manualshive.com logo in svg

Quanta Cloud Technology QuantaMesh QNOS5, Configuration Manual

Share
Download
Quanta Cloud Technology QuantaMesh QNOS5 Configuration Manual Download Page 133

 

                                                                                                                                                                                                     133 

 

If IPSG is disabled on the ingress port, IPSG replies that the MAC is valid. If IPSG is enabled on the ingress 
port, IPSG checks the bindings database. If the MAC address is in the bindings database and the binding 
matches the VLAN the frame was received on, IPSG replies that the MAC is valid. If the MAC is not in the 
bindings database, IPSG informs port security that the frame is a security violation. 

In the case of an IPSG violation, port security takes whatever action it normally takes upon receipt of an 
unauthorized frame. Port security limits the number of MAC addresses to a configured maximum. If the 
limit 

is less than the number of stations 

in the bindings database, port security allows only 

stations to 

use the port. If 

n > m

, port security allows only the stations in the bindings database. 

4.2.3.

 

Dynamic ARP Inspection Overview 

Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. DAI prevents 
a class of man-in-the-middle attacks where an unfriendly station intercepts traffic for other stations by 
poisoning the ARP caches of its unsuspecting neighbors. The malicious attacker sends ARP requests or 
responses mapping another station’s IP address to its own MAC address. 

When DAI is enabled, the switch drops ARP packets whose sender MAC address and sender IP address do not 
match an entry in the DHCP snooping bindings database. You can optionally configure additional ARP packet 
validation. 

When DAI is enabled on a VLAN, DAI is enabled on the interfaces (physical ports or Port-channels) that are 
members of that VLAN. Individual interfaces are configured as trusted or untrusted. The trust configuration 
for DAI is independent of the trust configuration for DHCP snooping. 

4.2.3.1.

 

Optional DAI Features  

If you configure the MAC address validation option, DAI verifies that the sender MAC address equals the 
source MAC address in the Ethernet header. There is a configurable option to verify that the target MAC 
address equals the destination MAC address in the Ethernet header. This check applies only to ARP responses, 
since the target MAC address is unspecified in ARP requests. You can also enable IP address checking. When 
this option is enabled, DAI drops ARP packets with an invalid IP address. The following IP addresses are 
considered invalid: 

 

0.0.0.0 

 

255.255.255.255 

 

all IP multicast addresses 

 

all class E addresses (240.0.0.0/4) 

 

loopback addresses (in the range 127.0.0.0/8) 

The valid IP check is applied only on the sender IP address in ARP packets. In ARP response packets, the check is 
applied only on the target IP address. 

4.2.4.

 

Increasing Security with DHCP Snooping, DAI, and IPSG 

DHCP Snooping, IPSG, and DAI are security features that can help protect the switch and the network against 
various types of accidental or malicious attacks. It might be a good idea to enable these features on ports 

Summary of Contents for QuantaMesh QNOS5

Page 1: ...QuantaMesh Ethernet Switch Configuration Guide QNOS5 NOS Platform ...

Page 2: ...e Description Authors 1 0 15 Nov 2016 1 1st release Oliver Wu James Chu WT Chou and Thomas Lin 1 1 28 Mar 2017 1 New features added including BFD VRF Lite LACP Fallback and service prohibit access James Chu Oliver and WT Chou ...

Page 3: ...2 3x 20 1 1 13 Asymmetric Flow Control 21 1 1 14 Alternate Store and Forward ASF 21 1 1 15 Jumbo Frames Support 21 1 1 16 Auto MDI MDIX Support 21 1 1 17 Unidirectional Link Detection UDLD 21 1 1 18 Expandable Port Configuration 21 1 1 19 VLAN aware MAC based Switching 22 1 1 20 Back Pressure Support 22 1 1 21 Auto Negotiation 22 1 1 22 Storm Control 22 1 1 23 Port Mirroring 22 1 1 24 sFlow 23 1 1...

Page 4: ...ent 27 1 2 7 TACACS Client 27 1 2 8 Dot1x Authentication IEEE 802 1X 27 1 2 9 MAC Authentication Bypass 28 1 2 10 DHCP Snooping 28 1 2 11 Dynamic ARP Inspection 28 1 2 12 IP Source Address Guard 28 1 2 13 Service Prohibit Access 28 1 3 Quality of Service Features 28 1 3 1 Access Control Lists ACL 29 1 3 2 ACL Remarks 29 1 3 3 ACL Rule Priority 29 1 3 4 Differentiated Service DIffServ 29 1 3 5 Clas...

Page 5: ...ress Resolution Protocol ARP Table Management 34 1 5 7 BOOTP DHCP Relay Agent 35 1 5 8 IP Helper and UDP Relay 35 1 5 9 Routing Table 35 1 5 10 Virtual Router Redundancy Protocol VRRP 35 1 5 11 Algorithmic Longest Prefex Match ALPM 35 1 5 12 Bidirectional Forwarding Detection 35 1 5 13 VRF Lite Operation and Configuration 36 1 6 Layer 3 Multicast Features 36 1 6 1 Internet Group Management Protoco...

Page 6: ... 3 1 2 Update Image 45 2 3 1 3 Load Configuration 47 2 3 1 4 Select Serial Speed 48 2 3 1 5 Retrieve Error Log 48 2 3 1 6 Erase Current Configuration 49 2 3 1 7 Erase Permanent Storage 49 2 3 1 8 Select Boot Method 49 2 3 1 9 Activate Backup Image 50 2 3 1 10 Start Diagnostic Application 50 2 3 1 11 Reboot 50 2 3 1 12 Erase All Configuration Files 50 2 4 Understanding the User Interfaces 50 2 4 1 ...

Page 7: ...t channels 70 3 3 5 3 Configuration Static Port channels 71 3 4 LACP Fallback Configuration 72 3 4 1 Configuring Dynamic Port channels 72 3 4 2 Configuring Static Port channels 73 3 5 MLAG Operation and Configuration 74 3 5 1 Overview 75 3 5 2 Deployment Scenarios 75 3 5 2 1 Definitions 76 3 5 2 2 Configuration Consistency 77 3 5 3 MLAG Fast Failover 79 3 5 4 MLAG Configuration 79 3 6 Unidirection...

Page 8: ... 97 3 9 1 IGMP Snooping Querier 97 3 9 2 Configuring IGMP Snooping 97 3 9 3 IGMPv3 SSM Snooping 100 3 10 MLD Snooping 101 3 10 1 MLD Snooping Configuration Example 101 3 10 1 1 MLD Snooping Configuration Example 102 3 10 1 2 MLD Snooping Verification Example 103 3 10 2 MLD Snooping First Leave Configuration Example 103 3 10 2 1 MLD Snooping Configuration 104 3 10 3 MLD Snooping Querier Configurati...

Page 9: ...econdary RADIUS Servers 128 4 1 5 Configuring an Authentication Profile 129 4 2 Configuring DHCP Snooping DAI and IPSG 130 4 2 1 DHCP Snooping Overview 130 4 2 1 1 Populating the DHCP Snooping Bindings Database 131 4 2 1 2 DHCP Snooping and VLANs 131 4 2 1 3 DHCP Snooping Logging and Rate Limits 132 4 2 2 IP Source Guard Overview 132 4 2 2 1 IPSG and Port Security 132 4 2 3 Dynamic ARP Inspection ...

Page 10: ...t Methods 150 5 1 3 2 CoS Configuration Example 150 5 2 DiffServ 152 5 2 1 DiffServ Functionality and Switch Roles 153 5 2 2 Elements of DiffServ Configuration 153 5 2 3 Configuration DiffServ to Provide Subnets Equal Access to External Network 153 6 Configuring Switch Management Features 156 6 1 Managing Images and Files 156 6 1 1 Supported File Management Methods 156 6 1 2 Uploading and Download...

Page 11: ... 3 Downloading a Core Dump 169 6 3 1 Using NFS to Download a Core Dump 169 6 3 2 Using TFTP or FTP to Download a Core Dump 170 6 4 Setting the System Time 170 6 4 1 Manual Time Configuration 171 6 4 2 Configuring SNTP 172 6 5 Configuring System Log Example 172 6 5 1 Example 1 to Add Syslog Host 172 6 5 2 Example 2 to Verify Syslog Host Configuration 173 7 Configuring Routing 177 7 1 Basic Routing ...

Page 12: ... 9 200 7 5 3 2 Configuring BGP on Router 3 203 7 6 IPv6 Routing 204 7 6 1 How Does IPv6 Compare with IPv6 205 7 6 2 How are IPv6 Interface Configured 205 7 6 3 Default IPv6 Routing Values 206 7 6 4 Configuring IPv6 Routing Features 206 7 6 4 1 Configuring Global IP Routing Settings 207 7 6 4 2 Configuring IPv6 Interface Settings 207 7 6 4 3 Configuring IPv6 Neighbor Discovery 208 7 6 4 4 Configuri...

Page 13: ...M SM as the Multicast Routing Protocol 224 8 1 10 2 Using PIM DM as the Multicast Routing Protocol 225 8 2 Default L3 Multicast Values 225 8 3 L3 Multicast Configuration Examples 227 8 3 1 Configuring Multicast VLAN Routing with IGMP and PIM SM 227 8 3 2 Example 1 MLDv1 Configuration 229 8 3 3 Example 2 MLDv2 Configuration 230 8 3 4 Example 3 MLD Configuration Verification 230 9 Configuring Data C...

Page 14: ...ration and Configuration 243 9 6 1 Overview 243 9 6 1 1 VXLAN 244 9 6 2 Functional Description 244 9 6 2 1 VTEP to VN Association 244 9 6 2 2 Configuration of Remote VTEPs 245 9 6 2 3 VTEP Nex hop Resolution 246 9 6 2 4 VXLAN UDP Destination Port 246 9 6 2 5 Tunnels 246 9 6 2 6 MAC Learning and Aging 247 9 6 2 7 Host Configuration 247 9 6 2 8 ECMP 248 9 6 2 9 MTU 248 9 6 2 10 TTL and DSCP TOS 248 ...

Page 15: ...3 10 RSPAN Configuration Example 85 Figure 3 11 STP in a Small Bridged Network 89 Figure 3 12 Single STP Topology 90 Figure 3 13 Logical MSTP Environment 91 Figure 3 14 STP Example Network Diagram 94 Figure 3 15 MSTP Configuration Example 96 Figure 3 16 Switch with IGMP Snooping 98 Figure 3 17 MLD Snooping Topology 102 Figure 3 18 MLD Snooping Leave Configuration Topology 104 Figure 3 19 MLD Snoop...

Page 16: ...re 7 3 IP Unnumbered Configuration Example 181 Figure 7 4 OSPF Area Border Router 184 Figure 7 5 VRRP with Load Sharing Network Diagram 188 Figure 7 6 VRRP with Tracking Network Diagram 190 Figure 7 7 L3 Relay Network Diagram 196 Figure 7 8 Example BGP Network 198 Figure 7 9 BGP Configuration Example 200 Figure 7 10 VRF Scenarios 217 Figure 7 11 VRF routing with shared services 217 Figure 8 1 Mult...

Page 17: ...es 166 Table 6 4 Auto Install Defaults 168 Table 7 1 IP Routing Features 177 Table 7 2 Default Ports UDP Port Numbers Implied by Wildcard 193 Table 7 3 UDP Port Allocation 195 Table 7 4 IPv6 Routing Defaults 206 Table 7 5 IPv6 Interface Defaults 206 Table 7 6 Global IP Routing Settings 207 Table 7 7 IPv6 Interface Settings 208 Table 7 8 IPv6 Neighbor Discovery Settings 209 Table 7 9 IPv6 Static Ro...

Page 18: ...02 1p to TCG Mapping 242 Table 9 3 TCG Bandwidth and Scheduling 242 Table 9 4 VLAN and VXLAN Comparison 250 Table 9 5 Terms and Acronyms 254 Table 9 6 Terms and Acronyms Cont 255 Table 9 7 Terms and Acronyms Cont 256 ...

Page 19: ...ial for configuration errors The feature also makes VLAN configuration easier by reducing the amount of commands needed for port configuration For example to configure a port connected to an end user the administrator can configure the port in Access mode Ports connected to other switches can be configured in Trunk mode VLAN assignments and tagging behavior are automatically configured as appropri...

Page 20: ...in Port Fast mode is automatically placed in the forwarding state when the link is up to increase convergence time 1 1 9 Port channel Up to 32 ports can combine to form a single Port Channel This enables fault tolerance protection from physical link disruption higher bandwidth connections and improved bandwidth granularity A Port channel is composed of ports of the same speed set to full duplex op...

