapter 10 Spanning Tree Protocols 173 Spanning Tree Protocol Modes 174 Global STP Control 174 PVRST Mode 175 Port States 175 Bridge Protocol Data Units 176 Determining the Path for Forwarding BPDUs 176 Bridge Priority 176 Port...

Page 8: ...e the VLAG 203 VLAG Configuration VLANs Mapped to MSTI 204 Configure the ISL 204 Configure the VLAG 205 Configuring Health Check 206 VLAGs with VRRP 207 Configure VLAG Peer 1 207 Configure VLAG Peer 2 210 Two tier vLAGs with VRRP 213 vLAG Peer Gateway 214 Configuring VLAGs in Multiple Layers 215 Configure Layer 2 3 Border Switches 215 Configure Switches in the Layer 2 Region 215 Chapter 12 Quality...

Page 9: ...7 Effects on Flow Control 248 RoCE and iSCSI 248 RoCE Requirements 248 FCoE Initialization Protocol Snooping 249 FIP Snooping Requirements 249 Port Aggregation 250 Global FIP Snooping Settings 250 FIP Snooping for Specific Ports 251 FIPS LAG Support on Server Ports 251 Port FCF and ENode Detection 252 FCoE Connection Timeout 252 FCoE ACL Rules 252 FCoE VLANs 253 Viewing FIP Snooping Information 25...

Page 10: ...mple 282 Chapter 19 Unified Fabric Port 285 UFP Considerations 286 Virtual Ports Modes 287 vPort S Tag Mapping 287 vPort VLAN Mapping 287 UFP vPort Mode 287 Tunnel Mode 288 802 1Q Trunk Mode 288 Access Mode 289 FCoE Mode 289 UFP Bandwidth Provisioning 290 Enhanced Transmission Selection mode 290 UFP Strict Bandwidth Provisioning mode 291 Using UFP with Other NE2552E Flex Switch Features 292 Layer ...

Page 11: ...elay Agent 321 BOOTP Relay Agent Configuration 321 Domain Specific BOOTP Relay Agent Configuration 322 Dynamic Host Configuration Protocol 323 DHCP Relay Agent 323 DHCP Relay Agent Configuration 324 Chapter 22 Internet Protocol Version 6 325 IPv6 Limitations 326 IPv6 Address Format 327 IPv6 Address Types 328 Unicast Address 328 Multicast Address 328 Anycast Address 329 IPv6 Address Auto configurat...

Page 12: ...1 352 RIPv2 352 RIPv2 in RIPv1 Compatibility Mode 352 RIP Features 353 Poison Reverse 353 Triggered Updates 353 Multicast 353 Default Route 353 Metric 353 Authentication 354 RIP Configuration Example 355 Chapter 25 Internet Group Management Protocol 357 IGMP Snooping 358 IGMP Groups 359 IGMPv3 359 IGMP Snooping Configuration Example 360 Static Multicast Router 361 IGMP Relay 362 Configuration Guid...

Page 13: ...Default Redistribution and Route Aggregation Example 386 Chapter 28 OSPF 389 OSPFv2 Overview 389 Types of OSPF Areas 390 Types of OSPF Routing Devices 391 Neighbors and Adjacencies 392 The Link State Database 392 The Shortest Path First Tree 393 Internal Versus External Routing 393 OSPFv2 Implementation in Lenovo ENOS 394 Configurable Parameters 394 Defining Areas 395 Assigning the Area Index 395 ...

Page 14: ... 417 Chapter 29 Protocol Independent Multicast 419 PIM Overview 419 Supported PIM Modes and Features 420 Basic PIM Settings 421 Globally Enabling or Disabling the PIM Feature 421 Defining a PIM Network Component 421 Defining an IP Interface for PIM Use 422 PIM Neighbor Filters 422 Additional Sparse Mode Settings 424 Specifying the Rendezvous Point 424 Influencing the Designated Router Selection 42...

Page 15: ...onents 446 Virtual Router 446 Virtual Router MAC Address 446 Owners and Renters 446 Master and Backup Virtual Router 446 Virtual Interface Router 447 VRRP Operation 447 Selecting the Master VRRP Router 447 Failover Methods 448 Active Active Redundancy 449 Hot Standby Redundancy 449 Virtual Router Group 450 Lenovo ENOS Extensions to VRRP 451 Virtual Router Deployment Considerations 452 Assigning VR...

Page 16: ...ement Protocol 477 SNMP Version 1 478 SNMP Version 3 479 Default Configuration 479 User Configuration Example 480 View Based Configurations 481 Secure Audit Logging 483 Configuring SNMP Trap Hosts 484 SNMPv1 Trap Host Configuration 484 SNMPv2 Trap Host Configuration 485 SNMPv3 Trap Host Configuration 486 SNMP MIBs 487 Switch Images and Configuration Files 494 Loading a New Switch Image 495 Loading...

Page 17: ...ecure Protocols Unaffected by SIOM 526 Managing User Accounts 528 Using Centralized SNMPv3 Management with SIOM 528 Implementing SNMPv3 with SIOM 528 Implementing Secure LDAP LDAPS 530 Enabling LDAPS 530 Disabling LDAPS 531 Syslogs and LDAPS 532 SIOM Dependencies 533 Part 8 Monitoring 535 Chapter 38 Remote Monitoring 537 RMON Overview 537 RMON Group 1 Statistics 538 RMON Group 2 History 539 Histor...

Page 18: ...sion FCC Statement 562 Industry Canada Class A Emission Compliance Statement 562 Avis de Conformité à la Réglementation dʹIndustrie Canada 562 Australia and New Zealand Class A Statement 562 European Union Compliance to the Electromagnetic Compatibility Directive 563 Germany Class A Statement 563 Japan VCCI Class A Statement 564 Japan Electronics and Information Technology Industries Association J...

Page 19: ... Application Guide describes how to configure and use the Lenovo ENOS 8 4 software on the Lenovo ThinkSystem NE2552E Flex Switch referred to as NE2552E throughout this document For documentation about installing the switch physically see the Installation Guide for your NE2552E ...

Page 20: ...is Guide This guide is intended for network installers and system administrators engaged in configuring and maintaining a network The administrator should be familiar with Ethernet concepts IP addressing Spanning Tree Protocol and SNMP configuration parameters ...

Page 21: ...ault switch passwords using Secure Shell and Secure Copy for administration connections configuring end user access control and placing the switch in protected mode Chapter 5 Authentication Authorization Protocols describes different secure administration for remote administrators This includes using Remote Authentication Dial in User Service RADIUS as well as TACACS and LDAP Chapter 6 802 1X Port...

Page 22: ...ntrol PFC Enhanced Transmission Selection ETS and FIP Snooping for solutions such as Fibre Channel over Ethernet FCoE Chapter 16 Static Multicast ARP discusses the configuration of a static ARP entry with multicast MAC address for Microsoft s Network Load Balancing NLB feature to function efficiently Chapter 17 DHCP Snooping describes how DHCP snooping provides security by filtering untrusted DHCP...

Page 23: ...and provides examples of how to configure your switch for OSPF support Chapter 29 Protocol Independent Multicast describes how multicast routing can be efficiently accomplished using the Protocol Independent Multicast PIM feature Part 6 High Availability Fundamentals Chapter 30 Basic Redundancy describes how the NE2552E supports redundancy through aggregation and Hotlinks Chapter 31 Layer 2 Failov...

Page 24: ...twork monitoring data Chapter 40 Port Mirroring discusses tools how copy selected port traffic to a monitor port for network analysis Part 9 Appendices Appendix A Glossary describes common terms and concepts used throughout this guide Appendix B Getting help and technical assistance describes how to get help Appendix C Notices provides trademark and other compliance information ...

Page 25: ...dditional information about installing and configuring the NE2552E is available in the following guides Lenovo ThinkSystem NE2552E Flex Switch Installation Guide Lenovo ThinkSystem NE2552E Flex Switch Command Reference for Lenovo Network Operating System 8 4 ...

Page 26: ...eter placeholder Replace the indicated text with the appropriate real name or value when using the command Do not type the brackets To establish a Telnet session enter host telnet IP address This also shows book titles special terms or words to be emphasized Read your User s Guide thoroughly Command items shown inside brackets are optional and can be used or excluded as the situation demands Do no...

Page 27: ... Copyright Lenovo 2018 27 Part 1 Getting Started ...

Page 28: ...28 NE2552E Application Guide for ENOS 8 4 ...

Page 29: ...d features however require some administrative configuration before they can be used effectively The extensive Lenovo ENOS switching software included in the NE2552E provides a variety of options for accessing the switch to perform configuration and to view switch information and statistics This chapter discusses the various methods that can be used to administer the switch ...

Page 30: ...erly installed and turned on see the Lenovo ThinkSystem NE2552E Flex Switch Installation Guide Chassis Management Module The NE2552E Flex Switch is an integral subsystem within the overall Lenovo Flex System The Flex System chassis also includes a chassis management module CMM as the central element for overall chassis management and control Using the tools available through the CMM the administra...

Page 31: ...vo 2018 Chapter 1 Switch Administration 31 Browser Based Interface The Browser based Interface BBI provides access to the common configuration management and operation features of the NE2552E through your Web browser ...

Page 32: ...n each CMM to configure and manage the NE2552E For more information about using the chassis management module see the Lenovo ThinkSystem NE2552E Flex Switch Installation Guide Factory Default vs CMM Assigned IP Addresses Each NE2552E must be assigned its own Internet Protocol version 4 IPv4 address which is used for communication with an SNMP network manager or other transmission control protocol ...

Page 33: ...does not provide a secure connection The Secure Shell SSH protocol enables you to securely log into another device over a network to execute commands remotely As a secure alternative to using Telnet to manage switch configuration SSH ensures that all data sent over the network is encrypted and secure The switch can do only one session of key cipher generation at a time Thus a SSH SCP client will n...

Page 34: ...ls on page 46 Using SSH with Public Key Authentication SSH can also be used for switch authentication based on asymmetric cryptography Public encryption keys can be uploaded on the switch and used to authenticate incoming login attempts based on the clients private encryption key pairs After a predefined number of failed public key login attempts the switch reverts to password based authentication...

Page 35: ...ddress When you first access the switch you must enter the default username and password USERID PASSW0RD with a zero You are required to change the password after first login Configuring HTTP Access to the BBI By default BBI access via HTTP is disabled on the switch To enable or disable HTTP access to the switch BBI use the following commands The default HTTP web server port to access the BBI is p...

Page 36: ...s valid only until the switch is rebooted To save the certificate so that it is retained beyond reboot or power cycles use the following command When a client such as a web browser connects to the switch the client is asked to accept the certificate and verify that the fields match what is expected Once BBI access is granted to the client the BBI can be used as described in the Lenovo ENOS BBI Qui...

Page 37: ...ings and operating status of a variety of switch features Navigation Window This window provides a menu list of switch features and functions System this folder provides access to the configuration elements for the entire switch Switch Ports Configure each of the physical ports on the switch Port Based Port Mirroring Configure port mirroring behavior Layer 2 Configure Layer 2 features for the swit...

Page 38: ...figured to match those on the switch The read and write community strings on the switch can be changed using the following commands The SNMP manager can reach any of the IP interfaces on the switch For the SNMP manager to receive the SNMPv1 traps sent out by the SNMP agent on the switch configure the trap host on the switch with the following commands For more information on SNMP usage and configu...

Page 39: ...or the client s VLAN or to the global BOOTP DHCP servers if no domain specific BOOTP DHCP servers are configured for the client s VLAN The servers respond to the switch with a Unicast reply that contains the IPv4 default gateway and the IPv4 address for the client The switch then forwards this reply back to the client DHCP is described in RFC 2131 and the DHCP relay agent supported on the NE2552E ...

Page 40: ... receives packets only from within the network By default all DHCP ports are untrusted The DHCP snooping binding table contains the MAC address IP address lease time binding type VLAN number and port number that correspond to the local untrusted interface on the switch it does not contain information regarding hosts interconnected with a trusted interface By default DHCP snooping is disabled on al...

Page 41: ...nning configuration will not be merged or appended to the EZC configuration For any custom settings that are not included in the predefined configuration sets the user has to do it manually Notes To support scripting the feature also has a single line format For more information please refer to Lenovo Networking ISCLI Reference Guide Note To support scripting the feature also has a single line for...

Page 42: ...pressing Ctrl C Select which of the following features you want enabled Configure Transparent mode yes no n Configure Switch Redundant mode yes no n Configure Basic system yes no y Please enter none for no hostname Enter hostname Default None host Please enter dhcp for dhcp IP Select EXTM IP address Default DHCP 10 241 38 222 Enter EXTM netmask Default 255 0 0 0 255 255 255 128 Please enter none f...

Page 43: ...r ports Server ports can have ports of different mode or speed selected at the same time You can either accept the static defaults or enter a different port list for uplink and or server ports NE2552E easyconnect Auto configures the switch into a set configuration based on the input provided Current configuration will be overwritten with auto configuration settings The wizard can be canceled anyti...

Page 44: ...h as vLAG Primary or Secondary Peer primary secondary pri Select ISL Ports Static Defaults EXT9 1 EXT12 ext9 1 ext10 2 The following ISL ports will be enabled ISL ports 25G EXT9 1 EXT10 2 Select vLAG TierID Default 101 Select EXTM IP address Default 1 1 1 1 10 241 38 222 Enter EXTM netmask Default 255 0 0 0 255 255 255 128 Select Peer IP address for vLAG healthcheck Default 1 1 1 2 10 241 38 221 P...

Page 45: ...selection is not valid and you are guided to either select other ports or change the speed of the ports All external unused ports are configured in an uplink portchanels and all internal ports are configured in vLAG portchannels You can either accept the static defaults or enter a different port list for ISL uplink and or downlink ports ...

Page 46: ...onfigure and troubleshoot problems on the NE2552E Because administrators can also make temporary operator level changes as well they must be aware of the interactions between temporary and permanent changes Access to switch functions is controlled through the use of unique user names and passwords Once you are connected to the switch via console remote Telnet or SSH you are prompted to enter a pas...

Page 47: ...cept admin account can be disabled by setting the password to an empty value To disable admin account use the command NE2552E config no access user administrator enable Admin account can be disabled only if there is at least one user account enabled and configured with administrator privilege ...

Page 48: ...configuration block enter f System Reset from boot iscli Disable the Transceivers Unmount the File System Unmounting filesystem Wait for umount to finish Done Waiting for I2C Transactions to Finish U Boot 2009 06 Aug 21 2015 12 35 27 MPC83XX Reset Status CPU e300c4 MPC8378A Rev 2 1 at 792 MHz CSB 396 MHz Board Networking OS RackSwitch G8052 I2C ready DRAM 1 GB Memory Test Boot Menu Mode Platform R...

Page 49: ...Please choose your menu option q Resetting the board NE2552E ena Enable privilege granted NE2552E configure terminal Enter configuration commands one per line End with Ctrl Z NE2552E config copy active config running config admin pw bypass Loading to current configuration NE2552E config password Changing admin password validation required Enter current local admin password Enter new admin password...

Page 50: ...ver the network All file transfer commands include SFTP support along with FTP and TFTP support SFTP is available through the menu based CLI ISCLI BBI and SNMP The following examples illustrate SFTP support for ISCLI commands NE2552E copy sftp image1 image2 boot image mgt port data port Copy software image from SFTP server to the switch NE2552E copy sftp ca cert host cert host key mgt port data po...

Page 51: ...to and from the switch By default HTTP Telnet and SNMPv1 and SNMPv2 are disabled on the NE2552E Before enabling strict mode ensure the following The software version on all connected switches is Lenovo ENOS 8 4 NIST Strict compliance is enabled on the Chassis Management Module The supported protocol versions and cryptographic cipher suites between clients and servers are compatible For example if ...

Page 52: ...y Exchange DH Group 24 DH group 1 2 5 14 24 Encryption 3DES AES 128 CBC 3DES AES 128 CBC Integrity HMAC SHA1 HMAC SHA1 HMAC MD5 IPSec AH HMAC SHA1 HMAC SHA1 HMAC MD5 ESP 3DES AES 128 CBC HMAC SHA1 3DES AES 128 CBC HMAC SHA1 HMAC MD5 LDAP LDAP does not comply with NIST SP 800 131A specification When in strict mode LDAP is disabled However it can be enabled if required Acceptable OSPF OSPF does not ...

Page 53: ...NISTP521 ECDH SHA2 NISTP384 ECDH SHA2 NISTP256 ECDH SHA2 NISTP224 ECDH SHA2 NISTP192 RSA2048 SHA256 RSA1024 SHA1 DIFFIE HELL MAN GROUP EXCHANGE SHA 256 DIFFIE HELL MAN GROUP EXCHANGE SHA 1 DIFFIE HELL MAN GROUP14 SHA1 DIFFIE HELL MAN GROUP1 SHA1 Encryption AES128 CTR AES128 CBC 3DES CBC AES128 CTR AES128 CBC RIJNDAEL128 CBC BLOWFISH CBC 3DES CBC ARCFOUR256 ARCFOUR128 ARCFOUR MAC HMAC SHA1 HMAC SHA...

Page 54: ...H_AES_128_CBC_SHA256 0x0005 RSA RSA RC4 SHA1 SSL_RSA_WITH_RC4_128_SHA 0x000A RSA RSA 3DES SHA1 SSL_RSA_WITH_3DES_EDE_CBC_SHA 0x0033 DHE RSA AES 128_CBC SHA1 TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0067 DHE RSA AES_128_CBC SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0016 DHE RSA 3DES SHA1 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA Table 6 List of Acceptable Cipher Suites in Strict Mode Cipher ID Key Exchan ge A...

Page 55: ...he NE2552E will not discover Platform agents Common agents that are not in strict mode Web browsers that do not use TLS 1 2 cannot be used Limited functions of the switch managing Windows will be available NE2552E config no boot strict enable Warning security strict mode limits the cryptographic algorithms used by secure protocols on this switch Please see the documentation for full details and ve...

Page 56: ...lowing commands Note This command will disable CLI confirmation prompts for current and future sessions Note This command will disable CLI confirmation prompts for the current session only It also takes precedence over the prompting command any settings configured through the prompting command will be disregarded for the duration of the current session For more details see the Lenovo ThinkSystem N...

Page 57: ...uring your switch the Lenovo ENOS software includes a Setup utility The Setup utility prompts you step by step to enter all the necessary information for basic configuration of the switch Setup can be activated manually from the command line interface any time after login NE2552E config setup ...

Page 58: ...tional configuration for each port Speed duplex flow control and negotiation mode as appropriate Whether to use VLAN tagging or not as appropriate Optional configuration for each VLAN Name of VLAN Which ports are included in the VLAN Optional configuration of IP parameters IP address mask and VLAN for each IP interface IP addresses for default gateway Whether IP forwarding is enabled or not ...

Page 59: ...ith a zero as the default password 3 Enter the following command at the prompt Stopping Setup To abort the Setup utility press Ctrl C during any Setup question When you abort Setup the system will prompt Enter n to abort Setup or y to restart the Setup program at the beginning Restarting Setup You can restart the Setup utility manually at any time by entering the following command at the administr...

Page 60: ...31 To keep the current day press Enter The system displays the date and time settings 4 Enter the hour of the current system time at the prompt Enter the hour as a number from 00 to 23 To keep the current hour press Enter 5 Enter the minute of the current time at the prompt Enter the minute as a number from 00 to 59 To keep the current minute press Enter 6 Enter the seconds of the current time at ...

Page 61: ...press Enter The system then displays the date and time settings 7 Turn Spanning Tree Protocol on or off at the prompt Enter y to turn off Spanning Tree or enter n to leave Spanning Tree on System clock set to 8 55 36 Wed Jan 28 2012 Spanning Tree Current Spanning Tree Group 1 setting ON Turn Spanning Tree Group 1 OFF y n ...

Page 62: ...settings for individual ports enter the number of the port you wish to configure To skip port configuration press Enter without specifying any port and go to Setup Part 3 VLANs on page 64 3 Configure port flow parameters The system prompts Enter rx to enable receive flow control tx for transmit flow control both to enable both or none to turn flow control off for the port To keep the current setti...

Page 63: ...able VLAN tagging for the port To keep the current setting press Enter 6 The system prompts you to configure the next port When you are through configuring ports press Enter without specifying any port Otherwise repeat the steps in this section Port Tagging Trunk mode config Tagged Trunk mode port can be a member of multiple VLANs Current Tagging Trunk mode support disabled Enter new Tagging Trunk...

Page 64: ...N name press Enter 3 Enter the VLAN port numbers Enter each port by port number and confirm placement of the port into this VLAN When you are finished adding ports to this VLAN press Enter without specifying any port 4 Configure Spanning Tree Group membership for the VLAN 5 The system prompts you to configure the next VLAN Repeat the steps in this section until all VLANs have been configured When ...

Page 65: ... Select the IP interface to configure or skip interface configuration at the prompt If you wish to configure individual IP interfaces enter the number of the IP interface you wish to configure To skip IP interface configuration press Enter without typing an interface number and go to Default Gateways on page 66 2 For the specified IP interface enter the IP address in IPv4 dotted decimal notation T...

Page 66: ... the prompt enter the IPv4 address for the selected default gateway Enter the IPv4 address in dotted decimal notation or press Enter without specifying an address to accept the current setting 3 At the prompt enter y to enable the default gateway or n to leave it disabled 4 The system prompts you to configure another default gateway 5 At the prompt enter y to enable the default gateway or n to lea...

Page 67: ...al router device Routing on more complex networks where subnets may not have a direct presence on the NE2552E can be accomplished through configuring static routes or by letting the switch learn routes dynamically This part of the Setup program prompts you to configure the various routing parameters At the prompt enable or disable forwarding for IP Routing Enter y to enable IP forwarding To disabl...

Page 68: ... the changes or n to continue without applying Changes are normally applied 4 At the prompt decide whether to make the changes permanent Enter y to save the changes to flash Enter n to continue without saving the changes Changes are normally saved at this point 5 If you do not apply or save the changes the system prompts whether to abort them Enter y to discard the changes Enter n to return to the...

Page 69: ... Telnet Support Note This step is optional Perform this procedure only if you are planning on connecting to the NE2552E through a remote Telnet connection 1 Telnet is disabled by default To change the setting use the following command NE2552E config access telnet enable ...

Page 70: ...70 NE2552E Application Guide for ENOS 8 4 ...

Page 71: ...ge onto an FTP SFTP or TFTP server on your network Transfer the new images to your switch Specify the new software image as the one which will be loaded into switch memory the next time a switch reset occurs Reset the switch For instructions on the typical upgrade process using the ENOS ISCLI or BBI see Loading New Software to Your Switch on page 72 CAUTION Although the typical upgrade process is ...

Page 72: ...eed the following The image and boot software loaded on an FTP SFTP or TFTP server on your net work Note Be sure to download both the new boot file and the new image file The hostname or IP address of the FTP SFTP or TFTP server Note The DNS parameters must be configured if specifying hostnames The name of the new software image or boot file When the software requirements are met use one of the fo...

Page 73: ...n loading into the switch 7 When loading is complete use the following commands to enter Global Configuration mode to select which software image image1 or image2 you want to run in switch memory for the next reboot The system will then verify which image is set to be loaded at the next reset 8 Reboot the switch to run the new software The system prompts you to confirm your request Once confirmed ...

Page 74: ...guration Management page appears 3 If you are loading software from your computer HTTP client skip this step and go to the next Otherwise if you are loading software from an FTP SFTP or TFTP server enter the server s information in the FTP SFTP or TFTP Settings section 4 In the Image Settings section select the image version you want to replace Image for Transfer If you are loading software from a...

Page 75: ...ill be up and vLAG mismatch will happen with vLAG ports down since it is still Secondary The traffic will still be forwarding via Switch 2 the original Primary switch 3 On Switch 2 the original Primary switch shut down all links ISL vLAG links and vLAG HC This is equivalent to powering off Switch 1 the original Primary switch All the traffic will failover to Switch 1 which will assume the vLAG ope...

Page 76: ... 2 will reassume the vLAG Primary role and Switch 1 will reassume the vLAG Secondary role 6 Make sure that Switch 2 is now the vLAG primary switch and Switch 1 is now the vLAG secondary switch using the following command NE2552E show vlag information ...

Page 77: ... you to perform the following actions The Boot Management menu allows you to perform the following actions To change the booting image press I and follow the screen prompts To change the configuration block press C and follow the screen prompts To boot in recovery mode press R For more details see Boot Recovery Mode on page 78 To restart the boot process from the beginning press Q To exit the Boot...

