Lenovo CN4093 Application Manual

Lenovo Flex System CN4093 10Gb Converged Scalable Switch
Application Guide
For Lenovo Network Operating System 8.3


Summary of Contents for Lenovo CN4093

  • Page 1 Lenovo Flex System CN4093 10Gb Converged Scalable Switch Application Guide For Lenovo Network Operating System 8.3...
  • Page 2 Note: Before using this information and the product it supports, read the general information in the Safety information and Environmental Notices and User Guide documents on the Lenovo Documentation CD and the Warranty Information document that comes with the product.
  • Page 3: Table Of Contents

    Setup Part 4: IP Configuration (p. 56); IP Interfaces (p. 56) © Copyright Lenovo 2015...
  • Page 4 Protected Mode (p. 82); Stacking Mode (p. 82) CN4093 Application Guide for N/OS 8.3...
  • Page 5 Configuring RADIUS on the Switch (p. 85); RADIUS Authentication Features in Lenovo N/OS (p. 85); Switch User Accounts ...
  • Page 6 Loop Guard (p. 155); Port Path Cost (p. 156)
  • Page 7 Configure Layer 2/3 border switches (p. 192); Configure switches in the Layer 2 region (p. 192)
  • Page 8 Rebooting Stacked Switches using the ISCLI (p. 225); Rebooting Stacked Switches using the BBI (p. 226)
  • Page 9 Guidelines (p. 266); Migrating to vDS (p. 267)
  • Page 10 Global vs. Port-by-Port PFC Configuration (p. 293); PFC Configuration Example (p. 294)
  • Page 11 Example 2: Full Fabric FC/FCoE Switch (p. 325); Fibre Channel Standard Protocols Supported (p. 327)
  • Page 12 UFP Strict Bandwidth Provisioning mode (p. 347); Using UFP with Other CN4093 10Gb Converged Scalable Switch Features (p. 348); Layer 2 Failover (p. 348); Increased VLAN Limits ...
  • Page 13 IPv6 Configuration Example 1 (p. 394); IPv6 Configuration Example 2 (p. 395)
  • Page 14 IPsec Protocols (p. 398); Using IPsec with the CN4093 (p. 399); Setting up Authentication ...
  • Page 15 Internal Versus External Routing (p. 451); OSPFv2 Implementation in Lenovo N/OS (p. 452); Configurable Parameters ...
  • Page 16 Verifying OSPF Configuration (p. 470); OSPFv3 Implementation in Lenovo N/OS (p. 471); OSPFv3 Differences from OSPFv2 ...
  • Page 17 Virtual Router Group (p. 508); Lenovo N/OS Extensions to VRRP (p. 509); Virtual Router Deployment Considerations ...
  • Page 18 Active-Active Configuration (p. 511); Task 1: Configure CN4093 1 (p. 512); Task 2: Configure CN4093 2 ...
  • Page 19 Port Mirroring Behavior (p. 572); Configuring Port Mirroring (p. 572)
  • Page 20 Taiwan Class A compliance statement (p. 589); Index (p. 591)
  • Page 21: Preface

    Preface The Lenovo Flex System Fabric CN4093 10Gb Converged Scalable Switch Application Guide describes how to configure and use the Lenovo N/OS 8.3 software on the Lenovo Flex System CN4093 10Gb Converged Scalable Switch (referred to as CN4093 throughout this document).
  • Page 22 LAN port that has point-to-point connection characteristics. This feature prevents access to ports that fail authentication and authorization and provides security to ports of the CN4093 that connect to blade servers. ...
  • Page 23 (BGP) concepts and features supported in Lenovo N/OS.
      - Chapter 30, “OSPF,” describes key Open Shortest Path First (OSPF) concepts and their implementation in Lenovo N/OS, and provides examples of how to configure your switch for OSPF support.
      - Chapter 31, “Protocol Independent Multicast,”...
  • Page 24
      - Appendix A, “Glossary,” describes common terms and concepts used throughout this guide.
      - Appendix B, “Getting help and technical assistance,” describes how to get help.
      - Appendix C, “Notices,” provides trademark and other compliance information.
  • Page 25: Additional References

    Additional References Additional information about installing and configuring the CN4093 is available in the following guides:
      - Lenovo Flex System CN4093 10Gb Converged Scalable Switch Installation Guide
      - Lenovo Flex System CN4093 10Gb Converged Scalable Switch Command Reference for Lenovo Network Operating System 8.3 ...
  • Page 26: Typographic Conventions

    Select only one of the listed options. Do not type the vertical bar. AaBbCc123 Click the Save button. This block type depicts menus, buttons, and other controls that appear in Web browsers and other graphical interfaces.
  • Page 27: Part 1: Getting Started

    Part 1: Getting Started
  • Page 29: Chapter 1. Switch Administration

    In all cases, administration requires that the switch hardware is properly installed and turned on (see the Lenovo Flex System CN4093 10Gb Converged Scalable Switch Installation Guide). Chassis Management Module The CN4093 10Gb Converged Scalable Switch is an integral subsystem within the overall Lenovo Flex System.
  • Page 30: Industry Standard Command Line Interface

    You can establish a connection to the CLI in any of the following ways:
      - Serial connection via the serial port on the CN4093 (this option is always available)
      - Telnet connection over the network ...
  • Page 31: Establishing A Connection

    The CN4093 uses port 66 (MGT1) to communicate with the chassis management module(s). Even when the CN4093 is in a factory default configuration, you can use the 1Gb Ethernet port on each CMM to configure and manage the CN4093. For more information about using the chassis management module, see the Lenovo Flex System CN4093 10Gb Converged Scalable Switch Installation Guide.
  • Page 32: Using Telnet

    Using Secure Shell Although a remote network administrator can manage the configuration of a CN4093 via Telnet, this method does not provide a secure connection. The Secure Shell (SSH) protocol enables you to securely log into another device over a network to execute commands remotely.
  • Page 33: Using Ssh With Password Authentication

      - SecureCRT 5.0 (Van Dyke Technologies, Inc.)
      - PuTTY beta 0.60
    Note: The Lenovo N/OS implementation of SSH supports version 2.0 and supports SSH client version 2.0. Using SSH with Password Authentication By default, the SSH feature is enabled. For information about enabling and using SSH for switch access, see “Secure Shell and Secure Copy”...
  • Page 34: Using A Web Browser

    Using a Web Browser The switch provides a Browser-Based Interface (BBI) for accessing the common configuration, management and operation features of the CN4093 through your Web browser. You can access the BBI directly from an open Web browser window. Enter the URL using the IP address of the switch interface (for example, http://<IPv4 or IPv6...
  • Page 35: Configuring Https Access To The Bbi

    When a client (such as a web browser) connects to the switch, the client is asked to accept the certificate and verify that the fields match what is expected. Once BBI access is granted to the client, the BBI can be used as described in the Lenovo N/OS BBI Quick Guide.
  • Page 36: Bbi Summary

      - Access Control – Configure Access Control Lists to filter IP packets.
      - Virtualization – Configure VMready for virtual machine (VM) support.
    For information on using the BBI, refer to the Lenovo N/OS BBI Quick Guide.
  • Page 37: Using Simple Network Management Protocol

    2, and version 3 support for access through any network management software, such as IBM Director. To access the SNMP agent on the CN4093, the read and write community strings on the SNMP manager should be configured to match those on the switch.
  • Page 38: Bootp/Dhcp Client Ip Address Services

    DHCP is described in RFC 2131, and the DHCP relay agent supported on the CN4093 is described in RFC 1542. DHCP uses UDP as its transport protocol. The client sends messages to the server on port 67 and the server sends messages to the client on port 68.
  • Page 39: Syslog Server

    During switch startup, if the switch fails to get the configuration file, a message can be recorded in the SYSLOG server. The CN4093 supports requesting of a SYSLOG server IP address from the DHCP server as described in RFC 2132, option 7. DHCP SYSLOG server request option is enabled by default.
  • Page 40: Switch Login Levels

    Switch Login Levels To enable better switch management and user accountability, three levels or classes of user access have been implemented on the CN4093. Levels of access to CLI, Web management functions, and screens increase as needed to perform various switch management tasks.
  • Page 41 To disable the admin account, use the command: CN 4093(config)# no access user administrator-enable
    The admin account can be disabled only if there is at least one user account enabled and configured with administrator privilege.
  • Page 42: Secure Ftp

    Secure FTP Lenovo N/OS supports Secure FTP (SFTP) to the switch. SFTP uses Secure Shell (SSH) to transfer files. SFTP encrypts both commands and data, and prevents passwords and sensitive information from being transmitted openly over the network. All file transfer commands include SFTP support along with FTP and TFTP support.
  • Page 43: Boot Strict Mode

    When in boot strict mode, the switch uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) 1.2 protocols to ensure confidentiality of the data to and from the switch. By default, HTTP, Telnet, and SNMPv1 and SNMPv2 are disabled on the CN4093. Before enabling strict mode, ensure the following: ...
  • Page 44 Secure NTP does not comply with Acceptable NIST SP 800-131A specification. When in strict mode, secure NTP is disabled. However, it can be enabled, if required. SHA-256 or higher RSA/DSA 2048 or higher
  • Page 45 ARCFOUR HMAC-SHA1 HMAC-SHA1 HMAC-SHA1-96 HMAC-SHA1-96 HMAC-MD5 HMAC-MD5-96 TACACS+ TACACS+ does not comply with NIST Acceptable SP 800-131A specification. When in strict mode, TACACS+ is disabled. However, it can be enabled, if required.
  • Page 46: Acceptable Cipher Suites

    Acceptable Cipher Suites The following cipher suites are acceptable (listed in the order of preference) when the CN4093 10Gb Converged Scalable Switch is in compatibility mode: Table 5. List of Acceptable Cipher Suites in Compatibility Mode Cipher ID Key Authenticati...
  • Page 47: Configuring Strict Mode

      - Power ITEs and High-Availability features do not comply with NIST SP 800-131A specification.
      - The CN4093 will not discover Platform agents/Common agents that are not in strict mode.
      - Web browsers that do not use TLS 1.2 cannot be used. ...
  • Page 48: Configuring No-Prompt Mode

    For more details, see the Lenovo Flex System CN4093 10Gb Converged Scalable Switch Command Reference for Lenovo N/OS 8.3.
  • Page 49: Chapter 2. Initial Setup

    Chapter 2. Initial Setup To help with the initial process of configuring your switch, the Lenovo N/OS software includes a Setup utility. The Setup utility prompts you step-by-step to enter all the necessary information for basic configuration of the switch.
  • Page 50: Default Setup Options

    Enter n to abort Setup, or y to restart the Setup program at the beginning. Restarting Setup You can restart the Setup utility manually at any time by entering the following command at the administrator prompt: CN 4093(config)# setup
  • Page 51: Setup Part 1: Basic System Configuration

    If you decide not to configure VLANs during this session, you can configure them later using the configuration menus, or by restarting the Setup facility. For more information on configuring VLANs, see the Lenovo N/OS Application Guide. Next, the Setup utility prompts you to input basic system information.
  • Page 52 9. Turn Spanning Tree Protocol on or off at the prompt: Spanning Tree: Current Spanning Tree Group 1 setting: ON Turn Spanning Tree Group 1 OFF? [y/n] Enter y to turn off Spanning Tree, or enter n to leave Spanning Tree on.
  • Page 53: Setup Part 2: Port Configuration

    If you selected a port that has a Gigabit Ethernet connector, the system prompts: Port Auto Negotiation: Current Port EXT1 autonegotiation: Enter new value ["on"/"off"]: Enter on to enable port autonegotiation, off to disable it or press <Enter> to keep the current setting.
  • Page 54 To keep the current setting, press <Enter>. 6. The system prompts you to configure the next port: Enter port (INTA1-C14, EXT1-22): When you are through configuring ports, press <Enter> without specifying any port. Otherwise, repeat the steps in this section.
  • Page 55: Setup Part 3: Vlans

    Enter VLAN number from 2 to 4094, NULL at end: Repeat the steps in this section until all VLANs have been configured. When all VLANs have been configured, press <Enter> without specifying any VLAN.
  • Page 56: Setup Part 4: Ip Configuration

    IP interfaces are used for defining the networks to which the switch belongs. Up to 128 IP interfaces can be configured on the CN4093 10Gb Converged Scalable Switch (CN4093). The IP address assigned to each IP interface provides the switch with an IP presence on your network.
  • Page 57: Default Gateways

    4. The system prompts you to configure another default gateway: Enter default gateway number: (1-4) Repeat the steps in this section until all default gateways have been configured. When all default gateways have been configured, press <Enter> without specifying any number.
  • Page 58: Ip Routing

    Routing on more complex networks, where subnets may not have a direct presence on the CN4093, can be accomplished through configuring static routes or by letting the switch learn routes dynamically.
  • Page 59: Setup Part 5: Final Steps

    Enter y to discard the changes. Enter n to return to the “Apply the changes?” prompt. Note: After initial configuration is complete, it is recommended that you change the default passwords as shown in “Changing the Switch Passwords” on page ...
  • Page 60: Optional Setup For Telnet Support

    Optional Setup for Telnet Support Note: This step is optional. Perform this procedure only if you are planning on connecting to the CN4093 through a remote Telnet connection. 1. Telnet is enabled by default. To change the setting, use the following command: CN 4093(config)# no access telnet
  • Page 61: Chapter 3. Switch Software Management

    Chapter 3. Switch Software Management The switch software image is the executable code running on the CN4093. A version of the image comes pre-installed on the device. As new versions of the image are released, you can upgrade the software running on your switch. To get...
  • Page 62: Loading New Software To Your Switch

    Loading New Software to Your Switch The CN4093 can store up to two different switch software images (called image1 and image2) as well as special boot software (called boot). When you load new software, you must specify where it is placed: either into image1, image2 or boot.
  • Page 63: Loading Software Via Bbi

    The system prompts you to confirm your request. Once confirmed, the switch will reboot to use the new software. Loading Software via BBI You can use the Browser-Based Interface to load software onto the CN4093. The software image to load can reside in one of the following locations: ...
  • Page 64: The Boot Management Menu

      - To boot in recovery mode press R. For more details see “Boot Recovery Mode” on page
      - To restart the boot process from the beginning, press Q.
      - To exit the Boot Management menu, press E. The booting process continues.
  • Page 65: Boot Recovery Mode

    For more details, see “Physical Presence” on page
      - To restart the boot process from the beginning, press R.
      - To exit Boot Recovery Mode menu, press E. The boot process continues.
  • Page 66: Recover From A Failed Image Upgrade Using Tftp

    11. If the file is a software image, enter an image number: Install image as image 1 or 2 (hit return to just boot image): After the procedure is complete, the Recovery Mode menu will be re-displayed.
  • Page 67 Netmask : 255.255.255.128 Gateway : 10.241.6.66 Configuring management port....... Installing image CN4093-8.3.1.0_OS.img from TFTP server 10.72.97.135 Extracting images ... Do *NOT* power cycle the switch. Installing Application: Image signature verified. Install image as image 1 or 2 (hit return to just boot image): 2...
  • Page 68: Recovering From A Failed Image Upgrade Using Xmodem Download

    Change the baud rate back to 9600 bps, hit the <ENTER> key 9. Press <Enter> to start installing the image. If the file is a software image, enter the image number: Install image as image 1 or 2 (hit return to just boot image):
  • Page 69 T) Configure networking and tftp download an image X) Use xmodem 1K to serial download an image P) Physical presence (low security mode) R) Reboot E) Exit Option? : Boot image recovery is complete.
  • Page 70: Physical Presence

    Note: After the test is completed, the switch will be put in low security mode. This mode will allow you to install unofficial images on the switch. To revert to normal security mode, you must reboot the switch or press P again in the Recovery Mode menu.
  • Page 71: Part 2: Securing The Switch

    Part 2: Securing the Switch
  • Page 73: Chapter 4. Securing Administration

    Chapter 4. Securing Administration This chapter discusses different methods of securing local and remote administration on the CN4093 10Gb Converged Scalable Switch (CN4093):
      - “Changing the Switch Passwords” on page 73
      - “Secure Shell and Secure Copy” on page 74 ...
  • Page 74: Secure Shell And Secure Copy

    CN4093 over a network to execute management commands. SCP is typically used to copy files securely from one machine to another. SCP uses SSH for encryption of data on the network. On a CN4093, SCP is used to download and upload the switch configuration via secure channels.
  • Page 75: Configuring Ssh/Scp Features On The Switch

    -or- >> ssh [-4|-6] <login name>@<switch IP address> Note: The -4 option (the default) specifies that an IPv4 switch address will be used. The -6 option specifies IPv6. Example: >> ssh scpadmin@205.178.15.157
  • Page 76: To Copy The Switch Configuration File To The Scp Host

    putcfg_apply is done.
      - The putcfg_apply and putcfg_apply_save commands are provided because extra apply and save commands are usually required after a putcfg; however, an SCP session is not in an interactive mode.
  • Page 77: To Copy The Switch Image And Boot Files To The Scp Host

    To Load Switch Configuration Files from the SCP Host Syntax: >> scp [-4|-6] <local filename> <username>@<switch IP address>:putimg1 >> scp [-4|-6] <local filename> <username>@<switch IP address>:putimg2 >> scp [-4|-6] <local filename> <username>@<switch IP address>:putboot Example: >> scp 6.1.0_os.img scpadmin@205.178.15.157:putimg1
  • Page 78: Ssh And Scp Encryption Of Management Messages

    When the SSH server is first enabled and applied, the switch automatically generates the RSA host key and stores it in FLASH memory. To configure RSA host key, first connect to the CN4093 through the console port (commands are not available via external Telnet connection), and enter the following command to generate it manually.
  • Page 79: End User Access Control

      - If RADIUS authentication is used, the user password on the RADIUS server will override the user password on the CN4093. Also note that the password change command modifies only the user switch password on the switch and has no effect on the user password on the RADIUS server.
  • Page 80: User Access Control Menu

    “Strong Passwords” on page 79). Then use the following command: CN 4093(config)# access user strong-password lockout After multiple failed login attempts, the switch locks the user account if lockout has been enabled on the switch.
  • Page 81: Re-Enabling Locked Accounts

    Once an end user account is configured and enabled, the user can login to the switch, using the username/password combination. The level of switch access is determined by the Class of Service established for the end user account.
  • Page 82: Protected Mode

    AMM management port. If required, the functionality of new static IP configuration can also be disabled by turning off Protected Mode (CN 4093(config)# no protected-mode enable) and turning it back on (CN 4093(config)# protected-mode enable).
  • Page 83: Chapter 5. Authentication & Authorization Protocols

    IPv4 management and device access:
      - “RADIUS Authentication and Authorization” on page 84
      - “TACACS+ Authentication” on page 88
      - “LDAP Authentication and Authorization” on page 93
    Note: Lenovo N/OS 8.3 does not support IPv6 for RADIUS, TACACS+ or LDAP.
  • Page 84: Radius Authentication And Authorization

      - A client, in this case, the switch
    The CN4093, acting as the RADIUS client, communicates to the RADIUS server to authenticate and authorize a remote administrator using the protocol definitions specified in RFC 2138 and 2866. Transactions between the client and the RADIUS server are authenticated using a shared key that is not sent over the network.
  • Page 85: Configuring Radius On The Switch

    Configuring RADIUS on the Switch Use the following procedure to configure Radius authentication on your CN4093. 1. Turn RADIUS authentication on, then configure the Primary and Secondary RADIUS servers. CN 4093(config)# radius-server primary-host 10.10.1.1 CN 4093(config)# radius-server secondary-host 10.10.1.2 2. Configure the RADIUS secret.
  • Page 86: Switch User Accounts

    (other than management ports). PASSW0RD Administrator The super-user Administrator has complete access to all menus, information, and configuration (USERID) commands on the switch, including the ability to change both the user and administrator passwords.
  • Page 87: Radius Attributes For Lenovo N/Os User Privileges

    Secure backdoor provides access to the switch when the RADIUS servers cannot be reached. The default CN4093 setting for backdoor and secure backdoor access is disabled. Backdoor access is always enabled on the console port. Irrespective of backdoor being enabled or not, you can always access the switch via the console port by using noradius as radius username.
  • Page 88: Tacacs+ Authentication

    TACACS+ Authentication Lenovo N/OS supports authentication, authorization, and accounting with networks using the Cisco Systems TACACS+ protocol. The CN4093 functions as the Network Access Server (NAS) by interacting with the remote client and initiating authentication and authorization sessions with the TACACS+ access server.
  • Page 89: Tacacs+ Authentication Features In Lenovo N/Os

    Lenovo N/OS supports ASCII inbound login to the device. PAP, CHAP and ARAP login methods, TACACS+ change password requests, and one-time password authentication are not supported.
  • Page 90: Accounting