Page 21: ...en ASF is enabled the memory management unit MMU can forward a packet to the egress port before it has been entirely received on the Cell Buffer Pool CBP memory 1 1 15 Jumbo Frames Support Jumbo frames enable transporting data in fewer frames to ensure less overhead lower processing time and fewer interrupts The maximum transmission unit MTU size is configurable per port 1 1 16 Auto MDI MDIX Suppo...

Page 22: ...of operation The auto negotiation function provides the means to exchange information between two switches that share a point to point link segment and to automatically configure both switches to take maximum advantage of their transmission capabilities The switch enhances auto negotiation by providing configuration of port advertisement Port advertisement allows the system administrator to config...

Page 23: ...AC access list can be attached to any mirroring session or to all sessions at the same time 1 1 24 sFlow sFlow is the standard for monitoring high speed switched and routed networks sFlow technology is built into network equipment and gives complete visibility into network activity enabling effective management and control of network resources The switch supports sFlow version 5 1 1 25 Static and ...

Page 24: ...onality to flood multicast packets with DIP 224 0 0 x to ALL members of the incoming VLAN irrespective of the configured filtering behavior This enhancement depends on the ability of the underlying switching silicon to flood packets with DIP 224 0 0 x irrespective of the entries in the L2 Multicast Forwarding Tables In platforms that do not have the said hardware capability 2 ACLs one for IPv4 and...

Page 25: ...estinationport This feature is supportedfor remotemonitoringalso IP MAC access list can be attached to the mirroring session Note Flow based mirroring is supported only if QoS feature exists in the package Up to four RSPAN sessions can be configured on the switch and up to four RSPAN VLANs are supported An RSPAN VLAN cannot be configured as a source for more than one session at the same time To co...

Page 26: ...upports the configurationof the perimeter port role and FCF facing port roles and is intended for use only at the edge of the switched network The default port role in an FCoE enabled VLAN is as a perimeter port FCF facing ports are configured by the user 1 1 40 ECN Support Explicit Congestion Notification ECN is defined in RFC 3168 Conventional TCP networks signal congestion by dropping packets A...

Page 27: ... 1 2 5 MAC based Port Security The port security feature limits access on a port to users with specific MAC addresses These addresses are manually defined or learned on that port When a frame is seen on a locked port and the frame source MAC address is not tied to that port the protection mechanism is invoked 1 2 6 RADIUS Client The switch has a Remote Authentication Dial In User Service RADIUS cl...

Page 28: ... feature is supported for both IPv4 and IPv6 packets 1 2 11 Dynamic ARP Inspection Dynamic ARP Inspection DAI is a security feature that rejects invalid and malicious ARP packets The feature prevents a class of man in the middle attacks where an unfriendly station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors The malicious station sends ARP request...

Page 29: ...o add sequence numbers to ACL rule entries and re sequence them When a new ACL rule entry is added the sequence number can be specified so that the new ACL rule entry is placed in the desired position in the access list 1 3 4 Differentiated Service DIffServ The QoS Differentiated Services DiffServ feature allows traffic to be classified into streams and given certain QoS treatment in accordance wi...

Page 30: ...le Management You can upload and download files such as configurationfiles and system images by using FTP TFTP Secure FTP SFTP or Secure Copy SCP Configuration file uploads from the switch to a server are a good way to backuptheswitchconfiguration Youcanalsodownloada configuration filefromaservertotheswitchto restore the switch to the configuration in the downloaded file 1 4 5 FTP File Management ...

Page 31: ...he statistics application collects the statistics at a configurable time interval The user can specify the port number s or a range of ports for statistics to be displayed The configured time interval applies to all ports Detailed statistics are collected between the specified time range in date and time format The time range can be definedas havingan absolutetimeentryand ora periodictime For exam...

Page 32: ...s when the source IP address of the packet matches an address on one of these interfaces This feature allows the Linux IP stack to use default routes for different interfaces simultaneously 1 4 16 Core Dump The core dump feature provides the ability to retrieve the state from a crashed box such that it can be then loaded into a debugger and have that state re created there 1 4 16 1 Core Dump File ...

Page 33: ... disabled for any reason or for some reasons but not others 1 5 Routing Features 1 5 1 IP Unnumbered Each routing interface can be configured to borrow the IP address from the loopback interfaces and use this IP for all routing activities The IP Unnumbered feature was initially developed to avoid wasting an entire subnet on point to point serial links The IP Unnumbered feature can also be used in ...

Page 34: ...ted from a specific neighbor Show command to list the routes rejected from a specific neighbor Supports for BGP communities Supports for IPv6 IPv6 Transport and Prefix list Supports for BGP peer templates to simplify neighbor configuration 1 5 4 VLAN Routing QNOS software supports VLAN routing You can also configure the software to allow traffic on a VLAN to be treated as if the VLAN were a router...

Page 35: ...pability of VRRP to allow tracking of specific route interface IP states within the router that can alter the priority level of a virtual router for a VRRP group 1 5 11 Algorithmic Longest Prefex Match ALPM ALPM is a protocol used by routers to select an entry from a forwarding table When an exact match is not found in the forwarding table the match with the longest subnet mask also called longest...

Page 36: ...ries switches perform the multicast router part of the IGMP protocol which means it collects the membership information needed by the active multicast router 1 6 2 Protocol Independent Multicast 1 6 2 1 Dense Mode PIM DM Protocol Independent Multicast PIM is a standard multicast routing protocol that provides scalable inter domain multicast routing across the Internet independent of the mechanisms...

Page 37: ...iority field of the 802 1Q VLAN header An interface that is configured for PFC is automatically disabled for 802 3x flow control Note Support for PFC is not available on all platforms 1 7 2 Data Center Bridging Exchange Protocol The Data Center Bridging Exchange Protocol DCBX is used by data center bridge devices to exchange configuration information with directly connected peers The protocol is a...

Page 38: ...er 3 function IP based technologies that prepend an existing layer 2 frame with a new IP header providing layer 3 based tunneling capabilities for layer 2 frames This essentially enables a layer 2 domain to extend across a layer 3 boundary For the traffic from a VXLAN to use services on physical devices in a distant network the traffic must pass through a VXLAN Gateway The QNOS VXLAN Gateway featu...

Page 39: ...onfiguring and Applying Authentication Profiles 2 1 1 Connecting to the Switch Console To connect to the switch and configure or view network information use the following steps 1 Using a straight through modem cable connect a VT100 ANSI terminal or a workstation to the console serial port If you attached a PC Apple or UNIX workstation start a terminal emulationprogram such as HyperTerminal or Ter...

Page 40: ... and you must know the IP or IPv6 address of the management interface The switch has no IP address by default The DHCP client on the service port is enabled and the DHCP client on the management VLAN interface is disabled After you configure or view network information configure the authentication profile for telnet or SSH see Configuring and Applying Authentication Profiles and physically and log...

Page 41: ...P and manually assign an IPv6 address and optionally default gateway enter serviceport protocol none serviceport ipv6 address address prefix length eui64 serviceport ipv6 gateway gateway To view the assigned or configured network address enter show serviceport To enable the DHCP client on the service port enter serviceport protocol dhcp 2 2 1 2 Configuring the In Band Management Interface To use a...

Page 42: ...stem to move from one part of the network to another while maintaining the same IP address DHCP client Identifier Option 61 is used by DHCP clients to specify their unique identifier The client identifier option is optional and can be specified while configuring the DHCP on the interfaces DHCP Option 61 is enabled by default 2 2 2 1 Configuring DHCP Option 61 Configuring the DHCP with client id op...

Page 43: ...nts to determine if the switch is fully operational before completely booting If a critical problem is detected the program flow stops If POST passes successfully a valid executable image is loaded into RAM POST messages are displayed on the terminal and indicate test success or failure To view the text that prints to the screen during the boot process perform the following steps 1 Make sure that ...

Page 44: ...ng example mightnot representthe options available on your platform You can perform many configuration tasks through the Utility menu which can be invoked after the first part of the POST is completed To display the Utility menu boot the switch observe the output that prints to the screen After various system initialization information displays the following message appears Select startup mode If ...

Page 45: ...ons describe the Utility menu options 2 3 1 1 Start QNOS5 Application Use option 1 to resume loading the operationalcode After you enter 1 the switch exits the Startup Utility menu and the switch continues the boot process 2 3 1 2 Update Image Use option 2 to download a new software image to the switch to replace a corrupted image or to update or upgrade the system software Theswitchispreloaded wi...

Page 46: ...1 23 Note The switch uses the IP address subnet mask and default gateway information you specify for the TFTP download process only The switch automaticallyreboots after the process completes and this information is not saved 5 Enter the subnet mask associatedwith the managementinterfaceIP addressor press ENTERto accept the default value which is 255 255 255 0 6 Optionally enter the IP address of ...

Page 47: ...MODEM Send The Send File window displays b Browse to the file to download and click to select it c From the Protocol field select the protocol to use for the file transfer d Click Open to send it After you start the file transfer the software is downloaded to the switch which can take several minutes The terminal emulation application might display the loading process progress 5 Aftersoftware down...

Page 48: ...400 3 4800 4 9600 5 19200 6 38400 7 57600 8 115200 9 Exit without change Select option 1 9 To set the serial speed enter the number that corresponds to the desired speed Note The selected baud rate takes effect immediately 2 3 1 5 Retrieve Error Log Use option 5 to retrieve the error log that is stored in nonvolatile memory and upload it from the switch to your ASCII terminal or administrative sys...

Page 49: ...on 2 3 1 7 Erase Permanent Storage Use option7 to completelyerase the switch softwareapplication any log files and any configurations The boot loader and operating system are not erased Use this option only if a file has become corrupt and your are unable to use option 2 Load Code Update Package to load a new image onto the switch After you erase permanent storage you must download an image to the...

Page 50: ...d image1 activated system reboot recommended Reboot Y N Enter y to reload the switch 2 3 1 10 Start Diagnostic Application Option 10 is for field support personnel only Access to the diagnostic application is password protected 2 3 1 11 Reboot Use option 11 to restart the boot process 2 3 1 12 Erase All Configuration Files Use option 12 to clear changes to the startup config file and the factory d...

Page 51: ...you type at the command prompt If there are no additional command keywords or parameters or if additional parameters are optional the following message appears in the output cr Press Enter to execute the command For more information about the CLI see the QNOS CLI Command Reference The QNOS CLI Command Reference lists each command available from the CLI by the command name and provides a brief desc...

Page 52: ...NMP Configuration example Figure 2 1 SNMP Configuration Topology Snmp v1 v2c community and trap configuration example 1 Add new community testRO for read only and testRW for read write QCT Config snmp server community testRO ro QCT Config snmp server community testRW rw 2 Setup SNMP trap host IP address QCT Config snmp server host 172 16 1 100 traps version 1 testRO QCT Config snmp server host 172...

Page 53: ...stRO 2 162 Version 3 notifications Target Address Type Username Security UDP Filter TO Retries Level Port name Sec System Contact System Location Snmp v3 configuration example 1 Configure a view and oid tree included iso QCT Config snmp server view testVIEW iso included 2 Configure a group which use testVIEW for read write and notify trap QCT Config snmp server group testGROUP v3 noauth read testV...

Page 54: ... Default Default DefaultRead V2 NoAuth NoPriv Default Default DefaultRead V3 NoAuth NoPriv Default Default DefaultRead V3 Auth NoPriv Default Default DefaultRead V3 Auth Priv Default Default DefaultSuper V1 NoAuth NoPriv DefaultS DefaultS DefaultS uper uper uper DefaultSuper V2 NoAuth NoPriv DefaultS DefaultS DefaultS uper uper uper DefaultSuper V3 NoAuth NoPriv DefaultS DefaultS DefaultS uper upe...

Page 55: ...Read Only Default All testRO Read Only Default All testRW Read Write Default All Community String Group Name IP Address private DefaultWrite All public DefaultRead All testRO DefaultRead All testRW DefaultWrite All Traps are enabled Authentication trap is enabled Version 1 2 notifications Target Address Type Community Version UDP Filter TO Retries Port name Sec 172 16 1 100 Trap testRO 1 162 172 1...

Page 56: ...56 Version 3 notifications Target Address Type Username Security UDP Filter TO Retries Level Port name Sec 172 16 1 102 Trap testUSER NoAuth N 162 15 3 System Contact System Location ...