Page 78: ...hange the booting image enter I and follow the screen prompts To change the active configuration file enter C and follow the screen prompts To restart the boot process from the beginning press R To exit Boot Recovery Mode menu press E The boot process continues Recover from a Failed Image Upgrade using TFTP Use the following procedure to recover from a failed image upgrade using TFTP 1 Connect a P...

Page 79: ...t 8 Enter the gateway of the management port 9 Enter the IP address of the TFTP server 10 Enter the filename of the image 11 If the file is a software image enter an image number After the procedure is complete the Recovery Mode menu will be re displayed Performing TFTP rescue Please answer the following questions enter q to quit IP addr Netmask Gateway Server addr Image Filename Install image as ...

Page 80: ...5 Image Filename NE2552E 8 3 1 0_OS img Netmask 255 255 255 128 Gateway 10 241 6 66 Configuring management port Installing image NE2552E 8 3 1 0_OS img from TFTP server 10 72 97 135 Extracting images Do NOT power cycle the switch Installing Application Image signature verified Install image as image 1 or 2 hit return to just boot image 2 Installing image as image2 100 Image2 updated succeeded Upda...

Page 81: ...Press X for Xmodem download You will see the following display 6 When you see the following message change the Serial Port speed to 115200 bps 7 Press Enter to set the system into download accept mode When the readiness meter displays a series of C characters start Xmodem on your terminal emulator You will see a display similar to the following 8 Select the image to download Xmodem initiates the f...

Page 82: ...sing R The Recovery Mode menu will appear 5 To begin the Physical Presence procedure press P The following warning message will appear 6 You will be prompted for confirmation Extracting images Do NOT power cycle the switch Installing Root Filesystem Image signature verified 100 Installing Kernel Image signature verified 100 Installing Device Tree Image signature verified 100 Installing Boot Loader...

Page 83: ...etails see page 78 XModem Download for details see page 81 Note You have three attempts to successfully complete the security test After three incorrect attempts the switch will reboot Note After the test is completed the switch will be put in low security mode This mode will allow you to install unofficial images on the switch To revert to normal security mode you must reboot the switch or press ...

Page 84: ...ows you to perform the following actions To run a file system check enter F If there any errors detected the switch repairs them automatically To delete all firmware images and configuration files from the switch enter W You are asked for confirmation Enter y to confirm or n to cancel To return to the Boot Management menu enter E Please select one of the following options F Run filesystem check W ...

Page 85: ... Copyright Lenovo 2018 85 Part 2 Securing the Switch ...

Page 86: ...86 NE2552E Application Guide for ENOS 8 4 ...

Page 87: ...iscusses different methods of securing local and remote administration on the NE2552E Flex Switch NE2552E Changing the Switch Passwords on page 88 Secure Shell and Secure Copy on page 89 End User Access Control on page 94 Protected Mode on page 97 Maintenance Mode on page 98 ...

Page 88: ...both the user and administrator passwords The default administrator account is USERID The default password for the administrator account is PASSW0RD with a zero To change the administrator password use the following procedure 1 Connect to the switch and log in as the administrator 2 Use the following command to change the administrator password Changing the Default User Password The user login has...

Page 89: ...ia secure channels Although SSH and SCP are disabled by default enabling and using these features provides the following benefits Identifying the administrator using Name Password Authentication of remote administrators Authorization of remote administrators Determining the permitted actions and customizing service for individual administrators Encryption of management messages Encrypting messages...

Page 90: ...Using SSH and SCP Client Commands This section shows the format for using some common client commands To Log In to the Switch from the Client Syntax Note The 4 option the default specifies that an IPv4 switch address will be used The 6 option specifies IPv6 Example NE2552E config ssh enable Turn SSH on NE2552E config no ssh enable Turn SSH off NE2552E config no ssh scp enable NE2552E config no ssh...

Page 91: ...en the new and the current configurations putcfg_apply runs the apply command after the putcfg is done putcfg_apply_save saves the new configuration to the flash after putcfg_apply is done The putcfg_apply and putcfg_apply_save commands are provided because extra apply and save commands are usually required after a putcfg however an SCP session is not in an interactive mode scp 4 6 username switch...

Page 92: ...ess getimg1 local filename scp 4 6 username switch IP address getimg2 local filename scp 4 6 username switch IP address getboot local filename scp scpadmin 205 178 15 157 getimg1 6 1 0_os img scp 4 6 local filename username switch IP address putimg1 scp 4 6 local filename username switch IP address putimg2 scp 4 6 local filename username switch IP address putboot scp 6 1 0_os img scpadmin 205 178 ...

Page 93: ...e switch will perform only one session of key cipher generation at a time Thus an SSH SCP client will not be able to log in if the switch is performing key generation at that time Also key generation will fail if an SSH SCP client is logging in at that time Because the switch software only generates RSA keys if there is already a DSA based SSH key on the switch this key will remain on the switch a...

Page 94: ...the switch and has no effect on the user password on the Radius server Radius authentication and user password cannot be used concurrently to access the switch Passwords can be up to 64 characters in length for Telnet SSH Console and Web access Strong Passwords The administrator can require use of Strong Passwords for users to access the NE2552E Strong Passwords enhance security because they make ...

Page 95: ...onfiguration Enabling or Disabling a User An end user account must be enabled before the switch recognizes and permits login under the account Once enabled the switch requires any user to enter both username and password Locking Accounts To protect the switch from unauthorized access the account lockout feature can be enabled By default account lockout is disabled To enable this feature ensure the...

Page 96: ...to an End User Account Once an end user account is configured and enabled the user can login to the switch using the username password combination The level of switch access is determined by the Class of Service established for the end user account NE2552E config access user strong password clear local user lockout username user name NE2552E config access user strong password clear local user lock...

Page 97: ...led Restore Factory Defaults New Static IP Configuration In this release configuration of the functions listed above are restricted to the local switch when you turn Protected Mode on In future releases individual control over each function may be added Note Before you turn Protected Mode on make sure that external management Telnet access to one of the switch s IP interfaces is enabled Use the fo...

Page 98: ...er the command When prompted enter the admin password The Lenovo support person will then enter the maintenance mode password This introduces a second level of administration authorization before the Lenovo support representative enters the maintenance mode password making the switch more secure and available for enhanced debugging NE2552E config maint internal ...

Page 99: ...ignificant management functions across the Internet The following are some of the functions for secured IPv4 management and device access RADIUS Authentication and Authorization on page 100 TACACS Authentication on page 104 LDAP Authentication and Authorization on page 110 Note Lenovo ENOS 8 4 does not support IPv6 for RADIUS TACACS or LDAP ...

Page 100: ...formation A client in this case the switch The NE2552E acting as the RADIUS client communicates to the RADIUS server to authenticate and authorize a remote administrator using the protocol definitions specified in RFC 2138 and 2866 Transactions between the client and the RADIUS server are authenticated using a shared key that is not sent over the network In addition the remote administrator passwo...

Page 101: ...S supports the following RADIUS authentication features Supports RADIUS client on the switch based on the protocol definitions in RFC 2138 and RFC 2866 Allows a RADIUS secret password of up to 32 characters Supports secondary authentication server so that when the primary authentication server is unreachable the switch can send client authentication requests to the secondary authentication server ...

Page 102: ...r Accounts The user accounts listed in Table 7 can be defined in the RADIUS server dictionary file Table 7 User Access Levels User Account Description and Tasks Performed Password User The User has no direct responsibility for switch management He she can view all switch status information and statistics but cannot make any configuration changes to the switch user Operator In addition to User capa...

Page 103: ...onsole port by using noradius as the RADIUS username You can then enter the username and password configured on the switch If you are trying to connect via SSH Telnet HTTP HTTPS there are two possibilities Local access is enabled The switch acts like it is connecting via console Secure local access is enabled You must enter the username noradius The switch checks if RADIUS server is reachable If i...

Page 104: ...mit attempts and time outs to compensate for best effort transport but it lacks the level of built in support that a TCP transport offers TACACS offers full packet encryption whereas RADIUS offers password only encryption in authentication requests TACACS separates authentication authorization and accounting How TACACS Authentication Works TACACS works much in the same way as RADIUS authentication...

Page 105: ... table must be defined on the TACACS server Alternate mapping between TACACS authorization levels and Lenovo ENOS management access levels is shown in Table 10 Use the following command to use the alternate TACACS authorization levels You can customize the mapping between TACACS privilege levels and NE2552E management access levels Use the following command to manually map each TACACS privilege le...

Page 106: ...activities on the device for the purposes of billing and or security It follows the authentication and authorization actions If the authentication and authorization is not performed via TACACS there are no TACACS accounting messages sent out You can use TACACS to record and track software login access configuration changes and interactive commands The NE2552E supports the following TACACS accounti...

Page 107: ... or sync are not sent Only leaf level commands are sent for authorization and logging For example is not sent but the following command is sent The full path of each command is sent for authorization and logging For example Command arguments are not sent for authorization Only executed commands are logged Invalid commands are checked by Lenovo ENOS and are not sent for authoriza tion or logging NE...

Page 108: ...ion is performed on each leaf level command separately If the user issues multiple commands at once each command is sent separately as a full path Only the following global commands are sent for authorization and logging diff ping revert telnet traceroute ...

Page 109: ...ber of retry attempts and the timeout period 5 Configure custom privilege level mapping optional NE2552E config no tacacs server password change NE2552E config tacacs server chpassp Change primary TACACS password NE2552E config tacacs server chpasss Change secondary TACACS password Enter primary server IPv4 address NE2552E config tacacs server primary host 10 10 1 1 NE2552E config tacacs server pr...

Page 110: ... A client in this case the switch Each entry in the LDAP server is referenced by its Distinguished Name DN The DN consists of the user account name concatenated with the LDAP domain name If the user account name is John the following is an example DN uid John ou people dc domain dc com Configuring the LDAP Server NE2552E user groups and user accounts must reside within the same domain On the LDAP ...

Page 111: ...he timeout period 5 You may change the default LDAP attribute uid or add a custom attribute For instance Microsoft s Active Directory requires the cn common name attribute NE2552E config ldap server enable NE2552E config ldap server primary host 10 10 1 1 NE2552E config ldap server secondary host 10 10 1 2 NE2552E config ldap server domain ou people dc my domain dc com NE2552E config ldap server p...

Page 112: ...112 NE2552E Application Guide for ENOS 8 4 ...

Page 113: ...vents access to ports that fail authentication and authorization This feature provides security to ports of the NE2552E Flex Switch NE2552E that connect to blade servers The following topics are discussed in this section Extensible Authentication Protocol over LAN on page 114 EAPoL Authentication Process on page 115 EAPoL Port States on page 116 Guest VLAN on page 117 Supported RADIUS Attributes o...

Page 114: ...tor The Authenticator enforces authentication and controls access to the network The Authenticator grants network access based on the information provided by the Supplicant and the response from the Authentication Server The Authenticator acts as an intermediary between the Supplicant and the Authentication Server requesting identity information from the client forwarding that information to the A...

Page 115: ...n method over Ethernet frames called EAP over LAN EAPOL Figure 1 shows a typical message exchange initiated by the client Figure 1 Authenticating a Port Using EAPoL 802 1x Client RADIUS Server Radius Access Request Radius Access Challenge Radius Access Request Radius Access Accept EAP Request Credentials EAP Response Credentials EAP Success EAP Request Credentials EAP Response Credentials EAPOL St...

Page 116: ...ontrolled port When the client later sends an EAPOL Logoff message to the NE2552E authenticator the port transitions from authorized to unauthorized state If a client that does not support 802 1X connects to an 802 1X controlled port the NE2552E authenticator requests the clientʹs identity when it detects a change in the operational state of the port The client does not respond to the request and ...

Page 117: ...received an EAPOL response are placed into the Guest VLAN if one is configured on the switch Once the port is authenticated it is moved from the Guest VLAN to its configured VLAN When Guest VLAN enabled the following considerations apply while a port is in the unauthenticated state The port is placed in the guest VLAN The Port VLAN ID PVID is changed to the Guest VLAN ID Port tagging is disabled o...

Page 118: ... of the authenticator used for Radius communication 1 0 0 0 5 NAS Port Port number of the authenticator port to which the supplicant is attached 1 0 0 0 24 State Server specific value This is sent unmodified back to the server in an Access Request that is in response to an Access Challenge 0 1 0 1 0 1 0 30 Called Station ID The MAC address of the authenticator encoded as an ASCII string in canonic...

Page 119: ...enticator relays the decoded packet to both devices 1 1 1 1 80 Message Authenticator Always present whenever an EAP Message attribute is also included Used to integrity protect a packet 1 1 1 1 87 NAS Port ID Name assigned to the authenticator port e g Server1_Port3 1 0 0 0 Legend RADIUS Packet Types A R Access Request A A Access Accept A C Access Challenge A R Access Reject RADIUS Attribute Suppo...

Page 120: ...802 1X supplicant capability is not supported Therefore none of its ports can successfully connect to an 802 1X enabled port of another device such as another switch that acts as an authenticator unless access control on the remote port is disabled or is configured in forced authorized mode For example if a NE2552E is connected to another NE2552E and if 802 1X is enabled on both switches the two c...

Page 121: ...lowing ACLs IPv4 ACLs Up to 256 ACLs are supported for networks that use IPv4 addressing IPv4 ACLs are configured using the following CLI menu IPv6 ACLs Up to 256 ACLs are supported for networks that use IPv6 addressing IPv6 ACLs are configured using the following CLI menu Management ACLs Up to 128 MACLs are supported ACLs for the different types of management protocols Telnet HTTPS etc provide gr...

Page 122: ... classify packets based on the following packet attributes Ethernet header options for regular ACLs and VMaps only Source MAC address Destination MAC address VLAN number and mask Ethernet type ARP IPv4 MPLS RARP etc Ethernet Priority the IEEE 802 1p Priority IPv4 header options for regular ACLs and VMaps only Source IPv4 address and subnet mask Destination IPv4 address and subnet mask Type of Serv...

Page 123: ...Egress port packets for all ACLs Table 13 Well Known Application Ports Port TCP UDP Application Port TCP UDP Application Port TCP UDP Application 20 21 22 23 25 37 42 43 53 69 70 ftp data ftp ssh telnet smtp time name whois domain tftp gopher 79 80 109 110 111 119 123 143 144 161 162 finger http pop2 pop3 sunrpc nntp ntp imap news snmp snmptrap 179 194 220 389 443 520 554 1645 1812 1813 1985 bgp i...

Page 124: ...heir action takes precedence over lower priority ACLs ACL order of precedence is discussed in the next section To create and assign ACLs in groups see ACL Groups on page 125 ACL Order of Precedence When multiple ACLs are assigned to a port they are evaluated in numeric sequence based on the ACL number Lower numbered ACLs take precedence over higher numbered ACLs For example ACL 1 if assigned to th...

Page 125: ...Group ACL Group is a collection of ACLs For example ACL Groups organize ACLs into traffic profiles that can be more easily assigned to ports The NE2552E supports up to 256 ACL Groups Note ACL Groups are used for convenience in assigning multiple ACLs to ports ACL Groups have no effect on the order in which ACLs are applied see ACL Order of Precedence on page 124 All ACLs assigned to the port wheth...

Page 126: ...h ACL as follows In Profile If there is no meter configured or if the packet conforms to the meter the packet is classified as In Profile Out of Profile If a meter is configured and the packet does not conform to the meter exceeds the committed rate or maximum burst rate of the meter the packet is classified as Out of Profile Using meters you set a Committed Rate in Kbps 1000 bits per second in ea...

Page 127: ...ics to check filter performance or to debug the ACL filter configuration You must enable statistics for each ACL that you wish to monitor ACL Logging ACLs are generally used to enhance port security Traffic that matches the characteristics source addresses destination addresses packet type etc specified by the ACLs on specific ports is subject to the actions chiefly permit or deny defined by those...

Page 128: ...Action deny Hit count 1 Log Interval For each log enabled ACL the first packet that matches the ACL initiates an immediate message in the system log Beyond that additional matches are subject to the log interval By default the switch will buffer ACL log messages for a period of 300 seconds At the end of that interval all messages in the buffer are written to the system log The global interval valu...

Page 129: ...t after the initial match in numbers of packets use the following command ACL Logging Limitations ACL logging reserves packet queue 1 for internal use Features that allow remapping packet queues such as CoPP may not behave as expected if other packet flows are reconfigured to use queue 1 NE2552E config logging ip access list cache entries 1 100000 NE2552E config logging ip access list cache thresh...

Page 130: ...from class 100 10 1 0 24 and destination IP 200 20 2 2 is denied 1 Configure an Access Control List 2 Add ACL 2 to port EXT2 NE2552E config access control list 1 ipv4 destination ip address 100 10 1 1 NE2552E config access control list 1 action deny NE2552E config interface port EXT1 NE2552E config if access control list 1 NE2552E config if exit NE2552E config access control list 2 ipv4 source ip ...

Page 131: ...m the network 100 10 1 0 24 and is destined for port 3 is denied 1 Configure an Access Control List 2 Add ACL 4 to port EXT1 NE2552E config access control list 4 ipv4 source ip address 100 10 1 0 255 255 255 0 NE2552E config access control list 4 egress port 3 NE2552E config access control list 4 action deny NE2552E config interface port EXT1 NE2552E config if access control list 4 NE2552E config ...

Page 132: ...e MACL configuration based on a destination IP address and a TCP UDP destination port Use the following command to view the MACL configuration NE2552E config access control macl 1 ipv4 destination ip address 1 1 1 1 255 255 255 0 NE2552E config access control macl 1 tcp udp destination port 111 0xffff NE2552E config access control macl 1 statistics NE2552E config access control macl 1 action permi...

Page 133: ...133 Part 3 Switch Basics This section discusses basic switching functions VLANs Port Aggregation Spanning Tree Protocols Spanning Tree Groups Rapid Spanning Tree Protocol and Multiple Spanning Tree Protocol Quality of Service ...

Page 134: ...134 NE2552E Application Guide for ENOS 8 4 ...

Page 135: ...g topics are discussed in this chapter VLANs and Port VLAN ID Numbers on page 137 VLAN Tagging Trunk Mode on page 140 VLAN Topologies and Design Considerations on page 145 Protocol Based VLANs on page 148 Private VLANs on page 151 Note Basic VLANs can be configured during initial switch configuration see Using the Setup Utility in the NE2552E Lenovo ENOS 8 4 Command Reference More comprehensive VL...

Page 136: ...VLAN and multicast broadcast and unknown unicast frames are flooded only to ports in the same VLAN The NE2552E automatically supports jumbo frames This default cannot be manually configured or disabled The NE2552E Flex Switch NE2552E supports jumbo frames with a Maximum Transmission Unit MTU of 9 216 bytes Within each frame 18 bytes are reserved for the Ethernet header and CRC trailer The remainin...

Page 137: ...blades Management functions can also be assigned to other VLANs using the following command Use the following command to view VLAN information Note The sample screens that appear in this document might differ slightly from the screens displayed by your system Screen content varies based on the type of blade chassis unit that you are using and the firmware versions and options that are installed NE...

Page 138: ...rmation or NE2552E show interface trunk Port Tag RMON Lrn Fld tis tes PVID DESCRIPTION VLAN s Trk NVLAN INTA1 n d e e d d 1 INTA1 1 INTA2 n d e e d d 1 INTA2 1 INTA3 n d e e d d 1 INTA3 1 INTA4 n d e e d d 1 INTA4 1 INTA5 n d e e d d 1 INTA5 1 INTA6 n d e e d d 1 INTA6 1 INTA7 n d e e d d 1 INTA7 1 INTA8 n d e e d d 1 INTA8 1 INTA9 n d e e d d 1 INTA9 1 INTA10 n d e e d d 1 INTA10 1 INTA11 n d e e...

Page 139: ...each VLAN can have any number of switch ports in its membership Any port that belongs to multiple VLANs however must have VLAN tagging enabled see VLAN Tagging Trunk Mode on page 140 NE2552E config interface port portr NE2552E config if switchport access vlan VLAN ID NE2552E config interface port port NE2552E config if switchport trunk native vlan VLAN ID ...

Page 140: ...d frames received by the switch are classified with the PVID of the receiving port Tagged frame a frame that carries VLAN tagging information in the header This VLAN tagging information is a 32 bit field VLAN tag in the frame header that identifies the frame as belonging to a specific VLAN Untagged frames are marked tagged with this classification as they leave the switch through a port that is co...

Page 141: ... generic examples of VLAN tagging In Figure 3 untagged incoming packets are assigned directly to VLAN 2 PVID 2 Port 5 is configured as a tagged member of VLAN 2 and port 7 is configured as an untagged member of VLAN 2 Note The port assignments in the following figures are general examples and are not meant to match any specific NE2552E Figure 3 Port based VLAN assignment Port 1 DA SA Data CRC Inco...

Page 142: ...e packet Port 5 is configured as a tagged member of VLAN 2 and port 7 is configured as an untagged member of VLAN 2 Figure 5 802 1Q tag assignment BS45012A Port 6 Port 7 Port 8 Port 1 Port 4 Port 5 Port 2 Port 3 802 1Q Switch Key Priority CFI VID User_priority Canonical format indicator VLAN identifier PVID 2 Tagged member of VLAN 2 Untagged memeber of VLAN 2 After DA SA Data CRC Recalculated Outg...

Page 143: ...tagging after 802 1Q tag assignment Note Setting the configuration to factory default NE2552E config boot configuration block factory will reset all non management ports to VLAN 1 BS45014A Port 6 Port 7 Port 8 Port 1 Port 4 Port 5 Port 2 Port 3 802 1Q Switch Key Priority CFI VID User_priority Canonical format indicator VLAN identifier PVID 2 Tagged member of VLAN 2 Untagged member of VLAN 2 After ...

Page 144: ... egress port the outer tag of the packet is retained when it leaves the egress port If tagging is disabled on the egress port the outer tag of the packet is removed when it leaves the egress port Figure 7 802 1Q tagging after ingress tagging assignment By default ingress tagging is disabled To enable ingress tagging on a port use the following commands Limitations Ingress tagging cannot be configu...

Page 145: ... MSTP mode STG 1 to 32 can include multiple VLANs VLAN Configuration Rules VLANs operate according to specific configuration rules When creating VLANs consider the following rules that determine how the configured VLAN reacts in any network topology All ports involved in aggregation and port mirroring must have the same VLAN configuration If a port is on a LAG with a mirroring port the VLAN config...

Page 146: ...turned on The adapter is attached to one of the internal switch ports that is a member of VLANs 1 2 and 3 and has tagging enabled Because of the VLAN tagging capabilities of both the adapter and the switch the server is able to communicate on all three IP subnets in this network Broadcast separation between all three VLANs and subnets however is maintained PCs 1 and 2 These PCs are attached to a s...

Page 147: ... of VLAN 3 this PC can only communicate with Server 1 and Server 2 The associated external switch port has tagging disabled PC 5 A member of both VLAN 1 and VLAN 2 this PC has a VLAN tagging Gigabit Ethernet adapter installed It can communicate with Server 2 and PC 3 via VLAN 1 and to Server 2 PC 1 and PC 2 via VLAN 2 The associated external switch port is a member of VLAN 1 and VLAN 2 and has tag...

Page 148: ...egment IPv4 traffic To define a PVLAN on a VLAN configure a PVLAN number 1 8 and specify the frame type and the Ethernet type of the PVLAN protocol You must assign at least one port to the PVLAN before it can function Define the PVLAN frame type and Ethernet type as follows Frame type consists of one of the following values Ether2 Ethernet II SNAP Subnetwork Access Protocol LLC Logical Link Contro...

Page 149: ...LAN tagging has higher precedence than port based tagging If a port is tag enabled and the port is a member of a PVLAN the PVLAN tags egress frames that match the PVLAN protocol Use the tag pvlan command vlan x protocol vlan x tag pvlan x to define the complete list of tag enabled ports in the PVLAN Note that all ports not included in the PVLAN tag list will have PVLAN tagging disabled PVLAN Confi...

Page 150: ...ent VLAN 5 Enable the PVLAN 6 Verify PVLAN operation NE2552E config interface port ext1 ext2 NE2552E config if switchport mode trunk NE2552E config if exit NE2552E config vlan 2 NE2552E config vlan protocol vlan 1 frame type ether2 0800 NE2552E config vlan protocol vlan 1 priority 2 NE2552E config vlan protocol vlan 1 member ext1 ext2 NE2552E config vlan protocol vlan 1 enable NE2552E config vlan ...