    If the authentication and authorization is not performed via TACACS+, there are no TACACS+ accounting messages sent out. You can use TACACS+ to record and track software login access, configuration changes, and interactive commands. The CN4093 supports the following TACACS+ accounting attributes:
      - protocol (console/telnet/ssh/http) ...
  • Page 91: Command Authorization And Logging

      - Command arguments are not sent for authorization.
      - Only executed commands are logged.
      - Invalid commands are checked by Lenovo N/OS, and are not sent for authorization or logging.
      - Authorization is performed on each leaf-level command separately. If the user issues multiple commands at once, each command is sent separately as a full path.
  • Page 92: Tacacs+ Password Change

    TACACS+ Password Change Lenovo N/OS supports TACACS+ password change. When enabled, users can change their passwords after successful TACACS+ authorization. Use the following command to enable or disable this feature: CN 4093(config)# [no] tacacs-server password-change Use the following commands to change the password for the primary and...
  • Page 93: Ldap Authentication And Authorization

    If the user-account name is John, the following is an example DN: uid=John,ou=people,dc=domain,dc=com Configuring the LDAP Server CN4093 user groups and user accounts must reside within the same domain. On the LDAP server, configure the domain to include CN4093 user groups and user accounts, as follows: ...
  • Page 94: Configuring Ldap Authentication On The Switch

    CN 4093(config)# ldap-server timeout 10 (enter the timeout period in seconds) 5. You may change the default LDAP attribute (uid) or add a custom attribute. For instance, Microsoft’s Active Directory requires the cn (common name) attribute. CN 4093(config)# ldap-server attribute username <1-128 alpha-numeric characters>
  • Page 95: Chapter 6. 802.1X Port-Based Network Access Control

    LAN port that has point-to-point connection characteristics. It prevents access to ports that fail authentication and authorization. This feature provides security to ports of the CN4093 10Gb Converged Scalable Switch (CN4093) that connect to blade servers.
  • Page 96: Extensible Authentication Protocol Over Lan

    Authentication Server: requesting identity information from the client, forwarding that information to the Authentication Server for validation, relaying the server’s responses to the client, and authorizing network access based on the results of the authentication exchange. The CN4093 acts as an Authenticator. ...
  • Page 97: Eapol Authentication Process

    [Figure: EAPOL authentication process. Labels: 802.1x Client; Server; IBM Switch, Authenticator (RADIUS Client); EAPOL, Ethernet; RADIUS-EAP, UDP/IP. Messages in the order shown: Port Unauthorized, EAPOL-Start, EAP-Request (Credentials), EAP-Response (Credentials), Radius-Access-Request, Radius-Access-Challenge, EAP-Request (Credentials), EAP-Response (Credentials), Radius-Access-Request, Radius-Access-Accept, EAP-Success, Port Authorized]
  • Page 98: Eapol Message Exchange

    The RADIUS authentication server chooses an EAP-supported authentication algorithm to verify the client’s identity, and sends an EAP-Request packet to the client via the CN4093 authenticator. The client then replies to the RADIUS server with an EAP-Response containing its credentials.
  • Page 99: Guest Vlan

      - The port is placed in the guest VLAN.
      - The Port VLAN ID (PVID) is changed to the Guest VLAN ID.
      - Port tagging is disabled on the port.
  • Page 100: Supported Radius Attributes

    The attribute must be untagged (the Tag field must be 0). 65 Tunnel-Medium- Only 802 (type 6) is currently Type supported (for 802.1X RADIUS VLAN assignment). The attribute must be untagged (the Tag field must be 0).
  • Page 101
      - Zero or one instance of this attribute MAY be present in a packet.
      - Exactly one instance of this attribute MUST be present in a packet.
      - One or more of these attributes MUST be present.
  • Page 102: Eapol Configuration Guidelines

    For example, if a CN4093 is connected to another CN4093, and if 802.1X is enabled on both switches, the two connected ports must be configured in force-authorized mode.
  • Page 103: Chapter 7. Access Control Lists

    Each filter defines the conditions that must match for inclusion in the filter, and also the actions that are performed when a match is made. Lenovo N/OS 8.3 supports the following ACLs:
      - IPv4 ACLs: Up to 256 ACLs are supported for networks that use IPv4 addressing.
  • Page 104: Summary Of Packet Classifiers

      - Destination IPv4 address and subnet mask
      - Type of Service value
      - IP protocol number or name as shown in Table
    Table 12. Well-Known Protocol Types Number Protocol Name icmp igmp ospf vrrp
  • Page 105 0x0001
      - Packet format (for regular ACLs and VMaps only)
        - Ethernet format (eth2, SNAP, LLC)
        - Ethernet tagging format
        - IP format (IPv4)
      - Egress port packets (for all ACLs)
  • Page 106: Summary Of Acl Actions

    Once classified using ACLs, the identified packet flows can be processed differently. For each ACL, an action can be assigned. The action determines how the switch treats packets that match the classifiers assigned to the ACL. CN4093 ACL actions include the following: ...
  • Page 107: Acl Groups

    The redundant entries are ignored.
      - Individual ACLs: The CN4093 supports up to 256 ACLs. Each ACL defines one filter rule for matching traffic criteria. Each filter rule can also include an action (permit or deny the packet). For example:...
  • Page 108: Acl Metering And Re-Marking

    You can configure the ACL to re-mark a packet as follows:
      - Change the DSCP value of a packet, used to specify the service level that traffic should receive.
      - Change the 802.1p priority of a packet.
  • Page 109: Acl Port Mirroring

    ACL statistics to check filter performance or to debug the ACL filter configuration. You must enable statistics for each ACL that you wish to monitor: CN 4093(config)# access-control list <ACL number> statistics
  • Page 110: Acl Configuration Examples

    CN 4093(config)# access-control list 2 ipv4 destination-ip-address 200.20.2.2 255.255.255.255 CN 4093(config)# access-control list 2 action deny 2. Add ACL 2 to port EXT2. CN 4093(config)# interface port EXT2 CN 4093(config-if)# access-control list 2 CN 4093(config-if)# exit
  • Page 111: Acl Example 3

    CN 4093(config)# access-control list 4 egress-port 3 CN 4093(config)# access-control list 4 action deny 2. Add ACL 4 to port EXT1. CN 4093(config)# interface port EXT1 CN 4093(config-if)# access-control list 4 CN 4093(config-if)# exit
  • Page 112: Vlan Maps

    Enable access control list statistics tcp-udp TCP and UDP filtering options The CN4093 supports up to 128 VMAPs. Individual VMAP filters are configured in the same fashion as regular ACLs, except that VLANs cannot be specified as a filtering criteria (unnecessary, since the VMAP are assigned to a specific VLAN or associated with a VM group VLAN).
  • Page 113: Vmap Example

    CN 4093(config)# access-control vmap 21 packet-format ethernet ethernet-type2
    CN 4093(config)# access-control vmap 21 mirror port 4
    CN 4093(config)# access-control vmap 21 action permit
    CN 4093(config)# vlan 3
    CN 4093(config-vlan)# vmap 21 intports
  • Page 114: Management Acls

    Use the following command to view the MACL configuration:
    CN 4093(config)# show access-control macl 1
    MACL 1 profile : Enabled
    IPv4
    - DST IP : 1.1.1.1/255.255.255.0
    TCP/UDP
    - DST Port : 111/0xffff
    Action : Permit
    Statistics : Enabled
  • Page 115: Part 3: Switch Basics

    Part 3: Switch Basics
    This section discusses basic switching functions:
      • VLANs
      • Port Aggregation
      • Spanning Tree Protocols (Spanning Tree Groups, Rapid Spanning Tree Protocol and Multiple Spanning Tree Protocol)
      • Quality of Service
  • Page 117: Chapter 8. Vlans

    Note: Basic VLANs can be configured during initial switch configuration (see “Using the Setup Utility” in the CN4093 Lenovo N/OS 8.3 Command Reference). More comprehensive VLAN configuration can be done from the Command Line Interface (see “VLAN Configuration” as well as “Port Configuration” in the CN4093 Lenovo N/OS 8.3 Command Reference).
  • Page 118: Vlans Overview

    Frames received in one VLAN can only be forwarded within that VLAN, and multicast, broadcast, and unknown unicast frames are flooded only to ports in the same VLAN. The CN4093 automatically supports jumbo frames. This default cannot be manually configured or disabled. The CN4093 10Gb Converged Scalable Switch (CN4093) supports jumbo frames with a Maximum Transmission Unit (MTU) of 9,216 bytes.
  • Page 119: Vlans And Port Vlan Id Numbers

    VLANs and Port VLAN ID Numbers VLAN Numbers Lenovo N/OS supports up to 4095 VLANs per switch. Even though the maximum number of VLANs supported at any given time is 4095, each can be identified with any number between 1 and 4094. VLAN 1 is the default VLAN for the external ports and the internal blade ports.
  • Page 120: Pvid/Native Vlan Numbers

    Note: The sample output that appears in this document might differ slightly from that displayed by your system. Output varies based on the type of blade chassis unit that you are using and the firmware versions and options that are installed.
  • Page 121 Each port on the switch can belong to one or more VLANs, and each VLAN can have any number of switch ports in its membership. Any port that belongs to multiple VLANs, however, must have VLAN tagging enabled (see “VLAN Tagging/Trunk Mode” on page 122).
  • Page 122: Vlan Tagging/Trunk Mode

    VLAN Tagging/Trunk Mode Lenovo N/OS software supports 802.1Q VLAN tagging, providing standards-based VLAN support for Ethernet systems. Tagging places the VLAN identifier in the frame header of a packet, allowing each port to belong to multiple VLANs. When you add a port to multiple VLANs, you also must enable tagging on that port.
  • Page 123 Port 5 is configured as a tagged member of VLAN 2, and port 7 is configured as an untagged member of VLAN 2. Note: The port assignments in the following figures are general examples and are not meant to match any specific CN4093. Figure 3. Port-based VLAN assignment
  • Page 124 Figure 5. 802.1Q tag assignment (labels: PVID = 2, tagged member of VLAN 2, untagged member of VLAN 2)
  • Page 125 [Figure legend: Priority (User_priority), Canonical format indicator, VLAN identifier] Note: Setting the configuration to factory default (CN 4093(config)# boot configuration-block factory) will reset all non-management ports to VLAN 1.
  • Page 126: Ingress Vlan Tagging

    By default, ingress tagging is disabled. To enable ingress tagging on a port, use the following commands:
    CN 4093(config)# interface port <number>
    CN 4093(config-if)# tagpvid-ingress
    Limitations
    Ingress tagging cannot be configured with the following features/configurations:
      • vNIC ports
      • VMready ports
      • UFP ports
      • Management ports
  • Page 127: Vlan Topologies And Design Considerations

    VLAN Topologies and Design Considerations
      • By default, the Lenovo N/OS software is configured so that tagging is disabled on all external ports and on all internal ports.
      • By default, the Lenovo N/OS software is configured so that all internal ports are members of VLAN 1.
  • Page 128: Example: Multiple Vlans With Tagging Adapters

    IP subnet as Server 2 and PC 5. The associated external switch port has tagging disabled. PC #3 A member of VLAN 1, this PC can only communicate with Server 2 and PC 5. The associated external switch port has tagging disabled.
  • Page 129 VLAN 1 and VLAN 2, and has tagging enabled. Note: VLAN tagging is required only on ports that are connected to other CN4093s or on ports that connect to tag-capable end-stations, such as servers with VLAN-tagging adapters.
  • Page 130: Protocol-Based Vlans

    VLAN. For example, if you delete PVLAN 1 from VLAN 2, port EXT1 remains a member of VLAN 2.
      • When you delete a port from a VLAN, the port is deleted from all corresponding PVLANs.
  • Page 131: Pvlan Priority Levels

    Consider the following guidelines when you configure protocol-based VLANs:
      • Each port can support up to 8 VLAN protocols.
      • The CN4093 can support up to 16 protocols simultaneously.
      • Each PVLAN must have at least one port assigned before it can be activated.
  • Page 132: Configuring Pvlan

    Type Ports vPorts ------- --------- ------- ---------------- ------------------ PVLAN Protocol FrameType EtherType Priority Status Ports ----- -------- --------- --------- -------- ------- -------------- Ether2 0800 enabled INTA1 INTA2 PVLAN PVLAN-Tagged Ports ----- --------------------------- none none
  • Page 133: Private Vlans

    Private VLANs can control traffic within a VLAN domain, and provide port-based security for host servers. Lenovo N/OS supports Private VLAN configuration as described in RFC 5517. Use Private VLANs to partition a VLAN domain into sub-domains. Each...
  • Page 134: Configuration Guidelines

    CN 4093(config-vlan)# private-vlan community
    CN 4093(config-vlan)# exit
    4. Map secondary VLANs to primary VLAN.
    CN 4093(config)# vlan 700-702
    CN 4093(config-vlan)# stg 1
    CN 4093(config-vlan)# exit
    CN 4093(config)# vlan 700
    CN 4093(config-vlan)# private-vlan association 701,702
    CN 4093(config-vlan)# exit
  • Page 135

    CN 4093(config-if)# switchport mode private-vlan
    CN 4093(config-if)# switchport private-vlan host-association 700 702
    CN 4093(config-if)# exit
    6. Verify the configuration.
    CN 4093(config)# show vlan private-vlan
    Primary Secondary Type Ports
    ------- --------- --------------- ---------------------------------
    isolated
    community
  • Page 137: Chapter 9. Ports And Link Aggregation (Lag)

    Chapter 9. Ports and Link Aggregation (LAG) LAGs can provide super-bandwidth, multi-link connections between the CN4093 10Gb Converged Scalable Switch (CN4093) and other LAG-capable devices. A LAG is a group of ports that act together, combining their bandwidth to create a single, larger virtual link.
  • Page 138: Configuring Port Modes

    A Reboot is required for the new settings to take effect. Note: Upgrade 1 and Upgrade 2 can be independently installed in any order. You can choose to install any one upgrade or both.
  • Page 139 External EXT22 EXTM Mgmt 4095 EXTM 4095 MGT1 Mgmt 4095 MGT1 4095 * = PVID/Native-VLAN is tagged. # = PVID is ingress tagged. = Trunk mode NVLAN = Native-VLAN
  • Page 140: Configuring Qsfp+ Ports

    Port EXT7, EXT8, EXT9, EXT10 - 10G Mode
    4. Reset the switch.
    CN 4093(config)# reload
    Remove the configured port from QSFP+ mode to reset the ports to 10GbE mode.
    CN 4093(config)# no boot qsfp-40Gports ext3
  • Page 141: Aggregation Overview

    Figure 9. Link Aggregation Group (LAG)
    LAGs are also useful for connecting a CN4093 to third-party devices that support link aggregation, such as Cisco routers and switches with EtherChannel technology (not ISL aggregation technology) and Sun's Quad Fast Ethernet Adapter.
  • Page 142: Static Lags

    All LAG members must be in the same Spanning Tree Group (STG) and can belong to only one Spanning Tree Group (STG). However, if all ports are tagged, then all LAG ports can belong to multiple STGs.
  • Page 143: Configuring A Static Lag

    Figure 10. LAG Configuration Example (labels: Application Switch, LAG 3: Ports 2, 12, and 22; Lenovo Blade Switch, LAG 1: Ports EXT1, EXT2, and EXT3)
    Prior to configuring each switch in the preceding example, you must connect to the appropriate switch’s Command Line Interface (CLI) as the administrator.
  • Page 144

    CN 4093(config)# portchannel 3 port 2,12,22
    CN 4093(config)# portchannel 3 enable
    LAG 1 (on the CN4093) is now connected to LAG 3 on the Application Switch.
    Note: In this example, a CN4093 and an application switch are used. If a...
  • Page 145: Configurable Lag Hash Algorithm

    Traffic in a LAG is statistically distributed among member ports using a hash process where various address and attribute bits from each transmitted frame are recombined to specify the particular LAG port the frame will use. The CN4093 uses the RTAG7 model for LAG hashing.
  • Page 146 Note: For MPLS packets, Layer 4 port information is excluded from the hash calculation. Instead, other IP fields are used, along with the first two MPLS labels. The CN4093 supports the following FCoE hashing options:
    CN 4093(config)# portchannel thash fcoe cntag-id...
  • Page 147: Link Aggregation Control Protocol

    LACP LAG fails, traffic is reassigned dynamically to the remaining link or links of the dynamic LAG. The CN4093 supports up to 16 ports in a single LACP LAG. It also supports a total of 64 LACP LAGs. Note: LACP implementation in Lenovo N/OS does not support the Churn machine, an option used to detect if the port is operable within a bounded time period between the actor and the partner.
  • Page 148: Lacp Modes

    LACP provides for the controlled addition and removal of physical links for the link aggregation.
    LACP Modes
    Each port in the CN4093 can have one of the following LACP modes.
      • off (default): The user can configure this port into a regular static LAG.
  • Page 149: Lacp Individual

    CN 4093(config-if)# interface portchannel lacp <LAG admin key>
    CN 4093(config-if)# [no] lacp suspend-individual
    Note: By default, ports are configured as below:
      • external ports with lacp suspend-individual
      • internal ports with no lacp suspend-individual
  • Page 150: Configuring Lacp

    4. Optionally allow member ports to individually participate in normal data traffic if no LACPDUs are received.
    CN 4093(config-if)# no lacp suspend-individual
    CN 4093(config-if)# exit
    5. Set the link aggregation as static, by associating it with LAG ID 65:
    CN 4093(config-if)# portchannel 65 lacp key 100
  • Page 151: Chapter 10. Spanning Tree Protocols

    When multiple paths exist between two points on a network, Spanning Tree Protocol (STP), or one of its enhanced variants, can prevent broadcast loops and ensure that the CN4093 10Gb Converged Scalable Switch (CN4093) uses only the most efficient network path.
  • Page 152: Spanning Tree Protocol Modes

    PVRST mode is based on RSTP to provide rapid Spanning Tree convergence, but supports instances of Spanning Tree, allowing one STG per VLAN. PVRST mode is compatible with Cisco R-PVST/R-PVST+ mode. PVRST is the default Spanning Tree mode on the CN4093. See “PVRST Mode” on page 153 for details.
  • Page 153: Pvrst Mode

    Spanning Tree automatically sets up another active path on the network to sustain network operations. Lenovo N/OS PVRST mode is based on IEEE 802.1w RSTP. Like RSTP, PVRST mode provides rapid Spanning Tree convergence. However, PVRST mode is enhanced for multiple instances of Spanning Tree. In PVRST mode, each VLAN may be automatically or manually assigned to one of 127 available STGs, with each STG acting as an independent, simultaneous instance of STP.
  • Page 154: Bridge Protocol Data Units

    When determining which port to use for forwarding and which port to block, the CN4093 uses information in the BPDU, including each bridge ID. A technique based on the “lowest root cost” is then computed to determine the most efficient path for forwarding.
  • Page 155: Port Priority

    To enable loop guard at the port level, enter the following command:
    CN 4093(config)# interface port <port alias or number>
    CN 4093(config-if)# spanning-tree guard loop
    The default state is “none”, i.e. disabled.
  • Page 156: Port Path Cost

    (via either external ports or internal Inter-Switch Links). Figure 11. Spanning Tree Blocking a Switch-to-Switch Link
  • Page 157 In this case, it is desired that STP block the link between the blade switches, and not one of the CN4093 uplinks or the Enterprise switch LAG. During operation, if one CN4093 experiences an uplink failure, STP will activate...
  • Page 158: Per-Vlan Spanning Tree Groups

    However, in the first network, since a single instance of Spanning Tree is running on all the ports of the CN4093, a physical loop is assumed to exist, and one of the VLANs is blocked, impacting connectivity even though no actual loop exists.
  • Page 159: Vlan And Stg Assignment

    If VASA is disabled, when you create a new VLAN, that VLAN automatically belongs to default STG 1. To place the VLAN in a different STG, assign it manually. VASA applies only to PVRST mode and is ignored in RSTP and MSTP modes.
  • Page 160: Manually Assigning Stgs

      • Tagged ports can belong to more than one STG, but untagged ports can belong to only one STG.
      • When a tagged port belongs to more than one STG, the egress BPDUs are tagged to distinguish the BPDUs of one STG from those of another STG.
  • Page 161: Adding And Removing Ports From Stgs

    VLAN members, Spanning Tree will be off on all ports belonging to that VLAN. The relationship between port, LAGs, VLANs and Spanning Trees is shown in Table 17 on page 153.
  • Page 162: Switch-Centric Configuration

    Switch C receives this BPDU on port 8 and is identified as participating in VLAN 3, STG 3. Since Switch C has no additional ports participating in STG 3, this BPDU is not forwarded to any additional ports and Switch A remains the designated root.
  • Page 163: Configuring Multiple Stgs

