Page 1 Lenovo ThinkSystem NE2552E Flex Switch Application Guide For Lenovo Enterprise Network Operating System 8.4...
Page 2 Note: Before using this information and the product it supports, read the general information in the Safety information and Environmental Notices and User Guide documents on the Lenovo Documentation CD and the Warranty Information document that comes with the product. Third Edition (August 2018) © Copyright Lenovo 2018 Portions © Copyright IBM Corporation 2014. LIMITED AND RESTRICTED RIGHTS NOTICE: If data or software is delivered pursuant a General Services Administration “GSA” contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS‐35F‐05925. Lenovo and the Lenovo logo are trademarks of Lenovo in the United States, other countries, or both.
Page 3: Table Of Contents
Browser‐Based Interface . . . . . . . . . . . . . . . . . . . . . . .31 Establishing a Connection . . . . . . . . . . . . . . . . . . . . . . . .32 Using the Chassis Management Module . . . . . . . . . . . . . . . .32 Factory‐Default vs. CMM‐Assigned IP Addresses . . . . . . . . . .32 Using Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . .33 Using Secure Shell. . . . . . . . . . . . . . . . . . . . . . . . . .33 Using SSH with Password Authentication . . . . . . . . . . . . .34 Using SSH with Public Key Authentication . . . . . . . . . . . . .34 Using a Web Browser . . . . . . . . . . . . . . . . . . . . . . . .35 Configuring HTTP Access to the BBI . . . . . . . . . . . . . . . .35 Configuring HTTPS Access to the BBI . . . . . . . . . . . . . . .36 BBI Summary . . . . . . . . . . . . . . . . . . . . . . . . . .37 Using Simple Network Management Protocol. . . . . . . . . . . . . .38 BOOTP/DHCP Client IP Address Services . . . . . . . . . . . . . . . . .39 Host Name Configuration . . . . . . . . . . . . . . . . . . . . . .39 SYSLOG Server . . . . . . . . . . . . . . . . . . . . . . . . . . .40 DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . .40 Easy Connect Wizard . . . . . . . . . . . . . . . . . . . . . . . . . .41 Configuring the Easy Connect Wizard . . . . . . . . . . . . . . . . .41 Basic System Mode Configuration Example . . . . . . . . . . . . .42 Transparent Mode Configuration Example . . . . . . . . . . . . .43 Redundant Mode Configuration Example . . . . . . . . . . . . .44 Switch Login Levels . . . . . . . . . . . . . . . . . . . . . . . . . . .46 Administrator Password Recovery . . . . . . . . . . . . . . . . . . . .48 Secure FTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50 © Copyright Lenovo 2018...
Page 4 Boot Strict Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Acceptable Cipher Suites . . . . . . . . . . . . . . . . . . . . . . 54 Configuring Strict Mode . . . . . . . . . . . . . . . . . . . . . . . 55 Limitations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 Configuring No‐Prompt Mode . . . . . . . . . . . . . . . . . . . . . . 56 Chapter 2. Initial Setup ..... 57 Information Needed for Setup . . . . . . . . . . . . . . . . . . . . . . 58 Default Setup Options . . . . . . . . . . . . . . . . . . . . . . . . .
Page 5 Chapter 5. Authentication & Authorization Protocols ..99 RADIUS Authentication and Authorization . . . . . . . . . . . . . . . 100 How RADIUS Authentication Works . . . . . . . . . . . . . . . . 100 Configuring RADIUS on the Switch . . . . . . . . . . . . . . . . . 101 RADIUS Authentication Features in Lenovo ENOS . . . . . . . . . . 101 Switch User Accounts . . . . . . . . . . . . . . . . . . . . . . . 102 RADIUS Attributes for Lenovo ENOS User Privileges . . . . . . . . . 103 TACACS+ Authentication . . . . . . . . . . . . . . . . . . . . . . . 104 How TACACS+ Authentication Works. . . . . . . . . . . . . . . . 104 TACACS+ Authentication Features in Lenovo ENOS . . . . . . . . . 105 Authorization . . . . . . . . . . . . . . . . . . . . . . . . . 105 Local Access . . . . . . . . . . . . . . . . . . . . . . . . . 106 Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . 106 Command Authorization and Logging . . . . . . . . . . . . . . . . 107 TACACS+ Password Change . . . . . . . . . . . . . . . . . . . . 109 Configuring TACACS+ Authentication on the Switch . . . . . . . . . 109 LDAP Authentication and Authorization . . . . . . . . . . . . . . . . 110 Configuring the LDAP Server. . . . . . . . . . . . . . . . . . . . 110 Configuring LDAP Authentication on the Switch . . . . . . . . . . . 111 © Copyright Lenovo 2018 Contents...
Page 6 Chapter 6. 802.1X Port-Based Network Access Control ..113 Extensible Authentication Protocol over LAN . . . . . . . . . . . . . . 114 EAPoL Authentication Process . . . . . . . . . . . . . . . . . . . 115 EAPoL Message Exchange . . . . . . . . . . . . . . . . . . . . . 116 EAPoL Port States . . . . . . . . . . . . . . . . . . . . . . . . 116 Guest VLAN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 Supported RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . 118 EAPoL Configuration Guidelines . . . . . . . . . . . . . . . . . . . . 120 Chapter 7. Access Control Lists....121 Summary of Packet Classifiers . . . . . . . . . . . . . . . . . . . . . ...
Page 7 Chapter 10. Spanning Tree Protocols....173 Spanning Tree Protocol Modes . . . . . . . . . . . . . . . . . . . . . 174 Global STP Control . . . . . . . . . . . . . . . . . . . . . . . . 174 PVRST Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 Port States . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 Bridge Protocol Data Units . . . . . . . . . . . . . . . . . . . . . 176 Determining the Path for Forwarding BPDUs . . . . . . . . . . . 176 Bridge Priority . . . . . . . . . . . . . . . . . . . . . . . . 176 Port Priority . . . . . . . . . . . . . . . . . . . . . . . . . 177 Root Guard . . . . . . . . . . . . . . . . . . . . . . . . . . 177 Loop Guard. . . . . . . . . . . . . . . . . . . . . . . . . . 177 Port Path Cost. . . . . . . . . . . . . . . . . . . . . . . . . 178 Simple STP Configuration . . . . . . . . . . . . . . . . . . . . . 178 Per‐VLAN Spanning Tree Groups . . . . . . . . . . . . . . . . . . 180 Using Multiple STGs to Eliminate False Loops. . . . . . . . . . . 180 VLAN and STG Assignment . . . . . . . . . . . . . . . . . . 181 Manually Assigning STGs . . . . . . . . . . . . . . . . . . . 182 Guidelines for Creating VLANs . . . . . . . . . . . . . . . . . 182 Rules for VLAN Tagged Ports . . . . . . . . . . . . . . . . . . 182 Adding and Removing Ports from STGs . . . . . . . . . . . . . 183 Switch‐Centric Configuration . . . . . . . . . . . . . . . . . . 184 Configuring Multiple STGs . . . . . . . . . . . . . . . . . . . . . 185 © Copyright Lenovo 2018 Contents...
Page 8 Rapid Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . 187 Port States . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 RSTP Configuration Guidelines . . . . . . . . . . . . . . . . . . . 187 RSTP Configuration Example. . . . . . . . . . . . . . . . . . . . 188 Multiple Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . 189 MSTP Region. . . . . . . . . . . . . . . . . . . . . . . . . . . 189 Common Internal Spanning Tree . . . . . . . . . . . . . . . . . . 189 MSTP Configuration Guidelines . . . . . . . . . . . . . . . . . . 190 MSTP Configuration Examples . . . . . . . . . . . . . . . . . . . 190 MSTP Configuration Example 1 . . . . . . . . . . . . . . . . . 190 MSTP Configuration Example 2 . . . . . . . . . . . . . . . . . 191 Port Type and Link Type . . . . . . . . . . . . . . . . . . . . . . . 193 Edge/Portfast Port . . . . . . . . . . . . . . . . . . . . . . . . 193 Link Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Chapter 11. Virtual Link Aggregation Groups ... . 195 VLAG Capacities . . . . . . . . . . . . . . . . . . . . . . . . . . . ...
Page 9 Port Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . 250 Global FIP Snooping Settings . . . . . . . . . . . . . . . . . . . . 250 FIP Snooping for Specific Ports . . . . . . . . . . . . . . . . . . . 251 FIPS LAG Support on Server Ports . . . . . . . . . . . . . . . . . 251 Port FCF and ENode Detection . . . . . . . . . . . . . . . . . . . 252 FCoE Connection Timeout . . . . . . . . . . . . . . . . . . . . . 252 FCoE ACL Rules . . . . . . . . . . . . . . . . . . . . . . . . . 252 FCoE VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . 253 Viewing FIP Snooping Information . . . . . . . . . . . . . . . . . 253 Operational Commands . . . . . . . . . . . . . . . . . . . . . . 254 FIP Snooping Configuration . . . . . . . . . . . . . . . . . . . . 255 Priority‐Based Flow Control . . . . . . . . . . . . . . . . . . . . . . 256 Global vs. Port‐by‐Port PFC Configuration . . . . . . . . . . . . . . 257 PFC Configuration Example . . . . . . . . . . . . . . . . . . . . 258 Enhanced Transmission Selection . . . . . . . . . . . . . . . . . . . . 260 802.1p Priority Values . . . . . . . . . . . . . . . . . . . . . . . 260 Priority Groups . . . . . . . . . . . . . . . . . . . . . . . . . . 261 PGID . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261 Assigning Priority Values to a Priority Group . . . . . . . . . . . 262 Deleting a Priority Group. . . . . . . . . . . . . . . . . . . . 262 Allocating Bandwidth . . . . . . . . . . . . . . . . . . . . . 262 Configuring ETS . . . . . . . . . . . . . . . . . . . . . . . . . 264 © Copyright Lenovo 2018 Contents...
Page 10 Data Center Bridging Capability Exchange. . . . . . . . . . . . . . . . 266 DCBX Settings . . . . . . . . . . . . . . . . . . . . . . . . . . 266 Enabling and Disabling DCBX . . . . . . . . . . . . . . . . . 267 Peer Configuration Negotiation . . . . . . . . . . . . . . . . . 267 Configuring DCBX . . . . . . . . . . . . . . . . . . . . . . . . 268 FCoE Example Configuration . . . . . . . . . . . . . . . . . . . . . 270 Chapter 16. Static Multicast ARP ....273 Configuring Static Multicast ARP. . . . . . . . . . . . . . . . . . . . 274 Configuration Example . . . . . . . . . . . . . . . . . . . . . . 274 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ...
Page 11 Supported Applications . . . . . . . . . . . . . . . . . . . . . . . . 334 IPv6 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 336 Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . 336 IPv6 Configuration Examples . . . . . . . . . . . . . . . . . . . . 336 IPv6 Configuration Example 1. . . . . . . . . . . . . . . . . . 336 IPv6 Configuration Example 2. . . . . . . . . . . . . . . . . . 337 Chapter 23. Using IPsec with IPv6 ....339 IPsec Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340 © Copyright Lenovo 2018 Contents...
Page 12 Using IPsec with the NE2552E . . . . . . . . . . . . . . . . . . . . . 341 Setting up Authentication . . . . . . . . . . . . . . . . . . . . . 342 Creating an IKEv2 Proposal . . . . . . . . . . . . . . . . . . 342 Importing an IKEv2 Digital Certificate . . . . . . . . . . . . . . 343 Generating a Certificate Signing Request . . . . . . . . . . . . . 343 Generating an IKEv2 Digital Certificate . . . . . . . . . . . . . 345 Enabling IKEv2 Preshared Key Authentication . . . . . . . . . . 346 Setting Up a Key Policy . . . . . . . . . . . . . . . . . . . . . . 346 Using a Manual Key Policy. . . . . . . . . . . . . . . . . . . . . 348 Using a Dynamic Key Policy . . . . . . . . . . . . . . . . . . . . 350 Chapter 24. Routing Information Protocol ... . . 351 Distance Vector Protocol . . . . . . . . . . . . . . . . . . . . . . . ...
Page 13 Internal Versus External Routing . . . . . . . . . . . . . . . . . . 393 OSPFv2 Implementation in Lenovo ENOS . . . . . . . . . . . . . . . . 394 Configurable Parameters . . . . . . . . . . . . . . . . . . . . . . 394 Defining Areas . . . . . . . . . . . . . . . . . . . . . . . . . . 395 Assigning the Area Index . . . . . . . . . . . . . . . . . . . . 395 Using the Area ID to Assign the OSPF Area Number . . . . . . . . 396 Attaching an Area to a Network . . . . . . . . . . . . . . . . . 396 Interface Cost . . . . . . . . . . . . . . . . . . . . . . . . . . . 397 Electing the Designated Router and Backup . . . . . . . . . . . . . 397 Summarizing Routes . . . . . . . . . . . . . . . . . . . . . . . 397 Default Routes . . . . . . . . . . . . . . . . . . . . . . . . . . 398 Virtual Links . . . . . . . . . . . . . . . . . . . . . . . . . . . 399 Router ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 400 Configuring Plain Text OSPF Passwords . . . . . . . . . . . . . 401 Configuring MD5 Authentication . . . . . . . . . . . . . . . . 402 Host Routes for Load Balancing . . . . . . . . . . . . . . . . . . . 403 Loopback Interfaces in OSPF . . . . . . . . . . . . . . . . . . . . 403 OSPF Features Not Supported . . . . . . . . . . . . . . . . . . . 404 © Copyright Lenovo 2018 Contents...
Page 14 Example 1: Simple OSPF Domain . . . . . . . . . . . . . . . . . . 405 Example 2: Virtual Links . . . . . . . . . . . . . . . . . . . . . . 407 Configuring OSPF for a Virtual Link on Switch #1 . . . . . . . . . 407 Configuring OSPF for a Virtual Link on Switch #2 . . . . . . . . . 408 Other Virtual Link Options . . . . . . . . . . . . . . . . . . . 410 Example 3: Summarizing Routes . . . . . . . . . . . . . . . . . . 410 Verifying OSPF Configuration . . . . . . . . . . . . . . . . . . . 412 OSPFv3 Implementation in Lenovo ENOS . . . . . . . . . . . . . . . . 413 OSPFv3 Differences from OSPFv2. . . . . . . . . . . . . . . . . . 413 OSPFv3 Requires IPv6 Interfaces . . . . . . . . . . . . . . . . 413 OSPFv3 Uses Independent Command Paths . . . . . . . . . . . 413 OSPFv3 Identifies Neighbors by Router ID . . . . . . . . . . . . 413 Other Internal Improvements . . . . . . . . . . . . . . . . . . 414 OSPFv3 Limitations . . . . . . . . . . . . . . . . . . . . . . . . 414 OSPFv3 Configuration Example . . . . . . . . . . . . . . . . . . 414 Neighbor Configuration Example . . . . . . . . . . . . . . . . ...
Page 15 Part 7:. Network Management ....461 Chapter 33. Link Layer Discovery Protocol ... . . 463 LLDP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 464 © Copyright Lenovo 2018 Contents...
Page 16 Enabling or Disabling LLDP . . . . . . . . . . . . . . . . . . . . . . 465 Global LLDP Setting . . . . . . . . . . . . . . . . . . . . . . . 465 Transmit and Receive Control . . . . . . . . . . . . . . . . . . . 465 LLDP Transmit Features. . . . . . . . . . . . . . . . . . . . . . . . 466 Scheduled Interval . . . . . . . . . . . . . . . . . . . . . . . . 466 Minimum Interval . . . . . . . . . . . . . . . . . . . . . . . . 466 Time‐to‐Live for Transmitted Information . . . . . . . . . . . . . . 467 Trap Notifications . . . . . . . . . . . . . . . . . . . . . . . . 467 Changing the LLDP Transmit State . . . . . . . . . . . . . . . . . 468 Types of Information Transmitted. . . . . . . . . . . . . . . . . . 469 LLDP Receive Features . . . . . . . . . . . . . . . . . . . . . . . . 471 Types of Information Received . . . . . . . . . . . . . . . . . . . 471 Viewing Remote Device Information . . . . . . . . . . . . . . . . 471 Time‐to‐Live for Received Information . . . . . . . . . . . . . . . 474 LLDP Example Configuration . . . . . . . . . . . . . . . . . . . . . 475 Chapter 34. Simple Network Management Protocol..477 SNMP Version 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . ...
Page 17 Alarm Example 2 . . . . . . . . . . . . . . . . . . . . . . . 542 RMON Group 9–Events . . . . . . . . . . . . . . . . . . . . . . . . 543 Chapter 39. sFLOW ..... . . 545 sFlow Statistical Counters . . . . . . . . . . . . . . . . . . . . . . . 545 sFlow Network Sampling . . . . . . . . . . . . . . . . . . . . . . . 545 sFlow Example Configuration . . . . . . . . . . . . . . . . . . . . . 546 © Copyright Lenovo 2018 Contents...
Page 18 Chapter 40. Port Mirroring ....547 Port Mirroring Behavior . . . . . . . . . . . . . . . . . . . . . . . . 548 Configuring Port Mirroring . . . . . . . . . . . . . . . . . . . . 548 Part 9:. Appendices ..... . . 549 Appendix A.
Page 19: Preface
Preface The Lenovo ThinkSystem NE2552E Flex Switch Application Guide describes how to configure and use the Lenovo ENOS 8.4 software on the Lenovo ThinkSystem NE2552E Flex Switch (referred to as NE2552E throughout this document). For documentation about installing the switch physically, see the Installation Guide for your NE2552E. © Copyright Lenovo 2018...
Page 20: Who Should Use This Guide
Who Should Use This Guide This guide is intended for network installers and system administrators engaged in configuring and maintaining a network. The administrator should be familiar with Ethernet concepts, IP addressing, Spanning Tree Protocol, and SNMP configuration parameters. NE2552E Application Guide for ENOS 8.4...
Page 21: What You'll Find In This Guide
 Chapter 5, “Authentication & Authorization Protocols,” describes different secure administration for remote administrators. This includes using Remote Authentication Dial‐in User Service (RADIUS), as well as TACACS+ and LDAP.  Chapter 6, “802.1X Port‐Based Network Access Control,” describes how to authenticate devices attached to a LAN port that has point‐to‐point connection characteristics. This feature prevents access to ports that fail authentication and authorization and provides security to ports of the NE2552E that connect to blade servers.  Chapter 7, “Access Control Lists,” describes how to use filters to permit or deny specific types of traffic, based on a variety of source, destination, and packet attributes. Part 3: Switch Basics  Chapter 8, “VLANs,” describes how to configure Virtual Local Area Networks (VLANs) for creating separate network segments, including how to use VLAN tagging for devices that use multiple VLANs. This chapter also describes Protocol‐based VLANs, and Private VLANs.  Chapter 9, “Ports and Link Aggregation (LAG),” describes how to group multiple physical ports together to aggregate the bandwidth between large‐scale network devices. © Copyright Lenovo 2018 Preface...
Page 22: Part 4: Advanced Switching Features
 Chapter 10, “Spanning Tree Protocols,” discusses how Spanning Tree Protocol (STP) configures the network so that the switch selects the most efficient path when multiple paths exist. Also includes the Rapid Spanning Tree Protocol (RSTP), Per‐VLAN Rapid Spanning Tree Plus (PVRST+), and Multiple Spanning Tree Protocol (MSTP) extensions to STP.  Chapter 11, “Virtual Link Aggregation Groups,” describes using Virtual Link Aggregation Groups (vLAG) to form LAGs spanning multiple vLAG‐capable aggregator switches.  Chapter 12, “Quality of Service,” discusses Quality of Service (QoS) features, including IP filtering using Access Control Lists (ACLs), Differentiated Services, and IEEE 802.1p priority values.  Chapter 13, “Precision Time Protocol,” describes the precision clock synchronization protocol for networked measurement and control systems. Part 4: Advanced Switching Features  Chapter 14, “Virtualization,” provides an overview of allocating resources based on the logical needs of the data center, rather than on the strict, physical nature of components. Chapter 15, “Fibre Channel over Ethernet,” discusses using various Converged  Enhanced Ethernet (CEE) features such as Priority‐based Flow Control (PFC), Enhanced Transmission Selection (ETS) and FIP Snooping for solutions such as Fibre Channel over Ethernet (FCoE).  Chapter 16, “Static Multicast ARP,” discusses the configuration of a static ARP entry with multicast MAC address for Microsoft’s Network Load Balancing ...
Page 23: Part 6: High Availability Fundamentals
Chapter 30, “Basic Redundancy,” describes how the NE2552E supports  redundancy through aggregation and Hotlinks. Chapter 31, “Layer 2 Failover,” describes how the NE2552E supports  high‐availability network topologies using Layer 2 Failover.  Chapter 32, “Virtual Router Redundancy Protocol,” describes how the NE2552E supports high‐availability network topologies using Virtual Router Redundancy Protocol (VRRP). Part 7: Network Management  Chapter 33, “Link Layer Discovery Protocol,” describes how Link Layer Discovery Protocol helps neighboring network devices learn about each others’ ports and capabilities.  Chapter 34, “Simple Network Management Protocol,” describes how to configure the switch for management through an SNMP client.  Chapter 35, “Service Location Protocol,” describes the Service Location Protocol (SLP) that allows the switch to provide dynamic directory services.  Chapter 36, “NETCONF,” describes how to manage the G8264 using the Network Configuration Protocol (NETCONF), a mechanism based on the Extensible Markup Language (XML). © Copyright Lenovo 2018 Preface...
Page 24: Part 8: Monitoring
Part 8: Monitoring  Chapter 38, “Remote Monitoring,” describes how to configure the RMON agent on the switch, so that the switch can exchange network monitoring data.  Chapter 40, “Port Mirroring,” discusses tools how copy selected port traffic to a monitor port for network analysis. Part 9: Appendices Appendix A, “Glossary,” describes common terms and concepts used  throughout this guide.  Appendix B, “Getting help and technical assistance,” describes how to get help.  Appendix C, “Notices,” provides trademark and other compliance information. NE2552E Application Guide for ENOS 8.4...
Page 25: Additional References
Additional References Additional information about installing and configuring the NE2552E is available in the following guides:  Lenovo ThinkSystem NE2552E Flex Switch Installation Guide Lenovo ThinkSystem NE2552E Flex Switch Command Reference for Lenovo Network  Operating System 8.4 © Copyright Lenovo 2018 Preface...
Page 26: Typographic Conventions
Typographic Conventions The following table describes the typographic styles used in this book. Table 1. Typographic Conventions Typeface or Meaning Example Symbol ABC123 This type is used for names of View the readme.txt file. commands, files, and directories used within the text. Main# It also depicts on‐screen computer output and prompts. ABC123 Main# sys This bold type appears in command examples. It shows text that must be typed in exactly as shown. <ABC123> This italicized type appears in To establish a Telnet session, command examples as a enter: host# telnet <IP address> parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets. This also shows book titles, Read your User’s Guide ...
Page 28 NE2552E Application Guide for ENOS 8.4...
Page 29: Chapter 1. Switch Administration
Chapter 1. Switch Administration Your NE2552E Flex Switch is ready to perform basic switching functions right out of the box. Some of the more advanced features, however, require some administrative configuration before they can be used effectively. The extensive Lenovo ENOS switching software included in the NE2552E provides a variety of options for accessing the switch to perform configuration, and to view switch information and statistics. This chapter discusses the various methods that can be used to administer the switch. © Copyright Lenovo 2018...
Page 30: Administration Interfaces
 The Flex System chassis management module tools for general chassis management  A built‐in, text‐based command‐line interface and menu system for access via serial‐port connection or an optional Telnet or SSH session  The built‐in Browser‐Based Interface (BBI) available using a standard web‐browser  SNMP support for access through network management software such as IBM Director. The specific interface chosen for an administrative session depends on user preferences, as well as the switch configuration and the available client tools. In all cases, administration requires that the switch hardware is properly installed and turned on. (see the Lenovo ThinkSystem NE2552E Flex Switch Installation Guide). Chassis Management Module The NE2552E Flex Switch is an integral subsystem within the overall Lenovo Flex System. The Flex System chassis also includes a chassis management module (CMM) as the central element for overall chassis management and control. Using the tools available through the CMM, the administrator can configure many of the NE2552E features and can also access other NE2552E administration interfaces. For more information, see “Using the Chassis Management Module” on page Industry Standard Command Line Interface The Industry Standard Command Line Interface (ISCLI) provides a simple, direct method for switch administration. Using a basic terminal, you can issue commands that allow you to view detailed information and statistics about the switch, and to perform any necessary configuration and switch software maintenance. You can establish a connection to the CLI in any of the following ways:  Serial connection via the serial port on the NE2552E (this option is always avail‐...
Page 31: Browser-Based Interface
Browser-Based Interface The Browser‐based Interface (BBI) provides access to the common configuration, management and operation features of the NE2552E through your Web browser. © Copyright Lenovo 2018 Chapter 1: Switch Administration...
Page 32: Establishing A Connection
Establishing a Connection The factory default settings permit initial switch administration through the built‐in serial port. Remote access using the network requires the accessing terminal to have a valid, routable connection to the switch interface. The client IP address may be configured manually, or an IPv4 address can be provided automatically through the switch using a service such as DHCP (see “BOOTP/DHCP Client IP Address Services” on page 39), or an IPv6 address can be obtained using IPv6 stateless address configuration. Using the Chassis Management Module The NE2552E is an integral subsystem within the overall Lenovo Flex System. The Flex System chassis includes a chassis management module (CMM) as the central element for overall chassis management and control. The NE2552E uses MGT1to communicate with the chassis management module(s). Even when the NE2552E is in a factory default configuration, you can use the 1Gb Ethernet port on each CMM to configure and manage the NE2552E. For more information about using the chassis management module, see the Lenovo ThinkSystem NE2552E Flex Switch Installation Guide. Factory-Default vs. CMM-Assigned IP Addresses Each NE2552E must be assigned its own Internet Protocol version 4 (IPv4) address, which is used for communication with an SNMP network manager or other transmission control protocol/Internet Protocol (TCP/IP) applications (for example, BOOTP or TFTP). The factory‐default IPv4 address is 10.90.90.x, where x is based on the number of the bay into which the NE2552E is installed. For additional information, see the Installation Guide. The chassis management module assigns an IPv4 address of 192.168.70.1xx, where xx is also based on the number of the bay into which each NE2552E is installed, as shown in the following table: Table 2.
Page 33: Using Telnet
Two attempts are allowed to log in to the switch. After the second unsuccessful attempt, the Telnet client is disconnected via TCP session closure. Using Secure Shell Although a remote network administrator can manage the configuration of a NE2552E via Telnet, this method does not provide a secure connection. The Secure Shell (SSH) protocol enables you to securely log into another device over a network to execute commands remotely. As a secure alternative to using Telnet to manage switch configuration, SSH ensures that all data sent over the network is encrypted and secure. The switch can do only one session of key/cipher generation at a time. Thus, a SSH/SCP client will not be able to login if the switch is doing key generation at that time. Similarly, the system will fail to do the key generation if a SSH/SCP client is logging in at that time. The supported SSH encryption and authentication methods are listed below.  Server Host Authentication: Client RSA‐authenticates the switch when starting each connection  Key Exchange: ecdh‐sha2‐nistp521, ecdh‐sha2‐nistp384, ecdh‐sha2‐nistp256, ecdh‐sha2‐nistp224, ecdh‐sha2‐nistp192, rsa2048‐sha256, rsa1024‐sha1, diffie‐hellman‐group‐exchange‐sha256, diffie‐hellman‐group‐exchange‐sha1, diffie‐hellman‐group14‐sha1, diffie‐hellman‐group1‐sha1  Encryption: aes128‐ctr, aes128‐cbc, rijndael128‐cbc, blowfish‐cbc,3des‐cbc, arcfour256, arcfour128, arcfour MAC: hmac‐sha1, hmac‐sha1‐96, hmac‐md5, hmac‐md5‐96   User Authentication: Local password authentication, RADIUS, TACACS+ © Copyright Lenovo 2018 Chapter 1: Switch Administration...
Page 34: Using Ssh With Password Authentication
The following SSH clients have been tested: OpenSSH_5.1p1 Debian‐3ubuntu1   SecureCRT 5.0 (Van Dyke Technologies, Inc.)  Putty beta 0.60 Note: The Lenovo ENOS implementation of SSH supports version 2.0 and supports SSH client version 2.0. Using SSH with Password Authentication By default, the SSH feature is enabled. For information about enabling and using SSH for switch access, see “Secure Shell and Secure Copy” on page Once the IP parameters are configured and the SSH service is enabled, you can access the command line interface using an SSH connection. To establish an SSH connection with the switch, run the SSH program on your workstation by issuing the SSH command, followed by the switch IPv4 or IPv6 address: ssh <switch IP address> You will then be prompted to enter a password as explained “Switch Login Levels” on page Using SSH with Public Key Authentication SSH can also be used for switch authentication based on asymmetric cryptography. Public encryption keys can be uploaded on the switch and used to authenticate incoming login attempts based on the clients’ private encryption key pairs. After a predefined number of failed public key login attempts, the switch reverts to password‐based authentication. To set up public key authentication: 1. Enable SSH: NE2552E(config)# ssh enable 2.
Page 35: Using A Web Browser
Configuring HTTP Access to the BBI By default, BBI access via HTTP is disabled on the switch. To enable or disable HTTP access to the switch BBI, use the following commands: NE2552E(config)# access http enable (Enable HTTP access) ‐or‐ NE2552E(config)# no access http enable (Disable HTTP access) The default HTTP web server port to access the BBI is port 80. However, you can change the default Web server port with the following command: NE2552E(config)# access http port <TCP port> To access the BBI from a workstation, open a Web browser window and type in the URL using the IP address of the switch interface (for example, http://<IPv4 or IPv6 address>). © Copyright Lenovo 2018 Chapter 1: Switch Administration...
Page 36: Configuring Https Access To The Bbi
<name> Email (eg, email address) []: <email address> Confirm generating certificate? [y/n]: y Generating certificate. Please wait (approx 30 seconds) restarting SSL agent 4. Save the HTTPS certificate. The certificate is valid only until the switch is rebooted. To save the certificate so that it is retained beyond reboot or power cycles, use the following command: NE2552E(config)# access https save-certificate When a client (such as a web browser) connects to the switch, the client is asked to accept the certificate and verify that the fields match what is expected. Once BBI access is granted to the client, the BBI can be used as described in the Lenovo ENOS BBI Quick Guide. NE2552E Application Guide for ENOS 8.4...
Page 37: Bbi Summary
BBI Summary The BBI is organized at a high level as follows: Context buttons—These buttons allow you to select the type of action you wish to perform. The Configuration button provides access to the configuration elements for the entire switch. The Statistics button provides access to the switch statistics and state information. The Dashboard button allows you to display the settings and operating status of a variety of switch features. Navigation Window—This window provides a menu list of switch features and functions:  System—this folder provides access to the configuration elements for the entire switch.  Switch Ports—Configure each of the physical ports on the switch. Port‐Based Port Mirroring—Configure port mirroring behavior.   Layer 2—Configure Layer 2 features for the switch.  RMON Menu—Configure Remote Monitoring features for the switch.  Layer 3—Configure Layer 3 features for the switch.  QoS—Configure Quality of Service features for the switch. Access Control—Configure Access Control Lists to filter IP packets.  © Copyright Lenovo 2018 Chapter 1: Switch Administration...
Page 38: Using Simple Network Management Protocol
Using Simple Network Management Protocol Lenovo ENOS provides Simple Network Management Protocol (SNMP) version 1, version 2, and version 3 support for access through any network management software, such as IBM Director. Note: SNMP is disabled by default. However, if community strings are already configured on the switch, any software update will leave SNMP enabled. To access the SNMP agent on the NE2552E, the read and write community strings on the SNMP manager must be configured to match those on the switch. The read and write community strings on the switch can be changed using the following commands: NE2552E(config)# snmp-server read-community <1‐32 characters> NE2552E(config)# snmp-server write-community <1‐32 characters> The SNMP manager can reach any of the IP interfaces on the switch. For the SNMP manager to receive the SNMPv1 traps sent out by the SNMP agent on the switch, configure the trap host on the switch with the following commands: NE2552E(config)# snmp-server trap-source <trap source IP interface> NE2552E(config)# snmp-server host <IPv4 address> <trap host community string> For more information on SNMP usage and configuration, see “Simple Network Management Protocol” on page 477. NE2552E Application Guide for ENOS 8.4...
Page 39: Bootp/Dhcp Client Ip Address Services
Unicast MAC layer message to the BOOTP/DHCP servers configured for the client’s VLAN, or to the global BOOTP/DHCP servers if no domain‐specific BOOTP/DHCP servers are configured for the client’s VLAN. The servers respond to the switch with a Unicast reply that contains the IPv4 default gateway and the IPv4 address for the client. The switch then forwards this reply back to the client. DHCP is described in RFC 2131, and the DHCP relay agent supported on the NE2552E is described in RFC 1542. DHCP uses UDP as its transport protocol. The client sends messages to the server on port 67 and the server sends messages to the client on port 68. BOOTP and DHCP relay are collectively configured using the BOOTP commands and menus on the NE2552E. Host Name Configuration The NE2552E supports DHCP host name configuration as described in RFC 2132, option 12. DHCP host name configuration is enabled by default. Host name can be manually configured using the following command: NE2552E(config)# hostname <name> If the host name is manually configured, the switch does not replace it with the host name received from the DHCP server. After the host name is configured on the switch, if DHCP or DHCP host name configuration is disabled, the switch retains the host name. The switch prompt displays the host name. Host name configuration can be enabled/disabled using the following command: NE2552E(config)# [no] system dhcp hostname © Copyright Lenovo 2018 Chapter 1: Switch Administration...
Page 40: Syslog Server
SYSLOG Server During switch startup, if the switch fails to get the configuration file, a message can be recorded in the SYSLOG server. The NE2552E supports requesting of a SYSLOG server IP address from the DHCP server as described in RFC 2132, option 7. DHCP SYSLOG server request option is enabled by default. Manually configured SYSLOG server takes priority over DHCP SYSLOG server. Up to two SYSLOG server addresses received from the DHCP server can be used. The SYSLOG server can be learnt over a management port or a data port. Use the show logging command to view the SYSLOG server address. DHCP SYSLOG server address option can be enabled/disabled using the following command: NE2552E(config)# [no] system dhcp syslog DHCP Snooping DHCP snooping provides security by filtering untrusted DHCP packets and by building and maintaining a DHCP snooping binding table. An untrusted interface is a port that is configured to receive packets from outside the network or firewall. A trusted interface receives packets only from within the network. By default, all DHCP ports are untrusted. The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and port number that correspond to the local untrusted interface on the switch; it does not contain information regarding hosts interconnected with a trusted interface. By default, DHCP snooping is disabled on all VLANs. You can enable DHCP snooping on one or more VLANs. You must enable DHCP snooping globally. To enable this feature, enter the following commands: NE2552E(config)# ip dhcp snooping vlan <vlan number(s)> NE2552E(config)# ip dhcp snooping Note: When you make a DHCP release from a client, the switch does not forward ...
Page 41: Easy Connect Wizard
Current configuration will be overwritten with auto configuration settings. The wizard can be canceled anytime by pressing Ctrl+C. Select which of the following features you want enabled: #Configure Basic system (yes/no)? #Configure Transparent mode (yes/no)? © Copyright Lenovo 2018 Chapter 1: Switch Administration...
Page 42: Basic System Mode Configuration Example
Basic System Mode Configuration Example This example shows the parameters available for configuration in Basic System mode: NE2552E# easyconnect Auto configures the switch into a set configuration based on the input provided. Current configuration will be overwritten with auto configuration settings. The wizard can be canceled anytime by pressing Ctrl+C. Select which of the following features you want enabled: Configure Transparent mode (yes/no)? n Configure Switch Redundant mode (yes/no)? n...
Page 43: Transparent Mode Configuration Example
Configure Basic system (yes/no)? n Pending switch configuration: Uplink Ports: EXT1-EXT10,EXT11/1-EXT12/1,EXT12/2 Server Ports: INTA1-INTB14 Confirm erasing current config to re-configure Easy Connect (yes/no)? Notes:  If your selection for a port group contains ports of different mode or speed, the selection is not valid and you are guided to either select other ports or change the speed of the ports.  If your selection for an uplink port group contains ports of different mode or speed, the selection is not valid and you are guided to select other ports. Server ports can have ports of different mode or speed selected at the same time. You can either accept the static defaults or enter a different port list for uplink  and/or server ports. © Copyright Lenovo 2018 Chapter 1: Switch Administration...
Page 44: Redundant Mode Configuration Example
Redundant Mode Configuration Example This example shows the parameters available for configuration in Redundant mode: NE2552E# # easyconnect Auto configures the switch into a set configuration based on the input provided. Current configuration will be overwritten with auto configuration settings. The wizard can be canceled anytime by pressing Ctrl+C. Select which of the following features you want enabled: Configure Transparent mode (yes/no)? n Configure Switch Redundant mode (yes/no)? y...
Page 45 Notes:  If your selection for a port group contains ports of different speed, the selection is not valid, and you are guided to either select other ports or change the speed of the ports.  All external unused ports are configured in an uplink portchanels and all internal ports are configured in vLAG portchannels.  You can either accept the static defaults or enter a different port list for ISL, uplink, and/or downlink ports. © Copyright Lenovo 2018 Chapter 1: Switch Administration...
Page 46: Switch Login Levels
Switch Login Levels To enable better switch management and user accountability, three levels or classes of user access have been implemented on the NE2552E. Levels of access to CLI, Web management functions, and screens increase as needed to perform various switch management tasks. Conceptually, access classes are defined as follows:  User interaction with the switch is completely passive—nothing can be changed on the NE2552E. Users may display information that has no security or privacy implications, such as switch statistics and current operational state information.  Operators can only effect temporary changes on the NE2552E. These changes will be lost when the switch is rebooted/reset. Operators have access to the switch management features used for daily switch operations. Because any changes an operator makes are undone by a reset of the switch, operators cannot severely impact switch operation.  Administrators are the only ones that may make permanent changes to the switch configuration—changes that are persistent across a reboot/reset of the switch. Administrators can access switch functions to configure and troubleshoot problems on the NE2552E. Because administrators can also make temporary (operator‐level) changes as well, they must be aware of the interactions between temporary and permanent changes. Access to switch functions is controlled through the use of unique user names and passwords. Once you are connected to the switch via console, remote Telnet, or SSH, you are prompted to enter a password. The default user names/password for each access level are listed in the following table. Note: It is recommended that you change default switch passwords after initial configuration and as regularly as required under your network security policies. For more information, see “Changing the Switch Passwords” on page Table 3. User Access Levels ‐ Default Settings User Password Description and Tasks Performed Status Account user...
Page 47 Note: Access to each user level (except admin account) can be disabled by setting the password to an empty value. To disable admin account, use the command: NE2552E(config)# no access user administrator-enable. Admin account can be disabled only if there is at least one user account enabled and configured with administrator privilege. © Copyright Lenovo 2018 Chapter 1: Switch Administration...
Page 48: Administrator Password Recovery
Administrator Password Recovery Follow these steps to reset the password of the admin user to the default value: Note: Password recovery process involves reloading the switch. Make sure to save any recent switch configuration changes before performing these steps. 1. Connect to the switch using the console port. 2. Reload the switch. 3. When the system displays Memory Test, press <Shift + B>. The Boot Management menu displays: **** System Reset from boot iscli **** Disable the Transceivers ... Unmount the File System ... Unmounting filesystem Wait for umount to finish.Done Waiting for I2C Transactions to Finish ... U-Boot 2009.06 (Aug 21 2015 - 12:35:27) MPC83XX Reset Status: CPU: e300c4, MPC8378A, Rev: 2.1 at 792 MHz, CSB: 396 MHz...
Page 49 Switch is currently set to use factory default config block on next boot. Do you want to change that to the active config block (y/n) ? y Next boot will use active config block. 9. Make sure the boot configuration‐block is active. If it is not active, change the boot configuration‐block with the following command: NE2552E(config)# boot configuration-block active © Copyright Lenovo 2018 Chapter 1: Switch Administration...
Page 50: Secure Ftp
Secure FTP Lenovo ENOS supports Secure FTP (SFTP) to the switch. SFTP uses Secure Shell (SSH) to transfer files. SFTP encrypts both commands and data, and prevents passwords and sensitive information from being transmitted openly over the network. All file transfer commands include SFTP support along with FTP and TFTP support. SFTP is available through the menu‐based CLI, ISCLI, BBI, and SNMP. The following examples illustrate SFTP support for ISCLI commands: NE2552E# copy sftp {image1|image2|boot-image} [mgt-port|data-port] (Copy software image from SFTP server to the switch) NE2552E# copy sftp {ca-cert|host-cert|host-key} [mgt-port|data-port] (Copy HTTPS certificate or host key from SFTP server to the switch) NE2552E Application Guide for ENOS 8.4...
Page 51: Boot Strict Mode
When in boot strict mode, the switch uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) 1.2 protocols to ensure confidentiality of the data to and from the switch. By default, HTTP, Telnet, and SNMPv1 and SNMPv2 are disabled on the NE2552E. Before enabling strict mode, ensure the following:  The software version on all connected switches is Lenovo ENOS 8.4.  NIST Strict compliance is enabled on the Chassis Management Module.  The supported protocol versions and cryptographic cipher suites between clients and servers are compatible. For example: if using SSH to connect to the switch, ensure that the SSH client supports SSHv2 and a strong cipher suite that is compliant with the NIST standard. Compliant Web server certificate is installed on the switch, if using BBI.   A new self‐signed certificate is generated for the switch (NE2552E(config)# access https generate-certificate). The new certificate is generated using 2048‐bit RSA key and SHA‐256 digest.  Protocols that are not NIST SP 800‐131A compliant must be disabled or not used.  Only SSHv2 or higher is used. The current configuration, if any, must be saved in a location external to the  switch. When the switch reboots, both the startup and running configuration are lost. © Copyright Lenovo 2018 Chapter 1: Switch Administration...
Page 52  Only protocols/algorithms compliant with NIST SP 800‐131A specification are used/enabled on the switch. Please see the NIST SP 800‐131A publication for details. The following table lists the acceptable protocols and algorithms: Table 4. Acceptable Protocols and Algorithms Protocol/Function Strict Mode Algorithm Compatibility Mode Algorithm BGP does not comply with NIST SP Acceptable 800-131A specification. When in strict mode, BGP is disabled. However, it can be enabled, if required. Certificate RSA-2048 RSA 2048 Generation SHA-256...
Page 53 ARCFOUR HMAC-SHA1 HMAC-SHA1 HMAC-SHA1-96 HMAC-SHA1-96 HMAC-MD5 HMAC-MD5-96 TACACS+ TACACS+ does not comply with NIST Acceptable SP 800-131A specification. When in strict mode, TACACS+ is disabled. However, it can be enabled, if required. © Copyright Lenovo 2018 Chapter 1: Switch Administration...
Page 54: Acceptable Cipher Suites
Acceptable Cipher Suites The following cipher suites are acceptable (listed in the order of preference) when the NE2552E Flex Switch is in compatibility mode: Table 5. List of Acceptable Cipher Suites in Compatibility Mode Cipher ID Key Authenticati Encryption Cipher Name Exchan 0xC027 ECDHE AES_128_CBC SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA2 0xC013 ECDHE AES_128_CBC SHA1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC012 ECDHE 3DES SHA1 SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0xC011 ECDHE SHA1 SSL_ECDHE_RSA_WITH_RC4_128_SHA 0x002F AES_128_CBC SHA1 TLS_RSA_WITH_AES_128_CBC_SHA 0x003C AES_128_CBC SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 0x0005...
Page 55: Configuring Strict Mode
For SNMPv3 default users, see “SNMP Version 3” on page 479. When strict mode is disabled, the following message is displayed: Warning, disabling security strict mode. The mode change will take effect after reloading the switch. You must reboot the switch for the boot strict mode enable/disable to take effect. Limitations In Lenovo ENOS 8.4, consider the following limitation/restrictions if you need to operate the switch in boot strict mode:  Power ITEs and High‐Availability features do not comply with NIST SP 800‐131A specification.  The NE2552E will not discover Platform agents/Common agents that are not in strict mode. Web browsers that do not use TLS 1.2 cannot be used.   Limited functions of the switch managing Windows will be available. © Copyright Lenovo 2018 Chapter 1: Switch Administration...
Page 56: Configuring No-Prompt Mode
Configuring No-Prompt Mode If you expect to administer the switch using SNSC or another browser‐based interface, you need to turn off confirmation prompts. When CLI confirmation prompts are disabled, the switch will choose the default answer. To accomplish this, use one of the following commands: NE2552E(config)# [no] prompting Note: This command will disable CLI confirmation prompts for current and future sessions. NE2552E(config)# [no] terminal dont-ask Note: This command will disable CLI confirmation prompts for the current session only. It also takes precedence over the prompting command ‐ any settings configured through the prompting command will be disregarded for the duration of the current session. For more details, see the Lenovo ThinkSystem NE2552E Flex Switch Command Reference for Lenovo ENOS 8.4. NE2552E Application Guide for ENOS 8.4...
Page 57: Chapter 2. Initial Setup
Chapter 2. Initial Setup To help with the initial process of configuring your switch, the Lenovo ENOS software includes a Setup utility. The Setup utility prompts you step‐by‐step to enter all the necessary information for basic configuration of the switch. Setup can be activated manually from the command line interface any time after login: NE2552E(config)# setup © Copyright Lenovo 2018...
Page 58: Information Needed For Setup
Information Needed for Setup Setup requests the following information:  Basic system information Date & time  Whether to use Spanning Tree Group or not   Optional configuration for each port Speed, duplex, flow control, and negotiation mode (as appropriate)  Whether to use VLAN tagging or not (as appropriate)  Optional configuration for each VLAN  Name of VLAN  Which ports are included in the VLAN   Optional configuration of IP parameters IP address/mask and VLAN for each IP interface  IP addresses for default gateway  Whether IP forwarding is enabled or not  NE2552E Application Guide for ENOS 8.4...
Page 59: Default Setup Options
Enter login username: Enter login password: 2. Enter USERID as the default administrator and PASSW0RD (with a zero) as the default password. 3. Enter the following command at the prompt: NE2552E(config)# setup Stopping Setup To abort the Setup utility, press <Ctrl+C> during any Setup question. When you abort Setup, the system will prompt: Would you like to run from top again? [y/n] Enter n to abort Setup, or y to restart the Setup program at the beginning. Restarting Setup You can restart the Setup utility manually at any time by entering the following command at the administrator prompt: NE2552E(config)# setup © Copyright Lenovo 2018 Chapter 2: Initial Setup...
Page 60: Setup Part 1: Basic System Configuration
Setup Part 1: Basic System Configuration When Setup is started, the system prompts: "Set Up" will walk you through the configuration of System Date and Time, Spanning Tree, Port Speed/Mode, VLANs, and IP interfaces. [type Ctrl-C to abort "Set Up"] Next, the Setup utility prompts you to input basic system information. 1. Enter the year of the current date at the prompt: System Date: Enter year [2012]: Enter the four‐digits that represent the year. To keep the current year, press ...
Page 61 Enter the seconds as a number from 00 to 59. To keep the current second, press <Enter>. The system then displays the date and time settings: System clock set to 8:55:36 Wed Jan 28, 2012. 7. Turn Spanning Tree Protocol on or off at the prompt: Spanning Tree: Current Spanning Tree Group 1 setting: ON Turn Spanning Tree Group 1 OFF? [y/n] Enter y to turn off Spanning Tree, or enter n to leave Spanning Tree on. © Copyright Lenovo 2018 Chapter 2: Initial Setup...
Page 62: Setup Part 2: Port Configuration
Setup Part 2: Port Configuration Note: When configuring port options for your switch, some prompts and options may be different. 1. Select whether you will configure VLANs and VLAN tagging for ports: Port Config: Will you configure VLANs and Tagging/Trunk-mode for ports? [y/n] If you wish to change settings for VLANs, enter y or enter n to skip VLAN configuration. Note: The sample screens that appear in this document might differ slightly from the screens displayed by your system. Screen content varies based on the type of chassis unit that you are using and the firmware versions and options that are installed. 2. Select the port to configure, or skip port configuration at the prompt: If you wish to change settings for individual ports, enter the number of the port you wish to configure. To skip port configuration, press <Enter> without specifying any port and go to “Setup Part 3: VLANs” on page 64. 3. Configure port flow parameters. The system prompts: Gig Link Configuration: Port Flow Control: Current Port EXT1 flow control setting: both...
Page 63 If you have selected to configure VLANs back in Part 1, the system prompts: Port Tagging/Trunk-mode config (Tagged/Trunk-mode port can be a member of multiple VLANs): Current Tagging/Trunk-mode support: disabled Enter new Tagging/Trunk-mode support [d/e]: Enter d to disable VLAN tagging for the port or enter e to enable VLAN tagging for the port. To keep the current setting, press <Enter>. 6. The system prompts you to configure the next port: Enter port (INTA1-INTB14, EXT1-EXT12/4): When you are through configuring ports, press <Enter> without specifying any port. Otherwise, repeat the steps in this section. © Copyright Lenovo 2018 Chapter 2: Initial Setup...
Page 64: Setup Part 3: Vlans
Setup Part 3: VLANs If you chose to skip VLANs configuration back in Part 2, skip to “Setup Part 4: IP Configuration” on page 1. Select the VLAN to configure, or skip VLAN configuration at the prompt: VLAN Config: Enter VLAN number from 2 to 4094, NULL at end: If you wish to change settings for individual VLANs, enter the number of the VLAN you wish to configure. To skip VLAN configuration, press <Enter> without typing a VLAN number and go to “Setup Part 4: IP Configuration” on page 2. Enter the new VLAN name at the prompt: Current VLAN name: VLAN 2 Enter new VLAN name: Entering a new VLAN name is optional. To use the pending new VLAN name, press <Enter>. 3. Enter the VLAN port numbers: Define Ports in VLAN: Current VLAN 2: empty Enter ports one per line, NULL at end:...
Page 65: Setup Part 4: Ip Configuration
2. For the specified IP interface, enter the IP address in IPv4 dotted decimal notation: Current IP address: 0.0.0.0 Enter new IP address: To keep the current setting, press <Enter>. 3. At the prompt, enter the IPv4 subnet mask in dotted decimal notation: Current subnet mask: 0.0.0.0 Enter new subnet mask: To keep the current setting, press <Enter>. 4. If configuring VLANs, specify a VLAN for the interface. This prompt appears if you selected to configure VLANs back in Part 1: Current VLAN: Enter new VLAN [2-4094]: Enter the number for the VLAN to which the interface belongs, or press <Enter> without specifying a VLAN number to accept the current setting. © Copyright Lenovo 2018 Chapter 2: Initial Setup...
Page 66: Default Gateways
5. At the prompt, enter y to enable the IP interface or n to leave it disabled: Enable IP interface? [y/n] 6. The system prompts you to configure another interface: Enter interface number: (1-125, 127) Repeat the steps in this section until all IP interfaces have been configured. When all interfaces have been configured, press <Enter> without specifying any interface number. Default Gateways 1. At the prompt, select an IP default gateway for configuration or skip default gateway configuration: IP default gateways: Enter default IPv4 gateway number: (1-2, 3, 4) Enter the number for the IP default gateway to be configured. To skip default gateway configuration, press <Enter> without typing a gateway number and go to “IP Routing” on page 2. At the prompt, enter the IPv4 address for the selected default gateway: Current IP address: 0.0.0.0 Enter new IP address: Enter the IPv4 address in dotted decimal notation, or press <Enter> without ...
Page 67: Ip Routing
IP Routing When IP interfaces are configured for the various IP subnets attached to your switch, IP routing between them can be performed entirely within the switch. This eliminates the need to send inter‐subnet communication to an external router device. Routing on more complex networks, where subnets may not have a direct presence on the NE2552E, can be accomplished through configuring static routes or by letting the switch learn routes dynamically. This part of the Setup program prompts you to configure the various routing parameters. At the prompt, enable or disable forwarding for IP Routing: Enable IP forwarding? [y/n] Enter y to enable IP forwarding. To disable IP forwarding, enter n. To keep the current setting, press <Enter>. © Copyright Lenovo 2018 Chapter 2: Initial Setup...
Page 68: Setup Part 5: Final Steps
Setup Part 5: Final Steps 1. When prompted, decide whether to restart Setup or continue: Would you like to run from top again? [y/n] Enter y to restart the Setup utility from the beginning or n to continue. 2. When prompted, decide whether you wish to review the configuration changes: Review the changes made? [y/n] Enter y to review the changes made during this session of the Setup utility. Enter n to continue without reviewing the changes. We recommend that you review the changes. 3. Next, decide whether to apply the changes at the prompt: Apply the changes? [y/n] Enter y to apply the changes or n to continue without applying. Changes are normally applied. 4. At the prompt, decide whether to make the changes permanent: Save changes to flash? [y/n] Enter y to save the changes to flash. Enter n to continue without saving the ...
Page 69: Optional Setup For Telnet Support
Optional Setup for Telnet Support Note: This step is optional. Perform this procedure only if you are planning on connecting to the NE2552E through a remote Telnet connection. 1. Telnet is disabled by default. To change the setting, use the following command: NE2552E(config)# access telnet enable © Copyright Lenovo 2018 Chapter 2: Initial Setup...
Page 70 NE2552E Application Guide for ENOS 8.4...
Page 71: Chapter 3. Switch Software Management
CAUTION: Although the typical upgrade process is all that is necessary in most cases, upgrading from (or reverting to) some versions of Lenovo Enterprise Network Operating System requires special steps prior to or after the software installation process. Please be sure to follow all applicable instructions in the release notes document for the specific software release to ensure that your switch continues to operate as expected after installing new software.
Page 72: Loading New Software To Your Switch
Loading New Software to Your Switch The NE2552E can store up to two different switch software images (called image1 and image2) as well as special boot software (called boot). When you load new software, you must specify where it is placed: either into image1, image2 or boot. For example, if your active image is currently loaded into image1, you would probably load the new image software into image2. This lets you test the new software and reload the original active image (stored in image1), if needed. CAUTION: When you upgrade the switch software image, always load the new boot image and the new software image before you reset the switch. If you do not load a new boot image, your switch might not boot properly (To recover, see “Recover from a Failed Image Upgrade using TFTP” on page 78 or “Recovering from a Failed Image Upgrade using XModem Download” on page 81). To load a new software image to your switch, you will need the following:  The image and boot software loaded on an FTP, SFTP or TFTP server on your net‐ work. Note: Be sure to download both the new boot file and the new image file. The hostname or IP address of the FTP, SFTP or TFTP server  Note: The DNS parameters must be configured if specifying hostnames.  The name of the new software image or boot file When the software requirements are met, use one of the following procedures to download the new software to your switch. You can use the ISCLI or the BBI to download and activate new software. Loading Software via the ISCLI 1.
Page 73 6. The switch will prompt you to confirm your request. Once confirmed, the software will begin loading into the switch. 7. When loading is complete, use the following commands to enter Global Configuration mode to select which software image (image1 or image2) you want to run in switch memory for the next reboot: Router# configure terminal Router(config)# boot image {image1|image2} The system will then verify which image is set to be loaded at the next reset: Next boot will use switch software image1 instead of image2. 8. Reboot the switch to run the new software: Router(config)# reload The system prompts you to confirm your request. Once confirmed, the switch will reboot to use the new software. © Copyright Lenovo 2018 Chapter 3: Switch Software Management...
Page 74: Loading Software Via Bbi
Loading Software via BBI You can use the Browser‐Based Interface to load software onto the NE2552E. The software image to load can reside in one of the following locations: FTP server   TFTP server SFTP server   Local computer After you log onto the BBI, perform the following steps to load a software image: 1. Click the Configure context tab in the toolbar. 2. In the Navigation Window, select System > Config/Image Control. The Switch Image and Configuration Management page appears. 3. If you are loading software from your computer (HTTP client), skip this step and go to the next. Otherwise, if you are loading software from an FTP, SFTP, or TFTP server, enter the server’s information in the FTP, SFTP, or TFTP Settings section. 4. In the Image Settings section, select the image version you want to replace (Image for Transfer).  If you are loading software from an FTP, SFTP, or TFTP server, enter the file name and click Get Image. If you are loading software from your computer, click Browse.  In the File Upload Dialog, select the file and click OK. Then click Download via  Browser. Once the image has loaded, the page refreshes to show the new software. NE2552E Application Guide for ENOS 8.4...
Page 75: Updating Software On Vlag Switches
 After Switch 1 comes up, vLAG HC will be up and vLAG mismatch will happen with vLAG ports down (since it is still Secondary).  The traffic will still be forwarding via Switch 2 (the original Primary switch). 3. On Switch 2 (the original Primary switch), shut down all links ISL, vLAG links, and vLAG HC. This is equivalent to powering off Switch 1 (the original Primary switch)  All the traffic will failover to Switch 1, which will assume the vLAG operation role of Primary.  After all the links are up on Switch 1, there will be N‐S traffic loss of around ~70 seconds due to spanning trees reconverging. 4. Upgrade Switch 2 (the original Primary switch with the new ENOS image. Use FTP, STFP, or TFTP to copy the new ENOS and boot images onto the switch. For more details, see “Loading New Software to Your Switch” on page  After Switch 2 comes up, vLAG HC, ISL, and vLAG links will be up, and Switch 1 will assume the vLAG operation role of Secondary. All the traffic will now follow the hash and load balance settings between Switch  1 and Switch 1. There will be N‐S traffic loss of around ~0.05 seconds.  5. Change the operational role of the vLAG switches to match the final topology by reloading Switch 1. There will be N‐S traffic loss of around ~0.102 seconds.  © Copyright Lenovo 2018 Chapter 3: Switch Software Management...