Page 151: ...community and to ports in the primary VLAN Each Private VLAN can contain multiple community VLANs After you define the primary VLAN and one or more secondary VLANs you map the secondary VLAN s to the primary VLAN Private VLAN Ports Private VLAN ports are defined as follows Promiscuous A promiscuous port is a port that belongs to the primary VLAN The promiscuous port can communicate with all the in...

Page 152: ...lect a VLAN and define the Private VLAN type as primary 2 Configure a promiscuous port for VLAN 700 3 Configure two secondary VLANs isolated VLAN and community VLAN 4 Map secondary VLANs to primary VLAN NE2552E config vlan 700 NE2552E config vlan private vlan primary NE2552E config vlan exit NE2552E config interface port 1 NE2552E config if switchport mode private vlan NE2552E config if switchport...

Page 153: ...private vlan NE2552E config if switchport private vlan host association 700 701 NE2552E config if exit NE2552E config interface port 3 NE2552E config if switchport mode private vlan NE2552E config if switchport private vlan host association 700 702 NE2552E config if exit NE2552E config show vlan private vlan Primary Secondary Type Ports 700 701 isolated 1 2 700 702 community 1 3 ...

Page 154: ...154 NE2552E Application Guide for ENOS 8 4 ...

Page 155: ... of ports that act together combining their bandwidth to create a single larger virtual link This chapter provides configuration background and examples for aggregating multiple ports together Configuring Port Modes on page 156 Configuring QSFP28 Ports on page 160 Aggregation Overview on page 163 Static LAGs on page 164 Configurable LAG Hash Algorithm on page 167 Link Aggregation Control Protocol ...

Page 156: ... 1x40G configuration and 4x10G 25G or 2x50G breakout configurations To configure the port modes use the following command The following speed combinations are allowed on the internal ports Note Prior to setting the speed to auto make sure to enable auto negotiation on the ports The following speed combinations are allowed on the external SFP ports NE2552E config if speed 10000 25000 40000 50000 10...

Page 157: ...e does not require resetting the switch Due to ASIC limitation 10G and 25G cannot co exist in the same port group When using Browser Based Interface BBI or Simple Network Management Protocol SNMP to change the port mode make sure to change the speed prior to adding other configurations Upgrading the software image from 8 4 7 or older versions to 8 4 8 will automatically apply the following port mo...

Page 158: ...INTB9 n d e e d d 1 INTB9 1 INTB10 n d e e d d 1 INTB10 1 INTB11 n d e e d d 1 INTB11 1 INTB12 n d e e d d 1 INTB12 1 INTB13 n d e e d d 1 INTB13 1 INTB14 n d e e d d 1 INTB14 1 EXT1 n d e e d d 1 EXT1 1 EXT2 n d e e d d 1 EXT2 1 EXT3 n d e e d d 1 EXT3 1 EXT4 n d e e d d 1 EXT4 1 EXT5 n d e e d d 1 EXT5 1 EXT6 n d e e d d 1 EXT6 1 EXT7 n d e e d d 1 EXT7 1 EXT8 n d e e d d 1 EXT8 1 EXT9 1 n d e e...

Page 159: ... INTB9 INTB10 any full yes yes off down INTB10 INTB11 any full yes yes off down INTB11 INTB12 any full yes yes off down INTB12 INTB13 any full yes yes off down INTB13 INTB14 any full yes yes off down INTB14 EXT1 25G full no no auto down EXT1 EXT2 25G full no no auto down EXT2 EXT3 25G full no no auto down EXT3 EXT4 25G full no no auto down EXT4 EXT5 25G full no no cl74 up EXT5 EXT6 25G full no no ...

Page 160: ...5 QSFP28 Port Numbering Note By default QSFP28 ports are configured as 25 Gb s ports QSFP28 Port Group 40GbE 100GbE mode 50GbE mode 10GbE 25GbE mode Port EXT9 Port EXT9 1 Ports EXT9 1 EXT9 3 Ports EXT9 1 EXT9 4 Port EXT10 Port EXT10 1 Ports EXT10 1 EXT10 3 Ports EXT10 1 EXT10 4 Port EXT11 Port EXT11 1 Ports EXT11 1 EXT11 3 Ports EXT11 1 EXT11 4 Port EXT12 Port EXT12 1 Ports EXT12 1 EXT12 3 Ports E...

Page 161: ...ggregation LAG 161 Configuring SFP Ports The supported 8x10G 25G SFP28 ports are capable of 2x100G ports configuration as shown in Table 16 Table 16 SFP Port Numbering SFP Port Group 100GbE mode 10GbE 25GbE mode EXT1 EXT1 EXT1 EXT4 EXT5 EXT5 EXT5 EXT8 ...

Page 162: ...NE2552E config if fec auto cl74 cl91 off Parameter Description auto Enables and configures FEC automatically based on the port speed for interfaces configured with 25 Gb s 40Gb s 50 Gb s or 100 Gb s cl74 Enables FEC with clause 74 for interfaces configured with 25 Gb s 40Gb s 50 Gb s or 100 Gb s port speeds cl91 Enables FEC with clause 91 for interfaces configured with 25 Gb s 40 Gb s 50 Gb s or 1...

Page 163: ...ation Group LAG LAGs are also useful for connecting a NE2552E to third party devices that support link aggregation such as Cisco routers and switches with EtherChannel technology not ISL aggregation technology and Sunʹs Quad Fast Ethernet Adapter Static LAG technology is compatible with these devices when they are configured manually LAG traffic is statistically distributed among the ports in a LA...

Page 164: ...LAGs consider the following rules that determine how a LAG reacts in any network topology All LAGs must originate from one network entity a single device or multiple devices acting in a stack and lead to one destination entity For example you cannot combine links from two different servers into one LAG Any physical switch port can belong to only one LAG Depending on port availability the switch su...

Page 165: ...can be configured into the same static or LACP LAG However the member port will be err disabled if its run time capability state speed duplex flow control FEC differs from other forward member ports run time capability state in this LAG Configuring a Static LAG In the following example three ports are aggregated between two switches Figure 10 LAG Configuration Example Prior to configuring each swi...

Page 166: ...ty device should be configured manually Connection problems could arise when using automatic LAG negotiation on the third party device 4 Examine the aggregation information on each switch Information about each port in each configured LAG is displayed Make sure that LAGs consist of the expected ports and that each port is in the expected state The following restrictions apply Any physical switch p...

Page 167: ...tions may be applied Source MAC address smac Destination MAC address dmac Both source and destination MAC address enabled by default Note At least one Layer 2 option must always be enabled The smac and dmac options may not both be disabled at the same time For Layer 3 IPv4 IPv6 traffic one of the following are permitted Source IP address sip Destination IP address dip Both source and destination I...

Page 168: ...P UPD etc is added to the hash if available The L4port option is ignored when Layer 4 information is not included in the packet such as for Layer 2 packets or when the useL2 option is enabled Note For MPLS packets Layer 4 port information is excluded from the hash calculation Instead other IP fields are used along with the first two MPLS labels NE2552E config portchannel thash ingress NE2552E conf...

Page 169: ... can be aggregated The Link Aggregation ID LAG ID is constructed mainly from the system ID and the port s admin key as follows System ID an integer value based on the switch s MAC address and the system priority assigned in the CLI Admin key a port s admin key is an integer value 1 65535 that you can configure in the CLI Each NE2552E port that participates in the same LACP LAG must have the same a...

Page 170: ...ink aggregation LACP Modes Each port in the NE2552E can have one of the following LACP modes off default The user can configure this port in to a regular static LAG active The port is capable of forming a LACP LAG This port sends LACPDU packets to partner system ports passive The port is capable of forming a LACP LAG This port only responds to the LACPDU packets sent from a LACP active port Each a...

Page 171: ...he selected ports to be treated as normal link up ports which may forward data traffic according to STP Hot Links or other applications if they do not receive any LACPDUs To configure the LACP individual setting for all the ports in a static LACP LAG use the following commands Note By default ports are configured as below external ports with lacp suspend individual internal ports with no lacp susp...

Page 172: ... and define the admin key Only ports with the same admin key can form a LACP LAG 3 Set the LACP mode 4 Optionally allow member ports to individually participate in normal data traffic if no LACPDUs are received 5 Set the link aggregation as static by associating it with LAG ID 65 NE2552E config interface port inta1 inta2 NE2552E config if lacp key 100 NE2552E config if lacp mode active NE2552E con...

Page 173: ...ts can prevent broadcast loops and ensure that the NE2552E Flex Switch NE2552E uses only the most efficient network path This chapter covers the following topics Spanning Tree Protocol Modes on page 174 Global STP Control on page 174 PVRST Mode on page 175 Rapid Spanning Tree Protocol on page 187 Multiple Spanning Tree Protocol on page 189 Port Type and Link Type on page 193 ...

Page 174: ...RST is the default Spanning Tree mode on the NE2552E See PVRST Mode on page 175 for details Multiple Spanning Tree Protocol MSTP IEEE 802 1Q 2003 MSTP provides both rapid convergence and load balancing in a VLAN environment MSTP allows multiple STGs with multiple VLANs in each See Multiple Spanning Tree Protocol on page 189 for details Global STP Control By default the Spanning Tree feature is glo...

Page 175: ... available STGs with each STG acting as an independent simultaneous instance of STP PVRST uses IEEE 802 1Q tagging to differentiate STP BPDUs and is compatible with Cisco R PVST R PVST modes The relationship between ports LAGs VLANs and Spanning Trees is shown in Table 18 Port States The port state controls the forwarding and learning processes of Spanning Tree In PVRST the port state has been con...

Page 176: ...its own priority it will replace its BPDU with the received BPDU Then the switch adds its own bridge ID number and increments the path cost of the BPDU The switch uses this information to block any necessary ports Note If STP is globally disabled BPDUs from external devices will transit the switch transparently If STP is globally enabled for ports where STP is turned off inbound BPDUs will instead...

Page 177: ...ot and thereby forcing STP re convergence If a root guard enabled port detects a root device that port will be placed in a blocked state You can configure the root guard at the port level using the following commands The default state is none disabled Loop Guard In general STP resolves redundant network topologies into loop free topologies The loop guard feature performs additional checking to det...

Page 178: ...ue of 0 the default indicates that the default cost will be computed for an auto negotiated link or LAG speed Use the following command to modify the port path cost The port path cost can be a value from 1 to 200000000 Specify 0 for automatic path cost Simple STP Configuration Figure 11 depicts a simple topology using a switch to switch link between two switches via either external ports or intern...

Page 179: ...nk on the other NE2552E as shown in Figure 12 Figure 12 Spanning Tree Restoring the Switch to Switch Link In this example port EXT1 on each switch is used for the switch to switch link To ensure that the NE2552E switch to switch link is blocked during normal operation the port path cost is set to a higher value than other paths in the network To configure the port path cost on the switch to switch...

Page 180: ...he figure two ports on a NE2552E are connected to two ports on an application switch Each of the links is configured for a different VLAN preventing a network loop However in the first network since a single instance of Spanning Tree is running on all the ports of the NE2552E a physical loop is assumed to exist and one of the VLANs is blocked impacting connectivity even though no actual loop exist...

Page 181: ...o its own STG Conversely when a VLAN is deleted if its STG is not associated with any other VLAN the STG is returned to the available pool The specific STG number to which the VLAN is assigned is based on the VLAN number itself For low VLAN numbers 1 through 127 255 the switch will attempt to assign the VLAN to its matching STG number For higher numbered VLANs the STG assignment is based on a simp...

Page 182: ...rent STG see Manually Assigning STGs on page 182 The VLAN is automatically removed from its old STG before being placed into the new STG Each VLANs must be contained within a single STG a VLAN cannot span multiple STGs By confining VLANs within a single STG you avoid problems with Spanning Tree blocking ports and causing a loss of connectivity within the VLAN When a VLAN spans multiple switches it...

Page 183: ...the PVID from 3 to 1 When you remove a port from VLAN that belongs to an STG that port will also be removed from the STG However if that port belongs to another VLAN in the same STG the port remains in the STG As an example assume that port 2 belongs to only VLAN 2 and that VLAN 2 belongs to STG 2 When you remove port 2 from VLAN 2 the port is moved to default VLAN 1 and is removed from STG 2 Howe...

Page 184: ...on port 2 and Switch D receives the BPDU on port 1 Because there is a network loop between the switches in VLAN 1 either Switch D will block port 8 or Switch C will block port 1 depending on the information provided in the BPDU VLAN 2 Participation Switch B the root bridge generates a BPDU for STG 2 from port 8 Switch A receives this BPDU on port 17 which is assigned to VLAN 2 STG 2 Because switch...

Page 185: ...N 3 VLAN 2 and VLAN 3 are removed from STG 1 Note In PVRST mode each instance of STG is enabled by default 3 Configure the following on Switch B Add port 8 to VLAN 2 Ports 1 and 2 are by default in VLAN 1 assigned to STG 1 NE2552E config spanning tree mode pvrst NE2552E config vlan 2 NE2552E config vlan exit NE2552E config vlan 3 NE2552E config vlan exit If VASA is disabled enter the following com...

Page 186: ... VLAN 3 is automatically removed from STG 1 By default VLAN 1 remains in STG 1 Switch D does not require any special configuration for multiple Spanning Trees Switch D uses default STG 1 only NE2552E config vlan 3 NE2552E config vlan stg 3 NE2552E config vlan exit NE2552E config interface port 8 NE2552E config if switchport mode trunk NE2552E config if exit If VASA is disabled enter the following ...

Page 187: ...ith devices that run IEEE 802 1D 1998 Spanning Tree Protocol If the switch detects IEEE 802 1D 1998 BPDUs it responds with IEEE 802 1D 1998 compatible data units RSTP is not compatible with Per VLAN Rapid Spanning Tree PVRST protocol Note In RSTP mode Spanning Tree for the management ports is turned off by default Port States RSTP port state controls are the same as for PVRST discarding learning a...

Page 188: ...ing tree mode rstp NE2552E config spanning tree stp 1 bridge priority 8192 NE2552E config spanning tree stp 1 bridge hello time 5 NE2552E config spanning tree stp 1 bridge forward delay 20 NE2552E config spanning tree stp 1 bridge maximum age 30 NE2552E config no spanning tree stp 1 enable NE2552E config interface port 3 NE2552E config if spanning tree stp 1 priority 240 NE2552E config if spanning...

Page 189: ... Type on page 193 bypass the Discarding and Learning states and enter directly into the Forwarding state Note In MSTP mode Spanning Tree for the management ports is turned off by default MSTP Region A group of interconnected bridges that share the same attributes is called an MST region Each bridge within the region must share the following attributes Alphanumeric name Revision number VLAN to STG ...

Page 190: ... number and VLAN mapping MSTP Configuration Examples MSTP Configuration Example 1 This section provides steps to configure MSTP on the NE2552E 1 Configure port and VLAN membership on the switch 2 Configure Multiple Spanning Tree region parameters and set the mode to MSTP 3 Map VLANs to MSTP instances NE2552E config spanning tree mst configuration Enter MST configuration mode NE2552E config mst nam...

Page 191: ...t backing up the other 1 Configure port membership and define the STGs for VLAN 1 Enable tagging on uplink ports that share VLANs Port 19 and port 20 connect to the Enterprise Routing switches 2 Configure MSTP Spanning Tree mode region name and version Enterprise Routing Switch MSTP Group 1 Root Enterprise Routing Switch MSTP Group 2 Root Server 1 VLAN 1 Server 2 VLAN 1 Server 3 VLAN 2 Server 4 VL...

Page 192: ...ts 3 4 and 5 to VLAN 2 Add uplink ports 19 and 20 to VLAN 2 Assign VLAN 2 to STG 2 Note Each STG is enabled by default NE2552E config spanning tree mst configuration NE2552E config mst instance 1 vlan 1 NE2552E config mst instance 2 vlan 2 NE2552E config interface port 3 4 5 19 20 NE2552E config if switchport access vlan 2 NE2552E config if exit ...

Page 193: ...ine or clear a port as an edge port Link Type The link type determines how the port behaves in regard to Rapid Spanning Tree Use the following commands to define the link type for the port where type corresponds to the duplex mode of the port as follows p2p A full duplex link to another device point to point shared A half duplex link is a shared segment and can contain more than one device auto Th...

Page 194: ...194 NE2552E Application Guide for ENOS 8 4 ...

Page 195: ... uplinks remain active utilizing all available bandwidth Two switches are paired into VLAG peers and act as a single virtual entity for the purpose of establishing a multi port aggregation Ports from both peers can be grouped into a VLAG and connected to the same LAG capable target device From the perspective of the target device the ports connected to the VLAG peers appear to be a single LAG conn...

Page 196: ...C switches Other devices connecting to the VLAG peers are configured using regular static or dynamic LAGs Note Do not configure a VLAG for connecting only one switch in the peer set to another device or peer set For instance in VLAG Peer C a regular LAG is employed for the downlink connection to VLAG Peer B because only one of the VLAG Peer C switches is involved ISL VLAG 3 VLAG 3 VLAG 5 VLAG 6 LA...

Page 197: ...oups 197 In addition when used with VRRP VLAGs can provide seamless active active failover for network links For example Figure 18 VLAG Application with VRRP Note VLAG is not compatible with UFP vPorts on the same ports ISL VLAG VRRP Master VRRP Backup VLAG Peers ...

Page 198: ...tatic LAG portchannel or dynamic LACP LAG and consumes one slot from the overall port LAG capacity pool The type of aggregation must match that used on VLAG client devices Additional configuration is then required to implement the VLAG on both VLAG peer switches You may configure up to 52 LAGs on the switch with all types regular or VLAG static or LACP sharing the same pool The maximum number of c...

Page 199: ...ated inter switch link ISL for synchronization The ports used to create the ISL must have the following properties ISL ports must have VLAN tagging turned on ISL ports must be configured for all VLAG VLANs ISL ports must be placed into a regular port LAG dynamic or static A minimum of two ports on each switch are recommended for ISL use Dynamic routing protocols such as OSPF cannot terminate on VL...

Page 200: ...er and manually enable the ISL If you have enabled VLAG on the switch and you need to change the STP mode ensure that you first disable VLAG and then change the STP mode When VLAG is enabled you may see two root ports on the secondary VLAG switch One of these will be the actual root port for the secondary VLAG switch and the other will be a root port synced with the primary VLAG switch The LACP ke...

Page 201: ...mic LACP port LAG The VLAG peer switches share a dedicated ISL for synchronizing VLAG information On the individual VLAG peers each port leading to a specific client switch and part of the client switch s port LAG is configured as a VLAG In the following example configuration only the configuration for VLAG 1 on VLAG Peer 1 is shown VLAG Peer 2 and all other VLAGs are configured in a similar fashi...

Page 202: ...VLAG ports must be members of the same VLANs 3 Configure VLAG Tier ID This is used to identify the VLAG switch in a multi tier environment 4 Configure the ISL for the VLAG peer Make sure you configure the VLAG peer VLAG Peer 2 using the same ISL aggregation type dynamic or static the same VLAN and the same STP mode and tier ID used on VLAG Peer 1 NE2552E config spanning tree mode pvrst NE2552E con...

Page 203: ...figuration for VLAG Peer 2 For each corresponding VLAG on the peer the port LAG type dynamic or static the port s VLAN and STP mode and ID must be the same as on VLAG Peer 1 5 Enable VLAG globally 6 Verify the completed configuration NE2552E config vlan 100 NE2552E config vlan exit NE2552E config interface port 8 NE2552E config if switchport mode trunk NE2552E config if exit NE2552E config interfa...

Page 204: ...his case a dynamic LAG is shown A static LAG portchannel could be configured instead b ISL ports and VLAG ports must be members of the same VLANs 3 Configure VLAG Tier ID This is used to identify the VLAG switch in a multi tier environment 4 Configure the ISL for the VLAG peer Make sure you configure the VLAG peer VLAG Peer 2 using the same ISL aggregation type dynamic or static the same VLAN for ...

Page 205: ... each corresponding VLAG on the peer the port LAG type dynamic or static the port s VLAN and STP mode and ID must be the same as on VLAG Peer 1 6 Verify the completed configuration NE2552E config vlan 100 NE2552E config vlan exit NE2552E config interface port 8 NE2552E config if switchport mode trunk NE2552E config if exit NE2552E config spanning tree mst configuration NE2552E config mst instance ...

Page 206: ...h does not have a dedicated management interface configure a VLAN for the health check interface The health check interface can be configured with an IPv4 or IPv6 address Note Configure a similar interface on VLAG Peer 2 For example use IP address 10 10 10 2 2 Specify the IPv4 or IPv6 address of the VLAG Peer Note For VLAG Peer 2 the management interface would be configured as 10 10 10 2 and the h...

Page 207: ...routing Although OSPF is used in this example static routing could also be deployed For more information see OSPF on page 389 or Basic IP Routing on page 315 3 Configure a server facing interface Internet 10 0 1 1 10 0 1 2 10 0 1 3 Layer 3 Router Layer 3 Router 1 2 4 5 4 5 1 2 Server 1 Server 2 Server 3 VLAG Peer 1 ISL VLAG 1 VLAG 2 VLAG 3 VRRP Master VRRP Backup Network 10 0 1 0 24 VIR 10 0 1 100...

Page 208: ... 100 NE2552E config vrrp virtual router 1 enable NE2552E config vrrp virtual router 1 priority 101 NE2552E config vrrp exit NE2552E config interface port 4 5 NE2552E config if switchport mode trunk NE2552E config if lacp mode active NE2552E config if lacp key 2000 NE2552E config if exit NE2552E config interface port 1 NE2552E config if switchport access vlan 10 NE2552E config if exit NE2552E confi...

Page 209: ...ig ip if ip address 172 1 1 10 255 255 255 0 NE2552E config ip if vlan 10 NE2552E config ip if enable NE2552E config ip if ip ospf area 1 NE2552E config ip if ip ospf enable NE2552E config ip if exit NE2552E config interface ip 2 NE2552E config ip if ip address 172 1 3 10 255 255 255 0 NE2552E config ip if vlan 20 NE2552E config ip if enable NE2552E config ip if ip ospf area 1 NE2552E config ip if...

Page 210: ... id 10 NE2552E config vlag enable NE2552E config router ospf NE2552E config router ospf area 1 area id 0 0 0 1 NE2552E config router ospf enable NE2552E config router ospf exit NE2552E config interface ip 3 NE2552E config ip if ip address 10 0 1 11 255 255 255 0 NE2552E config ip if vlan 100 NE2552E config ip if exit NE2552E config router vrrp NE2552E config vrrp enable NE2552E config vrrp virtual...

Page 211: ... trunk NE2552E config if exit NE2552E config vlan 40 NE2552E config vlan exit NE2552E config interface port 2 NE2552E config if switchport mode trunk NE2552E config if exit NE2552E config vlan 100 NE2552E config vlan exit NE2552E config interface port 4 5 10 12 NE2552E config if switchport mode trunk NE2552E config if exit NE2552E config interface ip 1 NE2552E config ip if ip address 172 1 2 11 25...

Page 212: ...fig if lacp key 1000 NE2552E config if exit NE2552E config interface port 11 NE2552E config if lacp mode active NE2552E config if lacp key 1100 NE2552E config if exit NE2552E config interface port 12 NE2552E config if lacp mode active NE2552E config if lacp key 1200 NE2552E config if exit NE2552E config vlag adminkey 1000 enable NE2552E config vlag adminkey 1100 enable NE2552E config vlag adminkey...

Page 213: ...ve mode In active mode Layer 3 traffic is forwarded in all vLAG related VRRP domains To enable vLAG VRRP active mode on a switch use the following command Note This is the default vLAG VRRP mode 2 vLAG VRRP Passive Half Active Active mode In passive mode Layer 3 traffic is forwarded in a vLAG related VRRP domain only if either the switch or its peer virtual router is the VRRP master To enable vLAG...

Page 214: ...trunk therefore improving ISL usage and avoiding potential traffic loss To make it functional vLAG Peer Gateway must be configured on both vLAG peer switches By default the feature is disabled To enable it use the following command Use the no form of the command to disable vLAG Peer Gateway To display information about the current vLAG Peer Gateway settings use the following commands NE2552E confi...