    1. Set the Spanning Tree mode on each switch to PVRST.
    CN 4093(config)# spanning-tree mode pvrst
    Note: PVRST is the default mode on the CN4093. This step is not required unless the STP mode has been previously changed, and is shown here merely as an example of manual configuration.
  • Page 164 VLAN 3 is automatically removed from STG 1. By default VLAN 1 remains in STG 1. Switch D does not require any special configuration for multiple Spanning Trees. Switch D uses default STG 1 only.
  • Page 165: Rapid Spanning Tree Protocol

      • STP parameters apply only to STG 1.
      • Only STG 1 is available. All other STGs are turned off.
      • All VLANs, including management VLANs, are moved to STG 1.
  • Page 166: Rstp Configuration Example

    CN 4093(config)# no spanning-tree stp 1 enable
    4. Configure port parameters:
    CN 4093(config)# interface port 3
    CN 4093(config-if)# spanning-tree stp 1 priority 240
    CN 4093(config-if)# spanning-tree stp 1 path-cost 500
    CN 4093(config-if)# no spanning-tree stp 1 enable
    CN 4093(config-if)# exit
  • Page 167: Multiple Spanning Tree Protocol

    VLANs. MSTP was originally defined in IEEE 802.1s (2002) and was later included in IEEE 802.1Q (2003). In MSTP mode, the CN4093 supports up to 32 instances of Spanning Tree, corresponding to STGs 1-32, with each STG acting as an independent, simultaneous instance of STP.
  • Page 168: Mstp Configuration Guidelines

    MSTP Configuration Examples
    MSTP Configuration Example 1
    This section provides steps to configure MSTP on the CN4093.
    1. Configure port and VLAN membership on the switch.
    2. Configure Multiple Spanning Tree region parameters and set the mode to MSTP.
  • Page 169: Mstp Configuration Example 2

    CN 4093(config)# spanning-tree mst configuration
    CN 4093(config-mst)# name MyRegion (Define the Region name)
    CN 4093(config-mst)# revision 100 (Define the Revision level)
    CN 4093(config-mst)# exit
    CN 4093(config)# spanning-tree mode mst (Set mode to Multiple Spanning Trees)
  • Page 170

    5 to VLAN 2. Add uplink ports 19 and 20 to VLAN 2. Assign VLAN 2 to STG 2.
    CN 4093(config)# interface port 3,4,5,19,20
    CN 4093(config-if)# switchport access vlan 2
    CN 4093(config-if)# exit
    Note: Each STG is enabled by default.
  • Page 171: Port Type And Link Type

    Note: Any STP port in full-duplex mode can be manually configured as a shared port when connected to a non-STP-aware shared device (such as a typical Layer 2 switch) used to interconnect multiple STP-aware devices.
  • Page 173: Chapter 11. Virtual Link Aggregation Groups

    The VLAG topology also responds more quickly to link failure and does not result in unnecessary MAC flooding. VLAGs are also useful in multi-layer environments for both uplink and downlink redundancy to any regular LAG-capable device. For example:
  • Page 174 For instance, in VLAG Peer C, a regular LAG is employed for the downlink connection to VLAG Peer B because only one of the VLAG Peer C switches is involved.
  • Page 175 For example: Figure 18. VLAG Application with VRRP. Note: VLAG is not compatible with UFP vPorts on the same ports.
  • Page 176: Vlag Capacities

      • PVRST/MSTP with one VLAG instance belonging to multiple VLANs/STGs: Maximum of 20 VLAG instances
    Note: VLAG is not supported in RSTP mode.
    Each type of aggregation can contain up to 16 member ports, depending on the port type and availability.
  • Page 177: Vlags Versus Port Lags

      • VLAGs are configured using additional commands.
      • It is recommended that end-devices connected to VLAG switches use NICs with dual-homing. This increases traffic efficiency, reduces ISL load and provides faster link failover.
  • Page 178: Configuring Vlags

      • Native VLAN tagging
      • Native VLAN/PVID
      • STP mode
      • BPDU Guard setting
      • STP port setting
      • MAC aging timers
      • Static MAC entries
      • ACL configuration parameters
      • QoS configuration parameters
  • Page 179: Basic Vlag Configuration

    In the following example configuration, only the configuration for VLAG 1 on VLAG Peer 1 is shown. VLAG Peer 2 and all other VLAGs are configured in a similar fashion.
  • Page 180: Configure The Isl

    Make sure you configure the VLAG peer (VLAG Peer 2) using the same ISL aggregation type (dynamic or static), the same VLAN and the same STP mode and tier ID used on VLAG Peer 1.
  • Page 181: Configure The Vlag

    VLAN, and STP mode and ID must be the same as on VLAG Peer 1.
    5. Enable VLAG globally.
    CN 4093(config)# vlag enable
    6. Verify the completed configuration:
    CN 4093(config)# show vlag information
  • Page 182: Vlag Configuration - Vlans Mapped To Msti

    Make sure you configure the VLAG peer (VLAG Peer 2) using the same ISL aggregation type (dynamic or static), the same VLAN for vLAG ports and vLAG ISL ports, and the same STP mode and tier ID used on VLAG Peer 1.
  • Page 183: Configure The Vlag

    For each corresponding VLAG on the peer, the port LAG type (dynamic or static), the port’s VLAN and STP mode and ID must be the same as on VLAG Peer 1.
    6. Verify the completed configuration:
    CN 4093# show vlag information
  • Page 184: Configuring Health Check

    Configuring Health Check We strongly recommend that you configure the CN4093 to check the health status of its VLAG peer. Although the operational status of the VLAG peer is generally determined via the ISL connection, configuring a network health check provides an alternate means to check peer status in case the ISL links fail.
  • Page 185: Vlags With Vrrp

    “OSPF” on page 447
    “Basic IP Routing” on page 373.
    3. Configure a server-facing interface.
    CN 4093(config)# interface ip 3
    CN 4093(config-ip-if)# ip address 10.0.1.10 255.255.255.0
    CN 4093(config-ip-if)# vlan 100
    CN 4093(config-ip-if)# exit
  • Page 186

    CN 4093(config-if)# switchport access vlan 100
    CN 4093(config-if)# exit
    CN 4093(config)# interface port 11
    CN 4093(config-if)# switchport access vlan 100
    CN 4093(config-if)# exit
    CN 4093(config)# interface port 12
    CN 4093(config-if)# switchport access vlan 100
    CN 4093(config-if)# exit
  • Page 187

    12. Assign the LAGs to the VLAGs:
    CN 4093(config)# vlag adminkey 1000 enable
    CN 4093(config)# vlag adminkey 1100 enable
    CN 4093(config)# vlag adminkey 1200 enable
    13. Verify the completed configuration:
    CN 4093(config)# show vlag
  • Page 188: Configure Vlag Peer 2

    CN 4093(config-if)# exit
    6. Configure the upstream ports.
    CN 4093(config)# interface port 1
    CN 4093(config-if)# switchport access vlan 30
    CN 4093(config-if)# exit
    CN 4093(config)# interface port 2
    CN 4093(config-if)# switchport access vlan 40
    CN 4093(config-if)# exit
  • Page 189

    CN 4093(config)# interface ip 2
    CN 4093(config-ip-if)# ip address 172.1.4.12 255.255.255.0
    CN 4093(config-ip-if)# vlan 40
    CN 4093(config-ip-if)# enable
    CN 4093(config-ip-if)# ip ospf area 1
    CN 4093(config-ip-if)# ip ospf enable
    CN 4093(config-ip-if)# exit
  • Page 190

    11. Assign the LAGs to the VLAGs:
    CN 4093(config)# vlag adminkey 1000 enable
    CN 4093(config)# vlag adminkey 1100 enable
    CN 4093(config)# vlag adminkey 1200 enable
    12. Verify the completed configuration:
    CN 4093(config)# show vlag
  • Page 191: Two-Tier Vlags With Vrrp

    VRRP passive mode on a switch, use the following command:
    CN 4093(config)# no vlag vrrp active
    To verify the currently configured vLAG VRRP mode you can use the following command:
    CN 4093(config)# show vlag vrrp
  • Page 192: Configuring Vlags In Multiple Layers

      • Ports on switches A and B connecting to switches C and D: ports 10, 11
      • Ports on switch B connecting to switch E: ports 15, 16
      • Ports on switch B connecting to switch F: ports 17, 18
  • Page 193

    CN 4093(config-if)# lacp key 500
    CN 4093(config-if)# lacp mode active
    CN 4093(config-if)# exit
    CN 4093(config)# vlag adminkey 500 enable
    Repeat these steps on Switch B for ports connecting to Layer 2/3 router 2.
  • Page 194

    CN 4093(config-if)# lacp mode active
    CN 4093(config-if)# exit
    7. Configure ISL between switches C and D, and between E and F as shown in Step 1.
    8. Configure the Switch G as shown in Step 2.
  • Page 195: Chapter 12. Quality Of Service

    [Figure labels: Meter, Re-Mark, Queue]
    The CN4093 uses the Differentiated Services (DiffServ) architecture to provide QoS functions. DiffServ is described in IETF RFC 2474 and RFC 2475. With DiffServ, you can establish policies for directing traffic. A policy is a traffic-controlling mechanism that monitors the characteristics of the traffic (for example, its source, destination, and protocol) and performs a controlling action on the traffic when certain characteristics are matched.
  • Page 196 The CN4093 can classify traffic by reading the DiffServ Code Point (DSCP) or IEEE 802.1p priority value, or by using filters to match specific criteria. When network traffic attributes match those specified in a traffic pattern, the policy instructs the CN4093 to perform specified actions on each packet that passes through it.
  • Page 197: Using Acl Filters

    Set the COS queue
    ACL Metering and Re-Marking
    You can define a profile for the aggregate traffic flowing through the CN4093 by configuring a QoS meter (if desired) and assigning ACL Groups to ports. When you add ACL Groups to a port, make sure they are ordered correctly in terms of precedence.
  • Page 198: Metering

    You can configure the ACL to re-mark a packet as follows:
      • Change the DSCP value of a packet, used to specify the service level traffic should receive.
      • Change the 802.1p priority of a packet.
  • Page 199: Using Dscp Values To Provide Qos

      • Re-mark the DSCP value to a new value
      • Map the DSCP value to an 802.1p priority
    Once the DSCP value is marked, the CN4093 can use it to direct traffic prioritization.
  • Page 200: Per-Hop Behavior

    QoS policies are built by applying a set of rules to packets, based on the DSCP value, as they hop through the network. The CN4093 default settings are based on the following standard PHBs, as defined in the IEEE standards:...
  • Page 201: Qos Levels

    DF, CS0
    DSCP Re-Marking and Mapping
    The CN4093 can re-mark the DSCP value of ingress packets to a new value, and set the 802.1p priority value, based on the DSCP value. You can view the settings by using the following command:...
  • Page 202: Dscp Re-Marking Configuration Example 1

    CN 4093(config-if)# dscp-marking
    CN 4093(config-if)# exit
    4. Enable DSCP re-marking globally.
    CN 4093(config)# qos dscp re-marking
    5. Assign the DSCP re-mark value.
    CN 4093(config)# qos dscp dscp-mapping 40 9
    CN 4093(config)# qos dscp dscp-mapping 46 9
  • Page 203

    7. Map priority value to COS queue for non-VoIP traffic.
    CN 4093(config)# qos transmit-queue mapping 1 1
    8. Assign weight to the non-VoIP COS queue.
    CN 4093(config)# qos transmit-queue weight-cos 1 2
  • Page 204: Using 802.1P Priorities To Provide Qos

    Using 802.1p Priorities to Provide QoS Lenovo N/OS provides Quality of Service functions based on the priority bits in a packet’s VLAN header. (The priority bits are defined by the 802.1p standard within the IEEE 802.1q VLAN header.) The 802.1p bits, if present in the packet, specify the priority that should be given to packets during forwarding.
  • Page 205: Queuing And Scheduling

    Queuing and Scheduling The CN4093 can be configured to have either 2 or 8 output Class of Service (COS) queues per port, into which each packet is placed. Each packet’s 802.1p priority determines its COS queue, except when an ACL action sets the COS queue of the packet.
  • Page 206: Control Plane Protection

    The following commands configure the control plane protection (CoPP) feature:
    Configure a queue for a protocol:
    CN 4093(config)# qos protocol-packet-control packet-queue-map <0-47> <protocol>
    Set the bandwidth for the queue, in packets per second:
    CN 4093(config)# qos protocol-packet-control rate-limit-packet-queue <0-47> <1-10000>
  • Page 207: Packet Drop Logging

    Once the packet drops stop, or if new packet drops are encountered only within 2 minutes after a syslog message, the switch does not display any more messages.
  • Page 209: Part 4: Advanced Switching Features

    Part 4: Advanced Switching Features
  • Page 211: Chapter 13. Stacking

    “ISCLI Stacking Commands” on page 237
    Stacking Overview
    A hybrid stack is a group of eight switches: two CN4093 10Gb Converged Scalable Switches and six EN4093R 10Gb Scalable Switches. A stack can also be formed with just two CN4093 10Gb Converged Scalable Switches.
  • Page 212: Stacking Requirements

    Stacking Requirements
    Before Lenovo N/OS switches can form a stack, they must meet the following requirements:
      • Switches in a hybrid stack must be of the model CN4093 10Gb Converged Scalable Switch or EN4093R 10Gb Scalable Switch.
      • In a hybrid stack, the EN4093R switches cannot act as Backup switches. You must use only the CN4093 10Gb Converged Scalable switches as the Master switch and Backup switch.
  • Page 213

      • Virtual Link Aggregation Groups (VLAG)
      • Virtual Router Redundancy Protocol (VRRP)
    Note: In stacking mode, switch menus and commands for unsupported features may be unavailable or may have no effect on switch operation.
  • Page 214: Stack Membership

    When this occurs, one Master switch will automatically be chosen as the active Master for the entire stack. The selection process is designed to promote stable, predictable stack operation and minimize stack reboots and other disruptions.
  • Page 215: Splitting And Merging One Stack

    If, while the stack is still split, the Backup (acting as Master) is explicitly reconfigured to become a regular Master, then when the split stacks are finally merged, the Master with the lowest MAC address will become the new active Master for the entire stack.
  • Page 216: Merging Independent Stacks

    8 of them can forward networking traffic, the rest having the data links disabled. Note: Do not merge hybrid stacks if the total number of CN4093 switches exceeds two units. Although all switches which are configured for stacking and joined by stacking...
  • Page 217: Backup Switch Selection

    Master does not reassert itself as the stack Master. Instead, the prior Master will assume a role as a secondary Backup to avoid further stack disruption. Upon stack reboot, the Master and Backup will resume their regular roles.
  • Page 218: No Backup

    It is recommended that asnum 1 and csnum 1 be used for identifying the Master switch. By default, csnum 1 is assigned to the Master. If csnum 1 is not available, the lowest available csnum is assigned to the Master.
  • Page 219: Configuring A Stack

    When in stacking mode, the highest QoS priority queue is reserved for internal stacking requirements. Therefore, only seven priority queues will be available for regular QoS use. Configure only as many QoS levels as necessary. This allows the best use of packet buffers.
  • Page 220: Stacking Vlans

    Although any VLAN (except VLAN 1) may be defined for stack traffic, it is highly recommended that the default, VLAN 4090 as shown in the following example, be reserved for stacking. CN 4093(config)# boot stack vlan 4090 4. On each switch, designate the stacking links.
  • Page 221 Note: Although stack link failover/failback is accomplished on a sub-second basis, to maintain the best stacking operation and avoid traffic disruption, it is recommended not to disrupt stack links after the stack is formed.
  • Page 222: Configuring A Management Ip Interface

    Management IP address on the backup switch, must be in the same subnet. Note: In case of a stack split, the floating IP cannot be used anymore due to duplicate IP address issue.
  • Page 223: Additional Master Configuration

    CN 4093(config)# show stack switch Stack name: STK Local switch: csnum - 74:99:75:21:8c:00 UUID - 98c587636548429aba5010f8c62d4e27 Bay Number Switch Type - 14 (CN4093) Chassis Type - 6 (Flex Enterprise) Switch Mode (cfg) - Member (backup) Priority - 245 Stack MAC - 74:99:75:21:8d:1f...
  • Page 224: Binding Members To The Stack

    To define a Member switch as a Backup (optional) which will assume the Master role if the Master switch fails, execute the following command: CN 4093(config)# stack backup <csnum> -or- CN 4093(config)# stack bind
  • Page 225: Managing A Stack

    (Reboot only the stack Master) CN 4093(config)# reload switch <csnum list> (Reboot only the listed switches) Note: If no backup switch is present in the stack, the reload master command will reboot all switches.
  • Page 226: Rebooting Stacked Switches Using The Bbi

    Master. For example, if the new image is loaded into image 1 on the Master switch, the Master will push the same firmware to image 1 on each Member switch.
  • Page 227: Upgrading Software In A Stack

    Converting an EN4093R Stack to a Hybrid Stack Use the following procedure to install software on a stack of EN4093R switches that will be combined with CN4093 switches to form a hybrid stack (up to two CN4093 and up to six EN4093R switches): 1.
  • Page 228: Replacing Or Removing Stacked Switches

    1. Make sure the new switch meets the stacking requirements on page 212. 2. Place the new switch in its determined place according to the CN4093 10Gb Converged Scalable Switch Installation Guide. 3. Connect to the ISCLI of the new switch (not the stack interface) 4.
  • Page 229 9. Attach the desired network cables to the new switch. 10. Reboot the new switch: CN 4093(config)# reload When the new switch boots, it will join the existing stack. Wait for this process to complete.
  • Page 230: Binding The New Switch To The Stack

    CN 4093(config)# stack switch-number <csnum> bind <asnum> -or- CN 4093(config)# stack bind Note: If replacing the Master switch, the Master will not assume control from the Backup unless the Backup is rebooted or fails.
  • Page 231: Performing A Rolling Reload Or Upgrade

    IP address from which the firmware is being copied; filename is the name of the firmware file that is being copied; delay is the delay between each reload, in minutes
  • Page 232 CN 4093(config)# copy {tftp|ftp|sftp} boot-image {address <IP address>} {filename <image filename>} 2. Load the firmware image with a staggered copy: CN 4093(config)# copy {tftp|ftp|sftp} {image1|image2} {address <IP address>} {filename <image filename>} staggered-upgrade [delay <2-20 minutes>]
  • Page 233: Saving Syslog Messages

    <switch number> The configured switch number. If no number is supplied, the command applies to the master switch. address The IP address of the TFTP host. filename The filename on the TFTP host.
  • Page 234 <severity> configures the severity of logs to be sent to the console. To configure the severity of syslogs written to flash, use the command: CN 4093(config)# logging buffer severity <severity (0-7)> where <severity> configures the severity of logs to be written to flash.
  • Page 235: Flexible Port Mapping In Stacking

    Resets the port map configuration to the default settings for the whole stack. If a configured switch number is specified, the command will reset the port map configuration only for the selected stack switch.
  • Page 236 3:21 3:22 3:23 3:24 3:25 3:26 3:27 3:28 3:29 3:30 3:31 3:32 3:33 3:34 3:35 3:36 3:37 3:38 3:39 3:40 3:41 3:42 3:43 3:44 3:45 3:49 3:53 3:54 3:55 3:56 3:57 3:58 3:59 3:60 3:61 3:62 3:63 3:64 Unmapped ports:
  • Page 237: Iscli Stacking Commands

    ISCLI Stacking Commands Stacking-related ISCLI commands are listed here. For details on specific commands, see the CN4093 10Gb Converged Scalable Switch Command Reference.
      [no] boot stack enable
      boot stack higig-trunk <port alias or number>
      boot stack mode {master|member} [<asnum>|master|backup|all]
      ...
  • Page 238
  • Page 239: Chapter 14. Virtualization

    Virtualization allows resources to be allocated in a fluid manner based on the logical needs of the data center, rather than on the strict, physical nature of components. The following virtualization features are included in Lenovo N/OS 8.3 on the CN4093 10Gb Converged Scalable Switch (CN4093):...
  • Page 240 NIC or to a Converged Network Adapter (CNA). UFP provides a switch fabric component to control the NIC. For details on this feature, see “Unified Fabric Port” on page 341. Lenovo N/OS virtualization features provide a highly-flexible framework for allocating and managing switch resources.
  • Page 241: Chapter 15. Virtual Nics

    A CN4093 with Lenovo N/OS 8.3 supports the Emulex Virtual Fabric Adapter (VFA) 2-port 10Gb LOM and Emulex Virtual Fabric Adapter (Fabric Mezz) for Lenovo Flex System to provide the following vNIC features: Up to four vNICs are supported on each internal switch port.
  • Page 242: Vnic Ids On The Switch

    Physical NIC (PNIC) mode, in which case vNIC features are non-applicable. vNIC IDs on the Switch Lenovo N/OS 8.3 supports up to four vNICs attached to each internal switch port. Each vNIC is provided its own independent virtual pipe on the port.
  • Page 243: Vnic Interface Names On The Server

