IBM RackSwitch G8000 Скачать руководство пользователя страница 209

Страница: 209 / 362

Chapter 17. IPsec with IPv6

207

Setting Up a Key Policy

When configuring IPsec, you must define a key policy. This key policy can be either

manual or dynamic. Either way, configuring a policy involves the following steps:
•

Create a transform set—This defines which encryption and authentication algo-

rithms are used.

•

Create a traffic selector—This describes the packets to which the policy applies.

•

Establish an IPsec policy.

•

Apply the policy.

1. To define which encryption and authentication algorithms are used, create a

transform set:

where the following parameters are used:
–

transform ID

A number from 1-10

–

encryption method

One of the following:

esp-des

esp-3des

esp-aes-cbc

esp-null

–

integrity algorithm

One of the following:

esp-sha1

esp-md5

none

–

AH authentication algorithm

One of the following:

ah-sha1

ah-md5

none

2. Decide whether to use tunnel or transport mode. The default mode is transport.

3. To describe the packets to which this policy applies, create a traffic selector

using the following command:

where the following parameters are used:
–

traffic selector number

an integer from 1-10

–

permit

deny

whether or not to permit IPsec encryption of traffic that meets

the criteria specified in this command

–

any

apply the selector to any type of traffic

–

icmp

<type>

any

only apply the selector only to ICMP traffic of the

specified

type

(an integer from 1-255) or to any ICMP traffic

–

tcp

only apply the selector to TCP traffic

–

source IP address

any

the source IP address in IPv6 format or “any” source

–

destination IP address

any

the destination IP address in IPv6 format or “any”

destination

–

prefix length

(Optional) the length of the destination IPv6 prefix; an integer

from 1-128

Permitted traffic that matches the policy in force is encrypted, while denied traffic
that matches the policy in force is dropped. Traffic that does not match the policy
bypasses IPsec and passes through

clear

(unencrypted).

4. Choose whether to use a manual or a dynamic policy.

RS G8000(config)#

ipsec transform-set

<transform ID>

<encryption method>

<integrity algorithm> <AH authentication algorithm>

RS G8000(config)#

ipsec transform-set tunnel

transport

RS G8000(config)#

ipsec traffic-selector

<traffic selector number>

permit|deny any|icmp

<type|

any

|tcp

> <source IP address|

any

> <destination IP

address|

any

[

<prefix length>

]

Содержание RackSwitch G8000

Страница 1: ...RackSwitch G8000 Application Guide...

Страница 2: ......

Страница 3: ...RackSwitch G8000 Application Guide...

Страница 4: ...Environmental Notices and User Guide documents on the IBM Documentation CD and the Warranty Information document that comes with the product First Edition November 2011 Copyright IBM Corporation 2011...

Страница 5: ...nfiguration 31 Domain Specific BOOTP Relay Agent Configuration 32 Switch Login Levels 33 Setup vs the Command Line 34 Chapter 2 Initial Setup 35 Information Needed for Setup 35 Default Setup Options 3...

Страница 6: ...61 Logging into an End User Account 62 Chapter 5 Authentication Authorization Protocols 63 RADIUS Authentication and Authorization 63 How RADIUS Authentication Works 63 Configuring RADIUS on the Switc...

Страница 7: ...VLAN Topologies and Design Considerations 99 Multiple VLANs with Tagging Adapters 99 VLAN Configuration Example 101 Protocol Based VLANs 102 Port Based vs Protocol Based VLANs 103 PVLAN Priority Leve...

Страница 8: ...126 Port States 126 RSTP Configuration Guidelines 126 RSTP Configuration Example 126 Multiple Spanning Tree Protocol 127 MSTP Region 127 Common Internal Spanning Tree 127 MSTP Configuration Guidelines...

Страница 9: ...n an Existing Stack 159 Replacing or Removing Stacked Switches 161 Removing a Switch from the Stack 161 Installing the New Switch or Healing the Topology 161 Binding the New Switch to the Stack 162 IS...

Страница 10: ...tion 195 IPv6 Interfaces 196 Neighbor Discovery 197 Supported Applications 199 Configuration Guidelines 201 IPv6 Configuration Examples 202 Chapter 17 IPsec with IPv6 203 IPsec Protocols 203 Using IPs...

Страница 11: ...figuration 231 Troubleshooting 234 Additional IGMP Features 236 FastLeave 236 IGMP Filtering 236 Static Multicast Router 238 Chapter 20 Multicast Listener Discovery 239 MLD Terms 240 How MLD Works 241...

Страница 12: ...ords 267 Configuring MD5 Authentication 268 Host Routes for Load Balancing 269 Loopback Interfaces in OSPF 269 OSPF Features Not Supported in This Release 270 OSPFv2 Configuration Examples 270 Example...

Страница 13: ...00 Active Active Redundancy 301 Virtual Router Group 301 IBM N OS Extensions to VRRP 302 Virtual Router Deployment Considerations 303 High Availability Configurations 304 VRRP High Availability Using...

Страница 14: ...ion 328 Saving the Switch Configuration 328 Saving a Switch Dump 329 Part 8 Monitoring 331 Chapter 28 Remote Monitoring 333 RMON Overview 333 RMON Group 1 Statistics 333 RMON Group 2 History 334 Histo...

Страница 15: ...Documentation format 351 Electronic emission notices 352 Federal Communications Commission FCC statement 352 Industry Canada Class A emission compliance statement 352 Avis de conformit la r glementat...

Страница 16: ...16 RackSwitch G8000 Application Guide...

Страница 17: ...ation and statistics This chapter discusses a variety of manual administration interfaces including local management via the switch console and remote administration via Telnet a web browser or via SN...

Страница 18: ...single aggregate switch entity Chapter 14 VMready discusses virtual machine VM support on the G8000 Part 5 IP Routing Chapter 15 Basic IP Routing describes how to configure the G8000 for IP routing us...

Страница 19: ...anagement Protocol describes how to configure the switch for management through an SNMP client Part 8 Monitoring Chapter 28 Remote Monitoring describes how to configure the RMON agent on the switch so...

Страница 20: ...r placeholder Replace the indicated text with the appropriate real name or value when using the command Do not type the brackets To establish a Telnet session enter host telnet IP address This also sh...

Страница 21: ...with your product provides details for contacting a customer support representative If you are unable to locate this information please contact your reseller Before you call prepare the following inf...

Страница 22: ...20 RackSwitch G8000 Application Guide...

Страница 23: ...Copyright IBM Corp 2011 21 Part 1 Getting Started...

Страница 24: ...22 RackSwitch G8000 Application Guide...

Страница 25: ...on or an optional Telnet or SSH session The built in Browser Based Interface BBI available using a standard web browser SNMP support for access through network management software such as IBM Director...

Страница 26: ...an IPv6 address can be obtained using IPv6 stateless address configuration Note Throughout this manual IP address is used in places where either an IPv4 or IPv6 address is allowed IPv4 addresses are e...

Страница 27: ...ork management system or a Web browser For more information see the documents listed in Additional References on page 17 Using Telnet A Telnet connection offers the convenience of accessing the switch...

Страница 28: ...on at that time Similarly the system will fail to do the key generation if a SSH SCP client is logging in at that time The supported SSH encryption and authentication methods are Server Host Authentic...

Страница 29: ...access the BBI is port 80 However you can change the default Web server port with the following command To access the BBI from a workstation open a Web browser window and type in the URL using the IP...

Страница 30: ...n a client such as a web browser connects to the switch the client is asked to accept the certificate and verify that the fields match what is expected Once BBI access is granted to the client the BBI...

Страница 31: ...avigation Window This window provides a menu list of switch features and functions System this folder provides access to the configuration elements for the entire switch Switch Ports Configure each of...

Страница 32: ...the switch The default read community string on the switch is public and the default write community string is private The read and write community strings on the switch can be changed using the follo...

Страница 33: ...lient The request is forwarded as a UDP Unicast MAC layer message to the BOOTP DHCP servers configured for the client s VLAN or to the global BOOTP DHCP servers if no domain specific BOOTP DHCP server...

Страница 34: ...is using the following commands Domain Specific BOOTP Relay Agent Configuration Use the following commands to configure up to five domain specific BOOTP relay agents for each of up to 10 VLANs As with...

Страница 35: ...gure and troubleshoot problems on the G8000 Because administrators can also make temporary operator level changes as well they must be aware of the interactions between temporary and permanent changes...

Страница 36: ...plete access to the switch If the switch is still set to its factory default configuration the system will ask whether you wish to run Setup see Initial Setup on page 35 a utility designed to help you...

Страница 37: ...Whether to use VLAN tagging or not as appropriate Optional configuration for each VLAN Name of VLAN Which ports are included in the VLAN Optional configuration of IP parameters IP address mask and VLA...