Page 215: ... on switches A and B ports 1 2 Ports connecting to Layer 2 3 ports 5 6 Ports on switches A and B connecting to switches C and D ports 10 11 Ports on switch B connecting to switch E ports 15 16 Ports on switch B connecting to switch F ports 17 18 ISL VLAG 3 VLAG 5 VLAG 6 LAG LAG VLAG 2 LAG ISL ISL Layer 2 3 Border Layer 2 Region with multiple levels Servers VLAG Peers C VLAG Peers B VLAG Peers A VL...

Page 216: ...NE2552E config vlag isl adminkey 200 NE2552E config vlan exit NE2552E config vlan 10 VLAN number 10 with name VLAN 10 created VLAN 10 was assigned to STG 10 NE2552E config vlan exit NE2552E config interface port 1 2 5 NE2552E config if switchport mode trunk NE2552E config if exit NE2552E config interface port 5 NE2552E config if lacp key 400 NE2552E config if lacp mode active NE2552E config if exi...

Page 217: ...and between E and F as shown in Step 1 8 Configure the Switch G as shown in Step 2 NE2552E config vlan 20 NE2552E config vlan exit NE2552E config interface port 10 11 NE2552E config if switchport mode trunk NE2552E config if lacp key 600 NE2552E config if lacp mode active NE2552E config if exit NE2552E config vlag adminkey 600 enable NE2552E config vlan 30 NE2552E config vlan exit NE2552E config i...

Page 218: ...218 NE2552E Application Guide for ENOS 8 4 ...

Page 219: ... applications and limit bandwidth for less critical applications Applications such as video and voice must have a certain amount of bandwidth to work correctly using QoS you can provide that bandwidth when necessary Also you can put a high priority on applications that are sensitive to timing out or those that cannot tolerate delay assigning that traffic to a high priority queue By assigning QoS l...

Page 220: ... match those specified in a traffic pattern the policy instructs the NE2552E to perform specified actions on each packet that passes through it The packets are assigned to different Class of Service COS queues and scheduled for transmission The basic NE2552E QoS model works as follows Classify traffic Read DSCP Read 802 1p Priority Match ACL filter parameters Meter traffic Define bandwidth and bur...

Page 221: ... destination port TCP flag Packet format Ethernet format tagging format IPv4 IPv6 Egress port For ACL details see Access Control Lists on page 121 Summary of ACL Actions Actions determine how the traffic is treated The NE2552E QoS actions include the following Pass or Drop the packet Re mark the packet with a new DiffServ Code Point DSCP Re mark the 802 1p field Set the COS queue ACL Metering and ...

Page 222: ...Pv6 ACLs All traffic matching an IPv6 ACL is considered in profile for re marking purposes Using meters you set a Committed Rate in Kbps 1000 bits per second in each Kbps All traffic within this Committed Rate is In Profile Additionally you can set a Maximum Burst Size that specifies an allowed data burst larger than the Committed Rate for a brief period These parameters define the In Profile traf...

Page 223: ...ified by their DSCP value The Differentiated Services DS field in the IP header is an octet and the first six bits called the DS Code Point DSCP can provide QoS functions Each packet carries its own QoS state in the DSCP There are 64 possible DSCP values 0 63 Figure 23 Layer 3 IPv4 Packet The NE2552E can perform the following actions to the DSCP Read the DSCP value of ingress packets Re mark the D...

Page 224: ...scribed in RFC 2598 Assured Forwarding AF This PHB contains four service levels each with a different drop precedence as shown below Routers use drop precedence to determine which packets to discard last when the network becomes congested AF PHB is described in RFC 2597 Class Selector CS This PHB has eight priority classes with CS7 representing the highest priority and CS0 representing the lowest ...

Page 225: ... you must enable DSCP re marking on any port that you wish to perform this function Note If an ACL meter is configured for DSCP re marking the meter function takes precedence over QoS re marking Table 19 Default QoS Service Levels Service Level Default PHB 802 1p Priority Critical CS7 7 Network Control CS6 6 Premium EF CS5 5 Platinum AF41 AF42 AF43 CS4 4 Gold AF31 AF32 AF33 CS3 3 Silver AF21 AF22 ...

Page 226: ...DSCP value 0 63 new value NE2552E config qos dscp dot1p mapping DSCP value 0 63 802 1p value NE2552E config interface port 1 NE2552E config if qos dscp re marking NE2552E config if exit NE2552E config access control list 2 tcp udp source port 5060 0xffff NE2552E config access control list 2 meter committed rate 10000000 NE2552E config access control list 2 meter enable NE2552E config access contro...

Page 227: ...ict priority to VoIP COS queue 7 Map priority value to COS queue for non VoIP traffic 8 Assign weight to the non VoIP COS queue NE2552E config qos transmit queue weight cos 7 0 NE2552E config qos transmit queue mapping 1 1 NE2552E config qos transmit queue weight cos 1 2 ...

Page 228: ...ro indicates a best effort traffic prioritization and this is the default when traffic priority has not been configured on your network The NE2552E can filter packets based on the 802 1p values and it can assign or overwrite the 802 1p value in the packet Figure 24 Layer 2 802 1q 802 1p VLAN Tagged Packet Ingress packets receive a priority value as follows Tagged packets NE2552E reads the 802 1p p...

Page 229: ...th the highest weight values For distribution purposes each packet is counted the same regardless of the packet s size A scheduling weight of 0 zero indicates strict priority Traffic in strict priority queue has precedence over other all queues If more than one queue is assigned a weight of 0 the strict queue with highest queue number will be served first Once all traffic in strict queues is deliv...

Page 230: ...hanneled through a common packet queue However one protocol cannot be channeled through multiple packet queues These packet queues are applicable only to the packets received by the software and does not impact the regular switching or routing traffic Packet queue with a higher number has higher priority You can configure the bandwidth for each packet queue Protocols that share a packet queue will...

Page 231: ... following command Setting the logging interval to 0 will log packet drops immediately with up to 1 second delay and will ignore further drops on the same queue during the next 2 minutes Setting the logging interval to a greater value 1 30 minutes regularly displays packet drop information at the designated time intervals Once the packet drops stop or if new packet drops are encountered only withi...

Page 232: ...isable microburst detection use the following command To configure the polling interval in milliseconds used by microburst detection to evaluate traffic burst To see the current microburst state use the following command Below is a basic configuration example for Microburst Detection 1 Enter Configuration mode and enable Microburst Detection choosing a threshold value 2 Configure the polling inter...

Page 233: ...L INTA11 NORMAL INTA12 NORMAL INTA13 NORMAL INTA14 NORMAL INTB1 NORMAL INTB2 NORMAL INTB3 NORMAL INTB4 NORMAL INTB5 NORMAL INTB6 NORMAL INTB7 NORMAL INTB8 NORMAL INTB9 NORMAL INTB10 NORMAL INTB11 NORMAL INTB12 NORMAL INTB13 NORMAL INTB14 NORMAL EXT1 NORMAL EXT2 NORMAL EXT3 NORMAL EXT4 NORMAL EXT5 NORMAL EXT6 NORMAL EXT7 NORMAL EXT8 NORMAL EXT9 1 NORMAL EXT9 2 NORMAL EXT9 3 NORMAL EXT9 4 NORMAL EXT...

Page 234: ...234 NE2552E Application Guide for ENOS 8 4 ...

Page 235: ... packets the ordinary clock adjusts its time with the master clock Boundary clock A boundary clock connects to multiple networks It synchronizes with the attached master clock and in turn acts as a master clock to all attached ordinary clocks Boundary clocks help to reduce the effect of jitter in Ethernet based networks Transparent clock A transparent clock listens for PTP packets and adjusts the ...

Page 236: ... the following command Note If there are no interfaces on the switch that belong to the VLAN from which the sync messages are received then the ordinary clock will not function An error message will be generated You can view this message using the following command Transparent Clock Mode When the NE2552E is configured as a transparent clock its time can be set manually or using any time protocol Y...

Page 237: ... UDP Port PTP primary All PTP messages except peer delay mechanism messages 224 0 1 129 PTP pdelay Peer delay mechanism messages 224 0 0 107 Event Messages Sync delay request peer delay request peer delay response 319 General Messages Announce follow up delay response peer delay response follow up management 320 Table 21 PTP Information Commands Command Description NE2552E config show ptp Displays...

Page 238: ...238 NE2552E Application Guide for ENOS 8 4 ...

Page 239: ... Copyright Lenovo 2018 239 Part 4 Advanced Switching Features ...

Page 240: ...240 NE2552E Application Guide for ENOS 8 4 ...

Page 241: ...to other devices In addition to aggregating capacity LAGs provides link redundancy For details on this feature see Ports and Link Aggregation LAG on page 155 Virtual Link Aggregation Groups VLAGs With VLAGs two switches can act as a single logical device for the purpose of establishing port LAGs Active LAG links from one device can lead to both VLAG peer switches providing enhanced redundancy incl...

Page 242: ...242 NE2552E Application Guide for ENOS 8 4 ...

Page 243: ...oach toward network consolidation allowing Fibre Channel equipment and tools to be retained while leveraging cheap ubiquitous Ethernet networks for growth With server virtualization servers capable of hosting both Fibre Channel and Ethernet applications will provide advantages in server efficiency particularly as FCoE enabled network adapters provide consolidated SAN and LAN traffic capabilities T...

Page 244: ... FCoE LAN server connected to the NE2552E using a CNA This allows the LAN server to take advantage of some CEE features that are useful even outside of an FCoE environment To block undesired or unvalidated traffic on FCoE links that exists outside the regular Fibre Channel topology Ethernet ports used in FCoE are configured with Access Control Lists ACLs that are narrowly tailored to permit expect...

Page 245: ...he FCoE license enabled if applicable on the CNA CEE must be turned on see Turning CEE On or Off on page 246 When CEE is on the DCBX PFC and ETS features are enabled and configured with default FCoE settings These features may be reconfigured but must remain enabled in order for FCoE to function FIP snooping must be turned on see FCoE Initialization Protocol Snooping on page 249 When FIP snooping ...

Page 246: ...ntees on a per priority basis and to provide efficient bandwidth allocation based on application needs Turning CEE On or Off By default on the NE2552E CEE is turned off To turn CEE on or off use the following CLI commands For an example see FIP Snooping Configuration on page 255 CAUTION Turning CEE on and applying the configuration will automatically change some 802 1p QoS and 802 3x standard flow...

Page 247: ... turned on prior 802 1p QoS settings are replaced with new defaults designed for use with ETS priority groups PGIDs as shown in Table 22 When CEE is on the default ETS configuration also allocates a portion of link bandwidth to each PGID as shown in Table 23 If the prior non CEE configuration used 802 1p priority values for different purposes or does not expect bandwidth allocation as shown in Tab...

Page 248: ...out involving the host CPU Both the transport processing and the memory translation and placement are performed by hardware resulting in dramatically lower latency and higher performance There are two RoCE versions RoCEv1 and RoCEv2 RoCEv1 is an Ethernet link layer protocol and hence allows communication between any two hosts in the same Ethernet broadcast domain while RoCEv2 is designed to allow ...

Page 249: ...ooping Requirements The following are required for implementing the FIP snooping bridge feature The NE2552E must be connected to the Fibre Channel network through a FCF such as a Lenovo Rackswitch G8264CS a Lenovo CN4093 10Gb Converged Scalable Switch or a Cisco Nexus 5000 Series Switch For each NE2552E switch port participating in FCoE the connected server must use a FCoE licensed Converged Netwo...

Page 250: ...LAG member its configuration does not change Note If the ports chosen to be part of a certain LAG do not have the same PFC ETS or DCBX configurations the switch will display an error Global FIP Snooping Settings By default the FIP snooping feature is turned off for the NE2552E The following commands are used to turn the feature on or off Note FIP snooping requires CEE to be turned on see Turning C...

Page 251: ... to be consolidated into a LAG FIPS LAG Support allows FCoE traffic and traditional Ethernet traffic to use the same ports for traffic by pinning each destination FCoE Enode MAC to a static switch port within the LAG This is due to each server port within a LAG expecting FCoE traffic with a destination MAC as its Enode MAC to arrive on the same port within the LAG from the switch i e FCoE traffic ...

Page 252: ...other FCoE connections that timeout fail or are disconnected without FIP notification By default automatic removal of ACLs upon timeout is enabled To change this function use the following CLI command FCoE ACL Rules When FIP Snooping is enabled on a port the switch automatically installs the appropriate ACLs to enforce the following rules for FCoE traffic Ensure that FIP frames from ENodes may onl...

Page 253: ...attached FCF Each ENode port must have VLAN tagging enabled and must belong to the same VLAN as the FCF to which it will connect In topologies where a single FCF is connected to the switch all ENode and FCF ports belong to the same VLAN typically VLAN 1002 When multiple FCFs are connected to the switch each FCF must be assigned a unique VLAN and each ENode must be assigned to the VLAN for only one...

Page 254: ...own The administrator can also view other FCoE information Operational Commands The administrator may use the operational commands to delete FIP related entries from the switch To delete a specific FCF entry and all associated ACLs from the switch use the following command NE2552E show fcoe fips fcf Show all detected FCFs NE2552E show fcoe fips fcoe Show all FCoE connections NE2552E no fcoe fips f...

Page 255: ...F into a unique VLAN supported by that FCF Note Placing ports into the VLAN after tagging is enabled helps to ensure that their port VLAN ID PVID is not accidentally changed 6 Set by default Enable FIP snooping on FCoE ports and set the desired FCF mode 7 Save the configuration NE2552E config fcoe fips enable NE2552E config no fcoe fips port EXT5 EXT10 enable NE2552E config cee enable NE2552E conf...

Page 256: ...FC is useful for a variety of applications it is required for FCoE implementation where storage SAN and networking LAN traffic are converged on the same Ethernet links Typical LAN traffic tolerates Ethernet packet loss that can occur from congestion or other factors but SAN traffic must be lossless and requires flow control For FCoE standard flow control would pause both SAN and LAN traffic during...

Page 257: ... occurs only on ports connected to CEE devices and not on any ports connected to non CEE devices In such cases PFC can be configured globally on specific priority values even though not all ports make use them PFC is not restricted to CEE and FCoE networks In any LAN where traffic is separated into different priorities PFC can be enabled on priority values for loss sensitive traffic If all ports h...

Page 258: ...ure 25 on page 244 In this example the following topology is used In this example PFC is to facilitate lossless traffic handling for FCoE priority value 3 and a business critical LAN application priority value 4 Table 24 Port Based PFC Configuration Switch Port 802 1p Priority Usage PFC Setting EXT5 0 2 LAN Disabled 3 not used Enabled 4 Business critical LAN Enabled others not used Disabled 3 FCoE...

Page 259: ... commands shown in this step are not necessary 3 Enable PFC for the business critical LAN application 4 Save the configuration NE2552E config cee enable NE2552E config cee port INTA1 pfc priority 3 enable FCoE priority NE2552E config cee port INTA1 pfc priority 3 description FCoE Optional NE2552E config cee port EXT4 pfc priority 3 enable FCoE priority NE2552E config cee port EXT4 pfc priority 3 d...

Page 260: ...le priority values with values numbered 0 through 7 which can be placed in the priority field of the 802 1Q VLAN tag Servers and other network devices may be configured to assign different priority values to packets belonging to different traffic types such as SAN and LAN ETS uses the assigned 802 1p priority values to identify different traffic types The various priority values are assigned to pr...

Page 261: ...or Off on page 246 for the ETS feature to function A priority group must be assigned a priority group ID PGID one or more 802 1p priority values and allocated link bandwidth greater than 0 PGID Each priority group is identified with number 0 through 7 and 15 known as the PGID PGID 0 through 7 may each be assigned a portion of the switch s available bandwidth PGID 8 through 14 are reserved as per t...

Page 262: ...assigned to the new group when the configuration is applied Each priority value must be assigned to a PGID Priority values may not be deleted or unassigned To remove a priority value from a PGID it must be moved to another PGID For PGIDs 0 through 7 bandwidth allocation can also be configured through the ETS Priority Group menu See for Allocating Bandwidth on page 262 for details Deleting a Priori...

Page 263: ...ndwidth allocation of any PGID also requires adjusting the allocation of other PGIDs to compensate If these conditions are not met the switch will report an error when applying the configuration Notes Actual bandwidth used by any specific PGID may vary from configured values by up to 10 of the available bandwidth in accordance with 802 1Qaz ETS standard For example a setting of 10 may be served an...

Page 264: ...management traffic has been assigned Finally the bandwidth allocation for priority groups 1 2 and 3 are revised Note DCBX may be configured to permit sharing or learning PFC configuration with or from external devices This example assumes that PFC configuration is being performed manually See Data Center Bridging Capability Exchange on page 266 for more information on DCBX Table 25 ETS Configurati...

Page 265: ... 0 1 and 2 NE2552E config cee global ets priority group pgid 0 description Regular LAN Set a group description optional NE2552E config cee global ets priority group pgid 1 priority 3 Select a group for SAN traffic and set for 802 1p priority 3 NE2552E config cee global ets priority group pgid 1 description SAN Set a group description optional NE2552E config cee global ets priority group pgid 2 pri...

Page 266: ...e purpose of automatically configuring advanced CEE features such as PFC ETS and for some CNAs FIP The administrator can determine which CEE feature settings on the switch are communicated to and matched by CEE neighbors and also which CEE feature settings on the switch may be configured by neighbor requirements The DCBX feature requires CEE to be turned on see Turning CEE On or Off on page 246 DC...

Page 267: ...tings will be transmit to the remote CEE peer If the peer is capable of the feature and willing to accept the NE2552E settings it will be automatically reconfigured to match the switch The willing flag Set this flag when required by the remote CEE peer for a particular feature as part of DCBX signaling and support Although some devices may also expect this flag to indicate that the switch will acc...

Page 268: ...NT2 and EXT5 All other ports are disabled or are connected to regular non CEE LAN devices In this example the NE2552E acts as the central point for CEE configuration FCoE related ports will be configured for advertising CEE capabilities but not to accept external configuration Other LAN ports that use CEE features will also be configured to advertise feature settings to remote peers but not to acc...

Page 269: ... dcbx ets advertise NE2552E config cee port INTA1 dcbx pfc advertise NE2552E config cee port EXT4 dcbx enable NE2552E config cee port EXT4 dcbx app_proto advertise NE2552E config cee port EXT4 dcbx ets advertise NE2552E config cee port EXT4 dcbx pfc advertise NE2552E config cee port INTA2 dcbx enable NE2552E config cee port INTA2 dcbx ets advertise NE2552E config cee port INTA2 dcbx pfc advertise ...

Page 270: ...ontrol settings see Turning CEE On or Off on page 246 4 Configure the FCoE VLAN 5 Configure the FCoE ports and enable VLAN tagging Place all FCoE ports associated with each FCF into a unique VLAN supported by that FCF Note Placing ports into the VLAN after tagging is enabled helps to ensure that their port VLAN ID PVID is not accidentally changed Switch Servers Lenovo Chassis EXT5 EXT4 INTA1 INTA2...

Page 271: ...tical LAN NE2552E config cee global ets priority group pgid 0 priority 0 1 2 Select a group for regular LAN and set for 802 1p priorities 0 1 and 2 NE2552E config cee global ets priority group pgid 0 description Regular LAN Set a group description optional NE2552E config cee global ets priority group pgid 1 priority 3 Select a group for SAN traffic and set for 802 1p priority 3 NE2552E config cee ...

Page 272: ...guration NE2552E config cee port INTA1 EXT4 dcbx enable NE2552E config cee port INTA1 EXT4 dcbx app_proto advertise NE2552E config cee port INTA1 EXT4 dcbx ets advertise NE2552E config cee port INTA1 EXT4 dcbx pfc advertise NE2552E config cee port INTA2 EXT5 dcbx enable NE2552E config cee port INTA2 EXT5 dcbx ets advertise NE2552E config cee port INTA2 EXT5 dcbx pfc advertise NE2552E config no cee...

Page 273: ...teway or Layer 2 Layer 3 node With these configurations a packet with a unicast IPv4 destination address and multicast MAC address can be sent out as per the multicast MAC address configuration NLB maps the unicast IP address and multicast MAC address as follows Cluster multicast MAC address 03 BF W X Y Z where W X Y Z is the cluster unicast IP address You must configure the static multicast ARP e...

Page 274: ...ample Consider the following example Cluster unicast IP address 10 10 10 42 Cluster multicast MAC address 03 bf 0a 0a 0a 2a Cluster VLAN 42 List of individual or port LAGs to which traffic should be forwarded 54 and 56 Following are the steps to configure the static multicast ARP based on the given example 1 Configure the static multicast FDB entry 2 Configure the static multicast ARP entry You ca...

Page 275: ...ort 10 241 38 1 00 11 25 c3 70 0a 4095 1 MGT1 10 241 38 101 00 11 25 c3 70 0a 4095 2 MGT1 10 241 38 102 P 74 99 75 08 9b ef 4095 MGT1 Data ARP entries Current ARP configuration rearp 5 Current static ARP IP address MAC address Port VLAN 10 10 10 42 03 bf 0a 0a 0a 2a 42 Total number of arp entries 2 IP address Flags MAC address VLAN Age Port 10 10 10 1 P fc cf 62 9d 74 00 42 10 10 10 42 P 03 bf 0a ...

Page 276: ...arded to all the ports as specified in the Multicast MAC address configuration If VLAN membership changes for the ports you must update this static multicast MAC entry If not the ports whose membership has changed will report discards ACLs take precedence over static multicast ARP If an ACL is configured to match and permit ingress of unicast traffic the traffic will be forwarded based on the ACL ...

Page 277: ...ontain information regarding hosts interconnected with a trusted interface By default DHCP snooping is disabled on all VLANs You can enable DHCP snooping on one or more VLANs You must enable DHCP snooping globally To enable this feature enter the following commands Note When you make a DHCP release from a client the switch does not forward the Unicast DHCP release packet to the server the entry is...

Page 278: ...278 NE2552E Application Guide for ENOS 8 4 ...

Page 279: ...populates its ARP cache with a poisoned entry having IP address IB and MAC address MC Host A will use the MAC address MC as the destination MAC address for traffic intended for Host B Host C then intercepts that traffic Because Host C knows the true MAC addresses associated with Host B it forwards the intercepted traffic to that host by using the correct MAC address as the destination keeping the ...

Page 280: ...st state with each interface on the switch In a typical network configuration you configure all switch ports connected to host ports as untrusted and configure all switch ports connected to switches as trusted With this configuration all ARP packets entering the network from a given switch bypass the security check The trust state configuration should be done carefully configuring interfaces as un...

Page 281: ...do not configure the interfaces connecting such switches as untrusted However to validate the bindings of packets from switches where DAI is not configured configure static DHCP snooping binding entries on the switch running DAI When you cannot determine such bindings isolate switches running DAI at Layer 3 from switches not running DAI DAI ensures that hosts on untrusted interfaces connected to a...

Page 282: ...ARP requests and ARP responses For non DHCP environments for each static IP address add a static DHCP Snooping binding entry with the biggest lease time in order not to expire Ports belonging to a port channel must have the same trust state DAI Configuration Example Following is the configuration for the example in Figure 30 SwitchA config ip arp inspection vlan 2 SwitchA config interface port 1 2...

Page 283: ...s IP Address Lease seconds Type VLAN Interface 00 00 00 00 00 01 Host1_IP 1000 Dynamic 2 3 00 00 00 00 00 02 Host2_IP 2000 Dynamic 2 2 Total number of bindings 2 SwitchB show ip dhcp snooping binding Mac Address IP Address Lease seconds Type VLAN Interface 00 00 00 00 00 02 Host2_IP 2000 Dynamic 2 3 Total number of bindings 1 SwitchA show ip dhcp snooping binding Output of show commands SwitchA sh...

Page 284: ...284 NE2552E Application Guide for ENOS 8 4 ...

Page 285: ...its properties and functionality The server communicates with the switch over the channel as defined in the channel profile The channels share the high speed physical link bandwidth Figure 31 UFP vPorts The UFP protocol has the following operation categories Channel Initialization The server NIC and the switch port negotiate the number of channels and establish channel identifiers Each UFP channel...

Page 286: ... to 1024 VLANs in trunk mode on the switch in standalone mode When CEE is turned on FCoE vPort must be used for lossless priority traffic For loss tolerant priority traffic a non FCoE UFP vPort must be used The lossless property of FCoE vPort is not guaranteed if lossless and loss tolerant traffic are combined When the vPort is enabled and the channel link state is up the system does not support c...

Page 287: ...he server NIC or switch transmit frames they add this S tag to indicate the vPort or vNIC to which the packet is being transmitted No VLAN mapping is required Such packets can be single tagged or double tagged with S tag vPort VLAN Mapping In local domain data path type the switch and server identify the vPort and vNIC by the port and VLAN tag in the incoming and outgoing packets Because no two vP...