    ID Function ID Pipe First ASIC Bay 1 INTAx.1 Bay 1 INTAx.2 Bay 1 INTAx.3 Bay 1 INTAx.4 Bay 2 INTAx.1 Bay 2 INTAx.2 Bay 2 INTAx.3 Bay 2 INTAx.4
  • Page 244 INTAx.2 Bay 4 INTAx.3 Bay 4 INTAx.4 Table 24. vNIC ID Correlation PCIe NIC Port Switch Slot vNIC vNIC ID Function ID Pipe Second ASIC Bay 3 INTBx.1 Bay 3 INTBx.2 Bay 3 INTBx.3
  • Page 245 In this, the x in the vNIC ID represents the internal switch port and its corresponding server node of the vNIC pipe. Each physical NIC port is connected to a different switch bay in the blade chassis.
  • Page 246: Vnic Uplink Modes

    Effectively, each vNIC group is a VLAN, which you can assign by configuring the VLAN to the vNIC group. You must enable the tag configuration on the uplink port. For details, see “vNIC Groups in Shared Mode” on page 251.
  • Page 247 Failover: An uplink up/event can trigger the failover state change only of one vNIC group. | An uplink up/event can trigger the failover state change of multiple vNIC groups.
  • Page 248: Vnic Bandwidth Metering

    Bandwidth Metering Lenovo N/OS 8.3 supports bandwidth metering for vNIC traffic. By default, each of the four vNICs on any given port is allowed an equal share (25%) of NIC capacity when enabled. However, you may configure the percentage of available switch port bandwidth permitted to each vNIC.
  • Page 249: Vnic Groups

    Lenovo N/OS 8.3 supports up to 32 independent vNIC groups. To enforce group boundaries, each vNIC group is assigned its own unique VLAN. The VLAN configured for the vNIC group will be automatically assigned to member vNICs, ports and LAGs and should not be manually configured for those elements.
  • Page 250: Vnic Groups In Dedicated Mode

    Within the CN4093, all Layer 2 switching for packets within a vNIC group is based on the outer vNIC group VLAN. The CN4093 does not consider the regular, inner VLAN ID (if any) for any VLAN-specific operation.
  • Page 251: Vnic Groups In Shared Mode

    Within the CN4093, all Layer 2 switching for packets within a vNIC group is based on the outer vNIC group VLAN. The CN4093 does not consider the regular, inner VLAN ID (if any) for any VLAN-specific operation.
  • Page 252: Vnic Teaming Failover

    To avoid disrupting vNICs that have not lost their external uplinks, N/OS 8.3 and the Emulex Virtual Fabric Adapter for Lenovo Flex System provide vNIC-aware failover. In the dedicated mode, when a vNIC group’s external uplink ports fail, the switch cooperates with the affected NIC to prompt failover only on the appropriate vNICs.
  • Page 253 By default, vNIC Teaming Failover is disabled on each vNIC group, but can be enabled or disabled independently for each vNIC group using the following commands: CN 4093(config)# vnic vnicgroup <group number> CN 4093(vnic-group-config)# failover
  • Page 254: Vnic Configuration Example

    Other enabled vNICs (INTA2.1, INTA2.2, and INTA3.2) are permitted the default bandwidth of 25% (2.5Gbps) on their respective ports. All remaining vNICs are disabled (by default) and are automatically allocated 0 bandwidth.
  • Page 255 When a vNIC is added to the vNIC group (in the next step), the switch will prompt you to confirm automatically enabling the vNIC if it is not yet enabled (shown for INT3.2). Note: vNICs are not supported simultaneously on the same switch ports as VMready.
  • Page 256 CN 4093(vnic-group-config)# exit Once VLAN 1000 and 1774 are configured for vNIC groups, they will not be available for regular configuration. Note: vNICs are not supported simultaneously on the same switch ports as VMready.
  • Page 257: Vnics For Iscsi On Emulex Virtual Fabric Adapter

    Emulex Virtual Fabric Adapter The N/OS vNIC feature works with standard network applications like iSCSI as previously described. However, the Emulex Virtual Fabric Adapter for Lenovo Flex System expects iSCSI traffic to occur only on a single vNIC pipe. When using the Emulex Adapter 2, only vNIC pipe 2 may participate in iSCSI.
  • Page 258: Vnics For Fcoe Using The Emulex Vfa

    FCoE Using the Emulex VFA Similar to the iSCSI application, when using the Emulex VFA for Lenovo chassis systems, FCoE traffic is expected to occur only on vNIC pipe 2. In this case, the additional vNIC configuration for FCoE support is minimal.
  • Page 259: Chapter 16. Vmready

    VMs can even migrate between host hypervisors, moving to different physical hosts while maintaining their virtual identity and services. The Lenovo N/OS 8.3 VMready feature supports up to 4096 VEs in a virtualized data center environment. The switch automatically discovers the VEs attached to switch ports, and distinguishes between regular VMs, Service Console Interfaces,...
  • Page 260: Vm Group Types

    The elements within a VM group automatically share certain group-level settings. Lenovo N/OS 8.3 supports up to 4096 VM groups. There are two different types: Local VM groups are maintained locally on the switch. Their configuration is not...
  • Page 261: Distributed Vm Groups

    Distributed VM Groups Distributed VM groups allow configuration profiles to be synchronized between the CN4093 and associated hypervisors and VEs. This allows VE configuration to be centralized, and provides for more reliable VE migration across hypervisors. Using distributed VM groups requires a virtualization management server. The management server acts as a central point of access to configure and maintain multiple hypervisors and their VEs (VMs, virtual switches, and so on).
  • Page 262: Vm Profiles

    VLAN, VMs, or port members). Any VM group number currently configured for a local VM group (see “Local VM Groups” on page 260) cannot be converted and must be deleted before it can be used for a distributed VM group.
  • Page 263: Assigning Members

    Lenovo_Default_<index number> in case of vDS) port group in VLAN 0 (zero). Traffic shaping will be disabled for the VE. All other properties will be reset to default values inherited from the virtual switch.
  • Page 264: Vmcheck

    VMcheck The CN4093 primarily identifies virtual machines by their MAC addresses. An untrusted server or a VM could identify itself by a trusted MAC address leading to MAC spoofing attacks. Sometimes, MAC addresses get transferred to another VM, or they get duplicated.
  • Page 265: Advanced Validation

    CN 4093# no virt vmcheck acl [mac-address [<port number>]|port] Delete ACL(s): all ACLs/an ACL by MAC address ((optional) and port number)/all ACLs installed on a port
  • Page 266: Virtual Distributed Switch

    CN 4093# virt vmware dvswitch add <datacenter name> <dvSwitch name> [<dvSwitch-version>] Prerequisites Before adding a vDS on the CN4093, ensure the following: VMware vCenter is fully installed and configured and includes a “bladevm” administration account and a valid SSL certificate.
  • Page 267: Migrating To Vds

    Migrating to vDS You can migrate VMs to the vDS using vCenter. The migration may also be accomplished using the operational commands on the CN4093 available in the following CLI menus: For VMware vDS operations: CN 4093# virt vmware dvswitch ?
  • Page 268: Virtualization Management Servers

    Note: By default, the vCenter includes only a self-signed SSL certificate. If using the default certificate, the noauth option is required. Once the vCenter configuration has been applied on the switch, the CN4093 will connect to the vCenter to collect VE information.
  • Page 269: Vcenter Scans

    Deleting the assigned vCenter prevents synchronizing the configuration between the CN4093 and VEs. VEs already operating in distributed VM groups will continue to function as configured, but any changes made to any VM profile or distributed VM group on the switch will affect only switch operation;...
  • Page 270: Vmware Operational Commands

    (the administrator must assign uplinks using VMware management tools. VMware Operational Commands The CN4093 may be used as a central point of configuration for VMware virtual switches and port groups using the VMware operational menu, available with the following ISCLI privileged EXEC commands:...
  • Page 271: Vlan Maps

    TCP and UDP filtering options Lenovo N/OS 8.3 supports up to 128 VMAPs. Individual VMAP filters are configured in the same fashion as regular ACLs, except that VLANs cannot be specified as filtering criteria (unnecessary, since VMAPs are assigned to a specific VLAN or associated with a VM group VLAN).
  • Page 272: Vm Policy Bandwidth Control

    When txrate is specified, the switch automatically selects an available ACL for internal use with bandwidth control. Optionally, if automatic ACL selection is not desired, a specific ACL may be selected. If there are no unassigned ACLs available, txrate cannot be configured.
  • Page 273: Bandwidth Policies Vs. Bandwidth Shaping

    CN4093. VM Policy Bandwidth Control is configured per VE, and can be set independently for transmit and receive traffic. Bandwidth policies are enforced by the CN4093. VE traffic that exceeds configured levels is dropped by the switch upon ingress (for txrate) or before egress (for rxrate).
  • Page 274: Vcenter Hypervisor Hosts

    UUID of all VMware hosts, providing an essential overview of the data center: CN 4093# show virt vmware hosts UUID Name(s), IP Address --------------------------------------------------------------- 00a42681-d0e5-5910-a0bf-bd23bd3f7800 172.16.41.30 002e063c-153c-dd11-8b32-a78dd1909a00 172.16.46.10 00f1fe30-143c-dd11-84f2-a8ba2cd7ae00 172.16.44.50 0018938e-143c-dd11-9f7a-d8defa4b8300 172.16.46.20
  • Page 275: Vcenter Ves

    CN 4093# show virt vmware vms UUID Name(s), IP Address ---------------------------------------------------------------------- 001cdf1d-863a-fa5e-58c0-d197ed3e3300 30vm1 001c1fba-5483-863f-de04-4953b5caa700 VM90 001c0441-c9ed-184c-7030-d6a6bc9b4d00 VM91 001cc06e-393b-a36b-2da9-c71098d9a700 vm_new 001c6384-f764-983c-83e3-e94fc78f2c00 sturgeon 001c7434-6bf9-52bd-c48c-a410da0c2300 VM70 001cad78-8a3c-9cbe-35f6-59ca5f392500 VM60 001cf762-a577-f42a-c6ea-090216c11800 30VM6 001c41f3-ccd8-94bb-1b94-6b94b03b9200 halibut, localhost.localdomain, 172.16.46.15 001cf17b-5581-ea80-c22c-3236b89ee900 30vm5 001c4312-a145-bf44-7edd-49b7a2fc3800 001caf40-a40a-de6f-7b44-9c496f123b00 30VM7
  • Page 276: Vcenter Ve Details

    --------------------------------------------------------------------- MAC Address 00:50:56:9c:21:2f Port Type Virtual Machine VM vCenter Name halibut VM OS hostname localhost.localdomain VM IP Address 172.16.46.15 VM UUID 001c41f3-ccd8-94bb-1b94-6b94b03b9200 Current VM Host 172.16.46.10 Vswitch vSwitch0 Port Group BNT_Default VLAN ID
  • Page 277: Vmready Configuration Example

    Note: If the VM group contains ports which also exist in other VM groups, tagging should be enabled in both VM groups. In this example configuration, no ports exist in more than one VM group.
  • Page 278
  • Page 279: Chapter 17. Fcoe And Cee

    Chapter 17. FCoE and CEE This chapter provides conceptual background and configuration examples for using Converged Enhanced Ethernet (CEE) features of the CN4093 10Gb Converged Scalable Switch, with an emphasis on Fibre Channel over Ethernet (FCoE) solutions. The following topics are addressed in this chapter:...
  • Page 280: Fibre Channel Over Ethernet

    Fibre Channel Node Port Virtualized (NPV) switch may perform the FCF function. Although it may be possible to use an external FCF device, this chapter focuses on using the built-in Fibre Channel features of the CN4093 itself.
  • Page 281: Fcoe Requirements

    Network Adapter (CNA) known in Fibre Channel as an Ethernet Node (ENode). Note: The figure also shows a non-FCoE LAN server connected to the CN4093 using a CNA. This allows the LAN server to take advantage of some CEE features that are useful even outside of an FCoE environment.
  • Page 282: Converged Enhanced Ethernet

    Turning CEE On or Off By default on the CN4093, CEE is turned off. To turn CEE on or off, use the following ISCLI configuration mode commands: CN 4093(config)# [no] cee enable CAUTION: Turning CEE on will automatically change some 802.1p QoS and 802.3x standard...
  • Page 283: Effects On 802.1P Quality Of Service

    Effects on 802.1p Quality of Service While CEE is off (the default), the CN4093 allows 802.1p priority values to be used for Quality of Service (QoS) configuration (see “Quality of Service” on page 195). 802.1p QoS default settings are shown in...
  • Page 284: Effects On Flow Control

    If flow control is required on additional priorities on any given port, consider using standard flow control on that port, so that regardless of which priority traffic becomes congested, a flow control frame is generated.
  • Page 285: Fcoe Initialization Protocol Snooping

    The following are required for implementing the FIP snooping bridge feature: The CN4093 must be connected to the Fibre Channel network through an FCF such as a Lenovo RackSwitch G8264CS, another Lenovo CN4093 10Gb Converged Scalable Switch or a Cisco Nexus 5000 Series Switch.
  • Page 286: Port Aggregation

    ETS or DCBX configurations, the switch will display an error. Global FIP Snooping Settings By default, the FIP snooping feature is turned off for the CN4093. The following commands are used to turn the feature on or off: CN 4093(config)# [no] fcoe fips enable Note: FIP snooping requires CEE to be turned on (see “Turning CEE On or Off”...
  • Page 287: Fips Lag Support On Server Ports

    ENodes will be installed. When the mode is changed (either through manual configuration or as a result of automatic detection), the appropriate ACLs are automatically added, removed, or changed to reflect the new FCF or ENode connection.
  • Page 288: Fcoe Connection Timeout

    When an FCoE connection logs out, or times out (if ACL timeout is enabled), the related ACLs will be automatically removed. FCoE-related ACLs are independent of manually configured ACLs used for regular Ethernet purposes. FCoE ACLs generally have a higher priority over standard ACLs.
  • Page 289: Fcoe Vlans

    The administrator can also view other FCoE information: CN 4093# show fcoe fips fcf (Show all detected FCFs) CN 4093# show fcoe fips fcoe (Show all FCoE connections)
  • Page 290: Operational Commands

    “Turning CEE On or Off” on page 282). 4. Turn global FIP snooping on: CN 4093(config)# fcoe fips enable 5. Disable FIP snooping on all non-FCoE external ports: CN 4093(config)# no fcoe fips port INTA2-EXT21 enable
  • Page 291 Note: By default, FIP snooping is enabled on all ports and the FCF mode set for automatic detection. The configuration in this step is unnecessary if default settings have not been changed, and is shown merely as a manual configuration example. 7. Save the configuration.
  • Page 292: Priority-Based Flow Control

    LAN application. Note: For any given port, only one flow control method can be implemented at any given time: either PFC or standard IEEE 802.3x flow control.
  • Page 293: Global Vs. Port-By-Port Pfc Configuration

    Port-by-port PFC configuration is desirable in most mixed environments where some CN4093 ports are connected to CEE-capable (FCoE) switches, gateways, and Converged Network Adapters (CNAs), and other CN4093 ports are connected to non-CEE Layer 2/Layer 3 switches, routers and Network Interface Cards (NICs).
  • Page 294: Pfc Configuration Example

    In this example, PFC is to facilitate lossless traffic handling for FCoE (priority value 3) and a business-critical LAN application (priority value 4). Assuming that CEE is off (the CN4093 default), the example topology shown in Table 29 on page 294 can be configured using the following commands: 1.
  • Page 295 CN 4093(config)# cee port INTA2 pfc priority 4 description "Critical LAN" CN 4093(config)# cee port EXT1 pfc priority 4 enable (LAN priority) CN 4093(config)# cee port EXT1 pfc priority 4 description "Critical LAN" 4. Save the configuration.
  • Page 296: Enhanced Transmission Selection

    802.1p priority values may be assigned by the administrator for a variety of purposes. However, when CEE is turned on, the CN4093 sets the initial default values for ETS configuration as follows: Figure 33.
  • Page 297: Priority Groups

    Note: The default assignment of 802.1p priority values on the CN4093 changes depending on whether CEE is on or off. See “Turning CEE On or Off” on page 282 for details.
  • Page 298: Assigning Priority Values To A Priority Group

    Note: The total bandwidth allocated to PGID 0 through 7 must equal exactly 100%. Reducing the bandwidth allocation of any group will require increasing the allocation to one or more of the other groups (see “Allocating Bandwidth” on page 299).
  • Page 299: Allocating Bandwidth

    Note: Consider traffic load when assigning priority values to PGID 15. Heavy traffic in this group may restrict the bandwidth available to other groups.
  • Page 300: Configuring Ets

    Note: DCBX may be configured to permit sharing or learning PFC configuration with or from external devices. This example assumes that PFC configuration is being performed manually. See “Data Center Bridging Capability Exchange” on page 302 for more information on DCBX.
  • Page 301 CN 4093(config)# cee global ets priority-group pgid 15 description "Network Management" Note: Priority group 15 is permitted unlimited bandwidth. As such, the commands for priority group 15 do not include bandwidth allocation. 4. Save the configuration.
  • Page 302: Data Center Bridging Capability Exchange

    DCBX provides two main functions on the CN4093: Peer information exchange: The switch uses DCBX to exchange information with connected CEE devices. For normal operation of any FCoE implementation on the CN4093, DCBX must remain enabled on all ports participating in FCoE. Peer configuration negotiation...
  • Page 303: Enabling And Disabling Dcbx

    When this flag is set for a particular feature, the switch settings will be transmitted to the remote CEE peer. If the peer is capable of the feature, and willing to accept the CN4093 settings, it will be automatically reconfigured to match the switch. The willing flag...
  • Page 304: Configuring Dcbx

    All other ports are disabled or are connected to non-CEE devices. In this example, the CN4093 acts as the central point for CEE configuration. FCoE-related ports will be configured for advertising CEE capabilities, but not to accept external configuration. Other LAN ports that use CEE features will also be configured to advertise feature settings to remote peers, but not to accept external configuration.
  • Page 305 CN 4093(config)# cee port EXT1 dcbx ets advertise CN 4093(config)# cee port EXT1 dcbx pfc advertise 4. Disable DCBX for each non-CEE port as appropriate: CN 4093(config)# no cee port INTA3-INTC14,EXT2-EXT22 dcbx enable 5. Save the configuration.
  • Page 306: Fcoe Example Configuration

    Figure 34 on page 306, a Fibre Channel network is connected to the CN4093 on port EXT22. The FCoE-enabled CN4093 is internally connected to a blade server (ENode) through an FCoE-enabled CNA on port INTA1. An internal FCF bridges the networks.
  • Page 307 CN 4093(config)# cee global ets priority-group pgid 15 description "Network Management" Note: Priority group 15 is permitted unlimited bandwidth. As such, the commands for priority group 15 do not include bandwidth allocation.
  • Page 308 309. Although VLAN properties for Fibre Channel and FCoE can be configured together, the additional Fibre Channel elements for this configuration are included at the end of this example in order to focus on the FCoE steps. 14. Save the configuration.
  • Page 309: Chapter 18. Fibre Channel

    Chapter 18. Fibre Channel This chapter describes how to configure the CN4093 for use with Fibre Channel networks. Ethernet vs. Fibre Channel As a converged switch, the CN4093 10Gb Converged Scalable Switch provides simultaneous support of Ethernet and Fibre Channel networks.
  • Page 310: Supported Switch Roles

    NPV Gateway As a Node Port Virtualized (NPV) gateway, the CN4093 can act as a Fibre Channel collector, connecting numerous Fibre Channel end-point devices (known as nodes) for uplink to a Fibre Channel full fabric switch, performing stateless FC/FCoE encapsulation and decapsulation.
  • Page 311: Full-Fabric Fc/Fcoe Switch

    Fibre Channel IDs, enforces port security among zones, and informs neighboring devices of network changes. When acting as a full-fabric switch, the CN4093 can be connected to NPV gateways or directly to Fibre Channel nodes. In full-fabric mode, the CN4093 can be connected directly to another full fabric CN4093 or a Lenovo RackSwitch G8264CS through Fibre Channel ISL.
  • Page 312: Implementing Fibre Channel

    Note: Use only the ISCLI or BBI to configure Fibre Channel. Lenovo N/OS CLI is not supported. After configuring Fibre Channel, save any subsequent configurations only in ISCLI or BBI. If Lenovo N/OS CLI is used to save any switch configuration, the Fibre Channel configuration will be lost.
  • Page 313: Fibre Channel Vlans

    CN 4093(config)# [no] system port <low port>-<high port> type fc Fibre Channel VLANs On the CN4093, each Fibre Channel network connected to the switch must be assigned its own VLAN. For each VLAN used with Fibre Channel, the following properties must be defined:...
  • Page 314: Switching Mode

    Full fabric mode The CN4093 supports up to 12 Fibre Channel VLANs at any given time. Only one mode can be active on any specific VLAN at a given time, and only one VLAN can operate in full fabric mode.
  • Page 315: Npv Gateway