Страница 38: ...Basic System Configuration When Setup is started the system prompts 1 Enter y if you will be configuring VLANs Otherwise enter n If you decide not to configure VLANs during this session you can config...

Страница 39: ...second press Enter The system then displays the date and time settings 8 Turn Spanning Tree Protocol on or off at the prompt Enter y to turn off Spanning Tree or enter n to leave Spanning Tree on Setu...

Страница 40: ...iation mode If you selected a port that has a Gigabit Ethernet connector the system prompts Enter on to enable port autonegotiation off to disable it or press Enter to keep the current setting 5 If co...

Страница 41: ...this VLAN When you are finished adding ports to this VLAN press Enter without specifying any port 4 Configure Spanning Tree Group membership for the VLAN 5 The system prompts you to configure the next...

Страница 42: ...nterface enter the IP address in IPv4 dotted decimal notation To keep the current setting press Enter 3 At the prompt enter the IPv4 subnet mask in dotted decimal notation To keep the current setting...

Страница 43: ...s are currently supported They can be configured using the following commands Using Loopback Interfaces for Source IP Addresses The switch can use loopback interfaces to set the source IP addresses fo...

Страница 44: ...ed When all default gateways have been configured press Enter without specifying any number IP Routing When IP interfaces are configured for the various IP subnets attached to your switch IP routing b...

Страница 45: ...at the prompt Enter y to apply the changes or n to continue without applying Changes are normally applied 4 At the prompt decide whether to make the changes permanent Enter y to save the changes to fl...

Страница 46: ...p is optional Perform this procedure only if you are planning on connecting to the G8000 through a remote Telnet connection 1 Telnet is enabled by default To change the setting use the following comma...

Страница 47: ...ON Although the typical upgrade process is all that is necessary in most cases upgrading from or reverting to some versions of IBM Networking OS requires special steps prior to or after the software i...

Страница 48: ...is normally relative to the FTP or TFTP directory usually tftpboot 5 Enter your username for the server if applicable If entering an FTP server username you will also be prompted for the password The...

Страница 49: ...onfiguration mode to select which software image image1 or image2 you want to run in switch memory for the next reboot The system will then verify which image is set to be loaded at the next reset 7 R...

Страница 50: ...Management Menu The Boot Management menu allows you to switch the software image reset the switch to factory defaults or to recover from a failed software download You can interrupt the boot process a...

Страница 51: ...t characteristics Speed 9600 bps Data Bits 8 Stop Bits 1 Parity None Flow Control None 3 Boot the switch and access the Boot Management menu by pressing Shift B while the Memory Test is in progress an...

Страница 52: ...see the following message change the Serial Port characteristics to 115200 bps 10 Press Enter to continue the download yzModem CRC mode 62494 SOH 0 STX 0 CAN packets 6 retries Extracting images Do NO...

Страница 53: ...following is displayed 13 When you see the following message change the Serial Port characteristics to 9600 bps 14 Press the Escape key Esc to re display the Boot Management menu 15 Select 4 to exit a...

Страница 54: ...52 RackSwitch G8000 Application Guide...

Страница 55: ...Copyright IBM Corp 2011 53 Part 2 Securing the Switch...

Страница 56: ...54 RackSwitch G8000 Application Guide...

Страница 57: ...s between a remote administrator and the switch SSH is a protocol that enables remote administrators to log securely into the G8000 over a network to execute management commands SCP is typically used...

Страница 58: ...rd is admin Using SSH and SCP Client Commands This section shows the format for using some client commands The following examples use 205 178 15 157 as the IP address of a sample switch To Log In to t...

Страница 59: ...he new and the current configurations putcfg_apply runs the apply command after the putcfg is done putcfg_apply_save saves the new configuration to the flash after putcfg_apply is done The putcfg_appl...

Страница 60: ...e G8000 through the console port commands are not available via external Telnet connection and enter the following command to generate it manually When the switch reboots it will retrieve the host key...

Страница 61: ...ername ace to bypass the SSH authentication After an SSH connection is established you are prompted to enter the username and password the SecurID authentication is being performed now Provide your us...

Страница 62: ...e user password on the Radius server Radius authentication and user password cannot be used concurrently to access the switch Passwords for end users can be up to 128 characters in length for TACACS R...

Страница 63: ...abled before the switch recognizes and permits login under the account Once enabled the switch requires any user to enter both username and password Listing Current Users The following command display...

Страница 64: ...ing into an End User Account Once an end user account is configured and enabled the user can login to the switch using the username password combination The level of switch access is determined by the...

Страница 65: ...cation consists of the following components A protocol with a frame format that utilizes UDP over IP based on RFC 2138 and 2866 A centralized server that stores all the user authorization information...

Страница 66: ...RFC 2138 and RFC 2866 Allows RADIUS secret password up to 32 bytes and less than 16 octets Supports secondary authentication server so that when the primary authentication server is unreachable the sw...

Страница 67: ...on server the switch will verify the privileges of the remote user and authorize the appropriate access The administrator has an option to allow secure backdoor access via Telnet SSH BBI Secure backdo...

Страница 68: ...quires additional programmable variables such as re transmit attempts and time outs to compensate for best effort transport but it lacks the level of built in support that a TCP transport offers TACAC...

Страница 69: ...etween TACACS authorization levels and N OS management access levels is shown in Table 6 Use the following command to set the alternate TACACS authorization levels If the remote user is successfully a...

Страница 70: ...Command Authorization When TACACS Command Logging is enabled N OS configuration commands are logged on the TACACS server Use the following command to enable TACACS Command Logging The following exampl...

Страница 71: ...this case the switch Each entry in the LDAP server is referenced by its Distinguished Name DN The DN consists of the user account name concatenated with the LDAP domain name If the user account name i...

Страница 72: ...You may change the default TCP port number used to listen to LDAP optional The well known port for LDAP is 389 4 Configure the number of retry attempts for contacting the LDAP server and the timeout...

Страница 73: ...t prevents access to ports that fail authentication and authorization This feature provides security to ports of the RackSwitch G8000 G8000 that connect to blade servers The following topics are discu...

Страница 74: ...ator The Authenticator enforces authentication and controls access to the network The Authenticator grants network access based on the information provided by the Supplicant and the response from the...

Страница 75: ...anged between the G8000 authenticator and the RADIUS server Authentication is initiated by one of the following methods The G8000 authenticator sends an EAP Request Identity packet to the client The c...

Страница 76: ...off message to the G8000 authenticator the port transitions from authorized to unauthorized state If a client that does not support 802 1X connects to an 802 1X controlled port the G8000 authenticator...

Страница 77: ...ll access to the port Use the 802 1X global configuration commands dot1x to configure 802 1X authentication for all ports in the switch Use the 802 1X port commands to configure a single port Guest VL...

Страница 78: ...of the authenticator used for Radius communication 1 0 0 0 5 NAS Port Port number of the authenticator port to which the supplicant is attached 1 0 0 0 24 State Server specific value This is sent unm...

Страница 79: ...e authenticator relays the decoded packet to both devices 1 1 1 1 80 Message Authenticator Always present whenever an EAP Message attribute is also included Used to integrity protect a packet 1 1 1 1...

Страница 80: ...2 1X supplicant capability is not supported Therefore none of its ports can successfully connect to an 802 1X enabled port of another device such as another switch that acts as an authenticator unless...

Страница 81: ...ACLs are configured using the following ISCLI command path VLAN Maps VMaps Up to 128 VLAN Maps are supported for attaching filters to VLANs rather than ports See VLAN Maps on page 88 for details Summa...

Страница 82: ...ubnet mask Type of Service value IP protocol number or name as shown in Table 8 IPv6 header options for IPv6 ACLs only Source IPv6 address and prefix length Destination IPv6 address and prefix length...

Страница 83: ...the switch treats packets that match the classifiers assigned to the ACL G8000 ACL actions include the following Pass or Drop the packet Re mark the packet with a new DiffServ Code Point DSCP Re mark...

Страница 84: ...also matched And whether the ACL action is compatible with preceding ACLs ACLs are automatically divided into precedence groups as follows Precedence Group 1 includes ACL 1 128 Precedence Group 2 incl...

Страница 85: ...edundant entries are ignored Individual ACLs The G8000 supports up to 512 ACLs Each ACL defines one filter rule for matching traffic criteria Each filter rule can also include an action permit or deny...

Страница 86: ...r if the packet conforms to the meter the packet is classified as In Profile Out of Profile If a meter is configured and the packet does not conform to the meter exceeds the committed rate or maximum...

Страница 87: ...mirroring to an ACL For IPv4 ACLs The ACL must be also assigned to it target ports as usual see Assigning Individual ACLs to a Port on page 82 or Assigning ACL Groups to a Port on page 84 For VMaps s...