Page 288: ... Trunk Mode In trunk mode a vPort can carry packets that have inner tags that belong to up to 1024 VLANs When UFP is enabled the following 9 VLANs are reserved for UFP operation 1 and 4002 4009 Each VLAN in the inner tag requires a VLAN translation entry Note Two vPorts operating in trunk mode on the same physical port cannot carry the same set of VLANs in the inner tag Figure 33 Packet passing th...

Page 289: ...ng FCoE Mode FCoE traffic is carried by a vPort The server side endpoint of this virtual port will be represented through a FC vHBA Setting a virtual port in FCoE mode will enable Priority based Flow Control PFC on the physical port A vPort configured in FCoE mode can only be attached to a Fibre Channel FC VLAN A vPort in FCoE mode operates as a local domain data path type with packets being singl...

Page 290: ...P protocols propagate the configured parameters for the vPort to apply appropriate traffic coloring and shaping at the source When operating in this mode traffic scheduling and bandwidth allocation behavior on switch egress is driven by the ETS class of traffic When two vPorts use the same traffic class configuration the order in which switch schedules traffic at egress depends on the order the tr...

Page 291: ...hich improves end to end TCP throughput performance Note If a vPort is configured with low upper limit it might lead to head of line congestion on the egress port ETS mode is disabled when strict bandwidth provisioning mode is enabled By default uplink ports have a separate traffic class for storage traffic with guaranteed bandwidth The rest of the bandwidth is shared equally among other traffic U...

Page 292: ...n the switch in standalone mode For more information on VLAN configuration see VLANs on page 135 Private VLANs It supports the following Private VLAN modes in UFP vPorts Disabled Trunk Promiscuous Host The following are the criteria of these Private VLAN modes Private VLAN mode is disabled Allows only non private domain Private VLAN mode is trunk Allows both primary and secondary VLAN which belong...

Page 293: ...belong to the same private VLAN domain vPorts cannot be configured with a primary VLAN as a default VLAN only with secondary VLANs UFP ports cannot have switchport mode private VLAN enabled on them Private VLAN is supported only on vPorts configured with trunk or access mode UFP cannot be configured on promiscuous ports For more information on private VLANs see Private VLANs on page 151 IGMP A vPo...

Page 294: ... for external port 1 NE2552E config ufp enable NE2552E config ufp port INTA1 enable Warning Tagging Trunk mode is enabled on UFP port INTA1 NE2552E config ufp port INTA1 vport 1 NE2552E config_ufp_vport network mode access NE2552E config_ufp_vport network default vlan 100 NE2552E config_ufp_vport qos bandwidth min 30 in percentage NE2552E config_ufp_vport qos bandwidth max 90 in percentage NE2552E...

Page 295: ...unk mode NE2552E config ufp enable NE2552E config ufp port INTA1 enable Warning Tagging Trunk mode is enabled on UFP port INTA1 NE2552E config ufp port INTA1 vport 1 NE2552E config_ufp_vport network mode trunk NE2552E config_ufp_vport network default vlan 100 NE2552E config_ufp_vport qos bandwidth min 15 in percentage NE2552E config_ufp_vport qos bandwidth max 80 in percentage NE2552E config_ufp_v...

Page 296: ...fp_vport qos bandwidth min 15 in percentage NE2552E config_ufp_vport qos bandwidth max 95 in percentage NE2552E config_ufp_vport enable NE2552E config_ufp_vport exit NE2552E config interface port EXT1 NE2552E config if switchport mode trunk NE2552E config if switchport trunk native vlan 100 NE2552E config if switchport trunk allowed vlan add 200 300 NE2552E config if exit NE2552E config vlan 200 N...

Page 297: ... vPorts in FCoE mode This example is consistent with the network shown in NE2552E config ufp enable NE2552E config ufp port INTA1 enable Warning Tagging Trunk mode is enabled on UFP port INTA1 NE2552E config ufp port INTA1 vport 1 NE2552E config_ufp_vport network mode tunnel NE2552E config_ufp_vport network default vlan 4000 NE2552E config_ufp_vport qos bandwidth min 15 in percentage NE2552E confi...

Page 298: ...g ufp port INTA1 enable Warning Tagging Trunk mode is enabled on UFP port INTA1 NE2552E config ufp port INTA1 vport 2 NE2552E config_ufp_vport network mode fcoe NE2552E config_ufp_vport network default vlan 1002 NE2552E config_ufp_vport qos bandwidth min 20 in percentage NE2552E config_ufp_vport qos bandwidth max 85 in percentage NE2552E config_ufp_vport enable NE2552E config_ufp_vport exit NE2552...

Page 299: ...ig exit NE2552E config interface port INTA10 NE2552E config if switchport mode private vlan NE2552E config if switchport private vlan mapping 700 NE2552E config if exit NE2552E config vlan 701 NE2552E config vlan private vlan isolated NE2552E config vlan exit NE2552E config vlan 702 NE2552E config vlan private vlan community NE2552E config vlan exit NE2552E config vlan 703 NE2552E config vlan priv...

Page 300: ...ort network mode trunk NE2552E config ufp vport enable NE2552E config ufp vport exit NE2552E config ufp port INTA3 enable NE2552E config ufp port INTA3 vport 1 NE2552E config ufp vport network private vlan host NE2552E config ufp vport network default vlan 300 NE2552E config ufp vport network mode trunk NE2552E config ufp vport enable NE2552E config ufp vport exit NE2552E config vlan 700 NE2552E c...

Page 301: ...ion NE2552E config ufp port INTA1 vport 1 NE2552E config_ufp_vport network mode access NE2552E config_ufp_vport network default vlan 100 NE2552E config_ufp_vport enable NE2552E config_ufp_vport exit NE2552E config ip igmp snoop vlan 100 NE2552E config ip igmp snoop enable NE2552E config ip igmp enable Turn on IGMP NE2552E config show ip igmp groups interface vport inta1 1 or NE2552E config show ip...

Page 302: ...ge 294 for steps to configure a vPort in access mode Follow the steps below for configuring the failover trigger 1 Enable failover globally 2 Configure trigger 1 and add monitor and control ports Note If you try to add a physical port that has vPorts configured as a member of a trigger you may see the following error message when you enable the trigger NE2552E config failover trigger 1 ena Failove...

Page 303: ...552E config ufp port INTA10 vport 4 NE2552E config_ufp_vport network mode trunk NE2552E config_ufp_vport network default vlan 400 NE2552E config_ufp_vport qos ets priority 2 NE2552E config_ufp_vport enable NE2552E config_ufp_vport exit NE2552E config ufp port INTA10 vport 5 NE2552E config_ufp_vport network mode trunk NE2552E config_ufp_vport network default vlan 43 NE2552E config_ufp_vport qos ets...

Page 304: ...FP 6 Add VLANs to IGMP Snooping and enable IGMP Snooping 7 Enable IGMPv3 Snooping optional 8 Enable IGMP NE2552E config ufp port INTA10 qos mode ets NE2552E config ufp port INTA10 enable NE2552E config cee enable NE2552E config ufp enable NE2552E config ip igmp snoop vlan 101 NE2552E config ip igmp snoop enable NE2552E config ip igmp snoop igmpv3 enable NE2552E config ip igmp enable Turn on IGMP ...

Page 305: ...ed switch traffic from one SPAR is never delivered to another SPAR Traffic from one SPAR can however be delivered to another SPAR by traversing an upstream link and switch Each individual SPAR requires exactly one uplink which can be a port a port channel or an LACP group Limiting SPAR connectivity to one external uplink prevents the creation of loops SPAR operates as a Layer 2 broadcast network H...

Page 306: ...onfigured as a 802 1Q trunk port so it can process multiple VLAN traffic from a SPAR The SPAR domain uses a single uplink port or LAG shared among all the VLANs For link redundancy or greater bandwidth the uplinks can be grouped as static or LACP LAG If a VLAN is defined on multiple SPARs the egress port mask is used to prevent communication between the SPARs in the same local domain VLAN Since po...

Page 307: ... S VLAN service VLAN associated with the SPAR Although the uplink can be shared by multiple networks using the pass through domain SPAR will not be server VLAN aware Hence multiple VLAN traffic will be mixed together in a single broadcast domain that is broadcast traffic on different VLANs from the upstream network will reach all servers attached to the SPAR pass through domain The servers drop th...

Page 308: ...ed A monitor port is used as a filtering criteria and the monitor port does not belong to the same SPAR as the mirrored port and is not defined on the global switch These ACL restrictions apply to all ACLs defined in an ACL group Port mirroring can be configured on SPAR ports but the monitor port must either belong to the same SPAR as the mirrored port or must be defined on the global switch Layer...

Page 309: ...Partition 309 Unsupported Features The following features are not supported when SPAR is configured 802 1x Edge Virtual Bridging Hotlinks IGMP Layer 3 Configuration Management VLAN Private VLAN Protocol VLAN sFlow STP RSTP MRSTP PVST UFP vLAG ...

Page 310: ...s on the switch The VLAN ID can be in the range of 2 4094 VLAN 1 and the management VLAN 4095 are reserved for the global switch context A VLAN assigned to a SPAR cannot be used for any other switch application Similarly VLAN used by any other switch application cannot be assigned to a SPAR SPAR member ports cannot be members of any other VLAN ...

Page 311: ...Set the mode of the SPAR to passthrough 4 Configure SPAR VLAN to 4081 5 Add ports INTA5 through INTA10 to SPAR 1 6 Enable SPAR 1 Local Domain Configuration This example demonstrates how to create a SPAR in local domain mode consisting of internal server ports INTA11 INTA14 and a single uplink port EXT 2 1 Create SPAR 2 2 Add uplink port EXT 2 to SPAR 2 NE2552E config spar 1 NE2552E config spar upl...

Page 312: ...bers of the that VLAN 9 Create local domain 3 assign VLAN 30 and specify the SPAR ports that are members of the that VLAN 10 Enable SPAR 2 NE2552E config spar domain mode local NE2552E config spar domain default vlan 4082 NE2552E config spar domain default member INTA11 INTA14 NE2552E config spar domain local 1 vlan 10 NE2552E config spar domain local 1 member INTA11 INTA14 NE2552E config spar dom...

Page 313: ...to switching traffic at near line rates the application switch can perform multi protocol routing This section discusses basic routing and advanced routing protocols Basic Routing Routing Information Protocol RIP Internet Group Management Protocol IGMP Border Gateway Protocol BGP Open Shortest Path First OSPF ...

Page 314: ...314 NE2552E Application Guide for ENOS 8 4 ...

Page 315: ...of faster routing and switching in a single device provides another service it allows you to build versatile topologies that account for legacy configurations Consider an example in which a corporate campus has migrated from a router centric topology to a faster more powerful switch based topology As is often the case the legacy of network growth and redesign has left the system with a mix of illo...

Page 316: ...gateway in this case the router for the next level of routing intelligence The router fills in the necessary address information and sends the data back to the switch which then relays the packet to the proper destination subnet using Layer 2 switching With Layer 3 IP routing in place on the NE2552E routing between different IP subnets can be accomplished entirely within the switch This leaves the...

Page 317: ...ters 205 21 17 1 and 205 21 17 2 2 First Floor Client Workstations 100 20 10 2 254 3 Second Floor Client Workstations 131 15 15 2 254 4 Common Servers 206 30 15 2 254 Table 27 Subnet Routing Example IP Interface Assignments Interface Devices IP Interface Address IF 1 Primary and Secondary Default Routers 205 21 17 3 IF 2 First Floor Client Workstations 100 20 10 1 IF 3 Second Floor Client Workstat...

Page 318: ...e the default gateways to the routers addresses Configuring the default gateways allows the switch to send outbound traffic to the routers 5 Verify the configuration Examine the resulting information If any settings are incorrect make the appropriate changes NE2552E config ip gateway 1 address 205 21 17 1 enable NE2552E config ip gateway 2 address 205 21 17 2 enable NE2552E config show interface i...

Page 319: ...g Example Optional VLAN Ports VLAN Devices IP Interface Switch Port VLAN 1 First Floor Client Workstations 2 EXT1 1 Second Floor Client Workstations 3 EXT2 1 2 Primary Default Router 1 EXT3 2 Secondary Default Router 1 EXT4 2 3 Common Servers 1 4 INT5A 3 Common Servers 2 4 INT6A 3 NE2552E config vlan 1 NE2552E config vlan exit NE2552E config interface port ext1 ext2 Add ports to VLAN 1 NE2552E con...

Page 320: ... the appropriate changes Port 4 is an untagged port and its current PVID is 1 Confirm changing PVID from 1 to 2 y n NE2552E config interface ip 1 Select IP interface 1 NE2552E config ip if vlan 2 Add VLAN 2 NE2552E config vlan exit NE2552E config interface ip 2 Select IP interface 2 NE2552E config ip if vlan 1 Add VLAN 1 NE2552E config ip if exit NE2552E config interface ip 3 Select IP interface 3...

Page 321: ...ailover redundancy The client request is forwarded to both BOOTP servers configured on the switch However no health checking is supported BOOTP Relay Agent Configuration To enable the NE2552E to be the BOOTP forwarder you need to configure the BOOTP server IP addresses on the switch and enable BOOTP relay on the interface s on which the BOOTP requests are received Generally you should configure th...

Page 322: ...OOTP relay agents for each of up to 10 VLANs As with global relay agent servers domain specific BOOTP DHCP functionality may be assigned on a per interface basis NE2552E config ip bootp relay bcast domain 1 10 vlan VLAN number NE2552E config ip bootp relay bcast domain 1 10 server 1 5 address IPv4 address NE2552E config ip bootp relay bcast domain 1 10 enable ...

Page 323: ...Without the DHCP relay agent there must be at least one DHCP server deployed at each subnet that has hosts needing to perform the DHCP request Note The switch accepts gateway configuration parameters if they were not configured manually The switch ignores DHCP gateway parameters if the gateway is configured DHCP Relay Agent DHCP is described in RFC 2131 and the DHCP relay agent supported on NE2552...

Page 324: ...Relay Agent Configuration In NE2552E implementation there is no need for primary or secondary servers The client request is forwarded to the BOOTP servers configured on the switch The use of two servers provide failover redundancy However no health checking is supported Use the following commands to configure the switch as a DHCP relay agent Additionally DHCP Relay functionality can be assigned on...

Page 325: ...Cs for IPv6 related features This chapter describes the basic configuration of IPv6 addresses and how to manage the switch via IPv6 host management RFC 1981 RFC 2404 RFC 2410 RFC 2451 RFC 2460 RFC 2461 RFC 2462 RFC 2474 RFC 2526 RFC 2711 RFC 2740 RFC 3289 RFC 3306 RFC 3307 RFC 3411 RFC 3412 RFC 3413 RFC 3414 RFC 3484 RFC 3602 RFC 3810 RFC 3879 RFC 4007 RFC 4213 RFC 4291 RFC 4293 RFC 4293 RFC 4301 ...

Page 326: ...r Lenovo ENOS 8 4 features permit IP addresses to be configured using either IPv4 or IPv6 address formats However the following switch features support IPv4 only Default switch management IP address Bootstrap Protocol BOOTP and DHCP RADIUS TACACS and LDAP QoS metering and re marking ACLs for out profile traffic Routing Information Protocol RIP Internet Group Management Protocol IGMP Border Gateway...

Page 327: ... FF FA 4CA2 Unlike IPv4 a subnet mask is not used for IPv6 addresses IPv6 uses the subnet prefix as the network identifier The prefix is the part of the address that indicates the bits that have fixed values or are the bits of the subnet prefix An IPv6 prefix is written in address prefix length notation For example in the following address 64 is the network prefix 21DA D300 0000 2F3C 64 IPv6 addre...

Page 328: ... interface ID must be unique within the same subnet Link local unicast address An address used to communicate with a neighbor on the same link Link local addresses use the format FE80 EUI Link local addresses are designed to be used for addressing on a single link for purposes such as automatic address configuration neighbor discovery or when no routers are present Routers must not forward any pac...

Page 329: ...ingle sender and a list of addresses Anycast addresses are allocated from the unicast address space using any of the defined unicast address formats Thus anycast addresses are syntactically indistinguishable from unicast addresses When a unicast address is assigned to more than one interface thus turning it into an anycast address the nodes to which the address is assigned must be explicitly confi...

Page 330: ...s address configuration Address configuration is based on the receipt of Router Advertisement messages that contain one or more Prefix Information options Lenovo ENOS 8 4 supports stateless address configuration Stateless address configuration allows hosts on a link to configure themselves with link local addresses and with addresses derived from prefixes advertised by local routers Even if no rou...

Page 331: ...cannot configure an IPv4 address on an IPv6 management interface Each interface can be configured with only one address type either IPv4 or IPv6 but not both When changing between IPv4 and IPv6 address formats the prior address settings for the interface are discarded Each IPv6 interface can belong to only one VLAN Each VLAN can support only one IPv6 interface Each VLAN can support multiple IPv4 i...

Page 332: ...he sender s role on the network IPv6 hosts use Router Solicitations to discover IPv6 routers When a router receives a Router Solicitation it responds immediately to the host Routers uses Router Advertisements to announce its presence on the network and to provide its address prefix to neighbor devices IPv6 hosts listen for Router Advertisements and uses the information to build a list of default r...

Page 333: ...rfaces configured on the switch can forward packets You can configure each IPv6 interface as either a host node or a router node You can manually assign an IPv6 address to an interface in host mode or the interface can be assigned an IPv6 address by an upstream router using information from router advertisements to perform stateless auto configuration To set an interface to host mode use the follo...

Page 334: ...o an IPv6 address traceroute host name IPv6 address max hops 1 32 msec delay 1 4294967295 Telnet server The telnet command supports IPv6 addresses but not link local addresses Use the following format to Telnet into an IPv6 interface on the switch telnet host name IPv6 address port Telnet client The telnet command supports IPv6 addresses but not link local addresses Use the following format to Tel...

Page 335: ... first to resolve the hostname with an IPv4 address If no A record is found for that hostname no IPv4 address for that hostname an AAAA query is sent to resolve the hostname with a IPv6 address If you set the request version to ipv6 the DNS application sends an AAAA query first to resolve the hostname with an IPv6 address If no AAAA record is found for that hostname no IPv6 address for that hostna...

Page 336: ...r IPv6 gateways IPv6 interfaces support Path MTU Discovery The CPU s MTU is fixed at 1500 bytes Support for jumbo frames 1 500 to 9 216 byte MTUs is limited Any jumbo frames intended for the CPU must be fragmented by the remote node The switch can re assemble fragmented packets up to 9k It can also fragment and transmit jumbo packets received from higher layers IPv6 Configuration Examples IPv6 Con...

Page 337: ...rtisements for the interface optional 4 Verify the configuration NE2552E config interface ip 3 NE2552E config ip if ipv6 address 2001 BA98 7654 BA98 FEDC 1234 ABCD 5214 NE2552E config ip if ipv6 prefixlen 64 NE2552E config ip if ipv6 seccaddr6 2003 1 32 NE2552E config ip if vlan 2 NE2552E config ip if enable NE2552E config ip if exit NE2552E config ip gateway6 1 address 2001 BA98 7654 BA98 FEDC 12...

Page 338: ...338 NE2552E Application Guide for ENOS 8 4 ...

Page 339: ... NIST recommendations for IPv6 implementations Lenovo ENOS IPv6 feature compliance has been extended to include the following IETF RFCs with an emphasis on IP Security IPsec and Internet Key Exchange version 2 and authentication confidentiality for OSPFv3 RFC 4301 for IPv6 security RFC 4302 for the IPv6 Authentication Header RFCs 2404 2410 2451 3602 and 4303 for IPv6 Encapsulating Security Payload...

Page 340: ...n anti replay service a form of partial sequence integrity and some traffic flow confidentiality ESPs may be applied alone or in combination with an AH ESP is defined in RFC 4303 Internet Key Exchange Version 2 IKEv2 IKEv2 is used for mutual authentication between two network elements An IKE establishes a security association SA that includes shared secret information to efficiently establish SAs ...

Page 341: ...6 packet is checked against the IPsec policies in force For each outbound packet after the packet is encrypted the software compares the packet size with the MTU size that it either obtains from the default minimum maximum transmission unit MTU size 1500 or from path MTU discovery If the packet size is larger than the MTU size the receiver drops the packet and sends a message containing the MTU si...

Page 342: ...g validated must hold a digital certificate signed by a trusted Certificate Authority and the private key for that digital certificate The side performing the authentication only needs a copy of the trusted certificate authorities digital certificate During IKEv2 authentication the side being validated sends a copy of the digital certificate and a hash value signed using the private key The certif...

Page 343: ...e The CSR can then be exported to a remote device to be signed by a CA 1 Create an HTTPS CSR defining the information you want to be used in the various fields NE2552E config copy tftp ca cert address hostname or IPv4 address Source file name path and filename of CA certificate file Port type DATA MGT Confirm download operation y n y NE2552E config copy tftp host key address hostname or IPv4 addre...

Page 344: ...bd 17 3f 11 f2 85 4b d6 b4 1d 3f 70 1f 13 bb 5e 2e 4c a8 ad 6a 7f 11 36 97 a6 25 0a 87 66 31 c9 92 59 03 31 5d ff df c6 aa 93 7c 51 9f 8e 1b 6f 2a be c4 4c 66 d6 2c 4b 6d e6 ae 4e 02 82 fc fa a1 de 3b c9 24 25 d5 6e 15 15 18 ce 9b a6 98 ad 0c 32 1f 94 01 Exponent 65537 0x10001 Attributes a0 00 Signature Algorithm sha256WithRSAEncryption 24 26 dd 96 49 47 9d 78 74 48 9b 63 4c 32 f0 78 da 7d 82 c9 1...

Page 345: ...ZvbJo V4qq pgQOt9ZJOMDrGQ0YmO1p84 GdxXVwGePCOvCRLESsq5rQb3zPSVvWnTsq0G gURvbV VQN9dI9lANZGZJi6BRNIRdBen dH0KRcCAwEAAaAAMA0GCSqGSIb3DQEB BQUAA4IBAQCSLDOrOnl7kaZri2OjDpzgiiG 9Skde3MehaklddfZnCkT1ALL3ZXY xWwYnvF5jAgnHhxRJbPOzwHNDWMtZiiNOTHyzHVptsyRBv70Kb8odJmuyKWDqunJ Ho1hHe63a7MRLFkQ 6io3kGrmq1bdM5U6xvvS 0ZXXUaiK1p lNLOrsYk45D01Az YHhcdRQtFUbQxqbirpi0jLsi82X7JCNQ2XCP6dhphkWKI6wsCvmlJdazW V gH X wqMk...

Page 346: ...tication algo rithms are used Create a traffic selector This describes the packets to which the policy applies Establish an IPsec policy Apply the policy 1 To define which encryption and authentication algorithms are used create a transform set where the following parameters are used transform ID A number from 1 10 encryption method One of the following esp des esp 3des esp aes cbc esp null integr...

Page 347: ...ype an integer from 1 255 or to any ICMP traffic proto tcp only apply the selector to TCP traffic source IP address any the source IP address in IPv6 format or any source destination IP address any the destination IP address in IPv6 format or any destination prefix length Optional the length of the destination IPv6 prefix an integer from 1 128 Permitted traffic that matches the policy in force is ...

Page 348: ...bound ESP authenticator key The inbound ESP authenticator key code in hexadecimal outbound AH IPsec key The outbound AH key code in hexadecimal outbound AH IPsec SPI A number from 256 4294967295 outbound ESP cipher key The outbound ESP key code in hexadecimal outbound ESP SPI A number from 256 4294967295 NE2552E config ipsec manual policy policy number NE2552E config ipsec manual peer peer s IPv6 ...

Page 349: ...onfigure the IPSec policy you need to apply it to the interface to enforce the security policies on that interface and save it to keep it in place after a reboot To accomplish this enter NE2552E config ip interface ip IP interface number 1 128 NE2552E config ip if address IPv6 address NE2552E config ip if ipsec manual policy policy index 1 10 NE2552E config ip if enable enable the IP interface NE2...

Page 350: ...e Whether to enable or disable the perfect forward security feature The default is disable Note In a dynamic policy the AH and ESP keys are created by IKEv2 3 After you configure the IPSec policy you need to apply it to the interface to enforce the security policies on that interface and save it to keep it in place after a reboot To accomplish this enter NE2552E config ipsec dynamic policy policy ...