Page 57: ...ch as data Administrators also use VLANs to protect network resources Traffic sent by authenticatedclients might be assigned to one VLAN while traffic sent from unauthenticatedclients might be assigned to a different VLAN that allows limited network access When one host in a VLAN sends a broadcast the switch forwards traffic only to other members of that VLAN For traffic to go from a host in one V...

Page 58: ...nteringthe switchare tagged with the PVID also called the native VLAN of the port If the port is added to a VLAN as an untagged member the port does not add a tag to a packet in that VLAN when it exits the port Configuring the PVID for an interface is useful when untagged and tagged packets will be sent and received on that port and a device connected to the interface does not support VLAN tagging...

Page 59: ...o haveaddedsecurityfrom misconfiguration whileexitingthemetrocore Forexample if theedge device on the other side of the metro core is not stripping the second tag the packet would never be classified as a 802 1Q tag so the packet would be dropped rather than forwarded in the incorrect VLAN Figure 3 2 Double VLAN Tagging Network Example 3 1 3 Default VLAN Behavior One VLAN exists on the switch by d...

Page 60: ...strator wants to create the VLANs in Table 2 Table 3 2 Example VLAN Figure 3 showsthe networktopologyfor this example As the figureshows there are two switches two file servers and many hosts One switch has an uplink port that connects it to a layer 3 device and the rest of the corporate network ...

Page 61: ...tches through a Port channel Some of the Marketing hosts connect to Switch 1 and some connect to Switch 2 The Engineering and Marketing departments share the same file server Because security is a concern for the Payroll VLAN the ports and Port channel that are members of this VLAN will accept and transmit only traffic tagged with VLAN 300 Table 3 shows the port assignments on the switches Table 3...

Page 62: ...6 0 20 exit 3 Assign ports 2 15 to the Payroll VLAN QCT Config interface range 0 2 0 15 QCT Interface 0 2 0 15 switchport allowed vlan add 300 QCT Interface 0 2 0 15 switchport native vlan 300 QCT Interface 0 2 0 15 exit 4 Assign Port channel1 to the Payroll VLAN and configure the frames to always be transmittedtagged with a PVID of 300 QCT Config interface port channel 1 QCT if port channel ch1 s...

Page 63: ...17 0 18 0 19 0 20 300 Payroll Static 0 1 0 2 0 3 0 4 0 5 0 6 0 7 0 8 0 9 0 10 0 11 0 12 0 13 0 14 0 15 ch1 QCT show vlan id 300 VLAN ID 300 VLAN Name Payroll VLAN Type Static Interface Current Configured Tagging 0 1 Include Include Tagged 0 2 Include Include Untagged 0 3 Include Include Untagged 0 4 Include Include Untagged 0 5 Include Include Untagged More or q uit 8 View the VLAN information for...

Page 64: ...runk port 2 Configure ports 2 10 to participate in VLAN 200 3 Configure ports 11 30 to participate in VLAN 100 4 Configure Port channel 1 to participate in VLAN 100 and VLAN 200 5 Configure port 1 and Port channel 2 as participants in ports and add VLAN 100 VLAN 200 and VLAN 300 that accept and transit tagged frames only 6 Enable ingress filtering on port 1 and Port channel 2 7 If desired copy the...

Page 65: ...ropped if the port is not a member of the VLAN identified by the VLAN ID in the tag If ingress filtering is off all taggedframes are forwarded The port decides whether to forward or drop the frame when the port receives the frame The following example configures a port in Access mode with a single VLAN membership in VLAN 10 QCT config QCT Config interface 0 5 QCT Interface 0 5 switchport mode acce...

Page 66: ...r by a Port channel that consists of four physical 10 Gbps links The Port channel provides full duplex bandwidth of 40 Gbps between the two switches Figure 3 4 Port channel Configuration 3 3 1 Static and Dynamic Port channel Port channel can be configured as either dynamic or static Dynamic configuration is supported using the IEEE 802 3ad standard which is known as Link Aggregation Control Protoc...

Page 67: ...oad balancing performance 3 3 2 1 Resilient Hasing Resilient Hashing RH is a feature on QNOS switches that introduces an extra level of indirection between the hash value and the selected output port for a layer 2 Port channel or a layer 3 ECMP route In a typical non RH configuration the output port can change for all flows when the number of ports changes even if the flow was on a port that was n...

Page 68: ...de to be set on the Port channels Hash prediction is supported only for unicast packets on QNOS based platforms 3 3 3 Port channel Interface Overview The show interface port channel brief command provides summary information about all Port channels available on the system In the following output Port channel 3 1 has been configured as a dynamic Port channel with five member ports No other Port cha...

Page 69: ...r the 802 3ad MIB statistics 3 3 5 Port channel Configuration Guidelines Ports to be aggregated must be configured so that they are compatible with the Port channel feature and with the partner switch to which they connect Ports to be added to a Port channel must meet the following requirements Interface must be a physical Ethernet link Each member of the Port channel must be running at the same s...

Page 70: ...terface 0 1 0 3 0 6 0 7 channel group 1 mode active QCT Interface 0 1 0 3 0 6 0 7 exit 3 View information about Port channel 1 QCT show interface port channel 1 Port Channel ID 1 Channel Name ch1 Link State Down Admin Mode Enabled Link Trap Mode Enabled STP Mode Enabled Type Dynamic Port channel Min links 1 Load Balance Option 3 Src Dest MAC VLAN EType incoming port LACP Min Links 1 Mbr Device Por...

Page 71: ...QCT Interface 0 10 0 12 0 14 0 17 channel group 3 mode on QCT Interface 0 10 0 12 0 14 0 17 exit QCT Config exit 3 View information about Port channel 3 QCT show interface port channel 3 Port Channel ID 3 Channel Name ch3 Link State Down Admin Mode Enabled Link Trap Mode Enabled STP Mode Enabled Type Static Port channel Min links 1 Load Balance Option 3 Src Dest MAC VLAN EType incoming port LACP M...

Page 72: ... config QCT Config interface range 0 1 0 3 0 6 0 7 2 Add the ports to Port channel 1 with LACP QCT Interface 0 1 0 3 0 6 0 7 channel group 1 mode active QCT Interface 0 1 0 3 0 6 0 7 exit 3 View information about Port channel 1 QCT show interface port channel 1 Port Channel ID 1 Channel Name ch1 Link State Down Admin Mode Enabled Link Trap Mode Enabled STP Mode Enabled Type Dynamic Port channel Mi...

Page 73: ...nel 1 Port Channel ID 1 Channel Name ch1 Link State Down Admin Mode Enabled Link Trap Mode Disabled STP Mode Enabled Type Dynamic Port channel Min links 1 Load Balance Option 3 Src Dest MAC VLAN EType incoming port LACP Fallback Mode Enabled LACP Fallback Timeout 5 LACP Min Links 1 Mbr Device Port Port Fallback Ports Timeout Speed Active 0 1 actor long 10G Full False None partner long 0 2 actor lo...

Page 74: ...how interface port channel 3 Port Channel ID 3 Channel Name ch3 Link State Down Admin Mode Enabled Link Trap Mode Enabled STP Mode Enabled Type Static Port channel Min links 1 Load Balance Option 3 Src Dest MAC VLAN EType incoming port LACP Min Links 1 Mbr Device Port Port Ports Timeout Speed Active 0 10 actor long 10G Full False partner long 0 11 actor long 10G Full False partner long 0 12 actor ...

Page 75: ...ds the Port channel bandwidth advantage across multiple QNOS switches connected to a Port channel partner device The Port channel partner device is oblivious to the fact that it is connected over a Port channel to two peer QNOS switches instead the two switches appear as a single switch to the partner with a single MAC address All links can carry data traffic across a physically diverse topology a...

Page 76: ...can pair to form one end of the Port channel Stackedswitches do not support MLAGs In the above figure SW1 and SW2 are MLAG peer switches These two switches form a single logical end point for the MLAG from the perspective of switch A MLAG interfaces MLAG functionalityis a property of Port channels Port channels configured as MLAGs are called MLAG interfaces Administrators can configure multiple in...

Page 77: ...the presence of the peer switch in the network The DCPDP protocol must not be configured on MLAG interfaces 3 5 2 2 Configuration Consistency MLAG is operational only if the MLAG domain ID MLAG system MAC address and MLAG system priority are the same on both the MLAG peer switches Note Configuring a MLAG domain ID is mandatory the MLAG system MAC address and MLAG system priority are optional these...

Page 78: ...ACL configuration 4 Interface Configuration PFC configuration CoS queue assignments 5 VLAN configuration MLAG VLANs must span the MLAG topology and be configured on both MLAG peers This means that every MLAG VLAN must connect to two partner Port channels VLAN termination of a MLAG VLAN on a MLAG peer is not supported 6 Switch firmware versions Except during firmware upgrade the peer switch firmwar...

Page 79: ...r support neither LACP reconvergence nor STP reconvergence occurs and minimal traffic loss is observed when primary device fails During the failover traffic that is being forwarded using the links connected to primary device will failover to links connected to the secondary device The traffic disruption is limited to the time required for the partner devices dual attached to the MLAG domain to det...

Page 80: ...h1 switchport allowed vlan add tagged 1 99 QCT if port channel ch1 switchport acceptable frame types tagged QCT if port channel ch1 mlag peer link QCT if port channel ch1 exit 9 Create the peer link QCT Config interface range 0 1 0 2 QCT Interface 0 1 0 2 channel group 1 mode active QCT Interface 0 1 0 2 description MLAG Peer Link 10 Enable UDLD if required QCT Interface 0 1 0 2 udld enable QCT In...

Page 81: ...CT if port channel ch2 switchport acceptable frame types tagged QCT if port channel ch2 mlag 1 QCT if port channel ch2 exit QCT Config interface lag 3 QCT if port channel ch3 switchport allowed vlan add tagged 1 99 QCT if port channel ch3 switchport acceptable frame types tagged QCT if port channel ch3 mlag 2 QCT if port channel ch3 exit The administrator must ensure that the port channel configur...

Page 82: ...o effect on the operation of the port The port is not disabled and continues operating When operating in UDLD normal mode a port will be put into a disabled state D Disable only in the following situations The UDLD PDU received from a partner does not have its own details echo When there is a loopback and information sent out on a port is received back exactly as it was sent Whenoperatingin UDLD a...

Page 83: ...er switches and enable UDLD on the ports QCT Config interface range 0 2 0 5 0 8 QCT Interface 0 2 0 5 0 8 udld enable 3 Configure the UDLD mode on the ports to be aggressive QCT Interface 0 2 0 5 0 8 udld port aggressive QCT Interface 0 2 0 5 0 8 exit QCT Config exit 1 After configuring UDLD on Switch 2 Switch 3 and Switch 4 view the UDLD status for the ports QCT show udld all Port Admin Mode UDLD...

Page 84: ...r destination ports For each source port you can specify whether to mirror ingress traffic traffic the port receives or RX egress traffic traffic the port sends or TX or both ingress and egress traffic The packet that is copied to the destination port is in the same format as the original packet on the wire This means that if the mirror is copying a received packet the copied packet is VLAN tagged...

Page 85: ...switch SW1 to a probe port on a remote switch port 12 on SW3 The mirrored traffic is carried in the RSPAN VLAN and VLAN 100 which traverses an intermediate switch SW2 The commands in this example show how to configure port mirroring on the source intermediate and destination switches Figure 10 provides a visual overview of the RSPAN configuration example Figure 3 10 RSPAN Configuration Example 3 7...

Page 86: ...ring session on the switch QCT Config port monitor session 1 mode QCT exit 3 7 2 2 Configuration on the Intermediate Switch SW2 To configure the intermediate switch 1 Access the VLAN configuration mode and create VLAN 100 QCT configure QCT Config vlan database QCT Vlan vlan 100 QCT Vlan exit 2 Enable RSPAN on vlan 100 QCT configure QCT Config vlan 100 QCT Config vlan 100 remote span QCT Config vla...

Page 87: ...e interface for the port mirroring session QCT Config port monitor session 1 source vlan 10 4 Enable the port mirroring session on the switch QCT Config port monitor session 1 mode QCT Config exit 3 7 4 Flow based Mirroring In this example traffic from port 1 is mirrored to port 18 if it matches the criteria defined in the IP ACL or MAC ACL that are associated with the port mirroring session To co...