Страница 88: ...2 with source IP from class 2001 0 0 5 0 0 0 2 128 is denied 1 Configure an Access Control List 2 Add ACL 2 to port 2 RS G8000 config access control list 1 ipv4 destination ip address 100 10 1 1 RS G...

Страница 89: ...l list 2 ethernet ethernet type arp RS G8000 config access control list 2 action deny RS G8000 config interface port 2 RS G8000 config if access control list 2 RS G8000 config if exit RS G8000 config...

Страница 90: ...ypes on page 166 use the global configuration mode Note Each VMap can be assigned to only one VLAN or VM group However each VLAN or VM group may have multiple VMaps assigned to it When the optional se...

Страница 91: ...it like a broadcast packet and floods it to all other ports in the VLAN broadcast domain A high rate of unknown unicast traffic can have the same negative effects as a broadcast storm Configuring Stor...

Страница 92: ...90 RackSwitch G8000 Application Guide...

Страница 93: ...ch Basics This section discusses basic switching functions VLANs Port Trunking Spanning Tree Protocols Spanning Tree Groups Rapid Spanning Tree Protocol and Multiple Spanning Tree Protocol Virtual Lin...

Страница 94: ...92 RackSwitch G8000 Application Guide...

Страница 95: ...verview Setting up virtual LANs VLANs is a way to segment networks to increase network flexibility without changing the physical network topology With network segmentation each switch port connects to...

Страница 96: ...an be configured to any VLAN number between 1 and 4094 Use the following command to view PVIDs Use the following command to set the port PVID Each port on the switch can belong to one or more VLANs an...

Страница 97: ...e that carries VLAN tagging information in the header This VLAN tagging information is a 32 bit field VLAN tag in the frame header that identifies the frame as belonging to a specific VLAN Untagged fr...

Страница 98: ...entifier PVID 1 Figure 3 through Figure 6 illustrate generic examples of VLAN tagging In Figure 3 untagged incoming packets are assigned directly to VLAN 2 PVID 2 Port 5 is configured as a tagged memb...

Страница 99: ...ment As shown in Figure 6 the tagged packet remains unchanged as it leaves the switch through port 5 which is configured as a tagged member of VLAN 2 However the tagged packet is stripped untagged as...

Страница 100: ...Port 4 Port 5 Port 2 Port 3 802 1Q Switch Key Priority CFI VID User_priority Canonical format indicator VLAN identifier PVID 2 Tagged member of VLAN 2 Untagged member of VLAN 2 After DA SA Data CRC Re...

Страница 101: ...32 can include multiple VLANs All ports involved in both trunking and port mirroring must have the same VLAN configuration If a port is on a trunk with a mirroring port the VLAN configuration cannot b...

Страница 102: ...of VLAN 1 so tagging is disabled Server 2 This server is a member of VLAN 1 and has presence in only one IP subnet The associated switch port is only a member of VLAN 1 so tagging is disabled Server 3...

Страница 103: ...ports that belong to other VLANs RS G8000 config interface port 5 RS G8000 config if tagging RS G8000 config if exit RS G8000 config interface port 19 RS G8000 config if tagging RS G8000 config if ex...

Страница 104: ...tagged frame arrives the VLAN ID in the frame s tag is used Each VLAN can contain up to eight different PVLANs You can configure separate PVLANs on different VLANs with each PVLAN segmenting traffic...

Страница 105: ...ports of a PVLAN have the same PVLAN priority level PVLAN Tagging When PVLAN tagging is enabled the switch tags frames that match the PVLAN protocol For more information about tagging see VLAN Taggin...

Страница 106: ...in the example 5 Enable the PVLAN 6 Verify PVLAN operation RS G8000 config interface port 1 2 RS G8000 config if tagging RS G8000 config if exit RS G8000 config vlan 2 RS G8000 config vlan enable Curr...

Страница 107: ...N ports are defined as follows Promiscuous A promiscuous port is a port that belongs to the primary VLAN The promiscuous port can communicate with all the interfaces including ports in the secondary V...

Страница 108: ...fig vlan member 2 RS G8000 config vlan private vlan type primary RS G8000 config vlan private vlan enable RS G8000 config vlan exit RS G8000 config vlan 110 RS G8000 config vlan enable RS G8000 config...

Страница 109: ...and alone non stacking mode or 64 trunks in stacking mode Two trunk types are available static trunk groups portchannel and dynamic LACP trunk groups Each type can contain up to 8 member ports dependi...

Страница 110: ...h multiple links However in some networks a single logical device may include multiple physical devices such as when switches are configured in a stack or when using VLAGs see Virtual Link Aggregation...

Страница 111: ...n the other switch 3 Connect the switch ports that will be members in the trunk group Trunk group 3 on the G8000 is now connected to trunk group 1 on the other switch Note In this example two G8000 sw...

Страница 112: ...pected state The following restrictions apply Any physical switch port can belong to only one trunk group Up to 8 ports can belong to the same trunk group All ports in static trunks must be have the s...

Страница 113: ...port can be aggregated The Link Aggregation ID LAG ID is constructed mainly from the system ID and the port s admin key as follows System ID an integer value based on the switch s MAC address and the...

Страница 114: ...s association with the LACP trunk group is lost When the system is initialized all ports by default are in LACP off mode and are assigned unique admin keys To make a group of ports aggregatable you as...

Страница 115: ...range of potential LACP trunk IDs is 53 104 When an LACP trunk forms the trunk ID is determined by the lowest port number in the trunk For example if the lowest port number is 1 then the LACP trunk I...

Страница 116: ...mbinations is required Source MAC address smac Destination MAC address dmac Both source and destination MAC address IPv4 IPv6 source IP address sip IPv4 IPv6 destination IP address dip Both source and...

Страница 117: ...configures the network so that only the most efficient path is used If that path fails STP automatically configures the best alternative active path on the network to sustain network operations RSTP i...

Страница 118: ...ree automatically sets up another active path on the network to sustain network operations N OS PVRST mode is based on IEEE 802 1w RSTP Like RSTP PVRST mode provides rapid Spanning Tree convergence Ho...

Страница 119: ...rity and path cost If the ports are tagged each port sends out a special BPDU containing the tagged information The generic action of a switch on receiving a BPDU is to compare the received BPDU to it...

Страница 120: ...visible by 16 the value will be automatically rounded down to the nearest valid increment whenever manually changed in the configuration or whenever a configuration file from a release prior to N OS 6...

Страница 121: ...one of the links between them In this case it is desired that STP block the link between the BLADE switches and not one of the G8000 uplinks or the Enterprise switch trunk During operation if one G800...

Страница 122: ...ing normal operation the port path cost is set to a higher value than other paths in the network To configure the port path cost on the switch to switch links in this example use the following command...

Страница 123: ...tance of Spanning Tree is running on all the ports of the G8000 a physical loop is assumed to exist and one of the VLANs is blocked impacting connectivity even though no actual loop exists Figure 12 U...

Страница 124: ...ult STG 1 If ports are tagged each tagged port sends out a special BPDU containing the tagged information Also when a tagged port belongs to more than one STG the egress BPDUs are tagged to distinguis...

Страница 125: ...pply when you add ports to or remove ports from STGs When you add a port to a VLAN that belongs to an STG the port is also added to that STG However if the port you are adding is an untagged port and...

Страница 126: ...rt 2 and Switch D receives the BPDU on port 1 Because there is a network loop between the switches in VLAN 1 either Switch D will block port 8 or Switch C will block port 1 depending on the informatio...

Страница 127: ...d by default 3 Configure the following on Switch B Add port 8 to VLAN 2 and define STG 2 for VLAN 2 VLAN 2 is automatically removed from STG 1 By default VLAN 1 remains in STG 1 4 Configure the follow...

Страница 128: ...02 1D 1998 compatible data units RSTP is not compatible with Per VLAN Rapid Spanning Tree PVRST protocol Port States RSTP port state controls are the same as for PVRST discarding learning and forwardi...

Страница 129: ...up of interconnected bridges that share the same attributes is called an MST region Each bridge within the region must share the following attributes Alphanumeric name Revision number VLAN to STG mapp...

Страница 130: ...in Figure 13 Figure 14 Implementing Multiple Spanning Tree Groups This example shows how multiple Spanning Trees can provide redundancy without wasting any uplink ports In this example the server port...

Страница 131: ...es such as directly to hosts or servers they are placed in the forwarding state as soon as the link is up Edge ports send BPDUs to upstream STP devices like normal STP ports but do not receive BPDUs I...

Страница 132: ...other device point to point shared A half duplex link is a shared segment and can contain more than one device auto The switch dynamically configures the link type Note Any STP port in full duplex mod...