Page 351: ...y is 1 When a switch receives a routing update that contains a new or changed destination network entry the switch adds 1 to the metric value indicated in the update and enters the network in the routing table The IPv4 address of the sender is used as the next hop Stability RIP includes a number of other stability features that are common to many routing protocols For example RIP implements the sp...

Page 352: ...he routing updates do not carry subnet mask information Hence the router cannot determine whether the route is a subnet route or a host route It is of limited usage after the introduction of RIPv2 For more information about RIPv1 and RIPv2 refer to RFC 1058 and RFC 2453 RIPv2 RIPv2 is the most popular and preferred configuration for most networks RIPv2 expands the amount of useful information carr...

Page 353: ...thout waiting for the regular update interval It is recommended to enable Triggered Updates Multicast RIPv2 messages use IPv4 multicast address 224 0 0 9 for periodic updates Multicast RIPv2 updates are not processed by RIPv1 routers IGMP is not needed since these are inter router messages which are not forwarded To configure RIPv2 in RIPv1 compatibility mode set multicast to disable and set versi...

Page 354: ...hen RIPv1 and unauthenticated RIPv2 messages are accepted authenticated RIPv2 messages are discarded If the router is configured to authenticate RIPv2 messages then RIPv1 and RIPv2 messages which pass authentication testing are accepted unauthenticated and failed authentication RIPv2 messages are discarded For maximum security RIPv1 messages are ignored when authentication is enabled interface ip ...

Page 355: ...D is 1 Confirm changing PVID from 1 to 2 y n y NE2552E config vlan 3 NE2552E config vlan exit NE2552E config interface port 3 NE2552E config if switchport mode trunk NE2552E config if switchport trunk allowed vlan add 3 NE2552E config if exit Port 3 is an UNTAGGED port and its current PVID is 1 Confirm changing PVID from 1 to 3 y n y NE2552E config interface ip 2 NE2552E config ip if enable NE2552...

Page 356: ... the routing table of the switch For those RIP learnt routes within the garbage collection period that are routes phasing out of the routing table with metric 16 use the following command Locally configured static routes do not appear in the RIP Routes table NE2552E show ip route NE2552E show ip rip routes ...

Page 357: ...t server relationship between an IPv4 Multicast source that provides the data streams and the clients that want to receive the data IGMP reports over the current 3K limit will be forwarded to a Mrouter If no Mrouter exists such IGMP reports will be discarded IGMPv2 leaves for groups not known by the switch will also be forwarded to the multicast router The NE2552E Flex Switch NE2552E can perform I...

Page 358: ...set up as follows An IPv4 Multicast Router Mrouter sends Membership Queries to the switch which forwards them to all ports in a given VLAN Hosts that want to receive the multicast data stream send Membership Reports to the switch which sends a proxy Membership Report to the Mrouter The switch sets up a path between the Mrouter and the host and blocks all other ports from receiving the multicast Pe...

Page 359: ...om specific source addresses or from all but specific source addresses The NE2552E supports the following IGMPv3 filter modes INCLUDE mode The host requests membership to a multicast group and provides a list of IPv4 addresses from which it wants to receive traffic EXCLUDE mode The host requests membership to a multicast group and provides a list of IPv4 addresses from which it does not want to re...

Page 360: ...t relevant for v2 entries NE2552E config ip igmp snoop vlan 1 NE2552E config ip igmp snoop enable NE2552E config ip igmp snoop igmpv3 enable NE2552E config ip igmp enable Turn on IGMP NE2552E show ip igmp groups Total entries 5 Total IGMP groups 2 Note The Total IGMP groups number is computed as the number of unique Group Vlan entries Note Local groups 224 0 0 x are not snooped relayed and will no...

Page 361: ...hen static Mrouters are used the switch will continue learning dynamic Mrouters via IGMP snooping However dynamic Mrouters may not replace static Mrouters If a dynamic Mrouter has the same port and VLAN combination as a static Mrouter the dynamic Mrouter will not be learned Following is an example of configuring a static multicast router 1 For each Mrouter configure a port VLAN and IGMP version of...

Page 362: ...ted join messages from its attached hosts IGMP Relay also forwards multicast traffic between the Mrouter and end stations similar to IGMP Snooping You can configure up to two Mrouters to use with IGMP Relay One Mrouter acts as the primary Mrouter and one is the backup Mrouter The NE2552E uses ICMP health checks to determine if the primary and backup mrouters are reachable Configuration Guidelines ...

Page 363: ...g ip if ip address 10 10 1 1 255 255 255 0 enable NE2552E config ip if vlan 2 NE2552E config ip if exit NE2552E config interface ip 3 NE2552E config ip if ip address 10 10 2 1 255 255 255 0 enable NE2552E config ip if vlan 3 NE2552E config ip if exit NE2552E config ip igmp enable NE2552E config ip igmp relay mrouter 1 address 100 0 1 2 NE2552E config ip igmp relay mrouter 1 enable NE2552E config i...

Page 364: ...an be based on IPv4 address or MAC address Note When IGMP Querier is enabled on a VLAN the switch performs the role of IGMP querier only if it meets the IGMP querier election criteria IGMP Querier Configuration Example Follow this procedure to configure IGMP Querier 1 Enable IGMP and configure the source IPv4 address for IGMP Querier on a VLAN 2 Enable IGMP Querier on the VLAN 3 Configure the quer...

Page 365: ...ved unless a multicast router was learned on the port Enable FastLeave only on VLANs that have only one host connected to each physical port IGMP Filtering With IGMP Filtering you can allow or deny a port to learn certain IGMP or IPMC groups This allows you to restrict users from receiving certain multicast traffic If access to a multicast group is denied IGMP Membership Reports from the port are ...

Page 366: ...f addresses within a larger range that a primary filter is configured to deny The two filters work together to allow IPv4 multicasts to a small subset of addresses within the larger range of addresses Note Lower numbered filters take precedence over higher number filters For example the action defined for IGMP Filter 1 supersedes the action defined for IGMP Filter 2 IGMP Filtering Configuration Ex...

Page 367: ...roup Management Protocol version 2 IGMPv2 and MLDv2 is derived from IGMPv3 MLD uses ICMPv6 IP Protocol 58 message types See RFC 2710 and RFC 3810 for details MLDv2 protocol when compared to MLDv1 adds support for source filtering the ability for a node to report interest in listening to packets only from specific source addresses or from all but specific source addresses sent to a particular multi...

Page 368: ...ce Specific Query Sent to learn if for a specified multicast address there are nodes still listening to a specific set of sources Supported only in MLDv2 Note Multicast Address Specific Queries and Multicast Address and Source Specific Queries are sent only in response to State Change Reports and never in response to Current State Reports Multicast Listener Report Sent by a host when it joins a mu...

Page 369: ... host immediately reports these changes through a State Change Report message The Querier sends a Multicast Address Specific Query to verify if hosts are listening to a specified multicast address or not Similarly if MLDv2 is configured the Querier sends a Multicast Address and Source Specific Query to verify for a specified multicast address if hosts are listening to a specific set of sources or ...

Page 370: ...er An Mrouter acts as a Querier and periodically at short query intervals sends query messages in the subnet If there are multiple Mrouters in the subnet only one can be the Querier All Mrouters on the subnet listen to the messages sent by the multicast address listeners and maintain the same multicast listening information state All MLDv2 queries are sent with the FE80 64 link local source addres...

Page 371: ...ters on the ingress VLANs of the MLD enabled interface All report or done messages are forwarded to these Mrouters By default the option of dynamically learning Mrouters is disabled To enable it use the following command NE2552E config interface ip interface number NE2552E config ip if ipv6 mld dmrtr enable ...

Page 372: ...able RV 2 Query Interval QI 125 seconds Query Response Interval QRI 10 seconds Multicast Address Listeners Interval MALI 260 seconds derived RV QI QRI Other Querier Present Interval OQPT 255 seconds derived RV QI QRI Start up Query Interval SQI 31 25 seconds derived QI Startup Query Count SQC 2 derived RV Last Listener Query Interval LLQI 1 second Last Listener Query Count LLQC 2 derived RV Last L...

Page 373: ...listener query interval NE2552E config ipv6 mld NE2552E config router mld enable NE2552E config router mld exit NE2552E config interface ip 2 NE2552E config ip if enable NE2552E config ip if ipv6 address 2002 1 0 0 0 0 0 3 NE2552E config ip if ipv6 prefixlen 64 NE2552E config ip if ipv6 mld enable NE2552E config ip if ipv6 mld version 1 2 MLD version NE2552E config ip if ipv6 mld robust 1 10 Robus...

Page 374: ...374 NE2552E Application Guide for ENOS 8 4 ...

Page 375: ...pstream provider s BGP is defined in RFC 1771 NE2552E Flex Switches NE2552Es can advertise their IP interfaces and IPv4 addresses using BGP and take BGP feeds from as many as BGP router peers This allows more resilience and flexibility in balancing traffic from the Internet Note Lenovo ENOS 8 4 does not support IPv6 for BGP The following topics are discussed in this section Internal Routing Versus...

Page 376: ...ame autonomous system An iBGP is a type of internal routing protocol you can use to do active routing inside your network It also carries AS path information which is important when you are an ISP or doing BGP transit The iBGP peers have to maintain reciprocal sessions to every other iBGP router in the same AS in a full mesh manner in order to propagate route information throughout the AS If the i...

Page 377: ... containing the new route For each route removed from the route table if the route has already been sent to a peer an update message containing the route to withdraw is sent to that peer For each Internet host you must be able to send a packet to that host and that host has to have a path back to you This means that whoever provides Internet connectivity to that host must have a path to you Ultima...

Page 378: ...ess and AS number It also allows users to overwrite the local preference metric and to append the AS number in the AS route See BGP Failover Configuration on page 384 Lenovo ENOS allows you to configure 32 route maps Each route map can have up to eight access lists Each access list consists of a network filter A network filter defines an IPv4 address and subnet mask of the network that you want to...

Page 379: ...ifying a precedence value with the following commands The smaller the value the higher the precedence If two route maps have the same precedence value the smaller number has higher precedence Configuration Example To configure route maps you need to do the following 1 Define network filter Enter a filter number from 1 to 256 Specify the IPv4 address and subnet mask of the network that you want to ...

Page 380: ...reference for the matched route Specify the metric Multi Exit Discriminator MED for the matched route 5 Enable the route map 6 Turn BGP on 7 Assign the route map to a peer router Select the peer router and then add the route map to the incoming route map list or to the outgoing route map list 8 Exit Router BGP mode NE2552E config route map as path list 1 as 1 NE2552E config route map as path list ...

Page 381: ...f routes between routing domains by defining a method known as route maps between the two domains For more information on route maps see What is a Route Map on page 378 Redistributing routes is another way of providing policy control over whether to export OSPF routes fixed routes and static routes For an example configuration see Default Redistribution and Route Aggregation Example on page 386 De...

Page 382: ...it Discriminator Attribute This attribute is a hint to external neighbors about the preferred path into an AS when there are multiple entry points A lower metric value is preferred over a higher metric value The default value of the metric attribute is 0 Unlike local preference the metric attribute is exchanged between ASs however a metric attribute that comes into an AS does not leave the AS When...

Page 383: ...tes with higher local preference values are selected 3 In the case of multiple routes of equal preference the route with lower AS path weight is selected AS path weight 128 x AS path length number of autonomous systems traversed 4 In the case of equal weight and routes learned from peers that reside in the same AS the lower metric is selected Note A route with a metric is preferred over a route wi...

Page 384: ...ring to the switch to be three router hops away 1 Define the VLANs For simplicity both default gateways are configured in the same VLAN in this example The gateways could be in the same VLAN or different VLANs 2 Define the IP interfaces with IPv4 addresses The switch will need an IP interface for each default gateway to which it will be connected Each interface must be placed in the appropriate VL...

Page 385: ...ity for a Denial of Service DoS attack the forwarding of directed broadcasts is disabled by default 4 Configure BGP peer router 1 and 2 NE2552E config ip routing Enable IP forwarding NE2552E config router bgp NE2552E config router bgp ip router id 8 8 8 8 NE2552E config router bgp as 816 NE2552E config router bgp neighbor 1 remote address 200 200 200 2 NE2552E config router bgp neighbor 1 remote a...

Page 386: ...nfigure internal peer router 1 and external peer router 2 4 Configure redistribution for Peer 1 GbE Switch Module 10 1 1 135 Aggregate routes 135 0 0 0 8 traversing from AS 135 to AS 200 0 0 0 0 0 Default routes towards internal peer router AS 135 AS 200 Internal peer router 1 10 1 1 4 135 110 0 0 16 135 120 0 0 16 20 20 20 135 External peer router 2 20 20 20 2 NE2552E config router bgp NE2552E co...

Page 387: ...7 Border Gateway Protocol 387 5 Configure aggregation policy control Configure the routes that you want aggregated NE2552E config router bgp aggregate address 1 135 0 0 0 255 0 0 0 NE2552E config router bgp aggregate address 1 enable ...

Page 388: ...388 NE2552E Application Guide for ENOS 8 4 ...

Page 389: ...cting the designated router summarizing routes defining route maps and so forth OSPFv2 Configuration Examples on page 405 This section provides step by step instructions on configuring different OSPFv2 examples Creating a simple OSPF domain Creating virtual links Summarizing routes OSPFv3 Implementation in Lenovo ENOS on page 413 This section describes differences and additional features found in ...

Page 390: ... stub areas Not So Stubby Area NSSA similar to a stub area with additional capabilities Routes originating from within the NSSA can be propagated to adjacent transit and backbone areas External routes from outside the AS can be advertised within the NSSA but can be configured to not be distributed into other areas Transit Area an area that carries data traffic which neither originates nor terminat...

Page 391: ... Border Router ABR a router that has interfaces in multiple areas ABRs maintain one LSDB for each connected area and disseminate routing information between areas Autonomous System Boundary Router ASBR a router that acts as a gateway between the OSPF domain and non OSPF domains such as RIP BGP and static routes Figure 42 OSPF Domain and an Autonomous System Backbone Area 0 Area 3 Area 2 Area 1 Int...

Page 392: ...information to the other neighbors The Link State Database OSPF is a link state routing protocol A link represents an interface or routable path from the routing device By establishing an adjacency with the DR each routing device in an OSPF area maintains an identical Link State Database LSDB describing the network topology for its area Each routing device transmits a Link State Advertisement LSA ...

Page 393: ...an be done with static routes or using active internal routing protocols such as OSPF RIP or RIPv2 It is also useful to tell routers outside your network upstream providers or peers about the routes you have access to in your network Sharing of routing information between autonomous systems is known as external routing Typically an AS will have one or more border routers peer routers that exchange...

Page 394: ...als retransmission interval and interface transmit delay In addition to the preceding parameters you can specify the following Shortest Path First SPF interval Time interval between successive calculations of the shortest path tree using the Dijkstra s algorithm Stub area metric A stub area can be configured to send a numeric metric value such that all routes received via that stub area carry the ...

Page 395: ...rea are as follows Note The aindex option above is an arbitrary index used only on the switch and does not represent the actual OSPF area number The actual OSPF area number is defined in the areaid portion of the command as explained in the following sections Assigning the Area Index The aindex area index option is actually just an arbitrary index 0 2 used only by the NE2552E This index does not n...

Page 396: ... formats are supported be sure that the area IDs are in the same format throughout an area Attaching an Area to a Network Once an OSPF area has been defined it must be associated with a network To attach the area to a network you must assign the OSPF area index to an IP interface that participates in the area The commands are as follows For example the following commands could be used to configure...

Page 397: ...t router ID wins Interfaces configured as passive do not participate in the DR or BDR election process Summarizing Routes Route summarization condenses routing information Without summarization each routing device in an OSPF network would retain a route to every subnet in the network With summarization routing devices can reduce some sets of routes to a single advertisement reducing both the load ...

Page 398: ... configured default gateway it can inject a default route into rest of the OSPF domain Use the following command to configure the switch to inject OSPF default routes In the command above metric value sets the priority for choosing this switch for default route The value none sets no default and 1 sets the highest priority for default route Metric type determines the method for influencing routing...

Page 399: ...her direction To provide the NE2552E with a router ID see the following section Router ID For a detailed configuration example on Virtual Links see Example 2 Virtual Links on page 407 Router ID Routing devices in OSPF areas are identified by a router ID expressed in IP address format The router ID is not required to be part of any IP interface range or in any OSPF area and may even use the NE2552E...

Page 400: ...asswords and MD5 cryptographic authentication This type of authentication allows a password to be configured per area We strongly recommend that you implement MD5 cryptographic authentication as a best practice Figure shows authentication configured for area 0 with the password test Simple authentication is also configured for the virtual link between area 2 and area 0 Area 1 is not configured for...

Page 401: ...t password up to eight characters for the virtual link between Area 2 and Area 0 on switches 2 and 4 NE2552E config router ospf area 0 authentication type password NE2552E config router ospf exit NE2552E config interface ip 1 NE2552E config ip if ip ospf key test NE2552E config ip if exit NE2552E config interface ip 2 NE2552E config ip if ip ospf key test NE2552E config ip if exit NE2552E config i...

Page 402: ...k on switches 2 and 4 NE2552E config router ospf area 0 authentication type md5 NE2552E config router ospf message digest key 1 md5 key test NE2552E config router ospf exit NE2552E config interface ip 1 NE2552E config ip if ip ospf message digest key 1 NE2552E config ip if exit NE2552E config interface ip 2 NE2552E config ip if ip ospf message digest key 1 NE2552E config ip if exit NE2552E config ...

Page 403: ...owards any given destination ECMP allows separate routes to be calculated for each IP Type of Service All paths of equal cost to a given destination are calculated and the next hops for all equal cost paths are inserted into the routing table If redundant routes via multiple routing processes such as OSPF RIP BGP or static routes exist on your network the switch defaults to the OSPF derived route ...

Page 404: ...es Not Supported The following OSPF features are not supported in this release Summarizing external routes Filtering OSPF routes Using OSPF to forward multicast routes Configuring OSPF on non broadcast multi access networks such as frame relay X 25 or ATM ...

Page 405: ...are used for attaching networks to the various areas 6 Optional Configure route summarization between OSPF areas 7 Optional Configure virtual links 8 Optional Configure host routes Example 1 Simple OSPF Domain In this example two OSPF areas are defined one area is the backbone and the other is a stub area A stub area does not allow advertisements of external routes thus reducing the size of the da...

Page 406: ...e stub area NE2552E config interface ip 1 NE2552E config ip if ip address 10 10 7 1 255 255 255 0 enable NE2552E config ip if exit NE2552E config interface ip 2 NE2552E config ip if ip address 10 10 12 1 255 255 255 0 enable NE2552E config ip if exit NE2552E config router ospf NE2552E config router ospf enable NE2552E config router ospf area 0 area id 0 0 0 0 NE2552E config router ospf area 0 type...

Page 407: ... configuring virtual links Later when configuring the other end of the virtual link on Switch 2 the router ID specified here will be used as the target virtual neighbor nbr address 3 Enable OSPF 4 Define the backbone BladeCenter IF 1 10 10 7 1 IF 2 10 10 12 1 IF 1 10 10 12 2 IF 1 10 10 24 1 Backbone Transit Area Stub Area Application Switch 1 Switch 2 Area 0 0 0 0 0 Area 1 0 0 0 1 Area 2 0 0 0 2 V...

Page 408: ...0 24 0 24 NE2552E config router ospf area 1 area id 0 0 0 1 NE2552E config router ospf area 1 type transit NE2552E config router ospf area 1 enable NE2552E config router ospf exit NE2552E config interface ip 1 NE2552E config ip if ip ospf area 0 NE2552E config ip if ip ospf enable NE2552E config ip if exit NE2552E config interface ip 2 NE2552E config ip if ip ospf area 1 NE2552E config ip if ip os...

Page 409: ...a NE2552E config ip router id 10 10 14 1 NE2552E config router ospf NE2552E config router ospf enable NE2552E config router ospf area 0 area id 0 0 0 0 NE2552E config router ospf area 0 enable NE2552E config router ospf area 1 area id 0 0 0 1 NE2552E config router ospf area 1 type transit NE2552E config router ospf area 1 enable NE2552E config router ospf area 2 area id 0 0 0 2 NE2552E config rout...

Page 410: ...summary route that includes all the individual IP addresses within the area The following example shows one summary route from area 1 stub area injected into area 0 the backbone The summary route consists of all IP addresses from 36 128 192 0 through 36 128 254 255 except for the routes in the range 36 128 200 0 through 36 128 200 255 Note OSPFv2 supports IPv4 only IPv6 is supported in OSPFv3 see ...

Page 411: ...ble NE2552E config ip if exit NE2552E config router ospf NE2552E config router ospf enable NE2552E config router ospf area 0 area id 0 0 0 0 NE2552E config router ospf area 0 type transit NE2552E config router ospf area 0 enable NE2552E config router ospf area 1 area id 0 0 0 1 NE2552E config router ospf area 1 type stub NE2552E config router ospf area 1 enable NE2552E config router ospf exit NE25...

Page 412: ... on your switch show ip ospf show ip ospf neighbor show ip ospf database database summary show ip ospf routes Refer to the Lenovo ENOS Command Reference for information on the preceding commands NE2552E config router ospf NE2552E config router ospf area range 2 address 36 128 200 0 255 255 255 0 NE2552E config router ospf area range 2 area 1 NE2552E config router ospf area range 2 hide NE2552E con...

Page 413: ...d assigned to OSPF areas in much the same way IPv4 interfaces are assigned to areas in OSPFv2 This is the primary configuration difference between OSPFv3 and OSPFv2 See Internet Protocol Version 6 on page 325 for configuring IPv6 interfaces OSPFv3 Uses Independent Command Paths Though OSPFv3 and OSPFv2 are very similar they are configured independently OSPFv3 command paths are located as follows I...

Page 414: ...ed so link LSA is not originated for the interface Use the command NE2552E config ip if ipv6 ospf linklsasuppress OSPFv3 Limitations Lenovo ENOS 8 4 does not currently support the following OSPFv3 features Multiple instances of OSPFv3 on one IPv6 link OSPFv3 Configuration Example The following example depicts the OSPFv3 equivalent configuration of Example 3 Summarizing Routes on page 410 for OSPFv...

Page 415: ...e ip 3 NE2552E config ip if ipv6 address 10 0 0 0 0 0 0 1 NE2552E config ip if ipv6 prefixlen 56 NE2552E config ip if enable NE2552E config ip if exit NE2552E config interface ip 4 NE2552E config ip if ip address 36 0 0 0 0 0 1 NE2552E config ip if ipv6 prefixlen 56 NE2552E config ip if enable NE2552E config ip if exit NE2552E config ipv6 router ospf NE2552E config router ospf3 enable NE2552E conf...

Page 416: ...ses from advertising to the backbone This differs from OSPFv2 only in that the OSPFv3 command path is used and the address and prefix are specified in IPv6 format NE2552E config ipv6 router ospf NE2552E config router ospf3 area range 1 address 36 0 0 0 0 0 0 0 32 NE2552E config router ospf3 area range 1 area 0 NE2552E config router ospf3 area range 1 enable NE2552E config router ospf area range 2 ...

Page 417: ...onfig ip if ipv6 ospf dead interval 40 NE2552E config ip if ipv6 ospf network point to multipoint NE2552E config ip if ipv6 ospf poll interval 120 NE2552E config ip if ipv6 ospf enable NE2552E config ip if exit NE2552E config ipv6 router ospf NE2552E config router ospf3 router id 12 12 12 12 NE2552E config router ospf3 enable NE2552E config router ospf3 area 0 area id 0 0 0 0 NE2552E config router...

Page 418: ...418 NE2552E Application Guide for ENOS 8 4 ...

Page 419: ...receivers or when it reaches a necessary bifurcation point leading to different receiver domains PIM is used by multicast source stations client receivers and intermediary routers and switches to build and maintain efficient multicast routing trees PIM is protocol independent It collects routing information using the existing unicast routing functions underlying the IPv4 network but does not rely ...

Page 420: ...PIM DM PIM SM is used in networks where multicast senders and receivers comprise a relatively small sparse portion of the overall network PIM SM uses a more complex process than PIM DM for collecting and optimizing multicast routes but minimizes impact on other IP services and is more commonly used PIM DM is used where multicast devices are a relatively large dense portion of the network with very...

