Matrix DFE Series and N-SA User’s Guide

Important Notice
This guide is a work-in-progress. It is being made available to provide information about key configuration tasks, but it does not yet represent the full functionality of Matrix DFE Series and N-SA devices. Updated versions of this guide with additional chapters will be posted on the Enterasys Networks website as they become available. Please refer to the website and the revision history table below to determine if a newer version has been published.
Notice
Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made. The hardware, firmware, or software described in this document is subject to change without notice.
Enterasys Networks, Inc. Firmware License Agreement
BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT, CAREFULLY READ THIS LICENSE AGREEMENT. This document is an agreement (“Agreement”) between the end user (“You”) and Enterasys Networks, Inc.
4. EXPORT RESTRICTIONS. You understand that Enterasys and its Affiliates are subject to regulation by agencies of the U.S. Government, including the U.S. Department of Commerce, which prohibit export or diversion of certain technical products to certain countries, unless a license to export the Program is obtained from the U.S. Government or an exception from obtaining such license may be relied upon by the exporting party.
9. OWNERSHIP. This is a license agreement and not an agreement for sale. You acknowledge and agree that the Program constitutes trade secrets and/or copyrighted material of Enterasys and/or its suppliers. You agree to implement reasonable security measures to protect such trade secrets and copyrighted material. All right, title and interest in and to the Program shall remain with Enterasys and/or its suppliers. All rights not specifically granted to You shall be reserved to Enterasys.

10. ENFORCEMENT.
Contents

Chapter 1: Features Overview
Matrix Series Features  1-1
Factory Default Settings  1-1
Device Management Methods
Getting Help with CLI Commands  3-10
Using Context-Sensitive Help  3-10
Performing Keyword Lookups  3-11
Abbreviating and Completing Commands
Chapter 6: Managing Syslog
Logging Overview  6-1
Syslog Terms and Definitions  6-2
Interpreting Messages
Chapter 8: Configuring OSPF
Using OSPF on a Matrix DFE or N-SA Series Device  8-1
OSPF Overview  8-1
OSPF Terminology  8-2
Supported Functions
Figures
2-1 Sample Matrix Startup Screen  2-3
5-1 Example of an MST Region  5-4
5-2 MSTI 1 in a Region  5-6
5-3 MSTI 2 in the Same Region
Procedures
3-1 Enabling the Switch for Routing  3-16
5-1 Configuring Devices 1 and 2 for Simple MSTP  5-15
7-1 Configuring VLANs for Routing  7-8
8-1 Basic OSPF Configuration
1 Features Overview
This chapter provides an overview of the Matrix DFE Series and N-SA devices’ unique features and functionality, an overview of the tasks that may be accomplished using the CLI interface, an overview of ways to manage the device, and information on how to contact Enterasys Networks for technical support.
Factory Default Settings

Table 1-1 Default Device Settings for Basic Switch Operation (continued)
Device Feature | Default Setting
CDP interval | Transmit frequency of CDP messages set to 60 seconds.
Community name | Public.
EAPOL | Disabled.
EAPOL authentication mode | When enabled, set to auto for all ports.
GARP timer | Join timer set to 20 centiseconds; leave timer set to 60 centiseconds; leaveall timer set to 1000 centiseconds.
GVRP | Globally enabled.
IGMP | Disabled.
Table 1-1 Default Device Settings for Basic Switch Operation (continued)
Device Feature | Default Setting
Port duplex mode | Set to half duplex, except for 100BASE-FX and 1000BASE-X, which is set to full duplex.
Port enable/disable | Enabled.
Port priority | Set to 1.
Port speed | Set to 10 Mbps, except for 1000BASE-X, which is set to 1000 Mbps, and 100BASE-FX, which is set to 100 Mbps.
Port trap | All ports are enabled to send link traps.
Table 1-1 Default Device Settings for Basic Switch Operation (continued)
Device Feature | Default Setting
Spanning Tree version | Set to mstp (Multiple Spanning Tree Protocol).
SSH | Disabled.
System baud rate | Set to 9600 baud.
System contact | Set to empty string.
System location | Set to empty string.
System name | Set to empty string.
Terminal | CLI display set to 80 columns and 24 rows.
Timeout | Set to 15 minutes.
Table 1-2 Default Device Settings for Router Mode Operation (continued)
Device Feature | Default Setting
ICMP | Enabled for echo-reply and mask-reply modes.
IP-directed broadcasts | Disabled.
IP forward-protocol | Enabled with no port specified.
IP interfaces | Disabled with no IP addresses specified.
IRDP | Disabled on all interfaces.
Device Management Methods
The Matrix DFE Series and N-SA devices can be managed using the following methods:
• Locally using a VT type terminal connected to the console port.
• Remotely using a VT type terminal connected through a modem.
• Remotely using an SNMP management station.
• In-band through a Telnet connection.
• In-band using Enterasys Networks’ NetSight® management application.
• Remotely using WebView™, Enterasys Networks’ embedded web server application.
2 Getting Started
This chapter provides information about the following basic setup procedures on the Matrix DFE Series / N-SA device.

For information about... | Refer to page...
Starting the Command Line Interface

Note: Depending on which Matrix Series device you are using, your default command prompt may be different from the examples shown.

Table 2-1 CLI Access Modes
Mode (User Name) | Prompt | Access Privileges
Read-Only (ro) | Matrix(ro)-> | Permitted to view Read-Only (show) commands.
Read-Write (rw) | Matrix(rw)-> | Permitted to modify all modifiable parameters in set and show commands, as well as view Read-Only commands.
The device information and Matrix prompt display as shown in the example in Figure 2-1.

Note: Users with Read-Write (rw) and Read-Only (ro) access can use the set password command to change their own passwords. Administrators with Super User (su) access can use the set system login command to create and change user accounts, and the set password command to change any local account password.
Setting an IP Address and Basic System Information
Use the procedures in this section to set an IP address for the system and to set basic system information, including the date and time the system will display, where the system is located and a system contact person within your organization.

Note: Some of the commands in these procedures accept a string value. String values can be up to a maximum of 255 characters in length, including blank spaces.
Example
This example shows how an administrator would change the Read-Write password from the system default (blank string):

Matrix(su)->set password rw
Please enter new password: ********
Please re-enter new password: ********
Password changed.
Matrix(su)->

Caution: Test new passwords before saving the active configuration to the startup configuration file. To keep your passwords secure, the Matrix DFE Series / N-SA device does not have a command for displaying passwords.
2. (Optional) Verify the Syslog settings:
   show logging server index
   For more information, refer to Chapter 6, “Managing Syslog”.

About the Matrix DFE-Platinum Series Distributed Console Model

Note: The distributed console and redundant management features described in this section do not apply to Matrix DFE-Gold or Matrix N-SA (standalone) devices.
About Redundant Management on Matrix DFE-Gold Series Modules

Notes: Interoperability of Matrix DFE-Gold Series modules is dependent upon module placement rules during installation in the chassis. For details on these rules and their effects on system management, refer to the Matrix DFE-Gold Series Installation Guide.
Displaying and Changing the Current Configuration
Use these commands to display and change the current configuration:
1. Display current default and non-default configuration settings:
   show config all
2. (Optional) View one or all configuration files stored in the system:
   dir [filename]
3. (Optional) View the contents of a specific configuration file:
   show file filename
4. Upload or download a new configuration file.
Downloading a New Firmware Image
• Using FTP download. This procedure uses an FTP server connected to the network and downloads the firmware using the FTP protocol. It is the most robust downloading mechanism.
• Using TFTP download. This procedure uses a TFTP server connected to the network and downloads the firmware using the TFTP protocol.
• Using the serial (console) port. This procedure is an out-of-band operation that copies the firmware through the serial port to the device.
4. You can now set the device to load the new image file at startup using the set boot system command as described in “Reviewing and Selecting a Boot Firmware Image” (page 2-11).

Downloading Using the Serial Port
To download device firmware using the serial (console) port:
1. With the console port connected as described in the Matrix DFE Series or N-SA Installation Guide for your product, power up the device.
8. From the System Image Loader prompt, type setbaud 9600 to set the device baud rate back to 9600 and press ENTER.
9. From your terminal application, set the terminal baud rate back to 9600.
10. Type setboot filename to set the device to boot to the new firmware image and press ENTER. In this example, the downloaded image file is named “myimage.
Resetting the Device
Use the procedures in this section to reset one or more device modules, to schedule a system reset in order to load a new boot image, or to clear the user-defined switch and router configuration.

Resetting a Module or the System Immediately
Use the following command to reset a module or the entire device without losing any user-defined configuration settings:
   reset [mod-num | system]
If mod-num is not specified, the entire system will be reset.
Clearing User-Defined Configuration Parameters
Use the following command to clear the user-defined system configuration parameters for one or more modules and reset those modules back to factory defaults:
   clear config mod-num | all

Note: This command does not affect the switch IP address. If the module being reset is in a chassis with other active modules, it will inherit system settings from the system.
4. Verify license activation:
   show license

Using WebView
WebView is the Enterasys Networks embedded web server for device configuration and management tasks. By default, WebView is enabled on TCP port number 80 of the Matrix device. You can verify WebView status, enable or disable WebView, and reset the WebView port as described in the following section.
3 Using the CLI
This chapter provides information about using the CLI on Matrix DFE Series / N-SA devices.

For information about... | Refer to page...
Configuring CLI Access Security
• Repeated characters (e.g., “AAAAAA” or “999999”)
• Sports teams or terms (such as “Bulls” or “Golfer”)
• Favorite recording artist
• Obscenities or sexual terms
In addition to avoiding weak passwords, Enterasys also recommends that you:
• Do NOT write down the password and post it near the terminal.
• Do NOT use the login name and password of a former employee.
Table 3-1 Password Combinations (continued)
Number of Characters in Password | Possible Combinations (Letters A-Z only) | Possible Combinations (Letters A-Z, with numbers 0-9)
9 | 5,429,503,678,976 | 101,559,956,668,416
10 | 141,167,095,653,376 | 3,656,158,440,062,980

For a password to be strong and hard to break, it should:
• Be at least 8 characters long.
Setting New System Passwords
1. To set system passwords for the default Admin, Read-Write or Read-Only user accounts, from the su prompt enter:
   set password {admin | rw | ro}
2. Press ENTER. When prompted, enter a password as shown in the example below. Passwords are case sensitive and must be a minimum of 8 characters and a maximum of 40 characters.
Disabling a User Account
From the su prompt, use the following command to disable an existing user account:
   set system login username disable

Removing a User Account
From the su prompt, use the following command to remove an existing user account:
   clear system login username

Note: The default admin account cannot be deleted or disabled.
Example
This example shows how to display login account information. In this case, device defaults have not been changed:

Matrix(su)->show system login
Password history size: 0
Password aging : disabled
Username   Access      State
admin      super-user  enabled
ro         read-only   enabled
rw         read-write  enabled

Setting Password Policies
Once a password is established, the default password policies listed in Table 3-2 apply unless configured otherwise.
Setting Lockout Attempts and Duration
From the su prompt, use the following command to reset the number of failed login attempts allowed and the duration of the timeout. This setting will:
• Disable a Read-Write or Read-Only user account, or
• Lockout the default Admin (su) account for a specified number of minutes after maximum login attempts.
   set system lockout {[attempts attempts] [time time]}
Valid attempts values are 1 to 10. Default is 3.
Configuring Secure Shell (SSH) Server

Understanding the SSHv2 Protocol
Secure Shell (SSH) is a “secure” replacement for Telnet. When using Telnet, all communications, including passwords, are sent across the network in clear text (that is, un-encrypted), making eavesdropping on communications an easy task for a knowledgeable user with access to the network.
Generating Host Keys
Before enabling the SSH server, at least one host key must be generated. Use the following command to generate a host key:
   set ssh hostkey

Example
This example shows how to generate SSH private and public host keys. By default, bit size for the DSA and RSA key pairs is 1,024, which is considered very secure:

Matrix(rw)->set ssh hostkey
Generating 1024-bit dsa key pair
Key generated.
1024-bit dsa Private key saved to sshdrv:/.
Table 3-3 CLI Parameters (continued)
Task | Command Syntax
Enables the CLI command completion function, which allows you to complete a unique CLI command fragment using the keyboard spacebar. | set cli completion enable [default]

Displaying Scrolling Screens
If the CLI screen length has been set using the set length command as described in Table 3-3, CLI output requiring more than one screen will display --More-- to indicate continuing screens.
Getting Help with CLI Commands

Example
This example shows how to display context-sensitive help for the set length command:

Matrix(rw)->set length help
Command: set length                Number of lines
Usage:   set length screenlength   Length of the screen (5..512, 0 to disable 'more')

Performing Keyword Lookups
Entering a space and a question mark (?) after a keyword will display all commands beginning with the keyword.

Example
This example shows how to perform a keyword lookup for the show snmp command.
Abbreviating and Completing Commands

Example
This example shows how to use the partial keyword function for all commands beginning with co:

Matrix(rw)->co?
configure   Execute a configuration file
copy        Upload or download an image or configuration file
Matrix(rw)->co

Note: At the end of the lookup display, the system will repeat the command you entered without the ?.
Using Basic Line Editing Commands
The CLI supports Emacs-like line editing commands. Table 3-4 lists some commonly used line editing keystrokes and their associated commands.

Table 3-4 Basic Line Editing Commands
Key Sequence | Command
Ctrl+A | Move cursor to beginning of line.
Ctrl+B | Move cursor back one character.
Ctrl+C | Abort command.
Ctrl+D | Delete a character.
Ctrl+E | Move cursor to end of line.
Ctrl+F | Move cursor forward one character.
Understanding Module and Port Numbering

Switch Ports
Matrix devices have fixed front panel switch ports and, depending on the model, optional expansion module slots. The numbering scheme used to identify the switch ports on the front panel and the expansion module(s) installed is interface-type dependent and, in chassis-based systems, is also dependent upon the chassis in which the module(s) are installed.
Port String Syntax for the Matrix N-SA Device
Use this syntax to specify a port string:
   port type.port group.port number
Where port type can be:
• fe for 100-Mbps Ethernet
• ge for 1-Gbps Ethernet
• com for the COM (console) port
• host for host port
• vlan for vlan interfaces
• lag for IEEE802.
Table 3-5 Examples of Port String Designations (continued)
Port Type and Location | Port-String Syntax
All ports (of any interface type) of all modules in the chassis or standalone device | *.*.*
The console port in module 1 or in a standalone device | com.1.1
Virtual LAG port 2 | lag.0.2

Preparing the Device for Router Mode

Pre-Routing Configuration Tasks
The following pre-routing tasks must be performed from the switch CLI.
• Starting up the CLI.
Procedure 3-1 Enabling the Switch for Routing (continued)
Step | Task | Command(s)
3. | In router mode: Enable router Privileged EXEC mode. | enable
4. | In router Privileged EXEC mode: Enable global router configuration mode. | configure terminal
5. | In Global Configuration mode: Enable interface configuration mode using the interface of the routing module. |
6.
Table 3-6 Router Configuration Modes (continued)
Use this mode... | To... | Access method... | Resulting Prompt...
Global Configuration Mode | Set system-wide parameters. | Type configure terminal from Privileged EXEC mode. | Matrix>Router1(config)#
Interface Configuration Mode | Configure router interfaces. | Type interface vlan or interface loopback and the interface’s id from Global Configuration mode. |
Table 3-6 Router Configuration Modes (continued)
Use this mode... | To... | Access method... | Resulting Prompt...
DHCP Pool Configuration Mode | Configure a DHCP server address pool. | Type ip dhcp pool and the address pool name from Global Configuration Mode. | Matrix>Router1(config-dhcp-pool)#
DHCP Class Configuration Mode | Configure a DHCP client class. | Type client-class and the client class name from DHCP Pool or Host Configuration Mode. |
4 Configuring Link Aggregation
This chapter provides information about the following link aggregation configuration procedures on the Matrix DFE Series or N-SA device.

For information about... | Refer to page...
Link Aggregation Control Protocol (LACP) Overview

LACP Operation
For each aggregatable port in the device, LACP:
• Maintains configuration information (reflecting the inherent properties of the individual links as well as those established by management) to control aggregation.
• Exchanges configuration information with other devices to allocate the link to a Link Aggregation Group (LAG).

Note: A given link is allocated to, at most, one Link Aggregation Group (LAG) at a time.
Table 4-1 LACP Terms and Definitions (continued)
Term | Definition
LACPDU | Link Aggregation Control Protocol Data Unit. The protocol exchanges aggregation state/mode information by way of a port’s actor and partner operational states. LACPDUs sent by the first party (the actor) convey to the second party (the actor’s protocol partner) what the actor knows, both about its own state and that of its partner.
Configuring LAG Aggregator Keys and Priority
LACP uses a system priority value to build a LAG ID, which determines aggregation precedence. If there are two partner devices competing for the same aggregator, LACP compares the LAG IDs for each grouping of ports. The LAG with the lower LAG ID is given precedence and will be allowed to use the aggregator. There are a few cases in which ports will not aggregate:
• An underlying physical port is attached to another port on this same switch (loopback).
Configuring Underlying Physical Ports

Assigning a LAG Aggregator Key
LACP allows only underlying physical ports with keys that match their aggregators to join a LAG. You can change the default aggregator admin key for one or more ports, allowing those ports to join a LAG with a matching key value. Use this command to change the aggregator key for one or more LAG ports:
   set lacp aadminkey lagport-string value
The lagport-string must specify a virtual LAG port (lag.0.
Example
This example shows how to add Fast Ethernet port 6 in slot 1 to the LAG of aggregator port 4:

Matrix(rw)->set lacp static lag.0.4 fe.1.6

Setting Underlying LACP Port Parameters
Link aggregation parameters can be set for underlying physical ports that will determine their ability to join a LAG, and their administrative state once aggregated. Use the following commands to set link aggregation actor and partner parameters for one or more underlying ports.
To set the actor or partner administrative states:
   set port lacp port port-string aadminstate | padminstate {lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire}
Admin state parameters allow for actor or partner ports to perform as follows:
• lacpactive - Transmit LACP PDUs.
• lacptimeout - Transmit LACP PDUs every 1 second versus 30 seconds (default).
• lacpagg - Aggregate on this port.
5 Configuring Spanning Trees
This chapter provides the following information about configuring and monitoring Spanning Tree protocols on the Matrix DFE Series and N-SA device:

For information about... | Refer to page...
Overview of Spanning Tree Protocols

Table 5-1 Spanning Tree Terms and Definitions (continued)
Term | Definition
BPDU | Bridge Protocol Data Unit messages. Used by STP to exchange information, including designating a bridge for each switched LAN segment, and one root bridge for the spanning tree.
Bridge | Switching device.
Bridge priority | Assigns the bridge’s relative priority compared to other bridges.
Spanning Tree (IEEE 802.1D)
The Spanning Tree Protocol (STP) defined in IEEE 802.1D allows bridges to dynamically discover a subset of the topology that is loop-free. The loop-free tree that is discovered contains paths to every LAN segment. The Spanning Tree Protocol is used to eliminate data loops in an Ethernet network by creating a tree where there is only one data route between any two end stations. STP blocks redundant data paths.
• In addition to using hello time, forward delay, and max age information, MSTP also utilizes the hop count for improved performance.
MSTP can automatically detect the version of spanning tree being used on a LAN and send out the equivalent type of BPDU. In addition, MSTP incorporates a force version feature where the user may force MSTP to behave as STP or RSTP.
• Format Selector - One octet in length and is always 0. It cannot be administratively changed.
• Configuration Name - A user-assigned, case sensitive name given to the region. The maximum length of the name is 32 octets.
• Revision Level - Two octets in length. The default value of 0 may be administratively changed.
Various options may be configured on a per-MSTI basis to allow for differing topologies between MSTIs. To reduce network complexity and processing power needed to maintain MSTIs, you should only create as many MSTIs as needed.
Figure 5-4 Example of Multiple Regions and MSTIs (figure: Regions 1, 2 and 3 containing Devices 1 through 12, with the CIST Root, the CIST Regional Roots and the Master Ports marked)

Table 5-2 MSTI Characteristics for Figure 5-4
MSTI / Region | Characteristics
MSTI 1 in Region 1 | Root is Device 4, which is also the CIST regional root
MSTI 2 in Region 1 | Root is Device 5
MSTI 1 in Region 2 | Root is Device 7, which is also the CIST ro
Configuring STP and RSTP

Caution: Spanning Tree configuration should be performed only by personnel who are very knowledgeable about Spanning Trees and the configuration of the Spanning Tree Algorithms. Otherwise, the proper operation of the network could be at risk.
3. Review the status of spanning tree on one or more ports:
   show spantree portenable [port port-string]
4. If necessary, re-enable spanning tree on one or more ports:
   set spantree portenable port-string enable

Adjusting Spanning Tree Parameters
You may need to adjust certain spanning tree parameters if the default values are not suitable for your bridge configuration.
Setting a Port Priority
You can set a spanning tree priority for a port, which will be used to break the tie when two bridges tie for position as the root bridge. The bridge with the lowest port value will be elected. To set a port priority:
   set spantree portpri port-string priority [sid sid]
Valid priority values are 0 - 240 (in increments of 16) with 0 indicating high priority. Valid sid values are 0 - 4094. If not specified, SID 0 will be assumed.
Adjusting the Bridge Hello Time

Caution: Poorly chosen adjustments to bridge and port hello time parameters can have a negative impact on network performance. It is recommended that you do not change these parameters unless you are familiar with spanning tree configuration and have determined that adjustments are necessary. Please refer to the IEEE 802.1D specification for guidance.

Hello time is the interval at which the bridge or individual ports send BPDU messages.
Defining the Maximum Age
If a bridge does not hear BPDUs from the root bridge within a specified interval, it assumes that the network has changed and recomputes the spanning tree topology. To adjust the maximum age setting:
   set spantree maxage agingtime
Valid agingtime values are 6 - 40.
Defining Point-to-Point Links
By default, the administrative point-to-point status is set to auto on all spanning tree ports, allowing the Matrix DFE Series or N-SA firmware to determine each port’s point-to-point status. In most cases, this setting will not need to be changed and will provide optimal RSTP functionality. You can, however, use the following commands to review and, if necessary, change the point-to-point status of a spanning tree link.
4. Display the edge port administrative status of one or more port(s):
   show spantree adminedge [port port-string]
   A status of “true” indicates the port is administratively set to be considered an edge port. A status of “false” indicates the port is administratively set to be considered a non edge port. If port-string is not specified, edge port administrative status will be displayed for all spanning tree ports.
5.
Configuring MSTP

Figure 5-5 MSTP Sample Network Configuration (figure: Device #1 and Device #2 in MST Region South, carrying VLAN 2 and VLAN 3)

Procedure 5-1 shows how to configure Devices 1 and 2 for MSTP.

Procedure 5-1 Configuring Devices 1 and 2 for Simple MSTP
Step | Task | Command(s)
1. | Create VLANs 2 and 3. | set vlan create 2-3
2. | Set each device’s configuration name to South. | set spantree mstcfgid South
3. | Create MSTI SID 2. | set spantree msti sid 2 create
4. | Create MSTI SID 3. | set spantree msti sid 3 create
5.
Table 5-4 Commands for Monitoring MSTP (continued)
Task | Command
Display the mapping of one or more filtering database IDs (FIDs) to spanning trees. Since VLANs are mapped to FIDs, this shows to which SID a VLAN is mapped. | show spantree mstmap [fid fid]
Display the spanning tree ID(s) assigned to one or more VLANs. |
Configuring Spanguard

Enabling and Adjusting Spanguard
Use the following commands to configure device ports for Spanguard, to enable the Spanguard function, and to review Spanguard status on the device.

Reviewing and Setting Edge Port Status

Note: In order to utilize the Spanguard function, you must know which ports are connected between switches as ISLs (inter-switch links).
To review the Spanguard timeout setting on one or more ports:
   show spantree spanguardtimeout
To review the status of the Spanguard trap function:
   show spantree spanguardtrapenable
6 Managing Syslog
This chapter provides information about the following system logging procedures on the Matrix DFE Series and N-SA devices.

For information about... | Refer to page...
Logging Overview | 6-1
Interpreting Messages | 6-2
Configuring Syslog Servers, Applications, and Console Logging | 6-3

Logging Overview
The Syslog implementation on the Matrix DFE Series or N-SA device uses a series of system logging messages to track device activity and status.
Interpreting Messages

Syslog Terms and Definitions

Table 6-1 lists terms and definitions used in Syslog configuration.

Table 6-1 Syslog Terms and Definitions

Term | Definition
Facility | The Syslog specification uses a facility code to categorize which functional process is generating an error message. Syslog combines the facility and severity values to determine message priority. The Matrix DFE Series and N-SA implementation uses the eight facility designations reserved for local use: local0 - local7.
Configuring Syslog Servers, Applications, and Console Logging

Example

This example shows Syslog informational messages, displayed with the show logging buffer command. It indicates that messages were generated by facility 16 at severity level 5 from the CLI application on IP address 10.42.71.13. Table 6-2 describes the components of these messages.

Matrix(rw)->show logging buffer
<165>Sep 4 07:43:09 10.42.71.13 CLI[5]User:rw logged in from 10.2.1.122 (telnet)
<165>Sep 4 07:43:24 10.42.71.
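The following Python is an added example, not code from the Enterasys guide: it parses lines in the layout shown by show logging buffer and decodes the angle-bracket prefix with the RFC 3164 rule PRI = facility * 8 + severity, under which <165> is facility code 20 (local4) at severity 5. The line layout, the login pattern and the second buffer line are assumptions constructed for this example, and the bracketed number after the application name is captured as an opaque field. It also picks out logins that arrived over telnet, the kind of event a log reviewer wants to see because the credentials crossed the network in clear text.

```python
"""Parse Syslog lines in the format shown by `show logging buffer`.

Added example, not from the Enterasys guide. SAMPLE_BUFFER is constructed:
its first line copies the message format shown on the page, the second is invented.
"""
import re
from dataclasses import dataclass

# local0-local7 are facility codes 16-23 (RFC 3164), the range the guide says the device uses.
FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}
# RFC 3164 severities, 0 (most severe) to 7 (least severe).
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "info", "debug"]

# Assumed layout, matching the page's sample line: <PRI>Mon D HH:MM:SS source-ip APP[n]message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<app>[A-Za-z0-9_-]+)\[(?P<appfield>\d+)\]"
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    source: str
    application: str
    message: str

    @property
    def facility_name(self) -> str:
        return FACILITY_NAMES.get(self.facility, f"facility{self.facility}")

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def decode_pri(pri: int) -> tuple:
    """RFC 3164: PRI = facility * 8 + severity, so divmod recovers both."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_line(line: str) -> SyslogEvent:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    facility, severity = decode_pri(int(m["pri"]))
    return SyslogEvent(facility, severity, m["ts"], m["src"], m["app"], m["msg"])


# Constructed sample buffer (line 1 mirrors the page's format, line 2 is invented).
SAMPLE_BUFFER = """\
<165>Sep 4 07:43:09 10.42.71.13 CLI[5]User:rw logged in from 10.2.1.122 (telnet)
<165>Sep 4 07:45:02 10.42.71.13 CLI[5]User:rw logged in from 10.2.1.130 (ssh)
"""

# Assumed shape of the CLI login message body.
LOGIN_RE = re.compile(r"User:(?P<user>\S+) logged in from (?P<peer>\S+) \((?P<proto>\w+)\)")


def cleartext_logins(buffer: str) -> list:
    """Return (user, peer, timestamp) for logins over telnet, which carries
    the password in clear text; ssh logins are left out."""
    found = []
    for line in buffer.splitlines():
        ev = parse_line(line)
        lm = LOGIN_RE.search(ev.message)
        if lm and lm["proto"].lower() == "telnet":
            found.append((lm["user"], lm["peer"], ev.timestamp))
    return found
```

Feeding the buffer through cleartext_logins yields only the telnet login from 10.2.1.122; the ssh login on the constructed second line is ignored.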
About Server Versus Application Severity Levels

The default Syslog configuration allows client applications to generate messages on a severity level of 6 and the Syslog server to log messages from clients at a severity level of 8. This means that all enabled servers will accept messages from all logging applications generated for error conditions at levels 6, 7 and 8.
Modifying Default Settings

You can change factory default logging settings using one of the following methods.
configured and the server(s) to which messages will be sent.
Enabling Console Logging and File Storage

You can configure logging to display messages to the current console CLI session only, or to display to the console and save to a persistent file. Console logging allows you to view only as many messages as will fit on the screen. As new messages appear, old messages simply scroll off the console.
7 Configuring IP

This chapter provides information about the following Internet Protocol (IP) configuration procedures on the Matrix DFE Series and N-SA devices. These procedures involve general non-routing protocol configuration tasks that are independent of routing protocol (such as OSPF) operation of the device. For information on configuring the OSPF routing protocol, refer to Chapter 8, Configuring OSPF. For information on configuring the VRRP routing protocol, refer to Chapter 9, Configuring VRRP.
Using the Matrix DFE Series or N-SA Device as a Router

Example Scenario

Imagine you are using a Matrix DFE Series or N-SA switch device that is configured for 10 VLANs. Each VLAN includes 20 physical ports with one client on each port, for a total of 200 users in the 10 VLANs. Since, in the switching world, the only users that can talk to each other are the users in the same VLAN, the 20 users in VLAN 3 can talk to each other, but they can’t talk to the 180 other users in the rest of your network.
Pre-Routing Configuration Tasks

As discussed previously, the following pre-routing tasks must be performed from the switch CLI.
Table 7-2 Router CLI Configuration Modes (continued)

Use this mode: Router Configuration Mode
To: Set IP protocol parameters.
Access method: Type router and the protocol name from Global or Interface Configuration mode.
Resulting prompt: Matrix>Router1(config-router)#

Use this mode: Key Chain Configuration Mode
To: Set protocol (RIP) authentication key parameters.
Table 7-2 Router CLI Configuration Modes (continued)

Use this mode: DHCP Host Configuration Mode
To: Configure DHCP host parameters.
Access method: Type clientidentifier and the identifier, or hardware-address and an address from any DHCP configuration mode.
Resulting prompt: Matrix>Router1(config-dhcp-host)#

Note: To jump to a lower configuration mode, type exit at the command prompt.
Reviewing and Configuring Router Interfaces

This example shows how to use the show ip interface command to display IP configuration information for VLAN 1, including administrative status, IP address, MTU (Maximum Transmission Unit) size and bandwidth, and ACL configurations. Table 7-3 provides a detailed description of the command output:

Matrix>Router1#show ip interface vlan 1
Vlan 1 is Admin UP
Vlan 1 is Oper UP
IP Address 81.81.7.3 Mask 255.255.255.128
Frame Type ARPA MAC-Address 0001.f4da.
Configuring Interfaces for IP Routing

Each Matrix DFE Series or N-SA module can support up to 256 routing interfaces, which can be configured for IP routing using the procedures in this section.

Creating and Enabling IP Routing Interfaces

Each VLAN or loopback interface must be configured for routing separately using the interface command.
Sample Configuration

The following sample configuration assumes the example network scenario described in “Using the Matrix DFE Series or N-SA Device as a Router” on page 7-1. The administrator wants to allow five out of 10 VLANs to exchange traffic. These are VLANs 20, 30, 40, 50, and 60. Procedure 7-1 lists the steps and the associated commands necessary to complete this process.
**Set the inbound PVID associations for untagged frames**
Matrix(rw)->set port vlan fe.1.1-20 10
Matrix(rw)->set port vlan fe.1.21-40 20
Matrix(rw)->set port vlan fe.2.1-20 30
Matrix(rw)->set port vlan fe.2.21-40 40
Matrix(rw)->set port vlan fe.3.1-20 50
Matrix(rw)->set port vlan fe.3.21-40 60
Matrix(rw)->set port vlan fe.4.1-20 70
Matrix(rw)->set port vlan fe.4.21-40 80
Matrix(rw)->set port vlan fe.5.1-20 90
Matrix(rw)->set port vlan fe.5.
Managing Router Configuration Files

Each Matrix DFE Series or N-SA device provides a single configuration interface which allows you to perform both switch and router configuration with the same command set. This section demonstrates managing configuration files while operating in router mode only.
Saving or Erasing the Running Configuration

From privileged EXEC mode, use this command to save the router running configuration to NVRAM, to erase it, or to display it to output devices.

write [erase | file [filename config-file] | terminal]

If filename config-file is not specified, the configuration will be saved to startup.cfg. If no options are specified, the configuration will be displayed to the terminal.
Displaying or Writing the Current Config to a File

The Matrix DFE Series / N-SA’s single configuration interface allows you to use the show config command to display or write the current router configuration to a file. For details, refer back to Displaying the Running Configuration on page 7-10.

Configuring the Router

You can configure the router using either of the following methods.

Using a downloaded file...

1.
Reviewing and Configuring the ARP Table

Examples

This example shows how to display all entries in the ARP table:

Matrix>Router1#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
--------------------------------------------------------------------------
Internet  134.141.235.251  0          0003.4712.7a99  ARPA  Vlan1
Internet  134.141.235.165             0002.1664.a5b3  ARPA  Vlan1/fe.1.1
Internet  134.141.235.167  4          00d0.cf00.
Disabling or Re-enabling Proxy ARP on an Interface

A variation of the ARP protocol, proxy ARP allows the routing module to send an ARP response on behalf of an end node to the requesting host. Proxy ARP can lessen bandwidth use on slow-speed WAN links. It is enabled by default.
Configuring IP Broadcast Settings

Enabling or Disabling IP Directed Broadcasts

Directed broadcasts are network or subnet broadcast packets which are sent to a router for forwarding. They can be misused to create Denial of Service (DoS) attacks. By default, the Matrix DFE Series or N-SA device protects against this possibility by not forwarding directed broadcasts. However, depending on your network requirements, you may want to enable this function.
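To make the distinction concrete, here is an added Python example (not code from the guide or the device) that classifies a destination address against a router's attached subnets and reproduces the default forwarding decision described above: a packet addressed to a subnet's broadcast address is dropped unless directed-broadcast forwarding has been turned on for that router. The interface names and subnets are constructed, and the function names are this example's own; the exposure helper shows how many hosts a single forwarded directed broadcast would reach, which is the figure to weigh before enabling the function.

```python
"""Forwarding decision for broadcast destinations, mirroring the guide's default
of not forwarding directed broadcasts.

Added example, not from the Enterasys guide. INTERFACES is a constructed set of
routing interfaces; the function names are this example's own.
"""
from ipaddress import IPv4Address, IPv4Network

LIMITED_BROADCAST = IPv4Address("255.255.255.255")

# Constructed: VLAN routing interfaces and their attached subnets.
INTERFACES = {
    "Vlan10": IPv4Network("10.10.0.0/24"),
    "Vlan20": IPv4Network("10.20.0.0/24"),
}


def classify_destination(dst, interfaces):
    """Label dst relative to the attached subnets.

    'limited-broadcast'  -> 255.255.255.255, never routed off the local link
    'directed-broadcast' -> the broadcast address of an attached subnet
    'unicast'            -> an address inside an attached subnet
    'remote'             -> not on any attached subnet (route lookup needed)
    """
    ip = IPv4Address(dst)
    if ip == LIMITED_BROADCAST:
        return "limited-broadcast"
    for net in interfaces.values():
        if ip == net.broadcast_address:
            return "directed-broadcast"
        if ip in net:
            return "unicast"
    return "remote"


def should_forward(dst, interfaces, directed_broadcast_enabled=False):
    """True if a router with these interfaces forwards a packet to dst.

    directed_broadcast_enabled=False reproduces the guide's default: a packet
    addressed to a subnet's broadcast address is dropped rather than delivered
    to every host on that subnet.
    """
    kind = classify_destination(dst, interfaces)
    if kind == "limited-broadcast":
        return False
    if kind == "directed-broadcast":
        return directed_broadcast_enabled
    return True  # unicast and remote destinations follow normal routing


def directed_broadcast_exposure(interfaces, enabled_on):
    """Host count per interface that one forwarded directed broadcast would reach,
    for the interfaces (by name) where forwarding has been enabled."""
    return {
        name: max(net.num_addresses - 2, 0)
        for name, net in interfaces.items()
        if name in enabled_on
    }
```

With the constructed interfaces, 10.10.0.255 is a directed broadcast and is dropped by default, while 10.10.0.7 is ordinary unicast and is forwarded; enabling the function on Vlan20 exposes its 254 host addresses to each forwarded broadcast.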
Note: If a particular service exists inside the node, and there is no need to forward the request to remote networks, the “no” form of this command should be used to disable forwarding for the specific port. Such requests are not automatically blocked from being forwarded merely because a service for them exists in the node.
Configuring Routes and Monitoring IP Traffic

Adding or Removing Static IP Routes

From global configuration mode, use this command to add a static IP route.

ip route prefix mask {forward-addr | vlan vlan-id} [distance] [permanent] [tag value]

The forward-addr or vlan-id specifies the next hop gateway. Valid distance values are 1 - 255. Routes with lower values receive higher preference in route selection. If not specified, the default value of 1 will be applied.
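The following Python is an added example, not code from the guide or the device, showing how the distance value interacts with route selection: the table is consulted by longest prefix match first, and only among routes to the same prefix does the lower distance win, which is what lets a second static route with a high distance sit idle as a floating backup until the primary next hop is unreachable. The routes, next hops and the down set that simulates an unreachable next hop are constructed, and the handling of permanent (keep the route installed even when the next hop is down) is this example's reading of the keyword.

```python
"""Static route selection: longest prefix match, then lowest distance.

Added example, not from the Enterasys guide. The routes, next hops and the
`down` set simulating an unreachable next hop are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class StaticRoute:
    prefix: IPv4Network
    next_hop: str          # forward-addr, or "vlan <id>" for a directly attached VLAN
    distance: int = 1      # guide: valid 1-255, default 1, lower is preferred
    permanent: bool = False

    def __post_init__(self):
        if not 1 <= self.distance <= 255:
            raise ValueError(f"distance must be 1-255, got {self.distance}")


def add_route(table, prefix, mask, next_hop, distance=1, permanent=False):
    """Mirror `ip route prefix mask {forward-addr | vlan vlan-id} [distance] [permanent]`."""
    net = IPv4Network(f"{prefix}/{mask}", strict=True)  # reject host bits set in prefix
    table.append(StaticRoute(net, next_hop, distance, permanent))


def lookup(table, dst, down=frozenset()):
    """Pick the route for dst.

    Routes whose next hop is in `down` are skipped unless marked permanent
    (assumption for this example: a permanent route stays installed when its
    next hop is unreachable). Longest prefix wins; among equal prefixes the
    lowest distance wins.
    """
    ip = IPv4Address(dst)
    candidates = [
        r for r in table
        if ip in r.prefix and (r.permanent or r.next_hop not in down)
    ]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.distance))


def build_sample_table():
    """Constructed table: default route, primary and floating backup for 10/8,
    and a more specific route for 10.1/16 via an attached VLAN."""
    table = []
    add_route(table, "0.0.0.0", "0.0.0.0", "192.0.2.1")                  # default route
    add_route(table, "10.0.0.0", "255.0.0.0", "192.0.2.2")               # primary, distance 1
    add_route(table, "10.0.0.0", "255.0.0.0", "192.0.2.3", distance=50)  # floating backup
    add_route(table, "10.1.0.0", "255.255.0.0", "vlan 20", distance=5)   # more specific
    return table
```

Note that 10.1.2.3 goes out vlan 20 even though that route has distance 5 and the 10/8 route has distance 1: prefix length is compared before distance. Only when 10.9.9.9 has no more specific match does the distance-50 route take over, and only once 192.0.2.2 is marked down.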
Clearing IP Traffic Counters

From privileged EXEC mode, use this command to clear all IP traffic statistics counters (IP, ICMP, UDP, TCP, IGMP, and ARP).
Configuring ICMP

This example shows an unsuccessful ping to IP address 182.127.63.24:

Matrix>Router1#ping 182.127.63.24
Timed Out
Timed Out
Timed Out
------ PING 182.127.63.24 : Statistics ------
3 packets transmitted, 0 packets received, 100% packet loss

Using Traceroute

From privileged EXEC mode, use this command to display a hop-by-hop path through an IP network from the device to a specific destination host.
8 Configuring OSPF

This chapter provides information about the following Open Shortest Path First (OSPF) protocol configuration procedures on the Matrix DFE Series or N-SA device.

For information about... | Refer to page...
Using OSPF on a Matrix DFE or N-SA Series Device | 8-1
OSPF Overview | 8-1
Configuring OSPF | 8-7
Monitoring and Maintaining OSPF | 8-12

* Advanced License Required *

OSPF is an advanced routing feature that must be enabled with a license key.
OSPF Overview

router being added to the network, OSPF uses the Shortest Path First (SPF) algorithm (also referred to as the Dijkstra algorithm) to calculate new routes.

OSPF Terminology

Table 8-1 defines key terminology used in OSPF configuration.

Table 8-1 OSPF Terms and Definitions

Term | Definition
ABR | Area Border Router located on the border of one or more OSPF areas, connecting those areas to the backbone network.
Link-State Advertisements (LSAs)

Using OSPF, the Matrix DFE-Platinum Series system floods link-state advertisement (LSA) packets to keep its topological database updated, and to help ensure the databases of its neighbors are also current. Types of LSAs, each relating to a particular part of the OSPF routing domain, are as follows.

Router link advertisements are sent by each DFE Series system configured with OSPF to describe the router’s links within the area.
Figure 8-1 OSPF Topology: an OSPF backbone connected through ABRs to Area 1 and Area 2, with an ASBR connecting to the Internet.

OSPF Areas

OSPF allows networks to be grouped into areas — a collection of subnets that are grouped in a logical fashion. These areas communicate with other areas through the backbone area. Routing information passed between areas is abstracted, potentially allowing a significant reduction in routing traffic.
that fall within the specified ranges are not advertised into other areas as inter-area routes. Instead, the specified ranges are advertised as summary network LSAs.

Note: Although this does not apply to most changes to OSPF and other routing-based entries in the configuration file, the following actions force the OSPF Link State Databases (LSDB) to reinitialize:
• Adding a network to or removing one from an area.
• Changing an area’s type.
Autonomous System External (ASE) Link Advertisements

An autonomous system boundary router (ASBR) advertises external destinations throughout the OSPF autonomous system. In many cases, external link states make up a large percentage of the link states in the databases of every router. A stub area is an area in which you do not allow advertisements of external routes, thus reducing the size of the database even more. Instead, a default summary route (0.0.0.
Configuring OSPF

Table 8-3 Router Modes Used for OSPF Configuration (continued)

Use this mode: Interface Configuration Mode
To: Configure router interfaces.
Access method: Type interface vlan or interface loopback and the interface’s id from Global Configuration mode.
Resulting prompt: Matrix>Router1(config-if(Vlan 1 | Lpbk 1))#

Use this mode: OSPF Router Configuration Mode
To: Set OSPF parameters.
Access method: Type router ospf and the OSPF process-id from Global or Interface Configuration mode.
Table 8-4 OSPF Default Settings (continued)

Parameter | Default Setting | Config Mode | Command
Authentication (simple text) | None configured | Interface | ip ospf authentication-key password
Cost (interface) | 10 | Interface | ip ospf cost cost
Cost (stub area from ABR) | 1 | Router (OSPF) | area area-id default-cost cost
Dead interval | 40 seconds | Interface | ip ospf dead-interval seconds
Database overflow | Not configured | Router (OSPF) | database-overflow external {[exit-overflow-interval inte
Activating Advanced Routing

In order to enable advanced routing protocols, such as OSPF and extended ACLs, on a Matrix DFE Series or N-SA device, you must purchase and activate a license key. If you have purchased an advanced routing license, and have enabled routing on the device as described back in Procedure 3-1, you can proceed to activate your license as described in this section. If you wish to purchase an advanced routing license, contact Enterasys Networks Sales.

1.
Figure 8-2 Topology for Basic OSPF Configuration: Router 1 and Router 2 connected over VLAN 100.

Procedure 8-1 Basic OSPF Configuration

Step | Task | Command
1. | From switch mode, enter router mode on router 1. | router 1
2. | Enable router 1. | enable
3. | Enable global configuration mode. | configure terminal
4. | Create routing instance 1 on router 1, and enable OSPF router configuration mode for this instance. | router ospf 1
5. | Assign network interface 131.108.1.1 to area 1. | network 131.108.1.1 255.
Configuring an OSPF NSSA

As described in “OSPF Areas” on page 8-4, OSPF networks are grouped into areas. Routing information passed between areas is abstracted, potentially allowing a significant reduction in routing traffic.
Example

This example shows the complete configuration described in Procedure 8-2, beginning with VLAN 100 configuration in switch mode.

**Create the VLAN**
Matrix(rw)->set vlan create 100
**Set the inbound PVID associations for untagged frames**
Matrix(rw)->set port vlan fe.5.21-40 100
**Set the list of egress ports and tagging for the VLAN**
Matrix(rw)->set vlan egress 100 fe.5.
Monitoring and Maintaining OSPF

Displaying OSPF Information

From any router mode, use the commands listed in Table 8-5 to display OSPF information.

Table 8-5 Displaying OSPF Information

Command | Output
show ip ospf | OSPF instance information, including area, interfaces, and global parameters.
show ip ospf border-routers | Information about Autonomous System (AS) and Area Border Routers (ABRs).
Resetting OSPF

From Privileged EXEC mode, use this command to reset the OSPF process, forcing adjacencies to be reestablished and routes to be reconverged.

clear ip ospf process process-id

Debugging OSPF

From Privileged EXEC mode, use this command to generate OSPF debugging output displaying adjacency, flooding, retransmission events, LSA generation or packet processing information.
9 Configuring VRRP

This chapter provides the following information about configuring and monitoring the Virtual Router Redundancy Protocol (VRRP) on the Matrix DFE Series or N-SA device:

For information about... | Refer to page...
VRRP Overview | 9-1
Configuring VRRP | 9-2
Modifying a Configuration | 9-13
Monitoring VRRP | 9-17
VRRP Configuration Notes | 9-17

VRRP Overview

This section provides a brief overview of VRRP configuration on the Matrix DFE Series or N-SA device. VRRP is defined in RFC 3678.
Table 9-1 VRRP Terms and Definitions (continued)

Term | Definition
master | The router assigned to forward traffic designated for the virtual router. The master sends an advertisement to all other VRRP routers declaring its status and assumes responsibility for forwarding packets associated with its VRID.
backup | The router that takes over and begins forwarding traffic for the virtual router if the master router becomes unavailable.
Configuring VRRP

Basic VRRP Configuration

Figure 9-1 shows a basic VRRP configuration with a single virtual router. Routers R1 and R2 are both configured with one virtual router (VRID 1). Router R1 serves as the master and Router R2 serves as the backup. The four end hosts are configured to use 10.0.0.1/16 as the default route. IP address 10.0.0.1/16 is associated with virtual router ID (VRID) 1.

Figure 9-1 Basic VRRP Configuration: R1 (Master) and R2 (Backup) share VRID 1; Interface Addr. = 10.0.0.
Procedure 9-1 Configuring Router 1 for Basic VRRP (continued)

Step | Task | Command(s)
4. | In VRRP Configuration mode: Create a VRRP session for this router on VLAN 1 with a VRID of 1. | create vlan 1 1
5. | Set a virtual router address as VLAN 1, VRID 1, interface 10.0.0.1, and set this router as the master (owner value 1). | address vlan 1 1 10.0.0.
6. | Enable VRRP on this router on VLAN 1, VRID 1. | enable vlan 1 1
Example: Basic VRRP Configuration

This example shows the complete configuration for basic VRRP on Routers 1 and 2:

**Router 1**
Matrix>Router1(config)#interface vlan 1
Matrix>Router1(config-if(Vlan 1))#ip address 10.0.0.1 255.255.255.0
Matrix>Router1(config-if(Vlan 1))#no shutdown
Matrix>Router1(config)#router vrrp
Matrix>Router1(config-router)#create vlan 1 1
Matrix>Router1(config-router)#address vlan 1 1 10.0.0.
Figure 9-2 Symmetrical VRRP Configuration: R1 (Interface Addr. = 10.0.0.1/16) is master for VRID 1 and backup for VRID 2; R2 (Interface Addr. = 10.0.0.2/16) is master for VRID 2 and backup for VRID 1. VRID 1 uses Addr. = 10.0.0.1/16 and VRID 2 uses Addr. = 10.0.0.2/16. Hosts H1 and H2 have Default Route = 10.0.0.1/16; hosts H3 and H4 have Default Route = 10.0.0.2/16.

In this configuration, half the hosts use 10.0.0.
Procedure 9-3 Configuring Router 1 for Symmetrical VRRP (continued)

Step | Task | Command(s)
6. | Set a virtual router address as VLAN 1, VRID 1, interface 10.0.0.1, and set this router as the master (owner value 1). | address vlan 1 1 10.0.0.1 1
7. | Set a virtual router address as VLAN 1, VRID 2, interface 10.0.0.2, and set this router as backup (owner value 0). | address vlan 1 2 10.0.0.2 0
8. | Enable VRRP on this router on VLAN 1, VRIDs 1 and 2. |
Procedure 9-4 Configuring Router 2 for Symmetrical VRRP (continued)

Step | Task | Command(s)
8. | Enable VRRP on this router on VLAN 1, VRIDs 1 and 2. | enable vlan 1 1, then enable vlan 1 2

Note: Before enabling VRRP on this router you must set the other options described in this section. Once enabled, you cannot make any configuration changes to VRRP on this router without first disabling VRRP using the no enable vlan command.
Figure 9-3 Multi-Backup VRRP Configuration: R1 is master for VRID 1, 1st backup for VRID 2 and 1st backup for VRID 3; R2 is master for VRID 2, 1st backup for VRID 1 and 2nd backup for VRID 3; R3 is master for VRID 3, 2nd backup for VRID 1 and 2nd backup for VRID 2. VRID 1 = 10.0.0.1/16, VRID 2 = 10.0.0.2/16, VRID 3 = 10.0.0.3/16. Hosts H1 through H6 are split among Default Route = 10.0.0.1/16, Default Route = 10.0.0.2/16, and Default Route = 10.0.0.
Procedure 9-5 Configuring Router 1 for Multi-Backup VRRP (continued)

Step | Task | Command(s)
3. | In Global Configuration mode: Enable VRRP configuration mode on this router. | router vrrp
4. | In VRRP Configuration Mode: Create a VRRP session for this router on VLAN 1 with a VRID of 1. | create vlan 1 1
5. | Create a second VRRP session with a VRID of 2. | create vlan 1 2
6. | Create a third VRRP session with a VRID of 3. | create vlan 1 3
7. |
Router R2 Configuration

Use the following procedure to configure Router R2 as shown back in Figure 9-3:

Procedure 9-6 Configuring Router 2 for Multi-Backup VRRP

Step | Task | Command(s)
1. | In Global Configuration mode: Create a routing interface for Router 2 on VLAN 1. | interface vlan 1
2.-3. | In Interface Configuration mode: Set and enable IP address 10.0.0.2 255.255.255.0 on this router and VLAN. | ip address 10.0.0.2 255.255.255.0
Table 9-3 shows the priorities for each virtual router configured on Router R2.

Table 9-3 Priorities for Virtual Routers Configured on Router 2

Virtual Router | Configured Priority | Default Priority | Comments
VRID 1 on IP address 10.0.0.1/16 | 200 | 100 | Changing Router R2’s priority from 100 to 200 makes this virtual router primary backup for VRID 1. Since this number is higher than Router R3’s priority for VRID 1, R3 is the secondary backup.
VRID 2 on IP address 10.0.0.
Procedure 9-7 Configuring Router 3 for Multi-Backup VRRP (continued)

Step | Task | Command(s)
10. | Set a priority of 100 for this router on VRIDs 1 and 2, making it a secondary backup. Note: This command is shown for illustration purposes only since 100 is the default priority value and doesn’t have to be set. | priority vlan 1 1 100
11. | Enable VRRP on this router on VLAN 1, VRIDs 1, 2, and 3. |
**Router 2**
Matrix>Router2(config)#interface vlan 1
Matrix>Router2(config-if(Vlan 1))#ip address 10.0.0.2 255.255.255.0
Matrix>Router2(config-if(Vlan 1))#no shutdown
Matrix>Router2(config)#router vrrp
Matrix>Router2(config-router)#create vlan 1 1
Matrix>Router2(config-router)#create vlan 1 2
Matrix>Router2(config-router)#create vlan 1 3
Matrix>Router2(config-router)#address vlan 1 2 10.0.0.2 1
Matrix>Router2(config-router)#address vlan 1 1 10.0.0.
Modifying a Configuration

Setting the Advertisement Interval

The VRRP master router sends periodic advertisement messages to let the other routers know that the master is up and running. By default, advertisement messages are sent once each second. Use the following command in router configuration mode to change the VRRP advertisement interval:

advertise-interval vlan vlan-id vrid interval

Valid interval values are from 1 to 255 seconds.
Setting an Authentication Key

VRRP Packet Authentication Fields

As shown in the following illustration, each VRRP packet contains authentication fields in its IP header. Table 9-5 describes VRRP packet authentication fields and their descriptions.
VRRP Authentication Commands

By default, no authentication of VRRP packets is performed on the Matrix DFE Series or N-SA device. You can specify a clear text or a message digest (MD5) password to be used to authenticate VRRP exchanges on routing interfaces. Use the following command in interface configuration mode to set a clear text authentication password:

ip vrrp authentication-key password

Password is a text string 1 to 8 characters in length.
VRRP Configuration Notes

• Default backup router priority = 100
• Master-down-interval = time it takes a backup to detect the master is down
  – = (3 * adv-interval) + skew-time
  – = (3 * 1 second) + ((256 - 100) / 256)
  – = 3.6 seconds

Note: In some instances, a heavy load on a VRRP master may delay VRRP packet transmission and cause the backup router to assume the role of master.
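The Python below is an added example, not code from the guide, that carries the master-down-interval arithmetic above through for any priority and advertisement interval (the advertisement interval range follows the command described under Setting the Advertisement Interval) and orders the routers of one VRID into master and backups. The priorities and addresses are constructed to match the guide's multi-backup example for VRID 1 (address owner R1, R2 at 200, R3 at the default 100); the rule that the address owner uses priority 255 and that equal priorities are broken by the higher primary IP address comes from the VRRP specification rather than from this page. It also shows why the higher-priority backup becomes primary backup: its skew time is shorter, so it declares the master down first.

```python
"""VRRP timer arithmetic and master/backup ordering.

Added example, not from the Enterasys guide. The formulas follow the guide's
Configuration Notes; owner priority 255 and the IP-address tie-break follow the
VRRP specification. Router names, priorities and addresses are constructed.
"""
from ipaddress import IPv4Address

OWNER_PRIORITY = 255     # VRRP: the address owner advertises priority 255
DEFAULT_PRIORITY = 100   # guide: default backup router priority


def skew_time(priority):
    """skew-time = (256 - priority) / 256 seconds."""
    if not 1 <= priority <= 255:
        raise ValueError("priority must be 1-255")
    return (256 - priority) / 256


def master_down_interval(priority, advertise_interval=1):
    """Guide: master-down-interval = (3 * adv-interval) + skew-time."""
    if not 1 <= advertise_interval <= 255:
        raise ValueError("advertise-interval must be 1-255 seconds")
    return 3 * advertise_interval + skew_time(priority)


def election_order(routers):
    """routers: {name: (priority, primary_ip)} for one VRID.

    Highest priority wins; on equal priority the higher primary IP address wins.
    Index 0 is the master, the rest are backups in takeover order.
    """
    return sorted(
        routers,
        key=lambda r: (routers[r][0], int(IPv4Address(routers[r][1]))),
        reverse=True,
    )


def detection_times(routers, advertise_interval=1):
    """Seconds each backup waits before declaring the master down. A higher
    priority backup times out first, which is what makes it the primary backup."""
    order = election_order(routers)
    return {r: master_down_interval(routers[r][0], advertise_interval) for r in order[1:]}


# Constructed: VRID 1 from the guide's multi-backup topology.
VRID1 = {
    "R1": (OWNER_PRIORITY, "10.0.0.1"),
    "R2": (200, "10.0.0.2"),
    "R3": (DEFAULT_PRIORITY, "10.0.0.3"),
}
```

For VRID 1 the order is R1, R2, R3; R2 (priority 200) waits 3.21875 seconds before taking over, R3 (priority 100) the 3.609375 seconds the guide rounds to 3.6. Raising the advertisement interval stretches every backup's detection time by three times the increase, which is the trade-off to keep in mind when the note above about a heavily loaded master applies.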