Страница 133: ...ications and limit bandwidth for less critical applications Applications such as video and voice must have a certain amount of bandwidth to work correctly using QoS you can provide that bandwidth when...

Страница 134: ...rameters Select actions to perform on in profile and out of profile traffic Deny packets Permit packets Mark DSCP or 802 1p Priority Set COS queue with or without re marking Queue and schedule traffic...

Страница 135: ...6 8 supports up to 512 ACLs The G8000 allows you to classify packets based on various parameters For example Ethernet source MAC destination MAC VLAN number mask Ethernet type priority IPv4 Source IP...

Страница 136: ...bps multiples of 64 Mbps All traffic within this Committed Rate is In Profile Additionally you set a Maximum Burst Size that specifies an allowed data burst larger than the Committed Rate for a brief...

Страница 137: ...f the traffic for example its source destination and protocol and performs a controlling action on the traffic when certain characteristics are matched Trusted Untrusted Ports By default all ports on...

Страница 138: ...2474 QoS Levels Table 14 shows the default service levels provided by the switch listed from highest to lowest importance Drop Precedence Class 1 Class 2 Class 3 Class 4 Low AF11 DSCP 10 AF21 DSCP 18...

Страница 139: ...arking globally Then you must enable DSCP re marking on any port that you wish to perform this function Interface Port mode Note If an ACL meter is configured for DSCP re marking the meter function ta...

Страница 140: ...ig qos dscp dscp mapping DSCP value 0 63 new value RS G8000 config qos dscp dot1p mapping DSCP value 0 63 802 1p value RS G8000 config interface port 1 RS G8000 config if qos dscp re marking RS G8000...

Страница 141: ...t priority to VoIP COS queue 7 Map priority value to COS queue for non VoIP traffic 8 Assign weight to the non VoIP COS queue RS G8000 config qos transmit queue weight cos 7 0 RS G8000 config qos tran...

Страница 142: ...assigned to standard applications A value of 0 zero indicates a best effort traffic prioritization and this is the default when traffic priority has not been configured on your network The switch can...

Страница 143: ...m 0 to 15 Weight values from 1 to 15 set the queue to use weighted round robin WRR scheduling which distributes larger numbers of packets to queues with the highest weight values For distribution purp...

Страница 144: ...142 RackSwitch G8000 Application Guide...

Страница 145: ...Copyright IBM Corp 2011 143 Part 4 Advanced Switch ing Features...

Страница 146: ...144 RackSwitch G8000 Application Guide...

Страница 147: ...k Aggregation VLAGs With VLAGs two switches can act as a single logical device for the purpose of establishing port trunking Active trunk links from one device can lead to both VLAG peer switches prov...

Страница 148: ...146 RackSwitch G8000 Application Guide...

Страница 149: ...he RackSwitch G8000 The following concepts are covered Stacking Overview on page 148 Stack Membership on page 149 Configuring a Stack on page 153 Managing a Stack on page 157 Upgrading Software in an...

Страница 150: ...k as a whole are the same as for any single switch configured in stand alone mode Stacking Requirements Before IBM N OS switches can form a stack they must meet the following requirements All switches...

Страница 151: ...Virtual Router Redundancy Protocol VRRP Note In stacking mode switch menus and command for unsupported features may be unavailable or may have no effect on switch operation Stack Membership A stack c...

Страница 152: ...ink or Member failures will continue to operate as part of their active stack If multiple stack links or stack Member switches fail thereby separating the Master and Backup into separate sub stacks th...

Страница 153: ...configuration is eligible to take over current stack control when the Master is rebooted or fails The Master automatically synchronizes configuration settings with the specified Backup to facilitate t...

Страница 154: ...ports of these Member switches are placed into operator disabled state Without the Master a stack cannot respond correctly to networking events Stack Member Identification Each switch in the stack ha...

Страница 155: ...creating port trunks include ports from different stack members in the trunks Avoid altering the stack asnum and csnum definitions unnecessarily while the stack is in operation When in stacking mode...

Страница 156: ...e stack trunks To create the recommended topology attach the two designated stacking links in a bidirectional ring As shown in Figure 18 connect each switch in turn to the next starting with the Maste...

Страница 157: ...N using the IPv4 address of the configured IP interface In the event that the Master switch fails if a Backup switch is configured see Assigning a Stack Backup Switch on page 156 the external IP inter...

Страница 158: ...tch Stack name Local switch is the master Local switch csnum 1 MAC 00 00 00 00 01 00 Switch Type 9 Chassis Type 99 Switch Mode cfg Master Priority 225 Stack MAC 00 00 00 00 01 1f Master switch csnum 1...

Страница 159: ...LAN reserved for internal traffic on stacking ports Note Do not use VLAN 4090 for any purpose other than internal stacking traffic Rebooting Stacked Switches using the ISCLI The administrator can rebo...

Страница 160: ...ed into image 1 on the Master switch the Master will push the same firmware to image 1 on each Member switch Reboot Master Performs a software reboot reset of the Master switch The software image spec...

Страница 161: ...king Push Status and view the Image Push Status Information or From the ISCLI use following command to verify the software push 3 Reboot all switches in the stack Use either the ISCLI or the BBI From...

Страница 162: ...shboard Stacking Stack Switches and view the Switch Firmware Versions Information from the Attached Switches in Stack From the ISCLI use the following command RS G8000 config show stack version Switch...

Страница 163: ...f the stacking links in a ring topology removing a stack switch from the interior of the chain can divide the chain and cause serious disruption to the stack operation 2 If removing a Master switch ma...

Страница 164: ...ng command to specify the links to be used in the stacking trunk 8 Attach the required stack link cables to the designated stack links on the new switch 9 Attach the desired network cables to the new...

Страница 165: ...t IBM Corp 2011 Chapter 13 Stacking 163 3 Apply and save your configuration changes Note If replacing the Master switch the Master will not assume control from the Backup unless the Backup is rebooted...

Страница 166: ...k vlan VLAN asnum master backup all default boot stack asnum master backup all no logging log stacking no stack backup no stack name no stack switch number csnum show boot stack asnum master backup al...

Страница 167: ...evel settings such as virtualization policies and ACLs The administrator can also pre provision VEs by adding their MAC addresses or their IPv4 address or VM name in a VMware environment to a VM group...

Страница 168: ...VM Groups The configuration for local VM groups is maintained on the switch locally and is not directly synchronized with hypervisors Local VM groups may include only local elements local switch port...

Страница 169: ...will automatically assign the next unconfigured VLAN when a VE or port is added to the VM group vmap Each VM group may optionally be assigned a VLAN based ACL see VLAN Maps on page 173 vm Add VMs VMs...

Страница 170: ...e settings to the virtualization management server which in turn distributes them to the appropriate hypervisors for VE members associated with the group Creating VM profiles is a two part process Fir...

Страница 171: ...then distributes changes to the appropriate hypervisors For VM membership changes hypervisors modify their internal virtual switch port groups adding or removing server port memberships to enforce th...

Страница 172: ...cifies the IPv4 address and account username that the switch will use for vCenter access Once entered the administrator will be prompted to enter the password for the specified vCenter account The noa...

Страница 173: ...ncludes all the virtual switch port groups to which the VM connects on the source hypervisor The VM profile export feature can be used to distribute the associated port groups to all the potential hos...

Страница 174: ...becomes active on a switch port and immediately assign the proper VM group properties without further configuration Undiscovered VEs are added to or removed from VM groups using the following configur...

Страница 175: ...VLAN or VM group may have multiple VMAPs assigned to it The optional serverports or non serverports parameter can be specified to apply the action to add or remove the VMAP for either the switch serve...

Страница 176: ...nternal use with bandwidth control Optionally if automatic ACL selection is not desired a specific ACL may be selected If there are no unassigned ACLs available txrate cannot be configured Bandwidth P...

Страница 177: ...vCenter scan see vCenter Scans on page 170 Local VE Information A concise list of local VEs and pre provisioned VEs is available with the following ISCLI privileged EXEC command Note The Index number...

Страница 178: ...172 16 46 50 3 vSwitch0 172 16 46 51 0 VMkernel 2 00 50 56 4f f2 85 172 16 46 10 4 vSwitch0 172 16 46 10 0 Mgmt 3 00 50 56 7c 1c ca 172 16 46 10 4 vSwitch0 172 16 46 11 0 VMkernel 4 00 50 56 4e 62 f5...

Страница 179: ...Virtual Machine VM vCenter Name halibut VM OS hostname localhost localdomain VM IP Address 172 16 46 15 VM UUID 001c41f3 ccd8 94bb 1b94 6b94b03b9200 Current VM Host 172 16 46 10 Vswitch vSwitch0 Port...