Page 88: ... network loops STP uses the spanning tree algorithm to provide a single path between end stations on a network QNOS software supports Classic STP Multiple STP and Rapid STP 3 8 1 Classic STP Multiple STP and Rapdi STP Classic STP provides a single path between end stations avoiding and eliminating loops Multiple Spanning Tree Protocol MSTP is specified in IEEE 802 1s and supports multiple instance...

Page 89: ...g state to send and receive traffic All other ports are put into a blocked state to prevent redundant paths that might cause loops To determine the root path costs and maintain topology information switches that participate in the spanning tree use Bridge Protocol Data Units BPDUs to exchange information 3 8 3 MSTP in the Network In the followingdiagramof a small802 1D bridged network STP is neces...

Page 90: ... just that by allowing the configuration of MSTIs based upon a VLAN or groups of VLANs In this simple case VLAN 10 could be associated with Multiple Spanning Tree Instance MSTI 1 with an active topology similar to Figure 16 and VLAN 20 could be associated with MSTI 2 where Port 1 on both Switch A and Switch B begin discarding and all others forwarding This simple modification creates an active top...

Page 91: ...witches that exchange the same MST Configuration Identifier It is within only these MST Regions that multiple instances can exist It will also allow the election of Regional Root Bridges for each instance One common and internal spanning tree CIST Regional Root for the CIST and an MSTI Regional Root Bridge per instance will enable the possibility of alternatepathsthrougheach Region AboveSwitchA is...

Page 92: ...The CIST provides full and simple connectivity between all LANs and Bridges in the network 3 8 4 Optional STP Features QNOS software supports the following optional STP features BPDU flooding Edge Port BPDU filtering Root guard Loop guard BPDU protection 3 8 4 1 BPDU Flooding The BPDU flooding feature determines the behavior of the switch when it receives a BPDU on a port that is disabled for span...

Page 93: ...nces this port participates in should not be in a root role 3 8 4 5 Loop Guard Loop guard protects a network from forwarding loops induced by BPDU packet loss The reasons for failing to receive packets are numerous including heavy traffic software problems incorrect configuration and unidirectional link failure When a non designated port no longer receives BPDUs the spanning tree algorithm conside...

Page 94: ...t to other switches and ports 4 20 connect to hosts in Figure 14 each PC represents 17 host systems Figure 3 14 STP Example Network Diagram Of the four switches in Figure 14 the administrator decides that Switch A is the most centrally located in the network and is the least likely to be moved or redeployed For these reasons the administrator selects it as the root bridge for the spanningtree The ...

Page 95: ...erface range 0 4 0 20 QCT Interface 0 4 0 20 spanning tree edgeport QCT Interface 0 4 0 20 exit 4 Enable Loop Guard on ports 1 3 to help prevent network loops that might be caused if a port quits receiving BPDUs QCT Config interface range 0 1 0 3 QCT Interface 0 1 0 3 spanning tree guard loop QCT Interface 0 1 0 3 exit 5 Enable Port Fast BPDU Filter on ports 4 20 This feature affects only access p...

Page 96: ...e created to allow the formation of MST regions made up of all bridges that exchange the same MST Configuration Identifier It is only within these MST Regions that multiple instances can exist QCT config QCT Config vlan database QCT Vlan vlan 10 20 QCT Vlan exit 2 Set the STP operational mode to MSTP QCT config QCT Config spanning tree mode mstp 3 Create MST instance 10 and associate it to VLAN 10...

Page 97: ...m broadcasting the traffic to all ports and possibly affecting network performance The switch uses the information in the IGMP packets as they are being forwarded throughout the network to determine which segments should receive packets directed to the group address 3 9 1 IGMP Snooping Querier WhenPIM andIGMPare enabledin a networkwithIP multicastrouting the IP multicastrouteracts as the IGMP quer...

Page 98: ...e L3 multicast router is located Figure 3 16 Switch with IGMP Snooping To configure the switch 1 Enable IGMP snooping globally QCT configure QCT Config ip igmp snooping 2 Enable the IGMP snooping querier on the switch If there are no other IGMP snooping queriers this switch will become the IGMP snoopingquerier for the local network If an externalquerier is discovered this switch will not be a quer...

Page 99: ...er address is the IP address of VLAN 100 QCT Config ip igmp snooping querier address 192 168 10 2 9 Enable IGMP snooping on ports 1 3 QCT Config interface range 0 1 0 3 QCT Interface 0 1 0 3 ip igmp snooping interfacemode 10 Configure ports 1 3 as members of VLAN 100 QCT Interface 0 1 0 3 switchport allowed vlan add 100 QCT Interface 0 1 0 3 exit 11 Enable IGMP on port 24 and configure the port as...

Page 100: ...o it does not appear in the table as the following show command indicates QCT show mac address table multicast Fwd VLAN ID MAC Address Source Type Description Interface Interface 100 01 00 5E 01 01 01 IGMP Dynamic Network Assist 0 1 0 1 100 01 00 5E 01 01 02 IGMP Dynamic Network Assist 0 2 0 2 When the video server sends multicast data to group 225 1 1 1 Port 1 participates and receives multicast ...

Page 101: ...ng database QCT show igmp snooping ssm entries VLAN Source ID Group Source Ip Filter Mode Interfaces 100 225 1 1 1 192 168 10 1 include 0 1 100 225 1 1 1 192 168 20 1 include 0 1 3 10 MLD Snooping 3 10 1 MLD Snooping Configuration Example When enabled MLD Snooping on the switch it allows switch to examine MLD packet and make forwarding decisions based on MLD control packets content MLD snooping qu...

Page 102: ...ver a local invocation of IPv6MulticastListen causes a change of the filter mode i e a change from INCLUDE to EXCLUDE or from EXCLUDE to INCLUDE of the interface level state entry for a particular multicast address whether the source list changes at the same time or not Source List Change Record is sent by a node whenever a local invocation of IPv6MulticastListen causes a change of source list tha...

Page 103: ... Membership Interval secs 260 Max Response Time secs 10 Multicast Router Expiry Time secs 0 Vlan Block Mode Disabled Verify MLD snooping configuration on interface 0 3 Switch 1 Config show ipv6 mld snooping interface 0 3 MLD Snooping Admin Mode Enable Fast Leave Mode Disable Group Membership Interval secs 260 Multicast Router Expiry Time secs 0 3 10 2 MLD Snooping First Leave Configuration Example...

Page 104: ...oping interfacemode all Switch 1 Config ipv6 mld snooping fast leave OR Step 1 Enable MLD snooping on specific interface 0 3 0 7 Switch 1 Config interface range 0 3 0 7 Switch 1 Interface 0 3 0 7 ipv6 mld snooping interfacemode Switch 1 Interface 0 3 0 7 ipv6 mld snooping fast leave 3 10 3 MLD Snooping Querier Configuration Example If there is no mcast router in the network then one of the switche...

Page 105: ...ch 1 Config ipv6 mld snooping querier Switch 1 Config ipv6 mld snooping querier vlan 1 Display MLD Snooping Querier detailed information Switch 1 Config show ipv6 mld snooping querier detail VLAN ID Last Querier Address MLD Version Global MLD Snooping querier status MLD Snooping Querier Mode Enable Querier Address fe80 aaa MLD Version 1 Querier Query Interval 60 Querier Expiry Interval 125 VLAN 1 ...

Page 106: ... TLVs The TLVs only communicate information these TLVs do not automatically translate into configuration An external application may query the MED MIB and take management actions in configuring functionality LLDP and LLDP MED are used primarily in conjunction with network managementtools to provide information about network topology and configuration and to help troubleshoot problems that occur on...

Page 107: ...name sys desc sys cap port desc 5 Set the port description to be transmitted in LLDP PDUs QCT Interface 0 3 description Test Lab Port 6 Exit to Privileged EXEC mode QCT Interface 0 3 CTRL Z 7 View global LLDP settings on the switch QCT show lldp LLDP Global Configuration Transmit Interval 60 seconds Transmit Hold Multiplier 5 Reinit Delay 3 seconds Notification Interval 5 seconds 8 View summary in...

Page 108: ...ware has a built in sFlow agent that can monitor network traffic on each port and generate sFlow data to an sFlow receiver also known as a collector sFlow helps to provide visibility into network activity which enables effective management andcontrolof network resources sFlowis analternative totheNetFlow network protocol which was developed by Cisco Systems The switch supports sFlow version 5 As i...

Page 109: ...nchronized view of the whole network The receiver can analyze traffic patterns based on protocols found in the headers e g TCP IP IPX Ethernet AppleTalk This alleviates the need for a layer 2 switch to decode and understand all protocols 3 12 1 sFlow Sampling The sFlow Agent in the QNOS software uses two forms of sampling Statistical packet based sampling of switched or routed Packet Flows Time ba...

Page 110: ...nism involves a counter that is decremented with each packet When the counter reaches zero a sample is taken When a sample is taken the counter indicating how many packets to skip before taking the next sample is reset The value of the counter is set to a random integer where the sequence of random integers used over time is the Sampling Rate 3 12 1 2 Counter Sampling The primary objective of Coun...

Page 111: ...T Config interface range 0 10 0 15 QCT Interface 0 10 0 15 sflow poller 1 QCT Interface 0 10 0 15 sflow poller interval 60 QCT Interface 0 10 0 15 sflow sampler 1 QCT Interface 0 10 0 15 sflow sampler rate 8192 QCT Interface 0 10 0 15 exit 3 Configure the polling and sampling information for port 23 QCT Config interface 0 23 QCT Interface 0 23 sflow poller 1 QCT Interface 0 23 sflow poller interva...

Page 112: ...up members Port 0 8 is configured as an upstream member of the group and ports 0 3 and 0 5 are configuredas downstreammembers The state of downstreammembers is dependent on the state of the upstream member Circular dependenciesare not allowed An interface that is defined as an upstream interface cannot also be defined as a downstream interface in the same link state group An interface that is defi...

Page 113: ...d on the port QCT config QCT config interface 0 1 QCT Interface 0 1 ipv6 nd raguard attach policy QCT Interface 0 1 show ipv6 nd raguard policy Ipv6 RA Guard Configured Interfaces Interface Role 0 1 Host 3 15 FIP Snooping FIP snooping is a frame inspection method used by the QNOS FIP Snooping Bridge to monitor FIP frames and apply policies based on the L2 header information in those frames followi...

Page 114: ...r ports connectedto the FCoE Forwarders FCFs Cisco Nexus 5010 5548 enable LLDP and DCBXand configure these ports as DCBX auto up ports In this example the port connected to the FCF is port 0 11 QCT Config interface 0 11 QCT Interface 0 11 lldp transmit QCT Interface 0 11 lldp receive QCT Interface 0 11 lldp dcbx port role auto up QCT Interface 0 11 exit 3 In Global Config mode configure one to one...

Page 115: ...000 fip snooping enable QCT Config Vlan 1000 exit QCT Config exit 7 Configure FCF facing ports using below interface command By default FIP snooping ports are configured as host ENode mode QCT configure QCT Config interface 0 11 QCT Interface 0 11 fip snooping port mode fcf QCT Interface 0 11 exit QCT Config exit The following code sample shows the configuration script for the FIP snooping switch ...

Page 116: ...face 0 9 lldp dcbx port role auto down QCT Interface 0 9 exit QCT Config interface 0 10 QCT Interface 0 10 description QCT1 CNA QCT Interface 0 10 switchport allowed vlan add tagged 1000 QCT Interface 0 10 switchport priority 3 QCT Interface 0 10 lldp transmit QCT Interface 0 10 lldp receive QCT Interface 0 10 lldp dcbx port role auto down QCT Interface 0 10 exit QCT Config interface 0 11 QCT Inte...

Page 117: ...kets for early discard only when the number of packets queued for transmission on a port exceeds the relevant minimum WRED threshold The green yellow red thresholds operate on TCP packets The fourth threshold operates on non TCP packets When ECN is enabled and congestion is experienced TCP packets that are marked ECN Capable that are queuedfor transmission and are selectedfor discardedby WRED are ...

Page 118: ...xample is shown below C Users user1 Netsh int tcp set global ecncapability enabled Ok C Users user1 netsh int tcp show global Querying active state TCP Global Parameters Receive Side Scaling State enabled Chimney Offload State automatic NetDMA State enabled Direct Cache Acess DCA disabled Receive Window Auto Tuning Level normal Add On Congestion Control Provider none ECN Capability enabled RFC 132...

Page 119: ...ce QCT Config class map match all cos0 ipv4 QCT Config classmap match cos 0 QCT Config classmap exit 4 Define a class mapsuch that all TCP will be in the set of traffic TCP This will be used as a base color class for metering traffic QCT Config class map match all tcp ipv4 QCT Config classmap match protocol tcp QCT Config classmap exit 5 Definea policy mapto include packetsmatchingclass cos any IP...