Page 76  Switch 2 will reassume the vLAG Primary role and Switch 1 will reassume the vLAG Secondary role. 6. Make sure that Switch 2 is now the vLAG primary switch and Switch 1 is now the vLAG secondary switch using the following command: NE2552E> show vlag information NE2552E Application Guide for ENOS 8.4...
Page 77: The Boot Management Menu
R - Boot in recovery mode (tftp and xmodem download of images to recover switch) Q - Reboot E - Exit Please choose your menu option: The Boot Management menu allows you to perform the following actions: The Boot Management menu allows you to perform the following actions:  To change the booting image, press I and follow the screen prompts.  To change the configuration block, press C and follow the screen prompts.  To boot in recovery mode press R. For more details see “Boot Recovery Mode” on page  To restart the boot process from the beginning, press Q. To exit the Boot Management menu, press E. The booting process continues.  © Copyright Lenovo 2018 Chapter 3: Switch Software Management...
Page 78: Boot Recovery Mode
Boot Recovery Mode The Boot Recovery Mode allows you to recover from a failed software or boot image upgrade using TFTP or XModem download. To enter Boot Recovery Mode you must select “Boot in recovery mode” option from the Boot Management Menu by pressing R. Entering Rescue Mode. Please select one of the following options: T) Configure networking and tftp download an image X) Use xmodem 1K to serial download an image P) Physical presence test (low security mode) F) Filesystem Menu I) Select which image to boot C) Select configuration block to use...
Page 79 7. Enter the network mask of the management port: Netmask : 8. Enter the gateway of the management port: Gateway : 9. Enter the IP address of the TFTP server: Server addr: 10.Enter the filename of the image: Image Filename: 11. If the file is a software image, enter an image number: Install image as image 1 or 2 (hit return to just boot image): After the procedure is complete, the Recovery Mode menu will be re‐displayed. © Copyright Lenovo 2018 Chapter 3: Switch Software Management...
Page 80 Below is an example of a successful recovery procedure using TFTP: Entering Rescue Mode. Please select one of the following options: T) Configure networking and tftp download an image X) Use xmodem 1K to serial download an image P) Physical presence test (low security mode) F) Filesystem Menu I) Select which image to boot C) Select configuration block to use R) Reboot E) Exit...
Page 81: Recovering From A Failed Image Upgrade Using Xmodem Download
8. Select the image to download. Xmodem initiates the file transfer. When download is complete, you are asked to change the Serial Port speed back to 9600 bps: Change the baud rate back to 9600 bps, hit the <ENTER> key 9. Press <Enter> to start installing the image. If the file is a software image, enter the image number: Install image as image 1 or 2 (hit return to just boot image): © Copyright Lenovo 2018 Chapter 3: Switch Software Management...
Page 82: Physical Presence
The image install will begin. After the procedure is complete, the Recovery Mode menu will be re‐displayed. Extracting images ... Do *NOT* power cycle the switch. Installing Root Filesystem: Image signature verified. 100% Installing Kernel: Image signature verified. 100% Installing Device Tree: Image signature verified. 100% Installing Boot Loader: 100% Updating install log. File image installed from xmodem at 18:06:02 on 13-3-2015 Please select one of the following options: T) Configure networking and tftp download an image...
Page 83 Hit a key to start the test. The blue location LED will blink a number of times.... How many times did the LED blink? 8. After entering the correct number, the Recovery Mode menu will re‐appear. To install an unofficial image use one of the following procedures:  TFTP (for details, see page  XModem Download (for details, see page Note: You have three attempts to successfully complete the security test. After three incorrect attempts, the switch will reboot. Note: After the test is completed, the switch will be put in low security mode. This mode will allow you to install unofficial images on the switch. To revert to normal security mode, you must reboot the switch or press P again in the Recovery Mode menu. © Copyright Lenovo 2018 Chapter 3: Switch Software Management...
Page 84: Filesystem Menu
Filesystem Menu The switch’s file system controls how data is stored and retrieved. To access the Filesystem menu enter the Boot Recovery menu and select option F. Please select one of the following options: F) Run filesystem check W) Wipe filesystem E) Exit Option? : The Filesystem menu allows you to perform the following actions:  To run a file system check, enter F. If there any errors detected, the switch repairs them automatically.  To delete all firmware images and configuration files from the switch, enter W. You are asked for confirmation. Enter y to confirm or n to cancel. To return to the Boot Management menu, enter E.  NE2552E Application Guide for ENOS 8.4...
Page 86 NE2552E Application Guide for ENOS 8.4...
Page 87: Chapter 4. Securing Administration
Chapter 4. Securing Administration This chapter discusses different methods of securing local and remote administration on the NE2552E Flex Switch (NE2552E):  “Changing the Switch Passwords” on page 88  “Secure Shell and Secure Copy” on page 89  “End User Access Control” on page 94  “Protected Mode” on page 97  “Maintenance Mode” on page 98 © Copyright Lenovo 2018...
Page 88: Changing The Switch Passwords
Changing the Switch Passwords It is recommended that you change the administrator and user passwords after initial configuration and as regularly as required under your network security policies. To change the administrator password, you must login using the administrator password. Note: If you download user and password information to a switch running a version of ENOS earlier than 8.4, or if you revert the switch to a version of ENOS earlier than 8.4, your passwords will not be transferred because the encryption algorithm changed. Changing the Default Administrator Password The administrator has complete access to all menus, information, and configuration commands, including the ability to change both the user and administrator passwords. The default administrator account is USERID. The default password for the administrator account is PASSW0RD (with a zero). To change the administrator password, use the following procedure: 1. Connect to the switch and log in as the administrator. 2. Use the following command to change the administrator password: NE2552E(config)# access user administrator-password <password> Changing the Default User Password The user login has limited control of the switch. Through a user account, you can view switch information and statistics, but you can’t make configuration changes.
Page 89: Secure Shell And Secure Copy
 Determining the permitted actions and customizing service for individual administrators  Encryption of management messages Encrypting messages between the remote administrator and switch   Secure copy support The Lenovo ENOS implementation of SSH supports both versions 1.5 and 2.0 and supports SSH clients version 1.5 ‐ 2.x. The following SSH clients have been tested:  SSH 1.2.23 and SSH 1.2.27 for Linux (freeware)  SecureCRT 3.0.2 and SecureCRT 3.0.3 for Windows NT (Van Dyke Technologies, Inc.)  F‐Secure SSH 1.1 for Windows (Data Fellows)  Putty SSH  Cygwin OpenSSH  Mac X OpenSSH  Solaris 8 OpenSSH  AxeSSH SSHPro  SSH Communications Vandyke SSH A  F‐Secure © Copyright Lenovo 2018 Chapter 4: Securing Administration...
Page 90: Configuring Ssh/Scp Features On The Switch
Configuring SSH/SCP Features on the Switch SSH is enabled, while SCP is disabled by default. To change the setting, using the following procedures. Note: To use SCP, you must first enable SSH. To Enable or Disable the SSH Feature Begin a Telnet session from the console port and enter the following commands: NE2552E(config)# ssh enable (Turn SSH on) NE2552E(config)# no ssh enable (Turn SSH off) To Enable or Disable SCP Enter the following command to enable or disable SCP: NE2552E(config)# [no] ssh scp-enable Configuring the SCP Administrator Password To configure the SCP‐only administrator password, enter the following command ...
Page 91: To Copy The Switch Configuration File To The Scp Host
>> scp [-4|-6] <local filename> <username>@<switch IP address>:putcfg_apply >> scp [-4|-6] <local filename> <username>@<switch IP address>:putcfg_apply_save Example: >> scp ad4.cfg scpadmin@205.178.15.157:putcfg_apply >> scp ad4.cfg scpadmin@205.178.15.157:putcfg_apply_save The CLI diff command is automatically executed at the end of putcfg to  notify the remote client of the difference between the new and the current configurations. putcfg_apply runs the apply command after the putcfg is done.  putcfg_apply_save saves the new configuration to the flash after  putcfg_apply is done.  The putcfg_apply and putcfg_apply_save commands are provided because extra apply and save commands are usually required after a putcfg; however, an SCP session is not in an interactive mode. © Copyright Lenovo 2018 Chapter 4: Securing Administration...
Page 92: To Copy The Switch Image And Boot Files To The Scp Host
To Copy the Switch Image and Boot Files to the SCP Host Syntax: >> scp [-4|-6] <username>@<switch IP address>:getimg1 <local filename> >> scp [-4|-6] <username>@<switch IP address>:getimg2 <local filename> >> scp [-4|-6] <username>@<switch IP address>:getboot <local filename> Example: >> scp scpadmin@205.178.15.157:getimg1 6.1.0_os.img To Load Switch Configuration Files from the SCP Host Syntax: >>...
Page 93: Ssh And Scp Encryption Of Management Messages
When the switch reboots, it will retrieve the host key from the FLASH memory. Notes:  The switch will perform only one session of key/cipher generation at a time. Thus, an SSH/SCP client will not be able to log in if the switch is performing key generation at that time. Also, key generation will fail if an SSH/SCP client is logging in at that time. Because the switch software only generates RSA keys, if there is already a  DSA‐based SSH key on the switch, this key will remain on the switch and not be replaced until you run the ssh generate-host key command to generate an RSA key. SSH/SCP Integration with RADIUS Authentication SSH/SCP is integrated with RADIUS authentication. After the RADIUS server is enabled on the switch, all subsequent SSH authentication requests will be redirected to the specified RADIUS servers for authentication. The redirection is transparent to the SSH clients. SSH/SCP Integration with TACACS+ Authentication SSH/SCP is integrated with TACACS+ authentication. After the TACACS+ server is enabled on the switch, all subsequent SSH authentication requests will be redirected to the specified TACACS+ servers for authentication. The redirection is transparent to the SSH clients. © Copyright Lenovo 2018 Chapter 4: Securing Administration...
Page 94: End User Access Control
End User Access Control Lenovo ENOS allows an administrator to define end user accounts that permit end users to perform operation tasks via the switch CLI commands. Once end user accounts are configured and enabled, the switch requires username/password authentication. For example, an administrator can assign a user, who can then log into the switch and perform operational commands (effective only until the next switch reboot). Considerations for Configuring End User Accounts A maximum of 20 user IDs are supported on the switch.   Lenovo ENOS supports end user support for Console, Telnet, BBI, and SSHv1/v2 access to the switch.  If RADIUS authentication is used, the user password on the Radius server will override the user password on the NE2552E. Also note that the password change command modifies only the user switch password on the switch and has no effect on the user password on the Radius server. Radius authentication and user password cannot be used concurrently to access the switch.  Passwords can be up to 64 characters in length for Telnet, SSH, Console, and Web access. Strong Passwords The administrator can require use of Strong Passwords for users to access the NE2552E. Strong Passwords enhance security because they make password guessing more difficult. The following rules apply when Strong Passwords are enabled: Minimum length: 8 characters; maximum length: 64 characters   Must contain at least one uppercase alphabet Must contain at least one lowercase alphabet...
Page 95: User Access Control Menu
NE2552E# show access user uid 1 Enabling or Disabling a User An end user account must be enabled before the switch recognizes and permits login under the account. Once enabled, the switch requires any user to enter both username and password. NE2552E(config)# [no] access user 1 enable Locking Accounts To protect the switch from unauthorized access, the account lockout feature can be enabled. By default, account lockout is disabled. To enable this feature, ensure the strong password feature is enabled (See “Strong Passwords” on page 94). Then use the following command: NE2552E(config)# access user strong-password lockout After multiple failed login attempts, the switch locks the user account if lockout has been enabled on the switch. © Copyright Lenovo 2018 Chapter 4: Securing Administration...
Page 96: Re-Enabling Locked Accounts
Re-enabling Locked Accounts The administrator can re‐enable a locked account by reloading the switch or by using the following command: NE2552E(config)# access user strong-password clear local user lockout username <user name> However, the above command cannot be used to re‐enable an account disabled by the administrator. To re‐enable all locked accounts, use the following command: NE2552E(config)# access user strong-password clear local user lockout all Listing Current Users The show access user command displays defined user accounts and whether or not each user is currently logged into the switch. NE2552E# show access user Usernames: user - Enabled - offline...
Page 97: Protected Mode
Protected Mode Protected Mode settings allow the switch administrator to block the management module from making configuration changes that affect switch operation. The switch retains control over those functions. The following management module functions are disabled when Protected Mode is turned on: External Ports: Enabled/Disabled   External management over all ports: Enabled/Disabled Restore Factory Defaults   New Static IP Configuration In this release, configuration of the functions listed above are restricted to the local switch when you turn Protected Mode on. In future releases, individual control over each function may be added. Note: Before you turn Protected Mode on, make sure that external management (Telnet) access to one of the switch’s IP interfaces is enabled. Use the following command to turn Protected Mode on: NE2552E(config)# protected-mode enable If you lose access to the switch through the external ports, use the console port to connect directly to the switch, and configure an IP interface with Telnet access. © Copyright Lenovo 2018 Chapter 4: Securing Administration...
Page 98: Maintenance Mode
Maintenance Mode There are times when Lenovo support needs to access your switch in maintenance mode. To enable this, enter the command: NE2552E(config)# maint-internal When prompted, enter the admin password. The Lenovo support person will then enter the maintenance mode password. This introduces a second level of administration authorization before the Lenovo support representative enters the maintenance mode password, making the switch more secure and available for enhanced debugging. NE2552E Application Guide for ENOS 8.4...
Page 99: Chapter 5. Authentication & Authorization Protocols
Chapter 5. Authentication & Authorization Protocols Secure switch management is needed for environments that perform significant management functions across the Internet. The following are some of the functions for secured IPv4 management and device access:  “RADIUS Authentication and Authorization” on page 100  “TACACS+ Authentication” on page 104  “LDAP Authentication and Authorization” on page 110 Note: Lenovo ENOS 8.4 does not support IPv6 for RADIUS, TACACS+, or LDAP. © Copyright Lenovo 2018...
Page 100: Radius Authentication And Authorization
RADIUS Authentication and Authorization Lenovo ENOS supports the RADIUS (Remote Authentication Dial‐in User Service) method to authenticate and authorize remote administrators for managing the switch. This method is based on a client/server model. The Remote Access Server (RAS)—the switch—is a client to the back‐end database server. A remote user (the remote administrator) interacts only with the RAS, not the back‐end server and database. RADIUS authentication consists of the following components:  A protocol with a frame format that utilizes UDP over IP (based on RFC 2138 and 2866)  A centralized server that stores all the user authorization information A client, in this case, the switch  The NE2552E—acting as the RADIUS client—communicates to the RADIUS server to authenticate and authorize a remote administrator using the protocol definitions specified in RFC 2138 and 2866. Transactions between the client and the RADIUS server are authenticated using a shared key that is not sent over the network. In addition, the remote administrator passwords are sent encrypted between the RADIUS client (the switch) and the back‐end RADIUS server. How RADIUS Authentication Works 1. Remote administrator connects to the switch and provides user name and password. 2. Using Authentication/Authorization protocol, the switch sends request to authentication server. 3. Authentication server checks the request against the user ID database. 4. Using RADIUS protocol, the authentication server instructs the switch to grant or deny administrative access. NE2552E Application Guide for ENOS 8.4...
Page 101: Configuring Radius On The Switch
NE2552E(config)# radius-server enable CAUTION: If you configure the RADIUS secret using any method other than through the console port, the secret may be transmitted over the network as clear text. 3. If desired, you may change the default UDP port number used to listen to RADIUS. The well‐known port for RADIUS is 1645. NE2552E(config)# radius-server port <UDP port> 4. Configure the number retry attempts for contacting the RADIUS server, and the timeout period. NE2552E(config)# radius-server retransmit 3 NE2552E(config)# radius-server timeout 5 RADIUS Authentication Features in Lenovo ENOS Lenovo ENOS supports the following RADIUS authentication features:  Supports RADIUS client on the switch, based on the protocol definitions in RFC 2138 and RFC 2866.  Allows a RADIUS secret password of up to 32 characters.  Supports secondary authentication server so that when the primary authentication server is unreachable, the switch can send client authentication requests to the secondary authentication server. Use the following command to show the ...
Page 102: Switch User Accounts
 Supports user‐configurable RADIUS server retry and time‐out values: Time‐out value = 1‐10 seconds  Retries = 1‐3  The switch will time out if it does not receive a response from the RADIUS server within 1‐10 seconds. The switch automatically retries connecting to the RADIUS server 1‐3 times before it declares the server down.  Supports user‐configurable RADIUS application port. The default is UDP port 1645. UDP port 1812, based on RFC 2138, is also supported.  Allows network administrator to define privileges for one or more specific users to access the switch at the RADIUS user database. Switch User Accounts The user accounts listed in Table 7 can be defined in the RADIUS server dictionary file. Table 7. User Access Levels User Account Description and Tasks Performed Password user User The User has no direct responsibility for switch management. He/she can view all switch status information and statistics but cannot make any configuration changes to the switch. oper Operator In addition to User capabilities, the Operator has ...
Page 103: Radius Attributes For Lenovo Enos User Privileges
RADIUS Attributes for Lenovo ENOS User Privileges When the user logs in, the switch authenticates his/her level of access by sending the RADIUS access request, that is, the client authentication request, to the RADIUS authentication server. If the remote user is successfully authenticated by the authentication server, the switch will verify the privileges of the remote user and authorize the appropriate access. The administrator has two options: to allow local access via Telnet, SSH, HTTP, or HTTPS; to allow secure local access via console, Telnet, SSH, or BBI. Secure local access provides access to the switch when the RADIUS servers cannot be reached. The default NE2552E setting for local access and secure local access is disabled. Local access is always enabled on the console port. Whether local access is enabled or not, you can always access the switch via the console port by using noradius as the RADIUS username. You can then enter the username and password configured on the switch. If you are trying to connect via SSH/Telnet/HTTP/HTTPS, there are two possibilities:  Local access is enabled: The switch acts like it is connecting via console.  Secure local access is enabled: You must enter the username: noradius. The switch checks if RADIUS server is reachable. If it is reachable, then you must authenticate via remote authentication server. Only if RADIUS server is not reachable, you will be prompted for local user/password to be authenticated against these local credentials. All user privileges, other than those assigned to the Administrator, have to be defined in the RADIUS dictionary. RADIUS attribute 6 which is built into all RADIUS servers defines the administrator. The file name of the dictionary is RADIUS vendor‐dependent. The following RADIUS attributes are defined for Lenovo ENOS user privileges levels: Table 8. Lenovo ENOS‐proprietary Attributes for RADIUS User Name/Access...
Page 104: Tacacs+ Authentication
TACACS+ Authentication Lenovo ENOS supports authentication, authorization, and accounting with networks using the Cisco Systems TACACS+ protocol. The NE2552E functions as the Network Access Server (NAS) by interacting with the remote client and initiating authentication and authorization sessions with the TACACS+ access server. The remote user is defined as someone requiring management access to the NE2552E either through a data or management port. TACACS+ offers the following advantages over RADIUS:  TACACS+ uses TCP‐based connection‐oriented transport; whereas RADIUS is UDP‐based. TCP offers a connection‐oriented transport, while UDP offers best‐effort delivery. RADIUS requires additional programmable variables such as re‐transmit attempts and time‐outs to compensate for best‐effort transport, but it lacks the level of built‐in support that a TCP transport offers.  TACACS+ offers full packet encryption whereas RADIUS offers password‐only encryption in authentication requests.  TACACS+ separates authentication, authorization and accounting. How TACACS+ Authentication Works TACACS+ works much in the same way as RADIUS authentication as described on page 100. 1. Remote administrator connects to the switch and provides user name and password. 2. Using Authentication/Authorization protocol, the switch sends request to authentication server. 3. Authentication server checks the request against the user ID database. 4. Using TACACS+ protocol, the authentication server instructs the switch to grant or deny administrative access. During a session, if additional authorization checking is needed, the switch checks with a TACACS+ server to determine if the user is granted permission to use a ...
Page 105: Tacacs+ Authentication Features In Lenovo Enos
TACACS+ Authentication Features in Lenovo ENOS Authentication is the action of determining the identity of a user, and is generally done when the user first attempts to log in to a device or gain access to its services. Lenovo ENOS supports ASCII inbound login to the device. PAP, CHAP and ARAP login methods, TACACS+ change password requests, and one‐time password authentication are not supported. Authorization Authorization is the action of determining a user’s privileges on the device, and usually takes place after authentication. The default mapping between TACACS+ authorization levels and Lenovo ENOS management access levels is shown in Table 9. The authorization levels listed in this table must be defined on the TACACS+ server. Table 9. Default TACACS+ Authorization Levels Lenovo ENOS User Access TACACS+ Level Level user oper admin (USERID) Alternate mapping between TACACS+ authorization levels and Lenovo ENOS management access levels is shown in Table 10. Use the following command to use the alternate TACACS+ authorization levels: NE2552E(config)# tacacs-server privilege-mapping Table 10.
Page 106: Local Access
Local Access The administrator has an option to allow local access via Telnet using the command: NE2552E(config)# tacacs-server backdoor The default value for Telnet access is disabled. The administrator also can enable secure local access to allow access if both the primary and the secondary TACACS+ servers fail to respond. The command for this is: NE2552E(config)# tacacs-server secure-backdoor Note: To obtain the TACACS+ local access password for your switch, contact your Service and Support line. Accounting Accounting is the action of recording a userʹs activities on the device for the purposes of billing and/or security. It follows the authentication and authorization actions. If the authentication and authorization is not performed via TACACS+, there are no TACACS+ accounting messages sent out. You can use TACACS+ to record and track software login access, configuration changes, and interactive commands. The NE2552E supports the following TACACS+ accounting attributes: protocol (console/telnet/ssh/http)   start_time  stop_time  elapsed_time  disc‐cause Note: When using the Browser‐Based Interface, the TACACS+ Accounting Stop records are sent only if the Quit button on the browser is clicked. NE2552E Application Guide for ENOS 8.4...
Page 107: Command Authorization And Logging
The following rules apply to TACACS+ command authorization and logging:  Only commands from a Console, Telnet, or SSH connection are sent for authori‐ zation and logging. SNMP, BBI, or file‐copy commands (for example, TFTP or sync) are not sent. Only leaf‐level commands are sent for authorization and logging. For example:  NE2552E(config)# is not sent, but the following command is sent: NE2552E(config)# tacacs-server command-logging  The full path of each command is sent for authorization and logging. For example: NE2552E(config)# tacacs-server command-logging  Command arguments are not sent for authorization.  Only executed commands are logged.  Invalid commands are checked by Lenovo ENOS and are not sent for authoriza‐ tion or logging. © Copyright Lenovo 2018 Chapter 5: Authentication & Authorization Protocols...
Page 108  Authorization is performed on each leaf‐level command separately. If the user issues multiple commands at once, each command is sent separately as a full path.  Only the following global commands are sent for authorization and logging: diff  ping  revert  telnet  traceroute  NE2552E Application Guide for ENOS 8.4...
Page 109: Tacacs+ Password Change
NE2552E(config)# tacacs-server retransmit 3 NE2552E(config)# tacacs-server timeout 5 5. Configure custom privilege‐level mapping (optional). NE2552E(config)# tacacs-server user-mapping 2 user NE2552E(config)# tacacs-server user-mapping 3 user NE2552E(config)# tacacs-server user-mapping 4 user NE2552E(config)# tacacs-server user-mapping 5 oper © Copyright Lenovo 2018 Chapter 5: Authentication & Authorization Protocols...
Page 110: Ldap Authentication And Authorization
LDAP Authentication and Authorization Lenovo ENOS supports the LDAP (Lightweight Directory Access Protocol) method to authenticate and authorize remote administrators to manage the switch. LDAP is based on a client/server model. The switch acts as a client to the LDAP server. A remote user (the remote administrator) interacts only with the switch, not the back‐end server and database. LDAP authentication consists of the following components: A protocol with a frame format that utilizes TCP over IP   A centralized server that stores all the user authorization information A client, in this case, the switch  Each entry in the LDAP server is referenced by its Distinguished Name (DN). The DN consists of the user‐account name concatenated with the LDAP domain name. If the user‐account name is John, the following is an example DN: uid=John,ou=people,dc=domain,dc=com Configuring the LDAP Server NE2552E user groups and user accounts must reside within the same domain. On the LDAP server, configure the domain to include NE2552E user groups and user accounts, as follows:  User Accounts: Use the uid attribute to define each individual user account.  User Groups: Use the members attribute in the groupOfNames object class to create the user groups. The first word of the common name for each user group must be equal to the user group names defined in the NE2552E, as follows: admin (USERID)  oper ...
Page 111: Configuring Ldap Authentication On The Switch
NE2552E(config)# ldap-server domain <ou=people,dc=my‐domain,dc=com> 3. If desired, you may change the default TCP port number used to listen to LDAP. The well‐known port for LDAP is 389. NE2552E(config)# ldap-server port <1‐65000> 4. Configure the number of retry attempts for contacting the LDAP server and the timeout period. NE2552E(config)# ldap-server retransmit 3 (number of server retries) NE2552E(config)# ldap-server timeout 10 (enter the timeout period in seconds) 5. You may change the default LDAP attribute (uid) or add a custom attribute. For instance, Microsoft’s Active Directory requires the cn (common name) attribute. NE2552E(config)# ldap-server attribute username <1‐128 alpha‐numeric characters> © Copyright Lenovo 2018 Chapter 5: Authentication & Authorization Protocols...
Page 112 NE2552E Application Guide for ENOS 8.4...
Page 113: Chapter 6. 802.1X Port-Based Network Access Control
Chapter 6. 802.1X Port-Based Network Access Control Port‐Based Network Access control provides a means of authenticating and authorizing devices attached to a LAN port that has point‐to‐point connection characteristics. It prevents access to ports that fail authentication and authorization. This feature provides security to ports of the NE2552E Flex Switch (NE2552E) that connect to blade servers. The following topics are discussed in this section:  “Extensible Authentication Protocol over LAN” on page 114  “EAPoL Authentication Process” on page 115  “EAPoL Port States” on page 116  “Guest VLAN” on page 117  “Supported RADIUS Attributes” on page 118  “EAPoL Configuration Guidelines” on page 120 © Copyright Lenovo 2018...
Page 114: Extensible Authentication Protocol Over Lan
Extensible Authentication Protocol over LAN Lenovo ENOS can provide user‐level security for its ports using the IEEE 802.1X protocol, which is a more secure alternative to other methods of port‐based network access control. Any device attached to an 802.1X‐enabled port that fails authentication is prevented access to the network and denied services offered through that port. The 802.1X standard describes port‐based network access control using Extensible Authentication Protocol over LAN (EAPoL). EAPoL provides a means of authenticating and authorizing devices attached to a LAN port that has point‐to‐point connection characteristics and of preventing access to that port in cases of authentication and authorization failures. EAPoL is a client‐server protocol that has the following components: Supplicant or Client  The Supplicant is a device that requests network access and provides the required credentials (user name and password) to the Authenticator and the Authenticator Server.  Authenticator The Authenticator enforces authentication and controls access to the network. The Authenticator grants network access based on the information provided by the Supplicant and the response from the Authentication Server. The Authenticator acts as an intermediary between the Supplicant and the Authentication Server: requesting identity information from the client, forwarding that information to the Authentication Server for validation, relaying the server’s responses to the client, and authorizing network access based on the results of the authentication exchange. The NE2552E acts as an Authenticator.  Authentication Server The Authentication Server validates the credentials provided by the Supplicant to determine if the Authenticator should grant access to the network. The Authentication Server may be co‐located with the Authenticator. The NE2552E relies on external RADIUS servers for authentication. Upon a successful authentication of the client by the server, the 802.1X‐controlled port transitions from unauthorized to authorized state, and the client is allowed ...
Page 115: Eapol Authentication Process
802.1x Client Server EAPOL IBM Switch RADIUS-EAP Authenticator Ethernet (RADIUS Client) UDP/IP Port Unauthorized EAPOL-Start EAP-Request (Credentials) EAP-Response (Credentials) Radius-Access-Request Radius-Access-Challenge EAP-Request (Credentials) EAP-Response (Credentials) Radius-Access-Request Radius-Access-Accept EAP-Success Port Authorized © Copyright Lenovo 2018 Chapter 6: 802.1X Port-Based Network Access Control...
Page 116: Eapol Message Exchange
EAPoL Message Exchange During authentication, EAPOL messages are exchanged between the client and the NE2552E authenticator, while RADIUS‐EAP messages are exchanged between the NE2552E authenticator and the RADIUS server. Authentication is initiated by one of the following methods:  The NE2552E authenticator sends an EAP‐Request/Identity packet to the client  The client sends an EAPOL‐Start frame to the NE2552E authenticator, which responds with an EAP‐Request/Identity frame. The client confirms its identity by sending an EAP‐Response/Identity frame to the NE2552E authenticator, which forwards the frame encapsulated in a RADIUS packet to the server. The RADIUS authentication server chooses an EAP‐supported authentication algorithm to verify the client’s identity, and sends an EAP‐Request packet to the client via the NE2552E authenticator. The client then replies to the RADIUS server with an EAP‐Response containing its credentials. Upon a successful authentication of the client by the server, the 802.1X‐controlled port transitions from unauthorized to authorized state, and the client is allowed full access to services through the controlled port. When the client later sends an EAPOL‐Logoff message to the NE2552E authenticator, the port transitions from authorized to unauthorized state. If a client that does not support 802.1X connects to an 802.1X‐controlled port, the NE2552E authenticator requests the clientʹs identity when it detects a change in the operational state of the port. The client does not respond to the request, and the port remains in the unauthorized state. Note: When an 802.1X‐enabled client connects to a port that is not 802.1X‐controlled, the client initiates the authentication process by sending an EAPOL‐Start frame. When no response is received, the client retransmits the request for a fixed number of times. If no response is received, the client assumes the port is in authorized state, and begins sending frames, even if the port is unauthorized. EAPoL Port States The state of the port determines whether the client is granted access to the network, as follows: ...
Page 117: Guest Vlan
Guest VLAN The guest VLAN provides limited access to unauthenticated ports. The guest VLAN can be configured using the following command: NE2552E(config)# dot1x guest-vlan ? Client ports that have not received an EAPOL response are placed into the Guest VLAN, if one is configured on the switch. Once the port is authenticated, it is moved from the Guest VLAN to its configured VLAN. When Guest VLAN enabled, the following considerations apply while a port is in the unauthenticated state:  The port is placed in the guest VLAN. The Port VLAN ID (PVID) is changed to the Guest VLAN ID.   Port tagging is disabled on the port. © Copyright Lenovo 2018 Chapter 6: 802.1X Port-Based Network Access Control...
Page 118: Supported Radius Attributes
Supported RADIUS Attributes The 802.1X Authenticator relies on external RADIUS servers for authentication with EAP. Table 11lists the RADIUS attributes that are supported as part of RADIUS‐EAP authentication based on the guidelines specified in Annex D of the 802.1X standard and RFC 3580. Table 11. Support for RADIUS Attributes # Attribute Attribute Value 1 User‐Name The value of the Type‐Data field 0‐1 from the supplicant’s EAP‐Response/Identity message. If the Identity is unknown (i.e. Type‐Data field is zero bytes in length), this attribute will have the same value as the Calling‐Station‐Id. 4 NAS‐IP‐Address IPv4 address of the authenticator used for Radius communication. 5 NAS‐Port Port number of the authenticator port to which the supplicant is attached. 24 State Server‐specific value. This is 0‐1 0‐1 0‐1 sent unmodified back to the ...
Page 119 80 Message‐ Always present whenever an Authenticator EAP‐Message attribute is also included. Used to integrity‐protect a packet. 87 NAS‐Port‐ID Name assigned to the authenticator port, e.g. Server1_Port3 Legend: RADIUS Packet Types: A‐R (Access‐Request), A‐A (Access‐Accept), A‐C (Access‐Challenge), A‐R (Access‐Reject) RADIUS Attribute Support: This attribute MUST NOT be present in a packet.   Zero or more instances of this attribute MAY be present in a packet. 0‐1 Zero or one instance of this attribute MAY be present in a packet.   Exactly one instance of this attribute MUST be present in a packet.  One or more of these attributes MUST be present. © Copyright Lenovo 2018 Chapter 6: 802.1X Port-Based Network Access Control...
Page 120: Eapol Configuration Guidelines
EAPoL Configuration Guidelines When configuring EAPoL, consider the following guidelines:  The 802.1X port‐based authentication is currently supported only in point‐to‐point configurations, that is, with a single supplicant connected to an 802.1X‐enabled switch port.  When 802.1X is enabled, a port has to be in the authorized state before any other Layer 2 feature can be operationally enabled. For example, the STG state of a port is operationally disabled while the port is in the unauthorized state.  The 802.1X supplicant capability is not supported. Therefore, none of its ports can successfully connect to an 802.1X‐enabled port of another device, such as another switch, that acts as an authenticator, unless access control on the remote port is disabled or is configured in forced‐authorized mode. For example, if a NE2552E is connected to another NE2552E, and if 802.1X is enabled on both switches, the two connected ports must be configured in force‐authorized mode.  Unsupported 802.1X attributes include Service‐Type, Session‐Timeout, and Termination‐Action.  RADIUS accounting service for 802.1X‐authenticated devices or users is not currently supported.  Configuration changes performed using SNMP and the standard 802.1X MIB will take effect immediately. NE2552E Application Guide for ENOS 8.4...
Page 121: Chapter 7. Access Control Lists
Chapter 7. Access Control Lists Access Control Lists (ACLs) are filters that permit or deny traffic for security purposes. They can also be used with QoS to classify and segment traffic in order to provide different levels of service to different traffic types. Each filter defines the conditions that must match for inclusion in the filter, and also the actions that are performed when a match is made. Lenovo ENOS 8.4 supports the following ACLs:  IPv4 ACLs Up to 256 ACLs are supported for networks that use IPv4 addressing. IPv4 ACLs are configured using the following CLI menu: NE2552E(config)# access-control list <IPv4 ACL number> IPv6 ACLs  Up to 256 ACLs are supported for networks that use IPv6 addressing. IPv6 ACLs are configured using the following CLI menu: NE2552E(config)# access-control list6 <IPv6 ACL number>  Management ACLs Up to 128 MACLs are supported. ACLs for the different types of management protocols (Telnet, HTTPS, etc.) provide greater granularity for securing management traffic. Management ACLs are configured using the following command: NE2552E(config)# access-control macl <MACL number> © Copyright Lenovo 2018...
Page 122: Summary Of Packet Classifiers
Summary of Packet Classifiers ACLs allow you to classify packets according to a variety of content in the packet header (such as the source address, destination address, source port number, destination port number, and others). Once classified, packet flows can be identified for more processing. Regular ACLs allow you to classify packets based on the following packet attributes:  Ethernet header options (for regular ACLs and VMaps only) Source MAC address  Destination MAC address  VLAN number and mask  Ethernet type (ARP, IPv4, MPLS, RARP, etc.)  Ethernet Priority (the IEEE 802.1p Priority)   IPv4 header options (for regular ACLs and VMaps only) Source IPv4 address and subnet mask  Destination IPv4 address and subnet mask  Type of Service value  IP protocol number or name as shown in Table  Table 12. Well‐Known Protocol Types Number Protocol Name icmp igmp ospf vrrp NE2552E Application Guide for ENOS 8.4...
Page 123 1985 hsrp gopher snmptrap TCP/UDP application destination port and mask as shown in Table  TCP/UDP flag value as shown in Table 14.  Table 14. Well‐Known TCP flag values Flag Value 0x0020 0x0010 0x0008 0x0004 0x0002 0x0001  Packet format (for regular ACLs and VMaps only) Ethernet format (eth2, SNAP, LLC)  Ethernet tagging format  IP format (IPv4)   Egress port packets (for all ACLs) © Copyright Lenovo 2018 Chapter 7: Access Control Lists...
Page 124: Summary Of Acl Actions
Summary of ACL Actions Once classified using ACLs, the identified packet flows can be processed differently. For each ACL, an action can be assigned. The action determines how the switch treats packets that match the classifiers assigned to the ACL. NE2552E ACL actions include the following:  Pass or Drop the packet  Re‐mark the packet with a new DiffServ Code Point (DSCP)  Re‐mark the 802.1p field  Set the COS queue Assigning Individual ACLs to a Port Once you configure an ACL, you must assign the ACL to the appropriate ports. Each port can accept multiple ACLs, and each ACL can be applied for multiple ports. ACLs can be assigned individually, or in groups. To assign an individual ACL to a port, use the following IP interface commands: NE2552E(config)# interface port <port> NE2552E(config-if)# access-control list <IPv4 ACL number> When multiple ACLs are assigned to a port, higher‐priority ACLs are considered first, and their action takes precedence over lower‐priority ACLs. ACL order of precedence is discussed in the next section. To create and assign ACLs in groups, see “ACL Groups” on page 125. ACL Order of Precedence When multiple ACLs are assigned to a port, they are evaluated in numeric ...
Page 125: Acl Groups
Action = deny ACL 3: Priority = 7 DIP = 10.10.10.3 (255.255.255.0) Action = permit ACL Groups organize ACLs into traffic profiles that can be more easily assigned to ports. The NE2552E supports up to 256 ACL Groups. Note: ACL Groups are used for convenience in assigning multiple ACLs to ports. ACL Groups have no effect on the order in which ACLs are applied (see “ACL Order of Precedence” on page 124). All ACLs assigned to the port (whether individually assigned or part of an ACL Group) are considered as individual ACLs for the purposes of determining their order of precedence. Assigning ACL Groups to a Port To assign an ACL Group to a port, use the following commands: NE2552E(config)# interface port <port> NE2552E(config-if)# access-control group <ACL group number> NE2552E(config-if)# exit © Copyright Lenovo 2018 Chapter 7: Access Control Lists...
Page 126: Acl Metering And Re-Marking
ACL Metering and Re-Marking You can define a profile for the aggregate traffic flowing through the switch by configuring a QoS meter (if desired) and assigning ACLs to ports. Note: When you add ACLs to a port, make sure they are ordered correctly in terms of precedence (see “ACL Order of Precedence” on page 124). Actions taken by an ACL are called In‐Profile actions. You can configure additional In‐Profile and Out‐of‐Profile actions on a port. Data traffic can be metered, and re‐marked to ensure that the traffic flow provides certain levels of service in terms of bandwidth for different types of network traffic. Metering QoS metering provides different levels of service to data streams through user‐configurable parameters. A meter is used to measure the traffic stream against a traffic profile which you create. Thus, creating meters yields In‐Profile and Out‐of‐Profile traffic for each ACL, as follows:  In‐Profile–If there is no meter configured or if the packet conforms to the meter, the packet is classified as In‐Profile.  Out‐of‐Profile–If a meter is configured and the packet does not conform to the meter (exceeds the committed rate or maximum burst rate of the meter), the packet is classified as Out‐of‐Profile. Using meters, you set a Committed Rate in Kbps (1000 bits per second in each Kbps). All traffic within this Committed Rate is In‐Profile. Additionally, you can set a Maximum Burst Size that specifies an allowed data burst larger than the Committed Rate for a brief period. These parameters define the In‐Profile traffic. Meters keep the sorted packets within certain parameters. You can configure a meter on an ACL, and perform actions on metered traffic, such as packet re‐marking. Re-Marking Re‐marking allows for the treatment of packets to be reset based on new network specifications or desired levels of service. You can configure the ACL to re‐mark a packet as follows:  Change the DSCP value of a packet, used to specify the service level that traffic should receive. ...
Page 127: Acl Port Mirroring
NE2552E(config)# access-control list <ACL number> statistics ACL Logging ACLs are generally used to enhance port security. Traffic that matches the characteristics (source addresses, destination addresses, packet type, etc.) specified by the ACLs on specific ports is subject to the actions (chiefly permit or deny) defined by those ACLs. Although switch statistics show the number of times particular ACLs are matched, the ACL logging feature can provide additional insight into actual traffic patterns on the switch, providing packet details in the system log for network debugging or security purposes. Enabling ACL Logging By default, ACL logging is disabled. Enable or disable ACL logging on a per‐ACL basis as follows: NE2552E(config)# [no] access-control list <IPv4 ACL number> log NE2552E(config)# [no] access-control list6 <IPv6 ACL number> log © Copyright Lenovo 2018 Chapter 7: Access Control Lists...
Page 128: Logged Information
Logged Information When ACL logging is enabled on any particular ACL, the switch will collect information about packets that match the ACL. The information collected depends on the ACL type:  For IP‐based ACLs, information is collected regarding Source IP address  Destination IP address  TCP/UDP port number  ACL action  Number of packets logged  For example: Aug 21 15:30:43 TA_22 NOTICE ACL-LOG: %IP-NEW Src IP: 40.0.0.8, Dst IP: 40.0.0.1, Src Intf: EXT5, ACL: list 10, Action: deny, Hit-count: 1 ...
Page 129: Acl Logging Limitations
To configure the maximum number of log entries cached in the software, use the following command: NE2552E(config)# logging ip access-list cache entries <1‐100000> To configure the number of log messages generated and sent after the initial match, in numbers of packets, use the following command: NE2552E(config)# logging ip access-list cache threshold <0‐1000000> ACL Logging Limitations ACL logging reserves packet queue 1 for internal use. Features that allow remapping packet queues (such as CoPP) may not behave as expected if other packet flows are reconfigured to use queue 1. © Copyright Lenovo 2018 Chapter 7: Access Control Lists...
Page 130: Acl Configuration Examples
ACL Configuration Examples ACL Example 1 Use this configuration to block traffic to a specific host. All traffic that ingresses on port EXT1 is denied if it is destined for the host at IP address 100.10.1.1. 1. Configure an Access Control List. NE2552E(config)# access-control list 1 ipv4 destination-ip-address 100.10.1.1 NE2552E(config)# access-control list 1 action deny 2. Add ACL 1 to port EXT1. NE2552E(config)# interface port EXT1 NE2552E(config-if)# access-control list 1 NE2552E(config-if)# exit ACL Example 2 Use this configuration to block traffic from a network destined for a specific host address. All traffic that ingresses in port EXT2 with source IP from class 100.10.1.0/24 and destination IP 200.20.2.2 is denied.
Page 131: Acl Example 3
NE2552E(config)# access-control list 4 ipv4 source-ip-address 100.10.1.0 255.255.255.0 NE2552E(config)# access-control list 4 egress-port 3 NE2552E(config)# access-control list 4 action deny 2. Add ACL 4 to port EXT1. NE2552E(config)# interface port EXT1 NE2552E(config-if)# access-control list 4 NE2552E(config-if)# exit © Copyright Lenovo 2018 Chapter 7: Access Control Lists...
Page 132: Management Acls
Management ACLs Management ACLs (MACLs) filter inbound traffic (traffic heading toward the CPU). MACLs are applied switch‐wide. Traffic can be filtered based on the following:  IPv4 source address  IPv4 destination address  IPv4 protocols  TCP/UDP destination or source port Lower MACL numbers have higher priority. Up to 128 MACLs can be configured. Following is an example MACL configuration based on a destination IP address and a TCP‐UDP destination port: NE2552E(config)# access-control macl 1 ipv4 destination-ip-address 1.1.1.1 255.255.255.0 NE2552E(config)# access-control macl 1 tcp-udp destination-port 111 0xffff NE2552E(config)# access-control macl 1 statistics NE2552E(config)# access-control macl 1 action permit NE2552E(config)# access-control macl 1 enable Use the following command to view the MACL configuration: ...
Page 133: Part 3: Switch Basics
Part 3: Switch Basics This section discusses basic switching functions:  VLANs  Port Aggregation  Spanning Tree Protocols (Spanning Tree Groups, Rapid Spanning Tree Protocol and Multiple Spanning Tree Protocol)  Quality of Service © Copyright Lenovo 2018...
Page 134 NE2552E Application Guide for ENOS 8.4...
Page 135: Chapter 8. Vlans
Chapter 8. VLANs This chapter describes network design and topology considerations for using Virtual Local Area Networks (VLANs). VLANs are commonly used to split up groups of network users into manageable broadcast domains, to create logical segmentation of workgroups, and to enforce security policies among logical segments. The following topics are discussed in this chapter:  “VLANs and Port VLAN ID Numbers” on page 137  “VLAN Tagging/Trunk Mode” on page 140  “VLAN Topologies and Design Considerations” on page 145  “Protocol‐Based VLANs” on page 148 “Private VLANs” on page 151  Note: Basic VLANs can be configured during initial switch configuration (see “Using the Setup Utility” in the NE2552E Lenovo ENOS 8.4 Command Reference). More comprehensive VLAN configuration can be done from the Command Line Interface (see “VLAN Configuration” as well as “Port Configuration” in the NE2552E Lenovo ENOS 8.4 Command Reference). © Copyright Lenovo 2018...
Page 136: Vlans Overview
VLANs Overview Setting up virtual LANs (VLANs) is a way to segment networks to increase network flexibility without changing the physical network topology. With network segmentation, each switch port connects to a segment that is a single broadcast domain. When a switch port is configured to be a member of a VLAN, it is added to a group of ports (workgroup) that belong to one broadcast domain. Ports are grouped into broadcast domains by assigning them to the same VLAN. Frames received in one VLAN can only be forwarded within that VLAN, and multicast, broadcast, and unknown unicast frames are flooded only to ports in the same VLAN. The NE2552E automatically supports jumbo frames. This default cannot be manually configured or disabled. The NE2552E Flex Switch (NE2552E) supports jumbo frames with a Maximum Transmission Unit (MTU) of 9,216 bytes. Within each frame, 18 bytes are reserved for the Ethernet header and CRC trailer. The remaining space in the frame (up to 9,198 bytes) comprise the packet, which includes the payload of up to 9,000 bytes and any additional overhead, such as 802.1q or VLAN tags. Jumbo frame support is automatic: it is enabled by default, requires no manual configuration, and cannot be manually disabled. Note: Jumbo frames are not supported for traffic sent to switch management interfaces. NE2552E Application Guide for ENOS 8.4...
Page 137: Vlans And Port Vlan Id Numbers
Default VLAN INTA2-INTB14 EXT9/1-EXT12/4 VLAN 10 EXT5-EXT12/4 VLAN 20 EXT3 EXT4 VLAN 40 empty VLAN 60 EXT1 VLAN 80 INTA1 EXT1 EXT2 EXT5-EXT12/4 4095 Mgmt VLAN EXTM MGT1 Note: The sample screens that appear in this document might differ slightly from the screens displayed by your system. Screen content varies based on the type of blade chassis unit that you are using and the firmware versions and options that are installed. © Copyright Lenovo 2018 Chapter 8: VLANs...
Page 138: Pvid/Native Vlan Numbers
PVID/Native VLAN Numbers Each port in the switch has a configurable default VLAN number, known as its PVID. By default, the PVID for all non‐management ports is set to 1, which correlates to the default VLAN ID. The PVID for each port can be configured to any VLAN number between 1 and 4094. Use the following CLI commands to view PVIDs:  Port information: NE2552E# show interface information (or) NE2552E# show interface trunk Port Tag RMON Lrn Fld tis tes PVID DESCRIPTION VLAN(s) NVLAN ------- --- ---- --- --- --- --- ------ -------------- ---------------- INTA1 INTA1 INTA2...
Page 139  Port Configuration: Access mode port:  NE2552E(config)# interface port <portr> NE2552E(config-if)# switchport access vlan <VLAN ID> Trunk mode port:  NE2552E(config)# interface port <port> NE2552E(config-if)# switchport trunk native vlan <VLAN ID> Each port on the switch can belong to one or more VLANs, and each VLAN can have any number of switch ports in its membership. Any port that belongs to multiple VLANs, however, must have VLAN tagging enabled (see “VLAN Tagging/Trunk Mode” on page 140). © Copyright Lenovo 2018 Chapter 8: VLANs...
Page 140: Vlan Tagging/Trunk Mode
VLAN Tagging/Trunk Mode Lenovo ENOS software supports 802.1Q VLAN tagging, providing standards‐based VLAN support for Ethernet systems. Tagging places the VLAN identifier in the frame header of a packet, allowing each port to belong to multiple VLANs. When you add a port to multiple VLANs, you also must enable tagging on that port. Since tagging fundamentally changes the format of frames transmitted on a tagged port, you must carefully plan network designs to prevent tagged frames from being transmitted to devices that do not support 802.1Q VLAN tags, or devices where tagging is not enabled. Important terms used with the 802.1Q tagging feature are:  VLAN identifier (VID)—the 12‐bit portion of the VLAN tag in the frame header that identifies an explicit VLAN.  Port VLAN identifier (PVID)—a classification mechanism that associates a port with a specific VLAN. For example, a port with a PVID of 3 (PVID =3) assigns all untagged frames received on this port to VLAN 3. Any untagged frames received by the switch are classified with the PVID of the receiving port.  Tagged frame—a frame that carries VLAN tagging information in the header. This VLAN tagging information is a 32‐bit field (VLAN tag) in the frame header that identifies the frame as belonging to a specific VLAN. Untagged frames are marked (tagged) with this classification as they leave the switch through a port that is configured as a tagged port.  Untagged frame— a frame that does not carry any VLAN tagging information in the frame header.  Untagged member—a port that has been configured as an untagged member of a specific VLAN. When an untagged frame exits the switch through an untagged member port, the frame header remains unchanged. When a tagged frame exits the switch through an untagged member port, the tag is stripped and the tagged frame is changed to an untagged frame.  Tagged member—a port that has been configured as a tagged member of a specific VLAN. When an untagged frame exits the switch through a tagged member port, the frame header is modified to include the 32‐bit tag associated ...
Page 141 Port 1 Port 2 Port 3 Tagged member PVID = 2 of VLAN 2 Untagged packet 802.1Q Switch Data B efore Port 6 Port 7 Port 8 Untagged member of VLAN 2 BS45011A © Copyright Lenovo 2018 Chapter 8: VLANs...
Page 142 As shown in Figure 4, the untagged packet is marked (tagged) as it leaves the switch through port 5, which is configured as a tagged member of VLAN 2. The untagged packet remains unchanged as it leaves the switch through port 7, which is configured as an untagged member of VLAN 2. Figure 4. 802.1Q tagging (after port‐based VLAN assignment) Tagged member PVID = 2 Port 1 Port 2 Port 3 of VLAN 2 802.1Q Switch CRC* Data (*Recalculated) Port 6 Port 7 Port 8 8100 Priority VID = 2 Untagged memeber of VLAN 2 16 bits 3 bits...
Page 143 16 bits 3 bits 1 bit 12 bits Data After Outgoing untagged packet changed (tag removed) Priority - User_priority - Canonical format indicator - VLAN identifier BS45014A Note: Setting the configuration to factory default (NE2552E(config)# boot configuration-block factory) will reset all non‐management ports to VLAN 1. © Copyright Lenovo 2018 Chapter 8: VLANs...
Page 144: Ingress Vlan Tagging
Ingress VLAN Tagging Tagging can be enabled on an ingress port. When a packet is received on an ingress port, and if ingress tagging is enabled on the port, a VLAN tag with the port PVID is inserted into the packet as the outer VLAN tag. Depending on the egress port setting (tagged or untagged), the outer tag of the packet is retained or removed when it leaves the egress port. Ingress VLAN tagging is used to tunnel packets through a public domain without altering the original 802.1Q status. When ingress tagging is enabled on a port, all packets, whether untagged or tagged, will be tagged again. As shown in Figure 7, when tagging is enabled on the egress port, the outer tag of the packet is retained when it leaves the egress port. If tagging is disabled on the egress port, the outer tag of the packet is removed when it leaves the egress port. Figure 7. 802.1Q tagging (after ingress tagging assignment) Untagged packet received on ingress port 802.1Q Switch Port 1 Port 2 Port 3 Tagg PVID = 2 of V Untagged packet CRC* Data Data...
Page 145: Vlan Topologies And Design Considerations
Multiple management VLANs can be configured on the switch, in addition to the default VLAN 4095, using the following commands: NE2552E(config)# vlan <VLAN ID (3‐4094)> NE2552E(config-vlan)# management When using Spanning Tree, STG 2‐128/256 may contain only one VLAN unless  Multiple Spanning‐Tree Protocol (MSTP) mode is used. With MSTP mode, STG 1 to 32 can include multiple VLANs. VLAN Configuration Rules VLANs operate according to specific configuration rules. When creating VLANs, consider the following rules that determine how the configured VLAN reacts in any network topology:  All ports involved in aggregation and port mirroring must have the same VLAN configuration. If a port is on a LAG with a mirroring port, the VLAN configura‐ tion cannot be changed. For more information about aggregation, see “Configuring a Static LAG” on page 165.  If a port is configured for port mirroring, the port’s VLAN membership cannot be changed. For more information on configuring port mirroring, see “Port Mirroring” on page 547.  Management VLANs must contain the management port, and can include one or more internal ports (INTx). External ports (EXTx) cannot be members of any management VLAN. © Copyright Lenovo 2018 Chapter 8: VLANs...
Page 146: Example: Multiple Vlans With Tagging Adapters
Example: Multiple VLANs with Tagging Adapters Figure 8. Multiple VLANs with VLAN‐Tagged Gigabit Adapters Server #1 Server #2 VLAN #3 VLAN #1, 2, 3 Switch Module Switch Module Shared Media Gigabit/Tagged adapter PC #1 PC #2 PC #3 PC #4 PC #5 VLAN #2 VLAN #2 VLAN #1 VLAN #3 VLAN #1 &...
Page 147 Component Description PC #4 A member of VLAN 3, this PC can only communicate with Server 1 and Server 2. The associated external switch port has tagging disabled. PC #5 A member of both VLAN 1 and VLAN 2, this PC has a VLAN‐tagging Gigabit Ethernet adapter installed. It can communicate with Server 2 and PC 3 via VLAN 1, and to Server 2, PC 1 and PC 2 via VLAN 2. The associated external switch port is a member of VLAN 1 and VLAN 2, and has tagging enabled. Note: VLAN tagging is required only on ports that are connected to other NE2552Es or on ports that connect to tag‐capable end‐stations, such as servers with VLAN‐tagging adapters. © Copyright Lenovo 2018 Chapter 8: VLANs...
Page 148: Protocol-Based Vlans