Страница 180: ...trunk previously configured that includes switch uplink ports 3 and 4 1 Define the server ports 2 Enable the VMready feature 3 Specify the VMware vCenter IPv4 address When prompted enter the user pass...

Страница 181: ...oup contains ports that also exist in other VM groups make sure tagging is enabled in both VM groups In this example configuration no ports exist in more than one VM group 7 Save the configuration RS...

Страница 182: ...180 RackSwitch G8000 Application Guide...

Страница 183: ...g traffic at near line rates the application switch can perform multi protocol routing This section discusses basic routing and advanced routing protocols Basic Routing IPv6 Host Management Routing In...

Страница 184: ...182 RackSwitch G8000 Application Guide...

Страница 185: ...eed The combination of faster routing and switching in a single device allows you to build versatile topologies that account for legacy configurations For example consider a corporate campus that has...

Страница 186: ...t communication is relayed to the default gateway in this case the router for the next level of routing intelligence The router fills in the necessary address information and sends the data back to th...

Страница 187: ...mine which switch ports and IP interfaces belong to which VLANs The following table adds port and VLAN information Note To perform this configuration you must be connected to the switch Command Line I...

Страница 188: ...RS G8000 config vlan enable RS G8000 config vlan exit Port 4 is an untagged port and its PVID is changed from 1 to 3 RS G8000 config interface ip 1 Select IP interface 1 RS G8000 config ip if ip addr...

Страница 189: ...teway fails it is removed from the routing table and an SNMP trap is sent OSPF Integration When a dynamic route is added through Open Shortest Path First OSPF the switch checks the route s gateway aga...

Страница 190: ...d up to five 5 gateways for each static route Use the following command to check the status of ECMP static routes RS G8000 config ip route 10 10 1 1 255 255 255 255 100 10 1 1 1 RS G8000 config ip rou...

Страница 191: ...on a switch interface use the following command DHCP Relay Agent DHCP is described in RFC 2131 and the DHCP relay agent supported on the G8000 is described in RFC 1542 DHCP uses UDP as its transport...

Страница 192: ...ary or secondary servers The client request is forwarded to the BOOTP servers configured on the switch The use of two servers provide failover redundancy However no health checking is supported Use th...

Страница 193: ...Cs for IPv6 related features This chapter describes the basic configuration of IPv6 addresses and how to manage the switch via IPv6 host management RFC 1981 RFC 2404 RFC 2410 RFC 2451 RFC 2460 RFC 246...

Страница 194: ...es to be configured using either IPv4 or IPv6 address formats However the following switch features support IPv4 only Default switch management IP address SNMP trap host destination IP address Bootstr...

Страница 195: ...AA FF FA 4CA2 Unlike IPv4 a subnet mask is not used for IPv6 addresses IPv6 uses the subnet prefix as the network identifier The prefix is the part of the address that indicates the bits that have fix...

Страница 196: ...onfiguration neighbor discovery or when no routers are present Routers must not forward any packets with link local source or destination addresses to other links Multicast Multicast is communication...

Страница 197: ...tions Stateless address configuration Address configuration is based on the receipt of Router Advertisement messages that contain one or more Prefix Information options N OS 6 8 supports stateless add...

Страница 198: ...onfigure an IPv4 address on an IPv6 management interface Each interface can be configured with only one address type either IPv4 or IPv6 but not both When changing between IPv4 and IPv6 address format...

Страница 199: ...itations to discover IPv6 routers When a router receives a Router Solicitation it responds immediately to the host Routers uses Router Advertisements to announce its presence on the network and to pro...

Страница 200: ...ding is turned on all IPv6 interfaces configured on the switch can forward packets You can configure each IPv6 interface as either a host node or a router node You can manually assign an IPv6 address...

Страница 201: ...ollowing format to perform a traceroute to an IPv6 address traceroute host name IPv6 address max hops 1 32 msec delay 1 4294967295 Telnet server The telnet command supports IPv6 addresses Use the foll...

Страница 202: ...ve the hostname with an IPv4 address If no A record is found for that hostname no IPv4 address for that hostname an AAAA query is sent to resolve the hostname with a IPv6 address If you set the reques...

Страница 203: ...ses A single interface can accept only one IPv4 address If you change the IPv6 address of a configured interface to an IPv4 address all IPv6 settings are deleted A single VLAN can support only one IPv...

Страница 204: ...ghbor Discovery advertisements for the interface optional 4 Verify the configuration RS G8000 config interface ip 2 RS G8000 config ip if ip6host RS G8000 config ip if enable RS G8000 config ip if exi...

Страница 205: ...rts DH groups 1 2 5 14 and 24 The following topics are discussed in this chapter IPsec Protocols on page 203 Using IPsec with the RackSwitch G8000 on page 204 IPsec Protocols The IBM N OS implementati...

Страница 206: ...o the following IKEv2 SAs 5 IPsec SAs 10 5 SAs in each direction SPDs 20 10 policies in each direction IPsec is implemented as a software cryptography engine designed for handling control traffic such...

Страница 207: ...le 3 Import the host certificate file RS G8000 config ikev2 proposal RS G8000 config ikev2 prop encryption 3des aes cbc des default 3des RS G8000 config ikev2 prop integrity md5 sha1 default sha1 RS G...

Страница 208: ...tion type by entering one of the following commands To disable IKEv2 RSA signature authentication method and enable preshared key authentication enter RS G8000 config access https generate certificate...

Страница 209: ...arameters are used traffic selector numberan integer from 1 10 permit denywhether or not to permit IPsec encryption of traffic that meets the criteria specified in this command anyapply the selector t...

Страница 210: ...ator key code in hexadecimal outbound AH IPsec key The outbound AH key code in hexadecimal outbound AH IPsec SPI A number from 256 4294967295 outbound ESP cipher key The outbound ESP key code in hexad...

Страница 211: ...ble disable Whether to enable or disable the perfect forward security feature The default is disable Note In a dynamic policy the AH and ESP keys are created by IKEv2 3 After you configure the IPSec p...

Страница 212: ...210 RackSwitch G8000 Application Guide...

Страница 213: ...nts routing loops from continuing indefinitely by implementing a limit on the number of hops allowed in a path from the source to a destination The maximum number of hops in a path is 15 The network d...

Страница 214: ...you to configure RIPv2 in RIPv1compatibility mode for using both RIPv2 and RIPv1 routers within a network In this mode the regular routing updates use broadcast UDP data packet to allow RIPv1 routers...

Страница 215: ...the interface The metric value typically indicates the total number of hops to the destination The metric value of 16 represents an unreachable destination Authentication RIPv2 authentication uses pla...

Страница 216: ...phasing out of the routing table with metric 16 use the following command Locally configured static routes do not appear in the RIP Routes table vlan 2 config vlan enable config vlan member 2 Port 2...

Страница 217: ...ussed in this chapter IGMP Terms on page 215 How IGMP Works on page 216 IGMP Capacity and Default Values on page 217 IGMP Snooping on page 218 IGMP Relay on page 228 Additional IGMP Features on page 2...

Страница 218: ...er periodically sends Membership Queries to ensure that a host wants to continue receiving multicast traffic If a host does not respond the IGMP Snooper stops sending traffic to the host The host can...

Страница 219: ...c Mrouters 128 Number of IGMP Filters 16 IPMC Groups IGMP Relay 1000 Table 20 IGMP Default Configuration Settings Field Default Value Global IGMP State Disabled IGMP Querier Disabled IGMP Snooping Dis...

Страница 220: ...the same IGMP group using the same VLAN only a single IGMP entry is used IGMPv3 Snooping IGMPv3 includes new Membership Report messages that extend IGMP functionality The switch provides snooping capa...

Страница 221: ...it sees Query messages The switch then floods the IGMP queries on all other ports including a Trunk Group if any Multicast hosts send IGMP Reports as a reply to the IGMP Queries sent by the Mrouter Th...

Страница 222: ...rned by the switch RS G8000 config ip igmp snoop vlan 1 RS G8000 config ip igmp snoop enable RS G8000 config ip igmp snoop igmpv3 enable RS G8000 config ip igmp enable RS G8000 show ip igmp groups Not...

Страница 223: ...30 0 2 1 230 0 2 2 Source 22 10 0 1 VLAN 3 230 0 2 3 230 0 2 5 Source 22 10 0 3 The Mrouter sends IGMP Query packets in VLAN 2 and VLAN 3 The Mrouter s IP address is 10 10 10 10 The multicast hosts se...

Страница 224: ...n Figure 20 Switch A Configuration 1 Configure VLANs and tagging 2 Configure an IP interface with IPv4 address and assign a VLAN 3 Configure STP Assign a bridge priority lower than the default bridge...