Page 120: ...ith rates less than or equal to the CIR CBS in class cos 1 are conformingto the rate green These packets will be dropped randomly at an increasing rate between 0 3 when the outgoing interface is congested between 80 and 100 TCP packets with rates above the CIR CBS and less than or equal to PIR PBS in either class cos 1 or class cos 2 are policed as exceeding the CIR yellow These packets will be dr...

Page 121: ...QCT Interface 0 22 service policy in simple policy QCT Interface 0 22 exit QCT Config interface 0 23 QCT Interface 0 23 service policy in two rate policy QCT Interface 0 23 exit 3 16 3 Example 2 Data Cetner TCP DCTCP Configuration This examplegloballyconfiguresan QNOS switch to utilize ECN markingof green packets queued for egress on CoS queues 0 and 1 using the DCTCP threshold as it appears in DC...

Page 122: ...eyword enables ECN markingof ECN capablepackets on CoS queues 0 and 1 The weightingconstant is set to 0 in the second line of the configuration as described in the DCTCP paper cited above Finally CoS queues 0 and 1 are configured for WRED in the last line of the configuration QCT config QCT Config random detect queue parms 0 1 min thresh 13 30 20 100 max thresh 13 90 80 100 drop prob 100 10 10 10 ...

Page 123: ...rge network One such type of Authentication Server supports the Remote Authentication Dial In User Service RADIUS protocol as defined by RFC 2865 For authenticating users prior to access the RADIUS standard has become the protocol of choice by administrators of large accessible networks To accomplish the authentication in a secure manner the RADIUS client and RADIUS server must both be configured ...

Page 124: ...thentication Dial In User Services This feature enables a RADIUS server or any other external server to send messages to a Network Access Server NAS to terminate a user s session This is desirable when a device or user session is causing problems in normal network operation RFC 5176 defines the DAS and Dynamic Authorization Client DAC and the following types of messages Disconnect messages This me...

Page 125: ...dynamic RADIUS clients QCT config radius da auth type any 4 Set the port on which to listen for CoA and disconnect requests QCT config radius da port 4747 QCT config radius da exit 5 Set the network access server NAS IP address for the RADIUS server QCT config radius server attribute 4 10 130 65 4 6 Specify a RADIUS server host and type accounting authentication QCT config radius server host auth ...

Page 126: ...it is used only to encrypt the data 4 1 3 Configuring and Applying Authentication Profiles A user can access the switch management interface only after providing a valid user name and password combination that matches the user account information stored in the user database configured on the switch QNOS software include several additional features to increase management security and help prevent u...

Page 127: ...access the switch management interface Profiles can be applied to each of the following access types Login Authenticates all attempts to login to the switch Enable Authenticates all attempts to enter Privileged EXEC mode Console Authenticatesaccess through the console port Telnet Authenticates users accessing the CLI by using telnet SSH Authenticates users accessing the CLI by using an SSH client ...

Page 128: ...ation The IAS database is stored locally on the switch 4 1 4 Configuring the Primary and Secondary RADIUS Servers The commands in this example configure primary and secondary RADIUS servers that the switch will use to authenticate access The RADIUS servers use the same RADIUS secret To configure the switch 1 Configure the primary and secondary RADIUS servers QCT configure QCT Config radius server ...

Page 129: ... on the switch To see an example of how to configure a RADIUS server on the switch see Configuring the Primary and Secondary RADIUS Servers 2 Enter line configuration mode for Telnet and specify that any attempt to access the switch by using Telnet are authenticated using the methods defined in the profile created in the previous step QCT Config line vty QCT Config vty login authentication myList ...

Page 130: ...ose sender MAC address and sender IP address do not match an entry in the DHCP snooping bindings database 4 2 1 DHCP Snooping Overview Dynamic Host Configuration Protocol DHCP Snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP server to accomplish the following tasks Filter harmful DHCP messages Build a bindings database with entries that consist of the follo...

Page 131: ...pplicationignores the ACK messages as a reply to the DHCP Inform messages receivedon trusted ports You can also enter static bindings into the binding database When a switch learns of new bindings or loses bindings the switch immediately updates the entries in the database The switch also updates the entries in the binding file The frequency at which the file is updated is based on a configurable ...

Page 132: ...aces DHCP snoopingmonitors the receive rate on each interface separately If the receive rate exceeds a configurablelimit DHCP snooping brings down the interface Administrative intervention is necessary to enable the port either by using the no shutdown command in Interface Config mode 4 2 2 IP Source Guard Overview IPSG is a security feature that filters IP packets basedon source ID This feature h...

Page 133: ...er IP addressdo not match an entry in the DHCP snooping bindings database You can optionally configure additional ARP packet validation When DAI is enabled on a VLAN DAI is enabled on the interfaces physical ports or Port channels that are members of that VLAN Individual interfaces are configured as trusted or untrusted The trust configuration for DAI is independent of the trust configuration for ...

Page 134: ...nd are members of VLAN 100 These ports are configured to limit the maximum number of DHCP packets with a rate limit of 100 packets per second Port channel 1 which is also a member of VLAN 100 and contains ports 21 24 is the trunk port that connects the switch to the data center so it is configured as a trusted port Figure 4 3 DHCP Snooping Configuration Topology The commands in this example also e...

Page 135: ...nfig ip dhcp snooping QCT Config exit 6 View DHCP snooping information QCT show ip dhcp snooping DHCP snooping is Enabled DHCP snooping source MAC verification is enabled DHCP snooping is enabled on the following VLANs 100 Interface Trusted Log Invalid Pkts 4 2 6 Configuring IPSG This examplebuilds on the previousexampleand uses the same topologyshownin Figure 20 In this configuration example IP s...

Page 136: ...pports ACL configuration in both the ingress and egress direction Egress ACLs provide the capability to implement security rules on the egress flows traffic leaving a port rather than the ingress flows traffic enteringa port Ingress and egress ACLs can be appliedto any physicalport Port channel or VLANroutingport Dependingon whether an ingress or egress ACL is applied to a port when the traffic en...

Page 137: ...en field should be used to permit or deny access to the network and may apply to one or more of the following fields within a packet Destination IP with wildcard mask Destination L4 Port Every Packet IP DSCP IP Precedence IP TOS Protocol Source IP with wildcard mask Source L4 port IPv4 fragmented packets tcp flags igmp type icmp type icmp code icmp message 4 3 3 ACL Redirect Function The redirect ...

Page 138: ...lbyspecifying a timerangeona per rulebasiswithinanACL sothatthe time restrictions are imposed on the ACL rule With a time basedACL you can define when and for how long an individual rule of an ACL is in effect To apply a time to an ACL first you define a specific time interval and then apply it to an individual ACL rule so that it is operational only duringthe specifiedtimerange for example during...

Page 139: ... that is it is made the lowest priorityrule or if the rule is the first one created for the ACL it is assigned sequence number 10 4 3 9 ACL Limitations The following limitations apply to ingress and egress ACLs Maximum of 100 ACLs Maximum number configurable rules per list is 1023 Maximum ACL rules system wide foringressis 4096 Maximum ACL rules system wide foregressis 1024 You can configure mirro...

Page 140: ...For example rules that specify a TCP or UDP port value should also specify the TCP or UDP protocol and the IPv4 or IPv6 EtherType Rules that specify an IP protocol shouldalso specify the EtherTypevalue for the frame In general any rule that specifies matching on an upper layer protocol field should also include matching constraints for each of the lower layer protocols For example a rule to match ...

Page 141: ...pon the underlying switching silicon IP ACLs can be applied on ingress and egress interfaces VLANs of a switch router 4 3 13 ACL Configuration Examples This section contains the following examples Configuring an IP ACL Configuring a MAC ACL Configuring a Time Based ACL 4 3 13 1 Configuring an IP ACL The commandsin this example set up an IP ACL that permits hosts in the 192 168 77 0 24 subnet to se...

Page 142: ...permit tcp 192 168 77 0 0 0 0 255 192 168 77 50 0 0 0 0 2 Define the rule to set similar conditions for UDP traffic as for TCP traffic QCT Config access list 100 permit udp 192 168 77 0 0 0 0 255 192 168 77 3 0 0 0 255 3 Apply the rule to inbound ingress traffic on port 2 Only traffic matching the criteria will be accepted on this port QCT Config interface 0 2 QCT Interface 0 2 ip access group 100...

Page 143: ...itted To configure the switch 1 Create a MAC Access List named mac1 QCT config QCT Config mac access list extended mac1 2 Configurea rule to deny all IPX traffic regardlessof the sourceor destinationMAC address Before creating the rule add a remark that identifies the rule QCT Config mac access list remark Denies all IPX traffic from for any source or dest MAC QCT Config mac access list deny any a...

Page 144: ...3 0 44 0 45 0 46 0 47 0 48 0 49 0 50 0 51 0 52 0 53 0 54 0 55 0 56 0 57 0 58 0 59 0 60 0 61 0 62 0 63 0 64 0 65 0 66 0 67 0 68 Sequence Number 1 Action deny Ethertype ipx Sequence Number 2 Action permit Match All TRUE 4 3 13 3 Configuring a Time based ACL The following example configures an ACL that denies HTTP traffic from 8 00 pm to 12 00 pm and 1 00 pm to 6 00 pm on weekdaysandfrom 8 30 am to 1...

Page 145: ...s group 101 vlan 100 in QCT Config exit 7 Verify the configuration QCT show ip access lists 101 ACL ID 101 Inbound VLAN ID s 100 Sequence Number 1 Action deny Match All FALSE Protocol 6 tcp Destination L4 Port Keyword 80 www http Time Range Name work hours Rule Status inactive 4 4 Control Plane Policing CoPP Control plane policing CoPP uses access control list ACL rules to create filters for a sys...

Page 146: ...QCT Config ipv4 acl deny icmp 172 16 2 100 0 0 0 255 any QCT Config ipv4 acl deny tcp 172 16 2 100 0 0 0 255 any eq 22 QCT Config ipv4 acl deny tcp 172 16 2 100 0 0 0 255 any eq telnet 2 Permit ICMP packets for the specified source IP address 172 16 1 100 24 and rate limit is 1000kbps QCT Config ipv4 acl permit icmp 172 16 1 100 0 0 0 255 any rate limit 1000 1 3 Permit any other packets QCT Config...

Page 147: ... IPv4 Protocol 6 tcp Source IP Address 172 16 2 100 Source IP Wildcard Mask 0 0 0 255 Destination L4 Port Keyword 22 Sequence Number 3 Action deny Match All False IPv4 Protocol 6 tcp Source IP Address 172 16 2 100 Source IP Wildcard Mask 0 0 0 255 Destination L4 Port Keyword 23 telnet Sequence Number 4 Action permit Match All False IPv4 Protocol 1 icmp Source IP Address 172 16 1 100 Source IP Wild...

Page 148: ... snmp access via switch front port 4 5 1 Configuring Service Prohibit The following command sequence enables Service Prohibit Access feature 1 enable Service Prohibit Access and deny snmp ssh telnet access via switch front ports Switch configure Switch Config service prohibit access snmp Switch Config service prohibit access ssh Switch Config service prohibit access telnet Switch Config show servi...

Page 149: ...ty designation or packets from ports you ve identified as untrusted get forwarded according to this default 5 1 1 Trusted and Untrusted Port Modes Ports can be configured in trusted mode or untrusted mode with respect to ingress traffic Ports in Trusted Mode When a port is configured in trusted mode the system accepts at face value a priority designation encoded within packets arriving on the port...

Page 150: ...centage of the total queue size below which no packets of the selected drop precedence level are dropped M ax i m um Threshold A percentage of the total queue size above which all packets of the selected drop precedence level are dropped D ro p Probability When the queue depth is between the minimum and maximum thresholds this value provides a scaling factor for increasing the number of packets of...

Page 151: ...der is 6 followed by 5 followed by 1 Assumingeach queue unloads all packets shown in the diagram the packet transmissionorder as seen on the network leading out of Port 0 8 is B A D C Thus packet B with its higher user precedence than the others is able to work its way through the device with minimal delay and is transmitted ahead of the other packets at the egress port The following commands conf...