Page 421: ...default PIM is disabled on the switch PIM can be globally enabled or disabled using the following ISCLI commands Defining a PIM Network Component The NE2552E can be attached to a maximum of two independent PIM network components Each component represents a different PIM network and can be defined for either PIM SM or PIM DM operation Basic PIM component configuration is performed using the followi...

Page 422: ...Filters The NE2552E accepts connection to up to 24 PIM interfaces By default the switch accepts all PIM neighbors attached to the PIM enabled interfaces up to the maximum number 72 neighbors Once the maximum is reached the switch will deny further PIM neighbors To ensure that only the appropriate PIM neighbors are accepted by the switch the administrator can use PIM neighbor filters to specify whi...

Page 423: ...ng command You can view configured PIM neighbor filters globally or for a specific IP interface using the following commands NE2552E config ip if ip pim neighbor addr neighbor IPv4 address deny NE2552E config ip if exit NE2552E config show ip pim neighbor filters NE2552E config show ip pim interface Interface number neighbor filters ...

Page 424: ... Router Selection Using PIM SM All PIM enabled IP interfaces are considered as potential Designate Routers DR for their domain By default the interface with the highest IP address on the domain is selected However if an interface is configured with a DR priority value it overrides the IP address selection process If more than one interface on a domain is configured with a DR priority the one with ...

Page 425: ...date routers For each PIM enabled IP interface the administrator can set the preference level for which the local interface becomes the BSR A value of 255 highly prefers the local interface as a BSR A value of 1 indicates that the PIM CBSR preference is not configured on the local interface NE2552E config interface ip Interface number NE2552E config ip if ip pim cbsr preference 0 to 255 NE2552E co...

Page 426: ...figured with a PIM SM or PIM DM multicast group IPv4 address Using the ISCLI IGMP Query is disabled by default If IGMP Querier is needed with PIM be sure to enable the IGMP Query feature globally as well as on each VLAN where it is needed If the switch is connected to multicast receivers and or hosts be sure to enable IGMP snooping globally as well as on each VLAN where PIM receivers are attached ...

Page 427: ...resents the PIM network being connected to the switch The IPv4 addresses in the defined range must not be included in another IP interface on the switch under a different VLAN 4 Enable PIM on the IP interface and assign the PIM component Note Because PIM component 1 is assigned to the interface by default the component id command is needed only if the setting has been previously changed 5 Set the ...

Page 428: ...h are configured on a different PIM component as shown in Figure 49 Note In the following example since the receivers and sources are connected in different areas the border router must be configured for the IPMC traffic to be forwarded Lenovo ENOS supports only partial configuration of PIM border router Figure 49 Network with both PIM DM and PIM SM Components NE2552E config ip pim static rp enabl...

Page 429: ...ode the DR RP and BSR settings do not apply NE2552E config ip pim enable NE2552E config ip pim component 2 NE2552E config ip pim comp mode dense NE2552E config ip pim comp exit NE2552E config interface ip 22 NE2552E config ip if ip address 10 10 1 2 255 255 255 255 NE2552E config ip if vlan 102 NE2552E config ip if enable NE2552E config ip if ip pim enable NE2552E config ip if ip pim component id ...

Page 430: ...430 NE2552E Application Guide for ENOS 8 4 ...

Page 431: ...ic consists of myriad services and applications which use the Internet Protocol IP for data delivery However IP is not optimized for all the various applications High Availability goes beyond IP and makes intelligent switching decisions to provide redundant network configurations ...

Page 432: ...432 NE2552E Application Guide for ENOS 8 4 ...

Page 433: ...inherently fault tolerant As long as one connection between the switches is available the LAG remains active In Figure 50 four ports are aggregated together between the switch and the enterprise routing device Connectivity is maintained as long as one of the links remains active The links to the server are also aggregated allowing the secondary NIC to take over in the event that the primary NIC li...

Page 434: ...tion occurs the interface must maintain a stable link for the duration of the Forward Delay interval For example if you set the Forward delay timer to 10 seconds using the command the switch will select an interface to become active only if a link remained stable for the duration of the Forward Delay period If the link is unstable the Forward Delay period starts again Preemption You can configure ...

Page 435: ...the Backup interface A port that is a member of one Hot Links trigger cannot be a member of another Hot Links trigger An individual port that is configured as a Hot Link interface cannot be a member of a LAG Configuring Hot Links Use the following commands to configure Hot Links NE2552E config hotlinks trigger 1 enable Enable Hot Links Trigger 1 NE2552E config hotlinks trigger 1 master port EXT1 A...

Page 436: ...436 NE2552E Application Guide for ENOS 8 4 ...

Page 437: ...Cs on each server share the same IP address and are configured into a team One NIC is the primary link and the other is a standby link For more details refer to the documentation for your Ethernet adapter Note Only two links per server blade can be used for Layer 2 LAG Failover one primary and one backup Network Adapter Teaming allows only one backup NIC for each server blade ...

Page 438: ...r The VLAN Monitor allows Layer 2 Failover to discern different VLANs With VLAN Monitor turned on If enough links in a trigger fail see Setting the Failover Limit on page 440 the switch disables all internal ports that reside in the same VLAN membership as the LAG s in the trigger When enough links in the trigger return to service the switch enables the internal ports that reside in the same VLAN ...

Page 439: ... Figure 52 Two LAGs each in a different Failover Trigger Figure 53 shows a configuration with two LAGs VLAN Monitor is turned off so only one Failover Trigger is configured on each switch Switch 1 is the primary switch for Server 1 and Server 2 Switch 2 is the primary switch for Server 3 and Server 4 STP is turned off If all links in trigger 1 go down switch 1 disables all internal links to server...

Page 440: ...e the trigger initiates a failover event For example if the limit is two a failover event occurs when the number of operational links in the trigger is two or fewer When you set the limit to zero the switch triggers a failover event only when no links in the trigger are operational Trigger 1 Trigger 1 VLAN 1 VLAN 2 VLAN Monitor Off Routing Switch Enterprise Internet Server 1 Server 3 Server 2 Serv...

Page 441: ...operational as long as the following conditions are true The port must be in the Link Up state If STP is enabled the port must be in the Forwarding state If the port is part of an LACP LAG the port must be in the Aggregated state If any of the above conditions is false the monitor port is considered to have failed Control Port State A control port is considered Operational if the monitor trigger i...

Page 442: ...ber of the trigger Note If you change the LACP system priority on an LACP aggregation the failover trigger goes down Spanning Tree Protocol If Spanning Tree Protocol STP is enabled on the ports in a failover trigger the switch monitors the port STP state rather than the link state A port failure results when STP is not in a Forwarding state such as Learning Discarding or No Link The switch automat...

Page 443: ...ply All external ports in all static or LACP LAGs added to a specific failover trigger must belong to the same VLAN and have the same PVID Different triggers are not permitted to operate on the same VLAN Different triggers are not permitted to operate on the same internal port For each port in each LAG in a specific failover trigger the trigger will monitor the STP state on only the default PVID M...

Page 444: ...nks to disable when the failover limit is reached 4 Configure general Layer 2 Failover parameters 5 Enable failover globally 6 Verify the configuration NE2552E config portchannel 1 port EXT1 EXT2 EXT3 enable NE2552E config failover trigger 1 enable NE2552E config failover trigger 1 limit 0 1024 NE2552E config failover trigger 1 amon portchannel 1 NE2552E config show failover trigger 1 information ...

Page 445: ...rview In a high availability network topology no device can create a single point of failure for the network or force a single point of failure to any other part of the network This means that your network will remain in service despite the failure of any single device To achieve this usually requires redundancy for all vital network components VRRP enables redundant router configurations within a...

Page 446: ...P pings TCP connections and so on There is no requirement for any VRRP router to be the IPv4 address owner Most VRRP installations choose not to implement an IPv4 address owner For the purposes of this chapter VRRP routers that are not the IPv4 address owner are called renters Master and Backup Virtual Router Within each virtual router one VRRP router is selected to be the virtual router master Se...

Page 447: ...master periodically sends advertisements to an IPv4 multicast address As long as the backups receive these advertisements they remain in the backup state If a backup does not receive an advertisement for three advertisement intervals it initiates a bidding process to determine which VRRP router has the highest priority and takes over as master In addition to the three advertisement intervals a man...

Page 448: ... as an inefficient use of network resources because one functional application switch sits by idly until a failure calls it into action Service providers now demand that vendorsʹ equipment support redundant configurations where all devices can process traffic when they are healthy increasing site throughput and decreasing user response times when no device has failed Lenovo ENOS high availability ...

Page 449: ...primary application for VRRP based hot standby is to support Server Load Balancing when you have configured Network Adapter Teaming on your server blades With Network Adapter Teaming the NICs on each server share the same IPv4 address and are configured into a team One NIC is the primary link and the others are backup links For more details refer to the relevant network adapter documentation The h...

Page 450: ...onfigurations or any other configuration that require shared interfaces A VRRP group has the following characteristics When enabled all virtual routers behave as one entity and all group settings override any individual virtual router settings All individual virtual routers once the VRRP group is enabled assume the group s tracking and priority When one member of a VRRP group fails the priority of...

Page 451: ... master then the standby can assume the role of the master See Configuring the Switch for Tracking on page 452 for an example on how to configure the switch for tracking VRRP priority Table 31 VRRP Tracking Parameters Parameter Description Number of IP interfaces on the switch that are active up tracking priority increment interfaces Helps elect the virtual routers with the most available routes a...

Page 452: ... is less disruptive than bringing a new master online and severing all active connections in the process If switch 1 is the master and it has two or more active servers fewer than switch 2 then switch 2 becomes the master If switch 2 is the master it remains the master even if servers are restored on switch 1 such that it has one fewer or an equal number of servers If switch 2 is the master and it...

Page 453: ...us Switches in a virtual router need not be identically configured In the scenario illustrated in Figure 57 traffic destined for IPv4 address 10 0 1 1 is forwarded through the Layer 2 switch at the top of the drawing and ingresses NE2552E 1 on port EXT1 Return traffic uses default gateway 1 192 168 1 1 If the link between NE2552E 1 and the Layer 2 switch fails NE2552E 2 becomes the Master because ...

Page 454: ...onfig ip if enable NE2552E config ip if exit NE2552E config interface ip 4 NE2552E config ip if ip address 10 0 2 101 255 255 255 0 NE2552E config ip if enable NE2552E config ip if exit NE2552E config ip gateway 1 address 192 168 1 1 NE2552E config ip gateway 1 enable NE2552E config ip gateway 2 address 192 168 2 1 NE2552E config ip gateway 2 enable NE2552E config router vrrp NE2552E config vrrp e...

Page 455: ...d 20 NE2552E config if exit NE2552E config no spanning tree stp 1 NE2552E config interface ip 1 NE2552E config ip if ip address 192 168 1 101 255 255 255 0 NE2552E config ip if vlan 10 NE2552E config ip if enable NE2552E config ip if exit NE2552E config interface ip 2 NE2552E config ip if ip address 192 168 2 100 255 255 255 0 NE2552E config ip if vlan 20 NE2552E config ip if enable NE2552E config...

Page 456: ...outer id 2 NE2552E config vrrp virtual router 2 interface 2 NE2552E config vrrp virtual router 2 address 192 168 2 200 NE2552E config vrrp virtual router 2 enable NE2552E config vrrp virtual router 1 track ports NE2552E config vrrp virtual router 2 track ports NE2552E config vrrp virtual router 2 priority 101 NE2552E config vrrp exit NE2552E config vlan 10 NE2552E config vlan exit NE2552E config i...

Page 457: ... peer switches should have an equal number of connected ports If hot standby is implemented in a looped environment the hot standby feature automatically disables the hot standby ports on the VRRP Standby If the Master switch should failover to the Standby switch it would change the hot standby ports from disabled to forwarding without relying on Spanning Tree or manual intervention Therefore Span...

Page 458: ...xit NE2552E config router vrrp NE2552E config vrrp enable NE2552E config vrrp virtual router 1 virtual router id 1 NE2552E config vrrp virtual router 1 interface 1 NE2552E config vrrp virtual router 1 address 174 14 20 100 NE2552E config vrrp virtual router 1 enable NE2552E config vrrp virtual router 2 virtual router id 2 NE2552E config vrrp virtual router 2 interface 2 NE2552E config vrrp virtual...

Page 459: ...erface 2 NE2552E config ip if enable NE2552E config ip if exit NE2552E config router vrrp NE2552E config vrrp enable NE2552E config vrrp virtual router 1 virtual router id 1 NE2552E config vrrp virtual router 1 interface 1 NE2552E config vrrp virtual router 1 address 174 14 20 100 NE2552E config vrrp virtual router 1 enable NE2552E config vrrp virtual router 2 virtual router id 2 NE2552E config vr...

Page 460: ...460 NE2552E Application Guide for ENOS 8 4 ...

Page 462: ...462 NE2552E Application Guide for ENOS 8 4 ...

Page 463: ...are support Link Layer Discovery Protocol LLDP This chapter discusses the use and configuration of LLDP on the switch LLDP Overview on page 464 Enabling or Disabling LLDP on page 465 LLDP Transmit Features on page 466 LLDP Receive Features on page 471 LLDP Example Configuration on page 475 ...

Page 464: ...elp administrators quickly recognize a variety of common network configuration problems such as unintended VLAN exclusions or mis matched port aggregation membership The LLDP transmit function and receive function can be independently configured on a per port basis The administrator can allow any given port to transmit only receive only or both transmit and receive LLDP information The LLDP inform...

Page 465: ...ange the LLDP transmit and receive state the following commands are available To view the LLDP transmit and receive status use the following commands NE2552E config no lldp enable Turn LLDP on or off globally NE2552E config interface port x Select a switch port NE2552E config if lldp admin status tx_rx Transmit and receive LLDP NE2552E config if lldp admin status tx_only Only transmit LLDP NE2552E...

Page 466: ...l is the number of seconds between LLDP transmissions The range is 5 to 32768 The default is 30 seconds Minimum Interval In addition to sending LLDP information at scheduled intervals LLDP information is also sent when the NE2552E detects relevant changes to its configuration or status such as when ports are enabled or disabled To prevent the NE2552E from sending multiple LLDP packets in rapid suc...

Page 467: ...sent when the NE2552E detects relevant changes to its configuration or status such as when ports are enabled or disabled To prevent the NE2552E from sending multiple trap notifications in rapid succession when port status is in flux a global trap delay timer can be configured The trap delay timer represents the minimum time permitted between successive trap notifications on any port Any interval d...

Page 468: ...LDP information associated with the NE2552E port from their MIB In addition if LLDP is fully disabled on a port using admstat disabled and later re enabled the NE2552E will temporarily delay resuming LLDP transmissions on the port in order to allow the port LLDP information to stabilize The reinitialization delay interval can be globally configured for all ports using the following command where i...

Page 469: ...ptional Information Types Type Description Default portdesc Port Description Enabled sysname System Name Enabled sysdescr System Description Enabled syscap System Capabilities Enabled mgmtaddr Management Address Enabled portvid IEEE 802 1 Port VLAN ID Disabled portprot IEEE 802 1 Port and Protocol VLAN ID Disabled vlanname IEEE 802 1 VLAN Name Disabled protid IEEE 802 1 Protocol Identity Disabled ...

Page 470: ...S 8 4 dcbx Data Center Bridging Capability Exchange Protocol DCBX for the port Enabled all Select all optional LLDP information for inclusion or exclusion Disabled Table 32 LLDP Optional Information Types continued Type Description Default ...

Page 471: ...remote LLDP capable device is responsible for transmitting regular LLDP updates If the received updates contain LLDP information changes to port state configuration LLDP MIB structures deletion the switch will set a change flag within the MIB for convenient notification to SNMP based management systems Viewing Remote Device Information LLDP information collected from neighboring systems can be vie...

Page 472: ...umn NB Nearest Bridge 01 80 C2 00 00 0E NnTB Nearest non TPMR Bridge 01 80 C2 00 00 03 NCB Nearest Customer Bridge 01 80 C2 00 00 00 Total number of current entries 1 LocalPort Index Remote Chassis ID Remote Port Remote System Name DMAC EXT3 1 00 18 b1 33 1d 00 23 C12 NB NE2552E config show lldp remote device 1 Local Port Alias EXT3 Remote Device Index 1 Remote Device TTL 99 Remote Device RxChange...

Page 473: ...d bridge router System Capabilities Enabled bridge router Remote Management Address Subtype IPv4 Address 11 1 58 5 Interface Subtype ifIndex Interface Number 58 Object Identifier Local Port Alias EXT24 Remote Device Index 2 Remote Device TTL 108 Remote Device RxChanges false Chassis Type Mac Address Chassis Id 74 99 75 1c 71 00 Port Type Locally Assigned Port Id 56 Port Description EXT14 System Na...

Page 474: ... receive an LLDP update from the remote device before the time to live clock expires the switch will consider the remote information to be invalid and will remove all associated information from the MIB Remote devices can also intentionally set their LLDP time to live to 0 indicating to the switch that the LLDP information is invalid and should be immediately removed ...

Page 475: ...ig lldp holdtime multiplier 4 Remote hold 4 intervals NE2552E config lldp reinit delay 2 Wait 2 sec after reinit NE2552E config lldp trap notification interval 5 Minimum 5 sec between NE2552E config interface port n Select a switch port NE2552E config if lldp admin status tx_rx Transmit and receive LLDP NE2552E config if lldp trap notification Enable SNMP trap notifications NE2552E config if lldp ...

Page 476: ...476 NE2552E Application Guide for ENOS 8 4 ...

Page 477: ...77 Chapter 34 Simple Network Management Protocol Lenovo ENOS provides Simple Network Management Protocol SNMP version 1 version 2 and version 3 support for access through any network management software such as Lenovo Director ...

Page 478: ... For the SNMP manager to receive the SNMPv1 traps sent out by the SNMP agent on the switch configure the trap host on the switch with the following command Note You can use a loopback interface to set the source IP address for SNMP traps Use the following command to apply a configured loopback interface NE2552E config snmp server trap source loopback 1 5 NE2552E config snmp server read community 1...

Page 479: ...command path For more information on SNMP MIBs and the commands used to configure SNMP on the switch see the Lenovo ENOS 8 4 Command Reference Default Configuration Lenovo ENOS has SNMPv3 disabled by default If a user created SNMPv3 user is found on the system SNMPv3 is enabled for backwards compatibility Up to 17 SNMP users can be configured on the switch To modify an SNMP user enter the followin...

Page 480: ...config snmp server user 5 authentication protocol md5 authentication password Changing authentication password validation required Enter current admin password admin password Enter new authentication password auth password Re enter new authentication password auth password New authentication password accepted NE2552E config snmp server user 5 privacy protocol des privacy password Changing privacy ...

Page 481: ...E config snmp server group 3 group name usrgrp Create views for user NE2552E config snmp server view 6 name usr NE2552E config snmp server view 6 tree 1 3 6 1 4 1 1872 2 5 1 2 Agent information NE2552E config snmp server view 7 name usr NE2552E config snmp server view 7 tree 1 3 6 1 4 1 1872 2 5 1 3 L2 statistics NE2552E config snmp server view 8 name usr NE2552E config snmp server view 8 tree 1 3...

Page 482: ...nfig snmp server view 20 name oper NE2552E config snmp server view 20 tree 1 3 6 1 4 1 1872 2 5 1 2 Agent information NE2552E config snmp server view 21 name oper NE2552E config snmp server view 21 tree 1 3 6 1 4 1 1872 2 5 1 3 L2 statistics NE2552E config snmp server view 22 name oper NE2552E config snmp server view 22 tree 1 3 6 1 4 1 1872 2 5 2 2 L2 information NE2552E config snmp server view 2...

Page 483: ...orts both retrieving the logs via SNMP ʹGetʹ requests and the forwarding of event logs via SNMP traps Supported management tools are xHMC and other security and information event management SIEM tools like Qradar Security audit logging refers to the following event types NTP Server DHCP server configuration changes Switch management IP address changes OSPF BGP RIP authentication changes Software R...

Page 484: ...community string is used in the trap NE2552E config snmp server user 10 name v1trap NE2552E config snmp server access user number NE2552E config snmp server access 10 Access group to view SNMPv1 traps name v1trap security snmpv1 notify view iso NE2552E config snmp server group 10 Assign user to the access group security snmpv1 user name v1trap group name v1trap NE2552E config snmp server notify 10...

Page 485: ...e v2trap NE2552E config snmp server access 10 security snmpv2 NE2552E config snmp server access 10 notify view iso NE2552E config snmp server notify 10 name v2trap NE2552E config snmp server notify 10 tag v2trap NE2552E config snmp server target address 10 name v2trap address 100 10 2 1 NE2552E config snmp server target address 10 taglist v2trap NE2552E config snmp server target address 10 paramet...

Page 486: ...otocol md5 authentication password Changing authentication password validation required Enter current admin password admin password Enter new authentication password auth password Re enter new authentication password auth password New authentication password accepted NE2552E config snmp server access 11 notify view iso NE2552E config snmp server access 11 level authnopriv NE2552E config snmp serve...

Page 487: ...ap definitions of the Lenovo ENOS SNMP agent are contained in the following Lenovo ENOS enterprise MIB document GbScSE 10G L2L3 mib The Lenovo ENOS SNMP agent supports the following standard MIBs dot1x mib ieee8021ab mib ieee8023ad mib lldpxdcbx mib rfc1213 mib rfc1215 mib rfc1493 mib rfc1573 mib rfc1643 mib rfc1657 mib rfc1757 mib rfc1850 mib rfc1907 mib rfc2037 mib rfc2233 mib rfc2465 mib rfc257...

Page 488: ...rom which the attempt was made altSwValidLogin Signifies that a user login has occurred altSwApplyComplete Signifies that new configuration has been applied altSwSaveComplete Signifies that new configuration has been saved altSwFwDownloadSucess Signifies that firmware has been downloaded to image1 image2 boot image altSwFwDownloadFailure Signifies that firmware downloaded failed to image1 image2 b...

Page 489: ...SwHotlinksBackupDn Signifies that the Backup interface is not active altSwHotlinksNone Signifies that there are no active interfaces altSwStgBlockingState Signifies port state has changed to blocking state altSwTeamingCtrlUp Signifies that the teaming is up altSwTeamingCtrlDown Signifies that the teaming control is down altSwTeamingCtrlDownTearDown Blked Signifies that the teaming control is down ...

Page 490: ... gateway is alive ipCurCfgGwIndex is the index of the Gateway in ipCurCfgGwTable The range for ipCurCfgGwIndex is from 1 to ipGatewayTableMax ipCurCfgGwAddr is the IP address of the default gateway altSwDefGwDown Signifies that the default gateway is down ipCurCfgGwIndex is the index of the Gateway in ipCurCfgGwTable The range for ipCurCfgGwIndex is from 1 to ipGatewayTableMax ipCurCfgGwAddr is th...

Page 491: ...ent has transitioned to Backup state vrrpCurCfgVirtRtrIndx is the VRRP virtual router table index referenced in vrrpCurCfgVirtRtrTable The range is from 1 to vrrpVirtRtrTableMaxSize vrrpCurCfgVirtRtrAddr is the VRRP virtual router IP address altSwVrrpAuthFailure Signifies that a packet has been received from a router whose authentication key or authentication type conflicts with this routerʹs auth...

Page 492: ...etached from the stack altSwStackBackupPresent Signifies that a new backup has been set altSwStackBackupGone Signifies that the backup switch has been made unavailable altSwStackMasterAfterInit Signifies that the switch has become master after init altSwStackMasterFromBackup Signifies that the switch has become master from backup altSwStackDuplicateJoinAttempt Signifies that a new switch with dupl...

Page 493: ...oted config of a newly attached switch does not match that of the master altSwStackNvramMasterJoin Signifies that a switch which was configured as a master in NVRAM has attached to the stack altSwStackForceDetach Signifies that the master has sent a FORCE DETACH message to a member altVMGroupVMotion Signifies that a virtual machine has moved from a port to another altVMGroupVMOnline Signifies that...

Page 494: ...sly saved switch configuration from a FTP TFTP SFTP server Save the switch configuration to a FTP TFTP SFTP server Save a switch dump to a FTP TFTP SFTP server Table 34 MIBs for Switch Image and Configuration Files MIB Name MIB OID agTransferServer 1 3 6 1 4 1872 2 5 1 1 7 1 0 agTransferImage 1 3 6 1 4 1872 2 5 1 1 7 2 0 agTransferImageFileName 1 3 6 1 4 1872 2 5 1 1 7 3 0 agTransferCfgFileName 1 ...