    NPV Gateway As a Node Port Virtualized (NPV) gateway, the CN4093 can act as a Fibre Channel collector, connecting numerous Fibre Channel end-point devices (known as nodes) for uplink to a Fibre Channel full fabric switch, performing stateless FC/FCoE encapsulation and decapsulation. For more details, see “NPV Gateway”...
  • Page 316: Limitations

    Other CNAs (such as Qlogic) store FCF information and try to login to the same FCF (uplink), so they are not balanced. Servers with AIX Operating Systems also can't be load-balanced for this reason.
  • Page 317: Full Fabric Mode

    311. Full Fabric Zoning The CN4093 supports Fibre Channel zones and zonesets for VLANs operating in full fabric mode. In NPV gateway mode, zoning is controlled by the upstream full fabric switch and is not configurable in the NPV gateway VLAN.
  • Page 318 Fibre Channel initiators and targets. The CN4093 supports up to 64 zones per zoneset, each with up to 20 member devices. However, when an FC alias is used, only 10 devices can be members of a zone.
  • Page 319 CN 4093(config)# [no] zoneset activate name <zoneset name> View the settings for the active zoneset: CN 4093# show zoneset active View the settings for the pending configuration changes: CN 4093# show zoneset
  • Page 320: E_Ports

    Set contains Zones that are not included in the Adjacent Zone Set. Zone Set is the merge of the local Zones plus the Adjacent Zones.
    E-ports cannot be used to form stack LAG links.
  • Page 321: Optimized Fcoe Traffic Flow

    Limitations  Lenovo N/OS supports ISL distance up to 3 kms. E_ports can be configured only on Lenovo Flex System CN4093 10Gb  Converged Scalable Switch and Lenovo RackSwitch G8264CS. E_ports cannot interoperate with the switches from other vendors. ...
  • Page 322: Storage Management Initiative Specification (Smi-S)

    Lenovo N/OS provides a programming interface using the SMI-S to ease interoperability in a multivendor SAN environment. In this release, only limited support is provided. The CN4093 switch must be operating in full fabric mode. An embedded SMI-S agent runs on the CN4093 and includes standard profiles as specified in the SMI-S.
  • Page 323: Fibre Channel Configuration

    Zones and zonesets apply only to a VLAN in full fabric mode. Up to 4 zonesets may be configured, but only 1 can be active at any given time. The CN4093 supports up to 64 zones per zoneset, each with up to 20 member devices.
  • Page 324 1. Specify which Omni Ports are directly connected to Fibre Channel devices:
    CN 4093(config)# system port ext11-ext12 type fc
    Note: On the CN4093, FC devices can be connected only to Omni Ports. Omni Ports connected to FCoE devices are considered part of the Ethernet network and should be left to operate in Ethernet mode.
  • Page 325: Example 2: Full Fabric Fc/Fcoe Switch

    In this example network, the CN4093 acts as the full fabric switch for the Fibre Channel network in two zones. Note: Although up to 12 Fibre Channel VLANs can be configured on the switch at any given time, only one can operate in full fabric mode. The rest may be configured as NPV gateways.
  • Page 326 CN 4093(config-zone)# member pwwn 20:34:00:80:e5:18:b3:58
    CN 4093(config-zone)# member pwwn 20:34:00:80:e5:28:31:13
    CN 4093(config-zone)# exit
    CN 4093(config)# zoneset name City1
    CN 4093(config-zoneset)# member Zone1
    CN 4093(config-zoneset)# member Zone2
    CN 4093(config-zoneset)# exit
    CN 4093(config)# zoneset activate name City1
  • Page 327: Fibre Channel Standard Protocols Supported

    Fibre Channel Standard Protocols Supported
    The following table lists the standard FC protocols supported on the CN4093 10Gb Converged Scalable Switch.
    Table 32. FC Protocols Supported
    Protocol Fibre Channel FCoE ∙ T11 FCoE Initialization Protocol (FIP) (FC-BB-5) Fibre Channel forwarding (FCF)
  • Page 329: Chapter 19. Edge Virtual Bridging

    NIC (vNIC) configuration information is available to EVB devices. This information is generally not available to an 802.1Q bridge. Lenovo N/OS EVB features are compliant with the IEEE 802.1Qbg Authors Group Draft 0.2. For a list of documents on this feature, see: http://www.ieee802.org/1/pages/802.1bg.html.
  • Page 330: Evb Operations Overview

    VSIDB. The VSIDB operates in the following sequence:
    1. Define VSI types in the VSIDB. The VSIDB exports the database when the CN4093 sends a request.
    2. Create a VM. Specify VSI type for each VM interface. See the SNSC, FSM, or Lenovo System Networking Distributed Switch 5000V guide for details on how to specify the VSI type.
  • Page 331: Vlan Behavior

    VLAN, you will see a warning message similar to the following: Warning: Port INTB1 in Vlan 10 is used by VM and can’t be removed. The VMs will not get disassociated.
  • Page 332: Manual Reflective Relay

    Manual RR and EVB profile cannot be configured on a port at the same time. Note: If a port is a member of an isolated VLAN, the manual reflective relay will not work. See “Private VLANs” on page 133 for more information on isolated VLANs.
  • Page 333: Evb Configuration

    (Set VSI database Manager port)
    CN 4093(conf-vsidb)# filepath "vsidb" (Set VSI database document path)
    CN 4093(conf-vsidb)# filename "all.xml" (Set VSI database file name)
    CN 4093(conf-vsidb)# update-interval 30 (Set update interval in seconds)
    CN 4093(conf-vsidb)# exit
  • Page 334
      • Port: 40080
      • Docpath: snsc/rest/vsitypes
    • HTTPS:
      • Port: 40443
      • Docpath: snsc/rest/vsitypes
    • When you connect to a 5000v VSIDB, the port/docpath configuration is as follows:
      • Port: 80
      • Docpath: vsitypes
  • Page 335: Configuring Evb In Stacking Mode

    Configuring EVB in Stacking Mode
    A stack is a group of up to eight CN4093 10Gb Converged Scalable Switch switches with Lenovo N/OS that work together as a unified system. The switches in a stack are interconnected by a stack LAG in a local ring topology.
  • Page 336: Limitations

    "vm: VSI Type ID 100 Associated mac 00:50:56:b6:c0:ff on port 6, ignore 1 mismatched ACL"
    Unsupported features
    The following features are not supported on ports configured with EVB:
    • LAG/VLAG
    • vNIC
    • VMready
  • Page 337: Chapter 20. Static Multicast Arp

    You must configure the static multicast ARP entry only at the Layer 2/Layer 3 or Router node, and not at the Layer 2-only node. Lenovo N/OS supports a maximum of 20 static multicast ARP entries. Note: If you use the ACL profile or IPMC-OPT profile, an ACL entry is consumed for each Static Multicast ARP entry that you configure.
  • Page 338: Configuring Static Multicast Arp

    CN 4093(config)# ip arp 10.10.10.42 03:bf:0a:0a:0a:2a vlan 42
    You can verify the configuration using the following commands:
    • Verify static multicast FDB entry:
    CN 4093(config)# show mac-address-table multicast address 03:bf:0a:0a:0a:2a
    Multicast Address VLAN Port(s)
    ----------------- ---- ---------
    03:bf:0a:0a:0a:2a 54 56
  • Page 339
    --------------- ----------------- ---- ----
    10.10.10.42 03:bf:0a:0a:0a:2a
    Total number of arp entries : 2
    IP address Flags MAC address VLAN Age Port
    --------------- ----- ----------------- ---- --- ----
    10.10.10.1 fc:cf:62:9d:74:00
    10.10.10.42 03:bf:0a:0a:0a:2a
  • Page 340: Limitations

    Limitations  You must configure the ARP only in the Layer 2/Layer 3 node or the router node but not in the Layer 2-only node. Lenovo N/OS cannot validate if the node is Layer 2-only.  The packet is always forwarded to all the ports as specified in the Multicast MAC address configuration.
  • Page 341: Chapter 21. Unified Fabric Port

    MAC address of the control message frame is a well-known address 01-80-C2-00-00-03.
    • Discovery Capability: UFP can discover other ports that are UFP enabled. Once you enable UFP, you can check the information statistics for established channels.
  • Page 342: Ufp Limitations

    VMReady Local Group configuration is not supported by UFP.
    • If QoS ETS mode is used, an FCoE vPort must be configured with priority 3.
    • UFP vPorts cannot be aggregated to form a LAG/vLAG client.
  • Page 343: Virtual Ports Modes

    VLAN. Use the following command to configure UFP vPort mode:
    CN 4093(config)# ufp port <num> vport <num>
    CN 4093(config_ufp_vport)# network mode {access|trunk|auto|tunnel|fcoe}
    Note: Default mode is tunnel.
  • Page 344: Tunnel Mode

    Figure 39. Packet passing through in Trunk Mode
  • Page 345: Access Mode

    802.1Qbg, when a vPort operates in auto-VLAN mode, the maximum number of VLANs in the inner tag is 1024 when the switch is configured in standalone mode. The vPort cannot be configured in Virtual Ethernet Port Aggregator (VEPA) mode.
  • Page 346: Ufp Bandwidth Provisioning

    Note: ETS mode requires Converged Enhanced Ethernet (CEE) to be enabled globally. This mode functions with the ETS feature available on the CN4093. You must first define the ETS characteristics of the CN4093. Assign each vPort to the desired traffic class by assigning a system class priority. The Data Center Bridging...
  • Page 347: Ufp Strict Bandwidth Provisioning Mode

    CN 4093(config_ufp_vport)# qos bandwidth {max|min} <10-100>
    min - Sets minimum guaranteed bandwidth
    max - Sets maximum allowed bandwidth
    Note: Total minimum guaranteed bandwidth of enabled vPorts on a physical switch port needs to be 100%.
  • Page 348: Using Ufp With Other Cn4093 10Gb Converged Scalable Switch Features

    Using UFP with Other CN4093 10Gb Converged Scalable Switch Features
    UFP works with other CN4093 features, as described with limitations and details.
    Layer 2 Failover
    UFP failover can be configured with auto-monitoring or manual monitoring. In auto-monitoring, a vPort is automatically associated with a Failover trigger if it has any VLAN in common with the monitor ports.
  • Page 349: Vmready

    For more information on private VLANs, see “Private VLANs” on page 133.
    VMReady
    Configured with UFP and VMReady, the CN4093 can support up to 32 VMGroups with UFP vPorts in auto mode. VMReady is supported only on a vPort which is configured in auto-VLAN mode.
  • Page 350: Ufp Configuration Examples

    2. Configure internal port as UFP.
    CN4093(config)# ufp port INTA1 enable
    Warning: "Tagging/Trunk-mode" is enabled on UFP port INTA1
    3. Configure virtual port.
    CN4093(config)# ufp port INTA1 vport 1
    4. Configure vPort access mode.
    CN4093(config_ufp_vport)# network mode access
    5. Configure vPort default VLAN.
  • Page 351: Example 2: Trunk Mode

    2. Configure internal port 1 as UFP.
    CN4093(config)# ufp port INTA1 enable
    Warning: "Tagging/Trunk-mode" is enabled on UFP port INTA1
    3. Configure virtual port.
    CN4093(config)# ufp port INTA1 vport 1
    4. Configure vPort trunk mode.
    CN4093(config_ufp_vport)# network mode trunk
    5. Configure vPort default VLAN.
  • Page 352 15. Enable tagging/trunk mode on external port 1.
    CN4093(config)# interface port EXT1
    CN4093(config-if)# switchport mode trunk
    CN4093(config-if)# switchport trunk native vlan 100
    CN4093(config-if)# switchport trunk allowed vlan add 200,300
    CN4093(config-if)# exit
    16. Configure VLAN 200 parameters.
    CN4093(config)# vlan 200
    CN4093(config-vlan)# vmember INTA1.1
    CN4093(config-vlan)# vmember INTA2.3...
  • Page 353: Example 3: Auto-Vlan Mode With Vmready

    CN4093(config)# virt vmware vcspec 10.100.14.195 Administrator noauth 7cee7fa528e02aa036b6b6e6eb508952cdaed2acb702182cf62208fa72dec13fb19d6fec2 fac6598d19b 8f45acff3f6a1e237ae3c984709f874f61aecd2ede7a
    10. Create a distributed VMGroup.
    CN4093(config)# virt vmprofile "vlan 30"
    CN4093(config)# virt vmprofile edit "vlan 30" vlan 30
    CN4093(config)# virt vmgroup 1 profile "vlan30"
  • Page 354: Example 4: Auto-Vlan Mode With Edge Virtual Bridging

    11. Verify the virtual machine settings.
    CN4093(config)# show virt vm
    12. Add the virtual machine associated with the vPort to the VMGroup.
    CN4093(config)# virt vmgroup 1 vm 1
    13. Verify the VMGroup associations.
    CN4093(config)# show virt vm
    Example 4: Auto-VLAN Mode with Edge Virtual Bridging
    Following is an example configuration of UFP vPorts in auto mode.
  • Page 355: Example 5: Tunnel Mode

    2. Configure internal port as UFP.
    CN4093(config)# ufp port INTA1 enable
    Warning: "Tagging/Trunk-mode" is enabled on UFP port INTA1
    3. Configure virtual port.
    CN4093(config)# ufp port INTA1 vport 1
    4. Configure vPort tunnel mode.
    CN4093(config_ufp_vport)# network mode tunnel
    5. Configure vPort default VLAN.
  • Page 356: Example 6: Fcoe Mode

    CN4093(config_ufp_vport)# exit
    8. Configure tagging of ingress frames with the port’s VLAN ID on external port 1.
    CN4093(config)# interface port EXT1
    CN4093(config-if)# tagpvid-ingress
    CN4093(config-if)# no vlan dot1q tag native
    CN4093(config-if)# switchport access vlan 4000
    CN4093(config-if)# exit
    Example 6: FCoE Mode
    Following is an example configuration of UFP vPorts in FCoE mode.
  • Page 357: Example 7: Private Vlan Configuration

    10. Enable tagging/trunk mode on external port.
    CN4093(config)# interface port EXT4
    CN4093(config-if)# switchport mode trunk
    CN4093(config-if)# switchport trunk native vlan 1
    CN4093(config-if)# switchport trunk allowed vlan add 1,1002
    CN4093(config-if)# exit
    Example 7: Private VLAN Configuration
    Follow this procedure to configure a Private VLAN.
  • Page 358 5. Set up vPorts on ports 1 and 2.
    CN4093(config)# ufp port INTA1 enable
    CN4093(config)# ufp port INTA1 vport 1
    CN4093(config-ufp-vport)# network private-vlan trunk
    CN4093(config-ufp-vport)# network default-vlan 100
    CN4093(config-ufp-vport)# network mode trunk
    CN4093(config-ufp-vport)# enable
    CN4093(config-ufp-vport)# exit
    CN4093(config)# ufp port INTA2 enable...
  • Page 359: Example 8: Layer 2 Failover Configuration

    1. Enable failover globally:
    CN4093(config)# failover enable
    2. Configure trigger 1 and add monitor and control ports:
    CN4093(config)# failover trigger 1 mmon monitor member EXT1
    CN4093(config)# failover trigger 1 mmon control member INTA8
    CN4093(config)# failover trigger 1 mmon control vmember INTA9.1, INTA10.2,INTA11.3...
  • Page 360: Example 9: 8 Vports With Ets Bandwidth Provisioning Mode

    Follow this procedure to configure 8 vPorts for a single UFP port with ETS bandwidth provisioning mode.
    1. Configure each individual vPort of a specific port:
    CN4093(config)# ufp port INTA10 vport 1
    CN4093(config_ufp_vport)# network mode access
    CN4093(config_ufp_vport)# network default-vlan 101...
  • Page 361 2. Configure ETS mode as the UFP QoS mode for port INTA10:
    CN4093(config)# ufp port INTA10 qos-mode ets
    3. Enable UFP on port INTA10:
    CN4093(config)# ufp port INTA10 enable
    4. Globally enable Converged Enhanced Ethernet (CEE):
    CN4093(config)# cee enable
    5. Globally enable UFP:
    CN4093(config)# ufp enable
  • Page 363: Chapter 22. Switch Partition

    SPAR operates as a Layer 2 broadcast network. Hosts on the same VLAN, attached to a SPAR, can communicate with each other and with the upstream switch. Hosts on the same VLAN, but attached to different SPARs, communicate via the upstream switch.
  • Page 364: Spar Processing Modes

    • Ingress VLAN tagging is disabled on all SPAR ports.
    • PVID/Native VLAN is based on any VLAN defined in SPAR.
    CN 4093(config)# interface port <num>
    CN 4093(config-if)# switchport trunk native vlan <VLAN number>
  • Page 365: Pass-Through Domain Processing

    • Ingress VLAN tagging is enabled on all SPAR ports.
    • PVID/Native VLAN is based on the SPAR DVLAN.
    CN 4093(config)# interface port <num>
    CN 4093(config-if)# switchport trunk native vlan <VLAN number>
  • Page 366: Limitations

    Layer 2 failover features can be configured on SPAR ports. However, the Layer 2 failover Auto Monitor (AMON) option is not supported. Only the Layer 2 failover Manual Monitor (MMON) option can be used when all ports defined within the trigger belong to the same SPAR.
  • Page 367: Unsupported Features

    • Layer 3 Configuration
    • Management VLAN
    • Private VLAN
    • Protocol VLAN
    • sFlow
    • Stacking
    • STP, RSTP, MRSTP, PVST
    • vLAG
    • VMAP
    • VMready
    • VNIC
  • Page 368: Spar Vlan Management

    A VLAN assigned to a SPAR cannot be used for any other switch application. Similarly, a VLAN used by any other switch application cannot be assigned to a SPAR. SPAR member ports cannot be members of any other VLAN.
  • Page 369: Example Configurations

    INTA11-INTA14 and a single uplink port, EXT 2.
    1. Create SPAR 2.
    CN 4093(config)# spar 2
    2. Add uplink port EXT 2 to SPAR 2.
    CN 4093(config-spar)# uplink port EXT2
  • Page 370 9. Create local domain 3, assign VLAN 30, and specify the SPAR ports that are members of that VLAN.
    CN 4093(config-spar)# domain local 3 vlan 30
    CN 4093(config-spar)# domain local 3 member INTA11-INTA14
    CN 4093(config-spar)# domain local 3 enable
    10. Enable SPAR 2.
    CN 4093(config-spar)# enable
  • Page 371: Part 5: Ip Routing

    This section discusses basic routing and advanced routing protocols:
    • Basic Routing
    • Routing Information Protocol (RIP)
    • Internet Group Management Protocol (IGMP)
    • Border Gateway Protocol (BGP)
    • Open Shortest Path First (OSPF)
  • Page 373: Chapter 23. Basic Ip Routing

    • “Dynamic Host Configuration Protocol” on page 381
    IP Routing Benefits
    The CN4093 uses a combination of configurable IP switch interfaces and IP routing options. The switch IP routing capabilities provide the following benefits:
    • Connects the server IP subnets to the rest of the backbone network.
  • Page 374 Layer 2 switching. With Layer 3 IP routing in place on the CN4093, routing between different IP subnets can be accomplished entirely within the switch. This leaves the routers free to handle inbound and outbound traffic for this group of subnets.
  • Page 375: Subnet Routing Example

    (CLI) as the administrator.
    Note: For details about accessing and using any of the menu commands described in this example, see the Lenovo N/OS Command Reference.
    1. Assign an IP address (or document the existing one) for each router and client workstation.
  • Page 376 CN 4093(config)# ip gateway 1 address 205.21.17.1 enable
    CN 4093(config)# ip gateway 2 address 205.21.17.2 enable
    5. Verify the configuration.
    CN 4093(config)# show interface ip
    Examine the resulting information. If any settings are incorrect, make the appropriate changes.
  • Page 377: Using Vlans To Segregate Broadcast Domains

    CN 4093(config)# vlan 3
    CN 4093(config-vlan)# exit
    CN 4093(config)# interface port inet5a,int6a (Add ports to VLAN 3)
    CN 4093(config-if)# switchport mode trunk
    CN 4093(config-if)# switchport trunk allowed vlan add 3
    CN 4093(config-if)# exit
  • Page 378 CN 4093(config-ip-if)# exit
    4. Verify the configuration.
    CN 4093(config)# show vlan
    CN 4093(config)# show interface information
    CN 4093(config)# show interface ip
    Examine the resulting information. If any settings are incorrect, make the appropriate changes.
  • Page 379: Bootp Relay Agent

    BOOTP Relay Agent Configuration
    To enable the CN4093 to be the BOOTP forwarder, you need to configure the BOOTP server IP addresses on the switch, and enable BOOTP relay on the interface(s) on which the BOOTP requests are received.
  • Page 380: Domain-Specific Bootp Relay Agent Configuration

    CN 4093(config)# ip bootp-relay bcast-domain <1-10> server <1-5> address <IPv4 address>
    CN 4093(config)# ip bootp-relay bcast-domain <1-10> enable
    As with global relay agent servers, domain-specific BOOTP/DHCP functionality may be assigned on a per-interface basis.
  • Page 381: Dynamic Host Configuration Protocol

    IP configuration parameters it needs to operate in the TCP/IP network. In the DHCP environment, the CN4093 acts as a relay agent. The DHCP relay feature enables the switch to forward a client request for an IP address to two BOOTP servers with IP addresses that have been configured on the switch.
  • Page 382: Dhcp Relay Agent Configuration

    VLAN to send the server response to the client.
    DHCP Relay Agent Configuration
    To enable the CN4093 to be the BOOTP forwarder, you need to configure the DHCP/BOOTP server IP addresses on the switch. Generally, you should configure the switch IP interface on the client side to match the client’s subnet, and configure VLANs to separate client and server subnets.
  • Page 383: Chapter 24. Internet Protocol Version 6

    RFC 4302  RFC 5095  RFC 2711  RFC 3602  RFC 4303  RFC 5114 This chapter describes the basic configuration of IPv6 addresses and how to manage the switch via IPv6 host management. © Copyright Lenovo 2015...
  • Page 384: Ipv6 Limitations

    Border Gateway Protocol for IPv6 (BGP)
    • Routing Information Protocol for IPv6 (RIPng)
    Most other Lenovo N/OS 8.3 features permit IP addresses to be configured using either IPv4 or IPv6 address formats. However, the following switch features support IPv4 only: ...
  • Page 385: Ipv6 Address Format

    In most implementations, the interface identifier is derived from the switch's MAC address, using a method called EUI-64. Most Lenovo N/OS 8.3 features permit IP addresses to be configured using either IPv4 or IPv6 address formats. Throughout this manual, IP address is used in places where either an IPv4 or IPv6 address is allowed.
  • Page 386: Ipv6 Address Types

    FF02::1:FF00:0000/104 with the low-order 24 bits of the unicast or anycast address. The following well-known multicast addresses are pre-defined. The group IDs defined in this section are defined for explicit scope values, as follows: FF00:::::::0 through FF0F:::::::0
  • Page 387: Anycast Address

  • Page 388: Ipv6 Address Auto-Configuration

    Address configuration is based on the receipt of Router Advertisement messages that contain one or more Prefix Information options. Lenovo N/OS 8.3 supports stateless address configuration. Stateless address configuration allows hosts on a link to configure themselves with link-local addresses and with addresses derived from prefixes advertised by local routers.
  • Page 389: Ipv6 Interfaces

    CN 4093(config)# ip gateway6 1 address <IPv6 address>
    CN 4093(config)# ip gateway6 1 enable
    IPv6 gateway 1 is reserved for IPv6 data interfaces. IPv6 gateway 3 and 4 are the default IPv6 management gateways.
  • Page 390: Neighbor Discovery

    CN 4093(config)# interface ip <interface number>
    CN 4093(config-ip-if)# [no] ipv6 nd ?
    CN 4093(config-ip-if)# exit
    To add or remove entries in the static neighbor cache, use the following command path:
    CN 4093(config)# [no] ip neighbors ?
  • Page 391: Host Vs. Router

    CN 4093(config)# interface ip <interface number>
    CN 4093(config-ip-if)# ip6host
    CN 4093(config-ip-if)# exit
    By default, host mode is enabled on the management interface, and disabled on data interfaces. The CN4093 supports up to 1156 IPv6 routes.
  • Page 392: Supported Applications

    -u 2001:2:3:4:0:0:0:142
    • TFTP
      The TFTP commands support both IPv4 and IPv6 addresses. Link-local addresses are not supported.
    • The FTP commands support both IPv4 and IPv6 addresses. Link-local addresses are not supported.
  • Page 393 IPv6 address. If no AAAA record is found for that hostname (no IPv6 address for that hostname) an A query is sent to resolve the hostname with an IPv4 address.
  • Page 394: Ipv6 Configuration

    CN 4093(config-ip-if)# exit
    2. Configure the IPv6 default gateway.
    CN 4093(config)# ip gateway6 1 address 2001:BA98:7654:BA98:FEDC:1234:ABCD:5412
    CN 4093(config)# ip gateway6 1 enable
    3. Verify the interface address.
    CN 4093(config)# show interface ip 2
  • Page 395: Ipv6 Configuration Example 2

    CN 4093(config)# ip gateway6 1 enable
    3. Configure Router advertisements for the interface (optional)
    CN 4093(config)# interface ip 3
    CN 4093(config-ip-if)# no ipv6 nd suppress-ra
    4. Verify the configuration.
    CN 4093(config-ip-if)# show layer3
  • Page 397: Chapter 25. Using Ipsec With Ipv6

    Note: This implementation of IPsec supports DH groups 1, 2, 5, 14, and 24.
    The following topics are discussed in this chapter:
    • “IPsec Protocols” on page 398
    • “Using IPsec with the CN4093” on page 399
  • Page 398: Ipsec Protocols

    IPsec Protocols
    The Lenovo N/OS implementation of IPsec supports the following protocols:
    • Authentication Header (AH)
      AHs provide connectionless integrity and data origin authentication for IP packets, and provide protection against replay attacks. In IPv6, the AH protects the AH itself, the Destination Options extension header after the AH, and the IP payload.
  • Page 399: Using Ipsec With The Cn4093

    Using IPsec with the CN4093
    IPsec supports the fragmentation and reassembly of IP packets that occurs when data goes to and comes from an external device. The Lenovo Flex System CN4093 10Gb Converged Scalable Switch acts as an end node that processes any fragmentation and reassembly of packets but does not forward the IPsec traffic.
  • Page 400: Setting Up Authentication

    2. Set the DES encryption algorithm.
    CN 4093(config-ikev2-prop)# encryption {3des|aes-cbc|des} (default: 3des)
    3. Set the authentication integrity algorithm type.
    CN 4093(config-ikev2-prop)# integrity {md5|sha1} (default: sha1)
    4. Set the Diffie-Hellman group.
    CN 4093(config-ikev2-prop)# group {1|2|5|14|24} (default: 2)
  • Page 401: Importing An Ikev2 Digital Certificate

    Organizational Unit Name (eg, section) []: <org. unit>
    Common Name (eg, YOUR name) []: <name>
    Email (eg, email address) []: <email address>
    Confirm Generate CSR? [y/n]: y
    ..........+++
    ....+++
    Cert Req generated successfully
  • Page 402 [pem-format|txt-format]
    CN 4093> show https host-csr txt-format
    Certificate Request:
    Data:
    Version: 0 (0x0)
    Subject: C=US, ST=Cali, L=Santa Barbara, O=Lenovo, OU=Sales, CN=www.zagat.com
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
    Modulus (2048 bit):...
  • Page 403: Generating An Ikev2 Digital Certificate

    The certificate is valid only until the switch is rebooted. To save the certificate so that it is retained beyond reboot or power cycles, use the following command:
    CN 4093(config)# access https save-certificate
    3. Enable IKEv2 RSA-signature authentication:
    CN 4093(config)# access https enable
  • Page 404: Enabling Ikev2 Preshared Key Authentication

    • encryption method: One of the following: esp-des | esp-3des | esp-aes-cbc | esp-null
    • integrity algorithm: One of the following: esp-sha1 | esp-md5 | none
    • AH authentication algorithm: One of the following: ah-sha1 | ah-md5 | none
  • Page 405 Traffic that does not match the policy bypasses IPsec and passes through clear (unencrypted).
    4. Choose whether to use a manual or a dynamic policy.
  • Page 406: Using A Manual Key Policy

    The outbound AH key code, in hexadecimal
    • outbound AH IPsec SPI: A number from 256-4294967295
    • outbound ESP cipher key: The outbound ESP key code, in hexadecimal
    • outbound ESP SPI: A number from 256-4294967295
  • Page 407 CN 4093(config-ip)# interface ip <IP interface number, 1-128>
    CN 4093(config-ip-if)# address <IPv6 address>
    CN 4093(config-ip-if)# ipsec manual-policy <policy index, 1-10>
    CN 4093(config-ip-if)# enable (enable the IP interface)
    CN 4093# write (save the current configuration)
  • Page 408: Using A Dynamic Key Policy

    CN 4093(config-ip)# interface ip <IP interface number, 1-128>
    CN 4093(config-ip-if)# address <IPv6 address>
    CN 4093(config-ip-if)# ipsec dynamic-policy <policy index, 1-10>
    CN 4093(config-ip-if)# enable (enable the IP interface)
    CN 4093# write (save the current configuration)
  • Page 409: Chapter 26. Routing Information Protocol

    In a routed environment, routers communicate with one another to keep track of available routes. Routers can learn about available routes dynamically using the Routing Information Protocol (RIP). Lenovo N/OS software supports RIP version 1 (RIPv1) and RIP version 2 (RIPv2) for exchanging TCP/IPv4 route information with other routers.
  • Page 410: Routing Updates

    Lenovo N/OS supports using a clear password for RIPv2.
    RIPv2 in RIPv1 Compatibility Mode
    Lenovo N/OS allows you to configure RIPv2 in RIPv1 compatibility mode, for using both RIPv2 and RIPv1 routers within a network. In this mode, the regular routing updates use broadcast UDP data packets to allow RIPv1 routers to receive those packets.
  • Page 411: Rip Features

    RIP Features
    Lenovo N/OS provides the following features to support RIPv1 and RIPv2:
    Poison Reverse
    Simple split horizon in RIP omits routes learned from one neighbor in updates sent to that neighbor. That is the most common configuration used in RIP, with the Poison Reverse feature disabled.
  • Page 412: Authentication

    For maximum security, RIPv1 messages are ignored when authentication is enabled (interface ip <x>/ ip rip auth type/password); otherwise, the routing information from authenticated messages is propagated by RIPv1 routers in an unauthenticated manner.
  • Page 413: Rip Configuration Example

    CN 4093(config-router-rip)# enable
    CN 4093(config-router-rip)# exit
    CN 4093# interface ip 2
    CN 4093(config-ip-if)# ip rip enable
    CN 4093(config-ip-if)# exit
    CN 4093# interface ip 3
    CN 4093(config-ip-if)# ip rip enable
    CN 4093(config-ip-if)# exit
  • Page 414 For those RIP learnt routes within the garbage collection period, that are routes phasing out of the routing table with metric 16, use the following command:
    CN 4093# show ip rip routes
    Locally configured static routes do not appear in the RIP Routes table.
  • Page 415: Chapter 27. Internet Group Management Protocol

    IPv4 Multicast source that provides the data streams and the clients that want to receive the data. The CN4093 10Gb Converged Scalable Switch (CN4093) can perform IGMP Snooping, or act as an IGMP Relay (proxy) device. Note: Lenovo N/OS 8.3 does not support IPv6 for IGMP.
  • Page 416: Igmp Snooping

    The switch then sends a Proxy Leave packet to the Mrouter in order to update it. If the FastLeave option is enabled on a VLAN, the multicast path is terminated immediately and the Leave packet is directly forwarded to the Mrouter.
  • Page 417: Igmp Groups

    IGMP Groups
    The CN4093 supports a maximum of 3072 IGMP entries, on a maximum of 1024 (1022 in stacking mode) VLANs. One IGMP entry is allocated for each unique join request, based on the VLAN and IGMP group address only (regardless of the port).
  • Page 418: Igmp Snooping Configuration Example

    IGMP Snooping Configuration Example
    This section provides steps to configure IGMP Snooping on the CN4093, using the Command-Line Interface (CLI).
    1. Configure port and VLAN membership on the switch.
    2. Add VLANs to IGMP Snooping and enable IGMP Snooping.
    CN 4093(config)# ip igmp snoop vlan 1
    CN 4093(config)# ip igmp snoop enable
    3.
  • Page 419: Static Multicast Router

    A static multicast router (Mrouter) can be configured for a particular port on a particular VLAN. A total of 128 static Mrouters can be configured on the CN4093. Both internal and external ports can accept a static Mrouter. Note: When static Mrouters are used, the switch will continue learning dynamic Mrouters via IGMP snooping.
  • Page 420: Igmp Relay

    IGMP Relay The CN4093 can act as an IGMP Relay (or IGMP Proxy) device that relays IGMP multicast messages and traffic between an Mrouter and end stations. IGMP Relay allows the CN4093 to participate in network multicasts with no configuration of the various multicast routing protocols, so you can deploy it in the network with minimal effort.
  • Page 421: Igmp Relay Configuration Example

    4. Add VLANs to the downstream network and enable IGMP Relay

        CN 4093(config)# ip igmp relay vlan 2
        CN 4093(config)# ip igmp relay vlan 3
        CN 4093(config)# ip igmp relay enable
  • Page 422: Igmp Querier

        CN 4093# show ip igmp querier vlan 2
        Current VLAN 2 IGMP querier settings: ON
        querier type: ipv4
        max response time: 100
        querier interval: 125
        Querier robustness: 2
        source IP: 10.10.10.15
        startup count: 2
        startup query interval: 31
        version: v3
  • Page 423: Additional Igmp Features

    IGMP filter, you must configure a range of IPv4 multicast groups, choose whether the filter will allow or deny multicast traffic for groups within the range, and enable the filter.
  • Page 424: Configuring The Range

        1 action deny
        CN 4093(config)# ip igmp profile 1 enable

    3. Assign the IGMP filter to a port.

        CN 4093(config)# interface port 3
        CN 4093(config-if)# ip igmp profile 1
        CN 4093(config-if)# ip igmp filtering
  • Page 425: Chapter 28. Multicast Listener Discovery

    The following topics are discussed in this chapter:
    • “MLD Terms” on page 426
    • “How MLD Works” on page 427
    • “MLD Capacity and Default Values” on page 430
    • “Configuring MLD” on page 431
  • Page 426: Mld Terms

    General Query: Sent periodically to learn multicast address listeners from an attached link. CN4093 uses these queries to build and refresh the Multicast Address Listener state. General Queries are sent to the link-scope all-nodes multicast address (FF02::1), with a multicast address field of 0, and a maximum response delay of query response interval.
  • Page 427: How Mld Works

    Query to verify if, for a specified multicast address, there are hosts still listening to a specific set of sources. CN4093 supports MLD versions 1 and 2. Note: MLDv2 operates in version 1 compatibility mode when, in a specific network, not all hosts are configured with MLDv2.
  • Page 428: How Flooding Impacts Mld

    When the other querier present timer expires, it regains the Querier state and starts sending general queries. Note: When MLD Querier is enabled on a VLAN, the switch performs the role of an MLD Querier only if it meets the MLD Querier election criteria.
  • Page 429: Dynamic Mrouters

    All report or done messages are forwarded to these Mrouters. By default, the option of dynamically learning Mrouters is disabled. To enable it, use the following command:

        CN 4093(config)# interface ip <interface number>
        CN 4093(config-ip-if)# ipv6 mld dmrtr enable
  • Page 430: Mld Capacity And Default Values

    MLD Capacity and Default Values Table 36 lists the maximum and minimum values of the CN4093 variables. Table 36. CN4093 Capacity Table Variable Maximum Value IPv6 Multicast Entries IPv6 Interfaces for MLD Table 37 lists the default settings for MLD features and variables.
  • Page 431: Configuring Mld

        CN 4093(config-ip-if)# ipv6 mld robust <1-10> (Robustness)
        CN 4093(config-ip-if)# ipv6 mld qri <1-256> (In seconds)
        CN 4093(config-ip-if)# ipv6 mld qintrval <1-608> (In seconds)
        CN 4093(config-ip-if)# ipv6 mld llistnr <1-32> (In seconds)
  • Page 433: Chapter 29. Border Gateway Protocol

    BGP is defined in RFC 1771. CN4093 10Gb Converged Scalable Switches (CN4093s) can advertise their IP interfaces and IPv4 addresses using BGP and take BGP feeds from as many as BGP router peers.
  • Page 434: Internal Routing Versus External Routing

    IPv4 space represented in the route being advertised. For example, if you advertise 192.204.4.0/24, you are declaring that if another router sends you data destined for any address in 192.204.4.0/24, you know how to carry that data to its destination.
  • Page 435: Forming Bgp Peer Routers

    Ultimately, this means that they must “hear a route” which covers the section of the IPv4 space you are using; otherwise, you will not have connectivity to the host in question.
  • Page 436: What Is A Route Map

    442. Lenovo N/OS allows you to configure 32 route maps. Each route map can have up to eight access lists. Each access list consists of a network filter. A network filter defines an IPv4 address and subnet mask of the network that you want to include in the filter.
  • Page 437: Incoming And Outgoing Route Maps

    Specify the access list and associate the network filter number configured in Step 1.

        CN 4093(config)# route-map 1
        CN 4093(config-route-map)# access-list 1 match-address 1
        CN 4093(config-route-map)# access-list 1 metric <metric value>
        CN 4093(config-route-map)# access-list 1 action deny
        CN 4093(config-route-map)# access-list 1 enable
  • Page 438 Select the peer router and then add the route map to the incoming route map list,

        CN 4093(config-router-bgp)# neighbor 1 route-map in <1-32>

    or to the outgoing route map list.

        CN 4093(config-router-bgp)# neighbor 1 route-map out <1-32>

    8. Exit Router BGP mode.

        CN 4093(config-router-bgp)# exit
  • Page 439: Aggregating Routes

    Route Aggregation Example” on page 444. Redistributing Routes In addition to running multiple routing protocols simultaneously, Lenovo N/OS software can redistribute information from one routing protocol to another. For example, you can instruct the switch to use BGP to re-advertise static routes. This applies to all of the IP-based routing protocols.
  • Page 440: Bgp Attributes

    AS. When BGP sends that update to another AS, the metric is reset to 0. Unless otherwise specified, the router compares metric attributes for paths from external neighbors that are in the same AS.
  • Page 441: Selecting Route Paths In Bgp

    When the same network is learned via more than one BGP peer, BGP uses its policy for selecting the best route to that network. The BGP implementation on the CN4093 uses the following criteria to select a path when the same route is received from multiple peers.
  • Page 442: Bgp Failover Configuration

    IP: 200.200.200.11 IP: 200.200.200.10 On the CN4093, one peer router (the secondary one) is configured with a longer AS path than the other, so that the peer with the shorter AS path will be seen by the switch as the primary default gateway. ISP 2, the secondary peer, is configured with a metric of “3,”...
  • Page 443

        CN 4093(config-router-bgp)# neighbor 1 remote-address 200.200.200.2
        CN 4093(config-router-bgp)# neighbor 1 remote-as 100
        CN 4093(config-router-bgp)# no neighbor 1 shutdown
        CN 4093(config-router-bgp)# neighbor 2 remote-address 210.210.210.2
        CN 4093(config-router-bgp)# neighbor 2 remote-as 200
        CN 4093(config-router-bgp)# no neighbor 2 shutdown
  • Page 444: Default Redistribution And Route Aggregation Example

    46, you have two peer routers: an internal and an external peer router. Configure the CN4093 to redistribute the default routes from AS 200 to AS 135. At the same time, configure for route aggregation to allow you to condense the number of routes traversing from AS 135 to AS 200.
  • Page 445 5. Configure aggregation policy control. Configure the routes that you want aggregated.

        CN 4093(config-router-bgp)# aggregate-address 1 135.0.0.0 255.0.0.0
        CN 4093(config-router-bgp)# aggregate-address 1 enable
  • Page 447: Chapter 30. Ospf

    Chapter 30. OSPF Lenovo N/OS supports the Open Shortest Path First (OSPF) routing protocol. The Lenovo N/OS implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583, and OSPF version 3 specifications in RFC 5340. The following sections discuss OSPF support for the CN4093 10Gb Converged Scalable Switch (CN4093): ...
  • Page 448: Types Of Ospf Areas

    [Figure: types of OSPF areas. Diagram labels: Backbone; Stub Area, NSSA, or Transit Area connected to Backbone via Virtual Link; Non-OSPF Area (RIP/BGP AS); External LSA Routes. Legend: ABR = Area Border Router; ASBR = Autonomous System Boundary Router.]
  • Page 449: Types Of Ospf Routing Devices

    OSPF domain and non-OSPF domains, such as RIP, BGP, and static routes.