Page 152: ...nterface Shaping Rate 0 WRED Decay Exponent 9 Queue Id Min Bandwidth Scheduler Type Queue Management Type 0 0 Weighted Tail Drop 1 0 Weighted Tail Drop 2 5 Weighted Tail Drop 3 5 Weighted Tail Drop 4 10 Weighted Tail Drop 5 20 Weighted Tail Drop 6 40 Strict Tail Drop 7 0 Weighted Tail Drop 5 2 DiffServ StandardIP basednetworksare designedto providebest effort data deliveryservice Best effort servi...

Page 153: ...n terms of classes policies and services Class A class consists of a set of rules that identify which packets belong to the class Inbound traffic is separated into traffic classes based on Layer 2 Layer 3 and Layer 4 header data The class type All is supported this specifies that every match criterion defined for the class must be true for a match to occur Policy A policy defines the QoS attribute...

Page 154: ...nable DiffServ operation for the switch QCT config QCT Config diffserv 2 Create a DiffServ class of type all for each of the departments and name them Also define the match criteria Source IP address for the new classes QCT Config class map match all finance_dept QCT Config classmap match srcip 172 16 10 0 255 255 255 0 QCT Config classmap exit QCT Config class map match all marketing_dept QCT Con...

Page 155: ...olicy classmap exit QCT Config policy map class development_dept QCT Config policy classmap assign queue 4 QCT Config policy classmap exit QCT Config policy map exit 4 Attach the defined policy to interfaces 0 1 through 0 4 in the inbound direction QCT Config interface range 0 1 0 4 QCT Interface 0 1 0 4 service policy in internet_access QCT Interface 0 1 0 4 exit 5 Set the CoS queue configuration...

Page 156: ...following actions depending on the file type Copy a file from the switch to a remote server Copy a file from a remote server to the switch Overwrite the contents of the destination file with the contents of the source file Table 6 1 Files to Manage 6 1 1 Supported File Management Methods For most file types you can use any of the following protocols to download files from a remote system to the sw...

Page 157: ...mage after the switch reloads If you activate a new image and reload the switch and the switch is unable to complete the boot process due to a corrupt image or other problem you can use the boot menu to activate the backup image You must be connected to the switch through the console port to access the boot menu To create a backupcopy of the firmwareon the switch copy the active image to the backu...

Page 158: ...is partial if the script fails For example if the script executes four of ten commands and the script fails the script stops at four and the final six commands are not executed Scripts cannot be modified or deleted while being applied Validation of scripts checks for syntax errors only It does not validate that the script will run The file extension must be scr There is no limit on the maximum num...

Page 159: ...and managing delta configurations is difficult on a large scale The following commands can be used to apply the configuration gracefully reload configuration Applies the startup config gracefully reload configuration scriptfile Applies the given script file gracefully 6 1 5 Saving the Running Configuration Changes you make to the switch configuration while the switch is operating are written to th...

Page 160: ...ime 2 msec Reply From 172 16 1 102 icmp_seq 1 time 1 msec Reply From 172 16 1 102 icmp_seq 2 time 1 msec 172 16 1 102 PING statistics 3 packets transmitted 3 packets received 0 packet loss round trip msec min avg max 1 1 2 2 Copy the image file to the appropriatedirectoryon the TFTP server 3 View information about the current image QCT show bootvar Image Descriptions active backup Images currently...

Page 161: ...em opcode backup Activating image backup 6 View information about the current image QCT show bootvar Image Descriptions active backup Images currently available on Flash unit active backup current active next active 1 5 4 0 31 5 4 0 32 5 4 00 31 5 4 0 32 7 Copy the running configuration to the startup configuration to save the current configuration to NVRAM QCT copy running config startup config T...

Page 162: ...t table To configure the switch 1 Open a text editor on an administrative computer and type the commands as if you were entering them by using the CLI 2 Save the file with an scr extension and copy it to the appropriate directory on your TFTP server 3 Download the file from the TFTP server to the switch QCT copy tftp 172 16 1 102 labhost scr script labhost scr Mode TFTP Set Server IP 172 16 1 102 ...

Page 163: ... exit Configuration script validated File transfer operation completed successfully 5 Run the script to execute the commands QCT script apply labhost scr Are you sure you want to apply the configuration script y n y configure ip host labpc1 192 168 3 56 ip host labpc2 192 168 3 58 ip host labpc3 192 168 3 59 exit Configuration script labhost scr applied 6 Verify that the script was successfully ap...

Page 164: ... request copy running config startup config in order to save the configuration 6 2 1 1 Obtaining IP address Information DHCP is enabled by default on the service port If an IP address has not been assigned the switch issues requests for an IP address assignment A network DHCP server returns the following information IP address and subnet mask to be assigned to the interface IP address of a default...

Page 165: ...ion might fail for one of the following reasons The path or filename of the image on the TFTP server does not match the information specified in DHCP option 125 The downloaded image is the same as the current image The validation checks such as valid CRC Checksum fails If the download or installation was unsuccessful a message is logged 6 2 1 4 Obtaining the Configuration File If the DHCP OFFER id...

Page 166: ... downloaded and the order in which they are sought Table 6 2 Configuration File Possibilities Table 10 displays the determining factors for issuing unicast or broadcast TFTP requests Table 6 3 TFTP Request Types 6 2 2 Monitoring and Completing the DHCP Auto Install Process When the switch boots and triggers an Auto Install a message is written to the buffered log After the process completes the Au...

Page 167: ...st specific file 6 2 2 3 Managing Downloaded Configuration Files The configuration files downloaded to the switch by Auto Install are stored in the nonvolatile memory as scr files The files may be managed viewed or deleted along with files downloaded by the configuration scripting utility If the Auto Install persistent mode is enabled boot system host autoinstall and the switch reboots the scr con...

Page 168: ...ed After an image is successfully downloaded during the Auto Install process the switch automatically reboots and makes the downloaded image the active image Table 6 4 Auto Install Defaults 6 2 5 Enabling DHCP Auto Install and Auto Image Download A network administrator is deploying three switches and wants to quickly and automatically install the latest image and a common configuration file that ...

Page 169: ...ork This networkmust have a route to the DHCP server and TFTP server that are used for Auto Install process 8 Reboot each switch QCT reload 6 3 Downloading a Core Dump The core dump file can be downloaded using the following methods NFS TFTP FTP On systems that have gigabytes of flash storage the core dump file can also be copied to flash 6 3 1 Using NFS to Download a Core Dump Use the following c...

Page 170: ...igured protocol tftp test PASS QCT 6 4 Setting the System Time The switchuses the systemclock to providetime stamps on logmessages Additionally someshow commands includethetimeinthecommandoutput Forexample theshow users login history command includes a Login Time field The system clock provides the information for the Login Time field Youcanconfigurethe systemtimemanually or youcan configure the s...

Page 171: ... 23 00 2 Configure the time zone In this example the time zone is India Standard Time IST which is UTC 5 hours and 30 minutes QCT Config clock timezone 5 minutes 30 zone IST 3 Configure the offset for a hypothetical daylight saving time In this example the offset is one hour It occurs every year on Sunday in the first week of April and ends the fourth Sunday in October The start and end times are ...

Page 172: ...offset for DST QCT Config clock summer time recurring USA 4 Enable the SNTP client on the device in unicast mode QCT Config sntp client mode unicast 5 View the time information QCT show sntp QCT show sntp Last Update Time Apr 27 16 42 23 2012 Last Unicast Attempt Time Apr 27 16 43 28 2012 Last Attempt Status Success QCT show calendar Current Time Mon Apr 30 18 49 33 2012 Time source is SNTP 6 5 Co...

Page 173: ...tion To configure Switch A 1 Configure log server ip address 172 16 100 90 QCT Config logging host 172 16 100 90 ipv4 2 Configure log server received port number to 514 Note Default syslog server port is 514 QCT Config logging host reconfigure 1 port 514 3 Change the log severity level to 6 QCT Config logging host reconfigure 1 severitylevel 6 ...

Page 174: ...ing number emergency 0 alert 1 critical 2 error 3 warning 4 notice 5 info 6 debug 7 4 Enable syslog feature QCT Config logging syslog Result The syslog server receives log messages from switch A Please refer the figure below ...

Page 175: ... 6 3 Syslog packet capture Using show logging command to verify the logging configuration QCT Config show logging Logging Client Local Port 514 Logging Client Source Interface not configured CLI Command Logging disabled Console Logging enabled ...

Page 176: ...w logging hosts command to verify the logging hosts configuration Switch 1 show logging hosts Index IP Address Hostname Type Severity Port Status 1 172 16 100 90 ipv4 notice 514 Active Example3 Remove Syslog host Using show logging hosts to check the syslog server index Switch 1 show logging hosts Index IP Address Hostname Type Severity Port Status 1 172 16 100 90 ipv4 notice 514 Active 2 172 16 1...

Page 177: ...N routing interfaces makes inter VLAN routing possible For each VLAN routing interface you can assign a static IP address or you can allow a network DHCP server to assign a dynamic IP address When a port is enabled for bridging L2 switching rather than routing which is the default all normal bridge processing is performed for an inbound packet which is then associated with a VLAN It s MAC Destinat...

Page 178: ...n VLAN 10 to communicate with Host C in VLAN 20 the switch must perform inter VLAN routing Figure 7 1 Inter VLAN Routing 7 1 2 IP Routing Configuration Example In this example the switches are L3 switches with VLAN routing interfaces VLAN routing is configured on Switch A and Switch B This allows the host in VLAN 10 to communicate with the server in VLAN 30 A static route to the VLAN 30 subnet is ...

Page 179: ...lan 10 Interface vlan 10 created for VLAN ID 10 QCT if vlan10 interface vlan 20 Interface vlan 20 created for VLAN ID 20 QCT if vlan20 interface vlan 30 Interface vlan 30 created for VLAN ID 30 QCT if vlan30 interface vlan 50 Interface vlan 50 created for VLAN ID 50 QCT if vlan50 exit 3 Enable routing on the switch QCT configure QCT Config ip routing 4 Assign an IP address to VLAN 10 This command ...

Page 180: ...witch B as the next hop address QCT Config ip route 192 168 30 0 255 255 255 0 192 168 20 25 8 Configure the backbone router interface as the default gateway QCT Config ip route default 192 168 50 2 7 1 2 2 Configuring Switch B To configure Switch B 1 Create the VLANs QCT Config vlan database QCT Vlan vlan 20 30 2 Configure the VLANs for routing QCT Config interface vlan 20 Interface vlan 20 creat...

Page 181: ...nation is sent to Switch A for forwarding QCT Config ip route default 192 168 20 20 7 1 3 IP Unnumbered Configuration Example This IP unnumbered configuration example shows how the same IP is used on two different unnumbered interfaces on router 1 so it can communicate with router 2 and router 3 Figure 7 3 IP Unnumbered Configuration Example To configure the router 1 1 Enable routing on the switch...

Page 182: ...witch QCT configure QCT Config ip routing 2 Configure the loopback interface QCT Config interface loopback 1 QCT Interface loopback 1 ip address 2 0 0 2 24 QCT Interface loopback 1 exit 3 Configure port 0 2 QCT Config interface 0 2 QCT Interface 0 2 routing QCT Interface 0 2 ip unnumbered loopback 1 QCT Interface 0 2 exit 4 Configure port 0 3 QCT Interface 0 3 routing QCT Interface 0 3 ip unnumber...

Page 183: ...ted throughout the network Areas are identified by a numeric ID in IP address format n n n n note however that these are not used as actual IP addresses For simplicity the area can be configured and referred to in normal integer notation For example Area 20 is identified as 0 0 0 20 and Area 256 as 0 0 1 0 The area identified as 0 0 0 0 is referred to as Area 0 and is considered the OSPF backbone ...

Page 184: ...ure Border Router A 1 Enable routing on the switch QCT configure QCT Config ip routing 2 Create VLANS 70 80 and 90 QCT Config vlan database QCT Vlan vlan 70 80 90 3 Configure the VLANs for routing and assign the interface port numbers QCT Config interface vlan 70 Interface vlan 70 created for VLAN ID 70 QCT if vlan70 interface vlan 80 Interface vlan 80 created for VLAN ID 80 QCT if vlan80 interfac...

Page 185: ...uter ospf QCT Config router router id 192 150 9 9 QCT Config router exit 7 Configure the OSPF area ID and cost for each interface Note OSPF is globally enabled by default To make it operational on the router you configure OSPF for particular interfaces and identify which area the interface is associated with QCT Config interface vlan 70 QCT if vlan70 ip ospf area 0 0 0 0 QCT if vlan70 ip ospf cost...