Page 495: ...FTP server enter a password Set agTransferPassword 0 MyPassword 6 Initiate the transfer To transfer a switch image enter 2 gtimg Set agTransferAction 0 2 Loading a Saved Switch Configuration To load a saved switch configuration with the name MyRunningConfig cfg into the switch follow the steps below This example shows a TFTP server at IPv4 address 192 168 10 10 though IPv6 is also supported 1 Set ...

Page 496: ...TP server enter a password Set agTransferPassword 0 MyPassword 5 Initiate the transfer To save a running configuration file enter 4 Set agTransferAction 0 4 Saving a Switch Dump To save a switch dump to a FTP TFTP SFTP server follow the steps below This example shows an FTP TFTP SFTP server at 192 168 10 10 though IPv6 is also supported 1 Set the FTP TFTP SFTP server address where the configuratio...

Page 497: ...by User Agents There can only be one Directory Agent present per given host The Directory Agent acts as an intermediate tier in the SLP architecture placed between the User Agents and the Service Agents so they communicate only with the Directory Agent instead of with each other This eliminates a large portion of the multicast request or reply traffic on the network and it protects the Service Age...

Page 498: ...498 NE2552E Application Guide for ENOS 8 4 ...

Page 499: ...es a session with the switch acting as a NETCONF server using a Remote Procedure Call RPC NETCONF is based on the Extensible Markup Language XML for encoding data and for exchanging configuration and protocol messages The following topics are discussed in this section NETCONF Overview on page 500 XML Requirements on page 501 Installing the NETCONF Client on page 502 Using Juniper Perl Client on pa...

Page 500: ...connection to the switch acting as a NETCONF server 2 The client and switch exchange hello messages to declare their capabilities 3 The client sends a request via rpc message to the switch 4 The switch sends a response via rpc reply message to the client Note Steps 3 and 4 must be repeated for each request that the client sends to the switch 5 The client sends a close session message to the switch...

Page 501: ...owing namespace urn ietf params xml ns netconf base 1 0 NETCONF capability names must be Uniform Resource Identifiers URIs urn ietf params netconf capability name 1 0 where name is the name of the capability Document type declarations must not appear in the NETCONF content For Secure Shell SSH you must use a special message termination sequence of six characters to provide message framing ...

Page 502: ...the Blade NETCONF Python Client BNClient 1 Extract the file blade netconf python client v0 1 zip to the following folder C You will see two folders under the root folder C blade netconf python client v0 1 blade netconf python client python ssh library Note Ensure you see Paramiko version 1 7 4 or higher in the folder C blade netconf python client v0 1 python ssh library 2 Open the command prompt S...

Page 503: ...to establish a session d Enter the following command to get the running configuration Note get py is an example of a NETCONF operation python script You can edit the script or write a new script as per your requirements python C blade netconf python client v0 1 blade netconf python client bnclient bnclient py h python C blade netconf python client v0 1 blade netconf python client bnclient bnclient...

Page 504: ...e to the following directory home user juniper netconf perl client b Extract the following file netconf perl 10 0R2 10 tar gz c Change to the following directory home user juniper netconf perl client netconf perl 10 0R 2 10 d Install the client as per the instructions in the README file Note If the prerequisites package installation fails manually install each file in home user juniper netconf per...

Page 505: ...SSH connection 2 Type or paste the following hello message The switch returns a hello message ssh admin switch IP address p 830 s netconf hello capabilities capability urn ietf params netconf base 1 0 capability capabilities hello hello xmlns urn ietf params xml ns netconf base 1 0 capabilities capability urn ietf params netconf base 1 0 capability capability urn ietf params netconf capability wri...

Page 506: ...switch sends the following response rpc message id 100 get filter type subtree configuration text filter get rpc rpc reply message id 100 data configuration text xmlns http www lenovo com netconf 1 0 config text version 6 9 1 switch type Lenovo Networking Operating System Lenovo ThinkSystem NE2552E Flex Switch no system dhcp mgta interface ip 127 ip address 172 31 36 51 enable exit ip gateway 3 ad...

Page 507: ...artup configuration copy config Replace the target running or startup configuration with a source running or startup configuration delete config Delete startup configuration lock Lock the running configuration to prevent other users via another NETCONF session from changing it unlock Release a locked running configuration get Retrieve running configuration and device state information close sessio...

Page 508: ...type subtree configuration text xmlns http www lenovo com netconf 1 0 config text filter get config rpc rpc reply message id 101 xmlns urn ietf params xml ns netconf base 1 0 data configuration text xmlns http www lenovo com netconf 1 0 config text configuration text configuration text data rpc reply Table 36 get config Tag Element Values Tag Element Description Value source The configuration text...

Page 509: ...e 1 0 edit config target running target default operation merge default operation error option stop on error error option config text xmlns http www lenovo com netconf 1 0 config text configuration text hostname Router configuration text config text edit config rpc rpc reply message id 101 xmlns urn ietf params xml ns netconf base 1 0 ok rpc reply ...

Page 510: ...onding level replace The new configuration replaces the target configuration none The target configuration does not change unless the configuration data in the configuration text parameter uses the operation attribute to request a different operation error option Set the option to handle configuration error stop on error Abort the edit config operation on first error This is the default error opti...

Page 511: ...etf params xml ns netconf base 1 0 copy config target startup target source running source copy config rpc rpc reply message id 101 xmlns urn ietf params xml ns netconf base 1 0 ok rpc reply Table 38 copy config Tag Element Values Tag Element Description Value target Configuration that needs to be changed running or startup source Source configuration running or startup ...

Page 512: ...delete config rpc rpc reply message id 101 xmlns urn ietf params xml ns netconf base 1 0 ok rpc reply Table 39 delete config Tag Element Values Tag Element Description Value target Configuration that needs to be deleted startup rpc message id 101 xmlns urn ietf params xml ns netconf base 1 0 lock target running target lock rpc rpc reply message id 101 xmlns urn ietf params xml ns netconf base 1 0 ...

Page 513: ...nts and their values rpc message id 101 xmlns urn ietf params xml ns netconf base 1 0 unlock target running target unlock rpc rpc reply message id 101 xmlns urn ietf params xml ns netconf base 1 0 ok rpc reply Table 41 unlock Tag Element Values Tag Element Description Value target Configuration being edited running ...

Page 514: ... of the configuration configuration text xmlns http www lenovo com netconf 1 0 config text filter get rpc rpc reply message id 101 xmlns urn ietf params xml ns netconf base 1 0 data configuration text xmlns http www lenovo com netconf 1 0 config text configuration text configuration text data rpc reply Table 42 get Tag Element Values Tag Element Description Value filter Filter type subtree configu...

Page 515: ...netconf base 1 0 close session rpc rpc reply message id 101 xmlns urn ietf params xml ns netconf base 1 0 ok rpc reply rpc message id 101 xmlns urn ietf params xml ns netconf base 1 0 kill session session id 4 session id kill session rpc rpc reply message id 101 xmlns urn ietf params xml ns netconf base 1 0 ok rpc reply Table 43 kill session Tag Element Values Tag Element Description session id ID...

Page 516: ...tion database commited format text rpc rpc reply message id 101 xmlns urn ietf params xml ns netconf base 1 0 data configuration text xmlns http www lenovo com netconf 1 0 config text configuration text configuration text data rpc reply Table 44 get configuration Tag Element Values Tag Element Description Attributes get configuratio n Retrieve the configuration database supports only committed for...

Page 517: ...tatus oper status local index local index if type if type link level type link level type mtu mtu speed speed link type link type traffic statistics input bytes input bytes output bytes output bytes input packets input packets output packets output packets traffic statistics input error list input errors input errors framing errors framing errors input giants input giants input discards input disc...

Page 518: ...ace information Tag Element Values Tag Element Description interface name Interface name or number You can use the tags brief or detail to specify the amount of information you need name Name of the port or IP interface admin status Administration status of port interface shutdown or no shutdown oper status Operational status of port interface link up or link down local index Local index of port i...

Page 519: ...ames in discarding state output collisions Number of Ethernet collisions output errors Sum of the outgoing frame aborts and FCS errors output drops Number of frames dropped address family name inet ifa destination Protocol network address of the interface ifa local Protocol host address on the interface ifa broadcast Network broadcast address Table 45 get interface information Tag Element Values T...

Page 520: ...520 NE2552E Application Guide for ENOS 8 4 ...

Page 521: ...which protocols can be enabled The SIOM only allows secured traffic and secured authentication management The following topics are discussed in this chapter SIOM Overview on page 522 Creating a Policy Setting on page 525 Managing User Accounts on page 528 Implementing Secure LDAP LDAPS on page 530 SIOM Dependencies on page 533 ...

Page 522: ...Chassis Management Module containing it must be running SIOM capable software and the IOM must have SIOM enabled In all other cases the IOM operates in LIOM mode When the IOM is in SIOM mode the security characteristics configured on the CMM are sent to the IOM These characteristics can be divided into the following categories Policy setting User Account Management Secure LDAP LDAPS authentication...

Page 523: ...be used to access the switch To access the switch you may now use one of the following methods The CMM credentials Other user credentials which depend on the SIOM security policy setting as follows In legacy mode if RADIUS or TACACS is enabled they will replace LDAP as the authentication method If LDAP backdoor mode is enabled you can still use local authentication by using noldap as the username ...

Page 524: ...IOM Switch boots up with all operational data ports disabled Although the management ports are enabled they canʹt be used by admin to set up the switch until the configuration is applied Internal management port is used by the CMM during the provisioning to exchange information with IOM At the end of provisioning when SIOM is enabled the rest of the operational ports come up and the switch will be...

Page 525: ...cols When you are in Secure Mode the following protocols are deemed insecure and are disabled HTTP LDAP Client SNMPv1 SNMPv2 Telnet server and client FTP server and client Radius client TFTP Server Except for the TFTP server these protocols cannot be enabled when the switch is operating in Secure Mode because the commands to enable or disable them are no longer enabled The following protocols alth...

Page 526: ...abled in any mode NTP Client v4 LDAPS Client The following protocols are also deemed secure on the NE2552E and can be enabled IKE IPSec The default state for these protocols in Secure Mode whether enabled or disabled is the same as in Legacy Mode The following protocols are deemed secure but are not currently supported by the NE2552E EAPoL SCP S MIME SNMPv3 Manager TCP command secure mode Port 609...

Page 527: ...yright Lenovo 2018 Chapter 37 Secure Input Output Module 527 SNMPv3 IPv6 bootp Notes Telnet IPv6 and TFTP IPv6 are disabled in Secure Mode TFTP IPv6 is allowed in Secure Mode for signed image transfers only ...

Page 528: ...le Node Accounts and will disable Local Accounts When the IOM runs as LIOM or the Centralized Flag is disabled SNMPv3 will use Local Accounts and disable Node Accounts Node Accounts represent accounts configured on the CMM while Local Accounts are accounts configured on the IOM Since there is no case where both the Node Account and Local Account are enabled the username of a Node Account can be du...

Page 529: ...ight Lenovo 2018 Chapter 37 Secure Input Output Module 529 For more information about these commands see the Lenovo ISCLI Industry Standard CLI Command Reference for the Lenovo ThinkSystem NE2552E Flex Switch ...

Page 530: ...M mode all LDAP configurations are made from the CMM and pushed to the IOM When the IOM is in LIOM mode the CLI can be used to configure LDAP settings LDAPS is disabled by default To enable LDAPS 1 Turn LDAP authentication on 2 Enable LDAP Enhanced Mode This changes the ldap server subcommands to support LDAPS 3 Configure the IPv4 addresses of each LDAP server 4 You may change the default TCP port...

Page 531: ... group filter attribute optional Note The group filter string must contain no whitespace If no group filter attribute is configured no groups will be filtered and all groups will be considered in any search 12 Enable DNS server verification Disabling LDAPS To disable LDAPS enter For information about using LDAP in Legacy Mode see LDAP Authentication and Authorization on page 110 NE2552E config lda...

Page 532: ...ide for ENOS 8 4 Syslogs and LDAPS Syslogs are displayed for the following error conditions Password change required on first login Password expired Username or password invalid Account temporarily locked Unknown no reason given ...

Page 533: ... depends upon the settings on the CMM This is especially important for NTP and LDAP which ensure switch operability For example if the LDAP client is configured incorrectly the switch cannot be managed The Enhanced Configuration and Management EHCM module configures the NTP client Therefore the NTP client is dependent upon the ECHM module being enabled and functional Some protocols cannot be chang...

Page 534: ...534 NE2552E Application Guide for ENOS 8 4 ...

Page 535: ...nitoring The ability to monitor traffic passing through the NE2552E can be invaluable for troubleshooting some types of networking problems This sections cover the following monitoring features Remote Monitoring RMON sFLOW Port Mirroring ...

Page 536: ...536 NE2552E Application Guide for ENOS 8 4 ...

Page 537: ...rview The RMON MIB provides an interface between the RMON agent on the switch and an RMON management application The RMON MIB is described in RFC 1757 The RMON standard defines objects that are suitable for the management of Ethernet networks The RMON agent continuously collects statistics and proactively monitors switch performance RMON allows you to monitor traffic flowing through the switch The...

Page 538: ...RMON statistics 2 View RMON statistics for the port NE2552E config interface port 23 NE2552E config if rmon NE2552E config if show interface port 23 rmon counters RMON statistics for port 23 etherStatsDropEvents NA etherStatsOctets 7305626 etherStatsPkts 48686 etherStatsBroadcastPkts 4380 etherStatsMulticastPkts 6612 etherStatsCRCAlignErrors 22 etherStatsUndersizePkts 0 etherStatsOversizePkts 0 et...

Page 539: ...dex object type as described in RFC1213 and RFC1573 The most common data type for the history sample is as follows 1 3 6 1 2 1 2 2 1 1 x mgmt interfaces ifTable ifIndex interface The last digit x represents the interface on which to monitor which corresponds to the switch port number History sampling is done per port by utilizing the interface number to specify the port number Configuring RMON His...

Page 540: ...ion Guide for ENOS 8 4 3 View RMON history for the port NE2552E config show rmon history RMON History group configuration Index IFOID Interval Rbnum Gbnum 1 1 3 6 1 2 1 2 2 1 1 1 120 30 30 Index Owner 1 rmon port 1 history ...

Page 541: ... 6 1 2 1 5 1 x mgmt icmp icmpInMsgs where x represents the interface on which to monitor which corresponds to the switch interface number or port number as follows 1 through 128 Switch interface number 129 Switch port 1 130 Switch port 2 131 Switch port 3 and so on This value represents the alarmʹs MIB OID as a string Note that for non tables you must supply a 0 to specify an end node Configuring ...

Page 542: ... generated that triggers event index 5 Configure the RMON Alarm parameters to track ICMP messages NE2552E config rmon alarm 1 oid 1 3 6 1 2 1 5 8 0 NE2552E config rmon alarm 1 alarm type rising NE2552E config rmon alarm 1 rising crossing index 110 NE2552E config rmon alarm 1 interval time 60 NE2552E config rmon alarm 1 rising limit 200 NE2552E config rmon alarm 1 sample delta NE2552E config rmon a...

Page 543: ...erly RMON uses a syslog host to send syslog messages Therefore an existing syslog host must be configured for event log notification to work properly Each log event generates a system log message of type RMON that corresponds to the event For example to configure the RMON event parameters This configuration creates an RMON event that sends a syslog message each time it is triggered by an alarm NE2...

Page 544: ...544 NE2552E Application Guide for ENOS 8 4 ...

Page 545: ... sent to the configured sFlow analyzer For each port the sFlow sampling rate can be configured to occur once each 256 to 65536 packets or 0 to disable the default A sampling rate of 256 means that one sample will be taken for approximately every 256 packets received on the port The sampling rate is statistical however It is possible to have slightly more or fewer samples sent to the analyzer for a...

Page 546: ...een 5 and 60 seconds or 0 to disable By default polling is 0 disabled for each port 3 On a per port basis define the data sampling rate Specify a sampling rate between 256 and 65536 packets or 0 to disable By default the sampling rate is 0 disabled for each port 4 Save the configuration NE2552E config sflow server IPv4 address sFlow server address NE2552E config sflow port service port Set the opt...

Page 547: ...irroring is configured so that only ingress traffic is copied and forwarded to the monitor A device attached to port EXT3 can analyze the resulting mirrored traffic Figure 60 Mirroring Ports The NE2552E supports two monitor ports with two way mirroring or four monitor ports with one way mirroring Lenovo ENOS does not support one to many or many to many mirroring models where traffic from a specifi...

Page 548: ...he following procedure may be used to configure port mirroring for the example shown in Figure 60 on page 547 1 Specify the monitoring port the mirroring port s and the port mirror direction 2 Enable port mirroring 3 View the current configuration NE2552E config port mirroring monitor port EXT3 mirroring port EXT1 in NE2552E config port mirroring monitor port EXT3 mirroring port EXT2 both NE2552E ...

Page 550: ...550 NE2552E Application Guide for ENOS 8 4 ...

Page 551: ...alue is 1 and maximum value is 254 Default is 100 A higher number will win out for master designation Proto Protocol The protocol of a frame Can be any value represented by a 8 bit value in the IP header adherent to the IP specification for example TCP UDP OSPF ICMP and so on SIP The source IP address of a frame SPort The source port application socket for example HTTP 80 HTTPS 443 DNS 53 Tracking...

Page 552: ... default gateway that is always available Two or more devices sharing an IP interface are either advertising or listening for advertisements These advertisements are sent via a broadcast message to an address such as 224 0 0 18 With VRRP one switch is considered the master and the other the backup The master is always advertising via the broadcasts The backup switch is always listening for the bro...

Page 553: ...d on Check for updated software firmware and operating system device drivers for your Lenovo product The Lenovo Warranty terms and conditions state that you the owner of the Lenovo product are responsible for maintaining and updating all software and firmware for the product unless it is covered by an additional maintenance contract Your service technician will request that you upgrade your softwa...

Page 554: ... You can solve many problems without outside assistance by following the troubleshooting procedures that Lenovo provides in the online help or in the Lenovo product documentation The Lenovo product documentation also describes the diagnostic tests that you can perform The documentation for most systems operating systems and programs contains troubleshooting procedures and explanations of error mes...

Page 555: ...ss or implied warranties in certain transactions therefore this statement may not apply to you This information could include technical inaccuracies or typographical errors Changes are periodically made to the information herein these changes will be incorporated in new editions of the publication Lenovo may make improvements and or changes in the product s and or the program s described in this p...

Page 556: ...nments may vary significantly Some measurements may have been made on development level systems and there is no guarantee that these measurements will be the same on generally available systems Furthermore some measurements may have been estimated through extrapolation Actual results may vary Users of this document should verify the applicable data for their specific environment ...

Page 557: ...he United States other countries or both Intel and Intel Xeon are trademarks of Intel Corporation in the United States other countries or both Internet Explorer Microsoft and Windows are trademarks of the Microsoft group of companies Linux is a registered trademark of Linus Torvalds Other company product or service names may be trademarks or service marks of others ...

Page 558: ...with the largest currently supported drives that are available from Lenovo Maximum memory might require replacement of the standard memory with an optional memory module Each solid state memory cell has an intrinsic finite number of write cycles that the cell can incur Therefore a solid state device has a maximum number of write cycles that it can be subjected to expressed as total bytes written T...

Page 559: ... of information technology IT equipment to responsibly recycle their equipment when it is no longer needed Lenovo offers a variety of programs and services to assist equipment owners in recycling their IT products For information on recycling Lenovo products go to http www lenovo com recycling ...

Page 560: ...Lenovo may condition provision of repair or replacement of devices or parts on implementation of appropriate remedial measures to mitigate such environmental contamination Implementation of such remedial measures is a customer responsibility Contaminant Limits Particulate The room air must be continuously filtered with 40 atmospheric dust spot efficiency MERV 9 according to ASHRAE Standard 52 21 A...

Page 561: ...t This product may not be certified in your country for connection by any means whatsoever to interfaces of public telecommunications networks Further certification may be required by law prior to making any such connection Contact a Lenovo representative or reseller for any questions ...

Page 562: ...own expense Properly shielded and grounded cables and connectors must be used to meet FCC emission limits Lenovo is not responsible for any radio or television interference caused by using other than recommended cables and connectors or by unauthorized changes or modifications to this equipment Unauthorized changes or modifications could void the user s authority to operate the equipment This devi...

Page 563: ...erence in which case the user may be required to take adequate measures Germany Class A Statement Deutschsprachiger EU Hinweis Hinweis für Geräte der Klasse A EU Richtlinie zur Elektromagnetischen Verträglichkeit Dieses Produkt entspricht den Schutzanforderungen der EU Richtlinie 2014 30 EU früher 2004 108 EC zur Angleichung der Rechtsvorschriften über die elektromagnetische Verträglichkeit in den...

Page 564: ...n in diesem Fall kann vom Betreiber verlangt werden angemessene Maßnahmen durchzuführen und dafür aufzukommen Nach dem EMVG Geräte dürfen an Orten für die sie nicht ausreichend entstört sind nur mit besonderer Genehmigung des Bundesministers für Post und Telekommunikation oder des Bundesamtes für Post und Telekommunikation betrieben werden Die Genehmigung wird erteilt wenn keine elektromagnetische...

Page 565: ...d Information Technology Industries Association JEITA Confirmed Harmonics Guidelines with Modifications products greater than 20 A per phase Korea Communications Commission KCC Statement This is electromagnetic wave compatibility equipment for business Type A Sellers and users need to pay attention to it This is for any areas other than home Russia Electromagnetic Interference EMI Class A statemen...

Page 566: ...566 NE2552E Application Guide for ENOS 8 4 ...

Page 567: ...Bootstrap Router PIM 425 Border Gateway Protocol BGP 375 attributes 382 failover configuration 384 route aggregation 381 route maps 378 selecting route paths 383 bridge module 244 270 Bridge Protocol Data Unit BPDU 176 broadcast domains 135 319 Browser Based Interface 30 394 BSR PIM 425 C Canada Class A electronic emission statement 562 CEE 246 802 1p QoS 247 bandwidth allocation 247 DCBX 246 266 ...

Page 568: ... LAN 114 external routing 376 393 F factory default configuration 59 failover 437 overview 448 FC BB 5 243 FCC Class A notice 562 FCC Class A 562 FCF 244 245 249 detection mode 252 FCoE 243 bridge module 244 270 CEE 245 246 248 CNA 244 ENodes 244 FCF 244 245 FIP snooping 244 249 FLOGI 252 point to point links 244 requirements 245 248 SAN 243 246 topology 244 VLANs 253 FCoE Forwarder See FCF Fibre ...

Page 569: ...Japan Electronics and Information Technology Indus tries Association statement 565 JEITA statement 565 jumbo frames 136 K Korea Class A electronic emission statement 565 L LACP 169 Layer 2 Failover 437 LDAP authentication secure 530 LDAP authentication 110 Link Aggregation Control Protocol 169 LLDP 246 267 logical segment See IP subnets lossless Ethernet 243 246 LSAs 392 M management module 30 32 ...

Page 570: ... ID 138 PVLAN 148 Q Q In Q 307 QoS 499 QSFP 160 161 Quality of Service 499 Querier IGMP 364 370 R RADIUS authentication 100 port 1812 and 1645 123 port 1813 123 SSH SCP 93 Rapid Spanning Tree Protocol RSTP 187 receive flow control 62 redistributing routes 381 386 redundancy active active 449 hot standby 449 re mark 126 222 Rendezvous Point PIM 419 424 restarting switch setup 59 RIP Routing Informa...

Page 571: ...tifier PVID 140 tagged frame 140 tagged member 140 untagged frame 140 untagged member 140 VLAN identifier VID 140 Telnet support optional setup for Telnet support 69 text conventions 26 time setup 60 trademarks 557 transmit flow control 62 tx flow control 62 typographic conventions 26 U UDP 122 United States FCC Class A notice 562 upgrade switch software 71 user account 46 102 V virtual interface ...

Page 572: ...572 NE2552E Application Guide for ENOS 8 4 ...

Page 573: ......

Page 574: ...Part Number 01KN246 Printed in USA IP P N 01KN246 ...

Search results

Summary of Contents for ThinkSystem NE2552E

Reviews:

Related manuals for ThinkSystem NE2552E

Brands by name

Popular brands

Lenovo ThinkSystem NE2552E, Application Manual

Search results

Summary of Contents for ThinkSystem NE2552E

Reviews:

Related manuals for ThinkSystem NE2552E

Brands by name

Popular brands