Страница 225: ...0 config interface port 4 RS G8000 config if lacp key 200 RS G8000 config if lacp mode active RS G8000 config interface port 1 4 6 RS G8000 config if tagging RS G8000 config if exit RS G8000 config vl...

Страница 226: ...p snoop igmpv3 enable RS G8000 config ip igmp snoop igmpv3 sources 64 RS G8000 config ip igmp snoop enable RS G8000 config vlan 2 RS G8000 config vlan no flood RS G8000 config vlan exit RS G8000 confi...

Страница 227: ...edge RS G8000 config if shutdown RS G8000 config if no shutdown RS G8000 config if exit RS G8000 config interface port 1 2 RS G8000 config if lacp key 400 RS G8000 config if lacp mode active RS G8000...

Страница 228: ...GMP groups are displayed in the table close the application that may be sending the IGMP Reports for these groups Identify the traffic source by using a sniffer on the hosts and reading the source IP...

Страница 229: ...d C If it is not learned on switch B but is learned on switch C check the link state of the trunk group VLAN membership and STP convergence If it is not learned on any switch ensure the multicast appl...

Страница 230: ...0 to participate in network multicasts with no configuration of the various multicast routing protocols so you can deploy it in the network with minimal effort To an IGMP host connected to the G8000 I...

Страница 231: ...figure IP interfaces with IPv4 addresses and assign VLANs 2 Turn IGMP on 3 Enable IGMP Relay and add VLANs to the downstream network RS G8000 config ip igmp relay vlan VLAN number RS G8000 config vlan...

Страница 232: ...10 0 11 225 10 0 15 The multicast hosts send the following IGMP Reports Host 1 225 10 0 11 225 10 0 12 VLAN 3 Host 2 225 10 0 12 225 10 0 13 VLAN 2 225 10 0 14 225 10 0 15 VLAN 3 Host 3 225 10 0 13 2...

Страница 233: ...bridge priority lower than the default bridge priority to enable the switch to become the STP root in STG 2 and 3 4 Configure LACP dynamic trunk groups portchannels RS G8000 config vlan 2 RS G8000 con...

Страница 234: ...RS G8000 config interface ip 2 RS G8000 config ip if ip address 2 2 2 20 enable RS G8000 config ip if vlan 2 RS G8000 config ip if exit RS G8000 config interface ip 3 RS G8000 config ip if ip address...

Страница 235: ...config vlan 2 RS G8000 config vlan enable RS G8000 config vlan member 1 5 RS G8000 config vlan exit RS G8000 config vlan 5 RS G8000 config vlan enable RS G8000 config vlan member 6 7 RS G8000 config v...

Страница 236: ...e To avoid such a scenario disable IPMC flooding for all VLANs enabled on the switches if this is an acceptable configuration RS G8000 config interface port 1 2 RS G8000 config if lacp key 400 RS G800...

Страница 237: ...flapping disabling then re enabling the port Note To clear all IGMP groups use the following command RS G8000 config clear ip igmp groups However this will clear all the IGMP groups and will influenc...

Страница 238: ...query response interval If no Mrouters have been learned on that port With FastLeave enabled on the VLAN a port can be removed immediately from the port list of the group entry when the IGMP Leave mes...

Страница 239: ...ilter to deny IPv4 multicasts then IGMP Membership Reports from multicast groups within the range are dropped You can configure a secondary filter to allow IPv4 multicasts to a small range of addresse...

Страница 240: ...an accept a static Mrouter When you configure a static Mrouter on a VLAN it replaces any dynamic Mrouters learned through IGMP Snooping Configure a Static Multicast Router 1 For each Mrouter configure...

Страница 241: ...roup Management Protocol version 2 IGMPv2 and MLDv2 is derived from IGMPv3 MLD uses ICMPv6 IP Protocol 58 message types See RFC 2710 and RFC 3810 for details MLDv2 protocol when compared to MLDv1 adds...

Страница 242: ...pecific Query Sent to learn if for a specified multicast address there are nodes still listening to a specific set of sources Supported only in MLDv2 Note Multicast Address Specific Queries and Multic...

Страница 243: ...he host immediately reports these changes through a State Change Report message The Querier sends a Multicast Address Specific Query to verify if hosts are listening to a specified multicast address o...

Страница 244: ...cts as a Querier and periodically at short query intervals sends query messages in the subnet If there are multiple Mrouters in the subnet only one can be the Querier All Mrouters on the subnet listen...

Страница 245: ...able Table 21 G8000 Capacity Table Variable Maximum Value IPv6 Multicast Entries 256 IPv6 Interfaces for MLD 8 Table 22 MLD Timers and Default Values Field Default Value Robustness Variable RV 2 Query...

Страница 246: ...l RS G8000 config ipv6 mld RS G8000 config router mld enable RS G8000 config router mld exit RS G8000 config interface ip 2 RS G8000 config ip if enable RS G8000 config ip if ipv6 address 2002 1 0 0 0...

Страница 247: ...on on page 253 Default Redistribution and Route Aggregation Example on page 254 Internal Routing Versus External Routing To ensure effective processing of network traffic every router on your network...

Страница 248: ...advertised For example if you advertise 192 204 4 0 24 you are declaring that if another router sends you data destined for any address in 192 204 4 0 24 you know how to carry that data to its destin...

Страница 249: ...en injecting it in and out of BGP Route maps are used by OSPF only for redistributing routes For example a route map is used to set a preference value for a specific route from a peer router and anoth...

Страница 250: ...n outgoing route map list behave similar to route maps in an incoming route map list If a route map is not configured in the outgoing route map list all routes are advertised or permitted If a route m...

Страница 251: ...ps 3 Optional Configure the AS filter attributes 4 Set up the BGP attributes If you want to overwrite the attributes that the peer router is sending define the following BGP attributes Specify the AS...

Страница 252: ...d then add the route map to the incoming route map list or to the outgoing route map list 8 Exit Router BGP mode RS G8000 config router bgp RS G8000 config router bgp enable RS G8000 config router bgp...

Страница 253: ...port OSPF routes fixed routes and static routes For an example configuration see Default Redistribution and Route Aggregation Example on page 254 Default routes can be configured using the following m...

Страница 254: ...the best path It does not rely on metric attributes to determine the best path When the same network is learned via more than one BGP peer BGP uses its policy for selecting the best route to that netw...

Страница 255: ...to announce themselves as default gateways to the G8000 Figure 24 BGP Failover Configuration Example On the G8000 one peer router the secondary one is configured with a longer AS path than the other s...

Страница 256: ...edistribution and Route Aggregation Example This example shows you how to configure the switch to redistribute information from one routing protocol to another and create an aggregate route entry in t...

Страница 257: ...figure the IPv4 routes that you want aggregated router bgp config router bgp as 135 config router bgp exit ip router id 10 1 1 135 router bgp config router bgp neighbor 1 remote address 10 1 1 4 confi...

Страница 258: ...256 RackSwitch G8000 Application Guide...

Страница 259: ...routing devices maintain link information in their own Link State Database LSDB The LSDB for all routing devices within an area is identical but is not exchanged between different areas Only routing u...

Страница 260: ...Autonomous System Boundary Router ASBR a router that acts as a gateway between the OSPF domain and non OSPF domains such as RIP BGP and static routes Figure 27 OSPF Domain and an Autonomous System Bac...

Страница 261: ...information to the other neighbors The Link State Database OSPF is a link state routing protocol A link represents an interface or routable path from the routing device By establishing an adjacency wi...

Страница 262: ...be done with static routes or using active internal routing protocols such as OSPF RIP or RIPv2 It is also useful to tell routers outside your network upstream providers or peers about the routes you...

Страница 263: ...smission interval and interface transmit delay In addition to the preceding parameters you can specify the following Shortest Path First SPF interval Time interval between successive calculations of t...

Страница 264: ...as follows Note The area option is an arbitrary index used only on the switch and does not represent the actual OSPF area number The actual OSPF area number is defined in the area portion of the comma...

Страница 265: ...be sure that the area IDs are in the same format throughout an area Attaching an Area to a Network Once an OSPF area has been defined it must be associated with a network To attach the area to a netwo...

Страница 266: ...a DR or BDR In case of a tie the routing device with the highest router ID wins Interfaces configured as passive do not participate in the DR or BDR election process Summarizing Routes Route summariza...

Страница 267: ...as Figure 28 Injecting Default Routes If the switch is in a transit area and has a configured default gateway it can inject a default route into rest of the OSPF domain Use the following command to co...

Страница 268: ...ID For a detailed configuration example on Virtual Links see Example 2 Virtual Links on page 273 Router ID Routing devices in OSPF areas are identified by a router ID The router ID is expressed in IP...