    Figure 48. OSPF Domain and an Autonomous System [Diagram labels: OSPF Autonomous System; Backbone Area 0; Area 1; Area 2; Area 3; Inter-Area Routes (Summary Routes); External ASBR Routes; Internal Router; ASBR.]
  • Page 450: Neighbors And Adjacencies

    For each route removed from the route table, if the route has already been sent to an adjacency, an update message containing the route to withdraw is sent.
  • Page 451: The Shortest Path First Tree

    For example, if the routing device advertises 192.204.4.0/24, it is declaring that if another router sends data destined for any address in the 192.204.4.0/24 range, it will carry that data to its destination.
  • Page 452: Ospfv2 Implementation In Lenovo N/Os

    OSPFv2 Implementation in Lenovo N/OS Lenovo N/OS supports a single instance of OSPF and up to 2K routes on the network. The following sections describe OSPF implementation in Lenovo N/OS:
    • “Configurable Parameters” on page 452
    • “Defining Areas” on page 453
    ...
  • Page 453: Defining Areas

    “Virtual Links” on page 457). Up to three OSPF areas can be connected to the CN4093 with Lenovo N/OS software. To configure an area, the OSPF number must be defined and then attached to a network interface on the switch. The full process is explained in the following sections.
  • Page 454: Using The Area Id To Assign The Ospf Area Number

    “area 0.0.0.2” represents OSPF area 2 and can be specified directly on the CN4093 as “area-id 0.0.0.2”. On the CN4093, using the last octet in the area ID, “area 1” is equivalent to “area-id 0.0.0.1”. Note: Although both types of area ID formats are supported, be sure that the area IDs are in the same format throughout an area.
  • Page 455: Interface Cost

    Backup Designated Router (BDR) is elected in case the DR fails. DR and BDR elections are made through the hello process. The election can be influenced by assigning a priority value to the OSPF interfaces on the CN4093. The command is as follows: CN 4093(config-ip-if)# ip ospf priority <priority value (0-255)>...
  • Page 456: Default Routes

    Each CN4093 acting as an ABR automatically inserts a default route into each attached area. In simple OSPF stub areas or NSSAs with only one ABR leading...
  • Page 457: Virtual Links

    <router ID> is the IP address of the virtual neighbor (nbr), the routing device at the target endpoint. Another router ID is needed when configuring a virtual link in the other direction. To provide the CN4093 with a router ID, see the following section,...
  • Page 458: Authentication

    OSPF allows packet authentication and uses IP multicast when sending and receiving packets. Routers participate in routing domains based on pre-defined passwords. Lenovo N/OS supports simple password (type 1 plain text passwords) and MD5 cryptographic authentication. This type of authentication allows a password to be configured per area.
  • Page 459: Configuring Plain Text Ospf Passwords

        CN 4093(config-router-ospf)# area 2 authentication-type password

    4. Configure a simple text password up to eight characters for the virtual link between Area 2 and Area 0 on switches 2 and 4.

        CN 4093(config-router-ospf)# area-virtual-link 1 key IBM
  • Page 460: Configuring Md5 Authentication

    5. Configure MD5 key for the virtual link between Area 2 and Area 0 on switch 2 and switch 4.

        CN 4093(config-router-ospf)# message-digest-key 2 md5-key test

    6. Assign MD5 key ID to OSPF virtual link on switches 2 and 4.

        CN 4093(config-router-ospf)# area-virtual-link 1 message-digest-key 2
        CN 4093(config-router-ospf)# exit
  • Page 461: Host Routes For Load Balancing

    Host Routes for Load Balancing Lenovo N/OS implementation of OSPF includes host routes. Host routes are used for advertising network device IP addresses to external networks, accomplishing the following goals:
    • ABR Load Sharing
      As a form of load balancing, host routes can be used for dividing OSPF traffic among multiple ABRs.
  • Page 462: Ospf Features Not Supported

    The following OSPF features are not supported in this release:
    • Summarizing external routes
    • Filtering OSPF routes
    • Using OSPF to forward multicast routes
    • Configuring OSPF on non-broadcast multi-access networks (such as frame relay, X.25, or ATM)
  • Page 463: Ospfv2 Configuration Examples

    OSPFv2 Configuration Examples A summary of the basic steps for configuring OSPF on the CN4093 is listed here. Detailed instructions for each of the steps are covered in the following sections:

    1. Configure IP interfaces. One IP interface is required for each desired network (range of IP addresses) being assigned to an OSPF area on the switch.
  • Page 464

        CN 4093(config-ip-if)# ip ospf enable
        CN 4093(config-ip-if)# exit

    6. Attach the network interface to the stub area.

        CN 4093(config)# interface ip 2
        CN 4093(config-ip-if)# ip ospf area 1
        CN 4093(config-ip-if)# ip ospf enable
        CN 4093(config-ip-if)# exit
  • Page 465: Example 2: Virtual Links

    Note: OSPFv2 supports IPv4 only. IPv6 is supported in OSPFv3 (see “OSPFv3 Implementation in Lenovo N/OS” on page 471).

    Configuring OSPF for a Virtual Link on Switch #1

    1. Configure IP interfaces on each network that will be attached to the switch.
  • Page 466: Configuring Ospf For A Virtual Link On Switch #2

    Interface 2 for the stub area network on 10.10.24.0/24

        CN 4093(config)# interface ip 1
        CN 4093(config-ip-if)# ip address 10.10.12.2 255.255.255.0 enable
        CN 4093(config-ip-if)# exit
        CN 4093(config)# interface ip 2
        CN 4093(config-ip-if)# ip address 10.10.24.1 255.255.255.0 enable
        CN 4093(config-ip-if)# exit
  • Page 467

        CN 4093(config)# router ospf
        CN 4093(config-router-ospf)# enable

    4. Define the backbone. This version of Lenovo N/OS requires that a backbone index be configured on the non-backbone end of the virtual link as follows:

        CN 4093(config-router-ospf)# area 0 area-id 0.0.0.0
        CN 4093(config-router-ospf)# area 0 enable

    5.
  • Page 468: Other Virtual Link Options

    Note: You can specify a range of addresses to prevent advertising by using the hide option. In this example, routes in the range 36.128.200.0 through 36.128.200.255 are kept private.
  • Page 469 7. Configure route summarization by specifying the starting address and mask of the range of addresses to be summarized.

        CN 4093(config)# router ospf
        CN 4093(config-router-ospf)# area-range 1 address 36.128.192.0 255.255.192.0
        CN 4093(config-router-ospf)# area-range 1 area 1
        CN 4093(config-router-ospf)# area-range 1 enable
        CN 4093(config-router-ospf)# exit
  • Page 470: Verifying Ospf Configuration

    Use the following commands to verify the OSPF configuration on your switch:
    • show ip ospf
    • show ip ospf neighbor
    • show ip ospf database database-summary
    • show ip ospf routes

    Refer to the Lenovo N/OS Command Reference for information on the preceding commands.
  • Page 471: Ospfv3 Implementation In Lenovo N/Os

    Although OSPFv2 and OSPFv3 are very similar, they represent independent features on the CN4093. They are configured separately, and both can run in parallel on the switch with no relation to one another, with OSPFv2 serving IPv4 traffic and OSPFv3 serving IPv6 traffic.
  • Page 472: Other Internal Improvements

        CN 4093(config-ip-if)#

    OSPFv3 Limitations
    Lenovo N/OS 8.3 does not currently support the following OSPFv3 features:
    • Multiple instances of OSPFv3 on one IPv6 link.

    OSPFv3 Configuration Example
    The following example depicts the OSPFv3 equivalent configuration of “Example 3: Summarizing Routes”...
  • Page 473 6. Attach the network interface to the stub area.

        CN 4093(config)# interface ip 4
        CN 4093(config-ip-if)# ipv6 ospf area 1
        CN 4093(config-ip-if)# ipv6 ospf enable
        CN 4093(config-ip-if)# exit

    The ipv6 command path is used instead of the OSPFv2 ip command path.
  • Page 474

        CN 4093(config-router-ospf)# area-range 2 area 0
        CN 4093(config-router-ospf)# area-range 2 hide
        CN 4093(config-router-ospf)# exit

    This differs from OSPFv2 only in that the OSPFv3 command path is used, and the address and prefix are specified in IPv6 format.
  • Page 475: Neighbor Configuration Example

        CN 4093(config-router-ospf3)# area 0 type transit
        CN 4093(config-router-ospf3)# area 0 enable

    4. Configure neighbor entry:

        CN 4093(config-router-ospf3)# neighbor 1 address fe80:0:0:0:dceb:ff:fe00:9
        CN 4093(config-router-ospf3)# neighbor 1 interface 10
        CN 4093(config-router-ospf3)# neighbor 1 priority 1
        CN 4093(config-router-ospf3)# neighbor 1 enable
  • Page 477: Chapter 31. Protocol Independent Multicast

    Lenovo N/OS supports Protocol Independent Multicast (PIM) in Sparse Mode (PIM-SM) and Dense Mode (PIM-DM). Note: Lenovo N/OS 8.3 does not support IPv6 for PIM. The following sections discuss PIM support for the CN4093 10Gb Converged Scalable Switch:
    • “PIM Overview” on page 477
    ...
  • Page 478: Supported Pim Modes And Features

    PIM-SM, but uses broadcasts that can consume more bandwidth in establishing and optimizing routes. The following PIM modes and features are not currently supported in Lenovo N/OS 8.3:
    • Hybrid Sparse-Dense Mode (PIM-SM/DM). Sparse Mode and Dense Mode may ...
  • Page 479: Basic Pim Settings

        CN 4093(config)# [no] ip pim enable

    Defining a PIM Network Component
    The CN4093 can be attached to a maximum of two independent PIM network components. Each component represents a different PIM network, and can be defined for either PIM-SM or PIM-DM operation. Basic PIM component configuration is performed using the following commands:

        CN 4093(config)# ip pim component <1-2>...
  • Page 480: Defining An Ip Interface For Pim Use

    To change the VLAN, first disable PIM on the interface. PIM Neighbor Filters The CN4093 accepts connection to up to 24 PIM interfaces. By default, the switch accepts all PIM neighbors attached to the PIM-enabled interfaces, up to the maximum number (72 neighbors).
  • Page 481 You can view configured PIM neighbor filters globally or for a specific IP interface using the following commands:

        CN 4093(config)# show ip pim neighbor-filters
        CN 4093(config)# show ip pim interface <Interface number> neighbor-filters
  • Page 482: Additional Sparse Mode Settings

        CN 4093(config-ip-if)# ip pim dr-priority <value (0-4294967294)>
        CN 4093(config-ip-if)# exit

    Note: A value of 0 (zero) specifies that the CN4093 will not act as the DR. This setting requires the CN4093 to be connected to a peer that has a DR priority setting of 1 or higher in order to ensure that a DR will be present in the network.
  • Page 483: Specifying A Bootstrap Router

        CN 4093(config-ip-if)# exit

    A value of 255 highly prefers the local interface as a BSR. A value of -1 indicates that the PIM CBSR preference is not configured on the local interface.
  • Page 484: Using Pim With Other Features

    IGMP Query feature globally, as well as on each VLAN where it is needed.
    • If the switch is connected to multicast receivers and/or hosts, be sure to enable IGMP snooping globally, as well as on each VLAN where PIM receivers are attached.
  • Page 485: Pim Configuration Examples

    Note: Because PIM component 1 is assigned to the interface by default, the component-id command is needed only if the setting has been previously changed.

    5. Set the Bootstrap Router (BSR) preference:

        CN 4093(config-ip-if)# ip pim cbsr-preference 135
        CN 4093(config-ip-if)# exit
  • Page 486: Example 2: Pim-Sm With Static Rp

    Note: In the following example, since the receivers and sources are connected in different areas, the border router must be configured for the IPMC traffic to be forwarded. Lenovo N/OS supports only partial configuration of PIM border router. Figure 55. Network with both PIM-DM and PIM-SM Components...
  • Page 487

        CN 4093(config-ip-if)# ip pim border-bit
        CN 4093(config-ip-if)# exit
        CN 4093(config)# interface ip 11
        CN 4093(config-ip-if)# ip pim border-bit
        CN 4093(config-ip-if)# exit

    Note: For PIM Dense Mode, the DR, RP, and BSR settings do not apply.
  • Page 489: Part 6: High Availability Fundamentals

    Internet traffic consists of myriad services and applications which use the Internet Protocol (IP) for data delivery. However, IP is not optimized for all the various applications. High Availability goes beyond IP and makes intelligent switching decisions to provide redundant network configurations.
  • Page 491: Chapter 32. Basic Redundancy

    Chapter 32. Basic Redundancy Lenovo N/OS 8.3 includes various features for providing basic link or device redundancy:
    • “Aggregation for Link Redundancy” on page 491
    • “Hot Links” on page 492

    Aggregation for Link Redundancy
    Multiple switch ports can be combined together to form robust, high-bandwidth LAGs to other devices.
  • Page 492: Hot Links

    (FDB) over the active interface, so that other devices on the network can learn the new path. The Hot Links FDB update option uses the station update rate to determine the rate at which to send FDB packets.
  • Page 493: Configuration Guidelines

        CN 4093(config)# hotlinks trigger 1 master port 38 (Add port to Master interface)
        CN 4093(config)# hotlinks trigger 1 backup port 39 (Add port to Backup interface)
        CN 4093(config)# hotlinks enable (Turn on Hot Links)
  • Page 495: Chapter 33. Layer 2 Failover

    Auto Monitoring LAG Links Layer 2 Failover can be enabled on any LAG in the CN4093, including LACP LAGs. LAGs can be added to failover trigger groups. Then, if some specified number of trigger links fail, the switch disables all the internal ports in the switch (unless VLAN Monitor is turned on).
  • Page 496: Auto Monitor Configurations

    Auto Monitor Configurations Figure 57 is a simple example of Layer 2 Failover. One CN4093 is the primary and the other is used as a backup. In this example, all external ports on the primary switch belong to a single LAG, with Layer 2 Failover enabled and Failover Limit set to 2.
  • Page 497: Setting The Failover Limit

    When you set the limit to zero, the switch triggers a failover event only when no links in the trigger are operational.
  • Page 498: Manually Monitoring Port Links

    To view the state of any port, use one of the following commands:

        CN 4093# show interface link (View port link status)
        CN 4093# show interface port <x> spanning-tree stp <x> (View port STP status)
        CN 4093# show lacp information (View port LACP status)
  • Page 499: L2 Failover With Other Features

    When the switch determines that ports in the trigger are in STP Forwarding state, then it automatically enables the appropriate internal ports, based on the VLAN monitor. The switch fails back to normal operation.
  • Page 500: Configuration Guidelines

    • A maximum of two LACP keys can be added per trigger.
    • Management ports, FC ports and stacking ports cannot be monitored.
    • Control ports for different triggers must not overlap. Monitor ports may overlap.
  • Page 501: Configuring Layer 2 Failover

    The following procedure pertains to the configuration shown in Figure

    1. Configure Network Adapter Teaming on the servers.
    2. Define a LAG on the CN4093.

        CN 4093(config)# portchannel 1 port EXT1,EXT2,EXT3 enable

    3. Configure Failover parameters.

        CN 4093(config)# failover trigger 1 enable
        CN 4093(config)# failover trigger 1 limit <0-1024>...
  • Page 503: Chapter 34. Virtual Router Redundancy Protocol

    Chapter 34. Virtual Router Redundancy Protocol The CN4093 10Gb Converged Scalable Switch (CN4093) supports IPv4 high-availability network topologies through an enhanced implementation of the Virtual Router Redundancy Protocol (VRRP). Note: Lenovo N/OS 8.3 does not support IPv6 for VRRP. The following topics are discussed in this chapter: “VRRP Overview”...
  • Page 504: Vrrp Components

    Within a virtual router, the VRRP routers not selected to be the master are known as virtual router backups. Should the virtual router master fail, one of the virtual router backups becomes the master and assumes its responsibilities.
  • Page 505: Virtual Interface Router

    To prevent this from happening, configure redundant links to be used between the switches that form a virtual router.
  • Page 506: Failover Methods

    Lenovo N/OS high availability configurations are based on VRRP. The implementation of VRRP includes proprietary extensions. The Lenovo N/OS implementation of VRRP supports the following modes of high availability:
    • Active-Active—based on proprietary Lenovo N/OS extensions to VRRP
    ...
  • Page 507: Active-Active Redundancy

    For more details, refer to the relevant network adapter documentation. The hot-standby model is shown in Figure

    Figure 62. Hot-Standby Redundancy [Diagram labels: Clients; Enterprise Routing Switch; Switch 1; Switch 2; Interswitch Link; Servers; 10.10.10.1; 10.10.10.2; Active; Standby; Backup Link.]
  • Page 508: Virtual Router Group

    Master to Standby. Each VRRP advertisement can include up to 128 addresses. All virtual routers are advertised within the same packet, conserving processing and buffering resources.
  • Page 509: Lenovo N/Os Extensions To Vrrp

    Lenovo N/OS Extensions to VRRP This section describes VRRP enhancements that are implemented in Lenovo N/OS. Lenovo N/OS supports a tracking function that dynamically modifies the priority of a VRRP router, based on its current state. The objective of tracking is to have, whenever possible, the master bidding processes for various virtual routers in a LAN converge on the same switch.
  • Page 510: Virtual Router Deployment Considerations

    Note: There is no shortcut to setting tracking parameters. The goals must first be set and the outcomes of various configurations and scenarios analyzed to find settings that meet the goals.
  • Page 511: High Availability Configurations

    CN4093 1 on port EXT1. Return traffic uses default gateway 1 (192.168.1.1). If the link between CN4093 1 and the Layer 2 switch fails, CN4093 2 becomes the Master because it has a higher priority. Traffic is forwarded to CN4093 2, which forwards it to CN4093 1 through port EXT4.
  • Page 512: Task 1: Configure Cn4093 1

    4. Enable tracking on ports. Set the priority of Virtual Router 1 to 101, so that it becomes the Master.

        CN 4093(config-vrrp)# virtual-router 1 track ports
        CN 4093(config-vrrp)# virtual-router 1 priority 101
        CN 4093(config-vrrp)# virtual-router 2 track ports
        CN 4093(config-vrrp)# exit
  • Page 513: Task 2: Configure Cn4093 2

        CN 4093(config-if)# switchport trunk allowed vlan add 20
        CN 4093(config-if)# exit

    6. Turn off Spanning Tree Protocol globally.

        CN 4093(config)# no spanning-tree stp 1

    Task 2: Configure CN4093 2

    1. Configure client and server interfaces.

        CN 4093(config)# interface ip 1
        CN 4093(config-ip-if)# ip address 192.168.1.101 255.255.255.0...
  • Page 514

        CN 4093(config)# interface port EXT2
        CN 4093(config-if)# switchport mode trunk
        CN 4093(config-if)# switchport trunk allowed vlan add 20
        CN 4093(config-if)# exit

    6. Turn off Spanning Tree Protocol globally.

        CN 4093(config)# no spanning-tree stp 1
  • Page 515: Hot-Standby Configuration

    [Figure: hot-standby configuration diagram. Labels: Switch 2; NIC 1 IP = 10.0.1.2; Server 2; Enterprise Routing Switch; IF 1: 174.14.20.111; IF 2: 10.1.1.111; VIR 1: 174.14.20.100; VIR 2: 10.1.1.100. Legend: Active Links; Standby Links.]
  • Page 516: Task 1: Configure Cn4093 1

    Task 1: Configure CN4093 1

    1. On CN4093 1, configure the interfaces for clients (174.14.20.110) and servers (10.1.1.110).

        CN 4093(config)# interface ip 1
        CN 4093(config-ip-if)# ip address 174.14.20.110 (Define IPv4 address for interface 1)
        CN 4093(config-ip-if)# enable
        CN 4093(config-ip-if)# exit
        CN 4093(config)# interface ip 2
        CN 4093(config-ip-if)# ip address 10.1.1.110...
  • Page 517: Task 2: Configure Cn4093 2

    Task 2: Configure CN4093 2

    1. On CN4093 2, configure the interfaces for clients (174.14.20.111) and servers (10.1.1.111).

        CN 4093(config)# interface ip 1
        CN 4093(config-ip-if)# ip address 174.14.20.111 (Define IPv4 address for interface 1)
        CN 4093(config-ip-if)# enable
        CN 4093(config-ip-if)# exit
        CN 4093(config)# interface ip 2
        CN 4093(config-ip-if)# ip address 10.1.1.111...
  • Page 519: Part 7: Network Management

    Part 7: Network Management
  • Page 521: Chapter 35. Link Layer Discovery Protocol

    Chapter 35. Link Layer Discovery Protocol The Lenovo N/OS software supports Link Layer Discovery Protocol (LLDP). This chapter discusses the use and configuration of LLDP on the switch:
    • “LLDP Overview” on page 522
    • “Enabling or Disabling LLDP” on page 523
    ...
  • Page 522: Lldp Overview

    The administrator can allow any given port to transmit only, receive only, or both transmit and receive LLDP information. The LLDP information to be distributed by the CN4093 ports, and that which has been collected from other LLDP stations, is stored in the switch’s Management Information Base (MIB).
  • Page 523: Enabling Or Disabling Lldp

    Enabling or Disabling LLDP
    Global LLDP Setting
    By default, LLDP is enabled on the CN4093. To turn LLDP off or on, use the following command:
    CN 4093(config)# [no] lldp enable   (Turn LLDP on or off globally)
    Transmit and Receive Control
    The CN4093 can also be configured to transmit or receive LLDP information on a port-by-port basis....
  • Page 524: Lldp Transmit Features