Protocol-Based VLANs Protocol‐based VLANs (PVLANs) allow you to segment network traffic according to the network protocols in use. Traffic for supported network protocols can be confined to a particular port‐based VLAN. You can give different priority levels to traffic generated by different network protocols. With PVLAN, the switch classifies incoming packets by Ethernet protocol of the packets, not by the configuration of the ingress port. When an untagged or priority‐tagged frame arrives at an ingress port, the protocol information carried in the frame is used to determine a VLAN to which the frame belongs. If a frame’s protocol is not recognized as a pre‐defined PVLAN type, the ingress port’s PVID is assigned to the frame. When a tagged frame arrives, the VLAN ID in the frame’s tag is used. Each VLAN can contain up to eight different PVLANs. You can configure separate PVLANs on different VLANs, with each PVLAN segmenting traffic for the same protocol type. For example, you can configure PVLAN 1 on VLAN 2 to segment IPv4 traffic, and PVLAN 8 on VLAN 100 to segment IPv4 traffic. To define a PVLAN on a VLAN, configure a PVLAN number (1‐8) and specify the frame type and the Ethernet type of the PVLAN protocol. You must assign at least one port to the PVLAN before it can function. Define the PVLAN frame type and Ethernet type as follows: Frame type—consists of one of the following values:  Ether2 (Ethernet II)  SNAP (Subnetwork Access Protocol)  LLC (Logical Link Control)   Ethernet type—consists of a 4‐digit (16 bit) hex value that defines the Ethernet type. You can use common Ethernet protocol values, or define your own values. Following are examples of common Ethernet protocol values: IPv4 = 0800  IPv6 = 86dd  ARP = 0806  Port-Based vs. Protocol-Based VLANs Each VLAN supports both port‐based and protocol‐based association, as follows: ...
Page 149: Pvlan Priority Levels
140. Untagged ports must have PVLAN tagging disabled. Tagged ports can have PVLAN tagging either enabled or disabled. PVLAN tagging has higher precedence than port‐based tagging. If a port is tag enabled, and the port is a member of a PVLAN, the PVLAN tags egress frames that match the PVLAN protocol. Use the tag‐pvlan command (vlan <x> protocol-vlan <x> tag-pvlan <x>) to define the complete list of tag‐enabled ports in the PVLAN. Note that all ports not included in the PVLAN tag list will have PVLAN tagging disabled. PVLAN Configuration Guidelines Consider the following guidelines when you configure protocol‐based VLANs:  Each port can support up to 8 VLAN protocols. The NE2552E can support up to 16 protocols simultaneously.   Each PVLAN must have at least one port assigned before it can be activated. The same port within a port‐based VLAN can belong to multiple PVLANs.   An untagged port can be a member of multiple PVLANs. A port cannot be a member of different VLANs with the same protocol  association. © Copyright Lenovo 2018 Chapter 8: VLANs...
Page 150: Configuring Pvlan
Configuring PVLAN Follow this procedure to configure a Protocol‐based VLAN (PVLAN). 1. Configure VLAN tagging/trunk mode for ports. NE2552E(config)# interface port ext1,ext2 NE2552E(config-if)# switchport mode trunk NE2552E(config-if)# exit 2. Create a VLAN and define the protocol type(s) supported by the VLAN. NE2552E(config)# vlan 2 NE2552E(config-vlan)# protocol-vlan 1 frame-type ether2 0800 3. Configure the priority value for the protocol. NE2552E(config-vlan)# protocol-vlan 1 priority 2 4. Add member ports for this PVLAN. NE2552E(config-vlan)# protocol-vlan 1 member ext1,ext2 Note: If VLAN tagging is turned on and the port being added to the VLAN has a ...
Page 151: Private Vlans
 toward ports in the primary VLAN. Each Private VLAN can contain only one Isolated VLAN. Community VLAN—carries upstream traffic from ports in the community  VLAN to other ports in the same community, and to ports in the primary VLAN. Each Private VLAN can contain multiple community VLANs. After you define the primary VLAN and one or more secondary VLANs, you map the secondary VLAN(s) to the primary VLAN. Private VLAN Ports Private VLAN ports are defined as follows:  Promiscuous—A promiscuous port is a port that belongs to the primary VLAN. The promiscuous port can communicate with all the interfaces, including ports in the secondary VLANs (Isolated VLAN and Community VLANs).  Isolated—An isolated port is a host port that belongs to an isolated VLAN. Each isolated port has complete layer 2 separation from other ports within the same private VLAN (including other isolated ports), except for the promiscuous ports. Traffic sent to an isolated port is blocked by the Private VLAN, except the  traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.   Community—A community port is a host port that belongs to a community VLAN. Community ports can communicate with other ports in the same community VLAN, and with promiscuous ports. These interfaces are isolated at layer 2 from all other interfaces in other communities and from isolated ports within the Private VLAN. © Copyright Lenovo 2018 Chapter 8: VLANs...
Page 152: Configuration Guidelines
Configuration Guidelines The following guidelines apply when configuring Private VLANs:  Management VLANs cannot be Private VLANs. Management ports cannot be members of a Private VLAN.  The default VLAN 1 cannot be a Private VLAN. IGMP Snooping must be disabled on Private VLANs.   All VLANs that comprise the Private VLAN must belong to the same Spanning Tree Group.  A VLAN pair is a primary VLAN and one associated secondary VLAN (isolated or community). The maximum number of VLAN pairs per port is 16. Configuration Example Follow this procedure to configure a Private VLAN. 1. Select a VLAN and define the Private VLAN type as primary. NE2552E(config)# vlan 700 NE2552E(config-vlan)# private-vlan primary NE2552E(config-vlan)# exit 2. Configure a promiscuous port for VLAN 700. NE2552E(config)# interface port 1 NE2552E(config-if)# switchport mode private-vlan NE2552E(config-if)# switchport private-vlan mapping 700 NE2552E(config-if)# exit 3.
Page 153 NE2552E(config-if)# exit NE2552E(config)# interface port 3 NE2552E(config-if)# switchport mode private-vlan NE2552E(config-if)# switchport private-vlan host-association 700 702 NE2552E(config-if)# exit 6. Verify the configuration. NE2552E(config)# show vlan private-vlan Primary Secondary Type Ports ------- --------- --------------- --------------------------------- isolated community © Copyright Lenovo 2018 Chapter 8: VLANs...
Page 154 NE2552E Application Guide for ENOS 8.4...
Page 155: Chapter 9. Ports And Link Aggregation (Lag)
Chapter 9. Ports and Link Aggregation (LAG) LAGs can provide super‐bandwidth, multi‐link connections between the NE2552E Flex Switch (NE2552E) and other LAG‐capable devices. A LAG is a group of ports that act together, combining their bandwidth to create a single, larger virtual link. This chapter provides configuration background and examples for aggregating multiple ports together:  “Configuring Port Modes” on page 156  “Configuring QSFP28 Ports” on page 160  “Aggregation Overview” on page 163  “Static LAGs” on page 164 “Configurable LAG Hash Algorithm” on page 167   “Link Aggregation Control Protocol” on page 169 © Copyright Lenovo 2018...
Page 156: Configuring Port Modes
Configuring Port Modes The switch allows you to set the port mode. Select the port mode that fits your network configuration. The NE2552E provides support for the following:  A combination of either 28x10G/25G or 14x50G ports internally.  8x10G/25G SFP28 ports that can be configured as 2x100G ports.  4x100G QSFP28 ports, and 10/100/1000 Base‐T management port externally. The 100G ports are capable of 1x40G configuration and 4x10G/25G, or 2x50G breakout configurations. To configure the port modes, use the following command: speed NE2552E(config-if)# {10000|25000|40000|50000|100000|auto} The following speed combinations are allowed on the internal ports: INTA1 INTB1 INTA2 INTB2 auto auto auto auto auto auto auto auto Note: Prior to setting the speed to auto, make sure to enable auto‐negotiation on the ports. The following speed combinations are allowed on the external SFP ports: EXT1 EXT2 EXT3 EXT4 100G NE2552E Application Guide for ENOS 8.4...
Page 157: Considerations For Configuring Port Modes
8.4.6/8.4.7 Command 8.4.8 Command translation boot port-mode 10Gports speed 10000 boot port-mode 25Gports speed 25000 boot port-mode 40Gports speed 40000 boot port-mode 50Gports speed 50000 boot port-mode 100Gports speed 100000 © Copyright Lenovo 2018 Chapter 9: Ports and Link Aggregation (LAG)
Page 158 Use the following commands to verify the port configuration: NE2552E(config)# show interface information Port Tag RMON Lrn Fld tis tes PVID DESCRIPTION VLAN(s) NVLAN INTA1 INTA1 INTA2 INTA2 INTA3 INTA3 INTA4 INTA4 INTA5 INTA5 INTA6 INTA6 INTA7 INTA7 INTA8 INTA8 INTA9 INTA9 INTA10 INTA10 INTA11 INTA11 INTA12 INTA12 INTA13 INTA13 INTA14...
Page 159 EXT12/2 full* auto down EXT12/2 EXT12/3 full* auto down EXT12/3 EXT12/4 full* auto down EXT12/4 EXTM full EXTM MGT1 full MGT1 * = value set by configuration; not autonegotiated. © Copyright Lenovo 2018 Chapter 9: Ports and Link Aggregation (LAG)
Page 160: Configuring Qsfp28 Ports
Configuring QSFP28 Ports The supported 4x100G QSFP28 ports are capable of 1x40G configuration and 4x10G/25G, or 2x50G breakout configurations, as shown in Table 15. Table 15. QSFP28 Port Numbering QSFP28 40GbE/ 50GbE 10GbE/ Port Group 100GbE mode 25GbE mode mode Port EXT9 Port Ports EXT9/1, EXT9/3 Ports EXT9/1‐EXT9/4 EXT9/1 Port EXT10 Port Ports EXT10/1, EXT10/3 Ports EXT10/1‐EXT10/4 EXT10/1 Port EXT11 Port Ports EXT11/1, EXT11/3 Ports EXT11/1‐EXT11/4 EXT11/1 Port EXT12 Port Ports EXT12/1, EXT12/3 Ports EXT12/1‐EXT12/4 EXT12/1 Note: By default, QSFP28 ports are configured as 25 Gb/s ports. NE2552E Application Guide for ENOS 8.4...
Page 161: Configuring Sfp Ports
Configuring SFP Ports The supported 8x10G/25G SFP28 ports are capable of 2x100G ports configuration, as shown in Table 16. Table 16. SFP Port Numbering SFP Port Group 100GbE mode 10GbE / 25GbE mode EXT1 EXT1 EXT1‐EXT4 EXT5 EXT5 EXT5‐EXT8 © Copyright Lenovo 2018 Chapter 9: Ports and Link Aggregation (LAG)
Page 162: Forwarding Error Correction
Forwarding Error Correction The NE2572 switch supports forwarding error correction (FEC). Note: By default, this option is disabled on internal ports and set to auto on external ports. To configure FEC, enter: NE2552E(config-if)# fec {auto|cl74|cl91|off} where: Parameter Description auto Enables and configures FEC automatically based on the port speed for interfaces configured with 25 Gb/s, 40Gb/s, 50 Gb/s or 100 Gb/s. cl74 Enables FEC with clause 74 for interfaces configured with 25 Gb/s, 40Gb/s, 50 Gb/s or 100 Gb/s port speeds. cl91 Enables FEC with clause 91 for interfaces configured with 25 Gb/s, 40 Gb/s, 50 Gb/s or 100 Gb/s port speeds. Disables FEC on the interface. NE2552E Application Guide for ENOS 8.4...
Page 163: Aggregation Overview
Aggregation Overview When using LAGs between two switches, as shown in Figure 9, you can create a virtual link between them, operating with combined throughput levels that depends on how many physical ports are included. Two types of aggregation are available: static LAGs and dynamic Link Aggregation Control Protocol (LACP) LAGs. Up to 52 LAGs of each type are supported, depending of the number and type of available ports. Each LAG can include up to 24 member ports. Figure 9. Link Aggregation Group (LAG) Switch 1 Switch 2 LAGs are also useful for connecting a NE2552E to third‐party devices that support link aggregation, such as Cisco routers and switches with EtherChannel technology (not ISL aggregation technology) and Sunʹs Quad Fast Ethernet Adapter. Static LAG technology is compatible with these devices when they are configured manually. LAG traffic is statistically distributed among the ports in a LAG, based on a variety of configurable options. Also, since each LAG is comprised of multiple physical links, the LAG is inherently fault tolerant. As long as one connection between the switches is available, the LAG remains active and statistical load balancing is maintained whenever a port in the LAG is lost or returned to service. © Copyright Lenovo 2018 Chapter 9: Ports and Link Aggregation (LAG)
Page 164: Static Lags
Static LAGs When you create and enable a static LAG, the LAG members (switch ports) take on certain settings necessary for correct operation of the aggregation feature. Before Configuring Static LAGs Before you configure your LAG, you must consider these settings, along with specific configuration rules, as follows:  Read the configuration rules provided in the section, “Static LAG Configuration Rules” on page 164.” Determine which switch ports are to become LAG members (the specific ports  making up the LAG).  Ensure that the chosen switch ports are set to enabled.  Ensure all member ports in a LAG have the same VLAN configuration.  Consider how the existing Spanning Tree will react to the new LAG configuration. See “Spanning Tree Protocols” on page 173 for configuration guidelines. Consider how existing VLANs will be affected by the addition of a LAG.  Static LAG Configuration Rules The aggregation feature operates according to specific configuration rules. When creating LAGs, consider the following rules that determine how a LAG reacts in any network topology:  All LAGs must originate from one network entity (a single device or multiple devices acting in a stack) and lead to one destination entity. For example, you cannot combine links from two different servers into one LAG.  Any physical switch port can belong to only one LAG.
Page 165: Configuring A Static Lag
Configuring a Static LAG In the following example, three ports are aggregated between two switches. Figure 10. LAG Configuration Example Application Switch Application Switch LAG 3: Ports 2, 12, and 22 Lenovo Blade LAG 1: Ports EXT1, EXT2, and EXT3 Switch Lenovo Blade Chassis Prior to configuring each switch in the preceding example, you must connect to the appropriate switch’s Command Line Interface (CLI) as the administrator. Note: For details about accessing and using any of the menu commands described in this example, see the Lenovo ENOS Command Reference. © Copyright Lenovo 2018...
Page 166 1. Connect the switch ports that will be members in the LAG. 2. Configure the LAG using these steps on the NE2552E: a. Define a LAG. NE2552E(config)# portchannel 1 port ext1,ext2,ext3 (Add ports to LAG 1) NE2552E(config)# portchannel 1 enable b. Verify the configuration. NE2552E(config)# show portchannel information Examine the resulting information. If any settings are incorrect, make appropriate changes. 3. Repeat the process on the other switch. NE2552E(config)# portchannel 3 port 2,12,22 NE2552E(config)# portchannel 3 enable LAG 1 (on the NE2552E) is now connected to LAG 3 on the Application Switch. Note: In this example, a NE2552E and an application switch are used. If a third‐party device supporting link aggregation is used (such as Cisco routers and switches with EtherChannel technology or Sunʹs Quad Fast Ethernet Adapter), LAGs on the third‐party device should be configured manually. Connection ...
Page 167: Configurable Lag Hash Algorithm
For Layer 3 IPv4/IPv6 traffic, one of the following are permitted: Source IP address (sip)  NE2552E(config)# portchannel thash l3thash l3-source-ip-address Destination IP address (dip)  NE2552E(config)# portchannel thash l3thash l3-destination-ip-address Both source and destination IP address (enabled by default)  NE2552E(config)# portchannel thash l3thash l3-source-destination-ip If Layer 2 hashing is preferred for Layer 3 traffic, disable the Layer 3 sip and dip hashing options and enable the useL2 option: NE2552E(config)# portchannel thash l3thash l3-use-l2-hash © Copyright Lenovo 2018 Chapter 9: Ports and Link Aggregation (LAG)
Page 168 Layer 3 traffic will then use Layer 2 options for hashing.  Ingress port number (disabled by default) NE2552E(config)# portchannel thash ingress Layer 4 port information (disabled by default)  NE2552E(config)# portchannel thash l4port When enabled, Layer 4 port information (TCP, UPD, etc.) is added to the hash if available. The L4port option is ignored when Layer 4 information is not included in the packet (such as for Layer 2 packets) or when the useL2 option is enabled. Note: For MPLS packets, Layer 4 port information is excluded from the hash calculation. Instead, other IP fields are used, along with the first two MPLS labels. NE2552E Application Guide for ENOS 8.4...
Page 169: Link Aggregation Control Protocol
Admin key: a port’s admin key is an integer value (1 ‐ 65535) that you can configure in the CLI. Each NE2552E port that participates in the same LACP LAG must have the same admin key value. The admin key is locally significant, which means the partner switch does not need to use the same admin key value. For example, consider two switches, an Actor (the NE2552E) and a Partner (another switch), as shown in Table Table 17. Actor vs. Partner LACP configuration Actor Switch Partner Switch 1 Port 38 (admin key = 100) Port 1 (admin key = 50) Port 39 (admin key = 100) Port 2 (admin key = 50) Port 40 (admin key = 100) Port 3 (admin key = 70) In the configuration shown in Table 17, Actor switch ports 38 and 39 aggregate to form an LACP LAG with Partner switch ports 1 and 2. Only ports with the same LAG ID are aggregated in the LAG. Actor switch port 40 is not aggregated in the LAG because it has a different LAG ID. Switch ports configured with the same admin key on the Actor switch but have a different LAG ID (due to Partner switch admin key configuration or due to partner switch MAC address being different) can be aggregated in another LAG i.e. Actor switch port 40 can be aggregated in another LAG with ports that have the same LAG ID as port 40. © Copyright Lenovo 2018 Chapter 9: Ports and Link Aggregation (LAG)
Page 170: Lacp Modes
To avoid the Actor switch ports (with the same admin key) from aggregating in another LAG, you can configure a LAG ID. Ports with the same admin key (although with different LAG IDs) compete to get aggregated in a LAG. The LAG ID for the LAG is decided based on the first port that is aggregated in the LAG. Ports with this LAG ID get aggregated and the other ports are placed in suspended mode. As per the configuration shown in Table 17, if port 38 gets aggregated first, then the LAG ID of port 38 would be the LAG ID of the LAG. Port 40 would be placed in suspended mode. When in suspended mode, a port transmits only LACP data units (LACPDUs) and discards all other traffic. A port may also be placed in suspended mode for the following reasons:  When LACP is configured on the port but it stops receiving LACPDUs from the partner switch.  When the port has a different LAG ID because of the partner switch MAC being different. For example: when a switch is connected to two partners. LAG ID can be configured using the following command: NE2552E(config)# portchannel <53‐104> lacp key <adminkey of the LAG> LACP provides for the controlled addition and removal of physical links for the link aggregation. LACP Modes Each port in the NE2552E can have one of the following LACP modes. off (default)  The user can configure this port in to a regular static LAG. active  The port is capable of forming a LACP LAG. This port sends LACPDU packets to partner system ports. passive  The port is capable of forming a LACP LAG. This port only responds to the LACPDU packets sent from a LACP active port. Each active LACP port transmits LACP data units (LACPDUs), while each passive ...
Page 171: Lacp Individual
NE2552E(config)# interface port <port> NE2552E(config-if)# no lacp suspend-individual This allows the selected ports to be treated as normal link‐up ports, which may forward data traffic according to STP, Hot Links or other applications, if they do not receive any LACPDUs. To configure the LACP individual setting for all the ports in a static LACP LAG, use the following commands: NE2552E(config-if)# interface portchannel lacp <LAG admin key> NE2552E(config-if)# [no] lacp suspend-individual Note: By default, ports are configured as below: external ports with lacp suspend-individual  internal ports with no lacp suspend-individual  © Copyright Lenovo 2018 Chapter 9: Ports and Link Aggregation (LAG)
Page 172: Configuring Lacp
Configuring LACP Use the following procedure to configure LACP for ports INTA1 and INTA2 to participate in a single link aggregation. 1. Configure port parameters. All ports that participate in the LACP LAG must have the same settings, including VLAN membership. 2. Select the port range and define the admin key. Only ports with the same admin key can form a LACP LAG. NE2552E(config)# interface port inta1-inta2 NE2552E(config-if)# lacp key 100 3. Set the LACP mode. NE2552E(config-if)# lacp mode active NE2552E(config-if)# exit 4. Optionally allow member ports to individually participate in normal data traffic if no LACPDUs are received. NE2552E(config-if)# no lacp suspend-individual NE2552E(config-if)# exit 5. Set the link aggregation as static, by associating it with LAG ID 65: NE2552E(config-if)# portchannel 65 lacp key 100 NE2552E Application Guide for ENOS 8.4...
Page 173: Chapter 10. Spanning Tree Protocols
Chapter 10. Spanning Tree Protocols When multiple paths exist between two points on a network, Spanning Tree Protocol (STP), or one of its enhanced variants, can prevent broadcast loops and ensure that the NE2552E Flex Switch (NE2552E) uses only the most efficient network path. This chapter covers the following topics:  “Spanning Tree Protocol Modes” on page 174  “Global STP Control” on page 174  “PVRST Mode” on page 175  “Rapid Spanning Tree Protocol” on page 187  “Multiple Spanning Tree Protocol” on page 189 “Port Type and Link Type” on page 193  © Copyright Lenovo 2018...
Page 174: Spanning Tree Protocol Modes
Spanning Tree Protocol Modes Lenovo ENOS 8.4 supports the following STP modes:  Rapid Spanning Tree Protocol (RSTP) IEEE 802.1D (2004) RSTP allows devices to detect and eliminate logical loops in a bridged or switched network. When multiple paths exist, STP configures the network so that only the most efficient path is used. If that path fails, STP automatically configures the best alternative active path on the network in order to sustain network operations. RSTP is an enhanced version of IEEE 802.1D (1998) STP, providing more rapid convergence of the Spanning Tree network path states on STG 1. See “Rapid Spanning Tree Protocol” on page 187 for details.  Per‐VLAN Rapid Spanning Tree (PVRST+) PVRST mode is based on RSTP to provide rapid Spanning Tree convergence, but supports instances of Spanning Tree, allowing one STG per VLAN. PVRST mode is compatible with Cisco R‐PVST/R‐PVST+ mode. PVRST is the default Spanning Tree mode on the NE2552E. See “PVRST Mode” on page 175 for details.  Multiple Spanning Tree Protocol (MSTP) IEEE 802.1Q (2003) MSTP provides both rapid convergence and load balancing in a VLAN environment. MSTP allows multiple STGs, with multiple VLANs in each. See “Multiple Spanning Tree Protocol” on page 189 for details. Global STP Control By default, the Spanning Tree feature is globally enabled on the switch, and is set for PVRST mode. Spanning Tree (and thus any currently configured STP mode) can be globally disabled or re‐enabled using the following commands: (Globally disable Spanning Tree) NE2552E(config)# spanning-tree mode disable Spanning Tree can be re‐enabled by specifying the STP mode: ...
Page 175: Pvrst Mode
IEEE 802.1Q tagging to differentiate STP BPDUs and is compatible with Cisco R‐PVST/R‐PVST+ modes. The relationship between ports, LAGs, VLANs and Spanning Trees is shown in Table Table 18. Ports, LAGs and VLANs Switch Element Belongs To Port LAG or one or more VLANs One or more VLANs VLAN (non‐default)  PVRST: One VLAN per STG  RSTP: All VLANs are in STG 1 MSTP: Multiple VLANs per STG  Port States The port state controls the forwarding and learning processes of Spanning Tree. In PVRST, the port state has been consolidated to the following: discarding, learning or forwarding. Due to the sequence involved in these STP states, considerable delays may occur while paths are being resolved. To mitigate delays, ports defined as edge ports (“Port Type and Link Type” on page 193) may bypass the discarding and learning states, and enter directly into the forwarding state. © Copyright Lenovo 2018 Chapter 10: Spanning Tree Protocols...
Page 176: Bridge Protocol Data Units
Bridge Protocol Data Units To create a Spanning Tree, the switch generates a configuration Bridge Protocol Data Unit (BPDU), which it then forwards out of its ports. All switches in the Layer 2 network participating in the Spanning Tree gather information about other switches in the network through an exchange of BPDUs. A bridge sends BPDU packets at a configurable regular interval (2 seconds by default). The BPDU is used to establish a path, much like a hello packet in IP routing. BPDUs contain information about the transmitting bridge and its ports, including bridge MAC addresses, bridge priority, port priority, and path cost. If the ports are tagged, each port sends out a special BPDU containing the tagged information. The generic action of a switch on receiving a BPDU is to compare the received BPDU to its own BPDU that it will transmit. If the priority of the received BPDU is better than its own priority, it will replace its BPDU with the received BPDU. Then, the switch adds its own bridge ID number and increments the path cost of the BPDU. The switch uses this information to block any necessary ports. Note: If STP is globally disabled, BPDUs from external devices will transit the switch transparently. If STP is globally enabled, for ports where STP is turned off, inbound BPDUs will instead be discarded. Determining the Path for Forwarding BPDUs When determining which port to use for forwarding and which port to block, the NE2552E uses information in the BPDU, including each bridge ID. A technique based on the “lowest root cost” is then computed to determine the most efficient path for forwarding. Bridge Priority The bridge priority parameter controls which bridge on the network is the STG root bridge. To make one switch become the root bridge, configure the bridge priority lower than all other switches and bridges on your network. The lower the value, the higher the bridge priority. Use the following command to configure the bridge priority: NE2552E(config)# spanning-tree stp <STP instance or range>...
Page 177: Port Priority
NE2552E(config-if)# spanning-tree guard root The default state is none (disabled). Loop Guard In general, STP resolves redundant network topologies into loop‐free topologies. The loop guard feature performs additional checking to detect loops that might not be found using Spanning Tree. STP loop guard ensures that a non‐designated port does not become a designated port. To globally enable loop guard, enter the following command: NE2552E(config)# spanning-tree loopguard Note: The global loop guard command will be effective on a port only if the port‐level loop guard command is set to default as shown below: NE2552E(config-if)# spanning-tree guard loop none To enable loop guard at the port level, enter the following command: NE2552E(config)# interface port <port> NE2552E(config-if)# spanning-tree guard loop The default state is “none”, i.e. disabled. © Copyright Lenovo 2018 Chapter 10: Spanning Tree Protocols...
Page 178: Port Path Cost
Port Path Cost The port path cost assigns lower values to high‐bandwidth ports, such as 10 Gigabit Ethernet, to encourage their use. The cost of a port also depends on whether the port operates at full‐duplex (lower cost) or half‐duplex (higher cost). For example, if a 100‐Mbps (Fast Ethernet) link has a “cost” of 10 in half‐duplex mode, it will have a cost of 5 in full‐duplex mode. The objective is to use the fastest links so that the route with the lowest cost is chosen. A value of 0 (the default) indicates that the default cost will be computed for an auto‐negotiated link or LAG speed. Use the following command to modify the port path cost: NE2552E(config)# interface port <port> NE2552E(config-if)# spanning-tree stp <STP instance or range> path-cost <path cost value> NE2552E(config-if)# exit The port path cost can be a value from 1 to 200000000. Specify 0 for automatic path cost. Simple STP Configuration Figure 11 depicts a simple topology using a switch‐to‐switch link between two switches (via either external ports or internal Inter‐Switch Links). Figure 11. Spanning Tree Blocking a Switch‐to‐Switch Link Enterprise Routing Switches Switch 1 Switch 2 Blocks Link Server...
Page 179 Uplink Routing Failure Switches Switch 1 Switch 2 Restores Link Server Server Server Server In this example, port EXT1 on each switch is used for the switch‐to‐switch link. To ensure that the NE2552E switch‐to‐switch link is blocked during normal operation, the port path cost is set to a higher value than other paths in the network. To configure the port path cost on the switch‐to‐switch links in this example, use the following commands on each switch. NE2552E(config)# interface port EXT1 NE2552E(config-if)# spanning-tree stp 1 path-cost 60000 NE2552E(config-if)# exit © Copyright Lenovo 2018 Chapter 10: Spanning Tree Protocols...
Page 180: Per-Vlan Spanning Tree Groups
Per-VLAN Spanning Tree Groups PVRST mode supports a maximum of 128/256 STGs, with each STG acting as an independent, simultaneous instance of STP. Multiple STGs provide multiple data paths which can be used for load‐balancing and redundancy. To enable load balancing between two NE2552Es using multiple STGs, configure each path with a different VLAN and then assign each VLAN to a separate STG. Since each STG is independent, they each send their own IEEE 802.1Q tagged Bridge Protocol Data Units (BPDUs). Each STG behaves as a bridge group and forms a loop‐free topology. The default STG 1 may contain multiple VLANs (typically until they can be assigned to another STG). STGs 2‐128/256 may contain only one VLAN each. Using Multiple STGs to Eliminate False Loops Figure 13 shows a simple example of why multiple STGs are needed. In the figure, two ports on a NE2552E are connected to two ports on an application switch. Each of the links is configured for a different VLAN, preventing a network loop. However, in the first network, since a single instance of Spanning Tree is running on all the ports of the NE2552E, a physical loop is assumed to exist, and one of the VLANs is blocked, impacting connectivity even though no actual loop exists. Figure 13. Using Multiple Instances of Spanning Tree Group Switch 1 Switch 2 STG 1 STG 2 False VLAN 1 VLAN 30...
Page 181: Vlan And Stg Assignment
By default, all other STGs (STG 2 through 127/255) are enabled, though they initially include no member VLANs. VLANs must be assigned to STGs. By default, this is done automatically using VLAN Automatic STG Assignment (VASA), though it can also be done manually (see “Manually Assigning STGs” on page 182). When VASA is enabled (as by default), each time a new VLAN is configured, the switch will automatically assign that new VLAN to its own STG. Conversely, when a VLAN is deleted, if its STG is not associated with any other VLAN, the STG is returned to the available pool. The specific STG number to which the VLAN is assigned is based on the VLAN number itself. For low VLAN numbers (1 through 127/255), the switch will attempt to assign the VLAN to its matching STG number. For higher numbered VLANs, the STG assignment is based on a simple modulus calculation; the attempted STG number will “wrap around,” starting back at the top of STG list each time the end of the list is reached. However, if the attempted STG is already in use, the switch will select the next available STG. If an empty STG is not available when creating a new VLAN, the VLAN is automatically assigned to default STG 1. If ports are tagged, each tagged port sends out a special BPDU containing the tagged information. Also, when a tagged port belongs to more than one STG, the egress BPDUs are tagged to distinguish the BPDUs of one STG from those of another STG. VASA is enabled by default, but can be disabled or re‐enabled using the following command: NE2552E(config)# [no] spanning-tree stg-auto If VASA is disabled, when you create a new VLAN, that VLAN automatically belongs to default STG 1. To place the VLAN in a different STG, assign it manually. VASA applies only to PVRST mode and is ignored in RSTP and MSTP modes. © Copyright Lenovo 2018 Chapter 10: Spanning Tree Protocols...
Page 182: Manually Assigning Stgs
Manually Assigning STGs The administrator may manually assign VLANs to specific STGs, whether or not VASA is enabled. If no VLANs exist (other than default VLAN 1), see “Guidelines for Creating VLANs” on page 182 for information about creating VLANs and assigning ports to them. 2. Assign the VLAN to an STG using one of the following methods: From the global configuration mode:  NE2552E(config)# spanning-tree stp <STP instance or range> vlan <VLAN> Or from within the VLAN configuration mode:  NE2552E(config)# vlan <VLAN number> NE2552E(config-vlan)# stg <STG number> NE2552E(config-vlan)# exit When a VLAN is assigned to a new STG, the VLAN is automatically removed from its prior STG. Note: For proper operation with switches that use Cisco PVST+, it is recommended that you create a separate STG for each VLAN. Guidelines for Creating VLANs  When you create a new VLAN, if VASA is enabled (the default), that VLAN is automatically assigned its own STG. If VASA is disabled, the VLAN ...
Page 183: Adding And Removing Ports From Stgs
VLAN is 3. Confirm changing PVID/Native VLAn from 3 to 1 [y/n]:" y  When you remove a port from VLAN that belongs to an STG, that port will also be removed from the STG. However, if that port belongs to another VLAN in the same STG, the port remains in the STG. As an example, assume that port 2 belongs to only VLAN 2, and that VLAN 2 belongs to STG 2. When you remove port 2 from VLAN 2, the port is moved to default VLAN 1 and is removed from STG 2. However, if port 2 belongs to both VLAN 1 and VLAN 2, and both VLANs belong to STG 1, removing port 2 from VLAN 2 does not remove port 2 from STG 1, because the port is still a member of VLAN 1, which is still a member of STG 1.  An STG cannot be deleted, only disabled. If you disable the STG while it still contains VLAN members, Spanning Tree will be off on all ports belonging to that VLAN. The relationship between port, LAGs, VLANs and Spanning Trees is shown in Table 18 on page 175. © Copyright Lenovo 2018 Chapter 10: Spanning Tree Protocols...
Page 184: Switch-Centric Configuration
Switch-Centric Configuration PVRST is switch‐centric: STGs are enforced only on the switch where they are configured. The STG ID is not transmitted in the Spanning Tree BPDU. Each Spanning Tree decision is based entirely on the configuration of the particular switch. For example, in Figure 14, though VLAN 2 is shared by the Switch A and Switch B, each switch is responsible for the proper configuration of its own ports, VLANs, and STGs. Switch A identifies its own port 17 as part of VLAN 2 on STG 2, and the Switch B identifies its own port 8 as part of VLAN 2 on STG 2. Figure 14. Implementing Multiple Spanning Tree Groups Chassis Application Switch A Switch B STG 2 VLAN 2 STG 3 VLAN 3 STG 1 VLAN 1 Application Application Switch C Switch D The VLAN participation for each Spanning Tree Group in Figure 14 on page 184 is ...
Page 185: Configuring Multiple Stgs
NE2552E(config)# vlan 2 NE2552E(config-vlan)# stg 2 NE2552E(config-vlan)# exit NE2552E(config)# interface port 8 NE2552E(config-if)# switchport mode trunk NE2552E(config-if)# exit If VASA is disabled, enter the following command: NE2552E(config)# spanning-tree stp 2 vlan 2 © Copyright Lenovo 2018 Chapter 10: Spanning Tree Protocols...
Page 186 VLAN 2 is automatically removed from STG 1. By default VLAN 1 remains in STG 1. 4. Configure the following on application switch C: Add port 8 to VLAN 3. Ports 1 and 2 are by default in VLAN 1 assigned to STG 1. NE2552E(config)# vlan 3 NE2552E(config-vlan)# stg 3 NE2552E(config-vlan)# exit NE2552E(config)# interface port 8 NE2552E(config-if)# switchport mode trunk NE2552E(config-if)# exit If VASA is disabled, enter the following command: NE2552E(config)# spanning-tree stp 3 vlan 3 VLAN 3 is automatically removed from STG 1. By default VLAN 1 remains in STG 1. Switch D does not require any special configuration for multiple Spanning Trees. Switch D uses default STG 1 only.
Page 187: Rapid Spanning Tree Protocol
IEEE 802.1D (2004), superseding the original STP standard. RSTP parameters apply only to Spanning Tree Group (STG) 1. The PVRST mode STGs 2‐128/256 are not used when the switch is placed in RSTP mode.RSTP is compatible with devices that run IEEE 802.1D (1998) Spanning Tree Protocol. If the switch detects IEEE 802.1D (1998) BPDUs, it responds with IEEE 802.1D (1998)‐compatible data units. RSTP is not compatible with Per‐VLAN Rapid Spanning Tree (PVRST) protocol. Note: In RSTP mode, Spanning Tree for the management ports is turned off by default. Port States RSTP port state controls are the same as for PVRST: discarding, learning and forwarding. Due to the sequence involved in these STP states, considerable delays may occur while paths are being resolved. To mitigate delays, ports defined as edge ports (“Port Type and Link Type” on page 193) may bypass the discarding and learning states, and enter directly into the forwarding state. RSTP Configuration Guidelines This section provides important information about configuring RSTP. When RSTP is turned on, the following occurs:  STP parameters apply only to STG 1.  Only STG 1 is available. All other STGs are turned off.  All VLANs, including management VLANs, are moved to STG 1. © Copyright Lenovo 2018 Chapter 10: Spanning Tree Protocols...
Page 188: Rstp Configuration Example
RSTP Configuration Example This section provides steps to configure RSTP. 1. Configure port and VLAN membership on the switch. 2. Set the Spanning Tree mode to Rapid Spanning Tree. NE2552E(config)# spanning-tree mode rstp 3. Configure RSTP parameters. NE2552E(config)# spanning-tree stp 1 bridge priority 8192 NE2552E(config)# spanning-tree stp 1 bridge hello-time 5 NE2552E(config)# spanning-tree stp 1 bridge forward-delay 20 NE2552E(config)# spanning-tree stp 1 bridge maximum-age 30 NE2552E(config)# no spanning-tree stp 1 enable 4.
Page 189: Multiple Spanning Tree Protocol
Type and Link Type” on page 193) bypass the Discarding and Learning states, and enter directly into the Forwarding state. Note: In MSTP mode, Spanning Tree for the management ports is turned off by default. MSTP Region A group of interconnected bridges that share the same attributes is called an MST region. Each bridge within the region must share the following attributes:  Alphanumeric name Revision number   VLAN‐to STG mapping scheme MSTP provides rapid re‐configuration, scalability and control due to the support of regions, and multiple Spanning‐Tree instances support within each region. Common Internal Spanning Tree The Common Internal Spanning Tree (CIST) provides a common form of Spanning Tree Protocol, with one Spanning‐Tree instance that can be used throughout the MSTP region. CIST allows the switch to interoperate with legacy equipment, including devices that run IEEE 802.1D (1998) STP. CIST allows the MSTP region to act as a virtual bridge to other bridges outside of the region, and provides a single Spanning‐Tree instance to interact with them. CIST port configuration includes Hello time, Edge port enable/disable, and Link Type. These parameters do not affect Spanning Tree Groups 1–32. They apply only when the CIST is used. © Copyright Lenovo 2018 Chapter 10: Spanning Tree Protocols...
Page 190: Mstp Configuration Guidelines
MSTP Configuration Guidelines This section provides important information about configuring Multiple Spanning Tree Groups: When MSTP is turned on, the switch automatically moves management VLAN  4095 to the CIST. When MSTP is turned off, the switch moves VLAN 4095 from the CIST to Spanning Tree Group 128/256.  When you enable MSTP, you must configure the Region Name. A default version number of 0 is configured automatically. Each bridge in the region must have the same name, version number and VLAN  mapping. MSTP Configuration Examples MSTP Configuration Example 1 This section provides steps to configure MSTP on the NE2552E. 1. Configure port and VLAN membership on the switch. 2. Configure Multiple Spanning Tree region parameters and set the mode to MSTP. NE2552E(config)# spanning-tree mst configuration (Enter MST configuration mode) NE2552E(config-mst)# name <name> (Define the Region name) NE2552E(config-mst)# revision 100 (Define the Revision level) NE2552E(config-mst)# exit NE2552E(config)# spanning-tree mode mst (Set mode to Multiple Spanning Trees) 3.
Page 191: Mstp Configuration Example 2
Routing switches. NE2552E(config)# interface port 19,20 NE2552E(config-if)# switchport mode trunk NE2552E(config-if)# exit 2. Configure MSTP: Spanning Tree mode, region name, and version. NE2552E(config)# spanning-tree mst configuration NE2552E(config-mst)# name MyRegion (Define the Region name) NE2552E(config-mst)# revision 100 (Define the Revision level) NE2552E(config-mst)# exit NE2552E(config)# spanning-tree mode mst (Set mode to Multiple Spanning Trees) © Copyright Lenovo 2018 Chapter 10: Spanning Tree Protocols...
Page 192 3. Map VLANs to MSTP instances: NE2552E(config)# spanning-tree mst configuration NE2552E(config-mst)# instance 1 vlan 1 NE2552E(config-mst)# instance 2 vlan 2 4. Configure port membership and define the STGs for VLAN 2. Add server ports 3, 4 and 5 to VLAN 2. Add uplink ports 19 and 20 to VLAN 2. Assign VLAN 2 to STG 2. NE2552E(config)# interface port 3,4,5,19,20 NE2552E(config-if)# switchport access vlan 2 NE2552E(config-if)# exit Note: Each STG is enabled by default. NE2552E Application Guide for ENOS 8.4...
Page 193: Port Type And Link Type
NE2552E(config-if)# exit Link Type The link type determines how the port behaves in regard to Rapid Spanning Tree. Use the following commands to define the link type for the port: NE2552E(config)# interface port <port> NE2552E(config-if)# [no] spanning-tree link-type <type> NE2552E(config-if)# exit where type corresponds to the duplex mode of the port, as follows:  A full‐duplex link to another device (point‐to‐point) shared  A half‐duplex link is a shared segment and can contain more than one device. auto  The switch dynamically configures the link type. Note: Any STP port in full‐duplex mode can be manually configured as a shared port when connected to a non‐STP‐aware shared device (such as a typical Layer 2 switch) used to interconnect multiple STP‐aware devices. © Copyright Lenovo 2018 Chapter 10: Spanning Tree Protocols...
Page 194 NE2552E Application Guide for ENOS 8.4...
Page 195: Chapter 11. Virtual Link Aggregation Groups
Peers Layer STP blocks Links remain VLAGs implicit loops active Access Layer Servers As shown in the example, a switch in the access layer may be connected to more than one switch in the aggregation layer to provide for network redundancy. Typically, Spanning Tree Protocol (RSTP, PVRST, or MSTP—see “Spanning Tree Protocols” on page 173) is used to prevent broadcast loops, blocking redundant uplink paths. This has the unwanted consequence of reducing the available bandwidth between the layers by as much as 50%. In addition, STP may be slow to resolve topology changes that occur during a link failure, and can result in considerable MAC address flooding. Using Virtual Link Aggregation Groups (VLAGs), the redundant uplinks remain active, utilizing all available bandwidth. Two switches are paired into VLAG peers, and act as a single virtual entity for the purpose of establishing a multi‐port aggregation. Ports from both peers can be grouped into a VLAG and connected to the same LAG‐capable target device. From the perspective of the target device, the ports connected to the VLAG peers appear to be a single LAG connecting to a single logical device. The target device uses the configured Tier ID to identify the VLAG peers as this single logical device. It is important that you use a unique Tier ID for each VLAG pair you configure. The VLAG‐capable switches synchronize their logical view of the access layer port structure and internally prevent implicit loops. The VLAG topology also responds more quickly to link failure and does not result in unnecessary MAC flooding. VLAGs are also useful in multi‐layer environments for both uplink and downlink redundancy to any regular LAG‐capable device. For example: © Copyright Lenovo 2018...
Page 196 Figure 17. VLAG Application with Multiple Layers Layer 2/3 Border LACP-capable Routers VLAG 5 VLAG 6 Layer 2 Region VLAG with multiple levels Peers C VLAG 3 VLAG 3 VLAG 4 VLAG VLAG Peers A Peers B VLAG 1 VLAG 2 LACP-capable Switch LACP-capable Server Servers Wherever ports from both peered switches are aggregated to another device, the ...
Page 197 In addition, when used with VRRP, VLAGs can provide seamless active‐active failover for network links. For example: Figure 18. VLAG Application with VRRP VLAG Peers VRRP VRRP VLAG Master Backup Note: VLAG is not compatible with UFP vPorts on the same ports. © Copyright Lenovo 2018 Chapter 11: Virtual Link Aggregation Groups...
Page 198: Vlag Capacities
VLAG Capacities Servers or switches that connect to the VLAG peers using a multi‐port VLAG are considered VLAG clients. VLAG clients are not required to be VLAG‐capable. The ports participating in the VLAG are configured as regular port LAGs on the VLAG client end. On the VLAG peers, the VLAGs are configured similarly to regular port LAGs, using many of the same features and rules. See “Ports and Link Aggregation (LAG)” on page 155 for general information concerning all port LAGs. Each VLAG begins as a regular port LAG on each VLAG‐peer switch. The VLAG may be either a static LAG (portchannel) or dynamic LACP LAG and consumes one slot from the overall port LAG capacity pool. The type of aggregation must match that used on VLAG client devices. Additional configuration is then required to implement the VLAG on both VLAG peer switches. You may configure up to 52 LAGs on the switch, with all types (regular or VLAG, static or LACP) sharing the same pool. The maximum number of configurable VLAG instances is as follows: With STP off: Maximum of 31 VLAG instances   With STP on: PVRST/MSTP with one VLAG instance per VLAN/STG: Maximum of 31  VLAG instances PVRST/MSTP with one VLAG instance belonging to multiple  VLANs/STGs: Maximum of 20 VLAG instances Note: VLAG is not supported in RSTP mode. Each type of aggregation can contain up to 32 member ports, depending on the port type and availability. NE2552E Application Guide for ENOS 8.4...
Page 199: Vlags Versus Port Lags
 A VLAG can consist of multiple ports on two VLAG peers, which are connected to one logical client device such as a server, switch or another VLAG device.  The participating ports on the client device are configured as a regular port LAG.  The VLAG peers must be the same model and run the same software version.  VLAG peers require a dedicated inter‐switch link (ISL) for synchronization. The ports used to create the ISL must have the following properties: ISL ports must have VLAN tagging turned on.  ISL ports must be configured for all VLAG VLANs.  ISL ports must be placed into a regular port LAG (dynamic or static).  A minimum of two ports on each switch are recommended for ISL use.  Dynamic routing protocols, such as OSPF, cannot terminate on VLAGs.   Routing over VLAGs is not supported. However, IP forwarding between subnets served by VLAGs can be accomplished using VRRP.  VLAGs are configured using additional commands.  It is recommended that end‐devices connected to VLAG switches use NICs with dual‐homing. This increases traffic efficiency, reduces ISL load and provides faster link failover. © Copyright Lenovo 2018 Chapter 11: Virtual Link Aggregation Groups...
Page 200: Configuring Vlags
Configuring VLAGs When configuring VLAG or making changes to your VLAG configuration, consider the following VLAG behavior:  When adding a static Mrouter on VLAG links, ensure that you also add it on the ISL link to avoid VLAG link failure. If the VLAG link fails, traffic cannot be recovered through the ISL. Also, make sure you add the same static entry on the peer VLAG switch for VLAG ports. When you enable VLAG on the switch, if a MSTP region mismatch is detected  with the VLAG peer, the ISL will shut down. In such a scenario, correct the region on the VLAG peer and manually enable the ISL.  If you have enabled VLAG on the switch, and you need to change the STP mode, ensure that you first disable VLAG and then change the STP mode. When VLAG is enabled, you may see two root ports on the secondary VLAG  switch. One of these will be the actual root port for the secondary VLAG switch and the other will be a root port synced with the primary VLAG switch.  The LACP key used must be unique for each VLAG in the entire topology.  The STG to VLAN mapping on both VLAG peers must be identical. The following parameters must be identically configured on the VLAG ports of both the VLAG peers:  VLANs Native VLAN tagging   Native VLAN/PVID STP mode   BPDU Guard setting STP port setting   MAC aging timers Static MAC entries ...
Page 201: Basic Vlag Configuration
Mgmt IP: 10.10.10.2/24 LACP 200 VLAN 4094 VLAG 1 VLAG 2 LACP 1000 LACP 2000 VLAN 100 VLAN 100 Client Switch Client Switch In this example, each client switch is connected to both VLAG peers. On each client switch, the ports connecting to the VLAG peers are configured as a dynamic LACP port LAG. The VLAG peer switches share a dedicated ISL for synchronizing VLAG information. On the individual VLAG peers, each port leading to a specific client switch (and part of the client switch’s port LAG) is configured as a VLAG. In the following example configuration, only the configuration for VLAG 1 on VLAG Peer 1 is shown. VLAG Peer 2 and all other VLAGs are configured in a similar fashion. © Copyright Lenovo 2018 Chapter 11: Virtual Link Aggregation Groups...
Page 202: Configure The Isl
Configure the ISL The ISL connecting the VLAG peers is shared by all their VLAGs. The ISL needs to be configured only once on each VLAG peer. 1. Configure STP if required. Use PVRST or MSTP mode only: NE2552E(config)# spanning-tree mode pvrst 2. Configure the ISL ports and place them into a LAG (dynamic or static): NE2552E(config)# interface port 1-2 NE2552E(config-if)# switchport mode trunk NE2552E(config-if)# lacp mode active NE2552E(config-if)# lacp key 200 NE2552E(config-if)# exit NE2552E(config)# vlag isl adminkey 200 Notes:  In this case, a dynamic LAG is shown. A static LAG (portchannel) could be configured instead. ISL ports and VLAG ports must be members of the same VLANs.
Page 203: Configure The Vlag
NE2552E(config-if)# lacp mode active NE2552E(config-if)# lacp key 1000 NE2552E(config-if)# exit 3. Assign the LAG to the VLAG: NE2552E(config)# vlag adminkey 1000 enable 4. Continue by configuring all required VLAGs on VLAG Peer 1 and then repeat the configuration for VLAG Peer 2. For each corresponding VLAG on the peer, the port LAG type (dynamic or static), the port’s VLAN, and STP mode and ID must be the same as on VLAG Peer 1. 5. Enable VLAG globally. NE2552E(config)# vlag enable 6. Verify the completed configuration: NE2552E(config)# show vlag information © Copyright Lenovo 2018 Chapter 11: Virtual Link Aggregation Groups...
Page 204: Vlag Configuration - Vlans Mapped To Msti
VLAG Configuration - VLANs Mapped to MSTI Follow the steps in this section to configure VLAG in environments where the STP mode is MSTP and no previous VLAG was configured. Configure the ISL The ISL connecting the VLAG peers is shared by all their VLAGs. The ISL needs to be configured only once on each VLAG peer. Ensure you have the same region name, revision and VLAN‐to‐STG mapping on both VLAG switches. 1. Configure STP: NE2552E(config)# spanning-tree mode mst 2. Configure the ISL ports and place them into a portchannel (dynamic or static): NE2552E(config)# interface port 1-2 NE2552E(config-if)# switchport mode trunk NE2552E(config-if)# lacp mode active NE2552E(config-if)# lacp key 200 NE2552E(config-if)# exit NE2552E(config)# vlag isl adminkey 200 Note: a.
Page 205: Configure The Vlag
NE2552E(config-if)# lacp mode active NE2552E(config-if)# lacp key 1000 NE2552E(config-if)# exit NE2552E(config)# vlag adminkey 1000 enable 4. Enable VLAG: NE2552E(config)# vlag enable 5. Continue by configuring all required VLAGs on VLAG Peer 1, and then follow the steps for configuring VLAG Peer 2. For each corresponding VLAG on the peer, the port LAG type (dynamic or static), the port’s VLAN and STP mode and ID must be the same as on VLAG Peer 1. 6. Verify the completed configuration: NE2552E# show vlag information © Copyright Lenovo 2018 Chapter 11: Virtual Link Aggregation Groups...
Page 206: Configuring Health Check
Configuring Health Check We strongly recommend that you configure the NE2552E to check the health status of its VLAG peer. Although the operational status of the VLAG peer is generally determined via the ISL connection, configuring a network health check provides an alternate means to check peer status in case the ISL links fail. Use an independent link between the VLAG switches to configure health check. Note: Configuring health check on an ISL VLAN interface or on a VLAG data port may impact the accuracy of the health check status. 1. Configure a management interface for the switch. Note: If the switch does not have a dedicated management interface, configure a VLAN for the health check interface. The health check interface can be configured with an IPv4 or IPv6 address: NE2552E(config)# interface ip 127 NE2552E(config-ip-if)# ip address 10.10.10.1 255.255.255.0 NE2552E(config-ip-if)# enable NE2552E(config-ip-if)# exit Note: Configure a similar interface on VLAG Peer 2. For example, use IP address 10.10.10.2. 2. Specify the IPv4 or IPv6 address of the VLAG Peer: NE2552E(config)# vlag hlthchk peer-ip 10.10.10.2 Note: For VLAG Peer 2, the management interface would be configured as ...
Page 207: Vlags With Vrrp
NE2552E(config)# router ospf NE2552E(config-router-ospf)# area 1 area-id 0.0.0.1 NE2552E(config-router-ospf)# enable NE2552E(config-router-ospf)# exit Although OSPF is used in this example, static routing could also be deployed. For more information, see “OSPF” on page 389 or “Basic IP Routing” on page 315. 3. Configure a server‐facing interface. NE2552E(config)# interface ip 3 NE2552E(config-ip-if)# ip address 10.0.1.10 255.255.255.0 NE2552E(config-ip-if)# vlan 100 NE2552E(config-ip-if)# exit © Copyright Lenovo 2018 Chapter 11: Virtual Link Aggregation Groups...
Page 208 4. Turn on VRRP and configure the Virtual Interface Router. NE2552E(config)# router vrrp NE2552E(config-vrrp)# enable NE2552E(config-vrrp)# virtual-router 1 virtual-router-id 1 NE2552E(config-vrrp)# virtual-router 1 interface 3 NE2552E(config-vrrp)# virtual-router 1 address 10.0.1.100 NE2552E(config-vrrp)# virtual-router 1 enable 5. Set the priority of Virtual Router 1 to 101, so that it becomes the Master. NE2552E(config-vrrp)# virtual-router 1 priority 101 NE2552E(config-vrrp)# exit 6. Configure the ISL ports and place them into a port LAG: NE2552E(config)# interface port 4-5 NE2552E(config-if)# switchport mode trunk NE2552E(config-if)# lacp mode active NE2552E(config-if)# lacp key 2000...
Page 209 NE2552E(config-if)# lacp mode active NE2552E(config-if)# lacp key 1200 NE2552E(config-if)# exit 12. Assign the LAGs to the VLAGs: NE2552E(config)# vlag adminkey 1000 enable NE2552E(config)# vlag adminkey 1100 enable NE2552E(config)# vlag adminkey 1200 enable 13. Verify the completed configuration: NE2552E(config)# show vlag © Copyright Lenovo 2018 Chapter 11: Virtual Link Aggregation Groups...
Page 210: Configure Vlag Peer 2
Configure VLAG Peer 2 The VLAG peer (VLAG Peer 2) must be configured using the same ISL aggregation type (dynamic or static), the same VLAN and the same STP mode and Tier ID used on VLAG Switch 1. For each corresponding VLAG on the peer, the port LAG type (dynamic or static), VLAN and STP mode and ID must be the same as on VLAG Switch 1. 1. Configure VLAG tier ID and enable VLAG globally. NE2552E(config)# vlag tier-id 10 NE2552E(config)# vlag enable 2. Configure appropriate routing. NE2552E(config)# router ospf NE2552E(config-router-ospf)# area 1 area-id 0.0.0.1 NE2552E(config-router-ospf)# enable NE2552E(config-router-ospf)# exit Although OSPF is used in this example, static routing could also be deployed. 3. Configure a server‐facing interface. NE2552E(config)# interface ip 3 NE2552E(config-ip-if)# ip address 10.0.1.11 255.255.255.0 NE2552E(config-ip-if)# vlan 100 NE2552E(config-ip-if)# exit 4.
Page 211 NE2552E(config-ip-if)# ip ospf enable NE2552E(config-ip-if)# exit NE2552E(config)# interface ip 2 NE2552E(config-ip-if)# ip address 172.1.4.12 255.255.255.0 NE2552E(config-ip-if)# vlan 40 NE2552E(config-ip-if)# enable NE2552E(config-ip-if)# ip ospf area 1 NE2552E(config-ip-if)# ip ospf enable NE2552E(config-ip-if)# exit © Copyright Lenovo 2018 Chapter 11: Virtual Link Aggregation Groups...
Page 212 10. Place the VLAG port(s) in their port LAGs: NE2552E(config)# interface port 10 NE2552E(config-if)# lacp mode active NE2552E(config-if)# lacp key 1000 NE2552E(config-if)# exit NE2552E(config)# interface port 11 NE2552E(config-if)# lacp mode active NE2552E(config-if)# lacp key 1100 NE2552E(config-if)# exit NE2552E(config)# interface port 12 NE2552E(config-if)# lacp mode active NE2552E(config-if)# lacp key 1200 NE2552E(config-if)# exit 11.
Page 213: Two-Tier Vlags With Vrrp
Two-tier vLAGs with VRRP vLAG Active‐Active VRRP makes the secondary vLAG switch route Layer 3 traffic, thus reducing routing latency. If it is used in a two‐tier vLAG environment, there may be two VRRP master switches for one VRRP domain and their role will constantly flap. To prevent such occurrences, there are two vLAG VRRP modes: 1. vLAG VRRP Active (Full Active‐Active) mode In active mode, Layer 3 traffic is forwarded in all vLAG related VRRP domains. To enable vLAG VRRP active mode on a switch, use the following command: NE2552E(config)# vlag vrrp active Note: This is the default vLAG VRRP mode. 2. vLAG VRRP Passive (Half Active‐Active) mode In passive mode, Layer 3 traffic is forwarded in a vLAG related VRRP domain only if either the switch or its peer virtual router is the VRRP master. To enable vLAG VRRP passive mode on a switch, use the following command: NE2552E(config)# no vlag vrrp active To verify the currently configured vLAG VRRP mode you can use the following command: NE2552E(config)# show vlag vrrp © Copyright Lenovo 2018 Chapter 11: Virtual Link Aggregation Groups...
Page 214: Vlag Peer Gateway
vLAG Peer Gateway vLAG Peer Gateway allows a vLAG switch to act as the active gateway for packets that are addressed to the router MAC address of the vLAG peer. The feature enables local forwarding of such packets without crossing the ISL trunk, therefore improving ISL usage and avoiding potential traffic loss. To make it functional, vLAG Peer Gateway must be configured on both vLAG peer switches. By default, the feature is disabled. To enable it, use the following command: NE2552E(config)# vlag peer-gateway Use the no form of the command to disable vLAG Peer Gateway. To display information about the current vLAG Peer Gateway settings, use the following commands: NE2552E(config)# show vlag NE2552E(config)# show vlag peer-gateway NE2552E Application Guide for ENOS 8.4...
Page 215: Configuring Vlags In Multiple Layers
NE2552E(config)# interface port 1,2 NE2552E(config-if)# lacp key 100 NE2552E(config-if)# lacp mode active NE2552E(config-if)# exit Repeat these steps for the second border switch. Configure Switches in the Layer 2 Region Consider the following:  ISL ports on switches A and B ‐ ports 1, 2  Ports connecting to Layer 2/3 ‐ ports 5, 6  Ports on switches A and B connecting to switches C and D: ports 10, 11  Ports on switch B connecting to switch E: ports 15, 16  Ports on switch B connecting to switch F: ports 17, 18 © Copyright Lenovo 2018 Chapter 11: Virtual Link Aggregation Groups...
Page 216 1. Configure VLAG tier ID and enable VLAG globally. NE2552E(config)# vlag tier-id 10 NE2552E(config)# vlag enable 2. Configure ISL ports on Switch A. NE2552E(config)# interface port 1,2 NE2552E(config-if)# switchport mode trunk NE2552E(config-if)# lacp key 200 NE2552E(config-if)# lacp mode active NE2552E(config-if)# exit NE2552E(config)# vlag isl adminkey 200 NE2552E(config-vlan)# exit 3. Configure port on Switch A connecting to Layer 2/3 router 1. NE2552E(config)# vlan 10 VLAN number 10 with name “VLAN 10”...
Page 217 C and D. 6. Configure ports on Switch B connecting to downstream switches E and F. NE2552E(config)# vlan 30 NE2552E(config-vlan)# exit NE2552E(config)# interface port 15-18 NE2552E(config-if)# switchport mode trunk NE2552E(config-if)# lacp key 700 NE2552E(config-if)# lacp mode active NE2552E(config-if)# exit 7. Configure ISL between switches C and D, and between E and F as shown in Step 1. 8. Configure the Switch G as shown in Step 2. © Copyright Lenovo 2018 Chapter 11: Virtual Link Aggregation Groups...
Page 218 NE2552E Application Guide for ENOS 8.4...
Page 219: Chapter 12. Quality Of Service
QoS helps you allocate guaranteed bandwidth to critical applications, and limit bandwidth for less critical applications. Applications such as video and voice must have a certain amount of bandwidth to work correctly; using QoS, you can provide that bandwidth when necessary. Also, you can put a high priority on applications that are sensitive to timing out or those that cannot tolerate delay, assigning that traffic to a high‐priority queue. By assigning QoS levels to traffic flows on your network, you can ensure that network resources are allocated where they are needed most. QoS features allow you to prioritize network traffic, thereby providing better service for selected applications. Figure 22 on page 219 shows the basic QoS model used by the NE2552E Flex Switch. Figure 22. QoS Model Ingress Ports Meter Perform Queue and Egress Classify Actions Schedule Packets Traffic Drop/Pass/ Filter Meter Re-Mark Queue The NE2552E uses the Differentiated Services (DiffServ) architecture to provide QoS functions. DiffServ is described in IETF RFC 2474 and RFC 2475. © Copyright Lenovo 2018...
Page 220 With DiffServ, you can establish policies for directing traffic. A policy is a traffic‐controlling mechanism that monitors the characteristics of the traffic (for example, its source, destination, and protocol) and performs a controlling action on the traffic when certain characteristics are matched. The NE2552E can classify traffic by reading the DiffServ Code Point (DSCP) or IEEE 802.1p priority value, or by using filters to match specific criteria. When network traffic attributes match those specified in a traffic pattern, the policy instructs the NE2552E to perform specified actions on each packet that passes through it. The packets are assigned to different Class of Service (COS) queues and scheduled for transmission. The basic NE2552E QoS model works as follows:  Classify traffic: Read DSCP  Read 802.1p Priority  Match ACL filter parameters   Meter traffic: Define bandwidth and burst parameters  Select actions to perform on in‐profile and out‐of‐profile traffic  Perform actions:  Drop packets  Pass packets  Mark DSCP or 802.1p Priority  Set COS queue (with or without re‐marking)  Queue and schedule traffic:  Place packets in one of the available COS queues  Schedule transmission based on the COS queue weight ...