Page 186: ...r The greater the number the higher the priority If the virtual IP address is the IP address of a VLAN routing interface on one of the routers in the VRRP group the router with IP address that is the same as the virtual IP address is the interface owner and automatically has a priority of 255 By default this router is the VRRP master in the group If no router in the group owns the VRRP virtual IP ...

Page 187: ...te and Interface Tracking The VRRP Route Interface Tracking feature extends VRRP capability to allow tracking of specific routes and interface IP states within the router that can alter the priority level of a virtual router for a VRRP group VRRP interface tracking monitors a specific interface IP state within the router Depending on the state of the tracked interface the feature can alter the VRR...

Page 188: ...for VRID 20 and the backup for VRID 10 If Router A fails Router B will become the master of VRID 10 and will use the virtual IP address 192 168 10 1 Traffic from the clients configured to use Router A as the default gateway will be handled by Router B To configure Router A 1 Create and configure the VLAN routing interface to use as the default gateway for network clients This example assumes all o...

Page 189: ...p 10 mode QCT if vlan10 ip vrrp 20 mode QCT if vlan10 exit QCT Config exit The only difference between the Router A and Router B configurations is the IP address assigned to VLAN 10 On Router B the IP address of VLAN 10 is 192 168 10 2 Because this is also the virtual IP address of VRID 20 Router B is the interface owner and VRRP master of VRRP group 20 To configure Router B 1 Enable routing for t...

Page 190: ... priority value is 255 by default QCT if vlan10 ip vrrp 20 ip 192 168 10 2 8 Enable the VRRP groups on the interface QCT if vlan10 ip vrrp 10 mode QCT if vlan10 ip vrrp 20 mode QCT if vlan10 exit QCT Config exit 7 3 2 2 VRRP with Route and Interface Tracking In Figure 29 the VRRPprioritiesareconfiguredso thatRouterA is the VRRPmaster andRouterB is the VRRP backup Router A forwards IP traffic from ...

Page 191: ...CT if vlan10 exit 3 Enable VRRP for the switch QCT Config ip vrrp 4 Assign a virtual router ID to the VLAN routing interface for the VRRP group QCT Config interface vlan 10 QCT if vlan10 ip vrrp 10 5 Specify the IP address that the virtual router function will use QCT if vlan10 ip vrrp 10 ip 192 168 10 15 6 Configure the router priority QCT if vlan10 ip vrrp 10 priority 200 7 Enable preempt mode s...

Page 192: ...igure the VLAN routing interface to use as the default gateway for network clients This example assumes all other routing interfaces such as the interface to the external network have been configured QCT Config interface vlan 10 QCT if vlan10 ip address 192 168 10 2 255 255 255 0 QCT if vlan10 exit 3 Enable VRRP for the switch QCT Config ip vrrp 4 Assign a virtual router ID to the VLAN routing int...

Page 193: ...ed on a specific interfacewhenthose packetswouldotherwisebe relayedaccordingto a global relay entry Discardrelay entries may be configured on interfaces but are not configured globally Additionally you can configure which UDP ports are forwarded Certain UDP port numbers can be specified by name in the CLI but you can also configure a relay entry with any UDP port number You may configure relay ent...

Page 194: ...uration for the destination UDP port If so the relay agent unicaststhe packet to the configuredserverIP addresses Otherwisethe packet is not relayed Note If the packet matchesa discardrelay entry on the ingress interface thepacket is not forwarded regardless of the global configuration The relay agent relays packets that meet only the following conditions The destination MAC address must be the al...

Page 195: ...195 Table 7 3 UDP Port Allocation 7 4 1 Relay Agent Configuration Example The example in this section shows how to configure the L3 relay agent IP helper to relay and discard various protocols ...

Page 196: ...8 40 35 QCT Config interface vlan 10 QCT if vlan10 ip helper address 192 168 40 35 dhcp 3 Relay DNS packets received on VLAN 10 to 192 168 40 43 QCT if vlan10 ip helper address 192 168 40 35 domain QCT if vlan10 exit 4 Relay SNMP traps port 162 received on VLAN 20 to 192 168 23 1 QCT Config interface vlan 20 QCT if vlan20 ip helper address 192 168 23 1 162 5 The clients on VLAN 20 have statically ...

Page 197: ...ith network peers knownas neighbors via TCP IP sessions BGP relies on the local route table whichis populatedby IGP routing protocols in order to establish connectivity for routes contained within NLRI definitions For routes with establishedconnectivity BGP determinesthe best route amongthose learned from one or more peers and then installs those routes to the local route table as well as advertis...

Page 198: ... NLRIs which have been acquired via External BGP peers to all other Internal BGP peers within the AS The BGP protocol requires that all IBGP peers within an AS are logically connected as a full mesh Thus all BGP routers within the AS can have a consistent view of the inter network destinations An illustration of the above scenario can be observed in the figure 31 between routers R1 and R2 7 5 1 3 ...

Page 199: ...ork destination Additionally local policy configuration may filter or modify the BGP attributes of NLRIs that are received from BGP peers Once BGP has chosen the best path to a network destination based on the BGP attributes given in an NLRI also known as the decision process it must determine if there is connectivity to the destinationdefined by the BGP nexthop attribute from the best NLRI Here B...

Page 200: ...peer with the lower router ID 9 Prefer the route learned from the peer with the lower peer IP address 7 5 3 BGP Configuration Example Figure 32 shows the topology of a large network that includes two autonomous systems The commands in this example configure Router 3 R3 in AS 65049 and Router 9 in AS 65001 Figure 7 9 BGP Configuration Example 7 5 3 1 Configuring BGP on Router 9 To configure R9 as s...

Page 201: ...erfacethat is connectedto R3 which is in a different AS Assign an IP address to the interface and enable routing on the interface R9 Interface 0 12 interface 0 12 R9 Interface 0 12 ip address 172 19 1 30 255 255 255 252 R9 Interface 0 12 routing R9 Interface 0 12 exit 7 Enter Interface Config mode for port 0 20 This interface is connected to R7 which is part of the same AS Assign an IP address to ...

Page 202: ...umber of next hops BGP may include in an ECMP route derived from paths received from neighbors within the local autonomous system R9 Config router maximum paths ibgp 24 17 Enable the logging of adjacency state changes R9 Config router bgp log neighbor changes 18 Allow the aggregation of routes with different MED attributes R9 Config router bgp aggregate different meds 19 Configure the keepalive an...

Page 203: ...or 192 168 0 11 next hop self R9 Config router neighbor 192 168 0 11 update source loopback 0 R9 Config router neighbor 192 168 0 1 remote as 65001 R9 Config router neighbor 192 168 0 1 description R1 R9 Config router neighbor 192 168 0 1 next hop self R9 Config router neighbor 192 168 0 1 update source loopback 0 R9 Config router neighbor 192 168 0 2 remote as 65001 R9 Config router neighbor 192 ...

Page 204: ...numberof next hops BGP may include in an ECMP routederived from paths received from neighbors outside the local autonomous system R3 Config router maximum paths 4 8 Enable the logging of adjacency state changes R3 Config router bgp log neighbor changes 9 Configure BGP to advertise connected routes with a metric value of 100 R3 Config router redistribute connected metric 100 10 Configure the keepal...

Page 205: ...and multicast Unicast addresses allow direct one to one communication between two hosts whereas multicast addresses allow one to many communication Multicast addresses are used as destinations only Unicast addresses will have 00 through fe in the most significant octets and multicast addresses will have ff in the most significant octets 7 6 2 How are IPv6 Interface Configured In the QNOS software ...

Page 206: ... a packet is sent over such a link it is encapsulated in IPv4 in order to traverse an IPv4 network and has the IPv4 headers removed at the other end of the tunnel 7 6 3 Default IPv6 Routing Values Table 15 shows the default values for the IP routing features this section describes Table 7 4 IPv6 Routing Defaults Table 16 shows the default IPv6 interface values after a VLAN routing interface has be...

Page 207: ...7 6 4 1 Configuring Global IP Routing Settings Use the following commands to configure various global IP routing settings for the QNOS software Table 7 6 Global IP Routing Settings 7 6 4 2 Configuring IPv6 Interface Settings Use the following commands to configure IPv6 settings for VLAN tunnel or loopback interfaces ...

Page 208: ...208 Table 7 7 IPv6 Interface Settings 7 6 4 3 Configuring IPv6 Neighbor Discovery Use the following commands to configure IPv6 Neighbor Discovery settings ...

Page 209: ...209 Table 7 8 IPv6 Neighbor Discovery Settings ...

Page 210: ...ute Table Entries and Route Preferences Use the following commands to configure IPv6 Static Routes Table 7 9 IPv6 Static Routes 7 6 4 5 IPv6 Show Commands Use the following commands to view IPv6 configuration status and related data ...

Page 211: ... the packet Source and Destination IP address of the packet Source IP address and Source TCP UDP Port field associated with the packet Destination IP address and Destination TCP UDP Port field associated with the packet Source Destination IP address and Source Destination TCP UDP Port field associated with the packet For tunneled packets the user also must select whether the inner or the outer IP ...

Page 212: ...mplementation works with IPv4 and IPv6 networks and supports IPv4 v6 address based encapsulations 7 8 1 Configuring BFD The following command sequence enables BFD and configures session parameters 1 First globally enable BFD Switch configure Switch Config feature bfd 2 Configure session settings These can be configured globally or on a per interface basis Switch Config bfd interval 100 min_rx 200 ...

Page 213: ...r but the routes and host entries are distributed across the virtual routing domains based on the user configuration IP prefixes can overlap between two VR instances The same IP address can be configured on two interfaces that are a part of different VR instances A packet is routed based on the route table look up result in the corresponding VR instance The VR instance is derived based on the ingr...

Page 214: ...in the router For bidirectionaltraffic to work betweenVRs using leaked routes the correspondingroutes should be leaked between the VRs 7 9 4 CPU Originated Traffic For CPU originated traffic from different applications ping traceroute syslog IP helper that may use the leakedroutesto accessthe destination or sharedservice the followingconditionsare requiredto ensure proper operation 1 The sourceIP ...

Page 215: ... not cause the switch to reboot All OSPF features including graceful restart and NSF are supported for OSPFv2 in each VR instance OSPF v3 The OSPFv3 protocol is supported only in the default router RIP RIP is not currently supported in the Virtual Router VRRP The Virtual Routing Redundancy Protocol is a fault tolerance feature that enables two or more routers to appear as one router to the IP clie...

Page 216: ...otocols working at L2 IP Helper IP Helper relays the broadcast packets received on a Routing interface in the VRF context to the configured server address The server is looked up in the RTO specific to that VR only Relay across VRs is not supported OpEN API The applications using existing OpEN APIs are not affected by the VRF feature Layer 2 Features The VRF feature does not affect the switch laye...

Page 217: ...10 10 0 24 and11 11 11 0 24 belongto the virtual routingdomain HR Dept and subnetworks 20 20 20 0 24 and 22 22 22 0 24 belong to virtual routing domain Finance Dept Hence the hosts in networks 10 10 10 0 24 can communicate only with other network 11 11 11 0 24 via the router and the hosts in networks 20 20 20 0 24can communicateonly with other network 22 22 22 0 24via the router If there is a shar...

Page 218: ...ernal Type 1 E2 OSPF External Type 2 N1 OSPF NSSA External Type 1 N2 OSPF NSSA External Type 2 L Leaked Route C 20 20 20 0 24 0 1 directly connected vlan 20 C 22 22 22 0 24 0 1 directly connected vlan 22 S L 30 30 30 0 24 1 1 directly connected vlan 30 S L 50 50 50 0 24 1 1 via 30 30 30 2 02d 22h 15m Vlan 30 Switch show ip route Route Codes R RIP Derived O OSPF Derived C Connected S Static B BGP D...

Page 219: ...f Blue Switch Config vrf Blue description human resources department Switch Config vrf Blue maximum routes 4096 Switch Config vrf Blue ip routing Switch Config vrf Blue exit 2 In Interface Config mode assign interfaces to each virtual router Switch Config interface 0 1 Switch Interface 1 0 1 ip vrf forwarding Red Warning routing interface moved from Default router instance to Red router instance S...

Page 220: ... 0 0 1 24 Switch Interface 0 27 interface 0 26 Switch Interface 0 26 routing Switch Interface 0 26 ip address 9 0 0 1 24 Switch Interface 0 26 exit Switch Config ip route 56 6 6 0 255 255 255 0 9 0 0 2 4 To leak routes from the global routing table to the VRF route table use the following example Switch Config ip route vrf Red 9 0 0 2 255 255 255 255 9 0 0 2 0 26 Switch Config ip route vrf Red 56 ...