Страница 269: ...r the virtual link between area 2 and area 0 Area 1 is not configured for OSPF authentication Figure 29 OSPF Authentication Configuring Plain Text OSPF Passwords To configure simple plain text OSPF pa...

Страница 270: ...tween Area 2 and Area 0 on switches 2 and 4 RS G8000 config router ospf RS G8000 config router ospf area 2 authentication type password RS G8000 config router ospf area virtual link 1 key blade RS G80...

Страница 271: ...paths of equal cost to a given destination are calculated and the next hops for all equal cost paths are inserted into the routing table If redundant routes via multiple routing processes such as OSPF...

Страница 272: ...e steps is covered in the following sections 1 Configure IP interfaces One IP interface is required for each desired network range of IP addresses being assigned to an OSPF area on the switch 2 Option...

Страница 273: ...ed Interface 1 for the backbone network on 10 10 7 0 24 Interface 2 for the stub area network on 10 10 12 0 24 Note OSPFv2 supports IPv4 only IPv6 is supported in OSPFv3 see OSPFv3 Implementation in I...

Страница 274: ...id 0 0 0 1 RS G8000 config router ospf area 1 type stub RS G8000 config router ospf area 1 enable RS G8000 config router ospf exit RS G8000 config interface ip 1 RS G8000 config ip if ip ospf area 0...

Страница 275: ...on 10 10 12 0 24 2 Configure the router ID A router ID is required when configuring virtual links Later when configuring the other end of the virtual link on Switch 2 the router ID specified here wil...

Страница 276: ...config router ospf area 1 type transit RS G8000 config router ospf area 1 enable RS G8000 config router ospf exit RS G8000 config interface ip 1 RS G8000 config ip if ip ospf area 0 RS G8000 config i...

Страница 277: ...ig ip router id 10 10 14 1 RS G8000 config router ospf RS G8000 config router ospf enable RS G8000 config router ospf area 0 area id 0 0 0 0 RS G8000 config router ospf area 0 enable RS G8000 config r...

Страница 278: ...dundant paths by configuring multiple virtual links Only the endpoints of the virtual link are configured The virtual link path may traverse multiple routers in an area as long as there is a routable...

Страница 279: ...PFv3 Implementation in IBM N OS on page 279 Figure 32 Summarizing Routes Note You can specify a range of addresses to prevent advertising by using the hide option In this example routes in the range 3...

Страница 280: ...ospf area 1 area id 0 0 0 1 RS G8000 config router ospf area 1 type stub RS G8000 config router ospf area 1 enable RS G8000 config router ospf exit RS G8000 config interface ip 1 RS G8000 config ip if...

Страница 281: ...ne area 0 0 0 0 is created by default and is always active OSPFv3 Requires IPv6 Interfaces OSPFv3 is designed to support IPv6 addresses This requires IPv6 interfaces to be configured on the switch and...

Страница 282: ...mple Addressing fields have been removed from Router and Network LSAs Link local flooding scope has been added along with a Link LSA This allows flooding information to relevant local neighbors withou...

Страница 283: ...00 config ip if ipv6 address 10 0 0 0 0 0 0 1 RS G8000 config ip if ipv6 prefixlen 56 RS G8000 config ip if enable RS G8000 config ip if exit RS G8000 config interface ip 4 RS G8000 config ip if ip ad...

Страница 284: ...m advertising to the backbone This differs from OSPFv2 only in that the OSPFv3 command path is used and the address and prefix are specified in IPv6 format RS G8000 config ipv6 router ospf RS G8000 co...

Страница 285: ...ic consists of myriad services and applications which use the Internet Protocol IP for data delivery However IP is not optimized for all the various applications High Availability goes beyond IP and m...

Страница 286: ...284 RackSwitch G8000 Application Guide...

Страница 287: ...tive The links to the server are also trunked allowing the secondary NIC to take over in the event that the primary NIC link fails Figure 34 Trunking Ports for Link Redundancy For more information on...

Страница 288: ...the duration of the Forward Delay period If the link is unstable the Forward Delay period starts again Preemption You can configure the Master interface to resume the active state whenever it becomes...

Страница 289: ...nds to configure Hot Links RS G8000 config hotlinks trigger 1 enable Enable Hot Links Trigger 1 RS G8000 config hotlinks trigger 1 master port 1 Add port to Master interface RS G8000 config hotlinks t...

Страница 290: ...th two aggregators supporting a number of AMP groups Figure 35 AMP Topology Each AMP group requires two links on each switch Each AMP link consists of a single port a static trunk group or an LACP tru...

Страница 291: ...hat link FDB Flush When an AMP port trunk is the blocking state FDB flush is performed on that port trunk Any time there is a change in the data path for an AMP group the FDB entries associated with t...

Страница 292: ...or one AMP group link connects to the other aggregator and one to the access switch Configuring an Access Switch Perform the following steps to configure AMP on an access switch 1 Turn off Spanning Tr...

Страница 293: ...le stack using two switches provides full redundancy in the event that either switch were to fail As shown with the servers in the example stacking permits ports within different physical switches to...

Страница 294: ...292 RackSwitch G8000 Application Guide...

Страница 295: ...tch enables the control ports This causes the NIC team on the affected servers to fail back to the primary switch unless Auto Fallback is disabled on the NIC team The backup switch processes traffic u...

Страница 296: ...f any of these conditions is false the monitor port is considered to have failed Control Port State A control port is considered Operational if the monitor trigger is up As long as the trigger is up t...

Страница 297: ...elines This section provides important information about configuring Layer 2 Failover Any specific failover trigger can monitor ports only static trunks only or LACP trunks only The different types ca...

Страница 298: ...296 RackSwitch G8000 Application Guide...

Страница 299: ...VRRP Overview on page 298 This section discusses VRRP operation and IBM N OS redundancy configurations Failover Methods on page 300 This section describes the three modes of high availability IBM N OS...

Страница 300: ...ide a single Destination IPv4 DIP address for upstream routers to reach various servers and provide a virtual default Gateway for the servers VRRP Components Each physical router running VRRP is known...

Страница 301: ...ne of the virtual router backups becomes the master and assumes its responsibilities Virtual Interface Router At Layer 3 a Virtual Interface Router VIR allows two VRRP routers to share an IP interface...

Страница 302: ...to send its own advertisements The current master sees that the backup has higher priority and will stop functioning as the master A backup router can stop receiving advertisements for one of two reas...

Страница 303: ...a group all virtual routers on the switch and therefore the switch itself are in either a master or standby state A VRRP group has the following characteristics When enabled all virtual routers behave...

Страница 304: ...the current master then the standby can assume the role of the master See Configuring the Switch for Tracking on page 303 for an example on how to configure the switch for tracking VRRP priority Tabl...

Страница 305: ...running one server down is less disruptive than bringing a new master online and severing all active connections in the process If switch 1 is the master and it has two or more active servers fewer th...

Страница 306: ...enario illustrated in Figure 39 traffic destined for IPv4 address 10 0 1 1 is forwarded through the Layer 2 switch at the top of the drawing and ingresses G8000 1 on port 1 Return traffic uses default...

Страница 307: ...if ip address 10 0 1 100 255 255 255 0 RS G8000 config ip if enable RS G8000 config ip if exit RS G8000 config interface ip 4 RS G8000 config ip if ip address 10 0 2 101 255 255 255 0 RS G8000 config...

Страница 308: ...0 RS G8000 config ip if vlan 20 RS G8000 config ip if enable RS G8000 config ip if exit RS G8000 config interface ip 3 RS G8000 config ip if ip address 10 0 1 101 255 255 255 0 RS G8000 config ip if e...

Страница 309: ...example RS G8000 config vrrp virtual router 1 track ports RS G8000 config vrrp virtual router 2 track ports RS G8000 config vrrp virtual router 2 priority 101 RS G8000 config vrrp exit RS G8000 config...

Страница 310: ...308 RackSwitch G8000 Application Guide...

Страница 312: ...310 RackSwitch G8000 Application Guide...

Страница 313: ...covery of network resources and notification of network changes LLDP can help administrators quickly recognize a variety of common network configuration problems such as unintended VLAN exclusions or...

Страница 314: ...ver time though individual ports comply with the configured interval The global transmit interval can be configured using the following command where interval is the number of seconds between LLDP tra...

Страница 315: ...s whenever LLDP transmissions are sent By default trap notification is disabled for each port The trap notification state can be changed using the following commands Interface Port mode In addition to...

Страница 316: ...ion delay interval can be globally configured for all ports using the following command where interval is the number of seconds to wait before resuming LLDP transmissions The range is between 1 and 10...

Страница 317: ...h will set a change flag within the MIB for convenient notification to SNMP based management systems Viewing Remote Device Information LLDP information collected from neighboring systems can be viewed...