Page 221: Using Acl Filters
Packet format—Ethernet format, tagging format, IPv4, IPv6  Egress port For ACL details, see “Access Control Lists” on page 121. Summary of ACL Actions Actions determine how the traffic is treated. The NE2552E QoS actions include the following:  Pass or Drop the packet  Re‐mark the packet with a new DiffServ Code Point (DSCP)  Re‐mark the 802.1p field  Set the COS queue ACL Metering and Re-Marking You can define a profile for the aggregate traffic flowing through the NE2552E by configuring a QoS meter (if desired) and assigning ACL Groups to ports. When you add ACL Groups to a port, make sure they are ordered correctly in terms of precedence. Actions taken by an ACL are called In‐Profile actions. You can configure additional In‐Profile and Out‐of‐Profile actions on a port. Data traffic can be metered, and re‐marked to ensure that the traffic flow provides certain levels of service in terms of bandwidth for different types of network traffic. © Copyright Lenovo 2018 Chapter 12: Quality of Service...
Page 222: Metering
Metering QoS metering provides different levels of service to data streams through user‐configurable parameters. A meter is used to measure the traffic stream against a traffic profile which you create. Thus, creating meters yields In‐Profile and Out‐of‐Profile traffic for each ACL, as follows:  In‐Profile–If there is no meter configured or if the packet conforms to the meter, the packet is classified as In‐Profile. Out‐of‐Profile–If a meter is configured and the packet does not conform to the  meter (exceeds the committed rate or maximum burst rate of the meter), the packet is classified as Out‐of‐Profile. Note: Metering is not supported for IPv6 ACLs. All traffic matching an IPv6 ACL is considered in‐profile for re‐marking purposes. Using meters, you set a Committed Rate in Kbps (1000 bits per second in each Kbps). All traffic within this Committed Rate is In‐Profile. Additionally, you can set a Maximum Burst Size that specifies an allowed data burst larger than the Committed Rate for a brief period. These parameters define the In‐Profile traffic. Meters keep the sorted packets within certain parameters. You can configure a meter on an ACL, and perform actions on metered traffic, such as packet re‐marking. Re-Marking Re‐marking allows for the treatment of packets to be reset based on new network specifications or desired levels of service. You can configure the ACL to re‐mark a packet as follows: Change the DSCP value of a packet, used to specify the service level traffic  should receive.  Change the 802.1p priority of a packet. NE2552E Application Guide for ENOS 8.4...
Page 223: Using Dscp Values To Provide Qos
Differentiated Services Concepts To differentiate between traffic flows, packets can be classified by their DSCP value. The Differentiated Services (DS) field in the IP header is an octet, and the first six bits, called the DS Code Point (DSCP), can provide QoS functions. Each packet carries its own QoS state in the DSCP. There are 64 possible DSCP values (0‐63). Figure 23. Layer 3 IPv4 Packet Version Length Offset Proto Data Length Differentiated Services Code Point (DSCP) unused The NE2552E can perform the following actions to the DSCP:  Read the DSCP value of ingress packets  Re‐mark the DSCP value to a new value  Map the DSCP value to an 802.1p priority Once the DSCP value is marked, the NE2552E can use it to direct traffic prioritization. © Copyright Lenovo 2018 Chapter 12: Quality of Service...
Page 224: Per-Hop Behavior
Per-Hop Behavior The DSCP value determines the Per Hop Behavior (PHB) of each packet. The PHB is the forwarding treatment given to packets at each hop. QoS policies are built by applying a set of rules to packets, based on the DSCP value, as they hop through the network. The NE2552E default settings are based on the following standard PHBs, as defined in the IEEE standards:  Expedited Forwarding (EF)—This PHB has the highest egress priority and lowest drop precedence level. EF traffic is forwarded ahead of all other traffic. EF PHB is described in RFC 2598.  Assured Forwarding (AF)—This PHB contains four service levels, each with a different drop precedence, as shown below. Routers use drop precedence to determine which packets to discard last when the network becomes congested. AF PHB is described in RFC 2597. Drop Precedence Class 1 Class 2 Class 3 Class 4 AF11 AF21 AF31 AF41 (DSCP 10) (DSCP 18) (DSCP 26) (DSCP 34) Medium AF12 AF22 AF32 AF42 (DSCP 12) (DSCP 20) (DSCP 28)
Page 225: Qos Levels
The NE2552E can re‐mark the DSCP value of ingress packets to a new value, and set the 802.1p priority value, based on the DSCP value. You can view the settings by using the following command: NE2552E(config)# show qos dscp Current DSCP Remarking Configuration: OFF DSCP New DSCP New 802.1p Prio -------- -------- --------------- Use the following command to turn on DSCP re‐marking globally: NE2552E(config)# qos dscp re-marking Then you must enable DSCP re‐marking on any port that you wish to perform this function. Note: If an ACL meter is configured for DSCP re‐marking, the meter function takes precedence over QoS re‐marking. © Copyright Lenovo 2018 Chapter 12: Quality of Service...
Page 226: Dscp Re-Marking Configuration Example 1
DSCP Re-Marking Configuration Example 1 The following example includes the basic steps for re‐marking DSCP value and mapping DSCP value to 802.1p. 1. Turn DSCP re‐marking on globally, and define the DSCP‐DSCP‐802.1p mapping. You can use the default mapping. NE2552E(config)# qos dscp re-marking NE2552E(config)# qos dscp dscp-mapping <DSCP value (0‐63)> <new value> NE2552E(config)# qos dscp dot1p-mapping <DSCP value (0‐63)> <802.1p value> 2. Enable DSCP re‐marking on a port. NE2552E(config)# interface port 1 NE2552E(config-if)# qos dscp re-marking NE2552E(config-if)# exit DSCP Re-Marking Configuration Example 2 The following example assigns strict priority to VoIP traffic and a lower priority to ...
Page 227 6. Assign strict priority to VoIP COS queue. NE2552E(config)# qos transmit-queue weight-cos 7 0 7. Map priority value to COS queue for non‐VoIP traffic. NE2552E(config)# qos transmit-queue mapping 1 1 8. Assign weight to the non‐VoIP COS queue. NE2552E(config)# qos transmit-queue weight-cos 1 2 © Copyright Lenovo 2018 Chapter 12: Quality of Service...
Page 228: Using 802.1P Priorities To Provide Qos
Using 802.1p Priorities to Provide QoS Lenovo ENOS provides Quality of Service functions based on the priority bits in a packet’s VLAN header. (The priority bits are defined by the 802.1p standard within the IEEE 802.1q VLAN header.) The 802.1p bits, if present in the packet, specify the priority that should be given to packets during forwarding. Packets with a numerically higher (non‐zero) priority are given forwarding preference over packets with lower priority bit value. The IEEE 802.1p standard uses eight levels of priority (0‐7). Priority 7 is assigned to highest priority network traffic, such as OSPF or RIP routing table updates, priorities 5‐6 are assigned to delay‐sensitive applications such as voice and video, and lower priorities are assigned to standard applications. A value of 0 (zero) indicates a “best effort” traffic prioritization, and this is the default when traffic priority has not been configured on your network. The NE2552E can filter packets based on the 802.1p values, and it can assign or overwrite the 802.1p value in the packet. Figure 24. Layer 2 802.1q/802.1p VLAN Tagged Packet DMAC SMAC E Type Data Preamble Priority VLAN Identifier (VID) Ingress packets receive a priority value, as follows:  Tagged packets—NE2552E reads the 802.1p priority in the VLAN tag.  Untagged packets—NE2552E tags the packet and assigns an 802.1p priority, based on the port’s default priority. Egress packets are placed in a COS queue based on the priority value, and ...
Page 229: Queuing And Scheduling
NE2552E(config)# qos transmit-queue mapping <priority value (0‐7)> <COS queue (0‐7)> To set the COS queue scheduling weight, use the following command. NE2552E(config)# qos transmit-queue weight-cos <COSq number> <COSq weight (0‐15)> The scheduling weight can be set from 0 to 15. Weight values from 1 to 15 set the queue to use weighted round‐robin (WRR) scheduling, which distributes larger numbers of packets to queues with the highest weight values. For distribution purposes, each packet is counted the same, regardless of the packet’s size. A scheduling weight of 0 (zero) indicates strict priority. Traffic in strict priority queue has precedence over other all queues. If more than one queue is assigned a weight of 0, the strict queue with highest queue number will be served first. Once all traffic in strict queues is delivered, any remaining bandwidth will be allocated to the WRR queues, divided according to their weight values. Note: Use caution when assigning strict scheduling to queues. Heavy traffic in queues assigned with a weight of 0 can starve lower priority queues. For a scheduling method that uses a weighted deficit round‐robin (WDRR) algorithm, distributing packets with an awareness of packet size, see “Enhanced Transmission Selection” on page 260. © Copyright Lenovo 2018 Chapter 12: Quality of Service...
Page 230: Control Plane Protection
Control Plane Protection Control plane receives packets that are required for the internal protocol state machines. This type of traffic is usually received at low rate. However, in some situations such as DOS attacks, the switch may receive this traffic at a high rate. If the control plane protocols are unable to process the high rate of traffic, the switch may become unstable. The control plane receives packets that are channeled through protocol‐specific packet queues. Multiple protocols can be channeled through a common packet queue. However, one protocol cannot be channeled through multiple packet queues. These packet queues are applicable only to the packets received by the software and does not impact the regular switching or routing traffic. Packet queue with a higher number has higher priority. You can configure the bandwidth for each packet queue. Protocols that share a packet queue will also share the bandwidth. The following commands configure the control plane protection (CoPP) feature: Configure a queue for a protocol: NE2552E(config)# qos protocol-packet-control packet-queue-map <0‐47> <protocol> Set the bandwidth for the queue, in packets per second: NE2552E(config)# qos protocol-packet-control rate-limit-packet-queue <0‐47> <1‐10000>...
Page 231: Packet Drop Logging
Broadcast packets are received at rate higher than 200pps, hence are discarded on queue 5. To enable or disable packet drop logging, use the following commands: NE2552E(config)# [no] logging pdrop enable You can adjust the logging interval between 0 and 30 minutes using the following command: NE2552E(config)# logging pdrop interval <0-30> Setting the logging interval to 0 will log packet drops immediately (with up to 1 second delay), and will ignore further drops on the same queue during the next 2 minutes. Setting the logging interval to a greater value (1 – 30 minutes), regularly displays packet drop information at the designated time intervals. Once the packet drops stop, or if new packet drops are encountered only within 2 minutes after a syslog message, the switch does not display any more messages. © Copyright Lenovo 2018 Chapter 12: Quality of Service...
Page 232: Microburst Detection
Microburst Detection Microbursts are short peaks in data traffic that manifest as a sudden increase in the number of data packets transmitted over a specific millisecond‐level time frame, potentially overwhelming network buffers. Microburst detection allows users to analyze and mitigate microburst‐related incidents, thus preventing network congestion. Microburst Detection is disabled by default. To enable it, use the following command: NE2552E(config)# microburst enable To disable microburst detection, use the following command: NE2552E(config)# no microburst enable To configure the polling interval (in milliseconds) used by microburst detection to evaluate traffic burst: NE2552E(config)# microburst interval <2‐10000> To see the current microburst state, use the following command: NE2552E# show microburst microburst-status Below is a basic configuration example for Microburst Detection. 1. Enter Configuration mode and enable Microburst Detection, choosing a threshold value: NE2552E(config)# microburst enable NE2552E(config)# microburst port-threshold ext4 10000 2.
Page 233 NORMAL EXT7 NORMAL EXT8 NORMAL EXT9/1 NORMAL EXT9/2 NORMAL EXT9/3 NORMAL EXT9/4 NORMAL EXT10 NORMAL EXT11/1 NORMAL EXT11/2 NORMAL EXT11/3 NORMAL EXT11/4 NORMAL EXT12/1 NORMAL EXT12/2 NORMAL EXT12/3 NORMAL EXT12/4 NORMAL © Copyright Lenovo 2018 Chapter 12: Quality of Service...
Page 234 NE2552E Application Guide for ENOS 8.4...
Page 235: Chapter 13. Precision Time Protocol
Ethernet‐based networks.  Transparent clock: A transparent clock listens for PTP packets and adjusts the correction field in the PTP event packets as they pass the PTP device. Lenovo ThinkSystem NE2552E Flex Switch supports the configuration of ordinary clock and transparent clock. It cannot be a master clock as the switch does not participate in the master clock selection process. Note: Lenovo ENOS does not support IPv6 for PTP. By default, PTP version 2 is installed on the switch but is globally disabled. Use the following command to globally enable PTP: NE2552E(config)# ptp {ordinary|transparent} enable PTP is configured on switch ports. In case of LAG ports, the PTP configuration must be the same on all ports participating in the same LAG. The switch uses only one port from a LAG (typically the one used by a multicast protocol) to forward PTP packets. By default, PTP is enabled on all the switch ports. To disable PTP on a port, use the following commands: NE2552E(config)# interface port <port> NE2552E(config-if)# no ptp Note: PTP cannot be enabled on management ports. © Copyright Lenovo 2018 Chapter 13: Precision Time Protocol...
Page 236: Ordinary Clock Mode
PTP packets have a Control Plane Protection (CoPP) queue of 36. You cannot change this CoPP priority. However, you can modify the PTP queue rate using the following command: NE2552E(config)# qos protocol-packet-control rate-limit-packet-queue <0‐47> <1‐10000> Ordinary Clock Mode When the NE2552E Flex Switch is configured as an ordinary clock, it synchronizes its clock with the master clock. If the NE2552E does not detect a master clock, it will not synchronize its clock with any other device. In this mode, the NE2552E’s clock cannot be modified manually or using another time protocol such as Network Time Protocol (NTP). As an ordinary clock, the NE2552E synchronizes with a single PTP domain. The switch uses a delay‐request mechanism to synchronize with the master clock. The switch uses a source IP address for the packets it generates. You can create a loopback interface for this purpose. By default, the switch uses the lowest interface in the VLAN from which the sync messages are received. To assign a loopback interface, use the following command: NE2552E(config)# ip ptp source-interface loopback <interface number> Note: If there are no interfaces on the switch that belong to the VLAN from which the sync messages are received, then the ordinary clock will not function. An error message will be generated. You can view this message using the following command: NE2552E# show ptp Transparent Clock Mode When the NE2552E is configured as a transparent clock, its time can be set ...
Page 237: Tracing Ptp Packets
General Messages: Announce, follow‐up, delay response, peer delay response follow‐up, management Viewing PTP Information The following table includes commands for viewing PTP information: Table 21. PTP Information Commands Command Description NE2552E(config)# show ptp Displays global PTP information NE2552E(config)# show Displays port information including interface port <port number> port‐specific PTP information NE2552E(config)# show ptp Displays ingress and egress PTP counters counters © Copyright Lenovo 2018 Chapter 13: Precision Time Protocol...
Page 238 NE2552E Application Guide for ENOS 8.4...
Page 240 NE2552E Application Guide for ENOS 8.4...
Page 241: Chapter 14. Virtualization
Chapter 14. Virtualization Virtualization allows resources to be allocated in a fluid manner based on the logical needs of the data center, rather than on the strict, physical nature of components. The following virtualization features are included in Lenovo ENOS 8.4 on the NE2552E Flex Switch (NE2552E):  Virtual Local Area Networks (VLANs) VLANs are commonly used to split groups of networks into manageable broadcast domains, create logical segmentation of workgroups, and to enforce security policies among logical network segments. For details on this feature, see “VLANs” on page 135.  Port aggregation A port LAG pools multiple physical switch ports into a single, high‐bandwidth logical link to other devices. In addition to aggregating capacity, LAGs provides link redundancy. For details on this feature, see “Ports and Link Aggregation (LAG)” on page 155.  Virtual Link Aggregation Groups (VLAGs) With VLAGs, two switches can act as a single logical device for the purpose of establishing port LAGs. Active LAG links from one device can lead to both VLAG peer switches, providing enhanced redundancy, including active‐active VRRP configuration. For details on this feature, see “Virtual Link Aggregation Groups” on page 195  Unified Fabric Port (UFP) An architecture that logically subdivides a high‐speed physical link connecting to a server NIC or to a Converged Network Adapter (CNA). UFP provides a switch fabric component to control the NIC. For details on this feature, see “Unified Fabric Port” on page 285. Lenovo ENOS virtualization features provide a highly‐flexible framework for allocating and managing switch resources. © Copyright Lenovo 2018...
Page 242 NE2552E Application Guide for ENOS 8.4...
Page 243: Chapter 15. Fibre Channel Over Ethernet
Chapter 15. Fibre Channel over Ethernet Fibre Channel over Ethernet (FCoE) is an effort to converge two of the different physical networks in today’s data centers. It allows Fibre Channel traffic (such as that commonly used in Storage Area Networks, or SANs) to be transported without loss over 10Gb Ethernet links (typically used for high‐speed Local Area Networks, or LANs). This provides an evolutionary approach toward network consolidation, allowing Fibre Channel equipment and tools to be retained, while leveraging cheap, ubiquitous Ethernet networks for growth. With server virtualization, servers capable of hosting both Fibre Channel and Ethernet applications will provide advantages in server efficiency, particularly as FCoE‐enabled network adapters provide consolidated SAN and LAN traffic capabilities. The Lenovo ThinkSystem NE2552E Flex Switch with Lenovo ENOS 8.4 software is compliant with the INCITS T11.3, FC‐BB‐5 FCoE specification, supporting up to 2048 FCoE connections. Note: The NE2552E supports up to 2048 FCoE login sessions. © Copyright Lenovo 2018...
Page 244: The Fcoe Topology
Figure 25. A Mixed Fibre Channel and FCoE Network FCoE Fibre 802.1p Priority & Usage EXT4 INTA1 Channel 3 FCoE Applications Switch 802.1p Priority & Usage INTA2 EXT5 Business-Critical LAN Lenovo Chassis Servers In Figure 25 on page 244, the Fibre Channel network is connected to the FCoE network through an FCoE Forwarder (FCF) bridge. The FCF acts as a Fibre Channel gateway to and from the multi‐hop FCoE network. For the FCoE portion of the network, the FCF is connected to the FCoE‐enabled NE2552E, which is internally connected to a blade server (running Fibre Channel applications) through an FCoE‐enabled Converged Network Adapter (CNA) known in Fibre Channel as an Ethernet Node (ENode). Note: The figure also shows a non‐FCoE LAN server connected to the NE2552E using a CNA. This allows the LAN server to take advantage of some CEE features that are useful even outside of an FCoE environment.
Page 245: Fcoe Requirements
FCoE Requirements The following are required for implementing FCoE using the Lenovo ThinkSystem NE2552E Flex Switch (NE2552E) with ENOS 8.4 software:  The NE2552E must be connected to the Fibre Channel network through an FCF such as a Lenovo RackSwitch G2864CS or a CN4093 10Gb Converged Scalable Switch.  For each NE2552E port participating in FCoE, the connected server must use the supported Converged Network Adapter (CNA) and have the FCoE license enabled (if applicable) on the CNA.  CEE must be turned on (see “Turning CEE On or Off” on page 246). When CEE is on, the DCBX, PFC, and ETS features are enabled and configured with default FCoE settings. These features may be reconfigured, but must remain enabled in order for FCoE to function.  FIP snooping must be turned on (see “FCoE Initialization Protocol Snooping” on page 249). When FIP snooping is turned on, the feature is enabled on all ports by default. The administrator can disable FIP snooping on individual ports that do not require FCoE, but FIP snooping must remain enabled on all FCoE ports for FCoE to function.  An FCOE VLAN must always be set as tagged and never set as a native VLAN. © Copyright Lenovo 2018 Chapter 15: Fibre Channel over Ethernet...
Page 246: Converged Enhanced Ethernet
Converged Enhanced Ethernet Converged Enhanced Ethernet (CEE) refers to a set of IEEE standards designed to allow different physical networks with different data handling requirements to be converged together, simplifying management, increasing efficiency and utilization, and leveraging legacy investments without sacrificing evolutionary growth. CEE standards were developed primarily to enable Fibre Channel traffic to be carried over Ethernet networks. This required enhancing the existing Ethernet standards to make them lossless on a per‐priority traffic basis, and to provide a mechanism to carry converged (LAN/SAN/IPC) traffic on a single physical link. Although CEE standards were designed with FCoE in mind, they are not limited to FCoE installations. CEE features can be utilized in traditional LAN (non‐FCoE) networks to provide lossless guarantees on a per‐priority basis, and to provide efficient bandwidth allocation based on application needs. Turning CEE On or Off By default on the NE2552E, CEE is turned off. To turn CEE on or off, use the following CLI commands: NE2552E(config)# [no] cee enable For an example, see “FIP Snooping Configuration” on page 255. CAUTION: Turning CEE on and applying the configuration will automatically change some 802.1p QoS and 802.3x standard flow control settings on the NE2552E. Read the following material carefully to determine whether you will need to take action to reconfigure expected settings. It is recommended that you backup your configuration prior to turning CEE on. Viewing the file will allow you to manually re‐create the equivalent configuration once CEE is turned on, and will also allow you to recover your prior configuration if you need to turn CEE off. Effects on Link Layer Discovery Protocol When CEE is turned on, Link Layer Discovery Protocol (LLDP) is automatically ...
Page 247: Effects On 802.1P Quality Of Service
ETS Configuration With CEE Off (default) With CEE On Priority COSq Weight Priority COSq PGID When CEE is on, the default ETS configuration also allocates a portion of link bandwidth to each PGID as shown in Table Table 23. Default ETS Bandwidth Allocation PGID Typical Use Bandwidth Latency‐sensitive LAN If the prior, non‐CEE configuration used 802.1p priority values for different purposes, or does not expect bandwidth allocation as shown in Table 23 on page 247, when CEE is turned on, the administrator should reconfigure ETS settings as appropriate. © Copyright Lenovo 2018 Chapter 15: Fibre Channel over Ethernet...
Page 248: Effects On Flow Control
Effects on Flow Control When CEE is off (the default), 802.3x standard flow control is enabled on all switch ports by default. When CEE is turned on, standard flow control is disabled on all ports, and in its place, PFC (see “Priority‐Based Flow Control” on page 256) is enabled on all ports for 802.1p priority value 3. This default is chosen because priority value 3 is commonly used to identify FCoE traffic in a CEE environment and must be guaranteed lossless behavior. PFC is disabled for all other priority values. It is recommend that a configuration backup be made prior to turning CEE on or off. Viewing the configuration file will allow the administrator to manually re‐create the equivalent configuration under the new CEE mode, and will also allow for the recovery of the prior configuration if necessary. When CEE is on, PFC can be enabled only on priority value 3 and one other priority. If flow control is required on additional priorities on any given port, consider using standard flow control on that port, so that regardless of which priority traffic becomes congested, a flow control frame is generated. RoCE and iSCSI RDMA over Converged Ethernet (RoCE) allows remote direct memory access (RDMA) over an Ethernet network. RoCE provides direct memory to memory transfers at the application level without involving the host CPU. Both the transport processing and the memory translation and placement are performed by hardware resulting in dramatically lower latency and higher performance. There are two RoCE versions, RoCEv1 and RoCEv2: RoCEv1 is an Ethernet link layer protocol and hence allows communication between any two hosts in the same Ethernet broadcast domain, while RoCEv2 is designed to allow lossless traffic in the layer 3 network environment. Internet Small Computer System Interface (iSCSI) is an Internet Protocol (IP)‐based storage networking standard for linking data storage facilities. It provides block‐level access to storage devices by carrying SCSI commands over a TCP/IP network. iSCSI takes a popular high‐performance local storage bus and emulates it over a wide range of networks, creating a storage area network (SAN). Unlike some SAN protocols, iSCSI requires no dedicated cabling; it can be run over existing IP infrastructure. As a result, iSCSI is often seen as a low‐cost alternative to Fibre Channel. RoCE Requirements The following are required for implementing RoCE using the switches with ENOS ...
Page 249: Fcoe Initialization Protocol Snooping
In case of LAG, FIP traffic from a particular FCF can be received by any member port on which the FCF was detected. FIP Snooping Requirements The following are required for implementing the FIP snooping bridge feature: The NE2552E must be connected to the Fibre Channel network through a FCF  such as a Lenovo Rackswitch G8264CS, a Lenovo CN4093 10Gb Converged Scalable Switch or a Cisco Nexus 5000 Series Switch.  For each NE2552E switch port participating in FCoE, the connected server must use a FCoE‐licensed Converged Network Adapter (CNA) and must have the FCoE license enabled (if applicable) on the CNA.  CEE must be turned on (see “Turning CEE On or Off” on page 246). When CEE is on, the DCBX, PFC and ETS features are enabled and configured with default FCoE settings. These features may be reconfigured, but must remain enabled for FCoE to function.  FIP snooping must be turned on (see “Global FIP Snooping Settings” on page 250). When FIP snooping is turned on, the feature is enabled on all ports by default. The administrator can disable FIP snooping on individual ports that do not require FCoE, but FIP snooping must remain enabled on all FCoE ports for FCoE to function. © Copyright Lenovo 2018 Chapter 15: Fibre Channel over Ethernet...
Page 250: Port Aggregation
Port Aggregation Lenovo ENOS 8.4 supports port aggregation for FCoE connections. Link Aggregation (LAGs) can be used for separate FCoE traffic, or for Ethernet and FCoE traffic. The ports can be grouped as static LAGs or dynamic LACP LAGs. Normal aggregation operations such as creating or enabling a LAG, and adding or removing member ports can be performed. When a port is added to a LAG, FCFs previously detected on the port will be deleted. The deleted FCF may be relearned later. However, this may cause flickering in the network traffic. It is recommended that any LAG changes are made prior to live FCoE traffic. Priority‐based Flow Control (PFC) and Data Center Bridging (DCBX) are configured on a per‐port basis. Each port in a LAG must have the same ETS, PFC and DCBX configuration. When a port ceases to be a LAG member, its configuration does not change. Note: If the ports chosen to be part of a certain LAG do not have the same PFC, ETS or DCBX configurations, the switch will display an error. Global FIP Snooping Settings By default, the FIP snooping feature is turned off for the NE2552E. The following commands are used to turn the feature on or off: NE2552E(config)# [no] fcoe fips enable Note: FIP snooping requires CEE to be turned on (see “Turning CEE On or Off” on page 246). When FIP snooping is on, port participation may be configured on a port‐by‐port basis. When FIP snooping is off, all FCoE‐related ACLs generated by the feature are removed from all switch ports. FIP snooping configuration must be the same on all member ports in a LAG. If the configuration of a member port is changed, an error message, similar to the following, will be displayed. “FAIL: Trunk x FIP Snooping port y and port z need to have the same fips config.“...
Page 251: Fip Snooping For Specific Ports
FIPS LAG Support on Server Ports FIPS LAG Support allows FCoE and Ethernet traffic to co‐exist within the same LAGs (ports). By default, FCoE servers (CNA/HBA) do not support aggregation, while Ethernet (NIC/CNA) are aggregation capable. Due to this incompatibility on FCoE capable servers, the FCoE traffic is generated on separate (exclusive) ports whenever Ethernet adapters need to be consolidated into a LAG. FIPS LAG Support allows FCoE traffic and traditional Ethernet traffic to use the same ports for traffic by pinning each destination FCoE Enode‐MAC to a static switch port within the LAG. This is due to each server port within a LAG expecting FCoE traffic with a destination ‐ MAC as its Enode‐MAC to arrive on the same port within the LAG from the switch (i.e. FCoE traffic with a destination Enode‐MAC is always expected to traverse the link with that Enode‐MAC). Initially, any incoming FIP packets are snooped by the switch and if the Enode‐MAC is new (previously undiscovered) and source port is part of a LAG, then a static Enode‐MAC entry is installed within the switch. Any unicast (FIP) response then onward is transmitted using the assigned port within the LAG and not any other port. Thus, FCoE traffic then strictly transmits across only the assigned port (within the LAG) for each Enode. Similarly, any VN‐Port MACs are pinned on a port by port basis within a LAG. Regular (non‐FCoE) Ethernet traffic will continue to operate across the LAG normally (using any of the links based on balancing algorithm). This feature is automatically activated upon server‐port LAG mode detection by FIPS. Note: FCoE Fips must be enabled on FSB/FCF switch. © Copyright Lenovo 2018 Chapter 15: Fibre Channel over Ethernet...
Page 252: Port Fcf And Enode Detection
Port FCF and ENode Detection When FIP snooping is enabled on a port, the port is placed in FCF auto‐detect mode by default. In this mode, the port assumes connection to an ENode unless FIP packets show the port is connected to an FCF. Ports can also be specifically configured as to whether automatic FCF detection should be used, or whether the port is connected to an FCF or ENode: NE2552E(config)# fcoe fips port <port alias, number, list, or range> fcf-mode {auto|on|off} When FCF mode is on, the port is assumed to be connected to a trusted FCF, and only ACLs appropriate to FCFs will be installed on the port. When off, the port is assumed to be connected to an ENode, and only ACLs appropriate to ENodes will be installed. When the mode is changed (either through manual configuration or as a result of automatic detection), the appropriate ACLs are automatically added, removed, or changed to reflect the new FCF or ENode connection. FCoE Connection Timeout FCoE‐related ACLs and VLANs are added, changed, and removed as FCoE device connection and disconnection are discovered. In addition, the administrator can enable or disable automatic removal of ACLs for FCFs and other FCoE connections that timeout (fail or are disconnected) without FIP notification. By default, automatic removal of ACLs upon timeout is enabled. To change this function, use the following CLI command: NE2552E(config)# [no] fcoe fips timeout-acl FCoE ACL Rules When FIP Snooping is enabled on a port, the switch automatically installs the ...
Page 253: Fcoe Vlans
FIP Snooping on port ext4: This port has been detected to be an FCF port. FIPS ACLs configured on this port: Ethertype 0x8914, action permit. dmac 00:00:18:01:00:XX, Ethertype 0x8914, action permit. © Copyright Lenovo 2018 Chapter 15: Fibre Channel over Ethernet...
Page 254: Operational Commands
For each ACL, the required traffic criteria are listed, along with the action taken (permit or deny) for matching traffic. ACLs are listed in order of precedence and evaluated in the order shown. The administrator can also view other FCoE information: NE2552E# show fcoe fips fcf (Show all detected FCFs) NE2552E# show fcoe fips fcoe (Show all FCoE connections) Operational Commands The administrator may use the operational commands to delete FIP‐related entries from the switch. To delete a specific FCF entry and all associated ACLs from the switch, use the following command: NE2552E# no fcoe fips fcf <FCF MAC address> [<VLAN number>] NE2552E Application Guide for ENOS 8.4...
Page 255: Fip Snooping Configuration
NE2552E(config-if)# exit (Exit port configuration mode) Note: Placing ports into the VLAN after tagging is enabled helps to ensure that their port VLAN ID (PVID) is not accidentally changed. 6. (Set by default) Enable FIP snooping on FCoE ports, and set the desired FCF mode: NE2552E(config)# fcoe fips port INTA1 enable (Enable FIPS on FCoE ports) NE2552E(config)# fcoe fips port INTA1 fcf-mode off (Set as ENode connection) NE2552E(config)# fcoe fips port EXT4 fcf-mode on (Set as FCF connection) 7. Save the configuration. © Copyright Lenovo 2018 Chapter 15: Fibre Channel over Ethernet...
Page 256: Priority-Based Flow Control
Priority-Based Flow Control Priority‐based Flow Control (PFC) is defined in IEEE 802.1Qbb. PFC extends the IEEE 802.3x standard flow control mechanism. Under standard flow control, when a port becomes busy, the switch manages congestion by pausing all the traffic on the port, regardless of the traffic type. PFC provides more granular flow control, allowing the switch to pause specified types of traffic on the port, while other traffic on the port continues. PFC pauses traffic based on 802.1p priority values in the VLAN tag. The administrator can assign different priority values to different types of traffic and then enable PFC for up to two specific priority values: priority value 3, and one other. The configuration can be applied on a port‐by‐port basis, or globally for all ports on the switch. Then, when traffic congestion occurs on a port (caused when ingress traffic exceeds internal buffer thresholds), only traffic with priority values where PFC is enabled is paused. Traffic with priority values where PFC is disabled proceeds without interruption but may be subject to loss if port ingress buffers become full. Although PFC is useful for a variety of applications, it is required for FCoE implementation where storage (SAN) and networking (LAN) traffic are converged on the same Ethernet links. Typical LAN traffic tolerates Ethernet packet loss that can occur from congestion or other factors, but SAN traffic must be lossless and requires flow control. For FCoE, standard flow control would pause both SAN and LAN traffic during congestion. While this approach would limit SAN traffic loss, it could degrade the performance of some LAN applications that expect to handle congestion by dropping traffic. PFC resolves these FCoE flow control issues. Different types of SAN and LAN traffic can be assigned different IEEE 802.1p priority values. PFC can then be enabled for priority values that represent SAN and LAN traffic that must be paused during congestion, and disabled for priority values that represent LAN traffic that is more loss‐tolerant. PFC requires CEE to be turned on (“Turning CEE On or Off” on page 246). When CEE is turned on, PFC is enabled on priority value 3 by default. Optionally, the administrator can also enable PFC on one other priority value, providing lossless handling for another traffic type, such as for a business‐critical LAN application. Note: For any given port, only one flow control method can be implemented at any given time: either PFC or standard IEEE 802.3x flow control. NE2552E Application Guide for ENOS 8.4...
Page 257: Global Vs. Port-By-Port Pfc Configuration
 PFC is not restricted to CEE and FCoE networks. In any LAN where traffic is separated into different priorities, PFC can be enabled on priority values for loss‐sensitive traffic. If all ports have the same priority definitions and utilize the same PFC strategy, PFC can be globally configured. If you want to enable PFC on a priority, do one of the following:  Create a separate priority group (see “Priority Groups” on page 261).  Move the priority to an existing priority group in which PFC is turned on. Since there are separate COS queue and ETS configurations, creating a distinct priority group is preferred. When configuring ETS and PFC on the switch, perform ETS configuration before performing PFC configuration. If two priorities are enabled on a port, the switch sends PFC frames for both priorities, even if only traffic tagged with one of the priorities is being received on that port. Note: When using global PFC configuration in conjunction with the ETS feature (see “Enhanced Transmission Selection” on page 260), ensure that only pause‐tolerant traffic (such as lossless FCoE traffic) is assigned priority values where PFC is enabled. Pausing other types of traffic can have adverse effects on LAN applications that expect uninterrupted traffic flow and tolerate dropping packets during congestion. Use PFC globally only if all priority values assigned for lossless traffic on one or more ports does not carry loss‐tolerant traffic on other ports. © Copyright Lenovo 2018 Chapter 15: Fibre Channel over Ethernet...
Page 258: Pfc Configuration Example
PFC Configuration Example Note: DCBX may be configured to permit sharing or learning PFC configuration with or from external devices. This example assumes that PFC configuration is being performed manually. See “Data Center Bridging Capability Exchange” on page 266 for more information on DCBX. This example is consistent with the network shown in Figure 25 on page 244. In this example, the following topology is used. Table 24. Port‐Based PFC Configuration Switch 802.1p Usage Priority Port Setting EXT5 0‐2 Disabled (not used) Enabled Business‐critical LAN Enabled others (not used) Disabled FCoE (to FCF bridge) Enabled others (not used) Disabled INT1 FCoE Enabled others (not used) Disabled...
Page 259 NE2552E(config)# cee port INTA2 pfc priority 4 description "Critical LAN" NE2552E(config)# cee port EXT5 pfc priority 4 enable ( LAN priority) NE2552E(config)# cee port EXT5 pfc priority 4 description "Critical LAN" 4. Save the configuration. © Copyright Lenovo 2018 Chapter 15: Fibre Channel over Ethernet...
Page 260: Enhanced Transmission Selection
Enhanced Transmission Selection Enhanced Transmission Selection (ETS) is defined in IEEE 802.1Qaz. ETS provides a method for allocating port bandwidth based on 802.1p priority values in the VLAN tag. Using ETS, different amounts of link bandwidth can specified for different traffic types (such as for LAN, SAN, and management). ETS is an essential component in a CEE environment that carries different types of traffic, each of which is sensitive to different handling criteria, such as Storage Area Networks (SANs) that are sensitive to packet loss, and LAN applications that may be latency‐sensitive. In a single converged link, such as when implementing FCoE, ETS allows SAN and LAN traffic to coexist without imposing contrary handling requirements upon each other. The ETS feature requires CEE to be turned on (see “Turning CEE On or Off” on page 246). 802.1p Priority Values Under the 802.1p standard, there are eight available priority values, with values numbered 0 through 7, which can be placed in the priority field of the 802.1Q VLAN tag: 16 bits 3 bits 12 bits Tag Protocol ID (0x8100) Priority C VLAN ID 15 16 Servers and other network devices may be configured to assign different priority values to packets belonging to different traffic types (such as SAN and LAN). ETS uses the assigned 802.1p priority values to identify different traffic types. The ...
Page 261: Priority Groups
For ETS use, each 801.2p priority value is assigned to a priority group which can then be allocated a specific portion of available link bandwidth. To configure a priority group, the following is required:  CEE must be turned on (“Turning CEE On or Off” on page 246) for the ETS feature to function.  A priority group must be assigned a priority group ID (PGID), one or more 802.1p priority values, and allocated link bandwidth greater than 0%. PGID Each priority group is identified with number (0 through 7, and 15) known as the PGID. PGID 0 through 7 may each be assigned a portion of the switch’s available bandwidth. PGID 8 through 14 are reserved as per the 802.1Qaz ETS standard. PGID 15 is a strict priority group. It is generally used for critical traffic, such as network management. Any traffic with priority values assigned to PGID 15 is permitted as much bandwidth as required, up to the maximum available on the switch. After serving PGID 15, any remaining link bandwidth is shared among the other groups, divided according to the configured bandwidth allocation settings. All 802.1p priority values assigned to a particular PGID should have similar traffic handling requirements. For example, PFC‐enabled traffic should not be grouped with non‐PFC traffic. Also, traffic of the same general type should be assigned to the same PGID. Splitting one type of traffic into multiple 802.1p priorities, and then assigning those priorities to different PGIDs may result in unexpected network behavior. Each 802.1p priority value may be assigned to only one PGID. However, each PGID may include multiple priority values. Up to eight PGIDs may be configured at any given time. © Copyright Lenovo 2018 Chapter 15: Fibre Channel over Ethernet...
Page 262: Assigning Priority Values To A Priority Group
Assigning Priority Values to a Priority Group Each priority group may be configured from its corresponding ETS Priority Group, available using the following command: NE2552E(config)# cee global ets priority-group pgid <group number (0‐7, or 15)> priority <priority list> where priority list is one or more 802.1p priority values (with each separated by a space). For example, to assign priority values 0 through 2: NE2552E(config)# cee global ets priority-group pgid <group number (0‐7, or 15)> priority 0,1,2 Note: Within any specific PGID, the PFC settings (see “Priority‐Based Flow Control” on page 256) should be the same (enabled or disabled) for all priority values within the group. PFC can be enabled only on priority value 3 and one other priority. If the PFC setting is inconsistent within a PGID, a warning message is reported when attempting to apply the configuration. When assigning priority values to a PGID, the specified priority value will be automatically removed from its old group and assigned to the new group when the configuration is applied. Each priority value must be assigned to a PGID. Priority values may not be deleted or unassigned. To remove a priority value from a PGID, it must be moved to ...
Page 263  Any PGID assigned one or more priority values must have a bandwidth allocation greater than 0%.  Total bandwidth allocation for groups 0 through 7 must equal exactly 100%. Increasing or reducing the bandwidth allocation of any PGID also requires adjusting the allocation of other PGIDs to compensate. If these conditions are not met, the switch will report an error when applying the configuration. Notes:  Actual bandwidth used by any specific PGID may vary from configured values by up to 10% of the available bandwidth in accordance with 802.1Qaz ETS standard. For example, a setting of 10% may be served anywhere from 0% to 20% of the available bandwidth at any given time. Unlimited Bandwidth for PGID 15 PGID 15 is permitted unlimited bandwidth and is generally intended for critical traffic (such as switch management). Traffic in this group is given highest priority and is served before the traffic in any other priority group. If PGID 15 has low traffic levels, most of the switch’s bandwidth will be available to serve priority groups 0 through 7. However, if PGID 15 consumes a larger part of the switch’s total bandwidth, the amount available to the other groups is reduced. Note: Consider traffic load when assigning priority values to PGID 15. Heavy traffic in this group may restrict the bandwidth available to other groups. © Copyright Lenovo 2018 Chapter 15: Fibre Channel over Ethernet...
Page 264: Configuring Ets
Configuring ETS Consider an example consistent with that used for port‐based PFC configuration (on page 258): Table 25. ETS Configuration Priority Usage PGID Bandwidth LAN (best effort delivery) LAN (best effort delivery) LAN (best effort delivery) SAN (Fibre Channel over Ethernet, with PFC) Business Critical LAN (lossless Ethernet, with PFC) Latency‐sensitive LAN Latency‐sensitive LAN Network Management (strict) unlimited The example shown in Table 25 is only slightly different than the default configuration shown in Figure 26 on page 260. In this example, latency‐sensitive LAN traffic (802.1p priority 5 through 6) are moved from priority group 2 to priority group 3. This leaves Business Critical LAN traffic (802.1p priority 4) in priority group 2 by itself. Also, a new group for network management traffic has been assigned. Finally, the bandwidth allocation for priority groups 1, 2, and 3 are revised. Note: DCBX may be configured to permit sharing or learning PFC configuration with or from external devices. This example assumes that PFC configuration is being performed manually. See “Data Center Bridging Capability Exchange” on page 266 for more information on DCBX. NE2552E Application Guide for ENOS 8.4...
Page 265 10 pgid 1 bandwidth 20 pgid 2 bandwidth 30 pgid 3 bandwidth 40 (Configure link bandwidth restriction) 3. Configure the strict priority group with a description (optional) and a list of 802.1p priority values: NE2552E(config)# cee global ets priority-group pgid 15 priority 7 NE2552E(config)# cee global ets priority-group pgid 15 description "Network Management" Note: Priority group 15 is permitted unlimited bandwidth. As such, the commands for priority group 15 do not include bandwidth allocation. 4. Save the configuration. © Copyright Lenovo 2018 Chapter 15: Fibre Channel over Ethernet...
Page 266: Data Center Bridging Capability Exchange
Data Center Bridging Capability Exchange Data Center Bridging Capability Exchange (DCBX) protocol is a vital element of CEE. DCBX allows peer CEE devices to exchange information about their advanced capabilities. Using DCBX, neighboring network devices discover their peers, negotiate peer configurations, and detect misconfigurations. DCBX provides two main functions on the NE2552E: Peer information exchange  The switch uses DCBX to exchange information with connected CEE devices. For normal operation of any FCoE implementation on the NE2552E, DCBX must remain enabled on all ports participating in FCoE.  Peer configuration negotiation DCBX also allows CEE devices to negotiate with each other for the purpose of automatically configuring advanced CEE features such as PFC, ETS and (for some CNAs) FIP. The administrator can determine which CEE feature settings on the switch are communicated to and matched by CEE neighbors, and also which CEE feature settings on the switch may be configured by neighbor requirements. The DCBX feature requires CEE to be turned on (see “Turning CEE On or Off” on page 246). DCBX Settings When CEE is turned on, DCBX is enabled for peer information exchange on all ports. For configuration negotiation, the following default settings are configured:  Application Protocol: FCoE and FIP snooping is set for traffic with 802.1p priority 3  PFC: Enabled on 802.1p priority 3  Priority group 0 includes priority values 0 through 2, with bandwidth  allocation of 10% Priority group 1 includes priority value 3, with bandwidth allocation of 50% ...
Page 267: Enabling And Disabling Dcbx
The willing flag Set this flag when required by the remote CEE peer for a particular feature as part of DCBX signaling and support. Although some devices may also expect this flag to indicate that the switch will accept overrides on feature settings, the NE2552E retains its configured settings. As a result, the administrator should configure the feature settings on the switch to match those expected by the remote CEE peer. These flags are available for the following CEE features: Application Protocol  DCBX exchanges information regarding FCoE and FIP snooping, including the 802.1p priority value used for FCoE traffic. The advertise flag is set or reset using the following command: NE2552E(config)# [no] cee port <port> dcbx app_proto advertise The willing flag is set or reset using the following command: NE2552E(config)# [no] cee port <port> dcbx app_proto willing © Copyright Lenovo 2018 Chapter 15: Fibre Channel over Ethernet...
Page 268: Configuring Dcbx
 DCBX exchanges information regarding whether PFC is enabled or disabled on the port. The advertise flag is set or reset using the following command: NE2552E(config)# [no] cee port <port> dcbx pfc advertise The willing flag is set or reset using the following command: NE2552E(config)# [no] cee port <port> dcbx pfc willing  DCBX exchanges information regarding ETS priority groups, including their 802.1p priority members and bandwidth allocation percentages. The advertise flag is set or reset using the following command: NE2552E(config)# [no] cee port <port> dcbx ets advertise The willing flag is set or reset using the following command: NE2552E(config)# [no] cee port <port> dcbx ets willing Configuring DCBX Consider an example consistent Figure on page 244 and used with the previous ...
Page 269 NE2552E(config)# cee port EXT5 dcbx enable NE2552E(config)# cee port EXT5 dcbx ets advertise NE2552E(config)# cee port EXT5 dcbx pfc advertise 4. Disable DCBX for each non‐CEE port as appropriate: NE2552E(config)# no cee port INTA3,INTA4-EXT11 enable 5. Save the configuration. © Copyright Lenovo 2018 Chapter 15: Fibre Channel over Ethernet...
Page 270: Fcoe Example Configuration
802.1p Priority & Usage EXT4 INTA1 Channel 3 FCoE Applications Switch 802.1p Priority & Usage INTA2 EXT5 Business-Critical LAN Lenovo Chassis Servers In Figure 27 on page 270, the Fibre Channel network is connected to the FCoE network through an FCF bridge on port. The FCoE‐enabled NE2552E is internally connected to a blade server (ENode) through an FCoE‐enabled CNA on port INT1. 1. Turn global FIP snooping on: NE2552E(config)# fcoe fips enable 2. Disable FIP snooping on all non‐FCoE external ports: NE2552E(config)# no fcoe fips port EXT5-EXT10 enable 3.
Page 271 10 pgid 1 bandwidth 20 pgid 2 bandwidth 30 pgid 3 bandwidth 40 (Configure link bandwidth restriction) Note: Do not place PFC‐enabled traffic queues and non‐PFC traffic queues in the same priority group, as this may result in unexpected network behavior. 10. Configure the strict priority group: NE2552E(config)# cee global ets priority-group pgid 15 priority 7 NE2552E(config)# cee global ets priority-group pgid 15 description "Network Management" © Copyright Lenovo 2018 Chapter 15: Fibre Channel over Ethernet...
Page 272 11. Enable desired DCBX configuration negotiation on FCoE ports: NE2552E(config)# cee port INTA1,EXT4 dcbx enable NE2552E(config)# cee port INTA1,EXT4 dcbx app_proto advertise NE2552E(config)# cee port INTA1.EXT4 dcbx ets advertise NE2552E(config)# cee port INTA1,EXT4 dcbx pfc advertise 12. Enable desired DCBX advertisements on other CEE ports: NE2552E(config)# cee port INTA2,EXT5 dcbx enable NE2552E(config)# cee port INTA2,EXT5 dcbx ets advertise NE2552E(config)# cee port INTA2,EXT5 dcbx pfc advertise 13.
Page 273: Chapter 16. Static Multicast Arp
Chapter 16. Static Multicast ARP The Microsoft Windows operating system includes the Network Load Balancing (NLB) technology that helps to balance incoming IP traffic among multi‐node clusters. In multicast mode, NLB uses a shared multicast MAC address with a unicast IP address. Since the address resolution protocol (ARP) can map an IP address to only one MAC address, port, and VLAN, the packet reaches only one of the servers (the one attached to the port on which the ARP was learnt). To avoid the ARP resolution, you must create a static ARP entry with multicast MAC address. You must also specify the list of ports through which the multicast packet must be sent out from the gateway or Layer 2/Layer 3 node. With these configurations, a packet with a unicast IPv4 destination address and multicast MAC address can be sent out as per the multicast MAC address configuration. NLB maps the unicast IP address and multicast MAC address as follows: Cluster multicast MAC address: 03‐BF‐W‐X‐Y‐Z; where W.X.Y.Z is the cluster unicast IP address. You must configure the static multicast ARP entry only at the Layer 2/Layer 3 or Router node, and not at the Layer 2‐only node. Lenovo ENOS supports a maximum of 20 static multicast ARP entries. Note: If you use the ACL profile or IPMC‐OPT profile, an ACL entry is consumed for each Static Multicast ARP entry that you configure. Hence, you can configure a maximum of 256 ACL and multicast MAC entries together.The ACL entries have a higher priority. In the default profile, the number of static multicast ARP entries that you configure does not affect the total number of ACL entries. © Copyright Lenovo 2018 Chapter 16: Static Multicast ARP...
Page 274: Configuring Static Multicast Arp
Configuring Static Multicast ARP To configure multicast MAC ARP, you must perform the following steps:  Configure the static multicast forwarding database (FDB) entry: Since there is no port list specified for static multicast ARP, and the associated MAC address is multicast, you must specify a static multicast FDB entry for the cluster MAC address to limit the multicast domain. If there is no static multicast FDB entry defined for the cluster MAC address, traffic will not be forwarded. Use the following command: NE2552E(config)# mac-address-table multicast <cluster MAC address> <port(s)> Configure the static multicast ARP entry: Multicast ARP static entries should be  configured without specifying the list of ports to be used. Use the following command: NE2552E(config)# ip arp <destination unicast IP address> <destination multicast MAC address> vlan <cluster VLAN number> Configuration Example Consider the following example: Cluster unicast IP address: 10.10.10.42   Cluster multicast MAC address: 03:bf:0a:0a:0a:2a Cluster VLAN: 42   List of individual or port LAGs to which traffic should be forwarded: 54 and 56 Following are the steps to configure the static multicast ARP based on the given example: 1.
Page 275 --------------- ----------------- ---- ---- 10.10.10.42 03:bf:0a:0a:0a:2a Total number of arp entries : 2 IP address Flags MAC address VLAN Age Port --------------- ----- ----------------- ---- --- ---- 10.10.10.1 fc:cf:62:9d:74:00 10.10.10.42 03:bf:0a:0a:0a:2a © Copyright Lenovo 2018 Chapter 16: Static Multicast ARP...
Page 276: Limitations
Limitations  You must configure the ARP only in the Layer 2/Layer 3 node or the router node but not in the Layer 2‐only node. Lenovo ENOS cannot validate if the node is Layer 2‐only.  The packet is always forwarded to all the ports as specified in the Multicast MAC address configuration. If VLAN membership changes for the ports, you must update this static multicast MAC entry. If not, the ports, whose membership has changed, will report discards.  ACLs take precedence over static multicast ARP. If an ACL is configured to match and permit ingress of unicast traffic, the traffic will be forwarded based on the ACL rule, and the static multicast ARP will be ignored. NE2552E Application Guide for ENOS 8.4...
Page 277: Chapter 17. Dhcp Snooping
Chapter 17. DHCP Snooping DHCP snooping provides security by filtering untrusted DHCP packets and by building and maintaining a DHCP snooping binding table. This feature is applicable only to IPv4 and only works in non‐stacking mode. An untrusted interface is a port that is configured to receive packets from outside the network or firewall. A trusted interface receives packets only from within the network. By default, all DHCP ports are untrusted. The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and port number that correspond to the local untrusted interface on the switch; it does not contain information regarding hosts interconnected with a trusted interface. By default, DHCP snooping is disabled on all VLANs. You can enable DHCP snooping on one or more VLANs. You must enable DHCP snooping globally. To enable this feature, enter the following commands: NE2552E(config)# ip dhcp snooping vlan <vlan number(s)> NE2552E(config)# ip dhcp snooping Note: When you make a DHCP release from a client, the switch does not forward the Unicast DHCP release packet to the server, the entry is not removed from the DHCP snooping binding table, and the counter for Received Request packets does not increase even though the release packet does arrive at the switch. If you want the DHCP Renew/Release packet to be forwarded to the server and the corresponding entry removed from the DHCP snooping binding table, configure an interface IP address with the same subnet in the same VLAN. © Copyright Lenovo 2018...
Page 278 NE2552E Application Guide for ENOS 8.4...
Page 279: Chapter 18. Dynamic Arp Inspection
MAC address MC as the destination MAC address for traffic intended for Host B. Host C then intercepts that traffic. Because Host C knows the true MAC addresses associated with Host B, it forwards the intercepted traffic to that host by using the correct MAC address as the destination, keeping the appearance of regular behavior. Figure 28. ARP Cache Poisoning Host A Host B (IA, MA) (IB, MB) Host C (man-in-the-middle) (IC, MC) Understanding DAI Dynamic ARP Inspection is a security feature that lets the switch intercept and examine all ARP request and response packets in a subnet, discarding those packets with invalid IP to MAC address bindings. This capability protects the network from man‐in‐the‐middle attacks. A switch on which ARP Inspection is configured does the following:  Intercepts all ARP requests and responses on untrusted ports. Verifies that each of these intercepted packets has a valid IP/MAC/VLAN/port  binding before updating the local ARP cache or before forwarding the packet to the appropriate destination. © Copyright Lenovo 2018...
Page 280: Interface Trust States And Network Security
 Drops invalid ARP packets and sends a syslog message with details about each dropped packet. DAI determines the validity of an ARP packet based on valid IP‐to‐MAC address bindings stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the switch. As shown in Figure 29, if the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid. For hosts with statically configured IP addresses, static DHCP snooping binding entries can be configured with a big lease time. Figure 29. Dynamic ARP inspection at work Valid Packets Packets Packets DHCP Snooping/ Binding Invalid Packet Interface Trust States and Network Security DAI associates a trust state with each interface on the switch. In a typical network configuration, you configure all switch ports connected to host ports as untrusted and configure all switch ports connected to switches as trusted. With this configuration, all ARP packets entering the network from a given switch bypass the security check. The trust state configuration should be done carefully: configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity. In Figure 30, assume that both Switch A and Switch B are running DAI on the VLAN that includes Host 1 and Host 2. If Host 1 and Host 2 acquire their IP addresses from the DHCP server connected to Switch A, only Switch A has the ...
Page 281 Port 1 Port 2 Port 2 Port 3 Port 3 Host 1 Host 2 If Switch A is not running DAI, Host 1 can easily poison the ARP caches of Switch B and Host 2, if the link between the switches is configured as trusted. This condition can occur even though Switch B is running DAI. The best option for the setup from Figure 30 is to have DAI running on both switches and to have the link between the switches configured as trusted. In cases in which some switches in a VLAN run DAI and other switches do not, configure the interfaces connecting such switches as untrusted. However, to validate the bindings of packets from switches where DAI is not configured, configure static DHCP snooping binding entries on the switch running DAI. When you cannot determine such bindings, isolate switches running DAI at Layer 3 from switches not running DAI. DAI ensures that hosts (on untrusted interfaces) connected to a switch running DAI do not poison the ARP caches of other hosts in the network. However, DAI does not prevent hosts in other portions of the network connected through a trusted interface from poisoning the caches of the hosts that are connected to a switch running DAI. © Copyright Lenovo 2018 Chapter 18: Dynamic ARP Inspection...
Page 282: Dai Configuration Guidelines And Restrictions