Page 221: ... 255 255 255 When a packet with a broadcast or multicast destination IP address is received the switch will forward a copy into each of the remaining network segments in accordance with the IEEE MAC Bridge standard Eventually the packet is made accessible to all nodes connected to the network This approach works well for broadcast packets that are intended to be seen or processed by all connected ...

Page 222: ...e IGMP Snooping If the local network does not have a multicast router you can configure the switch to act as the IGMP querier For more information see IGMP Snooping Querier If the switch is configured as a L3 switch and handles inter VLAN routing through static routes or OSPF and multicast traffic is transmitted within the network enabling and configuring L3 multicast routing on the switch is reco...

Page 223: ...que upstream interface explicitly configured It performs the host side of the IGMP protocol on its upstream interface and the router side of the IGMP protocol on its downstream interfaces The IGMPproxyoffersa mechanism for multicastforwarding basedonly onIGMPmembership information The router must decide about forwarding packets on each of its interfaces based on the IGMP membership information The...

Page 224: ...a Join Prune Graftmechanism to build a tree PIM switches support two types of PIM sparse mode PIM SM and dense mode PIM DM PIM SM is most effective in networks with a sparse population of multicast receivers In contrast PIM DM is most effective in networks with densely populated multicast receivers In other words PIM DM can be used if the majority of network hosts request to receive a multicast st...

Page 225: ... use of reverse path forwarding RPF PIM DM assumes that when a sender starts sending data all downstream routers and hosts want to receive a multicast datagram PIM DM initially floods multicast traffic throughout the network Routers that do not have any downstream neighbors prune back the unwanted traffic In addition to PRUNE messages PIM DM makes use of graft and assert messages Graft messagesare...

Page 226: ...226 Table 8 2 L3 Multicast Defaults ...

Page 227: ...r the multicast group Note PIM does not require OSPF specifically static routing could also be configured for unicast routing The configuration in this example takes place on L3 switch A shown in Figure 33 The red arrows indicate the path that multicast traffic takes L3 Switch A is configured as the RP for the PIM domain so it is in charge of sending the multicast stream to L3 Switch B and L3 Swit...

Page 228: ...hport native vlan 10 QCT Interface 0 23 switchport allowed vlan remove 1 QCT Interface 0 23 exit QCT Config interface 0 24 QCT Interface 0 24 switchport allowed vlan add 20 QCT Interface 0 24 switchport native vlan 20 QCT Interface 0 24 switchport allowed vlan remove 1 QCT Interface 0 24 exit 4 Enable routing on the switch and configure the OSPF router ID QCT Config ip routing QCT Config router os...

Page 229: ...erface QCT if vlan20 ip igmp QCT if vlan20 ip igmp version 2 QCT if vlan20 ip pim QCT if vlan20 exit 9 Globally enable IGMP snooping IP multicast IGMP and PIM SM on the switch QCT Config ip igmp snooping QCT Config ip multicast QCT Config ip igmp QCT Config ip pim sparse 10 Configure VLAN 10 as the RP and specify the range of multicast groups for PIM SM to control QCT Config ip pim rp address 192 ...

Page 230: ...r Switch 2 if vlan1 ipv6 mld version 1 8 3 3 Example 2 MLDv2 Configuration Switch 1 Configuration Step 1 Enable MLD and relative routing command on global mode Switch 1 Config ip routing Switch 1 Config ipv6 mld router Switch 1 Config ipv6 unicast routing Switch 1 Config ip multicast Step 2 Enable MLD on specific interface or VLAN interface Switch 1 Config interface range 0 3 0 9 Switch 1 Interfac...

Page 231: ...ber Query Interval milli secs 1000 Last Member Query Count 2 Check multicast group information under vlan 1 Switch 1 Config show ipv6 mld groups vlan 1 Group Address ff15 777 Interface vlan 1 Up Time hh mm ss 00 00 19 Expiry Time hh mm ss 00 04 03 Check multicast group ff15 777 information Switch1 Config show ipv6 mld groups ff15 777 Interface vlan 1 Group Address ff15 777 Last Reporter fe80 1 Up ...

Page 232: ...riorities within a single physical link By pausing the congested priority or priorities independently protocols that are highly loss sensitive can share the same link with traffic that has different loss tolerances Thisfeatureis usedinnetworks wherethetraffichasdifferinglosstolerances Forexample FibreChannel traffic is highly sensitive to traffic loss If a link contains both loss sensitivedata and...

Page 233: ...gurable on physical full duplex interfaces only To enable PFC on a Port channel interface the member interfaces must have the same configuration When PFC is disabled the interface defaults to the IEEE 802 3 flow control setting for the interface PFC is disabled by default If you enable priority based flow control for a particular priority value on an interface make sure 802 1p priority values are ...

Page 234: ...t the capabilities of the peer device It is a means to determine if the peer device supports a particular feature such as PFC DCB feature misconfiguration detection DCBX can be used to detect misconfiguration of a feature between the peers on a link Misconfiguration detection is feature specific because some features may allow asymmetric configuration Peer configuration of DCB features DCBX can be...

Page 235: ... in the manual role do not have their configuration affected by peer devices or by internal propagation of configuration These ports have their operational mode traffic classes and bandwidth informationspecified explicitly by the operator These ports advertise their configurationto their peer if DCBX is enabled on that port Incompatible peer configurations are logged and counted with an error coun...

Page 236: ...ion ports however no automatic electionof a new configuration sourceport is allowed Eventsthat causeselectionof a new configuration source are ignored The configuration received over the configuration source port is maintained until cleared by the operator set the port to the manual role 9 3 3 Configuration Source Port Selection Process When an auto upstream or auto downstream port receives a conf...

Page 237: ...ut the configuration source port into manual mode When a new port is selected as configuration source it is marked as the configuration source the DCBX configurationis refreshedon all auto configuration ports and each port may begin configuration negotiation with their peer again if any information has changed 9 3 4 Configuring DCBX In this example port 0 1 on the QNOS switch connects to a FCoE fa...

Page 238: ...ts have no place to be held for transmissionand get droppedby the device The drop precedence of a packet is an indication of whether the packet is more or less likely to be dropped during times of queue congestion Often referred to as packet coloring a low drop precedence green allows the packet to be transmitted under most circumstances a higher drop precedence yellow subjects the packet to dropp...

Page 239: ...Precedence IP DSCP Packets arriving at the port ingress are inspected and their trusted field value is used to designate the COS queue that the packet is placed when forwardedto the appropriateegress port A mapping table associates the trusted field value with the desired COS queue 9 4 1 2 Un trusted Port Default Priority Alternatively a port may be configured as un trusted whereby it does not tru...

Page 240: ...bandwidth TCG configuration parameters are similar to that of COS queues That is the configuration of scheduling attributes such as minimum bandwidth maximum bandwidth and schedulingalgorithm also apply to TCG The behavior of a TCG with respect to scheduling algorithm and bandwidth allocation configuration is the same as that of COS Queues Each TCG is associated with a weight percentage which defi...

Page 241: ...nsitive traffic even during traffic bursts Assign 802 1p priority 7 traffic to TCG0 QCT Config classofservice traffic class group 4 1 QCT Config classofservice traffic class group 1 2 QCT Config classofservice traffic class group 7 0 4 Enable VLAN tagging on the ports so the 802 1p priority is identified The interfaces in this example are members of VLAN 100 which has been previously configured QC...

Page 242: ...n to DCBX are as follows Willing Bit This bit is set to TRUE for auto upstream interfaces if there is no configuration source or FALSE if there is a configuration source and FALSE for auto downstream and manual ports Credit based Shaper support and Max TC These are platform specific values Priority Assignment Table Table 25 contains the default values advertised by DCBX to the peer DCBX device If ...

Page 243: ...eed to occur 1 Configure COS queues to Traffic Class Group mapping for the egress ports 2 Configure weight percentage bandwidth allocation for each TCG 3 Enable appropriate scheduling algorithm for each TCG CoS information is exchanged with peer DCBX devices using ETS TLVs As part of the ETS TLV by default DCBX advertises the following parameters which are populated on per port basis Mapping betwe...

Page 244: ...ant systems can participatein a VXLANby using a VXLAN gateway A VXLAN gateway is a networkingdevice that does VXLAN encapsulationand decapsulation A server s first hoprouter often referredto as a top of rack ToR device can be a VXLAN gateway With VXLAN the inner Ethernet header can optionally include an incoming VLAN tag The VXLAN application always strips the inner VLAN information from the incom...

Page 245: ...y being that the data center networks that would be used as underlays often do not enable IP multicast because it does not scale to the size of large public cloud networks Because of this limitation VXLAN implementation requires user configuration of the remote VTEPs associated with a particular VPN Dynamic VTEP learning through IP multicast is not currently supported Whena gatewayreceivesa broadc...

Page 246: ...hes that supported earlier draft versions used custom defined UDP port numbers To be compatible with those switches VXLAN supports switch level VXLAN UDP destination port configuration By default the VXLAN UDP destination port is set to 4789 on the switch The switch terminates incoming VXLAN traffic when the UDP destination port in the VXLAN header matches 4789 and encapsulates VXLAN tenant traffi...

Page 247: ...MAC address of a tenant system behind a remote VTEP For access side entries the associated interface is the physical or Port channel interface who are members of the configured VXLAN VLAN The MAC address in access side entries is the MAC address of a tenant system behind the local interface physical or Port channel interface VXLAN MAC entries are not listed in the show mac addr table command outpu...

Page 248: ...y default Note At VXLAN initiation payload fields are used for hashing at the egress and also to generate the entropy into the UDP source port which becomes part of VXLAN tunnel information This UDP source port can be used by transit switches for hashing purposes 9 6 2 9 MTU VXLAN encapsulation adds 50 bytes of overhead This additional overhead can cause an encapsulatedpacket to exceed the MTU of ...

Page 249: ...d and multitenant data center designs over a shared common physical infrastructure For crossing the Layer 3 network VXLAN uses MAC in UDP encapsulation scheme The original Layer 2 frame are added a VXLAN header and is encapsulated in a IP UDP packet With this MAC in UDP encapsulation VXLAN tunnels Layer 2 network over Layer 3 network The difference between VLAN and VXLAN VLANs uses a 12 bit VLAN I...

Page 250: ...EP capable router Crossing Layer 3 boundary No Yes ECMP support No Yes Table 9 4 VLAN and VXLAN Comparison 9 6 3 1 Unicast VXLAN Configuration Figure 9 2 Unicast VXLAN Topology Switch 1 Configuration Step 1 Create VLAN 201 Switch 1 configure Switch 1 Config vlan database Switch 1 Vlan vlan 201 ...

Page 251: ...able OSPF and add network Switch 1 configure Switch 1 Config router ospf Switch 1 config router router id 10 1 1 1 Switch 1 config router network 10 1 1 1 0 0 0 0 area 0 Switch 1 config router network 11 1 1 0 0 0 0 3 area 0 Switch 1 config router exit Step 5 Enable VXLAN and configure static VXLAN unicast group Switch 1 Config interface vxlan 1 Switch 1 if vxlan 1 vxlan mode unicast Switch 1 if v...

Page 252: ...F and add network Switch 2 configure Switch 2 Config router ospf Switch 2 config router router id 10 1 1 2 Switch 2 config router network 10 1 1 2 0 0 0 0 area 0 Switch 2 config router network 11 1 1 0 0 0 0 3 area 0 Switch 2 config router exit Step 5 Enable VXLAN and configure static VXLAN unicast group Switch 1 Config interface vxlan 1 Switch 1 if vxlan 1 vxlan mode unicast Switch 1 if vxlan 1 v...

Page 253: ...dress 10 1 1 3 10 1 1 2 show remote VTEP learning status Switch 1 show vxlan vtep Remote VTEPs for Vxlan 10 1 1 2 Check the VXLAN address table Switch 1 show vxlan address table Tenant ID Tenant MAC VTEP Interface AppIfIndex Entry Type 201 00 00 00 00 00 0A 0 1 8529 Learned 201 00 00 00 00 00 0B 10 1 1 2 338 Learned ...

Page 254: ...254 Appendix A Term and Acronyms Table 9 5 Terms and Acronyms ...

Page 255: ...255 Table 9 6 Terms and Acronyms Cont ...

Page 256: ...256 Table 9 7 Terms and Acronyms Cont ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands