Enterasys ® Fixed Switching Configuration Guide Firmware 6.61.
Notice Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made. The hardware, firmware, or software described in this document is subject to change without notice.
Enterasys Networks, Inc. Firmware License Agreement BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT, CAREFULLY READ THIS LICENSE AGREEMENT. This document is an agreement (“Agreement”) between the end user (“You”) and Enterasys Networks, Inc.
Moldova, Mongolia, North Korea, the People’s Republic of China, Russia, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, Vietnam, or such other countries as may be designated by the United States Government), (ii) export to Country Groups D:1 or E:2 (as defined herein) the direct product of the Program or the technology, if such foreign produced direct product is subject to national security controls as identified on the U.S.
13. SEVERABILITY. In the event any provision of this Agreement is found to be invalid, illegal or unenforceable, the validity, legality and enforceability of any of the remaining provisions shall not in any way be affected or impaired thereby, and that provision shall be reformed, construed and enforced to the maximum extent permissible. Any such invalidity, illegality, or unenforceability in any jurisdiction shall not invalidate or render illegal or unenforceable such provision in any other jurisdiction.
Contents
Chapter 1: Setting Up a Switch for the First Time
  Before You Begin 1-1
  Connecting to the Switch 1-2
  Downloading New Firmware
  CLI Properties Display Commands 3-7
Chapter 4: System Configuration
  Factory Default Settings 4-1
  Initial Configuration Overview
  Password Management Overview 5-6
  System Level Password Settings 5-6
  Defaults 5-7
  System Password Settings Configuration
  Displaying Cable Status 8-7
  Configuring SFP Ports for 100BASE-FX 8-7
  Example 8-8
  Configuring Port Link Flap Detection
  Remote Authentication Dial-In Service (RADIUS) 10-7
  How RADIUS Data Is Used 10-8
  The RADIUS Filter-ID 10-8
  RFC 3580 — VLAN Authorization
  Trap Versus Inform Messages 12-3
  Access to MIB Objects 12-3
  Community Name Strings 12-3
  User-Based
  About Security Audit Logging 14-6
  Security Events Logged 14-7
  Trap Generation 14-7
  Format Examples
  Setting a Port Priority 15-21
  Assigning Port Costs 15-22
  Adjusting Bridge Protocol Data Unit (BPDU) Intervals 15-22
  Enabling the Backup Root Function
  Basic Edge 16-13
  Standard Edge 16-14
  Premium Edge 16-14
  Premium Distribution
  Examples 17-18
Chapter 18: Configuring Network Monitoring
  Basic Network Monitoring Features 18-1
  Console/Telnet History Buffer
Chapter 20: IP Configuration
  Enabling the Switch for Routing 20-1
  Router Configuration Modes 20-1
  Entering Router Configuration Modes 20-2
  Example
  Configuring Area Virtual-Link Authentication 22-14
  Configuring Area Virtual-Link Timers 22-14
  Configuring Route Redistribution 22-14
  Configuring Passive Interfaces
  Extended IPv4 ACL Configuration 24-12
  MAC ACL Configuration 24-13
Chapter 25: Configuring and Managing IPv6
  Managing IPv6
  Disabling and Enabling Ports 26-9
  MAC Locking Defaults 26-9
  MAC Locking Configuration 26-10
  TACACS+
Figures
  Link Aggregation Example 11-12
  Communication between LLDP-enabled Devices 13-3
  LLDP-MED
Tables
  Default DHCP Server Parameters 4-20
  Configuring Pool Parameters
  Policy Configuration Terms and Definitions 16-18
  CoS Configuration Terminology
About This Guide This guide provides basic configuration information for the Enterasys Networks Fixed Switch platforms using the Command Line Interface (CLI), including procedures and code examples. For detailed information about the CLI commands used in this book, refer to the CLI Reference for your Fixed Switch platform. Important Notice Depending on the firmware version used on your Fixed Switch platform, some features described in this document may not be supported.
Getting Help The following icons are used in this guide: Note: Calls the reader’s attention to any item of information that may be of special importance. Router: Calls the reader’s attention to router-specific commands and information. Caution: Contains information essential to avoid damage to the equipment. Precaución: Contains information essential to avoid damage to the equipment. Achtung: Refers to important information on protecting against damage.
1 Setting Up a Switch for the First Time This chapter describes how to configure an Enterasys stackable or standalone Fixed Switch received from the factory that has not been previously configured. Most of the procedures assume that you are configuring a single switch that has not been connected to a network, and they require that you have physical access to the console port on the switch.
Connecting to the Switch If the adapter cable requires a driver, install the driver on your computer. (These drivers are usually provided by the vendor of the adapter cable.) – Connect the adapter cable’s USB connector to a USB port on your PC or laptop and determine which COM port has been assigned to that USB port. (On Windows 7, this information is displayed in the Device Manager window.
Downloading New Firmware
Enterasys C5 Command Line Interface
Enterasys Networks, Inc.
50 Minuteman Rd.
Andover, MA 01810-1008 U.S.A.
Phone: +1 978 684 1000
E-mail: support@enterasys.com
WWW: http://www.enterasys.com
(c) Copyright Enterasys Networks, Inc. 2011
Chassis Serial Number: 093103209001
Chassis Firmware Revision: 06.61.01.0017
Last successful login : WED DEC 07 20:23:20 2011
Failed login attempts since last login : 0
C5(su)->
7.
or just want to verify the contents of the images directory, refer to “Deleting a Backup Image File” on page 1-5 for more information. Note: If this switch will be added to an existing stack, you should install the primary and backup firmware versions that are currently installed on the stack units. After you have established your connection to the switch, follow these steps to download the latest firmware: 1. Start the TFTP application. 2.
Deleting a Backup Image File Since the stackable and standalone switches can store only two firmware images at a time, you may have to delete a backup image, if one exists, before you can manually download a new firmware image. 1. Use the dir command to display the contents of the images directory. For example:
C5(su)->dir
Images:
==================================================================
Filename: c5-series_06.42.06.0008
Version: 06.42.06.
Setting User Accounts and Passwords Enterasys switches are shipped with three default user accounts: • A super-user access account with a username of admin and no password • A read-write access account with a username of rw and no password • A read-only access account with a username of ro and no password Enterasys recommends that, for security purposes, you set up one or more unique user accounts with passwords and disable the default login accounts. 1.
C5(su)->show ssh
SSH Server status: Enabled
2. Disable Telnet inbound while leaving Telnet outbound enabled, and show the current state.
C5(su)->set telnet disable inbound
C5(su)->show telnet
Telnet inbound is currently: DISABLED
Telnet outbound is currently: ENABLED
3. Disable WebView and show the current state.
C5(su)->set webview disable
C5(su)->show webview
WebView is Disabled.
4.
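The steps above enable SSH, disable inbound Telnet and disable WebView, and each step ends with a show command so the operator can confirm the result. The following script is an added example, not part of this guide, that turns those three show outputs into an automated management-plane check: it parses the state words from captured output and reports any setting that still matches the insecure factory default. The two output samples are constructed from the command output shown in this guide; the regular expressions assume the output format shown here and nothing more.

```python
import re

# Constructed sample: output after the hardening steps in this procedure.
SAMPLE_SHOW_OUTPUT = """\
C5(su)->show ssh
SSH Server status: Enabled
C5(su)->show telnet
Telnet inbound is currently: DISABLED
Telnet outbound is currently: ENABLED
C5(su)->show webview
WebView is Disabled.
"""

# Constructed sample: the same commands on a switch still at factory defaults
# (Telnet enabled inbound and outbound, SSH disabled; WebView assumed enabled).
FACTORY_DEFAULT_OUTPUT = """\
C5(su)->show ssh
SSH Server status: Disabled
C5(su)->show telnet
Telnet inbound is currently: ENABLED
Telnet outbound is currently: ENABLED
C5(su)->show webview
WebView is Enabled.
"""

# (check name, pattern capturing the state word, state the check expects)
CHECKS = [
    ("ssh_server", r"SSH Server status:\s*(\w+)", "enabled"),
    ("telnet_inbound", r"Telnet inbound is currently:\s*(\w+)", "disabled"),
    ("webview", r"WebView is (\w+)", "disabled"),
]


def parse_state(output, pattern):
    """Return the lower-cased state word matched by pattern, or None if the
    corresponding show output is missing from the capture."""
    match = re.search(pattern, output)
    return match.group(1).lower() if match else None


def audit_management_plane(output):
    """Map each check name to (observed state, passes?).  A missing line is
    treated as a failure so that an incomplete capture never looks clean."""
    results = {}
    for name, pattern, wanted in CHECKS:
        observed = parse_state(output, pattern)
        results[name] = (observed, observed == wanted)
    return results


def findings(output):
    """Sorted names of the checks that fail for this capture."""
    return sorted(name for name, (_, ok) in audit_management_plane(output).items() if not ok)


if __name__ == "__main__":
    for label, capture in (("hardened", SAMPLE_SHOW_OUTPUT), ("factory", FACTORY_DEFAULT_OUTPUT)):
        print(label, findings(capture) or "no findings")
```

Run against a captured console session, the script reports an empty list for the hardened switch and lists ssh_server, telnet_inbound and webview for the factory-default one, which matches the defaults given in Table 4-1.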
1. Save the running configuration.
C5(su)->save config
Saving Configuration to stacking members
Configuration saved
C5(su)->
2. Optionally, save the configuration to a backup file named “myconfig” in the configs directory and copy the file to your computer using TFTP. You can use this backup configuration file to quickly restore the configuration if you need to replace the switch or change to a different firmware version.
Where to Go Next
For information about... Refer to ...
Getting Help
For additional support, contact Enterasys Networks using one of the following methods:
World Wide Web: www.enterasys.com/support
Phone: 1-800-872-8440 (toll-free in U.S. and Canada) or 1-978-684-1000. To find the Enterasys Networks Support toll-free number in your country: www.enterasys.com/support
Email: support@enterasys.com. To expedite your message, type [switching] in the subject line.
Downloading Firmware via the Serial Port
Boot Menu Version 06.61.xx 12-09-2011
Options available
1 - Start operational code
2 - Change baud rate
3 - Retrieve event log using XMODEM (64KB).
4 - Load new operational code using XMODEM
5 - Display operational code vital product data
6 - Run Flash Diagnostics
7 - Update Boot Code
8 - Delete operational code
9 - Reset the system
10 - Restore Configuration to factory defaults (delete config files)
11 - Set new Boot Code password
[Boot Menu] 2
5. Type 2.
Header Version: 0x0100
Image Type: 0x82
Image Offset: 0x004d
Image length: 0x006053b3
Ident Strings Length: 0x0028
Ident Strings:
Image Version Length: 0x8
Image Version Bytes: 0x30 0x2e 0x35 0x2e 0x30 0x2e 0x34 (x.xx.xx)
The following secondary header is in the image:
CRC:
2 Configuring Switches in a Stack This chapter provides information about configuring Enterasys switches in a stack. For information about upgrading firmware on a new stack, refer to “Configuring a Stack of New Switches” on page 1-8. For information about... Refer to page...
• The hierarchy of the switches that will assume the function of backup manager is also determined in case the current manager malfunctions, is powered down, or is disconnected from the stack. • The console port on the manager switch remains active for out-of-band (local) switch management, but the console port on each member switch is deactivated. This enables you to set the IP address and system password using a single console port.
4. (Optional) If desired, change the management unit using the set switch movemanagement command, and/or change the unit numbering with the set switch member command. 5. Once the desired master unit has been selected, reset the system using the reset command. 6. After the stack has been configured, you can use the show switch unit command to physically identify each unit.
– If the running stack uses a daisy chain topology, make the stack cable connections from the bottom of the stack to the new unit (that is, STACK DOWN port from the bottom unit of the running stack to the STACK UP port on the new unit). – If the running stack uses a ring stack topology, break the ring and make the stack cable connections to the new unit to close the ring. 3. Apply power to the new unit. 4.
To create a virtual switch configuration in a stack environment: 1. Display the types of switches supported in the stack, using the show switch switchtype command. 2. Using the output of the show switch switchtype command, determine the switch index (SID) of the model of switch being configured. 3. Add the virtual switch to the stack using the set switch member command.
• Use clear ip address to remove the IP address of the stack. • Use clear license to remove an applied license from a switch. Configuration parameters and stacking information can also be cleared on the master unit only by selecting the “restore configuration to factory defaults” option from the boot menu on switch startup. This selection will leave stacking priorities on all other units.
3 CLI Basics This chapter provides information about CLI conventions for stackable and standalone switches and CLI properties that you can configure. For information about... Refer to page...
Using the Command Line Interface Connecting Using the Console Port Connect a terminal to the local console port as described in “Connecting to the Switch” on page 1-2. When the boot up output is complete, the system prints a Username prompt.
Using the Command Line Interface Logging In By default, the switch is configured with three user login accounts—ro for Read-Only access, rw for Read-Write access, and admin for super-user access to all modifiable parameters. The default password is set to a blank string. For information on changing these default settings, refer to Chapter 5, User Account and Password Management.
Using the Command Line Interface commands without optional parameters, the defaults section lists “None”. For commands with optional parameters, this section describes how the CLI responds if the user opts to enter only the keywords of the command syntax. Figure 3-2 provides an example. Figure 3-2 Sample CLI Defaults Description Syntax show port status [port-string] Defaults If port-string is not specified, status information for all ports will be displayed.
Using the Command Line Interface Note: At the end of the lookup display, the system will repeat the command you entered without the ?. Displaying Scrolling Screens If the CLI screen length has been set using the set length command, CLI output requiring more than one screen will display --More-- to indicate continuing screens. To display additional screen output: • Press any key other than ENTER to advance the output one screen at a time. • Press ENTER to advance the output one line at a time.
Basic Line Editing Commands The CLI supports Emacs-like line editing commands. Table 3-1 lists some commonly used commands.
Table 3-1 Basic Line Editing Commands
Ctrl+A: Move cursor to beginning of line.
Ctrl+B: Move cursor back one character.
Ctrl+D: Delete a character.
Ctrl+E: Move cursor to end of line.
Ctrl+F: Move cursor forward one character.
Ctrl+H: Delete character to left of cursor.
Ctrl+I or TAB: Complete word.
Table 3-2 CLI Properties Configuration Commands (continued)
Task: Set the time (in minutes) an idle console or Telnet CLI session will remain connected before timing out. Command: set logout timeout
Refer to the CLI Reference for your switch model for more information about each command. Example CLI Properties Configuration In this example, the prompt is changed and a login banner is added.
4 System Configuration This chapter provides basic system configuration information in the following areas: For information about... Refer to page...
Table 4-1 Default Settings for Basic Switch Operation (continued)
Console (serial) port required settings: Baud rate 9600; Data bits 8; Flow control disabled; Stop bits 1; Parity none.
DHCP server: Disabled.
Diffserv: Disabled. (B3 platforms only)
EAPOL: Disabled.
EAPOL authentication mode: When enabled, set to auto for all ports.
Table 4-1 Default Settings for Basic Switch Operation (continued)
Password history: No passwords are checked for duplication.
Policy classification: Classification rules are automatically enabled when created.
Port auto-negotiation: Enabled on all ports.
Port advertised ability: Maximum ability advertised on all ports.
Port broadcast suppression: Enabled and set to limit broadcast packets to 14,881 per second on all switch ports.
Table 4-1 Default Settings for Basic Switch Operation (continued)
Spanning Tree topology change trap suppression: Enabled.
Spanning Tree version: Set to mstp (Multiple Spanning Tree Protocol).
SSH: Disabled.
System baud rate: Set to 9600 baud.
System contact: Set to empty string.
System location: Set to empty string.
System name: Set to empty string.
Telnet: Enabled inbound and outbound.
Telnet port (IP): Set to port number 23.
Table 4-2 Default Settings for Router Operation (continued)
Hello interval (OSPF): Set to 10 seconds for broadcast and point-to-point networks. Set to 30 seconds for non-broadcast networks.
ICMP: Enabled for echo-reply and mask-reply modes.
IP-directed broadcasts: Disabled.
IP forward-protocol: Enabled with no port specified.
IP interfaces: Disabled with no IP addresses specified.
IRDP: Disabled on all interfaces.
Procedure 4-1 contains the steps to assign an IP address and configure basic system parameters. Some of these steps are also covered in Chapter 1, Setting Up a Switch for the First Time. For information on the command syntax and parameters, refer to the online help or the CLI Reference for your platform. Note: When configuring any string or name parameter input for any command, do not use any letters with diacritical marks (an ancillary glyph added to a letter).
Table 4-3 Advanced Configuration (continued)
Configure the Telnet client and server. (Telnet client is enabled by default.) Note: For security, you may wish to disable Telnet and only use SSH. Refer to “Telnet Overview” on page 4-23.
Configure the Secure Shell V2 (SSHv2) client and server. Refer to “SSH Overview” on page 4-24.
Configure the Dynamic Host Configuration Protocol (DHCP) server.
Table 4-3 Advanced Configuration (continued)
Configure RIP. Refer to “Configuring RIP” on page 21-1.
Configure OSPFv2. Refer to Chapter 22, Configuring OSPFv2.
Configure multicast protocols IGMP, DVMRP, and PIM, and general multicast parameters. Refer to Chapter 19, Configuring Multicast.
Configure VRRP. Refer to Chapter 23, Configuring VRRP.
Configure IPv6. Refer to Chapter 25, Configuring and Managing IPv6.
Security and General Management
Configure Access Control Lists (ACLs).
Licensing Advanced Features Node-Locked Licensing On the C3, B3, and G3 platforms, licenses are locked to the serial number of the switch to which the license applies. Therefore, you must know the serial number of the switch to be licensed when you activate the license on the Enterasys customer site, and also when you apply the license to the switch as described below.
When adding a new unit to an existing stack, the ports on a switch lacking a licensed feature that has been enabled on the master will not pass traffic until the license has been enabled on the added switch. (The ports are in the “ConfigMismatch” state.) If you clear a license from a member unit in a stack while the master unit has an activated license, the status of the member will change to “ConfigMismatch” and its ports will be detached from the stack.
SNTP Configuration b. If you need to use multiple license keys on members of a stack, use the optional unit number parameter with the set license command. The following example applies two different license keys to members of the stack.
SNTP Configuration Unicast Polling Mode When an SNTP client is operating in unicast mode, SNTP update requests are made directly to a server, configured using the set sntp server command. The client queries these configured SNTP servers at a fixed poll-interval configured using the set sntp poll-interval command. The order in which servers are queried is based on a precedence value optionally specified when you configure the server.
SNTP Configuration Use the set sntp authentication key command to configure an authentication key instance. The SNTP authentication key is associated with an SNTP server using the set sntp server command. An authentication key has to be trusted to be used with an SNTP server. Use the set sntp trustedkey command to add an authentication key to the trusted key list. Refer to Procedure 4-3 on page 4-14 to configure the switch SNTP client for authentication.
Procedure 4-2 Configuring SNTP (continued)
3. When operating in unicast mode, optionally change the poll interval between SNTP unicast requests. Command: set sntp poll-interval value. The poll interval is 2 to the power of value in seconds, where value can range from 6 to 10.
4. When operating in unicast mode, optionally change the number of poll retries to a unicast SNTP server. Command: set sntp poll-retry retry
5.
Table 4-5 Managing and Displaying SNTP (continued)
To reset the poll interval between unicast SNTP requests to its default value: clear sntp poll-interval
To reset the number of poll retries to a unicast SNTP server to its default value: clear sntp poll-retry
To reset the SNTP poll timeout to its default value: clear sntp poll-timeout
To clear an SNTP authentication key: clear sntp authentication-key key-id
To remove an authentication key from the trusted key
192.168.10.10 1 1 Active
DHCP Configuration Dynamic Host Configuration Protocol (DHCP) for IPv4 is a network layer protocol that implements automatic or manual assignment of IP addresses and other configuration information to client devices by servers. A DHCP server manages a user-configured pool of IP addresses from which it can make assignments upon client requests. A relay agent passes DHCP messages between clients and servers which are on different physical subnets.
DHCP Configuration IP Address Pools IP address pools must be configured for both automatic and manual IP address allocation by a DHCP server. Automatic IP Address Pools When configuring an IP address pool for dynamic IP address assignment, the only required steps are to name the pool and define the network number and mask for the pool using the set dhcp pool network command.
DHCP Configuration DHCP Configuration on a Non-Routing System The following procedure provides basic DHCP server functionality when the DHCP pool is associated with the system’s host IP address. This procedure would typically be used when the system is NOT configured for routing. Refer to the CLI Reference for your platform for details about the commands listed below. Procedure 4-4 DHCP Server Configuration on a Non-Routing System Step Task Command(s) 1.
Procedure 4-5 DHCP Server Configuration on a Routing System
1. Create a VLAN and add ports to the VLAN. Only DHCP clients associated with this VLAN will be served IP addresses from the DHCP address pool associated with this routed interface (VLAN). Commands: set vlan create vlan-id; set port vlan port-string vlan-id
2. Create a routed interface for the VLAN in router configuration mode. Commands: interface vlan vlan-id; no shutdown; ip address ip-addr ip-mask
3.
C5(su)->router(Config)#exit
C5(su)->router#exit
C5(su)->router>exit
C5(su)->set dhcp enable
C5(su)->set dhcp pool autopool2 network 6.6.0.0 255.255.0.0
Managing and Displaying DHCP Server Parameters Table 4-6 lists additional DHCP server tasks. Refer to Table 4-7 on page 4-20 for default DHCP server settings.
Table 4-7 Default DHCP Server Parameters
Number of ping packets: Specifies the number of ping packets the DHCP server sends to an IP address before assigning the address to a requesting client. Default: 2 packets.
Configuring DHCP IP Address Pools This section provides procedures for the basic configuration of automatic (dynamic) and manual (static) IP address pools, as well as a list of the commands to configure other optional pool parameters.
DHCP Configuration • The subnet of the IP address being issued should be on the same subnet as the ingress interface (that is, the subnet of the host IP address of the switch, or if routing interfaces are configured, the subnet of the routing interface). • A manual pool can be configured using either the client’s hardware address (set dhcp pool hardware-address) or the client’s client-identifier (set dhcp pool client-identifier), but using both is not recommended.
identifier configured in this example must be 01:00:01:22:33:44:55. We then set the lease duration to infinite.
C5(rw)->set dhcp pool manual3 client-identifier 01:00:01:22:33:44:55
C5(rw)->set dhcp pool manual3 host 10.12.1.10 255.255.255.0
C5(rw)->set dhcp pool manual3 lease infinite
Configuring Additional Pool Parameters Table 4-8 lists the commands that can be used to configure additional IP address pool parameters.
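The manual pool above selects the client by a client-identifier, which is the Ethernet hardware-type byte 01 followed by the client’s MAC address, and the preceding guidelines say a pool should use either hardware-address or client-identifier but not both. The following helper is an added example, not code from this guide: it derives the identifier from a MAC address (and back), and generates the three set dhcp pool lines shown above while refusing a pool that sets both selectors. The command syntax is taken from the commands as they appear in this section; the pool and address values in the usage are the ones from the example above.

```python
import re

MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")
# Hardware-type byte that prefixes an Ethernet client-identifier, as in the
# guide's example 01:00:01:22:33:44:55 for the MAC 00:01:22:33:44:55.
ETHERNET_HW_TYPE = "01"


def client_identifier_from_mac(mac):
    """Return the client-identifier string (type byte + MAC) for an Ethernet MAC."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address in aa:bb:cc:dd:ee:ff form: {mac!r}")
    return ETHERNET_HW_TYPE + ":" + mac.lower()


def mac_from_client_identifier(cid):
    """Inverse of client_identifier_from_mac; None if cid is not an Ethernet identifier."""
    parts = cid.lower().split(":")
    if len(parts) != 7 or parts[0] != ETHERNET_HW_TYPE:
        return None
    mac = ":".join(parts[1:])
    return mac if MAC_RE.match(mac) else None


def manual_pool_commands(pool, host, mask, client_id=None, hardware_address=None, lease="infinite"):
    """Build the 'set dhcp pool' lines for a manual (static) pool.

    Exactly one of client_id / hardware_address must be given: the guide advises
    against configuring both on the same pool, so that case is rejected here.
    """
    if (client_id is None) == (hardware_address is None):
        raise ValueError("give exactly one of client_id or hardware_address")
    if hardware_address is not None:
        if not MAC_RE.match(hardware_address):
            raise ValueError(f"bad hardware address: {hardware_address!r}")
        selector = f"hardware-address {hardware_address.lower()}"
    else:
        if mac_from_client_identifier(client_id) is None:
            raise ValueError(f"bad Ethernet client-identifier: {client_id!r}")
        selector = f"client-identifier {client_id.lower()}"
    return [
        f"set dhcp pool {pool} {selector}",
        f"set dhcp pool {pool} host {host} {mask}",
        f"set dhcp pool {pool} lease {lease}",
    ]


if __name__ == "__main__":
    cid = client_identifier_from_mac("00:01:22:33:44:55")
    for line in manual_pool_commands("manual3", "10.12.1.10", "255.255.255.0", client_id=cid):
        print(line)
```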
Configuring Telnet Procedure 4-8 Configuring Telnet
1. Enable or disable Telnet services, inbound, outbound, or all. Command: set telnet {enable | disable} [inbound | outbound | all] (Inbound = Telnet to the switch from a remote device; Outbound = Telnet to other devices from the switch.)
2. Display Telnet status. Command: show telnet
3.
MAC Address Settings Aging time: 600 seconds Limiting MAC Addresses to Specific VLANs Use the set mac multicast command to define on what ports within a VLAN a multicast address can be dynamically learned on, or on what ports a frame with the specified MAC address can be flooded. Also, use this command to append ports to or clear ports from the egress ports list.
Procedure 4-10 Configuring MAC Address Settings
1. Display the MAC addresses in the switch’s filtering database (FID). Command: show mac [address mac-address] [fid fid] [port port-string] [type {other | learned | self | mgmt | mcast}]
2. Display the current timeout period for aging learned MAC entries. Command: show mac agetime
3. Optionally, set the timeout period for aging learned MAC entries. Command: set mac agetime time
4.
Configuring Node Aliases
C5(su)->show nodealias config ge.1.1
Port Number  Max Entries  Used Entries  Status
-----------  -----------  ------------  ------
ge.1.1       32           32            Enable
The following command disables the node alias agent on port ge.1.8:
C5(su)->set nodealias disable ge.1.
5 User Account and Password Management
This chapter describes user account and password management features, which allow enhanced control of password usage and provide additional reporting of usage. Account and password feature behavior and defaults differ depending on the security mode of the switch. For information about security modes and profiles, see Chapter 26, Configuring Security Features.
User Account Overview
• The start and end hour and minute time period for which access will be allowed for this user based upon 24 hour time. (Not applicable for super user accounts.)
• The days of the week for which access will be allowed for this user. (Not applicable for super user accounts.)
User Account Overview
• The emergency access user is still subject to the system lockout interval even on the console port.
Account Lockout
User accounts can be locked out based on the number of failed login attempts or a period of inactivity. Lockout is configured at the system level, not at the user account level. Use the set system lockout command to:
• Set the number of failed login attempts allowed before disabling a read-write or read-only user account or locking out a super-user account.
User Account Overview
Procedure 5-2 on page 5-4 shows how a super-user creates a new super-user account and assigns it as the emergency access account. Refer to the CLI Reference for your platform for details about the commands listed below.
Procedure 5-1 Creating a New Read-Write or Read-Only User Account
1. Create a new read-write or read-only user login account and enable it.
   set system login username {readwrite|read-only} enable
   (All other parameters are optional.)
2.
User Account Overview
Procedure 5-2 Configuring a New Super-User / Emergency Access User Account
4. Assign the new super-user account as the emergency access account.
   set system lockout emergency-access username
5. Display the system lockout settings.
   show system lockout
6. Disable the default super-user account, admin.
   set system login admin super-user disable
This example creates a new super-user account named “usersu” and enables it.
guest  read-only  enabled  0  0  no  00:00  24:00  mon tue wed
Password Management Overview
Individual user account passwords are configured with the set password command. Configured passwords are transmitted and stored in a one-way encrypted form, using a FIPS 140-2 compliant algorithm. When passwords are entered on the switch using the CLI, the switch automatically suppresses the clear text representation of the password.
Password Management Overview
  – Special characters (default 0)
    The set of special characters recognized is: ! @ # $ % ^ & * () ? = [ ] \ ; ? , ./ `.
• Whether the switch enforces aging of system passwords.
  – The switch can enforce a system-wide default for password aging (set system password aging).
  – The switch can enforce a password aging interval on a per-user basis (set system login aging).
Password Management Overview
Table 5-1 User Account and Password Parameter Defaults by Security Mode (continued)
Parameter (Normal Mode Default / C2 Mode Default):
• Minimum number of characters in password: 8 / 9
• Allow consecutively repeating characters in password: yes / 2 characters
• Aging of system passwords: disabled / 90 days
• Password required at time of new user account creation: no / yes
• Substring matching at password validation: 0 (no checking) / 0 (no checking)
• New users required to change password:
Password Reset Button Functionality
Procedure 5-3 Configuring System Password Settings (continued)
2. Display the current password settings.
   show system password
3. Reset password settings to default values.
Management Authentication Notification MIB Functionality
Refer to the CLI Reference for your platform for detailed information about the commands listed below in Procedure 5-4.
Procedure 5-4 Configuring Management Authentication Notification MIB Settings
1. Display the current settings for the Management Authentication Notification MIB.
   show mgmt-auth-notify
2. Enable or disable notifications for one or more authentication notification types.
6 Firmware Image and File Management
This chapter describes how to download and install a firmware image file and how to save and display the system configuration as well as manage files on the switch.
For information about... Refer to page...
Managing the Firmware Image 6-1
Managing Switch Configuration and Files 6-4
Managing the Firmware Image
This section describes how to download a firmware image, set the firmware to be used at system startup, revert to a previous image, and set TFTP parameters.
Managing the Firmware Image
Downloading from a TFTP or SFTP Server
This procedure assumes that the switch or stack of switches has been assigned an IP address and that it is connected to the network. It also assumes that the network has a TFTP or SFTP server to which you have access. If these assumptions are not true, please refer to Chapter 1, Setting Up a Switch for the First Time for more information.
To perform a TFTP or SFTP download:
1.
Managing the Firmware Image
Setting the Boot Firmware
Use the show boot system command to display the image file currently configured to be loaded at startup. For example:
A4(su)->show boot system
Current system image to boot: a4-series_06.61.00.0026
Use the set boot system command to set the firmware image to be loaded at startup. You can choose to reset the system to use the new firmware image immediately, or you can choose to only specify the new image to be loaded the next time the switch is rebooted.
Managing Switch Configuration and Files Caution: If you do not follow the steps above, you may lose remote connectivity to the switch. Setting TFTP Parameters You can configure some of the settings used by the switch during data transfers using TFTP. Use the show tftp settings command to display current settings.
Managing Switch Configuration and Files Using an I-Series Memory Card The I3H-4FX-MEM and I3H-6TX-MEM IOMs provide a memory card slot where a small, separately-purchased memory card (I3H-MEM) may be inserted. The memory card provides a removable, non-volatile means for storing the system configuration and IP address only, and may be used to move the system’s configuration to another switch. Note: Only one IOM containing a memory card slot may be installed in an I-Series switch.
Managing Switch Configuration and Files Displaying the Configuration Executing show config without any parameters will display all the non-default configuration settings. Using the all parameter will display all default and non-default configuration settings. To display non-default information about a particular section of the configuration, such as port or system configuration, use the name of the section (or facility) with the command.
Managing Switch Configuration and Files
Images:
==================================================================
Filename:      b5-series_06.42.03.0001
Version:       06.42.03.0001
Size:          6856704 (bytes)
Date:          Tue Dec 14 14:12:21 2010
CheckSum:      043637a2fb61d8303273e16050308927
Compatibility: B5G124-24, B5G124-24P2, B5G124-48, B5G124-48P2, B5K125-24
               B5K125-24P2, B5K125-48, B5K125-48P2
Filename:      b5-series_06.61.01.0032 (Active) (Boot)
Version:       06.61.01.
Managing Switch Configuration and Files
Managing Files
Table 6-1 lists the tasks and commands used to manage files.
Table 6-1 File Management Commands
• List all the files stored on the system, or only a specific file.
  dir [filename]
• Display the system configuration. On I-Series only, display contents of memory card.
  show config [all | facility | memcard]
• Display the contents of a file located in the configs or logs directory.
  show file directory/filename
• Delete a file.
7 Configuring System Power and PoE This chapter describes how to configure Redundant Power Supply mode on the C5 and G-Series switches, and how to configure Power over Ethernet (PoE) on platforms that support PoE. The information about Power over Ethernet (PoE) applies only to fixed switching platforms that provide PoE support. PoE is not supported on the I-Series switches. For information about... Refer to page...
Power over Ethernet Overview • Pan/Tilt/Zoom (PTZ) IP surveillance cameras • Devices that support Wireless Application Protocol (WAP) such as wireless access points Ethernet implementations employ differential signals over twisted pair cables. This requires a minimum of two twisted pairs for a single physical link. Both ends of the cable are isolated with transformers blocking any DC or common mode voltage on the signal pair.
Power over Ethernet Overview balance of power available for PoE. When any change is made to the hardware configuration, power supply status, or redundancy mode, the firmware recalculates the power available for PoE. On the S-Series, N-Series, and K-Series switches, you can also manually configure the maximum percentage of PoE power available to the chassis as a percentage of the total installed PoE power with the set inlinepower available command. (This feature is not configurable on the G-Series.
Configuring PoE • Class mode, in which the PoE controller manages power based on the IEEE 802.3af/.3at definition of the class limits advertised by the attached devices, with the exception that for class 0 and class 4 devices, actual power consumption will always be used. In this mode, the maximum amount of power required by a device in the advertised class is reserved for the port, regardless of the actual amount of power being used by the device.
Configuring PoE
Stackable A4, B3, and C3 Devices
Procedure 7-1 PoE Configuration for Stackable A4, B3, and C3 Devices
1. Configure PoE parameters on ports to which PDs are attached.
   set port inlinepower port-string {[admin {off | auto}] [priority {critical | high | low}] [type type]}
   • admin — Enables (auto) or disables (off) PoE on a port. The default setting is auto.
   • priority — Sets which ports continue to receive power in a low power situation.
Configuring PoE
Stackable B5 and C5 Devices
Procedure 7-2 PoE Configuration for Stackable B5 and C5 Devices
1. Configure PoE parameters on ports to which PDs are attached.
   set port inlinepower port-string {[admin {off | auto}] [priority {critical | high | low}] [type type]}
   • admin — Enables (auto) or disables (off) PoE on a port. The default setting is auto.
   • priority — Sets which ports continue to receive power in a low power situation.
Configuring PoE
Procedure 7-2 PoE Configuration for Stackable B5 and C5 Devices (continued)
6. (Optional on C5 only) Set the power redundancy mode on the system if two power supplies are installed.
   set system power {redundant | nonredundant}
   • redundant (default) — The power available to the system equals the maximum output of the lowest rated supply (400W or 1200W). If two supplies are installed in redundant mode, system power redundancy is guaranteed if one supply fails.
Configuring PoE
Procedure 7-3 PoE Configuration for G-Series Devices (continued)
4. (Optional) Specify the method the Enterasys device uses to detect connected PDs.
   set inlinepower detectionmode {auto | ieee}
   • auto (default) — The Enterasys device first uses the IEEE 802.3af/at standards resistor-based detection method. If that fails, the device uses the proprietary capacitor-based detection method.
   • ieee — The Enterasys device uses only the IEEE 802.
Configuring PoE
Procedure 7-3 PoE Configuration for G-Series Devices (continued)
7. (Optional) Configure the allocation mode for system power available for PoE.
   set inlinepower mode {auto | manual}
   • auto (default) — Available power is distributed evenly to PoE modules based on PoE port count.
Configuring PoE
Refer to the switch’s CLI Reference Guide for more information about each command.
Example PoE Configuration
A PoE-compliant G-Series device is configured as follows:
• One 400W power supply is installed. The power available for PoE is 150W.
• Two PoE modules are installed.
• The set inlinepower mode command is set to auto, which means that the power available for PoE (150W) is distributed evenly—75W to each PoE module.
8 Port Configuration This chapter describes the basic port parameters and how to configure them. Also described in this chapter are port link flap detection, port mirroring, and transmit queue monitoring and how to configure them. Link Aggregation Control Protocol (LACP) is described in Chapter 11, Configuring Link Aggregation. For information about... Refer to page...
Port Configuration Overview
vlan for vlan interfaces
lag for IEEE802.3 link aggregation ports
Where unit_or_slotnumber can be:
1 - 8 for stackable switches (up to 8 units in a stack)
1 - 3 for I-Series standalone switches (Note that the uplink ports are considered to be slot 3)
1 - 4 for G-Series standalone switches
Where port number depends on the device. The highest valid port number is dependent on the number of ports in the device and the port type.
Port Configuration Overview
C5(su)->show console
vt100 terminal mode disabled
Baud    Flow     Bits  StopBits  Parity
------  -------  ----  --------  ------
9600    Disable  8     1         none
Use the set console baud command to change the baud rate of the console port. For example, to set the console port baud rate to 19200:
C5(su)->set console baud 19200
VT100 Terminal Mode
VT100 terminal mode supports automatic console session termination on removal of the serial connection (vs. timeout).
Port Configuration Overview Auto-Negotiation and Advertised Ability Auto-negotiation is an Ethernet feature that facilitates the selection of port speed, duplex, and flow control between the two members of a link, by first sharing these capabilities and then selecting the fastest transmission mode that both ends of the link support. Auto-negotiation is enabled by default. Use the set port negotiation command to disable or enable auto-negotiation.
Port Configuration Overview By default, Enterasys switch devices are configured to automatically detect the cable type connection, straight through (MDI) or cross-over (MDIX), required by the cable connected to the port. You can configure ports to only use MDI or MDIX connections with the set port mdix command. The set port mdix command only configures Ethernet ports, and cannot be used to configure combo ports on the switch. Fiber ports always have a status of MDIX.
Port Configuration Overview
maximum number of packets which can be received per second with the set port broadcast command. Maximum packet per second values are:
• 148810 for Fast Ethernet ports
• 1488100 for 1-Gigabit ports
• 14881000 for 10-Gigabit ports
Use the show port broadcast command to display current threshold settings. Use the clear port broadcast command to return broadcast threshold settings to the default of 14881 packets per second.
Port Configuration Overview
Table 8-1 Displaying Port Status
• Display whether or not one or more ports are enabled for switching.
  show port [port-string]
• Display operating and admin status, speed, duplex mode and port type for one or more ports on the device.
  show port status [port-string]
• Display port counter statistics detailing traffic through the device and through all MIB2 network devices.
Configuring Port Link Flap Detection
Procedure 8-1 Configuring SFP Ports for 100BASE-FX
4. Set the port duplex mode to full.
   set port duplex port-string full
5. (Optional) Verify the new settings.
   show port status port-string
Example
This example shows how to configure port ge.2.1 in the G3G-24SFP module to operate with a 100BASE-FX transceiver installed. First, the module is verified as present in Slot 2, and the port status is shown as operating as a 1000BASE-SX port.
Configuring Port Link Flap Detection If left unresolved, link flapping can be detrimental to network stability by triggering Spanning Tree and routing table recalculations. By enabling the link flap detection feature on your Enterasys switch, you can monitor and act upon link flapping to avoid these recalculations. You can enable link flap detection globally on your Enterasys switch or on specific ports, such as uplink ports.
Configuring Port Link Flap Detection
Procedure 8-2 Link Flap Detection Configuration (continued)
4. (Optional) Set the number of link flapping instances necessary to trigger the link flap action. By default, this value is 10 link flapping instances.
   set linkflap threshold port-string threshold_value
5.
Transmit Queue Monitoring
If no additional power losses occur on the PoE devices and no additional link flapping conditions occur, the network administrator disables link flap detection on the PoE ports.
C5(rw)->set linkflap portstate disable ge.1.1-12
Link Flap Detection Display Commands
Table 8-3 lists link flap detection show commands.
Table 8-3 Link Flap Detection Show Commands
• Display whether the port is enabled for generating an SNMP trap message if its link state changes.
Port Mirroring
Table 8-4 Transmit Queue Monitoring Tasks
• Configure the time interval, in seconds, that ports disabled by the transmit queue monitoring feature remain disabled.
  set txqmonitor downtime seconds
  The default value is 0, meaning that disabled ports will remain disabled until cleared manually or until their next link state transition.
• Set the minimum rate (in packets per second) of transmitted packets in a sampling interval.
Port Mirroring
• LAG ports can be a mirror source port, but not a mirror destination port. If a LAG port is a mirror source port, no other ports can be configured as source ports.
• Both transmit and receive traffic will be mirrored.
• A destination port will only act as a mirroring port when the session is operationally active.
• When a port mirror is created, the mirror destination port is removed from the egress list of VLAN 1 after a reboot.
Port Mirroring
Remote port mirroring is an extension to port mirroring which facilitates simultaneous mirroring of multiple source ports on multiple switches across a network to one or more remote destination ports. Remote port mirroring involves configuration of the following port mirroring related parameters:
1. Configuration of normal port mirroring source ports and one destination port on all switches, as described above.
2.
Port Mirroring
Configuring SMON MIB Port Mirroring
SMON port mirroring support allows you to redirect traffic on ports remotely using SMON MIBs. This is useful for troubleshooting or problem solving when network management through the console port, telnet, or SSH is not feasible.
Procedures
Perform the following steps to configure and monitor port mirroring using SMON MIB objects.
To create and enable a port mirroring instance:
1. Open a MIB browser, such as Netsight MIB Tools
2.
Port Mirroring
2. Enter MIB option 6 (destroy) and perform an SNMP Set operation.
3. (Optional) Use the CLI to verify the port mirroring instance has been deleted as shown in the following example:
C5(su)->show port mirroring
No Port Mirrors configured.
9 Configuring VLANs This chapter describes how to configure VLANs on Enterasys fixed stackable and standalone switches. For information about... Refer to page...
Implementing VLANs building has its own internal network. The end stations in each building connect to a switch on the bottom floor. The two switches are connected to one another with a high speed link.
Understanding How VLANs Operate
Preparing for VLAN Configuration
A little forethought and planning is essential to a successful VLAN implementation. Before attempting to configure a single device for VLAN operation, consider the following:
• What is the purpose of my VLAN design? (For example: security or traffic broadcast containment).
• How many VLANs will be required?
• What stations (end users, servers, etc.
Understanding How VLANs Operate • Shared Virtual Local Area Network (VLAN) Learning (SVL): Two or more VLANs are grouped to share common source address information. This setting is useful for configuring more complex VLAN traffic patterns, without forcing the switch to flood the unicast traffic in each direction. This allows VLANs to share addressing information.
Understanding How VLANs Operate
Forwarding Decisions
VLAN forwarding decisions for transmitting frames are determined by whether or not the destination of the traffic being classified is in the VLAN’s forwarding database, as follows:
• Unlearned traffic: When a frame’s destination MAC address is not in the VLAN’s forwarding database (FDB), it will be forwarded out of every port on the VLAN’s egress list with the frame format that is specified.
VLAN Support on Enterasys Switches
If a unicast untagged frame is received on Port 5, it would be classified for VLAN 50. Port 5 has its own filtering database and is not aware of what addressing information has been learned by other VLANs. Port 5 looks up the destination MAC address in its FID. If it finds a match, it forwards the frame out the appropriate port if, and only if, that port is allowed to transmit frames for VLAN 50.
VLAN Support on Enterasys Switches the perspective of the access layer—where users are most commonly located—egress is generally untagged. Policy-Based VLANs Rather than making VLAN membership decisions simply based on port configuration, each incoming frame can be examined by the classification engine which uses a match-based logic to assign the frame to a desired VLAN.
Configuring VLANs
Figure 9-3 Example of VLAN Propagation Using GVRP
[Figure: Switch 1 through Switch 5 and End Station A, with ports marked R or D. R = Port registered as a member of VLAN Blue. D = Port declaring VLAN Blue.]
Note: If a port is set to “forbidden” for the egress list of a VLAN, then the VLAN’s egress list will not be dynamically updated with that port. Administratively configuring a VLAN on an 802.
Configuring VLANs
Default Settings
Table 9-1 lists VLAN parameters and their default values.
Table 9-1 Default VLAN Parameters
• garp timers: Configures the three GARP timers. The setting is critical and should only be done by someone familiar with the 802.1Q standard. Default: Join timer: 20 centiseconds
• Enables or disables the GARP VLAN Registration Protocol (GVRP) on a specific set of ports or all ports. GVRP must be enabled to allow creation of dynamic VLANs.
Configuring VLANs
Procedure 9-1 Static VLAN Configuration (continued)
4. Assign switch ports to the VLAN. This sets the port VLAN ID (PVID). The PVID determines the VLAN to which all untagged frames received on the port will be classified.
   set port vlan port-string vlan-id [modify-egress | no-modify-egress]
   Optionally, specify whether or not the ports should be added to the VLAN’s untagged egress list and removed from other untagged egress lists.
Configuring VLANs
Procedure 9-1 Static VLAN Configuration (continued)
7. Optionally, choose to discard tagged or untagged (or both) frames on selected ports. Select none to allow all frames to pass through.
   set port discard port-string {tagged | untagged | none | both}
8. If the device supports routing, enter router configuration mode and configure an IP address on the VLAN interface.
Configuring VLANs
the device. It also makes management secure by preventing configuration through ports assigned to other VLANs. Procedure 9-2 provides an example of how to create a secure management VLAN. This example, which sets the new VLAN as VLAN 2, assumes the management station is attached to ge.1.1, and wants untagged frames. The process described in this section would be repeated on every device that is connected in the network to ensure that each device has a secure management VLAN.
Configuring VLANs
Procedure 9-3 Dynamic VLAN Configuration (continued)
4. Optionally, set the GARP join, leave, and leaveall timer values. Each timer value is in centiseconds.
   set garp timer {[join timer-value] [leave timer-value] [leaveall timer-value]} port-string
   Caution: The setting of GARP timers is critical and should only be changed by personnel familiar with 802.1Q standards.
Terms and Definitions
2. Ports 1 through 5 on switch unit 4 are configured as egress ports for the VLANs, while ports 8 through 10 on switch unit 5 are configured as ingress ports that will do the policy classification.
3. Policy profile number 1 is created that enables PVID override and defines the default behavior (classify to VLAN 3) if none of the classification rules created for the profile are matched.
4.
Terms and Definitions
Table 9-3 VLAN Terms and Definitions (continued)
• Forwarding List: A list of the ports on a particular device that are eligible to transmit frames for a selected VLAN.
• GARP Multicast Registration Protocol (GMRP): A GARP application that functions in a similar fashion as GVRP, except that GMRP registers multicast addresses on ports to control the flooding of multicast frames.
10 Configuring User Authentication This chapter describes the user authentication methods supported by Enterasys fixed switch platforms. For information about... Refer to page...
User Authentication Overview
Implementing User Authentication
Take the following steps to implement user authentication:
• Determine the types of devices to be authenticated.
• Determine the correct authentication type for each device.
• Determine an appropriate policy best suited for the use of that device on your network.
• Configure RADIUS user accounts on the authentication server for each device.
• Configure user authentication.
Authentication Methods
User Authentication Overview devices that do not support 802.1x or web authentication. Since MAC-based authentication authenticates the device, not the user, and is subject to MAC address spoofing attacks, it should not be considered a secure authentication method. However, it does provide a level of authentication for a device where otherwise none would be possible. The stackable fixed switch and standalone fixed switch devices support MAC-based authentication.
User Authentication Overview Multi-User Authentication Multi-user authentication provides for the per-user or per-device provisioning of network resources when authenticating.
User Authentication Overview
Figure 10-1 Applying Policy to Multiple Users on a Single Port
[Figure: User 1 (SMAC 00-00-00-11-11-11), User 2 (SMAC 00-00-00-22-22-22) and User 3 are attached to port ge.1.5 of the switch. Each user presents authentication credentials; for each, the switch sends an authentication request to the RADIUS server and receives an authentication response. A dynamic admin rule for Policy 1 is created for SMAC = 00-00-00-11-11-11 on ge.1.]
User Authentication Overview
credentials sent to the RADIUS server. RADIUS looks up the user account for that user based upon the SMAC. The Filter-ID for that user is returned to the switch in the authentication response, and the authentication is validated for that user.
Figure 10-2 Authenticating Multiple Users With Different Methods on a Single Port
[Figure: Authentication Method 802.
User Authentication Overview
Figure 10-3 Selecting Authentication Method When Multiple Methods are Validated
[Figure: end systems SMAC=User 1, SMAC=User 2 and SMAC=User 3 attached to a switch holding MultiAuth Sessions and an Auth. Agent for 802.
User Authentication Overview password configured on the switch to the authentication server. The authentication server verifies the credentials and returns an Accept or Reject message back to the switch. How RADIUS Data Is Used The Enterasys switch bases its decision to open the port and apply a policy or close the port based on the RADIUS message, the port's default policy, and unauthenticated behavior configuration.
User Authentication Overview Dynamic VLAN Assignment The RADIUS server may optionally include RADIUS tunnel attributes in a RADIUS Access-Accept message for dynamic VLAN assignment of the authenticated end system. RFC 3580’s RADIUS tunnel attributes are often configured on a RADIUS server to dynamically assign users belonging to the same organizational group within an enterprise to the same VLAN, or to place all offending users according to the organization’s security policy in a Quarantine VLAN.
User Authentication Overview
• Value: Indicates the type of tunnel. A value of 0x06 indicates that the tunneling medium pertains to 802 media (including Ethernet).
Tunnel-Private-Group-ID attribute indicates the group ID for a particular tunneled session. Set the Tunnel-Private-Group-ID attribute parameters as follows:
• Type: Set to 81 for Tunnel-Private-Group-ID RADIUS attribute
• Length: Set to a value greater than or equal to 3.
User Authentication Overview When the maptable response is set to tunnel mode, the system will use the tunnel attributes in the RADIUS reply to apply a VLAN to the authenticating user and will ignore any Filter-ID attributes in the RADIUS reply. When tunnel mode is configured, VLAN-to-policy mapping will not occur on a stackable fixed switch or standalone fixed switch platform.
Configuring Authentication
If VLAN authorization is not enabled, the tunnel attributes are ignored.
When Policy Maptable Response is “Profile”
When the switch is configured to use only Filter-ID attributes, by setting the set policy maptable command response parameter to policy:
• If the Filter-ID attributes are present, the specified policy profile will be applied to the authenticating user. If no Filter-ID attributes are present, the default policy (if it exists) will be applied.
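The following is an added example, not from the Enterasys guide, that decodes the attribute section of a RADIUS Access-Accept and applies the maptable response rules described above (tunnel mode honours RFC 3580 tunnel attributes and ignores Filter-ID; policy mode uses Filter-ID only; tunnel attributes are ignored when VLAN authorization is disabled). It assumes the RFC 2865/2868 attribute type numbers (Filter-ID 11, Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81) and the RFC 3580 Tunnel-Type value 13 for VLAN; the Access-Accept bytes are constructed inline.

```python
"""Added example: validate RFC 3580 dynamic VLAN assignment attributes in a
RADIUS Access-Accept the way a port authenticator should before acting on
them. Not code from the Enterasys guide; attribute numbers are from the RFCs."""
import struct
from typing import Dict, List, Optional, Tuple

# RADIUS attribute type numbers (RFC 2865 / RFC 2868) and RFC 3580 values.
FILTER_ID = 11
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_802 = 6        # Tunnel-Medium-Type value for 802 media (Ethernet)
TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def parse_attributes(payload: bytes) -> List[Tuple[int, bytes]]:
    """Split the attribute section into (type, value) pairs. The Length octet
    covers Type+Length+Value, so a value below 2 or past the end is malformed."""
    attrs: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def split_tag(value: bytes) -> Tuple[int, bytes]:
    """RFC 2868 tunnel attributes start with a Tag octet: 0x01-0x1F groups the
    attributes of one tunnel, 0x00 means untagged, and anything above 0x1F is
    the first octet of the value itself (no tag present)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_tunnel_attrs(attrs: List[Tuple[int, bytes]]) -> Optional[int]:
    """Return the VID from a complete, consistent tunnel attribute set, or None.
    All three attributes must share a tag, Tunnel-Type must be VLAN (13),
    Tunnel-Medium-Type must be 802 (6), and the group ID must be a valid VID."""
    groups: Dict[int, Dict[int, bytes]] = {}
    for atype, value in attrs:
        if atype in TUNNEL_ATTRS:
            tag, raw = split_tag(value)
            groups.setdefault(tag, {})[atype] = raw
    for g in groups.values():
        if not all(t in g for t in TUNNEL_ATTRS):
            continue
        if int.from_bytes(g[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(g[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_802:
            continue
        vid_text = g[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
        if vid_text.isdigit() and 1 <= int(vid_text) <= 4094:
            return int(vid_text)
    return None


def decide(attrs: List[Tuple[int, bytes]], maptable_response: str,
           vlan_authorization: bool) -> Dict[str, Optional[object]]:
    """Apply the maptable response rules: 'tunnel' uses tunnel attributes and
    ignores Filter-ID; 'policy' uses Filter-ID only (falling back to the default
    policy). Tunnel attributes are ignored if VLAN authorization is disabled."""
    filter_ids = [v.decode("ascii", "replace") for t, v in attrs if t == FILTER_ID]
    if maptable_response == "tunnel":
        vid = vlan_from_tunnel_attrs(attrs) if vlan_authorization else None
        return {"vlan": vid, "policy": None}
    if maptable_response == "policy":
        return {"vlan": None, "policy": filter_ids[0] if filter_ids else "default"}
    raise ValueError("unknown maptable response")


def build_attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


# Constructed Access-Accept attribute section: a Filter-ID plus tunnel
# attributes (tag 1) assigning VLAN 100. Not captured from a real server.
SAMPLE_REPLY = (
    build_attr(FILTER_ID, b"Enterprise User")
    + build_attr(TUNNEL_TYPE, bytes([1]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    + build_attr(TUNNEL_MEDIUM_TYPE, bytes([1]) + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
    + build_attr(TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + b"100")
)

# Constructed reply whose medium type is 7 (not 802 media): no VLAN may result.
BAD_MEDIUM_REPLY = (
    build_attr(TUNNEL_TYPE, bytes([0]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    + build_attr(TUNNEL_MEDIUM_TYPE, bytes([0]) + (7).to_bytes(3, "big"))
    + build_attr(TUNNEL_PRIVATE_GROUP_ID, bytes([0]) + b"100")
)

if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_REPLY)
    print(decide(attrs, "tunnel", vlan_authorization=True))   # VLAN 100, no policy
    print(decide(attrs, "tunnel", vlan_authorization=False))  # nothing assigned
    print(decide(attrs, "policy", vlan_authorization=True))   # Filter-ID policy only
    print(vlan_from_tunnel_attrs(parse_attributes(BAD_MEDIUM_REPLY)))  # None
```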
Configuring Authentication
Table 10-1 Default Authentication Parameters (continued)
• macauthentication: Globally enables or disables MAC authentication on a device. Default: Disabled.
• macauthentication port: Enables or disables MAC authentication on a port. Default: Disabled.
• MultiAuth idle-timeout: Specifies the period length for which no traffic is received before a MultiAuth session is set to idle. Default: 300 seconds.
• MultiAuth mode: Globally sets MultiAuth for this device.
Configuring Authentication
Table 10-1 Default Authentication Parameters (continued)
• realm: Specifies authentication server configuration scope. Default: Both: management-access and network-access.
• VLAN authorization status: Enables or disables globally and per port VLAN authorization. Default: Globally: Disabled. Per Port: Enabled.
• VLAN authorization egress format: Determines whether dynamic VLAN tagging will be none, tagged, untagged, or dynamic for an egress frame. Default: Untagged.
Configuring Authentication
Procedure 10-1 IEEE 802.1x Configuration (continued)
2. Display the access entity index values. Ports used to authenticate and authorize supplicants utilize access entities that maintain entity state, counters, and statistics for an individual supplicant. You need to know the index value associated with a single entity to enable, disable, initialize, or reauthenticate a single entity.
   show dot1x auth-session-stats
3.
Configuring Authentication
Procedure 10-2 MAC-Based Authentication Configuration (continued)
3. Enable or disable MAC authentication globally on the device. By default, MAC authentication is globally disabled on the device.
   set macauthentication {enable | disable}
4. Set the MultiAuth mode.
   set multiauth mode multi
5. Display MAC authentication configuration or status of active sessions.
Configuring Authentication Optionally Enable Guest Network Privileges With PWA enhanced mode enabled, you can optionally configure guest networking privileges. Guest networking allows an administrator to specify a set of credentials that will, by default, appear on the PWA login page of an end station when a user attempts to access the network.
Configuring Authentication Procedure 10-4 MultiAuth Authentication Configuration Step Task Command(s) 1. For a single user, single authentication 802.1x port configuration, set MultiAuth mode to strict. set multiauth mode strict 2. For multiple user 802.1x authentication or any non-802.1x authentication, set the system authentication mode to use multiple authenticators simultaneously. set multiauth mode multi 3. To clear the MultiAuth authentication mode.
Configuring Authentication • Authentication Required – Authentication methods are active on the port, based on the global and per port authentication method configured. Before authentication succeeds, no traffic is forwarded onto the network. After authentication succeeds, the user or device gains access to the network based upon the policy information returned by the authentication server in the form of the RADIUS Filter-ID attribute, or the static configuration on the switch.
Configuring Authentication Procedure 10-7 MultiAuth Authentication Timers Configuration Step Task Command(s) 1. Optionally set the MultiAuth authentication idle timeout value for the specified authentication method. set multiauth idle-timeout auth-method timeout 2. Reset the MultiAuth authentication idle timeout value to its default value for the specified authentication method. clear multiauth idle-timeout auth-method 3.
Configuring Authentication • dynamic – Egress formatting will be based upon information contained in the authentication response. The VLAN authorization table will always list any tunnel attribute’s VIDs that have been received for authenticated end systems, but a VID will not actually be assigned unless VLAN authorization is enabled both globally and on the authenticating port. Dynamic VLAN authorization overrides the port PVID. Dynamic VLAN authorization is not reflected in the show port vlan display.
Configuring Authentication • Server identification provides for the configuration of the server IP address and index value. The index determines the order in which the switch will attempt to establish a session with an authentication server. After setting the index and IP address you are prompted to enter a secret value for this authentication server. Any authentication requests to this authentication server must present the correct secret value to gain authentication.
Configuring Authentication Note: User + IP Phone authentication is not supported on the I-Series With “User + IP Phone” authentication, the policy role for the IP phone is statically mapped using a policy admin rule which assigns any frames received with a VLAN tag set to a specific VID (for example, Voice VLAN) to a specified policy role (for example, IP Phone policy role). Therefore, it is required that the IP phone be configured to send VLAN-tagged frames tagged for the “Voice” VLAN.
Configuring Authentication The following code example: • Creates and names two VLANS, one for the users and one for the phones. • Creates a CoS setting of index 55. • Sets the number of users to 2 on all the user ports. • Creates a user policy profile that uses the user VLAN. • Creates a policy profile for the phones and a policy rule that maps tagged frames on the user ports to that policy profile. • Minimally configures RADIUS, 802.1x, and MAC authentication.
Authentication Configuration Example
Our example covers the three supported stackable and fixed switch authentication types being used in an engineering group: end-user stations, an IP phone, a printer cluster, and public internet access. Figure 10-4 provides an overview of the fixed switch authentication configuration.
Configuring MultiAuth Authentication
MultiAuth authentication must be set to multi whenever multiple users of 802.1x need to be authenticated or whenever any MAC-based or PWA authentication is present. For ports where no authentication is present, such as switch to switch or switch to router connections, you should also set MultiAuth port mode to force authenticate to assure that traffic is not blocked by a failed authentication.
In an 802.1x configuration, policy is specified in the RADIUS account configuration on the authentication server using the RADIUS Filter-ID. See “The RADIUS Filter-ID” on page 8 for RADIUS Filter-ID information. If a RADIUS Filter-ID exists for the user account, the RADIUS protocol returns it in the RADIUS Accept message and the firmware applies the policy to the user.
Note: Globally enabling 802.1x on a switch sets the port-control type to auto for all ports.
Configuring the Public Area PWA Station
The public area PWA station provides visitors to your business site with open access to the internet, while at the same time isolating the station from any access to your internal network. In order to provide a default set of network resources to communicate over HTTP, policy must be set to only allow DHCP, ARP, DNS, and HTTP. You may want to set a rate limit that would guard against excessive streaming.
Terms and Definitions
Table 10-4 Authentication Configuration Terms and Definitions (continued)
Dynamic Host Configuration Protocol (DHCP): A protocol used by networked clients to obtain various parameters necessary for the clients to operate in an Internet Protocol (IP) network.
Extensible Authentication Protocol (EAP): A protocol that provides the means for communicating the authentication information in an IEEE 802.1x context.
IEEE 802.
11 Configuring Link Aggregation
This chapter describes how to configure link aggregation on the fixed switch platforms.
For information about... Refer to page...
Link Aggregation Overview 11-1
Configuring Link Aggregation 11-9
Link Aggregation Configuration Example 11-11
Terms and Definitions 11-15
Link Aggregation Overview
IEEE 802.3ad link aggregation provides a standardized means of grouping multiple parallel Ethernet interfaces into a single logical Layer 2 link.
problems if they also wanted, or needed, to use a different brand of networking hardware. Link aggregation is standards based, allowing for interoperability between multiple vendors in the network. Older implementations required manual configuration. With LACP, if a set of links can aggregate, they will aggregate. LACP’s ability to automatically aggregate links represents a timesaver for the network administrator, who will not be required to manually configure the aggregates.
Note: A given link is allocated to, at most, one LAG at a time. The allocation mechanism attempts to maximize aggregation, subject to management controls.
• Attaches the port to the aggregator used by the LAG, and detaches the port from the aggregator when it is no longer used by the LAG.
• Uses information from the partner device’s link aggregation control entity to decide whether to aggregate ports.
Figure 11-1 LAG Formation (tables of port, speed, and admin key for actor Device A ports 1 - 8, partner Device B ports 1 - 3, and Device C ports 1 - 8, showing LAG 1 and LAG 2)
Actor ports 1 - 3 on device A directly connect to partner ports 1 - 3 on device B:
• We have
• Investigating port admin keys, we see that ports 4 - 6 on device A are set to 100 (the same setting as all LAG ports on the device), while ports 7 and 8 on device A are set to 300 and 400, respectively. Because port admin keys for all LAGs and the physical ports 4 - 6 are the same, physical ports 4 - 6 satisfy rule 2. Because the admin key settings for physical ports 7 and 8 do not agree with any LAG admin key setting on the device, ports 7 and 8 cannot be part of any LAG.
Because port 6 has both a different speed and a higher priority than the port with the lowest priority in the LAG, it is not moved to the attached state. If LAG members with different port speeds should tie for the lowest port priority, the LAG member with the lowest port number breaks the tie.
Single Port Attached State Rules
By default, a LAG must contain two or more actor and partner port pairs for the LAG to be initiated by this device. A feature exists to allow the creation of a single port LAG; it is disabled by default. If single port LAG is enabled, a single port LAG can be created on this device. If single port LAG is disabled, a single port LAG will not be initiated by this device.
Table 11-2 LAG Port Parameters (continued)
Administrative State: A number of port level administrative states can be set for both the actor and partner ports. The following port administrative states are set by default:
• lacpactive - Transmitting LACP PDUs is enabled.
• lacptimeout - Transmitting LACP PDUs every 30 seconds. If this state is disabled, LACP PDUs are transmitted every 1 second. Note that the actor and partner LACP timeout values must agree.
The virtual link aggregation ports continue to be designated as lag.0.x, where x can range from 1 to 24, depending on the maximum number of LAGs configured.
Configuring Link Aggregation
This section provides details for the configuration of link aggregation on the N-Series, S-Series, stackable, and standalone switch products. Table 11-3 lists link aggregation parameters and their default values.
Procedure 11-1 Configuring Link Aggregation (continued)
Step 4. Optionally, change the administratively assigned key for each aggregation on the device. Command: set lacp aadminkey port-string value
Step 5. Optionally, enable single port LAGs on the device. Command: set lacp singleportlag {enable | disable}
Step 6. Optionally, modify the LAG port parameters. See Table 11-2 on page 11-7 for a description of port parameters.
Table 11-4 Managing Link Aggregation (continued)
Reset the maximum number of LACP groups to the default of 6. Command: clear lacp groups. If the number of LACP groups has been changed from the default, executing this command will result in a system reset and LACP configuration settings will be returned to their default values, including the group limit.
Table 11-5 describes how to display link aggregation information and statistics.
Link Aggregation Configuration Example
on each device is to ensure that LAGs form only where we configure them. Since the admin key for the LAG and its associated ports must agree for the LAG to form, an easy way to ensure that LAGs do not automatically form is to set the admin key for all LAGs on all devices to a nondefault value. The physical ports will initially retain admin key defaults. In our example, the admin keys for all LAGs are set to the highest configurable value of 65535.
Table 11-6 LAG and Physical Port Admin Key Assignments (device, LAG, LAG admin key, physical port, physical port admin key)
S8 Distribution Switch, LAG 1, LAG admin key 100: ge.1.1 (100), ge.2.1 (100), ge.3.1 (100), ge.4.1 (100)
Physical ports with admin key 200: ge.1.2 (200), ge.2.2 (200), ge.3.2 (200), ge.4.2 (200)
Physical ports with admin key 100: ge.1.21 (100), ge.1.22 (100), ge.2.23 (100), ge.3.24 (100)
Physical ports with admin key 200: ge.1.21 (200), ge.1.22 (200), ge.1.23 (200), ge.1.24 (200)
Physical ports with admin key 300: ge.2.17 (300), ge.2.19 (300), ge.2.22 (300), ge.2.
The output algorithm defaults to selecting the output port based upon the destination and source IP address. This setting will not be changed in our example. In any case, note that the stackable switch does not support the output algorithm feature.
Configuring the S8 Distribution Switch
The first thing we want to do is set the admin key for all LAGs to the non-default value of 65535 so that no LAGs will automatically form:
S8(rw)->set lacp aadminkey lag.0.
LACP port state is disabled by default on the B5s and C5s, so we will enable LACP port state here. We next want to set the admin keys for the stackable switch physical ports:
Stack2(rw)->set port lacp port ge.1.21
Stack2(rw)->set port lacp port ge.1.22
Stack2(rw)->set port lacp port ge.1.23
Stack2(rw)->set port lacp port ge.1.24
Stack2(rw)->set port lacp port ge.2.17
Stack2(rw)->set port lacp port ge.2.19
Stack2(rw)->set port lacp port ge.2.22
Stack2(rw)->set port lacp port ge.2.
Terms and Definitions
Table 11-7 Link Aggregation Configuration Terms and Definitions (continued)
Port Priority: Port priority determines which physical ports are moved to the attached state when physical ports of differing speeds form a LAG. Port priority also determines which ports will join a LAG when the number of supported ports for a LAG is exceeded.
System Priority: Value used to build a LAG ID, which determines aggregation precedence.
12 Configuring SNMP
This chapter describes basic SNMP concepts, the SNMP support provided on Enterasys fixed stackable and standalone switches, and how to configure SNMP on the switches using CLI commands.
SNMP Concepts
2. Setting security access rights
3. Setting SNMP Management Information Base (MIB) view attributes
4. Setting target parameters to control the formatting of SNMP notification messages
5. Setting target addresses to control where SNMP notifications are sent
6. Setting SNMP notification parameters (filters)
7.
SNMP Support on Enterasys Switches
Table 12-1 SNMP Message Functions (continued)
get-response: Replies to a get-request, get-next-request, and set-request sent by a management station.
set-request: Stores a value in a specific variable.
trap | inform (3): Unsolicited message sent by an SNMP agent to an SNMP manager when an event has occurred.
1. With this operation, an SNMP manager does not need to know the exact variable name.
Versions Supported
Enterasys devices support three versions of SNMP:
• Version 1 (SNMPv1) — This is the initial implementation of SNMP. Refer to RFC 1157 for a full description of functionality.
• Version 2 (SNMPv2c) — The second release of SNMP, described in RFC 1907, has additions and enhancements to data types, counter size, and protocol operations.
Terms and Definitions
Table 12-2 lists common SNMP terms and defines their use on Enterasys devices.
Table 12-2 SNMP Terms and Definitions
community: A name string used to authenticate SNMPv1 and v2c users.
context: A subset of MIB information to which associated users have access rights.
engine ID: A value used by both the SNMPv3 sender and receiver to propagate inform notifications.
Table 12-2 SNMP Terms and Definitions (continued)
USM: User-Based Security Model, the SNMPv3 authentication model which relies on a user name match for access to network management components.
VACM: View-based Access Control Model, which determines remote access to SNMP managed objects, allowing subsets of management information to be organized into user views.
security model and security level used to request access. In this way, VACM allows you to permit or deny access to any individual item of management information depending on a user's group membership and the level of security provided by the communications channel.
Configuring SNMP
This section provides the following information about configuring SNMP on Enterasys devices:
doorstep. To determine if all these elements are in place, the SNMP agent processes a device configuration as follows:
1. Determines if the “keys” for trap “doors” do exist. The key that SNMP is looking for is the notification entry created with the set snmp notify command.
2. Searches for the doors matching such a key and verifies that the door is available. If so, this door is tagged or bound to the notification entry.
Configuring SNMPv1/SNMPv2c
Creating a New Configuration
Procedure 12-1 shows how to create a new SNMPv1 or SNMPv2c configuration. This example assumes that you haven’t any preconfigured community names or access rights.
Note: The v1 parameter in this example can be replaced with v2 for SNMPv2c configuration.
Procedure 12-1 New SNMPv1/v2c Configuration
Step 1. Create a community name. Command: set snmp community community_name
Step 2.
enterasys(su)->set snmp view viewname RW subtree 0.0
enterasys(su)->set snmp view viewname RW subtree 1.3.6.1.6.3.13.1 excluded
enterasys(su)->set snmp targetparams TVv1public user public security-model v1 message processing v1
enterasys(su)->set snmp targetaddr TVTrap 10.42.1.10 param TVv1public taglist TVTrapTag
enterasys(su)->set snmp notify TVTrap tag TVTrapTag
Adding to or Modifying the Default Configuration
By default, SNMPv1 is configured on Enterasys switches.
Procedure 12-2 SNMPv3 Configuration
Step 1. Create an SNMPv3 user and specify authentication, encryption, and security credentials. Command: set snmp user user [remote remoteid] [privacy privpassword] [authentication {md5 | sha}] [authpassword]
• If remote is not specified, the user will be registered for the local SNMP engine.
• If authentication is not specified, no authentication will be applied.
• If privacy is not specified, no encryption will be applied.
Step 2.
Procedure 12-2 SNMPv3 Configuration (continued)
Step 6. Set the SNMP target address for notification message generation. Command: set snmp targetaddr targetaddr ipaddr param param [udpport udpport] [mask mask] [timeout timeout] [retries retries] [taglist taglist] [volatile | nonvolatile]
• If not specified, udpport will be set to 162.
• If not specified, mask will be set to 255.255.255.255.
• If not specified, timeout will be set to 1500 (15 seconds).
enterasys(su)->set snmp notify SNMPv3TrapGen tag v3TrapTag inform
How SNMP Will Process This Configuration
As described in “How SNMP Processes a Notification Configuration” on page 12-7, if the SNMP agent on the device needs to send an inform message, it looks to see if there is a notification entry that says what to do with inform messages. Then, it looks to see if the tag list (v3TrapTag) specified in the notification entry exists.
Procedure 12-3 Configuring an EngineID (continued)
Step 4. On the Enterasys switch, define the same user as in the above example (v3user) with this EngineID and with the same Auth/Priv passwords you used previously. Command: set snmp user v3user remote 800007e5804f190000d232aa40 privacy despasswd authentication md5 md5passwd
Note: You can omit the 0x from the EngineID. You can also use the colon notation like this: 80:00:07:e5:80:4f:19:00:00:d2:32:aa:40
Step 5.
Subtree OID = 1.3.6.1.2.1
Subtree mask =
View Type = included
Storage type = nonVolatile
Row status = active
View Name = All
Subtree OID = 1.3.6.1.2.1.2
Subtree mask =
View Type = excluded
Storage type = nonVolatile
Row status = active
You can test this configuration using any MIB browser directed to the IP of the configured device and using the default community name public associated with the view All.
Procedure 12-4 Configuring Secure Community Names
Step 1. Create the following SNMP view group configurations.
Procedure 12-4 Configuring Secure Community Names (continued)
Step 5. Using the viewnames assigned in Step 1, create restricted views for v1/v2c users, and unrestricted views for v3 users. Commands:
set snmp view viewname securedviewname subtree 1
set snmp view viewname securedviewname subtree 0.0
set snmp view viewname unsecuredviewname subtree 1
set snmp view viewname unsecuredviewname subtree 0.0
Step 6.
Reviewing SNMP Settings
Table 12-5 Commands to Review SNMP Settings
Display SNMPv1/SNMPv2c community names and status. Command: show snmp community name
Display the context list configuration for SNMP view-based access control. Command: show snmp context
Display SNMP traffic counter values. Command: show snmp counters
Display SNMP engine properties. Command: show snmp engineid
Display SNMP group information. Command: show snmp group groupname grpname
Display an SNMP group’s access rights.
13 Configuring Neighbor Discovery
This chapter describes how to configure the Link Layer Discovery Protocol (LLDP), the Enterasys Discovery Protocol, and the Cisco Discovery Protocol on Enterasys fixed stackable and standalone switches.
Neighbor Discovery Overview
connected neighbors. While Enterasys Discovery Protocol and Cisco Discovery Protocol are vendor-specific protocols, LLDP is an industry standard (IEEE 802.1AB), vendor-neutral protocol. The LLDP-enabled device periodically advertises information about itself (such as management address, capabilities, media-specific configuration information) in an LLDPDU (Link Layer Discovery Protocol Data Unit), which is sent in a single 802.3 Ethernet frame (see Figure 13-3 on page 13-6).
Figure 13-1 Communication between LLDP-enabled Devices (each device’s discovery MIB lists, per port, the neighbor device and its info: ge.1.1 IP phone, ge.1.2 PC, ge.1.4 IP switch on one device; ge.1.1 IP switch, ge.1.2 IP phone, ge.1.4 IP phone, ge.1.6 IP-PBX on the other)
There are two primary LLDP-MED device types (as shown in Figure 13-2 on page 13-5):
• Network connectivity devices, which are LAN access devices such as LAN switch/routers, bridges, repeaters, wireless access points, or any device that supports the IEEE 802.1AB and MED extensions defined by the standard and can relay IEEE 802 frames via any method.
Figure 13-2 LLDP-MED
• LLDP-MED Network Connectivity Devices: Provide IEEE 802 network access to LLDP-MED endpoints (for example, L2/L3 switch)
• LLDP-MED Generic Endpoints (Class I): Basic participant endpoints in LLDP-MED (for example, IP communications controller)
• IP Network Infrastructure (IEEE 802 LAN)
• LLDP-MED Media Endpoints (Class II): Supports IP media streams (for media gateways, conference bridges)
• LLDP-MED Communication Device Endpoints (Class III): Support IP comm
Figure 13-3 Frame Format
IEEE 802.3 LLDP frame format: DA (LLDP_Multicast address, 6 octets), SA (MAC address, 6 octets), LLDP Ethertype 88-CC (2 octets), Data + pad (LLDPDU, 1500 octets), FCS (4 octets)
LLDPDU format: Chassis ID TLV (M), Port ID TLV (M), Time to Live TLV (M), Optional TLV ...
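An added example, not Enterasys code, that parses the frame layout in Figure 13-3: the Ethernet header with the 88-CC ethertype, then the LLDPDU's TLVs, rejecting a frame whose mandatory Chassis ID, Port ID and Time to Live TLVs are missing or out of order. The sample frame, its MAC address and its System Name are constructed, and the FCS is assumed to have been stripped by the receiving NIC.

```python
"""Parse an IEEE 802.3 LLDP frame into its LLDPDU TLVs (added example, not Enterasys code)."""
import struct
from dataclasses import dataclass, field

LLDP_ETHERTYPE = 0x88CC
LLDP_MULTICAST = bytes.fromhex("0180c200000e")   # nearest-bridge LLDP_Multicast address

# TLV type codes; types 1-3 are mandatory and must open the LLDPDU, type 0 ends it
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
# ID subtypes that carry a MAC address or a printable string (IEEE 802.1AB subtype tables)
CHASSIS_MAC, CHASSIS_TEXT = 4, {2, 6, 7}
PORT_MAC, PORT_TEXT = 3, {1, 5, 7}


@dataclass
class Lldpdu:
    chassis_id: str
    port_id: str
    ttl: int                                        # seconds the entry stays valid; 0 means "remove me"
    optional: list = field(default_factory=list)    # (tlv_type, raw value) pairs in wire order


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """TLV header is 7 bits of type and 9 bits of length, big-endian."""
    if tlv_type > 127 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def iter_tlvs(lldpdu: bytes):
    """Yield (type, value) pairs; raise ValueError on a truncated or unterminated LLDPDU."""
    offset = 0
    while offset + 2 <= len(lldpdu):
        header, = struct.unpack_from("!H", lldpdu, offset)
        tlv_type, tlv_len = header >> 9, header & 0x1FF
        offset += 2
        if offset + tlv_len > len(lldpdu):
            raise ValueError("TLV length runs past end of LLDPDU")
        yield tlv_type, lldpdu[offset:offset + tlv_len]
        offset += tlv_len
        if tlv_type == TLV_END:
            return
    raise ValueError("LLDPDU has no End of LLDPDU TLV")


def _format_id(value: bytes, mac_subtype: int, text_subtypes: set) -> str:
    """First octet of a Chassis/Port ID TLV is the subtype; the rest is the identifier."""
    if not value:
        raise ValueError("empty ID TLV")
    subtype, body = value[0], value[1:]
    if subtype == mac_subtype and len(body) == 6:
        return ":".join(f"{b:02x}" for b in body)
    if subtype in text_subtypes:
        return body.decode("ascii", errors="replace")
    return body.hex()                               # other subtypes shown as raw hex


def parse_frame(frame: bytes) -> Lldpdu:
    """Validate the Ethernet header and mandatory TLV order, then decode the LLDPDU."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != LLDP_ETHERTYPE:
        raise ValueError(f"not an LLDP frame (ethertype 0x{ethertype:04x})")
    tlvs = list(iter_tlvs(frame[14:]))
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    ttl_raw = tlvs[2][1]
    if len(ttl_raw) != 2:
        raise ValueError("Time to Live TLV must be exactly 2 octets")
    return Lldpdu(
        chassis_id=_format_id(tlvs[0][1], CHASSIS_MAC, CHASSIS_TEXT),
        port_id=_format_id(tlvs[1][1], PORT_MAC, PORT_TEXT),
        ttl=struct.unpack("!H", ttl_raw)[0],
        optional=[(t, v) for t, v in tlvs[3:] if t != TLV_END],
    )


def is_valid_lldp(frame: bytes) -> bool:
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def sample_frame() -> bytes:
    """Constructed sample: a switch advertising port ge.1.1 with TTL 120 and a System Name TLV (type 5)."""
    chassis_mac = bytes.fromhex("001f45abcdef")     # constructed MAC, not a real device
    lldpdu = (build_tlv(TLV_CHASSIS_ID, bytes([CHASSIS_MAC]) + chassis_mac)
              + build_tlv(TLV_PORT_ID, bytes([5]) + b"ge.1.1")   # port subtype 5 = interface name
              + build_tlv(TLV_TTL, struct.pack("!H", 120))
              + build_tlv(5, b"lab-switch")                       # System Name, optional
              + build_tlv(TLV_END, b""))
    return LLDP_MULTICAST + chassis_mac + struct.pack("!H", LLDP_ETHERTYPE) + lldpdu


if __name__ == "__main__":
    print(parse_frame(sample_frame()))
```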
Configuring LLDP
• Maximum Frame Size — Advertises the maximum supported 802.3 frame size of the sending station.
LLDP-MED extension TLVs:
– Capabilities — Indicates the network connectivity device’s capabilities.
– Network Policy — Used to configure tagged/untagged VLAN ID/L2 priority/DSCP on LLDP-MED endpoints (for example, IP phones).
Table 13-1 LLDP Configuration Commands (continued)
Enable or disable transmitting and processing received LLDPDUs on a port or range of ports. Command: set lldp port status {tx-enable | rx-enable | both | disable} port-string
Enable or disable sending LLDP traps when a remote system change is detected.
Table 13-1 LLDP Configuration Commands (continued)
Clear the optional LLDP and LLDP-MED TLVs to be transmitted in LLDPDUs by the specified port or ports to the default value of disabled.
System(rw)->set lldp port tx-tlv med-loc ge.1.1-6
LLDP Display Commands
Table 13-2 lists LLDP show commands.
Table 13-2 LLDP Show Commands
Display LLDP configuration information. Command: show lldp
Display the LLDP status of one or more ports.
Configuring Enterasys Discovery Protocol
Table 13-3 Enterasys Discovery Protocol Configuration Commands (continued)
Reset Enterasys Discovery Protocol settings to defaults. Command: clear cdp {[state] [port-state portstring] [interval] [hold-time] [authcode]}
Refer to your device’s CLI Reference Guide for more information about each command.
Configuring Cisco Discovery Protocol
• There is a one-to-one correlation between the value set with the cos parameter and the 802.1p value assigned to ingressed traffic by the Cisco IP phone. A value of 0 equates to an 802.1p priority of 0. Therefore, a value of 7 is given the highest priority.
Note: The Cisco Discovery Protocol must be globally enabled using the set ciscodp status command before operational status can be set on individual ports.
Refer to your device’s CLI Reference Guide for a description of the output of each command.
14 Configuring Syslog
This chapter describes how System Logging, or Syslog, operates on Enterasys fixed stackable and standalone switches, and how to configure Syslog.
Syslog Operation
By default, Syslog is operational on Enterasys switch devices at startup. All generated messages are eligible for logging to local destinations and to remote servers configured as Syslog servers.
The following sections provide greater detail on modifying key Syslog components to suit your enterprise.
Syslog Components and Their Use
Table 14-1 describes the Enterasys implementation of key Syslog components.
Table 14-1 Syslog Terms and Definitions (term, definition, Enterasys usage)
Facility: Categorizes which functional process is generating an error message. Syslog combines this value and the severity value to determine message priority.
Table 14-1 Syslog Terms and Definitions (continued)
Syslog server: A remote server configured to collect and store Syslog messages. Enterasys usage: Enterasys devices allow up to 8 server IP addresses to be configured as destinations for Syslog messages. By default, Syslog server is globally enabled, with no IP addresses configured, at a severity level of 8.
Basic Syslog Scenario
Figure 14-1 shows a basic scenario of how Syslog components operate on an Enterasys switch. By default, all applications running on the Enterasys switch are allowed to forward Syslog messages generated at severity levels 6 through 1. In the configuration shown, these default settings have not been changed.
For more information on how to configure these basic settings, refer to “Syslog Command Precedence” on page 14-8, and the “Configuration Examples” on page 14-12.
Interpreting Messages
Every system message generated by the Enterasys switch platforms follows the same basic format:
time stamp address application [unit] message text
Example
This example shows Syslog informational messages, displayed with the show logging buffer command.
About Security Audit Logging
The secure.log file stored in the secure/logs directory cannot be deleted, edited, or renamed. Super-users can copy the secure.log file using SCP, SFTP, or TFTP. By default, security audit logging is disabled. Only a system administrator (super-user) may enable the security audit logging function, and only a system administrator has the ability to retrieve, copy, or upload the secure.log file. Security audit logging is enabled or disabled with the command set logging local.
If, for any reason, an event that is to be sent to the secure log gets dropped, resulting in the failure to record the event, an SNMP trap will be generated. The trap generation will be done using the Enterasys Syslog Client MIB notification etsysSyslogSecureLogDroppedMsgNotification.
Format Examples
The following examples illustrate secure log entry formats for different types of events.
• User logs in via console
<164>Apr 21 08:44:13 10.27.12.
Configuring Syslog
Table 14-3 Syslog Command Precedence (continued)
Server settings: set logging server index ip-addr ipaddr [facility facility] [severity severity] [descr descr] [port port] state enable | disable. During or after new server setup, specifies a server index, IP address, and operational state for a Syslog server.
Modifying Syslog Server Defaults
Unless otherwise specified, the switch will use the default server settings listed in Table 14-4 for its configured Syslog servers:
Table 14-4 Syslog Server Default Settings
facility: local4
severity: 8 (accepting all levels)
descr: no description applied
port: UDP port 514
Use the following commands to change these settings either during or after enabling a new server.
Displaying Current Application Severity Levels
To display logging severity levels for one or all applications currently running on your device:
show logging application {mnemonic|all}
Example
This example shows output from the show logging application all command. A numeric and mnemonic value for each application is listed with the severity level at which logging has been configured and the server(s) to which messages will be sent.
Note: The set logging local command requires that you specify both console and file settings. For example, set logging local console enable would not execute without also specifying file enable or disable.
Configuration Examples
Enabling a Server and Console Logging
Procedure 14-1 shows how you would complete a basic Syslog configuration.
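An added example, not Enterasys code, for a collector receiving these messages: it decodes the <PRI> of entries such as the secure-log line under Format Examples into facility and severity (164 is local4, the default facility in Table 14-4, at severity warning) and splits the time stamp, address, application and unit fields described under Interpreting Messages. The log lines, addresses and message texts are constructed.

```python
"""Decode Enterasys-style Syslog lines (added example, not Enterasys code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Facility numbers as carried in the PRI; local4 (20) is the switch default in Table 14-4
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
                  **{16 + i: f"local{i}" for i in range(8)}}
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

# <PRI> then "time stamp address application [unit] message text" (Interpreting Messages);
# the [unit] bracket is optional, as it is not present for every application.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<addr>\S+) "
    r"(?P<app>[^\s\[]+)\s?(?:\[(?P<unit>\d+)\])?\s?"
    r"(?P<msg>.*)$")


@dataclass
class SyslogEntry:
    facility: str
    severity: int               # 0 (emergency) .. 7 (debug)
    timestamp: str
    address: str
    application: str
    unit: Optional[int]
    message: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def decode_pri(pri: int):
    """PRI = facility * 8 + severity, so <164> is local4 (20) at severity 4 (warning)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range")
    return FACILITY_NAMES.get(pri >> 3, f"facility{pri >> 3}"), pri & 7


def parse_line(line: str) -> SyslogEntry:
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"unrecognised Syslog line: {line!r}")
    facility, severity = decode_pri(int(m["pri"]))
    return SyslogEntry(facility, severity, m["ts"], m["addr"], m["app"],
                       int(m["unit"]) if m["unit"] else None, m["msg"])


def parse_lines(text: str) -> List[SyslogEntry]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def at_least(entries: List[SyslogEntry], severity: int) -> List[SyslogEntry]:
    """Entries at the given numeric severity or worse (a lower number is more urgent)."""
    return [e for e in entries if e.severity <= severity]


# Constructed sample in the page's format; the address, applications and texts are made up.
SAMPLE_LOG = """\
<164>Apr 21 08:44:13 10.27.12.1 CLI[1] user admin logged in via console
<166>Apr 21 08:45:02 10.27.12.1 SNMP[1] SNMPv1 request from 10.42.1.10 accepted
<163>Apr 21 08:46:30 10.27.12.1 RADIUS[2] authentication server 10.42.1.20 unreachable
"""

if __name__ == "__main__":
    for e in parse_lines(SAMPLE_LOG):
        print(f"{e.facility}.{e.severity_name:<13} {e.application}[{e.unit}] {e.message}")
```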
15 Configuring Spanning Tree This chapter provides the following information about configuring and monitoring the Spanning Tree protocol on Enterasys stackable and standalone fixed switches. For information about... Refer to page...
Spanning Tree Protocol Overview While the network is in a steady state, alternate and backup ports are in blocking state; root and designated ports are in forwarding state. STP allows for the automatic reconfiguration of the network. When bridges are added to or removed from the network, root election takes place and port roles are recalculated.
STP Operation STP Operation Enterasys switch devices support the Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP) as defined in the following standards and described in IEEE 802.1Q: • IEEE 802.1D (Spanning Tree Protocol) • IEEE 802.1w (Rapid Spanning Tree Protocol) • IEEE 802.1s (Multiple Spanning Tree Protocol) • IEEE 802.1t (Update to 802.
STP Operation Rapid Spanning Tree Operation Rapid Spanning Tree (RSTP) optimizes convergence in a properly configured network by significantly reducing the time to reconfigure the network’s active topology when physical topology or configuration parameter changes occur. RSTP is defined in the IEEE 802.1w standard. Spanning Tree’s primary goal is to ensure a fully connected, loop-free topology.
STP Operation Figure 15-3 Multiple Spanning Tree Overview Common and Internal Spanning Tree (CIST) ROOT Bridge MST Region MSTCentral MST Region Root S1 Root Non-Regional Bridge KEY: CIST Region SID 0 SID 1 Blocked Port SID 0 is the default Spanning Tree and interconnects all bridges to the Root Bridge. SID 0 within the MST is the Internal Spanning Tree (IST) and provides connectivity out to the CST as well as functioning as another Spanning Tree instance within the MST region.
Functions and Features Supported on Enterasys Devices Functions and Features Supported on Enterasys Devices Spanning Tree Versions MSTP and RSTP automatically detect the version of Spanning Tree being used on a LAN. RSTP bridges receiving MSTP BPDUs interpret them as RSTP BPDUs. MSTP and RSTP bridges receiving STP BPDUs will switch to use STP BPDUs when sending on the port connected to the STP bridge.
Disabling Spanning Tree
Spanning Tree may be disabled globally or on a per-port basis. If Spanning Tree is disabled globally, all linked ports are in the forwarding state and the Spanning Tree Protocol does not run. Additionally, a received BPDU is treated like any other multicast packet and flooded out all ports.
before their states are allowed to become forwarding. Further, if a BPDU timeout occurs on a port, its state becomes listening until a new BPDU is received. In this way, both upstream- and downstream-facing ports are protected. When a root or alternate port loses its path to the root bridge due to message age expiration, it takes on the role of designated port and does not forward traffic until a BPDU is received.
Spanning Tree Basics
This section provides a more detailed understanding of how Spanning Tree operates in a typical network environment.
underlying physical ports. The port cost value may also be administratively assigned using the set spantree adminpathcost command, for example to prefer a particular path.
Paths to Root
If the bridge is not elected as root, one or more ports provide a path back to the root bridge. The port with the best path is selected as the root port. The best path is the one with the lowest designated cost.
that port will be selected as root. If no single port has the lowest port priority, the root port is selected based upon the overall port ID value. Figure 15-5 on page 15-11 presents a root port configuration for Bridge B determined by the port priority setting. If there is still a tie, these ports are connected via a shared medium, and the final tie breaker is the receiving port ID.
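The root election and root port tie-breakers described above, as an added Python model that is not part of the Enterasys guide. Bridge priorities and MAC addresses are those listed for Bridges A through D in Figure 15-12; the BPDU fields, port costs and port numbers are constructed for illustration.

```python
"""Root bridge election and root port selection, the 802.1D way.

Added example, not from the Enterasys guide. It applies the ordering the
text describes: the bridge with the lowest bridge ID (priority, then MAC)
is root; on every other bridge the root port is the one with the lowest
root path cost, then lowest designated (sending) bridge ID, then lowest
designated port priority, then lowest designated port ID, and, when the
same sender is heard on two ports over a shared medium, the lowest
receiving port ID.
"""
from dataclasses import dataclass
from typing import Optional


def bridge_id(priority: int, mac: str) -> tuple:
    """Comparable 802.1D bridge identifier: priority first, MAC second."""
    return (priority, bytes.fromhex(mac.replace("-", "")))


def port_id(priority: int, number: int) -> int:
    """16-bit port identifier: priority in the high octet, port number low."""
    return (priority << 8) | number


@dataclass(frozen=True)
class Bpdu:
    """Fields of a received configuration BPDU that decide the root port."""
    root_id: tuple          # root bridge ID advertised by the sender
    root_path_cost: int     # sender's own cost to that root
    sender_id: tuple        # designated bridge ID (the sender)
    sender_port_id: int     # designated port ID on the sender


def elect_root(bridge_ids) -> tuple:
    """Lowest bridge ID wins: priority is compared before the MAC address."""
    return min(bridge_ids)


def select_root_port(local_id: tuple, received: dict) -> Optional[int]:
    """received maps local port ID -> (Bpdu, path cost of that local port).

    Returns the local port ID chosen as root port, or None when this bridge
    is itself the root (no received BPDU names a better root).
    """
    if not received:
        return None
    best_root = min(b.root_id for b, _ in received.values())
    if local_id <= best_root:
        return None
    candidates = [(b, cost, pid) for pid, (b, cost) in received.items()
                  if b.root_id == best_root]

    def rank(item):
        bpdu, link_cost, local_pid = item
        # Root path cost seen on this port = advertised cost + this port's cost.
        return (bpdu.root_path_cost + link_cost,
                bpdu.sender_id,
                bpdu.sender_port_id,   # priority is the high octet, so this
                local_pid)             # orders by priority, then port number

    return min(candidates, key=rank)[2]


# Bridge IDs taken from Figure 15-12 (priority, MAC address).
A = bridge_id(4096, "00-00-00-00-00-01")
B = bridge_id(8192, "00-00-00-00-00-02")
C = bridge_id(32768, "00-00-00-00-00-03")
D = bridge_id(32768, "00-00-00-00-00-04")

ROOT = elect_root([A, B, C, D])   # A: lowest priority value

# Constructed view from Bridge C: port 1 hears A directly, port 2 hears B,
# which is itself one hop (cost 4) from A. Both local ports cost 4.
C_PORTS = {
    port_id(128, 1): (Bpdu(A, 0, A, port_id(128, 3)), 4),
    port_id(128, 2): (Bpdu(A, 4, B, port_id(128, 3)), 4),
}

# Constructed tie: Bridge D hears the same sender A on two ports at equal
# cost; A's designated port priority decides, then D's receiving port ID.
D_PORTS = {
    port_id(128, 1): (Bpdu(A, 0, A, port_id(128, 4)), 4),
    port_id(128, 2): (Bpdu(A, 0, A, port_id(112, 3)), 4),
}

if __name__ == "__main__":
    print("root bridge:", ROOT)
    print("C root port:", select_root_port(C, C_PORTS))   # port 1 (cost 4 beats 8)
    print("D root port:", select_root_port(D, D_PORTS))   # port 2 (sender port priority 112)
```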
Identifying Designated, Alternate, and Backup Port Roles
Ports in a Spanning Tree configuration are assigned one of four roles: root, designated, alternate, or backup. Figure 15-6 presents an overview of Spanning Tree port roles.
designated port (Figure 15-6, callout 6), takes the role of backup port. In the shared LAN example it may take over as designated port if the original designated port is disabled. All operational ports that are not root, alternate, or backup ports are designated ports. These ports provide a path to the root for attached devices. Table 15-2 provides a summary of STP port roles.
RSTP Operation
RSTP optimizes convergence by significantly reducing the time needed to reconfigure the network’s active topology when physical topology or configuration parameter changes occur. RSTP provides rapid connectivity following the failure of a switching device or switch port, or the addition of a switch to the network. A new root port may forward as soon as the previous root port is put into blocking. A designated port may forward after the exchange of two BPDUs in rapid succession.
The MSTP-enabled network may contain any combination of Single Spanning Tree (SST) regions and Multiple Spanning Tree (MST) regions. A typical network may contain multiple MST regions as well as separate LAN segments running legacy STP and RSTP. The CIST contains a root bridge, which is the root of the Spanning Tree for the whole network. The CIST root may be, but is not necessarily, located inside an MST region.
string corresponding to the bridge MAC address. This guarantees that the default behavior of a bridge is to not be part of an MST region.
• Revision Level – Two octets in length. The default value of 0 may be administratively changed.
• Configuration Digest – A 16-octet HMAC-MD5 signature computed over the configured VLAN Identification (VID)/Filtering Identification (FID) to Multiple Spanning Tree Instance (MSTI) mappings.
displayed in the following example. By default, every bridge has a FID-to-SID mapping of VLAN FID 1/SID 0. Use the show spantree mstcfgid command to display MSTI configuration identifier information and to check whether there is a misconfiguration due to non-matching configuration identifier components. This example shows how to display MSTI configuration identifier information.
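The Configuration Digest comparison that show spantree mstcfgid lets you make by eye, as an added Python example that is not code from the guide or from the switch firmware. It computes the digest as IEEE 802.1s specifies and assumes the standard’s fixed HMAC-MD5 key; the bridge names, revision numbers and VLAN-to-MSTI mappings are constructed.

```python
"""MST Configuration Identifier check: name, revision level and digest.

Added example, not from the Enterasys guide. The Configuration Digest is the
HMAC-MD5 the text mentions, computed as IEEE 802.1s / 802.1Q specify: over the
4096-entry VID-to-MSTID table (two octets per VID in network byte order, VIDs 0
through 4095), keyed with the fixed signature key the standard defines. Bridges
form one MST region only when name, revision and digest all match, so a single
stray VLAN mapping on one bridge splits the region.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Fixed HMAC key defined by IEEE 802.1s for the Configuration Digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

# Digest every bridge carries by default: all VIDs mapped to MSTI 0 (the IST).
DEFAULT_DIGEST = "AC36177F50283CD4B83821D8AB26DE62"


def config_digest(vid_to_msti: dict) -> str:
    """Return the 16-octet Configuration Digest as upper-case hex.

    VIDs absent from the mapping stay in MSTI 0 (SID 0, the IST), which is
    the default FID 1 / SID 0 mapping the text describes.
    """
    bad_vids = [v for v in vid_to_msti if not 0 <= v <= 4095]
    if bad_vids:
        raise ValueError(f"VIDs out of range: {bad_vids}")
    table = bytearray()
    for vid in range(4096):
        msti = vid_to_msti.get(vid, 0)
        if not 0 <= msti <= 4094:
            raise ValueError(f"MSTID {msti} out of range for VID {vid}")
        table += msti.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest().upper()


@dataclass
class MstConfigId:
    """Components of the MST Configuration Identifier that an operator sets."""
    name: str                 # up to 32 octets; defaults to the bridge MAC string
    revision: int = 0         # two octets, default 0
    vid_to_msti: dict = field(default_factory=dict)

    @property
    def digest(self) -> str:
        return config_digest(self.vid_to_msti)


def region_mismatch(a: MstConfigId, b: MstConfigId) -> list:
    """Names of the components that differ; an empty list means one region."""
    differences = []
    if a.name != b.name:
        differences.append("name")
    if a.revision != b.revision:
        differences.append("revision")
    if a.digest != b.digest:
        differences.append("digest")
    return differences


# Constructed configurations for bridges that are meant to share one region.
BRIDGE_1 = MstConfigId("campus", 1, {10: 1, 20: 2})
BRIDGE_2 = MstConfigId("campus", 1, {20: 2, 10: 1})         # same mapping, other order
BRIDGE_3 = MstConfigId("campus", 1, {10: 1, 20: 2, 30: 1})  # one extra VLAN mapped

if __name__ == "__main__":
    print("default digest:", config_digest({}))
    print("bridge 1 vs 2:", region_mismatch(BRIDGE_1, BRIDGE_2) or "same region")
    print("bridge 1 vs 3:", region_mismatch(BRIDGE_1, BRIDGE_3) or "same region")
```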
Figure 15-8 MSTI 1 in a Region (figure: CIST Root, CIST Regional Root, and MSTI 1 Regional Root among bridges 1–5; legend: physical link, blocked VLANs)
Figure 15-9 MSTI 2 in the Same Region (figure: CIST Regional Root and MSTI 2 Regional Root among bridges 1–5; legend: physical link, blocked VLANs)
Figure 15-10 on page 15-19 shows three regions with five MSTIs. Table 15-5 on page 15-19 defines the characteristics of each MSTI.
Figure 15-10 Example of Multiple Regions and MSTIs (figure: Regions 1–3 with switching devices 1–12, showing the CIST Root, the CIST Regional Roots, and the Master Ports)
Table 15-5 MSTI Characteristics for Figure 15-10
MSTI / Region – Characteristics
MSTI 1 in Region 1 – Root is switching device 4, which is also the CIST regional root
MSTI 2 in Region 1 – Root is switching device 5
MSTI 1 in Region 2 – Root is switching device 7, w
Configuring STP and RSTP
Reviewing and Enabling Spanning Tree
By default, Spanning Tree is enabled globally on Enterasys switch devices and enabled on all ports. On all switching devices, the default Spanning Tree version is set to MSTP (802.1s) mode. Because MSTP mode is fully compatible and interoperable with legacy STP and RSTP bridges, this default should not be changed in most networks. Use the following commands to review, re-enable, and reset the Spanning Tree mode.
1.
variations of the global bridge configuration commands. Interface-specific parameters are configured with variations of the Spanning Tree port configuration commands. Default settings are listed in Table 15-6.
Table 15-6 Spanning Tree Port Default Settings
Setting – Default Value
Bridge priority mode – 802.
set spantree portpri port-string priority [sid sid]
Valid priority values are 0–240 (in increments of 16), with 0 indicating the highest priority. Valid sid values are 0–4094. If no SID is specified, SID 0 is assumed.
Assigning Port Costs
Each interface has a Spanning Tree port cost associated with it, which helps to determine the quickest path between the root bridge and a specified destination. By convention, the higher the port speed, the lower the port cost.
2. Set a new hello time interval:
set spantree hello interval
Valid interval values are 1–10.
Adjusting the Forward Delay Interval
When rapid transitioning is not possible, forward delay is used to synchronize BPDU forwarding. The forward delay interval is the amount of time spent listening for topology change information after an interface has been activated for bridging and before forwarding actually begins.
Defining Edge Port Status
By default, edge port status is disabled on all ports. When enabled, it indicates that a port is on the edge of a bridged LAN. Use the following commands to review and, if necessary, change the edge port detection status on the device and the edge port status of Spanning Tree ports. Review and define edge port status as follows:
1. Display the status of edge port detection:
show spantree autoedge
2.
Configuring MSTP
For information about Monitoring MSTP, refer to page 15-29.
Example 1: Configuring MSTP for Traffic Segregation
This example illustrates the use of MSTP for traffic segregation by VLAN and SID. Bridges A, B, C, and D participate in VLAN 10. Bridges A, B, E, and F participate in VLAN 20. Figure 15-11 shows the problem that arises when using a single Spanning Tree configuration for traffic segregation with redundancy.
Figure 15-12 Traffic Segregation in an MSTP Network Configuration (figure: Bridges A–F with their ge.1.x ports and VLAN 10 / VLAN 20 membership; MAC addresses 00-00-00-00-00-01 through 00-00-00-00-00-04 for Bridges A–D; all-SID bridge priorities A = 4096, B = 8192, C = 32768, D = 32768; SID 1 port path cost = 1)
Example 2: Configuring MSTP for Maximum Bandwidth Utilization
This example illustrates the use of MSTP for maximum bandwidth utilization. Maximum bandwidth utilization takes place when all bridges participate on all VLANs. Figure 15-13 shows that with a single Spanning Tree configuration, only a single link towards the root forwards on a bridge; the alternate ports are blocking.
Figure 15-14 Maximum Bandwidth in an MSTP Network Configuration (figure: Bridges A and B with SIDs 86 and 99; one bridge has priority 4096 for SID 86 and 32768 for SID 99, the other 32768 for SID 86 and 4096 for SID 99; ports ge.1.1–ge.1.3)
Monitoring MSTP
Use the commands in Table 15-8 to monitor MSTP statistics and configurations on stackable and standalone switch devices. You can also use the show commands described in “Reviewing and Enabling Spanning Tree” on page 15-20 to review information related to all Spanning Tree protocol activity.
Table 15-8 Commands for Monitoring MSTP
Task – Command
Verify that MSTP is running on the device.
Understanding and Configuring SpanGuard
How Does It Operate?
SpanGuard helps protect against Spanning Tree Denial of Service (DoS) attacks as well as unintentional or unauthorized connected bridges, by intercepting received BPDUs on configured ports and locking those ports so they do not process any received packets.
Valid values are 0–65535 seconds. The default is 300 seconds. Setting the value to 0 sets the timeout to forever. Use this command to manually unlock a port that was locked by the SpanGuard function; this overrides the specified timeout value:
set spantree spanguardlock port-string
Monitoring SpanGuard Status and Settings
Use the commands in Table 15-9 to review SpanGuard status and settings.
Understanding and Configuring Loop Protect
• Communicating port non-forwarding status through traps and syslog messages
• Disabling a port based on frequency of failure events
Port Modes and Event Triggers
Ports work in two Loop Protect operational modes. If the port is configured so that it is connected to a switching device known to implement Loop Protect, it uses full functional (enhanced) mode. Otherwise, it operates in limited functional (standard) mode.
Figure 15-15 Basic Loop Protect Scenario
Figure 15-16 shows that, without Loop Protect, a failure could be as simple as someone accidentally disabling Spanning Tree on the port between Switch 2 and Switch 3. Switch 3’s blocking port eventually transitions to a forwarding state, which leads to a looped condition.
For information about... – Refer to page...
Setting the Loop Protect Event Threshold and Window – 15-34
Enabling or Disabling Loop Protect Event Notifications – 15-35
Setting the Disputed BPDU Threshold – 15-35
Monitoring Loop Protect Status and Settings – 15-35
Enabling or Disabling Loop Protect
By default, Loop Protect is disabled on all ports.
Enabling or Disabling Loop Protect Event Notifications
Loop Protect traps are sent when a Loop Protect event occurs, that is, when a port goes to listening because it is not receiving BPDUs. The trap indicates the port, SID, and loop protection status. Use this command to enable or disable Loop Protect event notification.
LoopProtect Lock status for port lag.0.2, SID 56 is UNLOCKED
Enterasys->show spantree lpcapablepartner port lag.0.2
Link partner of port lag.0.2 is LoopProtect-capable.
Enterasys->show spantree nonforwardingreason port lag.0.2
Port lag.0.2 has been placed in listening or blocking state on SID 0 by the LoopProtect feature.
Terms and Definitions
Table 15-11 lists terms and definitions used in Spanning Tree configuration.
Table 15-11 Spanning Tree Terms and Definitions (continued)
Term – Definition
Max age – Maximum time (in seconds) the bridge can wait without receiving a configuration message (bridge “hello”) before attempting to reconfigure.
MST region – An MSTP group of devices configured together to form a logical region. The MST region presents itself to the rest of the network as a single device, which simplifies administration.
MSTI – Multiple Spanning Tree Instance.
16 Configuring Policy
This chapter provides an overview of Enterasys policy operation, describes policy terminology, and explains how to configure policy on Fixed Switch platforms using the CLI. Note, however, that Enterasys Networks strongly recommends using NetSight Policy Manager, not CLI commands, to configure policy in your network.
Policy Configuration Overview
• Identifying and restricting routing to legitimate routing IP addresses to prevent DoS, spoofing, data integrity, and other routing-related security issues.
• Ensuring that FTP/TFTP file transfers and firmware upgrades originate only from authorized file and configuration management servers.
• Preventing clients from using legacy protocols such as IPX, AppleTalk, and DECnet that should no longer be running on your network.
regardless of the number of moves, adds, or changes to the policy role, Policy Manager automatically enforces roles on Enterasys security-enabled infrastructure devices. This document presents policy configuration from the perspective of the Fixed Switch CLI. Though it is possible to configure policy from the CLI, CLI policy configuration in even a small network can be prohibitively complex from an operational point of view.
The following example creates a policy profile with a profile-index value of 1 and a profile name, student, that can be used by the RADIUS Filter-ID functionality:
System(rw)->set policy profile 1 name student
Setting a Default VLAN for a Role
A default VLAN can be configured for a policy role. The policy VLAN is always used unless an Ethertype-to-VLAN classification rule exists and is hit.
QoS configuration details are beyond the scope of this chapter. See Chapter 17, Configuring Quality of Service, in this book for a complete discussion of QoS configuration.
Table 16-2 Policy Rule Traffic Descriptions/Classifications
Traffic Classification – Description – Precedence Level
macsource – Classifies based on MAC source address. – 1
macdest – Classifies based on MAC destination address. – 2
ipsourcesocket – Classifies based on source IP address and optional post-fixed L4 TCP/UDP port. – 12
ipdestsocket – Classifies based on destination IP address and optional post-fixed L4 TCP/UDP port.
Examples
This example assigns a rule to policy profile 3 that filters Ethernet II Type 1526 frames to VLAN 7:
C5(su)->set policy rule 3 ether 1526 vlan 7
This example assigns a rule to policy profile 5 that forwards UDP packets from source port 45:
C5(su)->set policy rule 5 udpsourceport 45 forward
This example assigns a rule to policy profile 1 that drops IP source traffic from IP address 1.2.3.4, UDP port 123:
C5(su)->set policy rule 1 ipsourcesocket 1.2.3.
Applying a Default Policy
The following example assigns a default policy with index 100 to all user ports (ge.1.1 through ge.1.22) on a switch:
System(su)->set policy port ge.1.1-22 100
Applying Policies Dynamically
Dynamic policy assignment requires that users authenticate through a RADIUS server.
Table 16-4 Non-Edge Protocols (continued)
Protocol – Policy Effect
Web Server Protocol – Stop malicious proxies and application-layer attacks by ensuring only the right Web servers can connect from the right location at the right time, by blocking HTTP on the source port for this device.
Legacy Protocols – If IPX, AppleTalk, DECnet, or other protocols should no longer be running on your network, prevent clients from using them.
Procedure 16-1 Configuring Policy Roles (continued)
Step – Task – Command
• egress-vlans – (Optional) Specifies that the port to which this policy profile is applied should be added to the egress list of the VLANs defined with this parameter. Frames will egress as tagged. [egress-vlans egressvlans]
• forbidden-vlans – (Optional) Specifies that the port to which this policy profile is applied should be added as forbidden to the egress list of the VLANs defined with this parameter.
Table 16-5 on page 16-11 describes how to display policy information and statistics.
Table 16-5 Displaying Policy Configuration and Statistics
Task – Command(s)
Display policy role information. – show policy profile {all | profile-index [consecutive-pids] [-verbose]}
Display policy classification and admin rule information.
Policy Configuration Example
This section presents a college-based policy configuration example. Figure 16-1 illustrates the policy configuration of an example infrastructure.
Roles
The example defines the following roles:
• guest – Used as the default policy for all unauthenticated ports. Connects a PC to the network, providing internet-only access. Provides guest access on a limited number of edge switch ports to be used specifically for internet-only access. Policy is applied using the port-level default configuration.
• student – Connects a dorm room PC to the network through a “Student” Fixed Switch port.
Standard Edge
Edge Switch platforms will be rate-limited using a configured CoS that is applied to the student, faculty, and phoneFS policy roles. Policies will be applied dynamically at authentication using a RADIUS authentication server and the Filter-ID attribute.
Premium Edge
The S-Series Edge Switch will be rate-limited using a configured CoS that is applied to the services and phoneES policy roles.
Configuring Guest Policy on Edge Platforms
All edge ports will be set with a default guest policy using the set policy port command. This guest policy provides internet-only access to the network. Users on all ports will attempt to authenticate. If the authentication succeeds, the policy returned by authentication overrides the default port policy setting. If authentication fails, the guest policy is used.
• A CoS of 8
Create a policy role that applies CoS 8 to data VLAN 10 and rate-limits traffic to 200,000 kbps with a moderate priority of 5:
StudentFS(rw)->set policy profile 2 name student pvid-status enable pvid 10 cos-status enable cos 8
Assigning Traffic Classification Rules
Forward traffic on the UDP source port for IP address requests (68) and the UDP destination ports for DHCP (67) and DNS (53).
destination ports for protocols DHCP (67) and DNS (53) on the phone VLAN, to facilitate phone auto-configuration and IP address assignment.
Configuring Dynamic Policy Assignment
Configure the RADIUS server user accounts with the appropriate information, using the Filter-ID attribute for faculty role members and devices. When a faculty member authenticates through the RADIUS server, the name of the faculty policy is returned in the RADIUS Access-Accept response message and the switch applies that policy to the faculty user.
17 Configuring Quality of Service
This chapter describes the following QoS features:
Quality of Service Overview
secondly, you must identify these flows in a way that QoS can recognize. In this sense, QoS is the third step in a three-step process.
There are up to four areas of CoS configuration, depending on what type of hardware resource you want to configure. The terminology associated with CoS configuration is introduced in Table 17-1.
Table 17-1 CoS Configuration Terminology
Term – Description
CoS Setting – Maps configured resources to a CoS index. When a packet is received, it is mapped to a CoS index based on the packet’s 802.1 priority, the port, and the policy role, if a policy role is present.
• Is propagated through the network in the protocol packet header
Figure 17-1
Assigning and Marking Traffic with a Priority
The ICMP protocol, used for error messaging, has a low bandwidth requirement with a high tolerance for delay and jitter, and is appropriate for a low priority setting.
Additional port groups, up to eight (0 through 7) in total, may be created by changing the port group value. Ports assigned to a new port group cannot belong to another non-default port group entry and must be of the same port type as defined by the port group you are associating them with. Additional port groups can be used to combine similar ports by function, for flexibility.
Preferential Queue Treatment for Packet Forwarding
There are three types of preferential queue treatment for packet forwarding: strict priority, weighted fair, and hybrid.
Strict Priority Queuing
With strict priority queuing, a higher priority queue must be empty before a lower priority queue can transmit any packets. Strict priority queuing is illustrated in Figure 17-2.
queue 2 has access to its percentage of time slices, and so on, round robin. Weighted fair queuing assures that each queue gets at least the configured percentage of bandwidth time slices. The value of weighted fair queuing is its assurance that no queue is starved of bandwidth.
Figure 17-4 Hybrid Queuing Packet Behavior
Rate Limiting
Rate limiting is used to control the rate of traffic entering (inbound) a switch, per CoS. Rate limiting allows the throttling of traffic flows that consume available bandwidth, in the process providing room for other flows. Rate limiting guarantees the availability of bandwidth for other traffic by preventing the rate-limited traffic from consuming more than its assigned share of the network’s resources.
CoS Hardware Resource Configuration
Figure 17-5 Rate Limiting Clipping Behavior
Flood Control
CoS-based flood control is a form of rate limiting that prevents configured ports from being disrupted by a traffic storm, by rate limiting specific types of packets through those ports. When flood control is enabled on a port, incoming traffic is monitored over one-second intervals.
System(su)->set cos port-config irl 1.0 ports ge.1.3-5
CoS Port Resource Layer
For the CoS port resource layer, use the set cos port-resource irl command to set the rate to 1000 kilobits per second and enable Syslog for IRL port group 1.0 mapped to IRL resource 0:
System(su)->set cos port-resource irl 1.
1.0   4  irl  none
1.0   5  irl  none
1.0   6  irl  none
1.0   7  irl  none
1.0   8  irl  none
1.0   9  irl  none
1.0  10  irl  none
1.0  95  irl  none
1.0  96  irl  none
1.0  97  irl  none
1.0  98  irl  none
1.0  99  irl  none
...  ...
Use the show cos port-resource irl command to display the data rate and unit of the rate limiter for port 1.0:
System(su)->show cos port-resource irl 1.
Inbound Rate Limiting Port Configuration Entries
---------------------------------------------------------------------
Port Group Name :
Port Group      :1
Port Type       :0
Assigned Ports  :ge.1.
4  4  *  *  enabled
5  5  *  *  enabled
6  6  *  *  enabled
7  7  *  *  enabled
Use the show cos port-resource flood-ctrl command to display the flood control unit and rate to flood control resource mapping:
System(su)->show cos port-resource flood-ctrl 1.0
'?' after the rate value indicates an invalid rate value
Group     Resource    Type       Unit Rate       Rate Limit      Action
Index                                            type
--------- ----------- ---------- ---- ---------- --------------- ------
1.
The QoS CLI Command Flow
Procedure 17-1 provides a CLI flow summary of each step in the configuration flow, along with the show commands to verify the configuration.
Procedure 17-1
Step – Task – Command(s)
1. Inspect both the TxQ and IRL support for the installed ports. This information is used to determine the module port type for the port group.
Port Priority and Transmit Queue Configuration
The fixed switch devices allow you to give mission-critical data a higher priority through the device by delaying less critical traffic during periods of congestion. Higher priority traffic through the device is serviced before lower priority traffic. The Class of Service capability of the device is implemented by a priority queuing mechanism. Class of Service is based on the IEEE 802.1D (802.
The default mappings are shown in the following example:
System(su)->show port priority-queue ge.1.1
Port      P0 P1 P2 P3 P4 P5 P6 P7
--------- -- -- -- -- -- -- -- --
ge.1.1     1  0  0  2  3  4  5  5
The following table describes the default mappings shown in the output above:
Frames with priority ... – Are mapped to transmit queue ...
You can mix WRR and SP by assigning SP to the higher numbered queues and WRR to the lower numbered queues, making sure that the values assigned to the WRR queues total 100 percent. For example, you could assign WRR to queues 0 through 4 by assigning 20 percent to each of those queues, and then set queue 5 to SP.
Note: Priority mode and weight cannot be configured on LAGs, only on the physical ports that make up the LAG.
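The default priority-to-queue mapping shown by show port priority-queue and the mixed WRR/SP example above, as an added Python model that is not part of the guide. Its one-frame-per-slot servicing and its reading of WRR weights as frames per 100-slot round are simplifying assumptions, and the backlogged queues are constructed.

```python
"""802.1p priority-to-queue mapping and mixed SP/WRR transmit scheduling.

Added example, not from the Enterasys guide. The queue map is the default the
text shows (P0..P7 -> 1 0 0 2 3 4 5 5); the scheduler follows the text's mixed
example: queues 0-4 WRR at 20 percent each, queue 5 strict priority. Model
assumptions: one frame per service slot, WRR weight = frames per 100-slot round.
It shows why SP can starve lower queues while WRR guarantees each its share.
"""
from collections import deque

# Default 802.1p priority -> transmit queue mapping from the text.
DEFAULT_QUEUE_MAP = {0: 1, 1: 0, 2: 0, 3: 2, 4: 3, 5: 4, 6: 5, 7: 5}


def enqueue(frames, queue_map=DEFAULT_QUEUE_MAP) -> dict:
    """Place (frame_label, 802.1p priority) pairs into per-queue FIFOs."""
    queues = {q: deque() for q in range(6)}
    for label, priority in frames:
        queues[queue_map[priority]].append(label)
    return queues


class HybridScheduler:
    """Strict priority for `sp_queues` (highest first); WRR for the rest."""

    def __init__(self, sp_queues, wrr_weights):
        if sum(wrr_weights.values()) != 100:
            raise ValueError("WRR weights must total 100 percent")
        self.sp_queues = sorted(sp_queues, reverse=True)
        self.weights = dict(wrr_weights)
        self.credits = dict(wrr_weights)   # frames each queue may still send this round
        self.order = sorted(wrr_weights)
        self.pointer = 0                   # where the round robin resumes

    def _pick_wrr(self, queues):
        for _attempt in range(2):          # second pass after refilling credits
            for i in range(len(self.order)):
                q = self.order[(self.pointer + i) % len(self.order)]
                if self.credits[q] > 0 and queues[q]:
                    self.credits[q] -= 1
                    self.pointer = (self.pointer + i + 1) % len(self.order)
                    return q
            self.credits = dict(self.weights)   # round over: start a new one
        return None

    def pick(self, queues):
        """Return the queue serviced in this slot, or None if all are empty."""
        for q in self.sp_queues:
            if queues[q]:
                return q                   # a higher SP queue must drain first
        return self._pick_wrr(queues)

    def run(self, queues, slots: int) -> dict:
        """Service up to `slots` frames; return frames sent per queue."""
        sent = {q: 0 for q in queues}
        for _ in range(slots):
            q = self.pick(queues)
            if q is None:
                break
            queues[q].popleft()
            sent[q] += 1
        return sent


def saturated(frames_per_queue: int) -> dict:
    """Constructed backlog: every transmit queue holds `frames_per_queue` frames."""
    return {q: deque(f"q{q}-{i}" for i in range(frames_per_queue)) for q in range(6)}


WRR_20_EACH = {q: 20 for q in range(5)}

if __name__ == "__main__":
    sched = HybridScheduler(sp_queues=[5], wrr_weights=WRR_20_EACH)
    print("all queues backlogged, 100 slots:", sched.run(saturated(100), 100))
    backlog = saturated(100)
    backlog[5].clear()                     # SP queue idle: WRR shares the link
    sched = HybridScheduler(sp_queues=[5], wrr_weights=WRR_20_EACH)
    print("queue 5 empty, 100 slots:", sched.run(backlog, 100))
```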
When a CoS is configured with an inbound rate limiter (IRL), and that IRL CoS is configured as part of a policy profile using the set policy profile command, CoS-based inbound rate limiting takes precedence over port rate limits set with set port ratelimit.
Examples
This example displays the current ratelimit configuration on port fe.1.1:
System(su)->show port ratelimit fe.1.1
Global Ratelimiting status is disabled.
18 Configuring Network Monitoring
This chapter describes network monitoring features on the Fixed Switches and their configuration.
For information about... – Refer to page...
Basic Network Monitoring Features – 18-1
RMON – 18-5
sFlow – 18-9
Basic Network Monitoring Features
Console/Telnet History Buffer
The history buffer lets you recall your previous CLI input. The size of the history buffer determines how many lines of previous CLI input are available for recall.
Network Diagnostics
Fixed Switch network diagnostics provide for:
• Pinging another node on the network to determine its availability
• Performing a traceroute through the IP network to display a hop-by-hop path from the device to a specific destination host
Use the ping command, in switch mode or in router privileged exec mode, to determine whether the specified node is available.
C5(rw)->ping 10.10.10.1
10.10.10.
Users
You can display information about the active console port or Telnet session(s) logged in to the switch. You can also close an active console port or Telnet session from the switch CLI. Use the show users command to display information for active console port or Telnet sessions on the switch. Use the disconnect command to close a console or Telnet session.
C5(rw)->show users
  Session  User   Location
  -------- -----  --------------------------
* console  admin  console (via com.1.1)
  telnet   rw     134.141.
RMON
Table 18-1 RMON Monitoring Group Functions and Commands (continued)
RMON Group – What It Does... – What It Monitors... – CLI Command(s)
Event – Controls the generation and notification of events from the device. – Event type, description, last time event was sent. – show rmon event; set rmon event properties; set rmon event status; clear rmon event
Filter – Allows packets to be matched by a filter definition. These matched packets form a data stream or “channel” that may be captured or may generate events.
• There are only three Filter Entries available, and a user can associate all three Filter Entries with the Channel Entry.
Configured channel, filter, and buffer information is saved across resets, but frames within the capture buffer are not.
Configuring RMON
This section provides details for the configuration of RMON on the Fixed Switch products. Table 18-2 lists RMON parameters and their default values.
Table 18-2 Default RMON Parameters (continued)
Parameter – Description – Default Value
capture asksize – The RMON capture requested maximum octets to save in the buffer. – -1 (request as many octets as possible)
capture slice – The RMON capture maximum number of octets from each packet to be saved to the buffer. – 1518
capture loadsize – The RMON capture maximum number of octets from each packet to be downloaded from the buffer. – 100
Procedure 18-1 describes how to configure RMON.
Procedure 18-1 Configuring Remote Network Monitoring (continued)
Step – Task – Command(s)
• startup – (Optional) Specifies the alarm type generated when this event is first enabled
• rthresh – (Optional) Specifies the minimum threshold that will cause a rising alarm
• fthresh – (Optional) Specifies the minimum threshold that will cause a falling alarm
• revent – (Optional) Specifies the index number of the RMON event to be triggered when the rising threshold is crossed
• fevent – (Optional) Specifies
Procedure 18-1 Configuring Remote Network Monitoring (continued)
Step – Task – Command(s)
8. Configure an RMON filter entry.
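The startup, rthresh, fthresh, revent and fevent alarm parameters from Procedure 18-1, as an added Python model that is not part of the guide. It follows the RMON alarm group semantics (RFC 2819) for startup alarms and for rising and falling threshold crossings, including the hysteresis that stops a value oscillating around one threshold from generating an event on every poll; the polled values are constructed.

```python
"""RMON alarm threshold behaviour (RFC 2819 alarm group) over a sample series.

Added example, not from the Enterasys guide. An alarm entry compares each
sampled value (absolute, or the delta between successive polls) against a
rising and a falling threshold. After a rising event no further rising event
is generated until the value has come back down to the falling threshold,
and vice versa, so a noisy value near one threshold cannot storm the event
log. The first valid sample can only raise the configured startup alarm.
"""
from dataclasses import dataclass, field
from typing import Optional

STARTUP_TYPES = ("rising", "falling", "rising-or-falling")
SAMPLE_TYPES = ("absolute", "delta")


@dataclass
class RmonAlarm:
    rthresh: int                         # rising threshold
    fthresh: int                         # falling threshold
    revent: int                          # RMON event index fired on a rising crossing
    fevent: int                          # RMON event index fired on a falling crossing
    startup: str = "rising-or-falling"   # alarm type allowed on the first sample
    sample_type: str = "absolute"
    prev_raw: Optional[int] = field(default=None, init=False, repr=False)
    prev_value: Optional[int] = field(default=None, init=False, repr=False)
    last_event: Optional[str] = field(default=None, init=False, repr=False)

    def __post_init__(self):
        if self.fthresh > self.rthresh:
            raise ValueError("falling threshold must not exceed rising threshold")
        if self.startup not in STARTUP_TYPES or self.sample_type not in SAMPLE_TYPES:
            raise ValueError("bad startup or sample type")

    def _sampled_value(self, raw: int) -> Optional[int]:
        """Absolute: the raw value. Delta: difference from the previous poll."""
        if self.sample_type == "absolute":
            return raw
        prev, self.prev_raw = self.prev_raw, raw
        return None if prev is None else raw - prev

    def sample(self, raw: int) -> Optional[int]:
        """Feed one polled value; return the event index generated, if any."""
        value = self._sampled_value(raw)
        if value is None:
            return None                  # delta mode needs two polls first
        event = None
        if self.prev_value is None:
            # First valid sample: only the configured startup alarm may fire.
            if value >= self.rthresh and self.startup in ("rising", "rising-or-falling"):
                event, self.last_event = self.revent, "rising"
            elif value <= self.fthresh and self.startup in ("falling", "rising-or-falling"):
                event, self.last_event = self.fevent, "falling"
        elif (value >= self.rthresh and self.prev_value < self.rthresh
              and self.last_event != "rising"):
            event, self.last_event = self.revent, "rising"
        elif (value <= self.fthresh and self.prev_value > self.fthresh
              and self.last_event != "falling"):
            event, self.last_event = self.fevent, "falling"
        self.prev_value = value
        return event


def run_alarm(alarm: RmonAlarm, samples) -> list:
    """Return [(sample_index, event_index), ...] for the events a series generates."""
    events = []
    for i, raw in enumerate(samples):
        ev = alarm.sample(raw)
        if ev is not None:
            events.append((i, ev))
    return events


# Constructed series of per-interval error counts; rthresh 80, fthresh 50.
# The second 85 (index 3) must not re-fire: the value never reached fthresh.
SAMPLES = [40, 85, 70, 85, 45, 90]

if __name__ == "__main__":
    alarm = RmonAlarm(rthresh=80, fthresh=50, revent=1, fevent=2, startup="rising")
    print("absolute:", run_alarm(alarm, SAMPLES))
    delta = RmonAlarm(80, 50, 1, 2, startup="rising", sample_type="delta")
    print("delta over a counter:", run_alarm(delta, [1000, 1100, 1160, 1200]))
```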
Table 18-3 describes how to manage remote network monitoring.
sFlow
Using sFlow in Your Network
The advantages of using sFlow include:
• sFlow makes it possible to monitor ports of a switch with no impact on the distributed switching performance. (See “Overview” on page 18-12 for more information.)
• sFlow requires very little memory or CPU usage. Samples are not aggregated into a flow table on the switch; they are forwarded immediately over the network to the sFlow Collector.
• The system is tolerant of packet loss in the network.
sFlow Agent Functionality
Packet flow sampling and counter sampling are performed by sFlow Instances associated with individual Data Sources within the sFlow Agent. Packet flow sampling and counter sampling are designed as part of an integrated system, and both types of samples are combined in sFlow datagrams. Packet flow sampling causes a steady but random stream of sFlow datagrams to be sent to the sFlow Collector; counter samples may be taken opportunistically in order to fill these datagrams.
2. When a Packet Flow Sample is generated, the sFlow Agent examines the list of counter sources and adds counters to the sample datagram, least recently sampled first. Counters are only added to the datagram if the sources are within a short period (say, 5 seconds) of failing to meet the required sampling interval.
3. Periodically (say, every second), the sFlow Agent examines the list of counter sources and sends any counters that need to be sent to meet the sampling interval requirement.
Configuring Poller and Sampler Instances
A poller instance performs counter sampling on the data source to which it is configured. You must first associate a receiver/Collector in the sFlow Receivers Table with the poller instance before configuring the polling interval with the set sflow port poller command. A sampler instance performs packet flow sampling on the data source to which it is configured.
Procedure

Procedure 18-2 on page 18-14 provides the steps and commands to configure sFlow.

Procedure 18-2 Configuring sFlow
Step  Task  Command(s)
1.  Configure the owner identity string and timeout value for an sFlow Collector in the switch’s sFlow Receivers Table.  set sflow receiver index owner owner-string timeout timeout
2.  Configure the IP address of the sFlow Collector being configured.  set sflow receiver index ip ipaddr
3.
Table 18-7 lists the commands to display sFlow information and statistics. Refer to the CLI Reference for your platform for command details.

Table 18-7 Displaying sFlow Information
Task  Command
To display the contents of the sFlow Receivers Table, or to display information about a specific sFlow Collector listed in the table  show sflow receivers [index]
To display information about configured poller instances  show sflow pollers
To display information about configured sampler instances.
19 Configuring Multicast

This chapter describes the multicast features supported by the Enterasys fixed switches.

For information about...  Refer to page...
Using Multicast in Your Network  19-1
Configuring IGMP  19-15
Configuring DVMRP  19-18
Configuring PIM-SM  19-21

Using Multicast in Your Network

Multicast is a “one source to many destinations” method of simultaneously sending information over a network using the most efficient delivery strategy over each link.
2. Enabling the multicast protocol(s) on configured interfaces.
   – For PIM, you must also configure a unicast routing protocol, such as OSPF.
   – For both DVMRP and PIM-SM for IPv4 to operate, IGMP must be enabled.

Multicast Operation

Multicast allows a source to send a single copy of data using a single IP address from a well-defined range for an entire group of recipients (a multicast group).
Figure 19-1 IGMP Querier Determining Group Membership
(Figure labels, as extracted: IGMP Querier; IGMP Query; IGMP Membership; Router for 224.1.1.1; Router for 226.7.8.9; Member of 224.1.1.1; Member of 226.7.8.9.)

As shown in Figure 19-1, a multicast-enabled device can periodically ask its hosts if they want to receive multicast traffic.
IGMP snooping is disabled by default on Enterasys devices. You can enable it using the set igmpsnooping adminmode command on Enterasys stackable and standalone devices as described in “Configuring IGMP” on page 19-15.
• Actively sending IGMP query messages to learn locations of multicast switches and member hosts in multicast groups within each VLAN.
• Configuration of static IGMP groups using the set igmpsnooping add-static command on the fixed switches.
– unsolicited join (sent as a request without receiving an IGMP query first)

In Figure 19-2, this type of exchange occurs between Router 2 and Host 2 when:
(6) Host 2 sends a join message to Router 2.
(7) Router 2 forwards the multicast stream to Host 2.
(8) When it no longer wants to receive the stream, Host 2 can do one of the following:
   - Send a leave message to Router 2.
   - Time out the IGMP entry by not responding to further queries from Router 2.
DVMRP routing is implemented on Enterasys devices as specified in RFC 1075 and draft-ietf-idmr-dvmrp-v3-10.txt.
(DVMRP route display output; the column layout was lost in extraction.)
Generation ID gen id: 1331801871
10.5.40.0/255.255.255.0 [2] via neighbor: 10.5.50.1 Uptime: 66704 , expires: 0 version: 3
Generation ID gen id: 1331805217
10.5.50.0/255.255.255.0 [0] via neighbor: direct
10.5.51.0/255.255.255.0 [0] via neighbor: direct direct direct Uptime: 3615 , expires: 0 version: 3
10.5.70.0/255.255.255.0 [3] via neighbor: Uptime: 66716 , expires: 0 version: 3
10.5.60.0/255.255.255.
A DVMRP device forwards multicast packets first by determining the upstream interface, and then by building the downstream interface list. If a downstream router has no hosts for a multicast stream, it sends a prune message to the upstream router. If the upstream router’s outbound list is now empty, it may send a prune message to its upstream router.
1. Decides if the upstream neighbor is capable of receiving prunes.
   • If it is not, then the sending device proceeds no further.
   • If it is, then the sending device proceeds as follows.
2. Stops any pending grafts awaiting acknowledgments.
3. Determines the prune lifetime. This value should be the minimum of the default prune lifetime (randomized to prevent synchronization) and the remaining prune lifetimes of the downstream neighbors.
4.
• A new dependent downstream device appears on a pruned branch.
• A dependent downstream device on a pruned branch restarts.
• A graft retransmission timer expires before a graft ACK is received.
Graft messages are sent upstream hop-by-hop until the multicast tree is reached. Since there is no way to tell whether a graft message was lost or the source has stopped sending, each graft message is acknowledged hop-by-hop.
Figure 19-3 DVMRP Pruning and Grafting
(Figure labels, as extracted: Source; DVMRP Multicast; Multicast Traffic; Graft; Prune; Prune*; IGMP Join; New Host; Existing Host. * Prune before new host was added.)

Protocol Independent Multicast (PIM) Overview

PIM dynamically builds a distribution tree for forwarding multicast data on a network. It is designed for use where there may be many devices communicating at the same time, and any one of the devices could be the sender at any particular time.
Figure 19-4 PIM Traffic Flow
(Figure labels, as extracted: Source; DR; RP; Last Hop Router; Receiver; steps numbered 1 through 7.)

1. The source’s DR registers (that is, encapsulates) and sends multicast data from the source directly to the RP via a unicast routing protocol (number 1 in figure). The RP de-encapsulates each register message and sends the resulting multicast packet down the shared tree.
2.
PIM Support on Enterasys Devices

Note: PIM is supported on Enterasys fixed switches on which advanced routing has been enabled. Refer to “Licensing Advanced Features” on page 4-8 for more information.

Enterasys devices support version 2 of the PIM protocol as described in RFC 4601 and draft-ietf-pim-sm-v2-new-09. The PIM specifications define several modes or methods by which a PIM router can build the distribution tree.
Table 19-1 PIM-SM Message Types (continued)
Message Type  Description
Join/Prune (J/P)  These messages contain information on group membership received from downstream routers. PIM-SM adopts RPF technology in the join/prune process.
Configuring IGMP

Table 19-2 PIM Terms and Definitions (continued)
Term  Definition
Rendezvous Point (RP)  The root of a group-specific distribution tree whose branches extend to all nodes in the PIM domain that want to receive traffic sent to the group. RPs provide a place for receivers and senders to meet. Senders use RPs to announce their existence, and receivers use RPs to learn about new senders of a group. The RP router, for the group, is selected by using the hash algorithm defined in RFC 2362.
Table 19-3 Layer 2 IGMP Configuration Commands
Task  Command
Enable or disable IGMP on the system.  set igmpsnooping adminmode {enable | disable}
Enable or disable IGMP on one or all ports.  set igmpsnooping interfacemode port-string {enable | disable}
Configure the IGMP group membership interval time for the system.  set igmpsnooping groupmembershipinterval time
Configure the IGMP query maximum response time for the system.
Table 19-4 Layer 3 IGMP Configuration Commands
Task  Command
Set the maximum response time being inserted into group-specific queries sent in response to leave group messages. Use the no command to reset the IGMP last member query interval to the default value of 1 second.  ip igmp last-member-query-interval time
Set the number of group-specific queries sent before assuming there are no local members.
Configuring DVMRP

System(su)->router(Config-if(Vlan 1))#exit
System(su)->router(Config)#interface vlan 2
System(su)->router(Config-if(Vlan 2))#ip igmp enable
System(su)->router(Config-if(Vlan 2))#exit

IGMP Display Commands

Table 19-5 lists Layer 2 IGMP show commands for Enterasys stackable and standalone devices.

Table 19-5 Layer 2 IGMP Show Commands
Task  Command
Display IGMP snooping information.  show igmpsnooping
Display static IGMP ports for one or more VLANs or IGMP groups.
Basic DVMRP Configuration

By default, DVMRP is disabled globally and on each interface. Basic DVMRP configuration includes the following steps:
1. Creating and enabling VLANs.
2. Enabling IGMP globally on the device and on the VLANs.
3. Enabling DVMRP globally on the device and on the VLANs.
Procedure 19-3 describes the basic steps to configure DVMRP on fixed switches with advanced routing enabled. Procedure 19-3 assumes VLANs have been configured and enabled with IP interfaces.
System1(su)->router#configure
Enter configuration commands:
System1(su)->router(Config)#ip igmp
System1(su)->router(Config)#ip dvmrp
System1(su)->router(Config)#interface vlan 1
System1(su)->router(Config-if(Vlan 1))#ip address 192.0.1.2 255.255.255.
Table 19-8 DVMRP Show Commands
Task  Command
Display DVMRP routing information, neighbor information, or DVMRP enable status.  show ip dvmrp [route | neighbor | status]
Display the IP multicast routing table.  show ip mroute [unicast-source-address | multicast-group-address] [summary]
Refer to the device’s CLI Reference Guide, as applicable, for an example of each command’s output.

Configuring PIM-SM

PIM-SM is an advanced routing feature that must be enabled with a license key.
Basic PIM-SM Configuration

By default, PIM-SM is disabled globally on Enterasys fixed switches and attached interfaces. Basic PIM-SM configuration includes the following steps:
1. Creating and enabling VLANs with IP interfaces.
2. Configuring the underlying unicast routing protocol (for example, OSPF).
3. Enabling IGMP on the device and on the VLANs.
4. Configuring PIM-SM on the device and on the VLANs.
Figure 19-6 PIM-SM Configuration
(Figure labels, as extracted: VLAN 9 172.2.2/24; Router R2; VLAN 3; VLAN 5; VLAN 7; VLAN 2 172.2.4/24; VLAN 8 172.1.2/24; Router R1 172.1.1/24; Router R4 172.4.4/24; 172.3.4/24; 172.1.3/24; VLAN 4; VLAN 6; Router R3 172.3.3/24; VLAN 10.)

Routers R1 and R4 Configuration

On Router R1, at the switch level, IGMP snooping is enabled globally and on the ports connected to hosts.
R1(su)->router(Config)#interface vlan 3
R1(su)->router(Config-if(Vlan 3))#ip address 172.1.2.1 255.255.255.0
R1(su)->router(Config-if(Vlan 3))#ip igmp enable
R1(su)->router(Config-if(Vlan 3))#ip ospf enable
R1(su)->router(Config-if(Vlan 3))#ip pimsm enable
R1(su)->router(Config-if(Vlan 3))#no shutdown
R1(su)->router(Config-if(Vlan 3))#exit
R1(su)->router(Config)#interface vlan 4
R1(su)->router(Config-if(Vlan 4))#ip address 172.1.3.1 255.255.255.
20 IP Configuration This chapter provides general IPv4 routing configuration information. For information about... Refer to page...
Enabling the Switch for Routing

Table 20-1 Router CLI Configuration Modes
Use this mode...  To...  Access method...  Resulting Prompt...
Privileged EXEC Mode  Show configuration parameters and statistics; restart the OSPF process (advanced feature); debug network issues with ping and traceroute  From the switch CLI: type router, then type enable.  C5(su)->router> (after router), then C5(su)->router# (after enable)
Global Configuration Mode  Set system-wide router parameters.  Type configure from Privileged EXEC mode.
Routing Interfaces

Example

The following example shows how to enable RIP on the switch, then configure VLAN 1 with IP address 192.168.63.1 255.255.255.0 as a routing interface and enable RIP on the interface.
C5(su)->router
C5(su)->router>enable
C5(su)->router#configure
Enter configuration commands:
C5(su)->router(Config)#router rip
C5(su)->router(Config-router)#exit
C5(su)->router(Config)#interface vlan 1
C5(su)->router(Config-if(Vlan 1))#ip address 192.168.63.1 255.255.255.
IP Static Routes

Procedure 20-2 Configuring the Routing Interface
Step  Task  Command(s)
1.  Enter router interface configuration command mode for the specified interface from global configuration command mode.  interface {vlan vlan-id | loopback loopbackid}
2.  Set the primary, and optionally the secondary, IPv4 address for this interface, in interface configuration command mode.  ip address ip-address ip-mask [secondary]
3.
Testing Network Connectivity

Configuring Static Routes

Procedure 20-3 lists the commands to configure a static route.

Procedure 20-3 Configuring Static Routes
Step  Task  Command(s)
1.  In global configuration mode, configure an IPv4 static route.  ip route dest-prefix dest-prefixmask forwarding-rtr-addr [distance]
2.  Optionally, remove a static route.  no ip route dest-prefix dest-prefixmask forwarding-rtr-addr
3.
The ARP Table

This example shows output from a successful ping to IP address 182.127.63.23:
C5(su)->router#ping 182.127.63.23
182.127.63.23 is alive
Use the traceroute command to display a hop-by-hop path through an IP network from the device to a specific destination host. Three ICMP probes will be transmitted for each hop between the source and the traceroute destination. The traceroute command is available in both switch and routing command modes.
IP Broadcast Settings

– the clear arp command to delete a specific entry or all entries from the switch ARP table.
– the show arp command to display the link level ARP table.

Proxy ARP

This variation of the ARP protocol allows the router to send an ARP response on behalf of an end node to the requesting host. Proxy ARP can be used to resolve routing issues on end stations that are unable to route in the subnetted environment.
specific network or subnet. The directed broadcast address includes the network or subnet fields, with the binary bits of the host portion of the address set to one. For example, for a network with the address 192.168.0.0/16, the directed broadcast address would be 192.168.255.255. For a subnet with the address 192.168.12.0/24, the directed broadcast address would be 192.168.12.255.
Table 20-2 UDP Broadcast Forwarding Port Default (continued)
Port Number  Protocol
4011  Alternate Service Boot
The no form of the ip forward-protocol command removes a UDP port or protocol, disabling forwarding.

DHCP and BOOTP Relay

DHCP/BOOTP relay functionality is applied with the help of UDP broadcast forwarding. A typical situation occurs when a host requests an IP address with no DHCP server located on that segment.
Configuring ICMP Redirects

This example shows how to enable IP directed broadcasts on VLAN 1 and have all client DHCP requests for users in VLAN 1 forwarded to the remote DHCP server with IP address 192.168.1.28.
C5(su)->router(Config)#interface vlan 1
C5(su)->router(Config-if(Vlan 1))#ip directed-broadcast
C5(su)->router(Config-if(Vlan 1))#ip forward-protocol udp
C5(su)->router(Config-if(Vlan 1))#ip helper-address 192.168.1.
Terms and Definitions

Table 20-3 IP Routing Terms and Definitions (continued)
Term  Definition
relay agent  A DHCPv6 application that provides a means for relaying DHCPv6 requests from a subnet to which no DHCP server is connected to other subnets on which servers are attached.
routing interface  A VLAN or loopback interface configured for IP routing.
21 IPv4 Basic Routing Protocols

This chapter describes how to configure the Routing Information Protocol (RIP) and the ICMP Router Discovery Protocol (IRDP).

For information about...  Refer to page...
Configuring RIP  21-1
Configuring IRDP  21-5

Configuring RIP

Using RIP in Your Network

The fixed switches support Routing Information Protocol (RIP) Version 1 and 2. RIP is a distance-vector routing protocol for use in small networks; it is not intended for complex networks. RIP is described in RFC 2453.
Table 21-1 Routing Protocol Route Preferences
Route Source  Default Distance
Connected  0
Static  1
OSPF (Requires support for advanced routing features on the switch)  110
RIP  120
Also in router configuration mode, you can disable automatic route summarization with the no auto-summary command. By default, RIP version 2 supports automatic route summarization, which summarizes sub-prefixes to the classful network boundary when crossing network boundaries.
• Configure a RIP authentication key for use on the interface. Authentication can be either clear text or encrypted MD5.

RIP Configuration Example

Table 21-2 lists the default RIP configuration values. Procedure 21-1 lists the basic steps to configure RIP and the commands used.
Procedure 21-1 Basic RIP Configuration (continued)
Step  Task  Command(s)
3.  In router configuration mode, optionally disable automatic route summarization (necessary for enabling CIDR).  no auto-summary
4.  In router configuration mode, optionally enable split horizon poison reverse.  split-horizon poison
5.  In router configuration mode, optionally enable route redistribution of non-RIP protocol routes.
Configuring IRDP

Using IRDP in Your Network

The ICMP Router Discovery Protocol (IRDP), described in RFC 1256, enables a host on multicast or broadcast networks to determine the address of a router it can use as a default gateway. Routing interfaces that are enabled for IRDP periodically send out ICMP Router Advertisement messages announcing the IP address of that interface. Hosts on the link discover the addresses of their neighboring routers by listening for advertisements.
Table 21-3 IRDP Default Values (continued)
Parameter  Description  Default Value
advertisement holdtime  The length of time this advertised address should be considered valid. Can be no less than the max advertisement interval.  three times the maximum advertisement interval (1800 seconds)
preference level  The preference value for this advertised address.  0
advertisement address  IP destination address for advertisements.  224.0.0.
The following code example enables IRDP on VLAN 10, leaving all default values, and then shows the IRDP configuration on that VLAN. This example assumes that VLAN 10 has already been configured for routing.
22 Configuring OSPFv2 This chapter gives a brief overview of OSPFv2 and then presents several configuration scenarios. OSPFv2 is available only on those fixed switch platforms that support advanced routing and on which an advanced feature license has been enabled. Note: OSPF is an advanced routing feature that must be enabled with a license key.
OSPF Overview The OSPF protocol is designed expressly for the TCP/IP internet environment. It provides for the authentication of routing updates, and utilizes IP multicast when sending and receiving the updates. OSPF routes IP packets based solely on the destination IP address found in the IP packet header. IP packets are not encapsulated in any further protocol headers as they transit the Autonomous System (AS).
Basic OSPF Topology Configuration

OSPF Router Types

OSPF router type is an attribute of an OSPF process. A Fixed Switch device uses one OSPF router process that can be any number between 1 and 65535. OSPF defines four router types:
• Area border router (ABR)
  An ABR is a router that connects one or more areas to the backbone area, and is a member of every area to which it is connected. An ABR keeps a separate copy of the link-state database for each area to which it is connected.
1. See “Configuring OSPF Areas” on page 22-8 for additional discussion of OSPF area configuration.

This basic configuration requires the configuration of four interfaces and associated IP addresses. Also configured are two loopback interfaces, to use for the router IDs.

Configuring the Router ID

OSPF initially assigns all routers a router ID based on the highest loopback IP address of the interfaces configured for IP routing.
Router 1(su)->router(Config-if(Vlan 2))#no shutdown
Router 1(su)->router(Config-if(Vlan 2))#exit
Router 1(su)->router(Config)#interface loopback 0
Router 1(su)->router(Config-if(Lpbk 0))#ip address 10.10.10.10 255.255.255.255
Router 1(su)->router(Config-if(Lpbk 0))#no shutdown
Router 1(su)->router(Config-if(Lpbk 0))#exit
Router 1(su)->router(Config)#router id 10.10.10.
To elect a DR from a host of candidates on the network, each router multicasts a hello packet and examines the priority of hello packets received from other routers. The router with the highest priority is elected the DR, and the router with the next highest priority is elected the BDR. Any router with a priority of 0 will opt out of the DR election process.
Router 1(su)->router(Config-if(Vlan 1))#ip ospf areaid 0.0.0.1
Router 1(su)->router(Config-if(Vlan 1))#ip ospf enable
Router 1(su)->router(Config-if(Vlan 1))#exit

Router 2 CLI Input

Router 2(su)->router(Config)#interface vlan 1
Router 2(su)->router(Config-if(Vlan 1))#ip ospf priority 10
Router 2(su)->router(Config-if(Vlan 1))#ip ospf areaid 0.0.0.
0 to 4294967295. A value of 0 means that two consecutive SPF calculations are performed one immediately after the other.

Configuring OSPF Areas

OSPF allows collections of contiguous networks and hosts to be grouped together. Such a group, together with the routers having interfaces to any one of the included networks, is called an area. Each area has its own link-state database.
Area 2
ABR2(su)->router(Config)#router ospf 1
ABR2(su)->router(Config-router)#area 0.0.0.2 range 10.3.0.0 255.255.0.0
ABR2(su)->router(Config-router)#area 0.0.0.2 range 10.3.2.0 255.255.255.0 noadvertise
Area 3
ABR3(su)->router(Config)#router ospf 1
ABR3(su)->router(Config-router)#area 0.0.0.3 range 10.1.0.0 255.255.0.0

Figure 22-3 OSPF Summarization Topology

Configuring a Stub Area

A stub area is a non-transit area.
injected into the stub area to enable other stub routers within the stub area to reach any external routes that are no longer inserted into the stub area. A stub area can be configured such that the ABR is prevented from sending type 3 summary LSAs into the stub area using the no-summary option. In this case, all destinations outside of the stub area are represented by means of a default route. There are a couple of restrictions on the use of stub areas.
Router 3(su)->router(Config-router)#area 0.0.0.1 stub no-summary
Router 3(su)->router(Config-router)#area 0.0.0.1 default-cost 15
Router 5
Router 5(su)->router(Config)#router ospf 1
Router 5(su)->router(Config-router)#area 0.0.0.2 stub
Router 5(su)->router(Config-router)#area 0.0.0.2 default-cost 15
Router 6
Router 6(su)->router(Config)#router ospf 1
Router 6(su)->router(Config-router)#area 0.0.0.2 stub
Router 6(su)->router(Config-router)#area 0.0.0.
Example

Figure 22-5 OSPF NSSA Topology
(Figure labels, as extracted: Area 1; RIP; Backbone; Router 1; Router 2; Router 3; Router 4; Router 5.)

Using the topology shown in Figure 22-5, the following code examples will configure Router 2 as the ABR between Area 1 and the backbone area 0. Router 4 is configured as an ASBR connected to a RIP autonomous system. Router 2 will translate Type 7 LSAs from the connected domain to Type 5 routes into the backbone.
The virtual-link is treated as if it were an unnumbered point-to-point network belonging to the backbone and joining the two ABRs. The cost of a virtual link is not configured. It is auto configured with the cost of the intra-area path between the two ABRs that make up the virtual-link. Use the area virtual-link command in OSPF router configuration command mode, providing the transit area ID and the ABR’s router ID, to configure an area virtual-link.
Configuring Area Virtual-Link Authentication

An area virtual-link can be configured for simple authentication. Neighbor virtual link routers must have the same password. Use the area virtual-link authentication-key command in OSPF router configuration command mode to configure simple authentication on this area virtual-link. The key is an alphanumeric string of up to 8 characters.
They do not send or receive hello packets. OSPF adjacencies cannot be formed on a passive interface. Use the passive-interface command in router configuration command mode to configure an interface as passive or to set passive as the default mode of operation for all interfaces.

Configuring OSPF Interfaces

OSPF is disabled by default and must be enabled on routing interfaces with the ip ospf enable command in interface configuration mode.
Default Settings

Configuring OSPF Interface Timers

The following OSPF timers are configured at the interface level in interface configuration mode:
• Hello Interval
• Dead Interval
• Retransmit Interval
• Transmit Delay
Use the hello interval (ip ospf hello-interval) and dead interval (ip ospf dead-interval) timers to ensure efficient adjacency between OSPF neighbors. The hello interval is the period between transmissions of hello packet advertisements.
Configuration Procedures

Table 22-1 Default OSPF Parameters (continued)
Parameter  Description  Default Value
retransmit interval  A timer that determines the retransmission of LSAs in order to ensure reliable flooding.  5 seconds
transmit delay  Specifies the number of seconds it takes to transmit a link state update packet over this interface.  1 second
hello interval  The period between transmissions of hello packet advertisements.
OSPF Interface Configuration

Procedure 22-2 on page 22-18 describes the OSPF interface configuration tasks. All OSPF interface configuration commands are executed in router interface configuration mode.

Procedure 22-2 OSPF Interface Configuration
Step  Task  Command(s)
1.  In interface configuration mode, configure an IP address for all routing interfaces in the AS. See Procedure 20-2 on page 20-4.  ip address ip-address ip-mask [secondary]
2.  Enable OSPF in the interface.
Procedure 22-3 OSPF Area Configuration (continued)
Step  Task  Command(s)
4.  On ABRs connected to stub areas and NSSAs, configure the cost value for the default route sent into stub areas and NSSAs.  area area-id default-cost cost
5.  If necessary, configure an OSPF virtual link. Refer to “Configuring Area Virtual-Links” on page 22-12 for more information.  area area-id virtual-link router-id
6.  Optionally, configure authentication and/or timer values for the virtual link.
23 Configuring VRRP This chapter describes the Virtual Router Redundancy Protocol (VRRP) feature and its configuration. VRRP is available only on those fixed switch platforms that support advanced routing and on which an advanced feature license has been enabled. Note: VRRP is an advanced routing feature that must be enabled with a license key.
VRRP Overview

Figure 23-1 Basic VRRP Topology
(Figure labels, as extracted: VRID 1 172.111.1.1; Router R1; Router R2; ge.1.1 VLAN 111 172.111.1.1/16; ge.1.1 VLAN 111 172.111.1.2/16; Host 1 172.111.1.100/16; Default Gateway 172.111.1.1.)

Figure 23-1 shows a basic VRRP topology with a single virtual router. Routers R1 and R2 are both configured with one virtual router (VRID 1). Router R1 serves as the master and Router R2 serves as the backup. The hosts are configured to use 172.111.1.1/16 as the default route.
then advertisements are sent every advertising interval to let other VRRP routers in this VRID know the router is still acting as master of the VRID. All routers with the same VRID should be configured with the same advertisement interval. Use the advertise-interval command to change the advertise-interval for this VRID.

Enabling Master Preemption

By default, a router is enabled to preempt a lower priority master for the configured virtual router.
Table 23-1 Default VRRP Parameters (continued)
Parameter  Description  Default Value
advertise-interval  Specifies the interval between the advertisements the master sends to other routers participating in the selection process.  1 second
priority  Specifies the router priority for the master election for this virtual router.  100
VRRP preemption  Specifies whether higher priority backup VRRP routers can preempt a lower priority master VRRP router and become master.
The master advertise-interval is changed to 2 seconds for VRID 1. If Router R1 should become unavailable, Router R2 would take over virtual router VRID 1 and its associated IP addresses. Packets sent to 172.111.1.1/16 would go to Router R2. When Router R1 comes up again, it would take over as master, and Router R2 would revert to backup.

Figure 23-2 Basic Configuration Example
(Figure labels, as extracted: VRID 1 172.111.1.1; Router R1; Router R2; ge.1.1 VLAN 111 172.111.1.1/16; ge.1.1 VLAN 111 172.111.1.
Router 2(su)->router(Config-router)#exit

Multiple Backup VRRP Configuration

Figure 23-3 shows a multi-backup sample configuration.

Figure 23-3 Multi-Backup VRRP Configuration Example
(Figure labels, as extracted: 172.111.0.0/18 Default Gateway 172.111.1.1; ge.1.1 VLAN 111 172.111.1.1/16; 172.111.128.0/18 Default Gateway 172.111.1.150; 172.111.64.0/18 Default Gateway 172.111.1.50; VRID 1 172.111.1.1; VRID 2 172.111.1.50; VRID 3 172.111.1.150; Router R1; ge.1.1 VLAN 111 172.111.1.2/16; Router R2; ge.1.2 172.200.2.
2. Therefore, Router R2’s interface 172.111.1.2 will be Master for VRID 2, handling traffic on this LAN segment sourced from subnet 172.111.64.0/18. In this configuration, if an interface on VLAN 111 for Router R1 or Router R2, or VRID 1, 2, or 3, fails, the interface on the other router will take over forwarding outside the local LAN segment.

Router R1
Router 1(su)->router(Config)#interface vlan 111
Router 1(su)->router(Config-if(Vlan 111))#ip address 172.111.1.1 255.255.255.
Router 2(su)->router(Config-router)#create vlan 111 3
Router 2(su)->router(Config-router)#address vlan 111 3 172.111.1.150 0
Router 2(su)->router(Config-router)#master-icmp-reply vlan 111 3
Router 2(su)->router(Config-router)#enable vlan 111 3
Router 2(su)->router(Config-router)#exit

Terms and Definitions

Table 23-2 lists terms and definitions used in this VRRP configuration discussion.
24 Configuring Access Control Lists This chapter describes how to configure access control lists on the Fixed Switch platforms. ACLs on the A4 are described separately in this chapter since ACL support on the A4 is different from the support on the other Fixed Switch platforms. For information about... Refer to page...
   – Inserting a new ACL rule entry into an ACL
   – Moving an ACL rule to a new location in an ACL
• Apply the ACL to VLAN interfaces, to ports, or to Link Aggregation ports.

ACL Configuration Overview

This section describes the ACL creation, rule entry, and application of the ACL to a port or routing VLAN required to implement an ACL, as well as the features available for managing ACL rules and displaying ACLs.
Creating ACL Rules

ACL rules define the basis upon which a hit will take place for the ACL. Rules in an ACL are order-dependent. A packet is either forwarded (a permit rule) or not forwarded (a deny rule) according to the first rule that is matched. The matching criteria available are determined by whether the ACL is a standard or extended IPv4 ACL, an IPv6 ACL, or a MAC ACL. As soon as a rule is matched, processing of the access list stops.
IPv6 Rules

For IPv6 rules, IPv6 source and destination addresses and prefix length are specified, or the any option can be used. For IPv6 ACLs, the following protocols can be specified in a rule:
• Any IPv6 protocol
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
• IPv6 Internet Control Message Protocol (ICMPv6)
TCP and UDP rules can match specific source and destination ports.
ACL Configuration Overview The following example displays IPv4 extended access control list 120, then deletes entries 2 and 3, and redisplays the ACL.
C5(su)->router(Config)#show access-lists 120
Extended IP access list 120
1: deny ip 20.0.0.1 0.0.255.255 any
2: deny ip 30.0.0.1 0.0.255.255 any
3: deny ip 40.0.0.1 0.0.255.255 any
4: permit ip any any
C5(su)->router(Config)#no access-list 120 2 3
C5(su)->router(Config)#show access-lists 120
Extended IP access list 120
1: deny ip 20.0.0.1 0.0.255.
ACL Configuration Overview 2: deny ip 30.0.0.1 0.0.255.255 any 3: deny ip 40.0.0.1 0.0.255.255 any 4: permit ip any any Inserting ACL Rules When you enter an ACL rule, the new rule is appended to the end of the existing rules by default. You can insert a new rule into a specified entry location using the insert option. The following example inserts a new entry into IPv4 extended ACL 121 before entry 2. C5(su)->router(Config)#show access-lists 121 Extended IP access list 121 1: deny ip 10.0.0.1 0.0.255.
Configuring ACLs
Port-string  Access-list
-----------  -----------
ge.1.29      121
Configuring ACLs This section provides procedures and examples for configuring IPv4, IPv6, and MAC ACLs. With the exception of A4 ACLs, all ACLs are terminated with an implicit “deny all” rule. Configuring IPv4 ACLs Procedure 24-1 describes how to configure IPv4 standard and extended ACLs. Procedure 24-1 Configuring IPv4 Standard and Extended ACLs Step Task 1.
Configuring ACLs Procedure 24-1 Configuring IPv4 Standard and Extended ACLs (continued) Step Task Command(s) 6. Optionally, display the ACLs associated with a VLAN or port. show access-lists [interface [portstring]] | [vlan [vlan-id]] 7. Optionally, delete an entire ACL or a single rule or range of rules. no access-list acl-number [entryno [entryno]] Example The following example creates an IPv4 extended ACL and associates it with VLAN 100.
Configuring ACLs Procedure 24-2 Configuring IPv6 ACLs (continued) Step Task Command(s) 3. After the switch resets, return to global router configuration mode, create the ACL and define the rules. access-list ipv6 name {deny | permit} protocol {srcipv6-addr/ prefix-length | any} [eq port] {dstipv6-addr/prefix-length | any} [eq port] [dscp dscp] [flow-label label-value] [assign-queue queue-id] 4. Optionally, insert new or replace existing rules.
Configuring ACLs
C5(su)->router(Config)#show access-lists ipv6list1
ipv6list1 IPV6 access-list
1: deny icmpv6 2001:DB08:10::1/64 any
2: permit tcp 2001:db08:20::20/64 eq snmp any assign-queue 5
3: permit ipv6 2001:FFFF:30::30/64 any
C5(su)->router(Config)#interface vlan 200
C5(su)->router(Config-if(Vlan 200))#ipv6 access-group ipv6list1 in
C5(su)->router(Config-if(Vlan 200))#exit
Configuring MAC ACLs Procedure 24-3 describes how to configure a MAC ACL.
Access Control Lists on the A4
C5(su)->router>enable
C5(su)->router#show access-lists ipv6mode
ipv6mode disabled
C5(su)->router#configure
Enter configuration commands:
C5(su)->router(Config)#access-list ipv6mode
Changing ipv6mode will result in a system reset.
Access Control Lists on the A4 Table 24-1 ACL Rule Precedence (continued)
ACL Type and Rule            Priority   Example
IP   SIP any   DIP exact     18         permit any 10.0.1.22
IP   SIP any   DIP any       17         deny any any
MAC  SA any    DA any        16         deny any any
Rule actions include:
• Deny — drop the packet.
• Permit — allow the frame to be switched.
• Assign to queue — assign the packet to a queue.
Note: Unlike other Fixed Switch platforms, A4 ACLs are not terminated with an implicit “deny all” rule.
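Because a misordered rule or a missing final entry is the usual way an ACL fails open or closed, it helps to model the semantics described above before committing a list to a port. The following Python is an added example written for this guide, not Enterasys code: it parses the IPv4 ip rule subset that appears in the show access-lists listings of this chapter, applies first-match evaluation with inverted wildcard masks, supports the entry deletion and insertion operations, and switches the end-of-list behaviour between the implicit deny-all of the other Fixed Switch platforms and the A4, which has none. The packet addresses fed to it are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example, not Enterasys code. It models the IPv4 "ip" rule subset shown in
# the show access-lists listings of this chapter:
#   {deny|permit} ip {host A | A WILDCARD | any} {host B | B WILDCARD | any} [assign-queue N]
# A wildcard mask is inverted: a 0 bit must match, a 1 bit is ignored.

AddrSpec = Tuple[int, int]  # (address, wildcard) as 32-bit integers


def _parse_addr(tokens: List[str]) -> Tuple[AddrSpec, List[str]]:
    """Consume one address specification; return it with the unconsumed tokens."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    spec = (int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1])))
    return spec, tokens[2:]


def _match(spec: AddrSpec, addr: str) -> bool:
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


@dataclass
class Rule:
    action: str
    src: AddrSpec
    dst: AddrSpec
    queue: Optional[int]
    text: str

    @classmethod
    def parse(cls, line: str) -> "Rule":
        tokens = line.split()
        if tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            raise ValueError("unsupported rule: " + line)
        src, rest = _parse_addr(tokens[2:])
        dst, rest = _parse_addr(rest)
        queue = int(rest[1]) if rest[:1] == ["assign-queue"] else None
        return cls(tokens[0], src, dst, queue, line)


@dataclass
class AccessList:
    number: int
    a4: bool = False  # A4 platforms have no implicit deny-all at the end of the list
    rules: List[Rule] = field(default_factory=list)

    def add(self, line: str, insert_before: Optional[int] = None) -> None:
        """Append a rule, or (insert option) place it before the given 1-based entry."""
        rule = Rule.parse(line)
        if insert_before is None:
            self.rules.append(rule)
        else:
            self.rules.insert(insert_before - 1, rule)

    def delete(self, first: int, last: Optional[int] = None) -> None:
        """no access-list <n> first [last]: remove one entry or a range of entries."""
        del self.rules[first - 1:(last or first)]

    def evaluate(self, src: str, dst: str) -> Tuple[str, Optional[int], Optional[int]]:
        """First matching rule wins; returns (action, entry number, assigned queue)."""
        for entry, rule in enumerate(self.rules, start=1):
            if _match(rule.src, src) and _match(rule.dst, dst):
                return rule.action, entry, rule.queue
        # Off the end of the list: implicit deny, except on the A4 where the frame is switched
        return ("permit" if self.a4 else "deny"), None, None

    def show(self) -> List[str]:
        return [f"{n}: {r.text}" for n, r in enumerate(self.rules, start=1)]


def build_acl_120() -> AccessList:
    """Access list 120 as listed on this page, before the deletion of entries 2 and 3."""
    acl = AccessList(120)
    for line in ("deny ip 20.0.0.1 0.0.255.255 any", "deny ip 30.0.0.1 0.0.255.255 any",
                 "deny ip 40.0.0.1 0.0.255.255 any", "permit ip any any"):
        acl.add(line)
    return acl


def build_acl_101(a4: bool) -> AccessList:
    """The three rules of the A4 example, loaded as an A4 or a non-A4 list."""
    acl = AccessList(101, a4=a4)
    acl.add("deny ip host 192.168.10.10 any")
    acl.add("deny ip host 164.108.20.20 host 164.20.40.40")
    acl.add("permit ip host 148.12.111.1 any assign-queue 5")
    return acl


if __name__ == "__main__":
    acl = build_acl_120()
    print(acl.evaluate("30.0.7.7", "1.2.3.4"))   # ('deny', 2, None)
    acl.delete(2, 3)                             # no access-list 120 2 3
    print(acl.show())
    print(acl.evaluate("30.0.7.7", "1.2.3.4"))   # ('permit', 2, None)
    print(build_acl_101(a4=True).evaluate("10.9.9.9", "10.0.0.1"))    # ('permit', None, None)
    print(build_acl_101(a4=False).evaluate("10.9.9.9", "10.0.0.1"))   # ('deny', None, None)
```

The last two lines show the platform difference that matters operationally: the same three-rule list forwards an unmatched packet on the A4 and drops it elsewhere, so an A4 ACL that is meant to block must end with an explicit deny any any, and an ACL copied from another platform must be re-read with that in mind.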
Access Control Lists on the A4
A4(su)->router#configure
Enter configuration commands:
A4(su)->router(Config)#access-list 101 deny ip host 192.168.10.10 any
A4(su)->router(Config)#access-list 101 deny ip host 164.108.20.20 host 164.20.40.40
A4(su)->router(Config)#access-list 101 permit ip host 148.12.111.1 any assign-queue 5
A4(su)->router(Config)#show access-lists 101
Extended IP access list 101
1: deny ip host 192.168.10.10 any
2: deny ip host 164.108.20.20 host 164.20.40.40
3: permit ip host 148.12.111.
Access Control Lists on the A4
A4(su)->router(Config)#access-list mac mymac permit 00:01:00:02:00:01 any assign-queue 2
A4(su)->router(Config)#show access-lists mymac
mymac MAC access-list
1: deny 00-E0-ED-1D-90-D5 any
2: permit 00:01:00:02:00:01 any assign-queue 2
A4(su)->router(Config)#access-list interface mymac fe.1.2 in
A4(su)->router(Config)#show access-lists interface fe.1.2
Port-string  Access-list
-----------  -----------
fe.1.
25 Configuring and Managing IPv6 This chapter provides information about the following topics: For information about... Refer to page... Managing IPv6 25-1 IPv6 Routing Configuration 25-3 IPv6 Neighbor Discovery 25-11 DHCPv6 Configuration 25-14 Managing IPv6 At the switch command level, you can: • Enable or disable the IPv6 management function • Configure the IPv6 host and default gateway addresses • Monitor network connectivity By default, IPv6 management is disabled.
Managing IPv6 Configuring IPv6 Management Procedure 25-1 describes how to enable IPv6 management and optionally, create a host IPv6 global unicast address and replace the automatically generated default gateway IPv6 address. Refer to the CLI Reference for your platform for more information about the commands listed below. Procedure 25-1 Configuring IPv6 Management Step Task Command(s) 1. Display current IPv6 management status. show ipv6 status If necessary, enable IPv6 management.
IPv6 Routing Configuration
host     FE80::201:F4FF:FE5C:2880/64
host     2001:DB8:1234:5555:201:F4FF:FE5C:2880/64
gateway  FE80::201:F4FF:FE5D:1234
Monitoring Network Connections Table 25-1 describes the tasks and commands used to monitor network connections at the switch level. Refer to the CLI Reference for your platform for more information about the commands listed below.
IPv6 Routing Configuration Neighbor Discovery is the IPv6 replacement for ARP. The Enterasys Fixed Switches support neighbor advertise and solicit, duplicate address detection, and unreachability detection. Router Advertisement is part of the Neighbor Discovery process and is required for IPv6. Stateless autoconfiguration is part of Router Advertisement and the Enterasys Fixed Switches can support both stateless and stateful autoconfiguration of end nodes.
IPv6 Routing Configuration Setting Routing General Parameters IPv6 routing parameters are set in router global configuration mode. Table 25-3 lists the tasks and commands. Refer to the CLI Reference for your platform for more information about the commands listed below.
Table 25-3 Setting Routing General Parameters
Task                                                                            Command(s)
Enable or disable IPv6 forwarding. Forwarding is enabled by default.            ipv6 forwarding
Set the value of the hop limit field in IPv6 packets originated by this device.
IPv6 Routing Configuration Enabling an Interface for IPv6 Routing In addition to enabling an interface for routing, you must enable unicast routing on the switch with the ipv6 unicast-routing command in global router configuration mode. To enable an interface, including VLAN, tunnel, and loopback interfaces, for IPv6 routing, in router interface configuration mode: • Use the ipv6 address command to configure a global IPv6 address on an interface.
IPv6 Routing Configuration
C5(su)->router(Config)#show ipv6 interface vlan 100
Vlan 100 Administrative Mode                   Enabled
Vlan 100 IPv6 Routing Operational Mode         Enabled
IPv6 is                                        Enabled
IPv6 Prefix is                                 FE80::211:88FF:FE55:4A7F/128
                                               3FFE:501:FFFF:101:211:88FF:FE55:4A7F/64
Routing Mode                                   Enabled
Interface Maximum Transmit Unit                1500
Router Duplicate Address Detection Transmits   1
Router Advertisement NS Interval               0
Router Advertisement Lifetime Interval         1800
Router Advertisement Reachable Time            0
Router Advertisement Min
IPv6 Routing Configuration the MTU value for the tunnel interfaces was reduced by 20 octets, to allow for the basic IPv4 headers added to IPv6 packets. Figure 25-1 Basic IPv6 Over IPv4 Tunnel Router R1 Router R2 VLAN 20 – 195.167.20.1 Tunnel 10 IPv6 Addr: 2001:DB8:111:1::20/127 Tunnel Source: 195.167.20.1 Tunnel Destination: 192.168.10.1 VLAN 10 – 192.168.10.1 Tunnel 10 IPv6 Addr: 2001:DB8:111:1::10/127 Tunnel Source: 192.168.10.1 Tunnel Destination: 195.167.20.
IPv6 Routing Configuration Router R2
R2(su)->router
R2(su)->router>enable
R2(su)->router#configure
Enter configuration commands:
R2(su)->router(Config)#interface vlan 20
R2(su)->router(Config-if(Vlan 20))#ip address 195.167.20.1 255.255.255.0
R2(su)->router(Config-if(Vlan 20))#no shutdown
R2(su)->router(Config-if(Vlan 20))#exit
R2(su)->router(Config)#interface tunnel 10
R2(su)->router(Config-if(Tnnl 10))#ipv6 address 2001:db8:111:1::20/127
R2(su)->router(Config-if(Tnnl 10))#tunnel source 195.167.20.
IPv6 Routing Configuration Procedure 25-4 Configuring Static Routes Step Task Command(s) 1. In global configuration mode, configure an IPv6 static route. ipv6 route ipv6-prefix/prefix-length {global-next-hop-addr | interface {tunnel tunnel-id | vlan vlan-id} ll-next-hop-addr} [pref] 2. Optionally, configure a default distance, or preference, for static IPv6 routes that do not have a preference specified. ipv6 route distance pref 3. Display the routing table, including static routes.
IPv6 Neighbor Discovery Testing Network Connectivity Use the ping ipv6 command to determine whether another device is on the network. Use the ping ipv6 interface command to ping a link-local or global IPv6 address of an interface, specifying a loopback, tunnel, or logical interface as the source. To use the ping commands, configure the switch for network (in-band) connection. Both source and target devices need to support ICMPv6 echo requests and echo responses.
IPv6 Neighbor Discovery Neighbor Solicitation Messages Neighbor Solicitation messages are sent on the local link to determine the link-layer address of another node on the link, as well as to verify the uniqueness of a unicast address for DAD. Neighbor Solicitation messages are also used to verify the reachability of a neighbor after the link-layer address is known. Use the ipv6 nd ns-interval command to configure the interval between Neighbor Solicitation messages sent on an interface.
IPv6 Neighbor Discovery Neighbor Discovery Configuration Refer to Table 25-2 on page 25-4 for the default Neighbor Discovery values. Procedure 25-5 on page 25-13 lists the tasks and commands to configure Neighbor Discovery on routing interfaces. Refer to the CLI Reference for your platform for more information about the commands listed below. Procedure 25-5 Neighbor Discovery Configuration Step Task Command(s) 1.
DHCPv6 Configuration DHCPv6 Configuration DHCP is generally used between clients (for example, hosts) and servers (for example, routers) for the purpose of assigning IP addresses, gateways, and other networking definitions such as DNS, NTP, and/or SIP parameters. However, IPv6 natively provides for auto-configuration of IP addresses through the IPv6 Neighbor Discovery Protocol (NDP) and the use of Router Advertisement messages.
DHCPv6 Configuration address, a multicast address, or a link-local address. If the address is a multicast or link-local address, then you must also specify the interface to be used to contact the DHCPv6 server. Alternatively, you can specify only the interface to be used to contact the DHCPv6 server and the Fixed Switch device will use the DHCPV6-ALL-AGENTS multicast address (FF02::1:2) to relay DHCPv6 messages to the DHCPv6 server.
DHCPv6 Configuration Default Conditions The following table lists the default DHCPv6 conditions.
Condition                                                Default Value
IPv6 DHCP                                                Disabled
IPv6 DHCP Relay Agent Information Option                 32
IPv6 DHCP Relay Agent Information Remote ID Sub-option   1
IPv6 DHCP Preferred Lifetime                             2592000 seconds
IPv6 DHCP Valid Lifetime                                 604800 seconds
Note that RFC 4862 requires the preferred lifetime of an address to be no greater than its valid lifetime, so confirm the effective defaults on your platform before relying on the lifetime values in this table.
Configuration Examples Procedure 25-6 describes the tasks to configure a Fixed Switch interface as a DHCPv6 relay agent. A code example follows the procedure.
DHCPv6 Configuration Relay Remote ID Option Flags Procedure 25-7 on page 25-17 describes the tasks to configure a Fixed Switch interface as a DHCPv6 server. A code example follows the procedure. Refer to the CLI Reference for your platform for more information about these commands. Procedure 25-7 DHCPv6 Server Configuration Step Task Command(s) 1. In router global configuration mode, enable DHCPv6. ipv6 dhcp enable 2. Create a DHCPv6 pool and enter pool configuration mode for that pool.
DHCPv6 Configuration
DHCPv6 Pool: pool22
  Static Bindings:
    Binding for Client 00:01:00:06:99:a3:ff:11:22:33:44:55:66:77
      IA PD: IA ID not specified, Prefix: 3001:2222::/48
      Preferred Lifetime infinite, Valid Lifetime infinite
  Static Bindings:
    Binding for Client 00:01:00:06:99:a3:ff:11:22:33:44:55:66:77
      IA PD: IA ID not specified, Prefix: 3001:3333::/48
      Preferred Lifetime infinite, Valid Lifetime infinite
  DNS Server: 2001:DB8:222:111::10
  DNS Server: 2001:DB8:4444:5555::20
  Domain Name: enterasys.
26 Configuring Security Features This chapter describes the following security features and how to configure them on the Fixed Switch platforms. For information about... Refer to page... Security Mode Configuration 26-1 IPsec Configuration 26-4 RADIUS Management Authentication 26-6 MAC Locking 26-7 TACACS+ 26-11 Service ACLs 26-16 DHCP Snooping 26-18 Dynamic ARP Inspection 26-22 Security Mode Configuration For information about... Refer to page...
Security Mode Configuration FIPS mode is disabled by default. It can be enabled using the set security profile c2 command. FIPS mode is persistent and shown in the running configuration. When changing between Normal and FIPS mode, a system reboot is required, indicated by a warning message: Warning: Changing the security profile requires system reset. Do you want to continue (y/n) [n]? FIPS mode can be cleared using the clear security profile command.
Security Mode Configuration Table 26-1 SNMP Commands Affected by Security Mode Settings (continued)
Commands                       Access When Security Mode Setting Is:
                               Normal        C2
set/clear snmp targetaddr      Read-Write    Super User
set/clear snmp notify          Read-Write    Super User
set/clear snmp notifyfilter    Read-Write    Super User
set/clear snmp notifyprofile   Read-Write    Super User
Security Mode and User Authentication and Passwords The switch ensures that passwords are safeguarded during transit and while in storage using F
IPsec Configuration how to enable security audit logging. Refer to Chapter 14, Configuring Syslog for more information about system logging in general. Table 26-3 lists the logging commands that require different user access permissions when the security mode is set to C2.
IPsec Configuration • IPsec and IKE (Internet Key Exchange protocol) are defined for the RADIUS host application only. This implementation supports the creation of Security Associations (SAs) with servers configured for RADIUS, and the RADIUS application helps define the IPsec flow. • Only the Encapsulating Security Payload (ESP) mode of operation is supported. Authentication Header (AH) mode is not supported.
RADIUS Management Authentication Procedure 26-2 Configuring IPsec Step Task Command(s) 1. Display the current IPsec settings. show ipsec 2. Optionally, change the authentication protocol. set ipsec authentication {md5 | sha1} Note: This command is not available if the security mode setting is C2. 3. Optionally, change the encryption type. set ipsec encryption {3des | aes128 | aes192 | aes256} 4.
MAC Locking Response Validation When the MS-CHAP2-Success attribute is received in an access accept RADIUS response frame, it will be validated according to RFC2548 and RFC2759. This attribute contains the 42 byte authenticator response. Upon receipt, the RADIUS client software will calculate its own authenticator response using the information that was passed in the MS-CHAP2-Response attribute and the user's passed clear text password.
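The validation step described above can be reproduced offline, which is useful when a RADIUS server's MS-CHAPv2 responses are being rejected and you need to know whether the server or the client side computed the wrong value. The following Python is an added example, not Enterasys code: it implements GenerateAuthenticatorResponse() from RFC 2759 section 8.7 (including MD4, which many OpenSSL 3 builds of hashlib no longer provide), parses the MS-CHAP2-Response attribute layout of RFC 2548 to recover the Peer-Challenge and NT-Response, and compares a received MS-CHAP2-Success string (one Ident octet followed by the 42-octet authenticator response) with the locally computed value in constant time. The sample values are the RFC 2759 section 9.2 test vectors; the Ident octet 0x01 is constructed.

```python
import hashlib
import hmac
import struct
from typing import Tuple

# Added example, not Enterasys code: client-side validation of MS-CHAP2-Success
# (RFC 2548 section 2.3.3) using GenerateAuthenticatorResponse() of RFC 2759 section 8.7.
# The sample values below are the RFC 2759 section 9.2 test vectors; Ident 0x01 is constructed.

MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"
MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because OpenSSL 3 builds of hashlib usually do not ship it."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & MASK32, (3, 7, 11, 19)[i % 4]), b, c
        for i, k in enumerate((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)):  # round 2
            a, b, c, d = d, rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4]), b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a, b, c, d = d, rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def parse_mschap2_response(attr: bytes) -> Tuple[int, bytes, bytes]:
    """MS-CHAP2-Response string: Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) Response(24)."""
    if len(attr) != 50:
        raise ValueError("MS-CHAP2-Response string must be 50 octets")
    return attr[0], attr[2:18], attr[26:50]


def authenticator_response(password: str, nt_response: bytes, peer_challenge: bytes,
                           authenticator_challenge: bytes, username: str) -> str:
    """GenerateAuthenticatorResponse() from RFC 2759 section 8.7."""
    password_hash_hash = md4(md4(password.encode("utf-16-le")))
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    challenge = hashlib.sha1(peer_challenge + authenticator_challenge + username.encode()).digest()[:8]
    digest = hashlib.sha1(digest + challenge + MAGIC2).digest()
    return "S=" + digest.hex().upper()


def validate_success(success_attr: bytes, response_attr: bytes, authenticator_challenge: bytes,
                     username: str, password: str) -> bool:
    """True only if the Ident echoes our Response and the 42-octet string matches our own value."""
    if len(success_attr) != 43:  # Ident octet + "S=" + 40 hex digits
        return False
    ident, peer_challenge, nt_response = parse_mschap2_response(response_attr)
    if success_attr[0] != ident:
        return False
    expected = authenticator_response(password, nt_response, peer_challenge,
                                      authenticator_challenge, username)
    return hmac.compare_digest(success_attr[1:], expected.encode("ascii"))


# RFC 2759 section 9.2 test vectors; the Ident value 0x01 is arbitrary.
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
RESPONSE_ATTR = bytes([1, 0]) + PEER_CHALLENGE + bytes(8) + NT_RESPONSE
SUCCESS_ATTR = bytes([1]) + b"S=407A5589115FD0D6209F510FE9C04566932CDA56"

if __name__ == "__main__":
    print(validate_success(SUCCESS_ATTR, RESPONSE_ATTR, AUTH_CHALLENGE, "User", "clientPass"))  # True
```

Two details carry over to any real client: the Ident octet of the Success string must equal the Ident of the Response that was sent, otherwise a replayed Success from another exchange would pass, and the string comparison must not short-circuit on the first differing character.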
MAC Locking You can configure the switch to issue a violation trap if a packet arrives with a source MAC address different from any of the currently locked MAC addresses for that port. MACs are unlocked as a result of:
• A link down event
• MAC locking being disabled on a port
• A MAC being aged out of the forwarding database when FirstArrival aging is enabled
When properly configured, MAC locking is an effective port-level control: a port forwards frames only from its locked source MAC addresses, so a station cannot introduce additional or forged source addresses on that port. It identifies stations by MAC address only and does not authenticate the station behind a locked address.
MAC Locking • If a connected end station exceeds the maximum values configured with the set maclock firstarrival and set maclock static commands (a violation). When “send-on-violation” is enabled, this feature authorizes the switch to send an SNMP trap message if an end station is connected that exceeds the maximum values configured using the set maclock firstarrival and set maclock static commands. Violating MAC addresses are dropped from the device’s (or stack’s) filtering database.
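The following Python is an added example, not Enterasys code: it models one port's MAC locking state as described above (static and first-arrival limits, violation drop with an optional trap, unlock on link down, aging, or when locking is disabled on the port) so that the interaction of the limits can be exercised with a constructed frame stream. The parameter names mirror the set maclock commands named in the text; the disable() method stands in for turning MAC locking off on the port.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Added example, not Enterasys code: a model of per-port MAC locking as described in this
# section. Parameter names follow the set maclock commands in the text; the frames fed to
# demo() are constructed.


@dataclass
class MacLockPort:
    port: str
    firstarrival_max: int = 1          # set maclock firstarrival <port> <n>
    static_max: int = 0                # set maclock static <port> <n>
    trap_enabled: bool = False         # set maclock trap <port> enable (default disabled)
    clear_on_link_change: bool = True  # dynamic locks are cleared on link down by default
    aging_enabled: bool = False        # set maclock agefirstarrival <port> enable
    static: Set[str] = field(default_factory=set)
    firstarrival: List[str] = field(default_factory=list)
    traps: List[str] = field(default_factory=list)

    def lock_static(self, mac: str) -> None:
        mac = mac.lower()
        if mac not in self.static and len(self.static) >= self.static_max:
            raise ValueError(f"{self.port}: static lock limit {self.static_max} reached")
        self.static.add(mac)

    def receive(self, src_mac: str) -> bool:
        """Return True if a frame with this source MAC is forwarded, False if it is dropped."""
        mac = src_mac.lower()
        if mac in self.static or mac in self.firstarrival:
            return True
        if len(self.firstarrival) < self.firstarrival_max:
            self.firstarrival.append(mac)  # learned and locked as a first-arrival MAC
            return True
        # Violation: the frame is dropped and, if enabled, a trap is sent
        if self.trap_enabled:
            self.traps.append(f"maclock violation on {self.port} from {mac}")
        return False

    def link_down(self) -> None:
        """Dynamic (first-arrival) locks are released on link down unless that is disabled."""
        if self.clear_on_link_change:
            self.firstarrival.clear()

    def age_out(self, mac: str) -> None:
        """Forwarding-database aging only releases a first-arrival lock when aging is enabled."""
        if self.aging_enabled and mac.lower() in self.firstarrival:
            self.firstarrival.remove(mac.lower())

    def disable(self) -> None:
        """Stands in for disabling MAC locking on the port: every lock is released."""
        self.static.clear()
        self.firstarrival.clear()


def demo() -> MacLockPort:
    """Port with one static lock and room for two first-arrival MACs; a third station violates."""
    p = MacLockPort("ge.1.5", firstarrival_max=2, static_max=1, trap_enabled=True)
    p.lock_static("00:01:00:02:00:01")
    for mac in ("00:aa:00:00:00:01", "00:aa:00:00:00:02", "00:aa:00:00:00:03"):
        p.receive(mac)  # the third MAC exceeds the first-arrival limit: dropped, trap raised
    return p


if __name__ == "__main__":
    p = demo()
    print(p.firstarrival, p.traps)
```

Note what link_down() does to a port left at the default: the first two stations to send a frame after the link comes back are the ones that get locked, whoever they are. Where a port must stay bound to a known station across link flaps, use a static lock or disable clearing on link change (step 8 of Procedure 26-3).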
MAC Locking Table 26-6 MAC Locking Defaults (continued)
Parameter                         Description                                                                  Default Value
First arrival MAC address aging   Specifies that dynamic MAC locked addresses will be aged out of the database.   Disabled
MAC lock traps                    Specifies whether SNMP traps associated with MAC locking will be sent.           Disabled
MAC lock Syslog messages          Specifies whether Syslog messages associated with MAC locking will be sent.
TACACS+ Procedure 26-3 MAC Locking Configuration (continued) Step Task Command(s) 7. Optionally, enable the aging of first arrival MAC addresses on a port or ports. set maclock agefirstarrival port-string enable Use either the set maclock agefirstarrival disable or clear maclock firstarrival commands to disable aging. 8. Optionally, disable clearing of dynamic MAC addresses on link change.
TACACS+ You can also configure TACACS+ to use a single TCP connection for all TACACS+ client requests to a given TACACS+ server. Up to 5 TACACS+ servers can be configured, with the index value of 1 having the highest priority. If you want to change the default timeout value for a specific server or all servers, you must enter the set tacacs server command using the timeout parameter.
TACACS+ Configuring the Source Address You can configure the source IP address used by the TACACS+ application on the switch when generating packets for management purposes. Any of the management interfaces, including VLAN routing interfaces, can be configured as the source IP address used in packets generated by the TACACS+ client. An interface must have an IP address assigned to it before it can be set as the TACACS+ source.
TACACS+ Basic TACACS+ Configuration Procedure 26-4 describes the basic steps to configure TACACS+ on Enterasys devices. It assumes that you have gathered the necessary TACACS+ server information, such as the server’s IP address, the TCP port to use, shared secret, the authorization service name, and access level attribute-value pairs. Note: You must be logged in to the Enterasys device with read-write access rights to use the commands shown in this procedure.
TACACS+ Procedure 26-4 TACACS+ Configuration (continued) Step Task Command(s) 8. Optionally, enable the TACACS+ client to send multiple requests to the server over a single TCP connection. set tacacs singleconnect enable To disable the use of a single TCP connection, use the set tacacs singleconnect disable command. 9. Optionally, set the interface used for the source IP address of the TACACS+ packets generated by the switch.
Service ACLs Table 26-8 TACACS+ Show Commands (continued) Task Command Displays only the current TACACS+ session settings. The [state] option is valid only for S-Series and Matrix N-Series devices. show tacacs session {authorization | accounting} [state] Displays only the current status for TACACS+ per-command authorization and accounting. The [state] option is valid only for S-Series and Matrix N-Series devices.
Service ACLs Restricting Management Access to the Console Port You can restrict access to system management to the switch’s serial port only. This is done using the set system service-class console-only command. When console-only access is configured, all TCP SYN packets and UDP packets are dropped, with the exception of UDP packets sent to the DHCP Server or DHCP Client ports. Attempting to map a router ACL to a host service will fail.
DHCP Snooping
------
set system service-acl my-sacl deny ip-source 192.168.10.10 mask 255.255.255.255 service ssh priority 1
set system service-acl my-sacl permit port ge.1.1 priority 2
set system service-acl my-sacl permit port ge.1.2 priority 3
set system service-acl my-sacl permit ip-source 10.10.22.
DHCP Snooping into the software forwarding path, where it may be processed by the DHCP relay agent, the local DHCP server, or forwarded as an IP packet. DHCP snooping forwards valid DHCP client messages received on non-routing VLANs. The message is forwarded on all trusted interfaces in the VLAN. If a DHCP relay agent or local DHCP server co-exist with the DHCP snooping feature, DHCP client messages will be sent to the DHCP relay agent or local DHCP server to process further.
DHCP Snooping Procedure 26-6 Basic Configuration for DHCP Snooping Step Task Command(s) 1. Enable DHCP snooping globally on the switch. set dhcpsnooping enable 2. Determine where DHCP clients will be connected and enable DHCP snooping on their VLANs. set dhcpsnooping vlan vlan-list enable 3. Determine which ports will be connected to the DHCP server and configure them as trusted ports. set dhcpsnooping trust port port-string enable 4.
DHCP Snooping Table 26-9 DHCP Snooping Default Parameters (continued) Parameter Default Setting Burst interval 1 second Managing DHCP Snooping Table 26-10 on page 21 lists the commands to display DHCP snooping information. Table 26-11 on page 21 lists the commands to manage DHCP snooping. Refer to the CLI Reference for your platform for command details.
Dynamic ARP Inspection Dynamic ARP Inspection Dynamic ARP inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. The feature prevents a class of man-in-the-middle attacks where an unfriendly station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors. ARP poisoning is a tactic where an attacker injects false ARP packets into the subnet, normally by broadcasting ARP responses in which the attacker claims to be someone else.
Dynamic ARP Inspection
• Loopback addresses (in the range 127.0.0.0/8)
Logging Invalid Packets By default, DAI writes a log message to the normal buffered log for each invalid ARP packet it drops. You can configure DAI to not log invalid packets for specific VLANs. Packet Forwarding DAI forwards valid ARP packets whose destination MAC address is not local. The ingress VLAN could be a switching or routing VLAN. ARP requests are flooded in the VLAN. ARP responses are unicast toward their destination.
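The following Python is an added example, not Enterasys code: it models DHCP snooping and dynamic ARP inspection together, building the snooping binding table from a client exchange with a server on a trusted port (server messages arriving on untrusted ports are dropped, and with verify mac-address the chaddr must match the frame's source MAC) and then validating ARP packets against that table with the checks described above (trusted-port bypass, invalid sender IP, source MAC versus sender MAC, and a binding lookup on VLAN, MAC, IP and port). The invalid sender-IP set beyond loopback (0.0.0.0, 255.255.255.255 and multicast) is assumed from the usual DAI definition, since only the loopback entry of that list survives on this page; every packet is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Added example, not Enterasys code: a model of DHCP snooping (binding table learned from
# client/server exchanges) and of dynamic ARP inspection validating ARP against that table.
# The invalid sender-IP set beyond loopback is assumed from the usual DAI definition.

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    def __init__(self, snooping_vlans: Set[int], dai_vlans: Set[int], trusted_ports: Set[str],
                 verify_mac: bool = True, validate_src_mac: bool = True) -> None:
        self.snooping_vlans, self.dai_vlans, self.trusted = snooping_vlans, dai_vlans, trusted_ports
        self.verify_mac = verify_mac              # set dhcpsnooping verify mac-address
        self.validate_src_mac = validate_src_mac  # optional DAI source-MAC validation
        self.bindings: Dict[Tuple[int, str], Binding] = {}
        self.client_port: Dict[Tuple[int, str], str] = {}
        self.log: List[str] = []

    def dhcp(self, vlan: int, port: str, src_mac: str, msg: str, chaddr: str,
             yiaddr: Optional[str] = None) -> bool:
        """Return True if the DHCP message is forwarded."""
        if vlan not in self.snooping_vlans:
            return True
        if msg in SERVER_MESSAGES:
            if port not in self.trusted:
                self.log.append(f"drop {msg} from untrusted port {port}")
                return False
            if msg == "ACK" and yiaddr:
                cport = self.client_port.get((vlan, chaddr), port)
                self.bindings[(vlan, chaddr)] = Binding(chaddr, yiaddr, vlan, cport)
            return True
        if self.verify_mac and port not in self.trusted and src_mac != chaddr:
            self.log.append(f"drop {msg}: chaddr {chaddr} != source MAC {src_mac}")
            return False
        self.client_port[(vlan, chaddr)] = port
        return True

    @staticmethod
    def _invalid_ip(ip: str) -> bool:
        a = ipaddress.IPv4Address(ip)
        return (a in (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255"))
                or a.is_multicast or a.is_loopback)

    def arp(self, vlan: int, port: str, src_mac: str, sender_mac: str, sender_ip: str) -> bool:
        """Dynamic ARP inspection: True if the ARP packet is forwarded, False if dropped."""
        if vlan not in self.dai_vlans or port in self.trusted:
            return True
        if self._invalid_ip(sender_ip):
            self.log.append(f"drop ARP: invalid sender IP {sender_ip}")
            return False
        if self.validate_src_mac and src_mac != sender_mac:
            self.log.append(f"drop ARP: source MAC {src_mac} != sender MAC {sender_mac}")
            return False
        b = self.bindings.get((vlan, sender_mac))
        if b is None or b.ip != sender_ip or b.port != port:
            self.log.append(f"drop ARP: no binding for {sender_mac}/{sender_ip} on {port} vlan {vlan}")
            return False
        return True


def demo() -> SnoopingSwitch:
    """Topology of the page's example: DHCP server behind trusted ge.1.1, client on ge.1.2, VLAN 10."""
    sw = SnoopingSwitch({10}, {10}, {"ge.1.1"})
    client, server = "00:aa:00:00:00:01", "00:ee:00:00:00:01"
    sw.dhcp(10, "ge.1.2", client, "DISCOVER", client)
    sw.dhcp(10, "ge.1.1", server, "OFFER", client, "10.0.0.5")
    sw.dhcp(10, "ge.1.2", client, "REQUEST", client)
    sw.dhcp(10, "ge.1.1", server, "ACK", client, "10.0.0.5")
    return sw


if __name__ == "__main__":
    sw = demo()
    print(sw.bindings)
    print(sw.arp(10, "ge.1.2", "00:aa:00:00:00:01", "00:aa:00:00:00:01", "10.0.0.9"), sw.log)
```

The model makes the ordering dependency of Procedure 26-7 visible: DAI can only pass ARP from a station that already has a snooping binding, so enabling ARP inspection on a VLAN whose clients obtained leases before snooping was turned on drops their ARP until they renew, and a statically addressed station on an untrusted port needs a static binding or a trusted port.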
Dynamic ARP Inspection Basic Configuration Procedure 26-7 below lists the commands used to configure DAI. Refer to the CLI Reference for your platform for command details. Procedure 26-7 Basic Dynamic ARP Inspection Configuration Step Task Command(s) 1. Configure DHCP snooping. Refer to Procedure 26-6 on page 26-20. 2. Enable ARP inspection on the VLANs where clients are connected, and optionally, enable logging of invalid ARP packets. set arpinspection vlan vlan-range [logging] 3.
Dynamic ARP Inspection Table 26-13 Displaying Dynamic ARP Inspection Information (continued)
Task                                                                        Command
To display the ARP configuration of one or more VLANs                       show arpinspection vlan vlan-range
To display ARP statistics for all DAI-enabled VLANs or for specific VLANs   show arpinspection statistics [vlan vlan-range]
Table 26-14 Managing Dynamic ARP Inspection
Task                                                                        Command
To remove additional optional ARP validation parameters that were previously configured.
Dynamic ARP Inspection
Dynamic ARP Inspection Configuration
set arpinspection vlan 10
set arpinspection trust port ge.1.1 enable
Routing Example
Note: This example applies only to platforms that support routing.
The following example configures DHCP snooping and dynamic ARP inspection in a routing environment using RIP.
Dynamic ARP Inspection
VLAN Configuration
set vlan create 10
set vlan create 192
clear vlan egress 1 ge.1.1-2
set vlan egress 10 ge.1.2 untagged
set vlan egress 192 ge.1.1 untagged
DHCP Snooping Configuration
set dhcpsnooping enable
set dhcpsnooping vlan 1 enable
set dhcpsnooping vlan 10 enable
set dhcpsnooping vlan 192 enable
set dhcpsnooping verify mac-address disable
set dhcpsnooping trust port ge.1.