NEC N8406-026 10Gb Intelligent L3 Switch Application Guide
Part number: 856-127950-102-00
First edition: Oct 2008
PN# 456-01797-000
Legal notices © 2008 NEC Corporation. The information contained herein is subject to change without notice. The only warranties for NEC products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. NEC shall not be liable for technical or editorial errors or omissions contained herein. Microsoft®, Windows®, and Windows NT® are U.S. registered trademarks of Microsoft Corporation.
Contents
Accessing the switch
Introduction 7
Additional references 7
Typographical conventions
VLAN tagging 46
VLANs and IP interfaces 49
VLAN topologies and design considerations
QoS levels 83
Using 802.1p priorities to provide QoS 83
802.1p configuration (AOS CLI example) 84
802.1p configuration (BBI example)
Remote monitoring
Introduction 132
Overview 132
RMON group 1 — statistics
Accessing the switch Introduction This guide will help you plan, implement, and administer the switch software. Where possible, each section provides feature overviews, usage examples, and configuration instructions. “Accessing the switch” describes how to configure and view information and statistics on the switch over an IP network.
Table 1 Typographic conventions
Typeface or symbol: AaBbCc123
Meaning: This type displays in command examples and shows text that must be typed in exactly as shown.
Typeface or symbol: bracketed AaBbCc123
Meaning: This bracketed type displays in command examples as a parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets.
Typeface or symbol: emphasized AaBbCc123
Meaning: This also shows guide titles, special terms, or words to be emphasized.
To establish a Telnet connection with the switch, run the Telnet program on your workstation and issue the telnet command, followed by the switch IP address:
telnet
Connecting through Secure Shell
By default, the Secure Shell (SSH) protocol is disabled on the switch. SSH enables you to securely log into another computer over a network to execute commands remotely.
>> # /cfg/l3/if 250                       (Select IP interface 250)
>> IP Interface 250# addr 205.21.17.3     (Assign IP address for the interface)
Current IP address: 0.0.0.0
New pending IP address: 205.21.17.3
Pending new subnet mask: 255.255.255.0
. . .
>> IP Interface 250# ena                  (Enable IP interface 250)
4. If necessary, configure the default gateway.
5. Configuring the default gateways allows the switch to send outbound traffic to the routers.
>> IP Interface 250# ../gw 254
6.
SNMP v1.0 To access the SNMP agent on the switch, the read and write community strings on the SNMP manager should be configured to match those on the switch. The default read community string on the switch is public and the default write community string is private. The read and write community strings on the switch can be changed using the following commands on the CLI.
2. Configure a user access group, along with the views the group may access. Use the access table to configure the group's access level.
View based configurations
CLI user equivalent
To configure an SNMP user equivalent to the CLI 'user,' use the following configuration:
/c/sys/ssnmp/snmpv3/usm 4 name "usr"
/c/sys/ssnmp/snmpv3/access 3 name "usrgrp" rview "usr" wview "usr" nview "usr"
/c/sys/ssnmp/snmpv3/group 4 uname usr gname usrgrp
/c/sys/ssnmp/snmpv3/view 6 name "usr" tree " 1.3.6.1.4.1.26543.2.6.1.2"
/c/sys/ssnmp/snmpv3/view 7 name "usr" tree " 1.3.6.1.4.1.26543.2.6.1.3"
/c/sys/ssnmp/snmpv3/view 8 name "usr" tree " 1.3.6.1.4.1.26543.2.
Configuring SNMP trap hosts
SNMPv1 trap host
1. Configure a user with no authentication and password.
/c/sys/ssnmp/snmpv3/usm 10 name "v1trap"    (Configure user named "v1trap")
2. Configure an access group and group table entries for the user.
SNMPv2 trap host configuration
The SNMPv2 trap host configuration is similar to the SNMPv1 trap host configuration. Wherever you specify the model, specify snmpv2 instead of snmpv1.
/c/sys/ssnmp/snmpv3/usm 10 name "v2trap"
/c/sys/ssnmp/snmpv3/access 10 name "v2trap" model snmpv2 nview "iso"
/c/sys/ssnmp/snmpv3/group 10 model snmpv2 uname v2trap gname v2trap
/c/sys/ssnmp/snmpv3/taddr 10 name v2trap addr 47.81.25.
For more information on using SNMP, see the Command Reference Guide.
Secure access to the switch
Secure switch management is needed for environments that perform significant management functions across the Internet. The following are some of the functions for secured management:
Limiting management users to a specific IP address range. See the "Setting allowable source IP address ranges" section in this chapter.
Authentication and authorization of remote administrators.
How RADIUS authentication works RADIUS authentication works as follows: 1. A remote administrator connects to the switch and provides the user name and password. 2. Using Authentication/Authorization protocol, the switch sends the request to the authentication server. 3. The authentication server checks the request against the user ID database. 4. Using RADIUS protocol, the authentication server instructs the switch to grant or deny administrative access.
6. Configure the number of retry attempts for contacting the RADIUS server and the timeout period.
>> RADIUS Server# apply
>> RADIUS Server# save
Configuring RADIUS on the switch (BBI example)
1. Configure RADIUS parameters.
a. Click the Configure context button.
b. Open the System folder, and select Radius.
c. Enter the IP address of the primary and secondary RADIUS servers, and enter the RADIUS secret for each server. Enable the RADIUS server.
2. Apply, verify, and save the configuration.
RADIUS authentication features
The switch supports the following RADIUS authentication features:
Supports RADIUS client on the switch, based on the protocol definitions in RFC 2138 and RFC 2866.
Allows RADIUS secret password up to 32 bytes.
Supports secondary authentication server so that when the primary authentication server is unreachable, the switch can send client authentication requests to the secondary authentication server.
RADIUS attributes for user privileges When the user logs in, the switch authenticates the level of access by sending the RADIUS access request, that is, the client authentication request, to the RADIUS authentication server. If the authentication server successfully authenticates the remote user, the switch verifies the privileges of the remote user and authorizes the appropriate access.
to the device. PAP, CHAP and ARAP login methods, TACACS+ change password requests, and one-time password authentication are not supported.
Authorization
Authorization is the action of determining a user's privileges on the device, and usually takes place after authentication. The default mapping between TACACS+ authorization privilege levels and switch management access levels is shown in the table below. The privilege levels listed in the following table must be defined on the TACACS+ server.
Configuring TACACS+ authentication on the switch (AOS CLI example)
1. Turn TACACS+ authentication on, then configure the Primary and Secondary TACACS+ servers.
>> Main# /cfg/sys/tacacs                    (Select the TACACS+ Server menu)
>> TACACS+ Server# on                       (Turn TACACS+ on)
Current status: OFF
New status: ON
>> TACACS+ Server# prisrv 10.10.1.1 -mgt    (Enter primary server IP)
Current primary TACACS+ server: 0.0.0.0
New pending primary TACACS+ server: 10.10.1.1
>> TACACS+ Server# secsrv 10.10.1.
Configuring TACACS+ authentication on the switch (BBI example)
1. Configure TACACS+ authentication for the switch.
a. Click the Configure context button.
b. Open the System folder, and select Tacacs+.
c. Enter the IP address of the primary and secondary TACACS+ servers, and enter the TACACS+ secret. Enable TACACS+.
d. Click Submit.
e. Configure custom privilege-level mapping (optional). Click Submit to accept each mapping change.
2. Apply, verify, and save the configuration.
Secure Shell and Secure Copy Secure Shell (SSH) and Secure Copy (SCP) use secure tunnels to encrypt and secure messages between a remote administrator and the switch. Telnet does not provide this level of security. The Telnet method of managing a switch does not provide a secure connection. SSH is a protocol that enables remote administrators to log securely into the switch over a network to execute management commands. By default, SSH is disabled (off) on the switch.
Enabling or disabling SCP apply and save
Enter the following commands from the switch CLI to enable the SCP putcfg_apply and putcfg_apply_save commands:
>> # /cfg/sys/sshd/ena    (Enable SCP apply and save)
>> # /cfg/sys/sshd/dis    (Disable SCP apply and save)
>> SSHD# apply            (Apply the changes)
Configuring the SCP administrator password
To configure the scpadmin (SCP administrator) password, first connect to the switch via the RS-232 management console.
For example:
>> # scp ad4.cfg admin@205.178.15.157:putcfg
Applying and saving configuration
Enter the apply and save commands after the command above (scp ad4.cfg 205.178.15.157:putcfg), or use the following commands. You will be prompted for a password.
>> # scp @:putcfg_apply
>> # scp @:putcfg_apply_save
For example:
>> # scp ad4.cfg admin@205.178.15.157:putcfg_apply
>> # scp ad4.cfg admin@205.178.15.
Generating RSA host and server keys for SSH access
To support the SSH server feature, two sets of RSA keys (host and server keys) are required. The host key is 1024 bits and is used to identify the switch. The server key is 768 bits and is used to make it impossible to decipher a captured session by breaking into the switch at a later time. When the SSH server is first enabled and applied, the switch automatically generates the RSA host and server keys and stores them in flash memory.
User access control The switch allows an administrator to define end user accounts that permit end users to perform limited actions on the switch. Once end user accounts are configured and enabled, the switch requires username/password authentication. The administrator defines access levels for each switch user, as shown in the following table.
Ports and trunking Introduction The first part of this chapter describes the different types of ports used on the switch. For specific information on how to configure ports for speed, auto-negotiation, and duplex modes, see the port commands in the Command Reference Guide. The second part of this chapter provides configuration background and examples for trunking multiple ports together. Trunk groups can provide super-bandwidth, multi-link connections between switches or other trunk-capable devices.
calculate the trunk port to use for forwarding traffic by applying the load distribution algorithm: the switch computes the XOR of the last 3 bits of the source MAC address and the last 3 bits of the destination MAC address, and uses the modulus of that value to select the trunk port.
Built-in fault tolerance
Since each trunk group is composed of multiple physical links, the trunk group is inherently fault tolerant. As long as even one physical link between the switches is available, the trunk remains active.
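The distribution rule above, as an added example that is not part of the NEC guide: it models the per-flow member selection for a trunk group so you can check which link a given source/destination MAC pair lands on, and why hosts whose MACs share the same low 3 bits crowd onto one link. Taking the hash modulo the number of member ports is an assumption of the example, as are the port numbers and MAC addresses.

```python
# Added example (not from the NEC guide): a model of the trunk-group load
# distribution rule. The member link is selected from the XOR of the low 3
# bits of the source MAC and the low 3 bits of the destination MAC, taken
# modulo the number of member links (the divisor is assumed here).
from collections import Counter


def parse_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 raw bytes; reject malformed input."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def trunk_hash(src_mac: str, dst_mac: str) -> int:
    """3-bit hash value (0..7): low 3 bits of src XOR low 3 bits of dst."""
    s = parse_mac(src_mac)[-1] & 0x07
    d = parse_mac(dst_mac)[-1] & 0x07
    return s ^ d


def select_member(src_mac: str, dst_mac: str, members: list) -> int:
    """Physical port (from the trunk member list) that carries this src/dst pair."""
    if not members:
        raise ValueError("trunk group has no member ports")
    return members[trunk_hash(src_mac, dst_mac) % len(members)]


def distribution(flows, members: list) -> Counter:
    """Count how many src/dst pairs land on each member port."""
    return Counter(select_member(s, d, members) for s, d in flows)


if __name__ == "__main__":
    # Constructed flows: three servers whose MACs all end in a multiple of 8
    # (low 3 bits zero) talking to one gateway MAC. With a 2-port crosslink
    # trunk they all hash to the same link, so the second link carries nothing.
    gateway = "00:21:00:00:00:01"
    servers = ["00:21:00:00:00:10", "00:21:00:00:00:20", "00:21:00:00:00:30"]
    print(distribution([(s, gateway) for s in servers], [17, 18]))
```

Because only 3 bits of each address feed the hash, at most 8 distinct hash values exist; with few flows, or with sequentially assigned server MACs, expect uneven link utilisation rather than an even spread.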
Port trunking example
In this example, the Gigabit uplink ports on each switch, and the crosslink ports are configured into a total of 4 trunk groups: 2 on each switch, and one trunk group at the crosslink between the 2 switches.
NOTE: The actual mapping of switch ports to NIC interfaces is dependent on the operating system software, the type of server blade, and the enclosure type. For more information, see the N8406-026 10Gb Intelligent L3 Switch User’s Guide.
Configuring trunk groups (AOS CLI example) 1. 2.
Configuring trunk groups (BBI example)
1. Configure trunk groups.
a. Click the Configure context button on the Toolbar.
b. Open the Layer 2 folder, and select Trunk Groups.
c. Click a Trunk Group number to select it.
d. Enable the Trunk Group. To add ports, select each port in the Ports Available list, and click Add.
e. Click Submit.
2. Apply, verify, and save the configuration.
3. Examine the trunking information on each switch.
a. Click the Dashboard context button on the Toolbar.
b. Select Trunk Groups.
c. Information about each configured trunk group is displayed. Make sure that trunk groups consist of the expected ports and that each port is in the expected state.
Configurable Trunk Hash algorithm
This feature allows you to configure the particular parameters for the switch Trunk Hash algorithm instead of having to use the defaults. You can configure new default behavior for Layer 2 traffic and Layer 3 traffic, using the CLI menu /cfg/l2/thash.
Link Aggregation Control Protocol Link Aggregation Control Protocol (LACP) is an IEEE 802.3ad standard for grouping several physical ports into one logical port (known as a dynamic trunk group or Link Aggregation group) with any device that supports the standard. Refer to the IEEE 802.3ad-2002 for a full description of the standard. The 802.3ad standard allows standard Ethernet links to form a single Layer 2 link using the Link Aggregation Control Protocol (LACP).
NOTE: If you configure LACP on ports with 802.1x network access control, make sure the ports on both sides of the connection are properly configured for both LACP and 802.1x.
Configuring LACP
Use the following procedure to configure LACP for port 20 and port 21 to participate in link aggregation.
1. Set the LACP mode on port 20.
>> # /cfg/l2/lacp/port 20
>> LACP port 20# mode active
2. Define the admin key on port 20. Only ports with the same admin key can form a LACP trunk group.
Port-based Network Access and traffic control Port-based Network Access control Port-based Network Access control provides a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics. It prevents access to ports that fail authentication and authorization. This feature provides security to all ports of the 10Gb switch (except the management port 17).
The following figure shows a typical message exchange initiated by the client. Figure 2 Using EAPoL to authenticate a port Switch EAPoL Message Exchange During authentication, EAPOL messages are exchanged between the client and the switch authenticator, while RADIUS-EAP messages are exchanged between the switch authenticator and the Radius authentication server. Authentication is initiated by one of the following methods: Switch authenticator sends an EAP-Request/Identity packet to the client.
NOTE: When an 802.1x-enabled client connects to a port that is not 802.1x-controlled, the client initiates the authentication process by sending an EAPOL-Start frame. When no response is received, the client retransmits the request for a fixed number of times. If no response is received, the client assumes the port is in authorized state, and begins sending frames, even if the port is unauthorized. 802.
Table 9 EAP support for RADIUS attributes
# Attribute Attribute Value A-R A-A A-C A-R
Legend:
RADIUS Packet Types: A-R (Access-Request), A-A (Access-Accept), A-C (Access-Challenge), A-R (Access-Reject)
RADIUS Attribute Support:
0 This attribute MUST NOT be present in a packet.
0+ Zero or more instances of this attribute MAY be present in a packet.
0-1 Zero or one instance of this attribute MAY be present in a packet.
1 Exactly one instance of this attribute MUST be present in a packet.
Configuring port-based traffic control
To configure a port for traffic control, perform the following steps:
1. Configure the traffic-control threshold and enable traffic control.
>> Main# /cfg/port 2
>> Port 2# brate 150000    (Set broadcast threshold)
>> Port 2# mrate 150000    (Set multicast threshold)
>> Port 2# drate 150000    (Set DLF threshold)
2. To disable a traffic-control threshold, use the following command:
>> Port 2# mrate dis       (Disable multicast threshold)
3. Apply and save the configuration.
VLANs Introduction This chapter describes network design and topology considerations for using Virtual Local Area Networks (VLANs). VLANs are commonly used to split up groups of network users into manageable broadcast domains, to create logical segmentation of workgroups, and to enforce security policies among logical segments.
Viewing and configuring PVIDs
You can view PVIDs from the following AOS CLI commands:
Port information
>> /info/port
Port Tag RMON PVID NAME           VLAN(s)
---- --- ---- ---- -------------- ------------------------------
1    n   d    1    Downlink1      1
2    n   e    1    Downlink2      1
3    n   d    1    Downlink3      1
4    n   d    1    Downlink4      1
5    n   d    1    Downlink5      1
6    n   d    1    Downlink6      1
7    n   d    1    Downlink7      1
:    :
Port configuration
>> /cfg/port 21/pvid 21
Current port VLAN ID: 1
New pending port VLAN ID: 21
>> Port 22#
Each port on the switch can belong to one or
NOTE: If an 802.1Q tagged frame is sent to a port that has VLAN-tagging disabled, then the frames are forwarded based on their port-VLAN ID (PVID). Figure 3 Default VLAN settings NOTE: The port numbers specified in these illustrations may not directly correspond to the physical port configuration of your switch model. When you configure VLANs, you configure the switch ports as tagged or untagged members of specific VLANs. See the following figures.
Figure 5 802.1Q tagging (after port-based VLAN assignment) In the following figure, the tagged incoming packet is assigned directly to VLAN 2 (PVID=2) because of the tag assignment in the packet. Port 5 is configured as a tagged member of VLAN 2, and port 7 is configured as an untagged member of VLAN 2. Figure 6 802.1Q tag assignment As shown in the following figure, the tagged packet remains unchanged as it leaves the switch through port 5, which is configured as a tagged member of VLAN 2.
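The ingress assignment and egress tagging rules shown in Figures 3 to 7, as an added example that is not part of the NEC guide: a tagged frame arriving on a port with tagging disabled is assigned the PVID (the NOTE above), a tagged frame on a tagging-enabled port takes the VLAN from its tag, untagged frames take the PVID, and on egress a tagged member keeps the tag while an untagged member strips it. Port numbers, PVIDs, membership and frame contents are constructed for the example.

```python
# Added example (not from the NEC guide): models 802.1Q ingress VLAN
# assignment and egress tagging as described in the VLAN tagging figures.
import struct

TPID_8021Q = 0x8100


class Port:
    """Switch port: PVID, whether VLAN tagging is enabled, and VLAN membership."""

    def __init__(self, number, pvid=1, tagging=False, vlans=None):
        self.number = number
        self.pvid = pvid
        self.tagging = tagging
        self.vlans = set(vlans) if vlans is not None else {pvid}


def parse_frame(frame: bytes):
    """Return (dst, src, vlan_id, pcp, payload); vlan_id and pcp are None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        # TCI layout: 3-bit PCP (802.1p priority), 1-bit DEI, 12-bit VID
        return dst, src, tci & 0x0FFF, tci >> 13, frame[16:]
    return dst, src, None, None, frame[12:]


def build_frame(dst: bytes, src: bytes, payload: bytes, vlan_id=None, pcp=0) -> bytes:
    """Assemble a frame, inserting an 802.1Q tag when vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vlan_id & 0x0FFF))
    return header + payload


def ingress_vlan(port: Port, frame: bytes) -> int:
    """VLAN the switch assigns to a frame arriving on `port`."""
    _, _, vid, _, _ = parse_frame(frame)
    # Untagged frames, tagged frames on a port with tagging disabled, and
    # priority-tagged frames (VID 0) are all assigned the port's PVID.
    if vid is None or vid == 0 or not port.tagging:
        return port.pvid
    return vid


def egress_frame(port: Port, vlan: int, frame: bytes) -> bytes:
    """Frame as it leaves `port`: tagged members carry the tag, untagged members do not."""
    if vlan not in port.vlans:
        raise ValueError(f"port {port.number} is not a member of VLAN {vlan}")
    dst, src, _, pcp, payload = parse_frame(frame)
    if port.tagging:
        return build_frame(dst, src, payload, vlan_id=vlan, pcp=pcp or 0)
    return build_frame(dst, src, payload)


if __name__ == "__main__":
    # Constructed frame: IPv4 ethertype plus a short payload, tagged for VLAN 2.
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("00210000000a")
    tagged = build_frame(dst, src, bytes.fromhex("0800") + b"data", vlan_id=2, pcp=5)
    port5 = Port(5, pvid=1, tagging=True, vlans={1, 2})   # tagged member of VLAN 2
    port4 = Port(4, pvid=1, tagging=False)                 # tagging disabled, PVID 1
    print("port 5 assigns VLAN", ingress_vlan(port5, tagged))
    print("port 4 assigns VLAN", ingress_vlan(port4, tagged))
```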
VLANs and IP interfaces Carefully consider how you create VLANs within the switch, so that communication with the switch remains possible. In order to access the switch for remote configuration, trap messages, and other management functions, be sure that at least one IP interface on the switch has a VLAN defined. You can also inadvertently cut off access to management functions if you exclude the ports from the VLAN membership.
Multiple VLANS with tagging The following figure shows only those switch port to server links that must be configured for the example. While not shown, all other server links remain set at their default settings. Figure 8 Multiple VLANs with VLAN tagging The features of this VLAN are described in the following table: NOTE: The port numbers specified in these illustrations may not directly correspond to the physical port configuration of your switch model.
Table 10 Multiple VLANs with tagging
Component Description
CPU Blade Server #1 This high-use blade server needs to be accessed from all VLANs and IP subnets. The server has a VLAN-tagging adapter installed with VLAN tagging turned on. One adapter is attached to one of the switch's 10 Gbps ports, which is configured for VLANs 1 and 2. One adapter is configured for VLANs 3 and 4.
2. Configure the VLANs and their member ports. Since all ports are by default configured for VLAN 1, configure only those ports that belong to VLAN 2. Crosslink ports 17 and 18 must belong to VLANs 1 and 3.
2. Configure the VLANs and their member ports. Since all ports are by default configured for VLAN 1, configure only those ports that belong to other VLANs.
>> /cfg/l2/vlan 3
>> VLAN 3# add 2
Current ports for VLAN 3: empty
Pending new ports for VLAN 3: 2
>> VLAN 3# add 4
Port 4 is an UNTAGGED port and its current PVID is 1.
c. Click a port number to select it.
d. Enable the port and enable VLAN tagging.
e. Click Submit.
2. Configure the VLANs and their member ports.
a. Open the Virtual LANs folder, and select Add VLAN.
b. Enter the VLAN name, VLAN ID number, and enable the VLAN. To add ports, select each port in the Ports Available list and click Add. Since all ports are configured for VLAN 1 by default, configure only those ports that belong to VLAN 2.
c. Click Submit.
The external Layer 2 switches should also be configured for VLANs and tagging.
3. Apply, verify, and save the configuration.
FDB static entries
Static entries in the Forwarding Database (FDB) allow the switch to forward packets without flooding ports to perform a lookup. An FDB static entry is a MAC address associated with a specific port and VLAN. The switch supports 128 static entries.
Spanning Tree Protocol Introduction When multiple paths exist on a network, Spanning Tree Protocol (STP) configures the network so that a switch uses only the most efficient path. The following topics are discussed in this chapter: Overview Bridge Protocol Data Units (BPDUs) Spanning Tree Group (STG) configuration guidelines Multiple Spanning Trees Overview Spanning Tree Protocol (STP) detects and eliminates logical loops in a bridged or switched network.
Port path cost
The port path cost assigns lower values to high-bandwidth ports, such as Gigabit Ethernet, to encourage their use. The objective is to use the fastest links so that the route with the lowest cost is chosen. A value of 0 indicates that port cost is computed dynamically based on link speed. This works when forcing link speed, so it does not just apply to "auto negotiated link speed". By default, all switch ports have the path cost set to 2, independent of the link speed.
Adding and removing ports from STGs Information on adding and removing ports from STGs is as follows: By default, all ports except Port 17 belong to VLAN 1 and STG 1. Each port is always a member of at least one VLAN. Each VLAN is always a member of at least one STG. Port membership within VLANs can be changed, and VLAN membership within STGs can be changed. To move a port from one STG to another, move the VLAN to which the port belongs, or move the port to a VLAN that belongs to the STG.
Figure 9 Two VLANs on one instance of Spanning Tree Protocol In the following figure, VLAN 1 and VLAN 2 belong to different Spanning Tree Groups. The two instances of spanning tree separate the topology without forming a loop, so that both VLANs can forward packets between the switches without losing connectivity.
Configuring Switch 1 (AOS CLI example)
1. Configure port and VLAN membership on Switch 1 as described in the "Configuring ports and VLANs on Switch 1 (AOS CLI example)" section, in the "VLANs" chapter of this guide.
2. Add VLAN 2 to Spanning Tree Group 2.
>> /cfg/l2/stp 2                   (Select Spanning Tree Group 2)
>> Spanning Tree Group 2# add 2    (Add VLAN 2)
VLAN 2 is automatically removed from spanning tree group 1.
3. Apply and save.
c. Enter the Spanning Tree Group number and set the Switch Spanning Tree State to on. To add a VLAN to the Spanning Tree Group, select the VLAN in the VLANs Available list, and click Add. VLAN 2 is automatically removed from Spanning Tree Group 1.
d. Scroll down, and click Submit.
3. Apply, verify, and save the configuration.
Configuring Port Fast Forwarding Use the following CLI commands to enable Port Fast Forwarding on an external port.
RSTP and MSTP Introduction Rapid Spanning Tree Protocol (IEEE 802.1w) enhances the Spanning Tree Protocol (IEEE 802.1D) to provide rapid convergence on Spanning Tree Group 1. Multiple Spanning Tree Protocol (IEEE 802.1s) extends the Rapid Spanning Tree Protocol to provide both rapid convergence and load balancing in a VLAN environment.
Link type The link type determines how the port behaves in regard to Rapid Spanning Tree. The link type corresponds to the duplex mode of the port. A full-duplex link is point-to-point (p2p), while a half-duplex link should be configured as shared. If you select auto as the link type, the port dynamically configures the link type.
b. Open the MSTP/RSTP folder, and select General.
c. Select RSTP mode, and set the MSTP/RSTP state to ON.
d. Click Submit.
3. Apply, verify, and save the configuration.
Multiple Spanning Tree Protocol
IEEE 802.1s Multiple Spanning Tree extends the IEEE 802.1w Rapid Spanning Tree Protocol through multiple Spanning Tree Groups. MSTP maintains up to 32 spanning-tree instances that correspond to STP Groups 1 to 32. In Multiple Spanning Tree Protocol (MSTP), several VLANs can be mapped to each Spanning-Tree instance. Each Spanning-Tree instance is independent of other instances.
>> Multiple Spanning Tree: rev xx         (Define the Region revision level)
3. Assign VLANs to Spanning Tree Groups.
>> /cfg/l2/stp 2                          (Select Spanning Tree Group 2)
>> Spanning Tree Group 2# add 2           (Add VLAN 2)
>> Spanning Tree Group 2# apply           (Apply the configurations)
Configuring Multiple Spanning Tree Protocol (BBI example)
1. Configure port and VLAN membership on the switch, as described in the "Configuring ports and VLANs (BBI example)" section in the "VLANs" chapter of this guide.
2.
3. Configure Common Internal Spanning Tree (CIST) bridge parameters.
a. Open the MSTP/RSTP folder, and select CIST-Bridge.
b. Enter the Bridge Priority, Maximum Age, and Forward Delay values.
c. Click Submit.
4. Configure Common Internal Spanning Tree (CIST) port parameters.
a. Open the MSTP/RSTP folder, and select CIST-Ports.
b. Click a port number to select it.
c. Enter the Port Priority, Path Cost, and select the Link Type. Set the CIST Port State to ON.
d. Click Submit.
5. Apply, verify, and save the configuration.
Quality of Service Introduction Quality of Service features allow you to allocate network resources to mission-critical applications at the expense of applications that are less sensitive to such factors as time delays or network congestion. You can configure your network to prioritize specific types of traffic, ensuring that each type receives the appropriate Quality of Service (QoS) level.
Queue and schedule traffic: Place packets in one of two COS queues Schedule transmission based on the COS queue weight Using ACL filters Access Control Lists are filters that allow you to classify and segment traffic, so you can provide different levels of service to different traffic types. Each filter defines the conditions that must match for inclusion in the filter, and also the actions that are performed when a match is made.
Table 15 Well-known application ports
Number TCP/UDP Application
69 tftp
70 gopher
161 snmp
162 snmptrap
1985 hsrp
Table 16 Well-known TCP flag values
Flag Value
URG 0x0020
ACK 0x0010
PSH 0x0008
RST 0x0004
SYN 0x0002
FIN 0x0001
Packet Format
Ethernet format (Ethernet II, SNAP, LLC)
Ethernet tagging format
Egress port packets
Note that the egress port ACL will not match a broadcast, multicast, unknown unicast, or Layer 3 packet
Using ACL Groups Access Control Lists (ACLs) allow you to classify packets according to a particular content in the packet header, such as the source address, destination address, source port number, destination port number, and others. Packet classifiers identify flows for more processing. You can define a traffic profile by compiling a number of ACLs into an ACL Group, and assigning the ACL Group to a port. ACL Groups are assigned and enabled on a per-port basis.
Out-of-Profile : If a meter is configured and the packet does not conform to the meter (exceeds the committed rate or maximum burst rate of the meter), the packet is classified as Out-of-Profile. Using meters, you set a Committed Rate in Kb/s (1024 bits per second in each Kb/s). All traffic within this Committed Rate is In-Profile. Additionally, you set a Maximum Burst Size that specifies an allowed data burst larger than the Committed Rate for a brief period. These parameters define the In-Profile traffic.
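The In-Profile/Out-of-Profile classification described above, as an added example that is not part of the NEC guide: a single-rate token-bucket meter using the guide's Committed Rate unit (1 Kb/s = 1024 bit/s) and a Maximum Burst Size. The burst unit (bytes), the bucket model and the packet trace are assumptions of the example.

```python
# Added example (not from the NEC guide): a token-bucket meter that labels
# each packet In-Profile or Out-of-Profile. Tokens are bits, refilled at the
# Committed Rate (Kb/s, 1 Kb/s = 1024 bit/s per the guide) and capped at the
# Maximum Burst Size (taken here in bytes; the unit is an assumption).


class Meter:
    """Single-rate token bucket: conforming packets spend tokens, others do not."""

    def __init__(self, committed_rate_kbps: int, max_burst_bytes: int):
        if committed_rate_kbps <= 0 or max_burst_bytes <= 0:
            raise ValueError("rate and burst must be positive")
        self.rate_bps = committed_rate_kbps * 1024
        self.capacity = max_burst_bytes * 8
        self.tokens = float(self.capacity)   # bucket starts full
        self.last_time = 0.0

    def classify(self, now: float, size_bytes: int) -> str:
        """Classify one packet of size_bytes arriving at time `now` (seconds)."""
        if now < self.last_time:
            raise ValueError("packet timestamps must be non-decreasing")
        # Refill for the elapsed time, never beyond the burst size.
        self.tokens = min(self.capacity,
                          self.tokens + (now - self.last_time) * self.rate_bps)
        self.last_time = now
        bits = size_bytes * 8
        if bits <= self.tokens:
            self.tokens -= bits
            return "In-Profile"
        # Non-conforming packets leave the bucket untouched; the configured
        # out-of-profile action (drop, re-mark, ...) is applied by the caller.
        return "Out-of-Profile"


def meter_trace(meter: Meter, packets) -> list:
    """Run a (time_seconds, size_bytes) sequence through the meter; return the verdicts."""
    return [meter.classify(t, n) for t, n in packets]


if __name__ == "__main__":
    # Constructed trace: 1000 Kb/s committed rate, 1500-byte burst.
    # Two back-to-back full-size packets at t=0: only the first conforms.
    trace = [(0.0, 1500), (0.0, 1500), (0.01, 1000), (0.02, 1500)]
    print(meter_trace(Meter(1000, 1500), trace))
```

A burst size smaller than the largest frame the port carries makes every such frame Out-of-Profile regardless of how quiet the link is, which is a common misconfiguration to check for when traffic is unexpectedly dropped or re-marked.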
Example 3: Use this configuration to block traffic from a source that is destined for a specific egress port.
>> Main# /cfg/acl/acl 1                                       (Define ACL 1)
>> ACL 1# ethernet/smac 00:21:00:00:00:00 ff:ff:ff:ff:ff:ff
>> Filtering Ethernet# ..
c. Configure the ACL parameters. Set the Filter Action to Deny, the Ethernet Type to IPv4, and the Destination IP Address to 100.10.1.116.
d. Click Submit.
2. Apply, verify, and save the configuration.
3. Add ACL 1 to port 1.
a. Click the Configure context button on the Toolbar.
b. Select Switch Ports (click the underlined text, not the folder).
c. Select a port.
d. Add the ACL to the port.
e. Click Submit.
4. Apply, verify, and save the configuration.
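The ACL conditions used in the examples above (source MAC with mask, Ethernet type, destination IP, egress port) and the note that an egress-port ACL never matches broadcast, multicast, unknown-unicast or Layer 3 packets, as an added example that is not part of the NEC guide. First-match evaluation in ACL-number order, the field names and the sample packets are assumptions of the example.

```python
# Added example (not from the NEC guide): a model of ACL matching for the
# conditions shown in the ACL examples, including the egress-port restriction
# (no match on broadcast, multicast, unknown unicast or routed packets).
import ipaddress
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4 = 0x0800


def mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def is_group_address(mac: str) -> bool:
    """Multicast or broadcast: the I/G bit (least significant bit of octet 1) is set."""
    return bool(mac_int(mac) & (1 << 40))


@dataclass
class Packet:
    smac: str
    dmac: str
    ethertype: int
    dip: Optional[str] = None
    egress_port: Optional[int] = None
    known_unicast: bool = True   # False when the destination MAC is not in the FDB
    routed: bool = False         # True when the packet is forwarded at Layer 3


@dataclass
class Acl:
    number: int
    action: str                  # "deny" or "permit"
    smac: Optional[str] = None
    smac_mask: str = "ff:ff:ff:ff:ff:ff"
    ethertype: Optional[int] = None
    dip: Optional[str] = None    # CIDR prefix, e.g. "100.10.1.116/32"
    egress_port: Optional[int] = None


def acl_matches(acl: Acl, pkt: Packet) -> bool:
    """True when every condition configured on the ACL matches the packet."""
    if acl.smac is not None:
        mask = mac_int(acl.smac_mask)
        if (mac_int(pkt.smac) & mask) != (mac_int(acl.smac) & mask):
            return False
    if acl.ethertype is not None and pkt.ethertype != acl.ethertype:
        return False
    if acl.dip is not None:
        if pkt.dip is None:
            return False
        if ipaddress.ip_address(pkt.dip) not in ipaddress.ip_network(acl.dip, strict=False):
            return False
    if acl.egress_port is not None:
        if pkt.egress_port != acl.egress_port:
            return False
        # Egress-port ACLs only see known-unicast, Layer 2 switched traffic.
        if is_group_address(pkt.dmac) or not pkt.known_unicast or pkt.routed:
            return False
    return True


def evaluate(acls, pkt: Packet, default: str = "permit") -> str:
    """Action of the lowest-numbered matching ACL, or `default` when none match."""
    for acl in sorted(acls, key=lambda a: a.number):
        if acl_matches(acl, pkt):
            return acl.action
    return default


if __name__ == "__main__":
    # Constructed policy: ACL 1 mirrors Example 3 (block one source MAC toward
    # egress port 3); ACL 2 mirrors the BBI example (deny IPv4 to 100.10.1.116).
    policy = [Acl(1, "deny", smac="00:21:00:00:00:00", egress_port=3),
              Acl(2, "deny", ethertype=ETHERTYPE_IPV4, dip="100.10.1.116/32")]
    unicast = Packet("00:21:00:00:00:00", "00:11:22:33:44:55", ETHERTYPE_IPV4,
                     dip="10.0.0.5", egress_port=3)
    broadcast = Packet("00:21:00:00:00:00", "ff:ff:ff:ff:ff:ff", 0x0806, egress_port=3)
    print("unicast out port 3:", evaluate(policy, unicast))      # deny
    print("broadcast out port 3:", evaluate(policy, broadcast))  # permit
```

The broadcast case is the practical caveat: an egress-port deny rule does not stop ARP or other flooded traffic from the blocked source, so filter on the ingress port when that traffic must be stopped too.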
Using DSCP values to provide QoS The six most significant bits in the TOS byte of the IP header are defined as DiffServ Code Points (DSCP). Packets are marked with a certain value depending on the type of treatment the packet must receive in the network device. DSCP is a measure of the Quality of Service (QoS) level of the packet. Differentiated Services concepts To differentiate between traffic flows, packets can be classified by their DSCP value.
Class Selector (CS) : This PHB has 8 priority classes, with CS7 representing the highest priority, and CS0 representing the lowest priority, as shown below. CS PHB is described in RFC 2474.
Figure 13 Layer 2 802.1q/802.1p VLAN tagged packet
Ingress packets receive a priority value, as follows:
Tagged packets: the switch reads the 802.1p priority in the VLAN tag.
Untagged packets: the switch tags the packet and assigns an 802.1p priority, based on the port's default priority (/cfg/port x/8021ppri).
Egress packets are placed in a COS queue based on the priority value, and scheduled for transmission based on the scheduling weight of the COS queue.
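The two classification inputs described above (the DSCP in the IP TOS byte, and the 802.1p priority taken from the VLAN tag or from the port default for untagged frames) can be checked against real bytes. The following is an added example written for this guide, not NEC's own code: it builds a constructed Ethernet/802.1Q/IPv4 frame, then extracts the priority and DSCP the way the text describes and names the Class Selector code points. The frame contents, MAC addresses and the port default priority are all constructed values.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def build_frame(dscp, pcp=None, vid=100):
    """Build a constructed Ethernet frame carrying a minimal IPv4 header.

    pcp=None produces an untagged frame; otherwise an 802.1Q tag with the
    given 802.1p priority (PCP) and VLAN ID is inserted. Test data only."""
    dst = bytes.fromhex("010203040506")       # constructed MAC addresses
    src = bytes.fromhex("0a0b0c0d0e0f")
    tos = dscp << 2                            # DSCP is the 6 high bits of TOS
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    if pcp is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr
    tci = (pcp << 13) | (vid & 0x0FFF)         # TCI = PCP(3) | DEI(1) | VID(12)
    return dst + src + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ETHERTYPE_IPV4) + ip_hdr


def cs_class(dscp):
    """Return 'CSn' when the DSCP is a Class Selector code point (low 3 bits zero)."""
    if dscp is None or dscp & 0b111:
        return None
    return "CS%d" % (dscp >> 3)


def classify_ingress(frame, port_default_priority=0):
    """Derive the 802.1p priority and DSCP as the text describes: a tagged
    frame carries its own priority, an untagged frame gets the port default."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_VLAN:
        tci = struct.unpack("!H", frame[14:16])[0]
        priority, vid, tagged = tci >> 13, tci & 0x0FFF, True
        inner_type = struct.unpack("!H", frame[16:18])[0]
        ip_offset = 18
    else:
        priority, vid, tagged = port_default_priority, None, False
        inner_type, ip_offset = ethertype, 14
    dscp = None
    if inner_type == ETHERTYPE_IPV4 and len(frame) >= ip_offset + 20:
        dscp = frame[ip_offset + 1] >> 2      # TOS byte follows version/IHL
    return {"tagged": tagged, "vid": vid, "priority": priority,
            "dscp": dscp, "cs": cs_class(dscp)}
```

Because the 802.1p value of an untagged frame comes entirely from the port default, the port setting (/cfg/port x/8021ppri) is the only thing standing between an untrusted host and a high-priority queue; the tag on a tagged frame is equally under the sender's control unless the edge re-marks it.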
802.1p configuration (BBI example)
1. Configure a port's default 802.1p priority.
a. Click the Configure context button on the Toolbar.
b. Select Switch Ports (click the underlined text, not the folder).
c. Select a port.
d. Set the 802.1p priority value.
e. Click Submit.
2. Map the 802.1p priority value to a COS queue.
a. Click the Configure context button on the Toolbar.
b. Open the 802.1p folder, and select Priority - CoS.
c. Select an 802.1p priority value.
d. Select a Class of Service queue (CoSQ) to correlate with the 802.1p priority value.
e. Click Submit.
3. Set the COS queue scheduling weight.
a. Click the Configure context button on the Toolbar.
b. Open the 802.1p folder, and select CoS - Weight.
c. Select a Class of Service queue (CoS).
d. Enter a value for the weight of the Class of Service queue.
e. Click Submit.
4. Apply, verify, and save the configuration.
Queuing and scheduling
The switch can be configured with either two or eight output Class of Service queues (COSq), into which each packet is placed. Each packet's 802.1p priority determines its COSq, except when an ACL action sets the COSq of the packet.
Basic IP routing
This chapter provides configuration background and examples for using the switch to perform IP routing functions. The following topics are addressed in this chapter:
IP Routing Benefits
Routing Between IP Subnets
Example of Subnet Routing
IP routing benefits
The switch uses a combination of configurable IP switch interfaces and IP routing options.
In this example, a corporate campus has migrated from a router-centric topology to a faster, more powerful, switch-based topology. As is often the case, the legacy of network growth and redesign has left the system with a mix of illogically distributed subnets. This is a situation that switching alone cannot cure. Instead, the router is flooded with cross-subnet communication. This compromises efficiency in two ways: Routers can be slower than switches.
Example of subnet routing
Prior to configuring, you must be connected to the switch Command Line Interface (CLI) as the administrator.
NOTE: For details about accessing and using any of the menu commands described in this example, see the Command Reference Guide.
1. Assign an IP address (or document the existing one) for each router and client workstation.
4. Configure the default gateways to the routers' addresses. Configuring the default gateways allows the switch to send outbound traffic to the routers:
>> IP Interface 5# ../gw 1 (Select primary default gateway)
>> Default gateway 1# addr 205.21.17.1 (Assign IP address)
>> Default gateway 1# ena (Enable primary default gateway)
>> Default gateway 1# ../gw 2 (Select secondary default gateway)
>> Default gateway 2# addr 205.21.17.2 (Assign address)
>> Default gateway 2# ena (Enable secondary default gateway)
5.
2. Add the switch ports to their respective VLANs. The VLANs shown in the table above are configured as follows:
>> # /cfg/l2/vlan 1 (Select VLAN 1)
>> VLAN 1# add port 20 (Add port for 1st floor to VLAN 1)
>> VLAN 1# add port 21 (Add port for 2nd floor to VLAN 1)
>> VLAN 1# ena (Enable VLAN 1)
>> VLAN 1# ../VLAN 2 (Select VLAN 2)
>> VLAN 2# add port 18 (Add port for default router 1)
>> VLAN 2# add port 19 (Add port for default router 2)
>> VLAN 2# ena (Enable VLAN 2)
>> VLAN 2# ..
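The forwarding decision that the subnet-routing example relies on is small enough to model directly. The block below is an added example, not code from NEC or this guide: directly connected subnets are reached through their IP interface, and everything else is sent to the first enabled and reachable default gateway, primary (gw 1) before secondary (gw 2), mirroring the two gateways configured in step 4. The switch interface addresses, the floor subnet 10.1.0.0/24 and the VLAN numbers used in the check are constructed for the example; only the gateway addresses 205.21.17.1 and 205.21.17.2 come from the guide.

```python
import ipaddress


class SubnetRouter:
    """Minimal model of the switch's forwarding decision.

    Connected subnets are reached via their IP interface (longest prefix wins);
    all other destinations go to the first default gateway that is enabled and
    reachable, in configured order (gateway 1 = primary, gateway 2 = secondary)."""

    def __init__(self):
        self.interfaces = []   # list of (IPv4Interface, vlan)
        self.gateways = []     # dicts in preference order

    def add_interface(self, cidr, vlan):
        self.interfaces.append((ipaddress.ip_interface(cidr), vlan))

    def add_gateway(self, addr, enabled=True, reachable=True):
        # 'reachable' stands in for the switch's health check of the gateway
        self.gateways.append({"addr": ipaddress.ip_address(addr),
                              "enabled": enabled, "reachable": reachable})

    def _connected(self, addr):
        """Return (interface, vlan) of the most specific connected subnet holding addr."""
        best = None
        for iface, vlan in self.interfaces:
            if addr in iface.network:
                if best is None or iface.network.prefixlen > best[0].network.prefixlen:
                    best = (iface, vlan)
        return best

    def next_hop(self, dst):
        """Return ('direct', dst, vlan), ('gateway', gw_addr, vlan) or None."""
        dst = ipaddress.ip_address(dst)
        hit = self._connected(dst)
        if hit:
            return ("direct", str(dst), hit[1])
        for gw in self.gateways:
            if not (gw["enabled"] and gw["reachable"]):
                continue
            via = self._connected(gw["addr"])   # gateway must sit on a connected subnet
            if via:
                return ("gateway", str(gw["addr"]), via[1])
        return None


def build_example_router(primary_up=True):
    """Constructed topology in the spirit of the guide's example."""
    r = SubnetRouter()
    r.add_interface("10.1.0.1/24", vlan=1)        # constructed floor subnet on VLAN 1
    r.add_interface("205.21.17.3/24", vlan=2)     # constructed switch address on the router subnet
    r.add_gateway("205.21.17.1", reachable=primary_up)   # primary gateway (guide, step 4)
    r.add_gateway("205.21.17.2")                          # secondary gateway (guide, step 4)
    return r
```

A gateway that is enabled but whose subnet has no IP interface on the switch is silently skipped here; on the real switch the equivalent misconfiguration shows up as outbound traffic that never leaves, so checking that each gateway address falls inside a configured interface subnet is a worthwhile sanity test after step 4.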
Routing Information Protocol
In a routed environment, routers communicate with one another to keep track of available routes. Routers can learn about available routes dynamically, using the Routing Information Protocol (RIP). The switch supports RIP version 1 (RIPv1) and RIP version 2 (RIPv2) for exchanging TCP/IP route information with other routers.
Distance vector protocol
RIP is known as a distance vector protocol.
RIPv2 in RIPv1 compatibility mode
The switch allows you to configure RIPv2 in RIPv1 compatibility mode, for using both RIPv2 and RIPv1 routers within a network. In this mode, the regular routing updates are sent as broadcast UDP packets so that RIPv1 routers can receive them. With RIPv1 routers as recipients, the routing updates have to carry a natural (classful) or host mask. Hence, it is not a recommended configuration for most network topologies.
RIP configuration example
NOTE: An interface with RIP disabled uses all the RIP default values, regardless of how the RIP parameters are configured for that interface. RIP regular updates include an interface that is Up, but not one that is Down.
1. Add VLANs for routing interfaces.
>> Main# cfg/l2/vlan 2/ena (Enable VLAN 2)
>> VLAN 2# add 20 (Add port 20 to VLAN 2)
Port 20 is an UNTAGGED port and its current PVID is 1.
IGMP Snooping
Introduction
IGMP Snooping allows the switch to forward multicast traffic only to those ports that request it. IGMP Snooping prevents multicast traffic from being flooded to all data ports. The switch learns which server hosts are interested in receiving multicast traffic, and forwards it only to ports connected to those servers.
EXCLUDE mode: The host requests membership to a multicast group and provides a list of IP addresses from which it does not want to receive traffic. This indicates that the host wants to receive traffic only from sources that are not part of the Exclude list. To disable snooping on EXCLUDE mode reports, use the following command:
/cfg/l3/igmp/snoop/igmpv3/exclude dis
By default, the switch snoops the first eight sources listed in the IGMPv3 Group Record.
When you configure a static Mrouter on a VLAN, it replaces any dynamic Mrouters learned through IGMP Snooping.
IGMP Snooping configuration example
This section provides steps to configure IGMP Snooping on the switch, using the Command Line Interface (CLI) or the Browser-based Interface (BBI).
Configuring IGMP Snooping (AOS CLI example)
1. Configure port and VLAN membership on the switch, as described in the "Configuring ports and VLANs (CLI example)" section in the "VLANs" chapter.
2.
Configuring IGMP Filtering (AOS CLI example)
1. Enable IGMP Filtering on the switch.
>> /cfg/l3/igmp/igmpflt (Select IGMP Filtering menu)
>> IGMP Filter# ena (Enable IGMP Filtering)
Current status: disabled
New status: enabled
2. Define an IGMP Filter.
>> /cfg/l3/igmp/igmpflt (Select IGMP Filtering menu)
>> IGMP Filter# filter 1 (Select Filter 1 Definition menu)
>> IGMP Filter 1 Definition# range 224.0.1.
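An IGMP filter, as the CLI and BBI procedures describe it, is an inclusive range of multicast group addresses with an allow or deny action, assigned to a port on which filtering is enabled. The block below is an added example, not the switch's implementation: it evaluates a membership report (a join) against the filters assigned to a port. The guide's own range command is truncated on this page, so the ranges used here are constructed; first-match-wins ordering and an allow default when no filter matches are assumptions of the example, not behaviour the guide states.

```python
import ipaddress


class IgmpFilter:
    """One entry of the IGMP Filter table: an inclusive multicast range plus an action."""

    def __init__(self, index, first, last, action, enabled=True):
        if action not in ("allow", "deny"):
            raise ValueError("action must be allow or deny")
        self.index = index
        self.first = ipaddress.ip_address(first)
        self.last = ipaddress.ip_address(last)
        if self.first > self.last:
            raise ValueError("range start must not exceed range end")
        if not (self.first.is_multicast and self.last.is_multicast):
            raise ValueError("filter range must lie inside 224.0.0.0/4")
        self.action = action
        self.enabled = enabled

    def matches(self, group):
        return self.enabled and self.first <= group <= self.last


def evaluate_membership_report(group, port_filters, port_filtering=True, default="allow"):
    """Decide whether a membership report for `group` on a port is honoured.

    Returns (decision, matching filter index or None). Filters are checked in the
    order assigned to the port and the first match wins; `default` applies when
    nothing matches. Both rules are assumptions of this example."""
    g = ipaddress.ip_address(group)
    if not g.is_multicast:
        raise ValueError("%s is not a multicast group address" % g)
    if not port_filtering:                 # filtering disabled on the port: plain snooping
        return ("allow", None)
    for f in port_filters:
        if f.matches(g):
            return (f.action, f.index)
    return (default, None)


def example_port_filters():
    """Constructed filter set: deny 224.0.1.0/24 joins, allow the organisation-local scope."""
    return [IgmpFilter(1, "224.0.1.0", "224.0.1.255", "deny"),
            IgmpFilter(2, "239.0.0.0", "239.255.255.255", "allow")]
```

Note that a deny filter only affects what the switch learns from reports; it does not stop a host from sending multicast, so on a segment where sources are untrusted the filter belongs together with a static Mrouter port and with port-level controls on the source ports.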
Configuring a Static Mrouter (AOS CLI example)
1. Configure a port to which the static Mrouter is connected, and enter the appropriate VLAN.
>> /cfg/l3/igmp/mrouter (Select IGMP Mrouter menu)
>> Static Multicast Router# add 20 (Add port 20 as Static Mrouter port)
Enter VLAN number: (1-4094) 1 (Enter the VLAN number)
Enter the version number of mrouter [1|2|3]: 2 (Enter the IGMP version number)
2. Apply, verify, and save the configuration.
c. Enable IGMP Snooping.
d. Click Submit.
3. Apply, verify, and save the configuration.
Configuring IGMP Filtering (BBI example)
1. Configure IGMP Snooping.
2. Enable IGMP Filtering.
a. Click the CONFIGURE button.
b. Open the IGMP folder, and select IGMP Filters (click the underlined text, not the folder).
c. Enable IGMP Filtering globally.
d. Click Submit.
3. Define the IGMP Filter.
a. Select Layer 3 > IGMP > IGMP Filters > Add Filter.
b. Enable the IGMP Filter. Assign the range of IP multicast addresses and the filter action (allow or deny).
c. Click Submit.
4. Assign the filter to a port and enable IGMP Filtering on the port.
a. Select Layer 3 > IGMP > IGMP Filters > Switch Ports.
b. Select a port from the list.
c. Enable IGMP Filtering on the port. Select a filter in the IGMP Filters Available list, and click Add.
d. Click Submit.
5. Apply, verify, and save the configuration.
Configuring a Static Multicast Router (BBI example)
1. Configure Static Mrouter.
a. Click the Configure context button.
b. Open the Switch folder and select IP Menu > IGMP > IGMP Static MRouter.
c. Enter a port number, VLAN ID number, and IGMP version number.
d. Click Submit.
2. Apply, verify, and save the configuration.
OSPF
The switch supports the Open Shortest Path First (OSPF) routing protocol. The switch implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583. The following sections discuss OSPF support for the switch:
OSPF Overview: This section provides information on OSPF concepts, such as types of OSPF areas, types of routing devices, neighbors, adjacencies, link state database, authentication, and internal versus external routing.
Figure 16 OSPF area types
Types of OSPF routing devices
As shown in the figure, OSPF uses the following types of routing devices:
Internal Router (IR): a router that has all of its interfaces within the same area. IRs maintain LSDBs identical to those of other routing devices within the local area.
Area Border Router (ABR): a router that has interfaces in multiple areas. ABRs maintain one LSDB for each connected area and disseminate routing information between areas.
Neighbors and adjacencies
In areas with two or more routing devices, neighbors and adjacencies are formed. Neighbors are routing devices that maintain information about each other's health. To establish neighbor relationships, routing devices periodically send hello packets on each of their interfaces.
OSPF implementation
The switch supports a single instance of OSPF and up to 4K routes on the network. The following sections describe OSPF implementation in the switch:
Configurable Parameters
Defining Areas
Interface Cost
Electing the Designated Router and Backup
Summarizing Routes
Default Routes
Virtual Links
Router ID
Authentication
Configurable parameters
OSPF parameters can be configured through the Command Line Interface (CLI), the Browser-Based Interface (BBI) for the switches, or through SNMP.
Assigning the area index
The aindex option is actually just an arbitrary index (0-2) used only by the switch. This index does not necessarily represent the OSPF area number, though for configuration simplicity it should where possible. For example, both of the following sets of commands define OSPF area 0 (the backbone) and area 1, because that information is held in the area ID portion of the command.
Interface cost
The OSPF link-state algorithm (Dijkstra's algorithm) places each routing device at the root of a tree and determines the cumulative cost required to reach each destination. Usually, the cost is inversely proportional to the bandwidth of the interface. Low cost indicates high bandwidth.
Figure 18 Injecting default routes
In more complex OSPF areas with multiple ABRs or ASBRs (such as area 0 and area 2 in the figure), there are multiple routes leading from the area. In such areas, traffic for unrecognized destinations cannot tell which route leads upstream without further configuration. To resolve the situation and select one default route among multiple choices in an area, you can manually configure a metric value on each ABR.
Router ID
Routing devices in OSPF areas are identified by a router ID. The router ID is expressed in IP address format. The IP address of the router ID is not required to be included in any IP interface range or in any OSPF area. The router ID can be configured in one of the following two ways:
Dynamically: OSPF protocol configures the lowest IP interface IP address as the router ID. This is the default.
3. Enable OSPF authentication for Area 2 on switch 4.
>> # /cfg/l3/ospf/aindex 2/auth password
4. Configure a simple text password up to 8 characters for the virtual link between Area 2 and Area 0 on switches 2 and 4.
>> # /cfg/l3/ospf/virt 1/key alteon
Use the following commands to configure MD5 authentication on the switches shown in the figure:
5. Enable OSPF MD5 authentication for Area 0 on switches 1, 2, and 3.
>> # /cfg/l3/ospf/aindex 0/auth md5
6.
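The difference between the two authentication types configured above is visible at the packet level. The following is an added example, not NEC's code: it builds an OSPFv2 packet header with simple-password authentication (RFC 2328 Appendix D.2, where the 8-byte key is carried in clear in the header's authentication field) and with cryptographic authentication (Appendix D.3, where the field carries a key ID, digest length and sequence number, and MD5 over the packet followed by the 16-byte key is appended), then verifies the latter the way a receiving router does: key lookup by ID, digest recomputation, and a sequence-number check against replay. The Hello body, key material and sequence numbers are constructed; the packet checksum is left at zero because it is not part of the authentication step being shown. Zero-padding a key shorter than 16 bytes is this example's convention and is stated as an assumption.

```python
import hashlib
import hmac
import struct

AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2
OSPF_HDR_LEN = 24
ROUTER_ID_A = bytes([10, 10, 10, 1])     # Switch A's router ID from the virtual link example
AREA_2 = bytes([0, 0, 0, 2])


def _header(autype, auth_field, body, router_id, area_id):
    """OSPFv2 header (RFC 2328 A.3.1): version 2, type 1 (Hello), zero checksum."""
    length = OSPF_HDR_LEN + len(body)
    return struct.pack("!BBH4s4sHH", 2, 1, length, router_id, area_id, 0, autype) + auth_field + body


def simple_auth_packet(password, body, router_id=ROUTER_ID_A, area_id=AREA_2):
    """Simple password authentication: the key travels in clear in the 64-bit field."""
    auth = password.encode()[:8].ljust(8, b"\x00")
    return _header(AUTH_SIMPLE, auth, body, router_id, area_id)


def password_in_clear(packet):
    """What any listener on the segment can read from a simple-auth packet."""
    return packet[16:24].rstrip(b"\x00").decode()


def _pad_key(key):
    return key[:16].ljust(16, b"\x00")   # assumption: zero-pad short keys to 16 bytes


def md5_auth_packet(key_id, key, seq, body, router_id=ROUTER_ID_A, area_id=AREA_2):
    """Cryptographic authentication (RFC 2328 D.3): auth field holds key ID,
    digest length 16 and a sequence number; MD5(packet || key) is appended."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = _header(AUTH_MD5, auth, body, router_id, area_id)
    return pkt + hashlib.md5(pkt + _pad_key(key)).digest()


def verify_md5_auth(packet, keys, last_seq):
    """Receiver side: look up the key by ID, recompute the digest, reject replays.

    `keys` maps key ID -> key bytes; `last_seq` is the highest sequence number
    accepted from this neighbour so far. Returns (accepted, reason)."""
    if len(packet) < OSPF_HDR_LEN:
        return (False, "truncated")
    autype = struct.unpack("!H", packet[14:16])[0]
    if autype != AUTH_MD5:
        return (False, "not cryptographic authentication")
    length = struct.unpack("!H", packet[2:4])[0]
    key_id, auth_len, seq = struct.unpack("!xxBBI", packet[16:24])
    if auth_len != 16 or len(packet) < length + 16:
        return (False, "bad digest length")
    pkt, digest = packet[:length], packet[length:length + 16]
    key = keys.get(key_id)
    if key is None:
        return (False, "unknown key id %d" % key_id)
    expected = hashlib.md5(pkt + _pad_key(key)).digest()
    if not hmac.compare_digest(digest, expected):   # constant-time comparison
        return (False, "digest mismatch")
    if seq < last_seq:                               # sequence must not go backwards
        return (False, "sequence number went backwards")
    return (True, "ok")
```

The practical consequence for the configuration above: a simple password (the `auth password` / `key` form used on the virtual link) protects only against accidental adjacencies, because the key is readable by anyone who can capture a Hello on the link, whereas the `auth md5` form never exposes the key and additionally lets the receiver discard replayed packets through the sequence number.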
OSPF features not supported
The following OSPF features are not supported:
Summarizing external routes
Filtering OSPF routes
Using OSPF to forward multicast routes
Configuring OSPF on non-broadcast multi-access networks (such as frame relay, X.25, and ATM)
OSPF configuration examples
A summary of the basic steps for configuring OSPF on the switch is listed here. Detailed instructions for each of the steps are covered in the following sections:
Configure IP interfaces.
>> IP Interface 2 # /cfg/l3/ospf/on (Enable OSPF on the switch)
3. Define the backbone. The backbone is always configured as a transit area using areaid 0.0.0.0.
>> Open Shortest Path First # aindex 0 (Select menu for area index 0)
>> OSPF Area (index) 0 # areaid 0.0.0.0 (Set the ID for backbone area 0)
>> OSPF Area (index) 0 # type transit (Define backbone as transit type)
>> OSPF Area (index) 0 # enable (Enable the area)
4. Define the stub area.
5.
c. Configure an IP interface. Enter the IP address, subnet mask, and enable the interface.
d. Click Submit.
2. Apply, verify, and save the configuration.
3. Enable OSPF.
a. Open the OSPF Routing Protocol folder, and select General.
b. Enable OSPF.
c. Click Submit.
4. Configure OSPF Areas.
a. Open the OSPF Areas folder, and select Add OSPF Area.
b. Configure the OSPF backbone area 0.
c. Click Submit.
d. Select Add OSPF Area.
e. Configure the OSPF area 1.
f. Click Submit.
5. Configure OSPF Interfaces.
a. Open the OSPF Interfaces folder, and select Add OSPF Interface.
b. Configure the OSPF Interface 1, and attach it to the backbone area 0.
c. Click Submit.
d. Select Add OSPF Interface.
e. Configure the OSPF Interface 2, and attach it to the stub area 1.
f. Click Submit.
6. Apply, verify, and save the configuration.
Example 2: Virtual links
In the example shown in the following figure, area 2 is not physically connected to the backbone, as is usually required. Instead, area 2 is connected to the backbone through a virtual link that crosses area 1. The virtual link must be configured at each endpoint.
In this example, two IP interfaces are needed on Switch A: one for the backbone network on 10.10.7.0/24 and one for the transit area network on 10.10.12.0/24.
>> # /cfg/l3/if 1 (Select menu for IP interface 1)
>> IP Interface 1 # addr 10.10.7.1 (Set IP address on backbone network)
>> IP Interface 1 # mask 255.255.255.0 (Set IP mask on backbone network)
>> IP Interface 1 # enable (Enable IP interface 1)
>> IP Interface 1 # ../if 2 (Select menu for IP interface 2)
>> IP Interface 2 # addr 10.10.12.1 (Set IP address on transit area network)
>> IP Interface 2 # mask 255.255.255.
Configuring OSPF for a virtual link on Switch B
1. Configure IP interfaces on each network that will be attached to OSPF areas. Two IP interfaces are needed on Switch B: one for the transit area network on 10.10.12.0/24 and one for the stub area network on 10.10.24.0/24.
>> # /cfg/l3/if 1
>> IP Interface 1 # addr 10.10.12.2
>> IP Interface 1 #
2.
9. Configure the virtual link. The nbr router ID configured in this step must be the same as the router ID that was configured for Switch A in step 2.
>> OSPF Interface 2 # ../virt 1 (Specify a virtual link number)
>> OSPF Virtual Link 1 # aindex 1 (Specify the transit area for the virtual link)
>> OSPF Virtual Link 1 # nbr 10.10.10.1 (Specify the router ID of the recipient)
>> OSPF Virtual Link 1 # enable (Enable the virtual link)
10. Apply and save the configuration changes.
>> IP Interface 2 # /cfg/l3/ospf/on
3. Define the backbone.
>> Open Shortest Path First # aindex 0 (Select menu for area index 0)
>> OSPF Area (index) 0 # areaid 0.0.0.0 (Set the ID for backbone area 0)
>> OSPF Area (index) 0 # type transit (Define backbone as transit type)
>> OSPF Area (index) 0 # enable (Enable the area)
4. Define the stub area.
>> OSPF Area (index) 0 # ../aindex 1
>> OSPF Area (index) 1 # areaid 0.0.0.1
>> OSPF Area (index) 1 # type stub
>> OSPF Area (index) 1 # enable
5.
Remote monitoring
Introduction
Remote Monitoring (RMON) allows network devices to exchange network monitoring data. RMON performs the following major functions:
Gathers cumulative statistics for Ethernet interfaces
Tracks a history of statistics for Ethernet interfaces
Creates and triggers alarms for user-defined events
Overview
The RMON MIB provides an interface between the RMON agent on the switch and an RMON management application. The RMON MIB is described in RFC 1757.
2. View RMON statistics for the port.
c. Select a port.
d. Enable RMON on the port.
e. Click Submit.
2. Apply, verify, and save the configuration.
RMON group 2 — history
The RMON History group allows you to sample and archive Ethernet statistics for a specific interface during a specific time interval. The switch supports up to 5 RMON History groups.
NOTE: RMON port statistics must be enabled for the port before an RMON history group can monitor the port.
Data is stored in buckets, which store data gathered during discrete sampling intervals.
This configuration creates an RMON History group to monitor port 21. It takes a data sample every 2 minutes, and places the data into one of the 30 requested buckets. After 30 samples are gathered, the new samples overwrite the previous samples, beginning with the first bucket. Use SNMP to view the data.
Configure RMON History (BBI example)
1. Configure an RMON History group.
a. Click the Configure context button.
b. Open the Switch folder, and select RMON > History > Add History Group.
c. Configure RMON History Group parameters.
d. Click Submit.
2. Apply, verify, and save the configuration.
RMON group 3 — alarms
The RMON Alarm group allows you to define a set of thresholds used to determine network performance. When a configured threshold is crossed, an alarm is generated. For example, you can configure the switch to issue an alarm if more than 1,000 CRC errors occur during a 10-minute time interval. Each Alarm index consists of a variable to monitor, a sampling time interval, and parameters for rising and falling thresholds.
Configure RMON Alarms (AOS CLI example 2)
1. Configure the RMON Alarm parameters to track ICMP messages.
>> /cfg/rmon/alarm 5 (Select RMON Alarm 5)
>> RMON Alarm 5# oid 1.3.6.1.2.1.5.8.0
>> RMON Alarm 5# intrval 60
>> RMON Alarm 5# almtype rising
>> RMON Alarm 5# rlimit 200
>> RMON Alarm 5# revtidx 5
>> RMON Alarm 5# sample delta
>> RMON Alarm 5# owner "Alarm_for_icmpInEchos"
2. Apply and save the configuration.
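The alarm entry above combines a sampled object, an interval, a sample type, a threshold and an event index; what the switch does with them follows the RMON alarm semantics of RFC 1757, which is easiest to see by running samples through a model. The block below is an added example, not the switch's RMON agent: it implements delta and absolute sampling, the rising and falling thresholds, the startup alarm type, and the rule that a rising event is not repeated until the sample has dropped to the falling threshold. The falling limit of 50, the falling event index 9 and the counter values fed in are constructed; the OID, 60-second interval, rising limit 200 and event index 5 are the guide's.

```python
class RmonAlarm:
    """Model of one /cfg/rmon/alarm entry with RFC 1757 threshold semantics.

    sample='absolute' compares the raw value; sample='delta' compares the
    difference between two successive samples. A rising event fires when the
    sample reaches rlimit and is re-armed only after the sample drops to
    flimit (a falling crossing), so a counter that stays high produces one
    notification rather than one per interval."""

    def __init__(self, oid, interval, sample, rlimit, flimit,
                 revtidx=None, fevtidx=None, almtype="rising"):
        if sample not in ("absolute", "delta"):
            raise ValueError("sample must be absolute or delta")
        if almtype not in ("rising", "falling", "either"):
            raise ValueError("almtype must be rising, falling or either")
        self.oid, self.interval, self.sample = oid, interval, sample
        self.rlimit, self.flimit = rlimit, flimit
        self.revtidx, self.fevtidx = revtidx, fevtidx
        self.almtype = almtype
        self.last_value = None     # previous raw sample (delta mode)
        self.last_event = None     # 'rising', 'falling' or None before any event

    def poll(self, value):
        """Feed one sample of the monitored object; return the event index to
        trigger for this interval, or None."""
        if self.sample == "delta":
            if self.last_value is None:        # two samples are needed for a delta
                self.last_value = value
                return None
            current = value - self.last_value
            self.last_value = value
        else:
            current = value
        startup = self.last_event is None
        if current >= self.rlimit and (self.last_event == "falling" or
                                       (startup and self.almtype in ("rising", "either"))):
            self.last_event = "rising"
            return self.revtidx                # None when no rising event is configured
        if current <= self.flimit and (self.last_event == "rising" or
                                       (startup and self.almtype in ("falling", "either"))):
            self.last_event = "falling"
            return self.fevtidx                # None when no falling event is configured
        return None


def icmp_echo_alarm():
    """The guide's alarm 5 (icmpInEchos, delta, 60 s, rising 200 -> event 5) with a
    constructed falling limit of 50 and falling event 9 to show re-arming."""
    return RmonAlarm("1.3.6.1.2.1.5.8.0", 60, "delta", 200, 50, revtidx=5, fevtidx=9)
```

For detection use this matters in two ways: a delta alarm on a counter such as icmpInEchos reports a burst, not a level, so the rising limit is effectively "echo requests per interval"; and without a falling threshold the alarm stays latched after its first event, which is the expected RMON behaviour rather than a lost notification.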
c. Configure RMON Alarm Group parameters to check ifInOctets on port 20 once every hour. Enter a rising limit of two billion, and a rising event index of 6. This configuration creates an RMON alarm that checks ifInOctets on port 20 once every hour. If the statistic exceeds two billion, an alarm is generated that triggers event index 6.
d. Click Submit.
2. Apply, verify, and save the configuration.
Configure RMON Alarms (BBI example 2)
1. Configure an RMON Alarm group.
a. Click the Configure context button.
b. Open the Switch folder, and select RMON > Alarm > Add Alarm Group.
c. Configure RMON Alarm Group parameters to check icmpInEchos, with a polling interval of 60, a rising limit of 200, and a rising event index of 5. This configuration creates an RMON alarm that checks icmpInEchos on the switch once every minute.
2. Apply, verify, and save the configuration.
RMON group 9 — events
The RMON Event group allows you to define events that are triggered by alarms. An event can be a log message, an SNMP trap message, or both. When an alarm is generated, it triggers a corresponding event notification. Use the /cfg/rmon/alarm x/revtidx and /fevtidx commands to correlate an event index to an alarm. RMON events use SNMP and syslogs to send notifications.
Configuring RMON Events (BBI example)
1. Configure an RMON Event group.
a. Click the Configure context button.
b. Open the Switch folder, and select RMON > Event > Add Event Group.
c. Configure RMON Event Group parameters. This configuration creates an RMON event that sends a SYSLOG message each time it is triggered by an alarm.
d. Click Submit.
2. Apply, verify, and save the configuration.
High availability
Introduction
Switches support high availability network topologies. This release provides information about Uplink Failure Detection and Virtual Router Redundancy Protocol (VRRP).
Uplink Failure Detection
Uplink Failure Detection (UFD) is designed to support Network Adapter Teaming on the CPU Blades. UFD allows the switch to monitor specific uplink ports to detect link failures. When the switch detects a link failure, it automatically disables specific downlink ports.
Failure Detection Pair
To use UFD, you must configure a Failure Detection Pair and then turn UFD on. A Failure Detection Pair consists of the following groups of ports:
Link to Monitor (LtM)
The Link to Monitor group consists of one uplink port (18-21), one trunk group that contains only uplink ports, or one LACP trunk group that contains only uplink ports. The switch monitors the LtM for link failure.
>> Information# ufd
Uplink Failure Detection 1: Enabled
LtM status: Down
Member     STG   STG State   Link Status
----------------------------------------
port 19                      down
           1     DISABLED
           10    DISABLED *
           15    DISABLED *
* = STP turned off for this port.
2.
>> Trunk group 2# ena (Enable trunk group 2)
>> Trunk group 2# add 18 (Add port 18 to trunk group 2)
>> Trunk group 2# add 19 (Add port 19 to trunk group 2)
3. Assign the trunk group to be monitored for communication failure.
>> Main# /cfg/ufd/fdp 1/ena (Enable Failure Detection Pair 1)
>> FDP# ltm (Select Link to Monitor menu)
>> Failover Link to Monitor# addtrnk 2 (Monitor trunk group 2)
4. Assign downlink ports (1-16) to disable when an uplink failure occurs.
d. Enable the FDP. Select ports in the LtM Ports Available list, and click Add to place the ports into the Link to Monitor (LtM). Select ports in the LtD Ports Available list, and click Add to place the ports into the Link to Disable (LtD).
e. Click Submit.
2. Apply, verify, and save the configuration.
VRRP overview
In a high-availability network topology, no device may constitute a single point of failure (SPOF) for the network or force a SPOF onto any other part of the network. This means that your network remains in service despite the failure of any single device. Achieving this usually requires redundancy for all vital network components.
NOTE: Every VIR must be assigned to an IP interface, and every IP interface must be assigned to a VLAN. If no port in a VLAN has link up, the IP interface of that VLAN is down, and if the IP interface of a VIR is down, that VIR goes into INIT state.
VRRP operation
Only the virtual router master responds to ARP requests. Therefore, the upstream routers only forward packets destined to the master. The master also responds to ICMP ping requests.
The switch high availability configurations are based on VRRP. The switch implementation of VRRP supports the Active-Active mode of high availability.
Active-Active redundancy
In an active-active configuration, shown in the following figure, two switches provide redundancy for each other, with both active at the same time. Each switch processes traffic on a different subnet. When a failure occurs, the remaining switch can process traffic on all subnets.
Virtual router deployment considerations
Review the following issues described in this section to prevent network problems when deploying virtual routers:
Assigning VRRP Virtual Router ID
Configuring the Switch for Tracking
Assigning VRRP virtual router ID
During the software upgrade process, VRRP virtual router IDs are assigned automatically if failover is enabled on the switch.
High availability configurations
The switches offer flexibility in implementing redundant configurations. This section discusses the Active-Active configuration.
Active-Active configuration
The following figure shows an example configuration, where two switches are used as VRRP routers in an active-active configuration. In this configuration, both switches respond to packets.
>> IP Interface 4# mask 255.255.255.0 (Define subnet mask for interface 4)
>> IP Interface 4# ena (Enable interface 4)
3. Configure the default gateways. Each default gateway points to one of the Layer 2 routers.
>> /cfg/l3/gw 1 (Select default gateway 1)
>> Default gateway 1# addr 192.168.1.1 (Point gateway to the first L2 router)
>> Default gateway 1# ena (Enable the default gateway)
>> Default gateway 1# ..
>> Layer 3# gw 2
4.
>> IP Interface 4# ena (Enable interface 4)
3. Configure the default gateways. Each default gateway points to one of the Layer 2 routers.
>> /cfg/l3/gw 1 (Select default gateway 1)
>> Default gateway 1# addr 192.168.2.1 (Point gateway to the first L2 router)
>> Default gateway 1# ena (Enable the default gateway)
>> Default gateway 1# .. (Select default gateway 2)
>> Layer 3# gw 2
>> Default gateway 2# addr 192.168.1.
4.
c. Configure port 20 as a member of VLAN 10 and port 21 as a member of VLAN 20. Enable each VLAN.
d. Click Submit.
2. Configure the following client and server interfaces:
IF 1: IP address = 192.168.1.100, Subnet mask = 255.255.255.0, VLAN 10
IF 2: IP address = 192.168.2.101, Subnet mask = 255.255.255.0, VLAN 20
IF 3: IP address = 10.0.1.100, Subnet mask = 255.255.255.0
IF 4: IP address = 10.0.2.101, Subnet mask = 255.255.255.0
a. Open the IP Interfaces folder, and select Add IP Interface.
b. Configure an IP interface. Enter the IP address, subnet mask, and VLAN membership. Enable the interface.
c. Click Submit.
3. Configure the default gateways. Each default gateway points to one of the Layer 2 routers.
a. Open the Default Gateways folder, and select Add Default Gateway.
b. Configure the IP address for each default gateway. Enable the default gateways.
c. Click Submit.
4. Turn on VRRP and configure 2 Virtual Interface routers.
a. Open the Virtual Router Redundancy Protocol folder, and select General.
b. Enable VRRP processing.
c. Click Submit.
d. Open the Virtual Routers folder, and select Add Virtual Router.
e. Configure the IP address for Virtual Router 1 (VR1). Enable tracking on ports, and set the priority to 101. Enable the Virtual Router.
f. Click Submit.
g. Select Add Virtual Router.
h. Configure the IP address for Virtual Router 2 (VR2). Enable tracking on ports, but set the priority to 100 (default value). Enable the Virtual Router.
i. Click Submit.
5. Turn off Spanning Tree globally.
a. Select Spanning Tree Groups.
b. Enter Spanning Tree Group ID 1 and set the Switch Spanning Tree State to off.
c. Click Submit.
6. Apply, verify, and save the configuration.
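The active-active configuration just described works because each switch has the higher VRRP priority for one virtual router (101 against the default 100) and port tracking adjusts those priorities as links fail. The block below is an added example, not NEC's VRRP implementation: it computes each switch's effective priority for a virtual router from its base priority, the state of its tracked ports and whether its IP interface is up (a VIR on a down interface sits in INIT, per the note earlier in this chapter), then elects the master using the highest-priority, then highest-IP rule. The per-port tracking increment of 2, the switch addresses 192.168.1.100 and 192.168.1.101 and the tracked ports are constructed assumptions; the priorities 101 and 100 are the guide's.

```python
import ipaddress

VRRP_MAX_PRIORITY = 254    # 255 is reserved for the address owner (RFC 3768)


class VirtualRouter:
    """One VIR as seen on one switch: base priority plus port tracking."""

    def __init__(self, switch_ip, vrid, priority=100, interface_up=True,
                 tracked_ports=None, track_increment=2):
        self.switch_ip = ipaddress.ip_address(switch_ip)
        self.vrid = vrid
        self.base_priority = priority
        self.interface_up = interface_up
        self.tracked_ports = dict(tracked_ports or {})   # port -> link up?
        self.track_increment = track_increment           # assumption: per-port bonus

    def in_init(self):
        """A VIR whose IP interface is down is in INIT and cannot become master."""
        return not self.interface_up

    def effective_priority(self):
        if self.in_init():
            return 0
        up_ports = sum(1 for up in self.tracked_ports.values() if up)
        return min(VRRP_MAX_PRIORITY, self.base_priority + self.track_increment * up_ports)


def elect_master(candidates):
    """Return the switch IP that becomes master for one VRID, or None if every
    candidate is in INIT. Highest effective priority wins; ties go to the
    higher IP address, as in RFC 3768."""
    if len({c.vrid for c in candidates}) != 1:
        raise ValueError("candidates must share one VRID")
    live = [c for c in candidates if not c.in_init()]
    if not live:
        return None
    winner = max(live, key=lambda c: (c.effective_priority(), int(c.switch_ip)))
    return str(winner.switch_ip)


def active_active(sw1_ports, sw2_ports, sw1_if_up=True, sw2_if_up=True):
    """Masters for VR1 and VR2 in the guide's active-active layout: switch 1 is
    preferred (101) for VR1, switch 2 is preferred (101) for VR2. Returns
    {vrid: master switch IP}."""
    sw1, sw2 = "192.168.1.100", "192.168.1.101"     # constructed switch addresses
    vr1 = [VirtualRouter(sw1, 1, 101, sw1_if_up, sw1_ports),
           VirtualRouter(sw2, 1, 100, sw2_if_up, sw2_ports)]
    vr2 = [VirtualRouter(sw1, 2, 100, sw1_if_up, sw1_ports),
           VirtualRouter(sw2, 2, 101, sw2_if_up, sw2_ports)]
    return {1: elect_master(vr1), 2: elect_master(vr2)}
```

The check worth running against a real deployment is the one the tests below encode: the priority gap between the two switches (here 1) must be smaller than the tracking bonus lost when a port fails, otherwise tracking never moves the master and the failover exists only on paper.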
Troubleshooting tools
Introduction
This appendix discusses some tools to help you use the Port Mirroring feature to troubleshoot common network problems on the switch.
Port Mirroring
The Port Mirroring feature on the switch is very useful for troubleshooting any connection-oriented problem. Any traffic in or out of one or more ports can be mirrored to a single monitoring port to which a network monitor can be attached.
Configuring Port Mirroring (AOS CLI example)
To configure Port Mirroring for the example shown in the preceding figure:
1. Specify the monitoring port.
>> # /cfg/pmirr/monport 18 (Select port 18 for monitoring)
2. Select the ports that you want to mirror.
Configuring Port Mirroring (BBI example)
1. Configure Port Mirroring.
a. Click the Configure context button.
b. Open the Switch folder, and select Port-Based Port Mirroring (click the underlined text, not the folder).
c. Click a port number to select a monitoring port.
d. Click Add Mirrored Port.
e. Enter a port number for the mirrored port, and select the Port Mirror Direction.
f. Click Submit.
2. Apply, verify, and save the configuration.
3. Verify the Port Mirroring information on the switch.
Other network troubleshooting techniques
Other network troubleshooting techniques include the following.
Console and Syslog messages
When a switch experiences a problem, review the console and Syslog messages. The switch displays these informative messages when state changes and system problems occur. Syslog messages can be viewed by using the /info/sys/log command. For more information on interpreting syslog messages, see the Command Reference Guide.