Страница 318: ...output RS G8000 config show lldp remote device index number RS G8000 config show lldp remote device LLDP Remote Devices Information LocalPort Index Remote Chassis ID Remote Port Remote System Name 3...

Страница 319: ...log reporting 5 Verify the configuration settings 6 View remote device information as needed RS G8000 config lldp enable RS G8000 config lldp transmission delay 30 Transmit each 30 seconds RS G8000 co...

Страница 320: ...318 RackSwitch G8000 Application Guide...

Страница 321: ...switch configure the trap host on the switch with the following command Note You can use a loopback interface to set the source IP address for SNMP traps Use the following command to apply a configur...

Страница 322: ...iso the user type has access to all private and public MIBs RS G8000 config snmp server user 1 16 name 1 32 characters RS G8000 config snmp server user 1 16 authentication protocol md5 sha authenticat...

Страница 323: ...Network Management Protocol 321 3 Assign the user to the user group Use the group table to link the user to a particular access group RS G8000 config snmp server group 5 user name admin RS G8000 conf...

Страница 324: ...ring is used in the trap cfg sys ssnmp snmpv3 usm 10 name v1trap cfg sys ssnmp snmpv3 access user number c sys ssnmp snmpv3 access 10 Access group to view SNMPv1 traps name v1trap model snmpv1 nview i...

Страница 325: ...00 config snmp server access 10 security snmpv2 RS G8000 config snmp server access 10 notify view iso RS G8000 config snmp server notify 10 name v2trap RS G8000 config snmp server notify 10 tag v2trap...

Страница 326: ...S enterprise MIB document RS G8000 config snmp server access 1 32 level RS G8000 config snmp server target parameters 1 16 RS G8000 config snmp server user 11 name v3trap RS G8000 config snmp server u...

Страница 327: ...d in RFC 1215 ColdStart WarmStart LinkDown LinkUp AuthenticationFailure The SNMP agent also supports two Spanning Tree traps as defined in RFC 1493 NewRoot TopologyChange The following are the enterpr...

Страница 328: ...safety limits altSwStgNewRoot Signifies that the bridge has become the new root of the STG altSwStgTopologyChanged Signifies that there was a STG topology change altSwStgBlockingState An altSwStgBloc...

Страница 329: ...erver Load a previously saved switch configuration from a FTP TFTP server Save the switch configuration to a FTP TFTP server Save a switch dump to a FTP TFTP server Table 26 MIBs for Switch Image and...

Страница 330: ...uration with the name MyRunningConfig cfg into the switch follow these steps This example shows a TFTP server at IPv4 address 192 168 10 10 though IPv6 is also supported 1 Set the FTP TFTP server addr...

Страница 331: ...a switch dump to a FTP TFTP server follow these steps This example shows an FTP TFTP server at 192 168 10 10 though IPv6 is also supported 1 Set the FTP TFTP server address where the configuration wi...

Страница 332: ...330 RackSwitch G8000 Application Guide...

Страница 333: ...onitoring The ability to monitor traffic passing through the G8000 can be invaluable for troubleshooting some types of networking problems This sections cover the following monitoring features Remote...

Страница 334: ...332 RackSwitch G8000 Application Guide...

Страница 335: ...itable for the management of Ethernet networks The RMON agent continuously collects statistics and proactively monitors switch performance RMON allows you to monitor traffic flowing through the switch...

Страница 336: ...f buckets granted by the system based on the amount of system memory available The system grants a maximum of 50 buckets You can use an SNMP browser to view History samples History MIB Object ID The t...

Страница 337: ...1 2 2 1 1 1 3 View RMON history for the port RS G8000 config interface port 1 RS G8000 config if rmon RS G8000 config if exit RS G8000 config rmon history 1 interface oid 1 3 6 1 2 1 2 2 1 1 x RS G800...

Страница 338: ...p An example statistic follows 1 3 6 1 2 1 5 1 0 mgmt icmp icmpInMsgs 1 3 6 1 2 1 2 2 1 10 x ifInOctets The last digit x represents the interface on which to monitor which corresponds to the interface...

Страница 339: ...ic exceeds 200 within a 60 second interval an alarm is generated that triggers event index 110 RS G8000 config rmon alarm 1 oid 1 3 6 1 2 1 5 8 0 RS G8000 config rmon alarm 1 alarm type rising RS G800...

Страница 340: ...es a syslog host to send syslog messages Therefore an existing syslog host must be configured for event log notification to work properly Each log event generates a syslog of type RMON that correspond...

Страница 341: ...ured sFlow analyzer For each port the sFlow sampling rate can be configured to occur once each 256 to 65536 packets or 0 to disable the default A sampling rate of 256 means that one sample will be tak...

Страница 342: ...s or 0 to disable By default polling is 0 disabled for each port 3 On a per port basis define the data sampling rate Specify a sampling rate between 256 and 65536 packets or 0 to disable By default th...

Страница 343: ...0 supports three monitor ports in stand alone non stacking mode Only one monitor port is supported in stacking mode Each monitor port can receive mirrored traffic from any number of target ports IBM N...

Страница 344: ...000 Application Guide 3 View the current configuration RS G8000 show port mirroring Port Monitoring Enabled Monitoring Ports Mirrored Ports 1 none 2 none 3 1 in 2 both 4 none 5 none 6 none 7 none 8 no...

Страница 346: ...344 RackSwitch G8000 Application Guide...

Страница 347: ...r Virtual Router starts advertising with a higher priority Priority In VRRP the value given to a Virtual Router to determine its ranking with its peer s Minimum value is 1 and maximum value is 254 Def...

Страница 348: ...efault gateway that is always available Two or more devices sharing an IP interface are either advertising or listening for advertisements These advertisements are sent via a broadcast message to an a...

Страница 349: ...ms also describes the diagnostic tests that you can perform Most systems operating systems and programs come with documentation that contains troubleshooting procedures and explanations of error messa...

Страница 350: ...w ibm com planetwide for support telephone numbers In the U S and Canada call 1 800 IBM SERV 1 800 426 7378 Hardware service and support You can receive hardware service through your IBM reseller or I...

Страница 351: ...not allow disclaimer of express or implied warranties in certain transactions therefore this statement may not apply to you This information could include technical inaccuracies or typographical error...

Страница 352: ...e speed is the variable read rate Actual speeds vary and are often less than the possible maximum When referring to processor storage real and virtual storage or channel volume KB stands for 1024 byte...

Страница 353: ...lity Documentation format The publications for this product are in Adobe Portable Document Format PDF and should be compliant with accessibility standards If you experience difficulties when you use t...

Страница 354: ...tions to this equipment Unauthorized changes or modifications could void the user s authority to operate the equipment This device complies with Part 15 of the FCC Rules Operation is subject to the fo...

Страница 355: ...ohne Zustimmung der IBM ver ndert bzw wenn Erweiterungskomponenten von Fremdherstellern ohne Empfehlung der IBM gesteckt eingebaut werden EN 55022 Klasse A Ger te m ssen mit folgendem Warnhinweis ver...

Страница 356: ...oduct based on the standard of the Voluntary Control Council for Interference VCCI If this equipment is used in a domestic environment radio interference may occur in which case the user may be requir...

Страница 357: ...Copyright IBM Corp 2011 Appendix C Notices 355 Taiwan Class A compliance statement...

Страница 358: ...356 RackSwitch G8000 Application Guide...

Страница 359: ...roadcast storm control 89 Browser Based Interface 23 261 C Cisco EtherChannel 108 110 CIST 127 Class A electronic emission notice 352 Class of Service queueCOS queue 141 command conventions 18 Command...

Страница 360: ...on via setup 39 IP interfaces 40 example configuration 185 186 IP routing 40 cross subnet example 183 default gateway configuration 187 IP interface configuration 185 186 IP subnets 183 subnet configu...

Страница 361: ...131 Quality of Service 131 Querier IGMP 242 R RADIUS authentication 63 port 1812 and 1645 81 port 1813 81 SSH SCP 59 Rapid Spanning Tree Protocol RSTP 126 Rapid Spanning Tree Protocol RSTP RSTP 126 r...

Страница 362: ...gged member 95 untagged frame 95 untagged member 95 VLAN identifier VID 95 telephone assistance 348 telephone numbers 348 Telnet support optional setup for Telnet support 44 text conventions 18 time s...

Результаты поиска

Содержание RackSwitch G8000

Отзывы:

Похожие инструкции для RackSwitch G8000

Бренды по названию

Популярные бренды

IBM RackSwitch G8000, Инструкция по применению

Результаты поиска

Содержание RackSwitch G8000

Отзывы:

Похожие инструкции для RackSwitch G8000

Бренды по названию

Популярные бренды