    Minimum Interval
    In addition to sending LLDP information at scheduled intervals, LLDP information is also sent when the CN4093 detects relevant changes to its configuration or status (such as when ports are enabled or disabled). To prevent the CN4093 from sending multiple LLDP packets in rapid succession when port status is in flux, a transmit delay timer can be configured....
  • Page 525: Time-To-Live For Transmitted Information

    CN 4093(config-if)# exit
    In addition to sending LLDP information at scheduled intervals, LLDP information is also sent when the CN4093 detects relevant changes to its configuration or status (such as when ports are enabled or disabled). To prevent the CN4093 from sending multiple trap notifications in rapid succession when port status is in flux, a global trap delay timer can be configured....
  • Page 526: Changing The Lldp Transmit State

    CN4093 port from their MIB. In addition, if LLDP is fully disabled on a port (using admstat disabled) and later re-enabled, the CN4093 will temporarily delay resuming LLDP transmissions on the port in order to allow the port LLDP information to stabilize. The...
  • Page 527: Types Of Information Transmitted

    IEEE 802.3 Link Aggregation status for the port. (Default: Disabled)
    framesz: IEEE 802.3 Maximum Frame Size for the port. (Default: Disabled)
  • Page 528 Table 39. LLDP Optional Information Types (continued)

    Type: Description (Default)
    dcbx: Data Center Bridging Capability Exchange Protocol (DCBX) for the port. (Default: Enabled)
    Select all optional LLDP information for inclusion or exclusion. (Default: Disabled)
  • Page 529: Lldp Receive Features

      • System Capabilities Supported/Enabled
      • Remote Management Address
    The CN4093 stores the collected LLDP information in the MIB. Each remote LLDP-capable device is responsible for transmitting regular LLDP updates. If the received updates contain LLDP information changes (to port state, configuration, LLDP MIB structures, deletion), the switch will set a change flag within the MIB for convenient notification to SNMP-based management systems....
  • Page 530

    Port Id : 23
    Port Description : EXT7
    System Name :
    System Description : Lenovo Flex System CN4093 10Gb Converged Scalable Switch, Lenovo N/OS: version 8.3, boot image: version 6.9.1.14
    System Capabilities Supported : bridge, router
    System Capabilities Enabled : bridge, router...
  • Page 531

    : 56
    Port Description : EXT14
    System Name : CFC
    System Description : Lenovo Flex System CN4093 10Gb Converged Scalable Switch, Lenovo Networking OS: version 7.8.0.48, Boot image: version 7.8.0.48
    System Capabilities Supported : bridge, router
    System Capabilities Enabled : bridge, router...
  • Page 532: Time-To-Live For Received Information

    MIB. Remote devices can also intentionally set their LLDP time-to-live to 0, indicating to the switch that the LLDP information is invalid and should be immediately removed.
  • Page 533: Lldp Example Configuration

    5. Verify the configuration settings:
    CN 4093(config)# show lldp
    6. View remote device information as needed.
    CN 4093(config)# show lldp remote-device
    CN 4093(config)# show lldp remote-device <index number>
    CN 4093(config)# show lldp remote-devices detail
  • Page 535: Chapter 36. Simple Network Management Protocol

    Lenovo Director.
    SNMP Version 1
    To access the SNMP agent on the CN4093, the read and write community strings on the SNMP manager should be configured to match those on the switch. The read and write community strings on the switch can be changed using the following commands:
    CN 4093(config)# snmp-server read-community <1-32 characters>...
  • Page 536: Default Configuration

    Default Configuration
    Lenovo N/OS has four SNMPv3 users by default. All four users have access to all the MIBs supported by the switch:
      • User 1 name is adminmd5 (password adminmd5). Authentication used is MD5. Privacy protocol used is DES....
  • Page 537: User Configuration Example

    CN 4093(config)# snmp-server group 5 user-name admin
    CN 4093(config)# snmp-server group 5 group-name admingrp
    If you want to allow user access only to certain MIBs, see “View-Based Configuration,” next.
  • Page 538: View-Based Configurations

    CN 4093(config)# snmp-server view 9 tree 1.3.6.1.4.1.1872.2.5.2.3   (L3 statistics)
    CN 4093(config)# snmp-server view 10 name usr
    CN 4093(config)# snmp-server view 10 tree 1.3.6.1.4.1.1872.2.5.2.3   (L3 information)
    CN 4093(config)# snmp-server view 11 name usr
    CN 4093(config)# snmp-server view 11 tree 1.3.6.1.4.1.1872.2.5.3.3
  • Page 539

    CN 4093(config)# snmp-server view 24 name oper
    CN 4093(config)# snmp-server view 24 tree 1.3.6.1.4.1.1872.2.5.2.3   (L3 information)
    CN 4093(config)# snmp-server view 25 name oper
    CN 4093(config)# snmp-server view 25 tree 1.3.6.1.4.1.1872.2.5.3.3
  • Page 540: Secure Audit Logging

    Note: Audit logging is enabled by default and cannot be disabled. The audit logs are accessed remotely via SNMPv3 hosts.
    Use the following commands to locally manage the logs:
    CN 4093(config)# show sal reverse   (Display most recent logs first)
    CN 4093(config)# clear sal   (Clear audit logs)
  • Page 541: Configuring Snmp Trap Hosts

    CN 4093(config)# snmp-server target-parameters 10 user-name v1only
    CN 4093(config)# snmp-server target-parameters 10 message snmpv1
    Note: Lenovo N/OS 8.3 supports only IPv4 addresses for SNMP trap hosts.
    5. Use the community table to specify which community string is used in the trap....
  • Page 542: Snmpv2 Trap Host Configuration

    CN 4093(config)# snmp-server target-parameters 10 security snmpv2
    CN 4093(config)# snmp-server community 10 index v2trap
    CN 4093(config)# snmp-server community 10 user-name v2trap
    Note: Lenovo N/OS 8.3 supports only IPv4 addresses for SNMPv1 and SNMPv2 trap hosts.
  • Page 543: Snmpv3 Trap Host Configuration

    CN 4093(config)# snmp-server target-address 11 taglist v3trap
    CN 4093(config)# snmp-server target-address 11 parameters-name v3param
    CN 4093(config)# snmp-server target-parameters 11 name v3param
    CN 4093(config)# snmp-server target-parameters 11 user-name v3trap
    CN 4093(config)# snmp-server target-parameters 11 level authNoPriv
  • Page 544: Snmp Mibs

    SNMP GET operation and “private” for SNMP SET operation. The community string can be modified only through the Command Line Interface (CLI). Detailed SNMP MIBs and trap definitions of the Lenovo N/OS SNMP agent are contained in the following Lenovo N/OS enterprise MIB document: GbScSE-10G-L2L3.mib...
  • Page 545

    The Lenovo N/OS SNMP agent supports the following generic traps as defined in RFC 1215:
      • ColdStart
      • WarmStart
      • LinkDown
      • LinkUp
      • AuthenticationFailure
    The SNMP agent also supports two Spanning Tree traps as defined in RFC 1493:
      • ...
  • Page 546

    Signifies that the teaming control is down but teardown is blocked.
    altSwTeamingCtrlError: Signifies error, action is undefined.
    altSwLACPPortBlocked: Signifies that LACP is operationally down on a port, and traffic is blocked on the port.
  • Page 547 Table 40. Lenovo N/OS-Supported Enterprise SNMP Traps (continued)

    Trap Name: Description
    altSwLACPPortUnblocked: Signifies that LACP is operationally up on a port, and traffic is no longer blocked on the port.
    altSwLFDPortErrdisabled: Signifies that a port is error-disabled due to excessive link flaps....
  • Page 548 Indicates that the sending agent has transitioned to “Backup” state. vrrpCurCfgVirtRtrIndx is the VRRP virtual router table index referenced in vrrpCurCfgVirtRtrTable. The range is from 1 to vrrpVirtRtrTableMaxSize. vrrpCurCfgVirtRtrAddr is the VRRP virtual router IP address.
  • Page 549 Table 40. Lenovo N/OS-Supported Enterprise SNMP Traps (continued)

    Trap Name: Description
    altSwVrrpAuthFailure: Signifies that a packet has been received from a router whose authentication key or authentication type conflicts with this router's authentication key or authentication type. Implementation of this trap is optional....
  • Page 550

    Signifies that the master has sent a FORCE DETACH message to a member.
    altVMGroupVMotion: Signifies that a virtual machine has moved from one port to another.
    altVMGroupVMOnline: Signifies that an advance provisioned virtual machine has come online.
  • Page 551 Table 40. Lenovo N/OS-Supported Enterprise SNMP Traps (continued)

    Trap Name: Description
    altVMGroupVMVlanChange: Signifies that a virtual machine has entered a VLAN, or changed the VLAN.
    vmCheckSpoofedvm: Signifies that a spoofed VM MAC was found.
  • Page 552: Switch Images And Configuration Files

      • Load a new Switch image (boot or running) from a FTP/TFTP/SFTP server
      • Load a previously saved switch configuration from a FTP/TFTP/SFTP server
      • Save the switch configuration to a FTP/TFTP/SFTP server
      • Save a switch dump to a FTP/TFTP/SFTP server
  • Page 553: Loading A New Switch Image

    Set agTransferUserName.0 "MyName"
    4. If you are using an SFTP/FTP server, enter a password:
    Set agTransferPassword.0 "MyPassword"
    5. Initiate the transfer. To restore a running configuration, enter 3:
    Set agTransferAction.0 "3"
  • Page 554: Saving The Switch Configuration

    3. If you are using an SFTP/FTP server, enter a username:
    Set agTransferUserName.0 "MyName"
    4. If you are using an SFTP/FTP server, enter a password:
    Set agTransferPassword.0 "MyPassword"
    5. Initiate the transfer. To save a dump file, enter 5:
    Set agTransferAction.0 "5"
  • Page 555: Chapter 37. Service Location Protocol

    Uniform Resource Locator (URL) pointing to the service desired, and other information, such as server load, needed by the User Agent. For more details on SLP configuration, see the Lenovo Flex System CN4093 10Gb Converged Scalable Switch Command Reference for Lenovo N/OS 8.3.
  • Page 556: Chapter 38. System License Keys

    FoD website to purchase an Authorization Code. You will need to provide the unique ID (UID) of the specific CN4093 where the key will be installed. The UID is the last 12 characters of the CN4093 serial number.
  • Page 557: Transferring Activation Keys

    License keys are based on the unique CN4093 device serial number and are non-transferable. In the event that the CN4093 must be replaced, a new activation key must be acquired and installed. When the replacement is handled through Lenovo Service and Support, your original license will be transferred to the serial number of the replacement unit and you will be provided a new license key.
  • Page 558: Flexible Port Mapping

    Removing a license key reverts the port mapping to the default settings for the remaining licensing level. To manually revert the port mapping to the default settings use the following command:
    CN4093(config)# default boot port-map
  • Page 559: Part 8: Monitoring

    Part 8: Monitoring
    The ability to monitor traffic passing through the CN4093 can be invaluable for troubleshooting some types of networking problems. This section covers the following monitoring features:
      • Remote Monitoring (RMON)
      • sFLOW
      • Port Mirroring
  • Page 561: Chapter 39. Remote Monitoring

    RMON allows you to monitor traffic flowing through the switch. The switch supports the following RMON Groups, as described in RFC 1757:
      • RMON Group 1–Statistics
      • RMON Group 2–History
      • RMON Group 3–Alarms
      • RMON Group 9–Events
  • Page 562: Rmon Group 1-Statistics

    CN 4093(config-if)# show interface port 23 rmon-counters
    ------------------------------------------------------------------
    RMON statistics for port 23:
    etherStatsDropEvents:
    etherStatsOctets: 7305626
    etherStatsPkts: 48686
    etherStatsBroadcastPkts: 4380
    etherStatsMulticastPkts: 6612
    etherStatsCRCAlignErrors:
    etherStatsUndersizePkts:
    etherStatsOversizePkts:
    etherStatsFragments:
    etherStatsJabbers:
    etherStatsCollisions:
    etherStatsPkts64Octets: 27445
    etherStatsPkts65to127Octets: 12253
    etherStatsPkts128to255Octets: 1046
    etherStatsPkts256to511Octets:
    etherStatsPkts512to1023Octets: 7283
    etherStatsPkts1024to1518Octets:
  • Page 563: Rmon Group 2-History

    CN 4093(config)# rmon history 1 polling-interval 120
    CN 4093(config)# rmon history 1 owner "rmon port 1 history"
    where <x> is the number of the port to monitor. For example, the full OID for port 1 would be: 1.3.6.1.2.1.2.2.1.1.1
  • Page 564

    3. View RMON history for the port.
    CN 4093(config)# show rmon history
    RMON History group configuration:
    Index IFOID Interval Rbnum Gbnum
    ----- ----------------------- -------- ----- -----
    1.3.6.1.2.1.2.2.1.1.1
    Index Owner
    ----- ----------------------------------------------
    rmon port 1 history
  • Page 565: Rmon Group 3-Alarms

    CN 4093(config)# rmon alarm 1 alarm-type rising
    CN 4093(config)# rmon alarm 1 rising-crossing-index 100
    CN 4093(config)# rmon alarm 1 interval 3600
    CN 4093(config)# rmon alarm 1 rising-limit 2000000000
    CN 4093(config)# rmon alarm 1 owner "Alarm for ifInOctets"
  • Page 566: Alarm Example 2

    CN 4093(config)# rmon alarm 1 rising-crossing-index 110
    CN 4093(config)# rmon alarm 1 interval-time 60
    CN 4093(config)# rmon alarm 1 rising-limit 200
    CN 4093(config)# rmon alarm 1 sample delta
    CN 4093(config)# rmon alarm 1 owner "Alarm for icmpInEchos"
  • Page 567: Rmon Group 9-Events

    CN 4093(config)# rmon event 110 description "SYSLOG_this_alarm"
    CN 4093(config)# rmon event 110 owner "log icmpInEchos alarm"
    This configuration creates an RMON event that sends a syslog message each time it is triggered by an alarm.
  • Page 569: Chapter 40. Sflow

    Note: Lenovo N/OS 8.3 does not support IPv6 for sFLOW.
    sFlow Statistical Counters
    The CN4093 can be configured to send network statistics to an sFlow analyzer at regular intervals. For each port, a polling interval of 5 to 60 seconds can be configured, or 0 (the default) to disable this feature.
  • Page 570: Sflow Example Configuration

    CN 4093(config-if)# sflow sampling <sampling rate>   (Data sampling rate)
    Specify a sampling rate between 256 and 65536 packets, or 0 to disable. By default, the sampling rate is 0 (disabled) for each port.
    4. Save the configuration.
  • Page 571: Chapter 41. Port Mirroring

    Chapter 41. Port Mirroring The Lenovo N/OS port mirroring feature allows you to mirror (copy) the packets of a target port, and forward them to a monitoring port. Port mirroring functions for all layer 2 and layer 3 traffic on a port. This feature can be used as a troubleshooting tool or to enhance the security of your network.
  • Page 572: Port Mirroring Behavior

    Port Mirroring Behavior
    This section describes the composition of monitored packets in the CN4093, based on the configuration of the ports.
      • Packets mirrored at port egress are mirrored prior to VLAN tag processing and may have a different PVID than packets that egress the port toward their actual network destination.
  • Page 573: Part 9: Appendices

    Part 9: Appendices
  • Page 575: Appendix A. Glossary

    VLAN. If there is more than one VLAN defined on the Web switch, then the VRRP broadcasts will only be sent out on the VLAN of which the associated IP interface is a member.
  • Page 576 Gratuitous ARP the Layer 2 devices attached to the switch would not know that the MAC address had moved in the network. For a more detailed description, refer to RFC 2338.
  • Page 577: Appendix B. Getting Help And Technical Assistance

    Lenovo to assist you. Use this information to obtain additional information about Lenovo and Lenovo products, and determine what to do if you experience a problem with your Lenovo system or optional device. Note: This section includes references to IBM web sites and information about obtaining service.
  • Page 578 Electronic Service Request. You can solve many problems without outside assistance by following the troubleshooting procedures that Lenovo provides in the online help or in the Lenovo product documentation. The Lenovo product documentation also describes the diagnostic tests that you can perform. The documentation for most systems, operating systems, and programs contains troubleshooting procedures and explanations of error messages and error codes.
  • Page 579: Appendix C. Notices

    Web sites. The materials at those Web sites are not part of the materials for this Lenovo product, and use of those Web sites is at your own risk.
  • Page 580 Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
  • Page 581: Trademarks

    Trademarks Lenovo, the Lenovo logo, Flex System, System x, NeXtScale System, and X-Architecture are trademarks of Lenovo in the United States, other countries, or both. Intel and Intel Xeon are trademarks of Intel Corporation in the United States, other countries, or both.
  • Page 582: Important Notes

    (TBW). A device that has exceeded this limit might fail to respond to system-generated commands or might be incapable of being written to. Lenovo is not responsible for replacement of a device that has exceeded its maximum guaranteed number of program/erase cycles, as documented in the Official Published Specifications for the device.
  • Page 583: Recycling Information

    Recycling Information Lenovo encourages owners of information technology (IT) equipment to responsibly recycle their equipment when it is no longer needed. Lenovo offers a variety of programs and services to assist equipment owners in recycling their IT products. For information on recycling Lenovo products, go to: http://www.lenovo.com/recycling...
  • Page 584: Particulate Contamination

    If Lenovo determines that the levels of particulates or gases in your environment have caused damage to the device, Lenovo may condition provision of repair or replacement of devices or parts on implementation of appropriate remedial measures to mitigate such environmental contamination.
  • Page 585: Telecommunication Regulatory Statement

    This product may not be certified in your country for connection by any means whatsoever to interfaces of public telecommunications networks. Further certification may be required by law prior to making any such connection. Contact a Lenovo representative or reseller for any questions.
  • Page 586: Electronic Emission Notices

    Properly shielded and grounded cables and connectors must be used to meet FCC emission limits. Lenovo is not responsible for any radio or television interference caused by using other than recommended cables and connectors or by unauthorized changes or modifications to this equipment.
  • Page 587: European Union - Compliance To The Electromagnetic Compatibility Directive

    Class A limits of the standard in accordance with the directive. To ensure this, the devices must be installed and operated as described in the manuals. Furthermore, only cables recommended by Lenovo may be connected. Lenovo assumes no responsibility for compliance with the protection requirements if the product is modified without Lenovo's consent or...
  • Page 588: Japan Vcci Class A Statement

    This device is entitled to bear the EC conformity mark (CE) in accordance with the German EMVG. The party responsible for the declaration of conformity under Section 5 of the EMVG is Lenovo (Deutschland) GmbH, Meitnerstr. 9, D-70563 Stuttgart. Information with regard to EMVG Section 4 Para. (1) 4: The device meets the protection requirements of EN 55024 and EN 55022 Class...
  • Page 589: Japan Electronics And Information Technology Industries Association (Jeita) Statement

    Sellers and users need to pay attention to it. This is for any areas other than home.
    Russia Electromagnetic Interference (EMI) Class A statement
    People’s Republic of China Class A electronic emission statement
    Taiwan Class A compliance statement
  • Page 591: Index

    BBI. See Browser-Based Interface port aggregation 144 Bootstrap Router, PIM 483 spanning tree groups 163 Border Gateway Protocol (BGP) 433 contamination, particulate and gaseous 584 attributes 440 Converged Enhanced Ethernet. See CEE. Converged Network Adapter. See CNA.
  • Page 592 50 IBM Director 535 failover 495 IBM DirectorSNMP overview 506 IBM Director 37 FC-BB-5 280 ICMP 104 FCC Class A notice 586 FCC, Class A 586 FCF 258 detection mode 287
  • Page 593 404 IPv6 addressing 383 ISL Aggregation 141 Isolated VLAN 133 Japan Class A electronic emission statement 588 Japan Electronics and Information Technology Industries Association statement 589 JEITA statement 589 jumbo frames 118
  • Page 594 Router ID, OSPF 457 EtherChannel 141 routers 373 port flow control. See flow control. border 451 port mirroring 571 peer 451 configuration rules 142 port aggregation 141 port modes 140 switch-based routing topology 374 routes, advertising 451
  • Page 595 75 virtual router ID numbering 510 RSA host and server keys 78 Virtual Station Interface, See VSI. stacking 211 VLAN tagging starting switch setup 50 setup 54 Static ARP 337 stopping switch setup 50
  • Page 596 507 overview 503 virtual interface router 504 virtual router ID numbering 510 vrid 504 VSI 329 VSI Database, See VSIDB. VSI Discovery and Configuration Protocol, See VDP. VSIDB 330 willing flag (DCBX) 303
  • Page 598 Part Number: 00MY375 Printed in USA (IP) P/N: 00MY375...