DAI Configuration Guidelines and Restrictions When configuring DAI, follow these guidelines and restrictions:  DAI is an ingress security feature; it does not perform any egress checking.  DAI is not effective for hosts connected to switches that do not support DAI or that do not have this feature enabled. Because man‐in‐the‐middle attacks are limited to a single Layer 2 broadcast domain, separate the domain with DAI checks from the one with no checking. This action secures the ARP caches of hosts in the domain enabled for DAI.  DAI depends on the entries in the DHCP snooping binding database to verify IP‐to‐MAC address bindings in incoming ARP requests and ARP responses.  For non‐DHCP environments, for each static IP address add a static DHCP Snooping binding entry with the biggest lease time in order not to expire.  Ports belonging to a port‐channel must have the same trust state. DAI Configuration Example Following is the configuration for the example in Figure SwitchA(config)# ip arp inspection vlan 2 SwitchA(config)# interface port 1-2 SwitchA(config-if)# ip arp inspection trust SwitchA(config-if)# exit SwitchA(config)# interface port 3 SwitchA(config-if)# no ip arp inspection trust...
Page 283 SwitchA# show ip arp inspection interfaces Interface Trust State --------- ----------- Trusted Trusted Untrusted Untrusted When Host 1 tries to send an ARP with an IP address of 1.1.1.3 that is not present in the DHCP Binding table, the packet is dropped and an error message similar to the following is logged: “Dec 16 21:00:10 192.168.49.50 NOTICE ARP-Inspection: Invalid ARP Request on port 3, VLAN 2 ([00:02:00:02:00:02/1.1.1.3/00:00:00:00:00:00/1.1.1.4])” © Copyright Lenovo 2018 Chapter 18: Dynamic ARP Inspection...
Page 284 NE2552E Application Guide for ENOS 8.4...
Page 285: Chapter 19. Unified Fabric Port
NIC Port Switch Port vPort Switch VNIC vPort OS or Hypervisor VNIC vPort vPort VNIC The UFP protocol has the following operation categories: Channel Initialization: The server NIC and the switch port negotiate the number  of channels and establish channel identifiers. Each UFP channel has a data component and a control component. The two components have the same UFP channel ID.  Channel Control: For an established channel, the switch can modify configurable channel properties by sending a control message on the UFP channel. While the channel ID is the same for the control and data components, the destination MAC address of the control message frame is a well‐known address 01-80-C2-00-00-03.  Discovery Capability: UFP can discover other ports that are UFP enabled. Once you enable UFP, you can check the information statistics for established channels. © Copyright Lenovo 2018 Chapter 19: Unified Fabric Port...
Page 286: Ufp Considerations
UFP Considerations The following limitations apply when configuring UFP:  FCoE must be configured only on vPort 2 of the physical NIC for Emulex CNA and on vPort 1 of the physical NIC for Qlogic CNA. For Qlogic Jawa CNA, FCoE must be configured on vPort 2.  VLANs that have member vPorts configured in trunk or access modes cannot have member vPorts configured in tunnel mode or FCoE.  vPorts on a physical port must be members of separate VLANs.  VLANs 4002‐4009 are reserved for outer tagging.  A UFP‐enabled port with no vPorts configured cannot belong to the same VLAN as a UFP‐enabled port that has vPorts configured in trunk, access modes. UFP bandwidth is guaranteed lossless only for unicast traffic.   UFP vPorts support up to 1024 VLANs in trunk mode on the switch in standalone mode.  When CEE is turned on, FCoE vPort must be used for lossless priority traffic. For loss‐tolerant priority traffic, a non‐FCoE UFP vPort must be used. The lossless property of FCoE vPort is not guaranteed, if lossless and loss‐tolerant traffic are combined. When the vPort is enabled and the channel link state is up, the system does not  support changing vPort VLAN type from private/non‐private to non‐private/private. A maximum of eight vPorts can be configured for each physical switch port.  QoS Enhanced Transmission Selection (ETS) mode must be enabled when configuring more than four vPorts of a physical switch port. For more details about ETS mode, check page 290.  If QoS ETS mode is used, a FCoE vPort must be configured with priority 3.  UFP vPorts cannot be aggregated to form a LAG/vLAG client.
Page 287: Virtual Ports Modes
S‐tag). vPort-VLAN Mapping In local domain data path type, the switch and server identify the vPort and vNIC by the port and VLAN tag in the incoming and outgoing packets. Because no two vPorts carry traffic for the same VLAN, the port‐and‐VLAN combination must be uniquely mapped to a vPort. UFP vPort Mode The UFP mode is configured based on the type of switching domain (single VLAN or multiple VLANs) where the vPort is connected.  Use local domain data path types for trunk or access mode.  Use pass‐through domain data path types for tunnel mode. In tunnel mode, a vPort can belong to only one VLAN. Use the following command to configure UFP vPort mode: NE2552E(config)# ufp port <num> vport <num> NE2552E(config_ufp_vport)# network mode {access|trunk|tunnel|fcoe} Notes:  Default mode is tunnel. © Copyright Lenovo 2018 Chapter 19: Unified Fabric Port...
Page 288: Tunnel Mode
Use tunnel mode to send all VM data traffic to an upstream switch, for Layer 2 or Layer 3 processing, in one domain. In such cases, the UFP port or vPort must be in tunnel mode and the upstream switch port must be in 802.1Q trunk mode. Note: Two vPorts on a physical port cannot be members of the same VLAN. Figure 32. Packet pass‐through in Tunnel Mode Server vNICs vPorts Lenovo Switch Ports without vNICs OS/Hypervisor Regular NIC attaches UFP Switching uses outer tag; Switch strips VLAN ID Channel VLAN ID Ignores regular VLAN outer tag...
Page 289: Access Mode
Access Mode In access mode, a vPort carries packets with inner tags that belong to one VLAN. The vPort is associated with the VLAN defined by the command: NE2552E(config_ufp_vport)# network default-vlan <2‐4094> Note: VLANs 4002‐4009 are reserved for outer tagging. FCoE Mode FCoE traffic is carried by a vPort. The server‐side endpoint of this virtual port will be represented through a FC vHBA. Setting a virtual port in FCoE mode will enable Priority‐based Flow Control (PFC) on the physical port. A vPort configured in FCoE mode can only be attached to a Fibre Channel (FC) VLAN. A vPort in FCoE mode operates as a local domain data path type with packets being single tagged. © Copyright Lenovo 2018 Chapter 19: Unified Fabric Port...
Page 290: Ufp Bandwidth Provisioning
UFP Bandwidth Provisioning UFP provides two modes of bandwidth provisioning for vPort: Enhanced Transmission Selection (ETS) mode and Strict Bandwidth Provisioning mode. Enhanced Transmission Selection mode Enhanced Transmission Selection (ETS) mode of bandwidth provisioning is useful when an end‐to‐end QoS framework for the entire data center, with bandwidth provisioning for different applications, is desired. ETS mode color marks traffic from point of origination to point of destination. It helps to couple QoS provisioning in the access layer with data center fabric. Note: ETS mode requires Converged Enhanced Ethernet (CEE) to be enabled globally. This mode functions with the ETS feature available on the NE2552E. You must first define the ETS characteristics of the NE2552E. Assign each vPort to the desired traffic class by assigning a system class priority. The Data Center Bridging Capabilities Exchange (DCBX) and UFP protocols propagate the configured parameters for the vPort to apply appropriate traffic coloring and shaping at the source. When operating in this mode, traffic scheduling and bandwidth allocation behavior on switch egress is driven by the ETS class of traffic. When two vPorts use the same traffic class configuration, the order in which switch schedules traffic at egress depends on the order the traffic arrives at egress buffer. Since bandwidth allocation is derived from traffic class rather than vNIC, switch egress doesn’t differentiate between different vPort traffics. In a virtualized environment, the hypervisor or guest VM may define its own traffic class priority. When configured this way, the priority defined by the OS or Hypervisor takes precedence over vPort‐configured priority. Use the following commands to configure ETS bandwidth provisioning: 1. Enable UFP ETS mode on a specific port: NE2552E(config)# ufp port <port> qos-mode ets 2.
Page 291: Ufp Strict Bandwidth Provisioning Mode
NE2552E(config)# ufp port <port> qos-mode bw 2. Configure the bandwidth settings for a specific vPort: NE2552E(config)# ufp port <port> vport <1‐8> NE2552E(config_ufp_vport)# qos bandwidth {max|min} <10‐100> min - Sets minimum guaranteed bandwidth max - Sets maximum allowed bandwidth Note: Total minimum guaranteed bandwidth of enabled vPorts on a physical switch port needs to be 100%. © Copyright Lenovo 2018 Chapter 19: Unified Fabric Port...
Page 292: Using Ufp With Other Ne2552E Flex Switch Features
Using UFP with Other NE2552E Flex Switch Features UFP works with other NE2552E features, as described with limitations and details. Layer 2 Failover UFP failover can be configured with auto‐monitoring or manual monitoring. In auto‐monitoring, a vPort is automatically associated with a Failover trigger if it has any VLAN in common with the monitor ports. Layer 2 failover is not supported on UFP ports in auto mode. For more information on failover, see “Layer 2 Failover” on page 437. For an example configuration, see “Example 7: Layer 2 Failover Configuration” on page 302. Increased VLAN Limits Configured with UFP and VLANs, a vPort can support up to 1024 VLANs. A UFP port supports 1024 VLANs on the switch in standalone mode. For more information on VLAN configuration, see “VLANs” on page 135. Private VLANs It supports the following Private VLAN modes in UFP vPorts: Disabled   Trunk Promiscuous   Host The following are the criteria of these Private VLAN modes: Private‐VLAN mode is disabled: ...
Page 293: Igmp
Warns if no primary VLAN is associated with the secondary VLAN assigned  to a vPort. UFP with private VLANs is supported under the following limitations:  vPorts from the same physical port cannot belong to the same private VLAN domain.  vPorts cannot be configured with a primary VLAN as a default VLAN, only with secondary VLANs.  UFP ports cannot have switchport mode private‐VLAN enabled on them.  Private VLAN is supported only on vPorts configured with trunk or access mode.  UFP cannot be configured on promiscuous ports. For more information on private VLANs, see “Private VLANs” on page 151 . IGMP A vPort is able to learn and configure IGMP entries (IGMP/IPMC groups and Mrouters.). The IPMC traffic will always be forwarded according to the IGMP entries, regardless of the location of the IGMP entries (on physical or logical ports) and the RX port type. For an example configuration, see “Example 6: UFP with IGMP Configuration” on page 300. Note: Double tagged IGMP related packets will not be forwarded to tagged VMs based on inner tag when tagpvid‐ingress is enabled or UFP vPorts are configured in tunnel mode. © Copyright Lenovo 2018 Chapter 19: Unified Fabric Port...
Page 294: Ufp Configuration Examples
UFP Configuration Examples Following is an example configuration of UFP vPorts in access mode. Example 1: Access Mode 1. Turn on UFP. NE2552E(config)# ufp enable 2. Configure internal port as UFP. NE2552E(config)# ufp port INTA1 enable Warning: "Tagging/Trunk-mode" is enabled on UFP port INTA1 3. Configure virtual port. NE2552E(config)# ufp port INTA1 vport 1 4. Configure vPort access mode. NE2552E(config_ufp_vport)# network mode access 5.
Page 295: Example 2: Trunk Mode
NE2552E(config_ufp_vport)# exit 8. Configure internal port 2 as UFP. NE2552E(config)# ufp port INTA2 enable Warning: "Tagging/Trunk-mode" is enabled on UFP port INTA2 9. Configure virtual port. NE2552E(config)# ufp port INTA2 vport 3 10. Configure vPort trunk mode. NE2552E(config_ufp_vport)# network mode trunk © Copyright Lenovo 2018 Chapter 19: Unified Fabric Port...
Page 296 11. Configure the vPort default VLAN. NE2552E(config_ufp_vport)# network default-vlan 100 12. Optionally, you can disable tagging on the vPort. NE2552E(config_ufp_vport)# no network default-tag 13. Specify QoS parameters for the vPort. NE2552E(config_ufp_vport)# qos bandwidth min 15 (in percentage) NE2552E(config_ufp_vport)# qos bandwidth max 95 (in percentage) 14. Enable vPort. NE2552E(config_ufp_vport)# enable NE2552E(config_ufp_vport)# exit 15. Enable tagging/trunk mode on external port 1. NE2552E(config)# interface port EXT1 NE2552E(config-if)# switchport mode trunk NE2552E(config-if)# switchport trunk native vlan 100 NE2552E(config-if)# switchport trunk allowed vlan add 200,300 NE2552E(config-if)# exit...
Page 297: Example 3: Tunnel Mode
NE2552E(config_ufp_vport)# enable NE2552E(config_ufp_vport)# exit 8. Configure tagging of ingress frames with the port’s VLAN ID on external port 1. NE2552E(config)# interface port EXT1 NE2552E(config-if)# tagpvid-ingress NE2552E(config-if)# no vlan dot1q tag native NE2552E(config-if)# switchport access vlan 4000 NE2552E(config-if)# exit Example 4: FCoE Mode Following is an example configuration of UFP vPorts in FCoE mode. This example is consistent with the network shown in . © Copyright Lenovo 2018 Chapter 19: Unified Fabric Port...
Page 298 1. Enable CEE. NE2552E(config)# cee enable 2. Enable FIPs. NE2552E(config)# fcoe fips enable 3. Turn on UFP. NE2552E(config)# ufp enable 4. Configure internal port as UFP. NE2552E(config)# ufp port INTA1 enable Warning: "Tagging/Trunk-mode" is enabled on UFP port INTA1 5. Configure virtual port. NE2552E(config)# ufp port INTA1 vport 2 6. Configure vPort FCoE mode. NE2552E(config_ufp_vport)# network mode fcoe 7.
Page 299: Example 5: Private Vlan Configuration
NE2552E(config-vlan)# private-vlan community NE2552E(config-vlan)# exit NE2552E(config)# vlan 703 NE2552E(config-vlan)# private-vlan community NE2552E(config-vlan)# exit 4. Map secondary VLANs to primary VLAN. NE2552E(config)# vlan 700-703 NE2552E(config-vlan)# stg 1 NE2552E(config-vlan)# exit NE2552E(config)# vlan 700 NE2552E(config-vlan)# private-vlan association 701,702,703 NE2552E(config-vlan)# exit © Copyright Lenovo 2018 Chapter 19: Unified Fabric Port...
Page 300: Example 6: Ufp With Igmp Configuration
5. Set up vPorts on ports 1 and 2. NE2552E(config)# ufp port INTA1 enable NE2552E(config)# ufp port INTA1 vport 1 NE2552E(config-ufp-vport)# network private-vlan trunk NE2552E(config-ufp-vport)# network default-vlan 100 NE2552E(config-ufp-vport)# network mode trunk NE2552E(config-ufp-vport)# enable NE2552E(config-ufp-vport)# exit NE2552E(config)# ufp port INTA2 enable NE2552E(config)# ufp port INTA2 vport 1 NE2552E(config-ufp-vport)# network private-vlan promiscuous NE2552E(config-ufp-vport)# network default-vlan 200 NE2552E(config-ufp-vport)# network mode trunk...
Page 301 NE2552E(config)# ip igmp snoop vlan 100 NE2552E(config)# ip igmp snoop enable 7. Enable IGMP. NE2552E(config)# ip igmp enable (Turn on IGMP) 8. Verify the configuration: NE2552E(config)# show ip igmp groups interface vport inta1.1 NE2552E(config)# show ip igmp mrouter interface vport inta1.1 © Copyright Lenovo 2018 Chapter 19: Unified Fabric Port...
Page 302: Example 7: Layer 2 Failover Configuration
Example 7: Layer 2 Failover Configuration While configuring a failover trigger, you cannot use the member command for a physical port that has vPorts configured. Instead, you must use the vmember command to add the vPorts as members of a failover trigger. The following example includes the commands to configure a failover trigger using a physical port INTA8 (UFP not enabled) and vPorts INTA9.1, INTA10.2 and INTA11.3 configured on UFP‐enabled physical ports INTA9, INTA10 and INTA11. See “Example 1: Access Mode” on page 294 for steps to configure a vPort in access mode. Follow the steps below for configuring the failover trigger: 1. Enable failover globally: NE2552E(config)# failover enable 2. Configure trigger 1 and add monitor and control ports: NE2552E(config)# failover trigger 1 mmon monitor member EXT1 NE2552E(config)# failover trigger 1 mmon control member INTA8 NE2552E(config)# failover trigger 1 mmon control vmember INTA9.1, INTA10.2,INTA11.3 Note: If you try to add a physical port (that has vPorts configured) as a ...
Page 303: Example 8: 8 Vports With Ets Bandwidth Provisioning Mode
NE2552E(config_ufp_vport)# qos ets priority 6 NE2552E(config_ufp_vport)# enable NE2552E(config_ufp_vport)# exit NE2552E(config)# ufp port INTA10 vport 8 NE2552E(config_ufp_vport)# network mode tunnel NE2552E(config_ufp_vport)# network default-vlan 654 NE2552E(config_ufp_vport)# qos ets priority 7 NE2552E(config_ufp_vport)# enable NE2552E(config_ufp_vport)# exit © Copyright Lenovo 2018 Chapter 19: Unified Fabric Port...
Page 304 2. Configure ETS mode as the UFP QoS mode for port INTA10: NE2552E(config)# ufp port INTA10 qos-mode ets 3. Enable UFP on port INTA10: NE2552E(config)# ufp port INTA10 enable 4. Globally enable Converged Enhanced Ethernet (CEE): NE2552E(config)# cee enable 5. Globally enable UFP: NE2552E(config)# ufp enable 6. Add VLANs to IGMP Snooping and enable IGMP Snooping. NE2552E(config)# ip igmp snoop vlan 101 NE2552E(config)# ip igmp snoop enable 7. Enable IGMPv3 Snooping (optional). NE2552E(config)# ip igmp snoop igmpv3 enable 8.
Page 305: Chapter 20. Switch Partition
Chapter 20. Switch Partition Switch Partition (SPAR) enables consolidation of multiple network partitions within an embedded switch. SPARs divide the data plane of a physical switch into independent switching domains. Switch partitions are isolated from each other. Traffic originating in one SPAR stays local to that SPAR. Within a partitioned switch, traffic from one SPAR is never delivered to another SPAR. Traffic from one SPAR can, however, be delivered to another SPAR by traversing an upstream link and switch. Each individual SPAR requires exactly one uplink, which can be a port, a port channel, or an LACP group. Limiting SPAR connectivity to one external uplink prevents the creation of loops. SPAR operates as a Layer 2 broadcast network. Hosts on the same VLAN, attached to a SPAR, can communicate with each other and with the upstream switch. Hosts on the same VLAN, but attached to different SPARs, communicate via the upstream switch. © Copyright Lenovo 2018 Chapter 20: Switch Partition...
Page 306: Spar Processing Modes
SPAR Processing Modes SPAR operates in two processing modes. The default mode is pass‐through domain.  Local Domain: In local‐domain processing mode, VLAN classification and assignment is based on the user‐defined VLAN.  Pass‐through Domain: In pass‐through domain processing mode, VLAN classification and assignment is based on the outer tag, which contains the unique domain VLAN ID of the SPAR. The inner tag with the user‐defined VLAN remains unchanged. Local Domain Processing Each SPAR on a switch has a unique VLAN ID, which separates data between SPARs. If multiple networks share the uplink, the upstream switch port must be configured as a 802.1Q trunk port so it can process multiple VLAN traffic from a SPAR. The SPAR domain uses a single uplink port or LAG shared among all the VLANs. For link redundancy or greater bandwidth, the uplinks can be grouped as static or LACP LAG. If a VLAN is defined on multiple SPARs, the egress port mask is used to prevent communication between the SPARs in the same local domain VLAN. Since port membership of each SPAR is unique, the egress port mask ensures that different SPAR ports in the same local domain VLAN do not communicate with each other. In local domain processing, all SPAR ports must have the following settings:  Tagging/Trunk mode must be enabled.  Ingress VLAN tagging is disabled on all SPAR ports.  PVID/Native VLAN is based on any VLAN defined in SPAR. NE2552E(config)# interface port <num> NE2552E(config-if)# switchport trunk native vlan <VLAN number> NE2552E Application Guide for ENOS 8.4...
Page 307: Pass-Through Domain Processing
SPAR provides single or multiple VLAN connectivity through a single uplink port or LAG (static or LACP). VLAN definition within the SPAR domain is not required. Pass‐through domain operates in Q‐In‐Q mode. Inside SPAR, different user‐defined VLAN traffic is classified into single S‐VLAN (service VLAN) associated with the SPAR. Although the uplink can be shared by multiple networks using the pass‐through domain, SPAR will not be server‐VLAN aware. Hence, multiple VLAN traffic will be mixed together in a single broadcast domain, that is, broadcast traffic on different VLANs from the upstream network will reach all servers attached to the SPAR pass‐through domain. The servers drop the packets if they do not belong to the desired VLAN. The pass‐through implementation uses ingress VLAN tagging, that is, tagpvid‐ingress is enabled on all SPAR ports. In pass‐through domain processing mode, all SPAR ports must have the following settings: PVID/Native VLAN tagging is disabled.   Ingress VLAN tagging is enabled on all SPAR ports. PVID/Native VLAN is based on the SPAR DVLAN.  NE2552E(config)# interface port <num> NE2552E(config-if)# switchport trunk native vlan <VLAN number> © Copyright Lenovo 2018 Chapter 20: Switch Partition...
Page 308: Limitations
Limitations The following limitations apply:  UFP and SPAR cannot be configured together.  LAGs must first be configured for SPAR before they can be used. Static or Link Aggregation Control Protocol (LACP) LAGs created on the global switch cannot reference any SPAR ports. Use the commands in the following menus to define LAGs in the SPAR context: NE2552E(config)# spar <num> NE2552E(config-spar)# uplink ? adminkey Set lacp trunk for uplink port Set external port for uplink PortChannel Set portchannel for uplink NE2552E(config)# portchannel ? <1-52> PortChannel group <53-104> LACP PortChannel group thash Port Channel hash configuration ACLs defined on the global switch can be used for SPAR ports. However, the ...
Page 309: Unsupported Features
Unsupported Features The following features are not supported when SPAR is configured: 802.1x   Edge Virtual Bridging Hotlinks   IGMP Layer 3 Configuration   Management VLAN Private VLAN   Protocol VLAN sFlow   STP, RSTP, MRSTP, PVST   vLAG © Copyright Lenovo 2018 Chapter 20: Switch Partition...
Page 310: Spar Vlan Management
SPAR VLAN Management SPAR VLANs use the same 4000 VLAN space available for other applications/features on the switch. The VLAN ID can be in the range of 2 ‐ 4094. VLAN 1 and the management VLAN 4095 are reserved for the global switch context. A VLAN assigned to a SPAR cannot be used for any other switch application. Similarly, VLAN used by any other switch application cannot be assigned to a SPAR. SPAR member ports cannot be members of any other VLAN. NE2552E Application Guide for ENOS 8.4...
Page 311: Example Configurations
NE2552E(config-spar)# domain default vlan 4081 5. Add ports INTA5 through INTA10 to SPAR 1. NE2552E(config-spar)# domain default member INTA5-INTA10 6. Enable SPAR 1. NE2552E(config-spar)# enable Local Domain Configuration This example demonstrates how to create a SPAR in local‐domain mode consisting of internal server ports INTA11‐INTA14 and a single uplink port, EXT 2. 1. Create SPAR 2. NE2552E(config)# spar 2 2. Add uplink port EXT 2 to SPAR 2. NE2552E(config-spar)# uplink port EXT2 © Copyright Lenovo 2018 Chapter 20: Switch Partition...
Page 312 3. Set the SPAR to local domain mode. NE2552E(config-spar)# domain mode local 4. Configure SPAR VLAN to 4082. NE2552E(config-spar)# domain default vlan 4082 5. Add server ports INTA11 through INTA14. NE2552E(config-spar)# domain default member INTA11-INTA14 6. Configure the VLANs for SPAR 2. Each SPAR has a set of local domains numbered 1 through 32, each of which identifies an allowed VLAN. The following steps create three local domains: VLAN, 10, 20, and 30 7. Create local domain 1, assign VLAN 10, and specify the SPAR ports that are members of the that VLAN. NE2552E(config-spar)# domain local 1 vlan 10 NE2552E(config-spar)# domain local 1 member INTA11-INTA14 NE2552E(config-spar)# domain local 1 enable 8.
Page 313: Part 5: Ip Routing
Part 5: IP Routing This section discusses Layer 3 switching functions. In addition to switching traffic at near line rates, the application switch can perform multi‐protocol routing. This section discusses basic routing and advanced routing protocols:  Basic Routing  Routing Information Protocol (RIP)  Internet Group Management Protocol (IGMP)  Border Gateway Protocol (BGP)  Open Shortest Path First (OSPF) © Copyright Lenovo 2018...
Page 314 NE2552E Application Guide for ENOS 8.4...
Page 315: Chapter 21. Basic Ip Routing
 Connects the server IP subnets to the rest of the backbone network.  Provides the ability to route IP traffic between multiple Virtual Local Area Networks (VLANs) configured on the switch. Routing Between IP Subnets The physical layout of most corporate networks has evolved over time. Classic hub/router topologies have given way to faster switched topologies, particularly now that switches are increasingly intelligent. The NE2552E is intelligent and fast enough to perform routing functions on par with wire‐speed Layer 2 switching. The combination of faster routing and switching in a single device provides another service—it allows you to build versatile topologies that account for legacy configurations. Consider an example in which a corporate campus has migrated from a router‐centric topology to a faster, more powerful, switch‐based topology. As is often the case, the legacy of network growth and redesign has left the system with a mix of illogically distributed subnets. This is a situation that switching alone cannot cure. Instead, the router is flooded with cross‐subnet communication. This compromises efficiency in two ways:  Routers can be slower than switches. The cross‐subnet side trip from the switch to the router and back again adds two hops for the data, slowing throughput con‐ siderably. Traffic to the router increases, increasing congestion.  Even if every end‐station could be moved to better logical subnets (a daunting task), competition for access to common server pools on different subnets still burdens the routers. This problem is solved by using NE2552Es with built‐in IP routing capabilities. Cross‐subnet LAN traffic can now be routed within the switches with wire speed Layer 2 switching performance. This not only eases the load on the router but saves the network administrators from reconfiguring each and every end‐station with new IP addresses. © Copyright Lenovo 2018...
Page 316 Take a closer look at the NE2552E in the following configuration example: Figure 34. Switch‐Based Routing Topology First Floor Second Floor 10/100 Client Subnet 10/100 Client Subnet 100.20.10.2-254 131.15.15.2-254 10 Gbps Server Subnet: 206.30.15.2-254 Primary Default IF#2 IF#3 Router: 205.21.17.1 IF#4 IF#1 10 Gbps Secondary Default Router: 205.21.17.2 The NE2552E connects the Gigabit Ethernet and Fast Ethernet LAGs from various switched subnets throughout one building. Common servers are placed on another subnet attached to the switch. A primary and backup router are attached to the switch on yet another subnet. Without Layer 3 IP routing on the switch, cross‐subnet communication is relayed to the default gateway (in this case, the router) for the next level of routing ...
Page 317: Subnet Routing Example
NE2552E(config-ip-if)# ip address 100.20.10.1 255.255.255.0 enable NE2552E(config-ip-if)# exit NE2552E(config)# interface ip 3 (Select IP interface 3) NE2552E(config-ip-if)# ip address 131.15.15.1 255.255.255.0 enable NE2552E(config-ip-if)# exit NE2552E(config)# interface ip 4 (Select IP interface 4) NE2552E(config-ip-if)# ip address 206.30.15.1 255.255.255.0 enable NE2552E(config-ip-if)# exit © Copyright Lenovo 2018 Chapter 21: Basic IP Routing...
Page 318 3. Set each server and workstation’s default gateway to the appropriate switch IP interface (the one in the same subnet as the server or workstation). 4. Configure the default gateways to the routers’ addresses. Configuring the default gateways allows the switch to send outbound traffic to the routers: NE2552E(config)# ip gateway 1 address 205.21.17.1 enable NE2552E(config)# ip gateway 2 address 205.21.17.2 enable 5. Verify the configuration. NE2552E(config)# show interface ip Examine the resulting information. If any settings are incorrect, make the appropriate changes. NE2552E Application Guide for ENOS 8.4...
Page 319 NE2552E(config-if)# switchport trunk allowed vlan add 2 NE2552E(config-if)# exit NE2552E(config)# vlan 3 NE2552E(config-vlan)# exit NE2552E(config)# interface port inet5a,int6a (Add ports to VLAN 3) NE2552E(config-if)# switchport mode trunk NE2552E(config-if)# switchport trunk allowed vlan add 3 NE2552E(config-if)# exit © Copyright Lenovo 2018 Chapter 21: Basic IP Routing...
Page 320 Each time you add a port to a VLAN, you may get the following prompt: Port 4 is an untagged port and its current PVID is 1. Confirm changing PVID from 1 to 2 [y/n]? Enter y to set the default Port VLAN ID (PVID) for the port. 3. Add each IP interface to the appropriate VLAN. Now that the ports are separated into three VLANs, the IP interface for each subnet must be placed in the appropriate VLAN. From Table 28, the settings are made as follows: NE2552E(config)# interface ip 1 (Select IP interface 1) NE2552E(config-ip-if)# vlan 2 (Add VLAN 2) NE2552E(config-vlan)# exit NE2552E(config)# interface ip 2 (Select IP interface 2) NE2552E(config-ip-if)# vlan 1 (Add VLAN 1)
Page 321: Bootp Relay Agent
BOOTP Relay Agent Configuration To enable the NE2552E to be the BOOTP forwarder, you need to configure the BOOTP server IP addresses on the switch, and enable BOOTP relay on the interface(s) on which the BOOTP requests are received. Generally, you should configure the command on the switch IP interface that is closest to the client, so that the BOOTP server knows from which IP subnet the newly allocated IP address should come. Use the following commands to configure the switch as a BOOTP relay agent: NE2552E(config)# ip bootp-relay enable NE2552E(config)# ip bootp-relay server <1‐5> address <IPv4 address> Use the following command to enable the Relay functionality on an IP interface: NE2552E(config)# interface ip <interface number> NE2552E(config-ip-if)# relay NE2552E(config-ip-if)# exit © Copyright Lenovo 2018 Chapter 21: Basic IP Routing...
Page 322: Domain-Specific Bootp Relay Agent Configuration
Domain-Specific BOOTP Relay Agent Configuration Use the following commands to configure up to four domain‐specific BOOTP relay agents for each of up to 10 VLANs: NE2552E(config)# ip bootp-relay bcast-domain <1‐10> vlan <VLAN number> NE2552E(config)# ip bootp-relay bcast-domain <1‐10> server <1‐5> address <IPv4 address> NE2552E(config)# ip bootp-relay bcast-domain <1‐10> enable As with global relay agent servers, domain‐specific BOOTP/DHCP functionality may be assigned on a per‐interface basis. NE2552E Application Guide for ENOS 8.4...
Page 323: Dynamic Host Configuration Protocol
DHCP relay agent eliminates the need to have DHCP/BOOTP servers on every subnet. It allows the administrator to reduce the number of DHCP servers deployed on the network and to centralize them. Without the DHCP relay agent, there must be at least one DHCP server deployed at each subnet that has hosts needing to perform the DHCP request. Note: The switch accepts gateway configuration parameters if they were not configured manually. The switch ignores DHCP gateway parameters if the gateway is configured. DHCP Relay Agent DHCP is described in RFC 2131, and the DHCP relay agent supported on NE2552Es is described in RFC 1542. DHCP uses UDP as its transport protocol. The client sends messages to the server on port 67 and the server sends messages to the client on port 68. DHCP defines the methods through which clients can be assigned an IP address for a finite lease period and allowing reassignment of the IP address to another client later. Additionally, DHCP provides the mechanism for a client to gather other IP configuration parameters it needs to operate in the TCP/IP network. In the DHCP environment, the NE2552E acts as a relay agent. The DHCP relay feature enables the switch to forward a client request for an IP address to two BOOTP servers with IP addresses that have been configured on the switch. When a switch receives a UDP broadcast on port 67 from a DHCP client requesting an IP address, the switch acts as a proxy for the client, replacing the client source IP (SIP) and destination IP (DIP) addresses. The request is then forwarded as a UDP Unicast MAC layer message to two BOOTP servers whose IP addresses are configured on the switch. The servers respond as a UDP Unicast message back to the switch, with the default gateway and IP address for the client. The destination © Copyright Lenovo 2018 Chapter 21: Basic IP Routing...
Page 324: Dhcp Relay Agent Configuration
IP address in the server response represents the interface address on the switch that received the client request. This interface address tells the switch on which VLAN to send the server response to the client. DHCP Relay Agent Configuration To enable the NE2552E to be the BOOTP forwarder, you need to configure the DHCP/BOOTP server IP addresses on the switch. Generally, you should configure the switch IP interface on the client side to match the client’s subnet, and configure VLANs to separate client and server subnets. The DHCP server knows from which IP subnet the newly allocated IP address should come. The following figure shows a basic DHCP network example: Figure 36. DHCP Relay Agent Configuration Boston GbESM 20.1.1.1 DHCP Client DHCP Server In NE2552E implementation, there is no need for primary or secondary servers. The client request is forwarded to the BOOTP servers configured on the switch. The use of two servers provide failover redundancy. However, no health checking is supported. Use the following commands to configure the switch as a DHCP relay agent: NE2552E(config)# ip bootp-relay server 1 <IP address> NE2552E(config)# ip bootp-relay server 2 <IP address> NE2552E(config)# ip bootp-relay server 3 <IP address>...
Page 325: Chapter 22. Internet Protocol Version 6
 RFC 4835 RFC 2462 RFC 3413 RFC 4293 RFC 4861      RFC 2474  RFC 3414  RFC 4301  RFC 4862  RFC 2526  RFC 3484  RFC 4302  RFC 5095  RFC 2711  RFC 3602  RFC 4303  RFC 5114 This chapter describes the basic configuration of IPv6 addresses and how to manage the switch via IPv6 host management. © Copyright Lenovo 2018...
Page 326: Ipv6 Limitations
IPv6 Limitations The following IPv6 features are not supported in this release.  Dynamic Host Control Protocol for IPv6 (DHCPv6)  Border Gateway Protocol for IPv6 (BGP)  Routing Information Protocol for IPv6 (RIPng) Most other Lenovo ENOS 8.4 features permit IP addresses to be configured using either IPv4 or IPv6 address formats. However, the following switch features support IPv4 only:  Default switch management IP address  Bootstrap Protocol (BOOTP) and DHCP  RADIUS, TACACS+ and LDAP  QoS metering and re‐marking ACLs for out‐profile traffic  Routing Information Protocol (RIP)  Internet Group Management Protocol (IGMP)  Border Gateway Protocol (BGP)  Virtual Router Redundancy Protocol (VRRP)  sFLOW NE2552E Application Guide for ENOS 8.4...
Page 327: Ipv6 Address Format
Each IPv6 address has two parts:  Subnet prefix representing the network to which the interface is connected  Local identifier, either derived from the MAC address or user‐configured The preferred hexadecimal format is as follows: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx Example IPv6 address: FEDC:BA98:7654:BA98:FEDC:1234:ABCD:5412 Some addresses can contain long sequences of zeros. A single contiguous sequence of zeros can be compressed to :: (two colons). For example, consider the following IPv6 address: FE80:0:0:0:2AA:FF:FA:4CA2 The address can be compressed as follows: FE80::2AA:FF:FA:4CA2 Unlike IPv4, a subnet mask is not used for IPv6 addresses. IPv6 uses the subnet prefix as the network identifier. The prefix is the part of the address that indicates the bits that have fixed values or are the bits of the subnet prefix. An IPv6 prefix is written in address/prefix‐length notation. For example, in the following address, 64 is the network prefix: 21DA:D300:0000:2F3C::/64 IPv6 addresses can be either user‐configured or automatically configured. Automatically configured addresses always have a 64‐bit subnet prefix and a 64‐bit interface identifier. In most implementations, the interface identifier is derived from the switchʹs MAC address, using a method called EUI‐64. Most Lenovo ENOS 8.4 features permit IP addresses to be configured using either IPv4 or IPv6 address formats. Throughout this manual, IP address is used in places where either an IPv4 or IPv6 address is allowed. In places where only one type of address is allowed, the type (IPv4 or IPv6 is specified). © Copyright Lenovo 2018 Chapter 22: Internet Protocol Version 6...
Page 328: Ipv6 Address Types
IPv6 Address Types IPv6 supports three types of addresses: unicast (one‐to‐one), multicast (one‐to‐many), and anycast (one‐to‐nearest). Multicast addresses replace the use of broadcast addresses. Unicast Address Unicast is a communication between a single host and a single receiver. Packets sent to a unicast address are delivered to the interface identified by that address. IPv6 defines the following types of unicast address:  Global Unicast address: An address that can be reached and identified globally. Global Unicast addresses use the high‐order bit range up to FF00, therefore all non‐multicast and non‐link‐local addresses are considered to be global unicast. A manually configured IPv6 address must be fully specified. Auto‐configured IPv6 addresses are comprised of a prefix combined with the 64‐bit EUI. RFC 4291 defines the IPv6 addressing architecture. The interface ID must be unique within the same subnet.  Link‐local unicast address: An address used to communicate with a neighbor on the same link. Link‐local addresses use the format FE80::EUI Link‐local addresses are designed to be used for addressing on a single link for purposes such as automatic address configuration, neighbor discovery, or when no routers are present. Routers must not forward any packets with link‐local source or destination addresses to other links. Multicast Address Multicast is communication between a single host and multiple receivers. Packets are sent to all interfaces identified by that address. An interface may belong to any number of multicast groups. A multicast address (FF00 ‐ FFFF) is an identifier for a group interface. The multicast address most often encountered is a solicited‐node multicast address using prefix FF02::1:FF00:0000/104 with the low‐order 24 bits of the unicast or anycast address. The following well‐known multicast addresses are pre‐defined. The group IDs defined in this section are defined for explicit scope values, as follows: FF00:::::::0 through FF0F:::::::0 NE2552E Application Guide for ENOS 8.4...
Page 329: Anycast Address
Anycast Address Packets sent to an anycast address or list of addresses are delivered to the nearest interface identified by that address. Anycast is a communication between a single sender and a list of addresses. Anycast addresses are allocated from the unicast address space, using any of the defined unicast address formats. Thus, anycast addresses are syntactically indistinguishable from unicast addresses. When a unicast address is assigned to more than one interface, thus turning it into an anycast address, the nodes to which the address is assigned must be explicitly configured to know that it is an anycast address. © Copyright Lenovo 2018 Chapter 22: Internet Protocol Version 6...
Page 330: Ipv6 Address Auto-Configuration
IPv6 Address Auto-configuration IPv6 supports the following types of address auto‐configuration:  Stateful address configuration Address configuration is based on the use of a stateful address configuration protocol, such as DHCPv6, to obtain addresses and other configuration options. Stateless address configuration  Address configuration is based on the receipt of Router Advertisement messages that contain one or more Prefix Information options. Lenovo ENOS 8.4 supports stateless address configuration. Stateless address configuration allows hosts on a link to configure themselves with link‐local addresses and with addresses derived from prefixes advertised by local routers. Even if no router is present, hosts on the same link can configure themselves with link‐local addresses and communicate without manual configuration. NE2552E Application Guide for ENOS 8.4...
Page 331: Ipv6 Interfaces
 Second IPv6 address can be a unicast or anycast address . NE2552E(config-ip-if)# ipv6 secaddr6 <IPv6 address> NE2552E(config-ip-if)# exit You cannot configure an IPv4 address on an IPv6 management interface. Each interface can be configured with only one address type: either IPv4 or IPv6, but not both. When changing between IPv4 and IPv6 address formats, the prior address settings for the interface are discarded. Each IPv6 interface can belong to only one VLAN. Each VLAN can support only one IPv6 interface. Each VLAN can support multiple IPv4 interfaces. Interface 125/126 is reserved for IPv6 host support. This interface is included in management VLAN 4095. Use the following commands to configure the IPv6 gateway: NE2552E(config)# ip gateway6 1 address <IPv6 address> NE2552E(config)# ip gateway6 1 enable IPv6 gateway 1 is reserved for IPv6 data interfaces. IPv6 gateway 3 and 4 are the default IPv6 management gateways. © Copyright Lenovo 2018 Chapter 22: Internet Protocol Version 6...
Page 332: Neighbor Discovery
Neighbor Discovery The switch uses Neighbor Discovery protocol (ND) to gather information about other router and host nodes, including the IPv6 addresses. Host nodes use ND to configure their interfaces and perform health detection. ND allows each node to determine the link‐layer addresses of neighboring nodes, and to keep track of each neighbor’s information. A neighboring node is a host or a router that is linked directly to the switch. The switch supports Neighbor Discovery as described in RFC 4861. Neighbor Discover messages allow network nodes to exchange information, as follows:  Neighbor Solicitations allow a node to discover information about other nodes.  Neighbor Advertisements are sent in response to Neighbor Solicitations. The Neighbor Advertisement contains information required by nodes to determine the link‐layer address of the sender, and the sender’s role on the network. IPv6 hosts use Router Solicitations to discover IPv6 routers. When a router  receives a Router Solicitation, it responds immediately to the host.  Routers uses Router Advertisements to announce its presence on the network, and to provide its address prefix to neighbor devices. IPv6 hosts listen for Router Advertisements, and uses the information to build a list of default routers. Each host uses this information to perform autoconfiguration of IPv6 addresses.  Redirect messages are sent by IPv6 routers to inform hosts of a better first‐hop address for a specific destination. Redirect messages are only sent by routers for unicast traffic, are only unicast to originating hosts, and are only processed by hosts. ND configuration for various advertisements, flags, and interval settings is performed on a per‐interface basis using the following command path: NE2552E(config)# interface ip <interface number> NE2552E(config-ip-if)# [no] ipv6 nd ? NE2552E(config-ip-if)# exit To add or remove entries in the static neighbor cache, use the following command ...
Page 333: Host Vs. Router
Host vs. Router Each IPv6 interface can be configured as a router node or a host node, as follows:  A router node’s IP address is configured manually. Router nodes can send Router Advertisements.  A host node’s IP address is auto‐configured. Host nodes listen for Router Advertisements that convey information about devices on the network. Note: When IP forwarding is turned on all IPv6 interfaces configured on the switch can forward packets. You can configure each IPv6 interface as either a host node or a router node. You can manually assign an IPv6 address to an interface in host mode, or the interface can be assigned an IPv6 address by an upstream router, using information from router advertisements to perform stateless auto‐configuration. To set an interface to host mode, use the following command: NE2552E(config)# interface ip <interface number> NE2552E(config-ip-if)# ip6host NE2552E(config-ip-if)# exit By default, host mode is enabled on the management interface, and disabled on data interfaces. The NE2552E supports up to 1156 IPv6 routes. © Copyright Lenovo 2018 Chapter 22: Internet Protocol Version 6...
Page 334: Supported Applications
Supported Applications The following applications have been enhanced to provide IPv6 support.  Ping The ping command supports IPv6 addresses. Use the following format to ping an IPv6 address: ping <host name>|<IPv6 address> [-n <tries (0‐4294967295)>] [-w <msec delay (0‐4294967295)>] [-l <length (0/32‐65500/2080)>] [-s <IP source>] [-v <TOS (0‐255)>] [-f] [-t] To ping a link‐local address (begins with FE80), provide an interface index, as follows: ping <IPv6 address>%<Interface index> [-n <tries (0‐4294967295)>] [-w <msec delay (0‐4294967295)>] [-l <length (0/32‐65500/2080)>] [-s <IP source>] [-v <TOS (0‐255)>] [-f] [-t] ...
Page 335  DNS client DNS commands support both IPv4 and IPv6 addresses. Link‐local addresses are not supported. Use the following command to specify the type of DNS query to be sent first: NE2552E(config)# ip dns ipv6 request-version {ipv4|ipv6} If you set the request version to ipv4, the DNS application sends an A query first, to resolve the hostname with an IPv4 address. If no A record is found for that hostname (no IPv4 address for that hostname) an AAAA query is sent to resolve the hostname with a IPv6 address. If you set the request version to ipv6, the DNS application sends an AAAA query first, to resolve the hostname with an IPv6 address. If no AAAA record is found for that hostname (no IPv6 address for that hostname) an A query is sent to resolve the hostname with an IPv4 address. © Copyright Lenovo 2018 Chapter 22: Internet Protocol Version 6...
Page 336: Ipv6 Configuration
IPv6 Configuration This section provides steps to configure IPv6 on the switch. Configuration Guidelines When you configure an interface for IPv6, consider the following guidelines:  Support for subnet router anycast addresses is not available. Interface 125/126 are reserved for IPv6 management.   A single interface can accept either IPv4 or IPv6 addresses, but not both IPv4 and IPv6 addresses.  A single interface can accept multiple IPv6 addresses.  A single interface can accept only one IPv4 address.  If you change the IPv6 address of a configured interface to an IPv4 address, all IPv6 settings are deleted.  A single VLAN can support only one IPv6 interface.  Health checks are not supported for IPv6 gateways.  IPv6 interfaces support Path MTU Discovery. The CPU’s MTU is fixed at 1500 bytes. Support for jumbo frames (1,500 to 9,216 byte MTUs) is limited. Any jumbo  frames intended for the CPU must be fragmented by the remote node. The switch can re‐assemble fragmented packets up to 9k. It can also fragment and transmit jumbo packets received from higher layers. IPv6 Configuration Examples IPv6 Configuration Example 1 The following example uses IPv6 host mode to autoconfigure an IPv6 address for the interface. By default, the interface is assigned to VLAN 1.
Page 337 2. Configure the IPv6 default gateway. NE2552E(config)# ip gateway6 1 address 2001:BA98:7654:BA98:FEDC:1234: ABCD:5412 NE2552E(config)# ip gateway6 1 enable 3. Configure Router advertisements for the interface (optional) NE2552E(config)# interface ip 3 NE2552E(config-ip-if)# no ipv6 nd suppress-ra 4. Verify the configuration. NE2552E(config-ip-if)# show layer3 © Copyright Lenovo 2018 Chapter 22: Internet Protocol Version 6...
Page 338 NE2552E Application Guide for ENOS 8.4...
Page 339: Chapter 23. Using Ipsec With Ipv6
Chapter 23. Using IPsec with IPv6 Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. Since IPsec was implemented in conjunction with IPv6, all implementations of IPv6 must contain IPsec. To support the National Institute of Standards and Technology (NIST) recommendations for IPv6 implementations, Lenovo ENOS IPv6 feature compliance has been extended to include the following IETF RFCs, with an emphasis on IP Security (IPsec) and Internet Key Exchange version 2, and authentication/confidentiality for OSPFv3:  RFC 4301 for IPv6 security RFC 4302 for the IPv6 Authentication Header   RFCs 2404, 2410, 2451, 3602, and 4303 for IPv6 Encapsulating Security Payload (ESP), including NULL encryption, CBC‐mode 3DES and AES ciphers, and HMAC‐SHA‐1‐96.  RFCs 4306, 4307, 4718, and 4835 for IKEv2 and cryptography  RFC 4552 for OSPFv3 IPv6 authentication  RFC 5114 for Diffie‐Hellman groups Note: This implementation of IPsec supports DH group 24. The following topics are discussed in this chapter: “IPsec Protocols” on page 340   “Using IPsec with the NE2552E” on page 341 © Copyright Lenovo 2018...
Page 340: Ipsec Protocols
IPsec Protocols The Lenovo ENOS implementation of IPsec supports the following protocols:  Authentication Header (AH) AHs provide connectionless integrity and data origin authentication for IP packets, and provide protection against replay attacks. In IPv6, the AH protects the AH itself, the Destination Options extension header after the AH, and the IP payload. It also protects the fixed IPv6 header and all extension headers before the AH, except for the mutable fields DSCP, ECN, Flow Label, and Hop Limit. AH is defined in RFC 4302.  Encapsulating Security Payload (ESP) ESPs provide confidentiality, data origin authentication, integrity, an anti‐replay service (a form of partial sequence integrity), and some traffic flow confidentiality. ESPs may be applied alone or in combination with an AH. ESP is defined in RFC 4303.  Internet Key Exchange Version 2 (IKEv2) IKEv2 is used for mutual authentication between two network elements. An IKE establishes a security association (SA) that includes shared secret information to efficiently establish SAs for ESPs and AHs, and a set of cryptographic algorithms to be used by the SAs to protect the associated traffic. IKEv2 is defined in RFC 4306. Using IKEv2 as the foundation, IPsec supports ESP for encryption and/or authentication, and/or AH for authentication of the remote partner. Both ESP and AH rely on security associations. A security association (SA) is the bundle of algorithms and parameters (such as keys) that encrypt and authenticate a particular flow in one direction. NE2552E Application Guide for ENOS 8.4...
Page 341: Using Ipsec With The Ne2552E
Using IPsec with the NE2552E IPsec supports the fragmentation and reassembly of IP packets that occurs when data goes to and comes from an external device. The Lenovo ThinkSystem NE2552E Flex Switch acts as an end node that processes any fragmentation and reassembly of packets but does not forward the IPsec traffic. The IKEv2 key must be authenticated before you can use IPsec. The security protocol for the session key is either ESP or AH. Outgoing packets are labeled with the SA SPI (Security Parameter Index), which the remote device will use in its verification and decryption process. Every outgoing IPv6 packet is checked against the IPsec policies in force. For each outbound packet, after the packet is encrypted, the software compares the packet size with the MTU size that it either obtains from the default minimum maximum transmission unit (MTU) size (1500) or from path MTU discovery. If the packet size is larger than the MTU size, the receiver drops the packet and sends a message containing the MTU size to the sender. The sender then fragments the packet into smaller pieces and retransmits them using the correct MTU size. The maximum traffic load for each IPSec packet is limited to the following:  IKEv2 SAs: 5  IPsec SAs: 10 (5 SAs in each direction) SPDs: 20 (10 policies in each direction)  IPsec is implemented as a software cryptography engine designed for handling control traffic, such as network management. IPsec is not designed for handling data traffic, such as a VPN. © Copyright Lenovo 2018 Chapter 23: Using IPsec with IPv6...
Page 342: Setting Up Authentication
Setting up Authentication Before you can use IPsec, you need to have key policy authentication in place. There are two types of key policy authentication: Preshared key (default)  The parties agree on a shared, secret key that is used for authentication in an IPsec policy. During security negotiation, information is encrypted before transmission by using a session key created by using a Diffie‐Hellman calculation and the shared, secret key. Information is decrypted on the receiving end using the same key. One IPsec peer authenticates the other peerʹs packet by decryption and verification of the hash inside the packet (the hash inside the packet is a hash of the preshared key). If authentication fails, the packet is discarded. Digital certificate (using RSA algorithms)  The peer being validated must hold a digital certificate signed by a trusted Certificate Authority and the private key for that digital certificate. The side performing the authentication only needs a copy of the trusted certificate authorities digital certificate. During IKEv2 authentication, the side being validated sends a copy of the digital certificate and a hash value signed using the private key. The certificate can be either generated or imported. Note: During the IKEv2 negotiation phase, the digital certificate takes precedence over the preshared key. Creating an IKEv2 Proposal With IKEv2, a single policy can have multiple encryption and authentication types, as well as multiple integrity algorithms. To create an IKEv2 proposal: 1. Enter IKEv2 proposal mode. NE2552E(config)# ikev2 proposal 2. Set the DES encryption algorithm. NE2552E(config-ikev2-prop)# encryption aes-cbc 3.
Page 343: Importing An Ikev2 Digital Certificate
Organizational Unit Name (eg, section) []: <org. unit> Common Name (eg, YOUR name) []: <name> Email (eg, email address) []: <email address> Confirm Generate CSR? [y/n]: y ..........+++ ....+++ Cert Req generated successfully © Copyright Lenovo 2018 Chapter 23: Using IPsec with IPv6...
Page 344 [pem-format|txt-format] NE2552E> show https host-csr txt-format Certificate Request: Data: Version: 0 (0x0) Subject: C=US, ST=Cali, L=Santa Barbara, O=Lenovo, OU=Sales, CN=www.zagat.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:b5:05:f6:d5:ad:ab:f2:1d:a9:57:c4:bc:84:1b:...
Page 345: Generating An Ikev2 Digital Certificate
<email address> Confirm generat‘eywing certificate? [y/n]: y Generating certificate. Please wait (approx 30 seconds) restarting SSL agent 2. Save the HTTPS certificate. The certificate is valid only until the switch is rebooted. To save the certificate so that it is retained beyond reboot or power cycles, use the following command: NE2552E(config)# access https save-certificate 3. Enable IKEv2 RSA‐signature authentication: NE2552E(config)# access https enable © Copyright Lenovo 2018 Chapter 23: Using IPsec with IPv6...
Page 346: Enabling Ikev2 Preshared Key Authentication
Enabling IKEv2 Preshared Key Authentication To set up IKEv2 preshared key authentication: 1. Enter the local preshared key. NE2552E(config)# ikev2 preshare-key local <preshared key, a string of 1‐256 chars> 2. If asymmetric authentication is supported, enter the remote key: NE2552E(config)# ikev2 preshare-key remote <preshared key> <IPv6 host> where the following parameters are used:  preshared key A string of 1‐256 characters IPv6 host An IPv6‐format host, such as “3000::1”  3. Set up the IKEv2 identification type by entering one of the following commands: NE2552E(config)# ikev2 identity local address (use an IPv6 address) NE2552E(config)# ikev2 identity local email <email address> NE2552E(config)# ikev2 identity local fqdn <domain name>...
Page 347  apply the selector to any type of traffic proto/icmp type|any  only apply the selector only to ICMP traffic of the specified type (an integer from 1‐255) or to any ICMP traffic proto/tcp  only apply the selector to TCP traffic source IP address|any the source IP address in IPv6 format or “any”  source  destination IP address|any the destination IP address in IPv6 format or “any” destination  prefix length (Optional) the length of the destination IPv6 prefix; an integer from 1‐128 Permitted traffic that matches the policy in force is encrypted, while denied traffic that matches the policy in force is dropped. Traffic that does not match the policy bypasses IPsec and passes through clear (unencrypted). 4. Choose whether to use a manual or a dynamic policy. © Copyright Lenovo 2018 Chapter 23: Using IPsec with IPv6...
Page 348: Using A Manual Key Policy
Using a Manual Key Policy A manual policy involves configuring policy and manual SA entries for local and remote peers. To configure a manual key policy, you need:  The IP address of the peer in IPv6 format (for example, “3000::1”).  Inbound/Outbound session keys for the security protocols. You can then assign the policy to an interface. The peer represents the other end of the security association. The security protocol for the session key can be either ESP or AH. To create and configure a manual policy: 1. Enter a manual policy to configure. NE2552E(config)# ipsec manual-policy <policy number> 2. Configure the policy. NE2552E(config-ipsec-manual)#peer <peer’s IPv6 address> NE2552E(config-ipsec-manual)#traffic-selector <IPsec traffic selector> NE2552E(config-ipsec-manual)#transform-set <IPsec transform set> NE2552E(config-ipsec-manual)#in-ah auth-key <inbound AH IPsec key> NE2552E(config-ipsec-manual)#in-ah auth-spi <inbound AH IPsec SPI> NE2552E(config-ipsec-manual)#in-esp cipher-key <inbound ESP cipher key> NE2552E(config-ipsec-manual)#in-esp auth-spi <inbound ESP SPI> NE2552E(config-ipsec-manual)#in-esp auth-key <inbound ESP authenticator key>...
Page 349  The outbound ESP authenticator key code, in outbound ESP authenticator key hexadecimal Note: When configuring a manual policy ESP, the ESP authenticator key is optional. 3. After you configure the IPSec policy, you need to apply it to the interface to enforce the security policies on that interface and save it to keep it in place after a reboot. To accomplish this, enter: NE2552E(config-ip)# interface ip <IP interface number, 1‐128> NE2552E(config-ip-if)# address <IPv6 address> NE2552E(config-ip-if)# ipsec manual-policy <policy index, 1‐10> NE2552E(config-ip-if)# enable (enable the IP interface) NE2552E# write (save the current configuration) © Copyright Lenovo 2018 Chapter 23: Using IPsec with IPv6...
Page 350: Using A Dynamic Key Policy
Using a Dynamic Key Policy When you use a dynamic key policy, the first packet triggers IKE and sets the IPsec SA and IKEv2 SA. The initial packet negotiation also determines the lifetime of the algorithm, or how long it stays in effect. When the key expires, a new key is automatically created. This helps prevent break‐ins. To configure a dynamic key policy: 1. Choose a dynamic policy to configure. NE2552E(config)# ipsec dynamic-policy <policy number> 2. Configure the policy. NE2552E(config-ipsec-dynamic)# peer <peer’s IPv6 address> NE2552E(config-ipsec-dynamic)# traffic-selector <index of traffic selector> NE2552E(config-ipsec-dynamic)# transform-set <index of transform set> NE2552E(config-ipsec-dynamic)# sa-lifetime <SA lifetime, in seconds> NE2552E(config-ipsec-dynamic)# pfs enable|disable where the following parameters are used:  peer’s IPv6 address The IPv6 address of the peer (for example, 3000::1) index of traffic‐selector A number from1‐10 ...
Page 351: Chapter 24. Routing Information Protocol
Chapter 24. Routing Information Protocol In a routed environment, routers communicate with one another to keep track of available routes. Routers can learn about available routes dynamically using the Routing Information Protocol (RIP). Lenovo ENOS software supports RIP version 1 (RIPv1) and RIP version 2 (RIPv2) for exchanging TCP/IPv4 route information with other routers. Note: Lenovo ENOS 8.4 does not support IPv6 for RIP. Distance Vector Protocol RIP is known as a distance vector protocol. The vector is the network number and next hop, and the distance is the cost associated with the network number. RIP identifies network reachability based on metric, and metric is defined as hop count. One hop is considered to be the distance from one switch to the next, which typically is 1. When a switch receives a routing update that contains a new or changed destination network entry, the switch adds 1 to the metric value indicated in the update and enters the network in the routing table. The IPv4 address of the sender is used as the next hop. Stability RIP includes a number of other stability features that are common to many routing protocols. For example, RIP implements the split horizon and hold‐down mechanisms to prevent incorrect routing information from being propagated. RIP prevents routing loops from continuing indefinitely by limiting the number of hops allowed in a path from the source to a destination. The maximum number of hops in a path is 15. The network destination network is considered unreachable if increasing the metric value by 1 causes the metric to be 16 (that is infinity). This limits the maximum diameter of a RIP network to less than 16 hops. RIP is often used in stub networks and in small autonomous systems that do not have many redundant paths. © Copyright Lenovo 2018...
Page 352: Routing Updates
Routing Updates RIP sends routing‐update messages at regular intervals and when the network topology changes. Each router “advertises” routing information by sending a routing information update every 30 seconds. If a router doesn’t receive an update from another router for 180 seconds, those routes provided by that router are declared invalid. The routes are removed from the routing table, but they remain in the RIP routes table. After another 120 seconds without receiving an update for those routes, the routes are removed from regular updates. When a router receives a routing update that includes changes to an entry, it updates its routing table to reflect the new route. The metric value for the path is increased by 1, and the sender is indicated as the next hop. RIP routers maintain only the best route (the route with the lowest metric value) to a destination. For more information see The Configuration Menu, Routing Information Protocol Configuration in the Lenovo ENOS Command Reference. RIPv1 RIP version 1 uses broadcast User Datagram Protocol (UDP) data packets for the regular routing updates. The main disadvantage is that the routing updates do not carry subnet mask information. Hence, the router cannot determine whether the route is a subnet route or a host route. It is of limited usage after the introduction of RIPv2. For more information about RIPv1 and RIPv2, refer to RFC 1058 and RFC 2453. RIPv2 RIPv2 is the most popular and preferred configuration for most networks. RIPv2 expands the amount of useful information carried in RIP messages and provides a measure of security. For a detailed explanation of RIPv2, refer to RFC 1723 and RFC 2453. RIPv2 improves efficiency by using multicast UDP (address 224.0.0.9) data packets for regular routing updates. Subnet mask information is provided in the routing updates. A security option is added for authenticating routing updates, by using a shared password. Lenovo ENOS supports using clear password for RIPv2. RIPv2 in RIPv1 Compatibility Mode Lenovo ENOS allows you to configure RIPv2 in RIPv1compatibility mode, for using both RIPv2 and RIPv1 routers within a network. In this mode, the regular routing updates use broadcast UDP data packet to allow RIPv1 routers to receive ...
Page 353: Rip Features
Lenovo ENOS provides the following features to support RIPv1 and RIPv2: Poison Reverse Simple split horizon in RIP omits routes learned from one neighbor in updates sent to that neighbor. That is the most common configuration used in RIP, with the Poison Reverse feature disabled. Split horizon with poisoned reverse enabled includes such routes in updates, but sets their metrics to 16. The disadvantage of using this feature is the increase of size in the routing updates. Triggered Updates Triggered updates are an attempt to speed up convergence. When Triggered Updates is enabled, whenever a router changes the metric for a route, it sends update messages almost immediately, without waiting for the regular update interval. It is recommended to enable Triggered Updates. Multicast RIPv2 messages use IPv4 multicast address (224.0.0.9) for periodic updates. Multicast RIPv2 updates are not processed by RIPv1 routers. IGMP is not needed since these are inter‐router messages which are not forwarded. To configure RIPv2 in RIPv1 compatibility mode, set multicast to disable, and set version to both. Default Route The RIP router can listen and supply a default route, usually represented as IPv4 0.0.0.0 in the routing table. When a router does not have an explicit route to a destination network in its routing table, it uses the default route to forward those packets. Metric The metric field contains a configurable value between 1 and 15 (inclusive) which specifies the current metric for the interface. The metric value typically indicates the total number of hops to the destination. The metric value of 16 represents an unreachable destination. © Copyright Lenovo 2018 Chapter 24: Routing Information Protocol...
Page 354: Authentication
Authentication RIPv2 authentication uses plain text password for authentication. If configured using Authentication password, then it is necessary to enter an authentication key value. The following method is used to authenticate a RIP message:  If the router is not configured to authenticate RIPv2 messages, then RIPv1 and unauthenticated RIPv2 messages are accepted; authenticated RIPv2 messages are discarded.  If the router is configured to authenticate RIPv2 messages, then RIPv1 and RIPv2 messages which pass authentication testing are accepted; unauthenticated and failed authentication RIPv2 messages are discarded. For maximum security, RIPv1 messages are ignored when authentication is enabled (interface ip <x>/ ip rip auth type/password); otherwise, the routing information from authenticated messages is propagated by RIPv1 routers in an unauthenticated manner. NE2552E Application Guide for ENOS 8.4...
Page 355: Rip Configuration Example
NE2552E(config-ip-if)# exit 3. Turn on RIP globally and enable RIP for each interface. NE2552E(config)# router rip NE2552E(config-router-rip)# enable NE2552E(config-router-rip)# exit NE2552E# interface ip 2 NE2552E(config-ip-if)# ip rip enable NE2552E(config-ip-if)# exit NE2552E# interface ip 3 NE2552E(config-ip-if)# ip rip enable NE2552E(config-ip-if)# exit © Copyright Lenovo 2018 Chapter 24: Routing Information Protocol...
Page 356 Use the following command to check the current valid routes in the routing table of the switch: NE2552E# show ip route For those RIP learnt routes within the garbage collection period, that are routes phasing out of the routing table with metric 16, use the following command: NE2552E# show ip rip routes Locally configured static routes do not appear in the RIP Routes table. NE2552E Application Guide for ENOS 8.4...
Page 357: Chapter 25. Internet Group Management Protocol
Chapter 25. Internet Group Management Protocol Internet Group Management Protocol (IGMP) is used by IPv4 Multicast routers to learn about the existence of host group members on their directly attached subnet (see RFC 2236). The IPv4 Multicast routers get this information by broadcasting IGMP Membership Queries and listening for IPv4 hosts reporting their host group memberships. This process is used to set up a client/server relationship between an IPv4 Multicast source that provides the data streams and the clients that want to receive the data. IGMP reports over the current 3K limit will be forwarded to a Mrouter. If no Mrouter exists, such IGMP reports will be discarded. IGMPv2 leaves for groups not known by the switch will also be forwarded to the multicast router. The NE2552E Flex Switch (NE2552E) can perform IGMP Snooping, or act as an IGMP Relay (proxy) device. Note: Lenovo ENOS 8.4 does not support IPv6 for IGMP. The following topics are discussed in this chapter:  “IGMP Snooping” on page 358  “IGMP Querier” on page 364  “Additional IGMP Features” on page 365 © Copyright Lenovo 2018...
Page 358: Igmp Snooping
IGMP Snooping IGMP Snooping allows the switch to forward multicast traffic only to those ports that request it. IGMP Snooping prevents multicast traffic from being flooded to all ports. The switch learns which server hosts are interested in receiving multicast traffic, and forwards it only to ports connected to those servers. IGMP Snooping conserves bandwidth. With IGMP Snooping, the switch learns which ports are interested in receiving multicast data, and forwards multicast data only to those ports. In this way, other ports are not burdened with unwanted multicast traffic. The switch can sense IGMP Membership Reports from attached clients and act as a proxy to set up a dedicated path between the requesting host and a local IPv4 Multicast router. After the pathway is established, the switch blocks the IPv4 Multicast stream from flowing through any port that does not connect to a host member, thus conserving bandwidth. The client‐server path is set up as follows:  An IPv4 Multicast Router (Mrouter) sends Membership Queries to the switch, which forwards them to all ports in a given VLAN. Hosts that want to receive the multicast data stream send Membership Reports to  the switch, which sends a proxy Membership Report to the Mrouter. The switch sets up a path between the Mrouter and the host, and blocks all other  ports from receiving the multicast.  Periodically, the Mrouter sends Membership Queries to ensure that the host wants to continue receiving the multicast. If a host fails to respond with a Membership Report, the Mrouter stops sending the multicast to that path. The host can send an IGMP Leave packet to the switch, which responds with an  IGMP Groups Specific Query in order to check if there are other clients that want to receive the multicast traffic for the group referenced in the Leave packet. If an IGMP Report is not received, the group is deleted from the port and the multicast path is terminated. The switch then sends a Proxy Leave packet to the Mrouter in order to update it. If the FastLeave option is enabled on a VLAN, the multicast path is terminated immediately and the Leave packet is directly forwarded to the Mrouter. NE2552E Application Guide for ENOS 8.4...
Page 359: Igmp Groups
This indicates that the host wants to receive traffic only from sources that are not part of the Exclude list. To disable snooping on EXCLUDE mode reports, use the following command: NE2552E(config)# no ip igmp snoop igmpv3 exclude By default, the NE2552E snoops the first eight sources listed in the IGMPv3 Group Record. Use the following command to change the number of snooping sources: NE2552E(config)# ip igmp snoop igmpv3 sources <1‐64> IGMPv3 Snooping is compatible with IGMPv1 and IGMPv2 Snooping. You can disable snooping on version 1 and version 2 reports, using the following command: NE2552E(config)# no ip igmp snoop igmpv3 v1v2 © Copyright Lenovo 2018 Chapter 25: Internet Group Management Protocol...
Page 360: Igmp Snooping Configuration Example
IGMP Snooping Configuration Example This section provides steps to configure IGMP Snooping on the NE2552E, using the Command‐Line Interface (CLI). 1. Configure port and VLAN membership on the switch. 2. Add VLANs to IGMP Snooping and enable IGMP Snooping. NE2552E(config)# ip igmp snoop vlan 1 NE2552E(config)# ip igmp snoop enable 3. Enable IGMPv3 Snooping (optional). NE2552E(config)# ip igmp snoop igmpv3 enable 4. Enable IGMP. NE2552E(config)# ip igmp enable (Turn on IGMP) 5. View dynamic IGMP information. To display information about IGMP Groups: NE2552E# show ip igmp groups Total entries: 5 Total IGMP groups: 2 Note: The <Total IGMP groups>...
Page 361: Static Multicast Router
Static Multicast Router A static multicast router (Mrouter) can be configured for a particular port on a particular VLAN. A total of 128 static Mrouters can be configured on the NE2552E. Both internal and external ports can accept a static Mrouter. Note: When static Mrouters are used, the switch will continue learning dynamic Mrouters via IGMP snooping. However, dynamic Mrouters may not replace static Mrouters. If a dynamic Mrouter has the same port and VLAN combination as a static Mrouter, the dynamic Mrouter will not be learned. Following is an example of configuring a static multicast router: 1. For each Mrouter, configure a port, VLAN, and IGMP version of the multicast router. NE2552E(config)# ip igmp mrouter EXT5 1 2 2. Verify the configuration. NE2552E(config)# show ip igmp mrouter © Copyright Lenovo 2018 Chapter 25: Internet Group Management Protocol...
Page 362: Igmp Relay
IGMP Relay The NE2552E can act as an IGMP Relay (or IGMP Proxy) device that relays IGMP multicast messages and traffic between an Mrouter and end stations. IGMP Relay allows the NE2552E to participate in network multicasts with no configuration of the various multicast routing protocols, so you can deploy it in the network with minimal effort. To an IGMP host connected to the NE2552E, IGMP Relay appears to be an IGMP multicast router (Mrouter). IGMP Relay sends Membership Queries to hosts, which respond by sending an IGMP response message. A host can also send an unsolicited Join message to the IGMP Relay. To a multicast router, IGMP Relay appears as a host. The Mrouter sends IGMP host queries to IGMP Relay, and IGMP Relay responds by forwarding IGMP host reports and unsolicited join messages from its attached hosts. IGMP Relay also forwards multicast traffic between the Mrouter and end stations, similar to IGMP Snooping. You can configure up to two Mrouters to use with IGMP Relay. One Mrouter acts as the primary Mrouter, and one is the backup Mrouter. The NE2552E uses ICMP health checks to determine if the primary and backup mrouters are reachable. Configuration Guidelines Consider the following guidelines when you configure IGMP Relay: IGMP Relay is supported in stand‐alone (non‐stacking) mode only.   IGMP Relay and IGMP Snooping/Querier are mutually exclusive—if you enable IGMP Relay, you must turn off IGMP Snooping/Querier.  Add VLANs to the IGMP Relay list, using the following command: NE2552E(config)# ip igmp relay vlan <VLAN ID>  If IGMP hosts reside on different VLANs, you must: Disable IGMP flooding.  NE2552E(config)# vlan <VLAN ID> NE2552E(config-vlan)# no flood Enable CPU forwarding to ensure that multicast data is forwarded across the ...
Page 363: Igmp Relay Configuration Example
NE2552E(config)# ip igmp relay mrouter 2 address 100.0.2.4 NE2552E(config)# ip igmp relay mrouter 2 enable 4. Add VLANs to the downstream network and enable IGMP Relay NE2552E(config)# ip igmp relay vlan 2 NE2552E(config)# ip igmp relay vlan 3 NE2552E(config)# ip igmp relay enable © Copyright Lenovo 2018 Chapter 25: Internet Group Management Protocol...
Page 364: Igmp Querier
IGMP Querier IGMP Querier allows the switch to perform the multicast router (Mrouter) role and provide Mrouter discovery when the network or virtual LAN (VLAN) does not have a router. When the IGMP Querier feature is enabled on a VLAN, the switch participates in the Querier election process and has the possibility to be elected as Querier for the VLAN. The IGMP querier periodically broadcasts IGMP Queries and listens for hosts to respond with IGMP Reports indicating their IGMP group memberships. If multiple Mrouters exist on a given network, the Mrouters elect one as the querier, which performs all periodic membership queries. The election process can be based on IPv4 address or MAC address. Note: When IGMP Querier is enabled on a VLAN, the switch performs the role of IGMP querier only if it meets the IGMP querier election criteria. IGMP Querier Configuration Example Follow this procedure to configure IGMP Querier. 1. Enable IGMP and configure the source IPv4 address for IGMP Querier on a VLAN. NE2552E(config)# ip igmp enable NE2552E(config)# ip igmp querier vlan 2 source-ip 10.10.10.1 2. Enable IGMP Querier on the VLAN. NE2552E(config)# ip igmp querier vlan 2 enable 3.
Page 365: Additional Igmp Features
 “FastLeave” on page 365  “IGMP Filtering” on page 365 FastLeave In normal IGMP operation, when the switch receives an IGMPv2 leave message, it sends a Group‐Specific Query to determine if any other devices in the same group (and on the same port) are still interested in the specified multicast group traffic. The switch removes the affiliated port from that particular group, if it does not receive an IGMP Membership Report within the query‐response‐interval. With FastLeave enabled on the VLAN, a port can be removed immediately from the port list of the group entry when the IGMP Leave message is received, unless a multicast router was learned on the port. Enable FastLeave only on VLANs that have only one host connected to each physical port. IGMP Filtering With IGMP Filtering, you can allow or deny a port to learn certain IGMP or IPMC groups. This allows you to restrict users from receiving certain multicast traffic. If access to a multicast group is denied, IGMP Membership Reports from the port are dropped, and the port is not allowed to receive IPv4 multicast traffic from that group. If access to the multicast group is allowed, Membership Reports from the port are forwarded for normal processing. To configure IGMP Filtering, you must globally enable IGMP filtering, define an IGMP filter, assign the filter to a port, and enable IGMP Filtering on the port. To define an IGMP filter, you must configure a range of IPv4 multicast groups, choose whether the filter will allow or deny multicast traffic for groups within the range, and enable the filter. © Copyright Lenovo 2018 Chapter 25: Internet Group Management Protocol...
Page 366: Configuring The Range
Configuring the Range Each IGMP Filter allows you to set a start and end point that defines the range of IPv4 addresses upon which the filter takes action. Each IPv4 address in the range must be between 224.0.0.0 and 239.255.255.255. Configuring the Action Each IGMP filter can allow or deny IPv4 multicasts to the range of IPv4 addresses configured. If you configure the filter to deny IPv4 multicasts, then IGMP Membership Reports from multicast groups within the range are dropped. You can configure a secondary filter to allow IPv4 multicasts to a small range of addresses within a larger range that a primary filter is configured to deny. The two filters work together to allow IPv4 multicasts to a small subset of addresses within the larger range of addresses. Note: Lower‐numbered filters take precedence over higher‐number filters. For example, the action defined for IGMP Filter 1 supersedes the action defined for IGMP Filter 2. IGMP Filtering Configuration Example 1. Enable IGMP filtering on the switch. NE2552E(config) ip igmp filtering 2. Define an IGMP filter with IPv4 information. NE2552E(config) ip igmp profile 1 range 225.0.0.0 226.0.0.0 NE2552E(config) ip igmp profile 1 action deny NE2552E(config)
Page 367: Chapter 26. Multicast Listener Discovery
Chapter 26. Multicast Listener Discovery Multicast Listener Discovery (MLD) is an IPv6 protocol that a host uses to request multicast data for a multicast group. An IPv6 router uses MLD to discover the presence of multicast listeners (nodes that want to receive multicast packets) on its directly attached links, and to discover specifically the multicast addresses that are of interest to those neighboring nodes. MLD version 1 is derived from Internet Group Management Protocol version 2 (IGMPv2) and MLDv2 is derived from IGMPv3. MLD uses ICMPv6 (IP Protocol 58) message types. See RFC 2710 and RFC 3810 for details. MLDv2 protocol, when compared to MLDv1, adds support for source filtering— the ability for a node to report interest in listening to packets only from specific source addresses, or from all but specific source addresses, sent to a particular multicast address. MLDv2 is interoperable with MLDv1. See RFC 3569 for details on Source‐Specific Multicast (SSM). The following topics are discussed in this chapter:  “MLD Terms” on page 368  “How MLD Works” on page 369  “MLD Capacity and Default Values” on page 372  “Configuring MLD” on page 373 © Copyright Lenovo 2018...
Page 368: Mld Terms
MLD Terms Following are the commonly used MLD terms:  Multicast traffic: Flow of data from one source to multiple destinations.  Group: A multicast stream to which a host can join.  Multicast Router (Mrouter): A router configured to make routing decisions for multicast traffic. The router identifies the type of packet received (unicast or multicast) and forwards the packet to the intended destination.  Querier: An Mrouter that sends periodic query messages. Only one Mrouter on the subnet can be elected as the Querier.  Multicast Listener Query: Messages sent by the Querier. There are three types of queries: General Query: Sent periodically to learn multicast address listeners from an  attached link. NE2552E uses these queries to build and refresh the Multicast Address Listener state. General Queries are sent to the link‐scope all‐nodes multicast address (FF02::1), with a multicast address field of 0, and a maximum response delay of query response interval. Multicast Address Specific Query: Sent to learn if a specific multicast address  has any listeners on an attached link. The multicast address field is set to the IPv6 multicast address. Multicast Address and Source Specific Query: Sent to learn if, for a specified  multicast address, there are nodes still listening to a specific set of sources. Supported only in MLDv2. Note: Multicast Address Specific Queries and Multicast Address and Source Specific Queries are sent only in response to State Change Reports, and never in response to Current State Reports. Multicast Listener Report: Sent by a host when it joins a multicast group, or in  response to a Multicast Listener Query sent by the Querier. Hosts use these reports to indicate their current multicast listening state, or changes in the multicast listening state of their interfaces. These reports are of two types: Current State Report: Contains the current Multicast Address Listening State ...
Page 369: How Mld Works
Hosts respond to these queries by reporting their per‐interface Multicast Address Listening state, through Current State Report messages sent to a specific multicast address that all MLD routers on the link listen to.  If the listening state of a host changes, the host immediately reports these changes through a State Change Report message.  The Querier sends a Multicast Address Specific Query to verify if hosts are listening to a specified multicast address or not. Similarly, if MLDv2 is configured, the Querier sends a Multicast Address and Source Specific Query to verify, for a specified multicast address, if hosts are listening to a specific set of sources, or not. MLDv2 listener report messages consists of Multicast Address Records: INCLUDE: to receive packets from source specified in the MLDv2 message  EXCLUDE: to receive packets from all sources except the ones specified in the  MLDv2 message A host can send a State Change Report to indicate its desire to stop listening to a  particular multicast address (or source in MLDv2). The Querier then sends a multicast address specific query to verify if there are other listeners of the multicast address. If there aren’t any, the Mrouter deletes the multicast address from its Multicast Address Listener state and stops sending multicast traffic. Similarly in MLDv2, the Mrouter sends a Multicast Address and Source Specific Query to verify if, for a specified multicast address, there are hosts still listening to a specific set of sources. NE2552E supports MLD versions 1 and 2. Note: MLDv2 operates in version 1 compatibility mode when, in a specific network, not all hosts are configured with MLDv2. © Copyright Lenovo 2018 Chapter 26: Multicast Listener Discovery...
Page 370: How Flooding Impacts Mld
How Flooding Impacts MLD When flood option is disabled, the unknown multicast traffic is discarded if no Mrouters are learned on the switch. You can set the flooding behavior by configuring the flood and cpu options. You can optimize the flooding to ensure that unknown IP multicast (IPMC) data packets are not dropped during the learning phase. The flooding options include: flood: Enable hardware flooding in VLAN for the unregistered IPMC; This  option is enabled by default. cpu: Enable sending unregistered IPMC to the Mrouter ports. However, during  the learning period, there will be some packet loss. The cpu option is enabled by default. You must ensure that the flood and optflood options are disabled. optflood: Enable optimized flooding to allow sending the unregistered IPMC  to the Mrouter ports without having any packet loss during the learning period; This option is disabled by default; When optflood is enabled, the flood and cpu settings are ignored. The flooding parameters must be configured per VLAN. Enter the following command to set the flood or cpu options: NE2552E(config)# vlan <VLAN ID> NE2552E(config-vlan)# [no] flood NE2552E(config-vlan)# [no] cpu NE2552E(config-vlan)# [no] optflood MLD Querier An Mrouter acts as a Querier and periodically (at short query intervals) sends query messages in the subnet. If there are multiple Mrouters in the subnet, only one can be the Querier. All Mrouters on the subnet listen to the messages sent by ...
Page 371: Dynamic Mrouters
Dynamic Mrouters The switch learns Mrouters on the ingress VLANs of the MLD‐enabled interface. All report or done messages are forwarded to these Mrouters. By default, the option of dynamically learning Mrouters is disabled. To enable it, use the following command: NE2552E(config)# interface ip <interface number> NE2552E(config-ip-if)# ipv6 mld dmrtr enable © Copyright Lenovo 2018 Chapter 26: Multicast Listener Discovery...
Page 372: Mld Capacity And Default Values
MLD Capacity and Default Values Table 29 lists the maximum and minimum values of the NE2552E variables. Table 29. NE2552E Capacity Table Variable Maximum Value IPv6 Multicast Entries IPv6 Interfaces for MLD Table 30 lists the default settings for MLD features and variables. Table 30. MLD Timers and Default Values Field Default Value Robustness Variable (RV) Query Interval (QI) 125 seconds Query Response Interval (QRI) 10 seconds Multicast Address Listeners Interval 260 seconds [derived: RV*QI+QRI] (MALI) Other Querier Present Interval [OQPT] 255 seconds [derived: RV*QI + ½ QRI] Start up Query Interval [SQI] 31.25 seconds [derived: ¼ * QI] Startup Query Count [SQC] 2 [derived: RV] Last Listener Query Interval [LLQI] 1 second Last Listener Query Count [LLQC] 2 [derived: RV] Last Listener Query Time [LLQT] 2 seconds [derived: LLQI * LLQT]...
Page 373: Configuring Mld
NE2552E(config-ip-if)# ipv6 mld version <1‐2> (MLD version) NE2552E(config-ip-if)# ipv6 mld robust <1‐10> (Robustness) NE2552E(config-ip-if)# ipv6 mld qri <1‐256> (In seconds) NE2552E(config-ip-if)# ipv6 mld qintrval <1‐608> (In seconds) NE2552E(config-ip-if)# ipv6 mld llistnr <1‐32> (In seconds) © Copyright Lenovo 2018 Chapter 26: Multicast Listener Discovery...
Page 374 NE2552E Application Guide for ENOS 8.4...
Page 375: Chapter 27. Border Gateway Protocol
NE2552E Flex Switches (NE2552Es) can advertise their IP interfaces and IPv4 addresses using BGP and take BGP feeds from as many as BGP router peers. This allows more resilience and flexibility in balancing traffic from the Internet. Note: Lenovo ENOS 8.4 does not support IPv6 for BGP. The following topics are discussed in this section: “Internal Routing Versus External Routing” on page 376   “Forming BGP Peer Routers” on page 377 “What is a Route Map?” on page 378   “Aggregating Routes” on page 381 “Redistributing Routes” on page 381   “BGP Attributes” on page 382 “Selecting Route Paths in BGP” on page 383   “BGP Failover Configuration” on page 384 “Default Redistribution and Route Aggregation Example” on page 386  © Copyright Lenovo 2018...
Page 376: Internal Routing Versus External Routing
Internal Routing Versus External Routing To ensure effective processing of network traffic, every router on your network needs to know how to send a packet (directly or indirectly) to any other location/destination in your network. This is referred to as internal routing and can be done with static routes or using active, internal dynamic routing protocols, such as RIP, RIPv2, and OSPF. Static routes should have a higher degree of precedence than dynamic routing protocols. If the destination route is not in the route cache, then the packets are forwarded to the default gateway which may be incorrect if a dynamic routing protocol is enabled. It is also useful to tell routers outside your network (upstream providers or peers) about the routes you can access in your network. External networks (those outside your own) that are under the same administrative control are referred to as autonomous systems (AS). Sharing of routing information between autonomous systems is known as external routing. External BGP (eBGP) is used to exchange routes between different autonomous systems whereas internal BGP (iBGP) is used to exchange routes within the same autonomous system. An iBGP is a type of internal routing protocol you can use to do active routing inside your network. It also carries AS path information, which is important when you are an ISP or doing BGP transit. The iBGP peers have to maintain reciprocal sessions to every other iBGP router in the same AS (in a full‐mesh manner) in order to propagate route information throughout the AS. If the iBGP session shown between the two routers in AS 20 was not present (as indicated in Figure 37), the top router would not learn the route to AS 50, and the bottom router would not learn the route to AS 11, even though the two AS 20 routers are connected via the Flex System and the Application Switch. Figure 37. iBGP and eBGP AS 11 AS 20 ISP A iBGP eBGP Internet...
Page 377: Forming Bgp Peer Routers
Forming BGP Peer Routers Two BGP routers become peers or neighbors once you establish a TCP connection between them. For each new route, if a peer is interested in that route (for example, if a peer would like to receive your static routes and the new route is static), an update message is sent to that peer containing the new route. For each route removed from the route table, if the route has already been sent to a peer, an update message containing the route to withdraw is sent to that peer. For each Internet host, you must be able to send a packet to that host, and that host has to have a path back to you. This means that whoever provides Internet connectivity to that host must have a path to you. Ultimately, this means that they must “hear a route” which covers the section of the IPv4 space you are using; otherwise, you will not have connectivity to the host in question. © Copyright Lenovo 2018 Chapter 27: Border Gateway Protocol...
Page 378: What Is A Route Map
A route map is used to control and modify routing information. Route maps define conditions for redistributing routes from one routing protocol to another or controlling routing information when injecting it in and out of BGP. For example, a route map is used to set a preference value for a specific route from a peer router and another preference value for all other routes learned via the same peer router. For example, the following commands are used to define a route map: NE2552E(config)# route-map <map number> (Select a route map) NE2552E(config-route-map)# ? (List available commands) A route map allows you to match attributes, such as metric, network address, and AS number. It also allows users to overwrite the local preference metric and to append the AS number in the AS route. See “BGP Failover Configuration” on page 384. Lenovo ENOS allows you to configure 32 route maps. Each route map can have up to eight access lists. Each access list consists of a network filter. A network filter defines an IPv4 address and subnet mask of the network that you want to include in the filter. Figure 38 illustrates the relationship between route maps, access lists and network filters. Figure 38. Distributing Network Filters in Access Lists and Route Maps Route Maps Network Filter (rmap) (nwf) Access Lists (alist) Route Map 1 Route Map 2...
Page 379: Incoming And Outgoing Route Maps
NE2552E(config)# ip match-address 1 enable Enter a filter number from 1 to 256. Specify the IPv4 address and subnet mask of the network that you want to match. Enable the network filter. You can distribute up to 256 network filters among 32 route maps each containing eight access lists. 2. (Optional) Define the criteria for the access list and enable it. Specify the access list and associate the network filter number configured in Step 1. NE2552E(config)# route-map 1 NE2552E(config-route-map)# access-list 1 match-address 1 NE2552E(config-route-map)# access-list 1 metric <metric value> NE2552E(config-route-map)# access-list 1 action deny NE2552E(config-route-map)# access-list 1 enable © Copyright Lenovo 2018 Chapter 27: Border Gateway Protocol...
Page 380 Steps 2 and 3 are optional, depending on the criteria that you want to match. In Step 2, the network filter number is used to match the subnets defined in the network filter. In Step 3, the autonomous system number is used to match the subnets. Or, you can use both (Step 2 and Step 3) criteria: access list (network filter) and access path (AS filter) to configure the route maps. 3. (Optional) Configure the attributes in the AS filter menu. NE2552E(config-route-map)# as-path-list 1 as 1 NE2552E(config-route-map)# as-path-list 1 action deny NE2552E(config-route-map)# as-path-list 1 enable 4. Set up the BGP attributes. If you want to overwrite the attributes that the peer router is sending, then define the following BGP attributes:  Specify up to 32 AS numbers that you want to prepend to a matched route and the local preference for the matched route.  Specify the metric [Multi Exit Discriminator (MED)] for the matched route. NE2552E(config-route-map)# as-path-preference <AS number> [<AS number>] ... NE2552E(config-route-map)# local-preference <local preference value> NE2552E(config-route-map)# metric <metric value> 5.
Page 381: Aggregating Routes
386. Redistributing Routes In addition to running multiple routing protocols simultaneously, Lenovo ENOS software can redistribute information from one routing protocol to another. For example, you can instruct the switch to use BGP to re‐advertise static routes. This applies to all of the IP‐based routing protocols. You can also conditionally control the redistribution of routes between routing domains by defining a method known as route maps between the two domains. For more information on route maps, see “What is a Route Map?” on page 378. Redistributing routes is another way of providing policy control over whether to export OSPF routes, fixed routes, and static routes. For an example configuration, see “Default Redistribution and Route Aggregation Example” on page 386. Default routes can be configured using the following methods: Import   Originate—The router sends a default route to peers if it does not have any default routes in its routing table.  Redistribute—Default routes are either configured through the default gateway or learned via other protocols and redistributed to peer routers. If the default routes are from the default gateway, enable the static routes because default routes from the default gateway are static routes. Similarly, if the routes are learned from another routing protocol, make sure you enable that protocol for redistribution.  None © Copyright Lenovo 2018 Chapter 27: Border Gateway Protocol...
Page 382: Bgp Attributes
BGP Attributes The following two BGP attributes are discussed in this section: Local preference and metric (Multi‐Exit Discriminator). Local Preference Attribute When there are multiple paths to the same destination, the local preference attribute indicates the preferred path. The path with the higher preference is preferred (the default value of the local preference attribute is 100). Unlike the weight attribute, which is only relevant to the local router, the local preference attribute is part of the routing update and is exchanged among routers in the same The local preference attribute can be set in one of two ways:  Using the BGP default local preference method, affecting the outbound direction only. NE2552E(config)# router bgp NE2552E(config_router_bgp)# local-preference <0-4294967294> NE2552E(config_router_bgp)# exit  Using the route map local preference method, which affects both inbound and outbound directions. NE2552E(config)# route-map 1 NE2552E(config_route_map)# local-preference <0-4294967294> NE2552E(config_route_map)# enabled NE2552E(config_router_map)# exit NE2552E(config)# router bgp NE2552E(config_router_bgp)# neighbor {<number>/group <number>} route-map ...
Page 383: Selecting Route Paths In Bgp
Selecting Route Paths in BGP BGP selects only one path as the best path. It does not rely on metric attributes to determine the best path. When the same network is learned via more than one BGP peer, BGP uses its policy for selecting the best route to that network. The BGP implementation on the NE2552E uses the following criteria to select a path when the same route is received from multiple peers. 1. Local fixed and static routes are preferred over learned routes. 2. With iBGP peers, routes with higher local preference values are selected. 3. In the case of multiple routes of equal preference, the route with lower AS path weight is selected. AS path weight = 128 x AS path length (number of autonomous systems traversed). 4. In the case of equal weight and routes learned from peers that reside in the same AS, the lower metric is selected. Note: A route with a metric is preferred over a route without a metric. 5. The lower cost to the next hop of routes is selected. 6. In the case of equal cost, the eBGP route is preferred over iBGP. 7. If all routes have same route type (eBGP or iBGP), the route with the lower router ID is selected. When the path is selected, BGP puts the selected path in its routing table and propagates the path to its neighbors. © Copyright Lenovo 2018 Chapter 27: Border Gateway Protocol...
Page 384: Bgp Failover Configuration
BGP Failover Configuration Use the following example to create redundant default gateways for a NE2552E at a Web Host/ISP site, eliminating the possibility, should one gateway go down, that requests will be forwarded to an upstream router unknown to the switch. As shown in Figure 39, the switch is connected to ISP 1 and ISP 2. The customer negotiates with both ISPs to allow the switch to use their peer routers as default gateways. The ISP peer routers will then need to announce themselves as default gateways to the NE2552E. Figure 39. BGP Failover Configuration Example ISP 1 ISP 2 Peer 1 Router Peer 2 Router AS 100 AS 200 (Primary) (Secondary) IP:200.200.200.2 IP:210.210.210.2 GbE Switch Module announces routes with Default gateway, Metric = AS path metric of “3”...
Page 385 NE2552E(config-router-bgp)# as 816 NE2552E(config-router-bgp)# neighbor 1 remote-address 200.200.200.2 NE2552E(config-router-bgp)# neighbor 1 remote-as 100 NE2552E(config-router-bgp)# no neighbor 1 shutdown NE2552E(config-router-bgp)# neighbor 2 remote-address 210.210.210.2 NE2552E(config-router-bgp)# neighbor 2 remote-as 200 NE2552E(config-router-bgp)# no neighbor 2 shutdown © Copyright Lenovo 2018 Chapter 27: Border Gateway Protocol...
Page 386: Default Redistribution And Route Aggregation Example
Default Redistribution and Route Aggregation Example This example shows you how to configure the switch to redistribute information from one routing protocol to another and create an aggregate route entry in the BGP routing table to minimize the size of the routing table. As illustrated in Figure 40, you have two peer routers: an internal and an external peer router. Configure the NE2552E to redistribute the default routes from AS 200 to AS 135. At the same time, configure for route aggregation to allow you to condense the number of routes traversing from AS 135 to AS 200. Figure 40. Route Aggregation and Default Route Redistribution Aggregate routes 135.0.0.0/8 traversing from AS 135 to AS 200 AS 135 AS 200 Internal peer router 1 10.1.1.4 20.20.20.135 External peer router 2 20.20.20.2 135.110.0.0/16 Switch Module...
Page 387 5. Configure aggregation policy control. Configure the routes that you want aggregated. NE2552E(config-router-bgp)# aggregate-address 1 135.0.0.0 255.0.0.0 NE2552E(config-router-bgp)# aggregate-address 1 enable © Copyright Lenovo 2018 Chapter 27: Border Gateway Protocol...
Page 388 NE2552E Application Guide for ENOS 8.4...
Page 389: Chapter 28. Ospf
 “OSPFv2 Overview” on page 389. This section provides information on OSPFv2 concepts, such as types of OSPF areas, types of routing devices, neighbors, adjacencies, link state database, authentication, and internal versus external routing. “OSPFv2 Implementation in Lenovo ENOS” on page 394. This section describes  how OSPFv2 is implemented in Lenovo ENOS, such as configuration parameters, electing the designated router, summarizing routes, defining route maps and so forth.  “OSPFv2 Configuration Examples” on page 405. This section provides step‐by‐step instructions on configuring different OSPFv2 examples: Creating a simple OSPF domain  Creating virtual links  Summarizing routes   “OSPFv3 Implementation in Lenovo ENOS” on page 413. This section describes differences and additional features found in OSPFv3. OSPFv2 Overview OSPF is designed for routing traffic within a single IP domain called an Autonomous System (AS). The AS can be divided into smaller logical units known as areas. All routing devices maintain link information in their own Link State Database (LSDB). The LSDB for all routing devices within an area is identical but is not exchanged between different areas. Only routing updates are exchanged between areas, thereby significantly reducing the overhead for maintaining routing information on a large, dynamic network. © Copyright Lenovo 2018...
Page 390: Types Of Ospf Areas
Types of OSPF Areas An AS can be broken into logical units known as areas. In any AS with multiple areas, one area must be designated as area 0, known as the backbone. The backbone acts as the central OSPF area. All other areas in the AS must be connected to the backbone. Areas inject summary routing information into the backbone, which then distributes it to other areas as needed. As shown in Figure 41, OSPF defines the following types of areas: Stub Area—an area that is connected to only one other area. External route  information is not distributed into stub areas.  Not‐So‐Stubby‐Area (NSSA)—similar to a stub area with additional capabilities. Routes originating from within the NSSA can be propagated to adjacent transit and backbone areas. External routes from outside the AS can be advertised within the NSSA but can be configured to not be distributed into other areas.  Transit Area—an area that carries data traffic which neither originates nor terminates in the area itself. Figure 41. OSPF Area Types Backbone Area 0 (Also a Transit Area) Internal LSA Virtual Routes Link Stub Area Transit Area Not-So-Stubby Area No External Routes from Backbone...
Page 391: Types Of Ospf Routing Devices
 Area Border Router (ABR)—a router that has interfaces in multiple areas. ABRs maintain one LSDB for each connected area and disseminate routing information between areas. Autonomous System Boundary Router (ASBR)—a router that acts as a gateway  between the OSPF domain and non‐OSPF domains, such as RIP, BGP, and static routes. Figure 42. OSPF Domain and an Autonomous System OSPF Autonomous System Backbone Area 3 Area 0 Inter-Area Routes External (Summary Routes) ASBR Routes Internal ASBR Router Area 1 Area 2 © Copyright Lenovo 2018 Chapter 28: OSPF...
Page 392: Neighbors And Adjacencies
Neighbors and Adjacencies In areas with two or more routing devices, neighbors and adjacencies are formed. Neighbors are routing devices that maintain information about each others’ health. To establish neighbor relationships, routing devices periodically send hello packets on each of their interfaces. All routing devices that share a common network segment, appear in the same area, and have the same health parameters (hello and dead intervals) and authentication parameters respond to each other’s hello packets and become neighbors. Neighbors continue to send periodic hello packets to advertise their health to neighbors. In turn, they listen to hello packets to determine the health of their neighbors and to establish contact with new neighbors. The hello process is used for electing one of the neighbors as the area’s Designated Router (DR) and one as the area’s Backup Designated Router (BDR). The DR is adjacent to all other neighbors and acts as the central contact for database exchanges. Each neighbor sends its database information to the DR, which relays the information to the other neighbors. The BDR is adjacent to all other neighbors (including the DR). Each neighbor sends its database information to the BDR just as with the DR, but the BDR merely stores this data and does not distribute it. If the DR fails, the BDR will take over the task of distributing database information to the other neighbors. The Link-State Database OSPF is a link‐state routing protocol. A link represents an interface (or routable path) from the routing device. By establishing an adjacency with the DR, each routing device in an OSPF area maintains an identical Link‐State Database (LSDB) describing the network topology for its area. Each routing device transmits a Link‐State Advertisement (LSA) on each of its active interfaces. LSAs are entered into the LSDB of each routing device. OSPF uses flooding to distribute LSAs between routing devices. Interfaces may also be passive. Passive interfaces send LSAs to active interfaces, but do not receive LSAs, hello packets, or any other OSPF protocol information from active interfaces. Passive interfaces behave as stub networks, allowing OSPF routing devices to be aware of devices that do otherwise participate in OSPF (either because they do not support it, or because the administrator chooses to restrict OSPF traffic exchange or transit). When LSAs result in changes to the routing device’s LSDB, the routing device forwards the changes to the adjacent neighbors (the DR and BDR) for distribution to the other neighbors. OSPF routing updates occur only when changes occur, instead of periodically. For ...
Page 393: The Shortest Path First Tree
The Shortest Path First Tree The routing devices use a link‐state algorithm (Dijkstra’s algorithm) to calculate the shortest path to all known destinations, based on the cumulative cost required to reach the destination. The cost of an individual interface in OSPF is an indication of the overhead required to send packets across it. The cost is inversely proportional to the bandwidth of the interface. A lower cost indicates a higher bandwidth. Internal Versus External Routing To ensure effective processing of network traffic, every routing device on your network needs to know how to send a packet (directly or indirectly) to any other location/destination in your network. This is referred to as internal routing and can be done with static routes or using active internal routing protocols, such as OSPF, RIP, or RIPv2. It is also useful to tell routers outside your network (upstream providers or peers) about the routes you have access to in your network. Sharing of routing information between autonomous systems is known as external routing. Typically, an AS will have one or more border routers (peer routers that exchange routes with other OSPF networks) as well as an internal routing system enabling every router in that AS to reach every other router and destination within that AS. When a routing device advertises routes to boundary routers on other autonomous systems, it is effectively committing to carry data to the IP space represented in the route being advertised. For example, if the routing device advertises 192.204.4.0/24, it is declaring that if another router sends data destined for any address in the 192.204.4.0/24 range, it will carry that data to its destination. © Copyright Lenovo 2018 Chapter 28: OSPF...
Page 394: Ospfv2 Implementation In Lenovo Enos
OSPFv2 Implementation in Lenovo ENOS Lenovo ENOS supports a single instance of OSPF and up to 2K routes on the network. The following sections describe OSPF implementation in Lenovo ENOS:  “Configurable Parameters” on page 394 “Defining Areas” on page 395   “Interface Cost” on page 397 “Electing the Designated Router and Backup” on page 397   “Summarizing Routes” on page 397 “Default Routes” on page 398   “Virtual Links” on page 399 “Router ID” on page 399   “Authentication” on page 400 Configurable Parameters In Lenovo ENOS, OSPF parameters can be configured through the Command Line Interfaces (CLI/ISCLI), Browser‐Based Interface (BBI), or through SNMP. For more information, see “Switch Administration” on page 29.”...
Page 395: Defining Areas
The aindex <area index> option is actually just an arbitrary index (0‐2) used only by the NE2552E. This index does not necessarily represent the OSPF area number, though for configuration simplicity, it should where possible. For example, both of the following sets of commands define OSPF area 0 (the backbone) and area 1 because that information is held in the area ID portion of the command. However, the first set of commands is easier to maintain because the arbitrary area indexes agree with the area IDs:  Area index and area ID agree area 0 area-id 0.0.0.0 (Use index 0 to set area 0 in ID octet format) area 1 area-id 0.0.0.1 (Use index 1 to set area 1 in ID octet format) Area index set to an arbitrary value  area 1 area-id 0.0.0.0 (Use index 1 to set area 0 in ID octet format) area 2 area-id 0.0.0.1 (Use index 2 to set area 1 in ID octet format) © Copyright Lenovo 2018 Chapter 28: OSPF...
Page 396: Using The Area Id To Assign The Ospf Area Number
NE2552E(config-router-ospf)# area 1 area-id 0.0.0.1 NE2552E(config-router-ospf)# area 1 enable NE2552E(config-router-ospf)# enable NE2552E(config-router-ospf)# exit NE2552E(config)# nterface ip 14 NE2552E(config-ip-if)# ip address 10.10.10.1 255.255.255.0 enable NE2552E(config-ip-if)# ip ospf area 1 NE2552E(config-ip-if)# ip ospf enable Note: OSPFv2 supports IPv4 only. IPv6 is supported in OSPFv3 (see “OSPFv3 Implementation in Lenovo ENOS” on page 413). NE2552E Application Guide for ENOS 8.4...
Page 397: Interface Cost
NE2552E(config-ip-if)# ip ospf passive-interface NE2552E(config-ip-if)# exit Summarizing Routes Route summarization condenses routing information. Without summarization, each routing device in an OSPF network would retain a route to every subnet in the network. With summarization, routing devices can reduce some sets of routes to a single advertisement, reducing both the load on the routing device and the perceived complexity of the network. The importance of route summarization increases with network size. Summary routes can be defined for up to 16 IP address ranges using the following command: NE2552E(config)# router ospf NE2552E(config-router-ospf)# area-range <range number> address <IP address> <mask> where <range number> is a number 1 to 16, <IPv4 address> is the base IP address for the range, and <subnet mask> is the IPv4 address mask for the range. For a detailed configuration example, see “Example 3: Summarizing Routes” on page 410. Note: OSPFv2 supports IPv4 only. IPv6 is supported in OSPFv3 (see “OSPFv3 Implementation in Lenovo ENOS” on page 413). © Copyright Lenovo 2018 Chapter 28: OSPF...
Page 398: Default Routes
Default Routes When an OSPF routing device encounters traffic for a destination address it does not recognize, it forwards that traffic along the default route. Typically, the default route leads upstream toward the backbone until it reaches the intended area or an external router. Each NE2552E acting as an ABR automatically inserts a default route into each attached area. In simple OSPF stub areas or NSSAs with only one ABR leading upstream (see Area 1 in Figure 43), any traffic for IP address destinations outside the area is forwarded to the switch’s IP interface, and then into the connected transit area (usually the backbone). Since this is automatic, no further configuration is required for such areas. Figure 43. Injecting Default Routes Backbone Stub Area Stub Area Metric: Metric: Area 0 Area 2 Area 1 IF 1 IF 2 Priority Priority default route Default default route route Metric: ASBR to...
Page 399: Virtual Links
For a detailed configuration example on Virtual Links, see “Example 2: Virtual Links” on page 407. Router ID Routing devices in OSPF areas are identified by a router ID, expressed in IP address format. The router ID is not required to be part of any IP interface range or in any OSPF area, and may even use the NE2552E loopback interface (see “Loopback Interfaces in OSPF” on page 403). The router ID can be configured in one of the following two ways:  Dynamically (the default)—OSPF protocol configures the router ID as the lowest IP loopback interface IP address, if available, or else the lowest IP interface IP address, if available. Once dynamically configured, the router ID does not nor‐ mally undergo further updates.  Statically—Use the following command to manually configure the router ID: NE2552E(config-router-ospf)# ip router-id <IPv4 address> To change the router ID from static to dynamic, set the router ID to 0.0.0.0, save the configuration, and reboot the NE2552E. To view the router ID, enter: NE2552E(config-router-ospf)# show ip ospf © Copyright Lenovo 2018 Chapter 28: OSPF...
Page 400: Authentication
Authentication OSPF protocol exchanges can be authenticated so that only trusted routing devices can participate. This ensures less processing on routing devices that are not listening to OSPF packets. OSPF allows packet authentication and uses IP multicast when sending and receiving packets. Routers participate in routing domains based on pre‐defined passwords. Lenovo ENOS supports simple password (type 1 plain text passwords) and MD5 cryptographic authentication. This type of authentication allows a password to be configured per area. We strongly recommend that you implement MD5 cryptographic authentication as a best practice. Figure shows authentication configured for area 0 with the password test. Simple authentication is also configured for the virtual link between area 2 and area 0. Area 1 is not configured for OSPF authentication. Figure 44. OSPF Authentication Area 0 Area 1 Simple authentication key=test Application Switch 2 IF 1 IF 2 Switch 3 Application IF 4 Switch 1...
Page 401: Configuring Plain Text Ospf Passwords
NE2552E(config-ip-if)# ip ospf key test NE2552E(config-ip-if)# exit NE2552E(config)# interface ip 3 NE2552E(config-ip-if)# ip ospf key test NE2552E(config-ip-if)# exit 3. Enable OSPF authentication for Area 2 on switch 4. NE2552E(config)# router ospf NE2552E(config-router-ospf)# area 2 authentication-type password 4. Configure a simple text password up to eight characters for the virtual link between Area 2 and Area 0 on switches 2 and 4. NE2552E(config-router-ospf)# area-virtual-link 1 key IBM © Copyright Lenovo 2018 Chapter 28: OSPF...
Page 402: Configuring Md5 Authentication
Configuring MD5 Authentication Use the following commands to configure MD5 authentication on the switches shown in Figure 1. Enable OSPF MD5 authentication for Area 0 on switches 1, 2, and 3. NE2552E(config-router-ospf)# area 0 authentication-type md5 2. Configure MD5 key ID for Area 0 on switches 1, 2, and 3. NE2552E(config-router-ospf)# message-digest-key 1 md5-key test NE2552E(config-router-ospf)# exit 3. Assign MD5 key ID to OSPF interfaces on switches 1, 2, and 3. NE2552E(config)# interface ip 1 NE2552E(config-ip-if)# ip ospf message-digest-key 1 NE2552E(config-ip-if)# exit NE2552E(config)# interface ip 2 NE2552E(config-ip-if)# ip ospf message-digest-key 1 NE2552E(config-ip-if)# exit NE2552E(config)# interface ip 3 NE2552E(config-ip-if)# ip ospf message-digest-key 1...
Page 403: Host Routes For Load Balancing
If redundant routes via multiple routing processes (such as OSPF, RIP, BGP, or static routes) exist on your network, the switch defaults to the OSPF‐derived route. Loopback Interfaces in OSPF Because loopback interfaces are always available on the switch, loopback interfaces may present an advantage when used as the router ID. If dynamic router ID selection is used (see “Router ID” on page 399), loopback interfaces can be used to force router ID selection. If a loopback interface is configured, its IP address is automatically selected as the router ID, even if other IP interfaces have lower IP addresses. If more than one loopback interface is configured, the lowest loopback interface IP address is selected. Loopback interfaces can be advertised into the OSPF domain by specifying an OSPF host route with the loopback interface IP address. To enable OSPF on an existing loopback interface: NE2552E(config)# interface loopback <1‐5> NE2552E(config-ip-loopback)# ip ospf area <area ID> enable NE2552E(config-ip-loopback)# exit © Copyright Lenovo 2018 Chapter 28: OSPF...
Page 404: Ospf Features Not Supported
OSPF Features Not Supported The following OSPF features are not supported in this release:  Summarizing external routes  Filtering OSPF routes  Using OSPF to forward multicast routes  Configuring OSPF on non‐broadcast multi‐access networks (such as frame relay, X.25, or ATM) NE2552E Application Guide for ENOS 8.4...
Page 405: Ospfv2 Configuration Examples
Example 1: Simple OSPF Domain In this example, two OSPF areas are defined—one area is the backbone and the other is a stub area. A stub area does not allow advertisements of external routes, thus reducing the size of the database. Instead, a default summary route of IP address 0.0.0.0 is automatically inserted into the stub area. Any traffic for IP address destinations outside the stub area will be forwarded to the stub area’s IP interface, and then into the backbone. Figure 45. A Simple OSPF Domain Backbone Stub Area Area 0 Area 1 (0.0.0.0) (0.0.0.1) IF 1 IF 2 10.10.7.1 10.10.12.1 Network Network 10.10.7.0/24 10.10.12.0/24 © Copyright Lenovo 2018 Chapter 28: OSPF...
Page 406 NE2552E(config)# interface ip 1 NE2552E(config-ip-if)# ip address 10.10.7.1 255.255.255.0 enable NE2552E(config-ip-if)# exit NE2552E(config)# interface ip 2 NE2552E(config-ip-if)# ip address 10.10.12.1 255.255.255.0 enable NE2552E(config-ip-if)# exit Note: OSPFv2 supports IPv4 only. IPv6 is supported in OSPFv3 (see “OSPFv3 Implementation in Lenovo ENOS” on page 413). 2. Enable OSPF. NE2552E(config)# router ospf NE2552E(config-router-ospf)# enable 3. Define the backbone. The backbone is always configured as a transit area using areaid 0.0.0.0. NE2552E(config-router-ospf)# area 0 area-id 0.0.0.0...
Page 407: Example 2: Virtual Links
NE2552E(config-ip-if)# exit 2. Configure the router ID. A router ID is required when configuring virtual links. Later, when configuring the other end of the virtual link on Switch 2, the router ID specified here will be used as the target virtual neighbor (nbr) address. NE2552E(config)# ip router-id 10.10.10.1 3. Enable OSPF. NE2552E(config)# router ospf NE2552E(config-router-ospf)# enable 4. Define the backbone. NE2552E(config-router-ospf)# area 0 area-id 0.0.0.0 NE2552E(config-router-ospf)# area 0 type transit NE2552E(config-router-ospf)# area 0 enable © Copyright Lenovo 2018 Chapter 28: OSPF...
Page 408: Configuring Ospf For A Virtual Link On Switch #2
5. Define the transit area. The area that contains the virtual link must be configured as a transit area. NE2552E(config-router-ospf)# area 1 area-id 0.0.0.1 NE2552E(config-router-ospf)# area 1 type transit NE2552E(config-router-ospf)# area 1 enable NE2552E(config-router-ospf)# exit 6. Attach the network interface to the backbone. NE2552E(config)# interface ip 1 NE2552E(config-ip-if)# ip ospf area 0 NE2552E(config-ip-if)# ip ospf enable NE2552E(config-ip-if)# exit 7. Attach the network interface to the transit area. NE2552E(config)# interface ip 2 NE2552E(config-ip-if)# ip ospf area 1 NE2552E(config-ip-if)# ip ospf enable NE2552E(config-ip-if)# exit...
Page 409 7. Attach the network interface to the transmit area: NE2552E(config)# interface ip 1 NE2552E(config-ip-if)# ip ospf area 1 NE2552E(config-ip-if)# ip ospf enable NE2552E(config-ip-if)# exit 8. Attach the network interface to the stub area. NE2552E(config)# interface ip 2 NE2552E(config-ip-if)# ip ospf area 2 NE2552E(config-ip-if)# ip ospf enable NE2552E(config-ip-if)# exit © Copyright Lenovo 2018 Chapter 28: OSPF...
Page 410: Other Virtual Link Options
Example 3: Summarizing Routes By default, ABRs advertise all the network addresses from one area into another area. Route summarization can be used for consolidating advertised addresses and reducing the perceived complexity of the network. If the network IP addresses in an area are assigned to a contiguous subnet range, you can configure the ABR to advertise a single summary route that includes all the individual IP addresses within the area. The following example shows one summary route from area 1 (stub area) injected into area 0 (the backbone). The summary route consists of all IP addresses from 36.128.192.0 through 36.128.254.255 except for the routes in the range 36.128.200.0 through 36.128.200.255. Note: OSPFv2 supports IPv4 only. IPv6 is supported in OSPFv3 (see “OSPFv3 Implementation in Lenovo ENOS” on page 413). Figure 47. Summarizing Routes Backbone Stub Area Area 0 Area 1 (0.0.0.0) (0.0.0.1) IF 1 IF 2 10.10.7.1 36.128.192.1 36.128.192.x to Summary Route 36.128.254.x...
Page 411 NE2552E(config-ip-if)# ip ospf area 1 NE2552E(config-ip-if)# ip ospf enable NE2552E(config-ip-if)# exit 7. Configure route summarization by specifying the starting address and mask of the range of addresses to be summarized. NE2552E(config)# router ospf NE2552E(config-router-ospf)# area-range 1 address 36.128.192.0 255.255.192.0 NE2552E(config-router-ospf)# area-range 1 area 1 NE2552E(config-router-ospf)# area-range 1 enable NE2552E(config-router-ospf)# exit © Copyright Lenovo 2018 Chapter 28: OSPF...
Page 412: Verifying Ospf Configuration
NE2552E(config-router-ospf)# area-range 2 area 1 NE2552E(config-router-ospf)# area-range 2 hide NE2552E(config-router-ospf)# exit Verifying OSPF Configuration Use the following commands to verify the OSPF configuration on your switch: show ip ospf  show ip ospf neighbor  show ip ospf database database-summary  show ip ospf routes  Refer to the Lenovo ENOS Command Reference for information on the preceding commands. NE2552E Application Guide for ENOS 8.4...
Page 413: Ospfv3 Implementation In Lenovo Enos
OSPFv3 Implementation in Lenovo ENOS OSPF version 3 is based on OSPF version 2, but has been modified to support IPv6 addressing. In most other ways, OSPFv3 is similar to OSPFv2: They both have the same packet types and interfaces, and both use the same mechanisms for neighbor discovery, adjacency formation, LSA flooding, aging, and so on. The administrator should be familiar with the OSPFv2 concepts covered in the preceding sections of this chapter before implementing the OSPFv3 differences as described in the following sections. Although OSPFv2 and OSPFv3 are very similar, they represent independent features on the NE2552E. They are configured separately, and both can run in parallel on the switch with no relation to one another, serving different IPv6 and IPv4 traffic, respectively. OSPFv3 Differences from OSPFv2 Note: When OSPFv3 is enabled, the OSPF backbone area (0.0.0.0) is created by default and is always active. OSPFv3 Requires IPv6 Interfaces OSPFv3 is designed to support IPv6 addresses. This requires IPv6 interfaces to be configured on the switch and assigned to OSPF areas, in much the same way IPv4 interfaces are assigned to areas in OSPFv2. This is the primary configuration difference between OSPFv3 and OSPFv2. See “Internet Protocol Version 6” on page 325 for configuring IPv6 interfaces. OSPFv3 Uses Independent Command Paths Though OSPFv3 and OSPFv2 are very similar, they are configured independently. OSPFv3 command paths are located as follows: In the ISCLI...
Page 414: Other Internal Improvements
Flexible treatment of unknown LSA types to make integration of OSPFv3 easier.  Interface network type can be specified using the command: ipv6 ospf network {broadcast| NE2552E(config-ip-if)# |non-broadcast|point-to-multipoint|point-to-point}  For an interface network type that is not broadcast or NBMA, link LSA suppression can be enabled so link LSA is not originated for the interface. Use ipv6 ospf linklsasuppress the command: NE2552E(config-ip-if)# OSPFv3 Limitations Lenovo ENOS 8.4 does not currently support the following OSPFv3 features:  Multiple instances of OSPFv3 on one IPv6 link. OSPFv3 Configuration Example The following example depicts the OSPFv3 equivalent configuration of “Example 3: Summarizing Routes” on page 410 for OSPFv2. In this example, one summary route from area 1 (stub area) is injected into area 0 (the backbone). The summary route consists of all IP addresses for the 36.:0/32 portion of the 36::0/56 network except for the routes in the 36::0/8 range. Figure 48. Summarizing Routes Backbone Stub Area Area 0 Area 1 (0.0.0.0)
Page 415 NE2552E(config)# interface ip 3 NE2552E(config-ip-if)# ipv6 ospf area 0 NE2552E(config-ip-if)# ipv6 ospf enable NE2552E(config-ip-if)# exit The ipv6 command path is used instead of the OSPFv2 ip command path 6. Attach the network interface to the stub area. NE2552E(config)# interface ip 4 NE2552E(config-ip-if)# ipv6 ospf area 1 NE2552E(config-ip-if)# ipv6 ospf enable NE2552E(config-ip-if)# exit The ipv6 command path is used instead of the OSPFv2 ip command path. © Copyright Lenovo 2018 Chapter 28: OSPF...
Page 416 7. Configure route summarization by specifying the starting address and prefix length of the range of addresses to be summarized. NE2552E(config)# ipv6 router ospf NE2552E(config-router-ospf3)# area-range 1 address 36:0:0:0:0:0:0:0 32 NE2552E(config-router-ospf3)# area-range 1 area 0 NE2552E(config-router-ospf3)# area-range 1 enable This differs from OSPFv2 only in that the OSPFv3 command path is used, and the address and prefix are specified in IPv6 format. 8. Use the hide command to prevent a range of addresses from advertising to the backbone. NE2552E(config-router-ospf)# area-range 2 address 36:0:0:0:0:0:0:0 8 NE2552E(config-router-ospf)# area-range 2 area 0 NE2552E(config-router-ospf)# area-range 2 hide NE2552E(config-router-ospf)# exit This differs from OSPFv2 only in that the OSPFv3 command path is used, and the ...
Page 417: Neighbor Configuration Example
NE2552E(config-router-ospf3)# area 0 translation-role candidate NE2552E(config-router-ospf3)# area 0 type transit NE2552E(config-router-ospf3)# area 0 enable 4. Configure neighbor entry: NE2552E(config-router-ospf3)# neighbor 1 address fe80:0:0:0:dceb:ff:fe00:9 NE2552E(config-router-ospf3)# neighbor 1 interface 10 NE2552E(config-router-ospf3)# neighbor 1 priority 1 NE2552E(config-router-ospf3)# neighbor 1 enable © Copyright Lenovo 2018 Chapter 28: OSPF...
Page 418 NE2552E Application Guide for ENOS 8.4...
Page 419: Chapter 29. Protocol Independent Multicast
“Additional Sparse Mode Settings” on page 424  “Using PIM with Other Features” on page 426  “PIM Configuration Examples” on page 427 PIM Overview PIM is designed for efficiently routing multicast traffic across one or more IPv4 domains. This has benefits for application such as IP television, collaboration, education, and software delivery, where a single source must deliver content (a multicast) to a group of receivers that span both wide‐area and inter‐domain networks. Instead of sending a separate copy of content to each receiver, a multicast derives efficiency by sending only a single copy of content toward its intended receivers. This single copy only becomes duplicated when it reaches the target domain that includes multiple receivers, or when it reaches a necessary bifurcation point leading to different receiver domains. PIM is used by multicast source stations, client receivers, and intermediary routers and switches, to build and maintain efficient multicast routing trees. PIM is protocol independent; It collects routing information using the existing unicast routing functions underlying the IPv4 network, but does not rely on any particular unicast protocol. For PIM to function, a Layer 3 routing protocol (such as BGP, OSPF, RIP, or static routes) must first be configured on the switch. PIM‐SM is a reverse‐path routing mechanism. Client receiver stations advertise their willingness to join a multicast group. The local routing and switching devices collect multicast routing information and forward the request toward the station that will provide the multicast content. When the join requests reach the sending station, the multicast data is sent toward the receivers, flowing in the opposite direction of the original join requests. Some routing and switching devices perform special PIM‐SM functions. Within each receiver domain, one router is elected as the Designated Router (DR) for handling multicasts for the domain. DRs forward information to a similar device, the Rendezvous Point (RP), which holds the root tree for the particular multicast group. © Copyright Lenovo 2018...
Page 420: Supported Pim Modes And Features
Supported PIM Modes and Features For each interface attached to a PIM network component, PIM can be configured to operate either in PIM Sparse Mode (PIM‐SM) or PIM Dense Mode (PIM‐DM).  PIM‐SM is used in networks where multicast senders and receivers comprise a relatively small (sparse) portion of the overall network. PIM‐SM uses a more complex process than PIM‐DM for collecting and optimizing multicast routes, but minimizes impact on other IP services and is more commonly used.  PIM‐DM is used where multicast devices are a relatively large (dense) portion of the network, with very frequent (or constant) multicast traffic. PIM‐DM requires less configuration on the switch than PIM‐SM, but uses broadcasts that can consume more bandwidth in establishing and optimizing routes. The following PIM modes and features are not currently supported in Lenovo ENOS 8.4: Hybrid Sparse‐Dense Mode (PIM‐SM/DM). Sparse Mode and Dense Mode may  be configured on separate IP interfaces on the switch, but are not currently supported simultaneously on the same IP interface.  PIM Source‐Specific Multicast (PIM‐SSM)  Anycast RP  PIM RP filters  Only configuration via the switch ISCLI is supported. PIM configuration is currently not available using the menu‐based CLI, the BBI, or via SNMP. NE2552E Application Guide for ENOS 8.4...
Page 421: Basic Pim Settings
NE2552E(config)# [no] ip pim enable Defining a PIM Network Component The NE2552E can be attached to a maximum of two independent PIM network components. Each component represents a different PIM network, and can be defined for either PIM‐SM or PIM‐DM operation. Basic PIM component configuration is performed using the following commands: NE2552E(config)# ip pim component <1‐2> NE2552E(config-ip-pim-comp)# mode {sparse|dense} NE2552E(config-ip-pim-comp)# exit The sparse option will place the component in Sparse Mode (PIM‐SM). The dense option will place the component in Dense Mode (PIM‐DM). By default, PIM component 1 is configured for Sparse Mode. PIM component 2 is non configured by default. Note: A component using PIM‐SM must also be configured with a dynamic or static Rendezvous Point (see “Specifying the Rendezvous Point” on page 424). © Copyright Lenovo 2018 Chapter 29: Protocol Independent Multicast...
Page 422: Defining An Ip Interface For Pim Use
Defining an IP Interface for PIM Use Each network attached to an IP interface on the switch may be assigned one of the available PIM components. The same PIM component can be assigned to multiple IP interfaces. The interfaces may belong to the same VLAN, but each interface can belong to only one VLAN. To define an IP interface for use with PIM, first configured the interface with an IPv4 address and VLAN as follows: NE2552E(config)# interface ip <Interface number> NE2552E(config-ip-if)# ip address <IPv4 address> <IPv4 mask> NE2552E(config-ip-if)# vlan <VLAN number> NE2552E(config-ip-if)# enable Note: The PIM feature currently supports only one VLAN for each IP interface. Configurations where different interfaces on different VLANs share IP addresses are not supported. Next, PIM must be enabled on the interface, and the PIM network component ID must be specified: NE2552E(config-ip-if)# ip pim enable NE2552E(config-ip-if)# ip pim component-id <1‐2> NE2552E(config-ip-if)# exit By default, PIM component 1 is automatically assigned when PIM is enabled on ...
Page 423 To remove a PIM neighbor from the accepted list, use the following command. NE2552E(config-ip-if)# ip pim neighbor-addr <neighbor IPv4 address> deny NE2552E(config-ip-if)# exit You can view configured PIM neighbor filters globally or for a specific IP interface using the following commands: NE2552E(config)# show ip pim neighbor-filters NE2552E(config)# show ip pim interface <Interface number> neighbor-filters © Copyright Lenovo 2018 Chapter 29: Protocol Independent Multicast...
Page 424: Additional Sparse Mode Settings
Additional Sparse Mode Settings Specifying the Rendezvous Point Using PIM‐SM, at least one PIM‐capable router must be a candidate for use as a Rendezvous Point (RP) for any given multicast group. If desired, the NE2552E can act as an RP candidate. To assign a configured switch IP interface as a candidate, use the following procedure. 1. Select the PIM component that will represent the RP candidate: NE2552E(config)# ip pim component <1‐2> 2. Configure the IPv4 address of the switch interface which will be advertised as a candidate RP for the specified multicast group: NE2552E(config-ip-pim-comp)# rp-candidate rp-address <group address> <group address mask> <candidate IPv4 address> The switch interface will participate in the election of the RP that occurs on the Bootstrap Router, or BSR (see “Specifying a Bootstrap Router” on page 425). Alternately, if no election is desired, the switch can provide a static RP, specified using the following command: NE2552E(config-ip-pim-comp)# rp-static rp-address <group address> <group address mask> <static RP IPv4 address> 3.
Page 425: Specifying A Bootstrap Router
Specifying a Bootstrap Router Using PIM‐SM, a Bootstrap Router (BSR) is a PIM‐capable router that hosts the election of the RP from available candidate routers. For each PIM‐enabled IP interface, the administrator can set the preference level for which the local interface becomes the BSR: NE2552E(config)# interface ip <Interface number> NE2552E(config-ip-if)# ip pim cbsr-preference <0 to 255> NE2552E(config-ip-if)# exit A value of 255 highly prefers the local interface as a BSR. A value of ‐1 indicates that the PIM CBSR preference is not configured on the local interface. © Copyright Lenovo 2018 Chapter 29: Protocol Independent Multicast...
Page 426: Using Pim With Other Features
Using PIM with Other Features PIM with ACLs If using ACLs , be sure to permit traffic for local hosts and routers. PIM with IGMP If using IGMP (see “Internet Group Management Protocol” on page 357):  IGMP static joins can be configured with a PIM‐SM or PIM‐DM multicast group IPv4 address. Using the ISCLI: NE2552E(config)# ip mroute <multicast group IPv4 address> <VLAN> <port>  IGMP Query is disabled by default. If IGMP Querier is needed with PIM, be sure to enable the IGMP Query feature globally, as well as on each VLAN where it is needed. If the switch is connected to multicast receivers and/or hosts, be sure to enable  IGMP snooping globally, as well as on each VLAN where PIM receivers are attached. NE2552E Application Guide for ENOS 8.4...
Page 427: Pim Configuration Examples
NE2552E(config-ip-if)# vlan 11 NE2552E(config-ip-if)# enable The IP interface represents the PIM network being connected to the switch. The IPv4 addresses in the defined range must not be included in another IP interface on the switch under a different VLAN. 4. Enable PIM on the IP interface and assign the PIM component: NE2552E(config-ip-if)# ip pim enable NE2552E(config-ip-if)# ip pim component-id 1 Note: Because, PIM component 1 is assigned to the interface by default, the component-id command is needed only if the setting has been previously changed. 5. Set the Bootstrap Router (BSR) preference: NE2552E(config-ip-if)# ip pim cbsr-preference 135 NE2552E(config-ip-if)# exit © Copyright Lenovo 2018 Chapter 29: Protocol Independent Multicast...
Page 428: Example 2: Pim-Sm With Static Rp
Figure 49. Network with both PIM‐DM and PIM‐SM Components PIM-SM PIM-DM Multicast Multicast 225.1.0.0/16 239.1.0.0/16 PIM Enabled Lenovo Switch IP Interface 11 IP Interface 22 IP 10.10.1.1 IP 10.10.1.2 VLAN 101 VLAN 102 Component 1 Component 2 Media Servers NE2552E Application Guide for ENOS 8.4...
Page 429 NE2552E(config-ip-if)# exit 5. (Optional) Configure PIM border router if the IPMC traffic is flowing between PIM domains: NE2552E(config)# ip pim pmbr enable NE2552E(config)# interface ip 22 NE2552E(config-ip-if)# ip pim border-bit NE2552E(config-ip-if)# exit NE2552E(config)# interface ip 11 NE2552E(config-ip-if)# ip pim border-bit NE2552E(config-ip-if)# exit Note: For PIM Dense Mode, the DR, RP, and BSR settings do not apply. © Copyright Lenovo 2018 Chapter 29: Protocol Independent Multicast...
Page 430 NE2552E Application Guide for ENOS 8.4...
Page 431: Part 6: High Availability Fundamentals
Part 6: High Availability Fundamentals Internet traffic consists of myriad services and applications which use the Internet Protocol (IP) for data delivery. However, IP is not optimized for all the various applications. High Availability goes beyond IP and makes intelligent switching decisions to provide redundant network configurations. © Copyright Lenovo 2018...
Page 432 NE2552E Application Guide for ENOS 8.4...
Page 433: Chapter 30. Basic Redundancy
Lenovo ENOS 8.4 includes various features for providing basic link or device redundancy:  “Aggregation for Link Redundancy” on page 433  “Hot Links” on page 434 Aggregation for Link Redundancy Multiple switch ports can be combined together to form robust, high‐bandwidth LAGs to other devices. Since LAGs are comprised of multiple physical links, the LAG is inherently fault tolerant. As long as one connection between the switches is available, the LAG remains active. In Figure 50, four ports are aggregated together between the switch and the enterprise routing device. Connectivity is maintained as long as one of the links remains active. The links to the server are also aggregated, allowing the secondary NIC to take over in the event that the primary NIC link fails. Figure 50. Aggregating Ports for Link Redundancy Enterprise Server Routing Switch NIC 1 Internet NIC 2 For more information about aggregation, see “Ports and Link Aggregation (LAG)” on page 155. © Copyright Lenovo 2018...
Page 434: Hot Links
Hot Links Hot Links provides basic link redundancy with fast recovery. Hot Links consists of up to 25 triggers. A trigger consists of a pair of layer 2 interfaces, each containing an individual port, LAG, or LACP adminkey. One interface is the Master, and the other is a Backup. While the Master interface is set to the active state and forwards traffic, the Backup interface is set to the standby state and blocks traffic until the Master interface fails. If the Master interface fails, the Backup interface is set to active and forwards traffic. Once the Master interface is restored, it transitions to the standby state and blocks traffic until the Backup interface fails. You may select a physical port, static LAG, or an LACP adminkey as a Hot Link interface. Only external uplink ports can be members of a Hot Links trigger interface. Forward Delay The Forward Delay timer allows Hot Links to monitor the Master and Backup interfaces for link stability before selecting one interface to transition to the active state. Before the transition occurs, the interface must maintain a stable link for the duration of the Forward Delay interval. For example, if you set the Forward delay timer to 10 seconds using the command: NE2552E(config)# hotlinks trigger <x> forward-delay 10 the switch will select an interface to become active only if a link remained stable for the duration of the Forward Delay period. If the link is unstable, the Forward Delay period starts again. Preemption You can configure the Master interface to resume the active state whenever it becomes available. With Hot Links preemption enabled, the Master interface transitions to the active state immediately upon recovery. The Backup interface immediately transitions to the standby state. If Forward Delay is enabled, the transition occurs when an interface has maintained link stability for the duration of the Forward Delay period. FDB Update Use the FDB update option to notify other devices on the network about updates to the Forwarding Database (FDB). When you enable FDB update, the switch sends ...
Page 435: Configuration Guidelines
An individual port that is configured as a Hot Link interface cannot be a member of a LAG. Configuring Hot Links Use the following commands to configure Hot Links. NE2552E(config)# hotlinks trigger 1 enable (Enable Hot Links Trigger 1) NE2552E(config)# hotlinks trigger 1 master port EXT1 (Add port to Master inter‐ face) NE2552E(config)# hotlinks trigger 1 backup port EXT2 (Add port to Backup inter‐ face) NE2552E(config)# hotlinks enable (Turn on Hot Links) © Copyright Lenovo 2018 Chapter 30: Basic Redundancy...
Page 436 NE2552E Application Guide for ENOS 8.4...
Page 437: Chapter 31. Layer 2 Failover
Chapter 31. Layer 2 Failover The primary application for Layer 2 Failover is to support Network Adapter Teaming. With Network Adapter Teaming, all the NICs on each server share the same IP address, and are configured into a team. One NIC is the primary link, and the other is a standby link.For more details, refer to the documentation for your Ethernet adapter. Note: Only two links per server blade can be used for Layer 2 LAG Failover (one primary and one backup). Network Adapter Teaming allows only one backup NIC for each server blade. © Copyright Lenovo 2018...
Page 438: Auto Monitoring Lag Links
Auto Monitoring LAG Links Layer 2 Failover can be enabled on any LAG in the NE2552E, including LACP LAGs. LAGs can be added to failover trigger groups. Then, if some specified number of trigger links fail, the switch disables all the internal ports in the switch (unless VLAN Monitor is turned on). When the internal ports are disabled, it causes the NIC team on the affected server blades to failover from the primary to the backup NIC. This process is called a failover event. When the appropriate number of links in a trigger group return to service, the switch enables the internal ports. This causes the NIC team on the affected server blades to fail back to the primary switch (unless Auto‐Fallback is disabled on the NIC team). The backup switch processes traffic until the primary switch’s internal links come up, which can take up to five seconds. VLAN Monitor The VLAN Monitor allows Layer 2 Failover to discern different VLANs. With VLAN Monitor turned on:  If enough links in a trigger fail (see “Setting the Failover Limit” on page 440), the switch disables all internal ports that reside in the same VLAN membership as the LAG(s) in the trigger.  When enough links in the trigger return to service, the switch enables the internal ports that reside in the same VLAN membership as the LAG(s) in the trigger. If you turn off the VLAN Monitor (NE2552E# no failover vlan), only one failover trigger is allowed. When a link failure occurs on the trigger, the switch disables all internal server‐blade ports. Auto Monitor Configurations Figure 51 is an example of Layer 2 Failover. One NE2552E is the primary and the other is used as a backup. In this example, all external ports on the primary switch belong to a single LAG, with Layer 2 Failover enabled and Failover Limit set to 2. If ...
Page 439 Trigger 2 Server 2 Internet Server 3 Trigger 1 Server 4 Switch 2 Enterprise Trigger 2 Routing Switch VLAN 1: VLAN 2: VLAN Monitor = On Figure 53 shows a configuration with two LAGs. VLAN Monitor is turned off, so only one Failover Trigger is configured on each switch. Switch 1 is the primary switch for Server 1 and Server 2. Switch 2 is the primary switch for Server 3 and Server 4. STP is turned off. If all links in trigger 1 go down, switch 1 disables all internal links to server blades. © Copyright Lenovo 2018 Chapter 31: Layer 2 Failover...
Page 440: Setting The Failover Limit
Figure 53. Two LAGs, one Failover Trigger Trigger 1 Switch 1 Server 1 Server 2 Internet Server 3 Trigger 1 Server 4 Switch 2 Enterprise Routing Switch VLAN 1: VLAN 2: VLAN Monitor = Off Setting the Failover Limit The failover limit lets you specify the minimum number of operational links required within each trigger before the trigger initiates a failover event. For example, if the limit is two, a failover event occurs when the number of operational links in the trigger is two or fewer. When you set the limit to zero, the switch triggers a failover event only when no links in the trigger are operational. NE2552E Application Guide for ENOS 8.4...
Page 441: Manually Monitoring Port Links
 If the port is part of an LACP LAG, the port must be in the Aggregated state. If any of the above conditions is false, the monitor port is considered to have failed. Control Port State A control port is considered Operational if the monitor trigger is up. As long as the trigger is up, the port is considered operational from a teaming perspective, even if the port itself is actually in the Down state, Blocking state (if STP is enabled on the port), or Not Aggregated state (if part of an LACP LAG). A control port is considered to have failed only if the monitor trigger is in the Down state. To view the state of any port, use one of the following commands: NE2552E# show interface link (View port link status) NE2552E# show interface port <x> spanning-tree stp <x> (View port STP status) NE2552E# show lacp information (View port LACP status) © Copyright Lenovo 2018 Chapter 31: Layer 2 Failover...
Page 442: L2 Failover With Other Features
L2 Failover with Other Features L2 Failover works together with Link Aggregation Control Protocol (LACP) and with Spanning Tree Protocol (STP), as described in the next sections. LACP Link Aggregation Control Protocol allows the switch to form dynamic LAGs. You can use the admin key to add up to two LACP LAGs to a failover trigger using automatic monitoring. When you add an admin key to a trigger, any LACP LAG with that admin key becomes a member of the trigger. Note: If you change the LACP system priority on an LACP aggregation, the failover trigger goes down. Spanning Tree Protocol If Spanning Tree Protocol (STP) is enabled on the ports in a failover trigger, the switch monitors the port STP state rather than the link state. A port failure results when STP is not in a Forwarding state (such as Learning, Discarding or No Link). The switch automatically disables the appropriate internal ports, based on the VLAN monitor. When the switch determines that ports in the trigger are in STP Forwarding state, then it automatically enables the appropriate internal ports, based on the VLAN monitor. The switch fails back to normal operation. NE2552E Application Guide for ENOS 8.4...
Page 443: Configuration Guidelines
All external ports in all static or LACP LAGs added to any specific failover trigger must belong to the same VLAN. A maximum of two LACP keys can be added per trigger.   When VLAN Monitor is on, the following additional guidelines apply: All external ports in all static or LACP LAGs added to a specific failover  trigger must belong to the same VLAN and have the same PVID. Different triggers are not permitted to operate on the same VLAN.  Different triggers are not permitted to operate on the same internal port.  For each port in each LAG in a specific failover trigger, the trigger will  monitor the STP state on only the default PVID. Manual Monitor Guidelines  A Manual Monitor can monitor only external ports. Any specific failover trigger can monitor external ports only, static LAGs only, or  LACP LAGs only. The different types cannot be combined in the same trigger.  A maximum of two LACP keys can be added per trigger.  Management ports, FC ports cannot be monitored.  Control ports for different triggers must not overlap. Monitor ports may overlap. © Copyright Lenovo 2018 Chapter 31: Layer 2 Failover...
Page 444: Configuring Layer 2 Failover
Configuring Layer 2 Failover Auto Monitor Example The following procedure pertains to the configuration shown in Figure 1. Configure Network Adapter Teaming on the servers. 2. Define a LAG on the NE2552E. NE2552E(config)# portchannel 1 port EXT1,EXT2,EXT3 enable 3. Configure Failover parameters. NE2552E(config)# failover trigger 1 enable NE2552E(config)# failover trigger 1 limit <0‐1024> NE2552E(config)# failover trigger 1 amon portchannel 1 4. Verify the configuration. NE2552E(config)# show failover trigger 1 information Manual Monitor Example Use the following procedure to configure a Layer 2 Failover Manual Monitor. ...
Page 445: Chapter 32. Virtual Router Redundancy Protocol
“Lenovo ENOS Extensions to VRRP” on page 451. This section describes VRRP enhancements implemented in Lenovo ENOS.  “Virtual Router Deployment Considerations” on page 452. This section describes issues to consider when deploying virtual routers.  “High Availability Configurations” on page 453. This section discusses the more useful and easily deployed redundant configurations. “Active‐Active Configuration” on page 453  “Hot‐Standby Configuration” on page 457  VRRP Overview In a high‐availability network topology, no device can create a single point‐of‐failure for the network or force a single point‐of‐failure to any other part of the network. This means that your network will remain in service despite the failure of any single device. To achieve this usually requires redundancy for all vital network components. VRRP enables redundant router configurations within a LAN, providing alternate router paths for a host to eliminate single points‐of‐failure within a network. Each participating VRRP‐capable routing device is configured with the same virtual router IPv4 address and ID number. One of the virtual routers is elected as the master, based on a number of priority criteria, and assumes control of the shared virtual router IPv4 address. If the master fails, one of the backup virtual routers will take control of the virtual router IPv4 address and actively process traffic addressed to it. With VRRP, Virtual Interface Routers (VIR) allow two VRRP routers to share an IP interface across the routers. VIRs provide a single Destination IPv4 (DIP) address for upstream routers to reach various servers, and provide a virtual default Gateway for the server blades. © Copyright Lenovo 2018...
Page 446: Vrrp Components
VRRP Components Each physical router running VRRP is known as a VRRP router. Virtual Router Two or more VRRP routers can be configured to form a virtual router (RFC 2338). Each VRRP router may participate in one or more virtual routers. Each virtual router consists of a user‐configured virtual router identifier (VRID) and an IPv4 address. Virtual Router MAC Address The VRID is used to build the virtual router MAC Address. The five highest‐order octets of the virtual router MAC Address are the standard MAC prefix (00‐00‐5E‐00‐01) defined in RFC 2338. The VRID is used to form the lowest‐order octet. Owners and Renters Only one of the VRRP routers in a virtual router may be configured as the IPv4 address owner. This router has the virtual router’s IPv4 address as its real interface address. This router responds to packets addressed to the virtual router’s IPv4 address for ICMP pings, TCP connections, and so on. There is no requirement for any VRRP router to be the IPv4 address owner. Most VRRP installations choose not to implement an IPv4 address owner. For the purposes of this chapter, VRRP routers that are not the IPv4 address owner are called renters. Master and Backup Virtual Router Within each virtual router, one VRRP router is selected to be the virtual router master. See “Selecting the Master VRRP Router” on page 447 for an explanation of the selection process. Note: If the IPv4 address owner is available, it will always become the virtual router master. The virtual router master forwards packets sent to the virtual router. It also ...
Page 447: Virtual Interface Router
Selecting the Master VRRP Router Each VRRP router is configured with a priority between 1–254. A bidding process determines which VRRP router is or becomes the master—the VRRP router with the highest priority. The master periodically sends advertisements to an IPv4 multicast address. As long as the backups receive these advertisements, they remain in the backup state. If a backup does not receive an advertisement for three advertisement intervals, it initiates a bidding process to determine which VRRP router has the highest priority and takes over as master. In addition to the three advertisement intervals, a manually set holdoff time can further delay the backups from assuming the master status. If, at any time, a backup determines that it has higher priority than the current master does, it can preempt the master and become the master itself, unless configured not to do so. In preemption, the backup assumes the role of master and begins to send its own advertisements. The current master sees that the backup has higher priority and will stop functioning as the master. A backup router can stop receiving advertisements for one of two reasons—the master can be down, or all communications links between the master and the backup can be down. If the master has failed, it is clearly desirable for the backup (or one of the backups, if there is more than one) to become the master. Note: If the master is healthy but communication between the master and the backup has failed, there will then be two masters within the virtual router. To prevent this from happening, configure redundant links to be used between the switches that form a virtual router. © Copyright Lenovo 2018 Chapter 32: Virtual Router Redundancy Protocol...
Page 448: Failover Methods
Figure 54. A Non‐VRRP, Hot‐Standby Configuration Intranet Clients Primary Switch IP: 200.200.200.100 Internet Servers NFS Server Client Switches Secondary Switch IP: 200.200.200.101 While hot‐standby configurations increase site availability by removing single points‐of‐failure, service providers increasingly view them as an inefficient use of network resources because one functional application switch sits by idly until a failure calls it into action. Service providers now demand that vendorsʹ equipment support redundant configurations where all devices can process traffic when they are healthy, increasing site throughput and decreasing user response times when no device has failed. Lenovo ENOS high availability configurations are based on VRRP. The implementation of VRRP includes proprietary extensions. The Lenovo ENOS implementation of VRRP supports the following modes of high availability: Active‐Active—based on proprietary Lenovo ENOS extensions to VRRP   Hot‐Standby—supports Network Adapter Teaming on your server blades NE2552E Application Guide for ENOS 8.4...
Page 449: Active-Active Redundancy
Active (subnet B and D) Hot-Standby Redundancy The primary application for VRRP‐based hot‐standby is to support Server Load Balancing when you have configured Network Adapter Teaming on your server blades. With Network Adapter Teaming, the NICs on each server share the same IPv4 address, and are configured into a team. One NIC is the primary link, and the others are backup links. For more details, refer to the relevant network adapter documentation. The hot‐standby model is shown in Figure Figure 56. Hot‐Standby Redundancy Active 10.10.10.1 Clients Switch 1 Interswitch Servers Link Enterprise Switch 2 Routing Switch 10.10.10.2 Standby Backup Link © Copyright Lenovo 2018 Chapter 32: Virtual Router Redundancy Protocol...
Page 450: Virtual Router Group
Virtual Router Group The virtual router group ties all virtual routers on the switch together as a single entity. By definition, hot‐standby requires that all virtual routers failover as a group, and not individually. As members of a group, all virtual routers on the switch (and therefore the switch itself), are in either a master or standby state. The virtual router group cannot be used for active‐active configurations or any other configuration that require shared interfaces. A VRRP group has the following characteristics:  When enabled, all virtual routers behave as one entity, and all group settings override any individual virtual router settings.  All individual virtual routers, once the VRRP group is enabled, assume the group’s tracking and priority.  When one member of a VRRP group fails, the priority of the group decreases, and the state of the entire switch changes from Master to Standby. Each VRRP advertisement can include up to 128 addresses. All virtual routers are advertised within the same packet, conserving processing and buffering resources. NE2552E Application Guide for ENOS 8.4...
Page 451: Lenovo Enos Extensions To Vrrp
Lenovo ENOS Extensions to VRRP This section describes VRRP enhancements that are implemented in Lenovo ENOS. Lenovo ENOS supports a tracking function that dynamically modifies the priority of a VRRP router, based on its current state. The objective of tracking is to have, whenever possible, the master bidding processes for various virtual routers in a LAN converge on the same switch. Tracking ensures that the selected switch is the one that offers optimal network performance. For tracking to have any effect on virtual router operation, preemption must be enabled. Lenovo ENOS can track the attributes listed in Table 31 : Table 31. VRRP Tracking Parameters Parameter Description Number of IP interfaces on the Helps elect the virtual routers with the switch that are active (“up”) most available routes as the master. (An IP interface is considered active when there tracking-priority-increment is at least one active port on the same interfaces VLAN.) This parameter influences the VRRP routerʹs priority in virtual interface routers. Number of active ports on the same Helps elect the virtual routers with the VLAN most available ports as the master. This parameter influences the VRRP routerʹs tracking-priority-increment priority in virtual interface routers. ports Note: In a hot‐standby configuration, only ...
Page 452: Virtual Router Deployment Considerations
Virtual Router Deployment Considerations Assigning VRRP Virtual Router ID During the software upgrade process, VRRP virtual router IDs will be automatically assigned if failover is enabled on the switch. When configuring virtual routers at any point after upgrade, virtual router ID numbers must be assigned. The virtual router ID may be configured as any number between 1 and 255. Use the following commands to configure the virtual router ID: NE2552E(config)# router vrrp NE2552E(config-vrrp)# virtual-router 1 virtual-router-id <1‐255> Configuring the Switch for Tracking Tracking configuration largely depends on user preferences and network environment. Consider the configuration shown in Figure 55 on page 449. Assume the following behavior on the network:  Switch 1 is the master router upon initialization. If switch 1 is the master and it has one fewer active servers than switch 2, then  switch 1 remains the master. This behavior is preferred because running one server down is less disruptive than bringing a new master online and severing all active connections in the process. ...
Page 453: High Availability Configurations
NIC 2: 10.0.2.4/24 L2 Switch VIR 1: 192.168.1.200 (Backup) VIR 2: 192.168.2.200 (Master) Although this example shows only two switches, there is no limit on the number of switches used in a redundant configuration. It is possible to implement an active‐active configuration across all the VRRP‐capable switches in a LAN. Each VRRP‐capable switch in an active‐active configuration is autonomous. Switches in a virtual router need not be identically configured. In the scenario illustrated in Figure 57, traffic destined for IPv4 address 10.0.1.1 is forwarded through the Layer 2 switch at the top of the drawing, and ingresses NE2552E 1 on port EXT1. Return traffic uses default gateway 1 (192.168.1.1). If the link between NE2552E 1 and the Layer 2 switch fails, NE2552E 2 becomes the Master because it has a higher priority. Traffic is forwarded to NE2552E 2, which forwards it to NE2552E 1 through port EXT4. Return traffic uses default gateway 2 (192.168.2.1) and is forwarded through the Layer 2 switch at the bottom of the drawing. To implement the active‐active example, perform the following switch configuration. © Copyright Lenovo 2018 Chapter 32: Virtual Router Redundancy Protocol...
Page 454 Task 1: Configure NE2552E 1 1. Configure client and server interfaces. NE2552E(config)# interface ip 1 NE2552E(config-ip-if)# ip address 192.168.1.100 255.255.255.0 NE2552E(config-ip-if)# vlan 10 NE2552E(config-ip-if)# enable NE2552E(config-ip-if)# exit NE2552E(config)# interface ip 2 NE2552E(config-ip-if)# ip address 192.168.2.101 255.255.255.0 NE2552E(config-ip-if)# vlan 20 NE2552E(config-ip-if)# enable NE2552E(config-ip-if)# exit NE2552E(config)# interface ip 3 NE2552E(config-ip-if)# ip address 10.0.1.100 255.255.255.0 NE2552E(config-ip-if)# enable NE2552E(config-ip-if)# exit...
Page 455 NE2552E(config-ip-if)# ip address 10.0.2.100 255.255.255.0 NE2552E(config-ip-if)# enable NE2552E(config-ip-if)# exit 2. Configure the default gateways. Each default gateway points to a Layer 3 router. NE2552E(config)# ip gateway 1 address 192.168.2.1 NE2552E(config)# ip gateway 1 enable NE2552E(config)# ip gateway 2 address 192.168.1.1 NE2552E(config)# ip gateway 2 enable © Copyright Lenovo 2018 Chapter 32: Virtual Router Redundancy Protocol...
Page 456 3. Turn on VRRP and configure two Virtual Interface Routers. NE2552E(config)# router vrrp NE2552E(config-vrrp)# enable NE2552E(config-vrrp)# virtual-router 1 virtual-router-id 1 NE2552E(config-vrrp)# virtual-router 1 interface 1 NE2552E(config-vrrp)# virtual-router 1 address 192.168.1.200 NE2552E(config-vrrp)# virtual-router 1 enable NE2552E(config-vrrp)# virtual-router 2 virtual-router-id 2 NE2552E(config-vrrp)# virtual-router 2 interface 2 NE2552E(config-vrrp)# virtual-router 2 address 192.168.2.200 NE2552E(config-vrrp)# virtual-router 2 enable 4.
Page 457: Hot-Standby Configuration
Switch 2 NIC 1 IP = 10.0.1.2 Enterprise Server 2 Routing Switch IF 1: 174.14.20.111 IF 2: 10.1.1.111 = Active Links VIR 1: 174.14.20.100 VIR 2: 10.1.1.100 = Standby Links © Copyright Lenovo 2018 Chapter 32: Virtual Router Redundancy Protocol...
Page 458 Task 1: Configure NE2552E 1 1. On NE2552E 1, configure the interfaces for clients (174.14.20.110) and servers (10.1.1.110). NE2552E(config)# interface ip 1 NE2552E(config-ip-if)# ip address 174.14.20.110 (Define IPv4 address for interface 1) NE2552E(config-ip-if)# enable NE2552E(config-ip-if)# exit NE2552E(config)# interface ip 2 NE2552E(config-ip-if)# ip address 10.1.1.110 (Define IPv4 address for interface 2) NE2552E(config-ip-if)# enable NE2552E(config-ip-if)# exit 2. Configure Virtual Interface Routers. NE2552E(config)# router vrrp NE2552E(config-vrrp)# enable NE2552E(config-vrrp)# virtual-router 1 virtual-router-id 1 NE2552E(config-vrrp)# virtual-router 1 interface 1 NE2552E(config-vrrp)# virtual-router 1 address 174.14.20.100 NE2552E(config-vrrp)# virtual-router 1 enable...
Page 459 NE2552E(config-vrrp)# virtual-router 2 enable 3. Enable VRRP Hot Standby. NE2552E(config-vrrp)# hot-standby 4. Configure VRRP Group parameters. Use the default VRRP priority of 100, so that this switch is the Standby. NE2552E(config-vrrp)# group enable (Enable Virtual Router Group) NE2552E(config-vrrp)# group virtual-router-id 1 (Set Virtual Router ID for Group) NE2552E(config-vrrp)# group interface 1 (Set interface for Group) NE2552E(config-vrrp)# group track ports (Enable tracking on ports) 5. Turn off Spanning Tree Protocol globally. . NE2552E(config)# spanning-tree mode disable © Copyright Lenovo 2018 Chapter 32: Virtual Router Redundancy Protocol...
Page 460 NE2552E Application Guide for ENOS 8.4...
Page 462 NE2552E Application Guide for ENOS 8.4...
Page 463: Chapter 33. Link Layer Discovery Protocol
Chapter 33. Link Layer Discovery Protocol The Lenovo ENOS software support Link Layer Discovery Protocol (LLDP). This chapter discusses the use and configuration of LLDP on the switch:  “LLDP Overview” on page 464  “Enabling or Disabling LLDP” on page 465  “LLDP Transmit Features” on page 466  “LLDP Receive Features” on page 471  “LLDP Example Configuration” on page 475 © Copyright Lenovo 2018...
Page 464: Lldp Overview
LLDP Overview Link Layer Discovery Protocol (LLDP) is an IEEE 802.1AB‐2005 standard for discovering and managing network devices. LLDP uses Layer 2 (the data link layer), and allows network management applications to extend their awareness of the network by discovering devices that are direct neighbors of already known devices. With LLDP, the NE2552E can advertise the presence of its ports, their major capabilities, and their current status to other LLDP stations in the same LAN. LLDP transmissions occur on ports at regular intervals or whenever there is a relevant change to their status. The switch can also receive LLDP information advertised from adjacent LLDP‐capable network devices. In addition to discovery of network resources, and notification of network changes, LLDP can help administrators quickly recognize a variety of common network configuration problems, such as unintended VLAN exclusions or mis‐matched port aggregation membership. The LLDP transmit function and receive function can be independently configured on a per‐port basis. The administrator can allow any given port to transmit only, receive only, or both transmit and receive LLDP information. The LLDP information to be distributed by the NE2552E ports, and that which has been collected from other LLDP stations, is stored in the switch’s Management Information Base (MIB). Network Management Systems (NMS) can use Simple Network Management Protocol (SNMP) to access this MIB information. LLDP‐related MIB information is read‐only. Changes, either to the local switch LLDP information or to the remotely received LLDP information, are flagged within the MIB for convenient tracking by SNMP‐based management systems. For LLDP to provide expected benefits, all network devices that support LLDP should be consistent in their LLDP configuration. NE2552E Application Guide for ENOS 8.4...
Page 465: Enabling Or Disabling Lldp
(Do not participate in LLDP) NE2552E(config-if)# no lldp admin-status (Exit port mode) NE2552E(config-if)# exit To view the LLDP transmit and receive status, use the following commands: NE2552E(config)# show lldp port (status of all ports) NE2552E(config)# show interface port <n> lldp (status of selected port) © Copyright Lenovo 2018 Chapter 33: Link Layer Discovery Protocol...
Page 466: Lldp Transmit Features
LLDP Transmit Features Numerous LLDP transmit options are available, including scheduled and minimum transmit interval, expiration on remote systems, SNMP trap notification, and the types of information permitted to be shared. Scheduled Interval The NE2552E can be configured to transmit LLDP information to neighboring devices once each 5 to 32768 seconds. The scheduled interval is global; the same interval value applies to all LLDP transmit‐enabled ports. However, to help balance LLDP transmissions and keep them from being sent simultaneously on all ports, each port maintains its own interval clock, based on its own initialization or reset time. This allows switch‐wide LLDP transmissions to be spread out over time, though individual ports comply with the configured interval. The global transmit interval can be configured using the following command: NE2552E(config)# lldp refresh-interval <interval> where interval is the number of seconds between LLDP transmissions. The range is 5 to 32768. The default is 30 seconds. Minimum Interval In addition to sending LLDP information at scheduled intervals, LLDP information is also sent when the NE2552E detects relevant changes to its configuration or status (such as when ports are enabled or disabled). To prevent the NE2552E from sending multiple LLDP packets in rapid succession when port status is in flux, a transmit delay timer can be configured. The transmit delay timer represents the minimum time permitted between successive LLDP transmissions on a port. Any interval‐driven or change‐driven updates will be consolidated until the configured transmit delay expires. The minimum transmit interval can be configured using the following command: NE2552E(config)# lldp transmission-delay <interval> where interval is the minimum number of seconds permitted between successive LLDP transmissions on any port. The range is 1 to one‐quarter of the scheduled transmit interval (lldp refresh-interval <value>), up to 8192. The default is 2 seconds.
Page 467: Time-To-Live For Transmitted Information
NE2552E(config-if)# [no] lldp trap-notification NE2552E(config-if)# exit In addition to sending LLDP information at scheduled intervals, LLDP information is also sent when the NE2552E detects relevant changes to its configuration or status (such as when ports are enabled or disabled). To prevent the NE2552E from sending multiple trap notifications in rapid succession when port status is in flux, a global trap delay timer can be configured. The trap delay timer represents the minimum time permitted between successive trap notifications on any port. Any interval‐driven or change‐driven trap notices from the port will be consolidated until the configured trap delay expires. The minimum trap notification interval can be configured using the following command: NE2552E(config)# lldp trap-notification-interval <interval> where interval is the minimum number of seconds permitted between successive LLDP transmissions on any port. The range is 1 to 3600. The default is 5 seconds. If SNMP trap notification is enabled, the notification messages can also appear in the system log. This is enabled by default. To change whether the SNMP trap notifications for LLDP events appear in the system log, use the following commands: NE2552E(config)# [no] logging log lldp © Copyright Lenovo 2018 Chapter 33: Link Layer Discovery Protocol...
Page 468: Changing The Lldp Transmit State
Changing the LLDP Transmit State When the port is disabled, or when LLDP transmit is turned off for the port using the admstat command’s rx_only or disabled options (see “Transmit and Receive Control” on page 465), a final LLDP packet is transmitted with a time‐to‐live value of 0. Neighbors that receive this packet will remove the LLDP information associated with the NE2552E port from their MIB. In addition, if LLDP is fully disabled on a port (using admstat disabled) and later re‐enabled, the NE2552E will temporarily delay resuming LLDP transmissions on the port in order to allow the port LLDP information to stabilize. The reinitialization delay interval can be globally configured for all ports using the following command: NE2552E(config)# lldp reinit-delay <interval> where interval is the number of seconds to wait before resuming LLDP transmissions. The range is between 1 and 10. The default is 2 seconds. NE2552E Application Guide for ENOS 8.4...
Page 469: Types Of Information Transmitted
Disabled portprot IEEE 802.1 Port and Protocol VLAN ID Disabled vlanname IEEE 802.1 VLAN Name Disabled protid IEEE 802.1 Protocol Identity Disabled macphy IEEE 802.3 MAC/PHY Disabled Configuration/Status, including the auto‐negotiation, duplex, and speed status of the port. powermdi IEEE 802.3 Power via MDI, indicating the Disabled capabilities and status of devices that require or provide power over twisted‐pair copper links. linkaggr IEEE 802.3 Link Aggregation status for Disabled the port. framesz IEEE 802.3 Maximum Frame Size for the Disabled port. © Copyright Lenovo 2018 Chapter 33: Link Layer Discovery Protocol...
Page 470 Table 32. LLDP Optional Information Types (continued) Type Description Default dcbx Data Center Bridging Capability Enabled Exchange Protocol (DCBX) for the port. Select all optional LLDP information for Disabled inclusion or exclusion. NE2552E Application Guide for ENOS 8.4...
Page 471: Lldp Receive Features
System Description  System Capabilities Supported/Enabled  Remote Management Address The NE2552E stores the collected LLDP information in the MIB. Each remote LLDP‐capable device is responsible for transmitting regular LLDP updates. If the received updates contain LLDP information changes (to port state, configuration, LLDP MIB structures, deletion), the switch will set a change flag within the MIB for convenient notification to SNMP‐based management systems. Viewing Remote Device Information LLDP information collected from neighboring systems can be viewed in numerous ways:  Using a centrally‐connected LLDP analysis server  Using an SNMP agent to examine the NE2552E MIB  Using the NE2552E Browser‐Based Interface (BBI)  Using CLI or isCLI commands on the NE2552E Using the isCLI the following command displays remote LLDP information: NE2552E(config)# show lldp remote-device [<index number>] © Copyright Lenovo 2018 Chapter 33: Link Layer Discovery Protocol...
Page 472 Port Id : 23 Port Description : EXT7 System Name System Description : Lenovo ThinkSystem NE2552E Flex Switch, Lenovo ENOS: version 8.4, boot image: version 6.9.1.14 System Capabilities Supported : bridge, router System Capabilities Enabled : bridge, router Remote Management Address:...
Page 473 : 56 Port Description : EXT14 System Name : CFC System Description : Lenovo Flex System CN4093 10Gb Converged Scalable Switch, Lenovo Networking OS: version 7.8.0.48, Boot image: version 7.8.0.48 System Capabilities Supported : bridge, router System Capabilities Enabled : bridge, router...
Page 474: Time-To-Live For Received Information
Time-to-Live for Received Information Each remote device LLDP packet includes an expiration time. If the switch port does not receive an LLDP update from the remote device before the time‐to‐live clock expires, the switch will consider the remote information to be invalid, and will remove all associated information from the MIB. Remote devices can also intentionally set their LLDP time‐to‐live to 0, indicating to the switch that the LLDP information is invalid and should be immediately removed. NE2552E Application Guide for ENOS 8.4...
Page 475: Lldp Example Configuration
(Transmit all optional information) NE2552E(config-if)# exit 4. Enable syslog reporting. NE2552E(config)# logging log lldp 5. Verify the configuration settings: NE2552E(config)# show lldp 6. View remote device information as needed. NE2552E(config)# show lldp remote-device NE2552E(config)# show lldp remote-device <index number> NE2552E(config)# show lldp remote-devices detail © Copyright Lenovo 2018 Chapter 33: Link Layer Discovery Protocol...
Page 476 NE2552E Application Guide for ENOS 8.4...
Page 477: Chapter 34. Simple Network Management Protocol
Chapter 34. Simple Network Management Protocol Lenovo ENOS provides Simple Network Management Protocol (SNMP) version 1, version 2, and version 3 support for access through any network management software, such as Lenovo Director. © Copyright Lenovo 2018...
Page 478: Snmp Version 1
SNMP Version 1 To access the SNMP agent on the NE2552E, the read and write community strings on the SNMP manager should be configured to match those on the switch. The read and write community strings on the switch can be changed using the following commands: NE2552E(config)# snmp-server read-community <1‐32 characters> ‐and‐ NE2552E(config)# snmp-server write-community <1‐32 characters> The SNMP manager should be able to reach the management interface or any one of the IP interfaces on the switch. For the SNMP manager to receive the SNMPv1 traps sent out by the SNMP agent on the switch, configure the trap host on the switch with the following command: NE2552E(config)# snmp-server trap-source <trap source IP interface> NE2552E(config)# snmp-server host <IPv4 address> <trap host community string> Note: You can use a loopback interface to set the source IP address for SNMP traps. Use the following command to apply a configured loopback interface: snmp-server trap-source loopback NE2552E(config)# <1‐5> NE2552E Application Guide for ENOS 8.4...
Page 479: Snmp Version 3
Default Configuration Lenovo ENOS has SNMPv3 disabled by default. If a user‐created SNMPv3 user is found on the system, SNMPv3 is enabled for backwards compatibility. Up to 17 SNMP users can be configured on the switch. To modify an SNMP user, enter the following commands: NE2552E(config)# snmp-server user <1‐17> name <1‐32 characters> Users can be configured to use the authentication/privacy options. The NE2552E support two authentication algorithms: MD5 and SHA, as specified in the following command: NE2552E(config)# snmp-server user <1‐17> authentication-protocol {md5|sha authentication-password ‐or‐ NE2552E(config)# snmp-server user <1‐17> authentication-protocol none © Copyright Lenovo 2018 Chapter 34: Simple Network Management Protocol...
Page 480: User Configuration Example
User Configuration Example 1. To configure a user with name “admin,” authentication type MD5, and authentication password of “admin,” privacy option DES with privacy password of “admin,” use the following ISCLI commands. NE2552E(config)# snmp-server user 5 name admin NE2552E(config)# snmp-server user 5 authentication-protocol md5 authentication-password Changing authentication password; validation required: Enter current admin password: <admin. password> Enter new authentication password: <auth. password> Re-enter new authentication password: <auth. password> New authentication password accepted.
Page 481: View-Based Configurations
NE2552E(config)# snmp-server view 9 tree 1.3.6.1.4.1.1872.2.5.2.3 (L3 statistics) NE2552E(config)# snmp-server view 10 name usr NE2552E(config)# snmp-server view 10 tree 1.3.6.1.4.1.1872.2.5.2.3 (L3 information) NE2552E(config)# snmp-server view 11 name usr NE2552E(config)# snmp-server view 11 tree 1.3.6.1.4.1.1872.2.5.3.3 © Copyright Lenovo 2018 Chapter 34: Simple Network Management Protocol...
Page 482  Switch Oper equivalent (Configure the user) NE2552E(config)# snmp-server user 5 name usr (Configure access group 3) NE2552E(config)# snmp-server access 4 name opergrp NE2552E(config)# snmp-server access 4 read-view oper NE2552E(config)# snmp-server access 4 write-view oper NE2552E(config)# snmp-server access 4 notify-view oper (Assign oper to access group 4) NE2552E(config)# snmp-server group 4 user-name oper NE2552E(config)# snmp-server group 4 group-name opergrp (Create views for oper) NE2552E(config)# snmp-server view 20 name oper...
Page 483: Secure Audit Logging
Networking OS uses SNMPv3 authorization to forward the logs securely to the management tool via the chassis management module (CMM). The switch supports both retrieving the logs via SNMP ʹGetʹ requests and the forwarding of event logs via SNMP traps. Supported management tools are xHMC and other (security and information event management) SIEM tools like Qradar. Security audit logging refers to the following event types: NTP Server/DHCP server configuration changes   Switch management IP address changes  OSPF/BGP/RIP authentication changes  Software Resource alert :ARP Table/IP table/Route table/OSPF table full  L3 Link down/up Note: Audit logging is enabled by default and cannot be disabled. The audit logs are accessed remotely via SNMPv3 hosts. Use the following commands to locally manage the logs: NE2552E(config)# show sal reverse (Display most recent logs first) NE2552E(config)# clear sal (Clear audit logs) © Copyright Lenovo 2018 Chapter 34: Simple Network Management Protocol...
Page 484: Configuring Snmp Trap Hosts
NE2552E(config)# snmp-server target-address 10 parameters-name v1param NE2552E(config)# snmp-server target-address 10 taglist v1param NE2552E(config)# snmp-server target-parameters 10 name v1param NE2552E(config)# snmp-server target-parameters 10 user-name v1only NE2552E(config)# snmp-server target-parameters 10 message snmpv1 Note: Lenovo ENOS 8.4 supports only IPv4 addresses for SNMP trap hosts. 5. Use the community table to specify which community string is used in the trap. NE2552E(config)# snmp-server community 10(Define the community string) index v1trap name public user-name v1trap NE2552E Application Guide for ENOS 8.4...
Page 485: Snmpv2 Trap Host Configuration
NE2552E(config)# snmp-server target-parameters 10 message snmpv2c NE2552E(config)# snmp-server target-parameters 10 user-name v2trap NE2552E(config)# snmp-server target-parameters 10 security snmpv2 NE2552E(config)# snmp-server community 10 index v2trap NE2552E(config)# snmp-server community 10 user-name v2trap Note: Lenovo ENOS 8.4 supports only IPv4 addresses for SNMPv1 and SNMP v2 trap hosts. © Copyright Lenovo 2018 Chapter 34: Simple Network Management Protocol...
Page 486: Snmpv3 Trap Host Configuration
SNMPv3 Trap Host Configuration To configure a user for SNMPv3 traps, you can choose to send the traps with both privacy and authentication, with authentication only, or without privacy or authentication. This is configured in the access table using the following commands: NE2552E(config)# snmp-server access <1‐32> level NE2552E(config)# snmp-server target-parameters <1‐16> Configure the user in the user table accordingly. It is not necessary to configure the community table for SNMPv3 traps because the community string is not used by SNMPv3. The following example shows how to configure a SNMPv3 user v3trap with authentication only: NE2552E(config)# snmp-server user 11 name v3trap NE2552E(config)# snmp-server user 11 authentication-protocol md5 authentication-password Changing authentication password; validation required: Enter current admin password: <admin. password>...
Page 487: Snmp Mibs
 rfc2037.mib  rfc2233.mib  rfc2465.mib  rfc2571.mib  rfc2572.mib  rfc2573.mib  rfc2574.mib  rfc2575.mib  rfc2576.mib  rfc3176.mib  The Lenovo ENOS SNMP agent supports the following generic traps as defined in RFC 1215:  ColdStart  WarmStart  LinkDown © Copyright Lenovo 2018 Chapter 34: Simple Network Management Protocol...
Page 488  LinkUp  AuthenticationFailure The SNMP agent also supports two Spanning Tree traps as defined in RFC 1493:  NewRoot  TopologyChange The following are the enterprise SNMP traps supported in Lenovo ENOS: Table 33. Lenovo ENOS‐Supported Enterprise SNMP Traps Trap Name Description altSwLoginFailure Signifies that someone failed to enter a valid username/password combination. altSwTrapDisplayString specifies whether the login attempt was from CONSOLE or TELNET. In case of TELNET login it also specifies the IP address of the host from which the attempt was made. altSwValidLogin Signifies that a user login has occurred. altSwApplyComplete Signifies that new configuration has been applied. altSwSaveComplete Signifies that new configuration has been saved. altSwFwDownloadSucess Signifies that firmware has been downloaded to [image1|image2|boot image].
Page 489 Signifies that there are no active interfaces. altSwStgBlockingState Signifies port state has changed to blocking state. altSwTeamingCtrlUp Signifies that the teaming is up. altSwTeamingCtrlDown Signifies that the teaming control is down. altSwTeamingCtrlDownTearDown Signifies that the teaming control is Blked down but teardown is blocked. altSwTeamingCtrlError Signifies error, action is undefined. altSwLACPPortBlocked Signifies that LACP is operationally down on a port, and traffic is blocked on the port. altSwLACPPortUnblocked Signifies that LACP is operationally up on a port, and traffic is no longer blocked on the port. altSwLFDPortErrdisabled Signifies that a port is error‐disabled due to excessive link flaps. © Copyright Lenovo 2018 Chapter 34: Simple Network Management Protocol...
Page 490 Table 33. Lenovo ENOS‐Supported Enterprise SNMP Traps (continued) Trap Name Description altSwVlagInstanceUp Signifies that VLAG instance is up identified in the trap message. altSwVlagInstanceRemoteUp Signifies that VLAG is down but instance on the remote instance is altSwVlagInstanceLocalUp Signifies that VLAG is down but local instance is up. altSwVlagInstanceDown Signifies that VLAG instance is down identified in the trap message. altSwVlagIslUp Signifies that connection between VLAG switches is up. altSwVlagIslDown Signifies that connection between VLAG switches is down. altSwDefGwUp Signifies that the default gateway is alive. ipCurCfgGwIndex is the index of the Gateway in ipCurCfgGwTable. The range for ipCurCfgGwIndex is from 1 to ipGatewayTableMax. ipCurCfgGwAddr is the IP address of the default gateway. altSwDefGwDown Signifies that the default gateway is down. ipCurCfgGwIndex is the index of the Gateway in ipCurCfgGwTable. The range for ...
Page 491 Indicates that the sending agent has transitioned to “Backup” state. vrrpCurCfgVirtRtrIndx is the VRRP virtual router table index referenced in vrrpCurCfgVirtRtrTable. The range is from 1 to vrrpVirtRtrTableMaxSize. vrrpCurCfgVirtRtrAddr is the VRRP virtual router IP address. altSwVrrpAuthFailure Signifies that a packet has been received from a router whose authentication key or authentication type conflicts with this routerʹs authentication key or authentication type. Implementation of this trap is optional. vrrpCurCfgIfIndx is the VRRP interface index. This is equivalent to ifIndex in RFC 1213 mib. The range is from 1 to vrrpIfTableMaxSize. vrrpCurCfgIfPasswd is the password for authentication. It is a DisplayString of 0 to 7 characters. altSwNtpNotServer Signifies that the primary or secondary NTP server cannot be reached. © Copyright Lenovo 2018 Chapter 34: Simple Network Management Protocol...
Page 492 Table 33. Lenovo ENOS‐Supported Enterprise SNMP Traps (continued) Trap Name Description altSwNTPUpdateClock Signifies that the system clock is updated with NTP server. altSwECMPGatewayUp Signifies that the ECMP gateway is altSwECMPGatewayDown Signifies that the ECMP gateway is down. altSwOspfRouteUpdated Signifies that an OSPF route update message was received. altSwTempExceedThreshold Signifies that the switch temperature has exceeded maximum safety limits. altSwTempReturnThreshold Signifies that the switch temperature has returned to under maximum safety limits. altSwStackSwitchAttached Signifies that a new switch has attached to the stack. altSwStackSwitchDettached Signifies that a new switch has detached from the stack. altSwStackBackupPresent Signifies that a new backup has been set. altSwStackBackupGone Signifies that the backup switch has been made unavailable. altSwStackMasterAfterInit Signifies that the switch has become ...
Page 493 Signifies that the version of the boot image of a newly attached switch does not match that of the master. altSwStackBootCfgMismatch Signifies that the booted config of a newly attached switch does not match that of the master. altSwStackNvramMasterJoin Signifies that a switch which was configured as a master in NVRAM has attached to the stack. altSwStackForceDetach Signifies that the master has sent a FORCE DETACH message to a member. altVMGroupVMotion Signifies that a virtual machine has moved from a port to another. altVMGroupVMOnline Signifies that an advance provisioned virtual machine has came online. altVMGroupVMVlanChange Signifies that a virtual machine has entered a VLAN, or changed the VLAN. vmCheckSpoofedvm Signifies that a spoofed VM MAC was found. © Copyright Lenovo 2018 Chapter 34: Simple Network Management Protocol...
Page 494: Switch Images And Configuration Files
Switch Images and Configuration Files This section describes how to use MIB calls to work with switch images and configuration files. You can use a standard SNMP tool to perform the actions, using the MIBs listed in Table 34. Table 34. lists the MIBS used to perform operations associated with the Switch Image and Configuration files. Table 34. MIBs for Switch Image and Configuration Files MIB Name MIB OID agTransferServer 1.3.6.1.4.1872.2.5.1.1.7.1.0 agTransferImage 1.3.6.1.4.1872.2.5.1.1.7.2.0 agTransferImageFileName 1.3.6.1.4.1872.2.5.1.1.7.3.0 agTransferCfgFileName 1.3.6.1.4.1872.2.5.1.1.7.4.0 agTransferDumpFileName 1.3.6.1.4.1872.2.5.1.1.7.5.0 agTransferAction 1.3.6.1.4.1872.2.5.1.1.7.6.0 agTransferLastActionStatus 1.3.6.1.4.1872.2.5.1.1.7.7.0 agTransferUserName 1.3.6.1.4.1872.2.5.1.1.7.9.0 agTransferPassword 1.3.6.1.4.1.1872.2.5.1.1.7.10.0 agTransferTSDumpFileName 1.3.6.1.4.1.1872.2.5.1.1.7.11.0 The following SNMP actions can be performed using the MIBs listed in Table 34.
Page 495: Loading A New Switch Image
Loading a Saved Switch Configuration To load a saved switch configuration with the name “MyRunningConfig.cfg” into the switch, follow the steps below. This example shows a TFTP server at IPv4 address 192.168.10.10, though IPv6 is also supported. 1. Set the FTP/TFTP/SFTP server address where the switch Configuration File resides: Set agTransferServer.0 "192.168.10.10" 2. Set the name of the configuration file: Set agTransferCfgFileName.0 "MyRunningConfig.cfg" 3. If you are using an SFTP/FTP server, enter a username: Set agTransferUserName.0 "MyName" 4. If you are using an SFTP/FTP server, enter a password: Set agTransferPassword.0 "MyPassword" 5. Initiate the transfer. To restore a running configuration, enter 3: Set agTransferAction.0 "3" © Copyright Lenovo 2018 Chapter 34: Simple Network Management Protocol...
Page 496: Saving The Switch Configuration
Saving the Switch Configuration To save the switch configuration to a FTP/TFTP/SFTP server follow the steps below. This example shows a FTP/TFTP/SFTP server at IPv4 address 192.168.10.10, though IPv6 is also supported. 1. Set the FTP/TFTP/SFTP server address where the configuration file is saved: Set agTransferServer.0 "192.168.10.10" 2. Set the name of the configuration file: Set agTransferCfgFileName.0 "MyRunningConfig.cfg" 3. If you are using an SFTP/FTP server, enter a username: Set agTransferUserName.0 "MyName" 4. If you are using an SFTP/FTP server, enter a password: Set agTransferPassword.0 "MyPassword" 5. Initiate the transfer. To save a running configuration file, enter 4: Set agTransferAction.0 "4" Saving a Switch Dump To save a switch dump to a FTP/TFTP/SFTP server, follow the steps below. This example shows an FTP/TFTP/SFTP server at 192.168.10.10, though IPv6 is also supported. 1. Set the FTP/TFTP/SFTP server address where the configuration will be saved: Set agTransferServer.0 "192.168.10.10"...
Page 497: Chapter 35. Service Location Protocol
 Service Agent (SA) provides service registration and service advertisement. Note: In this release, SA supports UA/DA on Linux with SLPv2 support.  Directory Agent (DA) collects service information from Service Agents to provide a repository of service information in order to centralize it for efficient access by User Agents. There can only be one Directory Agent present per given host. The Directory Agent acts as an intermediate tier in the SLP architecture, placed between the User Agents and the Service Agents, so they communicate only with the Directory Agent instead of with each other. This eliminates a large portion of the multicast request or reply traffic on the network, and it protects the Service Agents from being overwhelmed by too many service requests. Services are described by the configuration of attributes associated with a type of service. A User Agent can select an appropriate service by specifying the attributes that it needs in a service request message. When service replies are returned, they contain a Uniform Resource Locator (URL) pointing to the service desired, and other information, such as server load, needed by the User Agent. For more details on SLP configuration, see the Lenovo ThinkSystem NE2552E Flex Switch Command Reference for Lenovo ENOS 8.4. Active DA Discovery When a Service Agent or User Agent initializes, it can perform Active Directory Agent Discovery using a multicast service request and specifies the special, reserved service type (service:directory-agent). Active DA Discovery is achieved through the same mechanism as any other discovery using SLP. The Directory Agent replies with unicast service replies, which provides the URLs and attributes of the requested service. © Copyright Lenovo 2018 Chapter 35: Service Location Protocol...
Page 498 NE2552E Application Guide for ENOS 8.4...
Page 499: Chapter 36. Netconf
Chapter 36. NETCONF The Network Configuration Protocol (NETCONF) provides a mechanism to manage the NE2552E, retrieve or modify existing configuration data, and upload new configuration data. See RFC 4741 for details on NETCONF. NETCONF operates in a client/server model. The NETCONF client establishes a session with the switch (acting as a NETCONF server) using a Remote Procedure Call (RPC). NETCONF is based on the Extensible Markup Language (XML) for encoding data and for exchanging configuration and protocol messages. The following topics are discussed in this section: “NETCONF Overview” on page 500   “XML Requirements” on page 501 “Installing the NETCONF Client” on page 502   “Using Juniper Perl Client” on page 504 “Establishing a NETCONF Session” on page 505   “NETCONF Operations” on page 507 “Protocol Operations Examples” on page 508  © Copyright Lenovo 2018...
Page 500: Netconf Overview
NETCONF Overview NETCONF provides a method to quickly configure the switch. It also allows you to implement a configuration across multiple switches, thereby saving time and reducing the chances of configuration errors. The NETCONF protocol defines basic operations that are equivalent to the switch ISCLI commands. Note: The current implementation of NETCONF supports only ISCLI commands. NETCONF is a connection‐oriented protocol. See Figure 59 for an overview of NETCONF operation. Figure 59. NETCONF Operations Procedure <hello> <capabilities/> </hello> <hello> <capabilities/> </hello> <rpc> <operation/> </rpc> <rpc-reply> <operation-response/> NETCONF NETCONF </rpc-reply> Client Server <rpc> <close-session/> </rpc> <rpc-reply> <ok/> </rpc-reply> Session • Session-ID Connection Transport Layer Transport Layer...
Page 501: Xml Requirements
XML Requirements XML is the encoding format used within NETCONF. When using XML for NETCONF:  All NETCONF protocol elements are defined in the following namespace: urn:ietf:params:xml:ns:netconf:base:1.0 NETCONF capability names must be Uniform Resource Identifiers (URIs):  urn:ietf:params:netconf:capability:{name}:1.0 where {name} is the name of the capability.  Document type declarations must not appear in the NETCONF content.  For Secure Shell (SSH), you must use a special message termination sequence of six characters to provide message framing: ]]>]]> © Copyright Lenovo 2018 Chapter 36: NETCONF...
Page 502: Installing The Netconf Client
Installing the NETCONF Client You can download the required NETCONF Client installation files from www.lenovo.com. Select Support & downloads > Fixes, updates and drivers. Follow instructions on the Lenovo Support Portal page to find the files. Before installing the NETCONF client, ensure you have completed the following tasks: Install a supported version of Python (Python 2.6 or higher, up to but not  including Python 3.0) in the folder C:\.  Install the PyCrypto application appropriate to the Python version you are using. Note: The following steps are for the Windows operating systems. Follow these steps to install the Blade NETCONF Python Client (BNClient): 1. Extract the file blade-netconf-python-client-v0.1.zip to the following folder: C:\ You will see two folders under the root folder C:\blade-netconf-python-client-v0.1: blade-netconf-python-client  python-ssh-library  Note: Ensure you see Paramiko version 1.7.4 or higher in the folder C:\blade-netconf-python-client-v0.1\python-ssh-library\ 2. Open the command prompt (Select Start > Run > cmd).
Page 503 • Using SSH to connect to port 22: python C:\blade-netconf-python-client-v0.1\blade-netconf-python- client\bnclient\bnclient.py {switch IP address}:22 –u admin –p admin –o get As a python library: a. Open the file C:\blade-netconf-python-client-v0.1\blade-netconf- python-client\example\get.py in a Python editor (For example, IDLE). b. Change the IP address in the hostname field to the switch IP address, and save the file. c. Enter the following command to establish a session: python C:\blade-netconf-python-client-v0.1\blade-netconf-python- client\setup.py install d. Enter the following command to get the running configuration: python C:\blade-netconf-python-client-v0.1\blade-netconf-python- client\example\get.py Note: get.py is an example of a NETCONF operation python script. You can edit the script or write a new script as per your requirements. © Copyright Lenovo 2018 Chapter 36: NETCONF...
Page 504: Using Juniper Perl Client
Using Juniper Perl Client You can use Juniper Perl client instead of BNClient to communicate with the NETCONF feature on the switch. Follow these steps to use the Juniper Perl client. Note: You must use the Linux operating system for the Juniper Perl client. 1. Extract the file juniper-netconf-perl-client.zip to the folder /home/user/. You will see two folders: juniper-netconf-perl-client  blade-netconf-perl-scripts  2. Follow these steps to install the Juniper Perl client: As a Perl library: a. Change to the following directory: /home/user/juniper-netconf-perl-client b. Extract the following file: netconf-perl-10.0R2.10.tar.gz c. Change to the following directory: /home/user/juniper-netconf-perl-client/netconf-perl-10.0R 2.10 d. Install the client as per the instructions in the README file. Note: If the prerequisites package installation fails, manually install each file in /home/user/juniper-netconf-perl-client\netconf-perl-prereqs- patch. As a Perl script: a. Change to the following directory: /home/user/blade-netconf-perl-scripts/ b. Enter the following command: perl get/get.pl -l admin -p admin {swich IP address} Note: get.pl is an example of a NETCONF operation Perl script. You can edit the ...
Page 505: Establishing A Netconf Session
Linux Shell. Note: You can open a maximum of four simultaneous sessions. 1. Enter the following command to open an SSH connection: ssh admin@{switch IP address} -p 830 -s netconf 2. Type or paste the following hello message: <hello> <capabilities> <capability>urn:ietf:params:netconf:base:1.0</capability> </capabilities> </hello> ]]>]]> The switch returns a hello message: <hello xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <capabilities> <capability>urn:ietf:params:netconf:base:1.0</capability> <capability>urn:ietf:params:netconf:capability:writable-running:1.0</ca pability> <capability>urn:ietf:params:netconf:capability:rollback-on-error:1.0</c apability> <capability>urn:ietf:params:netconf:capability:startup:1.0</capability> </capabilities> <session-id>102</session-id> </hello> ]]>]]> © Copyright Lenovo 2018 Chapter 36: NETCONF...
Page 506 </rpc> ]]>]]> The switch sends an rpc-reply message: <rpc-reply message-id=“100”> <data> <configuration-text xmlns=“http://www.lenovo.com/netconf/1.0/config-text”> version “6.9.1” switch-type “Lenovo Networking Operating System Lenovo ThinkSystem NE2552E Flex Switch” no system dhcp mgta interface ip 127 ip address 172.31.36.51 enable exit ip gateway 3 address 172.31.1.1 ip gateway 3 enable </configuration-text>...
Page 507: Netconf Operations
Operation Description get-config Retrieve all or part of the running or startup configuration. edit-config Load all or part of a specified configuration to the running or startup configuration. copy-config Replace the target running or startup configuration with a source running or startup configuration. delete-config Delete startup configuration. lock Lock the running configuration to prevent other users (via another NETCONF session) from changing it. unlock Release a locked running configuration. Retrieve running configuration and device state information. close-session Request graceful termination of a NETCONF session. kill-session Force the termination of a NETCONF session. get-configuration Retrieve configuration data from the switch. get-interface-information Retrieve interface status information. © Copyright Lenovo 2018 Chapter 36: NETCONF...
Page 508: Protocol Operations Examples
Protocol Operations Examples Following are examples of the NETCONF protocol operations supported by the NE2552E. <get-config> Usage: <rpc message-id=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <get-config> <source> <running/> </source> <filter type=“subtree”> <configuration-text xmlns=“http://www.lenovo.com/netconf/1.0/config-text”/> </filter> </get-config> </rpc> Response from the switch: <rpc-reply message-id=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <data> <configuration-text xmlns=“http://www.lenovo.com/netconf/1.0/config-text”>  </configuration-text> </data> </rpc-reply> See Table 36 for the tag elements and their values. Table 36. get-config Tag Element Values...
Page 509: Edit-Config
<edit-config> Usage: <rpc message-id=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <edit-config> <target> <running/> </target> <default-operation> <merge/> </default-operation> <error-option> <stop-on-error/> </error-option> <config-text xmlns=“http://www.lenovo.com/netconf/1.0/config-text”> <configuration-text>hostname Router</configuration-text> </config-text> </edit-config> </rpc> Response from the switch: <rpc-reply message-id=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <ok/> </rpc-reply> © Copyright Lenovo 2018 Chapter 36: NETCONF...
Page 510 See Table 37 for the tag elements and their values. Table 37. edit-config Tag Element Values Tag Element Description Value target running/ or startup/ The configuration you want to edit. default-operation Set the default merge: The new  operation for the configuration is merged edit-config request. with the target configuration at the corresponding level. replace: The new  configuration replaces the target configuration. none: The target  configuration does not change unless the configuration data in the configuration-text parameter uses the operation attribute to request a different operation. error-option stop-on-error: Abort Set the option to handle ...
Page 511: Copy-Config
<rpc message-id=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <copy-config> <target> <startup/> </target> <source> <running/> </source> </copy-config> </rpc> Response from the switch: <rpc-reply message-id=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <ok/> </rpc-reply> See Table 38 for the tag elements and their values. Table 38. copy-config Tag Element Values Tag Element Description Value target Configuration that needs to be changed. running/ or startup/ source running/ or Source configuration. startup/ © Copyright Lenovo 2018 Chapter 36: NETCONF...
Page 512: Delete-Config
<delete-config> Usage: <rpc message-id=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <delete-config> <target> <startup/> </target> </delete-config> </rpc> Response from the switch: <rpc-reply message-id=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <ok/> </rpc-reply> See Table 39 for the tag elements and their values. Table 39. delete-config Tag Element Values Tag Element Description Value target startup/ Configuration that needs to be deleted. <lock> Usage: <rpc message-id=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <lock> <target> <running/> </target> </lock> </rpc> Response from the switch: <rpc-reply message-id=“101”...
Page 513: Unlock
<unlock> Usage: <rpc message-id=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <unlock> <target> <running/> </target> </unlock> </rpc> Response from the switch: <rpc-reply message-id=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <ok/> </rpc-reply> See Table 41 for the tag elements and their values. Table 41. unlock Tag Element Values Tag Element Description Value target running/ Configuration being edited. © Copyright Lenovo 2018 Chapter 36: NETCONF...
Page 514: Get
<get> Usage: <rpc message-id=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <get> <filter type=“subtree”>  <configuration-text xmlns=“http://www.lenovo.com/netconf/1.0/config-text”/> </filter> </get> </rpc> Response from the switch: <rpc-reply message-id=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <data> <configuration-text xmlns=“http://www.lenovo.com/netconf/1.0/config-text”>  </configuration -text> </data> </rpc-reply> See Table 42 for the tag elements and their values. Table 42.
Page 515: Close-Session
<close-session/> </rpc> Response from the switch: <rpc-reply message-id=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <ok/> </rpc-reply> <kill-session> Usage: <rpc message-id=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <kill-session> <session-id>4</session-id> </kill-session> </rpc> Response from the switch: <rpc-reply message-id=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <ok/> </rpc-reply> See Table 43 for the tag elements and their values. Table 43. kill-session Tag Element Values Tag Element Description session-id ID number of the session to be killed © Copyright Lenovo 2018 Chapter 36: NETCONF...
Page 516: Get-Configuration
<get-configuration> Usage: <rpc message-id=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <get-configuration database=“commited” format=“text”/> </rpc> Response from the switch: <rpc-reply message-id=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <data> <configuration-text xmlns=“http://www.lenovo.com/netconf/1.0/config-text”>  </configuration -text> </data> </rpc-reply> See Table 44 for the tag elements and their values. Table 44. get-configuration Tag Element Values Tag Element Description Attributes get-configuratio database ‐ supports only Retrieve the configuration. committed format ‐ supports only text NE2552E Application Guide for ENOS 8.4...
Page 517: Get-Interface-Information
<rpc-reply message-id=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <interface-information> <physical-interface> <name></name> <admin-status></admin-status> <oper-status></oper-status> <local-index></local-index> <if-type></if-type> <link-level-type></link-level-type> <mtu></mtu> <speed></speed> <link-type></link-type> <traffic-statistics> <input-bytes></input-bytes> <output-bytes></output-bytes> <input-packets></input-packets> <output-packets></output-packets> </traffic-statistics> <input-error-list> <input-errors></input-errors> <framing-errors></framing-errors> <input-giants></input-giants> <input-discards></input-discards> </input-error-list> <output-error-list> <output-collisions></output-collisions> <output-errors></output-errors> <output-drops></output-drops> </output-error-list> </physical-interface> </interface-information> </rpc-reply> © Copyright Lenovo 2018 Chapter 36: NETCONF...
Page 518  IP detail information <rpc-reply message-id=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <interface-information> <physical-interface> <logical-interface> <name></name> <local-index></local-index> <address-family> <address-family-name></address-family-name> <mtu></mtu> <interface-address> <ifa-destination></ifa-destination> <ifa-local></ifa-local> <ifa-broadcast></ifa-broadcast> </interface-address> </address-family> </logical-interface> </physical-interface> </interface-information> </rpc-reply> See Table 45 for the tag elements and their values. Table 45. get-interface-information Tag Element Values Tag Element Description interface-name Interface name or number. You can use the tags brief/ or detail/ to specify the amount of information you need. name Name of the port or IP interface. admin-status Administration status of port interface; shutdown or no shutdown. oper-status Operational status of port interface; link‐up or ...
Page 519 Table 45. get-interface-information Tag Element Values Tag Element Description input-errors Sum of discarded frames and FCS Errors framing-errors Number of failed frames received. input-giants Number of frames that are too long. input-discards Number of frames in discarding state. output-collisions Number of Ethernet collisions. output-errors Sum of the outgoing frame aborts and FCS errors. output-drops Number of frames dropped. address-family-name inet ifa-destination Protocol network address of the interface. ifa-local Protocol host address on the interface. ifa-broadcast Network broadcast address. © Copyright Lenovo 2018 Chapter 36: NETCONF...
Page 520 NE2552E Application Guide for ENOS 8.4...
Page 521: Chapter 37. Secure Input/Output Module
Chapter 37. Secure Input/Output Module The Secure Input/Output Module (SIOM) enables you to determine which protocols can be enabled. The SIOM only allows secured traffic and secured authentication management. The following topics are discussed in this chapter: “SIOM Overview” on page 522   “Creating a Policy Setting” on page 525 “Managing User Accounts” on page 528   “Implementing Secure LDAP (LDAPS)” on page 530 “SIOM Dependencies” on page 533  © Copyright Lenovo 2018...
Page 522: Siom Overview
SIOM Overview In networking solutions, a new approach about adopting a security level on Input/Output modules has been developed. This security level encompasses secured authentication management and only allows secure traffic and protocols. IOMs can be classified into two security categories: Legacy Input/Output Modules (LIOMs)  LIOMs are not capable of provisioning any security policy setting. All IOMs developed before the SIOM feature was introduced are of type LIOM. Secure Input/Output Modules (SIOMs)  SIOMs have security characteristics that allow them to integrate the network assigned security policy. For IOM to be in SIOM mode, both the IOM and the CMM (Chassis Management Module) containing it must be running SIOM‐capable software, and the IOM must have SIOM enabled. In all other cases, the IOM operates in LIOM mode. When the IOM is in SIOM mode, the security characteristics configured on the CMM are sent to the IOM. These characteristics can be divided into the following categories:  Policy setting  User Account Management  Secure LDAP (LDAPS) authentication To see whether SIOM is enabled on the IOM, use the following command: NE2552E(config)# show boot siom Current SIOM setting: disabled Saved SIOM setting: disabled This shows both the current SIOM setting and the saved setting that will be applied after reboot.
Page 523: Switch Access In Siom Mode
Switch Access in SIOM Mode After the embedded switch is provisioned by the CMM in the SIOM mode, the switch will automatically update its LDAP settings (startTLS, LDAPS or LDAP) to the ones configured on the CMM. When no external LDAP server is configured on the CMM, CMM itself will serve as the local LDAP server. The LDAP client configured on the CMM is pushed onto the switch and the LDAP credentials used to access the CMM can also be used to access the switch. To access the switch, you may now use one of the following methods:  The CMM credentials  Other user credentials which depend on the SIOM security policy setting, as follows: In legacy mode, if RADIUS or TACACS+ is enabled, they will replace LDAP  as the authentication method. If LDAP backdoor mode is enabled, you can still use local authentication by using noldap as the username. In secure mode, you may use the provisioned LDAP credentials.  Notes:  Once the switch is provisioned by the CMM in SIOM mode, it cannot be accessed using the switch local user accounts.  The switch may perform an additional reboot automatically after changing the SIOM state or upgrading the CMM software. © Copyright Lenovo 2018 Chapter 37: Secure Input/Output Module...
Page 524: Siom Feature Considerations
SIOM Feature Considerations SIOM has two aspects which must be accomplished on the switch:  The provisioning process which supplies all the necessary settings for the secure Ethernet connection for management and for the secure protocols enabled on the switch.  The protocols enabled during the functioning of a switch in SIOM. Switch boots up with all operational (data) ports disabled. Although the management ports are enabled, they canʹt be used by admin to set up the switch until the configuration is applied. Internal management port is used by the CMM during the provisioning to exchange information with IOM. At the end of provisioning, when SIOM is enabled, the rest of the operational ports come up and the switch will be fully functional. When in SIOM mode, the PKI system of switch cannot be controlled. The user cannot import his own certificate. All certificates are provisioned by CMM. NE2552E Application Guide for ENOS 8.4...
Page 525: Creating A Policy Setting
LDAP Client  SNMPv1  SNMPv2  Telnet (server and client)  FTP (server and client)  Radius (client)  TFTP Server Except for the TFTP server, these protocols cannot be enabled when the switch is operating in Secure Mode because the commands to enable or disable them are no longer enabled. The following protocols, although deemed “insecure,” are enabled by default and can be disabled.  DHCP client  SysLog Note: Service Location Protocol (SLP) Discovery is also deemed “insecure” but is unaffected by Secure Mode. SLP has the same default settings as in Legacy Mode. If you can enable or disable SLP in Legacy Mode, you can enable or disable it the same way in Secure Mode. The following supported protocols are not enabled by default but can always be enabled in Secure Mode.  DNS Resolution © Copyright Lenovo 2018 Chapter 37: Secure Input/Output Module...
Page 526: Secure Protocols
 TFTP client (for signed items only, such as switch images) Secure Protocols The following protocols are deemed “secure” and are enabled by default in Secure Mode:  SCP Server  SNMPv3 Client  SFTP Client  SSHv2 Server  SSHv2 Client  HTTPS Server  TACACS+ Client You can disable these protocols. The following protocols are deemed “secure” and cannot be disabled in any mode:  NTP Client v4  LDAPS Client The following protocols are also deemed “secure” on the NE2552E and can be enabled.   IPSec The default state for these protocols in Secure Mode, whether enabled or disabled, is the same as in Legacy Mode. The following protocols are deemed “secure” but are not currently supported by the NE2552E: EAPoL   S/MIME  ...
Page 527  SNMPv3 IPv6  bootp Notes:  Telnet IPv6 and TFTP IPv6 are disabled in Secure Mode.  TFTP IPv6 is allowed in Secure Mode for signed image transfers only. © Copyright Lenovo 2018 Chapter 37: Secure Input/Output Module...
Page 528: Managing User Accounts
Managing User Accounts SNMPv3 user accounts with customized attributes can be created on the CMM and pushed to the IOM. For each SNMPv3 user account created on the CMM, the IOM creates a local SNMPv3 user account. The SNMPv3 user database then creates new user‐per‐profile user lists. It then uses this database to authenticate users. Note: SNMPv3 does not support LDAP user management, so the CMM must provision SNMPv3 user accounts to the IOM. Using Centralized SNMPv3 Management with SIOM There is a setting on the CMM to indicate whether the SNMPv3 centralized user management is enabled; this is called the Centralized Flag. When the IOM runs as SIOM and the Centralized Flag is enabled, SNMPv3 will enable Node Accounts and will disable Local Accounts. When the IOM runs as LIOM or the Centralized Flag is disabled, SNMPv3 will use Local Accounts and disable Node Accounts. Node Accounts represent accounts configured on the CMM, while Local Accounts are accounts configured on the IOM. Since there is no case where both the Node Account and Local Account are enabled, the username of a Node Account can be duplicated with a Local Account username. Implementing SNMPv3 with SIOM The following commands are available for implementing SNMPv3 with SIOM: access snmp read-only  access snmp read-write  snmp-server access ...
Page 529 For more information about these commands, see the Lenovo ISCLI—Industry Standard CLI Command Reference for the Lenovo ThinkSystem NE2552E Flex Switch. © Copyright Lenovo 2018 Chapter 37: Secure Input/Output Module...
Page 530: Implementing Secure Ldap (Ldaps)
Implementing Secure LDAP (LDAPS) Lightweight Directory Access Protocol (LDAP) is a protocol for accessing distributed directory information services over a network. Lenovo ENOS uses LDAP for authentication and authorization. With an LDAP client enabled, the switch will authenticate a user and determine the user’s privilege level by checking with one or more directory servers instead of a local database of users. This prevents customers from having to configure local user accounts on multiple switches; they can maintain a centralized directory instead. As part of SIOM, you can implement Secure Lightweight Directory Access Protocol (LDAPS) in addition to standard LDAP. Enabling LDAPS When the IOM is in SIOM mode, all LDAP configurations are made from the CMM and pushed to the IOM. When the IOM is in LIOM mode, the CLI can be used to configure LDAP settings. LDAPS is disabled by default. To enable LDAPS: 1. Turn LDAP authentication on NE2552E(config)# ldap-server enable 2. Enable LDAP Enhanced Mode: NE2552E(config)# ldap-server mode enhanced This changes the ldap-server subcommands to support LDAPS. 3. Configure the IPv4 addresses of each LDAP server. NE2552E(config)# ldap-server host {1-4} <IP address or hostname> 4. You may change the default TCP port number used to listen to LDAPS (optional). The well‐known port for LDAP is 636.
Page 531: Disabling Ldaps
Note: If no login permissions attribute is configured, LDAP client will not function. 11. Configure the group filter attribute (optional): NE2552E(config)# ldap-server group-filter <filter attributes separated by comma> Note: The group filter string must contain no whitespace. If no group filter attribute is configured, no groups will be filtered and all groups will be considered in any search. 12. Enable DNS server verification: NE2552E(config)# ldap-server srv Disabling LDAPS To disable LDAPS, enter: NE2552E(config)# ldap-server security clear NE2552E(config)# ldap-server mode legacy For information about using LDAP in Legacy Mode, see “LDAP Authentication and Authorization” on page 110. © Copyright Lenovo 2018 Chapter 37: Secure Input/Output Module...
Page 532: Syslogs And Ldaps
Syslogs and LDAPS Syslogs are displayed for the following error conditions: Password change required on first login  Password expired  Username or password invalid  Account temporarily locked  Unknown/no reason given  NE2552E Application Guide for ENOS 8.4...
Page 533: Siom Dependencies
SIOM Dependencies The following points are relevant to SIOM:  The CMM has a Certificate Authority (CA) capable of signing the certificates involved for authenticating the IOM in the SSL and TLS processes and protocols. The correctness of the configuration depends upon the settings on the CMM.  This is especially important for NTP and LDAP, which ensure switch operability. For example, if the LDAP client is configured incorrectly, the switch cannot be managed.  The Enhanced Configuration and Management (EHCM) module configures the NTP client. Therefore, the NTP client is dependent upon the ECHM module being enabled and functional.  Some protocols cannot be changed from enabled to disabled without restarting the switch. The IOM may reboot when switching between the SIOM and LIOM. © Copyright Lenovo 2018 Chapter 37: Secure Input/Output Module...
Page 534 NE2552E Application Guide for ENOS 8.4...
Page 535: Part 8: Monitoring
Part 8: Monitoring The ability to monitor traffic passing through the NE2552E can be invaluable for troubleshooting some types of networking problems. This sections cover the following monitoring features:  Remote Monitoring (RMON)  sFLOW  Port Mirroring © Copyright Lenovo 2018...
Page 536 NE2552E Application Guide for ENOS 8.4...
Page 537: Chapter 38. Remote Monitoring
Chapter 38. Remote Monitoring Remote Monitoring (RMON) allows network devices to exchange network monitoring data. RMON performs the following major functions:  Gathers cumulative statistics for Ethernet interfaces  Tracks a history of statistics for Ethernet interfaces  Creates and triggers alarms for user‐defined events RMON Overview The RMON MIB provides an interface between the RMON agent on the switch and an RMON management application. The RMON MIB is described in RFC 1757. The RMON standard defines objects that are suitable for the management of Ethernet networks. The RMON agent continuously collects statistics and proactively monitors switch performance. RMON allows you to monitor traffic flowing through the switch. The switch supports the following RMON Groups, as described in RFC 1757:  RMON Group 1–Statistics  RMON Group 2–History  RMON Group 3–Alarms  RMON Group 9–Events © Copyright Lenovo 2018...
Page 538: Rmon Group 1-Statistics
RMON Group 1–Statistics The switch supports collection of Ethernet statistics as outlined in the RMON statistics MIB, in reference to etherStatsTable. RMON statistics are sampled every second, and new data overwrites any old data on a given port. Note: RMON port statistics must be enabled for the port before you can view RMON statistics. To configure RMON Statistics: 1. Enable RMON on each port where you wish to collect RMON statistics. NE2552E(config)# interface port 23 NE2552E(config-if)# rmon 2. View RMON statistics for the port. NE2552E(config-if)# show interface port 23 rmon-counters ------------------------------------------------------------------ RMON statistics for port 23: etherStatsDropEvents: etherStatsOctets: 7305626 etherStatsPkts: 48686 etherStatsBroadcastPkts: 4380 etherStatsMulticastPkts: 6612 etherStatsCRCAlignErrors: etherStatsUndersizePkts:...
Page 539: Rmon Group 2-History
NE2552E(config-if)# exit 2. Configure the RMON History parameters. NE2552E(config)# rmon history 1 interface-oid 1.3.6.1.2.1.2.2.1.1.<x> NE2552E(config)# rmon history 1 requested-buckets 30 NE2552E(config)# rmon history 1 polling-interval 120 NE2552E(config)# rmon history 1 owner "rmon port 1 history" where <x> is the number of the port to monitor. For example, the full OID for port 1 would be: 1.3.6.1.2.1.2.2.1.1.1 © Copyright Lenovo 2018 Chapter 38: Remote Monitoring...
Page 540 3. View RMON history for the port. NE2552E(config)# show rmon history RMON History group configuration: Index IFOID Interval Rbnum Gbnum ----- ----------------------- -------- ----- ----- 1.3.6.1.2.1.2.2.1.1.1 Index Owner ----- ---------------------------------------------- rmon port 1 history NE2552E Application Guide for ENOS 8.4...
Page 541: Rmon Group 3-Alarms
NE2552E(config)# rmon alarm 1 alarm-type rising NE2552E(config)# rmon alarm 1 rising-crossing-index 100 NE2552E(config)# rmon alarm 1 interval 3600 NE2552E(config)# rmon alarm 1 rising-limit 2000000000 NE2552E(config)# rmon alarm 1 owner "Alarm for ifInOctets" © Copyright Lenovo 2018 Chapter 38: Remote Monitoring...
Page 542: Alarm Example 2
Alarm Example 2 This example configuration creates an RMON alarm that checks icmpInEchos on the switch once every minute. If the statistic exceeds 200 within a 60 second interval, an alarm is generated that triggers event index 5. Configure the RMON Alarm parameters to track ICMP messages. NE2552E(config)# rmon alarm 1 oid 1.3.6.1.2.1.5.8.0 NE2552E(config)# rmon alarm 1 alarm-type rising NE2552E(config)# rmon alarm 1 rising-crossing-index 110 NE2552E(config)# rmon alarm 1 interval-time 60 NE2552E(config)# rmon alarm 1 rising-limit 200 NE2552E(config)# rmon alarm 1 sample delta NE2552E(config)# rmon alarm 1 owner "Alarm for icmpInEchos"...
Page 543: Rmon Group 9-Events
NE2552E(config)# rmon alarm <alarm number> falling-crossing-index <event number> RMON events use SNMP and system logs to send notifications. Therefore, an SNMP trap host must be configured for trap event notification to work properly. RMON uses a syslog host to send syslog messages. Therefore, an existing syslog host must be configured for event log notification to work properly. Each log event generates a system log message of type RMON that corresponds to the event. For example, to configure the RMON event parameters. NE2552E(config)# rmon event 110 type log NE2552E(config)# rmon event 110 description "SYSLOG_this_alarm" NE2552E(config)# rmon event 110 owner "log icmpInEchos alarm" This configuration creates an RMON event that sends a syslog message each time it is triggered by an alarm. © Copyright Lenovo 2018 Chapter 38: Remote Monitoring...
Page 544 NE2552E Application Guide for ENOS 8.4...
Page 545: Chapter 39. Sflow
Statistical Counters The NE2552E can be configured to send network statistics to an sFlow analyzer at regular intervals. For each port, a polling interval of 5 to 60 seconds can be configured, or 0 (the default) to disable this feature. When polling is enabled, at the end of each configured polling interval, the NE2552E reports general port statistics and port Ethernet statistics. sFlow Network Sampling In addition to statistical counters, the NE2552E can be configured to collect periodic samples of the traffic data received on each port. For each sample, 128 bytes are copied, UDP‐encapsulated, and sent to the configured sFlow analyzer. For each port, the sFlow sampling rate can be configured to occur once each 256 to 65536 packets, or 0 to disable (the default). A sampling rate of 256 means that one sample will be taken for approximately every 256 packets received on the port. The sampling rate is statistical, however. It is possible to have slightly more or fewer samples sent to the analyzer for any specific group of packets (especially under low traffic conditions). The actual sample rate becomes most accurate over time, and under higher traffic flow. sFlow sampling has the following restrictions:  Sample Rate—The fastest sFlow sample rate is 1 out of every 256 packets.  ACLs—sFlow sampling is performed before ACLs are processed. For ports configured both with sFlow sampling and one or more ACLs, sampling will occur regardless of the action of the ACL. Port Mirroring—sFlow sampling will not occur on mirrored traffic. If sFlow  sampling is enabled on a port that is configured as a port monitor, the mirrored traffic will not be sampled. Note: Although sFlow sampling is not generally a CPU‐intensive operation, configuring fast sampling rates (such as once every 256 packets) on ports under heavy traffic loads can cause switch CPU utilization to reach maximum. Use larger rate values for ports that experience heavy traffic. © Copyright Lenovo 2018...
Page 546: Sflow Example Configuration
sFlow Example Configuration 1. Specify the location of the sFlow analyzer (the server and optional port to which the sFlow information will be sent): NE2552E(config)# sflow server <IPv4 address>(sFlow server address) NE2552E(config)# sflow port <service port> (Set the optional service port) NE2552E(config)# sflow enable (Enable sFlow features) By default, the switch uses established sFlow service port 6343. To disable sFlow features across all ports, use the following command: NE2552E(config)# no sflow enable 2. On a per‐port basis, define the statistics polling rate: NE2552E(config)# interface port <port> NE2552E(config-if)# sflow polling <polling rate>(Statistics polling rate) Specify a polling rate between 5 and 60 seconds, or 0 to disable. By default, polling is 0 (disabled) for each port. 3. On a per‐port basis, define the data sampling rate: NE2552E(config-if)# sflow sampling <sampling rate>(Data sampling rate) Specify a sampling rate between 256 and 65536 packets, or 0 to disable. By default, ...
Page 547: Chapter 40. Port Mirroring
Figure 60. Mirroring Ports Mirrored Ports Monitor Port Ingress Connected to Both Traffic sniffer device Specified traffic is copied and forwarded to Monitor Port The NE2552E supports two monitor ports with two‐way mirroring, or four monitor ports with one‐way mirroring. Lenovo ENOS does not support “one to many” or “many to many” mirroring models where traffic from a specific port traffic is copied to multiple monitor ports. For example, port EXT1 traffic cannot be monitored by both port EXT3 and EXT4 at the same time, nor can port EXT2 ingress traffic be monitored by a different port than its egress traffic. Ingress and egress traffic is duplicated and sent to the monitor port after processing. Note: The NE2552E cannot mirror LACPDU packets. Also, traffic on management VLANs is not mirrored to the external ports. © Copyright Lenovo 2018...
Page 548: Port Mirroring Behavior
Port Mirroring Behavior This section describes the composition of monitored packets in the NE2552E, based on the configuration of the ports.  Packets mirrored at port egress are mirrored prior to VLAN tag processing and may have a different PVID than packets that egress the port toward their actual network destination.  Packets mirrored at port ingress are not modified. Configuring Port Mirroring The following procedure may be used to configure port mirroring for the example shown in Figure 60 on page 547: 1. Specify the monitoring port, the mirroring port(s), and the port‐mirror direction. NE2552E(config)# port-mirroring monitor-port EXT3 mirroring-port EXT1 in NE2552E(config)# port-mirroring monitor-port EXT3 mirroring-port EXT2 both 2. Enable port mirroring. NE2552E(config)# port-mirroring enable 3. View the current configuration. NE2552E# show port-mirroring (Display the current settings) Port mirroring is enabled...
Page 550 NE2552E Application Guide for ENOS 8.4...
Page 551: Appendix A. Glossary
Priority In VRRP, the value given to a Virtual Router to determine its ranking with its peer(s). Minimum value is 1 and maximum value is 254. Default is 100. A higher number will win out for master designation. Proto (Protocol) The protocol of a frame. Can be any value represented by a 8‐bit value in the IP header adherent to the IP specification (for example, TCP, UDP, OSPF, ICMP, and so on.) The source IP address of a frame. SPort The source port (application socket: for example, HTTP‐80/HTTPS‐443/DNS‐53). Tracking In VRRP, a method to increase the priority of a virtual router and thus master designation (with preemption enabled). Tracking can be very valuable in an active/active configuration. You can track the following:  Active IP interfaces on the Web switch (increments priority by 2 for each)  Active ports on the same VLAN (increments priority by 2 for each)  Number of virtual routers in master mode on the switch Virtual Interface Router. A VRRP address is an IP interface address shared between two or more virtual routers. Virtual Router A shared address between two devices utilizing VRRP, as defined in RFC 2338. One virtual router is associated with an IP interface. This is one of the IP interfaces that the switch is assigned. All IP interfaces on the NE2552Es must be in a VLAN. If there is more than one VLAN defined on the Web switch, then the VRRP broadcasts will only be sent out on the VLAN of which the associated IP interface is a member. © Copyright Lenovo 2018...
Page 552 VRID Virtual Router Identifier. In VRRP, a numeric ID is used by each virtual router to create its MAC address and identify its peer for which it is sharing this VRRP address. The VRRP MAC address as defined in the RFC is 00‐00‐5E‐00‐01‐<VRID>. If you have a VRRP address that two switches are sharing, then the VRID number needs to be identical on both switches so each virtual router on each switch knows with whom to share. VRRP Virtual Router Redundancy Protocol. A protocol that acts very similarly to Ciscoʹs proprietary HSRP address sharing protocol. The reason for both of these protocols is so devices have a next hop or default gateway that is always available. Two or more devices sharing an IP interface are either advertising or listening for advertisements. These advertisements are sent via a broadcast message to an address such as 224.0.0.18. With VRRP, one switch is considered the master and the other the backup. The master is always advertising via the broadcasts. The backup switch is always listening for the broadcasts. Should the master stop advertising, the backup will take over ownership of the VRRP IP and MAC addresses as defined by the specification. The switch announces this change in ownership to the devices around it by way of a Gratuitous ARP, and advertisements. If the backup switch didnʹt do the Gratuitous ARP the Layer 2 devices attached to the switch would not know that the MAC address had moved in the network. For a more detailed description, refer to RFC 2338. NE2552E Application Guide for ENOS 8.4...
Page 553: Appendix B. Getting Help And Technical Assistance
Check all cables to make sure that they are connected.  Check the power switches to make sure that the system and any optional devices are turned on.  Check for updated software, firmware, and operating‐system device drivers for your Lenovo product. The Lenovo Warranty terms and conditions state that you, the owner of the Lenovo product, are responsible for maintaining and updating all software and firmware for the product (unless it is covered by an additional maintenance contract). Your service technician will request that you upgrade your software and firmware if the problem has a documented solution within a software upgrade.  If you have installed new hardware or software in your environment, check the Lenovo ServerProven website to make sure that the hardware and software is supported by your product.  Go to the Lenovo Support portal to check for information to help you solve the problem.  Gather the following information to provide to the service technician. This data will help the service technician quickly provide a solution to your problem and ensure that you receive the level of service for which you might have contracted. Hardware and Software Maintenance agreement contract numbers, if  applicable Machine type number (Lenovo 4‐digit machine identifier)  Model number  Serial number  Current system UEFI and firmware levels  Other pertinent information such as error messages and logs  © Copyright Lenovo 2018...
Page 554  Start the process of determining a solution to your problem by making the pertinent information available to the service technicians. The IBM service technicians can start working on your solution as soon as you have completed and submitted an Electronic Service Request. You can solve many problems without outside assistance by following the troubleshooting procedures that Lenovo provides in the online help or in the Lenovo product documentation. The Lenovo product documentation also describes the diagnostic tests that you can perform. The documentation for most systems, operating systems, and programs contains troubleshooting procedures and explanations of error messages and error codes. If you suspect a software problem, see the documentation for the operating system or program. NE2552E Application Guide for ENOS 8.4...
Page 555: Appendix C. Notices
Lenovo may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: Lenovo (United States), Inc. 1009 Think Place ‐ Building One Morrisville, NC 27560 U.S.A. Attention: Lenovo Director of Licensing LENOVO PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON‐INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. Lenovo may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. The products described in this document are not intended for use in implantation or other life support applications where malfunction may result in injury or death to persons. The information contained in this document does not affect or change Lenovo product specifications or warranties. Nothing in this document shall operate as an express or implied license or indemnity under the intellectual property rights of Lenovo or third parties. All information contained in this document was obtained in specific environments and is presented as an illustration. The result obtained in other operating environments may vary. Lenovo may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you. Any references in this publication to non‐Lenovo Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this Lenovo product, and use of those Web sites is at your own risk. © Copyright Lenovo 2018...
Page 556 Any performance data contained herein was determined in a controlled environment. Therefore, the result obtained in other operating environments may vary significantly. Some measurements may have been made on development‐level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment. NE2552E Application Guide for ENOS 8.4...
Page 557: Trademarks
Trademarks Lenovo, the Lenovo logo, Flex System, System x, NeXtScale System, and X‐Architecture are trademarks of Lenovo in the United States, other countries, or both. Intel and Intel Xeon are trademarks of Intel Corporation in the United States, other countries, or both. Internet Explorer, Microsoft, and Windows are trademarks of the Microsoft group of companies. Linux is a registered trademark of Linus Torvalds. Other company, product, or service names may be trademarks or service marks of others. © Copyright Lenovo 2018 Appendix C: Notices...
Page 558: Important Notes
Important Notes Processor speed indicates the internal clock speed of the microprocessor; other factors also affect application performance. CD or DVD drive speed is the variable read rate. Actual speeds vary and are often less than the possible maximum. When referring to processor storage, real and virtual storage, or channel volume, KB stands for 1 024 bytes, MB stands for 1 048 576 bytes, and GB stands for 1 073 741 824 bytes. When referring to hard disk drive capacity or communications volume, MB stands for 1 000 000 bytes, and GB stands for 1 000 000 000 bytes. Total user‐accessible capacity can vary depending on operating environments. Maximum internal hard disk drive capacities assume the replacement of any standard hard disk drives and population of all hard‐disk‐drive bays with the largest currently supported drives that are available from Lenovo. Maximum memory might require replacement of the standard memory with an optional memory module. Each solid‐state memory cell has an intrinsic, finite number of write cycles that the cell can incur. Therefore, a solid‐state device has a maximum number of write cycles that it can be subjected to, expressed as total bytes written (TBW). A device that has exceeded this limit might fail to respond to system‐generated commands or might be incapable of being written to. Lenovo is not responsible for replacement of a device that has exceeded its maximum guaranteed number of program/erase cycles, as documented in the Official Published Specifications for the device. Lenovo makes no representations or warranties with respect to non‐Lenovo products. Support (if any) for the non‐Lenovo products is provided by the third party, not Lenovo. Some software might differ from its retail version (if available) and might not include user manuals or all program functionality. NE2552E Application Guide for ENOS 8.4...
Page 559: Recycling Information
Recycling Information Lenovo encourages owners of information technology (IT) equipment to responsibly recycle their equipment when it is no longer needed. Lenovo offers a variety of programs and services to assist equipment owners in recycling their IT products. For information on recycling Lenovo products, go to: http://www.lenovo.com/recycling © Copyright Lenovo 2018 Appendix C: Notices...
Page 560: Particulate Contamination
Particulate Contamination Attention: Airborne particulates (including metal flakes or particles) and reactive gases acting alone or in combination with other environmental factors such as humidity or temperature might pose a risk to the device that is described in this document. Risks that are posed by the presence of excessive particulate levels or concentrations of harmful gases include damage that might cause the device to malfunction or cease functioning altogether. This specification sets forth limits for particulates and gases that are intended to avoid such damage. The limits must not be viewed or used as definitive limits, because numerous other factors, such as temperature or moisture content of the air, can influence the impact of particulates or environmental corrosives and gaseous contaminant transfer. In the absence of specific limits that are set forth in this document, you must implement practices that maintain particulate and gas levels that are consistent with the protection of human health and safety. If Lenovo determines that the levels of particulates or gases in your environment have caused damage to the device, Lenovo may condition provision of repair or replacement of devices or parts on implementation of appropriate remedial measures to mitigate such environmental contamination. Implementation of such remedial measures is a customer responsibility.. Contaminant Limits Particulate • The room air must be continuously filtered with 40% atmospheric dust spot efficiency (MERV 9) according to ASHRAE Standard 52.2 • Air that enters a data center must be filtered to 99.97% efficiency or greater, using high‐efficiency particulate air (HEPA) filters that meet MIL‐STD‐282. • The deliquescent relative humidity of the particulate contamination must be more than 60% • The room must be free of conductive contamination such as zinc whis‐ kers. Gaseous • Copper: Class G1 as per ANSI/ISA 71.04‐1985 • Silver: Corrosion rate of less than 300 Å in 30 days 1 ...
Page 561: Telecommunication Regulatory Statement
Telecommunication Regulatory Statement This product may not be certified in your country for connection by any means whatsoever to interfaces of public telecommunications networks. Further certification may be required by law prior to making any such connection. Contact a Lenovo representative or reseller for any questions. © Copyright Lenovo 2018 Appendix C: Notices...
Page 562: Electronic Emission Notices
Federal Communications Commission (FCC) Statement Note: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at his own expense. Properly shielded and grounded cables and connectors must be used to meet FCC emission limits. Lenovo is not responsible for any radio or television interference caused by using other than recommended cables and connectors or by unauthorized changes or modifications to this equipment. Unauthorized changes or modifications could void the user’s authority to operate the equipment. This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that might cause undesired operation. Industry Canada Class A Emission Compliance Statement This Class A digital apparatus complies with Canadian ICES‐003. Avis de Conformité à la Réglementation d'Industrie Canada Cet appareil numérique de la classe A est conforme à la norme NMB‐003 du ...
Page 563: European Union - Compliance To The Electromagnetic Compatibility Directive
Lenovo, Einsteinova 21, 851 01 Bratislava, Slovakia Warning: This is a Class A product. In a domestic environment this product may cause radio interference in which case the user may be required to take adequate measures. Germany Class A Statement Deutschsprachiger EU Hinweis: Hinweis für Geräte der Klasse A EU‐Richtlinie zur Elektromagnetischen Verträglichkeit Dieses Produkt entspricht den Schutzanforderungen der EU‐Richtlinie 2014/30/EU (früher 2004/108/EC) zur Angleichung der Rechtsvorschriften über die elektromagnetische Verträglichkeit in den EU‐Mitgliedsstaaten und hält die Grenzwerte der Klasse A der Norm gemäß Richtlinie. Um dieses sicherzustellen, sind die Geräte wie in den Handbüchern beschrieben zu installieren und zu betreiben. Des Weiteren dürfen auch nur von der Lenovo empfohlene Kabel angeschlossen werden. Lenovo übernimmt keine Verantwortung für die Einhaltung der Schutzanforderungen, wenn das Produkt ohne Zustimmung der Lenovo verändert bzw. wenn Erweiterungskomponenten von Fremdherstellern ohne Empfehlung der Lenovo gesteckt/eingebaut werden. Deutschland: Einhaltung des Gesetzes über die elektromagnetische Verträglichkeit von Betriebsmittein Dieses Produkt entspricht dem „Gesetz über die elektromagnetische Verträglichkeit von Betriebsmitteln“ EMVG (früher „Gesetz über die elektromagnetische Verträglichkeit von Geräten“). Dies ist die Umsetzung der EU‐Richtlinie 2014/30/EU (früher 2004/108/EC) in der Bundesrepublik Deutschland. © Copyright Lenovo 2018 Appendix C: Notices...
Page 564: Japan Vcci Class A Statement
Zulassungsbescheinigung laut dem Deutschen Gesetz über die elektromagnetische Verträglichkeit von Betriebsmitteln, EMVG vom 20. Juli 2007 (früher Gesetz über die elektromagnetische Verträglichkeit von Geräten), bzw. der EMV EU Richtlinie 2014/30/EU (früher 2004/108/EC ), für Geräte der Klasse A. Dieses Gerät ist berechtigt, in Übereinstimmung mit dem Deutschen EMVG das EG‐Konformitätszeichen ‐ CE ‐ zu führen. Verantwortlich für die Konformitätserklärung nach Paragraf 5 des EMVG ist die Lenovo (Deutschland) GmbH, Meitnerstr. 9, D‐70563 Stuttgart. Informationen in Hinsicht EMVG Paragraf 4 Abs. (1) 4: Das Gerät erfüllt die Schutzanforderungen nach EN 55024 und EN 55022 Klasse Nach der EN 55022: „Dies ist eine Einrichtung der Klasse A. Diese Einrichtung kann im Wohnbereich Funkstörungen verursachen; in diesem Fall kann vom Betreiber verlangt werden, angemessene Maßnahmen durchzuführen und dafür aufzukommen.“ Nach dem EMVG: „Geräte dürfen an Orten, für die sie nicht ausreichend entstört sind, nur mit besonderer Genehmigung des Bundesministers für Post und Telekommunikation oder des Bundesamtes für Post und Telekommunikation betrieben werden. Die Genehmigung wird erteilt, wenn keine elektromagnetischen Störungen zu erwarten sind.“ (Auszug aus dem EMVG, Paragraph 3, Abs. 4). Dieses Genehmigungsverfahrenist nach Paragraph 9 EMVG in Verbindung mit der entsprechenden Kostenverordnung (Amtsblatt 14/93) kostenpflichtig. Anmerkung: Um die Einhaltung des EMVG sicherzustellen sind die Geräte, wie in den Handbüchern angegeben, zu installieren und zu betreiben. Japan VCCI Class A Statement This is a Class A product based on the standard of the Voluntary Control Council for Interference (VCCI). If this equipment is used in a domestic environment, radio interference may occur, in which case the user may be required to take corrective actions. NE2552E Application Guide for ENOS 8.4...
Page 565: Japan Electronics And Information Technology Industries Association
Japan Electronics and Information Technology Industries Association (JEITA) Confirmed Harmonics Guidelines (products less than or equal to 20 A per phase) Japan Electronics and Information Technology Industries Association (JEITA) Confirmed Harmonics Guidelines with Modifications (products greater than 20 A per phase). Korea Communications Commission (KCC) Statement This is electromagnetic wave compatibility equipment for business (Type A). Sellers and users need to pay attention to it. This is for any areas other than home. Russia Electromagnetic Interference (EMI) Class A statement People’s Republic of China Class A electronic emission statement Taiwan Class A compliance statement © Copyright Lenovo 2018 Appendix C: Notices...
Page 566 NE2552E Application Guide for ENOS 8.4...
Page 567: Index
62 VLANs 164 autonomous systems (AS) 393 configuring BGP failover 384 DCBX 268 ETS 264 bandwidth allocation 247 FIP snooping 255 BBI 30 IP routing 317 BBI. See Browser‐Based Interface OSPF 405 Bootstrap Router, PIM 425 PFC 258 port aggregation 166 spanning tree groups 185 contamination, particulate and gaseous 560 Converged Network Adapter. See CNA. © Copyright Lenovo 2018 Index...
Page 568 FCoE 243 bridge module 244 date CEE 245 setup 60 CNA 244 DCBX 246 ENodes 244 default gateway 316 FCF 244 configuration example 318 FIP snooping 244 default password 46 FLOGI 252 default route, OSPF 398 point‐to‐point links 244 Dense Mode, PIM 420 requirements 245 Designated Router, PIM 419 SAN 243 Differentiated Services Code Point (DSCP) 223 topology 244 digital certificate 342 VLANs 253...
Page 569 Japan Electronics and Information Technology Indus‐ filtering criteria 122 tries Association statement 565 host routes 403 JEITA statement 565 link state database 392 jumbo frames 136 neighbors 392 overview 389 redistributing routes 381 route maps 378 Korea Class A electronic emission statement 565 route summarization 397 router ID 399 virtual link 399 outgoing route maps 379 © Copyright Lenovo 2018 : Index...
Page 570 packet size 136 RADIUS particulate contamination 560 authentication 100 port 1812 and 1645 123 password administrator account 46 port 1813 123 default 46 SSH/SCP 93 user account 46 Rapid Spanning Tree Protocol (RSTP) 187 passwords 46 receive flow control 62 payload size 136 redistributing routes 381 People’s Republic of China Class A electronic emission redundancy statement 565 active‐active 449 Per Hop Behavior (PHB) 224 hot‐standby 449 PFC 248 re‐mark 126 DCBX 268...
Page 571 TCP 122 overview 445 technical assistance 553 virtual interface router 446 virtual router ID numbering 452 technical terms port VLAN identifier (PVID) 140 vrid 446 tagged frame 140 tagged member 140 untagged frame 140 untagged member 140 willing flag (DCBX) 267 VLAN identifier (VID) 140 Telnet support optional setup for Telnet support 69 text conventions 26 time setup 60 © Copyright Lenovo 2018 : Index...
Page 572 NE2552E Application Guide for ENOS 8.4...
Page 574 Part Number: 01KN246 Printed in USA (IP) P/N: 01KN246...

Lenovo ThinkSystem NE2552E Application Manual

Part 1: Getting Started

Chapter 1. Switch Administration

Chapter 2. Initial Setup

Chapter 3. Switch Software Management

Part 2: Securing the Switch

Chapter 4. Securing Administration

Chapter 5. Authentication & Authorization Protocols

Chapter 6. 802.1X Port-Based Network Access Control

Chapter 7. Access Control Lists

Part 3: Switch Basics

Chapter 8. Vlans

Chapter 9. Ports and Link Aggregation (LAG)

Chapter 10. Spanning Tree Protocols

Chapter 11. Virtual Link Aggregation Groups

Chapter 12. Quality of Service

Chapter 13. Precision Time Protocol

Part 4: Advanced Switching Features

Chapter 14. Virtualization

Chapter 15. Fibre Channel over Ethernet

Quick Links

Related Manuals for Lenovo ThinkSystem NE2552E

Summary of Contents for Lenovo ThinkSystem NE2552E